1. Temporarily disable SELinux
setenforce 0
2. Disable it permanently
Edit /etc/sysconfig/selinux (on CentOS/RHEL a symlink to /etc/selinux/config). A fresh install usually has SELINUX=enforcing, so match the whole setting rather than only the permissive value, or the sed changes nothing:
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/sysconfig/selinux
Be aware of what this costs: SELinux is a mandatory access control layer between containers and the host. If your runtime and kubelet work with it, prefer SELINUX=permissive, which keeps logging denials, and reserve disabled for cases where something in the stack genuinely needs it.
3. Temporarily turn off swap
swapoff -a
4. Turn swap off permanently
Comment out the swap lines in /etc/fstab
5. Enable forwarding
Starting with Docker 1.13 the default firewall rules changed: the daemon sets the policy of the FORWARD chain in the iptables filter table to DROP, which can stop Pods on different Nodes of a Kubernetes cluster from reaching each other. Reset the policy:
iptables -P FORWARD ACCEPT
Docker applies its rules again every time it starts, so check with iptables -S FORWARD after a Docker restart, or set the policy from a unit ordered after docker.service.
6. Configure the forwarding-related kernel parameters
The two net.bridge keys only exist while the br_netfilter module is loaded; run modprobe br_netfilter first (and add br_netfilter to the modules-load.d file in step 8), otherwise sysctl --system reports them as missing and skips them.
cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0
EOF
sysctl --system
7. Load the IPVS kernel modules
modprobe does not persist across reboots; after a restart the modules have to be loaded again (step 8 automates this).
modprobe ip_vs
modprobe ip_vs_rr
modprobe ip_vs_wrr
modprobe ip_vs_sh
modprobe nf_conntrack_ipv4
lsmod | grep ip_vs
On kernels from 4.19 on, nf_conntrack_ipv4 no longer exists as a separate module (it was folded into nf_conntrack); load nf_conntrack there instead.
8. Make the modules load automatically at boot so this cannot be forgotten
cat >/etc/modules-load.d/k8s-ipvs.conf<<EOF
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack_ipv4
EOF
Enable ip_forward
Check the current value:
cat /proc/sys/net/ipv4/ip_forward
Temporary change:
echo 1 > /proc/sys/net/ipv4/ip_forward
To make it permanent, set the following line in /etc/sysctl.conf (or put it in the /etc/sysctl.d/k8s.conf created in step 6):
net.ipv4.ip_forward = 1
sysctl -p /etc/sysctl.conf
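The host preparation in steps 1 to 8 is easy to get half right: a sed that matched nothing, a module that did not come back after a reboot, a FORWARD policy that Docker reset on restart. The script below, an added example rather than anything from the original post, verifies the end state of those steps. Each check reads a file path, so the same functions run against /etc and /proc on a real node and against constructed files when you want to test the checks themselves. The paths it reads (/etc/selinux/config, /etc/fstab, /proc/swaps, /proc/sys/...) and the --live flag are the example's own conventions, not something the page defines.

```shell
#!/usr/bin/env bash
# Preflight check for the host preparation steps above. Added example, not part of the
# original page. Every check_* function takes the PATH of the file it inspects, so the
# same functions run against /etc and /proc on a real node and against constructed files
# in a test. Run with --live to check the host you are on.

# Print the SELINUX= value from an SELinux config file (last assignment wins).
selinux_mode_from_config() {
  sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# 0 if the config sets SELINUX=disabled, 1 otherwise (if you keep SELinux in
# permissive mode instead, change the expected value here).
check_selinux_config() {
  [ "$(selinux_mode_from_config "$1")" = "disabled" ]
}

# 0 if no uncommented swap entry remains in the given fstab (third field is the fs type).
check_no_swap_in_fstab() {
  ! grep -Ev '^[[:space:]]*#' "$1" | awk '$3 == "swap"' | grep -q .
}

# 0 if a /proc/swaps-style file lists no swap device below its header line.
check_no_active_swap() {
  [ "$(tail -n +2 "$1" 2>/dev/null | grep -c .)" -eq 0 ]
}

# check_sysctl_value <proc-file> <expected>: 0 if the file holds exactly that value.
check_sysctl_value() {
  [ "$(cat "$1" 2>/dev/null | tr -d '[:space:]')" = "$2" ]
}

# check_modules_loaded <lsmod-output-file> <module>...: 0 if every module is in column 1.
check_modules_loaded() {
  local f="$1" m
  shift
  for m in "$@"; do
    if ! awk '{ print $1 }' "$f" | grep -Fqx "$m"; then
      echo "module not loaded: $m" >&2
      return 1
    fi
  done
}

# check_forward_policy <iptables -S FORWARD output file>: 0 if the chain policy is ACCEPT.
check_forward_policy() {
  grep -Fqx -- '-P FORWARD ACCEPT' "$1"
}

# Run all checks against the live host; lsmod and iptables output are snapshotted to files.
preflight() {
  local tmp rc=0
  tmp=$(mktemp -d)
  lsmod > "$tmp/lsmod" 2>/dev/null
  iptables -S FORWARD > "$tmp/forward" 2>/dev/null
  report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; rc=1; fi; }
  report check_selinux_config /etc/selinux/config
  report check_no_swap_in_fstab /etc/fstab
  report check_no_active_swap /proc/swaps
  report check_sysctl_value /proc/sys/net/ipv4/ip_forward 1
  report check_sysctl_value /proc/sys/net/bridge/bridge-nf-call-iptables 1
  report check_sysctl_value /proc/sys/vm/swappiness 0
  report check_forward_policy "$tmp/forward"
  report check_modules_loaded "$tmp/lsmod" ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh
  rm -rf "$tmp"
  return "$rc"
}

if [ "${1:-}" = "--live" ]; then
  preflight
fi
```

Run it once after the steps above and again after a reboot: a FAIL on the modules or the FORWARD policy after a reboot is exactly the failure mode steps 5 and 8 exist to prevent.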
Set the host name
vi /etc/hosts
Add:
172.30.252.1 k8s-master
The address must be the one the master actually listens on; the rest of this page binds the API server and the kubelet to 172.30.252.157, so use whichever is correct for your host.
Deploying the master node
The master node runs the following components:
kube-apiserver
kube-proxy
kube-scheduler
kube-controller-manager
On this page the master also runs a kubelet, configured below, so it can host Pods itself.
Downloading the binary release
Go to the Kubernetes GitHub repository https://github.com/kubernetes/kubernetes, pick the release you want to install (the latest is fine), for example by opening CHANGELOG-1.8.md, and download the Server Binaries. The Linux amd64 archive is at https://dl.k8s.io/v1.8.15/kubernetes-server-linux-amd64.tar.gz. The CHANGELOG tables list a checksum for each archive; compare it with sha256sum of the file you downloaded before unpacking anything from it.
The downloaded archive contains the following files:
https://cdn2.izhong.me/blog/k8s/k8s%20bin%E6%96%87%E4%BB%B6.JPG?x-oss-process=style/dolphin
Copy the binaries (they unpack under kubernetes/server/bin) to the bin directory:
sudo cp kube-apiserver kube-controller-manager kube-proxy kube-scheduler kubelet kubectl /usr/local/bin/
Configuring the apiserver
Talking to the apiserver directly is secured with keys and certificates. Kubernetes uses a PKI; the files can be generated with openssl, and the ones needed here are ca.crt (the CA the apiserver trusts for client certificates), server.crt and server.key (its own TLS identity).
[root@ku0 kubernetes]# vi /etc/kubernetes/apiserver
KUBE_API_ADDRESS="--insecure-bind-address=172.30.252.157"
KUBE_API_PORT="--insecure-port=8010"
KUBE_ETCD_SERVERS="--etcd-servers=http://172.30.252.157:2379"
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.99.100.0/16"
KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,ServiceAccount,LimitRanger,ResourceQuota"
KUBE_API_LOG="--logtostderr=false --log-dir=/var/log/kubernetes --v=2"
KUBE_API_ARGS="--client-ca-file=/etc/kubernetes/pki/ca.crt --tls-cert-file=/etc/kubernetes/pki/server.crt --tls-private-key-file=/etc/kubernetes/pki/server.key"
A few things in this file deserve attention before you copy it. The insecure port is served without any authentication or authorization: whoever can open a TCP connection to 172.30.252.157:8010 is cluster admin. Bind it to 127.0.0.1 or turn it off with --insecure-port=0, and let the other components reach the TLS endpoint (port 6443 by default) through a kubeconfig, as the kubelet below does. --etcd-servers uses plain http, and etcd stores every Secret in the cluster, so that link should use TLS with client certificates or at least be reachable only from the master. 10.99.100.0/16 is not aligned to a /16 boundary and denotes the same network as 10.99.0.0/16; write the aligned form. Finally, create /var/log/kubernetes before starting, since --logtostderr=false sends the logs there.
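The page says the three files come from openssl but does not show how. The script below, an added example and not the author's own tooling, produces a CA and an API server certificate carrying the subject alternative names the apiserver actually needs (the in-cluster service names plus the node's own name and IPs), and verifies the result before you point the flags above at it. The names and IPs it bakes in (k8s-master, 172.30.252.157, and 10.99.0.1 as the first address of the service range 10.99.0.0/16) and the output directory /etc/kubernetes/pki are assumptions taken from this page's configuration; adjust them for your hosts.

```shell
#!/usr/bin/env bash
# Generate the CA and API server certificate that /etc/kubernetes/apiserver refers to.
# Added example, not from the original page. Assumed values (change them for your host):
# master IP 172.30.252.157 and host name k8s-master as used on this page, and 10.99.0.1,
# the first address of the service range 10.99.0.0/16, which in-cluster clients use to
# reach the API server. Usage: ./make-apiserver-certs.sh --generate [/etc/kubernetes/pki]

# Minimal openssl config so "openssl req" does not depend on the system openssl.cnf.
write_req_config() {  # write_req_config <dir>
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
default_md = sha256
prompt = no
[dn]
CN = kubernetes-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_ca <dir>: self-signed CA key and certificate. ca.key never leaves the master.
make_ca() {
  local d="$1"
  write_req_config "$d"
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  chmod 600 "$d/ca.key"
  openssl req -x509 -new -key "$d/ca.key" -days 3650 -config "$d/req.cnf" \
    -subj "/CN=kubernetes-ca" -out "$d/ca.crt"
}

# Classify a SAN entry: dotted-quad -> IP:, anything else -> DNS:.
san_entry() {
  case "$1" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*) printf 'IP:%s' "$1" ;;
    *) printf 'DNS:%s' "$1" ;;
  esac
}

# make_server_cert <dir> <name-or-ip>...: server key + CSR signed by the CA. The SAN list
# always carries the in-cluster service names; the arguments add the node's own names/IPs.
make_server_cert() {
  local d="$1"; shift
  local san="DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local"
  local n
  for n in "$@"; do san="$san,$(san_entry "$n")"; done
  printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\nkeyUsage = critical,digitalSignature,keyEncipherment\n' \
    "$san" > "$d/server.ext"
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null
  chmod 600 "$d/server.key"
  openssl req -new -key "$d/server.key" -config "$d/req.cnf" -subj "/CN=kube-apiserver" -out "$d/server.csr"
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 365 -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null
}

# verify_server_cert <dir> <name-or-ip>...: 0 if server.crt chains to ca.crt and every
# argument is present in its SAN list; otherwise prints the first problem and returns 1.
verify_server_cert() {
  local d="$1"; shift
  local text n pat
  if ! openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1; then
    echo "server.crt does not verify against ca.crt" >&2
    return 1
  fi
  text=$(openssl x509 -in "$d/server.crt" -noout -text)
  for n in "$@"; do
    # "(,|$)" keeps 10.99.0.1 from matching 10.99.0.10; SAN entries are comma separated.
    case "$(san_entry "$n")" in
      IP:*) pat="IP Address:$n(,|$)" ;;
      *)    pat="DNS:$n(,|$)" ;;
    esac
    if ! printf '%s\n' "$text" | grep -Eq "$pat"; then
      echo "missing SAN entry: $n" >&2
      return 1
    fi
  done
}

if [ "${1:-}" = "--generate" ]; then
  dir="${2:-/etc/kubernetes/pki}"   # path assumed from the apiserver config above
  mkdir -p "$dir"
  make_ca "$dir"
  make_server_cert "$dir" k8s-master 172.30.252.157 10.99.0.1
  verify_server_cert "$dir" kubernetes.default.svc k8s-master 172.30.252.157 10.99.0.1 \
    && echo "ca.crt, server.crt and server.key written to $dir"
fi
```

Running it with --generate overwrites an existing CA in the target directory, so keep it to the first run; client certificates for the other components are then issued from the same ca.key with a CSR of their own. A certificate whose SAN list lacks the service IP is the usual cause of Pods failing to talk to the API server over TLS while kubectl from the master works fine.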
Setting up the systemd unit
[jjzhong@k8s-master kubernetes]$ vi /etc/systemd/system/kube-apiserver.service
Enter the following (section names are case-sensitive: it has to be [Unit], not [unit]):
[Unit]
Description=Kubernetes API Server
After=etcd.service
Wants=etcd.service
[Service]
EnvironmentFile=/etc/kubernetes/apiserver
ExecStart=/usr/local/bin/kube-apiserver \
$KUBE_ETCD_SERVERS \
$KUBE_API_ADDRESS \
$KUBE_API_PORT \
$KUBE_SERVICE_ADDRESSES \
$KUBE_ADMISSION_CONTROL \
$KUBE_API_LOG \
$KUBE_API_ARGS
Restart=on-failure
Type=notify
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
systemd-analyze verify /etc/systemd/system/kube-apiserver.service catches section and key typos before you start the service.
Starting the apiserver
[jjzhong@k8s-master kubernetes]$ sudo systemctl start kube-apiserver
[jjzhong@k8s-master kubernetes]$ sudo systemctl enable kube-apiserver
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-apiserver.service to /etc/systemd/system/kube-apiserver.service.
Configuring the kubelet
First create a shared config file. It refers to /etc/kubernetes/kubeconfig; see https://izhong.me/index.php/archives/150/ for how that file is generated.
[jjzhong@k8s-master kubernetes]$ vi config
# logging to stderr means we get it in the systemd journal
KUBE_LOGTOSTDERR="--logtostderr=true"
# journal message level, 0 is debug
KUBE_LOG_LEVEL="--v=0"
# Should this cluster be allowed to run privileged docker containers
KUBE_ALLOW_PRIV="--allow-privileged=false"
# How the controller-manager, scheduler, and proxy find the apiserver
# (none of the units below expand this variable; they use the kubeconfig instead)
KUBE_MASTER="--master=http://172.30.252.157:8010"
# kubeconfig used to reach the apiserver; the units expand $KUBE_CONFIG, so the name must match
KUBE_CONFIG="--kubeconfig=/etc/kubernetes/kubeconfig"
The variable name matters: every unit below passes $KUBE_CONFIG. If this file defines the flag under another name (such as KUBELET_CONFIG), systemd expands $KUBE_CONFIG to an empty string and controller-manager, scheduler and kube-proxy start without a kubeconfig, falling back to http://localhost:8080, where nothing listens on this master (the insecure port here is 8010). The kubeconfig should point at the TLS endpoint with a client certificate rather than at the insecure port.
Set up the kubelet configuration file
[jjzhong@k8s-master kubernetes]$ vi kubelet
KUBELET_ADDRESS="--address=172.30.252.157"
KUBELET_HOSTNAME="--hostname-override=k8s-master"
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"
KUBELET_ARGS="--cluster-dns=172.30.252.157 --cluster-domain=cluster.local --fail-swap-on=false"
Three notes. KUBELET_ADDRESS is not expanded by the unit below, so the kubelet listens on all addresses (its default) unless you add $KUBELET_ADDRESS to ExecStart. The pause image is pulled by the :latest tag, so each node runs whatever that tag points to on the day it first pulls; pin a fixed tag or a digest so the image is reproducible. --fail-swap-on=false is unnecessary once swap is disabled as in steps 3 and 4, and it switches off a check that exists because the kubelet's memory accounting does not work with swap; keep the check.
Set up the kubelet systemd unit
[jjzhong@k8s-master kubernetes]$ vi /etc/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet Server
After=docker.service
Requires=docker.service
[Service]
WorkingDirectory=/var/lib/kubelet
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/kubelet
ExecStart=/usr/local/bin/kubelet --kubeconfig=/etc/kubernetes/kubeconfig \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBE_CONFIG \
$KUBELET_HOSTNAME \
$KUBE_ALLOW_PRIV \
$KUBELET_POD_INFRA_CONTAINER \
$KUBELET_ARGS
Restart=on-failure
[Install]
WantedBy=multi-user.target
Create /var/lib/kubelet before starting the unit; systemd refuses to launch the service if WorkingDirectory does not exist.
Enable it at boot
systemctl enable kubelet
Configuring the controller-manager
Add the controller-manager configuration file
vi /etc/kubernetes/controller-manager
KUBE_CONTROLLER_MANAGER_ARGS="--service-account-private-key-file=/etc/kubernetes/pki/server.key --root-ca-file=/etc/kubernetes/pki/ca.crt "
This reuses the apiserver's TLS key to sign service account tokens. It works because the apiserver, when --service-account-key-file is not given, verifies tokens with its --tls-private-key-file, but a key that signs bearer tokens for every Pod should not double as a TLS serving key: generate a separate key (say sa.key), pass it here, and pass it to the apiserver with --service-account-key-file.
Add the controller-manager systemd unit
vi /etc/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
After=kube-apiserver.service
Requires=kube-apiserver.service
[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/controller-manager
ExecStart=/usr/local/bin/kube-controller-manager \
$KUBE_CONFIG \
$KUBE_CONTROLLER_MANAGER_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
Enable it at boot
[jjzhong@k8s-master kubernetes]$ sudo systemctl enable kube-controller-manager
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /etc/systemd/system/kube-controller-manager.service.
#### Configuring the scheduler
Add the scheduler configuration file
vi /etc/kubernetes/scheduler
KUBE_SCHEDULER_ARGS="--logtostderr=true --log-dir=/var/log/kubernetes --v=2"
Add the scheduler systemd unit
sudo vi /etc/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
After=kube-apiserver.service
Requires=kube-apiserver.service
[Service]
User=root
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/scheduler
ExecStart=/usr/local/bin/kube-scheduler \
$KUBE_CONFIG \
$KUBE_SCHEDULER_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
Enable it at boot (the unit to enable here is kube-scheduler; kube-apiserver was already enabled above)
systemctl enable kube-scheduler
#### Configuring kube-proxy
Add the kube-proxy configuration file; there are no specific parameters for now
vi /etc/kubernetes/proxy
KUBE_PROXY_ARGS=""
With KUBE_PROXY_ARGS empty, kube-proxy runs in its default iptables mode. The ip_vs modules loaded in step 7 are only used if you add --proxy-mode=ipvs here (alpha in 1.8, behind the SupportIPVSProxyMode feature gate); otherwise they sit idle.
Add the kube-proxy systemd unit
[jjzhong@k8s-master kubernetes]$ vi /etc/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/proxy
ExecStart=/usr/local/bin/kube-proxy \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBE_CONFIG \
$KUBE_PROXY_ARGS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
Enable it at boot
[jjzhong@k8s-master kubernetes]$ sudo systemctl enable kube-proxy
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /etc/systemd/system/kube-proxy.service.
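All four units above pass $KUBE_CONFIG to their binaries, and systemd expands a variable that none of a unit's EnvironmentFile= entries define to an empty string rather than failing, so a misspelt or missing KEY= line silently drops a flag. The script below, an added example that is not part of the original page, reads a unit, collects the variables it expands and the environment files it loads, and reports any variable that is defined nowhere. Run against the units on this page it reports KUBE_CONFIG for each of them unless /etc/kubernetes/config defines a variable of exactly that name. The script name and the --check flag are assumptions of the example.

```shell
#!/usr/bin/env bash
# Cross-check a systemd unit against the environment files it loads. Added example, not
# from the original page. systemd expands an undefined $VAR in ExecStart= to nothing, so
# a typo or a missing KEY= line drops a flag without any error in the logs.
# Usage (script name assumed): ./check-unit-vars.sh --check /etc/systemd/system/kube-*.service

# unit_env_files <unit>: paths from EnvironmentFile= lines, with systemd's optional
# "-" prefix (ignore the file if it is missing) stripped.
unit_env_files() {
  sed -n 's/^EnvironmentFile=-\{0,1\}//p' "$1"
}

# unit_vars <unit>: every $NAME referenced anywhere in the unit, one per line, sorted.
unit_vars() {
  grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$1" | tr -d '$' | sort -u
}

# env_names: read environment-file text on stdin, print the NAMEs it assigns.
env_names() {
  sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | sort -u
}

# undefined_unit_vars <unit>: variables the unit expands that no readable
# EnvironmentFile defines. Prints one name per line; prints nothing when all are defined.
undefined_unit_vars() {
  local unit="$1" f v defined=""
  for f in $(unit_env_files "$unit"); do
    if [ -r "$f" ]; then
      defined="$defined
$(env_names < "$f")"
    fi
  done
  for v in $(unit_vars "$unit"); do
    if ! printf '%s\n' "$defined" | grep -Fqx "$v"; then
      printf '%s\n' "$v"
    fi
  done
}

# check_units <unit>...: one line per unit; returns 1 if any unit has undefined variables.
check_units() {
  local u missing rc=0
  for u in "$@"; do
    missing=$(undefined_unit_vars "$u" | tr '\n' ' ')
    if [ -z "$missing" ]; then
      echo "OK       $u"
    else
      echo "MISSING  $u: $missing"
      rc=1
    fi
  done
  return "$rc"
}

if [ "${1:-}" = "--check" ]; then
  shift
  check_units "$@"
fi
```

A unit that the script reports as OK can still pass the wrong value, so after starting each service also confirm the effective command line with systemctl show -p ExecStart <unit> or ps; the point of the check is to catch the silent-empty case, which is the one the logs never show.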
![image][1]
[1]: https://cdn2.izhong.me/blog/k8s/kubernetes.png?x-oss-process=style/dolphin