1. 环境准备
   系统要求：至少 2GB RAM（建议 4GB 或更多），网络连接。
   节点准备：至少 3 台机器，1 台作为 Master 节点，2 台作为 Worker 节点。
   安装sudo

apt update
apt install sudo
1
2
设置主机名（在每台机器上）：

sudo hostnamectl set-hostname <主机名>
1
替换 <主机名> 为 k8s-master、k8s-node1、k8s-node2

配置 /etc/hosts（在所有节点上）：
将所有节点的 IP 地址和主机名添加到 /etc/hosts 文件中。

root@k8s-node1:~# echo “192.168.0.147 k8s-master” >> /etc/hosts
root@k8s-node1:~# echo “192.168.0.217 k8s-node1” >> /etc/hosts

更新系统：

sudo apt update && sudo apt upgrade -y
1
2

1. 安装 containerd
   在所有节点上执行以下步骤：

安装 containerd：

sudo apt install -y containerd
1
2
2.2 更新containered到最新版本1.7
默认安装的版本是1.4，如果不更新，后面 init 的时候会报如下错误

[ERROR CRI]: container runtime is not running: output: time="2024-02-03T22:17:09+08:00" level=fatal msg="validate service connection: CRI v1 runtime API is not implemented for endpoint \"unix:///var/run/containerd/containerd.sock\": rpc error: code = Unimplemented desc = unknown service runtime.v1.RuntimeService"
, error: exit status 1
[ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables does not exist
[preflight] If you know what you are doing, you can make a check non-fatal with --ignore-preflight-errors=...

1
2
3
4
5
6
到 https://github.com/containerd/containerd/releases 下载最新版本

解压缩文件
首先，您需要解压下载的压缩包。打开终端，切换到包含下载文件的目录，然后运行：

tar xzvf containerd-1.7.13-linux-amd64.tar.gz
sudo mv bin/* /usr/bin/
1
2
3
containerd --version 可以查看版本号为1.7

2.3 配置 containerd：
生成默认配置文件

sudo mkdir -p /etc/containerd
sudo containerd config default | sudo tee /etc/containerd/config.toml > /dev/null
1
2
3
修改配置文件
nano /etc/containerd/config.toml
文件中 sandbox_image做如下修改，因为后面init的时候指定的是阿里云的
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.9"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true #这个很重要，否则，k8s启动起来后会自动停止，kubectl get pods -n kube-system 也会出现监听端口6443访问失败的报错
1
2
3
4
5
6
启用并启动 containerd：

sudo systemctl restart containerd
sudo systemctl enable containerd
1
2
sudo systemctl status containerd 可查看状态

1. 安装 Kubernetes
   在所有节点上执行以下步骤：

安装必需的包：首先，确保你的系统安装了 apt-transport-https、ca-certificates 和 curl：

sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl
1
2
添加 Kubernetes 的 GPG 密钥：

curl -s https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | sudo apt-key add -
1
2
添加 Kubernetes 仓库：

echo "deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
1
2
更新软件包列表：

sudo apt-get update
1
2
安装 kubeadm、kubelet 和 kubectl：

sudo apt-get install -y kubelet=1.28.2-00 kubeadm=1.28.2-00 kubectl=1.28.2-00

sudo apt-mark hold kubelet kubeadm kubectl
1
2
3
安装配置br_netfilter 模块：

sudo modprobe br_netfilter
1
确保 IP 转发被启用：

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

echo "net.bridge.bridge-nf-call-iptables=1" | sudo tee -a /etc/sysctl.conf

sudo sysctl -p

4. 初始化 Kubernetes 集群(在 Master 节点上执行)

1
2
3
4
5
6
7
8
9
10
4.2 初始化集群：(Master节点)
直接执行下面的会报错

sudo kubeadm init --pod-network-cidr=10.244.0.0/16
1
报错：

[ERROR ImagePull]: failed to pull image registry.k8s.io/kube-apiserver:v1.28.6: output: E0212 19:15:37.560180   22897 remote_image.go:171] "P

1
应该执行下面的

sudo kubeadm init --pod-network-cidr=10.244.0.0/16 --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.28.2
1
以下是 kubeadm init 命令的输出。
``` root@ecs-2144:~# sudo kubeadm init --pod-network-cidr=10.244.0.0/16 --image-repository=registry.aliyuncs.com/google_containerssudo kubeadm init --pod-network-cidr=10.244.0.0/16 --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.28.6
unknown command "kubeadm" for "kubeadm init"
To see the stack trace of this error execute with --v=5 or higher
root@ecs-2144:~# sudo kubeadm init --pod-network-cidr=10.244.0.0/16 --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=v1.28.6
[init] Using Kubernetes version: v1.28.6
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [k8s-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.0.147]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [k8s-master localhost] and IPs [192.168.0.147 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [k8s-master localhost] and IPs [192.168.0.147 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 4.001658 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node k8s-master as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node k8s-master as control-plane by adding the taints [node-role.kubernetes.io/control-plane:NoSchedule]
[bootstrap-token] Using token: c5ir0f.h8x43oj54kb1gppe
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.0.147:6443 --token c5ir0f.h8x43oj54kb1gppe \
--discovery-token-ca-cert-hash sha256:42dc8386b03f8c6c415e06153c4b978e2020ca48d19b7b8b383d1c5d311a36e7

```

1. 设置 kubectl（仅限 Master 节点）

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
1
2
3
4

1. 安装网络插件（在 Master 节点上）

kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml --request-timeout='0'
1
2

不加–request-timeout=‘0’ 可能会导致超时

如果出现连接连接端口错误
运行 journalctl -u kubelet 可以看日志，如果看到以下错误

err="failed to load kubelet config file, path: /var/lib/kubelet/config.yaml, err>
1
可能是没有授权访问权限，运行以下即可

sudo chown root:root /var/lib/kubelet/config.yaml
sudo chmod 644 /var/lib/kubelet/config.yaml
1
2
然后重新运行kubelet
sudo systemctl restart kubelet //经测试只需要这一行即可
sudo systemctl status kubelet
sudo systemctl restart containerd
sudo systemctl status containerd

然后重新运行上面的 kubectl apply …
可能还会出现报错 unable to connect to the server: net/http: TLS handshake timeout
重新执行一遍一般就会成功

1. 将 Worker 节点加入集群
   在每个 Worker 节点上，运行在初始化 Master 节点时得到的 kubeadm join 命令。
   效果如下：

root@ecs-7d63:~# kubeadm join 192.168.0.147:6443 --token lj3ooj.2x39tu70gyx5uj3v --discovery-token-ca-cert-hash sha256:7ce5191c1581dfcee7b33457bdd9341fa1ee128a19ac248c8daf9e69a57a8b18
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:

• Certificate signing request was sent to apiserver and a response was received.
• The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
验证集群状态
在 M
aster 节点上，运行：
kubectl get nodes
1
你应该能看到所有节点的状态为 Ready。

支持基础安装完成，下一步就是配置k8s

开放端口
API Server:

6443: Kubernetes API server。这是最关键的端口，用于集群管理通信。
etcd:

2379-2380: 用于etcd服务器客户端API通信。只有Kubernetes的API server才需要访问etcd，所以这些端口只需要在Master节点之间开放。

Kubelet:

10250: Kubelet API。这个端口用于API server获取节点和Pod的信息。
Kube-proxy:

Kubernetes中的Controller Manager和Scheduler虽然主要与API Server进行通信，但它们也监听在特定端口上，主要用于健康检查和指标收集。这些端口主要用于集群内部通信，而不是外部访问。下面是Controller Manager和Scheduler所监听的端口：

Kubernetes Controller Manager
默认端口:
10252: 用于健康检查和指标（metrics）的非安全HTTP访问。
安全端口:
当配置了安全访问（例如，通过启用HTTPS或认证和授权），Controller Manager可以配置为通过安全端口提供服务，但这需要手动配置，包括证书和相关的安全设置。
Kubernetes Scheduler
默认端口:
10251: 用于健康检查和指标的非安全HTTP访问。

排错
列出所有系统pod
kubectl get pods -n kube-system

calico-kube-controllers-7ddc4f45bc-snh9v 1/1 Running 1 (2m10s ago) 158m
calico-node-5mnpd 1/1 Running 1 (2m10s ago) 158m
calico-node-s6w74 1/1 Running 0 156m
coredns-66f779496c-cvwjx 1/1 Running 1 (2m10s ago) 171m
coredns-66f779496c-qx7fr 1/1 Running 1 (2m10s ago) 171m
etcd-k8s-master 1/1 Running 1 (2m10s ago) 171m
kube-apiserver-k8s-master 1/1 Running 1 (2m10s ago) 171m
kube-controller-manager-k8s-master 1/1 Running 1 (2m10s ago) 171m
kube-proxy-k7c6l 1/1 Running 1 (2m10s ago) 171m
kube-proxy-stft6 1/1 Running 0 156m
kube-scheduler-k8s-master 1/1 Running 1 (2m10s ago) 171m

找出名称后，可以查看该pod的日志
kubectl logs -n kube-system

调用 kubectl get pods -n kube-system
如果响应
root@k8s-master:~# kubectl get pods -n kube-system
The connection to the server 192.168.0.147:6443 was refused - did you specify the right host or port?
说明kubelet停了，需要调用
sudo systemctl restart kubelet 重启，

journalctl -u kubelet 可查看kubelet日志