1.因为我这里是用的腾讯云服务所以需要打开对应的安全组,如果是虚拟机的话配置对应的虚拟机即可这里就不做说明了网上有
1.建议升级内核至4.18版本以上否则可能会出现内存溢出的bug
2.k8s在1.24版本剔除了docker做为容器运行时,因此如果想继续使用docker需要安装cri-docker
3.如果开启ipvs还需要安装ipvsadm (可选)
软件 | 版本 |
---|---|
操作系统 | CentOS7.9_x64 |
docker | 20.10.22 |
cir-docker | 0.3.0 |
Kubernetes | 1.26.0 |
角色 | IP | 组件 |
---|---|---|
qcloud-host01 | 1.117.115.10 | |
qcloud-node01 | 134.175.228.10 | |
#升级系统
yum update -y --exclude=kernel*
#升级内核(下载最新的版本)
wget https://mirrors.aliyun.com/elrepo/kernel/el7/x86_64/RPMS/
rpm -ivh kernel-ml-*
grub2-set-default 0
grub2-mkconfig -o /boot/grub2/grub.cfg
#修改主机名
hostnamectl set-hostname qcloud-host01
#在原有配置后面添加
vi /etc/hosts
1.117.115.10 qcloud-host01
134.175.228.10 qcloud-node01
mkdir -p /var/log/journal
mkdir -p /etc/systemd/journald.conf.d
cat > /etc/systemd/journald.conf.d/99-prophet.conf <<EOF
[Journal]
# 持久化保存到磁盘
Storage=persistent
# 压缩历史日志
Compress=yes
SyncIntervalSec=5m
RateLimitInterval=30s
RateLimitBurst=1000
# 最大占用空间 10G
SystemMaxUse=1G
# 单日志文件最大 200M
SystemMaxFileSize=10M
# 日志保存时间 2 周
MaxRetentionSec=2week
# 不将日志转发到 syslog
ForwardToSyslog=no
EOF
systemctl restart systemd-journald && systemctl enable systemd-journald
yum install ipvsadm ipset sysstat conntrack -y
cat >> /etc/modules-load.d/ipvs.conf <<EOF
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
ip_tables
ip_set
xt_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip
EOF
systemctl restart systemd-modules-load.service
lsmod | grep -e ip_vs -e nf_conntrack
#安装 libseccomp
yum -y install http://rpmfind.net/linux/centos/8-stream/BaseOS/x86_64/os/Packages/libseccomp-2.5.2-1.el8.x86_64.rpm
#查看版本
rpm -qa | grep libseccomp
cat >> /etc/modules-load.d/k8s.conf <<EOF
overlay
br_netfilter
EOF
sudo modprobe overlay
sudo modprobe br_netfilter
# 设置所需的 sysctl 参数,参数在重新启动后保持不变
cat >> /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
# 应用 sysctl 参数而不重新启动
sudo sysctl --system
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssl_1.6.3_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssljson_1.6.3_linux_amd64
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssl-certinfo_1.6.3_linux_amd64
chmod +x cfssl_1.6.3_linux_amd64 cfssljson_1.6.3_linux_amd64 cfssl-certinfo_1.6.3_linux_amd64
mv cfssl_1.6.3_linux_amd64 /usr/local/bin/cfssl
mv cfssljson_1.6.3_linux_amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_1.6.3_linux_amd64 /usr/local/bin/cfssl-certinfo
# 证书目录
mkdir -p /opt/certificate/etcd/conf
mkdir -p /opt/certificate/kubernetes/conf
cd /opt/certificate/etcd/conf
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"etcd": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CA": {
"expiry": "87600h"
},
"CN": "etcd-cluster",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"TS": "Beijing",
"L": "Beijing",
"O": "etcd-cluster",
"OU": "System"
}
]
}
EOF
#生成证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cat > etcd-server-csr.json << EOF
{
"CN": "etcd-server",
"hosts": [
"1.117.115.10",
"134.175.228.10",
"127.0.0.1"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"TS": "Beijing",
"L": "Beijing",
"O": "etcd-server",
"OU": "System"
}
]
}
EOF
#生成证书
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=etcd \
etcd-server-csr.json | cfssljson -bare etcd-server
cat > etcd-client-csr.json << EOF
{
"CN": "etcd-client",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"TS": "Beijing",
"L": "Beijing",
"O": "etcd-client",
"OU": "System"
}
]
}
EOF
#生成证书
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=etcd \
etcd-client-csr.json | cfssljson -bare etcd-client
mv *.pem ../
cd /opt/certificate/kubernetes/conf
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CA": {
"expiry": "87600h"
},
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"TS": "Beijing",
"L": "Beijing",
"O": "kubernetes",
"OU": "System"
}
]
}
EOF
#生成证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cat > kube-apiserver-csr.json <<EOF
{
"CN": "kube-apiserver",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"1.117.115.10",
"134.175.228.10",
"42.192.161.108",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"TS": "Beijing",
"L": "Beijing",
"O": "kube-apiserver",
"OU": "System"
}
]
}
EOF
#生成证书
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-apiserver-csr.json | cfssljson -bare kube-apiserver
cat > front-proxy-ca-csr.json <<EOF
{
"CA": {
"expiry": "87600h"
},
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
}
}
EOF
#生成证书
cfssl gencert -initca front-proxy-ca-csr.json | cfssljson -bare front-proxy-ca
cat > front-proxy-client-csr.json <<EOF
{
"CN": "front-proxy-client",
"key": {
"algo": "rsa",
"size": 2048
}
}
EOF
#生成证书
cfssl gencert \
-ca=front-proxy-ca.pem \
-ca-key=front-proxy-ca-key.pem \
-config=ca-config.json \
-profile=kubernetes front-proxy-client-csr.json | cfssljson -bare front-proxy-client
cat > kube-controller-manager-csr.json <<EOF
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"TS": "Beijing",
"L": "Beijing",
"O": "system:kube-controller-manager",
"OU": "System"
}
]
}
EOF
#生成证书
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
cat > kube-scheduler-csr.json <<EOF
{
"CN": "system:kube-scheduler",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"TS": "Beijing",
"L": "Beijing",
"O": "system:kube-scheduler",
"OU": "System"
}
]
}
EOF
#生成证书
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-scheduler-csr.json | cfssljson -bare kube-scheduler
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"TS": "Beijing",
"L": "Beijing",
"O": "system:kube-proxy",
"OU": "System"
}
]
}
EOF
#生成证书
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-proxy-csr.json | cfssljson -bare kube-proxy
cat > admin-csr.json <<EOF
{
"CN": "admin",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"TS": "Beijing",
"L": "Beijing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
#生成证书
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
admin-csr.json | cfssljson -bare admin
openssl genrsa -out sa.key 2048
openssl rsa -in sa.key -pubout -out sa.pub
mv *.pem ../
mv sa.pub ../
mv sa.key ../
注意:docker跟containerd选一种就行
yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-engine
yum install -y yum-utils \
device-mapper-persistent-data \
lvm2
yum-config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io
systemctl start docker
systemctl enable docker
#设置国内镜像源
cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors": [
"https://mirror.ccs.tencentyun.com"
],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m",
"max-file": "3"
},
"exec-opts": [
"native.cgroupdriver=systemd"
],
"storage-driver": "overlay2"
}
EOF
systemctl restart docker
#创建目录
mkdir -p /opt/bin/cri/dockerd
cd /opt/bin/cri/dockerd
#下载二进制包
wget https://github.com/Mirantis/cri-dockerd/releases/download/v0.3.0/cri-dockerd-0.3.0.amd64.tgz
#解压
tar zxvf cri-dockerd-0.3.0.amd64.tgz
#
cd cri-dockerd-0.3.0.amd64/cri-dockerd
chmod +x cri-dockerd
cp cri-docker /opt/bin/cri/dockerd/
cat > /lib/systemd/system/cri-docker.service <<EOF
[Unit]
Description=CRI Interface for Docker Application Container Engine
Documentation=https://docs.mirantis.com
After=network-online.target firewalld.service docker.service
Wants=network-online.target
Requires=cri-docker.socket
[Service]
Type=notify
ExecStart=/opt/bin/cri/dockerd/cri-dockerd --network-plugin=cni --pod-infra-container-image=imaxun/pause:3.9
ExecReload=/bin/kill -s HUP
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
cat > /lib/systemd/system/cri-docker.socket <<EOF
[Unit]
Description=CRI Docker Socket for the API
PartOf=cri-docker.service
[Socket]
ListenStream=%t/cri-dockerd.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker
[Install]
WantedBy=sockets.target
EOF
###启动服务
systemctl daemon-reload ; systemctl enable cri-docker --now
#下载二进制包 这3个都需要安装
wget https://github.com/containerd/containerd/releases/download/v1.6.15/cri-containerd-cni-1.6.15-linux-amd64
wget https://github.com/moby/buildkit/releases/download/v0.11.0/buildkit-v0.11.0.linux-amd64.tar.gz
wget https://github.com/containerd/nerdctl/releases/download/v1.1.0/nerdctl-1.1.0-linux-amd64.tar.gz
#解压containerd
tar zxvf cri-containerd-cni-1.6.15-linux-amd64
cp cri-containerd-cni-1.6.15-linux-amd64/usr/local/bin/* /usr/local/bin/
cp cri-containerd-cni-1.6.15-linux-amd64/usr/local/sbin/* /usr/local/sbin/
#buildkit
tar zxvf buildkit-v0.11.0.linux-amd64.tar.gz
cp buildkit-v0.11.0.linux-amd64/bin/* /usr/local/bin/
#nerdctl
tar zxvf nerdctl-1.1.0-linux-amd64.tar.gz
cp nerdctl-1.1.0-linux-amd64/nerdctl /usr/local/bin/
#配置环境变量
export PATH=$PATH:/usr/local/bin:/usr/local/sbin
source /etc/profile
containerd 配置文件
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml
#修改配置
sandbox_image = "imaxun/pause:3.9"
#使用 systemd 作为容器的 cgroup driver
SystemdCgroup = true
#然后再为镜像仓库配置一个加速器
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
#新增
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
endpoint = ["https://quay.tencentcloudcr.com"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://registry-1.docker.io", "https://mirror.ccs.tencentyun.com"]
buildkit配置文件
mkdir -p /etc/buildkit
cat > /etc/buildkit/buildkitd.toml <<EOF
debug = true
# root is where all buildkit state is stored.
root = "/var/lib/buildkit"
[worker.oci]
enabled = false
[worker.containerd]
address = "/run/containerd/containerd.sock"
enabled = true
platforms = [ "linux/amd64"]
namespace = "default"
gc = true
# gckeepstorage sets storage limit for default gc profile, in MB.
gckeepstorage = 9000
# maintain a pool of reusable CNI network namespaces to amortize the overhead
# of allocating and releasing the namespaces
cniPoolSize = 16
EOF
nerdctl配置文件
mkdir -p /etc/nerdctl
cat > /etc/nerdctl/nerdctl.toml <<EOF
# This is an example of /etc/nerdctl/nerdctl.toml .
# Unrelated to the daemon's /etc/containerd/config.toml .
debug = false
debug_full = false
address = "unix:///run/containerd/containerd.sock"
namespace = "k8s.io"
snapshotter = "overlayfs"
cgroup_manager = "cgroupfs"
hosts_dir = ["/etc/containerd/certs.d", "/etc/docker/certs.d"]
experimental = true
cni_path = "/opt/cni/bin"
EOF
#配置环境变量
export NERDCTL_TOML=/etc/nerdctl/nerdctl.toml
source /etc/profile
containerd 服务
cat > /lib/systemd/system/containerd.service <<EOF
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target
[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Type=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999
[Install]
WantedBy=multi-user.target
EOF
###启动服务
systemctl daemon-reload ; systemctl enable containerd --now
buildkitd服务
cat > /lib/systemd/system/buildkit.service <<EOF
[Unit]
Description=BuildKit
Requires=buildkit.socket
After=buildkit.socket
Documentation=https://github.com/moby/buildkit
[Service]
Type=notify
ExecStart=/usr/local/bin/buildkitd --addr fd:// --config=/etc/buildkit/buildkitd.toml
[Install]
WantedBy=multi-user.target
EOF
cat > /lib/systemd/system/buildkit.socket <<EOF
[Unit]
Description=BuildKit
Documentation=https://github.com/moby/buildkit
[Socket]
ListenStream=%t/buildkit/buildkitd.sock
SocketMode=0660
[Install]
WantedBy=sockets.target
EOF
###启动服务
systemctl daemon-reload ; systemctl enable buildkit --now
以下部署步骤在规划的三个etcd节点操作一样,唯一不同的是etcd配置文件中的服务器IP要写当前的:
#创建目录
mkdir -p /opt/bin/etcd
mkdir -p /opt/cfg/etcd
cd /opt/bin/etcd
#下载
wget https://github.com/etcd-io/etcd/releases/download/v3.5.6/etcd-v3.5.6-linux-amd64.tar.gz
#解压
tar zxvf etcd-v3.5.6-linux-amd64.tar.gz
#受权
chmod +x etcdctl etcd
#配置环境变量
vi /etc/profile
export PATH=$PATH:/opt/bin/etcd
source /etc/profile
cat > /opt/cfg/etcd/etcd-conf.yml <<EOF
# 配置文档参考 https://doczhcn.gitbook.io/etcd/index/index-1/configuration
name: 'etcd01'
data-dir: /opt/data/etcd
wal-dir: /opt/data/etcd/wal
snapshot-count: 5000
heartbeat-interval: 100
election-timeout: 1000
quota-backend-bytes: 0
listen-peer-urls: 'https://172.17.0.17:2380'
listen-client-urls: 'https://172.17.0.17:2379,http://127.0.0.1:2379'
max-snapshots: 3
max-wals: 5
cors:
initial-advertise-peer-urls: 'https://1.117.115.10:2380'
advertise-client-urls: 'https://1.117.115.10:2379'
discovery:
discovery-fallback: 'proxy'
discovery-proxy:
discovery-srv:
initial-cluster: 'etcd01=https://1.117.115.10:2380'
initial-cluster-token: 'etcd-cluster'
initial-cluster-state: 'new'
strict-reconfig-check: false
enable-v2: true
enable-pprof: true
proxy: 'off'
proxy-failure-wait: 5000
proxy-refresh-interval: 30000
proxy-dial-timeout: 1000
proxy-write-timeout: 5000
proxy-read-timeout: 0
client-transport-security:
cert-file: '/opt/certificate/etcd/etcd-server.pem'
key-file: '/opt/certificate/etcd/etcd-server-key.pem'
client-cert-auth: true
trusted-ca-file: '/opt/certificate/etcd/ca.pem'
auto-tls: true
peer-transport-security:
cert-file: '/opt/certificate/etcd/etcd-server.pem'
key-file: '/opt/certificate/etcd/etcd-server-key.pem'
peer-client-cert-auth: true
trusted-ca-file: '/opt/certificate/etcd/ca.pem'
auto-tls: true
debug: false
log-package-levels:
log-outputs: [default]
force-new-cluster: false
EOF
cat > /usr/lib/systemd/system/etcd.service <<\EOF
[Unit]
Description=Etcd Service
Documentation=https://coreos.com/etcd/docs/latest
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
ExecStart=/opt/bin/etcd/etcd --config-file=/opt/cfg/etcd/etcd-conf.yml
Restart=on-failure
RestartSec=10
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
#启动服务
systemctl enable --now etcd.service
ETCDCTL_API=3 /opt/bin/etcd/etcdctl \
--cacert=/opt/certificate/etcd/ca.pem \
--cert=/opt/certificate/etcd/etcd-client.pem \
--key=/opt/certificate/etcd/etcd-client-key.pem \
--endpoints="https://1.117.115.10:2379" endpoint health --write-out=table
ETCDCTL_API=3 /opt/bin/etcd/etcdctl \
--cacert=/opt/certificate/etcd/ca.pem \
--cert=/opt/certificate/etcd/etcd-client.pem \
--key=/opt/certificate/etcd/etcd-client-key.pem \
--endpoints="https://1.117.115.10:2379" put /coreos.com/network/config \
'{ "Network": "172.1.0.0/16", "Backend": {"Type": "vxlan"}}'
#创建目录
mkdir -p /opt/bin/kubernetes/master
mkdir -p /opt/bin/kubernetes/node
mkdir -p /opt/cfg/kubernetes/master
mkdir -p /opt/cfg/kubernetes/node
mkdir -p /opt/cfg/kubernetes/admin
cd /opt/bin/kubernetes
#下载
wget https://dl.k8s.io/v1.26.0/kubernetes-server-linux-amd64.tar.gz
#解压
tar zxvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes-server-linux-amd64/kubernetes/server/bin/kube-apiserver
#受权
chmod +x kubectl kube-apiserver kube-controller-manager kube-scheduler kube-proxy kube-proxy
#拷贝
cp -p kubectl /opt/bin/kubernetes/
cp -p kube-apiserver kube-controller-manager kube-scheduler /opt/bin/kubernetes/master/
cp -p kube-proxy kube-proxy /opt/bin/kubernetes/node/
#配置环境变量
vi /etc/profile
export PATH=$PATH:/opt/bin/kubernetes
source /etc/profile
#添加命令行自动补全
source <(kubectl completion bash)
echo "source <(kubectl completion bash)" >> ~/.bashrc
export BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
cat > /opt/cfg/kubernetes/admin/token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
cat > /opt/cfg/kubernetes/master/kube-apiserver.conf <<EOF
# 参数说明 https://kubernetes.io/zh-cn/docs/reference/command-line-tools-reference/kube-apiserver/
KUBE_APISERVER_OPTS="--v=2 \
--allow-privileged=true \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--advertise-address=1.117.115.10 \
--service-cluster-ip-range=10.0.0.0/24 \
--service-node-port-range=1-50000 \
--etcd-servers=http://127.0.0.1:2379 \
--etcd-cafile=/opt/certificate/etcd/ca.pem \
--etcd-certfile=/opt/certificate/etcd/etcd-client.pem \
--etcd-keyfile=/opt/certificate/etcd/etcd-client-key.pem \
--client-ca-file=/opt/certificate/kubernetes/ca.pem \
--tls-cert-file=/opt/certificate/kubernetes/kube-apiserver.pem \
--tls-private-key-file=/opt/certificate/kubernetes/kube-apiserver-key.pem \
--kubelet-client-certificate=/opt/certificate/kubernetes/kube-apiserver.pem \
--kubelet-client-key=/opt/certificate/kubernetes/kube-apiserver-key.pem \
--service-account-key-file=/opt/certificate/kubernetes/sa.pub \
--service-account-signing-key-file=/opt/certificate/kubernetes/sa.key \
--service-account-issuer=https://kubernetes.default.svc.cluster.local \
--kubelet-preferred-address-types=Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota \
--authorization-mode=Node,RBAC \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/cfg/kubernetes/admin/token.csv \
--requestheader-client-ca-file=/opt/certificate/kubernetes/front-proxy-ca.pem \
--proxy-client-cert-file=/opt/certificate/kubernetes/front-proxy-client.pem \
--proxy-client-key-file=/opt/certificate/kubernetes/front-proxy-client-key.pem \
--requestheader-allowed-names=aggregator \
--requestheader-group-headers=X-Remote-Group \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-username-headers=X-Remote-User \
--enable-aggregator-routing=true"
EOF
cat > /usr/lib/systemd/system/kube-apiserver.service <<EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
EnvironmentFile=/opt/cfg/kubernetes/master/kube-apiserver.conf
ExecStart=/opt/bin/kubernetes/master/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
RestartSec=10s
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
EOF
#启动服务
systemctl daemon-reload
systemctl enable kube-apiserver.service
systemctl restart kube-apiserver.service
#生成配置文件 kube-controller-manager.kubeconfig
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/certificate/kubernetes/ca.pem \
--embed-certs=true \
--server=https://1.117.115.10:6443 \
--kubeconfig=/opt/cfg/kubernetes/master/kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=/opt/certificate/kubernetes/kube-controller-manager.pem \
--client-key=/opt/certificate/kubernetes/kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=/opt/cfg/kubernetes/master/kube-controller-manager.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=/opt/cfg/kubernetes/master/kube-controller-manager.kubeconfig
kubectl config use-context default --kubeconfig=/opt/cfg/kubernetes/master/kube-controller-manager.kubeconfig
cat > /opt/cfg/kubernetes/master/kube-controller-manager.conf <<EOF
# 参数说明 https://kubernetes.io/zh-cn/docs/reference/command-line-tools-reference/kube-controller-manager/
KUBE_CONTROLLER_MANAGER_OPTS="--v=2 \
--bind-address=127.0.0.1 \
--root-ca-file=/opt/certificate/kubernetes/ca.pem \
--cluster-signing-cert-file=/opt/certificate/kubernetes/ca.pem \
--cluster-signing-key-file=/opt/certificate/kubernetes/ca-key.pem \
--service-account-private-key-file=/opt/certificate/kubernetes/sa.key \
--kubeconfig=/opt/cfg/kubernetes/master/kube-controller-manager.kubeconfig \
--leader-elect=true \
--use-service-account-credentials=true \
--node-monitor-grace-period=40s \
--node-monitor-period=5s \
--pod-eviction-timeout=2m0s \
--controllers=*,bootstrapsigner,tokencleaner \
--allocate-node-cidrs=true \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-cidr=172.1.0.0/16 \
--node-cidr-mask-size-ipv4=24 \
--requestheader-client-ca-file=/opt/certificate/kubernetes/front-proxy-ca.pem"
EOF
cat > /usr/lib/systemd/system/kube-controller-manager.service <<EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
EnvironmentFile=/opt/cfg/kubernetes/master/kube-controller-manager.conf
ExecStart=/opt/bin/kubernetes/master/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=always
RestartSec=10s
[Install]
WantedBy=multi-user.target
EOF
#启动服务
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager
#生成配置文件 kube-scheduler.kubeconfig
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/certificate/kubernetes/ca.pem \
--embed-certs=true \
--server=https://1.117.115.10:6443 \
--kubeconfig=/opt/cfg/kubernetes/master/kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler \
--client-certificate=/opt/certificate/kubernetes/kube-scheduler.pem \
--client-key=/opt/certificate/kubernetes/kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=/opt/cfg/kubernetes/master/kube-scheduler.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=/opt/cfg/kubernetes/master/kube-scheduler.kubeconfig
kubectl config use-context default --kubeconfig=/opt/cfg/kubernetes/master/kube-scheduler.kubeconfig
cat > /opt/cfg/kubernetes/master/kube-scheduler.conf <<EOF
KUBE_SCHEDULER_OPTS="--v=2 \
--leader-elect=true \
--kubeconfig=/opt/cfg/kubernetes/master/kube-scheduler.kubeconfig \
--bind-address=127.0.0.1"
EOF
cat > /usr/lib/systemd/system/kube-scheduler.service <<EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
EnvironmentFile=/opt/cfg/kubernetes/master/kube-scheduler.conf
ExecStart=/opt/bin/kubernetes/master/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=always
RestartSec=10s
[Install]
WantedBy=multi-user.target
EOF
#启动服务
systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler
mkdir /root/.kube/ -p
#生成配置文件 admin.kubeconfig
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/certificate/kubernetes/ca.pem \
--embed-certs=true \
--server=https://1.117.115.10:6443 \
--kubeconfig=/opt/cfg/kubernetes/admin/admin.kubeconfig
kubectl config set-credentials admin \
--client-certificate=/opt/certificate/kubernetes/admin.pem \
--client-key=/opt/certificate/kubernetes/admin-key.pem \
--embed-certs=true \
--kubeconfig=/opt/cfg/kubernetes/admin/admin.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=admin \
--kubeconfig=/opt/cfg/kubernetes/admin/admin.kubeconfig
kubectl config use-context default --kubeconfig=admin.kubeconfig
cp /opt/cfg/kubernetes/admin/admin.kubeconfig /root/.kube/config
kubectl get cs
NAME STATUS MESSAGE ERROR
etcd-0 Healthy {"health":"true","reason":""}
controller-manager Healthy ok
scheduler Healthy ok
#生成随机认证key
a=`head -c 16 /dev/urandom | od -An -t x | tr -d ' ' | head -c6`
b=`head -c 16 /dev/urandom | od -An -t x | tr -d ' ' | head -c16`
#生成权限绑定文件
cat > /opt/cfg/kubernetes/admin/bootstrap.secret.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
name: bootstrap-token-$a
namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
description: "The default bootstrap token generated by 'kubelet '."
token-id: $a
token-secret: $b
usage-bootstrap-authentication: "true"
usage-bootstrap-signing: "true"
auth-extra-groups: system:bootstrappers:default-node-token,system:bootstrappers:worker,system:bootstrappers:ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubelet-bootstrap
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:node-bootstrapper
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:bootstrappers:default-node-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: node-autoapprove-bootstrap
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:bootstrappers:default-node-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: node-autoapprove-certificate-rotation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:nodes
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:kube-apiserver-to-kubelet
rules:
- apiGroups:
- ""
resources:
- nodes/proxy
- nodes/stats
- nodes/log
- nodes/spec
- nodes/metrics
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:kube-apiserver
namespace: ""
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kube-apiserver-to-kubelet
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kube-apiserver
EOF
#生成配置文件
kubectl config set-cluster kubernetes \
--certificate-authority=../ca/ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=bootstrap-kubelet.kubeconfig
kubectl config set-credentials tls-bootstrap-token-user \
--token=$a.$b \
--kubeconfig=bootstrap-kubelet.kubeconfig
kubectl config set-context tls-bootstrap-token-user@kubernetes \
--cluster=kubernetes \
--user=tls-bootstrap-token-user \
--kubeconfig=bootstrap-kubelet.kubeconfig
kubectl config use-context tls-bootstrap-token-user@kubernetes \
--kubeconfig=bootstrap-kubelet.kubeconfig
#创建权限
kubectl apply -f bootstrap.secret.yaml
#如容器运行时安装的是containerd 下面配置修改为--container-runtime-endpoint=unix:///run/containerd/containerd.sock
cat > /opt/cfg/kubernetes/node/kubelet.conf <<EOF
KUBELET_OPTS="--v=2 \
--hostname-override=qcloud-host01 \
--bootstrap-kubeconfig=/opt/cfg/kubernetes/admin/bootstrap-kubelet.kubeconfig \
--kubeconfig=/opt/cfg/kubernetes/node/kubelet.kubeconfig \
--config=/opt/cfg/kubernetes/node/kubelet-conf.yml \
--container-runtime-endpoint=unix:///run/cri-dockerd.sock \
--pod-infra-container-image=imaxun/pause:3.9 \
--cert-dir=/opt/cfg/kubernetes/node/certificate"
EOF
cat > /opt/cfg/kubernetes/node/kubelet-conf.yml <<EOF
# 参数说明 https://kubernetes.io/zh-cn/docs/reference/config-api/kubelet-config.v1beta1/
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 2m0s
enabled: true
x509:
clientCAFile: /opt/certificate/kubernetes/ca.pem
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 5m0s
cacheUnauthorizedTTL: 30s
cgroupDriver: systemd
cgroupsPerQOS: true
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local
containerLogMaxFiles: 5
containerLogMaxSize: 10Mi
contentType: application/vnd.kubernetes.protobuf
cpuCFSQuota: true
cpuManagerPolicy: none
cpuManagerReconcilePeriod: 10s
enableControllerAttachDetach: true
enableDebuggingHandlers: true
enforceNodeAllocatable:
- pods
eventBurst: 10
eventRecordQPS: 5
evictionHard:
imagefs.available: 15%
memory.available: 100Mi
nodefs.available: 10%
nodefs.inodesFree: 5%
evictionPressureTransitionPeriod: 5m0s
failSwapOn: true
fileCheckFrequency: 20s
hairpinMode: promiscuous-bridge
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 20s
imageGCHighThresholdPercent: 85
imageGCLowThresholdPercent: 80
imageMinimumGCAge: 2m0s
iptablesDropBit: 15
iptablesMasqueradeBit: 14
kubeAPIBurst: 10
kubeAPIQPS: 5
makeIPTablesUtilChains: true
maxOpenFiles: 1000000
maxPods: 110
nodeStatusUpdateFrequency: 10s
oomScoreAdj: -999
podPidsLimit: -1
registryBurst: 10
registryPullQPS: 5
resolvConf: /etc/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 2m0s
serializeImagePulls: true
staticPodPath: /opt/cfg/kubernetes/node/manifests
streamingConnectionIdleTimeout: 4h0m0s
syncFrequency: 1m0s
volumeStatsAggPeriod: 1m0s
EOF
cat > /usr/lib/systemd/system/kubelet.service <<EOF
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/cfg/kubernetes/node/kubelet.conf
ExecStart=/opt/bin/kubernetes/node/kubelet $KUBELET_OPTS
[Install]
WantedBy=multi-user.target
EOF
#启动服务
systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet
cat > /opt/cfg/kubernetes/node/kubelet.conf <<EOF
KUBE_PROXY_OPTS="--v=2 \
--hostname-override=qcloud-host01 \
--config=/opt/cfg/kubernetes/node/kube-proxy-conf.yml"
EOF
cat > /opt/cfg/kubernetes/node/kube-proxy-conf.yml <<EOF
#配置说明https://kubernetes.io/zh-cn/docs/reference/config-api/kube-proxy-config.v1alpha1/
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
clientConnection:
acceptContentTypes: ''
burst: 10
contentType: application/vnd.kubernetes.protobuf
kubeconfig: /opt/cfg/kubernetes/node/kube-proxy.kubeconfig
qps: 5
clusterCIDR: 172.1.0.0/16
configSyncPeriod: 15m0s
conntrack:
maxPerCore: 32768
min: 131072
tcpCloseWaitTimeout: 1h0m0s
tcpEstablishedTimeout: 24h0m0s
enableProfiling: false
healthzBindAddress: 0.0.0.0:10256
hostnameOverride: qcloud-host01
iptables:
masqueradeAll: false
masqueradeBit: 14
minSyncPeriod: 5s
syncPeriod: 30s
ipvs:
minSyncPeriod: 5s
scheduler: "rr"
syncPeriod: 30s
kind: KubeProxyConfiguration
metricsBindAddress: 127.0.0.1:10249
mode: "ipvs"
nodePortAddresses: null
oomScoreAdj: -999
portRange: ""
EOF
#生成配置文件 kube-proxy.kubeconfig
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/certificate/kubernetes/ca.pem \
--embed-certs=true \
--server=https://1.117.115.10:6443 \
--kubeconfig=/opt/cfg/kubernetes/node/kube-proxy.kubeconfig
kubectl config set-credentials system:kube-proxy \
--client-certificate=/opt/certificate/kubernetes/kube-proxy.pem \
--client-key=/opt/certificate/kubernetes/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=/opt/cfg/kubernetes/node/kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=system:kube-proxy \
--kubeconfig=/opt/cfg/kubernetes/node/kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=/opt/cfg/kubernetes/node/kube-proxy.kubeconfig
cat > /usr/lib/systemd/system/kube-proxy.service <<EOF
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/cfg/kubernetes/node/kubelet.conf
ExecStart=/opt/bin/kubernetes/node/kubelet $KUBELET_OPTS
[Install]
WantedBy=multi-user.target[root@qcloud-host01 node]# cat /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube Proxy
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
EnvironmentFile=/opt/cfg/kubernetes/node/kube-proxy.conf
ExecStart=/opt/bin/kubernetes/node/kube-proxy $KUBE_PROXY_OPTS
Restart=always
RestartSec=10s
[Install]
WantedBy=multi-user.target
EOF
#启动服务
systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy
kubectl get node
NAME STATUS ROLES AGE VERSION
qcloud-host01 NotReady none v1.26.0
#NotReady是因为没有部署网络插件
#创建目录
mkdir -p /opt/cni/bin
cd /opt/cni/bin
#下载cni
wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
#解压
tar zxvf cni-plugins-linux-amd64-v1.1.1.tgz
#受权
cd cni-plugins-linux-amd64-v1.1.1
chmod +x *
cp * /opt/cni/bin/
wget https://github.com/flannel-io/flannel/blob/v0.20.2/Documentation/kube-flannel.yml
#修改 Network 对应clusterCIDR: 172.1.0.0/16
net-conf.json: |
{
"Network": "172.1.0.0/16",
"Backend": {
"Type": "vxlan"
}
}
#部署
kubectl apply -f kube-flannel.yml
#部署完成后查看node是否正常
kubectl get node
NAME STATUS ROLES AGE VERSION
qcloud-host01 Ready none v1.26.0
#使用公网ip覆盖(否则云主机跨主机无法通讯)
kubectl annotate node qcloud-host01 flannel.alpha.coreos.com/public-ip-overwrite=1.117.115.10 --overwrite
wget https://github.com/coredns/deployment/blob/master/kubernetes/coredns.yaml.sed
#修改
Corefile: |
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . /etc/resolv.conf {
max_concurrent 1000
}
cache 30
loop
reload
loadbalance
log
}
clusterIP: 10.0.0.2
#部署
kubectl apply -f coredns.yaml
wget https://github.com/kubernetes/ingress-nginx/blob/controller-v1.5.1/deploy/static/provider/baremetal/deploy.yaml
#修改镜像
registry.k8s.io/ingress-nginx/controller:v1.5.1 替换为 chenmo/controller:v1.5.1
registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343 替换为 chenmo/kube-webhook-certgen:v20220916-gd32f8c343
#添加 ingressclass.kubernetes.io/is-default-class
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller
name: nginx
annotations:
ingressclass.kubernetes.io/is-default-class: "true"
spec:
controller: k8s.io/ingress-nginx
#部署
kubectl apply -f deploy.yaml
#配置label
kubectl label nodes qcloud-host01 linux=qcloud-host01
kubectl label nodes qcloud-host01 node-role.kubernetes.io/lb=lb-qcloud-host01
kubectl label nodes qcloud-host01 node-role.kubernetes.io/master=
kubectl label nodes qcloud-host01 node-role.kubernetes.io/node=qcloud-host01
kubectl label nodes qcloud-node01 linux=qcloud-node01
kubectl label nodes qcloud-node01 node-role.kubernetes.io/node=qcloud-node01
#配置腾讯云容器仓库秘钥
kubectl create secret docker-registry qcloud --docker-server=ccr.ccs.tencentyun.com --docker-username=xxx --docker-password=xxx -n default