k8s deployment


Deployment steps

Disable the swap partition. Use the following command, or comment out the swap entry in /etc/fstab by hand.

swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

Open ports

On the master server

firewall-cmd --add-port={6443,2379-2380,10250,10251,10252,5473,179,5473}/tcp --permanent
firewall-cmd --add-port={4789,8285,8472}/udp --permanent
firewall-cmd --reload

On the worker servers

firewall-cmd --add-port={10250,30000-32767,5473,179,5473}/tcp --permanent
firewall-cmd --add-port={4789,8285,8472}/udp --permanent
firewall-cmd --reload

Install kubeadm, kubectl, kubelet and related tools

On Ubuntu or Debian

If you follow the official steps directly, the GPG key may fail to download because the proxy's DNS resolution is flaky or the connection is unstable, and apt update then fails to sync.

sudo mkdir -p /etc/apt/keyrings   # -p so the command is harmless if the directory already exists
sudo curl -fsSLo /etc/apt/keyrings/apt-key.gpg https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg
echo "deb [signed-by=/etc/apt/keyrings/apt-key.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt update
sudo apt install -y kubelet=1.26.3-00 kubeadm=1.26.3-00 kubectl=1.26.3-00

On openEuler or CentOS

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
sudo yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
sudo systemctl enable --now kubelet

Configure kernel modules

Kernel module loading configuration

# Enable kernel modules
sudo modprobe overlay && sudo modprobe br_netfilter
 
# Add some settings to sysctl
sudo tee /etc/sysctl.d/kubernetes.conf<<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
 
# Reload sysctl
sudo sysctl --system

Note: on CentOS, because of the order in which configuration files are loaded, the parameters in /etc/sysctl.d/kubernetes.conf can be overridden by the parameters in /etc/sysctl.conf, which is loaded last. In that case either change the relevant parameters in /etc/sysctl.conf, or load the file explicitly with sudo sysctl -p /etc/sysctl.d/kubernetes.conf.
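To make the override problem above visible before kubelet complains, here is an added check script (not part of the original post) that replays the load order sysctl --system uses, with /etc/sysctl.d/*.conf first and /etc/sysctl.conf last, and reports which file ended up setting each required key. The two sample files are constructed for the example; the "hardened" /etc/sysctl.conf is an assumption standing in for whatever a base image left behind.

```python
import re

# Constructed sample files in the order sysctl --system applies them:
# /etc/sysctl.d/kubernetes.conf first, /etc/sysctl.conf last (later files win).
SAMPLE_FILES = [
    ("/etc/sysctl.d/kubernetes.conf",
     "net.bridge.bridge-nf-call-ip6tables = 1\n"
     "net.bridge.bridge-nf-call-iptables = 1\n"
     "net.ipv4.ip_forward = 1\n"),
    ("/etc/sysctl.conf",
     "# hardening left over from a base image (constructed for this example)\n"
     "net.ipv4.ip_forward = 0\n"),
]

# The three settings the kubernetes.conf fragment above needs in effect.
REQUIRED = {
    "net.bridge.bridge-nf-call-ip6tables": "1",
    "net.bridge.bridge-nf-call-iptables": "1",
    "net.ipv4.ip_forward": "1",
}


def parse_sysctl(text):
    """Parse sysctl.conf syntax: 'key = value' lines; '#' and ';' start comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def effective_settings(files):
    """Apply (path, text) pairs in load order; the last writer of a key wins.
    Returns {key: (value, path_that_set_it)}."""
    effective = {}
    for path, text in files:
        for key, value in parse_sysctl(text).items():
            effective[key] = (value, path)
    return effective


def find_overrides(files, required):
    """Return (key, effective_value, responsible_path) for every required key
    that is missing or has the wrong effective value."""
    effective = effective_settings(files)
    problems = []
    for key, wanted in required.items():
        if key not in effective:
            problems.append((key, None, None))
        elif effective[key][0] != wanted:
            problems.append((key, effective[key][0], effective[key][1]))
    return problems


if __name__ == "__main__":
    for key, value, path in find_overrides(SAMPLE_FILES, REQUIRED):
        print(f"{key}: effective value {value!r} set by {path}")
```

On a real host you would feed it the actual file contents in the order printed by sysctl --system; the output names the file to fix rather than just the key.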

On Ubuntu or Debian

ipvs (optional: configuration to enable ipvs mode for kube-proxy)

The modules can be loaded directly with modprobe, or listed in a configuration file.

# -a is required to load several modules in one call; without it the extra names are passed to ip_vs as module parameters
sudo modprobe -a ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack_ipv4

If you use the configuration file, on Ubuntu it is /etc/modules

# /etc/modules takes one module name per line; each is loaded at boot
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
# on kernels 4.19 and later this module no longer exists; use nf_conntrack instead
nf_conntrack_ipv4

On openEuler or CentOS

ipvs (optional: configuration to enable ipvs mode for kube-proxy)

The modules can be loaded directly with modprobe, or listed in a configuration file.

sudo modprobe -a ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack_ipv4

On openEuler the configuration file is /etc/sysconfig/modules/ipvs.modules

cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack_ipv4

Install the container runtime

Install Docker

On Ubuntu or Debian

Install dependencies

sudo apt update
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common

Set up the Aliyun mirror

curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"

Install

# update the package index and install docker-ce
sudo apt-get -y update
sudo apt install -y docker-ce
# install docker-compose
sudo apt install -y docker-compose
# start Docker at boot
sudo systemctl enable docker

On openEuler or CentOS

Install dependencies

sudo yum install -y device-mapper-persistent-data

Set up the Aliyun mirror

sudo yum-config-manager \
    --add-repo \
    http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

Remember to edit the $releasever field in /etc/yum.repos.d/docker-ce.repo by hand and change it to 8

Install

sudo yum install docker-ce docker-ce-cli containerd.io docker-compose-plugin

Adjust the cgroups driver

After installation the default cgroups driver is cgroupfs, and it needs to be changed to systemd. Edit the Docker configuration file with sudo vi /etc/docker/daemon.json; the registry mirror address can be configured in the same file.

sudo mkdir -p /etc/docker  # create the directory if it does not exist, then add the daemon.json file
sudo vi /etc/docker/daemon.json

{
  "exec-opts": ["native.cgroupdriver=systemd"]
}

Restart Docker:

sudo systemctl daemon-reload && sudo systemctl restart docker

Check the current cgroups driver:

sudo docker info | grep -i cgroup

If the cgroups driver is not changed here, starting kubelet later will fail.
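Because daemon.json is also where the registry mirror lives, overwriting it with the three-line snippet above can silently drop an existing registry-mirrors entry. The added helper below (not from the original post) merges the systemd exec-opt into whatever is already in the file, is safe to run twice, and parses the docker info output used in the check step. The sample daemon.json and docker info text are constructed for the example; the version numbers in them are placeholders.

```python
import json

SYSTEMD_OPT = "native.cgroupdriver=systemd"

# Constructed excerpt of `docker info` output after the change took effect.
SAMPLE_DOCKER_INFO = """\
Client:
 Version:    0.0.0-placeholder
Server:
 Cgroup Driver: systemd
 Cgroup Version: 2
"""


def ensure_systemd_cgroup_driver(daemon_json_text):
    """Return daemon.json text with exec-opts forcing the systemd cgroup driver.
    Other keys (registry-mirrors, log settings, ...) and other exec-opts are kept;
    an empty or missing file is treated as {}.  Idempotent."""
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    exec_opts = [opt for opt in config.get("exec-opts", [])
                 if not opt.startswith("native.cgroupdriver=")]
    exec_opts.append(SYSTEMD_OPT)
    config["exec-opts"] = exec_opts
    return json.dumps(config, indent=2) + "\n"


def cgroup_driver_from_daemon_json(daemon_json_text):
    """Report the driver daemon.json selects; Docker defaults to cgroupfs when unset."""
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    for opt in config.get("exec-opts", []):
        if opt.startswith("native.cgroupdriver="):
            return opt.split("=", 1)[1]
    return "cgroupfs"


def cgroup_driver_from_docker_info(info_text):
    """Parse the 'Cgroup Driver:' line from `docker info` output (None if absent)."""
    for line in info_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip().lower() == "cgroup driver":
            return value.strip()
    return None


if __name__ == "__main__":
    # Constructed existing file that already carries a mirror and the wrong driver.
    existing = '{"registry-mirrors": ["https://mirror.invalid"], "exec-opts": ["native.cgroupdriver=cgroupfs"]}'
    print(ensure_systemd_cgroup_driver(existing))
    print("docker info reports:", cgroup_driver_from_docker_info(SAMPLE_DOCKER_INFO))
```

Run it with the contents of the real /etc/docker/daemon.json on stdin or from a file, write the result back, then restart Docker as in the step above and confirm with docker info | grep -i cgroup.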

Initialize the master node

The init parameters can be passed directly on the command line

sudo kubeadm init --pod-network-cidr 172.16.0.0/16 \
--apiserver-advertise-address=192.168.56.130 \
--image-repository registry.cn-hangzhou.aliyuncs.com/google_containers

They can also be set through a configuration file

Next, on the master node, prepare the kubeadm initialization file. The default initialization configuration can be exported with:

kubeadm config print init-defaults > kubeadm.yaml

Edit the configuration file (adjust the following parameters to your own machine)

#1. Replace with the master node IP
advertiseAddress: 192.168.197.139
#2. Use containerd as the runtime
criSocket: unix:///var/run/containerd/containerd.sock
#3. Aliyun mirror used by K8s itself, not by container images. If your proxy is fast enough this does not need to change
imageRepository: registry.aliyuncs.com/google_containers
#4. Switch cgroupDriver to systemd
cgroupDriver: systemd
#5. State the version
kubernetesVersion: 1.26.3
#6. Configure the CIDR ranges
networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/12
  podSubnet: 10.244.0.0/16 # Pod subnet; the flannel plugin must use this same range

nodeRegistration:
  criSocket: unix:///var/run/containerd/containerd.sock
  imagePullPolicy: IfNotPresent
  # replace with the master node's hostname
  name: ubuntu-master
  taints: null

Then run the initialization command

sudo kubeadm init --config kubeadm.yaml

If a strange error such as t "unix:///var/run/containerd/containerd.sock": rpc error: code = Unimplemented desc = unknown service runtime.v1.RuntimeService" appears, try restarting the containerd service

sudo rm /etc/containerd/config.toml
sudo systemctl restart containerd

Initialization finally succeeds

The following configuration is also needed, otherwise kubectl commands fail with a connection refused error

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Add nodes

Following the hint printed by kubeadm init, run the following command on each node

kubeadm join 192.168.15.234:6443 --token abcdef.0123456789abcdef \
        --discovery-token-ca-cert-hash sha256:55568f7f72f6b875543ea24ebf0975e6aab91e898577ad5ad5a2cb476d63025e

Configure the CNI network plugin

flannel

Download the manifest from github.com/flannel-io/…

Then

kubectl apply -f kube-flannel.yml
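The comment on podSubnet in the kubeadm.yaml section above says flannel must use the same range, and the command-line init example earlier uses 172.16.0.0/16 instead of 10.244.0.0/16, which is exactly the kind of mismatch that leaves pods stuck without a sandbox. This added checker (not part of the post or of either project) compares the podSubnet and serviceSubnet from kubeadm.yaml with the Network in kube-flannel.yml's net-conf.json, and also flags overlapping ranges and an advertiseAddress that falls inside a cluster subnet. Both manifests below are constructed minimal excerpts; the flannel fragment mirrors how the real kube-flannel.yml embeds net-conf.json, with 10.244.0.0/16 as its default Network.

```python
import ipaddress
import json
import re

# Constructed minimal kubeadm.yaml using the values shown in the section above.
KUBEADM_YAML = """\
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 192.168.197.139
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/12
  podSubnet: 10.244.0.0/16
"""

# Constructed excerpt of kube-flannel.yml's ConfigMap (net-conf.json is a JSON string).
FLANNEL_YAML = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-flannel-cfg
data:
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {"Type": "vxlan"}
    }
"""


def yaml_scalar(text, key):
    """Pull a 'key: value' scalar out of YAML text; enough for these flat fields
    without depending on a YAML library."""
    m = re.search(rf"^\s*{re.escape(key)}:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def flannel_network(text):
    """Extract the Network CIDR from the net-conf.json block of kube-flannel.yml."""
    m = re.search(r"net-conf\.json:\s*\|\n((?:[ \t]+.*\n?)+)", text)
    if not m:
        return None
    block = "\n".join(line.strip() for line in m.group(1).splitlines())
    return json.loads(block).get("Network")


def check_network_config(kubeadm_text, flannel_text):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    pod = ipaddress.ip_network(yaml_scalar(kubeadm_text, "podSubnet"))
    svc = ipaddress.ip_network(yaml_scalar(kubeadm_text, "serviceSubnet"))
    api = ipaddress.ip_address(yaml_scalar(kubeadm_text, "advertiseAddress"))
    flannel = flannel_network(flannel_text)
    if flannel is None or ipaddress.ip_network(flannel) != pod:
        problems.append(f"podSubnet {pod} != flannel Network {flannel}; edit net-conf.json")
    if pod.overlaps(svc):
        problems.append(f"podSubnet {pod} overlaps serviceSubnet {svc}")
    if api in pod or api in svc:
        problems.append(f"advertiseAddress {api} lies inside a cluster subnet")
    return problems


if __name__ == "__main__":
    print("as written:", check_network_config(KUBEADM_YAML, FLANNEL_YAML) or "OK")
    cli_style = KUBEADM_YAML.replace("10.244.0.0/16", "172.16.0.0/16")
    print("with 172.16.0.0/16:", check_network_config(cli_style, FLANNEL_YAML))
```

Run it against the real kubeadm.yaml and the downloaded kube-flannel.yml before kubeadm init; a non-empty result means either the podSubnet or flannel's net-conf.json has to change before the two will agree.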

Configure an nginx sample for testing

vim nginx-deployment.yaml

apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx-service
  name: nginx-service
spec:
  ports:   # externally exposed port
  - nodePort: 30013
    port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: nginx-pod
  type: NodePort   # the NodePort type exposes the port outside the cluster

---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx-deploy
  name: nginx-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-pod
  template:
    metadata:
      labels:
        app: nginx-pod
    spec:
      containers:
      - image: nginx:latest   # image name
        name: nginx
        ports:
        - containerPort: 80
        resources: {}
Create the deployment with kubectl apply -f nginx-deployment.yaml. The sample configuration failed; looking at the events:
Events:
  Type     Reason                  Age                   From               Message
  ----     ------                  ----                  ----               -------
  Normal   Scheduled               56m                   default-scheduler  Successfully assigned default/nginx-deploy-54844bd945-t9vn4 to huangji-ubuntu2004-k8s-subnode2
  Warning  FailedCreatePodSandBox  56m                   kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "4112f80b3f2de8b5417ccc76f179b52e52b78004a159d23aae10daa04b3079d8": plugin type="calico" failed (add): stat /var/lib/calico/nodename: no such file or directory: check that the calico/node container is running and has mounted /var/lib/calico/
  Normal   SandboxChanged          100s (x256 over 56m)  kubelet            Pod sandbox changed, it will be killed and re-created.

Looking into it at this point: to try to fix it, every node has to run kubeadm reset, and then all of the following files have to be deleted

sudo rm -rf /var/lib/calico/ && sudo rm -rf /etc/cni/net.d/10-calico.conflist && sudo rm -rf /etc/cni/net.d/calico-kubeconfig

After redeploying with flannel instead, the problem was completely solved.
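The FailedCreatePodSandBox event above names the CNI plugin that failed, which is the fastest way to tell a runtime problem from a network plugin problem. This added script (not from the original post) parses the Events table printed by kubectl describe pod and maps Warning events to the plugin named in the message. The events text is a constructed excerpt built from the output shown above, with the node name shortened.

```python
import re

# Constructed excerpt of `kubectl describe pod` output, based on the events above.
SAMPLE_EVENTS = """\
Events:
  Type     Reason                  Age                   From               Message
  ----     ------                  ----                  ----               -------
  Normal   Scheduled               56m                   default-scheduler  Successfully assigned default/nginx-deploy-54844bd945-t9vn4 to subnode2
  Warning  FailedCreatePodSandBox  56m                   kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "4112f80b3f2de8b5417ccc76f179b52e52b78004a159d23aae10daa04b3079d8": plugin type="calico" failed (add): stat /var/lib/calico/nodename: no such file or directory
  Normal   SandboxChanged          100s (x256 over 56m)  kubelet            Pod sandbox changed, it will be killed and re-created.
"""

# Type, Reason, Age (optionally "(xN over T)"), From, free-text Message.
EVENT_RE = re.compile(
    r"^\s*(Normal|Warning)\s+(\S+)\s+(\S+(?: \(x\d+ over \S+\))?)\s+(\S+)\s+(.*)$"
)
FIELDS = ("type", "reason", "age", "source", "message")


def parse_events(text):
    """Return one dict per event row; header and separator rows are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(dict(zip(FIELDS, m.groups())))
    return events


def diagnose(events):
    """For each Warning, return (reason, cni_plugin_or_None).
    A FailedCreatePodSandBox whose message carries plugin type="..." points at
    the network plugin rather than at containerd or the image."""
    findings = []
    for event in events:
        if event["type"] != "Warning":
            continue
        plugin = re.search(r'plugin type="([^"]+)"', event["message"])
        findings.append((event["reason"], plugin.group(1) if plugin else None))
    return findings


if __name__ == "__main__":
    for reason, plugin in diagnose(parse_events(SAMPLE_EVENTS)):
        print(f"{reason}: CNI plugin = {plugin or 'n/a'}")
```

Pipe kubectl describe pod <name> into it; a result naming calico (or flannel) tells you to look at that DaemonSet's pods and the files under /etc/cni/net.d before resetting anything.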

Common problems

System component image pull fails

Usually caused by failure to reach k8s.io; manually specify the Aliyun registry

sudo kubeadm config images pull --image-repository registry.aliyuncs.com/google_containers

You can also edit kubeadm-config to set the default image registry, changing the image path fields in it

kubectl edit cm -n kube-system kubeadm-config

The same can be recorded in the kubeadm.yaml configuration file

If the config still does not take effect, edit the deployment and change the image path fields in it

kubectl edit deploy coredns -n kube-system

describe pod reports Readiness probe failed: HTTP probe failed with statuscode: 503

Stop the firewall on all nodes (alternatively, open the ports listed under Open ports above instead of disabling firewalld entirely)

sudo systemctl stop firewalld

kubeadm init fails because of registry.k8s.io/pause:3.6

Edit /etc/containerd/config.toml

If /etc/containerd/config.toml does not exist, create the directory by hand and export the default configuration

mkdir /etc/containerd
containerd config default > /etc/containerd/config.toml

Change the pause image to the Aliyun mirror

[plugins."io.containerd.grpc.v1.cri"]
  device_ownership_from_security_context = false
  disable_apparmor = false
  disable_cgroup = false
  disable_hugetlb_controller = true
  disable_proc_mount = false
  disable_tcp_service = true
  enable_selinux = false
  enable_tls_streaming = false
  enable_unprivileged_icmp = false
  enable_unprivileged_ports = false
  ignore_image_defined_volumes = false
  max_concurrent_downloads = 3
  max_container_log_line_size = 16384
  netns_mounts_under_state_dir = false
  restrict_oom_score_adj = false
  sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.9"
  selinux_category_range = 1024
  stats_collect_period = 10
  stream_idle_timeout = "4h0m0s"
  stream_server_address = "127.0.0.1"
  stream_server_port = "0"

containerd reports OCI runtime error (open /run/containerd/io.containerd.runtime.v2.task/k8s

Check the libseccomp version

sudo rpm -qa | grep libseccomp

If libseccomp is older than version 2.4, uninstall libseccomp by hand and install a version that meets the requirement
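Eyeballing rpm -qa output for "below 2.4" is error-prone because a plain string comparison puts 2.10 before 2.4. This added snippet (not from the original post) parses the name-version-release strings that rpm -qa | grep libseccomp prints and compares the version as a numeric tuple. The sample output lines are constructed.

```python
import re

# Constructed sample lines in the format printed by `rpm -qa | grep libseccomp`.
SAMPLE_RPM_OUTPUT = """\
libseccomp-2.3.1-4.el7.x86_64
libseccomp-devel-2.3.1-4.el7.x86_64
"""

# Minimum version the section above requires.
MINIMUM = (2, 4)

# name (libseccomp or libseccomp-<subpackage>), then major.minor[.patch], then the release.
NVR_RE = re.compile(r"^(libseccomp(?:-[a-z]+)?)-(\d+)\.(\d+)(?:\.(\d+))?-")


def parse_nvr(line):
    """Return (package_name, (major, minor, patch)) or None if the line is not a libseccomp package."""
    m = NVR_RE.match(line.strip())
    if not m:
        return None
    name, major, minor, patch = m.groups()
    return name, (int(major), int(minor), int(patch or 0))


def libseccomp_too_old(rpm_output, minimum=MINIMUM):
    """List installed libseccomp packages whose version is below `minimum`.
    Tuples compare numerically, so 2.10.0 is correctly newer than 2.4."""
    old = []
    for line in rpm_output.splitlines():
        parsed = parse_nvr(line)
        if parsed and parsed[1] < minimum:
            old.append(parsed[0])
    return old


if __name__ == "__main__":
    print("packages to replace:", libseccomp_too_old(SAMPLE_RPM_OUTPUT))
```

Feed it the real rpm -qa | grep libseccomp output; every package it lists has to be removed and replaced together, since the -devel subpackage pins the same version.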