# Deploying a k3s Cluster on Rock 5B


# k3s cluster installation
## Install the server node

```sh
curl -sfL https://get.k3s.io | sh -s - server \
--cluster-init \
--disable=traefik

root@rock5b-1:~# kubectl get no
NAME       STATUS   ROLES                       AGE     VERSION
rock5b-1   Ready    control-plane,etcd,master   8m22s   v1.31.6+k3s1
```
![img](./install-server.png)

## Install the agent nodes

Get the token
```sh
root@rock5b-1:~# cat /var/lib/rancher/k3s/server/node-token
K10aa6b3d75e6848ee1d29c104436dbf35be2dc8b07fea4ec858a29c8fc02129a9d::server:ebf3c9f070227a0da53687737f628846
```

Run the following agent install command on rock5b-2 and rock5b-3
```sh
curl -sfL https://get.k3s.io | K3S_TOKEN=K10aa6b3d75e6848ee1d29c104436dbf35be2dc8b07fea4ec858a29c8fc02129a9d::server:ebf3c9f070227a0da53687737f628846 sh -s - agent --server https://192.168.5.104:6443
```
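The join token above is more than a password. As an added example (not part of the original post), the script below splits a token into its parts and checks the embedded hash against a CA certificate file. It assumes the documented K3s secure-token layout (`K10` prefix, SHA-256 of the server CA certificate as stored on disk, `::`, credentials) and the default CA path `/var/lib/rancher/k3s/server/tls/server-ca.crt`; the function names are hypothetical and the sample token and CA file are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the 64-hex CA hash embedded in a K10<hash>::<user>:<password> token.
k3s_token_ca_hash() {
  case "$1" in
    K10*::*) ;;
    *) return 1 ;;          # short/plain tokens carry no CA pin
  esac
  ca=${1#K10}               # drop the fixed prefix
  ca=${ca%%::*}             # drop "::<credentials>"
  printf '%s' "$ca" | grep -Eq '^[0-9a-f]{64}$' || return 1
  printf '%s\n' "$ca"
}

# Return 0 only if the token pins the CA certificate stored in file $2.
k3s_token_matches_ca() {
  want=$(k3s_token_ca_hash "$1") || return 2
  have=$(sha256sum "$2" | cut -d' ' -f1) || return 2
  [ "$want" = "$have" ]
}

# Constructed sample: a stand-in CA file and a token built from its hash.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for server-ca.crt\n' > "$demo_dir/server-ca.crt"
demo_hash=$(sha256sum "$demo_dir/server-ca.crt" | cut -d' ' -f1)
demo_token="K10${demo_hash}::server:constructed-password"

k3s_token_matches_ca "$demo_token" "$demo_dir/server-ca.crt" \
  && echo "token pins this CA"

# On the server node (paths are the assumed defaults):
#   k3s_token_matches_ca "$(cat /var/lib/rancher/k3s/server/node-token)" \
#     /var/lib/rancher/k3s/server/tls/server-ca.crt
```

Because the part after `::` is the cluster join credential, the full token should be handled like any other secret.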

## Configure shell completion

```sh
source /usr/share/bash-completion/bash_completion

echo 'source <(kubectl completion bash)' >>~/.bashrc

source ~/.bashrc
```

# Helm installation

```sh
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

Downloading https://get.helm.sh/helm-v3.17.2-linux-arm64.tar.gz
Verifying checksum... Done.
Preparing to install helm into /usr/local/bin
helm installed into /usr/local/bin/helm
```

## Helm command completion
```sh
helm completion bash > /etc/bash_completion.d/helm
source ~/.bashrc
```

# Ingress-Nginx installation

```sh
helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --namespace ingress-nginx --create-namespace

Release "ingress-nginx" does not exist. Installing it now.
NAME: ingress-nginx
LAST DEPLOYED: Sat Mar 22 22:04:56 2025
NAMESPACE: ingress-nginx
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The ingress-nginx controller has been installed.
It may take a few minutes for the load balancer IP to be available.
You can watch the status by running 'kubectl get service --namespace ingress-nginx ingress-nginx-controller --output wide --watch'

An example Ingress that makes use of the controller:
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: example
    namespace: foo
  spec:
    ingressClassName: nginx
    rules:
      - host: www.example.com
        http:
          paths:
            - pathType: Prefix
              backend:
                service:
                  name: exampleService
                  port:
                    number: 80
              path: /
    # This section is only required if TLS is to be enabled for the Ingress
    tls:
      - hosts:
        - www.example.com
        secretName: example-tls

If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:

  apiVersion: v1
  kind: Secret
  metadata:
    name: example-tls
    namespace: foo
  data:
    tls.crt: <base64 encoded cert>
    tls.key: <base64 encoded key>
  type: kubernetes.io/tls
```

# k8s dashboard installation
Add the k8s dashboard repository
```sh
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
```

Update the k8s dashboard repository
```sh
helm repo update

Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "kubernetes-dashboard" chart repository
Update Complete. ⎈Happy Helming!⎈
```

Install k8s dashboard
```sh
helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard

Release "kubernetes-dashboard" does not exist. Installing it now.
NAME: kubernetes-dashboard
LAST DEPLOYED: Sat Mar 22 22:18:12 2025
NAMESPACE: kubernetes-dashboard
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
*************************************************************************************************
*** PLEASE BE PATIENT: Kubernetes Dashboard may need a few minutes to get up and become ready ***
*************************************************************************************************

Congratulations! You have just installed Kubernetes Dashboard in your cluster.

To access Dashboard run:
  kubectl -n kubernetes-dashboard port-forward svc/kubernetes-dashboard-kong-proxy 8443:443

NOTE: In case port-forward command does not work, make sure that kong service name is correct.
      Check the services in Kubernetes Dashboard namespace using:
        kubectl -n kubernetes-dashboard get svc

Dashboard will be available at:
  https://localhost:8443
```

## ingress, service account, cluster role binding

```yml
# ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-dns01 # issue the HTTPS certificate automatically
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: 'true' # force redirect to HTTPS
    nginx.ingress.kubernetes.io/secure-backends: 'true'
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - 'k8s.pkg.best'
      secretName: dashboard-letsencrypt-tls
  rules:
    - host: k8s.pkg.best
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard-kong-proxy
                port:
                  number: 443
---
# service account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hiifong
  namespace: kubernetes-dashboard
---
# cluster role binding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: hiifong
  namespace: kubernetes-dashboard
```

## apply
```sh
kubectl apply -f k8s-dashboard.yml 
```

## create token

```sh
kubectl -n kubernetes-dashboard create token hiifong

```

# Host mapping

```sh

```

# cert-manager installation

```sh
helm repo add jetstack https://charts.jetstack.io --force-update

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.17.0 \
  --set crds.enabled=true
```


---

> Author: hiifong  
> URL: https://f.style/k3s-install/  

