一、前期系统环境准备
1、关闭防火墙与selinux
[root@k8s-master ~]# systemctl stop firewalld
[root@k8s-master ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@k8s-master ~]# setenforce 0
[root@k8s-master ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux
[root@k8s-master ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
2、配置主机映射
[root@k8s-master ~]# vim /etc/hosts
10.0.0.11 k8s-master
10.0.0.22 k8s-node01
10.0.0.33 k8s-node02
[root@k8s-master ~]# scp /etc/hosts root@10.0.0.22:/etc/hosts
[root@k8s-master ~]# scp /etc/hosts root@10.0.0.22:/etc/hosts
3、测试映射效果
[root@k8s-master ~]# ping k8s-node01
PING k8s-node01 (10.0.0.22) 56(84) bytes of data.
64 bytes from k8s-node01 (10.0.0.22): icmp_seq=1 ttl=64 time=0.346 ms
64 bytes from k8s-node01 (10.0.0.22): icmp_seq=2 ttl=64 time=0.265 ms
^C
--- k8s-node01 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.265/0.305/0.346/0.044 ms
[root@k8s-master ~]# ping k8s-node02
PING k8s-node02 (10.0.0.33) 56(84) bytes of data.
64 bytes from k8s-node02 (10.0.0.33): icmp_seq=1 ttl=64 time=0.306 ms
64 bytes from k8s-node02 (10.0.0.33): icmp_seq=2 ttl=64 time=0.193 ms
^C
--- k8s-node02 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
4、配置主机间免密登录
[root@k8s-master ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:pJNP7Nx9pi00P7w8nBNECxdAyHyKPnc6UNaLdXYs6b8 root@k8s-master
The key's randomart image is:
+---[RSA 2048]----+
| o oo... |
| + o o |
| .. + + + |
| =. + o B o|
| +.So o * o |
| *+.o.= o |
| ++.+.=o+ |
| o .*O .|
| ...+E.|
+----[SHA256]-----+
[root@k8s-master ~]# ssh-copy-id root@10.0.0.22
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed:
"/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to
filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are
prompted now it is to install the new keys
root@10.0.0.22's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.0.0.22'"
and check to make sure that only the key(s) you wanted were added.
[root@k8s-master ~]# ssh-copy-id root@10.0.0.33
5、配置yum源
[root@k8s-master ~]# cd /etc/yum.repos.d/
# docker软件源
[root@k8s-master yum.repos.d]# vim docker-ce.repo
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://mirrors.aliyun.com/dockerce/linux/centos/$releasever/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-stable-debuginfo]
name=Docker
CE Stable - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/dockerce/linux/centos/$releasever/debug-$basearch/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-stable-source]
name=Docker
CE Stable - Sources
baseurl=https://mirrors.aliyun.com/dockerce/linux/centos/$releasever/source/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test]
name=Docker CE Test - $basearch
baseurl=https://mirrors.aliyun.com/dockerce/linux/centos/$releasever/$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test-debuginfo]
name=Docker
CE Test - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/dockerce/linux/centos/$releasever/debug-$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test-source]
name=Docker
CE Test - Sources
baseurl=https://mirrors.aliyun.com/dockerce/linux/centos/$releasever/source/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly]
name=Docker
CE Nightly - $basearch
baseurl=https://mirrors.aliyun.com/dockerce/linux/centos/$releasever/$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly-debuginfo]
name=Docker
CE Nightly - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/dockerce/linux/centos/$releasever/debug-$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly-source]
name=Docker
CE Nightly - Sources
baseurl=https://mirrors.aliyun.com/dockerce/linux/centos/$releasever/source/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
#
K8S软件源
[root@k8s-master yum.repos.d]# vim kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-
x86_64/
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
[root@k8s-master yum.repos.d]# yum clean all && yum makecache
[root@k8s-master yum.repos.d]# scp docker-ce.repo
root@10.0.0.22:/etc/yum.repos.d/
docker-ce.repo 100% 2073
1.9MB/s 00:00
[root@k8s-master yum.repos.d]# scp kubernetes.repo
root@10.0.0.22:/etc/yum.repos.d/
kubernetes.repo 100% 211
281.2KB/s 00:00
[root@k8s-master yum.repos.d]# scp docker-ce.repo
root@10.0.0.33:/etc/yum.repos.d/
docker-ce.repo 100% 2073
1.9MB/s 00:00
[root@k8s-master yum.repos.d]# scp kubernetes.repo
root@10.0.0.33:/etc/yum.repos.d/
kubernetes.repo 100% 211
281.2KB/s 00:00
6、安装必备工具
[root@k8s-master ~]# yum install wget jq psmisc vim net-tools telnet yum-utils
device-mapper-persistent-data lvm2 git -y
7、关闭swap 分区
[root@k8s-master ~]# swapoff -a && sysctl -w vm.swappiness=0
vm.swappiness = 0
[root@k8s-master ~]# sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab
8、同步时间
[root@k8s-master ~]# yum -y install ntpdate
[root@k8s-master ~]# ntpdate time2.aliyun.com
4 Sep 10:08:59 ntpdate[1897]: adjust time server 203.107.6.88 offset 0.007780
sec
[root@k8s-master ~]# which ntpdate
/usr/sbin/ntpdate
[root@k8s-master ~]# crontab -e
* 5 * * * /usr/sbin/ntpdate time2.aliyun.com
9、配置 limit
# 单个进程可以打开的⽂件数量将被限制为 65535
[root@k8s-master ~]# ulimit -SHn 65535
[root@k8s-master ~]# vim /etc/security/limits.conf
# 末尾添加如下内容
* soft nofile 65536
* hard nofile 131072
* soft nproc 65535
* hard nproc 655350
* soft memlock unlimited
* hard memlock unlimited
10、安装 k8s ⾼可⽤性 Git 仓库并重启
# 在 /root/ ⽬录下克隆⼀个名为 k8s-ha-install.git 的 Git 仓库
[root@k8s-master ~]# git clone https://gitee.com/dukuan/k8s-ha-install.git
正克隆到 'k8s-ha-install'...
remote: Enumerating objects: 920, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 920 (delta 1), reused 0 (delta 0), pack-reused 912
接收对象中: 100% (920/920), 19.74 MiB | 1.51 MiB/s, done.
处理 delta 中: 100% (388/388), done.
[root@k8s-master ~]# cd k8s-ha-install/
[root@k8s-master k8s-ha-install]# ls
calico.yaml krm.yaml LICENSE metrics-server-0.3.7 metrics-server-3.6.1
README.md
[root@k8s-master k8s-ha-install]# reboot
二、配置内核模块
1、配置ipvs模块
[root@k8s-master ~]# yum install ipvsadm ipset sysstat conntrack libseccomp -
y
# 使⽤ modprobe 命令加载内核模块,核⼼ IPVS 模块。
[root@k8s-master ~]# modprobe -- ip_vs
# IPVS 负载均衡算法 rr。
[root@k8s-master ~]# modprobe -- ip_vs_rr
# IPVS 负载均衡算法 wrr
[root@k8s-master ~]# modprobe -- ip_vs_wrr
# ⽤于源端负载均衡的模块
[root@k8s-master ~]# modprobe -- ip_vs_sh
# ⽤于⽹络流量过滤和跟踪的模块
[root@k8s-master ~]# modprobe -- nf_conntrack
# 在系统启动时加载下列 IPVS 和相关功能所需的模块
[root@k8s-master ~]# find / -name "ipvs.config"
[root@k8s-master ~]# vim /etc/modules-load.d/ipvs.config
ip_vs
# 负载均衡模块
ip_vs_lc
# ⽤于实现基于连接数量的负载均衡算法
ip_vs_wlc
# ⽤于实现带权重的最少连接算法的模块
ip_vs_rr
# 负载均衡rr算法模块
ip_vs_wrr
# 负载均衡wrr算法模块
ip_vs_lblc
# 负载均衡算法,它结合了最少连接(LC)算法和基于偏置的轮询(Round Robin with Bias)算法
ip_vs_lblcr
# ⽤于实现基于链路层拥塞状况的最少连接负载调度算法的模块
ip_vs_dh
# ⽤于实现基于散列(Hashing)的负载均衡算法的模块
ip_vs_sh
# ⽤于源端负载均衡的模块
ip_vs_fo
# ⽤于实现基于本地服务的负载均衡算法的模块
ip_vs_nq
# ⽤于实现NQ算法的模块
ip_vs_sed
# ⽤于实现随机早期检测(Random Early Detection)算法的模块
ip_vs_ftp
# ⽤于实现FTP服务的负载均衡模块
ip_vs_sh
nf_conntrack
# ⽤于跟踪⽹络连接的状态的模块
ip_tables
# ⽤于管理防护墙的机制
ip_set
# ⽤于创建和管理IP集合的模块
xt_set
# ⽤于处理IP数据包集合的模块,提供了与iptables等⽹络⼯具的接⼝
ipt_set
# ⽤于处理iptables规则集合的模块
ipt_rpfilter
# ⽤于实现路由反向路径过滤的模块
ipt_REJECT
# iptables模块之⼀,⽤于将不符合规则的数据包拒绝,并返回特定的错误码
ipip
# ⽤于实现IP隧道功能的模块,使得数据可以在两个⽹络之间进⾏传输
[root@k8s-master ~]# sysctl --system
* Applying /usr/lib/sysctl.d/00-system.conf ...
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
kernel.yama.ptrace_scope = 0
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
# 开机⾃启systemd默认提供的⽹络管理服务
[root@k8s-master ~]# systemctl enable systemd-modules-load.service
[root@k8s-master ~]# systemctl start systemd-modules-load.service
# 查看已写⼊加载的模块
[root@k8s-master ~]# lsmod | grep -e ip_vs -e nf_conntrack
ip_vs_sh 12688 0
ip_vs_wrr 12697 0
ip_vs_rr 12600 0
ip_vs 141432 6 ip_vs_rr,ip_vs_sh,ip_vs_wrr
nf_conntrack 133053 1 ip_vs
libcrc32c 12644 3 xfs,ip_vs,nf_conntrack
2、配置k8s内核
# 写⼊k8s所需内核模块
[root@k8s-master ~]# vim /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
# 控制⽹络桥接与iptables之间的⽹络转发⾏为
net.bridge.bridge-nf-call-ip6tables = 1
# ⽤于控制⽹络桥接(bridge)的IP6tables过滤规则。当该参数设置为1时,表示启⽤对⽹络桥接的
IP6tables过滤规则
fs.may_detach_mounts = 1
# ⽤于控制⽂件系统是否允许分离挂载,1表示允许
net.ipv4.conf.all.route_localnet = 1
# 允许本地⽹络上的路由。设置为1表示允许,设置为0表示禁⽌。
vm.overcommit_memory=1
# 控制内存分配策略。设置为1表示允许内存过量分配,设置为0表示不允许。
vm.panic_on_oom=0
# 决定当系统遇到内存不⾜(OOM)时是否产⽣panic。设置为0表示不产⽣panic,设置为1表示产⽣
panic。
fs.inotify.max_user_watches=89100
# inotify可以监视的⽂件和⽬录的最⼤数量。
fs.file-max=52706963
# 系统级别的⽂件描述符的最⼤数量。
fs.nr_open=52706963
# 单个进程可以打开的⽂件描述符的最⼤数量。
net.netfilter.nf_conntrack_max=2310720
# ⽹络连接跟踪表的最⼤⼤⼩。
net.ipv4.tcp_keepalive_time = 600
# TCP保活机制发送探测包的间隔时间(秒)。
net.ipv4.tcp_keepalive_probes = 3
# TCP保活机制发送探测包的最⼤次数。
net.ipv4.tcp_keepalive_intvl =15
# TCP保活机制在发送下⼀个探测包之前等待响应的时间(秒)。
net.ipv4.tcp_max_tw_buckets = 36000
# TCP TIME_WAIT状态的bucket数量。
net.ipv4.tcp_tw_reuse = 1
# 允许重⽤TIME_WAIT套接字。设置为1表示允许,设置为0表示不允许。
net.ipv4.tcp_max_orphans = 327680
# 系统中最⼤的孤套接字数量。
net.ipv4.tcp_orphan_retries = 3
# 系统尝试重新分配孤套接字的次数。
net.ipv4.tcp_syncookies = 1
# ⽤于防⽌SYN洪⽔攻击。设置为1表示启⽤SYN cookies,设置为0表示禁⽤。
net.ipv4.tcp_max_syn_backlog = 16384
# SYN连接请求队列的最⼤⻓度。
net.ipv4.ip_conntrack_max = 65536
# IP连接跟踪表的最⼤⼤⼩。
net.ipv4.tcp_max_syn_backlog = 16384
# 系统中最⼤的监听队列的⻓度。
net.ipv4.tcp_timestamps = 0
# ⽤于关闭TCP时间戳选项。
net.core.somaxconn = 16384
# ⽤于设置系统中最⼤的监听队列的⻓度
# 保存后,所有节点重启,保证重启后内核依然加载
[root@k8s-master ~]# lsmod | grep --color=auto -e ip_vs -e nf_conntrack
ip_vs_sh 12688 0
ip_vs_wrr 12697 0
ip_vs_rr 12600 0
ip_vs 141432 6 ip_vs_rr,ip_vs_sh,ip_vs_wrr
nf_conntrack 133053 1 ip_vs
libcrc32c 12644 3 xfs,ip_vs,nf_conntrack
三、基本组件安装
1、安装 Containerd
1)安装 Docker
# 卸载之前的containerd
[root@k8s-master ~]# yum remove -y podman runc containerd
# 安装Docker和containerd
[root@k8s-master ~]# yum install containerd.io docker-ce dockerce-cli -y
2)配置 Containerd 所需模块
[root@k8s-master ~]# cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
> overlay
> br_netfilter
> EOF
overlay # ⽤于⽀持Overlay⽹络⽂件系统的模块,它可以在现有的⽂件系统之上创建叠加层,以实现
虚拟化、隔离和管理等功能。
br_netfilter # ⽤于containerd的⽹络过滤模块,它可以对进出容器的⽹络流量进⾏过滤和管理。
[root@k8s-master ~]# cat /etc/modules-load.d/containerd.conf
overlay
br_netfilter
[root@k8s-master ~]# modprobe -- overlay
[root@k8s-master ~]# modprobe -- br_netfilter
3)配置 Containerd 所需内核
[root@k8s-master ~]# vim /etc/sysctl.d/99-kubernetes-cri.conf
net.bridge.bridge-nf-call-iptables = 1
# ⽤于控制⽹络桥接是否调⽤iptables进⾏包过滤和转发。
net.ipv4.ip_forward = 1
# 路由转发,1为开启
net.bridge.bridge-nf-call-ip6tables = 1
# 控制是否在桥接接⼝上调⽤IPv6的iptables进⾏数据包过滤和转发。
[root@k8s-master ~]# sysctl --system
4)Containerd 配置⽂件
[root@k8s-master ~]# mkdir -p /etc/containerd
# 读取containerd的配置并保存到/etc/containerd/config.toml
[root@k8s-master ~]# containerd config default | tee
/etc/containerd/config.toml
[root@k8s-master ~]# vim /etc/containerd/config.toml
# 找到第63行修改为sandbox_image = "registry.cnhangzhou.aliyuncs.com/google_containers/pause:3.9"
#
找到containerd.runtimes.runc.options模块,添加SystemdCgroup = false,如果已经存
在则直接修改(在第127行)
# 添加sandbox_image = "registry.cnhangzhou.aliyuncs.com/google_containers/pause:3.9"(第128行)
# 加载systemctl控制脚本
[root@k8s-master ~]# systemctl daemon-reload
# 启动containerd并设置开机启动
[root@k8s-master ~]# systemctl start containerd.service
[root@k8s-master ~]# systemctl enable containerd.service
Created symlink from /etc/systemd/system/multiuser.target.wants/containerd.service
to
/usr/lib/systemd/system/containerd.service.
5)配置 crictl 客户端连接的运⾏位置
# 配置容器运⾏环境的crictl.yml⽂件
[root@k8s-master ~]# vim /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
# 指定了容器运⾏时的地址为:unix://...
image-endpoint: unix:///run/containerd/containerd.sock
# 指定了镜像运⾏时的地址为:unix://...
timeout: 10
# 设置了超时时间为10秒
debug: false
# 关闭调试模式
2、安装 Kubernetes 组件
# 安装 Kubeadm、Kubelet 和 Kubectl
# 查询最新的Kubernetes版本号
[root@k8s-master ~]# yum list kubeadm.x86_64 --showduplicates | sort -r
# 安装1.28最新版本kubeadm、kubelet和kubectl
[root@k8s-master ~]# yum install kubeadm-1.28* kubelet-1.28* kubectl-1.28* -y
[root@k8s-master ~]# systemctl daemon-reload
# 允许开机⾃启kubelet
[root@k8s-master ~]# systemctl enable --now kubelet
# 查看当前安装的kubeadm版本号
[root@k8s-master ~]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"28", GitVersion:"v1.28.2",
GitCommit:"89a4ea3e1e4ddd7f7572286090359983e0387b2f", GitTreeState:"clean",
BuildDate:"2023-09-13T09:34:32Z", GoVersion:"go1.20.8", Compiler:"gc",
Platform:"linux/amd64"}
3、Kubernetes 集群初始化
1)Kubeadm 配置⽂件
# 修改kubeadm配置⽂件
[root@k8s-master ~]# vim kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta3
# 指定Kubernetes配置文件的版本,使用的是kubeadm API的v1beta3版本
bootstrapTokens:
# 定义bootstrap tokens的信息。这些tokens用于在Kubernetes集群初始化过程中进行身份验证
- groups:
# 定义了与此token关联的组
- system:bootstrappers:kubeadm:default-node-token
token: 7t2weq.bjbawausm0jaxury
# bootstrap token的值
ttl: 24h0m0s
# token的生存时间,这里设置为24小时
usages:
# 定义token的用途
- signing
# 数字签名
- authentication
# 身份验证
kind: InitConfiguration
# 指定配置对象的类型,InitConfiguration:表示这是一个初始化配置
localAPIEndpoint:
# 定义本地API端点的地址和端口
advertiseAddress: 192.168.15.11
bindPort: 6443
nodeRegistration:
# 定义节点注册时的配置
criSocket: unix:///var/run/containerd/containerd.sock
# 容器运行时(CRI)的套接字路径
name: k8s-master
# 节点的名称
taints:
# 标记
- effect: NoSchedule
# 免调度节点
key: node-role.kubernetes.io/control-plane
# 该节点为控制节点
---
apiServer:
# 定义了API服务器的配置
certSANs:
# 为API服务器指定了附加的证书主体名称(SAN),指定IP即可
- 192.168.15.11
timeoutForControlPlane: 4m0s
# 控制平面的超时时间,这里设置为4分钟
apiVersion: kubeadm.k8s.io/v1beta3
# 指定API Server版本
certificatesDir: /etc/kubernetes/pki
# 指定了证书的存储目录
clusterName: kubernetes
# 定义了集群的名称为"kubernetes"
controlPlaneEndpoint: 192.168.15.11:6443
# 定义了控制节点的地址和端口
controllerManager: {}
# 控制器管理器的配置,为空表示使用默认配置
etcd:
# 定义了etcd的配置
local:
# 本地etcd实例
dataDir: /var/lib/etcd
# 数据目录
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
# 指定了Kubernetes使用的镜像仓库的地址,阿里云的镜像仓库。
kind: ClusterConfiguration
# 指定了配置对象的类型,ClusterConfiguration:表示这是一个集群配置
kubernetesVersion: v1.28.2
# 指定了kubernetes的版本
networking:
# 定义了kubernetes集群网络设置
dnsDomain: cluster.local
# 定义了集群的DNS域为:cluster.local
podSubnet: 172.16.0.0/16
# 定义了Pod的子网
serviceSubnet: 10.96.0.0/16
# 定义了服务的子网
scheduler: {}
# 使用默认的调度器行为
# 将旧的kubeadm配置⽂件转换为新的格式
[root@k8s-master ~]# kubeadm config migrate --old-config kubeadm-config.yaml
--new-config new.yaml
[root@k8s-master ~]# vim new.yaml
# 修改第12行、24行、29行的ip地址为自己本机的ip地址
2)下载组件镜像
# 通过新的配置⽂件new.yaml从指定的阿⾥云仓库拉取kubernetes组件镜像
[root@k8s-master ~]# kubeadm config images pull --config /root/new.yaml
[config/images] Pulled registry.cnhangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.28.2
[config/images]
Pulled registry.cnhangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.28.2
[config/images]
Pulled registry.cnhangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.28.2
[config/images]
Pulled registry.cnhangzhou.aliyuncs.com/google_containers/kube-proxy:v1.28.2
[config/images]
Pulled registry.cnhangzhou.aliyuncs.com/google_containers/pause:3.9
[config/images]
Pulled registry.cnhangzhou.aliyuncs.com/google_containers/etcd:3.5.9-0
[config/images]
Pulled registry.cnhangzhou.aliyuncs.com/google_containers/coredns:v1.10.1
3)集群初始化
[root@k8s-master ~]# kubeadm init --config /root/new.yaml --upload-certs
# 等待初始化后保存这些命令
# 当需要加⼊新node节点时,只复制这执行即可
[root@k8s-master ~]# vim token.txt
kubeadm join 10.0.0.200:6443 --token 7t2weq.bjbawausm0jaxury --discoverytoken-ca-cert-hash
sha256:92191cb8741805ac561c5781d936f60a44a3233740209abf6e64738bfecd4c5e
# 当需要⾼可⽤master集群时,将整个token复制下来
--control-plane --certificate-key
f9984be15f98141b212efa176c7a49fcda982888f8869b7cc668e661982cbcc0
4)初始化错误解决
错误信息显示本机内存不够,cpu数量不够,我们现在将本机内存提到4个G,cpu数量提到4个 注意要关闭本主机然后进行修改主机配置的操作
[root@k8s-master ~]# kubeadm init --config /root/new.yaml --upload-certs
错误信息显示需要修改配置文件/proc/sys/net/ipv4/ip_forward
[root@k8s-master ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@k8s-master ~]# kubeadm init --config /root/new.yaml --upload-certs
# 检查kubelet为运行状态
[root@master ~]# systemctl status kubelet
Active: active (running) since 五 2024-09-06 17:33:30 CST; 5min ago
# 可能是配置文件的地址没有改,所以找不到主机,所以超时
[root@k8s-master ~]# vim new.yaml
# 修改第12行、24行、29行的ip地址为自己本机的ip地址
# 初始化重置
[root@k8s-master ~]# kubeadm reset -f ; ipvsadm --clear ; rm -rf ~/.kube
[root@k8s-master ~]# kubeadm init --config /root/new.yaml --upload-certs
5)加载环境变量
[root@k8s-master ~]# vim /root/.bashrc
export KUBECONFIG=/etc/kubernetes/admin.conf
[root@k8s-master ~]# source /root/.bashrc
6)查看组件容器状态
之前采⽤初始化安装⽅式,所有的系统组件均以容器的⽅式运⾏ 并且在 kube-system 命名空间内, 此时可以查看 Pod(容器 组)状态
[root@k8s-master ~]# kubectl get po -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-6554b8b87f-2jslr 0/1 Pending 0 10m
coredns-6554b8b87f-mmgbd 0/1 Pending 0 10m
etcd-k8s-master 1/1 Running 0 10m
kube-apiserver-k8s-master 1/1 Running 0 10m
kube-controller-manager-k8s-master 1/1 Running 3 10m
kube-proxy-tvk64 1/1 Running 0 10m
kube-scheduler-k8s-master 1/1 Running 3 10m
# kubectl:k8s控制命令
# get:获取参数
# po:pod缩写
# -n:指定命名空间
# kube-system:命名空间
4、Token 过期处理
注意:以下步骤是上述初始化命令产⽣的 Token 过期了才需要执 ⾏以下步骤,如果没有过期不需要 执⾏,直接 join 即可。
Token 过期后⽣成新的 token
kubeadm token create --print-join-command
Master 需要⽣成 --certificate-key:
kubeadm init phase upload-certs --upload-certs
5、Node 节点配置
Node 节点上主要部署公司的⼀些业务应⽤,⽣产环境中不建议 Master 节点部署系统组件之外的其 他 Pod,测试环境可以允许 Master 节点部署 Pod 以节省系统资源。
1)查看集群信息
[root@k8s-master ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master NotReady control-plane 25s v1.28.2
2)node 结点基础环境配置
[root@node01 ~]# systemctl stop firewalld
[root@node01 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multiuser.target.wants/firewalld.service.
Removed
symlink /etc/systemd/system/dbusorg.fedoraproject.FirewallD1.service.
[root@node01
~]# setenforce 0
[root@node01 ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g'
/etc/sysconfig/selinux
[root@node01 ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g'
/etc/selinux/config
[root@node01 ~]# vim /etc/hosts
[root@node01 ~]# ls /etc/yum.repos.d/
CentOS-Base.repo epel.repo hh.repo repo.tar.gz
docker-ce.repo epel-testing.repo kubernetes.repo
[root@node01 ~]# yum clean all && yum makecache
[root@node01 ~]# yum install wget jq psmisc vim net-tools telnet yum-utils
device-mapper-persistent-data lvm2 git -y
[root@k8s-master ~]# scp /etc/modules-load.d/containerd.conf
root@10.0.0.250:/etc/modules-load.d/containerd.conf
[root@node01 ~]# vim /etc/modules-load.d/containerd.conf
[root@node01 ~]# modprobe -- br_netfilter
[root@node01 ~]# modprobe -- overlay
[root@k8s-master ~]# scp /etc/sysctl.d/99-kubernetes-cri.conf
root@10.0.0.250:/etc/sysctl.d/99-kubernetes-cri.conf
[root@node01 ~]# vim /etc/sysctl.d/99-kubernetes-cri.conf
[root@node01 ~]# sysctl --system
[root@k8s-master ~]# scp /etc/containerd/config.toml
root@10.0.0.250:/etc/containerd/config.toml
[root@node01 ~]# vim /etc/containerd/config.toml
[root@node01 ~]# systemctl enable --now containerd
[root@node01 ~]# cat > /etc/crictl.yaml <<EOF
> runtime-endpoint: unix:///run/containerd/containerd.sock
> image-endpoint: unix:///run/containerd/containerd.sock
> timeout: 10
> debug: false
> EOF
root@node01 ~]# systemctl status containerd
Active: active (running) since 五 2024-09-06 21:41:46 CST; 2min 13s ago
[root@node01 ~]# yum install kubeadm-1.28* kubelet-1.28* kubectl-1.28* -y
[root@node01 ~]# systemctl daemon-reload
[root@node01 ~]# systemctl enable --now kubelet
[root@node01 ~]# systemctl status kubelet
[root@node01 ~]# yum -y install ntpdate
[root@node01 ~]# ntpdate time2.aliyun.com
[root@node01 ~]# crontab -e
* 5 * * * /usr/sbin/ntpdate time2.aliyun.com
[root@node01 ~]# ulimit -SHn 65535
[root@k8s-master ~]# scp /etc/security/limits.conf
root@10.0.0.250:/etc/security/limits.conf
[root@node01 ~]# vim /etc/security/limits.conf
[root@k8s-master ~]# scp /etc/sysctl.d/k8s.conf
root@10.0.0.250:/etc/sysctl.d/k8s.con
[root@node01 ~]# vim /etc/sysctl.d/k8s.conf
[root@node01 ~]# yum install docker-ce docker-ce-cli containerd.io -y
# node01通过复制master初始化⽣成的token来加⼊集群
[root@node01 ~]# kubeadm join 10.0.0.200:6443 --token 7t2weq.bjbawausm0jaxury
--discovery-token-ca-cert-hash
sha256:92191cb8741805ac561c5781d936f60a44a3233740209abf6e64738bfecd4c5e
[root@node01 ~]# swapoff -a && sysctl -w vm.swappiness=0
[root@node01 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@k8s-master ~]# kubeadm token create --print-join-command
kubeadm join 10.0.0.200:6443 --token mwq6bb.h4eqdzp5vjyhe4iy --discoverytoken-ca-cert-hash
sha256:92191cb8741805ac561c5781d936f60a44a3233740209abf6e64738bfecd4c5e
[root@node01 ~]# kubeadm join 10.0.0.200:6443 --token mwq6bb.h4eqdzp5vjyhe4iy
--discovery-token-ca-cert-hash
sha256:92191cb8741805ac561c5781d936f60a44a3233740209abf6e64738bfecd4c5e
[root@k8s-master ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master NotReady control-plane 24h v1.28.2
node01 NotReady <none> 68s v1.28.2
3)查看集群状态
master 上查看集群状态(NotReady 不影响)
# 获取所有节点信息
[root@k8s-master ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master NotReady control-plane 24h v1.28.2
node01 NotReady <none> 68s v1.28.2
到此建议打快照
6、Calico 组件安装
1)切换 git 分⽀
[root@k8s-master ~]# cd k8s-ha-install/
[root@k8s-master k8s-ha-install]# ls
calico.yaml krm.yaml LICENSE metrics-server-0.3.7 metrics-server-3.6.1
README.md
[root@k8s-master k8s-ha-install]# git checkout manual-installation-v1.28.x
分支 manual-installation-v1.28.x 设置为跟踪来自 origin 的远程分支 manualinstallation-v1.28.x。
切换到一个新分支
'manual-installation-v1.28.x'
2)修改 Pod ⽹段
[root@k8s-master k8s-ha-install]# cd calico/
# 获取已定义的Pod⽹段
[root@k8s-master calico]# POD_SUBNET=`cat /etc/kubernetes/manifests/kubecontroller-manager.yaml
| grep cluster-cidr= | awk -F= '{print $NF}'`
[root@k8s-master calico]# echo $POD_SUBNET
172.16.0.0/16
# 修改calico.yml⽂件中的pod⽹段
[root@k8s-master calico]# sed -i "s#POD_CIDR#${POD_SUBNET}#g" calico.yaml
# 创建calico的pod
[root@k8s-master calico]# kubectl apply -f calico.yaml
3)查看容器和节点状态
[root@k8s-master calico]# kubectl get po -n kube-system
[root@k8s-master calico]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master NotReady control-plane 24h v1.28.2
node01 NotReady <none> 20m v1.28.2
[root@k8s-master calico]# kubectl describe po -n kube-system calico