Installing a Kubernetes cluster with sealos
1. Pre-installation preparation
1.1 Host planning
The roles below follow the `sealos init` command in section 2.1, which passes the first three hosts as masters and the fourth as a worker node.
IP | OS | Role | Hostname |
---|---|---|---|
192.168.80.7 | CentOS 7.6 | master | k8s-master-1 |
192.168.80.17 | CentOS 7.6 | master | k8s-master-2 |
192.168.80.27 | CentOS 7.6 | master | k8s-master-3 |
192.168.80.37 | CentOS 7.6 | node | k8s-node-1 |
1.2 Set the hostnames
Set each host's hostname according to the host plan (run hostnamectl on every host with that host's own name), and add name resolution for all four hosts to /etc/hosts on every host.
# set the hostname (shown for the first master; use the planned name on each host)
hostnamectl set-hostname k8s-master-1
# edit /etc/hosts and add the following entries
vim /etc/hosts
192.168.80.7 k8s-master-1
192.168.80.17 k8s-master-2
192.168.80.27 k8s-master-3
192.168.80.37 k8s-node-1
1.3 Disable the firewall
Disabling firewalld exposes every listening port on the node to its network. That is acceptable on an isolated lab network like the one in the host plan; on anything shared, keep firewalld and open only the ports the control plane, kubelet and CNI need.
# stop
systemctl stop firewalld.service
# disable
systemctl disable firewalld.service
1.4 Disable SELinux
setenforce 0 takes effect immediately but only until the next reboot; the sed edit makes the change persistent (/etc/sysconfig/selinux is a symlink to /etc/selinux/config).
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/sysconfig/selinux
1.5 Disable swap
swapoff -a only disables swap on the running system. Also comment out the swap entry in /etc/fstab, otherwise swap is re-enabled after a reboot and kubelet refuses to start.
swapoff -a
1.6 Set up time synchronisation
ntpdate performs a one-off synchronisation. Certificate validation and etcd depend on the nodes' clocks staying aligned, so also run a persistent NTP client (chronyd on CentOS 7).
# set the time zone
timedatectl set-timezone Asia/Shanghai
# synchronise the clock
yum install -y ntpdate
ntpdate time1.aliyun.com
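The following script is an added example and not part of the original article. It checks the results of steps 1.2 to 1.5 on a node before sealos is run: every planned host resolves in /etc/hosts, no swap entry is still active in /etc/fstab (and comments it out so swapoff -a survives a reboot), SELinux is disabled in its config file, and the hostname matches the plan. Every check takes the file it inspects as an argument, so the same functions can be exercised offline on the constructed sample files created by make_samples; the file paths in preflight and the name preflight.sh are assumptions.

```sh
#!/bin/sh
# Added example, not code from the article: preflight checks for steps 1.2 to 1.5.
# Each check takes the file it inspects as an argument, so the same functions run
# against the real /etc/hosts, /etc/fstab and /etc/selinux/config on a node and
# against the constructed sample files created by make_samples below.
set -eu

# Host plan from section 1.1, "<ip> <hostname>" per line.
HOST_PLAN='192.168.80.7 k8s-master-1
192.168.80.17 k8s-master-2
192.168.80.27 k8s-master-3
192.168.80.37 k8s-node-1'

# Print the plan entries that are not yet present in the hosts file $1.
missing_hosts_entries() {
  printf '%s\n' "$HOST_PLAN" | while read -r ip name; do
    [ -n "$ip" ] || continue
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    # the line's first field must be exactly the IP and the hostname a whole field
    grep -Eq "^[[:space:]]*${ip_re}([[:space:]]+[^[:space:]]+)*[[:space:]]+${name}([[:space:]]|$)" "$1" \
      || printf '%s %s\n' "$ip" "$name"
  done
}

# Number of active (uncommented) swap entries in the fstab file $1.
active_swap_lines() {
  awk '$1 !~ /^#/ && $3 == "swap" { n++ } END { print n + 0 }' "$1"
}

# Comment out swap entries in the fstab file $1 so `swapoff -a` survives a reboot.
disable_swap_in_fstab() {
  awk '$1 !~ /^#/ && $3 == "swap" { print "#" $0; next } { print }' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# SELINUX= mode configured in the file $1 (enforcing, permissive or disabled).
selinux_mode() {
  sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Run every check against the real system files; non-zero on the first problem.
# $1 is the hostname this node should have according to the plan.
preflight() {
  missing=$(missing_hosts_entries /etc/hosts)
  [ -z "$missing" ] || { printf 'missing /etc/hosts entries:\n%s\n' "$missing"; return 1; }
  [ "$(active_swap_lines /etc/fstab)" -eq 0 ] || { echo 'swap still listed in /etc/fstab'; return 1; }
  [ "$(selinux_mode /etc/selinux/config)" = disabled ] || { echo 'SELinux is not disabled'; return 1; }
  [ "$(hostname)" = "${1:?expected hostname}" ] || { echo "hostname is $(hostname), expected $1"; return 1; }
  echo 'preflight OK'
}

# Constructed sample files (not taken from a real node) for trying the checks offline:
# only the first master is in hosts, one swap partition is active, SELinux is enforcing.
make_samples() {
  dir=$(mktemp -d)
  printf '127.0.0.1 localhost\n192.168.80.7 k8s-master-1\n' > "$dir/hosts"
  printf '/dev/sda1 / xfs defaults 0 0\n/dev/sda2 swap swap defaults 0 0\n' > "$dir/fstab"
  printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$dir/selinux"
  printf '%s\n' "$dir"
}

# Usage on a node after finishing 1.2 to 1.5 (save as preflight.sh):  sh preflight.sh k8s-master-1
[ "${1:-}" = '' ] || preflight "$1"
```

Run it on every node with that node's planned hostname; a non-zero exit with its message tells you which of the four steps was skipped or did not persist.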
2. Deploying the k8s cluster
2.1 Installation with the calico network plugin (the default)
(1) Download and install sealos. sealos is a single Go binary: download it and copy it into a bin directory. It can also be downloaded from the release page. The latest version at the time of writing was v3.3.9; the current latest is v4.1.6, in which the way a cluster is installed has changed, so for v4 refer to the official documentation. The v3.3.9-rc.11 download URL is: https://github.com/labring/sealos/releases/download/v3.3.9-rc.11/sealos_3.3.9-rc.11_linux_amd64.tar.gz
The `latest` URL below is not pinned to a version; for an installation you can reproduce and review, prefer the versioned release archive above so that the binary you place in /usr/bin is the one you expect.
wget -c https://sealyun.oss-cn-beijing.aliyuncs.com/latest/sealos && chmod +x sealos && mv sealos /usr/bin
(2) Download the offline resource package (obtain it yourself)
# create a directory for the package
mkdir -pv /usr/local/soft/package
# download the package into that directory
kube1.18.14.tar.gz
(3) Install the cluster
sealos init --passwd '123456' \
--master 192.168.80.7 --master 192.168.80.17 --master 192.168.80.27 \
--node 192.168.80.37 \
--pkg-url /usr/local/soft/package/kube1.18.14.tar.gz \
--version v1.18.14
Passing the root password with --passwd puts it into the shell history and into `ps` output on the machine you run sealos from; for anything beyond a throwaway lab, use SSH key authentication with --pk instead (see the table below).
Parameter meanings
Parameter | Meaning | Example | Required |
---|---|---|---|
passwd | SSH password of the servers | 123456 | one of passwd / pk |
master | IP address(es) of the k8s master nodes | 192.168.0.2 | required |
node | IP address(es) of the k8s worker nodes | 192.168.80.37 | optional |
pkg-url | Offline resource package: a local path or a remote URL | /root/kube1.16.0.tar.gz | required |
version | Kubernetes version matching the resource package | v1.18.14 | required |
kubeadm-config | Custom kubeadm configuration file | kubeadm.yaml.temp | optional |
pk | SSH private key, for key-based login | /root/.ssh/id_rsa | one of passwd / pk |
pk-passwd | Passphrase of the SSH private key | empty by default | only if the key has a passphrase |
user | SSH user name | root | optional |
interface | Network interface name, used for CNI interface discovery | eth.* | optional |
network | CNI type, e.g. calico or flannel | calico | optional |
podcidr | Pod network CIDR | 100.64.0.0/10 | optional |
repo | Image registry; usually not needed with the offline package, unless you imported the images into your own private registry | k8s.gcr.io | optional |
svccidr | ClusterIP (service) CIDR | 10.96.0.0/12 | optional |
vlog | kubeadm log verbosity | 5 | optional |
cert-sans | Extra apiServerCertSANs for the Kubernetes API server certificate | sealyun.com | optional |
without-cni | Do not install a CNI plugin, so that you can install a different CNI yourself | calico CNI is installed by default | optional |
(4) Wait for the installation to finish, then confirm that every planned node is Ready and that the kube-system pods are running before putting workloads on the cluster.
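The following script is an added example and not code from the article or from sealos. It is the check a practitioner runs once `sealos init` returns: it parses `kubectl get nodes --no-headers` and `kubectl get pods -n kube-system --no-headers` and reports any planned node that is missing, not exactly Ready, or (for masters) not carrying the master role, and any kube-system pod that is not Running or Completed. The parsers read their input on stdin, so they are exercised here on constructed sample output (the pod names and ages are made up); only check_cluster needs a working kubectl on a master.

```sh
#!/bin/sh
# Added example, not code from the article: post-install verification for the
# cluster built in step (3). The parsers read `kubectl get ... --no-headers`
# output on stdin, so they run both against a live cluster (check_cluster) and
# against the constructed sample output at the bottom of this block.
set -eu

# Hostnames from the host plan in section 1.1.
MASTERS='k8s-master-1 k8s-master-2 k8s-master-3'
WORKERS='k8s-node-1'

# stdin: `kubectl get nodes --no-headers` (NAME STATUS ROLES AGE VERSION).
# Prints one line per problem: node missing, STATUS not exactly "Ready" (so a
# cordoned "Ready,SchedulingDisabled" is reported too), or a master without the
# master role in ROLES.
node_problems() {
  nodes=$(cat)
  for n in $MASTERS $WORKERS; do
    line=$(printf '%s\n' "$nodes" | awk -v n="$n" '$1 == n')
    [ -n "$line" ] || { printf '%s missing\n' "$n"; continue; }
    status=$(printf '%s\n' "$line" | awk '{ print $2 }')
    roles=$(printf '%s\n' "$line" | awk '{ print $3 }')
    [ "$status" = Ready ] || printf '%s %s\n' "$n" "$status"
    case " $MASTERS " in
      *" $n "*) case "$roles" in
                  *master*) ;;
                  *) printf '%s missing master role (%s)\n' "$n" "$roles" ;;
                esac ;;
    esac
  done
}

# stdin: `kubectl get pods -n kube-system --no-headers` (NAME READY STATUS RESTARTS AGE).
# Prints pods whose STATUS is neither Running nor Completed.
pod_problems() {
  awk '$3 != "Running" && $3 != "Completed" { print $1, $3 }'
}

# Query the live cluster; returns 1 and lists the problems if anything is wrong.
check_cluster() {
  problems=$( (kubectl get nodes --no-headers | node_problems;
               kubectl get pods -n kube-system --no-headers | pod_problems) )
  [ -z "$problems" ] || { printf '%s\n' "$problems"; return 1; }
  echo 'cluster OK'
}

# Constructed sample output (not captured from a real cluster): one master is
# NotReady, the worker has not joined, and one kube-system pod is crash-looping.
SAMPLE_NODES='k8s-master-1   Ready      master   12m   v1.18.14
k8s-master-2   Ready      master   11m   v1.18.14
k8s-master-3   NotReady   master   11m   v1.18.14'
SAMPLE_PODS='calico-node-7x2kd            0/1   CrashLoopBackOff   5   10m
coredns-66bff467f8-abcde     1/1   Running            0   12m
kube-apiserver-k8s-master-1  1/1   Running            0   12m'

# Usage on a master with a working kubectl:  sh check-cluster.sh live
[ "${1:-}" != live ] || check_cluster
```

On the sample input node_problems reports `k8s-master-3 NotReady` and `k8s-node-1 missing`, and pod_problems reports the crash-looping calico pod; the same two functions run unchanged against the live output.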
(5) Other commands
# add masters
sealos join --master 192.168.80.47 --master 192.168.80.57
sealos join --master 192.168.80.47-192.168.80.57 # or a range of consecutive IPs
# add worker nodes
sealos join --node 192.168.80.47 --node 192.168.80.57
sealos join --node 192.168.80.47-192.168.80.57 # or a range of consecutive IPs
# remove specific master nodes
sealos clean --master 192.168.80.47 --master 192.168.80.57
sealos clean --master 192.168.80.47-192.168.80.57 # or a range of consecutive IPs
# remove specific worker nodes
sealos clean --node 192.168.80.47 --node 192.168.80.57
sealos clean --node 192.168.80.47-192.168.80.57 # or a range of consecutive IPs
# tear down the whole cluster
sealos clean --all
# back up the cluster (etcd snapshot)
sealos etcd save
2.2 Installation without a network plugin
(1) Download and install sealos. sealos is a single Go binary: download it and copy it into a bin directory. It can also be downloaded from the release page.
wget -c https://sealyun.oss-cn-beijing.aliyuncs.com/latest/sealos && chmod +x sealos && mv sealos /usr/bin
(2) Download the offline resource package (obtain it yourself)
# create a directory for the package
mkdir -pv /usr/local/soft/package
# download the package into that directory
kube1.18.14.tar.gz
(3) Install the cluster
sealos init --passwd '123456' \
--master 192.168.80.7 --master 192.168.80.17 --master 192.168.80.27 \
--node 192.168.80.37 \
--without-cni \
--pkg-url /usr/local/soft/package/kube1.18.14.tar.gz \
--version v1.18.14
# When flannel will be used as the network plugin, add --podcidr 10.244.0.0/16 here. The cluster's pod CIDR then already matches flannel's default Network, so kube-flannel.yml can later be applied unchanged with kubectl apply -f kube-flannel.yml instead of editing its Network value.
(4) Download the CNI plugin binaries (on every node)
# download
wget -c https://github.com/containernetworking/plugins/releases/download/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
# create the directory
mkdir -pv /opt/cni/bin
# extract
tar -xf cni-plugins-linux-amd64-v0.9.1.tgz -C /opt/cni/bin/
(5) Install the flannel plugin
wget -c https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
# Edit the Network value in kube-flannel.yml: it must equal the cluster's pod CIDR. If it does not, pods get addresses outside the CIDR the control plane knows about and, among other symptoms, may not be able to reach external networks from inside a pod.
vim kube-flannel.yml
# Find the following block and change Network to 100.64.0.0/10, the pod CIDR sealos uses by default (see the podcidr parameter in section 2.1)
  net-conf.json: |
    {
      "Network": "10.244.0.0/16", # change this value
      "Backend": {
        "Type": "vxlan"
      }
    }
kubectl apply -f kube-flannel.yml
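The script below is an added example, not code from the article or from the flannel project, for doing the Network edit above without a hand-edit: it reads the current Network value from a kube-flannel.yml, validates the target CIDR, rewrites the value, and can discover the cluster's pod CIDR from the kubeadm-config ConfigMap that kubeadm writes during init (an assumption about the sealos v3 install, which drives kubeadm). The file-based functions are exercised on a constructed excerpt of the manifest containing only the net-conf.json section; only discover_pod_cidr needs a working kubectl.

```sh
#!/bin/sh
# Added example, not code from the article: keep the Network value in
# kube-flannel.yml equal to the cluster's pod CIDR. The file-based functions are
# exercised on a constructed manifest excerpt (make_sample_manifest); only
# discover_pod_cidr needs a live cluster, and it assumes the kubeadm-config
# ConfigMap that kubeadm writes during init is present (sealos v3 drives kubeadm).
set -eu

# IPv4 CIDR check: dotted quad with octets 0-255 and a prefix length of 0-32.
valid_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
  printf '%s' "${1%/*}" | awk -F. '{ for (i = 1; i <= 4; i++) if ($i > 255) exit 1 }'
}

# Current "Network" value in the net-conf.json section of the manifest $1.
flannel_network() {
  sed -n 's/^[[:space:]]*"Network":[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Rewrite "Network" in the manifest $1 to the CIDR $2 (refused if $2 is not a CIDR).
set_flannel_network() {
  valid_cidr "$2" || { echo "invalid CIDR: $2" >&2; return 1; }
  sed "s#^\([[:space:]]*\"Network\":[[:space:]]*\"\)[^\"]*\"#\1$2\"#" "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# Pod CIDR the control plane was initialised with (kubeadm's networking.podSubnet).
discover_pod_cidr() {
  kubectl -n kube-system get configmap kubeadm-config \
    -o jsonpath='{.data.ClusterConfiguration}' \
    | sed -n 's/^[[:space:]]*podSubnet:[[:space:]]*//p'
}

# Make the manifest $1 use CIDR $2; reports the change, returns 1 if no Network key.
align_flannel() {
  cur=$(flannel_network "$1")
  [ -n "$cur" ] || { echo "no Network key found in $1" >&2; return 1; }
  if [ "$cur" = "$2" ]; then
    echo "Network already $2"
  else
    set_flannel_network "$1" "$2"
    echo "Network changed $cur -> $2"
  fi
}

# Constructed excerpt of kube-flannel.yml (only the net-conf.json part, with the
# upstream default 10.244.0.0/16) for trying the functions offline.
make_sample_manifest() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
EOF
  printf '%s\n' "$f"
}

# Usage on a master before applying:  align_flannel kube-flannel.yml "$(discover_pod_cidr)"
```

Because the value is taken from the control plane's own configuration rather than typed in, the manifest cannot drift from the pod CIDR the cluster was initialised with, which is the mismatch the comment above warns about.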
The content of kube-flannel.yml (with Network already set to 100.64.0.0/10) is as follows:
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp.flannel.unprivileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  volumes:
  - configMap
  - secret
  - emptyDir
  - hostPath
  allowedHostPaths:
  - pathPrefix: "/etc/cni/net.d"
  - pathPrefix: "/etc/kube-flannel"
  - pathPrefix: "/run/flannel"
  readOnlyRootFilesystem: false
  # Users and groups
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Privilege Escalation
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  # Capabilities
  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
  defaultAddCapabilities: []
  requiredDropCapabilities: []
  # Host namespaces
  hostPID: false
  hostIPC: false
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  # SELinux
  seLinux:
    # SELinux is unused in CaaSP
    rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
- apiGroups: ['extensions']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['psp.flannel.unprivileged']
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: flannel
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flannel
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    app: flannel
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "100.64.0.0/10",
      "Backend": {
        "Type": "vxlan"
      }
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      hostNetwork: true
      priorityClassName: system-node-critical
      tolerations:
      - operator: Exists
        effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
      - name: install-cni
        image: quay.io/coreos/flannel:v0.14.0
        command:
        - cp
        args:
        - -f
        - /etc/kube-flannel/cni-conf.json
        - /etc/cni/net.d/10-flannel.conflist
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      containers:
      - name: kube-flannel
        image: quay.io/coreos/flannel:v0.14.0
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
          limits:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN", "NET_RAW"]
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        volumeMounts:
        - name: run
          mountPath: /run/flannel
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      volumes:
      - name: run
        hostPath:
          path: /run/flannel
      - name: cni
        hostPath:
          path: /etc/cni/net.d
      - name: flannel-cfg
        configMap:
          name: kube-flannel-cfg
(6) Download and import the image
Because of network conditions in mainland China the quay.io image may not be pullable; pull it from the USTC mirror instead and retag it. On an air-gapped network, pull it on a host with Internet access, export it, then upload and import it on every node. Retagging changes only the name, not the content: before loading a mirror-sourced image into an offline cluster, confirm that its image ID or digest matches the one published for quay.io/coreos/flannel:v0.14.0 upstream.
# pull the image
docker pull quay.mirrors.ustc.edu.cn/coreos/flannel:v0.14.0
# retag it
docker tag quay.mirrors.ustc.edu.cn/coreos/flannel:v0.14.0 quay.io/coreos/flannel:v0.14.0
# export
docker save quay.io/coreos/flannel:v0.14.0 | gzip > flannel-014.tgz
# import (on each node)
docker load -i flannel-014.tgz
3. Replacing the network plugin
sealos installs calico by default. Some cloud platforms do not support it, with the symptom that NodePort services on the master nodes cannot be reached (a telnet to the port fails). In that case the network plugin may need to be replaced with flannel. Steps (1) to (4) and (6) below change node-local state and must be run on every node of the cluster; step (5) is run once against the cluster.
(1) Flush the iptables rules
This removes every rule on the node, including kube-proxy's and anything the host firewall added; kube-proxy recreates its own rules on its next sync.
iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat
(2) Bring down the tunl0 virtual interface (created by calico's IPIP mode)
ip link set tunl0 down
(3) Remove calico's CNI configuration and runtime files
rm -f /etc/cni/net.d/*
rm -rf /run/calico/
(4) Replace the CNI plugin binaries
# download
wget -c https://github.com/containernetworking/plugins/releases/download/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
# back up the existing binaries (use the absolute path so the move works from any directory)
mkdir /root/cni-bak
mv /opt/cni/bin/* /root/cni-bak/
# extract
tar -xf cni-plugins-linux-amd64-v0.9.1.tgz -C /opt/cni/bin/
(5) Install the flannel plugin
wget -c https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
# as in section 2.2 step (5), set the Network value in net-conf.json to the cluster's pod CIDR before applying
kubectl apply -f kube-flannel.yml
(6) Restart docker and kubelet
systemctl restart docker
systemctl restart kubelet
(7) Adjust the iptables FORWARD chain policy (if needed)
These are two separate settings and pod traffic needs both: Docker sets the FORWARD chain policy to DROP by default, and the kernel must have IP forwarding switched on.
iptables -P FORWARD ACCEPT
# and make sure kernel packet forwarding is enabled, by having the following line in /etc/sysctl.conf (apply it with sysctl -p)
net.ipv4.ip_forward = 1
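The script below is an added example, not code from the article, for verifying on each node that the switch to flannel left the node in a working state: the FORWARD chain policy is ACCEPT, net.ipv4.ip_forward is 1, and no non-flannel CNI configuration is left in /etc/cni/net.d from step (3). The parsers take their input on stdin or as a path, so they are exercised here on constructed samples (the iptables lines and the file names under the sample net.d are made up); check_forwarding reads the real node state and needs iptables.

```sh
#!/bin/sh
# Added example, not code from the article: checks for the node-level state that
# steps (1), (3) and (7) of this section change. Each parser takes its input as a
# file or on stdin so it runs on the constructed samples below as well as on the
# real `iptables -S FORWARD` output, /proc/sys/net/ipv4/ip_forward and
# /etc/cni/net.d of a node.
set -eu

# stdin: `iptables -S FORWARD`; prints the chain policy (ACCEPT or DROP).
forward_policy() {
  sed -n 's/^-P FORWARD \([A-Z]*\).*/\1/p'
}

# True when the sysctl file $1 (default /proc/sys/net/ipv4/ip_forward) reads 1.
ip_forward_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# CNI config files in directory $1 that do not belong to flannel (calico leftovers).
stale_cni_conf() {
  for f in "$1"/*.conf "$1"/*.conflist; do
    [ -e "$f" ] || continue
    case "${f##*/}" in
      *flannel*) ;;
      *) printf '%s\n' "$f" ;;
    esac
  done
}

# Whole-node check; returns 1 with an explanation when pod traffic cannot be forwarded.
check_forwarding() {
  rc=0
  policy=$(iptables -S FORWARD 2>/dev/null | forward_policy)
  [ "$policy" = ACCEPT ] || { echo "FORWARD policy is ${policy:-unknown}; run: iptables -P FORWARD ACCEPT"; rc=1; }
  ip_forward_enabled || { echo 'net.ipv4.ip_forward is 0; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and run sysctl -p'; rc=1; }
  stale=$(stale_cni_conf /etc/cni/net.d)
  [ -z "$stale" ] || { printf 'non-flannel CNI config still present:\n%s\n' "$stale"; rc=1; }
  return $rc
}

# Constructed samples (not captured from a real node): Docker's default DROP
# policy, forwarding switched off, and a calico config left next to flannel's.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -j DOCKER-USER'
make_sample_node() {
  dir=$(mktemp -d)
  printf '0\n' > "$dir/ip_forward"
  mkdir "$dir/net.d"
  : > "$dir/net.d/10-calico.conflist"
  : > "$dir/net.d/10-flannel.conflist"
  printf '%s\n' "$dir"
}

# Usage on a node after step (7):  check_forwarding
```

A DROP policy with the KUBE-FORWARD rule still present is the common case after a Docker restart, which is why the check looks at the chain policy rather than only at the rule list.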