kubernetes集群实施步骤k8s实施步骤

admin · 发表于 2024-9-17 10:35:55

kubernetes集群实施步骤k8s实施步骤

一：准备环境
服务器规划：
名称             ip地址
k8s-master    172.24.118.182
k8s-node1       172.24.118.183
k8s-node2       172.24.118.184

服务器要求：
最小建议硬件配置： 4C  8G  50G
服务器可以访问互联网，可以联网下载docker镜像

  软件环境：
   软件                            版本
操作系统                         CentOS7.9_x86_64
   docker                            22及以上 (CE)
   kubernetes                      1.28

二：初始化配置

##关闭selinux
sed -i 's/enforcing/disabled/' /etc/selinux/config       #永久修改

setenforce 0       #临时生效

关闭swap
  swapoff -a #临时关闭swap分区
  sed -ri  's/.*swap.*/#&/'  /etc/fstab       ##永久关闭。默认操作系统安装时不分配swap分区

根据规划设置主机名：
  主节点：

[root@test111 ~]# hostnamectl  set-hostname kubernetes-master

  从节点：
#hostnamectl set-hostname kubernetes-node1
#hostnamectl set-hostname kubernetes-node2

网络桥接数据包通过iptables处理，启用内核参数：

cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF

  或者使用sysctl.conf文件进行修改
sysctl -p ### sysctl.conf 文件生效
sysctl --system       #生效所有的内核参数文件

sysctl --system /etc/sysctl.d/k8s.conf

三、配置时间同步服务：
yum install -y chrony

  此处略过
主节点：
vim /etc/chrony.conf
server xxxx  iburst

allow  x.x.x.x/24

重启chronyd服务
即可

node节点：
vim /etc/chrony.conf
server xxxx  iburst

重启即可

确保时间同步即可

四、配置host域名解析

172.24.110.182 kubernetes-master
172.24.110.183 kubernetes-node1
172.24.110.184 kubernetes-node2

五、安装docker

wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
--2024-09-17 14:44:40--  https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
Resolving mirrors.aliyun.com (mirrors.aliyun.com)... 124.95.172.94, 124.95.172.91, 124.95.153.241, ...
Connecting to mirrors.aliyun.com (mirrors.aliyun.com)|124.95.172.94|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2081 (2.0K) [application/octet-stream]

Saving to: ‘/etc/yum.repos.d/docker-ce.repo’

100%[======================================================================================================================================================================================>] 2,081    --.-K/s in 0s

2024-09-17 14:44:40 (122 MB/s) - ‘/etc/yum.repos.d/docker-ce.repo’ saved [2081/2081]

[root@kubernetes-master ~]# yum install -y docker-ce
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.bfsu.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.tuna.tsinghua.edu.cn
docker-ce-stable                                                                                                                                                                                        | 3.5 kB  00:00:00
(1/2): docker-ce-stable/7/x86_64/updateinfo                                                                                                                                                             | 55 B  00:00:00
(2/2): docker-ce-stable/7/x86_64/primary_db                                                                                                                                                             | 152 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package docker-ce.x86_64 3:26.1.4-1.el7 will be installed
--> Processing Dependency: container-selinux >= 2:2.74 for package: 3:docker-ce-26.1.4-1.el7.x86_64
--> Processing Dependency: containerd.io >= 1.6.24 for package: 3:docker-ce-26.1.4-1.el7.x86_64
--> Processing Dependency: docker-ce-cli for package: 3:docker-ce-26.1.4-1.el7.x86_64
--> Processing Dependency: docker-ce-rootless-extras for package: 3:docker-ce-26.1.4-1.el7.x86_64
--> Running transaction check
---> Package container-selinux.noarch 2:2.119.2-1.911c772.el7_8 will be installed
---> Package containerd.io.x86_64 0:1.6.33-3.1.el7 will be installed
---> Package docker-ce-cli.x86_64 1:26.1.4-1.el7 will be installed
--> Processing Dependency: docker-buildx-plugin for package: 1:docker-ce-cli-26.1.4-1.el7.x86_64
--> Processing Dependency: docker-compose-plugin for package: 1:docker-ce-cli-26.1.4-1.el7.x86_64
---> Package docker-ce-rootless-extras.x86_64 0:26.1.4-1.el7 will be installed
--> Processing Dependency: fuse-overlayfs >= 0.7 for package: docker-ce-rootless-extras-26.1.4-1.el7.x86_64
--> Processing Dependency: slirp4netns >= 0.4 for package: docker-ce-rootless-extras-26.1.4-1.el7.x86_64
--> Running transaction check
---> Package docker-buildx-plugin.x86_64 0:0.14.1-1.el7 will be installed
---> Package docker-compose-plugin.x86_64 0:2.27.1-1.el7 will be installed
---> Package fuse-overlayfs.x86_64 0:0.7.2-6.el7_8 will be installed
--> Processing Dependency: libfuse3.so.3(FUSE_3.2)(64bit) for package: fuse-overlayfs-0.7.2-6.el7_8.x86_64
--> Processing Dependency: libfuse3.so.3(FUSE_3.0)(64bit) for package: fuse-overlayfs-0.7.2-6.el7_8.x86_64
--> Processing Dependency: libfuse3.so.3()(64bit) for package: fuse-overlayfs-0.7.2-6.el7_8.x86_64
---> Package slirp4netns.x86_64 0:0.4.3-4.el7_8 will be installed
--> Running transaction check
---> Package fuse3-libs.x86_64 0:3.6.1-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================================================================
Package                                                    Arch                                     Version                                                    Repository                                        Size
================================================================================================================================================================================================================================
Installing:
docker-ce                                                 x86_64                                  3:26.1.4-1.el7                                              docker-ce-stable                                  27 M
Installing for dependencies:
container-selinux                                           noarch                                  2:2.119.2-1.911c772.el7_8                                  extras                                              40 k
containerd.io                                              x86_64                                  1.6.33-3.1.el7                                              docker-ce-stable                                  35 M
docker-buildx-plugin                                        x86_64                                  0.14.1-1.el7                                                 docker-ce-stable                                  14 M
docker-ce-cli                                              x86_64                                  1:26.1.4-1.el7                                              docker-ce-stable                                  15 M
docker-ce-rootless-extras                                  x86_64                                  26.1.4-1.el7                                                 docker-ce-stable                                  9.4 M
docker-compose-plugin                                     x86_64                                  2.27.1-1.el7                                                 docker-ce-stable                                  13 M
fuse-overlayfs                                              x86_64                                  0.7.2-6.el7_8                                              extras                                              54 k
fuse3-libs                                                 x86_64                                  3.6.1-4.el7                                                 extras                                              82 k
slirp4netns                                                 x86_64                                  0.4.3-4.el7_8                                              extras                                              81 k

Transaction Summary
================================================================================================================================================================================================================================
Install  1 Package (+9 Dependent packages)

Total download size: 114 M
Installed size: 401 M
Downloading packages:
(1/10): container-selinux-2.119.2-1.911c772.el7_8.noarch.rpm                                                                                                                                           |  40 kB  00:00:00
warning: /var/cache/yum/x86_64/7/docker-ce-stable/packages/docker-buildx-plugin-0.14.1-1.el7.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID 621e9f35: NOKEY                            ] 3.1 MB/s |  26 MB  00:00:28 ETA
Public key for docker-buildx-plugin-0.14.1-1.el7.x86_64.rpm is not installed
(2/10): docker-buildx-plugin-0.14.1-1.el7.x86_64.rpm                                                                                                                                                    |  14 MB  00:00:07
(3/10): containerd.io-1.6.33-3.1.el7.x86_64.rpm                                                                                                                                                       |  35 MB  00:00:19
(4/10): docker-ce-26.1.4-1.el7.x86_64.rpm                                                                                                                                                             |  27 MB  00:00:14
(5/10): docker-ce-cli-26.1.4-1.el7.x86_64.rpm                                                                                                                                                          |  15 MB  00:00:07
(6/10): docker-ce-rootless-extras-26.1.4-1.el7.x86_64.rpm                                                                                                                                              | 9.4 MB  00:00:04
(7/10): fuse-overlayfs-0.7.2-6.el7_8.x86_64.rpm                                                                                                                                                       |  54 kB  00:00:00
(8/10): fuse3-libs-3.6.1-4.el7.x86_64.rpm                                                                                                                                                             |  82 kB  00:00:00
(9/10): slirp4netns-0.4.3-4.el7_8.x86_64.rpm                                                                                                                                                          |  81 kB  00:00:00
(10/10): docker-compose-plugin-2.27.1-1.el7.x86_64.rpm                                                                                                                                                 |  13 MB  00:00:03
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                        3.9 MB/s | 114 MB  00:00:29
Retrieving key from https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
Importing GPG key 0x621E9F35:
Userid    : "Docker Release (CE rpm) <docker@docker.com>"
Fingerprint: 060a 61c5 1b55 8a7f 742b 77aa c52f eb6b 621e 9f35
From    : https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 2:container-selinux-2.119.2-1.911c772.el7_8.noarch                                                                                                                                                       1/10
setsebool:  SELinux is disabled.
  Installing : containerd.io-1.6.33-3.1.el7.x86_64                                                                                                                                                                      2/10
  Installing : docker-buildx-plugin-0.14.1-1.el7.x86_64                                                                                                                                                                   3/10
  Installing : slirp4netns-0.4.3-4.el7_8.x86_64                                                                                                                                                                         4/10
  Installing : fuse3-libs-3.6.1-4.el7.x86_64                                                                                                                                                                            5/10
  Installing : fuse-overlayfs-0.7.2-6.el7_8.x86_64                                                                                                                                                                      6/10
  Installing : docker-compose-plugin-2.27.1-1.el7.x86_64                                                                                                                                                                7/10
  Installing : 1:docker-ce-cli-26.1.4-1.el7.x86_64                                                                                                                                                                      8/10
  Installing : docker-ce-rootless-extras-26.1.4-1.el7.x86_64                                                                                                                                                             9/10
  Installing : 3:docker-ce-26.1.4-1.el7.x86_64                                                                                                                                                                         10/10
  Verifying  : docker-compose-plugin-2.27.1-1.el7.x86_64                                                                                                                                                                1/10
  Verifying  : fuse3-libs-3.6.1-4.el7.x86_64                                                                                                                                                                            2/10
  Verifying  : fuse-overlayfs-0.7.2-6.el7_8.x86_64                                                                                                                                                                      3/10
  Verifying  : slirp4netns-0.4.3-4.el7_8.x86_64                                                                                                                                                                         4/10
  Verifying  : 2:container-selinux-2.119.2-1.911c772.el7_8.noarch                                                                                                                                                       5/10
  Verifying  : containerd.io-1.6.33-3.1.el7.x86_64                                                                                                                                                                      6/10
  Verifying  : 3:docker-ce-26.1.4-1.el7.x86_64                                                                                                                                                                            7/10
  Verifying  : 1:docker-ce-cli-26.1.4-1.el7.x86_64                                                                                                                                                                      8/10
  Verifying  : docker-ce-rootless-extras-26.1.4-1.el7.x86_64                                                                                                                                                             9/10
  Verifying  : docker-buildx-plugin-0.14.1-1.el7.x86_64                                                                                                                                                                10/10

Installed:
  docker-ce.x86_64 3:26.1.4-1.el7

Dependency Installed:
  container-selinux.noarch 2:2.119.2-1.911c772.el7_8  containerd.io.x86_64 0:1.6.33-3.1.el7  docker-buildx-plugin.x86_64 0:0.14.1-1.el7  docker-ce-cli.x86_64 1:26.1.4-1.el7  docker-ce-rootless-extras.x86_64 0:26.1.4-1.el7
  docker-compose-plugin.x86_64 0:2.27.1-1.el7       fuse-overlayfs.x86_64 0:0.7.2-6.el7_8  fuse3-libs.x86_64 0:3.6.1-4.el7          slirp4netns.x86_64 0:0.4.3-4.el7_8

Complete!
[root@kubernetes-master ~]# systemctl enable docker.service ;systemctl start docker.service
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@kubernetes-master ~]# cat > /etc/docker/daemon.json  <<EOF
{
"registry-mirrors": ["https://q9n10oke.mirror.aliyuncs.com","https://registry.docker-cn.com","http://hub-mirror.c.163.com","https://docker.m.daocloud.io"],
"insecure-registries": ["8.141.94.237:5000"]
}
EOF
[root@kubernetes-master ~]# vim /etc/docker/daemon.json
[root@kubernetes-master ~]# systemctl restart docker.s
docker.service  docker.socket
[root@kubernetes-master ~]# systemctl restart docker.service
[root@kubernetes-master ~]# docker info
Client: Docker Engine - Community
Version: 26.1.4
Context: default
Debug Mode: false
Plugins:
  buildx: Docker Buildx (Docker Inc.)
Version:  v0.14.1
Path:    /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
Version:  v2.27.1
Path:    /usr/libexec/docker/cli-plugins/docker-compose

Server:
Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
Images: 0
Server Version: 26.1.4
Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 1
Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d2d58213f83a351ca8f528a95fbd145f5654e957
runc version: v1.1.12-0-g51d5e94
init version: de40ad0
Security Options:
  seccomp
Profile: builtin
Kernel Version: 3.10.0-1160.24.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.7GiB
Name: kubernetes-master
ID: 7a997224-186c-4ccb-a45b-e0f1ed3e65e3
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
  8.141.94.237:5000
  127.0.0.0/8
Registry Mirrors:
  https://q9n10oke.mirror.aliyuncs.com/
  https://registry.docker-cn.com/
  http://hub-mirror.c.163.com/
  https://docker.m.daocloud.io/
Live Restore Enabled: false

node节点也同样方式安装，步骤略。

六、安装cri-dockerd （Docker与kubernetes通信的中间程序）所有节点都安装：

# wget https://github.com/Mirantis/cri- ... .2-3.el7.x86_64.rpm
--2024-09-17 15:04:04--  https://github.com/Mirantis/cri- ... .2-3.el7.x86_64.rpm
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubuserconten ... tion%2Foctet-stream [following]
--2024-09-17 15:04:05--  https://objects.githubuserconten ... tion%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9642368 (9.2M) [application/octet-stream]
Saving to: ‘cri-dockerd-0.3.2-3.el7.x86_64.rpm’

100%[======================================================================================================================================================================================>] 9,642,368 7.33MB/s in 1.3s

2024-09-17 15:04:07 (7.33 MB/s) - ‘cri-dockerd-0.3.2-3.el7.x86_64.rpm’ saved [9642368/9642368]

安装：

rpm -ivh cri-dockerd-0.3.2-3.el7.x86_64.rpm
Preparing...                         ################################# [100%]
Updating / installing...
1:cri-dockerd-3:0.3.2-3.el7       ################################# [100%]

配置参数：
指定docker依赖镜像地址为国内镜像地址：

vim /usr/lib/systemd/system/cri-docker.service

ExecStart=/usr/bin/cri-dockerd --container-runtime-endpoint fd:// --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9

系统默认systemd重新加载：

systemctl daemon-reload

添加开机启动，并启动cri-docker 服务：

systemctl enable cri-docker.service && systemctl start cri-docker.service
Created symlink from /etc/systemd/system/multi-user.target.wants/cri-docker.service to /usr/lib/systemd/system/cri-docker.service.

七、部署kubernetes

kubeadm

kubeadm 是官方社区推出的一个用于快速部署kubernetes 集群的工具，这个工具通过kubeadm init和kubeadm join两条指令快速搭建kubernetes集群。

kubectl

kubectl 是kubernetes集群的命令行管理工具，除此之外还可以通过kubernetes-dashboard管理kubernetes集群。

kubelet

Kubelet 是 Master 节点安插在 Node 节点上的“眼线”，kubernetes通过kubelet来管理worker节点；在 Kubernetes 集群中，在每个 Node 上都会启动一个 kubelet 服务进程。该进程用于处理 Master 下发到本节点的任务，定期向 Master 汇报节点资源的使用情况，管理 Pod 及 Pod 中的容器。

配置yum源：

cat > /etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
EOF

安装kubeadm、kubelet和kubectl （所有节点）
yum install -y kubelet-1.28.2 kubeadm-1.28.2 kubectl-1.28.2

Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.huaweicloud.com
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.tuna.tsinghua.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package kubeadm.x86_64 0:1.28.0-0 will be updated
---> Package kubeadm.x86_64 0:1.28.2-0 will be an update
---> Package kubectl.x86_64 0:1.28.0-0 will be updated
---> Package kubectl.x86_64 0:1.28.2-0 will be an update
---> Package kubelet.x86_64 0:1.28.0-0 will be updated
---> Package kubelet.x86_64 0:1.28.2-0 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================================================================
Package                                           Arch                                              Version                                              Repository                                              Size
================================================================================================================================================================================================================================
Updating:
kubeadm                                           x86_64                                           1.28.2-0                                              kubernetes                                              11 M
kubectl                                           x86_64                                           1.28.2-0                                              kubernetes                                              11 M
kubelet                                           x86_64                                           1.28.2-0                                              kubernetes                                              21 M

Transaction Summary
================================================================================================================================================================================================================================
Upgrade  3 Packages

Total download size: 43 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): a24e42254b5a14b67b58c4633d29c27370c28ed6796a80c455a65acc813ff374-kubectl-1.28.2-0.x86_64.rpm                                                                                                    |  11 MB  00:00:05
(2/3): cee73f8035d734e86f722f77f1bf4e7d643e78d36646fd000148deb8af98b61c-kubeadm-1.28.2-0.x86_64.rpm                                                                                                    |  11 MB  00:00:05
(3/3): e1cae938e231bffa3618f5934a096bd85372ee9b1293081f5682a22fe873add8-kubelet-1.28.2-0.x86_64.rpm                                                                                                    |  21 MB  00:00:05
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                        3.8 MB/s |  43 MB  00:00:11
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating : kubelet-1.28.2-0.x86_64                                                                                                                                                                                     1/6
  Updating : kubectl-1.28.2-0.x86_64                                                                                                                                                                                     2/6
  Updating : kubeadm-1.28.2-0.x86_64                                                                                                                                                                                     3/6
  Cleanup : kubeadm-1.28.0-0.x86_64                                                                                                                                                                                     4/6
  Cleanup : kubectl-1.28.0-0.x86_64                                                                                                                                                                                     5/6
  Cleanup : kubelet-1.28.0-0.x86_64                                                                                                                                                                                     6/6
  Verifying  : kubectl-1.28.2-0.x86_64                                                                                                                                                                                     1/6
  Verifying  : kubelet-1.28.2-0.x86_64                                                                                                                                                                                     2/6
  Verifying  : kubeadm-1.28.2-0.x86_64                                                                                                                                                                                     3/6
  Verifying  : kubectl-1.28.0-0.x86_64                                                                                                                                                                                     4/6
  Verifying  : kubeadm-1.28.0-0.x86_64                                                                                                                                                                                     5/6
  Verifying  : kubelet-1.28.0-0.x86_64                                                                                                                                                                                     6/6

Updated:
  kubeadm.x86_64 0:1.28.2-0                                              kubectl.x86_64 0:1.28.2-0                                              kubelet.x86_64 0:1.28.2-0

Complete!

添加开机启动：

systemctl enable kubelet.service

查看需要的镜像：

[root@kubernetes-master ~]# kubeadm config images list
I0918 14:09:39.041429 30436 version.go:256] remote version is much newer: v1.31.0; falling back to: stable-1.28
registry.k8s.io/kube-apiserver:v1.28.14
registry.k8s.io/kube-controller-manager:v1.28.14
registry.k8s.io/kube-scheduler:v1.28.14
registry.k8s.io/kube-proxy:v1.28.14
registry.k8s.io/pause:3.9
registry.k8s.io/etcd:3.5.9-0
registry.k8s.io/coredns/coredns:v1.10.1

八、部署集群，初始化kubernetes集群
初始化kubernetes

# 执行 kubeadm  init 命令

初始化完成后，根据提示信息，拷贝kubectl 工具认证到指定或者默认路劲
--kubernetes-version=1.28
指定要安装的 Kubernetes 版本。
--apiserver-advertise-address=x.x.x.x
指定集群master节点的IP地址，即apiserver所在节点的地址，并告知其他组件、节点apiserver在哪。
--image-repository registry.aliyuncs.com/google_containers
指定用于 Kubernetes 组件的容器镜像仓库。
--service-cidr=10.10.0.0/16
指定 Kubernetes service的IP地址范围。
--pod-network-cidr=10.122.0.0/16
指定 Kubernetes Pod的IP地址范围。
总的来说，这个命令将初始化一个版本号为1.28的kubernetes集群，并将172.31.246.16用作master节点，同时指定service和pod的IP地址范围。

在主节点上执行初始化
kubeadm init --apiserver-advertise-address=172.24.110.182 --node-name=kubernetes-master  --image-repository registry.aliyuncs.com/google_containers  --kubernetes-version v1.28.2 --service-cidr=100.177.100.0/12 --pod-network-cidr=100.233.0.0/16  --cri-socket=unix:///var/run/cri-dockerd.sock

示例：

[root@kubernetes-master ~]# kubeadm init --apiserver-advertise-address=172.24.110.182 --node-name=kubernetes-master  --image-repository registry.aliyuncs.com/google_containers  --kubernetes-version v1.28.2 --service-cidr=100.177.100.0/12 --pod-network-cidr=100.233.0.0/16  --cri-socket=unix:///var/run/cri-dockerd.sock
[init] Using Kubernetes version: v1.28.2
[preflight] Running pre-flight checks
      [WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service'
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'

[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [kubernetes kubernetes-master kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [100.176.0.1 172.24.110.182]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [kubernetes-master localhost] and IPs [172.24.110.182 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [kubernetes-master localhost] and IPs [172.24.110.182 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 10.505264 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node kubernetes-master as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node kubernetes-master as control-plane by adding the taints [node-role.kubernetes.io/control-plane:NoSchedule]
[bootstrap-token] Using token: 0fqjub.taqnhr1lskcovh7d
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/conce ... inistration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 172.24.110.182:6443 --token 0fqjub.taqnhr1lskcovh7d \
      --discovery-token-ca-cert-hash sha256:09fc462e6d431bb00515cb001ebc5791f6197cf22d49a940000eb96c8d4085dd

初始化完成。

相关镜像：

# docker images
REPOSITORY                                                       TAG    IMAGE ID    CREATED       SIZE
registry.aliyuncs.com/google_containers/kube-apiserver          v1.28.0 bb5e0dde9054 13 months ago 126MB
registry.aliyuncs.com/google_containers/kube-controller-manager v1.28.0 4be79c38a4ba 13 months ago 122MB
registry.aliyuncs.com/google_containers/kube-scheduler          v1.28.0 f6f496300a2a 13 months ago 60.1MB
registry.aliyuncs.com/google_containers/kube-proxy             v1.28.0 ea1030da44aa 13 months ago 73.1MB
registry.aliyuncs.com/google_containers/etcd                   3.5.9-0 73deb9a3f702 16 months ago 294MB
registry.aliyuncs.com/google_containers/coredns                v1.10.1 ead0a4a53df8 19 months ago 53.6MB
registry.aliyuncs.com/google_containers/pause                   3.9    e6f181688397 23 months ago 744kB

master节点配置:
检查kubectl版本：

# kubectl version --client

Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3

# 初始化成功后运行下面的命令
mkdir -p $HOME/.kube

cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

chown $(id -u):$(id -g) $HOME/.kube/config

查看kubectl查看状态：

[root@kubernetes-master ~]# kubectl get node
NAME             STATUS    ROLES          AGE VERSION
kubernetes-master NotReady control-plane 19m v1.28.2

注：因为网络插件还没有部署，节点会处于"NotReady"状态。

查看kubernetes依赖的镜像

[root@kubernetes-master ~]# kubeadm config images list
I0917 15:50:35.949562 30410 version.go:256] remote version is much newer: v1.31.0; falling back to: stable-1.28
registry.k8s.io/kube-apiserver:v1.28.14
registry.k8s.io/kube-controller-manager:v1.28.14
registry.k8s.io/kube-scheduler:v1.28.14
registry.k8s.io/kube-proxy:v1.28.14
registry.k8s.io/pause:3.9
registry.k8s.io/etcd:3.5.9-0
registry.k8s.io/coredns/coredns:v1.10.1

# master节点执行配置文件的复制（为了在node节点可以使用kubectl相关命令）
      scp /etc/kubernetes/admin.conf 192.168.8.190:/etc/kubernetes/
      scp /etc/kubernetes/admin.conf 192.168.8.191:/etc/kubernetes/
      scp /etc/kubernetes/admin.conf 192.168.8.192:/etc/kubernetes/
为保持权限正常，可以通过rsync的方式同步

[root@kubernetes-master ~]# rsync -avzP -e 'ssh -p 22' /etc/kubernetes/admin.conf root@172.24.110.183:/etc/kubernetes/
ssh: connect to host 172.24.110.183 port 22: Connection refused
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(226) [sender=3.1.2]
[root@kubernetes-master ~]# rsync -avzP -e 'ssh -p 60028' /etc/kubernetes/admin.conf root@172.24.110.183:/etc/kubernetes/
The authenticity of host '[172.24.110.183]:60028 ([172.24.110.183]:60028)' can't be established.
ECDSA key fingerprint is SHA256:Tvzi0ICzurMYEPySzerkOmwk/o7XHxmABVKRigofHzg.
ECDSA key fingerprint is MD5:f0:92:26:fd:da:d3:e4:db:be:36:b1:fe:d6:2b:65:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.24.110.183]:60028' (ECDSA) to the list of known hosts.
root@172.24.110.183's password:
sending incremental file list
admin.conf
      5,646 100% 0.00kB/s 0:00:00 (xfr#1, to-chk=0/1)

sent 3,920 bytes  received 35 bytes  168.30 bytes/sec
total size is 5,646  speedup is 1.43
[root@kubernetes-master ~]# rsync -avzP -e 'ssh -p 60028' /etc/kubernetes/admin.conf root@172.24.110.184:/etc/kubernetes/
The authenticity of host '[172.24.110.184]:60028 ([172.24.110.184]:60028)' can't be established.
ECDSA key fingerprint is SHA256:Tvzi0ICzurMYEPySzerkOmwk/o7XHxmABVKRigofHzg.
ECDSA key fingerprint is MD5:f0:92:26:fd:da:d3:e4:db:be:36:b1:fe:d6:2b:65:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.24.110.184]:60028' (ECDSA) to the list of known hosts.
root@172.24.110.184's password:
sending incremental file list
admin.conf
      5,646 100% 0.00kB/s 0:00:00 (xfr#1, to-chk=0/1)

sent 3,920 bytes  received 35 bytes  878.89 bytes/sec
total size is 5,646  speedup is 1.43

将node节点加入集群（去node节点执行）：
执行上述输出命 kubeadm join 命令，将该节点加入到kubernetes集群中：

kubeadm join 172.24.110.182:6443 --token 0fqjub.taqnhr1lskcovh7d  --discovery-token-ca-cert-hash sha256:09fc462e6d431bb00515cb001ebc5791f6197cf22d49a940000eb96c8d4085dd  --cri-socket=unix:///var/run/cri-dockerd.sock

重新生成token值：

[root@kubernetes-master ~]# kubeadm token list
TOKEN                   TTL       EXPIRES             USAGES                DESCRIPTION                                              EXTRA GROUPS
0fqjub.taqnhr1lskcovh7d 23h       2024-09-18T07:21:06Z authentication,signing The default bootstrap token generated by 'kubeadm init'. system:bootstrappers:kubeadm:default-node-token
[root@kubernetes-master ~]# kubeadm token delete 0fqjub.taqnhr1lskcovh7d
bootstrap token "0fqjub" deleted

[root@kubernetes-master ~]# kubeadm token list

创建一个十年的token
[root@kubernetes-master ~]# kubeadm token create --ttl 36500h
pllb0d.eyjtekjjc542k16c
创建一个5年的token
[root@kubernetes-master ~]# kubeadm token create --ttl 18250h
gpz9o9.terifm9742ermj6e

创建一个永久的token

[root@kubernetes-master ~]# kubeadm token create --ttl 0
nt8qzn.bb4tm414rnww2mt2

删除一个token：

[root@kubernetes-master ~]# kubeadm token list
TOKEN                   TTL       EXPIRES             USAGES                DESCRIPTION                                              EXTRA GROUPS
gpz9o9.terifm9742ermj6e 2y       2026-10-17T18:11:13Z authentication,signing <none>                                                    system:bootstrappers:kubeadm:default-node-token
nt8qzn.bb4tm414rnww2mt2 <forever> <never> authentication,signing <none>                                                    system:bootstrappers:kubeadm:default-node-token
pllb0d.eyjtekjjc542k16c 4y       2028-11-16T04:10:37Z authentication,signing <none>                                                    system:bootstrappers:kubeadm:default-node-token
[root@kubernetes-master ~]# kubeadm token delete nt8qzn.bb4tm414rnww2mt2
bootstrap token "nt8qzn" deleted

获取 CA 证书 Hash 值

[root@kubernetes-master ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
09fc462e6d431bb00515cb001ebc5791f6197cf22d49a940000eb96c8d4085dd

或者这样生成也可以：

[root@kubernetes-master ~]# kubeadm token create --ttl 18250h --print-join-command
kubeadm join 172.24.110.182:6443 --token 1kis96.cklh7okui7j4fcr0 --discovery-token-ca-cert-hash sha256:09fc462e6d431bb00515cb001ebc5791f6197cf22d49a940000eb96c8d4085dd

正式执行加入其他节点，按照上面的返回结果执行时添加 --cri-socket=unix:///var/run/cri-dockerd.sock 　参数即可：
　kubeadm join 172.24.110.182:6443 --token 1kis96.cklh7okui7j4fcr0 --discovery-token-ca-cert-hash sha256:09fc462e6d431bb00515cb001ebc5791f6197cf22d49a940000eb96c8d4085dd  --cri-socket=unix:///var/run/cri-dockerd.sock

示例如下：

[root@kubernetes-node1 ~]# kubeadm join 172.24.110.182:6443 --token 1kis96.cklh7okui7j4fcr0 --discovery-token-ca-cert-hash sha256:09fc462e6d431bb00515cb001ebc5791f6197cf22d49a940000eb96c8d4085dd  --cri-socket=unix:///var/run/cri-dockerd.sock
[preflight] Running pre-flight checks
      [WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service'
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

其他节点一样的执行，略。

检查节点运行：

[root@kubernetes-master ~]# kubectl get nodes
NAME             STATUS    ROLES          AGE VERSION
kubernetes-master NotReady control-plane 59m v1.28.2
kubernetes-node1 NotReady <none>       78s v1.28.2
kubernetes-node2 NotReady <none>       69s v1.28.2

注：因为网络插件还没有部署，节点会处于"NotReady"状态。

查看ｐｏｄ运行状态：

[root@kubernetes-master ~]# kubectl get pods -A
NAMESPACE    NAME                                     READY STATUS RESTARTS AGE
kube-system coredns-66f779496c-cqf5k                   0/1    Pending 0       60m
kube-system coredns-66f779496c-lnxt4                   0/1    Pending 0       60m
kube-system etcd-kubernetes-master                   1/1    Running 0       60m
kube-system kube-apiserver-kubernetes-master          1/1    Running 0       60m
kube-system kube-controller-manager-kubernetes-master 1/1    Running 0       60m
kube-system kube-proxy-676dx                         1/1    Running 0       2m37s
kube-system kube-proxy-kkt8g                         1/1    Running 0       60m
kube-system kube-proxy-qgpbt                         1/1    Running 0       2m46s
kube-system kube-scheduler-kubernetes-master          1/1    Running 0       60m

安装网络组件:

不建议安装kube-flannel的，安装calico.yaml

[root@kubernetes-master ~]# wget https://github.com/flannel-io/fl ... .2/kube-flannel.yml
--2024-09-17 16:27:41--  https://github.com/flannel-io/fl ... .2/kube-flannel.yml
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubuserconten ... tion%2Foctet-stream [following]
--2024-09-17 16:27:42--  https://objects.githubuserconten ... tion%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4459 (4.4K) [application/octet-stream]
Saving to: ‘kube-flannel.yml’

100%[======================================================================================================================================================================================>] 4,459    --.-K/s in 0s

2024-09-17 16:27:42 (17.4 MB/s) - ‘kube-flannel.yml’ saved [4459/4459]

执行安装（master节点）：

[root@kubernetes-master ~]#  kubectl apply -f calico.yaml
namespace/kube-flannel created
serviceaccount/flannel created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
configmap/kube-flannel-cfg created
daemonset.apps/kube-flannel-ds created
[root@kubernetes-master ~]#

再次检查pod状态

[root@kubernetes-master ~]# kubeadm token list
TOKEN                   TTL       EXPIRES             USAGES                DESCRIPTION                                              EXTRA GROUPS
1kis96.cklh7okui7j4fcr0 2y       2026-10-17T18:16:02Z authentication,signing <none>                                                    system:bootstrappers:kubeadm:default-node-token
[root@kubernetes-master ~]#  kubectl get node
NAME             STATUS ROLES          AGE VERSION
kubernetes-master Ready control-plane 72m v1.28.2
kubernetes-node1 Ready <none>       14m v1.28.2
kubernetes-node2 Ready <none>       14m v1.28.2
[root@kubernetes-master ~]#  kubectl get pod -A
NAMESPACE    NAME                                     READY STATUS             RESTARTS AGE
kube-flannel kube-flannel-ds-k6mpb                      0/1    Init:0/2          0       45s
kube-flannel kube-flannel-ds-l68ft                      0/1    Init:1/2          0       45s
kube-flannel kube-flannel-ds-th9kz                      0/1    Init:1/2          0       45s
kube-system coredns-66f779496c-cqf5k                   0/1    ContainerCreating 0       72m
kube-system coredns-66f779496c-lnxt4                   0/1    ContainerCreating 0       72m
kube-system etcd-kubernetes-master                   1/1    Running          0       72m
kube-system kube-apiserver-kubernetes-master          1/1    Running          0       72m
kube-system kube-controller-manager-kubernetes-master 1/1    Running          0       72m
kube-system kube-proxy-676dx                         1/1    Running          0       14m
kube-system kube-proxy-kkt8g                         1/1    Running          0       72m
kube-system kube-proxy-qgpbt                         1/1    Running          0       14m
kube-system kube-scheduler-kubernetes-master          1/1    Running          0       72m

注：

   #worker节点是无法运行kubectl命令的，因为worker节点没有admin.conf文件
   #若需在worker节点使用kubectl命令，需要将admin.conf配置文件拷贝到worker节点，再执行以下命令：
   scp root@master:/etc/kubernetes/admin.conf /etc/kubernetes/
   echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> /etc/profile

安装kubernetes-dashboard(master)

[root@kubernetes-master ~]# wget  https://raw.githubusercontent.co ... oy/recommended.yaml
--2024-09-18 14:34:55--  https://raw.githubusercontent.co ... oy/recommended.yaml
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7621 (7.4K) [text/plain]
Saving to: ‘recommended.yaml’

100%[======================================================================================================================================================================================>] 7,621    --.-K/s in 0.001s

2024-09-18 14:34:55 (11.2 MB/s) - ‘recommended.yaml’ saved [7621/7621]

[root@kubernetes-master ~]# ls
calico.yaml  cri-dockerd-0.3.2-3.el7.x86_64.rpm  kube-flannel.yml  qemu-guest-agent-1.5.3-ksyun.x86_64.rpm  recommended.yaml  sudo-1.9.5-3.el7.x86_64.rpm

[url=]recommended.yaml[/url]

#编辑recommended.yaml,找到service段落，做如下修改
#在service里添加nodeport，这样可以通过 <主机ip+port> 来访问dashboard
vim recommended.yaml

kind: Service
apiVersion: v1
metadata:
  labels:
k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort  #增加此行，指定service类型为NodePort
  ports:
- port: 443
   targetPort: 8443
    nodePort: 32333 #增加此行，指定绑定的node的端口(默认的取值范围是：30000-32767), 如果不指定，会默认分配
  selector:
k8s-app: kubernetes-dashboard

#创建danshboard
kubectl create -f recommended.yaml

[root@kubernetes-master ~]# kubectl create -f recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created

#查看所有pod
kubectl get pods --all-namespaces
[root@kubernetes-master ~]# kubectl get pods --all-namespaces
NAMESPACE             NAME                                        READY STATUS             RESTARTS       AGE
kube-flannel          kube-flannel-ds-k6mpb                      0/1    CrashLoopBackOff 263 (118s ago) 22h
kube-flannel          kube-flannel-ds-l68ft                      0/1    CrashLoopBackOff 263 (100s ago) 22h
kube-flannel          kube-flannel-ds-th9kz                      0/1    CrashLoopBackOff 262 (4m ago)    22h
kube-system          calico-kube-controllers-7d64c8fdd5-c8klr    1/1    Running          0             24m
kube-system          calico-node-574ht                         1/1    Running          0             24m
kube-system          calico-node-mgn28                         1/1    Running          0             24m
kube-system          calico-node-nglnx                         1/1    Running          0             24m
kube-system          coredns-66f779496c-cqf5k                   1/1    Running          0             23h
kube-system          coredns-66f779496c-lnxt4                   1/1    Running          0             23h
kube-system          etcd-kubernetes-master                      1/1    Running          0             23h
kube-system          kube-apiserver-kubernetes-master          1/1    Running          1 (12h ago)    23h
kube-system          kube-controller-manager-kubernetes-master 1/1    Running          15             23h
kube-system          kube-proxy-676dx                            1/1    Running          0             22h
kube-system          kube-proxy-kkt8g                            1/1    Running          0             23h
kube-system          kube-proxy-qgpbt                            1/1    Running          0             22h
kube-system          kube-scheduler-kubernetes-master          1/1    Running          16             23h
kubernetes-dashboard dashboard-metrics-scraper-5657497c4c-bggwp 0/1    ContainerCreating 0             23s
kubernetes-dashboard kubernetes-dashboard-746fbfd67c-8xbmk       0/1    ContainerCreating 0             23s

检查kubernets-dashboard状态：

[root@kubernetes-master ~]# kubectl get pod -n kubernetes-dashboard
NAME                                        READY STATUS             RESTARTS AGE
dashboard-metrics-scraper-5657497c4c-bggwp 0/1    ImagePullBackOff 0       2m36s
kubernetes-dashboard-746fbfd67c-8xbmk       0/1    ContainerCreating 0       2m36s

ImagePullBackOff问题解决方案
#查看该pod的详细信息

查看该pod的详细信息

[root@kubernetes-master ~]# kubectl describe pod/kubernetes-dashboard-746fbfd67c-8xbmk --namespace=kubernetes-dashboard
Name:          kubernetes-dashboard-746fbfd67c-8xbmk
Namespace:       kubernetes-dashboard
Priority:       0
Service Account:  kubernetes-dashboard
Node:          kubernetes-node1/172.24.110.183
Start Time:    Wed, 18 Sep 2024 14:45:16 +0800
Labels:          k8s-app=kubernetes-dashboard
               pod-template-hash=746fbfd67c
Annotations:    cni.projectcalico.org/containerID: 7651e89375fa07f03a7594f82dc3c5a14b4fb63afb6f85006dc7f1d5464ff625
               cni.projectcalico.org/podIP: 100.233.129.65/32
               cni.projectcalico.org/podIPs: 100.233.129.65/32
Status:          Pending
SeccompProfile: RuntimeDefault
IP:             100.233.129.65
IPs:
  IP:          100.233.129.65
Controlled By:  ReplicaSet/kubernetes-dashboard-746fbfd67c
Containers:
  kubernetes-dashboard:
Container ID:
Image:       kubernetesui/dashboard:v2.6.1
Image ID:
Port:       8443/TCP
Host Port:    0/TCP
Args:
   --auto-generate-certificates
   --namespace=kubernetes-dashboard
State:       Waiting
   Reason:    ImagePullBackOff
Ready:       False
Restart Count:  0
Liveness:    http-get https://:8443/ delay=30s timeout=30s period=10s #success=1 #failure=3
Environment: <none>
Mounts:
   /certs from kubernetes-dashboard-certs (rw)
   /tmp from tmp-volume (rw)
   /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-r9w2d (ro)
Conditions:
  Type             Status
  Initialized    True
  Ready          False
  ContainersReady False
  PodScheduled    True
Volumes:
  kubernetes-dashboard-certs:
Type:       Secret (a volume populated by a Secret)
SecretName:  kubernetes-dashboard-certs
Optional: false
  tmp-volume:
Type:    EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
SizeLimit:  <unset>
  kube-api-access-r9w2d:
Type:                   Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds:  3607
ConfigMapName:          kube-root-ca.crt
ConfigMapOptional:    <nil>
DownwardAPI:          true
QoS Class:                BestEffort
Node-Selectors:             kubernetes.io/os=linux
Tolerations:                node-role.kubernetes.io/master:NoSchedule
                           node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                           node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason    Age                From             Message
  ----    ------    ----                ----             -------
  Normal Scheduled  8m43s             default-scheduler  Successfully assigned kubernetes-dashboard/kubernetes-dashboard-746fbfd67c-8xbmk to kubernetes-node1
  Warning  Failed    34s (x2 over 5m55s)  kubelet          Failed to pull image "kubernetesui/dashboard:v2.6.1": rpc error: code = Canceled desc = context canceled
  Warning  Failed    34s (x2 over 5m55s)  kubelet          Error: ErrImagePull
  Normal BackOff 21s (x2 over 5m55s)  kubelet          Back-off pulling image "kubernetesui/dashboard:v2.6.1"
  Warning  Failed    21s (x2 over 5m55s)  kubelet          Error: ImagePullBackOff
  Normal Pulling 6s (x3 over 8m42s) kubelet          Pulling image "kubernetesui/dashboard:v2.6.1"

通过上述命令可以得到如下信息，其中有两个重要信息：

拉取失败的镜像为：kubernetesui/dashboard:v2.6.1

手动拉取镜像：

[root@kubernetes-master ~]# docker pull kubernetesui/dashboard:v2.6.1
v2.6.1: Pulling from kubernetesui/dashboard
596ae5b8318a: Pulling fs layer
596ae5b8318a: Pull complete
b721c920bca6: Pull complete
Digest: sha256:290bebc3cd96c22b6f89e7b21f5c2b16ce5c275a0ec2c2de10e0d8b9dd110289
Status: Downloaded newer image for kubernetesui/dashboard:v2.6.1
docker.io/kubernetesui/dashboard:v2.6.1

#打包镜像
docker save -o k8s-dashboard.tar kubernetesui/dashboard:v2.6.1

不再使用create ，而是使用apply更新：

[root@kubernetes-master ~]# kubectl apply -f recommended.yaml

Warning: resource namespaces/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
namespace/kubernetes-dashboard configured
Warning: resource serviceaccounts/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
serviceaccount/kubernetes-dashboard configured
Warning: resource services/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
service/kubernetes-dashboard configured
Warning: resource secrets/kubernetes-dashboard-certs is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
secret/kubernetes-dashboard-certs configured
Warning: resource secrets/kubernetes-dashboard-csrf is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
secret/kubernetes-dashboard-csrf configured
Warning: resource secrets/kubernetes-dashboard-key-holder is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
secret/kubernetes-dashboard-key-holder configured
Warning: resource configmaps/kubernetes-dashboard-settings is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
configmap/kubernetes-dashboard-settings configured
Warning: resource roles/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
role.rbac.authorization.k8s.io/kubernetes-dashboard configured
Warning: resource clusterroles/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard configured
Warning: resource rolebindings/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard configured
Warning: resource clusterrolebindings/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard configured
Warning: resource deployments/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/kubernetes-dashboard configured
Warning: resource services/dashboard-metrics-scraper is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
service/dashboard-metrics-scraper configured
Warning: resource deployments/dashboard-metrics-scraper is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/dashboard-metrics-scraper configured

admin · 发表于 2024-9-17 16:35:24

kubernetes命令补全优化
# 加入~/.bashrc
vim ~/.bashrc
# 添加下面的
source <(kubectl completion bash)

source ~/.bashrc

admin · 发表于 2024-9-18 14:22:13

网络安装calico.yaml 组件：
[root@kubernetes-master ~]# curl https://docs.projectcalico.org/v3.18/manifests/calico.yaml -O
  % Total % Received % Xferd  Average Speed Time Time    Time  Current
                              Dload  Upload Total Spent Left  Speed
100  184k  100  184k 0    0  98813    0  0:00:01  0:00:01 --:--:-- 98793
[url=]calico.yaml[/url]

[root@kubernetes-master ~]# ls
calico.yaml  cri-dockerd-0.3.2-3.el7.x86_64.rpm  kube-flannel.yml  qemu-guest-agent-1.5.3-ksyun.x86_64.rpm  sudo-1.9.5-3.el7.x86_64.rpm
[root@kubernetes-master ~]# vim calico.yaml
[root@kubernetes-master ~]# kubectl apply -f calico.yaml
configmap/calico-config created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrole.rbac.authorization.k8s.io/calico-node created
clusterrolebinding.rbac.authorization.k8s.io/calico-node created
daemonset.apps/calico-node created
serviceaccount/calico-node created
deployment.apps/calico-kube-controllers created
serviceaccount/calico-kube-controllers created
error: resource mapping not found for name: "calico-kube-controllers" namespace: "kube-system" from "calico.yaml": no matches for kind "PodDisruptionBudget" in version "policy/v1beta1"
ensure CRDs are installed first

admin · 发表于 2024-9-18 15:14:52

删除pod ，kubernetes-dashboard
kubectl describe pod/kubernetes-dashboard-746fbfd67c-8xbmk --namespace=kubernetes-dashboard

kube-flannel          kube-flannel-ds-l68ft                      0/1    CrashLoopBackOff

解决方法：

检查 Pod 的事件或日志：使用 kubectl describe pod <pod-name> 查看 Pod 的事件和日志，找到启动失败的具体原因。

kubectl describe pod kube-flannel-ds-l68ft --namespace=kube-flannel
Name:                kube-flannel-ds-l68ft
Namespace:          kube-flannel
Priority:          2000001000
Priority Class Name:  system-node-critical
Service Account:    flannel
Node:                kubernetes-node1/172.24.110.183
Start Time:          Tue, 17 Sep 2024 16:33:08 +0800
Labels:             app=flannel
                  controller-revision-hash=c46b99f7f
                  k8s-app=flannel
                  pod-template-generation=2
                  tier=node
Annotations:       <none>
Status:             Running
IP:                172.24.110.183

修正配置或启动命令：根据日志信息修正容器的配置文件或启动命令。

检查资源限制：使用 kubectl top pod <pod-name> 检查 Pod 是否有足够的资源运行。

调整权限：确保容器以正确的用户身份运行，并且有适当的文件权限。

确认依赖服务：确保所有依赖的服务都已启动并运行正常。

重新拉取镜像：使用 kubectl get pod -o yaml 查看 Pod 定义，确认镜像名和标签正确，然后使用 kubectl delete pod <pod-name> 强制 Pod 重新拉取镜像。

kubectl get pod -o yaml
apiVersion: v1
items: []
kind: List
metadata:
  resourceVersion: ""

调整安全策略：根据日志信息调整相应的安全策略，以允许所需的操作。

在解决问题时，可能需要多次尝试，并且每次修改后都需要重新创建 Pod 来使更改生效。

admin · 发表于 2024-9-18 16:18:16

dashboard上面装的有问题，下面重新安装：

[root@kubernetes-master ~]# wget https://raw.githubusercontent.co ... oy/recommended.yaml
--2024-09-18 16:04:03--  https://raw.githubusercontent.co ... oy/recommended.yaml
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7621 (7.4K) [text/plain]
Saving to: ‘recommended.yaml’

100%[======================================================================================================================================================================================>] 7,621    --.-K/s in 0.001s

2024-09-18 16:04:04 (7.53 MB/s) - ‘recommended.yaml’ saved [7621/7621]
[url=]recommended.yaml[/url]
[root@kubernetes-master ~]# ls
calico.yaml  cri-dockerd-0.3.2-3.el7.x86_64.rpm  kube-flannel.yml  qemu-guest-agent-1.5.3-ksyun.x86_64.rpm  recommended.yaml  recommended.yaml.bal  sudo-1.9.5-3.el7.x86_64.rpm
[root@kubernetes-master ~]# vim recommended.yaml
[root@kubernetes-master ~]# vim recommended.yaml

spec:
type: NodePort    ##添加的
  ports:
- port: 443
   targetPort: 8443
    nodePort: 32333    ###添加的
  selector:
k8s-app: kubernetes-dashboard

   containers:
      - name: kubernetes-dashboard
      image: kubernetesui/dashboard:v2.5.1
        imagePullPolicy: Never ##Always 改成Never
      ports:
         - containerPort: 8443
            protocol: TCP

#创建danshboard
kubectl create -f recommended.yaml

[root@kubernetes-master ~]# kubectl create -f recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created

#查看所有pod
kubectl get pods --all-namespaces

[root@kubernetes-master ~]# kubectl get  pods --namespace kubernetes-dashboard
NAME                                        READY STATUS          RESTARTS AGE
dashboard-metrics-scraper-6fdb9d6cdd-nhs4j 0/1    ErrImagePull    0       95s
kubernetes-dashboard-79d57f5458-6kmlb       0/1    ImagePullBackOff 0       95s

查看报错信息：
#kubectl describe pod kubernetes-dashboard-79d57f5458-6kmlb --namespace kubernetes-dashboard

Warning  Failed       81s (x2 over 2m10s)  kubelet          Failed to pull image "kubernetesui/dashboard:v2.5.1": Error response from daemon: Get "https://registry-1.docker.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
  Normal Pulling       53s (x3 over 2m41s)  kubelet          Pulling image "kubernetesui/dashboard:v2.5.1"
  Warning  Failed       22s (x3 over 2m10s)  kubelet          Error: ErrImagePull
  Warning  Failed       22s                kubelet          Failed to pull image "kubernetesui/dashboard:v2.5.1": Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp 199.16.156.71:443: i/o timeout

#根据上述信息我们来到节点尝试拉取镜像

kubectl apply  -f recommended.yaml

admin · 发表于 2024-9-24 16:26:34

Step 1 : Configure Kernel Modules and Networking
Before setting up Kubernetes, certain kernel modules and sysctl parameters need to be configured to ensure proper networking between containers.

First, we load the necessary kernel modules (overlay and br_netfilter) that Kubernetes relies on.

cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF

sudo modprobe overlay
sudo modprobe br_netfilter

# sysctl params required by setup, params persist across reboots
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables  = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward                = 1
EOF

# Apply sysctl params without reboot
sudo sysctl --system

Step 2: Disable swap on all the Nodes
sudo swapoff -a
(crontab -l 2>/dev/null; echo "@reboot /sbin/swapoff -a") | crontab - || true
Step 3: Install Containerd Runtime On All The Nodes
sudo apt-get update && sudo apt-get install -y containerd
Step 4: Configure Containerd
sudo mkdir -p /etc/containerd
sudo containerd config default | sudo tee /etc/containerd/config.toml
sudo sed -i 's/          SystemdCgroup = false/          SystemdCgroup = true/' /etc/containerd/config.toml
sudo systemctl restart containerd
Step 5: Install Kubeadm & Kubelet & Kubectl on all Nodes
KUBERNETES_VERSION=1.30

sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://pkgs.k8s.io/core:/stable:/v$KUBERNETES_VERSION/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v$KUBERNETES_VERSION/deb/ /" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt update && sudo apt-get install -y kubelet=1.30.0-1.1 kubectl=1.30.0-1.1 kubeadm=1.30.0-1.1

Step 6: Initialize Cluster
NODENAME=$(hostname -s)
POD_CIDR="10.30.0.0/16"
kubeadm init --pod-network-cidr=$POD_CIDR --node-name $NODENAME

An Open Letter to the SUSE Leadership Regarding…
John Carr  3 年前
Step 6: Copy Join command in workers
In this step, copy the kubeadm join command and follow Steps 1 to 5 on each of the other nodes.

step 7: Install CNI Plugin
Finally install a CNI. for your cluster in this example we are going to install calico for our cluster

kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml

Step 8 : Final result
now you should be able to run kubectl get nodes and all nodes and kube-system pods should be running

kubectl get nodes
kubectl get pods -A

admin · 发表于 2024-12-29 21:16:59

镜像最近有些变化了：

I1229 21:16:13.799696 2756 version.go:256] remote version is much newer: v1.32.0; falling back to: stable-1.28
registry.k8s.io/kube-apiserver:v1.28.15
registry.k8s.io/kube-controller-manager:v1.28.15
registry.k8s.io/kube-scheduler:v1.28.15
registry.k8s.io/kube-proxy:v1.28.15
registry.k8s.io/pause:3.9
registry.k8s.io/etcd:3.5.9-0
registry.k8s.io/coredns/coredns:v1.10.1

admin · 发表于 2025-1-1 09:26:26

在使用kubernetes 32版本
[root@k8s-master ~]# kubeadm init --apiserver-advertise-address=192.168.8.190 --image-repository registry.aliyuncs.com/google_containers  --kubernetes-version=v1.32.0 --service-cidr=172.29.16.0/23 --pod-network-cidr=172.22.16.0/23 --cri-socket=unix:///var/run/cri-dockerd.sock --v=5
I0101 09:17:08.895164 2766 kubelet.go:195] the value of KubeletConfiguration.cgroupDriver is empty; setting it to "systemd"
[init] Using Kubernetes version: v1.32.0
[preflight] Running pre-flight checks
I0101 09:17:08.912311 2766 checks.go:561] validating Kubernetes and kubeadm version
      [WARNING KubernetesVersion]: Kubernetes version is greater than kubeadm version. Please consider to upgrade kubeadm. Kubernetes version: 1.32.0. Kubeadm version: 1.31.x
I0101 09:17:08.912412 2766 checks.go:166] validating if the firewall is enabled and active
I0101 09:17:08.925133 2766 checks.go:201] validating availability of port 6443
I0101 09:17:08.925553 2766 checks.go:201] validating availability of port 10259
I0101 09:17:08.925679 2766 checks.go:201] validating availability of port 10257
I0101 09:17:08.925766 2766 checks.go:278] validating the existence of file /etc/kubernetes/manifests/kube-apiserver.yaml
I0101 09:17:08.925857 2766 checks.go:278] validating the existence of file /etc/kubernetes/manifests/kube-controller-manager.yaml
I0101 09:17:08.925909 2766 checks.go:278] validating the existence of file /etc/kubernetes/manifests/kube-scheduler.yaml
I0101 09:17:08.925954 2766 checks.go:278] validating the existence of file /etc/kubernetes/manifests/etcd.yaml
I0101 09:17:08.925979 2766 checks.go:428] validating if the connectivity type is via proxy or direct
I0101 09:17:08.926074 2766 checks.go:467] validating http connectivity to first IP address in the CIDR
I0101 09:17:08.926142 2766 checks.go:467] validating http connectivity to first IP address in the CIDR
I0101 09:17:08.926178 2766 checks.go:102] validating the container runtime
I0101 09:17:08.927016 2766 checks.go:637] validating whether swap is enabled or not
I0101 09:17:08.927191 2766 checks.go:368] validating the presence of executable crictl
I0101 09:17:08.927293 2766 checks.go:368] validating the presence of executable conntrack
I0101 09:17:08.927331 2766 checks.go:368] validating the presence of executable ip
I0101 09:17:08.927369 2766 checks.go:368] validating the presence of executable iptables
I0101 09:17:08.927405 2766 checks.go:368] validating the presence of executable mount
I0101 09:17:08.927442 2766 checks.go:368] validating the presence of executable nsenter
I0101 09:17:08.927479 2766 checks.go:368] validating the presence of executable ethtool
I0101 09:17:08.927512 2766 checks.go:368] validating the presence of executable tc
I0101 09:17:08.927565 2766 checks.go:368] validating the presence of executable touch
I0101 09:17:08.927605 2766 checks.go:514] running all checks
I0101 09:17:08.941390 2766 checks.go:399] checking whether the given node name is valid and reachable using net.LookupHost
I0101 09:17:08.941828 2766 checks.go:603] validating kubelet version
I0101 09:17:09.013778 2766 checks.go:128] validating if the "kubelet" service is enabled and active
      [WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service'
I0101 09:17:09.027024 2766 checks.go:201] validating availability of port 10250
I0101 09:17:09.027156 2766 checks.go:327] validating the contents of file /proc/sys/net/ipv4/ip_forward
I0101 09:17:09.027330 2766 checks.go:201] validating availability of port 2379
I0101 09:17:09.027432 2766 checks.go:201] validating availability of port 2380
I0101 09:17:09.027550 2766 checks.go:241] validating the existence and emptiness of directory /var/lib/etcd
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action beforehand using 'kubeadm config images pull'
I0101 09:17:09.030027 2766 images.go:80] WARNING: could not find officially supported version of etcd for Kubernetes v1.32.0, falling back to the nearest etcd version (3.5.15-0)
I0101 09:17:09.030090 2766 checks.go:832] using image pull policy: IfNotPresent
W0101 09:17:09.031052 2766 checks.go:846] detected that the sandbox image "registry.aliyuncs.com/google_containers/pause:3.9" of the container runtime is inconsistent with that used by kubeadm.It is recommended to use "registry.aliyuncs.com/google_containers/pause:3.10" as the CRI sandbox image.
I0101 09:17:09.033771 2766 checks.go:871] pulling: registry.aliyuncs.com/google_containers/kube-apiserver:v1.32.0
I0101 09:17:16.690625 2766 checks.go:871] pulling: registry.aliyuncs.com/google_containers/kube-controller-manager:v1.32.0
I0101 09:17:23.575148 2766 checks.go:871] pulling: registry.aliyuncs.com/google_containers/kube-scheduler:v1.32.0
I0101 09:17:29.427958 2766 checks.go:871] pulling: registry.aliyuncs.com/google_containers/kube-proxy:v1.32.0
I0101 09:17:37.054594 2766 checks.go:871] pulling: registry.aliyuncs.com/google_containers/coredns:v1.11.3
I0101 09:17:43.574636 2766 checks.go:871] pulling: registry.aliyuncs.com/google_containers/pause:3.10
I0101 09:17:44.929429 2766 checks.go:871] pulling: registry.aliyuncs.com/google_containers/etcd:3.5.15-0
[certs] Using certificateDir folder "/etc/kubernetes/pki"
I0101 09:17:58.489483 2766 certs.go:112] creating a new certificate authority for ca
[certs] Generating "ca" certificate and key
I0101 09:17:59.936877 2766 certs.go:473] validating certificate period for ca certificate
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [k8s-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [172.29.16.1 192.168.8.190]
[certs] Generating "apiserver-kubelet-client" certificate and key
I0101 09:18:01.377059 2766 certs.go:112] creating a new certificate authority for front-proxy-ca
[certs] Generating "front-proxy-ca" certificate and key
I0101 09:18:03.218799 2766 certs.go:473] validating certificate period for front-proxy-ca certificate
[certs] Generating "front-proxy-client" certificate and key
I0101 09:18:04.332875 2766 certs.go:112] creating a new certificate authority for etcd-ca
[certs] Generating "etcd/ca" certificate and key
I0101 09:18:06.977732 2766 certs.go:473] validating certificate period for etcd/ca certificate
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [k8s-master localhost] and IPs [192.168.8.190 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [k8s-master localhost] and IPs [192.168.8.190 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
I0101 09:18:10.455557 2766 certs.go:78] creating new public/private key files for signing service account users
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
I0101 09:18:10.855930 2766 kubeconfig.go:111] creating kubeconfig file for admin.conf
[kubeconfig] Writing "admin.conf" kubeconfig file
I0101 09:18:11.347740 2766 kubeconfig.go:111] creating kubeconfig file for super-admin.conf
[kubeconfig] Writing "super-admin.conf" kubeconfig file
I0101 09:18:11.688152 2766 kubeconfig.go:111] creating kubeconfig file for kubelet.conf
[kubeconfig] Writing "kubelet.conf" kubeconfig file
I0101 09:18:12.190293 2766 kubeconfig.go:111] creating kubeconfig file for controller-manager.conf
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
I0101 09:18:13.161357 2766 kubeconfig.go:111] creating kubeconfig file for scheduler.conf
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
I0101 09:18:13.708236 2766 images.go:80] WARNING: could not find officially supported version of etcd for Kubernetes v1.32.0, falling back to the nearest etcd version (3.5.15-0)
I0101 09:18:13.713834 2766 local.go:65] [etcd] wrote Static Pod manifest for a local etcd member to "/etc/kubernetes/manifests/etcd.yaml"
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
I0101 09:18:13.714027 2766 manifests.go:103] [control-plane] getting StaticPodSpecs
I0101 09:18:13.714500 2766 certs.go:473] validating certificate period for CA certificate
I0101 09:18:13.714687 2766 manifests.go:129] [control-plane] adding volume "ca-certs" for component "kube-apiserver"
I0101 09:18:13.714767 2766 manifests.go:129] [control-plane] adding volume "etc-pki-ca-trust" for component "kube-apiserver"
I0101 09:18:13.714837 2766 manifests.go:129] [control-plane] adding volume "etc-pki-tls-certs" for component "kube-apiserver"
I0101 09:18:13.714857 2766 manifests.go:129] [control-plane] adding volume "k8s-certs" for component "kube-apiserver"
I0101 09:18:13.716746 2766 manifests.go:158] [control-plane] wrote static Pod manifest for component "kube-apiserver" to "/etc/kubernetes/manifests/kube-apiserver.yaml"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
I0101 09:18:13.716863 2766 manifests.go:103] [control-plane] getting StaticPodSpecs
I0101 09:18:13.717331 2766 manifests.go:129] [control-plane] adding volume "ca-certs" for component "kube-controller-manager"
I0101 09:18:13.717415 2766 manifests.go:129] [control-plane] adding volume "etc-pki-ca-trust" for component "kube-controller-manager"
I0101 09:18:13.717453 2766 manifests.go:129] [control-plane] adding volume "etc-pki-tls-certs" for component "kube-controller-manager"
I0101 09:18:13.717498 2766 manifests.go:129] [control-plane] adding volume "flexvolume-dir" for component "kube-controller-manager"
I0101 09:18:13.717517 2766 manifests.go:129] [control-plane] adding volume "k8s-certs" for component "kube-controller-manager"
I0101 09:18:13.717561 2766 manifests.go:129] [control-plane] adding volume "kubeconfig" for component "kube-controller-manager"
I0101 09:18:13.719110 2766 manifests.go:158] [control-plane] wrote static Pod manifest for component "kube-controller-manager" to "/etc/kubernetes/manifests/kube-controller-manager.yaml"
[control-plane] Creating static Pod manifest for "kube-scheduler"
I0101 09:18:13.719208 2766 manifests.go:103] [control-plane] getting StaticPodSpecs
I0101 09:18:13.719600 2766 manifests.go:129] [control-plane] adding volume "kubeconfig" for component "kube-scheduler"
I0101 09:18:13.720666 2766 manifests.go:158] [control-plane] wrote static Pod manifest for component "kube-scheduler" to "/etc/kubernetes/manifests/kube-scheduler.yaml"
I0101 09:18:13.720760 2766 kubelet.go:68] Stopping the kubelet
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests"
[kubelet-check] Waiting for a healthy kubelet at http://127.0.0.1:10248/healthz. This can take up to 4m0s
[kubelet-check] The kubelet is healthy after 1.517289565s
[api-check] Waiting for a healthy API server. This can take up to 4m0s
[api-check] The API server is healthy after 17.003014698s
I0101 09:18:32.522198 2766 kubeconfig.go:665] ensuring that the ClusterRoleBinding for the kubeadm:cluster-admins Group exists
I0101 09:18:32.524875 2766 kubeconfig.go:738] creating the ClusterRoleBinding for the kubeadm:cluster-admins Group by using super-admin.conf
I0101 09:18:32.548427 2766 uploadconfig.go:112] [upload-config] Uploading the kubeadm ClusterConfiguration to a ConfigMap
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
I0101 09:18:32.566210 2766 uploadconfig.go:126] [upload-config] Uploading the kubelet component config to a ConfigMap
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster
I0101 09:18:32.584736 2766 uploadconfig.go:131] [upload-config] Preserving the CRISocket information for the control-plane node
I0101 09:18:32.584775 2766 patchnode.go:31] [patchnode] Uploading the CRI Socket information "unix:///var/run/cri-dockerd.sock" to the Node API object "k8s-master" as an annotation
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node k8s-master as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node k8s-master as control-plane by adding the taints [node-role.kubernetes.io/control-plane:NoSchedule]
[bootstrap-token] Using token: mkl5ok.ttqgpoybxarwwum8
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
I0101 09:18:32.662880 2766 clusterinfo.go:47] [bootstrap-token] loading admin kubeconfig
I0101 09:18:32.663948 2766 clusterinfo.go:58] [bootstrap-token] copying the cluster from admin.conf to the bootstrap kubeconfig
I0101 09:18:32.664531 2766 clusterinfo.go:70] [bootstrap-token] creating/updating ConfigMap in kube-public namespace
I0101 09:18:32.670237 2766 clusterinfo.go:84] creating the RBAC rules for exposing the cluster-info ConfigMap in the kube-public namespace
I0101 09:18:32.722880 2766 request.go:632] Waited for 52.518759ms due to client-side throttling, not priority and fairness, request: POST:https://192.168.8.190:6443/apis/ ... c/roles?timeout=10s
I0101 09:18:32.922885 2766 request.go:632] Waited for 193.402714ms due to client-side throttling, not priority and fairness, request: POST:https://192.168.8.190:6443/apis/ ... indings?timeout=10s
I0101 09:18:32.928726 2766 kubeletfinalize.go:123] [kubelet-finalize] Assuming that kubelet client certificate rotation is enabled: found "/var/lib/kubelet/pki/kubelet-client-current.pem"
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
I0101 09:18:32.931276 2766 kubeletfinalize.go:177] [kubelet-finalize] Restarting the kubelet to enable client certificate rotation
I0101 09:18:33.171057 2766 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=false
I0101 09:18:33.171183 2766 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=false
I0101 09:18:33.325030 2766 request.go:632] Waited for 103.44617ms due to client-side throttling, not priority and fairness, request: POST:https://192.168.8.190:6443/apis/ ... indings?timeout=10s
[addons] Applied essential addon: CoreDNS
I0101 09:18:33.550063 2766 request.go:632] Waited for 94.465297ms due to client-side throttling, not priority and fairness, request: POST:https://192.168.8.190:6443/api/v ... ccounts?timeout=10s
I0101 09:18:33.723795 2766 request.go:632] Waited for 151.789723ms due to client-side throttling, not priority and fairness, request: POST:https://192.168.8.190:6443/apis/ ... m/roles?timeout=10s
I0101 09:18:33.922760 2766 request.go:632] Waited for 187.41919ms due to client-side throttling, not priority and fairness, request: POST:https://192.168.8.190:6443/apis/ ... indings?timeout=10s
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/conce ... inistration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.8.190:6443 --token mkl5ok.ttqgpoybxarwwum8 \
      --discovery-token-ca-cert-hash sha256:6951f50d3ba9e40f8d175cab4b9711eeb164aa06969b72b2f12a6d881fea666c

admin · 发表于 2025-1-1 19:51:59

创建目录
根据自身实际情况创建指定路径，此路径用来存放k8s二进制文件以及用到的镜像文件

mkdir -p /approot1/k8s/{bin,images,pkg,tmp/{ssl,service}}
关闭防火墙
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "systemctl disable firewalld"; \
ssh $i "systemctl stop firewalld"; \
done
关闭selinux
临时关闭

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "setenforce 0"; \
done
永久关闭

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "sed -i '/SELINUX/s/enforcing/disabled/g' /etc/selinux/config"; \
done
关闭swap
临时关闭

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "swapoff -a"; \
done
永久关闭

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "sed -i '/ swap / s/^$.*$$/#\1/g' /etc/fstab"; \
done
开启内核模块
临时开启

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "modprobe ip_vs"; \
ssh $i "modprobe ip_vs_rr"; \
ssh $i "modprobe ip_vs_wrr"; \
ssh $i "modprobe ip_vs_sh"; \
ssh $i "modprobe nf_conntrack"; \
ssh $i "modprobe nf_conntrack_ipv4"; \
ssh $i "modprobe br_netfilter"; \
ssh $i "modprobe overlay"; \
done
永久开启

vim /approot1/k8s/tmp/service/k8s-modules.conf
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
nf_conntrack_ipv4
br_netfilter
overlay
分发到所有节点
for i in 192.168.91.19 192.168.91.20;do \
scp /approot1/k8s/tmp/service/k8s-modules.conf $i:/etc/modules-load.d/; \
done
启用systemd自动加载模块服务
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "systemctl enable systemd-modules-load"; \
ssh $i "systemctl restart systemd-modules-load"; \
ssh $i "systemctl is-active systemd-modules-load"; \
done
返回active表示自动加载模块服务启动成功

配置系统参数
以下的参数适用于3.x和4.x系列的内核

vim /approot1/k8s/tmp/service/kubernetes.conf
建议编辑之前，在 vim 里面先执行 :set paste ，避免复制进去的内容和文档的不一致，比如多了注释，或者语法对齐异常

# 开启数据包转发功能（实现vxlan）
net.ipv4.ip_forward=1
# iptables对bridge的数据进行处理
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-arptables=1
# 关闭tcp_tw_recycle，否则和NAT冲突，会导致服务不通
net.ipv4.tcp_tw_recycle=0
# 不允许将TIME-WAIT sockets重新用于新的TCP连接
net.ipv4.tcp_tw_reuse=0
# socket监听(listen)的backlog上限
net.core.somaxconn=32768
# 最大跟踪连接数，默认 nf_conntrack_buckets * 4
net.netfilter.nf_conntrack_max=1000000
# 禁止使用 swap 空间，只有当系统 OOM 时才允许使用它
vm.swappiness=0
# 计算当前的内存映射文件数。
vm.max_map_count=655360
# 内核可分配的最大文件数
fs.file-max=6553600
# 持久连接
net.ipv4.tcp_keepalive_time=600
net.ipv4.tcp_keepalive_intvl=30
net.ipv4.tcp_keepalive_probes=10
分发到所有节点
for i in 192.168.91.19 192.168.91.20;do \
scp /approot1/k8s/tmp/service/kubernetes.conf $i:/etc/sysctl.d/; \
done
加载系统参数
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "sysctl -p /etc/sysctl.d/kubernetes.conf"; \
done
清空iptables规则
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat"; \
ssh $i "iptables -P FORWARD ACCEPT"; \
done
配置 PATH 变量
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "echo 'PATH=$PATH:/approot1/k8s/bin' >> $HOME/.bashrc"; \
done
source $HOME/.bashrc
下载二进制文件
其中一台节点操作即可

github下载会比较慢，可以从本地上传到 /approot1/k8s/pkg/ 目录下

wget -O /approot1/k8s/pkg/kubernetes.tar.gz \
https://dl.k8s.io/v1.23.3/kubernetes-server-linux-amd64.tar.gz

wget -O /approot1/k8s/pkg/etcd.tar.gz \
https://github.com/etcd-io/etcd/ ... -linux-amd64.tar.gz
解压并删除不必要的文件

cd /approot1/k8s/pkg/
for i in $(ls *.tar.gz);do tar xvf $i && rm -f $i;done
mv kubernetes/server/bin/ kubernetes/
rm -rf kubernetes/{addons,kubernetes-src.tar.gz,LICENSES,server}
rm -f kubernetes/bin/*_tag kubernetes/bin/*.tar
rm -rf etcd-v3.5.1-linux-amd64/Documentation etcd-v3.5.1-linux-amd64/*.md
部署 master 节点
创建 ca 根证书
wget -O /approot1/k8s/bin/cfssl https://github.com/cloudflare/cf ... l_1.6.1_linux_amd64
wget -O /approot1/k8s/bin/cfssljson https://github.com/cloudflare/cf ... n_1.6.1_linux_amd64
chmod +x /approot1/k8s/bin/*
vim /approot1/k8s/tmp/ssl/ca-config.json
{
  "signing": {
"default": {
   "expiry": "87600h"
},
"profiles": {
   "kubernetes": {
      "usages": [
         "signing",
         "key encipherment",
         "server auth",
         "client auth"
      ],
      "expiry": "876000h"
   }
}
  }
}
vim /approot1/k8s/tmp/ssl/ca-csr.json
{
  "CN": "kubernetes",
  "key": {
"algo": "rsa",
"size": 2048
  },
  "names": [
{
   "C": "CN",
   "ST": "ShangHai",
   "L": "ShangHai",
   "O": "k8s",
   "OU": "System"
}
  ],
  "ca": {
"expiry": "876000h"
}
}
cd /approot1/k8s/tmp/ssl/
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
部署 etcd 组件
创建 etcd 证书
vim /approot1/k8s/tmp/ssl/etcd-csr.json
这里的192.168.91.19需要改成自己的ip，不要一股脑的复制黏贴

注意json的格式

{
  "CN": "etcd",
  "hosts": [
"127.0.0.1",
"192.168.91.19"
  ],
  "key": {
"algo": "rsa",
"size": 2048
  },
  "names": [
{
   "C": "CN",
   "ST": "ShangHai",
   "L": "ShangHai",
   "O": "k8s",
   "OU": "System"
}
  ]
}
cd /approot1/k8s/tmp/ssl/
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes etcd-csr.json | cfssljson -bare etcd
配置 etcd 为 systemctl 管理
vim /approot1/k8s/tmp/service/kube-etcd.service.192.168.91.19
这里的192.168.91.19需要改成自己的ip，不要一股脑的复制黏贴

etcd 参数

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
Type=notify
WorkingDirectory=/approot1/k8s/data/etcd
ExecStart=/approot1/k8s/bin/etcd \
  --name=etcd-192.168.91.19 \
  --cert-file=/etc/kubernetes/ssl/etcd.pem \
  --key-file=/etc/kubernetes/ssl/etcd-key.pem \
  --peer-cert-file=/etc/kubernetes/ssl/etcd.pem \
  --peer-key-file=/etc/kubernetes/ssl/etcd-key.pem \
  --trusted-ca-file=/etc/kubernetes/ssl/ca.pem \
  --peer-trusted-ca-file=/etc/kubernetes/ssl/ca.pem \
  --initial-advertise-peer-urls=https://192.168.91.19:2380 \
  --listen-peer-urls=https://192.168.91.19:2380 \
  --listen-client-urls=https://192.168.91.19:2379,http://127.0.0.1:2379 \
  --advertise-client-urls=https://192.168.91.19:2379 \
  --initial-cluster-token=etcd-cluster-0 \
  --initial-cluster=etcd-192.168.91.19=https://192.168.91.19:2380 \
  --initial-cluster-state=new \
  --data-dir=/approot1/k8s/data/etcd \
  --wal-dir= \
  --snapshot-count=50000 \
  --auto-compaction-retention=1 \
  --auto-compaction-mode=periodic \
  --max-request-bytes=10485760 \
  --quota-backend-bytes=8589934592
Restart=always
RestartSec=15
LimitNOFILE=65536
OOMScoreAdjust=-999

[Install]
WantedBy=multi-user.target
分发证书以及创建相关路径
如果是多节点，只需要在192.168.91.19后面加上对应的ip即可，以空格为分隔，注意将192.168.91.19修改为自己的ip，切莫一股脑复制

对应的目录也要确保和自己规划的一致，如果和我的有不同，注意修改，否则服务会启动失败

for i in 192.168.91.19;do \
ssh $i "mkdir -p /etc/kubernetes/ssl"; \
ssh $i "mkdir -m 700 -p /approot1/k8s/data/etcd"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
scp /approot1/k8s/tmp/ssl/{ca*.pem,etcd*.pem} $i:/etc/kubernetes/ssl/; \
scp /approot1/k8s/tmp/service/kube-etcd.service.$i $i:/etc/systemd/system/kube-etcd.service; \
scp /approot1/k8s/pkg/etcd-v3.5.1-linux-amd64/etcd* $i:/approot1/k8s/bin/; \
done
启动 etcd 服务
如果是多节点，只需要在192.168.91.19后面加上对应的ip即可，以空格为分隔，注意将192.168.91.19修改为自己的ip，切莫一股脑复制

for i in 192.168.91.19;do \
ssh $i "systemctl daemon-reload"; \
ssh $i "systemctl enable kube-etcd"; \
ssh $i "systemctl restart kube-etcd --no-block"; \
ssh $i "systemctl is-active kube-etcd"; \
done
返回 activating 表示 etcd 还在启动中，可以稍等一会，然后再执行 for i in 192.168.91.19;do ssh $i "systemctl is-active kube-etcd";done

返回active表示 etcd 启动成功，如果是多节点 etcd ，其中一个没有返回active属于正常的，可以使用下面的方式来验证集群

如果是多节点，只需要在192.168.91.19后面加上对应的ip即可，以空格为分隔，注意将192.168.91.19修改为自己的ip，切莫一股脑复制

for i in 192.168.91.19;do \
ssh $i "ETCDCTL_API=3 /approot1/k8s/bin/etcdctl \
      --endpoints=https://${i}:2379 \
      --cacert=/etc/kubernetes/ssl/ca.pem \
      --cert=/etc/kubernetes/ssl/etcd.pem \
      --key=/etc/kubernetes/ssl/etcd-key.pem \
      endpoint health"; \
done
https://192.168.91.19:2379 is healthy: successfully committed proposal: took = 7.135668ms

返回以上信息，并显示 successfully 表示节点是健康的

部署 apiserver 组件
创建 apiserver 证书
vim /approot1/k8s/tmp/ssl/kubernetes-csr.json
这里的192.168.91.19需要改成自己的ip，不要一股脑的复制黏贴

注意json的格式

10.88.0.1 是 k8s 的服务 ip，千万不要和现有的网络一致，避免出现冲突

{
  "CN": "kubernetes",
  "hosts": [
"127.0.0.1",
"192.168.91.19",
"10.88.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
  ],
  "key": {
"algo": "rsa",
"size": 2048
  },
  "names": [
{
   "C": "CN",
   "ST": "ShangHai",
   "L": "ShangHai",
   "O": "k8s",
   "OU": "System"
}
  ]
}
cd /approot1/k8s/tmp/ssl/
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
创建 metrics-server 证书
vim /approot1/k8s/tmp/ssl/metrics-server-csr.json
{
  "CN": "aggregator",
  "hosts": [
  ],
  "key": {
"algo": "rsa",
"size": 2048
  },
  "names": [
{
   "C": "CN",
   "ST": "ShangHai",
   "L": "ShangHai",
   "O": "k8s",
   "OU": "System"
}
  ]
}
cd /approot1/k8s/tmp/ssl/
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes metrics-server-csr.json | cfssljson -bare metrics-server
配置 apiserver 为 systemctl 管理
vim /approot1/k8s/tmp/service/kube-apiserver.service.192.168.91.19
这里的192.168.91.19需要改成自己的ip，不要一股脑的复制黏贴

--service-cluster-ip-range 参数的 ip 网段要和 kubernetes-csr.json 里面的 10.88.0.1 是一个网段的

--etcd-servers 如果 etcd 是多节点的，这里要写上所有的 etcd 节点

apiserver 参数

[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
ExecStart=/approot1/k8s/bin/kube-apiserver \
  --allow-privileged=true \
  --anonymous-auth=false \
  --api-audiences=api,istio-ca \
  --authorization-mode=Node,RBAC \
  --bind-address=192.168.91.19 \
  --client-ca-file=/etc/kubernetes/ssl/ca.pem \
  --endpoint-reconciler-type=lease \
  --etcd-cafile=/etc/kubernetes/ssl/ca.pem \
  --etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem \
  --etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem \
  --etcd-servers=https://192.168.91.19:2379 \
  --kubelet-certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --kubelet-client-certificate=/etc/kubernetes/ssl/kubernetes.pem \
  --kubelet-client-key=/etc/kubernetes/ssl/kubernetes-key.pem \
  --secure-port=6443 \
  --service-account-issuer=https://kubernetes.default.svc \
  --service-account-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --service-account-key-file=/etc/kubernetes/ssl/ca.pem \
  --service-cluster-ip-range=10.88.0.0/16 \
  --service-node-port-range=30000-32767 \
  --tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem \
  --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
  --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem \
  --requestheader-allowed-names= \
  --requestheader-extra-headers-prefix=X-Remote-Extra- \
  --requestheader-group-headers=X-Remote-Group \
  --requestheader-username-headers=X-Remote-User \
  --proxy-client-cert-file=/etc/kubernetes/ssl/metrics-server.pem \
  --proxy-client-key-file=/etc/kubernetes/ssl/metrics-server-key.pem \
  --enable-aggregator-routing=true \
  --v=2
Restart=always
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
分发证书以及创建相关路径
如果是多节点，只需要在192.168.91.19后面加上对应的ip即可，以空格为分隔，注意将192.168.91.19修改为自己的ip，切莫一股脑复制

对应的目录也要确保和自己规划的一致，如果和我的有不同，注意修改，否则服务会启动失败

for i in 192.168.91.19;do \
ssh $i "mkdir -p /etc/kubernetes/ssl"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
scp /approot1/k8s/tmp/ssl/{ca*.pem,kubernetes*.pem,metrics-server*.pem} $i:/etc/kubernetes/ssl/; \
scp /approot1/k8s/tmp/service/kube-apiserver.service.$i $i:/etc/systemd/system/kube-apiserver.service; \
scp /approot1/k8s/pkg/kubernetes/bin/kube-apiserver $i:/approot1/k8s/bin/; \
done
启动 apiserver 服务
如果是多节点，只需要在192.168.91.19后面加上对应的ip即可，以空格为分隔，注意将192.168.91.19修改为自己的ip，切莫一股脑复制

for i in 192.168.91.19;do \
ssh $i "systemctl daemon-reload"; \
ssh $i "systemctl enable kube-apiserver"; \
ssh $i "systemctl restart kube-apiserver --no-block"; \
ssh $i "systemctl is-active kube-apiserver"; \
done
返回 activating 表示 apiserver 还在启动中，可以稍等一会，然后再执行 for i in 192.168.91.19;do ssh $i "systemctl is-active kube-apiserver";done

返回active表示 apiserver 启动成功

curl -k --cacert /etc/kubernetes/ssl/ca.pem \
--cert /etc/kubernetes/ssl/kubernetes.pem \
--key /etc/kubernetes/ssl/kubernetes-key.pem \
https://192.168.91.19:6443/api
正常返回如下信息，说明 apiserver 服务运行正常

{
  "kind": "APIVersions",
  "versions": [
"v1"
  ],
  "serverAddressByClientCIDRs": [
{
   "clientCIDR": "0.0.0.0/0",
   "serverAddress": "192.168.91.19:6443"
}
  ]
}
查看 k8s 的所有 kind （对象类别）

curl -s -k --cacert /etc/kubernetes/ssl/ca.pem \
--cert /etc/kubernetes/ssl/kubernetes.pem \
--key /etc/kubernetes/ssl/kubernetes-key.pem \
https://192.168.91.19:6443/api/v1/ | grep kind | sort -u
  "kind": "APIResourceList",
   "kind": "Binding",
   "kind": "ComponentStatus",
   "kind": "ConfigMap",
   "kind": "Endpoints",
   "kind": "Event",
   "kind": "Eviction",
   "kind": "LimitRange",
   "kind": "Namespace",
   "kind": "Node",
   "kind": "NodeProxyOptions",
   "kind": "PersistentVolume",
   "kind": "PersistentVolumeClaim",
   "kind": "Pod",
   "kind": "PodAttachOptions",
   "kind": "PodExecOptions",
   "kind": "PodPortForwardOptions",
   "kind": "PodProxyOptions",
   "kind": "PodTemplate",
   "kind": "ReplicationController",
   "kind": "ResourceQuota",
   "kind": "Scale",
   "kind": "Secret",
   "kind": "Service",
   "kind": "ServiceAccount",
   "kind": "ServiceProxyOptions",
   "kind": "TokenRequest",
配置 kubectl 管理
创建 admin 证书
vim /approot1/k8s/tmp/ssl/admin-csr.json
{
  "CN": "admin",
  "hosts": [
  ],
  "key": {
"algo": "rsa",
"size": 2048
  },
  "names": [
{
   "C": "CN",
   "ST": "ShangHai",
   "L": "ShangHai",
   "O": "system:masters",
   "OU": "System"
}
  ]
}
cd /approot1/k8s/tmp/ssl/
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes admin-csr.json | cfssljson -bare admin
创建 kubeconfig 证书
设置集群参数

--server 为 apiserver 的访问地址，修改成自己的 ip 地址和 service 文件里面指定的 --secure-port 参数的端口，切记，一定要带上https:// 协议，否则生成的证书，kubectl 命令访问不到 apiserver

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://192.168.91.19:6443 \
--kubeconfig=kubectl.kubeconfig
设置客户端认证参数

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-credentials admin \
--client-certificate=admin.pem \
--client-key=admin-key.pem \
--embed-certs=true \
--kubeconfig=kubectl.kubeconfig
设置上下文参数

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin \
--kubeconfig=kubectl.kubeconfig
设置默认上下文

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig
分发 kubeconfig 证书到所有 master 节点
如果是多节点，只需要在192.168.91.19后面加上对应的ip即可，以空格为分隔，注意将192.168.91.19修改为自己的ip，切莫一股脑复制

for i in 192.168.91.19;do \
ssh $i "mkdir -p /etc/kubernetes/ssl"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
ssh $i "mkdir -p $HOME/.kube"; \
scp /approot1/k8s/pkg/kubernetes/bin/kubectl $i:/approot1/k8s/bin/; \
ssh $i "echo 'source <(kubectl completion bash)' >> $HOME/.bashrc"
scp /approot1/k8s/tmp/ssl/kubectl.kubeconfig $i:$HOME/.kube/config; \
done
部署 controller-manager 组件
创建 controller-manager 证书
vim /approot1/k8s/tmp/ssl/kube-controller-manager-csr.json
这里的192.168.91.19需要改成自己的ip，不要一股脑的复制黏贴

注意json的格式

{
"CN": "system:kube-controller-manager",
"key": {
      "algo": "rsa",
      "size": 2048
},
"hosts": [
   "127.0.0.1",
   "192.168.91.19"
],
"names": [
   {
      "C": "CN",
      "ST": "ShangHai",
      "L": "ShangHai",
      "O": "system:kube-controller-manager",
      "OU": "System"
   }
]
}
cd /approot1/k8s/tmp/ssl/
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
创建 kubeconfig 证书
设置集群参数

--server 为 apiserver 的访问地址，修改成自己的 ip 地址和 service 文件里面指定的 --secure-port 参数的端口，切记，一定要带上https:// 协议，否则生成的证书，kubectl 命令访问不到 apiserver

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://192.168.91.19:6443 \
--kubeconfig=kube-controller-manager.kubeconfig
设置客户端认证参数

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-credentials system:kube-controller-manager \
--client-certificate=kube-controller-manager.pem \
--client-key=kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=kube-controller-manager.kubeconfig
设置上下文参数

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-context system:kube-controller-manager \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=kube-controller-manager.kubeconfig
设置默认上下文

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config \
use-context system:kube-controller-manager \
--kubeconfig=kube-controller-manager.kubeconfig
配置 controller-manager 为 systemctl 管理
vim /approot1/k8s/tmp/service/kube-controller-manager.service
这里的192.168.91.19需要改成自己的ip，不要一股脑的复制黏贴

--service-cluster-ip-range 参数的 ip 网段要和 kubernetes-csr.json 里面的 10.88.0.1 是一个网段的

--cluster-cidr 为 pod 运行的网段，要和 --service-cluster-ip-range 参数的网段以及现有的网络不一致，避免出现冲突

controller-manager 参数

[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/approot1/k8s/bin/kube-controller-manager \
  --bind-address=0.0.0.0 \
  --allocate-node-cidrs=true \
  --cluster-cidr=172.20.0.0/16 \
  --cluster-name=kubernetes \
  --cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
  --cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig \
  --leader-elect=true \
  --node-cidr-mask-size=24 \
  --root-ca-file=/etc/kubernetes/ssl/ca.pem \
  --service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --service-cluster-ip-range=10.88.0.0/16 \
  --use-service-account-credentials=true \
  --v=2
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
分发证书以及创建相关路径
如果是多节点，只需要在192.168.91.19后面加上对应的ip即可，以空格为分隔，注意将192.168.91.19修改为自己的ip，切莫一股脑复制

对应的目录也要确保和自己规划的一致，如果和我的有不同，注意修改，否则服务会启动失败

for i in 192.168.91.19;do \
ssh $i "mkdir -p /etc/kubernetes/ssl"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
scp /approot1/k8s/tmp/ssl/kube-controller-manager.kubeconfig $i:/etc/kubernetes/; \
scp /approot1/k8s/tmp/ssl/ca*.pem $i:/etc/kubernetes/ssl/; \
scp /approot1/k8s/tmp/service/kube-controller-manager.service $i:/etc/systemd/system/; \
scp /approot1/k8s/pkg/kubernetes/bin/kube-controller-manager $i:/approot1/k8s/bin/; \
done
启动 controller-manager 服务
如果是多节点，只需要在192.168.91.19后面加上对应的ip即可，以空格为分隔，注意将192.168.91.19修改为自己的ip，切莫一股脑复制

for i in 192.168.91.19;do \
ssh $i "systemctl daemon-reload"; \
ssh $i "systemctl enable kube-controller-manager"; \
ssh $i "systemctl restart kube-controller-manager --no-block"; \
ssh $i "systemctl is-active kube-controller-manager"; \
done
返回 activating 表示 controller-manager 还在启动中，可以稍等一会，然后再执行 for i in 192.168.91.19;do ssh $i "systemctl is-active kube-controller-manager";done

返回active表示 controller-manager 启动成功

部署 scheduler 组件
创建 scheduler 证书
vim /approot1/k8s/tmp/ssl/kube-scheduler-csr.json
这里的192.168.91.19需要改成自己的ip，不要一股脑的复制黏贴

注意json的格式

{
"CN": "system:kube-scheduler",
"key": {
      "algo": "rsa",
      "size": 2048
},
"hosts": [
   "127.0.0.1",
   "192.168.91.19"
],
"names": [
   {
      "C": "CN",
      "ST": "ShangHai",
      "L": "ShangHai",
      "O": "system:kube-scheduler",
      "OU": "System"
   }
]
}
cd /approot1/k8s/tmp/ssl/
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
创建 kubeconfig 证书
设置集群参数

--server 为 apiserver 的访问地址，修改成自己的 ip 地址和 service 文件里面指定的 --secure-port 参数的端口，切记，一定要带上https:// 协议，否则生成的证书，kubectl 命令访问不到 apiserver

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://192.168.91.19:6443 \
--kubeconfig=kube-scheduler.kubeconfig
设置客户端认证参数

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-credentials system:kube-scheduler \
--client-certificate=kube-scheduler.pem \
--client-key=kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=kube-scheduler.kubeconfig
设置上下文参数

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-context system:kube-scheduler \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=kube-scheduler.kubeconfig
设置默认上下文

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config \
use-context system:kube-scheduler \
--kubeconfig=kube-scheduler.kubeconfig
配置 scheduler 为 systemctl 管理
vim /approot1/k8s/tmp/service/kube-scheduler.service
scheduler 参数

[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/approot1/k8s/bin/kube-scheduler \
  --authentication-kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \
  --authorization-kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \
  --bind-address=0.0.0.0 \
  --kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \
  --leader-elect=true \
  --v=2
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
分发证书以及创建相关路径
如果是多节点，只需要在192.168.91.19后面加上对应的ip即可，以空格为分隔，注意将192.168.91.19修改为自己的ip，切莫一股脑复制

对应的目录也要确保和自己规划的一致，如果和我的有不同，注意修改，否则服务会启动失败

for i in 192.168.91.19;do \
ssh $i "mkdir -p /etc/kubernetes/ssl"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
scp /approot1/k8s/tmp/ssl/{ca*.pem,kube-scheduler.kubeconfig} $i:/etc/kubernetes/; \
scp /approot1/k8s/tmp/service/kube-scheduler.service $i:/etc/systemd/system/; \
scp /approot1/k8s/pkg/kubernetes/bin/kube-scheduler $i:/approot1/k8s/bin/; \
done
启动 scheduler 服务
如果是多节点，只需要在192.168.91.19后面加上对应的ip即可，以空格为分隔，注意将192.168.91.19修改为自己的ip，切莫一股脑复制

for i in 192.168.91.19;do \
ssh $i "systemctl daemon-reload"; \
ssh $i "systemctl enable kube-scheduler"; \
ssh $i "systemctl restart kube-scheduler --no-block"; \
ssh $i "systemctl is-active kube-scheduler"; \
done
返回 activating 表示 scheduler 还在启动中，可以稍等一会，然后再执行 for i in 192.168.91.19;do ssh $i "systemctl is-active kube-scheduler";done

返回active表示 scheduler 启动成功

部署 work 节点
部署 containerd 组件
下载二进制文件
github 下载 containerd 的时候，记得选择cri-containerd-cni 开头的文件，这个包里面包含了 containerd 以及 crictl 管理工具和 cni 网络插件，包括 systemd service 文件、config.toml 、 crictl.yaml 以及 cni 配置文件都是配置好的，简单修改一下就可以使用了

虽然 cri-containerd-cni 也有 runc ，但是缺少依赖，所以还是要去 runc github 重新下载一个

wget -O /approot1/k8s/pkg/containerd.tar.gz \
https://github.com/containerd/co ... -linux-amd64.tar.gz
wget -O /approot1/k8s/pkg/runc https://github.com/opencontainer ... d/v1.0.3/runc.amd64
mkdir /approot1/k8s/pkg/containerd
cd /approot1/k8s/pkg/
for i in $(ls *containerd*.tar.gz);do tar xvf $i -C /approot1/k8s/pkg/containerd && rm -f $i;done
chmod +x /approot1/k8s/pkg/runc
mv /approot1/k8s/pkg/containerd/usr/local/bin/{containerd,containerd-shim*,crictl,ctr} /approot1/k8s/pkg/containerd/
mv /approot1/k8s/pkg/containerd/opt/cni/bin/{bridge,flannel,host-local,loopback,portmap} /approot1/k8s/pkg/containerd/
rm -rf /approot1/k8s/pkg/containerd/{etc,opt,usr}
配置 containerd 为 systemctl 管理
vim /approot1/k8s/tmp/service/containerd.service
注意二进制文件存放路径

如果 runc 二进制文件不在 /usr/bin/ 目录下，需要有 Environment 参数，指定 runc 二进制文件的路径给 PATH ，否则当 k8s 启动 pod 的时候会报错 exec: "runc": executable file not found in $PATH: unknown

[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target

[Service]
Environment="PATH=$PATH:/approot1/k8s/bin"
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/approot1/k8s/bin/containerd
Restart=always
RestartSec=5
Delegate=yes
KillMode=process
OOMScoreAdjust=-999
LimitNOFILE=1048576
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity

[Install]
WantedBy=multi-user.target
配置 containerd 配置文件
vim /approot1/k8s/tmp/service/config.toml
root 容器存储路径，修改成磁盘空间充足的路径

bin_dir containerd 服务以及 cni 插件存储路径

sandbox_image pause 镜像名称以及镜像tag

disabled_plugins = []
imports = []
oom_score = 0
plugin_dir = ""
required_plugins = []
root = "/approot1/data/containerd"
state = "/run/containerd"
version = 2

[cgroup]
  path = ""

[debug]
  address = ""
  format = ""
  gid = 0
  level = ""
  uid = 0

[grpc]
  address = "/run/containerd/containerd.sock"
  gid = 0
  max_recv_message_size = 16777216
  max_send_message_size = 16777216
  tcp_address = ""
  tcp_tls_cert = ""
  tcp_tls_key = ""
  uid = 0

[metrics]
  address = ""
  grpc_histogram = false

[plugins]

  [plugins."io.containerd.gc.v1.scheduler"]
deletion_threshold = 0
mutation_threshold = 100
pause_threshold = 0.02
schedule_delay = "0s"
startup_delay = "100ms"

  [plugins."io.containerd.grpc.v1.cri"]
disable_apparmor = false
disable_cgroup = false
disable_hugetlb_controller = true
disable_proc_mount = false
disable_tcp_service = true
enable_selinux = false
enable_tls_streaming = false
ignore_image_defined_volumes = false
max_concurrent_downloads = 3
max_container_log_line_size = 16384
netns_mounts_under_state_dir = false
restrict_oom_score_adj = false
sandbox_image = "k8s.gcr.io/pause:3.6"
selinux_category_range = 1024
stats_collect_period = 10
stream_idle_timeout = "4h0m0s"
stream_server_address = "127.0.0.1"
stream_server_port = "0"
systemd_cgroup = false
tolerate_missing_hugetlb_controller = true
unset_seccomp_profile = ""

[plugins."io.containerd.grpc.v1.cri".cni]
   bin_dir = "/approot1/k8s/bin"
   conf_dir = "/etc/cni/net.d"
   conf_template = "/etc/cni/net.d/cni-default.conf"
   max_conf_num = 1

[plugins."io.containerd.grpc.v1.cri".containerd]
   default_runtime_name = "runc"
   disable_snapshot_annotations = true
   discard_unpacked_layers = false
   no_pivot = false
   snapshotter = "overlayfs"

   [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
      base_runtime_spec = ""
      container_annotations = []
      pod_annotations = []
      privileged_without_host_devices = false
      runtime_engine = ""
      runtime_root = ""
      runtime_type = ""

      [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]

   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]

      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
      base_runtime_spec = ""
      container_annotations = []
      pod_annotations = []
      privileged_without_host_devices = false
      runtime_engine = ""
      runtime_root = ""
      runtime_type = "io.containerd.runc.v2"

      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
         BinaryName = ""
         CriuImagePath = ""
         CriuPath = ""
         CriuWorkPath = ""
         IoGid = 0
         IoUid = 0
         NoNewKeyring = false
         NoPivotRoot = false
         Root = ""
         ShimCgroup = ""
         SystemdCgroup = true

   [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
      base_runtime_spec = ""
      container_annotations = []
      pod_annotations = []
      privileged_without_host_devices = false
      runtime_engine = ""
      runtime_root = ""
      runtime_type = ""

      [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options]

[plugins."io.containerd.grpc.v1.cri".image_decryption]
   key_model = "node"

[plugins."io.containerd.grpc.v1.cri".registry]
   config_path = ""

   [plugins."io.containerd.grpc.v1.cri".registry.auths]

   [plugins."io.containerd.grpc.v1.cri".registry.configs]

   [plugins."io.containerd.grpc.v1.cri".registry.headers]

   [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
      endpoint = ["https://docker.mirrors.ustc.edu.cn", "http://hub-mirror.c.163.com"]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]
      endpoint = ["https://gcr.mirrors.ustc.edu.cn"]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
      endpoint = ["https://gcr.mirrors.ustc.edu.cn/google-containers/"]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
      endpoint = ["https://quay.mirrors.ustc.edu.cn"]

[plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
   tls_cert_file = ""
   tls_key_file = ""

  [plugins."io.containerd.internal.v1.opt"]
path = "/opt/containerd"

  [plugins."io.containerd.internal.v1.restart"]
interval = "10s"

  [plugins."io.containerd.metadata.v1.bolt"]
content_sharing_policy = "shared"

  [plugins."io.containerd.monitor.v1.cgroups"]
no_prometheus = false

  [plugins."io.containerd.runtime.v1.linux"]
no_shim = false
runtime = "runc"
runtime_root = ""
shim = "containerd-shim"
shim_debug = false

  [plugins."io.containerd.runtime.v2.task"]
platforms = ["linux/amd64"]

  [plugins."io.containerd.service.v1.diff-service"]
default = ["walking"]

  [plugins."io.containerd.snapshotter.v1.aufs"]
root_path = ""

  [plugins."io.containerd.snapshotter.v1.btrfs"]
root_path = ""

  [plugins."io.containerd.snapshotter.v1.devmapper"]
async_remove = false
base_image_size = ""
pool_name = ""
root_path = ""

  [plugins."io.containerd.snapshotter.v1.native"]
root_path = ""

  [plugins."io.containerd.snapshotter.v1.overlayfs"]
root_path = ""

  [plugins."io.containerd.snapshotter.v1.zfs"]
root_path = ""

[proxy_plugins]

[stream_processors]

  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
path = "ctd-decoder"
returns = "application/vnd.oci.image.layer.v1.tar"

  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
path = "ctd-decoder"
returns = "application/vnd.oci.image.layer.v1.tar+gzip"

[timeouts]
  "io.containerd.timeout.shim.cleanup" = "5s"
  "io.containerd.timeout.shim.load" = "5s"
  "io.containerd.timeout.shim.shutdown" = "3s"
  "io.containerd.timeout.task.state" = "2s"

[ttrpc]
  address = ""
  gid = 0
  uid = 0
配置 crictl 管理工具
vim /approot1/k8s/tmp/service/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
配置 cni 网络插件
vim /approot1/k8s/tmp/service/cni-default.conf
subnet 参数要和 controller-manager 的 --cluster-cidr 参数一致

{
"name": "mynet",
"cniVersion": "0.3.1",
"type": "bridge",
"bridge": "mynet0",
"isDefaultGateway": true,
"ipMasq": true,
"hairpinMode": true,
"ipam": {
"type": "host-local",
"subnet": "172.20.0.0/16"
}
}
分发配置文件以及创建相关路径
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "mkdir -p /etc/containerd"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
ssh $i "mkdir -p /etc/cni/net.d"; \
scp /approot1/k8s/tmp/service/containerd.service $i:/etc/systemd/system/; \
scp /approot1/k8s/tmp/service/config.toml $i:/etc/containerd/; \
scp /approot1/k8s/tmp/service/cni-default.conf $i:/etc/cni/net.d/; \
scp /approot1/k8s/tmp/service/crictl.yaml $i:/etc/; \
scp /approot1/k8s/pkg/containerd/* $i:/approot1/k8s/bin/; \
scp /approot1/k8s/pkg/runc $i:/approot1/k8s/bin/; \
done
启动 containerd 服务
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "systemctl daemon-reload"; \
ssh $i "systemctl enable containerd"; \
ssh $i "systemctl restart containerd --no-block"; \
ssh $i "systemctl is-active containerd"; \
done
返回 activating 表示 containerd 还在启动中，可以稍等一会，然后再执行 for i in 192.168.91.19 192.168.91.20;do ssh $i "systemctl is-active containerd";done

返回active表示 containerd 启动成功

导入 pause 镜像
ctr 导入镜像有一个特殊的地方，如果导入的镜像想要 k8s 可以使用，需要加上 -n k8s.io 参数，而且必须是ctr -n k8s.io image import <xxx.tar> 这样的格式，如果是 ctr image import <xxx.tar> -n k8s.io 就会报错 ctr: flag provided but not defined: -n 这个操作确实有点骚气，不太适应

如果镜像导入的时候没有加上 -n k8s.io ，启动 pod 的时候 kubelet 会重新去拉取 pause 容器，如果配置的镜像仓库没有这个 tag 的镜像就会报错

for i in 192.168.91.19 192.168.91.20;do \
scp /approot1/k8s/images/pause-v3.6.tar $i:/tmp/
ssh $i "ctr -n=k8s.io image import /tmp/pause-v3.6.tar && rm -f /tmp/pause-v3.6.tar"; \
done
查看镜像

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "ctr -n=k8s.io image list | grep pause"; \
done
部署 kubelet 组件
创建 kubelet 证书
vim /approot1/k8s/tmp/ssl/kubelet-csr.json.192.168.91.19
这里的192.168.91.19需要改成自己的ip，不要一股脑的复制黏贴，有多少个node节点就创建多少个json文件，json文件内的 ip 也要修改为 work 节点的 ip，别重复了

{
"CN": "system:node:192.168.91.19",
"key": {
      "algo": "rsa",
      "size": 2048
},
"hosts": [
   "127.0.0.1",
   "192.168.91.19"
],
"names": [
   {
      "C": "CN",
      "ST": "ShangHai",
      "L": "ShangHai",
      "O": "system:nodes",
      "OU": "System"
   }
]
}
for i in 192.168.91.19 192.168.91.20;do \
cd /approot1/k8s/tmp/ssl/; \
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes kubelet-csr.json.$i | cfssljson -bare kubelet.$i; \
done
创建 kubeconfig 证书
设置集群参数

--server 为 apiserver 的访问地址，修改成自己的 ip 地址和 service 文件里面指定的 --secure-port 参数的端口，切记，一定要带上https:// 协议，否则生成的证书，kubectl 命令访问不到 apiserver

for i in 192.168.91.19 192.168.91.20;do \
cd /approot1/k8s/tmp/ssl/; \
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://192.168.91.19:6443 \
--kubeconfig=kubelet.kubeconfig.$i; \
done
设置客户端认证参数

for i in 192.168.91.19 192.168.91.20;do \
cd /approot1/k8s/tmp/ssl/; \
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-credentials system:node:$i \
--client-certificate=kubelet.$i.pem \
--client-key=kubelet.$i-key.pem \
--embed-certs=true \
--kubeconfig=kubelet.kubeconfig.$i; \
done
设置上下文参数

for i in 192.168.91.19 192.168.91.20;do \
cd /approot1/k8s/tmp/ssl/; \
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-context default \
--cluster=kubernetes \
--user=system:node:$i \
--kubeconfig=kubelet.kubeconfig.$i; \
done
设置默认上下文

for i in 192.168.91.19 192.168.91.20;do \
cd /approot1/k8s/tmp/ssl/; \
/approot1/k8s/pkg/kubernetes/bin/kubectl config \
use-context default \
--kubeconfig=kubelet.kubeconfig.$i; \
done
配置 kubelet 配置文件
vim /approot1/k8s/tmp/service/config.yaml
clusterDNS 参数的 ip 注意修改，和 apiserver 的 --service-cluster-ip-range 参数一个网段，和 k8s 服务 ip 要不一样，一般 k8s 服务的 ip 取网段第一个ip， clusterdns 选网段的第二个ip

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
authentication:
  anonymous:
enabled: false
  webhook:
cacheTTL: 2m0s
enabled: true
  x509:
clientCAFile: /etc/kubernetes/ssl/ca.pem
authorization:
  mode: Webhook
  webhook:
cacheAuthorizedTTL: 5m0s
cacheUnauthorizedTTL: 30s
cgroupDriver: systemd
cgroupsPerQOS: true
clusterDNS:
- 10.88.0.2
clusterDomain: cluster.local
configMapAndSecretChangeDetectionStrategy: Watch
containerLogMaxFiles: 3
containerLogMaxSize: 10Mi
enforceNodeAllocatable:
- pods
eventBurst: 10
eventRecordQPS: 5
evictionHard:
  imagefs.available: 15%
  memory.available: 300Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
evictionPressureTransitionPeriod: 5m0s
failSwapOn: true
fileCheckFrequency: 40s
hairpinMode: hairpin-veth
healthzBindAddress: 0.0.0.0
healthzPort: 10248
httpCheckFrequency: 40s
imageGCHighThresholdPercent: 85
imageGCLowThresholdPercent: 80
imageMinimumGCAge: 2m0s
kubeAPIBurst: 100
kubeAPIQPS: 50
makeIPTablesUtilChains: true
maxOpenFiles: 1000000
maxPods: 110
nodeLeaseDurationSeconds: 40
nodeStatusReportFrequency: 1m0s
nodeStatusUpdateFrequency: 10s
oomScoreAdj: -999
podPidsLimit: -1
port: 10250
# disable readOnlyPort
readOnlyPort: 0
resolvConf: /etc/resolv.conf
runtimeRequestTimeout: 2m0s
serializeImagePulls: true
streamingConnectionIdleTimeout: 4h0m0s
syncFrequency: 1m0s
tlsCertFile: /etc/kubernetes/ssl/kubelet.pem
tlsPrivateKeyFile: /etc/kubernetes/ssl/kubelet-key.pem
配置 kubelet 为 systemctl 管理
vim /approot1/k8s/tmp/service/kubelet.service.192.168.91.19
这里的192.168.91.19需要改成自己的ip，不要一股脑的复制黏贴，有多少个node节点就创建多少个service文件，service 文件内的 ip 也要修改为 work 节点的 ip，别重复了

--container-runtime 参数默认是 docker ，如果使用 docker 以外的，需要配置为 remote ，并且要配置 --container-runtime-endpoint 参数来指定 sock 文件的路径

kubelet 参数

[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
WorkingDirectory=/approot1/k8s/data/kubelet
ExecStart=/approot1/k8s/bin/kubelet \
  --config=/approot1/k8s/data/kubelet/config.yaml \
  --cni-bin-dir=/approot1/k8s/bin \
  --cni-conf-dir=/etc/cni/net.d \
  --container-runtime=remote \
  --container-runtime-endpoint=unix:///run/containerd/containerd.sock \
  --hostname-override=192.168.91.19 \
  --image-pull-progress-deadline=5m \
  --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
  --network-plugin=cni \
  --pod-infra-container-image=k8s.gcr.io/pause:3.6 \
  --root-dir=/approot1/k8s/data/kubelet \
  --v=2
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
分发证书以及创建相关路径
如果是多节点，只需要在192.168.91.19后面加上对应的ip即可，以空格为分隔，注意将192.168.91.19修改为自己的ip，切莫一股脑复制

对应的目录也要确保和自己规划的一致，如果和我的有不同，注意修改，否则服务会启动失败

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "mkdir -p /approot1/k8s/data/kubelet"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
ssh $i "mkdir -p /etc/kubernetes/ssl"; \
scp /approot1/k8s/tmp/ssl/ca*.pem $i:/etc/kubernetes/ssl/; \
scp /approot1/k8s/tmp/ssl/kubelet.$i.pem $i:/etc/kubernetes/ssl/kubelet.pem; \
scp /approot1/k8s/tmp/ssl/kubelet.$i-key.pem $i:/etc/kubernetes/ssl/kubelet-key.pem; \
scp /approot1/k8s/tmp/ssl/kubelet.kubeconfig.$i $i:/etc/kubernetes/kubelet.kubeconfig; \
scp /approot1/k8s/tmp/service/kubelet.service.$i $i:/etc/systemd/system/kubelet.service; \
scp /approot1/k8s/tmp/service/config.yaml $i:/approot1/k8s/data/kubelet/; \
scp /approot1/k8s/pkg/kubernetes/bin/kubelet $i:/approot1/k8s/bin/; \
done
启动 kubelet 服务
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "systemctl daemon-reload"; \
ssh $i "systemctl enable kubelet"; \
ssh $i "systemctl restart kubelet --no-block"; \
ssh $i "systemctl is-active kubelet"; \
done
返回 activating 表示 kubelet 还在启动中，可以稍等一会，然后再执行 for i in 192.168.91.19 192.168.91.20;do ssh $i "systemctl is-active kubelet";done

返回active表示 kubelet 启动成功

查看节点是否 Ready
kubectl get node
预期出现类似如下输出，STATUS 字段为 Ready 表示节点正常

NAME          STATUS ROLES AGE VERSION
192.168.91.19 Ready <none> 20m v1.23.3
192.168.91.20 Ready <none> 20m v1.23.3
部署 proxy 组件
创建 proxy 证书
vim /approot1/k8s/tmp/ssl/kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"key": {
      "algo": "rsa",
      "size": 2048
},
"hosts": [],
"names": [
   {
      "C": "CN",
      "ST": "ShangHai",
      "L": "ShangHai",
      "O": "system:kube-proxy",
      "OU": "System"
   }
]
}
cd /approot1/k8s/tmp/ssl/; \
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
创建 kubeconfig 证书
设置集群参数

--server 为 apiserver 的访问地址，修改成自己的 ip 地址和 service 文件里面指定的 --secure-port 参数的端口，切记，一定要带上https:// 协议，否则生成的证书，kubectl 命令访问不到 apiserver

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://192.168.91.19:6443 \
--kubeconfig=kube-proxy.kubeconfig
设置客户端认证参数

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-credentials kube-proxy \
--client-certificate=kube-proxy.pem \
--client-key=kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
设置上下文参数

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
设置默认上下文

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config \
use-context default \
--kubeconfig=kube-proxy.kubeconfig
配置 kube-proxy 配置文件
vim /approot1/k8s/tmp/service/kube-proxy-config.yaml.192.168.91.19
这里的192.168.91.19需要改成自己的ip，不要一股脑的复制黏贴，有多少个node节点就创建多少个service文件，service 文件内的 ip 也要修改为 work 节点的 ip，别重复了

clusterCIDR 参数要和 controller-manager 的 --cluster-cidr 参数一致

hostnameOverride 要和 kubelet 的 --hostname-override 参数一致，否则会出现 node not found 的报错

kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
clientConnection:
  kubeconfig: "/etc/kubernetes/kube-proxy.kubeconfig"
clusterCIDR: "172.20.0.0/16"
conntrack:
  maxPerCore: 32768
  min: 131072
  tcpCloseWaitTimeout: 1h0m0s
  tcpEstablishedTimeout: 24h0m0s
healthzBindAddress: 0.0.0.0:10256
hostnameOverride: "192.168.91.19"
metricsBindAddress: 0.0.0.0:10249
mode: "ipvs"
配置 proxy 为 systemctl 管理
vim /approot1/k8s/tmp/service/kube-proxy.service
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
# kube-proxy 根据 --cluster-cidr 判断集群内部和外部流量
## 指定 --cluster-cidr 或 --masquerade-all 选项后
## kube-proxy 会对访问 Service IP 的请求做 SNAT
WorkingDirectory=/approot1/k8s/data/kube-proxy
ExecStart=/approot1/k8s/bin/kube-proxy \
  --config=/approot1/k8s/data/kube-proxy/kube-proxy-config.yaml
Restart=always
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
分发证书以及创建相关路径
如果是多节点，只需要在192.168.91.19后面加上对应的ip即可，以空格为分隔，注意将192.168.91.19修改为自己的ip，切莫一股脑复制

对应的目录也要确保和自己规划的一致，如果和我的有不同，注意修改，否则服务会启动失败

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "mkdir -p /approot1/k8s/data//kube-proxy"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
ssh $i "mkdir -p /etc/kubernetes/ssl"; \
scp /approot1/k8s/tmp/ssl/kube-proxy.kubeconfig $i:/etc/kubernetes/; \
scp /approot1/k8s/tmp/service/kube-proxy.service $i:/etc/systemd/system/; \
scp /approot1/k8s/tmp/service/kube-proxy-config.yaml.$i $i:/approot1/k8s/data/kube-proxy/kube-proxy-config.yaml; \
scp /approot1/k8s/pkg/kubernetes/bin/kube-proxy $i:/approot1/k8s/bin/; \
done
启动 kube-proxy 服务
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "systemctl daemon-reload"; \
ssh $i "systemctl enable kube-proxy"; \
ssh $i "systemctl restart kube-proxy --no-block"; \
ssh $i "systemctl is-active kube-proxy"; \
done
返回 activating 表示 kubelet 还在启动中，可以稍等一会，然后再执行 for i in 192.168.91.19 192.168.91.20;do ssh $i "systemctl is-active kubelet";done

返回active表示 kubelet 启动成功

部署 flannel 组件
flannel github

配置 flannel yaml 文件
vim /approot1/k8s/tmp/service/flannel.yaml
net-conf.json 内的 Network 参数需要和 controller-manager 的 --cluster-cidr 参数一致

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp.flannel.unprivileged
  annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  volumes:
  - configMap
  - secret
  - emptyDir
  - hostPath
  allowedHostPaths:
  - pathPrefix: "/etc/cni/net.d"
  - pathPrefix: "/etc/kube-flannel"
  - pathPrefix: "/run/flannel"
  readOnlyRootFilesystem: false
  # Users and groups
  runAsUser:
rule: RunAsAny
  supplementalGroups:
rule: RunAsAny
  fsGroup:
rule: RunAsAny
  # Privilege Escalation
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  # Capabilities
  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
  defaultAddCapabilities: []
  requiredDropCapabilities: []
  # Host namespaces
  hostPID: false
  hostIPC: false
  hostNetwork: true
  hostPorts:
  - min: 0
max: 65535
  # SELinux
  seLinux:
# SELinux is unused in CaaSP
rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['psp.flannel.unprivileged']
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: flannel
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flannel
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
tier: node
app: flannel
data:
  cni-conf.json: |
{
   "name": "cbr0",
   "cniVersion": "0.3.1",
   "plugins": [
      {
      "type": "flannel",
      "delegate": {
         "hairpinMode": true,
         "isDefaultGateway": true
      }
      },
      {
      "type": "portmap",
      "capabilities": {
         "portMappings": true
      }
      }
   ]
}
  net-conf.json: |
{
   "Network": "172.20.0.0/16",
   "Backend": {
      "Type": "vxlan"
   }
}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: kube-system
  labels:
tier: node
app: flannel
spec:
  selector:
matchLabels:
   app: flannel
  template:
metadata:
   labels:
      tier: node
      app: flannel
spec:
   affinity:
      nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
         nodeSelectorTerms:
         - matchExpressions:
            - key: kubernetes.io/os
            operator: In
            values:
            - linux
   hostNetwork: true
   priorityClassName: system-node-critical
   tolerations:
   - operator: Exists
      effect: NoSchedule
   serviceAccountName: flannel
   initContainers:
   - name: install-cni
      image: quay.io/coreos/flannel:v0.15.1
      command:
      - cp
      args:
      - -f
      - /etc/kube-flannel/cni-conf.json
      - /etc/cni/net.d/10-flannel.conflist
      volumeMounts:
      - name: cni
      mountPath: /etc/cni/net.d
      - name: flannel-cfg
      mountPath: /etc/kube-flannel/
   containers:
   - name: kube-flannel
      image: quay.io/coreos/flannel:v0.15.1
      command:
      - /opt/bin/flanneld
      args:
      - --ip-masq
      - --kube-subnet-mgr
      resources:
      requests:
         cpu: "100m"
         memory: "50Mi"
      limits:
         cpu: "100m"
         memory: "50Mi"
      securityContext:
      privileged: false
      capabilities:
         add: ["NET_ADMIN", "NET_RAW"]
      env:
      - name: POD_NAME
      valueFrom:
         fieldRef:
            fieldPath: metadata.name
      - name: POD_NAMESPACE
      valueFrom:
         fieldRef:
            fieldPath: metadata.namespace
      volumeMounts:
      - name: run
      mountPath: /run/flannel
      - name: flannel-cfg
      mountPath: /etc/kube-flannel/
   volumes:
   - name: run
      hostPath:
      path: /run/flannel
   - name: cni
      hostPath:
      path: /etc/cni/net.d
   - name: flannel-cfg
      configMap:
      name: kube-flannel-cfg
配置 flannel cni 网卡配置文件
vim /approot1/k8s/tmp/service/10-flannel.conflist
{
  "name": "cbr0",
  "cniVersion": "0.3.1",
  "plugins": [
{
   "type": "flannel",
   "delegate": {
      "hairpinMode": true,
      "isDefaultGateway": true
   }
},
{
   "type": "portmap",
   "capabilities": {
      "portMappings": true
   }
}
  ]
}
导入 flannel 镜像
for i in 192.168.91.19 192.168.91.20;do \
scp /approot1/k8s/images/flannel-v0.15.1.tar $i:/tmp/
ssh $i "ctr -n=k8s.io image import /tmp/flannel-v0.15.1.tar && rm -f /tmp/flannel-v0.15.1.tar"; \
done
查看镜像

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "ctr -n=k8s.io image list | grep flannel"; \
done
分发 flannel cni 网卡配置文件
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "rm -f /etc/cni/net.d/10-default.conf"; \
scp /approot1/k8s/tmp/service/10-flannel.conflist $i:/etc/cni/net.d/; \
done
分发完 flannel cni 网卡配置文件后，节点会出现暂时的 NotReady 状态，需要等到节点都变回 Ready 状态后，再运行 flannel 组件

在 k8s 中运行 flannel 组件
kubectl apply -f /approot1/k8s/tmp/service/flannel.yaml
检查 flannel pod 是否运行成功
kubectl get pod -n kube-system | grep flannel
预期输出类似如下结果

flannel 属于 DaemonSet ，属于和节点共存亡类型的 pod ，k8s 有多少 node ，flannel 就有多少 pod ，当 node 被删除的时候， flannel pod 也会随之删除

kube-flannel-ds-86rrv 1/1    Running    0       8m54s
kube-flannel-ds-bkgzx 1/1    Running    0       8m53s
suse 12 发行版会出现 Init:CreateContainerError 的情况，此时需要 kubectl describe pod -n kube-system <flannel_pod_name> 查看报错原因，Error: failed to create containerd container: get apparmor_parser version: exec: "apparmor_parser": executable file not found in $PATH 出现这个报错，只需要使用 which apparmor_parser 找到 apparmor_parser 所在路径，然后做一个软连接到 kubelet 命令所在目录即可，然后重启 pod ，注意，所有 flannel 所在节点都需要执行这个软连接操作

部署 coredns 组件
配置 coredns yaml 文件
vim /approot1/k8s/tmp/service/coredns.yaml
clusterIP 参数要和 kubelet 配置文件的 clusterDNS 参数一致

apiVersion: v1
kind: ServiceAccount
metadata:
  name: coredns
  namespace: kube-system
  labels:
   kubernetes.io/cluster-service: "true"
   addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
kubernetes.io/bootstrapping: rbac-defaults
addonmanager.kubernetes.io/mode: Reconcile
  name: system:coredns
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  - services
  - pods
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
kubernetes.io/bootstrapping: rbac-defaults
addonmanager.kubernetes.io/mode: EnsureExists
  name: system:coredns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:coredns
subjects:
- kind: ServiceAccount
  name: coredns
  namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
  labels:
   addonmanager.kubernetes.io/mode: EnsureExists
data:
  Corefile: |
.:53 {
      errors
      health {
         lameduck 5s
      }
      ready
      kubernetes cluster.local in-addr.arpa ip6.arpa {
         pods insecure
         fallthrough in-addr.arpa ip6.arpa
         ttl 30
      }
      prometheus :9153
      forward . /etc/resolv.conf {
         max_concurrent 1000
      }
      cache 30
      reload
      loadbalance
}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
  labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/name: "CoreDNS"
spec:
  replicas: 1
  strategy:
type: RollingUpdate
rollingUpdate:
   maxUnavailable: 1
  selector:
matchLabels:
   k8s-app: kube-dns
  template:
metadata:
   labels:
      k8s-app: kube-dns
spec:
   securityContext:
      seccompProfile:
      type: RuntimeDefault
   priorityClassName: system-cluster-critical
   serviceAccountName: coredns
   affinity:
      podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
         podAffinityTerm:
            labelSelector:
            matchExpressions:
               - key: k8s-app
                  operator: In
                  values: ["kube-dns"]
            topologyKey: kubernetes.io/hostname
   tolerations:
      - key: "CriticalAddonsOnly"
      operator: "Exists"
   nodeSelector:
      kubernetes.io/os: linux
   containers:
   - name: coredns
      image: docker.io/coredns/coredns:1.8.6
      imagePullPolicy: IfNotPresent
      resources:
      limits:
         memory: 300Mi
      requests:
         cpu: 100m
         memory: 70Mi
      args: [ "-conf", "/etc/coredns/Corefile" ]
      volumeMounts:
      - name: config-volume
      mountPath: /etc/coredns
      readOnly: true
      ports:
      - containerPort: 53
      name: dns
      protocol: UDP
      - containerPort: 53
      name: dns-tcp
      protocol: TCP
      - containerPort: 9153
      name: metrics
      protocol: TCP
      livenessProbe:
      httpGet:
         path: /health
         port: 8080
         scheme: HTTP
      initialDelaySeconds: 60
      timeoutSeconds: 5
      successThreshold: 1
      failureThreshold: 5
      readinessProbe:
      httpGet:
         path: /ready
         port: 8181
         scheme: HTTP
      securityContext:
      allowPrivilegeEscalation: false
      capabilities:
         add:
         - NET_BIND_SERVICE
         drop:
         - all
      readOnlyRootFilesystem: true
   dnsPolicy: Default
   volumes:
      - name: config-volume
      configMap:
         name: coredns
         items:
         - key: Corefile
            path: Corefile
---
apiVersion: v1
kind: Service
metadata:
  name: kube-dns
  namespace: kube-system
  annotations:
prometheus.io/port: "9153"
prometheus.io/scrape: "true"
  labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/name: "CoreDNS"
spec:
  selector:
k8s-app: kube-dns
  clusterIP: 10.88.0.2
  ports:
  - name: dns
port: 53
protocol: UDP
  - name: dns-tcp
port: 53
protocol: TCP
  - name: metrics
port: 9153
protocol: TCP
导入 coredns 镜像
for i in 192.168.91.19 192.168.91.20;do \
scp /approot1/k8s/images/coredns-v1.8.6.tar $i:/tmp/
ssh $i "ctr -n=k8s.io image import /tmp/coredns-v1.8.6.tar && rm -f /tmp/coredns-v1.8.6.tar"; \
done
查看镜像

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "ctr -n=k8s.io image list | grep coredns"; \
done
在 k8s 中运行 coredns 组件
kubectl apply -f /approot1/k8s/tmp/service/coredns.yaml
检查 coredns pod 是否运行成功
kubectl get pod -n kube-system | grep coredns
预期输出类似如下结果

因为 coredns yaml 文件内的 replicas 参数是 1 ，因此这里只有一个 pod ，如果改成 2 ，就会出现两个 pod

coredns-5fd74ff788-cddqf 1/1    Running    0       10s
部署 metrics-server 组件
配置 metrics-server yaml 文件
vim /approot1/k8s/tmp/service/metrics-server.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
k8s-app: metrics-server
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: system:aggregated-metrics-reader
rules:
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
k8s-app: metrics-server
  name: system:metrics-server
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - nodes/stats
  - namespaces
  - configmaps
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
k8s-app: metrics-server
  name: metrics-server-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
k8s-app: metrics-server
  name: metrics-server:system:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
k8s-app: metrics-server
  name: system:metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:metrics-server
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  ports:
  - name: https
port: 443
protocol: TCP
targetPort: https
  selector:
k8s-app: metrics-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  selector:
matchLabels:
   k8s-app: metrics-server
  strategy:
rollingUpdate:
   maxUnavailable: 0
  template:
metadata:
   labels:
      k8s-app: metrics-server
spec:
   containers:
   - args:
      - --cert-dir=/tmp
      - --secure-port=4443
      - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
      - --kubelet-insecure-tls
      - --kubelet-use-node-status-port
      - --metric-resolution=15s
      image: k8s.gcr.io/metrics-server/metrics-server:v0.5.2
      imagePullPolicy: IfNotPresent
      livenessProbe:
      failureThreshold: 3
      httpGet:
         path: /livez
         port: https
         scheme: HTTPS
      periodSeconds: 10
      name: metrics-server
      ports:
      - containerPort: 4443
      name: https
      protocol: TCP
      readinessProbe:
      failureThreshold: 3
      httpGet:
         path: /readyz
         port: https
         scheme: HTTPS
      initialDelaySeconds: 20
      periodSeconds: 10
      resources:
      requests:
         cpu: 100m
         memory: 200Mi
      securityContext:
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1000
      volumeMounts:
      - mountPath: /tmp
      name: tmp-dir
   nodeSelector:
      kubernetes.io/os: linux
   priorityClassName: system-cluster-critical
   serviceAccountName: metrics-server
   volumes:
   - emptyDir: {}
      name: tmp-dir
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
k8s-app: metrics-server
  name: v1beta1.metrics.k8s.io
spec:
  group: metrics.k8s.io
  groupPriorityMinimum: 100
  insecureSkipTLSVerify: true
  service:
name: metrics-server
namespace: kube-system
  version: v1beta1
  versionPriority: 100
导入 metrics-server 镜像
for i in 192.168.91.19 192.168.91.20;do \
scp /approot1/k8s/images/metrics-server-v0.5.2.tar $i:/tmp/
ssh $i "ctr -n=k8s.io image import /tmp/metrics-server-v0.5.2.tar && rm -f /tmp/metrics-server-v0.5.2.tar"; \
done
查看镜像

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "ctr -n=k8s.io image list | grep metrics-server"; \
done
在 k8s 中运行 metrics-server 组件
kubectl apply -f /approot1/k8s/tmp/service/metrics-server.yaml
检查 metrics-server pod 是否运行成功
kubectl get pod -n kube-system | grep metrics-server
预期输出类似如下结果

metrics-server-6c95598969-qnc76 1/1    Running    0       71s
验证 metrics-server 功能

查看节点资源使用情况

kubectl top node
预期输出类似如下结果

metrics-server 启动会偏慢，速度取决于机器配置，如果输出 is not yet 或者 is not ready 就等一会再执行一次 kubectl top node

NAME          CPU(cores) CPU% MEMORY(bytes) MEMORY%
192.168.91.19 285m       4%    2513Mi       32%
192.168.91.20 71m       3%    792Mi          21%
查看指定 namespace 的 pod 资源使用情况

kubectl top pod -n kube-system
预期输出类似如下结果

NAME                            CPU(cores) MEMORY(bytes)
coredns-5fd74ff788-cddqf       11m       18Mi
kube-flannel-ds-86rrv          4m          18Mi
kube-flannel-ds-bkgzx          6m          22Mi
kube-flannel-ds-v25xc          6m          22Mi
metrics-server-6c95598969-qnc76 6m          22Mi
部署 dashboard 组件
配置 dashboard yaml 文件
vim /approot1/k8s/tmp/service/dashboard.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-read-user
  namespace: kube-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-read-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-read-clusterrole
subjects:
- kind: ServiceAccount
  name: dashboard-read-user
  namespace: kube-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-read-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - persistentvolumes
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch

---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
kind: Service
apiVersion: v1
metadata:
  labels:
k8s-app: kubernetes-dashboard
kubernetes.io/cluster-service: "true"
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
- port: 443
   targetPort: 8443
  selector:
k8s-app: kubernetes-dashboard
  type: NodePort

---
apiVersion: v1
kind: Secret
metadata:
  labels:
k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
apiVersion: v1
kind: Secret
metadata:
  labels:
k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kube-system
type: Opaque
data:
  csrf: ""

---
apiVersion: v1
kind: Secret
metadata:
  labels:
k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kube-system
type: Opaque

---
kind: ConfigMap
apiVersion: v1
metadata:
  labels:
k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kube-system

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics.
  - apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster", "dashboard-metrics-scraper"]
verbs: ["proxy"]
  - apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
verbs: ["get"]

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
resources: ["pods", "nodes"]
verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system

---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
matchLabels:
   k8s-app: kubernetes-dashboard
  template:
metadata:
   labels:
      k8s-app: kubernetes-dashboard
spec:
   containers:
      - name: kubernetes-dashboard
      image: kubernetesui/dashboard:v2.4.0
      imagePullPolicy: IfNotPresent
      ports:
         - containerPort: 8443
            protocol: TCP
      args:
         - --auto-generate-certificates
         - --namespace=kube-system
         - --token-ttl=1800
         - --sidecar-host=http://dashboard-metrics-scraper:8000
         # Uncomment the following line to manually specify Kubernetes API server Host
         # If not specified, Dashboard will attempt to auto discover the API server and connect
         # to it. Uncomment only if the default does not work.
         # - --apiserver-host=http://my-address:port
      volumeMounts:
         - name: kubernetes-dashboard-certs
            mountPath: /certs
            # Create on-disk volume to store exec logs
         - mountPath: /tmp
            name: tmp-volume
      livenessProbe:
         httpGet:
            scheme: HTTPS
            path: /
            port: 8443
         initialDelaySeconds: 30
         timeoutSeconds: 30
      securityContext:
         allowPrivilegeEscalation: false
         readOnlyRootFilesystem: true
         runAsUser: 1001
         runAsGroup: 2001
   volumes:
      - name: kubernetes-dashboard-certs
      secret:
         secretName: kubernetes-dashboard-certs
      - name: tmp-volume
      emptyDir: {}
   serviceAccountName: kubernetes-dashboard
   nodeSelector:
      "kubernetes.io/os": linux
   # Comment the following tolerations if Dashboard must not be deployed on master
   tolerations:
      - key: node-role.kubernetes.io/master
      effect: NoSchedule

---
kind: Service
apiVersion: v1
metadata:
  labels:
k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kube-system
spec:
  ports:
- port: 8000
   targetPort: 8000
  selector:
k8s-app: dashboard-metrics-scraper

---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
matchLabels:
   k8s-app: dashboard-metrics-scraper
  template:
metadata:
   labels:
      k8s-app: dashboard-metrics-scraper
spec:
   securityContext:
      seccompProfile:
      type: RuntimeDefault
   containers:
      - name: dashboard-metrics-scraper
      image: kubernetesui/metrics-scraper:v1.0.7
      imagePullPolicy: IfNotPresent
      ports:
         - containerPort: 8000
            protocol: TCP
      livenessProbe:
         httpGet:
            scheme: HTTP
            path: /
            port: 8000
         initialDelaySeconds: 30
         timeoutSeconds: 30
      volumeMounts:
      - mountPath: /tmp
         name: tmp-volume
      securityContext:
         allowPrivilegeEscalation: false
         readOnlyRootFilesystem: true
         runAsUser: 1001
         runAsGroup: 2001
   serviceAccountName: kubernetes-dashboard
   nodeSelector:
      "kubernetes.io/os": linux
   # Comment the following tolerations if Dashboard must not be deployed on master
   tolerations:
      - key: node-role.kubernetes.io/master
      effect: NoSchedule
   volumes:
      - name: tmp-volume
      emptyDir: {}
导入 dashboard 镜像
for i in 192.168.91.19 192.168.91.20;do \
scp /approot1/k8s/images/dashboard-*.tar $i:/tmp/
ssh $i "ctr -n=k8s.io image import /tmp/dashboard-v2.4.0.tar && rm -f /tmp/dashboard-v2.4.0.tar"; \
ssh $i "ctr -n=k8s.io image import /tmp/dashboard-metrics-scraper-v1.0.7.tar && rm -f /tmp/dashboard-metrics-scraper-v1.0.7.tar"; \
done
查看镜像

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "ctr -n=k8s.io image list | egrep 'dashboard|metrics-scraper'"; \
done
在 k8s 中运行 dashboard 组件
kubectl apply -f /approot1/k8s/tmp/service/dashboard.yaml
检查 dashboard pod 是否运行成功
kubectl get pod -n kube-system | grep dashboard
预期输出类似如下结果

dashboard-metrics-scraper-799d786dbf-v28pm 1/1    Running    0       2m55s
kubernetes-dashboard-9f8c8b989-rhb7z       1/1    Running    0       2m55s
查看 dashboard 访问端口
在 service 当中没有指定 dashboard 的访问端口，所以需要自己获取，也可以修改 yaml 文件指定访问端口

预期输出类似如下结果

我这边是将 30210 端口映射给 pod 的 443 端口

kubernetes-dashboard       NodePort 10.88.127.68 <none>       443:30210/TCP          5m30s
根据得到的端口访问 dashboard 页面，例如： https://192.168.91.19:30210

查看 dashboard 登录 token
获取 token 文件名称

kubectl get secrets -n kube-system | grep admin
预期输出类似如下结果

admin-user-token-zvrst                         kubernetes.io/service-account-token 3    9m2s
获取 token 内容

kubectl get secrets -n kube-system admin-user-token-zvrst -o jsonpath={.data.token}|base64 -d
预期输出类似如下结果

eyJhbGciOiJSUzI1NiIsImtpZCI6InA4M1lhZVgwNkJtekhUd3Vqdm9vTE1ma1JYQ1ZuZ3c3ZE1WZmJhUXR4bUUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXp2cnN0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJhYTE3NTg1ZC1hM2JiLTQ0YWYtOWNhZS0yNjQ5YzA0YThmZWYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.K2o9p5St9tvIbXk7mCQCwsZQV11zICwN-JXhRv1hAnc9KFcAcDOiO4NxIeicvC2H9tHQBIJsREowVwY3yGWHj_MQa57EdBNWMrN1hJ5u-XzpzJ6JbQxns8ZBrCpIR8Fxt468rpTyMyqsO2UBo-oXQ0_ZXKss6X6jjxtGLCQFkz1ZfFTQW3n49L4ENzW40sSj4dnaX-PsmosVOpsKRHa8TPndusAT-58aujcqt31Z77C4M13X_vAdjyDLK9r5ZXwV2ryOdONwJye_VtXXrExBt9FWYtLGCQjKn41pwXqEfidT8cY6xbA7XgUVTr9miAmZ-jf1UeEw-nm8FOw9Bb5v6A

到此，基于 containerd 二进制部署 k8s v1.23.3 就结束了

admin · 发表于 2025-1-1 20:38:40

生产环境关键性配置
修改Docker配置
Docker配置采用containerd作为Runtime无需配置
vim /etc/docker/daemon.json
{  "registry-mirrors": [
"https://registry.docker-cn.com",
"http://hub-mirror.c.163.com",
"https://docker.mirrors.ustc.edu.cn"
  ],
"exec-opts": ["native.cgroupdriver=systemd"],
"max-concurrent-downloads": 10, # 并发下载的线程数
"max-concurrent-uploads": 5, # 并发上传的线程数
"log-opts": {
"max-size": "300m", # 限制日志文件大小，到此大小进行分割
"max-file": "2"       # 限制保存的日志数量，按实际情况修改
},
"live-restore": true # 重启docker进程不重启docker应用
}
修改证书有效期
通过Bootstrapping申请controller-manager颁发的证书，默认有效期为一年，在内部环境可以设置更长

vim /usr/lib/systemd/system/kube-controller-manager.service

# 设置证书有效期，因为证书最长的有效期应该是五年，设置再多可能也是五年，kubelet会在快过期的时候重新进行申请
--cluster-signing-duration=876000h0m0s \

# 在自动申请证书的时候进行自动颁发一个，在新版本中已经默认为true，所以不需要进行配置
# --feature-gates=RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true \
修改kubelet配置文件
vim /etc/systemd/system/kubelet.service.d/10-kubelet.conf
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
Environment="KUBELET_SYSTEM_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin --container-runtime=remote --runtime-request-timeout=15m --container-runtime-endpoint=unix:///run/containerd/containerd.sock --cgroup-driver=systemd"
Environment="KUBELET_CONFIG_ARGS=--config=/etc/kubernetes/kubelet-conf.yml"
Environment="KUBELET_EXTRA_ARGS=--node-labels=node.kubernetes.io/node='' --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 --image-pull-progress-deadline=30m"
ExecStart=
ExecStart=/usr/local/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_SYSTEM_ARGS $KUBELET_EXTRA_ARGS
如果公司内有安全团队会进行漏扫，k8s默认的加密方式比较简单，更改加密方式

添加：--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

设置下载拉取镜像的时间，下载公网的镜像会比较慢，默认下载时间很短

添加：--image-pull-progress-deadline=30m

[root@k8s-master01 ~]# systemctl daemon-reload
[root@k8s-master01 ~]# systemctl restart kubelet
新版本的k8s配置文件都建议放在 /etc/kubernetes/kubelet-conf.yml ,慢慢的参数都会挪到这个配置文件中，包括上面的参数

[root@k8s-master01 ~]# vim /etc/kubernetes/kubelet-conf.yml
最后添加
rotateServerCertificates: true
allowedUnsafeSysctls:    # 默认不允许修改内核参数（并发量、文件打开数等）
- "net.core*"          # 设置参数允许修改内核，可能涉及到安全问题，按需配置
- "net.ipv4.*"
kubeReserved:          # 给k8s组件预留资源
  cpu: "1"
  memory: 1Gi
  ephemeral-storage: 10Gi
systemReserved:          # 给k8s系统预留资源
  cpu: "1"
  memory: 1Gi
  ephemeral-storage: 10Gi

[root@k8s-master01 ~]# systemctl daemon-reload
[root@k8s-master01 ~]# systemctl restart kubelet
修改主机ROLES、labels
查看目前ROLES为none，修改k8s-mastre01的ROLES为master

因为k8s对于k8s中的节点属于哪个角色是没有感知的，master节点就比node节点多安装几个组件而已，对于角色ROLES的定义需要人为的区分

[root@k8s-master01 ~]# kubectl get node
NAME          STATUS ROLES AGE VERSION
k8s-master01 Ready <none> 19h v1.23.8
k8s-master02 Ready <none> 19h v1.23.8
k8s-master03 Ready <none> 19h v1.23.8
k8s-node01    Ready <none> 19h v1.23.8
k8s-node02    Ready <none> 19h v1.23.8
k8s-node03    Ready <none> 19h v1.23.8
[root@k8s-master01 ~]# kubectl get node --show-labels
NAME          STATUS ROLES AGE VERSION LABELS
k8s-master01 Ready <none> 19h v1.23.8 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-master01,kubernetes.io/os=linux,node.kubernetes.io/node=
k8s-master02 Ready <none> 19h v1.23.8 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-master02,kubernetes.io/os=linux,node.kubernetes.io/node=
k8s-master03 Ready <none> 19h v1.23.8 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-master03,kubernetes.io/os=linux,node.kubernetes.io/node=
k8s-node01    Ready <none> 19h v1.23.8 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-node01,kubernetes.io/os=linux,node.kubernetes.io/node=
k8s-node02    Ready <none> 19h v1.23.8 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-node02,kubernetes.io/os=linux,node.kubernetes.io/node=
k8s-node03    Ready <none> 19h v1.23.8 beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-node03,kubernetes.io/os=linux,node.kubernetes.io/node=
[root@k8s-master01 ~]# kubectl label node k8s-master01 node-role.kubernetes.io/master=''
node/k8s-master01 labeled
[root@k8s-master01 ~]# kubectl get node
NAME          STATUS ROLES AGE VERSION
k8s-master01 Ready master 19h v1.23.8
k8s-master02 Ready <none> 19h v1.23.8
k8s-master03 Ready <none> 19h v1.23.8
k8s-node01    Ready <none> 19h v1.23.8
k8s-node02    Ready <none> 19h v1.23.8
k8s-node03    Ready <none> 19h v1.23.8
生产建议
1、生产环境一定要用二进制组件安装
2、etcd一定要和系统盘分开，必须使用ssd硬盘
3、Docker数据盘和系统盘分开，也尽量使用ssd硬盘

		自动登录	找回密码
密码			注册