1. #!/bin/bash
    3. # 初始化k8s
    4. kubeadm init --kubernetes-version=1.23.1 \
    5. --apiserver-advertise-address=192.168.56.101 \
    6. --image-repository registry.aliyuncs.com/google_containers \
    7. --service-cidr=10.1.0.0/16 \
    8. --pod-network-cidr=10.244.0.0/16
    10. mkdir -p $HOME/.kube
    11. sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    12. sudo chown $(id -u):$(id -g) $HOME/.kube/config
    13. echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile
    15. # 安装网络插件 Flannel
    16. cat >>/root/flannel.yml <<EOF
    17. ---
    18. apiVersion: policy/v1beta1
    19. kind: PodSecurityPolicy
    20. metadata:
    21.   name: psp.flannel.unprivileged
    22.   annotations:
    23.     seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    24.     seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    25.     apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    26.     apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    27. spec:
    28.   privileged: false
    29.   volumes:
    30.   - configMap
    31.   - secret
    32.   - emptyDir
    33.   - hostPath
    34.   allowedHostPaths:
    35.   - pathPrefix: "/etc/cni/net.d"
    36.   - pathPrefix: "/etc/kube-flannel"
    37.   - pathPrefix: "/run/flannel"
    38.   readOnlyRootFilesystem: false
    39.   # Users and groups
    40.   runAsUser:
    41.     rule: RunAsAny
    42.   supplementalGroups:
    43.     rule: RunAsAny
    44.   fsGroup:
    45.     rule: RunAsAny
    46.   # Privilege Escalation
    47.   allowPrivilegeEscalation: false
    48.   defaultAllowPrivilegeEscalation: false
    49.   # Capabilities
    50.   allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
    51.   defaultAddCapabilities: []
    52.   requiredDropCapabilities: []
    53.   # Host namespaces
    54.   hostPID: false
    55.   hostIPC: false
    56.   hostNetwork: true
    57.   hostPorts:
    58.   - min: 0
    59.     max: 65535
    60.   # SELinux
    61.   seLinux:
    62.     # SELinux is unused in CaaSP
    63.     rule: 'RunAsAny'
    64. ---
    65. kind: ClusterRole
    66. apiVersion: rbac.authorization.k8s.io/v1
    67. metadata:
    68.   name: flannel
    69. rules:
    70. - apiGroups: ['extensions']
    71.   resources: ['podsecuritypolicies']
    72.   verbs: ['use']
    73.   resourceNames: ['psp.flannel.unprivileged']
    74. - apiGroups:
    75.   - ""
    76.   resources:
    77.   - pods
    78.   verbs:
    79.   - get
    80. - apiGroups:
    81.   - ""
    82.   resources:
    83.   - nodes
    84.   verbs:
    85.   - list
    86.   - watch
    87. - apiGroups:
    88.   - ""
    89.   resources:
    90.   - nodes/status
    91.   verbs:
    92.   - patch
    93. ---
    94. kind: ClusterRoleBinding
    95. apiVersion: rbac.authorization.k8s.io/v1
    96. metadata:
    97.   name: flannel
    98. roleRef:
    99.   apiGroup: rbac.authorization.k8s.io
    100.   kind: ClusterRole
    101.   name: flannel
    102. subjects:
    103. - kind: ServiceAccount
    104.   name: flannel
    105.   namespace: kube-system
    106. ---
    107. apiVersion: v1
    108. kind: ServiceAccount
    109. metadata:
    110.   name: flannel
    111.   namespace: kube-system
    112. ---
    113. kind: ConfigMap
    114. apiVersion: v1
    115. metadata:
    116.   name: kube-flannel-cfg
    117.   namespace: kube-system
    118.   labels:
    119.     tier: node
    120.     app: flannel
    121. data:
    122.   cni-conf.json: |
    123.     {
    124.       "name": "cbr0",
    125.       "cniVersion": "0.3.1",
    126.       "plugins": [
    127.         {
    128.           "type": "flannel",
    129.           "delegate": {
    130.             "hairpinMode": true,
    131.             "isDefaultGateway": true
    132.           }
    133.         },
    134.         {
    135.           "type": "portmap",
    136.           "capabilities": {
    137.             "portMappings": true
    138.           }
    139.         }
    140.       ]
    141.     }
    142.   net-conf.json: |
    143.     {
    144.       "Network": "10.244.0.0/16",
    145.       "Backend": {
    146.         "Type": "vxlan"
    147.       }
    148.     }
    149. ---
    150. apiVersion: apps/v1
    151. kind: DaemonSet
    152. metadata:
    153.   name: kube-flannel-ds
    154.   namespace: kube-system
    155.   labels:
    156.     tier: node
    157.     app: flannel
    158. spec:
    159.   selector:
    160.     matchLabels:
    161.       app: flannel
    162.   template:
    163.     metadata:
    164.       labels:
    165.         tier: node
    166.         app: flannel
    167.     spec:
    168.       affinity:
    169.         nodeAffinity:
    170.           requiredDuringSchedulingIgnoredDuringExecution:
    171.             nodeSelectorTerms:
    172.             - matchExpressions:
    173.               - key: kubernetes.io/os
    174.                 operator: In
    175.                 values:
    176.                 - linux
    177.       hostNetwork: true
    178.       priorityClassName: system-node-critical
    179.       tolerations:
    180.       - operator: Exists
    181.         effect: NoSchedule
    182.       serviceAccountName: flannel
    183.       initContainers:
    184.       - name: install-cni
    185.         image: registry.cn-beijing.aliyuncs.com/qingfeng666/flannel:v0.13.0
    186.         command:
    187.         - cp
    188.         args:
    189.         - -f
    190.         - /etc/kube-flannel/cni-conf.json
    191.         - /etc/cni/net.d/10-flannel.conflist
    192.         volumeMounts:
    193.         - name: cni
    194.           mountPath: /etc/cni/net.d
    195.         - name: flannel-cfg
    196.           mountPath: /etc/kube-flannel/
    197.       containers:
    198.       - name: kube-flannel
    199.         image: registry.cn-beijing.aliyuncs.com/qingfeng666/flannel:v0.13.0
    200.         command:
    201.         - /opt/bin/flanneld
    202.         args:
    203.         - --ip-masq
    204.         - --kube-subnet-mgr
    205.         resources:
    206.           requests:
    207.             cpu: "100m"
    208.             memory: "50Mi"
    209.           limits:
    210.             cpu: "100m"
    211.             memory: "50Mi"
    212.         securityContext:
    213.           privileged: false
    214.           capabilities:
    215.             add: ["NET_ADMIN", "NET_RAW"]
    216.         env:
    217.         - name: POD_NAME
    218.           valueFrom:
    219.             fieldRef:
    220.               fieldPath: metadata.name
    221.         - name: POD_NAMESPACE
    222.           valueFrom:
    223.             fieldRef:
    224.               fieldPath: metadata.namespace
    225.         volumeMounts:
    226.         - name: run
    227.           mountPath: /run/flannel
    228.         - name: flannel-cfg
    229.           mountPath: /etc/kube-flannel/
    230.       volumes:
    231.       - name: run
    232.         hostPath:
    233.           path: /run/flannel
    234.       - name: cni
    235.         hostPath:
    236.           path: /etc/cni/net.d
    237.       - name: flannel-cfg
    238.         configMap:
    239.           name: kube-flannel-cfg
    240. EOF
    242. # 检测状态
    243. kubectl apply -f /root/flannel.yml
    244. kubectl get po -n kube-system
    245. kubectl get node -w