新节点做准备
新节点是裸机,需要安装一些必备的东西
所有节点都添加新节点的hosts
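# Map the new node's name on every node. Guarded so re-running this step
# does not append a duplicate entry to /etc/hosts.
grep -qF -- '192.168.33.104 node04' /etc/hosts \
  || printf '%s\n' '192.168.33.104 node04' >> /etc/hosts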
新节点还需要添加apiserver的hosts
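# Point apiserver.k8s.local at the node-local proxy (the nginx container started
# later listens on 8443). Guarded against duplicate lines on re-run.
grep -qF -- '127.0.0.1 apiserver.k8s.local' /etc/hosts \
  || printf '%s\n' '127.0.0.1 apiserver.k8s.local' >> /etc/hosts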
新节点关闭防火墙,swap,selinux
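# Disable firewalld and NetworkManager (the cluster relies on its own
# netfilter/IPVS rules and a static network setup).
systemctl disable --now firewalld NetworkManager
# Turn swap off now and keep it off after reboot (kubeadm's preflight rejects
# swap by default).
swapoff -a
# Comment out only fstab entries whose type field is "swap"; the original
# pattern commented out any uncommented line containing "swap" anywhere,
# including inside a device or mount path.
sed -ri '/^[^#]*[[:space:]]swap[[:space:]]/s@^@#@' /etc/fstab
# Switch SELinux to permissive now and disable it for the next boot.
# setenforce exits non-zero when SELinux is already disabled; that is not a
# failure of this step.
setenforce 0 || :
sed -ri '/^[^#]*SELINUX=/s#=.+$#=disabled#' /etc/selinux/config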
新节点yum准备
# Enable EPEL (several of the packages installed next live there), then bring
# the base system up to date.
yum -y install epel-release
yum -y update
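# Build tools and node utilities. The original list repeated several names
# (wget, conntrack, conntrack-tools, sysstat, libseccomp, openssl-devel,
# ncurses-devel, cmake, openssl) and contained "fiex*", which matches no
# package and is almost certainly a typo of the already-listed "flex*"; both
# have been removed. Wildcards are quoted so they reach yum as patterns instead
# of being expanded by the shell against files in the current directory.
# TODO(review): "tlc" is kept as written but looks like a typo (tcl?) — confirm.
packages=(
  gcc bc gcc-c++ make cmake autoconf automake libtool
  ncurses ncurses-devel elfutils-libelf-devel openssl openssl-devel
  'flex*' 'bison*' 'zlib*' 'libxml*' 'libmcrypt*' 'libtool-ltdl-devel*'
  pcre pcre-devel jemalloc-devel tlc
  vim unzip wget lrzsz 'bash-comp*' bash-completion
  ipvsadm ipset jq sysstat conntrack conntrack-tools libseccomp socat
  curl git psmisc nfs-utils tree net-tools crontabs
  iftop nload strace bind-utils tcpdump htop telnet lsof
)
yum -y install "${packages[@]}"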
新节点加载ipvs
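# Register the IPVS-related kernel modules so systemd loads them at boot.
# Only modules this kernel actually has are written, so one missing name does
# not make systemd-modules-load fail for the whole file.
: > /etc/modules-load.d/ipvs.conf
module=(
  ip_vs
  ip_vs_rr
  ip_vs_wrr
  ip_vs_sh
  nf_conntrack
  br_netfilter
)
for kernel_module in "${module[@]}"; do
  # modinfo exits non-zero for an unknown module; rely on that instead of
  # grepping its error text, and quote the expansions.
  if /sbin/modinfo -F filename "$kernel_module" >/dev/null 2>&1; then
    printf '%s\n' "$kernel_module" >> /etc/modules-load.d/ipvs.conf
  fi
done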
# Pick up the new modules-load.d file and load the listed modules right away.
systemctl daemon-reload
systemctl enable --now systemd-modules-load.service
$ lsmod | grep ip_vs
ip_vs_sh 12688 0
ip_vs_wrr 12697 0
ip_vs_rr 12600 11
ip_vs 145497 17 ip_vs_rr,ip_vs_sh,ip_vs_wrr
nf_conntrack 133095 7 ip_vs,nf_nat,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_netlink,nf_conntrack_ipv4
libcrc32c 12644 3 ip_vs,nf_nat,nf_conntrack
新节点设置k8s系统参数
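# Kernel parameters for a Kubernetes node. sysctl.conf(5) only documents
# full-line '#'/';' comments, so the original "key = value #comment" form is
# not something the format guarantees to accept; every explanation now sits on
# its own line above the key. The delimiter is quoted because nothing in the
# file is meant to be expanded by the shell.
# The net.bridge.* keys only exist once br_netfilter is loaded (see the module
# list above); otherwise sysctl --system reports them as unknown keys.
cat > /etc/sysctl.d/k8s.conf <<'EOF'
# disable IPv6 (drop these three lines on a dual-stack cluster)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# how long before a neighbor (ARP) entry is re-checked for staleness
net.ipv4.neigh.default.gc_stale_time = 120
# disable reverse-path filtering
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
# always use the best local address for the target as the ARP request source
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
# enable IP forwarding
net.ipv4.ip_forward = 1
# maximum number of TIME_WAIT sockets held at once
net.ipv4.tcp_max_tw_buckets = 5000
# enable SYN cookies when the SYN backlog overflows
net.ipv4.tcp_syncookies = 1
# maximum number of queued SYN requests
net.ipv4.tcp_max_syn_backlog = 1024
# SYN-ACK retransmissions while a connection is being established
net.ipv4.tcp_synack_retries = 2
# make bridged traffic pass through iptables / ip6tables / arptables
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
# maximum number of tracked connections
net.netfilter.nf_conntrack_max = 2310720
# inotify watches a single user may hold at once
fs.inotify.max_user_watches = 89100
# allow detaching mounts (key is not present on every kernel)
fs.may_detach_mounts = 1
# system-wide open file handle limit
fs.file-max = 52706963
# per-process open file limit
fs.nr_open = 52706963
# always allow memory overcommit regardless of current usage
vm.overcommit_memory = 1
# do not panic on OOM; let the OOM killer handle it
vm.panic_on_oom = 0
# avoid swapping
vm.swappiness = 0
# fixes long-lived connection timeouts in IPVS mode; anything below 900 works
net.ipv4.tcp_keepalive_time = 600
# interval between unanswered keepalive probes
net.ipv4.tcp_keepalive_intvl = 30
# probes sent before the connection is declared dead
net.ipv4.tcp_keepalive_probes = 10
# maximum number of memory map areas a process may have
vm.max_map_count = 262144
EOF
# Apply every file under /etc/sysctl.d now.
sysctl --system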
新节点文件最大数
# Raise the process and open-file limits for all users, and explicitly for
# root (wildcard entries do not apply to root).
cat <<'EOF' > /etc/security/limits.d/kubernetes.conf
* soft nproc 131072
* hard nproc 131072
* soft nofile 131072
* hard nofile 131072
root soft nproc 131072
root hard nproc 131072
root soft nofile 131072
root hard nofile 131072
EOF
新节点docker 安装
docker yum
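# Fetch the Docker CE repo definition straight to its destination. The original
# cd-ed into /etc/yum.repos.d and left the shell's working directory changed for
# every later command; a failed download also no longer leaves a truncated file.
docker_repo=/etc/yum.repos.d/docker-ce.repo
wget -O "$docker_repo" https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo \
  || { rm -f -- "$docker_repo"; false; }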
官方脚本检查
docker官方的内核检查脚本建议(RHEL7/CentOS7: User namespaces disabled; add 'user_namespace.enable=1' to boot command line)

# Docker's check-config script warns on RHEL7/CentOS7 that user namespaces are
# disabled; turn them on in the default kernel's boot command line.
default_kernel=$(grubby --default-kernel)
grubby --update-kernel="$default_kernel" --args="user_namespace.enable=1"
# The new boot argument only takes effect after a reboot.
reboot
docker安装
# Install Docker CE from the repo added above. No version is pinned here,
# unlike kubeadm/kubelet further down (1.18.4); pin one if you need
# reproducible node builds.
yum -y install docker-ce
配置docker
# Bash completion for the docker CLI in interactive shells.
cp /usr/share/bash-completion/completions/docker /etc/bash_completion.d/
# Daemon config: systemd cgroup driver (kubelet must use the same one — see the
# kubeadm-flags.env check after the join), bounded json-file logs, live-restore
# so containers survive a daemon restart, overlay2 storage.
# The registry mirror is the author's own Aliyun accelerator endpoint; replace
# it with yours.
mkdir -p /etc/docker/
cat <<'EOF' > /etc/docker/daemon.json
{
  "log-driver": "json-file",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-opts": {
    "max-size": "100m",
    "max-file": "3"
  },
  "live-restore": true,
  "max-concurrent-downloads": 10,
  "max-concurrent-uploads": 10,
  "registry-mirrors": ["https://2lefsjdg.mirror.aliyuncs.com"],
  "storage-driver": "overlay2",
  "storage-opts": ["overlay2.override_kernel_check=true"]
}
EOF
启动docker
# Start docker now and at every boot.
systemctl enable --now docker.service
新节点启动master高可用的nginx容器
所有节点都需要与kube-apiserver通信,这边所有集群都在本地做了代理,详情看利用kubeadm搭建kubernetes集群
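# Node-local TCP proxy in front of the three control-plane nodes.
# apiserver.k8s.local resolves to 127.0.0.1 on every node (hosts entry above),
# so kubelet talks to 127.0.0.1:8443 and nginx spreads it over the masters.
# master01..master03 must also resolve on this node (hosts file or DNS).
#
# The here-doc delimiter MUST be quoted: with a bare EOF the shell expands
# $remote_addr to an empty string and the upstream block is written as
# "hash  consistent;" — nginx then hashes on the literal key "consistent"
# with no consistent-hash flag, i.e. every connection lands on one master.
#
# listen is bound to loopback: only local clients are expected, since the
# hosts entry points at 127.0.0.1. Drop the address prefix if something
# off-node genuinely needs this proxy.
mkdir -p /etc/kubernetes
cat > /etc/kubernetes/nginx.conf <<'EOF'
user nginx nginx;
worker_processes auto;
events {
    worker_connections 20240;
    use epoll;
}
error_log /var/log/nginx_error.log info;
stream {
    upstream kube-servers {
        hash $remote_addr consistent;
        server master01:6443 weight=5 max_fails=1 fail_timeout=3s;
        server master02:6443 weight=5 max_fails=1 fail_timeout=3s;
        server master03:6443 weight=5 max_fails=1 fail_timeout=3s;
    }
    server {
        listen 127.0.0.1:8443 reuseport;
        proxy_connect_timeout 3s;
        proxy_timeout 3000s;
        proxy_pass kube-servers;
    }
}
EOF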
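# Run the apiserver proxy on the host network so its port 8443 is what
# apiserver.k8s.local (127.0.0.1) reaches. The config mount is read-only: the
# container has no reason to modify it.
# TODO(review): pin the image to a fixed tag or digest; a bare "nginx" resolves
# to whatever :latest is at pull time, so node builds are not reproducible.
docker run --restart=always \
  -v /etc/kubernetes/nginx.conf:/etc/nginx/nginx.conf:ro \
  -v /etc/localtime:/etc/localtime:ro \
  --name k8sHA \
  --net host \
  -d \
  nginx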
查看当前集群版本
在master节点执行
# Run on a master: the VERSION column is what kubeadm/kubelet on the new node
# should be pinned to.
kubectl get node

新节点kubeadm部署
kubeadm yum
# Kubernetes yum repo (Aliyun mirror, EL7 x86_64 packages).
# NOTE(review): gpgcheck=0 disables RPM signature verification for everything
# installed from this repo, so a tampered mirror or download goes unnoticed;
# set gpgcheck=1 and point gpgkey= at the mirror's signing keys if it publishes them.
cat > /etc/yum.repos.d/kubernetes.repo <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
EOF
安装kubeadm kubelet
# Pin kubeadm/kubelet to the cluster's version (compare with `kubectl get nodes`
# on a master) and enable kubelet so it starts at boot.
yum -y install \
  kubeadm-1.18.4 \
  kubelet-1.18.4 \
  --disableexcludes=kubernetes \
&& systemctl enable kubelet
join加入集群
master重新生成新的token
kubeadm的token只有24H,后续节点加入需要新的token
# On a master: show existing bootstrap tokens, then mint a fresh one for the
# join below (tokens expire after 24h). The token is a credential — keep it
# off shared channels and remove it with `kubeadm token delete` once the node
# has joined.
kubeadm token list
kubeadm token create

获取ca证书sha256编码hash值
# SHA-256 of the cluster CA's public key, used as --discovery-token-ca-cert-hash
# so the joining node can verify it is talking to the right control plane.
# Assumes an RSA CA key (kubeadm's default). Errors from the middle step are
# silenced, so check that the output is 64 hex characters.
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt \
  | openssl rsa -pubin -outform der 2>/dev/null \
  | openssl dgst -sha256 -hex \
  | awk '{print $NF}'

新节点利用新token加入集群
在新节点上执行
# Run on the new node. The token and hash are the author's example values;
# substitute the output of `kubeadm token create` and the openssl command
# above. The CA hash is what authenticates the control plane to this node —
# always pass it rather than skipping verification.
kubeadm join apiserver.k8s.local:8443 \
  --token gqecek.mhbewdq7ess7qb83 \
  --discovery-token-ca-cert-hash sha256:960113b464e62159df848c661586005a3f2315ab29fafc6e7568ed0dd7f8e40a
重启docker,kubelet
由于kubeadm默认使用cgroupfs,官方推荐用systemd,得进行检查和修改成systemd,然后重启
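# Show the kubelet flags kubeadm generated, then edit them if --cgroup-driver
# is not "systemd" (docker above was configured with native.cgroupdriver=systemd
# and the two must match). The original line read "vim cat /var/lib/...", which
# opened a file literally named "cat" in the editor alongside the real file.
cat /var/lib/kubelet/kubeadm-flags.env
vim /var/lib/kubelet/kubeadm-flags.env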

先重启docker 再重启kubelet
# Restart docker first so its cgroup driver setting is live, then kubelet.
systemctl restart docker.service
systemctl restart kubelet.service
查看扩容后的集群
# Run on a master: the new node should now appear and move to Ready.
kubectl get node

