
Deploying Kubernetes v1.25.3 with kubeadm + Calico

1. Environment preparation

Hostname       Additional names                                  IP address   OS
k8s-master01   k8s-master01.wang.org kubeapi.wang.org kubeapi    10.0.0.101   Ubuntu 20.04
k8s-master02   k8s-master02.wang.org                             10.0.0.102   Ubuntu 20.04
k8s-master03   k8s-master03.wang.org                             10.0.0.103   Ubuntu 20.04
k8s-node01     k8s-node01.wang.org                               10.0.0.104   Ubuntu 20.04
k8s-node02     k8s-node02.wang.org                               10.0.0.105   Ubuntu 20.04
k8s-node03     k8s-node03.wang.org                               10.0.0.106   Ubuntu 20.04

kubeapi.wang.org is the control-plane endpoint handed to kubeadm init below. In this lab it is an alias for k8s-master01 only, so even with three masters there is no API-server redundancy; for a highly available control plane it should resolve to a load balancer or VIP in front of all three masters. Decide that before initializing: the API server certificate and every kubeconfig embed the endpoint, so changing it afterwards is painful.

1-1. Set the hostname

# Run on every node, using that node's own name from the table above:
[root@ubuntu2004 ~]# hostnamectl set-hostname k8s-master01

1-2. Disable the firewall

# Run on every node:
[root@k8s-master01 ~]# ufw disable
[root@k8s-master01 ~]# ufw status

# Turning ufw off is the quick route for a lab. If the hosts must keep a firewall, leave ufw on and open what the cluster needs instead: 6443/TCP (API server), 2379-2380/TCP (etcd) and 10250/TCP (kubelet) on the masters, 10250/TCP and 30000-32767/TCP (NodePort services) on the workers, plus 179/TCP and IP-in-IP (protocol 4) between all nodes for Calico's default BGP/IPIP mode.

1-3. Time synchronization

# Run on every node:
[root@k8s-master01 ~]# apt install -y chrony
[root@k8s-master01 ~]# systemctl restart chrony
[root@k8s-master01 ~]# systemctl status chrony
[root@k8s-master01 ~]# chronyc sources
# The source marked ^* is the one the clock is currently synchronized to. Certificate validation and bootstrap-token expiry both depend on the nodes agreeing on the time, so do not skip this check.

1-4. Hostname resolution between nodes

# Run on every node:
[root@k8s-master01 ~]# vim /etc/hosts

10.0.0.101 k8s-master01 k8s-master01.wang.org kubeapi.wang.org kubeapi
10.0.0.102 k8s-master02 k8s-master02.wang.org
10.0.0.103 k8s-master03 k8s-master03.wang.org
10.0.0.104 k8s-node01 k8s-node01.wang.org
10.0.0.105 k8s-node02 k8s-node02.wang.org
10.0.0.106 k8s-node03 k8s-node03.wang.org      

1-5. Disable swap

# Run on every node:
[root@k8s-master01 ~]# sed -r -i '/\/swap/s@^@#@' /etc/fstab
[root@k8s-master01 ~]# swapoff -a
[root@k8s-master01 ~]# systemctl --type swap

# Note: the sed above only comments out fstab lines containing the string "/swap" (a /swapfile entry, for example). A swap partition listed as UUID=... or LABEL=... does not match and would come back at the next boot, so re-check `systemctl --type swap` and /proc/swaps after a reboot rather than trusting the edit. The kubelet refuses to start while swap is active; if swap cannot be disabled, set KUBELET_EXTRA_ARGS="--fail-swap-on=false" in /etc/default/kubelet (the file the kubelet unit sources on Ubuntu) before starting it.
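As an added example (not part of the original post), here is a more robust way to make the swap change persistent: it keys on the fstab type column instead of the string "/swap", reports what is still active, and checks /proc/swaps after swapoff. The function names and the sample fstab lines used to exercise it are this example's own, not the author's.

```shell
#!/bin/sh
# Added example, not from the original post. Comments out swap entries in an fstab by
# the "type" column (3rd field) rather than by the string "/swap", so a swap partition
# given as UUID=... or LABEL=... is caught as well as a /swapfile entry.

# stdin: fstab content; stdout: same content with every active swap entry commented out.
# Lines that are blank or already comments pass through untouched.
comment_swap_entries() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        $3 == "swap"                          { print "#" $0; next }
                                              { print }
    '
}

# stdin: fstab content; stdout: number of swap entries that are still active.
active_swap_entries() {
    awk '!/^[[:space:]]*#/ && $3 == "swap" { n++ } END { print n + 0 }'
}

# Apply the rewrite to a real fstab (default /etc/fstab), keeping a .bak copy, turn off
# swap for the running system, and report what /proc/swaps still lists.
# Run as root on every node:  disable_swap_persistently
disable_swap_persistently() {
    fstab="${1:-/etc/fstab}"
    cp -a "$fstab" "$fstab.bak"
    comment_swap_entries < "$fstab.bak" > "$fstab"
    echo "fstab swap entries still active: $(active_swap_entries < "$fstab")"
    swapoff -a
    # /proc/swaps always has a header line; anything beyond it is a swap area still in use
    if [ "$(wc -l < /proc/swaps)" -gt 1 ]; then
        echo "swap is still active:" >&2
        cat /proc/swaps >&2
        return 1
    fi
    echo "swap is off"
}
```

The awk filter is a drop-in replacement for the post's sed line: it leaves comments and unrelated mounts alone, and it does not double-comment entries that are already disabled.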
2. Install Docker
# Run on every node:

# Install the helper tools
[root@k8s-master01 ~]# apt update
[root@k8s-master01 ~]# apt -y install apt-transport-https ca-certificates curl software-properties-common

# Import the repository signing key. Fetch it over HTTPS: the mirror serves the same key on https://, and pulling a signing key over plain HTTP lets anyone on the path hand you a different one. (apt-key is deprecated but still works on Ubuntu 20.04.)
[root@k8s-master01 ~]# curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | apt-key add -
OK
# Add the repository
[root@k8s-master01 ~]# add-apt-repository "deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"

# Update the index and install Docker CE
[root@k8s-master01 ~]# apt update
[root@k8s-master01 ~]# apt install -y docker-ce
# Run on every node:
The kubelet that kubeadm configures uses systemd as its cgroup driver, and the container engine must use the same one; Docker's default is cgroupfs. So edit /etc/docker/daemon.json and add the following, where registry-mirrors lists the image mirrors to use.

[root@k8s-master01 ~]# vim /etc/docker/daemon.json
{
    "registry-mirrors": [
        "https://docker.mirrors.ustc.edu.cn",
        "https://hub-mirror.c.163.com",
        "https://reg-mirror.qiniu.com",
        "https://registry.docker-cn.com"
    ],
    "exec-opts": ["native.cgroupdriver=systemd"],
    "log-driver": "json-file",
    "log-opts": {
        "max-size": "200m"
    },
    "storage-driver": "overlay2"
}

# docker-ce is already running right after installation, so restart it (a plain start would do nothing and daemon.json would not take effect), then confirm the driver really is systemd:
[root@k8s-master01 ~]# systemctl daemon-reload
[root@k8s-master01 ~]# systemctl restart docker
[root@k8s-master01 ~]# systemctl enable docker
[root@k8s-master01 ~]# docker info --format '{{.CgroupDriver}}'   # expect: systemd
[root@k8s-master01 ~]# docker version
Client: Docker Engine - Community
 Version:           20.10.21
# Note: while deploying a cluster, kubeadm pulls images from Google's registry by default. In 2022 that registry moved to registry.k8s.io, which the author reports as directly reachable from mainland China, so no mirror or proxy is needed for the images. To use a domestic mirror instead, see https://blog.51cto.com/dayu/5811307
3. Install cri-dockerd
# Run on every node:
# Kubernetes 1.24 removed the in-tree dockershim, so the kubelet can only talk to Docker through a CRI adapter; cri-dockerd is that adapter.
# Download from: https://github.com/Mirantis/cri-dockerd (the focal .deb is on the releases page)
[root@k8s-master01 ~]# apt install ./cri-dockerd_0.2.6.3-0.ubuntu-focal_amd64.deb -y

# The package starts cri-docker.service (and its cri-docker.socket) automatically after installation
[root@k8s-master01 ~]# systemctl status cri-docker.service
4. Install kubeadm, kubelet and kubectl
# Run on every node:
# Set up the apt repository for kubelet, kubeadm and friends on each host (see the Alibaba Cloud mirror page for reference)
[root@k8s-master01 ~]# apt update
[root@k8s-master01 ~]# apt install -y apt-transport-https curl
[root@k8s-master01 ~]# curl https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add -
[root@k8s-master01 ~]# cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main
EOF


# Update the index and install. Unpinned, apt installs whatever is newest in the repository; that was 1.25.3 when this was written, but it will not stay that way. Pin the three packages to the version you intend to run and hold them, so a routine apt upgrade cannot move the kubelet out of step with the control plane:
[root@k8s-master01 ~]# apt update
[root@k8s-master01 ~]# apt install -y kubelet=1.25.3-00 kubeadm=1.25.3-00 kubectl=1.25.3-00
[root@k8s-master01 ~]# apt-mark hold kubelet kubeadm kubectl

# Note: do not start the kubelet yet, only enable it so it comes up at boot. Until kubeadm writes its configuration it restarts in a crash loop, which is expected.
[root@k8s-master01 ~]# systemctl enable kubelet

# Confirm the version of kubeadm and the other binaries
[root@k8s-master01 ~]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.3", GitCommit:"434bfd82814af038ad94d62ebe59b133fcb50506", GitTreeState:"clean", BuildDate:"2022-10-12T10:55:36Z", GoVersion:"go1.19.2", Compiler:"gc", Platform:"linux/amd64"}      
5. Integrate the kubelet with cri-dockerd

5-1. Configure cri-dockerd

# Run on every node:

[root@k8s-master01 ~]# vim /usr/lib/systemd/system/cri-docker.service

#ExecStart=/usr/bin/cri-dockerd --container-runtime-endpoint fd://
ExecStart=/usr/bin/cri-dockerd --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.8 --container-runtime-endpoint fd:// --network-plugin=cni --cni-bin-dir=/opt/cni/bin --cni-cache-dir=/var/lib/cni/cache --cni-conf-dir=/etc/cni/net.d



# Explanation:
The parameters to add (each value must match where the CNI plugin is actually installed on the system):
  --pod-infra-container-image: the pause image used for the pod sandbox; pointing it at the Alibaba Cloud mirror avoids a pull from registry.k8s.io, and 3.8 is the version kubeadm lists for v1.25.3 in section 6;
  --network-plugin: the networking plugin model to use, here CNI;
  --cni-bin-dir: the directory searched for CNI plugin binaries;
  --cni-cache-dir: the cache directory used by CNI plugins;
  --cni-conf-dir: the directory CNI plugin configuration is loaded from.
Editing the unit under /usr/lib/systemd/system works, but the next upgrade of the cri-dockerd package overwrites it; a drop-in under /etc/systemd/system/cri-docker.service.d/ survives upgrades. Once configured, reload systemd and restart cri-docker.service.

[root@k8s-master01 ~]# systemctl daemon-reload && systemctl restart cri-docker.service
[root@k8s-master01 ~]# systemctl status cri-docker
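Added example, not from the original post: the same cri-dockerd flags installed as a systemd drop-in, which is the form that survives a package upgrade. The file name 10-cni.conf and the function names are choices made here; the flag values are the ones from the unit edit above.

```shell
#!/bin/sh
# Added example, not from the original post: install the cri-dockerd CNI flags as a
# systemd drop-in. A drop-in in /etc/systemd/system/cri-docker.service.d/ overrides the
# packaged unit and is left alone when the cri-dockerd package is upgraded.

# Print the drop-in. The empty "ExecStart=" line clears the packaged command first;
# without it systemd rejects a second ExecStart on this unit type.
render_cri_docker_dropin() {
    pause_image="$1"; cni_bin="$2"; cni_conf="$3"; cni_cache="$4"
    printf '%s\n' \
        "[Service]" \
        "ExecStart=" \
        "ExecStart=/usr/bin/cri-dockerd --pod-infra-container-image=${pause_image} --container-runtime-endpoint fd:// --network-plugin=cni --cni-bin-dir=${cni_bin} --cni-conf-dir=${cni_conf} --cni-cache-dir=${cni_cache}"
}

# Write the drop-in below the given systemd configuration root (default /etc/systemd/system)
# with the same values the post puts into the unit file, and print the path written.
install_cri_docker_dropin() {
    root="${1:-/etc/systemd/system}"
    dir="$root/cri-docker.service.d"
    mkdir -p "$dir"
    render_cri_docker_dropin \
        "registry.aliyuncs.com/google_containers/pause:3.8" \
        /opt/cni/bin /etc/cni/net.d /var/lib/cni/cache > "$dir/10-cni.conf"
    chmod 0644 "$dir/10-cni.conf"
    printf '%s\n' "$dir/10-cni.conf"
}

# Activate the drop-in and show the command line systemd will now use.
# Usage (as root, on every node):
#   install_cri_docker_dropin && apply_cri_docker_dropin
apply_cri_docker_dropin() {
    systemctl daemon-reload
    systemctl restart cri-docker.service
    systemctl show -p ExecStart cri-docker.service
}
```

`systemctl show -p ExecStart` is the check that the override really replaced, rather than appended to, the packaged command line.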

5-2. Configure the kubelet

# Run on every node:

# Tell the kubelet where cri-dockerd's local Unix socket is; by default it is /run/cri-dockerd.sock
[root@k8s-master01 ~]# mkdir /etc/sysconfig
[root@k8s-master01 ~]# vim /etc/sysconfig/kubelet
KUBELET_KUBEADM_ARGS="--container-runtime=remote --container-runtime-endpoint=/run/cri-dockerd.sock"
[root@k8s-master01 ~]# cat /etc/sysconfig/kubelet
KUBELET_KUBEADM_ARGS="--container-runtime=remote --container-runtime-endpoint=/run/cri-dockerd.sock"

# Note: this step can be skipped in favour of passing "--cri-socket unix:///run/cri-dockerd.sock" to every kubeadm command below, which is what the rest of this post does. That is also the option that actually takes effect here: on Debian/Ubuntu the kubelet.service.d/10-kubeadm.conf drop-in installed by the kubeadm package sources /var/lib/kubelet/kubeadm-flags.env and /etc/default/kubelet, not /etc/sysconfig/kubelet (the RPM-based path), so the file written above is never read. kubeadm records the socket given via --cri-socket in kubeadm-flags.env itself. --container-runtime=remote is redundant on 1.25 as well: since 1.24 "remote" is the only accepted value and the flag is deprecated.
6. Initialize the first control-plane node
# Run on the first control-plane node only:

# List the images Kubernetes needs
[root@k8s-master01 ~]# kubeadm config images list
registry.k8s.io/kube-apiserver:v1.25.3
registry.k8s.io/kube-controller-manager:v1.25.3
registry.k8s.io/kube-scheduler:v1.25.3
registry.k8s.io/kube-proxy:v1.25.3
registry.k8s.io/pause:3.8
registry.k8s.io/etcd:3.5.4-0
registry.k8s.io/coredns/coredns:v1.9.3

# Pull the required images from the Alibaba Cloud mirror
[root@k8s-master01 ~]# kubeadm config images pull --image-repository=registry.aliyuncs.com/google_containers --cri-socket unix:///run/cri-dockerd.sock

[root@k8s-master01 ~]# docker images
REPOSITORY                                                        TAG       IMAGE ID       CREATED        SIZE
registry.aliyuncs.com/google_containers/kube-apiserver            v1.25.3   0346dbd74bcb   3 weeks ago    128MB
registry.aliyuncs.com/google_containers/kube-scheduler            v1.25.3   6d23ec0e8b87   3 weeks ago    50.6MB
registry.aliyuncs.com/google_containers/kube-controller-manager   v1.25.3   603999231275   3 weeks ago    117MB
registry.aliyuncs.com/google_containers/kube-proxy                v1.25.3   beaaf00edd38   3 weeks ago    61.7MB
registry.aliyuncs.com/google_containers/pause                     3.8       4873874c08ef   4 months ago   711kB
registry.aliyuncs.com/google_containers/etcd                      3.5.4-0   a8a176a5d5d6   5 months ago   300MB
registry.aliyuncs.com/google_containers/coredns                   v1.9.3    5185b96f0bec   5 months ago   48.8MB


[root@k8s-master01 ~]# kubeadm init --control-plane-endpoint="kubeapi.wang.org" --kubernetes-version=v1.25.3 --pod-network-cidr=10.244.0.0/16 --service-cidr=10.96.0.0/12 --token-ttl=0 --cri-socket unix:///run/cri-dockerd.sock --upload-certs --image-repository registry.aliyuncs.com/google_containers

# About the flags: --control-plane-endpoint is the shared API address the other masters and the workers join through (it must resolve on every node, see section 1-4); --upload-certs stores the control-plane certificates, encrypted, in a Secret so that additional masters can fetch them with the certificate key printed below; --pod-network-cidr must match the pool Calico uses in section 8. --token-ttl=0 makes the bootstrap token never expire, which is convenient in a lab but not what you want elsewhere: the token lets whoever holds it register a node with the cluster. Keep the default 24h TTL, or run "kubeadm token delete <token>" once all nodes have joined.
# The output below means initialization succeeded; record it, the join commands are needed in section 7:
.....
Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of the control-plane node running the following command on each as root:

  kubeadm join kubeapi.wang.org:6443 --token ef0zsq.srn20wj0qqmbf0zf \
  --discovery-token-ca-cert-hash sha256:5c62350ec29e14de0b621ec4b485fe66f2bce33e9a75e48c662e497f26ef3c3a \
  --control-plane --certificate-key 3edf25d1328f195344b99dac624533a4b46c9de0d1ef3194c491d8733c7f0a1d

Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join kubeapi.wang.org:6443 --token ef0zsq.srn20wj0qqmbf0zf \
  --discovery-token-ca-cert-hash sha256:5c62350ec29e14de0b621ec4b485fe66f2bce33e9a75e48c662e497f26ef3c3a 


[root@k8s-master01 ~]#  mkdir -p $HOME/.kube
[root@k8s-master01 ~]#  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@k8s-master01 ~]#  sudo chown $(id -u):$(id -g) $HOME/.kube/config      
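Added example (not the author's code): helpers that pull the token, CA hash and certificate key out of a saved copy of the kubeadm init output, build the join commands with --cri-socket already appended (the post adds it by hand in section 7), recompute the CA hash from ca.crt so a joining node can check the hash it was given out of band, and revoke bootstrap tokens once joining is done. The function names are this example's; the hash recipe is the one from the kubeadm documentation, with openssl pkey in place of openssl rsa so it also handles EC keys.

```shell
#!/bin/sh
# Added example, not from the original post: helpers around the "kubeadm init" summary.

# Each flag kubeadm prints sits on its own (backslash-continued) line, so a plain grep -o
# per flag is enough; "head -n1" picks the first occurrence when both join blocks are present.
init_endpoint() { grep -o 'kubeadm join [^[:space:]]*' "$1" | head -n1 | awk '{ print $3 }'; }
init_token()    { grep -o -- '--token [^[:space:]]*' "$1" | head -n1 | awk '{ print $2 }'; }
init_ca_hash()  { grep -o -- '--discovery-token-ca-cert-hash sha256:[0-9a-f]*' "$1" | head -n1 | awk '{ print $2 }'; }
init_cert_key() { grep -o -- '--certificate-key [0-9a-f]*' "$1" | head -n1 | awk '{ print $2 }'; }

# Worker join command with --cri-socket already appended.
# args: path to the saved init output, CRI socket URI
worker_join_cmd() {
    printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash %s --cri-socket %s\n' \
        "$(init_endpoint "$1")" "$(init_token "$1")" "$(init_ca_hash "$1")" "$2"
}

# Same for an additional control-plane node (needs the certificate key, valid for two hours).
control_plane_join_cmd() {
    printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash %s --control-plane --certificate-key %s --cri-socket %s\n' \
        "$(init_endpoint "$1")" "$(init_token "$1")" "$(init_ca_hash "$1")" "$(init_cert_key "$1")" "$2"
}

# Recompute the discovery hash: SHA-256 over the DER SubjectPublicKeyInfo of the cluster CA,
# the value kubeadm prints. Run it against /etc/kubernetes/pki/ca.crt on a control-plane node
# and compare with the hash you were handed; a mismatch means the join parameters were altered
# in transit, which is exactly what --discovery-token-ca-cert-hash exists to catch.
ca_cert_hash() {
    openssl x509 -pubkey -noout -in "$1" \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -hex | sed 's/^.* //; s/^/sha256:/'
}

# Once every node has joined, bootstrap tokens are no longer needed. With --token-ttl=0 the
# token from init never expires on its own, so remove all of them explicitly (run on a master).
# A fresh short-lived one can be minted later with: kubeadm token create --ttl 1h --print-join-command
revoke_bootstrap_tokens() {
    kubeadm token list | awk 'NR > 1 { print $1 }' | while read -r tok; do
        kubeadm token delete "$tok"
    done
}
```

Save the init output to a file (for example by running `kubeadm init ... | tee init.log`) and the two *_join_cmd helpers print exactly the commands used in section 7, without retyping 64-character hashes by hand.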
7. Join the remaining nodes
# Run on k8s-master02 and k8s-master03:

# Join k8s-master02 and k8s-master03 as control-plane nodes. Note the --cri-socket flag appended to the printed command; the certificate key is only valid for two hours after init, as the output above says, and can be re-issued with "kubeadm init phase upload-certs --upload-certs" on k8s-master01:
[root@k8s-master03 ~]# kubeadm join kubeapi.wang.org:6443 --token ef0zsq.srn20wj0qqmbf0zf --discovery-token-ca-cert-hash sha256:5c62350ec29e14de0b621ec4b485fe66f2bce33e9a75e48c662e497f26ef3c3a --control-plane --certificate-key 3edf25d1328f195344b99dac624533a4b46c9de0d1ef3194c491d8733c7f0a1d  --cri-socket unix:///run/cri-dockerd.sock


# Run on k8s-node01, k8s-node02 and k8s-node03:
# Join k8s-node01, k8s-node02 and k8s-node03 as workers, again with --cri-socket appended:
[root@k8s-node01 ~]# kubeadm join kubeapi.wang.org:6443 --token ef0zsq.srn20wj0qqmbf0zf --discovery-token-ca-cert-hash sha256:5c62350ec29e14de0b621ec4b485fe66f2bce33e9a75e48c662e497f26ef3c3a --cri-socket unix:///run/cri-dockerd.sock
8. Deploy Calico
# Run on the first control-plane node:
[root@k8s-master01 ~]# apt install zip unzip -y
[root@k8s-master01 ~]# unzip calico-3.24.4.zip
[root@k8s-master01 ~]# cd calico-3.24.4/manifests/

# calico.yaml ships with CALICO_IPV4POOL_CIDR commented out (its default would be 192.168.0.0/16). On a kubeadm cluster Calico detects the pod CIDR from the cluster configuration when the variable is left unset, so the 10.244.0.0/16 given to kubeadm init in section 6 is used; if you do uncomment it, set it to that same value. The IP pool is created on first start and is not changed by re-applying an edited manifest later.
[root@k8s-master01 ~]# kubectl apply -f calico.yaml
[root@k8s-master01 ~]# kubectl get nodes
[root@k8s-master01 ~]# kubectl get pod -A
# Nodes stay NotReady until a CNI plugin is in place; they flip to Ready once the calico-node pod on each of them is Running.
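Added example (not from the original post): set CALICO_IPV4POOL_CIDR in calico.yaml explicitly to the kubeadm pod CIDR, read back what the manifest says, and compare it with the podSubnet kubeadm stored in the kubeadm-config ConfigMap before applying. The function names are this example's; the two commented manifest lines it rewrites are the ones calico.yaml 3.24 ships with.

```shell
#!/bin/sh
# Added example, not from the original post: pin Calico's IP pool to the kubeadm pod CIDR
# and verify the two agree before applying the manifest.

# stdin: calico.yaml; stdout: the same manifest with CALICO_IPV4POOL_CIDR uncommented and
# set to $1. Only the two lines calico.yaml ships commented out are touched.
rewrite_calico_pool_cidr() {
    sed -e 's|^\([[:space:]]*\)# - name: CALICO_IPV4POOL_CIDR$|\1- name: CALICO_IPV4POOL_CIDR|' \
        -e 's|^\([[:space:]]*\)#   value: "192\.168\.0\.0/16"$|\1  value: "'"$1"'"|'
}

# Rewrite a manifest file in place. args: manifest path, CIDR
set_calico_pool_cidr() {
    tmp="$1.tmp.$$"
    rewrite_calico_pool_cidr "$2" < "$1" > "$tmp" && mv "$tmp" "$1"
}

# Print the CIDR an (uncommented) manifest will use, or nothing if it is still commented out,
# in which case Calico falls back to the pod CIDR recorded in the kubeadm configuration.
calico_pool_cidr() {
    awk '/^[[:space:]]*- name: CALICO_IPV4POOL_CIDR$/ {
             getline
             sub(/^[[:space:]]*value: "/, ""); sub(/"$/, "")
             print
         }' "$1"
}

# The pod CIDR kubeadm init was given, as stored in the kubeadm-config ConfigMap.
kubeadm_pod_subnet() {
    kubectl -n kube-system get configmap kubeadm-config \
        -o jsonpath='{.data.ClusterConfiguration}' | awk '/podSubnet:/ { print $2 }'
}

# Usage on the first master, from calico-3.24.4/manifests/:
#   set_calico_pool_cidr calico.yaml "$(kubeadm_pod_subnet)"
#   [ "$(calico_pool_cidr calico.yaml)" = "$(kubeadm_pod_subnet)" ] && kubectl apply -f calico.yaml
#   kubectl wait --for=condition=Ready nodes --all --timeout=300s
#   kubectl -n kube-system get pods -l k8s-app=calico-node -o wide
```

Taking the CIDR from the kubeadm-config ConfigMap rather than retyping it removes the one place where the two halves of the setup can silently disagree; a pool that does not match --pod-network-cidr produces pods that kube-proxy and the scheduler consider outside the cluster network.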