k8s 1.15 single-machine deployment

Date: 2022-07-22

Preparation

Machines

Machine          Role    Deployed services                                                      Notes
192.168.152.167  master  kube-apiserver, kube-scheduler, kube-controller-manager, etcd, calico  kubeadm also runs kubelet and kube-proxy here
192.168.152.168  node1   kubelet, kube-proxy, calico
192.168.152.169  node2   kubelet, kube-proxy, calico

Hosts resolution

Add all three hosts to /etc/hosts on every node:

192.168.152.167 master
192.168.152.168 node1
192.168.152.169 node2

Disable the firewall

systemctl stop firewalld
systemctl disable firewalld

This is acceptable on an isolated lab network. Anywhere else, leave firewalld running and open only the ports kubeadm needs: on the master 6443/tcp (API server), 2379-2380/tcp (etcd) and 10250-10252/tcp (kubelet, scheduler, controller-manager); on the workers 10250/tcp (kubelet) and 30000-32767/tcp (NodePort services); plus 179/tcp between all nodes for Calico BGP. etcd and the kubelet port in particular must never be reachable from outside the cluster: etcd holds every Secret in plain text and the kubelet API can exec into any pod on the node.

Disable SELinux

setenforce 0
vim /etc/selinux/config
SELINUX=disabled

The kubeadm documentation for this release asks for permissive rather than disabled (SELINUX=permissive). Permissive keeps the filesystem labelled, so enforcing mode can be turned back on later without a full relabel, and it is what the kubelet and pod networks needed at the time to access host paths. Either value lets the installation proceed.

Kernel parameters

cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF

Apply them

modprobe br_netfilter
sysctl -p /etc/sysctl.d/k8s.conf

The bridge-nf-call settings send bridged pod traffic through iptables, which kube-proxy and Calico network policy rely on. br_netfilter has to be loaded first, otherwise sysctl reports the net.bridge keys as unknown.

Install ipvs

cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack_ipv4

These modules are what kube-proxy needs for the mode: ipvs setting in the kubeadm configuration further down. On kernels 4.19 and later the conntrack module is simply nf_conntrack (nf_conntrack_ipv4 no longer exists), so adjust the modprobe and grep lines there.

Install ipset and ipvsadm

yum install -y ipset ipvsadm

Time synchronisation

yum install chrony -y
systemctl enable chronyd
systemctl start chronyd
chronyc sources

chronyc sources should list a reachable server marked ^*. Skewed clocks make certificates look not-yet-valid or expired and break bootstrap token TTL checks, so this step matters for more than log timestamps.

Disable swap

The systems used here were installed without a swap partition, so this step can be skipped. If swap exists, turn it off:

swapoff -a

Also comment out any swap entry in /etc/fstab, otherwise swap comes back at the next boot and the kubelet refuses to start.

Set the kernel's swap policy as well

vim /etc/sysctl.d/k8s.conf
vm.swappiness=0

Install Docker

Installation itself is straightforward; follow the current instructions on the Docker website. Afterwards configure the daemon:

vi /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "registry-mirrors": [
    "https://ot2k4d59.mirror.aliyuncs.com/"
  ]
}

Then restart Docker. native.cgroupdriver=systemd makes Docker use the same cgroup driver as the kubelet (kubeadm detects Docker's driver and configures the kubelet to match; a mismatch gives an unstable node). The registry mirror is an Aliyun accelerator for Docker Hub pulls from inside China; substitute your own or drop the key.

Set up the Kubernetes yum repository

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
        https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

The original repo file had gpgcheck=0 and plain http, which means installing unsigned binaries that run as root on every node from whatever the mirror or an on-path attacker serves. The signing keys are already listed in gpgkey, so turn package signature checking on (gpgcheck=1) and fetch over https. repo_gpgcheck=1 additionally verifies the repository metadata signature and is preferable, but some mirrors serve stale or missing repomd.xml.asc files; if it fails against this mirror, keep package signatures on and metadata checking off rather than disabling both.

Install Kubernetes

yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes

installs whatever is newest in the repository. This guide targets v1.15.3 (the kubernetesVersion in kubeadm.yaml below), so use the pinned install instead and do not run both:

yum install -y kubelet-1.15.3 kubeadm-1.15.3 kubectl-1.15.3 --disableexcludes=kubernetes

Enable the kubelet at boot

systemctl enable kubelet.service

The kubelet will restart in a loop until kubeadm init (or join) writes its configuration; that is expected.

Everything up to this point has to be done on every node, the master included. I cloned two identical hosts after this step and only changed their IP addresses; nothing else needed repeating. If you clone VMs, also make sure each one ends up with a unique hostname, MAC address and product_uuid (cat /sys/class/dmi/id/product_uuid): kubeadm uses these to tell nodes apart, and duplicates make nodes overwrite each other's registrations.

Extending kubeadm's certificate validity

kubeadm signs the control plane's leaf certificates (API server, controller manager, scheduler, admin.conf, ...) for one year; only the CA is valid for ten. Changing this means rebuilding kubeadm from source. Before doing so, note that 1.15 already supports renewal without a rebuild: kubeadm alpha certs renew all re-signs every certificate for another year, and kubeadm upgrade renews them as a side effect. Ten-year leaf certificates mean a leaked admin.conf or node key stays usable for a decade, and certificates signed late in the CA's life outlive the CA itself. If you still want to rebuild, fetch the source at the same tag as the installed packages (a build from master would not be 1.15.3):

cd /tmp
git clone --branch v1.15.3 --depth 1 https://github.com/kubernetes/kubernetes.git

Run a container and build inside it:

docker run -it --rm -v /tmp/kubernetes:/go/src/k8s.io/kubernetes bairuijie/k8s-build:latest bash

bairuijie/k8s-build is a personal image on Docker Hub, not a Kubernetes project image; using it means trusting its author with the binary that bootstraps your cluster. The repository's own build/run.sh make WHAT=cmd/kubeadm performs the same build inside the project's kube-cross image and avoids that dependency.

Inside the container, change directory: cd /go/src/k8s.io/kubernetes

In a second terminal on the host, go to /tmp/kubernetes and edit the constant:

vim ./cmd/kubeadm/app/constants/constants.go
CertificateValidity = time.Hour * 24 * 3650     // ten years instead of 365 days
vim cmd/kubeadm/app/util/pkiutil/pki_helpers.go
func NewSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
        serial, err := cryptorand.Int(cryptorand.Reader, new(big.Int).SetInt64(math.MaxInt64))
        if err != nil {
                return nil, err
        }
        if len(cfg.CommonName) == 0 {
                return nil, errors.New("must specify a CommonName")
        }
        if len(cfg.Usages) == 0 {
                return nil, errors.New("must specify at least one ExtKeyUsage")
        }

        certTmpl := x509.Certificate{
                Subject: pkix.Name{
                        CommonName:   cfg.CommonName,
                        Organization: cfg.Organization,
                },
                DNSNames:     cfg.AltNames.DNSNames,
                IPAddresses:  cfg.AltNames.IPs,
                SerialNumber: serial,
                NotBefore:    caCert.NotBefore,
                // v1.15.3 already reads the constant here; if your checkout hardcodes a duration instead,
                // replace it with this line and import kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
                NotAfter:     time.Now().Add(kubeadmconstants.CertificateValidity).UTC(),
                KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
                ExtKeyUsage:  cfg.Usages,
        }
        certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey)
        if err != nil {
                return nil, err
        }
        return x509.ParseCertificate(certDERBytes)
}

Rebuild

make WHAT=cmd/kubeadm GOFLAGS=-v

Once the build succeeds, replace the packaged kubeadm with the new binary:

cp ./_output/local/bin/linux/amd64/kubeadm /usr/bin/kubeadm

Run kubeadm version afterwards; it should still report v1.15.3 so that it matches the kubelet. A later yum update of the kubeadm package silently overwrites this binary with the stock one-year build, so exclude the package from updates or keep a copy of the rebuilt binary.

Initialise the cluster

Export the default configuration

kubeadm config print init-defaults > kubeadm.yaml

Edit the defaults. Three values deserve attention and are commented below: the bootstrap token, the image repository and the pod subnet.

cat kubeadm.yaml
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef   # print init-defaults writes this same token for everyone; replace it with the output of kubeadm token generate, or delete the bootstrapTokens block so init creates a random one
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 192.168.152.167
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: master
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: gcr.azk8s.cn/google_containers   # Azure China mirror of k8s.gcr.io, since retired; registry.aliyuncs.com/google_containers is a working substitute
kind: ClusterConfiguration
kubernetesVersion: v1.15.3
networking:
  dnsDomain: cluster.local
  podSubnet: 192.168.0.0/16   # Calico's default pool, but it contains the node network 192.168.152.0/24 used here; pick a non-overlapping range such as 10.244.0.0/16 and set CALICO_IPV4POOL_CIDR in calico.yaml to the same value
  serviceSubnet: 10.96.0.0/12
scheduler: {}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs

Anyone who can reach port 6443 and knows the token can join a node to the cluster while the token is valid (24 hours here), and a joined node can read the Secrets of pods scheduled to it, so the well-known default token is a real problem rather than a cosmetic one.
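podSubnet 192.168.0.0/16 in the configuration above contains the node addresses 192.168.152.167-169 used on this page, an overlap that is easy to miss by eye. The following check is written for this page and is not part of kubeadm or Calico: it takes the podSubnet, serviceSubnet and node addresses (embedded here as constructed input copied from the configuration) and reports any node that falls inside a pod or service range, or a pod range that collides with the service range. checkClusterCIDRs and cidrsOverlap are names chosen for this example.

```go
package main

import (
	"fmt"
	"net"
)

// Values copied from the kubeadm.yaml on this page (constructed input for the check).
var (
	podSubnet     = "192.168.0.0/16"
	serviceSubnet = "10.96.0.0/12"
	nodeIPs       = []string{"192.168.152.167", "192.168.152.168", "192.168.152.169"}
)

// cidrsOverlap reports whether two CIDR ranges share any address. Two ranges
// overlap exactly when one of them contains the other's network address.
func cidrsOverlap(a, b *net.IPNet) bool {
	return a.Contains(b.IP) || b.Contains(a.IP)
}

// checkClusterCIDRs returns human-readable problems with the pod/service subnets
// and the node addresses; an empty list means the layout is usable.
func checkClusterCIDRs(pod, svc string, nodes []string) ([]string, error) {
	_, podNet, err := net.ParseCIDR(pod)
	if err != nil {
		return nil, fmt.Errorf("podSubnet %q: %w", pod, err)
	}
	_, svcNet, err := net.ParseCIDR(svc)
	if err != nil {
		return nil, fmt.Errorf("serviceSubnet %q: %w", svc, err)
	}
	var problems []string
	if cidrsOverlap(podNet, svcNet) {
		problems = append(problems, fmt.Sprintf("podSubnet %s overlaps serviceSubnet %s", pod, svc))
	}
	for _, n := range nodes {
		ip := net.ParseIP(n)
		if ip == nil {
			return nil, fmt.Errorf("node address %q is not an IP address", n)
		}
		// A node inside the pod range breaks routing: Calico will hand out pod IPs
		// that collide with real hosts, and node-to-node traffic gets misrouted.
		if podNet.Contains(ip) {
			problems = append(problems, fmt.Sprintf("node %s lies inside podSubnet %s", n, pod))
		}
		if svcNet.Contains(ip) {
			problems = append(problems, fmt.Sprintf("node %s lies inside serviceSubnet %s", n, svc))
		}
	}
	return problems, nil
}

func main() {
	// Compare the page's pod range with a non-overlapping alternative.
	for _, pod := range []string{podSubnet, "10.244.0.0/16"} {
		problems, err := checkClusterCIDRs(pod, serviceSubnet, nodeIPs)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		if len(problems) == 0 {
			fmt.Printf("podSubnet %s: OK\n", pod)
			continue
		}
		for _, p := range problems {
			fmt.Println("PROBLEM:", p)
		}
	}
}
```

Run it with go run before kubeadm init, with your own node addresses substituted. Whatever podSubnet you settle on must also be written into CALICO_IPV4POOL_CIDR in calico.yaml, otherwise Calico allocates from its own default pool and the two disagree.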

Initialise

kubeadm init --config kubeadm.yaml

Keep the kubeadm join line that init prints at the end; it carries the token and the CA hash used below.

Copy the kubeconfig

mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config

admin.conf holds a client certificate in the system:masters group, which is unrestricted cluster-admin. Treat the copy like a root password: keep it mode 600, never commit it, and do not copy it to shared machines.

Add the nodes

Run the join command printed by kubeadm init on node1 and node2:

kubeadm join 192.168.152.167:6443 --token abcdef.0123456789abcdef \
    --discovery-token-ca-cert-hash sha256:deb5158b39948a4592ff48512047ea6e45b288c248872724a28f15008962178b

The hash is the SHA-256 of the cluster CA's public key. It lets the joining node verify that it is talking to the real API server before it hands over the token, so always pass it and never fall back to --discovery-token-unsafe-skip-ca-verification. Your cluster's hash will differ from the one above; take it from your own init output.
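To make the certificate-validity change in the rebuild section concrete, and to show what the --discovery-token-ca-cert-hash in the join command actually pins, here is a Go program written for this page (it is not kubeadm code). It creates a throwaway CA with a configurable lifetime, signs a leaf using the same template fields as kubeadm's NewSignedCert but with the validity passed in, reports the days left and whether the leaf outlives its CA, and computes the join hash from the CA's SubjectPublicKeyInfo. All key material is generated at run time; ECDSA P-256 is used in place of kubeadm's RSA keys to keep the run fast. newCA, signLeaf, daysLeft, outlivesCA and discoveryHash are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math"
	"math/big"
	"time"
)

// newCA builds a throwaway self-signed CA for the demonstration (constructed key
// material, not a cluster CA). kubeadm's own CA is issued for ten years.
func newCA(validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(validity).UTC(),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// signLeaf mirrors the template kubeadm's NewSignedCert builds, except that the
// validity is a parameter instead of kubeadmconstants.CertificateValidity.
func signLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"system:masters"}}, // as in admin.conf
		SerialNumber: serial,
		NotBefore:    ca.NotBefore,
		NotAfter:     time.Now().Add(validity).UTC(),
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// daysLeft is the whole number of days until c expires, relative to now (negative once expired).
func daysLeft(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// outlivesCA reports the condition the ten-year patch introduces: a leaf whose
// NotAfter is later than its issuer's, which stops working the day the CA expires.
func outlivesCA(leaf, ca *x509.Certificate) bool {
	return leaf.NotAfter.After(ca.NotAfter)
}

// discoveryHash is the value kubeadm join expects after --discovery-token-ca-cert-hash:
// "sha256:" followed by the hex SHA-256 of the CA's DER-encoded SubjectPublicKeyInfo.
func discoveryHash(ca *x509.Certificate) string {
	sum := sha256.Sum256(ca.RawSubjectPublicKeyInfo)
	return "sha256:" + hex.EncodeToString(sum[:])
}

func main() {
	// A CA with nine years left, i.e. one issued a year ago on a running cluster.
	ca, caKey, err := newCA(9 * 365 * 24 * time.Hour)
	if err != nil {
		panic(err)
	}
	for _, v := range []time.Duration{365 * 24 * time.Hour, 3650 * 24 * time.Hour} {
		leaf, err := signLeaf(ca, caKey, "kubernetes-admin", v)
		if err != nil {
			panic(err)
		}
		fmt.Printf("validity %4d days: expires %s, %d days left, outlives CA: %v\n",
			int(v.Hours()/24), leaf.NotAfter.Format(time.RFC3339), daysLeft(leaf, time.Now()), outlivesCA(leaf, ca))
	}
	fmt.Println("discovery hash:", discoveryHash(ca))
}
```

Run it with go run; the 3650-day leaf is reported as outliving the CA while the 365-day one is not. Against a real cluster, discoveryHash applied to /etc/kubernetes/pki/ca.crt gives the same value as the pipeline documented by kubeadm, openssl x509 -pubkey -in ca.crt | openssl rsa -pubin -outform der | openssl dgst -sha256, which is how to confirm a join line someone hands you. The outlivesCA result is the catch with the ten-year patch: every certificate kubeadm signs after the CA's first day now expires later than the CA, and clients will reject it the moment the CA expires regardless of its own NotAfter.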

Install the network plugin

Download the Calico manifest

wget https://docs.projectcalico.org/v3.8/manifests/calico.yaml

Edit the manifest: in the calico-node DaemonSet, add IP_AUTODETECTION_METHOD so Calico binds to the VM's real interface (ens33 on these VMs; use your NIC name) instead of guessing, and make sure CALICO_IPV4POOL_CIDR in the same env list equals the podSubnet from kubeadm.yaml. The relevant part of the container spec after the edit:

      containers:
        # Runs calico-node container on each Kubernetes node.  This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          image: calico/node:v3.8.2
          env:
            # Use Kubernetes API as the backing datastore.
            - name: DATASTORE_TYPE
              value: "kubernetes"
            - name: IP_AUTODETECTION_METHOD
              value: interface=ens33
            # Wait for the datastore.
            - name: WAIT_FOR_DATASTORE
              value: "true"
            # Set based on the k8s node name.
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Choose the backend to use.
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend

Install Calico

kubectl apply -f calico.yaml

Check that the pods come up

kubectl get pods -n kube-system

Check node status

kubectl get nodes

All three nodes should report Ready once calico-node and coredns are Running. Calico v3.8 matched Kubernetes 1.15 and is long past end of life; use a supported Calico release for anything other than reproducing this lab.