# Deploying Kubernetes 1.29 with kubeadm on Debian 12

## Preparation

- Prepare three Debian 12 virtual machines with the following configuration:

  | Hostname | IP | Resources |
  | --- | --- | --- |
  | k8s-master1 | 192.168.31.60 | 4 vCPU, 8 GiB RAM, 50 GiB disk |
  | k8s-worker1 | 192.168.31.61 | 4 vCPU, 8 GiB RAM, 50 GiB disk |
  | k8s-worker2 | 192.168.31.62 | 4 vCPU, 8 GiB RAM, 50 GiB disk |

- Allow the `root` account to log in remotely over SSH:
  - Open `/etc/ssh/sshd_config` and find the following line:

    ```shell
    #PermitRootLogin prohibit-password
    ```

  - Uncomment it and change the value to `yes` so that root can log in remotely. The line should then read as follows (`yes` also permits password logins for root; once the key-based login set up below is in place, `prohibit-password` would restrict root to keys only):

    ```shell
    PermitRootLogin yes
    ```

  - Save the file, close the editor, and restart the SSH service to apply the change:

    ```shell
    sudo systemctl restart ssh
    ```

- Install the required packages:

  ```shell
  apt-get install -y vim curl sudo net-tools telnet chrony ipvsadm
  ```

- Disable swap on all three machines:

  ```shell
  swapoff -a
  sed -i 's/.*swap.*/#&/' /etc/fstab
  ```

- Disable the firewall:

  ```shell
  iptables -F
  systemctl stop iptables nftables
  systemctl disable iptables nftables
  ```

- Set up passwordless SSH between the three hosts:
  - First run `ssh-keygen` on each host and press Enter at every prompt until it finishes.
  - Then append the following three entries to the end of `/etc/hosts` on each VM:

    ```shell
    192.168.31.60 k8s-master1
    192.168.31.61 k8s-worker1
    192.168.31.62 k8s-worker2
    ```

  - Finally run the following on each of the three hosts:

    ```shell
    ssh-copy-id k8s-master1
    ssh-copy-id k8s-worker1
    ssh-copy-id k8s-worker2
    ```
- Adjust the kernel parameters on all three hosts by running:

  ```shell
  # Load the br_netfilter module
  modprobe br_netfilter
  # Create the sysctl configuration file
  cat > /etc/sysctl.d/k8s.conf <<EOF
  net.bridge.bridge-nf-call-ip6tables = 1
  net.bridge.bridge-nf-call-iptables = 1
  net.ipv4.ip_forward = 1
  EOF
  # Apply the kernel settings
  sysctl -p /etc/sysctl.d/k8s.conf
  ```

- Install docker, containerd and crictl on all three hosts:

  ```shell
  # Remove leftover packages to avoid install conflicts
  for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt-get remove $pkg; done
  # Refresh package metadata before installing
  # Add Docker's official GPG key:
  sudo apt-get update
  sudo apt-get install ca-certificates curl
  sudo install -m 0755 -d /etc/apt/keyrings
  sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
  sudo chmod a+r /etc/apt/keyrings/docker.asc
  # Add the repository to Apt sources:
  echo \
    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
    sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
  sudo apt-get update
  # Install the container packages
  sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
  # Install crictl
  VERSION="v1.29.0"
  wget https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-$VERSION-linux-amd64.tar.gz
  sudo tar zxvf crictl-$VERSION-linux-amd64.tar.gz -C /usr/local/bin
  rm -f crictl-$VERSION-linux-amd64.tar.gz
  ```

- Adjust the containerd configuration:
  - Run `containerd config default > /etc/containerd/config.toml`, open `/etc/containerd/config.toml`, change `SystemdCgroup = false` to `SystemdCgroup = true`, and finally run `systemctl enable containerd --now && systemctl restart containerd`.
  - Generate the `/etc/crictl.yaml` configuration file as follows:

    ```shell
    cat > /etc/crictl.yaml <<EOF
    runtime-endpoint: unix:///run/containerd/containerd.sock
    image-endpoint: unix:///run/containerd/containerd.sock
    timeout: 10
    debug: false
    EOF
    ```

- Configure time synchronization on all three hosts by running:

  ```shell
  echo 'server ntp.aliyun.com iburst' > /etc/chrony/sources.d/local-ntp-server.source
  chronyc reload sources
  # Check clock status
  chronyc tracking
  ```
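As an added preflight check (not part of the original post), the script below verifies the node settings configured in the steps above before kubeadm is run; every check takes the file to inspect as a parameter, so it can run against copies of the files as well as the live node, and the `preflight` wrapper with its live `swapon`/`lsmod` checks is an assumption about a standard Debian 12 host.

```shell
#!/bin/sh
# Added preflight check (not part of the original post): verifies the node
# settings configured above before kubeadm is run. Each function takes the
# file to inspect as a parameter and returns 0 on success, 1 on failure.

# All three keys written to /etc/sysctl.d/k8s.conf must be set to 1.
check_sysctl_file() {
  for key in net.bridge.bridge-nf-call-ip6tables \
             net.bridge.bridge-nf-call-iptables net.ipv4.ip_forward; do
    grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" \
      || { echo "$1: $key is not set to 1"; return 1; }
  done
}

# containerd must use the systemd cgroup driver (SystemdCgroup = true),
# matching cgroupDriver: systemd in the KubeletConfiguration.
check_containerd_cgroup() {
  grep -Eq '^[[:space:]]*SystemdCgroup[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1" \
    || { echo "$1: SystemdCgroup is not true"; return 1; }
}

# No active (uncommented) swap entry may remain in fstab.
check_fstab_no_swap() {
  if grep -Ev '^[[:space:]]*#' "$1" | grep -q swap; then
    echo "$1: active swap entry found"; return 1
  fi
}

# crictl must talk to containerd over its Unix socket.
check_crictl_endpoint() {
  grep -q '^runtime-endpoint: unix:///run/containerd/containerd.sock$' "$1" \
    || { echo "$1: runtime-endpoint is not containerd"; return 1; }
}

# Run everything against the live node (assumes swapon/lsmod are available).
preflight() {
  rc=0
  [ -z "$(swapon --noheadings 2>/dev/null)" ] || { echo "swap is still active"; rc=1; }
  lsmod | grep -q '^br_netfilter' || { echo "br_netfilter is not loaded"; rc=1; }
  check_sysctl_file /etc/sysctl.d/k8s.conf || rc=1
  check_containerd_cgroup /etc/containerd/config.toml || rc=1
  check_fstab_no_swap /etc/fstab || rc=1
  check_crictl_endpoint /etc/crictl.yaml || rc=1
  return $rc
}
```

Run `preflight` on each host and only continue to the kubeadm steps when it exits 0.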
## Installing kubeadm, kubelet and kubectl

```shell
sudo apt-get update
# apt-transport-https may be a dummy package; if so, you can skip that package
sudo apt-get install -y apt-transport-https ca-certificates curl gpg
# If the directory `/etc/apt/keyrings` does not exist, it should be created before the curl command, read the note below.
# sudo mkdir -p -m 755 /etc/apt/keyrings
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
# This overwrites any existing configuration in /etc/apt/sources.list.d/kubernetes.list
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl
sudo systemctl enable --now kubelet
```
## Initializing the cluster with kubeadm

- Point `crictl` at containerd as its runtime on all three VMs:

  ```shell
  crictl config runtime-endpoint unix:///run/containerd/containerd.sock
  ```

- Generate the kubeadm init configuration file and edit it:
  - Generate the configuration file `kubeadm.yaml`:

    ```shell
    kubeadm config print init-defaults > kubeadm.yaml
    ```

  - Change `advertiseAddress` to the control-plane node's IP and change the control-plane node's `name` to `k8s-master1`.
  - Add the `podSubnet` field:

    ```yaml
    kind: ClusterConfiguration
    kubernetesVersion: 1.29.0
    networking:
      dnsDomain: cluster.local
      podSubnet: 10.244.0.0/16 # pod network CIDR; this line must be added
      serviceSubnet: 10.96.0.0/12
    scheduler: {}
    ```

  - Add the kube-proxy and kubelet configuration; the `---` document separators must not be omitted:

    ```yaml
    ---
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    mode: ipvs
    ---
    apiVersion: kubelet.config.k8s.io/v1beta1
    kind: KubeletConfiguration
    cgroupDriver: systemd
    ```
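As an added example (not part of the original post), the script below writes the complete four-document `kubeadm.yaml` that the edits above produce, parameterized on the control-plane IP and hostname, and then validates it; it deliberately leaves out the `bootstrapTokens` block that `kubeadm config print init-defaults` emits, so kubeadm generates a random token instead of keeping the well-known default `abcdef.0123456789abcdef`, and the `criSocket` path is assumed to match the `/etc/crictl.yaml` endpoint configured earlier.

```shell
#!/bin/sh
# Added example (not part of the original post): writes the complete four-document
# kubeadm.yaml described above, parameterized on the control-plane IP and hostname,
# then validates it. bootstrapTokens is deliberately left out so kubeadm generates
# a random token instead of keeping init-defaults' well-known abcdef.0123456789abcdef.
write_kubeadm_config() {
  cat > "$1" <<EOF
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: $2
  bindPort: 6443
nodeRegistration:
  criSocket: unix:///run/containerd/containerd.sock
  name: $3
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: 1.29.0
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd
EOF
}

# Reject a file that still carries init-defaults placeholders or lacks a document.
validate_kubeadm_config() {
  for kind in InitConfiguration ClusterConfiguration \
              KubeProxyConfiguration KubeletConfiguration; do
    grep -q "^kind: ${kind}\$" "$1" || { echo "missing $kind"; return 1; }
  done
  grep -q 'advertiseAddress: 1.2.3.4' "$1" && { echo "placeholder advertiseAddress"; return 1; }
  grep -q 'token: abcdef.0123456789abcdef' "$1" && { echo "default bootstrap token present"; return 1; }
  grep -q '^  podSubnet: ' "$1" || { echo "podSubnet missing"; return 1; }
}

# Example use with the values from the table at the top of the guide:
# write_kubeadm_config kubeadm.yaml 192.168.31.60 k8s-master1 && validate_kubeadm_config kubeadm.yaml
```

`validate_kubeadm_config` can also be run against a hand-edited `kubeadm.yaml` to catch a forgotten placeholder before `kubeadm init`.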
- Run the initialization:

  ```shell
  kubeadm init --config=kubeadm.yaml
  ```

- Authorize `kubectl` so it can manage the cluster. Note that `admin.conf` carries cluster-admin credentials, so the copies placed on the worker nodes need the same protection as the original:

  ```shell
  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config
  # Copy the access credentials to the worker nodes
  scp -r /root/.kube k8s-worker1:/root
  scp -r /root/.kube k8s-worker2:/root
  ```

- Test `kubectl`:

  ```shell
  kubectl get nodes
  ```

- If an error occurs, run the following to reset the node, then troubleshoot:

  ```shell
  kubeadm reset
  ```

- Join `k8s-worker1` and `k8s-worker2` to the cluster:

  ```shell
  # On the control-plane node: generate the join command
  kubeadm token create --print-join-command
  # On each worker node: run the printed command to join the cluster
  kubeadm join 192.168.31.60:6443 --token k1biqb.7vbcgtguh54ju81c --discovery-token-ca-cert-hash sha256:82b02d429821cc106a540a9507d1066a3fe8103d7b79a6581adfdd405744079d
  ```
- Install calico to bring up the cluster network:
  - Download the v3.27 manifests: fetch the two files `tigera-operator.yaml` and `custom-resources.yaml` from https://github.com/projectcalico/calico/tree/release-v3.27/manifests
  - Run `kubectl create -f tigera-operator.yaml` to install the calico images and base configuration.
  - Edit `custom-resources.yaml`: change `cidr` to `10.244.0.0/16` and add the `nodeAddressAutodetectionV4` field:

    ```yaml
    # This section includes base Calico installation configuration.
    # For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.Installation
    apiVersion: operator.tigera.io/v1
    kind: Installation
    metadata:
      name: default
    spec:
      # Configures Calico networking.
      calicoNetwork:
        # Note: The ipPools section cannot be modified post-install.
        ipPools:
        - blockSize: 26
          # Fill in your own pod network CIDR
          cidr: 10.244.0.0/16
          encapsulation: VXLANCrossSubnet
          natOutgoing: Enabled
          nodeSelector: all()
        # Bind to your own network interface; by default the first interface is used
        nodeAddressAutodetectionV4:
          interface: ens*
    ---
    # This section configures the Calico API server.
    # For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.APIServer
    apiVersion: operator.tigera.io/v1
    kind: APIServer
    metadata:
      name: default
    spec: {}
    ```

  - Run `watch kubectl get pods -n calico-system` and wait for the network to finish coming up.
  - Run `kubectl get nodes` to confirm the network is working.