CKA 04_部署 harbor 仓库 containerd 连接 harbor 仓库 kubeadm 引导集群

文章目录

  • 1. 清空之前的策略
    • 1.1 kubeadm 重置
    • 1.2 刷新 IPtables 表
  • 2. 查看 Kubernetes 集群使用的镜像
  • 3. 搭建 harbor 仓库
    • 3.1 部署 docker
      • 3.1.1 准备镜像源
      • 3.1.2 安装 docker
      • 3.1.3 开机自启 docker
      • 3.1.4 修改内核参数,打开桥接
      • 3.1.5 验证生效
    • 3.2 准备 harbor 仓库的压缩包
    • 3.3 配置 harbor 仓库
    • 3.4 准备 harbor 仓库的证书
    • 3.5 准备解析文件
    • 3.6 部署 docker-compose 工具
    • 3.7 安装 harbor 仓库
    • 3.8 验证部署
    • 3.9 将 Kubernetes 所有镜像放入harbor 仓库
  • ==**第一个 error**==:**Get https://reg.westos.org/v2/: x509: certificate signed by unknown authority**
  • ==**解决方法**==:将 harbor 的 证书 拷贝一份给 docker
  • ==**第二个 error**==:**denied: requested access to the resource is denied**
  • ==**解决方法**==:docker login 登陆 harbor 仓库
    • 3.9 将 Kubernetes 所有镜像放入harbor 仓库
  • 4. containerd 连接 harbor 仓库
    • 4.1 修改 Kubernetes 集群中 containerd 的配置文件
    • 4.2 将 harbor 仓库的证书发送给 Kubernetes 集群
    • 4.3 准备集群的解析文件
    • 4.4 重启 containerd
    • 4.5 验证连接
  • 5. 使用 kubeadm 引导集群
    • 5.1 修改初始化文件
    • 5.2 kubeadm 拉取需要的镜像
  • ==**第三个 error**==:私有仓库中没有合适的版本
  • ==**解决方法**==
    • 5.2 kubeadm 拉取需要的镜像
    • 5.3 再次初始化
    • 5.4 集群加入节点
    • 5.5 验证集群

1. 清空之前的策略

1.1 kubeadm 重置

[root@k8s1 ~]# kubeadm reset
[reset] Reading configuration from the cluster...
[reset] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[reset] WARNING: Changes made to this host by 'kubeadm init' or 'kubeadm join' will be reverted.
[reset] Are you sure you want to proceed? [y/N]: y
[preflight] Running pre-flight checks
The 'update-cluster-status' phase is deprecated and will be removed in a future release. Currently it performs no operation
[reset] Stopping the kubelet service
[reset] Unmounting mounted directories in "/var/lib/kubelet"
[reset] Deleting contents of config directories: [/etc/kubernetes/manifests /etc/kubernetes/pki]
[reset] Deleting files: [/etc/kubernetes/admin.conf /etc/kubernetes/kubelet.conf /etc/kubernetes/bootstrap-kubelet.conf /etc/kubernetes/controller-manager.conf /etc/kubernetes/scheduler.conf]
[reset] Deleting contents of stateful directories: [/var/lib/etcd /var/lib/kubelet /var/lib/dockershim /var/run/kubernetes /var/lib/cni]

The reset process does not clean CNI configuration. To do so, you must remove /etc/cni/net.d

The reset process does not reset or clean up iptables rules or IPVS tables.
If you wish to reset iptables, you must do so manually by using the "iptables" command.

If your cluster was setup to utilize IPVS, run ipvsadm --clear (or similar)
to reset your system's IPVS tables.

The reset process does not clean your kubeconfig files and you must remove them manually.
Please, check the contents of the $HOME/.kube/config file.
[root@k8s2 ~]# kubeadm reset
[root@k8s3 ~]# kubeadm reset

1.2 刷新 IPtables 表

[root@k8s1 ~]# iptables -F
[root@k8s1 ~]# iptables -F -t nat
[root@k8s2 ~]# iptables -F
[root@k8s2 ~]# iptables -F -t nat
[root@k8s3 ~]# iptables -F
[root@k8s3 ~]# iptables -F -t nat

2. 查看 Kubernetes 集群使用的镜像

  • 先打开网络
[root@foundation21 ~]# systemctl start firewalld.service 
[root@k8s1 ~]# crictl img
IMAGE                                                             TAG                 IMAGE ID            SIZE
docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin          v1.0.1              ac40ce6257406       3.82MB
docker.io/rancher/mirrored-flannelcni-flannel                     v0.17.0             9247abf086779       19.9MB
registry.aliyuncs.com/google_containers/coredns                   v1.8.4              8d147537fb7d1       13.7MB
registry.aliyuncs.com/google_containers/coredns                   v1.8.6              a4ca41631cc7a       13.6MB
registry.aliyuncs.com/google_containers/etcd                      3.5.0-0             0048118155842       99.9MB
registry.aliyuncs.com/google_containers/etcd                      3.5.1-0             25f8c7f3da61c       98.9MB
registry.aliyuncs.com/google_containers/kube-apiserver            v1.22.1             f30469a2491a5       31.3MB
registry.aliyuncs.com/google_containers/kube-apiserver            v1.22.2             e64579b7d8862       31.3MB
registry.aliyuncs.com/google_containers/kube-controller-manager   v1.22.1             6e002eb89a881       29.8MB
registry.aliyuncs.com/google_containers/kube-controller-manager   v1.22.2             5425bcbd23c54       29.8MB
registry.aliyuncs.com/google_containers/kube-proxy                v1.22.1             36c4ebbc9d979       35.9MB
registry.aliyuncs.com/google_containers/kube-proxy                v1.22.2             873127efbc8a7       35.9MB
registry.aliyuncs.com/google_containers/kube-scheduler            v1.22.1             aca5ededae9c8       15MB
registry.aliyuncs.com/google_containers/kube-scheduler            v1.22.2             b51ddc1014b04       15MB
registry.aliyuncs.com/google_containers/pause                     3.5                 ed210e3e4a5ba       301kB
registry.aliyuncs.com/google_containers/pause                     3.6                 6270bb605e12e       302kB

3. 搭建 harbor 仓库

3.1 部署 docker

3.1.1 准备镜像源

[root@k8s4 ~]# cd /etc/yum.repos.d/
[root@k8s4 yum.repos.d]# vim docker.repo
[docker]
name=docker-ce
baseurl=http://172.25.21.250/docker-ce
gpgcheck=0

3.1.2 安装 docker

[root@k8s4 yum.repos.d]# yum install -y docker-ce

3.1.3 开机自启 docker

[root@k8s4 yum.repos.d]# systemctl enable --now docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.

3.1.4 修改内核参数,打开桥接

[root@k8s4 ~]# cd /etc/sysctl.d/
[root@k8s4 sysctl.d]# vim docker.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
[root@k8s4 sysctl.d]# sysctl --system

3.1.5 验证生效

[root@k8s4 sysctl.d]# docker info
Client:
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 19.03.15
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc version: 12644e614e25b05da6fd08a38ffa0cfe1903fdec
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 3.10.0-957.el7.x86_64
 Operating System: Red Hat Enterprise Linux Server 7.6 (Maipo)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 991MiB
 Name: k8s4
 ID: RMUV:W2WV:GCXQ:QCE7:IXW4:ZGEY:JT55:DEOM:VPY5:UIU3:MXBO:EZ2S
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

3.2 准备 harbor 仓库的压缩包

官方网址:harbor仓库官方网站

[root@k8s4 ~]# ls
harbor-offline-installer-v1.10.1.tgz
[root@k8s4 ~]# tar zxf harbor-offline-installer-v1.10.1.tgz 

3.3 配置 harbor 仓库

  • 修改 harbor 仓库的域名
  • 修改证书的位置
  • 修改证书密钥的位置
  • 修改 harbor 仓库的登陆密码
[root@k8s4 ~]# cd harbor/
[root@k8s4 harbor]# ls
common.sh  harbor.v1.10.1.tar.gz  harbor.yml  install.sh  LICENSE  prepare
[root@k8s4 harbor]# vim harbor.yml 
hostname: reg.westos.org
  certificate: /data/certs/westos.org.crt
  private_key: /data/certs/westos.org.key
harbor_admin_password: westos

CKA 04_部署 harbor 仓库 containerd 连接 harbor 仓库 kubeadm 引导集群_第1张图片

3.4 准备 harbor 仓库的证书

  • 当前 k8s4 主机的系统版本是 RedHat 7.6,其 openssl 工具的版本较低,没有 --addext 命令(RedHat 8.2 版本上的 openssl 工具有)
[westos@foundation21 Desktop]$ cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.2 (Ootpa)
[westos@foundation21 Desktop]$ openssl req --help
......
 -addext val         Additional cert extension key=value pair (may be given more than once)

CKA 04_部署 harbor 仓库 containerd 连接 harbor 仓库 kubeadm 引导集群_第2张图片

  • RedHat 7.6 没有
[root@k8s4 harbor]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.6 (Maipo)
[root@k8s4 harbor]# openssl req --help

CKA 04_部署 harbor 仓库 containerd 连接 harbor 仓库 kubeadm 引导集群_第3张图片

  • 去 openssl 官方下载 1.1.1 版本(也可以去 阿里云镜像站 下载)

下载地址:openssl官方网站
阿里云镜像站下载地址:阿里云 | openssl

[root@k8s4 ~]# ls
harbor                                openssl11-1.1.1k-3.el7.x86_64.rpm
harbor-offline-installer-v1.10.1.tgz  openssl11-libs-1.1.1k-3.el7.x86_64.rpm
[root@k8s4 ~]# yum install -y openssl11*
  • 生成证书
    (证书的域名要和 harbor 仓库的域名一致)
[root@k8s4 ~]# mkdir /data/certs -p
[root@k8s4 ~]# cd /data/
[root@k8s4 data]# ls
certs
[root@k8s4 data]# openssl11 req -newkey rsa:4096 -nodes -sha256 -keyout /data/certs/westos.org.key -addext "subjectAltName = DNS:reg.westos.org" -x509 -days 365 -out /data/certs/westos.org.crt
Can't load /root/.rnd into RNG
139809964558144:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/root/.rnd
Generating a RSA private key
....................................................++++
.................................++++
writing new private key to '/data/certs/westos.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shannxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:westos
Organizational Unit Name (eg, section) []:cka
Common Name (eg, your name or your server's hostname) []:reg.westos.org
Email Address []:[email protected]
[root@k8s4 data]# ls certs/
westos.org.crt  westos.org.key

3.5 准备解析文件

[root@k8s4 data]# vim /etc/hosts
172.25.21.4     k8s4 reg.westos.org

3.6 部署 docker-compose 工具

[root@k8s4 ~]# mv docker-compose-Linux-x86_64-1.27.0 /usr/local/bin/docker-compose
[root@k8s4 ~]# chmod +x /usr/local/bin/docker-compose
[root@k8s4 ~]# docker-compose 			//命令可以正常执行

3.7 安装 harbor 仓库

[root@k8s4 ~]# cd harbor/
[root@k8s4 harbor]# ./install.sh 

CKA 04_部署 harbor 仓库 containerd 连接 harbor 仓库 kubeadm 引导集群_第4张图片

[root@k8s4 harbor]# docker-compose ps
      Name                     Command                  State                      Ports               
-------------------------------------------------------------------------------------------------------
harbor-core         /harbor/harbor_core              Up (healthy)                                      
harbor-db           /docker-entrypoint.sh            Up (healthy)   5432/tcp                           
harbor-jobservice   /harbor/harbor_jobservice  ...   Up (healthy)                                      
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp          
harbor-portal       nginx -g daemon off;             Up (healthy)   8080/tcp                           
nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:80->8080/tcp,              
                                                                    0.0.0.0:443->8443/tcp              
redis               redis-server /etc/redis.conf     Up (healthy)   6379/tcp                           
registry            /home/harbor/entrypoint.sh       Up (healthy)   5000/tcp                           
registryctl         /home/harbor/start.sh            Up (healthy)                    

3.8 验证部署

验证仓库是否部署成功,访问 harbor 控制面板
CKA 04_部署 harbor 仓库 containerd 连接 harbor 仓库 kubeadm 引导集群_第5张图片CKA 04_部署 harbor 仓库 containerd 连接 harbor 仓库 kubeadm 引导集群_第6张图片

3.9 将 Kubernetes 所有镜像放入harbor 仓库

  • 使用 ctr 命令导出镜像( ctr 命令很长)
[root@k8s1 ~]# ctr ns ls
NAME   LABELS 
k8s.io        
moby  
[root@k8s1 ~]# ctr -n k8s.io i export k8s-1.22.2.tar registry.aliyuncs.com/google_containers/coredns:v1.8.6 registry.aliyuncs.com/google_containers/etcd:3.5.1-0 registry.aliyuncs.com/google_containers/kube-apiserver:v1.22.2 registry.aliyuncs.com/google_containers/kube-controller-manager:v1.22.2 registry.aliyuncs.com/google_containers/kube-proxy:v1.22.2 registry.aliyuncs.com/google_containers/kube-scheduler:v1.22.2 registry.aliyuncs.com/google_containers/pause:3.6
  • 将 镜像包 发送给 harbor 主机
[root@k8s1 ~]# scp k8s-1.22.2.tar k8s4:
  • docker load 命令上传镜像包
[root@k8s4 ~]# docker load -i k8s-1.22.2.tar 
16679402dc20: Loading layer [==================================================>]  657.7kB/657.7kB
2d10b4260c78: Loading layer [==================================================>]  718.9kB/718.9kB
287b21f53b5a: Loading layer [==================================================>]  29.92MB/29.92MB
Loaded image: registry.aliyuncs.com/google_containers/kube-apiserver:v1.22.2
529dc7750f69: Loading layer [==================================================>]   28.4MB/28.4MB
Loaded image: registry.aliyuncs.com/google_containers/kube-controller-manager:v1.22.2
48b90c7688a2: Loading layer [==================================================>]   23.8MB/23.8MB
9e94f35577fb: Loading layer [==================================================>]  12.14MB/12.14MB
Loaded image: registry.aliyuncs.com/google_containers/kube-proxy:v1.22.2
701b343e4ffd: Loading layer [==================================================>]  13.64MB/13.64MB
Loaded image: registry.aliyuncs.com/google_containers/kube-scheduler:v1.22.2
1021ef88c797: Loading layer [==================================================>]  296.5kB/296.5kB
Loaded image: registry.aliyuncs.com/google_containers/pause:3.6
256bc5c338a6: Loading layer [==================================================>]  122.2kB/122.2kB
80e4a2390030: Loading layer [==================================================>]  13.46MB/13.46MB
Loaded image: registry.aliyuncs.com/google_containers/coredns:v1.8.6
6d75f23be3dd: Loading layer [==================================================>]  803.8kB/803.8kB
b6e8c573c18d: Loading layer [==================================================>]  1.076MB/1.076MB
d80003ff5706: Loading layer [==================================================>]  87.39MB/87.39MB
664dd6f2834b: Loading layer [==================================================>]  1.188MB/1.188MB
62ae031121b1: Loading layer [==================================================>]  8.426MB/8.426MB
Loaded image: registry.aliyuncs.com/google_containers/etcd:3.5.1-0
[root@k8s4 ~]# docker images
REPOSITORY                                                        TAG                              IMAGE ID            CREATED             SIZE
registry.aliyuncs.com/google_containers/etcd                      3.5.1-0                          25f8c7f3da61        5 months ago        293MB
registry.aliyuncs.com/google_containers/coredns                   v1.8.6                           a4ca41631cc7        6 months ago        46.8MB
registry.aliyuncs.com/google_containers/kube-apiserver            v1.22.2                          e64579b7d886        7 months ago        128MB
registry.aliyuncs.com/google_containers/kube-controller-manager   v1.22.2                          5425bcbd23c5        7 months ago        122MB
registry.aliyuncs.com/google_containers/kube-proxy                v1.22.2                          873127efbc8a        7 months ago        104MB
registry.aliyuncs.com/google_containers/kube-scheduler            v1.22.2                          b51ddc1014b0        7 months ago        52.7MB
registry.aliyuncs.com/google_containers/pause                     3.6                              6270bb605e12        7 months ago        683kB
goharbor/chartmuseum-photon                                       v0.9.0-v1.10.1                   0245d66323de        2 years ago         128MB
goharbor/harbor-migrator                                          v1.10.1                          a4f99495e0b0        2 years ago         364MB
goharbor/redis-photon                                             v1.10.1                          550a58b0a311        2 years ago         111MB
goharbor/clair-adapter-photon                                     v1.0.1-v1.10.1                   2ec99537693f        2 years ago         61.6MB
goharbor/clair-photon                                             v2.1.1-v1.10.1                   622624e16994        2 years ago         171MB
goharbor/notary-server-photon                                     v0.6.1-v1.10.1                   e4ff6d1f71f9        2 years ago         143MB
goharbor/notary-signer-photon                                     v0.6.1-v1.10.1                   d3aae2fc17c6        2 years ago         140MB
goharbor/harbor-registryctl                                       v1.10.1                          ddef86de6480        2 years ago         104MB
goharbor/registry-photon                                          v2.7.1-patch-2819-2553-v1.10.1   1a0c5f22cfa7        2 years ago         86.5MB
goharbor/nginx-photon                                             v1.10.1                          01276d086ad6        2 years ago         44MB
goharbor/harbor-log                                               v1.10.1                          1f5c9ea164bf        2 years ago         82.3MB
goharbor/harbor-jobservice                                        v1.10.1                          689368d30108        2 years ago         143MB
goharbor/harbor-core                                              v1.10.1                          14151d58ac3f        2 years ago         130MB
goharbor/harbor-portal                                            v1.10.1                          8a9856c37798        2 years ago         52.1MB
goharbor/harbor-db                                                v1.10.1                          18548720d8ad        2 years ago         148MB
goharbor/prepare                                                  v1.10.1                          897a4d535ced        2 years ago         192MB
  • 在 harbor 仓库中创建一个公开项目,存放 k8s 的镜像包
    CKA 04_部署 harbor 仓库 containerd 连接 harbor 仓库 kubeadm 引导集群_第7张图片

  • docker push 命令上传镜像到 harbor 仓库

[root@k8s4 ~]# docker images | grep google_containers | awk '{print $1":"$2}' | awk -F/ '{system("docker tag "$0" reg.westos.org/k8s/"$3"")}'
[root@k8s4 ~]# docker images | grep reg.westos.org/k8s/
reg.westos.org/k8s/etcd                                           3.5.1-0                          25f8c7f3da61        5 months ago        293MB
reg.westos.org/k8s/coredns                                        v1.8.6                           a4ca41631cc7        6 months ago        46.8MB
reg.westos.org/k8s/kube-apiserver                                 v1.22.2                          e64579b7d886        7 months ago        128MB
reg.westos.org/k8s/kube-controller-manager                        v1.22.2                          5425bcbd23c5        7 months ago        122MB
reg.westos.org/k8s/kube-scheduler                                 v1.22.2                          b51ddc1014b0        7 months ago        52.7MB
reg.westos.org/k8s/kube-proxy                                     v1.22.2                          873127efbc8a        7 months ago        104MB
reg.westos.org/k8s/pause                                          3.6                              6270bb605e12        7 months ago        683kB

第一个 errorGet https://reg.westos.org/v2/: x509: certificate signed by unknown authority

  • docker 无 harbor 的证书,无访问 harbor 的权限
[root@k8s4 ~]# docker push reg.westos.org/k8s/etcd:3.5.1-0 
The push refers to repository [reg.westos.org/k8s/etcd]
Get https://reg.westos.org/v2/: x509: certificate signed by unknown authority

解决方法:将 harbor 的 证书 拷贝一份给 docker

[root@k8s4 ~]# cd /etc/docker/
[root@k8s4 docker]# mkdir certs.d
[root@k8s4 docker]# cd certs.d/
[root@k8s4 certs.d]# mkdir reg.westos.org
[root@k8s4 certs.d]# cd reg.westos.org/
[root@k8s4 reg.westos.org]# cp /data/certs/westos.org.crt .
[root@k8s4 reg.westos.org]# ls
westos.org.crt
[root@k8s4 reg.westos.org]# pwd
/etc/docker/certs.d/reg.westos.org

第二个 errordenied: requested access to the resource is denied

  • 下载可以匿名,上传需要认证。需要在终端登陆 harbor 仓库
[root@k8s4 reg.westos.org]# docker push reg.westos.org/k8s/etcd:3.5.1-0 
The push refers to repository [reg.westos.org/k8s/etcd]
62ae031121b1: Preparing 
664dd6f2834b: Preparing 
d80003ff5706: Preparing 
b6e8c573c18d: Preparing 
6d75f23be3dd: Preparing 
denied: requested access to the resource is denied

解决方法:docker login 登陆 harbor 仓库

[root@k8s4 reg.westos.org]# docker login reg.westos.org
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@k8s4 reg.westos.org]# cat /root/.docker/config.json 
{
	"auths": {
		"reg.westos.org": {
			"auth": "YWRtaW46d2VzdG9z"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.15 (linux)"
	}

3.9 将 Kubernetes 所有镜像放入harbor 仓库

[root@k8s4 ~]# docker images | grep westos | awk '{system("docker push "$1":"$2"")}'
  • 上传成功!!!
    CKA 04_部署 harbor 仓库 containerd 连接 harbor 仓库 kubeadm 引导集群_第8张图片

4. containerd 连接 harbor 仓库

4.1 修改 Kubernetes 集群中 containerd 的配置文件

  • Kubernetes 修改 containerd 的配置文件 config.toml
  • 修改拉取镜像的地址
  • 修改仓库的证书路径
[root@k8s1 ~]# cd /etc/containerd/
[root@k8s1 containerd]# ls
config.toml
[root@k8s1 containerd]# vim config.toml
     sandbox_image = "reg.westos.org/k8s/pause:3.6"

    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/containerd/certs.d"
[root@k8s2 ~]# cd /etc/containerd/
[root@k8s2 containerd]# ls
certs.d  config.toml
[root@k8s2 containerd]# vim config.toml 
    sandbox_image = "reg.westos.org/k8s/pause:3.6"
      config_path = "/etc/containerd/certs.d"
[root@k8s3 ~]# vim /etc/containerd/config.toml 
    sandbox_image = "reg.westos.org/k8s/pause:3.6"
      config_path = "/etc/containerd/certs.d"

4.2 将 harbor 仓库的证书发送给 Kubernetes 集群

[root@k8s1 containerd]# pwd
/etc/containerd
[root@k8s1 containerd]# mkdir certs.d
[root@k8s1 containerd]# cd certs.d/
[root@k8s1 certs.d]# mkdir reg.westos.org
[root@k8s1 certs.d]# cd reg.westos.org/
[root@k8s1 reg.westos.org]# scp k8s4:/data/certs/westos.org.crt .
root@k8s4's password: 
westos.org.crt                                                                    100% 2155     2.1MB/s   00:00    
[root@k8s1 reg.westos.org]# ls
westos.org.crt
[root@k8s1 containerd]# pwd
/etc/containerd
[root@k8s1 containerd]# scp -r certs.d/ k8s2:/etc/containerd
westos.org.crt                                                                    100% 2155     2.8MB/s   00:00    
[root@k8s1 containerd]# scp -r certs.d/ k8s3:/etc/containerd
westos.org.crt                                                                    100% 2155     2.4MB/s   00:00    

4.3 准备集群的解析文件

[root@k8s1 reg.westos.org]# vim /etc/hosts
172.25.21.4     k8s4 reg.westos.org
[root@k8s2 reg.westos.org]# vim /etc/hosts
172.25.21.4     k8s4 reg.westos.org
[root@k8s3 reg.westos.org]# vim /etc/hosts
172.25.21.4     k8s4 reg.westos.org

4.4 重启 containerd

[root@k8s1 ~]# systemctl restart containerd.service 
[root@k8s2 ~]# systemctl restart containerd.service 
[root@k8s3 ~]# systemctl restart containerd.service 

4.5 验证连接

[root@k8s1 containerd]# crictl pull reg.westos.org/k8s/pause:3.6
Image is up to date for sha256:6270bb605e12e581514ada5fd5b3216f727db55dc87d5889c790e4c760683fee
  • harbor 仓库中记录了下载的经过

CKA 04_部署 harbor 仓库 containerd 连接 harbor 仓库 kubeadm 引导集群_第9张图片

5. 使用 kubeadm 引导集群

5.1 修改初始化文件

[root@k8s1 ~]# vim kubeadm-init.yaml 
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: "172.25.21.100:6443"		// 可以忽略这一点
controllerManager: {}
dns: {}
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: reg.westos.org/k8s			//指向私有仓库的位置
kind: ClusterConfiguration
kubernetesVersion: 1.22.1
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}

5.2 kubeadm 拉取需要的镜像

第三个 error:私有仓库中没有合适的版本

[root@k8s1 ~]# kubeadm config images pull --config kubeadm-init.yaml
failed to pull image "reg.westos.org/k8s/kube-apiserver:v1.22.1": output: time="2022-04-21T20:24:15+08:00" level=fatal msg="pulling image: rpc error: code = NotFound desc = failed to pull and unpack image \"reg.westos.org/k8s/kube-apiserver:v1.22.1\": failed to resolve reference \"reg.westos.org/k8s/kube-apiserver:v1.22.1\": reg.westos.org/k8s/kube-apiserver:v1.22.1: not found"
, error: exit status 1
To see the stack trace of this error execute with --v=5 or higher

解决方法

  • docker 根据报错的信息去 阿里云镜像站 拉取镜像
[root@k8s4 ~]# docker pull registry.aliyuncs.com/google_containers/pause:3.5
[root@k8s4 ~]# docker pull registry.aliyuncs.com/google_containers/kube-apiserver:v1.22.1
[root@k8s4 ~]# docker pull registry.aliyuncs.com/google_containers/kube-controller-manager:v1.22.1
[root@k8s4 ~]# docker pull registry.aliyuncs.com/google_containers/kube-scheduler:v1.22.1
[root@k8s4 ~]# docker pull registry.aliyuncs.com/google_containers/kube-proxy:v1.22.1
[root@k8s4 ~]# docker pull registry.aliyuncs.com/google_containers/etcd:3.5.0-0
[root@k8s4 ~]# docker pull registry.aliyuncs.com/google_containers/coredns:v1.8.4
  • 再改名,分组
[root@k8s4 ~]# docker tag registry.aliyuncs.com/google_containers/pause:3.5 reg.westos.org/k8s/pause:3.5
[root@k8s4 ~]# docker tag registry.aliyuncs.com/google_containers/kube-apiserver:v1.22.1 reg.westos.org/k8s/kube-apiserver:v1.22.1
[root@k8s4 ~]# docker tag registry.aliyuncs.com/google_containers/kube-controller-manager:v1.22.1 reg.westos.org/k8s/kube-controller-manager:v1.22.1
[root@k8s4 ~]# docker tag registry.aliyuncs.com/google_containers/kube-scheduler:v1.22.1 reg.westos.org/k8s/kube-scheduler:v1.22.1
[root@k8s4 ~]# docker tag registry.aliyuncs.com/google_containers/kube-proxy:v1.22.1 reg.westos.org/k8s/kube-proxy:v1.22.1
[root@k8s4 ~]# docker tag registry.aliyuncs.com/google_containers/etcd:3.5.0-0 reg.westos.org/k8s/etcd:3.5.0-0
[root@k8s4 ~]# docker tag registry.aliyuncs.com/google_containers/coredns:v1.8.4 reg.westos.org/k8s/coredns:v1.8.4
  • 上传到 harbor
[root@k8s4 ~]# docker push reg.westos.org/k8s/pause:3.5
The push refers to repository [reg.westos.org/k8s/pause]
dee215ffc666: Pushed 
3.5: digest: sha256:2f4b437353f90e646504ec8317dacd6123e931152674628289c990a7a05790b0 size: 526
[root@k8s4 ~]# docker push reg.westos.org/k8s/kube-apiserver:v1.22.1
The push refers to repository [reg.westos.org/k8s/kube-apiserver]
09a0fcc34bc8: Pushed 
71204d686e50: Pushed 
07363fa84210: Pushed 
v1.22.1: digest: sha256:d61567706f42ef70e6351e2fd5637e69bcef6d487442fbfa9d1fee15e694faa8 size: 949
[root@k8s4 ~]# docker push reg.westos.org/k8s/kube-controller-manager:v1.22.1
[root@k8s4 ~]# docker push reg.westos.org/k8s/kube-scheduler:v1.22.1
[root@k8s4 ~]# docker push reg.westos.org/k8s/kube-proxy:v1.22.1
[root@k8s4 ~]# docker push reg.westos.org/k8s/etcd:3.5.0-0
[root@k8s4 ~]# docker push reg.westos.org/k8s/coredns:v1.8.4

5.2 kubeadm 拉取需要的镜像

再次拉取成功!!!

[root@k8s1 ~]# kubeadm config images pull --config kubeadm-init.yaml
[config/images] Pulled reg.westos.org/k8s/kube-apiserver:v1.22.1
[config/images] Pulled reg.westos.org/k8s/kube-controller-manager:v1.22.1
[config/images] Pulled reg.westos.org/k8s/kube-scheduler:v1.22.1
[config/images] Pulled reg.westos.org/k8s/kube-proxy:v1.22.1
[config/images] Pulled reg.westos.org/k8s/pause:3.5
[config/images] Pulled reg.westos.org/k8s/etcd:3.5.0-0
[config/images] Pulled reg.westos.org/k8s/coredns:v1.8.4

5.3 再次初始化

  • 保留 join 命令
[root@k8s1 ~]# kubeadm init --config kubeadm-init.yaml --upload-certs

CKA 04_部署 harbor 仓库 containerd 连接 harbor 仓库 kubeadm 引导集群_第10张图片

5.4 集群加入节点

[root@k8s2 ~]# kubeadm join 172.25.21.100:6443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:31b8b3c4fda3fb790bd7d6bb3cca2dd0e6b6870eec9842a201493b0a78e45aee --control-plane --certificate-key 03fc498033a4f8e66cc8a74dbfdac7d8f40908d3fa7dd6b8f3a3014ac5aee3c4
[root@k8s3 ~]# kubeadm join 172.25.21.100:6443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:31b8b3c4fda3fb790bd7d6bb3cca2dd0e6b6870eec9842a201493b0a78e45aee --control-plane --certificate-key 03fc498033a4f8e66cc8a74dbfdac7d8f40908d3fa7dd6b8f3a3014ac5aee3c4

5.5 验证集群

[root@k8s1 ~]# kubectl get pod -A
NAMESPACE     NAME                           READY   STATUS    RESTARTS        AGE
kube-system   coredns-bdc44d9f-fgm8h         1/1     Running   0               8m15s
kube-system   coredns-bdc44d9f-zr4mf         1/1     Running   0               8m15s
kube-system   etcd-k8s1                      1/1     Running   0               8m35s
kube-system   etcd-k8s2                      1/1     Running   0               5m49s
kube-system   etcd-k8s3                      1/1     Running   0               3m44s
kube-system   kube-apiserver-k8s1            1/1     Running   0               8m21s
kube-system   kube-apiserver-k8s2            1/1     Running   0               5m51s
kube-system   kube-apiserver-k8s3            1/1     Running   0               3m45s
kube-system   kube-controller-manager-k8s1   1/1     Running   1 (5m40s ago)   8m34s
kube-system   kube-controller-manager-k8s2   1/1     Running   0               5m51s
kube-system   kube-controller-manager-k8s3   1/1     Running   0               3m45s
kube-system   kube-proxy-bnhvg               1/1     Running   0               5m51s
kube-system   kube-proxy-gkgxt               1/1     Running   0               8m15s
kube-system   kube-proxy-vnhjh               1/1     Running   0               3m45s
kube-system   kube-scheduler-k8s1            1/1     Running   1 (5m40s ago)   8m32s
kube-system   kube-scheduler-k8s2            1/1     Running   0               5m51s
kube-system   kube-scheduler-k8s3            1/1     Running   0               3m45s

你可能感兴趣的:(kubernetes,kubernetes,容器,云原生)