在centons7系统部署一套单master的k8s集群

架构图：

操作系统：CentOS Linux release 7.7.1908 (Core)

docker：docker-ce-20.10.14-3.el7.x86_64

kubernetes: 1.21

操作系统初始化配置

# 关闭防火墙

systemctl stop firewalld
systemctl disable firewalld

# 关闭selinux

sed -i 's/enforcing/disabled/' /etc/selinux/config  # 永久
setenforce 0  # 临时

# 关闭swap

swapoff -a  # 临时
sed -ri 's/.*swap.*/#&/' /etc/fstab    # 永久

# 在master添加hosts

cat >> /etc/hosts << EOF
192.168.248.128 master
192.168.248.129 node1
192.168.248.130 node2
EOF

# 将桥接的IPv4流量传递到iptables的链

cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system  # 生效

# 时间同步

yum install ntpdate -y
ntpdate time.windows.com

安装docker并设置开机自启

systemctl start docker
systemctl enable docker
systemctl status docker

添加阿里云YUM软件源

cat > /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

安装kubeadm，kubelet和kubectl

由于版本更新频繁，这里指定版本号部署：

yum install -y kubelet-1.21.0 kubeadm-1.21.0 kubectl-1.21.0
systemctl enable kubelet

Kubelet：负责与其他节点集群通信，并进⾏本节点Pod和容器⽣命周期的管理。

Kubeadm：Kubernetes的⾃动化部署⼯具，降低了部署难度，提⾼效率。

Kubectl：Kubernetes集群管理⼯具。

部署Kubernetes Master

在192.168.248.128（Master）执行。

kubeadm init \
  --apiserver-advertise-address=192.168.248.128 \
  --image-repository registry.aliyuncs.com/google_containers \
  --kubernetes-version v1.21.0 \
  --service-cidr=10.96.0.0/12 \
  --pod-network-cidr=10.244.0.0/16 \
  --ignore-preflight-errors=all

• --apiserver-advertise-address 集群通告地址
• --image-repository 由于默认拉取镜像地址k8s.gcr.io国内无法访问，这里指定阿里云镜像仓库地址
• --kubernetes-version K8s版本，与上面安装的一致
• --service-cidr 集群内部虚拟网络，Pod统一访问入口
• --pod-network-cidr Pod网络，，与下面部署的CNI网络组件yaml中保持一致

初始化完成后，最后会输出一个join命令，先记住，下面用。

拷贝kubectl使用的连接k8s认证文件到默认路径：

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

查看工作节点：

[root@master ~]# kubectl get nodes
NAME     STATUS     ROLES                  AGE   VERSION
master   NotReady   control-plane,master   13m   v1.21.0

注：由于网络插件还没有部署，还没有准备就绪 NotReady

加入Kubernetes Node

在192.168.248.129/130（Node）执行。

向集群添加新节点，执行在kubeadm init输出的kubeadm join命令：

kubeadm join 192.168.248.128:6443 --token sjnd0i.2m83rn0i9d90d51q \
        --discovery-token-ca-cert-hash sha256:1275c9fbe8de5dfb0a64f231c2c2df1509b38adc77bac8644e889ace822aaf44 

默认token有效期为24小时，当过期之后，该token就不可用了。这时就需要重新创建token，可以直接使用命令快捷生成：

kubeadm token create --print-join-command

查看token有效期

[root@master ~]# kubeadm token list
TOKEN                     TTL         EXPIRES                     USAGES                   DESCRIPTION                                                EXTRA GROUPS
sjnd0i.2m83rn0i9d90d51q   23h         2022-05-07T11:00:22+08:00   authentication,signing   The default bootstrap token generated by 'kubeadm init'.   system:bootstrappers:kubeadm:default-node-token

查看node是否加入集群

[root@master ~]# kubectl get nodes
NAME     STATUS     ROLES                  AGE     VERSION
master   NotReady   control-plane,master   32m     v1.21.0
node1    NotReady   <none>                 10s     v1.21.0
node2    NotReady   <none>                 8m17s   v1.21.0

部署容器网络（CNI）

Calico是一个纯三层的数据中心网络方案，是目前Kubernetes主流的网络方案。

下载YAML：

wget https://docs.projectcalico.org/manifests/calico.yaml

下载完后还需要修改里面定义Pod网络（CALICO_IPV4POOL_CIDR），与前面kubeadm init的 --pod-network-cidr指定的一样。

修改完后文件后，部署：

kubectl apply -f calico.yaml
kubectl get pods -n kube-system

下载完后还需要修改里面定义Pod网络（CALICO_IPV4POOL_CIDR），与前面kubeadm init的 --pod-network-cidr指定的一样。

修改完后文件后，部署：

kubectl apply -f calico.yaml
kubectl get pods -n kube-system

等Calico Pod都Running，节点也会准备就绪。

CoreDNS问题处理

通过上面发现coredns这个镜像下载错误，需要我们在所有节点手动下载一下，并修改一下镜像的tag

docker pull registry.aliyuncs.com/google_containers/coredns:1.8.0
docker tag registry.aliyuncs.com/google_containers/coredns:1.8.0 registry.aliyuncs.com/google_containers/coredns/coredns:v1.8.0

再次检查一下，发现网卡有问题

需要修改calico.yml文件

# Auto-detect the BGP IP address.
- name: IP
value: "autodetect"
- name: IP_AUTODETECTION_METHOD
value: "interface=ens33"
# Enable IPIP
- name: CALICO_IPV4POOL_IPIP
value: "Always"

重新部署calico插件：

[root@master ~]# kubectl apply -f calico.yaml

再次检查发现变成

[root@master ~]# kubectl get pod -n kube-system
NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-65898446b5-qtcgv   1/1     Running   0          61s
calico-node-7wcsl                          1/1     Running   0          62s
calico-node-8sjcz                          1/1     Running   0          62s
calico-node-f84fw                          1/1     Running   0          62s
coredns-545d6fc579-w5rj2                   1/1     Running   0          62m
coredns-545d6fc579-xr62w                   1/1     Running   0          62m
etcd-master                                1/1     Running   0          62m
kube-apiserver-master                      1/1     Running   0          62m
kube-controller-manager-master             1/1     Running   0          62m
kube-proxy-2qx8x                           1/1     Running   0          62m
kube-proxy-6khnn                           1/1     Running   0          58m
kube-proxy-znv97                           1/1     Running   0          56m
kube-scheduler-master                      1/1     Running   0          62m

[root@master ~]# kubectl get nodes
NAME     STATUS   ROLES                  AGE   VERSION
master   Ready    control-plane,master   66m   v1.21.0
node1    Ready    <none>                 62m   v1.21.0
node2    Ready    <none>                 59m   v1.21.0

测试kubernetes集群

在Kubernetes集群中创建一个pod，验证是否正常运行：

kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port=80 --type=NodePort
kubectl get pod,svc

[root@master ~]# kubectl get pod,svc
NAME                         READY   STATUS    RESTARTS   AGE
pod/nginx-6799fc88d8-648cn   1/1     Running   0          20m

NAME                 TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
service/kubernetes   ClusterIP   10.96.0.1      <none>        443/TCP        89m
service/nginx        NodePort    10.99.33.161   <none>        80:32213/TCP   20m

浏览器访问一下，服务是正常运行的

部署 Dashboard

Dashboard是官方提供的一个UI，可用于基本管理K8s资源。

wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml

默认Dashboard只能集群内部访问，修改Service为NodePort类型，暴露到外部：

默认Dashboard只能集群内部访问，修改Service为NodePort类型，暴露到外部：
vi recommended.yaml
...
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort
...

[root@master ~]# kubectl apply -f recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created

[root@master ~]# kubectl get pods -n kubernetes-dashboard
NAME                                         READY   STATUS    RESTARTS   AGE
dashboard-metrics-scraper-5594697f48-s8nql   1/1     Running   0          47m
kubernetes-dashboard-5c785c8bcf-j8w8h        1/1     Running   0          47m

访问地址：https://192.168.248.130:30001

获取token

# 创建用户

[root@master ~]# kubectl create serviceaccount dashboard-admin -n kube-system
serviceaccount/dashboard-admin created

# 用户授权

[root@master ~]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created

# 获取用户Token

[root@master ~]# kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')

Name: dashboard-admin-token-xrsjd
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 41162dc7-f1e6-4281-9cbd-645de6173c7f

Type: kubernetes.io/service-account-token

Data
====
token: eyJhbGciOiJSUzI1NiIsImtpZCI6InRWZnJkN3AwV09wV0FDQ3FWSXdfOHZFVmM2ZlNhb3FmMldNYWlVTXhGVEEifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4teHJzamQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNDExNjJkYzctZjFlNi00MjgxLTljYmQtNjQ1ZGU2MTczYzdmIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.cYit0Q3XozLeEaGuSQpzyKcV-S5LynQdqvgpuKrKU01edzyGjU-30sJ3ta83i8ihcDCEzDu4Kn0eIytzy7ez3GbHtMQaHy3h7TC0H7CeRM2QeFhdPAYC5TcfVN_hcAosXeyoCbA2-YeS_GejYWy5Gsk7v5e5_ZhJKQ3JL6qLi5ePpQzzcWz2dzH6xNVAdum8PmKlRo4zcuwu_Ba58h2ePfZqq-txpb0WEpdRdpNwGvQ9tUSCHSCMsCoS3_n5VFfHihz1FpD42JV42DSLVsdTphP6cq5sacbkyWdz_ot2c-o90zuz4qvNz7iYvPoVyLjheNtyQLdDd0C_paeoqlQxpw
ca.crt: 1066 bytes
namespace: 11 bytes

输入token登录界面