kubeadm搭建K8S集群
作者:@skyflask
转载本文请注明出处:https://www.cnblogs.com/skyflask/p/14620563.html
目录
1. 安装要求
2. 准备环境
3. 安装Docker/kubeadm/kubelet【所有节点】
4. 部署Kubernetes Master
5. 加入Kubernetes Node
6. 部署容器网络(CNI)
7. 测试kubernetes集群
8. 部署 Dashboard
9. 遇到的问题
一、环境准备
kubeadm是官方社区推出的一个用于快速部署kubernetes集群的工具。
这个工具能通过两条指令完成一个kubernetes集群的部署:
# 创建一个 Master 节点
1 | kubeadm init |
# 将一个 Node 节点加入到当前集群中
1 | kubeadm join <Master节点的IP和端口 > |
1. 安装要求
在开始之前,部署Kubernetes集群机器需要满足以下几个条件:
- 一台或多台机器,操作系统 CentOS7.x-86_x64
- 硬件配置:2GB或更多RAM,2个CPU或更多CPU,硬盘30GB或更多
- 集群中所有机器之间网络互通
- 可以访问外网,需要拉取镜像
- 禁止swap分区,swapoff -a 注释/etc/fstab里面关于swap的行
2. 准备环境
| 角色 | IP |
|---|---|
| k8s-master | 10.11.97.193 |
| k8s-node1 | 10.11.99.141 |
关闭防火墙:
1 2 | $ systemctl stop firewalld$ systemctl disable firewalld |
关闭selinux:
1 2 | $ sed -i 's/enforcing/disabled/' /etc/selinux/config # 永久$ setenforce 0 # 临时 |
关闭swap:
1 2 | $ swapoff -a # 临时$ vim /etc/fstab # 永久 |
设置主机名:
1 | $ hostnamectl set-hostname <hostname> |
在master添加hosts:
1 2 3 4 | $ cat >> /etc/hosts << EOF10.11.97.193 k8s-master10.11.99.141 k8s-node1EOF |
将桥接的IPv4流量传递到iptables的链:
1 2 3 4 | $ cat > /etc/sysctl.d/k8s.conf << EOFnet.bridge.bridge-nf-call-ip6tables = 1net.bridge.bridge-nf-call-iptables = 1EOF |
$ sysctl --system # 生效
时间同步:
1 2 | $ yum install ntpdate -y$ ntpdate time.windows.com |
3. 安装Docker/kubeadm/kubelet【所有节点】
Kubernetes默认CRI(容器运行时)为Docker,因此先安装Docker。
3.1 安装Docker
1 2 3 | $ wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo$ yum -y install docker-ce$ systemctl enable docker && systemctl start docker |
配置镜像下载加速器:
1 2 3 4 5 6 7 | $ cat > /etc/docker/daemon.json << EOF{ "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"]}EOF$ systemctl restart docker$ docker info |
3.2 添加阿里云YUM软件源
1 2 3 4 5 6 7 8 9 | $ cat > /etc/yum.repos.d/kubernetes.repo << EOF[kubernetes]name=Kubernetesbaseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64enabled=1gpgcheck=0repo_gpgcheck=0gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpgEOF |
3.3 安装kubeadm,kubelet和kubectl
由于版本更新频繁,这里指定版本号部署:
1 2 | $ yum install -y kubelet-1.19.0 kubeadm-1.19.0 kubectl-1.19.0$ systemctl enable kubelet |
4. 部署Kubernetes Master
1 2 3 | https://kubernetes.io/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-filehttps://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#initializing-your-control-plane-node |
在master上执行:
1 2 3 4 5 6 7 | $ kubeadm init \ --apiserver-advertise-address=10.11.97.193 \ --image-repository registry.aliyuncs.com/google_containers \ --kubernetes-version v1.19.0 \ --service-cidr=10.96.0.0/12 \ --pod-network-cidr=10.245.0.0/16 \ --ignore-preflight-errors=all |
- --apiserver-advertise-address 集群通告地址
- --image-repository 由于默认拉取镜像地址k8s.gcr.io国内无法访问,这里指定阿里云镜像仓库地址
- --kubernetes-version K8s版本,与上面安装的一致
- --service-cidr 集群内部虚拟网络,Pod统一访问入口
- --pod-network-cidr Pod网络,,与下面部署的CNI网络组件yaml中保持一致
或者使用配置文件引导:
1 2 3 4 5 6 7 8 9 10 | $ vi kubeadm.confapiVersion: kubeadm.k8s.io/v1beta2kind: ClusterConfigurationkubernetesVersion: v1.18.0imageRepository: registry.aliyuncs.com/google_containersnetworking: podSubnet: 10.245.0.0/16 serviceSubnet: 10.96.0.0/12$ kubeadm init --config kubeadm.conf --ignore-preflight-errors=all |
安装过程:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 | [root@k8s-node3 ~]# kubeadm init \> --apiserver-advertise-address=10.11.97.193 \> --image-repository registry.aliyuncs.com/google_containers \> --kubernetes-version v1.19.0 \> --service-cidr=10.96.0.0/12 \> --pod-network-cidr=10.245.0.0/16 \> --ignore-preflight-errors=allW0404 15:15:58.088052 1450 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io][init] Using Kubernetes version: v1.19.0[preflight] Running pre-flight checks [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/ [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 20.10.5. Latest validated version: 19.03[preflight] Pulling images required for setting up a Kubernetes cluster[preflight] This might take a minute or two, depending on the speed of your internet connection[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'[certs] Using certificateDir folder "/etc/kubernetes/pki"[certs] Generating "ca" certificate and key[certs] Generating "apiserver" certificate and key[certs] apiserver serving cert is signed for DNS names [k8s-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 10.11.97.193][certs] Generating "apiserver-kubelet-client" certificate and key[certs] Generating "front-proxy-ca" certificate and key[certs] Generating "front-proxy-client" certificate and key[certs] Generating "etcd/ca" certificate and key[certs] Generating "etcd/server" certificate and key[certs] etcd/server serving cert is signed for DNS names [k8s-master localhost] and IPs [10.11.97.193 127.0.0.1 ::1][certs] Generating "etcd/peer" certificate and key[certs] etcd/peer serving cert is signed for DNS names [k8s-master localhost] and IPs [10.11.97.193 127.0.0.1 ::1][certs] Generating "etcd/healthcheck-client" certificate and key[certs] Generating "apiserver-etcd-client" certificate and key[certs] Generating "sa" key and public key[kubeconfig] Using kubeconfig folder "/etc/kubernetes"[kubeconfig] Writing "admin.conf" kubeconfig file[kubeconfig] Writing "kubelet.conf" kubeconfig file[kubeconfig] Writing "controller-manager.conf" kubeconfig file[kubeconfig] Writing "scheduler.conf" kubeconfig file[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"[kubelet-start] Starting the kubelet[control-plane] Using manifest folder "/etc/kubernetes/manifests"[control-plane] Creating static Pod manifest for "kube-apiserver"[control-plane] Creating static Pod manifest for "kube-controller-manager"[control-plane] Creating static Pod manifest for "kube-scheduler"[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s[apiclient] All control plane components are healthy after 19.516063 seconds[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace[kubelet] Creating a ConfigMap "kubelet-config-1.19" in namespace kube-system with the configuration for the kubelets in the cluster[upload-certs] Skipping phase. Please see --upload-certs[mark-control-plane] Marking the node k8s-master as control-plane by adding the label "node-role.kubernetes.io/master=''"[mark-control-plane] Marking the node k8s-master as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule][bootstrap-token] Using token: 9ibx2w.7lr713ygq3q6fz5d[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to get nodes[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key[addons] Applied essential addon: CoreDNS[addons] Applied essential addon: kube-proxyYour Kubernetes control-plane has initialized successfully!To start using your cluster, you need to run the following as a regular user: mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/configYou should now deploy a pod network to the cluster.Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at: https://kubernetes.io/docs/concepts/cluster-administration/addons/Then you can join any number of worker nodes by running the following on each as root:kubeadm join 10.11.97.193:6443 --token 9ibx2w.7lr713ygq3q6fz5d \ --discovery-token-ca-cert-hash sha256:292e77baeb776c807f797812616215e018a384beefec1dc1fc5f164951ca0b7d [root@k8s-node3 ~]# |
拷贝kubectl使用的连接k8s认证文件到默认路径:
1 2 3 4 5 6 | mkdir -p $HOME/.kubesudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/configsudo chown $(id -u):$(id -g) $HOME/.kube/config$ kubectl get nodesNAME STATUS ROLES AGE VERSIONk8s-master Ready master 2m v1.18.0 |
5. 加入Kubernetes Node
在10.11.99.141上(Node)执行。
向集群添加新节点,执行在kubeadm init输出的kubeadm join命令:
1 | kubeadm join 10.11.97.193:6443 --token 9ibx2w.7lr713ygq3q6fz5d --discovery-token-ca-cert-hash sha256:292e77baeb776c807f797812616215e018a384beefec1dc1fc5f164951ca0b7d |
默认token有效期为24小时,当过期之后,该token就不可用了。这时就需要重新创建token,操作如下:
1 2 3 4 5 6 | $ kubeadm token create$ kubeadm token list$ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'63bca849e0e01691ae14eab449570284f0c3ddeea590f8da988c07fe2729e924kubeadm join 10.11.97.193:6443 --token 9ibx2w.7lr713ygq3q6fz5d --discovery-token-ca-cert-hash sha256:292e77baeb776c807f797812616215e018a384beefec1dc1fc5f164951ca0b7d |
或者直接命令快捷生成:kubeadm token create --print-join-command
1 | https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-join/ |
6. 部署容器网络(CNI)
注意:只需要部署下面其中一个,推荐Calico。
Calico是一个纯三层的数据中心网络方案,Calico支持广泛的平台,包括Kubernetes、OpenStack等。
Calico 在每一个计算节点利用 Linux Kernel 实现了一个高效的虚拟路由器( vRouter) 来负责数据转发,而每个 vRouter 通过 BGP 协议负责把自己上运行的 workload 的路由信息向整个 Calico 网络内传播。
此外,Calico 项目还实现了 Kubernetes 网络策略,提供ACL功能。
https://docs.projectcalico.org/getting-started/kubernetes/quickstart
1 | wget https://docs.projectcalico.org/manifests/calico.yaml |
下载完后还需要修改里面定义Pod网络(CALICO_IPV4POOL_CIDR),与前面kubeadm init指定的一样
修改完后应用清单:
1 2 | $ kubectl apply -f calico.yaml$ kubectl get pods -n kube-system |
7. 测试kubernetes集群
- 验证Pod工作
- 验证Pod网络通信
- 验证DNS解析
在Kubernetes集群中创建一个pod,验证是否正常运行:
1 2 3 | $ kubectl create deployment nginx --image=nginx$ kubectl expose deployment nginx --port=80 --type=NodePort$ kubectl get pod,svc |
8. 部署 Dashboard
1 | wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml |
默认Dashboard只能集群内部访问,修改Service为NodePort类型,暴露到外部
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | $ vi recommended.yaml...kind: ServiceapiVersion: v1metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kubernetes-dashboardspec: ports: - port: 443 targetPort: 8443 nodePort: 30001 selector: k8s-app: kubernetes-dashboard type: NodePort...$ kubectl apply -f recommended.yaml$ kubectl get pods -n kubernetes-dashboardNAME READY STATUS RESTARTS AGEdashboard-metrics-scraper-6b4884c9d5-gl8nr 1/1 Running 0 13mkubernetes-dashboard-7f99b75bf4-89cds 1/1 Running 0 13m |
访问地址:https://NodeIP:30001
创建service account并绑定默认cluster-admin管理员集群角色:
1 2 3 4 5 6 | # 创建用户$ kubectl create serviceaccount dashboard-admin -n kube-system# 用户授权$ kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin# 获取用户Token$ kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}') |
使用输出的token登录Dashboard。
9. 遇到的问题
calico插件启动后,发现pod之间网络无法通讯,查看calico的pod不为ready状态:
经查看日志:
1 | Readiness probe failed: caliconode is not ready: BIRD is not ready: BGP not established with 10.11.99.144. |
BGP无法建立连接。
解决方法:指定出口网卡。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | /*调整calicao 网络插件的网卡发现机制,修改IP_AUTODETECTION_METHOD对应的value值。官方提供的yaml文件中,ip识别策略(IPDETECTMETHOD)没有配置,即默认为first-found,这会导致一个网络异常的ip作为nodeIP被注册,<br>从而影响node-to-node mesh。我们可以修改成can-reach或者interface的策略,尝试连接某一个Ready的node的IP,以此选择出正确的IP。*/// calico.yaml 文件添加以下二行 - name: IP_AUTODETECTION_METHOD value: "interface=eth0" // 配置如下 # Cluster type to identify the deployment type - name: CLUSTER_TYPE value: "k8s,bgp" # Specify interface - name: IP_AUTODETECTION_METHOD value: "interface=eth0" # Auto-detect the BGP IP address. - name: IP value: "autodetect" # Enable IPIP - name: CALICO_IPV4POOL_IPIP value: "Always" # Enable or Disable VXLAN on the default IP pool. - name: CALICO_IPV4POOL_VXLAN value: "Never" |
修改参数后,重建pod,恢复正常:
分类:
kubernetes
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 从 HTTP 原因短语缺失研究 HTTP/2 和 HTTP/3 的设计差异
· AI与.NET技术实操系列:向量存储与相似性搜索在 .NET 中的实现
· 基于Microsoft.Extensions.AI核心库实现RAG应用
· Linux系列:如何用heaptrack跟踪.NET程序的非托管内存泄露
· 开发者必知的日志记录最佳实践
· winform 绘制太阳,地球,月球 运作规律
· AI与.NET技术实操系列(五):向量存储与相似性搜索在 .NET 中的实现
· 超详细:普通电脑也行Windows部署deepseek R1训练数据并当服务器共享给他人
· 上周热点回顾(3.3-3.9)
· AI 智能体引爆开源社区「GitHub 热点速览」