Kubernetes 二进制部署 《easzlab / kubeasz项目部署》- 00-规划集群和配置介绍（一）

本次通过Github上的一个开源项目(kubeasz)部署K8s，该项目在生产环境中得到过多次验证，部署的质量有一定的保证

kubeasz简介

一款基于Ansible的Kubernetes安装与运维管理工具，提供自动化部署、集群管理、配置管理等功能。 - 功能：提供自动化部署Kubernetes集群、节点管理、容器管理、存储管理、网络管理等功能。 - 特点：基于Ansible，易于上手；支持离线安装；支持多种Kubernetes版本。

官网 https://github.com/easzlab/kubeasz
国内网址 https://gitcode.com/easzlab/kubeasz/overview

本文是笔者在观看了马哥教育-张士杰讲师的视频后，进行整理实践，本文内容如涉及侵权，请联系笔者删除

下面我们将按照官网流程进行安装

1. 准备工作

本次实践将在虚拟机中进行，所以我们提前配置好一个基础环境，然后进行克隆。

base环境

[root@k8s-master-01 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@k8s-master-01 ~]# uname -r
3.10.0-1160.108.1.el7.x86_64

内核版本建议升级到稳定版本，毕竟搭建完成后，再进行内核升级属实是个不小的工程

1.1 设置防火墙

本次实践将关闭防火墙，在某些公司需要打开防火墙，并对防火墙规则及富规则会有明确要求。对某些规则变更或添加端口等等，需要经过严格评审。

systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
[root@k8s-master-01 ~]# systemctl status firewalld
● firewalld.service
   Loaded: masked (/dev/null; bad)
   Active: inactive (dead)

1.2 设置SeLinux

本次实践将关闭SeLinux功能

[root@k8s-master-01 ~]# getenforce
Disabled
[root@k8s-master-01 ~]# grep SELINUX /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
SELINUXTYPE=targeted

1.3 设置时区及时间同步

ntpdate ntp1.aliyun.com	#同步时间
[root@k8s-master-01 ~]# cat /var/spool/cron/root	#添加计划任务
*/5 * * * * root /usr/bin/ntpdate ntp1.aliyun.com &> /dev/null && hwclock -w
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime #更改时区

1.4 配置域名解析

[root@k8s-master-01 ~]# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 114.114.114.114

1.5 确认SSH开启

[root@k8s-master-01 ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2024-02-19 18:00:09 CST; 20min ago
...
[root@k8s-master-01 ~]# yum list openssh
...
Installed Packages
openssh.x86_64                                                   7.4p1-23.el7_9                                                   @updates

1.6 IP转发

sysctl -w net.ipv4.ip_forward=1
[root@k8s-master-01 ~]# cat /etc/sysctl.conf
...
net.ipv4.ip_forward = 1

1.7 安装docker

本次的K8s容器使用docker而非默认的containerd，所以可以提前安装docker
参考 https://blog.csdn.net/u010230019/article/details/128624286

yum update 
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum update 

[root@k8s-master-01 ~]# yum list docker-ce
...
Available Packages
docker-ce.x86_64                                              3:25.0.3-1.el7                                              docker-ce-stable

yum install -y docker-ce
systemctl start docker
systemctl enable docker

像其他工具安装，例如vim等，个人设置，例如alias等，可根据自己具体情况执行。
到这里，我们的基础环境准备完毕

其他的设置，如免密登录，主机名等等，在分配好服务器后再通过ansible进行配置

1.8 关闭swap

[root@k8s-master-01 ~]# swapoff -a
[root@k8s-master-01 ~]# free
              total        used        free      shared  buff/cache   available
Mem:        1862788      224324      207308        9736     1431156     1464188
Swap:             0           0           0
[root@k8s-master-01 ~]# cat /etc/fstab
...
#/dev/mapper/centos-swap swap                    swap    defaults        0 0

2. 服务器规划

2.1 基本架构图

2.2 官方建议

1. 高可用集群所需节点配置如下

角色	数量	描述
部署节点	1	运行ansible/ezctl命令，一般复用第一个master节点
etcd节点	3	注意etcd集群需要1,3,5,…奇数个节点，一般复用master节点
master节点	2	高可用集群至少2个master节点
node节点	n	运行应用负载的节点，可根据需要提升机器配置/增加节点数

2. 机器配置：

   • master节点：4c/8g内存/50g硬盘
   • worker节点：建议8c/32g内存/200g硬盘以上

注意：默认配置下容器运行时和kubelet会占用/var的磁盘空间，如果磁盘分区特殊，可以设置config.yml中的容器运行时和kubelet数据目录：CONTAINERD_STORAGE_DIR DOCKER_STORAGE_DIR KUBELET_ROOT_DIR

2.3 实践服务器规划

本次配置以生产环境为目标，所以配置的内容尽量详细

角色	数量	IP	描述
gitlab	1	192.168.17.191	代码库
master	2	192.168.17.200 192.168.17.201	master-apiserver，高可用至少2个，和ansible主控机混用，通过VIP做主备高可用
etcd	3+	192.168.17.210 192.168.17.211 192.168.17.212	etcd-server，涉及选举所以需要3个
harbor	2	192.168.17.220 192.168.17.221	镜像管理服务器
hproxy	2	192.168.17.230 192.168.17.231	高可用etcd代理服务器
ansible	2	192.168.17.200 192.168.17.201	k8s部署服务器，可以和master混用
node	2+	192.168.17.240 192.168.17.241	工作节点，高可用至少2+，后续可以扩容

IP掩码建议22位，这样同一个子网允许有1000+个服务器，一般情况下都可以满足需求。当然确定用不到这么多服务器，24位也是可以的，但如果超出子网超出范围再扩容还是很麻烦的

类型	IP	主机名	VIP
gitlab-server	192.168.17.191	k8s-gitlab-01.xx.net
k8s master1	192.168.17.200	k8s-master-01.xx.net	192.168.17.188
k8s master2	192.168.17.201	k8s-master-02.xx.net	192.168.17.188
etcd1	192.168.17.210	k8s-etcd-01.xx.net
etcd2	192.168.17.211	k8s-etcd-02.xx.net
etcd3	192.168.17.212	k8s-etcd-03.xx.net
harbor1	192.168.17.220	k8s-harbor-01.xx.net
harbor2	192.168.17.221	k8s-harbor-02.xx.net
haproxy1	192.168.17.230	k8s-haproxy-01.xx.net
haproxy2	192.168.17.231	k8s-haproxy-02.xx.net
node1	192.168.17.240	k8s-node-01.xx.net
node2	192.168.17.241	k8s-node-02.xx.net

本次实践一共12台机器，可以根据实际情况自行安排虚拟机配置，gitlab-server建议配置高一点，其他服务器可以适当减配

3. 服务器配置

由于是虚拟机，所以在服务器规划完成后，就可以进行克隆了，等克隆完成后可以根据不同服务器类型进行单独配置

gitlab、harbor和haproxy不属于K8s的部署范畴，但是为了后续CD的实践需要，还是一同部署了

3.1 配置域名及IP

在克隆完成后，根据前面的清单配置每个服务器的域名及IP，如

[root@k8s-master-01 ~]# hostnamectl set-hostname k8s-master-01.xx.net
[root@k8s-master-01 ~]# hostname
k8s-master-01.xx.net
[root@k8s-master-01 ~]# grep IPADDR /etc/sysconfig/network-scripts/ifcfg-ens34
IPADDR=192.168.17.200

3.2 配置hosts

我们可以提前把/etc/hosts中的对应关系配置好

[root@k8s-master-01 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.17.191 k8s-gitlab-01.xx.net gitlab-server
192.168.17.200 k8s-master-01.xx.net k8s-master1
192.168.17.201 k8s-master-02.xx.net k8s-master2
192.168.17.210 k8s-etcd-01.xx.net etcd1
192.168.17.211 k8s-etcd-02.xx.net etcd2
192.168.17.212 k8s-etcd-03.xx.net etcd3
192.168.17.220 k8s-harbor-01.xx.net harbor1
192.168.17.221 k8s-harbor-02.xx.net harbor2
192.168.17.225 k8s-harbor-lb-01.xx.net harborlb1
192.168.17.230 k8s-haproxy-01.xx.net haproxy1
192.168.17.231 k8s-haproxy-02.xx.net haproxy2
192.168.17.240 k8s-node-01.xx.net node1
192.168.17.241 k8s-node-02.xx.net node2
[root@k8s-master-01 ~]# ping k8s-master-02.xx.net
PING k8s-master-02.xx.net (192.168.17.201) 56(84) bytes of data.
64 bytes from k8s-master-02.xx.net (192.168.17.201): icmp_seq=1 ttl=64 time=0.351 ms
64 bytes from k8s-master-02.xx.net (192.168.17.201): icmp_seq=2 ttl=64 time=0.417 ms
[root@k8s-master-01 ~]# ping k8s-master1
PING k8s-master-01.xx.net (192.168.17.200) 56(84) bytes of data.
64 bytes from k8s-master-01.xx.net (192.168.17.200): icmp_seq=1 ttl=64 time=0.029 ms
64 bytes from k8s-master-01.xx.net (192.168.17.200): icmp_seq=2 ttl=64 time=0.084 ms

3.3 配置部署服务器

1. python环境确认
   由于本次使用Ansible easzlab / kubeasz项目部署，该项目依赖python环境，所以确认python环境

[root@k8s-master-01 ~]# python -V
Python 2.7.5

如果没有，需要自行安装

2. 安装ansible

yum install epel-release
yum list ansible

[root@k8s-master-01 ~]# ansible --version
ansible 2.9.27

3. 免密登录

[root@k8s-master-01 ansible]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:vpCfdo/3ASX/R3Oo5kDS/eNRlxgMmx6Jd+Ia9k8V/ck root@k8s-master-01.xx.net
The key's randomart image is:
+---[RSA 2048]----+
|           .     |
|          . *   .|
|         . B.+...|
|         .+.+++.=|
|        Soooo.oE*|
|       o.o+  +.++|
|      o ....o.= o|
|       o.o.=+. +.|
|       .+..oooo  |
+----[SHA256]-----+
[root@k8s-master-01 ansible]# ssh-copy-id k8s-master2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host 'k8s-master2 (192.168.17.201)' can't be established.
ECDSA key fingerprint is SHA256:4nnztXLWowGhpbgty9XumjujsHbrQXnyYCX3kTYuSJI.
ECDSA key fingerprint is MD5:f3:d3:c8:50:c5:61:ee:4b:df:d6:b5:03:c4:12:fc:32.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@k8s-master2's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'k8s-master2'"
and check to make sure that only the key(s) you wanted were added.

[root@k8s-master-01 ansible]# ssh k8s-master2
Last login: Mon Feb 19 23:29:00 2024 from gateway
[root@k8s-master-02 ~]# exit
logout
Connection to k8s-master2 closed.

我们可以通过sshpass -p yurq ssh-copy-id gitlab-server进行批量服务器免密操作

[root@k8s-master-01 ansible]# cat ssh-cp.sh
#!/usr/bin/env bash
passwd=xxx
cat /etc/hosts | while read ipaddr hostname1 hostname2
do
echo $passwd,$ipaddr
sshpass -p $passwd ssh-copy-id $ipaddr
done

4. 资产清单
   这里我们配置下/etc/ansible/hosts，便于管理

[master]
192.168.17.200
192.168.17.201

[etcd]
192.168.17.210
192.168.17.211
192.168.17.212

[harbor]
192.168.17.220
192.168.17.221

[haproxy]
192.168.17.230
192.168.17.231

[node]
192.168.17.240
192.168.17.241

[gitlab]
192.168.17.191

[k8s-server:children]
master
etcd
node

验证下该配置文件

[root@k8s-master-01 ansible]# ansible all -m ping
192.168.17.241 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
...

5. 把/etc/hosts和/etc/resolv.conf分发给各机器
   可以通过上面的脚本修改，或者ansible

ansible all -m copy -a "src=/etc/hosts dest=/etc/"
ansible all -m copy -a "src=/etc/resolv.conf dest=/etc/"
ansible all -m shell -a "cat /etc/hosts"

重启下所有服务器，因为前面改完主机名一直没重启

ansible etcd -m shell -a "reboot"

这里注意要分组单独重启，如果all的话，可能有些服务器不能重启哦

测试联通性

[root@k8s-master-01 ansible]# cat ssh-host.sh
#!/usr/bin/env bash
passwd=yurq
cat /etc/hosts | while read ipaddr hostname1 hostname2
do
ping $hostname1 -c 1 -W 1 &> /dev/null
if [ $? == 0 ];then
        echo $hostname1  connected
fi
done
[root@k8s-master-01 ansible]# sh ssh-host.sh
localhost connected
localhost connected
k8s-gitlab-01.xx.net connected
k8s-master-01.xx.net connected
k8s-master-02.xx.net connected
k8s-etcd-01.xx.net connected
k8s-etcd-02.xx.net connected
k8s-etcd-03.xx.net connected
k8s-harbor-01.xx.net connected
k8s-harbor-02.xx.net connected
k8s-haproxy-01.xx.net connected
k8s-haproxy-02.xx.net connected
k8s-node-01.xx.net connected
k8s-node-02.xx.net connected

3.4 配置gitlab服务器

参考官网 https://packages.gitlab.com/gitlab/gitlab-ce

curl -s https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash
yum install gitlab-ce-16.9.0-ce.0.el7.x86_64

[root@k8s-gitlab-01 ~]# grep external_url /etc/gitlab/gitlab.rb
##! For more details on configuring external_url see:
external_url 'http://k8s-gitlab-01.xx.net'		#修改下URL
...

gitlab-ctl reconfigure

[root@k8s-gitlab-01 ~]# cat /etc/gitlab/initial_root_password
# WARNING: This value is valid only in the following conditions
#          1. If provided manually (either via `GITLAB_ROOT_PASSWORD` environment variable or via `gitlab_rails['initial_root_password']` setting in `gitlab.rb`, it was provided before database was seeded for the first time (usually, the first reconfigure run).
#          2. Password hasn't been changed manually, either via UI or via command line.
#
#          If the password shown here doesn't work, you must reset the admin password following https://docs.gitlab.com/ee/security/reset_user_password.html#reset-your-root-password.

Password: iJbwq1batBXr2P8qPHpDcNDv80jfmR49+drT+yG1GcY=

# NOTE: This file will be automatically deleted in the first reconfigure run after 24 hours.

gitlab常用管理命令：

gitlab-ctl --help
gitlab-ctl restart
gitlab-ctl start
gitlab-ctl stop
gitlab-ctl status

3.5 配置haproxy服务器

配置haproxy服务器，需要安装keepalived和haproxy

1. keepalived
   参考 https://blog.csdn.net/u010230019/article/details/129284821

可以在部署服务器通过ansible安装，或在haproxy服务器手动安装

ansible haproxy -m yum -a "name=keepalived state=installed"

• k8s-haproxy-01.xx.net服务器修改配置文件/etc/keepalived/keepalived.conf，作为主节点

[root@k8s-haproxy-01 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

vrrp_instance VI_1 {
    state MASTER
    interface ens34
    virtual_router_id 1
    priority 100
    advert_int 1
    unicast_src_ip 192.168.17.230
    unicast_peer {
    192.168.17.231
    }
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.17.188 dev ens34 label ens34:1
    }
}

• k8s-haproxy-02.xx.net服务器修改配置文件/etc/keepalived/keepalived.conf，作为备节点

[root@k8s-haproxy-02 ~]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived

vrrp_instance VI_1 {
    state BACKUP
    interface ens34
    virtual_router_id 1
    priority 80
    advert_int 1
    unicast_src_ip 192.168.17.231
    unicast_peer {
    192.168.17.230
    }
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.17.188 dev ens34 label ens34:1
    }
}

达到的效果

[root@k8s-haproxy-01 ~]# ip a
...
3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b5:c2:71 brd ff:ff:ff:ff:ff:ff
    inet 192.168.17.230/24 brd 192.168.17.255 scope global noprefixroute ens34
       valid_lft forever preferred_lft forever
    inet 192.168.17.188/32 scope global ens34:1
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb5:c271/64 scope link
       valid_lft forever preferred_lft forever
...
[root@k8s-master-01 ansible]# ping 192.168.17.188
PING 192.168.17.188 (192.168.17.188) 56(84) bytes of data.
64 bytes from 192.168.17.188: icmp_seq=1 ttl=64 time=0.750 ms
^C
--- 192.168.17.188 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.750/0.750/0.750/0.000 ms
[root@k8s-master-01 ansible]# ansible haproxy -m shell -a "systemctl enable keepalived"
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
192.168.17.231 | CHANGED | rc=0 >>
Created symlink from /etc/systemd/system/multi-user.target.wants/keepalived.service to /usr/lib/systemd/system/keepalived.service.
192.168.17.230 | CHANGED | rc=0 >>
Created symlink from /etc/systemd/system/multi-user.target.wants/keepalived.service to /usr/lib/systemd/system/keepalived.service.

2. haproxy
   参考 https://blog.csdn.net/coolpale/article/details/79773429

ansible haproxy -m yum -a "name=haproxy state=installed"

修改配置文件/etc/haproxy/haproxy.cfg，在后面添加如下内容

[root@k8s-haproxy-01 haproxy]# tail /etc/haproxy/haproxy.cfg
...
listen k8s_api_6443
    bind 192.168.17.188:6443
    mode tcp
    server 192.168.17.200 192.168.17.200:6443 check inter 2000 fall 3 rise 5
    server 192.168.17.201 192.168.17.201:6443 check inter 2000 fall 3 rise 5

启动服务并设置开机自启

systemctl start haproxy
systemctl enable haproxy

查看是否监听

[root@k8s-haproxy-01 haproxy]# ss -lntpu|grep 6443
tcp    LISTEN     0      128    192.168.17.188:6443                  *:*                   users:(("haproxy",pid=6459,fd=5))

当我们在haproxy2服务器，安装配置完成后，可能发现该服务无法启动

Starting proxy k8s_api_6443: cannot bind socket [192.168.17.188:6443]

这是由于系统默认无法监听不在本机的端口

[root@k8s-haproxy-02 ~]# sysctl -a |grep bind
net.ipv4.ip_nonlocal_bind = 0
...

做如下修改

[root@k8s-haproxy-02 ~]# sysctl -w net.ipv4.ip_nonlocal_bind=1
net.ipv4.ip_nonlocal_bind = 1
[root@k8s-haproxy-02 ~]# tail -2 /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.ip_nonlocal_bind = 1

此时，haproxy2服务器也正常启动haproxy服务了

[root@k8s-haproxy-02 ~]# systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2024-02-21 01:13:17 CST; 6s ago
...

3.6 配置harbor服务器

参考 https://blog.csdn.net/u010230019/article/details/136261147