This chapter begins the actual Kubernetes cluster setup. The tool used is kubeadm, which ships with k8s itself. The version used here is v1.27.3.
Before starting, some preparation is needed.
1. Because of the particularities of the network inside China, the k8s-related images cannot be downloaded directly, so the relevant images have to be pulled in advance. The method used here is to put an HTTP proxy in front of containerd. The steps are as follows:
nano /etc/crictl.yaml
Edit it as follows so that images can be pulled:
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
mkdir /etc/systemd/system/containerd.service.d
cat << EOF >/etc/systemd/system/containerd.service.d/http_proxy.conf
[Service]
Environment="HTTP_PROXY=http://192.168.31.98:1081"
Environment="HTTPS_PROXY=http://192.168.31.98:1081"
Environment="NO_PROXY=127.0.0.1,localhost,192.168.0.0/16"
EOF
systemctl daemon-reload
systemctl restart containerd
kubeadm config images list | xargs -I {} crictl --debug pull {}
crictl images
To revert:
rm -rf /etc/systemd/system/containerd.service.d
systemctl daemon-reload
systemctl restart containerd
After running these in order, containerd returns to normal. The advantage of this approach is that it leaves no trace once it has been undone. For pulling images with docker there are many other solutions, such as using a domestic mirror registry; readers can try those on their own.
You can run crictl images to check whether the images have been downloaded successfully.
Now the first real step: initialize a control plane. On k8s-master01 run:
kubeadm init \
--control-plane-endpoint=mws-cluster001.cluster \
--cri-socket=unix:///run/containerd/containerd.sock \
--kubernetes-version=1.27.3 \
--pod-network-cidr=172.21.0.0/16 \
--service-cidr=172.22.0.0/16 \
--upload-certs
After initialization succeeds, the following message appears; it includes the token and the other information needed to join the cluster:
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of the control-plane node running the following command on each as root:
kubeadm join mws-cluster001.cluster:6443 --token vgqta4.7c5w6j7us5v6o7cr \
--discovery-token-ca-cert-hash sha256:604bb4c5c101511be89dcaad4f284c1997b448b850f0c3c694f677260021e120 \
--control-plane --certificate-key 07559af46e45aa76bf920a2549a3bc0d448d6a56b7d8adaae01f4ab96421ea12
Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join mws-cluster001.cluster:6443 --token vgqta4.7c5w6j7us5v6o7cr \
--discovery-token-ca-cert-hash sha256:604bb4c5c101511be89dcaad4f284c1997b448b850f0c3c694f677260021e120
Remove the taint that keeps pods off the control-plane nodes (the trailing - in the command removes the taint; skip this step if the control-plane nodes should stay free of workloads):
kubectl taint nodes --all node-role.kubernetes.io/control-plane-
Configure the network plugin. The available network plugins are listed at https://kubernetes.io/zh/docs/concepts/cluster-administration/networking/ . Calico is used here; the installation documentation is at https://projectcalico.docs.tigera.io/getting-started/kubernetes/ , and the concrete steps are:
kubectl create -f https://projectcalico.docs.tigera.io/manifests/tigera-operator.yaml
wget https://projectcalico.docs.tigera.io/manifests/custom-resources.yaml
nano custom-resources.yaml
Change the IP pool CIDR to the pod IP range, 172.21.0.0/16
kubectl create -f custom-resources.yaml
Wait for it to finish:
watch kubectl get pods -n calico-system
Later you can install calicoctl, the Calico management tool; see https://projectcalico.docs.tigera.io/maintenance/clis/calicoctl/install
On k8s-master02 and k8s-master03, join each as a control-plane node by running:
kubeadm join mws-cluster001.cluster:6443 --token vgqta4.7c5w6j7us5v6o7cr \
--discovery-token-ca-cert-hash sha256:604bb4c5c101511be89dcaad4f284c1997b448b850f0c3c694f677260021e120 \
--control-plane --certificate-key 7f298a6b47137bb280fdfcc3f5107a14fcfe2dff4d2b12afe987c0d1ec09ed7b
If the uploaded certs have expired (kubeadm deletes them two hours after upload), run:
kubeadm init phase upload-certs --upload-certs
If the token has expired, run:
kubeadm token list
kubeadm token create
and replace the token in the command.
If you do not have the --discovery-token-ca-cert-hash value, you can compute it with:
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | \
openssl dgst -sha256 -hex | sed 's/^.* //'
On k8snode01 through k8snode04, join each as a worker node by running:
kubeadm join mws-cluster001.cluster:6443 --token vgqta4.7c5w6j7us5v6o7cr \
--discovery-token-ca-cert-hash sha256:604bb4c5c101511be89dcaad4f284c1997b448b850f0c3c694f677260021e120
If the uploaded certs have expired, run (only relevant when the certificate key is needed, i.e. for control-plane joins; worker joins do not use it):
kubeadm init phase upload-certs --upload-certs
If the token has expired, run:
kubeadm token list
kubeadm token create
and replace the token in the command.
If you do not have the --discovery-token-ca-cert-hash value, you can compute it with:
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | \
openssl dgst -sha256 -hex | sed 's/^.* //'
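The hash-recomputation step above (given for both the control-plane and the worker joins) wrapped into a reusable check, as an added shell example that is not part of the original post: it computes the same value as the page's openssl pipeline, extracts the sha256: value from a join command line, and verifies the two match before a node trusts the API server, so a stale or copy-pasted hash is caught before joining. It assumes the openssl CLI is installed; the function names and the throwaway self-signed CA are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify the CA hash that
# --discovery-token-ca-cert-hash pins before running kubeadm join.
set -eu

# ca_pubkey_hash <ca.crt>: prints "sha256:<hex>" of the DER-encoded
# SubjectPublicKeyInfo of the CA cert, which is what kubeadm pins.
# `openssl pkey` handles both RSA and ECDSA CA keys.
ca_pubkey_hash() {
  printf 'sha256:%s\n' "$(openssl x509 -pubkey -noout -in "$1" \
    | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex | sed 's/^.* //')"
}

# ca_pubkey_hash_rsa <ca.crt>: the exact pipeline from the post, kept for
# comparison; it only works for RSA CA keys.
ca_pubkey_hash_rsa() {
  printf 'sha256:%s\n' "$(openssl x509 -pubkey -in "$1" \
    | openssl rsa -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex | sed 's/^.* //')"
}

# join_cmd_hash <join command text>: extracts the sha256:... value from a
# "kubeadm join ..." line (accepts both "flag value" and "flag=value").
join_cmd_hash() {
  printf '%s\n' "$1" \
    | sed -n 's/.*--discovery-token-ca-cert-hash[ =]\(sha256:[0-9a-f]*\).*/\1/p'
}

# check_join_hash <ca.crt> <sha256:...>: returns 0 when the hash in the
# join command matches the CA on disk, 1 otherwise.
check_join_hash() {
  [ "$(ca_pubkey_hash "$1")" = "$2" ]
}

# make_demo_ca: creates a throwaway self-signed CA (constructed for the
# demo; on a real control plane use /etc/kubernetes/pki/ca.crt instead)
# and prints the path of the certificate.
make_demo_ca() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=kubernetes' \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 1 >/dev/null 2>&1
  printf '%s\n' "$dir/ca.crt"
}
```

On a node about to join, run check_join_hash /etc/kubernetes/pki/ca.crt "$(join_cmd_hash "<join command>")" with the ca.crt copied from the control plane; a non-zero exit means the hash in the join command does not belong to this cluster's CA.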
With that, the initialization of the whole cluster is complete.
Reference documentation:
- https://kubernetes.io/zh/docs/setup/production-environment/