1 节点规划信息
角色 | IP地址 | 系统 |
k8s-master01 | 192.168.226.20 | CentOS7.8.2003 |
k8s-master02 | 192.168.226.21 | CentOS7.8.2003 |
k8s-master03 | 192.168.226.22 | CentOS7.8.2003 |
k8s-node01 | 192.168.226.23 | CentOS7.8.2003 |
k8s-lb | 192.168.226.24 | CentOS7.8.2003 |
2 环境初始化
1)配置主机名,以k8s-master01为例(需要依次根据节点规划角色修改主机名)
k8s-lb不需要设置
[root@localhost ~]# hostnamectl set-hostname k8s-master012)配置主机hosts映射
cat <<EOF > /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.226.20 k8s-master01
192.168.226.21 k8s-master02
192.168.226.22 k8s-master03
192.168.226.23 k8s-node01
192.168.226.24 k8s-lb
EOF3)配置密钥
ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa
yum install -y expect
for i in k8s-master01 k8s-master02 k8s-master03 k8s-node01 k8s-lb;do
expect -c "
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@$i
expect {
\"*yes/no*\" {send \"yes\r\"; exp_continue}
\"*password*\" {send \"root\r\"; exp_continue}
\"*Password*\" {send \"root\r\";}
} "
done
for host in k8s-master01 k8s-master02 k8s-master03 k8s-node01 k8s-lb;do ping -c 1 $host;done4)关闭防火墙,selinux和swap分区
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
sed -i "s/^SELINUX=.*/SELINUX=disabled/g" /etc/selinux/config
swapoff -a
sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab5)时间同步
yum install chrony -y
systemctl enable chronyd
systemctl start chronyd
chronyc sources6)配置内核参数
ulimit -SHn 65535
cat >> /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness=0
EOF
sysctl -p7)内核升级
wget https://cbs.centos.org/kojifiles/packages/kernel/4.9.220/37.el7/x86_64/kernel-4.9.220-37.el7.x86_64.rpm
rpm -ivh kernel-4.9.220-37.el7.x86_64.rpm
reboot
uname -r8)安装ipvs
yum install ipvsadm ipset sysstat conntrack libseccomp -y
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack
modprobe -- ip_tables
modprobe -- ip_set
modprobe -- xt_set
modprobe -- ipt_set
modprobe -- ipt_rpfilter
modprobe -- ipt_REJECT
modprobe -- ipip
EOF9)配置重启自动加载
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack10)安装docker-ce
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum list | grep docker-ce
yum install docker-ce-19.03.8-3.el7 -y
systemctl start docker
systemctl enable docker
cat <<EOF >/etc/docker/daemon.json
{
"registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],
"exec-opts":["native.cgroupdriver=systemd"]
}
EOF
systemctl restart docker
3)安装kubernetes组件
以上操作在所有节点执行
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOFyum install -y kubelet-1.18.2-0 kubeadm-1.18.2-0 kubectl-1.18.2-0 --disableexcludes=kubernetessystemctl enable kubelet.service4)集群初始化
1)配置集群高可用
高可用采用的是HAProxy+Keepalived来进行高可用和master节点的流量负载均衡,HAProxy和KeepAlived以守护进程的方式在所有Master节点部署
yum install keepalived haproxy -y- 配置haproxy
所有master节点的配置相同,如下:
注意:把apiserver地址改成自己节点规划的master地址
cat <<EOF >/etc/haproxy/haproxy.cfg
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
#---------------------------------------------------------------------
# kubernetes apiserver frontend which proxys to the backends
#---------------------------------------------------------------------
frontend kubernetes
mode tcp
bind *:16443
option tcplog
default_backend kubernetes-apiserver
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend kubernetes-apiserver
mode tcp
balance roundrobin
server k8s-master01 192.168.226.20:6443 check
server k8s-master02 192.168.226.21:6443 check
server k8s-master03 192.168.226.22:6443 check
#---------------------------------------------------------------------
# collection haproxy statistics message
#---------------------------------------------------------------------
listen stats
bind *:9999
stats auth admin:P@ssW0rd
stats refresh 5s
stats realm HAProxy\ Statistics
stats uri /admin?stats
EOF- 配置keepalived
k8s-master01
cat <<EOF > /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_DEVEL
vrrp_skip_check_adv_addr
vrrp_garp_interval 0
vrrp_gna_interval 0
}
# 定义脚本
vrrp_script check_apiserver {
script "/etc/keepalived/check_apiserver.sh"
interval 2
weight -5
fall 3
rise 2
}
vrrp_instance VI_1 {
state MASTER
interface ens33
virtual_router_id 51
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.226.24
}
# 调用脚本
#track_script {
# check_apiserver
#}
}EOF
k8s-master02节点配置
cat <<EOF >/etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_DEVEL
vrrp_skip_check_adv_addr
vrrp_garp_interval 0
vrrp_gna_interval 0
}
# 定义脚本
vrrp_script check_apiserver {
script "/etc/keepalived/check_apiserver.sh"
interval 2
weight -5
fall 3
rise 2
}
vrrp_instance VI_1 {
state MASTER
interface ens33
virtual_router_id 51
priority 99
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.226.24
}
# 调用脚本
#track_script {
# check_apiserver
#}
}
EOFk8s-master03节点配置
cat <<EOF >/etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_DEVEL
vrrp_skip_check_adv_addr
vrrp_garp_interval 0
vrrp_gna_interval 0
}
# 定义脚本
vrrp_script check_apiserver {
script "/etc/keepalived/check_apiserver.sh"
interval 2
weight -5
fall 3
rise 2
}
vrrp_instance VI_1 {
state MASTER
interface ens33
virtual_router_id 51
priority 98
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.226.24
}
# 调用脚本
#track_script {
# check_apiserver
#}
}
EOF编写健康检测脚本
cat <<EOF >/etc/keepalived/check-apiserver.sh
#!/bin/bash
function check_apiserver(){
for ((i=0;i<5;i++))
do
apiserver_job_id=${pgrep kube-apiserver}
if [[ ! -z ${apiserver_job_id} ]];then
return
else
sleep 2
fi
done
apiserver_job_id=0
}
# 1->running 0->stopped
check_apiserver
if [[ $apiserver_job_id -eq 0 ]];then
/usr/bin/systemctl stop keepalived
exit 1
else
exit 0
fi
EOF启动haproxy和keepalived
systemctl enable --now keepalived
systemctl enable --now haproxy5)部署master
1)在k8s-master01上,编写kubeadm.yaml配置文件,如下:
[root@k8s-master01 ~]# cat >> kubeadm.yaml <<EOF
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.18.2
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
controlPlaneEndpoint: "k8s-lb:16443"
networking:
dnsDomain: cluster.local
podSubnet: 192.168.0.0/16
serviceSubnet: 10.211.0.0/12
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
SupportIPVSProxyMode: true
mode: ipv
EOF2)下载镜像
[root@k8s-master01 ~]# kubeadm config images pull --config kubeadm.yamldocker load -i 1-18-kube-apiserver.tar.gz
docker load -i 1-18-kube-scheduler.tar.gz
docker load -i 1-18-kube-controller-manager.tar.gz
docker load -i 1-18-pause.tar.gz
docker load -i 1-18-cordns.tar.gz
docker load -i 1-18-etcd.tar.gz
docker load -i 1-18-kube-proxy.tar.gz
说明:
pause版本是3.2,用到的镜像是k8s.gcr.io/pause:3.2
etcd版本是3.4.3,用到的镜像是k8s.gcr.io/etcd:3.4.3-0
cordns版本是1.6.7,用到的镜像是k8s.gcr.io/coredns:1.6.7
apiserver、scheduler、controller-manager、kube-proxy版本是1.18.2,用到的镜像分别是
k8s.gcr.io/kube-apiserver:v1.18.2
k8s.gcr.io/kube-controller-manager:v1.18.2
k8s.gcr.io/kube-scheduler:v1.18.2
k8s.gcr.io/kube-proxy:v1.18.23)进行初始化
在master01节点操作
kubeadm init --config kubeadm.yaml --upload-certs最后输出的kubeadm jion需要记录下来,后面的master节点和node节点需要用
4)配置环境变量
在master01节点操作
cat >> /root/.bashrc <<EOF
export KUBECONFIG=/etc/kubernetes/admin.conf
EOF
source /root/.bashrc5)查看节点状态
[root@k8s-master01 ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master01 NotReady master 3m v1.18.26)安装网络插件
如果有节点是多网卡,所以需要在资源清单文件中指定内网网卡(如何单网卡可以不用修改)
wget https://docs.projectcalico.org/v3.8/manifests/calico.yamlvi calico.yaml
......
containers:
# Runs calico-node container on each Kubernetes node. This
# container programs network policy and routes on each
# host.
- name: calico-node
image: calico/node:v3.8.8-1
env:
# Use Kubernetes API as the backing datastore.
- name: DATASTORE_TYPE
value: "kubernetes"
# Wait for the datastore.
- name: IP_AUTODETECTION_METHOD # DaemonSet中添加该环境变量
value: interface=ens33 # 指定内网网卡
- name: WAIT_FOR_DATASTORE
value: "true"
# Set based on the k8s node name.
- name: NODENAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
......# 安装calico网络插件
[root@k8s-master01 ~]# kubectl apply -f calico.yaml当网络插件安装完成后,查看node节点信息如下:
[root@k8s-master01 ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master01 Ready master 17m v1.18.2可以看到状态已经从NotReady变为ready了。
7)将master02加入集群
- 下载镜像
kubeadm config images pull --config kubeadm.yamlkubeadm join k8s-lb:16443 --token wnukb8.gn07zmn7il6jdysv \
--discovery-token-ca-cert-hash sha256:fe0f71f154cfe35cf1ffc19742bd68d360da08e688f6e9a8f5d4c3211d9ae204 \
--control-plane --certificate-key fae1a738686dc651c52617d4413368d0a694719cbc88d444b550fb88854e9763配置环境变量
cat >> /root/.bashrc <<EOF
export KUBECONFIG=/etc/kubernetes/admin.conf
EOF
source /root/.bashrcmaster03也如上操作
[root@k8s-master03 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master01 Ready master 28m v1.18.2
k8s-master02 Ready master 2m31s v1.18.2
k8s-master03 Ready master 55s v1.18.2- 查看集群组件状态
全部都Running,则所有组件都正常了,不正常,可以具体查看pod日志进行排查
[root@k8s-master01 ~]# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE NODE NOMINATED NODE READINESS GATES
calico-kube-controllers-77c5fc8d7f-stl57 1/1 Running 0 26m k8s-master01 <none> <none>
calico-node-ppsph 1/1 Running 0 26m k8s-master01 <none> <none>
calico-node-tl6sq 1/1 Running 0 26m k8s-master02 <none> <none>
calico-node-w92qh 1/1 Running 0 26m k8s-master03 <none> <none>
coredns-546565776c-vtlhr 1/1 Running 0 42m k8s-master01 <none> <none>
coredns-546565776c-wz9bk 1/1 Running 0 42m k8s-master01 <none> <none>
etcd-k8s-master01 1/1 Running 0 42m k8s-master01 <none> <none>
etcd-k8s-master02 1/1 Running 0 30m k8s-master02 <none> <none>
etcd-k8s-master03 1/1 Running 0 28m k8s-master03 <none> <none>
kube-apiserver-k8s-master01 1/1 Running 0 42m k8s-master01 <none> <none>
kube-apiserver-k8s-master02 1/1 Running 0 30m k8s-master02 <none> <none>
kube-apiserver-k8s-master03 1/1 Running 0 28m k8s-master03 <none> <none>
kube-controller-manager-k8s-master01 1/1 Running 1 42m k8s-master01 <none> <none>
kube-controller-manager-k8s-master02 1/1 Running 1 30m k8s-master02 <none> <none>
kube-controller-manager-k8s-master03 1/1 Running 0 28m k8s-master03 <none> <none>
kube-proxy-6sbpp 1/1 Running 0 28m k8s-master03 <none> <none>
kube-proxy-dpppr 1/1 Running 0 42m k8s-master01 <none> <none>
kube-proxy-ln7l7 1/1 Running 0 30m k8s-master02 <none> <none>
kube-scheduler-k8s-master01 1/1 Running 1 42m k8s-master01 <none> <none>
kube-scheduler-k8s-master02 1/1 Running 1 30m k8s-master02 <none> <none>
kube-scheduler-k8s-master03 1/1 Running 0 28m k8s-master03 <none> <none>查看CSR
[root@k8s-master01 ~]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
csr-cfl2w 42m kubernetes.io/kube-apiserver-client-kubelet system:node:k8s-master01 Approved,Issued
csr-mm7g7 28m kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:3k4vr0 Approved,Issued
csr-qzn6r 30m kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:3k4vr0 Approved,Issued
与人善言,暖于布锦,伤人之言,深于矛戟
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
