Installing a K8s cluster (kubeadm)
1. Set the hostnames and /etc/hosts (or resolve the names through a DNS server)
- Set the hostnames as follows:
  k8s-master1 k8s-master2 k8s-master3 k8s-node1 k8s-node2
- Configure /etc/hosts on every host as follows:
  172.16.201.3  k8s-master1
  172.16.201.4  k8s-master2
  172.16.201.5  k8s-master3
  172.16.201.6  k8s-node1
  172.16.201.7  k8s-node2
  172.16.201.10 master.liufeng-k8s.com  # load balancer; note that its firewall must allow the relevant port (6443)
2. Configure the yum repositories on all nodes (base, updates, extras, epel, docker-ce, kubernetes)
- In /etc/yum.conf, change plugins=1 to plugins=0
- Make sure every node can reach the self-hosted Nexus repository
- Delete all files under /etc/yum.repos.d, then create the file nexus.repo with the following content:
  [base]
  name=CentOS-$releasever - Base
  baseurl=http://nexus3-cicd.apps.test.openshift.com/repository/yum/centos/$releasever/os/$basearch/
  enabled=1
  gpgcheck=0

  [updates]
  name=CentOS-$releasever - Updates
  baseurl=http://nexus3-cicd.apps.test.openshift.com/repository/yum/centos/$releasever/updates/$basearch/
  enabled=1
  gpgcheck=0

  [extras]
  name=CentOS-$releasever - Extras
  baseurl=http://nexus3-cicd.apps.test.openshift.com/repository/yum/centos/$releasever/extras/$basearch/
  enabled=1
  gpgcheck=0

  [epel]
  name=CentOS-$releasever - Epel
  baseurl=http://nexus3-cicd.apps.test.openshift.com/repository/yum/epel/$releasever/$basearch/
  enabled=1
  gpgcheck=0

  [docker-ce-stable]
  name=Docker CE Stable - $basearch
  baseurl=http://nexus3-cicd.apps.test.openshift.com/repository/yum/docker-ce/linux/centos/7/$basearch/stable
  enabled=1
  gpgcheck=0

  [kubernetes]
  name=Kubernetes
  baseurl=http://nexus3-cicd.apps.test.openshift.com/repository/yum/kubernetes/yum/repos/kubernetes-el7-x86_64/
  enabled=1
  gpgcheck=0
3. Install the required packages on all nodes:
- Install the prerequisite packages:
  # yum install -y yum-utils device-mapper-persistent-data lvm2
- Install the packages k8s needs:
  # yum install -y docker-ce-18.06.3* kubelet kubeadm kubectl
4. Configure docker and kubelet on all nodes:
- Docker settings, using the private docker image registry (https://nexus3-docker-cicd.apps.test.openshift.com):
  # mkdir /etc/docker
  # cat > /etc/docker/daemon.json <<EOF
  {
    "exec-opts": ["native.cgroupdriver=systemd"],
    "log-driver": "json-file",
    "log-opts": {
      "max-size": "100m"
    },
    "storage-driver": "overlay2",
    "storage-opts": [
      "overlay2.override_kernel_check=true"
    ],
    "registry-mirrors": ["https://nexus3-docker-cicd.apps.test.openshift.com"]
  }
  EOF
  # mkdir -p /etc/systemd/system/docker.service.d
- kubelet settings:
  # cat > /etc/sysctl.d/99-kubernetes-cri.conf <<EOF
  net.bridge.bridge-nf-call-iptables = 1
  net.bridge.bridge-nf-call-ip6tables = 1
  net.ipv4.ip_forward = 1
  EOF
  # sysctl --system
- Import the private docker registry's certificate:
  # echo -n | openssl s_client -showcerts -connect nexus3-docker-cicd.apps.test.openshift.com:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> /etc/pki/tls/certs/ca-bundle.crt
  Note that -showcerts prints every certificate the server presents, so this appends the server's leaf certificate together with its issuing CA to the system bundle; if only the CA is wanted, extract that one certificate from the output before appending.
- Reload the services:
  # systemctl daemon-reload
  # systemctl enable docker
  # systemctl start docker
  # systemctl enable kubelet
- Disable swap:
  # swapoff -a                          # disable for the current boot
  # sed -i '/swap/s/^/#/' /etc/fstab    # disable permanently
5. Pick one master, usually master1, and initialize the cluster with kubeadm init:
- kubeadm init:
  # kubeadm init --kubernetes-version=v1.18.2 --control-plane-endpoint=master.liufeng-k8s.com:6443 \
      --pod-network-cidr=10.244.0.0/16 --image-repository=nexus3-docker-cicd.apps.test.openshift.com \
      --upload-certs
  Some helpful variants:
  # kubeadm init --help
  # kubeadm init --image-repository=nexus3-docker-cicd.apps.test.openshift.com
  If it fails, check the logs to troubleshoot, undo the partial install with kubeadm reset, and then run kubeadm init again.
- Configure kubectl access to the cluster:
  # mkdir -p $HOME/.kube
  # sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  # sudo chown $(id -u):$(id -g) $HOME/.kube/config
- Install the network add-on (flannel):
  # curl https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml -O
  # kubectl apply -f kube-flannel.yml
- Join the remaining nodes to the cluster with kubeadm join:
  Adding a new worker node:
  # kubeadm join master.liufeng-k8s.com:6443 --token yiqsq2.700kevht80v37oap \
      --discovery-token-ca-cert-hash sha256:f30993403486327114e83047fdd476e521f5f775cc304f30afa10ec18f9a05d7
  Adding a new master node:
  # kubeadm join master.liufeng-k8s.com:6443 --token yiqsq2.700kevht80v37oap \
      --discovery-token-ca-cert-hash sha256:f30993403486327114e83047fdd476e521f5f775cc304f30afa10ec18f9a05d7 \
      --control-plane
  Because on my first install I did not pass --upload-certs to kubeadm init, running the command above directly produced an error like the following, saying the certificate could not be found:
  failure loading key for service account: couldn't load the private key file /etc/kubernetes/pki/ca.crt: open /etc/kubernetes/pki/ca.crt: no such file or directory
  In that case, copy the certificates from master1 to master2 and master3 with scp, then run kubeadm join again. The certificates to copy are:
  /etc/kubernetes/pki/ca.crt
  /etc/kubernetes/pki/ca.key
  /etc/kubernetes/pki/sa.key
  /etc/kubernetes/pki/sa.pub
  /etc/kubernetes/pki/front-proxy-ca.crt
  /etc/kubernetes/pki/front-proxy-ca.key
  /etc/kubernetes/pki/etcd/ca.crt      # Quote this line if you are using external etcd
  /etc/kubernetes/pki/etcd/ca.key
- If the token was not copied, or has been lost, generate a new one with:
  # kubeadm token create --print-join-command
- Configure the newly added master node the same way as master1:
  # mkdir -p $HOME/.kube
  # sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  # sudo chown $(id -u):$(id -g) $HOME/.kube/config
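The --discovery-token-ca-cert-hash value in the join commands above is the SHA-256 digest of the cluster CA's DER-encoded public key; it is what lets a joining node pin the control plane's CA instead of trusting whatever answers on port 6443, which matters when the token is handed around or regenerated. The shell functions below are an added example, not code from the original post: they recompute that hash from a CA certificate file and check it against a hash pasted from a join command (the path /etc/kubernetes/pki/ca.crt is kubeadm's default; the function names are this example's own).

```shell
#!/bin/sh
# Added example: recompute and verify the discovery CA hash used by
# "kubeadm join ... --discovery-token-ca-cert-hash sha256:<hex>".
# The hash is SHA-256 over the CA's SubjectPublicKeyInfo in DER form,
# so it can be rebuilt from the certificate alone with openssl.

# ca_cert_hash <ca.crt>  -> prints "sha256:<64 hex chars>"
ca_cert_hash() {
    crt="$1"
    [ -r "$crt" ] || { echo "cannot read $crt" >&2; return 2; }
    hex=$(openssl x509 -in "$crt" -pubkey -noout \
          | openssl pkey -pubin -outform der 2>/dev/null \
          | openssl dgst -sha256 -hex \
          | sed 's/^.* //')
    [ -n "$hex" ] || return 2
    echo "sha256:$hex"
}

# verify_join_hash <ca.crt> <sha256:hex copied from the join command>
# Returns 0 when the hashes match, 1 when they differ, 2 on read errors.
verify_join_hash() {
    expected=$(ca_cert_hash "$1") || return 2
    given=$(echo "$2" | tr 'A-F' 'a-f')      # tolerate upper-case hex
    if [ "$expected" = "$given" ]; then
        echo "OK: $2 matches the public key in $1"
        return 0
    fi
    echo "MISMATCH: $1 hashes to $expected, join command says $2" >&2
    return 1
}

# Typical use on a control-plane node (kubeadm's default CA path):
# verify_join_hash /etc/kubernetes/pki/ca.crt sha256:<hex from kubeadm token create --print-join-command>
```

Run it on the node that printed the join command and on the node about to join; a mismatch means the joining node is being pointed at a different CA than the one master1 holds.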
6. Managing certificate expiry in a kubeadm cluster:
- In a cluster built with kubeadm the default certificate validity is 1 year. If the certificates are not renewed before they expire, the cluster stops working and requests fail with: x509: certificate has expired or is not yet valid.
- To view the validity period of the current kubeadm cluster certificates:
  for i in /etc/kubernetes/pki/*.crt;do echo $i; openssl x509 -in $i -text -noout|egrep "Not Before|Not After";echo "-----------";done
- Back up the certificate files in /etc/kubernetes/pki, then regenerate the certificates with:
  kubeadm certs renew all                # renew the certificates
  kubeadm init phase kubeconfig all      # regenerate the kubeconfig files
- Restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd components
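Printing Not Before/Not After still leaves a human to do the date arithmetic, and the loop above does not descend into /etc/kubernetes/pki/etcd, where the etcd CA, server and peer certificates live. The function below is an added example (not from the original post): it walks a pki directory including etcd/, uses openssl x509 -checkend to flag anything expiring within N days, and returns non-zero when renewal is due, so it can run from cron long before the x509 error appears. The directory and threshold are parameters; the defaults assume kubeadm's standard layout.

```shell
#!/bin/sh
# Added example: report kubeadm certificates that expire within N days.
# check_cert_expiry [pki_dir] [days]  -> 0 if every cert is fine,
#                                        1 if any expires within <days>
check_cert_expiry() {
    dir="${1:-/etc/kubernetes/pki}"      # kubeadm's default PKI directory
    days="${2:-30}"
    seconds=$((days * 86400))            # -checkend takes seconds
    bad=0
    # the etcd CA / server / peer certs live in the etcd/ subdirectory
    for crt in "$dir"/*.crt "$dir"/etcd/*.crt; do
        [ -f "$crt" ] || continue        # skip an unmatched glob
        notafter=$(openssl x509 -in "$crt" -noout -enddate | sed 's/^notAfter=//')
        # -checkend succeeds only if the cert is still valid <seconds> from now
        if openssl x509 -in "$crt" -noout -checkend "$seconds" >/dev/null; then
            echo "OK       $crt (expires $notafter)"
        else
            echo "EXPIRING $crt (expires $notafter, within $days days)"
            bad=1
        fi
    done
    return $bad
}

# Example run on a control-plane node; exit status 1 means renewal is due:
# check_cert_expiry /etc/kubernetes/pki 30 || echo "renew with: kubeadm certs renew all"
```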
7. Afterword:
- kubernetes is abbreviated k8s because there are 8 letters between the k and the s
- Basic kubernetes commands:
  # kubectl get cs                      # check component status
  # kubectl get ns                      # list the cluster namespaces
  # kubectl get pods -n kube-system     # list the pods in kube-system
  # If you work in one namespace for a long time, you can make it the default:
  # kubectl config set-context --current --namespace=kube-system
  # kubectl get pod                     # now shows the pods in kube-system
- Images required to build a k8s cluster (v1.18.2) with kubeadm, using the flannel network add-on:
  kube-proxy:v1.18.2
  kube-controller-manager:v1.18.2
  kube-scheduler:v1.18.2
  kube-apiserver:v1.18.2
  etcd:3.4.3-0
  coredns:1.6.7
  pause:3.2
  flannel:v0.12.0-amd64
- Watching the system log during installation (CentOS):
  # tail -f /var/log/messages
- Enabling kubectl command completion:
  # yum install -y bash-completion
  # echo "source <(kubectl completion bash)" >> ~/.bashrc
  # source ~/.bashrc