This document describes how to deploy a highly available Kubernetes v1.16 cluster from binaries rather than with the automated kubeadm tooling. The deployment lists the startup parameters of every component in detail together with the related configuration. After completing it you will understand how the Kubernetes components interact with each other and be able to diagnose real problems quickly.
* Environment and component versions
CentOS 7.2
Kubernetes v1.16.10
Docker 18.09.0 (must match the Kubernetes version)
Etcd 3.3.13
Flanneld 0.12.0
I. Environment preparation
Server preparation
master nodes
10.13.33.29 master-01
10.13.33.40 master-02
10.13.33.38 master-03
worker node
10.13.33.31 node-01
Set the hostnames
Set a permanent hostname on each server and add all nodes to /etc/hosts
cat >> /etc/hosts <<EOF
10.13.33.29 master-01
10.13.33.40 master-02
10.13.33.38 master-03
10.13.33.31 node-01
EOF
Update the PATH variable
All Kubernetes files and configuration are stored under /opt/k8s/. Run the following commands to configure the environment variable.
echo 'PATH=/opt/k8s/bin:$PATH' >> /etc/profile  ## add the k8s binaries to PATH so they can be called directly
source /etc/profile
II. Server tuning
Applies to all nodes
If the servers cannot reach the internet, use the following proxy configuration
echo "proxy=http://ip:port" >> /etc/yum.conf
export http_proxy="http://ip:port"
1. Create the working directories
mkdir -p /opt/k8s/{bin,work} /etc/{kubernetes,etcd}/cert
cd /opt/k8s/work
wget https://github.com/kubernetes/kubernetes/archive/v1.16.10.tar.gz  ## download the k8s sources
2. Write the system time to the hardware clock
timedatectl set-timezone Asia/Shanghai
timedatectl set-local-rtc 0
3. Configure the NTP server addresses
echo "
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
# Ignore stratum in source selection.
stratumweight 0
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# Enable kernel RTC synchronization.
rtcsync
# In first three updates step the system clock instead of slew
# if the adjustment is larger than 10 seconds.
makestep 10 3
# Allow NTP client access from local network.
#allow 192.168/16
# Listen for commands only on localhost.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
# Serve time even if not synchronized to any NTP server.
#local stratum 10
keyfile /etc/chrony.keys
# Specify the key used as password for chronyc.
commandkey 1
# Generate command key if missing.
generatecommandkey
# Disable logging of client accesses.
noclientlog
# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
logchange 0.5
logdir /var/log/chrony
#log measurements statistics tracking
server <clock-server-ip-1> iburst prefer
server <clock-server-ip-2> iburst
server 127.127.1.0
allow 0/0
local stratum 11
" > /etc/chrony.conf
systemctl restart chronyd  ## restart chronyd to apply the configuration
systemctl status chronyd   ## check that it is running
systemctl enable chronyd   ## start on boot
firewall-cmd --add-service=ntp --permanent  ## open the firewall for NTP (persistent)
firewall-cmd --add-service=ntp              ## open the firewall for NTP (runtime)
systemctl restart rsyslog
systemctl restart crond
timedatectl status
chronyc sources -v  ## verify the configured time sources
4. Stop other non-essential services
systemctl stop postfix && systemctl disable postfix
5. Directory for persistent log storage
mkdir /var/log/journal  # directory for persistent journal storage
mkdir /etc/systemd/journald.conf.d
cat > /etc/systemd/journald.conf.d/99-prophet.conf << EOF
[Journal]
Storage=persistent
Compress=yes
SyncIntervalSec=5m
RateLimitInterval=30s
RateLimitBurst=1000
SystemMaxUse=10G
SystemMaxFileSize=200M
MaxRetentionSec=2week
ForwardToSyslog=no
EOF
systemctl restart systemd-journald
6. Disable the firewall
systemctl stop firewalld
systemctl disable firewalld
7. Reset iptables
iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat
iptables -P FORWARD ACCEPT
8. Disable swap and SELinux
swapoff -a
sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
# if a swap partition is enabled, kubelet fails to start (this can be overridden by setting --fail-swap-on=false)
9. Kernel tuning
echo "
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv4.neigh.default.gc_thresh1=4096
net.ipv4.neigh.default.gc_thresh2=6144
net.ipv4.neigh.default.gc_thresh3=8192
net.ipv4.neigh.default.gc_interval=60
net.ipv4.neigh.default.gc_stale_time=120
# see https://github.com/prometheus/node_exporter#disabled-by-default
kernel.perf_event_paranoid=-1
#sysctls for k8s node config
net.ipv4.tcp_slow_start_after_idle=0
net.core.rmem_max=16777216
fs.inotify.max_user_watches=524288
kernel.softlockup_all_cpu_backtrace=1
kernel.softlockup_panic=0
kernel.watchdog_thresh=30
fs.file-max=2097152
fs.inotify.max_user_instances=8192
fs.inotify.max_queued_events=16384
vm.max_map_count=262144
fs.may_detach_mounts=1
net.core.netdev_max_backlog=16384
net.ipv4.tcp_wmem=4096 12582912 16777216
net.core.wmem_max=16777216
net.core.somaxconn=32768
net.ipv4.ip_forward=1
net.ipv4.tcp_max_syn_backlog=8096
net.ipv4.tcp_rmem=4096 12582912 16777216
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
kernel.yama.ptrace_scope=0
vm.swappiness=0
# controls whether the pid is appended to the core file name
kernel.core_uses_pid=1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_source_route=0
# Promote secondary addresses when the primary address is removed
net.ipv4.conf.default.promote_secondaries=1
net.ipv4.conf.all.promote_secondaries=1
# Enable hard and soft link protection
fs.protected_hardlinks=1
fs.protected_symlinks=1
# reverse path (source route) validation
# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2
# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets=5000
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_synack_retries=2
kernel.sysrq=1
" >> /etc/sysctl.conf
sysctl -p
### nofile
cat >> /etc/security/limits.conf <
10. Upgrade the kernel
uname -srm  ## show the current kernel version
export Kernel_Version=4.18.9-1
echo $Kernel_Version  ## target kernel version
wget http://mirror.rc.usf.edu/compute_lock/elrepo/kernel/el7/x86_64/RPMS/kernel-ml{,-devel}-${Kernel_Version}.el7.elrepo.x86_64.rpm
yum localinstall -y kernel-ml*
grub2-set-default 'CentOS Linux (4.18.9-1.el7.elrepo.x86_64) 7 (Core)'
shutdown -r -t 0  ## if the server does not reboot by itself, reboot it manually
uname -srm
11. Load kernel modules with systemd-modules-load
touch /etc/sysconfig/modules/ipvs.modules
cat > /etc/sysconfig/modules/ipvs.modules << EOF
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack_ipv4
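As an added preflight check (example script written for this guide, not part of the original post), the following POSIX sh functions verify that the swap, SELinux and sysctl steps of section II actually took effect. Each function takes a file path, so it can be pointed at the real /etc files or at constructed samples; the only assumption is the standard format of /etc/fstab, /etc/selinux/config and /etc/sysctl.conf.

```shell
#!/bin/sh
# Added preflight check for the node preparation steps above (not from the original post).
# Each function takes a file path; a non-zero return means that step was not applied.

# Keys from the sysctl step above that kubelet, kube-proxy and flannel rely on.
REQUIRED_SYSCTL="net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
vm.swappiness=0
net.ipv4.tcp_syncookies=1
fs.protected_symlinks=1"

# check_sysctl_file FILE: report every required key that is missing or set to another value.
check_sysctl_file() {
    file="$1"; rc=0
    for pair in $REQUIRED_SYSCTL; do
        key=${pair%%=*}; want=${pair#*=}
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots in the key are literal
        # the last uncommented assignment wins; spaces around '=' are tolerated
        have=$(sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$file" | tail -n 1)
        if [ "$have" != "$want" ]; then
            echo "sysctl $key: have '${have:-unset}', want '$want'"; rc=1
        fi
    done
    return $rc
}

# check_fstab_swap FILE: fail if an uncommented swap entry survived the sed in step 8.
check_fstab_swap() {
    if grep -v '^[[:space:]]*#' "$1" | grep -q '[[:space:]]swap[[:space:]]'; then
        echo "active swap entry in $1"; return 1
    fi
    return 0
}

# check_selinux_config FILE: fail unless SELINUX=disabled is the configured setting.
check_selinux_config() {
    if grep -q '^SELINUX=disabled[[:space:]]*$' "$1"; then return 0; fi
    echo "SELINUX is not disabled in $1"; return 1
}

# Run against the real files only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    rc=0
    check_sysctl_file /etc/sysctl.conf || rc=1
    check_fstab_swap /etc/fstab || rc=1
    check_selinux_config /etc/selinux/config || rc=1
    exit $rc
fi
```

Run it as `sh preflight.sh --run` on each node after the reboot in step 10; every reported line is a step that has to be repeated before the Kubernetes components are installed.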
III. Deploy the Kubernetes components
1. Generate certificates
## install the cfssl toolset
mkdir -p /opt/k8s/cert && cd /opt/k8s
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
mv cfssl_linux-amd64 /opt/k8s/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
mv cfssljson_linux-amd64 /opt/k8s/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /opt/k8s/bin/cfssl-certinfo
chmod +x /opt/k8s/bin/*
export PATH=/opt/k8s/bin:$PATH
## if the binaries were downloaded to the home directory instead, move them into place the same way
cd /opt/k8s
mv ~/cfssl* ./
mv cfssl_linux-amd64 /opt/k8s/bin/cfssl
mv cfssljson_linux-amd64 /opt/k8s/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /opt/k8s/bin/cfssl-certinfo
chmod +x /opt/k8s/bin/*
export PATH=/opt/k8s/bin:$PATH
## create the CA certificate and its config files (run on master1)
cd /opt/k8s/work
cat > ca-config.json <
## create the certificate signing request file
cat > ca-csr.json <
## generate the CA certificate and private key
cd /opt/k8s/work
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
ls ca*
## distribute the certificates to every node
## create the flannel certificate
cat > flanneld-csr.json <
2. Deploy flannel
### install flannel
cd /opt/k8s/work/
mkdir flannel
cp -f ~/k8s/ca*.pem /etc/kubernetes/cert/
wget https://github.com/coreos/flannel/releases/download/v0.12.0/flannel-v0.12.0-linux-amd64.tar.gz
tar -xzvf flannel-v0.12.0-linux-amd64.tar.gz -C flannel
cp flannel/{flanneld,mk-docker-opts.sh} /opt/k8s/bin/
chmod +x /opt/k8s/bin/*
## create flanneld.service
touch /etc/systemd/system/flanneld.service
cat > /etc/systemd/system/flanneld.service << EOF
[Unit]
Description=Flanneld overlay address etcd agent
After=network.target
After=network-online.target
Wants=network-online.target
After=etcd.service
Before=docker.service

[Service]
Type=notify
ExecStart=/opt/k8s/bin/flanneld \\
  -etcd-cafile=/etc/kubernetes/cert/ca.pem \\
  -etcd-certfile=/etc/flanneld/cert/flanneld.pem \\
  -etcd-keyfile=/etc/flanneld/cert/flanneld-key.pem \\
  -etcd-endpoints=https://10.13.33.29:2379,https://10.13.33.38:2379,https://10.13.33.40:2379 \\
  -etcd-prefix=/kubernetes/network \\
  -iface=eth0 \\
  -ip-masq
ExecStartPost=/opt/k8s/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/docker
Restart=always
RestartSec=5
StartLimitInterval=0

[Install]
WantedBy=multi-user.target
RequiredBy=docker.service
EOF
## start flannel
systemctl daemon-reload && systemctl enable flanneld && systemctl restart flanneld || systemctl status flanneld | grep Active
systemctl status flanneld  ## check flanneld's state; because it depends on docker it may fail to start now and will come up once docker is installed
ip addr show | grep flannel.1
3. Install Docker
## update the yum repos
mkdir -p /etc/yum.repos.d/backup
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/backup/
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum update -y
yum install -y yum-utils device-mapper-persistent-data lvm2 nfs-utils  ## install dependencies
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo  ## use the Aliyun docker mirror
yum makecache fast
## install the pinned docker version
yum -y install docker-ce-18.09.0-3.el7 docker-ce-cli-18.09.0-3.el7 containerd.io
## tune docker.service
cat > /usr/lib/systemd/system/docker.service <
cat >/etc/docker/daemon.json <