节点四台:master、node01、node02、harbor
安装软件:链接:https://pan.baidu.com/s/1iBM9ymdvmQi67DPJ93OF0w 密码:k2m6
设置系统主机名及host文件解析
#hostnamectl set-hostname k8s-master hostnamectl set-hostname k8s-node01 hostnamectl set-hostname k8s-node02
安装依赖包
#yum -y install conntrack ntpdate ntp ipvsadm ipset jq iptables curl sysstat libseccomp wget vim net-tools git
设置防火墙为iptables规则并设置空规则
#systemctl stop firewalld&&systemctl disable firewalld #yum -y install iptables-services && systemctl start iptables && systemctl enable iptables && iptables -F && service iptables save
关闭SElinux
# swapoff -a && sed -i '/ swap / s/^(.*)$/#1/g' /etc/fstab #setenforce 0 && sed -I 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
调整内核参数
#cat > kubernetes.conf << EOF net.bridge.bridge-nf-call-iptables=1 net.bridge.bridge-nf-call-ip6tables=1 net.ipv4.ip_forward=1 net.ipv4.tcp_tw_recycle=0 vm.swappiness=0 #禁止使用swap空间 vm.overcommit_memory=1 #不检查物理内存 vm.panic_on_oom=0 fs.inotify.max_user_instances=8192 fs.inotify.max_user_watches=1048576 fs.file-max=52706963 fs.nr_open=52706963 net.ipv6.conf.all.disable_ipv6=1 net.netfilter.nf_conntrack_max=2310720 EOF
开机调用kubernetes.conf,并生效
#cp kubernetes.conf /etc/sysctl.d/kubernetes.conf #sysctl -p /etc/sysctl.d/kubernetes.conf
调整系统时区-安装系统时选择上海,这步跳过
设置时区 中国/上海
#timedatectl set-timezone Asia/Shanghai
将当前UTC时间写入硬件时钟
#timedatectl set-local-rtc 0
重启依赖于系统时间的服务
#systemctl restart rsyslog #systemctl restart crond
关闭系统邮件服务
#systemctl stop postfix&&systemctl disable postfix
设置系统日志服务rsyslogd和systemd journald
创建持久化目录
# mkdir /var/log/journal
创建journald配置文件
# mkdir /etc/systemd/journal.conf.d #cat > /etc/systemd/journal.conf.d/99-prophet.conf <<EOF [ Journal ] #持久化保存到磁盘 Storage=persistent #压缩历史日志 Compress=yes SyncIntervalSec=5m RateLimitInterval=30s RateLimitBurst=1000 #最大占用空间 SystemMaxUse=10G #单日志文件最大 200M SystemMaxFileSize=200M #日志保存时间 MaxRetentionSec=2week #不讲日志转发到 syslog ForwardToSyslog=no EOF #systemctl restart systemd-journald
升级系统内核为4.44版本
#rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
查看 /boot/grub2/grub.cfg是否存在menuentry 中是否包含 initrd16配置,如果没有重新安装
#cat /boot/grub2/grub.cfg|grep initrd16 #yum --enablerepo=elrepo-kernel install -y kernel-lt
设置开几重启内核
#grub2-set-default 'CentOS Linux (4.4.214-1.el7.elrepo.x86_64) 7 (core)' #reboot
检查下三台节点内核版本是否为4.44
#uname -r 4.4.214-1.el7.elrepo.x86_64
Kube-proxy开启ipvs前置条件
#modprobe br_netfilter #cat > /etc/sysconfig/modules/ipvs.modules << EOF #!/bin/bash modprobe -- ip_vs modprobe -- ip_vs_rr modprobe -- ip_vs_wrr modprobe -- ip_vs_sh modprobe -- nf_conntrack_ipv4 EOF #chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod |grep -e ip_vs -e nf_conntrack_ipv4
安装docker
#yum -y install yum-utils device-mapper-persistent-data lvm2 #yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo # yum update -y && yum install -y docker-ce
创建 /etc/docker 目录
#mkdir /etc/docker #grub2-set-default 'CentOS Linux (4.4.214-1.el7.elrepo.x86_64) 7 (core)'&&reboot
设置docker启动,开机自启
# systemctl start docker && systemctl enable docker
创建 daemon.json 配置文件,将存储日志的方式改为为 json file 格式存储,方便日后从 /var/log/container/ 下查找容器日志,之后就可以从 efk 中搜索索引信息了
#cat > /etc/docker/daemon.json << EOF { "registry-mirrors": ["https://registry.docker-cn.com"], "exec-opts": ["native.cgroupdriver=systemd"], #centos7中有两种cgroup组(cgroupfx, cgroupdriver)是由systemd做隔离 "log-driver": "json-file", "log-opts": { "max-size": "100m" } } EOF #mkdir -p /etc/systemd/system/docker.service.d #systemctl daemon-reload && systemctl restart docker && systemctl enable docker
安装kubeadm
#cat << EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/ gpgcheck=1 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg EOF #yum -y install kubeadm-1.15.1 kubectl-1.15.1 kubelet-1.15.1 #systemctl enable kubelet
导入kubernetes系统镜像,百度云盘链接:https://pan.baidu.com/s/1iBM9ymdvmQi67DPJ93OF0w 密码:k2m6
# tar xf kubeadm-basic.images.tar.gz
批量导入镜像脚本
# vim docker-load.sh #!/bin/bash ls /root/rpm/kubeadm-basic.images > /root/docker-load-list.txt cd /root/rpm/kubeadm-basic.images for i in $(cat /root/docker-load-list.txt) do docker load -i $i done #chmod a+x docker-load.sh #./docker-load.sh
在master节点操作,导出kubeadm-config.yaml配置文件
#kubeadm config print init-defaults > /etc/kubernetes/kubeadm-config.yaml #vim kubeadm-config.yaml 第12行:advertiseAddress:192.168.1.11 第34行:kubernetesVersion: v1.15.1 第36行下增加:podSubnet: "10.244.0.0/16" #pod网段
初始化master
#kubeadm init --config=/etc/kubernetes/kubeadm-config.yaml --experimental-upload-certs | tee kubeadm-init.log
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.1.11:6443 --token abcdef.0123456789abcdef
--discovery-token-ca-cert-hash sha256:69540b24d9d2eaa4fd9a9d533bfde8c6520ce7586366fa9e35474e94553532ba
# mkdir -p $HOME/.kube # cp -i /etc/kubernetes/admin.conf $HOME/.kube/config # chown $(id -u):$(id -g) $HOME/.kube/config # echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile # source ~/.bash_profile
保留安装文件
#mkdir install-k8s # mv /etc/kubernetes/kubeadm-config.yaml /etc/kubernetes/kubeadm-init.log /usr/local/kubernetes/install-k8s/
master安装flannel
#wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml # kubectl create -f kube-flannel.yml
没有镜像可以下载国内镜像,然后重新打标签,将镜像scp到node01和node02节点上,docker load即可
#docker pull lizhenliang/flannel:v0.11.0-amd64 #docker tag lizhenliang/flannel:v0.11.0-amd64 quay.io/coreos/flannel:v0.11.0-amd64
Node01和Node02节点加入k8s集群
#tail -5 /usr/local/kubernetes/install-k8s/kubeadm-init.log #kubeadm join 192.168.1.11:6443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:69540b24d9d2eaa4fd9a9d533bfde8c6520ce7586366fa9e35474e94553532ba
安装harbor仓库
#mv docker-compose /usr/local/bin/ #chmod a+x /usr/local/bin/docker-compose #tar xf harbor-offline-installer-v1.2.0.tgz -C /usr/local/harbor
修改harbor配置文件
#vim harbor.cfg 第五行:hostname = edwin.registry.docker.com 第九行:ui_url_protocol = https #mkdir -p /data/cert/&&cd /data/cert/
制作证书
生成server.key
#openssl genrsa -des3 -out server.key 2048
生成server.csr私钥
#openssl req -new -key server.key -out server.csr
# cp server.key server.key.bak
验证时不使用密码
# openssl rsa -in server.key.bak -out server.key
为生成证书签名
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
为生成的证书授予权限
# chmod a+x * # cd /usr/loacl/harbor/ # ./install.sh
为k8s集群下的主机配置hosts主机解析
# echo "192.168.1.11 edwin.registry.docker.com" >> /etc/hosts