How to check CPU usage on Linux
2022-09-11
Deploying a Kubernetes cluster
Part 1: System initialization
Base environment
CentOS7.9_x64
Change the yum repos
# Install the Aliyun repo
curl -o /etc/yum.repos.d/CentOS-Base.repo
# Install the EPEL repo
yum -y install epel-release
# Build the cache
yum makecache
# Update the system
yum -y update --exclude=kernel*
# Problem: There are unfinished transactions remaining. You might consider running yum-complete-transaction
# Clear the yum cache
yum -y install yum-utils
yum clean all
# Clean up unfinished transactions
yum-complete-transaction --cleanup-only
Install tools
yum -y install gcc gcc-c++ lrzsz tree unzip openssl-devel pcre-devel rsync wget tree lsof telnet zip net-tools bind-utils vim git nc psmisc jq
Add an administrator user (optional)
useradd mece
echo '123456'|passwd --stdin mece
cat >>/etc/sudoers <

Disable SELinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

Disable swap
swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

Disable services
systemctl disable --now firewalld
systemctl disable --now postfix
systemctl disable --now NetworkManager

Configure resource limits
echo -e 'ulimit -c unlimited' >> /etc/profile
echo -e 'ulimit -s unlimited' >> /etc/profile
echo -e 'ulimit -SHn 65535' >> /etc/profile
echo -e 'export HISTTIMEFORMAT="%F %T `whoami` "' >>/etc/profile
# echo -e 'export TMOUT=300' >>/etc/profile
# echo -e "HISTFILESIZE=100" >>/etc/profile
source /etc/profile
cat >>/etc/security/limits.conf <

Kernel parameter tuning
cat >> /etc/sysctl.conf <

Configure time synchronization
yum -y install chrony
systemctl enable --now chronyd && chronyc sources

Reboot the server
reboot

Part 2: Kubernetes initialization
Base environment
Applicable versions: k8s 1.17+
Virtual machines: do not use clones, or make sure to change the NIC information
Installation method: binary
Operating system: CentOS 7.9
Version: a patch version of 5+ is recommended
Host:
192.168.94.200 k8s-master-lb
192.168.94.138 k8s-master01
192.168.94.139 k8s-node01
K8s Service subnet: 10.96.0.0/12
K8s Pod subnet: 172.168.0.0/12
Docker version:
Kubernetes version:

Set the hostname
# Set on each host separately
hostnamectl set-hostname k8s-master01
hostnamectl set-hostname k8s-node01

Configure hosts
# Run on every host
cat >>/etc/hosts <

Create the directory
mkdir -pv /data/kubernetes
Note: used to store Kubernetes-related YAML files; only needed on the master node.

Configure the Kubernetes repo (when installing with kubeadm)
cat >/etc/yum.repos.d/kubernetes.repo <

Upgrade the kernel
CentOS 7.9 kernel version: 3.10.0-1160.53.1.el7.x86_64
Upgrade to: latest version
# Upgrade the kernel
rpm --import
rpm -Uvh
yum --disablerepo=\* --enablerepo=elrepo-kernel repolist
yum --disablerepo=\* --enablerepo=elrepo-kernel list kernel*
yum --disablerepo=\* --enablerepo=elrepo-kernel install -y kernel-ml.x86_64
grub2-set-default 0 && grub2-mkconfig -o /etc/grub2.cfg
grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"
# Upgrade the kernel tools packages
yum -y remove kernel-tools-libs.x86_64 kernel-tools.x86_64
yum --disablerepo=\* --enablerepo=elrepo-kernel install -y kernel-ml-tools.x86_64
# Check the default kernel
grubby --default-kernel
# Reboot
reboot

Install dependency packages
yum -y install conntrack ipvsadm ipset libseccomp sysstat

Install the IPVS modules
# In kernel 4.19+, nf_conntrack_ipv4 has been renamed to nf_conntrack; on kernels below 4.19 use nf_conntrack_ipv4
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack
cat <

Configure kernel parameters
cat <

Reboot
reboot

Part 3: Docker installation
Remove old versions
yum remove docker \
    docker-client \
    docker-client-latest \
    docker-common \
    docker-latest \
    docker-latest-logrotate \
    docker-logrotate \
    docker-engine

Set up the yum repo
yum -y install yum-utils
yum-config-manager \
    --add-repo
yum list docker-ce --showduplicates |sort -r
yum -y install docker-ce-19.03.*

Configure Docker
mkdir -pv /etc/docker /data/docker
cat <

Test container status
docker run hello-world
echo -e "GET /containers/redis-slave1/stats HTTP/1.0\r\n" | nc -U /var/run/docker.sock

Part 4: Binary installation
Install etcd
cd /data/kubernetes
wget
tar xf etcd-v3.4.13-linux-amd64.tar.gz --strip-components=1 -C /usr/local/bin/ etcd-v3.4.13-linux-amd64/etcd{,ctl}
etcdctl version

Install Kubernetes
cd /data/kubernetes
wget
tar xf kubernetes-server-linux-amd64.tar.gz --strip-components=3 -C /usr/local/bin/ kubernetes/server/bin/kube{let,ctl,-apiserver,-controller-manager,-scheduler,-proxy}
kubelet --version

Push to the other nodes
# Master nodes
for node in k8s-master-01;do scp -r /usr/local/bin/kube{ctl,-apiserver,-controller-manager,-scheduler} $node:/usr/local/bin/;done
# Worker nodes
for node in k8s-node-01;do scp -r /usr/local/bin/kube{let,-proxy} $node:/usr/local/bin/;done

Configure Calico
# Create the directory
mkdir -pv /opt/cni/bin

Generate certificates
wget -O /usr/local/bin/cfssl
wget -O /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl*
# Create the etcd certificate directory on all master nodes
mkdir -pv /etc/etcd/ssl
# Create the Kubernetes certificate directory on all nodes
mkdir -pv /etc/kubernetes/pki
# Generate the etcd certificates on Master01
# Create the certificate's CSR file, i.e. the certificate signing request file: etcd-ca-csr.json
# Generate the etcd CA certificate and the CA certificate's key
cd /data/kubernetes
cfssl gencert -initca etcd-ca-csr.json |cfssljson -bare /etc/etcd/ssl/etcd-ca
# Issue the etcd client certificate and key
cfssl gencert -ca=/etc/etcd/ssl/etcd-ca.pem -ca-key=/etc/etcd/ssl/etcd-ca-key.pem -config=ca-config.json -hostname=127.0.0.1,k8s-master-01,k8s-master-02,k8s-master-03,192.168.94.138 -profile=kubernetes etcd-csr.json |cfssljson -bare /etc/etcd/ssl/etcd
# Copy the certificates to the other master nodes
scp -r /etc/etcd/ssl/etcd-ca* /etc/etcd/ssl/etcd{-key.pem,.pem}
# Generate the Kubernetes certificates on Master01
# Create the certificate's CSR file, i.e. the certificate signing request file: ca-csr.json
# Generate the Kubernetes CA certificate and the CA certificate's key
cd /data/kubernetes
cfssl gencert -initca ca-csr.json |cfssljson -bare /etc/kubernetes/pki/ca
# Issue the apiserver client certificate and key
cfssl gencert -ca=/etc/kubernetes/pki/ca.pem -ca-key=/etc/kubernetes/pki/ca-key.pem -config=ca-config.json -hostname=10.96.0.1,192.168.94.138,127.0.0.1,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,192.168.94.200,k8s-master-01,k8s-master-02,k8s-master-03 -profile=kubernetes apiserver-csr.json |cfssljson -bare /etc/kubernetes/pki/apiserver
# Generate the apiserver aggregation certificates
cfssl gencert -initca front-proxy-ca-csr.json |cfssljson -bare /etc/kubernetes/pki/front-proxy-ca
cfssl gencert -ca=/etc/kubernetes/pki/front-proxy-ca.pem -ca-key=/etc/kubernetes/pki/front-proxy-ca-key.pem -config=ca-config.json -profile=kubernetes front-proxy-client-csr.json |cfssljson -bare /etc/kubernetes/pki/front-proxy-client
# Generate the controller-manager certificate
cfssl gencert -ca=/etc/kubernetes/pki/ca.pem -ca-key=/etc/kubernetes/pki/ca-key.pem -config=ca-config.json -profile=kubernetes manager-csr.json |cfssljson -bare /etc/kubernetes/pki/controller-manager
# Configure the controller-manager kubeconfig file
# set-cluster: set a cluster entry
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server= --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig
# Set a user entry
kubectl config set-credentials system:kube-controller-manager --client-certificate=/etc/kubernetes/pki/controller-manager.pem --client-key=/etc/kubernetes/pki/controller-manager-key.pem --embed-certs=true --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig
# Set a context (the --user value must match the set-credentials name exactly)
kubectl config set-context system:kube-controller-manager@kubernetes --cluster=kubernetes --user=system:kube-controller-manager --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig
# Use a context as the default
kubectl config use-context system:kube-controller-manager@kubernetes --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig
# Generate the kube-scheduler certificate
cfssl gencert -ca=/etc/kubernetes/pki/ca.pem -ca-key=/etc/kubernetes/pki/ca-key.pem -config=ca-config.json -profile=kubernetes scheduler-csr.json |cfssljson -bare /etc/kubernetes/pki/scheduler
# Set a cluster entry
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server= --kubeconfig=/etc/kubernetes/scheduler.kubeconfig
# Set a user entry
kubectl config set-credentials system:kube-scheduler --client-certificate=/etc/kubernetes/pki/scheduler.pem --client-key=/etc/kubernetes/pki/scheduler-key.pem --embed-certs=true --kubeconfig=/etc/kubernetes/scheduler.kubeconfig
# Set a context
kubectl config set-context system:kube-scheduler@kubernetes --cluster=kubernetes --user=system:kube-scheduler --kubeconfig=/etc/kubernetes/scheduler.kubeconfig
# Use a context as the default
kubectl config use-context system:kube-scheduler@kubernetes --kubeconfig=/etc/kubernetes/scheduler.kubeconfig
# Generate the admin certificate
cfssl gencert -ca=/etc/kubernetes/pki/ca.pem -ca-key=/etc/kubernetes/pki/ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json |cfssljson -bare /etc/kubernetes/pki/admin
# Set a cluster entry
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server= --kubeconfig=/etc/kubernetes/admin.kubeconfig
# Set a user entry (the client key must be the one generated with admin.pem)
kubectl config set-credentials system:kube-admin --client-certificate=/etc/kubernetes/pki/admin.pem --client-key=/etc/kubernetes/pki/admin-key.pem --embed-certs=true --kubeconfig=/etc/kubernetes/admin.kubeconfig
# Set a context
kubectl config set-context system:kube-admin@kubernetes --cluster=kubernetes --user=system:kube-admin --kubeconfig=/etc/kubernetes/admin.kubeconfig
# Use a context as the default
kubectl config use-context system:kube-admin@kubernetes --kubeconfig=/etc/kubernetes/admin.kubeconfig
# Generate the ServiceAccount key
openssl genrsa -out /etc/kubernetes/pki/sa.key 2048
openssl rsa -in /etc/kubernetes/pki/sa.key -pubout -out /etc/kubernetes/pki/sa.pub
# Generate the kubelet certificates: issued automatically
# Copy the certificates to the other nodes
cd /etc/kubernetes/pki
scp -r /etc/kubernetes/pki/* root@k8s-master-01:/etc/kubernetes/pki/
cd /etc/kubernetes
scp -r admin.kubeconfig controller-manager.kubeconfig scheduler.kubeconfig root@k8s-master-01:/etc/kubernetes/

System component configuration
Configure etcd
vi /etc/etcd/etcd.config.yml
name: 'k8s-master-01'
data-dir: /var/lib/etcd
wal-dir: /var/lib/etcd/wal
snapshot-count: 5000
heartbeat-interval: 100
election-timeout: 1000
quota-backend-bytes: 0
listen-peer-urls: ''3
max-wals: 5
cors:
initial-advertise-peer-urls: '''proxy'
discovery-proxy:
discovery-srv:
# initial-cluster: 'k8s-master-01='k8s-master-01='etcd-k8s-cluster'
initial-cluster-state: 'new'
strict-reconfig-check: false
enable-v2: true
enable-pprof: true
proxy: 'off'
proxy-failure-wait: 5000
proxy-refresh-interval: 30000
proxy-dial-timeout: 1000
proxy-write-timeout: 5000
proxy-read-timeout: 0
client-transport-security:
  ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem'
  cert-file: '/etc/kubernetes/pki/etcd/etcd.pem'
  key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem'
  client-cert-auth: true
  trusted-ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem'
  auto-tls: true
peer-transport-security:
  ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem'
  cert-file: '/etc/kubernetes/pki/etcd/etcd.pem'
  key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem'
  peer-client-cert-auth: true
  trusted-ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem'
  auto-tls: true
debug: false
log-package-levels:
log-output: default
force-new-cluster: false
# Startup: /usr/lib/systemd/system/etcd.service
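
kubectl config set-context does not check that the --user or --cluster it is given exists, so a misspelled name in the kubeconfig steps above only surfaces when the component fails to authenticate. This added example (not from the original page) parses a kubeconfig in the layout kubectl writes and reports contexts with dangling references; the function names and the sample file with a misspelled user are constructed.

```shell
#!/bin/sh
# Added example: find kubeconfig contexts that point at undefined users/clusters.

# Constructed sample in the key order kubectl writes; the context user is misspelled.
sample_kubeconfig() {
cat <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: https://192.0.2.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: sysetm:kube-scheduler
  name: system:kube-scheduler@kubernetes
current-context: system:kube-scheduler@kubernetes
users:
- name: system:kube-scheduler
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
EOF
}

# check_kubeconfig [FILE]: print one line per dangling reference; exit 1 if any.
check_kubeconfig() {
awk '
/^[A-Za-z]/ { sec = $1; next }   # top-level key such as "contexts:"
sec == "clusters:" && /^  name: /      { v = $0; sub(/^  name: /, "", v); cl[v] = 1 }
sec == "users:"    && /^- name: /      { v = $0; sub(/^- name: /, "", v); us[v] = 1 }
sec == "contexts:" && /^    cluster: / { v = $0; sub(/^    cluster: /, "", v); c = v }
sec == "contexts:" && /^    user: /    { v = $0; sub(/^    user: /, "", v); u = v }
sec == "contexts:" && /^  name: /      { v = $0; sub(/^  name: /, "", v)
                                         n++; cn[n] = v; cc[n] = c; cu[n] = u; c = u = "" }
END {
  for (i = 1; i <= n; i++) {
    if (!(cu[i] in us)) { printf "context %s: user %s is not defined\n", cn[i], cu[i]; bad++ }
    if (!(cc[i] in cl)) { printf "context %s: cluster %s is not defined\n", cn[i], cc[i]; bad++ }
  }
  exit (bad > 0)
}' "$@"
}

sample_kubeconfig | check_kubeconfig || echo "kubeconfig has dangling references"
```

Run it against each generated file, for example `check_kubeconfig /etc/kubernetes/scheduler.kubeconfig`, before copying the kubeconfigs to other nodes.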
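
The etcd config above turns on enable-pprof and enable-v2 and leaves auto-tls: true next to explicit certificates; etcd uses the configured certificate in that case, but dropping the cert paths later would fall back to self-signed certificates. This added example (not from the original page) lists those settings for review; the function names and the excerpt are constructed from the keys shown above.

```shell
#!/bin/sh
# Added example: audit an etcd YAML config for settings worth reviewing.

# Constructed excerpt; keys and values follow the etcd.config.yml shown above.
sample_etcd_config() {
cat <<'EOF'
name: 'k8s-master-01'
enable-v2: true
enable-pprof: true
client-transport-security:
  cert-file: '/etc/kubernetes/pki/etcd/etcd.pem'
  key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem'
  client-cert-auth: true
  trusted-ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem'
  auto-tls: true
peer-transport-security:
  cert-file: '/etc/kubernetes/pki/etcd/etcd.pem'
  key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem'
  trusted-ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem'
  auto-tls: true
debug: false
EOF
}

# audit_etcd_config [FILE]: print one finding per line; exit 1 if any were found.
audit_etcd_config() {
awk '
function report(msg) { print msg; n++ }
function close_sec() {            # evaluate a finished *-transport-security block
  if (sec == "") return
  if (auto && cert)  report(sec ": auto-tls is true although cert-file is set")
  if (auto && !cert) report(sec ": auto-tls without cert-file means self-signed certificates")
  if (sec == "client-transport-security" && !cca) report(sec ": client-cert-auth is not true")
  sec = ""; auto = cert = cca = 0
}
/^[a-z]/ { close_sec() }          # any top-level key ends the current block
/^(client|peer)-transport-security:/ { sec = $1; sub(/:$/, "", sec); next }
/^enable-pprof: *true/ { report("enable-pprof: profiling is served under /debug/pprof on the client URLs") }
/^enable-v2: *true/    { report("enable-v2: the legacy v2 API is enabled") }
sec != "" && /^ +auto-tls: *true/         { auto = 1 }
sec != "" && /^ +cert-file: *[^ ]/        { cert = 1 }
sec != "" && /^ +client-cert-auth: *true/ { cca = 1 }
END { close_sec(); exit (n > 0) }
' "$@"
}

sample_etcd_config | audit_etcd_config || echo "findings above need review"
```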