k8s安装与部署
一、安装环境
192.168.74.30 master
192.168.74.31 node1
192.168.74.32 node2
设置IP:
vi /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=static DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no IPV6_ADDR_GEN_MODE=stable-privacy NAME=ens33 UUID=a4e154e3-b735-4e70-9e66-5d74aafd2b19 DEVICE=ens33 ONBOOT=yes IPADDR=192.168.74.32 NETMASK=255.255.255.0 GATEWAY=192.168.74.2
DNS1=202.96.134.133
systemctl restart network
二、安装docker
1.每个节点都安装
cd /etc/yum.repos.d/ wget https://download.docker.com/linux/centos/docker-ce.repo yum install -y docker-ce
2.重启docker
systemctl enable docker
systemctl restart docker
二、安装k8s
1.设置主机名,注意不用使用下划线:
hostnamectl set-hostname master
hostnamectl set-hostname node1
hostnamectl set-hostname node2
2.设置hosts文件(所有节点)
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.74.30 master
192.168.74.31 node1
192.168.74.32 node2
3.关掉各节点防火墙,安装相关软件(所有节点)
yum install -y conntrack ntpdate ntp ipvsadm ipset jq iptables curl sysstat libseccomp wget vim net-tools git lrzsz systemctl stop firewalld && systemctl disable firewalld yum -y install iptables-services && systemctl start iptables && systemctl enable iptables && iptables -F && service iptables save
4.关闭各节点selinux(所有节点)
setenforce 0 && sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
5.关闭各节点swap分区(所有节点)
swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
6.同步各节点的时间,这个时间服务,如果机器可以直通外网,那就按以下命令执行就行(所有节点)
yum -y install chrony systemctl start chronyd.service systemctl enable chronyd.service timedatectl set-timezone Asia/Shanghai chronyc -a makestep
7.各节点内核调整(所有节点)
cat > /etc/sysctl.d/k8s.conf << EOF net.ipv4.ip_nonlocal_bind = 1 net.bridge.bridge-nf-call-iptables=1 net.bridge.bridge-nf-call-ip6tables=1 net.ipv4.ip_forward=1 net.ipv4.tcp_tw_recycle=0 vm.swappiness=0 # 禁止使用 swap 空间,只有当系统 OOM 时才允许使用它 vm.overcommit_memory=1 # 不检查物理内存是否够用 vm.panic_on_oom=0 # 开启 OOM fs.inotify.max_user_instances=8192 fs.inotify.max_user_watches=1048576 fs.file-max=52706963 fs.nr_open=52706963 net.ipv6.conf.all.disable_ipv6=1 net.netfilter.nf_conntrack_max=2310720 EOF sysctl -p /etc/sysctl.d/k8s.conf
8.配置各节点k8s的yum源(所有节点)
cat > /etc/yum.repos.d/kubernetes.repo << EOF [kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/ enabled=1 gpgcheck=0 repo_gpgcheck=0 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF
9.各节点开启ipvs模块(所有节点)
cat >/etc/sysconfig/modules/ipvs.modules <<EOF #!/bin/sh modprobe -- ip_vs modprobe -- ip_vs_rr modprobe -- ip_vs_wrr modprobe -- ip_vs_sh #modprobe -- nf_conntrack_ipv4 #4以上的内核就没有ipv4 modprobe -- nf_conntrack EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack
10.安装k8s软件包,每个节点都需要安装这些软件(所有节点)
#直接装最新的
yum install -y kubelet-1.20.13 kubeadm-1.20.13 kubectl-1.20.13
systemctl enable kubelet
11.编辑配置文件
a.获取默认配置文件
mkdir ~/k8s-install && cd ~/k8s-install
kubeadm config print init-defaults> kubeadm.yaml
b.修改配置文件
apiVersion: kubeadm.k8s.io/v1beta3
bootstrapTokens:
- groups:
- system:bootstrappers:kubeadm:default-node-token
token: abcdef.0123456789abcdef
ttl: 24h0m0s
usages:
- signing
- authentication
kind: InitConfiguration
localAPIEndpoint:
advertiseAddress: 1.2.3.4#默认的信息为1.2.3.4,这里需更改为k8s-master01内网地址ip
bindPort: 6443
nodeRegistration:
criSocket: /var/run/dockershim.sock
imagePullPolicy: IfNotPresent
name: node#这里定义了节点的名字,需要调整为master
taints: null
---
apiServer:
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns: {}
etcd:
local:
dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io#需要更改这个,为国内的镜像源registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: 1.22.13#这段需要注意,为你的版本,如果存在差异,记得调整为一致状态
networking:
dnsDomain: cluster.local
podSubnet: 10.244.0.0/16#这段为新增,添加pod网段,设置容器内网络
serviceSubnet: 10.96.0.0/12
scheduler: {}
12.下载相关镜像文件
[root@master k8s-install]# kubeadm config images pull --config kubeadm.yaml
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-apiserver:v1.20.13
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-controller-manager:v1.20.13
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-scheduler:v1.20.13
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-proxy:v1.20.13
[config/images] Pulled registry.aliyuncs.com/google_containers/pause:3.2
[config/images] Pulled registry.aliyuncs.com/google_containers/etcd:3.4.13-0
[config/images] Pulled registry.aliyuncs.com/google_containers/coredns:1.7.0
13.初始化集群
[root@master k8s-install]# kubeadm init --config kubeadm.yaml
14.拷贝k8s认证文件
mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config
15.安装pod网络插件(目前Kubernetes主流的网络方案 calico)
curl https://docs.projectcalico.org/v3.20/manifests/calico.yaml -O kubectl apply -f calico.yaml
16.加入集群(node节点)
kubeadm join 192.168.74.30:6443 --token abcdef.0123456789abcdef \ --discovery-token-ca-cert-hash sha256:fa87d21b98b277b2193cf151e0e3d984293ea57774a42afe73d559e04924ba45
参考:https://blog.csdn.net/m0_63004677/article/details/129816419
三、安装dashboard
1.创建yaml文件
vi recommended.yaml
copyright 2017 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: v1 kind: Namespace metadata: name: kubernetes-dashboard --- apiVersion: v1 kind: ServiceAccount metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kubernetes-dashboard --- kind: Service apiVersion: v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kubernetes-dashboard spec: ports: - port: 443 targetPort: 8443 selector: k8s-app: kubernetes-dashboard type: NodePort --- apiVersion: v1 kind: Secret metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-certs namespace: kubernetes-dashboard type: Opaque --- apiVersion: v1 kind: Secret metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-csrf namespace: kubernetes-dashboard type: Opaque data: csrf: "" --- apiVersion: v1 kind: Secret metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-key-holder namespace: kubernetes-dashboard type: Opaque --- kind: ConfigMap apiVersion: v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-settings namespace: kubernetes-dashboard --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kubernetes-dashboard rules: # Allow Dashboard to get, update and delete Dashboard exclusive secrets. - apiGroups: [""] resources: ["secrets"] resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] verbs: ["get", "update", "delete"] # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. - apiGroups: [""] resources: ["configmaps"] resourceNames: ["kubernetes-dashboard-settings"] verbs: ["get", "update"] # Allow Dashboard to get metrics. - apiGroups: [""] resources: ["services"] resourceNames: ["heapster", "dashboard-metrics-scraper"] verbs: ["proxy"] - apiGroups: [""] resources: ["services/proxy"] resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] verbs: ["get"] --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard rules: # Allow Metrics Scraper to get metrics from the Metrics server - apiGroups: ["metrics.k8s.io"] resources: ["pods", "nodes"] verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kubernetes-dashboard subjects: - kind: ServiceAccount name: kubernetes-dashboard namespace: kubernetes-dashboard --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kubernetes-dashboard subjects: - kind: ServiceAccount name: kubernetes-dashboard namespace: kubernetes-dashboard --- kind: Deployment apiVersion: apps/v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kubernetes-dashboard spec: replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: k8s-app: kubernetes-dashboard template: metadata: labels: k8s-app: kubernetes-dashboard spec: containers: - name: kubernetes-dashboard image: kubernetesui/dashboard:v2.3.1 imagePullPolicy: Always ports: - containerPort: 8443 protocol: TCP args: - --auto-generate-certificates - --namespace=kubernetes-dashboard # Uncomment the following line to manually specify Kubernetes API server Host # If not specified, Dashboard will attempt to auto discover the API server and connect # to it. Uncomment only if the default does not work. # - --apiserver-host=http://my-address:port volumeMounts: - name: kubernetes-dashboard-certs mountPath: /certs # Create on-disk volume to store exec logs - mountPath: /tmp name: tmp-volume livenessProbe: httpGet: scheme: HTTPS path: / port: 8443 initialDelaySeconds: 30 timeoutSeconds: 30 securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 1001 runAsGroup: 2001 volumes: - name: kubernetes-dashboard-certs secret: secretName: kubernetes-dashboard-certs - name: tmp-volume emptyDir: {}
serviceAccountName: kubernetes-dashboard
nodeSelector:
"kubernetes.io/os": linux
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
ports:
- port: 8000
targetPort: 8000
selector:
k8s-app: dashboard-metrics-scraper
---
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: dashboard-metrics-scraper
template:
metadata:
labels:
k8s-app: dashboard-metrics-scraper
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec:
containers:
- name: dashboard-metrics-scraper
image: kubernetesui/metrics-scraper:v1.0.6
ports:
- containerPort: 8000
protocol: TCP
livenessProbe:
httpGet:
scheme: HTTP
path: /
port: 8000
initialDelaySeconds: 30
timeoutSeconds: 30
volumeMounts:
- mountPath: /tmp
name: tmp-volume
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
serviceAccountName: kubernetes-dashboard
nodeSelector:
"kubernetes.io/os": linux
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
volumes:
- name: tmp-volume
emptyDir: {}
2.创建服务
kubectl apply -f recommended.yaml
3.查看服务
[root@master k8s-install]# kubectl get svc -A | grep kubernetes-dashboard kubernetes-dashboard dashboard-metrics-scraper ClusterIP 10.101.206.71 <none> 8000/TCP 54s kubernetes-dashboard kubernetes-dashboard NodePort 10.111.89.163 <none> 443:31239/TCP 55s
4.打开dashboard
https://192.168.74.30:31239/#/login
5、创建访问账号
vi dash.yaml
# 创建访问账号,准备一个yaml文件; vi dash.yaml apiVersion: v1 kind: ServiceAccount metadata: name: admin-user namespace: kubernetes-dashboard --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: admin-user roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: admin-user namespace: kubernetes-dashboard
kubectl apply -f dash.yaml
6、获取访问令牌
kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"
得到的令牌输入浏览器
eyJhbGciOiJSUzI1NiIsImtpZCI6IktHV3ozTDlWcW9mejROVGNEbU9feWNEc1JLTW5zVGtBRzBpU3BnYzhkaG8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXpud2dkIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIzODE5ZTQyNy03MWIzLTRlODYtOTRmYy02NjZlMjBlMjY5YTYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.pFyi4Lmj6etNUs7AEy6EKDnJjh3kWHW5krnKGGVSqE0qz8DS0xshIGTClnFcxssjNjeiA_qRU7T-j83XjunKCkTQKe46hlGeqS60-KY3xQhXQBbDJ9ep2Zz3YMzRD9IPsQl5PxewQ5DfNkUjoZsi5jfkiD6mNHHE-ecd4oVJR7-Vp300M76DTToQEpgH4A3ph4fmStmlyQYFQi09yKhM1RBPg0w-O9p-oH_21uG6ZEjp40ElNzmymvl8UoyMSN2wDnhgsGBq9Smsay_FtwA8kgcGns13i01B62fuLV6hf0UsciBbPpe_kmpFIy7d_s-Zim_v7MvURIy6u7iXEy9acA
常见报错:
1.It seems like the kubelet isn't running or healthy.
解决方法:
2.nodeRegistration.name: Invalid value: "k8s_master": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.
解决方法:原因是主机名有特殊符号,修改主机名
3.To see the stack trace of this error execute with --v=5 or higher
4.Failed to start Docker Application Container Engine.
解决方法:https://blog.csdn.net/chshgod1/article/details/124574733
5.[ERROR CRI]: container runtime is not running:
解决方法:
[root@master:~] rm -rf /etc/containerd/config.toml [root@master:~] systemctl restart containerd
error execution phase preflight: [preflight] Some fatal errors occurred:
[ERROR FileAvailable–etc-kubernetes-manifests-kube-apiserver.yaml]: /etc/kubernetes/manifests/kube-apiserver.yaml already exists
[ERROR FileAvailable–etc-kubernetes-manifests-kube-controller-manager.yaml]: /etc/kubernetes/manifests/kube-controller-manager.yaml already exists
[ERROR FileAvailable–etc-kubernetes-manifests-kube-scheduler.yaml]: /etc/kubernetes/manifests/kube-scheduler.yaml already exists
[ERROR FileAvailable–etc-kubernetes-manifests-etcd.yaml]: /etc/kubernetes/manifests/etcd.yaml already exists
[preflight] If you know what you are doing, you can make a check non-fatal with --ignore-preflight-errors=...
To see the stack trace of this error execute with --v=5 or higher
解决:
kubeadm reset
报错二:
[kubelet-check] Initial timeout of 40s passed.
[kubelet-check] It seems like the kubelet isn’t running or healthy.
[kubelet-check] The HTTP call equal to ‘curl -sSL http://localhost:10248/healthz’ failed with error: Get “http://localhost:10248/healthz”: dial tcp [::1]:10248: connect: connection refused.
出现报错后,执行 tail /var/log/messages > error
查看报错信息:
cat error
1
Jun 9 22:15:56 master kubelet: E0609 22:15:56.367821 12257 node_container_manager_linux.go:61] “Failed to create cgroup” err=“Cannot set property TasksAccounting, or unknown property.” cgroupName=[kubepods]
Jun 9 22:15:56 master kubelet: E0609 22:15:56.367834 12257 kubelet.go:1431] “Failed to start ContainerManager” err=“Cannot set property TasksAccounting, or unknown property.”
Jun 9 22:15:56 master systemd: kubelet.service: main process exited, code=exited, status=1/FAILURE
Jun 9 22:15:56 master systemd: Unit kubelet.service entered failed state.
Jun 9 22:15:56 master systemd: kubelet.service failed.
更新 systemd
[root@master ~]# kubelet --version
Kubernetes v1.23.1
[root@master ~]# yum info systemd
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Installed Packages
Name : systemd
Arch : x86_64
Version : 219
Release : 78.el7
1
2
3
4
5
6
7
8
9
10
yum list kubelet
卸载现有的低版本
yum remove systemd
重新安装高版本
yum install systemd
kubeadm reset
重新初始化:
kubeadm init --config kubeadm-init.yaml
我出现该报错的原因是使用的rhel7.3,systemd版本太低,更新systemd后重新初始化成功。
出现该问题的原因还可能是kubelet的cgroup driver和containerd的 cgroup driver二者不一致致使kubelet启动失败。我这里使用的kubele和container的 cgroup driver是systemd。
浙公网安备 33010602011771号