1. 主机配置
cpu:1核心
内存:2GB
硬盘:50G
操作系统:CentOS8.2(下图为购买时的系统版本,已重装最新8.2)
腾讯云主机新用户购买有优惠,3年才298元。点此购买
2. 新机ssh安全加固(可跳过)
之前有过经历,主机遭受持续密码暴破攻击,所以有此操作。
# 1. 替换ssh默认端口号为18022,减少被扫描风险
sed -i 's/^[\s#]*Port[[:space:]].*$/Port 18022/g' /etc/ssh/sshd_config
# 2. 禁用ssh密码登录,改为密钥登录
# 制作密钥, 会提示输入2次密码,直接留空回车即可
ssh-keygen -t rsa -b 1024 -f /root/.ssh/id_backup
mv /root/.ssh/id_backup.pub /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
# 重要:
# id_backup是私钥,下载到本地给ssh客户端使用。
# authorized_keys是公钥,放在主机服务端。
# 两个文件备份好,下次直接把authorized_keys放到服务端即可ssh连接,不需要重新制作。
# 关闭密码登录
sed -i 's/^[\s#]*PasswordAuthentication[[:space:]].*$/PasswordAuthentication no/g' /etc/ssh/sshd_config
# 3. 重启ssh服务(此操作之后,请在ssh客户端配置私钥登录)
service sshd restart
3. 安装k8s(此时最新版本为1.21)
3.1 系统初始化
# 1. 设置系统主机名以及 Host 文件的相互解析
hostnamectl set-hostname k8s-master01
# 填写的是本机小网IP
cat >> /etc/hosts << EOF
172.17.0.6 k8s-master01
EOF
# 2. 安装依赖包
yum install -y conntrack chrony ipvsadm ipset jq iptables curl sysstat libseccomp wget net-tools git
# 3. 设置防火墙为 Iptables 并设置空规则
systemctl stop firewalld && systemctl disable firewalld
yum -y install iptables-services && systemctl start iptables && iptables -F && service iptables save
# 4. 关闭swap
swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
# 5. 关闭selinux
setenforce 0 && sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
# 6. 调整内核参数
cat > kubernetes.conf <<EOF
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
net.ipv4.tcp_tw_recycle=0
vm.swappiness=0 # 禁止使用 swap 空间,只有当系统 OOM 时才允许使用它
vm.overcommit_memory=1 # 不检查物理内存是否够用
vm.panic_on_oom=0 # 开启 OOM
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
fs.file-max=52706963 fs.nr_open=52706963
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max=2310720
EOF
cp kubernetes.conf /etc/sysctl.d/kubernetes.conf
# 执行后报此错误是正常的:
# sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory
# sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory
sysctl -p /etc/sysctl.d/kubernetes.conf
# 7. 调整时区
# 设置系统时区为 中国/上海
timedatectl set-timezone Asia/Shanghai
# 将当前的 UTC 时间写入硬件时钟
timedatectl set-local-rtc 0
# 重启依赖于系统时间的服务
systemctl restart rsyslog
systemctl restart crond
# 8. 关闭系统不需要服务
systemctl stop postfix && systemctl disable postfix
# 9. 设置 rsyslogd 和 systemd journald
mkdir /var/log/journal # 持久化保存日志的目录
mkdir /etc/systemd/journald.conf.d
cat > /etc/systemd/journald.conf.d/99-prophet.conf <<EOF
[Journal]
# 持久化保存到磁盘
Storage=persistent
# 压缩历史日志
Compress=yes
SyncIntervalSec=5m
RateLimitInterval=30s
RateLimitBurst=1000
# 最大占用空间 10G
SystemMaxUse=10G
# 单日志文件最大 200M
SystemMaxFileSize=200M
# 日志保存时间2周
MaxRetentionSec=2week
# 不将日志转发到
syslog ForwardToSyslog=no
EOF
systemctl restart systemd-journald
3.2 部署安装
# 1. kube-proxy开启ipvs的前置条件
modprobe br_netfilter
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack_ipv4
# 2. 安装 Docker 软件
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum update -y && yum install -y docker-ce
## 创建/etc/docker目录
mkdir /etc/docker
# 配置 daemon.
cat > /etc/docker/daemon.json <<EOF
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": { "max-size": "100m" }
}
EOF
mkdir -p /etc/systemd/system/docker.service.d
# 重启docker服务
systemctl daemon-reload && systemctl restart docker && systemctl enable docker
# 3. 安装 Kubeadm(主从配置)
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
EOF
yum -y install kubeadm kubectl kubelet
systemctl enable kubelet.service
# 4. 初始化主节点
kubeadm config print init-defaults > kubeadm-config.yaml
# ip设置为此节点的IP
sed -i "s/advertiseAddress: .*/advertiseAddress: 172.17.0.6/g" kubeadm-config.yaml
# 指定pod子网
sed -r -i "s|serviceSubnet: (.*)|podSubnet: \"10.244.0.0/16\"\n serviceSubnet: \1|g" kubeadm-config.yaml
# 指定主机名
sed -i "s/name: .*/name: k8s-master01/g" kubeadm-config.yaml
# 设置国内源
sed -i "s|imageRepository.*|imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers|g" kubeadm-config.yaml
#指定网络使用ipvs模式
cat <<EOF >> kubeadm-config.yaml
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
kubeProxy:
config:
mode: ipvs
EOF
# 这个镜像要手动先拉取并改名
# 否则无法从aliyuncs拉取,报错:[ERROR ImagePull]: failed to pull image registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:v1.8.0: output: Error response from daemon: manifest for registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:v1.8.0 not found: manifest unknown: manifest unknown, error: exit status 1
docker pull coredns/coredns
docker tag coredns/coredns:latest registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:v1.8.0
docker rmi coredns/coredns:latest
# 执行初始化
kubeadm init --config=kubeadm-config.yaml --ignore-preflight-errors=NumCPU --upload-certs | tee kubeadm-init.log
# 按照上一条命令的提示,执行如下命令(请按实际情况执行):
# 这一步在k8s 1.21版本好像不用执行了,上面init完就可以了
# kubeadm join 172.17.0.6:6443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:b4e42301c67f7796d2a66641d75617a6c52e5e0579cb5bcad716c5d2cba066f2
# 配置kubectl
echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile
source ~/.bash_profile
# 5. 部署flannel网络
# 官网的kubeflannel.yml老是不能访问,我自己放了一个在github
kubectl apply -f https://codingsea.com/images/static_res/kubeflannel.yml
# 等待flannel pod安装完成,查看节点状态为ready
[root@VM-0-6-centos kubernetes]# kubectl get node
NAME STATUS ROLES AGE VERSION
node Ready control-plane,master 13m v1.21.2
# 修复coredns1.8 bug,否则coredns pod状态一直异常
# 错误日志为:E0627 18:12:23.287866 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.21.1/tools/cache/reflector.go:167: Failed to watch *v1.EndpointSlice: failed to list *v1.EndpointSlice: endpointslices.discovery.k8s.io is forbidden: User "system:serviceaccount:kube-system:coredns" cannot list resource "endpointslices" in API group "discovery.k8s.io" at the cluster scope
# 参考链接: https://githubmemory.com/repo/coredns/helm/issues/9
kubectl edit clusterrole system:coredns
# 在最后添加下面内容, 并等待一分钟左右,coredns恢复正常:
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
# 去除k8s-master01节点不允许调度POD的配置
kubectl taint node k8s-master01 node-role.kubernetes.io/master-
# 确认所有pod和node正常
kubectl get pod -n kube-system
kubectl get node -n kube-system
编程之海 版权所有丨如未注明,均为原创丨转载请注明转自:https://codingsea.com/k8s-install/