kubeadm安装k8s(版本1.26.4)
系统:20.04.5 LTS (Focal Fossa)
# 基础环境初始优化
1,配置时间同步(生产环境必须),添加hosts解析(必须)
2,关闭swap,ufw防火墙
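#Disable swap: kubeadm's preflight check rejects a node with swap enabled.
#`swapoff -a` turns off every active swap device, and the sed comments out
#any swap entry in fstab (not only /swapfile), so the change survives a reboot
#on hosts that use a swap partition instead of a swap file.
swapoff -a
sed -ri '/\sswap\s/s/^([^#])/#\1/' /etc/fstab
#Stop ufw so host-firewall rules cannot silently drop node/pod traffic;
#if a host firewall is required, add explicit allow rules for the cluster ports instead.
systemctl stop ufw
systemctl disable ufw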
- 3,配置源
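#Point apt at the Tsinghua mirror over https. Keep a one-time backup of the
#original sources.list (cp -n never overwrites an existing backup) so it can be restored.
cp -n /etc/apt/sources.list /etc/apt/sources.list.orig
sed -i "s@http://.*archive.ubuntu.com@https://mirrors.tuna.tsinghua.edu.cn@g" /etc/apt/sources.list
sed -i "s@http://.*security.ubuntu.com@https://mirrors.tuna.tsinghua.edu.cn@g" /etc/apt/sources.list
apt update
apt upgrade #bring the base system up to date
apt install bash-completion telnet tree lrzsz net-tools vim iftop unzip wget curl ethtool ntpdate #commonly used tools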
4,安装kubeadm,kubectl
指定版本1.26.4-00
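#!/bin/bash
# Install kubeadm/kubelet/kubectl pinned to one version from the Aliyun mirror.
# Run as root. Stops at the first failing step instead of carrying on blindly.
set -euo pipefail

# Override with K8S_VERSION=<apt version> to install another release.
K8S_VERSION=${K8S_VERSION:-1.26.4-00}
KEYRING=/usr/share/keyrings/kubernetes-archive-keyring.gpg

apt-get update
apt-get install -y apt-transport-https ca-certificates curl

# Store the repository key in a dedicated keyring referenced via signed-by,
# rather than `apt-key add`, which is deprecated and trusts the key for every
# repository on the system. The upstream apt-key.gpg is a binary keyring, so it
# can be saved as-is; if the mirror ever serves an ASCII-armored copy, pipe it
# through `gpg --dearmor` first.
mkdir -p "${KEYRING%/*}"
curl -fsSLo "$KEYRING" https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=$KEYRING] https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main" \
  > /etc/apt/sources.list.d/kubernetes.list
apt-get update

# Fail here, not halfway through the install, if the pinned version is not in the index.
apt-cache madison kubelet kubectl kubeadm | grep -F -- "$K8S_VERSION"
apt-get install -y "kubelet=$K8S_VERSION" "kubectl=$K8S_VERSION" "kubeadm=$K8S_VERSION"
# Hold the packages so a routine `apt upgrade` cannot move the node off the pinned version.
apt-mark hold kubelet kubeadm kubectl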
- 默认安装最新(二选一)
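#Import the repository signing key into a dedicated keyring (referenced via signed-by below)
sudo mkdir -p /usr/share/keyrings
sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
#Fallback copy of the key on a third-party host; prefer the vendor URL above, since a key
#obtained elsewhere cannot be checked against the vendor.
#sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://download.yfklife.cn/blog/cloud/k8s/ubuntu-k8s-apt-key.gpg
#Write the source file. `tee` runs under sudo (a bare `>>` redirect would fail for a non-root
#user), and a plain `>` replaces any earlier copy so re-running does not stack duplicate entries.
echo 'deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://mirrors.tuna.tsinghua.edu.cn/kubernetes/apt kubernetes-xenial main' \
  | sudo tee /etc/apt/sources.list.d/kubernetes.list > /dev/null
#Update and install the latest kubelet/kubeadm/kubectl, then hold them so a routine
#apt upgrade cannot move the node to a different Kubernetes version unplanned.
sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl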
# 转发IPv4并让iptables看到桥接流量(所有节点)
通过运行 lsmod | grep br_netfilter 来验证 br_netfilter 模块是否已加载。
若要显式加载此模块,请运行 sudo modprobe br_netfilter。
为了让 Linux 节点的 iptables 能够正确查看桥接流量,请确认 sysctl 配置中的 net.bridge.bridge-nf-call-iptables 设置为 1。例如:
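# Kernel modules needed by containerd (overlay), by iptables to see bridged
# traffic (br_netfilter) and by kube-proxy's IPVS mode (ip_vs*). Written with
# `>` rather than `>>` so that re-running this block does not append duplicates.
sudo tee /etc/modules-load.d/k8s.conf > /dev/null <<EOF
overlay
br_netfilter
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
EOF
# Load each listed module now; the file above only takes effect at boot.
# Read line by line instead of `for i in $(cat ...)` so no word-splitting/globbing applies.
while IFS= read -r mod || [[ -n "$mod" ]]; do
  [[ -z "$mod" || "$mod" == \#* ]] && continue
  sudo modprobe -- "$mod"
done < /etc/modules-load.d/k8s.conf
# https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/README.md
# Newer kernels fold nf_conntrack_ipv4 into nf_conntrack, so match both names.
lsmod | grep -e ip_vs -e nf_conntrack
#Sysctl settings: let iptables see bridged traffic, enable IPv4 forwarding,
#discourage swapping, and raise the inotify limit for kubelet/log tailing.
#The net.bridge.* keys only exist once br_netfilter is loaded (done above).
sudo tee /etc/sysctl.d/k8s.conf > /dev/null <<EOF
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
vm.swappiness = 0
fs.inotify.max_user_instances=81920
EOF
# Apply every sysctl.d file now, without a reboot
sudo sysctl --system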
# 容器运行时(所有节点)
- 安装docker最新版本
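#Install docker-ce/containerd.io from one of two mirrors. Both variants keep the Docker
#signing key in a dedicated keyring referenced via signed-by instead of `apt-key add`
#(deprecated, and it would trust the key for every repository on the system).
sudo apt-get install -y apt-transport-https ca-certificates curl gnupg2 software-properties-common
sudo install -m 0755 -d /etc/apt/keyrings

#Pick the mirror: DOCKER_MIRROR=aliyun (default) or DOCKER_MIRROR=tuna
case "${DOCKER_MIRROR:-aliyun}" in
  aliyun)
    key_url=https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg
    repo_url=https://mirrors.aliyun.com/docker-ce/linux/ubuntu
    ;;
  tuna)
    key_url=https://download.docker.com/linux/ubuntu/gpg
    #Fallback copy of the key on a third-party host; prefer the vendor URL above:
    #key_url=https://download.yfklife.cn/blog/cloud/docker/gpg
    repo_url=https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu
    ;;
  *)
    printf 'unknown DOCKER_MIRROR=%s (expected aliyun or tuna)\n' "$DOCKER_MIRROR" >&2
    exit 1
    ;;
esac

#`--yes` lets a re-run overwrite the existing keyring instead of prompting
curl -fsSL "$key_url" | sudo gpg --dearmor --yes -o /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] $repo_url $(lsb_release -cs) stable" \
  | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
#Refresh the index after adding the source, then install
sudo apt-get update
sudo apt-get install -y docker-ce containerd.io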
# List the images known to the CRI runtime (`image` is an alias of `images`)
crictl images
查看镜像,会出现一个 WARN,一个 ERRO ,可以通过下面两个配置去除
# Persist both CRI endpoints in crictl's config in one call (`--set key=value`)
# so crictl stops probing the legacy socket paths
crictl config \
  --set runtime-endpoint=unix:///run/containerd/containerd.sock \
  --set image-endpoint=unix:///run/containerd/containerd.sock
从1.24开始,使用containerd 启动,使用cri 插件,默认是关闭
生成默认的配置文件: containerd config default > /etc/containerd/config.toml-default
- 启用cri插件
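#Back up the packaged config, then regenerate it from containerd's defaults (cri plugin enabled)
cp -a /etc/containerd/config.toml{,.bak}
containerd config default > /etc/containerd/config.toml
#Use the systemd cgroup driver, matching the kubelet on a systemd host
sed -i 's#SystemdCgroup = false#SystemdCgroup = true#g' /etc/containerd/config.toml
#Point the pause image at the Aliyun mirror. Older containerd defaults name
#k8s.gcr.io, newer ones registry.k8s.io, so match either prefix.
sed -Ei 's#sandbox_image = "(registry\.k8s\.io|k8s\.gcr\.io)#sandbox_image = "registry.aliyuncs.com/google_containers#g' /etc/containerd/config.toml
sed -i 's# max_container_log_line_size = 16384# max_container_log_line_size = 81920#g' /etc/containerd/config.toml
#Relocate containerd's data directory (images, snapshots) to /data; adjust the
#target to the local disk layout. Setting `root = "/data/containerd"` in
#config.toml is the equivalent without a symlink. Guarded so the block can be
#re-run without copying the tree into itself or moving the symlink away.
containerd_root=/var/lib/containerd
containerd_data=/data/containerd
systemctl stop containerd
if [[ ! -L "$containerd_root" ]]; then
  mkdir -p "${containerd_data%/*}"
  cp -a "$containerd_root" "$containerd_data"
  mv "$containerd_root" "${containerd_root}_bak"
  ln -s "$containerd_data" "$containerd_root"
fi
systemctl restart containerd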
- 参考配置 config.toml
如果仓库使用自签证书,服务器需要手动拉取镜像时,把 pem 拷贝到 /etc/ssl/certs/ 下信任;或者配置参数 --plain-http
#disabled_plugins = ["cri"]
root = "/data/containerd" #persistent data: images, snapshots/volumes
state = "/run/containerd" #runtime state: sockets, task directories
#subreaper = true
#oom_score = 0
[grpc]
address = "/run/containerd/containerd.sock"
# uid = 0
# gid = 0
#[debug]
# address = "/run/containerd/debug.sock"
# uid = 0
# gid = 0
# level = "info"
# dev.idocker.io serves a self-signed HTTPS certificate
[plugins."io.containerd.grpc.v1.cri".registry]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."dev.idocker.io"]
endpoint = ["https://dev.idocker.io"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."idocker.io"]
endpoint = ["https://idocker.io"]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
# insecure_skip_verify disables certificate and hostname verification for that
# registry, so anything on the network path can serve substitute images. Prefer
# trusting the registry CA instead: install the pem into the host trust store
# (see above) or set `ca_file = "<path to ca.pem>"` in this same [...tls]
# table, then drop the flag.
[plugins."io.containerd.grpc.v1.cri".registry.configs."dev.idocker.io".tls]
insecure_skip_verify = true
[plugins."io.containerd.grpc.v1.cri".registry.configs."idocker.io".tls]
insecure_skip_verify = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri"]
# NOTE(review): insecure_skip_verify belongs under registry.configs."<host>".tls
# (as used above); it is not a documented key of this top-level cri table and
# is presumably ignored here — confirm and remove if so.
insecure_skip_verify = true
device_ownership_from_security_context = false
disable_apparmor = false
disable_cgroup = false
disable_hugetlb_controller = true
disable_proc_mount = false
disable_tcp_service = true
enable_selinux = false
enable_tls_streaming = false
enable_unprivileged_icmp = false
enable_unprivileged_ports = false
ignore_image_defined_volumes = false
max_concurrent_downloads = 3
# maximum size in bytes of one container log line before it is split; the
# install steps above set 81920 — pick one value and keep both places in sync
max_container_log_line_size = 2000000
netns_mounts_under_state_dir = false
restrict_oom_score_adj = false
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.6"
selinux_category_range = 1024
stats_collect_period = 10
stream_idle_timeout = "4h0m0s"
stream_server_address = "127.0.0.1"
stream_server_port = "0"
# legacy flag; the cgroup driver actually in effect is SystemdCgroup under the runc options above
systemd_cgroup = false
tolerate_missing_hugetlb_controller = true
unset_seccomp_profile = ""
# kubeadm安装k8s
# 提前拉取镜像
- 拉取镜像
# Pre-pull the control-plane images from the Aliyun mirror so `kubeadm init` does not stall on downloads
kubeadm config images pull --image-repository=registry.aliyuncs.com/google_containers --kubernetes-version=1.26.4
# kubeadm初始化
# 使用config初始化方式
- 详细配置参数
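# Dump the default InitConfiguration/ClusterConfiguration plus the kube-proxy and
# kubelet component configs as a starting point for `kubeadm init --config`.
# ClusterConfiguration is always part of the output, so it is not passed as a flag
# (`--kubeconfig` expects a kubeconfig file path, not a config kind).
kubeadm config print init-defaults --component-configs KubeProxyConfiguration,KubeletConfiguration > kubeadm-config.yaml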
ClusterConfiguration
ipvs
Github ipvs配置
查看证书过期时间(以 ca.crt 为例):openssl x509 -in ./ca.crt -noout -text |grep Not ,1.26 版本该证书过期时间为10年
kubelet证书轮换
# init 参数方式
kubeadm init参数说明
指定版本 --kubernetes-version=1.26.4
API Server将要广播的监听地址 --apiserver-advertise-address=10.0.0.215
API Server绑定的端口 --apiserver-bind-port 6443
指定镜像仓库 --image-repository 10.0.0.200:80/google_containers
指定svc虚拟IP网段 --service-cidr=10.96.0.0/16
指定pod 网段 --pod-network-cidr=10.244.0.0/16
忽略未关闭swap --ignore-preflight-errors=Swap
--v=5
建议指定pod网段,不然得修改网络POD addons配置:
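# Pin the pod CIDR here so the CNI add-on's default network (canal's manifest
# uses 10.244.0.0/16) matches without editing its manifest. The stray trailing
# backtick from the original line is gone: it would leave an unterminated
# command substitution when pasted into a shell.
# --ignore-preflight-errors=Swap only bypasses the check; disable swap rather than rely on it.
kubeadm init --kubernetes-version=1.26.4 \
  --image-repository registry.aliyuncs.com/google_containers \
  --pod-network-cidr=10.244.0.0/16 \
  --service-cidr=10.96.0.0/16 \
  --v=5 \
  --ignore-preflight-errors=Swap
# admin.conf is a cluster-admin credential: the symlink keeps the single root-owned
# copy (copy and chown it instead if kubectl must run as a non-root user).
mkdir -p "$HOME/.kube"
ln -sf /etc/kubernetes/admin.conf "$HOME/.kube/config"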
# addons插件"Error registering network: failed to acquire lease"
在没有安装网络插件的时候coredns pod一直处于 ContainerCreating 状态
如果init 没有指定“--pod-network-cidr” calico会报错,Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox
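# -f makes curl fail on an HTTP error instead of saving the error page as canal.yaml
# and then applying it; the manifest is pinned to a release tag, so review it once
# before applying cluster-wide RBAC and DaemonSets from it.
curl -fsSLO https://raw.githubusercontent.com/projectcalico/calico/v3.24.5/manifests/canal.yaml
kubectl apply -f canal.yaml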
podSubnet
如果已经创建了集群,查看pod子网:kubectl -n kube-system get cm kubeadm-config -o yaml
# kubeadm join过期
- 方式一
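# Every `token create` call mints a new bootstrap token (24h TTL by default), so the
# join command is captured once and reused for the control-plane variant instead of
# being generated twice.
join_cmd=$(kubeadm token create --print-join-command)
printf '%s\n' "$join_cmd"
#Joining an additional control-plane node (the cluster must have been initialised with controlPlaneEndpoint)
cert_key=$(kubeadm init phase upload-certs --upload-certs | sed -n '$p')
printf '%s --control-plane --certificate-key %s\n' "$join_cmd" "$cert_key"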
- 方式二
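# Capture the token directly from `token create` (it prints the new token) instead of
# grepping `token list`, which returns the first matching token and not necessarily the
# one just created. Default token TTL is 24h.
kubeadm_join_token=$(kubeadm token create)
# SHA-256 of the DER-encoded CA public key — the value --discovery-token-ca-cert-hash pins the join to
kubeadm_join_cert_hash=$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //')
# API server endpoint: override with APISERVER_ENDPOINT=<host:port> for your cluster
apiserver=${APISERVER_ENDPOINT:-192.168.108.100:6443}
printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash sha256:%s\n' "$apiserver" "$kubeadm_join_token" "$kubeadm_join_cert_hash"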