Kubeadm
一、kubeadm部署思路
kubeadm init:在使用kubeadm方式安装K8S集群时,可根据初始化配置文件或者配置参数选项快速地初始化生成一个K8S的master管理平台
kubeadm join:根据kubeadm init初始化的提示信息快速的将一个node节点或者其它master节点加入到K8S集群中
1)所有节点进行初始化,安装 容器运行时、kubeadm、kubelet、kubectl;
2)执行 kubeadm config print init-defaults 命令生成集群初始化配置文件并进行修改;
3)执行 kubeadm init 命令根据初始化配置文件初始化生成K8S master控制管理节点;
4)安装 cni 网络插件(flannel/calico);
5)在其它节点执行 kubeadm join 命令将将node节点或者其它master节点加入到K8S集群中。
二、基本架构
2.1 资源分配
| Server | IP | Components |
|---|---|---|
| Master01 | 192.168.2.100 | docker kubeadm kubelet kubectl flannel |
| Master02 | 192.168.2.102 | |
| Master03 | 192.168.2.103 | |
| Node01 | 192.168.2.105 | docker kubeadm kubelet kubectl flannel |
| Node02 | 192.168.2.106 | docker kubeadm ubelet kubectl flannel |
| Harbor | 192.168.2.104 | docker docker-compose harbor-offline-v1.2.2 |
1、在所有节点上安装Docker和kubeadm
2、部署Kubernetes Master
3、部署容器网络插件
4、部署 Kubernetes Node,将节点加入Kubernetes集群中
5、部署 Dashboard Web 页面,可视化查看Kubernetes资源
6、部署 Harbor 私有仓库,存放镜像资源
2.2 系统初始化操作(所有节点)
2.2.1关闭防火墙、selinux和swap分区
1、关闭防火墙和selinux
#关闭防火墙
systemctl disable firewalld --now
#关闭selinux
setenforce 0
sed -i 's/enforcing/disabled/' /etc/selinux/config
iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X
2、关闭交换分区
交换分区必须要关闭。
K8s的各个组件和容器都需要足够的内存来运行,而Swap的使用可能导致性能下降,甚至是应用程序的奔溃。
关闭Swap可以确保集群的可预测性和稳定性,避免不必要的磁盘交换。
swapoff -a
sed -ri 's/.*swap.*/#&/' /etc/fstab
#永久关闭swap分区,&符号在sed命令中代表上次匹配的结果
2.2.2 修改主机名,添加域名映射
1、修改主机名
hostnamectl set-hostname master01
hostnamectl set-hostname master02
hostnamectl set-hostname master03
hostnamectl set-hostname node01
hostnamectl set-hostname node02
2、修改本地hosts文件
vim /etc/hosts
192.168.2.100 master01
192.168.2.102 master02
192.168.2.103 master03
192.168.2.105 node01
192.168.2.106 node02
2.2.3 内核相关
1、内核升级
wget http://193.49.22.109/elrepo/kernel/el7/x86_64/RPMS/kernel-ml-devel-4.19.12-1.el7.elrepo.x86_64.rpm -O /opt/kernel-ml-devel-4.19.12-1.el7.elrepo.x86_64.rpm
wget http://193.49.22.109/elrepo/kernel/el7/x86_64/RPMS/kernel-ml-4.19.12-1.el7.elrepo.x86_64.rpm -O /opt/kernel-ml-4.19.12-1.el7.elrepo.x86_64.rpm
cd /opt/
yum localinstall -y kernel-ml*
#更改内核启动方式
grub2-set-default 0 && grub2-mkconfig -o /etc/grub2.cfg
grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"
grubby --default-kernel
reboot
2、调整内核参数
cat > /etc/sysctl.d/k8s.conf <<EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
fs.may_detach_mounts = 1
vm.overcommit_memory=1
vm.panic_on_oom=0
fs.inotify.max_user_watches=89100
fs.file-max=52706963
fs.nr_open=52706963
net.netfilter.nf_conntrack_max=2310720
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl =15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 327680
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.ip_conntrack_max = 65536
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_timestamps = 0
net.core.somaxconn = 16384
EOF
#生效参数
sysctl --system
3、所有节点实现Linux的资源限制
vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
* soft nproc 65535
* hard nproc 655350
* soft memlock unlimited
* hard memlock unlimited
2.2.4 加载ip_vs模块
#加载 ip_vs 模块
for i in $(ls /usr/lib/modules/$(uname -r)/kernel/net/netfilter/ipvs|grep -o "^[^.]*");do echo $i; /sbin/modinfo -F filename $i >/dev/null 2>&1 && /sbin/modprobe $i;done
2.2.5 时间同步
#通过ntp
yum -y install ntpdate
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
#修改时区
echo 'Asia/Shanghai' >/etc/timezone
#时间同步
ntpdate time2.aliyun.com
systemctl enable --now crond
crontab -e
*/30 * * * * /usr/sbin/ntpdate time2.aliyun.com
2.3 内核升级(可选)
wget http://193.49.22.109/elrepo/kernel/el7/x86_64/RPMS/kernel-ml-devel-4.19.12-1.el7.elrepo.x86_64.rpm -O /opt/kernel-ml-devel-4.19.12-1.el7.elrepo.x86_64.rpm
wget http://193.49.22.109/elrepo/kernel/el7/x86_64/RPMS/kernel-ml-4.19.12-1.el7.elrepo.x86_64.rpm -O /opt/kernel-ml-4.19.12-1.el7.elrepo.x86_64.rpm
cd /opt/
yum localinstall -y kernel-ml*
#更改内核启动方式
grub2-set-default 0 && grub2-mkconfig -o /etc/grub2.cfg
grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"
grubby --default-kernel
reboot
三、部署docker
3.1 通过yum安装docker(所有节点)
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io
3.2 修改相关配置并启动docker
配置镜像加速,修改默认Cgroupdriver,修改日志存储格式。
1)使用Systemd管理的Cgroup来进行资源控制与管理,因为相对Cgroupfs而言,Systemd限制CPU、内存等资源更加简单和成熟稳定。
2)日志使用json-file格式类型存储,大小为100M,保存在/var/log/containers目录下,方便ELK等日志系统收集和管理日志。
cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors": ["https://k2anw3oh.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "500m", "max-file": "3"
}
}
EOF
systemctl daemon-reload
systemctl restart docker.service
systemctl enable docker.service --now
docker info | grep "Cgroup Driver"
四、 部署Kurbernetes的相关工具
4.1 相关工具简介
-
Kubeadm:作为部署工具,kubeadm可用于在裸机或云环境上快速部署整个Kubernetes集群。
它负责初始化主节点并启动其他节点,配置网络和认证,并确保集群的基本功能正常。 -
Kubelet:kubelet是在每个节点上运行的管理代理,负责启动、停止和监控容器,并与主控节点的API服务器进行通信。
kubelet还负责协调容器的调度、资源管理和容器的生命周期。 -
Kubectl:kubectl是与Kubernetes集群交互的命令行工具。
通过kubectl,可以执行各种操作,包括创建和管理应用程序、查看和修改集群资源、启动和停止Pod等。
kubectl是管理Kubernetes集群的主要工具之一。
4.2 安装kubeadm,kubelet和kubectl(所有节点)
#定义kubernetes源
cat > /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
#安装
yum install -y kubelet-1.20.15 kubeadm-1.20.15 kubectl-1.20.15
#配置Kubelet使用阿里云的pause镜像
cat > /etc/sysconfig/kubelet <<EOF
KUBELET_EXTRA_ARGS="--cgroup-driver=systemd --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.2"
EOF
#开机自启kubelet
systemctl enable kubelet.service --now
#K8S通过kubeadm安装出来以后都是以Pod方式存在,即底层是以容器方式运行,所以kubelet必须设置开机自启
五、高可用组件安装、配置
5.1 部署 Haproxy(所有 master 节点)
#yum安装haproxy
yum -y install haproxy
#修改配置文件
cat > /etc/haproxy/haproxy.cfg << EOF
global
log 127.0.0.1 local0 info
log 127.0.0.1 local1 warning
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
defaults
mode tcp
log global
option tcplog
option dontlognull
option redispatch
retries 3
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s
maxconn 3000
frontend monitor-in
bind *:33305
mode http
option httplog
monitor-uri /monitor
frontend k8s-master
bind *:6444
mode tcp
option tcplog
default_backend k8s-master
backend k8s-master
mode tcp
option tcplog
option tcp-check
balance roundrobin
server k8s-master1 192.168.2.100:6443 check inter 10000 fall 2 rise 2 weight 1
server k8s-master2 192.168.2.102:6443 check inter 10000 fall 2 rise 2 weight 1
server k8s-master3 192.168.2.103:6443 check inter 10000 fall 2 rise 2 weight 1
EOF
5.2 部署Keepalived(所有 master 节点)
yum -y install keepalived
cd /etc/keepalived/
vim keepalived.conf
! Configuration File for keepalived
global_defs {
router_id LVS_HA1 #路由标识符,每个节点配置不同
}
vrrp_script chk_haproxy {
script "/etc/keepalived/check_haproxy.sh"
interval 2
weight 2
}
vrrp_instance VI_1 {
state MASTER #本机实例状态,MASTER/BACKUP,备机配置文件中设置BACKUP
interface ens33
virtual_router_id 51
priority 100 #本机初始权重,备机设置小于主机的值
advert_int 1
virtual_ipaddress {
192.168.2.200 #设置VIP地址
}
track_script {
chk_haproxy
}
}
5.3 编写状态监控脚本,启动haproxy和keepalived
vim /etc/keepalived/check_haproxy.sh
#!/bin/bash
if ! killall -0 haproxy; then
systemctl stop keepalived
fi
systemctl enable --now haproxy
systemctl enable --now keepalived
#观察VIP
ip a
六、部署Kurbernetes集群
6.1 设置集群初始化配置文件(master01 节点)
#生成配置模板,包含默认的 Kubernetes 集群配置
kubeadm config print init-defaults > /opt/kubeadm-config.yaml
cd /opt/
#修改配置文件
vim kubeadm-config.yaml
......
11 localAPIEndpoint:
12 advertiseAddress: 192.168.2.100 #指定当前master节点的IP地址
13 bindPort: 6443
21 apiServer:
22 certSANs: #在apiServer属性下面添加一个certsSANs的列表,添加所有master节点的IP地址和集群VIP地址
23 - 192.168.2.200
24 - 192.168.2.100
25 - 192.168.2.102
26 - 192.168.2.103
30 clusterName: kubernetes
31 controlPlaneEndpoint: "192.168.2.200:6444" #指定集群VIP地址
32 controllerManager: {
}
38 imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers #指定镜像下载地址
39 kind: ClusterConfiguration
40 kubernetesVersion: v1.20.15 #指定kubernetes版本号
41 networking:
42 dnsDomain: cluster.local
43 podSubnet: "10.244.0.0/16" #指定pod网段,10.244.0.0/16用于匹配flannel默认网段,指定service网段
44 serviceSubnet: 10.96.0.0/16 #指定service网段
45 scheduler: {
}
#末尾再添加以下内容
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs #把默认的kube-proxy调度方式改为ipvs模式
#更新集群初始化配置文件
kubeadm config migrate --old-config kubeadm-config.yaml --new-config new.yaml
6.2 所有节点拉取镜像
#拷贝yaml配置文件给其他主机,通过配置文件进行拉取镜像
for i in master02 master03 node01 node02; do scp /opt/new.yaml $i:/opt/; done
kubeadm config images pull --config /opt/new.yaml
6.3 master01 节点进行初始化
kubeadm init --config new.yaml --upload-certs | tee kubeadm-init.log
#会初始化一个 Kubernetes 集群并生成相应的证书和密钥,并将相关信息保存在指定的配置文件中
#若初始化失败,进行的操作
kubeadm reset -f
ipvsadm --clear
rm -rf ~/.kube
再次进行初始化
#提示信息
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of the control-plane node running the following command on each as root:
kubeadm join 192.168.2.200:6444 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:ade0ff00903debf7670daab2726c83fca2281a6494d8bf311e741acae960efa4 \
--control-plane --certificate-key edbce007ed7a5de51614353db7e05f2985ba65e4a6387c2b94be52c1bde3f2d7
Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.2.200:6444 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:ade0ff00903debf7670daab2726c83fca2281a6494d8bf311e741acae960efa4
6.4 环境配置(master01节点)
#配置 kubectl
mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
#修改controller-manager和scheduler配置文件
vim /etc/kubernetes/manifests/kube-scheduler.yaml
vim /etc/kubernetes/manifests/kube-controller-manager.yaml
......
#- --port=0 #搜索port=0,把这一行注释掉
systemctl restart kubelet
#部署网络插件flannel
#所有节点上传 flannel 镜像 flannel.tar 和网络插件 cni-plugins-linux-amd64-v1.3.0.tgz 到 /opt 目录
cd /opt
docker load < flannel.tar
mv /opt/cni /opt/cni_bak
mkdir -p /opt/cni/bin
tar zxvf cni-plugins-linux-amd64-v1.3.0.tgz -C /opt/cni/bin
#master节点上传 kube-flannel.yml 文件
kubectl apply -f kube-flannel.yml
6.5 所有节点加入集群
6.5.1 master 节点加入集群
kubeadm join 192.168.2.200:6444 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:5cfda84fcb9149e8c42639caa2ea180825cd8951b416decb337027dfd50cd4cb \
--control-plane --certificate-key 895f73bc55da2cbb3eff0c9abbd108a6a80dce63dceef73cc994ab4961b1c637
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
6.5.2 node 节点加入集群
kubeadm join 192.168.2.200:6444 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:5cfda84fcb9149e8c42639caa2ea180825cd8951b416decb337027dfd50cd4cb
6.6 查看集群信息
#在 master01 查看集群信息
kubectl get nodes
kubectl get pod -n kube-system
#返回所有运行 kube-system 命名空间中的 pod 的列表,以及每个 pod 的状态、运行时间和 IP 地址等信息
#kube-system 命名空间是用于存储 Kubernetes 系统组件和插件的命名空间
#查看这些组件和插件的状态和健康信息
补充 kubenertes集群组件状态异常的解决方法
kubectl get cs
需要修改这两个服务(组件)的配置文件
vim /etc/kubernetes/manifests/kube-controller-manager.yaml
vim /etc/kubernetes/manifests/kube-scheduler.yaml
然后重启kubelet服务
systemctl restart kubelet
kubectl get cs
六、部署Dashboard(K8s 仪表盘)
6.1 获取配置文件并修改
#获取配置文件
cd /opt
weget https://raw.githubusercontent.com/kubernetes/dashboard/v2.6.1/aio/deploy/recommended.yaml
#编辑配置文件
vim recommended.yaml
#默认Dashboard只能集群内部访问,修改Service为NodePort类型,暴露到外部:
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
ports:
- port: 443
targetPort: 8443
nodePort: 30001 #添加
type: NodePort #添加
selector:
k8s-app: kubernetes-dashboard
kubectl apply -f recommended.yaml
6.2 获取登录Token
#创建service account并绑定默认cluster-admin管理员集群角色
kubectl create serviceaccount dashboard-admin -n kube-system
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
6.3 登录到Dashboard
不能使用Google浏览器访问
#使用输出的token登录Dashboard
https://NodeIP:30001
#token
eyJhbGciOiJSUzI1NiIsImtpZCI6ImpoM2g5bWtURFVyMXMtQmlydGFlb3ZFSXlJbDRPUFZsanFzY0FEYllja1kifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tbDd0d3ciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZWM2MzU1OWMtNGQ1Ny00NTEzLTk3ODUtYmI2MTA5MDZhZjM5Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.QQ4DWZ0iuK7lp8WpkgcVUgi8io9q-8K2sjTKxG_4bojYY6B_kJAIUx-gVi3Z03nqMhT8KN4f2_MblfZAohCSPyaV98zH7SUx3priDd-1W-SHKiFoccj4MF_ZOK9dfC0HOtTjXYHPjxbsxlOnJ_mIBMjgCFk5i1CRKYBJDaPRy-YgbdpGyzjyCw56iHmT53wnVJyzQwckONSBcclR33lknOB7no2BSw0CwTsVOzkWkjQKu0YQMdScJPYzCcJbzH4uh1HRpgKqW7VwqMihcNJMFkmEKmT9lZFyNHw3xjqBA1MllW1L3nw3zJoE2-iappom7Bc1M7TlUPsw9rCFH2MPpA
