kubeadm is the tool published by the Kubernetes community for quickly bootstrapping a Kubernetes cluster.

With it, a cluster is deployed with two commands:

# Create a control-plane (Master) node
$ kubeadm init
# Join a worker node to the cluster
$ kubeadm join <Master node IP and port>

1. Requirements

Before starting, the machines that will run the cluster must satisfy the following:

· One or more machines running Kylin V10 (麒麟V10)

· Hardware: at least 2 GB RAM, 2 CPUs and 30 GB of disk

· All machines in the cluster can reach each other over the network

· Internet access, because container images have to be pulled

· Swap disabled (kubeadm's preflight check fails and the kubelet will not start with swap enabled unless it is explicitly configured to tolerate it)

2. Prepare the environment

Role            IP
k8s-master01    11.0.1.131
k8s-node01      11.0.1.132

# Stop the firewall (quick-start convenience; for anything beyond a lab, keep firewalld running and open only the ports kubeadm and the CNI need):
 systemctl stop firewalld
 systemctl disable firewalld

# Disable SELinux:
 sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config  # permanent, takes effect after reboot
 setenforce 0  # temporary

# Disable swap (required by kubeadm's preflight check and the kubelet):
 swapoff -a  # temporary
# vim /etc/fstab  # permanent: comment out the swap line

# Set the hostname (run the matching line on each machine):
 hostnamectl set-hostname k8s-master01  &&  bash
 #hostnamectl set-hostname k8s-node01 && bash
 #hostnamectl set-hostname k8s-node02  && bash

# Add hosts entries for the cluster machines (on every node, so the names resolve in both directions):
cat >> /etc/hosts << EOF
11.0.1.131 k8s-master01
11.0.1.132 k8s-node01
EOF

# Load the kernel modules the container runtime and CNI need
# (modprobe is not persistent; to survive a reboot, list the modules in a file under /etc/modules-load.d/)
sudo modprobe br_netfilter
sudo modprobe overlay
# Verify they are loaded
lsmod | grep br_netfilter
# br_netfilter should be listed


# Let bridged IPv4/IPv6 traffic traverse the iptables chains and enable IP forwarding (kube-proxy and the CNI depend on all three):
 cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF

sysctl --system
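The preparation above stops the firewall outright and relies on manual inspection to confirm the kernel settings. The following is an added example, not code from the original page: it prints the firewall-cmd rules that keep firewalld running while opening only what a control-plane or worker node needs, and it verifies the swap, sysctl and module prerequisites from files so the checks can be run (and tested) anywhere. Port numbers follow the kubeadm "Ports and Protocols" reference; 179/tcp (BGP) and IP-in-IP (protocol 4, "ipencap" in /etc/protocols) are for Calico, which is assumed to be the CNI chosen later, and the `--add-protocol=ipencap` firewalld syntax for it is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): instead of stopping firewalld,
# open only the ports kubeadm needs for each node role, and verify the kernel
# prerequisites configured above from files so the checks can be run anywhere.
# Port numbers follow the kubeadm "Ports and Protocols" reference; 179/tcp (BGP)
# and IP-in-IP (protocol 4, "ipencap") are for Calico, assumed as the CNI below.

# Print the firewall-cmd lines for a role: "control-plane" or "worker".
k8s_firewall_rules() {
    role="$1"
    case "$role" in
        control-plane)
            # API server, etcd client/peer, kubelet, controller-manager, scheduler
            ports="6443/tcp 2379-2380/tcp 10250/tcp 10257/tcp 10259/tcp" ;;
        worker)
            # kubelet and the NodePort range
            ports="10250/tcp 30000-32767/tcp" ;;
        *)
            echo "unknown role: $role" >&2
            return 1 ;;
    esac
    ports="$ports 179/tcp"   # Calico BGP between nodes
    for p in $ports; do
        echo "firewall-cmd --permanent --add-port=$p"
    done
    # Calico IP-in-IP encapsulation (assumed firewalld syntax for a raw IP protocol)
    echo "firewall-cmd --permanent --add-protocol=ipencap"
    echo "firewall-cmd --reload"
}

# Swap must be off: a /proc/swaps-style file then has only its header line.
check_swap_off() {
    swaps_file="${1:-/proc/swaps}"
    [ "$(grep -c '' "$swaps_file")" -le 1 ]
}

# Every sysctl key kube-proxy and the CNI rely on must be set to 1 in the conf file.
check_sysctl_conf() {
    conf="${1:-/etc/sysctl.d/k8s.conf}"
    for key in net.bridge.bridge-nf-call-iptables \
               net.bridge.bridge-nf-call-ip6tables \
               net.ipv4.ip_forward; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$conf" || {
            echo "$key is not set to 1 in $conf" >&2
            return 1
        }
    done
}

# modprobe does not survive a reboot; list the modules for systemd-modules-load.
persist_k8s_modules() {
    out="${1:-/etc/modules-load.d/k8s.conf}"
    printf 'overlay\nbr_netfilter\n' > "$out"
}

# Demo: show what would be opened on the control plane (nothing is applied here).
k8s_firewall_rules control-plane
```

On a real node, run `k8s_firewall_rules control-plane | sh` (or `worker`) as root instead of `systemctl stop firewalld`, then `persist_k8s_modules && check_swap_off && check_sysctl_conf && echo "prerequisites ok"` with the default paths. Calico's VXLAN mode would need 4789/udp instead of the IP-in-IP rule; the manifest used later defaults to IP-in-IP.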

3. Install Docker, cri-dockerd, kubeadm, kubectl and kubelet

3.1 Install Docker

# The docker-26.1.4.tgz static binary archive is assumed to have been downloaded to the current directory

tar xf docker-26.1.4.tgz
chmod +x docker/*
mv docker/* /usr/bin/

Create the systemd unit for the daemon:
sudo tee /etc/systemd/system/docker.service <<-'EOF'
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
# No containerd.service unit is installed by this procedure, so a hard
# Requires=containerd.service would make docker.service fail to start;
# dockerd launches its own containerd child process when none is running.

[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

[Install]
WantedBy=multi-user.target
EOF


3.2 Install cri-dockerd

# Kubernetes 1.24+ no longer talks to Docker directly; cri-dockerd is the CRI shim that sits between the kubelet and dockerd
tar xzvf cri-dockerd-0.3.9.amd64.tgz

# Install the binary
sudo cp cri-dockerd/cri-dockerd /usr/local/bin/
sudo chmod +x /usr/local/bin/cri-dockerd

# Verify
/usr/local/bin/cri-dockerd --version


# Create the systemd unit (the pause image is pulled from the Aliyun mirror to match --image-repository used by kubeadm init later)
sudo tee /etc/systemd/system/cri-docker.service <<-'EOF'
[Unit]
Description=CRI Interface for Docker Application Container Engine
Documentation=https://docs.mirantis.com
After=network-online.target firewalld.service docker.service
Wants=network-online.target
Requires=docker.service

[Service]
Type=notify
ExecStart=/usr/local/bin/cri-dockerd --network-plugin=cni --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target
EOF


# Docker daemon configuration (write it before starting Docker).
# native.cgroupdriver=systemd must match the kubelet, which kubeadm configures for the systemd cgroup driver by default; with a mismatch the kubelet cannot run pods.
mkdir -p /etc/docker
cat > /etc/docker/daemon.json << EOF
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {"max-size": "100m"},
  "storage-driver": "overlay2",
  "registry-mirrors": [
    "https://docker.mirrors.ustc.edu.cn"
  ]
}
EOF

# Start the services (new unit files need a daemon-reload; cri-docker requires docker, so Docker starts first)
systemctl daemon-reload
systemctl restart docker && systemctl enable docker
systemctl restart cri-docker && systemctl enable cri-docker
# Confirm the cgroup driver actually in use
docker info --format '{{.CgroupDriver}}'   # expected: systemd


3.3 Install kubelet, kubeadm and kubectl

# kube.tar is assumed to hold the kubelet, kubeadm and kubectl 1.28.0 RPMs (with their dependencies) fetched in advance
tar -xf kube.tar
rpm -i ./*.rpm
systemctl enable kubelet
# Until kubeadm init/join writes its configuration the kubelet restarts in a loop; that is expected

4. Initialize the cluster

Run on the master (11.0.1.131):

kubeadm init --apiserver-advertise-address=11.0.1.131 --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.28.0 --service-cidr=10.96.0.0/12 --pod-network-cidr=10.244.0.0/16 --cri-socket unix:///var/run/cri-dockerd.sock --ignore-preflight-errors=all

--cri-socket points kubeadm at cri-dockerd explicitly (kubeadm refuses to guess when it finds more than one CRI socket on the host). --pod-network-cidr must match the CIDR given to the CNI plugin later (Calico, section 6). --ignore-preflight-errors=all silences every preflight check, including the ones for swap, the cgroup driver, required ports and missing kernel settings; prefer dropping it, or waive one named check (for example --ignore-preflight-errors=NumCPU) rather than all of them.

Copy the admin kubeconfig to the default path so kubectl can reach the cluster (this file carries cluster-admin credentials: keep it mode 0600 and do not copy it to other users or hosts):

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

# Check the node
kubectl get nodes
NAME           STATUS     ROLES           AGE   VERSION
k8s-master01   NotReady   control-plane   49m   v1.28.0

The node stays NotReady until a CNI plugin has been deployed (section 6).

5. Join worker nodes

Run on 11.0.1.132 (the node).

Add the node with the kubeadm join command printed at the end of kubeadm init, plus the same --cri-socket used for init (the API server listens on 6443 unless --apiserver-bind-port changed it):

# Run on every worker node
kubeadm join 11.0.1.131:6443 --token 5s30j7.cp5rjrfcnwe6yn49 \
    --discovery-token-ca-cert-hash sha256:225727afa50dabc8d80dd8a5f85d3b799bb7e6a64abedd14f3a8af1978fad854 \
    --cri-socket unix:///var/run/cri-dockerd.sock

The bootstrap token expires after 24 hours by default; after that it can no longer be used and a new one has to be created:

$ kubeadm token create
$ kubeadm token list
$ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
63bca849e0e01691ae14eab449570284f0c3ddeea590f8da988c07fe2729e924
$ kubeadm join 11.0.1.131:6443 --token nuja6n.o3jrhsffiqs9swnu --discovery-token-ca-cert-hash sha256:63bca849e0e01691ae14eab449570284f0c3ddeea590f8da988c07fe2729e924

Or generate the complete join command in one step: kubeadm token create --print-join-command

The --discovery-token-ca-cert-hash pins the control plane's CA public key, so a joining node cannot be redirected to a rogue API server; never replace it with --discovery-token-unsafe-skip-ca-verification. A bootstrap token is a bearer credential that lets any holder add a node to the cluster, so create it with a short --ttl and delete it (kubeadm token delete <token>) once the nodes have joined.

https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-join/
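Join commands are often copied around by chat or ticket, which is exactly where the CA hash gets dropped or the unsafe flag gets added "to make it work". The following is an added example, not code from the page or from kubeadm: it validates a join command's shape (well-formed token, sha256 CA pin present, no CA-verification bypass) before it is pasted on a worker, and recomputes the CA hash with the same openssl pipeline as above, using openssl pkey so it also works for a non-RSA CA. The token and hash in the demo are constructed sample values taken from the page's example output, not live secrets.

```shell
#!/bin/sh
# Added example (not from the original page): check a kubeadm join command before
# pasting it on a worker, and recompute the CA hash it should carry. The token and
# hash used in the demo are constructed sample values, not live cluster secrets.

# Return 0 only if the command carries a well-formed bootstrap token, pins the
# control-plane CA with a sha256 discovery hash, and does not disable CA checks.
validate_join_command() {
    cmd="$1"
    # A bootstrap token is <6 chars>.<16 chars>, lowercase letters and digits
    printf '%s\n' "$cmd" | grep -Eq -- '--token[ =][a-z0-9]{6}\.[a-z0-9]{16}( |$)' || {
        echo "missing or malformed --token" >&2
        return 1
    }
    printf '%s\n' "$cmd" | grep -Eq -- '--discovery-token-ca-cert-hash[ =]sha256:[0-9a-f]{64}( |$)' || {
        echo "missing --discovery-token-ca-cert-hash: the control-plane CA is not pinned" >&2
        return 1
    }
    if printf '%s\n' "$cmd" | grep -q -- '--discovery-token-unsafe-skip-ca-verification'; then
        echo "refusing: CA verification disabled, the node could be joined to a rogue API server" >&2
        return 1
    fi
    return 0
}

# Hash of the CA public key, the same pipeline as above (openssl pkey instead of
# openssl rsa so it also works for a non-RSA CA). Compare its output with the
# value in a join command that arrived by chat or e-mail rather than from kubeadm.
ca_cert_hash() {
    openssl x509 -pubkey -in "$1" \
        | openssl pkey -pubin -outform der 2>/dev/null \
        | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# Demo on a constructed join command (sample token and hash).
sample='kubeadm join 11.0.1.131:6443 --token 5s30j7.cp5rjrfcnwe6yn49 --discovery-token-ca-cert-hash sha256:225727afa50dabc8d80dd8a5f85d3b799bb7e6a64abedd14f3a8af1978fad854'
validate_join_command "$sample" && echo "join command looks sane"

# Token hygiene on the control plane (not run here):
#   kubeadm token create --ttl 1h --print-join-command   # short-lived token
#   kubeadm token delete <token>                         # once the nodes have joined
```

On the control plane, `ca_cert_hash /etc/kubernetes/pki/ca.crt` must print the value after `sha256:` in the join command; if it does not, the command was generated for a different cluster or tampered with, and the worker should not run it.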

6. Deploy the container network (CNI)

6.1 Calico

https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#pod-network

Note: deploy only one CNI plugin; Calico is the one recommended here.

Calico is a pure layer-3 data center networking solution with broad platform support, including Kubernetes and OpenStack.

On every compute node Calico uses the Linux kernel as an efficient virtual router (vRouter) for packet forwarding, and each vRouter advertises the routes of the workloads running on it to the rest of the Calico network over BGP.

Calico also implements the Kubernetes NetworkPolicy API, which provides ACL-style filtering between pods.

https://docs.projectcalico.org/getting-started/kubernetes/quickstart

curl https://raw.githubusercontent.com/projectcalico/calico/v3.29.0/manifests/calico.yaml -O

After downloading, edit the pod network definition in the manifest (the CALICO_IPV4POOL_CIDR environment variable, commented out by default) so that it matches the --pod-network-cidr given to kubeadm init (10.244.0.0/16 above).

Then apply the manifest and wait until the calico pods are Running; the node then turns Ready:

kubectl apply -f calico.yaml
kubectl get pods -n kube-system
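The CIDR edit above is easy to get wrong by hand (the entry must be uncommented and re-indented, not just given a new value), and a pool that does not match kubeadm's podSubnet yields pods with unroutable addresses. The following is an added example, not code from the page or from the Calico project: it patches the CALICO_IPV4POOL_CIDR entry in a manifest to the cluster's pod CIDR and checks that the active (uncommented) value matches. The five-line excerpt it runs on is constructed to mirror the commented-out block in calico.yaml; on a real node point the functions at the file downloaded with curl.

```shell
#!/bin/sh
# Added example (not part of the original page or of the Calico project):
# set CALICO_IPV4POOL_CIDR in calico.yaml to the pod CIDR given to kubeadm init,
# then verify the active value. The excerpt below is a constructed stand-in for
# the commented-out block in the downloaded manifest.

POD_CIDR="10.244.0.0/16"   # must equal --pod-network-cidr from kubeadm init

# Uncomment the CALICO_IPV4POOL_CIDR env entry in file $2 and set it to $1,
# keeping the manifest's indentation (value sits two columns inside "- name").
set_calico_pool_cidr() {
    cidr="$1"; manifest="$2"
    sed -e 's|^\( *\)# - name: CALICO_IPV4POOL_CIDR|\1- name: CALICO_IPV4POOL_CIDR|' \
        -e "s|^\( *\)#   value: \"192.168.0.0/16\"|\1  value: \"$cidr\"|" \
        "$manifest" > "$manifest.tmp" && mv "$manifest.tmp" "$manifest"
}

# Return 0 when the uncommented CALICO_IPV4POOL_CIDR entry in $2 has value $1.
calico_pool_cidr_matches() {
    cidr="$1"; manifest="$2"
    awk -v want="$cidr" '
        /^ *- name: CALICO_IPV4POOL_CIDR/ { found = 1; next }
        found { if (index($0, "value: \"" want "\"")) ok = 1; found = 0 }
        END { exit ok ? 0 : 1 }' "$manifest"
}

# Demo on a constructed excerpt of calico.yaml.
work=$(mktemp -d)
cat > "$work/calico-excerpt.yaml" <<'EOF'
            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
            # chosen from this range. Changing this value after installation will have
            # no effect. This should fall within `--cluster-cidr`.
            # - name: CALICO_IPV4POOL_CIDR
            #   value: "192.168.0.0/16"
EOF
set_calico_pool_cidr "$POD_CIDR" "$work/calico-excerpt.yaml"
calico_pool_cidr_matches "$POD_CIDR" "$work/calico-excerpt.yaml" && echo "pool CIDR set to $POD_CIDR"
cat "$work/calico-excerpt.yaml"
```

Before applying, the expected value can be read back from the cluster itself with `kubectl -n kube-system get cm kubeadm-config -o yaml | grep podSubnet`; `set_calico_pool_cidr "$POD_CIDR" calico.yaml && calico_pool_cidr_matches "$POD_CIDR" calico.yaml && kubectl apply -f calico.yaml` then refuses to apply a manifest whose pool still disagrees.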

7. Deploy the Dashboard

7.1 Web UI for the Calico-based cluster

$ wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml

By default the Dashboard is reachable only from inside the cluster. Change its Service to type NodePort to expose it externally:

$ vi recommended.yaml
...
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort
...
kubectl apply -f recommended.yaml
kubectl get pods -n kubernetes-dashboard
NAME                                         READY   STATUS    RESTARTS   AGE
dashboard-metrics-scraper-6b4884c9d5-gl8nr   1/1     Running   0          13m
kubernetes-dashboard-7f99b75bf4-89cds        1/1     Running   0          13m

Access: https://NodeIP:30001 (a NodePort is reachable from every host that can reach the node, so restrict it at the firewall; the Dashboard serves a self-signed certificate, hence the browser warning).

Create a service account and bind it to the built-in cluster-admin ClusterRole:

# Create the account
kubectl create serviceaccount dashboard-admin -n kube-system
# Grant it cluster-admin
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
# Request a token for it. Kubernetes 1.24+ no longer creates a token Secret for a service account automatically,
# so the older "kubectl describe secrets $(kubectl get secret | awk '/dashboard-admin/...)" lookup finds nothing on 1.28.
kubectl -n kube-system create token dashboard-admin

Log in to the Dashboard with the printed token. Whoever holds this token has full control of the cluster; for routine use bind a narrower role (for example the built-in view ClusterRole) and request tokens with a short --duration.
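A Dashboard account bound to cluster-admin turns a leaked browser token into full cluster takeover. The following is an added example, not code from the page or from the Dashboard project: it renders a read-only alternative (a ServiceAccount bound to the built-in view ClusterRole), produces the time-limited token request that works on Kubernetes 1.24+, and flags a manifest that still binds cluster-admin. The account name dashboard-viewer and the 1h token lifetime are assumptions; the kubernetes-dashboard namespace is the one recommended.yaml creates.

```shell
#!/bin/sh
# Added example (not from the original page): log in to the Dashboard with a
# read-only account instead of a cluster-admin binding, and request its token
# with "kubectl create token", which is what works on Kubernetes 1.24+ (no
# token Secret is auto-created there for the describe-secrets lookup to find).
# The account name dashboard-viewer and the 1h token lifetime are assumptions;
# the kubernetes-dashboard namespace comes from recommended.yaml.

# Render a ServiceAccount plus a ClusterRoleBinding to ROLE (default: the
# built-in "view" ClusterRole, read-only across all namespaces).
render_dashboard_rbac() {
    name="$1"; ns="$2"; role="${3:-view}"
    cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $name
  namespace: $ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $role
subjects:
- kind: ServiceAccount
  name: $name
  namespace: $ns
EOF
}

# The token request: a bound, time-limited token rather than a long-lived Secret.
dashboard_token_command() {
    name="$1"; ns="$2"; ttl="${3:-1h}"
    echo "kubectl -n $ns create token $name --duration=$ttl"
}

# Return 0 if a rendered manifest binds the account to cluster-admin.
rbac_is_cluster_admin() {
    printf '%s\n' "$1" | grep -q '^  name: cluster-admin$'
}

# Demo: print the read-only manifest and the matching token command.
render_dashboard_rbac dashboard-viewer kubernetes-dashboard
dashboard_token_command dashboard-viewer kubernetes-dashboard
```

Apply it with `render_dashboard_rbac dashboard-viewer kubernetes-dashboard | kubectl apply -f -`, then run the printed `kubectl create token` line and paste its output into the login form; the token stops working after an hour instead of living for the lifetime of a Secret. Keep the cluster-admin account from section 7.1 for break-glass use only, if at all.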