背景
服务器配置
节点 | 内网IP | 公网IP | 配置 |
---|---|---|---|
ren | 10.0.4.17 | 1.15.230.38 | 4C8G |
yan | 10.0.4.15 | 101.34.64.205 | 4C8G |
bai | 192.168.0.4 | 106.12.145.172 | 2C8G |
软件版本
软件 | 版本 |
---|---|
centos | 7.6 |
docker | 20.10.7 |
kubelet | 1.20.9 |
kubeadm | 1.20.9 |
kubectl | 1.20.9 |
镜像版本
镜像 | 版本 |
---|---|
k8s.gcr.io/kube-apiserver | 1.20.9 |
k8s.gcr.io/kube-controller-manager | 1.20.9 |
k8s.gcr.io/kube-scheduler | 1.20.9 |
k8s.gcr.io/kube-proxy | 1.20.9 |
k8s.gcr.io/pause | 3.2 |
k8s.gcr.io/etcd | 3.4.13-0 |
k8s.gcr.io/coredns | 1.7.0 |
创建初始文件夹
#/Users/keyboardone/同步空间/software
mkdir -p /opt/software
cd /opt/software/k8s/
chmod 755 /opt/software/k8s/*.sh
配置ssh免密
ren
ren-ssh.sh
cd /opt/software/k8s/
vi ren-ssh.sh
#修改主机名
sudo hostnamectl set-hostname ren
sudo hostnamectl set-hostname "ren" --pretty
sudo hostnamectl set-hostname ren --static
sudo hostnamectl set-hostname ren --transient
#标识其他主机名
cat > /etc/hosts <<EOF
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.4.17 ren
101.34.64.205 yan
106.12.145.172 bai
EOF
#清空密钥
cd ~/.ssh/
rm -rf *
#用户目录下生成公钥、私钥文件
ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
#分发公钥到其他主机
for ip in yan bai; # 请将此处主机名替换为自己要部署的机器的 hostname
do
ssh-copy-id $ip # 该操作执行过程中需要手动输入用户的密码
done
yan
yan-ssh.sh
cd /opt/software/k8s/
vi yan-ssh.sh
#修改主机名
sudo hostnamectl set-hostname yan
sudo hostnamectl set-hostname "yan" --pretty
sudo hostnamectl set-hostname yan --static
sudo hostnamectl set-hostname yan --transient
#标识其他主机名
cat > /etc/hosts <<EOF
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
1.15.230.38 ren
10.0.4.15 yan
106.12.145.172 bai
EOF
#清空密钥
cd ~/.ssh/
rm -rf *
#用户目录下生成公钥、私钥文件
ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
#分发公钥到其他主机
for ip in ren bai; # 请将此处主机名替换为自己要部署的机器的 hostname
do
ssh-copy-id $ip # 该操作执行过程中需要手动输入用户的密码
done
bai
bai-ssh.sh
cd /opt/software/k8s/
vi bai-ssh.sh
#修改主机名
sudo hostnamectl set-hostname bai
sudo hostnamectl set-hostname "bai" --pretty
sudo hostnamectl set-hostname bai --static
sudo hostnamectl set-hostname bai --transient
#标识其他主机名
cat > /etc/hosts <<EOF
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
1.15.230.38 ren
101.34.64.205 yan
192.168.0.4 bai
EOF
#清空密钥
cd ~/.ssh/
rm -rf *
#用户目录下生成公钥、私钥文件
ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
#分发公钥到其他主机
for ip in ren yan; # 请将此处主机名替换为自己要部署的机器的 hostname
do
ssh-copy-id $ip # 该操作执行过程中需要手动输入用户的密码
done
文件准备
上传相关文件到 /opt/software/
scp -r /opt/software/ yan:/opt/
scp -r /opt/software/ bai:/opt/
准备集群基础环境
ren
ren-os.sh nohup /opt/software/k8s/ren-os.sh > ren-os.log 2>&1 &
cd /opt/software/k8s/
vi ren-os.sh
#设置重启自动加载模块
modprobe br_netfilter
sysctl -p /etc/sysctl.conf
#查看
lsmod | grep br_netfilter
#永久设置
#新建 rc.sysinit
cat > /etc/rc.sysinit <<EOF
#!/bin/bash
for file in /etc/sysconfig/modules/*.modules ; do
[ -x $file ] && $file
done
EOF
#新建 br_netfilter.modules
cat > /etc/sysconfig/modules/br_netfilter.modules <<EOF
modprobe br_netfilter
EOF
#授权br_netfilter.modules文件执行权限
chmod 755 /etc/sysconfig/modules/br_netfilter.modules
#查看
lsmod |grep br_netfilter
#新建k8s网桥配置文件
cat > /root/k8s.conf <<EOF
#开启网桥模式
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
#开启转发
net.ipv4.ip_forward = 1
##关闭ipv6
net.ipv6.conf.all.disable_ipv6=1
EOF
#拷贝k8s网桥配置文件到系统目录下
cp /root/k8s.conf /etc/sysctl.d/k8s.conf
sysctl -p /etc/sysctl.d/k8s.conf
#设置时区
# 设置系统时区为 中国/上海
timedatectl set-timezone Asia/Shanghai
# 将当前的UTC时间写入硬件时钟
timedatectl set-local-rtc 0
# 重启依赖于系统时间的服务
systemctl restart rsyslog
systemctl restart crond
#关闭邮件服务
systemctl stop postfix && systemctl disable postfix
#设置rsyslogd、systemd、journald
mkdir /var/log/journal # 持久化保存日志的目录
mkdir /etc/systemd/journald.conf.d
#新建 journald 配置文件
cat > /etc/systemd/journald.conf.d/99-prophet.conf <<EOF
[Journal]
# 持久化
Storage=persistent
# 压缩历史日志
Compress=yes
SysnIntervalSec=5m
RateLimitInterval=30s
RateLimitBurst=1000
# 最大占用空间 10G
SystemMaxUse=10G
# 单日志文件最大 200M
SystemMaxFileSize=200M
# 日志保存时间 2 周
MaxRetentionSec=2week
# 不将日志转发到 syslog
ForwardToSyslog=no
EOF
#重启 journald 使生效
systemctl restart systemd-journald
#ipvs前置条件准备
modprobe br_netfilter
#新建 ipvs.modules 配置文件
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
#授权 ipvs.modules 文件执行权限
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules
#查看已载入系统的模块
lsmod | grep -e ip_vs -e nf_conntrack_ipv4
#关闭swap分区
free -lh
#删除 swap 区所有内容
swapoff -a
free -lh
#开启ipv4
cat /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
#安装docker
cd /opt/software/docker
tar xzvf docker-20.10.7.tgz
chmod +x docker/*
mv docker/* /usr/local/bin/
#创建docker配置文件
echo '[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io
After=network.target
[Service]
Environment="PATH=/usr/local/bin:/bin:/sbin:/usr/bin:/usr/sbin"
ExecStart=/usr/local/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
ExecReload=/bin/kill -s HUP $MAINPID
Restart=always
RestartSec=5
TimeoutSec=0
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
' >> /etc/systemd/system/docker.service
#重新加载docker配置文件
cd /usr/local/bin
#重新加载配置文件
systemctl daemon-reload
#设置开机启动
systemctl enable docker.service
#启动
systemctl start docker.service
#重启
systemctl daemon-reload
systemctl restart docker
#等待
sleep 30s
#添加docker源
mkdir -p /etc/docker/
touch /etc/docker/daemon.json
cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors":["https://docker.mirrors.ustc.edu.cn/"],
"exec-opts": ["native.cgroupdriver=systemd"],
"insecure-registries": ["http://ren:8088"]
}
EOF
#重启docker
systemctl daemon-reload
systemctl restart docker
#等待
sleep 1m
#查看验证docker
docker info
#等待
sleep 1m
#安装Kubeadm、Kubelet、Kubectl
#添加yum源
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF
#关闭SELinux
getenforce
sestatus
setenforce 0
getenforce
sestatus
#yum安装kubelet、kubeadm、kubectl
sudo yum install -y kubelet-1.20.9 kubeadm-1.20.9 kubectl-1.20.9 --disableexcludes=kubernetes
#kubelet设置为开机自启
sudo systemctl enable --now kubelet
#检查 kubelet 服务
systemctl status kubelet
#建立虚拟网卡
cat > /etc/sysconfig/network-scripts/ifcfg-eth0:1 <<EOF
BOOTPROTO=static
DEVICE=eth0:1
IPADDR=1.15.230.38
PREFIX=32
TYPE=Ethernet
USERCTL=no
ONBOOT=yes
EOF
#重启网卡,使生效
systemctl restart network
#等待
sleep 30s
ip addr
#重启网卡后,重新开启ipv4
cat /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
#修改kubelet启动参数
mkdir -p /usr/lib/systemd/system/kubelet.service.d/
cp /opt/software/k8s/ren-10-kubeadm.conf /usr/lib/systemd/system/kubelet.service.d/
rm -rf /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
mv /usr/lib/systemd/system/kubelet.service.d/ren-10-kubeadm.conf /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
#准备kubeadm初始化环境
#编写 kubeadm-config.yaml 文件,准备初始化主节点
cat > /root/kubeadm-config.yaml <<EOF
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.20.9
apiServer:
certSANs: #填写所有kube-apiserver节点的hostname、IP、VIP
- ren #替换为hostname
- 1.15.230.38 #替换为公网
- 10.0.4.17 #替换为私网
- 10.96.0.1 #不要替换,此IP是API的集群地址,部分服务会用到
controlPlaneEndpoint: 1.15.230.38:6443 #替换为公网IP
networking:
podSubnet: 10.244.0.0/16
serviceSubnet: 10.96.0.0/12
--- 将默认调度方式改为ipvs
apiVersion: kubeproxy-config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
SupportIPVSProxyMode: true
mode: ipvs
EOF
#查看要下载的镜像
kubeadm config images list
#等待
sleep 30s
#编写镜像拉取脚本,准备分发各节点执行
cat >/root/pull_k8s_images.sh << "EOF"
# 内容为
set -o errexit
set -o nounset
set -o pipefail
##这里定义需要下载的版本
KUBE_VERSION=v1.20.9
KUBE_PAUSE_VERSION=3.2
ETCD_VERSION=3.4.13-0
DNS_VERSION=1.7.0
##这是原来被墙的仓库
GCR_URL=k8s.gcr.io
##这里就是写你要使用的仓库,也可以使用gotok8s
DOCKERHUB_URL=registry.cn-hangzhou.aliyuncs.com/google_containers
##这里是镜像列表
images=(
kube-proxy:${KUBE_VERSION}
kube-scheduler:${KUBE_VERSION}
kube-controller-manager:${KUBE_VERSION}
kube-apiserver:${KUBE_VERSION}
pause:${KUBE_PAUSE_VERSION}
etcd:${ETCD_VERSION}
coredns:${DNS_VERSION}
)
## 这里是拉取和改名的循环语句, 先下载, 再tag重命名生成需要的镜像, 再删除下载的镜像
for imageName in ${images[@]} ; do
docker pull $DOCKERHUB_URL/$imageName
docker tag $DOCKERHUB_URL/$imageName $GCR_URL/$imageName
docker rmi $DOCKERHUB_URL/$imageName
done
EOF
#授权 镜像拉取脚本 执行权限
chmod +x /root/pull_k8s_images.sh
#执行 镜像拉取 脚本
bash /root/pull_k8s_images.sh
#验证镜像拉取
docker images
主节点执行 kubeadm ,进行初始化
kubeadm init —config=kubeadm-config.yaml
yan
yan-os.sh nohup /opt/software/k8s/yan-os.sh > yan-os.log 2>&1 &
cd /opt/software/k8s/
vi yan-os.sh
#设置重启自动加载模块
modprobe br_netfilter
sysctl -p /etc/sysctl.conf
#查看
lsmod | grep br_netfilter
#永久设置
#新建 rc.sysinit
cat > /etc/rc.sysinit <<EOF
#!/bin/bash
for file in /etc/sysconfig/modules/*.modules ; do
[ -x $file ] && $file
done
EOF
#新建 br_netfilter.modules
cat > /etc/sysconfig/modules/br_netfilter.modules <<EOF
modprobe br_netfilter
EOF
#授权br_netfilter.modules文件执行权限
chmod 755 /etc/sysconfig/modules/br_netfilter.modules
#查看
lsmod |grep br_netfilter
#新建k8s网桥配置文件
cat > /root/k8s.conf <<EOF
#开启网桥模式
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
#开启转发
net.ipv4.ip_forward = 1
##关闭ipv6
net.ipv6.conf.all.disable_ipv6=1
EOF
#拷贝k8s网桥配置文件到系统目录下
cp /root/k8s.conf /etc/sysctl.d/k8s.conf
sysctl -p /etc/sysctl.d/k8s.conf
#设置时区
# 设置系统时区为 中国/上海
timedatectl set-timezone Asia/Shanghai
# 将当前的UTC时间写入硬件时钟
timedatectl set-local-rtc 0
# 重启依赖于系统时间的服务
systemctl restart rsyslog
systemctl restart crond
#关闭邮件服务
systemctl stop postfix && systemctl disable postfix
#设置rsyslogd、systemd、journald
mkdir /var/log/journal # 持久化保存日志的目录
mkdir /etc/systemd/journald.conf.d
#新建 journald 配置文件
cat > /etc/systemd/journald.conf.d/99-prophet.conf <<EOF
[Journal]
# 持久化
Storage=persistent
# 压缩历史日志
Compress=yes
SysnIntervalSec=5m
RateLimitInterval=30s
RateLimitBurst=1000
# 最大占用空间 10G
SystemMaxUse=10G
# 单日志文件最大 200M
SystemMaxFileSize=200M
# 日志保存时间 2 周
MaxRetentionSec=2week
# 不将日志转发到 syslog
ForwardToSyslog=no
EOF
#重启 journald 使生效
systemctl restart systemd-journald
#ipvs前置条件准备
modprobe br_netfilter
#新建 ipvs.modules 配置文件
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
#授权 ipvs.modules 文件执行权限
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules
#查看已载入系统的模块
lsmod | grep -e ip_vs -e nf_conntrack_ipv4
#关闭swap分区
free -lh
#删除 swap 区所有内容
swapoff -a
free -lh
#开启ipv4
cat /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
#安装docker
cd /opt/software/docker
tar xzvf docker-20.10.7.tgz
chmod +x docker/*
mv docker/* /usr/local/bin/
#创建docker配置文件
echo '[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io
After=network.target
[Service]
Environment="PATH=/usr/local/bin:/bin:/sbin:/usr/bin:/usr/sbin"
ExecStart=/usr/local/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
ExecReload=/bin/kill -s HUP $MAINPID
Restart=always
RestartSec=5
TimeoutSec=0
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
' >> /etc/systemd/system/docker.service
#重新加载docker配置文件
cd /usr/local/bin
#重新加载配置文件
systemctl daemon-reload
#设置开机启动
systemctl enable docker.service
#启动
systemctl start docker.service
#重启
systemctl daemon-reload
systemctl restart docker
#等待
sleep 30s
#添加docker源
mkdir -p /etc/docker/
touch /etc/docker/daemon.json
cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors":["https://docker.mirrors.ustc.edu.cn/"],
"exec-opts": ["native.cgroupdriver=systemd"],
"insecure-registries": ["http://ren:8088"]
}
EOF
#重启docker
systemctl daemon-reload
systemctl restart docker
#等待
sleep 1m
#查看验证docker
docker info
#等待
sleep 1m
#安装Kubeadm、Kubelet、Kubectl
#添加yum源
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF
#关闭SELinux
getenforce
sestatus
setenforce 0
getenforce
sestatus
#yum安装kubelet、kubeadm、kubectl
sudo yum install -y kubelet-1.20.9 kubeadm-1.20.9 kubectl-1.20.9 --disableexcludes=kubernetes
#kubelet设置为开机自启
sudo systemctl enable --now kubelet
#检查 kubelet 服务
systemctl status kubelet
#建立虚拟网卡
cat > /etc/sysconfig/network-scripts/ifcfg-eth0:1 <<EOF
BOOTPROTO=static
DEVICE=eth0:1
IPADDR=101.34.64.205
PREFIX=32
TYPE=Ethernet
USERCTL=no
ONBOOT=yes
EOF
#重启网卡,使生效
systemctl restart network
#等待
sleep 30s
ip addr
#重启网卡后,重新开启ipv4
cat /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
#修改kubelet启动参数
mkdir -p /usr/lib/systemd/system/kubelet.service.d/
cp /opt/software/k8s/yan-10-kubeadm.conf /usr/lib/systemd/system/kubelet.service.d/
rm -rf /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
mv /usr/lib/systemd/system/kubelet.service.d/yan-10-kubeadm.conf /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
#准备kubeadm初始化环境
#编写 kubeadm-config.yaml 文件,准备初始化主节点
cat > /root/kubeadm-config.yaml <<EOF
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.20.9
apiServer:
certSANs: #填写所有kube-apiserver节点的hostname、IP、VIP
- ren #替换为hostname
- 1.15.230.38 #替换为公网
- 10.0.4.17 #替换为私网
- 10.96.0.1 #不要替换,此IP是API的集群地址,部分服务会用到
controlPlaneEndpoint: 1.15.230.38:6443 #替换为公网IP
networking:
podSubnet: 10.244.0.0/16
serviceSubnet: 10.96.0.0/12
--- 将默认调度方式改为ipvs
apiVersion: kubeproxy-config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
SupportIPVSProxyMode: true
mode: ipvs
EOF
#查看要下载的镜像
kubeadm config images list
#等待
sleep 30s
#编写镜像拉取脚本,准备分发各节点执行
cat >/root/pull_k8s_images.sh << "EOF"
# 内容为
set -o errexit
set -o nounset
set -o pipefail
##这里定义需要下载的版本
KUBE_VERSION=v1.20.9
KUBE_PAUSE_VERSION=3.2
ETCD_VERSION=3.4.13-0
DNS_VERSION=1.7.0
##这是原来被墙的仓库
GCR_URL=k8s.gcr.io
##这里就是写你要使用的仓库,也可以使用gotok8s
DOCKERHUB_URL=registry.cn-hangzhou.aliyuncs.com/google_containers
##这里是镜像列表
images=(
kube-proxy:${KUBE_VERSION}
kube-scheduler:${KUBE_VERSION}
kube-controller-manager:${KUBE_VERSION}
kube-apiserver:${KUBE_VERSION}
pause:${KUBE_PAUSE_VERSION}
etcd:${ETCD_VERSION}
coredns:${DNS_VERSION}
)
## 这里是拉取和改名的循环语句, 先下载, 再tag重命名生成需要的镜像, 再删除下载的镜像
for imageName in ${images[@]} ; do
docker pull $DOCKERHUB_URL/$imageName
docker tag $DOCKERHUB_URL/$imageName $GCR_URL/$imageName
docker rmi $DOCKERHUB_URL/$imageName
done
EOF
#授权 镜像拉取脚本 执行权限
chmod +x /root/pull_k8s_images.sh
#执行 镜像拉取 脚本
bash /root/pull_k8s_images.sh
#验证镜像拉取
docker images
bai
bai-os.sh nohup /opt/software/k8s/bai-os.sh > bai-os.log 2>&1 &
cd /opt/software/k8s/
vi bai-os.sh
#设置重启自动加载模块
modprobe br_netfilter
sysctl -p /etc/sysctl.conf
#查看
lsmod | grep br_netfilter
#永久设置
#新建 rc.sysinit
cat > /etc/rc.sysinit <<EOF
#!/bin/bash
for file in /etc/sysconfig/modules/*.modules ; do
[ -x $file ] && $file
done
EOF
#新建 br_netfilter.modules
cat > /etc/sysconfig/modules/br_netfilter.modules <<EOF
modprobe br_netfilter
EOF
#授权br_netfilter.modules文件执行权限
chmod 755 /etc/sysconfig/modules/br_netfilter.modules
#查看
lsmod |grep br_netfilter
#新建k8s网桥配置文件
cat > /root/k8s.conf <<EOF
#开启网桥模式
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
#开启转发
net.ipv4.ip_forward = 1
##关闭ipv6
net.ipv6.conf.all.disable_ipv6=1
EOF
#拷贝k8s网桥配置文件到系统目录下
cp /root/k8s.conf /etc/sysctl.d/k8s.conf
sysctl -p /etc/sysctl.d/k8s.conf
#设置时区
# 设置系统时区为 中国/上海
timedatectl set-timezone Asia/Shanghai
# 将当前的UTC时间写入硬件时钟
timedatectl set-local-rtc 0
# 重启依赖于系统时间的服务
systemctl restart rsyslog
systemctl restart crond
#关闭邮件服务
systemctl stop postfix && systemctl disable postfix
#设置rsyslogd、systemd、journald
mkdir /var/log/journal # 持久化保存日志的目录
mkdir /etc/systemd/journald.conf.d
#新建 journald 配置文件
cat > /etc/systemd/journald.conf.d/99-prophet.conf <<EOF
[Journal]
# 持久化
Storage=persistent
# 压缩历史日志
Compress=yes
SysnIntervalSec=5m
RateLimitInterval=30s
RateLimitBurst=1000
# 最大占用空间 10G
SystemMaxUse=10G
# 单日志文件最大 200M
SystemMaxFileSize=200M
# 日志保存时间 2 周
MaxRetentionSec=2week
# 不将日志转发到 syslog
ForwardToSyslog=no
EOF
#重启 journald 使生效
systemctl restart systemd-journald
#ipvs前置条件准备
modprobe br_netfilter
#新建 ipvs.modules 配置文件
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
#授权 ipvs.modules 文件执行权限
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules
#查看已载入系统的模块
lsmod | grep -e ip_vs -e nf_conntrack_ipv4
#关闭swap分区
free -lh
#删除 swap 区所有内容
swapoff -a
free -lh
#开启ipv4
cat /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
#安装docker
cd /opt/software/docker
tar xzvf docker-20.10.7.tgz
chmod +x docker/*
mv docker/* /usr/local/bin/
#创建docker配置文件
echo '[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io
After=network.target
[Service]
Environment="PATH=/usr/local/bin:/bin:/sbin:/usr/bin:/usr/sbin"
ExecStart=/usr/local/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375
ExecReload=/bin/kill -s HUP $MAINPID
Restart=always
RestartSec=5
TimeoutSec=0
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
' >> /etc/systemd/system/docker.service
#重新加载docker配置文件
cd /usr/local/bin
#重新加载配置文件
systemctl daemon-reload
#设置开机启动
systemctl enable docker.service
#启动
systemctl start docker.service
#重启
systemctl daemon-reload
systemctl restart docker
#等待
sleep 30s
#添加docker源
mkdir -p /etc/docker/
touch /etc/docker/daemon.json
cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors":["https://docker.mirrors.ustc.edu.cn/"],
"exec-opts": ["native.cgroupdriver=systemd"],
"insecure-registries": ["http://ren:8088"]
}
EOF
#重启docker
systemctl daemon-reload
systemctl restart docker
#等待
sleep 1m
#查看验证docker
docker info
#等待
sleep 1m
#安装Kubeadm、Kubelet、Kubectl
#添加yum源
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF
#关闭SELinux
getenforce
sestatus
setenforce 0
getenforce
sestatus
#yum安装kubelet、kubeadm、kubectl
sudo yum install -y kubelet-1.20.9 kubeadm-1.20.9 kubectl-1.20.9 --disableexcludes=kubernetes
#kubelet设置为开机自启
sudo systemctl enable --now kubelet
#检查 kubelet 服务
systemctl status kubelet
#建立虚拟网卡
cat > /etc/sysconfig/network-scripts/ifcfg-eth0:1 <<EOF
BOOTPROTO=static
DEVICE=eth0:1
IPADDR=106.12.145.172
PREFIX=32
TYPE=Ethernet
USERCTL=no
ONBOOT=yes
EOF
#重启网卡,使生效
systemctl restart network
#等待
sleep 30s
ip addr
#重启网卡后,重新开启ipv4
cat /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
#修改kubelet启动参数
mkdir -p /usr/lib/systemd/system/kubelet.service.d/
cp /opt/software/k8s/bai-10-kubeadm.conf /usr/lib/systemd/system/kubelet.service.d/
rm -rf /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
mv /usr/lib/systemd/system/kubelet.service.d/bai-10-kubeadm.conf /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
#准备kubeadm初始化环境
#编写 kubeadm-config.yaml 文件,准备初始化主节点
cat > /root/kubeadm-config.yaml <<EOF
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.20.9
apiServer:
certSANs: #填写所有kube-apiserver节点的hostname、IP、VIP
- ren #替换为hostname
- 1.15.230.38 #替换为公网
- 10.0.4.17 #替换为私网
- 10.96.0.1 #不要替换,此IP是API的集群地址,部分服务会用到
controlPlaneEndpoint: 1.15.230.38:6443 #替换为公网IP
networking:
podSubnet: 10.244.0.0/16
serviceSubnet: 10.96.0.0/12
--- 将默认调度方式改为ipvs
apiVersion: kubeproxy-config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
SupportIPVSProxyMode: true
mode: ipvs
EOF
#查看要下载的镜像
kubeadm config images list
#等待
sleep 30s
#编写镜像拉取脚本,准备分发各节点执行
cat >/root/pull_k8s_images.sh << "EOF"
# 内容为
set -o errexit
set -o nounset
set -o pipefail
##这里定义需要下载的版本
KUBE_VERSION=v1.20.9
KUBE_PAUSE_VERSION=3.2
ETCD_VERSION=3.4.13-0
DNS_VERSION=1.7.0
##这是原来被墙的仓库
GCR_URL=k8s.gcr.io
##这里就是写你要使用的仓库,也可以使用gotok8s
DOCKERHUB_URL=registry.cn-hangzhou.aliyuncs.com/google_containers
##这里是镜像列表
images=(
kube-proxy:${KUBE_VERSION}
kube-scheduler:${KUBE_VERSION}
kube-controller-manager:${KUBE_VERSION}
kube-apiserver:${KUBE_VERSION}
pause:${KUBE_PAUSE_VERSION}
etcd:${ETCD_VERSION}
coredns:${DNS_VERSION}
)
## 这里是拉取和改名的循环语句, 先下载, 再tag重命名生成需要的镜像, 再删除下载的镜像
for imageName in ${images[@]} ; do
docker pull $DOCKERHUB_URL/$imageName
docker tag $DOCKERHUB_URL/$imageName $GCR_URL/$imageName
docker rmi $DOCKERHUB_URL/$imageName
done
EOF
#授权 镜像拉取脚本 执行权限
chmod +x /root/pull_k8s_images.sh
#执行 镜像拉取 脚本
bash /root/pull_k8s_images.sh
#验证镜像拉取
docker images
节点初始化
ren
ren-init.sh nohup /opt/software/k8s/ren-init.sh > ren-init.log 2>&1 &
cd /opt/software/k8s/
vi ren-init.sh
systemctl status kubelet
#Warning: kubelet.service changed on disk. Run 'systemctl daemon-reload' to reload units.
systemctl daemon-reload
#等待
sleep 30s
#初始化
kubeadm init --config=/root/kubeadm-config.yaml
#等待
sleep 3m
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
export KUBECONFIG=/etc/kubernetes/admin.conf
#修改kube-apiserver参数
cp /opt/software/k8s/kube-apiserver.yaml /etc/kubernetes/manifests/
yan
yan-join.sh nohup /opt/software/k8s/yan-join.sh > yan-join.log 2>&1 &
systemctl status kubelet
#Warning: kubelet.service changed on disk. Run 'systemctl daemon-reload' to reload units.
systemctl daemon-reload
#worker节点加入集群
kubeadm join 1.15.230.38:6443 --token uifpif.fyr2s4f5gtemqgnn \
--discovery-token-ca-cert-hash sha256:80accd0bf78574cd8e0df8b3d276e2a8c1453277b510eb02507f8e5a0675676e
bai
bai-join.sh nohup /opt/software/k8s/bai-join.sh > bai-join.log 2>&1 &
systemctl status kubelet
#Warning: kubelet.service changed on disk. Run 'systemctl daemon-reload' to reload units.
systemctl daemon-reload
#worker节点加入集群
kubeadm join 1.15.230.38:6443 --token uifpif.fyr2s4f5gtemqgnn \
--discovery-token-ca-cert-hash sha256:80accd0bf78574cd8e0df8b3d276e2a8c1453277b510eb02507f8e5a0675676e
查看初始化进度
#监听应用启动情况
kubectl get pod -A -w
#或者
watch -n 1 kubectl get pod -A
#检查各节点连接状态
kubectl get pods -o wide --all-namespaces
#或者
watch -n 1 kubectl get pods -o wide --all-namespaces
安装网络插件 flannel
ren
ren-flannel.sh nohup /opt/software/k8s/ren-flannel.sh > ren-flannel.log 2>&1 &
cd /opt/software/k8s/
vi ren-flannel.sh
kubectl get pod -A
#等待
sleep 3m
kubectl get pod -A
kubectl apply -f /opt/software/k8s/kube-flannel.yml
#等待
sleep 11m
kubectl get pod -A
检查网络是否连通
# 检查pod是否都是ready状态
kubectl get pods -o wide --all-namespaces
...
# 手动创建一个pod
kubectl create deployment nginx --image=nginx
# 查看pod的ip
kubectl get pods -o wide
# 主节点或其它节点,ping一下此ip,看看是否能ping通