Kubernetes 1.27 installation tutorial

Software versions
docker: latest
containerd: 1.6.6
kubernetes: 1.27.0
calico: 3.25

Node    IP            OS          Role         CPU       RAM   Disk
node1   10.80.10.1    centos7.9   k8s-master   4 cores   8GB   20GB
node2   10.80.10.2    centos7.9   k8s-node     4 cores   8GB   20GB
node3   10.80.10.3    centos7.9   k8s-node     4 cores   8GB   20GB

One control-plane node (node1) and two workers (node2, node3): node3 is named k8s-node2 below and joined with the worker join command.

On node1, node2 and node3:

Set the hostname:

# node1
# hostnamectl set-hostname k8s-master1 && bash
# node2
# hostnamectl set-hostname k8s-node1 && bash
# node3
# hostnamectl set-hostname k8s-node2 && bash

On node1:

Add hosts entries:

# vim /etc/hosts
10.80.10.1 k8s-master1
10.80.10.2 k8s-node1
10.80.10.3 k8s-node2
# for i in k8s-master1 k8s-node1 k8s-node2; do scp /etc/hosts ${i}:/etc; done

On node1, node2 and node3:

Set up passwordless SSH:

# ssh-keygen -t rsa
(press Enter at the three prompts: default path, empty passphrase, confirm)
# for i in k8s-master1 k8s-node1 k8s-node2; do ssh-copy-id ${i}; done

Running this on all three nodes gives root on every node a key trusted by every other node, so a single compromised worker yields root on the control plane. The tutorial only uses the key to copy files from node1, so generating it on node1 alone and copying it to the workers is enough. Where the hosts support it, ssh-keygen -t ed25519 is preferred over RSA.

Disable swap:

# swapoff -a
# sed -ri 's/.*swap.*/#&/' /etc/fstab

Load kernel modules and parameters:

# modprobe br_netfilter
# cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
# sysctl -p /etc/sysctl.d/k8s.conf
# lsmod | grep br_netfilter
br_netfilter 22256 0
bridge 151336 1 br_netfilter

modprobe only loads the module into the running kernel. After a reboot br_netfilter is gone, the two bridge-nf sysctls cannot be applied and kubeadm's preflight check fails. Persist it with a line "br_netfilter" in /etc/modules-load.d/k8s.conf; the sysctl file above is already applied at boot.
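
A preflight check for the swap and kernel-parameter steps above, added here as an example (it is not part of the original tutorial). It reads the live kernel state rather than trusting that the commands ran, and persists the br_netfilter module that the tutorial only loads for the running kernel. The ROOT parameter is an assumption of this example so the same checks can be exercised against a constructed fake /proc tree; on a real node leave it at "/".

```bash
#!/usr/bin/env bash
# Added example (not part of the original tutorial): node preflight for kubeadm.
# ROOT defaults to "/" (real node); a test can pass a fake tree instead.
set -u

# Return 0 if swap is fully off: /proc/swaps then holds only its header line.
swap_is_off() {
  local root="${1:-/}"
  [ "$(grep -c . "$root/proc/swaps")" -le 1 ]
}

# Return 0 if kernel module MOD is loaded (listed in /proc/modules).
module_loaded() {
  local root="$1" mod="$2"
  grep -q "^$mod " "$root/proc/modules"
}

# Return 0 if the sysctl KEY (dotted form) currently reads VALUE.
sysctl_is() {
  local root="$1" key="$2" want="$3"
  local path="$root/proc/sys/$(printf '%s' "$key" | tr . /)"
  [ -r "$path" ] && [ "$(cat "$path")" = "$want" ]
}

# Run every check, print one line per result, return the number of failures
# (0 means the node is ready for kubeadm).
check_node_prereqs() {
  local root="${1:-/}" fails=0
  swap_is_off "$root" && echo "ok   swap off" || { echo "FAIL swap still active"; fails=$((fails+1)); }
  module_loaded "$root" br_netfilter && echo "ok   br_netfilter loaded" || { echo "FAIL br_netfilter not loaded"; fails=$((fails+1)); }
  sysctl_is "$root" net.bridge.bridge-nf-call-iptables 1 && echo "ok   bridge-nf-call-iptables=1" || { echo "FAIL bridge-nf-call-iptables != 1"; fails=$((fails+1)); }
  sysctl_is "$root" net.bridge.bridge-nf-call-ip6tables 1 && echo "ok   bridge-nf-call-ip6tables=1" || { echo "FAIL bridge-nf-call-ip6tables != 1"; fails=$((fails+1)); }
  sysctl_is "$root" net.ipv4.ip_forward 1 && echo "ok   ip_forward=1" || { echo "FAIL ip_forward != 1"; fails=$((fails+1)); }
  return "$fails"
}

# Persist what the tutorial sets only for the running kernel: without the
# modules-load.d entry br_netfilter is gone after a reboot and the bridge
# sysctls in k8s.conf cannot be applied at boot.
persist_k8s_kernel_settings() {
  local root="${1:-/}"
  mkdir -p "$root/etc/modules-load.d" "$root/etc/sysctl.d"
  printf 'br_netfilter\n' > "$root/etc/modules-load.d/k8s.conf"
  cat > "$root/etc/sysctl.d/k8s.conf" <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
}

# Stand-alone use on a node:  bash preflight.sh --check
if [ "${1:-}" = "--check" ]; then check_node_prereqs /; exit $?; fi
```

Run it on every node after the swap and sysctl steps and before kubeadm; a non-zero exit tells you which step did not stick, which is cheaper than diagnosing a NotReady node later.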

Add the docker and kubernetes repositories:

# yum install -y yum-utils device-mapper-persistent-data lvm2
# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# cat > /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
EOF
# yum makecache fast

gpgcheck=0 turns off RPM signature verification, so kubelet, kubeadm and kubectl (all running as root on every node) are installed on nothing stronger than a TLS connection to a mirror. Set gpgcheck=1 and repo_gpgcheck=1 and point gpgkey at the mirror's published signing keys; the docker-ce.repo added above already ships with gpgcheck enabled.
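
The hardened form of the repo file, with a check that rejects the weak one, added as an example (not part of the original tutorial). The gpgkey URLs are the keys the Aliyun mirror publishes next to its Kubernetes repo; verify them against your own trust policy before relying on them. DIR is a parameter of this example; on a node it is /etc/yum.repos.d.

```bash
#!/usr/bin/env bash
# Added example (not part of the original tutorial): Kubernetes yum repo with
# package and metadata signature checks on, plus a guard against gpgcheck=0.
set -u

# Write the hardened repo file into DIR (/etc/yum.repos.d on a real node).
write_k8s_repo() {
  local dir="$1"
  mkdir -p "$dir"
  cat > "$dir/kubernetes.repo" <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
}

# Return 0 only if every enabled section in FILE has gpgcheck=1 and a gpgkey,
# so a repo that quietly disables verification is caught before "yum install".
repo_verifies_signatures() {
  awk '
    BEGIN { bad = 0; sect = "" }
    function flush() { if (sect != "" && enabled && !(gpg && key)) bad = 1 }
    /^\[/         { flush(); sect = $0; enabled = 1; gpg = 0; key = 0; next }
    /^enabled=0/  { enabled = 0 }
    /^gpgcheck=1/ { gpg = 1 }
    /^gpgkey=/    { key = 1 }
    END { flush(); exit bad }
  ' "$1"
}

# Stand-alone use on a node: write the repo, then refuse to continue if any
# enabled repo on the host skips signature checks.
audit_all_repos() {
  local f rc=0
  for f in "${1:-/etc/yum.repos.d}"/*.repo; do
    repo_verifies_signatures "$f" || { echo "unverified repo: $f"; rc=1; }
  done
  return "$rc"
}
```

With repo_gpgcheck=1 yum also verifies the repository metadata signature, which is what stops a mirror (or anyone between you and it) from serving an older, vulnerable package list.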

Install containerd:

# yum install -y containerd.io-1.6.6
# mkdir -p /etc/containerd
# containerd config default > /etc/containerd/config.toml

Edit the containerd config file:

# vim /etc/containerd/config.toml
# line 125: change
SystemdCgroup = true
# line 61: change
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.7"

The line numbers refer to the default config printed by containerd 1.6.6; search for the keys instead of trusting them (SystemdCgroup sits under [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]). SystemdCgroup = true must match the kubelet's cgroupDriver: systemd set in kubeadm.yaml later; a mismatch leaves pods failing to start. kubeadm 1.27 expects pause:3.9 (it is in the image bundle imported below) and warns when the runtime's sandbox image differs, so pause:3.9 is the better value here.

Start containerd and enable it at boot:

# systemctl start containerd
# systemctl enable containerd
# systemctl status containerd

Configure crictl:

# cat > /etc/crictl.yaml << EOF
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF
# systemctl restart containerd
# systemctl status containerd

crictl reads /etc/crictl.yaml itself; the restart is harmless but not required for this file.

Configure a registry mirror for containerd:

# vim /etc/containerd/config.toml
# line 145: change
config_path = "/etc/containerd/certs.d"

# mkdir -p /etc/containerd/certs.d/docker.io
# vim /etc/containerd/certs.d/docker.io/hosts.toml
server = "https://docker.io"

[host."https://vh3bm52y.mirror.aliyuncs.com"]
  capabilities = ["pull", "resolve"]

[host."https://registry.docker-cn.com"]
  capabilities = ["pull", "resolve"]

# systemctl restart containerd
# systemctl status containerd

Each mirror gets its own [host."..."] table: a single header naming two hosts separated by a comma is not valid TOML, containerd fails to parse the file and pulls go straight to docker.io. "resolve" lets containerd resolve tags at the mirror; with "pull" alone every tag lookup still goes to docker.io. The config_path key lives in the [plugins."io.containerd.grpc.v1.cri".registry] section; find it by key rather than by line number.

Install docker:

# yum install -y docker-ce

Start docker and enable it at boot:

# systemctl start docker
# systemctl enable docker
# systemctl status docker

Docker is not the cluster's container runtime here: the kubelet is pointed at containerd's socket in kubeadm.yaml below. Docker is only useful for building images with the docker CLI, and note that such images land in containerd's moby namespace, where the kubelet (which uses the k8s.io namespace) cannot see them.

Configure docker registry mirrors:

# vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://pmn1o05g.mirror.aliyuncs.com","https://registry.docker-cn.com","https://docker.mirrors.ustc.edu.cn","https://dockerhub.azk8s.cn","http://hub-mirror.c.163.com"],
"exec-opts": ["native.cgroupdriver=systemd"]
}

# systemctl daemon-reload
# systemctl restart docker
# systemctl status docker

The last mirror is plain http: image layers and manifests fetched through it can be altered in transit. Keep only https mirrors you actually trust; a mirror you no longer need is one less party that can feed you a tampered image.

Install kubernetes:

# yum install -y kubelet-1.27.0 kubeadm-1.27.0 kubectl-1.27.0

Enable kubelet at boot:

# systemctl enable kubelet

kubelet will crash-loop until kubeadm init or kubeadm join writes its configuration; that is expected at this point.

On node1:

Import the k8s images with ctr (and how the bundle was packaged):

# ctr -n=k8s.io images import k8s_1.27.0.tar.gz
# ctr -n k8s.io images export k8s_1.27.0.tar.gz \
registry.aliyuncs.com/google_containers/coredns:v1.10.1 \
registry.aliyuncs.com/google_containers/etcd:3.5.7-0 \
registry.aliyuncs.com/google_containers/kube-apiserver:v1.27.0 \
registry.aliyuncs.com/google_containers/kube-controller-manager:v1.27.0 \
registry.aliyuncs.com/google_containers/kube-proxy:v1.27.0 \
registry.aliyuncs.com/google_containers/kube-scheduler:v1.27.0 \
registry.aliyuncs.com/google_containers/pause:3.7 \
registry.aliyuncs.com/google_containers/pause:3.9

The import loads a bundle prepared offline; the export command is how that bundle was produced on a machine that had already pulled the images. The -n k8s.io namespace matters: the kubelet only sees images in containerd's k8s.io namespace, so an import into the default namespace is not found and the pull falls back to the registry. Workers still need kube-proxy and pause, so either import the bundle there too or rely on the containerd mirror configured earlier. Without an offline bundle, kubeadm config images pull --config kubeadm.yaml fetches the same list from the imageRepository set below. Images from a third-party mirror carry no provenance from registry.k8s.io; if that matters, compare the repoDigests shown by crictl inspecti with the digests of the upstream tags before trusting them.

Initialize the cluster with kubeadm:

# cd /root/
# kubeadm config print init-defaults > kubeadm.yaml
# vim kubeadm.yaml
# line 12: change
advertiseAddress: 10.80.10.1
# line 15: change
criSocket: unix:///run/containerd/containerd.sock
# line 17: change
name: k8s-master1
# line 30: change
imageRepository: registry.aliyuncs.com/google_containers
# line 36: add (under networking:)
podSubnet: 10.244.0.0/16
# end of file: add
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd

Line numbers refer to the file as printed by kubeadm 1.27; search for the key if they do not match. Two things in that file matter beyond the edits above. The bootstrapTokens block near the top carries the fixed sample token abcdef.0123456789abcdef, which anyone who has read the kubeadm defaults can use to join a node during its 24h TTL: delete the block (kubeadm then generates a random token) or run kubeadm token delete abcdef.0123456789abcdef right after init. And mode: ipvs needs the ip_vs, ip_vs_rr, ip_vs_wrr, ip_vs_sh and nf_conntrack modules plus the ipset package on every node; check the kube-proxy logs if services do not work. cgroupDriver: systemd must match SystemdCgroup = true set in containerd above.
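
The finished kubeadm.yaml written in one go rather than patched by line number, with a sanity check to run before kubeadm init. This is an added example, not part of the original tutorial; the values are the tutorial's, while DIR, IP and NAME are parameters of this example so the same function can serve another control-plane node. The default bootstrapTokens block is deliberately omitted so kubeadm generates a random token.

```bash
#!/usr/bin/env bash
# Added example (not part of the original tutorial): write and check kubeadm.yaml.
set -u

# Write DIR/kubeadm.yaml for a control plane advertising IP under node NAME.
# No bootstrapTokens block: the sample token abcdef.0123456789abcdef from
# "print init-defaults" is a well-known credential, so let kubeadm mint one.
write_kubeadm_config() {
  local dir="$1" ip="$2" name="$3"
  mkdir -p "$dir"
  cat > "$dir/kubeadm.yaml" <<EOF
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: $ip
  bindPort: 6443
nodeRegistration:
  criSocket: unix:///run/containerd/containerd.sock
  imagePullPolicy: IfNotPresent
  name: $name
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: 1.27.0
imageRepository: registry.aliyuncs.com/google_containers
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
etcd:
  local:
    dataDir: /var/lib/etcd
networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/12
  podSubnet: 10.244.0.0/16
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd
EOF
}

# Return 0 if FILE is safe to init with: no well-known sample token, the pod
# CIDR Calico will use, containerd as the CRI, and a kubelet cgroup driver
# that matches SystemdCgroup = true in containerd's config.
kubeadm_config_sane() {
  local f="$1"
  ! grep -q 'abcdef.0123456789abcdef' "$f" || return 1
  grep -q '^  podSubnet: 10\.244\.0\.0/16$' "$f" || return 1
  grep -q 'criSocket: unix:///run/containerd/containerd.sock' "$f" || return 1
  grep -q '^cgroupDriver: systemd$' "$f" || return 1
  return 0
}

# Stand-alone use on k8s-master1:
#   write_kubeadm_config /root 10.80.10.1 k8s-master1
#   kubeadm_config_sane /root/kubeadm.yaml && kubeadm init --config /root/kubeadm.yaml
```

Running the check before init costs nothing and catches the two mistakes that are hardest to undo afterwards: a guessable bootstrap token and a cgroup-driver mismatch between kubelet and containerd.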
# kubeadm init --config kubeadm.yaml --ignore-preflight-errors=SystemVerification
  • --image-repository registry.aliyuncs.com/google_containers: the flag form of the imageRepository field; kubeadm.yaml already selects the domestic mirror, so the flag is not needed here.

--ignore-preflight-errors=SystemVerification suppresses kubeadm's checks of the host (kernel and cgroup configuration) rather than fixing anything. Run init once without it, read what actually fails, and only ignore a check you have confirmed is harmless on this CentOS 7.9 host.

# mkdir -p $HOME/.kube
# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
# sudo chown $(id -u):$(id -g) $HOME/.kube/config

# kubectl get nodes
NAME          STATUS     ROLES           AGE     VERSION
k8s-master1   NotReady   control-plane   5m15s   v1.27.0

NotReady is expected until the Calico CNI is installed below.

View the kubeconfig:

# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.80.10.1:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED

The kubernetes-admin client certificate is in the system:masters group: it is cluster-admin, bypasses RBAC, and cannot be revoked short of rotating the cluster CA. Keep this file on the control-plane node with root-only permissions. For day-to-day use create a separate identity with kubeadm kubeconfig user --client-name <name> and grant it only the RBAC it needs.

Generate a token for adding master/node nodes:

# kubeadm token create --print-join-command
kubeadm join 10.80.10.1:6443 --token ykya3m.7w9p7bif2jzli2mx --discovery-token-ca-cert-hash sha256:1e9b488208eff82870ea9803c2bd8135b4fd3f43827a2e1e434eaa8568fce348

The token is a bootstrap credential valid for 24 hours by default; anyone holding it can join a node to the cluster, so do not paste it into chat or ticket systems, and delete it with kubeadm token delete once the workers have joined. The sha256 value is a hash of the cluster CA's public key; it lets the joining node verify that it is talking to the real API server, so never replace it with --discovery-token-unsafe-skip-ca-verification. The command above produces a worker join command; adding a second control plane additionally needs --control-plane and the --certificate-key printed by kubeadm init phase upload-certs --upload-certs, which this tutorial does not cover.
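
Helpers for treating the join command's token and CA pin as the secrets they are, added here as an example (not part of the original tutorial). The validation and parsing functions operate on the join command string itself; the functions that call kubeadm and openssl are for a real control-plane node, and the ca.crt path they assume is kubeadm's default.

```bash
#!/usr/bin/env bash
# Added example (not part of the original tutorial): bootstrap-token hygiene
# for "kubeadm join".
set -u

# A join command must pin the cluster CA: a sha256 public-key hash and no
# --discovery-token-unsafe-skip-ca-verification. The token alone does not
# authenticate the API server to the node; without the pin a worker would
# trust whatever answers on 10.80.10.1:6443.
join_cmd_is_pinned() {
  case "$1" in *--discovery-token-unsafe-skip-ca-verification*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq -- '--discovery-token-ca-cert-hash sha256:[0-9a-f]{64}( |$)'
}

# Extract the bootstrap token (<6 chars>.<16 chars>) so it can be revoked later.
token_from_join_cmd() {
  printf '%s\n' "$1" | sed -nE 's/.*--token ([a-z0-9]{6}\.[a-z0-9]{16})( .*)?$/\1/p'
}

# Recompute the CA pin from the control plane's own CA certificate (the recipe
# from the kubeadm documentation) to compare with the hash in the join command.
ca_cert_hash() {
  openssl x509 -pubkey -in "${1:-/etc/kubernetes/pki/ca.crt}" \
    | openssl rsa -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# Mint a token that expires in 30 minutes instead of the 24h default ...
issue_short_lived_join() { kubeadm token create --ttl 30m --print-join-command; }

# ... and delete it as soon as the workers have joined, so a leaked copy is useless.
revoke_token() { kubeadm token delete "$1"; }

# Stand-alone use on k8s-master1:
#   cmd=$(issue_short_lived_join)
#   join_cmd_is_pinned "$cmd" && echo "$cmd"   # hand this to node2/node3
#   revoke_token "$(token_from_join_cmd "$cmd")"   # after they have joined
```

kubeadm token list shows what is still valid; after the workers are in, that list should be empty apart from tokens you issued on purpose.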

On node2 and node3:

Join the worker nodes:

# kubeadm join 10.80.10.1:6443 --token ykya3m.7w9p7bif2jzli2mx --discovery-token-ca-cert-hash sha256:1e9b488208eff82870ea9803c2bd8135b4fd3f43827a2e1e434eaa8568fce348 --ignore-preflight-errors=SystemVerification

On node1:

Check the nodes:

# kubectl get nodes
NAME          STATUS     ROLES           AGE     VERSION
k8s-master1   NotReady   control-plane   6m34s   v1.27.0
k8s-node1     NotReady   <none>          21s     v1.27.0
k8s-node2     NotReady   <none>          18s     v1.27.0

On node1:

Label the worker nodes:

# kubectl label nodes k8s-node1 node-role.kubernetes.io/work=work
# kubectl label nodes k8s-node2 node-role.kubernetes.io/work=work
# kubectl get nodes
NAME          STATUS     ROLES           AGE    VERSION
k8s-master1   NotReady   control-plane   7m8s   v1.27.0
k8s-node1     NotReady   work            55s    v1.27.0
k8s-node2     NotReady   work            52s    v1.27.0

These are kubectl commands, so they run on node1 where the admin kubeconfig was set up, not on the workers. The label is cosmetic: kubectl shows any node-role.kubernetes.io/<role> label in the ROLES column.

On node1:

Installing the Calico plugin:

What Calico does in k8s:
1. Supports network isolation and multi-tenant scenarios;
2. Gives every pod its own IP address;
3. Supports cross-host container communication: pods reach each other directly by IP;
4. Provides network security policy, with traffic control and access authorization, to isolate workloads at the network level.

Calico advantages:
1. Network performance: Calico uses the Linux kernel's own routing and filtering, and pod-to-pod traffic is routed without NAT, which gives higher throughput and lower latency.
2. High availability: Calico's components can be deployed in a highly available configuration, keeping the cluster network stable and available.
3. Security: Calico provides advanced security policy and access control to protect the containers and services in a Kubernetes cluster.
4. Flexibility: Calico's network architecture adapts to different scenarios and requirements, supporting different topologies and deployment modes.
5. Active community: Calico is an open-source project with a large community and active developer base, so support and updates arrive promptly.

Common CNI plugins in a k8s cluster compared:
1. flannel: a lightweight CNI plugin that builds an overlay network (VXLAN by default) between hosts and stores subnet leases in etcd or the Kubernetes API. It uses iptables only to masquerade traffic leaving the cluster and offers no network policy, which suits small clusters without isolation requirements.
2. calico: routes pod traffic with the Linux kernel, using BGP between nodes where the fabric allows it and IPIP or VXLAN encapsulation where it does not, so it scales to large networks. It adds network security policy, traffic policy and network monitoring.
3. weave net: a simple CNI plugin that uses virtual routing and an overlay network for container communication and isolation. It offers a quick, reliable and scalable setup and supports multi-cloud environments.
4. cilium: a CNI plugin with L3, L4 and L7 network security, integrating networking and security functions on an eBPF datapath for better performance and observability.
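
An example of the network policy support described above, added here and not part of the original tutorial. With Calico installed but no policy defined, every pod can reach every other pod and the internet (the busybox ping test later on the page relies on exactly that). The functions below render a namespace-wide default deny for ingress and egress, with a single exception for DNS to CoreDNS in kube-system, and apply and verify it. This is the standard Kubernetes NetworkPolicy API, which Calico enforces; NS is a parameter of this example.

```bash
#!/usr/bin/env bash
# Added example (not part of the original tutorial): default-deny NetworkPolicy
# for one namespace, with DNS egress to CoreDNS still allowed.
set -u

# Print the two policies for namespace NS. The first selects every pod and
# denies all ingress and egress; the second re-allows UDP/TCP 53 to the
# kube-dns pods (label k8s-app=kube-dns in kube-system) so service names still
# resolve. Policies are additive, so the union is "nothing but DNS".
render_default_deny() {
  local ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $ns
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: $ns
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
EOF
}

# Apply to the live cluster (needs the admin kubeconfig set up on k8s-master1).
apply_default_deny() { render_default_deny "$1" | kubectl apply -f -; }

# Check from inside the namespace: DNS still resolves, the internet no longer
# answers. Exit status 0 means the policy behaves as intended.
verify_default_deny() {
  local ns="$1"
  kubectl -n "$ns" run np-test --image=busybox:1.28 --restart=Never --rm -i -- \
    sh -c 'nslookup kubernetes.default.svc.cluster.local && ! ping -c 1 -W 2 www.baidu.com'
}

# Stand-alone use on k8s-master1:
#   kubectl create namespace demo
#   apply_default_deny demo && verify_default_deny demo
```

Apply this per application namespace and then add narrow allow rules for the traffic each workload actually needs; leaving kube-system alone avoids cutting off CoreDNS and Calico's own components.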

Import the Calico images with ctr (and how the bundle was packaged):

# ctr -n=k8s.io images import calico_3.25.tar.gz
# ctr -n k8s.io images export calico_3.25.tar.gz \
docker.io/calico/cni:v3.25.0 \
docker.io/calico/kube-controllers:v3.25.0 \
docker.io/calico/node:v3.25.0

calico-node runs as a DaemonSet on every node, so import this bundle on node2 and node3 as well (or let them pull through the containerd mirror).

Install the Calico plugin:

Version compatibility: https://docs.tigera.io/calico/3.25/getting-started/kubernetes/requirements

# cd /usr/local/src/
# wget https://docs.tigera.io/archive/v3.25/manifests/calico.yaml --no-check-certificate
# vim calico.yaml
# line 4568: add (in the env list of the calico-node container)
- name: IP_AUTODETECTION_METHOD
  value: interface=ens33

This manifest is applied with cluster-admin rights and runs a privileged DaemonSet on every node, so fetching it with --no-check-certificate (TLS verification off) is the wrong fix for a certificate error: update the host CA bundle (yum update ca-certificates) and download it verified, or at least read the file before applying it. ens33 is the interface name on these VMs; use the interface that carries the 10.80.10.0/24 node addresses on your hosts (ip -o -4 addr), otherwise Calico may pick the wrong address for BGP peering.
# kubectl apply -f calico.yaml
# kubectl get nodes
NAME          STATUS   ROLES           AGE     VERSION
k8s-master1   Ready    control-plane   12m     v1.27.0
k8s-node1     Ready    work            6m26s   v1.27.0
k8s-node2     Ready    work            6m23s   v1.27.0
# kubectl get pods -n kube-system
NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-6c99c8747f-dhtz2   1/1     Running   0          21s
calico-node-6sr8r                          1/1     Running   0          21s
calico-node-977t8                          1/1     Running   0          21s
calico-node-tjwqq                          1/1     Running   0          21s
coredns-7bdc4cb885-bhjqq                   1/1     Running   0          12m
coredns-7bdc4cb885-zgmpc                   1/1     Running   0          12m
etcd-k8s-master1                           1/1     Running   0          12m
kube-apiserver-k8s-master1                 1/1     Running   0          12m
kube-controller-manager-k8s-master1        1/1     Running   0          12m
kube-proxy-9dh9b                           1/1     Running   0          12m
kube-proxy-n2f8r                           1/1     Running   0          6m35s
kube-proxy-nzplk                           1/1     Running   0          6m38s
kube-scheduler-k8s-master1                 1/1     Running   0          12m

Create a pod to test CoreDNS:

# kubectl run busybox --image=busybox:1.28 --restart=Never --rm -it -- sh
/ # ping www.baidu.com -c 3
/ # nslookup kubernetes.default.svc.cluster.local
/ # exit
# kubectl get svc -n kube-system
NAME       TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE
kube-dns   ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP,9153/TCP   14m

kubectl run takes exactly one pod name, so the name appears once, before the flags. Use the pinned busybox:1.28 rather than the latest tag: nslookup in newer busybox builds does not resolve cluster names correctly and reports no server or address. The ping checks egress to the internet through Calico; the nslookup checks that the pod is using CoreDNS (10.96.0.10) for service names.