kubeadm系列-00-overview

文章目錄

• Overview
• 配置yum repo檔案
• 機器初始化的配置
• 軟體依賴
• kubelet.service
• kubeadm init
• 鏡像問題
• Containerd的常見配置
• 檢視鏡像
• 排查日志
• 修改證書
• 執行

Overview

Kubernetes 1.24 是正式棄用

Dockershim 的版本，本文主要描述一下安裝 Kubernetes 1.24 + containerd 1.6.6 作為 CRI 的叢集，主要是采用包管理器的方式來安裝，安裝的流程也可以參考官方文檔

軟體	版本	其他
kubernetes	1.24.1
containerd	1.6.6
runc	1.1.2
Centos	8 Stream
核心	5.18.5-1.el8.elrepo.x86_64

配置yum repo檔案

在 1.24 的版本，安裝的時候可能會遇到這個奇怪的問題,

gpgcheck=0 repo_gpgcheck=0

把這倆參數關掉就好

cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF

# 國内源也可以
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
       http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF           

複制

機器初始化的配置

如果是公有雲的，這些配置可能會跟公有雲本身的機器和系統初始化自帶的一些軟體和鏡像有關，是以下面這些指令并不一定100%全

，當然，如果缺什麼軟體或者配置的話，後面執行

kubeadm init

也會發現的

# Set SELinux in permissive mode (effectively disabling it)
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
# 關閉防火牆
systemctl stop firewalld && systemctl disable firewalld
sysctl -w net.ipv4.ip_forward=1
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
echo 1 > /proc/sys/net/ipv4/ip_forward
# 加載核心子產品
modprobe br_netfilter
modprobe overlay
# 時間同步
yum install ntpdate -y
# 友善排查ipvs的問題
yum install -y ipset ipvsadm           

複制

軟體依賴

如果不指定版本的話，以

yum install kubeadm

的操作，預設都是找最新的，是以是建議按下面的指令來安裝指定的版本

# 安裝1.24.1
sudo yum install -y kubelet-1.24.1-0 kubeadm-1.24.1-0 kubectl-1.24.1-0 --disableexcludes=kubernetes
# 安裝1.21.7
sudo yum install -y kubelet-1.21.7-0 kubeadm-1.21.7-0 kubectl-1.21.7-0 --disableexcludes=kubernetes
# 删除1.24.1
sudo yum remove -y kubelet-1.24.1-0 kubeadm-1.24.1-0 kubectl-1.24.1-0 --disableexcludes=kubernetes
# 删除1.21.7
sudo yum remove -y kubelet-1.21.7-0 kubeadm-1.21.7-0 kubectl-1.21.7-0 --disableexcludes=kubernetes           

複制

另外，作為依賴，在安裝 kubelet/kubeadm/kubectl 的時候，下面這些軟體也會被安裝，同樣需要注意一下版本的問題，不要出現版本差别太大的情況，如果是包管理器的方式安裝，一般這些軟體版本都是對應好的

cri-tools.x86_64 0:1.24.0-0                    
kubernetes-cni.x86_64 0:0.8.7-0                    
socat.x86_64 0:1.7.3.2-2.el7           

複制

kubelet.service

檢視一下 kubelet.service 的檔案結構，比較普通，但是需要知道，kubeadm 初始化的叢集，預設是把 kubelet 作為 service 來部署的，不像其他元件 kube-apiserver/etcd 那樣以 Static Pod 的形式運作

cat /etc/systemd/system/multi-user.target.wants/kubelet.service
[Unit]
Description=kubelet: The Kubernetes Node Agent
Documentation=https://kubernetes.io/docs/
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/bin/kubelet
Restart=always
StartLimitInterval=0
RestartSec=10

[Install]
WantedBy=multi-user.target           

複制

kubeadm init

實際上

kubeadm init

會做很多配置的檢查，比如會檢查到 cri runtime 是什麼等等，或者設定一下主機名之類的

# 設定主機名
hostnamectl set-hostname master           

複制

鏡像問題

在國内公有雲環境下，鏡像下載下傳卡住，其實可以先執行下面的指令确認一下，如果

ps -ef

一看，下面這個程序在國内肯定是拉不到鏡像的了，是以得想想配置的問題

kubeadm config images pull --kubernetes-version 1.24.1
# 用crictl下載下傳
/usr/bin/crictl -r unix:///var/run/containerd/containerd.sock pull k8s.gcr.io/kube-apiserver:v1.24.1           

複制

Containerd的常見配置

# 必須更換兩個endpoint，這個操作也可以直接修改kubeadm的初始化配置檔案
crictl config runtime-endpoint unix:///run/containerd/containerd.sock
crictl config image-endpoint unix:///run/containerd/containerd.sock
# 測試一下
crictl pull docker.io/library/redis:alpine3.13
# 替換成國内的鏡像           

複制

檢視鏡像

注意

ctr

檢視鏡像是需要帶 namespace 的

ctr --namespace k8s.io images list           

複制

排查日志

安裝過程中如果有任何問題，請仔細看清楚

kube init

之後的指令輸出，另外就是檢視 kubelet 以及 containerd 這兩個服務的日志，下面是可能會用到的排查指令

journalctl -xeu containerd --no-page -f
journalctl -xeu kubelet --no-page -f           

複制

修改證書

具體做法可以參考博文

執行

在對 kubeadm 分析的時候，筆者主要參考了兩個大版本，分别是 Kubernetes 1.21.7 以及 Kubernetes 1.24.1，老鐵們在閱讀的時候，如果有疑問的話，可以下載下傳這兩個版本的代碼進行參考，如果不特别标明，一般是指 Kubernetes 1.24.1 的代碼

下面的

kubeadm init

的日志，省去了一些個人的資訊，并且加入了一些步驟的注釋，相關資訊也可以通過

kubeadm init --help

指令來列印出來

# 建立的k8s版本
[init] Using Kubernetes version: v1.24.1
# 從這裡開始進入preflight的階段
[preflight] Running pre-flight checks
	[WARNING SystemVerification]: missing optional cgroups: blkio
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
# 從這裡進入證書的階段
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [ip-172-31-90-126 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 172.31.90.126]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [ip-172-31-90-126 localhost] and IPs [172.31.90.126 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [ip-172-31-90-126 localhost] and IPs [172.31.90.126 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
# 進入kubeconfig的階段
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
# 開始啟動kubelet
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
# 開始controlplane啟動的階段
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
# 健康檢查
[apiclient] All control plane components are healthy after 16.503764 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
# 給controlplane打上必要的label
[mark-control-plane] Marking the node ip-172-31-90-126 as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node ip-172-31-90-126 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule node-role.kubernetes.io/control-plane:NoSchedule]
# 建立token
[bootstrap-token] Using token: qlk4br.83yi47aqacj3cwzh
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
# 插件安裝的階段
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy           

複制

下面是接上面的流程之後的安裝成功的日志，會提示你去把 kubeconig 給配置好

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 172.31.90.126:6443 --token qlk4br.83yi47aqacj3cwzh \
	--discovery-token-ca-cert-hash sha256:cc121a0e581abbdedcbad370077c46e11da9d6ea60a201dd54be4c70893f98f4           

複制

其實對于 kubeadm 的了解，個人是這麼認為的，他做了很多腳本化的工作，這得益于 go 比較豐富的跟系統綁定的一些工具包，是以在調用的會很友善，另外就是用實際上，所有的這些檢查和安裝的工作，用腳本 shell 之類的也能寫的很好，實際上在本人以前搞 Kubernetes 1.8 以及之前的版本，部署都是用運維寫的腳本來做的，本質上是沒有太大的差別的，但是用 go 來寫，可以增加一些擴充性和健壯性，這是從文法層面上考慮的東西