kubeadm 部署k8s集群(一主两从)
| 主机名 | 地址 | 角色 | 配置 |
|---|---|---|---|
| kub-k8s-master | 192.168.75.100 | 主节点 | 2核2G 50G |
| kub-k8s-node1 | 192.168.75.103 | 工作节点 | 1核2G 50G |
| kub-k8s-node2 | 192.168.75.104 | 工作节点/haproxy | 1核2G 50G |
一、安装docker[集群]
# 一键安装docker脚本
curl -L https://gitea.beyourself.org.cn/newrain001/shell-project/raw/branch/master/os/get-docker-latest.sh | sh
二、导入镜像[集群]
上传镜像包 kube-1.22.0.tar.xz
解压后进入镜像包 sh get-docker-image.sh load
三、环境准备[集群]
- 配置本地解析
- 修改主机名
- 配置静态ip地址
- 同步时间
- 关闭防护墙、selinux
- 关闭swap分区
四、安装k8s包和依赖包[集群]
# 配置k8s源
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
# 依赖包
yum install -y conntrack ntpdate ntp ipvsadm ipset jq iptables curl sysstat libseccomp wget vim net-tools git iproute lrzsz bash-completion tree bridge-utils unzip bind-utils gcc
# k8s组件
yum install -y kubelet-1.22.0-0.x86_64 kubeadm-1.22.0-0.x86_64 kubectl-1.22.0-0.x86_64
五、加载模块、配置内核参数[集群]
# cat <<EOF > /etc/modules-load.d/ipvs.conf
ip_vs
ip_vs_lc
ip_vs_wlc
ip_vs_rr
ip_vs_wrr
ip_vs_lblc
ip_vs_lblcr
ip_vs_dh
ip_vs_sh
ip_vs_nq
ip_vs_sed
ip_vs_ftp
ip_vs_sh
nf_conntrack_ipv4
ip_tables
ip_set
xt_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip
EOF
# cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
net.ipv4.tcp_tw_recycle=0
vm.swappiness=0
vm.overcommit_memory=1
vm.panic_on_oom=0
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
fs.file-max=52706963
fs.nr_open=52706963
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max=2310720
EOF
# 配置完成后重启服务器
六、配置启动kubelet[集群]
DOCKER_CGROUPS=`docker info |grep 'Cgroup' | awk ' NR==1 {print $3}'`
cat >/etc/sysconfig/kubelet<<EOF
KUBELET_EXTRA_ARGS="--cgroup-driver=$DOCKER_CGROUPS --pod-infra-container-image=k8s.gcr.io/pause:3.5"
EOF
systemctl daemon-reload && systemctl enable kubelet && systemctl restart kubelet
七、初始化集群[master]
kubeadm init --kubernetes-version=v1.22.0 --control-plane-endpoint "192.168.91.150:6443" --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=192.168.91.150
如果采用的是非高可用不使用keepalived暴露vip的话,就可以不需要加入 --control-plane-endpoint "192.168.91.150:6443"
这指定了 Kubernetes API 服务器的控制平面端点。在高可用性 (HA) 集群设置中,即使主节点的 IP 地址可能更改或有多个主节点,客户端也会使用此端点来与集群通信。
在这里,192.168.91.150 是主节点的 IP 地址,而 6443 是 Kubernetes API 服务器默认的端口。
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
#master执行
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.
Then you can join any number of worker nodes by running the following on each as root:
# node节点执行
kubeadm join 192.168.91.150:8443 --token 9t5hnx.zfmemmdbkraqkzrr \
--discovery-token-ca-cert-hash sha256:c1eab2b5dfb905cbbb65ee75a28a4a95b28ef2f9621c2079b7e1a15f68ade4af
# master 执行配置
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
八、node节点加入集群[node]
kubeadm join 10.36.176.200:8443 --token 9t5hnx.zfmemmdbkraqkzrr \
--discovery-token-ca-cert-hash sha256:c1eab2b5dfb905cbbb65ee75a28a4a95b28ef2f9621c2079b7e1a15f68ade4af
每个哈希值不一样
# 可以在master 上查看集群node的信息
[root@kube-master1 kube-1.22.0]# kubectl get node
NAME STATUS ROLES AGE VERSION
kube-master NotReady control-plane,master 50m v1.22.0
kube-node1 NotReady <none> 46m v1.22.0
kube-node2 NotReady <none> 46m v1.22.0
九、安装网络插件[master]
[root@kub-k8s-master1 ~]# curl -L https://docs.projectcalico.org/v3.22/manifests/calico.yaml -O
# 修改 文件在4205行
4205 - name: IP_AUTODETECTION_METHOD
4206 value: "interface=ens33"
[root@kub-k8s-master1 ~]# kubectl apply -f calico.yaml
[root@kub-k8s-master1 ~]# kubectl get pod -A -w # 查看是否所有pod都是running状态
# 所有节点状态应为Ready
[root@kub-k8s-master1 ~]# kubectl get node
集群部署(三主三从)
kubernetes 集群安装 (安装haproxy版)
一、安装docker [集群]
1、curl -L https://gitea.beyourself.org.cn/newrain001/shell-project/raw/branch/master/os/get-docker-latest.sh | sh #脚本安装docker 也可以手动安装
2、sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo #修改配置文件,这个脚本已经修改好了 所以不用执行这一条命令
3、yum -y install docker-ce #安装docker
4、systemctl enable docker && systemctl start docker #做开机自启并启动
二、将集群进行域名解析 ,并修改主机名[集群]
1、 修改主机名
hostnamectl set-hostname kube-master1
........以此类推
2、域名解析
cat >> /etc/hosts <<EOF
192.168.182.5 kube-master1
192.168.182.90 kube-master2
192.168.182.6 kube-master3
192.168.182.7 kube-node1
192.168.182.8 kube-node2
EOF
#可以ping一下进行测试 ping kube-master1
三、关闭防火墙和selinux,以及配置静态ip [集群]
1.关闭防火墙:
# systemctl disable firewalld --now
2.禁用SELinux:
# setenforce 0
3.编辑文件/etc/selinux/config,将SELINUX修改为disabled,如下:
# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/sysconfig/selinux
SELINUX=disabled
4.时间同步
# timedatectl set-timezone Asia/Shanghai
# yum install -y ntpsec
# ntpdate time.windows.com
# hwclock --systohc
5.配置静态ip
vim /etc/sysconfig/network-scripts/ifcfg-ens33
#建议先配置静态ip在同步时间 这样就不能改变ip
四、关闭swap分区
1.关闭swap分区
# swapoff -a
修改/etc/fstab文件,注释掉SWAP的自动挂载,使用free -m确认swap已经关闭。
2.注释掉swap分区:
# sed -i 's/.*swap.*/#&/' /etc/fstab
# free -m
total used free shared buff/cache available
Mem: 3935 144 3415 8 375 3518
Swap: 0 0 0
五、配置阿里云k8s源,安装依赖包
1、 cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF #配置阿里云k8s源
2、yum install -y conntrack ntpdate ntp ipvsadm ipset jq iptables curl sysstat libseccomp wget vim net-tools git iproute lrzsz bash-completion tree bridge-utils unzip bind-utils gcc #下载依赖包
3、yum install -y kubelet-1.22.0-0.x86_64 kubeadm-1.22.0-0.x86_64 kubectl-1.22.0-0.x86_64 #安装k8s组件
4、cat <<EOF > /etc/modules-load.d/ipvs.conf
ip_vs
ip_vs_lc
ip_vs_wlc
ip_vs_rr
ip_vs_wrr
ip_vs_lblc
ip_vs_lblcr
ip_vs_dh
ip_vs_sh
ip_vs_nq
ip_vs_sed
ip_vs_ftp
ip_vs_sh
nf_conntrack_ipv4
ip_tables
ip_set
xt_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip
EOF #加载ipvs相关内核模块 需要重启才生效
5、配置转发相关参数,否则可能会出错
cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
net.ipv4.tcp_tw_recycle=0
vm.swappiness=0
vm.overcommit_memory=1
vm.panic_on_oom=0
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
fs.file-max=52706963
fs.nr_open=52706963
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max=2310720
EOF
6、重启服务器
reboot
六、下载镜像 [集群]
我这里是直接下载了镜像 也可以去官网或者阿里云下载(阿里云下载需要改名字)
1、解压
tar xf kube-1.22.0.tar.xz
2、加载k8s数据 两种方法 :
方法一 :输入 cd application/images && ls *.tar | xargs -i docker load -i {} && cd ../.. && cd kube-1.22.0/images && ls *.tar | xargs -i docker load -i {} && cd ../.. && docker images | wc -l
方法二 :1、cd kube-1.22.0 #进入目录
2、sh get-docker-image.sh load #执行里面的脚本
七、配置启动kubelet (初始化集群)
1、配置kubelet使用pause镜像
获取docker的cgroups
配置变量:
[root@k8s-master ~]# DOCKER_CGROUPS=`docker info |grep 'Cgroup' | awk ' NR==1 {print $3}'`
[root@k8s-master ~]# echo $DOCKER_CGROUPS
cgroupfs
2、配置kubelet的cgroups
# cat >/etc/sysconfig/kubelet<<EOF
KUBELET_EXTRA_ARGS="--cgroup-driver=$DOCKER_CGROUPS --pod-infra-container-image=k8s.gcr.io/pause:3.5"
EOF
3、启动kubelet (这个时候会报错,因为还没有初始化)
systemctl daemon-reload
systemctl enable kubelet && systemctl restart kubelet
在这里使用 # systemctl status kubelet,你会发现报错误信息;
10月 11 00:26:43 node1 systemd[1]: kubelet.service: main process exited, code=exited, status=255/n/a
10月 11 00:26:43 node1 systemd[1]: Unit kubelet.service entered failed state.
10月 11 00:26:43 node1 systemd[1]: kubelet.service failed.
运行 # journalctl -xefu kubelet 命令查看systemd日志才发现,真正的错误是:
unable to load client CA file /etc/kubernetes/pki/ca.crt: open /etc/kubernetes/pki/ca.crt: no such file or directory
#这个错误在运行kubeadm init 生成CA证书后会被自动解决,此处可先忽略。
#简单地说就是在kubeadm init 之前kubelet会不断重启。
八 、配置master节点[master1-3]
1、 yum install -y haproxy #安装haproxy
2、修改配置文件
vim /etc/haproxy/haproxy.cfg
将里面内容删除,而后将下面内容写入配置文件
global
log 127.0.0.1 local2 # 设置日志记录,使用本地系统日志服务
chroot /var/lib/haproxy # 设置 HAProxy 的运行环境为隔离模式
pidfile /var/run/haproxy.pid # 指定 HAProxy 进程的 PID 文件位置
maxconn 4000 # 设置最大并发连接数
user haproxy # 指定 HAProxy 运行的用户
group haproxy # 指定 HAProxy 运行的用户组
daemon # 以守护进程模式运行
# 开启状态统计的 UNIX 套接字
stats socket /var/lib/haproxy/stats
# Default settings section
defaults
mode tcp # 默认使用 TCP 模式,适用于非 HTTP 流量
log global # 使用全局日志设置
option tcplog # 开启 TCP 日志记录
timeout connect 10s # 连接超时设置
timeout client 1m # 客户端超时
timeout server 1m # 服务器超时
retries 3 # 连接重试次数
frontend stats
mode http
bind *:9000 # 监听 9000 端口,用于访问统计页面
stats enable # 启用统计报告
stats uri /haproxy_stats # 设置统计报告的 URI,可以通过 http://<your-ip>:9000/haproxy_stats 访问
stats realm HAProxy\ Statistics # 设置认证弹窗的标题
stats auth admin:password # 设置访问统计页面的用户名和密码,这里为 admin 和 password,您应该设置一个更安全的密码
stats admin if TRUE # 如果设置为 TRUE,允许在页面上进行管理操作
# Kubernetes Master 节点的前端配置
frontend kubernetes-frontend
bind *:6443 # 监听 8443 端口,用于 Kubernetes API
default_backend kubernetes-backend # 默认后端设置为 kubernetes-backend
# Kubernetes Master 节点的后端配置
backend kubernetes-backend
balance roundrobin # 使用轮询算法进行负载均衡
option tcp-check # 开启 TCP 检查以检测服务器健康状态
server master1 kub-k8s-master1:6443 check # Kubernetes Master 节点1
server master2 kub-k8s-master2:6443 check # Kubernetes Master 节点2
server master3 kub-k8s-master3:6443 check # Kubernetes Master 节点3
3、 启动haproxy
systemctl start haproxy
八、初始化集群第一部分 [master1做就行]
1、修改参数
kubeadm init --kubernetes-version=v1.22.0 --control-plane-endpoint "192.168.182.200:8443" --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=192.168.182.5 --apiserver-cert-extra-sans=192.168.182.200,192.168.182.5,192.168.182.90,192.168.182.6 --upload-certs
# 以上命令详解
kubeadm init #初始化
--kubernetes-version=v1.22.0 #版本信息
--control-plane-endpoint "192.168.182.200:8443" #访问终端 ,这个200是vip
--pod-network-cidr=10.244.0.0/16 #pod的网段
--apiserver-advertise-address=192.168.182.5 #当前服务器的ip 也就是master1的ip
--apiserver-cert-extra-sans=192.168.182.200,192.168.182.5,192.168.182.90,192.168.182.6 --upload-certs #这里是所有的master节点信息加上vip的信息 ,也就是4个ip地址
八、初始化集群第二部分[master2和master3执行]
上面的命令执行完之后会有以下信息:
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of the control-plane node running the following command on each as root:
kubeadm join 192.168.182.200:8443 --token 56d0uq.24nysn6gg2046qlx \
--discovery-token-ca-cert-hash sha256:1a79c204bc13f1ce6bc2277b12e8040099268b60b1450095a56055ca3d01d6b5 \
--control-plane --certificate-key 48ffe1a838ac06fd12d153be605bbfeceaf288efafdf6e9d6d1ef2247ac5585a
Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.182.200:8443 --token 56d0uq.24nysn6gg2046qlx \
--discovery-token-ca-cert-hash sha256:1a79c204bc13f1ce6bc2277b12e8040099268b60b1450095a56055ca3d01d6b5
上面记录了完成的初始化输出的内容,根据输出的内容基本上可以看出手动初始化安装一个Kubernetes集群所需要的关键步骤。
1、将这三条命令在master1上进行执行
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
2、将这些参数在其他控制节点执行 ,也就是master2 还有master3
kubeadm join 192.168.182.200:8443 --token 56d0uq.24nysn6gg2046qlx \
--discovery-token-ca-cert-hash sha256:1a79c204bc13f1ce6bc2277b12e8040099268b60b1450095a56055ca3d01d6b5 \
--control-plane --certificate-key 48ffe1a838ac06fd12d153be605bbfeceaf288efafdf6e9d6d1ef2247ac5585a
3、而后在另外两台的master进行操作 步骤1
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
4、这个时候三台master都可以参看信息
kubectl get nodes
八、初始化集群第三部分[node节点执行]
1、 node节点都执行参数
kubeadm join 192.168.182.200:8443 --token 56d0uq.24nysn6gg2046qlx \
--discovery-token-ca-cert-hash sha256:1a79c204bc13f1ce6bc2277b12e8040099268b60b1450095a56055ca3d01d6b5
九、配置keepalived[三台master]
1、下载keepalived
yum -y install keepalived
2、修改配置
vim /etc/keepalived/keepalived.conf
# 将下面参数复制进去
! Configuration File for keepalived
global_defs {
router_id directory1
}
vrrp_instance VI_1 {
state MASTER
interface ens33
virtual_router_id 80
priority 100
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.182.200/24
}
}
3、重启并开机自启keepalived
systemctl restart keepalived && systemctl enable keepalived
十、配置使用网络插件[随便一台master]
1、 部署calico网络插件
curl -L https://docs.projectcalico.org/v3.22/manifests/calico.yaml -O
2、进入这个文件修改配置 vim calico.yaml
4205 - name: IP_AUTODETECTION_METHOD
4206 value: "interface=ens33"
2、kubectl apply -f calico.yaml 启动参数
3、kubectl get pod -A -w #等到READY运行起来变成1
十一 、 集群数据库相关操作
kubernetes命令自动补全
1、yum install -y epel-release bash-completion
2、source /usr/share/bash-completion/bash_completion
3、echo "source <(kubectl completion bash)" >> ~/.bashrc
#即可补全命令
