yum安裝k8s集群（單master節(jié)點(diǎn)方式）

一、環(huán)境準(zhǔn)備

1、系統(tǒng)要求

按量付費(fèi)阿里云主機(jī)三臺(tái)

要求：centos7.6~7.8；以下為 https://kuboard.cn/install/install-k8s.html#%E6%A3%80%E6%9F%A5-centos-hostname 網(wǎng)站的檢驗(yàn)結(jié)果。

CentOS 版本本文檔是否兼容備注

7.8	😄	已驗(yàn)證
7.7	😄	已驗(yàn)證
7.6	😄	已驗(yàn)證
7.5	😞	已證實(shí)會(huì)出現(xiàn) kubelet 無(wú)法啟動(dòng)的問(wèn)題
7.4	😞	已證實(shí)會(huì)出現(xiàn) kubelet 無(wú)法啟動(dòng)的問(wèn)題
7.3	😞	已證實(shí)會(huì)出現(xiàn) kubelet 無(wú)法啟動(dòng)的問(wèn)題
7.2	😞	已證實(shí)會(huì)出現(xiàn) kubelet 無(wú)法啟動(dòng)的問(wèn)題

2、前置步驟（所有節(jié)點(diǎn)）

• centos 版本為 7.6 或 7.7、CPU 內(nèi)核數(shù)量大于等于 2，且內(nèi)存大于等于 4G
• hostname 不是 localhost，且不包含下劃線、小數(shù)點(diǎn)、大寫(xiě)字母
• 任意節(jié)點(diǎn)都有固定的內(nèi)網(wǎng) IP 地址(集群機(jī)器統(tǒng)一內(nèi)網(wǎng))
• 任意節(jié)點(diǎn)上 IP 地址 可互通（無(wú)需 NAT 映射即可相互訪問(wèn)），且沒(méi)有防火墻、安全組隔離
• 任意節(jié)點(diǎn)不會(huì)直接使用 docker run 或 docker-compose 運(yùn)行容器。Pod

#關(guān)閉防火墻： 或者阿里云開(kāi)通安全組端口訪問(wèn) systemctl stop firewalld systemctl disable firewalld#關(guān)閉 selinux： sed -i 's/enforcing/disabled/' /etc/selinux/config setenforce 0#關(guān)閉 swap： swapoff -a #臨時(shí) sed -ri 's/.*swap.*/#&/' /etc/fstab #永久#將橋接的 IPv4 流量傳遞到 iptables 的鏈： # 修改 /etc/sysctl.conf # 如果有配置，則修改 sed -i "s#^net.ipv4.ip_forward.*#net.ipv4.ip_forward=1#g" /etc/sysctl.conf sed -i "s#^net.bridge.bridge-nf-call-ip6tables.*#net.bridge.bridge-nf-call-ip6tables=1#g" /etc/sysctl.conf sed -i "s#^net.bridge.bridge-nf-call-iptables.*#net.bridge.bridge-nf-call-iptables=1#g" /etc/sysctl.conf sed -i "s#^net.ipv6.conf.all.disable_ipv6.*#net.ipv6.conf.all.disable_ipv6=1#g" /etc/sysctl.conf sed -i "s#^net.ipv6.conf.default.disable_ipv6.*#net.ipv6.conf.default.disable_ipv6=1#g" /etc/sysctl.conf sed -i "s#^net.ipv6.conf.lo.disable_ipv6.*#net.ipv6.conf.lo.disable_ipv6=1#g" /etc/sysctl.conf sed -i "s#^net.ipv6.conf.all.forwarding.*#net.ipv6.conf.all.forwarding=1#g" /etc/sysctl.conf # 可能沒(méi)有，追加 echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf echo "net.bridge.bridge-nf-call-ip6tables = 1" >> /etc/sysctl.conf echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.conf echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf echo "net.ipv6.conf.lo.disable_ipv6 = 1" >> /etc/sysctl.conf echo "net.ipv6.conf.all.forwarding = 1" >> /etc/sysctl.conf # 執(zhí)行命令以應(yīng)用 sysctl -p

二、安裝Docker環(huán)境（所有節(jié)點(diǎn)）

#1、安裝docker ##1.1、卸載舊版本 sudo yum remove docker \docker-client \docker-client-latest \docker-common \docker-latest \docker-latest-logrotate \docker-logrotate \docker-engine ##1.2、安裝基礎(chǔ)依賴 yum install -y yum-utils \ device-mapper-persistent-data \ lvm2##1.3、配置docker yum源 sudo yum-config-manager \ --add-repo \ http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo##1.4、安裝并啟動(dòng) docker yum install -y docker-ce-19.03.8 docker-ce-cli-19.03.8 containerd.io systemctl enable docker systemctl start docker##1.5、配置docker加速 sudo mkdir -p /etc/docker sudo tee /etc/docker/daemon.json <<-'EOF' {"registry-mirrors": ["https://t1gbabbr.mirror.aliyuncs.com"] } EOF sudo systemctl daemon-reload sudo systemctl restart docker

三、安裝k8s環(huán)境

1、安裝k8s、kubelet、kubeadm、kubectl（所有節(jié)點(diǎn)）

# 配置K8S的yum源 cat <<EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] name=Kubernetes baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=0 repo_gpgcheck=0 gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpghttp://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF# 卸載舊版本 yum remove -y kubelet kubeadm kubectl# 安裝kubelet、kubeadm、kubectl yum install -y kubelet-1.17.3 kubeadm-1.17.3 kubectl-1.17.3#開(kāi)機(jī)啟動(dòng)和重啟kubelet systemctl enable kubelet && systemctl start kubelet ##注意，如果此時(shí)查看kubelet的狀態(tài)，他會(huì)無(wú)限重啟，等待接收集群命令，和初始化。這個(gè)是正常的。

2、初始化master節(jié)點(diǎn)（master節(jié)點(diǎn)）

#1、下載master節(jié)點(diǎn)需要的鏡像【選做】 #創(chuàng)建一個(gè).sh文件，內(nèi)容如下， #!/bin/bash images=(kube-apiserver:v1.17.3kube-proxy:v1.17.3kube-controller-manager:v1.17.3kube-scheduler:v1.17.3coredns:1.6.5etcd:3.4.3-0pause:3.1 ) for imageName in ${images[@]} ; dodocker pull registry.cn-hangzhou.aliyuncs.com/google_containers/$imageName done#2、初始化master節(jié)點(diǎn) kubeadm init \ --apiserver-advertise-address=172.26.165.243 \ --image-repository registry.cn-hangzhou.aliyuncs.com/google_containers \ --kubernetes-version v1.17.3 \ --service-cidr=10.96.0.0/16 \ --pod-network-cidr=192.168.0.0/16#service網(wǎng)絡(luò)和pod網(wǎng)絡(luò)；docker service create #docker container --> ip brigde #Pod ---> ip 地址，整個(gè)集群 Pod 是可以互通。255*255 #service ---> #3、配置 kubectl mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config#4、提前保存令牌 kubeadm join 172.26.165.243:6443 --token afb6st.b7jz45ze7zpg65ii \--discovery-token-ca-cert-hash sha256:e5e5854508dafd04f0e9cf1f502b5165e25ff3017afd23cade0fe6acb5bc14ab#5、部署網(wǎng)絡(luò)插件 #上傳網(wǎng)絡(luò)插件，并部署 #kubectl apply -f calico-3.13.1.yaml kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml#網(wǎng)絡(luò)好的時(shí)候，就沒(méi)有下面的操作了 calico： image: calico/cni:v3.14.0 image: calico/cni:v3.14.0 image: calico/pod2daemon-flexvol:v3.14.0 image: calico/node:v3.14.0 image: calico/kube-controllers:v3.14.0#6、查看狀態(tài)，等待就緒 watch kubectl get pod -n kube-system -o wide

3、worker加入集群

#1、使用剛才master打印的令牌命令加入 kubeadm join 172.26.248.150:6443 --token ktnvuj.tgldo613ejg5a3x4 \--discovery-token-ca-cert-hash sha256:f66c496cf7eb8aa06e1a7cdb9b6be5b013c613cdcf5d1bbd88a6ea19a2b454ec #2、如果超過(guò)2小時(shí)忘記了令牌，可以這樣做 kubeadm token create --print-join-command #打印新令牌 kubeadm token create --ttl 0 --print-join-command #創(chuàng)建個(gè)永不過(guò)期的令牌

4、搭建NFS作為默認(rèn)sc

4.1、配置NFS服務(wù)器

yum install -y nfs-utils #執(zhí)行命令 vi /etc/exports，創(chuàng)建 exports 文件，文件內(nèi)容如下： echo "/nfs/data/ *(insecure,rw,sync,no_root_squash)" > /etc/exports #/nfs/data 172.26.248.0/20(rw,no_root_squash) #執(zhí)行以下命令，啟動(dòng) nfs 服務(wù) # 創(chuàng)建共享目錄 mkdir -p /nfs/data systemctl enable rpcbind systemctl enable nfs-server systemctl start rpcbind systemctl start nfs-server exportfs -r #檢查配置是否生效 exportfs # 輸出結(jié)果如下所示 /nfs/data /nfs/data #測(cè)試Pod直接掛載NFS了 apiVersion: v1 kind: Pod metadata:name: vol-nfsnamespace: default spec:volumes:- name: htmlnfs:path: /nfs/data #1000Gserver: 自己的nfs服務(wù)器地址containers:- name: myappimage: nginxvolumeMounts:- name: htmlmountPath: /usr/share/nginx/html/

4.2、搭建NFS-Client

#服務(wù)器端防火墻開(kāi)放111、662、875、892、2049的 tcp / udp 允許，否則遠(yuǎn)端客戶無(wú)法連接。 #安裝客戶端工具 yum install -y nfs-utils#執(zhí)行以下命令檢查 nfs 服務(wù)器端是否有設(shè)置共享目錄 # showmount -e $(nfs服務(wù)器的IP) showmount -e 172.26.165.243 # 輸出結(jié)果如下所示 Export list for 172.26.165.243 /nfs/data *#執(zhí)行以下命令掛載 nfs 服務(wù)器上的共享目錄到本機(jī)路徑 /root/nfsmount mkdir /root/nfsmount # mount -t nfs $(nfs服務(wù)器的IP):/root/nfs_root /root/nfsmount #高可用備份的方式 mount -t nfs 172.26.165.243:/nfs/data /root/nfsmount # 寫(xiě)入一個(gè)測(cè)試文件 echo "hello nfs server" > /root/nfsmount/test.txt#在 nfs 服務(wù)器上執(zhí)行以下命令，驗(yàn)證文件寫(xiě)入成功 cat /data/volumes/test.txt

4.3、設(shè)置動(dòng)態(tài)供應(yīng)

4.3.1、創(chuàng)建provisioner（NFS環(huán)境前面已經(jīng)搭好）

字段名稱填入內(nèi)容備注

名稱	nfs-storage	自定義存儲(chǔ)類名稱
NFS Server	172.26.165.243	NFS服務(wù)的IP地址
NFS Path	/nfs/data	NFS服務(wù)所共享的路徑

# 先創(chuàng)建授權(quán) # vi nfs-rbac.yaml --- apiVersion: v1 kind: ServiceAccount metadata:name: nfs-provisioner --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata:name: nfs-provisioner-runner rules:- apiGroups: [""]resources: ["persistentvolumes"]verbs: ["get", "list", "watch", "create", "delete"]- apiGroups: [""]resources: ["persistentvolumeclaims"]verbs: ["get", "list", "watch", "update"]- apiGroups: ["storage.k8s.io"]resources: ["storageclasses"]verbs: ["get", "list", "watch"]- apiGroups: [""]resources: ["events"]verbs: ["watch", "create", "update", "patch"]- apiGroups: [""]resources: ["services", "endpoints"]verbs: ["get","create","list", "watch","update"]- apiGroups: ["extensions"]resources: ["podsecuritypolicies"]resourceNames: ["nfs-provisioner"]verbs: ["use"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata:name: run-nfs-provisioner subjects:- kind: ServiceAccountname: nfs-provisionernamespace: default roleRef:kind: ClusterRolename: nfs-provisioner-runnerapiGroup: rbac.authorization.k8s.io --- #vi nfs-deployment.yaml；創(chuàng)建nfs-client的授權(quán) kind: Deployment apiVersion: apps/v1 metadata:name: nfs-client-provisioner spec:replicas: 1strategy:type: Recreateselector:matchLabels:app: nfs-client-provisionertemplate:metadata:labels:app: nfs-client-provisionerspec:serviceAccount: nfs-provisionercontainers:- name: nfs-client-provisionerimage: lizhenliang/nfs-client-provisionervolumeMounts:- name: nfs-client-rootmountPath: /persistentvolumesenv:- name: PROVISIONER_NAME #供應(yīng)者的名字value: storage.pri/nfs #名字雖然可以隨便起，以后引用要一致- name: NFS_SERVERvalue: 172.26.165.243- name: NFS_PATHvalue: /nfs/datavolumes:- name: nfs-client-rootnfs:server: 172.26.165.243path: /nfs/data ##這個(gè)鏡像中volume的mountPath默認(rèn)為/persistentvolumes，不能修改，否則運(yùn)行時(shí)會(huì)報(bào)錯(cuò) #創(chuàng)建storageclass # vi storageclass-nfs.yaml apiVersion: storage.k8s.io/v1 kind: StorageClass metadata:name: storage-nfs provisioner: storage.pri/nfs reclaimPolicy: Delete#擴(kuò)展"reclaim policy"有三種方式：Retain、Recycle、Deleted。 Retain #保護(hù)被PVC釋放的PV及其上數(shù)據(jù)，并將PV狀態(tài)改成"released"，不將被其它PVC綁定。集群管理員手動(dòng)通過(guò)如下步驟釋放存儲(chǔ)資源： 手動(dòng)刪除PV，但與其相關(guān)的后端存儲(chǔ)資源如(AWS EBS, GCE PD, Azure Disk, or Cinder volume)仍然存在。 手動(dòng)清空后端存儲(chǔ)volume上的數(shù)據(jù)。 手動(dòng)刪除后端存儲(chǔ)volume，或者重復(fù)使用后端volume，為其創(chuàng)建新的PV。Delete 刪除被PVC釋放的PV及其后端存儲(chǔ)volume。對(duì)于動(dòng)態(tài)PV其"reclaim policy"繼承自其"storage class"， 默認(rèn)是Delete。集群管理員負(fù)責(zé)將"storage class"的"reclaim policy"設(shè)置成用戶期望的形式，否則需要用 戶手動(dòng)為創(chuàng)建后的動(dòng)態(tài)PV編輯"reclaim policy"Recycle 保留PV，但清空其上數(shù)據(jù)，已廢棄

4.3.2、創(chuàng)建存儲(chǔ)類

#創(chuàng)建storageclass # vi storageclass-nfs.yaml apiVersion: storage.k8s.io/v1 kind: StorageClass metadata:name: storage-nfs provisioner: storage.pri/nfs reclaimPolicy: Delete

"reclaim policy"有三種方式：Retain、Recycle、Deleted。

• Retain

• • 保護(hù)被PVC釋放的PV及其上數(shù)據(jù)，并將PV狀態(tài)改成"released"，不將被其它PVC綁定。集群管理員手動(dòng)通過(guò)如下步驟釋放存儲(chǔ)資源
• • • 手動(dòng)刪除PV，但與其相關(guān)的后端存儲(chǔ)資源如(AWS EBS, GCE PD, Azure Disk, or Cinder volume)仍然存在。
    • 手動(dòng)清空后端存儲(chǔ)volume上的數(shù)據(jù)。
    • 手動(dòng)刪除后端存儲(chǔ)volume，或者重復(fù)使用后端volume，為其創(chuàng)建新的PV。

• Delete

• • 刪除被PVC釋放的PV及其后端存儲(chǔ)volume。對(duì)于動(dòng)態(tài)PV其"reclaim policy"繼承自其"storage class"，
  • 默認(rèn)是Delete。集群管理員負(fù)責(zé)將"storage class"的"reclaim policy"設(shè)置成用戶期望的形式，否則需要用戶手動(dòng)為創(chuàng)建后的動(dòng)態(tài)PV編輯"reclaim policy"

• Recycle

• • 保留PV，但清空其上數(shù)據(jù)，已廢棄

4.3.3、改變默認(rèn)sc

##改變系統(tǒng)默認(rèn)sc https://kubernetes.io/zh/docs/tasks/administer-cluster/change-default-storage-class/#%e4%b8%ba%e4%bb%80%e4%b9%88%e8%a6%81%e6%94%b9%e5%8f%98%e9%bb%98%e8%ae%a4-storage-classkubectl patch storageclass storage-nfs -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'

4.4、驗(yàn)證nfs動(dòng)態(tài)供應(yīng)

4.4.1、創(chuàng)建pvc

#vi pvc.yaml apiVersion: v1 kind: PersistentVolumeClaim metadata:name: pvc-claim-01# annotations:# volume.beta.kubernetes.io/storage-class: "storage-nfs" spec:storageClassName: storage-nfs #這個(gè)class一定注意要和sc的名字一樣accessModes:- ReadWriteManyresources:requests:storage: 1Mi

4.4.2、使用pvc

#vi testpod.yaml kind: Pod apiVersion: v1 metadata:name: test-pod spec:containers:- name: test-podimage: busyboxcommand:- "/bin/sh"args:- "-c"- "touch /mnt/SUCCESS && exit 0 || exit 1"volumeMounts:- name: nfs-pvcmountPath: "/mnt"restartPolicy: "Never"volumes:- name: nfs-pvcpersistentVolumeClaim:claimName: pvc-claim-01

5、安裝metrics-server

#1、先安裝metrics-server(yaml如下，已經(jīng)改好了鏡像和配置，可以直接使用)，這樣就能監(jiān)控到pod。node的資源情況（默認(rèn)只有cpu、memory的資源審計(jì)信息喲，更專業(yè)的我們后面對(duì)接 Prometheus） --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:name: system:aggregated-metrics-readerlabels:rbac.authorization.k8s.io/aggregate-to-view: "true"rbac.authorization.k8s.io/aggregate-to-edit: "true"rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: - apiGroups: ["metrics.k8s.io"]resources: ["pods", "nodes"]verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:name: metrics-server:system:auth-delegator roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: system:auth-delegator subjects: - kind: ServiceAccountname: metrics-servernamespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata:name: metrics-server-auth-readernamespace: kube-system roleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: extension-apiserver-authentication-reader subjects: - kind: ServiceAccountname: metrics-servernamespace: kube-system --- apiVersion: apiregistration.k8s.io/v1beta1 kind: APIService metadata:name: v1beta1.metrics.k8s.io spec:service:name: metrics-servernamespace: kube-systemgroup: metrics.k8s.ioversion: v1beta1insecureSkipTLSVerify: truegroupPriorityMinimum: 100versionPriority: 100 --- apiVersion: v1 kind: ServiceAccount metadata:name: metrics-servernamespace: kube-system --- apiVersion: apps/v1 kind: Deployment metadata:name: metrics-servernamespace: kube-systemlabels:k8s-app: metrics-server spec:selector:matchLabels:k8s-app: metrics-servertemplate:metadata:name: metrics-serverlabels:k8s-app: metrics-serverspec:serviceAccountName: metrics-servervolumes:# mount in tmp so we can safely use from-scratch images and/or read-only containers- name: tmp-diremptyDir: {}containers:- name: metrics-serverimage: mirrorgooglecontainers/metrics-server-amd64:v0.3.6imagePullPolicy: IfNotPresentargs:- --cert-dir=/tmp- --secure-port=4443- --kubelet-insecure-tls- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostnameports:- name: main-portcontainerPort: 4443protocol: TCPsecurityContext:readOnlyRootFilesystem: truerunAsNonRoot: truerunAsUser: 1000volumeMounts:- name: tmp-dirmountPath: /tmpnodeSelector:kubernetes.io/os: linuxkubernetes.io/arch: "amd64" --- apiVersion: v1 kind: Service metadata:name: metrics-servernamespace: kube-systemlabels:kubernetes.io/name: "Metrics-server"kubernetes.io/cluster-service: "true" spec:selector:k8s-app: metrics-serverports:- port: 443protocol: TCPtargetPort: main-port --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:name: system:metrics-server rules: - apiGroups:- ""resources:- pods- nodes- nodes/stats- namespaces- configmapsverbs:- get- list- watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:name: system:metrics-server roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: system:metrics-server subjects: - kind: ServiceAccountname: metrics-servernamespace: kube-system

參考鏈接：

https://www.yuque.com/leifengyang/kubesphere/grw8se

總結(jié)

以上是生活随笔為你收集整理的yum安装k8s集群（单master两个node、阿里云镜像源）的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺(jué)得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。