部署k8s集群步骤 kubernetes实施步骤

admin

kubernetes的yum源
cat > /etc/yum.repos.d/kubernetes.repo <<EOF
/ O! W9 |; ~' ]2 ~[kubernetes]
name=kubernetes
2 _! ^8 d- `" q* C# S: [# ^* dbaseurl=http://172.24.21.35/centos/kubernetes/
gpgcheck=0
EOF
' I, ?8 a) p! F# Z4 k# j. p

admin

kubeadm init --apiserver-advertise-address=172.24.21.55  --image-repository registry.aliyuncs.com/google_containers  --kubernetes-version v1.28.0 --service-cidr=10.177.100.0/12 --pod-network-cidr=10.233.0.0/16  --cri-socket=unix:///var/run/cri-dockerd.sock [init] Using Kubernetes version: v1.28.0 [preflight] Running pre-flight checks         [WARNING Firewalld]: firewalld is active, please ensure ports [6443 10250] are open or your cluster may not function correctly         [WARNING HTTPProxy]: Connection to "https://172.24.21.55" uses proxy "http://172.24.118.199:3128". If that is not intended, adjust your proxy settings         [WARNING HTTPProxyCIDR]: connection to "10.177.100.0/12" uses proxy "http://172.24.118.199:3128". This may lead to malfunctional cluster setup. Make sure that Pod and Services IP ranges specified correctly as exceptions in proxy configuration         [WARNING HTTPProxyCIDR]: connection to "10.233.0.0/16" uses proxy "http://172.24.118.199:3128". This may lead to malfunctional cluster setup. Make sure that Pod and Services IP ranges specified correctly as exceptions in proxy configuration         [WARNING Hostname]: hostname "k8s-master" could not be reached         [WARNING Hostname]: hostname "k8s-master": lookup k8s-master on 114.114.114.114:53: read udp 172.24.21.55:51870->114.114.114.114:53: i/o timeout [preflight] Pulling images required for setting up a Kubernetes cluster [preflight] This might take a minute or two, depending on the speed of your internet connection [preflight] You can also perform this action in beforehand using 'kubeadm config images pull'

admin

--apiserver-advertise-address   #声明监听ip地址
8 f" P$ a5 v+ a' m  b. E --image-repository registry.aliyuncs.com/google_containers     #指定仓库
3 G/ k+ x# v2 _) l4 Z) r7 V/ T( U--kubernetes-version   指定k8s的版本
9 X- y, p( M2 U$ P
--service-cidr=10.177.100.0/12   #service网段
--pod-network-cidr=10.233.0.0/16    #pod网段
" \4 W9 N% U; u9 M$ s2 [--cri-socket   指定docker的中间链接软件
. Z6 G9 u. {& u2 ^2 [% C

admin

--kubernetes-version=v1.17.2
) \! K; Y% a% ]
# k9 \3 V, b, q) V" S0 r版本号，根据自己的情况更改，一般应该和 kubeadm 的版本一致
% m  e4 B/ j; o, e( l& k
1 X: S9 X3 r9 D6 Q* y$ C通过如下命令获得

kubeadm version

输出的 GitVersion:"v1.20.4" 就是版本号了

--pod-network-cidr=10.244.0.0/16

​ pod 使用的网络，可以自定义，这个根据自己的情况修改，不修改也可以
; U0 R3 a+ E3 X9 `
( D& K) D$ ]+ z) c' L9 {​ 好像是固定的

) Y) L' A- m5 B3 ?7 w2 Z5 L% P) ?1 I, t8 n--apiserver-advertise-address=192.168.1.200
3 g" @. o2 g6 B9 C) C7 l8 s: |* z​ master 节点的有效 IP 或者可以被解析的 DNS 名称，需要是 master 节点的有效网卡地址，比如 ens33, eth0 等。

--ignore-preflight-errors=Swap
​ 忽略检查 Swap 时候的报错
+ c" C: f6 \) Q2 I
& r- X2 E2 w7 a; o--control-plane-endpoint
6 v, A  s7 r6 h% p  @
负载均衡的地址，支持dns解析名或者IP，添加该选项后支持高可用，如果使用dns 记得该dns一定要可以被解析

--upload-certs

: {" N' a3 u& ]8 j配合高可用使用，可以自动上传证书
% e; G& ?% A& r8 w% m, X

admin

vim deploy-kubeadm.yml
/ K4 ~* j8 O0 ~5 a---
- name: Deploy  kubeadm  kubelet kubectl
" O* Z3 I; H& @4 c  hosts: k8s
  gather_facts: no
4 H3 {* h  }! T4 o  vars:
" v( B3 ?2 P) z6 H3 O9 N    pkg_dir: /kubeadm-pkg
: M" x% W" f# W" [  n    pkg_names: ["kubelet", "kubeadm", "kubectl"]
- N1 R3 N% {/ ?& t3 h# c& N# K+ N
- D. P2 a' m( [1 X8 u1 S6 T    # 变量 download_host 需要手动设置
) Q! I) i  P  o; b8 N. P1 m5 R5 _    # 且值需要是此 playbook 目标主机中的一个
    # 需要写在 inventory 文件中的名称
    download_host: "master"
    local_pkg_dir: "{{ playbook_dir }}/{{ download_host }}"

4 C. E/ t  ^/ q  tasks:
! T" f" Z" m% s* J& h    - name: 测试使用 -e 是否设置并覆盖了变量
      debug:
" D" R5 g' F, r6 H        msg: "{{ local_pkg_dir }} {{ download_host }}"
$ R- b/ J) a( j9 }      tags:
        - deploy
        - test

    - name: "只需要给 {{ download_host }}安装仓库文件"
      when: inventory_hostname == download_host
      copy:
        src: file/kubernetes.repo
! G% J! h, s  c# ?1 f* @! A+ p        dest: /etc/yum.repos.d/kubernetes.repo
( K" E- e$ r3 w) I      tags:
5 D' U8 h  T/ m- O" Z  N        - deploy
4 K* r- ~( a" L8 c: L7 Z! T4 m
    - name: 创建存放 rmp 包的目录
0 j8 l3 R+ y0 c- `- L9 }      when: inventory_hostname == download_host
$ F3 k* I! i( J9 x      file:
        path: "{{ pkg_dir }}"
        state: directory
      tags:
        - deploy
4 q" `: t2 a1 h/ @+ ^; V- f
. u/ @* H1 u1 {+ ~% @2 w    - name:  下载软件包
      when: inventory_hostname == download_host
      yum:
; R. m  _) B% U1 z6 C        name: "{{ pkg_names }}"
        download_only: yes
& j5 v$ J- j" J# z' P7 r; ]! o3 }% q" o        download_dir: "{{ pkg_dir }}"
      tags:
        - deploy

    - name: 获取下载目录 "{{ pkg_dir }}" 中的文件列表
6 k0 Q3 M4 L( Z8 m. p& H      when: inventory_hostname == download_host
      shell: ls -1 "{{ pkg_dir }}"
      register: files
      tags:
2 h  a% H6 n- H; Z2 F        - deploy

, B2 n* M' G' z    - name: 把远程主机下载的软件包传输到 ansible 本地
      when: inventory_hostname == download_host
      fetch:
        src: "{{ pkg_dir }}/{{ item }}"
        dest: ./
      loop: "{{files.stdout_lines}}"
# x, P! Y2 c5 e- e; o      tags:
        - deploy
% O  ]+ O! i. A* u; F
    - name: 传输 rpm 包到远程节点
; a: t! N: e$ d7 Q  Y5 }      when: inventory_hostname != download_host
& w7 [: B- g  t      copy:
        src: "{{ local_pkg_dir }}{{ pkg_dir }}"
        dest: "/"
      tags:
        - deploy

8 c7 d; k% o, o( P  @    - name: 正在执行从本地安装软件包
" i# [  o" o( z; v& w, S9 M) |" N      shell:
" i( `6 {& [- Q/ ~0 n6 ^. l        cmd: yum -y localinstall *
        chdir: "{{ pkg_dir }}"
8 [* v0 Q0 q2 s, s" U$ p5 X        warn: no
3 |6 ]- h: ~  K7 R      async: 600
      poll: 0
5 B: P9 ^7 i0 P3 @. T      register: yum_info
7 H' _' K7 A& Y4 N' S2 a      tags:
        - deploy
. p: f+ W* O9 \( E. D  }
8 J# r9 ?7 u& H8 M- \0 j    - name: 打印安装结果
      debug: var=yum_info.ansible_job_id
      tags:
/ I" W4 ~& h/ q& s        - deploy


" R, X9 n. e0 \# 查看kubernetes依赖的镜像
kubeadm config images list

5 i$ h2 O6 g  D' b# 不支持高可用的集群初始化
: A* j8 Y$ C( ?+ l' o) Jkubeadm init --kubernetes-version=v1.20.4 --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=10.9.29.112 --ignore-preflight-errors=Swap

& ~9 \/ v0 D" r5 O+ j2 i9 {' j7 x# F# 支持高可用的集群初始化
kubeadm init --kubernetes-version=v1.20.4 --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=masterIP --control-plane-endpoint=kube-lab  --ignore-preflight-errors=Swap --upload-certs

2 R; o% n# W4 h6 @' d/ A
6 i, L* }5 ]# ^6 M# 初始化成功后，会有以下信息，复制后直接在node节点使用即可加入集群
# e- Y" ~- {4 J/ Z5 Zkubeadm join 10.9.29.112:6443 --token en6s67.08rnsg20dc5t8z4n \
    --discovery-token-ca-cert-hash sha256:7d034842b9ee7a6b17d9ce7088839f4570da1c61b29922f28e72b855c10003cc
  O* W% l" h+ H$ h! U* V
; ~1 T% j3 u; {  ~. C/ s% }# 如果是高可用，还会有一条，这个使用后会添加一个master进入集群
2 F0 A. T$ w. d! `% S7 Wkubeadm join kub-lab:6443 --token s2ccws.tzb7v4olicidp032 \
: _: V9 W2 m! _4 C$ h" O    --discovery-token-ca-cert-hash sha256:29a2b437f79c5e4958c3d73e6c64fe0a4df24f0f3bcabd5ced28392d7a882e10 \
4 a( Z" N) t. t2 \4 Y    --control-plane --certificate-key c0a9a1c4a067b20dca95447f809d95c973220244c740a47f71d5302e0a759ea7

9 D7 P8 B" E! W- F: V2 H0 q

1320503165

cat > /etc/docker/daemon.json <<EOF
{
& I; c2 m) N+ a" @"registry-mirrors":[
"https://docker.m.daocloud.io",
' t: u$ l! g% D: u/ o! y"https://huecher.io",
3 S/ N& M: @9 j& |"https://dockerhub.timeweb.cloud",
"https://noohub.ru",
: u# v% w: i2 E9 x2 U; ["https://docker.aws19527.cn"
# {6 G* |5 I$ Y# f; B]
}
% @# ?$ M" B! T& O9 UEOF

1320503165

kubeadm init --apiserver-advertise-address=192.168.8.190  --image-repository registry.aliyuncs.com/google_containers  --kubernetes-version v1.28.0 --service-cidr=10.177.100.0/12 --pod-network-cidr=10.233.0.0/16  --cri-socket=unix:///var/run/cri-dockerd.sock  
[init] Using Kubernetes version: v1.28.0
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
( }. h# b+ C; e8 M2 E4 T[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
& Q7 `2 r4 v* p' E! QW0914 17:05:50.073955    7690 checks.go:835] detected that the sandbox image "registry.k8s.io/pause:3.6" of the container runtime is inconsistent with that used by kubeadm. It is recommended that using "registry.aliyuncs.com/google_containers/pause:3.9" as the CRI sandbox image.
& A; }3 u6 W% I/ p0 \4 t: w9 M[certs] Using certificateDir folder "/etc/kubernetes/pki"
/ h& y& g2 K2 @[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
- \9 |# Q- O& U( \" s[certs] apiserver serving cert is signed for DNS names [kubernetes kubernetes-master kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.176.0.1 192.168.8.190]
5 ~  V. u% K" P9 w6 I( A8 w[certs] Generating "apiserver-kubelet-client" certificate and key
% v9 a! L% t( L$ }. M4 W3 G% J[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
* X5 d/ H1 ^& r- R[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [kubernetes-master localhost] and IPs [192.168.8.190 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [kubernetes-master localhost] and IPs [192.168.8.190 127.0.0.1 ::1]
" h" T# e# g# B+ [. h  C[certs] Generating "etcd/healthcheck-client" certificate and key
( s- O* ~$ H. }- O  t[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
7 A2 Y6 u* {7 Q5 W9 p5 ^[kubeconfig] Writing "controller-manager.conf" kubeconfig file
  e' M3 D: l, E/ Q" `6 q! o[kubeconfig] Writing "scheduler.conf" kubeconfig file
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
0 |3 A7 s6 B9 f. V3 }# O[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
' d. K' ?5 C" J$ s) J/ R[control-plane] Creating static Pod manifest for "kube-controller-manager"
7 C* F5 I1 Z: H; i" u! ~[control-plane] Creating static Pod manifest for "kube-scheduler"
5 W8 Q* l8 }9 E. }[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
  \$ r9 N: j; e[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
1 z5 c9 I# k; {[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[kubelet-check] Initial timeout of 40s passed.
* C% q! z9 y. u4 K

1320503165

[root@kubernetes-master net]# kubeadm init --apiserver-advertise-address=192.168.8.190  --image-repository registry.aliyuncs.com/google_containers  --kubernetes-version v1.28.0 --service-cidr=10.177.100.0/12 --pod-network-cidr=10.233.0.0/16  --cri-socket=unix:///var/run/cri-dockerd.sock  
[init] Using Kubernetes version: v1.28.0
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
. d1 |# ]. v8 p/ {[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
3 W" x* r, v& L( V5 v9 z[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [kubernetes kubernetes-master kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.176.0.1 192.168.8.190]
9 q3 E7 g. t$ A, ~[certs] Generating "apiserver-kubelet-client" certificate and key
8 E+ o- }# t" V9 D[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
0 u5 ?  ^  e/ Z% L[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [kubernetes-master localhost] and IPs [192.168.8.190 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [kubernetes-master localhost] and IPs [192.168.8.190 127.0.0.1 ::1]
. g. N# Y% K. v; W. t[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
& s- g" N, q/ d: r0 _[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
# ]6 h: E/ Y0 }" ?! F( P+ v, P[kubeconfig] Writing "admin.conf" kubeconfig file
7 w" i0 H9 p% W# i[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
) Y4 q* ~$ j3 S* F, a' Z[kubeconfig] Writing "scheduler.conf" kubeconfig file
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
" ^- g" V; c# D[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
& e" Q! z+ S4 {7 V[control-plane] Creating static Pod manifest for "kube-scheduler"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
8 t5 `, F$ Y1 K; w& x; q" {2 Y[apiclient] All control plane components are healthy after 17.005335 seconds
* s8 y. ~( s: e! n/ t* R* x; a! o[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node kubernetes-master as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node kubernetes-master as control-plane by adding the taints [node-role.kubernetes.io/control-plane:NoSchedule]
[bootstrap-token] Using token: ajiqtj.xwpscuol7csse0d9
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
% j0 B- D% f2 A- @' f* i, h[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes
4 b+ a/ p" L: l7 o( O4 ?; p- h% V[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
9 z& ]2 z) V' U) q" m. [) A[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
9 \5 I) d* Z" v4 a2 C5 h[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy
1 P1 M. ?7 u4 m7 X# n% M
! U$ J$ Y$ I0 p+ @* f+ rYour Kubernetes control-plane has initialized successfully!
) h* s' j" v) [" `
( _2 H+ B8 ?4 ~! ITo start using your cluster, you need to run the following as a regular user:
* m4 G7 m! L' {% g9 x) b
1 `( q7 X/ P; ?1 v; F  mkdir -p $HOME/.kube
5 e3 R# C3 T6 m1 i2 B: L  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
' o& ~+ M: N* U+ U, x6 g, S  sudo chown $(id -u):$(id -g) $HOME/.kube/config
9 W) l$ D. Q3 V. Z. L% F% ^
0 P  E2 L' j, G; v& \+ F# KAlternatively, if you are the root user, you can run:
( h( o  k' y8 o/ G5 ?9 h  u4 R
5 r5 D- \5 A1 A! f  S( ~% P  export KUBECONFIG=/etc/kubernetes/admin.conf
+ u- O& l6 X. e5 B" w7 |( {2 f
  s! B! H7 [2 z' pYou should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
3 \/ P9 T' l2 S: q9 V  https://kubernetes.io/docs/conce ... inistration/addons/
# L* m$ L" E( ^2 }, ?& X
Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.8.190:6443 --token ajiqtj.xwpscuol7csse0d9 \
# ^% o- ?) G/ z        --discovery-token-ca-cert-hash sha256:87ab51d4f77f290e00c0060990eb5efa886752e39b2e74721d96d2c41bb92699
[root@kubernetes-master net]#

admin

# 安装ipset和ipvsadm
        yum install ipset ipvsadmin -y
( x1 j6 X7 y- C# y! `% M# 添加需要加载的模块写入脚本文件
# z9 O, p, _7 C6 {cat <<EOF > /etc/sysconfig/modules/ipvs.modules
#!/bin/bash
9 d  A: J- ?# D6 b6 ]* Ymodprobe -- ip_vs
3 U( x! m2 {$ f' U- ^' Q) Fmodprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
& O. T4 e9 W4 D  [. ~' C4 M  d2 ~4 |modprobe -- ip_vs_sh
- z( J6 J# `+ H0 _0 Nmodprobe -- nf_conntrack_ipv4
' I- ~& \: U  \( eEOF
0 ?2 x! }, A9 O0 f. b7 A* z# 为脚本文件添加执行权限
( Z) p+ j' K/ Z        chmod +x /etc/sysconfig/modules/ipvs.modules
, @! v( W$ p% t8 H# 执行脚本文件
         /bin/bash /etc/sysconfig/modules/ipvs.modules
# 查看对应的模块是否加载成功
3 Q1 P7 J9 `0 e7 N6 Z        lsmod | grep -e ip_vs -e nf_conntrack_ipv4