基于Debian 11使用二进制方式部署Kubernetes 1.28.2的详细步骤

一、前置准备（所有节点执行）

# 设置主机名及解析（按实际IP修改）
sudo hostnamectl set-hostname master01  # 控制节点
sudo hostnamectl set-hostname worker01  # 工作节点
 
# 更新系统并安装依赖
sudo apt update && sudo apt install -y \
    conntrack \
    nfs-common \
    ebtables \
    socat \
    curl \
    apt-transport-https \
    ca-certificates \
    gnupg2
 
# 禁用交换分区
sudo swapoff -a
sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
 
# 加载内核模块
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
br_netfilter
ip_vs
ip_vs_rr
ip_vs_wrr
nf_conntrack
EOF
sudo modprobe -- br_netfilter ip_vs ip_vs_rr ip_vs_wrr nf_conntrack
 
# 内核参数调优
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
sudo sysctl --system

二、安装容器运行时（所有节点）

# 安装containerd
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian bullseye stable" | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt update && sudo apt install -y containerd.io
 
# 配置containerd
sudo mkdir -p /etc/containerd
containerd config default | sudo tee /etc/containerd/config.toml
sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
sudo systemctl restart containerd

三、部署Kubernetes组件

1. 下载二进制文件（所有节点）

K8S_VER="v1.28.2"
ETCD_VER="v3.5.9"
 
# 下载Kubernetes组件
wget https://dl.k8s.io/${K8S_VER}/kubernetes-server-linux-amd64.tar.gz
tar -xzvf kubernetes-server-linux-amd64.tar.gz
sudo cp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubelet,kube-proxy} /usr/local/bin/
 
# 下载etcd
wget https://github.com/etcd-io/etcd/releases/download/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz
tar -xzvf etcd-${ETCD_VER}-linux-amd64.tar.gz
sudo cp etcd-${ETCD_VER}-linux-amd64/{etcd,etcdctl} /usr/local/bin/

2. 证书生成（控制节点）

# 安装cfssl工具
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.4/cfssl_1.6.4_linux_amd64 -o cfssl
curl -L https://github.com/cloudflare/cfssl/releases/download/v1.6.4/cfssljson_1.6.4_linux_amd64 -o cfssljson
chmod +x cfssl cfssljson && sudo mv cfssl cfssljson /usr/local/bin/
 
# 生成CA证书
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "87600h"
      }
    }
  }
}
EOF
 
cat > ca-csr.json <<EOF
{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "Kubernetes",
      "OU": "CA"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

3. 部署控制平面（控制节点）

# 创建etcd服务
sudo mkdir -p /var/lib/etcd /etc/etcd
sudo cp ca.pem /etc/etcd/
 
# 创建etcd systemd服务
cat <<EOF | sudo tee /etc/systemd/system/etcd.service
[Unit]
Description=etcd
Documentation=https://github.com/coreos/etcd
 
[Service]
ExecStart=/usr/local/bin/etcd \\
  --name master01 \\
  --data-dir /var/lib/etcd \\
  --cert-file=/etc/etcd/ca.pem \\
  --key-file=/etc/etcd/ca-key.pem \\
  --advertise-client-urls https://$(hostname -i):2379 \\
  --listen-client-urls https://0.0.0.0:2379 \\
  --listen-peer-urls http://0.0.0.0:2380
Restart=on-failure
RestartSec=5
 
[Install]
WantedBy=multi-.target
EOF
 
# 启动etcd
sudo systemctl daemon-reload
sudo systemctl enable etcd --now

4. 部署kube-apiserver

# 创建配置文件
sudo mkdir -p /etc/kubernetes
cat <<EOF | sudo tee /etc/kubernetes/apiserver
KUBE_API_ARGS="--allow-privileged=true \\
  --apiserver-count=1 \\
  --etcd-servers=https://$(hostname -i):2379 \\
  --service-cluster-ip-range=10.96.0.0/12 \\
  --service-node-port-range=30000-32767 \\
  --client-ca-file=/etc/kubernetes/ca.pem \\
  --tls-cert-file=/etc/kubernetes/apiserver.pem \\
  --tls-private-key-file=/etc/kubernetes/apiserver-key.pem \\
  --kubelet-client-certificate=/etc/kubernetes/apiserver.pem \\
  --kubelet-client-key=/etc/kubernetes/apiserver-key.pem"
EOF
 
# 创建systemd服务
cat <<EOF | sudo tee /etc/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
 
[Service]
ExecStart=/usr/local/bin/kube-apiserver \$KUBE_API_ARGS
Restart=on-failure
RestartSec=5
 
[Install]
WantedBy=multi-.target
EOF
 
# 启动服务
sudo systemctl daemon-reload
sudo systemctl enable kube-apiserver --now