Building a Kubernetes Cluster on a Mac M1


Version

Kubernetes: V1.25

Node configuration

Node name   IP             Configuration   Resource
master      10.211.55.11   Debian/2C2G     k8s-master
node1       10.211.55.12   Debian/2C2G     k8s-node1
node2       10.211.55.13   Debian/2C2G     k8s-node2
node3       10.211.55.14   Debian/2C2G     gitlab

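Linux (Debian)

Install Parallels Desktop on the Mac

Configure the mirror address

Disable swap

Disable swap during installation

Allow remote login for the root user

Edit the /etc/ssh/sshd_config file

# Change the following setting to: PermitRootLogin yes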
#PermitRootLogin prohibit-password
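
An added example, not part of the original article: a check of which PermitRootLogin value sshd actually applies after the edit above, shown next to a key-only configuration for comparison. It assumes the config text is passed on stdin, keywords are whitespace-separated, and Include files are not followed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumptions: the config is
# passed on stdin, keywords are whitespace-separated, Include files are not followed.

# Print the PermitRootLogin value that applies globally. sshd keeps the first
# value it reads for a keyword, ignores commented lines, and falls back to
# prohibit-password when the keyword is absent.
effective_root_login() {
  awk '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }   # lines after Match are conditional
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "prohibit-password" }'
}

# Translate the effective value into what it means for the root account.
root_login_verdict() {
  case "$(effective_root_login)" in
    yes) echo "root: password and key login" ;;
    prohibit-password|without-password) echo "root: key login only" ;;
    forced-commands-only) echo "root: key login, forced commands only" ;;
    no) echo "root: login disabled" ;;
    *) echo "root: unrecognised value" ;;
  esac
}

# Constructed sample 1: the edit described above.
SSHD_AS_EDITED='#PermitRootLogin prohibit-password
PermitRootLogin yes'

# Constructed sample 2: a later "yes" does not override an earlier value.
SSHD_FIRST_WINS='PermitRootLogin prohibit-password
PasswordAuthentication no
PermitRootLogin yes'

printf '%s\n' "$SSHD_AS_EDITED"  | root_login_verdict
printf '%s\n' "$SSHD_FIRST_WINS" | root_login_verdict
```

On a node, feed it the live file: sudo cat /etc/ssh/sshd_config | root_login_verdict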

Disable the firewall

Configure a domestic (China) apt-get mirror

  1. Back up the original file
sudo cp /etc/apt/sources.list /etc/apt/sources.list.bak
  2. Edit the sources list file
sudo vim /etc/apt/sources.list
  3. Replace the mirror sources

# Source mirrors are commented out by default to speed up apt update; uncomment them if needed
deb https://mirrors.tuna.tsinghua.edu.cn/debian/ bullseye main contrib non-free
# deb-src https://mirrors.tuna.tsinghua.edu.cn/debian/ bullseye main contrib non-free
deb https://mirrors.tuna.tsinghua.edu.cn/debian/ bullseye-updates main contrib non-free
# deb-src https://mirrors.tuna.tsinghua.edu.cn/debian/ bullseye-updates main contrib non-free

deb https://mirrors.tuna.tsinghua.edu.cn/debian/ bullseye-backports main contrib non-free
# deb-src https://mirrors.tuna.tsinghua.edu.cn/debian/ bullseye-backports main contrib non-free

deb https://mirrors.tuna.tsinghua.edu.cn/debian-security bullseye-security main contrib non-free
# deb-src https://mirrors.tuna.tsinghua.edu.cn/debian-security bullseye-security main contrib non-free

  4. Update

sudo apt-get update

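Checks

At this stage, three things need to be checked:

  • Make sure the MAC address and product_uuid are unique on every node

    sudo cat /sys/class/dmi/id/product_uuid

  • Whether inspection of bridged traffic is allowed

    lsmod | grep br_netfilter

    If there is output, the check passes; if not, load the module with sudo modprobe br_netfilter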

cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF

sudo modprobe overlay
sudo modprobe br_netfilter

# Set the required sysctl parameters; they persist across reboots
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables  = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward                 = 1
EOF

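# Apply the sysctl parameters without rebooting
sudo sysctl --system

  • Check the required ports

    nc 127.0.0.1 6443

    If it returns (UNKNOWN) [127.0.0.1] 6443 (?) : Connection refused, no program is occupying the port, which is the expected result.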
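
An added example, not part of the original article: the uniqueness check only means something when the values from all four VMs are compared, and cloned VMs are where duplicates come from. The script below compares MAC and product_uuid values collected from every node and verifies the three sysctl keys set above. The input format and the eth0 interface name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Input format is an assumption:
# one line per node, "<node> <mac> <product_uuid>", collected on each VM with e.g.
#   echo "$(hostname) $(cat /sys/class/net/eth0/address) $(sudo cat /sys/class/dmi/id/product_uuid)"
# (eth0 is an assumed interface name).

# Print every MAC or product_uuid that appears on more than one node.
find_duplicates() {
  awk '
    { mac = tolower($2); uuid = tolower($3)
      macs[mac] = macs[mac] " " $1;     nmac[mac]++
      uuids[uuid] = uuids[uuid] " " $1; nuuid[uuid]++ }
    END {
      for (m in nmac)  if (nmac[m] > 1)  print "mac " m macs[m]
      for (u in nuuid) if (nuuid[u] > 1) print "uuid " u uuids[u]
    }' | sort
}

# Read "key = value" lines (a sysctl.d file or `sysctl -a` output) and print
# the keys from /etc/sysctl.d/k8s.conf that are not set to 1.
missing_sysctls() {
  awk -F= '
    BEGIN { want["net.bridge.bridge-nf-call-iptables"] = 1
            want["net.bridge.bridge-nf-call-ip6tables"] = 1
            want["net.ipv4.ip_forward"] = 1 }
    /^[ \t]*[#;]/ { next }
    NF >= 2 { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
              if ((k in want) && v == "1") ok[k] = 1 }
    END { for (k in want) if (!(k in ok)) print k }' | sort
}

# Constructed sample: k8s-node2 was cloned from k8s-node1 and kept its UUID.
SAMPLE_NODES='k8s-master 00:1c:42:00:00:11 4a1f0c52-0000-4000-8000-000000000011
k8s-node1 00:1c:42:00:00:12 4a1f0c52-0000-4000-8000-000000000012
k8s-node2 00:1c:42:00:00:13 4A1F0C52-0000-4000-8000-000000000012
gitlab 00:1c:42:00:00:14 4a1f0c52-0000-4000-8000-000000000014'

# Constructed sample: ip_forward was left at 0.
SAMPLE_SYSCTL='net.bridge.bridge-nf-call-iptables  = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward                 = 0'

printf '%s\n' "$SAMPLE_NODES"  | find_duplicates
printf '%s\n' "$SAMPLE_SYSCTL" | missing_sysctls
```

On a node, the live values can be checked with: sudo sysctl -a 2>/dev/null | missing_sysctls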

Install the container runtime

docker

  1. Uninstall old versions of docker
sudo apt-get remove docker docker-engine docker.io containerd runc
  2. Add the docker apt repository
sudo apt-get update
sudo apt-get install -y \
    ca-certificates \
    curl \
    gnupg \
    lsb-release
  3. Add Docker's official GPG key
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
  4. Set up the docker apt repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
  5. Install the latest Docker Engine, containerd, and Docker Compose
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
  6. Configure the Aliyun registry mirror for docker
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://veb4dzm7.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
  7. Test whether docker was installed successfully
sudo docker run hello-world

Start docker automatically at boot

sudo systemctl start docker
sudo systemctl restart docker
sudo systemctl enable docker

Configure containerd

  1. Configure SystemdCgroup
sudo mkdir -p /etc/containerd
## Overwrite the file with containerd's full default configuration.
containerd config default | sudo tee /etc/containerd/config.toml

## In /etc/containerd/config.toml, set:
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  ...
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
    SystemdCgroup = true  ## set to true
  2. Restart containerd

systemctl restart containerd

Install kubeadm, kubelet and kubectl

You need to install the following packages on every machine:

  • kubeadm: the command used to initialize the cluster.
  • kubelet: runs on every node in the cluster and starts Pods, containers and so on.
  • kubectl: the command-line tool used to communicate with the cluster.

  1. Update the apt package index and install the packages needed to use the Kubernetes apt repository
sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl
  2. Download the Google Cloud public signing key:
sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
  3. Add the Kubernetes apt repository:
echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
  4. Update the apt package index, install kubelet, kubeadm and kubectl, and pin their versions:
sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl

Create the cluster with kubeadm

Configure the master node (run on the master node)

sudo kubeadm init \
--pod-network-cidr=10.244.0.0/16 \
--apiserver-advertise-address=10.211.55.11 \
--ignore-preflight-errors=Swap \
--image-repository='registry.cn-hangzhou.aliyuncs.com/google_containers' \
--v=5

Output

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:
(run on the worker nodes)
kubeadm join 10.211.55.16:6443 --token ncp9wx.zimxhv2l219813za \
  --discovery-token-ca-cert-hash sha256:cdb84ea0ed0a9d076c9fcc1876387fe732fa32c3643031ec65ad22cf13e528d3

Add parameters

(The connection to the server 10.211.55.11:6443 was refused - did you specify the right host or port?)

vim /etc/kubernetes/manifests/kube-controller-manager.yaml

--allocate-node-cidrs=true
--cluster-cidr=10.244.0.0/16

Configure the network add-on (run on the master node)

wget https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml

kubectl apply -f kube-flannel.yml

Reinstall

sudo kubeadm reset
rm -rf $HOME/.kube/
sudo rm -rf /etc/kubernetes/
sudo rm -rf /var/lib/kubelet/
sudo rm -rf /var/lib/etcd

kubernetes-dashboard

Username and password login

  1. Create the token file

    vim /etc/kubernetes/pki/basic_auth_file

admin,admin,1
  2. Modify the kube-apiserver configuration file

vim /etc/kubernetes/manifests/kube-apiserver.yaml

- --basic-auth-file=/etc/kubernetes/pki/basic_auth_file
  3. Enable NodePort in kubernetes-dashboard.yaml
# Add type=NodePort to the service
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort  # changed to NodePort so the service can be reached from outside
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30000  # externally exposed port; may be set within 30000-32767
  selector:
    k8s-app: kubernetes-dashboard
  4. Add basic login authentication in kubernetes-dashboard.yaml
- --authentication-mode=basic,token
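
An added example, not part of the original article: kube-apiserver removed the --basic-auth-file flag in v1.19, so a v1.25 API server rejects it at startup, and the dashboard's basic mode depends on that API server feature. The script below lints manifest text for the three settings from the steps above and emits a ServiceAccount for token login instead; the name dashboard-viewer and the built-in view ClusterRole are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). The account name
# dashboard-viewer and the built-in "view" ClusterRole are assumptions.

# Read manifest text on stdin and report the settings discussed above.
lint_auth_flags() {
  awk '
    /--basic-auth-file/ {
      print "line " NR ": --basic-auth-file was removed from kube-apiserver in v1.19" }
    /--authentication-mode=/ && /basic/ {
      print "line " NR ": dashboard basic mode depends on API server basic auth" }
    /^[ \t]*type:[ \t]*NodePort/ {
      print "line " NR ": Service is reachable on every node IP" }'
}

# Emit a read-only ServiceAccount for token login to the dashboard.
token_login_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-viewer
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: dashboard-viewer
  namespace: kubernetes-dashboard
EOF
}

# Constructed sample built from the fragments shown in the steps above.
SAMPLE_FRAGMENTS='    - --basic-auth-file=/etc/kubernetes/pki/basic_auth_file
    - --authentication-mode=basic,token
  type: NodePort  # NodePort 30000'

printf '%s\n' "$SAMPLE_FRAGMENTS" | lint_auth_flags
# On the master node: token_login_manifest | kubectl apply -f -
# then: kubectl -n kubernetes-dashboard create token dashboard-viewer
```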

The browser cannot open the page

The kubernetes-dashboard page does not open

Type thisisunsafe on the web page