Installing Kubernetes v1.9.1 offline with kubeadm

About kubeadm

kubeadm is a toolkit that helps you install a Kubernetes cluster in a simple, reasonable, secure and extensible way. It also supports managing Bootstrap Tokens and upgrading/downgrading the cluster version.
kubeadm does not install a network solution by default, so after installing with kubeadm you need to install a network plugin yourself. Commonly chosen plugins are Calico, Flannel, Romana and Weave Net.

Environment

1. One or more machines running a deb/rpm-compatible operating system, for example Ubuntu or CentOS.
The following versions are officially supported:

  1. Ubuntu 16.04+
  2. Debian 9
  3. CentOS 7
  4. RHEL 7
  5. Fedora 25/26 (best-effort)
  6. HypriotOS v1.0.1+
  7. Container Linux (tested with 1576.4.0)

I have also installed k8s successfully on Debian 8, but a few points need attention: because of a kernel issue, running kubeadm init reported missing cgroups: memory. You need to update grub by adding GRUB_CMDLINE_LINUX_DEFAULT="cgroup_enable=memory swapaccount=1" to /etc/default/grub and then running update-grub && reboot.

2. Each machine has 2 GB of RAM or more
3. The master has 2 or more CPUs
4. Public or private network connectivity between all machines in the cluster is working

Preparation

I have installed k8s on both Debian 8 and CentOS 7. This tutorial applies to those two systems and to Debian 9; for other systems, adapt as needed.

1. Disable swap: run swapoff -a to turn off the swap partition
2. Disable SELinux: on CentOS run setenforce 0
3. Install Docker
Debian

# Install Docker from the Ubuntu or Debian repositories:

$ apt-get update
$ apt-get install -y docker.io

# Install Docker CE 17.03 from Docker's Ubuntu or Debian repository
$ apt-get update
$ apt-get install -y \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
$ add-apt-repository \
   "deb https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
   $(lsb_release -cs) \
   stable"
$ apt-get update && apt-get install -y docker-ce=$(apt-cache madison docker-ce | grep 17.03 | head -1 | awk '{print $3}')

CentOS 7

$ yum install -y docker
$ systemctl enable docker && systemctl start docker

Docker is not blocked (by the firewall), so no offline Docker package is provided here; see the official Docker installation guide for more information.
On RHEL/CentOS 7 systems traffic may fail to be routed correctly, so we need to set the following:

$ cat <<EOF >  /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
$ sudo sysctl --system

4. Make sure the cgroup driver used by kubelet is the same as the one used by Docker. To ensure compatibility, you can update Docker's configuration as follows:

$ cat << EOF > /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"]
}
EOF

Alternatively, change the kubernetes configuration file /etc/systemd/system/kubelet.service.d/10-kubeadm.conf, replacing Environment="KUBELET_CGROUP_ARGS=--cgroup-driver=systemd" with Environment="KUBELET_CGROUP_ARGS=--cgroup-driver=cgroupfs".
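The following check is an added example and is not part of the original post: it extracts the cgroup driver from the text printed by docker info and from the kubelet systemd drop-in named above, and reports whether the two agree. The two sample texts are constructed for illustration and deliberately disagree, which is exactly the situation in which kubelet fails to come up after kubeadm init; check_host runs the same logic against a live machine.

```shell
#!/bin/sh
# Added example (not from the original post): check that kubelet's --cgroup-driver
# matches the "Cgroup Driver" reported by `docker info`. A mismatch is what makes
# kubelet fail to start after kubeadm init. The two sample texts are constructed.

SAMPLE_DOCKER_INFO='Server Version: 17.03.2-ce
Storage Driver: overlay2
Cgroup Driver: systemd
Kernel Version: 4.9.0-4-amd64'

SAMPLE_KUBEADM_CONF='[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_CGROUP_ARGS=--cgroup-driver=cgroupfs"'

# Read `docker info` text on stdin and print the driver Docker is using.
docker_cgroup_driver() {
    sed -n 's/^[[:space:]]*Cgroup Driver:[[:space:]]*//p' | head -n 1
}

# Read the kubelet systemd drop-in on stdin and print the driver kubelet is told to use.
kubelet_cgroup_driver() {
    sed -n 's/.*--cgroup-driver=\([A-Za-z0-9_]*\).*/\1/p' | head -n 1
}

# Return 0 when both values are present and identical, 1 otherwise.
cgroup_drivers_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Run the check against a live host; docker and the drop-in must exist there.
check_host() {
    conf=/etc/systemd/system/kubelet.service.d/10-kubeadm.conf
    d=$(docker info 2>/dev/null | docker_cgroup_driver)
    k=$(kubelet_cgroup_driver < "$conf")
    if cgroup_drivers_match "$d" "$k"; then
        echo "ok: docker and kubelet both use '$d'"
    else
        echo "mismatch: docker='$d' kubelet='$k' (fix daemon.json or $conf)" >&2
        return 1
    fi
}

# Demonstration on the constructed samples (they disagree on purpose).
d=$(printf '%s\n' "$SAMPLE_DOCKER_INFO" | docker_cgroup_driver)
k=$(printf '%s\n' "$SAMPLE_KUBEADM_CONF" | kubelet_cgroup_driver)
if cgroup_drivers_match "$d" "$k"; then
    echo "sample: drivers match ($d)"
else
    echo "sample: mismatch, docker='$d' kubelet='$k'"
fi
```

Run it on the master before kubeadm init and again after editing daemon.json or the drop-in; either side may be changed, but both must end up naming the same driver.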
5. Download the required image files plus kubeadm, kubelet and kubectl
Download the images and packages from the following address.

Link: https://pan.baidu.com/s/1hukuN6O  Password: 6ehe

Because Linux package dependencies are complex, the archive only contains the dependencies that were missing on my own installation; download any other dependencies yourself.

Installation

1. Install kubeadm, kubelet and kubectl: go to the directory with the downloaded deb/rpm packages and run dpkg -i *.deb or yum localinstall *.rpm to install kubeadm, kubelet and kubectl. On CentOS, run sudo systemctl enable kubelet && sudo systemctl start kubelet to start kubelet.
2. Load the required images: go to the downloaded images directory and run docker load -i k8s-1-9-1.tar to load all the images Kubernetes needs, including flannel; run docker load -i calicov2.tar to load the calico images.
3. Initialize the master with kubeadm. We specify the Kubernetes version explicitly and set the pod-network-cidr (used later by flannel): kubeadm init --kubernetes-version=v1.9.1 --pod-network-cidr=10.244.0.0/16. If you use the calico network, change --pod-network-cidr=10.244.0.0/16 to --pod-network-cidr=192.168.0.0/16. During this step kubeadm performs a series of operations, including pre-checks, generating the CA certificates, and installing etcd and the other control-plane components.
The output should look like this:

[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[init] Using Kubernetes version: v1.8.0
[init] Using Authorization modes: [Node RBAC]
[preflight] Running pre-flight checks
[kubeadm] WARNING: starting in 1.8, tokens expire after 24 hours by default (if you require a non-expiring token use --token-ttl 0)
[certificates] Generated ca certificate and key.
[certificates] Generated apiserver certificate and key.
[certificates] apiserver serving cert is signed for DNS names [kubeadm-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 10.138.0.4]
[certificates] Generated apiserver-kubelet-client certificate and key.
[certificates] Generated sa key and public key.
[certificates] Generated front-proxy-ca certificate and key.
[certificates] Generated front-proxy-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "scheduler.conf"
[controlplane] Wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/manifests/kube-apiserver.yaml"
[controlplane] Wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/manifests/kube-controller-manager.yaml"
[controlplane] Wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/manifests/kube-scheduler.yaml"
[etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml"
[init] Waiting for the kubelet to boot up the control plane as Static Pods from directory "/etc/kubernetes/manifests"
[init] This often takes around a minute; or longer if the control plane images have to be pulled.
[apiclient] All control plane components are healthy after 39.511972 seconds
[uploadconfig] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[markmaster] Will mark node master as master by adding a label and a taint
[markmaster] Master master tainted and labelled with key/value: node-role.kubernetes.io/master=""
[bootstraptoken] Using token: <token>
[bootstraptoken] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstraptoken] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: kube-dns
[addons] Applied essential addon: kube-proxy

Your Kubernetes master has initialized successfully!

To start using your cluster, you need to run (as a regular user):

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  http://kubernetes.io/docs/admin/addons/

You can now join any number of machines by running the following on each node
as root:

  kubeadm join --token <token> <master-ip>:<master-port> --discovery-token-ca-cert-hash sha256:<hash>

The kubeadm join line at the bottom is what lets other nodes join the cluster; as you can see, it is very convenient.

4. Run the following commands so that kubectl can manage the cluster

# For non-root users
$ mkdir -p $HOME/.kube
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config

# For the root user
$ export KUBECONFIG=/etc/kubernetes/admin.conf

5. Install a CNI plugin
To install the flannel plugin, run
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/v0.9.1/Documentation/kube-flannel.yml
To install the calico plugin, run
kubectl apply -f https://docs.projectcalico.org/v3.0/gettingstarted/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml
After installing the network, run kubectl get pods --all-namespaces and check whether kube-dns is Running to judge whether the network was installed successfully.
By default, to keep the master secure, application pods are not scheduled onto the master. You can lift this restriction by entering:

kubectl taint nodes --all node-role.kubernetes.io/master-

Joining nodes

1. If you have multiple machines, install the deb/rpm packages on the node machines, then run kubeadm join --token <token> <master-ip>:<master-port> --discovery-token-ca-cert-hash sha256:<hash>, replacing the token with your own.
The output should look like this:

[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[preflight] Running pre-flight checks
[discovery] Trying to connect to API Server "10.138.0.4:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://10.138.0.4:6443"
[discovery] Requesting info from "https://10.138.0.4:6443" again to validate TLS against the pinned public key
[discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "10.138.0.4:6443"
[discovery] Successfully established connection with API Server "10.138.0.4:6443"
[bootstrap] Detected server version: v1.8.0
[bootstrap] The server supports the Certificates API (certificates.k8s.io/v1beta1)
[csr] Created API client to obtain unique certificate for this node, generating keys and certificate signing request
[csr] Received signed certificate from the API server, generating KubeConfig...

Node join complete:
* Certificate signing request sent to master and response
  received.
* Kubelet informed of new secure connection details.

Run 'kubectl get nodes' on the master to see this machine join.

2. Then run kubectl get nodes on the master and you will see the node that has joined.
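The sha256:<hash> part of the kubeadm join command printed by kubeadm init, and reused in step 1 above, is the SHA-256 digest of the DER-encoded public key of the cluster CA in /etc/kubernetes/pki/ca.crt. The joining node uses it to pin the master's CA, which is what the "validate TLS against the pinned public key" lines in the join output refer to, so the value should be taken from the master rather than from an untrusted channel. The following script is an added example, not part of the original post or of kubeadm itself, and assumes openssl is installed: ca_cert_hash reproduces the pipeline given in the kubeadm documentation for computing the hash, and verify_ca_hash compares a value received out of band against the certificate.

```shell
#!/bin/sh
# Added example (not from the original post): compute and verify the value used in
# --discovery-token-ca-cert-hash sha256:<hash>. It is SHA-256 over the DER-encoded
# SubjectPublicKeyInfo of the cluster CA certificate. Assumes openssl is installed.

# Print the hex hash of the CA public key in the PEM certificate given as $1.
ca_cert_hash() {
    cert="$1"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    # x509 -pubkey extracts the public key as PEM; pkey re-encodes it as DER;
    # dgst prints "...(stdin)= <hex>", and sed keeps only the hex digest.
    openssl x509 -pubkey -noout -in "$cert" \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 \
        | sed 's/^.* //'
}

# Compare a hash received out of band (with or without the "sha256:" prefix)
# against the certificate. Returns 0 only on an exact match.
verify_ca_hash() {
    cert="$1"
    expected="${2#sha256:}"
    actual=$(ca_cert_hash "$cert") || return 2
    [ "$actual" = "$expected" ]
}

# Usage on the master:
#   sh ca-hash.sh /etc/kubernetes/pki/ca.crt             -> prints the hash
#   sh ca-hash.sh /etc/kubernetes/pki/ca.crt sha256:...  -> verifies a given hash
case $# in
    1) ca_cert_hash "$1" ;;
    2) if verify_ca_hash "$1" "$2"; then
           echo "CA hash matches $1"
       else
           echo "CA hash does NOT match $1" >&2
           exit 1
       fi ;;
esac
```

If the token from kubeadm init has expired (tokens expire after 24 hours by default, as the init output warns), a new token still has to be paired with this same CA hash, since the hash depends only on ca.crt and not on the token.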

Tearing down a node

To undo what kubeadm did, you should first shut down the node and make sure it is empty before shutting it down.
1. On the node to be removed, run

kubectl drain <node name> --delete-local-data --force --ignore-daemonsets
kubectl delete node <node name>
# <node name> is the name of this node

2. On the removed node, reset all state installed by kubeadm

kubeadm reset