服务器信息
image.png
官网及下载地址
kubernetes官网:https://github.com/kubernetes/kubernetes/releases
安装版本1.21,下载地址在官网:https://dl.k8s.io/v1.21.1/kubernetes-server-linux-amd64.tar.gz
其他版本:https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG(各版本的CHANGELOG中列出了下载包的sha512校验值,下载后建议先用sha512sum核对,再解压安装)
配置yum源/etc/yum.repos.d/kubernetes.repo
# NOTE(review): this variant fetches packages over plain http:// and sets
# gpgcheck=0, so neither the transport nor the RPM signatures are verified;
# anything able to tamper with the connection can substitute packages.
# Prefer a repo definition that uses https and gpgcheck=1 with a gpgkey.
[kubernetes]
name=Kubernetes
baseurl=http://yum.kubernetes.io/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
配置阿里yum源/etc/yum.repos.d/kubernetes.repo
# Write the Aliyun mirror definition for the Kubernetes yum repository.
# gpgcheck and repo_gpgcheck stay enabled, so RPMs and repository metadata
# are checked against the two keys listed in gpgkey. The heredoc delimiter
# is quoted so the body is written literally, with no shell expansion.
cat > /etc/yum.repos.d/kubernetes.repo <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
Master上的etcd、kube-apiserver、kube-controller-manager、kube-scheduler服务
etcd服务
官网:https://github.com/coreos/etcd/releases
下载地址:https://github.com/etcd-io/etcd/releases/download/v3.5.0/etcd-v3.5.0-linux-amd64.tar.gz
# Install the systemd unit for etcd. ExecStart passes no flags and the
# EnvironmentFile is optional (leading '-'), so unless /etc/etcd/etcd.conf
# is created separately etcd runs with its built-in defaults.
# NOTE(review): etcd stores every cluster object, Secrets included. The
# defaults are understood to serve clients over plain HTTP without client
# authentication on loopback -- confirm, and add TLS plus client-cert auth
# before binding etcd to any non-loopback address.
cat > /usr/lib/systemd/system/etcd.service <<'EOF'
[Unit]
Description=Etcd Server
After=network.target
[Service]
Type=simple
WorkingDirectory=/var/lib/etcd
EnvironmentFile=-/etc/etcd/etcd.conf
ExecStart=/usr/bin/etcd
[Install]
WantedBy=multi-user.target
EOF
# Start etcd and verify it.
# The unit's WorkingDirectory must exist before the service is launched.
mkdir -p /var/lib/etcd
systemctl daemon-reload
for verb in enable start; do
  systemctl "$verb" etcd.service
done
# Verification: unit state, cluster membership, endpoint health.
systemctl status etcd
etcdctl member list
etcdctl endpoint health
生成k8s证书
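# Build the cluster PKI under /etc/kubernetes/cert: a self-signed CA, the
# API server's serving certificate, and one shared client certificate.
# Every private key is generated inside a subshell with umask 077 so the
# new file is never readable by other local users, whatever file mode the
# installed OpenSSL would otherwise apply.
mkdir -p /etc/kubernetes/cert
cd /etc/kubernetes/cert/

# CA private key and self-signed root certificate.
# NOTE(review): whoever holds ca.key can mint any identity this cluster
# trusts; keep it on the signing host only. -days 5000 is roughly 13.7
# years with no rotation procedure in this guide.
(umask 077 && openssl genrsa -out ca.key 2048)
# /CN is the master's hostname; ca.crt is the root certificate file.
openssl req -x509 -new -nodes -key ca.key -subj "/CN=k8s-master" -days 5000 -out ca.crt

# OpenSSL request config for the API server certificate. alt_names must
# list every DNS name and IP that clients use to reach the API server;
# IP.1 lies inside the 10.244.0.0/16 service range passed to kube-apiserver.
# The delimiter is quoted so the body is written literally.
cat > master_ssl.cnf <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = k8s-master
IP.1 = 10.244.0.1
IP.2 = 43.132.164.159
EOF

# Server certificate files: key, CSR, then the certificate signed by the
# CA with the v3_req extensions (SANs) applied via -extensions/-extfile.
(umask 077 && openssl genrsa -out server.key 2048)
openssl req -new -key server.key -subj "/CN=k8s-master" -config master_ssl.cnf -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.cnf -out server.crt

# Client certificate files. Signing passes no -extfile, so the SANs from
# master_ssl.cnf are not carried into cs_client.crt.
# NOTE(review): the kubeconfig files later in this guide hand this single
# certificate to kube-controller-manager, kube-scheduler and kubectl, so
# all three authenticate as the same subject (CN=k8s-master) and cannot be
# told apart in audit logs or given separate permissions.
(umask 077 && openssl genrsa -out cs_client.key 2048)
openssl req -new -key cs_client.key -subj "/CN=k8s-master" -config master_ssl.cnf -out cs_client.csr
openssl x509 -req -in cs_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -out cs_client.crt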
kube-apiserver 服务
# Shell step: directory that holds the per-component argument files.
mkdir -p /etc/kubernetes
# The unit file below is created by hand at the path named in the next line.
#vi /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API server
After=network.target
[Service]
# The leading '-' makes the environment file optional: if it is missing,
# systemd still starts the unit and $KUBE_API_ARGS expands to nothing.
EnvironmentFile=-/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver $KUBE_API_ARGS
Restart=on-failure
# notify: systemd treats the unit as started once the process reports
# readiness.
Type=notify
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
# Argument file read by kube-apiserver.service, then enable/start/inspect
# the unit. The heredoc delimiter is quoted so the line is written
# literally.
# NOTE(review) on the flags below:
#  - no --authorization-mode is set; confirm the release default, which
#    may authorize every authenticated request regardless of identity;
#  - --service-node-port-range=1-65535 lets NodePort services claim any
#    port, including ones used by host daemons;
#  - --allow-privileged=true permits privileged containers cluster-wide;
#  - server.key doubles as the service-account signing/verification key,
#    coupling token signing to the TLS serving key;
#  - etcd is reached over plain http on loopback.
cat > /etc/kubernetes/apiserver <<'EOF'
KUBE_API_ARGS="--etcd-servers=http://127.0.0.1:2379 --client-ca-file=/etc/kubernetes/cert/ca.crt --tls-private-key-file=/etc/kubernetes/cert/server.key --tls-cert-file=/etc/kubernetes/cert/server.crt --service-account-signing-key-file=/etc/kubernetes/cert/server.key --service-account-key-file=/etc/kubernetes/cert/server.key --service-account-issuer=https://kubernetes.default.svc --service-cluster-ip-range=10.244.0.0/16 --service-node-port-range=1-65535 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota --logtostderr=false --log-dir=/var/log/kubernetes --v=0 --allow-privileged=true"
EOF
for verb in enable start status; do
  systemctl "$verb" kube-apiserver
done
安装controller-manager
# The unit file below is created by hand at the path named in the next line.
#vi /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
# Ordered after, and hard-dependent on, the API server unit on this host.
After=kube-apiserver.service
Requires=kube-apiserver.service
[Service]
# Leading '-': a missing file is not an error; the unit then starts with
# $KUBE_CONTROLLER_MANAGER_ARGS empty.
EnvironmentFile=-/etc/kubernetes/controller-manager
ExecStart=/usr/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
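# Argument file for kube-controller-manager.service.
# NOTE(review): --service-account-private-key-file points at the API
# server's TLS key (server.key), so one key both serves TLS and signs
# service-account tokens.
cat > /etc/kubernetes/controller-manager <<'EOF'
KUBE_CONTROLLER_MANAGER_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --service-account-private-key-file=/etc/kubernetes/cert/server.key --root-ca-file=/etc/kubernetes/cert/ca.crt --log-dir=/var/log/kubernetes --v=0"
EOF

# Client kubeconfig used on the master. The YAML nesting is restored here:
# with every key at column 0 the user, cluster and context entries are not
# attached to their list items and the file is not a usable kubeconfig.
# The "name" under users is only a local label; the identity presented to
# the API server is the subject of cs_client.crt.
cat > /etc/kubernetes/kubeconfig <<'EOF'
apiVersion: v1
kind: Config
users:
- name: system:kube-controller-manager
  user:
    client-certificate: /etc/kubernetes/cert/cs_client.crt
    client-key: /etc/kubernetes/cert/cs_client.key
clusters:
- name: kubernetes
  cluster:
    certificate-authority: /etc/kubernetes/cert/ca.crt
    server: https://43.132.164.159:6443
contexts:
- name: system:kube-controller-manager@kubernetes
  context:
    cluster: kubernetes
    user: system:kube-controller-manager
current-context: system:kube-controller-manager@kubernetes
preferences: {}
EOF

# Register, start and inspect the unit.
systemctl enable kube-controller-manager
systemctl start kube-controller-manager
systemctl status kube-controller-manager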
安装kube-scheduler
# The unit file below is created by hand at the path named in the next line.
#vi /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
# Ordered after, and hard-dependent on, the API server unit on this host.
After=kube-apiserver.service
Requires=kube-apiserver.service
[Service]
# Leading '-': a missing file is not an error; the unit then starts with
# $KUBE_SCHEDULER_ARGS empty.
EnvironmentFile=-/etc/kubernetes/scheduler
ExecStart=/usr/bin/kube-scheduler $KUBE_SCHEDULER_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
# Argument file for kube-scheduler.service, then enable/start/inspect the
# unit. --kubeconfig points at the same /etc/kubernetes/kubeconfig that
# kube-controller-manager uses, so the scheduler authenticates with the
# same client certificate. The delimiter is quoted so the line is written
# literally.
cat > /etc/kubernetes/scheduler <<'EOF'
KUBE_SCHEDULER_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=0"
EOF
for verb in enable start status; do
  systemctl "$verb" kube-scheduler
done
master分发ca文件到node节点
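# Copy the CA material from the master to the worker node.
# The target directory is created first: the guide only creates it on the
# node in a later step, and scp to a missing directory fails.
# NOTE(review): ca.key is copied only because the kubelet certificate is
# signed on the node in a later step. A node that holds the CA private key
# can issue certificates for any identity the API server trusts, so a
# compromised worker compromises the whole cluster. Prefer sending the
# kubelet CSR to the master, signing it there, and returning only
# kubelet_client.crt; if the key is copied anyway, delete it from the node
# once signing is done.
cd /etc/kubernetes/cert/
ssh k8s-node1 'mkdir -p /etc/kubernetes/cert'
scp ca.crt k8s-node1:/etc/kubernetes/cert/
scp ca.key k8s-node1:/etc/kubernetes/cert/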
node 安装docker
# Install the container runtime on the node, register and start it, then
# show its state.
yum -y install docker
for verb in enable start status; do
  systemctl "$verb" docker
done
# Directory that receives the CA files and the kubelet key pair.
mkdir -p /etc/kubernetes/cert
生成kubelet证书
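# Create the kubelet's client key and certificate on the node.
# The key is generated in a subshell with umask 077 so the file is never
# readable by other local users.
# NOTE(review): the signing step runs on the node and therefore needs
# ca.key there; remove ca.key from the node afterwards, or sign the CSR on
# the master instead.
# NOTE(review): the subject is only CN=<node IP> with no organization. If
# Node/RBAC authorization is enabled later, kubelet credentials are
# conventionally CN=system:node:<nodeName>, O=system:nodes -- confirm
# before tightening authorization.
cd /etc/kubernetes/cert
(umask 077 && openssl genrsa -out kubelet_client.key 2048)
openssl req -new -key kubelet_client.key -subj "/CN=43.132.158.54" -out kubelet_client.csr
openssl x509 -req -in kubelet_client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -out kubelet_client.crt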
node安装kubelet
# The unit file below is created by hand at the path named in the next line.
#vi /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet Server
# Ordered after, and hard-dependent on, the docker unit.
After=docker.service
Requires=docker.service
[Service]
WorkingDirectory=/var/lib/kubelet
# Leading '-': a missing file is not an error; the unit then starts with
# $KUBELET_ARGS empty.
EnvironmentFile=-/etc/kubernetes/kubelet
ExecStart=/usr/bin/kubelet $KUBELET_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
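# Directories the kubelet unit and its configuration expect.
mkdir -p /var/lib/kubelet
mkdir -p /etc/kubernetes

# Argument file for kubelet.service; --hostname-override registers the
# node under its IP address.
cat > /etc/kubernetes/kubelet <<'EOF'
KUBELET_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --hostname-override=43.132.158.54 --logtostderr=false --log-dir=/var/log/kubernetes --v=0"
EOF

# Node-side kubeconfig. The YAML nesting is restored here: with every key
# at column 0 the user, cluster and context entries are not attached to
# their list items and the file is not a usable kubeconfig.
# NOTE(review): kube-proxy on this node is pointed at this same file later
# in the guide, so kubelet and kube-proxy share one client certificate.
cat > /etc/kubernetes/kubeconfig <<'EOF'
apiVersion: v1
kind: Config
users:
- name: default-auth
  user:
    client-certificate: /etc/kubernetes/cert/kubelet_client.crt
    client-key: /etc/kubernetes/cert/kubelet_client.key
clusters:
- name: kubernetes
  cluster:
    certificate-authority: /etc/kubernetes/cert/ca.crt
    server: https://43.132.164.159:6443
contexts:
- name: default-context
  context:
    cluster: kubernetes
    namespace: default
    user: default-auth
current-context: default-context
preferences: {}
EOF

# Register, start and inspect the unit.
systemctl enable kubelet
systemctl start kubelet
systemctl status kubelet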
kubelet启动错误解决
#错误信息如下
E0630 19:37:16.179444 13614 server.go:292] "Failed to run kubelet" err="failed to run Kubelet: misconfiguration: kubelet cgroup driver: \"cgroupfs\" is different from docker cgroup driver: \"systemd\""
# 查看docker Cgroup Driver
[root@k8s-node1 ~]# docker info
#修改docker.service
vi /lib/systemd/system/docker.service
找到
--exec-opt native.cgroupdriver=systemd
修改为:
--exec-opt native.cgroupdriver=cgroupfs
# Restart docker: reload the unit definitions first so the edited
# docker.service (changed cgroup driver) is the one that gets started.
systemctl daemon-reload
systemctl restart docker
node安装kube-proxy
# The unit file below is created by hand at the path named in the next line.
#vi /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube-proxy Server
After=network.target
Requires=network.target
[Service]
# Leading '-': a missing file is not an error; the unit then starts with
# $KUBE_PROXY_ARGS empty.
EnvironmentFile=-/etc/kubernetes/kube-proxy
ExecStart=/usr/bin/kube-proxy $KUBE_PROXY_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
# Argument file for kube-proxy.service, then enable/start/inspect the unit.
# --kubeconfig is the node's /etc/kubernetes/kubeconfig, i.e. kube-proxy
# authenticates with the kubelet's client certificate. The delimiter is
# quoted so the line is written literally.
cat > /etc/kubernetes/kube-proxy <<'EOF'
KUBE_PROXY_ARGS="--kubeconfig=/etc/kubernetes/kubeconfig --logtostderr=false --log-dir=/var/log/kubernetes --v=2"
EOF
for verb in enable start status; do
  systemctl "$verb" kube-proxy
done
master节点配置kubectl
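# Write the kubectl configuration for the current user on the master.
#  - mkdir -p on "$HOME/.kube" matches the path the file is written to and
#    does not fail when the directory already exists.
#  - The YAML nesting is restored: with every key at column 0 the user,
#    cluster and context entries are not attached to their list items.
#  - The source left "server:" as a bare "https://"; it is filled in with
#    the API server address used by the other kubeconfig files in this
#    guide.
#  - The file is restricted to its owner afterwards.
# NOTE(review): this admin context reuses cs_client.crt, the certificate
# also given to kube-controller-manager and kube-scheduler, so interactive
# admin actions and component traffic share one identity.
mkdir -p "$HOME/.kube"
cat > "$HOME/.kube/config" <<'EOF'
apiVersion: v1
kind: Config
users:
- name: kubernetes-admin
  user:
    client-certificate: /etc/kubernetes/cert/cs_client.crt
    client-key: /etc/kubernetes/cert/cs_client.key
clusters:
- name: kubernetes
  cluster:
    certificate-authority: /etc/kubernetes/cert/ca.crt
    server: https://43.132.164.159:6443
contexts:
- name: kubernetes-admin@kubernetes
  context:
    cluster: kubernetes
    user: kubernetes-admin
current-context: kubernetes-admin@kubernetes
preferences: {}
EOF
chmod 600 "$HOME/.kube/config"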
检查集群及节点状态
[root@k8s_master ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
43.132.158.54 Ready <none> 8m10s v1.21.1
[root@k8s_master ~]# kubectl get cs
Warning: v1 ComponentStatus is deprecated in v1.19+
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Healthy {"health":"true","reason":""}
参考文档