一、K8S集群规划

本文以安装K8S V1.22.0为例。

K8S集群节点规划:
  K8S-master01、K8S-master02、K8S-master03:K8S集群控制节点;
  K8S-node01、K8S-node02:K8S集群工作节点;

K8S集群硬件要求:
  K8S-master01~03:CPU 2*2C;MEM 2G;DISK 100G;网络:nat模式;系统:centos7;IP:192.168.1.201~203/24;
  K8S-node01、K8S-node02:CPU 2*2C;MEM 4G;DISK 100G;网络:nat模式;系统:centos7;IP:192.168.1.204~205/24;
  k8s-master0lb:192.168.1.236;该VIP不要和公司内网IP重复;
  docker版本:19.03.*;
  pod网段:172.168.0.0./12;
  service网段:10.96.0.0/12;

部署注意事项:
  centos7需升级最新版本,避免与K8S高版本出现不兼容情况;
  pod,service,宿主机网段不能重复;
  VIP不能与公司内网(包括宿主机)其他IP重复;
  centos7需要升级最新,centos8可按需升级系统,但尽量更新软件版本;
  内核必须升级4.18以上,否则会引起各种问题,如:磁盘空间不足但实际有空间,pod网络不通;

二、kubeadm工具进行K8S集群部署

×××××××××××××××××××××××××××以下内容在master01执行×××××××××××××××××××××××××××
1、创建centos7虚拟机;
2、安装centos7系统;
3、设置系统IP、网关、DNS等;
BOOTPROTO=none
IPADDR=192.168.1.201
PREFIX=24
GATEWAY=192.168.1.254
DNS1=192.168.1.254
4、xshell连接K8S-master01主机,进行集群部署。
hostnamectl set-hostname k8s-master01
×××××××××××××××××××××××××××以下内容在master02执行×××××××××××××××××××××××××××
1、创建centos7虚拟机;
2、安装centos7系统;
3、设置系统IP、网关、DNS等;
BOOTPROTO=none
IPADDR=192.168.1.202
PREFIX=24
GATEWAY=192.168.1.254
DNS1=192.168.1.254
4、xshell连接K8S-master02主机,进行集群部署。
hostnamectl set-hostname K8S-master02
×××××××××××××××××××××××××××以下内容在master03执行×××××××××××××××××××××××××××
1、创建centos7虚拟机;
2、安装centos7系统;
3、设置系统IP、网关、DNS等;
BOOTPROTO=none
IPADDR=192.168.1.203
PREFIX=24
GATEWAY=192.168.1.254
DNS1=192.168.1.254
4、xshell连接K8S-master03主机,进行集群部署。
hostnamectl set-hostname K8S-master03
×××××××××××××××××××××××××××以下内容在node01执行×××××××××××××××××××××××××××
1、创建centos7虚拟机;
2、安装centos7系统;
3、设置系统IP、网关、DNS等;
BOOTPROTO=none
IPADDR=192.168.1.204
PREFIX=24
GATEWAY=192.168.1.254
DNS1=192.168.1.254
4、xshell连接K8S-node01主机,进行集群部署。
hostnamectl set-hostname K8S-node01
×××××××××××××××××××××××××××以下内容在node02执行×××××××××××××××××××××××××××
1、创建centos7虚拟机;
2、安装centos7系统;
3、设置系统IP、网关、DNS等;
BOOTPROTO=none
IPADDR=192.168.1.205
PREFIX=24
GATEWAY=192.168.1.254
DNS1=192.168.1.254
4、xshell连接K8S-node02主机,进行集群部署。
hostnamectl set-hostname K8S-node02


×××××××××××××××××××××××××××以下内容在所有节点执行×××××××××××××××××××××××××××
echo '
192.168.1.201  k8s-master01
192.168.1.202  k8s-master02
192.168.1.203  k8s-master03
192.168.1.204  k8s-node01
192.168.1.205  k8s-node02
192.168.1.236  k8s-master01-lb
' >>/etc/hosts
hostname;cat /etc/hosts
###添加centos7及k8s的国内repo源
cd;mv /etc/yum.repos.d{,.bak.`date +%y%m%d`};mkdir /etc/yum.repos.d/;cd /etc/yum.repos.d/
curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
curl -o /etc/yum.repos.d/centos7.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
cat <<eof> kubernetes.repo
[kubernetes]
name=kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgchek=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
eof
yum clean all;yum makecache fast;yum repolist all

yum -y install yum-utils device-mapper-persistent-data lvm2  #安装docker必备工具;
yum -y install conntrack-tools wget jq psmisc vim-enhanced net-tools telnet git ntpdate ntp ipvsadm ipset iptables curl sysstat libseccomp #安装系统所需工具;

##设置防火墙为iptables并设置空规则
systemctl stop firewalld && systemctl disable firewalld;yum -y install iptables-services && systemctl start iptables && systemctl enable iptables && iptables -F && service iptables save
systemctl status firewalld;systemctl status iptables

##关闭selinux
setenforce 0 && sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
getenforce;grep -Ev '^#|^$' /etc/selinux/config

##关闭虚拟内存;
swapoff -a && sed -i '/ swap /s/^\(.*\)$/#\1/g' /etc/fstab 

##设置系统时区
timedatectl set-timezone Asia/Shanghai
timedatectl set-local-rtc 0                 #将当前UTC时间写入硬件时钟;

##同步各节点时间,若时间不同步可能引起证书不可用的情况;
yum -y install ntpdate                                              #centos7.9及以后版本不再使用该工具;
ntpdate ntp1.aliyun.com;hwclock --systohc                           #同步系统时钟及硬件时钟;
date;hwclock
cat <<eof>> /etc/crontab                                            #若是非root账户,则手动crontab -e添加定期同步时钟任务;
0 10 * * * root /usr/sbin/ntpdate ntp1.aliyun.com                   #各节点每天早上10:00同步时钟;
10 10 * * * root hwclock --systohc  #各节点每天早上10:10同步时钟;
eof

##设置所有节点limit并使之永久生效;
ulimit -SHn 65535
cat <<eof>> /etc/security/limits.conf
* soft nofile 655360
* hard nofile 131072
* soft nproc 655350
* hard nproc 655350
* soft memlock unlimited
* hard memlock unlimited
eof
tail /etc/security/limits.conf


×××××××××××××××××××××××××××以下内容在master01执行×××××××××××××××××××××××××××
###生成ssh密钥对
ssh-keygen -t rsa
    # ~~~默认enter
    # ~~~默认enter
cd /root/.ssh
for i in K8S-master01 K8S-master02 K8S-master03 K8S-node01 K8S-node02;do ssh-copy-id -i id_rsa.pub $i;done
    # ~~~yes
    #       目的主机密码;

×××××××××××××××××××××××××××以下内容在所有节点执行×××××××××××××××××××××××××××
yum -y update --exclude=kernel*             #centos7需要升级最新,centos8可按需升级系统;
cat /etc/system-release                     #centos版本升级为最新7.9;
wget http://193.49.22.109/elrepo/kernel/el7/x86_64/RPMS/kernel-ml-devel-4.19.12-1.el7.elrepo.x86_64.rpm
wget http://193.49.22.109/elrepo/kernel/el7/x86_64/RPMS/kernel-ml-4.19.12-1.el7.elrepo.x86_64.rpm
yum -y localinstall kernel-ml*
awk -F \' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg  #查看所有内核启动顺序;kernel-ml-4.19.12-1.el7.elrepo.x86_64
grub2-set-default 0         #设置序号为0的内核为默认启动项;
grub2-editenv list          #确认当前的默认启动内核;
reboot      #重启后使内核生效;
cat /etc/system-release && uname -a

##所有节点配置ipvs模块;内核4.18-版本为nf_conntrack_ipv4;内核4.19+版本已经修改为nf_conntrack;生产环境建议使用ipvs,不使用iptables;
#安装ipvsadm相关软件,已执行;
cat <<eof> /etc/sysconfig/modules/ipvs.modules
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack
eof
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules
cat <<eof> /etc/modules-load.d/ipvs.conf
ip_vs
ip_vs_lc
ip_vs_wlc
ip_vs_wrr
ip_vs_lblc
ip_vs_lblcr
ip_vs_dh
ip_vs_sh
ip_vs_fo
ip_vs_nq
ip_vs_sed
ip_vs_ftp
ip_vs_sh
nf_contrack
ip_tables
ip_set
xt_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip
eof
systemctl enable --now systemd-modules-load.service
systemctl status systemd-modules-load.service

##开启K8S必需的内核参数,除前3条外其他为优化项。
cat  <<eof> /etc/sysctl.d/kubernetes.conf
net.bridge.bridge-nf-call-iptables=1    #前2条为开启网桥模式,必做,否则安装K8S会报错。
net.bridge.bridge-nf-call-ip6tables=1   #前2条为开启网桥模式,必做,否则安装K8S会报错。
net.ipv6.conf.all.disable_ipv6=1        #关闭IPv6,必做,否则安装K8S会报错。
net.ipv4.ip_forward=1
net.ipv4.tcp_tw_recycle=0
net.ipv4.tcp_keepalive_time=600
net.ipv4.tcp_keepalive_probes=3
net.ipv4.tcp_keepalive_intvl=15
net.ipv4.tcp_max_tw_buckets=36000
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_max_orphans=327680
net.ipv4.tcp_orphans_retries=3
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=16384
net.ipv4.ip_conntrack_max=65536
net.ipv4.tcp_max_syn_backlog=16384
net.ipv4.tcp_timestamps=0
net.core.somaxconn=16384
vm.swappiness=0                         #禁止使用swap空间,只有当系统OOM时才允许使用它;
vm.overcommit_memory=1                  #不检查物理内存是否够用;
vm.panic_on_oom=0                       #开启OOM;
fs.may_detach_mounts=1
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=89100
fs.file-max=52706963
fs.nr_open=52706963
net.netfilter.nf_conntrack_max=2310720
eof
modprobe br_netfilter #加载模块,使得/proc/sys/net/bridge/bridge-nf-call-iptables、/proc/sys/net/bridge/bridge-nf-call-ip6tables文件存在:
sysctl -p /etc/sysctl.d/kubernetes.conf #加载指定文件;
sysctl --system #从所有系统目录中加载;
reboot
ls /proc/sys/net/bridge && lsmod |grep --color=auto -e ip_vs -e nf_conntrack    #检测是否加载成功;

 

kubernetes cp 下载文件_IP

kubernetes cp 下载文件_IP_02

##安装docker软件
#添加docker-ce.repo,已执行;
yum list --showduplicates docker-ce*
yum -y install docker-ce-19.03* docker-client-19.03*
mkdir /etc/docker
##native.cgroupdriver=systemd表示交由systemd进行cgroup执行隔离;日志修改为json-file存储类型,大小为100M;
cat > /etc/docker/daemon.json <<eof
{
    "exec-opts":["native.cgroupdriver=systemd"],
    "log-driver":"json-file",
    "log-opts":{
        "max-size":"100m"
    }
}
eof
mkdir -p /etc/systemd/system/docker.service.d
systemctl daemon-reload && systemctl --now enable docker
systemctl status docker
docker version

kubernetes cp 下载文件_kubernetes cp 下载文件_03

×××××××××××××××××××××××××××以下内容在所有master节点执行×××××××××××××××××××××××××××
##安装高可用组件
######若为单节点则无需执行,本节采用haproxy+keepalived进行高可用配置;如果使用云上的lb,则也不需执行该节(如腾讯云elb---》apiserver),但是阿里云slb因回环设置防止路由黑洞的原因,需要执行该节进行haproxy+keepalived安装(阿里云slb---》haproxy---》apiserver);
yum -y install haproxy keepalived
cp /etc/haproxy/haproxy.cfg{,.bak}
cat <<eof> /etc/haproxy/haproxy.cfg
global
    maxconn     2000
    ulimit-n    16384
    log         127.0.0.1 local0 err
    stats timeout 30s

defaults
    mode                    http
    log                     global
    option                  httplog
    timeout connect         5000
    timeout client          50000
    timeout server          50000
    timeout http-request    15s
    timeout http-keep-alive 15s

frontend monitor-in
    bind *:33305
    mode http
    option httplog
    monitor-uri /monitor

frontend K8S-master
    bind 0.0.0.0:16443
    bind 127.0.0.1:16443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    default_backend k8s-master

backend k8s-master
    mode tcp
    option tcplog
    option tcp-check
    balance roundrobin
    default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
    server k8s-master01 192.168.1.201:6443 check
    server k8s-master02 192.168.1.202:6443 check   
    server k8s-master03 192.168.1.203:6443 check
eof


systemctl restart haproxy;systemctl status haproxy
##########k8s-master01执行如下内容#################################
cp /etc/keepalived/keepalived.conf{,.bak}
cat <<eof> /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   # notification_email {
   #   13802883042@139.com
   # }
   # smtp_server 127.0.0.1
   # smtp_connect_timeout 30
   router_id LVS_DEVEL
   script_user root
   enable_script_security
}

vrrp_script chk_apiserver {
    script "/etc/keepalived/check_apiserver.sh"
    interval 5
    weight -5
    fall 2
    rise 1
}

vrrp_instance VI_1 {
    state MASTER
    interface ens33            #根据实际节点修改;
    mcast_src_ip 192.168.1.201 #根据实际节点修改;
    virtual_router_id 51
    priority 100
    advert_int 2
    # smtp alert
    # nopreempt
    # track_interface {
    #     bond0.736
    # }
    track_script {
        chk_apiserver #开启健康检查
    }
    authentication {
        auth_type PASS
        auth_pass K8SHA_KA_AUTH
    }
    virtual_ipaddress {
        192.168.1.236
    }
}
eof
##########k8s-master02执行如下内容#################################
cp /etc/keepalived/keepalived.conf{,.bak}
cat <<eof> /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   # notification_email {
   #   13802883042@139.com
   # }
   # smtp_server 127.0.0.1
   # smtp_connect_timeout 30
   router_id LVS_DEVEL
   script_user root
   enable_script_security
}

vrrp_script chk_apiserver {
    script "/etc/keepalived/check_apiserver.sh"
    interval 5
    weight -5
    fall 2
    rise 1
}

vrrp_instance VI_1 {
    state MASTER
    interface ens33            #根据实际节点修改;
    mcast_src_ip 192.168.1.202 #根据实际节点修改;
    virtual_router_id 51
    priority 101
    advert_int 2
    # smtp alert
    # nopreempt
    # track_interface {
    #     bond0.736
    # }
    track_script {
        chk_apiserver #开启健康检查
    }
    authentication {
        auth_type PASS
        auth_pass K8SHA_KA_AUTH
    }
    virtual_ipaddress {
        192.168.1.236
    }
}
eof

##########k8s-master03执行如下内容#################################
cp /etc/keepalived/keepalived.conf{,.bak}
cat <<eof> /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   # notification_email {
   #   13802883042@139.com
   # }
   # smtp_server 127.0.0.1
   # smtp_connect_timeout 30
   router_id LVS_DEVEL
   script_user root
   enable_script_security
}

vrrp_script chk_apiserver {
    script "/etc/keepalived/check_apiserver.sh"
    interval 5
    weight -5
    fall 2
    rise 1
}

vrrp_instance VI_1 {
    state MASTER
    interface ens33            #根据实际节点修改;
    mcast_src_ip 192.168.1.203 #根据实际节点修改;
    virtual_router_id 51       
    priority 102
    advert_int 2
    # smtp alert
    # nopreempt
    # track_interface {
    #     bond0.736
    # }
    track_script {         
        chk_apiserver       #开启健康检查
    }
    authentication {
        auth_type PASS
        auth_pass K8SHA_KA_AUTH
    }
    virtual_ipaddress {
        192.168.1.236
    }
}
eof

×××××××××××××××××××××××××××以下内容在所有master节点执行×××××××××××××××××××××××××××
cat <<eof> /etc/keepalived/check_apiserver.sh
#!/bin/bash
err=0
for k in $(seq 1 3)
do
    check_code=$(pgrep haproxy)
    if [[ $check_code == "" ]];then
        err=$(expr $err + 1)
        sleep 1
        continue
    else
        err=0
        break
    fi
done

if [[ $err != "0" ]];then
    echo "systemctl stop keepalived"
    /usr/bin/systemctl stop keepalived
    exit 1
else
    exit 0
fi
eof
chmod +x /etc/keepalived/check_apiserver.sh
systemctl enable --now haproxy;systemctl enable --now keepalived
systemctl status haproxy;systemctl status keepalived
ping 192.168.1.236 -c 5
netstat -anptu |grep 16443
telnet 192.168.1.201 6443
telnet 192.168.1.236 16443  #如果vip端口不通,则需排查防火墙,selinux、网络及软件配置问题。

kubernetes cp 下载文件_centos_04

kubernetes cp 下载文件_IP_05

 

×××××××××××××××××××××××××××以下内容在所有节点执行×××××××××××××××××××××××××××
##安装kubeadm;在前面已添加kubernetes.repo;
yum list kubeadm --showduplicates | sort -r
yum -y install kubeadm-1.22.0 kubectl-1.22.0 kubelet-1.22.0 #生产环境一般使用小版本≥5;该版本会要求下载K8S 1.15.*镜像;
yum list kube*
#默认配置的pause镜像使用改成人gcr.io仓库,以下修改kubelet为阿里云的pause镜像源;
cat <<eof> /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS="--cgroup-driver=systemd --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.2"
eof
cat /etc/sysconfig/kubelet
systemctl enable --now kubelet.service
systemctl status kubelet.service
kubeadm version;kubelet --version;kubectl version

kubernetes cp 下载文件_kubernetes cp 下载文件_06

###初始化主节点;
×××××××××××××××××××××××××××以下内容在master01节点执行×××××××××××××××××××××××××××
cat <<EOF> kubeadm.yaml 
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.22.0
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
controlPlaneEndpoint: "192.168.1.236:16443"
networking:
  dnsDomain: cluster.local
  podSubnet: 172.168.0.0/12
  serviceSubnet: 10.96.0.0/12
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
  SupportIPVSProxyMode: true
mode: ipvs
EOF
for i in K8S-master02 K8S-master03;do scp kubeadm.yaml  $i:/root/kubeadm.yaml ;done

×××××××××××××××××××××××××××以下内容在所有master节点执行×××××××××××××××××××××××××××
###提前拉取镜像
kubeadm config images pull --config kubeadm.yaml
docker pull registry.aliyuncs.com/google_containers/coredns:1.8.4 && docker tag registry.aliyuncs.com/google_containers/coredns:1.8.4 registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:v1.8.4 #K8S拉取coredns:v1.8.4;使用K8S拉取coredns并重新标记即可;
docker images

×××××××××××××××××××××××××××以下内容在master01节点执行×××××××××××××××××××××××××××
kubeadm init --config kubeadm.yaml --upload-certs  |tee kubeadm-init.log #初始化成功后,会产生token值,用于其他节点加入时使用,需要记录下来,但有时间限制;
systemctl status kubelet

kubernetes cp 下载文件_centos_07

kubernetes cp 下载文件_kubernetes cp 下载文件_08

×××××××××××××××××××××××××××以下内容在其他master节点执行×××××××××××××××××××××××××××
kubeadm join 192.168.1.236:16443 --token 4l6imf.zamuu4yh2lgtpy14 \
      --discovery-token-ca-cert-hash sha256:14fbcdb93973ad6e7d59212436f769f03aac9e76fa9e01ff7b3cd1b68dc29f96 \
      --control-plane --certificate-key a6282d409a071ac32b15376df671e7c40d0bc9477d607ea69959c212bdfdb74b
×××××××××××××××××××××××××××以下内容在所有worker节点执行×××××××××××××××××××××××××××
kubeadm join 192.168.1.236:16443 --token 4l6imf.zamuu4yh2lgtpy14 \
        --discovery-token-ca-cert-hash sha256:14fbcdb93973ad6e7d59212436f769f03aac9e76fa9e01ff7b3cd1b68dc29f96
×××××××××××××××××××××××××××以下内容在master01节点执行×××××××××××××××××××××××××××
mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config                      #查询K8S集群有哪些node;由于采用扁平化网络,且未安装flannel插件,故status为NotReady;
kubectl label node k8s-node01 node-role.kubernetes.io/node=node #修改node的role标签;
kubectl label node k8s-node02 node-role.kubernetes.io/node=node #修改node的role标签;
kubectl get nodes
kubectl get pod -n kube-system
kubectl get svc

kubernetes cp 下载文件_kubernetes cp 下载文件_09