基礎(chǔ)環(huán)境:centos7
當(dāng)前k8s版本: v1.13
集群清單:
| 節(jié)點 | IP |
|---|---|
| master | 192.168.0.101 |
| worker01 | 192.168.0.102 |
1. 準(zhǔn)備工作
創(chuàng)建服務(wù)器的時候矛洞,系統(tǒng)盤不要小于50G,另外再分配個不小于100G的獨立硬盤,內(nèi)存不要小于16G(master節(jié)點配置可以適當(dāng)調(diào)低,內(nèi)存8G,硬盤20G+20G)
- 關(guān)閉selinux
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config
- 關(guān)閉swap
使用free指令查看系統(tǒng)swap是否有開啟拴孤,如果開啟了,編輯 /etc/fstab甲捏,直接刪除掉swap列
- 給docker分配獨立硬盤
mkdir -p /var/lib/docker
fdisk -l
fdisk /dev/vdb # n p 3個回車 w
mkfs.ext4 /dev/vdb1
cat << EOF >> /etc/fstab
/dev/vdb1 /var/lib/docker ext4 defaults 1 1
EOF
mount -a
- 內(nèi)核參數(shù)修改
cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
- 防火墻端口開放
一般生產(chǎn)環(huán)境可以簡單的關(guān)閉防火墻來開放接口演熟,最后通過云管理平臺來約束物理節(jié)點的端口訪問
service firewalld stop
systemctl disable firewalld
2. 安裝 k8s組件
-
kubeadm: 用來創(chuàng)建集群的工具,隨k8s版本升級司顿,易用性會越來越強 -
kubelet: 以服務(wù)模式運行芒粹,可以理解為k8s在物理節(jié)點上的代理,k8s通過它來控制分配在節(jié)點上的所有容器 -
kubectl: 日常和k8s對話的工具
# 使用阿里鏡像
cat <<EOF > /etc/yum.repos.d/k8s.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
cat >/etc/sysconfig/kubelet<<EOF
KUBELET_EXTRA_ARGS="--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.1"
EOF
# 安裝
yum install -y docker kubelet kubeadm kubectl
systemctl enable docker kubelet
建議安裝成功以后大溜,打一個基礎(chǔ)鏡像化漆,后面的物理節(jié)點可以直接克隆鏡像
3. 部署master節(jié)點
k8s的節(jié)點名稱顯示都是使用節(jié)點的主機名,所以所有的物理節(jié)點都需要按照集群架構(gòu)設(shè)置合理的主機名
hostnamectl set-hostname master
kubeadm init是初始化指令钦奋,目前的版本座云,k8s初始化的時候,第一件事是通知docker拉鏡像付材,時間會比較長朦拖,命令行也不會有提示,官方給的建議厌衔,先執(zhí)行如下指令預(yù)加載鏡像
官方推薦使用flannel做為集群內(nèi)部網(wǎng)絡(luò)模式璧帝,設(shè)置cidr為10.244.0.0/16,k8s將使用flannel模式初始化集群
cat <<EOF > kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1alpha3
kind: ClusterConfiguration
kubernetesVersion: stable
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
networking:
podSubnet: "10.244.0.0/16"
EOF
kubeadm config images pull --config kubeadm-config.yaml
kubeadm init --config kubeadm-config.yaml
在初始化過程中如果出現(xiàn)錯誤富寿,必須執(zhí)行kubeadm reset 重置才能再次初始化睬隶,安裝成功以后會出現(xiàn)如下消息提示
Your Kubernetes master has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of machines by running the following on each node
as root:
kubeadm join 192.168.0.101:6443 --token yu6t36.bitufx18dfy10od6 --discovery-token-ca-cert-hash sha256:bb247916192cd029421de621d7af3fee0894f96b77f216b8317f25d2c319ed52
提示里面的信息很重要锣夹!
其中kubeadm join 是工作節(jié)點加入集群的指令,第一次創(chuàng)建集群需要把這行代碼復(fù)制下來苏潜,后面需要使用到银萍,當(dāng)然萬一丟失了也沒關(guān)系,后面會介紹補救方法恤左。
我們需要將k8s系統(tǒng)生產(chǎn)的admin.conf拷貝到~/.kube/config砖顷,kubectl才能正常工作,否則kubectl執(zhí)行的錯誤如下:
[root@master ~]# kubectl get nodes
The connection to the server localhost:8080 was refused - did you specify the right host or port?
正常的執(zhí)行結(jié)果如下:
[root@master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master NotReady master 12m v1.13.1
接下來需要安裝flannel組件赃梧,這樣master節(jié)點才能變成Ready狀態(tài)
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
執(zhí)行正常屏幕會輸出
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
serviceaccount/flannel created
configmap/kube-flannel-cfg created
daemonset.extensions/kube-flannel-ds-amd64 created
daemonset.extensions/kube-flannel-ds-arm64 created
daemonset.extensions/kube-flannel-ds-arm created
daemonset.extensions/kube-flannel-ds-ppc64le created
daemonset.extensions/kube-flannel-ds-s390x created
等一會使用kubectl可以看到master已經(jīng)處于Ready狀態(tài)
[root@master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master Ready master 6m29s v1.13.1
4. 工作節(jié)點加入集群
使用鏡像創(chuàng)建工作節(jié)點,記得將節(jié)點改個名字
hostnamectl set-hostname worker01
使用上面master初始化成功屏幕輸出的kubeadm join...指令即可加入集群
kubeadm join 192.168.0.101:6443 --token yu6t36.bitufx18dfy10od6 --discovery-token-ca-cert-hash sha256:bb247916192cd029421de621d7af3fee0894f96b77f216b8317f25d2c319ed52
此步一般不會出錯豌熄,屏幕會出如下提示
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the master to see this node join the cluster.
我們回到master上去看看節(jié)點狀態(tài)
[root@master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master Ready master 17m v1.13.1
worker01 NotReady <none> 3m30s v1.13.1
屏幕顯示節(jié)點已經(jīng)正常加入了授嘀,但是狀態(tài)是NotReady,此時master會通知節(jié)點創(chuàng)建2個pod(kube-flannel, kube-proxy)锣险,我們在master上可以通過kubectl觀測pod的創(chuàng)建進度
[root@master ~]# kubectl get pods -n kube-system -o wide |grep worker
kube-flannel-ds-amd64-pd9xv 1/1 Running 0 16m 192.168.0.102 worker01 <none>
kube-proxy-b4pgl 1/1 Running 0 16m 192.168.0.102 worker01 <none>
pod處于running以后蹄皱,工作節(jié)點狀態(tài)就會變成Ready了
[root@master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master Ready master 20m v1.13.1
worker01 Ready <none> 7m11s v1.13.1
- 如果kubeadm join需要的token參數(shù)過期或者遺失怎么辦:
在master上執(zhí)行
[root@master ~]# kubeadm token create
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
qbyhi6.p8zg6r3eir4xqqmn 23h 2018-11-16T16:37:19+08:00 authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
[root@master ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
dfc5b832302e76b277ca2bf79ba86d43d5337d15b3abdaf90be052ad58f0f2a9
拼接出來的join指令如下
kubeadm join --token qbyhi6.p8zg6r3eir4xqqmn --discovery-token-ca-cert-hash sha256:dfc5b832302e76b277ca2bf79ba86d43d5337d15b3abdaf90be052ad58f0f2a9 192.168.0.101:6443
