Host preparation
This deployment uses Rocky Linux 9.2 on 7 nodes
[root@node1 ~]# uname -a
Linux node1 5.14.0-284.11.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Tue May 9 17:09:15 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
The nodes are assigned as follows
No. | Hostname | IP address | Role |
---|---|---|---|
1 | node1 | 192.168.202.129 | haproxy node 1 |
2 | node2 | 192.168.202.130 | haproxy node 2 |
3 | node3 | 192.168.202.131 | K8s master1 |
4 | node4 | 192.168.202.132 | K8s master2 |
5 | node5 | 192.168.202.134 | K8s master3 |
6 | node6 | 192.168.202.136 | Worker node1 |
7 | node7 | 192.168.202.137 | Worker node2 |
8 (IP only, no host) | lb | 192.168.202.140 | VIP (floating IP) |
Hostname and IP address resolution
Do this on every server: edit /etc/hosts and add the host entries below
[root@node1 ~]# vim /etc/hosts
[root@node1 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.202.129 node1
192.168.202.130 node2
192.168.202.131 node3
192.168.202.132 node4
192.168.202.134 node5
192.168.202.136 node6
192.168.202.137 node7
Disable the host firewall
Do this on every host. With firewalld off, the API server, etcd and kubelet ports are reachable from anything that can route to the node, so restrict access at the network level (security groups, upstream ACLs) instead.
systemctl disable firewalld --now
Disable SELinux
Do this on every host
Use sestatus to check whether SELinux is currently enabled
# When it is off the output is just:
[root@node7 ~]# sestatus
SELinux status: disabled
# When it is on the output looks like this:
[root@node7 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: disabled
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
Disable SELinux
# setenforce 0 switches the running kernel to permissive immediately; the config file change below only takes effect at the next boot.
setenforce 0
sed -i 's#^SELINUX=.*#SELINUX=disabled#' /etc/selinux/config
# The pattern anchors on ^SELINUX= so it rewrites whatever the current value is; a pattern keyed on SELINUX=enforcing silently does nothing on a file that already says permissive. Kubelet and containerd run fine in permissive mode, so keeping SELinux permissive rather than disabled is an option; if you ever go back to enforcing after disabled, a full relabel is required (touch /.autorelabel and reboot).
Configure time synchronisation
Do this on every node so that the clocks agree; x509 certificate validity is checked against local time on each node, so skew shows up as TLS failures.
# Check the current time zone; it should be Asia/Shanghai
[root@node1 ~]# timedatectl
Local time: Mon 2023-09-25 23:22:02 CST
Universal time: Mon 2023-09-25 15:22:02 UTC
RTC time: Mon 2023-09-25 15:22:02
Time zone: Asia/Shanghai (CST, +0800)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
# If the time zone is not Asia/Shanghai, set it on every node
[root@node1 ~]# timedatectl set-timezone Asia/Shanghai
# Start chronyd as the time synchronisation service
[root@node1 ~]# systemctl enable chronyd --now
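The host-preparation steps above (hosts entries, SELinux mode, firewall, time) have to be repeated on seven machines, and a sed that matches nothing fails silently. The helpers below are an added example written for this page, not commands from the original tutorial. They take file paths, so they can be tried on copies before being pointed at /etc/hosts and /etc/selinux/config; the hosts file and SELinux config they run on at the end are constructed samples.

```shell
#!/bin/sh
# Added example: host-prep helpers for the steps above. Not part of the original
# tutorial. Functions take file paths so they can be tested on copies before
# being pointed at /etc/hosts and /etc/selinux/config on a real node.

# Set SELINUX= in a selinux config file to MODE, whatever the current value is.
# A sed keyed on "SELINUX=enforcing" silently does nothing on a file that already
# says permissive; this one anchors on the key and rejects unknown modes.
set_selinux_config() {
    cfg=$1; mode=$2
    case $mode in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_config: unknown mode '$mode'" >&2; return 2 ;;
    esac
    if grep -q '^SELINUX=' "$cfg"; then
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$cfg"
    fi
}

# Read the configured mode back (what sestatus prints as "Mode from config file").
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Check that each IP=hostname pair is in a hosts file, matching the IP and the
# name as whole words, so 192.168.202.13 does not satisfy 192.168.202.131 and
# node13 does not satisfy node1. Prints each missing pair; returns 1 if any.
check_hosts() {
    hosts=$1; shift; missing=0
    for entry in "$@"; do
        ip=${entry%%=*}; name=${entry#*=}
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
        if ! grep -Eq "^[[:space:]]*${ip_re}[[:space:]]+(.*[[:space:]])?${name}([[:space:]]|$)" "$hosts"; then
            echo "missing: $ip $name"
            missing=1
        fi
    done
    return $missing
}

# Live checks for the node this runs on. Each probe is skipped if the tool is
# absent, so the function is safe to call on a non-systemd test box.
node_status() {
    command -v getenforce >/dev/null 2>&1 && echo "selinux runtime mode: $(getenforce)"
    command -v systemctl >/dev/null 2>&1 && echo "firewalld: $(systemctl is-active firewalld 2>/dev/null || true)"
    command -v timedatectl >/dev/null 2>&1 && timedatectl show -p Timezone -p NTPSynchronized 2>/dev/null
    return 0
}

# Demo on constructed copies of the two files (not the real /etc files).
tmp=$(mktemp -d)
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$tmp/selinux-config"
set_selinux_config "$tmp/selinux-config" disabled
echo "config-file mode is now: $(selinux_config_mode "$tmp/selinux-config")"
printf '127.0.0.1 localhost\n192.168.202.129 node1\n192.168.202.130 node2\n' > "$tmp/hosts"
check_hosts "$tmp/hosts" 192.168.202.129=node1 192.168.202.130=node2 192.168.202.131=node3 \
    || echo "hosts file is incomplete"
rm -rf "$tmp"
```

On a real node, `check_hosts /etc/hosts 192.168.202.129=node1 ... 192.168.202.137=node7` followed by `node_status` gives a one-screen answer to "is this host actually prepared" before moving on to the Kubernetes components.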
Install the ipvs management tools and load the modules
Only the K8s master and worker nodes need this
[root@node1 ~]# yum install ipvsadm ipset sysstat conntrack libseccomp -y
Configure the ipvs modules
# Add a module config file; files under /etc/modules-load.d are loaded at boot
cat >> /etc/modules-load.d/ipvs.conf
[The body of this heredoc is not preserved in this copy. The same applies to the files the original wrote at this point with further heredocs: /etc/systemd/system/etcd.service, kube-apiserver-csr.json, /etc/kubernetes/token.csv, /etc/kubernetes/kube-apiserver.conf, /etc/systemd/system/kube-apiserver.service, admin-csr.json, kube-controller-manager-csr.json, kube-controller-manager.conf, kube-controller-manager.service, kube-scheduler-csr.json, kube-scheduler.conf, kube-scheduler.service and /etc/containerd/config.toml. The etcd, certificate, control-plane and containerd installation steps around them are missing as well.]
Adjust the generated containerd config: switch to the systemd cgroup driver (the kubelet's cgroupDriver must match) and point the pause image at a mirror that the nodes can reach
sed -i 's#SystemdCgroup = false#SystemdCgroup = true#g' /etc/containerd/config.toml
sed -i 's@registry.k8s.io/pause:3.6@registry.aliyuncs.com/google_containers/pause:3.9@' /etc/containerd/config.toml
Run containerd
systemctl enable containerd --now
Install runc
# runc is the binary that actually starts every container on the worker, so do not install an unverified download: the same GitHub release publishes runc.sha256sum (and a .asc signature); check the file with sha256sum -c before making it executable.
[root@node6 ~]# wget https://github.com/opencontainers/runc/releases/download/v1.1.9/runc.amd64
[root@node6 ~]# chmod +x runc.amd64
[root@node6 ~]# mv runc.amd64 /usr/local/sbin/runc
Deploy the kubelet
Generate the config files on node3, then copy them to the worker nodes
Create kubelet-bootstrap.kubeconfig
# The token is the first column of token.csv, the API server's static token file; the user name in its second column is the identity the API server sees, and is what the RBAC binding below must target
BOOTSTRAP_TOKEN=$(awk -F "," '{print $1}' /etc/kubernetes/token.csv)
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://192.168.202.140:6443 --kubeconfig=kubelet-bootstrap.kubeconfig
kubectl config set-credentials kubelet-bootstrap --token=${BOOTSTRAP_TOKEN} --kubeconfig=kubelet-bootstrap.kubeconfig
kubectl config set-context default --cluster=kubernetes --user=kubelet-bootstrap --kubeconfig=kubelet-bootstrap.kubeconfig
kubectl config use-context default --kubeconfig=kubelet-bootstrap.kubeconfig
# Bind the bootstrap user to system:node-bootstrapper so it can submit a kubelet CSR. That is the only right it needs; do not bind cluster-admin to it, because the bootstrap token is copied to every worker and anyone who reads it would then hold a cluster-wide admin credential. Run this with the admin kubeconfig (the default context), not with kubelet-bootstrap.kubeconfig, which has no rights to create bindings.
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
kubectl describe clusterrolebinding kubelet-bootstrap
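Building the bootstrap credential by hand makes it clear what the file contains and what the token is allowed to do. The script below is an added example, not the page's own commands: it generates a token for the API server's static token file (token,user,uid,"groups" per line), writes the same kubeconfig that the four kubectl config commands produce, with the CA embedded, and prints the least-privilege ClusterRoleBinding for that identity as a manifest. It needs no kubectl. The CA content, the uid 10001 and the group name are constructed for the demo; the only real values are the user name kubelet-bootstrap and the VIP https://192.168.202.140:6443 from the page.

```shell
#!/bin/sh
# Added example for the kubelet bootstrap step; not the tutorial's own code.
# It needs no kubectl: the kubeconfig is plain YAML, and the RBAC object is
# printed as a manifest for `kubectl apply -f`.

# 16 random bytes as 32 hex chars, for the API server's --token-auth-file.
new_static_token() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Static token file line: token,user,uid,"group1,group2". The user column is
# the identity the API server sees, and therefore the subject to bind below.
write_token_csv() {
    out=$1; token=$2; user=$3; uid=$4; groups=$5
    printf '%s,%s,%s,"%s"\n' "$token" "$user" "$uid" "$groups" > "$out"
    chmod 600 "$out"
}

# First column of the first line, as the tutorial's awk command reads it.
token_from_csv() { awk -F, 'NR==1{print $1}' "$1"; }

# Equivalent of `kubectl config set-cluster --embed-certs`, set-credentials,
# set-context and use-context for a bearer-token user.
write_bootstrap_kubeconfig() {
    out=$1; ca=$2; server=$3; token=$4
    ca_b64=$(base64 < "$ca" | tr -d '\n')
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: kubelet-bootstrap
  user:
    token: ${token}
contexts:
- name: default
  context:
    cluster: kubernetes
    user: kubelet-bootstrap
current-context: default
EOF
    chmod 600 "$out"
}

# Read fields back so the file can be checked after it is copied to a worker.
kubeconfig_server() { sed -n 's/^ *server: //p' "$1"; }
kubeconfig_token()  { sed -n 's/^ *token: //p' "$1"; }
kubeconfig_ca_sha256() {
    sed -n 's/^ *certificate-authority-data: //p' "$1" | base64 -d | sha256sum | cut -d' ' -f1
}

# The only binding the bootstrap identity needs: system:node-bootstrapper lets
# it create a CSR and nothing else. Binding cluster-admin here would turn the
# token, which sits on every worker, into a cluster-wide admin credential.
node_bootstrapper_binding() {
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-bootstrap
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node-bootstrapper
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: $1
EOF
}

# Guard for reviewing binding manifests: true if the roleRef is cluster-admin.
binding_grants_cluster_admin() {
    grep -Eq '^ *name: cluster-admin *$' "$1"
}

# Demo with constructed inputs (the real CA is the ca.pem generated for the cluster).
tmp=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nMIIB(constructed placeholder, not a real certificate)\n-----END CERTIFICATE-----\n' > "$tmp/ca.pem"
tok=$(new_static_token)
write_token_csv "$tmp/token.csv" "$tok" kubelet-bootstrap 10001 system:kubelet-bootstrap
write_bootstrap_kubeconfig "$tmp/kubelet-bootstrap.kubeconfig" "$tmp/ca.pem" \
    https://192.168.202.140:6443 "$(token_from_csv "$tmp/token.csv")"
echo "server: $(kubeconfig_server "$tmp/kubelet-bootstrap.kubeconfig")"
echo "CA sha256 in kubeconfig: $(kubeconfig_ca_sha256 "$tmp/kubelet-bootstrap.kubeconfig")"
node_bootstrapper_binding kubelet-bootstrap > "$tmp/kubelet-bootstrap-rbac.yaml"
binding_grants_cluster_admin "$tmp/kubelet-bootstrap-rbac.yaml" && echo "REFUSE: cluster-admin bound"
rm -rf "$tmp"
```

After copying the kubeconfig to a worker, `kubeconfig_ca_sha256` compared against `sha256sum ca.pem` on node3 confirms the file arrived intact; `binding_grants_cluster_admin` is the check to run over any binding manifest before applying it to the cluster.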
Create the directories on the two worker nodes, node6 and node7
mkdir -p /etc/kubernetes/ssl
mkdir -p /var/lib/kubelet
mkdir -p /var/log/kubernetes
Copy the files to the worker nodes. kubelet-bootstrap.kubeconfig carries the bootstrap token, so keep it root-owned and mode 0600 on the workers.
scp kubelet-bootstrap.kubeconfig node6:/etc/kubernetes/
scp kubelet-bootstrap.kubeconfig node7:/etc/kubernetes/
scp ca.pem node6:/etc/kubernetes/ssl/
scp ca.pem node7:/etc/kubernetes/ssl/
Create the kubelet config file on node6
cat > /etc/kubernetes/kubelet.json
[The body of this heredoc is not preserved in this copy, nor are the contents of the files the original wrote next with further heredocs: /usr/lib/systemd/system/kubelet.service, kube-proxy-csr.json, /etc/kubernetes/kube-proxy.yaml, /usr/lib/systemd/system/kube-proxy.service and coredns.yaml.]