k8s containerd二进制安装
软件安装规划
master : kube-apiserver kube-controller-manager kube-scheduler etcd kubelet kube-proxy containerd runc
worker : kubelet kube-proxy containerd runc
lb : haproxy keeplived
软件版本
CentOS 7.9
kubenetes 1.28.0
etcd 3.5.9
calico 3.26.1
coredns 1.9.4
containerd 1.7.3
runc 1.1.9
haproxy 1.5.18
keepalived v1.3.5
网络规划
node网络 192.168.1.0/24
service网络 10.96.0.0/16
Pod网络 172.16.0.0/16
设置主机名
hostnamectl set-hostname ha1
hostnamectl set-hostname ha2
hostnamectl set-hostname k8s-master1
hostnamectl set-hostname k8s-master2
hostnamectl set-hostname k8s-master3
hostnamectl set-hostname k8s-worker1
hostnamectl set-hostname k8s-worker2
hostnamectl set-hostname k8s-worker3
添加host文件
cat >> /etc/hosts << EOF
192.168.150.101 k8s-master1
192.168.150.102 k8s-master2
192.168.150.103 k8s-master3
192.168.150.104 k8s-worker1
EOF
关闭防火墙、selinux、swap
firewall-cmd --state
systemctl stop firewalld && systemctl disable firewalld
swapoff -a && sysctl -w vm.swappiness=0
echo "vm.swappiness=0" >> /etc/sysctl.conf
sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux
时钟同步
yum install -y ntpdate
crontab -e
0 */1 * * * ntpdate time1.aliyun.com
limit优化
ulimit -SHn 65535
cat >> /etc/security/limits.conf << EOF
* soft nofile 65536
* hard nofile 65536
* soft nproc 65536
* hard nproc 65536
* soft memlock unlimited
* hard memlock unlimited
EOF
ipvs安装及模块加载
安装ipvs
yum install ipvsadm ipset sysstat conntrack libseccomp -y
所有节点配置ipvs模块
# 编辑配置信息
cat > /etc/modules-load.d/ipvs.conf <<EOF
ip_vs
ip_vs_lc
ip_vs_wlc
ip_vs_rr
ip_vs_wrr
ip_vs_lblc
ip_vs_lblcr
ip_vs_dh
ip_vs_sh
ip_vs_fo
ip_vs_nq
ip_vs_sed
ip_vs_ftp
ip_vs_sh
nf_conntrack
ip_tables
ip_set
xt_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip
EOF
加载containerd内核模块
cat >> /etc/modules-load.d/containerd.conf << EOF
overlay
br_netfilter
EOF
# 重新加载
systemctl enable --now systemd-modules-load.service
# 确认
lsmod | grep -e ip_vs -e nf_conntrack
linux内核升级
yum install -y perl
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum --enablerepo="elrepo-kernel" install kernel-lt
grub2-set-default 0
grub2-mkconfig -o /boot/grub2/grub.cfg
调整优化参数
cat > /etc/sysctl.d/k8s.conf << EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
fs.may_detach_mounts = 1
vm.overcommit_memory = 1
fs.inotify.max_user_watches = 89100
fs.file-max = 52706963
fs.nr_open = 52706963
fs.netfilter.nf_conntrack_max = 2310720
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 327680
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.ip_conntrack_max = 131072
net.ipv4.tcp_timestamps = 0
net.core.somaxconn = 16384
EOF
sysctl --system
查看模块IPVS nf_conntrack加载
lsmod | grep --color=auto -e ip_vs -e nf_conntrack
lsmod | egrep 'br_netfilter'
lsmod | egrep 'overlay'
选装工具
yum install -y wget jq psmisc vim net-tools telnet yum-utils device-mapper-persistent-data lvm2 git lrzsz
安装haproxy、keepalived
yum install -y haproxy keepalived
# 配置HAProxy 注意修改ip
cat > /etc/haproxy/haproxy.cfg << EOF
global
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 2000
ulimit-n 16384
log 127.0.0.1 local0 err
stats timeout 30s
defaults
log global
mode http
option httplog
timeout connect 5000
timeout client 50000
timeout server 50000
timeout http-request 15s
timeout http-keep-alive 15s
frontend monitor-in
bind *:33305
mode http
option httplog
monitor-uri /monitor
frontend k8s-master
bind *:8443
mode tcp
option tcplog
tcp-request inspect-delay 5s
default_backend k8s-master
backend k8s-master
mode tcp
option tcplog
option tcp-check
balance roundrobin
default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
server master01 192.168.83.150:6443 check
server master02 192.168.83.151:6443 check
server master03 192.168.83.152:6443 check
EOF
启动haproxy
systemctl start haproxy
systemctl status haproxy
systemctl enable haproxy
# 配置keepalived
## 注意修改ip,state,网卡名称
cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf_bak
cat > /etc/keepalived/keepalived.conf << EOF
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
}
vrrp_script chk_apiserver {
script "/etc/keepalived/check_apiserver.sh"
interval 5
weight -5
fall 2
rise 1
}
vrrp_instance VI_1 {
state BACKUP
interface ens33
mcast_src_ip 192.168.83.161
virtual_router_id 51
priority 100
nopreempt
advert_int 2
authentication {
auth_type PASS
auth_pass K8SHA_KA_AUTH
}
virtual_ipaddress {
192.168.83.161
}
track_script {
chk_apiserver
} }
EOF
所有haproxy启动keepalived
systemctl restart keepalived
启动时会自动添加一个drop的防火墙规则,需要清除
iptables -F
systemctl status keepalived
systemctl enable keepalived
查看vip
ip add | grep 10.11
# 健康检测脚本
cat > /etc/keepalived/check_apiserver.sh << EOF
#!/bin/bash
err=0
for k in $(seq 1 3)
do
check_code=$(pgrep haproxy)
if [[ $check_code == "" ]]; then
err=$(expr $err + 1)
sleep 1
continue
else
err=0
break
fi
done
if [[ $err != "0" ]]; then
echo "systemctl stop keepalived"
/usr/bin/systemctl stop keepalived
exit 1
else
exit 0
fi
EOF
???
# 给执行权限
chmod +x /etc/keepalived/check_apiserver.sh
???
# 所有master节点启动haproxy和keepalived
systemctl enable --now haproxy
systemctl enable --now keepalived
# 验证
ping 192.168.10.11
重要:如果安装了keepalived和haproxy 需要测试keepalived是否是正常的
[root@k8s-master01 pki]# telnet 192.168.10.11 8443
Trying 192.168.10.11...
Connected to 192.168.10.11.
Escape character is '^]'.
Connection closed by foreign host.
如果ping不通且telnet没有出现']',则认为VIP不可以,不可再继续往下执行,需要排查keepalived的问题,比如防火墙和selinux,haproxy和keepalived的状态,监听端口???
所有节点查看防火墙状态必须为disable和inactive:systemctl status firewalld
所有节点查看selinux状态,必须为disable:getenforce
master节点查看haproxy和keepalived状态:systemctl status keepalived haproxy
创建k8s工作目录--存放文件及生成证书文???
mkdir -p /data/k8s-work
wget "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64" -O /usr/local/bin/cfssl
wget "https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64" -O /usr/local/bin/cfssljson
wget "https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64" -O /usr/local/bin/cfssl-certinfo
生成证书文件损坏请求成功也无法生成文件
安装ETCD
生成CA证书请求文件
cat > ca-csr.json << EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "kubemsb",
"OU": "CN"
}
],
"ca":{
"expiry": "87600h"
}
}
EOF
生成CA证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cfssl print-defaults config > ca-config.json --生成CA证书策略文件
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
-------------etcd证书
cat > etcd-csr.json << EOF
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"192.168.83.150",
"192.168.83.151",
"192.168.83.152",
"192.168.83.161"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "kubemsb",
"OU": "CN"
}]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
-----------------ETCD软件安装
wget https://github.com/etcd-io/etcd/releases/download/v3.5.11/etcd-v3.5.11-linux-amd64.tar.gz
tar xvf etcd-v3.5.11-linux-amd64.tar.gz
cp etcd-v3.5.11-linux-amd64/etcd* /usr/local/bin
scp etcd-v3.5.11-linux-amd64/etcd* k8s-master2:/usr/local/bin
scp etcd-v3.5.11-linux-amd64/etcd* k8s-master3:/usr/local/bin
mkdir /etc/etcd
cat > /etc/etcd/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd3"
ETCD_DATA_DIR="/etc/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.83.152:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.83.152:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.83.152:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.83.152:2379"
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.83.150:2380,etcd2=https://192.168.83.151:2380,etcd3=https://192.168.83.152:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
#注:
ETCD_NAME:节点名称,集群中唯一
ETCD_DATA_DIR:数据目录
ETCD_LISTEN_PEER_URLS:集群通信监听地址
ETCD_LISTEN_CLIENT_URLS:客户端访问监听地址
ETCD_INITIAL_ADVERTISE_PEER_URLS:集群通告地址
ETCD_ADVERTISE_CLIENT_URLS:客户端通告地址
ETCD_INITIAL_CLUSTER:集群节点地址
ETCD_INITIAL_CLUSTER_TOKEN:集群Token
ETCD_INITIAL_CLUSTER_STATE:加入集群的当前状态,new是新集群,existing表示加入已有集群
mkdir -p /etc/etcd/ssl
mkdir -p /var/lib/etcd/default.etcd
cp ca*.pem etcd*.pem /etc/etcd/ssl
scp ca*.pem etcd*.pem k8s-master2:/etc/etcd/ssl
scp ca*.pem etcd*.pem k8s-master3:/etc/etcd/ssl
cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/etc/etcd/etcd.conf
workingDirectory=/var/lib/etcd/
ExecStart=/usr/local/bin/etcd \
--cert-file=/etc/etcd/ssl/etcd.pem \
--key-file=/etc/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/etc/etcd/ssl/ca.pem \
--peer-cert-file=/etc/etcd/ssl/etcd.pem \
--peer-key-file=/etc/etcd/ssl/etcd-key.pem \
--peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
--peer-client-cert-auth \
--client-cert-auth \
--logger=zap
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now etcd.service
systemctl status etcd
ETCDCTL_API=3 /usr/local/bin/etcdctl --write-out=table --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints="https://192.168.83.150:2379,https://192.168.83.151:2379,https://192.168.83.152:2379" endpoint health
ETCDCTL_API=3 /usr/local/bin/etcdctl --write-out=table --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints="https://192.168.83.150:2379,https://192.168.83.151:2379,https://192.168.83.152:2379" member list
ETCDCTL_API=3 /usr/local/bin/etcdctl --write-out=table --cacert=/etc/etcd/ssl/ca.pem --cert=/etc/etcd/ssl/etcd.pem --key=/etc/etcd/ssl/etcd-key.pem --endpoints="https://192.168.83.150:2379,https://192.168.83.151:2379,https://192.168.83.152:2379" endpoint status
###################################kubernetes
下载kubernetes
wget --no-check-certificate https://dl.k8s.io/v1.29.0/kubernetes-server-linux-amd64.tar.gz
解压软件
tar -zxvf kubernetes-server-linux-amd64.tar.gz
cd /data/k8s-work/kubernetes/server/bin
cp kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/local/bin
拷贝至另外两个节点
scp kube-apiserver kube-controller-manager kube-scheduler kubectl k8s-master2:/usr/local/bin
scp kube-apiserver kube-controller-manager kube-scheduler kubectl k8s-master3:/usr/local/bin
在集群节点上创建目录
mkdir -p /etc/kubernetes
mkdir -p /etc/kubernetes/ssl
mkdir -p /var/log/kubernetes
scp kubelet kube-proxy k8s-worker1:/usr/local/bin
###########################部署api-server
创建api-server证书请求文件
cat > kube-apiserver-csr.json << 'EOF'
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.83.150",
"192.168.83.151",
"192.168.83.152",
"192.168.83.161",
"10.96.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:masters",
"OU": "system"
}
]
}
EOF
#注: 如果 hosts 字段不为空则需要指定授权使用该证书的 IP 或域名列表。 由于该证书后续被 kubernetes master 集群使用,需要将master节点的IP都填上,同时还需要填写 service 网络的首个IP。(一般是 kube-apiserver 指定的 service-cluster-ip-range 网段的第一个IP,如 10.255.0.1)
Work节点的证书使用API授权,不自己签发,所以这里的IP地址除了Work节点不用写,其他都要写。
生成api-server证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-apiserver-csr.json | cfssljson -bare kube-apiserver
cat > token.csv << EOF
$(head -c 16 /dev/urandom | od -An -t x | tr -d ' '),kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
说明???
启用 TLS Bootstrapping 机制
TLS Bootstraping:Master apiserver 启用 TLS 认证后,Node 节点 kubelet ??? kube-proxy 要与 kube-apiserver 进行通信,必须使??? CA 签发的有效证书才可以,当 Node节点很多时,这种客户端证书颁发需要大量工作,同样也会增加集群扩展复杂度。为了简化流程,Kubernetes 引入??? TLS bootstraping 机制来自动颁发客户端证书,kubelet会以一个低权限用户自动??? apiserver 申请证书,kubelet 的证书由 apiserver 动态签署。所以强烈建议在 Node 上使用这种方式,目前主要用于 kubelet,kube-proxy 还是由我们统一颁发一个证书???
cat > /etc/kubernetes/kube-apiserver.conf << 'EOF'
KUBE_APISERVER_OPTS="--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \
--anonymous-auth=false \
--bind-address=192.168.83.150 \
--secure-port=6443 \
--advertise-address=192.168.83.150 \
--authorization-mode=Node,RBAC \
--runtime-config=api/all=true \
--enable-bootstrap-token-auth \
--service-cluster-ip-range=10.96.0.0/16 \
--token-auth-file=/etc/kubernetes/token.csv \
--service-node-port-range=30000-32767 \
--tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem \
--tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem \
--client-ca-file=/etc/kubernetes/ssl/ca.pem \
--kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem \
--kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem \
--service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
--service-account-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
--service-account-issuer=api \
--etcd-cafile=/etc/etcd/ssl/ca.pem \
--etcd-certfile=/etc/etcd/ssl/etcd.pem \
--etcd-keyfile=/etc/etcd/ssl/etcd-key.pem \
--etcd-servers=https://192.168.83.150:2379,https://192.168.83.151:2379,https://192.168.83.152:2379 \
--allow-privileged=true \
--apiserver-count=3 \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/var/log/kube-apiserver-audit.log \
--event-ttl=1h \
--v=4"
EOF
#注:
--logtostderr:启用日志
--v:日志等级
--log-dir:日志目录
--etcd-servers:etcd集群地址
--bind-address:监听地址
--secure-port:https安全端口
--advertise-address:集群通告地址
--allow-privileged:启用授权
--service-cluster-ip-range:Service虚拟IP地址段
--enable-admission-plugins:准入控制模块
--authorization-mode:认证授权,启用RBAC授权和节点自管理
--enable-bootstrap-token-auth:启用TLS bootstrap机制
--token-auth-file:bootstrap token文件
--service-node-port-range:Service nodeport类型默认分配端口范围
--kubelet-client-xxx:apiserver访问kubelet客户端证书
--tls-xxx-file:apiserver https证书
--etcd-xxxfile:连接Etcd集群证书 –
-audit-log-xxx:审计日志
cp ca*.pem /etc/kubernetes/ssl
cp kube-apiserver*.pem /etc/kubernetes/ssl
cp token.csv /etc/kubernetes
scp ca*.pem k8s-master3:/etc/kubernetes/ssl
scp kube-apiserver*.pem k8s-master3:/etc/kubernetes/ssl
scp token.csv k8s-master3:/etc/kubernetes
scp /etc/kubernetes/kube-apiserver.conf k8s-master3:/etc/kubernetes
配置api-server服务启动文件
cat > /usr/lib/systemd/system/kube-apiserver.service << 'EOF'
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=etcd.service
Wants=etcd.service
[Service]
EnvironmentFile=/etc/kubernetes/kube-apiserver.conf
ExecStart=/usr/local/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
scp /usr/lib/systemd/system/kube-apiserver.service k8s-master2:/usr/lib/systemd/system
scp /usr/lib/systemd/system/kube-apiserver.service k8s-master3:/usr/lib/systemd/system
systemctl daemon-reload
systemctl enable --now kube-apiserver
systemctl start kube-apiserver
验证
curl --insecure https://192.168.83.150:6443/
##################部署kubectl
生成kubectl证书请求文件
cat > /data/k8s-work/admin-csr.json << 'EOF'
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:masters",
"OU": "system"
}
]
}
EOF
生成kubectl证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
拷贝证书
cp admin*.pem /etc/kubernetes/ssl
生成kubeconfig配置文件
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.83.161:8443 --kubeconfig=kube.config
设置客户端认证参数
kubectl config set-credentials admin --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true --kubeconfig=kube.config
设置上下文参数
kubectl config set-context kubernetes --cluster=kubernetes --user=admin --kubeconfig=kube.config
设置当前上下文
kubectl config use-context kubernetes --kubeconfig=kube.config
mkdir -p ~/.kube
cp kube.config ~/.kube/config
scp kube.config k8s-master2:~/.kube/config
scp kube.config k8s-master3:~/.kube/config
授权kubenetes证书访问kubelet api权限
kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes --kubeconfig=/root/.kube/config
查看集群信息
kubectl cluster-info
kubectl get componentstatuses
kubectl get all --all-namespaces
命令补全
yum install -y bash-completion
source /usr/share/bash-completion/bash_completion
source <(kubectl completion bash)
echo "source <(kubectl completion bash)" >> ~/.bash
################部署kube-controller-manager
controller-manager 作为 k8s 集群的管理控制中心,负责集群??? Node、Namespace、Service、Token、Replication 等资源对象的管理,使集群内的资源对象维持在预期的工作状态???
每一??? controller 通过 api-server 提供??? restful 接口实时监控集群内每个资源对象的状态,当发生故障,导致资源对象的工作状态发生变化,就进行干预,尝试将资源对象从当前状态恢复为预期的工作状态, 常见??? controller ??? Namespace Controller、Node Controller、Service Controller、ServiceAccount Controller、Token Controller、ResourceQuote Controller、Replication Controller等???
生成kube-controller-manager证书请求文件
cat > /data/k8s-work/kube-controller-manager-csr.json << 'EOF'
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"hosts": [
"127.0.0.1",
"192.168.1.152",
"192.168.1.153",
"192.168.1.154"
],
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:kube-controller-manager",
"OU": "system"
}
]
}
EOF
注:
hosts 列表包含所有 kube-controller-manager 节点 IP;
CN 为 system:kube-controller-manager、
O 为 system:kube-controller-manager,
kubernetes 内置的 ClusterRoleBindings system:kube-controller-manager 赋予 kube-controller-manager 工作所需的权限
生成kube-controller-manager证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
生成kube-controller-manager.kubeconfig文件
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.1.161:6443 --kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager --client-certificate=kube-controller-manager.pem --client-key=kube-controller-manager-key.pem --embed-certs=true --kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-context system:kube-controller-manager --cluster=kubernetes --user=system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig
kubectl config use-context system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig
生成kube-controller-manager配置文件
cat > /data/k8s-work/kube-controller-manager.conf << 'EOF'
KUBE_CONTROLLER_MANAGER_OPTS="--cluster-name=kubernetes \
--secure-port=10257 \
--bind-address=127.0.0.1 \
--service-cluster-ip-range=10.96.0.0/16 \
--allocate-node-cidrs=true \
--cluster-cidr=172.16.0.0/16 \
--leader-elect=true \
--controllers=*,bootstrapsigner,tokencleaner \
--kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig \
--tls-cert-file=/etc/kubernetes/ssl/kube-controller-manager.pem \
--tls-private-key-file=/etc/kubernetes/ssl/kube-controller-manager-key.pem \
--cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
--cluster-signing-duration=175200h0m0s \
--use-service-account-credentials=true \
--root-ca-file=/etc/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem \
--v=2 "
EOF
--service-cluster-ip-range=10.96.0.0/16 #表示service 分配的IP
--cluster-cidr=172.16.0.0.0/16 #表示pod分配的IP
--leader-elect=true #启用CONTROOLER-MANAGER主节点选举功能
--controllers=*,bootstrapsigner,tokencleaner #启用完整的所有的控制???
--use-service-account-credentials #启用K8S内置的RBAC权限策略
创建服务启动文件
cat > /usr/lib/systemd/system/kube-controller-manager.service << 'EOF'
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/etc/kubernetes/kube-controller-manager.conf
ExecStart=/usr/local/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
cp kube-controller-manager*.pem /etc/kubernetes/ssl/
cp kube-controller-manager.kubeconfig /etc/kubernetes/
cp kube-controller-manager.conf /etc/kubernetes/
cp kube-controller-manager.service /usr/lib/systemd/system/
scp kube-controller-manager*.pem k8s-master2:/etc/kubernetes/ssl/
scp kube-controller-manager.kubeconfig k8s-master2:/etc/kubernetes/
scp kube-controller-manager.conf k8s-master2:/etc/kubernetes/
scp kube-controller-manager.service k8s-master2:/usr/lib/systemd/system/
systemctl daemon-reload
systemctl enable --now kube-controller-manager
systemctl status kube-controller-manager
###########################部署kube-scheduler
Scheduler负责节点资源管理,接收来自kube-apiserver创建Pods的任务,收到任务后它会检索出所有符合该Pod要求的Node节点(通过预选策略和优选策略),开始执行Pod调度逻辑。调度成功后将Pod绑定到目标节点上
cat > /data/k8s-work/kube-scheduler-csr.json <<'EOF'
{
"CN": "system:kube-scheduler",
"hosts": [
"127.0.0.1",
"192.168.1.152",
"192.168.1.153",
"192.168.1.154"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:kube-scheduler",
"OU": "system"
}
]
}
EOF
注: hosts 列表包含所有 kube-scheduler 节点 IP; CN 为 system:kube-scheduler、O 为 system:kube-scheduler,kubernetes 内置的 ClusterRoleBindings system:kube-scheduler 将赋予 kube-scheduler 工作所需的权限。
生成kube-scheduler证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.1.161:6443 --kubeconfig=kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler --client-certificate=kube-scheduler.pem --client-key=kube-scheduler-key.pem --embed-certs=true --kubeconfig=kube-scheduler.kubeconfig
kubectl config set-context system:kube-scheduler --cluster=kubernetes --user=system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
kubectl config use-context system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
cat > kube-scheduler.conf << 'EOF'
KUBE_SCHEDULER_OPTS="--bind-address=127.0.0.1 \
--kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \
--leader-elect=true \
--v=2"
EOF
cat > /usr/lib/systemd/system/kube-scheduler.service << 'EOF'
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/etc/kubernetes/kube-scheduler.conf
ExecStart=/usr/local/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
cp kube-scheduler*.pem /etc/kubernetes/ssl
cp kube-scheduler.kubeconfig /etc/kubernetes
cp kube-scheduler.conf /etc/kubernetes
scp kube-scheduler*.pem k8s-master3:/etc/kubernetes/ssl
scp kube-scheduler.kubeconfig k8s-master3:/etc/kubernetes
scp kube-scheduler.conf k8s-master3:/etc/kubernetes
systemctl daemon-reload
systemctl enable --now kube-scheduler
systemctl status kube-scheduler
##############安装containerd
将文件传送至worker节点,解压至/目录下即安装完成
tar zxvf cri-containerd-cni-1.7.3-linux-amd64.tar.gz -C /
[root@k8s-worker1 ~]# tar -zxvf cri-containerd-cni-1.7.3-linux-amd64.tar.gz -C /
cri-containerd.DEPRECATED.txt
etc/
etc/cni/
etc/cni/net.d/
etc/cni/net.d/10-containerd-net.conflist
etc/systemd/
etc/systemd/system/
etc/systemd/system/containerd.service
etc/crictl.yaml
usr/
usr/local/
usr/local/bin/
usr/local/bin/crictl
usr/local/bin/containerd-shim-runc-v2
usr/local/bin/containerd-stress
usr/local/bin/containerd-shim-runc-v1
usr/local/bin/containerd-shim
usr/local/bin/critest
usr/local/bin/containerd
usr/local/bin/ctr
usr/local/bin/ctd-decoder
usr/local/sbin/
usr/local/sbin/runc
opt/
opt/cni/
opt/cni/bin/
opt/cni/bin/dhcp
opt/cni/bin/macvlan
opt/cni/bin/host-device
opt/cni/bin/dummy
opt/cni/bin/loopback
opt/cni/bin/ipvlan
opt/cni/bin/host-local
opt/cni/bin/vlan
opt/cni/bin/firewall
opt/cni/bin/ptp
opt/cni/bin/portmap
opt/cni/bin/vrf
opt/cni/bin/bandwidth
opt/cni/bin/static
opt/cni/bin/tuning
opt/cni/bin/bridge
opt/cni/bin/sbr
opt/containerd/
opt/containerd/cluster/
opt/containerd/cluster/gce/
opt/containerd/cluster/gce/env
opt/containerd/cluster/gce/configure.sh
opt/containerd/cluster/gce/cni.template
opt/containerd/cluster/gce/cloud-init/
opt/containerd/cluster/gce/cloud-init/node.yaml
opt/containerd/cluster/gce/cloud-init/master.yaml
opt/containerd/cluster/version
创建目录存放配置文件
mkdir -p /etc/containerd
生成配置文件
containerd config default > /etc/containerd/config.toml
根据需要修改配置文件
下载runc
wget https://github.com/opencontainers/runc/releases/download/v1.1.9/runc.amd64
chmod +x runc.amd64
cp runc.amd64 /usr/local/sbin/runc
runc -v
runc version 1.1.9
commit: v1.1.9-0-gccaecfcb
spec: 1.0.2-dev
go: go1.20.3
libseccomp: 2.5.4
systemctl enable --now containerd
###############部署kubelet
创建kubelet-bootstrap.kubeconfig
BOOTSTRAP_TOKEN=$(awk -F "," '{print $1}' /etc/kubernetes/token.csv)
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.1.161:6443 --kubeconfig=kubelet-bootstrap.kubeconfig
kubectl config set-credentials kubelet-bootstrap --token=${BOOTSTRAP_TOKEN} --kubeconfig=kubelet-bootstrap.kubeconfig
kubectl config set-context default --cluster=kubernetes --user=kubelet-bootstrap --kubeconfig=kubelet-bootstrap.kubeconfig
kubectl config use-context default --kubeconfig=kubelet-bootstrap.kubeconfig
kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=cluster-admin --user=kubelet-bootstrap
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
cat > kubelet.conf <<'EOF'
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 0
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 2m0s
enabled: true
x509:
clientCAFile: /etc/kubernetes/ssl/ca.pem
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 5m0s
cacheUnauthorizedTTL: 30s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.2
clusterDomain: cluster.local
healthzBindAddress: 127.0.0.1
healthzPort: 10248
rotateCertificates: true
evictionHard:
imagefs.available: 15%
memory.available: 100Mi
nodefs.available: 10%
nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
EOF
cat > /usr/lib/systemd/system/kubelet.service << 'EOF'
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=containerd.service
Requires=containerd.service
[Service]
ExecStart=/usr/local/bin/kubelet \
--bootstrap-kubeconfig=/etc/kubernetes/kubelet-bootstrap.kubeconfig \
--cert-dir=/etc/kubernetes/ssl \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
--config=/etc/kubernetes/kubelet.conf \
--network-plugin=cni \
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.3 \
--logtostderr=false \
--log-dir=/var/log/kubernetes \
--v=2
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
#注:
–hostname-override:显示名称,集群中唯一
–network-plugin:启用CNI
–kubeconfig:空路径,会自动生成,后面用于连接apiserver
–bootstrap-kubeconfig:首次启动向apiserver申请证书
–config:配置参数文件
–cert-dir:kubelet证书生成目录
–pod-infra-container-image:管理Pod网络容器的镜像
mkdir -p /etc/kubernetes/ssl
mkdir -p /var/lib/kubelet
mkdir -p /var/log/kubenetes
scp ca.pem ca-key.pem k8s-worker1:/etc/kubernetes/ssl
scp kubelet-bootstrap.kubeconfig k8s-worker1:/etc/kubernetes/
scp kubelet.conf k8s-worker1:/etc/kubernetes/
systemctl daemon-reload
systemctl enable --now kubelet
systemctl status kubelet
###############部署kube-proxy
生成kube-proxy证书请求文件
cat > kube-proxy-csr.json << 'EOF'
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "kubemsb",
"OU": "CN"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.1.161:6443 --kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy --client-certificate=kube-proxy.pem --client-key=kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default --cluster=kubernetes --user=kube-proxy --kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
cat > kube-proxy.conf << 'EOF'
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 192.168.1.155
clientConnection:
kubeconfig: /etc/kubernetes/kube-proxy.kubeconfig
clusterCIDR: 172.16.0.0/16
healthzBindAddress: 192.168.1.155:10256
metricsBindAddress: 192.168.1.155:10249
mode: "ipvs"
EOF
bindAddress: 0.0.0.0 # KUBE-PROXY的监听地址[官方默认"0.0.0.0"]
clusterCIDR: "10.0.0.0/16" # CNI网络插件所使用的CIDR范围[官方:PodIP的CIDR范围];
# 与"kube-controller-manager"的"--cluster-cidr="配置有关
healthzBindAddress: "0.0.0.0:10256" # KUBE-PROXY健康检查的地址[官方默认"0.0.0.0:10256"]
metricsBindAddress: "0.0.0.0:10249" # KUBE-PROXY获取METRICS指标的地址[官方默认"127.0.0.1:10249"]
mode: ipvs # 所使用流量转发模式
scp kube-proxy*.pem k8s-worker1:/etc/kubernetes/ssl/
scp kube-proxy.kubeconfig kube-proxy.conf k8s-worker1:/etc/kubernetes/
cat > /usr/lib/systemd/system/kube-proxy.service << 'EOF'
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
WorkingDirectory=/var/lib/kube-proxy
ExecStart=/usr/local/bin/kube-proxy \
--config=/etc/kubernetes/kube-proxy.conf \
--v=2
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable --now kube-proxy
systemctl status kube-proxy
##############部署网络组件calico
curl https://docs.projectcalico.org/manifests/calico.yaml -O
wget https://docs.tigera.io/calico/latest/manifests/calico.yaml --no-check-certificate
#修改yaml文件,也可直接使用我修改后上传的yaml文件
[root@master1 k8s-yaml]# vim calico.yaml
- name: CALICO_IPV4POOL_CIDR # PodIP的CIDR范围
value: "10.0.0.0/16" # [修改]PodCIDR范围[等于"kube-controller-manager"中的"--cluster-cidr="]
- name: CALICO_IPV4POOL_IPIP # CALICO IPIP 模式的启用/禁用
value: "Never" # [修改]"Never"表示使用BGP;"Always"表示使用IPIP
- name: IP_AUTODETECTION_METHOD # [按需使用]特殊配置,未在默认的配置文件中存在,需要手动增加,与"CALICO_IPV4POOL_CIDR"同级
value: "interface=eth0" # CALICO的部署默认会自动选择合适的网卡,但在一些环境中此方法可能会存在问题,本配置项的作用为
# 用于定义部署过程中的网卡选择;"eth0"这实际是一个正则表达式,"eth0"表示严格匹配所使用的网卡
# 提示:如果你的网络环境能正常部署成功,不建议增加此项而提高维护的复杂度
#部署
kubectl apply -f calico.yaml
部署coredns
curl https://raw.githubusercontent.com/coredns/deployment/master/kubernetes/coredns.yaml.sed > coredns.yaml
kubectl apply -f coredns.yaml
「喜欢这篇文章,您的关注和赞赏是给作者最好的鼓励」
关注作者
【版权声明】本文为墨天轮用户原创内容,转载时必须标注文章的来源(墨天轮),文章链接,文章作者等基本信息,否则作者和墨天轮有权追究责任。如果您发现墨天轮中有涉嫌抄袭或者侵权的内容,欢迎发送邮件至:contact@modb.pro进行举报,并提供相关证据,一经查实,墨天轮将立刻删除相关内容。
