部署k8s集群步骤 kubernetes实施步骤

admin

kubernetes的yum源
0 B* J# T( O) ecat > /etc/yum.repos.d/kubernetes.repo <<EOF
  F6 I6 z: B& ]( B8 X  r4 f0 x2 W[kubernetes]
name=kubernetes
baseurl=http://172.24.21.35/centos/kubernetes/
gpgcheck=0
8 z& p4 C. O" q6 i2 m9 L4 b5 JEOF
7 ?* k3 V; M2 L& Z  D

admin

kubeadm init --apiserver-advertise-address=172.24.21.55  --image-repository registry.aliyuncs.com/google_containers  --kubernetes-version v1.28.0 --service-cidr=10.177.100.0/12 --pod-network-cidr=10.233.0.0/16  --cri-socket=unix:///var/run/cri-dockerd.sock [init] Using Kubernetes version: v1.28.0 [preflight] Running pre-flight checks         [WARNING Firewalld]: firewalld is active, please ensure ports [6443 10250] are open or your cluster may not function correctly         [WARNING HTTPProxy]: Connection to "https://172.24.21.55" uses proxy "http://172.24.118.199:3128". If that is not intended, adjust your proxy settings         [WARNING HTTPProxyCIDR]: connection to "10.177.100.0/12" uses proxy "http://172.24.118.199:3128". This may lead to malfunctional cluster setup. Make sure that Pod and Services IP ranges specified correctly as exceptions in proxy configuration         [WARNING HTTPProxyCIDR]: connection to "10.233.0.0/16" uses proxy "http://172.24.118.199:3128". This may lead to malfunctional cluster setup. Make sure that Pod and Services IP ranges specified correctly as exceptions in proxy configuration         [WARNING Hostname]: hostname "k8s-master" could not be reached         [WARNING Hostname]: hostname "k8s-master": lookup k8s-master on 114.114.114.114:53: read udp 172.24.21.55:51870->114.114.114.114:53: i/o timeout [preflight] Pulling images required for setting up a Kubernetes cluster [preflight] This might take a minute or two, depending on the speed of your internet connection [preflight] You can also perform this action in beforehand using 'kubeadm config images pull'

admin

--apiserver-advertise-address   #声明监听ip地址
--image-repository registry.aliyuncs.com/google_containers     #指定仓库
--kubernetes-version   指定k8s的版本

--service-cidr=10.177.100.0/12   #service网段
- M8 x( J# [& t0 N' U; b% \  U7 y9 y8 m--pod-network-cidr=10.233.0.0/16    #pod网段
- s, [% D/ N6 x) Z--cri-socket   指定docker的中间链接软件

admin

--kubernetes-version=v1.17.2
+ e! J% ~' `2 n; K, h' P
版本号，根据自己的情况更改，一般应该和 kubeadm 的版本一致

! E1 `4 p9 W- u* m$ X) c3 y4 N通过如下命令获得

kubeadm version

7 S* @2 Z# |* Y! x4 m% C+ g输出的 GitVersion:"v1.20.4" 就是版本号了
8 N, h* l5 i5 c7 E7 D4 \- N
2 |7 A% Z- k2 @( N# ?! _: p--pod-network-cidr=10.244.0.0/16
3 o  n) b' n8 g, b) j
​ pod 使用的网络，可以自定义，这个根据自己的情况修改，不修改也可以
4 U6 l8 }+ j& c8 x3 J& o. _
​ 好像是固定的

--apiserver-advertise-address=192.168.1.200
​ master 节点的有效 IP 或者可以被解析的 DNS 名称，需要是 master 节点的有效网卡地址，比如 ens33, eth0 等。
7 w* t* x. L$ w: x
--ignore-preflight-errors=Swap
​ 忽略检查 Swap 时候的报错

4 |- ^- ?3 U1 ]+ V( H. B) B6 c--control-plane-endpoint

负载均衡的地址，支持dns解析名或者IP，添加该选项后支持高可用，如果使用dns 记得该dns一定要可以被解析

) Y0 [# ~' g6 m- ^" T4 J--upload-certs

配合高可用使用，可以自动上传证书
9 d: S/ D9 f( r6 r8 t, X

admin

vim deploy-kubeadm.yml
) |3 E+ s( l: N% l$ z( g1 p3 Y---
' {5 Q  U8 P8 S" n# S* x- |- name: Deploy  kubeadm  kubelet kubectl
! k1 |& _* A$ E  hosts: k8s
  gather_facts: no
; T  ?) a+ J; J+ L' [  vars:
    pkg_dir: /kubeadm-pkg
    pkg_names: ["kubelet", "kubeadm", "kubectl"]

% n% u. e4 Z  M6 D: K' M    # 变量 download_host 需要手动设置
    # 且值需要是此 playbook 目标主机中的一个
/ N# @# c3 _# J' ~5 h7 C    # 需要写在 inventory 文件中的名称
    download_host: "master"
    local_pkg_dir: "{{ playbook_dir }}/{{ download_host }}"
" I' p% u! L* }- e# z# @! w
4 Q6 U) I4 u  @. l  f% ~3 a  tasks:
    - name: 测试使用 -e 是否设置并覆盖了变量
$ X" x( ?) p7 {9 ^0 Z6 l      debug:
( g5 P7 E/ k" T3 |2 U9 f        msg: "{{ local_pkg_dir }} {{ download_host }}"
      tags:
" ^0 C" k2 r, z! h9 ~3 K        - deploy
        - test
! ?4 W' m9 ~, O' f" x* S
    - name: "只需要给 {{ download_host }}安装仓库文件"
0 H3 ^7 V, o& O6 H( n) J, q; E      when: inventory_hostname == download_host
, Z8 t% l/ B/ j1 V8 ?      copy:
        src: file/kubernetes.repo
, R, Q3 G# `/ ^) H9 [7 s        dest: /etc/yum.repos.d/kubernetes.repo
  d" I5 }+ ]  J9 m/ r$ S$ S      tags:
        - deploy
- w) C2 t3 Z/ C5 h
    - name: 创建存放 rmp 包的目录
/ ~" C$ F4 Y8 C# Y0 r( H      when: inventory_hostname == download_host
$ j  v8 `' ]: N# K, R( z      file:
        path: "{{ pkg_dir }}"
! y. m7 t5 `- ^8 E- j) }6 h) _, l        state: directory
# b6 T* H+ C- ~4 S* f1 y: d* }. `$ j      tags:
        - deploy

- C  P2 k: Z2 s+ l4 p+ K( @    - name:  下载软件包
2 K  A$ o6 c8 B0 h      when: inventory_hostname == download_host
3 y2 w$ q7 X3 X' c, I5 L' c1 R      yum:
        name: "{{ pkg_names }}"
        download_only: yes
' @. B8 n: I$ _. h1 s. B        download_dir: "{{ pkg_dir }}"
      tags:
: K# x1 j; z- @# z/ u: _  ~3 R( h2 y        - deploy
# ~5 E2 N4 |' c* w. C
    - name: 获取下载目录 "{{ pkg_dir }}" 中的文件列表
$ I  f2 e) L. C, Z) f: y. N      when: inventory_hostname == download_host
( I" ~# A# ~1 {1 F      shell: ls -1 "{{ pkg_dir }}"
: ^; x/ V+ v; _; H2 S      register: files
6 X! i8 V$ U& f9 M' g      tags:
        - deploy
) `3 A: y, O# U9 F& B8 q
* M1 F* ^5 G) ]7 R6 w7 W- Q0 G: ^    - name: 把远程主机下载的软件包传输到 ansible 本地
" \7 ?2 |6 v: j8 R1 {% N7 ~      when: inventory_hostname == download_host
2 N, `) U, r2 P      fetch:
        src: "{{ pkg_dir }}/{{ item }}"
' B- c3 |, x7 z) I! |# q3 o        dest: ./
      loop: "{{files.stdout_lines}}"
& f. D( O: l- @% `- g, \/ B  \      tags:
( B+ a4 o# N& r$ j- b        - deploy

% Q$ M( q7 u8 U: s" H) a    - name: 传输 rpm 包到远程节点
" b1 u: x" R+ P  `  C. n" u4 l9 }      when: inventory_hostname != download_host
      copy:
5 @0 |; R. x& T% u& Q' w        src: "{{ local_pkg_dir }}{{ pkg_dir }}"
        dest: "/"
; t7 k; y& p/ \0 q& m8 n0 T- k      tags:
: O0 H$ V" Q% w" l1 K, h        - deploy
8 H2 y& y: |! |) y' r' ^3 s9 W
  L+ w) ?- |! ^" ]9 a    - name: 正在执行从本地安装软件包
      shell:
* t( d' S: A9 N3 l, _: G, H        cmd: yum -y localinstall *
9 b" l3 N# I8 E4 r        chdir: "{{ pkg_dir }}"
3 t3 s4 f! Q, N2 T% S2 i9 k' Z        warn: no
' j1 ]* v0 b& {      async: 600
% d  @; d1 ?6 `' t7 v      poll: 0
      register: yum_info
      tags:
        - deploy

2 V* [0 o/ T& t; E7 e4 d0 _8 T6 o    - name: 打印安装结果
; n& X- M$ A5 Z+ \  Z6 O. k. p      debug: var=yum_info.ansible_job_id
      tags:
! Y" ?+ E$ m4 L- q# {% r        - deploy

* w/ s) {8 C0 L8 ~" W
# 查看kubernetes依赖的镜像
kubeadm config images list
6 O6 l- `( a$ n0 P. P7 _; [# |7 b1 d
# 不支持高可用的集群初始化
kubeadm init --kubernetes-version=v1.20.4 --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=10.9.29.112 --ignore-preflight-errors=Swap

9 b9 f& K0 u! l* @1 t' v+ H  P, i# 支持高可用的集群初始化
kubeadm init --kubernetes-version=v1.20.4 --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=masterIP --control-plane-endpoint=kube-lab  --ignore-preflight-errors=Swap --upload-certs
, B- v8 x3 ]) a7 \' I/ R2 C5 |; y

# 初始化成功后，会有以下信息，复制后直接在node节点使用即可加入集群
kubeadm join 10.9.29.112:6443 --token en6s67.08rnsg20dc5t8z4n \
( u2 `7 ?. r& z/ j8 r' G7 U    --discovery-token-ca-cert-hash sha256:7d034842b9ee7a6b17d9ce7088839f4570da1c61b29922f28e72b855c10003cc

0 g3 N9 ~- n# l. O# j( Q$ B. E# 如果是高可用，还会有一条，这个使用后会添加一个master进入集群
kubeadm join kub-lab:6443 --token s2ccws.tzb7v4olicidp032 \
    --discovery-token-ca-cert-hash sha256:29a2b437f79c5e4958c3d73e6c64fe0a4df24f0f3bcabd5ced28392d7a882e10 \
    --control-plane --certificate-key c0a9a1c4a067b20dca95447f809d95c973220244c740a47f71d5302e0a759ea7
+ D2 w$ i7 E8 t1 r9 T
9 k; Z" U: m3 F" m! c: Y

1320503165

cat > /etc/docker/daemon.json <<EOF
{
" v- S: O- l7 J' J) c% a"registry-mirrors":[
"https://docker.m.daocloud.io",
"https://huecher.io",
% a2 |% Y! D  `4 Y; ~3 }"https://dockerhub.timeweb.cloud",
/ C9 a7 E- W8 K) W  q3 ]3 e/ F"https://noohub.ru",
6 r( _0 n2 }: G. b; S"https://docker.aws19527.cn"
; `) h0 `& `/ Y) \]
}
. N% X2 T/ n8 Q  TEOF

1320503165

kubeadm init --apiserver-advertise-address=192.168.8.190  --image-repository registry.aliyuncs.com/google_containers  --kubernetes-version v1.28.0 --service-cidr=10.177.100.0/12 --pod-network-cidr=10.233.0.0/16  --cri-socket=unix:///var/run/cri-dockerd.sock  
[init] Using Kubernetes version: v1.28.0
* ^6 z7 |# C4 a[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
0 f' a4 W5 B- j' Q1 y# V[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
W0914 17:05:50.073955    7690 checks.go:835] detected that the sandbox image "registry.k8s.io/pause:3.6" of the container runtime is inconsistent with that used by kubeadm. It is recommended that using "registry.aliyuncs.com/google_containers/pause:3.9" as the CRI sandbox image.
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
% _) B/ Q7 `2 o5 @6 [4 g[certs] Generating "apiserver" certificate and key
  ]# y$ [3 Q8 S& b0 ~4 l[certs] apiserver serving cert is signed for DNS names [kubernetes kubernetes-master kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.176.0.1 192.168.8.190]
5 l$ I* r" q" n, I  `8 E[certs] Generating "apiserver-kubelet-client" certificate and key
& O; C3 d( q- t3 |8 Y2 M[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
/ i) F& J4 ]$ ^" y* D& Q' M! \% p/ s[certs] Generating "etcd/ca" certificate and key
4 V: t% }! m* N9 R9 h* W[certs] Generating "etcd/server" certificate and key
# p$ }6 ?  ]! ~/ x  X. Q[certs] etcd/server serving cert is signed for DNS names [kubernetes-master localhost] and IPs [192.168.8.190 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [kubernetes-master localhost] and IPs [192.168.8.190 127.0.0.1 ::1]
) C5 P. p9 A1 u: c" O: y" N) x, U; y+ _[certs] Generating "etcd/healthcheck-client" certificate and key
$ r# ?/ W% ^0 }2 ?[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
/ a0 W& L5 t3 {; c[kubeconfig] Writing "controller-manager.conf" kubeconfig file
8 j) O: y' `  x: y6 N1 A( C[kubeconfig] Writing "scheduler.conf" kubeconfig file
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
# n8 a1 w6 b' h[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
% Z8 S' e" r6 L0 q$ S) U+ ^$ Y  t+ Y[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
5 O' z; _6 L- D+ v; {[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
" f& @- N, C5 \) U1 z  c! H[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
2 ~5 `/ _% s# z7 D: b0 v8 R. |- }[kubelet-start] Starting the kubelet
8 d  m* o; z1 s8 ^6 U[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[kubelet-check] Initial timeout of 40s passed.
6 M5 Z2 r3 T% R' y

1320503165

[root@kubernetes-master net]# kubeadm init --apiserver-advertise-address=192.168.8.190  --image-repository registry.aliyuncs.com/google_containers  --kubernetes-version v1.28.0 --service-cidr=10.177.100.0/12 --pod-network-cidr=10.233.0.0/16  --cri-socket=unix:///var/run/cri-dockerd.sock  
[init] Using Kubernetes version: v1.28.0
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
! E/ d  |: n; v& M7 }[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
, I' [  c' k" V3 {[certs] Generating "ca" certificate and key
8 |1 }+ v0 ~& A% ]7 N$ z9 T5 c[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [kubernetes kubernetes-master kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.176.0.1 192.168.8.190]
/ d- O) `3 Q. Q[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
0 [$ z) E* L9 J1 E6 g% R" m3 h[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
* ^% ?5 W& V  o) y. E* {1 i, D[certs] etcd/server serving cert is signed for DNS names [kubernetes-master localhost] and IPs [192.168.8.190 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [kubernetes-master localhost] and IPs [192.168.8.190 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
! q7 V! b& ^5 T[certs] Generating "apiserver-etcd-client" certificate and key
+ N* F: w8 O; Z8 F: T0 W2 q" D[certs] Generating "sa" key and public key
3 ~$ v8 h. ?: D$ N' K1 X& @% K[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
* }& D6 ^! S" E, \$ H) t[kubeconfig] Writing "admin.conf" kubeconfig file
3 k$ v5 W3 w: A% J6 V1 u' d[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
8 {3 w, J' t% }3 ~! a[kubeconfig] Writing "scheduler.conf" kubeconfig file
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
# z/ ]: T2 x9 A5 F, j[control-plane] Using manifest folder "/etc/kubernetes/manifests"
# V5 r) a: c/ t: O0 @$ r/ u[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
  q5 y4 P" M$ n9 ?: \[control-plane] Creating static Pod manifest for "kube-scheduler"
2 w* N8 o# @% v* _) r) B3 n1 Q[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
7 U  F4 G2 [' ?: M# P4 P& }[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
$ o* U5 ?" b' l* t2 l! e! X% }[kubelet-start] Starting the kubelet
9 b& U2 }, F  I[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
% b9 f# \2 V) p4 u3 T[apiclient] All control plane components are healthy after 17.005335 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster
" A' q3 p4 j: Q* ]( e[upload-certs] Skipping phase. Please see --upload-certs
0 v  E& A/ j+ {6 v+ P  C% _* o[mark-control-plane] Marking the node kubernetes-master as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
" C' T& `9 z! B7 |2 s[mark-control-plane] Marking the node kubernetes-master as control-plane by adding the taints [node-role.kubernetes.io/control-plane:NoSchedule]
, g! r) r) v& X2 m/ {# O& w! A[bootstrap-token] Using token: ajiqtj.xwpscuol7csse0d9
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
: a4 B( e. u8 |$ Q$ S[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
; J! U0 |# @0 X; E[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
8 f' v7 |8 L/ D3 ]$ d( t[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!
" u- E) F8 V$ A/ [
% I  {6 M# x8 D; X2 jTo start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
6 `  @; u$ a6 `. Q3 M' p* d4 ~, |5 I  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
& T$ ~. a3 ?' [/ \9 B3 F8 S6 T" r  sudo chown $(id -u):$(id -g) $HOME/.kube/config

5 h: D$ b7 y4 g: {; AAlternatively, if you are the root user, you can run:
9 J9 g2 P+ Y2 P& U, D
  export KUBECONFIG=/etc/kubernetes/admin.conf

) F# L" b2 f5 J5 i1 `. l/ R: a! KYou should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
! N  s- B+ u1 K! X/ W. N  https://kubernetes.io/docs/conce ... inistration/addons/

$ @- O8 m* o2 Y8 L5 i& OThen you can join any number of worker nodes by running the following on each as root:
  x% |# c, ]2 Q, A' a: _
# N& J. f* Q  z+ g/ Mkubeadm join 192.168.8.190:6443 --token ajiqtj.xwpscuol7csse0d9 \
        --discovery-token-ca-cert-hash sha256:87ab51d4f77f290e00c0060990eb5efa886752e39b2e74721d96d2c41bb92699
[root@kubernetes-master net]#

admin

# 安装ipset和ipvsadm
        yum install ipset ipvsadmin -y
# 添加需要加载的模块写入脚本文件
4 L8 m2 l" |' c2 k+ C- N% p+ t, Gcat <<EOF > /etc/sysconfig/modules/ipvs.modules
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
7 u0 ]: n( g5 [; ?% S6 [0 V2 nEOF
& s* t( Q2 g, H# x( x# 为脚本文件添加执行权限
1 K) J" a* l% a: g; s        chmod +x /etc/sysconfig/modules/ipvs.modules
# 执行脚本文件
( N0 S/ J# Q  c, p. ]" g         /bin/bash /etc/sysconfig/modules/ipvs.modules
, \2 Q+ p/ G4 Q5 L. P  w5 w# 查看对应的模块是否加载成功
        lsmod | grep -e ip_vs -e nf_conntrack_ipv4