部署Kubernetes集群

部署Kubernetes集群

第一部分 系统初始化

基础环境

CentOS7.9_x64

修改yum源

# 安装阿里云源curl -o /etc/yum.repos.d/CentOS-Base.repo 安装epel源yum -y install epel-release# 建立缓存yum makecache# 更新系统yum -y update --exclude=kernel*问题：There are unfinished transactions remaining. You might consider running yum-complete-transaction# 清除yum缓存yum -y install yum-utilsyum clean all# 清理未完成事物yum-complete-transaction --cleanup-only

安装工具

yum -y install gcc gcc-c++ lrzsz tree unzip openssl-devel pcre-devel rsync wget tree lsof telnet zip net-tools bind-utils vim git nc psmisc jq

添加管理员用户(非必需)

useradd meceecho '123456'|passwd --stdin mececat >>/etc/sudoers <

关闭SELinux

sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

关闭swap

swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

关闭服务

systemctl disable --now firewalldsystemctl disable --now postfixsystemctl disable --now NetworkManager

配置资源限制

echo -e 'ulimit -c unlimited' >> /etc/profileecho -e 'ulimit -s unlimited' >> /etc/profileecho -e 'ulimit -SHn 65535' >> /etc/profileecho -e 'export HISTTIMEFORMAT="%F %T `whoami` "' >>/etc/profile# echo -e 'export TMOUT=300' >>/etc/profile# echo -e "HISTFILESIZE=100" >>/etc/profilesource /etc/profilecat >>/etc/security/limits.conf <

内核参数优化

cat >> /etc/sysctl.conf <

配置时钟同步

yum -y install chronysystemctl enable --now chronyd && chronyc sources

重启服务器

reboot

第二部分 kubernetes初始化

基础环境**

适用版本：k8s 1.17+虚拟机：禁止使用克隆或注意修改网卡信息安装方式：二进制操作系统：CentOS 7.9版本：推荐用小版本5+Host：192.168.94.200 k8s-master-lb192.168.94.138 k8s-master01 192.168.94.139 k8s-node01 K8s Service网段：10.96.0.0/12K8s Pod网段：172.168.0.0/12Docker版本：Kubernetes版本：

设置主机名

每台主机分别设置hostnamectl set-hostname k8s-master01hostnamectl set-hostname k8s-node01

配置hosts

# 每台主机都执行cat >>/etc/hosts <

创建目录

mkdir -pv /data/kubernetes备注：用于存放kubernetes相关yaml文件，主节点即可

配置kubernetes源(kubeadmin安装时)

cat >/etc/yum.repos.d/kubernetes.repo <

升级内核

CentOS7.9内核版本：3.10.0-1160.53.1.el7.x86_64升级为：最新版本升级内核rpm --import -Uvh --disablerepo=\* --enablerepo=elrepo-kernel repolistyum --disablerepo=\* --enablerepo=elrepo-kernel list kernel*yum --disablerepo=\* --enablerepo=elrepo-kernel install -y kernel-ml.x86_64grub2-set-default 0 && grub2-mkconfig -o /etc/grub2.cfggrubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"升级内核工具包yum -y remove kernel-tools-libs.x86_64 kernel-tools.x86_64yum --disablerepo=\* --enablerepo=elrepo-kernel install -y kernel-ml-tools.x86_64检查默认内核grubby --default-kernel重启reboot

安装依赖包

yum -y install conntrack ipvsadm ipset libseccomp sysstat

安装IPVS模块

# 在内核4.19+版本nf_conntrack_ipv4已经更改为nf_conntrack；在4.19以下使用nf_conntrack_ipv4modprobe -- ip_vsmodprobe -- ip_vs_rrmodprobe -- ip_vs_wrrmodprobe -- ip_vs_shmodprobe -- nf_conntrackcat <

配置内核参数

cat <

重启

reboot

第三部分 Docker安装

卸载旧版本

yum remove docker \ docker-client \ docker-client-latest \ docker-common \ docker-latest \ docker-latest-logrotate \ docker-logrotate \ docker-engine

设置yum源

yum -y install yum-utilsyum-config-manager \ --add-repo \ list docker-ce --showduplicates |sort -ryum -y install docker-ce-19.03.*

配置docker

mkdir -pv /etc/docker /data/dockercat <

测试容器状态

docker run hello-worldecho -e "GET /containers/redis-slave1/stats HTTP/1.0\r\n\ " | nc -U /var/run/docker.sock

第四部分 二进制安装

安装etcd

cd /data/kuberneteswget xf etcd-v3.4.13-linux-amd64.tar.gz --strip-components=1 -C /usr/local/bin/ etcd-v3.4.13-linux-amd64/etcd{,ctl}etcdctl verion

安装kubernetes

cd /data/kuberneteswget xf kubernetes-server-linux-amd64.tar.gz --strip-components=3 -C /usr/local/bin/ kubernetes/server/bin/kube{let,ctl,-apiserver,-controller-manager,-scheduler,-proxy}kubelet --version

推送到其他节点

# master节点for node in k8s-master-01;do scp -r /usr/local/bin/kube{ctl,-apiserver,-controller-manager,-scheduler} $node:/usr/local/bin/;done# node节点for node in k8s-node-01;do scp -r /usr/local/bin/kube{let,-proxy} $node:/usr/local/bin/;done

配置calico

# 创建目录mkdir -pv /opt/cni/bin

生成证书

wget "-O /usr/local/bin/cfsslwget "-O /usr/local/bin/cfssljsonchmod +x /usr/local/bin/cfssl*# 所有master节点创建etcd证书目录mkdir -pv /etc/etcd/ssl# 所有节点创建kubernetes证书目录mkdir -pv /etc/kubernetes/pki# Master01节点生成etcd证书生成证书的CSR文件，即证书签名的请求文件etcd-ca-csr.json# 生成etcd的CA证书和CA证书的Keycd /data/kubernetescfssl gencert -initca etcd-ca-csr.json |cfssljson -bare /etc/etcd/ssl/etcd-ca# 颁发etcd的客户端证书和keycfssl gencert -ca=/etc/etcd/ssl/etcd-ca.pem -ca-key=/etc/etcd/ssl/etcd-ca-key.pem -config=ca-config.json -hostname=127.0.0.1,k8s-master-01,k8s-master-02,k8s-master-03,192.168.94.138 -profile=kubernetes etcd-csr.json |cfssljson -bare /etc/etcd/ssl/etcd# 将证书复制到其他master节点scp -r /etc/etcd/ssl/etcd-ca* /etc/etcd/ssl/etcd{-key.pem,.pem}# Master01节点生成kubernetes证书生成证书的CSR文件，即证书签名的请求文件ca-csr.json# 生成kubernetes的CA证书和CA证书的Keycd /data/kubernetescfssl gencert -initca ca-csr.json |cfssljson -bare /etc/kubernetes/pki/ca# 颁发apiserver的客户端证书和keycfssl gencert -ca=/etc/kubernetes/pki/ca.pem -ca-key=/etc/kubernetes/pki/ca-key.pem -config=ca-config.json -hostname=10.96.0.1,192.168.94.138,127.0.0.1,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,192.168.94.200,k8s-master-01,k8s-master-02,k8s-master-03 -profile=kubernetes apiserver-csr.json |cfssljson -bare /etc/kubernetes/pki/apiserver# 生成apiserver的聚合证书cfssl gencert -initca front-proxy-ca-csr.json |cfssljson -bare /etc/kubernetes/pki/front-proxy-cacfssl gencert -ca=/etc/kubernetes/pki/front-proxy-ca.pem -ca-key=/etc/kubernetes/pki/front-proxy-ca-key.pem -config=ca-config.json -profile=kubernetes front-proxy-client-csr.json |cfssljson -bare /etc/kubernetes/pki/front-proxy-client# 生成controller-manager的证书cfssl gencert -ca=/etc/kubernetes/pki/ca.pem -ca-key=/etc/kubernetes/pki/ca-key.pem -config=ca-config.json -profile=kubernetes manager-csr.json |cfssljson -bare /etc/kubernetes/pki/controller-manager# 配置controller-manager的kubeconfig文件# set-cluster：设置一个集群项kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=--kubeconfig=/etc/kubernetes/controller-manager.kubeconfig# 设置一个用户项kubectl config set-credentials system:kube-controller-manager --client-certificate=/etc/kubernetes/pki/controller-manager.pem --client-key=/etc/kubernetes/pki/controller-manager-key.pem --embed-certs=true --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig# 设置一个环境上下文kubectl config set-context system:kube-controller-manager@kubernetes --cluster=kubernetes --user=sysetm:kube-controller-manager --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig# 使用某个环境当作默认环境kubectl config use-context system:kube-controller-manager@kubernetes --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig# 生成kube-scheduler证书cfssl gencert -ca=/etc/kubernetes/pki/ca.pem -ca-key=/etc/kubernetes/pki/ca-key.pem -config=ca-config.json -profile=kubernetes scheduler-csr.json |cfssljson -bare /etc/kubernetes/pki/scheduler# 设置一个集群项kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=--kubeconfig=/etc/kubernetes/scheduler.kubeconfig# 设置一个用户项kubectl config set-credentials system:kube-scheduler --client-certificate=/etc/kubernetes/pki/scheduler.pem --client-key=/etc/kubernetes/pki/scheduler-key.pem --embed-certs=true --kubeconfig=/etc/kubernetes/scheduler.kubeconfig# 设置一个环境上下文kubectl config set-context system:kube-scheduler@kubernetes --cluster=kubernetes --user=sysetm:kube-scheduler --kubeconfig=/etc/kubernetes/scheduler.kubeconfig# 使用某个环境当作默认环境kubectl config use-context system:kube-scheduler@kubernetes --kubeconfig=/etc/kubernetes/scheduler.kubeconfig# 生成admin证书cfssl gencert -ca=/etc/kubernetes/pki/ca.pem -ca-key=/etc/kubernetes/pki/ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json |cfssljson -bare /etc/kubernetes/pki/admin# 设置一个集群项kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.pem --embed-certs=true --server=--kubeconfig=/etc/kubernetes/admin.kubeconfig# 设置一个用户项kubectl config set-credentials system:kube-admin --client-certificate=/etc/kubernetes/pki/admin.pem --client-key=/etc/kubernetes/pki/scheduler-key.pem --embed-certs=true --kubeconfig=/etc/kubernetes/admin.kubeconfig# 设置一个环境上下文kubectl config set-context system:kube-admin@kubernetes --cluster=kubernetes --user=sysetm:kube-admin --kubeconfig=/etc/kubernetes/admin.kubeconfig# 使用某个环境当作默认环境kubectl config use-context system:kube-admin@kubernetes --kubeconfig=/etc/kubernetes/admin.kubeconfig# 生成ServiceAccount Keyopenssl genrsa -out /etc/kubernetes/pki/sa.key 2048openssl rsa -in /etc/kubernetes/pki/sa.key -pubout -out /etc/kubernetes/pki/sa.pub# 生成kubelet证书自动颁发# 拷贝证书到其他节点cd /etc/kubernetes/pkiscp -r /etc/kubernetes/pki/* root@k8s-master-01:/etc/kubernetes/pki/cd /et/kubernetesscp -r admin.kubeconfig controller-manager.kubeconfig scheduler.kubeconfig root@k8s-master-01

系统组件配置

配置etcd

vi /etc/etcd/etcd.config.ymlname: 'k8s-master-01'data-dir: /var/lib/etcdwal-dir: /var/lib/etcd/walsnapshot-count: 5000heartbeat-interval: 100election-timeout: 1000quota-backend-bytes: 0listen-peer-urls: ''3max-wals: 5cors:initial-advertise-peer-urls: '''proxy'discovery-proxy:discovery-srv:# initial-cluster: 'k8s-master-01='k8s-master-01='etcd-k8s-cluster'initial-cluster-state: 'new'strict-reconfig-check: falseenable-v2: trueenable-pprof: trueproxy: 'off'proxy-failure-wait: 5000proxy-refresh-interval: 30000proxy-dial-timeout: 1000proxy-write-timeout: 5000proxy-read-timeout: 0client-transport-security: ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem' cert-file: '/etc/kubernetes/pki/etcd/etcd.pem' key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem' client-cert-auth: true trusted-ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem' auto-tls: truepeer-transport-security: ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem' cert-file: '/etc/kubernetes/pki/etcd/etcd.pem' key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem' peer-client-cert-auth: true trusted-ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem' auto-tls: truedebug: falselog-package-levels:log-output: defaultforce-new-cluster: false# 启动/usr/lib/systemd/system/etcd.service

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。