搭建k8s集群

环境描述

系统环境
CentOS Linux release 7.6.1810 (Core）
Docker version 20.10.5
Kubernetes：1.18.2

初始化

升级系统内核到最新
关闭系统防火墙和Selinux
主机名解析
时间同步
禁用Swap

安装docker-ce

 yum install -y yum-utils device-mapper-persistent-data lvm2
 yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
 yum -y install docker-ce
 systemctl enable docker && systemctl start docker

修改docker默认配置

[root@k8s-master ~]# cat /etc/docker/daemon.json 
{
  "features": { "buildkit": true },
  "exec-opts": ["native.cgroupdriver=systemd"], 
  "live-restore": true,
  "log-driver":"json-file",
  "log-opts": {"max-size":"500m", "max-file":"3"}
}

重启docker-ce

systemctl restart docker

修改系统参数

文件描述符

 echo "* soft nofile 65536" >> /etc/security/limits.conf
 echo "* hard nofile 65536" >> /etc/security/limits.conf
 echo "* soft nproc 65536"  >> /etc/security/limits.conf
 echo "* hard nproc 65536"  >> /etc/security/limits.conf
 echo "* soft  memlock  unlimited"  >> /etc/security/limits.conf
 echo "* hard memlock  unlimited"  >> /etc/security/limits.conf

内核参数

 modprobe overlay
 modprobe br_netfilter
 cat  /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1

# sysctl --system

安装kubelet、kubeadm、kubectl

# cat /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg

# yum install -y kubeadm-1.18.2-0.x86_64 kubelet-1.18.2-0.x86_64 kubctl-1.18.2-0.x86_64
# systemctl enable kubelet

初始化集群

# kubeadm init \
--image-repository registry.aliyuncs.com/google_containers \
--kubernetes-version v1.18.2 \
--control-plane-endpoint 10.0.16.6 \
--apiserver-advertise-address 10.0.16.6 \
--pod-network-cidr 10.244.0.0/16 \
--token-ttl 0

说明

--image-repository 指定国内镜像源地址。由于国内网络问题，无法拉取到国外镜像站点的镜像。
--kubernetes-version 指定版本
--control-plane-endpoint 指定控制平面的固定访问点，可以为ip或者DNS域名。被用于集群管理员和集群组件的kubeconfig配置文件的API Server的访问地址。
--apiserver-advertise-address apiserver通告给其他组件的ip地址，一般为该master节点的用于集群内部通信的ip地址
--pod-network-cidr pod网络的地址范围，flannel插件默认为：10.244.0.0/16，calico插件默认为：192.168.0.0/16。
--token-ttl 共享令牌过期时间，默认为24h，0表示永不过期。

以下结果表示初始化完成

[root@k8s-master ~]# kubeadm init --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.18.2 --control-plane-endpoint 10.0.16.6 --apiserver-advertise-address 10.0.16.6 --pod-network-cidr 10.244.0.0/16 --token-ttl 0
W0712 11:14:39.213062   22029 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[init] Using Kubernetes version: v1.18.2
[preflight] Running pre-flight checks
        [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 20.10.5. Latest validated version: 19.03
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [k8s-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 10.0.16.6 10.0.16.6]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [k8s-master localhost] and IPs [10.0.16.6 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [k8s-master localhost] and IPs [10.0.16.6 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
W0712 11:15:13.312567   22029 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
[control-plane] Creating static Pod manifest for "kube-scheduler"
W0712 11:15:13.313545   22029 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 25.002463 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config-1.18" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node k8s-master as control-plane by adding the label "node-role.kubernetes.io/master=''"
[mark-control-plane] Marking the node k8s-master as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[bootstrap-token] Using token: e1bins.buyxiwl762rf6r2n
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:

  kubeadm join 10.0.16.6:6443 --token e1bins.buyxiwl762rf6r2n \
    --discovery-token-ca-cert-hash sha256:03c8c64e6bb7bd1b9b5bf29d0b5afa84e209510d40563c0c60320a49bc60cef9 \
    --control-plane 

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 10.0.16.6:6443 --token e1bins.buyxiwl762rf6r2n \
    --discovery-token-ca-cert-hash sha256:03c8c64e6bb7bd1b9b5bf29d0b5afa84e209510d40563c0c60320a49bc60cef9

按照结果创建认证文件

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

部署flannel网络插件

# kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

添加工作节点

在所有工作节点执行以下命令即可

kubeadm join 10.0.16.6:6443 --token e1bins.buyxiwl762rf6r2n \
    --discovery-token-ca-cert-hash sha256:03c8c64e6bb7bd1b9b5bf29d0b5afa84e209510d40563c0c60320a49bc60cef9

添加其他控制节点

控制平面中的节点需要共享Kubernetes CA、Etcd CA和Kube-proxy CA等的证书信息和私钥信息。 做法有两种：

手动将第一个控制平面上生成的证书及私钥文件添加到其他master节点
借助kubeadm init phase命令
本次我们采用第二种方法实现

[root@k8s-master ~]# kubeadm init phase upload-certs --upload-certs
I0712 11:45:04.132590    7667 version.go:252] remote version is much newer: v1.24.2; falling back to: stable-1.18
W0712 11:45:04.867697    7667 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
f238f686e0f33911989711d1d8765359387d92894ce396a05df68e7f9973713b

以上命令生成的secret生命周期为2h，超过时长后，需要重新运行以上生成。

# kubeadm join 10.0.16.6:6443 --token e1bins.buyxiwl762rf6r2n \
    --discovery-token-ca-cert-hash sha256:03c8c64e6bb7bd1b9b5bf29d0b5afa84e209510d40563c0c60320a49bc60cef9 \
    --control-plane --certificate-key f238f686e0f33911989711d1d8765359387d92894ce396a05df68e7f9973713b

# mkdir -p $HOME/.kube
# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
# sudo chown $(id -u):$(id -g) $HOME/.kube/config