基础环境配置
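# Base host preparation for a kubeadm node (run as root).

# Turn swap off now and delete every fstab line mentioning swap so it stays
# off after a reboot (kubelet of this generation will not start with swap on).
swapoff -a
sed -i '/swap/d' /etc/fstab

# NOTE(review): stopping firewalld removes host-level packet filtering
# entirely. On hosts reachable from untrusted networks, keep it running and
# allow only the ports the cluster components need.
systemctl stop firewalld
systemctl disable firewalld

# setenforce 0 switches the running system to permissive mode. Persist the
# same mode (permissive rather than disabled) so the state after a reboot
# matches the running state and SELinux denials are still logged for audit.
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

# Default policy for forwarded packets. This is broad (everything routed
# through the host is accepted) and is not persisted across reboots.
iptables -P FORWARD ACCEPT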
添加docker源和安装docker
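# Add the Docker CE repository (DaoCloud mirror, fetched over HTTPS) and
# install the Docker release this guide was written against.
yum install -y yum-utils
yum-config-manager --add-repo https://download.daocloud.io/docker/linux/centos/docker-ce.repo

# The version glob is quoted so the shell hands it to yum unchanged instead of
# expanding it against files in the current directory.
# NOTE(review): 18.06.1 is the release pinned by the page; check it against
# the Docker versions supported by the Kubernetes release being installed and
# against current security fixes before reusing this line.
yum install -y --setopt=obsoletes=0 'docker-ce-18.06.1.ce*'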
添加kubernetes源和安装kubeadm,kubelet,kubectl,ipvsadm
# Register the Kubernetes yum repository (Aliyun mirror) and install the node
# tooling. gpgcheck and repo_gpgcheck are both on, so packages and repository
# metadata are signature-checked against the two keys listed in gpgkey; those
# keys are fetched over HTTPS from the same mirror.
cat > /etc/yum.repos.d/kubernetes.repo <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

# NOTE(review): no versions are given, so yum installs whatever is newest in
# the repository; confirm that matches the kubeadm config used later.
yum install -y kubelet kubeadm kubectl ipvsadm
修改内核参数
# Kernel parameters for the node: pass bridged IPv4/IPv6 traffic through
# iptables/ip6tables and set swappiness to 0. The file is only written here;
# it is loaded later by the sysctl calls in the module-loading step.
cat > /etc/sysctl.d/k8s.conf <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0
EOF
加载内核模块
# List the IPVS, conntrack and bridge-netfilter modules in modules-load.d,
# then load each listed module into the running kernel.
cat > /etc/modules-load.d/k8s.module.conf <<'EOF'
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack_ipv4
br_netfilter
EOF

while read -r mod; do
  modprobe "$mod"
done < /etc/modules-load.d/k8s.module.conf

# Apply sysctl settings only after br_netfilter is loaded; the
# net.bridge.* keys do not exist before that.
sysctl --system
sysctl -p /etc/sysctl.d/k8s.conf
配置国内加速镜像,私有仓库
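# Point dockerd at a registry mirror by appending --registry-mirror to the
# ExecStart line of the packaged unit, then enable and start the service.
#
# NOTE(review): the mirror URL is plain HTTP, so tag lookups and image data
# that go through it are not protected by TLS on the wire. Use an HTTPS
# endpoint if the mirror provides one.
# NOTE(review): this edits the unit shipped by the package under /usr/lib;
# a package update may replace the file and drop the flag.
unit=/usr/lib/systemd/system/docker.service

# Only append when the flag is not there yet, so re-running the step does not
# stack duplicate flags; the pattern is anchored to the ExecStart= line itself.
if ! grep -q -- '--registry-mirror=' "$unit"; then
  sed -i 's@^ExecStart=.*@& --registry-mirror=http://3272dd08.m.daocloud.io@' "$unit"
fi

systemctl daemon-reload
systemctl enable docker
systemctl start docker
systemctl status docker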
配置kubelet
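# Make kubelet use the same cgroup driver as Docker and pull the pause image
# from the Aliyun mirror, then restart kubelet with the new arguments.

# Ask dockerd for the driver directly instead of parsing the human-readable
# `docker info` text, whose layout differs between Docker versions.
DOCKER_CGROUPS=$(docker info --format '{{.CgroupDriver}}')
printf '%s\n' "$DOCKER_CGROUPS"

if [ -z "$DOCKER_CGROUPS" ]; then
  # Without this guard an empty "--cgroup-driver=" would be written and kubelet
  # would fail later with a much less obvious error.
  echo "could not read the cgroup driver from docker; is dockerd running?" >&2
else
  # NOTE(review): the pause image comes from a third-party mirror of the
  # upstream images; that mirror is trusted for the content of every pod
  # sandbox on this node.
  printf 'KUBELET_EXTRA_ARGS="--cgroup-driver=%s --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.1"\n' \
    "$DOCKER_CGROUPS" > /etc/sysconfig/kubelet

  systemctl daemon-reload
  systemctl enable kubelet && systemctl restart kubelet
fi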
配置kubeadm(将以下内容保存为 kubeadm-config.yaml,供后面的 migrate 命令使用)
# kubeadm ClusterConfiguration for an HA control plane backed by an external
# etcd cluster. The 192.168.xxx.* values are the page's masked placeholders.
apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
kubernetesVersion: stable
# Control-plane images are pulled from this mirror rather than the default
# registry, so the mirror is trusted for the content of those images.
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
apiServer:
  # Names and addresses the API server certificate must be valid for:
  # the three masters, their IPs, the virtual IP and loopback.
  certSANs:
    - "master01"
    - "master02"
    - "master03"
    - "192.168.xxx.xxa"
    - "192.168.xxx.xxb"
    - "192.168.xxx.xxc"
    - "192.168.xxx.vip"
    - "127.0.0.1"
# NOTE(review): this is a literal address while every other address is masked,
# and the join command on this page targets 192.168.xxx.vip:6443. Presumably
# both are the same virtual IP; confirm before use.
controlPlaneEndpoint: 192.168.1.200:6443
etcd:
  external:
    # etcd is reached over TLS with a client certificate.
    endpoints:
      - https://192.168.xxx.xxa:2379
      - https://192.168.xxx.xxb:2379
      - https://192.168.xxx.xxc:2379
    caFile: /etc/etcd/certs/ca.pem
    certFile: /etc/etcd/certs/etcd.pem
    # Private key of the etcd client certificate; keep it readable by root only.
    keyFile: /etc/etcd/certs/etcd-key.pem
networking:
  podSubnet: 10.244.0.0/16
转化为新的配置文件
# Convert kubeadm-config.yaml to the config API version understood by the
# installed kubeadm and write the result to new.yaml; the remaining steps on
# this page read new.yaml.
kubeadm config migrate --old-config kubeadm-config.yaml --new-config new.yaml
拉取镜像
# Pre-pull the control-plane images named by new.yaml, i.e. from the
# imageRepository configured there, so init does not have to fetch them.
kubeadm config images pull --config new.yaml
初始化
# Bootstrap the first control-plane node from new.yaml. The output ends with a
# `kubeadm join` command containing a bootstrap token; treat that output as a
# credential. The run also writes /etc/kubernetes/admin.conf, which is read
# later on this page.
kubeadm init --config new.yaml
其他节点加入控制面
# Join another node to the control plane.
# The token and hash below are the sample values shown on this page; use the
# ones printed by `kubeadm init` on your own first master (or by
# `kubeadm token create --print-join-command`). A bootstrap token is a
# credential: anyone holding a valid one can join a node to the cluster, so
# keep real tokens out of documents and chat logs.
join_token='3lrpta.i6nyygp4fdyhdza3'

# sha256 of the cluster CA public key. It lets the joining node verify that it
# is talking to the intended API server, so keep this check in place.
ca_cert_hash='sha256:74151ca281c1034a7bcc45176d6f139b0e9d33a8929186e36d8a387d658c153c'

kubeadm join 192.168.xxx.vip:6443 \
  --token "$join_token" \
  --discovery-token-ca-cert-hash "$ca_cert_hash" \
  --experimental-control-plane
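kubeconfig中的client-certificate-data字段值是证书的base64编码后的文本,将文本解码还原为证书格式(client-key-data 同理,解码后得到私钥);最后一条命令计算 CA 证书公钥的 sha256 哈希,即 kubeadm join 的 --discovery-token-ca-cert-hash 参数值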
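# Decode the admin client certificate embedded in the kubeconfig.
awk -F ': ' '/client-certificate-data/ {print $2}' /etc/kubernetes/admin.conf \
  | base64 -d > /root/client.crt

# Decode the matching private key. This key authenticates as the cluster
# admin, so create it under a restrictive umask and force mode 600 in case an
# older, wider-permission file already exists at that path.
(
  umask 077
  awk -F ': ' '/client-key-data/ {print $2}' /etc/kubernetes/admin.conf \
    | base64 -d > /root/client.key
)
chmod 600 /root/client.key

# Print the sha256 of the cluster CA public key (DER-encoded). This is the
# value passed to `kubeadm join --discovery-token-ca-cert-hash`, prefixed
# with "sha256:".
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt \
  | openssl rsa -pubin -outform der 2>/dev/null \
  | openssl dgst -sha256 -hex \
  | sed 's/^.* //'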
安装pod网络
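# Install the flannel pod network.
# Download the manifest first instead of piping a remote URL straight into the
# cluster: the file creates cluster-wide RBAC objects and a privileged
# DaemonSet, so it should be reviewable and its checksum recordable before it
# is applied with admin rights.
# NOTE(review): the URL follows the master branch, so its content can change
# between runs; pin it to a release tag or commit once one has been chosen.
curl -fsSLo kube-flannel.yml \
  https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
sha256sum kube-flannel.yml

# Review kube-flannel.yml, then apply the local copy.
kubectl apply -f kube-flannel.yml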