Kubernetes (k8s) High-Availability Setup


1. Basic system settings

1.1 Disable the firewall

systemctl stop firewalld
systemctl disable firewalld

1.2 Disable SELinux

sed -i 's/enforcing/disabled/' /etc/selinux/config  # permanent
setenforce 0  # temporary

1.3 Disable swap

swapoff -a  # temporary
sed -ri 's/.*swap.*/#&/' /etc/fstab    # permanent

1.4 Set the hostname

hostnamectl set-hostname zxhy-master
# 192.168.0.15 is my virtual IP; it will be used for load balancing later
cat >> /etc/hosts << EOF
192.168.0.15 zxhy-vip
192.168.0.14 zxhy-master
192.168.0.222 zxhy-slave1
192.168.0.77 zxhy-slave2
192.168.0.188 zxhy-slave3
192.168.0.193 zxhy-slave4
192.168.0.227 zxhy-slave5
EOF

1.5 Pass bridged IPv4 traffic to the iptables chains

cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system  # apply

1.6 Time synchronisation

yum install ntpdate -y
ntpdate time.windows.com

1.7 Prerequisites for enabling ipvs

modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack

1.8 Install iproute-tc and the dig tool

yum install iproute-tc -y
yum -y install bind-utils

2. Deploy keepalived on all master nodes

2.1 Install the dependencies and keepalived

yum install -y conntrack-tools libseccomp libtool-ltdl
yum install -y keepalived

2.2 Configure the master nodes

master1 configuration

cat > /etc/keepalived/keepalived.conf <<EOF
! Configuration File for keepalived

global_defs {
   router_id k8s
}

vrrp_script check_haproxy {
    script "killall -0 haproxy"
    interval 3
    weight -2
    fall 10
    rise 2
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 250
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass ceb1b3ec013d66163d6ab
    }
    virtual_ipaddress {
        192.168.0.15
    }
    track_script {
        check_haproxy
    }

}
EOF

master2 configuration

cat > /etc/keepalived/keepalived.conf <<EOF
! Configuration File for keepalived

global_defs {
   router_id k8s
}

vrrp_script check_haproxy {
    script "killall -0 haproxy"
    interval 3
    weight -2
    fall 10
    rise 2
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 250
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass ceb1b3ec013d66163d6ab
    }
    virtual_ipaddress {
        192.168.0.15
    }
    track_script {
        check_haproxy
    }

}
EOF
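As an added example that is not part of the original post, the following POSIX shell script lints the keepalived.conf files collected from all masters as one VRRP group: same virtual_router_id, auth_pass and VIP everywhere, exactly one node in state MASTER, and a check_haproxy weight large enough that losing haproxy on the MASTER really moves the VIP. It assumes the file layout shown above; the sample configs are constructed inline from the page's values.

```shell
#!/bin/sh
# Added example, not from the original post: lint the keepalived.conf files of
# all masters as one VRRP group. Files are passed as arguments; sample configs
# are constructed inline by write_sample_configs for demonstration.

kv_get() {  # kv_get FILE KEY -> value of the first "KEY value" line
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

vip_of() {  # vip_of FILE -> first address inside the virtual_ipaddress block
    awk '/virtual_ipaddress/ { inblk = 1; next } inblk { print $1; exit }' "$1"
}

# check_keepalived FILE... -> 0 when the group is consistent, 1 otherwise
check_keepalived() {
    ref_vrid=$(kv_get "$1" virtual_router_id); ref_pass=$(kv_get "$1" auth_pass)
    ref_vip=$(vip_of "$1"); masters=0; p_master=0; p_backup=0; rc=0
    for f in "$@"; do
        [ "$(kv_get "$f" virtual_router_id)" = "$ref_vrid" ] || { echo "$f: virtual_router_id differs"; rc=1; }
        [ "$(kv_get "$f" auth_pass)" = "$ref_pass" ] || { echo "$f: auth_pass differs"; rc=1; }
        [ "$(vip_of "$f")" = "$ref_vip" ] || { echo "$f: virtual_ipaddress differs"; rc=1; }
        p=$(kv_get "$f" priority)
        if [ "$(kv_get "$f" state)" = MASTER ]; then
            masters=$((masters + 1)); p_master=$p
        elif [ "$p" -gt "$p_backup" ]; then
            p_backup=$p
        fi
    done
    [ "$masters" -eq 1 ] || { echo "expected exactly one state MASTER, found $masters"; rc=1; }
    # check_haproxy lowers the MASTER's priority by |weight| while haproxy is
    # down; the VIP only moves if that lowered value falls below the best BACKUP.
    w=$(kv_get "$1" weight); w=${w#-}
    if [ "$masters" -eq 1 ] && [ $((p_master - w)) -ge "$p_backup" ]; then
        echo "haproxy loss on MASTER would not move the VIP ($p_master - $w >= $p_backup)"; rc=1
    fi
    return $rc
}

# write_sample_configs DIR -> constructed configs mirroring the page's values
write_sample_configs() {
    mkcfg() {  # mkcfg FILE STATE PRIORITY AUTH_PASS
        printf 'vrrp_script check_haproxy {\n    script "killall -0 haproxy"\n    weight -2\n}\n' > "$1"
        printf 'vrrp_instance VI_1 {\n    state %s\n    virtual_router_id 51\n    priority %s\n' "$2" "$3" >> "$1"
        printf '    authentication {\n        auth_type PASS\n        auth_pass %s\n    }\n' "$4" >> "$1"
        printf '    virtual_ipaddress {\n        192.168.0.15\n    }\n}\n' >> "$1"
    }
    mkcfg "$1/master1.conf" MASTER 250 ceb1b3ec013d66163d6ab
    mkcfg "$1/master2.conf" BACKUP 250 ceb1b3ec013d66163d6ab
    mkcfg "$1/low-priority.conf" BACKUP 200 ceb1b3ec013d66163d6ab
    mkcfg "$1/wrong-pass.conf" BACKUP 250 wrongpass
}
# usage on real hosts: check_keepalived /path/to/master1.conf /path/to/master2.conf ...
```

With the page's values (both nodes at priority 250, weight -2) the group passes; a BACKUP at priority 200 is flagged because 250 - 2 is still above 200, so a dead haproxy on the MASTER would leave the VIP on a node that no longer forwards to the API servers.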

2.3 Start and check

Run on all three master nodes:

# start keepalived
$ systemctl start keepalived.service
# enable start on boot
$ systemctl enable keepalived.service
# check the service status
$ systemctl status keepalived.service

After starting, check the network interface on master1 to confirm that the VIP 192.168.0.15 is attached:

ip a s eth0

If you are building on cloud servers, remember to request a virtual IP address on the cloud provider's management console, bind it to the three master servers, and add the corresponding network policies; otherwise the virtual IP cannot be pinged.

3. Deploy haproxy

3.1 Install

yum install -y haproxy

3.2 Configure

The configuration is identical on every master node. It declares the master nodes that are proxied to as backends and sets haproxy to listen on port 16443, so port 16443 is the cluster entry point.

In the file below, the main thing to change is the IP addresses in the kubernetes-apiserver backend.

cat > /etc/haproxy/haproxy.cfg << EOF
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
#---------------------------------------------------------------------
# kubernetes apiserver frontend which proxys to the backends
#---------------------------------------------------------------------
frontend kubernetes-apiserver
    mode                 tcp
    bind                 *:16443
    option               tcplog
    default_backend      kubernetes-apiserver
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend kubernetes-apiserver
    mode        tcp
    balance     roundrobin
    server      zxhy-nacos   192.168.0.14:6443 check
    server      zxhy-redis   192.168.0.77:6443 check
    server      zxhy-mysql   192.168.0.222:6443 check
#---------------------------------------------------------------------
# collection haproxy statistics message
#---------------------------------------------------------------------
listen stats
    bind                 *:1080
    stats auth           admin:awesomePassword
    stats refresh        5s
    stats realm          HAProxy\ Statistics
    stats uri            /admin?stats
EOF

3.3 Start and check

Start on all three masters:

# enable start on boot
$ systemctl enable haproxy
# start haproxy
$ systemctl start haproxy
# check the service status
$ systemctl status haproxy

4. Install Docker/kubeadm/kubelet on all nodes

Kubernetes' default CRI (container runtime) is Docker, so install Docker first.

4.1 Install Docker

$ wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
$ yum -y install docker-ce-24.0.5.el7
$ systemctl enable docker && systemctl start docker
$ docker --version
Docker version 24.0.5, build e68fc7a

I use the Huawei Cloud registry mirror here; if you use Alibaba's, change it accordingly.

$ cat > /etc/docker/daemon.json << EOF
{
  "registry-mirrors": ["https://6f09bd673d1d4e8d98dab0ab278fc7c2.mirror.swr.myhuaweicloud.com"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m",
    "max-file": "5"
   }
}
EOF
# restart the docker service
systemctl restart docker

4.2 Install cri-dockerd

Download the cri-dockerd package:

cd /opt
wget https://github.com/Mirantis/cri-dockerd/releases/download/v0.3.6/cri-dockerd-0.3.6.20231018204925.877dc6a4-0.el7.x86_64.rpm

Install the service:

yum install -y cri-dockerd-0.3.6.20231018204925.877dc6a4-0.el7.x86_64.rpm
vim /usr/lib/systemd/system/cri-docker.service
# add the pause image source to the ExecStart line:
--pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.7

systemctl daemon-reload
vim /usr/lib/systemd/system/cri-docker.socket

Start the service and check its status:

# enable start on boot
$ systemctl enable cri-docker
# start cri-docker
$ systemctl start cri-docker
# check the service status
$ systemctl status cri-docker

Check whether the CRI plugin is disabled:

vi /etc/containerd/config.toml
# if disabled_plugins contains "cri", remove it
#disabled_plugins = ["cri"]
disabled_plugins = []

Restart the container runtime:

systemctl restart containerd

4.3 Add the Alibaba Cloud YUM repository

$ cat > /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

4.4 Install kubeadm, kubelet and kubectl

Because versions change frequently, a specific version is pinned here:

$ yum install -y kubelet-1.24.7 kubeadm-1.24.7 kubectl-1.24.7
$ systemctl enable kubelet

4.5 Install kubeadm-cni

Until a network plugin is installed (section 6), the nodes report:

network plugin is not ready: cni config uninitialized

5. Deploy the Kubernetes master

5.1 Create the kubeadm configuration file

Operate on the master that holds the VIP, here master1:

$ mkdir /usr/local/kubernetes/manifests -p

$ cd /usr/local/kubernetes/manifests/

$ vi kubeadm-config.yaml

apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
localAPIEndpoint:
  advertiseAddress: 192.168.0.14
  bindPort: 6443
nodeRegistration:
  criSocket: unix:///var/run/cri-dockerd.sock
  imagePullPolicy: IfNotPresent
  name: zxhy-nacos
  taints: null
---
apiServer:
  certSANs:
    - zxhy-nacos
    - zxhy-redis
    - zxhy-mysql
    - zxhy-vip
    - 192.168.0.14
    - 192.168.0.222
    - 192.168.0.77
    - 192.168.0.15
    - 127.0.0.1
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: "zxhy-vip:16443"
controllerManager: {}
dns: {}
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.24.7
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.1.0.0/16
scheduler: {}
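Added example (not from the original post) covering the haproxy backend list in 3.2 and the certSANs list here: a client that reaches the API server through the VIP verifies the certificate against the controlPlaneEndpoint host, and one that dials a backend directly verifies it against that IP, so every such name or address must be a SAN. The script cross-checks both files and reports any gap; the inputs are constructed inline from the page's values.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check haproxy.cfg against
# kubeadm-config.yaml so the VIP host and every backend IP are in certSANs.
# Sample inputs mirroring the page's values are built by write_sample_inputs.

backend_ips() {  # backend_ips HAPROXY_CFG -> IP of each "server NAME IP:PORT" line
    awk '$1 == "server" { split($3, a, ":"); print a[1] }' "$1"
}

cert_sans() {  # cert_sans KUBEADM_YAML -> entries of the certSANs list
    awk '/^ *certSANs:/ { inlist = 1; next }
         inlist && /^ *- / { sub(/^ *- */, ""); print; next }
         inlist { exit }' "$1"
}

control_plane_host() {  # control_plane_host KUBEADM_YAML -> host of controlPlaneEndpoint
    awk -F'"' '/controlPlaneEndpoint/ { split($2, a, ":"); print a[1]; exit }' "$1"
}

# check_sans HAPROXY_CFG KUBEADM_YAML -> 0 if every required name/IP is a SAN,
# otherwise 1 with one "missing certSAN: X" line per gap
check_sans() {
    sans=" $(cert_sans "$2" | tr '\n' ' ') "
    rc=0
    for need in $(control_plane_host "$2") $(backend_ips "$1"); do
        case "$sans" in
            *" $need "*) ;;
            *) echo "missing certSAN: $need"; rc=1 ;;
        esac
    done
    return $rc
}

write_sample_inputs() {  # write_sample_inputs DIR -> constructed haproxy.cfg + yaml
    {
        echo 'backend kubernetes-apiserver'
        echo '    mode        tcp'
        echo '    server      zxhy-nacos   192.168.0.14:6443 check'
        echo '    server      zxhy-redis   192.168.0.77:6443 check'
        echo '    server      zxhy-mysql   192.168.0.222:6443 check'
    } > "$1/haproxy.cfg"
    {
        echo 'apiServer:'
        echo '  certSANs:'
        for s in zxhy-vip 192.168.0.14 192.168.0.222 192.168.0.77 192.168.0.15; do
            echo "    - $s"
        done
        echo '  extraArgs:'
        echo '    authorization-mode: Node,RBAC'
        echo 'controlPlaneEndpoint: "zxhy-vip:16443"'
    } > "$1/good.yaml"
    grep -v '192.168.0.222' "$1/good.yaml" > "$1/no-slave1.yaml"  # drop one backend
}
```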

5.2 Run on the master1 node

$ kubeadm init --config kubeadm-config.yaml

export KUBECONFIG=/etc/kubernetes/admin.conf

Following the prompts, configure the environment so the kubectl tool can be used:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
$ kubectl get nodes
$ kubectl get pods -n kube-system

Following the prompts, save the following; it will be needed shortly:

kubeadm join zxhy-vip:16443 --token gp4qgj.3x8wal0o2gmbcpis --discovery-token-ca-cert-hash sha256:af5fe3bb4f2ada51967c34053e94ed4c703287e3e26487d6d8dbe450a2550013 --cri-socket=unix:///var/run/cri-dockerd.sock
# if you forgot to copy it, this command regenerates the join command
kubeadm token create --print-join-command
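Added example, not the post's own tooling: before the saved join line is run on another node (sections 7 and 8), the script checks that it targets the VIP endpoint zxhy-vip:16443 rather than a single master, that the token and CA hash are well-formed, that the cri-dockerd socket is set, and that --control-plane is present only for control-plane joins. ca_cert_hash recomputes the discovery hash from the cluster CA with the documented openssl pipeline, so the pinned value can be compared with /etc/kubernetes/pki/ca.crt instead of being trusted from a pasted string.

```shell
#!/bin/sh
# Added example, not from the original post: validate a saved "kubeadm join"
# line against this page's setup before running it on another node, and
# recompute the discovery CA hash from the real CA certificate for comparison.

EXPECT_ENDPOINT="zxhy-vip:16443"                  # keepalived VIP + haproxy port
EXPECT_SOCKET="unix:///var/run/cri-dockerd.sock"  # cri-dockerd, as used on the page

# join_field CMD FLAG -> value given as "--FLAG value" or "--FLAG=value" ("" if absent)
join_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -v f="--$2" '
        hit { print; exit }
        $0 == f { hit = 1; next }
        index($0, f "=") == 1 { print substr($0, length(f) + 2); exit }'
}

# check_join CMD ROLE -> 0 if CMD is consistent for ROLE (control-plane|worker),
# otherwise 1 with one reason per line on stdout
check_join() {
    cmd=$1; role=$2; rc=0
    set -- $cmd
    [ "$1 $2" = "kubeadm join" ] && [ "$3" = "$EXPECT_ENDPOINT" ] \
        || { echo "endpoint is '$3', expected $EXPECT_ENDPOINT"; rc=1; }
    tok=$(join_field "$cmd" token)
    printf '%s\n' "$tok" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$' \
        || { echo "token '$tok' is not a bootstrap token (6.16 chars)"; rc=1; }
    h=$(join_field "$cmd" discovery-token-ca-cert-hash)
    printf '%s\n' "$h" | grep -Eq '^sha256:[0-9a-f]{64}$' \
        || { echo "CA hash '$h' is not sha256:<64 hex digits>"; rc=1; }
    [ "$(join_field "$cmd" cri-socket)" = "$EXPECT_SOCKET" ] \
        || { echo "missing --cri-socket=$EXPECT_SOCKET (docker and containerd are both present)"; rc=1; }
    case " $cmd " in *" --control-plane "*) cp=1 ;; *) cp=0 ;; esac
    if [ "$role" = control-plane ] && [ "$cp" -eq 0 ]; then
        echo "control-plane join must carry --control-plane"; rc=1
    elif [ "$role" = worker ] && [ "$cp" -eq 1 ]; then
        echo "worker join must not carry --control-plane"; rc=1
    fi
    return $rc
}

# ca_cert_hash CA_CRT -> the discovery hash kubeadm prints (SHA-256 of the CA's
# DER-encoded public key); needs openssl, so it is not exercised offline here
ca_cert_hash() {
    printf 'sha256:%s\n' "$(openssl x509 -pubkey -in "$1" \
        | openssl rsa -pubin -outform der 2>/dev/null \
        | openssl dgst -sha256 -hex | sed 's/^.* //')"
}

# Constructed input: the join line printed by kubeadm init on the page
PAGE_JOIN='kubeadm join zxhy-vip:16443 --token gp4qgj.3x8wal0o2gmbcpis --discovery-token-ca-cert-hash sha256:af5fe3bb4f2ada51967c34053e94ed4c703287e3e26487d6d8dbe450a2550013 --cri-socket=unix:///var/run/cri-dockerd.sock'
```

On master1, `ca_cert_hash /etc/kubernetes/pki/ca.crt` should print exactly the hash carried by the join line; any other value means the line was altered or belongs to a different cluster.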

6. Install the cluster network

Fetch the flannel YAML from the official address and run on master1:

mkdir /usr/local/kubernetes/manifests/flannel
cd /usr/local/kubernetes/manifests/flannel
wget -c https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

Install the flannel network:

kubectl apply -f kube-flannel.yml

Check:

kubectl get pods -n kube-system

7. Join the master2 node to the cluster

7.1 Copy the keys and related files

Copy the keys and related files from master1 to master2:

# ssh root@192.168.0.222 mkdir -p /etc/kubernetes/pki/etcd

# scp /etc/kubernetes/admin.conf root@192.168.0.222:/etc/kubernetes

# scp /etc/kubernetes/pki/{ca.*,sa.*,front-proxy-ca.*} root@192.168.0.222:/etc/kubernetes/pki

# scp /etc/kubernetes/pki/etcd/ca.* root@192.168.0.222:/etc/kubernetes/pki/etcd

7.2 Join master2 to the cluster

Run the join command printed by kubeadm init on master1, adding the --control-plane flag so that the node joins as a control-plane (master) node:

kubeadm join zxhy-vip:16443 --token gp4qgj.3x8wal0o2gmbcpis --discovery-token-ca-cert-hash sha256:af5fe3bb4f2ada51967c34053e94ed4c703287e3e26487d6d8dbe450a2550013 --control-plane --cri-socket=unix:///var/run/cri-dockerd.sock

Following the prompts, configure the environment so the kubectl tool can be used:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
$ kubectl get nodes
$ kubectl get pods -n kube-system

7.3 Join master3 to the cluster

Same steps as for node 2.

7.4 Check the status

kubectl get node

kubectl get pods --all-namespaces

8. Join the Kubernetes worker nodes

8.1 Run the join command on node1, node2 and node3

To add new nodes to the cluster, run the kubeadm join command printed by kubeadm init:

kubeadm join zxhy-vip:16443 --token gp4qgj.3x8wal0o2gmbcpis --discovery-token-ca-cert-hash sha256:af5fe3bb4f2ada51967c34053e94ed4c703287e3e26487d6d8dbe450a2550013 --cri-socket=unix:///var/run/cri-dockerd.sock

8.2 Reinstall the cluster network, because new nodes were added

After all nodes have joined, install the flannel network:

# enter the flannel directory
cd /usr/local/kubernetes/manifests/flannel
# delete the previous network
kubectl delete -f kube-flannel.yml
# re-initialise the network
kubectl apply -f kube-flannel.yml

8.3 Check the status

kubectl get node

kubectl get pods --all-namespaces

9. Test the Kubernetes cluster

Create a pod in the Kubernetes cluster and verify that it runs normally:

$ kubectl create deployment nginx --image=nginx
$ kubectl expose deployment nginx --port=80 --type=NodePort
$ kubectl get pod,svc

10. Change the kube-proxy network mode and restart kube-proxy

1. Edit the kube-proxy configuration

kubectl edit cm kube-proxy -n kube-system

Change mode: iptables to mode: ipvs

2. Restart kube-proxy

kubectl get pod -n kube-system | grep kube-proxy |awk '{system("kubectl delete pod "$1" -n kube-system")}'

3. Check the logs

kubectl logs -f -n kube-system kube-proxy-62fk7

11. Frequently used commands

# enter a container
kubectl exec -it nacos-0 bash
# show the DNS server
cat /etc/resolv.conf
# resolve the address of a headless service
dig @10.1.0.10 nacos-headless.default.svc.cluster.local

# add a PreferNoSchedule taint (avoid scheduling on the node where possible)
kubectl taint nodes zxhy-mysql node-role.kubernetes.io/master:PreferNoSchedule
# remove the NoSchedule taint; the trailing "-" means delete
kubectl taint nodes zxhy-mysql node-role.kubernetes.io/master:NoSchedule-
Original article: https://blog.csdn.net/holybird0213/article/details/133993136