K8S集群化部署

1.基础环境,2核+4G内存(CPU不能低于2核)
k8s-m1 192.168.66.110
k8s-m2 192.168.66.111
k8s-m3 192.168.66.112
虚拟IP设定为:192.168.66.166
2.三台初始化配置,分别在三台上操作

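# Name resolution for the three control-plane nodes; identical on every node.
# Appending (>>) instead of editing interactively keeps the distribution's
# localhost entries intact and makes the step repeatable.
cat >> /etc/hosts << 'EOF'
192.168.66.110 k8s-m1
192.168.66.111 k8s-m2
192.168.66.112 k8s-m3
EOF
# Run exactly ONE of these, the one matching the node you are logged in to;
# running all three on a single host leaves it named k8s-m3.
hostnamectl set-hostname k8s-m1   # on 192.168.66.110
hostnamectl set-hostname k8s-m2   # on 192.168.66.111
hostnamectl set-hostname k8s-m3   # on 192.168.66.112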

关闭防火墙 SELINUX

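# Host firewall off and SELinux off, as the rest of the tutorial assumes.
# With firewalld disabled every listener configured below (etcd 2379/2380,
# the apiserver 6443, haproxy 8443) is reachable from any network the node is
# attached to, so isolation has to come from the network itself.
systemctl stop firewalld && systemctl disable firewalld
# Immediate effect on the running kernel (returns non-zero if SELinux is
# already disabled, which is harmless here).
setenforce 0
# The original wrote "SELINUX=disable", which is not a valid value for
# /etc/selinux/config; the accepted spellings are enforcing / permissive /
# disabled. "permissive" would keep denials logged without blocking anything,
# if that is preferred over switching SELinux off entirely.
sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config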

关闭swap

# Turn swap off now and keep it off after reboot (the kubelet by default
# refuses to start while swap is active). The swappiness value is a runtime
# setting only — it is not written to any sysctl.d file, so it does not
# survive a reboot.
swapoff -a && sysctl -w vm.swappiness=0
# Prefix every fstab line that mentions swap with "#".
sed -i '/swap/ s/^/#/' /etc/fstab

设置Docker所需参数

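# Kernel settings the pod network and kube-proxy depend on: IP forwarding and
# bridged traffic passing through iptables/ip6tables. The bridge-nf-* keys only
# exist once br_netfilter is loaded, which is why the module is loaded before
# sysctl -p.
cat > /etc/sysctl.d/k8s.conf << EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
modprobe br_netfilter
# Persist the module load; without this the two bridge-nf keys may fail to
# apply at boot because the module is not loaded yet when sysctl.d is
# processed. (The file name under /etc/modules-load.d/ is a choice made here;
# any *.conf name in that directory works.)
echo br_netfilter > /etc/modules-load.d/br_netfilter.conf
sysctl -p /etc/sysctl.d/k8s.conf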

加载ip_vs模块

# NOTE(review): the heredoc body of this command was lost when the page was
# extracted (everything from "<< EOF" through the closing EOF — presumably the
# modprobe lines for the ip_vs modules and the chmod/execute step that follows).
# The line as shown is incomplete and will not run as-is.
cat > /etc/sysconfig/modules/ipvs.modules <

安装docker19.03版本

# Base tooling plus the Docker CE repository. ntpdate is installed here but
# never invoked on this page; TLS validation (etcd certificates, the kubeadm
# bootstrap) depends on the three nodes' clocks agreeing, so make sure some
# time synchronisation actually runs.
yum -y install yum-utils device-mapper-persistent-data lvm2 wget epel-release ipvsadm vim ntpdate
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# Pinned to 19.03.9, the runtime version "kubectl get nodes -o wide" reports later.
yum install -y docker-ce-19.03.9
systemctl enable docker && systemctl start docker
# NOTE(review): the daemon.json heredoc body was lost in extraction; the line
# below is truncated and must be completed from the original post (registry
# mirror / cgroup-driver settings are what usually goes here — confirm).
cat > /etc/docker/daemon.json <

安装kube组件

# NOTE(review): the kubernetes.repo heredoc body was lost in extraction, and the
# yum install of kubelet/kubeadm/kubectl this section is titled after is not
# visible either (a worker node later runs "yum -y install kubeadm" with a copy
# of this repo file). Truncated line; it will not run as-is.
cat > /etc/yum.repos.d/kubernetes.repo <

cfssl下载,在m1上操作

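# Fetch the cfssl tools into a scratch directory and only then install them
# into PATH, so a failed or partial download never lands in /usr/local/bin
# (the original wrote straight to the final path with -O). The "&&" chain stops
# at the first failure; the scratch directory is removed either way.
# NOTE(review): nothing here verifies the downloads (no checksum or signature
# check); compare them against a published digest before trusting the binaries.
tmpdir=$(mktemp -d) \
  && wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O "${tmpdir}/cfssl" \
  && wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O "${tmpdir}/cfssljson" \
  && install -m 0755 "${tmpdir}/cfssl" "${tmpdir}/cfssljson" /usr/local/bin/
rm -rf -- "${tmpdir:?}"
# Working directory for the etcd PKI; everything below is written here.
mkdir -p /etc/etcd/ssl && cd /etc/etcd/ssl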

etcd ca配置

# cfssl signing policy. A single profile, "etcd", whose usages include both
# "server auth" and "client auth": a certificate issued with it is accepted as
# an etcd server/peer certificate AND as a client certificate. That is what
# lets the same server.pem be reused later for the peer role, for etcdctl and
# for kube-apiserver's etcd access. expiry 87600h is ten years, for both the
# default and the profile.
cat << EOF | tee ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

etcd ca证书

# CA signing request (RSA 2048). The resulting ca-key.pem signs every
# certificate etcd will trust; only the node that issues certificates (m1)
# needs it — the etcd and kubeadm configs below reference ca.pem, server.pem
# and server-key.pem only.
cat << EOF | tee ca-csr.json
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

生成 CA 凭证和私钥

# Self-signed CA: writes ca.pem (public, distributed) and ca-key.pem (private;
# cfssljson creates it mode 0600, as the directory listing below shows).
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

etcd server证书

# Certificate request for the etcd members. "hosts" becomes the SAN list: only
# the three node IPs, no hostnames and no 127.0.0.1, so every TLS client
# (etcdctl, kube-apiserver) must address etcd by one of these IPs — which is
# what the health check and the kubeadm config later on do.
cat << EOF | tee server-csr.json
{
    "CN": "etcd",
    "hosts": [
    "192.168.66.110",
    "192.168.66.111",
    "192.168.66.112"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
EOF

生成server证书

# Issue the etcd certificate from the CA with the "etcd" profile (server +
# client usages). Output: server.pem, server-key.pem (mode 0600), server.csr.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server

查看目录文件,将4个pem文件拷贝至其他两台主节点,目录一致(其中 ca-key.pem 是 CA 私钥,后面的 etcd 配置和 kubeadm 配置只引用 ca.pem、server.pem、server-key.pem,ca-key.pem 可以只保留在签发证书的 m1 上)

[root@k8s-m1 ssl]# ll
总用量 36
-rw-r--r--. 1 root root  288 1月  30 13:45 ca-config.json
-rw-r--r--. 1 root root  956 1月  30 13:45 ca.csr
-rw-r--r--. 1 root root  209 1月  30 13:45 ca-csr.json
-rw-------. 1 root root 1679 1月  30 13:45 ca-key.pem
-rw-r--r--. 1 root root 1265 1月  30 13:45 ca.pem
-rw-r--r--. 1 root root 1013 1月  30 13:47 server.csr
-rw-r--r--. 1 root root  293 1月  30 13:47 server-csr.json
-rw-------. 1 root root 1679 1月  30 13:47 server-key.pem
-rw-r--r--. 1 root root 1338 1月  30 13:47 server.pem

etcd安装,三台主节点都需要操作,配置文件修改相应的地方

# Download the etcd release and put its binaries on PATH. The version is named
# once so the three references cannot drift apart.
etcd_ver=v3.3.12
wget "https://github.com/etcd-io/etcd/releases/download/${etcd_ver}/etcd-${etcd_ver}-linux-amd64.tar.gz"
tar -zxf "etcd-${etcd_ver}-linux-amd64.tar.gz"
cd "etcd-${etcd_ver}-linux-amd64" && cp etcd* /usr/local/bin/

配置etcd主文件

# etcd member config for node 1 (etcd01 / 192.168.66.110). On the other two
# nodes change ETCD_NAME and every 192.168.66.110 in the LISTEN/ADVERTISE lines
# to that node's own address; ETCD_INITIAL_CLUSTER stays identical everywhere.
# Notes:
#  * ETCD_CLIENT_CERT_AUTH / ETCD_PEER_CLIENT_CERT_AUTH apply to the https
#    listeners. The extra plain-http listener on 127.0.0.1:2379 has no TLS and
#    therefore no certificate check, so any local process on the node can read
#    and write the whole datastore through it. Drop it from
#    ETCD_LISTEN_CLIENT_URLS if nothing on the host needs it.
#  * The same server.pem/server-key.pem serves the server and peer roles, which
#    the "etcd" cfssl profile above permits.
cat << EOF | tee /etc/etcd/etcd.conf
ETCD_NAME="etcd01"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.66.110:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.66.110:2379,http://127.0.0.1:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.66.110:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.66.110:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.66.110:2380,etcd02=https://192.168.66.111:2380,etcd03=https://192.168.66.112:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
#[Security]
ETCD_CERT_FILE="/etc/etcd/ssl/server.pem"
ETCD_KEY_FILE="/etc/etcd/ssl/server-key.pem"
ETCD_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CERT_FILE="/etc/etcd/ssl/server.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/ssl/server-key.pem"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/ssl/ca.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF

配置启动脚本

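# systemd unit for etcd. Two fixes relative to the original:
#  * the heredoc delimiter is quoted ('EOF') so the ${ETCD_*} references are
#    written literally for systemd to expand from the EnvironmentFile; with an
#    unquoted delimiter the shell expands them at "cat" time, and since none of
#    them is set in the shell the unit ends up with "--name=", "--data-dir=" ...
#  * EnvironmentFile now points at /etc/etcd/etcd.conf, the file actually
#    written above. The original referenced /etc/etcd/config, which does not
#    exist, and systemd will not start a unit whose EnvironmentFile is missing
#    (unless the path is prefixed with "-").
cat << 'EOF' | tee /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/etc/etcd/etcd.conf
ExecStart=/usr/local/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS} \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \
--cert-file=${ETCD_CERT_FILE} \
--key-file=${ETCD_KEY_FILE} \
--peer-cert-file=${ETCD_PEER_CERT_FILE} \
--peer-key-file=${ETCD_PEER_KEY_FILE} \
--trusted-ca-file=${ETCD_TRUSTED_CA_FILE} \
--client-cert-auth=${ETCD_CLIENT_CERT_AUTH} \
--peer-client-cert-auth=${ETCD_PEER_CLIENT_CERT_AUTH} \
--peer-trusted-ca-file=${ETCD_PEER_TRUSTED_CA_FILE}
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF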

启动服务

# Reload unit files, then enable and start etcd in one step ("enable --now" is
# "enable" followed by "start"; the page uses the same form for haproxy and
# keepalived later).
systemctl daemon-reload && systemctl enable --now etcd

三台主节点查看启动服务

[root@k8s-m2 etcd]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1290/master         
tcp        0      0 192.168.66.111:2379     0.0.0.0:*               LISTEN      1853/etcd           
tcp        0      0 127.0.0.1:2379          0.0.0.0:*               LISTEN      1853/etcd           
tcp        0      0 192.168.66.111:2380     0.0.0.0:*               LISTEN      1853/etcd           
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1036/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1290/master         
tcp6       0      0 :::22                   :::*                    LISTEN      1036/sshd

查看etcd集群是否健康

[root@k8s-m2 etcd]# etcdctl --ca-file=/etc/etcd/ssl/ca.pem --cert-file=/etc/etcd/ssl/server.pem --key-file=/etc/etcd/ssl/server-key.pem --endpoints="https://192.168.66.110:2379,https://192.168.66.111:2379,https://192.168.66.112:2379" cluster-health
member 1c7f4fcaf93a4f89 is healthy: got healthy result from https://192.168.66.111:2379
member 2236499add1299a8 is healthy: got healthy result from https://192.168.66.110:2379
member b2ca950c7544a007 is healthy: got healthy result from https://192.168.66.112:2379
cluster is healthy

三台主节点安装haproxy和keepalived,注意修改网卡名字和虚拟IP,其他两节点state修改为BACKUP
第二节点和第三节点priority修改为90和80

# haproxy + keepalived on all three nodes. This is the node-1 config (MASTER,
# priority 100); on the other two set state BACKUP and priority 90 / 80, and
# point "interface" at the NIC that carries 192.168.66.0/24.
# Notes:
#  * check_haproxy runs /etc/keepalived/check_haproxy.sh every 3 seconds; that
#    script must exist and be executable before keepalived is started.
#  * auth_type PASS / auth_pass is VRRP's simple password. It travels in the
#    clear in every advertisement and does not authenticate the sender in any
#    cryptographic sense; it only avoids accidental router-id collisions, so
#    the segment the VRRP traffic crosses has to be a trusted one.
#  * Preemption is left at keepalived's default (on), so when m1 comes back it
#    takes the VIP away from m2 again — the failover shown later reverses itself.
yum -y install haproxy keepalived
cat > /etc/keepalived/keepalived.conf << EOF 
vrrp_script check_haproxy {
    script "/etc/keepalived/check_haproxy.sh"
    interval 3
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
    192.168.66.166
    }
     track_script {
        check_haproxy
     }
}
EOF

haproxy检测脚本

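# Health probe keepalived runs every 3s (vrrp_script above). If haproxy is not
# running it stops keepalived, so the VIP moves to a node whose haproxy is up.
# NOTE(review): the probe command itself was lost when the page was extracted
# (only a trailing "> /dev/null" survived). "systemctl is-active" is used here
# as the reconstruction: it exits non-zero whenever the unit is not active,
# which is the condition the original "if [[ \$? != 0 ]]" tested. The delimiter
# is quoted so nothing inside the script is expanded at write time.
cat > /etc/keepalived/check_haproxy.sh << 'EOF'
#!/usr/bin/env bash
if ! systemctl is-active haproxy > /dev/null; then
        echo "haproxy is down,close the keepalived"
        systemctl stop keepalived
fi
EOF
# keepalived execs this path, so it needs the execute bit (the original never
# set it, and the probe silently failed). Root-only mode keeps the script out
# of reach of other local users and satisfies the script-ownership checks
# newer keepalived releases perform.
chmod 0700 /etc/keepalived/check_haproxy.sh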

haproxy配置文件

# haproxy in front of the three API servers. Frontend and backend are both
# "mode tcp": TLS passes straight through to the apiservers, haproxy never sees
# plaintext, and client-certificate authentication still happens end-to-end at
# the apiserver. kubeadm's controlPlaneEndpoint (VIP:8443) lands on the
# "bind *:8443" below.
# Notes:
#  * bind *:8443 listens on every interface, and firewalld was disabled at the
#    start, so the API is reachable from any network the node is attached to.
#  * "check" appears twice on each server line; harmless, one is enough.
#  * "defaults" is mode http; the tcp sections override it, so the http-only
#    options there (httplog, forwardfor, http-server-close) do not apply to
#    the k8s-api path.
cat > /etc/haproxy/haproxy.cfg << EOF 
global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
#---------------------------------------------------------------------
frontend  k8s-api 
   bind *:8443
   mode tcp
   default_backend             apiserver
#---------------------------------------------------------------------
backend apiserver
    balance     roundrobin
    mode tcp
    server  k8s-m1 192.168.66.110:6443 check weight 1 maxconn 2000 check inter 2000 rise 2 fall 3
    server  k8s-m2 192.168.66.111:6443 check weight 1 maxconn 2000 check inter 2000 rise 2 fall 3
    server  k8s-m3 192.168.66.112:6443 check weight 1 maxconn 2000 check inter 2000 rise 2 fall 3
EOF

启动keepalived和haproxy

# Start both services and enable them at boot. The check script above stops
# keepalived when haproxy is not active, so if keepalived comes up before
# haproxy is running the first probe (3s) can take keepalived down again —
# look at the status of both units after this step.
systemctl enable --now keepalived haproxy

分别查看IP地址,查看主节点

[root@k8s-m1 ssl]# ip addr
2: ens33:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:e3:b4:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.66.110/24 brd 192.168.66.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet 192.168.66.166/32 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::78b1:b1f2:9042:937d/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

[root@k8s-m2 member]# ip addr
2: ens33:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:05:0f:0e brd ff:ff:ff:ff:ff:ff
    inet 192.168.66.111/24 brd 192.168.66.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::b31c:59f5:e055:92ec/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

[root@k8s-m3 ~]# ip addr
2: ens33:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:19:10:b6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.66.112/24 brd 192.168.66.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::4966:3801:d39c:875b/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

在m1上操作,kubeadm初始化,编辑文件,修改为国内源

[root@k8s-m1 ssl]# vim /etc/kubernetes/kubeadm-config.yaml
# kubeadm ClusterConfiguration for the first control-plane node.
# kubernetesVersion pins the control-plane images; the nodes later report
# kubelet v1.20.2, so the two differ by a patch release (kubeadm generally
# tolerates that, but keeping them equal avoids surprises).
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.20.0
# The keepalived VIP and the haproxy frontend port, not any single node.
controlPlaneEndpoint: "192.168.66.166:8443"
# Domestic mirror of the upstream control-plane images.
imageRepository: registry.aliyuncs.com/google_containers
# External etcd: the cluster built above. The "server" certificate doubles as
# the client certificate here, which the cfssl "etcd" profile allows (its
# usages include "client auth"). This key grants full read/write on the
# datastore, so /etc/etcd/ssl must stay root-only on every control-plane node.
etcd:
  external:
    endpoints:
    - https://192.168.66.110:2379
    - https://192.168.66.111:2379
    - https://192.168.66.112:2379
    caFile: /etc/etcd/ssl/ca.pem
    certFile: /etc/etcd/ssl/server.pem
    keyFile: /etc/etcd/ssl/server-key.pem
networking:
  # Must match the pod CIDR in the kube-flannel manifest applied later.
  podSubnet: 10.244.0.0/16

---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
# IPVS mode; relies on the ip_vs modules loaded earlier (verified later with
# curl 127.0.0.1:10249/proxyMode).
mode: ipvs

开始安装,完毕之后会输出如下信息,然后复制主节点加入命令到m2和m3执行。(注意 --config 用的是相对路径,需在 /etc/kubernetes 目录下执行,或改为绝对路径 /etc/kubernetes/kubeadm-config.yaml)

[root@k8s-m1 ssl]# kubeadm init --config=kubeadm-config.yaml --upload-certs
.......
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of the control-plane node running the following command on each as root:
#主节点加入命令
  kubeadm join 192.168.66.166:8443 --token 3fx7og.b12jhx6d6l8rssv4 \
    --discovery-token-ca-cert-hash sha256:a050762cd04061030ffc6f0d9cb32171679195e4da8c094f6f0cb09bab88cca0 \
    --control-plane --certificate-key b0f0271ac70103fc2602f83010435df7c97d4ef0c7bcdaeb066f048a2411868d

Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.

Then you can join any number of worker nodes by running the following on each as root:
工作节点加入命令
kubeadm join 192.168.66.166:8443 --token 3fx7og.b12jhx6d6l8rssv4 \
    --discovery-token-ca-cert-hash sha256:a050762cd04061030ffc6f0d9cb32171679195e4da8c094f6f0cb09bab88cca0 

m1上创建配置文件

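# Give root a kubeconfig. admin.conf is a cluster-admin credential, so create
# the directory and the copy with explicit root-only modes instead of relying
# on the umask (a plain "cp" would produce a 0644 file). "install -d" also makes
# the step repeatable where the original "mkdir .kube" failed on a second run.
cd /root \
  && install -d -m 0700 .kube \
  && install -m 0600 /etc/kubernetes/admin.conf .kube/config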

创建kube-flannel,配置文件已单独在其他文章内,复制之后直接运行

# Pod network. The manifest comes from a separate article (not on this page);
# read it before applying — it is cluster-admin input that typically creates
# RBAC objects and a privileged DaemonSet on every node, and its pod CIDR must
# match the podSubnet 10.244.0.0/16 given to kubeadm above.
kubectl apply -f kube-flannel.yaml

查看集群节点状态和核心组件,是否健康

[root@k8s-m1 opt]# kubectl get nodes
NAME     STATUS   ROLES                  AGE     VERSION
k8s-m1   Ready    control-plane,master   4h16m   v1.20.2
k8s-m2   Ready    control-plane,master   4h13m   v1.20.2
k8s-m3   Ready    control-plane,master   4h13m   v1.20.2

[root@k8s-m1 opt]# kubectl get pods -n kube-system
NAME                             READY   STATUS    RESTARTS   AGE
coredns-7f89b7bc75-b5sdz         1/1     Running   0          29m
coredns-7f89b7bc75-rhsbj         1/1     Running   0          29m
kube-apiserver-k8s-m1            1/1     Running   0          29m
kube-apiserver-k8s-m2            1/1     Running   0          27m
kube-apiserver-k8s-m3            1/1     Running   0          26m
kube-controller-manager-k8s-m1   1/1     Running   0          29m
kube-controller-manager-k8s-m2   1/1     Running   0          27m
kube-controller-manager-k8s-m3   1/1     Running   0          26m
kube-flannel-ds-amd64-hq8qt      1/1     Running   0          14m
kube-flannel-ds-amd64-kggwn      1/1     Running   0          14m
kube-flannel-ds-amd64-r42gv      1/1     Running   0          14m
kube-proxy-ldplv                 1/1     Running   0          26m
kube-proxy-nz7gx                 1/1     Running   0          29m
kube-proxy-ttrbj                 1/1     Running   0          27m
kube-scheduler-k8s-m1            1/1     Running   0          29m
kube-scheduler-k8s-m2            1/1     Running   0          27m
kube-scheduler-k8s-m3            1/1     Running   0          26m

查看集群使用的代理模式

[root@k8s-m1 opt]# curl 127.0.0.1:10249/proxyMode
ipvs

默认master节点是不允许调度Pod,不然Pod一直处于Pending状态,这里开启允许。注意:去掉污点后普通工作负载会和控制平面组件、etcd 数据同处一台机器,生产环境一般保留这个污点,这样做只适合测试环境。

[root@k8s-m1 opt]# kubectl taint nodes --all node-role.kubernetes.io/master-
node/k8s-m1 untainted
node/k8s-m2 untainted
node/k8s-m3 untainted

关闭m1节点,模拟故障,查看虚拟IP已经在m2节点

[root@k8s-m2 member]# ip addr
2: ens33:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:05:0f:0e brd ff:ff:ff:ff:ff:ff
    inet 192.168.66.111/24 brd 192.168.66.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet 192.168.66.166/32 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::b31c:59f5:e055:92ec/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

查看集群状态

[root@k8s-m2 .kube]# kubectl get nodes
NAME     STATUS     ROLES                  AGE     VERSION
k8s-m1   NotReady   control-plane,master   4h47m   v1.20.2
k8s-m2   Ready      control-plane,master   4h44m   v1.20.2
k8s-m3   Ready      control-plane,master   4h44m   v1.20.2

增加一台工作节点
1.将master节点上的kubernetes.repo复制到新节点
yum -y install kubeadm
安装docker,然后执行如下操作

[root@k8s-c1 kubernetes]# kubeadm join 192.168.66.166:8443 --token 3fx7og.b12jhx6d6l8rssv4 \
>     --discovery-token-ca-cert-hash sha256:a050762cd04061030ffc6f0d9cb32171679195e4da8c094f6f0cb09bab88cca0

在m2上查看集群状态

[root@k8s-m2 opt]# kubectl get nodes -o wide
NAME     STATUS     ROLES                  AGE     VERSION   INTERNAL-IP      EXTERNAL-IP   OS-IMAGE                KERNEL-VERSION           CONTAINER-RUNTIME
k8s-c1   Ready                       12m     v1.20.2   192.168.66.113           CentOS Linux 7 (Core)   3.10.0-1062.el7.x86_64   docker://19.3.9
k8s-m1   NotReady   control-plane,master   5h19m   v1.20.2   192.168.66.110           CentOS Linux 7 (Core)   3.10.0-1062.el7.x86_64   docker://19.3.9
k8s-m2   Ready      control-plane,master   5h17m   v1.20.2   192.168.66.111           CentOS Linux 7 (Core)   3.10.0-1062.el7.x86_64   docker://19.3.9
k8s-m3   Ready      control-plane,master   5h16m   v1.20.2   192.168.66.112           CentOS Linux 7 (Core)   3.10.0-1062.el7.x86_64   docker://19.3.9

看到ROLES为空,可以手动增加角色状态

[root@k8s-m2 opt]# kubectl label node k8s-c1 node-role.kubernetes.io/worker=worker
node/k8s-c1 labeled
[root@k8s-m2 opt]# kubectl get nodes -o wide
NAME     STATUS     ROLES                  AGE     VERSION   INTERNAL-IP      EXTERNAL-IP   OS-IMAGE                KERNEL-VERSION           CONTAINER-RUNTIME
k8s-c1   Ready      worker                 14m     v1.20.2   192.168.66.113           CentOS Linux 7 (Core)   3.10.0-1062.el7.x86_64   docker://19.3.9
k8s-m1   NotReady   control-plane,master   5h21m   v1.20.2   192.168.66.110           CentOS Linux 7 (Core)   3.10.0-1062.el7.x86_64   docker://19.3.9
k8s-m2   Ready      control-plane,master   5h19m   v1.20.2   192.168.66.111           CentOS Linux 7 (Core)   3.10.0-1062.el7.x86_64   docker://19.3.9
k8s-m3   Ready      control-plane,master   5h18m   v1.20.2   192.168.66.112           CentOS Linux 7 (Core)   3.10.0-1062.el7.x86_64   docker://19.3.9

创建一个deployment

[root@k8s-m2 opt]# kubectl get pods -o wide
NAME                       READY   STATUS    RESTARTS   AGE   IP           NODE     NOMINATED NODE   READINESS GATES
nginx-1-645d5c6669-x9tvw   1/1     Running   0          19s   10.244.4.4   k8s-c1              

停掉c1节点,模拟工作节点故障,大概几分钟后可以看到pod自动转移到其他节点

[root@k8s-m2 opt]# kubectl get pods -o wide
NAME                       READY   STATUS        RESTARTS   AGE     IP           NODE     NOMINATED NODE   READINESS GATES
nginx-1-645d5c6669-ltkpt   1/1     Running       0          58s     10.244.2.3   k8s-m3              
nginx-1-645d5c6669-x9tvw   1/1     Terminating   0          7m27s   10.244.4.4   k8s-c1              

其他一些操作

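# Assorted day-2 operations (run on a control-plane node unless noted).
# Force-remove a pod that has been stuck in Terminating for a long time
# (skips the grace period).
kubectl delete pod PODNAME --force --grace-period=0
# Remove a node from the cluster.
kubectl delete node k8s-c1
# Reset a node so it can be joined again (run on that node).
kubeadm reset
# Re-join a node. TOKEN and HASH are placeholders — the angle-bracketed values
# of the original line were lost in extraction; take them from "kubeadm token
# list" and from the openssl command at the end of this list.
kubeadm join 192.168.66.166:8443 --token TOKEN --discovery-token-ca-cert-hash sha256:HASH
# List bootstrap tokens; an empty list means the token has expired (default TTL is 1 day).
kubeadm token list
# Create a token that never expires (--ttl 0). Such a token is a standing
# credential that lets whoever holds it join nodes into the cluster, so prefer
# the default TTL and mint a fresh token per join; if a --ttl 0 token was
# created, delete it once the join is done.
kubeadm token create --ttl 0
kubeadm token delete TOKEN
# Compute the CA public-key hash used by --discovery-token-ca-cert-hash.
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'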
