开源版本:
官网:
华为云市场:
https://marketplace.huaweicloud.com/contents/a1210d06-82af-4552-915d-d3d9d10a13ea
aws云市场:
https://awsmarketplace.amazonaws.cn/marketplace/search/results?x=0&y=0&searchTerms=erda
阿里云产品:
https://www.aliyun.com/solution/terminusPaaS/?spm=5176.21213303.J_8058803260.115.6d4253c9NV96xG
前置要求
所有节点保持时钟一致
关闭swap分区
关闭iptables防火墙(仅适合隔离的测试环境;生产环境建议保留防火墙,只放行 Kubernetes 所需端口)
关闭selinux(kubeadm 官方文档的做法是设为 permissive 模式,而不是彻底禁用)
环境说明
## 角色定义
# vim /etc/hosts
10.15.26.250 master
10.15.26.251 node1
10.15.26.252 node2
10.15.26.253 node3
## 更改主机名
# hostnamectl set-hostname [xxxx]
## 关闭防火墙
# systemctl stop firewalld && systemctl disable firewalld
部署 k8s 集群
安装 docker
## 安装必要的依赖工具
# yum install -y yum-utils device-mapper-persistent-data lvm2
## 导入 docker yum 源(使用 https 获取仓库配置)
# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
## 安装 docker-ce
# yum -y install docker-ce docker-ce-selinux
## 启动 docker 服务
# systemctl enable docker && systemctl start docker
## 更改 docker 中Cgroup Driver 为 systemd
# cat << EOF > /etc/docker/daemon.json
{
"exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
## 重启 docker 服务
# systemctl restart docker
安装 kubeadm
## 加载模块
# modprobe br_netfilter
## 允许 iptables 检查桥接流量
# cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF
# cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
# sudo sysctl --system
## 导入 kubernetes yum源
# cat << EOF > /etc/yum.repos.d/kubernetes.repo
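[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
# Verify every RPM against the keys listed in gpgkey below. With gpgcheck=0
# those keys are never consulted, so a tampered mirror or proxy could serve
# modified kubeadm/kubelet/kubectl packages without yum noticing.
gpgcheck=1
# Repository metadata signatures are still not checked here. Set this to 1
# if the mirror serves signed repodata.
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg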
EOF
## 安装 kubeadm、kubelet、kubectl
# yum install -y kubeadm-1.21.9 kubectl-1.21.9 kubelet-1.21.9
## 启动 kubelet 服务
# systemctl enable kubelet && systemctl start kubelet
master 节点生成配置文件
## 生成配置文件
# kubeadm config print init-defaults > /etc/kubernetes/kubeadmin-config.yaml
## 修改配置文件
# cat /etc/kubernetes/kubeadmin-config.yaml
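# kubeadm init configuration: first document is the InitConfiguration
# (bootstrap token, API endpoint, node registration), second document is
# the ClusterConfiguration (image registry, version, networking).
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
  - groups:
      - system:bootstrappers:kubeadm:default-node-token
    # This is the fixed placeholder that `kubeadm config print init-defaults`
    # prints, so it is publicly known. Replace it with the output of
    # `kubeadm token generate` before running `kubeadm init`: a bootstrap
    # token lets its holder request node credentials until the ttl expires.
    token: abcdef.0123456789abcdef
    ttl: 24h0m0s
    usages:
      - signing
      - authentication
kind: InitConfiguration
localAPIEndpoint:
  # Address of the master node.
  advertiseAddress: 10.15.26.250
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  # NOTE(review): a later step labels a node called `master`; confirm this
  # name matches the control-plane host.
  name: node
  taints: null
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
# Changed from the default to a mirror registry. Control-plane images are
# pulled from here, so this registry is trusted for every one of them.
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
kind: ClusterConfiguration
# NOTE(review): the packages installed earlier in this guide are 1.21.9
# while this pins the control plane to 1.21.0; confirm that is intended.
kubernetesVersion: 1.21.0
networking:
  dnsDomain: cluster.local
  # Must match the "Network" value set in the flannel manifest.
  podSubnet: "192.168.0.0/16"
  serviceSubnet: "10.96.0.0/16"
scheduler: {}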
master 节点初始化
# kubeadm init --config=/etc/kubernetes/kubeadmin-config.yaml
......
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 10.15.26.250:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:bcc2606c473fdf9855190012552070d12245ab3b353bd7adc35157204c60fdb4
## 使 kubectl 正常工作,参考上步输出的结果
## root 用户
# export KUBECONFIG=/etc/kubernetes/admin.conf
# echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> /etc/profile
node 节点加入 k8s集群
# kubeadm join 10.15.26.250:6443 --token abcdef.0123456789abcdef \
> --discovery-token-ca-cert-hash sha256:bcc2606c473fdf9855190012552070d12245ab3b353bd7adc35157204c60fdb4
[preflight] Running pre-flight checks
[WARNING Hostname]: hostname "node2" could not be reached
[WARNING Hostname]: hostname "node2": lookup node2 on 100.100.2.138:53: no such host
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
集群信息
安装 flannel 网络插件
## 下载(该地址指向 master 分支,内容会随时间变化;建议改用固定 release 标签的清单,并在 apply 前检查内容)
# wget https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
## 将 kube-flannel.yml 中的 "Network" 改为安装时指定的 Pod CIDR(--pod-network-cidr,即上文 podSubnet 的 "192.168.0.0/16")
## 部署 flannel
# kubectl apply -f kube-flannel.yml
部署 ingress
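## 安装 helm(下载后先校验 sha256,再解压安装)
# wget https://get.helm.sh/helm-v3.8.1-linux-amd64.tar.gz
# wget https://get.helm.sh/helm-v3.8.1-linux-amd64.tar.gz.sha256sum
# sha256sum -c helm-v3.8.1-linux-amd64.tar.gz.sha256sum
# tar -zxvf helm-v3.8.1-linux-amd64.tar.gz
# mv linux-amd64/helm /usr/local/bin && chmod +x /usr/local/bin/helm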
## 添加 repo
# helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
# helm repo update
## 编写 values.yaml
# cat << EOF > ingress-nginx-values.yaml
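# Values for the ingress-nginx Helm chart: run the controller as a DaemonSet
# on nodes labelled ingress=true, using images from a mirror registry.
controller:
  image:
    registry: registry.cn-shanghai.aliyuncs.com/viper
    image: ingress-nginx-controller
    # Pinned by digest, so the content cannot change behind a tag.
    # NOTE(review): confirm this digest corresponds to the upstream
    # controller image for the chart version being installed.
    digest: sha256:bc30cb296e7548162afd9601f6b96261dcca8263e05b962694d1686b4d5a9584
  watchIngressWithoutClass: true
  # The controller pods use the node's network namespace and listen on the
  # node's ports 80/443 directly.
  hostNetwork: true
  hostPort:
    enabled: true
    ports:
      http: 80
      https: 443
  kind: DaemonSet
  nodeSelector:
    # Label values are strings, hence the quotes.
    ingress: "true"
  admissionWebhooks:
    patch:
      image:
        registry: registry.cn-shanghai.aliyuncs.com/viper
        image: kube-webhook-certgen
        # NOTE(review): as above, confirm against the upstream image digest.
        digest: sha256:78351fc9d9b5f835e0809921c029208faeb7fbb6dc2d3b0d1db0a6584195cfed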
EOF
## 对 master 节点添加标签 ingress=true 并取消 master 节点污点(由于资源紧张,复用资源;这样入口流量和业务 Pod 会与控制面组件运行在同一节点上,生产环境建议使用独立节点)
# kubectl label no master ingress=true
# kubectl taint no --all node-role.kubernetes.io/master-
## 部署 ingress-controller
# helm install ingress-nginx ingress-nginx/ingress-nginx --version=4.0.8 -f ingress-nginx-values.yaml -n ingress-nginx --create-namespace
集群信息
参考
kubeadm 安装参考:
https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/
calico 安装参考:
https://projectcalico.docs.tigera.io/archive/v3.20/getting-started/kubernetes/quickstart
erda 安装参考:
https://docs.erda.cloud/2.0/manual/install/helm-install/helm-install-demo.html