初始化k8s多结点集群

本实践将在 Ubuntu 22.04.3LTS 系统上进行安装测试
docker版本 24.0.6
kubeadm版本 v1.28 次新版本
cir-docker 版本 v0.3.4 用来适配docker和k8s

基础软件安装

# docker 当前版本 Client: Docker Engine - Community
 Version:    24.0.6
# cri-dockerd 当前版本v0.3.4 https://github.com/Mirantis/cri-dockerd

wget ...../v0.3.4/cri-dockerd_0.3.4.3-0.ubuntu-jammy_amd64.deb
apt install ./cri-dockerd_0.3.4.3-0.ubuntu-jammy_amd64.deb
vim /lib/systemd/system/cri-docker.service
ExecStart=/usr/bin/cri-dockerd --container-runtime-endpoint fd:// --pod-infra-container-image registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9

#systemctl daemon-reload
#systemctl restart cri-docker

# 更新安装三件套
sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.28/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list

apt-mark unhold kubelet kubeadm kubectl
apt-get autoremove kubelet kubeadm kubectl
apt-get update
#apt-cache madison kubelet
apt-get install -y kubelet kubeadm kubectl
apt-mark hold kubelet kubeadm kubectl

创建集群

官方资料参考 创建集群

# https://kubernetes.io/zh-cn/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/ 
# 安装配置集群
# kubeadm init --help
kubeadm init \
    --image-repository=registry.cn-hangzhou.aliyuncs.com/google_containers \
    --control-plane-endpoint="home.local.com" \
    --apiserver-advertise-address= local_ip \
    --pod-network-cidr=10.10.0.0/16 \
    --service-cidr=10.20.0.0/16 \
    --token-ttl=0 \
    --cri-socket unix:///run/cri-dockerd.sock \
    --upload-certs

# kubeadm config images list --image-repository=registry.cn-hangzhou.aliyuncs.com/google_containers
# kubeadm config images pull --image-repository=registry.cn-hangzhou.aliyuncs.com/google_containers

kubeadm reset --cri-socket unix:///run/cri-dockerd.sock
# unix:///var/run/containerd/containerd.sock
##################
kubectl taint nodes --all node-role.kubernetes.io/control-plane-

kubectl label node slave-node node-role.kubernetes.io/worker=worker
###################################  
vim /etc/kubernetes/manifests/kube-apiserver.yaml
- kube-apiserver
###################################

安装成功提示日志

[init] Using Kubernetes version: v1.28.2
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [aip-dev.jianke.com aip-master-node kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.20.0.1 172.17.240.83]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [aip-master-node localhost] and IPs [172.17.xxx.xxx 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [aip-master-node localhost] and IPs [172.17.xxx.xxx 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
W0927 11:49:39.433405   10590 endpoint.go:57] [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Writing "admin.conf" kubeconfig file
W0927 11:49:39.570771   10590 endpoint.go:57] [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Writing "kubelet.conf" kubeconfig file
W0927 11:49:39.880883   10590 endpoint.go:57] [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
W0927 11:49:40.024566   10590 endpoint.go:57] [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 8.587821 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
be68bf0d7c0b60c085ddccacb6604a5ec1574560d0070ebb863ebe0557e85335
[mark-control-plane] Marking the node aip-master-node as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node aip-master-node as control-plane by adding the taints [node-role.kubernetes.io/control-plane:NoSchedule]
[bootstrap-token] Using token: laq5s9.rsniw4r91yhh0d9d
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
W0927 11:49:51.443749   10590 endpoint.go:57] [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of the control-plane node running the following command on each as root:

  kubeadm join home.local.com:6448 --token laq5s9.rsniw4r91yhh0d9d \
    --discovery-token-ca-cert-hash sha256:c67fbcc90d026413c544e11171276f10dc6c2d441976f361cc96698cb1a8180fe4d \
    --control-plane --certificate-key be68bf0d7c0b60c085dd2ccacb6604a5e2c1574560d0070ebb863ebe0557e85335 \
        --cri-socket unix:///run/cri-dockerd.sock

Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join home.local.com:6448 --token laq5s9.rsniw4r91yhh0d9d \
    --discovery-token-ca-cert-hash sha256:c67fbcc910d0643c544e11171276f210dc6cd441976f361cc96698cb1a8180fe4d \
        --cri-socket unix:///run/cri-dockerd.sock

其他命令参考

kubectl drain aip-slave-node --ignore-daemonsets --delete-emptydir-data
kubectl delete node aip-slave-node