
二進制方式部署K8S-v1.23.6--(上)

1、環境準備
IP位址 主機 角色 系統
192.168.100.101 master-101 K8S叢集主節點 Ubuntu2004
192.168.100.102 master-102 K8S叢集主節點 Ubuntu2004
192.168.100.103 master-103 K8S叢集主節點 Ubuntu2004
192.168.100.104 node-104 K8S叢集從節點 Ubuntu2004
192.168.100.105 node-105 K8S叢集從節點 Ubuntu2004
192.168.100.111 wang.cluster.k8s VIP

1-1、關閉防火牆

~]#ufw disable
~]#ufw status      

1-2、時間同步

~]#apt install -y chrony
~]#systemctl restart chrony
~]#systemctl status chrony
~]#chronyc sources      

1-3、主機名互相解析

~]#vim /etc/hosts
192.168.100.101 master-101
192.168.100.102 master-102
192.168.100.103 master-103
192.168.100.104 node-104
192.168.100.105 node-105
192.168.100.111 wang.cluster.k8s      

1-4、禁用swap

~]#swapoff -a && sed -i 's|^/swap.img|#/swap.img|g' /etc/fstab

1-5、驗證每個節點上IP、MAC 位址和 product_uuid 的唯一性

~]#ifconfig -a

~]#sudo cat /sys/class/dmi/id/product_uuid       # 檢視 product_uuid      

1-6、系統核心參數調整

#如果已經調整,請忽略:
~]#echo "vm.swappiness = 0" >> /etc/sysctl.conf 
~]#echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
~]#echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.conf
~]#echo "net.bridge.bridge-nf-call-ip6tables = 1" >> /etc/sysctl.conf      

1-7、安裝ipvs模組

~]#apt -y install ipvsadm ipset sysstat conntrack

# 鎖定版本
~]#apt-mark hold ipvsadm      
#將模組加載到核心中(開機自動設定-需要重新開機機器生效)

~]#tee /etc/modules-load.d/k8s.conf <<'EOF'
br_netfilter
overlay
nf_conntrack
ip_vs
ip_vs_lc
ip_vs_lblc
ip_vs_lblcr
ip_vs_rr
ip_vs_wrr
ip_vs_sh
ip_vs_dh
ip_vs_fo
ip_vs_nq
ip_vs_sed
ip_vs_ftp
ip_tables
ip_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip
xt_set
EOF      
#加載模組到核心中
~]#mkdir -pv /etc/modules.d
~]#tee /etc/modules.d/k8s.modules <<EOF
#!/bin/bash
# Load the same kernel modules that /etc/modules-load.d/k8s.conf lists, right
# now, instead of waiting for the reboot that modules-load.d needs.
# Invoked once by hand: bash /etc/modules.d/k8s.modules (see the step below).
# Each modprobe runs on its own; the "--" keeps a module name from being
# parsed as an option.
modprobe -- br_netfilter
modprobe -- overlay
modprobe -- nf_conntrack
modprobe -- ip_vs
modprobe -- ip_vs_lc
modprobe -- ip_vs_lblc
modprobe -- ip_vs_lblcr
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- ip_vs_dh
modprobe -- ip_vs_fo
modprobe -- ip_vs_nq
modprobe -- ip_vs_sed
modprobe -- ip_vs_ftp
modprobe -- ip_tables
modprobe -- ip_set
modprobe -- ipt_set
modprobe -- ipt_rpfilter
modprobe -- ipt_REJECT
modprobe -- ipip
modprobe -- xt_set
EOF

~]#chmod 755 /etc/modules.d/k8s.modules && bash /etc/modules.d/k8s.modules && lsmod | grep -e ip_vs -e nf_conntrack

~]#sysctl --system

溫馨提示: 在 kernel 4.19 版本及以上將使用 nf_conntrack 模組, 在 4.18 版本以下則需使用 nf_conntrack_ipv4 模組
2、安裝Haproxy、Keepalived

描述: 由于是測試學習環境, 所以直接采用master節點機器,如果是正式環境建議獨立出來。

2-1、下載安裝

#所有master節點執行:
#下載並安裝 haproxy (HA代理健康檢測) 與 keepalived (虛擬路由協定-主從)

[root@master-101 ~]#apt-cache madison haproxy keepalived
[root@master-101 ~]#apt install -y haproxy=2.0.13-2 keepalived
[root@master-101 ~]#apt-mark hold haproxy keepalived      
#所有master節點執行:
#配置HAproxy
[root@master-101 ~]#tee /etc/haproxy/haproxy.cfg<<'EOF'
global
  user haproxy
  group haproxy
  maxconn 2000
  daemon
  log /dev/log local0
  log /dev/log local1 err
  chroot /var/lib/haproxy
  stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
  stats timeout 30s
  # Default SSL material locations

  ca-base /etc/ssl/certs
  crt-base /etc/ssl/private
  # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate

  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
  log     global
  mode    http
  option  httplog
  option  dontlognull
  timeout connect 5000
  timeout client  50000
  timeout server  50000
  timeout http-request 15s
  timeout http-keep-alive 15s

# 注意: 管理HAproxy (可選)
# frontend monitor-in
#   bind *:33305
#   mode http
#   option httplog
#   monitor-uri /monitor

# 注意: 基于四層代理, 16443 為VIP的 ApiServer 控制平面端口, 由于與 master 節點在一起所以不能使用 6443 端口.
frontend k8s-master
  bind 0.0.0.0:16443
  bind 127.0.0.1:16443
  mode tcp
  option tcplog
  tcp-request inspect-delay 5s
  default_backend k8s-master
# 注意: Master 節點的預設 Apiserver 是6443端口
backend k8s-master
  mode tcp
  option tcplog
  option tcp-check
  balance roundrobin
  default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
  server master-101 192.168.100.101:6443 check
  server master-102 192.168.100.102:6443 check
  server master-103 192.168.100.103:6443 check
EOF      
#所有master節點執行:
#配置Keepalived
[root@master-101 ~]#mkdir /etc/keepalived
[root@master-101 ~]#tee /etc/keepalived/keepalived.conf <<'EOF'
! Configuration File for keepalived
global_defs {
  router_id LVS_DEVEL
script_user root
  enable_script_security
}
vrrp_script chk_apiserver {
  script "/etc/keepalived/check_apiserver.sh"
  interval 5
  weight -5
  fall 2
  rise 1
}
vrrp_instance VI_1 {
  state MASTER                  #另外兩個節點是backup
  interface enp1s0              #注意網口名稱
  mcast_src_ip 224.8.8.8        #各節點都一樣
  virtual_router_id 51
  priority 101
  advert_int 2
  authentication {
    auth_type PASS
    auth_pass 123456
  }
  virtual_ipaddress {
    192.168.100.111             #各節點vip都一樣
  }
}
EOF      
#所有master節點執行:
# KeepAlived 健康檢查腳本
[root@master-101 ~]#tee /etc/keepalived/check_apiserver.sh <<'EOF'
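#!/bin/bash
# Keepalived vrrp_script health check (chk_apiserver in keepalived.conf).
# Polls for a running haproxy process up to 3 times, one second apart, so a
# brief haproxy restart does not by itself cause a failover. If haproxy is
# still absent after the last try, keepalived on this node is stopped so the
# VIP can move to another master.
#
# Exit status: 0 when a haproxy process was found; 1 otherwise (keepalived is
# stopped before exiting).
err=0
for ((attempt = 1; attempt <= 3; attempt++)); do
  # -x matches the process name exactly, so an unrelated process whose name
  # merely contains "haproxy" is not mistaken for a healthy proxy.
  if pgrep -x haproxy >/dev/null; then
    err=0
    break
  fi
  err=$((err + 1))
  sleep 1
done
if ((err != 0)); then
  echo "systemctl stop keepalived"
  /usr/bin/systemctl stop keepalived
  exit 1
fi
exit 0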
EOF

[root@master-101 ~]#chmod +x /etc/keepalived/check_apiserver.sh
[root@master-101 ~]#systemctl daemon-reload && systemctl enable --now haproxy keepalived
[root@master-101 ~]#systemctl status haproxy keepalived
#測試一下vip是否能漂移,此處略      
3、部署etcd

3-1、簽發etcd證書

#master-101執行:
#建立一個配置與相關檔案存放的目錄, 以及下載擷取cfssl工具進行CA憑證制作與簽發
[root@master-101 ~]#mkdir -pv /app/k8s-init
[root@master-101 ~]#cd /app/k8s-init
#windows下載cfssl相關工具,下載位址:
https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64 -o /usr/local/bin/cfssl

https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssljson_1.6.1_linux_amd64 -o /usr/local/bin/cfssljson

https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl-certinfo_1.6.1_linux_amd64 -o /usr/local/bin/cfssl-certinfo

#把下載的檔案上傳到該目錄:
[root@master-101 k8s-init]#cp cfssl_1.6.1_linux_amd64 /usr/local/bin/cfssl
[root@master-101 k8s-init]#cp cfssljson_1.6.1_linux_amd64 /usr/local/bin/cfssljson
[root@master-101 k8s-init]#cp cfssl-certinfo_1.6.1_linux_amd64 /usr/local/bin/cfssl-certinfo
[root@master-101 k8s-init]#chmod +x /usr/local/bin/cfssl*
[root@master-101 k8s-init]#cfssl version
溫馨提示:
  cfssl : CFSSL 指令行工具
  cfssljson : 用于從cfssl程式中擷取JSON輸出并将證書、密鑰、證書簽名請求檔案CSR和Bundle寫入到檔案中
  cfssl-certinfo: 可以檢視證書資訊      
#master-101執行:
#建立ca證書:
[root@master-101 k8s-init]#cfssl print-defaults csr > ca-csr.json

[root@master-101 k8s-init]#tee ca-csr.json <<'EOF'
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "beijing",
      "ST": "beijing",
      "O": "k8s",
      "OU": "System"
    }
  ],
  "ca": {
    "expiry": "87600h"
  }
}
EOF

#關鍵參數解析:
CN: Common Name,瀏覽器使用該字段驗證網站是否合法,一般寫的是域名,非常重要。
key:生成證書的算法
hosts:表示哪些主機名(域名)或者IP可以使用此csr申請的證書,為空或者""表示所有的都可以使用(本例中沒有`"hosts": [""]`字段)
names:常見屬性設定
  * C: Country, 國家
  * ST: State,州或者是省份
  * L: Locality Name,地區,城市
  * O: Organization Name,組織名稱,公司名稱(在k8s中常用于指定Group,進行RBAC綁定)
  * OU: Organization Unit Name,組織機關名稱,公司部門
  
溫馨提示: 如果将 expiry 設定為87600h 表示證書過期時間為十年。
==============================================================================================
#CA 證書政策配置檔案
[root@master-101 k8s-init]#cfssl print-defaults config > ca-config.json
[root@master-101 k8s-init]#tee ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      },
      "etcd": {
        "expiry": "87600h",
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF
# 關鍵參數解析:
default 預設政策,指定了證書的預設有效期是10年(87600h)
profile 自定義政策配置
  * kubernetes:表示該配置(profile)的用途是為kubernetes生成證書及相關的校驗工作
  * signing:表示該證書可用于簽名其它證書;生成的 ca.pem 證書中 CA=TRUE
  * server auth:表示可以用該 CA 對 server 提供的證書進行驗證
  * client auth:表示可以用該 CA 對 client 提供的證書進行驗證
  * expiry:也表示過期時間,如果不寫以default中的為準
  
======================================================================================== 
# 利用CA憑證簽名請求配置檔案 ca-csr.json 生成CA憑證和CA私鑰和CSR(證書簽名請求):
[root@master-101 k8s-init]#cfssl gencert -initca ca-csr.json | cfssljson -bare ca

#檢視證書資訊:
[root@master-101 k8s-init]#openssl x509 -in ca.pem -text -noout | grep "Not"      
#master-101執行:
#配置ETCD證書相關檔案以及生成其證書
[root@master-101 k8s-init]#tee etcd-csr.json <<'EOF'
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.100.101",
    "192.168.100.102",
    "192.168.100.103",
    "etcd1",
    "etcd2",
    "etcd3"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "beijing",
      "ST": "beijing",
      "O": "etcd",
      "OU": "System"
    }
  ]
}
EOF

======================================================================================== 
#用ca證書簽發生成etcd證書
[root@master-101 k8s-init]#cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd

[root@master-101 k8s-init]#openssl x509 -in etcd.pem -text -noout | grep "X509v3" -A1      

3-2、部署etcd

#所有Master節點主機執行:
#下載etcd軟體包
下載位址:https://github.com/etcd-io/etcd/releases/download/v3.5.4/etcd-v3.5.4-linux-amd64.tar.gz
#windows下載後上傳

[root@master-101 ~]#tar xf etcd-v3.5.4-linux-amd64.tar.gz
[root@master-101 ~]#cd etcd-v3.5.4-linux-amd64/
[root@master-101 etcd-v3.5.4-linux-amd64]#cp -a etcd* /usr/local/bin/

[root@master-101 ~]#mkdir -pv /etc/etcd/pki
[root@master-101 ~]#cd /app/k8s-init/
[root@master-101 k8s-init]#cp *.pem /etc/etcd/pki/
[root@master-101 k8s-init]#scp /etc/etcd/pki/* 192.168.100.102:
[root@master-101 k8s-init]#scp /etc/etcd/pki/* 192.168.100.103:
#注意: 以上 scp 的目的路徑是遠端登入使用者的家目錄, 需在 master-102/103 上再將 *.pem 移至 /etc/etcd/pki/, 否則下方 etcd.service 指定的證書路徑找不到檔案
#192.168.100.101執行:
[root@master-101 ~]#tee /etc/etcd/etcd.conf <<'EOF'
# [成員配置]
# member 名稱
ETCD_NAME=etcd1
# 存儲資料的目錄(注意需要建立)
ETCD_DATA_DIR="/var/lib/etcd/data"
# 用于監聽用戶端etcdctl或者curl連接配接
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.101:2379,https://127.0.0.1:2379"
# 用于監聽叢集中其它member的連接配接
ETCD_LISTEN_PEER_URLS="https://192.168.100.101:2380"

# [證書配置]
# ETCD_CERT_FILE=/etc/etcd/pki/etcd.pem
# ETCD_KEY_FILE=/etc/etcd/pki/etcd-key.pem
# ETCD_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.pem
# ETCD_CLIENT_CERT_AUTH=true
# ETCD_PEER_CLIENT_CERT_AUTH=true
# ETCD_PEER_CERT_FILE=/etc/etcd/pki/etcd.pem
# ETCD_PEER_KEY_FILE=/etc/etcd/pki/etcd-key.pem
# ETCD_PEER_TRUSTED_CA_FILE=/etc/kubernetes/pki/ca.pem

# [叢集配置]
# 本機位址用于通知用戶端,用戶端通過此IPs與叢集通信;
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.101:2379"
# 本機位址用于通知叢集member與member通信
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.101:2380"
# 描述叢集中所有節點的資訊,本member根據此資訊去聯系其他member
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.100.101:2380,etcd2=https://192.168.100.102:2380,etcd3=https://192.168.100.103:2380"
# 叢集狀态建立叢集時候設定為new,若是想加入某個已經存在的叢集設定為existing
ETCD_INITIAL_CLUSTER_STATE=new
EOF      
#192.168.100.102執行:
[root@master-102 ~]#tee /etc/etcd/etcd.conf <<'EOF'
# [成員配置]
# member 名稱
ETCD_NAME=etcd2
# 存儲資料的目錄(注意需要建立)
ETCD_DATA_DIR="/var/lib/etcd/data"
# 用于監聽用戶端etcdctl或者curl連接配接
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.102:2379,https://127.0.0.1:2379"
# 用于監聽叢集中其它member的連接配接
ETCD_LISTEN_PEER_URLS="https://192.168.100.102:2380"

# [叢集配置]
# 本機位址用于通知用戶端,用戶端通過此IPs與叢集通信;
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.102:2379"
# 本機位址用于通知叢集member與member通信
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.102:2380"
# 描述叢集中所有節點的資訊,本member根據此資訊去聯系其他member
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.100.101:2380,etcd2=https://192.168.100.102:2380,etcd3=https://192.168.100.103:2380"
# 叢集狀态建立叢集時候設定為new,若是想加入某個已經存在的叢集設定為existing
ETCD_INITIAL_CLUSTER_STATE=new
EOF      
#192.168.100.103執行:
[root@master-103 ~]#tee /etc/etcd/etcd.conf <<'EOF'
# [成員配置]
# member 名稱
ETCD_NAME=etcd3
# 存儲資料的目錄(注意需要建立)
ETCD_DATA_DIR="/var/lib/etcd/data"
# 用于監聽用戶端etcdctl或者curl連接配接
ETCD_LISTEN_CLIENT_URLS="https://192.168.100.103:2379,https://127.0.0.1:2379"
# 用于監聽叢集中其它member的連接配接
ETCD_LISTEN_PEER_URLS="https://192.168.100.103:2380"

# [叢集配置]
# 本機位址用于通知用戶端,用戶端通過此IPs與叢集通信;
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.103:2379"
# 本機位址用于通知叢集member與member通信
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.103:2380"
# 描述叢集中所有節點的資訊,本member根據此資訊去聯系其他member
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.100.101:2380,etcd2=https://192.168.100.102:2380,etcd3=https://192.168.100.103:2380"
# 叢集狀态建立叢集時候設定為new,若是想加入某個已經存在的叢集設定為existing
ETCD_INITIAL_CLUSTER_STATE=new
EOF      
#所有master節點執行:
#建立etcd的service檔案,便于systemd管理:

[root@master-101 ~]#mkdir -pv /var/lib/etcd
[root@master-101 ~]#cat > /usr/lib/systemd/system/etcd.service <<EOF
[Unit]
Description=Etcd Server
Documentation=https://github.com/etcd-io/etcd
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
WorkingDirectory=/var/lib/etcd/
EnvironmentFile=-/etc/etcd/etcd.conf
ExecStart=/usr/local/bin/etcd \
  --client-cert-auth \
  --trusted-ca-file /etc/etcd/pki/ca.pem \
  --cert-file /etc/etcd/pki/etcd.pem \
  --key-file /etc/etcd/pki/etcd-key.pem \
  --peer-client-cert-auth \
  --peer-trusted-ca-file /etc/etcd/pki/ca.pem \
  --peer-cert-file /etc/etcd/pki/etcd.pem \
  --peer-key-file /etc/etcd/pki/etcd-key.pem
Restart=on-failure
RestartSec=5
LimitNOFILE=65535
LimitNPROC=65535

[Install]
WantedBy=multi-user.target
EOF

[root@master-101 ~]#systemctl daemon-reload && systemctl enable --now etcd.service
[root@master-101 ~]#systemctl status etcd.service      
#檢視etcd是否正常以及健康狀态:

# 利用 etcdctl 工具檢視叢集成員資訊
export ETCDCTL_API=3
[root@master-101 ~]#etcdctl --endpoints=https://192.168.100.101:2379,https://192.168.100.102:2379,https://192.168.100.103:2379 --cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem" --write-out=table member list

# 叢集節點資訊
[root@master-101 ~]#etcdctl --endpoints=https://192.168.100.101:2379,https://192.168.100.102:2379,https://192.168.100.103:2379 --cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem" --write-out=table endpoint status

# 叢集節點健康狀态
[root@master-101 ~]#etcdctl --endpoints=https://192.168.100.101:2379,https://192.168.100.102:2379,https://192.168.100.103:2379 --cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem"  --write-out=table endpoint health

# 叢集節點性能測試
[root@master-101 ~]#etcdctl --endpoints=https://192.168.100.101:2379,https://192.168.100.102:2379,https://192.168.100.103:2379 --cacert="/etc/etcd/pki/ca.pem" --cert="/etc/etcd/pki/etcd.pem" --key="/etc/etcd/pki/etcd-key.pem" --write-out=table endpoint check perf
4、部署containerd
#所有節點執行:
#下載位址:https://github.com/containerd/containerd/releases/download/v1.6.4/cri-containerd-cni-1.6.4-linux-amd64.tar.gz
#windows下載後上傳
[root@master-101 local]#mkdir cri-containerd-cni
[root@master-101 local]#tar xf cri-containerd-cni-1.6.4-linux-amd64.tar.gz -C cri-containerd-cni
[root@master-101 local]#tree cri-containerd-cni
/usr/local/cri-containerd-cni/
├── etc
│   ├── cni
│   │   └── net.d
│   │       └── 10-containerd-net.conflist
│   ├── crictl.yaml
│   └── systemd
│       └── system
│           └── containerd.service
├── opt
│   ├── cni
│   │   └── bin
│   │       ├── bandwidth
│   │       ├── bridge
│   │       ├── dhcp
│   │       ├── firewall
│   │       ├── host-device
│   │       ├── host-local
│   │       ├── ipvlan
│   │       ├── loopback
│   │       ├── macvlan
│   │       ├── portmap
│   │       ├── ptp
│   │       ├── sbr
│   │       ├── static
│   │       ├── tuning
│   │       ├── vlan
│   │       └── vrf
│   └── containerd
│       └── cluster
│           ├── gce
│           │   ├── cloud-init
│           │   │   ├── master.yaml
│           │   │   └── node.yaml
│           │   ├── cni.template
│           │   ├── configure.sh
│           │   └── env
│           └── version
└── usr
    └── local
        ├── bin
        │   ├── containerd
        │   ├── containerd-shim
        │   ├── containerd-shim-runc-v1
        │   ├── containerd-shim-runc-v2
        │   ├── containerd-stress
        │   ├── crictl
        │   ├── critest
        │   ├── ctd-decoder
        │   └── ctr
        └── sbin
            └── runc


#在所有節點上複制到上述檔案夾到對應目錄中
[root@master-101 local]#cd cri-containerd-cni/
[root@master-101 cri-containerd-cni]#cp -r etc/ /
[root@master-101 cri-containerd-cni]#cp -r opt/ /
[root@master-101 cri-containerd-cni]#cp -r usr/ /      
#所有節點執行:
#配置建立并修改 config.toml
[root@master-101 ~]#mkdir -pv /etc/containerd
[root@master-101 ~]#containerd config default >/etc/containerd/config.toml
[root@master-101 ~]#ls /etc/containerd/config.toml

# pause 鏡像源
[root@master-101 ~]#sed -i "s#k8s.gcr.io/pause#registry.cn-hangzhou.aliyuncs.com/google_containers/pause#g"  /etc/containerd/config.toml

# 使用 SystemdCgroup
[root@master-101 ~]#sed -i 's#SystemdCgroup = false#SystemdCgroup = true#g' /etc/containerd/config.toml

# docker.io mirror
[root@master-101 ~]#sed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]' /etc/containerd/config.toml
[root@master-101 ~]#sed -i '/registry.mirrors."docker.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://xlx9erfu.mirror.aliyuncs.com","https://docker.mirrors.ustc.edu.cn"]' /etc/containerd/config.toml

# gcr.io mirror
[root@master-101 ~]#sed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]' /etc/containerd/config.toml
[root@master-101 ~]#sed -i '/registry.mirrors."gcr.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://gcr.mirrors.ustc.edu.cn"]' /etc/containerd/config.toml

# k8s.gcr.io mirror
[root@master-101 ~]#sed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]' /etc/containerd/config.toml
[root@master-101 ~]#sed -i '/registry.mirrors."k8s.gcr.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://gcr.mirrors.ustc.edu.cn/google-containers/","https://registry.cn-hangzhou.aliyuncs.com/google_containers/"]' /etc/containerd/config.toml

# quay.io mirror
[root@master-101 ~]#sed -i '/registry.mirrors]/a\ \ \ \ \ \ \ \ [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]' /etc/containerd/config.toml
[root@master-101 ~]#sed -i '/registry.mirrors."quay.io"]/a\ \ \ \ \ \ \ \ \ \ endpoint = ["https://quay.mirrors.ustc.edu.cn"]' /etc/containerd/config.toml      
#所有節點執行:
# 配置檔案設定永久生效
[root@master-101 ~]#cat <<EOF > /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF

[root@master-101 ~]#systemctl daemon-reload && systemctl enable --now containerd.service
[root@master-101 ~]#systemctl status containerd.service
[root@master-101 ~]#ctr version
[root@master-101 ~]#runc -v      
#溫馨提示: 當預設 runc 執行提示 runc: symbol lookup error: runc: undefined symbol: seccomp_notify_respond 時,由于上述軟體包中包含的runc對系統依賴過多,所以建議單獨下載安裝 runc 二進制項目(https://github.com/opencontainers/runc/),如下:
wget https://github.com/opencontainers/runc/releases/download/v1.1.1/runc.amd64
# 執行權限賦予
chmod +x runc.amd64
# 替換掉 /usr/local/sbin/ 路徑原軟體包中的 runc
mv runc.amd64 /usr/local/sbin/runc      
