基础环境
操作系统:CentOS Linux release 7.9.2009 (Core)
内核版本:5.17.4-1.el7.elrepo.x86_64
CPU:16核
内存:32G
基础环境优化(所有节点)
操作系统优化
1、配置yum源
yum -y install wget
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all
yum makecache
2、关闭防火墙
# 查看防火墙状态
firewall-cmd --state
# 临时停止防火墙
systemctl stop firewalld.service
# 禁止防火墙开机启动
systemctl disable firewalld.service
3、关闭selinux
# 查看selinux状态
getenforce
# 临时关闭selinux
setenforce 0
# 永久关闭selinux
sed -i 's/^ *SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
4、关闭swap
swapoff -a
# 永久关闭swap
sed -i.bak '/swap/s/^/#/' /etc/fstab
# 查看
free -g
5、调整内核参数
cat <<EOF> /etc/modules-load.d/k8s.conf
br_netfilter
EOF
cat <<EOF> /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF
modprobe overlay
modprobe br_netfilter
# 开启iptables检查桥接流量
cat <<EOF> /etc/sysctl.d/99-kubernetes-cri.conf
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
# 应用 sysctl 参数而无需重新启动
sudo sysctl --system
6、开启ipvs
# 默认采用iptables进行数据包转发,效率较低
cat <<EOF> /etc/sysconfig/modules/ipvs.modules
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
# 加载模块
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack_ipv4
# 安装了ipset软件包
yum install ipset -y
# 安装管理工具ipvsadm
yum install ipvsadm -y
7、同步时间
yum install chrony -y
systemctl enable chronyd
systemctl start chronyd
[root@k8s-master: ~] 16:26:10
$ chronyc sources
210 Number of sources = 4
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^- de-user.deepinid.deepin.> 3 10 377 488 -690us[ -690us] +/- 127ms
^- electrode.felixc.at 3 10 377 576 +4076us[+7553us] +/- 136ms
^- pingless.com 2 10 337 808 -11ms[-7252us] +/- 133ms
^* dns2.synet.edu.cn 1 10 377 564 +11ms[ +14ms] +/- 30ms
[root@master ~]# date
Thu Apr 28 16:26:10 CST 2022
8、采用containerd
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# 查看最新版本
yum list containerd --showduplicates | sort -r
yum install containerd -y
# 安装了`containerd.io-1.5.11-3.1.el7.x86_64`
containerd config default > /etc/containerd/config.toml
systemctl start containerd
systemctl enable containerd
# 修改cgroups为systemd
sed -i 's#SystemdCgroup = false#SystemdCgroup = true#' /etc/containerd/config.toml
# 修改基础设施镜像
sed -i 's#sandbox_image = "k8s.gcr.io/pause:3.5"#sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.6"#' /etc/containerd/config.toml
systemctl daemon-reload
systemctl restart containerd
# crictl 管理containerd
# 客户端地址: https://github.com/kubernetes-sigs/cri-tools/releases/
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.23.0/crictl-v1.23.0-linux-amd64.tar.gz
tar zxvf crictl-v1.23.0-linux-amd64.tar.gz -C /usr/local/bin
cat <<EOF> /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF
# 验证是否可用
crictl pull nginx:alpine
crictl images
crictl rmi nginx:alpine
9、修改本地hostname
# k8s-master节点
hostnamectl set-hostname k8s-master
# k8s-node1节点
hostnamectl set-hostname k8s-node1
# k8s-node2节点
hostnamectl set-hostname k8s-node2
cat <<EOF> /etc/hosts
192.168.69.120 k8s-master
192.168.69.121 k8s-node1
192.168.69.122 k8s-node2
EOF
Master安装
1、安装kubeadm,kubelet,kubectl。yum安装
# 配置yum源
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
# 安装
yum clean all
yum list kubeadm --showduplicates | sort -r
yum install -y kubelet-1.23.5-0 kubectl-1.23.5-0 kubeadm-1.23.5-0
[root@k8s-master: ~] 16:36:19
$ kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5", GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"clean", BuildDate:"2022-03-16T15:57:37Z", GoVersion:"go1.17.8", Compiler:"gc", Platform:"linux/amd64"}
# 指定运行时
cat <<EOF> /etc/sysconfig/kubelet
KUBELET_KUBEADM_ARGS="--container-runtime=remote --runtime-request-timeout=15m --container-runtime-endpoint=unix:///run/containerd/containerd.sock"
EOF
# 启动kubelet
systemctl start kubelet
systemctl enable kubelet
初始化集群
kubeadm config print init-defaults > kubeadm.yaml
# 修改为
cat <<EOF> kubeadm.yaml
apiVersion: kubeadm.k8s.io/v1beta3
bootstrapTokens:
- groups:
- system:bootstrappers:kubeadm:default-node-token
token: abcdef.0123456789abcdef
ttl: 24h0m0s
usages:
- signing
- authentication
kind: InitConfiguration
localAPIEndpoint:
advertiseAddress: 192.168.4.27 # apiserver 节点内网IP
bindPort: 6443
nodeRegistration:
criSocket: /run/containerd/containerd.sock # 修改为containerd
imagePullPolicy: IfNotPresent
name: master
taints:
- effect: NoSchedule
key: node-role.kubernetes.io/master
---
apiServer:
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
type: CoreDNS # dns类型 type: CoreDNS
etcd:
local:
dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers # 修改这个镜像能下载
kind: ClusterConfiguration
kubernetesVersion: 1.23.5 # k8s版本
networking:
dnsDomain: cluster.local
podSubnet: 10.244.0.0/16
serviceSubnet: 10.96.0.0/12
scheduler: {}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs # kube-proxy 模式
EOF
# kube-proxy 模式是 iptables,命令行
kubectl edit configmap kube-proxy -n kube-system修改
# 执行初始化
kubeadm init --config kubeadm.yaml
# 根据提示配置
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# 保留加入集群配置
$ kubeadm token create --print-join-command
kubeadm join 192.168.69.120:6443 --token 0njl1o.upcr8ygoq0xddn8x --discovery-token-ca-cert-hash sha256:9a2c406a72fd633fc6e8xxxxxxxxxx
网络插件Calico
mkdir -p /root/i && cd /root/i
# 下载calico 部署文件
curl https://docs.projectcalico.org/manifests/calico.yaml -o /root/i/calico.yaml
查看一下版本`v3.22.2`,如果不是替换不生效
# 修改镜像
sed -i 's#docker.io/calico/cni:v3.22.2#registry.cn-shanghai.aliyuncs.com/wanfei/cni:v3.22.2#' /root/i/calico.yaml
sed -i 's#docker.io/calico/pod2daemon-flexvol:v3.22.2#registry.cn-shanghai.aliyuncs.com/wanfei/pod2daemon-flexvol:v3.22.2#' /root/i/calico.yaml
sed -i 's#docker.io/calico/node:v3.22.2#registry.cn-shanghai.aliyuncs.com/wanfei/node:v3.22.2#' /root/i/calico.yaml
sed -i 's#docker.io/calico/kube-controllers:v3.22.2#registry.cn-shanghai.aliyuncs.com/wanfei/kube-controllers:v3.22.2#' /root/i/calico.yaml
# 执行
kubectl apply -f /root/i/calico.yaml
