返回顶部

使用sealos工具安装kubernetes集群

一、安装前准备

1.1、主机规划

IP 系统 角色 主机名
192.168.80.7 CentOS7.6 master k8s-master-1
192.168.80.17 CentOS7.6 node k8s-master-2
192.168.80.27 CentOS7.6 node k8s-master-3
192.168.80.37 CentOS7.6 node k8s-node-1

1.2、修改主机名

按主机规划设备各主机的主机名,并在 /etc/hosts 文件中添加解析配置

#修改主机名
hostnamectl set-hostname k8s-master-1

#修改/etc/hosts,添加以下配置
vim /etc/hosts
192.168.80.7    k8s-master-1
192.168.80.17   k8s-master-2
192.168.80.27   k8s-master-3
192.168.80.37   k8s-node-1

1.3、关闭防火墙

# 停止
systemctl stop firewalld.service
# 禁用
systemctl disable firewalld.service

1.4、关闭SELinux

setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/sysconfig/selinux

1.5、关闭swap

swapoff -a

1.6、设置时间同步

# 设置时区
timedatectl set-timezone Asia/Shanghai

# 同步时间
yum install -y ntpdate
ntpdate time1.aliyun.com

二、部署k8s集群

2.1、带calico网络插件安装

(1) 下载并安装sealos,sealos是个golang的二进制工具,直接下载拷贝到bin目录即可, release页面也可下载,当时latest版本为v3.3.9,目前最新版本为v4.1.6,安装k8s集群的方式已不同,请参考官网,v3.3.9-rc11下载地址为:https://github.com/labring/sealos/releases/download/v3.3.9-rc.11/sealos_3.3.9-rc.11_linux_amd64.tar.gz

wget -c https://sealyun.oss-cn-beijing.aliyuncs.com/latest/sealos && chmod +x sealos && mv sealos /usr/bin 

(2) 下载离线资源包(请自行下载)

#新建软件包存放目录
mkdir -pv /usr/local/soft/package
#下载软件包
kube1.18.14.tar.gz

(3) 安装集群

sealos init --passwd '123456' \
--master 192.168.80.7  --master 192.168.80.17  --master 192.168.80.27 \
--node 192.168.80.37  \
--pkg-url /usr/local/soft/package/kube1.18.14.tar.gz \
--version v1.18.14

参数含义

参数名 含义 示例 是否必须
passwd 服务器密码 123456 和私钥二选一
master k8s master节点IP地址 192.168.0.2 必须
node k8s node节点IP地址 192.168.80.37 可选
pkg-url 离线资源包地址,支持下载到本地,或者一个远程地址 /root/kube1.16.0.tar.gz 必须
version 资源包对应的版本 v1.18.14 必须
kubeadm-config 自定义kubeadm配置文件 kubeadm.yaml.temp 可选
pk ssh私钥地址,免密钥时使用 /root/.ssh/id_rsa 和passwd二选一
pk-passwd ssh私钥密码 默认为空 私钥有密码时添加即可
user ssh用户名 root 可选
interface 机器网卡名,CNI网卡发现用 eth.* 可选
network CNI类型如calico flannel calico 可选
podcidr pod网段 100.64.0.0/10 可选
repo 镜像仓库,离线包通常不用配置,除非你把镜像导入到自己私有仓库了 k8s.gcr.io 可选
svccidr clusterip网段 10.96.0.0/12 可选
vlog kubeadm 日志等级 5 可选
cert-sans kubernetes apiServerCertSANs sealyun.com 可选
without-cni 不装cni插件,为了用户自己装别的CNI 默认安装calico-cni 可选

(4) 等待安装完成即可

(5) 其它命令

#增加master
sealos join --master 192.168.80.47 --master 192.168.80.57
sealos join --master 192.168.80.47-192.168.80.57  # 或者多个连续IP

#增加node
sealos join --node 192.168.80.47 --master 192.168.80.57
sealos join --node 192.168.80.47-192.168.80.57  # 或者多个连续IP

#删除指定master节点
sealos clean --master 192.168.80.47 --master 192.168.80.57
sealos clean --master 192.168.80.47-192.168.80.57  # 或者多个连续IP

#删除指定node节点
sealos clean --node 192.168.80.47 --node 192.168.80.57
sealos clean --node 192.168.80.47-192.168.80.57  # 或者多个连续IP

#清理集群
sealos clean --all

#备份集群
sealos etcd save

2.2、不带网络插件安装

(1) 下载并安装sealos,sealos是个golang的二进制工具,直接下载拷贝到bin目录即可, release页面也可下载

wget -c https://sealyun.oss-cn-beijing.aliyuncs.com/latest/sealos && chmod +x sealos && mv sealos /usr/bin 

(2) 下载离线资源包(请自行下载)

#新建软件包存放目录
mkdir -pv /usr/local/soft/package
#下载软件包
kube1.18.14.tar.gz

(3) 安装集群

sealos init --passwd '123456' \
--master 192.168.80.7  --master 192.168.80.17  --master 192.168.80.27 \
--node 192.168.80.37  \
--without-cni \
--pkg-url /usr/local/soft/package/kube1.18.14.tar.gz \
--version v1.18.14

#使用flannel网络插件时,可以添加 --podcidr 10.244.0.0/16 参数,后续就不用改kube-flannel.ywl文件中的网段,而直接使用 kubectl apply -f kube-flannel.ywl 即可

(4) 下载cni网络插件工具

#下载
wget -c https://github.com/containernetworking/plugins/releases/download/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz

#创建目录
mkdir -pv /opt/cni/bin

#解压
tar -xf cni-plugins-linux-amd64-v0.9.1.tgz -C /opt/cni/bin/

(5) 安装flannel插件

wget -c https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

#修改kube-flannel.yml文件中的网段,如果和pod的网段不在同一网段,在pod内可能ping不通外网
vim kube-flannel.yml
#找到以下内容,将Network的值改为100.64.0.0/10,sealos默认安装的podcidr为100.64.0.0/24
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",	#修改此处
      "Backend": {
        "Type": "vxlan"
      }
    }

kubectl apply -f kube-flannel.yml

kube-flannel.yml 文件内容如下:

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp.flannel.unprivileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  volumes:
  - configMap
  - secret
  - emptyDir
  - hostPath
  allowedHostPaths:
  - pathPrefix: "/etc/cni/net.d"
  - pathPrefix: "/etc/kube-flannel"
  - pathPrefix: "/run/flannel"
  readOnlyRootFilesystem: false
  # Users and groups
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Privilege Escalation
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  # Capabilities
  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
  defaultAddCapabilities: []
  requiredDropCapabilities: []
  # Host namespaces
  hostPID: false
  hostIPC: false
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  # SELinux
  seLinux:
    # SELinux is unused in CaaSP
    rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
- apiGroups: ['extensions']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['psp.flannel.unprivileged']
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: flannel
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flannel
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    app: flannel
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "100.64.0.0/10",
      "Backend": {
        "Type": "vxlan"
      }
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      hostNetwork: true
      priorityClassName: system-node-critical
      tolerations:
      - operator: Exists
        effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
      - name: install-cni
        image: quay.io/coreos/flannel:v0.14.0
        command:
        - cp
        args:
        - -f
        - /etc/kube-flannel/cni-conf.json
        - /etc/cni/net.d/10-flannel.conflist
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      containers:
      - name: kube-flannel
        image: quay.io/coreos/flannel:v0.14.0
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
          limits:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN", "NET_RAW"]
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        volumeMounts:
        - name: run
          mountPath: /run/flannel
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      volumes:
      - name: run
        hostPath:
          path: /run/flannel
      - name: cni
        hostPath:
          path: /etc/cni/net.d
      - name: flannel-cfg
        configMap:
          name: kube-flannel-cfg

(6) 下载并导入镜像

​ 因国内网络原因,quay.io镜像可能拉取不到,可以用中科大镜像,然后修改tag即可,如果是内网,建议在有网的主机上下载,然后上传导入。

#拉取镜像
docker pull quay.mirrors.ustc.edu.cn/coreos/flannel:v0.14.0

#打标签
docker tag  quay.mirrors.ustc.edu.cn/coreos/flannel:v0.14.0 quay.io/coreos/flannel:v0.14.0

#导出
docker save quay.io/coreos/flannel:v0.14.0 | gzip > flannel-014.tgz

#导入
docker load -i flannel-014.tgz

三、更换网络插件

​ sealos默认使用的calico插件,有些云平台可能不支持,导致主节点上的NodePort无法telnet,也无法访问。刚可能需要更换网络插件为flannel。

(1) 清空iptables规则

iptables -F &&  iptables -X &&  iptables -F -t nat &&  iptables -X -t nat

(2) 停用tunl0虚拟网卡

ip link set tunl0 down

(3) 删除calico的一些文件

rm -f /etc/cni/net.d/*
rm -rf /run/calico/

(4) 替换cni网络插件工具

#下载
wget -c https://github.com/containernetworking/plugins/releases/download/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz

#备份
mkdir /root/cni-bak
mv /opt/cni/bin/* cni-bak/

#解压
tar -xf cni-plugins-linux-amd64-v0.9.1.tgz -C /opt/cni/bin/

(5) 安装flannel插件

wget -c https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

kubectl apply -f kube-flannel.yml

(6) 重启docker和kubelet

systemctl restart docker
systemctl restart kubelet

(7) 修改iptables FORWARD 链中访问规则(如有需要)

iptables -P FORWARD ACCEPT

#或开启内核数据包转发参数
net.ipv4.ip_forward = 1
posted @ 2023-03-03 11:49  hovin  阅读(2300)  评论(0编辑  收藏  举报