环境说明

  • k8s版本:1.20.0
  • docker版本: 19.03.9
  • kubeadm版本:1.20.0
主机名 IP 地址 角色 系统
k8s-master 192.168.200.175 k8s-master Centos7.6
k8s-node-1 192.168.200.176 k8s-node1 Centos7.6
k8s-node-2 192.168.200.177 k8s-node2 Centos7.6

环境初始化

关闭selinux、firewalld、swap,清空iptables规则,配置主机名、hosts文件以及配置kubernetes的转发规则,每台服务器上执行:

[root@master ~]# hostnamectl set-hostname master
[root@master ~]# vim /etc/hosts
192.168.200.175 master
192.168.200.176 node1
192.168.200.177 node2

配置转发相关

[root@master ~]# vim /etc/sysctl.conf 
...
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness=0
[root@master ~]# sysctl -p 

安装docker

每台机器执行

[root@master ~]# wget -O /etc/yum.repos.d/docker-ce.repo http://download.docker.com/linux/centos/docker-ce.repo
# 列出所有Docker的版本
[root@master ~]# yum list docker-ce --showduplicates | sort -r
...
docker-ce.x86_64            3:19.03.15-3.el7                    docker-ce-stable
...
# 安装19.03版本Docker
[root@master ~]# yum install -y docker-ce-19.03.9-3.el7
[root@master ~]# systemctl start docker
[root@master ~]# systemctl enable docker
[root@master ~]# vim /etc/docker/daemon.json
{
"exec-opts": ["native.cgroupdriver=systemd"],
"registry-mirrors": ["https://mirrors.ccs.tencentyun.com"]
}
[root@master ~]# systemctl daemon-reload
[root@master ~]# systemctl restart docker

升级系统以及内核

详见CentOS7升级内核版本

配置kubernetes

每台机器执行

[root@master ~]# cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.cloud.tencent.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enable=1
gpgcheck=0
repo_gpgcheck=0
EOF

安装集群所需要的三个软件kubeadm、kubectl、kubelet,这里都选择1.20.0版本的,安装命令如下:

[root@master ~]# yum install -y kubeadm-1.20.0 kubectl-1.20.0 kubelet-1.20.0
[root@master ~]# systemctl enable kubelet
#设置kubelet
[root@master ~]# DOCKER_CGROUPS=$(docker info | grep 'Cgroup' | cut -d' ' -f4)
[root@master ~]# cat >/etc/sysconfig/kubelet<<EOF
KUBELET_EXTRA_ARGS="--cgroup-driver=$DOCKER_CGROUPS"
EOF

下载kubernetes所有组件的Docker镜像,1.20版本对应的8个组件版本如下

kube-apiserver:v1.20.0
kube-scheduler:v1.20.0
kube-controller-manager:v1.20.0
kube-proxy:v1.20.0
etcd:3.4.13-0
coredns:1.7.0
pause:3.2
flannel:v0.13.1-rc1  # 网络组件
dashboard:v2.0.0-rc7 # 仪表盘相关组件,可以忽略
metrics-scraper:v1.0.4 # 仪表盘相关组件,可以忽略

由于kubeadm初始化文件中使用的是 k8s.gcr.io这个仓库地址,需要科学上网才能拉取镜像,,Docker Hub下载只需要在前面加前缀tangxu/就行,如下:

[root@master ~]# docker pull tangxu/kube-controller-manager:v1.20.0
[root@master ~]# docker pull tangxu/kube-apiserver:v1.20.0
[root@master ~]# docker pull tangxu/kube-scheduler:v1.20.0
[root@master ~]# docker pull tangxu/kube-proxy:v1.20.0
[root@master ~]# docker pull tangxu/flannel:v0.13.1-rc1
[root@master ~]# docker pull tangxu/etcd:3.4.13-0
[root@master ~]# docker pull tangxu/coredns:1.7.0
[root@master ~]# docker pull tangxu/pause:3.2
[root@master ~]# docker pull tangxu/dashboard:v2.0.0-rc7 
[root@master ~]# docker pull tangxu/metrics-scraper:v1.0.4

重新改下镜像的名字,因为初始化yaml文件中仓库地址与离线的镜像不匹配,如果不修改名字的话,不能使用已经离线的镜像,需要重新拉取,而拉取需要科学上网,Docker Hub下载的镜像修改名字如下:

[root@master ~]# docker tag tangxu/kube-controller-manager:v1.20.0 k8s.gcr.io/kube-controller-manager:v1.20.0
[root@master ~]# docker tag tangxu/kube-apiserver:v1.20.0 k8s.gcr.io/kube-apiserver:v1.20.0
[root@master ~]# docker tag tangxu/kube-scheduler:v1.20.0 k8s.gcr.io/kube-scheduler:v1.20.0
[root@master ~]# docker tag tangxu/etcd:3.4.13-0 k8s.gcr.io/etcd:3.4.13-0
[root@master ~]# docker tag tangxu/coredns:1.7.0 k8s.gcr.io/coredns:1.7.0
[root@master ~]# docker tag tangxu/pause:3.2 k8s.gcr.io/pause:3.2
[root@master ~]# docker tag tangxu/kube-proxy:v1.20.0 k8s.gcr.io/kube-proxy:v1.20.0
[root@master ~]# docker tag tangxu/flannel:v0.13.1-rc1 quay.io/coreos/flannel:v0.13.1-rc1
[root@master ~]# docker tag tangxu/dashboard:v2.0.0-rc7 kubernetesui/dashboard:v2.0.0-rc7
[root@master ~]# docker tag tangxu/metrics-scraper:v1.0.4 kubernetesui/metrics-scraper:v1.0.4

初始化集群

master节点执行,生成集群的初始化配置文件:

[root@master ~]# kubeadm config print init-defaults > kubeadm-config.yaml
[root@master ~]# vim ./kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 192.168.0.175 # master节点内网ip
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: master
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
ControlPlaneEndpoint: "mycluster:6443"
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.20.0
networking:
  dnsDomain: cluster.local
  podSubnet: "10.244.0.0/16"  # 使用flannel网络插件这样写网段
  serviceSubnet: 10.96.0.0/12
scheduler: {}

主要修改下advertiseAddress的ip地址为master节点的地址,然后在dnsDomain: cluster.local下面增加 podSubnet: “10.244.0.0/16”

开始初始化

[root@master ~]# kubeadm init --config=kubeadm-config.yaml
[init] Using Kubernetes version: v1.20.0
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local master] and IPs [10.96.0.1 10.0.1.7]
[certs] Generating "apiserver-kubelet-client" certificate and key
...
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.0.175:6443 --token abcdef.0123456789abcdef \
    --discovery-token-ca-cert-hash sha256:59a7d6f60dd67d0be0af8022b1b21cadc77797e89cb6a9d0b7587c1ead4906ee

执行下提示中的命令

[root@master ~]# mkdir -p $HOME/.kube
[root@master ~]# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@master ~]# sudo chown $(id -u):$(id -g) $HOME/.kube/config

查看组件准备状态

[root@master ~]# kubectl get cs
Warning: v1 ComponentStatus is deprecated in v1.19+
NAME                 STATUS      MESSAGE                                                                                       ERROR
scheduler            Unhealthy   Get "http://127.0.0.1:10251/healthz": dial tcp 127.0.0.1:10251: connect: connection refused   
controller-manager   Unhealthy   Get "http://127.0.0.1:10252/healthz": dial tcp 127.0.0.1:10252: connect: connection refused   
etcd-0               Healthy     {"health":"true"}

这里scheduler和 controller-manager显示不健康,需要修改2个配置文件 kube-controller-manager.yaml和 kube-scheduler.yaml,将配置文件中 --prot = 0这项注释掉:

[root@master ~]# vim /etc/kubernetes/manifests/kube-controller-manager.yaml
spec:
  containers:
  - command:
...
    - --leader-elect=true
#    - --port=0
 ...
[root@master ~]# vim /etc/kubernetes/manifests/kube-scheduler.yaml
spec:
  containers:
  - command:
    - kube-scheduler
    - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf
    - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf
    - --bind-address=127.0.0.1
    - --kubeconfig=/etc/kubernetes/scheduler.conf
    - --leader-elect=true
#    - --port=0

修改保存完成后,等待一会儿状态就正常了:

[root@master ~]# kubectl get cs
Warning: v1 ComponentStatus is deprecated in v1.19+
NAME                 STATUS    MESSAGE             ERROR
controller-manager   Healthy   ok    
scheduler            Healthy   ok    
etcd-0               Healthy   {"health":"true"}

加入工作节点

node节点执行如下操作

[root@node1 ~]# kubeadm join 192.168.200.175:6443 --token abcdef.0123456789abcdef \
    --discovery-token-ca-cert-hash sha256:59a7d6f60dd67d0be0af8022b1b21cadc77797e89cb6a9d0b7587c1ead4906ee

执行后看到以下提示说明节点成功加入集群:

[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

查看集群所有节点

[root@node1 ~]# kubectl get nodes
NAME     STATUS   ROLES                  AGE   VERSION
master   Ready    control-plane,master   18m   v1.20.0
node1    Ready    <none>                 14m   v1.20.0
node2    Ready    <none>                 14m   v1.20.0

安装网络组件

未安装网络组件flannel之前这里的 STATUS状态会是未准备状态,安装网络组件之后就可以了,安装网络组件flannel,kube-flannel.yml文件如下:

[root@master ~]# vim kube-flannel.yml
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp.flannel.unprivileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  volumes:
  - configMap
  - secret
  - emptyDir
  - hostPath
  allowedHostPaths:
  - pathPrefix: "/etc/cni/net.d"
  - pathPrefix: "/etc/kube-flannel"
  - pathPrefix: "/run/flannel"
  readOnlyRootFilesystem: false
  # Users and groups
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Privilege Escalation
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  # Capabilities
  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
  defaultAddCapabilities: []
  requiredDropCapabilities: []
  # Host namespaces
  hostPID: false
  hostIPC: false
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  # SELinux
  seLinux:
    # SELinux is unused in CaaSP
    rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
- apiGroups: ['extensions']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['psp.flannel.unprivileged']
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: flannel
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flannel
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    app: flannel
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      hostNetwork: true
      priorityClassName: system-node-critical
      tolerations:
      - operator: Exists
        effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
      - name: install-cni
        image: quay.io/coreos/flannel:v0.13.1-rc1
        command:
        - cp
        args:
        - -f
        - /etc/kube-flannel/cni-conf.json
        - /etc/cni/net.d/10-flannel.conflist
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      containers:
      - name: kube-flannel
        image: quay.io/coreos/flannel:v0.13.1-rc1
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
          limits:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN", "NET_RAW"]
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        volumeMounts:
        - name: run
          mountPath: /run/flannel
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      volumes:
      - name: run
        hostPath:
          path: /run/flannel
      - name: cni
        hostPath:
          path: /etc/cni/net.d
      - name: flannel-cfg
        configMap:
          name: kube-flannel-cfg               

部署flannel

[root@master ~]# kubectl apply -f kube-flannel.yml
podsecuritypolicy.policy/psp.flannel.unprivileged created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
serviceaccount/flannel created
configmap/kube-flannel-cfg created
daemonset.apps/kube-flannel-ds created     

查看所有组件运行状态:

[root@master ~]# kubectl get pods -A
NAMESPACE       NAME                                      READY   STATUS    RESTARTS   AGE
kube-system     coredns-79495b5589-4k7vg                  1/1     Running   0          15m
kube-system     coredns-79495b5589-hzrkk                  1/1     Running   0          15m
kube-system     etcd-master                               1/1     Running   2          15m
kube-system     kube-apiserver-master                     1/1     Running   7          15m
kube-system     kube-controller-manager-master            1/1     Running   3          15m
kube-system     kube-flannel-ds-2h478                     1/1     Running   0          15m
kube-system     kube-flannel-ds-9fzq2                     1/1     Running   0          15m
kube-system     kube-flannel-ds-fxhpv                     1/1     Running   1          15m
kube-system     kube-proxy-9thzf                          1/1     Running   0          15m
kube-system     kube-proxy-kqmhp                          1/1     Running   0          15m
kube-system     kube-proxy-r5zvb                          1/1     Running   1          15m
kube-system     kube-scheduler-master                     1/1     Running   3          15m
kube-system     metrics-server-7dcbcf9794-hgdm2           1/1     Running   0          15m
文章作者: 鲜花的主人
版权声明: 本站所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 爱吃可爱多
Kubernetes Kubernetes
喜欢就支持一下吧
打赏
微信 微信
支付宝 支付宝