K8s集群平台
软硬件环境清单
架构:使用kubeadm实现k8s+docker+cri-dockerd实现集群部署
使用三台虚拟机实现
| 主机名 | IP地址 | 硬件 | 软件 |
| k8s-master | 192.168.12.203/24 | cpu:2颗2核 内 存:4GB HDD:20GB 网 络:NAT | VmWare17.6 Centos7.9 docker26.1.4 kubelet1.28.0 kubeadm1.28.0 kubectl1.28.0 cri-dockerd0.3.2 calico3.25 kuboard v3 |
| k8s-node1 | 192.168.12.204/24 | cpu:1颗2核 内 存:4GB HDD:20GB 网 络:NAT | VmWare17.6 Centos7.9 docker26.1.4 kubelet1.28.0 kubeadm1.28.0 kubectl1.28.0 cri-dockerd0.3.2-3 |
| k8s-node2 | 192.168.12.205/24 | cpu:1颗2核 内 存:4GB HDD:20GB 网 络:NAT | VmWare17.6 Centos7.9 docker26.1.4 kubelet1.28.0 kubeadm1.28.0 kubectl1.28.0 cri-dockerd0.3.2-3 |
替换yum源
配置静态
vi /etc/sysconfig/network-scripts/ifcfg-ens32例如:
# Generated by dracut initrd
NAME="ens32"
DEVICE="ens32"
ONBOOT=yes
NETBOOT=yes
UUID="7e65296d-c761-4002-80ab-0543cee4f60d"
IPV6INIT=yes
BOOTPROTO=none
IPADDR="192.168.88.200"
NETMASK="255.255.255.0"
GATEWAY="192.168.88.2"
DNS1="114.114.114.114"
TYPE=Ethernet
重启服务:
systemctl restart network关闭安全软件:
systemctl stop firewalld
systemctl disable firewalld
vi /etc/selinux/config
关闭swap空间
swapoff -a
sed -i '/swap/ s/^/#/' /etc/fstab
重启:
reboot域名映射
vim /etc/host
cat << EOF >> /etc/hosts
192.168.12.203 k8s-master
192.168.12.204 k8s-node1
192.168.12.205 k8s-node2
EOF
下载升级软件
[root@localhost ~]# yum install chrony vim tree net-tools wget -y
[root@localhost ~]# yum update -y
使用xftp上传新内核kernelkernel-ml-5.10.48
[root@localhost ~]# yum install kernel-ml-5.10.48-1.el7.x86_64.rpm -y设置grub2默认引导为0
[root@ocalhost ~]# grub2-set-default 0重新生成grub2引导文件
[root@ocalhost ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
重启:
reboot查看内核是否修改成功:
uname -r
设置主机名
[没有设置的进行设置]
[root@localhost ~]# hostnamectl set-hostname k8s-master
[root@localhost ~]# hostnamectl set-hostname k8s-node1
[root@localhost ~]# hostnamectl set-hostname k8s-node2[root@localhost ~]# reboot修改linux的内核参数,添加网桥过滤和地址转发功能
vim /etc/sysctl.d/k8s.conf编辑/etc/sysctl.d/k8s.conf文件,添加如下配置:
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness=0
重新加载配置
sysctl -p /etc/sysctl.d/k8s.conf
确认网桥转发已经是1:【查看是否生效】
sysctl net.bridge.bridge-nf-call-iptables
【注意:
配置ipvs功能,在kubernetes中service有两种代理模型,一种是基于iptables的,一种是基于ipvs的,两者比较的话,ipvs的性能明显要高一些,但是如果要使用它,需要手动载入ipvs模块
】
1 安装ipset和ipvsadm
yum install ipset ipvsadm -y【注意:
如果没有下载成功,出现以下状况,
请按照以下方式逐一排查:
1.查看网络是否通畅:
ping www.baidu.com2.注意这句话,查看一下yum源
cd /etc/yum.repos.d/
yum源文件中突然出现好多文件,请按照下面的方式进行处理:
重新拉入yum源
下载:
yum install ipset ipvsadm -y
下载完成,问题成功解决
】
2 添加需要加载的模块写入脚本文件
cat << EOF > /etc/sysconfig/modules/ipvs.modules
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack
EOF3 为脚本文件添加执行权限
chmod +x /etc/sysconfig/modules/ipvs.modules4 执行脚本文件
/bin/bash /etc/sysconfig/modules/ipvs.modules5 查看对应的模块是否加载成功
lsmod | grep -e ip_vs -e nf_conntrack_ipv4
设置时间同步
修改配置文件
vim /etc/chrony.conf 
启动chronyd服务
systemctl enable --now chronyddate
k8s环境准备
安装docker
三台主机都需要安装
配置docker源
curl -o /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
查看yum源库是否有增加:
安装docker:
yum install docker-ce -y配置镜像加速器及Cgroup Driver:
【
配置镜像加速器的方法:设置镜像加速器_镜像管理_用户指南(共享版)_容器镜像服务 SWR-华为云
华为云--->控制台--->登录[注册]--->登录容器镜像服务控制台--->在左侧导航栏选择“镜像资源 > 镜像中心”--->镜像加速器:容器镜像服务-控制台
】
vim /etc/docker/daemon.json {"exec-opts": ["native.cgroupdriver=systemd"],"registry-mirrors": [ "https://8cdf32a387b744b2940801aa00322980.mirror.swr.myhuaweicloud.com" ,"https://docker.1ms.run","https://docker.1panel.live/" ]}
启动并开机启动:
systemctl enable --now docker
查看镜像加速器是否添加成功:
docker info
驱动已更改:
安装cri-dockerd
三台主机都需安装
【
作用:Docker与Kubernetes通信的中间程序
】
【
K8s的1.24版本以后移除了docker-shim,而Docker Engine默认又不支持CRI规范,因而二者将无法直接完成整合,为此,Mirantis和Docker联合创建了cri-dockerd项目,用于为Docker Engine提供一个能够支持到CRI的规范,从而能够让Kubernetes基于CRI控制Docker ,所以想在K8s的1.24版本及以后的版本中使用docker,需要安装cri-dockerd,然后K8s集群通过cri-dockerd联系到docker(注意每个节点都要安装)
】
项目地址:https://github.com/Mirantis/cri-dockerd/releases
下载:【下不下来,用迅雷下,然后传到虚拟机】
wget https://github.com/Mirantis/cri-dockerd/releases/download/v0.3.2/cri-dockerd-0.3.2-3.el7.x86_64.rpm
用rpm红帽管理器安装:
rpm -ivh cri-dockerd-0.3.2-3.el7.x86_64.rpm
配置服务并启动;
修改启动文件 /usr/lib/systemd/system/cri-docker.service:
vim /usr/lib/systemd/system/cri-docker.service注意:修改修改ExecStart=改行值
改前:
改后:
内容:
ExecStart=/usr/bin/cri-dockerd --container-runtime-endpoint fd:// --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9 --network-plugin=cni --cni-bin-dir=/opt/cni/bin --cni-cache-dir=/var/lib/cni/cache --cni-conf-dir=/etc/cni/net.d启动cri-docker:
systemctl daemon-reloadsystemctl enable --now cri-docker
systemctl status cri-docker
docker的状态:
systemctl status docker
安装k8s
三台主机都需安装
配置阿里源:
cat > /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
查看yum源仓库有没有增加:
ls /etc/yum.repos.d/
【
安装k8s工具
-
kubeadm:用于初始化集群,并配置集群所需的组件并生成对应的安全证书和令牌;
-
kubelet:负责与 Master 节点通信,并根据 Master 节点的调度决策来创建、更新和删除 Pod,同时维护 Node 节点上的容器状态;
-
kubectl:用于管理k8集群的一个命令行工具;
】
yum install kubelet-1.28.0 kubeadm-1.28.0 kubectl-1.28.0 -y【
注意:版本兼容性要求严格,下载好不要随便升级
】
设置kubelet开机启动:【注意:不需要直启动,初始化过程会启动】
systemctl enable kubelet
拍摄快照:
关闭虚拟机,同时克隆两台机子
如上克隆两台,并设置虚拟机名字为k8s-node1,k8s-node2。
修改k8s-node1,k8s-node2的IP地址:
nmtui
删除再激活一下:
【右上角按两次,一次删除,一次激活】
修改虚拟机名字:
同上设置两台克隆好的机子。
由于所有虚拟机已经重启,所有我们需要看一个每一台虚拟机的各个服务有没有全部启动:
查看一下所有虚拟机网络是否通:
ping www.qq.com查看内核是否有问题:
uname -r
网桥转发有没有开:
sysctl net.bridge.bridge-nf-call-iptables
查看模块是否加载:
lsmod | grep -e ip_vs -e nf_conntrack_ipv4
查看时间是否同步:
date
查看docker是否启动:
systemctl status docker
查看cri是否启动:
systemctl status cri-docker
查看k8s是否启动:
systemctl enable kubelet
【
注意:
截止目前k8s的初始化已经完成,三台虚拟机检查完毕
】
集群搭建
k8s-master节点初始化:
kubeadm init --kubernetes-version=v1.28.0 --pod-network-cidr=10.224.0.0/16 --apiserver-advertise-address=192.168.12.203 --cri-socket unix:///var/run/cri-dockerd.sock --image-repository registry.aliyuncs.com/google_containers
节点初始化成功后-截图内容解释:
[init] Using Kubernetes version: v1.28.0
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [k8s-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.88.200]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [k8s-master localhost] and IPs [192.168.88.200 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [k8s-master localhost] and IPs [192.168.88.200 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 3.504069 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node k8s-master as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node k8s-master as control-plane by adding the taints [node-role.kubernetes.io/control-plane:NoSchedule]
[bootstrap-token] Using token: r57wjp.3eow3y22q1rc22b7
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxyYour Kubernetes control-plane has initialized successfully! # 成功To start using your cluster, you need to run the following as a regular user:
# 普通账户执行:mkdir -p $HOME/.kubesudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/configsudo chown $(id -u):$(id -g) $HOME/.kube/configAlternatively, if you are the root user, you can run:# root账户执行:export KUBECONFIG=/etc/kubernetes/admin.conf # 认证You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:https://kubernetes.io/docs/concepts/cluster-administration/addons/Then you can join any number of worker nodes by running the following on each as root:# 节点加入命令
kubeadm join 192.168.88.200:6443 --token r57wjp.3eow3y22q1rc22b7 \--discovery-token-ca-cert-hash sha256:8310ae1d4cb3cd90a5a5e394c86aa8ee111fd61af88068da36bc7607c93c4a43 【
注意:
如果master的节点初始化错误,请按照以下步骤执行:
说明 1:加入指令可以通过如下命令重复获取
kubeadm token create --print-join-command说明 2:初始化失败可以用 reset 指令重置,解决问题后重新初始化
kubeadm reset --cri-socket unix:///var/run/cri-dockerd.sock说明 3:查看日志
journalctl -f -u kubelet说明 4:token 失效处理
# 重新生成token
kubeadm token create
abcdef.0123456789abcdef # 获取ca证书sha256编码hash值
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
b615fccddcd4e80fc6f9c5e477bfc7a053b017660b73fdeccf89c559739664d7# 将新的node节点加入到k8s集群中
kubeadm join node主机ip地址:6443 --token abcdef.0123456789abcdef \--discovery-token-ca-cert-hash sha256:b615fccddcd4e80fc6f9c5e477bfc7a053b017660b7】
k8s-master节点配置认证文件
根据初始化的提示完成认证
若当前为root账户,则使用下列命令配置认证
vim /etc/profile在底部更新环境变量:
export KUBECONFIG=/etc/kubernetes/admin.conf
让环境变量生效:
source /etc/profile
【
注意:
若当前为普通账户,则使用下列命令配置认证
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config】
node节点加入集群
根据初始化的信息提示,使用下面命令加入集群
在master查看令牌:
复制令牌到node1,node2:
kubeadm join 192.168.12.203:6443 --token d3lh75.7vk8icnd2ou1xj5g \--discovery-token-ca-cert-hash sha256:6df220fc63a5b97c8c81752081be849785d72d972c5727310eff89e043819636 --cri-socket unix:///var/run/cri-dockerd.sock
【
注意:
如果出现错误,显示cri-docker未开启:
kubeadm join 192.168.12.203:6443 --token d3lh75.7vk8icnd2ou1xj5g \
> --discovery-token-ca-cert-hash sha256:6df220fc63a5b97c8c81752081be849785d72d972c5727310eff89e043819636
按照以下方式解决:
查看cri-docket的状态:
systemctl status cri-docker
查看docker的状态:
systemctl status docker
找到问题,需要增加一条关于cri的路径记录:
kubeadm join 192.168.12.203:6443 --token d3lh75.7vk8icnd2ou1xj5g \--discovery-token-ca-cert-hash sha256:6df220fc63a5b97c8c81752081be849785d72d972c5727310eff89e043819636 --cri-socket unix:///var/run/cri-dockerd.sock
问题成功解决
】
使用kubectl工具查看节点状态:
master端进行:
kubectl get nodes
【注:由于网络插件还没有部署,节点会处于"NotReady"状态】
修改2个woker节点的标签名:
kubectl label node k8s-node1 node-role.kubernetes.io/worker=worker kubectl label node k8s-node2 node-role.kubernetes.io/worker=worker 
修改后角色方面由<none>变为worker:
配置calico网络插件
master端执行:
wget https://docs.projectcalico.org/manifests/calico.yaml修改配置:
vim calico.yaml 【小知识:
给文档每一行加上序号:
set nu过滤:
/ 语句】
去掉框内文字的注释并修改:
处理前:
处理后:【修改的网段要求和初始化设置的网段完全一样】
【注意:格式必须严格要求,稍有不同意就会出错】
在框住的下面增加两行内容:【注意:添加的网卡是自己的网卡,例如我的网卡是ens33,不知道就ip a查看网卡】
- name: IP_AUTODETECTION_METHOD
value: "interface=ens33" 
修改value的为never:
修改后:
【注意:使用空格作为间隔符,不要用tab键】保存,并退出。
应用配置:
kubectl apply -f calico.yaml 
查看node状态:【注意:若出现NotReady,需要等待片刻在重新查看(1分钟左右)】
kubectl get node
【说明三个节点(master,node1,node2)的网卡已全部通信】
查看网卡:
ip a
【增加了很多网卡】
查看详细的node节点信息:
kubectl get node -o wide
查看系统管理配件pods的所有状态:【注意 READY列都是1 表示以启动】
kubectl get pods -n kube-system
设置kubectl命令自动补全
【想设置就设置,不想设置就不设置,看心情,目前位置集群已经设置完毕】
[root@k8s-master ~]# yum install bash-completion -y
[root@k8s-master ~]# source /usr/share/bash-completion/bash_completion
[root@k8s-master ~]# source <(kubectl completion bash)
[root@k8s-master ~]# echo "source <(kubectl completion bash)" >> ~/.bashrc安装可视化平台
使用该软件,据说比较好用,网址:Kuboard_Kubernetes教程_K8S安装_管理界面
【有两种安装方式官网有详细介绍,建议用docker安装】
使用docker安装
在master端上执行:
拉去可视化平台:
docker run -d --restart=unless-stopped --name=kuboard -p 2728:80/tcp -p 10081:10081/tcp -e KUBOARD_ENDPOINT="http://192.168.12.203:2728" -e KUBOARD_AGENT_SERVER_TCP_PORT="10081" -v /root/kuboard-data:/data eipwork/kuboard:v3
【
注意:
# 注意:
# -p 2728:80/tcp \ # 宿主机端口可以修改为任意未使用端口
# -e KUBOARD_ENDPOINT="http://192.168.12.203:2728" \ # 改为k8s-master的ip
(原因:80端口的太多了,怕撞了。所以我自定义改为2728)
】
查看一下拉好的:
docker ps
浏览器访问并配置
打开浏览器输入:http://192.168.12.203:2728
登录
账户:admin
密码:Kuboard123
进入界面:
添加集群:
输入名称:k8s-test (不能有中文)
描述:自定
点击复制按钮,将脚本内容粘贴到k8s-master端后复制红色字段内容在粘贴回浏览器页面的 Token对话框中
Apiserver 地址:https://192.168.88.200:6443 (替换为你的k8s-master的ip)
点击确定
复制内容:
cat << EOF > kuboard-create-token.yaml
---
apiVersion: v1
kind: Namespace
metadata:name: kuboard---
apiVersion: v1
kind: ServiceAccount
metadata:name: kuboard-adminnamespace: kuboard---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: kuboard-admin-crb
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: cluster-admin
subjects:
- kind: ServiceAccountname: kuboard-adminnamespace: kuboard---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:annotations:kubernetes.io/service-account.name: kuboard-adminname: kuboard-admin-tokennamespace: kuboard
EOFkubectl apply -f kuboard-create-token.yaml
echo -e "\033[1;34m将下面这一行红色输出结果填入到 kuboard 界面的 Token 字段:\033[0m"
echo -e "\033[31m$(kubectl -n kuboard get secret $(kubectl -n kuboard get secret kuboard-admin-token | grep kuboard-admin-token | awk '{print $1}') -o go-template='{{.data.token}}' | base64 -d)\033[0m"
填写表单:
集群概要:
各个节点展示:
服务部署
部署nginx服务
master端执行下列命令:
kubectl create deployment nginx --image=nginx:latest
kubectl expose deployment nginx --port=80 --type=NodePort
查看服务是否存在:【注意nginx映射端口】
kubectl get service
查看部署在哪里:【部署在node2上了】
kubectl get pods -o wide
查看当前端口号的映射:
kubectl get service
访问网址:http://192.168.12.203:31931
到监控软件中查看:
安装监控套件
点击:安装metrics-server
Metrics Server 是集群级别的资源利用率数据的聚合器。从 Kubelets收集资源指标,并通过 Metrics API 在 Kubernetes apiserver 中公开它们,以供 Horizontal Pod Autoscaler 和Vertical Pod Autoscaler 使用
-
点击:确定按钮
-
测试:可以刷新一下网页
kubectl top nodes
安装pod监控曲线面板
以nginx的pod为例,点击安装metrics-scraper按钮
采集完成:
