Kylin V10 (x86): building a Kubernetes cluster with kubeadm + Docker + cri-dockerd installed from binaries (certificates valid for 100 years), by 筑梦之路

Environment

master: 192.168.100.100

node: 192.168.100.101

kubeadm 1.31.2 (self-compiled binary, certificate validity 100 years)

Kylin (银河麒麟) V10 SP2, x86 architecture

Kernel: 5.4.x, compiled from source, cgroup v2 enabled

Docker: 27.x, installed from binaries, with cgroup v2 support

Deployment preparation

# Stop and disable firewalld
systemctl disable firewalld --now

# Put SELinux into permissive mode now and disable it in the config file for the next boot
setenforce 0
sed -i 's/enforcing/disabled/' /etc/selinux/config

# Turn off swap now and comment out the swap entries in /etc/fstab (permanent)
swapoff -a
sed -ri 's/.*swap.*/#&/' /etc/fstab

# Hostname to IP mapping
cat >> /etc/hosts << EOF
192.168.100.100 k8s-master
192.168.100.101 k8s-node
EOF

# Kernel parameters required by kube-proxy and the CNI plugin.
# The net.bridge.* keys only exist once br_netfilter is loaded, so load it
# first or sysctl -p fails with "No such file or directory".
modprobe br_netfilter
cat << EOF > /etc/sysctl.d/99-kubernetes-cri.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
user.max_user_namespaces=28633
EOF

# Apply them
sysctl -p /etc/sysctl.d/99-kubernetes-cri.conf

# IPVS forwarding for kube-proxy.
# nf_conntrack_ipv4 no longer exists on kernel 4.19 and later (it was merged
# into nf_conntrack), so on the 5.4 kernel used here load nf_conntrack instead.
yum install -y ipset ipvsadm
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack
EOF

chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack
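The preparation steps above set several things but never verify them. The following is an added example, not from the original post, of a small POSIX shell pre-flight check that parses the files and command output those steps touch: the sysctl file, /etc/fstab and the output of lsmod. The functions take file paths and stdin so they can be exercised on constructed fixtures; on a real node they would be pointed at /etc/sysctl.d/99-kubernetes-cri.conf, /etc/fstab and a live `lsmod`. The fixture contents it builds are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# node preparation steps. Each function prints what is still wrong and
# prints nothing when that part of the node is ready.

# sysctl keys the post's 99-kubernetes-cri.conf must set, as key=value.
REQUIRED_SYSCTLS='net.bridge.bridge-nf-call-iptables=1 net.bridge.bridge-nf-call-ip6tables=1 net.ipv4.ip_forward=1'

# Print each required sysctl that is absent from FILE ($1) or has the wrong
# value. Lines look like "key = value" or "key=value"; "#" starts a comment.
sysctl_file_missing() {
    for kv in $REQUIRED_SYSCTLS; do
        key=${kv%%=*}
        want=${kv#*=}
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        got=$(sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1)
        [ "$got" = "$want" ] || printf '%s\n' "$key"
    done
}

# Print fstab entries ($1) that would still activate swap at boot: not
# commented out and with "swap" as the filesystem type (third column).
fstab_active_swap() {
    awk '$0 !~ /^[[:space:]]*#/ && $3 == "swap" { print }' "$1"
}

# Read `lsmod` output on stdin and print the modules kube-proxy's IPVS mode
# needs that are not loaded (first column of lsmod is the module name).
ipvs_modules_missing() {
    loaded=$(awk 'NR > 1 { printf "%s ", $1 }')
    for m in ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack; do
        case " $loaded" in
            *" $m "*) ;;
            *) printf '%s\n' "$m" ;;
        esac
    done
}

# Demo on constructed fixtures standing in for a half-prepared node.
demo=$(mktemp -d)
printf 'net.ipv4.ip_forward = 1\nnet.bridge.bridge-nf-call-iptables = 1\n' > "$demo/sysctl.conf"
printf '/dev/sda1 / ext4 defaults 0 0\n#/dev/sda2 none swap sw 0 0\n/dev/sda3 none swap sw 0 0\n' > "$demo/fstab"
printf 'Module Size Used by\nip_vs 1 0\nnf_conntrack 1 0\n' > "$demo/lsmod.txt"

echo "missing sysctls:";  sysctl_file_missing "$demo/sysctl.conf"
echo "active swap:";      fstab_active_swap "$demo/fstab"
echo "missing modules:";  ipvs_modules_missing < "$demo/lsmod.txt"
rm -rf "$demo"
```

On a node the same three calls become `sysctl_file_missing /etc/sysctl.d/99-kubernetes-cri.conf`, `fstab_active_swap /etc/fstab` and `lsmod | ipvs_modules_missing`; an empty result from all three means the preparation block took effect.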
# Configure time synchronization
# (the package is named chrony; chronyd is the service it provides)

dnf install chrony -y

cat > /etc/chrony.conf <<EOF
server ntp.aliyun.com iburst
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony.keys
commandkey 1
generatecommandkey
logchange 0.5
logdir /var/log/chrony
EOF

systemctl enable chronyd --now

Installing Docker, cri-dockerd and the CNI plugins from binaries

See the companion post "银河麒麟v10 二进制安装cri-docker+cni插件" (Kylin V10: installing cri-dockerd and the CNI plugins from binaries) by 筑梦之路 on the CSDN blog.

Installing kubeadm, kubelet and kubectl

Copy the compiled binaries into /usr/bin/ and make them executable.

# Install common tools and dependencies
yum -y install wget psmisc vim net-tools nfs-utils telnet yum-utils device-mapper-persistent-data lvm2 git tar curl ipvsadm

yum install -y ipvsadm ipset sysstat conntrack libseccomp

yum install -y socat libnetfilter_queue libnetfilter_cttimeout conntrack-tools libnetfilter_cthelper

# Generate the kubelet service file
cat > /usr/lib/systemd/system/kubelet.service << EOF
[Unit]
Description=kubelet: The Kubernetes Node Agent
Documentation=https://kubernetes.io/docs/home/
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/kubelet
Restart=always
StartLimitInterval=0
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF

# kubeadm drives the kubelet through this drop-in, the same one the upstream
# kubelet packages install. Without it the kubelet starts with no kubeconfig
# and kubeadm init/join wait for it until they time out. The heredoc
# delimiter is quoted so the $VARIABLES reach systemd unexpanded.
mkdir -p /usr/lib/systemd/system/kubelet.service.d
cat > /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf << 'EOF'
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
# kubeadm writes KUBELET_KUBEADM_ARGS to this file at init/join time
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
# extra user-supplied flags go in /etc/default/kubelet as KUBELET_EXTRA_ARGS
EnvironmentFile=-/etc/default/kubelet
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
EOF

systemctl daemon-reload

systemctl enable kubelet
# Pull the required images

kubeadm config images pull --cri-socket unix:///var/run/cri-dockerd.sock --image-repository registry.aliyuncs.com/google_containers

# Initialize the control plane.
# --token-ttl=0 makes the bootstrap token never expire (the default is 24h).

kubeadm init --kubernetes-version=v1.31.2 \
--apiserver-advertise-address=192.168.100.100 \
--pod-network-cidr=10.244.0.0/16 \
--service-cidr=10.96.0.0/12 \
--token-ttl=0 \
--cri-socket unix:///var/run/cri-dockerd.sock \
--image-repository registry.aliyuncs.com/google_containers
Next, run the corresponding steps on the worker node. The only difference between the worker and the master is that the master runs kubeadm init while the worker runs kubeadm join, so every step above except kubeadm init must also be performed on the worker node.

Then run the kubeadm join command printed on the last line of a successful kubeadm init:

kubeadm config images pull --cri-socket unix:///var/run/cri-dockerd.sock --image-repository registry.aliyuncs.com/google_containers

kubeadm join 192.168.100.100:6443 --token o4zf8w.xxxx --discovery-token-ca-cert-hash sha256:376e215a51620ac6ccc --cri-socket unix:///var/run/cri-dockerd.sock
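The --discovery-token-ca-cert-hash value in that join command is what stops a worker from bootstrapping against a control plane other than the one that printed it: it pins the cluster CA's public key. Because the post passes --token-ttl=0, the token itself never expires, so the pin is the part worth verifying out of band before a join command copied from a terminal is run. The following is an added example, not part of the original post, that recomputes the pin from a CA certificate the way kubeadm defines it (SHA-256 over the DER-encoded public key) and checks a join command against it. The CA path and the sample token are assumptions; on a kubeadm master the CA lives at /etc/kubernetes/pki/ca.crt. The CA the demo generates is constructed throwaway material, not the cluster's.

```shell
#!/bin/sh
# Added example (not from the original post): recompute and verify the CA
# pin used by `kubeadm join --discovery-token-ca-cert-hash`.
# Assumption: on a kubeadm control plane the CA is /etc/kubernetes/pki/ca.crt.

# Print "sha256:<hex>" for the PEM certificate at $1: SHA-256 over the
# DER-encoded SubjectPublicKeyInfo, which is how kubeadm defines the pin.
ca_cert_hash() {
    openssl x509 -pubkey -noout -in "$1" \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 \
      | sed 's/^.* //; s/^/sha256:/'
}

# Build a join command for endpoint $3 with token $1, pinned to the CA at $2.
# The cri-socket flag mirrors the post's join line.
build_join_command() {
    printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash %s --cri-socket unix:///var/run/cri-dockerd.sock\n' \
        "$3" "$1" "$(ca_cert_hash "$2")"
}

# Return 0 when the hash pinned in join command $1 matches the CA at $2,
# 1 otherwise. A mismatch means the worker would trust a CA other than the
# control plane's, which is exactly what the pin exists to catch.
join_command_pin_matches() {
    pinned=$(printf '%s\n' "$1" | sed -n 's/.*--discovery-token-ca-cert-hash \([^ ]*\).*/\1/p')
    [ -n "$pinned" ] && [ "$pinned" = "$(ca_cert_hash "$2")" ]
}

# Token hygiene once the worker has joined (real kubeadm subcommands, left
# as comments here because they need a running control plane):
#   kubeadm token list
#   kubeadm token delete <token>                          # retire the never-expiring token
#   kubeadm token create --ttl 1h --print-join-command    # short-lived token for the next node

# Demo on a constructed throwaway CA (not the cluster's CA).
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=kubernetes \
        -keyout "$work/ca.key" -out "$work/ca.crt" >/dev/null 2>&1
    cmd=$(build_join_command abcdef.0123456789abcdef "$work/ca.crt" 192.168.100.100:6443)
    echo "$cmd"
    if join_command_pin_matches "$cmd" "$work/ca.crt"; then
        echo "pin matches ca.crt"
    fi
    rm -rf "$work"
fi
```

On the master, `ca_cert_hash /etc/kubernetes/pki/ca.crt` must print the same sha256 value that kubeadm init placed in the join command; a worker operator who receives a join command over chat or e-mail can compare the two before running it.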
# Deploy the flannel CNI plugin

cat > flannel.yaml << EOF
#---
#kind: Namespace
#apiVersion: v1
#metadata:
#  name: kube-flannel
#  labels:
#    k8s-app: flannel
#    pod-security.kubernetes.io/enforce: privileged
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: flannel
  name: flannel
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: flannel
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: flannel
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: flannel
  name: flannel
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    k8s-app: flannel
    app: flannel
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "EnableNFTables": false,
      "Backend": {
        "Type": "vxlan"
      }
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: kube-system
  labels:
    tier: node
    app: flannel
    k8s-app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      hostNetwork: true
      priorityClassName: system-node-critical
      tolerations:
      - operator: Exists
        effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
      - name: install-cni-plugin
        image: docker.io/flannel/flannel-cni-plugin:v1.6.0-flannel1
        command:
        - cp
        args:
        - -f
        - /flannel
        - /opt/cni/bin/flannel
        volumeMounts:
        - name: cni-plugin
          mountPath: /opt/cni/bin
      - name: install-cni
        image: docker.io/flannel/flannel:v0.26.1
        command:
        - cp
        args:
        - -f
        - /etc/kube-flannel/cni-conf.json
        - /etc/cni/net.d/10-flannel.conflist
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      containers:
      - name: kube-flannel
        image: docker.io/flannel/flannel:v0.26.1
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN", "NET_RAW"]
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: EVENT_QUEUE_DEPTH
          value: "5000"
        volumeMounts:
        - name: run
          mountPath: /run/flannel
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
        - name: xtables-lock
          mountPath: /run/xtables.lock
      volumes:
      - name: run
        hostPath:
          path: /run/flannel
      - name: cni-plugin
        hostPath:
          path: /opt/cni/bin
      - name: cni
        hostPath:
          path: /etc/cni/net.d
      - name: flannel-cfg
        configMap:
          name: kube-flannel-cfg
      - name: xtables-lock
        hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
EOF

kubectl apply -f flannel.yaml

Checking certificate validity

kubeadm certs check-expiration

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 27, 2124 10:08 UTC   99y             ca                      no      
apiserver                  Oct 27, 2124 10:08 UTC   99y             ca                      no      
apiserver-etcd-client      Oct 27, 2124 10:08 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   Oct 27, 2124 10:08 UTC   99y             ca                      no      
controller-manager.conf    Oct 27, 2124 10:08 UTC   99y             ca                      no      
etcd-healthcheck-client    Oct 27, 2124 10:08 UTC   99y             etcd-ca                 no      
etcd-peer                  Oct 27, 2124 10:08 UTC   99y             etcd-ca                 no      
etcd-server                Oct 27, 2124 10:08 UTC   99y             etcd-ca                 no      
front-proxy-client         Oct 27, 2124 10:08 UTC   99y             front-proxy-ca          no      
scheduler.conf             Oct 27, 2124 10:08 UTC   99y             ca                      no      
super-admin.conf           Oct 27, 2124 10:08 UTC   99y             ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 27, 2124 10:08 UTC   99y             no      
etcd-ca                 Oct 27, 2124 10:08 UTC   99y             no      
front-proxy-ca          Oct 27, 2124 10:08 UTC   99y             no 
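With 100-year certificates, kubeadm's own one-year rotation and the usual expiry alerts no longer trigger on this cluster, so it is worth confirming that whatever monitoring is in place actually reads this output correctly. The following is an added example, not from the original post: a POSIX shell filter that parses `kubeadm certs check-expiration` output and lists entries with fewer than N days left, using only the RESIDUAL TIME column (99y, 364d, 23h, `<invalid>`), so it needs no date arithmetic. The sample output embedded in it is constructed from the table above with two rows altered to exercise the short-residual and expired cases.

```shell
#!/bin/sh
# Added example (not from the original post): list certificates in
# `kubeadm certs check-expiration` output with fewer than N days left.
# The authoritative check is always the certificate file itself, e.g.
#   openssl x509 -noout -enddate -in /etc/kubernetes/pki/apiserver.crt

# Convert one RESIDUAL TIME token to whole days. kubeadm prints a single
# unit (99y, 364d, 23h, 59m, 30s) or <invalid> once a certificate has
# expired. Prints -1 for anything else (header words, log lines).
residual_to_days() {
    case "$1" in
        '<invalid>')              printf '%s\n' 0 ;;
        [0-9]*y)                  printf '%s\n' $(( ${1%y} * 365 )) ;;
        [0-9]*d)                  printf '%s\n' "${1%d}" ;;
        [0-9]*h|[0-9]*m|[0-9]*s)  printf '%s\n' 0 ;;   # under a day left
        *)                        printf '%s\n' -1 ;;
    esac
}

# Read check-expiration output on stdin and print "NAME DAYS" for every
# row with fewer than $1 days left. In both tables kubeadm prints, the
# name is column 1 and the residual time is column 7 ("Oct 27, 2124
# 10:08 UTC" occupies columns 2 to 6).
certs_expiring_within() {
    threshold=$1
    while read -r name f2 f3 f4 f5 f6 residual rest; do
        days=$(residual_to_days "$residual")
        [ "$days" -ge 0 ] || continue
        if [ "$days" -lt "$threshold" ]; then
            printf '%s %s\n' "$name" "$days"
        fi
    done
}

# Constructed sample: the post's table with two rows changed (a 12-day
# residual and an already-expired certificate) to exercise the check.
SAMPLE_OUTPUT=$(cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 27, 2124 10:08 UTC   99y             ca                      no
apiserver                  Oct 27, 2124 10:08 UTC   99y             ca                      no
apiserver-kubelet-client   Nov 08, 2025 10:08 UTC   12d             ca                      no
etcd-peer                  Oct 20, 2025 10:08 UTC   <invalid>       etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 27, 2124 10:08 UTC   99y             no
etcd-ca                 Oct 27, 2124 10:08 UTC   99y             no
EOF
)

# On a real master: kubeadm certs check-expiration | certs_expiring_within 30
printf '%s\n' "$SAMPLE_OUTPUT" | certs_expiring_within 30
```

Against the sample the filter reports the two altered rows and nothing else; against the cluster built in this post it reports nothing for any threshold under 36000 days, which is the point to verify in the monitoring that consumes this output.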

At this point the Kubernetes cluster built with the self-compiled kubeadm and 100-year certificates is complete; this is for reference only.

A cluster built this way still uses Docker as the container runtime, which performs somewhat worse than using containerd directly; in return, the Docker ecosystem is more mature and existing working habits carry over unchanged.
