kubernetes v1.13.1集群

基础环境配置

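# Turn swap off for the running system; kubelet by default refuses to start on
# a node that still has swap enabled.
swapoff -a
# Keep swap off after a reboot. The swap entries are commented out instead of
# deleting every line that merely contains the word "swap", and the previous
# file is kept as /etc/fstab.bak so the change can be reverted.
sed -i.bak -E '/^[^#].*[[:space:]]swap[[:space:]]/ s/^/#/' /etc/fstab
# NOTE(review): with firewalld stopped and disabled the node has no host
# firewall, so every listening service (API server, kubelet, etcd, ...) is
# reachable from any network the host is attached to. Acceptable on an isolated
# lab network; elsewhere keep a host firewall and open only the ports the
# cluster components need.
systemctl stop firewalld
systemctl disable firewalld
# NOTE(review): SELinux is switched off for the running system and, through the
# config file, for every later boot. That removes mandatory access control
# between containers and the host. SELINUX=permissive is a less drastic choice
# (denials are still logged, no relabel needed to re-enable) -- confirm which
# mode the target environment requires.
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
# Set the default policy of the FORWARD chain to ACCEPT so forwarded pod
# traffic is not dropped. This is a runtime change only and is not saved here.
iptables -P FORWARD ACCEPT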

添加docker源和安装docker

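# yum-utils provides yum-config-manager, which the next command uses.
yum install -y yum-utils
# Register the Docker CE repository definition served by the DaoCloud mirror.
# NOTE(review): the downloaded .repo file decides which GPG key yum trusts for
# these packages; its gpgcheck/gpgkey lines are not shown on this page, so read
# /etc/yum.repos.d/docker-ce.repo before installing from it.
yum-config-manager --add-repo https://download.daocloud.io/docker/linux/centos/docker-ce.repo
# Install the pinned 18.06.1 build with yum's obsoletes processing turned off
# for this transaction. The pattern is quoted so that yum receives it literally
# and matches it against package names; unquoted, the shell would expand it
# first whenever a matching file name exists in the current directory.
yum install -y --setopt=obsoletes=0 'docker-ce-18.06.1.ce*'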

添加kubernetes源和安装kubeadm,kubelet,kubectl,ipvsadm

# Write the yum repository definition for the Kubernetes packages (Aliyun
# mirror). Package signatures (gpgcheck) and repository metadata signatures
# (repo_gpgcheck) are both verified against the two keys listed in gpgkey.
# NOTE(review): the keys are downloaded from the same mirror as the packages,
# so the check only helps if those key files are genuine -- compare their
# fingerprints with the ones published upstream before trusting them.
# The delimiter is quoted because the body holds nothing for the shell to expand.
cat > /etc/yum.repos.d/kubernetes.repo <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
# NOTE(review): no versions are given, so yum installs whatever kubelet,
# kubeadm and kubectl builds are newest in the repository at that moment, which
# need not be the v1.13.1 named in the page title -- pin the versions if the
# install has to be reproducible.
yum install -y kubelet kubeadm kubectl ipvsadm

修改内核参数

# Persist the kernel settings used by the cluster: traffic crossing a Linux
# bridge is passed through iptables/ip6tables, and vm.swappiness is set to 0.
# Writing the file changes nothing by itself; the values are applied when
# sysctl loads it (the `sysctl --system` call further down the page).
# The delimiter is quoted because the body holds nothing for the shell to expand.
cat > /etc/sysctl.d/k8s.conf <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0
EOF

加载内核模块

# List the kernel modules to load at every boot: the IPVS core with three of
# its schedulers, IPv4 connection tracking, and br_netfilter.
# Files in /etc/modules-load.d are read at boot; the running kernel is not
# touched by this step.
# The delimiter is quoted because the body holds nothing for the shell to expand.
cat > /etc/modules-load.d/k8s.module.conf <<'EOF'
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack_ipv4
br_netfilter
EOF

# Load the same six modules into the running kernel now, one modprobe call per
# module; a failure on one module does not stop the remaining ones.
for kmod in ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack_ipv4 br_netfilter; do
  modprobe "$kmod"
done

# Apply every sysctl configuration file on the system, then load k8s.conf once
# more by itself so that its values are printed on their own.
sysctl --system
sysctl -p /etc/sysctl.d/k8s.conf

配置国内加速镜像,私有仓库

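# Append a registry mirror to dockerd's command line in the packaged unit file,
# then reload systemd and enable, start and show the docker service.
# Two fixes over a bare `s@ExecStart.*@...@`:
#   - the pattern is anchored to the ExecStart= line, so ExecStartPre= or
#     ExecStartPost= lines can never receive the dockerd flag;
#   - the edit is skipped when a --registry-mirror flag is already present, so
#     running the step twice does not append the flag a second time.
# NOTE(review): the mirror is addressed over plain http://, so image data pulled
# through it is neither encrypted nor authenticated in transit. Use an https://
# endpoint if the mirror provider offers one -- confirm with the provider.
# NOTE(review): files under /usr/lib/systemd/system belong to the package and
# may be replaced on upgrade, which would silently drop this flag.
docker_unit=/usr/lib/systemd/system/docker.service
if ! grep -q -- '--registry-mirror=' "$docker_unit"; then
  sed -i 's@^ExecStart=.*@& --registry-mirror=http://3272dd08.m.daocloud.io@' "$docker_unit"
fi
systemctl daemon-reload
systemctl enable docker
systemctl start docker
systemctl status docker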

配置kubelet

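# Make kubelet use the same cgroup driver as Docker and point it at the pause
# image to use for pod sandboxes.
# The driver is requested from the daemon as a single field instead of being
# cut out of the human-readable `docker info` text, whose indentation and
# "Cgroup ..." lines differ between Docker releases.
DOCKER_CGROUPS=$(docker info --format '{{.CgroupDriver}}')
printf '%s\n' "$DOCKER_CGROUPS"
if [ -n "$DOCKER_CGROUPS" ]; then
  # Unquoted delimiter on purpose: $DOCKER_CGROUPS has to be expanded into the file.
  # NOTE(review): the pause image comes from an Aliyun-hosted copy and is
  # referenced by tag, not by digest -- verify it matches the upstream image if
  # image provenance matters in the target environment.
  cat > /etc/sysconfig/kubelet <<EOF
KUBELET_EXTRA_ARGS="--cgroup-driver=$DOCKER_CGROUPS --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.1"
EOF
  systemctl daemon-reload
  systemctl enable kubelet && systemctl restart kubelet
else
  # An empty value would write "--cgroup-driver=" and leave kubelet with a
  # broken command line, so nothing is written or restarted in that case.
  echo 'docker info returned no cgroup driver; /etc/sysconfig/kubelet left unchanged' >&2
fi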

配置kubeadm

# kubeadm cluster configuration. The migrate command further down the page
# reads this file under the name kubeadm-config.yaml.
apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
# NOTE(review): "stable" is a moving label, not the v1.13.1 named in the page
# title -- confirm the intended release and pin it for a reproducible install.
kubernetesVersion: stable
# Control-plane images are pulled from this Aliyun-hosted repository.
# NOTE(review): this makes the mirror part of the cluster's trust base; verify
# image provenance if that matters in the target environment.
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
 
apiServer:
  # Extra host names and addresses to include in the API server serving
  # certificate. The 192.168.xxx.* entries are redacted placeholders and must
  # be replaced with the real master addresses and the virtual IP.
  certSANs:
  - "master01"
  - "master02"
  - "master03"
  - "192.168.xxx.xxa"
  - "192.168.xxx.xxb"
  - "192.168.xxx.xxc"
  - "192.168.xxx.vip"
  - "127.0.0.1"
 
# NOTE(review): a concrete address is used here while certSANs and the join
# command use the placeholder 192.168.xxx.vip -- presumably the same virtual IP;
# confirm, because an endpoint address missing from certSANs fails TLS
# verification on the client side.
controlPlaneEndpoint: 192.168.1.200:6443
 
etcd:
  # etcd runs outside kubeadm's control and is reached over HTTPS with a client
  # certificate.
  external:
    endpoints:
    - https://192.168.xxx.xxa:2379
    - https://192.168.xxx.xxb:2379
    - https://192.168.xxx.xxc:2379
    # CA used to verify the etcd servers, then the client certificate and its
    # private key.
    # NOTE(review): etcd-key.pem grants access to all cluster state; file
    # permissions are not shown on this page -- keep it readable by root only.
    caFile: /etc/etcd/certs/ca.pem
    certFile: /etc/etcd/certs/etcd.pem
    keyFile: /etc/etcd/certs/etcd-key.pem
networking:
  # Address range handed out to pods; presumably chosen to match the flannel
  # manifest applied at the end of the page -- verify against that manifest.
  podSubnet: 10.244.0.0/16

转化为新的配置文件

# Read kubeadm-config.yaml (the configuration listed above) and write it out as
# new.yaml in the configuration format of the installed kubeadm.
kubeadm config migrate  --old-config kubeadm-config.yaml --new-config new.yaml

拉取镜像

# Download the control-plane images ahead of time, using the settings in
# new.yaml (including its imageRepository).
kubeadm config images pull --config new.yaml

初始化

# Bootstrap the first control-plane node from new.yaml.
# NOTE(review): the output ends with a `kubeadm join` line that contains a
# bootstrap token; handle that line as a credential and keep it out of logs,
# tickets and public pages.
kubeadm init --config new.yaml

其他节点加入控制面

# Join a further master to the control plane through the virtual IP.
# --token is a bootstrap token; --discovery-token-ca-cert-hash pins the cluster
# CA public key that the joining node will accept. Both values below were issued
# by the author's cluster and only illustrate the format.
# NOTE(review): a bootstrap token is a credential that authorises a node to
# join. Use the values printed by your own `kubeadm init` (or by
# `kubeadm token create --print-join-command`), keep the token lifetime short,
# and do not publish it.
# NOTE(review): presumably the shared CA and service-account key material under
# /etc/kubernetes/pki and the etcd client certificates must already be present
# on this node for --experimental-control-plane; that copy step is not shown on
# this page -- confirm, and transfer the keys over a secure channel.
kubeadm join 192.168.xxx.vip:6443 --token 3lrpta.i6nyygp4fdyhdza3 --discovery-token-ca-cert-hash sha256:74151ca281c1034a7bcc45176d6f139b0e9d33a8929186e36d8a387d658c153c  --experimental-control-plane

kubeconfig中的client-certificate-data字段值是证书的base64编码后的文本,将文本解码还原为证书格式

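# Decode the client certificate and private key that admin.conf stores as
# base64 text, writing them as /root/client.crt and /root/client.key.
# The work runs in a subshell under umask 077 so that newly created files are
# readable by root only: client.key is the private key of the cluster
# administrator credential. The umask change does not leak into the caller.
(
  umask 077
  awk -F ': ' '/client-certificate-data/ {print $2}' /etc/kubernetes/admin.conf | base64 -d > /root/client.crt
  awk -F ': ' '/client-key-data/ {print $2}' /etc/kubernetes/admin.conf | base64 -d > /root/client.key
)
# A file that already existed keeps its old mode when it is overwritten, so the
# key's mode is also set explicitly.
chmod 600 /root/client.key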

# Print the SHA-256 digest of the cluster CA's public key: extract the key from
# ca.crt, convert it to DER, hash it, and keep only the hex digest. This is the
# hex value that follows "sha256:" in --discovery-token-ca-cert-hash.
# The second stage's stderr is discarded to hide openssl's status message.
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt \
  | openssl rsa -pubin -outform der 2>/dev/null \
  | openssl dgst -sha256 -hex \
  | awk '{print $NF}'

安装pod网络

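# Install the flannel pod network.
# The manifest is saved to a local file first and applied only if the download
# succeeded, so the exact content that went into the cluster can be read
# beforehand and kept afterwards.
# NOTE(review): the URL follows the `master` branch, whose content can change at
# any time, and the manifest creates cluster-wide objects that run on every
# node. Read kube-flannel.yml before applying it, and prefer a release tag or
# commit you have reviewed in place of `master`.
curl -fsSL -o kube-flannel.yml https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml &&
  kubectl apply -f kube-flannel.yml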

  
