梦夕 posted on 2020-8-26 16:41:00

Setting up a Kubernetes (k8s) 1.18.5 cluster on CentOS 8

<div class="toc"><div class="toc-container-header">Contents</div><ul><li>Environment setup<ul><li>Server information</li><li>Software versions</li><li>Environment correctness</li><li>Required ports open<ul><li>kube-master node ports</li><li>kube-node node ports</li></ul></li><li>Configure host trust<ul><li>Configure hosts mapping</li><li>Configure ssh keys</li></ul></li><li>Disable swap</li><li>Disable SELinux</li><li>Set system time zone and synchronize time</li></ul></li><li>Deploy Docker<ul><li>Add the docker yum repository</li><li>Install Docker</li><li>Ensure network modules load at boot</li><li>Make bridged traffic visible to iptables</li><li>Configure docker</li><li>Verify docker works</li><li>Add a user to the docker group</li></ul></li><li>Deploy the kubernetes cluster<ul><li>Add the kubernetes repository</li><li>Install kubeadm, kubelet and kubectl</li><li>Configure command completion</li><li>Pre-pull kubernetes images</li></ul></li><li>Initialize the master node<ul><li>Change the kubelet default cgroup driver</li><li>Generate the kubeadm init configuration file</li><li>Test that the environment is ready</li><li>Initialize master</li><li>Grant kubectl access to the day-to-day cluster user</li><li>Configure master authentication</li><li>Install the network add-on</li><li>Check kube-master node status</li><li>Back up images for other nodes</li></ul></li><li>Initialize node* nodes and join the cluster<ul><li>Copy images to node nodes</li><li>Get the kubernetes join command</li><li>Run the join command on node* nodes</li></ul></li><li>Check cluster node status</li><li>Conclusion</li></ul></div>
<h1 id="环境配置">Environment setup</h1>
<p>This document describes setting up a Kubernetes cluster, version 1.18.5. When the then-latest 1.18.8 was installed, the containers Kubernetes depends on could not be downloaded from within China, and switching to the Alibaba or Tencent installation mirrors still did not allow them to download, so version 1.18.5 was used instead.</p>
<p>Reference article for this post: https://www.cnblogs.com/hellxz/p/use-kubeadm-init-kubernetes-cluster.html</p>
<h2 id="服务器信息">Server information</h2>
<p>CentOS 8 is used as the operating system, with virtual machines used to simulate the deployment.</p>
<table>
<thead>
<tr>
<th>IP</th>
<th>Hostname</th>
<th>CPU cores</th>
<th>Memory</th>
<th>Disk</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>192.168.43.130</td>
<td>master</td>
<td>2</td>
<td>2G</td>
<td>20G</td>
<td>Control node</td>
</tr>
<tr>
<td>192.168.43.129</td>
<td>node01</td>
<td>2</td>
<td>2G</td>
<td>20G</td>
<td>Worker node</td>
</tr>
</tbody>
</table>
<h2 id="软件版本">Software versions</h2>
<table>
<thead>
<tr>
<th>Software</th>
<th>Version</th>
</tr>
</thead>
<tbody>
<tr>
<td>CentOS</td>
<td>8</td>
</tr>
<tr>
<td>Kubernetes</td>
<td>1.18.5</td>
</tr>
<tr>
<td>Docker</td>
<td>19.03.12</td>
</tr>
</tbody>
</table>
<h2 id="环境正确性">Environment correctness</h2>
<table>
<thead>
<tr>
<th>Description</th>
<th>Check command</th>
<th>Change command</th>
</tr>
</thead>
<tbody>
<tr>
<td>All cluster nodes reachable from each other</td>
<td><code>ping 192.168.43.129</code></td>
<td>None</td>
</tr>
<tr>
<td>MAC address unique</td>
<td><code>ip link</code> or <code>ifconfig -a</code></td>
<td>See command 1 below</td>
</tr>
<tr>
<td>Hostname unique within the cluster</td>
<td><code>hostnamectl status</code></td>
<td><code>hostnamectl set-hostname &lt;hostname&gt;</code></td>
</tr>
<tr>
<td>System product uuid unique</td>
<td><code>dmidecode -s system-uuid</code></td>
<td>See methods published online for changing it</td>
</tr>
</tbody>
</table>
<pre><code class="language-bash"># 1. Change the MAC address; these are the commands as actually used, still to be verified

ifconfig eth0 down
cd /etc/sysconfig/network-scripts
vim ifcfg-eth0
# change "HWADDR=xx:xx:xx:xx:xx:xx" in the file to "MACADDR=xx:xx:xx:xx:xx:xx"
ifconfig eth0 up
service network start
# note: the keywords HWADDR and MACADDR are different
</code></pre>
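<p>The table above requires hostname, MAC address and product uuid to be unique across the cluster, which is exactly what cloned virtual machines tend to violate. The following POSIX shell script is an added example, not code from the original post: it gathers those three identifiers from each node and reports any value shared by two or more nodes. The <code>ssh root@&lt;node&gt;</code> usage assumes the root key trust configured later in the "Configure ssh keys" step, and the sample identity lines at the end are constructed.</p>

```shell
#!/bin/sh
# Added example, not from the original post. Gathers the identifiers that the
# environment-correctness table requires to be unique (hostname, MAC address,
# product uuid) and reports any value shared by two or more nodes. VM clones
# typically keep the source VM's MAC and uuid, which is what this catches.
# Identity lines have the form "<hostname> <mac> <uuid>".

# Raw identity data as produced on a node: static hostname, `ip -o link`
# output, then the DMI product uuid (needs root, hence ssh as root below).
IDENTITY_CMDS='hostnamectl --static 2>/dev/null || hostname; ip -o link; dmidecode -s system-uuid'

# Turn the raw output of IDENTITY_CMDS (stdin) into one identity line. The MAC
# comes from the first non-loopback link; values that cannot be read become
# "unknown", which find_duplicates never counts as a shared value.
parse_identity() {
    awk '
        NR == 1 { host = $1; next }
        !mac && $2 != "lo:" {
            for (i = 1; i <= NF; i++) if ($i == "link/ether") { mac = $(i + 1); break }
        }
        /^[0-9A-Fa-f]+-[0-9A-Fa-f]+-[0-9A-Fa-f]+-[0-9A-Fa-f]+-[0-9A-Fa-f]+$/ { uuid = $1 }
        END {
            if (host == "") host = "unknown"
            if (mac == "") mac = "unknown"
            if (uuid == "") uuid = "unknown"
            print host, mac, uuid
        }'
}

# stdin: one identity line per node; stdout: "<field> <value>" for every
# hostname, MAC or uuid that appears on more than one node (sorted).
find_duplicates() {
    awk '
        { h[$1]++; m[$2]++; u[$3]++ }
        END {
            for (k in h) if (h[k] > 1) print "hostname", k
            for (k in m) if (m[k] > 1 && k != "unknown") print "mac", k
            for (k in u) if (u[k] > 1 && k != "unknown") print "uuid", k
        }' | sort
}

# Collect identities over ssh from each node named on the command line and
# check them; returns 1 and lists the duplicates if any value is shared.
# Assumes the root ssh key trust set up in the "Configure ssh keys" step.
check_cluster_identity() {
    dups=$(for node in "$@"; do
        ssh -o BatchMode=yes "root@$node" "$IDENTITY_CMDS" | parse_identity
    done | find_duplicates)
    if [ -n "$dups" ]; then
        printf 'duplicate node identifiers found:\n%s\n' "$dups" >&2
        return 1
    fi
    echo "all node identifiers are unique"
}

# Constructed sample (not real hosts): node01 was cloned from master and still
# carries the same MAC address.
SAMPLE_IDENTITIES='master 00:0c:29:aa:bb:cc 4c4c4544-0042-4b10-8052-b3c04f4e5a31
node01 00:0c:29:aa:bb:cc 1b2c3d4e-0000-1111-2222-333344445555'

demo() { printf '%s\n' "$SAMPLE_IDENTITIES" | find_duplicates; }
```

Run <code>check_cluster_identity master node01</code> from the master after the ssh keys are distributed; a non-zero exit means a MAC or uuid still has to be changed before the nodes join.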
<h2 id="端口正常开放">Required ports open</h2>
<h3 id="kube-master节点端口">kube-master node ports</h3>
<table>
<thead>
<tr>
<th>Protocol</th>
<th>Direction</th>
<th>Port</th>
<th>Purpose</th>
</tr>
</thead>
<tbody>
<tr>
<td>TCP</td>
<td>Inbound</td>
<td>6443*</td>
<td>kube-api-server</td>
</tr>
<tr>
<td>TCP</td>
<td>Inbound</td>
<td>2379-2380</td>
<td>etcd API</td>
</tr>
<tr>
<td>TCP</td>
<td>Inbound</td>
<td>10250</td>
<td>Kubelet API</td>
</tr>
<tr>
<td>TCP</td>
<td>Inbound</td>
<td>10251</td>
<td>kube-scheduler</td>
</tr>
<tr>
<td>TCP</td>
<td>Inbound</td>
<td>10252</td>
<td>kube-controller-manager</td>
</tr>
</tbody>
</table>
<h3 id="kube-node节点端口">kube-node node ports</h3>
<table>
<thead>
<tr>
<th>Protocol</th>
<th>Direction</th>
<th>Port</th>
<th>Purpose</th>
</tr>
</thead>
<tbody>
<tr>
<td>TCP</td>
<td>Inbound</td>
<td>10250</td>
<td>Kubelet API</td>
</tr>
<tr>
<td>TCP</td>
<td>Inbound</td>
<td>30000-32767</td>
<td>NodePort Services</td>
</tr>
</tbody>
</table>
<pre><code class="language-bash"># check the firewall state
firewall-cmd --state

# list all ports opened in the firewall
firewall-cmd --zone=public --list-ports

# open a single port
firewall-cmd --zone=public --add-port=5672/tcp --permanent

# open a range of ports
firewall-cmd --permanent --zone=public --add-port=100-500/tcp

# reload the firewall; after configuring ports you must reload for the changes to take effect
firewall-cmd --reload
</code></pre>
<h2 id="配置主机互信">Configure host trust</h2>
<h3 id="配置hosts映射">Configure hosts mapping</h3>
<p>Configure the hosts mapping on <strong>all nodes</strong>; the name after each IP is the corresponding hostname, the same as set above.</p>
<p>If nodes are added later, this file must be updated on all nodes.</p>
<p>Note: replace these with the actual IP addresses.</p>
<pre><code class="language-bash"># run on all nodes
cat &gt;&gt; /etc/hosts &lt;&lt;EOF
192.168.43.130 master
192.168.43.129 node01
EOF
</code></pre>
<h3 id="配置ssh密钥">Configure ssh keys</h3>
<p>Generate an ssh key on the master node and distribute the public key to each node.</p>
<p>If other nodes join later, this key must be distributed to the new nodes as well.</p>
<pre><code class="language-bash"># run on the master node

# generate the ssh key; just press Enter through every prompt
ssh-keygen -t rsa

# copy the key just generated into each node's trusted list; enter each host's password when prompted
ssh-copy-id root@master
ssh-copy-id root@node01

# once done, use the following command to check that you can log in to the target server
ssh 'root@master'
# log out
exit
</code></pre>
<h2 id="禁用swap">Disable swap</h2>
<p>swap uses disk space as extra memory only when memory is short; because disk I/O is far slower than memory, disabling swap improves performance.</p>
<pre><code class="language-bash"># run on all node servers
swapoff -a
sed -i 's/.*swap.*/#&amp;/' /etc/fstab
</code></pre>
<h2 id="关闭selinux">Disable SELinux</h2>
<p>With SELinux enabled, kubelet may report <code>Permission denied</code> when mounting directories; SELinux can be set to <code>permissive</code> or <code>disabled</code>, and <code>permissive</code> logs warn-level messages.</p>
<pre><code class="language-bash"># run on all node servers
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
</code></pre>
<h2 id="设置系统时区同步时间">Set system time zone and synchronize time</h2>
<pre><code class="language-bash"># run on all node servers

# set the time zone
timedatectl set-timezone Asia/Shanghai
systemctl enable --now chronyd

# verify the setting
date

# check synchronization status
timedatectl status
# the following attributes in the output show that clock synchronization is working
System clock synchronized: yes
            NTP service: active

# write the current UTC time to the hardware clock
timedatectl set-local-rtc 0

# restart services that depend on the system time
systemctl restart rsyslog &amp;&amp; systemctl restart crond
</code></pre>
<h1 id="部署docker">Deploy Docker</h1>
<p>The docker container software must be installed on all server nodes.</p>
<h2 id="添加docker-yum源">Add the docker yum repository</h2>
<pre><code class="language-bash"># run on all node servers

# install the required dependencies
yum install -y yum-utils device-mapper-persistent-data lvm2

# add the aliyun docker-ce yum repository
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

# rebuild the yum cache
yum makecache
</code></pre>
<h2 id="安装docker">Install Docker</h2>
<pre><code class="language-bash"># run on all node servers

# list the available docker versions
yum list docker-ce.x86_64 --showduplicates | sort -r

# the result is as follows:
# yum list docker-ce.x86_64 --showduplicates | sort -r
Last metadata expiration check: 0:02:19 ago on Wed 26 Aug 2020 01:16:53 PM CST.
docker-ce.x86_64            3:19.03.9-3.el7                     docker-ce-stable
docker-ce.x86_64            3:19.03.8-3.el7                     docker-ce-stable
docker-ce.x86_64            3:19.03.7-3.el7                     docker-ce-stable
docker-ce.x86_64            3:19.03.6-3.el7                     docker-ce-stable
docker-ce.x86_64            3:19.03.5-3.el7                     docker-ce-stable
docker-ce.x86_64            3:19.03.4-3.el7                     docker-ce-stable
docker-ce.x86_64            3:19.03.3-3.el7                     docker-ce-stable
docker-ce.x86_64            3:19.03.2-3.el7                     docker-ce-stable
docker-ce.x86_64            3:19.03.1-3.el7                     docker-ce-stable
docker-ce.x86_64            3:19.03.12-3.el7                  docker-ce-stable
docker-ce.x86_64            3:19.03.11-3.el7                  docker-ce-stable
docker-ce.x86_64            3:19.03.10-3.el7                  docker-ce-stable
docker-ce.x86_64            3:19.03.0-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.9-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.8-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.7-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.6-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.5-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.4-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.3-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.2-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.1-3.el7                     docker-ce-stable
docker-ce.x86_64            3:18.09.0-3.el7                     docker-ce-stable
docker-ce.x86_64            18.06.3.ce-3.el7                  docker-ce-stable
docker-ce.x86_64            18.06.2.ce-3.el7                  docker-ce-stable
docker-ce.x86_64            18.06.1.ce-3.el7                  docker-ce-stable
docker-ce.x86_64            18.06.0.ce-3.el7                  docker-ce-stable
docker-ce.x86_64            18.03.1.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            18.03.0.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.12.1.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.12.0.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.09.1.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.09.0.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.06.2.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.06.1.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.06.0.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.03.3.ce-1.el7                  docker-ce-stable
docker-ce.x86_64            17.03.2.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.03.1.ce-1.el7.centos             docker-ce-stable
docker-ce.x86_64            17.03.0.ce-1.el7.centos             docker-ce-stable
Available Packages
</code></pre>
<pre><code class="language-bash"># run on all node servers

# install the specified docker version; 19.03.12 is used as the example here
yum install -y docker-ce-19.03.12-3.el7

# this command may fail with the following error:
Last metadata expiration check: 0:06:47 ago on Wed 26 Aug 2020 01:16:31 PM CST.
Error:
Problem: package docker-ce-3:19.03.12-3.el7.x86_64 requires containerd.io &gt;= 1.2.2-3, but none of the providers can be installed
- conflicting requests
- package containerd.io-1.2.10-3.2.el7.x86_64 is filtered out by modular filtering
- package containerd.io-1.2.13-3.1.el7.x86_64 is filtered out by modular filtering
- package containerd.io-1.2.13-3.2.el7.x86_64 is filtered out by modular filtering
- package containerd.io-1.2.2-3.3.el7.x86_64 is filtered out by modular filtering
- package containerd.io-1.2.2-3.el7.x86_64 is filtered out by modular filtering
- package containerd.io-1.2.4-3.1.el7.x86_64 is filtered out by modular filtering
- package containerd.io-1.2.5-3.1.el7.x86_64 is filtered out by modular filtering
- package containerd.io-1.2.6-3.3.el7.x86_64 is filtered out by modular filtering
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

# cause: a newer containerd.io must be installed

# fix: install the latest containerd.io; downloading from the official site is slow, so download the package with a tool such as Xunlei and upload it to the server
# here an xshell connection to the server is used as the example; the commands are:
yum install lrzsz
mkdir software
cd software/
rz
yum localinstall -y containerd.io-1.2.6-3.3.el7.x86_64.rpm

# rerun the docker install command; it now succeeds
yum install -y docker-ce-19.03.12-3.el7
</code></pre>
<h2 id="确保网络模块开机自动加载">Ensure network modules load at boot</h2>
<pre><code class="language-bash"># run on all node servers
lsmod | grep overlay
lsmod | grep br_netfilter
</code></pre>
<p>If the commands above print nothing or report that the file does not exist, run the following:</p>
<pre><code class="language-bash"># run on all node servers

cat &gt; /etc/modules-load.d/docker.conf &lt;&lt;EOF
overlay
br_netfilter
EOF

modprobe overlay
modprobe br_netfilter
</code></pre>
<h2 id="使桥接流量对iptables可见">Make bridged traffic visible to iptables</h2>
<pre><code class="language-bash"># run on all node servers

cat &gt; /etc/sysctl.d/k8s.conf &lt;&lt;EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF

sysctl --system

# verify the settings took effect; both commands below must return 1
sysctl -n net.bridge.bridge-nf-call-iptables
sysctl -n net.bridge.bridge-nf-call-ip6tables
</code></pre>
<h2 id="配置docker">Configure docker</h2>
<pre><code class="language-bash"># run on all node servers

mkdir /etc/docker

# switch the cgroup driver to systemd, cap container log size and set the storage driver; the docker root directory at the end can be changed
cat &gt; /etc/docker/daemon.json &lt;&lt;EOF
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
    "max-size": "100m"
},
"storage-driver": "overlay2",
"storage-opts": [
    "overlay2.override_kernel_check=true"
],
"registry-mirrors": ["https://7uuu3esz.mirror.aliyuncs.com"],
"data-root": "/data/docker"
}
EOF

# enable at boot and start now
systemctl enable --now docker
</code></pre>
<h2 id="验证docker是否正常">Verify docker works</h2>
<pre><code class="language-bash"># run on all node servers

# show docker info and check it matches the configuration
docker info

# hello-world test
docker run --rm hello-world

# remove the test image
docker rmi hello-world
</code></pre>
<h2 id="添加用户到docker组">Add a user to the docker group</h2>
<p>This lets a non-root user run docker commands without sudo.</p>
<pre><code class="language-bash"># run on all node servers

# add the user to the docker group; zgs here is the other account
usermod -aG docker zgs

# apply the docker group membership to the current session immediately
newgrp docker
</code></pre>
<h1 id="部署kubernetes集群">Deploy the kubernetes cluster</h1>
<p>Unless otherwise stated, the commands below must be run on all node servers.</p>
<h2 id="添加kubernetes源">Add the kubernetes repository</h2>
<pre><code class="language-bash"># run on all node servers

cat &gt; /etc/yum.repos.d/kubernetes.repo &lt;&lt;EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

# rebuild the yum cache; type y to accept the GPG key
yum makecache
</code></pre>
<h2 id="安装kubeadmkubeletkubectl">Install kubeadm, kubelet and kubectl</h2>
<pre><code class="language-bash"># run on all node servers

# install
yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes

# enable at boot and start kubelet now
systemctl enable --now kubelet
</code></pre>
<h2 id="配置自动补全命令">Configure command completion</h2>
<pre><code class="language-bash"># run on all node servers

# install the bash completion package
yum install bash-completion -y

# set up kubectl and kubeadm completion; takes effect at the next login
kubectl completion bash &gt;/etc/bash_completion.d/kubectl
kubeadm completion bash &gt; /etc/bash_completion.d/kubeadm
</code></pre>
<h2 id="预拉取kubernetes镜像">Pre-pull kubernetes images</h2>
<p>Because of network conditions in China, the kubernetes images must be pulled from mirror sites or from copies pushed to dockerhub by its users.</p>
<pre><code class="language-bash"># run on all node servers

# list the images the target kubernetes version needs
kubeadm config images list --kubernetes-version v1.18.5

# the result is as follows
k8s.gcr.io/kube-apiserver:v1.18.5
k8s.gcr.io/kube-controller-manager:v1.18.5
k8s.gcr.io/kube-scheduler:v1.18.5
k8s.gcr.io/kube-proxy:v1.18.5
k8s.gcr.io/pause:3.2
k8s.gcr.io/etcd:3.4.3-0
k8s.gcr.io/coredns:1.6.7
</code></pre>
<p>Create the script <code>get-k8s-images.sh</code> in the <code>/root/k8s</code> directory with the following commands:</p>
<pre><code class="language-bash"># run on all node servers

cd /root/
mkdir k8s
cd k8s/

# create the script file; its contents are shown in the next code block
vim get-k8s-images.sh
</code></pre>
<pre><code class="language-bash">#!/bin/bash
# Script For Quick Pull K8S Docker Images
# by Hellxz Zhang &lt;hellxz001@foxmail.com&gt;

KUBE_VERSION=v1.18.5
PAUSE_VERSION=3.2
CORE_DNS_VERSION=1.6.7
ETCD_VERSION=3.4.3-0

# pull kubernetes images from hub.docker.com
docker pull kubeimage/kube-proxy-amd64:$KUBE_VERSION
docker pull kubeimage/kube-controller-manager-amd64:$KUBE_VERSION
docker pull kubeimage/kube-apiserver-amd64:$KUBE_VERSION
docker pull kubeimage/kube-scheduler-amd64:$KUBE_VERSION
# pull aliyuncs mirror docker images
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:$PAUSE_VERSION
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:$CORE_DNS_VERSION
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:$ETCD_VERSION

# retag to k8s.gcr.io prefix
docker tag kubeimage/kube-proxy-amd64:$KUBE_VERSION k8s.gcr.io/kube-proxy:$KUBE_VERSION
docker tag kubeimage/kube-controller-manager-amd64:$KUBE_VERSION k8s.gcr.io/kube-controller-manager:$KUBE_VERSION
docker tag kubeimage/kube-apiserver-amd64:$KUBE_VERSION k8s.gcr.io/kube-apiserver:$KUBE_VERSION
docker tag kubeimage/kube-scheduler-amd64:$KUBE_VERSION k8s.gcr.io/kube-scheduler:$KUBE_VERSION
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/pause:$PAUSE_VERSION k8s.gcr.io/pause:$PAUSE_VERSION
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:$CORE_DNS_VERSION k8s.gcr.io/coredns:$CORE_DNS_VERSION
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:$ETCD_VERSION k8s.gcr.io/etcd:$ETCD_VERSION

# remove the original tags; the images themselves are not deleted
docker rmi kubeimage/kube-proxy-amd64:$KUBE_VERSION
docker rmi kubeimage/kube-controller-manager-amd64:$KUBE_VERSION
docker rmi kubeimage/kube-apiserver-amd64:$KUBE_VERSION
docker rmi kubeimage/kube-scheduler-amd64:$KUBE_VERSION
docker rmi registry.cn-hangzhou.aliyuncs.com/google_containers/pause:$PAUSE_VERSION
docker rmi registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:$CORE_DNS_VERSION
docker rmi registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:$ETCD_VERSION
</code></pre>
<p>Make the script executable and run it to pull the images.</p>
<pre><code class="language-bash"># run on all node servers

# make the script executable
chmod +x get-k8s-images.sh

# run the script
./get-k8s-images.sh
</code></pre>
<p>After the script finishes, run <code>docker images</code> to confirm the images are present.</p>
<h1 id="初始化master节点">Initialize the master node</h1>
<p>The commands in this section are run on the master node only.</p>
<h2 id="修改kubelet配置默认cgroup-driver">Change the kubelet default cgroup driver</h2>
<pre><code class="language-bash"># run on the master node

mkdir /var/lib/kubelet

cat &gt; /var/lib/kubelet/config.yaml &lt;&lt;EOF
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd
EOF

systemctl restart kubelet
</code></pre>
<h2 id="生成kubeadm初始化配置文件">Generate the kubeadm init configuration file</h2>
<p>[Optional] Only needed when the init configuration must be customized; at this point we should be in <code>/root/k8s</code>.</p>
<pre><code class="language-bash"># run on the master node

kubeadm config print init-defaults &gt; init.default.yaml
</code></pre>
<h2 id="测试环境是否正常">Test that the environment is ready</h2>
<p>WARNINGs are normal.</p>
<pre><code class="language-bash"># run on the master node

kubeadm init phase preflight
# full form: kubeadm init phase preflight [--config kubeadm-init.yaml]

# warnings when the command finishes are normal; typically a firewall warning and a warning that the k8s site cannot be reached.
# an error about being unable to pull images from the k8s site is also normal: during init the images already in local Docker are used first, and the k8s site is only contacted when a local image is missing.
</code></pre>
<h2 id="初始化master">Initialize master</h2>
<p>10.244.0.0/16 is the fixed IP range used by flannel; the value depends on what the network add-on requires.</p>
<pre><code class="language-bash"># run on the master node

# full form: kubeadm init --pod-network-cidr=10.244.0.0/16 --kubernetes-version=v1.18.5 [--config kubeadm-init.yaml]
kubeadm init --pod-network-cidr=10.244.0.0/16 --kubernetes-version=v1.18.5
</code></pre>
<p>The init output is as follows:</p>
<pre><code class="language-bash">W0826 15:02:55.595805   40135 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups
Using Kubernetes version: v1.18.5
Running pre-flight checks
        : firewalld is active, please ensure ports are open or your cluster may not function correctly
Pulling images required for setting up a Kubernetes cluster
This might take a minute or two, depending on the speed of your internet connection
You can also perform this action in beforehand using 'kubeadm config images pull'
Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
Starting the kubelet
Using certificateDir folder "/etc/kubernetes/pki"
Generating "ca" certificate and key
Generating "apiserver" certificate and key
apiserver serving cert is signed for DNS names and IPs
Generating "apiserver-kubelet-client" certificate and key
Generating "front-proxy-ca" certificate and key
Generating "front-proxy-client" certificate and key
Generating "etcd/ca" certificate and key
Generating "etcd/server" certificate and key
etcd/server serving cert is signed for DNS names and IPs
Generating "etcd/peer" certificate and key
etcd/peer serving cert is signed for DNS names and IPs
Generating "etcd/healthcheck-client" certificate and key
Generating "apiserver-etcd-client" certificate and key
Generating "sa" key and public key
Using kubeconfig folder "/etc/kubernetes"
Writing "admin.conf" kubeconfig file
Writing "kubelet.conf" kubeconfig file
Writing "controller-manager.conf" kubeconfig file
Writing "scheduler.conf" kubeconfig file
Using manifest folder "/etc/kubernetes/manifests"
Creating static Pod manifest for "kube-apiserver"
Creating static Pod manifest for "kube-controller-manager"
W0826 15:03:01.689893   40135 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
Creating static Pod manifest for "kube-scheduler"
W0826 15:03:01.702934   40135 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
All control plane components are healthy after 18.034495 seconds
Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
Creating a ConfigMap "kubelet-config-1.18" in namespace kube-system with the configuration for the kubelets in the cluster
Skipping phase. Please see --upload-certs
Marking the node master as control-plane by adding the label "node-role.kubernetes.io/master=''"
Marking the node master as control-plane by adding the taints
Using token: 3wolsi.61tnffn49i0clcth
Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
configured RBAC rules to allow Node Bootstrap tokens to get nodes
configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
Creating the "cluster-info" ConfigMap in the "kube-public" namespace
Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
Applied essential addon: CoreDNS
Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f .yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.43.130:6443 --token 3wolsi.61tnffn49i0clcth \
    --discovery-token-ca-cert-hash sha256:fea2cc335b2f4b525bc71cc3f7fcbf68f19ced1efd43520710ad41f337ab6969
</code></pre>
<h2 id="为日常使用集群的用户添加kubectl使用权限">Grant kubectl access to the day-to-day cluster user</h2>
<p>Another user on the server node (zgs) is used as the example.</p>
<pre><code class="language-bash"># run on the master node

# if the user is not in the administrators group, grant administrator privileges first
# usermod -g root zgs

# su zgs
$ mkdir -p $HOME/.kube
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/admin.conf
password for zgs:
$ sudo chown $(id -u):$(id -g) $HOME/.kube/admin.conf
$ echo "export KUBECONFIG=$HOME/.kube/admin.conf" &gt;&gt; ~/.bashrc
$ exit
exit
</code></pre>
<p>If permission problems appear during the steps above, it may be because the zgs user has not been added to the sudo group; run the commands below.</p>
<p>Switch to the root user to run them.</p>
<pre><code class="language-bash"># su -
Last login: Wed Aug 26 11:06:42 CST 2020 from 192.168.43.130 on pts/1
# chmod u+w /etc/sudoers
# vim /etc/sudoers

# find the line "root ALL=(ALL) ALL" in the file and add "XXX ALL=(ALL) ALL" below it
# (XXX is my username), then save and exit.

# chmod u-w /etc/sudoers
# exit
</code></pre>
<h2 id="配置master认证">Configure master authentication</h2>
<pre><code class="language-bash"># run on the master node

echo 'export KUBECONFIG=/etc/kubernetes/admin.conf' &gt;&gt; /etc/profile
. /etc/profile
</code></pre>
<p>Without this, the following message appears:</p>
<pre><code class="language-bash">The connection to the server localhost:8080 was refused - did you specify the right host or port?
</code></pre>
<p>At this point the master node has been initialized successfully, but no network add-on is installed yet, so it cannot yet communicate with the other nodes.</p>
<h2 id="安装网络组件">Install the network add-on</h2>
<p><code>flannel</code> is used as the example.</p>
<pre><code class="language-bash"># run on the master node

cd ~/k8s/
yum install -y wget

# download the latest flannel manifest
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

kubectl apply -f kube-flannel.yml
</code></pre>
<p>The output is as follows:</p>
<pre><code class="language-bash"># kubectl apply -f kube-flannel.yml
podsecuritypolicy.policy/psp.flannel.unprivileged created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
serviceaccount/flannel created
configmap/kube-flannel-cfg created
daemonset.apps/kube-flannel-ds-amd64 created
daemonset.apps/kube-flannel-ds-arm64 created
daemonset.apps/kube-flannel-ds-arm created
daemonset.apps/kube-flannel-ds-ppc64le created
daemonset.apps/kube-flannel-ds-s390x created
</code></pre>
<h2 id="查看kube-master节点状态">Check kube-master node status</h2>
<pre><code class="language-bash"># run on the master node

kubectl get nodes
</code></pre>
<p>The output is as follows:</p>
<pre><code class="language-bash"># kubectl get nodes
NAME   STATUS   ROLES    AGE   VERSION
master   Ready    master   44m   v1.18.8
</code></pre>
<h2 id="备份镜像供其他节点使用">Back up images for other nodes</h2>
<p>Back up the images on the master node so they can be transferred to the other node nodes later; an image registry would of course be better.</p>
<pre><code class="language-bash"># run on the master node

docker save k8s.gcr.io/kube-proxy:v1.18.5 \
            k8s.gcr.io/kube-apiserver:v1.18.5 \
            k8s.gcr.io/kube-controller-manager:v1.18.5 \
            k8s.gcr.io/kube-scheduler:v1.18.5 \
            k8s.gcr.io/pause:3.2 \
            k8s.gcr.io/coredns:1.6.7 \
            k8s.gcr.io/etcd:3.4.3-0 &gt; k8s-imagesV1.18.5.tar
</code></pre>
<p>This creates the file <code>k8s-imagesV1.18.5.tar</code> in <code>/root/k8s</code>, containing the <code>docker image</code>s used by <code>k8s</code>.</p>
<pre><code class="language-bash"># ll -h
total 694M
-rwxr-xr-x. 1 root docker 2.1K Aug 26 14:35 get-k8s-images.sh
-rw-r--r--. 1 root docker  826 Aug 26 14:52 init.default.yaml
-rw-r--r--. 1 root docker 694M Aug 26 15:52 k8s-imagesV1.18.5.tar
-rw-r--r--. 1 root docker  15K Aug 26 15:45 kube-flannel.yml
</code></pre>
<h1 id="初始化node节点并加入集群">Initialize node* nodes and join the cluster</h1>
<h2 id="拷贝镜像到node节点">Copy images to node nodes</h2>
<p>Every node needs the docker images; one node is shown below and the others can follow the same steps.</p>
<pre><code class="language-bash"># run on the node server

mkdir ~/k8s
# the hosts mapping configured earlier names the control node "master"
scp root@master:/root/k8s/k8s-imagesV1.18.5.tar ~/k8s
cd ~/k8s
docker load &lt; k8s-imagesV1.18.5.tar
</code></pre>
<h2 id="获取加入kubernetes命令">Get the kubernetes join command</h2>
<p>The last few lines printed by the <code>kubeadm init</code> command earlier are the command for node nodes to join the cluster, as shown here:</p>
<pre><code class="language-bash"># output of kubeadm init on the master node

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.43.130:6443 --token 3wolsi.61tnffn49i0clcth \
    --discovery-token-ca-cert-hash sha256:fea2cc335b2f4b525bc71cc3f7fcbf68f19ced1efd43520710ad41f337ab6969
</code></pre>
<p>If the output was not saved, the following command on the master node creates a new token and prints a new join command:</p>
<pre><code class="language-bash"># run on the master node

kubeadm token create --print-join-command
</code></pre>
<p>The output is as follows:</p>
<pre><code class="language-bash">W0826 16:12:44.007200   60971 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups
kubeadm join 192.168.43.130:6443 --token ad399n.rqut2l5e16azf0dv   --discovery-token-ca-cert-hash sha256:fea2cc335b2f4b525bc71cc3f7fcbf68f19ced1efd43520710ad41f337ab6969
</code></pre>
<p>Note that running the command above to create a new token replaces the old join command.</p>
<p>The warning in the output is nothing to worry about.</p>
<h2 id="在node节点上执行加入集群命令">Run the join command on node* nodes</h2>
<p>The join command created above must be run as <code>root</code>.</p>
<pre><code class="language-bash"># run on all node servers

kubeadm join 192.168.43.130:6443 --token ad399n.rqut2l5e16azf0dv   --discovery-token-ca-cert-hash sha256:fea2cc335b2f4b525bc71cc3f7fcbf68f19ced1efd43520710ad41f337ab6969
</code></pre>
<p>The output is as follows:</p>
<pre><code class="language-bash">W0826 16:17:45.106961   44268 join.go:346] WARNING: JoinControlPane.controlPlane settings will be ignored when control-plane flag is not set.
Running pre-flight checks
Reading configuration from the cluster...
FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
Downloading configuration for the kubelet from the "kubelet-config-1.18" ConfigMap in the kube-system namespace
Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
Starting the kubelet
Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
</code></pre>
<p>When <code>This node has joined the cluster:</code> appears, the node has successfully joined the kubernetes cluster.</p>
<h1 id="查看集群节点状态">Check cluster node status</h1>
<p>Check the status of each node in the cluster from the master node.</p>
<pre><code class="language-bash"># run on the master node

kubectl get nodes
</code></pre>
<p>The output is as follows:</p>
<pre><code class="language-bash">NAME   STATUS   ROLES    AGE   VERSION
master   Ready      master   77m   v1.18.8
node01   NotReady   &lt;none&gt;   2m50s   v1.18.8
</code></pre>
<h1 id="结束">Conclusion</h1>
<p>The kubernetes cluster is now deployed, and application images can be run on it.</p>
<p>Source: https://www.cnblogs.com/zhang-guansheng/p/13566060.html</p>