1.主机配置列表
| 主机名 | K8s节点类型 | ip地址 | 系统版本 |
| --- | --- | --- | --- |
| server236 | Master | 192.168.1.236 | Ubuntu2204 |
| Server237 | Master | 192.168.1.237 | Ubuntu2204 |
| Server238 | Master | 192.168.1.238 | Ubuntu2204 |
| Server239 | Slave | 192.168.1.239 | Ubuntu2204 |
| Server240 | Slave | 192.168.1.240 | Ubuntu2204 |
| Server241 | 无 | 192.168.1.241 | Ubuntu2404 |
2. 配置hosts(所有主机)
root@server236:~# vi /etc/hosts
192.168.1.236 server236
192.168.1.237 server237
192.168.1.238 server238
192.168.1.239 server239
192.168.1.240 server240
3.内核转发及网桥过滤(所有主机)
# 添加系统启动时自动加载的内核模块
root@server236:~# vi /etc/modules-load.d/k8s.conf
overlay
br_netfilter
root@server236:~# modprobe overlay
root@server236:~# modprobe br_netfilter
# 确认模块已加载
root@server236:~# lsmod | grep -E 'overlay|br_netfilter'
br_netfilter 32768 0
bridge 311296 1 br_netfilter
overlay 151552 0
# 开启桥接流量通过 iptables 和 ip6tables 过滤,启用 IPv4 数据包转发。
root@server236:~# vi /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
# 加载内核参数
sysctl --system
#####################-linux内核参数调优(第二种参数优化方式,与上面的方式二选一;这里的 cat > 会覆盖前面写入的 /etc/sysctl.d/k8s.conf)-#####################
root@server236:~# cat > /etc/sysctl.d/k8s.conf << EOF
#开启网桥模式【重要】
net.bridge.bridge-nf-call-iptables=1
#开启网桥模式【重要】
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
net.ipv4.tcp_tw_recycle=0
# 禁止使用 swap 空间,只有当系统 OOM 时才允许使用它
vm.swappiness=0
# 不检查物理内存是否够用
vm.overcommit_memory=1
# OOM 时不触发内核 panic(交由 OOM killer 处理)
vm.panic_on_oom=0
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
fs.file-max=52706963
fs.nr_open=52706963
#关闭ipv6【重要】
# net.ipv6.conf.all.disable_ipv6=1
# net.netfilter.nf_conntrack_max=2310720
# 下面的内核参数可以解决ipvs模式下长连接空闲超时的问题
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 10
net.ipv4.tcp_keepalive_time = 600
EOF
4.安装ipset与ipvsadm(所有主机)
# 安装ipset及ipvsadm
root@server236:~# apt install -y ipset ipvsadm
# 配置ipvsadm模块加载
root@server236:~# cat << EOF | sudo tee /etc/modules-load.d/ipvs.conf
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
EOF
# 立即加载ipvs模块
root@server236:~# modprobe -- ip_vs
root@server236:~# modprobe -- ip_vs_rr
root@server236:~# modprobe -- ip_vs_wrr
root@server236:~# modprobe -- ip_vs_sh
root@server236:~# modprobe -- nf_conntrack
# 查看ipvs模块是否加载
lsmod | grep ip_vs
5.时间同步(所有主机)
root@server236:~# timedatectl set-timezone Asia/Shanghai
root@server236:~# apt install ntpdate -y
root@server236:~# ntpdate time1.aliyun.com
root@server236:~# crontab -e
0 0 * * * ntpdate time1.aliyun.com
6.禁用swap分区(所有主机)
root@server236:~# swapoff -a && sudo sed -i '/swap/s/^/#/' /etc/fstab
7.禁用linux的透明大页、标准大页(未验证)
root@server236:~# echo never > /sys/kernel/mm/transparent_hugepage/defrag
root@server236:~# echo never > /sys/kernel/mm/transparent_hugepage/enabled
root@server236:~# echo 'echo never > /sys/kernel/mm/transparent_hugepage/defrag' >> /etc/rc.local
root@server236:~# echo 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' >> /etc/rc.local
root@server236:~# chmod +x /etc/rc.d/rc.local
8.文件数设置(所有主机)
root@server236:~# ulimit -SHn 65535
root@server236:~# cat >> /etc/security/limits.conf <<EOF
* soft nofile 655360
* hard nofile 131072
* soft nproc 655350
* hard nproc 655350
* soft memlock unlimited
* hard memlock unlimited
EOF
9.RKE2 安装与配置
9.1 第一台管理节点配置
9.1.1 下载离线安装文件(最好提前下载,有些东西可能无法从github拉取)
# 创建文件夹下载离线文件
root@server236:~# mkdir -pv /data/rke2-artifacts
# 创建rke2的image文件用来存储离线镜像
root@server236:~# mkdir -p /var/lib/rancher/rke2/agent/images
# 下载v1.34.2版本(根据需要)
root@server236:~# cd /data/rke2-artifacts
root@server236:/data/rke2-artifacts# wget https://github.com/rancher/rke2/releases/download/v1.34.2%2Brke2r1/rke2-images.linux-amd64.tar.zst
root@server236:/data/rke2-artifacts# wget https://github.com/rancher/rke2/releases/download/v1.34.2%2Brke2r1/rke2.linux-amd64.tar.gz
root@server236:/data/rke2-artifacts# wget https://github.com/rancher/rke2/releases/download/v1.34.2%2Brke2r1/sha256sum-amd64.txt
# 下载v1.29.15版本(根据需要)
root@server236:~# cd /data/rke2-artifacts
root@server236:/data/rke2-artifacts# wget https://github.com/rancher/rke2/releases/download/v1.29.15%2Brke2r1/rke2-images.linux-amd64.tar.zst
root@server236:/data/rke2-artifacts# wget https://github.com/rancher/rke2/releases/download/v1.29.15%2Brke2r1/rke2.linux-amd64.tar.gz
root@server236:/data/rke2-artifacts# wget https://github.com/rancher/rke2/releases/download/v1.29.15%2Brke2r1/sha256sum-amd64.txt
# 将离线镜像拷贝到指定文件夹
root@server236:/data/rke2-artifacts# cp rke2-images.linux-amd64.tar.zst /var/lib/rancher/rke2/agent/images
9.1.2 配置 RKE2 配置文件
root@server236:~# mkdir -p /etc/rancher/rke2 && vim /etc/rancher/rke2/config.yaml
token: 123456
node-name: server236
tls-san: 192.168.1.236
system-default-registry: "registry.cn-hangzhou.aliyuncs.com" #容器镜像仓库
kube-proxy-arg: # 部署负载均衡器
- proxy-mode=ipvs
- ipvs-strict-arp=true
#node-taint:
# - "CriticalAddonsOnly=true:NoExecute"
node-label:
- "node=Master"
- "Master=server236"
# 解释说明
- token 表示自定义的集群加入令牌(所有节点必须使用同一个值);示例中的 123456 仅用于演示,正式环境应使用随机生成的强令牌。
- node-name 表示配置节点的名称,该名称是全局唯一的,用于 DNS 路由。
- tls-san 表示 TLS 证书上添加的主机名或 IPv4/IPv6 地址,此处填写本机 IP,该参数是为了避免固定地址的证书错误。
- system-default-registry 表示使用国内镜像。
- node-taint: 给主节点打上污点标记,使主节点不执行pod的任务,如果只想从节点执行工作任务,主节点不执行,取消这个注释
9.1.3 配置使用私服仓库(可选,这里配置的是企业自建的容器镜像私服,而不是 rke2 自身所需的镜像仓库)
# cat /etc/rancher/rke2/registries.yaml
mirrors:
  www.aaa.com: # 仓库名
    endpoint:
      - "http://www.aaa.com" # 仓库地址
configs:
  "http://www.aaa.com": # 仓库安全配置
    auth:
      username: admin
      password: 12345
说明:
- mirrors 字段说明
表示访问 mirrors 下列出的仓库名时,会被重定向到 endpoint 中配置的地址(示例中为 http://www.aaa.com)。
- configs 字段说明
该段配置用于企业自建的镜像仓库(例如 harbor);如果没有私有仓库,则 configs 段可以省略。
- 仓库名与 endpoint 处填写镜像仓库的地址(示例中为 www.aaa.com)。
- auth 块下的 username 和 password 填写仓库的登录账号密码。
如果镜像仓库访问时使用 https(使用了 tls),则需要填写 tls 的信息:如不验证 CA 证书,则 tls 下需要填写 insecure_skip_verify: true;如果需要验证,则需要填写 cert_file、key_file 和 ca_file 这三个参数。注意 insecure_skip_verify: true 会放弃对仓库证书的校验,无法发现仓库被冒充,只建议在受控的内网环境中使用。
9.1.4 安装Server端
# 下载安装脚本并授权(官网脚本:curl -sfL https://get.rke2.io)。注意:下面的 --no-check-certificate 会跳过 TLS 证书校验,而该脚本随后会以 root 身份执行,下载后建议先检查脚本内容再运行。
root@server237:~# cd /data/rke2-artifacts
root@server237:/data/rke2-artifacts# wget --no-check-certificate https://rancher-mirror.rancher.cn/rke2/install.sh
root@server237:/data/rke2-artifacts# chmod +x install.sh
# 指定版本国内源-主节点指定安装版本(直接使用线上脚本安装时会失败,原因尚未查明)
# root@server236:~# curl -sfL https://rancher-mirror.rancher.cn/rke2/install.sh | INSTALL_RKE2_TYPE="server" INSTALL_RKE2_MIRROR=cn INSTALL_RKE2_VERSION=v1.34.2+rke2r1 INSTALL_RKE2_ARTIFACT_PATH=/data/rke2-artifacts sh -
root@server237:/data/rke2-artifacts# INSTALL_RKE2_TYPE="server" INSTALL_RKE2_MIRROR=cn INSTALL_RKE2_VERSION=v1.34.2+rke2r1 INSTALL_RKE2_ARTIFACT_PATH=/data/rke2-artifacts sh install.sh
[INFO] staging local checksums from /data/rke2-artifacts/sha256sum-amd64.txt
[INFO] staging zst airgap image tarball from /data/rke2-artifacts/rke2-images.linux-amd64.tar.zst
[INFO] staging tarball from /data/rke2-artifacts/rke2.linux-amd64.tar.gz
[INFO] verifying airgap tarball
[INFO] installing airgap tarball to /var/lib/rancher/rke2/agent/images
[INFO] verifying tarball
[INFO] unpacking tarball file to /usr/local
# 查找 RKE2 安装位置:
root@server236:~# find / -name rke2
/usr/local/share/rke2
/usr/local/bin/rke2
/etc/rancher/rke2
9.1.5 启动rke2Server开始初始化
# 执行时间会比较久
root@server236:~# systemctl enable --now rke2-server.service
# 如果想查看初始化状态可以使用下面命令
root@server236:~# journalctl -u rke2-server -f
# 查看安装生成的 token
root@server236:/data/rke2-artifacts# cat /var/lib/rancher/rke2/server/node-token
# 查看集群信息(kubeconfig)
root@server236:/data/rke2-artifacts# cat /etc/rancher/rke2/rke2.yaml
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: |
LS0tLS1CRUdJTiBDRVJUSU...(省略的内容表示证书数据)
server: https://127.0.0.1:6443
name: default
contexts:
- context:
cluster: default
user: default
name: default
current-context: default
9.1.6 配置kubectl命令
# 安装完成后,kubectl 等二进制命令文件都位于同一个目录中,需要将该目录加入 PATH 环境变量,系统才能正常调用
root@server237:/data/rke2-artifacts# ls /var/lib/rancher/rke2/bin
containerd containerd-shim containerd-shim-runc-v1 containerd-shim-runc-v2 crictl ctr kubectl kubelet runc
root@server236:/data/rke2-artifacts# vim /etc/profile.d/rke2.sh
export PATH=$PATH:/var/lib/rancher/rke2/bin
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
root@server236:/data/rke2-artifacts# source /etc/profile
# 配置 ctr 与 crictl 命令,使其能够正常使用
root@server236:/data/rke2-artifacts# echo 'alias ctr="/var/lib/rancher/rke2/bin/ctr --address /run/k3s/containerd/containerd.sock --namespace k8s.io"' >> /etc/profile
root@server236:/data/rke2-artifacts# echo 'export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml' >> /etc/profile
root@server236:/data/rke2-artifacts# source /etc/profile
# 测试命令
root@server237:/data/rke2-artifacts# kubectl get nodes
NAME STATUS ROLES AGE VERSION
server237 Ready control-plane,etcd 21m v1.34.2+rke2r1
root@server239:/data/rke2-artifacts# crictl images
IMAGE TAG IMAGE ID SIZE
docker.io/rancher/hardened-addon-resizer 1.8.23-build20251016 682ffb21c0403 48.1MB
registry.cn-hangzhou.aliyuncs.com/rancher/hardened-addon-resizer 1.8.23-build20251016 682ffb21c0403 48.1MB
docker.io/rancher/hardened-calico v3.30.3-build20251015 02dad26543033 686MB
registry.cn-hangzhou.aliyuncs.com/rancher/hardened-calico v3.30.3-build20251015 02dad26543033 686MB
docker.io/rancher/hardened-cluster-autoscaler v1.10.2-build20251015 88a47d41f8b82 48.7MB
registry.cn-hangzhou.aliyuncs.com/rancher/hardened-cluster-autoscaler v1.10.2-build20251015 88a47d41f8b82 48.7MB
docker.io/rancher/hardened-coredns v1.13.1-build20251015 f4ccc0f5d7de0 93.1MB
registry.cn-hangzhou.aliyuncs.com/rancher/hardened-coredns v1.13.1-build20251015 f4ccc0f5d7de0 93.1MB
docker.io/rancher/hardened-dns-node-cache 1.26.7-build20251016 b15f8e9b31de6 70MB
registry.cn-hangzhou.aliyuncs.com/rancher/hardened-dns-node-cache 1.26.7-build20251016 b15f8e9b31de6 70MB
docker.io/rancher/hardened-etcd v3.6.5-k3s1-build20251017 405516f27f18a 47.6MB
registry.cn-hangzhou.aliyuncs.com/rancher/hardened-etcd v3.6.5-k3s1-build20251017 405516f27f18a 47.6MB
docker.io/rancher/hardened-flannel v0.27.4-build20251015 cd9765145172e 69.6MB
registry.cn-hangzhou.aliyuncs.com/rancher/hardened-flannel v0.27.4-build20251015 cd9765145172e 69.6MB
docker.io/rancher/hardened-k8s-metrics-server v0.8.0-build20251015 be573c48df116 71.5MB
registry.cn-hangzhou.aliyuncs.com/rancher/hardened-k8s-metrics-server v0.8.0-build20251015 be573c48df116 71.5MB
docker.io/rancher/hardened-kubernetes v1.34.2-rke2r1-build20251112 7b491b625ab3a 640MB
registry.cn-hangzhou.aliyuncs.com/rancher/hardened-kubernetes v1.34.2-rke2r1-build20251112 7b491b625ab3a 640MB
docker.io/rancher/klipper-helm v0.9.10-build20251111 1d0854c41ff27 181MB
registry.cn-hangzhou.aliyuncs.com/rancher/klipper-helm v0.9.10-build20251111 1d0854c41ff27 181MB
docker.io/rancher/klipper-lb v0.4.13 f7415d0003cb6 12.7MB
registry.cn-hangzhou.aliyuncs.com/rancher/klipper-lb v0.4.13 f7415d0003cb6 12.7MB
docker.io/rancher/mirrored-ingress-nginx-kube-webhook-certgen v1.6.4 884bd0ac01c8f 43.1MB
registry.cn-hangzhou.aliyuncs.com/rancher/mirrored-ingress-nginx-kube-webhook-certgen v1.6.4 884bd0ac01c8f 43.1MB
docker.io/rancher/mirrored-pause 3.6 6270bb605e12e 301kB
registry.cn-hangzhou.aliyuncs.com/rancher/mirrored-pause 3.6 6270bb605e12e 301kB
docker.io/rancher/mirrored-sig-storage-snapshot-controller v8.2.0 25f7295428a63 71.9MB
registry.cn-hangzhou.aliyuncs.com/rancher/mirrored-sig-storage-snapshot-controller v8.2.0 25f7295428a63 71.9MB
docker.io/rancher/nginx-ingress-controller v1.13.4-hardened1 f184bd6520d3a 707MB
registry.cn-hangzhou.aliyuncs.com/rancher/nginx-ingress-controller v1.13.4-hardened1 f184bd6520d3a 707MB
docker.io/rancher/rke2-cloud-provider v1.34.2-0.20251010190833-cf0d35a732d1-build20251017 35741f48740f4 82.1MB
registry.cn-hangzhou.aliyuncs.com/rancher/rke2-cloud-provider v1.34.2-0.20251010190833-cf0d35a732d1-build20251017 35741f48740f4 82.1MB
docker.io/rancher/rke2-runtime v1.34.2-rke2r1 0fc9035fae438 306MB
registry.cn-hangzhou.aliyuncs.com/rancher/rke2-runtime v1.34.2-rke2r1 0fc9035fae438 306MB
9.2 第二台管理节点加入
# 其他步骤都相同,配置文件稍作修改
root@server236:~# mkdir -p /etc/rancher/rke2 && vim /etc/rancher/rke2/config.yaml
server: https://192.168.1.236:9345
token: 123456
node-name: server237
tls-san: 192.168.1.237
system-default-registry: "registry.cn-hangzhou.aliyuncs.com" #容器镜像仓库
kube-proxy-arg: # 部署负载均衡器
- proxy-mode=ipvs
- ipvs-strict-arp=true
#node-taint:
# - "CriticalAddonsOnly=true:NoExecute"
node-label:
- "node=Master"
- "Master=server237"
9.3 第三台管理节点加入
# 其他步骤都相同,配置文件稍作修改
root@server236:~# mkdir -p /etc/rancher/rke2 && vim /etc/rancher/rke2/config.yaml
server: https://192.168.1.236:9345
token: 123456
node-name: server238
tls-san: 192.168.1.238
system-default-registry: "registry.cn-hangzhou.aliyuncs.com" #容器镜像仓库
kube-proxy-arg: # 部署负载均衡器
- proxy-mode=ipvs
- ipvs-strict-arp=true
#node-taint:
# - "CriticalAddonsOnly=true:NoExecute"
node-label:
- "node=Master"
- "Master=server238"
9.4 Worker 节点加入(所有从节点都可以这样操作)
# 命令基本相同,初始化命令有所不同。
root@server239:/data/rke2-artifacts# wget --no-check-certificate https://rancher-mirror.rancher.cn/rke2/install.sh
root@server239:/data/rke2-artifacts# chmod +x install.sh
root@server239:/data/rke2-artifacts# INSTALL_RKE2_TYPE="agent" INSTALL_RKE2_MIRROR=cn INSTALL_RKE2_VERSION=v1.34.2+rke2r1 INSTALL_RKE2_ARTIFACT_PATH=/data/rke2-artifacts sh install.sh
# Worker 节点配置文件
root@server239:~# mkdir -p /etc/rancher/rke2 && vim /etc/rancher/rke2/config.yaml
server: https://192.168.1.236:9345
token: 123456
node-name: server239
tls-san: 192.168.1.239
system-default-registry: "registry.cn-hangzhou.aliyuncs.com" #容器镜像仓库
kube-proxy-arg: # 部署负载均衡器
- proxy-mode=ipvs
- ipvs-strict-arp=true
#node-taint:
# - "CriticalAddonsOnly=true:NoExecute"
node-label:
- "node=Master"
- "Master=server239"
# agent初始化
root@server236:~# systemctl enable --now rke2-agent.service
# 如果想查看初始化状态可以使用下面命令
root@server236:~# journalctl -u rke2-agent -f