1. 配置清单
- 注意:本环境中master节点最少需要3台(etcd需要多数派成员存活才能正常工作,3台master可以容忍1台故障)。
设备 | IP |
---|---|
master1 | 192.168.2.10 |
master2 | 192.168.2.20 |
master3 | 192.168.2.30 |
node1 | 192.168.2.40 |
VIP | 192.168.2.100 |
2. k8s节点Host及防火墙配置
- master1、master2、master3、node1机器进行如下配置:
2.1. 添加host解析
//添加host解析:
vim /etc/hosts
添加以下内容:
192.168.2.10 master1
192.168.2.20 master2
192.168.2.30 master3
192.168.2.40 node1
2.2. 关闭selinux
setenforce 0
sed -i '/SELINUX/s/enforcing/disabled/g' /etc/sysconfig/selinux
2.3. 关闭防火墙
systemctl stop firewalld.service
systemctl disable firewalld.service
2.4. 时间同步
yum install ntpdate -y
ntpdate pool.ntp.org
2.5. 修改对应节点的主机名:
- 每个节点执行这条命令即可,注意这条命令网卡名需要根据实际情况填写
hostname `cat /etc/hosts|grep $(ifconfig ens33|grep broadcast|awk '{print $2}')|awk '{print $2}'`;su
2.6. 关闭swap分区
swapoff -a
sed -ri 's/.*swap.*/#&/g' /etc/fstab
3. linux内核参数设置和优化
- master1、master2、master3、node1机器进行如下配置
3.1. 开启ipvs模块
//安装ipset、ipvsadm
yum install -y ipset ipvsadm
//开启ipvs模块
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/sh
modprobe -- ip_vs ##开启ipvs模块
modprobe -- ip_vs_rr ##开启ipvs轮询算法
modprobe -- ip_vs_wrr ##开启ipvs权重加轮询算法
modprobe -- ip_vs_sh ##开启ipvs哈希算法
modprobe -- nf_conntrack_ipv4 ##用于IPv4连接跟踪。它允许Linux内核跟踪网络连接的状态信息(注意:4.19及以上内核中该模块已合并为nf_conntrack,升级内核后需改为加载nf_conntrack)
EOF
//开启执行权限并执行ipvs.modules&&确认ipvs模块加载成功
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack_ipv4
3.2. 调整内核参数,对于k8s
cat > /etc/sysctl.d/k8s.conf << EOF
#这两个参数让经过网桥的 IPv4 和 IPv6 数据包也交给 iptables/ip6tables 规则处理,以执行网络地址转换 (NAT) 或防火墙规则(需要先加载 br_netfilter 内核模块,否则这两个参数不存在)。
#在 Kubernetes 集群中,这两个参数必须设置为 1,以确保正确的网络流量转发和访问控制。
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
#该参数允许非本地 IP 地址绑定到套接字上。在 Kubernetes 中,该参数需要设置为 1,以便容器可以绑定到主机网络接口上的 IP 地址。
net.ipv4.ip_nonlocal_bind = 1
#该参数允许 Linux 内核将网络数据包从一个网络接口转发到另一个网络接口。
#在 Kubernetes 中,该参数需要设置为 1,以便容器可以访问主机之外的网络。
net.ipv4.ip_forward = 1
#该参数控制是否启用 TCP TIME_WAIT 状态的快速回收。在 Kubernetes 中,该参数需要设置为 0,以避免 NAT 环境下的网络连接问题(注意:4.12 及以上内核已移除该参数,升级内核后应删除下面这一行)
net.ipv4.tcp_tw_recycle=0
#该参数控制 Linux 内核在内存使用上的倾向,值为 0 表示尽可能使用物理内存,而不是交换空间。
vm.swappiness=0
#该参数控制 Linux 是否允许进程申请超过物理内存的内存。在 Kubernetes 中,该参数需要设置为 1,以避免 OOM (Out of Memory) 错误
vm.overcommit_memory=1
#该参数控制 Linux 是否在内存不足时触发内核崩溃。在 Kubernetes 中,该参数需要设置为 0,以避免在内存不足时导致节点崩溃。
vm.panic_on_oom=0
#这两个参数控制 Linux 内核能够同时跟踪的 inotify 实例和文件监视器的数量。
#在 Kubernetes 中,这些参数需要设置为足够大的值,以确保容器可以正确地监视文件系统事件。
fs.inotify.max_user_instances=8182
fs.inotify.max_user_watches=1048576
#这两个参数控制 Linux 内核能够打开的文件和文件描述符的数量。
#在 Kubernetes 中,这些参数需要设置为足够大的值,以确保容器可以打开足够多的文件
fs.file-max=52706963
fs.nr_open=52706963
#该参数禁用 IPv6 协议。在 Kubernetes 中,如果你不使用 IPv6,则可以将该参数设置为 1,以减少网络连接问题。
net.ipv6.conf.all.disable_ipv6=1
#该参数控制 Linux 内核能够跟踪的网络连接数量。在 Kubernetes 中,该参数需要设置为足够大的值,以确保容器可以正确地处理网络连接。
net.netfilter.nf_conntrack_max=2310720
EOF
sysctl -p /etc/sysctl.d/k8s.conf
4. 设置rsyslogd和systemd-journald
- 这是一个 systemd-journald 的配置文件,它用于定义系统日志的存储和管理方式
mkdir /var/log/journal #持久化保存日志的目录
mkdir /etc/systemd/journald.conf.d #配置文件目录
cat > /etc/systemd/journald.conf.d/99-prophet.conf <<EOF
#注意:systemd 配置文件不支持行尾注释,注释必须单独成行;配置项必须位于 [Journal] 段内才会生效。
[Journal]
#将日志存储在持久化存储中,以便在系统重启后仍然可用。
Storage=persistent
#启用日志的压缩功能,以减小磁盘使用量。
Compress=yes
#每隔 5 分钟将日志写入磁盘并同步。
SyncIntervalSec=5m
#日志速率限制的统计时间窗口为 30 秒。
RateLimitInterval=30s
#在上述时间窗口内,每个服务最多允许写入 1000 条日志,超出的部分会被丢弃。
RateLimitBurst=1000
#限制系统日志使用的最大磁盘空间为 10GB。
SystemMaxUse=10G
#限制每个日志文件的最大大小为 200MB。
SystemMaxFileSize=200M
#限制系统日志的最长保留时间为 2 周。
MaxRetentionSec=2week
#不将这些日志转发到 syslog 服务器。
ForwardToSyslog=no
EOF
systemctl restart systemd-journald
5. 升级系统内核为5.4
- CentOS 7.x系统自带的3.10.x内核存在一些Bug,会导致运行的Docker、k8s不稳定
//查看本机内核版本:
[root@harbor ~]# uname -r
3.10.0-1160.el7.x86_64
//安装elrepo的yum源
rpm -Uvh https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
//查看elrepo源是否成功
ls /etc/yum.repos.d/
CentOS7-Base-163.repo docker-ce.repo elrepo.repo epel.repo epel-testing.repo local.repo nginx.repo
//升级内核
yum --enablerepo=elrepo-kernel install -y kernel-lt
//设置开机从新的内核启动
grub2-set-default "CentOS Linux (5.4.244-1.el7.elrepo.x86_64) 7 (Core)"
//重启系统
reboot
//查看内核是否升级成功
uname -r
5.4.244-1.el7.elrepo.x86_64
6. 安装docker
- master1、master2、master3、node1机器进行如下配置
//下载yum源
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
//安装docker
yum -y install docker-ce
//启动并开机自启
systemctl start docker && systemctl enable docker
6.1. 各节点配置docker加速器并修改成k8s驱动
{
"registry-mirrors":[ #配置了一个镜像加速器
"http://hub-mirror.c.163.com", #网易镜像站
"https://docker.mirrors.ustc.edu.cn", #中国科技大学镜像站
"https://registry.docker-cn.com" #Docker中国区官方镜像
],
#当 Docker 运行一个容器时,它会使用 Linux 的 cgroups 特性来限制容器的资源使用,例如 CPU、内存、磁盘等。
#在 Linux 系统中,有多种 cgroup 驱动可供 Docker 使用,如 cgroupfs 和 systemd
"exec-opts": ["native.cgroupdriver=systemd"], #表示使用 systemd 作为 Docker 的 cgroup 驱动
"log-driver": "json-file", #使用 JSON 格式记录 Docker 容器的日志
"log-opts": {
"max-size": "100m" #设置单个日志文件的最大大小为 100MB
}
}
cat > /etc/docker/daemon.json << EOF
{
"registry-mirrors":[
"http://hub-mirror.c.163.com",
"https://docker.mirrors.ustc.edu.cn",
"https://registry.docker-cn.com"
],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
}
}
EOF
##重启docker
systemctl daemon-reload && systemctl restart docker
7. 所有master节点安装haproxy和keepalived服务
yum -y install haproxy keepalived
8. 修改master1节点keepalived配置文件
mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
#设置邮件通知的收件人
notification_email {
yangshuangsxy@163.com
}
#设置邮件通知的发件人
notification_email_from yangshuangsxy@163.com
smtp_server 127.0.0.1 #指定smtp服务IP地址
smtp_connect_timeout 30 #设置邮件服务器连接超时时间
router_id LVS_DEVEL #设置路由 ID,这是一组用于标识 Keepalived 实例的字符串
}
vrrp_script chk_haproxy { #定义一个检测脚本,用于检测 HAProxy 是否存活,chk_haproxy 是这个检测脚本的名称。
script "/data/sh/check_haproxy.sh" #指定检测脚本路径
interval 2 #指定了检测脚本执行的时间间隔
weight 2 #指定了检测脚本的权重:检测脚本执行成功(返回0)时,本节点的优先级会加上该值(这里为+2)
}
# VIP1
vrrp_instance VI_1 { #定义一个 VRRP 实例,用于实现虚拟路由器的高可用性,VI_1 是这个 VRRP 实例的名称。
state MASTER # 指定此节点的初始状态,这里设置为 MASTER,表示此节点是主节点
interface ens33 #指定了此实例绑定的网卡
virtual_router_id 151 #指定了此实例的虚拟路由器 ID
priority 100 #指定了此节点的优先级,值越大,优先级越高,主节点的优先级应该设置为最高
advert_int 5 #指定了 VRRP 报文的发送间隔
nopreempt #不抢占模式,即优先级更高的节点恢复后,不会从当前持有VIP的节点抢回VIP;注意该选项只有在state为BACKUP时才生效
authentication { #用于设置 VRRP 协议的认证方式和密码
auth_type PASS
auth_pass 2222
}
virtual_ipaddress { #指定了此实例的虚拟 IP 地址
192.168.2.100
}
track_script { #指定了需要检测的脚本,如果检测脚本返回错误,那么此节点将会被降级为备节点。
chk_haproxy
}
}
9. 修改master2和master3节点keepalived配置文件
- master2配置文件如下:
mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
yangshuangsxy@163.com
}
notification_email_from yangshuangsxy@163.com
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_DEVEL
}
vrrp_script chk_haproxy {
script "/data/sh/check_haproxy.sh"
interval 2
weight 2
}
# VIP1
vrrp_instance VI_1 {
state BACKUP
interface ens33
virtual_router_id 151
priority 90
advert_int 5
nopreempt
authentication {
auth_type PASS
auth_pass 2222
}
virtual_ipaddress {
192.168.2.100
}
track_script {
chk_haproxy
}
}
- master3配置文件如下:
mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
scp -r 192.168.2.20:/etc/keepalived/keepalived.conf /etc/keepalived/
vim /etc/keepalived/keepalived.conf
##除了将优先级修改为80以外,其余内容与master2的配置文件一样,修改如下:
priority 80
10. 每台master节点haproxy配置文件都一样如下:
mv /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak
vim /etc/haproxy/haproxy.cfg
global
#定义了haproxy的日志输出方式,这里使用了local0和local1两个facility,其中local0表示输出到syslog的local0日志文件中
#local1表示输出到syslog的local1日志文件中,级别为notice。
log /dev/log local0
log /dev/log local1 notice
pidfile /var/run/haproxy.pid #定义了haproxy进程的pid文件路径
chroot /var/lib/haproxy #定义了haproxy要使用的chroot目录,这里使用了/var/lib/haproxy
#定义了haproxy的统计信息socket文件路径和权限,这里指定了/var/run/haproxy-admin.sock,权限为660,级别为admin
stats socket /var/run/haproxy-admin.sock mode 660 level admin
stats timeout 30s #定义了haproxy统计信息的超时时间,这里设置为30秒
#定义了haproxy进程要使用的用户和组,这里使用了haproxy用户和haproxy组
user haproxy
group haproxy
daemon #定义了haproxy以守护进程方式运行
nbproc 1 #定义了haproxy的工作进程数,这里设置为1
defaults
log global #定义了默认的日志输出方式,这里使用了global,表示使用全局日志配置
timeout connect 5000 #定义了连接超时时间,这里设置为5000毫秒
timeout client 10m #定义了客户端超时时间,这里设置为10分钟
timeout server 10m #定义了服务器超时时间,这里设置为10分钟
listen admin_stats
bind 0.0.0.0:10080 #定义了监听地址和端口,这里使用了0.0.0.0:10080,表示监听所有IP地址的10080端口
mode http #定义了监听模式,这里使用了http模式
log 127.0.0.1 local0 err #定义了日志输出方式,这里将日志输出到127.0.0.1的local0设备,级别为err
stats refresh 30s #定义了统计信息刷新时间,这里设置为30秒
stats uri /status #定义了统计信息页面的URI,这里设置为/status
stats realm welcome login\ Haproxy #定义了统计信息页面的realm,这里设置为"welcome login Haproxy"
stats auth admin:123456 #定义了统计信息页面的用户名和密码,这里设置为admin和123456
stats hide-version #定义了是否隐藏haproxy的版本信息,这里设置为隐藏
stats admin if TRUE #定义了是否启用统计信息页面的管理功能,这里设置为启用
listen kube-master
bind 0.0.0.0:8443 #定义了监听地址和端口,这里使用了0.0.0.0:8443,表示监听所有IP地址的8443端口
mode tcp #定义了监听模式,这里使用了tcp模式
option tcplog #定义了是否启用TCP日志记录,这里设置为启用
balance source #定义了负载均衡算法,这里使用了source算法
#定义了后端服务器,这里定义了三个服务器,分别是master1、master2和master3
#它们的IP地址和端口分别为192.168.2.10:6443、192.168.2.20:6443和192.168.2.30:6443
#check表示启用健康检查,inter 2000表示每2秒进行一次健康检查
#fall 2表示检查失败的阈值为2,rise 2表示检查成功的阈值为2,weight 1表示权重为1
server master1 192.168.2.10:6443 check inter 2000 fall 2 rise 2 weight 1
server master2 192.168.2.20:6443 check inter 2000 fall 2 rise 2 weight 1
server master3 192.168.2.30:6443 check inter 2000 fall 2 rise 2 weight 1
11. 每台master节点编写健康监测脚本
mkdir -p /data/sh
vim /data/sh/check_haproxy.sh
#!/bin/bash
#2022-4-13
#auto check haproxy process
netstat -ntlp | grep 8443 > /dev/null
if [ $? -ne 0 ];then
systemctl stop keepalived.service
fi
chmod +x /data/sh/check_haproxy.sh #添加执行权限
12. 所有master节点启动keepalived和haproxy服务并加入开机启动
systemctl start haproxy && systemctl enable haproxy
systemctl start keepalived && systemctl enable keepalived
13. 查看VIP地址
//下面的命令在master1上查看
[root@master1 ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:37:25:9c brd ff:ff:ff:ff:ff:ff
inet 192.168.2.10/24 brd 192.168.2.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.2.100/32 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe37:259c/64 scope link
valid_lft forever preferred_lft forever
14. 配置k8s各节点的yum源
- 所有机器执行
cat>>/etc/yum.repos.d/kubernetes.repo<<EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
EOF
15. 安装软件kubeadm、kubectl、kubelet
- 所有机器执行
- 安装的kubeadm、kubectl和kubelet要和kubernetes版本一致
- 注意:在执行kubeadm init初始化集群(或kubeadm join加入集群)之前,kubelet因缺少配置会不断重启并报错,这属于正常现象;初始化或加入集群之后kubelet服务会自动恢复正常运行
yum install -y kubeadm-1.20.4 kubelet-1.20.4 kubectl-1.20.4
//启动kubelet并设置开机自启
systemctl enable kubelet.service && systemctl start kubelet.service
16. 执行kubeadm init初始化安装Master相关软件
-
在master1上执行:
-
kubeadm init: 这是kubeadm命令的初始化子命令,用于初始化一个Kubernetes集群的控制平面节点。
-
--control-plane-endpoint=192.168.2.100:8443: 指定控制平面的统一访问地址和端口号,这里填写VIP地址和haproxy监听的8443端口,所有节点都通过该地址访问kube-apiserver。
-
--image-repository registry.aliyuncs.com/google_containers: 指定拉取控制平面组件镜像所使用的镜像仓库地址。
-
--kubernetes-version v1.20.4: Kubernetes的版本号,这里使用的是v1.20.4版本。
-
--service-cidr=10.10.0.0/16: Kubernetes中Service的IP地址段,这里指定了一个CIDR地址段(10.10.0.0/16),用于分配给Service的IP地址。
-
--pod-network-cidr=10.244.0.0/16: Kubernetes中Pod的IP地址段,这里指定了一个CIDR地址段(10.244.0.0/16),用于分配给Pod的IP地址。
-
--upload-certs: 将控制平面的证书上传到kube-system命名空间下名为kubeadm-certs的Secret中,这样其他master节点加入集群时可以凭certificate-key自动获取这些证书,无需手动拷贝。
[root@master1 ~]# kubeadm init --control-plane-endpoint=192.168.2.100:8443 --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.20.4 --service-cidr=10.10.0.0/16 --pod-network-cidr=10.244.0.0/16 --upload-certs
[init] Using Kubernetes version: v1.20.4
[preflight] Running pre-flight checks
[WARNING SystemVerification]: this Docker version is not on the list of validated versions: 20.10.21. Latest validated version: 19.03
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local master1] and IPs [10.10.0.1 192.168.2.10 192.168.2.100]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [localhost master1] and IPs [192.168.2.10 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [localhost master1] and IPs [192.168.2.10 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Writing "admin.conf" kubeconfig file
[endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[kubelet-check] Initial timeout of 40s passed.
[apiclient] All control plane components are healthy after 59.514507 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config-1.20" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
942b21eebd4a738f927c18560abd1a1d38cc14166530a6b9818a81dec56ac8c7
[mark-control-plane] Marking the node master1 as control-plane by adding the labels "node-role.kubernetes.io/master=''" and "node-role.kubernetes.io/control-plane='' (deprecated)"
[mark-control-plane] Marking the node master1 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[bootstrap-token] Using token: kgtenl.yfgauyzn9dlz8i1i
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[addons] Applied essential addon: kube-proxy
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of the control-plane node running the following command on each as root:
kubeadm join 192.168.2.100:8443 --token kgtenl.yfgauyzn9dlz8i1i \
--discovery-token-ca-cert-hash sha256:83da3f5e06811070fc62a90e05345b0c42397786b1fe928f852ed919e96819b7 \
--control-plane --certificate-key 942b21eebd4a738f927c18560abd1a1d38cc14166530a6b9818a81dec56ac8c7
Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.2.100:8443 --token kgtenl.yfgauyzn9dlz8i1i \
--discovery-token-ca-cert-hash sha256:83da3f5e06811070fc62a90e05345b0c42397786b1fe928f852ed919e96819b7
- K8S集群初始化的流程如下:
- 检查工作(Preflight Checks):检查Linux内核版本、Cgroups模块可用性、组件版本、端口占用情况、Docker等依赖情况;
- 生成对外提供服务的CA证书及对应的目录;
- 生成其他组件访问kube-apiserver 所需的配置文件;
- 为Master组件生成Pod配置文件,利用这些配置文件,通过Kubernetes 中特殊的容器启动方法:“Static Pod”(Kubelet启动时自动加载固定目录的 Pod YAML 文件并启动)便可以 Pod 方式部署起 kube-apiserver、kube-controller-manager、kube-scheduler 三个 Master 组件。同时还会生成 Etcd 的 Pod YAML 文件;
- 为集群生成一个Bootstrap token,其他节点加入集群的机器和 Apiserver打交道,需要获取相应的证书文件,所以Bootstrap token需要扮演安全验证的角色;
- 安装默认插件,例如:Kube-proxy 和Core DNS,分别提供集群的服务发现和 DNS 功能
17. 将master2、master3加入k8s集群
//在master2、master3执行以下命令
kubeadm join 192.168.2.100:8443 --token kgtenl.yfgauyzn9dlz8i1i \
--discovery-token-ca-cert-hash sha256:83da3f5e06811070fc62a90e05345b0c42397786b1fe928f852ed919e96819b7 \
--control-plane --certificate-key 942b21eebd4a738f927c18560abd1a1d38cc14166530a6b9818a81dec56ac8c7
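//注意:每次初始化生成的token和certificate-key都不一样,需要把master1执行初始化时输出的这条命令复制过来执行(上传的证书2小时后会被删除,过期后需在master1上执行kubeadm init phase upload-certs --upload-certs重新上传)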
18. 将所有node节点加入k8s集群
//下面这条命令在node1执行
kubeadm join 192.168.2.100:8443 --token kgtenl.yfgauyzn9dlz8i1i \
--discovery-token-ca-cert-hash sha256:83da3f5e06811070fc62a90e05345b0c42397786b1fe928f852ed919e96819b7
//注意:每次初始化生成的token值都不一样,需要把master1执行初始化时输出的这条命令复制过来执行
19. 所有master节点执行以下命令
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
//设置master环境变量
echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> /etc/profile
source /etc/profile
//在master配置k8s命令自动补全
source <(kubectl completion bash) && echo 'source <(kubectl completion bash)' >> /root/.bashrc
//在任意master节点查看集群状态
kubectl get nodes
NAME STATUS ROLES AGE VERSION
master1 NotReady control-plane,master 14m v1.20.4
master2 NotReady control-plane,master 3m38s v1.20.4
master3 NotReady control-plane,master 94s v1.20.4
node1 NotReady <none> 12m v1.20.4
20. 安装网络插件flannel
//以下命令在任意一台master节点执行即可
//下载kube-flannel.yml
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
//部署flannel网络
kubectl apply -f kube-flannel.yml
//过一分钟左右查看各节点状态,变为Ready说明网络打通了
kubectl get nodes
NAME STATUS ROLES AGE VERSION
master1 Ready control-plane,master 20m v1.20.4
master2 Ready control-plane,master 8m42s v1.20.4
master3 Ready control-plane,master 6m38s v1.20.4
node1 Ready <none> 17m v1.20.4
21. 查看所有pod是否变为Running
[root@master1 ~]# kubectl get pod --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-7f89b7bc75-fh949 1/1 Running 0 21m
kube-system coredns-7f89b7bc75-wwww4 1/1 Running 0 21m
kube-system etcd-master1 1/1 Running 0 22m
kube-system etcd-master2 1/1 Running 0 10m
kube-system etcd-master3 1/1 Running 0 8m40s
kube-system kube-apiserver-master1 1/1 Running 0 22m
kube-system kube-apiserver-master2 1/1 Running 0 10m
kube-system kube-apiserver-master3 1/1 Running 0 8m44s
kube-system kube-controller-manager-master1 1/1 Running 1 22m
kube-system kube-controller-manager-master2 1/1 Running 0 10m
kube-system kube-controller-manager-master3 1/1 Running 0 8m43s
kube-system kube-flannel-ds-bcdrb 1/1 Running 0 4m12s
kube-system kube-flannel-ds-dwdp8 1/1 Running 0 4m12s
kube-system kube-flannel-ds-m58fc 1/1 Running 0 4m12s
kube-system kube-flannel-ds-w9d4t 1/1 Running 0 4m12s
kube-system kube-proxy-5bwm7 1/1 Running 0 21m
kube-system kube-proxy-9g977 1/1 Running 0 10m
kube-system kube-proxy-bbxpp 1/1 Running 0 19m
kube-system kube-proxy-nrkdc 1/1 Running 0 8m44s
kube-system kube-scheduler-master1 1/1 Running 1 22m
kube-system kube-scheduler-master2 1/1 Running 0 10m
kube-system kube-scheduler-master3 1/1 Running 0 8m44s
//如果不是Running输入下面命令查看pod报错信息
kubectl describe pod <报错pod名称> -n <报错pod所属命名空间>
22. 去除Master节点污点,使其可以分配Pod资源
//下面的命令在任意一台master执行即可
kubectl taint nodes --all node-role.kubernetes.io/master-
23. 部署dashboard
//在任意一台master执行
//下载dashboard的部署yaml文件
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc5/aio/deploy/recommended.yaml
//修改文件recommended.yaml第39行附近kubernetes-dashboard这个Service的内容:默认情况下Service的类型是ClusterIP,需更改为NodePort的方式,便于从集群外部访问,也可映射到指定的端口。
vim recommended.yaml
spec:
type: NodePort
ports:
- port: 443
targetPort: 8443
nodePort: 31001
selector:
k8s-app: kubernetes-dashboard
//部署dashboard
kubectl apply -f recommended.yaml
//查看dashboard部署是否成功
kubectl get pod -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-74db988864-kslc7 1/1 Running 0 40s
kubernetes-dashboard-7bbb9b5fc6-9jrjk 1/1 Running 0 40s
//上面这条命令需要几分钟pod状态才变成Running,因为需要下载镜像
//创建Dashboard的管理用户;
kubectl create serviceaccount dashboard-admin -n kube-system
//将创建的dashboard用户绑定为管理用户;
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
//获取刚刚创建的用户对应的Token名称;
kubectl get secrets -n kube-system | grep dashboard
//查看Token的详细信息;
kubectl describe secrets -n kube-system $(kubectl get secrets -n kube-system | grep dashboard |awk '{print $1}')
24.登录dashboard
-
打开浏览器输入 https://任意master节点IP地址:31001
-
登录所需的token值,在master上输入kubectl describe secrets -n kube-system $(kubectl get secrets -n kube-system | grep dashboard |awk '{print $1}')可以得到结果。
-
输入token值进来点击Node查看各个节点信息。
25. 验证
- 把master1服务器关机查看一下服务是否可以正常运行。
//master1关机后正常情况下VIP地址会跳到master2机器上
[root@master2 ~]# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:96:cf:51 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.20/24 brd 192.168.2.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.2.100/32 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe96:cf51/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:ad:42:2f:de brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
4: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
link/ether 66:94:21:c0:15:3c brd ff:ff:ff:ff:ff:ff
inet 10.244.2.0/32 scope global flannel.1
valid_lft forever preferred_lft forever
inet6 fe80::6494:21ff:fec0:153c/64 scope link
valid_lft forever preferred_lft forever
//从上面信息可以看到VIP地址漂移成功,接下来查看各个pod是否正常。
[root@master2 ~]# kubectl get pod --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-7f89b7bc75-fh949 1/1 Running 1 2d1h
kube-system coredns-7f89b7bc75-wwww4 1/1 Running 1 2d1h
kube-system etcd-master1 1/1 Running 1 2d1h
kube-system etcd-master2 1/1 Running 1 2d1h
kube-system etcd-master3 1/1 Running 1 2d1h
kube-system kube-apiserver-master1 1/1 Running 1 2d1h
kube-system kube-apiserver-master2 1/1 Running 1 2d1h
kube-system kube-apiserver-master3 1/1 Running 1 2d1h
kube-system kube-controller-manager-master1 1/1 Running 2 2d1h
kube-system kube-controller-manager-master2 1/1 Running 1 2d1h
kube-system kube-controller-manager-master3 1/1 Running 1 2d1h
kube-system kube-flannel-ds-bcdrb 1/1 Running 1 2d1h
kube-system kube-flannel-ds-dwdp8 1/1 Running 1 2d1h
kube-system kube-flannel-ds-m58fc 1/1 Running 1 2d1h
kube-system kube-flannel-ds-w9d4t 1/1 Running 1 2d1h
kube-system kube-proxy-5bwm7 1/1 Running 1 2d1h
kube-system kube-proxy-9g977 1/1 Running 1 2d1h
kube-system kube-proxy-bbxpp 1/1 Running 1 2d1h
kube-system kube-proxy-nrkdc 1/1 Running 1 2d1h
kube-system kube-scheduler-master1 1/1 Running 2 2d1h
kube-system kube-scheduler-master2 1/1 Running 1 2d1h
kube-system kube-scheduler-master3 1/1 Running 1 2d1h
kubernetes-dashboard dashboard-metrics-scraper-74db988864-kslc7 1/1 Running 1 2d1h
kubernetes-dashboard kubernetes-dashboard-7bbb9b5fc6-9jrjk 1/1 Running 1 2d1h
可以看到pod都是Running状态。
//查看各个节点状态:
[root@master2 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master1 NotReady control-plane,master 2d1h v1.20.4
master2 Ready control-plane,master 2d1h v1.20.4
master3 Ready control-plane,master 2d1h v1.20.4
node1 Ready <none> 2d1h v1.20.4
//可以看出master1状态为NotReady(因为master1已关机),其余节点均为Ready,说明集群在一台master故障时仍可正常提供服务