Kubernetes with CRI-O
1: Environment
Hostname | IP | Software | OS
kubernetes-master-1 | 10.0.0.11 | cri-o | CentOS Stream 9
kubernetes-worker-1 | 10.0.0.12 | cri-o | CentOS Stream 9
2: Basic configuration
1: Hostname
hostnamectl hostname kubernetes-master-1
hostnamectl hostname kubernetes-worker-1
2: Configure hosts resolution
cat <<eof >>/etc/hosts
10.0.0.11 kubernetes-master-1
10.0.0.12 kubernetes-worker-1
eof
3: Disable the swap partition (run on all three nodes)
# Disable temporarily
swapoff -a
# Disable the swap partition permanently; requires an OS reboot
sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
4: Firewall configuration (run on all three nodes)
systemctl disable firewalld --now
5: SELinux configuration (run on all three nodes)
# Disable temporarily
setenforce 0
# Take effect permanently
sed -ri 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
6: Set the Shanghai time zone (UTC+8)
timedatectl set-timezone Asia/Shanghai
7: A kernel upgrade is something you need to do on CentOS 7, but I am on 9, so I skip it.
8: Configure kernel IP forwarding and bridge filtering
cat << EOF>>/etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
vm.swappiness=0
EOF
# Apply it
sysctl -p /etc/sysctl.d/k8s.conf
9: Enable kernel modules
modprobe bridge
modprobe overlay
modprobe br_netfilter
10: Check that it is loaded
lsmod | grep br_netfilter
# Install ipset and ipvsadm
yum -y install ipset ipvsadm
# Configure how the ipvs modules are loaded: add the modules that need loading
cat << EOF>> ./ipvs.module
modprobe -- ip_vs
modprobe -- ip_vs_sh
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- nf_conntrack
EOF
# Grant execute permission and run it, then check whether the modules loaded
chmod 755 ./ipvs.module && ./ipvs.module
lsmod | grep ip
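Before moving on, a preflight check I am adding here (not part of the original post): it verifies that a sysctl file carries every key kubeadm's preflight expects, including the two net.bridge.bridge-nf-call-* keys that the k8s.conf above omits, and that the sed from step 3 really commented the swap line out. It runs on constructed copies of the files, so it needs no root and the paths are assumptions.

```shell
#!/bin/sh
# Added preflight check, not part of the original post. It reads the files it
# is given, so it can be run on copies before a node is changed.

# sysctl keys kubeadm preflight expects. The two bridge keys are absent from
# the k8s.conf above; they only exist once br_netfilter is loaded (step 9).
REQUIRED_SYSCTL="net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1"

# check_sysctl_conf FILE -> 0 if every required key=value is present
check_sysctl_conf() {
    rc=0
    # normalise "key = value" to "key=value", drop comments and blank lines
    normalised=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1")
    for want in $REQUIRED_SYSCTL; do
        if ! printf '%s\n' "$normalised" | grep -qxF "$want"; then
            echo "$1: missing or wrong: $want" >&2
            rc=1
        fi
    done
    return $rc
}

# check_fstab_swap FILE -> 0 if no uncommented swap entry remains
check_fstab_swap() {
    ! grep -Eq '^[^#].*[[:space:]]swap[[:space:]]' "$1"
}

# Constructed samples: the k8s.conf from this post, a complete one, and an
# fstab before and after the (corrected) sed from step 3.
tmp=$(mktemp -d)
printf 'net.ipv4.ip_forward = 1\nvm.swappiness=0\n' >"$tmp/k8s.conf"
cat >"$tmp/k8s-full.conf" <<'EOF'
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
vm.swappiness = 0
EOF
printf '/dev/mapper/cs-root / xfs defaults 0 0\n/dev/mapper/cs-swap none swap defaults 0 0\n' >"$tmp/fstab"
sed '/ swap / s/^\(.*\)$/#\1/g' "$tmp/fstab" >"$tmp/fstab.fixed"

for f in k8s.conf k8s-full.conf; do
    if check_sysctl_conf "$tmp/$f"; then echo "$f: sysctl ok"; else echo "$f: sysctl INCOMPLETE"; fi
done
for f in fstab fstab.fixed; do
    if check_fstab_swap "$tmp/$f"; then echo "$f: swap disabled"; else echo "$f: swap still active"; fi
done
```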
3: Install CRI-O
1: Download the CRI-O binary bundle
wget https://github.com/cri-o/cri-o/releases/download/v1.24.1/cri-o.amd64.v1.24.1.tar.gz
2: Extract it
tar xf cri-o.amd64.v1.24.1.tar.gz
3: Enter the directory and run the installer
cd cri-o
./install
4: Start it
[root@kubernetes-master-1 cri-o]# systemctl daemon-reload
[root@kubernetes-master-1 cri-o]# systemctl enable --now crio
Created symlink /etc/systemd/system/cri-o.service → /usr/local/lib/systemd/system/crio.service.
Created symlink /etc/systemd/system/multi-user.target.wants/crio.service → /usr/local/lib/systemd/system/crio.service.
[root@kubernetes-master-1 cri-o]# systemctl status crio
● crio.service - Container Runtime Interface for OCI (CRI-O)
Loaded: loaded (/usr/local/lib/systemd/system/crio.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-09-27 07:22:57 CST; 16s ago
Docs: https://github.com/cri-o/cri-o
Main PID: 1765 (crio)
Tasks: 11
Memory: 60.8M
CPU: 134ms
CGroup: /system.slice/crio.service
└─1765 /usr/local/bin/crio
5: CRI-O has a great many configuration options, so you will need to study them and configure what you need.
[root@kubernetes-master-1 ~]# cat /etc/crio/crio.conf
insecure_registries = ["6ze43vnb.mirror.aliyuncs.com"]
pause_image = "registry.aliyuncs.com/google_containers/pause:3.7"
# Create a registries file
[root@kubernetes-master-1 ~]# cat /etc/containers/registries.conf
[registries.search]
registries = ['docker.io']
[registries.insecure]
registries = []
6: Restart crio
systemctl daemon-reload && systemctl restart crio
4: Deploy the Kubernetes cluster
1: Download and install the packages
yum -y install kubeadm-1.24.1-0 kubelet-1.24.1-0 kubectl-1.24.1-0
2: Start kubelet
systemctl enable --now kubelet
3: Configure crictl
cat << EOF >> /etc/crictl.yaml
runtime-endpoint: unix:///var/run/crio/crio.sock
image-endpoint: unix:///var/run/crio/crio.sock
timeout: 10
debug: false
EOF
4: The following only needs to be done on the master
kubeadm config print init-defaults > kubeadm-init.yaml
5: Put the following content into the YAML file
apiVersion: kubeadm.k8s.io/v1beta3
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 10.0.0.11
  bindPort: 6443
nodeRegistration:
  criSocket: unix:///var/run/crio/crio.sock
  imagePullPolicy: IfNotPresent
  name: kubernetes-master-1
  taints:
  - effect: "NoSchedule"
    key: "node-role.kubernetes.io/master"
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns: {}
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: 1.24.1
networking:
  dnsDomain: cluster.local
  serviceSubnet: 20.1.0.0/16
  podSubnet: 10.1.0.0/16
scheduler: {}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd
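An added check, not part of the original post: the token in the config above is the sample value that kubeadm config print init-defaults writes, and the bootstrap token is what a later kubeadm join authenticates with, so it should be replaced before kubeadm init (kubeadm token generate does this on a real node). The helpers below flag the sample token, mint a random one in the same format and rewrite a constructed copy of the file; the paths are assumptions.

```shell
#!/bin/sh
# Added check, not part of the original post. The init config above keeps the
# sample token printed by `kubeadm config print init-defaults`; that value is
# public, and a bootstrap token is what authenticates a `kubeadm join`, so it
# must be replaced before kubeadm init. Token TTL (ttl: above) bounds its life.

TOKEN_RE='^[a-z0-9]{6}\.[a-z0-9]{16}$'   # kubeadm bootstrap token format
SAMPLE_TOKEN='abcdef.0123456789abcdef'

# token_format_ok TOKEN -> 0 if TOKEN has the <6>.<16> lowercase shape
token_format_ok() { printf '%s\n' "$1" | grep -Eq "$TOKEN_RE"; }

# gen_token -> a random token in the same format (from /dev/urandom)
gen_token() {
    a=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 6)
    b=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 16)
    printf '%s.%s\n' "$a" "$b"
}

# config_token FILE -> first "token:" value in a kubeadm init YAML
config_token() { sed -n 's/^[[:space:]]*token:[[:space:]]*//p' "$1" | head -n 1; }

# audit_token FILE -> 0 only if the token is well-formed and not the sample
audit_token() {
    t=$(config_token "$1")
    [ -n "$t" ] || { echo "$1: no token set" >&2; return 1; }
    token_format_ok "$t" || { echo "$1: malformed token $t" >&2; return 1; }
    [ "$t" != "$SAMPLE_TOKEN" ] || { echo "$1: sample token in use" >&2; return 1; }
}

# replace_token FILE NEWTOKEN -> writes FILE.new with the token swapped
replace_token() {
    sed "s/^\([[:space:]]*token:[[:space:]]*\).*/\1$2/" "$1" >"$1.new"
}

# Constructed copy of the bootstrapTokens block from the config above
tmp=$(mktemp -d)
printf 'bootstrapTokens:\n- groups:\n  - system:bootstrappers:kubeadm:default-node-token\n  token: abcdef.0123456789abcdef\n  ttl: 24h0m0s\n' >"$tmp/kubeadm-init.yaml"

if audit_token "$tmp/kubeadm-init.yaml"; then
    echo "token ok"
else
    new=$(gen_token)
    replace_token "$tmp/kubeadm-init.yaml" "$new"
    audit_token "$tmp/kubeadm-init.yaml.new" && echo "replaced with $new"
fi
```

Whatever token ends up in the file is the one the kubeadm join command printed by kubeadm init will carry, so the worker must be joined with that value, not the sample one.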
6: List the required images
[root@kubernetes-master-1 ~]# kubeadm config images list --config kubeadm-init.yaml
registry.aliyuncs.com/google_containers/kube-apiserver:v1.24.1
registry.aliyuncs.com/google_containers/kube-controller-manager:v1.24.1
registry.aliyuncs.com/google_containers/kube-scheduler:v1.24.1
registry.aliyuncs.com/google_containers/kube-proxy:v1.24.1
registry.aliyuncs.com/google_containers/pause:3.7
registry.aliyuncs.com/google_containers/etcd:3.5.3-0
registry.aliyuncs.com/google_containers/coredns:v1.8.6
8: Pre-pull the images
[root@kubernetes-master-1 ~]# kubeadm config images pull --config kubeadm-init.yaml
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-apiserver:v1.24.1
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-controller-manager:v1.24.1
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-scheduler:v1.24.1
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-proxy:v1.24.1
[config/images] Pulled registry.aliyuncs.com/google_containers/pause:3.7
[config/images] Pulled registry.aliyuncs.com/google_containers/etcd:3.5.3-0
[config/images] Pulled registry.aliyuncs.com/google_containers/coredns:v1.8.6
9: View the images
[root@kubernetes-master-1 ~]# crictl images
IMAGE TAG IMAGE ID SIZE
registry.aliyuncs.com/google_containers/coredns v1.8.6 a4ca41631cc7a 47MB
registry.aliyuncs.com/google_containers/etcd 3.5.3-0 aebe758cef4cd 301MB
registry.aliyuncs.com/google_containers/kube-apiserver v1.24.1 e9f4b425f9192 131MB
registry.aliyuncs.com/google_containers/kube-controller-manager v1.24.1 b4ea7e648530d 121MB
registry.aliyuncs.com/google_containers/kube-proxy v1.24.1 beb86f5d8e6cd 112MB
registry.aliyuncs.com/google_containers/kube-scheduler v1.24.1 18688a72645c5 52.3MB
registry.aliyuncs.com/google_containers/pause 3.7 221177c6082a8 718kB
10: Initialise the cluster
[root@kubernetes-master-1 ~]# kubeadm init --config=kubeadm-init.yaml
......
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
echo "source <(kubectl completion bash)" >> ~/.bashrc
source ~/.bashrc
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 10.0.0.11:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:84bb78a295cacb1683b44f1a67a8ea2e9d63c39c85bb2e6ef4c5952dafb0e5b8
11: Join the node
[root@kubernetes-worker-1 ~]# kubeadm join 10.0.0.11:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:84bb78a295cacb1683b44f1a67a8ea2e9d63c39c85bb2e6ef4c5952dafb0e5b8
12: View the cluster
[root@kubernetes-master-1 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
kubernetes-master-1 Ready control-plane 84s v1.24.1
kubernetes-worker-1 Ready <none> 21s v1.24.1
# Deploy a network plugin (optional)
[root@kubernetes-master-1 ~]# wget https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
Note: remember to change the subnet in the file so that it matches the podSubnet set in kubeadm-init.yaml.
13: Test application
apiVersion: v1
kind: Namespace
metadata:
  name: nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:alpine
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: nginx
spec:
  type: NodePort
  selector:
    app: nginx
  ports:
  - name: http
    port: 80
    targetPort: 80
[root@kubernetes-master-1 ~]# kubectl apply -f nginx.yaml
namespace/nginx created
deployment.apps/nginx created
service/nginx created
# Access test
[root@kubernetes-master-1 ~]# curl -I 10.0.0.12:32520
HTTP/1.1 200 OK
Server: nginx/1.23.1
Date: Tue, 27 Sep 2022 00:03:49 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 19 Jul 2022 15:23:19 GMT
Connection: keep-alive
ETag: "62d6cc67-267"
Accept-Ranges: bytes