一、Kubernetes高可用安装安装——1.18.4版本
(1)下载地址、安装方式
- K8S github地址:https://github.com/kubernetes/kubernetes
- Kubernetes安装方式:
Kubeadm安装:官方推荐,建议学习研究使用,所有服务跑成容器
二进制安装:生产环境使用,所有服务跑成物理机
Ansible安装
- 最新版本高可用安装步骤:
(2)实验环境
- 实际环境配置(这里的网络使用calico)
这里的虚拟ip为192.168.100.205,无需专门搭建keepalived的机器,在三台master上指定keepalived配置文件中的虚拟ip为192.168.100.205即可
- 实验环境配置(资源有限,网络使用flannel)
这里的虚拟ip为192.168.100.204,无需专门搭建keepalived的机器,在两台master上指定keepalived配置文件中的虚拟ip为192.168.100.204即可。
以上机器全部都要联网!!
Kubernetes的高可用主要指的是控制平面的高可用,即指多套Master节点组件和Etcd组件,工作节点通过负载均衡连接到各Master,即连接HAProxy反向代理去连接master,通过反向代理可以配置负载均衡,然后配合keepalived设置两台master的虚拟ip,实现高可用
Kubernetes高可用架构中etcd与Master节点组件混布方式的特点:
所需机器资源少
部署简单易于扩展
容易进行横向扩展
风险大,一台宿主机(master)挂了,master和etcd就都少一套(因为etcd和master部署在了一起,etcd会收集node节点的信息),集群冗余度受到的影响比较大
(3)实验步骤
- 本实验使用Keepalived+HAProxy实现Kubernetes的高可用,采用Kubeadm安装
1、在四台服务器上进行基础配置
四台服务操作差不多
#192.168.100.202配置 [root@Centos7 ~]# hostnamectl set-hostname k8s-master01 [root@Centos7 ~]# su [root@k8s-master01 ~]# systemctl disable --now firewalld [root@k8s-master01 ~]# setenforce 0 setenforce: SELinux is disabled [root@k8s-master01 ~]# mount /dev/cdrom /mnt/ [root@k8s-master01 ~]# cat <<aa>> /etc/hosts 192.168.100.202 k8s-master01 192.168.100.203 k8s-master02 192.168.100.205 k8s-node01 192.168.100.206 k8s-node02 aa [root@k8s-master01 ~]# vim /etc/sysconfig/selinux #修改selinux文件 SELINUX=disabled #保存退出 [root@k8s-master01 ~]# swapoff -a && sysctl -w vm.swappiness=0 #关闭交换空间,开启交换空间会影响k8s性能 vm.swappiness = 0 [root@k8s-master01 ~]# vim /etc/fstab #把自动挂载交换空间的配置项注释 # ## ## /etc/fstab ## Created by anaconda on Tue Jan 12 18:24:41 2021 ## ## Accessible filesystems, by reference, are maintained under '/dev/disk' ## See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info ## /dev/mapper/centos-root / xfs defaults 0 0 UUID=f9ce4501-7cf6-4d2b-903a-4fc1044410ef /boot xfs defaults 0 0 /dev/mapper/centos-home /home xfs defaults 0 0 #/dev/mapper/centos-swap swap swap defaults 0 0 #注释 /dev/cdrom /mnt iso9660 defaults 0 0 #保存退出 [root@k8s-master01 ~]# yum install ntpdate -y [root@k8s-master01 ~]# ntpdate time2.aliyun.com #同步时间 [root@k8s-master01 ~]# cat <<aaa>> /etc/rc.local ntpdate time2.aliyun.com aaa [root@k8s-master01 ~]# crontab -e #可以选择加计划任务,也可以不加 */5 * * * * ntpdate time2.aliyun.com [root@k8s-master01 ~]# ulimit -SHn 65535 #设置最大进程数
#192.168.100.203配置 [root@Centos7 ~]# hostnamectl set-hostname k8s-master02 [root@Centos7 ~]# su [root@k8s-master02 ~]# systemctl disable --now firewalld [root@k8s-master02 ~]# setenforce 0 setenforce: SELinux is disabled [root@k8s-master02 ~]# mount /dev/cdrom /mnt/ [root@k8s-master02 ~]# cat <<aa>> /etc/hosts 192.168.100.202 k8s-master01 192.168.100.203 k8s-master02 192.168.100.205 k8s-node01 192.168.100.206 k8s-node02 aa [root@k8s-master02 ~]# vim /etc/sysconfig/selinux #修改selinux文件 SELINUX=disabled #保存退出 [root@k8s-master02 ~]# swapoff -a && sysctl -w vm.swappiness=0 vm.swappiness = 0 [root@k8s-master02 ~]# vim /etc/fstab # # /etc/fstab # Created by anaconda on Tue Jan 12 18:24:41 2021 # # Accessible filesystems, by reference, are maintained under '/dev/disk' # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info # /dev/mapper/centos-root / xfs defaults 0 0 UUID=f9ce4501-7cf6-4d2b-903a-4fc1044410ef /boot xfs defaults 0 0 /dev/mapper/centos-home /home xfs defaults 0 0 #/dev/mapper/centos-swap swap swap defaults 0 0 /dev/cdrom /mnt iso9660 defaults 0 0 #保存退出 [root@k8s-master01 ~]# yum install ntpdate -y [root@k8s-master02 ~]# ntpdate time2.aliyun.com [root@k8s-master02 ~]# cat <<aaa>> /etc/rc.local > ntpdate time2.aliyun.com > aaa [root@k8s-master02 ~]# ulimit -SHn 65535
#192.168.100.205配置 [root@Centos7 ~]# hostnamectl set-hostname k8s-node01 [root@Centos7 ~]# su [root@k8s-node01 ~]# systemctl disable --now firewalld [root@k8s-node01 ~]# setenforce 0 setenforce: SELinux is disabled [root@k8s-node01 ~]# mount /dev/cdrom /mnt/ [root@k8s-node01 ~]# cat <<aa>> /etc/hosts 192.168.100.202 k8s-master01 192.168.100.203 k8s-master02 192.168.100.205 k8s-node01 192.168.100.206 k8s-node02 aa [root@k8s-node01 ~]# vim /etc/sysconfig/selinux #修改selinux文件 SELINUX=disabled #保存退出 [root@k8s-node01 ~]# swapoff -a && sysctl -w vm.swappiness=0 vm.swappiness = 0 [root@k8s-node01 ~]# vim /etc/fstab # # /etc/fstab # Created by anaconda on Tue Jan 12 18:24:41 2021 # # Accessible filesystems, by reference, are maintained under '/dev/disk' # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info # /dev/mapper/centos-root / xfs defaults 0 0 UUID=f9ce4501-7cf6-4d2b-903a-4fc1044410ef /boot xfs defaults 0 0 /dev/mapper/centos-home /home xfs defaults 0 0 #/dev/mapper/centos-swap swap swap defaults 0 0 /dev/cdrom /mnt iso9660 defaults 0 0 #保存退出 [root@k8s-master01 ~]# yum install ntpdate -y [root@k8s-node01 ~]# ntpdate time2.aliyun.com [root@k8s-node01 ~]# cat <<aaa>> /etc/rc.local > ntpdate time2.aliyun.com > aaa [root@k8s-node01 ~]# ulimit -SHn 65535
#192.168.100.206配置 [root@Centos7 ~]# hostnamectl set-hostname k8s-node02 [root@Centos7 ~]# su [root@k8s-node02 ~]# systemctl disable --now firewalld [root@k8s-node02 ~]# setenforce 0 setenforce: SELinux is disabled [root@k8s-node02 ~]# mount /dev/cdrom /mnt/ [root@k8s-node02 ~]# cat <<aa>> /etc/hosts 192.168.100.202 k8s-master01 192.168.100.203 k8s-master02 192.168.100.205 k8s-node01 192.168.100.206 k8s-node02 aa [root@k8s-node02 ~]# vim /etc/sysconfig/selinux #修改selinux文件 SELINUX=disabled #保存退出 [root@k8s-node02 ~]# swapoff -a && sysctl -w vm.swappiness=0 vm.swappiness = 0 [root@k8s-node02 ~]# vim /etc/fstab # # /etc/fstab # Created by anaconda on Tue Jan 12 18:24:41 2021 # # Accessible filesystems, by reference, are maintained under '/dev/disk' # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info # /dev/mapper/centos-root / xfs defaults 0 0 UUID=f9ce4501-7cf6-4d2b-903a-4fc1044410ef /boot xfs defaults 0 0 /dev/mapper/centos-home /home xfs defaults 0 0 #/dev/mapper/centos-swap swap swap defaults 0 0 /dev/cdrom /mnt iso9660 defaults 0 0 #保存退出 [root@k8s-master01 ~]# yum install ntpdate -y [root@k8s-node02 ~]# ntpdate time2.aliyun.com [root@k8s-node02 ~]# cat <<aaa>> /etc/rc.local > ntpdate time2.aliyun.com > aaa [root@k8s-node02 ~]# ulimit -SHn 65535
2、配置master01节点免密登录其他节点
#过程操作全部都在master01节点上执行 [root@k8s-master01 ~]# ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Created directory '/root/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: SHA256:I+Qfhb1MAGzWOknpb9k0x9mnAJOTaWlZmapuDaC7m5k root@k8s-master01 The key's randomart image is: +---[RSA 2048]----+ | ..+. B.o | | * .+% o | | =.o.o+* o | | o* ++.= . .| | .o+S=oo . o | | . o*o. . | | . o.o | | .+ o . | | Eo . | +----[SHA256]-----+ [root@k8s-master01 ~]# for i in k8s-master01 k8s-master02 k8s-node01 k8s-node02;do ssh-copy-id -i .ssh/id_rsa.pub $i;done
3、在全部节点上安装yum源
#全部节点操作相同 wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo yum install -y yum-utils device-mapper-persistent-data lvm2 yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo cat <<EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/ enabled=1 gpgcheck=1 repo_gpgcheck=1 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo yum makecache #增加yum缓存,过程中输入y
4、所有节点安装ipvsadm
#安装ipvsadm是因为ipvs性能比iptables性能好,以下操作全部节点相同 yum install ipvsadm ipset sysstat conntrack libseccomp -y #所有节点配置ipvs模块,在内核4.19版本nf_conntrack_ipv4已经改为nf_conntrack,本例安装的内核为4.18,使用nf_conntrack_ipv4即可,下面操作所有节点相同 modprobe -- ip_vs modprobe -- ip_vs_rr modprobe -- ip_vs_wrr modprobe -- ip_vs_sh modprobe -- nf_conntrack_ipv4 vi /etc/modules-load.d/ipvs.conf #配置开机自动加载 ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack_ipv4 ip_tables ip_set xt_set ipt_set ipt_rpfilter ipt_REJECT ipip #保存退出 systemctl enable --now systemd-modules-load.service #编写完执行这个命令 lsmod | grep -e ip_vs -e nf_conntrack_ipv4 #检查是否加载,会输出以下信息 nf_conntrack_ipv4 15053 0 nf_defrag_ipv4 12729 1 nf_conntrack_ipv4 ip_vs_sh 12688 0 ip_vs_wrr 12697 0 ip_vs_rr 12600 0 ip_vs 141092 6 ip_vs_rr,ip_vs_sh,ip_vs_wrr nf_conntrack 133387 2 ip_vs,nf_conntrack_ipv4 libcrc32c 12644 3 xfs,ip_vs,nf_conntrack
5、开启一些k8s集群中必须的内核参数,所有节点配置k8s内核
#下面操作所有节点相同 cat <<EOF > /etc/sysctl.d/k8s.conf net.ipv4.ip_forward = 1 net.bridge.bridge-nf-call-iptables = 1 fs.may_detach_mounts = 1 vm.overcommit_memory=1 vm.panic_on_oom=0 fs.inotify.max_user_watches=89100 fs.file-max=52706963 fs.nr_open=52706963 net.netfilter.nf_conntrack_max=2310720 net.ipv4.tcp_keepalive_time = 600 net.ipv4.tcp_keepalive_probes = 3 net.ipv4.tcp_keepalive_intvl =15 net.ipv4.tcp_max_tw_buckets = 36000 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_max_orphans = 327680 net.ipv4.tcp_orphan_retries = 3 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 16384 net.ipv4.ip_conntrack_max = 65536 net.ipv4.tcp_max_syn_backlog = 16384 net.ipv4.tcp_timestamps = 0 net.core.somaxconn = 16384 EOF sysctl --system #输入完上面的命令,输入这两个命令使其生效 sysctl -p
6、基本组件安装
- 需要在每个节点上都安装以下的软件包:
**kubeadm: **用来初始化集群的指令;
**kubelet: **在集群中的每个节点上用来启动 pod 和 container 等;
**kubectl: **用来与集群通信的命令行工具。
kubeadm不能安装或管理 kubelet 或 kubectl ,所以得保证他们满足通过 kubeadm 安装的 Kubernetes 控制层对版本的要求。如果版本没有满足要求,可能导致一些意外错误或问题。
Kubernetes主要做Docker的容器化管理,总结一下如何查看k8s对应支持的docker版本的方法。
- 在GitHub可以查看所有Kubernetets版本信息:https://github.com/kubernetes/kubernetes/releases
- 这里的基本组件是主要安装的是集群中用到的各种组件,比如Docker-ce、Kubernetes各组件等。
#使用这条命令可以查看可用docker-ce版本: yum list docker-ce.x86_64 --showduplicates | sort -r #使用这条命令可以查看可用kubeadm版本: yum list kubeadm.x86_64 --showduplicates | sort -r
#下面操作所有节点相同 yum -y install docker-ce-17.09.1.ce-1.el7.centos #安装指定版本的docker,如果要安装最新版则yum install docker-ce -y yum install -y kubeadm-1.18.4-0.x86_64 kubectl-1.18.4-0.x86_64 kubelet-1.18.4-0.x86_64 #安装指定版本的kubeadm,同样安装最新版则yum install kubeadm -y systemctl enable --now docker #所有节点设置开机自启动Docker #默认配置的pause镜像使用gcr.io仓库,国内可能无法访问,所以这里配置Kubelet使用阿里云的pause镜像: DOCKER_CGROUPS=$(docker info | grep 'Cgroup' | cut -d' ' -f3) cat >/etc/sysconfig/kubelet<<EOF KUBELET_EXTRA_ARGS="--cgroup-driver=$DOCKER_CGROUPS --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.1" EOF #设置Kubelet开机自启动 systemctl daemon-reload
7、高可用组件安装
#下面操作只有master节点进行 yum install keepalived haproxy -y #通过yum安装keepalived和haporxy #所有Master节点配置HAProxy,操作相同 vim /etc/haproxy/haproxy.cfg #修改haproxy配置文件,全部删除,重新编写即可 global maxconn 2000 ulimit-n 16384 log 127.0.0.1 local0 err stats timeout 30s defaults log global mode http option httplog timeout connect 5000 timeout client 50000 timeout server 50000 timeout http-request 15s timeout http-keep-alive 15s frontend monitor-in bind *:33305 mode http option httplog monitor-uri /monitor listen stats bind *:8006 mode http stats enable stats hide-version stats uri /stats stats refresh 30s stats realm Haproxy\ Statistics stats auth admin:admin frontend k8s-master bind 0.0.0.0:16443 bind 127.0.0.1:16443 mode tcp option tcplog tcp-request inspect-delay 5s default_backend k8s-master backend k8s-master mode tcp option tcplog option tcp-check balance roundrobin default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100 server k8s-master01 192.168.100.202:6443 check server k8s-master02 192.168.100.203:6443 check #保存退出,这里注意修改最后的master节点的ip地址
#这里修改keepalived的配置文件,两台master节点配置不一样 ————————————————————master01操作 [root@k8s-master01 ~]# vim /etc/keepalived/keepalived.conf #同样进去先删除之前的 ! Configuration File for keepalived global_defs { router_id LVS_DEVEL } vrrp_script chk_apiserver { script "/etc/keepalived/check_apiserver.sh" #keepalived用来指定健康指标的文件 interval 2 weight -5 fall 3 rise 2 } vrrp_instance VI_1 { state MASTER interface ens32 #网卡命令要一致 mcast_src_ip 192.168.100.202 #本机ip virtual_router_id 51 priority 100 #优先级为100 advert_int 2 authentication { auth_type PASS auth_pass K8SHA_KA_AUTH } virtual_ipaddress { 192.168.100.204 #虚拟ip } # track_script { #这里是注释的,表示先不进行健康检查,在集群建立好之后删除注释即可 # chk_apiserver # } } #保存退出 ————————————————————master02操作 [root@k8s-master02 ~]# vim /etc/keepalived/keepalived.conf ! Configuration File for keepalived global_defs { router_id LVS_DEVEL } vrrp_script chk_apiserver { script "/etc/keepalived/check_apiserver.sh" interval 2 weight -5 fall 3 rise 2 } vrrp_instance VI_1 { state BACKUP interface ens32 mcast_src_ip 192.168.100.203 virtual_router_id 51 priority 99 #这里可以看到优先级比master01的低,这样再开启健康检查后虚拟ip会在master01上 advert_int 2 authentication { auth_type PASS auth_pass K8SHA_KA_AUTH } virtual_ipaddress { 192.168.100.204 } # track_script { #这里的注释同样在集群开启之后再删除 # chk_apiserver # } } #保存退出
#在两台master节点上编写Keepalived健康检查文件 vim /etc/keepalived/check_apiserver.sh #两台都需要编写 #!/bin/bash err=0 for k in $(seq 1 5) do check_code=$(pgrep kube-apiserver) if [[ $check_code == "" ]]; then err=$(expr $err + 1) sleep 5 continue else err=0 break fi done if [[ $err != "0" ]]; then echo "systemctl stop keepalived" /usr/bin/systemctl stop keepalived exit 1 else exit 0 fi #保存退出 chmod +x /etc/keepalived/check_apiserver.sh #编写完成后添加可执行权限 #启动keepalived和haproxy systemctl enable --now haproxy systemctl enable --now keepalived
8、下载镜像
#下面是两台master的操作 kubeadm config images list #使用这条命令查看所需镜像 #因为这些镜像源都在国外,所以可以先缓存下载直接使用docker load上传镜像即可 [root@k8s-master01 ~]# ll 总用量 922352 -rw-------. 1 root root 1264 1月 12 2021 anaconda-ks.cfg -rw-r--r-- 1 root root 43932160 8月 4 13:21 coredns.tar.gz -rw-r--r-- 1 root root 290010624 8月 4 13:22 etcd.tar.gz -rw-r--r-- 1 root root 55390720 8月 4 13:22 flannel.tar.gz -rw-r--r-- 1 root root 174554624 8月 4 13:22 kube-apiserver.tar.gz -rw-r--r-- 1 root root 163945984 8月 4 13:22 kube-controller-manager.tar.gz -rw-r--r-- 1 root root 119103488 8月 4 13:23 kube-proxy.tar.gz -rw-r--r-- 1 root root 96841216 8月 4 13:23 kube-scheduler.tar.gz -rw-r--r-- 1 root root 692736 8月 4 13:23 pause.tar.gz #直接复制,批量上传镜像 docker load -i coredns.tar.gz docker load -i kube-apiserver.tar.gz docker load -i kube-proxy.tar.gz docker load -i pause.tar.gz docker load -i etcd.tar.gz docker load -i kube-controller-manager.tar.gz docker load -i kube-scheduler.tar.gz docker load -i flannel.tar.gz [root@k8s-master01 ~]# docker images #确认镜像已经上传 REPOSITORY TAG IMAGE ID CREATED SIZE k8s.gcr.io/kube-proxy v1.18.4 718fa77019f2 13 months ago 117MB k8s.gcr.io/kube-apiserver v1.18.4 408913fc18eb 13 months ago 173MB k8s.gcr.io/kube-controller-manager v1.18.4 e8f1690127c4 13 months ago 162MB k8s.gcr.io/kube-scheduler v1.18.4 c663567f869e 13 months ago 95.3MB k8s.gcr.io/pause 3.2 80d28bedfe5d 17 months ago 683kB k8s.gcr.io/coredns 1.6.7 67da37a9a360 18 months ago 43.8MB k8s.gcr.io/etcd 3.4.3-0 303ce5db0e90 21 months ago 288MB quay.io/coreos/flannel v0.11.0-amd64 ff281650a721 2 years ago 52.5MB
#两台node节点的操作 [root@k8s-node01 ~]# ll #上传镜像 总用量 171092 -rw-------. 1 root root 1264 1月 12 2021 anaconda-ks.cfg -rw-r--r-- 1 root root 55390720 8月 4 13:28 flannel.tar.gz -rw-r--r-- 1 root root 119103488 8月 4 13:28 kube-proxy.tar.gz -rw-r--r-- 1 root root 692736 8月 4 13:28 pause.tar.gz #批量上传镜像 docker load -i flannel.tar.gz docker load -i kube-proxy.tar.gz docker load -i pause.tar.gz [root@k8s-node01 ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE k8s.gcr.io/kube-proxy v1.18.4 718fa77019f2 13 months ago 117MB k8s.gcr.io/pause 3.2 80d28bedfe5d 17 months ago 683kB quay.io/coreos/flannel v0.11.0-amd64 ff281650a721 2 years ago 52.5MB
9、开启kubelet,创建集群
#所有节点全部开机自启kubelet systemctl enable --now kubelet
#Master01节点初始化,初始化以后会在/etc/kubernetes目录下生成对应的证书和配置文件,之后其他Master节点加入Master01即可,下面操作只在master1上做 [root@k8s-master01 ~]# kubeadm init --kubernetes-version=v1.18.4 --control-plane-endpoint "192.168.100.204:16443" --upload-certs --pod-network-cidr=10.244.0.0/16 --service-cidr=10.1.0.0/16 。。。。。。 Your Kubernetes control-plane has initialized successfully! #提示这条信息表示成功 #初始化成功以后,会产生Token值,用于其他节点加入时使用,因此要记录下初始化成功生成的token值(令牌值),master节点加入就打master节点的token值,node节点加入就打node节点的token值
#下面的命令master01节点进行操作 [root@k8s-master01 ~]# mkdir -p $HOME/.kube [root@k8s-master01 ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config [root@k8s-master01 ~]# chown $(id -u):$(id -g) $HOME/.kube/config 附加:初始化过程大致步骤如下: • [kubelet-start] 生成kubelet的配置文件”/var/lib/kubelet/config.yaml” • [certificates]生成相关的各种证书 • [kubeconfig]生成相关的kubeconfig文件 • [bootstraptoken]生成token记录下来,后边使用kubeadm join往集群中添加节点时会用到
#所有master节点配置环境变量,用于访问k8s集群 cat <<EOF >> /root/.bashrc export KUBECONFIG=/etc/kubernetes/admin.conf EOF source /root/.bashrc #在master01上查看集群状态 [root@k8s-master01 ~]# kubectl get nodes #可以看到现在只有当前master01节点在集群中 NAME STATUS ROLES AGE VERSION k8s-master01 NotReady master 10m v1.18.4 #采用初始化安装方式,所有的系统组件均以容器的方式运行并且在kube-system命名空间内,此时可以查看Pod状态: [root@k8s-master01 ~]# kubectl get pods -n kube-system -o wide #使用这条命令查看pod状态,可以看到有两个是pending状态 NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES coredns-66bff467f8-265b9 0/1 Pending 0 13m <none> <none> <none> <none> coredns-66bff467f8-4ktf9 0/1 Pending 0 13m <none> <none> <none> <none> etcd-k8s-master01 1/1 Running 0 13m 192.168.100.202 k8s-master01 <none> <none> kube-apiserver-k8s-master01 1/1 Running 3 13m 192.168.100.202 k8s-master01 <none> <none> kube-controller-manager-k8s-master01 1/1 Running 0 13m 192.168.100.202 k8s-master01 <none> <none> kube-proxy-425r9 1/1 Running 0 13m 192.168.100.202 k8s-master01 <none> <none> kube-scheduler-k8s-master01 1/1 Running 0 13m 192.168.100.202 k8s-master01 <none> <none> iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X #查看完后执行这条命令
10、Flannel组件的安装
NIC插件介绍
Calico 是一个安全的 L3 网络和网络策略提供者。
Canal 结合 Flannel 和 Calico, 提供网络和网络策略。
Cilium 是一个 L3 网络和网络策略插件, 能够透明的实施 HTTP/API/L7 策略。 同时支持路由(routing)和叠加/封装( overlay/encapsulation)模式。
Contiv 为多种用例提供可配置网络(使用 BGP 的原生 L3,使用 vxlan 的 overlay,经典 L2 和 Cisco-SDN/ACI)和丰富的策略框架。Contiv 项目完全开源。安装工具同时提供基于和不基于 kubeadm 的安装选项。
Flannel 是一个可以用于 Kubernetes 的 overlay 网络提供者。
Romana 是一个 pod 网络的层 3 解决方案,并且支持 NetworkPolicy API。Kubeadm add-on 安装细节可以在这里找到。
Weave Net 提供了在网络分组两端参与工作的网络和网络策略,并且不需要额外的数据库。
CNI-Genie 使 Kubernetes 无缝连接到一种 CNI 插件,例如:Flannel、Calico、Canal、Romana 或者 Weave。
提示:本方案使用flannel插件。
#在master01节点上,上传flannel.yml文件 [root@k8s-master01 ~]# ll 总用量 922368 -rw-------. 1 root root 1264 1月 12 2021 anaconda-ks.cfg -rw-r--r-- 1 root root 43932160 8月 4 13:21 coredns.tar.gz -rw-r--r-- 1 root root 290010624 8月 4 13:22 etcd.tar.gz -rw-r--r-- 1 root root 55390720 8月 4 13:22 flannel.tar.gz -rw-r--r-- 1 root root 14366 8月 3 16:07 flannel.yml -rw-r--r-- 1 root root 174554624 8月 4 13:22 kube-apiserver.tar.gz -rw-r--r-- 1 root root 163945984 8月 4 13:22 kube-controller-manager.tar.gz -rw-r--r-- 1 root root 119103488 8月 4 13:23 kube-proxy.tar.gz -rw-r--r-- 1 root root 96841216 8月 4 13:23 kube-scheduler.tar.gz -rw-r--r-- 1 root root 692736 8月 4 13:23 pause.tar.gz [root@k8s-master01 ~]# kubectl apply -f flannel.yml #执行命令 podsecuritypolicy.policy/psp.flannel.unprivileged created clusterrole.rbac.authorization.k8s.io/flannel created clusterrolebinding.rbac.authorization.k8s.io/flannel created serviceaccount/flannel created configmap/kube-flannel-cfg created daemonset.apps/kube-flannel-ds-amd64 created daemonset.apps/kube-flannel-ds-arm64 created daemonset.apps/kube-flannel-ds-arm created daemonset.apps/kube-flannel-ds-ppc64le created daemonset.apps/kube-flannel-ds-s390x created [root@k8s-master01 ~]# kubectl get pod -n kube-system NAME READY STATUS RESTARTS AGE coredns-66bff467f8-cg9mb 1/1 Running 0 3m32s coredns-66bff467f8-f5ng5 1/1 Running 0 3m22s etcd-k8s-master01 1/1 Running 0 4m59s kube-apiserver-k8s-master01 1/1 Running 0 4m59s kube-controller-manager-k8s-master01 1/1 Running 0 4m59s kube-flannel-ds-amd64-h79fj 1/1 Running 0 50s #命令执行成功后会生产这个pod,如果没有就多执行几遍上面的命令 kube-proxy-4w8zc 1/1 Running 0 4m50s kube-scheduler-k8s-master01 1/1 Running 0 4m59s [root@k8s-master01 ~]# kubectl get -A pods -o wide #执行完成后再次查看pod状态,稍等一会会发现所有的pod都running了 NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES kube-system coredns-66bff467f8-cg9mb 1/1 Running 0 4m24s 10.244.0.2 k8s-master01 <none> <none> kube-system coredns-66bff467f8-f5ng5 1/1 Running 0 4m14s 10.244.0.3 k8s-master01 <none> <none> kube-system etcd-k8s-master01 1/1 Running 0 5m51s 192.168.100.202 k8s-master01 <none> <none> kube-system kube-apiserver-k8s-master01 1/1 Running 0 5m51s 192.168.100.202 k8s-master01 <none> <none> kube-system kube-controller-manager-k8s-master01 1/1 Running 0 5m51s 192.168.100.202 k8s-master01 <none> <none> kube-system kube-flannel-ds-amd64-h79fj 1/1 Running 0 102s 192.168.100.202 k8s-master01 <none> <none> kube-system kube-proxy-4w8zc 1/1 Running 0 5m42s 192.168.100.202 k8s-master01 <none> <none> kube-system kube-scheduler-k8s-master01 1/1 Running 0 5m51s 192.168.100.202 k8s-master01 <none> #标签设置,允许master部署pod,默认是不允许,但是是不推荐master部署pod的,但是由于资源配置的关系,可以配置master也可以部署pod [root@k8s-master01 ~]# kubectl describe nodes k8s-master01 |grep -E '(Roles|Taints)' #先查看污点,默认是有的 Roles: master Taints: node-role.kubernetes.io/master:NoSchedule [root@k8s-master01 ~]# kubectl taint nodes --all node-role.kubernetes.io/master- #去除当前集群所有主机的污点 ———————————————————————————————————————————————————————————————————————————————————————————————————————————————— 提示:部署完内部应用后可使用kubectl taint node master01 node-role.kubernetes.io/master="":NoSchedule重新设置Master为Master Only 状态。 node节点的taint(污点)和toleration(容忍) 使用kubeadm初始化的集群,出于安全考虑Pod不会被调度到Master Node上,也就是说Master Node不参与工作负载。这是因为当前的master节点被打上了node-role.kubernetes.io/master:NoSchedule的污点: #先看一下taint命令的语法格式,下面有taints各种污点的含义 kubectl taint node [node] key=value[effect] 其中[effect] 可取值: [ NoSchedule | PreferNoSchedule | NoExecute ] NoSchedule: 一定不能被调度 PreferNoSchedule: 尽量不要调度,实在没有地方调度的情况下,才考虑可以调度过来 NoExecute: 不仅不会调度, 还会立即驱逐Node上已有的Pod ———————————————————————————————————————————————————————————————————————————————————————————————————————————————— #查看master01节点,Taints为none就说明成功去掉了污点 [root@k8s-master01 ~]# kubectl describe nodes k8s-master01 |grep -E '(Roles|Taints)' Roles: master Taints: <none> #如果要重新使master打上污点,即恢复Master 的不可调度状态,执行如下命令,给master01再加上污点NoSchedule kubectl taint nodes k8s-master01 node-role.kubernetes.io/master=:NoSchedule
11、把各节点加入集群
#master02节点,这里的token值要看上面创建集群输出的token值,如果不小心看不到了,可以执行四、的集群初始化,重新创建 kubeadm reset #先初始化以下再加 kubeadm join 192.168.100.204:16443 --token pkdd2v.skh3vh49u6en6v20 \ --discovery-token-ca-cert-hash sha256:4265fce05ae1956366e82f04e87aa40b55e9806a55a556515867f760043fe629 \ --control-plane --certificate-key 6782fe5b7133c1fdf9ab9467124d08945ee37e9514bf441759ddd8f583f9296d
#node1节点与node2节点 kubeadm reset #先初始化以下再加 kubeadm join 192.168.100.204:16443 --token pkdd2v.skh3vh49u6en6v20 \ --discovery-token-ca-cert-hash sha256:4265fce05ae1956366e82f04e87aa40b55e9806a55a556515867f760043fe629
#在master01节点确认其他节点成功加入集群 [root@k8s-master01 ~]# kubectl get nodes #成功加入集群,状态都是ready NAME STATUS ROLES AGE VERSION k8s-master01 Ready master 12m v1.18.4 k8s-master02 Ready master 11m v1.18.4 k8s-node01 Ready <none> 10m v1.18.4 k8s-node02 Ready <none> 10m v1.18.4 [root@k8s-master01 ~]# kubectl get pod -n kube-system #都是running即可,如果有没有running的可以先等一会,可能是node节点在创建镜像 NAME READY STATUS RESTARTS AGE coredns-66bff467f8-l75z6 1/1 Running 0 8m15s coredns-66bff467f8-x4crp 1/1 Running 0 8m15s etcd-k8s-master01 1/1 Running 0 8m23s etcd-k8s-master02 1/1 Running 0 7m26s kube-apiserver-k8s-master01 1/1 Running 0 8m23s kube-apiserver-k8s-master02 1/1 Running 0 7m27s kube-controller-manager-k8s-master01 1/1 Running 1 8m23s kube-controller-manager-k8s-master02 1/1 Running 0 7m26s kube-flannel-ds-amd64-6rj6k 1/1 Running 0 5m16s kube-flannel-ds-amd64-dnv8s 1/1 Running 0 5m16s kube-flannel-ds-amd64-q8cgj 1/1 Running 0 5m16s kube-flannel-ds-amd64-wl4d6 1/1 Running 0 5m16s kube-proxy-66lsh 1/1 Running 0 6m37s kube-proxy-lfcfw 1/1 Running 0 6m34s kube-proxy-q7q45 1/1 Running 0 8m15s kube-proxy-zwwkc 1/1 Running 0 7m27s kube-scheduler-k8s-master01 1/1 Running 1 8m23s kube-scheduler-k8s-master02 1/1 Running 0 7m26s
至此,k8s高可用集群部署完成!!!!!
