1 Hardware requirements
1.1 Test environment
- master: 2 cores, 4 GB RAM, 20 GB disk
- master: 4 cores, 8 GB RAM, 40 GB disk
1.2 Production environment
Higher specifications are required.
2 Deployment methods
- kubeadm: a deployment tool that provides kubeadm init and kubeadm join for standing up a k8s cluster quickly. Low barrier to entry, but it hides many details, so problems are hard to troubleshoot.
- Binary packages: download the release packages and deploy every component by hand to form the k8s cluster. A manual and tedious process, but easier to maintain later.
3 kubeadm deployment (recommended)
// 1 Initialize all servers
// 1.1 Disable the firewall
// Note: ports 6443 and 10250 must stay open
firewall-cmd --zone=public --add-port=6443/tcp --permanent
firewall-cmd --zone=public --add-port=10250/tcp --permanent
firewall-cmd --reload
// 1.2 Disable SELinux
// 1.3 Disable the swap partition
// 1.4 Set the hostname
hostnamectl set-hostname <hostname>
// 1.5 Add hosts entries on the master
vim /etc/hosts
<ip1> <hostname1>
<ip2> <hostname2>
<ip3> <hostname3>
// 1.6 Pass bridged IPv4 traffic to the iptables chains
// 1.7 Synchronize the clock (update to the current time)
// 2 Install Docker
// 3 Install kubeadm, kubelet and kubectl
// 3.1 Configure the yum repository
vim /
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
// 3.2 Install kubelet
yum install -y kubelet
// 3.3 Install kubeadm
yum install -y kubeadm
// 3.4 Install kubectl
yum install -y kubectl
// 4 Deploy the master node
// 4.1 Run on the master node (v1.23.1 was the current version when these notes were written; pass the version you installed)
kubeadm init \
--apiserver-advertise-address=<this-node-ip> \
--image-repository registry.aliyuncs.com/google_containers \
--kubernetes-version v1.23.1 \
--service-cidr=10.96.0.0/12 \
--pod-network-cidr=10.244.0.0/16
// 4.2 List the nodes
kubectl get nodes
// 5 Join the worker nodes
// 5.1 Run on each worker node (the address is the master's apiserver endpoint)
kubeadm join <master-ip>:6443 \
--token=<token> \
--discovery-token-ca-cert-hash sha256:<hash>
// 5.2 List the nodes
kubectl get nodes
// 6 Configure the CNI network plugin
// 7 Finally, test that the cluster was deployed correctly
4 Manual (binary) deployment (important)
4.1 Initialize all machines
// 1 Disable the firewall (optional)
// 1.1 Temporarily
systemctl stop firewalld
// 1.2 Permanently
systemctl disable firewalld
// 1.3 Note: port 2379 (etcd clients) must stay open; the peer port 2380 used by the etcd.conf below must be open as well
firewall-cmd --zone=public --add-port=2379/tcp --permanent
firewall-cmd --zone=public --add-port=2380/tcp --permanent
firewall-cmd --reload
// 2 Disable SELinux (optional)
// 2.1 Temporarily
setenforce 0
// 2.2 Permanently
// sed edits the file in place: sed -i 's/old/new/' target-file
sed -i 's/enforcing/disabled/' /etc/selinux/config
// 3 Disable the swap partition (required)
// 3.1 Temporarily
swapoff -a
// 3.2 Permanently
// sed edits the file in place: sed -i 's/old/new/' target-file
sed -ri 's/.*swap.*/#&/' /etc/fstab
// 4 Change the hostname
// 4.1 Set it
hostnamectl set-hostname <hostname>
// 4.2 Query it
hostname
// 5 Edit the hosts file
vim /etc/hosts
// 5.1 Add the following
192.168.203.166 master
192.168.203.167 node-167
192.168.203.168 node-168
// 5.2 Ping each host from the others to confirm the entries work
// 6 Pass bridged IPv4 traffic to the iptables chains **** not configured in this walkthrough ****
vim /etc/sysctl.d/k8s.conf
// 6.1 Add the following
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
// 6.2 Apply
sysctl --system
4.2 Deploy the etcd cluster
4.2.1 Prepare the cfssl certificate tooling
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl*
4.2.2 Generate the etcd certificates
// 1 Create the CA config file ca-config.json
mkdir -p /opt/ssl/k8sca
vim /opt/ssl/k8sca/ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "87600h"
      }
    }
  }
}
// 2 Create the CA certificate signing request ca-csr.json
vim /opt/ssl/k8sca/ca-csr.json
{
  "CN": "etcd CA",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [{ "C": "CN", "L": "GuangDong", "ST": "ShenZhen" }]
}
// 3 Generate the CA certificate and key (produces ca.csr, ca-key.pem and ca.pem; run in the directory holding the JSON files)
cd /opt/ssl/k8sca
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
// 4 Create the etcd certificate request file server-csr.json (hosts must list every etcd member address)
vim /opt/ssl/k8sca/server-csr.json
{
  "CN": "etcd",
  "hosts": ["192.168.203.166", "192.168.203.167", "192.168.203.168"],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [{ "C": "CN", "L": "GuangDong", "ST": "ShenZhen" }]
}
// 5 Issue the etcd HTTPS certificate and key with the self-signed CA
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
4.2.3 Deploy etcd on the first node
// On the master host
// 1 Download etcd
wget https://storage.googleapis.com/etcd/v3.5.1/etcd-v3.5.1-linux-amd64.tar.gz
// 2 Unpack into the install directory
mkdir -p /usr/local/etcd
tar xzvf ./etcd-v3.5.1-linux-amd64.tar.gz -C /usr/local/etcd --strip-components=1
// 3 Create symlinks (absolute targets; a relative target would be resolved inside /usr/local/bin and dangle)
ln -s /usr/local/etcd/etcd /usr/local/bin/etcd
ln -s /usr/local/etcd/etcdctl /usr/local/bin/etcdctl
// 4 Verify the installation
etcd --version
// 5 Write the configuration file etcd.conf
vim /usr/local/etcd/etcd.conf
#[Member]
# Node name, unique within the cluster
ETCD_NAME="etcd-1"
# Data directory
ETCD_DATA_DIR="/usr/local/etcd/default.etcd"
# Peer (cluster traffic) listen address
ETCD_LISTEN_PEER_URLS="https://192.168.203.166:2380"
# Client listen address
ETCD_LISTEN_CLIENT_URLS="https://192.168.203.166:2379"
#[Clustering]
# Peer address advertised to the cluster
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.203.166:2380"
# Client address advertised to clients
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.203.166:2379"
# Cluster member addresses
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.203.166:2380,etcd-2=https://192.168.203.167:2380,etcd-3=https://192.168.203.168:2380"
# Cluster token
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# Initial cluster state: new for a new cluster, existing when joining an existing one
ETCD_INITIAL_CLUSTER_STATE="new"
// 6 Create the service unit etcd.service
// The certificate flags point at the files copied in step 7. systemd does not allow comments inside ExecStart, and ExecStart needs an absolute path.
// Note: this unit does not pass --client-cert-auth=true / --peer-client-cert-auth=true, so etcd authenticates itself to clients but does not require a client certificate from them.
vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/usr/local/etcd/etcd.conf
ExecStart=/usr/local/bin/etcd \
--cert-file=/opt/ssl/etcd/server.pem \
--key-file=/opt/ssl/etcd/server-key.pem \
--peer-cert-file=/opt/ssl/etcd/server.pem \
--peer-key-file=/opt/ssl/etcd/server-key.pem \
--trusted-ca-file=/opt/ssl/etcd/ca.pem \
--peer-trusted-ca-file=/opt/ssl/etcd/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
// 7 Copy the certificates generated in the previous step into place
mkdir -p /opt/ssl/etcd
cp /opt/ssl/k8sca/{ca,server,server-key}.pem /opt/ssl/etcd/
// 8 Start the service and enable it at boot
systemctl daemon-reload
systemctl start etcd
systemctl enable etcd
4.2.4 Deploy etcd on the remaining nodes
// 1 Copy everything generated on node 1 to the other nodes (the certificates too; the unit file expects them under /opt/ssl/etcd on every node)
scp -r /usr/local/etcd/ root@<other-node-ip>:/usr/local/
ssh root@<other-node-ip> mkdir -p /opt/ssl
scp -r /opt/ssl/etcd/ root@<other-node-ip>:/opt/ssl/
scp /usr/lib/systemd/system/etcd.service root@<other-node-ip>:/usr/lib/systemd/system/
// 2 On node 2 and node 3, change the node name and the server IP in etcd.conf
ETCD_NAME="etcd-1" # change: etcd-2 on node 2, etcd-3 on node 3
ETCD_LISTEN_PEER_URLS="https://192.168.31.71:2380" # change to this server's IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.31.71:2379" # change to this server's IP
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.71:2380" # change to this server's IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.71:2379" # change to this server's IP
// 3 Start etcd and enable it at boot, as above
// 4 Check cluster health
ETCDCTL_API=3 etcdctl \
--cacert=/opt/ssl/etcd/ca.pem \
--cert=/opt/ssl/etcd/server.pem \
--key=/opt/ssl/etcd/server-key.pem \
--endpoints="https://192.168.203.166:2379,https://192.168.203.167:2379,https://192.168.203.168:2379" \
endpoint health
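The etcd certificate from 4.2.2 is only accepted by the other members if every peer address in ETCD_INITIAL_CLUSTER appears in the hosts list of server-csr.json; a member left out fails the TLS handshake with an "x509: certificate is valid for ... not ..." error. The following pre-flight check is an added example, not part of the original notes: it reads the etcd.conf and server-csr.json formats used above and reports every cluster IP that is missing from the CSR. It is plain POSIX sh using only grep, sed and tr; the file paths are the ones from the notes, and the sample files in the usage section are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): verify that the hosts list of
# server-csr.json covers every peer address in ETCD_INITIAL_CLUSTER before
# running cfssl gencert and starting the cluster.

# Print the IP of every member listed in ETCD_INITIAL_CLUSTER, one per line.
# Input lines look like: etcd-1=https://192.168.203.166:2380
cluster_ips() {
  grep '^ETCD_INITIAL_CLUSTER=' "$1" \
    | sed 's/^ETCD_INITIAL_CLUSTER="\(.*\)"$/\1/' \
    | tr ',' '\n' \
    | sed 's#.*=https\{0,1\}://\([^:]*\):.*#\1#'
}

# Print every entry of the "hosts" array of a cfssl CSR file, one per line.
# The file is joined into one line first so the array may span several lines.
csr_hosts() {
  tr -d '\n' < "$1" \
    | sed 's/.*"hosts"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/' \
    | tr ',' '\n' \
    | sed 's/[[:space:]]*"\([^"]*\)".*/\1/'
}

# check_csr_covers_cluster <etcd.conf> <server-csr.json>
# Returns 0 when every cluster IP is in the CSR hosts, 1 otherwise,
# printing "missing from hosts: <ip>" for each gap.
check_csr_covers_cluster() {
  conf=$1; csr=$2; rc=0
  for ip in $(cluster_ips "$conf"); do
    if ! csr_hosts "$csr" | grep -qxF "$ip"; then
      echo "missing from hosts: $ip"
      rc=1
    fi
  done
  return $rc
}

# Typical use on the first node, before step 5 of 4.2.2:
#   check_csr_covers_cluster /usr/local/etcd/etcd.conf /opt/ssl/k8sca/server-csr.json
```

Run it on the node that holds both files before issuing the certificate; a non-zero exit with the missing IPs printed means the CSR must be extended before cfssl gencert is run, since a certificate issued without those addresses has to be reissued anyway.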
4.3 Deploy the Master Node
Main tasks:
- Deploy the API server
- Deploy the scheduler
- Deploy the controller-manager
4.3.1 Self-sign a certificate for the apiserver
// 1 Create the CA config file ca-config.json
mkdir -p /opt/ssl/k8s
vim /opt/ssl/k8s/ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "87600h"
      }
    }
  }
}
// 2 Create the CA certificate signing request ca-csr.json
vim /opt/ssl/k8s/ca-csr.json
{
  "CN": "kubernetes",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [{ "C": "CN", "L": "GuangDong", "ST": "ShenZhen", "O": "k8s", "OU": "System" }]
}
// 3 Generate the CA certificate and key (run in the directory holding the JSON files)
cd /opt/ssl/k8s
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
// 4 Create the kubernetes certificate request file kubernetes-csr.json
// Note: the trusted IPs and names go into hosts here
vim /opt/ssl/k8s/kubernetes-csr.json
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "192.168.203.166",
    "192.168.203.167",
    "192.168.203.168",
    "192.168.203.2"
  ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [{ "C": "CN", "L": "GuangDong", "ST": "ShenZhen", "O": "k8s", "OU": "System" }]
}
// 5 Issue the apiserver HTTPS certificate and key with the self-signed CA (produces server.pem and server-key.pem)
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www kubernetes-csr.json | cfssljson -bare server
4.3.2 Deploy kube-apiserver
// 1 Download the kubernetes-server binary package (download link at the end of this article)
// Note: this tutorial does not work with versions above 1.19
tar zxvf kubernetes-server-linux-amd64.tar.gz
cp ./kubernetes/server/bin/{kube-apiserver,kube-scheduler,kube-controller-manager} /usr/local/bin
mkdir -p /opt/kubernetes/cfg /opt/kubernetes/logs
// 2 Deploy kube-apiserver
// 2.1 Create the configuration file (one flag per line; a trailing backslash continues the quoted value for systemd's EnvironmentFile)
vim /opt/kubernetes/cfg/kube-apiserver.conf
KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--etcd-servers=https://192.168.203.166:2379,https://192.168.203.167:2379,https://192.168.203.168:2379 \
--bind-address=192.168.203.166 \
--secure-port=6443 \
--advertise-address=192.168.203.166 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-32767 \
--kubelet-client-certificate=/opt/ssl/k8s/server.pem \
--kubelet-client-key=/opt/ssl/k8s/server-key.pem \
--tls-cert-file=/opt/ssl/k8s/server.pem \
--tls-private-key-file=/opt/ssl/k8s/server-key.pem \
--client-ca-file=/opt/ssl/k8s/ca.pem \
--service-account-key-file=/opt/ssl/k8s/ca-key.pem \
--etcd-cafile=/opt/ssl/etcd/ca.pem \
--etcd-certfile=/opt/ssl/etcd/server.pem \
--etcd-keyfile=/opt/ssl/etcd/server-key.pem \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
// 2.2 Enable the TLS bootstrapping mechanism
// token.csv format: token,user name,user uid,"group(s)"
vim /opt/kubernetes/cfg/token.csv
c47ffb939f5ca36231d9e3121a252940,kubelet-bootstrap,10001,"system:node-bootstrapper"
// 3 Manage the apiserver with systemd
vim /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/usr/local/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
// 4 Start the service and enable it at boot
systemctl daemon-reload
systemctl start kube-apiserver
systemctl enable kube-apiserver
systemctl status kube-apiserver
// Troubleshooting
cat /var/log/messages | grep kube-apiserver
// 5 Authorize the kubelet-bootstrap user to request certificates
kubectl create clusterrolebinding kubelet-bootstrap \
--clusterrole=system:node-bootstrapper \
--user=kubelet-bootstrap
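The KUBE_APISERVER_OPTS above is where the control plane's authentication, authorization and auditing posture is decided, so it is worth linting the file before the service is started rather than discovering a permissive setting later. The script below is an added example and not part of the original notes: it parses the env-file layout used above (one flag per line inside one quoted value, continued with one or two trailing backslashes) and reports the settings that weaken the apiserver. The flag names are real kube-apiserver flags; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): lint a kube-apiserver.conf in the
# KUBE_APISERVER_OPTS="..." layout for weak authentication/authorization/audit settings.

# Print one flag per line: strip the assignment, the surrounding quotes and the
# trailing backslash continuations (one or two backslashes, depending on how the file was written).
apiserver_flags() {
  sed -e 's/^KUBE_APISERVER_OPTS="//' -e 's/"[[:space:]]*$//' -e 's/[[:space:]]*\\\{1,2\}$//' "$1" \
    | sed -e 's/^[[:space:]]*//' -e '/^$/d'
}

# flag_value <flag>: value of that flag from the flag list on stdin, empty if unset.
flag_value() {
  sed -n "s/^$1=//p" | head -n 1
}

# audit_apiserver_conf <kube-apiserver.conf>
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_apiserver_conf() {
  flags=$(apiserver_flags "$1")
  findings=0
  note() { echo "$1"; findings=$((findings + 1)); }

  # Authorization: RBAC and Node are the expected modes; AlwaysAllow grants everything.
  mode=$(printf '%s\n' "$flags" | flag_value --authorization-mode)
  case ",$mode," in
    *,AlwaysAllow,*) note "authorization-mode contains AlwaysAllow" ;;
    *,RBAC,*)        : ;;
    *)               note "authorization-mode does not include RBAC (got: ${mode:-unset})" ;;
  esac
  case ",$mode," in
    *,Node,*) : ;;
    *)        note "authorization-mode does not include Node" ;;
  esac

  # Admission: NodeRestriction limits what a kubelet may modify to its own node and pods.
  plugins=$(printf '%s\n' "$flags" | flag_value --enable-admission-plugins)
  case ",$plugins," in
    *,NodeRestriction,*) : ;;
    *)                   note "NodeRestriction admission plugin is not enabled" ;;
  esac

  # Authentication and audit trail.
  if printf '%s\n' "$flags" | grep -qx -- '--anonymous-auth=true'; then
    note "anonymous-auth is explicitly enabled"
  fi
  if ! printf '%s\n' "$flags" | grep -q -- '^--client-ca-file='; then
    note "no client-ca-file, so client certificates cannot be verified"
  fi
  if ! printf '%s\n' "$flags" | grep -q -- '^--audit-log-path='; then
    note "no audit-log-path, so API calls are not recorded"
  fi

  [ "$findings" -eq 0 ]
}

# Typical use before step 4 above:
#   audit_apiserver_conf /opt/kubernetes/cfg/kube-apiserver.conf && echo "apiserver flags look sane"
```

The configuration in these notes passes all of the checks; the value of the lint is catching the file after it has been edited, for example when AlwaysAllow is dropped in "temporarily" while debugging a permission problem and never removed.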
4.3.3 Deploy kube-controller-manager
// 1 Create the configuration file (certificate paths are the ones created in 4.3.1)
vim /opt/kubernetes/cfg/kube-controller-manager.conf
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--leader-elect=true \
--master=127.0.0.1:8080 \
--bind-address=127.0.0.1 \
--allocate-node-cidrs=true \
--cluster-cidr=10.244.0.0/16 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-signing-cert-file=/opt/ssl/k8s/ca.pem \
--cluster-signing-key-file=/opt/ssl/k8s/ca-key.pem \
--root-ca-file=/opt/ssl/k8s/ca.pem \
--service-account-private-key-file=/opt/ssl/k8s/ca-key.pem \
--experimental-cluster-signing-duration=87600h0m0s"
// 2 Manage kube-controller-manager with systemd
vim /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/usr/local/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
// 3 Start the service and enable it at boot
systemctl daemon-reload
systemctl start kube-controller-manager
systemctl enable kube-controller-manager
systemctl status kube-controller-manager
4.3.4 Deploy kube-scheduler
// 1 Create the configuration file
vim /opt/kubernetes/cfg/kube-scheduler.conf
KUBE_SCHEDULER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--leader-elect \
--master=127.0.0.1:8080 \
--bind-address=127.0.0.1"
// 2 Manage kube-scheduler with systemd
vim /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/usr/local/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
// 3 Start the service and enable it at boot
systemctl daemon-reload
systemctl start kube-scheduler.service
systemctl enable kube-scheduler.service
systemctl status kube-scheduler.service
4.3.5 Check the cluster status
kubectl get cs
4.4 Deploy the Worker Node
Main tasks:
- Deploy kubelet
- Deploy kube-proxy
4.4.1 Deploy kubelet
// 1 Create the configuration file
// --hostname-override: display name, unique within the cluster
// --network-plugin: enable CNI
// --kubeconfig: empty path, generated automatically and used later to connect to the apiserver
// --bootstrap-kubeconfig: used on first start to request a certificate from the apiserver
// --config: parameter file
// --cert-dir: directory where the kubelet certificates are generated
// --pod-infra-container-image: image of the container that holds each Pod's network namespace
vim /opt/kubernetes/cfg/kubelet.conf
KUBELET_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--hostname-override=k8s-master \
--network-plugin=cni \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet-config.yml \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=lizhenliang/pause-amd64:3.0"
// 2 Parameter file
vim /opt/kubernetes/cfg/kubelet-config.yml
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255   # unauthenticated read-only endpoint; 0 disables it
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local
failSwapOn: false
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /opt/ssl/k8s/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
evictionHard:
  imagefs.available: 15%
  memory.available: 100Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
// 3 Generate the bootstrap.kubeconfig file (these are shell commands, run in /opt/kubernetes/cfg so that bootstrap.kubeconfig is written there)
cd /opt/kubernetes/cfg
KUBE_APISERVER="https://192.168.203.166:6443" # apiserver IP:PORT
TOKEN="c47ffb939f5ca36231d9e3121a252940" # must match token.csv
# Generate the kubelet bootstrap kubeconfig
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/ssl/k8s/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=bootstrap.kubeconfig
kubectl config set-credentials "kubelet-bootstrap" \
--token=${TOKEN} \
--kubeconfig=bootstrap.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user="kubelet-bootstrap" \
--kubeconfig=bootstrap.kubeconfig
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
// 4 Manage the kubelet with systemd
// (the unit below is assumed, following the same pattern as kube-apiserver.service; the kubelet binary comes from kubernetes/server/bin in the server package)
cp ./kubernetes/server/bin/kubelet /usr/local/bin
vim /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet.conf
ExecStart=/usr/local/bin/kubelet $KUBELET_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl start kubelet
systemctl enable kubelet
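The TLS bootstrap in 4.3.2 and 4.4.1 hinges on one shared secret: the token in the apiserver's token.csv must be the one a kubelet presents through bootstrap.kubeconfig, and the notes hard-code a fixed value for it. The script below is an added example, not part of the original notes: it draws a fresh token from the kernel CSPRNG in the same 32-hex-character shape, writes token.csv in the format --token-auth-file expects, and checks that a kubeconfig written by kubectl config set-credentials --token carries the same token. File paths are the ones used above; the kubeconfig fragments in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): generate and cross-check the
# kubelet bootstrap token shared between token.csv and bootstrap.kubeconfig.

# 32 hex characters from /dev/urandom, the same shape as the token in the notes.
new_bootstrap_token() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# write_token_csv <token> <path>
# token.csv line format: token,user name,user uid,"group(s)"
write_token_csv() {
  printf '%s,kubelet-bootstrap,10001,"system:node-bootstrapper"\n' "$1" > "$2"
}

# First field of the token.csv line whose user is kubelet-bootstrap.
token_from_csv() {
  awk -F, '$2 == "kubelet-bootstrap" { print $1; exit }' "$1"
}

# The token field of a kubeconfig written by `kubectl config set-credentials --token`.
token_from_kubeconfig() {
  sed -n 's/^[[:space:]]*token:[[:space:]]*//p' "$1" | head -n 1
}

# bootstrap_token_matches <token.csv> <bootstrap.kubeconfig>
# Returns 0 when both files carry the same non-empty token, 1 otherwise.
bootstrap_token_matches() {
  a=$(token_from_csv "$1")
  b=$(token_from_kubeconfig "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Typical use on the master, replacing the fixed token in the notes:
#   TOKEN=$(new_bootstrap_token)
#   write_token_csv "$TOKEN" /opt/kubernetes/cfg/token.csv
#   ... run the kubectl config commands from step 3 with --token=${TOKEN} ...
#   bootstrap_token_matches /opt/kubernetes/cfg/token.csv /opt/kubernetes/cfg/bootstrap.kubeconfig
```

A mismatch shows up on the kubelet side as a 401 against the apiserver on first start, so the check is cheapest to run on the master right after the kubeconfig has been generated and before it is copied to a worker.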
5 Deployment following the official guide
5.1 Install kubeadm
5.1.1 Let iptables see bridged traffic
// 1 Check whether br_netfilter is loaded
lsmod | grep br_netfilter
// 2 If it is not loaded, run the following
// 2.1 Load it now
sudo modprobe br_netfilter
// 2.2 Load it at boot
vi /etc/modules-load.d/k8s.conf
br_netfilter
// 3 For a Linux node's iptables to see bridged traffic correctly, set net.bridge.bridge-nf-call-iptables to 1 in the sysctl configuration
vi /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
// 3.1 Apply
sudo sysctl --system
5.1.2 Check the required ports
5.1.3 Install the container runtime (Docker)
5.1.4 Install kubeadm, kubelet and kubectl
// 1 Configure the yum repository
vi /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
// 2 Set SELinux to permissive mode (effectively disabling it)
// 2.1 Temporarily
sudo setenforce 0
// 2.2 Permanently
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
// 3 Install
sudo yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
// 4 Enable and start the kubelet
sudo systemctl enable --now kubelet
5.1.5 Configure the cgroup driver
Both the container runtime and the kubelet have a property called "cgroup driver", which matters for how cgroups are managed on a Linux machine.
Warning: make sure the container runtime and the kubelet use the same cgroup driver, otherwise the kubelet process fails. See "Configuring a cgroup driver" for details.
// 1 Configure the container runtime's cgroup driver (Docker)
mkdir /etc/docker
vi /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2"
}
sudo systemctl enable docker
sudo systemctl daemon-reload
sudo systemctl restart docker
// 2 Configure the kubelet's cgroup driver
5.2 Create a cluster with kubeadm
5.2.1 Initialize (kubeadm init)
// 1 Disable the swap partition
// 1.1 Temporarily
swapoff -a
// 1.2 Permanently
// sed edits the file in place: sed -i 's/old/new/' target-file
sed -ri 's/.*swap.*/#&/' /etc/fstab
// 2 Open ports 6443 and 10250
firewall-cmd --zone=public --add-port=6443/tcp --permanent
firewall-cmd --zone=public --add-port=10250/tcp --permanent
firewall-cmd --reload
// 3 Initialize the cluster
kubeadm init \
--apiserver-advertise-address=<this-node-ip> \
--image-repository registry.aliyuncs.com/google_containers \
--pod-network-cidr=10.244.0.0/16
5.2.2 Configure the network plugin
mkdir -p /etc/cni/net.d
vim /etc/cni/net.d/ptp.conflist
{
  "cniVersion": "0.3.1",
  "name": "mynet",
  "plugins": [
    {
      "type": "ptp",
      "ipMasq": true,
      "ipam": {
        "type": "host-local",
        "subnet": "172.16.30.0/24",
        "routes": [
          { "dst": "0.0.0.0/0" }
        ]
      }
    },
    {
      "type": "portmap",
      "capabilities": { "portMappings": true },
      "externalSetMarkChain": "KUBE-MARK-MASQ"
    }
  ]
}
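The host-local subnet in the conflist and the --pod-network-cidr passed to kubeadm init in 5.2.1 describe the same thing from two sides: the controller-manager and kube-proxy are told that pods live in the pod CIDR, so a subnet handed out by host-local should be a slice of it, otherwise those pod addresses are not treated as cluster-internal. The check below is an added example and not part of the original notes: it extracts the "subnet" from a conflist and tests whether it lies inside a given pod CIDR, in plain POSIX sh with integer arithmetic (no ipcalc needed). The conflist in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): verify that the host-local subnet
# of a ptp.conflist is contained in the cluster's pod CIDR.

# Dotted-quad IPv4 address to an integer.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# cidr_contains OUTER INNER: returns 0 when every address of INNER is inside OUTER.
cidr_contains() {
  outer_net=$(ip_to_int "${1%/*}"); outer_len=${1#*/}
  inner_net=$(ip_to_int "${2%/*}"); inner_len=${2#*/}
  # A larger network can never fit inside a smaller one.
  [ "$inner_len" -ge "$outer_len" ] || return 1
  mask=$(( (0xffffffff << (32 - outer_len)) & 0xffffffff ))
  [ $(( outer_net & mask )) -eq $(( inner_net & mask )) ]
}

# The "subnet" value of the host-local IPAM section of a CNI conflist
# (the file is joined into one line first, so formatting does not matter).
conflist_subnet() {
  tr -d '\n' < "$1" | sed -n 's/.*"subnet"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# conflist_subnet_in_pod_cidr <ptp.conflist> <pod-cidr>
# Returns 0 when the conflist's subnet is inside the pod CIDR; prints a diagnostic otherwise.
conflist_subnet_in_pod_cidr() {
  subnet=$(conflist_subnet "$1")
  [ -n "$subnet" ] || { echo "no host-local subnet found in $1"; return 1; }
  if cidr_contains "$2" "$subnet"; then
    return 0
  fi
  echo "host-local subnet $subnet is outside pod CIDR $2"
  return 1
}

# Typical use, with the values from 5.2.1 and 5.2.2:
#   conflist_subnet_in_pod_cidr /etc/cni/net.d/ptp.conflist 10.244.0.0/16
```

Run against the two values in these notes the check reports the 172.16.30.0/24 subnet as lying outside 10.244.0.0/16; carving each node's host-local subnet out of the pod CIDR (a distinct /24 per node) keeps the addresses inside the range the control plane was told about.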
5.2.3 Join nodes to the cluster (kubeadm join)
// 1 Configure the network
// 2 Install Docker and copy daemon.json
// 3 Install kubeadm, kubelet and kubectl
// 4 Join the cluster
kubeadm join <master-ip>:6443 --token <token> --discovery-token-ca-cert-hash sha256:<hash>
// 5 Open port 10248
firewall-cmd --zone=public --add-port=10248/tcp --permanent
firewall-cmd --reload
// 6 Configure the network plugin as in 5.2.2
