Contents
- Disable the firewall
- Disable swap
- Disable SELinux
- Install iptables
- Let iptables see bridged traffic
- Add the package repository
- Install cri-o, kubelet, kubeadm and kubectl
- Override the sandbox (pause) image
- Configure registry mirrors located in China
- Initialize the cluster
- Copy the config file so kubectl can be used
- Check node status
- Allow the node to be scheduled
## Disable the firewall
```shell
# stop firewalld now and keep it from starting on boot (&& runs the second
# command only after the first succeeds; a single & would background it)
systemctl stop firewalld.service && systemctl disable firewalld.service
```
## Disable swap
```shell
# vm.swappiness=0 only discourages swapping; kubelet refuses to start by default
# while any swap device is active, so the zram swap (Fedora's default) is
# stopped and its generator removed so it is not recreated on the next boot
sysctl vm.swappiness=0 && sysctl -p
systemctl stop swap-create@zram0
yum remove -y zram-generator-defaults
```
## Disable SELinux
```shell
# setenforce 0 switches to permissive mode immediately; the sed edit makes it persist across reboots
sudo setenforce 0 && sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
```
## Install iptables
```shell
yum install -y iptables iproute-tc
```
## Let iptables see bridged traffic
```shell
# load br_netfilter at boot so bridged pod traffic passes through iptables
cat <<EOF | tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF
# kubeadm preflight checks require these three sysctls to be 1
cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
# apply every file under /etc/sysctl.d without rebooting
sysctl --system
```
## Add the package repository
```shell
# the exclude line stops routine `yum update` from upgrading cluster components;
# the install step below passes --disableexcludes=kubernetes to bypass it
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://pkgs.k8s.io/core:/stable:/v1.31/rpm/
enabled=1
gpgcheck=1
gpgkey=https://pkgs.k8s.io/core:/stable:/v1.31/rpm/repodata/repomd.xml.key
exclude=kubelet kubeadm kubectl cri-tools kubernetes-cni
EOF
```
## Install cri-o, kubelet, kubeadm and kubectl
cri-o is recommended as the container runtime; containerd's networking problems are too much hassle.
```shell
yum install -y crio kubelet kubeadm kubectl --disableexcludes=kubernetes
# start both services now and enable them at boot
systemctl enable --now crio && systemctl enable --now kubelet && yum clean all
```
## Override the sandbox (pause) image
```shell
# uncomment pause_image in crio.conf and point it at the mirror
sed -i "s/# pause_image = .*/pause_image = \"registry.aliyuncs.com\/google_containers\/pause:3.10\"/g" /etc/crio/crio.conf
```
## Configure registry mirrors located in China
```shell
vi /etc/containers/registries.conf
```
```conf
unqualified-search-registries = ["docker.m.daocloud.io", "docker.io", "k8s.gcr.io", "registry.k8s.io", "registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org"]

[[registry]]
prefix = "docker.io"
location = "docker.m.daocloud.io"

[[registry]]
prefix = "*registry.k8s.io"
location = "registry.aliyuncs.com/google_containers"

[[registry]]
prefix = "*.gcr.io"
location = "docker.m.daocloud.io"

[[registry]]
prefix = "registry.centos.org"
location = "docker.m.daocloud.io"
```
## Initialize the cluster
```shell
# note: the pod network CIDR must not overlap the node's own network; the
# value below sits in the same /24 as the advertise address, so adjust it to
# match the range your CNI plugin expects before running this on a real host
kubeadm init \
  --pod-network-cidr=192.168.56.101/24 \
  --apiserver-advertise-address=192.168.56.101 \
  --apiserver-cert-extra-sans=192.168.56.101 \
  --cri-socket=unix:///var/run/crio/crio.sock \
  --image-repository=registry.aliyuncs.com/google_containers
```
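The following pre-flight helper is an added example, not part of the original post. It checks the three prerequisites the steps above set up (swap off, the k8s sysctls, a pod CIDR disjoint from the node network) against constructed sample input, and flags the `--pod-network-cidr` value used above as overlapping the node's network.

```shell
#!/bin/sh
# Added pre-flight helper (not from the original post). Each function reads
# constructed sample input (stdin or arguments) so it runs offline; on a real
# node feed it /proc/swaps, /etc/sysctl.d/k8s.conf and the kubeadm flags.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() (
  IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_overlaps A/plen B/plen: exit 0 if the two ranges share any address.
# Two ranges overlap iff they agree on all bits of the shorter prefix.
cidr_overlaps() (
  a=$(ip_to_int "${1%/*}"); pa=${1#*/}
  b=$(ip_to_int "${2%/*}"); pb=${2#*/}
  p=$(( pa < pb ? pa : pb ))
  mask=$(( p == 0 ? 0 : (4294967295 << (32 - p)) & 4294967295 ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
)

# sysctl_conf_ok: stdin is the k8s.conf content; every required key must be 1.
sysctl_conf_ok() (
  conf=$(cat)
  for key in net.bridge.bridge-nf-call-ip6tables net.bridge.bridge-nf-call-iptables net.ipv4.ip_forward; do
    re=$(printf '%s' "$key" | sed 's/\./\\./g')
    printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*$re[[:space:]]*=[[:space:]]*1[[:space:]]*$" || return 1
  done
  return 0
)

# no_active_swap: stdin is /proc/swaps content; only the header line may remain.
no_active_swap() (
  [ "$(sed 1d | grep -c .)" -eq 0 ]
)

# Constructed demonstration using the values from the kubeadm init command above.
NODE_NET=192.168.56.0/24    # node network implied by --apiserver-advertise-address
POD_CIDR=192.168.56.101/24  # value given to --pod-network-cidr
if cidr_overlaps "$POD_CIDR" "$NODE_NET"; then
  echo "WARN: pod CIDR $POD_CIDR overlaps node network $NODE_NET; pick a disjoint range"
fi
```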
## Copy the config file so kubectl can be used
Non-root user:
```shell
mkdir -p $HOME/.kube && sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config && sudo chown $(id -u):$(id -g) $HOME/.kube/config
```
root user:
```shell
echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile && source ~/.bash_profile
```
## Check node status
```shell
kubectl describe node
```
## Allow the node to be scheduled
A single-node control plane is not schedulable by default.
```shell
# the trailing "-" removes the taint; replace <node-name> with the name shown by kubectl get nodes
kubectl taint nodes <node-name> node-role.kubernetes.io/control-plane:NoSchedule-
```