部署k8s基础环境
一、环境准备
1、主机准备:
k8s-master(192.168.2.90)k8s-node01(192.168.2.91)k8s-node02(192.168.2.92)
2、关闭防火墙、selinux、NetworkManager
[root@k8s-master ~]# systemctl stop firewalld
[root@k8s-master ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@k8s-master ~]# setenforce 0
[root@k8s-master ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux
[root@k8s-master ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
3、设置主机劫持
[root@k8s-master ~]# vim /etc/hosts
192.168.2.90 k8s-master
192.168.2.91 k8s-node01
192.168.2.92 k8s-node02
[root@k8s-master ~]# scp /etc/hosts root@192.168.2.91:/etc/hosts
[root@k8s-master ~]# scp /etc/hosts root@192.168.2.92:/etc/hosts
[root@k8s-master ~]# ping k8s-node01
PING k8s-node01 (192.168.2.91) 56(84) bytes of data.
64 bytes from k8s-node01 (192.168.2.91): icmp_seq=1 ttl=64 time=0.346 ms
64 bytes from k8s-node01 (192.168.2.91): icmp_seq=2 ttl=64 time=0.265 ms
4、设置主机间免密:
[root@k8s-master ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:pJNP7Nx9pi00P7w8nBNECxdAyHyKPnc6UNaLdXYs6b8 root@k8s-master
The key's randomart image is:
+---[RSA 2048]----+
| o oo... |
| + o o |
| .. + + + |
| =. + o B o|
| +.So o * o |
| *+.o.= o |
| ++.+.=o+ |
| o .*O .|
| ...+E.|
+----[SHA256]-----+
[root@k8s-master ~]# ssh-copy-id root@192.168.2.91
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.2.91's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.2.91'"
and check to make sure that only the key(s) you wanted were added.
[root@k8s-master ~]# ssh-copy-id root@192.168.2.92
5、配置yum源:
[root@k8s-master ~]# cd /etc/yum.repos.d/
docker软件源
[root@k8s-master yum.repos.d]# vim docker-ce.repo
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-stable-debuginfo]
name=Docker CE Stable - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/debug-$basearch/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-stable-source]
name=Docker CE Stable - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/source/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test]
name=Docker CE Test - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test-debuginfo]
name=Docker CE Test - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/debug-$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test-source]
name=Docker CE Test - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/source/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly]
name=Docker CE Nightly - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly-debuginfo]
name=Docker CE Nightly - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/debug-$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly-source]
name=Docker CE Nightly - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/source/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
K8S软件源
[root@k8s-master yum.repos.d]# vim kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
[root@k8s-master yum.repos.d]# yum clean all && yum makecache
[root@k8s-master yum.repos.d]# scp docker-ce.repo root@10.0.0.22:/etc/yum.repos.d/
docker-ce.repo 100% 2073 1.9MB/s 00:00
[root@k8s-master yum.repos.d]# scp kubernetes.repo root@10.0.0.22:/etc/yum.repos.d/
kubernetes.repo 100% 211 281.2KB/s 00:00
[root@k8s-master yum.repos.d]# scp docker-ce.repo root@10.0.0.33:/etc/yum.repos.d/
docker-ce.repo 100% 2073 1.9MB/s 00:00
[root@k8s-master yum.repos.d]# scp kubernetes.repo root@10.0.0.33:/etc/yum.repos.d/
kubernetes.repo 100% 211 281.2KB/s 00:00
6、安装必备工具:
[root@k8s-master ~]# yum install wget jq psmisc vim net-tools telnet yum-utils device-mapper-persistent-data lvm2 git -y
7、关闭swap 分区:
[root@k8s-master ~]# swapoff -a && sysctl -w vm.swappiness=0
vm.swappiness = 0
[root@k8s-master ~]# sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab
8、同步时间
[root@k8s-master ~]# yum -y install ntpdate
[root@k8s-master ~]# ntpdate time2.aliyun.com
4 Sep 10:08:59 ntpdate[1897]: adjust time server 203.107.6.88 offset 0.007780 sec
[root@k8s-master ~]# which ntpdate
/usr/sbin/ntpdate
[root@k8s-master ~]# crontab -e
* 5 * * * /usr/sbin/ntpdate time2.aliyun.com
9、配置 limit
单个进程可以打开的⽂件数量将被限制为 65535
[root@k8s-master ~]# ulimit -SHn 65535
[root@k8s-master ~]# vim /etc/security/limits.conf
末尾添加如下内容
* soft nofile 65536
* hard nofile 131072
* soft nproc 65535
* hard nproc 655350
* soft memlock unlimited
* hard memlock unlimited
10、安装 k8s ⾼可⽤性 Git 仓库并重启
在 /root/ ⽬录下克隆⼀个名为 k8s-ha-install.git 的 Git 仓库
[root@k8s-master ~]# git clone https://gitee.com/dukuan/k8s-ha-install.git
正克隆到 'k8s-ha-install'...
remote: Enumerating objects: 920, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 920 (delta 1), reused 0 (delta 0), pack-reused 912
接收对象中: 100% (920/920), 19.74 MiB | 1.51 MiB/s, done.
处理 delta 中: 100% (388/388), done.
[root@k8s-master ~]# cd k8s-ha-install/
[root@k8s-master k8s-ha-install]# ls
calico.yaml krm.yaml LICENSE metrics-server-0.3.7 metrics-server-3.6.1 README.md
[root@k8s-master k8s-ha-install]# reboot
二、配置内核模块
1、配置ipvs模块
[root@k8s-master ~]# yum install ipvsadm ipset sysstat conntrack libseccomp -y
使⽤ modprobe 命令加载内核模块,核⼼ IPVS 模块。
[root@k8s-master ~]# modprobe -- ip_vs
IPVS 负载均衡算法 rr。
[root@k8s-master ~]# modprobe -- ip_vs_rr
IPVS 负载均衡算法 wrr
[root@k8s-master ~]# modprobe -- ip_vs_wrr
⽤于源端负载均衡的模块
[root@k8s-master ~]# modprobe -- ip_vs_sh
⽤于⽹络流量过滤和跟踪的模块
[root@k8s-master ~]# modprobe -- nf_conntrack
在系统启动时加载下列 IPVS 和相关功能所需的模块
[root@k8s-master ~]# find / -name "ipvs.config"
[root@k8s-master ~]# vim /etc/modules-load.d/ipvs.config
ip_vs
负载均衡模块
ip_vs_lc
⽤于实现基于连接数量的负载均衡算法
ip_vs_wlc
⽤于实现带权重的最少连接算法的模块
ip_vs_rr
负载均衡rr算法模块
ip_vs_wrr
负载均衡wrr算法模块
ip_vs_lblc
负载均衡算法,它结合了最少连接(LC)算法和基于偏置的轮询(Round Robin with Bias)算法
ip_vs_lblcr
⽤于实现基于链路层拥塞状况的最少连接负载调度算法的模块
ip_vs_dh
⽤于实现基于散列(Hashing)的负载均衡算法的模块
ip_vs_sh
⽤于源端负载均衡的模块
ip_vs_fo
⽤于实现基于本地服务的负载均衡算法的模块
ip_vs_nq
⽤于实现NQ算法的模块
ip_vs_sed
⽤于实现随机早期检测(Random Early Detection)算法的模块
ip_vs_ftp
⽤于实现FTP服务的负载均衡模块
ip_vs_sh
nf_conntrack
⽤于跟踪⽹络连接的状态的模块
ip_tables
⽤于管理防护墙的机制
ip_set
⽤于创建和管理IP集合的模块
xt_set
⽤于处理IP数据包集合的模块,提供了与iptables等⽹络⼯具的接⼝
ipt_set
⽤于处理iptables规则集合的模块
ipt_rpfilter
⽤于实现路由反向路径过滤的模块
ipt_REJECT
iptables模块之⼀,⽤于将不符合规则的数据包拒绝,并返回特定的错误码
ipip
⽤于实现IP隧道功能的模块,使得数据可以在两个⽹络之间进⾏传输
[root@k8s-master ~]# sysctl --system
* Applying /usr/lib/sysctl.d/00-system.conf ...
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
kernel.yama.ptrace_scope = 0
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
开机⾃启systemd默认提供的⽹络管理服务
[root@k8s-master ~]# systemctl enable systemd-modules-load.service
[root@k8s-master ~]# systemctl start systemd-modules-load.service
查看已写⼊加载的模块
[root@k8s-master ~]# lsmod | grep -e ip_vs -e nf_conntrack
ip_vs_sh 12688 0
ip_vs_wrr 12697 0
ip_vs_rr 12600 0
ip_vs 141432 6 ip_vs_rr,ip_vs_sh,ip_vs_wrr
nf_conntrack 133053 1 ip_vs
libcrc32c 12644 3 xfs,ip_vs,nf_conntrack
2、配置k8s内核
写⼊k8s所需内核模块
[root@k8s-master ~]# vim /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
控制网络桥接与iptables之间的网络转发行为
net.bridge.bridge-nf-call-ip6tables = 1
⽤于控制网络桥接(bridge)的IP6tables过滤规则。当该参数设置为1时,表示启⽤对⽹络桥接的IP6tables过滤规则
fs.may_detach_mounts = 1
⽤于控制⽂件系统是否允许分离挂载,1表示允许
net.ipv4.conf.all.route_localnet = 1
允许本地⽹络上的路由。设置为1表示允许,设置为0表示禁⽌。
vm.overcommit_memory=1
控制内存分配策略。设置为1表示允许内存过量分配,设置为0表示不允许。
vm.panic_on_oom=0
决定当系统遇到内存不⾜(OOM)时是否产⽣panic。设置为0表示不产⽣panic,设置为1表示产⽣panic。
fs.inotify.max_user_watches=89100
inotify可以监视的⽂件和⽬录的最⼤数量。
fs.file-max=52706963
系统级别的⽂件描述符的最大数量。
fs.nr_open=52706963
单个进程可以打开的⽂件描述符的最⼤数量。
net.netfilter.nf_conntrack_max=2310720
⽹络连接跟踪表的最⼤⼤⼩。
net.ipv4.tcp_keepalive_time = 600
TCP保活机制发送探测包的间隔时间(秒)。
net.ipv4.tcp_keepalive_probes = 3
TCP保活机制发送探测包的最⼤次数。
net.ipv4.tcp_keepalive_intvl =15
TCP保活机制在发送下⼀个探测包之前等待响应的时间(秒)。
net.ipv4.tcp_max_tw_buckets = 36000
TCP TIME_WAIT状态的bucket数量。
net.ipv4.tcp_tw_reuse = 1
允许重⽤TIME_WAIT套接字。设置为1表示允许,设置为0表示不允许。
net.ipv4.tcp_max_orphans = 327680
系统中最⼤的孤套接字数量。
net.ipv4.tcp_orphan_retries = 3
系统尝试重新分配孤套接字的次数。
net.ipv4.tcp_syncookies = 1
⽤于防⽌SYN洪⽔攻击。设置为1表示启⽤SYN cookies,设置为0表示禁⽤。
net.ipv4.tcp_max_syn_backlog = 16384
SYN连接请求队列的最大长度。
net.ipv4.ip_conntrack_max = 65536
IP连接跟踪表的最大大小。
net.ipv4.tcp_max_syn_backlog = 16384
系统中最⼤的监听队列的长度。
net.ipv4.tcp_timestamps = 0
⽤于关闭TCP时间戳选项。
net.core.somaxconn = 16384
⽤于设置系统中最⼤的监听队列的⻓度,保存后,所有节点重启,保证重启后内核依然加载
[root@k8s-master ~]# lsmod | grep --color=auto -e ip_vs -e nf_conntrack
ip_vs_sh 12688 0
ip_vs_wrr 12697 0
ip_vs_rr 12600 0
ip_vs 141432 6 ip_vs_rr,ip_vs_sh,ip_vs_wrr
nf_conntrack 133053 1 ip_vs
libcrc32c 12644 3 xfs,ip_vs,nf_conntrack
三、基本组件安装
1、安装 Containerd
1)安装 Docker
[root@k8s-master ~]# yum remove -y podman runc containerd # 卸载之前的containerd
[root@k8s-master ~]# yum install containerd.io docker-ce dockerce-cli -y
2)配置 Containerd 所需模块
[root@k8s-master ~]# cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
> overlay
> br_netfilter
> EOF
overlay # ⽤于⽀持Overlay⽹络⽂件系统的模块,它可以在现有的⽂件系统之上创建叠加层,以实现虚拟化、隔离和管理等功能。
br_netfilter # ⽤于containerd的⽹络过滤模块,它可以对进出容器的⽹络流量进⾏过滤和管理。
[root@k8s-master ~]# cat /etc/modules-load.d/containerd.conf
overlay
br_netfilter
[root@k8s-master ~]# modprobe -- overlay
[root@k8s-master ~]# modprobe -- br_netfilter
3)配置 Containerd 所需内核
[root@k8s-master ~]# vim /etc/sysctl.d/99-kubernetes-cri.conf
net.bridge.bridge-nf-call-iptables = 1 # ⽤于控制⽹络桥接是否调⽤iptables进⾏包过滤和转发。
net.ipv4.ip_forward = 1
路由转发,1为开启
net.bridge.bridge-nf-call-ip6tables = 1
控制是否在桥接接⼝上调⽤IPv6的iptables进⾏数据包过滤和转发。
[root@k8s-master ~]# sysctl --system
4)Containerd 配置⽂件
[root@k8s-master ~]# mkdir -p /etc/containerd
读取containerd的配置并保存到/etc/containerd/config.toml
[root@k8s-master ~]# containerd config default | tee /etc/containerd/config.toml
[root@k8s-master ~]# vim /etc/containerd/config.toml
找到第63行修改为sandbox_image = "registry.cnhangzhou.aliyuncs.com/google_containers/pause:3.9"
找到containerd.runtimes.runc.options模块,添加SystemdCgroup = false,如果已经存在则直接修改(127行)
添加sandbox_image = "registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9" (128行)
加载systemctl控制脚本
[root@k8s-master ~]# systemctl daemon-reload
启动containerd并设置开机启动
[root@k8s-master ~]# systemctl start containerd.service
[root@k8s-master ~]# systemctl enable containerd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/containerd.service to /usr/lib/systemd/system/containerd.service.
注意!!!:不能启动的情况,关闭swap虚拟分区,保证kubelet正常启动
5)配置 crictl 客户端连接的运⾏位置
配置容器运⾏环境的crictl.yml⽂件
[root@k8s-master ~]# cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF
指定了容器运⾏时的地址为:unix://...
image-endpoint: unix:///run/containerd/containerd.sock
指定了镜像运⾏时的地址为:unix://...
timeout: 10
设置了超时时间为10秒
debug: false
2、安装 Kubernetes 组件
安装 Kubeadm、Kubelet 和 Kubectl
查询最新的Kubernetes版本号
[root@k8s-master ~]# yum list kubeadm.x86_64 --showduplicates | sort -r
安装1.28最新版本kubeadm、kubelet和kubectl
[root@k8s-master ~]# yum install kubeadm-1.28* kubelet-1.28* kubectl-1.28* -y
[root@k8s-master ~]# systemctl daemon-reload
允许开机⾃启kubelet
[root@k8s-master ~]# systemctl enable --now kubelet
查看当前安装的kubeadm版本号
[root@k8s-master ~]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"28", GitVersion:"v1.28.2", GitCommit:"89a4ea3e1e4ddd7f7572286090359983e0387b2f", GitTreeState:"clean", BuildDate:"2023-09-13T09:34:32Z", GoVersion:"go1.20.8", Compiler:"gc", Platform:"linux/amd64"}
问题:kubelet启动失败
查看日志
[root@k8s-master ~]# vim /var/log/messages
解决-----配置文件未生成,重新安装kubelet
[root@k8s-master ~]# yum -y remove kubelet
[root@k8s-master ~]# yum -y install kubelet-1.28*
[root@k8s-master ~]# systemctl start kubelet
[root@k8s-master ~]# systemctl status kubelet
Active: active (running) since 三 2024-09-11 14:25:57 CST; 3s ago
由于kubeadm依赖kubelet所以卸载前者时后者也卸载了,需要重新安装
[root@k8s-master ~]# yum -y install kubeadm-1.28*
查看kubelet端口是否启动
[root@k8s-master ~]# netstat -lntup | grep kube
tcp 0 0 127.0.0.1:10248 0.0.0.0:* LISTEN 2392/kubelet
tcp6 0 0 :::10250 :::* LISTEN 2392/kubelet
tcp6 0 0 :::10255 :::* LISTEN 2392/kubelet
3、Kubernetes 集群初始化
1)Kubeadm 配置⽂件
修改kubeadm配置⽂件
[root@k8s-master ~]# vim kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta3
指定Kubernetes配置文件的版本,使用的是kubeadm API的v1beta3版本
bootstrapTokens:
定义bootstrap tokens的信息。这些tokens用于在Kubernetes集群初始化过程中进行身份验证
- groups:
定义了与此token关联的组
- system:bootstrappers:kubeadm:default-node-token
token: 7t2weq.bjbawausm0jaxury
bootstrap token的值
ttl: 24h0m0s
token的生存时间,这里设置为24小时
usages:
定义token的用途
- signing
数字签名
- authentication
身份验证
kind: InitConfiguration
指定配置对象的类型,InitConfiguration:表示这是一个初始化配置
localAPIEndpoint:
定义本地API端点的地址和端口
advertiseAddress: 192.168.15.11
bindPort: 6443
nodeRegistration:
定义节点注册时的配置
criSocket: unix:///var/run/containerd/containerd.sock
容器运行时(CRI)的套接字路径
name: k8s-master
节点的名称
taints:
标记
- effect: NoSchedule
免调度节点
key: node-role.kubernetes.io/control-plane
该节点为控制节点
apiServer:
定义了API服务器的配置
certSANs:
为API服务器指定了附加的证书主体名称(SAN),指定IP即可
- 192.168.15.11
timeoutForControlPlane: 4m0s
控制平面的超时时间,这里设置为4分钟
apiVersion: kubeadm.k8s.io/v1beta3
指定API Server版本
certificatesDir: /etc/kubernetes/pki
指定了证书的存储目录
clusterName: kubernetes
定义了集群的名称为"kubernetes"
controlPlaneEndpoint: 192.168.15.11:6443
定义了控制节点的地址和端口
controllerManager: {}
控制器管理器的配置,为空表示使用默认配置
etcd:
定义了etcd的配置
local:
本地etcd实例
dataDir: /var/lib/etcd
数据目录
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
指定了Kubernetes使用的镜像仓库的地址,阿里云的镜像仓库。
kind: ClusterConfiguration
指定了配置对象的类型,ClusterConfiguration:表示这是一个集群配置
kubernetesVersion: v1.28.2
指定了kubernetes的版本
networking:
定义了kubernetes集群网络设置
dnsDomain: cluster.local
定义了集群的DNS域为:cluster.local
podSubnet: 172.16.0.0/16
定义了Pod的子网
serviceSubnet: 10.96.0.0/16
定义了服务的子网
scheduler: {}
使用默认的调度器行为
将旧的kubeadm配置⽂件转换为新的格式
[root@k8s-master ~]# kubeadm config migrate --old-config kubeadm-config.yaml --new-config new.yaml
[root@k8s-master ~]# vim new.yaml # 修改第12行、24行、29行的ip地址为自己本机的ip地址
2)下载组件镜像
通过新的配置⽂件new.yaml从指定的阿⾥云仓库拉取kubernetes组件镜像
[root@k8s-master ~]# kubeadm config images pull --config /root/new.yaml
[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.28.2
[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.28.2
[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.28.2
[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.28.2
[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9
[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.5.9-0
[config/images] Pulled registry.cnhangzhou.aliyuncs.com/google_containers/coredns:v1.10.1
3)集群初始化
[root@k8s-master ~]# kubeadm init --config /root/new.yaml --upload-certs
等待初始化后保存这些命令
当需要加⼊新node节点时,只复制这执行即可
[root@k8s-master ~]# vim token.txt
kubeadm join 10.0.0.200:6443 --token 7t2weq.bjbawausm0jaxury --discovery-token-ca-cert-hash sha256:92191cb8741805ac561c5781d936f60a44a3233740209abf6e64738bfecd4c5e
当需要⾼可⽤master集群时,整个token复制
--control-plane --certificate-key f9984be15f98141b212efa176c7a49fcda982888f8869b7cc668e661982cbcc0
问题1:初始化时报错!!!
[root@k8s-master ~]# kubeadm init --config /root/new.yaml --upload-certs
端口18258正被kubelet使用,初始化会自动启动kubelet,所以手动关闭kubelet服务 [root@k8s-master ~]# systemctl stop kubelet
问题2:错误信息显示需要修改配置文件/proc/sys/net/ipv4/ip_forward
[root@k8s-master ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@k8s-master ~]# kubeadm init --config /root/new.yaml --upload-certs
问题3:错误信息显示本机内存不够,cpu数量不够,我们现在将本机内存提到4个G,cpu数量提到4个, 需关闭本主机然后进行修改主机配置的操作。
检查kubelet为运行状态
[root@master ~]# systemctl status kubelet
Active: active (running) since 五 2024-09-06 17:33:30 CST; 5min ago
可能是配置文件的地址没有改,所以找不到主机,所以超时
[root@k8s-master ~]# vim new.yaml
修改第12行、24行、29行的ip地址为自己本机的ip地址,初始化重置
[root@k8s-master ~]# kubeadm reset -f ; ipvsadm --clear ; rm -rf ~/.kube
[root@k8s-master ~]# kubeadm init --config /root/new.yaml --upload-certs
5)加载环境变量
[root@k8s-master ~]# vim /root/.bashrc export KUBECONFIG=/etc/kubernetes/admin.conf [root@k8s-master ~]# source /root/.bashrc
6)查看组件容器状态
之前采⽤初始化安装⽅式,所有的系统组件均以容器的⽅式运⾏ 并且在 kube-system 命名空间内,此时可以查看 Pod(容器 组)状态
pending 挂起 当前pod没有工作
running 运行中 当前pod正常工作
containercreating 正在创建容器 正在创建
[root@k8s-master ~]# kubectl get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-6554b8b87f-2v4tx 0/1 Pending 0 52m
kube-system coredns-6554b8b87f-zfqlb 0/1 Pending 0 52m
kube-system etcd-k8s-master 1/1 Running 0 52m
kube-system kube-apiserver-k8s-master 1/1 Running 0 52m
kube-system kube-controller-manager-k8s-master 1/1 Running 0 52m
kube-system kube-proxy-9r6st 1/1 Running 0 52m
kube-system kube-proxy-lx5wz 1/1 Running 0 22m
kube-system kube-proxy-xmk6s 1/1 Running 0 25m
kube-system kube-scheduler-k8s-master 1/1 Running 0 52m
[root@k8s-master ~]# kubectl get po -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-6554b8b87f-2jslr 0/1 Pending 0 10m
coredns-6554b8b87f-mmgbd 0/1 Pending 0 10m
etcd-k8s-master 1/1 Running 0 10m
kube-apiserver-k8s-master 1/1 Running 0 10m
kube-controller-manager-k8s-master 1/1 Running 3 10m
kube-proxy-tvk64 1/1 Running 0 10m
kube-scheduler-k8s-master 1/1 Running 3 10m
kubectl:k8s控制命令
get:获取参数
po:pod缩写
-n:指定命名空间
kube-system:命名空间
4、Token 过期处理
注意!!!:以下步骤是上述初始化命令产⽣的 Token 过期了才需要执 ⾏以下步骤,如果没有过期不需要执⾏,直接 join 即可。
Token 过期后⽣成新的 token:kubeadm token create --print-join-command
Master 需要⽣成 --certificate-key:kubeadm init phase upload-certs --upload-certs
5、Node 节点配置
1)概述:Node 节点上主要部署公司的⼀些业务应⽤,⽣产环境中不建议 Master 节点部署系统组件之外的其他 Pod,测试环境可以允许 Master 节点部署 Pod 以节省系统资源。
2)加入集群
[root@k8s-node01 ~]# kubeadm join 10.0.0.66:6443 --token 7t2weq.bjbawausm0jaxury \
> --discovery-token-ca-cert-hash sha256:f3ac431e03dae7f972728eb71eef1828264d42ec20a163893c812a2a0289cf99
问题:加入集群失败时如何解决?
端口被占用,手动停止kubelet,加入集群的过程中会自动启动
[root@k8s-node01 ~]# systemctl stop kubelet
Warning: kubelet.service changed on disk. Run 'systemctl daemon-reload' to reload units.
修改ip_forward文件
[root@k8s-node01 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@k8s-node01 ~]# kubeadm join 10.0.0.66:6443 --token 7t2weq.bjbawausm0jaxury --discovery-token-ca-cert-hash sha256:f3ac431e03dae7f972728eb71eef1828264d42ec20a163893c812a2a0289cf99
[root@k8s-master ~]# kubectl get node # 获取所有节点信息
NAME STATUS ROLES AGE VERSION
k8s-master NotReady control-plane 24h v1.28.2
node01 NotReady <none> 68s v1.28.2
node02 NotReady <none> 57s v1.28.2
[root@k8s-master ~]# kubectl get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-6554b8b87f-2v4tx 0/1 Pending 0 52m
kube-system coredns-6554b8b87f-zfqlb 0/1 Pending 0 52m
kube-system etcd-k8s-master 1/1 Running 0 52m
kube-system kube-apiserver-k8s-master 1/1 Running 0 52m
kube-system kube-controller-manager-k8s-master 1/1 Running 0 52m
kube-system kube-proxy-9r6st 1/1 Running 0 52m
kube-system kube-proxy-lx5wz 1/1 Running 0 22m
kube-system kube-proxy-xmk6s 1/1 Running 0 25m
kube-system kube-scheduler-k8s-master 1/1 Running 0 52m
[root@k8s-master ~]# kubectl get po -Aowide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
kube-system coredns-6554b8b87f-2v4tx 0/1 Pending 0 53m <none> <none> <none> <none>
kube-system coredns-6554b8b87f-zfqlb 0/1 Pending 0 53m <none> <none> <none> <none>
kube-system etcd-k8s-master 1/1 Running 0 54m 10.0.0.66 k8s-master <none> <none>
kube-system kube-apiserver-k8s-master 1/1 Running 0 54m 10.0.0.66 k8s-master <none> <none>
kube-system kube-controller-manager-k8s-master 1/1 Running 0 54m 10.0.0.66 k8s-master <none> <none>
kube-system kube-proxy-9r6st 1/1 Running 0 53m 10.0.0.66 k8s-master <none> <none>
kube-system kube-proxy-lx5wz 1/1 Running 0 23m 10.0.0.88 k8s-node02 <none> <none>
kube-system kube-proxy-xmk6s 1/1 Running 0 26m 10.0.0.77 k8s-node01 <none> <none>
kube-system kube-scheduler-k8s-master 1/1 Running 0 54m 10.0.0.66 k8s-master <none> <none>
6、Calico 组件安装
(1)切换 git 分⽀
[root@k8s-master ~]# cd k8s-ha-install/
[root@k8s-master k8s-ha-install]# ls
calico.yaml krm.yaml LICENSE metrics-server-0.3.7 metrics-server-3.6.1 README.md
[root@k8s-master k8s-ha-install]# git checkout manual-installation-v1.28.x
分支 manual-installation-v1.28.x 设置为跟踪来自 origin 的远程分支 manual-installation-v1.28.x,
切换到一个新分支 'manual-installation-v1.28.x'
(2)修改 Pod ⽹段
[root@k8s-master k8s-ha-install]# cd calico/
获取已定义的Pod⽹段
[root@k8s-master calico]# POD_SUBNET=`cat /etc/kubernetes/manifests/kube-controller-manager.yaml | grep cluster-cidr= | awk -F= '{print $NF}'`
[root@k8s-master calico]# echo $POD_SUBNET
172.16.0.0/16
修改calico.yml⽂件中的pod⽹段
[root@k8s-master calico]# sed -i "s#POD_CIDR#${POD_SUBNET}#g" calico.yaml
创建calico的pod
[root@k8s-master calico]# kubectl apply -f calico.yaml
(3)查看容器和节点状态
[root@k8s-master calico]# kubectl get po -n kube-system
[root@k8s-master calico]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master NotReady control-plane 24h v1.28.2
node01 NotReady <none> 20m v1.28.2
[root@k8s-master calico]# kubectl describe po -n kube-system calico
(4)部署calico的pod
找到配置文件calico
[root@k8s-master ~]# cd k8s-ha-install/
切换 git 分⽀
[root@k8s-master k8s-ha-install]# git checkout manual-installation-v1.28.x
分支 manual-installation-v1.28.x 设置为跟踪来自 origin 的远程分支 manual-installation-v1.28.x。
切换到一个新分支 'manual-installation-v1.28.x'
修改 Pod ⽹段
[root@k8s-master k8s-ha-install]# ls
bootstrap CoreDNS dashboard metrics-server README.md
calico csi-hostpath kubeadm-metrics-server pki snapshotter
[root@k8s-master k8s-ha-install]# cd calico/
[root@k8s-master calico]# ls
calico.yaml
[root@k8s-master calico]# vim /etc/kubernetes/manifests/kube-controller-manager.yaml
获取已定义的Pod⽹段
[root@k8s-master calico]# POD_SUBNET=`cat /etc/kubernetes/manifests/kube-controller-manager.yaml | grep cluster-cidr= | awk -F= '{print $NF}'`
[root@k8s-master calico]# echo $POD_SUBNET
172.16.0.0/16
修改配置文件,将文件中的POD_CIDR替换成172.16.0.0/16
[root@k8s-master calico]# sed -i "s#POD_CIDR#${POD_SUBNET}#g" calico.yaml
创建pod
[root@k8s-master calico]# kubectl apply -f calico.yaml
(5) 查看容器状态
[root@k8s-master calico]# kubectl get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system calico-kube-controllers-6d48795585-v5d7x 0/1 Pending 0 69s
kube-system calico-node-747k8 0/1 Init:0/3 0 69s
kube-system calico-node-7klq9 0/1 Init:0/3 0 69s
kube-system calico-node-j9b44 0/1 Init:0/3 0 69s
kube-system coredns-6554b8b87f-2v4tx 0/1 Pending 0 104m
kube-system coredns-6554b8b87f-zfqlb 0/1 Pending 0 104m
kube-system etcd-k8s-master 1/1 Running 0 104m
kube-system kube-apiserver-k8s-master 1/1 Running 0 104m
kube-system kube-controller-manager-k8s-master 1/1 Running 1 (7m42s ago) 7m27s
kube-system kube-proxy-9r6st 1/1 Running 0 104m
kube-system kube-proxy-lx5wz 1/1 Running 0 74m
kube-system kube-proxy-xmk6s 1/1 Running 0 77m
kube-system kube-scheduler-k8s-master 1/1 Running 0 104m