硬件配置
| 系统 |
角色 |
IP |
内存 |
| CentOs7.8 |
master |
172.17.0.3 |
2核4GB |
| CentOs7.8 |
node |
172.17.0.4 |
2核4GB |
| CentOs7.8 |
node |
172.17.0.5 |
2核4GB |
系统设置
修改节点名称
1
2
3
4
5
6
7
8
| yum update -y
hostnamectl set-hostname k8s-master
sudo vim /etc/hosts
172.17.0.3 k8s-master
172.17.0.4 k8s-node1
172.17.0.4 k8s-node2
|
master hostname k8s-master, node hostname k8s-node...
安装依赖
1
| yum install -y conntrack ntpdate ntp ipvsadm ipset jq iptables curl sysstat libseccomp wget vimnet-tools git
|
设置防火墙为Iptables并设置规则
1
2
| systemctl stop firewalld && systemctl disable firewalld
yum -y install iptables-services && systemctl start iptables && systemctl enable iptables && iptables -F && service iptables save
|
关闭SELINUX分区
1
2
| swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
setenforce 0 && sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
|
关闭邮件服务
1
| systemctl stop postfix && systemctl disable postfix
|
设置 rsyslogd 和 systemd journald
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
mkdir /var/log/journal
mkdir /etc/systemd/journald.conf.d
cat > /etc/systemd/journald.conf.d/99-prophet.conf <<EOF
[Journal]
# 持久化保存到磁盘
Storage=persistent
# 压缩历史日志
Compress=yes
SyncIntervalSec=5m
RateLimitInterval=30s
RateLimitBurst=1000 # 最大占用空间10G
SystemMaxUse=10G # 单日志文件最大200M
SystemMaxFileSize=200M
# 日志保存时间 2 周
MaxRetentionSec=2week
# 不将日志转发到syslog
ForwardToSyslog=no
EOF
systemctl restart systemd-journald
|
同步时间
1
2
3
4
5
6
7
|
yum install -y ntpdate
timedatectl set-timezone Asia/Shanghai
date
|
升级系统内核为 4.44
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install -y kernel-lt
awk '$1=="menuentry" {print $2,$3,$4}' /etc/grub2.cfg
sed -i "s/GRUB_DEFAULT=saved/GRUB_DEFAULT=0/g" /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot
uname -r
|
如果内核高于 4 版本可以不用升级
调整内核参数,对于 k8s
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| cat > kubernetes.conf <<EOF
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
net.ipv4.tcp_tw_recycle=0
vm.swappiness=0 # 禁止使用 swap 空间,只有当系统 OOM 时才允许使用它
vm.overcommit_memory=1 # 不检查物理内存是否够用
vm.panic_on_oom=0 # 开启 OOM
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
fs.file-max=52706963
fs.nr_open=52706963
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max=2310720
EOF
cp kubernetes.conf /etc/sysctl.d/kubernetes.conf
sysctl -p /etc/sysctl.d/kubernetes.conf
|
kube-proxy开启ipvs的前置条件
1
2
3
4
5
6
7
8
9
10
11
12
| modprobe br_netfilter
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules &&
lsmod | grep -e ip_vs -e nf_conntrack_ipv4
|
安装 Docker
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
yum install yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
yum update && yum install \
containerd.io-1.2.10 \
docker-ce-19.03.4 \
docker-ce-cli-19.03.4
mkdir /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
"exec-opts": ["native.cgroupdriver=systemd"],
"registry-mirrors": ["https://7w2ycc3f.mirror.aliyuncs.com"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
}
}
EOF
mkdir -p /etc/systemd/system/docker.service.d
systemctl daemon-reload && systemctl restart docker && systemctl enable docker
|
安装 kubeadm
设置 kubeadm 下载地址
1
2
3
4
5
6
7
8
9
10
| cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
|
安装 kubelet kubeadm kubectl
1
2
3
4
5
| yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
systemctl enable --now kubelet
|
kubeadm 初始化 k8s 集群
在 Master 节点服务器上 初始化集群
初始化配置文件
1
| kubeadm config print init-defaults --kubeconfig ClusterConfiguration > kubeadm-config.yaml
|
修改配置文件 kubeadm-config.yaml, 修改镜像地址,使用的是国内镜像仓库, Pod所在网段 ,如果你服务器所在的集群网段不和 192.168.0.0/16 冲突,可以不修改这个网段地址,使用默认即可, 完整配置文件如下。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
| apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
- system:bootstrappers:kubeadm:default-node-token
token: abcdef.0123456789abcdef
ttl: 24h0m0s
usages:
- signing
- authentication
kind: InitConfiguration
localAPIEndpoint:
advertiseAddress: 172.17.0.3
bindPort: 6443
nodeRegistration:
criSocket: /var/run/dockershim.sock
name: k8s-master
taints:
- effect: NoSchedule
key: node-role.kubernetes.io/master
---
apiServer:
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
type: CoreDNS
etcd:
local:
dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.20.0
networking:
podSubnet: 10.244.0.0/16
dnsDomain: cluster.local
serviceSubnet: 10.96.0.0/12
scheduler: {}
|
初始化
1
2
3
4
5
6
7
8
|
kubeadm config images list --config kubeadm-config.yaml
kubeadm config images pull --config kubeadm-config.yaml
kubeadm init --config=kubeadm-config.yaml --upload-certs | tee kubeadm-init.log
|
如果是安装成功会看到日志中输出 Your Kubernetes control-plane has initialized successfully!
创建 kubectl
1
2
3
| mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
|
记录加入Master节点的token
1
2
3
| kubeadm join 172.17.0.3:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:b0e18c9900ff18103df0c36da270a425f17b8269149e418d7d778828cd8a82ba
|
初始化的日志会保存在 kubeadm-init.log 中,方便后期查看
整理安装脚本
1
2
3
4
| mkdir -p install-k8s/core
mv kubeadm-config.yaml kubeadm-init.log ./install-k8s/core/
mv install-k8s /usr/local/
|
部署网络
1
2
3
4
5
6
7
| mkdir -p install-k8s/plugin/flannel/
cd install-k8s/plugin/flannel/
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
kubectl create -f kube-flannel.yml
kubectl get pod -n kube-system
|
安装 Dashboard 仪表盘
1
2
3
| mkdir -p /usr/local/install-k8s/plugin/dashboard/
cd /usr/local/install-k8s/plugin/dashboard/
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml
|
为了测试方便,我们将Service改成NodePort类型,注意 YAML 中最下面的 Service 部分新增一个type=NodePort
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
ports:
- port: 443
targetPort: 8443
type: NodePort
selector:
k8s-app: kubernetes-dashboard
|
部署 Dashboard
部署成功如下图显示
1
2
3
4
5
| kubectl apply -f recommended.yaml
kubectl get pods -n kubernetes-dashboard
kubectl get pods,svc -n kubernetes-dashboard
|
生成token
1
2
| cd /usr/local/install-k8s/plugin/dashboard/
vim auth.yaml
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard
|
执行如下命令可创建 ServiceAccount 和 ClusterRoleBinding
1
| kubectl apply -f auth.yaml
|
获取Bearer Token
1
| kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
|
token详情如下
更换 Dashboard 证书
虽然上面显示安装成功 dashboard 但是用浏览器打开显示不是私密链接
