目录
[1. 关闭防火墙规则,关闭selinux,关闭swap交换:](#1. 关闭防火墙规则,关闭selinux,关闭swap交换:)
[2. 修改主机名:](#2. 修改主机名:)
[3. 有节点修改hosts文件:](#3. 有节点修改hosts文件:)
[4. 所有节点时间同步:](#4. 所有节点时间同步:)
[5. 所有节点实现Linux的资源限制:](#5. 所有节点实现Linux的资源限制:)
[6. 所有节点升级内核(可选):](#6. 所有节点升级内核(可选):)
[7. 调整内核参数:](#7. 调整内核参数:)
[8. 加载 ip_vs 模块:](#8. 加载 ip_vs 模块:)
[1. 安装:](#1. 安装:)
[2. 更改daemon.json配置:](#2. 更改daemon.json配置:)
[1. 定义kubernetes源:](#1. 定义kubernetes源:)
[2. 配置Kubelet使用阿里云的pause镜像:](#2. 配置Kubelet使用阿里云的pause镜像:)
[3. 开机自启kubelet:](#3. 开机自启kubelet:)
[1. 所有 master 节点部署 Haproxy:](#1. 所有 master 节点部署 Haproxy:)
[2. 配置haproxy代理:](#2. 配置haproxy代理:)
[3. 所有 master 节点部署 keepalived:](#3. 所有 master 节点部署 keepalived:)
[4. 配置keepalived 高可用:](#4. 配置keepalived 高可用:)
[5. 编写健康检测脚本:](#5. 编写健康检测脚本:)
[6. 启动高可用代理集群:](#6. 启动高可用代理集群:)
[1. 在 master01 节点上设置集群初始化配置文件:](#1. 在 master01 节点上设置集群初始化配置文件:)
[2. 更新集群初始化配置文件:](#2. 更新集群初始化配置文件:)
[3. 所有节点拉取镜像:](#3. 所有节点拉取镜像:)
[4. master01 节点进行初始化:](#4. master01 节点进行初始化:)
[5. 修改controller-manager和scheduler配置文件:](#5. 修改controller-manager和scheduler配置文件:)
[6. 部署网络插件flannel:](#6. 部署网络插件flannel:)
[7. 所有节点加入集群:](#7. 所有节点加入集群:)
[7.1 所有master 节点加入集群:](#7.1 所有master 节点加入集群:)
[7.2 node 节点加入集群:](#7.2 node 节点加入集群:)
[8. 查看集群信息:](#8. 查看集群信息:)
[1. 安装docker:](#1. 安装docker:)
[2. 所有 node 节点都修改配置文件,加上私有仓库配置](#2. 所有 node 节点都修改配置文件,加上私有仓库配置)
[3. 安装Harbor:](#3. 安装Harbor:)
[4. 生成证书:](#4. 生成证书:)
[5. 访问:](#5. 访问:)
一、环境规划:
| 服务器类型 | ip地址 |
|---|---|
| master01 | 192.168.88.100 |
| master02 | 192.168.88.101 |
| master03 | 192.168.88.103 |
| node01 | 192.168.88.104 |
| node02 | 192.168.88.105 |
| hub.wzw.com | 192.168.88.106 |
二、注意事项:
- master节点cpu核心数要求大于2
- 最新的版本不一定好,但相对于旧版本,核心功能稳定,但新增功能、接口相对不稳
- 学会一个版本的 高可用部署,其他版本操作都差不多
- 宿主机尽量升级到CentOS 7.9
- 内核kernel升级到 4.19+ 这种稳定的内核
- 部署k8s版本时,尽量找 1.xx.5 这种大于5的小版本(这种一般是比较稳定的版本)
三、环境准备:
1. 关闭防火墙规则,关闭selinux,关闭swap交换:
bash
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
sed -i 's/enforcing/disabled/' /etc/selinux/config
iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X
swapoff -a
sed -ri 's/.*swap.*/#&/' /etc/fstab2. 修改主机名:
bash
hostnamectl set-hostname master01
hostnamectl set-hostname master02
hostnamectl set-hostname master03
hostnamectl set-hostname node01
hostnamectl set-hostname node023. 有节点修改hosts文件:
bash
cat >> /etc/hosts << EOF
192.168.88.100 master01
192.168.88.101 master02
192.168.88.103 master03
192.168.88.104 node01
192.168.88.105 node02
EOF4. 所有节点时间同步:
bash
yum -y install ntpdate
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
echo 'Asia/Shanghai' >/etc/timezone
ntpdate time2.aliyun.com
systemctl enable --now crond
crontab -e
*/30 * * * * /usr/sbin/ntpdate time2.aliyun.com5. 所有节点实现Linux的资源限制:
bash
vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
* soft nproc 65535
* hard nproc 655350
* soft memlock unlimited
* hard memlock unlimited6. 所有节点升级内核(可选):
bash
wget http://193.49.22.109/elrepo/kernel/el7/x86_64/RPMS/kernel-ml-devel-4.19.12-1.el7.elrepo.x86_64.rpm -O /opt/kernel-ml-devel-4.19.12-1.el7.elrepo.x86_64.rpm
wget http://193.49.22.109/elrepo/kernel/el7/x86_64/RPMS/kernel-ml-4.19.12-1.el7.elrepo.x86_64.rpm -O /opt/kernel-ml-4.19.12-1.el7.elrepo.x86_64.rpm
cd /opt/
yum localinstall -y kernel-ml*
#更改内核启动方式
grub2-set-default 0 && grub2-mkconfig -o /etc/grub2.cfg
grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"
grubby --default-kernel
reboot7. 调整内核参数:
bash
cat > /etc/sysctl.d/k8s.conf <<EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
fs.may_detach_mounts = 1
vm.overcommit_memory=1
vm.panic_on_oom=0
fs.inotify.max_user_watches=89100
fs.file-max=52706963
fs.nr_open=52706963
net.netfilter.nf_conntrack_max=2310720
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl =15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 327680
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.ip_conntrack_max = 65536
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_timestamps = 0
net.core.somaxconn = 16384
EOF
#生效参数
sysctl --system 8. 加载 ip_vs 模块:
bash
for i in $(ls /usr/lib/modules/$(uname -r)/kernel/net/netfilter/ipvs|grep -o "^[^.]*");do echo $i; /sbin/modinfo -F filename $i >/dev/null 2>&1 && /sbin/modprobe $i;done四、所有节点安装docker:
1. 安装:
bash
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io2. 更改daemon.json配置:
bash
cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors": ["https://6ijb8ubo.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "500m", "max-file": "3"
}
}
EOF
#将docker的资源限制更改为systemd,保持与k8s一致
systemctl daemon-reload
systemctl restart docker.service
systemctl enable docker.service 五、安装kubeadm,kubelet和kubectl:
所有节点安装kubeadm,kubelet和kubectl
1. 定义kubernetes源:
bash
cat > /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
yum install -y kubelet-1.20.15 kubeadm-1.20.15 kubectl-1.20.152. 配置Kubelet使用阿里云的pause镜像:
bash
cat > /etc/sysconfig/kubelet <<EOF
KUBELET_EXTRA_ARGS="--cgroup-driver=systemd --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.2"
EOF3. 开机自启kubelet:
bash
systemctl enable --now kubelet六、高可用组件安装、配置:
1. 所有 master 节点部署 Haproxy:
bash
yum -y install haproxy2. 配置haproxy代理:
bash
cat > /etc/haproxy/haproxy.cfg << EOF
global
log 127.0.0.1 local0 info
log 127.0.0.1 local1 warning
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
defaults
mode tcp
log global
option tcplog
option dontlognull
option redispatch
retries 3
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s
maxconn 3000
frontend monitor-in
bind *:33305
mode http
option httplog
monitor-uri /monitor
frontend k8s-master
bind *:16443 #如果与apiserver部署在同一台机器上监听端口会冲突,更改监听端口
mode tcp
option tcplog
default_backend k8s-master
backend k8s-master
mode tcp
option tcplog
option tcp-check
balance roundrobin
server k8s-master1 192.168.88.100:6443 check inter 10000 fall 2 rise 2 weight 1
server k8s-master2 192.168.88.101:6443 check inter 10000 fall 2 rise 2 weight 1
server k8s-master3 192.168.88.103:6443 check inter 10000 fall 2 rise 2 weight 1
EOF3. 所有 master 节点部署 keepalived:
bash
yum -y install keepalived4. 配置keepalived 高可用:
bash
cd /etc/keepalived/
vim keepalived.conf
! Configuration File for keepalived
global_defs {
router_id LVS_HA1
}
vrrp_script chk_haproxy {
script "/etc/keepalived/check_haproxy.sh"
interval 2
weight 2
}
vrrp_instance VI_1 {
state MASTER
interface ens33
virtual_router_id 51
priority 100
advert_int 1
virtual_ipaddress {
192.168.80.200
}
track_script {
chk_haproxy
}
}5. 编写健康检测脚本:
bash
vim check_haproxy.sh
#!/bin/bash
if ! killall -0 haproxy; then
systemctl stop keepalived
fi
chmod +x check_haproxy.sh6. 启动高可用代理集群:
bash
systemctl enable --now haproxy
systemctl enable --now keepalived七、部署K8S集群:
1. 在 master01 节点上设置集群初始化配置文件:
bash
kubeadm config print init-defaults > /opt/kubeadm-config.yaml
cd /opt/
vim kubeadm-config.yaml
......
11 localAPIEndpoint:
12 advertiseAddress: 192.168.80.10 #指定当前master节点的IP地址
13 bindPort: 6443
21 apiServer:
22 certSANs: #在apiServer属性下面添加一个certsSANs的列表,添加所有master节点的IP地址和集群VIP地址
23 - 192.168.80.100
24 - 192.168.80.10
25 - 192.168.80.11
26 - 192.168.80.12
30 clusterName: kubernetes
31 controlPlaneEndpoint: "192.168.80.100:16444" #指定集群VIP地址
32 controllerManager: {}
38 imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers #指定镜像下载地址
39 kind: ClusterConfiguration
40 kubernetesVersion: v1.20.15 #指定kubernetes版本号
41 networking:
42 dnsDomain: cluster.local
43 podSubnet: "10.244.0.0/16" #指定pod网段,10.244.0.0/16用于匹配flannel默认网段
44 serviceSubnet: 10.96.0.0/16 #指定service网段
45 scheduler: {}
#末尾再添加以下内容
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs #把默认的kube-proxy调度方式改为ipvs模式2. 更新集群初始化配置文件:
bash
kubeadm config migrate --old-config kubeadm-config.yaml --new-config new.yaml3. 所有节点拉取镜像:
bash
#拷贝yaml配置文件给其他主机,通过配置文件进行拉取镜像
for i in master02 master03 node01 node02; do scp /opt/new.yaml $i:/opt/; done
kubeadm config images pull --config /opt/new.yaml4. master01 节点进行初始化:
bash
kubeadm init --config new.yaml --upload-certs | tee kubeadm-init.log初始化后会出现以下信息用来加入k8s集群:
bash
#提示:
.........
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
#这个命令是常规用户身份运行,在master01节点执行此命令
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
#如果是root用户,在master01节点执行此命令,两种都行,自己选
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of the control-plane node running the following command on each as root:
#master节点加入使用的命令,记录!
kubeadm join 192.168.88.200:16443 --token 7t2weq.bjbawausm0jaxury \
--discovery-token-ca-cert-hash sha256:e76e4525ca29a9ccd5c24142a724bdb6ab86512420215242c4313fb830a4eb98 \
--control-plane --certificate-key 0f2a7ff2c46ec172f834e237fcca8a02e7c29500746594c25d995b78c92dde96
Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.
Then you can join any number of worker nodes by running the following on each as root:
#node节点加入使用的命令。记录!
kubeadm join 192.168.88.200:16443 --token 7t2weq.bjbawausm0jaxury \
--discovery-token-ca-cert-hash sha256:e76e4525ca29a9ccd5c24142a724bdb6ab86512420215242c4313fb830a4eb985. 修改controller-manager和scheduler配置文件:
bash
vim /etc/kubernetes/manifests/kube-scheduler.yaml
vim /etc/kubernetes/manifests/kube-controller-manager.yaml
......
#- --port=0 #搜索port=0,把这一行注释掉
systemctl restart kubelet
所有master节点配置6. 部署网络插件flannel:
bash
所有节点上传 flannel 镜像 flannel.tar 和网络插件 cni-plugins-linux-amd64-v0.8.6.tgz 到 /opt 目录,master节点上传 kube-flannel.yml 文件
cd /opt
docker load < flannel.tar
mv /opt/cni /opt/cni_bak
mkdir -p /opt/cni/bin
tar zxvf cni-plugins-linux-amd64-v0.8.6.tgz -C /opt/cni/bin
#注意自己使用的版本
kubectl apply -f kube-flannel.yml 7. 所有节点加入集群:
7.1 所有master 节点加入集群:
使用自己的token
bash
kubeadm join 192.168.88.200:16443 --token 7t2weq.bjbawausm0jaxury \
--discovery-token-ca-cert-hash sha256:e76e4525ca29a9ccd5c24142a724bdb6ab86512420215242c4313fb830a4eb98 \
--control-plane --certificate-key 0f2a7ff2c46ec172f834e237fcca8a02e7c29500746594c25d995b78c92dde96
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config7.2 node 节点加入集群:
bash
kubeadm join 192.168.88.200:16443 --token 7t2weq.bjbawausm0jaxury \
--discovery-token-ca-cert-hash sha256:e76e4525ca29a9ccd5c24142a724bdb6ab86512420215242c4313fb830a4eb988. 查看集群信息:
bash
#在 master01 查看集群信息
kubectl get nodes
kubectl get pod -A八、安装Harbor私有仓库:
新开一台服务器,ip地址为:192.168.88.106
1. 安装docker:
bash
//修改主机名
hostnamectl set-hostname hub.wzw.com
//所有节点加上主机名映射
echo '192.168.88.106 hub.wzw.com' >> /etc/hosts
//安装 docker
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io
mkdir /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors": ["https://6ijb8ubo.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"insecure-registries": ["https://hub.wzw.com"]
}
EOF
systemctl start docker
systemctl enable docker2. 所有 node 节点都修改配置文件,加上私有仓库配置
bash
cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors": ["https://6ijb8ubo.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"insecure-registries": ["https://hub.wzw.com"]
}
EOF
systemctl daemon-reload
systemctl restart docker3. 安装Harbor:
bash
cd /opt/
#上传 harbor-offline-installer-v1.2.2.tgz 和 docker-compose 文件到 /opt 目录
cp docker-compose /usr/local/bin
chmod +x /usr/local/bin/docker-compose
#将docker-compose编排工具复制到bin目录,并添加执行权限
tar -zxvf harbor-offline0installer-v1.2.2.tgz
#将harbor包解包
cd harbor.cfg
vim harbor.cfg
5 hostname = hub.wzw.com
9 ui_url_protocol = https
24 ssl_cert = /data/cert/server.crt
25 ssl_cert_key = /data/cert/server.key
59 harbor_admin_password = Harbor123454. 生成证书:
bash
mkdir -p /data/cert
#创建证书目录
cd /data/cert
openssl genrsa -des3 -out server.key 2048
#生成私钥
//输入两遍密码:123456
openssl req -new -key server.key -out server.csr
#生成证书签名请求文件
//输入私钥密码:123456
//输入国家名:CN
//输入省名:BJ
//输入市名:BJ
//输入组织名:www
//输入机构名:www
//输入域名:hub.wzw.com
//输入管理员邮箱:admin@ydq.com
//其它全部直接回车
cp server.key server.key.org
#备份私钥
openssl rsa -in server.key.org -out server.key
#清除私钥密码:123456,重新生成一个文件,覆盖以前的带密码的。
openssl x509 -req -days 1000 -in server.csr -signkey server.key -out server.crt
#签名证书
chmod +x /data/cert/*
#全部添加执行权限
cd /opt/harbor/
./install.sh
#执行脚本5. 访问:
bash
在本地使用火狐浏览器访问:https://hub.wzw.com
添加例外 -> 确认安全例外
用户名:admin
密码:Harbor12345