Environment Setup
Software Versions
- OS: Rocky Linux 9.5
- Kubernetes: 1.32.1
- Container runtime: cri-dockerd
- Network plugin: Calico
Host Allocation
| Host | Specs | IP |
|---|---|---|
| k8s-master | 2 CPU / 4 GB | 10.211.55.3 |
| k8s-node01 | 2 CPU / 4 GB | 10.211.55.4 |
| k8s-node02 | 2 CPU / 4 GB | 10.211.55.6 |
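This guide assumes each machine's hostname matches the table above. A minimal sketch to set them, running the matching line on its host:
hostnamectl set-hostname k8s-master   # on 10.211.55.3
hostnamectl set-hostname k8s-node01   # on 10.211.55.4
hostnamectl set-hostname k8s-node02   # on 10.211.55.6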
OS Initialization
Switch the System Package Mirrors
Run on all nodes:
sed -e 's|^mirrorlist=|#mirrorlist=|g' \
-e 's|^#baseurl=http://dl.rockylinux.org/$contentdir|baseurl=https://mirrors.aliyun.com/rockylinux|g' \
-i.bak \
/etc/yum.repos.d/[Rr]ocky*.repo
# Refresh the cache
dnf makecache

Disable the Firewall
Run on all nodes:
# Stop the service and disable it at boot
systemctl disable --now firewalld.service
# Check status
systemctl status firewalld.service

Disable SELinux
Run on all nodes:
# Disable permanently
sed -ri 's#(SELINUX=)enforcing#\1disabled#g' /etc/selinux/config
# Disable for the current session
setenforce 0
# Check status
getenforce

Disable the Swap Partition
Run on all nodes:
# Disable temporarily
swapoff -a
# Disable permanently (comment out any swap entries in /etc/fstab)
sed -i 's/.*swap.*/#&/' /etc/fstab
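An optional quick check that swap is really off:
swapon --show   # no output means swap is disabled
free -h         # the Swap line should read 0B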
Add hosts Entries
Run on all nodes:
cat >> /etc/hosts << EOF
10.211.55.3 k8s-master
10.211.55.4 k8s-node01
10.211.55.6 k8s-node02
EOF

Configure Passwordless SSH
Run on the master node:
# Install sshpass
dnf install sshpass -y
# Generate a key pair non-interactively
mkdir -p $HOME/.ssh
ssh-keygen -P '' -q -t rsa -f $HOME/.ssh/id_rsa
# Root password of the nodes
Password=YOURPASSWORD
# Copy the public key to every node (iterate over the k8s hostnames in /etc/hosts)
for i in $(awk '/k8s/{print $2}' /etc/hosts); do sshpass -p $Password ssh-copy-id -o StrictHostKeyChecking=no root@$i; done
# Copy the full contents of .ssh to the other nodes (ssh-copy-id already created ~/.ssh there)
scp -r $HOME/.ssh/* root@k8s-node01:$HOME/.ssh/
scp -r $HOME/.ssh/* root@k8s-node02:$HOME/.ssh/
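As an optional sanity check, confirm key-based login works on every node (BatchMode makes ssh fail instead of prompting for a password):
for h in k8s-master k8s-node01 k8s-node02; do ssh -o BatchMode=yes root@$h hostname; done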
Modify Kernel Parameters
Run on all nodes:
# Kubernetes sysctl settings
cat > /etc/sysctl.d/k8s.conf << EOF
# Kernel parameter tuning
vm.swappiness=0
# Make traffic crossing Linux bridges pass through the iptables/netfilter firewall
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
# Load the bridge-filtering kernel modules
cat <<EOF | tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF
modprobe overlay
modprobe br_netfilter
# Apply all sysctl settings
sysctl --system
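Optionally confirm the settings took effect (the bridge keys only exist once br_netfilter is loaded, which the modprobe above ensures):
sysctl net.bridge.bridge-nf-call-iptables net.ipv4.ip_forward
# Both values should print as 1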
# Verify the module is loaded
lsmod | grep br_netfilter
# Output like the following indicates success
[root@k8s-master ~]# lsmod | grep br_netfilter
br_netfilter 32768 0
bridge 303104 1 br_netfilter

Configure IPVS Support
Run on all nodes:
# Install ipset and ipvsadm
dnf install ipset ipvsadm -y
# Persist the list of modules to load at boot
cat <<EOF | sudo tee /etc/modules-load.d/ipvs.conf
overlay
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
EOF
modprobe overlay
modprobe ip_vs && modprobe ip_vs_rr && modprobe ip_vs_wrr && modprobe ip_vs_sh && modprobe nf_conntrack
# Verify the modules loaded (on EL9 kernels nf_conntrack_ipv4 is merged into nf_conntrack)
[root@k8s-master ~]# lsmod | grep -e ip_vs -e nf_conntrack
ip_vs_sh 12288 0
ip_vs_wrr 12288 0
ip_vs_rr 12288 6
ip_vs 184320 12 ip_vs_rr,ip_vs_sh,ip_vs_wrr
nf_conntrack 200704 7 xt_conntrack,nf_nat,xt_nat,nf_conntrack_netlink,xt_CT,xt_MASQUERADE,ip_vs
nf_defrag_ipv6 24576 2 nf_conntrack,ip_vs
libcrc32c 12288 5 nf_conntrack,nf_nat,nf_tables,xfs,ip_vs

Install Docker
Run on all nodes:
dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
dnf update
dnf install -y docker-ce

Configure a Docker registry mirror:
Run on all nodes:
vi /etc/docker/daemon.json
{
"registry-mirrors": ["https://docker.1panel.live"]
}

Restart the Docker service:
Run on all nodes:
sudo systemctl daemon-reload
sudo systemctl restart docker
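Optionally verify Docker picked up the mirror (docker info lists configured mirrors under "Registry Mirrors"):
docker info | grep -A1 "Registry Mirrors"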
Set Docker to start at boot:
Run on all nodes:
systemctl enable docker --now

Install the Runtime Environment (cri-dockerd)
Run on all nodes:
# Download the package for your version and platform (amd64/arm64) from https://github.com/Mirantis/cri-dockerd/releases
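For example, for the v0.3.16 arm64 build extracted below (at the time of writing the release assets follow this naming pattern; adjust the version and architecture for your platform):
wget https://github.com/Mirantis/cri-dockerd/releases/download/v0.3.16/cri-dockerd-0.3.16.arm64.tgz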
# Extract
tar -xf cri-dockerd-0.3.16.arm64.tgz
# Copy the binary and make it executable
cp cri-dockerd/cri-dockerd /usr/bin/
chmod +x /usr/bin/cri-dockerd

Configure the cri-docker Service
Run on all nodes:
cat <<"EOF" > /usr/lib/systemd/system/cri-docker.service
[Unit]
Description=CRI Interface for Docker Application Container Engine
Documentation=https://docs.mirantis.com
After=network-online.target firewalld.service docker.service
Wants=network-online.target
Requires=cri-docker.socket
[Service]
Type=notify
ExecStart=/usr/bin/cri-dockerd --network-plugin=cni --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.10
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
EOF

Add the cri-docker Socket
Run on all nodes:
cat <<"EOF" > /usr/lib/systemd/system/cri-docker.socket
[Unit]
Description=CRI Docker Socket for the API
PartOf=cri-docker.service
[Socket]
ListenStream=%t/cri-dockerd.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker
[Install]
WantedBy=sockets.target
EOF

Start the cri-docker Service
Run on all nodes:
systemctl daemon-reload
# Enable at boot
systemctl enable cri-docker
# Start the service
systemctl start cri-docker
# Check the status
systemctl is-active cri-docker # "active" means the service started correctly

Install the Kubernetes Cluster
Configure the Package Repository
Run on all nodes:
# Configure the Aliyun repo for the v1.32 release
cat <<EOF | tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.32/rpm/
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.32/rpm/repodata/repomd.xml.key
EOF

Install kubelet, kubeadm, and kubectl
Run on all nodes:
# Install
dnf install -y kubelet kubeadm kubectl
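The repository above tracks the latest 1.32.x patch release. To pin the exact version this guide targets (1.32.1), a sketch using dnf's name-version syntax:
dnf install -y kubelet-1.32.1 kubeadm-1.32.1 kubectl-1.32.1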
# Enable kubelet at boot (it will restart in a loop until kubeadm init/join configures the node, which is expected)
systemctl enable --now kubelet
# List the images kubeadm will pull
kubeadm config images list --image-repository=registry.aliyuncs.com/google_containers
# Pre-pull the images; --cri-socket selects the container runtime to use
kubeadm config images pull --image-repository=registry.aliyuncs.com/google_containers --cri-socket unix:///var/run/cri-dockerd.sock

Initialize the Kubernetes Cluster
Run on the master node:
kubeadm init --kubernetes-version=1.32.1 \
--apiserver-advertise-address=10.211.55.3 \
--image-repository registry.aliyuncs.com/google_containers \
--service-cidr=10.96.0.0/12 \
--pod-network-cidr=10.244.0.0/16 \
--ignore-preflight-errors=Swap \
--cri-socket=unix:///var/run/cri-dockerd.sock
# On success, output like the following is shown
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 10.211.55.3:6443 --token wft7f9.ytyacrye96ira9p2 \
--discovery-token-ca-cert-hash sha256:d3f98caba36b99a0861a73cfb93731775f9852b91c78a7563e24bdf38aef9c63
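Bootstrap tokens expire after 24 hours by default. To join a node later, generate a fresh join command on the master (remember to append the --cri-socket flag as shown below):
kubeadm token create --print-join-command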
Set Up the kubeconfig File
Run on the master node:
# Set up the kubeconfig
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# Copy to the worker nodes so kubectl also works there (note this copies cluster-admin credentials)
scp -r $HOME/.kube k8s-node01:$HOME/
scp -r $HOME/.kube k8s-node02:$HOME/
# Check the control-plane component status (componentstatuses is deprecated but still served)
kubectl get componentstatuses
# Expected output
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Healthy ok

Join the Worker Nodes
Run on every worker node:
# With cri-dockerd, append --cri-socket=unix:///var/run/cri-dockerd.sock to the kubeadm join command
kubeadm join 10.211.55.3:6443 --token wft7f9.ytyacrye96ira9p2 \
--discovery-token-ca-cert-hash sha256:d3f98caba36b99a0861a73cfb93731775f9852b91c78a7563e24bdf38aef9c63 --cri-socket unix:///var/run/cri-dockerd.sock

Check the status from the master node:
kubectl get nodes
# Expected output
[root@k8s-master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master NotReady control-plane 7m25s v1.32.1
k8s-node01 NotReady <none> 55s v1.32.1
k8s-node02 NotReady <none> 46s v1.32.1
# The nodes report NotReady; the cluster becomes usable only after the network plugin is configured
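Relatedly, the CoreDNS pods stay Pending until a CNI plugin is installed, which you can observe with:
kubectl get pods -n kube-system   # coredns-* remain Pending until the network plugin below is deployed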
Set Up the Cluster Network
All of the following steps run on the master node.
Install Tigera Calico
- Official docs: https://archive-os-3-26.netlify.app/calico/3.26/getting-started/kubernetes/quickstart/
- From the release URL given in the docs, download the tigera-operator.yaml file
- From the release URL given in the docs, download the custom-resources.yaml file
# For example
wget https://raw.githubusercontent.com/projectcalico/calico/v3.26.5/manifests/tigera-operator.yaml
wget https://raw.githubusercontent.com/projectcalico/calico/v3.26.5/manifests/custom-resources.yaml
# Create the operator (use kubectl create, not apply: the manifest's CRDs are too large for the annotation kubectl apply adds)
kubectl create -f tigera-operator.yaml
# Check whether the pods in tigera-operator were created
kubectl get pods -n tigera-operator
# Output like the following indicates success
[root@k8s-master ~]# kubectl get pods -n tigera-operator
NAME READY STATUS RESTARTS AGE
tigera-operator-b65bcdc98-fh2ml 1/1 Running 0 17s

Install Calico
Edit the custom-resources.yaml file
vim custom-resources.yaml
# Set cidr to the --pod-network-cidr value used at kubeadm init:
# change  cidr: 192.168.0.0/16  to  cidr: 10.244.0.0/16

Create the Resources
kubectl apply -f custom-resources.yaml

Verify
# Check that the calico-system namespace was created
kubectl get ns
# Output like the following indicates success
[root@k8s-master ~]# kubectl get ns
NAME STATUS AGE
calico-apiserver Active 8m46s
calico-system Active 42m
default Active 59m
kube-node-lease Active 59m
kube-public Active 59m
kube-system Active 59m
tigera-operator Active 58s
# Check whether the pods finished creating
kubectl get pod -n calico-system
# Output like the following indicates completion
[root@k8s-master ~]# kubectl get pod -n calico-system
NAME READY STATUS RESTARTS AGE
calico-kube-controllers-6f6c89fff7-pzdkn 0/1 ContainerCreating 0 41s
calico-node-dvlbp 1/1 Running 0 41s
calico-node-fwgwv 1/1 Running 0 41s
calico-node-p4v6h 1/1 Running 0 41s
calico-typha-74f7f775f-flsw6 1/1 Running 0 33s
calico-typha-74f7f775f-sgkkq 1/1 Running 0 41s
csi-node-driver-6thnf 2/2 Running 0 41s
csi-node-driver-7jkpg 2/2 Running 0 41s
csi-node-driver-rjvnl 2/2 Running 0 41s
# Check that the cluster nodes are Ready
kubectl get nodes
# Output like the following indicates success
[root@k8s-master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready control-plane 60m v1.32.1
k8s-node01 Ready <none> 53m v1.32.1
k8s-node02 Ready <none> 53m v1.32.1
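Instead of polling kubectl get nodes manually, you can block until every node reports Ready (an optional convenience; 300s is an assumed timeout):
kubectl wait --for=condition=Ready nodes --all --timeout=300s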
Configure kube-proxy to Use IPVS
# Edit the kube-proxy ConfigMap and set mode to ipvs
kubectl edit configmaps kube-proxy -n kube-system
mode: "ipvs" # 将mode: ""修改为mode: "ipvs"
# Delete the kube-proxy pods; the DaemonSet recreates them with the new mode
kubectl delete pod -l k8s-app=kube-proxy -n kube-system
# Verify IPVS is in use
ipvsadm -ln
# Expected output
[root@k8s-master ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 10.96.0.1:443 rr
-> 10.211.55.3:6443 Masq 1 1 0
TCP 10.96.0.10:53 rr
-> 10.244.235.195:53 Masq 1 0 0
-> 10.244.235.196:53 Masq 1 0 0
TCP 10.96.0.10:9153 rr
-> 10.244.235.195:9153 Masq 1 0 0
-> 10.244.235.196:9153 Masq 1 0 0
TCP 10.99.39.163:5473 rr
-> 10.211.55.4:5473 Masq 1 0 0
-> 10.211.55.6:5473 Masq 1 0 0
TCP 10.107.112.14:443 rr
-> 10.244.58.194:5443 Masq 1 0 0
-> 10.244.85.195:5443 Masq 1 0 0
UDP 10.96.0.10:53 rr
-> 10.244.235.195:53 Masq 1 0 0
-> 10.244.235.196:53 Masq 1 0 0