Virtual machine requirements are listed in the table below.
Hostname         | master           | node1            | node2            |
CPU              | at least 2 cores | at least 2 cores | at least 2 cores |
Memory           | at least 3 GB    | at least 2 GB    | at least 2 GB    |
Operating system | CentOS 7.9       | CentOS 7.9       | CentOS 7.9       |
Node count       | at least 1       | at least 1       | at least 1       |
The operating system used here is CentOS 7.9. A reasonably recent CentOS 7 release is recommended; otherwise the later installation of the Calico network plugin fails with the error hostPath type check failed: /sys/fs/bpf is not a directory. If you must use an older CentOS 7 release, upgrade the Linux kernel first; see ELRepo | HomePage for the kernel upgrade procedure.
Preparing to install kubeadm
Change the virtual machine hostnames
Master node (master)
hostnamectl set-hostname master
Edit the hosts file and append master to the end of the 127.0.0.1 line
vi /etc/hosts
Edit as follows
Worker node node1
hostnamectl set-hostname node1
Edit the hosts file and append node1 to the end of the 127.0.0.1 line
vi /etc/hosts
Edit as follows
Worker node node2 is configured the same way as node1 and is not described separately.
Disable the firewall
Disable the firewall on all three virtual machines
systemctl stop firewalld
systemctl disable firewalld
Disable SELinux
On all three virtual machines, edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled
vi /etc/selinux/config
Edit as shown in the figure below
Disable the swap partition
Turn off swap
swapoff -a
Edit the configuration file /etc/fstab
vi /etc/fstab
Comment out the swap line(s) so swap stays off after a reboot
Set the time zone
timedatectl set-timezone Asia/Shanghai
Install a container runtime
Since version 1.24, Dockershim has been removed from the Kubernetes project. Here we use containerd as the Kubernetes container runtime. Those interested in CRI-O can instead use the cri-dockerd plus Docker combination in place of containerd as the Kubernetes container runtime.
Install and configure prerequisites
- Forward IPv4 and let iptables see bridged traffic
To let iptables on Linux nodes see bridged traffic correctly, confirm that net.bridge.bridge-nf-call-iptables is set to 1 in the sysctl configuration.
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF
sudo modprobe overlay
sudo modprobe br_netfilter
# Set the required sysctl parameters; they persist across reboots
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
Enable packet forwarding
Edit /etc/sysctl.d/99-sysctl.conf and add or modify the following line
net.ipv4.ip_forward = 1
Apply the sysctl parameters without rebooting
sudo sysctl --system
Install containerd
- Download the packages
containerd-1.6.10-linux-amd64.tar.gz, runc.amd64, cni-plugins-linux-amd64-v1.1.1.tgz, crictl-v1.25.0-linux-amd64.tar.gz
- Install containerd
Run the install command
tar Cxzvf /usr/local/ containerd-1.6.10-linux-amd64.tar.gz
To start containerd via systemd, create containerd.service under /usr/local/lib/systemd/system/. Run
cd /usr/local/lib/systemd/system
vi containerd.service
The contents of containerd.service are as follows
# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
#uncomment to enable the experimental sbservice (sandboxed) version of containerd/cri integration
#Environment="ENABLE_CRI_SANDBOXES=sandboxed"
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target
- Configure containerd to start via systemctl
systemctl daemon-reload
systemctl enable --now containerd
- Install runc
install -m 755 runc.amd64 /usr/local/sbin/runc
- Install the CNI plugins
mkdir -p /opt/cni/bin
tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.1.1.tgz
- Install crictl (the CRI client)
tar zxvf crictl-v1.25.0-linux-amd64.tar.gz -C /usr/local/bin/
Customize the containerd configuration (create the /etc/containerd directory first if it does not exist)
containerd config default > /etc/containerd/config.toml
- Configure the systemd cgroup driver
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
...
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
- Override the sandbox (pause) image
[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.2"
- Change the image registry mirror
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://i0upsux0.mirror.aliyuncs.com"]
Because Google's registries cannot be reached from mainland China, the image addresses are changed to Alibaba Cloud or to your own private registry.
- Set the CRI socket
In the config.toml configuration file on Linux, containerd's default CRI socket is /run/containerd/containerd.sock. Point crictl at that socket:
cat << EOF >> /etc/crictl.yaml
runtime-endpoint: unix:///var/run/containerd/containerd.sock
image-endpoint: unix:///var/run/containerd/containerd.sock
timeout: 2
debug: true
pull-image-on-create: false
EOF
- Restart containerd
systemctl restart containerd
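Before running kubeadm it is worth confirming that every preparation step above actually took effect, since a missed sysctl key or a swap entry that survives a reboot is a common cause of kubeadm preflight failures. The following preflight script is an added example, not part of the original post; the file paths are the ones used above, and the check_* functions take a path argument so they can also be run against copies of the files.

```shell
#!/bin/sh
# Added preflight check, not from the original post: verifies that the node
# preparation steps above took effect before kubeadm is run. The check_* functions
# take a file path so they can also be run against copies of the config files.

# Passes if no uncommented fstab line still mounts a swap filesystem.
check_fstab_swap() {
    ! grep -Ev '^[[:space:]]*#' "$1" | grep -Eq '[[:space:]]swap[[:space:]]'
}
# Passes if the SELinux config sets SELINUX=disabled, as the post instructs.
check_selinux_config() { grep -Eq '^SELINUX=disabled[[:space:]]*$' "$1"; }
# Passes if the sysctl file sets all three keys from the post to 1.
check_sysctl_file() {
    for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.ipv4.ip_forward; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" || return 1
    done
}
# Passes if config.toml enables the systemd cgroup driver for runc.
check_containerd_toml() { grep -Eq '^[[:space:]]*SystemdCgroup[[:space:]]*=[[:space:]]*true' "$1"; }
# Passes if crictl.yaml points at the containerd CRI socket.
check_crictl_yaml() {
    grep -Eq '^runtime-endpoint:[[:space:]]*unix:///(var/)?run/containerd/containerd\.sock' "$1"
}
# Live checks: /proc/swaps has only its header line; firewalld is not enabled.
swap_is_off() { [ "$(wc -l < /proc/swaps)" -le 1 ]; }
firewalld_is_disabled() { ! systemctl is-enabled firewalld >/dev/null 2>&1; }

# Runs every check against the live system, prints one line per check, returns 1 if any failed.
preflight() {
    rc=0
    for chk in "check_fstab_swap /etc/fstab" "check_selinux_config /etc/selinux/config" \
               "check_sysctl_file /etc/sysctl.d/k8s.conf" "check_containerd_toml /etc/containerd/config.toml" \
               "check_crictl_yaml /etc/crictl.yaml" swap_is_off firewalld_is_disabled; do
        if $chk >/dev/null 2>&1; then echo "ok   $chk"; else echo "FAIL $chk"; rc=1; fi
    done
    return $rc
}

# Run the live checks only when explicitly requested, e.g. PREFLIGHT_RUN=1 sh preflight.sh
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then preflight; fi
```

Run it as root on each of the three nodes after the containerd restart; any line reported as FAIL points at the step above that needs to be repeated.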