节点四台:master、node01、node02、harbor
设置系统主机名及host文件解析
#hostnamectl set-hostname k8s-master hostnamectl set-hostname k8s-node01 hostnamectl set-hostname k8s-node02
安装依赖包
#yum -y install conntrack ntpdate ntp ipvsadm ipset jq iptables curl sysstat libseccomp wget vim net-tools git
设置防火墙为iptables规则并设置空规则
#systemctl stop firewalld&&systemctl disable firewalld
#yum -y install iptables-services && systemctl start iptables && systemctl enable iptables && iptables -F && service iptables save
关闭SElinux
# swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
#setenforce 0 && sed -I 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
调整内核参数
#cat > kubernetes.conf << EOF
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
net.ipv4.tcp_tw_recycle=0
vm.swappiness=0 #禁止使用swap空间
vm.overcommit_memory=1 #不检查物理内存
vm.panic_on_oom=0
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
fs.file-max=52706963
fs.nr_open=52706963
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max=2310720
EOF
开机调用kubernetes.conf,并生效
#cp kubernetes.conf /etc/sysctl.d/kubernetes.conf
#sysctl -p /etc/sysctl.d/kubernetes.conf
调整系统时区-安装系统时选择上海,这步跳过
设置时区 中国/上海
#timedatectl set-timezone Asia/Shanghai
将当前UTC时间写入硬件时钟
#timedatectl set-local-rtc 0
重启依赖于系统时间的服务
#systemctl restart rsyslog
#systemctl restart crond
关闭系统邮件服务
#systemctl stop postfix&&systemctl disable postfix
设置系统日志服务rsyslogd和systemd journald
创建持久化目录
# mkdir /var/log/journal
创建journald配置文件
# mkdir /etc/systemd/journal.conf.d
#cat > /etc/systemd/journal.conf.d/99-prophet.conf <<EOF
[ Journal ]
#持久化保存到磁盘
Storage=persistent
#压缩历史日志
Compress=yes
SyncIntervalSec=5m
RateLimitInterval=30s
RateLimitBurst=1000
#最大占用空间
SystemMaxUse=10G
#单日志文件最大 200M
SystemMaxFileSize=200M
#日志保存时间
MaxRetentionSec=2week
#不讲日志转发到 syslog
ForwardToSyslog=no
EOF
#systemctl restart systemd-journald
升级系统内核为4.44版本
#rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
查看 /boot/grub2/grub.cfg是否存在menuentry 中是否包含 initrd16配置,如果没有重新安装
#cat /boot/grub2/grub.cfg|grep initrd16
#yum --enablerepo=elrepo-kernel install -y kernel-lt
设置开几重启内核
#grub2-set-default 'CentOS Linux (4.4.214-1.el7.elrepo.x86_64) 7 (core)'
#reboot
检查下三台节点内核版本是否为4.44
#uname -r
4.4.214-1.el7.elrepo.x86_64
Kube-proxy开启ipvs前置条件
#modprobe br_netfilter
#cat > /etc/sysconfig/modules/ipvs.modules << EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
#chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod |grep -e ip_vs -e nf_conntrack_ipv4
安装docker
#yum -y install yum-utils device-mapper-persistent-data lvm2
#yum-config-manager \
--add-repo \
http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# yum update -y && yum install -y docker-ce
创建 /etc/docker 目录
#mkdir /etc/docker
#grub2-set-default 'CentOS Linux (4.4.214-1.el7.elrepo.x86_64) 7 (core)'&&reboot
设置docker启动,开机自启
# systemctl start docker && systemctl enable docker
创建 daemon.json 配置文件,将存储日志的方式改为为 json file 格式存储,方便日后从 /var/log/container/ 下查找容器日志,之后就可以从 efk 中搜索索引信息了
#cat > /etc/docker/daemon.json << EOF
{
"registry-mirrors": ["https://registry.docker-cn.com"],
"exec-opts": ["native.cgroupdriver=systemd"], #centos7中有两种cgroup组(cgroupfx, cgroupdriver)是由systemd做隔离
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
}
}
EOF
#mkdir -p /etc/systemd/system/docker.service.d
#systemctl daemon-reload && systemctl restart docker && systemctl enable docker
安装kubeadm
#cat << EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
EOF
#yum -y install kubeadm-1.15.1 kubectl-1.15.1 kubelet-1.15.1
#systemctl enable kubelet
导入kubernetes系统镜像,本地资料中
# tar xf kubeadm-basic.images.tar.gz
批量导入镜像脚本
# vim docker-load.sh
#!/bin/bash
ls /root/rpm/kubeadm-basic.images > /root/docker-load-list.txt
cd /root/rpm/kubeadm-basic.images
for i in $(cat /root/docker-load-list.txt)
do
docker load -i $i
done
#chmod a+x docker-load.sh
#./docker-load.sh
在master节点操作,导出kubeadm-config.yaml配置文件
#kubeadm config print init-defaults > /etc/kubernetes/kubeadm-config.yaml
#vim kubeadm-config.yaml
第12行:advertiseAddress:192.168.1.11
第34行:kubernetesVersion: v1.15.1
第36行下增加:podSubnet: "10.244.0.0/16" #pod网段
初始化master
#kubeadm init --config=/etc/kubernetes/kubeadm-config.yaml --experimental-upload-certs | tee kubeadm-init.log
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.1.11:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:69540b24d9d2eaa4fd9a9d533bfde8c6520ce7586366fa9e35474e94553532ba
# mkdir -p $HOME/.kube
# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
# chown $(id -u):$(id -g) $HOME/.kube/config
# echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile
#source ~/.bash_profile
保留安装文件
#mkdir install-k8s
# mv /etc/kubernetes/kubeadm-config.yaml /etc/kubernetes/kubeadm-init.log /usr/local/kubernetes/install-k8s/
master安装flannel
#wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
# kubectl create -f kube-flannel.yml
没有镜像可以下载国内镜像,然后重新打标签,将镜像scp到node01和node02节点上,docker load即可
#docker pull lizhenliang/flannel:v0.11.0-amd64
#docker tag lizhenliang/flannel:v0.11.0-amd64 quay.io/coreos/flannel:v0.11.0-amd64
Node01和Node02节点加入k8s集群
#tail -5 /usr/local/kubernetes/install-k8s/kubeadm-init.log
#kubeadm join 192.168.1.11:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:69540b24d9d2eaa4fd9a9d533bfde8c6520ce7586366fa9e35474e94553532ba