k8s1.25安装
环境初始化
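# Node preparation (CentOS 7, run as root on every node): base tools, firewall, SELinux, Docker CE.
# Package is bash-completion; the page had "bash -completion", which yum reads as two packages.
yum install bash-completion vim ntpdate iptables lrzsz epel-release -y
# The original followed the install with `exec bash` to pick up the new completions; that would
# end a script at this point, so it is left out here — open a new login shell when done instead.

# Stop and disable firewalld ("disabled" is not a systemctl verb, "disable" is).
# Host ports such as the API server port 6443 are then unfiltered on the node.
systemctl stop firewalld
systemctl disable firewalld

# SELinux: permissive for this boot (setenforce 0), and the sed disables it entirely after a
# reboot — stricter than permissive mode, which is all the kubeadm install steps call for.
setenforce 0
sed -i 's/=enforcing/=disabled/g' /etc/selinux/config

# Docker CE from the Aliyun mirror of download.docker.com (the URLs were split by extraction).
# step 1: prerequisite tools
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
# Step 2: add the upstream repo definition
sudo yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Step 3: point the repo at the mirror
sudo sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
# Step 4: refresh metadata and install Docker CE
sudo yum makecache fast
sudo yum -y install docker-ce
# Step 5: start the daemon (the page numbered this "Step 4" twice)
sudo service docker start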
主机免密登录
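# Passwordless root SSH from k8s-master to all three nodes. The transcript shows an RSA key with
# an empty passphrase, so generate it non-interactively instead of answering the prompts.
# Nothing later in this guide uses the SSH trust except the two scp lines at the bottom.
ssh-keygen -t rsa -N '' -f /root/.ssh/id_rsa
# Generating public/private rsa key pair.
# Your identification has been saved in /root/.ssh/id_rsa.
# Your public key has been saved in /root/.ssh/id_rsa.pub.
# The key fingerprint is:
# SHA256:Zs+V+wNPaXRiainTUzIReEzp/KpjdTVZ9o7zNwWMzFU root@k8s-master

# Name resolution for the cluster members is static in /etc/hosts.
cat /etc/hosts
# 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
# ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
# 192.168.10.50 k8s-master
# 192.168.10.51 k8s-node1
# 192.168.10.52 k8s-node2

# Install the public key on every node, the master included. Each node's host key is accepted on
# first use ("Are you sure you want to continue connecting (yes/no)? yes"); the fingerprints seen
# in the transcript are recorded here so they can be compared against the node's own key.
ssh-copy-id k8s-node1    # ECDSA SHA256:H9NvcSpsUXCcUziykpSN7WMrL/EomIaPP6/zJupGpUk
ssh-copy-id k8s-node2    # ECDSA SHA256:zzldrfyVbfqWMww99687af8UEtUh+GCaM8rlUJmYhtE
ssh-copy-id k8s-master   # ECDSA SHA256:BbQyv46crWLZgDlqpA5fjHnDrl5oJwOAHh9tX526l9w
# Each run ends with:
# Number of key(s) added: 1
# Now try logging into the machine, with: "ssh '<node>'"
# and check to make sure that only the key(s) you wanted were added.

# Copy the hosts file to the workers so all nodes resolve each other the same way.
scp /etc/hosts k8s-node1:/etc/hosts
scp /etc/hosts k8s-node2:/etc/hosts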
关闭交换分区
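# Turn swap off now and keep it off across reboots (kubeadm's preflight rejects active swap).
swapoff -a

#######################################
# Comment out every active swap entry in an fstab file so swap stays off after a reboot.
# The page did this by hand in vim; this is the same edit, scripted and idempotent (lines that
# already start with '#' are left alone).
# Arguments: $1 - path to the fstab file
# Returns:   sed's exit status
#######################################
disable_fstab_swap() {
  local fstab=$1
  sed -ri 's/^([^#].*[[:space:]]swap[[:space:]])/#\1/' -- "$fstab"
}

disable_fstab_swap /etc/fstab

# Resulting /etc/fstab shown on the page:
# /dev/mapper/centos-root /                       xfs     defaults        0 0
# UUID=ec65c557-715f-4f2b-beae-ec564c71b66b /boot xfs     defaults        0 0
# #/dev/mapper/centos-swap swap                   swap    defaults        0 0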
加载内核参数并加以设置
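# Bridge netfilter must be loaded before the sysctls below can be set.
modprobe br_netfilter
# The page appended "modprobe br_netfilter" to /etc/profile, which only runs on interactive
# logins — after a reboot with no login the module is missing and the sysctls do not apply.
# systemd-modules-load reads this directory at boot instead.
cat > /etc/modules-load.d/k8s.conf <<EOF
br_netfilter
EOF

# Let iptables see bridged traffic and allow forwarding between pods (paths were split on the page).
cat > /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
sysctl -p /etc/sysctl.d/k8s.conf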
加载ipvs 模块
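# Load the IPVS kernel modules kube-proxy needs in ipvs mode, via a helper script that the
# page listed with `cat`. Written here in full so the step is reproducible.
cat > /etc/sysconfig/modules/ipvs.modules <<'EOF'
#!/bin/bash
ipvs_modules="ip_vs ip_vs_lc ip_vs_wlc ip_vs_rr ip_vs_wrr ip_vs_lblc ip_vs_lblcr ip_vs_dh ip_vs_sh ip_vs_nq ip_vs_sed ip_vs_ftp nf_conntrack"
for kernel_module in ${ipvs_modules}; do
  # The page tested `[ 0 -eq 0 ]`, which is always true and ignored modinfo's result; the
  # intent is to modprobe only modules that exist for the running kernel.
  if /sbin/modinfo -F filename "${kernel_module}" > /dev/null 2>&1; then
    /sbin/modprobe "${kernel_module}"
  fi
done
EOF
chmod +x /etc/sysconfig/modules/ipvs.modules
bash /etc/sysconfig/modules/ipvs.modules

# Verify: ip_vs, its scheduler modules and nf_conntrack should be listed.
lsmod | grep ip_vs
# ip_vs_ftp              13079  0
# nf_nat                 26787  1 ip_vs_ftp
# ip_vs_sed              12519  0
# ip_vs_nq               12516  0
# ip_vs_sh               12688  0
# ip_vs_dh               12688  0
# ip_vs_lblcr            12922  0
# ip_vs_lblc             12819  0
# ip_vs_wrr              12697  0
# ip_vs_rr               12600  0
# ip_vs_wlc              12519  0
# ip_vs_lc               12516  0
# ip_vs                 145497  22 ip_vs_dh,ip_vs_lc,ip_vs_nq,ip_vs_rr,ip_vs_sh,ip_vs_ftp,ip_vs_sed,ip_vs_wlc,ip_vs_wrr,ip_vs_lblcr,ip_vs_lblc
# nf_conntrack          133095  2 ip_vs,nf_nat
# libcrc32c              12644  4 xfs,ip_vs,nf_nat,nf_conntrack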
安装containerd
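# containerd is the container runtime the cluster uses (kubeadm.yaml points criSocket at it).
yum install containerd.io-1.6.6 -y
containerd config default > /etc/containerd/config.toml

# The page described three manual edits to config.toml; the same edits, scripted:
# 1. systemd cgroup driver — must match the kubelet's cgroupDriver: systemd in kubeadm.yaml
sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
# 2. pause image from a reachable registry instead of k8s.gcr.io
sed -i 's#sandbox_image = "k8s.gcr.io/pause:3.6"#sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.7"#' /etc/containerd/config.toml
# 3. per-registry host configuration directory (used for the docker.io mirror below)
sed -i 's#config_path = ""#config_path = "/etc/containerd/certs.d"#' /etc/containerd/config.toml

# crictl talks to the same socket (paths were split by extraction on the page).
cat > /etc/crictl.yaml <<EOF
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF

# docker.io mirror hosts. The page wrote both mirrors in one table header, which is not valid
# TOML; each mirror gets its own [host."..."] table. Both are limited to "pull" — they are
# only used to fetch image content, not to resolve tags or push.
mkdir -p /etc/containerd/certs.d/docker.io/
cat > /etc/containerd/certs.d/docker.io/hosts.toml <<'EOF'
[host."https://vh3bm52y.mirror.aliyuncs.com"]
  capabilities = ["pull"]

[host."https://registry.docker-cn.com"]
  capabilities = ["pull"]
EOF

systemctl restart containerd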
配置docker 镜像加速器
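# Registry mirror for the Docker daemon (path was split into "daemon .json" on the page).
# This only affects `docker pull`; image pulls done by the kubelet go through containerd and
# its /etc/containerd/certs.d/docker.io/hosts.toml, configured in the containerd step.
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://g2aogmw8.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker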
配置k8s 仓库
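# Kubernetes yum repo from the Aliyun mirror (path was split into "yum .repos.d" on the page).
# gpgcheck and repo_gpgcheck are both on, so packages and repo metadata are signature-verified
# against the two keys listed, even though they come from a mirror.
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF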
安装k8s
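# Pinned 1.25.0 packages on every node; kubelet is enabled but stays crash-looping until
# kubeadm init/join writes its config.
yum install -y kubelet-1.25.0 kubeadm-1.25.0 kubectl-1.25.0 && systemctl enable kubelet

# Container runtime for crictl (already set by /etc/crictl.yaml in the containerd step; harmless).
crictl config runtime-endpoint /run/containerd/containerd.sock

# kubeadm init configuration. The page generated the defaults with
# `kubeadm config print init-defaults > kubeadm.yaml` and edited them in vim; this is the
# edited result, written directly (split paths like "unix: ///run" restored).
#
# NOTE: the bootstrap token abcdef.0123456789abcdef is the sample value from init-defaults.
# It is accepted by `kubeadm join` for 24h (ttl), so replace it with a fresh one from
# `kubeadm token generate` before running init.
cat > kubeadm.yaml <<'EOF'
apiVersion: kubeadm.k8s.io/v1beta3
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 192.168.10.50 #控制节点IP
  bindPort: 6443 # 端口
nodeRegistration:
  criSocket: unix:///run/containerd/containerd.sock #指定containerd容器运行时
  imagePullPolicy: IfNotPresent
  name: k8s-master
  taints: null
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns: {}
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers #指定阿里云镜像仓库
kind: ClusterConfiguration
kubernetesVersion: 1.25.0
#controlPlaneEndpoint: 192.168.40.199:16443 #高可用vip 端口
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16 #指定pod网段
  serviceSubnet: 10.96.0.0/12
scheduler: {}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs # 设置网络模式
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd # 驱动
EOF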
初始化集群并加入集群
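# --- on k8s-master ---
# Only the SystemVerification preflight (kernel/cgroup checks) is skipped; the rest still run.
kubeadm init --config=kubeadm.yaml --ignore-preflight-errors=SystemVerification
# The tail of the init output (the join line below is copied from it):
# To start using your cluster, you need to run the following as a regular user:
#   mkdir -p $HOME/.kube
#   sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
#   sudo chown $(id -u):$(id -g) $HOME/.kube/config
# Alternatively, if you are the root user, you can run:
#   export KUBECONFIG=/etc/kubernetes/admin.conf
# You should now deploy a pod network to the cluster.
# Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
#   https://kubernetes.io/docs/concepts/cluster-administration/addons/
# Then you can join any number of worker nodes by running the following on each as root:
# kubeadm join 192.168.10.50:6443 --token abcdef.0123456789abcdef \
#     --discovery-token-ca-cert-hash sha256:3965be8b67be6c841add842c788fc4879e2efbe23ad543b68889fef28570fea7

# admin.conf is the cluster-admin credential; the copy is owned by the invoking user.
# The page then also exported KUBECONFIG, which takes precedence over ~/.kube/config —
# one of the two is enough, both are kept as on the page.
mkdir -p "$HOME/.kube"
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
export KUBECONFIG=/etc/kubernetes/admin.conf

# --- on each worker: k8s-node1, then k8s-node2 ---
# --discovery-token-ca-cert-hash pins the cluster CA, so the node only bootstraps against the
# API server that holds that CA, not any host answering on 192.168.10.50:6443.
kubeadm join 192.168.10.50:6443 --token abcdef.0123456789abcdef \
  --discovery-token-ca-cert-hash sha256:3965be8b67be6c841add842c788fc4879e2efbe23ad543b68889fef28570fea7 \
  --ignore-preflight-errors=SystemVerification
# Output on both nodes:
# [preflight] Running pre-flight checks
# [preflight] Reading configuration from the cluster...
# [preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
# [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
# [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
# [kubelet-start] Starting the kubelet
# [kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
# This node has joined the cluster:
# * Certificate signing request was sent to apiserver and a response was received.
# * The Kubelet was informed of the new secure connection details.
# Run 'kubectl get nodes' on the control-plane to see this node join the cluster.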
查看集群状态并给node 打标签
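# On k8s-master. Nodes report NotReady at this point: no pod network is installed yet
# (they turn Ready after the calico step below).
kubectl get nodes
# NAME         STATUS     ROLES           AGE     VERSION
# k8s-master   NotReady   control-plane   7m57s   v1.25.0
# k8s-node1    NotReady   <none>          6m53s   v1.25.0
# k8s-node2    NotReady   <none>          6m11s   v1.25.0

# The ROLES column is derived from node-role.kubernetes.io/<role> label keys; the page labeled
# the two workers one at a time, kubectl label accepts several node names in one call.
kubectl label nodes k8s-node1 k8s-node2 node-role.kubernetes.io/work=work
# node/k8s-node1 labeled
# node/k8s-node2 labeled

kubectl get nodes
# NAME         STATUS     ROLES           AGE     VERSION
# k8s-master   NotReady   control-plane   10m     v1.25.0
# k8s-node1    NotReady   work            9m5s    v1.25.0
# k8s-node2    NotReady   work            8m23s   v1.25.0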
calico.yaml 安装
在线下载配置文件地址是: https://docs.projectcalico.org/manifests/calico.yaml
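# Install the Calico pod network (manifest downloaded from the URL above). The manifest is
# applied with cluster-admin rights and, as the output shows, creates ClusterRoles and a
# DaemonSet on every node — read the downloaded file before applying it, and if it pins a pod
# CIDR keep it consistent with podSubnet 10.244.0.0/16 from kubeadm.yaml.
kubectl apply -f calico.yaml
# configmap/calico-config created
# customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
# customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
# customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
# customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
# customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
# customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
# customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
# customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
# customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
# customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
# customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
# customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
# customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created
# customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
# customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
# clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
# clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
# clusterrole.rbac.authorization.k8s.io/calico-node created
# clusterrolebinding.rbac.authorization.k8s.io/calico-node created
# daemonset.apps/calico-node created
# serviceaccount/calico-node created
# deployment.apps/calico-kube-controllers created
# serviceaccount/calico-kube-controllers created
# poddisruptionbudget.policy/calico-kube-controllers created

# With the network up, every node reports Ready.
kubectl get nodes
# NAME         STATUS   ROLES           AGE   VERSION
# k8s-master   Ready    control-plane   20m   v1.25.0
# k8s-node1    Ready    work            19m   v1.25.0
# k8s-node2    Ready    work            19m   v1.25.0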
测试网络
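# Smoke test of pod networking: an interactive busybox pod (pinned tag, removed on exit via --rm)
# pinging an external name checks in-cluster DNS and egress from the pod network.
kubectl run busybox --image docker.io/library/busybox:1.28 --image-pull-policy=IfNotPresent --restart=Never --rm -it busybox -- sh
# If you don't see a command prompt, try pressing enter.
# / # ping baidu.com
# PING baidu.com (110.242.68.66): 56 data bytes
# 64 bytes from 110.242.68.66: seq=2 ttl=127 time=558.154 ms
# 64 bytes from 110.242.68.66: seq=3 ttl=127 time=334.110 ms
# 64 bytes from 110.242.68.66: seq=4 ttl=127 time=598.778 ms
# ^C
# --- baidu.com ping statistics ---
# 6 packets transmitted, 3 packets received, 50% packet loss
# round-trip min/avg/max = 334.110/497.014/598.778 ms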
草都可以从石头缝隙中长出来更何况你呢