安装Docker服务
# 安装(二进制安装,master节点不需要安装Docker)
# 二进制安装时,控制节点不需要 Pod 启动插件
# Pinned Docker engine, CLI and containerd (a binary-installed control plane needs none of these)
yum -y install docker-ce-20.10.6 docker-ce-cli-20.10.6 containerd.io
# Start now, enable at boot, then print the unit status
systemctl start docker \
  && systemctl enable docker \
  && systemctl status docker
配置docker镜像加速器和驱动
# 编辑文件
vim /etc/docker/daemon.json
# 内容如下(可以换成自己的阿里云镜像加速器;列表里 http:// 开头的镜像源是明文传输,建议只保留 https:// 的)
{
"registry-mirrors":["https://rsbud4vc.mirror.aliyuncs.com","https://registry.docker-cn.com","https://docker.mirrors.ustc.edu.cn","https://dockerhub.azk8s.cn","http://hub-mirror.c.163.com","http://qtid6917.mirror.aliyuncs.com", "https://rncxm540.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"]
}
# 以上同时把 Docker 的 cgroup 驱动改为 systemd(默认为 cgroupfs);kubelet 默认使用 systemd,两者必须一致
# Reload unit files, restart Docker so the new daemon.json takes effect, then show the status
systemctl daemon-reload \
  && systemctl restart docker \
  && systemctl status docker
初始化K8S软件包
# 安装(每一台虚拟机都要操作)
# Pinned kubelet/kubeadm/kubectl; install the same versions on every node
yum -y install kubelet-1.20.6 kubeadm-1.20.6 kubectl-1.20.6
# Enable at boot and start now; the status check is a separate command
systemctl enable kubelet \
  && systemctl start kubelet
systemctl status kubelet
# 此时 kubelet 不是 running 状态是正常的,不用管;等 k8s 组件起来后 kubelet 就会正常
# Kubeadm: kubeadm是一个工具,用来初始化k8s集群的
# kubelet: 安装在集群所有节点上,用于启动Pod的
# kubectl: 通过kubectl可以部署和管理应用,查看各种资源,创建、删除和更新各种组件
k8s apiserver节点高可用(重点)
通过 keepalived + nginx 实现
配置epel源,这样才能安装keepalived和nginx
# 把epel.repo上传到[各个虚拟机]的/etc/yum.repos.d目录下
# 用 rz(lrzsz)或 scp 上传均可
# 只需要在master节点上安装即可
# Only the master (control-plane) nodes run the nginx/keepalived pair
yum -y install nginx keepalived
修改nginx配置文件:主备一样
vim /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Loads the dynamic modules; the nginx-mod-stream package installed further down provides the
# stream module through this include, and without it the stream {} block below fails to parse.
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
# Layer-4 (TCP) load balancing in front of the two master apiservers.
stream {
    log_format main '$remote_addr $upstream_addr - [$time_local] $status $upstream_bytes_sent';
    access_log /var/log/nginx/k8s-access.log main;
    upstream k8s-apiserver {
        # Edit these for the real cluster
        server 192.168.40.180:6443; # Master1 APISERVER IP:PORT
        server 192.168.40.181:6443; # Master2 APISERVER IP:PORT
    }
    server {
        # nginx shares the host with the apiserver, so it cannot take 6443 itself; 16443 is the
        # port controlPlaneEndpoint points at. No address is given, so it listens on every interface.
        listen 16443;
        proxy_pass k8s-apiserver;
    }
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Default HTTP server on port 80 with an empty location; it plays no part in the apiserver proxy.
    server {
        listen 80 default_server;
        server_name _;
        location / {
        }
    }
}
keepalived 配置,主备稍有差别(主要是 state 和 priority 不同)
vim /etc/keepalived/keepalived.conf
global_defs {
    # Notification settings; these look like the stock sample addresses and send nothing useful
    # until pointed at a real SMTP server and recipients.
    notification_email {
        acassen@firewall.loc
        failover@firewall.loc
        sysadmin@firewall.loc
    }
    notification_email_from Alexandre.Cassen@firewall.loc
    smtp_server 127.0.0.1
    smtp_connect_timeout 30
    # Name of this keepalived instance in logs and notifications
    router_id NGINX_MASTER
}
# Health check for the local nginx proxy. The script below stops keepalived when no nginx
# process is found, which releases the VIP to the other master.
vrrp_script check_nginx {
    # Written by hand; see check_nginx.sh below
    script "/etc/keepalived/check_nginx.sh"
}
vrrp_instance VI_1 {
    state MASTER # MASTER on the primary, BACKUP on the standby
    interface ens33 # change to the real NIC name
    virtual_router_id 51 # VRRP router id, unique per instance (NOTE(review): both masters serving this VIP need the same id — confirm)
    priority 100 # higher wins; set 90 on the standby
    advert_int 1 # VRRP advertisement interval in seconds, default 1
    # VRRP "PASS" authentication travels in clear text on the LAN, so it only prevents accidental
    # collisions, not a deliberate peer. Replace the sample value and keep VRRP traffic on a trusted segment.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    # Virtual IP: the address controlPlaneEndpoint (192.168.40.199:16443) is built on
    virtual_ipaddress {
        192.168.40.199/24
    }
    track_script {
        check_nginx
    }
}
#vrrp_script:指定检查nginx工作状态脚本(根据nginx状态判断是否故障转移)
#virtual_ipaddress:虚拟IP(VIP)
# 编写上述脚本,内容如下:
vim /etc/keepalived/check_nginx.sh
# 编写完成后赋予可执行权限
chmod +x /etc/keepalived/check_nginx.sh
#注:keepalived 根据脚本返回状态码(0 为工作正常,非 0 不正常)判断是否故障转移;下面的脚本在检测不到 nginx 时直接停止 keepalived,VIP 随即漂移到备节点。
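#!/bin/bash
# keepalived vrrp_script health check for the local nginx stream proxy.
# Exits 0 while an nginx process is running. Otherwise it stops keepalived so the VIP
# moves to the other master, and exits non-zero so keepalived's track_script also
# sees the failure (the original always exited 0 and relied on the stop alone).
#
# pgrep -x matches the process name exactly, so the check itself is never counted;
# the ps|grep pipeline needed the "grep|$$" exclusion to avoid matching its own lines.
if ! pgrep -x nginx >/dev/null 2>&1; then
  systemctl stop keepalived
  exit 1
fi
exit 0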
启动服务
# 在所有master上执行
# On every master: the stream module behind the stream {} block in nginx.conf is a
# separate package and must be present before nginx starts
yum -y install nginx-mod-stream
systemctl daemon-reload
# nginx first, then keepalived: the health check stops keepalived when nginx is absent
for svc in nginx keepalived; do
  systemctl start "$svc"
done
systemctl enable nginx keepalived
systemctl status keepalived
测试vip是否绑定成功
# 在主master上使用IP查看命令,会看到虚拟IP存在
# On the active master the VIP is listed under the tracked interface
ip address show
# Stop nginx on the active master; the health check then stops keepalived too and the VIP moves
systemctl stop nginx
# 在备用节点上执行IP查看,会看到虚拟IP飘到了备用节点
# 再次重启主节点Nginx和keepalived
# 虚拟IP又会飘回来 --->> 说明主备配置成功
初始化K8S集群
# 在root目录下操作,文件内容如下:
# 单节点部署时可以直接在命令中指定参数
vim kubeadm-config.yaml
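apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
# Must match the kubelet/kubeadm/kubectl packages installed above (1.20.6).
kubernetesVersion: v1.20.6
# The keepalived VIP plus the nginx stream port, never one master's own address:
# this is the endpoint every node is told to reach the API through.
controlPlaneEndpoint: 192.168.40.199:16443
# Mirror used because k8s.gcr.io is not reachable from these hosts.
imageRepository: registry.aliyuncs.com/google_containers
# certSANs and the networking keys must be nested under their parents; the flat layout
# left apiServer/networking empty and the fields unrecognised.
apiServer:
  # Extra names for the apiserver serving certificate: every master IP and the VIP, so a
  # client reaching the API through any of these addresses gets a valid certificate.
  certSANs:
    - 192.168.40.180
    - 192.168.40.181
    - 192.168.40.182
    - 192.168.40.199
networking:
  # Pod CIDR; keep it equal to the --pod-network-cidr of the single-node init and to the
  # CNI plugin configuration installed later.
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.10.0.0/16
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
# NOTE(review): ipvs mode needs the ip_vs kernel modules and ipset/ipvsadm on every node;
# that is not covered on this page — confirm before relying on it.
mode: ipvs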
上传离线镜像包到根目录,并解压(镜像包很大)
# 每一台虚拟机都要上传&解压,可以使用SCP
# Load the offline image bundle (copy it to every node first)
docker load -i k8simage-1-20-6.tar.gz
# Single-node bootstrap without a config file; the advertise address is an example and
# must be replaced with this node's own IP. Only the SystemVerification preflight check is skipped.
kubeadm init \
  --kubernetes-version=1.20.6 \
  --apiserver-advertise-address=192.168.31.90 \
  --image-repository registry.aliyuncs.com/google_containers \
  --pod-network-cidr=10.244.0.0/16 \
  --ignore-preflight-errors=SystemVerification
在Master主节点执行:
# HA bootstrap on the first master, driven by kubeadm-config.yaml (controlPlaneEndpoint = VIP:16443);
# only the SystemVerification preflight check is skipped
kubeadm init \
  --config kubeadm-config.yaml \
  --ignore-preflight-errors=SystemVerification
# --image-repository registry.aliyuncs.com/google_containers:手动指定镜像仓库。kubeadm 默认从 k8s.gcr.io 拉取镜像,但 k8s.gcr.io 访问不到,所以改从 registry.aliyuncs.com/google_containers 拉取。
安装完成后,注意保存相关提示性操作
#配置kubectl的配置文件config,相当于对kubectl进行授权,这样kubectl命令可以使用这个证书对k8s集群进行管理
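# Give the current user a kubeconfig built from the admin.conf that kubeadm wrote; this is the
# credential kubectl uses to manage the whole cluster. Expansions are quoted so a $HOME with
# spaces cannot split the arguments.
mkdir -p "$HOME/.kube"
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
# The copy is an unrestricted credential: keep it readable by the owner only
chmod 600 "$HOME/.kube/config"
kubectl get nodes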
# 此时集群状态还是NotReady状态,因为没有安装网络插件。
扩容Master节点
证书拷贝
# 下面的 mkdir 在备用节点(master2)上执行;之后的 scp 在主节点(master1)上执行,把证书推送到 master2
# On the backup master (master2): create the directories the certificates below are copied into
cd /root && mkdir -p /etc/kubernetes/pki/etcd ~/.kube/
# On master1: push the cluster root-of-trust material to master2 so it can join as a control plane.
# Everything here except ca.crt, sa.pub and front-proxy-ca.crt is a private key; it travels only
# over ssh, into the directories created on master2 above, and nowhere else.
target=master2
for f in ca.crt ca.key sa.key sa.pub front-proxy-ca.crt front-proxy-ca.key; do
  scp "/etc/kubernetes/pki/$f" "${target}:/etc/kubernetes/pki/"
done
for f in ca.crt ca.key; do
  scp "/etc/kubernetes/pki/etcd/$f" "${target}:/etc/kubernetes/pki/etcd/"
done
Token失效及解决方案
#如果过期可先执行此命令
#重新生成token
# Bootstrap tokens are credentials: treat the printed value as a secret
kubeadm token create
# Create a token and print the complete "kubeadm join" line for it
kubeadm token create --print-join-command
# First column (token id) of the last listed token
kubeadm token list | awk '{ print $1 }' | tail -n 1
# sha256 of the DER-encoded CA public key, the value --discovery-token-ca-cert-hash expects
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt \
  | openssl rsa -pubin -outform der 2>/dev/null \
  | openssl dgst -sha256 -hex \
  | sed 's/^ .* //'
# 再次执行加入(地址和端口按实际集群填写;高可用集群应填 controlPlaneEndpoint 即 VIP:16443)
# Worker join with an example address; in the HA layout the endpoint is the VIP:16443 from
# controlPlaneEndpoint, as printed by "kubeadm token create --print-join-command".
# --discovery-token-ca-cert-hash checks the cluster CA against this hash, so a leaked
# token alone is not enough to make a node trust a different API server.
kubeadm join 192.168.40.8:6443 --token token填这里 --discovery-token-ca-cert-hash sha256:哈希值填这里
# Control-plane join; it relies on the pki files copied to this node by scp above.
# The continuation lines below must stay uninterrupted.
kubeadm join 192.168.74.110:16443 --token xxxx \
--discovery-token-ca-cert-hash sha256:xxxxxxxxxxxxxx \
--control-plane \
--ignore-preflight-errors=SystemVerification
# --control-plane 表示以控制节点身份加入,前提是已完成上面的证书拷贝
# 及时查看节点状态
# Nodes stay NotReady until a network (CNI) plugin is installed
kubectl get node
注意:安装完成后,由于没有安装网络插件,所以当前的节点状态是不可用的