您好,登錄后才能下訂單哦!
這篇文章主要介紹“kubernetes環境的搭建步驟”,在日常操作中,相信很多人在kubernetes環境的搭建步驟問題上存在疑惑,小編查閱了各式資料,整理出簡單好用的操作方法,希望對大家解答”kubernetes環境的搭建步驟”的疑惑有所幫助!接下來,請跟著小編一起來學習吧!
部署集群沒有特殊說明均使用 root 用戶執行命令
IP | HOSTNAME | MEM | DISK | EXPLAIN |
---|---|---|---|---|
192.168.1.61 | k8s-master | 8G | 40G | k8s 控制平臺節點 |
192.168.1.154 | k8s-node1 | 16G | 40G | k8s 工作節點1 |
192.168.1.62 | k8s-node2 | 16G | 40G | k8s 工作節點2 |
192.168.1.207 | k8s-node3 | 16G | 40G | k8s 工作節點3 |
SoftWare | Version |
---|---|
CentOS | CentOS Linux release 8.2.2004 (Core) |
Kubernetes | v1.20.1 |
Docker | v20.10.1 |
Purpose | Commands |
---|---|
保證集群各節點互通 | ping -c <ip> |
保證MAC地址唯一 | ip link 或者 ifconfig -a |
保證集群內主機名唯一 | 查詢 hostnamectl status , 或者 hostnamectl set-hostname <hostnaem> |
保證系統產品UUID唯一 | dmidecode -s system-uuid 或者 sudo cat /sys/class/dmi/id/product_uuid |
# 修改MAC地址參考命令如下: # 1、關閉網卡 ifconfig eth0 down # 2、修改mac ifconfig eth0 hw ether 00:E0:18:EE:ED # 3、開啟網卡 ifconfig eth0 up
?如果 product_uuid 不唯一,請考慮重裝 CentOS 系統!!
k8s-master 節點端口檢查:
協議 | 方向 | 端口范圍 | 作用 | 使用者 |
---|---|---|---|---|
TCP | 入站 | 6443* | Kubernetes API 服務器 | 所有組件 |
TCP | 入站 | 2379-2380 | etcd server client API | kube-apiserver,etcd |
TCP | 入站 | 10250 | Kubelet API | Kubelet 自身、控制平面組件 |
TCP | 入站 | 10251 | Kube-scheduler | kube-scheduler 組件 |
TCP | 入站 | 10252 | kube-controller-manager | kube-controller-manager 組件 |
k8s-node* 節點端口檢查:
協議 | 方向 | 端口范圍 | 作用 | 使用者 |
---|---|---|---|---|
TCP | 入站 | 10250 | Kubelet-API | kubelet 組件、控制平面組件 |
TCP | 入站 | 30000-32767 | NodePort服務*** | 所有組件 |
如果你對主機的防火墻配置不是很自信,則可以關掉防火墻:
systemctl disable --now firewalld 或者清除 iptables 規則(iptables -F)【慎用】
分別在各節點配置 hosts 映射:
cat >> /etc/hosts <<EOF 192.168.1.61 k8s-master 192.168.1.154 k8s-node1 192.168.1.62 k8s-node2 192.168.1.207 k8s-node3 EOF
K8s-master 生成 ssh 密鑰,分發公鑰到各節點:
# 生成 ssh 密鑰,直接一路回車 ssh-keygen -t rsa # 復制剛剛生成的密鑰到各節點可信列表中,需分別輸入各主機密碼 ssh-copy-id root@k8s-master ssh-copy-id root@k8s-node1 ssh-copy-id root@k8s-node2 ssh-copy-id root@k8s-node3
swap 僅當內存不夠時會使用硬盤塊充當額外內存,硬盤的IO較內存差距極大,禁用swap以提供性能,各節點均需執行:
swapoff -a sed -i 's/.*swap.*/#&/' /etc/fstab
關閉SELinux,否則kubelet 掛載目錄時可能報錯 Permission denied
,可以設置為permissive
或disabled
,permissive
會提示warn信息 ,各節點均需執行:
setenforce 0 sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
timedatectl set-timezone Asia/Shanghai systemctl enable --now chronyd # 查看同步狀態, 輸出 [root@ecs-2aae ~]# timedatectl status Local time: Sun 2020-12-27 21:59:02 CST Universal time: Sun 2020-12-27 13:59:02 UTC RTC time: Sun 2020-12-27 13:58:31 Time zone: Asia/Shanghai (CST, +0800) System clock synchronized: yes NTP service: active RTC in local TZ: no [root@ecs-2aae ~]# ## # systemctl clok synchronronize: yes 表示時鐘已同步 # NTP service: active 表示開啟了時鐘同步服務 ############################################################# # 將當前的 UTC 時間寫入硬件時鐘 timedatectl set-local-rtc 0 # 重啟依賴于系統時間的服務器 systemctl restart rsyslog && systemctl restart crond
所有節點均需安裝部署 docker, 可參見《CentOS8 安裝docker》
無特殊說明,各節點均需執行如下步驟
cat <<EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=0 repo_gpgcheck=0 EOF
各節點均需安裝 kubeadm、kubelet,kubectl僅 k8s-master 節點續約安裝(作為 worker 節點, kubectl 無法使用, 可以不裝)
yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes systemctl enable --now kubelet
#安裝bash自動補全插件 yum install bash-completion -y #設置kubectl與kubeadm命令補全,下次login生效 kubectl completion bash > /etc/bash_completion.d/kubectl kubeadm completion bash > /etc/bash_completion.d/kubeadm
由于國內網絡因素,kubernetes鏡像需要從mirrors站點或通過dockerhub用戶推送的鏡像拉取:
#查看指定k8s版本需要哪些鏡像 [root@ecs-2aae ~]# kubeadm config images list k8s.gcr.io/kube-apiserver:v1.20.1 k8s.gcr.io/kube-controller-manager:v1.20.1 k8s.gcr.io/kube-scheduler:v1.20.1 k8s.gcr.io/kube-proxy:v1.20.1 k8s.gcr.io/pause:3.2 k8s.gcr.io/etcd:3.4.13-0 k8s.gcr.io/coredns:1.7.0 [root@ecs-2aae ~]#
在 /opt/soft/kuberetes
目錄下,新建腳本pull-k8s-images.sh
,內容如下:
#!/bin/bash # Script For Quick Pull K8S Docker Images # by WUXH <wuxiaohui1026@163.com> KUBE_VERSION=v1.20.1 PAUSE_VERSION=3.2 CORE_DNS_VERSION=1.7.0 ETCD_VERSION=3.4.13-0 # pull kubernetes images from hub.docker.com docker pull kubeimage/kube-proxy:$KUBE_VERSION docker pull kubeimage/kube-controller-manager:$KUBE_VERSION docker pull kubeimage/kube-apiserver:$KUBE_VERSION docker pull kubeimage/kube-scheduler:$KUBE_VERSION # pull aliyuncs mirror docker images docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:$PAUSE_VERSION docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:$CORE_DNS_VERSION docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:$ETCD_VERSION # retag to k8s.gcr.io prefix docker tag kubeimage/kube-proxy:$KUBE_VERSION k8s.gcr.io/kube-proxy:$KUBE_VERSION docker tag kubeimage/kube-controller-manager:$KUBE_VERSION k8s.gcr.io/kube-controller-manager:$KUBE_VERSION docker tag kubeimage/kube-apiserver:$KUBE_VERSION k8s.gcr.io/kube-apiserver:$KUBE_VERSION docker tag kubeimage/kube-scheduler:$KUBE_VERSION k8s.gcr.io/kube-scheduler:$KUBE_VERSION docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/pause:$PAUSE_VERSION k8s.gcr.io/pause:$PAUSE_VERSION docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:$CORE_DNS_VERSION k8s.gcr.io/coredns:$CORE_DNS_VERSION docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:$ETCD_VERSION k8s.gcr.io/etcd:$ETCD_VERSION # untag origin tag, the images won't be delete. docker rmi kubeimage/kube-proxy:$KUBE_VERSION docker rmi kubeimage/kube-controller-manager:$KUBE_VERSION docker rmi kubeimage/kube-apiserver:$KUBE_VERSION docker rmi kubeimage/kube-scheduler:$KUBE_VERSION docker rmi registry.cn-hangzhou.aliyuncs.com/google_containers/pause:$PAUSE_VERSION docker rmi registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:$CORE_DNS_VERSION docker rmi registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:$ETCD_VERSION
腳本添加可執行權限,執行腳本拉取鏡像:
chmod +x pull-k8s-images.sh ./opt/soft/kuberetes/pull-k8s-images.sh
拉取完成,執行 docker images
查看鏡像:
kubeadm init --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.20.1 --pod-network-cidr 10.244.0.0/16
輸出如下:
[root@ecs-2aae ~]# kubeadm init --image-repository=registry.aliyuncs.com/google_containers --pod-network-cidr=10.244.0.0/16 --kubernetes-version=v1.20.1 [init] Using Kubernetes version: v1.20.1 [preflight] Running pre-flight checks [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/ [WARNING FileExisting-tc]: tc not found in system path [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 20.10.1. Latest validated version: 19.03 [preflight] Pulling images required for setting up a Kubernetes cluster [preflight] This might take a minute or two, depending on the speed of your internet connection [preflight] You can also perform this action in beforehand using 'kubeadm config images pull' [certs] Using certificateDir folder "/etc/kubernetes/pki" [certs] Generating "ca" certificate and key [certs] Generating "apiserver" certificate and key [certs] apiserver serving cert is signed for DNS names [ecs-2aae kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.1.61] [certs] Generating "apiserver-kubelet-client" certificate and key [certs] Generating "front-proxy-ca" certificate and key [certs] Generating "front-proxy-client" certificate and key [certs] Generating "etcd/ca" certificate and key [certs] Generating "etcd/server" certificate and key [certs] etcd/server serving cert is signed for DNS names [ecs-2aae localhost] and IPs [192.168.1.61 127.0.0.1 ::1] [certs] Generating "etcd/peer" certificate and key [certs] etcd/peer serving cert is signed for DNS names [ecs-2aae localhost] and IPs [192.168.1.61 127.0.0.1 ::1] [certs] Generating "etcd/healthcheck-client" certificate and key [certs] Generating "apiserver-etcd-client" certificate and key [certs] Generating "sa" key and public key [kubeconfig] Using kubeconfig folder "/etc/kubernetes" [kubeconfig] Writing "admin.conf" kubeconfig file [kubeconfig] Writing "kubelet.conf" kubeconfig file [kubeconfig] Writing "controller-manager.conf" kubeconfig file [kubeconfig] Writing "scheduler.conf" kubeconfig file [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env" [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" [kubelet-start] Starting the kubelet [control-plane] Using manifest folder "/etc/kubernetes/manifests" [control-plane] Creating static Pod manifest for "kube-apiserver" [control-plane] Creating static Pod manifest for "kube-controller-manager" [control-plane] Creating static Pod manifest for "kube-scheduler" [etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests" [wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s [apiclient] All control plane components are healthy after 7.501971 seconds [upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace [kubelet] Creating a ConfigMap "kubelet-config-1.20" in namespace kube-system with the configuration for the kubelets in the cluster [upload-certs] Skipping phase. Please see --upload-certs [mark-control-plane] Marking the node ecs-2aae as control-plane by adding the labels "node-role.kubernetes.io/master=''" and "node-role.kubernetes.io/control-plane='' (deprecated)" [mark-control-plane] Marking the node ecs-2aae as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule] [bootstrap-token] Using token: xksx1a.t09ok8h7w6ixnyva [bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to get nodes [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials [bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token [bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster [bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace [kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key [addons] Applied essential addon: CoreDNS [addons] Applied essential addon: kube-proxy Your Kubernetes control-plane has initialized successfully! To start using your cluster, you need to run the following as a regular user: mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config Alternatively, if you are the root user, you can run: export KUBECONFIG=/etc/kubernetes/admin.conf You should now deploy a pod network to the cluster. Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at: https://kubernetes.io/docs/concepts/cluster-administration/addons/ Then you can join any number of worker nodes by running the following on each as root: kubeadm join 192.168.1.61:6443 --token 379rcy.4k2gsoggyjxzo4u9 \ --discovery-token-ca-cert-hash sha256:a8f563cd1c742fa64eef6db0420401ecb57556281199989449f872da9f50609f [root@ecs-2aae ~]#
可能故障
故障1:k8s node節點加入集群報錯[WARNING IsDockerSystemdCheck]: detected “cgroupfs“ as the Docker cgroup driver. # 解決 cat <<EOF> /etc/docker/daemon.json { "exec-opts": ["native.cgroupdriver=systemd"] } EOF #重啟docker systemctl restart docker
為日常使用集群的用戶添加kubectl使用權限,配置master認證
[root@ecs-2aae ~]# mkdir -p ~/.kube [root@ecs-2aae ~]# cp -i /etc/kubernetes/admin.conf ~/.kube/admin.conf [root@ecs-2aae ~]# chown $(id -u):$(id -g) ~/.kube/admin.conf [root@ecs-2aae ~]# echo 'export KUBECONFIG=/etc/kubernetes/admin.conf' >> /etc/profile [root@ecs-2aae ~]# . /etc/profile
安裝網絡組件,以flannel為例
[root@k8s-master ~]# kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml podsecuritypolicy.policy/psp.flannel.unprivileged created clusterrole.rbac.authorization.k8s.io/flannel created clusterrolebinding.rbac.authorization.k8s.io/flannel created serviceaccount/flannel created configmap/kube-flannel-cfg created daemonset.apps/kube-flannel-ds created [root@k8s-master ~]#
這句話其實就是Master節點執行kubeadm init
成功之后輸出的最后一句話,我們拿到Node節點中直接執行即可
kubeadm join 192.168.1.61:6443 --token 379rcy.4k2gsoggyjxzo4u9 \ --discovery-token-ca-cert-hash sha256:a8f563cd1c742fa64eef6db0420401ecb57556281199989449f872da9f50609f
輸出:
[root@k8s-node1 ~]# kubeadm join 192.168.1.61:6443 --token 379rcy.4k2gsoggyjxzo4u9 --discovery-token-ca-cert-hash sha256:a8f563cd1c742fa64eef6db0420401ecb57556281199989449f872da9f50609f [preflight] Running pre-flight checks [WARNING FileExisting-tc]: tc not found in system path [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 20.10.1. Latest validated version: 19.03 [preflight] Reading configuration from the cluster... [preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env" [kubelet-start] Starting the kubelet [kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap... This node has joined the cluster: ### 節點加入成功啦 * Certificate signing request was sent to apiserver and a response was received. * The Kubelet was informed of the new secure connection details. Run 'kubectl get nodes' on the control-plane to see this node join the cluster. [root@k8s-node1 ~]#
[root@k8s-master ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION k8s-master Ready control-plane,master 67m v1.20.1 k8s-node1 Ready <none> 40m v1.20.1 k8s-node2 Ready <none> 32m v1.20.1 k8s-node3 Ready <none> 30m v1.20.1 [root@k8s-master ~]#
?: 如果節點是 NoReady 狀態,可以稍微等一會兒,集群節點會自動拉起 flannel 鏡像,由于網絡可能稍慢!!
到此,關于“kubernetes環境的搭建步驟”的學習就結束了,希望能夠解決大家的疑惑。理論與實踐的搭配能更好的幫助大家學習,快去試試吧!若想繼續學習更多相關知識,請繼續關注億速云網站,小編會繼續努力為大家帶來更多實用的文章!
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。