1. 安装-客户端 Helm
Helm
的安装方式很多,这里采用二进制的方式安装。
bash
# 下载
$ wget https://get.helm.sh/helm-v2.16.7-linux-amd64.tar.gz
# 解压(解压前建议先执行 sha256sum helm-v2.16.7-linux-amd64.tar.gz,并与 Helm 发布页公布的校验值比对,确认下载的文件未被篡改)
$ tar -zxvf helm-v2.16.7-linux-amd64.tar.gz
# 复制客户端执行文件到 bin 目录下
$ cp linux-amd64/helm /usr/local/bin/
更多安装方法可以参考 Helm 的 官方帮助文档
2. 安装-服务端 Tiller
Tiller
是以 Deployment 方式部署在 Kubernetes 集群中的,只需使用以下指令便可简单地完成安装
bash
$ helm init --upgrade --tiller-image registry.cn-hangzhou.aliyuncs.com/google_containers/tiller:v2.16.7 --stable-repo-url https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts
若执行 helm init 时未指定 --tiller-image,Tiller Pod 默认使用的镜像是 gcr.io/kubernetes-helm/tiller:v2.16.7
;如果无法访问 gcr.io,可按以下操作修改镜像源
bash
$ kubectl edit deployment tiller-deploy -n kube-system
yaml
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "3"
creationTimestamp: "2020-06-14T09:51:13Z"
generation: 3
labels:
app: helm
name: tiller
name: tiller-deploy
namespace: kube-system
resourceVersion: "15458103"
selfLink: /apis/apps/v1/namespaces/kube-system/deployments/tiller-deploy
uid: eba8d530-97e4-4318-b4af-9393b996cb27
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: helm
name: tiller
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: helm
name: tiller
spec:
automountServiceAccountToken: true
containers:
- env:
- name: TILLER_NAMESPACE
value: kube-system
- name: TILLER_HISTORY_MAX
value: "0"
# 修改:将 gcr.io/kubernetes-helm/tiller:v2.16.7 改为 sapcc/tiller:v2.16.7(注意:该镜像来自 Docker Hub 上的第三方帐号,不是 Helm 官方仓库发布的镜像;Tiller 随后会被授予集群权限,使用前应确认镜像来源可信,最好改用自己审核过的内部镜像仓库)
image: sapcc/tiller:v2.16.7
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /liveness
port: 44135
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: tiller
ports:
- containerPort: 44134
name: tiller
protocol: TCP
- containerPort: 44135
name: http
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /readiness
port: 44135
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: tiller
serviceAccountName: tiller
terminationGracePeriodSeconds: 30
status:
availableReplicas: 1
conditions:
- lastTransitionTime: "2020-06-15T02:00:27Z"
lastUpdateTime: "2020-06-15T02:00:27Z"
message: Deployment has minimum availability.
reason: MinimumReplicasAvailable
status: "True"
type: Available
- lastTransitionTime: "2020-06-15T02:00:10Z"
lastUpdateTime: "2020-06-15T02:00:27Z"
message: ReplicaSet "tiller-deploy-5d7f7cb9c7" has successfully progressed.
reason: NewReplicaSetAvailable
status: "True"
type: Progressing
observedGeneration: 3
readyReplicas: 1
replicas: 1
updatedReplicas: 1
bash
# 修改后,在 vi 编辑器中输入以下命令保存退出
:wq
3. 给 Tiller 授权
Helm
的服务端 Tiller 是一个部署在 Kubernetes 中 kube-system
Namespace 下的 Deployment,它会去连接 kube-api
在 Kubernetes 里创建和删除应用。
从 Kubernetes 1.6 版本开始,API Server 启用了 RBAC 授权。目前的 Tiller 部署时默认没有定义授权的 ServiceAccount,这会导致访问 API Server 时被拒绝。所以我们需要明确为 Tiller 部署添加授权
- 创建一个名为
tiller-adminuser.yaml
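的配置文件,为 Tiller 创建服务帐号并绑定角色。注意:下面的示例绑定的是 cluster-admin,即集群最高权限;Helm v2 的 Tiller 默认不对 gRPC 端口(44134)上的请求做身份认证,能访问该端口的集群内工作负载都可以借 Tiller 以此权限操作集群。生产环境建议改为绑定按命名空间限定的 Role,并在 helm init 时启用 TLS(--tiller-tls、--tiller-tls-verify),或迁移到不再需要 Tiller 的 Helm 3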
yaml
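# ServiceAccount that the Tiller Deployment runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
# Binds the tiller ServiceAccount to the built-in cluster-admin ClusterRole.
# NOTE(review): cluster-admin is unrestricted across every namespace, so any
# client that can reach Tiller acts with full cluster privileges. Prefer a
# namespaced Role/RoleBinding that lists only the resources your charts manage.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller-cluster-rule
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system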
bash
# 修改配置文件后,创建tiller-adminuser 权限
$ kubectl apply -f tiller-adminuser.yaml
- 为 Tiller 设置帐号
bash
# 使用 kubectl patch 更新 API 对象
$ kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
-------------------------------------- 输出如下 ------------------------------------------------
deployment.extensions/tiller-deploy patched
-----------------------------------------------------------------------------------------------
- 查看是否授权成功
bash
$ kubectl get deploy --namespace kube-system tiller-deploy --output yaml|grep serviceAccount
-------------------------------------- 输出如下 ------------------------------------------------
serviceAccount: tiller
serviceAccountName: tiller
-----------------------------------------------------------------------------------------------
4. 验证安装是否成功
bash
$ kubectl -n kube-system get pods|grep tiller
-------------------------------------- 输出如下 ------------------------------------------------
tiller-deploy-5d7f7cb9c7-cm4qx 1/1 Running 0 3h29m
----------------------------------------------------------------------------------------------
bash
$ helm version
-------------------------------------- 输出如下 ------------------------------------------------
Client: &version.Version{SemVer:"v2.16.7", GitCommit:"5f2584fd3d35552c4af26036f0c464191287986b", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.16.7", GitCommit:"5f2584fd3d35552c4af26036f0c464191287986b", GitTreeState:"clean"}
----------------------------------------------------------------------------------------------
5. 扩展-卸载 Tiller (可选)
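如果你需要在 Kubernetes 中卸载已部署的 Tiller,可使用以下命令完成卸载。helm reset 不会删除前面手动创建的 ServiceAccount 和 ClusterRoleBinding(tiller-cluster-rule),卸载后应再执行 kubectl delete -f tiller-adminuser.yaml 一并清理,避免集群中遗留拥有 cluster-admin 权限的帐号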
bash
$ helm reset