1.1 安装kubeadm环境准备
1.1.1 环境需求
环境:centos 7.4 +
硬件需求:CPU>=2c ,内存>=2G
1.1.2 环境机器列表
| ip | role | software | 备注 |
|---|---|---|---|
| 192.168.165.198 | k8s-master | kube-apiserver kube-schduler kube-controller-manager docker flannel kubelet | |
| 192.168.165.192 | k8s-node2 | kubelet kube-proxy docker flannel | |
| 192.168.165.193 | k8s-node3 | kubelet kube-proxy docker flannel | |
| 192.168.165.194 | k8s-node4 | kubelet kube-proxy docker flannel |
1.1.3 环境初始化
- 关闭防火墙及selinux
注意:所有节点都要执行
[root@localhost ~]# systemctl stop firewalld && systemctl disable firewalld
[root@localhost ~]# sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config && setenforce 0
setenforce: SELinux is disabled
- 关闭swap分区
注意:所有节点都要执行
[root@localhost ~]# swapoff -a
[root@localhost ~]# sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
- 分别在各个节点上设置主机名及配置hosts
[root@localhost ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.165.198 k8s-master
192.168.165.192 k8s-node2
192.168.165.193 k8s-node3
192.168.165.194 k8s-node4
- 内核调整,将桥接的IPv4流量传递到iptables的链
[root@localhost ~]# cat > /etc/sysctl.d/k8s.conf << EOF
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> EOF
[root@localhost ~]# sysctl --system
* Applying /usr/lib/sysctl.d/00-system.conf ...
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
kernel.yama.ptrace_scope = 0
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/k8s.conf ...
* Applying /etc/sysctl.conf ...
- 设置系统时区并同步时间服务器
[root@localhost ~]# yum install -y ntpdate
已加载插件:fastestmirror
Determining fastest mirrors
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base
extras
updates
(1/4): base/7/x86_64/group_gz
(2/4): extras/7/x86_64/primary_db
(3/4): base/7/x86_64/primary_db
(4/4): updates/7/x86_64/primary_db
正在解决依赖关系
--> 正在检查事务
---> 软件包 ntpdate.x86_64.0.4.2.6p5-29.el7.centos.2 将被 安装
--> 解决依赖关系完成
依赖关系解决
============================================================================================================================
Package 架构 版
============================================================================================================================
正在安装:
ntpdate x86_64 4.
事务概要
============================================================================================================================
安装 1 软件包
总下载量:87 k
安装大小:121 k
Downloading packages:
警告:/var/cache/yum/x86_64/7/base/packages/ntpdate-4.2.6p5-29.el7.centos.2.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID f
ntpdate-4.2.6p5-29.el7.centos.2.x86_64.rpm 的公钥尚未安装
ntpdate-4.2.6p5-29.el7.centos.2.x86_64.rpm
从 file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 检索密钥
导入 GPG key 0xF4A80EB5:
用户ID : "CentOS-7 Key (CentOS 7 Official Signing Key) "
指纹 : 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
软件包 : centos-release-7-6.1810.2.el7.centos.x86_64 (@anaconda)
来自 : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在安装 : ntpdate-4.2.6p5-29.el7.centos.2.x86_64
验证中 : ntpdate-4.2.6p5-29.el7.centos.2.x86_64
已安装:
ntpdate.x86_64 0:4.2.6p5-29.el7.centos.2
完毕!
[root@localhost ~]# ntpdate time.windows.com
4 Aug 17:13:02 ntpdate[17303]: adjust time server 20.189.79.72 offset -0.018538 sec
1.1.4 docker安装
如果没安装wget,需要安装yum install -y wget
[root@localhost ~]# wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
--2021-08-04 17:21:14-- https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
正在解析主机 mirrors.aliyun.com (mirrors.aliyun.com)... 113.96.109.93, 59.53.162.242, 124.225.134.243, ...
正在连接 mirrors.aliyun.com (mirrors.aliyun.com)|113.96.109.93|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:2081 (2.0K) [application/octet-stream]
正在保存至: “/etc/yum.repos.d/docker-ce.repo”
100%[=======================================================================================================================
2021-08-04 17:21:15 (154 MB/s) - 已保存 “/etc/yum.repos.d/docker-ce.repo” [2081/2081])
[root@localhost ~]# yum -y install docker-ce-18.06.1.ce-3.el7
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
docker-ce-stable
(1/2): docker-ce-stable/7/x86_64/primary_db
(2/2): docker-ce-stable/7/x86_64/updateinfo
正在解决依赖关系
--> 正在检查事务
---> 软件包 docker-ce.x86_64.0.18.06.1.ce-3.el7 将被 安装
--> 正在处理依赖关系 container-selinux >= 2.9,它被软件包 docker-ce-18.06.1.ce-3.el7.x86_64 需要
--> 正在处理依赖关系 libcgroup,它被软件包 docker-ce-18.06.1.ce-3.el7.x86_64 需要
--> 正在检查事务
---> 软件包 container-selinux.noarch.2.2.119.2-1.911c772.el7_8 将被 安装
--> 正在处理依赖关系 policycoreutils-python,它被软件包 2:container-selinux-2.119.2-1.911c772.el7_8.noarch 需要
---> 软件包 libcgroup.x86_64.0.0.41-21.el7 将被 安装
--> 正在检查事务
---> 软件包 policycoreutils-python.x86_64.0.2.5-34.el7 将被 安装
--> 正在处理依赖关系 policycoreutils = 2.5-34.el7,它被软件包 policycoreutils-python-2.5-34.el7.x86_64 需要
--> 正在处理依赖关系 setools-libs >= 3.3.8-4,它被软件包 policycoreutils-python-2.5-34.el7.x86_64 需要
--> 正在处理依赖关系 libsemanage-python >= 2.5-14,它被软件包 policycoreutils-python-2.5-34.el7.x86_64 需要
--> 正在处理依赖关系 audit-libs-python >= 2.1.3-4,它被软件包 policycoreutils-python-2.5-34.el7.x86_64 需要
--> 正在处理依赖关系 python-IPy,它被软件包 policycoreutils-python-2.5-34.el7.x86_64 需要
--> 正在处理依赖关系 libqpol.so.1(VERS_1.4)(64bit),它被软件包 policycoreutils-python-2.5-34.el7.x86_64 需要
--> 正在处理依赖关系 libqpol.so.1(VERS_1.2)(64bit),它被软件包 policycoreutils-python-2.5-34.el7.x86_64 需要
--> 正在处理依赖关系 libapol.so.4(VERS_4.0)(64bit),它被软件包 policycoreutils-python-2.5-34.el7.x86_64 需要
--> 正在处理依赖关系 checkpolicy,它被软件包 policycoreutils-python-2.5-34.el7.x86_64 需要
--> 正在处理依赖关系 libqpol.so.1()(64bit),它被软件包 policycoreutils-python-2.5-34.el7.x86_64 需要
--> 正在处理依赖关系 libapol.so.4()(64bit),它被软件包 policycoreutils-python-2.5-34.el7.x86_64 需要
--> 正在检查事务
---> 软件包 audit-libs-python.x86_64.0.2.8.5-4.el7 将被 安装
--> 正在处理依赖关系 audit-libs(x86-64) = 2.8.5-4.el7,它被软件包 audit-libs-python-2.8.5-4.el7.x86_64 需要
---> 软件包 checkpolicy.x86_64.0.2.5-8.el7 将被 安装
---> 软件包 libsemanage-python.x86_64.0.2.5-14.el7 将被 安装
---> 软件包 policycoreutils.x86_64.0.2.5-29.el7 将被 升级
---> 软件包 policycoreutils.x86_64.0.2.5-34.el7 将被 更新
---> 软件包 python-IPy.noarch.0.0.75-6.el7 将被 安装
---> 软件包 setools-libs.x86_64.0.3.3.8-4.el7 将被 安装
--> 正在检查事务
---> 软件包 audit-libs.x86_64.0.2.8.4-4.el7 将被 升级
--> 正在处理依赖关系 audit-libs(x86-64) = 2.8.4-4.el7,它被软件包 audit-2.8.4-4.el7.x86_64 需要
---> 软件包 audit-libs.x86_64.0.2.8.5-4.el7 将被 更新
--> 正在检查事务
---> 软件包 audit.x86_64.0.2.8.4-4.el7 将被 升级
---> 软件包 audit.x86_64.0.2.8.5-4.el7 将被 更新
--> 解决依赖关系完成
依赖关系解决
============================================================================================================================
Package 架构 版本
============================================================================================================================
正在安装:
docker-ce x86_64 18.
为依赖而安装:
audit-libs-python x86_64 2.8
checkpolicy x86_64 2.5
container-selinux noarch 2:2
libcgroup x86_64 0.4
libsemanage-python x86_64 2.5
policycoreutils-python x86_64 2.5
python-IPy noarch 0.7
setools-libs x86_64 3.3
为依赖而更新:
audit x86_64 2.8
audit-libs x86_64 2.8
policycoreutils x86_64 2.5
事务概要
============================================================================================================================
安装 1 软件包 (+8 依赖软件包)
升级 ( 3 依赖软件包)
总下载量:44 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/12): container-selinux-2.119.2-1.911c772.el7_8.noarch.rpm
(2/12): audit-libs-2.8.5-4.el7.x86_64.rpm
(3/12): audit-libs-python-2.8.5-4.el7.x86_64.rpm
(4/12): audit-2.8.5-4.el7.x86_64.rpm
(5/12): libcgroup-0.41-21.el7.x86_64.rpm
(6/12): libsemanage-python-2.5-14.el7.x86_64.rpm
(7/12): python-IPy-0.75-6.el7.noarch.rpm
(8/12): policycoreutils-python-2.5-34.el7.x86_64.rpm
(9/12): checkpolicy-2.5-8.el7.x86_64.rpm
(10/12): setools-libs-3.3.8-4.el7.x86_64.rpm
(11/12): policycoreutils-2.5-34.el7.x86_64.rpm
warning: /var/cache/yum/x86_64/7/docker-ce-stable/packages/docker-ce-18.06.1.ce-3.el7.x86_64.rpm: Header V4 RSA/SHA512 Signa
docker-ce-18.06.1.ce-3.el7.x86_64.rpm 的公钥尚未安装
(12/12): docker-ce-18.06.1.ce-3.el7.x86_64.rpm
----------------------------------------------------------------------------------------------------------------------------
总计
从 https://mirrors.aliyun.com/docker-ce/linux/centos/gpg 检索密钥
导入 GPG key 0x621E9F35:
用户ID : "Docker Release (CE rpm) "
指纹 : 060a 61c5 1b55 8a7f 742b 77aa c52f eb6b 621e 9f35
来自 : https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在更新 : audit-libs-2.8.5-4.el7.x86_64
正在更新 : policycoreutils-2.5-34.el7.x86_64
正在安装 : libcgroup-0.41-21.el7.x86_64
正在安装 : audit-libs-python-2.8.5-4.el7.x86_64
正在安装 : setools-libs-3.3.8-4.el7.x86_64
正在安装 : checkpolicy-2.5-8.el7.x86_64
正在安装 : python-IPy-0.75-6.el7.noarch
正在安装 : libsemanage-python-2.5-14.el7.x86_64
正在安装 : policycoreutils-python-2.5-34.el7.x86_64
正在安装 : 2:container-selinux-2.119.2-1.911c772.el7_8.noarch
setsebool: SELinux is disabled.
正在安装 : docker-ce-18.06.1.ce-3.el7.x86_64
正在更新 : audit-2.8.5-4.el7.x86_64
清理 : policycoreutils-2.5-29.el7.x86_64
清理 : audit-2.8.4-4.el7.x86_64
清理 : audit-libs-2.8.4-4.el7.x86_64
验证中 : audit-libs-2.8.5-4.el7.x86_64
验证中 : audit-2.8.5-4.el7.x86_64
验证中 : docker-ce-18.06.1.ce-3.el7.x86_64
验证中 : libsemanage-python-2.5-14.el7.x86_64
验证中 : policycoreutils-2.5-34.el7.x86_64
验证中 : 2:container-selinux-2.119.2-1.911c772.el7_8.noarch
验证中 : python-IPy-0.75-6.el7.noarch
验证中 : checkpolicy-2.5-8.el7.x86_64
验证中 : policycoreutils-python-2.5-34.el7.x86_64
验证中 : audit-libs-python-2.8.5-4.el7.x86_64
验证中 : setools-libs-3.3.8-4.el7.x86_64
验证中 : libcgroup-0.41-21.el7.x86_64
验证中 : policycoreutils-2.5-29.el7.x86_64
验证中 : audit-libs-2.8.4-4.el7.x86_64
验证中 : audit-2.8.4-4.el7.x86_64
已安装:
docker-ce.x86_64 0:18.06.1.ce-3.el7
作为依赖被安装:
audit-libs-python.x86_64 0:2.8.5-4.el7 checkpolicy.x86_64 0:2.5-8.el7 container-selinux.noarch 2:2.119.2-1.911c
python-IPy.noarch 0:0.75-6.el7 setools-libs.x86_64 0:3.3.8-4.el7
作为依赖被升级:
audit.x86_64 0:2.8.5-4.el7 audit-libs.x86_64 0:2.8.5-4.el7
完毕!
[root@localhost ~]# systemctl enable docker && systemctl start docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@localhost ~]# docker --version
Docker version 18.06.1-ce, build e68fc7a
1.1.5 添加kubernetes YUM软件源
[root@localhost ~]# cat > /etc/yum.repos.d/kubernetes.repo << EOF
> [kubernetes]
> name=Kubernetes
> baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
> enabled=1
> gpgcheck=0
> repo_gpgcheck=0
> gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package
> EOF
1.1.6 安装kubeadm,kubelet和kubectl
[root@localhost ~]# yum install -y kubelet-1.15.0 kubeadm-1.15.0 kubectl-1.15.0
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
kubernetes
kubernetes/primary
kubernetes
正在解决依赖关系
--> 正在检查事务
---> 软件包 kubeadm.x86_64.0.1.15.0-0 将被 安装
--> 正在处理依赖关系 kubernetes-cni >= 0.7.5,它被软件包 kubeadm-1.15.0-0.x86_64 需要
--> 正在处理依赖关系 cri-tools >= 1.11.0,它被软件包 kubeadm-1.15.0-0.x86_64 需要
---> 软件包 kubectl.x86_64.0.1.15.0-0 将被 安装
---> 软件包 kubelet.x86_64.0.1.15.0-0 将被 安装
--> 正在处理依赖关系 socat,它被软件包 kubelet-1.15.0-0.x86_64 需要
--> 正在处理依赖关系 conntrack,它被软件包 kubelet-1.15.0-0.x86_64 需要
--> 正在检查事务
---> 软件包 conntrack-tools.x86_64.0.1.4.4-7.el7 将被 安装
--> 正在处理依赖关系 libnetfilter_cttimeout.so.1(LIBNETFILTER_CTTIMEOUT_1.1)(64bit),它被软件包 conntrack-tools-1.4.4-7.el7.
--> 正在处理依赖关系 libnetfilter_cttimeout.so.1(LIBNETFILTER_CTTIMEOUT_1.0)(64bit),它被软件包 conntrack-tools-1.4.4-7.el7.
--> 正在处理依赖关系 libnetfilter_cthelper.so.0(LIBNETFILTER_CTHELPER_1.0)(64bit),它被软件包 conntrack-tools-1.4.4-7.el7.x8
--> 正在处理依赖关系 libnetfilter_queue.so.1()(64bit),它被软件包 conntrack-tools-1.4.4-7.el7.x86_64 需要
--> 正在处理依赖关系 libnetfilter_cttimeout.so.1()(64bit),它被软件包 conntrack-tools-1.4.4-7.el7.x86_64 需要
--> 正在处理依赖关系 libnetfilter_cthelper.so.0()(64bit),它被软件包 conntrack-tools-1.4.4-7.el7.x86_64 需要
---> 软件包 cri-tools.x86_64.0.1.13.0-0 将被 安装
---> 软件包 kubernetes-cni.x86_64.0.0.8.7-0 将被 安装
---> 软件包 socat.x86_64.0.1.7.3.2-2.el7 将被 安装
--> 正在检查事务
---> 软件包 libnetfilter_cthelper.x86_64.0.1.0.0-11.el7 将被 安装
---> 软件包 libnetfilter_cttimeout.x86_64.0.1.0.0-7.el7 将被 安装
---> 软件包 libnetfilter_queue.x86_64.0.1.0.2-2.el7_2 将被 安装
--> 解决依赖关系完成
依赖关系解决
============================================================================================================================
Package 架构
============================================================================================================================
正在安装:
kubeadm x86_64
kubectl x86_64
kubelet x86_64
为依赖而安装:
conntrack-tools x86_64
cri-tools x86_64
kubernetes-cni x86_64
libnetfilter_cthelper x86_64
libnetfilter_cttimeout x86_64
libnetfilter_queue x86_64
socat x86_64
事务概要
============================================================================================================================
安装 3 软件包 (+7 依赖软件包)
总下载量:64 M
安装大小:271 M
Downloading packages:
(1/10): conntrack-tools-1.4.4-7.el7.x86_64.rpm
(2/10): 14bfe6e75a9efc8eca3f638eb22c7e2ce759c67f95b43b16fae4ebabde1549f3-cri-tools-1.13.0-0.x86_64.rpm
(3/10): 7143f62ad72a1eb1849d5c1e9490567d405870d2c00ab2b577f1f3bdf9f547ba-kubeadm-1.15.0-0.x86_64.rpm
(4/10): 3d5dd3e6a783afcd660f9954dec3999efa7e498cac2c14d63725fafa1b264f14-kubectl-1.15.0-0.x86_64.rpm
(5/10): libnetfilter_cttimeout-1.0.0-7.el7.x86_64.rpm
(6/10): libnetfilter_queue-1.0.2-2.el7_2.x86_64.rpm
(7/10): libnetfilter_cthelper-1.0.0-11.el7.x86_64.rpm
(8/10): socat-1.7.3.2-2.el7.x86_64.rpm
(9/10): 557c2f4e11a3ab262c72a52d240f2f440c63f539911ff5e05237904893fc36bb-kubelet-1.15.0-0.x86_64.rpm
(10/10): db7cb5cb0b3f6875f54d10f02e625573988e3e91fd4fc5eef0b1876bb18604ad-kubernetes-cni-0.8.7-0.x86_64.rpm
----------------------------------------------------------------------------------------------------------------------------
总计
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在安装 : libnetfilter_cttimeout-1.0.0-7.el7.x86_64
正在安装 : socat-1.7.3.2-2.el7.x86_64
正在安装 : kubectl-1.15.0-0.x86_64
正在安装 : cri-tools-1.13.0-0.x86_64
正在安装 : libnetfilter_queue-1.0.2-2.el7_2.x86_64
正在安装 : libnetfilter_cthelper-1.0.0-11.el7.x86_64
正在安装 : conntrack-tools-1.4.4-7.el7.x86_64
正在安装 : kubernetes-cni-0.8.7-0.x86_64
正在安装 : kubelet-1.15.0-0.x86_64
正在安装 : kubeadm-1.15.0-0.x86_64
验证中 : libnetfilter_cthelper-1.0.0-11.el7.x86_64
验证中 : kubeadm-1.15.0-0.x86_64
验证中 : kubernetes-cni-0.8.7-0.x86_64
验证中 : kubelet-1.15.0-0.x86_64
验证中 : libnetfilter_queue-1.0.2-2.el7_2.x86_64
验证中 : cri-tools-1.13.0-0.x86_64
验证中 : kubectl-1.15.0-0.x86_64
验证中 : socat-1.7.3.2-2.el7.x86_64
验证中 : libnetfilter_cttimeout-1.0.0-7.el7.x86_64
验证中 : conntrack-tools-1.4.4-7.el7.x86_64
已安装:
kubeadm.x86_64 0:1.15.0-0 kubectl.x86_64 0:1.15.0-0
作为依赖被安装:
conntrack-tools.x86_64 0:1.4.4-7.el7 cri-tools.x86_64 0:1.13.0-0 kubernetes-cni.x86_64 0:0.8.7-0 libnetfilter_cthelper.x86
完毕!
[root@localhost ~]# systemctl enable kubelet
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service
2.1 部署Kubernetes Master
master初始化
[root@k8s-master ~]# kubeadm init --apiserver-advertise-address=192.168.165.198 --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.15.0 --service-cidr=10.1.0.0/16
[init] Using Kubernetes version: v1.15.0
[preflight] Running pre-flight checks
[WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
报错了,出现[WARNING IsDockerSystemdCheck],是由于docker的Cgroup Driver和kubelet的Cgroup Driver不一致导致的,此处选择修改docker的和kubelet一致
编辑文件/usr/lib/systemd/system/docker.service, 修改ExecStart=/usr/bin/dockerd --exec-opt native.cgroupdriver=systemd
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
# ExecStart=/usr/bin/dockerd
ExecStart=/usr/bin/dockerd --exec-opt native.cgroupdriver=systemd
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Uncomment TasksMax if your systemd version supports it.
# Only systemd 226 and above support this version.
#TasksMax=infinity
TimeoutStartSec=0
# set delegate yes so that systemd does not reset the cgroups of docker containers
Delegate=yes
# kill only the docker process, not all processes in the cgroup
KillMode=process
# restart the docker process if it exits prematurely
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
重启docker,可以看到docker info | grep Cgroup的输出变成了systemd
[root@k8s-master ~]# docker info | grep Cgroup
Cgroup Driver: cgroupfs
[root@k8s-master ~]# systemctl daemon-reload
[root@k8s-master ~]# systemctl restart docker
[root@k8s-master ~]# vi /usr/lib/systemd/system/docker.service
[root@k8s-master ~]# vi /usr/lib/systemd/system/docker.service
[root@k8s-master ~]# systemctl daemon-reload
[root@k8s-master ~]# systemctl restart docker
[root@k8s-master ~]# docker info | grep Cgroup
Cgroup Driver: systemd
再次执行,可以看到已经执行成功
[root@k8s-master ~]# kubeadm init --apiserver-advertise-address=192.168.165.198 --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.15.0 --service-cidr=10.1.0.0/16 --pod-network-cidr=10.244.0.0/16
[init] Using Kubernetes version: v1.15.0
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Activating the kubelet service
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [k8s-master localhost] and IPs [192.168.165.198 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [k8s-master localhost] and IPs [192.168.165.198 127.0.0.1 ::1]
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [k8s-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.1.0.1 192.168.165.198]
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 15.005161 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config-1.15" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node k8s-master as control-plane by adding the label "node-role.kubernetes.io/master=''"
[mark-control-plane] Marking the node k8s-master as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[bootstrap-token] Using token: 283bmn.5s8oey15nquac4mw
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.165.198:6443 --token 283bmn.5s8oey15nquac4mw \
--discovery-token-ca-cert-hash sha256:b4e5d42f49230d88eeed7f7af3c49d6f2f3d1c1146df1640545636e8490e3175
[root@k8s-master ~]#
根据提示操作,如果需要回退init,可以kubeadm reset,同时要删除$HOME/.kube/config和/var/lib/etcd,再次执行kubeadm init即可
[root@k8s-master ~]# mkdir -p $HOME/.kube
[root@k8s-master ~]# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@k8s-master ~]# sudo chown $(id -u):$(id -g) $HOME/.kube/config
[root@k8s-master ~]#
在其他子节点执行下面命令即可加入集群,如果执行出错,可以加上 --v=2查看具体报错信息
[root@k8s-node3 ~]# kubeadm join 192.168.165.198:6443 --token m8x4sa.ohcpv36ddk5dlivb --discovery-token-ca-cert-hash sha256:98aa44463bafe37f911b91d87b550574ef255ad665ffa62b23ebe71cd65a6519
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.15" ConfigMap in the kube-system namespace
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Activating the kubelet service
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
[root@k8s-node3 ~]#
添加完节点后,可以通过kubectl get node查看当前节点,发现报错了,原因:kubernetes master没有与本机绑定,集群初始化的时候没有绑定,此时设置在本机的环境变量即可解决问题,如果在其他节点也出现了同样的报错,可以将/etc/kubernetes/admin.conf通过scp复制到其他节点,再设置环境变量即可解决
[root@k8s-master ~]# kubectl get node
The connection to the server localhost:8080 was refused - did you specify the right host or port?
[root@k8s-master ~]# echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> /etc/profile
[root@k8s-master ~]# source /etc/profile
[root@k8s-master ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master NotReady master 13h v1.15.0
安装网络插件
只需要在master安装
[root@k8s-master ~]# wget https://raw.githubusercontent.com/coreos/flannel/a70459be0084506e4ec919aa1c114638878db11b/Documentation/kube-flannel.yml
[root@k8s-master ~]# kubectl apply -f kube-flannel.yml
[root@k8s-master ~]# ps -ef|grep flannel
root 913 890 0 14:22 ? 00:00:01 /opt/bin/flanneld --ip-masq --kube-subnet-mgr
root 10725 16706 0 14:42 pts/0 00:00:00 grep --color=auto flannel
到此位置,搭建已完成
测试k8s集群
root@k8s-master ~]# kubectl create deployment nginx --image=nginx
deployment.apps/nginx created
[root@k8s-master ~]# kubectl expose deployment nginx --port=80 --type=NodePort
service/nginx exposed
[root@k8s-master ~]# kubectl get pods,svc
NAME READY STATUS RESTARTS AGE
pod/nginx-554b9c67f9-pnc5g 1/1 Running 0 4m26s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.1.0.1 443/TCP 18h
service/nginx NodePort 10.1.1.157 80:30755/TCP 4m8s
[root@k8s-master ~]# curl http://192.168.165.198:30755
Welcome to nginx!
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
如上所示,已经能访问到nginx了
PS:由于在之前,我漏掉了一个步骤,没有指定--pod-network-cidr=10.244.0.0/16,导致安装flannel持续报错,花费好多时间查找
[root@k8s-master ~]# kubeadm init --apiserver-advertise-address=192.168.165.198 --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.15.0 --service-cidr=10.1.0.0/16 --pod-network-cidr=10.244.0.0/16
如果未指定--pod-network-cidr=10.244.0.0/16,则会出现下列报错
[root@k8s-master ~]# kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-bccdc95cf-rd6w2 0/1 ContainerCreating 0 17h
kube-system coredns-bccdc95cf-rkrtm 0/1 ContainerCreating 0 17h
kube-system etcd-k8s-master 1/1 Running 0 17h
kube-system kube-apiserver-k8s-master 1/1 Running 0 17h
kube-system kube-controller-manager-k8s-master 1/1 Running 0 17s
kube-system kube-flannel-ds-amd64-h4gj5 0/1 CrashLoopBackOff 39 3h1m
kube-system kube-flannel-ds-amd64-qv52d 0/1 CrashLoopBackOff 39 3h1m
kube-system kube-flannel-ds-amd64-tddjl 0/1 Error 40 3h1m
kube-system kube-flannel-ds-amd64-z2gbl 0/1 CrashLoopBackOff 39 3h1m
kube-system kube-proxy-4zkbp 1/1 Running 0 3h22m
kube-system kube-proxy-lrgz7 1/1 Running 0 17h
kube-system kube-proxy-nrxdd 1/1 Running 0 3h4m
kube-system kube-proxy-vws6d 1/1 Running 0 3h23m
kube-system kube-scheduler-k8s-master 1/1 Running 0 17h
查看其具体日志发现,报错为Error registering network: failed to acquire lease: node "k8s-node3" pod cidr not assigned
[root@k8s-master ~]# kubectl logs kube-flannel-ds-amd64-h4gj5
Error from server (NotFound): pods "kube-flannel-ds-amd64-h4gj5" not found
[root@k8s-master ~]# kubectl logs kube-flannel-ds-amd64-h4gj5 -n kube-system
I0805 06:17:12.825680 1 main.go:514] Determining IP address of default interface
I0805 06:17:12.826441 1 main.go:527] Using interface with name ens192 and address 192.168.165.193
I0805 06:17:12.826499 1 main.go:544] Defaulting external address to interface address (192.168.165.193)
I0805 06:17:13.020546 1 kube.go:126] Waiting 10m0s for node controller to sync
I0805 06:17:13.020895 1 kube.go:309] Starting kube subnet manager
I0805 06:17:14.021040 1 kube.go:133] Node controller sync successful
I0805 06:17:14.021153 1 main.go:244] Created subnet manager: Kubernetes Subnet Manager - k8s-node3
I0805 06:17:14.021176 1 main.go:247] Installing signal handlers
I0805 06:17:14.021348 1 main.go:386] Found network config - Backend type: vxlan
I0805 06:17:14.021504 1 vxlan.go:120] VXLAN config: VNI=1 Port=0 GBP=false DirectRouting=false
E0805 06:17:14.022070 1 main.go:289] Error registering network: failed to acquire lease: node "k8s-node3" pod cidr not assigned
I0805 06:17:14.022189 1 main.go:366] Stopping shutdownHandler...
上述报错是指未指定pod cidr,需要vim /etc/kubernetes/manifests/kube-controller-manager.yaml
command中增加两个参数:
--allocate-node-cidrs=true
--cluster-cidr=10.244.0.0/16
[root@k8s-master ~]# vi /etc/kubernetes/manifests/kube-controller-manager.yaml
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
component: kube-controller-manager
tier: control-plane
name: kube-controller-manager
namespace: kube-system
spec:
containers:
- command:
- kube-controller-manager
- --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
- --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
- --bind-address=127.0.0.1
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
- --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
- --controllers=*,bootstrapsigner,tokencleaner
- --kubeconfig=/etc/kubernetes/controller-manager.conf
- --leader-elect=true
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- --root-ca-file=/etc/kubernetes/pki/ca.crt
- --service-account-private-key-file=/etc/kubernetes/pki/sa.key
- --use-service-account-credentials=true
- --allocate-node-cidrs=true
- --cluster-cidr=10.244.0.0/16
image: registry.aliyuncs.com/google_containers/kube-controller-manager:v1.15.0
再执行systemctl restart kubelet,即可看到全部都变成了raedy的状态
[root@k8s-master ~]# kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-bccdc95cf-rd6w2 1/1 Running 0 18h
kube-system coredns-bccdc95cf-rkrtm 1/1 Running 0 18h
kube-system etcd-k8s-master 1/1 Running 0 18h
kube-system kube-apiserver-k8s-master 1/1 Running 0 18h
kube-system kube-controller-manager-k8s-master 1/1 Running 0 5m42s
kube-system kube-flannel-ds-amd64-h4gj5 1/1 Running 41 3h7m
kube-system kube-flannel-ds-amd64-qv52d 1/1 Running 40 3h7m
kube-system kube-flannel-ds-amd64-tddjl 1/1 Running 42 3h7m
kube-system kube-flannel-ds-amd64-z2gbl 1/1 Running 40 3h7m
kube-system kube-proxy-4zkbp 1/1 Running 0 3h27m
kube-system kube-proxy-lrgz7 1/1 Running 0 18h
kube-system kube-proxy-nrxdd 1/1 Running 0 3h10m
kube-system kube-proxy-vws6d 1/1 Running 0 3h28m
kube-system kube-scheduler-k8s-master 1/1 Running 0 18h
安装结束后一些配置文件路径:
[root@k8s-master manifests]# pwd
/etc/kubernetes/manifests
[root@k8s-master manifests]# ls
etcd.yaml kube-apiserver.yaml kube-controller-manager.yaml kube-scheduler.yaml
参考
- kubeadm 快速部署K8S集群