1、主机及所需软件版本

操作系统版本:CentOS7

kubernetes版本:v1.20.5

containerd版本:1.4.4

crictl版本:v1.20.0

k8s-master: 172.21.204.110

k8s-node03: 172.21.204.113

2、主机初始化配置

# 替换CentOS 7的CentOS-Base.repo文件(用华为云的,可选)

cp -a /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
wget -O /etc/yum.repos.d/CentOS-Base.repo https://repo.huaweicloud.com/repository/conf/CentOS-7-reg.repo

或者(没有yum工具的情况下用curl -o)
curl -o /etc/yum.repos.d/CentOS-Base.repo https://repo.huaweicloud.com/repository/conf/CentOS-7-reg.repo

# 所有节点设置/etc/hosts主机名,请根据实际情况进行配置

vi /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.21.204.110 k8s-master
172.21.204.113 k8s-node03

# 验证mac地址uuid,保证各节点mac和uuid唯一

cat /sys/class/net/ens33/address
cat /sys/class/dmi/id/product_uuid

# 关闭防火墙

systemctl stop firewalld && systemctl disable firewalld

# 永久关闭seLinux(需重启系统生效)

setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config

# 关闭系统交换分区swap(k8s要求关闭swap)

swapoff -a

#注释掉/etc/fstab中的swap
vi /etc/fstab
#/dev/mapper/centos-swap     swap      swap     defaults     0     0

#确认swap是否被禁用(输出空值即为禁用)
cat /proc/swaps
Filename                                Type            Size    Used    Priority

# 加载所需内核模块

cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF

sudo modprobe overlay
sudo modprobe br_netfilter

# 加载ipvs模块(可选项,默认为iptables模式)
kuber-proxy代理支持iptables和ipvs两种模式,如果使用ipvs模式需要在初始化集群前所有节点加载ipvs模块并安装ipset工具,Linux kernel 4.19以上的内核版本使用nf_conntrack代替nf_conntrack_ipv4

cat > /etc/modules-load.d/ipvs.conf <<EOF
# Load IPVS at boot
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack_ipv4
EOF

systemctl enable --now systemd-modules-load.service

#确认内核模块加载成功
lsmod | grep -e ip_vs -e nf_conntrack_ipv4
# or
cut -f1 -d " "  /proc/modules | grep -e ip_vs -e nf_conntrack_ipv4

#安装ipset、ipvsadm
yum install -y ipset ipvsadm

# 设置sysctl 参数,允许iptables检查桥接流量,这些参数在重新启动后仍然存在

cat <<EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
net.bridge.bridge-nf-call-iptables  = 1
net.ipv4.ip_forward                 = 1
vm.swappiness                       = 0
net.bridge.bridge-nf-call-ip6tables = 1
EOF

#应用sysctl参数而无需重新启动
sudo sysctl --system

3、安装kubernetes组件

# 所有节点配置kubernetes软件源(使用阿里云镜像源)

cat > /etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

# 安装kubelet kubeadm kubectl组件,所有节点都需要执行(默认安装最新版本)

#默认安装最新版本
yum install -y kubelet kubeadm kubectl

#指定版本号安装
yum install -y kubelet-1.20.5-0.x86_64 kubeadm-1.20.5-0.x86_64 kubectl-1.20.5-0.x86_64

# 配置kubelet使用containerd作为容器运行时,指定cgroupDriver为systemd模式(两种方法实现)

方法一:
#配置kubelet使用containerd(所有节点都要配置cgroup-driver=systemd参数,否则node节点无法自动下载和创建pod)

cat > /etc/sysconfig/kubelet <<EOF
KUBELET_EXTRA_ARGS=--cgroup-driver=systemd
EOF

方法二:

#如果不想修改/etc/sysconfig/kubelet配置,kubeadm init必须使用yaml文件来初始化传递cgroupDriver参数,可以通过如下命令导出默认的初始化配置

kubeadm config print init-defaults > kubeadm-config.yaml

#然后根据自己的需求修改配置,比如修改imageRepository的值,kube-proxy模式为ipvs,需要注意的是由于使用containerd作为运行时,所以在初始化节点的时候需要指定cgroupDriver为systemd模式

apiVersion: kubeadm.k8s.io/v1beta2 
bootstrapTokens: 
- groups: 
  - system:bootstrappers:kubeadm:default-node-token 
  token: abcdef.0123456789abcdef 
  ttl: 24h0m0s 
  usages: 
  - signing 
  - authentication 
kind: InitConfiguration 
localAPIEndpoint: 
  advertiseAddress: 172.21.204.110  
  bindPort: 6443 
nodeRegistration: 
  criSocket: /run/containerd/containerd.sock  
  name: k8s-master 
  taints: 
  - effect: NoSchedule 
    key: node-role.kubernetes.io/master 
--- 
apiServer: 
  timeoutForControlPlane: 4m0s 
apiVersion: kubeadm.k8s.io/v1beta2 
certificatesDir: /etc/kubernetes/pki 
clusterName: kubernetes 
controllerManager: {} 
dns: 
  type: CoreDNS 
etcd: 
  local: 
    dataDir: /var/lib/etcd 
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers 
kind: ClusterConfiguration 
kubernetesVersion: v1.20.5 
networking: 
  dnsDomain: cluster.local 
  podSubnet: 192.168.0.0/16
  serviceSubnet: 10.96.0.0/12 
scheduler: {} 
--- 
apiVersion: kubeproxy.config.k8s.io/v1alpha1 
kind: KubeProxyConfiguration 
mode: ipvs 
--- 
apiVersion: kubelet.config.k8s.io/v1beta1 
kind: KubeletConfiguration 
cgroupDriver: systemd

# 设置kubelet开机自启

systemctl enable --now kubelet && systemctl restart kubelet

4、安装containerd容器组件

# 所有节点配置containerd软件源(containerd组件默认在docker-ce源中)

yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

# 查看containerd.io可用版本

yum search containerd.io --showduplicates

# 安装最新版containerd.io

yum install -y containerd.io

# 创建containerd配置文件config.toml

mkdir -p /etc/containerd
containerd config default | sudo tee /etc/containerd/config.toml

# 修改config.toml文件中的sandbox_image、endpoint、systemd cgroup参数

vi /etc/containerd/config.toml

[plugins."io.containerd.grpc.v1.cri"] 字段下的sandbox_image修改为如下
sandbox_image="registry.aliyuncs.com/google_containers/pause:3.2"

[plugins."io.containerd.grpc.v1.cri".registry]字段下的endpoint修改为如下
endpoint = ["https://registry.cn-hangzhou.aliyuncs.com"]

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]字段下的SystemdCgroup修改为如下
SystemdCgroup = true

# 或者使用sed脚本一键修改config.toml文件

sed -i "s#k8s.gcr.io#registry.aliyuncs.com/google_containers#g" /etc/containerd/config.toml
sed -i '/containerd.runtimes.runc.options/a\ \ \ \ \ \ \ \ \ \ \ \ SystemdCgroup = true' /etc/containerd/config.toml
sed -i "s#https://registry-1.docker.io#https://registry.cn-hangzhou.aliyuncs.com#g" /etc/containerd/config.toml

# 重启containerd.io

systemctl daemon-reload
systemctl enable containerd && systemctl restart containerd

# 安装CRI客户端工具crictl
工具下载地址:https://github.com/kubernetes-sigs/cri-tools/releases/

wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.20.0/crictl-v1.20.0-linux-amd64.tar.gz

sudo tar zxvf crictl-v1.20.0-linux-amd64.tar.gz -C /usr/local/bin

cat > /etc/crictl.yaml <<EOF
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF

#或者执行以下语句添加参数
crictl config runtime-endpoint unix:/run/containerd/containerd.sock

# 验证是否可用

crictl pull nginx
crictl rmi nginx
crictl images

# 重启containerd和kubelet

systemctl daemon-reload
systemctl restart containerd && systemctl restart kubelet

# 最后确认kubelet和containerd版本

containerd --version
kubelet --version

5、在master节点启动集群

方法一:使用配置文件初始化

kubeadm init --config=kubeadm-config.yaml

方法二:使用参数初始化(指定版本、master地址、基础镜像源地址、自定义ip地址)

kubeadm init --kubernetes-version=v1.20.5 --apiserver-advertise-address=172.21.204.110 --image-repository registry.cn-hangzhou.aliyuncs.com/google_containers --service-cidr=10.96.0.0/16 --pod-network-cidr=192.168.0.0/16
简化版初始化(使用calico网络组件)
kubeadm init --image-repository registry.aliyuncs.com/google_containers --pod-network-cidr=192.168.0.0/16

简化版初始化(使用flannel网络组件)
kubeadm init --image-repository registry.aliyuncs.com/google_containers --pod-network-cidr=10.244.0.0/16

# --image-repository:指定镜像源

# 执行初始化(这里使用calico网络组件初始化)

kubeadm init --image-repository registry.aliyuncs.com/google_containers --pod-network-cidr=192.168.0.0/16

# 启动之后,需要再执行以下,否则在使用kubectl的时候会报8080端口错误:

#非root用户
mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config

#root用户
export KUBECONFIG=/etc/kubernetes/admin.conf

6、部署calico网络组件(默认模式)

[root@k8s-master ~]# kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
configmap/calico-config created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrole.rbac.authorization.k8s.io/calico-node created
clusterrolebinding.rbac.authorization.k8s.io/calico-node created
daemonset.apps/calico-node created
serviceaccount/calico-node created
deployment.apps/calico-kube-controllers created
serviceaccount/calico-kube-controllers created
poddisruptionbudget.policy/calico-kube-controllers created

7、node节点加入

kubeadm join 172.21.204.110:6443 --token 7pw2tl.x2121e9p3dgr7ktb \
    --discovery-token-ca-cert-hash sha256:694e2924e2cf2211cefba492faf0259d0810d6afb72c5e941120b2911d8d18ab

默认方式添加node节点即可,不需要加--cri-socket /run/containerd/containerd.sock参数指定cri为containerd,kubernetes会自动寻找和加载containerd容器运行时

#查看node状态

[root@k8s-master ~]# kubectl get node
NAME         STATUS   ROLES                  AGE     VERSION
k8s-master   Ready    control-plane,master   3d21h   v1.20.5
k8s-node03   Ready    <none>                 3d21h   v1.20.5

# 查看pod状态

[root@k8s-master ~]# kubectl get pod -A
NAMESPACE              NAME                                         READY   STATUS      RESTARTS   AGE
kube-system            calico-kube-controllers-69496d8b75-drq6n     1/1     Running     0          3d21h
kube-system            calico-node-4x5rf                            1/1     Running     0          3d21h
kube-system            calico-node-8bn96                            1/1     Running     0          3d21h
kube-system            coredns-7f89b7bc75-7pzx8                     1/1     Running     0          3d21h
kube-system            coredns-7f89b7bc75-8frqs                     1/1     Running     0          3d21h
kube-system            etcd-k8s-master                              1/1     Running     0          3d21h
kube-system            kube-apiserver-k8s-master                    1/1     Running     0          3d21h
kube-system            kube-controller-manager-k8s-master           1/1     Running     0          3d21h
kube-system            kube-proxy-4hxhl                             1/1     Running     0          3d20h
kube-system            kube-proxy-bshbb                             1/1     Running     0          3d20h
kube-system            kube-scheduler-k8s-master                    1/1     Running     0          3d21h

8、kube-proxy开启ipvs(可选)

#修改kube-proxy的configmap参数,设置mode值为ipvs
[root@k8s-master ~]# kubectl -n kube-system edit cm kube-proxy

#查看是否修改成功
[root@k8s-master ~]# kubectl -n kube-system get cm kube-proxy -o yaml | grep mode
    mode: "ipvs"

#重启kube-proxy pod        
[root@k8s-master ~]# kubectl -n kube-system delete pods -l k8s-app=kube-proxy
#确认ipvs模式是否开启成功
[root@k8s-master ~]# kubectl -n kube-system logs kube-proxy-4hxhl | grep ipvs
I0329 08:23:06.791059       1 server_others.go:258] Using ipvs Proxier.
[root@k8s-master ~]# kubectl -n kube-system logs kube-proxy-bshbb | grep ipvs
I0329 08:23:18.380155       1 server_others.go:258] Using ipvs Proxier.

日志中打印出Using ipvs Proxier,说明ipvs模式已经开启。

# 查看ipvs转发状态

[root@k8s-master ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.96.0.1:443 rr
  -> 172.21.204.110:6443          Masq    1      0          0
TCP  10.96.0.10:53 rr
  -> 192.168.235.193:53           Masq    1      0          0
  -> 192.168.235.194:53           Masq    1      0          0
TCP  10.96.0.10:9153 rr
  -> 192.168.235.193:9153         Masq    1      0          0
  -> 192.168.235.194:9153         Masq    1      0          0
TCP  10.109.203.63:80 rr
  -> 192.168.135.130:80           Masq    1      0          5
UDP  10.96.0.10:53 rr
  -> 192.168.235.193:53           Masq    1      0          0
  -> 192.168.235.194:53           Masq    1      0          0