设置主机名 [root@master ~]# hostnamectl set-hostname master.example.com [root@master ~]# bash [root@master ~]# hostname master.example.com [root@node1 ~]# hostnamectl set-hostname node1.example.com [root@node1 ~]# bash [root@node1 ~]# hostname node1.example.com [root@node2 ~]# hostnamectl set-hostname node2.example.com [root@node2 ~]# bash [root@node2 ~]# hostname node2.example.com 以下操作在三台机器都要进行 关闭防火墙、关闭selinux（注意：这只适合实验环境。关闭 firewalld 之后 API server 6443、kubelet 10250、etcd 2379-2380 等端口会直接暴露在所在网络上；生产环境应保留 firewalld，只放行 kubeadm 文档列出的端口。SELinux 也建议设为 permissive 而不是 disabled，至少还能保留审计日志） [root@master ~]# systemctl disable --now firewalld.service Removed /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. [root@master ~]# vim /etc/selinux/config （把 SELINUX=enforcing 改为 SELINUX=permissive 或 SELINUX=disabled，重启后永久生效） [root@master ~]# setenforce 0 （只对当前运行中的系统生效，重启后以配置文件为准） 关闭swap分区空间（kubeadm 预检在 swap 开启时会直接报错而不是警告，所以除了改 fstab 还要执行 swapoff -a 立即关闭） [root@master ~]# vim /etc/fstab # # /etc/fstab # Created by anaconda on Fri Nov 12 08:04:53 2021 # # Accessible filesystems, by reference, are maintained under '/dev/disk/'. # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info. # # After editing this file, run 'systemctl daemon-reload' to update systemd # units generated from this file. # /dev/mapper/cs-root / xfs defaults 0 0 UUID=b63f82a7-55fa-4e7c-b94e-71f1a1e3cb74 /boot xfs defaults 0 0 # 把下面一行删除掉或注释即可 /dev/mapper/cs-swap none swap defaults 0 0 [root@master ~]# swapoff -a
[root@master ~]# vim /etc/hosts [root@master ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.145.188 master master.example.com 192.168.145.189 node1 node1.example.com 192.168.145.190 node2 node2.example.com （这份 /etc/hosts 三台机器都要有，否则后面 kubeadm join 会报 hostname "node1.example.com" could not be reached；可以用 scp /etc/hosts node1:/etc/hosts 同步到各节点） 配置流量传递（三台机器都要做：kube-proxy 和 flannel 在工作节点上同样依赖这些内核参数。建议同时加上 net.ipv4.ip_forward = 1，flannel/kube-proxy 的转发需要它，新版 kubeadm 预检也会检查。两个 net.bridge.* 参数依赖 br_netfilter 内核模块，模块没加载时 sysctl 会报 cannot stat /proc/sys/net/bridge/...，所以先执行 modprobe br_netfilter，并写入 /etc/modules-load.d/k8s.conf 让它开机自动加载） [root@master ~]# vim /etc/sysctl.d/k8s.conf [root@master ~]# ls /etc/sysctl.d/ 99-sysctl.conf k8s.conf [root@master ~]# cat /etc/sysctl.d/k8s.conf net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 net.ipv4.ip_forward = 1 让配置生效 [root@master ~]# sysctl --system * Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ... kernel.yama.ptrace_scope = 0 * Applying /usr/lib/sysctl.d/50-coredump.conf ... kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %e * Applying /usr/lib/sysctl.d/50-default.conf ... kernel.sysrq = 16 kernel.core_uses_pid = 1 kernel.kptr_restrict = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.promote_secondaries = 1 net.core.default_qdisc = fq_codel fs.protected_hardlinks = 1 fs.protected_symlinks = 1 * Applying /usr/lib/sysctl.d/50-libkcapi-optmem_max.conf ... net.core.optmem_max = 81920 * Applying /usr/lib/sysctl.d/50-pid-max.conf ... kernel.pid_max = 4194304 * Applying /etc/sysctl.d/99-sysctl.conf ... * Applying /etc/sysctl.d/k8s.conf ... * Applying /etc/sysctl.conf ... （注意上面的输出在 Applying /etc/sysctl.d/k8s.conf 之后没有回显任何 net.bridge.* 参数，正常情况下 sysctl 会把生效的每一项打印出来；建议用 sysctl net.bridge.bridge-nf-call-iptables net.ipv4.ip_forward 确认它们确实都是 1）
以master为例子 [root@master ~]# yum clean all 清理缓存 21 文件已删除 [root@master ~]# yum makecache 建立新的缓存 安装chrony时间同步（三台机器的时钟必须一致：kubeadm 签发的证书和节点加入时的 TLS bootstrap 都依赖时间，时钟偏差过大会导致 join 失败或证书校验报错） [root@master ~]# yum -y install chrony 配置chrony、并设置开机自启 [root@master ~]# vim /etc/chrony.conf # Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). pool time1.aliyun.com iburst [root@master ~]# systemctl enable --now chronyd [root@master ~]# systemctl status chronyd ● chronyd.service - NTP client/server Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendo> Active: active (running) since Sat 2021-12-18 6:11:23 CST; 2min 4s ago Docs: man:chronyd(8) man:chrony.conf(5) Main PID: 32676 (chronyd) Tasks: 1 (limit: 49298) Memory: 936.0K CGroup: /system.slice/chronyd.service └─32676 /usr/sbin/chronyd （可以再用 chronyc sources -v 确认已经和时间源同步） //在master上做免密登录（这一步只是为了后面方便在节点间拷贝文件，不是 kubeadm 的必要条件。注意它把 master 上 root 的公钥推到了所有节点：master 一旦被攻陷，攻击者就能以 root 登录全部节点。建议用 ssh-keygen -t ed25519 生成密钥并设置私钥口令、配合 ssh-agent 使用，私钥不要复制到其他机器；实验做完可以从各节点的 /root/.ssh/authorized_keys 里把这把公钥删掉） [root@master ~]# ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Created directory '/root/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: SHA256:iboOp9y7jAyN5tpKKu2MeJ/4FMGEpebXe6u8EgUKfIY root@master.example.com The key's randomart image is: +---[RSA 3072]----+ |. .oo | |.E.*. | | .=.o. | | o. o.. . | | . o.o S | | o ..o . | |o+o +.. . | |BBoX.+ . . | |O=X+@++o. | +----[SHA256]-----+ [root@master ~]# ssh-copy-id master [root@master ~]# ssh-copy-id node1 [root@master ~]# ssh-copy-id node2
准备工作完成后重启主机（重启是为了让 /etc/fstab 里删除 swap 和 /etc/selinux/config 的修改真正生效；重启后用 free -m 确认 Swap 一行为 0，用 getenforce 确认 SELinux 状态，用 hostname 确认主机名没有变回去）
Kubernetes 1.20 的 kubelet 仍通过内置的 dockershim 使用 Docker 作为容器运行时，因此这里先安装 Docker。（Docker 本身并不实现 CRI 接口；dockershim 在 1.20 被标记为废弃、1.24 起已从 kubelet 中移除，之后的版本需要改用 containerd 或 cri-dockerd，这也是本文固定在 1.20.0 的原因之一。）
安装docker
以master为例子 三台机器全都要安装 [root@master ~]# wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo 安装Docker（原文这里漏掉了安装命令，应先执行 [root@master ~]# yum -y install docker-ce，再设置开机自启） [root@master ~]# systemctl enable --now docker Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service. 查看版本号 [root@master ~]# docker --version Docker version 20.10.12, build e91ed57 配置加速器（注意：原文的 "registry-mirrors" 一行末尾少了一个逗号，不是合法的 JSON，Docker 会在重启时直接失败，"native.cgroupdriver=systemd" 也就不会生效——后面 kubeadm 预检报的 detected "cgroupfs" 警告很可能就是这个原因，下面已经补上逗号。另外 pvurwzu6 是作者个人的阿里云加速器 ID，请换成自己在阿里云控制台申请的地址） [root@master ~]# mkdir -p /etc/docker [root@master ~]# cat > /etc/docker/daemon.json << EOF { "registry-mirrors": ["https://pvurwzu6.mirror.aliyuncs.com"], "exec-opts": ["native.cgroupdriver=systemd"], "log-driver": "json-file", "log-opts": { "max-size": "100m" }, "storage-driver": "overlay2" } EOF [root@master ~]# systemctl daemon-reload [root@master ~]# systemctl restart docker 重启后用 docker info | grep -i 'cgroup driver' 确认输出是 systemd，再继续后面的步骤
（原文的仓库配置写的是 gpgcheck=0 repo_gpgcheck=0，也就是既不校验 rpm 包签名也不校验仓库元数据签名；gpgkey 已经给出了，没有理由关掉校验，关掉后镜像站或传输链路上被替换的 rpm 会被原样装进系统。这里改为开启；如果镜像站的 repomd.xml 签名校验失败，至少保留 gpgcheck=1，软件包签名校验才是关键） [root@master ~]# cat > /etc/yum.repos.d/kubernetes.repo << EOF [kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=1 repo_gpgcheck=1 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF 安装kubeadm,kubelet和kubectl（三者版本要一致；1.20 已经停止维护，生产环境请选择仍在支持周期内的版本，并相应调整后面 kubeadm init 的 --kubernetes-version） [root@master ~]# yum install -y kubelet-1.20.0 kubeadm-1.20.0 kubectl-1.20.0 [root@master ~]# systemctl enable kubelet //设置开机自启，但是不启动（kubelet 在 kubeadm init/join 写入配置之前会不断重启，这是正常的） Created symlink /etc/systemd/system/multi-user.target.wants/kubelet.service → /usr/lib/systemd/system/kubelet.service. 以上操作在三台主机都要进行
master
kubeadm init \ //master主机的IP --apiserver-advertise-address=192.168.145.188 \ --image-repository registry.aliyuncs.com/google_containers \ //使用阿里云的谷歌镜像仓库，因为国内访问不了 k8s.gcr.io --kubernetes-version v1.20.0 \ //kubernetes版本号 --service-cidr=10.96.0.0/12 \ //service的网段 --pod-network-cidr=10.244.0.0/16 //pod的网段 （上面 // 后面的文字只是说明，不能连同命令一起粘贴执行。--pod-network-cidr 必须和后面 flannel 默认的 10.244.0.0/16 一致。--image-repository 指向的是第三方镜像仓库而不是 k8s.gcr.io，镜像内容由该仓库保证而不是 Kubernetes 项目，生产环境应核对镜像 digest 或改用自己的私有仓库） [root@master ~]# kubeadm init \ > --apiserver-advertise-address=192.168.145.188 \ > --image-repository registry.aliyuncs.com/google_containers \ > --kubernetes-version v1.20.0 \ > --service-cidr=10.96.0.0/12 \ > --pod-network-cidr=10.244.0.0/16 [init] Using Kubernetes version: v1.20.0 [preflight] Running pre-flight checks [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/ （这条警告说明 Docker 实际仍在用 cgroupfs，前面 daemon.json 里的 native.cgroupdriver=systemd 没有生效——多半是 daemon.json 少了逗号导致 Docker 没加载新配置。kubelet 和容器运行时的 cgroup driver 必须一致，建议先修好 daemon.json、重启 docker 并用 docker info 确认后再执行 init） [WARNING FileExisting-tc]: tc not found in system path （yum -y install iproute-tc 即可消除） [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 20.10.12. Latest validated version: 19.03 [preflight] Pulling images required for setting up a Kubernetes cluster [preflight] This might take a minute or two, depending on the speed of your internet connection [preflight] You can also perform this action in beforehand using 'kubeadm config images pull' ....................... Your Kubernetes control-plane has initialized successfully! To start using your cluster, you need to run the following as a regular user: # 如果以普通用户使用集群，就执行下面三条命令，把 admin.conf 复制到自己家目录 mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config Alternatively, if you are the root user, you can run: # 如果是 root 用户就执行下面这条，通过环境变量告诉 kubectl 使用哪个配置文件；但它只对当前 shell 临时生效，下面会改成永久生效 export KUBECONFIG=/etc/kubernetes/admin.conf You should now deploy a pod network to the cluster. 
# 你需要给集群部署一个 pod 网络插件，使用下面的命令 Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at: https://kubernetes.io/docs/concepts/cluster-administration/addons/ Then you can join any number of worker nodes by running the following on each as root: 下面的命令是在工作节点上以 root 执行的，执行后这台主机就会被加入到集群中 kubeadm join 192.168.145.188:6443 --token 3sqb85.fgnkx1ewvmiikpjp \ --discovery-token-ca-cert-hash sha256:ff25704567e6e9271433aca5fa32aa27dc56c61e6cee21c88edd2cf46e8f6710 （--token 是集群的引导凭据：默认 24 小时内，任何能访问 192.168.145.188:6443 的人拿着这个 token 都能把自己的机器加入集群并拿到节点证书。不要把它贴到公开的博客或聊天里；节点加完后用 kubeadm token delete 3sqb85.fgnkx1ewvmiikpjp 作废，需要时再用 kubeadm token create --print-join-command 生成新的。--discovery-token-ca-cert-hash 本身不是秘密，它是让节点校验 API server 身份用的，同样不要省略） 被拉取的镜像 [root@master ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE registry.aliyuncs.com/google_containers/kube-proxy v1.20.0 10cc881966cf 12 months ago 118MB registry.aliyuncs.com/google_containers/kube-scheduler v1.20.0 3138b6e3d471 12 months ago 46.4MB registry.aliyuncs.com/google_containers/kube-apiserver v1.20.0 ca9843d3b545 12 months ago 122MB registry.aliyuncs.com/google_containers/kube-controller-manager v1.20.0 b9fa1895dcaa 12 months ago 116MB registry.aliyuncs.com/google_containers/etcd 3.4.13-0 0369cf4303ff 15 months ago 253MB registry.aliyuncs.com/google_containers/coredns 1.7.0 bfe3a36ebd25 18 months ago 45.2MB registry.aliyuncs.com/google_containers/pause 3.2 80d28bedfe5d 22 months ago 683kB 根据官方推荐的方式做管理员的操作 把环境变量写成永久的（admin.conf 是 cluster-admin 级别的凭据，放进 /etc/profile.d 意味着所有登录用户的 shell 都会指向它；文件本身是 root 的 600 权限，非 root 用户只会报权限错误，但不要为了"方便"把 admin.conf 复制给普通用户，日常操作应另外签发权限受限的 kubeconfig） [root@master kubernetes]# pwd /etc/kubernetes [root@master kubernetes]# echo 'export KUBECONFIG=/etc/kubernetes/admin.conf' > /etc/profile.d/k8s.sh [root@master kubernetes]# source /etc/profile.d/k8s.sh 查看是否有控制节点 [root@master ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION master.example.com NotReady control-plane,master 2m48s v1.20.0 （此时 NotReady 是正常的：还没有网络插件，装好 flannel 后会变成 Ready） 安装pod网络插件（注意这个 URL 指向 coreos/flannel 仓库的 master 分支，内容随时会变，每次 apply 到的可能不是同一份 manifest；仓库现已迁移到 flannel-io/flannel，而且这份 manifest 还创建了 PodSecurityPolicy，该资源在 1.25 已被移除，可见它和版本强相关。建议先把文件下载到本地审阅，固定到某个 release 版本再 kubectl apply -f 本地文件） [root@master ~]# kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml podsecuritypolicy.policy/psp.flannel.unprivileged created clusterrole.rbac.authorization.k8s.io/flannel created clusterrolebinding.rbac.authorization.k8s.io/flannel created serviceaccount/flannel created configmap/kube-flannel-cfg created daemonset.apps/kube-flannel-ds created 加入Kubernetes Node 
（在工作节点上以 root 执行 master 上 kubeadm init 末尾打印的那条 join 命令；如果 token 已过期或被删除，在 master 上用 kubeadm token create --print-join-command 重新生成） [root@node1 ~]# kubeadm join 192.168.145.188:6443 --token 3sqb85.fgnkx1ewvmiikpjp \ > --discovery-token-ca-cert-hash sha256:ff25704567e6e9271433aca5fa32aa27dc56c61e6cee21c88edd2cf46e8f6710 [preflight] Running pre-flight checks [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/ [WARNING FileExisting-tc]: tc not found in system path [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 20.10.12. Latest validated version: 19.03 [WARNING Hostname]: hostname "node1.example.com" could not be reached [WARNING Hostname]: hostname "node1.example.com": lookup node1.example.com on 192.168.145.2:53: no such host （这两条 Hostname 警告说明 node1 自己解析不了 node1.example.com：前面的 /etc/hosts 只在 master 上改过，DNS 192.168.145.2 也没有这条记录。kubeadm 只把它当作警告所以能继续，但节点名解析不稳定会影响日志和排障，应先把 master 的 /etc/hosts 同步到每个节点再 join） [preflight] Reading configuration from the cluster... [preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env" [kubelet-start] Starting the kubelet [kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap... This node has joined the cluster: * Certificate signing request was sent to apiserver and a response was received. * The Kubelet was informed of the new secure connection details. Run 'kubectl get nodes' on the control-plane to see this node join the cluster. node2同理（同样会看到 node2.example.com 的 Hostname 警告，原因相同） [root@node2 ~]# kubeadm join 192.168.145.188:6443 --token 3sqb85.fgnkx1ewvmiikpjp \ > --discovery-token-ca-cert-hash sha256:ff25704567e6e9271433aca5fa32aa27dc56c61e6cee21c88edd2cf46e8f6710 [preflight] Running pre-flight checks [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". 
Please follow the guide at https://kubernetes.io/docs/setup/cri/ [WARNING FileExisting-tc]: tc not found in system path [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 20.10.12. Latest validated version: 19.03 [WARNING Hostname]: hostname "node2.example.com" could not be reached [WARNING Hostname]: hostname "node2.example.com": lookup node2.example.com on 192.168.145.2:53: no such host [preflight] Reading configuration from the cluster... [preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env" [kubelet-start] Starting the kubelet [kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap... This node has joined the cluster: * Certificate signing request was sent to apiserver and a response was received. * The Kubelet was informed of the new secure connection details. Run 'kubectl get nodes' on the control-plane to see this node join the cluster. 在master查看受控节点 [root@master ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION master.example.com Ready control-plane,master 11m v1.20.0 node1.example.com Ready <none> 2m44s v1.20.0 node2.example.com Ready <none> 57s v1.20.0
查看命名空间 [root@master ~]# kubectl get ns NAME STATUS AGE default Active 12m kube-node-lease Active 12m kube-public Active 12m kube-system Active 12m 查看 kube-system 下的系统组件（每台节点各有一个 flannel 和一个 kube-proxy Pod，全部 Running 说明网络插件和 CoreDNS 都已就绪） [root@master ~]# kubectl get pods -n kube-system NAME READY STATUS RESTARTS AGE coredns-7f89b7bc75-485pb 1/1 Running 0 13m coredns-7f89b7bc75-5rxfz 1/1 Running 0 13m etcd-master.example.com 1/1 Running 0 13m kube-apiserver-master.example.com 1/1 Running 0 13m kube-controller-manager-master.example.com 1/1 Running 0 13m kube-flannel-ds-79h4b 1/1 Running 0 2m47s kube-flannel-ds-gfs8s 1/1 Running 0 4m34s kube-flannel-ds-s7r5t 1/1 Running 0 6m35s kube-proxy-94cq2 1/1 Running 0 4m34s kube-proxy-czd2x 1/1 Running 0 2m47s kube-proxy-vffq9 1/1 Running 0 13m kube-scheduler-master.example.com 1/1 Running 0 13m
在Kubernetes集群创建一个pod 验证
创建一个deployment类型的容器，名字叫nginx，镜像使用nginx（--image nginx 没有指定 tag 或 digest，拉到的是 Docker Hub 上当时的 latest；正式使用应固定版本或 digest） [root@master ~]# kubectl create deployment nginx --image nginx deployment.apps/nginx created 暴露端口号（NodePort 会在集群每个节点的所有网卡上监听 30000-32767 范围内的一个端口，而前面已经关闭了 firewalld，所以这个 nginx 对整个 192.168.145.0/24 网段都是可达的；它只是验证用的，测试完记得 kubectl delete svc,deployment nginx） [root@master ~]# kubectl expose deployment nginx --port=80 --type=NodePort service/nginx exposed 查看service的IP地址、端口号等 [root@master ~]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 17m nginx NodePort 10.103.57.41 <none> 80:31164/TCP 5s 访问测试（10.103.57.41 是 ClusterIP，只能在集群节点内部访问；从集群外应访问任一节点 IP 加 NodePort，例如 curl http://192.168.145.189:31164） [root@master ~]# curl http://10.103.57.41 <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style> html { color-scheme: light dark; } body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> <h1>Welcome to nginx!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> <p>For online documentation and support please refer to <a href="http://nginx.org/">nginx.org</a>.<br/> Commercial support is available at <a href="http://nginx.com/">nginx.com</a>.</p> <p><em>Thank you for using nginx.</em></p> </body> </html>