Ubuntu安装教程请参考Ubuntu K8S安装
以下内容根据Rocky Linux 9.5来配置
1. SELinux
确保SELinux状态是关闭或Permissive
sestatus
2. 关闭swap
默认情况下,swap已经是关闭状态
swapoff -a
执行完swapoff -a语句以后,再次检查/etc/fstab文件中是否有swap那一行,如果有,用#号注释掉。
否则会造成节点重启以后kubelet起不来。云环境不需要检查,但是普通个人环境默认应该是fstab有swap的。
sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
3. 启用模块
先创建containerd.conf文件并写入以下两行
sudo tee /etc/modules-load.d/containerd.conf <<EOF
overlay
br_netfilter
EOF
启动模块
modprobe overlay
modprobe br_netfilter
4. 内核网络通信
/etc/sysctl.d/kubernetes.conf 这个文件名字无所谓,只要在这个文件夹内即可,有的人叫k8s.conf
cat << EOF | tee /etc/sysctl.d/kubernetes.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
5. 确认内核更变生效
sysctl --system
6. 准备Docker CE的源
这个步骤不需要也没问题的,这是为了通过docker的网站去安装containerd(但不安装docker)
sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
替换国内源:
sed -i 's+https://download.docker.com+https://mirrors.tuna.tsinghua.edu.cn/docker-ce+' /etc/yum.repos.d/docker-ce.repo
7. 安装containerd
dnf install containerd.io -y
containerd config default | sudo tee /etc/containerd/config.toml >/dev/null 2>&1
以上命令做完之后,config.toml,国内服务器需要修改源
手动修改/etc/containerd/config.toml文件中的内容,将原内容为sandbox_image = "registry.k8s.io/pause:3.8"修改为sandbox_image = "registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9"
sed -i 's#registry.k8s.io/pause:3.8#registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9#g' /etc/containerd/config.toml
根据版本的不同,将会使用不同的pause版本,例如1.31使用的是3.10, 更早版本使用3.9。在启动kubeadm初始化的时候提示错误可以看出。
之后我们需要确保containerd使用CGroup并且确保自启动。
# 使用systemd CGroup
sed -e 's/SystemdCgroup = false/SystemdCgroup = true/g' -i /etc/containerd/config.toml
重启containerd,然后确认一下目前containerd的状态
systemctl restart containerd
systemctl status containerd
systemctl enable containerd
执行手动pull镜像命令如下(先按照要求启动containerd服务,然后再ctr)
ctr -n k8s.io i pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9
# 或使用crictl,这是一个符合 Kubernetes CRI(容器运行时接口)规范的命令行工具
containerd安装也可以通过wget github的方式安装。
8. 安装kubectl特定版本
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://pkgs.k8s.io/core:/stable:/v1.32/rpm/
enabled=1
gpgcheck=1
gpgkey=https://pkgs.k8s.io/core:/stable:/v1.32/rpm/repodata/repomd.xml.key
EOF
国内换镜像源
sed -i 's|https://pkgs.k8s.io/core:/stable:/v1.32/rpm/|https://mirrors.tuna.tsinghua.edu.cn/kubernetes/core:/stable:/v1.32/rpm/|g' /etc/yum.repos.d/kubernetes.repo
dnf install -y kubeadm kubelet kubectl
9. 设置hosts和kubeadmin config并初始化
查看本机ip并设置hosts
vim /etc/hosts
10.128.0.3 k8scp #<-- 新增这一行
127.0.0.1 localhost
创建并设置kubeadm config
apiVersion: kubeadm.k8s.io/v1beta4
kind: ClusterConfiguration
# 推荐添加imageRepository 国内镜像进行初始化
imageRepository: "registry.cn-hangzhou.aliyuncs.com/google_containers" # <-- 国内镜像
kubernetesVersion: 1.30.9 #<-- Use the word stable for newest version
controlPlaneEndpoint: "k8scp:6443" #<-- 使用我们填写到 /etc/hosts 的地址而非IP
networking:
podSubnet: 192.168.0.0/16 #<-- Match the IP range from the CNI config file
如果使用flannel作为我们CNI网络插件,可以直接将Pod的网段改为10.244.0.0/16, 这样可以不需要安装helm就能直接部署Flannel。
初始化:
kubeadm init --config=kubeadm-config.yaml --upload-certs \
| tee kubeadm-init.out
#<-- Save output for future review
# output 输出获得
kubeadm join k8scp:6443 --token vapzqi.et2p9zbkzk29wwth \
--discovery-token-ca-cert-hash
,! sha256:f62bf97d4fba6876e4c3ff645df3fca969c06169dee3865aab9d0bca8ec9f8cd
不使用yaml文件直接用命令行初始化:
sudo kubeadm init \
--control-plane-endpoint "k8scp:8443" \
--kubernetes-version 1.32.0 \
--upload-certs \
--service-cidr=10.96.0.0/12 \
--pod-network-cidr=10.244.0.0/16 \
--image-repository registry.aliyuncs.com/google_containers
最后记得确保kubelet自启动
systemctl enable kubelet
10. 使用非root账号查看
我们必须使用非root用户来运行命令
# -m 加/home/student, -s shell是/bin/bash
useradd -m -s /bin/bash student
#改个密码
passwd student
# Ubuntu给予sudo权限 权限组不是wheel, 而是sudo
usermod -aG sudo student
# 登出root 登录student
root@cp:˜# exit
logout
student@cp:˜$ mkdir -p $HOME/.kube
student@cp:˜$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
student@cp:˜$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
# 查看以下config配置是否有问题
student@cp:˜$ less .kube/config
#==============================
apiVersion: v1
clusters:
- cluster:
#<output_omitted>
11. CNI网络插件安装
网络插件一般用:calico, cilium(CKA指导使用)和flannel。
其中cilium和flannel都可以使用helm来安装, 也可不用。
需要注意的是,cilium版本和k8s版本也是有对应关系。可以在kubectl安装查看output(输出)是否有报错。
下面,我们先介绍安装helm的步骤。
提示:我们在未安装CNI网络插件的时候coredns会是Pending状态。
为了方便一会kubectl yaml文件,我们直接切换到非root用户:
helm
## dnf 这个源只在fedora有,所以我们使用脚本安装
sudo dnf install helm -y
以下链接已添加GitHub加速镜像:
curl -fsSL -o get_helm.sh https://ghfast.top/https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
cilium 安装方法1 helm
helm repo add cilium https://helm.cilium.io/
helm repo update
helm template cilium cilium/cilium --version 1.15.13 --namespace kube-system > cilium.yaml
cilium.yaml中默认cluster-pool-ipv4-cidr为cluster-pool-ipv4-cidr: "10.0.0.0/8",我们需要把他修改为我们实际部署pod的地址:
cluster-pool-ipv4-cidr: "192.168.0.0/16"
sed -i 's|cluster-pool-ipv4-cidr: "10.0.0.0/8"|cluster-pool-ipv4-cidr: "192.168.0.0/16"|g' cilium.yaml
请确保cilium.yaml不在root文件夹下,而在非root用户文件夹下,这样方便运行以下命令。
kubectl apply -f /home/student/cilium.yaml
# output
serviceaccount/cilium created
serviceaccount/cilium-operator created
secret/cilium-ca created
secret/hubble-server-certs created
configmap/cilium-config created
clusterrole.rbac.authorization.k8s.io/cilium created
clusterrole.rbac.authorization.k8s.io/cilium-operator created
clusterrolebinding.rbac.authorization.k8s.io/cilium created
clusterrolebinding.rbac.authorization.k8s.io/cilium-operator created
role.rbac.authorization.k8s.io/cilium-config-agent created
rolebinding.rbac.authorization.k8s.io/cilium-config-agent created
service/hubble-peer created
daemonset.apps/cilium created
deployment.apps/cilium-operator created
结果输出如下:
[student@k8scp ~]$ kubectl get pod -A -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
kube-system cilium-c468w 1/1 Running 0 12m 10.10.0.137 k8s-worker1 <none> <none>
kube-system cilium-h9cpn 1/1 Running 0 9m37s 10.10.0.138 k8s-cp <none> <none>
kube-system cilium-operator-558df48bf4-p4vkz 1/1 Running 1 (10m ago) 12m 10.10.0.138 k8s-cp <none> <none>
kube-system cilium-operator-558df48bf4-zncbm 1/1 Running 0 12m 10.10.0.136 k8s-worker2 <none> <none>
kube-system cilium-qhlmx 1/1 Running 0 12m 10.10.0.136 k8s-worker2 <none> <none>
kube-system coredns-fcd6c9c4-cbxws 1/1 Running 0 24h 192.168.0.81 k8s-worker1 <none> <none>
kube-system coredns-fcd6c9c4-cpmhk 1/1 Running 0 24h 192.168.0.169 k8s-worker1 <none> <none>
kube-system etcd-k8s-cp 1/1 Running 3 (55m ago) 24h 10.10.0.138 k8s-cp <none> <none>
kube-system kube-apiserver-k8s-cp 1/1 Running 3 (55m ago) 24h 10.10.0.138 k8s-cp <none> <none>
kube-system kube-controller-manager-k8s-cp 1/1 Running 8 (10m ago) 24h 10.10.0.138 k8s-cp <none> <none>
kube-system kube-proxy-22knq 1/1 Running 1 (55m ago) 23h 10.10.0.136 k8s-worker2 <none> <none>
kube-system kube-proxy-8b2km 1/1 Running 1 (55m ago) 24h 10.10.0.138 k8s-cp <none> <none>
kube-system kube-proxy-mmgqm 1/1 Running 1 (55m ago) 23h 10.10.0.137 k8s-worker1 <none> <none>
kube-system kube-scheduler-k8s-cp 1/1 Running 8 (10m ago) 24h 10.10.0.138 k8s-cp <none> <none>
cilium 安装方法2 CLI
cilium 官方文档
先安装cilium CLI然后再利用cilium cli安装特定版本cilium。
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{
,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{
,.sha256sum}
自动下载最新版本CLI并安装成功后自动询问是否删除下载的文件。
cilium install --version 1.15.13
如果Pod网段不是默认网段(10.42.0.0/16),则通过以下方式添加:
cilium install --version 1.15.13 --set=ipam.operator.clusterPoolIPv4PodCIDRList="10.42.0.0/16"
flannel
使用flannel需要在初始化的时候,指定的pod的IP段是pod-network-cidr=10.244.0.0/16,或者使用helm安装来自定义flannel的网段。
如果在初始化的时候指定的pod是10.244.0.0/16则可以直接使用以下命令(本文档中的kubeadm-config指定了Pod的网段是192.168.0.0/16)
kubectl apply -f https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml
否则需要使用helm:
kubectl create ns kube-flannel
kubectl label --overwrite ns kube-flannel pod-security.kubernetes.io/enforce=privileged
helm repo add flannel https://flannel-io.github.io/flannel/
helm install flannel --set podCidr="192.168.0.0/16" --namespace kube-flannel flannel/flannel
[student@k8s-cp ~]$ helm install flannel --set podCidr="192.168.0.0/16" --namespace kube-flannel flannel/flannel
# output
NAME: flannel
LAST DEPLOYED: {
DATETIME}
NAMESPACE: kube-flannel
STATUS: deployed
REVISION: 1
TEST SUITE: None
[student@k8s-cp ~]$ kubectl get pod -A -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
kube-flannel kube-flannel-ds-29wvm 1/1 Running 0 20s 10.10.0.136 k8s-worker2 <none> <none>
kube-flannel kube-flannel-ds-4pc2n 1/1 Running 0 20s 10.10.0.138 k8s-cp <none> <none>
kube-flannel kube-flannel-ds-p6hmt 1/1 Running 0 20s 10.10.0.137 k8s-worker1 <none> <none>
kube-system coredns-fcd6c9c4-bwj6s 1/1 Running 0 16m 192.168.2.2 k8s-worker1 <none> <none>
kube-system coredns-fcd6c9c4-wqbql 1/1 Running 0 41m 192.168.1.2 k8s-worker2 <none> <none>
kube-system etcd-k8s-cp 1/1 Running 0 41m 10.10.0.138 k8s-cp <none> <none>
kube-system kube-apiserver-k8s-cp 1/1 Running 0 41m 10.10.0.138 k8s-cp <none> <none>
kube-system kube-controller-manager-k8s-cp 1/1 Running 3 41m 10.10.0.138 k8s-cp <none> <none>
kube-system kube-proxy-6pppg 1/1 Running 0 41m 10.10.0.137 k8s-worker1 <none> <none>
kube-system kube-proxy-f7t5t 1/1 Running 0 41m 10.10.0.136 k8s-worker2 <none> <none>
kube-system kube-proxy-xtd6f 1/1 Running 0 41m 10.10.0.138 k8s-cp <none> <none>
kube-system kube-scheduler-k8s-cp 1/1 Running 3 41m 10.10.0.138 k8s-cp <none> <none>
12. 实现kubectl补全
student@cp:˜$ sudo dnf install bash-completion -y
# 如果没安装的话,就退出再登录 <exit and log back in>
student@cp:˜$ source <(kubectl completion bash)
student@cp:˜$ echo "source <(kubectl completion bash)" >> $HOME/.bashrc
现在输入kubectl des再按Tab就会自动补全了。
kubectl get nodes
# 输出
NAME STATUS ROLES AGE VERSION
cn-node1-cp1 Ready control-plane 133m v1.27.1
kubectl get pods -A
# 输出
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system cilium-h49dp 1/1 Running 0 15m
kube-system cilium-operator-788c7d7585-c2shl 0/1 Pending 0 15m
kube-system cilium-operator-788c7d7585-rn26s 1/1 Running 0 15m
kube-system coredns-5d78c9869d-2rw6j 1/1 Running 0 132m
kube-system coredns-5d78c9869d-b8shj 1/1 Running 0 132m
kube-system etcd-cn-node1-cp1 1/1 Running 4 (97m ago) 132m
kube-system kube-apiserver-cn-node1-cp1 1/1 Running 4 (97m ago) 132m
kube-system kube-controller-manager-cn-node1-cp1 1/1 Running 4 (97m ago) 132m
kube-system kube-proxy-5c758 1/1 Running 4 (97m ago) 132m
kube-system kube-scheduler-cn-node1-cp1 1/1 Running 4 (97m ago) 132m
13. Token过期问题(可跳过)
默认是24小时才过期。
我们可以通过以下方式查看
kubeadm token list
# 然后继续在cp node上使用student用户创建token
sudo kubeadm token create
>>27eee4.6e66ff60318da929
# 创建sha256
openssl x509 -pubkey \
-in /etc/kubernetes/pki/ca.crt | openssl rsa \
-pubin -outform der 2>/dev/null | openssl dgst \
-sha256 -hex | sed 's/ˆ.* //'
>>6d541678b05652e1fa5d43908e75e67376e994c3483d6683f2a18673e5d2a1b0
14. 加入集群
先到worker节点,新增hosts
root@worker:˜# vim /etc/hosts
10.128.0.3 k8scp #<-- Add this line
127.0.0.1 localhost
然后即可使用加入节点的方式加入,如果你的token已过期则根据新生成的token和sha256值对应调整即可。
kubeadm join \
--token 27eee4.6e66ff60318da929 \
k8scp:6443 \
--discovery-token-ca-cert-hash \
sha256:6d541678b05652e1fa5d43908e75e67376e994c3483d6683f2a18673e5d2a1b0
CP重新设置
在安装好CP之后,最快重新设置CP的方式就是直接重置。k8s提供直接重置命令:kubeadm reset。
其他的过期的相关信息可以参考Ubuntu k8s安装教程。
