1. Environment

| Host | IP address |
|---|---|
| master01 | 192.168.186.10 |
| master02 | 192.168.186.11 |
| master03 | 192.168.186.12 |
| node01 | 192.168.186.13 |
| node02 | 192.168.186.14 |
| node03 | 192.168.186.15 |
| VIP | 192.168.186.100 |

The VIP is a floating address that Keepalived moves between the three masters (section 4). It is the address every node uses to reach the API server through HAProxy, so it must be a free address in the masters' subnet.
2. Node preparation

Run sections 2.1 to 2.4 on every node, masters and workers alike.

2.1. Open the required ports or disable the firewall

2.1.1. Open the required ports

Master node ports

| Protocol | Direction | Port range | Used by |
|---|---|---|---|
| TCP | inbound | 6443 | kube-apiserver |
| TCP | inbound | 2379-2380 | etcd client API and peer traffic |
| TCP | inbound | 10250 | kubelet API |
| TCP | inbound | 10251 | kube-scheduler |
| TCP | inbound | 10252 | kube-controller-manager |

Worker node ports

| Protocol | Direction | Port range | Used by |
|---|---|---|---|
| TCP | inbound | 10250 | kubelet API |
| TCP | inbound | 30000-32767 | NodePort services |

Two more items are needed for the load balancer built in section 4 and are not in the tables above: 6444/tcp on the masters (the HAProxy front end) and the VRRP protocol (IP protocol 112) between the masters, which Keepalived uses to elect the VIP holder. The pod network plugin has its own requirements; Calico, installed in section 5, needs BGP on 179/tcp and IP-in-IP (IP protocol 4) between all nodes in its default mode.

2.1.2. Disable the firewall

The quick path used in this walkthrough is to stop firewalld entirely. Only do this on a network you fully trust: with firewalld off, the kubelet API (10250) and etcd (2379-2380) are reachable from anything that can route to the node and rely solely on their own TLS client authentication. Anywhere else, open only the ports listed in 2.1.1 and leave firewalld running.

$ systemctl stop firewalld
$ systemctl disable firewalld
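The following script is an added example and is not part of the original tutorial. It is the alternative to stopping firewalld: it prints the firewall-cmd commands that open only the ports from the tables in 2.1.1, plus 6444/tcp and VRRP on the masters for HAProxy and Keepalived. The Calico entries (179/tcp and IP protocol 4) assume Calico's default IPIP mode, which the page does not state explicitly; drop them if you use a different pod network.

```sh
#!/bin/sh
# Added example (not part of the original tutorial): emit the firewall-cmd
# commands that open only what a node needs, so firewalld can stay enabled
# instead of being stopped as in 2.1.2.
# Assumption not stated on the page: Calico runs in its default IPIP mode and
# therefore needs BGP on 179/tcp plus IP protocol 4 (IP-in-IP) between nodes.

# TCP ports from the tables in 2.1.1. Masters additionally get 6444/tcp, the
# HAProxy front end from section 4.
MASTER_TCP="6443 2379-2380 10250 10251 10252 6444"
WORKER_TCP="10250 30000-32767"
CNI_TCP="179"    # Calico BGP (assumption: default Calico install)
CNI_IP_PROTO="4" # IP-in-IP, used by Calico's IPIP tunnels (assumption, see above)

# k8s_firewall_rules master|worker
# Prints one firewall-cmd invocation per line and ends with a reload.
k8s_firewall_rules() {
    case "$1" in
        master) ports="$MASTER_TCP $CNI_TCP"; protos="vrrp $CNI_IP_PROTO" ;;
        worker) ports="$WORKER_TCP $CNI_TCP"; protos="$CNI_IP_PROTO" ;;
        *) echo "usage: k8s_firewall_rules master|worker" >&2; return 1 ;;
    esac
    for p in $ports; do
        echo "firewall-cmd --permanent --add-port=${p}/tcp"
    done
    # vrrp (IP protocol 112) is only needed on the masters, for Keepalived's VIP
    # election; rich rules accept a protocol name from /etc/protocols or its number.
    for proto in $protos; do
        echo "firewall-cmd --permanent --add-rich-rule='rule protocol value=\"${proto}\" accept'"
    done
    echo "firewall-cmd --reload"
}

# Number of commands a role produces; a quick sanity check before piping to sh.
k8s_firewall_rule_count() {
    k8s_firewall_rules "$1" | grep -c '^firewall-cmd '
}

# Usage on a node: review the output first, then apply it.
#   k8s_firewall_rules master
#   k8s_firewall_rules master | sh
```

Apply the rules before Docker and the kubelet are started in section 3: a later `firewall-cmd --reload` flushes the iptables chains that Docker and kube-proxy maintain, and both have to be restarted to recreate them.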
2.2. Disable swap

The kubelet refuses to start while swap is enabled (unless that preflight check is explicitly overridden), so turn it off now and comment it out of /etc/fstab so it stays off after a reboot.

$ swapoff -a
$ sed -i 's/.*swap.*/#&/' /etc/fstab

2.3. Set SELinux to permissive

The kubeadm documentation asks for permissive rather than disabled: permissive still labels files (so SELinux can be switched back on later without a full relabel) while letting containers reach the host filesystem paths the pod network needs. `setenforce 0` takes effect immediately; the edit to /etc/selinux/config makes it survive a reboot.

$ setenforce 0
$ sed -i "s/SELINUX=enforcing/SELINUX=permissive/g" /etc/selinux/config
2.4. Kernel parameters

Editing /etc/sysctl.conf with `sed -i "s#^key.*#key=1#"` only rewrites keys that are already present, and on a fresh CentOS install none of these keys are, so nothing would be set. Write the values to their own file under /etc/sysctl.d instead, load the br_netfilter module that the bridge-nf-call-* keys depend on (without it those keys do not exist and sysctl fails), and apply with `sysctl --system`, which reads /etc/sysctl.d as well as /etc/sysctl.conf.

$ modprobe br_netfilter
$ echo br_netfilter > /etc/modules-load.d/k8s.conf
$ cat <<EOF > /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
net.ipv6.conf.all.forwarding=1
EOF
# apply
$ sysctl --system

ip_forward and the two bridge-nf-call keys are the ones kubeadm's preflight checks require. The IPv6 lines disable IPv6 on the host as in the original setup; with IPv6 disabled, the ipv6 forwarding line has no effect and can be dropped.
3. Install Docker and the kubelet

Run this on every node.

3.1. Install Docker

yum install -y yum-utils
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io
systemctl enable docker && systemctl start docker
3.2. Install kubelet, kubeadm and kubectl

# Configure the Kubernetes yum repository. The original snippet fetched over plain http with
# gpgcheck=0 and repo_gpgcheck=0, which installs whatever the mirror hands out with no signature
# check at all. Use https and verify package signatures instead.
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
# Install kubelet, kubeadm and kubectl
$ yum install -y kubelet kubeadm kubectl
# Enable and start the kubelet. It will restart in a loop until kubeadm has written its
# configuration in section 5; that is expected.
$ systemctl enable kubelet && systemctl start kubelet

gpgcheck=1 verifies each package against the keys listed in gpgkey; repo_gpgcheck=1 additionally verifies the signature on the repository metadata. If the mirror does not serve valid metadata signatures, keep gpgcheck=1 and set only repo_gpgcheck=0.

Install either the version you are targeting or the latest one; here the latest at the time of writing, 1.18.4, was installed. Pin the same version on every node (for example `yum install -y kubelet-1.18.4 kubeadm-1.18.4 kubectl-1.18.4`), otherwise a worker added months later silently gets a newer kubelet than the control plane, and a kubelet must never be newer than the API server it talks to.
4. Set up the API server load balancer

HAProxy plus Keepalived is used here; nginx plus Keepalived works the same way. Sections 4.1 and 4.2 are run on each of the three masters. Both components run as containers pulled from Docker Hub by bare image name, so each master gets whatever `latest` is at pull time; for anything beyond a lab, pin an image digest (`image@sha256:...`) or run HAProxy and Keepalived from your distribution's packages.

4.1. HAProxy

HAProxy listens on port 6444 on every master and forwards to the kube-apiserver on port 6443 of whichever masters are healthy. Keep the two ports apart: 6443 is the real API server, 6444 is the load-balanced entry point, and the control plane endpoint configured in section 5 has to use 6444, otherwise HAProxy is never in the path.

4.1.1. Create the script haproxy-start.sh

#!/bin/bash
# ----------------- master addresses (section 1)
MasterIP1=192.168.186.10
MasterIP2=192.168.186.11
MasterIP3=192.168.186.12
# ----------------- kube-apiserver default port, 6443; leave as is
MasterPort=6443
# ----------------- port HAProxy listens on
HaproxyPort=6444
# start the container
docker run -d --restart=always --name=HAProxy -p $HaproxyPort:$HaproxyPort \
-e MasterIP1=$MasterIP1 \
-e MasterIP2=$MasterIP2 \
-e MasterIP3=$MasterIP3 \
-e MasterPort=$MasterPort \
wise2c/haproxy-k8s

4.1.2. Make it executable and run it

$ chmod +x haproxy-start.sh && ./haproxy-start.sh

4.1.3. Check the result

$ docker ps

The HAProxy container should be listed as Up with the port mapping 0.0.0.0:6444->6444/tcp.
4.2. Keepalived

Keepalived runs with --net=host and NET_ADMIN so that it can add the VIP to the host interface. All masters run the same script: they elect a VIP holder over VRRP on the multicast group below, and the image health-checks CHECK_PORT (the local HAProxy), so the VIP moves to another master when HAProxy on the holder stops answering. VRID must be identical on the three masters and unique on the LAN segment.

4.2.1. Create the script keepalived-start.sh

#!/bin/bash
# ----------------- the VIP from section 1; must be a free address in the masters' subnet
VIRTUAL_IP=192.168.186.100
# ----------------- interface the VIP is added to
INTERFACE=ens33
# ----------------- prefix length of that subnet
NETMASK_BIT=24
# ----------------- port to health-check: HAProxy's 6444, which fronts kube-apiserver's 6443
CHECK_PORT=6444
# ----------------- router id
RID=10
# ----------------- virtual router id, identical on all masters
VRID=160
# ----------------- IPv4 multicast group for VRRP, default 224.0.0.18
MCAST_GROUP=224.0.0.18
docker run -itd --restart=always --name=Keepalived \
--net=host --cap-add=NET_ADMIN \
-e VIRTUAL_IP=$VIRTUAL_IP \
-e INTERFACE=$INTERFACE \
-e CHECK_PORT=$CHECK_PORT \
-e RID=$RID \
-e VRID=$VRID \
-e NETMASK_BIT=$NETMASK_BIT \
-e MCAST_GROUP=$MCAST_GROUP \
wise2c/keepalived-k8s

4.2.2. Make it executable and run it

$ chmod +x keepalived-start.sh && ./keepalived-start.sh

4.2.3. Check the result

$ docker ps

On exactly one master, `ip addr show ens33` should now also list 192.168.186.100; that master is the current VIP holder.

4.3. Copy haproxy-start.sh and keepalived-start.sh to the other masters and run them there

$ scp haproxy-start.sh keepalived-start.sh 192.168.186.11:/root/
$ scp haproxy-start.sh keepalived-start.sh 192.168.186.12:/root/

Then run `./haproxy-start.sh` and `./keepalived-start.sh` on master02 and master03 as in 4.1.2 and 4.2.2, and check with `docker ps` on each.
5. Initialize the first master

Run this on master01 only.

# Replace hhm.dnsname with the DNS name the API server should be known by. It is added to the
# API server certificate, and every node resolves it to reach the control plane.
export APISERVER_NAME=hhm.dnsname
# Pod network in CIDR form (a network address, not a host address). It must not overlap the
# node network (192.168.186.0/24 here) or the service subnet (10.96.0.0/16 below).
export POD_SUBNET=10.100.0.0/16
# On the first master the name points at the local HAProxy, so bootstrapping does not depend on the VIP.
echo "127.0.0.1 ${APISERVER_NAME}" >> /etc/hosts

Create the initialization script init_master.sh:

#!/bin/bash
# abort on the first error
set -e
if [ ${#POD_SUBNET} -eq 0 ] || [ ${#APISERVER_NAME} -eq 0 ]; then
echo -e "\033[31;1mMake sure the environment variables POD_SUBNET and APISERVER_NAME are set\033[0m"
echo current POD_SUBNET=$POD_SUBNET
echo current APISERVER_NAME=$APISERVER_NAME
exit 1
fi
rm -f ./kubeadm-config.yaml
cat <<EOF > ./kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.18.3 # some 1.18.4 pieces were missing, so 1.18.3 is used here
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
# 6444 is the HAProxy front end from section 4. With 6443 the VIP would hit the apiserver on the
# VIP holder directly, bypassing HAProxy, and Keepalived (which only checks 6444) would not fail
# over when that apiserver dies.
controlPlaneEndpoint: "${APISERVER_NAME}:6444"
networking:
  serviceSubnet: "10.96.0.0/16"
  podSubnet: "${POD_SUBNET}"
  dnsDomain: "cluster.local"
EOF
# kubeadm init
# depending on download speed this takes 3 to 10 minutes
kubeadm init --config=kubeadm-config.yaml --upload-certs
# configure kubectl
rm -rf /root/.kube/
mkdir /root/.kube/
cp -i /etc/kubernetes/admin.conf /root/.kube/config
# install the Calico network plugin
echo "installing calico-3.13.1"
rm -f calico-3.13.1.yaml
wget https://kuboard.cn/install-script/calico/calico-3.13.1.yaml
# the manifest's default IP pool is 192.168.0.0/16, which overlaps the node network here;
# replace it with the pod subnet that was handed to kubeadm
sed -i "s#192\.168\.0\.0/16#${POD_SUBNET}#" calico-3.13.1.yaml
kubectl apply -f calico-3.13.1.yaml

The Calico manifest is downloaded from a third-party site and applied with cluster-admin rights; review it, or check a copy you have read into your own repository and apply that, before using this in anything but a lab.
Initialization output

The end of the kubeadm init output looks like the sample below. The host name apiserver.demo, the token, the CA hash and the certificate key are illustrative; in your output the endpoint is hhm.dnsname:6444 and the three values are your own. The `kubeadm join ... --control-plane --certificate-key ...` command is used for the remaining masters (section 6); the shorter `kubeadm join` without --control-plane is used for the workers (section 7).

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of the control-plane node running the following command on each as root:
kubeadm join apiserver.demo:6443 --token ca57g6.kfieyzcenhyid42t \
--discovery-token-ca-cert-hash sha256:27e3d309621367b010a7412c329bcfca625b4443452f90035e64d28c632a8df0 \
--control-plane --certificate-key c57decb7c38a6637dba229f6e3ec6808c917391fcaa9c69540f1c23b4b9f7c94
Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join apiserver.demo:6443 --token ca57g6.kfieyzcenhyid42t \
--discovery-token-ca-cert-hash sha256:27e3d309621367b010a7412c329bcfca625b4443452f90035e64d28c632a8df0

Treat the token and the certificate key as secrets: together they let any machine that can reach the VIP join the cluster as a control-plane member, with the control-plane certificates and keys decrypted onto it. Both are short-lived by design: the bootstrap token expires after 24 hours and the uploaded certificates after two hours. A fresh worker join command can be printed later on the first master with `kubeadm token create --print-join-command`, and a fresh certificate key with `kubeadm init phase upload-certs --upload-certs`, as the output above says.

Check the result of the first master's initialization

# on the first master only
# run the following and wait 3 to 10 minutes until every pod is Running
watch kubectl get pod -n kube-system -o wide
# check the node
kubectl get nodes
6. Initialize the remaining masters

Run this on master02 and master03.

# replace x.x.x.x with the API server load balancer address, i.e. the VIP (192.168.186.100 in section 1)
export APISERVER_IP=x.x.x.x
# replace hhm.dnsname with the dnsName used in section 5
export APISERVER_NAME=hhm.dnsname
echo "${APISERVER_IP} ${APISERVER_NAME}" >> /etc/hosts
# run the --control-plane join command from your own kubeadm init output (section 5); the one below is the sample
kubeadm join apiserver.demo:6443 --token ca57g6.kfieyzcenhyid42t \
--discovery-token-ca-cert-hash sha256:27e3d309621367b010a7412c329bcfca625b4443452f90035e64d28c632a8df0 \
--control-plane --certificate-key c57decb7c38a6637dba229f6e3ec6808c917391fcaa9c69540f1c23b4b9f7c94

Check the result

# on the first master only; all three masters should appear, and become Ready once Calico is running on them
$ kubectl get nodes
7. Initialize the worker nodes

# run on the worker nodes only
# replace x.x.x.x with the API server load balancer address, i.e. the VIP (192.168.186.100 in section 1)
export MASTER_IP=x.x.x.x
# replace hhm.dnsname with the APISERVER_NAME used when initializing the masters
export APISERVER_NAME=hhm.dnsname
echo "${MASTER_IP} ${APISERVER_NAME}" >> /etc/hosts
# run the worker join command from your kubeadm init output (section 5). If the token has expired
# (24 hours by default), print a new command on the first master with:
#   kubeadm token create --print-join-command
# The command below is the sample.
kubeadm join apiserver.demo:6443 --token ca57g6.kfieyzcenhyid42t \
--discovery-token-ca-cert-hash sha256:27e3d309621367b010a7412c329bcfca625b4443452f90035e64d28c632a8df0
Check the result

# on the first master only; the workers appear as new nodes and become Ready once Calico is running on them
$ kubectl get nodes