这篇文章主要介绍“kubernetes环境的搭建步骤”,在日常操作中,相信很多人在kubernetes环境的搭建步骤问题上存在疑惑,小编查阅了各式资料,整理出简单好用的操作方法,希望对大家解答”kubernetes环境的搭建步骤”的疑惑有所帮助!接下来,请跟着小编一起来学习吧!
部署集群没有特殊说明均使用 root 用户执行命令
IP | HOSTNAME | MEM | DISK | EXPLAIN |
---|---|---|---|---|
192.168.1.61 | k8s-master | 8G | 40G | k8s 控制平台节点 |
192.168.1.154 | k8s-node1 | 16G | 40G | k8s 工作节点1 |
192.168.1.62 | k8s-node2 | 16G | 40G | k8s 工作节点2 |
192.168.1.207 | k8s-node3 | 16G | 40G | k8s 工作节点3 |
SoftWare | Version |
---|---|
CentOS | CentOS Linux release 8.2.2004 (Core) |
Kubernetes | v1.20.1 |
Docker | v20.10.1 |
Purpose | Commands |
---|---|
保证集群各节点互通 | ping -c <ip> |
保证MAC地址唯一 | ip link 或者 ifconfig -a |
保证集群内主机名唯一 | 查询 hostnamectl status , 或者 hostnamectl set-hostname <hostnaem> |
保证系统产品UUID唯一 | dmidecode -s system-uuid 或者 sudo cat /sys/class/dmi/id/product_uuid |
# 修改MAC地址参考命令如下: # 1、关闭网卡 ifconfig eth0 down # 2、修改mac ifconfig eth0 hw ether 00:E0:18:EE:ED # 3、开启网卡 ifconfig eth0 up
⚠如果 product_uuid 不唯一,请考虑重装 CentOS 系统!!
k8s-master 节点端口检查:
协议 | 方向 | 端口范围 | 作用 | 使用者 |
---|---|---|---|---|
TCP | 入站 | 6443* | Kubernetes API 服务器 | 所有组件 |
TCP | 入站 | 2379-2380 | etcd server client API | kube-apiserver,etcd |
TCP | 入站 | 10250 | Kubelet API | Kubelet 自身、控制平面组件 |
TCP | 入站 | 10251 | Kube-scheduler | kube-scheduler 组件 |
TCP | 入站 | 10252 | kube-controller-manager | kube-controller-manager 组件 |
k8s-node* 节点端口检查:
协议 | 方向 | 端口范围 | 作用 | 使用者 |
---|---|---|---|---|
TCP | 入站 | 10250 | Kubelet-API | kubelet 组件、控制平面组件 |
TCP | 入站 | 30000-32767 | NodePort服务*** | 所有组件 |
如果你对主机的防火墙配置不是很自信,则可以关掉防火墙:
systemctl disable --now firewalld 或者清除 iptables 规则(iptables -F)【慎用】
分别在各节点配置 hosts 映射:
cat >> /etc/hosts <<EOF 192.168.1.61 k8s-master 192.168.1.154 k8s-node1 192.168.1.62 k8s-node2 192.168.1.207 k8s-node3 EOF
K8s-master 生成 ssh 密钥,分发公钥到各节点:
# 生成 ssh 密钥,直接一路回车 ssh-keygen -t rsa # 复制刚刚生成的密钥到各节点可信列表中,需分别输入各主机密码 ssh-copy-id root@k8s-master ssh-copy-id root@k8s-node1 ssh-copy-id root@k8s-node2 ssh-copy-id root@k8s-node3
swap 仅当内存不够时会使用硬盘块充当额外内存,硬盘的IO较内存差距极大,禁用swap以提供性能,各节点均需执行:
swapoff -a sed -i 's/.*swap.*/#&/' /etc/fstab
关闭SELinux,否则kubelet 挂载目录时可能报错 Permission denied
,可以设置为permissive
或disabled
,permissive
会提示warn信息 ,各节点均需执行:
setenforce 0 sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
timedatectl set-timezone Asia/Shanghai systemctl enable --now chronyd # 查看同步状态, 输出 [root@ecs-2aae ~]# timedatectl status Local time: Sun 2020-12-27 21:59:02 CST Universal time: Sun 2020-12-27 13:59:02 UTC RTC time: Sun 2020-12-27 13:58:31 Time zone: Asia/Shanghai (CST, +0800) System clock synchronized: yes NTP service: active RTC in local TZ: no [root@ecs-2aae ~]# ## # systemctl clok synchronronize: yes 表示时钟已同步 # NTP service: active 表示开启了时钟同步服务 ############################################################# # 将当前的 UTC 时间写入硬件时钟 timedatectl set-local-rtc 0 # 重启依赖于系统时间的服务器 systemctl restart rsyslog && systemctl restart crond
所有节点均需安装部署 docker, 可参见《CentOS8 安装docker》
无特殊说明,各节点均需执行如下步骤
cat <<EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=0 repo_gpgcheck=0 EOF
各节点均需安装 kubeadm、kubelet,kubectl仅 k8s-master 节点续约安装(作为 worker 节点, kubectl 无法使用, 可以不装)
yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes systemctl enable --now kubelet
#安装bash自动补全插件 yum install bash-completion -y #设置kubectl与kubeadm命令补全,下次login生效 kubectl completion bash > /etc/bash_completion.d/kubectl kubeadm completion bash > /etc/bash_completion.d/kubeadm
由于国内网络因素,kubernetes镜像需要从mirrors站点或通过dockerhub用户推送的镜像拉取:
#查看指定k8s版本需要哪些镜像 [root@ecs-2aae ~]# kubeadm config images list k8s.gcr.io/kube-apiserver:v1.20.1 k8s.gcr.io/kube-controller-manager:v1.20.1 k8s.gcr.io/kube-scheduler:v1.20.1 k8s.gcr.io/kube-proxy:v1.20.1 k8s.gcr.io/pause:3.2 k8s.gcr.io/etcd:3.4.13-0 k8s.gcr.io/coredns:1.7.0 [root@ecs-2aae ~]#
在 /opt/soft/kuberetes
目录下,新建脚本pull-k8s-images.sh
,内容如下:
#!/bin/bash # Script For Quick Pull K8S Docker Images # by WUXH <wuxiaohui1026@163.com> KUBE_VERSION=v1.20.1 PAUSE_VERSION=3.2 CORE_DNS_VERSION=1.7.0 ETCD_VERSION=3.4.13-0 # pull kubernetes images from hub.docker.com docker pull kubeimage/kube-proxy:$KUBE_VERSION docker pull kubeimage/kube-controller-manager:$KUBE_VERSION docker pull kubeimage/kube-apiserver:$KUBE_VERSION docker pull kubeimage/kube-scheduler:$KUBE_VERSION # pull aliyuncs mirror docker images docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:$PAUSE_VERSION docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:$CORE_DNS_VERSION docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:$ETCD_VERSION # retag to k8s.gcr.io prefix docker tag kubeimage/kube-proxy:$KUBE_VERSION k8s.gcr.io/kube-proxy:$KUBE_VERSION docker tag kubeimage/kube-controller-manager:$KUBE_VERSION k8s.gcr.io/kube-controller-manager:$KUBE_VERSION docker tag kubeimage/kube-apiserver:$KUBE_VERSION k8s.gcr.io/kube-apiserver:$KUBE_VERSION docker tag kubeimage/kube-scheduler:$KUBE_VERSION k8s.gcr.io/kube-scheduler:$KUBE_VERSION docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/pause:$PAUSE_VERSION k8s.gcr.io/pause:$PAUSE_VERSION docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:$CORE_DNS_VERSION k8s.gcr.io/coredns:$CORE_DNS_VERSION docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:$ETCD_VERSION k8s.gcr.io/etcd:$ETCD_VERSION # untag origin tag, the images won't be delete. docker rmi kubeimage/kube-proxy:$KUBE_VERSION docker rmi kubeimage/kube-controller-manager:$KUBE_VERSION docker rmi kubeimage/kube-apiserver:$KUBE_VERSION docker rmi kubeimage/kube-scheduler:$KUBE_VERSION docker rmi registry.cn-hangzhou.aliyuncs.com/google_containers/pause:$PAUSE_VERSION docker rmi registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:$CORE_DNS_VERSION docker rmi registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:$ETCD_VERSION
脚本添加可执行权限,执行脚本拉取镜像:
chmod +x pull-k8s-images.sh ./opt/soft/kuberetes/pull-k8s-images.sh
拉取完成,执行 docker images
查看镜像:
kubeadm init --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.20.1 --pod-network-cidr 10.244.0.0/16
输出如下:
[root@ecs-2aae ~]# kubeadm init --image-repository=registry.aliyuncs.com/google_containers --pod-network-cidr=10.244.0.0/16 --kubernetes-version=v1.20.1 [init] Using Kubernetes version: v1.20.1 [preflight] Running pre-flight checks [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/ [WARNING FileExisting-tc]: tc not found in system path [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 20.10.1. Latest validated version: 19.03 [preflight] Pulling images required for setting up a Kubernetes cluster [preflight] This might take a minute or two, depending on the speed of your internet connection [preflight] You can also perform this action in beforehand using 'kubeadm config images pull' [certs] Using certificateDir folder "/etc/kubernetes/pki" [certs] Generating "ca" certificate and key [certs] Generating "apiserver" certificate and key [certs] apiserver serving cert is signed for DNS names [ecs-2aae kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.1.61] [certs] Generating "apiserver-kubelet-client" certificate and key [certs] Generating "front-proxy-ca" certificate and key [certs] Generating "front-proxy-client" certificate and key [certs] Generating "etcd/ca" certificate and key [certs] Generating "etcd/server" certificate and key [certs] etcd/server serving cert is signed for DNS names [ecs-2aae localhost] and IPs [192.168.1.61 127.0.0.1 ::1] [certs] Generating "etcd/peer" certificate and key [certs] etcd/peer serving cert is signed for DNS names [ecs-2aae localhost] and IPs [192.168.1.61 127.0.0.1 ::1] [certs] Generating "etcd/healthcheck-client" certificate and key [certs] Generating "apiserver-etcd-client" certificate and key [certs] Generating "sa" key and public key [kubeconfig] Using kubeconfig folder "/etc/kubernetes" [kubeconfig] Writing "admin.conf" kubeconfig file [kubeconfig] Writing "kubelet.conf" kubeconfig file [kubeconfig] Writing "controller-manager.conf" kubeconfig file [kubeconfig] Writing "scheduler.conf" kubeconfig file [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env" [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" [kubelet-start] Starting the kubelet [control-plane] Using manifest folder "/etc/kubernetes/manifests" [control-plane] Creating static Pod manifest for "kube-apiserver" [control-plane] Creating static Pod manifest for "kube-controller-manager" [control-plane] Creating static Pod manifest for "kube-scheduler" [etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests" [wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s [apiclient] All control plane components are healthy after 7.501971 seconds [upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace [kubelet] Creating a ConfigMap "kubelet-config-1.20" in namespace kube-system with the configuration for the kubelets in the cluster [upload-certs] Skipping phase. Please see --upload-certs [mark-control-plane] Marking the node ecs-2aae as control-plane by adding the labels "node-role.kubernetes.io/master=''" and "node-role.kubernetes.io/control-plane='' (deprecated)" [mark-control-plane] Marking the node ecs-2aae as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule] [bootstrap-token] Using token: xksx1a.t09ok8h7w6ixnyva [bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to get nodes [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials [bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token [bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster [bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace [kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key [addons] Applied essential addon: CoreDNS [addons] Applied essential addon: kube-proxy Your Kubernetes control-plane has initialized successfully! To start using your cluster, you need to run the following as a regular user: mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config Alternatively, if you are the root user, you can run: export KUBECONFIG=/etc/kubernetes/admin.conf You should now deploy a pod network to the cluster. Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at: https://kubernetes.io/docs/concepts/cluster-administration/addons/ Then you can join any number of worker nodes by running the following on each as root: kubeadm join 192.168.1.61:6443 --token 379rcy.4k2gsoggyjxzo4u9 \ --discovery-token-ca-cert-hash sha256:a8f563cd1c742fa64eef6db0420401ecb57556281199989449f872da9f50609f [root@ecs-2aae ~]#
可能故障
故障1:k8s node节点加入集群报错[WARNING IsDockerSystemdCheck]: detected “cgroupfs“ as the Docker cgroup driver. # 解决 cat <<EOF> /etc/docker/daemon.json { "exec-opts": ["native.cgroupdriver=systemd"] } EOF #重启docker systemctl restart docker
为日常使用集群的用户添加kubectl使用权限,配置master认证
[root@ecs-2aae ~]# mkdir -p ~/.kube [root@ecs-2aae ~]# cp -i /etc/kubernetes/admin.conf ~/.kube/admin.conf [root@ecs-2aae ~]# chown $(id -u):$(id -g) ~/.kube/admin.conf [root@ecs-2aae ~]# echo 'export KUBECONFIG=/etc/kubernetes/admin.conf' >> /etc/profile [root@ecs-2aae ~]# . /etc/profile
安装网络组件,以flannel为例
[root@k8s-master ~]# kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml podsecuritypolicy.policy/psp.flannel.unprivileged created clusterrole.rbac.authorization.k8s.io/flannel created clusterrolebinding.rbac.authorization.k8s.io/flannel created serviceaccount/flannel created configmap/kube-flannel-cfg created daemonset.apps/kube-flannel-ds created [root@k8s-master ~]#
这句话其实就是Master节点执行kubeadm init
成功之后输出的最后一句话,我们拿到Node节点中直接执行即可
kubeadm join 192.168.1.61:6443 --token 379rcy.4k2gsoggyjxzo4u9 \ --discovery-token-ca-cert-hash sha256:a8f563cd1c742fa64eef6db0420401ecb57556281199989449f872da9f50609f
输出:
[root@k8s-node1 ~]# kubeadm join 192.168.1.61:6443 --token 379rcy.4k2gsoggyjxzo4u9 --discovery-token-ca-cert-hash sha256:a8f563cd1c742fa64eef6db0420401ecb57556281199989449f872da9f50609f [preflight] Running pre-flight checks [WARNING FileExisting-tc]: tc not found in system path [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 20.10.1. Latest validated version: 19.03 [preflight] Reading configuration from the cluster... [preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env" [kubelet-start] Starting the kubelet [kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap... This node has joined the cluster: ### 节点加入成功啦 * Certificate signing request was sent to apiserver and a response was received. * The Kubelet was informed of the new secure connection details. Run 'kubectl get nodes' on the control-plane to see this node join the cluster. [root@k8s-node1 ~]#
[root@k8s-master ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION k8s-master Ready control-plane,master 67m v1.20.1 k8s-node1 Ready <none> 40m v1.20.1 k8s-node2 Ready <none> 32m v1.20.1 k8s-node3 Ready <none> 30m v1.20.1 [root@k8s-master ~]#
⚠: 如果节点是 NoReady 状态,可以稍微等一会儿,集群节点会自动拉起 flannel 镜像,由于网络可能稍慢!!
到此,关于“kubernetes环境的搭建步骤”的学习就结束了,希望能够解决大家的疑惑。理论与实践的搭配能更好的帮助大家学习,快去试试吧!若想继续学习更多相关知识,请继续关注亿速云网站,小编会继续努力为大家带来更多实用的文章!
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。