序言
生产环境中部署Kubernetes集群,通常使用Kubeadm和二进制包的方式。使用kubeadm部署降低了k8s的部署难度,也隐藏了很多细节,不利于问题排查和内网条件下使用。因此,在实际工作中推荐使用二进制包部署Kubernetes集群。
环境准备
禁用SELinux
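# Switch SELinux off for the running system; the edit below makes it persistent
# across the reboot later in this procedure.
setenforce 0
# Match whatever mode is currently configured: the original pattern only replaced
# "enforcing", so a host already in "permissive" (as the output below shows) kept
# its old value.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
# Show the effective (non-comment) settings.
grep -v '#' /etc/selinux/config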
SELINUX=permissive
SELINUXTYPE=targeted
时间同步
使用Chrony实现K8S集群服务器的时间同步。
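# Install chrony on every node.
yum install chrony
# Start the daemon, check it came up, and enable it at boot.
systemctl start chronyd
systemctl status chronyd
systemctl enable chronyd
# Edit /etc/chrony.conf, then review the effective (non-comment) lines.
grep -v '#' /etc/chrony.conf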
# Time source: 192.168.2.138 is k8s-master in /etc/hosts; iburst speeds up the
# first synchronisation. NOTE(review): confirm which host this file was taken
# from — on the master itself this line points at its own address.
server 192.168.2.138 iburst
driftfile /var/lib/chrony/drift
# Step the clock when the offset exceeds 1s during the first 3 updates.
makestep 1.0 3
rtcsync
# Serve NTP to the whole 192.168.2.0/24 subnet; only needed on the host the
# other nodes sync from.
allow 192.168.2.0/24
# Keep serving local time at stratum 10 if the upstream source is unreachable.
local stratum 10
logdir /var/log/chrony
# Check the time sources chrony is using; "^*" marks the currently selected one.
chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* k8s-master 10 7 377 827 +7ns[-2074ns] +/- 5126ns
cat /etc/hosts
192.168.2.138 k8s-master
192.168.2.142 k8s-node1
192.168.2.143 k8s-node2
修改内核参数
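# The bridge-nf-call-* sysctls only exist once br_netfilter is loaded; load it
# now and persist it, otherwise "sysctl --system" reports "No such file or
# directory" for those two keys.
modprobe br_netfilter
cat > /etc/modules-load.d/br_netfilter.conf << "EOF"
br_netfilter
EOF
# Forwarding plus bridged-traffic filtering, required by kube-proxy/CNI.
cat > /etc/sysctl.d/k8s.conf << EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system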
关闭和禁用防火墙
systemctl stop firewalld && systemctl disable firewalld
加载ipvs模块
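yum install ipset ipvsadm -y
# Persist the module list: a plain modprobe does not survive the reboot that
# follows, so write it to modules-load.d as well.
cat > /etc/modules-load.d/ipvs.conf << "EOF"
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack_ipv4
EOF
# NOTE(review): on kernels >= 4.19 the module is called nf_conntrack rather than
# nf_conntrack_ipv4 — check against the running kernel.
for mod in ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack_ipv4; do
  modprobe -- "$mod"
done
# Verify (the module names contain an underscore: "ip_vs", not "ipvs").
lsmod | grep -e ip_vs -e nf_conntrack_ipv4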
配置ssh进行免密登录
# Run on the master only: create a key pair and push the public key to both
# nodes so the later scp steps need no password. NOTE(review): the targets are
# the root account, so sshd on the nodes must permit key-based root login.
ssh-keygen -t rsa
ssh-copy-id root@192.168.2.142
ssh-copy-id root@192.168.2.143
重启系统
reboot
二进制安装docker(所有节点)
# Remove any distro or legacy Docker packages before installing the static build.
yum remove docker docker-client docker-client-latest docker-common docker-latest \
  docker-latest-logrotate docker-logrotate docker-engine
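# Download the static Docker release.
wget https://download.docker.com/linux/static/stable/x86_64/docker-20.10.9.tgz
# Record the archive checksum and compare it with a known-good value before
# copying binaries into /usr/bin as root.
sha256sum docker-20.10.9.tgz
# Unpack and install.
tar -xvf docker-20.10.9.tgz
cp docker/* /usr/bin/
# Smoke test: run the daemon in the background, query it, then stop it again.
# Leaving this instance running makes the systemd-managed docker.service started
# later fail (pid file and socket already in use).
dockerd &
dockerd_pid=$!
sleep 5
docker info
kill "$dockerd_pid"
wait "$dockerd_pid"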
准备docker的service文件,将docker注册为系统服务
vim /etc/systemd/system/docker.service
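[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
# "Requires=docker.socket" was removed: this procedure installs no docker.socket
# unit, so the dependency would make "systemctl start docker" fail. dockerd
# creates /var/run/docker.sock itself.
[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
# Only the daemon is killed on stop; running containers are left alone.
KillMode=process
[Install]
WantedBy=multi-user.target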
# Enable at boot and start the systemd-managed daemon.
systemctl enable docker && systemctl start docker
# Verify the daemon answers.
docker info
# Edit the daemon configuration. NOTE: daemon.json must be strict JSON — dockerd
# rejects "#" comment lines such as the one inside the sample below, so remove
# it before restarting.
vim /etc/docker/daemon.json
{
"registry-mirrors": [ "https://rxazgoo0.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"max-concurrent-downloads": 10,
"log-driver": "json-file",
"log-level": "warn",
"log-opts": {
"max-size": "10m",
"max-file": "3"
},
#默认数据目录
"data-root": "/var/lib/docker"
}
# Reload unit definitions and restart docker so daemon.json takes effect.
systemctl daemon-reload
systemctl restart docker
二进制部署K8S
安装etcd(master节点)
创建目录
# Directory layout under /opt/cluster: certificates, kubelet, component logs,
# network/DNS plugins and etcd data/wal/config.
mkdir -p \
  /opt/cluster/ssl/{rootca,etcd,kubernetes} \
  /opt/cluster/kubelet/ssl \
  /opt/cluster/log/{kube-apiserver,kube-controller-manager,kube-scheduler,kube-proxy,kubelet} \
  /opt/cluster/plugins/{calico,coredns} \
  /opt/cluster/etcd/{data,wal,cfg}
证书制作
工具准备
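# cfssl releases: https://github.com/cloudflare/cfssl/releases
mkdir -p tools
# Stop here if the directory cannot be entered, instead of downloading into cwd.
cd tools || exit 1
for tool in cfssl cfssljson cfssl-certinfo; do
  wget "https://github.com/cloudflare/cfssl/releases/download/v1.6.1/${tool}_1.6.1_linux_amd64"
done
# Print the checksums and compare them with the values published for the
# release before installing the binaries system-wide.
sha256sum cfssl*_1.6.1_linux_amd64
for tool in cfssl cfssljson cfssl-certinfo; do
  mv "${tool}_1.6.1_linux_amd64" "$tool"
done
chmod +x cfssl*
cp cfssl* /usr/local/bin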
制作证书
cd /opt/cluster/ssl
# cfssl signing policy. NOTE(review): the single "common" profile carries both
# "server auth" and "client auth", and the validity is 87600h (10 years) —
# long-lived; shorten it if certificate rotation is planned.
cat > cfssl-conf.json << "EOF"
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"common": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
EOF
cd /opt/cluster/ssl
# CSR for the self-signed root CA (ECDSA P-256 key, CN "rootca").
cat > rootca/rootca-csr.json << "EOF"
{
"CN": "rootca",
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [{
"C": "CN",
"ST": "YN",
"L": "KM",
"O": "LOCAL",
"OU": "LOCAL"
}]
}
EOF
cd /opt/cluster/ssl
# CSR for the etcd server/peer certificate. "hosts" must list every address etcd
# is reached at (loopback plus the three node IPs). If the cluster may grow
# later, either reserve extra IPs here now, or add them, re-issue the
# certificate and restart the etcd cluster when scaling.
cat > etcd/etcd-csr.json << "EOF"
{
"CN": "etcd-cluster",
"hosts": [
"127.0.0.1",
"192.168.2.138",
"192.168.2.142",
"192.168.2.143"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [{
"C": "CN",
"ST": "YN",
"L": "KM",
"O": "FENG",
"OU": "HAIYANG"
}]
}
EOF
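cd /opt/cluster/ssl
# 1) Self-sign the root CA from rootca/rootca-csr.json
#    -> rootca/rootca.pem, rootca/rootca-key.pem (the original skipped this step
#    and referenced ca.pem / ca-conf.json / server-csr.json, none of which exist).
cfssl gencert -initca rootca/rootca-csr.json | cfssljson -bare rootca/rootca
# 2) Issue the etcd server/peer certificate with the "common" profile from
#    cfssl-conf.json. Output names match what the etcd unit file expects
#    (/opt/cluster/ssl/etcd/server.pem, server-key.pem, ca.pem).
cfssl gencert -ca=rootca/rootca.pem -ca-key=rootca/rootca-key.pem \
  -config=cfssl-conf.json -profile=common etcd/etcd-csr.json | cfssljson -bare etcd/server
cp rootca/rootca.pem etcd/ca.pem
# Expected: ls rootca/*.pem etcd/*.pem
#   rootca/rootca-key.pem rootca/rootca.pem etcd/ca.pem etcd/server-key.pem etcd/server.pem
# Copy the certificates to the other nodes. NOTE(review): this ships the whole
# ssl/ tree including the CA private key (rootca/rootca-key.pem); etcd on the
# nodes only needs the etcd/ directory.
scp -r /opt/cluster/ssl 192.168.2.142:/opt/cluster/
scp -r /opt/cluster/ssl 192.168.2.143:/opt/cluster/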
etcd下载和部署
下载和解压
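# etcd is maintained at https://github.com/etcd-io/etcd
# One version/arch throughout: the original downloaded the arm64 archive, then
# extracted an amd64 one and copied 3.5.1 binaries to the nodes.
ETCD_VER=v3.5.3
wget "https://github.com/etcd-io/etcd/releases/download/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz"
# Compare with the checksums published for the release before installing.
sha256sum "etcd-${ETCD_VER}-linux-amd64.tar.gz"
# Unpack and install locally.
tar -zxvf "etcd-${ETCD_VER}-linux-amd64.tar.gz"
cp "etcd-${ETCD_VER}-linux-amd64"/etcd* /usr/local/bin/
chmod +x /usr/local/bin/etcd*
# Copy the binaries to the other nodes.
scp -r "etcd-${ETCD_VER}-linux-amd64"/{etcd,etcdctl} root@192.168.2.142:/usr/local/bin
scp -r "etcd-${ETCD_VER}-linux-amd64"/{etcd,etcdctl} root@192.168.2.143:/usr/local/bin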
创建配置文件
vim /opt/cluster/etcd/cfg/etcd
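#[Member]
# Values for the master (etcd01). On etcd02/etcd03 change ETCD_NAME and every
# 192.168.2.138 URL to that node's own address (see ETCD_INITIAL_CLUSTER).
ETCD_NAME="etcd01"
# Use the data directory created earlier under /opt/cluster/etcd; the previous
# value (/var/lib/etcd/default.etcd) left that directory unused.
ETCD_DATA_DIR="/opt/cluster/etcd/data"
ETCD_LISTEN_PEER_URLS="https://192.168.2.138:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.2.138:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.2.138:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.2.138:2379"
ETCD_INITIAL_CLUSTER="etcd01=https://192.168.2.138:2380,etcd02=https://192.168.2.142:2380,etcd03=https://192.168.2.143:2380"
# Bootstrap token only (keeps clusters from accidentally joining each other);
# peer authentication comes from TLS, not from this value.
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# "new" for the first bootstrap; "existing" when a member joins a running cluster.
ETCD_INITIAL_CLUSTER_STATE="new"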
创建systemd管理etcd
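[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
# Per-node variables (name, URLs, cluster state)
EnvironmentFile=/opt/cluster/etcd/cfg/etcd
# --client-cert-auth / --peer-client-cert-auth make the TLS listeners require a
# certificate signed by ca.pem; without them any host that can reach 2379/2380
# over TLS gets unauthenticated access to the store.
# --initial-cluster-state now comes from the environment file instead of a
# hard-coded "new", so the same unit works when a member joins later.
# NOTE(review): the plain-HTTP listener on 127.0.0.1:2379 bypasses client-cert
# auth for any local process; drop it if local etcdctl can use certificates.
ExecStart=/usr/local/bin/etcd \
--name=${ETCD_NAME} \
--data-dir=${ETCD_DATA_DIR} \
--listen-peer-urls=${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=${ETCD_INITIAL_CLUSTER_STATE} \
--cert-file=/opt/cluster/ssl/etcd/server.pem \
--key-file=/opt/cluster/ssl/etcd/server-key.pem \
--peer-cert-file=/opt/cluster/ssl/etcd/server.pem \
--peer-key-file=/opt/cluster/ssl/etcd/server-key.pem \
--trusted-ca-file=/opt/cluster/ssl/etcd/ca.pem \
--peer-trusted-ca-file=/opt/cluster/ssl/etcd/ca.pem \
--client-cert-auth \
--peer-client-cert-auth
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target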
#启动并设置开机启动
版权声明:本文为fengjiahu1111原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接和本声明。