System requirements
- CentOS Linux 7 enables the firewall by default. The Kubernetes Master and worker Nodes need a great deal of network communication between them, and every port the components use to talk to each other would have to be configured in the firewall, so we simply turn the firewall off.
> sudo su
> systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
> systemctl stop firewalld
- Disable SELinux on the host so that containers can read the host file system: change SELINUX=enforcing to disabled.
> vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
- Kubernetes needs a container runtime; the supported ones include Docker, containerd, CRI-O and frakti. We recommend Docker.
> curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
> systemctl enable --now docker
> docker version
Client: Docker Engine - Community
Version: 20.10.3
API version: 1.41
Go version: go1.13.15
Git commit: 48d30b5
Built: Fri Jan 29 14:34:14 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
......
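The firewall step at the top of this section stops firewalld outright. As an added alternative (example code, not part of the original post), the script below keeps firewalld running and opens only the ports a kubeadm cluster uses: the "required ports" from the Kubernetes documentation for the 1.20 series, plus the ports Weave Net (installed later on this page) needs between nodes. The function names and the role keywords control-plane/worker are this example's own; firewall-cmd is the stock CentOS 7 tool.

```shell
#!/bin/sh
# Added example, not part of the original post: keep firewalld running and open
# only the ports a kubeadm cluster uses. Ports follow the "required ports"
# table in the Kubernetes documentation for the 1.20 series (6443 API server,
# 2379-2380 etcd, 10250 kubelet, 10251 scheduler, 10252 controller-manager,
# 30000-32767 NodePort services) plus the ports Weave Net, installed later on
# this page, needs between nodes (6783/tcp, 6783-6784/udp). Function names and
# the role keywords are this example's own.

# k8s_required_ports <control-plane|worker>: one port/protocol per line
k8s_required_ports() {
    case "$1" in
        control-plane)
            printf '%s\n' 6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp \
                          6783/tcp 6783-6784/udp ;;
        worker)
            printf '%s\n' 10250/tcp 30000-32767/tcp 6783/tcp 6783-6784/udp ;;
        *)
            echo "unknown role: $1 (use control-plane or worker)" >&2
            return 1 ;;
    esac
}

# k8s_firewall_cmds <role>: print the firewall-cmd calls without running them
k8s_firewall_cmds() {
    ports=$(k8s_required_ports "$1") || return 1
    for p in $ports; do
        echo "firewall-cmd --permanent --add-port=$p"
    done
    echo "firewall-cmd --reload"
}

# k8s_firewall_apply <role>: run them (as root on the CentOS host)
k8s_firewall_apply() {
    k8s_firewall_cmds "$1" | sh -e
}

# k8s_firewall_rule_count <role>: number of ports that will be opened
k8s_firewall_rule_count() {
    k8s_required_ports "$1" | wc -l | tr -d ' '
}

# Dry run for a Master; on the host itself use: k8s_firewall_apply control-plane
k8s_firewall_cmds control-plane
```

Run `k8s_firewall_cmds worker` on each Node and `k8s_firewall_cmds control-plane` on the Master to review the rules, then `k8s_firewall_apply <role>` as root to apply them; firewalld stays enabled and the cluster ports are reachable.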
Ways to install a Kubernetes cluster
- yum install kubernetes: the whole process requires configuring quite a few parameters and is fairly complex overall.
- Since version 1.4, Kubernetes ships the kubeadm command-line tool, which simplifies cluster setup and also addresses high availability of the Kubernetes cluster.
Installing a Kubernetes cluster with kubeadm
Installing kubeadm and related tools
- Configure the yum repository
> vi /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes Repository
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
- Install kubeadm and the related tools with yum install
> yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
> yum list installed | grep kub
kubeadm.x86_64 1.20.4-0 @kubernetes
kubectl.x86_64 1.20.4-0 @kubernetes
kubelet.x86_64 1.20.4-0 @kubernetes
- Start the kubelet and docker services and enable them at boot
> systemctl start docker
> systemctl status docker
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2021-04-02 14:34:04 CST; 3 weeks 4 days ago
Docs: https://docs.docker.com
Main PID: 20653 (dockerd)
Tasks: 63
Memory: 241.8M
CGroup: /system.slice/docker.service
└─20653 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
> systemctl start kubelet
> systemctl status kubelet
● kubelet.service - kubelet: The Kubernetes Node Agent
Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/kubelet.service.d
└─10-kubeadm.conf
Active: active (running) since Mon 2021-02-22 14:11:48 CST; 2 months 1 days ago
Docs: https://kubernetes.io/docs/
Main PID: 14530 (kubelet)
Tasks: 20
Memory: 61.9M
CGroup: /system.slice/kubelet.service
└─14530 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubele...
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
> systemctl enable kubelet && systemctl start kubelet
> systemctl enable docker && systemctl start docker
Adjusting the configuration used by kubeadm and related tools to install the Kubernetes cluster
> mkdir -p /opt/kubeadm
> cd /opt/kubeadm
> kubeadm config print init-defaults > init-config.yaml
> vi init-config.yaml
# Change the image repository address
# original: k8s.gcr.io
# new: docker.io/dustise
imageRepository: docker.io/dustise
kind: ClusterConfiguration
kubernetesVersion: v1.20.0
networking:
  dnsDomain: cluster.local
  # Change the Service address range (serviceSubnet)
  # original range: 10.96.0.0/12
  # new range: 10.96.0.0/14
  serviceSubnet: 10.96.0.0/14
Aside: in 10.96.241.0/12 the /12 is the subnet mask. The subnet mask we see most often is 255.255.255.255. Each 255 stands for the values 0-255, that is 2^8 numbers written in 8 binary digits, so 255.255.255.255 can be written as 11111111.11111111.11111111.11111111; counting the 1 bits gives 32. The 12 means the same kind of thing as that 32, a count of 1 bits, and note that both 32 and 12 are counted from left to right. 12 can be written as 11111111.11110000 (2^7+2^6+2^5+2^4).00000000.00000000, so the subnet mask is 255.240 (16×(16-1)).0.0. The meaning of the subnet mask is the IP range of the subnet: the bits where the mask is non-zero fix the network part, and the remaining bits are the range available for addresses inside the subnet. From this we can read 10.96.241.0/12: masking 10.96.241.0 with /12 gives the network address 00001010.01100000.00000000.00000000, so the smallest and largest addresses are 00001010.01100000.00000000.00000000 to 00001010.01101111.11111111.11111111, that is 10.96.0.1-10.111.255.254 (the first and the last seven may not be chosen).
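The bit arithmetic of the paragraph above, done by the shell (an added example, not from the original post). `cidr_range` takes a block such as 10.96.241.0/12 and prints the mask, network address, broadcast address and usable host range; `cidr_size` gives the number of addresses, which is what decides how many Services fit in the serviceSubnet chosen above. All function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: the subnet-mask arithmetic of the
# paragraph above, computed with POSIX shell integer arithmetic.

# Dotted quad -> 32-bit integer, e.g. 10.96.241.0 -> 174125312
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split on dots into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> mask as an integer: 12 -> 0xFFF00000, i.e. 255.240.0.0
prefix_to_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Number of addresses in a block: 10.96.0.0/14 -> 2^18 = 262144
cidr_size() {
    echo $(( 1 << (32 - ${1#*/}) ))
}

# cidr_range A.B.C.D/N -> mask, network, broadcast and usable host range.
# The host range excludes the network address and the broadcast address.
cidr_range() {
    ip=${1%/*}
    prefix=${1#*/}
    mask=$(prefix_to_mask "$prefix")
    net=$(( $(ip_to_int "$ip") & mask ))            # keep the masked bits
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))          # set the unmasked bits
    echo "mask=$(int_to_ip "$mask") network=$(int_to_ip "$net") broadcast=$(int_to_ip "$bcast") hosts=$(int_to_ip $((net + 1)))-$(int_to_ip $((bcast - 1)))"
}

# The block discussed in the text and the serviceSubnet configured above
cidr_range 10.96.241.0/12
cidr_range 10.96.0.0/14
cidr_size 10.96.0.0/14
```

For 10.96.241.0/12 the script reproduces the hand calculation above (mask 255.240.0.0, hosts 10.96.0.1 to 10.111.255.254); for the /14 used as serviceSubnet it shows the range narrows to 10.96.0.0-10.99.255.255.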
Change the Docker registry mirror to a domestic (China) address and pull the Kubernetes images
# Change the registry mirror address
> echo '{"registry-mirrors":["https://registry.docker-cn.com"]}' > /etc/docker/daemon.json
# Pull the Kubernetes images
> kubeadm config images pull --config=init-config.yaml
Run kubeadm init to install the Master
Note: kubeadm init does not initialize the CNI network plugin, so the cluster has no networking when kubeadm init finishes.
> cd /opt/kubeadm
> kubeadm init --config=init-config.yaml
# When installation completes, the following lines are printed
......
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each
as root:
kubeadm join 10.211.55.30:6443 --token ah9koe.nvuvz2v60iam0e0d \
--discovery-token-ca-cert-hash sha256:9ded80601bc7f5568a9a7ece7ee13fd73be193777641054420a080f778b330fc
# Follow the steps from the prompt
# Create a regular user
> useradd daiyongjun
# Grant the user sudo rights
> visudo
daiyongjun ALL=(ALL) NOPASSWD: ALL
> su daiyongjun
# The last lines of the Master installation log ask us to do this as the user that will operate the cluster
> mkdir -p $HOME/.kube
> sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
> sudo chown $(id -u):$(id -g) $HOME/.kube/config
Note: pay attention to the last few lines printed when kubeadm init finishes; they contain the command for joining nodes (kubeadm join) and the Token it needs.
Creating a single-node Kubernetes
kubeadm also installs kubelet on the Master, but by default the Master takes no workloads. If you want a single-node Kubernetes environment, run the following command to remove the master taint and let the Master also serve as a Node.
> kubectl taint nodes --all node-role.kubernetes.io/master-
Installing Nodes and joining them to the cluster
- Install kubeadm and related tools on the Node (all the steps above)
- Generate the configuration file for kubeadm: create join-config.yaml with the following content
> mkdir -p /opt/kubeadm
> cd /opt/kubeadm
> kubeadm config print join-defaults > join-config.yaml
> vi join-config.yaml
apiVersion: kubeadm.k8s.io/v1beta2
caCertPath: /etc/kubernetes/pki/ca.crt
discovery:
  bootstrapToken:
    # apiServerEndpoint is the address of the Master
    apiServerEndpoint: 10.211.55.30:6443
    # the token from the last line kubeadm init printed when installing the Master
    token: ah9koe.nvuvz2v60iam0e0d
    unsafeSkipCAVerification: true
  timeout: 5m0s
  # the same token from the last line kubeadm init printed
  tlsBootstrapToken: ah9koe.nvuvz2v60iam0e0d
kind: JoinConfiguration
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: dev-hadoop2
  taints: null
- Run kubeadm join to add this Node to the cluster
> kubeadm join --config=join-config.yaml
......
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
# On the Master, list the nodes in the Kubernetes cluster
> kubectl get nodes
NAME STATUS ROLES AGE VERSION
dev-hadoop1 Ready control-plane,master 65d v1.20.4
dev-hadoop2 Ready <none> 65d v1.20.4
dev-hadoop3 Ready <none> 65d v1.20.4
dev-hadoop4 Ready <none> 60d v1.20.4
dev-hadoop5 Ready <none> 51d v1.20.4
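The join-config.yaml above sets unsafeSkipCAVerification: true, so the joining Node accepts whichever API server answers at apiServerEndpoint without checking its certificate authority. kubeadm init printed the CA hash (the sha256 value behind --discovery-token-ca-cert-hash) precisely so that a Node can pin it. The script below, an added example that is not part of the original post, writes a join configuration that pins the CA with that hash, includes the documented openssl pipeline for recomputing the hash from ca.crt on the Master, and has a small check that refuses a join file which skips verification or carries no hash. Token, endpoint, hash and node name are the values from this page; the file names and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: a join configuration that pins
# the cluster CA instead of skipping verification, plus a check for it.
# Token, endpoint, sha256 hash and node name are copied from this page.

# Documented way to recompute the hash from the control plane's ca.crt
# (needs openssl; run on the Master, it is not exercised by this example).
ca_cert_hash() {
    openssl x509 -pubkey -in "$1" \
        | openssl rsa -pubin -outform der 2>/dev/null \
        | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# write_join_config FILE: hardened variant of the page's join-config.yaml
write_join_config() {
    cat > "$1" <<'EOF'
apiVersion: kubeadm.k8s.io/v1beta2
kind: JoinConfiguration
caCertPath: /etc/kubernetes/pki/ca.crt
discovery:
  bootstrapToken:
    apiServerEndpoint: 10.211.55.30:6443
    token: ah9koe.nvuvz2v60iam0e0d
    # pin the CA printed by kubeadm init instead of skipping verification
    caCertHashes:
      - sha256:9ded80601bc7f5568a9a7ece7ee13fd73be193777641054420a080f778b330fc
    unsafeSkipCAVerification: false
  timeout: 5m0s
  tlsBootstrapToken: ah9koe.nvuvz2v60iam0e0d
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: dev-hadoop2
  taints: null
EOF
}

# check_join_config FILE: return 1 if the file skips CA verification or pins
# no sha256 hash, 0 if it is safe to pass to kubeadm join --config.
check_join_config() {
    if grep -Eq '^[[:space:]]*unsafeSkipCAVerification:[[:space:]]*true' "$1"; then
        echo "$1: unsafeSkipCAVerification is true" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*-[[:space:]]*sha256:[0-9a-f]{64}[[:space:]]*$' "$1"; then
        echo "$1: no sha256 entry under caCertHashes" >&2
        return 1
    fi
    return 0
}

# Write and check the file in a scratch directory; on a Node write it to
# /opt/kubeadm/join-config.yaml and run: kubeadm join --config=join-config.yaml
tmp=$(mktemp -d)
write_join_config "$tmp/join-config.yaml"
check_join_config "$tmp/join-config.yaml" && echo "$tmp/join-config.yaml pins the cluster CA"
```

With the hash pinned, a Node that is pointed at a wrong or impersonated endpoint fails the join instead of bootstrapping against it; if the Master's CA is ever regenerated, rerun `ca_cert_hash /etc/kubernetes/pki/ca.crt` there and update caCertHashes.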
Installing the network plugin
There are two ways to install a network plugin:
1. Install a CNI network plugin
2. Install the Weave plugin
We choose the Weave plugin; the following single command completes the installation.
> kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
serviceaccount/weave-net created
clusterrole.rbac.authorization.k8s.io/weave-net created
clusterrolebinding.rbac.authorization.k8s.io/weave-net created
role.rbac.authorization.k8s.io/weave-net created
rolebinding.rbac.authorization.k8s.io/weave-net created
daemonset.extensions/weave-net created
Verifying that the Kubernetes cluster is installed
Run the following command to verify that the cluster's Pods have all been created and are running
> kubectl get pods --all-namespaces
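Reading the pod and node listings by eye works for one cluster; the script below, an added example that is not part of the original post, turns the same check into something that fails when any pod is not healthy or any node is not Ready, so it can be scripted or repeated after adding nodes. The two listings embedded in it are constructed for this example (the CrashLoopBackOff pod and the NotReady node are deliberate); on the Master, pipe the real kubectl output into check_pods and check_nodes instead. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: checks over the output of
# "kubectl get pods --all-namespaces" and "kubectl get nodes". The two samples
# below are constructed for this example; on the Master use
#   kubectl get pods --all-namespaces | check_pods
#   kubectl get nodes | check_nodes

SAMPLE_PODS='NAMESPACE     NAME                                  READY   STATUS             RESTARTS   AGE
kube-system   coredns-74ff55c5b-abcde               1/1     Running            0          65d
kube-system   coredns-74ff55c5b-fghij               1/1     Running            0          65d
kube-system   etcd-dev-hadoop1                      1/1     Running            0          65d
kube-system   kube-apiserver-dev-hadoop1            1/1     Running            0          65d
kube-system   kube-proxy-z9p4m                      1/1     Running            0          65d
kube-system   weave-net-7x2kq                       1/2     CrashLoopBackOff   12         65d'

SAMPLE_NODES='NAME          STATUS     ROLES                  AGE   VERSION
dev-hadoop1   Ready      control-plane,master   65d   v1.20.4
dev-hadoop2   Ready      <none>                 65d   v1.20.4
dev-hadoop3   NotReady   <none>                 65d   v1.20.4'

# check_pods: reads a pod listing on stdin, prints each unhealthy pod and
# returns 1 if there is any. A pod is unhealthy when its STATUS is neither
# Running nor Succeeded/Completed, or when it is Running but its READY column
# (ready/total containers) is not full.
check_pods() {
    awk 'NR > 1 {
        split($3, ready, "/")
        if ($4 == "Running") { bad_pod = (ready[1] != ready[2]) }
        else { bad_pod = ($4 != "Succeeded" && $4 != "Completed") }
        if (bad_pod) {
            printf "%s/%s ready=%s status=%s restarts=%s\n", $1, $2, $3, $4, $5
            bad++
        }
    } END { exit (bad > 0) }'
}

# check_nodes: reads a node listing on stdin, prints each node whose STATUS is
# not exactly Ready (NotReady, Ready,SchedulingDisabled, ...), returns 1 if any.
check_nodes() {
    awk 'NR > 1 && $2 != "Ready" { print $1 " status=" $2; bad++ } END { exit (bad > 0) }'
}

# Count helpers, handy for a wait loop after kubeadm join or kubectl apply
unhealthy_pod_count() { check_pods | wc -l | tr -d ' '; }
unready_node_count()  { check_nodes | wc -l | tr -d ' '; }

echo "$SAMPLE_PODS"  | check_pods  || echo "some pods are not healthy"
echo "$SAMPLE_NODES" | check_nodes || echo "some nodes are not Ready"
```

Until the network plugin is installed, the coredns pods stay Pending and check_pods keeps failing; once Weave is up and every node reports Ready, both checks return 0 and the cluster is ready for workloads.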