# 环境准备 | 角色 | 主机名 | ip地址 | 配置 | | :----- | -------- | --------------- | ------- | | master | master01 | 192.168.173.100 | 2C4G60G | | node01 | node01 | 192.168.173.101 | 2C2G60G | | node02 | node2 | 192.168.173.102 | 2C2G60G | # 环境初始化 ```bash # 网卡配置 # cat /etc/NetworkManager/system-connections/ens160.nmconnection [ipv4] method=manual address1=192.168.173.100/24,192.168.173.2 dns=114.114.114.114;114.114.115.115 # cat /etc/NetworkManager/system-connections/ens192.nmconnection [connection] autoconnect=false # 调用 nmcli 重启设备和连接配置 nmcli d d ens192 nmcli d r ens160 nmcli c r ens160 ``` ```bash # Rocky 系统软件源更换 sed -e 's|^mirrorlist=|#mirrorlist=|g' \ -e 's|^#baseurl=http://dl.rockylinux.org/$contentdir|baseurl=https://mirrors.aliyun.com/rockylinux|g' \ -i.bak \ /etc/yum.repos.d/[Rr]ocky*.repo dnf makecache # 防火墙修改 firewalld 为 iptables systemctl stop firewalld systemctl disable firewalld yum -y install iptables-services systemctl start iptables iptables -F systemctl enable iptables service iptables save # 禁用 Selinux setenforce 0 sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config grubby --update-kernel ALL --args selinux=0 # 查看是否禁用,grubby --info DEFAULT # 回滚内核层禁用操作,grubby --update-kernel ALL --remove-args selinux # 设置时区 timedatectl set-timezone Asia/Shanghai ``` ```bash # 关闭 swap 分区 swapoff -a sed -i 's:/dev/mapper/rl-swap:#/dev/mapper/rl-swap:g' /etc/fstab # 修改主机名 hostnamectl set-hostname k8s-node01 # 安装 ipvs yum install -y ipvsadm # 开启路由转发 echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf sysctl -p # 加载 bridge yum install -y epel-release yum install -y bridge-utils modprobe br_netfilter echo 'br_netfilter' >> /etc/modules-load.d/bridge.conf echo 'net.bridge.bridge-nf-call-iptables=1' >> /etc/sysctl.conf echo 'net.bridge.bridge-nf-call-ip6tables=1' >> /etc/sysctl.conf sysctl -p ``` ```bash # 添加 docker-ce yum 源 # 中科大(ustc) sudo dnf config-manager --add-repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo cd /etc/yum.repos.d # 切换中科大源 sed -i 's#download.docker.com#mirrors.ustc.edu.cn/docker-ce#g' docker-ce.repo # 安装 docker-ce yum -y install docker-ce # 配置 daemon. cat > /etc/docker/daemon.json < /usr/lib/systemd/system/cri-docker.service [Unit] Description=CRI Interface for Docker Application Container Engine Documentation=https://docs.mirantis.com After=network-online.target firewalld.service docker.service Wants=network-online.target Requires=cri-docker.socket [Service] Type=notify ExecStart=/usr/bin/cri-dockerd --network-plugin=cni --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.8 ExecReload=/bin/kill -s HUP $MAINPID TimeoutSec=0 RestartSec=2 Restart=always StartLimitBurst=3 StartLimitInterval=60s LimitNOFILE=infinity LimitNPROC=infinity LimitCORE=infinity TasksMax=infinity Delegate=yes KillMode=process [Install] WantedBy=multi-user.target EOF # 添加 cri-docker 套接字 cat <<"EOF" > /usr/lib/systemd/system/cri-docker.socket [Unit] Description=CRI Docker Socket for the API PartOf=cri-docker.service [Socket] ListenStream=%t/cri-dockerd.sock SocketMode=0660 SocketUser=root SocketGroup=docker [Install] WantedBy=sockets.target EOF # 启动 cri-docker 对应服务 systemctl daemon-reload systemctl enable cri-docker systemctl start cri-docker systemctl is-active cri-docker ``` ```bash # 添加 kubeadm yum 源 cat < /etc/yum.repos.d/kubernetes.repo [kubernetes] name=Kubernetes baseurl=https://pkgs.k8s.io/core:/stable:/v1.29/rpm/ enabled=1 gpgcheck=1 gpgkey=https://pkgs.k8s.io/core:/stable:/v1.29/rpm/repodata/repomd.xml.key exclude=kubelet kubeadm kubectl cri-tools kubernetes-cni EOF # 安装 kubeadm 1.29 版本 yum install -y kubelet-1.29.0 kubectl-1.29.0 kubeadm-1.29.0 systemctl enable kubelet.service ``` ```bash # 初始化主节点 kubeadm init\ --apiserver-advertise-address=192.168.173.100\ --image-repository registry.aliyuncs.com/google_containers\ --kubernetes-version 1.29.2\ --service-cidr=10.10.0.0/12\ --pod-network-cidr=10.244.0.0/16\ --ignore-preflight-errors=all\ --cri-socket unix:///var/run/cri-dockerd.sock ``` ```bash # node 加入 kubeadm join 192.168.173.100:6443 --token jghzcm.mz6js92jom1flry0 \ --discovery-token-ca-cert-hash sha256:63253f3d82fa07022af61bb2ae799177d2b0b6fe8398d5273098f4288ce67793 --cri-socket unix:///var/run/cri-dockerd.sock # work token 过期后,重新申请 kubeadm token create --print-join-command ``` # 部署网络插件 ```bash https://docs.tigera.io/calico/latest/getting-started/kubernetes/self-managed-onprem/onpremises#install-calico-with-kubernetes-api-datastore-more-than-50-nodes curl https://raw.githubusercontent.com/projectcalico/calico/v3.26.3/manifests/calico-typha.yaml -o calico.yaml CALICO_IPV4POOL_CIDR 指定为 pod 地址 # 修改为 BGP 模式 # Enable IPIP - name: CALICO_IPV4POOL_IPIP value: "Always" #改成Off kubectl apply -f calico-typha.yaml kubectl get pod -A ``` ## 固定网卡(可选) ```bash # 目标 IP 或域名可达 - name: calico-node image: registry.geoway.com/calico/node:v3.19.1 env: # Auto-detect the BGP IP address. - name: IP value: "autodetect" - name: IP_AUTODETECTION_METHOD value: "can-reach=www.google.com" kubectl set env daemonset/calico-node -n kube-system IP_AUTODETECTION_METHOD=can-reach=www.google.com ``` ```bash # 匹配目标网卡 - name: calico-node image: registry.geoway.com/calico/node:v3.19.1 env: # Auto-detect the BGP IP address. - name: IP value: "autodetect" - name: IP_AUTODETECTION_METHOD value: "interface=eth.*" ``` ```bash # 排除匹配网卡 - name: calico-node image: registry.geoway.com/calico/node:v3.19.1 env: # Auto-detect the BGP IP address. - name: IP value: "autodetect" - name: IP_AUTODETECTION_METHOD value: "skip-interface=eth.*" ``` ```bash # CIDR - name: calico-node image: registry.geoway.com/calico/node:v3.19.1 env: # Auto-detect the BGP IP address. - name: IP value: "autodetect" - name: IP_AUTODETECTION_METHOD value: "cidr=192.168.200.0/24,172.15.0.0/24" ``` # 修改kube-proxy 模式为 ipvs ```bash # kubectl edit configmap kube-proxy -n kube-system mode: ipvs kubectl delete pod -n kube-system -l k8s-app=kube-proxy ```