Offline installation of k3s


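This document shows, by example, how to install k3s offline and how to deploy Rancher on k3s with Helm. With this deployment architecture, Rancher can import the k3s cluster automatically.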

  • helm: v3.5.3
  • k3s: v1.33.4+k3s1
  • rancher: v2.12.1

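Procedure

Prepare the images directory and the K3s binary

Follow the steps below to prepare the images directory and the K3s binary.

  1. Obtain the images tar file for the K3s version you are running from the K3s GitHub Release page.

  2. Place the tar file in the images directory, for example: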

    mkdir -p /var/lib/rancher/k3s/agent/images/
    cp k3s-airgap-images-amd64-ssr.tar /var/lib/rancher/k3s/agent/images/
    
  3. Place the k3s binary at /usr/local/bin/k3s and make sure it is executable. Once this is done, you can move on to the K3s installation part below and start installing K3s.

    mv x86_64/k3s /usr/local/bin/k3s
    chmod +x /usr/local/bin/k3s
    
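  4. Download the K3s install script: get.k3s.io. Place the install script anywhere on each air-gapped node and name it install.sh.

  5. Run the install.sh script to install K3s.

    Turn off SELinux enforcement and stop firewalld: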

    setenforce 0 
    systemctl stop firewalld
    

    Install K3s:

    chmod +x install.sh
    INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh
    
  6. Check the system Pods

    [root@localhost offline]# kubectl get pods -A 
    NAMESPACE     NAME                                      READY   STATUS      RESTARTS   AGE
    kube-system   coredns-64fd4b4794-jtxbw                  1/1     Running     0          148m
    kube-system   helm-install-traefik-crd-pkd88            0/1     Completed   0          148m
    kube-system   helm-install-traefik-tk95b                0/1     Completed   2          148m
    kube-system   local-path-provisioner-774c6665dc-m72jb   1/1     Running     0          148m
    kube-system   metrics-server-7bfffcd44-h95l6            1/1     Running     0          139m
    kube-system   svclb-traefik-2318a276-8q69p              2/2     Running     0          147m
    kube-system   traefik-c98fdf6fb-78xxs                   1/1     Running     0          147m
    
  7. Deploy a service

    Load the image:

    k3s ctr -n k8s.io image import nginx.tar
    

    Create the Deployment:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-deployment
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          labels:
            app: nginx
        spec:
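          containers:
          - name: nginx
            image: nginx
            # No tag means :latest, whose default pull policy is Always; use the imported image instead of pulling
            imagePullPolicy: IfNotPresent
            ports:
            - containerPort: 80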
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: nginx-service
    spec:
      selector:
        app: nginx
      ports:
      - port: 80
        targetPort: 80
        nodePort: 30000
      type: NodePort
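
With INSTALL_K3S_SKIP_DOWNLOAD=true the install script does not download or verify the binary, so the files copied in steps 2 and 3 are worth checking by hand before step 5. The following is an added example, not part of the original post: it assumes the release's checksum file (called sha256sum-amd64.txt here, an assumption) was copied to the node together with the artifacts, and verify_artifacts is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: check air-gap artifacts against a sha256sum-format checksum
# file before they are installed. Files are matched by base name, so they must
# keep the names they have in the checksum file.

# verify_artifacts SUMFILE FILE...
# Returns 0 only if every FILE is listed in SUMFILE and its SHA-256 matches.
verify_artifacts() {
    sumfile=$1; shift
    rc=0
    for f in "$@"; do
        name=$(basename "$f")
        # sha256sum lines look like "<hex>  <name>" or "<hex> *<name>"
        want=$(awk -v n="$name" \
            '{ fn = $2; sub(/^\*/, "", fn); if (fn == n) { print $1; exit } }' \
            "$sumfile")
        if [ -z "$want" ]; then
            # A file that is not in the list cannot be trusted either
            echo "UNLISTED $f" >&2
            rc=1
            continue
        fi
        # A missing or unreadable file yields an empty hash and is a mismatch
        got=$(sha256sum "$f" 2>/dev/null | awk '{ print $1 }')
        if [ "$got" = "$want" ]; then
            echo "OK       $f"
        else
            echo "MISMATCH $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage on the air-gapped node (checksum file name is an assumption):
#   verify_artifacts sha256sum-amd64.txt x86_64/k3s || exit 1
```

Run it before moving the binary into /usr/local/bin and stop the installation on any UNLISTED or MISMATCH line.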
    

Install Rancher

Install cert-manager

Deploy the CRDs:

    kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.2/cert-manager.crds.yaml

Deploy cert-manager:

    export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
    helm install cert-manager ./cert-manager-v1.18.2/cert-manager --insecure-skip-tls-verify --namespace cert-manager --create-namespace

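Deploy Rancher with Helm

Load images

Enter the directory and run the load script:

    cd rancher-deployments
    bash load-image.sh

Contents of load-image.sh:

    #!/bin/bash
    # Import every image tarball in the current directory into containerd's k8s.io namespace
    for image in *.tar
    do
       # Skip the literal pattern when no .tar file is present
       [ -e "$image" ] || continue
       k3s ctr -n k8s.io image import "$image"
    done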

Helm install

    export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
    kubectl create ns cattle-system
    helm install rancher ./charts/rancher-2.12.1/rancher/ --version v2.12.1 \
      --namespace cattle-system \
      --set hostname=rancher.cicd.com \
      --set replicas=1 \
      --set bootstrapPassword=zsQJvPMOe0nG0MyD

Output:

    NAME: rancher
    LAST DEPLOYED: Sat Feb 14 14:32:10 2026
    NAMESPACE: cattle-system
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None
    NOTES:
    Rancher Server has been installed.

    NOTE: Rancher may take several minutes to fully initialize. Please standby while Certificates are being issued, Containers are started and the Ingress rule comes up.

    Check out our docs at https://rancher.com/docs/

    ## First Time Login

    If you provided your own bootstrap password during installation, browse to https://rancher.cicd.com to get started.
    If this is the first time you installed Rancher, get started by running this command and clicking the URL it generates:

    echo https://rancher.cicd.com/dashboard/?setup=$(kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{.data.bootstrapPassword|base64decode}}')

    To get just the bootstrap password on its own, run:

    kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{.data.bootstrapPassword|base64decode}}{{ "\n" }}'

    Happy Containering!

The output is:

    https://rancher.cicd.com/dashboard/?setup=zsQJvPMOe0nG0MyD

Import the cluster


Click Create:


Rancher gives a command for importing the existing k3s cluster:


Import using the curl method:

    kubectl apply -f https://rancher.cicd.com/v3/import/xth92l5wmfc6vsqx6962cmp7djf27m955lr9fl5sg9j2b58bsblpmr_c-nhk5g.yaml

Image operations

Save an image

    k3s ctr images export kubectl_v_1-33-1.tar docker.io/rancher/kubectl:v1.33.1

How to import images onto a node in k3s

    k3s ctr -n k8s.io image import xx.tar
    k3s ctr -n k8s.io images ls

When Rancher shows that it needs a Docker Hub image:

    # Rancher shows that it needs rancher/fleet:v0.13.1
    # but what is actually pulled is docker.io/rancher/fleet:v0.13.1
    k3s ctr -n k8s.io image tag rancher/fleet:v0.13.1 docker.io/rancher/fleet:v0.13.1

Download and retag images

Pull the image:

    k3s ctr image pull --all-platforms registry.cn-hangzhou.aliyuncs.com/rancher/rancher:v2.12.1

Check the image architectures:

    $ k3s ctr image inspect --content registry.cn-hangzhou.aliyuncs.com/rancher/rancher-webhook:v0.8.1 |grep arch
    │   │            "architecture": "arm64",
    │   │            "architecture": "unknown",
    │   │            "architecture": "amd64",
    │   │            "architecture": "unknown",
    │   │   │   "architecture": "arm64",
    │   │   │   "architecture": "unknown",
    │   │   │   "architecture": "amd64",
        │   │   "architecture": "unknown",

Retag the image:

    k3s ctr image tag registry.cn-hangzhou.aliyuncs.com/rancher/rancher-webhook:v0.8.1 docker.io/rancher/rancher-webhook:v0.8.1
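
The short-name mismatch described under "When Rancher shows that it needs a Docker Hub image" and the retag step above can be checked before running helm install. This added example (not from the original post) expands image names the way Docker-style references are normalized and lists the ones missing from the output of `k3s ctr -n k8s.io images ls -q`; normalize_ref, missing_images and demo are hypothetical helper names, and the sample image list is constructed.

```shell
#!/bin/sh
# Added example: find images that still need `image tag` to a full name.

# normalize_ref NAME -> fully qualified reference (docker.io and :latest defaults)
normalize_ref() {
    ref=$1 host=docker.io path=$1
    case "$ref" in
        */*)
            first=${ref%%/*}
            case "$first" in
                # A first component with '.' or ':' (or localhost) is a registry host
                *.*|*:*|localhost) host=$first; path=${ref#*/} ;;
            esac ;;
    esac
    if [ "$host" = docker.io ]; then
        # Official images live under library/ on Docker Hub
        case "$path" in */*) ;; *) path="library/$path" ;; esac
    fi
    # Add :latest when the last component has neither a tag nor a digest
    case "${path##*/}" in
        *:*|*@*) ;;
        *) path="$path:latest" ;;
    esac
    printf '%s/%s\n' "$host" "$path"
}

# missing_images LISTFILE NAME... -> prints each full name absent from LISTFILE
missing_images() {
    present=$1; shift
    rc=0
    for want in "$@"; do
        full=$(normalize_ref "$want")
        if ! grep -Fxq -- "$full" "$present"; then
            echo "$full"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `images ls -q` output: one image stored under a short name
demo() {
    list=$(mktemp)
    printf '%s\n' 'rancher/fleet:v0.13.1' \
                  'docker.io/rancher/rancher-webhook:v0.8.1' > "$list"
    missing_images "$list" rancher/fleet:v0.13.1 rancher/rancher-webhook:v0.8.1
    status=$?
    rm -f "$list"
    return $status
}
```

On a node, save `k3s ctr -n k8s.io images ls -q` to a file and pass it as LISTFILE; every name printed needs the `image tag` step shown above.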