Kubeadm 搭建k8s集群
注意:本 Kubernetes 系列所采用的 Kubernetes 版本均为 1.15+
1 Master 节点安装
1.1 系统环境配置
1.1.1 设置主机名称
hostnamectl set-hostname kmaster-01
hostnamectl set-hostname knode-01
hostnamectl set-hostname knode-02
vi /etc/hosts
192.168.190.163 knode-01
192.168.190.164 knode-02
192.168.190.165 kmaster-01
1.1.2 关闭防火墙
# 关闭防火墙,并禁止开机启动
systemctl stop firewalld && systemctl disable firewalld
# 查看防火墙状态
systemctl status firewalld
# 状态信息如下
[root@kmaster-01 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
Aug 05 15:21:17 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 05 15:21:18 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Aug 12 14:22:20 kmaster-01 systemd[1]: Stopping firewalld - dynamic firewall daemon...
Aug 12 14:22:21 kmaster-01 systemd[1]: Stopped firewalld - dynamic firewall daemon.
1.1.3 禁用SELINUX
#临时关闭 SELinux(切换为 permissive 模式),重启后失效
setenforce 0
#永久关闭 SELinux:将 SELINUX=enforcing 修改为 SELINUX=disabled,重启后生效
vi /etc/selinux/config
SELINUX=disabled
#查看selinux的状态信息
/usr/sbin/sestatus
#selinux的状态信息如下
[root@kmaster-01 ~]# /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: disabled
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
1.1.4 注释掉 SWAP 的自动挂载
vi /etc/fstab
#
# /etc/fstab
# Created by anaconda on Mon Jan 21 19:19:41 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root / xfs defaults 0 0
UUID=214b916c-ad23-4762-b916-65b53fce1920 /boot xfs defaults 0 0
#/dev/mapper/centos-swap swap swap defaults 0 0
1.1.5 创建k8s.conf文件
vim /etc/sysctl.d/k8s.conf
#临时关闭 swap(kubelet 默认要求禁用 swap,否则无法正常启动)
swapoff -a
#创建k8s.conf文件
vi /etc/sysctl.d/k8s.conf
#文件内容
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness=0
#先加载 br_netfilter 模块(否则 net.bridge.* 参数不存在),再执行命令使修改生效
modprobe br_netfilter
sysctl -p /etc/sysctl.d/k8s.conf
1.1.6 kube-proxy开启ipvs的前置条件
#保证在节点重启后能自动加载所需模块
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
# 加上执行权限
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack_ipv4
#查看是否已经正确加载所需的内核模块
lsmod | grep -e ip_vs -e nf_conntrack_ipv4
#安装 ipset 软件包(kube-proxy 的 ipvs 模式依赖它)
yum -y install ipset
#为了便于查看ipvs的代理规则,安装管理工具ipvsadm
yum -y install ipvsadm
TIPS:如果以上前提条件不满足,则即使 kube-proxy 的配置开启了 ipvs 模式,也会退回到 iptables 模式
1.1.7 同步时间
1.安装ntpdate工具
yum -y install ntp ntpdate
2.设置系统时间与网络时间同步
ntpdate cn.pool.ntp.org
3.将系统时间写入硬件时间
hwclock --systohc
1.2 安装配置 Docker
1.2.1 安装Docker
移除旧的版本
$ sudo yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-selinux \
docker-engine-selinux \
docker-engine
安装一些必要的系统工具
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
添加软件源信息
sudo yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
更新 yum 缓存
sudo yum makecache fast
安装 Docker-ce
sudo yum -y install docker-ce
1.2.2 配置Docker
# 编辑文件
vim /etc/docker/daemon.json
# 简易配置
{
"registry-mirrors": ["https://1bbsr4jc.mirror.aliyuncs.com","https://registry.docker-cn.com"],
"insecure-registries": ["192.168.190.164:5000"]
}
# 高级点配置
{
"graph": "/data/docker",
"storage-driver": "overlay",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
"bip": "172.7.21.1/24",
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
注意:
1、这里bip要根据宿主机ip变化,比如主机是10.4.7.128 => docker 网络可以配置成 172.7.128.1/24
2、insecure-registries:这里配置私有镜像仓库地址。该选项会让 Docker 跳过对所列仓库的 TLS 证书校验并允许回退到明文 HTTP,因此只应填写确实需要的私有仓库地址,不应把 quay.io、registry.access.redhat.com 这类公共仓库列入
确认一下 iptables filter 表中 FORWARD 链的默认策略(policy)为 ACCEPT
# 确认一下 iptables filter 表中 FORWARD 链的默认策略(policy)为 ACCEPT
iptables -nvL
Chain INPUT (policy ACCEPT 9 packets, 760 bytes)
pkts bytes