1、關閉selinux&firewalld
# Stop firewalld now and remove it from boot; the disable only runs if the stop succeeded.
systemctl stop firewalld && systemctl disable firewalld
# Put SELinux into permissive mode for the running system only (not persistent).
setenforce 0
# Persist across reboots: rewrites a line that is exactly "SELINUX=enforcing" to "SELINUX=disabled".
# A config already set to "permissive" is left untouched by this pattern.
# NOTE(review): this leaves the node with no host firewall and no SELinux confinement for
# containers. Upstream kubeadm instructions use SELINUX=permissive, and the required ports can be
# opened in firewalld instead of disabling it; confirm which applies outside a lab.
sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/g' /etc/selinux/config
2、關閉swap
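# Turn off all active swap for the running system.
swapoff -a
# Comment out the swap entries in /etc/fstab so swap stays off after a reboot.
# Only uncommented lines containing the whole word "swap" as a whitespace-delimited field are
# touched. The original pattern 'swap*' means "swa" plus any number of "p", so it would also
# comment out any uncommented line that merely contained "swa" (for example in a mount path).
sed -i '/^[^#].*[[:space:]]swap[[:space:]]/s/^/#/' /etc/fstab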
3、安裝依賴及常用工具
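# Install storage/LVM prerequisites and common tools in one transaction.
# yum-utils was listed twice in the original command; naming it once installs the same set.
yum install -y yum-utils device-mapper-persistent-data lvm2 wget vim net-tools epel-release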
添加加載的內核模塊
# Record the two kernel modules in /etc/modules-load.d so they are loaded again at boot.
# tee runs under sudo because the target directory is root-owned; it also echoes the
# written content to stdout. The quoted delimiter writes the lines literally.
sudo tee /etc/modules-load.d/containerd.conf <<'EOF'
overlay
br_netfilter
EOF
4、加載內核模塊
# Load the modules into the running kernel now, in the same order as the tutorial
# (overlay first, then br_netfilter), without waiting for a reboot.
for kmod in overlay br_netfilter; do
  modprobe "$kmod"
done
5、設置內核參數
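# Write the kernel parameters for bridged container traffic and IPv4 forwarding.
# The original listing had stray "?" characters between the key names and "=" (garbled
# padding); written as-is they would become part of the key name and the two settings would
# not be applied. They are replaced with plain spaces here.
# The net.bridge.* keys only exist once the br_netfilter module is loaded.
cat <<'EOF' | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
net.bridge.bridge-nf-call-iptables  = 1
net.ipv4.ip_forward                 = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF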
6、應用內核參數
# Re-read every sysctl configuration file (including /etc/sysctl.d/*.conf) and apply the values
# to the running kernel; the applied settings are printed, so the three keys can be checked there.
sysctl --system
7、添加docker源
# Register the docker-ce repository (Aliyun mirror, CentOS 7 x86_64 stable), which provides
# the containerd.io package. gpgcheck=1 together with gpgkey means yum verifies package
# signatures against the key fetched over HTTPS from the same mirror.
sudo tee /etc/yum.repos.d/docker-ce.repo <<'EOF'
[docker]
name=docker-ce
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
EOF
8、安裝containerd
# Upgrade all installed packages, then install containerd from the docker-ce repository.
# The install only runs if the update succeeded.
yum -y update && yum -y install containerd.io
# To install a specific version, use containerd.io-x.x.x as the package name.
# "yum -y update" is only needed when the system itself should be upgraded.
9、配置containerd
# Create the configuration directory (no error if it already exists).
mkdir -p /etc/containerd
# Dump containerd's built-in default configuration and write it as the config file.
# This overwrites any existing /etc/containerd/config.toml; tee also prints the content.
containerd config default | sudo tee /etc/containerd/config.toml
(1)修改cgroup Driver為systemd
在配置文件中 [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] 段下添加SystemdCgroup = true(默認配置中若沒有該段,需自行添加)
(2)鏡像加速
endpoint位置添加阿里云的鏡像源
$ vim /etc/containerd/config.toml
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://xxxxxxxx.mirror.aliyuncs.com"]
(3)更改sandbox_image
$ vim /etc/containerd/config.toml
...
  [plugins."io.containerd.grpc.v1.cri"]
    disable_tcp_service = true
    stream_server_address = "127.0.0.1"
    stream_server_port = "0"
    stream_idle_timeout = "4h0m0s"
    enable_selinux = false
    selinux_category_range = 1024
    # 將這里改為aliyun的鏡像源
    sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.4.1"
10、啟動服務
# Enable containerd at boot, then start it now; the start only runs if the enable succeeded.
systemctl enable containerd && systemctl start containerd
11、(可選)如果你的環境中通過網絡代理去訪問外網,containerd也需要單獨添加代理
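# Create the systemd drop-in directory for containerd. -p keeps this step re-runnable:
# the plain mkdir in the original fails if the directory already exists.
mkdir -p /etc/systemd/system/containerd.service.d
# Drop-in that passes proxy settings to the containerd service as environment variables.
# Replace the <proxy_ip>/<proxy_port> and x.x.x.x placeholders before use; the quoted
# delimiter writes the text literally.
# NOTE(review): NO_PROXY presumably needs to cover node and cluster-internal addresses and any
# internal registry so that traffic is not sent through the proxy; confirm for your network.
cat > /etc/systemd/system/containerd.service.d/http_proxy.conf << 'EOF'
[Service]
Environment="HTTP_PROXY=http://<proxy_ip>:<proxy_port>/"
Environment="HTTPS_PROXY=http://<proxy_ip>:<proxy_port>/"
Environment="NO_PROXY=x.x.x.x,x.x.x.x"
EOF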
12、加載配置并重啟服務
# Make systemd re-read unit files and drop-ins, then restart containerd so that the edited
# config.toml and any proxy drop-in take effect. The restart only runs if the reload succeeded.
systemctl daemon-reload && systemctl restart containerd
13、下載鏡像檢測containerd是否正常
# Smoke test: pull a small public image through containerd with ctr.
# As this page notes for crictl, registry mirrors configured for the CRI plugin do not apply
# to ctr, so this pull goes to docker.io itself (via the proxy, if one was configured).
ctr images pull docker.io/library/nginx:alpine
ctr是containerd自帶的命令行客戶端
14、添加kubernetes 源
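# Register the Kubernetes yum repository from the Aliyun mirror.
# gpgcheck=1 makes yum verify each RPM's signature against the keys on the gpgkey line.
# With the original gpgcheck=0 those keys were listed but never used, so kubelet, kubeadm
# and kubectl would be installed as root with no signature check at all.
# repo_gpgcheck stays 0 as in the original (repository metadata is not signature-checked).
# NOTE(review): if the mirror's packages do not verify against these keys, the install stops;
# resolve the key mismatch rather than switching gpgcheck back to 0.
cat > /etc/yum.repos.d/kubernetes.repo << 'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF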
15、安裝kubeadm,kubelet和kubectl
# Install the three components pinned to the same version (1.21.0) so they stay in step.
yum install -y kubelet-1.21.0 kubeadm-1.21.0 kubectl-1.21.0
# Enable kubelet at boot. This line does not start it.
systemctl enable kubelet
16、設置crictl
使用除docker以外的CRI時,需要使用crictl來進行鏡像管理,相當于docker-cli
Containerd 只支持通過 CRI 拉取鏡像的 mirror,也就是說,只有通過 crictl 或者 Kubernetes 調用時 mirror 才會生效,通過 ctr 拉取是不會生效的。crictl是k8s內部的鏡像管理命令。
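# Point crictl at the containerd socket for both the runtime and the image service.
# The file is written with ">" instead of the original ">>": appending on a second run (or to
# an existing file) would leave duplicate keys in /etc/crictl.yaml.
cat << 'EOF' > /etc/crictl.yaml
runtime-endpoint: unix:///var/run/containerd/containerd.sock
image-endpoint: unix:///var/run/containerd/containerd.sock
timeout: 10
debug: false
EOF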
17、下載鏡像
# Pull an image through the CRI endpoint configured in /etc/crictl.yaml. Unlike ctr, this path
# uses the registry mirror configured for the CRI plugin in config.toml.
crictl pull nginx:latest
crictl基本上與docker用法一致
18、對接kubelet
vi /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS=--container-runtime=remote --container-runtime-endpoint=unix:///run/containerd/containerd.sock --cgroup-driver=systemd
19、master需要重新創建token,可以直接使用命令快捷生成:
# Create a new bootstrap token on the master and print the complete "kubeadm join" command.
# The printed command embeds the token and the CA certificate hash, so handle it as a
# credential and keep it out of shared logs. Tokens expire after 24h by default; --ttl sets a
# different lifetime.
kubeadm token create --print-join-command
生成的命令在worknode上執行加入集群
若創建鏡像超時,可手工拉取kube-proxy、core-dns、pause
20、master 節點再次執行kubectl apply -f calico.yaml,使worknode節點部署calico網絡組件。