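Tags (space-separated): kubernetes series
1: Changes since k8s 1.24.x
Starting with Kubernetes 1.24, dockershim has been removed from the kubelet. For historical reasons Docker does not support CRI (Container Runtime Interface), the standard that Kubernetes promotes, so Docker can no longer serve as the Kubernetes container runtime; that is, from Kubernetes v1.24 onward Docker is no longer used.
If you still want to use Docker, you can add an intermediate layer, cri-docker, between the kubelet and Docker. cri-docker is a shim that supports the CRI standard: on one side it talks to the kubelet over CRI, on the other it talks to the Docker API, which indirectly lets Kubernetes use Docker as its container runtime.
The drawback of this architecture is also obvious: the call chain is longer and efficiency is lower.
2: Deploying k8s 1.25.x
2.1 System environment preparation
System:
CentOS 7.9 x64
Hostnames: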
cat /etc/hosts
-----
172.16.10.11 flyfishsrvs01
172.16.10.12 flyfishsrvs02
172.16.10.13 flyfishsrvs03
172.16.10.14 flyfishsrvs04
172.16.10.15 flyfishsrvs05
172.16.10.16 flyfishsrvs06
172.16.10.17 flyfishsrvs07
------
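This deployment uses the first 3 hosts: flyfishsrvs01 is the master and the other 2 are worker nodes.
On every system, disable firewalld and SELinux, and flush the iptables firewall rules.
2.2 System initialization
1. Disable the swap partition on all nodes
swapoff -a ; sed -i '/swap/d' /etc/fstab
2. Upgrade the system kernel
Import the elrepo GPG key
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
Install the elrepo YUM repository
yum -y install https://www.elrepo.org/elrepo-release-7.0-4.el7.elrepo.noarch.rpm
Install the kernel-ml package; ml is the long-term stable version, lt is the long-term maintenance version
yum --enablerepo="elrepo-kernel" -y install kernel-ml.x86_64
Set the grub2 default boot entry to 0
grub2-set-default 0
Regenerate the grub2 boot configuration
grub2-mkconfig -o /boot/grub2/grub.cfg
After the update, reboot so that the upgraded kernel takes effect.
reboot
After rebooting, verify that the running kernel is the updated version
uname -r
3. Add the bridge-filtering and kernel-forwarding configuration file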
cat <<EOF >/etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness=0
EOF
# Load the br_netfilter module
modprobe br_netfilter
# Apply the settings
sysctl -p /etc/sysctl.d/k8s.conf
# Check that the module is loaded
lsmod | grep br_netfilter
br_netfilter 22256 0
4. Install ipset and ipvsadm
yum -y install ipset ipvsadm
# Configure how the ipvs modules are loaded: add the modules that need to be loaded
cat > /etc/sysconfig/modules/ipvs.module <<EOF
modprobe -- ip_vs
modprobe -- ip_vs_sh
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- nf_conntrack
EOF
Set the permissions, run the script, and check that the modules are loaded
chmod 755 /etc/sysconfig/modules/ipvs.module && /etc/sysconfig/modules/ipvs.module
lsmod | grep -e ip_vs -e nf_conntrack
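2.3 Docker installation preparation
Prepare the Docker installation environment
## Install the required tools
yum install -y yum-utils device-mapper-persistent-data lvm2
## Configure the Docker package repository
wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
## List all available versions
yum list docker-ce --showduplicates | sort -r
# To install an older version: yum install docker-ce-cli-19.03.15-3.el7 docker-ce-19.03.15-3.el7
Install the latest version in the repository
yum install docker-ce
## Registry mirror (image accelerator)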
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
"registry-mirrors": ["https://uwtwp6l0.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
Start the Docker service
systemctl enable --now docker
systemctl start docker
2.4 Deploy cri-dockerd
Download the latest cri-docker release from the link below
https://github.com/Mirantis/cri-dockerd/tags
Download: cri-dockerd-0.2.1.amd64.tgz
Install cri-dockerd on all nodes
# Copy the binary
tar -xf cri-dockerd-0.2.1.amd64.tgz
cp cri-dockerd/cri-dockerd /usr/bin/
chmod +x /usr/bin/cri-dockerd
# Configure the service unit file
cat <<"EOF" > /usr/lib/systemd/system/cri-docker.service
[Unit]
Description=CRI Interface for Docker Application Container Engine
Documentation=https://docs.mirantis.com
After=network-online.target firewalld.service docker.service
Wants=network-online.target
Requires=cri-docker.socket
[Service]
Type=notify
ExecStart=/usr/bin/cri-dockerd --network-plugin=cni --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.7
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
EOF
# Create the socket unit file
cat <<"EOF" > /usr/lib/systemd/system/cri-docker.socket
[Unit]
Description=CRI Docker Socket for the API
PartOf=cri-docker.service
[Socket]
ListenStream=%t/cri-dockerd.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker
[Install]
WantedBy=sockets.target
EOF
# Start cri-docker and enable it at boot
systemctl daemon-reload ; systemctl enable cri-docker --now
systemctl is-active cri-docker
----
active
----
2.5 Install Kubernetes
Aliyun YUM repository [hosts in mainland China]
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
       http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
yum clean all && yum makecache
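The repository definition above sets gpgcheck=0 and repo_gpgcheck=0 and fetches over plain HTTP, so yum verifies neither the packages nor the metadata that kubeadm, kubelet and kubectl are installed from. The check below is an added example, not part of the original post; the function names audit_repo and write_sample_repo are hypothetical, and the sample file is constructed from the repo block above.

```shell
#!/usr/bin/env bash
# Added example: flag yum .repo settings that skip signature or transport checks.
# audit_repo prints one finding per line and returns 1 if anything was flagged.
audit_repo() {
  awk '
    function flag(msg) { printf "[%s] %s\n", sect, msg; bad = 1 }
    /^[ \t]*([#;]|$)/ { next }                 # comments and blank lines
    /^\[/ { sect = substr($0, 2, index($0, "]") - 2); key = ""; next }
    /^[ \t]/ { val = $0 }                      # continuation of the previous key
    /^[^ \t]/ {                                # key=value line
      eq = index($0, "="); if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/[ \t]/, "", key)
    }
    {
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if ((key == "gpgcheck" || key == "repo_gpgcheck") && val == "0")
        flag(key "=0 disables signature verification")
      if ((key == "baseurl" || key == "gpgkey") && val ~ /^http:/)
        flag(key " uses plain HTTP: " val)
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample: the kubernetes.repo written in this section.
write_sample_repo() {
  cat > "$1" <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
       http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
}

sample=$(mktemp)
write_sample_repo "$sample"
audit_repo "$sample" || echo "weak settings found in $sample"
rm -f "$sample"
```

To audit a node, run audit_repo against each file in /etc/yum.repos.d/.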
Can be installed on all nodes
# List all available versions
$ yum list kubeadm kubelet kubectl --showduplicates | sort -r
# By default the latest version, 1.25.x, is installed; you can also install a specific version, e.g. yum install kubelet-1.16.2 kubeadm-1.16.2 kubectl-1.16.2
$ yum install kubeadm kubelet kubectl
# Check the version after installation
$ kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.2", GitCommit:"5835544ca568b757a8ecae5c153f317e5736700e", GitTreeState:"clean", BuildDate:"2022-09-21T14:32:18Z", GoVersion:"go1.19.1", Compiler:"gc", Platform:"linux/amd64"}
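Just enable kubelet at boot; because no configuration file has been generated yet, it starts automatically after the cluster is initialized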
$ systemctl enable kubelet
$ systemctl is-active kubelet
----
active
-----
To keep the cgroup driver used by Docker consistent with the one used by the kubelet, it is recommended to modify the following file.
cat <<EOF > /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS="--cgroup-driver=systemd"
EOF
2.6 Initialize the cluster
kubeadm init --image-repository registry.aliyuncs.com/google_containers --kubernetes-version=v1.25.2 --pod-network-cidr=10.244.0.0/16 --cri-socket /var/run/cri-dockerd.sock
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 172.16.10.11:6443 --token yli0zl.nl5e8b0j4o2spmns \
--discovery-token-ca-cert-hash sha256:a1d2d36ada33fb7a785b9849f833dfeabb683c8005363b6cd14953fc17ed9d6d
2.7 Join the other worker nodes to the cluster
Run on each of the other worker nodes:
kubeadm join 172.16.10.11:6443 --token yli0zl.nl5e8b0j4o2spmns --discovery-token-ca-cert-hash sha256:a1d2d36ada33fb7a785b9849f833dfeabb683c8005363b6cd14953fc17ed9d6d --cri-socket /var/run/cri-dockerd.sock
kubectl get node
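The --discovery-token-ca-cert-hash value in the join command pins the cluster CA's public key, which is how a joining node authenticates the API server at 172.16.10.11:6443. The script below is an added example, not from the original post, that recomputes the pin from a CA certificate and compares it with the value in a join command; the function names are hypothetical, and /etc/kubernetes/pki/ca.crt is the kubeadm default path, assumed here.

```shell
#!/usr/bin/env bash
# Added example: recompute kubeadm's CA pin, i.e. "sha256:" plus the SHA-256
# of the DER-encoded public key (SubjectPublicKeyInfo) of the cluster CA.
ca_cert_hash() {
  # Fail instead of hashing empty input when the certificate is unreadable.
  cch_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 2
  printf '%s\n' "$cch_pub" \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -hex \
    | awk '{ print "sha256:" $NF }'
}

# Compare the pin copied from a join command with the CA certificate.
# Returns 0 on match, 1 on mismatch, 2 if the certificate cannot be read.
verify_join_pin() {
  vjp_actual=$(ca_cert_hash "$1") || return 2
  if [ "$vjp_actual" = "$2" ]; then
    echo "match: $vjp_actual"
  else
    echo "MISMATCH: join command pins $2, CA is $vjp_actual" >&2
    return 1
  fi
}

# On the control-plane node (kubeadm default CA path, an assumption here):
#   ./script.sh /etc/kubernetes/pki/ca.crt sha256:<hash from the join command>
if [ "$#" -eq 2 ]; then verify_join_pin "$1" "$2"; fi
```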
2.8 Configure the Calico network plugin
Download the Calico manifest:
wget https://docs.projectcalico.org/manifests/calico.yaml --no-check-certificate
Change the pod network CIDR
vim calico.yaml
-----
# no effect. This should fall within `--cluster-cidr`.
- name: CALICO_IPV4POOL_CIDR
  value: "10.244.0.0/16"
# Disable file logging so `kubectl logs` works.
------
Pull the images:
cat calico.yaml |grep image
docker pull docker.io/calico/cni:v3.24.1
docker pull docker.io/calico/node:v3.24.1
docker pull docker.io/calico/kube-controllers:v3.24.1
kubectl apply -f calico.yaml
kubectl get pod -n kube-system
kubectl get node
2.9 Remove the taint from the master node
# View the taint
kubectl describe node flyfishsrvs01 | grep -i taint
Taints: node-role.kubernetes.io/master:NoSchedule
# Remove the taint
kubectl taint node flyfishsrvs01 node-role.kubernetes.io/master:NoSchedule-
2.10 Deploy the dashboard
wget https://raw.githubusercontent.com/cby-chen/Kubernetes/main/yaml/dashboard.yaml
The latest version at present is v2.6.0
vim dashboard.yaml
----
spec:
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  type: NodePort
  selector:
    k8s-app: kubernetes-dashboard
----
kubectl apply -f dashboard.yaml
kubectl get pods -n kubernetes-dashboard
kubectl get pods,svc -n kubernetes-dashboard
Create a user:
wget https://raw.githubusercontent.com/cby-chen/Kubernetes/main/yaml/dashboard-user.yaml
kubectl apply -f dashboard-user.yaml
Create a token
kubectl -n kubernetes-dashboard create token admin-user
2.11 Log in through a browser
https://172.16.10.11:30001
Enter the token: