服務器規劃見下表(均爲4核4G配置):
按上表準備好服務器後,對所有服務器節點的操作系統內核由3.10升級至5.4+(haproxy和keepalived需要用到),步驟如下:
#導入用於內核升級的yum源倉庫ELRepo的祕鑰 rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org #啓用ELRepo倉庫yum源 rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm #查看當前可供升級的內核版本 yum --disablerepo="*" --enablerepo="elrepo-kernel" list available #安裝長期穩定版本的內核(本例中爲5.4.231-1.el7.elrepo) yum --enablerepo=elrepo-kernel install kernel-lt -y #設置GRUB的默認啓動內核爲剛剛新安裝的內核版本(先備份,再修改) cp /etc/default/grub /etc/default/grub.bak vi /etc/default/grub
/etc/default/grub文件原來的內容如下:
GRUB_TIMEOUT=5 GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)" GRUB_DEFAULT=saved GRUB_DISABLE_SUBMENU=true GRUB_TERMINAL_OUTPUT="console" GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos_jumpserver/root rd.lvm.lv=centos_jumpserver/swap rhgb quiet" GRUB_DISABLE_RECOVERY="true"
將其的 GRUB_DEFAULT=saved 的值由 saved 改爲 0 即可(即 GRUB_DEFAULT=0)保存退出,接着執行以下命令:
#重新生成啓動引導項配置文件,該命令會去讀取/etc/default/grub內容 grub2-mkconfig -o /boot/grub2/grub.cfg #重啓系統 reboot -h now
重啓完成後,查看一下當前的操作系統及內核版本:
[root@master1 ~]# cat /etc/redhat-release CentOS Linux release 7.9.2009 (Core) [root@master1 ~]# uname -rs Linux 5.4.231-1.el7.elrepo.x86_64
更新一下yum源倉庫CentOS-Base.repo的地址,配置阿里雲鏡像地址,用於加速後續某些組件的下載速度:
#先安裝一下wget工具 yum install -y wget #然後備份 CentOS-Base.repo mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak #使用阿里雲鏡像倉庫地址重建CentOS-Base.repo wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
#運行yum makecache生成緩存
yum makecache
關閉所有服務器的防火牆(在某些組件(例如Dashboard)的防火牆端口開放範圍不是很清楚的情況下選擇將其關閉,生產環境最好按照K8S和相關組件官網的說明,保持防火牆開啓狀態下選擇開放相關端口):
#臨時關閉防火牆
systemctl stop firewalld
#永久關閉防火牆(禁用,避免重啓後又打開)
systemctl disable firewalld
設置所有服務器的/etc/hosts文件,做好hostname和IP的映射:
cat >> /etc/hosts << EOF
192.168.17.3 master1 192.168.17.4 master2 192.168.17.5 master3 192.168.17.11 node1 192.168.17.12 node2 192.168.17.13 node3 192.168.17.200 lb # 後面將用於Keepalived的VIP(虛擬IP),如果不是高可用集羣,該IP可以是master1的IP
EOF
設置所有服務器的時間同步組件(K8S在進行某些集羣狀態的判斷時(例如節點存活)需要有統一的時間進行參考):
#安裝時間同步組件 yum install -y ntpdate #對齊一下各服務器的當前時間 ntpdate time.windows.com
禁用selinux(K8S在SELINUX方面的使用和控制還不是非常的成熟):
#臨時禁用Selinux setenforce 0 #永久禁用Selinux sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
關閉操作系統swap功能(swap功能可能會使K8S在內存方面的QoS策略失效,進而影響內存資源緊張時的Pod驅逐):
#臨時關閉swap功能 swapoff -a #永久關閉swap功能 sed -ri 's/.*swap.*/#&/' /etc/fstab
在每個節點上將橋接的IPv4流量配置爲傳遞到iptables的處理鏈(K8S的Service功能的實現組件kube-proxy需要使用iptables來轉發流量到目標pod):
#新建 /etc/sysctl.d/k8s.conf 配置文件 cat > /etc/sysctl.d/k8s.conf << EOF net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 net.ipv4.ip_forward = 1 vm.swappiness = 0 EOF #新建 /etc/modules-load.d/k8s.conf 配置文件 cat <<EOF | tee /etc/modules-load.d/k8s.conf br_netfilter overlay EOF #加載配置文件 sysctl --system #加載br_netfilter模塊(可以使 iptables 規則在 Linux Bridges 上面工作,用於將橋接的流量轉發至iptables鏈) #如果沒有加載br_netfilter模塊,並不會影響不同node上的pod之間的通信,但是會影響同一node內的pod之間通過service來通信 modprobe br_netfilter #加載網絡虛擬化技術模塊 modprobe overlay
#檢驗網橋過濾模塊是否加載成功
lsmod | grep -e br_netfilter -e overlay
K8S的service有基於iptables和基於ipvs兩種代理模型,基於ipvs的性能要高一些,但是需要手動載入ipvs模塊才能使用:
#安裝ipset和ipvsadm yum install -y ipset ipvsadm #創建需要加載的模塊寫入腳本文件(高版本內核nf_conntrack_ipv4已經換成nf_conntrack) cat <<EOF> /etc/sysconfig/modules/ipvs.modules #!/bin/bash modprobe -- ip_vs modprobe -- ip_vs_rr modprobe -- ip_vs_wrr modprobe -- ip_vs_sh modprobe -- nf_conntrack EOF #爲上述爲腳本添加執行權限 chmod +x /etc/sysconfig/modules/ipvs.modules #執行上述腳本 /bin/bash /etc/sysconfig/modules/ipvs.modules #查看上述腳本中的模塊是否加載成功 lsmod | grep -e -ip_vs -e nf_conntrack
在master1節點上使用RSA算法生成非對稱加密公鑰和密鑰,並將公鑰傳遞給其他節點(方便後面相同配置文件的分發傳送,以及從master1上免密登錄到其他節點進行集羣服務器管理):
#使用RSA算法成生密鑰和公鑰,遇到輸入,直接Enter即可 ssh-keygen -t rsa #將公鑰傳送給其他幾個節點(遇到(yes/no)的一路輸入yes,並接着輸入相應服務器的root密碼) for i in master1 master2 master3 node1 node2 node3;do ssh-copy-id -i .ssh/id_rsa.pub $i;done
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@node3's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'node3'"
and check to make sure that only the key(s) you wanted were added.
配置所有節點的limits:
#在所有節點上臨時修改limits ulimit -SHn 65536 #先在master1節點永久修改limits vi /etc/security/limits.conf #在最後添加以下內容 * soft nofile 65536 * hard nofile 65536 * soft nproc 4096 * hard nproc 4096 * soft memlock unlimited * soft memlock unlimited
然後將master1上的/etc/security/limits.conf文件複製到其他服務器節點上
scp /etc/security/limits.conf root@master2:/etc/security/limits.conf scp /etc/security/limits.conf root@master3:/etc/security/limits.conf scp /etc/security/limits.conf root@node3:/etc/security/limits.conf scp /etc/security/limits.conf root@node2:/etc/security/limits.conf scp /etc/security/limits.conf root@node1:/etc/security/limits.conf
在所有節點上安裝Docker(K8S v1.24後推薦使用符合CRI標準的containerd或cri-o等作爲容器運行時,原來用於支持Docker作爲容器運行時的dockershim從該版本開始也已經從K8S中移除,如果還要堅持使用Docker的話,需要藉助cri-dockerd適配器,性能沒containerd和cri-o好):
#卸載舊docker相關組件 yum remove -y docker* yum remove -y containerd* #下載docker-ce倉庫的yum源配置 wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo #安裝特定版本的docker(要符合目標版本K8S的docker版本要求) yum install -y docker-ce-20.10.2 #配置docker(國內華中科技大學的鏡像倉庫、cgroup驅動爲systemd等) mkdir -p /etc/docker sudo tee /etc/docker/daemon.json <<-'EOF' { "exec-opts": ["native.cgroupdriver=systemd"], "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"], "log-driver":"json-file", "log-opts": {"max-size":"500m", "max-file":"3"} } EOF #立即啓動Docker,並設置爲開機自動啓動 systemctl enable docker --now
設置下載K8S相關組件的倉庫爲國內鏡像yum源(國外的太慢了,這裏設置爲阿里雲的):
cat > /etc/yum.repos.d/kubernetes.repo << EOF [kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=0 repo_gpgcheck=0 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF
在master1、master2和master3節點上安裝kubeadm、kubectl和kubelet三個工具:
yum install -y kubeadm-1.20.2 kubectl-1.20.2 kubelet-1.20.2 --disableexcludes=kubernetes
在node1、node2和node3節點上安裝kubeadm和kubelet兩個工具:
yum install -y kubeadm-1.20.2 kubelet-1.20.2 --disableexcludes=kubernetes
在所有節點上立即啓動kubelet,並設置爲開機啓動:
systemctl enable kubelet --now
在所有節點上將kubelet使用的cgroup drver與前端安裝配置Docker時的對齊,都設置爲systemd :
#先在master1上修改"/etc/sysconfig/kubelet"文件的內容 vi /etc/sysconfig/kubelet #cgroup-driver使用systemd驅動 KUBELET_EXTRA_ARGS="--cgroup-driver=systemd" #kube-proxy基於ipvs的代理模型 KUBE_PROXY_MODE="ipvs"
然後將master1上的 /etc/sysconfig/kubelet 文件複製到其他節點上
scp /etc/sysconfig/kubelet root@master2:/etc/sysconfig/kubelet scp /etc/sysconfig/kubelet root@master3:/etc/sysconfig/kubelet scp /etc/sysconfig/kubelet root@node3:/etc/sysconfig/kubelet scp /etc/sysconfig/kubelet root@node2:/etc/sysconfig/kubelet scp /etc/sysconfig/kubelet root@node1:/etc/sysconfig/kubelet
在所有節點上立即啓動kubelet,並設置爲開機自動啓動
#立即啓動kubelet,並設置爲開機自動啓動 systemctl enable kubelet --now #查看各節點上kubelet的運行狀態(由於網絡組件還沒安裝,此時kubelet會不斷重啓,屬於正常現象) systemctl status kubelet
在master1、master2和master3節點上安裝HAProxy和Keepalived高可用維護組件(僅高可用集羣需要):
yum install -y keepalived haproxy
在master1節點上修改HAproxy配置文件/etc/haproxy/haproxy.cfg,修改好後分發到master2和master3:
#先備份HAProxy配置文件 cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak #修改HAProxy配置文件 vi /etc/haproxy/haproxy.cfg
global maxconn 2000 ulimit-n 16384 log 127.0.0.1 local0 err stats timeout 30s defaults log global mode http option httplog timeout connect 5000 timeout client 50000 timeout server 50000 timeout http-request 15s timeout http-keep-alive 15s frontend monitor-in bind *:33305 mode http option httplog monitor-uri /monitor listen stats bind *:8006 mode http stats enable stats hide-version stats uri /stats stats refresh 30s stats realm Haproxy\ Statistics stats auth admin:admin frontend k8s-master bind 0.0.0.0:16443 bind 127.0.0.1:16443 mode tcp option tcplog tcp-request inspect-delay 5s default_backend k8s-master backend k8s-master mode tcp option tcplog option tcp-check balance roundrobin default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100 # 下面的配置根據實際情況修改 server master1 192.168.17.3:6443 check server master2 192.168.17.4:6443 check server master3 192.168.17.5:6443 check
然後將master1節點上的 /etc/haproxy/haproxy.cfg 文件複製到master2和master3節點上
scp /etc/haproxy/haproxy.cfg root@master2:/etc/haproxy/haproxy.cfg scp /etc/haproxy/haproxy.cfg root@master3:/etc/haproxy/haproxy.cfg
在master1、master2和master3節點上修改Keepalived的配置文件(注意各節點不一樣的地方,紅色標記):
#先備份Keepalived的配置文件 cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak #修改HAProxy配置文件 vi /etc/keepalived/keepalived.conf
! Configuration File for keepalived global_defs { ## 標識本節點的字符串,通常爲 hostname router_id master1 script_user root enable_script_security } ## 檢測腳本 ## keepalived 會定時執行腳本並對腳本執行的結果進行分析,動態調整 vrrp_instance 的優先級。如果腳本執行結果爲 0,並且 weight 配置的值大於 0,則優先級相應的增加。如果腳本執行結果非 0,並且 weight配置的值小於 0,則優先級相應的減少。其他情況,維持原本配置的優先級,即配置文件中 priority 對應的值。 vrrp_script chk_apiserver { script "/etc/keepalived/check_apiserver.sh" # 每2秒檢查一次 interval 2 # 一旦腳本執行成功,權重減少5 weight -5 fall 3 rise 2 } ## 定義虛擬路由,VR_1 爲虛擬路由的標示符,自己定義名稱 vrrp_instance VR_1 { ## 主節點爲 MASTER,對應的備份節點爲 BACKUP state MASTER ## 綁定虛擬 IP 的網絡接口(網卡),與本機 IP 地址所在的網絡接口相同 interface ens32 # 主機的IP地址 mcast_src_ip 192.168.17.3 # 虛擬路由id virtual_router_id 100 ## 節點優先級,值範圍 0-254,MASTER 要比 BACKUP 高 priority 100 ## 優先級高的設置 nopreempt 解決異常恢復後再次搶佔的問題 nopreempt ## 組播信息發送間隔,所有節點設置必須一樣,默認 1s advert_int 2 ## 設置驗證信息,所有節點必須一致 authentication { auth_type PASS auth_pass K8SHA_KA_AUTH } ## 虛擬 IP 池, 所有節點設置必須一樣 virtual_ipaddress { ## VIP,可以定義多個 192.168.17.200 } track_script { chk_apiserver } }
在master1節點上新建節點存活監控腳本 /etc/keepalived/check_apiserver.sh :
vi /etc/keepalived/check_apiserver.sh
#!/bin/bash err=0 for k in $(seq 1 5) do check_code=$(pgrep kube-apiserver) if [[ $check_code == "" ]]; then err=$(expr $err + 1) sleep 5 continue else err=0 break fi done if [[ $err != "0" ]]; then echo "systemctl stop keepalived" /usr/bin/systemctl stop keepalived exit 1 else exit 0 fi
然後將master1節點上的 /etc/keepalived/check_apiserver.sh 文件複製到master2和master3節點上:
scp /etc/keepalived/check_apiserver.sh root@master2:/etc/keepalived/check_apiserver.sh scp /etc/keepalived/check_apiserver.sh root@master3:/etc/keepalived/check_apiserver.sh
各節點修改 /etc/keepalived/check_apiserver.sh 文件爲可執行權限:
chmod +x /etc/keepalived/check_apiserver.sh
各節點立即啓動HAProxy和Keepalived,並設置爲開機啓動:
#立即啓動haproxy,並設置爲開機啓動 systemctl enable haproxy --now #立即啓動keepalived,並設置爲開機啓動 systemctl enable keepalived --now
測試Keepalived維護的VIP是否暢通:
#在宿主機上(本例爲Windows) ping 192.168.17.200 正在 Ping 192.168.17.200 具有 32 字節的數據: 來自 192.168.17.200 的回覆: 字節=32 時間=1ms TTL=64 來自 192.168.17.200 的回覆: 字節=32 時間<1ms TTL=64 來自 192.168.17.200 的回覆: 字節=32 時間=1ms TTL=64 來自 192.168.17.200 的回覆: 字節=32 時間<1ms TTL=64 192.168.17.200 的 Ping 統計信息: 數據包: 已發送 = 4,已接收 = 4,丟失 = 0 (0% 丟失), 往返行程的估計時間(以毫秒爲單位): 最短 = 0ms,最長 = 1ms,平均 = 0ms #在K8S各節點上 ping 192.168.17.200 -c 4 PING 192.168.17.200 (192.168.17.200) 56(84) bytes of data. 64 bytes from 192.168.17.200: icmp_seq=1 ttl=64 time=0.058 ms 64 bytes from 192.168.17.200: icmp_seq=2 ttl=64 time=0.055 ms 64 bytes from 192.168.17.200: icmp_seq=3 ttl=64 time=0.077 ms 64 bytes from 192.168.17.200: icmp_seq=4 ttl=64 time=0.064 ms --- 192.168.17.200 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3112ms rtt min/avg/max/mdev = 0.055/0.063/0.077/0.011 ms
接下來我們在master1節點生成並配置kubeadm工具用於初始化K8S控制平面(即Master)的配置文件(這裏命名爲kubeadm-config.yaml):
#進入 /etc/kubernetes/ 目錄 cd /etc/kubernetes/ #使用以下命令先將kubeadm默認的控制平臺初始化配置導出來 kubeadm config print init-defaults > kubeadm-config.yaml
生成的kubeadm-config.yaml文件內容如下(紅色部分爲要注意根據情況修改的,藍色爲新加的配置):
apiVersion: kubeadm.k8s.io/v1beta2 bootstrapTokens: - groups: - system:bootstrappers:kubeadm:default-node-token token: abcdef.0123456789abcdef ttl: 24h0m0s usages: - signing - authentication kind: InitConfiguration localAPIEndpoint: advertiseAddress: 192.168.17.3 #當前節點IP(各節點不同) bindPort: 6443 nodeRegistration: criSocket: /var/run/dockershim.sock name: master1 #當前節點hostname(各節點不同) taints: - effect: NoSchedule key: node-role.kubernetes.io/master --- apiServer: timeoutForControlPlane: 4m0s apiVersion: kubeadm.k8s.io/v1beta2 certificatesDir: /etc/kubernetes/pki clusterName: kubernetes controlPlaneEndpoint: "192.168.17.200:16443" #Keepalived維護的VIP和HAProxy維護的Port controllerManager: {} dns: type: CoreDNS etcd: local: dataDir: /var/lib/etcd imageRepository: registry.aliyuncs.com/google_containers #K8S內部拉取鏡像時將使用的鏡像倉庫地址 kind: ClusterConfiguration kubernetesVersion: v1.20.0 networking: dnsDomain: cluster.local serviceSubnet: 10.96.0.0/12 #K8S內部生成Service資源對象的IP時將使用的CIDR格式網段 podSubnet: 10.244.0.0/16 #K8S內部生成Pod資源對象的IP時將使用的CIDR格式網段,宿主機、Service、Pod三者的網段不能重疊 scheduler: {}
添加的podSubnet配置項與在命令行中的參與 --pod-network-cidr 是同一個參數,表明使用CNI標準的Pod的網絡插件(後面的Calico就是)
然後將master1節點上的 /etc/kubernetes/kubeadm-config.yaml 文件複製到master2和master3節點上,並修改上述標紅的(各節點不同)部分:
scp /etc/kubernetes/kubeadm-config.yaml root@master2:/etc/kubernetes/kubeadm-config.yaml scp /etc/kubernetes/kubeadm-config.yaml root@master3:/etc/kubernetes/kubeadm-config.yaml
所有master節點使用剛剛的控制平臺初始化配置文件 /etc/kubernetes/kubeadm-config.yaml 提前下載好初始化控制平臺需要的鏡像:
kubeadm config images pull --config /etc/kubernetes/kubeadm-config.yaml
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-apiserver:v1.20.0
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-controller-manager:v1.20.0
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-scheduler:v1.20.0
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-proxy:v1.20.0
[config/images] Pulled registry.aliyuncs.com/google_containers/pause:3.2
[config/images] Pulled registry.aliyuncs.com/google_containers/etcd:3.4.13-0
[config/images] Pulled registry.aliyuncs.com/google_containers/coredns:1.7.0
然後將master1選爲主節點(對應Keepalived的配置),使用配置文件/etc/kubernetes/kubeadm-config.yaml進行K8S控制平面的初始化(會在/etc/kubernetes目錄下生成對應的證書和配置文件):
kubeadm init --config /etc/kubernetes/kubeadm-config.yaml --upload-certs
[init] Using Kubernetes version: v1.20.0 [preflight] Running pre-flight checks [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 20.10.2. Latest validated version: 19.03 [preflight] Pulling images required for setting up a Kubernetes cluster [preflight] This might take a minute or two, depending on the speed of your internet connection [preflight] You can also perform this action in beforehand using 'kubeadm config images pull' [certs] Using certificateDir folder "/etc/kubernetes/pki" [certs] Generating "ca" certificate and key [certs] Generating "apiserver" certificate and key [certs] apiserver serving cert is signed for DNS names [kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local master1] and IPs [10.96.0.1 192.168.17.3 192.168.17.200] [certs] Generating "apiserver-kubelet-client" certificate and key [certs] Generating "front-proxy-ca" certificate and key [certs] Generating "front-proxy-client" certificate and key [certs] Generating "etcd/ca" certificate and key [certs] Generating "etcd/server" certificate and key [certs] etcd/server serving cert is signed for DNS names [localhost master1] and IPs [192.168.17.3 127.0.0.1 ::1] [certs] Generating "etcd/peer" certificate and key [certs] etcd/peer serving cert is signed for DNS names [localhost master1] and IPs [192.168.17.3 127.0.0.1 ::1] [certs] Generating "etcd/healthcheck-client" certificate and key [certs] Generating "apiserver-etcd-client" certificate and key [certs] Generating "sa" key and public key [kubeconfig] Using kubeconfig folder "/etc/kubernetes" [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address [kubeconfig] Writing "admin.conf" kubeconfig file [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address [kubeconfig] Writing "kubelet.conf" kubeconfig file [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address [kubeconfig] Writing "controller-manager.conf" kubeconfig file [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address [kubeconfig] Writing "scheduler.conf" kubeconfig file [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env" [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" [kubelet-start] Starting the kubelet [control-plane] Using manifest folder "/etc/kubernetes/manifests" [control-plane] Creating static Pod manifest for "kube-apiserver" [control-plane] Creating static Pod manifest for "kube-controller-manager" [control-plane] Creating static Pod manifest for "kube-scheduler" [etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests" [wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s [apiclient] All control plane components are healthy after 17.096734 seconds [upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace [kubelet] Creating a ConfigMap "kubelet-config-1.20" in namespace kube-system with the configuration for the kubelets in the cluster [upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace [upload-certs] Using certificate key: 980848047b8e66250ed598f9a135390c2631bb8d5d53a7610ddfe2d1406b1f80 [mark-control-plane] Marking the node master1 as control-plane by adding the labels "node-role.kubernetes.io/master=''" and "node-role.kubernetes.io/control-plane='' (deprecated)" [mark-control-plane] Marking the node master1 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule] [bootstrap-token] Using token: abcdef.0123456789abcdef [bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to get nodes [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials [bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token [bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster [bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace [kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key [addons] Applied essential addon: CoreDNS [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address [addons] Applied essential addon: kube-proxy Your Kubernetes control-plane has initialized successfully! To start using your cluster, you need to run the following as a regular user: mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config Alternatively, if you are the root user, you can run: export KUBECONFIG=/etc/kubernetes/admin.conf You should now deploy a pod network to the cluster. Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at: https://kubernetes.io/docs/concepts/cluster-administration/addons/ You can now join any number of the control-plane node running the following command on each as root: kubeadm join 192.168.17.200:16443 --token abcdef.0123456789abcdef \ --discovery-token-ca-cert-hash sha256:30d16ec922ca217b0be609a0b98e4ffb6399bfda058463560bfffd84cb4c975c \ --control-plane --certificate-key 980848047b8e66250ed598f9a135390c2631bb8d5d53a7610ddfe2d1406b1f80 Please note that the certificate-key gives access to cluster sensitive data, keep it secret! As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use "kubeadm init phase upload-certs --upload-certs" to reload certs afterward. Then you can join any number of worker nodes by running the following on each as root: kubeadm join 192.168.17.200:16443 --token abcdef.0123456789abcdef \ --discovery-token-ca-cert-hash sha256:30d16ec922ca217b0be609a0b98e4ffb6399bfda058463560bfffd84cb4c975c
如果初始化失敗,可以使用以下命清理一下,然後重新初始化:
kubeadm reset -f ipvsadm --clear rm -rf ~/.kube
初始化完master1節點上的k8s控制平面後生成的文件夾和文件內容如下圖所示:
根據master1上控制平臺初化始成功後的提示,我們繼續完成高可用集羣搭建的剩餘工作。
爲常規的普通用戶執行以下命令:
mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config
爲 root 用戶執行以下命令:
export KUBECONFIG=/etc/kubernetes/admin.conf
使用 "kubectl apply -f [podnetwork].yaml" 爲K8S集羣安裝Pod網絡插件,用於集羣內Pod之間的網絡連接建立(不同節點間的Pod直接用其Pod IP通信,相當於集羣節點對於Pod透明),我們這裏選用符合CNI(容器網絡接口)標準的calico網絡插件(flanel也是可以的):
首選,從Calico的版本發行說明站點 https://docs.tigera.io/archive 找到兼容你所安裝的K8S的版本,裏面同時也有安裝配置說明,如下截圖所示:
根據安裝提示,我們執行以下命令進行Calico網絡插件的安裝:
kubectl create -f https://docs.projectcalico.org/archive/v3.21/manifests/tigera-operator.yaml
如果上述步驟無法直接應用目錄站點上的配置進行安裝,可以直接在瀏覽器打開目標URL,將內容複製下來創建一個yaml文件再應用(例如創建一個 /etc/kubernetes/calico.yaml 文件(其內容就是tigera-operator.yaml文件的內容)):
kubectl create -f /etc/kubernetes/calico.yaml