Environment preparation
The Kubernetes cluster was initialized with kubeadm and built in self-hosted mode (the components run from Docker images). The steps below prepare a new worker node before it joins.
1. Disable the firewall and SELinux
(In production, disable or open these as needed. The safer choice is to leave firewalld running and open only the ports kubeadm needs, e.g. 6443/tcp on the control plane and 10250/tcp on every node, instead of switching it off outright.)
systemctl disable firewalld.service
systemctl stop firewalld.service
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
Check:
systemctl is-enabled firewalld.service
systemctl status firewalld.service
getenforce
(setenforce 0 only switches to Permissive for the running system; the sed edit takes effect after the next reboot, so getenforce prints Permissive until then. Permissive is enough for kubeadm.)
2. Synchronize the server clock
Use a public ntpd server or run your own. The kubelet checks the validity period of the API server's TLS certificate against the node clock, so a node that is far off will fail to join.
3. Disable swap
kubeadm's preflight check treats active swap as an error and the kubelet refuses to start with it on, so turn it off now and remove it from /etc/fstab so it stays off after a reboot:
swapoff -a
sed -i.bak -E '/[[:space:]]swap[[:space:]]/ s/^/#/' /etc/fstab
Lowering vm.swappiness, as originally noted here, only makes the kernel swap less eagerly; it does not disable swap and does not satisfy the preflight check:
echo "vm.swappiness=1">>/etc/sysctl.conf
sysctl -p
Check:
sysctl -a | grep "vm.swappiness"
cat /proc/swaps   (only the header line should remain)
4. Every node in the cluster must be able to resolve every other node's host name (via /etc/hosts or DNS).
5. SSH trust from the master to the nodes
kubeadm join does not need this; it is only a convenience for copying files and commands to nodes. If you set it up, keep the private key readable by root only and do not reuse it elsewhere:
ssh-keygen -t rsa
ssh-copy-id -i /root/.ssh/id_rsa.pub 172.16.xx.xx
6. Set kernel parameters so that traffic crossing a bridge also passes through the iptables/netfilter framework
(Without this, kube-proxy's iptables rules never see pod-to-pod traffic that crosses the Linux bridge; kubeadm's preflight check verifies both keys.)
modprobe br_netfilter
echo -e 'net.bridge.bridge-nf-call-iptables = 1 \nnet.bridge.bridge-nf-call-ip6tables = 1' >> /etc/sysctl.conf && sysctl -p
or
cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
These keys only exist while br_netfilter is loaded, so also make the module load at boot:
echo br_netfilter > /etc/modules-load.d/k8s.conf
7. Set the host name
hostnamectl set-hostname node02.k8s.com
echo 'node02.k8s.com' >/etc/hostname
(hostnamectl already writes /etc/hostname, so the echo is redundant but harmless. The node registers with the cluster under this name, so it must match its entry from step 4.)
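A read-only check script for steps 1 to 7, added here as an example and not part of the original post. It assumes a CentOS 7 / systemd host like the rest of the page. Each check takes the raw text it inspects as an argument (the contents of /proc/swaps, the output of sysctl -a, /etc/hosts, and so on), so the logic can be exercised on constructed input without root; run_all feeds it the live system and is only entered when the script is invoked with --run followed by the host names of all cluster members.

```bash
#!/usr/bin/env bash
# node-preflight.sh: read-only checks for preparation steps 1-7 above.
# Added example, not from the original post; assumes a CentOS 7 / systemd host.
set -u

# Step 3: number of active swap devices listed in /proc/swaps (header excluded).
# kubeadm's preflight check fails unless this is 0.
active_swap_count() {   # $1 = contents of /proc/swaps
  printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# Step 6: value of one key in "sysctl -a" output ("key = value" per line).
# Prints nothing when the key is absent, which is what you get for the
# net.bridge.* keys while br_netfilter is not loaded.
sysctl_value() {   # $1 = sysctl -a text, $2 = key
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }'
}

# Step 4: names that the given /etc/hosts text does not map to an address,
# one per line; empty output means every name resolves.
unresolved_hosts() {   # $1 = /etc/hosts text, $2.. = host names to look up
  local text="$1" name
  shift
  for name in "$@"; do
    printf '%s\n' "$text" | awk -v n="$name" '
      $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
      END { exit found ? 0 : 1 }' || printf '%s\n' "$name"
  done
}

# Step 1: SELinux must not be enforcing (Permissive is what setenforce 0 gives).
selinux_ok() {   # $1 = output of getenforce
  [ "$1" = "Permissive" ] || [ "$1" = "Disabled" ]
}

# Step 7: the name the node will register under must match /etc/hostname.
hostname_ok() {   # $1 = hostname -f output, $2 = /etc/hostname contents
  [ -n "$1" ] && [ "$1" = "$2" ]
}

run_all() {   # $@ = host names of all cluster members
  local rc=0 key missing sysctls
  [ "$(active_swap_count "$(cat /proc/swaps)")" = 0 ] || { echo "FAIL swap is still active (step 3)"; rc=1; }
  sysctls=$(sysctl -a 2>/dev/null)
  for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables; do
    [ "$(sysctl_value "$sysctls" "$key")" = 1 ] || { echo "FAIL $key is not 1 (step 6)"; rc=1; }
  done
  missing=$(unresolved_hosts "$(cat /etc/hosts)" "$@")
  [ -z "$missing" ] || { echo "FAIL not resolvable via /etc/hosts (step 4): $missing"; rc=1; }
  selinux_ok "$(getenforce 2>/dev/null)" || { echo "FAIL SELinux is enforcing (step 1)"; rc=1; }
  hostname_ok "$(hostname -f 2>/dev/null)" "$(cat /etc/hostname)" || { echo "FAIL hostname does not match /etc/hostname (step 7)"; rc=1; }
  [ "$(systemctl is-active firewalld 2>/dev/null)" != active ] || echo "WARN firewalld is active: make sure 10250/tcp is open (step 1)"
  [ "$rc" = 0 ] && echo "all checks passed"
  return "$rc"
}

if [ "${1:-}" = "--run" ]; then
  shift
  run_all "$@"
fi
```

Run it as root on the node with ./node-preflight.sh --run master01.k8s.com node02.k8s.com; a non-zero exit means at least one step above still needs doing, and each FAIL line names the step.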
Install docker, kubeadm, kubelet and kubernetes-cni on the node
1: Configure yum (all nodes). Keep gpgcheck and repo_gpgcheck enabled so yum verifies package signatures with the keys listed below.
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
2: Install kubeadm, docker and kubelet
Note: the versions must match the master; kubectl is installed automatically as a dependency of kubeadm. Pin all three versions explicitly, and fetch the Docker repo definition over https (the repo file names the GPG key that later verifies packages, so it should not travel over plain http):
yum install -y yum-utils
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install -y docker-ce-18.09.3 kubeadm-1.14.2 kubelet-1.14.2
(The original ran "yum -y install docker-ce docker-ce-selinux" first, which installs the newest docker-ce and then conflicts with the pinned 18.09.3; docker-ce-selinux also no longer exists in the docker-ce repo, its role is filled by container-selinux from the extras repo, which yum pulls in on its own.)
systemctl enable docker && systemctl start docker
systemctl enable kubelet && systemctl start kubelet
kubelet restarts in a loop until kubeadm join has written its configuration; that is expected.
3: Pull the images (mind the version):
kubeadm pulls from k8s.gcr.io, which may be blocked, so fetch the images from a mirror beforehand and retag them. A worker node only needs kube-proxy and pause; run "kubeadm config images list" on the master to confirm the exact tags for your version.
#!/bin/bash
images=(
kube-proxy:v1.14.2
pause:3.1
)
# pull each image from the mirror and give it the name kubelet will ask for
for imageName in "${images[@]}"; do
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/$imageName
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/$imageName k8s.gcr.io/$imageName
done
Retagging hides where an image came from, so after pulling, compare the digests (docker images --digests, or docker inspect --format '{{index .RepoDigests 0}}' IMAGE) with what the master has before trusting a mirror.
4: Join the cluster
kubeadm join 192.168.3.62:6443 --token f9vc9q.czje7ajf0qqfxtww --discovery-token-ca-cert-hash sha256:9b48669c620fce6a839f1d95938f542ff441156f45cdfd43f690819e9d9ba6df
The two arguments authenticate both directions: the bootstrap token (24-hour TTL by default when created by kubeadm init) lets the node request its kubelet certificate, and --discovery-token-ca-cert-hash pins the SHA-256 of the cluster CA's public key so the node refuses an impostor API server. Treat the token as a secret, and delete it with "kubeadm token delete" once the node has joined.
Problems encountered
kubeadm join errors and fixes
1. Error:
kubeadm join prints
[WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/
Cause: kubelet's built-in default cgroup driver is cgroupfs, but the systemd drop-in shipped in the yum package sets it to systemd, while docker info shows Docker using cgroupfs. The two must agree, otherwise kubelet refuses to start with a "misconfiguration: kubelet cgroup driver ... is different from docker cgroup driver" error. There are two fixes; the second (moving Docker to systemd) is the one the warning recommends.
Method one:
switch kubelet to cgroupfs
#vim /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
Environment="KUBELET_CGROUP_ARGS=--cgroup-driver=cgroupfs"
#systemctl daemon-reload
#systemctl enable docker
#systemctl enable kubelet
#systemctl restart kubelet
#kubeadm join --token c04f89.b781cdb55d83c1ef 10.10.3.4:63 --discovery-token-ca-cert-hash sha256:986e83a9cb948368ad0552b95232e31d3b76e2476b595bd1d905d5242ace29af --ignore-preflight-errors=Swap
systemd only re-reads the drop-in after daemon-reload, which the original steps left out. Note also that --ignore-preflight-errors=Swap merely suppresses the swap check from step 3; disabling swap is the proper fix.
Method two (recommended):
switch Docker's cgroup driver to systemd
mkdir /etc/docker
# Setup daemon.
cat > /etc/docker/daemon.json <<EOF
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2",
"storage-opts": [
"overlay2.override_kernel_check=true"
]
}
EOF
mkdir -p /etc/systemd/system/docker.service.d
# Restart Docker
systemctl daemon-reload
systemctl restart docker
# Check: should now print "Cgroup Driver: systemd"
docker info | grep -i 'cgroup driver'
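A small check that tells you, before running kubeadm join, whether kubelet and Docker agree on the cgroup driver. This is an added example, not from the original post. The parsing functions take the text they inspect as arguments (the output of docker info, and the kubelet drop-in, /var/lib/kubelet/kubeadm-flags.env and /var/lib/kubelet/config.yaml concatenated), so they can be exercised on constructed input; --run reads the live host. Taking the last --cgroup-driver flag found mirrors how kubelet treats a repeated flag, but it assumes the files are fed in the order the unit's ExecStart line references them.

```bash
#!/usr/bin/env bash
# cgroup-driver-check.sh: confirm kubelet and Docker agree on the cgroup driver
# (the mismatch behind the IsDockerSystemdCheck warning above).
# Added example, not from the original post.
set -u

# Driver Docker actually runs with, from "docker info" text
# (the line " Cgroup Driver: systemd"). Prints nothing if the line is missing.
docker_cgroup_driver() {   # $1 = docker info output
  printf '%s\n' "$1" | awk -F': *' '$1 ~ /^ *Cgroup Driver$/ { print $2; exit }'
}

# Driver kubelet will run with, from the concatenated text of the places that
# can set it: the systemd drop-in (KUBELET_CGROUP_ARGS=--cgroup-driver=...),
# /var/lib/kubelet/kubeadm-flags.env (written by kubeadm join) and
# /var/lib/kubelet/config.yaml (cgroupDriver: ...). The last flag wins;
# with no setting anywhere, kubelet defaults to cgroupfs.
kubelet_cgroup_driver() {   # $1 = combined kubelet config text
  local d
  d=$(printf '%s\n' "$1" | grep -o -- '--cgroup-driver=[A-Za-z0-9_]*' | tail -n 1 | cut -d= -f2)
  [ -n "$d" ] || d=$(printf '%s\n' "$1" | awk '$1 == "cgroupDriver:" { print $2; exit }')
  printf '%s\n' "${d:-cgroupfs}"
}

# Returns 0 when both agree, 1 otherwise; prints the pair so the fix is obvious.
drivers_match() {   # $1 = docker info text, $2 = kubelet config text
  local docker_d kubelet_d
  docker_d=$(docker_cgroup_driver "$1")
  kubelet_d=$(kubelet_cgroup_driver "$2")
  echo "docker=$docker_d kubelet=$kubelet_d"
  [ -n "$docker_d" ] && [ "$docker_d" = "$kubelet_d" ]
}

if [ "${1:-}" = "--run" ]; then
  docker_text=$(docker info 2>/dev/null)
  # files that do not exist on this host are simply skipped
  kubelet_text=$(cat /etc/systemd/system/kubelet.service.d/10-kubeadm.conf \
                     /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf \
                     /var/lib/kubelet/kubeadm-flags.env \
                     /var/lib/kubelet/config.yaml 2>/dev/null)
  drivers_match "$docker_text" "$kubelet_text"
fi
```

Run ./cgroup-driver-check.sh --run as root; a non-zero exit with a line like "docker=cgroupfs kubelet=systemd" means one of the two fixes above is still needed.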
2. Error
kubeadm join prints
error execution phase preflight: couldn't validate the identity of the API Server: abort connecting to API servers after timeout of 5m0s
Cause: the token on the master has expired (tokens created by kubeadm init live for 24 hours by default). The same message also appears when the --discovery-token-ca-cert-hash does not match the cluster CA or when port 6443 on the master is unreachable: in all three cases the node cannot verify the signed cluster-info it downloads, so kubeadm retries until the timeout.
Fix: create a new token, and copy the command exactly
kubeadm token create   #create a token (add --ttl 30m to keep it short-lived)
kubeadm token list   #list existing tokens
#look up the discovery-token-ca-cert-hash (the CA created by kubeadm is RSA, which is what openssl rsa expects here)
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt |openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex |sed 's/^.* //'
#or let kubeadm print the complete command, token and hash included:
kubeadm token create --print-join-command
#join the node
kubeadm join 192.168.3.62:6443 --token f9vc9q.czjexxx --discovery-token-ca-cert-hash sha256:9b48669c620fcxxxx
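Since "copy the command exactly" is the fix, here is a check to run on the master before handing a join command to a node. It is an added example, not from the original post: it validates the token and hash format, confirms the token is still listed as usable by "kubeadm token list", and can recompute the CA pin with the same openssl pipeline as above. It assumes the column layout of kubeadm token list (TOKEN TTL EXPIRES USAGES ...), in which an expired token shows "<invalid>" in the TTL column.

```bash
#!/usr/bin/env bash
# join-check.sh: sanity-check a kubeadm join command on the master.
# Added example, not from the original post.
set -u

# Bootstrap tokens are "<6 chars>.<16 chars>" drawn from [a-z0-9].
valid_token() {   # $1 = token
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# The CA pin is "sha256:" plus 64 lower-case hex digits
# (SHA-256 over the DER SubjectPublicKeyInfo of ca.crt).
valid_ca_hash() {   # $1 = hash
  printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Is the token present in "kubeadm token list" output, not expired, and usable
# for both authentication and signing? A token without the signing usage cannot
# sign cluster-info, which produces the same "couldn't validate the identity"
# failure as an expired one.
token_usable() {   # $1 = kubeadm token list output, $2 = token
  printf '%s\n' "$1" | awk -v t="$2" '
    $1 == t && $2 != "<invalid>" && $4 ~ /authentication/ && $4 ~ /signing/ { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Pull the token and hash out of a pasted join command and validate both;
# prints "ok" and returns 0 only when everything checks out.
check_join_command() {   # $1 = full kubeadm join command line, $2 = token list output
  local token hash
  token=$(printf '%s\n' "$1" | sed -n 's/.*--token[ =]\([^ ]*\).*/\1/p')
  hash=$(printf '%s\n' "$1" | sed -n 's/.*--discovery-token-ca-cert-hash[ =]\([^ ]*\).*/\1/p')
  valid_token "$token"       || { echo "bad token format: '$token'"; return 1; }
  valid_ca_hash "$hash"      || { echo "bad ca-cert-hash: '$hash'"; return 1; }
  token_usable "$2" "$token" || { echo "token $token is expired, unknown or lacks signing usage"; return 1; }
  echo "ok"
}

# Recompute the pin from the cluster CA (same pipeline as the post above;
# works for the RSA CA that kubeadm generates).
ca_cert_hash() {   # $1 = path to ca.crt
  printf 'sha256:%s\n' "$(openssl x509 -pubkey -in "$1" | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //')"
}

if [ "${1:-}" = "--run" ]; then
  # Usage on the master: ./join-check.sh --run "kubeadm join 192.168.3.62:6443 --token ... --discovery-token-ca-cert-hash sha256:..."
  check_join_command "${2:-}" "$(kubeadm token list)" || exit 1
  echo "expected pin for this cluster: $(ca_cert_hash /etc/kubernetes/pki/ca.crt)"
fi
```

The format checks catch the truncated values that end up in tickets and notes (the "xxx" placeholders in the command above would be rejected), and the token-list check catches the expired-token case before the node spends five minutes timing out.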
3. Error
[kubelet] Downloading configuration for the kubelet from the "kubelet-config-1.11" ConfigMap in the kube-system namespace configmaps "kubelet-config-1.11" is forbidden: User "system:bootstrap:7df77e" cannot get configmaps in the namespace "kube-system"
Cause: the kubeadm and kubelet versions on the node do not match the cluster. kubeadm init only grants the bootstrap-token group read access to the kubelet-config ConfigMap for its own minor version, so a node running a different kubeadm asks for a ConfigMap (here kubelet-config-1.11) that it is not allowed to read.
Fix: remove cri-tools, kubelet and kubeadm and reinstall the version that matches the master; it must not be newer than the master. (If kubelet is newer than kubeadm, the join succeeds but the node stays NotReady.)
4. Error
Failed create pod sandbox: rpc error: code = Unknown desc = failed pulling image "k8s.gcr.io/pause:3.1": Error response from daemon: Get https://k8s.gcr.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Cause: a new node has to pull pause:3.1, and the default registry k8s.gcr.io is blocked by the GFW.
Fix: pull and retag the image from a mirror as described in the image-download step above, or point the kubelet at the mirror's copy directly with --pod-infra-container-image.