部署k8s基础环境

一、环境准备

1、主机准备：

k8s-master（192.168.2.90）k8s-node01（192.168.2.91）k8s-node02（192.168.2.92）

2、关闭防火墙、selinux、NetworkManager

[root@k8s-master ~]# systemctl stop firewalld

[root@k8s-master ~]# systemctl disable firewalld

Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.

Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

[root@k8s-master ~]# setenforce 0

[root@k8s-master ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux

[root@k8s-master ~]# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config

3、设置主机劫持

[root@k8s-master ~]# vim /etc/hosts

192.168.2.90 k8s-master

192.168.2.91 k8s-node01

192.168.2.92 k8s-node02

[root@k8s-master ~]# scp /etc/hosts root@192.168.2.91:/etc/hosts

[root@k8s-master ~]# scp /etc/hosts root@192.168.2.92:/etc/hosts

[root@k8s-master ~]# ping k8s-node01

PING k8s-node01 (192.168.2.91) 56(84) bytes of data.

64 bytes from k8s-node01 (192.168.2.91): icmp_seq=1 ttl=64 time=0.346 ms

64 bytes from k8s-node01 (192.168.2.91): icmp_seq=2 ttl=64 time=0.265 ms

4、设置主机间免密：

[root@k8s-master ~]# ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

SHA256:pJNP7Nx9pi00P7w8nBNECxdAyHyKPnc6UNaLdXYs6b8 root@k8s-master

The key's randomart image is:

+---[RSA 2048]----+

| o oo... |

| + o o |

| .. + + + |

| =. + o B o|

| +.So o * o |

| *+.o.= o |

| ++.+.=o+ |

| o .*O .|

| ...+E.|

+----[SHA256]-----+

[root@k8s-master ~]# ssh-copy-id root@192.168.2.91

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

root@192.168.2.91's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@192.168.2.91'"

and check to make sure that only the key(s) you wanted were added.

[root@k8s-master ~]# ssh-copy-id root@192.168.2.92

5、配置yum源：

[root@k8s-master ~]# cd /etc/yum.repos.d/

docker软件源

[root@k8s-master yum.repos.d]# vim docker-ce.repo

[docker-ce-stable]

name=Docker CE Stable - $basearch

baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/$basearch/stable

enabled=1

gpgcheck=1

gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

[docker-ce-stable-debuginfo]

name=Docker CE Stable - Debuginfo $basearch

baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/debug-$basearch/stable

enabled=0

gpgcheck=1

gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

[docker-ce-stable-source]

name=Docker CE Stable - Sources

baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/source/stable

enabled=0

gpgcheck=1

gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

[docker-ce-test]

name=Docker CE Test - $basearch

baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/$basearch/test

enabled=0

gpgcheck=1

gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

[docker-ce-test-debuginfo]

name=Docker CE Test - Debuginfo $basearch

baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/debug-$basearch/test

enabled=0

gpgcheck=1

gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

[docker-ce-test-source]

name=Docker CE Test - Sources

baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/source/test

enabled=0

gpgcheck=1

gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

[docker-ce-nightly]

name=Docker CE Nightly - $basearch

baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/$basearch/nightly

enabled=0

gpgcheck=1

gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

[docker-ce-nightly-debuginfo]

name=Docker CE Nightly - Debuginfo $basearch

baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/debug-$basearch/nightly

enabled=0

gpgcheck=1

gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

[docker-ce-nightly-source]

name=Docker CE Nightly - Sources

baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/source/nightly

enabled=0

gpgcheck=1

gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg

K8S软件源

[root@k8s-master yum.repos.d]# vim kubernetes.repo

[kubernetes]

name=Kubernetes

baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/

enabled=1

gpgcheck=0

repo_gpgcheck=0

gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg

[root@k8s-master yum.repos.d]# yum clean all && yum makecache

[root@k8s-master yum.repos.d]# scp docker-ce.repo root@10.0.0.22:/etc/yum.repos.d/

docker-ce.repo 100% 2073 1.9MB/s 00:00

[root@k8s-master yum.repos.d]# scp kubernetes.repo root@10.0.0.22:/etc/yum.repos.d/

kubernetes.repo 100% 211 281.2KB/s 00:00

[root@k8s-master yum.repos.d]# scp docker-ce.repo root@10.0.0.33:/etc/yum.repos.d/

docker-ce.repo 100% 2073 1.9MB/s 00:00

[root@k8s-master yum.repos.d]# scp kubernetes.repo root@10.0.0.33:/etc/yum.repos.d/

kubernetes.repo 100% 211 281.2KB/s 00:00

6、安装必备工具：

[root@k8s-master ~]# yum install wget jq psmisc vim net-tools telnet yum-utils device-mapper-persistent-data lvm2 git -y

7、关闭swap 分区：

[root@k8s-master ~]# swapoff -a && sysctl -w vm.swappiness=0

vm.swappiness = 0

[root@k8s-master ~]# sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab

8、同步时间

[root@k8s-master ~]# yum -y install ntpdate

[root@k8s-master ~]# ntpdate time2.aliyun.com

4 Sep 10:08:59 ntpdate[1897]: adjust time server 203.107.6.88 offset 0.007780 sec

[root@k8s-master ~]# which ntpdate

/usr/sbin/ntpdate

[root@k8s-master ~]# crontab -e

* 5 * * * /usr/sbin/ntpdate time2.aliyun.com

9、配置 limit

单个进程可以打开的⽂件数量将被限制为 65535

[root@k8s-master ~]# ulimit -SHn 65535

[root@k8s-master ~]# vim /etc/security/limits.conf

末尾添加如下内容

* soft nofile 65536

* hard nofile 131072

* soft nproc 65535

* hard nproc 655350

* soft memlock unlimited

* hard memlock unlimited

10、安装 k8s ⾼可⽤性 Git 仓库并重启

在 /root/ ⽬录下克隆⼀个名为 k8s-ha-install.git 的 Git 仓库

[root@k8s-master ~]# git clone https://gitee.com/dukuan/k8s-ha-install.git

正克隆到 'k8s-ha-install'...

remote: Enumerating objects: 920, done.

remote: Counting objects: 100% (8/8), done.

remote: Compressing objects: 100% (6/6), done.

remote: Total 920 (delta 1), reused 0 (delta 0), pack-reused 912

接收对象中: 100% (920/920), 19.74 MiB | 1.51 MiB/s, done.

处理 delta 中: 100% (388/388), done.

[root@k8s-master ~]# cd k8s-ha-install/

[root@k8s-master k8s-ha-install]# ls

calico.yaml krm.yaml LICENSE metrics-server-0.3.7 metrics-server-3.6.1 README.md

[root@k8s-master k8s-ha-install]# reboot

二、配置内核模块

1、配置ipvs模块

[root@k8s-master ~]# yum install ipvsadm ipset sysstat conntrack libseccomp -y

使⽤ modprobe 命令加载内核模块，核⼼ IPVS 模块。

[root@k8s-master ~]# modprobe -- ip_vs

IPVS 负载均衡算法 rr。

[root@k8s-master ~]# modprobe -- ip_vs_rr

IPVS 负载均衡算法 wrr

[root@k8s-master ~]# modprobe -- ip_vs_wrr

⽤于源端负载均衡的模块

[root@k8s-master ~]# modprobe -- ip_vs_sh

⽤于⽹络流量过滤和跟踪的模块

[root@k8s-master ~]# modprobe -- nf_conntrack

在系统启动时加载下列 IPVS 和相关功能所需的模块

[root@k8s-master ~]# find / -name "ipvs.config"

[root@k8s-master ~]# vim /etc/modules-load.d/ipvs.config

ip_vs

负载均衡模块

ip_vs_lc

⽤于实现基于连接数量的负载均衡算法

ip_vs_wlc

⽤于实现带权重的最少连接算法的模块

ip_vs_rr

负载均衡rr算法模块

ip_vs_wrr

负载均衡wrr算法模块

ip_vs_lblc

负载均衡算法，它结合了最少连接（LC）算法和基于偏置的轮询（Round Robin with Bias）算法

ip_vs_lblcr

⽤于实现基于链路层拥塞状况的最少连接负载调度算法的模块

ip_vs_dh

⽤于实现基于散列（Hashing）的负载均衡算法的模块

ip_vs_sh

⽤于源端负载均衡的模块

ip_vs_fo

⽤于实现基于本地服务的负载均衡算法的模块

ip_vs_nq

⽤于实现NQ算法的模块

ip_vs_sed

⽤于实现随机早期检测（Random Early Detection）算法的模块

ip_vs_ftp

⽤于实现FTP服务的负载均衡模块

ip_vs_sh

nf_conntrack

⽤于跟踪⽹络连接的状态的模块

ip_tables

⽤于管理防护墙的机制

ip_set

⽤于创建和管理IP集合的模块

xt_set

⽤于处理IP数据包集合的模块，提供了与iptables等⽹络⼯具的接⼝

ipt_set

⽤于处理iptables规则集合的模块

ipt_rpfilter

⽤于实现路由反向路径过滤的模块

ipt_REJECT

iptables模块之⼀，⽤于将不符合规则的数据包拒绝，并返回特定的错误码

ipip

⽤于实现IP隧道功能的模块，使得数据可以在两个⽹络之间进⾏传输

[root@k8s-master ~]# sysctl --system

* Applying /usr/lib/sysctl.d/00-system.conf ...

* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...

kernel.yama.ptrace_scope = 0

* Applying /usr/lib/sysctl.d/50-default.conf ...

kernel.sysrq = 16

kernel.core_uses_pid = 1

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.default.promote_secondaries = 1

net.ipv4.conf.all.promote_secondaries = 1

fs.protected_hardlinks = 1

fs.protected_symlinks = 1

* Applying /etc/sysctl.d/99-sysctl.conf ...

* Applying /etc/sysctl.conf ...

开机⾃启systemd默认提供的⽹络管理服务

[root@k8s-master ~]# systemctl enable systemd-modules-load.service

[root@k8s-master ~]# systemctl start systemd-modules-load.service

查看已写⼊加载的模块

[root@k8s-master ~]# lsmod | grep -e ip_vs -e nf_conntrack

ip_vs_sh 12688 0

ip_vs_wrr 12697 0

ip_vs_rr 12600 0

ip_vs 141432 6 ip_vs_rr,ip_vs_sh,ip_vs_wrr

nf_conntrack 133053 1 ip_vs

libcrc32c 12644 3 xfs,ip_vs,nf_conntrack

2、配置k8s内核

写⼊k8s所需内核模块

[root@k8s-master ~]# vim /etc/sysctl.d/k8s.conf

net.bridge.bridge-nf-call-iptables = 1

控制网络桥接与iptables之间的网络转发行为

net.bridge.bridge-nf-call-ip6tables = 1

⽤于控制网络桥接（bridge）的IP6tables过滤规则。当该参数设置为1时，表示启⽤对⽹络桥接的IP6tables过滤规则

fs.may_detach_mounts = 1

⽤于控制⽂件系统是否允许分离挂载，1表示允许

net.ipv4.conf.all.route_localnet = 1

允许本地⽹络上的路由。设置为1表示允许，设置为0表示禁⽌。

vm.overcommit_memory=1

控制内存分配策略。设置为1表示允许内存过量分配，设置为0表示不允许。

vm.panic_on_oom=0

决定当系统遇到内存不⾜（OOM）时是否产⽣panic。设置为0表示不产⽣panic，设置为1表示产⽣panic。

fs.inotify.max_user_watches=89100

inotify可以监视的⽂件和⽬录的最⼤数量。

fs.file-max=52706963

系统级别的⽂件描述符的最大数量。

fs.nr_open=52706963

单个进程可以打开的⽂件描述符的最⼤数量。

net.netfilter.nf_conntrack_max=2310720

⽹络连接跟踪表的最⼤⼤⼩。

net.ipv4.tcp_keepalive_time = 600

TCP保活机制发送探测包的间隔时间（秒）。

net.ipv4.tcp_keepalive_probes = 3

TCP保活机制发送探测包的最⼤次数。

net.ipv4.tcp_keepalive_intvl =15

TCP保活机制在发送下⼀个探测包之前等待响应的时间（秒）。

net.ipv4.tcp_max_tw_buckets = 36000

TCP TIME_WAIT状态的bucket数量。

net.ipv4.tcp_tw_reuse = 1

允许重⽤TIME_WAIT套接字。设置为1表示允许，设置为0表示不允许。

net.ipv4.tcp_max_orphans = 327680

系统中最⼤的孤套接字数量。

net.ipv4.tcp_orphan_retries = 3

系统尝试重新分配孤套接字的次数。

net.ipv4.tcp_syncookies = 1

⽤于防⽌SYN洪⽔攻击。设置为1表示启⽤SYN cookies，设置为0表示禁⽤。

net.ipv4.tcp_max_syn_backlog = 16384

SYN连接请求队列的最大长度。

net.ipv4.ip_conntrack_max = 65536

IP连接跟踪表的最大大小。

net.ipv4.tcp_max_syn_backlog = 16384

系统中最⼤的监听队列的长度。

net.ipv4.tcp_timestamps = 0

⽤于关闭TCP时间戳选项。

net.core.somaxconn = 16384

⽤于设置系统中最⼤的监听队列的⻓度，保存后，所有节点重启，保证重启后内核依然加载

[root@k8s-master ~]# lsmod | grep --color=auto -e ip_vs -e nf_conntrack

ip_vs_sh 12688 0

ip_vs_wrr 12697 0

ip_vs_rr 12600 0

ip_vs 141432 6 ip_vs_rr,ip_vs_sh,ip_vs_wrr

nf_conntrack 133053 1 ip_vs

libcrc32c 12644 3 xfs,ip_vs,nf_conntrack

三、基本组件安装

1、安装 Containerd

1）安装 Docker

[root@k8s-master ~]# yum remove -y podman runc containerd # 卸载之前的containerd

[root@k8s-master ~]# yum install containerd.io docker-ce dockerce-cli -y

2）配置 Containerd 所需模块

[root@k8s-master ~]# cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf

> overlay

> br_netfilter

> EOF

overlay # ⽤于⽀持Overlay⽹络⽂件系统的模块，它可以在现有的⽂件系统之上创建叠加层，以实现虚拟化、隔离和管理等功能。

br_netfilter # ⽤于containerd的⽹络过滤模块，它可以对进出容器的⽹络流量进⾏过滤和管理。

[root@k8s-master ~]# cat /etc/modules-load.d/containerd.conf

overlay

br_netfilter

[root@k8s-master ~]# modprobe -- overlay

[root@k8s-master ~]# modprobe -- br_netfilter

3）配置 Containerd 所需内核

[root@k8s-master ~]# vim /etc/sysctl.d/99-kubernetes-cri.conf

net.bridge.bridge-nf-call-iptables = 1 # ⽤于控制⽹络桥接是否调⽤iptables进⾏包过滤和转发。

net.ipv4.ip_forward = 1

路由转发，1为开启

net.bridge.bridge-nf-call-ip6tables = 1

控制是否在桥接接⼝上调⽤IPv6的iptables进⾏数据包过滤和转发。

[root@k8s-master ~]# sysctl --system

4）Containerd 配置⽂件

[root@k8s-master ~]# mkdir -p /etc/containerd

读取containerd的配置并保存到/etc/containerd/config.toml

[root@k8s-master ~]# containerd config default | tee /etc/containerd/config.toml

[root@k8s-master ~]# vim /etc/containerd/config.toml

找到第63行修改为sandbox_image = "registry.cnhangzhou.aliyuncs.com/google_containers/pause:3.9"

找到containerd.runtimes.runc.options模块，添加SystemdCgroup = false，如果已经存在则直接修改（127行）

添加sandbox_image = "registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9" (128行)

加载systemctl控制脚本

[root@k8s-master ~]# systemctl daemon-reload

启动containerd并设置开机启动

[root@k8s-master ~]# systemctl start containerd.service

[root@k8s-master ~]# systemctl enable containerd.service

Created symlink from /etc/systemd/system/multi-user.target.wants/containerd.service to /usr/lib/systemd/system/containerd.service.

注意！！！：不能启动的情况，关闭swap虚拟分区，保证kubelet正常启动

5）配置 crictl 客户端连接的运⾏位置

配置容器运⾏环境的crictl.yml⽂件

[root@k8s-master ~]# cat <<EOF | sudo tee /etc/crictl.yaml

runtime-endpoint: unix:///run/containerd/containerd.sock

image-endpoint: unix:///run/containerd/containerd.sock

timeout: 10

debug: false

EOF

指定了容器运⾏时的地址为：unix://...

image-endpoint: unix:///run/containerd/containerd.sock

指定了镜像运⾏时的地址为：unix://...

timeout: 10

设置了超时时间为10秒

debug: false

2、安装 Kubernetes 组件

安装 Kubeadm、Kubelet 和 Kubectl

查询最新的Kubernetes版本号

[root@k8s-master ~]# yum list kubeadm.x86_64 --showduplicates | sort -r

安装1.28最新版本kubeadm、kubelet和kubectl

[root@k8s-master ~]# yum install kubeadm-1.28* kubelet-1.28* kubectl-1.28* -y

[root@k8s-master ~]# systemctl daemon-reload

允许开机⾃启kubelet

[root@k8s-master ~]# systemctl enable --now kubelet

查看当前安装的kubeadm版本号

[root@k8s-master ~]# kubeadm version

kubeadm version: &version.Info{Major:"1", Minor:"28", GitVersion:"v1.28.2", GitCommit:"89a4ea3e1e4ddd7f7572286090359983e0387b2f", GitTreeState:"clean", BuildDate:"2023-09-13T09:34:32Z", GoVersion:"go1.20.8", Compiler:"gc", Platform:"linux/amd64"}

问题：kubelet启动失败

查看日志

[root@k8s-master ~]# vim /var/log/messages

解决-----配置文件未生成，重新安装kubelet

[root@k8s-master ~]# yum -y remove kubelet

[root@k8s-master ~]# yum -y install kubelet-1.28*

[root@k8s-master ~]# systemctl start kubelet

[root@k8s-master ~]# systemctl status kubelet

Active: active (running) since 三 2024-09-11 14:25:57 CST; 3s ago

由于kubeadm依赖kubelet所以卸载前者时后者也卸载了，需要重新安装

[root@k8s-master ~]# yum -y install kubeadm-1.28*

查看kubelet端口是否启动

[root@k8s-master ~]# netstat -lntup | grep kube

tcp 0 0 127.0.0.1:10248 0.0.0.0:* LISTEN 2392/kubelet

tcp6 0 0 :::10250 :::* LISTEN 2392/kubelet

tcp6 0 0 :::10255 :::* LISTEN 2392/kubelet

3、Kubernetes 集群初始化

1）Kubeadm 配置⽂件

修改kubeadm配置⽂件

[root@k8s-master ~]# vim kubeadm-config.yaml

apiVersion: kubeadm.k8s.io/v1beta3

指定Kubernetes配置文件的版本，使用的是kubeadm API的v1beta3版本

bootstrapTokens:

定义bootstrap tokens的信息。这些tokens用于在Kubernetes集群初始化过程中进行身份验证

groups:

定义了与此token关联的组

system:bootstrappers:kubeadm:default-node-token

token: 7t2weq.bjbawausm0jaxury

bootstrap token的值

ttl: 24h0m0s

token的生存时间，这里设置为24小时

usages:

定义token的用途

signing

数字签名

authentication

身份验证

kind: InitConfiguration

指定配置对象的类型，InitConfiguration：表示这是一个初始化配置

localAPIEndpoint:

定义本地API端点的地址和端口

advertiseAddress: 192.168.15.11

bindPort: 6443

nodeRegistration:

定义节点注册时的配置

criSocket: unix:///var/run/containerd/containerd.sock

容器运行时(CRI)的套接字路径

name: k8s-master

节点的名称

taints:

标记

effect: NoSchedule

免调度节点

key: node-role.kubernetes.io/control-plane

该节点为控制节点

apiServer:

定义了API服务器的配置

certSANs:

为API服务器指定了附加的证书主体名称(SAN)，指定IP即可

192.168.15.11

timeoutForControlPlane: 4m0s

控制平面的超时时间，这里设置为4分钟

apiVersion: kubeadm.k8s.io/v1beta3

指定API Server版本

certificatesDir: /etc/kubernetes/pki

指定了证书的存储目录

clusterName: kubernetes

定义了集群的名称为"kubernetes"

controlPlaneEndpoint: 192.168.15.11:6443

定义了控制节点的地址和端口

controllerManager: {}

控制器管理器的配置，为空表示使用默认配置

etcd:

定义了etcd的配置

local:

本地etcd实例

dataDir: /var/lib/etcd

数据目录

imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers

指定了Kubernetes使用的镜像仓库的地址，阿里云的镜像仓库。

kind: ClusterConfiguration

指定了配置对象的类型，ClusterConfiguration：表示这是一个集群配置

kubernetesVersion: v1.28.2

指定了kubernetes的版本

networking:

定义了kubernetes集群网络设置

dnsDomain: cluster.local

定义了集群的DNS域为：cluster.local

podSubnet: 172.16.0.0/16

定义了Pod的子网

serviceSubnet: 10.96.0.0/16

定义了服务的子网

scheduler: {}

使用默认的调度器行为

将旧的kubeadm配置⽂件转换为新的格式

[root@k8s-master ~]# kubeadm config migrate --old-config kubeadm-config.yaml --new-config new.yaml

[root@k8s-master ~]# vim new.yaml # 修改第12行、24行、29行的ip地址为自己本机的ip地址

2）下载组件镜像

通过新的配置⽂件new.yaml从指定的阿⾥云仓库拉取kubernetes组件镜像

[root@k8s-master ~]# kubeadm config images pull --config /root/new.yaml

[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.28.2

[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.28.2

[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.28.2

[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.28.2

[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9

[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.5.9-0

[config/images] Pulled registry.cnhangzhou.aliyuncs.com/google_containers/coredns:v1.10.1

3）集群初始化

[root@k8s-master ~]# kubeadm init --config /root/new.yaml --upload-certs

等待初始化后保存这些命令

当需要加⼊新node节点时，只复制这执行即可

[root@k8s-master ~]# vim token.txt

kubeadm join 10.0.0.200:6443 --token 7t2weq.bjbawausm0jaxury --discovery-token-ca-cert-hash sha256:92191cb8741805ac561c5781d936f60a44a3233740209abf6e64738bfecd4c5e

当需要⾼可⽤master集群时，整个token复制

--control-plane --certificate-key f9984be15f98141b212efa176c7a49fcda982888f8869b7cc668e661982cbcc0

问题1：初始化时报错！！！

[root@k8s-master ~]# kubeadm init --config /root/new.yaml --upload-certs

端口18258正被kubelet使用，初始化会自动启动kubelet，所以手动关闭kubelet服务 [root@k8s-master ~]# systemctl stop kubelet

问题2：错误信息显示需要修改配置文件/proc/sys/net/ipv4/ip_forward

[root@k8s-master ~]# echo 1 > /proc/sys/net/ipv4/ip_forward

[root@k8s-master ~]# kubeadm init --config /root/new.yaml --upload-certs

问题3：错误信息显示本机内存不够，cpu数量不够，我们现在将本机内存提到4个G，cpu数量提到4个，需关闭本主机然后进行修改主机配置的操作。

检查kubelet为运行状态

[root@master ~]# systemctl status kubelet

Active: active (running) since 五 2024-09-06 17:33:30 CST; 5min ago

可能是配置文件的地址没有改，所以找不到主机，所以超时

[root@k8s-master ~]# vim new.yaml

修改第12行、24行、29行的ip地址为自己本机的ip地址，初始化重置

[root@k8s-master ~]# kubeadm reset -f ; ipvsadm --clear ; rm -rf ~/.kube

[root@k8s-master ~]# kubeadm init --config /root/new.yaml --upload-certs

5）加载环境变量

[root@k8s-master ~]# vim /root/.bashrc export KUBECONFIG=/etc/kubernetes/admin.conf [root@k8s-master ~]# source /root/.bashrc

6）查看组件容器状态

之前采⽤初始化安装⽅式，所有的系统组件均以容器的⽅式运⾏并且在 kube-system 命名空间内，此时可以查看 Pod（容器组）状态

pending 挂起当前pod没有工作

running 运行中当前pod正常工作

containercreating 正在创建容器正在创建

[root@k8s-master ~]# kubectl get po -A

NAMESPACE NAME READY STATUS RESTARTS AGE

kube-system coredns-6554b8b87f-2v4tx 0/1 Pending 0 52m

kube-system coredns-6554b8b87f-zfqlb 0/1 Pending 0 52m

kube-system etcd-k8s-master 1/1 Running 0 52m

kube-system kube-apiserver-k8s-master 1/1 Running 0 52m

kube-system kube-controller-manager-k8s-master 1/1 Running 0 52m

kube-system kube-proxy-9r6st 1/1 Running 0 52m

kube-system kube-proxy-lx5wz 1/1 Running 0 22m

kube-system kube-proxy-xmk6s 1/1 Running 0 25m

kube-system kube-scheduler-k8s-master 1/1 Running 0 52m

[root@k8s-master ~]# kubectl get po -n kube-system

NAME READY STATUS RESTARTS AGE

coredns-6554b8b87f-2jslr 0/1 Pending 0 10m

coredns-6554b8b87f-mmgbd 0/1 Pending 0 10m

etcd-k8s-master 1/1 Running 0 10m

kube-apiserver-k8s-master 1/1 Running 0 10m

kube-controller-manager-k8s-master 1/1 Running 3 10m

kube-proxy-tvk64 1/1 Running 0 10m

kube-scheduler-k8s-master 1/1 Running 3 10m

kubectl：k8s控制命令

get：获取参数

po：pod缩写

-n：指定命名空间

kube-system：命名空间

4、Token 过期处理
注意！！！：以下步骤是上述初始化命令产⽣的 Token 过期了才需要执⾏以下步骤，如果没有过期不需要执⾏，直接 join 即可。

Token 过期后⽣成新的 token：kubeadm token create --print-join-command

Master 需要⽣成 --certificate-key：kubeadm init phase upload-certs --upload-certs

5、Node 节点配置

1）概述：Node 节点上主要部署公司的⼀些业务应⽤，⽣产环境中不建议 Master 节点部署系统组件之外的其他 Pod，测试环境可以允许 Master 节点部署 Pod 以节省系统资源。

2）加入集群

[root@k8s-node01 ~]# kubeadm join 10.0.0.66:6443 --token 7t2weq.bjbawausm0jaxury \

> --discovery-token-ca-cert-hash sha256:f3ac431e03dae7f972728eb71eef1828264d42ec20a163893c812a2a0289cf99

问题：加入集群失败时如何解决？

端口被占用，手动停止kubelet，加入集群的过程中会自动启动

[root@k8s-node01 ~]# systemctl stop kubelet

Warning: kubelet.service changed on disk. Run 'systemctl daemon-reload' to reload units.

修改ip_forward文件

[root@k8s-node01 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward

[root@k8s-node01 ~]# kubeadm join 10.0.0.66:6443 --token 7t2weq.bjbawausm0jaxury --discovery-token-ca-cert-hash sha256:f3ac431e03dae7f972728eb71eef1828264d42ec20a163893c812a2a0289cf99

[root@k8s-master ~]# kubectl get node # 获取所有节点信息

NAME STATUS ROLES AGE VERSION

k8s-master NotReady control-plane 24h v1.28.2

node01 NotReady <none> 68s v1.28.2

node02 NotReady <none> 57s v1.28.2

[root@k8s-master ~]# kubectl get po -A

NAMESPACE NAME READY STATUS RESTARTS AGE

kube-system coredns-6554b8b87f-2v4tx 0/1 Pending 0 52m

kube-system coredns-6554b8b87f-zfqlb 0/1 Pending 0 52m

kube-system etcd-k8s-master 1/1 Running 0 52m

kube-system kube-apiserver-k8s-master 1/1 Running 0 52m

kube-system kube-controller-manager-k8s-master 1/1 Running 0 52m

kube-system kube-proxy-9r6st 1/1 Running 0 52m

kube-system kube-proxy-lx5wz 1/1 Running 0 22m

kube-system kube-proxy-xmk6s 1/1 Running 0 25m

kube-system kube-scheduler-k8s-master 1/1 Running 0 52m

[root@k8s-master ~]# kubectl get po -Aowide

NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES

kube-system coredns-6554b8b87f-2v4tx 0/1 Pending 0 53m <none> <none> <none> <none>

kube-system coredns-6554b8b87f-zfqlb 0/1 Pending 0 53m <none> <none> <none> <none>

kube-system etcd-k8s-master 1/1 Running 0 54m 10.0.0.66 k8s-master <none> <none>

kube-system kube-apiserver-k8s-master 1/1 Running 0 54m 10.0.0.66 k8s-master <none> <none>

kube-system kube-controller-manager-k8s-master 1/1 Running 0 54m 10.0.0.66 k8s-master <none> <none>

kube-system kube-proxy-9r6st 1/1 Running 0 53m 10.0.0.66 k8s-master <none> <none>

kube-system kube-proxy-lx5wz 1/1 Running 0 23m 10.0.0.88 k8s-node02 <none> <none>

kube-system kube-proxy-xmk6s 1/1 Running 0 26m 10.0.0.77 k8s-node01 <none> <none>

kube-system kube-scheduler-k8s-master 1/1 Running 0 54m 10.0.0.66 k8s-master <none> <none>

6、Calico 组件安装

（1）切换 git 分⽀

[root@k8s-master ~]# cd k8s-ha-install/

[root@k8s-master k8s-ha-install]# ls

calico.yaml krm.yaml LICENSE metrics-server-0.3.7 metrics-server-3.6.1 README.md

[root@k8s-master k8s-ha-install]# git checkout manual-installation-v1.28.x

分支 manual-installation-v1.28.x 设置为跟踪来自 origin 的远程分支 manual-installation-v1.28.x，

切换到一个新分支 'manual-installation-v1.28.x'

（2）修改 Pod ⽹段

[root@k8s-master k8s-ha-install]# cd calico/

获取已定义的Pod⽹段

[root@k8s-master calico]# POD_SUBNET=`cat /etc/kubernetes/manifests/kube-controller-manager.yaml | grep cluster-cidr= | awk -F= '{print $NF}'`

[root@k8s-master calico]# echo $POD_SUBNET

172.16.0.0/16

修改calico.yml⽂件中的pod⽹段

[root@k8s-master calico]# sed -i "s#POD_CIDR#${POD_SUBNET}#g" calico.yaml

创建calico的pod

[root@k8s-master calico]# kubectl apply -f calico.yaml

（3）查看容器和节点状态

[root@k8s-master calico]# kubectl get po -n kube-system

[root@k8s-master calico]# kubectl get node

NAME STATUS ROLES AGE VERSION

k8s-master NotReady control-plane 24h v1.28.2

node01 NotReady <none> 20m v1.28.2

[root@k8s-master calico]# kubectl describe po -n kube-system calico

（4）部署calico的pod

找到配置文件calico

[root@k8s-master ~]# cd k8s-ha-install/

切换 git 分⽀

[root@k8s-master k8s-ha-install]# git checkout manual-installation-v1.28.x

分支 manual-installation-v1.28.x 设置为跟踪来自 origin 的远程分支 manual-installation-v1.28.x。

切换到一个新分支 'manual-installation-v1.28.x'

修改 Pod ⽹段

[root@k8s-master k8s-ha-install]# ls

bootstrap CoreDNS dashboard metrics-server README.md

calico csi-hostpath kubeadm-metrics-server pki snapshotter

[root@k8s-master k8s-ha-install]# cd calico/

[root@k8s-master calico]# ls

calico.yaml

[root@k8s-master calico]# vim /etc/kubernetes/manifests/kube-controller-manager.yaml

获取已定义的Pod⽹段

[root@k8s-master calico]# POD_SUBNET=`cat /etc/kubernetes/manifests/kube-controller-manager.yaml | grep cluster-cidr= | awk -F= '{print $NF}'`

[root@k8s-master calico]# echo $POD_SUBNET

172.16.0.0/16

修改配置文件，将文件中的POD_CIDR替换成172.16.0.0/16

[root@k8s-master calico]# sed -i "s#POD_CIDR#${POD_SUBNET}#g" calico.yaml

创建pod

[root@k8s-master calico]# kubectl apply -f calico.yaml

（5）查看容器状态

[root@k8s-master calico]# kubectl get po -A

NAMESPACE NAME READY STATUS RESTARTS AGE

kube-system calico-kube-controllers-6d48795585-v5d7x 0/1 Pending 0 69s

kube-system calico-node-747k8 0/1 Init:0/3 0 69s

kube-system calico-node-7klq9 0/1 Init:0/3 0 69s

kube-system calico-node-j9b44 0/1 Init:0/3 0 69s

kube-system coredns-6554b8b87f-2v4tx 0/1 Pending 0 104m

kube-system coredns-6554b8b87f-zfqlb 0/1 Pending 0 104m

kube-system etcd-k8s-master 1/1 Running 0 104m

kube-system kube-apiserver-k8s-master 1/1 Running 0 104m

kube-system kube-controller-manager-k8s-master 1/1 Running 1 (7m42s ago) 7m27s

kube-system kube-proxy-9r6st 1/1 Running 0 104m

kube-system kube-proxy-lx5wz 1/1 Running 0 74m

kube-system kube-proxy-xmk6s 1/1 Running 0 77m

kube-system kube-scheduler-k8s-master 1/1 Running 0 104m