Centos7使用kubeadm 安装多主高可用kubernets:v.1.11集群

时间:2021-08-15 10:42:08

实验环境介绍:

本次实验环境是5个节点 3台master 2台node节点:

k8smaster01 192.168.111.128 软件:etcd k8smaster haproxy keepalived
k8smaster02 192.168.111.129 软件:etcd k8smaster haproxy keepalived
k8smaster03 192.168.111.130 软件:etcd k8smaster haproxy keepalived
k8snode01 192.168.111.131  软件:k8snode
k8snode02 192.168.111.132  软件:k8snode

VIP: 192.168.111.100

系统优化(在所有节点上操作)

关闭防火墙

systemctl stop firewalld.service
systemctl disable firewalld.service

关闭SELINUX和swap,优化内核参数

 sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
 setenforce 0

# 临时关闭swap
# 永久关闭 注释/etc/fstab文件里swap相关的行
swapoff -a

# 配置转发相关参数,否则可能会出错
cat <<EOF >  /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0
EOF
sysctl --system

# 加载ipvs相关内核模块
# 如果重新开机,需要重新加载
modprobe ip_vs
modprobe ip_vs_rr
modprobe ip_vs_wrr
modprobe ip_vs_sh
modprobe nf_conntrack_ipv4
lsmod | grep ip_vs

配置yum源

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup
mv /etc/yum.repos.d/epel-testing.repo /etc/yum.repos.d/epel-testing.repo.backup
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

yum clean all && yum makecache 

sudo yum install -y yum-utils device-mapper-persistent-data lvm2

配置hosts解析

192.168.111.128 k8smaster01
192.168.111.129 k8smaster02
192.168.111.130 k8smaster03
192.168.111.131 k8snode01
192.168.111.132 k8snode02

安装docker

v1.11.1版本推荐使用docker v17.03,v1.11,v1.12,v1.13, 也可以使用,再高版本官网不推荐使用,但是可以忽略。

这里安装18.06.0-ce

yum -y install docker-ce
systemctl enable docker && systemctl restart docker

 

安装 kubeadm, kubelet 和 kubectl(所有节点)

yum install -y kubelet kubeadm kubectl ipvsadm
systemctl enable kubelet && systemctl start kubelet

 

 配置haproxy代理和keepalived(如下操作在所有master节点上操作)

# 拉取haproxy镜像
docker pull haproxy:1.7.8-alpine
cat >/etc/haproxy/haproxy.cfg<<EOF
global
  log 127.0.0.1 local0 err
  maxconn 5000
  uid 99
  gid 99
  #daemon
  nbproc 1
  pidfile haproxy.pid

defaults
  mode http
  log 127.0.0.1 local0 err
  maxconn 5000
  retries 3
  timeout connect 5s
  timeout client 30s
  timeout server 30s
  timeout check 2s

listen admin_stats
  mode http
  bind 0.0.0.0:1080
  log 127.0.0.1 local0 err
  stats refresh 30s
  stats uri     /haproxy-status
  stats realm   Haproxy\ Statistics
  stats auth    will:will
  stats hide-version
  stats admin if TRUE

frontend k8s-https
  bind 0.0.0.0:8443
  mode tcp
  #maxconn 50000
  default_backend k8s-https

backend k8s-https
  mode tcp
  balance roundrobin
  server k8smaster01 192.168.111.128:6443 weight 1 maxconn 1000 check inter 2000 rise 2 fall 3
  server k8smaster02 192.168.111.129:6443 weight 1 maxconn 1000 check inter 2000 rise 2 fall 3
  server k8smaster03 192.168.111.130:6443 weight 1 maxconn 1000 check inter 2000 rise 2 fall 3
EOF
# 启动haproxy
docker run -d --name my-haproxy \
-v /etc/haproxy:/usr/local/etc/haproxy:ro \
-p 8443:8443 \
-p 1080:1080 \
--restart always \
haproxy:1.7.8-alpine
# 拉取keepalived镜像
docker pull osixia/keepalived:1.4.4

# 启动
# 载入内核相关模块
lsmod | grep ip_vs
modprobe ip_vs

# 启动keepalived
# ens33为本次实验192.168.111.0/24网段的所在网卡
docker run --net=host --cap-add=NET_ADMIN \
-e KEEPALIVED_INTERFACE=ens33 \
-e KEEPALIVED_VIRTUAL_IPS="#PYTHON2BASH:['192.168.111.100']" \
-e KEEPALIVED_UNICAST_PEERS="#PYTHON2BASH:['192.168.111.128','192.168.111.129','192.168.111.130']" \
-e KEEPALIVED_PASSWORD=hello \
--name k8s-keepalived \
--restart always \
-d osixia/keepalived:1.4.4

# 此时会配置 192.168.111.100 到其中一台机器
# ping测试
ping  192.168.111.100


# 如果失败后清理后,重新实验
#docker rm -f k8s-keepalived
#ip a del 192.168.111.100/32 dev ens33

配置kubelet(所有节点操作)

# 配置kubelet使用国内pause镜像
# 配置kubelet的cgroups

cat >/etc/sysconfig/kubelet<<EOF
KUBELET_EXTRA_ARGS="--cgroup-driver=cgroupfs  --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.1"
EOF

# 启动
systemctl daemon-reload
systemctl enable kubelet && systemctl restart kubelet

配置k8smaster01(192.168.111.128上操作)

cd /etc/kubernetes
# 生成配置文件
cat >kubeadm-master.config<<EOF
apiVersion: kubeadm.k8s.io/v1alpha2
kind: MasterConfiguration
kubernetesVersion: v1.11.1
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers

apiServerCertSANs:
- "k8smaster01"
- "k8smaster02"
- "k8smaster03"
- "192.168.111.128"
- "192.168.111.129"
- "192.168.111.130"
- "192.168.111.100"
- "127.0.0.1"

api:
  advertiseAddress: 192.168.111.128
  controlPlaneEndpoint: 192.168.111.100:8443

etcd:
  local:
    extraArgs:
      listen-client-urls: "https://127.0.0.1:2379,https://192.168.111.128:2379"
      advertise-client-urls: "https://192.168.111.128:2379"
      listen-peer-urls: "https://192.168.111.128:2380"
      initial-advertise-peer-urls: "https://192.168.111.128:2380"
      initial-cluster: "k8smaster01=https://192.168.111.128:2380"
    serverCertSANs:
      - k8smaster01
      - 192.168.111.128
    peerCertSANs:
      - k8smaster01
      - 192.168.111.128

controllerManagerExtraArgs:
  node-monitor-grace-period: 10s
  pod-eviction-timeout: 10s

networking:
  podSubnet: 10.244.0.0/16

kubeProxy:
  config:
    mode: ipvs
    # mode: iptables
EOF

# 提前拉取镜像
# 如果执行失败 可以多次执行
kubeadm config images pull --config kubeadm-master.config

# 初始化
# 注意保存返回的 join 命令
kubeadm init --config kubeadm-master.config

# 初始化失败时使用
#kubeadm reset

# 将ca相关文件传至其他master节点
cd /etc/kubernetes/pki/ USER
=root CONTROL_PLANE_IPS="k8smaster02 k8smaster03" for host in ${CONTROL_PLANE_IPS}; do
   ssh "${USER}"@$host "mkdir -p /etc/kubernetes/pki/etcd"
scp ca.crt ca.key  sa.key  sa.pub front-proxy-ca.crt front-proxy-ca.key "${USER}"@$host:/etc/kubernetes/pki/ scp etcd/ca.crt etcd/ca.key "${USER}"@$host:/etc/kubernetes/pki/etcd/
  scp ../admin.conf "${USER}"@$host:/etc/kubernetes/

done

 

kubeadm init失败解决:

将阿里云image tag成官方的image,即可解决init失败问题。(v1.11.0有此问题)

docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver-amd64:v1.11.1 k8s.gcr.io/kube-apiserver-amd64:v1.11.1
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy-amd64:v1.11.1 k8s.gcr.io/kube-proxy-amd64:v1.11.1 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/etcd-amd64:3.2.18 k8s.gcr.io/etcd-amd64:3.2.18 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler-amd64:v1.11.1 k8s.gcr.io/kube-scheduler-amd64:v1.11.1 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager-amd64:v1.11.1 k8s.gcr.io/kube-controller-manager-amd64:v1.11.1 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.1.3 k8s.gcr.io/coredns:1.1.3 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.1 k8s.gcr.io/pause-amd64:3.1 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.1 k8s.gcr.io/pause:3.1

 

配置k8smaster02(192.168.111.129上操作)

cd /etc/kubernetes
# 生成配置文件
cat >kubeadm-master.config<<EOF
apiVersion: kubeadm.k8s.io/v1alpha2
kind: MasterConfiguration
kubernetesVersion: v1.11.1
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers

apiServerCertSANs:
- "k8smaster01"
- "k8smaster02"
- "k8smaster03"
- "192.168.111.128"
- "192.168.111.129"
- "192.168.111.130"
- "192.168.111.100"
- "127.0.0.1"

api:
  advertiseAddress: 192.168.111.129
  controlPlaneEndpoint: 192.168.111.100:8443

etcd:
  local:
    extraArgs:
      listen-client-urls: "https://127.0.0.1:2379,https://192.168.111.129:2379"
      advertise-client-urls: "https://192.168.111.129:2379"
      listen-peer-urls: "https://192.168.111.129:2380"
      initial-advertise-peer-urls: "https://192.168.111.129:2380"
      initial-cluster: "k8smaster01=https://192.168.111.128:2380,k8smaster02=https://192.168.111.129:2380"
      initial-cluster-state: existing
    serverCertSANs:
      - k8smaster02
      - 192.168.111.129
    peerCertSANs:
      - k8smaster02
      - 192.168.111.129

controllerManagerExtraArgs:
  node-monitor-grace-period: 10s
  pod-eviction-timeout: 10s

networking:
  podSubnet: 10.244.0.0/16

kubeProxy:
  config:
    mode: ipvs
    # mode: iptables
EOF

# 配置kubelet
kubeadm alpha phase certs all --config kubeadm-master.config
kubeadm alpha phase kubelet config write-to-disk --config kubeadm-master.config
kubeadm alpha phase kubelet write-env-file --config kubeadm-master.config
kubeadm alpha phase kubeconfig kubelet --config kubeadm-master.config
systemctl restart kubelet

# 添加etcd到集群中
export KUBECONFIG=/etc/kubernetes/admin.conf 
kubectl exec -n kube-system etcd-k8smaster01 -- etcdctl --ca-file /etc/kubernetes/pki/etcd/ca.crt --cert-file /etc/kubernetes/pki/etcd/peer.crt --key-file /etc/kubernetes/pki/etcd/peer.key --endpoints=https://192.168.111.128:2379 member add k8smaster02 https://192.168.111.129:2380
kubeadm alpha phase etcd local --config kubeadm-master.config
# 提前拉取镜像
kubeadm config images pull --config kubeadm-master.config

# 部署
kubeadm alpha phase kubeconfig all --config kubeadm-master.config
kubeadm alpha phase controlplane all --config kubeadm-master.config
kubeadm alpha phase mark-master --config kubeadm-master.config

 

配置k8smaster03(192.168.111.130上操作)

 

cd /etc/kubernetes
# 生成配置文件
cat >kubeadm-master.config<<EOF
apiVersion: kubeadm.k8s.io/v1alpha2
kind: MasterConfiguration
kubernetesVersion: v1.11.1
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers

apiServerCertSANs:
- "k8smaster01"
- "k8smaster02"
- "k8smaster03"
- "192.168.111.128"
- "192.168.111.129"
- "192.168.111.130"
- "192.168.111.100"
- "127.0.0.1"

api:
  advertiseAddress: 192.168.111.130
  controlPlaneEndpoint: 192.168.111.100:8443

etcd:
  local:
    extraArgs:
      listen-client-urls: "https://127.0.0.1:2379,https://192.168.111.130:2379"
      advertise-client-urls: "https://192.168.111.130:2379"
      listen-peer-urls: "https://192.168.111.130:2380"
      initial-advertise-peer-urls: "https://192.168.111.130:2380"
      initial-cluster: "k8smaster01=https://192.168.111.128:2380,k8smaster02=https://192.168.111.129:2380,k8smaster03=https://192.168.111.130:2380"
      initial-cluster-state: existing
    serverCertSANs:
      - k8smaster03
      - 192.168.111.130
    peerCertSANs:
      - k8smaster03
      - 192.168.111.130

controllerManagerExtraArgs:
  node-monitor-grace-period: 10s
  pod-eviction-timeout: 10s

networking:
  podSubnet: 10.244.0.0/16

kubeProxy:
  config:
    mode: ipvs
    # mode: iptables
EOF
# 配置kubelet
kubeadm alpha phase certs all --config kubeadm-master.config
kubeadm alpha phase kubelet config write-to-disk --config kubeadm-master.config
kubeadm alpha phase kubelet write-env-file --config kubeadm-master.config
kubeadm alpha phase kubeconfig kubelet --config kubeadm-master.config
systemctl restart kubelet

# 添加etcd到集群中
KUBECONFIG=/etc/kubernetes/admin.conf
kubectl exec -n kube-system etcd-k8smaster01 -- etcdctl --ca-file /etc/kubernetes/pki/etcd/ca.crt --cert-file /etc/kubernetes/pki/etcd/peer.crt --key-file /etc/kubernetes/pki/etcd/peer.key --endpoints=https://192.168.111.128:2379 member add k8smaster03 https://192.168.111.130:2380
kubeadm alpha phase etcd local --config kubeadm-master.config
# 提前拉取镜像
kubeadm config images pull --config kubeadm-master.config

# 部署
kubeadm alpha phase kubeconfig all --config kubeadm-master.config
kubeadm alpha phase controlplane all --config kubeadm-master.config
kubeadm alpha phase mark-master --config kubeadm-master.config

配置使用kubectl (master 任意节点执行)

rm -rf $HOME/.kube
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

# 查看node节点
 kubectl get nodes
 
# 只有网络插件也安装配置完成之后,才能会显示为ready状态
# 设置master允许部署应用pod,参与工作负载,现在可以部署其他系统组件

配置使用网络插件(任意master节点上操作)

# 下载配置
cd /etc/kubernetes
mkdir flannel && cd flannel
wget https://raw.githubusercontent.com/coreos/flannel/v0.10.0/Documentation/kube-flannel.yml
 
# 修改配置
# 此处的ip配置要与上面kubeadm的pod-network一致
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
 
# 修改镜像
image: registry.cn-shanghai.aliyuncs.com/gcr-k8s/flannel:v0.10.0-amd64
 
# 如果Node有多个网卡的话,参考flannel issues 39701,
# https://github.com/kubernetes/kubernetes/issues/39701
# 目前需要在kube-flannel.yml中使用--iface参数指定集群主机内网网卡的名称,
# 否则可能会出现dns无法解析。容器无法通信的情况,需要将kube-flannel.yml下载到本地,
# flanneld启动参数加上--iface=<iface-name>
    containers:
      - name: kube-flannel
        image: registry.cn-shanghai.aliyuncs.com/gcr-k8s/flannel:v0.10.0-amd64
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        - --iface=ens33
 
# 启动
kubectl apply -f kube-flannel.yml
 
# 查看
kubectl get pods --namespace kube-system
kubectl get svc --namespace kube-system

配置node节点加入集群(所有的node节点上操作)

以下上master生成的,与你环境可能不符合  
kubeadm join 192.168.111.100:8443 --token uf9oul.7k4csgxe5p7upvdb --discovery-token-ca-cert-hash sha256:36bc173b46eb0545fc30dd5db2d27dab70a257bd406fd791647d991a69454595

node节点报错处理办法:

tail -f /var/log/message
Jul 19 07:52:21 localhost kubelet: E0726 07:52:21.336281   10018 summary.go:102] Failed to get system container stats for "/system.slice/kubelet.service": failed to get cgroup stats for "/system.slice/kubelet.service": failed to get container info for "/system.slice/kubelet.service": unknown container "/system.slice/kubelet.service"

在kubelet配置文件追加以下配置

/etc/sysconfig/kubelet

# Append configuration in Kubelet
--runtime-cgroups=/systemd/system.slice --kubelet-cgroups=/systemd/system.slice
 

 

这样一个集群环境配置完成里,其余的是自己添加附件吧。