Kubernetes cluster implementation steps (k8s implementation steps)

Posted on 2024-9-17 10:35:55
1. Prepare the environment
   Server plan:
   Name               IP address
   k8s-master         172.24.118.182
   k8s-node1          172.24.118.183
   k8s-node2          172.24.118.184

   Server requirements:
   Minimum recommended hardware:    4C  8G  50G
   The servers must be able to reach the Internet so that Docker images can be downloaded.

   Software environment:
       Software              Version
       Operating system      CentOS7.9_x86_64
       docker                22 and above (CE)
       kubernetes            1.28

2. Initial configuration

## Disable SELinux
sed -i 's/enforcing/disabled/'   /etc/selinux/config        # permanent change (applies after the next reboot)

setenforce 0        # takes effect immediately, until the next reboot

Disable swap
  swapoff -a   # temporarily turn off the swap partition
  sed -ri  's/.*swap.*/#&/'  /etc/fstab        ## permanent. By default no swap partition is allocated when the OS is installed


Set the hostnames according to the plan:
  Master node:

[root@test111 ~]# hostnamectl  set-hostname kubernetes-master

  Worker nodes:
    #hostnamectl set-hostname kubernetes-node1
    #hostnamectl set-hostname kubernetes-node2

Packets crossing the Linux bridge must be processed by iptables; enable the kernel parameters:

cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF


  Alternatively, put the settings in the sysctl.conf file.
sysctl -p   ###    applies sysctl.conf
sysctl --system        # applies all kernel parameter files

sysctl -p /etc/sysctl.d/k8s.conf        # applies only this file (--system takes no file argument)

3. Configure the time synchronisation service:
   yum install -y chrony

  (details omitted here)
Master node:
vim /etc/chrony.conf
server xxxx  iburst

allow  x.x.x.x/24

Restart the chronyd service
and it is done.

Worker nodes:
vim /etc/chrony.conf
server xxxx  iburst

Restart and it is done.

Just make sure the clocks are synchronised.

4. Configure name resolution in the hosts file

172.24.110.182 kubernetes-master
172.24.110.183 kubernetes-node1
172.24.110.184 kubernetes-node2
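Before moving on to kubeadm it is worth verifying that the preparation in sections 2 to 4 actually landed on every node, because kubeadm's own preflight only reports some of it and a node with swap or the bridge sysctls missing fails later in a less obvious way. The script below is an added example and is not part of the original post; it reads the standard CentOS 7 files used above (/etc/selinux/config, /etc/fstab, /etc/sysctl.d/k8s.conf, /etc/hosts) and the hostnames kubernetes-master, kubernetes-node1 and kubernetes-node2 from the hosts entries, and every check takes a file path so it can also be run against sample files.

```shell
#!/bin/sh
# Added pre-flight check for the node preparation in sections 2 to 4.
# Not part of the original post. Each check takes a file path so it can be
# run against the live files or against constructed samples. The checks look
# at configuration files only; the running state (getenforce, /proc/swaps,
# sysctl -n) can still differ until the change has been applied.

# 0 if the SELinux config sets SELINUX=disabled or SELINUX=permissive.
# The sed in section 2 edits the file; the kernel follows after a reboot.
selinux_config_ok() {
    [ -r "$1" ] || return 2
    grep -Eq '^SELINUX=(disabled|permissive)[[:space:]]*$' "$1"
}

# 0 if no active (uncommented) swap entry remains in fstab. kubelet refuses
# to start while swap is on unless that is explicitly allowed.
fstab_swap_off() {
    [ -r "$1" ] || return 2
    if grep -Ev '^[[:space:]]*#' "$1" | grep -Eq '[[:space:]]swap[[:space:]]'; then
        return 1
    fi
    return 0
}

# 0 if both bridge-nf-call sysctls are set to 1 in the given file. These keys
# only exist once the br_netfilter module is loaded, so `sysctl --system`
# silently skips them on a node where it is not.
bridge_sysctl_ok() {
    [ -r "$1" ] || return 2
    grep -Eq '^net\.bridge\.bridge-nf-call-iptables[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" &&
    grep -Eq '^net\.bridge\.bridge-nf-call-ip6tables[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# 0 if every hostname given after the hosts file resolves to an IPv4 entry.
# Only uncommented lines count and the name must be a whole field, so
# kubernetes-node1 does not match a line for kubernetes-node12.
hosts_ok() {
    f="$1"; shift
    [ -r "$f" ] || return 2
    for h in "$@"; do
        grep -Ev '^[[:space:]]*#' "$f" |
            grep -Eq "^[0-9]{1,3}(\.[0-9]{1,3}){3}[[:space:]]+([^[:space:]]+[[:space:]]+)*$h([[:space:]]|\$)" ||
            return 1
    done
    return 0
}

# Runs all checks against the live system and prints PASS/FAIL per check.
# Returns the number of failed checks (0 means the node is ready for kubeadm).
preflight_report() {
    failed=0
    run_check() {
        if "$@"; then echo "PASS $1"; else echo "FAIL $1"; failed=$((failed + 1)); fi
    }
    run_check selinux_config_ok /etc/selinux/config
    run_check fstab_swap_off /etc/fstab
    run_check bridge_sysctl_ok /etc/sysctl.d/k8s.conf
    run_check hosts_ok /etc/hosts kubernetes-master kubernetes-node1 kubernetes-node2
    return "$failed"
}

# The live report only runs when asked for (sh preflight.sh --run), so the
# file can also be sourced to test the individual checks.
if [ "${1:-}" = "--run" ]; then
    preflight_report
fi
```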
5. Install docker

wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
--2024-09-17 14:44:40--  https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
Resolving mirrors.aliyun.com (mirrors.aliyun.com)... 124.95.172.94, 124.95.172.91, 124.95.153.241, ...
Connecting to mirrors.aliyun.com (mirrors.aliyun.com)|124.95.172.94|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2081 (2.0K) [application/octet-stream]
Saving to: ‘/etc/yum.repos.d/docker-ce.repo’

100%[===========================================================================>] 2,081       --.-K/s   in 0s

2024-09-17 14:44:40 (122 MB/s) - ‘/etc/yum.repos.d/docker-ce.repo’ saved [2081/2081]

[root@kubernetes-master ~]# yum install -y docker-ce
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.bfsu.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.tuna.tsinghua.edu.cn
docker-ce-stable                                              | 3.5 kB  00:00:00
(1/2): docker-ce-stable/7/x86_64/updateinfo                   |   55 B  00:00:00
(2/2): docker-ce-stable/7/x86_64/primary_db                   | 152 kB  00:00:00
Resolving Dependencies
--> Running transaction check
---> Package docker-ce.x86_64 3:26.1.4-1.el7 will be installed
--> Processing Dependency: container-selinux >= 2:2.74 for package: 3:docker-ce-26.1.4-1.el7.x86_64
--> Processing Dependency: containerd.io >= 1.6.24 for package: 3:docker-ce-26.1.4-1.el7.x86_64
--> Processing Dependency: docker-ce-cli for package: 3:docker-ce-26.1.4-1.el7.x86_64
--> Processing Dependency: docker-ce-rootless-extras for package: 3:docker-ce-26.1.4-1.el7.x86_64
--> Running transaction check
---> Package container-selinux.noarch 2:2.119.2-1.911c772.el7_8 will be installed
---> Package containerd.io.x86_64 0:1.6.33-3.1.el7 will be installed
---> Package docker-ce-cli.x86_64 1:26.1.4-1.el7 will be installed
--> Processing Dependency: docker-buildx-plugin for package: 1:docker-ce-cli-26.1.4-1.el7.x86_64
--> Processing Dependency: docker-compose-plugin for package: 1:docker-ce-cli-26.1.4-1.el7.x86_64
---> Package docker-ce-rootless-extras.x86_64 0:26.1.4-1.el7 will be installed
--> Processing Dependency: fuse-overlayfs >= 0.7 for package: docker-ce-rootless-extras-26.1.4-1.el7.x86_64
--> Processing Dependency: slirp4netns >= 0.4 for package: docker-ce-rootless-extras-26.1.4-1.el7.x86_64
--> Running transaction check
---> Package docker-buildx-plugin.x86_64 0:0.14.1-1.el7 will be installed
---> Package docker-compose-plugin.x86_64 0:2.27.1-1.el7 will be installed
---> Package fuse-overlayfs.x86_64 0:0.7.2-6.el7_8 will be installed
--> Processing Dependency: libfuse3.so.3(FUSE_3.2)(64bit) for package: fuse-overlayfs-0.7.2-6.el7_8.x86_64
--> Processing Dependency: libfuse3.so.3(FUSE_3.0)(64bit) for package: fuse-overlayfs-0.7.2-6.el7_8.x86_64
--> Processing Dependency: libfuse3.so.3()(64bit) for package: fuse-overlayfs-0.7.2-6.el7_8.x86_64
---> Package slirp4netns.x86_64 0:0.4.3-4.el7_8 will be installed
--> Running transaction check
---> Package fuse3-libs.x86_64 0:3.6.1-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================
 Package                      Arch      Version                      Repository           Size
================================================================================================
Installing:
 docker-ce                    x86_64    3:26.1.4-1.el7               docker-ce-stable     27 M
Installing for dependencies:
 container-selinux            noarch    2:2.119.2-1.911c772.el7_8    extras               40 k
 containerd.io                x86_64    1.6.33-3.1.el7               docker-ce-stable     35 M
 docker-buildx-plugin         x86_64    0.14.1-1.el7                 docker-ce-stable     14 M
 docker-ce-cli                x86_64    1:26.1.4-1.el7               docker-ce-stable     15 M
 docker-ce-rootless-extras    x86_64    26.1.4-1.el7                 docker-ce-stable    9.4 M
 docker-compose-plugin        x86_64    2.27.1-1.el7                 docker-ce-stable     13 M
 fuse-overlayfs               x86_64    0.7.2-6.el7_8                extras               54 k
 fuse3-libs                   x86_64    3.6.1-4.el7                  extras               82 k
 slirp4netns                  x86_64    0.4.3-4.el7_8                extras               81 k

Transaction Summary
================================================================================================
Install  1 Package (+9 Dependent packages)

Total download size: 114 M
Installed size: 401 M
Downloading packages:
(1/10): container-selinux-2.119.2-1.911c772.el7_8.noarch.rpm      |  40 kB  00:00:00
warning: /var/cache/yum/x86_64/7/docker-ce-stable/packages/docker-buildx-plugin-0.14.1-1.el7.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID 621e9f35: NOKEY
Public key for docker-buildx-plugin-0.14.1-1.el7.x86_64.rpm is not installed
(2/10): docker-buildx-plugin-0.14.1-1.el7.x86_64.rpm              |  14 MB  00:00:07
(3/10): containerd.io-1.6.33-3.1.el7.x86_64.rpm                   |  35 MB  00:00:19
(4/10): docker-ce-26.1.4-1.el7.x86_64.rpm                         |  27 MB  00:00:14
(5/10): docker-ce-cli-26.1.4-1.el7.x86_64.rpm                     |  15 MB  00:00:07
(6/10): docker-ce-rootless-extras-26.1.4-1.el7.x86_64.rpm         | 9.4 MB  00:00:04
(7/10): fuse-overlayfs-0.7.2-6.el7_8.x86_64.rpm                   |  54 kB  00:00:00
(8/10): fuse3-libs-3.6.1-4.el7.x86_64.rpm                         |  82 kB  00:00:00
(9/10): slirp4netns-0.4.3-4.el7_8.x86_64.rpm                      |  81 kB  00:00:00
(10/10): docker-compose-plugin-2.27.1-1.el7.x86_64.rpm            |  13 MB  00:00:03
------------------------------------------------------------------------------------------------
Total                                                    3.9 MB/s | 114 MB  00:00:29
Retrieving key from https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
Importing GPG key 0x621E9F35:
 Userid     : "Docker Release (CE rpm) <docker@docker.com>"
 Fingerprint: 060a 61c5 1b55 8a7f 742b 77aa c52f eb6b 621e 9f35
 From       : https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 2:container-selinux-2.119.2-1.911c772.el7_8.noarch        1/10
setsebool:  SELinux is disabled.
  Installing : containerd.io-1.6.33-3.1.el7.x86_64                       2/10
  Installing : docker-buildx-plugin-0.14.1-1.el7.x86_64                  3/10
  Installing : slirp4netns-0.4.3-4.el7_8.x86_64                          4/10
  Installing : fuse3-libs-3.6.1-4.el7.x86_64                             5/10
  Installing : fuse-overlayfs-0.7.2-6.el7_8.x86_64                       6/10
  Installing : docker-compose-plugin-2.27.1-1.el7.x86_64                 7/10
  Installing : 1:docker-ce-cli-26.1.4-1.el7.x86_64                       8/10
  Installing : docker-ce-rootless-extras-26.1.4-1.el7.x86_64             9/10
  Installing : 3:docker-ce-26.1.4-1.el7.x86_64                          10/10
  Verifying  : docker-compose-plugin-2.27.1-1.el7.x86_64                 1/10
  Verifying  : fuse3-libs-3.6.1-4.el7.x86_64                             2/10
  Verifying  : fuse-overlayfs-0.7.2-6.el7_8.x86_64                       3/10
  Verifying  : slirp4netns-0.4.3-4.el7_8.x86_64                          4/10
  Verifying  : 2:container-selinux-2.119.2-1.911c772.el7_8.noarch        5/10
  Verifying  : containerd.io-1.6.33-3.1.el7.x86_64                       6/10
  Verifying  : 3:docker-ce-26.1.4-1.el7.x86_64                           7/10
  Verifying  : 1:docker-ce-cli-26.1.4-1.el7.x86_64                       8/10
  Verifying  : docker-ce-rootless-extras-26.1.4-1.el7.x86_64             9/10
  Verifying  : docker-buildx-plugin-0.14.1-1.el7.x86_64                 10/10

Installed:
  docker-ce.x86_64 3:26.1.4-1.el7

Dependency Installed:
  container-selinux.noarch 2:2.119.2-1.911c772.el7_8  containerd.io.x86_64 0:1.6.33-3.1.el7  docker-buildx-plugin.x86_64 0:0.14.1-1.el7  docker-ce-cli.x86_64 1:26.1.4-1.el7  docker-ce-rootless-extras.x86_64 0:26.1.4-1.el7
  docker-compose-plugin.x86_64 0:2.27.1-1.el7         fuse-overlayfs.x86_64 0:0.7.2-6.el7_8  fuse3-libs.x86_64 0:3.6.1-4.el7             slirp4netns.x86_64 0:0.4.3-4.el7_8

Complete!
[root@kubernetes-master ~]# systemctl enable docker.service ;systemctl start docker.service
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@kubernetes-master ~]# cat > /etc/docker/daemon.json  <<EOF
{
   "registry-mirrors": ["https://q9n10oke.mirror.aliyuncs.com","https://registry.docker-cn.com","http://hub-mirror.c.163.com","https://docker.m.daocloud.io"],
   "insecure-registries": ["8.141.94.237:5000"]
}
EOF
[root@kubernetes-master ~]# vim /etc/docker/daemon.json
[root@kubernetes-master ~]# systemctl restart docker.service
[root@kubernetes-master ~]# docker info
Client: Docker Engine - Community
 Version:    26.1.4
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.14.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.27.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 26.1.4
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d2d58213f83a351ca8f528a95fbd145f5654e957
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
 Kernel Version: 3.10.0-1160.24.1.el7.x86_64
 Operating System: CentOS Linux 7 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 3.7GiB
 Name: kubernetes-master
 ID: 7a997224-186c-4ccb-a45b-e0f1ed3e65e3
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  8.141.94.237:5000
  127.0.0.0/8
 Registry Mirrors:
  https://q9n10oke.mirror.aliyuncs.com/
  https://registry.docker-cn.com/
  http://hub-mirror.c.163.com/
  https://docker.m.daocloud.io/
 Live Restore Enabled: false


The worker nodes are installed the same way; those steps are omitted.

6. Install cri-dockerd (the shim through which kubernetes talks to Docker); install it on all nodes:

# wget https://github.com/Mirantis/cri- ... .2-3.el7.x86_64.rpm
--2024-09-17 15:04:04--  https://github.com/Mirantis/cri- ... .2-3.el7.x86_64.rpm
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubuserconten ... tion%2Foctet-stream [following]
--2024-09-17 15:04:05--  https://objects.githubuserconten ... tion%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9642368 (9.2M) [application/octet-stream]
Saving to: ‘cri-dockerd-0.3.2-3.el7.x86_64.rpm’

100%[===========================================================================>] 9,642,368   7.33MB/s   in 1.3s

2024-09-17 15:04:07 (7.33 MB/s) - ‘cri-dockerd-0.3.2-3.el7.x86_64.rpm’ saved [9642368/9642368]


Install:

rpm -ivh cri-dockerd-0.3.2-3.el7.x86_64.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:cri-dockerd-3:0.3.2-3.el7        ################################# [100%]


Configure parameters:
Point the pause (pod infra) image that cri-dockerd pulls at a domestic (Chinese) mirror:

vim /usr/lib/systemd/system/cri-docker.service

ExecStart=/usr/bin/cri-dockerd --container-runtime-endpoint fd:// --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9


Reload the systemd unit files:

systemctl daemon-reload

Enable the cri-docker service at boot and start it:

systemctl enable cri-docker.service && systemctl start cri-docker.service
Created symlink from /etc/systemd/system/multi-user.target.wants/cri-docker.service to /usr/lib/systemd/system/cri-docker.service.

7. Deploy kubernetes

kubeadm

kubeadm is the tool released by the official community for quickly deploying a kubernetes cluster; it builds the cluster with two commands, kubeadm init and kubeadm join.

kubectl

kubectl is the command-line management tool for a kubernetes cluster; besides it, the cluster can also be managed through kubernetes-dashboard.

kubelet

Kubelet is the Master node's "agent" planted on each Node; kubernetes manages the worker nodes through kubelet. In a Kubernetes cluster a kubelet service process runs on every Node. It carries out the tasks the Master assigns to that node, periodically reports the node's resource usage to the Master, and manages the Pods and the containers inside them.

Configure the yum repository:

cat > /etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
EOF
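Two of the settings in this walkthrough weaken the supply-chain checks on every node: daemon.json in section 5 lists a registry under insecure-registries, so Docker will pull from it over plain HTTP or without verifying its certificate, and the repo above sets gpgcheck=0, so yum installs kubeadm, kubelet and kubectl without checking package signatures (the Docker repo in section 5, by contrast, imported the Docker release key). The script below is an added example and not part of the original post: it audits both files and writes a repo definition with signature checking enabled. The gpgkey URLs are the ones published on Aliyun's mirror help page and are an assumption here; verify that they are still served before relying on them.

```shell
#!/bin/sh
# Added audit of the Docker and Kubernetes repo settings from sections 5 and 7.
# Not part of the original post. Paths default to the ones used above but can
# be passed as arguments, so the checks also run against sample files.

# Prints the insecure-registries entries of a daemon.json, one per line.
# The file is flattened first because the list may span several lines. This
# is a line-oriented heuristic, not a JSON parser; it assumes the key occurs
# at most once.
insecure_registries() {
    [ -r "$1" ] || return 2
    tr -d '\n' < "$1" |
        sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p' |
        tr ',' '\n' | sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//' | grep -v '^[[:space:]]*$'
}

# 0 if daemon.json pulls from at least one registry without TLS verification.
daemon_json_has_insecure() {
    insecure_registries "$1" | grep -q .
}

# 0 if the yum repo file enables signature checking and names an https key.
# With gpgcheck=0 (as in the post) a mirror or any host on the path can hand
# yum an unsigned kubeadm/kubelet build and it will be installed.
repo_gpgcheck_ok() {
    [ -r "$1" ] || return 2
    grep -Eq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*gpgkey[[:space:]]*=[[:space:]]*https://' "$1"
}

# Writes a kubernetes.repo with signature checking turned on. The key URLs
# are assumed from Aliyun's mirror help page; check them before use.
write_hardened_k8s_repo() {
    cat > "$1" <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
}

# Audits both files and prints one WARN line per finding. Returns the number
# of findings, so 0 means there is nothing to fix.
audit_report() {
    findings=0
    daemon="${1:-/etc/docker/daemon.json}"
    repo="${2:-/etc/yum.repos.d/kubernetes.repo}"
    if daemon_json_has_insecure "$daemon"; then
        echo "WARN $daemon: insecure-registries = $(insecure_registries "$daemon" | tr '\n' ' ')"
        findings=$((findings + 1))
    fi
    if ! repo_gpgcheck_ok "$repo"; then
        echo "WARN $repo: gpgcheck is not 1 or no https gpgkey is set"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# The live audit only runs when asked for (sh audit.sh --run).
if [ "${1:-}" = "--run" ]; then
    audit_report
fi
```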

Install kubeadm, kubelet and kubectl (all nodes), pinned to the same patch release:

yum install -y kubelet-1.28.2 kubeadm-1.28.2 kubectl-1.28.2

The transcript below is from a host that already had 1.28.0 installed, so yum runs it as an upgrade:

Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.huaweicloud.com
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.tuna.tsinghua.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package kubeadm.x86_64 0:1.28.0-0 will be updated
---> Package kubeadm.x86_64 0:1.28.2-0 will be an update
---> Package kubectl.x86_64 0:1.28.0-0 will be updated
---> Package kubectl.x86_64 0:1.28.2-0 will be an update
---> Package kubelet.x86_64 0:1.28.0-0 will be updated
---> Package kubelet.x86_64 0:1.28.2-0 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package      Arch        Version        Repository      Size
================================================================================
Updating:
 kubeadm      x86_64      1.28.2-0       kubernetes      11 M
 kubectl      x86_64      1.28.2-0       kubernetes      11 M
 kubelet      x86_64      1.28.2-0       kubernetes      21 M

Transaction Summary
================================================================================
Upgrade  3 Packages

Total download size: 43 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): a24e42254b5a14b67b58c4633d29c27370c28ed6796a80c455a65acc813ff374-kubectl-1.28.2-0.x86_64.rpm |  11 MB  00:00:05
(2/3): cee73f8035d734e86f722f77f1bf4e7d643e78d36646fd000148deb8af98b61c-kubeadm-1.28.2-0.x86_64.rpm |  11 MB  00:00:05
(3/3): e1cae938e231bffa3618f5934a096bd85372ee9b1293081f5682a22fe873add8-kubelet-1.28.2-0.x86_64.rpm |  21 MB  00:00:05
--------------------------------------------------------------------------------
Total                                                       3.8 MB/s |  43 MB  00:00:11
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : kubelet-1.28.2-0.x86_64    1/6
  Updating   : kubectl-1.28.2-0.x86_64    2/6
  Updating   : kubeadm-1.28.2-0.x86_64    3/6
  Cleanup    : kubeadm-1.28.0-0.x86_64    4/6
  Cleanup    : kubectl-1.28.0-0.x86_64    5/6
  Cleanup    : kubelet-1.28.0-0.x86_64    6/6
  Verifying  : kubectl-1.28.2-0.x86_64    1/6
  Verifying  : kubelet-1.28.2-0.x86_64    2/6
  Verifying  : kubeadm-1.28.2-0.x86_64    3/6
  Verifying  : kubectl-1.28.0-0.x86_64    4/6
  Verifying  : kubeadm-1.28.0-0.x86_64    5/6
  Verifying  : kubelet-1.28.0-0.x86_64    6/6

Updated:
  kubeadm.x86_64 0:1.28.2-0    kubectl.x86_64 0:1.28.2-0    kubelet.x86_64 0:1.28.2-0

Complete!

Enable kubelet at boot:

systemctl enable kubelet.service

Until kubeadm init or kubeadm join writes its configuration, the kubelet has nothing to run and restarts in a loop; that is expected at this stage.
/ L3 X) k4 r5 \" `0 A' ~$ S7 F% G" D8 g' ]1 `7 r' Z5 Z
List the images the control plane needs:

[root@kubernetes-master ~]# kubeadm config images list
I0918 14:09:39.041429   30436 version.go:256] remote version is much newer: v1.31.0; falling back to: stable-1.28
registry.k8s.io/kube-apiserver:v1.28.14
registry.k8s.io/kube-controller-manager:v1.28.14
registry.k8s.io/kube-scheduler:v1.28.14
registry.k8s.io/kube-proxy:v1.28.14
registry.k8s.io/pause:3.9
registry.k8s.io/etcd:3.5.9-0
registry.k8s.io/coredns/coredns:v1.10.1

Without arguments the command looks up the newest stable 1.28 release (v1.28.14 at the time) on registry.k8s.io, which is not what the init below pulls. To see exactly what will be used, pass the same version and registry as the init command: kubeadm config images list --kubernetes-version v1.28.2 --image-repository registry.aliyuncs.com/google_containers. The pause, etcd and CoreDNS tags are the same either way, as the docker images listing further down confirms.
8. Deploying the cluster: initializing Kubernetes

Run kubeadm init on the master. When it completes, copy the kubectl credentials to the default (or a chosen) path as the output instructs. The flags used below:

--kubernetes-version v1.28.2
    The Kubernetes version to install; pin it to the kubeadm/kubelet release installed above so the control plane and the nodes stay in step.
--apiserver-advertise-address=x.x.x.x
    The address the API server advertises: the master's IP, which is what the other components and the nodes use to reach it. It is also baked into the API server's serving certificate, so it must be an address the nodes will really connect to.
--node-name=kubernetes-master
    The name this node registers under (defaults to the hostname).
--image-repository registry.aliyuncs.com/google_containers
    The registry the control-plane images are pulled from (a mirror of registry.k8s.io).
--service-cidr=...
    The address range for Service ClusterIPs.
--pod-network-cidr=...
    The address range for Pods; it must match what the network plugin is configured with.
--cri-socket=unix:///var/run/cri-dockerd.sock
    The container runtime endpoint; with Docker Engine this is the cri-dockerd socket.

Taken together, the command below initializes a v1.28.2 cluster with 172.24.110.182 as the control-plane node and the given Service and Pod ranges.

Two things to check before running it. 100.177.100.0/12 is not on a /12 boundary; kubeadm masks it to the network 100.176.0.0/12, which is why the API server certificate below carries 100.176.0.1 (the first usable address of that range, assigned to the kubernetes Service). Give the real network address so the intended range is unambiguous. And the Service range, the Pod range and the node network (the 172.24.110.x subnet here) must not overlap one another, or kube-proxy and the CNI plugin will install conflicting routes.

Run the initialization on the master:

kubeadm init --apiserver-advertise-address=172.24.110.182 --node-name=kubernetes-master  --image-repository registry.aliyuncs.com/google_containers  --kubernetes-version v1.28.2 --service-cidr=100.177.100.0/12 --pod-network-cidr=100.233.0.0/16  --cri-socket=unix:///var/run/cri-dockerd.sock
Example:

[root@kubernetes-master ~]# kubeadm init --apiserver-advertise-address=172.24.110.182 --node-name=kubernetes-master  --image-repository registry.aliyuncs.com/google_containers  --kubernetes-version v1.28.2 --service-cidr=100.177.100.0/12 --pod-network-cidr=100.233.0.0/16  --cri-socket=unix:///var/run/cri-dockerd.sock
[init] Using Kubernetes version: v1.28.2
[preflight] Running pre-flight checks
        [WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service'
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [kubernetes kubernetes-master kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [100.176.0.1 172.24.110.182]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [kubernetes-master localhost] and IPs [172.24.110.182 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [kubernetes-master localhost] and IPs [172.24.110.182 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 10.505264 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node kubernetes-master as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node kubernetes-master as control-plane by adding the taints [node-role.kubernetes.io/control-plane:NoSchedule]
[bootstrap-token] Using token: 0fqjub.taqnhr1lskcovh7d
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/conce ... inistration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 172.24.110.182:6443 --token 0fqjub.taqnhr1lskcovh7d \
        --discovery-token-ca-cert-hash sha256:09fc462e6d431bb00515cb001ebc5791f6197cf22d49a940000eb96c8d4085dd

Initialization complete.

Two things in this output are worth acting on. The preflight warning shows that kubelet had not been enabled on this host yet, so run the systemctl enable from the previous step. And the kubeadm join line is a credential: the token authenticates to the API server for node bootstrapping (it is valid for 24 hours by default), and the sha256 hash pins the cluster CA so a joining node cannot be pointed at an impostor API server. Treat the line like a password rather than pasting it into chat or a ticket.
Images present on the master:

# docker images
REPOSITORY                                                        TAG       IMAGE ID       CREATED         SIZE
registry.aliyuncs.com/google_containers/kube-apiserver            v1.28.0   bb5e0dde9054   13 months ago   126MB
registry.aliyuncs.com/google_containers/kube-controller-manager   v1.28.0   4be79c38a4ba   13 months ago   122MB
registry.aliyuncs.com/google_containers/kube-scheduler            v1.28.0   f6f496300a2a   13 months ago   60.1MB
registry.aliyuncs.com/google_containers/kube-proxy                v1.28.0   ea1030da44aa   13 months ago   73.1MB
registry.aliyuncs.com/google_containers/etcd                      3.5.9-0   73deb9a3f702   16 months ago   294MB
registry.aliyuncs.com/google_containers/coredns                   v1.10.1   ead0a4a53df8   19 months ago   53.6MB
registry.aliyuncs.com/google_containers/pause                     3.9       e6f181688397   23 months ago   744kB

This listing shows v1.28.0 tags, which match the 1.28.0 packages that were on the host before the upgrade rather than the v1.28.2 the init requested; an init with --kubernetes-version v1.28.2 pulls the v1.28.2 control-plane images (etcd, CoreDNS and pause keep the tags shown here).
Master node configuration:
Check the kubectl version:

# kubectl version --client

Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3

# After a successful init, run:
mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config

Check the node status with kubectl:

[root@kubernetes-master ~]# kubectl get node
NAME                STATUS     ROLES           AGE   VERSION
kubernetes-master   NotReady   control-plane   19m   v1.28.2

Note: the node stays NotReady until the network plugin is deployed.
# On the master: copy the kubeconfig to the workers (so kubectl can be used on the nodes)
        scp /etc/kubernetes/admin.conf 172.24.110.183:/etc/kubernetes/
        scp /etc/kubernetes/admin.conf 172.24.110.184:/etc/kubernetes/
To preserve ownership and mode, rsync can be used instead:

[root@kubernetes-master ~]# rsync -avzP -e 'ssh -p 22' /etc/kubernetes/admin.conf root@172.24.110.183:/etc/kubernetes/
ssh: connect to host 172.24.110.183 port 22: Connection refused
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(226) [sender=3.1.2]
[root@kubernetes-master ~]# rsync -avzP -e 'ssh -p 60028' /etc/kubernetes/admin.conf root@172.24.110.183:/etc/kubernetes/
The authenticity of host '[172.24.110.183]:60028 ([172.24.110.183]:60028)' can't be established.
ECDSA key fingerprint is SHA256:Tvzi0ICzurMYEPySzerkOmwk/o7XHxmABVKRigofHzg.
ECDSA key fingerprint is MD5:f0:92:26:fd:da:d3:e4:db:be:36:b1:fe:d6:2b:65:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.24.110.183]:60028' (ECDSA) to the list of known hosts.
root@172.24.110.183's password:
sending incremental file list
admin.conf
          5,646 100%    0.00kB/s    0:00:00 (xfr#1, to-chk=0/1)

sent 3,920 bytes  received 35 bytes  168.30 bytes/sec
total size is 5,646  speedup is 1.43
[root@kubernetes-master ~]# rsync -avzP -e 'ssh -p 60028' /etc/kubernetes/admin.conf root@172.24.110.184:/etc/kubernetes/
The authenticity of host '[172.24.110.184]:60028 ([172.24.110.184]:60028)' can't be established.
ECDSA key fingerprint is SHA256:Tvzi0ICzurMYEPySzerkOmwk/o7XHxmABVKRigofHzg.
ECDSA key fingerprint is MD5:f0:92:26:fd:da:d3:e4:db:be:36:b1:fe:d6:2b:65:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.24.110.184]:60028' (ECDSA) to the list of known hosts.
root@172.24.110.184's password:
sending incremental file list
admin.conf
          5,646 100%    0.00kB/s    0:00:00 (xfr#1, to-chk=0/1)

sent 3,920 bytes  received 35 bytes  878.89 bytes/sec
total size is 5,646  speedup is 1.43

Two cautions about this step. admin.conf is not merely "the kubectl config": it holds a client certificate for kubernetes-admin in the system:masters group, which the API server treats as cluster-admin regardless of RBAC. Copying it to every worker means that whoever gets root on any worker, or reads a backup of it, owns the cluster. If kubectl is really needed on the workers, issue a separate least-privilege credential for that purpose (for example with kubeadm kubeconfig user plus a narrow RoleBinding) and keep admin.conf on the control plane. Also, both workers present the identical SSH host key fingerprint (SHA256:Tvzi0ICz...), which means they were cloned from one image and still share host keys; regenerate them on each node (remove /etc/ssh/ssh_host_* and run ssh-keygen -A, then restart sshd) and confirm that the MAC address and product_uuid, which kubeadm requires to be unique per node, and /etc/machine-id differ as well.
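Before copying any kubeconfig around, check whose credential it is. The script below is an added example, not part of the original post: it decodes the client certificate embedded in a kubeconfig with openssl, prints its subject and expiry, and flags identities that carry cluster-admin groups. The function names are the example's own, and the kubeconfig in its test is built around a throwaway self-signed certificate rather than a real admin.conf.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): show who a kubeconfig file
# actually is by decoding its embedded client certificate, and flag
# cluster-admin credentials before they are copied to other hosts.
# Needs openssl and base64 (coreutils). Function names are the example's own.
set -u

# Print the first client-certificate-data value of a kubeconfig, decoded to PEM.
kubeconfig_client_cert() {
    local kubeconfig="$1"
    awk '/^[ \t]*client-certificate-data:/ { print $2; exit }' "$kubeconfig" | base64 -d
}

# Print "subject=...;notAfter=..." for the kubeconfig's client certificate.
kubeconfig_identity() {
    kubeconfig_client_cert "$1" | openssl x509 -noout -subject -enddate | paste -sd ';' -
}

# Return 0 if the client certificate's subject carries a group that the API
# server treats as cluster-admin (system:masters bypasses RBAC entirely;
# kubeadm:cluster-admins is what newer kubeadm releases bind instead), 1 otherwise.
kubeconfig_is_cluster_admin() {
    local subject
    subject=$(kubeconfig_client_cert "$1" | openssl x509 -noout -subject)
    case "$subject" in
        *system:masters*|*kubeadm:cluster-admins*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the client certificate is still valid for at least $2 days.
kubeconfig_valid_for_days() {
    kubeconfig_client_cert "$1" | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage on the master:
#   kubeconfig_identity /etc/kubernetes/admin.conf
#   kubeconfig_is_cluster_admin /etc/kubernetes/admin.conf && echo "do not distribute this file"
```

On a kubeadm 1.28 master, kubeconfig_identity /etc/kubernetes/admin.conf prints a subject with O = system:masters and CN = kubernetes-admin and a notAfter one year after init; kubeconfig_is_cluster_admin returns 0 for it. Run the same check on any kubeconfig you mint for the workers and expect it to return 1.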
Join the worker nodes (run on each node):
Run the kubeadm join command printed by kubeadm init, with the CRI socket added, to add the node to the cluster:

kubeadm join 172.24.110.182:6443 --token 0fqjub.taqnhr1lskcovh7d  --discovery-token-ca-cert-hash sha256:09fc462e6d431bb00515cb001ebc5791f6197cf22d49a940000eb96c8d4085dd  --cri-socket=unix:///var/run/cri-dockerd.sock

Regenerating the token:

[root@kubernetes-master ~]# kubeadm token list
TOKEN                     TTL         EXPIRES                USAGES                   DESCRIPTION                                                EXTRA GROUPS
0fqjub.taqnhr1lskcovh7d   23h         2024-09-18T07:21:06Z   authentication,signing   The default bootstrap token generated by 'kubeadm init'.   system:bootstrappers:kubeadm:default-node-token
[root@kubernetes-master ~]# kubeadm token delete 0fqjub.taqnhr1lskcovh7d
bootstrap token "0fqjub" deleted
[root@kubernetes-master ~]# kubeadm token list

Create a token meant to last ten years (note that --ttl takes hours: 36500h is about 4.2 years, as the 2028 expiry in the listing below shows):
[root@kubernetes-master ~]# kubeadm token create --ttl 36500h
pllb0d.eyjtekjjc542k16c
Create a token meant to last five years (18250h is about 2.1 years):
[root@kubernetes-master ~]# kubeadm token create --ttl 18250h
gpz9o9.terifm9742ermj6e

Create a token that never expires:

[root@kubernetes-master ~]# kubeadm token create --ttl 0
nt8qzn.bb4tm414rnww2mt2

Delete a token:

[root@kubernetes-master ~]# kubeadm token list
TOKEN                     TTL         EXPIRES                USAGES                   DESCRIPTION   EXTRA GROUPS
gpz9o9.terifm9742ermj6e   2y          2026-10-17T18:11:13Z   authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
nt8qzn.bb4tm414rnww2mt2   <forever>   <never>                authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
pllb0d.eyjtekjjc542k16c   4y          2028-11-16T04:10:37Z   authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
[root@kubernetes-master ~]# kubeadm token delete nt8qzn.bb4tm414rnww2mt2
bootstrap token "nt8qzn" deleted

Do not leave long-lived or non-expiring tokens in the cluster. A bootstrap token is a bearer secret: anyone holding one can register a rogue node and obtain a signed kubelet identity for it, and with that whatever workloads and Secrets get scheduled onto the node; once the CSR has been auto-approved, the kubelet certificate outlives the token. Create tokens just before you need them with the default 24-hour TTL, or shorter, and delete them as soon as the nodes have joined.
Obtaining the CA certificate hash (the value kubeadm join pins):

[root@kubernetes-master ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
09fc462e6d431bb00515cb001ebc5791f6197cf22d49a940000eb96c8d4085dd

This is the SHA-256 of the CA's DER-encoded public key (use openssl pkey in place of openssl rsa if the CA key is not RSA), so it only changes when the cluster CA does, and the same value appears in every join command for this cluster. Never replace it with --discovery-token-unsafe-skip-ca-verification: the joining node would then accept whatever presents itself at 172.24.110.182:6443.

Alternatively, have kubeadm produce the complete join command:

[root@kubernetes-master ~]# kubeadm token create --ttl 18250h --print-join-command
kubeadm join 172.24.110.182:6443 --token 1kis96.cklh7okui7j4fcr0 --discovery-token-ca-cert-hash sha256:09fc462e6d431bb00515cb001ebc5791f6197cf22d49a940000eb96c8d4085dd

The same TTL advice applies here: a 24-hour or shorter token is enough to join nodes that are ready now.
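The token listing and the CA hash above are the two things to check before handing a join command to anyone. The script below is an added example, not part of the original post: audit_bootstrap_tokens reads the text that kubeadm token list prints and flags tokens whose remaining TTL exceeds a threshold, and verify_join_command recomputes the CA public-key hash from a certificate file and compares it with the hash pinned in a join command, refusing commands that pin nothing. The function names are the example's own; the token listing in its test is the one shown above, and the CA it hashes is a throwaway self-signed certificate, not the cluster's.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): hygiene checks for kubeadm
# join credentials. Needs openssl for the hash functions. The CA used in the
# test is a throwaway self-signed certificate, not the cluster's CA.
set -u

# Convert a TTL column value as printed by `kubeadm token list` ("23h", "2y",
# "1h30m", "<forever>") to whole hours. Unknown or unbounded values map to a
# huge number so that they are always flagged.
ttl_to_hours() {
    local ttl="$1" hours=0 pair n unit
    case "$ttl" in "<forever>"|"<invalid>") echo 999999; return ;; esac
    for pair in $(printf '%s' "$ttl" | sed 's/\([0-9][0-9]*[a-z]\)/\1 /g'); do
        n="${pair%[a-z]}"; unit="${pair#"$n"}"
        case "$unit" in
            s) : ;;
            m) hours=$(( hours + n / 60 )) ;;
            h) hours=$(( hours + n )) ;;
            d) hours=$(( hours + n * 24 )) ;;
            y) hours=$(( hours + n * 365 * 24 )) ;;
            *) echo 999999; return ;;
        esac
    done
    echo "$hours"
}

# Read `kubeadm token list` output on stdin; print "TOKEN TTL" for every token
# whose remaining TTL exceeds $1 hours (default 24). Returns 1 if any was flagged.
audit_bootstrap_tokens() {
    local max_hours="${1:-24}" flagged=0 token ttl
    while read -r token ttl _; do
        [ "$token" = "TOKEN" ] && continue          # header line
        [ -n "$token" ] || continue
        if [ "$(ttl_to_hours "$ttl")" -gt "$max_hours" ]; then
            printf '%s %s\n' "$token" "$ttl"
            flagged=1
        fi
    done
    return $flagged
}

# SHA-256 of the CA's DER-encoded public key: the value after sha256: in a join command.
ca_cert_hash() {
    openssl x509 -pubkey -noout -in "$1" | openssl pkey -pubin -outform der | openssl dgst -sha256 | sed 's/^.* //'
}

# Compare the hash pinned in a join command ($2) with the CA certificate at $1.
# Returns 0 on match, 1 on mismatch, 2 if the command pins no hash at all.
verify_join_command() {
    local ca="$1" cmd="$2" pinned
    pinned=$(printf '%s\n' "$cmd" | sed -n 's/.*--discovery-token-ca-cert-hash sha256:\([0-9a-f]\{64\}\).*/\1/p')
    [ -n "$pinned" ] || { echo "join command does not pin the CA hash" >&2; return 2; }
    [ "$pinned" = "$(ca_cert_hash "$ca")" ]
}

# Usage on the master:
#   kubeadm token list | audit_bootstrap_tokens 24
#   verify_join_command /etc/kubernetes/pki/ca.crt "$(kubeadm token create --print-join-command)"
```

Piping kubeadm token list straight into audit_bootstrap_tokens turns the listing into a check you can run from cron; anything it prints is a token to delete.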
Now join the other nodes: run the command returned above with the --cri-socket=unix:///var/run/cri-dockerd.sock argument appended:

kubeadm join 172.24.110.182:6443 --token 1kis96.cklh7okui7j4fcr0 --discovery-token-ca-cert-hash sha256:09fc462e6d431bb00515cb001ebc5791f6197cf22d49a940000eb96c8d4085dd  --cri-socket=unix:///var/run/cri-dockerd.sock

Example:

[root@kubernetes-node1 ~]# kubeadm join 172.24.110.182:6443 --token 1kis96.cklh7okui7j4fcr0 --discovery-token-ca-cert-hash sha256:09fc462e6d431bb00515cb001ebc5791f6197cf22d49a940000eb96c8d4085dd  --cri-socket=unix:///var/run/cri-dockerd.sock
[preflight] Running pre-flight checks
        [WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service'
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

The same warning appears here: enable the kubelet service on each worker too, or the node will not come back after a reboot. The remaining nodes are joined the same way (omitted).
Check the nodes:

[root@kubernetes-master ~]# kubectl get nodes
NAME                STATUS     ROLES           AGE   VERSION
kubernetes-master   NotReady   control-plane   59m   v1.28.2
kubernetes-node1    NotReady   <none>          78s   v1.28.2
kubernetes-node2    NotReady   <none>          69s   v1.28.2

Note: the nodes stay NotReady until the network plugin is deployed.

Check the Pods:

[root@kubernetes-master ~]# kubectl get pods -A
NAMESPACE     NAME                                        READY   STATUS    RESTARTS   AGE
kube-system   coredns-66f779496c-cqf5k                    0/1     Pending   0          60m
kube-system   coredns-66f779496c-lnxt4                    0/1     Pending   0          60m
kube-system   etcd-kubernetes-master                      1/1     Running   0          60m
kube-system   kube-apiserver-kubernetes-master            1/1     Running   0          60m
kube-system   kube-controller-manager-kubernetes-master   1/1     Running   0          60m
kube-system   kube-proxy-676dx                            1/1     Running   0          2m37s
kube-system   kube-proxy-kkt8g                            1/1     Running   0          60m
kube-system   kube-proxy-qgpbt                            1/1     Running   0          2m46s
kube-system   kube-scheduler-kubernetes-master            1/1     Running   0          60m

CoreDNS is Pending for the same reason: it needs a Pod network, so it cannot be scheduled until the CNI plugin is running on the nodes.
安装网络组件:/ \0 x* U5 Y+ z: ]% I: [
: W$ n1 _0 T/ R3 y2 q
不建议安装kube-flannel的,安装calico.yaml1 p, U. D( J! l5 F# Z4 w9 o3 B
2 v$ k! O) j; b0 c' j! x
[root@kubernetes-master ~]# wget https://github.com/flannel-io/fl ... .2/kube-flannel.yml
--2024-09-17 16:27:41--  https://github.com/flannel-io/fl ... .2/kube-flannel.yml
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubuserconten ... tion%2Foctet-stream [following]
--2024-09-17 16:27:42--  https://objects.githubuserconten ... tion%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4459 (4.4K) [application/octet-stream]
Saving to: ‘kube-flannel.yml’

100%[======================================================================================================================================================================================>] 4,459       --.-K/s   in 0s      

2024-09-17 16:27:42 (17.4 MB/s) - ‘kube-flannel.yml’ saved [4459/4459]


Run the install (on the master node)

[root@kubernetes-master ~]#  kubectl apply -f calico.yaml
namespace/kube-flannel created
serviceaccount/flannel created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
configmap/kube-flannel-cfg created
daemonset.apps/kube-flannel-ds created
[root@kubernetes-master ~]#

Check the pod status again

[root@kubernetes-master ~]# kubeadm token list
TOKEN                     TTL         EXPIRES                USAGES                   DESCRIPTION                                                EXTRA GROUPS
1kis96.cklh7okui7j4fcr0   2y          2026-10-17T18:16:02Z   authentication,signing   <none>                                                     system:bootstrappers:kubeadm:default-node-token
[root@kubernetes-master ~]#  kubectl get node
NAME                STATUS   ROLES           AGE   VERSION
kubernetes-master   Ready    control-plane   72m   v1.28.2
kubernetes-node1    Ready    <none>          14m   v1.28.2
kubernetes-node2    Ready    <none>          14m   v1.28.2
[root@kubernetes-master ~]#  kubectl get pod -A
NAMESPACE      NAME                                        READY   STATUS              RESTARTS   AGE
kube-flannel   kube-flannel-ds-k6mpb                       0/1     Init:0/2            0          45s
kube-flannel   kube-flannel-ds-l68ft                       0/1     Init:1/2            0          45s
kube-flannel   kube-flannel-ds-th9kz                       0/1     Init:1/2            0          45s
kube-system    coredns-66f779496c-cqf5k                    0/1     ContainerCreating   0          72m
kube-system    coredns-66f779496c-lnxt4                    0/1     ContainerCreating   0          72m
kube-system    etcd-kubernetes-master                      1/1     Running             0          72m
kube-system    kube-apiserver-kubernetes-master            1/1     Running             0          72m
kube-system    kube-controller-manager-kubernetes-master   1/1     Running             0          72m
kube-system    kube-proxy-676dx                            1/1     Running             0          14m
kube-system    kube-proxy-kkt8g                            1/1     Running             0          72m
kube-system    kube-proxy-qgpbt                            1/1     Running             0          14m
kube-system    kube-scheduler-kubernetes-master            1/1     Running             0          72m

Note:

      # Worker nodes cannot run kubectl commands, because they do not have the admin.conf file.
      # To use kubectl on a worker node, the admin.conf file has to be copied to that node; run the following there:
      scp root@master:/etc/kubernetes/admin.conf /etc/kubernetes/
      echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> /etc/profile



Install kubernetes-dashboard (master)

[root@kubernetes-master ~]# wget  https://raw.githubusercontent.co ... oy/recommended.yaml
--2024-09-18 14:34:55--  https://raw.githubusercontent.co ... oy/recommended.yaml
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7621 (7.4K) [text/plain]
Saving to: ‘recommended.yaml’

100%[======================================================================================================================================================================================>] 7,621       --.-K/s   in 0.001s  

2024-09-18 14:34:55 (11.2 MB/s) - ‘recommended.yaml’ saved [7621/7621]

[root@kubernetes-master ~]# ls
calico.yaml  cri-dockerd-0.3.2-3.el7.x86_64.rpm  kube-flannel.yml  qemu-guest-agent-1.5.3-ksyun.x86_64.rpm  recommended.yaml  sudo-1.9.5-3.el7.x86_64.rpm


# Edit recommended.yaml: find the Service section and make the following changes
# Add a NodePort to the Service so the dashboard can be reached at <host IP>:<port>
vim recommended.yaml

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort  # add this line: set the Service type to NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 32333   # add this line: the port bound on every node (default range 30000-32767); if omitted, one is allocated automatically
  selector:
    k8s-app: kubernetes-dashboard
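The same two-line edit done as a script instead of in vim, added here as an example that is not part of the original post or of the dashboard project: it patches only the Service named kubernetes-dashboard, leaves every other document alone, and rejects a nodePort outside the 30000-32767 range the comment mentions. SAMPLE_MANIFEST is a constructed excerpt in the shape of recommended.yaml, not the real file.

```python
"""Set the kubernetes-dashboard Service in recommended.yaml to type NodePort.
Line-based on purpose (no PyYAML needed): it only touches the document whose
kind is Service and whose metadata.name is kubernetes-dashboard."""

NODEPORT_MIN, NODEPORT_MAX = 30000, 32767  # kube-apiserver default range

# Constructed excerpt in the shape of recommended.yaml (not the real file):
# the dashboard Service to patch plus a second Service that must stay untouched.
SAMPLE_MANIFEST = """\
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
"""


def _key(line):
    """Line without indentation or a trailing '# comment'."""
    return line.split("#", 1)[0].strip()


def split_documents(text):
    """Split a multi-document YAML file on '---' lines; other lines are kept."""
    docs = [[]]
    for line in text.splitlines():
        if line.strip() == "---":
            docs.append([])
        else:
            docs[-1].append(line)
    return docs


def is_dashboard_service(doc):
    """True only for the Service whose name is kubernetes-dashboard."""
    keys = {_key(l) for l in doc}
    return "kind: Service" in keys and "name: kubernetes-dashboard" in keys


def patch_service(doc, node_port):
    """Return the Service lines with type: NodePort and the given nodePort."""
    if not NODEPORT_MIN <= node_port <= NODEPORT_MAX:
        raise ValueError(f"nodePort {node_port} outside {NODEPORT_MIN}-{NODEPORT_MAX}")
    has_type = any(_key(l).startswith("type:") for l in doc)
    has_nodeport = any(_key(l).startswith("nodePort:") for l in doc)
    out = []
    for line in doc:
        key = _key(line)
        indent = line[: len(line) - len(line.lstrip())]
        if key.startswith("type:"):          # already set: overwrite in place
            out.append(f"{indent}type: NodePort")
            continue
        if key.startswith("nodePort:"):
            out.append(f"{indent}nodePort: {node_port}")
            continue
        out.append(line)
        if key == "spec:" and not has_type:  # the two lines the post adds by hand
            out.append("  type: NodePort")
        if key.startswith("targetPort:") and not has_nodeport:
            out.append(f"{indent}nodePort: {node_port}")
    return out


def patch_manifest(text, node_port=32333):
    """Patch the dashboard Service; every other document passes through unchanged."""
    docs = [patch_service(d, node_port) if is_dashboard_service(d) else d
            for d in split_documents(text)]
    lines = []
    for i, doc in enumerate(docs):
        if i:
            lines.append("---")
        lines.extend(doc)
    return "\n".join(lines) + "\n"


def service_exposure(text):
    """How the dashboard Service is exposed: {'type': ..., 'nodePort': ...}."""
    result = {"type": None, "nodePort": None}
    for doc in split_documents(text):
        if is_dashboard_service(doc):
            for line in doc:
                key = _key(line)
                if key.startswith("type:"):
                    result["type"] = key.split(":", 1)[1].strip()
                elif key.startswith("nodePort:"):
                    result["nodePort"] = int(key.split(":", 1)[1])
    return result
```

Running the patch a second time over its own output changes nothing, so it is safe to re-run after re-downloading recommended.yaml.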


# Create the dashboard
kubectl create -f recommended.yaml

[root@kubernetes-master ~]# kubectl create -f recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created


# List all pods
kubectl get pods --all-namespaces
[root@kubernetes-master ~]# kubectl get pods --all-namespaces
NAMESPACE              NAME                                         READY   STATUS              RESTARTS         AGE
kube-flannel           kube-flannel-ds-k6mpb                        0/1     CrashLoopBackOff    263 (118s ago)   22h
kube-flannel           kube-flannel-ds-l68ft                        0/1     CrashLoopBackOff    263 (100s ago)   22h
kube-flannel           kube-flannel-ds-th9kz                        0/1     CrashLoopBackOff    262 (4m ago)     22h
kube-system            calico-kube-controllers-7d64c8fdd5-c8klr     1/1     Running             0                24m
kube-system            calico-node-574ht                            1/1     Running             0                24m
kube-system            calico-node-mgn28                            1/1     Running             0                24m
kube-system            calico-node-nglnx                            1/1     Running             0                24m
kube-system            coredns-66f779496c-cqf5k                     1/1     Running             0                23h
kube-system            coredns-66f779496c-lnxt4                     1/1     Running             0                23h
kube-system            etcd-kubernetes-master                       1/1     Running             0                23h
kube-system            kube-apiserver-kubernetes-master             1/1     Running             1 (12h ago)      23h
kube-system            kube-controller-manager-kubernetes-master    1/1     Running             15               23h
kube-system            kube-proxy-676dx                             1/1     Running             0                22h
kube-system            kube-proxy-kkt8g                             1/1     Running             0                23h
kube-system            kube-proxy-qgpbt                             1/1     Running             0                22h
kube-system            kube-scheduler-kubernetes-master             1/1     Running             16               23h
kubernetes-dashboard   dashboard-metrics-scraper-5657497c4c-bggwp   0/1     ContainerCreating   0                23s
kubernetes-dashboard   kubernetes-dashboard-746fbfd67c-8xbmk        0/1     ContainerCreating   0                23s

Check the kubernetes-dashboard status:

[root@kubernetes-master ~]# kubectl get pod -n kubernetes-dashboard
NAME                                         READY   STATUS              RESTARTS   AGE
dashboard-metrics-scraper-5657497c4c-bggwp   0/1     ImagePullBackOff    0          2m36s
kubernetes-dashboard-746fbfd67c-8xbmk        0/1     ContainerCreating   0          2m36s


Resolving the ImagePullBackOff problem

# Show the pod's details

[root@kubernetes-master ~]# kubectl describe pod/kubernetes-dashboard-746fbfd67c-8xbmk --namespace=kubernetes-dashboard
Name:             kubernetes-dashboard-746fbfd67c-8xbmk
Namespace:        kubernetes-dashboard
Priority:         0
Service Account:  kubernetes-dashboard
Node:             kubernetes-node1/172.24.110.183
Start Time:       Wed, 18 Sep 2024 14:45:16 +0800
Labels:           k8s-app=kubernetes-dashboard
                  pod-template-hash=746fbfd67c
Annotations:      cni.projectcalico.org/containerID: 7651e89375fa07f03a7594f82dc3c5a14b4fb63afb6f85006dc7f1d5464ff625
                  cni.projectcalico.org/podIP: 100.233.129.65/32
                  cni.projectcalico.org/podIPs: 100.233.129.65/32
Status:           Pending
SeccompProfile:   RuntimeDefault
IP:               100.233.129.65
IPs:
  IP:           100.233.129.65
Controlled By:  ReplicaSet/kubernetes-dashboard-746fbfd67c
Containers:
  kubernetes-dashboard:
    Container ID:  
    Image:         kubernetesui/dashboard:v2.6.1
    Image ID:      
    Port:          8443/TCP
    Host Port:     0/TCP
    Args:
      --auto-generate-certificates
      --namespace=kubernetes-dashboard
    State:          Waiting
      Reason:       ImagePullBackOff
    Ready:          False
    Restart Count:  0
    Liveness:       http-get https://:8443/ delay=30s timeout=30s period=10s #success=1 #failure=3
    Environment:    <none>
    Mounts:
      /certs from kubernetes-dashboard-certs (rw)
      /tmp from tmp-volume (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-r9w2d (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  kubernetes-dashboard-certs:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  kubernetes-dashboard-certs
    Optional:    false
  tmp-volume:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  kube-api-access-r9w2d:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              kubernetes.io/os=linux
Tolerations:                 node-role.kubernetes.io/master:NoSchedule
                             node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                  From               Message
  ----     ------     ----                 ----               -------
  Normal   Scheduled  8m43s                default-scheduler  Successfully assigned kubernetes-dashboard/kubernetes-dashboard-746fbfd67c-8xbmk to kubernetes-node1
  Warning  Failed     34s (x2 over 5m55s)  kubelet            Failed to pull image "kubernetesui/dashboard:v2.6.1": rpc error: code = Canceled desc = context canceled
  Warning  Failed     34s (x2 over 5m55s)  kubelet            Error: ErrImagePull
  Normal   BackOff    21s (x2 over 5m55s)  kubelet            Back-off pulling image "kubernetesui/dashboard:v2.6.1"
  Warning  Failed     21s (x2 over 5m55s)  kubelet            Error: ImagePullBackOff
  Normal   Pulling    6s (x3 over 8m42s)   kubelet            Pulling image "kubernetesui/dashboard:v2.6.1"


The output of the command above contains two important pieces of information:

The image that failed to pull: kubernetesui/dashboard:v2.6.1

Pull the image manually:

[root@kubernetes-master ~]# docker pull kubernetesui/dashboard:v2.6.1
v2.6.1: Pulling from kubernetesui/dashboard
596ae5b8318a: Pulling fs layer
596ae5b8318a: Pull complete
b721c920bca6: Pull complete
Digest: sha256:290bebc3cd96c22b6f89e7b21f5c2b16ce5c275a0ec2c2de10e0d8b9dd110289
Status: Downloaded newer image for kubernetesui/dashboard:v2.6.1
docker.io/kubernetesui/dashboard:v2.6.1


# Save the image to a tarball
docker save -o k8s-dashboard.tar kubernetesui/dashboard:v2.6.1



Instead of create, use apply to update:

[root@kubernetes-master ~]# kubectl apply -f recommended.yaml

Warning: resource namespaces/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
namespace/kubernetes-dashboard configured
Warning: resource serviceaccounts/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
serviceaccount/kubernetes-dashboard configured
Warning: resource services/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
service/kubernetes-dashboard configured
Warning: resource secrets/kubernetes-dashboard-certs is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
secret/kubernetes-dashboard-certs configured
Warning: resource secrets/kubernetes-dashboard-csrf is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
secret/kubernetes-dashboard-csrf configured
Warning: resource secrets/kubernetes-dashboard-key-holder is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
secret/kubernetes-dashboard-key-holder configured
Warning: resource configmaps/kubernetes-dashboard-settings is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
configmap/kubernetes-dashboard-settings configured
Warning: resource roles/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
role.rbac.authorization.k8s.io/kubernetes-dashboard configured
Warning: resource clusterroles/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard configured
Warning: resource rolebindings/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard configured
Warning: resource clusterrolebindings/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard configured
Warning: resource deployments/kubernetes-dashboard is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/kubernetes-dashboard configured
Warning: resource services/dashboard-metrics-scraper is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
service/dashboard-metrics-scraper configured
Warning: resource deployments/dashboard-metrics-scraper is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
deployment.apps/dashboard-metrics-scraper configured



OP | Posted on 2024-9-17 16:35:24
kubernetes command-completion tweak
# Add to ~/.bashrc
vim ~/.bashrc
# add the following line
source <(kubectl completion bash)

source ~/.bashrc

OP | Posted on 2024-9-18 14:22:13
Install the calico.yaml network component:
[root@kubernetes-master ~]# curl https://docs.projectcalico.org/v3.18/manifests/calico.yaml -O
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  184k  100  184k    0     0  98813      0  0:00:01  0:00:01 --:--:-- 98793


[root@kubernetes-master ~]# ls
calico.yaml  cri-dockerd-0.3.2-3.el7.x86_64.rpm  kube-flannel.yml  qemu-guest-agent-1.5.3-ksyun.x86_64.rpm  sudo-1.9.5-3.el7.x86_64.rpm
[root@kubernetes-master ~]# vim calico.yaml
[root@kubernetes-master ~]# kubectl apply -f calico.yaml
configmap/calico-config created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrole.rbac.authorization.k8s.io/calico-node created
clusterrolebinding.rbac.authorization.k8s.io/calico-node created
daemonset.apps/calico-node created
serviceaccount/calico-node created
deployment.apps/calico-kube-controllers created
serviceaccount/calico-kube-controllers created
error: resource mapping not found for name: "calico-kube-controllers" namespace: "kube-system" from "calico.yaml": no matches for kind "PodDisruptionBudget" in version "policy/v1beta1"
ensure CRDs are installed first


OP | Posted on 2024-9-18 15:14:52
Delete the pod, kubernetes-dashboard
kubectl describe pod/kubernetes-dashboard-746fbfd67c-8xbmk --namespace=kubernetes-dashboard


kube-flannel           kube-flannel-ds-l68ft                        0/1     CrashLoopBackOff

Solution:

Check the Pod's events or logs: use kubectl describe pod <pod-name> to view the Pod's events and logs and find the specific reason it failed to start.


kubectl describe pod kube-flannel-ds-l68ft --namespace=kube-flannel
Name:                 kube-flannel-ds-l68ft
Namespace:            kube-flannel
Priority:             2000001000
Priority Class Name:  system-node-critical
Service Account:      flannel
Node:                 kubernetes-node1/172.24.110.183
Start Time:           Tue, 17 Sep 2024 16:33:08 +0800
Labels:               app=flannel
                      controller-revision-hash=c46b99f7f
                      k8s-app=flannel
                      pod-template-generation=2
                      tier=node
Annotations:          <none>
Status:               Running
IP:                   172.24.110.183


Fix the configuration or start command: correct the container's configuration file or start command according to the log information.

Check resource limits: use kubectl top pod <pod-name> to check whether the Pod has enough resources to run.


Adjust permissions: make sure the container runs as the correct user and has the appropriate file permissions.

Confirm dependent services: make sure all the services it depends on are started and running normally.

Re-pull the image: use kubectl get pod -o yaml to view the Pod definition and confirm the image name and tag are correct, then use kubectl delete pod <pod-name> to force the Pod to re-pull the image.


kubectl get pod -o yaml
apiVersion: v1
items: []
kind: List
metadata:
  resourceVersion: ""


Adjust security policies: adjust the relevant security policies according to the log information so that the required operations are allowed.

Troubleshooting may take several attempts, and after every change the Pod must be recreated for the change to take effect.


1

主题

0

回帖

12

积分

管理员

积分
12
QQ
OP | Posted on 2024-9-18 16:18:16
The dashboard installed above had problems; reinstall it as follows:

[root@kubernetes-master ~]# wget https://raw.githubusercontent.co ... oy/recommended.yaml
--2024-09-18 16:04:03--  https://raw.githubusercontent.co ... oy/recommended.yaml
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7621 (7.4K) [text/plain]
Saving to: ‘recommended.yaml’

100%[======================================================================================================================================================================================>] 7,621       --.-K/s   in 0.001s  

2024-09-18 16:04:04 (7.53 MB/s) - ‘recommended.yaml’ saved [7621/7621]

[root@kubernetes-master ~]# ls
calico.yaml  cri-dockerd-0.3.2-3.el7.x86_64.rpm  kube-flannel.yml  qemu-guest-agent-1.5.3-ksyun.x86_64.rpm  recommended.yaml  recommended.yaml.bal  sudo-1.9.5-3.el7.x86_64.rpm
[root@kubernetes-master ~]# vim recommended.yaml
[root@kubernetes-master ~]# vim recommended.yaml

spec:
  type: NodePort      ## added
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 32333      ## added
  selector:
    k8s-app: kubernetes-dashboard

      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.5.1
          imagePullPolicy: Never    ## changed from Always to Never
          ports:
            - containerPort: 8443
              protocol: TCP

# create the dashboard
kubectl create -f recommended.yaml

[root@kubernetes-master ~]# kubectl create -f recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created

# list all pods
kubectl get pods --all-namespaces

[root@kubernetes-master ~]# kubectl get  pods --namespace kubernetes-dashboard
NAME                                         READY   STATUS             RESTARTS   AGE
dashboard-metrics-scraper-6fdb9d6cdd-nhs4j   0/1     ErrImagePull       0          95s
kubernetes-dashboard-79d57f5458-6kmlb        0/1     ImagePullBackOff   0          95s

View the error details:
#kubectl describe pod kubernetes-dashboard-79d57f5458-6kmlb --namespace kubernetes-dashboard

  Warning  Failed          81s (x2 over 2m10s)  kubelet            Failed to pull image "kubernetesui/dashboard:v2.5.1": Error response from daemon: Get "https://registry-1.docker.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
  Normal   Pulling         53s (x3 over 2m41s)  kubelet            Pulling image "kubernetesui/dashboard:v2.5.1"
  Warning  Failed          22s (x3 over 2m10s)  kubelet            Error: ErrImagePull
  Warning  Failed          22s                  kubelet            Failed to pull image "kubernetesui/dashboard:v2.5.1": Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp 199.16.156.71:443: i/o timeout

# Based on the messages above, go to the node and try to pull the image manually

kubectl apply  -f recommended.yaml
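The ImagePullBackOff events in this post and the "re-pull the image" advice in the troubleshooting list earlier in the thread both come down to reading the kubelet's Failed events correctly: a registry timeout, a wrong tag and a missing pull secret look the same in `kubectl get pods` but need different fixes. The script below is an added example (not code from the post or from the dashboard project). It classifies `Failed to pull image` events from `kubectl describe pod` output into registry-unreachable, image-not-found and auth-required and prints a mitigation hint for each, so the operator fixes node egress or a mirror, the manifest tag, or an imagePullSecret instead of retrying blindly. The sample events are constructed, modelled on the ones in the post plus one not-found case; the category names, hint wording and the example.invalid image are assumptions.

```shell
#!/bin/sh
# Classify "Failed to pull image" events from `kubectl describe pod` output.
# Added example, not code from the post. Reads describe output on stdin and
# prints "<category> <image>" lines (deduplicated), one per distinct failure:
#   registry-unreachable  node cannot reach the registry (proxy/DNS/firewall/mirror)
#   image-not-found       image name or tag in the manifest is wrong
#   auth-required         registry wants credentials, so an imagePullSecret is missing
#   other-pull-error      anything else; read the full kubelet message
classify_pull_events() {
    while IFS= read -r line; do
        case "$line" in
            *'Failed to pull image "'*) ;;
            *) continue ;;                 # skip Pulling/BackOff/ErrImagePull summary lines
        esac
        rest=${line#*'Failed to pull image "'}   # image":<space>message
        image=${rest%%'"'*}                      # text up to the closing quote
        msg=${rest#*'": '}                       # everything after the image
        case "$msg" in
            *'i/o timeout'*|*'Client.Timeout'*|*'no such host'*|*'connection refused'*)
                echo "registry-unreachable $image" ;;
            *'not found'*|*'manifest unknown'*)
                echo "image-not-found $image" ;;
            *'unauthorized'*|*'authentication required'*|*'pull access denied'*)
                echo "auth-required $image" ;;
            *)
                echo "other-pull-error $image" ;;
        esac
    done | sort -u
}

# Mitigation hint for each category (assumed wording).
suggest_fix() {
    case "$1" in
        registry-unreachable) echo "fix node egress to the registry (proxy, DNS, firewall) or pre-load/mirror the image and set imagePullPolicy: IfNotPresent" ;;
        image-not-found)      echo "verify image name and tag in the manifest" ;;
        auth-required)        echo "create an imagePullSecret and reference it in the Pod spec" ;;
        *)                    echo "read the full kubelet event message" ;;
    esac
}

# Constructed sample, modelled on the events in the post plus one not-found case.
SAMPLE_EVENTS='Events:
  Type     Reason          Age                  From               Message
  ----     ------          ----                 ----               -------
  Warning  Failed          81s (x2 over 2m10s)  kubelet            Failed to pull image "kubernetesui/dashboard:v2.5.1": Error response from daemon: Get "https://registry-1.docker.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
  Normal   Pulling         53s (x3 over 2m41s)  kubelet            Pulling image "kubernetesui/dashboard:v2.5.1"
  Warning  Failed          22s (x3 over 2m10s)  kubelet            Error: ErrImagePull
  Warning  Failed          22s                  kubelet            Failed to pull image "kubernetesui/dashboard:v2.5.1": Error response from daemon: Get "https://registry-1.docker.io/v2/": dial tcp 199.16.156.71:443: i/o timeout
  Warning  Failed          10s                  kubelet            Failed to pull image "example.invalid/team/app:v9": rpc error: code = NotFound desc = failed to pull and unpack image "example.invalid/team/app:v9": not found
  Normal   BackOff         5s (x4 over 2m)      kubelet            Back-off pulling image "kubernetesui/dashboard:v2.5.1"'

# Demo on the sample. On a cluster: kubectl describe pod <pod> -n <ns> | classify_pull_events
printf '%s\n' "$SAMPLE_EVENTS" | classify_pull_events | while read -r kind image; do
    echo "$image: $kind -> $(suggest_fix "$kind")"
done
```

The two timeout events for the dashboard image collapse into a single registry-unreachable line, which is the right reading of the post: the node cannot reach registry-1.docker.io at all, so changing the manifest will not help; loading the image onto the node or pointing the runtime at a reachable mirror will.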
OP | Posted on 2024-9-24 16:26:34
Step 1: Configure Kernel Modules and Networking
Before setting up Kubernetes, certain kernel modules and sysctl parameters need to be configured to ensure proper networking between containers.

First, we load the necessary kernel modules (overlay and br_netfilter) that Kubernetes relies on.

cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF

sudo modprobe overlay
sudo modprobe br_netfilter

# sysctl params required by setup, params persist across reboots
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables  = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward                 = 1
EOF

# Apply sysctl params without reboot
sudo sysctl --system

Step 2: Disable swap on all the Nodes
sudo swapoff -a
(crontab -l 2>/dev/null; echo "@reboot /sbin/swapoff -a") | crontab - || true

Step 3: Install Containerd Runtime On All The Nodes
sudo apt-get update && sudo apt-get install -y containerd

Step 4: Configure Containerd
sudo mkdir -p /etc/containerd
sudo containerd config default | sudo tee /etc/containerd/config.toml
sudo sed -i 's/            SystemdCgroup = false/            SystemdCgroup = true/' /etc/containerd/config.toml
sudo systemctl restart containerd

Step 5: Install Kubeadm & Kubelet & Kubectl on all Nodes
KUBERNETES_VERSION=1.30

sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://pkgs.k8s.io/core:/stable:/v$KUBERNETES_VERSION/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v$KUBERNETES_VERSION/deb/ /" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt update && sudo apt-get install -y kubelet=1.30.0-1.1 kubectl=1.30.0-1.1 kubeadm=1.30.0-1.1

Step 6: Initialize Cluster
NODENAME=$(hostname -s)
POD_CIDR="10.30.0.0/16"
kubeadm init   --pod-network-cidr=$POD_CIDR --node-name $NODENAME

Step 6: Copy Join command in workers
In this step, copy the kubeadm join command and follow Steps 1 to 5 on each of the other nodes.

Step 7: Install CNI Plugin
Finally, install a CNI for your cluster. In this example we are going to install Calico for our cluster.

kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml

Step 8: Final result
Now you should be able to run kubectl get nodes, and all nodes and kube-system pods should be running.

kubectl get nodes
kubectl get pods -A
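Steps 1 and 2 above put in place exactly the kernel state that kubeadm's preflight later validates (the 1.32 init log later in this thread shows the same ip_forward and swap checks). The script below is an added example, not code from the post: a small POSIX sh preflight that reads that state directly and tells apart a missing net.bridge sysctl (br_netfilter never loaded, so the file does not exist) from one that is present but set to 0, and that accepts a module built into the kernel, which never appears in /proc/modules but does have a /sys/module directory. The function takes a root prefix so the constructed fake trees below can exercise both the pass and the fail path offline; on a real node run `k8s_preflight /`. The function names and the fake-root layout are assumptions.

```shell
#!/bin/sh
# Preflight for the node settings from Steps 1-2: bridge sysctls, ip_forward,
# swap and the overlay/br_netfilter modules. Added example, not from the post.
# k8s_preflight ROOT reads kernel state below ROOT (use "/" on a real node;
# the demo below builds constructed fake roots), prints one ok/FAIL line per
# check and returns 1 if anything failed.
k8s_preflight() {
    root=${1:-/}; root=${root%/}   # "/" becomes "" so paths read /proc/...
    failed=0

    # net.bridge.* only appears under /proc/sys once br_netfilter is loaded,
    # so report a missing file as a module problem rather than a bad value.
    for key in net/bridge/bridge-nf-call-iptables \
               net/bridge/bridge-nf-call-ip6tables \
               net/ipv4/ip_forward; do
        f="$root/proc/sys/$key"
        if [ ! -r "$f" ]; then
            echo "FAIL $key: not present (is br_netfilter loaded?)"; failed=1
        elif [ "$(cat "$f")" != 1 ]; then
            echo "FAIL $key=$(cat "$f"), expected 1"; failed=1
        else
            echo "ok   $key=1"
        fi
    done

    # /proc/swaps has one header line; any further line is an active swap area.
    if [ -r "$root/proc/swaps" ] && [ "$(wc -l < "$root/proc/swaps")" -gt 1 ]; then
        echo "FAIL swap is active (kubelet refuses to start with swap on by default)"; failed=1
    else
        echo "ok   swap disabled"
    fi

    # A loaded module is listed in /proc/modules; a built-in one is not, but
    # still has a /sys/module directory, so accept either.
    for mod in overlay br_netfilter; do
        if grep -q "^$mod " "$root/proc/modules" 2>/dev/null || [ -d "$root/sys/module/$mod" ]; then
            echo "ok   module $mod available"
        else
            echo "FAIL module $mod not loaded (run: modprobe $mod)"; failed=1
        fi
    done
    return $failed
}

# Constructed fake root trees: "good" mirrors a node after Steps 1-2,
# "bad" has swap still on and br_netfilter never loaded.
make_fake_root() {
    dir=$1; state=$2
    mkdir -p "$dir/proc/sys/net/ipv4" "$dir/sys/module/overlay"
    echo 1 > "$dir/proc/sys/net/ipv4/ip_forward"
    printf 'Filename\tType\tSize\tUsed\tPriority\n' > "$dir/proc/swaps"
    printf 'overlay 151552 0 - Live 0x0000000000000000\n' > "$dir/proc/modules"
    if [ "$state" = good ]; then
        mkdir -p "$dir/proc/sys/net/bridge"
        echo 1 > "$dir/proc/sys/net/bridge/bridge-nf-call-iptables"
        echo 1 > "$dir/proc/sys/net/bridge/bridge-nf-call-ip6tables"
        printf 'br_netfilter 32768 0 - Live 0x0000000000000000\n' >> "$dir/proc/modules"
    else
        printf '/dev/sda2\tpartition\t2097148\t0\t-2\n' >> "$dir/proc/swaps"
    fi
}

# Demo: run both trees, then clean up.
tmp=$(mktemp -d)
make_fake_root "$tmp/good" good
make_fake_root "$tmp/bad" bad
echo "== good node =="; k8s_preflight "$tmp/good" && echo "PASS"
echo "== bad node ==";  k8s_preflight "$tmp/bad"  || echo "FAIL (expected)"
rm -rf "$tmp"
```

Run it on every node after Step 2 and before `kubeadm init` or `kubeadm join`; a node that passes here will not trip kubeadm's own ip_forward, swap or bridge-netfilter preflight checks.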
OP | Posted on 2024-12-29 21:16:59
The images have changed a bit recently:

I1229 21:16:13.799696    2756 version.go:256] remote version is much newer: v1.32.0; falling back to: stable-1.28
registry.k8s.io/kube-apiserver:v1.28.15
registry.k8s.io/kube-controller-manager:v1.28.15
registry.k8s.io/kube-scheduler:v1.28.15
registry.k8s.io/kube-proxy:v1.28.15
registry.k8s.io/pause:3.9
registry.k8s.io/etcd:3.5.9-0
registry.k8s.io/coredns/coredns:v1.10.1

OP | Posted on 2025-1-1 09:26:26
6 e5 {7 D. u0 t
在使用kubernetes 32版本- ~7 P. F1 y1 W. P, l) J' c, O
[root@k8s-master ~]# kubeadm init --apiserver-advertise-address=192.168.8.190 --image-repository registry.aliyuncs.com/google_containers  --kubernetes-version=v1.32.0 --service-cidr=172.29.16.0/23 --pod-network-cidr=172.22.16.0/23 --cri-socket=unix:///var/run/cri-dockerd.sock --v=5
8 k& c) O+ P" i0 A( rI0101 09:17:08.895164    2766 kubelet.go:195] the value of KubeletConfiguration.cgroupDriver is empty; setting it to "systemd"
. |! Q5 m% r  F# C[init] Using Kubernetes version: v1.32.0
; q! y, a1 ~7 f, y/ |+ ?+ O. Q5 Z[preflight] Running pre-flight checks
: \7 J9 D) [3 UI0101 09:17:08.912311    2766 checks.go:561] validating Kubernetes and kubeadm version
' H& v7 q# Z! j) a        [WARNING KubernetesVersion]: Kubernetes version is greater than kubeadm version. Please consider to upgrade kubeadm. Kubernetes version: 1.32.0. Kubeadm version: 1.31.x
6 U+ K- q% T% v8 G" G+ v, `: }6 D8 BI0101 09:17:08.912412    2766 checks.go:166] validating if the firewall is enabled and active
5 S2 B  S" {- `I0101 09:17:08.925133    2766 checks.go:201] validating availability of port 6443
1 o: a2 O. X- ^2 f  F4 b* I, |3 l2 dI0101 09:17:08.925553    2766 checks.go:201] validating availability of port 10259
+ Z: S4 |, ~' ~& W, w! f, s1 X% bI0101 09:17:08.925679    2766 checks.go:201] validating availability of port 10257
# V$ F3 A/ q% i4 WI0101 09:17:08.925766    2766 checks.go:278] validating the existence of file /etc/kubernetes/manifests/kube-apiserver.yaml
  q6 L+ \- {# s5 ZI0101 09:17:08.925857    2766 checks.go:278] validating the existence of file /etc/kubernetes/manifests/kube-controller-manager.yaml
% K' @  w2 }( J" k5 n/ ZI0101 09:17:08.925909    2766 checks.go:278] validating the existence of file /etc/kubernetes/manifests/kube-scheduler.yaml- h# z, B$ d5 _8 Y5 [
I0101 09:17:08.925954    2766 checks.go:278] validating the existence of file /etc/kubernetes/manifests/etcd.yaml3 Z( W8 n! m  P3 m+ K. v
I0101 09:17:08.925979    2766 checks.go:428] validating if the connectivity type is via proxy or direct
9 X6 L* a/ p6 M6 ]I0101 09:17:08.926074    2766 checks.go:467] validating http connectivity to first IP address in the CIDR
2 ~$ a# n" r' @% K# s, v4 h% i& VI0101 09:17:08.926142    2766 checks.go:467] validating http connectivity to first IP address in the CIDR8 P1 Z- z" _  O. g: ^1 Z  t
I0101 09:17:08.926178    2766 checks.go:102] validating the container runtime
1 x( P/ j0 T& a, m5 J) v( gI0101 09:17:08.927016    2766 checks.go:637] validating whether swap is enabled or not3 b% J5 }! O4 u' q( G, R! f
I0101 09:17:08.927191    2766 checks.go:368] validating the presence of executable crictl
+ {7 t5 L: v( U* a3 I. T. N2 gI0101 09:17:08.927293    2766 checks.go:368] validating the presence of executable conntrack
& Z: M( G  f8 x1 ^/ gI0101 09:17:08.927331    2766 checks.go:368] validating the presence of executable ip
1 l6 a# X0 a! G* A  mI0101 09:17:08.927369    2766 checks.go:368] validating the presence of executable iptables
. {& K0 Y4 T5 X+ nI0101 09:17:08.927405    2766 checks.go:368] validating the presence of executable mount, {. ]9 M& @3 s
I0101 09:17:08.927442    2766 checks.go:368] validating the presence of executable nsenter) a0 M1 @+ I. t6 s9 S" N
I0101 09:17:08.927479    2766 checks.go:368] validating the presence of executable ethtool& v5 ~) W* a. Y3 |$ W
I0101 09:17:08.927512    2766 checks.go:368] validating the presence of executable tc
6 P5 d$ x* {8 f$ K( tI0101 09:17:08.927565    2766 checks.go:368] validating the presence of executable touch/ F$ D6 T8 O; Q3 H
I0101 09:17:08.927605    2766 checks.go:514] running all checks3 `) i- a# ~: {( j
I0101 09:17:08.941390    2766 checks.go:399] checking whether the given node name is valid and reachable using net.LookupHost4 h8 H' n: Y% R8 t( U( X
I0101 09:17:08.941828    2766 checks.go:603] validating kubelet version
1 ]5 f" v- _, GI0101 09:17:09.013778    2766 checks.go:128] validating if the "kubelet" service is enabled and active
, L' Z9 ]) {3 g/ [# }        [WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service'
: Z- q" m+ i! N$ V0 RI0101 09:17:09.027024    2766 checks.go:201] validating availability of port 102506 S7 S& Q0 G2 ?3 S! `
I0101 09:17:09.027156    2766 checks.go:327] validating the contents of file /proc/sys/net/ipv4/ip_forward3 d' T. B9 }  _; `
I0101 09:17:09.027330    2766 checks.go:201] validating availability of port 2379
: u, y2 v9 N9 {" k6 f# NI0101 09:17:09.027432    2766 checks.go:201] validating availability of port 2380. U2 x4 a# p/ F! f
I0101 09:17:09.027550    2766 checks.go:241] validating the existence and emptiness of directory /var/lib/etcd8 h$ c5 X0 |& j3 r* v, ~
[preflight] Pulling images required for setting up a Kubernetes cluster
- m4 K" @9 P+ {+ r1 i5 |[preflight] This might take a minute or two, depending on the speed of your internet connection, \% w8 d  R  ]( W' r
[preflight] You can also perform this action beforehand using 'kubeadm config images pull'# c: p* ]4 A4 h# C7 S/ a
I0101 09:17:09.030027    2766 images.go:80] WARNING: could not find officially supported version of etcd for Kubernetes v1.32.0, falling back to the nearest etcd version (3.5.15-0): A$ ]: d; i7 r: q' |
I0101 09:17:09.030090    2766 checks.go:832] using image pull policy: IfNotPresent
) H+ T+ O; e. l7 _( WW0101 09:17:09.031052    2766 checks.go:846] detected that the sandbox image "registry.aliyuncs.com/google_containers/pause:3.9" of the container runtime is inconsistent with that used by kubeadm.It is recommended to use "registry.aliyuncs.com/google_containers/pause:3.10" as the CRI sandbox image.  v; x% D/ h( s9 K3 L/ E7 I# D! V
I0101 09:17:09.033771    2766 checks.go:871] pulling: registry.aliyuncs.com/google_containers/kube-apiserver:v1.32.0
% p+ I/ s) z- J. @: ^4 VI0101 09:17:16.690625    2766 checks.go:871] pulling: registry.aliyuncs.com/google_containers/kube-controller-manager:v1.32.0
# k8 @" G4 _+ E% B+ a3 NI0101 09:17:23.575148    2766 checks.go:871] pulling: registry.aliyuncs.com/google_containers/kube-scheduler:v1.32.0
( s) E7 L; V9 C3 NI0101 09:17:29.427958    2766 checks.go:871] pulling: registry.aliyuncs.com/google_containers/kube-proxy:v1.32.0
% ^" t9 G' b' P& W! W% y0 dI0101 09:17:37.054594    2766 checks.go:871] pulling: registry.aliyuncs.com/google_containers/coredns:v1.11.3
6 g/ A# ^$ C" G9 E$ z9 ZI0101 09:17:43.574636    2766 checks.go:871] pulling: registry.aliyuncs.com/google_containers/pause:3.106 j7 d4 n* Z9 Z9 [" h
I0101 09:17:44.929429    2766 checks.go:871] pulling: registry.aliyuncs.com/google_containers/etcd:3.5.15-03 ?; W- _- S* w5 k1 R0 I
[certs] Using certificateDir folder "/etc/kubernetes/pki"
3 i$ y6 q, J' L* e% lI0101 09:17:58.489483    2766 certs.go:112] creating a new certificate authority for ca
4 z1 z7 n$ y2 i3 \0 Q8 N, D[certs] Generating "ca" certificate and key; @$ o7 ^% @. K7 h
I0101 09:17:59.936877    2766 certs.go:473] validating certificate period for ca certificate% j* z5 Y9 a* N4 `1 T# e9 m
[certs] Generating "apiserver" certificate and key
! e- d2 P/ c& {  g& n[certs] apiserver serving cert is signed for DNS names [k8s-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [172.29.16.1 192.168.8.190]: [# e8 G' M0 d5 y) u! j
[certs] Generating "apiserver-kubelet-client" certificate and key
2 N% Y3 s8 h) G' u1 zI0101 09:18:01.377059    2766 certs.go:112] creating a new certificate authority for front-proxy-ca
! U6 p3 t% w$ O% X6 R. L[certs] Generating "front-proxy-ca" certificate and key
& t, z" T  z" _2 {2 [, YI0101 09:18:03.218799    2766 certs.go:473] validating certificate period for front-proxy-ca certificate
# {. D7 T! M! \4 }[certs] Generating "front-proxy-client" certificate and key' ~" Y- e: u2 u
I0101 09:18:04.332875    2766 certs.go:112] creating a new certificate authority for etcd-ca
) m9 g* G& A. c5 ][certs] Generating "etcd/ca" certificate and key
  u' P2 ^) J- o4 qI0101 09:18:06.977732    2766 certs.go:473] validating certificate period for etcd/ca certificate
+ Z0 z. P  i. u" |0 @3 y! x8 h[certs] Generating "etcd/server" certificate and key
/ g# X  u; q. }  L+ g& p[certs] etcd/server serving cert is signed for DNS names [k8s-master localhost] and IPs [192.168.8.190 127.0.0.1 ::1]
( S- h2 \$ b1 l; }- t- B[certs] Generating "etcd/peer" certificate and key* D; p% {, A1 x. V6 Y
[certs] etcd/peer serving cert is signed for DNS names [k8s-master localhost] and IPs [192.168.8.190 127.0.0.1 ::1]* \; \, w+ ~7 i8 g
[certs] Generating "etcd/healthcheck-client" certificate and key/ B6 X2 |6 T* p
[certs] Generating "apiserver-etcd-client" certificate and key
3 e9 T' ^( n0 Q4 E6 QI0101 09:18:10.455557    2766 certs.go:78] creating new public/private key files for signing service account users
& b+ \; w5 B6 }0 f1 ]' c; v3 H[certs] Generating "sa" key and public key
! m7 B! b/ Y4 s' m! `2 A; p[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
8 J) G  {) f2 X5 hI0101 09:18:10.855930    2766 kubeconfig.go:111] creating kubeconfig file for admin.conf  y1 ?( _$ i5 O0 U( }. e
[kubeconfig] Writing "admin.conf" kubeconfig file
4 w  i; S5 K0 N* n- t1 FI0101 09:18:11.347740    2766 kubeconfig.go:111] creating kubeconfig file for super-admin.conf/ D0 a+ k& f& C7 x7 C) k, V
[kubeconfig] Writing "super-admin.conf" kubeconfig file% F" C3 I+ ^6 j1 F3 S
I0101 09:18:11.688152    2766 kubeconfig.go:111] creating kubeconfig file for kubelet.conf, y3 p9 l* A  P8 H# A( s
[kubeconfig] Writing "kubelet.conf" kubeconfig file
/ |; d! M6 e% z- O. qI0101 09:18:12.190293    2766 kubeconfig.go:111] creating kubeconfig file for controller-manager.conf
4 i' m* B; e; ~# p[kubeconfig] Writing "controller-manager.conf" kubeconfig file
. h6 R6 }4 F& ]0 G2 U/ TI0101 09:18:13.161357    2766 kubeconfig.go:111] creating kubeconfig file for scheduler.conf+ ~1 n6 a4 j% ~. x
[kubeconfig] Writing "scheduler.conf" kubeconfig file4 K1 v  N7 H& Q# c4 d
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"9 {% @/ T2 ^" M9 j8 W/ f7 `3 H
I0101 09:18:13.708236    2766 images.go:80] WARNING: could not find officially supported version of etcd for Kubernetes v1.32.0, falling back to the nearest etcd version (3.5.15-0)
! P+ N( j# f, G' j2 |. |I0101 09:18:13.713834    2766 local.go:65] [etcd] wrote Static Pod manifest for a local etcd member to "/etc/kubernetes/manifests/etcd.yaml"
3 X: N7 c. [- u: m* ]- X) k[control-plane] Using manifest folder "/etc/kubernetes/manifests"; J& q$ A: H! c+ _: h, G
[control-plane] Creating static Pod manifest for "kube-apiserver"
+ }  \. V' Y5 [. T; CI0101 09:18:13.714027    2766 manifests.go:103] [control-plane] getting StaticPodSpecs
; P  i; E/ e& |' v+ B& ^I0101 09:18:13.714500    2766 certs.go:473] validating certificate period for CA certificate! K+ h; x, B. ?/ n5 K
I0101 09:18:13.714687    2766 manifests.go:129] [control-plane] adding volume "ca-certs" for component "kube-apiserver"$ T. Q+ @: A! q1 I2 v8 k( ~9 `! w
I0101 09:18:13.714767    2766 manifests.go:129] [control-plane] adding volume "etc-pki-ca-trust" for component "kube-apiserver"0 m9 w7 }% O' ^6 G  Q; c
I0101 09:18:13.714837    2766 manifests.go:129] [control-plane] adding volume "etc-pki-tls-certs" for component "kube-apiserver"
2 b; E! f7 A( i) S- s- eI0101 09:18:13.714857    2766 manifests.go:129] [control-plane] adding volume "k8s-certs" for component "kube-apiserver"+ |% \% k$ j# P0 }0 ]. }
I0101 09:18:13.716746    2766 manifests.go:158] [control-plane] wrote static Pod manifest for component "kube-apiserver" to "/etc/kubernetes/manifests/kube-apiserver.yaml"8 H5 n  p8 u* ~: f, @6 y  r
[control-plane] Creating static Pod manifest for "kube-controller-manager"8 J1 @+ l* f; n5 M
I0101 09:18:13.716863    2766 manifests.go:103] [control-plane] getting StaticPodSpecs
; n% }0 _9 Z* ~" D6 l% l# q+ y, DI0101 09:18:13.717331    2766 manifests.go:129] [control-plane] adding volume "ca-certs" for component "kube-controller-manager"
- X9 }8 H7 X. |7 m2 FI0101 09:18:13.717415    2766 manifests.go:129] [control-plane] adding volume "etc-pki-ca-trust" for component "kube-controller-manager"$ N8 X3 T5 P+ m- O! r3 Q2 ^
I0101 09:18:13.717453    2766 manifests.go:129] [control-plane] adding volume "etc-pki-tls-certs" for component "kube-controller-manager"
3 S: T4 Q, D% m6 a5 T2 @  `& XI0101 09:18:13.717498    2766 manifests.go:129] [control-plane] adding volume "flexvolume-dir" for component "kube-controller-manager"' F4 o( S/ t+ U$ {& t) G/ o
I0101 09:18:13.717517    2766 manifests.go:129] [control-plane] adding volume "k8s-certs" for component "kube-controller-manager"
3 C( x* V4 l+ l6 VI0101 09:18:13.717561    2766 manifests.go:129] [control-plane] adding volume "kubeconfig" for component "kube-controller-manager"& T5 U2 h! U9 A
I0101 09:18:13.719110    2766 manifests.go:158] [control-plane] wrote static Pod manifest for component "kube-controller-manager" to "/etc/kubernetes/manifests/kube-controller-manager.yaml") ~9 ]; x, r9 d% y9 M+ P% t: I9 X
[control-plane] Creating static Pod manifest for "kube-scheduler"
1 B) I, M$ ~5 s& B$ x+ P: \I0101 09:18:13.719208    2766 manifests.go:103] [control-plane] getting StaticPodSpecs$ c0 S& h' x0 ]* i
I0101 09:18:13.719600    2766 manifests.go:129] [control-plane] adding volume "kubeconfig" for component "kube-scheduler"
1 l' ?1 e# P+ q1 wI0101 09:18:13.720666    2766 manifests.go:158] [control-plane] wrote static Pod manifest for component "kube-scheduler" to "/etc/kubernetes/manifests/kube-scheduler.yaml"" E& O8 S' L7 ]4 {- p# D
I0101 09:18:13.720760    2766 kubelet.go:68] Stopping the kubelet
( v% L6 u. M9 g% x2 p2 B' H4 G: Q[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"4 M: A- x: _; o- [
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
9 X0 h: k, N5 u+ O$ v[kubelet-start] Starting the kubelet3 l1 }  n5 s( R" Q
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests"$ q* X' ]( L8 l: m
[kubelet-check] Waiting for a healthy kubelet at http://127.0.0.1:10248/healthz. This can take up to 4m0s
9 J5 g2 {! v4 b7 w1 a[kubelet-check] The kubelet is healthy after 1.517289565s
/ j1 L* e4 `. d5 X7 m$ Y[api-check] Waiting for a healthy API server. This can take up to 4m0s* F$ I2 _/ O/ i: D, ^( x* `
[api-check] The API server is healthy after 17.003014698s  k1 e/ I8 z) B# k* M& B& t
I0101 09:18:32.522198    2766 kubeconfig.go:665] ensuring that the ClusterRoleBinding for the kubeadm:cluster-admins Group exists
% ~$ t5 \" }, x4 N% nI0101 09:18:32.524875    2766 kubeconfig.go:738] creating the ClusterRoleBinding for the kubeadm:cluster-admins Group by using super-admin.conf2 k$ w- ~$ A" U" z
I0101 09:18:32.548427    2766 uploadconfig.go:112] [upload-config] Uploading the kubeadm ClusterConfiguration to a ConfigMap
% `0 X0 o: U$ n; N+ w! O: d( c[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
- z; e; d! r/ k4 c- ~5 A' lI0101 09:18:32.566210    2766 uploadconfig.go:126] [upload-config] Uploading the kubelet component config to a ConfigMap4 r4 e& j+ r0 e) G
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster7 a  z: I4 ^9 E- x2 K
I0101 09:18:32.584736    2766 uploadconfig.go:131] [upload-config] Preserving the CRISocket information for the control-plane node& P3 h, G" P; Y/ y5 r. \+ `
I0101 09:18:32.584775    2766 patchnode.go:31] [patchnode] Uploading the CRI Socket information "unix:///var/run/cri-dockerd.sock" to the Node API object "k8s-master" as an annotation
3 G" S2 ^+ H' f( }3 f7 b" f[upload-certs] Skipping phase. Please see --upload-certs5 o9 a  b  g" |( E* P6 n
[mark-control-plane] Marking the node k8s-master as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]( g  N6 q) U2 h* Q0 a; q+ \1 Z
[mark-control-plane] Marking the node k8s-master as control-plane by adding the taints [node-role.kubernetes.io/control-plane:NoSchedule]* I0 O5 p: u: h2 h# m
[bootstrap-token] Using token: mkl5ok.ttqgpoybxarwwum8
2 [: w+ r, z/ |" O  a. D[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles9 u4 O8 Q1 t+ a. J! M1 v
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes
# x) q, R! e- B6 j+ |1 _[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials3 K2 c, d% x: S& d2 ]" I
[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token7 k3 [8 i& d8 [8 h7 A1 M
[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
6 c4 v, L9 n, ?6 V[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
) y0 U5 d! H8 lI0101 09:18:32.662880    2766 clusterinfo.go:47] [bootstrap-token] loading admin kubeconfig8 l' l- G5 A$ a
I0101 09:18:32.663948    2766 clusterinfo.go:58] [bootstrap-token] copying the cluster from admin.conf to the bootstrap kubeconfig+ c1 D& t3 a$ B2 a
I0101 09:18:32.664531    2766 clusterinfo.go:70] [bootstrap-token] creating/updating ConfigMap in kube-public namespace- ?; t' z! T9 \* Q5 m1 A3 c, H* y
I0101 09:18:32.670237    2766 clusterinfo.go:84] creating the RBAC rules for exposing the cluster-info ConfigMap in the kube-public namespace* _* V) q" r% y. k4 Z
I0101 09:18:32.722880    2766 request.go:632] Waited for 52.518759ms due to client-side throttling, not priority and fairness, request: POST:https://192.168.8.190:6443/apis/ ... c/roles?timeout=10s# `; M5 ^7 T1 r# D: n6 m
I0101 09:18:32.922885    2766 request.go:632] Waited for 193.402714ms due to client-side throttling, not priority and fairness, request: POST:https://192.168.8.190:6443/apis/ ... indings?timeout=10s* S9 p: |$ ~! Q6 j# k
I0101 09:18:32.928726    2766 kubeletfinalize.go:123] [kubelet-finalize] Assuming that kubelet client certificate rotation is enabled: found "/var/lib/kubelet/pki/kubelet-client-current.pem"
2 f* d: X  g, n, ]. G[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
& C3 U. R9 M" ]/ J* tI0101 09:18:32.931276    2766 kubeletfinalize.go:177] [kubelet-finalize] Restarting the kubelet to enable client certificate rotation6 z/ k+ {6 }4 U/ s2 b
I0101 09:18:33.171057    2766 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=false
I0101 09:18:33.171183    2766 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=false
I0101 09:18:33.325030    2766 request.go:632] Waited for 103.44617ms due to client-side throttling, not priority and fairness, request: POST:https://192.168.8.190:6443/apis/ ... indings?timeout=10s
[addons] Applied essential addon: CoreDNS
I0101 09:18:33.550063    2766 request.go:632] Waited for 94.465297ms due to client-side throttling, not priority and fairness, request: POST:https://192.168.8.190:6443/api/v ... ccounts?timeout=10s
I0101 09:18:33.723795    2766 request.go:632] Waited for 151.789723ms due to client-side throttling, not priority and fairness, request: POST:https://192.168.8.190:6443/apis/ ... m/roles?timeout=10s
I0101 09:18:33.922760    2766 request.go:632] Waited for 187.41919ms due to client-side throttling, not priority and fairness, request: POST:https://192.168.8.190:6443/apis/ ... indings?timeout=10s
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/conce ... inistration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.8.190:6443 --token mkl5ok.ttqgpoybxarwwum8 \
        --discovery-token-ca-cert-hash sha256:6951f50d3ba9e40f8d175cab4b9711eeb164aa06969b72b2f12a6d881fea666c
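The join command printed above is only safe to hand to a worker because the --discovery-token-ca-cert-hash pins the cluster CA: the joining node refuses any control plane whose CA public key does not hash to that value, so the pin is worth checking before it is pasted onto a node. The script below is an added example, not code from the original post or from kubeadm; it re-derives the pin from a CA certificate (SHA-256 over the DER-encoded SubjectPublicKeyInfo, which is the value kubeadm prints and what "openssl x509 -pubkey | openssl rsa -pubin -outform der | openssl dgst -sha256" computes) and checks whether a given join command carries it. The certificate it parses is constructed inline with a dummy key so the example runs offline; the function names, the placeholder token abcdef.0123456789abcdef and the address 10.0.0.1 are assumptions of this example, and on a real control plane you would read the PEM from /etc/kubernetes/pki/ca.crt (kubeadm's default path) instead.

```python
import base64
import hashlib
import re
import shlex

# Join command as printed on the page above; its pin belongs to that cluster's real CA.
PAGE_JOIN_COMMAND = (
    "kubeadm join 192.168.8.190:6443 --token mkl5ok.ttqgpoybxarwwum8 \\\n"
    "        --discovery-token-ca-cert-hash "
    "sha256:6951f50d3ba9e40f8d175cab4b9711eeb164aa06969b72b2f12a6d881fea666c"
)


def der_len(n):
    """Encode a DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Build one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Parse the element at buf[pos]; return (tag, value, offset just after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln


def pem_to_der(pem):
    """Drop the PEM armor and whitespace, base64-decode the rest."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s+", "", pem))


def spki_der(cert_der):
    """Return the subjectPublicKeyInfo SEQUENCE (whole TLV) of an X.509 certificate.
    Certificate = SEQ{ tbsCertificate, signatureAlgorithm, signature };
    tbsCertificate = SEQ{ [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, spki, ... }."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    pos = 0
    tag, _, end = read_tlv(tbs, 0)
    if tag == 0xA0:                                 # v1 certificates omit the [0] version
        pos = end
    for _ in range(5):                              # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]


def ca_cert_hash(pem):
    """kubeadm's pin format: sha256:<hex of SHA-256 over the DER SPKI>."""
    return "sha256:" + hashlib.sha256(spki_der(pem_to_der(pem))).hexdigest()


def join_command_hash(cmd):
    """Extract the --discovery-token-ca-cert-hash value from a kubeadm join line."""
    args = shlex.split(cmd.replace("\\\n", " "))
    for i, arg in enumerate(args):
        if arg == "--discovery-token-ca-cert-hash":
            return args[i + 1]
        if arg.startswith("--discovery-token-ca-cert-hash="):
            return arg.split("=", 1)[1]
    raise ValueError("join command carries no CA pin")


def join_pins_ca(cmd, ca_pem):
    """True only when the command's pin is the hash of this CA's public key."""
    return join_command_hash(cmd) == ca_cert_hash(ca_pem)


def _constructed_ca(with_version):
    """CONSTRUCTED X.509 shell with a dummy key and signature so the walker runs
    offline; it is not a real certificate. Returns (pem, expected spki der)."""
    rsa_oid = tlv(0x06, bytes.fromhex("2a864886f70d010101"))      # rsaEncryption
    sha256_rsa = tlv(0x06, bytes.fromhex("2a864886f70d01010b"))   # sha256WithRSAEncryption
    key_alg, sig_alg = tlv(0x30, rsa_oid + tlv(0x05, b"")), tlv(0x30, sha256_rsa + tlv(0x05, b""))
    spki = tlv(0x30, key_alg + tlv(0x03, b"\x00" + b"\x01" * 8))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"kubernetes"))))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    version = tlv(0xA0, tlv(0x02, b"\x02")) if with_version else b""
    tbs = tlv(0x30, version + tlv(0x02, b"\x01") + sig_alg + name + validity + name + spki)
    cert = tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" + b"\x02" * 8))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n", spki


SAMPLE_CA_PEM, SAMPLE_SPKI_DER = _constructed_ca(with_version=True)
SAMPLE_V1_CA_PEM, _ = _constructed_ca(with_version=False)


def demo():
    """The page's command must NOT match the constructed CA; a command built from
    the constructed CA's own pin must. Token and address here are placeholders."""
    own_pin = ca_cert_hash(SAMPLE_CA_PEM)
    own_join = ("kubeadm join 10.0.0.1:6443 --token abcdef.0123456789abcdef "
                f"--discovery-token-ca-cert-hash {own_pin}")
    return {
        "page_pin": join_command_hash(PAGE_JOIN_COMMAND),
        "constructed_ca_pin": own_pin,
        "page_command_matches_constructed_ca": join_pins_ca(PAGE_JOIN_COMMAND, SAMPLE_CA_PEM),
        "own_command_matches_constructed_ca": join_pins_ca(own_join, SAMPLE_CA_PEM),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The walker deliberately hashes the whole SubjectPublicKeyInfo TLV, algorithm identifier included, rather than the raw key bits, because that is what kubeadm pins; hashing anything else yields a value that looks right but never matches. A mismatch on a real cluster means either the join command was copied from a different cluster or the CA you are checking against is not the one the control plane serves, and the node should not be joined until that is resolved.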

Original poster | Posted on 2025-1-1 19:51:59
Create directories
Create the path below according to your own situation; it is used to store the k8s binaries and the image files that will be used.

mkdir -p /approot1/k8s/{bin,images,pkg,tmp/{ssl,service}}
Disable the firewall
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "systemctl disable firewalld"; \
ssh $i "systemctl stop firewalld"; \
done
Disable SELinux
Temporarily

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "setenforce 0"; \
done
Permanently

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "sed -i '/SELINUX/s/enforcing/disabled/g' /etc/selinux/config"; \
done
Disable swap
Temporarily

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "swapoff -a"; \
done
Permanently

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab"; \
done
Enable kernel modules
Temporarily

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "modprobe ip_vs"; \
ssh $i "modprobe ip_vs_rr"; \
ssh $i "modprobe ip_vs_wrr"; \
ssh $i "modprobe ip_vs_sh"; \
ssh $i "modprobe nf_conntrack"; \
ssh $i "modprobe nf_conntrack_ipv4"; \
ssh $i "modprobe br_netfilter"; \
ssh $i "modprobe overlay"; \
done
Permanently

vim /approot1/k8s/tmp/service/k8s-modules.conf
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
nf_conntrack_ipv4
br_netfilter
overlay
Distribute to all nodes
for i in 192.168.91.19 192.168.91.20;do \
scp /approot1/k8s/tmp/service/k8s-modules.conf $i:/etc/modules-load.d/; \
done
Enable the systemd module auto-load service
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "systemctl enable systemd-modules-load"; \
ssh $i "systemctl restart systemd-modules-load"; \
ssh $i "systemctl is-active systemd-modules-load"; \
done
A return of active means the module auto-load service started successfully.

Configure kernel parameters
The parameters below apply to 3.x and 4.x series kernels.

vim /approot1/k8s/tmp/service/kubernetes.conf
Before editing, it is recommended to run :set paste in vim first, so that the pasted content does not differ from the document (extra comments, broken indentation and so on).

# Enable packet forwarding (needed for vxlan)
net.ipv4.ip_forward=1
# Let iptables process bridged traffic
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-arptables=1
# Disable tcp_tw_recycle; otherwise it conflicts with NAT and services become unreachable
net.ipv4.tcp_tw_recycle=0
# Do not allow TIME-WAIT sockets to be reused for new TCP connections
net.ipv4.tcp_tw_reuse=0
# Upper limit of the socket listen() backlog
net.core.somaxconn=32768
# Maximum number of tracked connections, default nf_conntrack_buckets * 4
net.netfilter.nf_conntrack_max=1000000
# Do not use swap space; only allow it when the system is OOM
vm.swappiness=0
# Number of memory-mapped files
vm.max_map_count=655360
# Maximum number of file handles the kernel can allocate
fs.file-max=6553600
# Keepalive for persistent connections
net.ipv4.tcp_keepalive_time=600
net.ipv4.tcp_keepalive_intvl=30
net.ipv4.tcp_keepalive_probes=10
Distribute to all nodes
for i in 192.168.91.19 192.168.91.20;do \
scp /approot1/k8s/tmp/service/kubernetes.conf $i:/etc/sysctl.d/; \
done
Load the kernel parameters
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "sysctl -p /etc/sysctl.d/kubernetes.conf"; \
done
Flush iptables rules
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat"; \
ssh $i "iptables -P FORWARD ACCEPT"; \
done
Configure the PATH variable
# \$PATH is escaped so that it expands on the remote host rather than locally
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "echo 'PATH=\$PATH:/approot1/k8s/bin' >> $HOME/.bashrc"; \
done
source $HOME/.bashrc
Download binaries
Only one node needs to do this.

Downloading from GitHub is slow; you can instead upload the files from your local machine to the /approot1/k8s/pkg/ directory.

wget -O /approot1/k8s/pkg/kubernetes.tar.gz \
https://dl.k8s.io/v1.23.3/kubernetes-server-linux-amd64.tar.gz

wget -O /approot1/k8s/pkg/etcd.tar.gz \
https://github.com/etcd-io/etcd/ ... -linux-amd64.tar.gz
Extract and remove unnecessary files

cd /approot1/k8s/pkg/
for i in $(ls *.tar.gz);do tar xvf $i && rm -f $i;done
mv kubernetes/server/bin/ kubernetes/
rm -rf kubernetes/{addons,kubernetes-src.tar.gz,LICENSES,server}
rm -f kubernetes/bin/*_tag kubernetes/bin/*.tar
rm -rf etcd-v3.5.1-linux-amd64/Documentation etcd-v3.5.1-linux-amd64/*.md
Deploy the master node
Create the CA root certificate
wget -O /approot1/k8s/bin/cfssl https://github.com/cloudflare/cf ... l_1.6.1_linux_amd64
wget -O /approot1/k8s/bin/cfssljson https://github.com/cloudflare/cf ... n_1.6.1_linux_amd64
chmod +x /approot1/k8s/bin/*
vim /approot1/k8s/tmp/ssl/ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "876000h"
      }
    }
  }
}
vim /approot1/k8s/tmp/ssl/ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ShangHai",
      "L": "ShangHai",
      "O": "k8s",
      "OU": "System"
    }
  ],
  "ca": {
    "expiry": "876000h"
  }
}
cd /approot1/k8s/tmp/ssl/
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
Deploy the etcd component
Create the etcd certificate
vim /approot1/k8s/tmp/ssl/etcd-csr.json
Change 192.168.91.19 here to your own IP; do not blindly copy and paste.

Mind the JSON format.

{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.91.19"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ShangHai",
      "L": "ShangHai",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
cd /approot1/k8s/tmp/ssl/
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes etcd-csr.json | cfssljson -bare etcd
Configure etcd to be managed by systemctl
vim /approot1/k8s/tmp/service/kube-etcd.service.192.168.91.19
Change 192.168.91.19 here to your own IP; do not blindly copy and paste.

etcd parameters

[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos

[Service]
Type=notify
WorkingDirectory=/approot1/k8s/data/etcd
ExecStart=/approot1/k8s/bin/etcd \
  --name=etcd-192.168.91.19 \
  --cert-file=/etc/kubernetes/ssl/etcd.pem \
  --key-file=/etc/kubernetes/ssl/etcd-key.pem \
  --peer-cert-file=/etc/kubernetes/ssl/etcd.pem \
  --peer-key-file=/etc/kubernetes/ssl/etcd-key.pem \
  --trusted-ca-file=/etc/kubernetes/ssl/ca.pem \
  --peer-trusted-ca-file=/etc/kubernetes/ssl/ca.pem \
  --initial-advertise-peer-urls=https://192.168.91.19:2380 \
  --listen-peer-urls=https://192.168.91.19:2380 \
  --listen-client-urls=https://192.168.91.19:2379,http://127.0.0.1:2379 \
  --advertise-client-urls=https://192.168.91.19:2379 \
  --initial-cluster-token=etcd-cluster-0 \
  --initial-cluster=etcd-192.168.91.19=https://192.168.91.19:2380 \
  --initial-cluster-state=new \
  --data-dir=/approot1/k8s/data/etcd \
  --wal-dir= \
  --snapshot-count=50000 \
  --auto-compaction-retention=1 \
  --auto-compaction-mode=periodic \
  --max-request-bytes=10485760 \
  --quota-backend-bytes=8589934592
Restart=always
RestartSec=15
LimitNOFILE=65536
OOMScoreAdjust=-999

[Install]
WantedBy=multi-user.target
Distribute certificates and create the required paths
For multiple nodes, just append the corresponding IPs after 192.168.91.19, separated by spaces; remember to change 192.168.91.19 to your own IP and do not copy blindly.

Also make sure the directories match your own plan; if they differ from mine, change them, otherwise the service will fail to start.

for i in 192.168.91.19;do \
ssh $i "mkdir -p /etc/kubernetes/ssl"; \
ssh $i "mkdir -m 700 -p /approot1/k8s/data/etcd"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
scp /approot1/k8s/tmp/ssl/{ca*.pem,etcd*.pem} $i:/etc/kubernetes/ssl/; \
scp /approot1/k8s/tmp/service/kube-etcd.service.$i $i:/etc/systemd/system/kube-etcd.service; \
scp /approot1/k8s/pkg/etcd-v3.5.1-linux-amd64/etcd* $i:/approot1/k8s/bin/; \
done
Start the etcd service
For multiple nodes, just append the corresponding IPs after 192.168.91.19, separated by spaces; remember to change 192.168.91.19 to your own IP and do not copy blindly.

for i in 192.168.91.19;do \
ssh $i "systemctl daemon-reload"; \
ssh $i "systemctl enable kube-etcd"; \
ssh $i "systemctl restart kube-etcd --no-block"; \
ssh $i "systemctl is-active kube-etcd"; \
done
A return of activating means etcd is still starting; wait a moment and then run for i in 192.168.91.19;do ssh $i "systemctl is-active kube-etcd";done again.

A return of active means etcd started successfully. With a multi-node etcd it is normal for one of them not to return active; use the method below to verify the cluster.

For multiple nodes, just append the corresponding IPs after 192.168.91.19, separated by spaces; remember to change 192.168.91.19 to your own IP and do not copy blindly.

for i in 192.168.91.19;do \
ssh $i "ETCDCTL_API=3 /approot1/k8s/bin/etcdctl \
        --endpoints=https://${i}:2379 \
        --cacert=/etc/kubernetes/ssl/ca.pem \
        --cert=/etc/kubernetes/ssl/etcd.pem \
        --key=/etc/kubernetes/ssl/etcd-key.pem \
        endpoint health"; \
done
https://192.168.91.19:2379 is healthy: successfully committed proposal: took = 7.135668ms

Output like the above containing successfully means the node is healthy.

Deploy the apiserver component
Create the apiserver certificate
vim /approot1/k8s/tmp/ssl/kubernetes-csr.json
Change 192.168.91.19 here to your own IP; do not blindly copy and paste.

Mind the JSON format.

10.88.0.1 is the k8s service IP; it must not overlap with your existing network, to avoid conflicts.

{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.91.19",
    "10.88.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ShangHai",
      "L": "ShangHai",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
cd /approot1/k8s/tmp/ssl/
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
Create the metrics-server certificate
vim /approot1/k8s/tmp/ssl/metrics-server-csr.json
{
  "CN": "aggregator",
  "hosts": [
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ShangHai",
      "L": "ShangHai",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
cd /approot1/k8s/tmp/ssl/
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes metrics-server-csr.json | cfssljson -bare metrics-server
Configure apiserver to be managed by systemctl
vim /approot1/k8s/tmp/service/kube-apiserver.service.192.168.91.19
Change 192.168.91.19 here to your own IP; do not blindly copy and paste.

The IP range of the --service-cluster-ip-range parameter must be the same subnet as 10.88.0.1 in kubernetes-csr.json.

--etcd-servers: if etcd has multiple nodes, list all etcd nodes here.

apiserver parameters

[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
ExecStart=/approot1/k8s/bin/kube-apiserver \
  --allow-privileged=true \
  --anonymous-auth=false \
  --api-audiences=api,istio-ca \
  --authorization-mode=Node,RBAC \
  --bind-address=192.168.91.19 \
  --client-ca-file=/etc/kubernetes/ssl/ca.pem \
  --endpoint-reconciler-type=lease \
  --etcd-cafile=/etc/kubernetes/ssl/ca.pem \
  --etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem \
  --etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem \
  --etcd-servers=https://192.168.91.19:2379 \
  --kubelet-certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --kubelet-client-certificate=/etc/kubernetes/ssl/kubernetes.pem \
  --kubelet-client-key=/etc/kubernetes/ssl/kubernetes-key.pem \
  --secure-port=6443 \
  --service-account-issuer=https://kubernetes.default.svc \
  --service-account-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --service-account-key-file=/etc/kubernetes/ssl/ca.pem \
  --service-cluster-ip-range=10.88.0.0/16 \
  --service-node-port-range=30000-32767 \
  --tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem \
  --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
  --requestheader-client-ca-file=/etc/kubernetes/ssl/ca.pem \
  --requestheader-allowed-names= \
  --requestheader-extra-headers-prefix=X-Remote-Extra- \
  --requestheader-group-headers=X-Remote-Group \
  --requestheader-username-headers=X-Remote-User \
  --proxy-client-cert-file=/etc/kubernetes/ssl/metrics-server.pem \
  --proxy-client-key-file=/etc/kubernetes/ssl/metrics-server-key.pem \
  --enable-aggregator-routing=true \
  --v=2
Restart=always
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
Distribute certificates and create the required paths
For multiple nodes, just append the corresponding IPs after 192.168.91.19, separated by spaces; remember to change 192.168.91.19 to your own IP and do not copy blindly.

Also make sure the directories match your own plan; if they differ from mine, change them, otherwise the service will fail to start.

for i in 192.168.91.19;do \
ssh $i "mkdir -p /etc/kubernetes/ssl"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
scp /approot1/k8s/tmp/ssl/{ca*.pem,kubernetes*.pem,metrics-server*.pem} $i:/etc/kubernetes/ssl/; \
scp /approot1/k8s/tmp/service/kube-apiserver.service.$i $i:/etc/systemd/system/kube-apiserver.service; \
scp /approot1/k8s/pkg/kubernetes/bin/kube-apiserver $i:/approot1/k8s/bin/; \
done
Start the apiserver service
For multiple nodes, just append the corresponding IPs after 192.168.91.19, separated by spaces; remember to change 192.168.91.19 to your own IP and do not copy blindly.

for i in 192.168.91.19;do \
ssh $i "systemctl daemon-reload"; \
ssh $i "systemctl enable kube-apiserver"; \
ssh $i "systemctl restart kube-apiserver --no-block"; \
ssh $i "systemctl is-active kube-apiserver"; \
done
A return of activating means apiserver is still starting; wait a moment and then run for i in 192.168.91.19;do ssh $i "systemctl is-active kube-apiserver";done again.

A return of active means apiserver started successfully.

curl -k --cacert /etc/kubernetes/ssl/ca.pem \
--cert /etc/kubernetes/ssl/kubernetes.pem \
--key /etc/kubernetes/ssl/kubernetes-key.pem \
https://192.168.91.19:6443/api
A normal response like the following means the apiserver service is running correctly.

{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "192.168.91.19:6443"
    }
  ]
}
View all k8s kinds (object categories)

curl -s -k --cacert /etc/kubernetes/ssl/ca.pem \
--cert /etc/kubernetes/ssl/kubernetes.pem \
--key /etc/kubernetes/ssl/kubernetes-key.pem \
https://192.168.91.19:6443/api/v1/ | grep kind | sort -u
  "kind": "APIResourceList",
      "kind": "Binding",
      "kind": "ComponentStatus",
      "kind": "ConfigMap",
      "kind": "Endpoints",
      "kind": "Event",
      "kind": "Eviction",
      "kind": "LimitRange",
      "kind": "Namespace",
      "kind": "Node",
      "kind": "NodeProxyOptions",
      "kind": "PersistentVolume",
      "kind": "PersistentVolumeClaim",
      "kind": "Pod",
      "kind": "PodAttachOptions",
      "kind": "PodExecOptions",
      "kind": "PodPortForwardOptions",
      "kind": "PodProxyOptions",
      "kind": "PodTemplate",
      "kind": "ReplicationController",
      "kind": "ResourceQuota",
      "kind": "Scale",
      "kind": "Secret",
      "kind": "Service",
      "kind": "ServiceAccount",
      "kind": "ServiceProxyOptions",
      "kind": "TokenRequest",
Configure kubectl management
Create the admin certificate
vim /approot1/k8s/tmp/ssl/admin-csr.json
{
  "CN": "admin",
  "hosts": [
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ShangHai",
      "L": "ShangHai",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
cd /approot1/k8s/tmp/ssl/
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes admin-csr.json | cfssljson -bare admin
Create the kubeconfig
Set the cluster parameters

--server is the apiserver access address; change it to your own IP and the port given by the --secure-port parameter in the service file. Remember to include the https:// scheme, otherwise kubectl will not be able to reach the apiserver with the generated config.

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://192.168.91.19:6443 \
--kubeconfig=kubectl.kubeconfig
Set the client authentication parameters

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-credentials admin \
--client-certificate=admin.pem \
--client-key=admin-key.pem \
--embed-certs=true \
--kubeconfig=kubectl.kubeconfig
Set the context parameters

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin \
--kubeconfig=kubectl.kubeconfig
Set the default context

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig
Distribute the kubeconfig to all master nodes
For multiple nodes, just append the corresponding IPs after 192.168.91.19, separated by spaces; remember to change 192.168.91.19 to your own IP and do not copy blindly.

for i in 192.168.91.19;do \
ssh $i "mkdir -p /etc/kubernetes/ssl"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
ssh $i "mkdir -p $HOME/.kube"; \
scp /approot1/k8s/pkg/kubernetes/bin/kubectl $i:/approot1/k8s/bin/; \
ssh $i "echo 'source <(kubectl completion bash)' >> $HOME/.bashrc"; \
scp /approot1/k8s/tmp/ssl/kubectl.kubeconfig $i:$HOME/.kube/config; \
done
$ q) T3 [$ `# s1 a5 J6 E; r部署 controller-manager 组件
( U  O: D$ m9 S: B% O6 J+ ]! T创建 controller-manager 证书# }/ E& R4 I1 N; E& Y; d8 I
vim /approot1/k8s/tmp/ssl/kube-controller-manager-csr.json2 P) n5 F6 c, M5 c! `1 [
这里的192.168.91.19需要改成自己的ip,不要一股脑的复制黏贴
$ C$ x) n$ n( l: z1 o' E; u% A
! F5 c  P7 u6 m! i( L8 D) O) u注意json的格式
- j0 m+ {, O' z. f! F
  K+ Z- }! w; w6 p: ^{' g: i* r1 s9 k5 w  @) M' F. }
    "CN": "system:kube-controller-manager",$ n: S# C+ D3 M0 w" e5 w5 @+ ?2 Q
    "key": {
5 {0 y8 m3 @; o& e% k        "algo": "rsa",* w2 v9 g6 P  d- d) e; A
        "size": 20481 \7 t: d# V0 I" W, ~
    },
% }6 F3 O, [! D1 D$ `2 E    "hosts": [' _1 T  G/ J: V& {. A
      "127.0.0.1",2 F5 h" U( s& j( m7 `0 ~
      "192.168.91.19"
: N- l$ D4 T, k3 G0 b    ]," F+ I, W0 @; c& D" t# \2 C( `
    "names": [) ?. J3 n6 l3 O8 p6 w6 a
      {
- ?3 z/ \" N: `* x' _        "C": "CN"," g) l8 e2 e( P6 f# u6 s
        "ST": "ShangHai",: [$ o. L' F+ m0 k+ m! e
        "L": "ShangHai",
' E" i( u4 z, ~3 L0 q        "O": "system:kube-controller-manager",
4 f) J5 m, z2 e8 o        "OU": "System"
* m2 L8 U# @6 ~) d4 h      }
# E8 E/ J) ^  u# A, l    ]
. j; K3 Q/ }4 |1 U}
6 y9 v. B9 ~  l# ^cd /approot1/k8s/tmp/ssl/8 y9 B& f6 r# c6 Y
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager

Create the kubeconfig file

Set the cluster parameters

--server is the address of the apiserver. Change it to your own IP and to the port given by the --secure-port parameter in the apiserver service file. Remember to include the https:// scheme; otherwise kubectl cannot reach the apiserver with the generated kubeconfig.

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://192.168.91.19:6443 \
--kubeconfig=kube-controller-manager.kubeconfig

Set the client credentials

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-credentials system:kube-controller-manager \
--client-certificate=kube-controller-manager.pem \
--client-key=kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=kube-controller-manager.kubeconfig

Set the context parameters

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-context system:kube-controller-manager \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=kube-controller-manager.kubeconfig

Set the default context

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config \
use-context system:kube-controller-manager \
--kubeconfig=kube-controller-manager.kubeconfig
Configure controller-manager as a systemd service

vim /approot1/k8s/tmp/service/kube-controller-manager.service

Replace 192.168.91.19 here with your own IP; do not copy and paste blindly.

The --service-cluster-ip-range network must be the one that contains the 10.88.0.1 address listed in kubernetes-csr.json.

--cluster-cidr is the network the pods run in. It must differ from the --service-cluster-ip-range network and from your existing networks to avoid conflicts.

controller-manager parameters

[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/approot1/k8s/bin/kube-controller-manager \
  --bind-address=0.0.0.0 \
  --allocate-node-cidrs=true \
  --cluster-cidr=172.20.0.0/16 \
  --cluster-name=kubernetes \
  --cluster-signing-cert-file=/etc/kubernetes/ssl/ca.pem \
  --cluster-signing-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig \
  --leader-elect=true \
  --node-cidr-mask-size=24 \
  --root-ca-file=/etc/kubernetes/ssl/ca.pem \
  --service-account-private-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --service-cluster-ip-range=10.88.0.0/16 \
  --use-service-account-credentials=true \
  --v=2
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

Distribute the certificates and create the required directories

For multiple nodes, append the other IPs after 192.168.91.19, separated by spaces. Remember to change 192.168.91.19 to your own IP; do not copy blindly.

Also make sure the directories match your own plan. If yours differ from mine, adjust them, otherwise the service will fail to start.

for i in 192.168.91.19;do \
ssh $i "mkdir -p /etc/kubernetes/ssl"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
scp /approot1/k8s/tmp/ssl/kube-controller-manager.kubeconfig $i:/etc/kubernetes/; \
scp /approot1/k8s/tmp/ssl/ca*.pem $i:/etc/kubernetes/ssl/; \
scp /approot1/k8s/tmp/service/kube-controller-manager.service $i:/etc/systemd/system/; \
scp /approot1/k8s/pkg/kubernetes/bin/kube-controller-manager $i:/approot1/k8s/bin/; \
done

Start the controller-manager service

For multiple nodes, append the other IPs after 192.168.91.19, separated by spaces. Remember to change 192.168.91.19 to your own IP; do not copy blindly.

for i in 192.168.91.19;do \
ssh $i "systemctl daemon-reload"; \
ssh $i "systemctl enable kube-controller-manager"; \
ssh $i "systemctl restart kube-controller-manager --no-block"; \
ssh $i "systemctl is-active kube-controller-manager"; \
done

If activating is returned, controller-manager is still starting; wait a moment and then run for i in 192.168.91.19;do ssh $i "systemctl is-active kube-controller-manager";done again.

active means controller-manager started successfully.

Deploy the scheduler component

Create the scheduler certificate

vim /approot1/k8s/tmp/ssl/kube-scheduler-csr.json

Replace 192.168.91.19 here with your own IP; do not copy and paste blindly.

Mind the JSON format.

{
    "CN": "system:kube-scheduler",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "hosts": [
      "127.0.0.1",
      "192.168.91.19"
    ],
    "names": [
      {
        "C": "CN",
        "ST": "ShangHai",
        "L": "ShangHai",
        "O": "system:kube-scheduler",
        "OU": "System"
      }
    ]
}

cd /approot1/k8s/tmp/ssl/
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler

Create the kubeconfig file

Set the cluster parameters

--server is the address of the apiserver. Change it to your own IP and to the port given by the --secure-port parameter in the apiserver service file. Remember to include the https:// scheme; otherwise kubectl cannot reach the apiserver with the generated kubeconfig.

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://192.168.91.19:6443 \
--kubeconfig=kube-scheduler.kubeconfig

Set the client credentials

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-credentials system:kube-scheduler \
--client-certificate=kube-scheduler.pem \
--client-key=kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=kube-scheduler.kubeconfig

Set the context parameters

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-context system:kube-scheduler \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=kube-scheduler.kubeconfig

Set the default context

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config \
use-context system:kube-scheduler \
--kubeconfig=kube-scheduler.kubeconfig

Configure scheduler as a systemd service

vim /approot1/k8s/tmp/service/kube-scheduler.service

scheduler parameters

[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/approot1/k8s/bin/kube-scheduler \
  --authentication-kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \
  --authorization-kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \
  --bind-address=0.0.0.0 \
  --kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \
  --leader-elect=true \
  --v=2
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

Distribute the certificates and create the required directories

For multiple nodes, append the other IPs after 192.168.91.19, separated by spaces. Remember to change 192.168.91.19 to your own IP; do not copy blindly.

Also make sure the directories match your own plan. If yours differ from mine, adjust them, otherwise the service will fail to start.

for i in 192.168.91.19;do \
ssh $i "mkdir -p /etc/kubernetes/ssl"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
scp /approot1/k8s/tmp/ssl/{ca*.pem,kube-scheduler.kubeconfig} $i:/etc/kubernetes/; \
scp /approot1/k8s/tmp/service/kube-scheduler.service $i:/etc/systemd/system/; \
scp /approot1/k8s/pkg/kubernetes/bin/kube-scheduler $i:/approot1/k8s/bin/; \
done

Start the scheduler service

For multiple nodes, append the other IPs after 192.168.91.19, separated by spaces. Remember to change 192.168.91.19 to your own IP; do not copy blindly.

for i in 192.168.91.19;do \
ssh $i "systemctl daemon-reload"; \
ssh $i "systemctl enable kube-scheduler"; \
ssh $i "systemctl restart kube-scheduler --no-block"; \
ssh $i "systemctl is-active kube-scheduler"; \
done

If activating is returned, scheduler is still starting; wait a moment and then run for i in 192.168.91.19;do ssh $i "systemctl is-active kube-scheduler";done again.

active means scheduler started successfully.

Deploy the worker nodes

Deploy the containerd component

Download the binaries

When downloading containerd from GitHub, pick the archive whose name starts with cri-containerd-cni. It bundles containerd, the crictl management tool and the CNI network plugins, and the systemd service file, config.toml, crictl.yaml and CNI configuration files are already prepared, so only small changes are needed.

Although cri-containerd-cni also ships runc, that copy lacks dependencies, so download runc again from the runc GitHub releases.

wget -O /approot1/k8s/pkg/containerd.tar.gz \
https://github.com/containerd/co ... -linux-amd64.tar.gz
wget -O /approot1/k8s/pkg/runc https://github.com/opencontainer ... d/v1.0.3/runc.amd64
mkdir /approot1/k8s/pkg/containerd
cd /approot1/k8s/pkg/
for i in $(ls *containerd*.tar.gz);do tar xvf $i -C /approot1/k8s/pkg/containerd && rm -f $i;done
chmod +x /approot1/k8s/pkg/runc
mv /approot1/k8s/pkg/containerd/usr/local/bin/{containerd,containerd-shim*,crictl,ctr} /approot1/k8s/pkg/containerd/
mv /approot1/k8s/pkg/containerd/opt/cni/bin/{bridge,flannel,host-local,loopback,portmap} /approot1/k8s/pkg/containerd/
rm -rf /approot1/k8s/pkg/containerd/{etc,opt,usr}

Configure containerd as a systemd service

vim /approot1/k8s/tmp/service/containerd.service

Mind the path where the binaries are stored.

If the runc binary is not under /usr/bin/, the unit needs an Environment line that adds the runc directory to PATH; otherwise, when k8s starts a pod, it fails with exec: "runc": executable file not found in $PATH: unknown

[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target

[Service]
# systemd does not expand $PATH inside Environment=, so the search path is listed explicitly
Environment="PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/approot1/k8s/bin"
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/approot1/k8s/bin/containerd
Restart=always
RestartSec=5
Delegate=yes
KillMode=process
OOMScoreAdjust=-999
LimitNOFILE=1048576
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity

[Install]
WantedBy=multi-user.target
Configure the containerd config file

vim /approot1/k8s/tmp/service/config.toml

root is the container storage path; change it to a path with enough disk space.

bin_dir is the directory holding the containerd binaries and the CNI plugins.

sandbox_image is the name and tag of the pause image.

disabled_plugins = []
imports = []
oom_score = 0
plugin_dir = ""
required_plugins = []
root = "/approot1/data/containerd"
state = "/run/containerd"
version = 2

[cgroup]
  path = ""

[debug]
  address = ""
  format = ""
  gid = 0
  level = ""
  uid = 0

[grpc]
  address = "/run/containerd/containerd.sock"
  gid = 0
  max_recv_message_size = 16777216
  max_send_message_size = 16777216
  tcp_address = ""
  tcp_tls_cert = ""
  tcp_tls_key = ""
  uid = 0

[metrics]
  address = ""
  grpc_histogram = false

[plugins]

  [plugins."io.containerd.gc.v1.scheduler"]
    deletion_threshold = 0
    mutation_threshold = 100
    pause_threshold = 0.02
    schedule_delay = "0s"
    startup_delay = "100ms"

  [plugins."io.containerd.grpc.v1.cri"]
    disable_apparmor = false
    disable_cgroup = false
    disable_hugetlb_controller = true
    disable_proc_mount = false
    disable_tcp_service = true
    enable_selinux = false
    enable_tls_streaming = false
    ignore_image_defined_volumes = false
    max_concurrent_downloads = 3
    max_container_log_line_size = 16384
    netns_mounts_under_state_dir = false
    restrict_oom_score_adj = false
    sandbox_image = "k8s.gcr.io/pause:3.6"
    selinux_category_range = 1024
    stats_collect_period = 10
    stream_idle_timeout = "4h0m0s"
    stream_server_address = "127.0.0.1"
    stream_server_port = "0"
    systemd_cgroup = false
    tolerate_missing_hugetlb_controller = true
    unset_seccomp_profile = ""

    [plugins."io.containerd.grpc.v1.cri".cni]
      bin_dir = "/approot1/k8s/bin"
      conf_dir = "/etc/cni/net.d"
      conf_template = "/etc/cni/net.d/cni-default.conf"
      max_conf_num = 1

    [plugins."io.containerd.grpc.v1.cri".containerd]
      default_runtime_name = "runc"
      disable_snapshot_annotations = true
      discard_unpacked_layers = false
      no_pivot = false
      snapshotter = "overlayfs"

      [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
        base_runtime_spec = ""
        container_annotations = []
        pod_annotations = []
        privileged_without_host_devices = false
        runtime_engine = ""
        runtime_root = ""
        runtime_type = ""

        [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]

      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]

        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
          base_runtime_spec = ""
          container_annotations = []
          pod_annotations = []
          privileged_without_host_devices = false
          runtime_engine = ""
          runtime_root = ""
          runtime_type = "io.containerd.runc.v2"

          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
            BinaryName = ""
            CriuImagePath = ""
            CriuPath = ""
            CriuWorkPath = ""
            IoGid = 0
            IoUid = 0
            NoNewKeyring = false
            NoPivotRoot = false
            Root = ""
            ShimCgroup = ""
            SystemdCgroup = true

      [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
        base_runtime_spec = ""
        container_annotations = []
        pod_annotations = []
        privileged_without_host_devices = false
        runtime_engine = ""
        runtime_root = ""
        runtime_type = ""

        [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options]

    [plugins."io.containerd.grpc.v1.cri".image_decryption]
      key_model = "node"

    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = ""

      [plugins."io.containerd.grpc.v1.cri".registry.auths]

      [plugins."io.containerd.grpc.v1.cri".registry.configs]

      [plugins."io.containerd.grpc.v1.cri".registry.headers]

      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          # the second endpoint is plain http, so image pulls through it are not protected in transit
          endpoint = ["https://docker.mirrors.ustc.edu.cn", "http://hub-mirror.c.163.com"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]
          endpoint = ["https://gcr.mirrors.ustc.edu.cn"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
          endpoint = ["https://gcr.mirrors.ustc.edu.cn/google-containers/"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
          endpoint = ["https://quay.mirrors.ustc.edu.cn"]

    [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
      tls_cert_file = ""
      tls_key_file = ""

  [plugins."io.containerd.internal.v1.opt"]
    path = "/opt/containerd"

  [plugins."io.containerd.internal.v1.restart"]
    interval = "10s"

  [plugins."io.containerd.metadata.v1.bolt"]
    content_sharing_policy = "shared"

  [plugins."io.containerd.monitor.v1.cgroups"]
    no_prometheus = false

  [plugins."io.containerd.runtime.v1.linux"]
    no_shim = false
    runtime = "runc"
    runtime_root = ""
    shim = "containerd-shim"
    shim_debug = false

  [plugins."io.containerd.runtime.v2.task"]
    platforms = ["linux/amd64"]

  [plugins."io.containerd.service.v1.diff-service"]
    default = ["walking"]

  [plugins."io.containerd.snapshotter.v1.aufs"]
    root_path = ""

  [plugins."io.containerd.snapshotter.v1.btrfs"]
    root_path = ""

  [plugins."io.containerd.snapshotter.v1.devmapper"]
    async_remove = false
    base_image_size = ""
    pool_name = ""
    root_path = ""

  [plugins."io.containerd.snapshotter.v1.native"]
    root_path = ""

  [plugins."io.containerd.snapshotter.v1.overlayfs"]
    root_path = ""

  [plugins."io.containerd.snapshotter.v1.zfs"]
    root_path = ""

[proxy_plugins]

[stream_processors]

  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
    accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
    env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
    path = "ctd-decoder"
    returns = "application/vnd.oci.image.layer.v1.tar"

  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
    accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
    env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
    path = "ctd-decoder"
    returns = "application/vnd.oci.image.layer.v1.tar+gzip"

[timeouts]
  "io.containerd.timeout.shim.cleanup" = "5s"
  "io.containerd.timeout.shim.load" = "5s"
  "io.containerd.timeout.shim.shutdown" = "3s"
  "io.containerd.timeout.task.state" = "2s"

[ttrpc]
  address = ""
  gid = 0
  uid = 0
Configure the crictl management tool

vim /approot1/k8s/tmp/service/crictl.yaml

runtime-endpoint: unix:///run/containerd/containerd.sock

Configure the CNI network plugin

vim /approot1/k8s/tmp/service/cni-default.conf

The subnet parameter must match the controller-manager --cluster-cidr parameter.

{
        "name": "mynet",
        "cniVersion": "0.3.1",
        "type": "bridge",
        "bridge": "mynet0",
        "isDefaultGateway": true,
        "ipMasq": true,
        "hairpinMode": true,
        "ipam": {
                "type": "host-local",
                "subnet": "172.20.0.0/16"
        }
}
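The rules stated for the controller-manager unit (the apiserver service IP must sit inside --service-cluster-ip-range, --cluster-cidr must not overlap it), for the CNI subnet above (it must equal --cluster-cidr), and for the kubelet clusterDNS address described later (inside the service range, not the kubernetes service IP) are easy to break when copying files between hosts. The script below is an added example, not part of the original post: it checks those relationships offline with plain POSIX shell arithmetic, using the values from this post. The function names are my own, and whether a range collides with your existing site networks still has to be checked against your own plan.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the address
# ranges that several config files in this guide must agree on.
# The values in the demonstration call at the bottom are the ones used in the
# post; substitute your own plan.

# ip4_to_int 10.88.0.1 -> 173539329 (the address as one 32-bit integer)
ip4_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 173539329 -> 10.88.0.1
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_of PREFIXLEN -> the netmask as an integer (16 -> 4294901760, i.e. 255.255.0.0)
mask_of() {
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# cidr_parts 172.20.0.0/16 -> "<network as integer> <prefix length>"
cidr_parts() {
    _m=$(mask_of "${1#*/}")
    echo "$(( $(ip4_to_int "${1%/*}") & _m )) ${1#*/}"
}

# cidr_contains CIDR IP -> succeeds when IP lies inside CIDR
cidr_contains() {
    set -- $(cidr_parts "$1") "$2"
    _m=$(mask_of "$2")
    [ $(( $(ip4_to_int "$3") & _m )) -eq "$1" ]
}

# cidr_overlap CIDR1 CIDR2 -> succeeds when the ranges share addresses;
# two prefix-aligned blocks overlap only if one's network address lies inside the other
cidr_overlap() {
    cidr_contains "$1" "${2%/*}" || cidr_contains "$2" "${1%/*}"
}

# nth_ip CIDR N -> the N-th address of the range
# (N=1 is the kubernetes service IP, N=2 the usual clusterDNS address)
nth_ip() {
    set -- $(cidr_parts "$1") "$2"
    int_to_ip4 $(( $1 + $3 ))
}

# check_cluster_networks SERVICE_CIDR CLUSTER_CIDR CNI_SUBNET APISERVER_SVC_IP CLUSTER_DNS
# Prints one line per problem; the return value is the number of problems found.
check_cluster_networks() {
    svc=$1; pod=$2; cni=$3; api=$4; dns=$5; bad=0
    # the 10.88.0.1 address from kubernetes-csr.json must lie inside --service-cluster-ip-range
    cidr_contains "$svc" "$api" || { echo "FAIL: apiserver service IP $api is not in $svc"; bad=$((bad + 1)); }
    # --cluster-cidr (pods) must not overlap --service-cluster-ip-range
    if cidr_overlap "$svc" "$pod"; then echo "FAIL: pod range $pod overlaps service range $svc"; bad=$((bad + 1)); fi
    # the CNI subnet must be exactly --cluster-cidr
    [ "$(cidr_parts "$cni")" = "$(cidr_parts "$pod")" ] || { echo "FAIL: cni subnet $cni differs from --cluster-cidr $pod"; bad=$((bad + 1)); }
    # clusterDNS must be inside the service range and must not be the kubernetes service IP
    cidr_contains "$svc" "$dns" || { echo "FAIL: clusterDNS $dns is not in $svc"; bad=$((bad + 1)); }
    [ "$dns" != "$api" ] || { echo "FAIL: clusterDNS $dns collides with the kubernetes service IP"; bad=$((bad + 1)); }
    [ "$bad" -eq 0 ] && echo "OK: service=$svc pods=$pod cni=$cni apiserver=$api dns=$dns"
    return "$bad"
}

# Demonstration with the values from this post (constructed run; prints OK)
check_cluster_networks 10.88.0.0/16 172.20.0.0/16 172.20.0.0/16 10.88.0.1 10.88.0.2
```

Run it once after editing the controller-manager unit, cni-default.conf and the kubelet config; a non-zero exit status lists exactly which file disagrees, which is cheaper than finding out from pods that get an address the service proxy also claims.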
Distribute the config files and create the required directories

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "mkdir -p /etc/containerd"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
ssh $i "mkdir -p /etc/cni/net.d"; \
scp /approot1/k8s/tmp/service/containerd.service $i:/etc/systemd/system/; \
scp /approot1/k8s/tmp/service/config.toml $i:/etc/containerd/; \
scp /approot1/k8s/tmp/service/cni-default.conf $i:/etc/cni/net.d/; \
scp /approot1/k8s/tmp/service/crictl.yaml $i:/etc/; \
scp /approot1/k8s/pkg/containerd/* $i:/approot1/k8s/bin/; \
scp /approot1/k8s/pkg/runc $i:/approot1/k8s/bin/; \
done

Start the containerd service

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "systemctl daemon-reload"; \
ssh $i "systemctl enable containerd"; \
ssh $i "systemctl restart containerd --no-block"; \
ssh $i "systemctl is-active containerd"; \
done

If activating is returned, containerd is still starting; wait a moment and then run for i in 192.168.91.19 192.168.91.20;do ssh $i "systemctl is-active containerd";done again.

active means containerd started successfully.

Import the pause image

ctr image import has a quirk: for the imported image to be usable by k8s you must pass -n k8s.io, and the command must be written as ctr -n k8s.io image import <xxx.tar>. Writing ctr image import <xxx.tar> -n k8s.io fails with ctr: flag provided but not defined: -n. This is a little odd and takes some getting used to.

If the image was imported without -n k8s.io, kubelet will try to pull the pause image again when starting a pod, and if the configured registry has no image with that tag it errors out.

for i in 192.168.91.19 192.168.91.20;do \
scp /approot1/k8s/images/pause-v3.6.tar $i:/tmp/; \
ssh $i "ctr -n=k8s.io image import /tmp/pause-v3.6.tar && rm -f /tmp/pause-v3.6.tar"; \
done

View the images

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "ctr -n=k8s.io image list | grep pause"; \
done
Deploy the kubelet component

Create the kubelet certificates

vim /approot1/k8s/tmp/ssl/kubelet-csr.json.192.168.91.19

Replace 192.168.91.19 here with your own IP; do not copy and paste blindly. Create one JSON file per node, and change the IP inside each file to that worker node's IP, with no duplicates.

{
    "CN": "system:node:192.168.91.19",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "hosts": [
      "127.0.0.1",
      "192.168.91.19"
    ],
    "names": [
      {
        "C": "CN",
        "ST": "ShangHai",
        "L": "ShangHai",
        "O": "system:nodes",
        "OU": "System"
      }
    ]
}

for i in 192.168.91.19 192.168.91.20;do \
cd /approot1/k8s/tmp/ssl/; \
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes kubelet-csr.json.$i | cfssljson -bare kubelet.$i; \
done
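As an added example (not part of the original post), the script below generates one kubelet-csr.json.<ip> per worker with the layout shown above and then checks that a file's CN, hosts list and O field agree with the IP in its file name, which catches the copied-but-not-edited file the note above warns about. The function names are my own; the check that O is system:nodes reflects the group the Node authorizer expects a kubelet to belong to.

```shell
#!/bin/sh
# Added example, not from the original post: generate one kubelet CSR JSON per
# worker IP and verify that a file's CN, hosts and O fields match the IP in its name.

# kubelet_csr_json IP -> prints the CSR JSON for one worker, same layout as the post's file
kubelet_csr_json() {
    cat <<EOF
{
    "CN": "system:node:$1",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "hosts": [
      "127.0.0.1",
      "$1"
    ],
    "names": [
      {
        "C": "CN",
        "ST": "ShangHai",
        "L": "ShangHai",
        "O": "system:nodes",
        "OU": "System"
      }
    ]
}
EOF
}

# write_kubelet_csrs DIR IP... -> writes DIR/kubelet-csr.json.<ip> for every IP given
write_kubelet_csrs() {
    dir=$1; shift
    for ip in "$@"; do
        kubelet_csr_json "$ip" > "$dir/kubelet-csr.json.$ip"
    done
}

# kubelet_csr_consistent FILE -> succeeds when the IP in the file name, the CN and the
# hosts list agree and O is system:nodes (the group the Node authorizer expects)
kubelet_csr_consistent() {
    f=$1
    ip=${f##*kubelet-csr.json.}
    cn=$(sed -n 's/^ *"CN": *"\(.*\)",$/\1/p' "$f")
    org=$(sed -n 's/^ *"O": *"\(.*\)",$/\1/p' "$f")
    [ "$cn" = "system:node:$ip" ] || { echo "FAIL $f: CN is $cn, expected system:node:$ip"; return 1; }
    grep -qF -- "\"$ip\"" "$f" || { echo "FAIL $f: hosts does not list $ip"; return 1; }
    [ "$org" = "system:nodes" ] || { echo "FAIL $f: O is $org, expected system:nodes"; return 1; }
    echo "OK $f"
}

# Demonstration: print the CSR for the first worker used in this post
kubelet_csr_json 192.168.91.19
```

Run kubelet_csr_consistent over every kubelet-csr.json.* file before the cfssl loop; a CN that names a different node than the file name silently yields a certificate the apiserver will attribute to the wrong node.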
Create the kubeconfig files

Set the cluster parameters

--server is the address of the apiserver. Change it to your own IP and to the port given by the --secure-port parameter in the apiserver service file. Remember to include the https:// scheme; otherwise kubectl cannot reach the apiserver with the generated kubeconfig.

for i in 192.168.91.19 192.168.91.20;do \
cd /approot1/k8s/tmp/ssl/; \
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://192.168.91.19:6443 \
--kubeconfig=kubelet.kubeconfig.$i; \
done

Set the client credentials

for i in 192.168.91.19 192.168.91.20;do \
cd /approot1/k8s/tmp/ssl/; \
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-credentials system:node:$i \
--client-certificate=kubelet.$i.pem \
--client-key=kubelet.$i-key.pem \
--embed-certs=true \
--kubeconfig=kubelet.kubeconfig.$i; \
done

Set the context parameters

for i in 192.168.91.19 192.168.91.20;do \
cd /approot1/k8s/tmp/ssl/; \
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-context default \
--cluster=kubernetes \
--user=system:node:$i \
--kubeconfig=kubelet.kubeconfig.$i; \
done

Set the default context

for i in 192.168.91.19 192.168.91.20;do \
cd /approot1/k8s/tmp/ssl/; \
/approot1/k8s/pkg/kubernetes/bin/kubectl config \
use-context default \
--kubeconfig=kubelet.kubeconfig.$i; \
done
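The same --server warning appears in the controller-manager, scheduler and kubelet kubeconfig steps. The script below is an added example, not part of the original post: it validates the --server value (https scheme, dotted IPv4 host, numeric port) and compares the port with the --secure-port in the apiserver unit before any kubeconfig is generated. The SAMPLE_APISERVER_UNIT text is a constructed fragment standing in for the real service file, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: validate the --server value used
# in every kubectl config set-cluster step before generating kubeconfigs.

# Constructed fragment of a kube-apiserver unit (not the post's full service file)
SAMPLE_APISERVER_UNIT='ExecStart=/approot1/k8s/bin/kube-apiserver \
  --bind-address=0.0.0.0 \
  --secure-port=6443 \
  --v=2'

# server_url_ok URL -> succeeds only for https://<dotted IPv4>:<port>, the form this guide uses
server_url_ok() {
    url=$1
    case $url in
        https://*) ;;
        http://*)  echo "FAIL: $url is plain http; the apiserver only serves TLS on --secure-port"; return 1 ;;
        *)         echo "FAIL: $url lacks the https:// scheme, kubectl will not reach the apiserver"; return 1 ;;
    esac
    hostport=${url#https://}; hostport=${hostport%%/*}
    host=${hostport%:*}; port=${hostport##*:}
    # port must be 1..5 digits (a missing port leaves the host in $port and fails here)
    case $port in
        ''|*[!0-9]*|??????*) echo "FAIL: $url has no valid numeric port (expected the --secure-port value)"; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then echo "FAIL: port $port is out of range"; return 1; fi
    set -- $(echo "$host" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "FAIL: host $host is not a dotted IPv4 address"; return 1; }
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) echo "FAIL: host $host has a non-numeric octet"; return 1 ;; esac
        [ "$octet" -le 255 ] || { echo "FAIL: host $host has an octet above 255"; return 1; }
    done
    echo "OK: $url"
}

# secure_port_of UNIT_TEXT -> the --secure-port value in the unit; kube-apiserver defaults to 6443 when absent
secure_port_of() {
    p=$(printf '%s\n' "$1" | sed -n 's/.*--secure-port=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${p:-6443}"
}

# server_matches_unit URL UNIT_TEXT -> succeeds when URL is valid and its port equals the unit's --secure-port
server_matches_unit() {
    server_url_ok "$1" >/dev/null || return 1
    p=${1#https://}; p=${p%%/*}; p=${p##*:}
    sp=$(secure_port_of "$2")
    [ "$p" = "$sp" ] || { echo "FAIL: $1 uses port $p but the unit's --secure-port is $sp"; return 1; }
    echo "OK: $1 matches --secure-port $sp"
}

# Demonstration with the address used in this post (constructed run; prints OK)
server_matches_unit https://192.168.91.19:6443 "$SAMPLE_APISERVER_UNIT"
```

Feed the real unit with server_matches_unit "https://<ip>:<port>" "$(cat /etc/systemd/system/kube-apiserver.service)" on the master; the check only reads text, so it is safe to run before the apiserver is up.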
: d+ @# A7 s1 n; w, Z+ ~  I配置 kubelet 配置文件* h9 L$ R/ H; G$ T
vim /approot1/k8s/tmp/service/config.yaml; n) m- Z% f* E( g2 D, @
clusterDNS 参数的 ip 注意修改,和 apiserver 的 --service-cluster-ip-range 参数一个网段,和 k8s 服务 ip 要不一样,一般 k8s 服务的 ip 取网段第一个ip, clusterdns 选网段的第二个ip/ g4 g* {& S- P/ d2 q

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/ssl/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
cgroupDriver: systemd
cgroupsPerQOS: true
clusterDNS:
- 10.88.0.2
clusterDomain: cluster.local
configMapAndSecretChangeDetectionStrategy: Watch
containerLogMaxFiles: 3
containerLogMaxSize: 10Mi
enforceNodeAllocatable:
- pods
eventBurst: 10
eventRecordQPS: 5
evictionHard:
  imagefs.available: 15%
  memory.available: 300Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
evictionPressureTransitionPeriod: 5m0s
failSwapOn: true
fileCheckFrequency: 40s
hairpinMode: hairpin-veth
healthzBindAddress: 0.0.0.0
healthzPort: 10248
httpCheckFrequency: 40s
imageGCHighThresholdPercent: 85
imageGCLowThresholdPercent: 80
imageMinimumGCAge: 2m0s
kubeAPIBurst: 100
kubeAPIQPS: 50
makeIPTablesUtilChains: true
maxOpenFiles: 1000000
maxPods: 110
nodeLeaseDurationSeconds: 40
nodeStatusReportFrequency: 1m0s
nodeStatusUpdateFrequency: 10s
oomScoreAdj: -999
podPidsLimit: -1
port: 10250
# disable readOnlyPort
readOnlyPort: 0
resolvConf: /etc/resolv.conf
runtimeRequestTimeout: 2m0s
serializeImagePulls: true
streamingConnectionIdleTimeout: 4h0m0s
syncFrequency: 1m0s
tlsCertFile: /etc/kubernetes/ssl/kubelet.pem
tlsPrivateKeyFile: /etc/kubernetes/ssl/kubelet-key.pem
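The settings in this file that matter most for exposure are anonymous authentication off, authorization delegated to the apiserver via Webhook, the read-only port disabled and the x509/TLS file paths set. The script below is an added example, not part of the original post: it audits a KubeletConfiguration file for exactly those values using only awk and sed, so it can be run on the file before it is distributed to the nodes. The function names and the constructed sample files are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit a KubeletConfiguration file for the
# settings that keep the kubelet API closed to unauthenticated callers.

# Write a constructed config in the layout shown above.
#   $1 = output path, $2 = anonymous.enabled, $3 = readOnlyPort, $4 = authorization.mode
write_sample_kubelet_config() {
  cat >"$1" <<EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
authentication:
  anonymous:
    enabled: $2
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/ssl/ca.pem
authorization:
  mode: $4
port: 10250
readOnlyPort: $3
tlsCertFile: /etc/kubernetes/ssl/kubelet.pem
tlsPrivateKeyFile: /etc/kubernetes/ssl/kubelet-key.pem
EOF
}

# Value of "enabled:" inside the authentication.anonymous block (empty when absent).
# The webhook block also has an "enabled:" key, so the block has to be tracked.
anonymous_enabled() {
  awk '
    /^[^ \t]/ { top = $1 }                                   # current top-level key
    top == "authentication:" && /^  anonymous:/ { blk = 1; next }
    top == "authentication:" && /^  [^ \t]/ { blk = 0 }       # next 2-space key ends the block
    blk && /^[ \t]*enabled:/ { print $2; exit }
  ' "$1"
}

# audit_kubelet_config FILE: print one finding per line, return 0 when every check passes.
audit_kubelet_config() {
  f=$1
  rc=0
  anon=$(anonymous_enabled "$f")
  [ "$anon" = "false" ] \
    || { echo "authentication.anonymous.enabled should be false (got: ${anon:-unset})"; rc=1; }
  mode=$(sed -n 's/^  mode:[[:space:]]*//p' "$f" | head -n 1)
  [ "$mode" = "Webhook" ] \
    || { echo "authorization.mode should be Webhook so the apiserver decides who may call the kubelet (got: ${mode:-unset})"; rc=1; }
  rop=$(sed -n 's/^readOnlyPort:[[:space:]]*//p' "$f")
  [ "$rop" = "0" ] \
    || { echo "readOnlyPort should be 0; the read-only port serves pod and node details without any auth (got: ${rop:-unset})"; rc=1; }
  for key in clientCAFile tlsCertFile tlsPrivateKeyFile; do
    grep -q "^[[:space:]]*$key:[[:space:]]*/" "$f" || { echo "$key is not set"; rc=1; }
  done
  return $rc
}

# Demo: the values from this guide pass, a weakened copy is rejected.
tmp=$(mktemp -d)
write_sample_kubelet_config "$tmp/good.yaml" false 0 Webhook
write_sample_kubelet_config "$tmp/weak.yaml" true 10255 AlwaysAllow
audit_kubelet_config "$tmp/good.yaml" && echo "good.yaml: ok"
audit_kubelet_config "$tmp/weak.yaml" || echo "weak.yaml: rejected"
rm -rf "$tmp"
```

Run `audit_kubelet_config /approot1/k8s/tmp/service/config.yaml` once before the scp loop; the same check can be repeated on each node against /approot1/k8s/data/kubelet/config.yaml to catch a file that was edited by hand later.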
Manage kubelet with systemd
vim /approot1/k8s/tmp/service/kubelet.service.192.168.91.19
The 192.168.91.19 here must be changed to your own IP; do not copy and paste blindly. Create one service file per node, and the IP inside each service file must be changed to that worker node's IP; do not reuse one IP.

--container-runtime defaults to docker. If a runtime other than docker is used, set it to remote and set --container-runtime-endpoint to the path of the runtime's sock file.

kubelet parameters

[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
WorkingDirectory=/approot1/k8s/data/kubelet
ExecStart=/approot1/k8s/bin/kubelet \
  --config=/approot1/k8s/data/kubelet/config.yaml \
  --cni-bin-dir=/approot1/k8s/bin \
  --cni-conf-dir=/etc/cni/net.d \
  --container-runtime=remote \
  --container-runtime-endpoint=unix:///run/containerd/containerd.sock \
  --hostname-override=192.168.91.19 \
  --image-pull-progress-deadline=5m \
  --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
  --network-plugin=cni \
  --pod-infra-container-image=k8s.gcr.io/pause:3.6 \
  --root-dir=/approot1/k8s/data/kubelet \
  --v=2
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
Distribute the certificates and create the required directories
For multiple nodes, append the other IPs after 192.168.91.19 separated by spaces. Change 192.168.91.19 to your own IP; do not copy blindly.

The directories must also match your own layout; if yours differ from mine, adjust them, otherwise the service will fail to start.

Note that the ca*.pem glob below also matches ca-key.pem. The kubelet only needs ca.pem (its clientCAFile), so copying ca.pem alone keeps the CA private key off the worker nodes.

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "mkdir -p /approot1/k8s/data/kubelet"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
ssh $i "mkdir -p /etc/kubernetes/ssl"; \
scp /approot1/k8s/tmp/ssl/ca*.pem $i:/etc/kubernetes/ssl/; \
scp /approot1/k8s/tmp/ssl/kubelet.$i.pem $i:/etc/kubernetes/ssl/kubelet.pem; \
scp /approot1/k8s/tmp/ssl/kubelet.$i-key.pem $i:/etc/kubernetes/ssl/kubelet-key.pem; \
scp /approot1/k8s/tmp/ssl/kubelet.kubeconfig.$i $i:/etc/kubernetes/kubelet.kubeconfig; \
scp /approot1/k8s/tmp/service/kubelet.service.$i $i:/etc/systemd/system/kubelet.service; \
scp /approot1/k8s/tmp/service/config.yaml $i:/approot1/k8s/data/kubelet/; \
scp /approot1/k8s/pkg/kubernetes/bin/kubelet $i:/approot1/k8s/bin/; \
done
Start the kubelet service
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "systemctl daemon-reload"; \
ssh $i "systemctl enable kubelet"; \
ssh $i "systemctl restart kubelet --no-block"; \
ssh $i "systemctl is-active kubelet"; \
done
activating means kubelet is still starting; wait a moment and then run for i in 192.168.91.19 192.168.91.20;do ssh $i "systemctl is-active kubelet";done again

active means kubelet started successfully

Check whether the nodes are Ready
kubectl get node
Expect output similar to the following; STATUS Ready means the node is healthy

NAME            STATUS   ROLES    AGE   VERSION
192.168.91.19   Ready    <none>   20m   v1.23.3
192.168.91.20   Ready    <none>   20m   v1.23.3
Deploy the kube-proxy component
Create the kube-proxy certificate
vim /approot1/k8s/tmp/ssl/kube-proxy-csr.json
{
    "CN": "system:kube-proxy",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "hosts": [],
    "names": [
      {
        "C": "CN",
        "ST": "ShangHai",
        "L": "ShangHai",
        "O": "system:kube-proxy",
        "OU": "System"
      }
    ]
}
cd /approot1/k8s/tmp/ssl/; \
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
Create the kubeconfig
Set the cluster parameters

--server is the apiserver address: use your own IP and the port given by the --secure-port parameter in the apiserver service file. Always include the https:// scheme; otherwise kubectl cannot reach the apiserver with the generated kubeconfig.

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://192.168.91.19:6443 \
--kubeconfig=kube-proxy.kubeconfig
Set the client authentication parameters

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-credentials kube-proxy \
--client-certificate=kube-proxy.pem \
--client-key=kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
Set the context parameters

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
Set the default context

cd /approot1/k8s/tmp/ssl/
/approot1/k8s/pkg/kubernetes/bin/kubectl config \
use-context default \
--kubeconfig=kube-proxy.kubeconfig
Create the kube-proxy configuration file
vim /approot1/k8s/tmp/service/kube-proxy-config.yaml.192.168.91.19
The 192.168.91.19 here must be changed to your own IP; do not copy and paste blindly. Create one configuration file per node, and the IP inside each file must be changed to that worker node's IP; do not reuse one IP.

clusterCIDR must match the controller-manager's --cluster-cidr parameter

hostnameOverride must match the kubelet's --hostname-override parameter, otherwise you get a node not found error

kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
clientConnection:
  kubeconfig: "/etc/kubernetes/kube-proxy.kubeconfig"
clusterCIDR: "172.20.0.0/16"
conntrack:
  maxPerCore: 32768
  min: 131072
  tcpCloseWaitTimeout: 1h0m0s
  tcpEstablishedTimeout: 24h0m0s
healthzBindAddress: 0.0.0.0:10256
hostnameOverride: "192.168.91.19"
metricsBindAddress: 0.0.0.0:10249
mode: "ipvs"
Manage kube-proxy with systemd
vim /approot1/k8s/tmp/service/kube-proxy.service
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
# kube-proxy uses --cluster-cidr to tell cluster-internal traffic from external traffic
## once --cluster-cidr or --masquerade-all is specified,
## kube-proxy SNATs requests that access Service IPs
WorkingDirectory=/approot1/k8s/data/kube-proxy
ExecStart=/approot1/k8s/bin/kube-proxy \
  --config=/approot1/k8s/data/kube-proxy/kube-proxy-config.yaml
Restart=always
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
Distribute the certificates and create the required directories
For multiple nodes, append the other IPs after 192.168.91.19 separated by spaces. Change 192.168.91.19 to your own IP; do not copy blindly.

The directories must also match your own layout; if yours differ from mine, adjust them, otherwise the service will fail to start.

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "mkdir -p /approot1/k8s/data/kube-proxy"; \
ssh $i "mkdir -p /approot1/k8s/bin"; \
ssh $i "mkdir -p /etc/kubernetes/ssl"; \
scp /approot1/k8s/tmp/ssl/kube-proxy.kubeconfig $i:/etc/kubernetes/; \
scp /approot1/k8s/tmp/service/kube-proxy.service $i:/etc/systemd/system/; \
scp /approot1/k8s/tmp/service/kube-proxy-config.yaml.$i $i:/approot1/k8s/data/kube-proxy/kube-proxy-config.yaml; \
scp /approot1/k8s/pkg/kubernetes/bin/kube-proxy $i:/approot1/k8s/bin/; \
done
Start the kube-proxy service
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "systemctl daemon-reload"; \
ssh $i "systemctl enable kube-proxy"; \
ssh $i "systemctl restart kube-proxy --no-block"; \
ssh $i "systemctl is-active kube-proxy"; \
done
activating means kube-proxy is still starting; wait a moment and then run for i in 192.168.91.19 192.168.91.20;do ssh $i "systemctl is-active kube-proxy";done again

active means kube-proxy started successfully

Deploy the flannel component
flannel github

Create the flannel yaml file
vim /approot1/k8s/tmp/service/flannel.yaml
Network in net-conf.json must match the controller-manager's --cluster-cidr parameter

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp.flannel.unprivileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  volumes:
  - configMap
  - secret
  - emptyDir
  - hostPath
  allowedHostPaths:
  - pathPrefix: "/etc/cni/net.d"
  - pathPrefix: "/etc/kube-flannel"
  - pathPrefix: "/run/flannel"
  readOnlyRootFilesystem: false
  # Users and groups
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Privilege Escalation
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  # Capabilities
  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
  defaultAddCapabilities: []
  requiredDropCapabilities: []
  # Host namespaces
  hostPID: false
  hostIPC: false
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  # SELinux
  seLinux:
    # SELinux is unused in CaaSP
    rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['psp.flannel.unprivileged']
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: flannel
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flannel
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    app: flannel
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "172.20.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      hostNetwork: true
      priorityClassName: system-node-critical
      tolerations:
      - operator: Exists
        effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
      - name: install-cni
        image: quay.io/coreos/flannel:v0.15.1
        command:
        - cp
        args:
        - -f
        - /etc/kube-flannel/cni-conf.json
        - /etc/cni/net.d/10-flannel.conflist
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      containers:
      - name: kube-flannel
        image: quay.io/coreos/flannel:v0.15.1
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
          limits:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN", "NET_RAW"]
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        volumeMounts:
        - name: run
          mountPath: /run/flannel
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      volumes:
      - name: run
        hostPath:
          path: /run/flannel
      - name: cni
        hostPath:
          path: /etc/cni/net.d
      - name: flannel-cfg
        configMap:
          name: kube-flannel-cfg
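Three of the notes in this guide are about values that have to agree across files: kube-proxy's clusterCIDR and flannel's Network must both equal the controller-manager's --cluster-cidr, and the kubelet's clusterDNS must sit inside the apiserver's --service-cluster-ip-range without being its first host address, which the apiserver claims for the kubernetes service. The script below is an added example, not part of the original post: it extracts the two pod CIDRs from constructed fragments of the kube-proxy config and the flannel ConfigMap and compares them with the expected value, and it checks the clusterDNS rule with plain integer arithmetic on the addresses. The expected pod CIDR and the service range are passed in as arguments because the controller-manager and apiserver files live elsewhere in the guide; function names and sample files are mine.

```shell
#!/bin/sh
# Added example (not from the original post): check that the network parameters spread over
# several files agree with each other.

# Write constructed fragments of kube-proxy-config.yaml and the flannel ConfigMap into $1.
#   $2 = kube-proxy clusterCIDR, $3 = flannel Network
write_sample_net_files() {
  printf 'kind: KubeProxyConfiguration\nclusterCIDR: "%s"\nmode: "ipvs"\n' "$2" >"$1/kube-proxy-config.yaml"
  printf '  net-conf.json: |\n    {\n      "Network": "%s",\n      "Backend": { "Type": "vxlan" }\n    }\n' "$3" >"$1/flannel.yaml"
}

# check_pod_cidr EXPECTED PROXY_CFG FLANNEL_YAML: EXPECTED is the controller-manager --cluster-cidr.
check_pod_cidr() {
  rc=0
  proxy=$(sed -n 's/^clusterCIDR:[[:space:]]*"\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p' "$2")
  fl=$(sed -n 's/.*"Network":[[:space:]]*"\([^"]*\)".*/\1/p' "$3")
  [ "$proxy" = "$1" ] || { echo "kube-proxy clusterCIDR=${proxy:-unset}, expected $1"; rc=1; }
  [ "$fl" = "$1" ]    || { echo "flannel Network=${fl:-unset}, expected $1"; rc=1; }
  return $rc
}

# Dotted-quad IPv4 address -> integer.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network mask of a CIDR, as an integer (4294967295 is 0xFFFFFFFF).
cidr_mask() {
  echo $(( (4294967295 << (32 - ${1#*/})) & 4294967295 ))
}

# ip_in_cidr IP CIDR: true when IP lies inside CIDR.
ip_in_cidr() {
  m=$(cidr_mask "$2")
  [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "${2%/*}") & m )) ]
}

# check_cluster_dns DNS_IP SERVICE_CIDR: clusterDNS must be inside the service range
# (apiserver --service-cluster-ip-range) and must not be its first host address.
check_cluster_dns() {
  ip_in_cidr "$1" "$2" || { echo "clusterDNS $1 is outside the service range $2"; return 1; }
  first=$(( ($(ip_to_int "${2%/*}") & $(cidr_mask "$2")) + 1 ))
  [ "$(ip_to_int "$1")" -ne "$first" ] \
    || { echo "clusterDNS $1 is the first host of $2, reserved for the kubernetes service"; return 1; }
  return 0
}

# Demo with the values used in this guide.
tmp=$(mktemp -d)
write_sample_net_files "$tmp" 172.20.0.0/16 172.20.0.0/16
check_pod_cidr 172.20.0.0/16 "$tmp/kube-proxy-config.yaml" "$tmp/flannel.yaml" && echo "pod CIDR: consistent"
check_cluster_dns 10.88.0.2 10.88.0.0/16 && echo "clusterDNS 10.88.0.2: ok"
check_cluster_dns 10.88.0.1 10.88.0.0/16 || echo "(rejected as expected)"
rm -rf "$tmp"
```

Against the real files this becomes `check_pod_cidr 172.20.0.0/16 /approot1/k8s/tmp/service/kube-proxy-config.yaml.192.168.91.19 /approot1/k8s/tmp/service/flannel.yaml` and `check_cluster_dns 10.88.0.2 <your --service-cluster-ip-range>`; a mismatch here shows up later as pods that cannot reach Service IPs or as DNS lookups that time out, which is much harder to trace back.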
Create the flannel CNI network configuration file
vim /approot1/k8s/tmp/service/10-flannel.conflist
{
  "name": "cbr0",
  "cniVersion": "0.3.1",
  "plugins": [
    {
      "type": "flannel",
      "delegate": {
        "hairpinMode": true,
        "isDefaultGateway": true
      }
    },
    {
      "type": "portmap",
      "capabilities": {
        "portMappings": true
      }
    }
  ]
}
Import the flannel image
for i in 192.168.91.19 192.168.91.20;do \
scp /approot1/k8s/images/flannel-v0.15.1.tar $i:/tmp/; \
ssh $i "ctr -n=k8s.io image import /tmp/flannel-v0.15.1.tar && rm -f /tmp/flannel-v0.15.1.tar"; \
done
List the image

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "ctr -n=k8s.io image list | grep flannel"; \
done
Distribute the flannel CNI configuration file
for i in 192.168.91.19 192.168.91.20;do \
ssh $i "rm -f /etc/cni/net.d/10-default.conf"; \
scp /approot1/k8s/tmp/service/10-flannel.conflist $i:/etc/cni/net.d/; \
done
After the flannel CNI configuration has been distributed, the nodes temporarily show NotReady; wait until every node is back to Ready before running the flannel component.

Run the flannel component in k8s
kubectl apply -f /approot1/k8s/tmp/service/flannel.yaml
Check that the flannel pods are running
kubectl get pod -n kube-system | grep flannel
Expect output like the following

flannel is a DaemonSet, a pod type that lives and dies with its node: k8s runs one flannel pod per node, and when a node is deleted its flannel pod is deleted with it.

kube-flannel-ds-86rrv   1/1     Running       0          8m54s
kube-flannel-ds-bkgzx   1/1     Running       0          8m53s
On SUSE 12 the pods may show Init:CreateContainerError. Run kubectl describe pod -n kube-system <flannel_pod_name> to see the reason; if it is Error: failed to create containerd container: get apparmor_parser version: exec: "apparmor_parser": executable file not found in $PATH, find the apparmor_parser path with which apparmor_parser, create a symlink to it in the directory that holds the kubelet binary, then restart the pod. Note that this symlink must be created on every node that runs flannel.
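The SUSE 12 fix above as a repeatable step, added here as an example that is not part of the original post. The function takes the target directory as an argument (in this guide that is /approot1/k8s/bin, where the kubelet binary lives) so it can be exercised against a temporary directory; it is idempotent, so running it on a node that already has the link does nothing, and it fails loudly when apparmor_parser is not installed instead of creating a dangling link. The demo at the bottom builds a constructed fake apparmor_parser in a temporary PATH; function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): make apparmor_parser reachable for containerd
# by linking it next to the kubelet binary, as the SUSE 12 note describes.

# link_apparmor_parser BIN_DIR: symlink apparmor_parser into BIN_DIR unless it is already
# there. Prints what was done; returns 1 when apparmor_parser cannot be found.
link_apparmor_parser() {
  dir=$1
  if [ -x "$dir/apparmor_parser" ]; then
    echo "$dir/apparmor_parser already present"
    return 0
  fi
  src=$(command -v apparmor_parser 2>/dev/null)   # the "which apparmor_parser" step
  if [ -z "$src" ]; then
    echo "apparmor_parser not found in PATH; install the apparmor-parser package first" >&2
    return 1
  fi
  ln -s "$src" "$dir/apparmor_parser" && echo "$dir/apparmor_parser -> $src"
}

# Same step on every flannel node, in the ssh loop style used throughout this guide.
# BIN_DIR is /approot1/k8s/bin here; adjust it if your layout differs.
link_on_all_nodes() {
  for i in "$@"; do
    ssh "$i" '[ -x /approot1/k8s/bin/apparmor_parser ] || ln -s "$(command -v apparmor_parser)" /approot1/k8s/bin/apparmor_parser'
  done
}

# Demo with a constructed fake apparmor_parser so it runs anywhere (not a real node).
tmp=$(mktemp -d)
mkdir "$tmp/usrbin" "$tmp/k8sbin"
printf '#!/bin/sh\necho fake apparmor_parser\n' >"$tmp/usrbin/apparmor_parser"
chmod +x "$tmp/usrbin/apparmor_parser"
PATH="$tmp/usrbin:$PATH" link_apparmor_parser "$tmp/k8sbin" || echo "link failed"
link_apparmor_parser "$tmp/k8sbin"          # second run: already present, nothing to do
rm -rf "$tmp"
```

On the real nodes run `link_on_all_nodes 192.168.91.19 192.168.91.20` and then delete the failing flannel pods so the DaemonSet recreates them.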

Deploy the coredns component
Create the coredns yaml file
vim /approot1/k8s/tmp/service/coredns.yaml
clusterIP must match the clusterDNS parameter in the kubelet configuration file

apiVersion: v1
kind: ServiceAccount
metadata:
  name: coredns
  namespace: kube-system
  labels:
      kubernetes.io/cluster-service: "true"
      addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    addonmanager.kubernetes.io/mode: Reconcile
  name: system:coredns
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  - services
  - pods
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    addonmanager.kubernetes.io/mode: EnsureExists
  name: system:coredns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:coredns
subjects:
- kind: ServiceAccount
  name: coredns
  namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
  labels:
      addonmanager.kubernetes.io/mode: EnsureExists
data:
  Corefile: |
    .:53 {
        errors
        health {
            lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            pods insecure
            fallthrough in-addr.arpa ip6.arpa
            ttl 30
        }
        prometheus :9153
        forward . /etc/resolv.conf {
            max_concurrent 1000
        }
        cache 30
        reload
        loadbalance
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/name: "CoreDNS"
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      priorityClassName: system-cluster-critical
      serviceAccountName: coredns
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                  - key: k8s-app
                    operator: In
                    values: ["kube-dns"]
              topologyKey: kubernetes.io/hostname
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"
      nodeSelector:
        kubernetes.io/os: linux
      containers:
      - name: coredns
        image: docker.io/coredns/coredns:1.8.6
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            memory: 300Mi
          requests:
            cpu: 100m
            memory: 70Mi
        args: [ "-conf", "/etc/coredns/Corefile" ]
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
          readOnly: true8 d: J4 Q0 t* @- l+ y2 H% f
        ports:& Y& S: V  T# |/ M9 A: S; A  N; Q
        - containerPort: 53
/ o( ?  ?. Y" A$ D2 S' Q  j          name: dns: ~$ h3 g! F: G. F) c
          protocol: UDP& D' |# [; j! t
        - containerPort: 53/ J% ]; p7 X1 U6 C
          name: dns-tcp' E1 U! L# X) x* \; \
          protocol: TCP* ]  K; x4 R& \5 Y. K
        - containerPort: 91538 t' U0 S- ?" q% s: N
          name: metrics
, E- `5 q8 @8 u4 ~          protocol: TCP! C5 G4 V6 d' z& j& z% U: s6 \
        livenessProbe:1 i6 X5 |8 t: u
          httpGet:1 G* Q/ e( X- ^6 h; d
            path: /health
8 O6 L9 K, x7 f% p            port: 8080! `# t4 N" g, R  F) p1 k
            scheme: HTTP
8 R9 |) g/ a1 _& U$ c          initialDelaySeconds: 60
3 E1 i% D+ {6 t  `* X          timeoutSeconds: 59 Z6 n! L% w! `/ H( q( m- O/ W  H7 n
          successThreshold: 1. \, c% ^9 w: a. U; ?8 K: ^
          failureThreshold: 57 o6 _( i  J$ L1 P) A/ u0 ]/ x8 d8 e
        readinessProbe:
, e' [6 }5 ^* A3 y$ w          httpGet:8 ^- G* b2 J! H9 g9 J
            path: /ready
! y' C1 ?  d/ Z9 W3 d8 S* H, U            port: 8181# c, O& \! B6 H3 d7 N
            scheme: HTTP4 [. T/ p9 U% l4 h4 W, `) r# n& c% n
        securityContext:! X1 {( F. u% P6 n! k( r
          allowPrivilegeEscalation: false
* P' l, a. i) t0 \7 M          capabilities:% i. A1 K6 Z; i6 a( G, j
            add:2 Z, o, b3 _: Z6 G5 q( @6 A5 t  x
            - NET_BIND_SERVICE% k5 J- A9 f5 ]- j1 D
            drop:! k6 Q( b3 u, U# _1 O4 w
            - all
* ^9 q# A$ v3 D! Z3 N. M          readOnlyRootFilesystem: true& D8 Y8 t! k7 O& s% z  q/ s8 z
      dnsPolicy: Default4 h" `1 R7 E$ o% G# o
      volumes:( T1 o# i8 m- O& q
        - name: config-volume
- l' S1 B2 Z: n. f          configMap:
& |2 X  e( J- I, m- w) B            name: coredns
$ r) d) |  S6 c5 R& H1 ~# ?9 d            items:, x4 e: O4 _+ K% s3 Y3 f$ f
            - key: Corefile
) ^9 Q" U& A3 s# o5 `. X              path: Corefile
: T4 w6 Y; O# y# A8 f---7 K7 r& j" {( O2 ]0 Y$ ~
apiVersion: v18 G7 Q  c; }9 f  B* j# Y
kind: Service
6 U+ r: c* }) h3 lmetadata:5 z, ^4 \4 B# [- \3 C  G! m
  name: kube-dns4 _# a6 D0 g  `+ x9 y5 k
  namespace: kube-system
! A2 g* S) p1 C7 K; I5 |  annotations:6 u$ }" n& p4 c8 e! l
    prometheus.io/port: "9153"
- r6 I! B( ^8 t6 @2 {/ [. {; {, t) {    prometheus.io/scrape: "true"1 t6 z( O2 w, i2 U  \1 ]& P7 f
  labels:
2 p# l' o  _5 I8 M7 B    k8s-app: kube-dns( |6 O( I1 Q  J/ z) }: c$ z
    kubernetes.io/cluster-service: "true"
+ U2 X( D: O5 P0 @+ J6 G4 t, z- y    addonmanager.kubernetes.io/mode: Reconcile5 R0 T( T* z3 z8 _/ T/ i, a
    kubernetes.io/name: "CoreDNS"
. N" }& a1 L& k6 k# E1 Zspec:
( Q7 }5 E9 g. ^4 l  selector:6 ~; V; u( x& x% U4 f
    k8s-app: kube-dns% n9 a8 `& }+ P- ~+ Z
  clusterIP: 10.88.0.20 l) b$ q$ f  `8 f$ X
  ports:
' v7 l! \6 o# A- A) N' @3 p5 h  k  - name: dns( D8 h" j  J$ Q* b/ x) u& K
    port: 531 m3 T2 E# U3 f6 |1 u
    protocol: UDP. y; W+ S9 d2 e2 g) W9 _2 W1 i
  - name: dns-tcp
) q. w9 J" ]# X; C( p8 l    port: 53, D8 N$ d" |$ {& l8 I  p, N! z3 R& g( h
    protocol: TCP$ u  f8 V: X) E' Y$ r
  - name: metrics
. \$ H7 b) T) G( G+ z# ^    port: 9153
  D, k: Q9 B5 j3 W# K' r5 L    protocol: TCP0 G  q! u, \( J+ j2 d8 Z+ R
Import the coredns image
for i in 192.168.91.19 192.168.91.20;do \
scp /approot1/k8s/images/coredns-v1.8.6.tar $i:/tmp/
ssh $i "ctr -n=k8s.io image import /tmp/coredns-v1.8.6.tar && rm -f /tmp/coredns-v1.8.6.tar"; \
done
Check the image

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "ctr -n=k8s.io image list | grep coredns"; \
done
Run the coredns component in k8s
kubectl apply -f /approot1/k8s/tmp/service/coredns.yaml
Check whether the coredns pod is running
kubectl get pod -n kube-system | grep coredns
The expected output looks like this

Because the replicas parameter in the coredns yaml file is 1, there is only one pod here; if it is changed to 2, two pods will appear

coredns-5fd74ff788-cddqf   1/1     Running       0          10s
Deploy the metrics-server component
Configure the metrics-server yaml file
vim /approot1/k8s/tmp/service/metrics-server.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: metrics-server
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: system:aggregated-metrics-reader
rules:
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: metrics-server
  name: system:metrics-server
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - nodes/stats
  - namespaces
  - configmaps
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server:system:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: system:metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:metrics-server
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    k8s-app: metrics-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  strategy:
    rollingUpdate:
      maxUnavailable: 0
  template:
    metadata:
      labels:
        k8s-app: metrics-server
    spec:
      containers:
      - args:
        - --cert-dir=/tmp
        - --secure-port=4443
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --kubelet-insecure-tls
        - --kubelet-use-node-status-port
        - --metric-resolution=15s
        image: k8s.gcr.io/metrics-server/metrics-server:v0.5.2
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /livez
            port: https
            scheme: HTTPS
          periodSeconds: 10
        name: metrics-server
        ports:
        - containerPort: 4443
          name: https
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readyz
            port: https
            scheme: HTTPS
          initialDelaySeconds: 20
          periodSeconds: 10
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /tmp
          name: tmp-dir
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-cluster-critical
      serviceAccountName: metrics-server
      volumes:
      - emptyDir: {}
        name: tmp-dir
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
    k8s-app: metrics-server
  name: v1beta1.metrics.k8s.io
spec:
  group: metrics.k8s.io
  groupPriorityMinimum: 100
  insecureSkipTLSVerify: true
  service:
    name: metrics-server
    namespace: kube-system
  version: v1beta1
  versionPriority: 100
Import the metrics-server image
for i in 192.168.91.19 192.168.91.20;do \
scp /approot1/k8s/images/metrics-server-v0.5.2.tar $i:/tmp/
ssh $i "ctr -n=k8s.io image import /tmp/metrics-server-v0.5.2.tar && rm -f /tmp/metrics-server-v0.5.2.tar"; \
done
Check the image

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "ctr -n=k8s.io image list | grep metrics-server"; \
done
Run the metrics-server component in k8s
kubectl apply -f /approot1/k8s/tmp/service/metrics-server.yaml
Check whether the metrics-server pod is running
kubectl get pod -n kube-system | grep metrics-server
The expected output looks like this

metrics-server-6c95598969-qnc76   1/1     Running       0          71s
Verify that metrics-server works

Check node resource usage

kubectl top node
The expected output looks like this

metrics-server is slow to start, and how long it takes depends on the machine; if the output says "is not yet" or "is not ready", wait a moment and run kubectl top node again

NAME            CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%
192.168.91.19   285m         4%     2513Mi          32%
192.168.91.20   71m          3%     792Mi           21%
Check pod resource usage in a given namespace

kubectl top pod -n kube-system
The expected output looks like this

NAME                              CPU(cores)   MEMORY(bytes)
coredns-5fd74ff788-cddqf          11m          18Mi
kube-flannel-ds-86rrv             4m           18Mi
kube-flannel-ds-bkgzx             6m           22Mi
kube-flannel-ds-v25xc             6m           22Mi
metrics-server-6c95598969-qnc76   6m           22Mi
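The coredns and metrics-server manifests above take three shortcuts a reviewer should know about before applying them: `--kubelet-insecure-tls`, `insecureSkipTLSVerify: true` on the APIService, and `pods insecure` in the Corefile. The script below is an added example, not code from the original post; it scans multi-document manifests for those settings and for missing hardening in Deployments. The two embedded manifests are constructed, abridged excerpts of the YAML above, and the regex-based splitting is a heuristic rather than a YAML parser.

```python
"""Scan add-on manifests for settings worth reviewing before kubectl apply.
Added example, not code from the original post; the two manifests below are
constructed, abridged excerpts of the coredns and metrics-server YAML above."""
import re

COREDNS_YAML = """\
kind: ConfigMap
metadata:
  name: coredns
data:
  Corefile: |
    .:53 {
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            pods insecure
        }
    }
---
kind: Deployment
metadata:
  name: coredns
spec:
  template:
    spec:
      containers:
      - name: coredns
        image: docker.io/coredns/coredns:1.8.6
        securityContext:
          readOnlyRootFilesystem: true
"""

METRICS_SERVER_YAML = """\
kind: Deployment
metadata:
  name: metrics-server
spec:
  template:
    spec:
      containers:
      - args:
        - --kubelet-insecure-tls
        image: k8s.gcr.io/metrics-server/metrics-server:v0.5.2
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
---
kind: APIService
metadata:
  name: v1beta1.metrics.k8s.io
spec:
  insecureSkipTLSVerify: true
"""

# Patterns whose presence in a document is a finding, with the risk each signals.
FLAG_RULES = [
    (r"--kubelet-insecure-tls", "metrics-server does not verify kubelet serving certificates"),
    (r"^\s*insecureSkipTLSVerify:\s*true\s*$", "kube-apiserver will not verify the aggregated API server's TLS cert"),
    (r"^\s*pods insecure\s*$", "CoreDNS answers pod-IP names without checking the pod exists"),
    (r"^\s*image:\s*[^@\s]+\s*$", "image not pinned by digest"),
]
# Patterns whose absence from a Deployment is a finding.
MISSING_RULES = [
    (r"^\s*readOnlyRootFilesystem:\s*true\s*$", "readOnlyRootFilesystem not set"),
    (r"^\s*runAsNonRoot:\s*true\s*$", "runAsNonRoot not set"),
]


def split_documents(manifest):
    """Split a multi-document YAML string on its '---' separator lines."""
    return [d for d in re.split(r"^---\s*$", manifest, flags=re.M) if d.strip()]


def identify(doc):
    """Heuristic: the first 'kind:' line and the first indented 'name:' line
    (metadata.name precedes any container name in these manifests)."""
    kind = re.search(r"^kind:\s*(\S+)", doc, re.M)
    name = re.search(r"^\s+name:\s*(\S+)", doc, re.M)
    return (kind.group(1) if kind else "?", name.group(1) if name else "?")


def audit(manifest):
    """Return (kind, name, message) findings for every document in the manifest."""
    findings = []
    for doc in split_documents(manifest):
        kind, name = identify(doc)
        for pattern, message in FLAG_RULES:
            if re.search(pattern, doc, re.M):
                findings.append((kind, name, message))
        if kind == "Deployment":
            for pattern, message in MISSING_RULES:
                if not re.search(pattern, doc, re.M):
                    findings.append((kind, name, message))
    return findings


if __name__ == "__main__":
    for kind, name, message in audit(COREDNS_YAML + "---\n" + METRICS_SERVER_YAML):
        print(f"{kind}/{name}: {message}")
```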
Deploy the dashboard component
Configure the dashboard yaml file
vim /approot1/k8s/tmp/service/dashboard.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-read-user
  namespace: kube-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-read-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dashboard-read-clusterrole
subjects:
- kind: ServiceAccount
  name: dashboard-read-user
  namespace: kube-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dashboard-read-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - persistentvolumes
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - roles
  - rolebindings
  verbs:
  - get
  - list
  - watch

---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
    kubernetes.io/cluster-service: "true"
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort

---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kube-system
type: Opaque
data:
  csrf: ""

---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kube-system
type: Opaque

---
kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kube-system

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system

---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.4.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kube-system
            - --token-ttl=1800
            - --sidecar-host=http://dashboard-metrics-scraper:8000
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
4 X1 u& {7 V7 i8 E8 ^% |, K" G            initialDelaySeconds: 307 _) \2 B1 b: I4 n3 q2 k4 N
            timeoutSeconds: 30
2 R- X0 U, h) u* h0 a- Y  z2 B& ^          securityContext:
# ?" b$ h1 M* F. m            allowPrivilegeEscalation: false- y. q8 P+ ]1 ^
            readOnlyRootFilesystem: true
0 w5 z9 |  G. I8 T; v            runAsUser: 1001
9 ~$ j8 l0 C7 W/ p$ t+ a            runAsGroup: 2001: W: X# s" H$ T& f
      volumes:% }' d/ l1 v9 y% F
        - name: kubernetes-dashboard-certs( G  D: P1 V8 H# F9 V+ `3 L
          secret:# y: E. K3 m4 P; u
            secretName: kubernetes-dashboard-certs! G6 Z3 N. x& I( y' ]% @
        - name: tmp-volume3 |* ]0 x1 P5 f2 f' Q1 t
          emptyDir: {}' F6 I3 i6 S/ j
      serviceAccountName: kubernetes-dashboard
2 u5 q* n7 T& m; ~+ F* z      nodeSelector:5 l( r$ V( m, g/ e( `2 {  M+ p
        "kubernetes.io/os": linux6 u# @( L+ S" ]0 `. c3 g
      # Comment the following tolerations if Dashboard must not be deployed on master
1 X! M3 V+ g+ \' F; z1 @+ }' Z9 q7 u      tolerations:, x$ H+ }& X7 u2 ]% h( X9 ^
        - key: node-role.kubernetes.io/master" R1 B8 S& m" t: V' x5 d
          effect: NoSchedule5 o4 R9 \5 b) a0 @
1 e2 Q6 |4 G0 ^
---' D- ^! g$ J+ c
kind: Service! v2 Y9 U1 m) o3 B& |
apiVersion: v1% T" d- Q" Z1 Y. x1 E
metadata:' S6 O4 T0 \* o+ Z
  labels:
- A. A0 `& v; Z1 P6 h! F) V/ g    k8s-app: dashboard-metrics-scraper
! U5 a% b$ ?2 O  }( b$ o( j  name: dashboard-metrics-scraper4 K& D, A: `& n" a; v. `7 d0 A* X
  namespace: kube-system. z* e- T- b) o4 M5 Z
spec:
8 Q( l: m$ v, y! e1 y  ports:
  w; Q& ^+ X+ G. W. c    - port: 8000/ f! |! b- y: `* |( |3 T
      targetPort: 8000
+ B# |' d, F" ]  selector:
+ l. a  [5 i% L  a9 ?, ^    k8s-app: dashboard-metrics-scraper
: C0 Y6 {  h; O7 G2 e5 f# T+ y
! ^$ ?: i4 q8 l" a. g---
, u$ N: l$ W- s. {kind: Deployment
$ k# A4 C$ R6 b$ a) X3 J: S$ z$ n6 M2 aapiVersion: apps/v15 {' J' ~3 c3 g* o0 @
metadata:
' N! D5 l- n# P0 r0 D( _  labels:
" p3 H. ^; E+ o& s2 t    k8s-app: dashboard-metrics-scraper
& c/ }4 H: n8 x  p  name: dashboard-metrics-scraper+ Y2 m! M6 ~0 a/ `( h$ K
  namespace: kube-system  d! @; e6 ^( \. N
spec:
: y  N& A# G( d- q& Z3 C  replicas: 1
0 ^; E7 C. a( ?' o; x0 ?+ K  revisionHistoryLimit: 103 P6 W( P- Q7 M" e0 }/ `+ I8 n2 P4 M
  selector:
; W* H  k4 H# O+ H, D$ d; K    matchLabels:
: k3 g7 T( @' u# x% f7 G; }7 ?      k8s-app: dashboard-metrics-scraper3 A, Z2 l( Y8 t9 a! z
  template:" ^) X9 e  Q2 \
    metadata:
* O4 b# X& ^& p) B: |      labels:
2 {% s9 ^& v! B  Z  @) E6 n        k8s-app: dashboard-metrics-scraper- R7 \. U) x) E6 c
    spec:
9 b4 [" f+ i9 m4 G      securityContext:
4 O( s7 b- u( e! W, c1 T: i        seccompProfile:  T9 O) u3 u: O/ r: u  P1 [6 b- ]2 S
          type: RuntimeDefault# t* l3 G4 ~0 J3 N
      containers:
' K9 s8 f# S1 z        - name: dashboard-metrics-scraper
7 S8 E) h1 B4 k* e6 L          image: kubernetesui/metrics-scraper:v1.0.7
9 J( \3 T2 I/ a" L" F/ w+ s          imagePullPolicy: IfNotPresent
* S% R1 k& h( j6 u. b          ports:* M( s8 [1 L& d4 Q! k* Y5 l4 x
            - containerPort: 8000
  W2 N: T: s2 t) f, d              protocol: TCP
9 K: p; T5 L  f2 N          livenessProbe:
( R/ x- H  x  Z; i            httpGet:5 G3 X/ }" x- L" c( o
              scheme: HTTP
$ ]% p) R- Q3 Y" _              path: /
: N5 ~1 y7 L9 U7 Z; Q* P4 I              port: 8000
) {1 |1 ~7 @. f            initialDelaySeconds: 30
) A5 I  [: _8 A9 Z  Z! i            timeoutSeconds: 30* R9 y7 O3 i/ }3 k& V3 a9 D
          volumeMounts:
& R  ~1 w& z9 S6 j          - mountPath: /tmp
  N5 R9 M+ L1 _- U            name: tmp-volume
- X, B) }6 A1 P* r( K: f' E7 a' a          securityContext:
& O5 o( x8 q: S! W5 ?            allowPrivilegeEscalation: false, W6 p7 U( Y& S4 Q9 @
            readOnlyRootFilesystem: true+ {$ D+ M3 ]# P& H6 W
            runAsUser: 1001
% d/ O, s1 F& `1 k( H5 Q! j            runAsGroup: 2001/ V: f5 R5 g& d- B
      serviceAccountName: kubernetes-dashboard
: O& A3 Z$ i  ?& E; k; x! V  ]      nodeSelector:
; u- l9 @! I) w7 H& j        "kubernetes.io/os": linux. @* ~6 y1 s7 H( w- F
      # Comment the following tolerations if Dashboard must not be deployed on master! S5 ~3 z5 n& ^( \/ L
      tolerations:
  H: Q& |; H: S; A7 i        - key: node-role.kubernetes.io/master
5 c4 L( g7 o# t" K3 [+ v  \          effect: NoSchedule
, R/ X) X1 ^8 ?# c      volumes:7 D! N) E, R- V7 x8 H
        - name: tmp-volume) [" W- R& U/ ^3 P5 M  H/ l& V3 a, V! ~
          emptyDir: {}
Import the dashboard images

for i in 192.168.91.19 192.168.91.20;do \
scp /approot1/k8s/images/dashboard-*.tar $i:/tmp/
ssh $i "ctr -n=k8s.io image import /tmp/dashboard-v2.4.0.tar && rm -f /tmp/dashboard-v2.4.0.tar"; \
ssh $i "ctr -n=k8s.io image import /tmp/dashboard-metrics-scraper-v1.0.7.tar && rm -f /tmp/dashboard-metrics-scraper-v1.0.7.tar"; \
done

Check the images

for i in 192.168.91.19 192.168.91.20;do \
ssh $i "ctr -n=k8s.io image list | egrep 'dashboard|metrics-scraper'"; \
done

Run the dashboard components in k8s

kubectl apply -f /approot1/k8s/tmp/service/dashboard.yaml

Check that the dashboard pods are running

kubectl get pod -n kube-system | grep dashboard

Expected output is similar to the following

dashboard-metrics-scraper-799d786dbf-v28pm   1/1     Running       0          2m55s
kubernetes-dashboard-9f8c8b989-rhb7z         1/1     Running       0          2m55s

Find the dashboard access port

The Service does not specify a fixed access port for the dashboard, so you have to look it up yourself; alternatively, edit the yaml file to specify the port.

Expected output is similar to the following; in my setup port 30210 is mapped to the pod's port 443

kubernetes-dashboard        NodePort    10.88.127.68    <none>        443:30210/TCP            5m30s

Use the port you obtained to open the dashboard page, for example: https://192.168.91.19:30210

Get the dashboard login token

Get the name of the token secret

kubectl get secrets -n kube-system | grep admin

Expected output is similar to the following

admin-user-token-zvrst                           kubernetes.io/service-account-token   3      9m2s

Get the token contents

kubectl get secrets -n kube-system admin-user-token-zvrst -o jsonpath={.data.token}|base64 -d
The output is the token itself, a long JWT string beginning with eyJ; this is what you paste into the dashboard login page.

( y4 _7 o0 B, o# [8 ?eyJhbGciOiJSUzI1NiIsImtpZCI6InA4M1lhZVgwNkJtekhUd3Vqdm9vTE1ma1JYQ1ZuZ3c3ZE1WZmJhUXR4bUUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXp2cnN0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJhYTE3NTg1ZC1hM2JiLTQ0YWYtOWNhZS0yNjQ5YzA0YThmZWYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.K2o9p5St9tvIbXk7mCQCwsZQV11zICwN-JXhRv1hAnc9KFcAcDOiO4NxIeicvC2H9tHQBIJsREowVwY3yGWHj_MQa57EdBNWMrN1hJ5u-XzpzJ6JbQxns8ZBrCpIR8Fxt468rpTyMyqsO2UBo-oXQ0_ZXKss6X6jjxtGLCQFkz1ZfFTQW3n49L4ENzW40sSj4dnaX-PsmosVOpsKRHa8TPndusAT-58aujcqt31Z77C4M13X_vAdjyDLK9r5ZXwV2ryOdONwJye_VtXXrExBt9FWYtLGCQjKn41pwXqEfidT8cY6xbA7XgUVTr9miAmZ-jf1UeEw-nm8FOw9Bb5v6A
This concludes the binary deployment of k8s v1.23.3 on containerd.

Thread starter | Posted on 2025-1-1 20:38:40
Key production configuration

Modify the Docker configuration

Docker configuration (not needed when containerd is used as the runtime):

vim /etc/docker/daemon.json

{
  "registry-mirrors": [
    "https://registry.docker-cn.com",
    "http://hub-mirror.c.163.com",
    "https://docker.mirrors.ustc.edu.cn"
  ],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "max-concurrent-downloads": 10,
  "max-concurrent-uploads": 5,
  "log-opts": {
    "max-size": "300m",
    "max-file": "2"
  },
  "live-restore": true
}

JSON does not allow comments, so the meaning of each key is given here instead:
max-concurrent-downloads: number of concurrent download threads
max-concurrent-uploads: number of concurrent upload threads
log-opts.max-size: log file size limit; the file is rotated when it reaches this size
log-opts.max-file: number of rotated log files kept; adjust to your situation
live-restore: restarting the docker daemon does not restart the running containers

Change the certificate validity

Certificates issued by the controller-manager through bootstrapping are valid for one year by default; in an internal environment a longer validity can be configured.

vim /usr/lib/systemd/system/kube-controller-manager.service

# Set the certificate validity. The longest validity a certificate can get is presumably five years, so a larger value may still yield five years; the kubelet re-requests a certificate shortly before expiry.
--cluster-signing-duration=876000h0m0s \

# Automatically issue a certificate when one is requested automatically. In newer versions this already defaults to true, so it does not need to be configured.
# --feature-gates=RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true \

Modify the kubelet configuration file

vim /etc/systemd/system/kubelet.service.d/10-kubelet.conf

[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
Environment="KUBELET_SYSTEM_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin --container-runtime=remote --runtime-request-timeout=15m --container-runtime-endpoint=unix:///run/containerd/containerd.sock --cgroup-driver=systemd"
Environment="KUBELET_CONFIG_ARGS=--config=/etc/kubernetes/kubelet-conf.yml"
Environment="KUBELET_EXTRA_ARGS=--node-labels=node.kubernetes.io/node='' --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    --image-pull-progress-deadline=30m"
ExecStart=
ExecStart=/usr/local/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_SYSTEM_ARGS $KUBELET_EXTRA_ARGS

If your company has a security team that runs vulnerability scans: the default k8s cipher suites are relatively weak, so change the cipher suites.

Add: --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Set the image pull deadline; pulling images from the public internet is slow and the default deadline is short.

Add: --image-pull-progress-deadline=30m

[root@k8s-master01 ~]# systemctl daemon-reload
[root@k8s-master01 ~]# systemctl restart kubelet

In newer k8s versions it is recommended to put the configuration in /etc/kubernetes/kubelet-conf.yml; parameters, including the ones above, are gradually being moved into this file.

[root@k8s-master01 ~]# vim /etc/kubernetes/kubelet-conf.yml

Append at the end:

rotateServerCertificates: true
allowedUnsafeSysctls:     # by default pods may not change kernel parameters (connection concurrency, open file limits, etc.)
 - "net.core*"            # allow these kernel parameters to be changed; this may have security implications, configure as needed
 - "net.ipv4.*"
kubeReserved:             # resources reserved for the k8s components
  cpu: "1"
  memory: 1Gi
  ephemeral-storage: 10Gi
systemReserved:           # resources reserved for the system
  cpu: "1"
  memory: 1Gi
  ephemeral-storage: 10Gi

[root@k8s-master01 ~]# systemctl daemon-reload
[root@k8s-master01 ~]# systemctl restart kubelet
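After the restart it is useful to verify on each node that the hardening settings above actually landed. The following shell audit is added here and is not part of the original post; it checks a kubelet drop-in and kubelet-conf.yml for the two allowed cipher suites, rotateServerCertificates, any allowedUnsafeSysctls entries and the kubeReserved/systemReserved blocks, using two sample files constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: audit a kubelet systemd drop-in
# and kubelet-conf.yml for the settings configured above. Prints each finding
# and returns the number of FAILs (0 = every check passed).
audit_kubelet() {
  dropin=$1; conf=$2; problems=0
  # 1. Only the two GCM suites enabled above may appear in --tls-cipher-suites.
  #    A missing flag means kubelet falls back to Go's default list, which is
  #    what the vulnerability scanner complains about.
  suites=$(sed -n 's/.*--tls-cipher-suites=\([^ "]*\).*/\1/p' "$dropin")
  if [ -z "$suites" ]; then
    echo "FAIL: --tls-cipher-suites not set in $dropin"; problems=$((problems+1))
  else
    for s in $(printf '%s' "$suites" | tr ',' ' '); do
      case $s in
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) ;;
        *) echo "FAIL: unexpected cipher suite $s"; problems=$((problems+1)) ;;
      esac
    done
  fi
  # 2. Serving-certificate rotation must be on, otherwise the kubelet's own
  #    certificate simply expires at the end of its signing duration.
  grep -q '^rotateServerCertificates: *true' "$conf" \
    || { echo "FAIL: rotateServerCertificates is not true in $conf"; problems=$((problems+1)); }
  # 3. allowedUnsafeSysctls lets pods change kernel parameters; list each entry
  #    so the operator can confirm it is intended (a WARN, not a FAIL).
  sed -n '/^allowedUnsafeSysctls:/,/^[^ -]/p' "$conf" \
    | sed -n 's/^ *- *"\([^"]*\)".*/\1/p' \
    | while read -r sysctl; do echo "WARN: pods may set sysctl $sysctl"; done
  # 4. Both reservations must exist so workloads cannot starve kubelet or the OS.
  for key in kubeReserved systemReserved; do
    grep -q "^$key:" "$conf" || { echo "FAIL: $key missing in $conf"; problems=$((problems+1)); }
  done
  return $problems
}

# Constructed sample files (not copied from a real node) so this runs offline.
WORK=$(mktemp -d)
cat > "$WORK/10-kubelet.conf" <<'EOF'
[Service]
Environment="KUBELET_EXTRA_ARGS=--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 --image-pull-progress-deadline=30m"
EOF
cat > "$WORK/kubelet-conf.yml" <<'EOF'
rotateServerCertificates: true
allowedUnsafeSysctls:
 - "net.core*"
 - "net.ipv4.*"
kubeReserved:
  cpu: "1"
systemReserved:
  cpu: "1"
EOF
audit_kubelet "$WORK/10-kubelet.conf" "$WORK/kubelet-conf.yml" && echo "all kubelet checks passed"
```

On a real node, point it at /etc/systemd/system/kubelet.service.d/10-kubelet.conf and /etc/kubernetes/kubelet-conf.yml instead of the sample files.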
Modify node ROLES and labels

Currently ROLES shows <none>; set the ROLES of k8s-master01 to master.

k8s itself has no notion of which role a node plays: a master node simply has a few more components installed than a worker node, so the ROLES definition has to be assigned by a person.

[root@k8s-master01 ~]# kubectl get node
NAME           STATUS   ROLES    AGE   VERSION
k8s-master01   Ready    <none>   19h   v1.23.8
k8s-master02   Ready    <none>   19h   v1.23.8
k8s-master03   Ready    <none>   19h   v1.23.8
k8s-node01     Ready    <none>   19h   v1.23.8
k8s-node02     Ready    <none>   19h   v1.23.8
k8s-node03     Ready    <none>   19h   v1.23.8
[root@k8s-master01 ~]# kubectl get node --show-labels
NAME           STATUS   ROLES    AGE   VERSION   LABELS
k8s-master01   Ready    <none>   19h   v1.23.8   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-master01,kubernetes.io/os=linux,node.kubernetes.io/node=
k8s-master02   Ready    <none>   19h   v1.23.8   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-master02,kubernetes.io/os=linux,node.kubernetes.io/node=
k8s-master03   Ready    <none>   19h   v1.23.8   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-master03,kubernetes.io/os=linux,node.kubernetes.io/node=
k8s-node01     Ready    <none>   19h   v1.23.8   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-node01,kubernetes.io/os=linux,node.kubernetes.io/node=
k8s-node02     Ready    <none>   19h   v1.23.8   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-node02,kubernetes.io/os=linux,node.kubernetes.io/node=
k8s-node03     Ready    <none>   19h   v1.23.8   beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=k8s-node03,kubernetes.io/os=linux,node.kubernetes.io/node=
[root@k8s-master01 ~]# kubectl label node k8s-master01 node-role.kubernetes.io/master=''
node/k8s-master01 labeled
[root@k8s-master01 ~]# kubectl get node
NAME           STATUS   ROLES    AGE   VERSION
k8s-master01   Ready    master   19h   v1.23.8
k8s-master02   Ready    <none>   19h   v1.23.8
k8s-master03   Ready    <none>   19h   v1.23.8
k8s-node01     Ready    <none>   19h   v1.23.8
k8s-node02     Ready    <none>   19h   v1.23.8
k8s-node03     Ready    <none>   19h   v1.23.8

Production recommendations

1. In production, always install using the binary components.
2. etcd must be on a disk separate from the system disk, and it must be an SSD.
3. Keep the Docker data disk separate from the system disk, and use an SSD there too if possible.