内容目录
环境准备
设置/etc/hosts
cat /etc/hosts
192.168.0.101 master1
192.168.0.102 master2
192.168.0.103 master3
192.168.0.104 worker1设置hostname
hostnamectl set-hostname xxxx机器列表
| ip | Name | 备注 |
|---|---|---|
| 192.168.0.101 | master1 | Haproxy |
| 192.168.0.102 | master2 | |
| 192.168.0.103 | master3 | |
| 192.168.0.104 | worker1 |
清除iptables
iptables -F
echo ""> /etc/sysconfig/iptables
systemctl restart iptables禁用 SELINUX
setenforce 0由于开启内核 ipv4 转发需要加载 br_netfilter 模块,所以加载下该模块
modprobe br_netfilter创建/etc/sysctl.d/k8s.conf文件,添加如下内容
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1执行如下命令使修改生效
sysctl -p /etc/sysctl.d/k8s.conf安装 ipvs
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bashmodprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack_ipv4上面脚本创建了的/etc/sysconfig/modules/ipvs.modules文件,保证在节点重启后能自动加载所需模块。使用lsmod | grep -e ip_vs -e nf_conntrack_ipv4命令查看是否已经正确加载所需的内核模块。
接下来还需要确保各个节点上已经安装了 ipset 软件包
yum install ipset为了便于查看 ipvs 的代理规则,最好安装一下管理工具 ipvsadm
yum install ipvsadm关闭 swap 分区
swapoff -a修改/etc/fstab文件,注释掉 SWAP 的自动挂载,使用free -m确认 swap 已经关闭。swappiness 参数调整,修改/etc/sysctl.d/k8s.conf添加下面一行
vm.swappiness=0执行 sysctl -p /etc/sysctl.d/k8s.conf 使修改生效
安装 Containerd
下载
wget https://github.com/containerd/containerd/releases/download/v1.6.1/cri-containerd-cni-1.6.1-linux-amd64.tar.gz压缩包解压到系统的各个目录中
tar -C / -xzf cri-containerd-cni-1.6.1-linux-amd64.tar.gz生成containerd的默认配置文件
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml
修改sandbox_image
sandbox_image = "registry.aliyuncs.com/k8sxio/pause:3.5"修改配置文件,修改 containerd 的 cgroup driver 配置为 systemd,修改以下区块的SystemdCgroup为true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
...
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true....如需添加私有镜像仓库需修改配置文件,如添加harbor仓库,以harbor.chenjie.info例,
[plugins."io.containerd.grpc.v1.cri".registry.configs]
#下面为新增内容
[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.chenjie.info".tls]
insecure_skip_verify = true
[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.chenjie.info".auth]
username = "admin"
password = "Harbor12345"
#上面为新增内容
[plugins."io.containerd.grpc.v1.cri".registry.headers]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
#下面为新增内容
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.chenjie.info"]
endpoint = ["https://harbor.chenjie.info"]
#上面为新增内容启用containerd
systemctl daemon-reload
systemctl enable containerd --now查询本地 libseccomp版本,如果低于2.4需升级
升级步骤
下载2.5包
wget https://vault.centos.org/centos/8/BaseOS/x86_64/os/Packages/libseccomp-2.5.1-1.el8.x86_64.rpm 查询现有版本
rpm -qa | grep libseccomp卸载旧版本
rpm -e libseccomp-2.3.1-2.el7.x86_64 --nodeps安装新版本
rpm -ivh libseccomp-2.5.1-1.el8.x86_64.rpm安装负载均衡
在master1 安装
yum install haproxy配置
frontend apiserver
bind *:8443
default_backend apiserver_backend
mode tcp
option tcplog
backend apiserver_backend
balance source
mode tcp
server master1 192.168.0.101:6443 check
#server master2 192.168.0.102:6443 check
#server master3 192.168.0.103:6443 check设置开启启动、启动、状态确认
systemctl enable haproxy
systemctl start haproxy
systemctl status haproxy初始化控制平面
使用阿里云的源进行安装kubeadm等
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF安装 kubeadm、kubelet、kubectl
yum makecache fast
yum install -y kubelet-1.22.8 kubeadm-1.22.8 kubectl-1.22.8 --disableexcludes=kuberneteskubelet 设置成开机启动
systemctl enable --now kubelet在 master1 节点上输出集群初始化默认使用的配置
kubeadm config print init-defaults --component-configs KubeletConfiguration > kubeadm.yaml对配置进行修改,修改点见注释部分
apiVersion: kubeadm.k8s.io/v1beta3
bootstrapTokens:
- groups:
- system:bootstrappers:kubeadm:default-node-token
token: abcdef.0123456789abcdef
ttl: 24h0m0s
usages:
- signing
- authentication
kind: InitConfiguration
localAPIEndpoint:
advertiseAddress: 192.168.0.101 #本机ip
bindPort: 6443
nodeRegistration:
criSocket: /run/containerd/containerd.sock
imagePullPolicy: IfNotPresent
name: master1 #本机hostname
taints: null
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs
---
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns: {}
etcd:
local:
dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/k8sxio
kind: ClusterConfiguration
kubernetesVersion: 1.22.8 #版本
controlPlaneEndpoint: master1:8443 #haproxy
apiServer:
extraArgs:
authorization-mode: Node,RBAC
timeoutForControlPlane: 4m0s
certSANs: # 添加master节点的相关信息
- master1
- master2
- master3
- 192.168.0.101
- 192.168.0.102
- 192.168.0.103
networking:
dnsDomain: cluster.local
serviceSubnet: 172.30.0.0/16 #service 和物理机网络区分开
podSubnet: 192.168.0.0/16 #pod 和物理机网络区分开
scheduler: {}
---
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 0s
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 0s
cacheUnauthorizedTTL: 0s
clusterDNS:
- 172.30.0.10 #service x.x.x.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
cgroupDriver: systemd # 配置 cgroup driver
logging: {}
memorySwap: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s查询需要预装的镜像
kubeadm config images list --config kubeadm.yaml
registry.aliyuncs.com/k8sxio/kube-apiserver:v1.22.8
registry.aliyuncs.com/k8sxio/kube-controller-manager:v1.22.8
registry.aliyuncs.com/k8sxio/kube-scheduler:v1.22.8
registry.aliyuncs.com/k8sxio/kube-proxy:v1.22.8
registry.aliyuncs.com/k8sxio/pause:3.5
registry.aliyuncs.com/k8sxio/etcd:3.5.0-0
registry.aliyuncs.com/k8sxio/coredns:v1.8.4拉取镜像
ctr -n k8s.io i pull xxxx
#coredns阿里没有
ctr -n k8s.io i pull docker.io/coredns/coredns:1.8.4
or
crictl pull docker.io/coredns/coredns:1.8.4
#后tag
ctr -n k8s.io i tag docker.io/coredns/coredns:1.8.4 registry.aliyuncs.com/k8sxio/coredns:v1.8.4master1 节点上进行集群初始化
kubeadm init --upload-certs --config kubeadm.yaml执行日志
[init] Using Kubernetes version: v1.22.8
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
...省略...
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of the control-plane node running the following command on each as root:
kubeadm join master1:8443 --token abcdef.0123456789abcdef
--discovery-token-ca-cert-hash sha256:4350be07df44bb66da5f090dd8b1ca7db39e19f0abf6475ce7c8ce4dad8c0a4d
--control-plane --certificate-key 337a7cc73581c3246349d659adb01c4c3b73d54e19f752864ce570731791db2e
Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join master1:8443 --token abcdef.0123456789abcdef
--discovery-token-ca-cert-hash sha256:4350be07df44bb66da5f090dd8b1ca7db39e19f0abf6475ce7c8ce4dad8c0a4d可按提示设置kubeconfig
添加后续master或worker节点
添加控制平面节点
对于每个其他控制平面节点,执行先前在第一个节点 master1 上的 kubeadm init 输出提供的 join 命令来添加控制平面节点
kubeadm join master1:8443 --token abcdef.0123456789abcdef
--discovery-token-ca-cert-hash sha256:4350be07df44bb66da5f090dd8b1ca7db39e19f0abf6475ce7c8ce4dad8c0a4d
--control-plane --certificate-key 337a7cc73581c3246349d659adb01c4c3b73d54e19f752864ce570731791db2e设置master节点可调度(如果需要在master节点进行业务pod调度)
kubectl taint nodes --all node-role.kubernetes.io/master-如果恢复master only
kubectl taint node xxx node-role.kubernetes.io/master="":NoSchedule添加工作节点
在worker节点执行
kubeadm join master1:8443 --token abcdef.0123456789abcdef
--discovery-token-ca-cert-hash sha256:4350be07df44bb66da5f090dd8b1ca7db39e19f0abf6475ce7c8ce4dad8c0a4d安装网络插件
在master1 节点执行以下操作
下载calico
curl https://projectcalico.docs.tigera.io/manifests/calico.yaml -O修改yaml 设置默认网卡,如果有多网卡需要设置,以bond0为例,如果没有多网卡则无需设置
spec:
containers:
- env:
- name: DATASTORE_TYPE
value: kubernetes
- name: IP_AUTODETECTION_METHOD # DaemonSet中添加该环境变量
value: interface=bond0 # 指定内网网卡
- name: WAIT_FOR_DATASTORE
value: "true"查询所需镜像
cat calico.yaml |grep image|uniq
image: docker.io/calico/cni:v3.22.1
image: docker.io/calico/pod2daemon-flexvol:v3.22.1
image: docker.io/calico/node:v3.22.1
image: docker.io/calico/kube-controllers:v3.22.1拉取镜像
ctr -n k8s.io i pull xxx安装calico
kubectl apply -f calico.yaml安装后所有节点ready
kubectl get node
NAME STATUS ROLES AGE VERSION
master1 Ready control-plane,master 4d17h v1.22.8
master2 Ready control-plane,master 4d17h v1.22.8
master3 Ready control-plane,master 4d17h v1.22.8
worker1 Ready <none> 20h v1.22.8systemctl restart kubelet containerd