Deploying Kubernetes v1.35 on CentOS 9
Version 1.24 removed dockershim, so a CRI-compatible runtime is required, or an additional plugin that adds Docker support must be installed.
1. Planning and environment preparation
The steps in this part must be run on all three nodes: k8s201, k8s202 and k8s203.
1.1 Planning
| Hostname | IP | OS | Spec | K8s version | CRI version |
|---|---|---|---|---|---|
| k8s201 | 192.168.10.201 | centos9 | 2C2G | 1.35 | 2.21.1 |
| k8s202 | 192.168.10.202 | centos9 | 2C2G | 1.35 | 2.21.1 |
| k8s203 | 192.168.10.203 | centos9 | 2C2G | 1.35 | 2.21.1 |
| harbor | 192.168.10.250 | | | | |
- Set the hostname (run the matching line on each node)
```bash
hostnamectl set-hostname k8s201
hostnamectl set-hostname k8s202
hostnamectl set-hostname k8s203
```
- Set up hostname resolution
```bash
cat >> /etc/hosts << EOF
192.168.10.201 k8s201
192.168.10.202 k8s202
192.168.10.203 k8s203
EOF
```
Verify:
```bash
ping -c2 k8s201
ping -c2 k8s202
ping -c2 k8s203
```
- Disable the firewall and SELinux
```bash
systemctl disable --now firewalld
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config
```
Verify:
```bash
getenforce
systemctl status firewalld
```
- Disable swap
Temporarily:
```bash
swapoff -a && sysctl -w vm.swappiness=0
```
Persistently, by commenting out the swap entry in the configuration file:
```bash
sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab
```
Verify
- Make sure the MAC address and product_uuid are unique on every node
```bash
ip address show ens160 | grep ether | awk '{print $2}'
```
```bash
cat /sys/class/dmi/id/product_uuid
```
1.2 Kernel modules and network tuning
- Load the basic kernel modules
```bash
cat <<EOF | tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF

modprobe overlay
modprobe br_netfilter
```
- Load the IPVS modules (used for high-performance Service forwarding)
```bash
cat <<EOF | tee /etc/modules-load.d/ipvs.conf
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
ip_tables
ip_set
xt_set
ipt_set
ipip
EOF

for kernel_module in $(cat /etc/modules-load.d/ipvs.conf); do
  /sbin/modprobe $kernel_module
done
```
- Set the sysctl network parameters
```bash
cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
vm.swappiness = 0
EOF

sysctl --system
```
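The steps in 1.1 and 1.2 are easy to get half-done on one of the three nodes (a swap line left in /etc/fstab, a sysctl key missing, a module not loaded), and kubelet will then fail in ways that are slow to trace. As an added example that is not part of the original post, the following shell functions check each prerequisite against a file, so they can be pointed at the live host or at copies of the files; the function names and the `audit_node` wrapper are my own, and the paths are the ones used in the steps above.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: file-based checks for the node
# preparation in 1.1 and 1.2. Function names are hypothetical; the paths are
# the ones written by the steps above.

# Return 0 when the three bridge/forwarding keys are all set to 1 in a sysctl file.
sysctl_conf_ok() {
  conf=$1
  for key in net.bridge.bridge-nf-call-iptables \
             net.bridge.bridge-nf-call-ip6tables \
             net.ipv4.ip_forward; do
    # The last assignment wins, as it does for sysctl itself; empty when absent.
    val=$(sed -n "s|^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([0-9]*\).*|\1|p" "$conf" | tail -n 1)
    [ "$val" = "1" ] || return 1
  done
  return 0
}

# Print how many fstab lines would still activate swap
# (uncommented lines that carry a 'swap' field).
active_swap_entries() {
  grep -cE '^[^#].*[[:space:]]swap[[:space:]]' "$1" || true
}

# Return 0 when /etc/selinux/config (or a copy) sets SELINUX to disabled or permissive.
selinux_config_ok() {
  mode=$(sed -n 's/^SELINUX=\(.*\)$/\1/p' "$1" | tail -n 1)
  [ "$mode" = "disabled" ] || [ "$mode" = "permissive" ]
}

# Return 0 when every module named in a modules-load.d file appears in a
# /proc/modules-style listing (one module per line, name first).
modules_loaded() {
  conf=$1
  loaded=$2
  while read -r mod; do
    [ -n "$mod" ] || continue
    grep -q "^${mod} " "$loaded" || return 1
  done < "$conf"
  return 0
}

# Run every check against the live host and report; exit status 1 if any failed.
audit_node() {
  rc=0
  sysctl_conf_ok /etc/sysctl.d/k8s.conf && echo "sysctl keys:    ok" || { echo "sysctl keys:    MISSING"; rc=1; }
  [ "$(active_swap_entries /etc/fstab)" = 0 ] && echo "fstab swap:     ok" || { echo "fstab swap:     still enabled"; rc=1; }
  selinux_config_ok /etc/selinux/config && echo "selinux config: ok" || { echo "selinux config: enforcing"; rc=1; }
  modules_loaded /etc/modules-load.d/k8s.conf /proc/modules && echo "modules:        ok" || { echo "modules:        not loaded"; rc=1; }
  return $rc
}

# Usage on a node: bash node-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
  audit_node
fi
```

Run it on each node after the steps above; a non-zero exit status points at the node that still needs work before `kubeadm init` or `kubeadm join`.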
1.3 Install the container runtime (CRI)
- Install the latest version
```bash
dnf install -y yum-utils
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
dnf install -y containerd.io
```
List all available versions:
```bash
dnf list containerd.io --showduplicates
```
- Configure containerd
```bash
mkdir -p /etc/containerd
containerd config default | tee /etc/containerd/config.toml
```
- Enable SystemdCgroup (required; otherwise kubelet will not start)
```bash
sed -i 's/SystemdCgroup = false/SystemdCgroup = true/g' /etc/containerd/config.toml
```
```bash
grep SystemdCgroup /etc/containerd/config.toml
```
Change the sandbox (pause) image source (a domestic mirror; without it, kubeadm init hangs while pulling the image).
Note: substitute the image tag according to your actual configuration.
```bash
sed -i 's|registry.k8s.io/pause:3.10.1|registry.aliyuncs.com/google_containers/pause:3.10.1|g' /etc/containerd/config.toml
```
```bash
grep registry.k8s.io /etc/containerd/config.toml
```
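Both edits to config.toml above are silent when the sed pattern does not match (for example when the default config ships a different pause tag than the one in the sed command), and the symptoms only appear later as a kubelet that will not start or an init that hangs. As an added example that is not from the original post, the following functions read the config file and report both conditions before containerd is started; the function names are my own, and only the `SystemdCgroup` and `sandbox_image` keys of containerd's default config are assumed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: verify the two edits made to
# /etc/containerd/config.toml in 1.3. Function names are hypothetical.

# Print the sandbox (pause) image reference currently configured.
sandbox_image() {
  sed -n 's/^[[:space:]]*sandbox_image[[:space:]]*=[[:space:]]*"\(.*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 only when a SystemdCgroup = true line is present.
systemd_cgroup_enabled() {
  grep -qE '^[[:space:]]*SystemdCgroup[[:space:]]*=[[:space:]]*true' "$1"
}

# Report every problem found, one per line; exit status 1 when anything was reported.
containerd_config_check() {
  f=$1
  rc=0
  if ! systemd_cgroup_enabled "$f"; then
    echo "SystemdCgroup is not true: kubelet (cgroupDriver: systemd) will not start"
    rc=1
  fi
  img=$(sandbox_image "$f")
  case "$img" in
    "")
      echo "no sandbox_image found in $f"
      rc=1 ;;
    registry.k8s.io/*)
      echo "sandbox_image still points at $img: kubeadm init may hang pulling it"
      rc=1 ;;
  esac
  return $rc
}

# Usage on a node: bash containerd-check.sh /etc/containerd/config.toml
if [ -n "${1:-}" ]; then
  containerd_config_check "$1"
fi
```

Run it after the two sed commands and again after any containerd.io upgrade, since a regenerated default config reverts both settings.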
- Start at boot
```bash
systemctl enable --now containerd
```
- Verify
Create a configuration file for crictl (optional). Without it, crictl does not know which container runtime to talk to.
```bash
cat <<EOF > /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF
```
1.4 Download Kubernetes
- Configure the yum repository
```bash
cat <<EOF | tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.35/rpm/
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.35/rpm/repodata/repomd.xml.key
EOF
```
- Install the latest version
```bash
dnf install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
```
Install a specific version:
```bash
KUBE_VERSION=1.35.0
dnf -y install kubeadm-${KUBE_VERSION} kubelet-${KUBE_VERSION} kubectl-${KUBE_VERSION}
```
List all available versions:
```bash
dnf list kubelet kubeadm kubectl --showduplicates
```
- Verify
- Start at boot
```bash
systemctl enable --now kubelet
```
2. Fetching the images
- List the required images
```bash
kubeadm config images list --kubernetes-version 1.35.0
```
Domestic mirror:
```bash
kubeadm config images list --kubernetes-version 1.35.0 --image-repository registry.aliyuncs.com/google_containers
```
- Pull the images
```bash
ctr image pull registry.k8s.io/kube-apiserver:v1.35.0
ctr image pull registry.k8s.io/kube-controller-manager:v1.35.0
ctr image pull registry.k8s.io/kube-scheduler:v1.35.0
ctr image pull registry.k8s.io/kube-proxy:v1.35.0
ctr image pull registry.k8s.io/coredns/coredns:v1.13.1
ctr image pull registry.k8s.io/pause:3.10.1
ctr image pull registry.k8s.io/etcd:3.6.6-0
```
Mirror addresses:
```bash
ctr image pull registry.aliyuncs.com/google_containers/kube-apiserver:v1.35.0
ctr image pull registry.aliyuncs.com/google_containers/kube-controller-manager:v1.35.0
ctr image pull registry.aliyuncs.com/google_containers/kube-scheduler:v1.35.0
ctr image pull registry.aliyuncs.com/google_containers/kube-proxy:v1.35.0
ctr image pull registry.aliyuncs.com/google_containers/coredns/coredns:v1.13.1
ctr image pull registry.aliyuncs.com/google_containers/pause:3.10.1
ctr image pull registry.aliyuncs.com/google_containers/etcd:3.6.6-0
```
3. Initializing and joining the cluster
3.1 Initialization
- Generate the configuration file
```bash
kubeadm config print init-defaults > kubeadm.yml
```
- Edit the key settings
```yaml
advertiseAddress: 192.168.10.201
bindPort: 6443

name: k8s201

imageRepository: registry.aliyuncs.com/google_containers

serviceSubnet: 10.96.0.0/12
podSubnet: 10.244.0.0/16

---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd
```
- advertiseAddress: the address of the control-plane node (192.168.10.201 here)
- name: the name of the control-plane node
- imageRepository: change it to the Alibaba Cloud mirror repository
- podSubnet: append it on the line after serviceSubnet
- apiVersion: append this whole section, including the `---` separator
```bash
kubeadm config images list --config kubeadm.yml
```
- Start
```bash
kubeadm init --config=kubeadm.yml
```
Ignore the insufficient-memory preflight error:
```bash
kubeadm init --config=kubeadm.yml --ignore-preflight-errors=Mem
```
Use images that are already present locally:
```bash
kubeadm init --config=kubeadm.yml --image-pull-policy=IfNotPresent
```
Skip the image pull phase:
```bash
kubeadm init --config=kubeadm.yml --skip-phases=preflight/pull-images
```
- Add kubectl shell completion
```bash
echo "source <(kubectl completion bash)" >> ~/.bashrc && source ~/.bashrc
```
- Let the current user manage the whole cluster with kubectl directly
```bash
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
```
- Check the status of the control-plane components
```bash
kubectl get componentstatuses
kubectl get cs
```
- Check the node status
- If something went wrong, reset and initialize again
```bash
kubeadm reset -f
rm -rf /var/lib/cni/ $HOME/.kube/config
rm -rf /etc/kubernetes/
rm -rf /var/lib/etcd/
rm -rf ~/.kube/
rm -rf /etc/cni/

ip link delete cni0
ip link delete flannel.1

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
```
3.2 Joining the cluster
```bash
kubeadm join 192.168.10.201:6443 --token abcdef.0123456789abcdef \
    --discovery-token-ca-cert-hash sha256:2f55dde305d9df5c21b8d560adffd34dc69810d64788460d4fadb40517d4f561
```
Regenerate the join command:
```bash
token=$(kubeadm token generate)
kubeadm token create $token --print-join-command --ttl=0
```
or
```bash
kubeadm token create --print-join-command
```
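A bootstrap token created with `--ttl=0` never expires, and anyone holding it plus the CA hash can join a node to the cluster, so once the workers have joined it is worth listing the tokens and removing the permanent ones (the default `kubeadm token create` token expires after 24 hours). As an added example that is not from the original post, the functions below parse `kubeadm token list` output, whose TTL column reads `<forever>` for such tokens, print the matching `kubeadm token delete` commands, and recompute the CA hash with the openssl pipeline the kubeadm documentation gives; the function names are my own, and the sample output in the test is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes the column layout of
# `kubeadm token list` (TOKEN, TTL, EXPIRES, ...); function names are hypothetical.

# Print the tokens whose TTL column reads <forever>.
# Input: `kubeadm token list` output on stdin.
never_expiring_tokens() {
  awk 'NR > 1 && $2 == "<forever>" { print $1 }'
}

# Print the tokens that are still time-limited, for comparison.
expiring_tokens() {
  awk 'NR > 1 && $2 != "<forever>" { print $1 }'
}

# Emit the commands that would remove the permanent tokens; pipe to sh to apply.
revoke_commands() {
  never_expiring_tokens | while read -r tok; do
    echo "kubeadm token delete $tok"
  done
}

# Recompute the value for --discovery-token-ca-cert-hash from the cluster CA
# (the pipeline documented for kubeadm join; path defaults to the kubeadm location).
ca_cert_hash() {
  openssl x509 -pubkey -in "${1:-/etc/kubernetes/pki/ca.crt}" \
    | openssl rsa -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# Typical use on the control-plane node:
#   kubeadm token list | never_expiring_tokens
#   kubeadm token list | revoke_commands | sh
#   ca_cert_hash            # compare with the hash in the join command
```

After the permanent tokens are gone, a node that needs to join later gets a fresh short-lived token from `kubeadm token create --print-join-command`.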
3.3 Install the flannel network plugin
- Download kube-flannel.yml
```bash
wget https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml
```
Mirror download:
```bash
wget https://gh.bravexist.cn/https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml
```
- Change the network range so that it matches podSubnet in kubeadm.yml; if you do not want the images pulled again every time, also set imagePullPolicy
```yaml
10.244.0.0/16

imagePullPolicy: IfNotPresent
```
imagePullPolicy goes on the line after image.
- Start
```bash
kubectl apply -f kube-flannel.yml
```
- Verify
```bash
kubectl get pods -A -o wide | grep kube-flannel
```
- Remove (optional)
```bash
kubectl delete -f kube-flannel.yml
```
3.4 Install the calico network plugin
- Download
```bash
wget https://raw.githubusercontent.com/projectcalico/calico/v3.31.2/manifests/tigera-operator.yaml
```
Mirror download:
```bash
wget https://gh.bravexist.cn/https://raw.githubusercontent.com/projectcalico/calico/v3.31.2/manifests/tigera-operator.yaml
```
- Install the Tigera Operator
```bash
kubectl apply -f tigera-operator.yaml
```
- Download the custom resource configuration file
```bash
wget https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/custom-resources.yaml
```
Mirror download:
```bash
wget https://gh.bravexist.cn/https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/custom-resources.yaml
```
- Change the network range (very important): edit the cidr in custom-resources.yaml so that it exactly matches the --pod-network-cidr (podSubnet) you defined when running kubeadm init.
```bash
vim custom-resources.yaml
```
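Both the flannel step in 3.3 and the calico step above depend on one thing: the CIDR in the CNI manifest must be the podSubnet that kubeadm was initialized with, and a mismatch is not caught by `kubectl apply`. As an added example that is not from the original post, the functions below extract the CIDR from kubeadm.yml, from flannel's net-conf.json `"Network"` field and from calico's ipPools `cidr:` line, compare them, and rewrite the manifest in place when they differ; the function names are my own, and the constructed files in the test follow the layout of those three manifests.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: keep the CNI manifest's pod CIDR
# in step with the kubeadm podSubnet. Function names are hypothetical.

# podSubnet from a kubeadm configuration file; empty when not set.
kubeadm_pod_cidr() {
  sed -n 's|^[[:space:]]*podSubnet:[[:space:]]*\([0-9./]*\).*|\1|p' "$1" | head -n 1
}

# Pod CIDR declared by a CNI manifest: flannel's "Network" in net-conf.json,
# or calico's cidr: under ipPools. The first match wins.
cni_pod_cidr() {
  sed -n -e 's|.*"Network":[[:space:]]*"\([0-9./]*\)".*|\1|p' \
         -e 's|^[[:space:]]*-\{0,1\}[[:space:]]*cidr:[[:space:]]*\([0-9./]*\).*|\1|p' "$1" | head -n 1
}

# Return 0 when both files agree on the pod CIDR, 1 otherwise (message on stderr).
pod_cidr_matches() {
  want=$(kubeadm_pod_cidr "$1")
  have=$(cni_pod_cidr "$2")
  if [ -z "$want" ] || [ "$want" != "$have" ]; then
    echo "pod CIDR mismatch: kubeadm='$want' cni='$have'" >&2
    return 1
  fi
  return 0
}

# Rewrite the CNI manifest in place so that it uses the kubeadm podSubnet
# (covers both the flannel and the calico form); a .bak copy is kept.
set_cni_pod_cidr() {
  want=$(kubeadm_pod_cidr "$1")
  [ -n "$want" ] || return 1
  sed -i.bak -e "s|\"Network\":[[:space:]]*\"[0-9./]*\"|\"Network\": \"$want\"|" \
             -e "s|cidr:[[:space:]]*[0-9./]*|cidr: $want|" "$2"
}

# Usage: bash cidr-check.sh kubeadm.yml custom-resources.yaml
if [ -n "${2:-}" ]; then
  pod_cidr_matches "$1" "$2" && echo "pod CIDR ok: $(kubeadm_pod_cidr "$1")"
fi
```

Run the check before `kubectl apply -f kube-flannel.yml` or `kubectl apply -f custom-resources.yaml`; with the calico file as downloaded, the default 192.168.0.0/16 pool is reported against the 10.244.0.0/16 podSubnet used in this guide.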
- Start the Calico instance
```bash
kubectl apply -f custom-resources.yaml
```
List of images pulled automatically at start-up:
```bash
kubectl get pods -n calico-system -o jsonpath='{.items[*].spec.containers[*].image}' | tr ' ' '\n' | sort | uniq
```
- Verify
```bash
kubectl get pods -n calico-system -w
```
- Remove (optional)
```bash
kubectl delete -f custom-resources.yaml
```
4. Verifying pod-to-pod connectivity
- Create the resource definition file
```bash
vim test-network-linux-ds.yaml
```
```yaml
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: linux-ds
spec:
  selector:
    matchLabels:
      school: tyust
      class: bitdata
  template:
    metadata:
      labels:
        school: tyust
        class: bitdata
    spec:
      containers:
      - image: alpine:3.23.2
        stdin: true
        name: mylinux
```
- Create the resource
```bash
kubectl apply -f test-network-linux-ds.yaml
```
- View the resource
```bash
kubectl get pods -o wide
```
- Test communication between pods on different nodes
```bash
kubectl exec <pod-name> -- ping -c 3 <ip-of-a-pod-on-another-node>
```
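With one DaemonSet pod per node, the check above is a small matrix rather than a single ping: each pod should reach the IP of every pod on a different node. As an added example that is not from the original post, the functions below list the DaemonSet pods with a jsonpath query, build every cross-node source/destination pair, and run the pings; the function names are my own, the label selector is the one from the DaemonSet above, and the pod listing in the test is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: run the cross-node ping test
# against every pair of DaemonSet pods. Function names are hypothetical.

# One line per pod: "<name> <podIP> <nodeName>" (jsonpath, so no jq is needed).
list_ds_pods() {
  kubectl get pods -l school=tyust,class=bitdata \
    -o jsonpath='{range .items[*]}{.metadata.name} {.status.podIP} {.spec.nodeName}{"\n"}{end}'
}

# From a "<name> <ip> <node>" listing on stdin, print
# "<src-pod> <dst-ip> <src-node>-><dst-node>" for every ordered pair of pods
# that live on different nodes (pods sharing a node are skipped).
cross_node_pairs() {
  awk '
    { name[NR] = $1; ip[NR] = $2; node[NR] = $3 }
    END {
      for (i = 1; i <= NR; i++)
        for (j = 1; j <= NR; j++)
          if (i != j && node[i] != node[j])
            print name[i], ip[j], node[i] "->" node[j]
    }'
}

# Ping from each source pod to each cross-node destination; exit 1 if any pair failed.
ping_matrix() {
  pairs=$(mktemp)
  list_ds_pods | cross_node_pairs > "$pairs"
  rc=0
  while read -r src dst route; do
    if kubectl exec "$src" -- ping -c 3 "$dst" >/dev/null 2>&1; then
      echo "OK   $route  $src -> $dst"
    else
      echo "FAIL $route  $src -> $dst"
      rc=1
    fi
  done < "$pairs"
  rm -f "$pairs"
  return $rc
}

# Usage after `kubectl apply -f test-network-linux-ds.yaml`: bash ping-matrix.sh --run
if [ "${1:-}" = "--run" ]; then
  ping_matrix
fi
```

A FAIL line names both the route and the pods, which narrows the problem to one node pair (a typical cause is the CIDR mismatch from the previous section, or the overlay port blocked between two hosts).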
- Delete the resource
```bash
kubectl delete -f test-network-linux-ds.yaml
```
5. Installing nerdctl
Official repository
- Download
```bash
wget https://github.com/containerd/nerdctl/releases/download/v2.2.1/nerdctl-2.2.1-linux-amd64.tar.gz
```
Mirror download:
```bash
wget https://g.bravexist.cn/https://github.com/containerd/nerdctl/releases/download/v2.2.1/nerdctl-2.2.1-linux-amd64.tar.gz
```
- Extract
```bash
tar xf nerdctl-2.2.1-linux-amd64.tar.gz -C /usr/local/bin
```
- Command completion
```bash
source <(nerdctl completion bash)
```
- Set an alias
```bash
alias docker='nerdctl -n k8s.io'
```
6. Summary
I found this much the same as with the older versions. The only difference is that the old versions used docker, and I know docker's image pulling well, whereas I am not familiar with image acceleration for containerd, and its images are also hard to export and import.
- Export an image; note the namespace -n k8s.io
```bash
ctr -n k8s.io images export test.tar ghcr.io/flannel-io/flannel-cni-plugin:v1.8.0-flannel1
```
Batch export, with more readable file names (the pipeline prints the export commands; pipe its output to sh to run them):
```bash
ctr -n k8s.io images list | tail -n +2 | egrep -v '^sha256|@' | awk '{name=$1; gsub(/[\/:]/, "_", name); print "ctr -n k8s.io images export " name ".tar", $1}'
```
With stricter naming (dots replaced as well):
```bash
ctr -n k8s.io images list | tail -n +2 | egrep -v '^sha256|@' | awk '{name=$1; gsub(/[\/:.]/, "_", name); print "ctr -n k8s.io images export " name ".tar", $1}'
```
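The two one-liners above hide three decisions that are worth having in one place: which refs to skip (untagged sha256 refs and digest refs), how a ref maps to a file name, and whether the other side ends up with everything that was exported. As an added example that is not from the original post, the functions below implement the stricter name mapping, generate the export commands from `ctr -n k8s.io images list` output, and diff a saved image list against the current one after the import; the function names are my own, and the `ctr images list` output used in the test is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: export/import helpers for the
# k8s.io containerd namespace. Function names are hypothetical.

# Turn an image reference into a tar file name: '/', ':' and '.' become '_', so
# registry.aliyuncs.com/google_containers/pause:3.10.1 ->
# registry_aliyuncs_com_google_containers_pause_3_10_1.tar
tar_name_for() {
  printf '%s.tar\n' "$(printf '%s' "$1" | tr '/:.' '___')"
}

# Given `ctr -n k8s.io images list` output on stdin, print one
# "ctr -n k8s.io images export <file> <ref>" line per tagged image,
# skipping the header line, untagged sha256 refs and digest (@) refs.
export_commands() {
  awk 'NR > 1 && $1 !~ /^sha256/ && $1 !~ /@/ { print $1 }' | while read -r ref; do
    printf 'ctr -n k8s.io images export %s %s\n' "$(tar_name_for "$ref")" "$ref"
  done
}

# Refs present in a saved `ctr images list` output (first file) that are absent
# from a current one (second file): what still has to be imported on this node.
missing_images() {
  awk 'NR == FNR { if (FNR > 1) want[$1] = 1; next }
       FNR > 1 { delete want[$1] }
       END { for (r in want) print r }' "$1" "$2" | sort
}

# Typical use:
#   ctr -n k8s.io images list > images-before.txt          # on the source node
#   ctr -n k8s.io images list | export_commands | sh       # writes the .tar files
#   for i in *.tar; do ctr -n k8s.io images import "$i"; done   # on the target node
#   ctr -n k8s.io images list > images-after.txt
#   missing_images images-before.txt images-after.txt      # empty when complete
```

Importing without `-n k8s.io` puts the image in containerd's default namespace, where kubelet never looks, which is exactly the case `missing_images` makes visible.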
- Import an image
```bash
ctr images import test.tar
```
Batch import; note the namespace -n k8s.io:
```bash
for i in *.tar; do ctr -n k8s.io images import $i; done
```
- Verify the images