Building a Kubernetes Cluster on CentOS 7
Complete Guide to Building a Kubernetes Cluster on CentOS 7
Based on the documentation provided, this article covers two approaches: a quick setup with kubeadm (recommended for beginners) and a manual setup from binaries (more controllable for production). All steps are adapted to CentOS 7.
I. General prerequisites (required for both approaches)
1. Environment requirements
| Resource | Minimum | Recommended |
|---|---|---|
| Operating system | CentOS 7.x x86_64 | CentOS 7.8+ x86_64 |
| Memory | 2GB | 4GB+ |
| CPU | 2 cores | 4+ cores |
| Disk | 30GB | 50GB+ |
| Network | All nodes reachable from each other, with Internet access | Static IPs; firewall/SELinux disabled |
2. Node plan (three-node example)
| Role | IP address | Hostname |
|---|---|---|
| Master | 192.168.88.130 | k8s-master |
| Worker1 | 192.168.88.131 | k8s-node1 |
| Worker2 | 192.168.88.132 | k8s-node2 |
3. System initialization on all nodes
Run the following commands on every node:
```bash
# 1. Disable the firewall
systemctl stop firewalld && systemctl disable firewalld
systemctl status firewalld
# 2. Disable SELinux
sed -i 's/enforcing/disabled/' /etc/selinux/config   # permanent
setenforce 0                                          # temporary
# 3. Disable swap
swapoff -a                                   # temporary
sed -ri 's/.*swap.*/#&/' /etc/fstab          # permanent
# 4. Set the hostname (each node gets its own)
hostnamectl set-hostname k8s-master   # run on the Master
hostnamectl set-hostname k8s-node1    # run on Worker1
hostnamectl set-hostname k8s-node2    # run on Worker2
# 5. Configure /etc/hosts resolution (all nodes)
cat >> /etc/hosts <<EOF
192.168.88.130 k8s-master
192.168.88.131 k8s-node1
192.168.88.132 k8s-node2
EOF
# 6. Pass bridged traffic to iptables
cat > /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system   # apply the setting
# 7. Time synchronization (if this errors, switch the yum mirror first)
yum install ntpdate -y
ntpdate time.windows.com
```
Back up the YUM repo
```bash
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
# or
mv /etc/yum.repos.d/CentOS-Base.repo{,.$(date -I)}
```
Download a new CentOS-Base.repo into /etc/yum.repos.d/
```bash
# CentOS 5
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-5.repo
# or
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-5.repo
# CentOS 6
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
# or
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
# CentOS 7
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
# or
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
```
Add EPEL
```bash
# CentOS 6
wget -O /etc/yum.repos.d/epel-6.repo http://mirrors.aliyun.com/repo/epel-6.repo
# CentOS 7
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
```
Clear the cache, rebuild it and update yum
```bash
yum clean all
yum makecache
yum update -y
# Remove a stale yum process lock (the core lock file on CentOS 7)
sudo rm -f /var/run/yum.pid
# Also clear a possible rpm database lock (prevents follow-on problems)
sudo rm -f /var/lib/rpm/__db.00*
```
II. Approach 1: Quick setup with kubeadm (recommended)
1. Install Docker (version 18.06.1) on all nodes
```bash
# Configure the Aliyun Docker repo
wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
# Install the pinned Docker version
yum -y install docker-ce-18.06.1.ce-3.el7
# Start Docker and enable it at boot
systemctl enable docker && systemctl start docker
# Configure the Aliyun registry mirror
cat > /etc/docker/daemon.json <<EOF
{
  "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"]
}
EOF
systemctl restart docker
```
2. Install kubeadm, kubelet and kubectl on all nodes
```bash
# Configure the Aliyun Kubernetes repo
cat > /etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
# Install the pinned version (this guide uses v1.17.0)
yum install -y kubelet-1.17.0 kubeadm-1.17.0 kubectl-1.17.0
# Enable kubelet at boot
systemctl enable kubelet
# Reboot the host
reboot
```
3. Deploy the Master node (Master only)
```bash
# Initialize the cluster (use the Aliyun image registry, since gcr.io is unreachable)
kubeadm init \
  --apiserver-advertise-address=192.168.88.130 \
  --image-repository registry.aliyuncs.com/google_containers \
  --kubernetes-version v1.17.0 \
  --service-cidr=10.96.0.0/12 \
  --pod-network-cidr=10.244.0.0/16
# Configure kubectl credentials
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# Check the status of the Master components
kubectl get cs
```
On success, the output ends with the Worker join command; save it. It has this form:
```bash
kubeadm join 192.168.88.130:6443 --token 93upi2.0n366lz463re8rho \
    --discovery-token-ca-cert-hash sha256:836d298f889d2a5cae622bd8eee1bad94bea6b548d1bce1adbf2dd4ed9e81bd1
```
4. Install the CNI network plugin (Flannel)
```bash
# Download the Flannel manifest
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
# Apply it
kubectl apply -f kube-flannel.yml
# Wait for the Flannel Pods to start (about 1-2 minutes)
kubectl get pods -n kube-system
```
5. Join the Worker nodes to the cluster (on every Worker)
Run the kubeadm join command saved earlier:
```bash
kubeadm join 192.168.88.130:6443 --token esce21.q6hetwm8si29qxwn \
    --discovery-token-ca-cert-hash sha256:00603a05805807501d7181c3d60b478788408cfe6cedefedb1f97569708be9c5
```
6. Verify the cluster (on the Master)
```bash
# Show all nodes (every node should be Ready)
kubectl get nodes
# Deploy Nginx as a smoke test
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port=80 --type=NodePort
# Check the Pod and the Service
kubectl get pod,svc
```
Browse to http://NodeIP:&lt;NodePort&gt; on any Worker node (the port is in the 30000-32767 range); if the Nginx welcome page appears, the cluster is up.
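The `--discovery-token-ca-cert-hash` in the join command above is what stops a joining node from trusting an impostor API server: it is `sha256:` followed by the hex SHA-256 of the DER-encoded SubjectPublicKeyInfo of the cluster CA, so a node given a join line should be able to recompute it from the CA certificate kubeadm wrote on the Master (ca.crt under /etc/kubernetes/pki/ by default). The script below is an added example, not code from the page or from kubeadm; it uses only the standard library, and the certificate it builds for offline use is a constructed placeholder with a valid X.509 layout rather than a real signed CA.

```python
"""Recompute kubeadm's --discovery-token-ca-cert-hash from a CA certificate.
Added example, not from the original page: the hash is "sha256:" + hex(SHA-256
over the DER-encoded SubjectPublicKeyInfo of the cluster CA). Standard library only."""
import base64, hashlib, re


def _tlv(buf, pos):
    """Read one DER element at pos -> (tag, value, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem_text):
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem_text))


def spki_der(cert_der):
    """Raw DER bytes of the SubjectPublicKeyInfo field of an X.509 certificate."""
    _, cert_body, _ = _tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert_body, 0)                   # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, _, end = _tlv(tbs, pos)
        fields.append((tag, tbs[pos:end]))           # keep the whole TLV, not just the value
        pos = end
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][1]   # serial, sigAlg, issuer, validity, subject, SPKI


def ca_cert_hash(pem_text):
    """The hash in exactly the form kubeadm prints it."""
    return "sha256:" + hashlib.sha256(spki_der(pem_to_der(pem_text))).hexdigest()


def join_hash_matches(join_command, pem_text):
    """True if the hash embedded in a 'kubeadm join ...' line pins this CA."""
    m = re.search(r"--discovery-token-ca-cert-hash\s+(sha256:[0-9a-f]{64})", join_command)
    return bool(m) and m.group(1) == ca_cert_hash(pem_text)


def der(tag, body):
    """Encode one DER element; used only to build the constructed placeholder cert."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def constructed_ca_pem():
    """Constructed, unsigned placeholder cert with a valid X.509 layout -> (pem, spki)."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + b"\x42" * 270))   # exercises long-form lengths
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki)
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    b64 = base64.encodebytes(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n", spki
```

On a real cluster, pass the PEM text of the Master's CA certificate to `ca_cert_hash` and compare the result with the hash in the join line each Worker was given; a mismatch means the line does not pin this cluster's CA.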
III. Approach 2: Manual setup from binaries (recommended for production)
1. Environment preparation
- Node plan: Master (192.168.88.130), Worker1 (192.168.88.131), Worker2 (192.168.88.132)
- All nodes have completed the general prerequisites
- Software versions: Docker 19-ce, Kubernetes 1.19, Etcd 3.4.9
2. Deploy the Etcd cluster (three-node HA)
2.1 Install the certificate tooling (Master only)
```bash
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl*
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
```
2.2 Generate the Etcd certificates (Master only)
```bash
mkdir -p ~/TLS/etcd && cd ~/TLS/etcd
# Generate the CA certificate
cat > ca-config.json <<EOF
{
  "signing": {
    "default": { "expiry": "87600h" },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
EOF
cat > ca-csr.json <<EOF
{
  "CN": "etcd CA",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing" } ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# Generate the Etcd server certificate (hosts must list every Etcd member IP)
cat > server-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": [ "192.168.88.130", "192.168.88.131", "192.168.88.132" ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing" } ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
```
2.3 Deploy the Etcd nodes (on every Etcd node)
```bash
# Download the Etcd binary package
wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
tar zxvf etcd-v3.4.9-linux-amd64.tar.gz
mkdir -p /opt/etcd/{bin,cfg,ssl}
mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
# Copy the certificates (scp from the Master)
scp root@192.168.88.130:~/TLS/etcd/ca*pem root@192.168.88.130:~/TLS/etcd/server*pem /opt/etcd/ssl/
# Create the config file (change ETCD_NAME and the IPs on each node)
cat > /opt/etcd/cfg/etcd.conf <<EOF
#[Member]
# node 2 uses etcd-2, node 3 uses etcd-3
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# the four URLs below carry the current node's own IP
ETCD_LISTEN_PEER_URLS="https://192.168.88.130:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.88.130:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.88.130:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.88.130:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.88.130:2380,etcd-2=https://192.168.88.131:2380,etcd-3=https://192.168.88.132:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
# Create the systemd unit
cat > /usr/lib/systemd/system/etcd.service <<EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
  --cert-file=/opt/etcd/ssl/server.pem \
  --key-file=/opt/etcd/ssl/server-key.pem \
  --peer-cert-file=/opt/etcd/ssl/server.pem \
  --peer-key-file=/opt/etcd/ssl/server-key.pem \
  --trusted-ca-file=/opt/etcd/ssl/ca.pem \
  --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
  --logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
# Start Etcd
systemctl daemon-reload
systemctl start etcd
systemctl enable etcd
```
2.4 Verify the Etcd cluster
```bash
ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem \
  --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem \
  --endpoints="https://192.168.88.130:2379,https://192.168.88.131:2379,https://192.168.88.132:2379" endpoint health
```
When every endpoint reports healthy, the deployment succeeded.
3. Install Docker (19-ce) on all nodes
```bash
wget https://download.docker.com/linux/static/stable/x86_64/docker-19.03.9.tgz
tar zxvf docker-19.03.9.tgz
mv docker/* /usr/bin/
# Create the systemd unit (\$ keeps the variable literal inside the unquoted heredoc)
cat > /usr/lib/systemd/system/docker.service <<EOF
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP \$MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
EOF
# Configure the registry mirror
mkdir /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
  "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"]
}
EOF
# Start Docker
systemctl daemon-reload
systemctl start docker
systemctl enable docker
```
4. Deploy the Master components (Master only)
4.1 Generate the Kubernetes certificates
```bash
mkdir -p ~/TLS/k8s && cd ~/TLS/k8s
# Generate the CA certificate
cat > ca-config.json <<EOF
{
  "signing": {
    "default": { "expiry": "87600h" },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
EOF
cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System" } ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
# Generate the apiserver certificate (hosts: first service IP, loopback, all node IPs, in-cluster DNS names)
cat > server-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "192.168.88.130",
    "192.168.88.131",
    "192.168.88.132",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
```
4.2 Deploy kube-apiserver
```bash
# Download the Kubernetes server binaries
wget https://dl.k8s.io/v1.19.0/kubernetes-server-linux-amd64.tar.gz
tar zxvf kubernetes-server-linux-amd64.tar.gz
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
cp kubernetes/server/bin/{kube-apiserver,kube-scheduler,kube-controller-manager} /opt/kubernetes/bin/
cp kubernetes/server/bin/kubectl /usr/bin/
# Copy the certificates
cp ~/TLS/k8s/ca*pem ~/TLS/k8s/server*pem /opt/kubernetes/ssl/
# Create the bootstrap token file
cat > /opt/kubernetes/cfg/token.csv <<EOF
c47ffb939f5ca36231d9e3121a252940,kubelet-bootstrap,10001,"system:node-bootstrapper"
EOF
# Create the apiserver config file
cat > /opt/kubernetes/cfg/kube-apiserver.conf <<EOF
KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--etcd-servers=https://192.168.88.130:2379,https://192.168.88.131:2379,https://192.168.88.132:2379 \
--bind-address=192.168.88.130 \
--secure-port=6443 \
--advertise-address=192.168.88.130 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-32767 \
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF
# Create the systemd unit (\$ keeps the variable literal inside the unquoted heredoc)
cat > /usr/lib/systemd/system/kube-apiserver.service <<EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
# Start the apiserver
systemctl daemon-reload
systemctl start kube-apiserver
systemctl enable kube-apiserver
# Authorize the kubelet-bootstrap user
kubectl create clusterrolebinding kubelet-bootstrap \
  --clusterrole=system:node-bootstrapper \
  --user=kubelet-bootstrap
```
4.3 Deploy kube-controller-manager
```bash
cat > /opt/kubernetes/cfg/kube-controller-manager.conf <<EOF
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--leader-elect=true \
--master=127.0.0.1:8080 \
--bind-address=127.0.0.1 \
--allocate-node-cidrs=true \
--cluster-cidr=10.244.0.0/16 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
--experimental-cluster-signing-duration=87600h0m0s"
EOF
cat > /usr/lib/systemd/system/kube-controller-manager.service <<EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl start kube-controller-manager
systemctl enable kube-controller-manager
```
4.4 Deploy kube-scheduler
```bash
cat > /opt/kubernetes/cfg/kube-scheduler.conf <<EOF
KUBE_SCHEDULER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--leader-elect \
--master=127.0.0.1:8080 \
--bind-address=127.0.0.1"
EOF
cat > /usr/lib/systemd/system/kube-scheduler.service <<EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl start kube-scheduler
systemctl enable kube-scheduler
# Check the status of the Master components
kubectl get cs
```
5. Deploy the Worker components (on every Worker)
5.1 Copy the binaries and certificates (scp from the Master)
```bash
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs} /opt/cni/bin
scp root@192.168.88.130:/opt/kubernetes/bin/{kubelet,kube-proxy} /opt/kubernetes/bin/
scp root@192.168.88.130:/usr/bin/kubectl /usr/bin/
scp root@192.168.88.130:/opt/kubernetes/ssl/ca.pem /opt/kubernetes/ssl/
# The kubelet/kube-proxy unit files and the /opt/cni directory are assumed to already exist on the Master
scp root@192.168.88.130:/usr/lib/systemd/system/{kubelet,kube-proxy}.service /usr/lib/systemd/system/
scp -r root@192.168.88.130:/opt/cni/ /opt/
```
5.2 Deploy kubelet
```bash
# Create the kubelet options file (set hostname-override to this node's hostname)
cat > /opt/kubernetes/cfg/kubelet.conf <<EOF
KUBELET_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--hostname-override=k8s-node1 \
--network-plugin=cni \
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
--config=/opt/kubernetes/cfg/kubelet-config.yml \
--cert-dir=/opt/kubernetes/ssl \
--pod-infra-container-image=lizhenliang/pause-amd64:3.0"
EOF
# Create the kubelet configuration file
cat > /opt/kubernetes/cfg/kubelet-config.yml <<EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local
failSwapOn: false
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
evictionHard:
  imagefs.available: 15%
  memory.available: 100Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
EOF
# Generate bootstrap.kubeconfig (the token must match token.csv on the Master)
KUBE_APISERVER="https://192.168.88.130:6443"
TOKEN="c47ffb939f5ca36231d9e3121a252940"
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=bootstrap.kubeconfig
kubectl config set-credentials "kubelet-bootstrap" \
  --token=${TOKEN} \
  --kubeconfig=bootstrap.kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user="kubelet-bootstrap" \
  --kubeconfig=bootstrap.kubeconfig
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
cp bootstrap.kubeconfig /opt/kubernetes/cfg/
# Start kubelet
systemctl daemon-reload
systemctl start kubelet
systemctl enable kubelet
```
5.3 Approve the kubelet certificate request (on the Master)
```bash
# List the certificate signing requests
kubectl get csr
# Approve the request (substitute the actual CSR name)
kubectl certificate approve node-csr-uCEGPOIiDdlLODKts8J658HrFq9CZ--K6M4G7bjhk8A
```
5.4 Deploy kube-proxy
```bash
# Create the kube-proxy options file (set hostnameOverride to this node's hostname)
cat > /opt/kubernetes/cfg/kube-proxy.conf <<EOF
KUBE_PROXY_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--config=/opt/kubernetes/cfg/kube-proxy-config.yml"
EOF
cat > /opt/kubernetes/cfg/kube-proxy-config.yml <<EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: k8s-node1
clusterCIDR: 10.0.0.0/24
EOF
# Generate the kube-proxy certificate (run on the Master, then scp the result to the Workers)
cd ~/TLS/k8s
cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
# Generate kube-proxy.kubeconfig
KUBE_APISERVER="https://192.168.88.130:6443"
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
  --client-certificate=./kube-proxy.pem \
  --client-key=./kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
cp kube-proxy.kubeconfig /opt/kubernetes/cfg/
# Start kube-proxy
systemctl daemon-reload
systemctl start kube-proxy
systemctl enable kube-proxy
```
6. Deploy the CNI network plugin (on the Master)
```bash
# Download the CNI plugins
wget https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-amd64-v0.8.6.tgz
tar zxvf cni-plugins-linux-amd64-v0.8.6.tgz -C /opt/cni/bin
# Deploy Flannel
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
sed -i 's#quay.io/coreos/flannel:.*-amd64#lizhenliang/flannel:v0.12.0-amd64#g' kube-flannel.yml
kubectl apply -f kube-flannel.yml
# Check node status
kubectl get nodes
```
IV. Cluster verification
```bash
# Show all nodes
kubectl get nodes
# Show the system Pods
kubectl get pods -n kube-system
# Deploy a test application
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port=80 --type=NodePort
kubectl get svc nginx
```
V. Troubleshooting
- Node NotReady: check that the Flannel Pod is running and inspect the kubelet log with `journalctl -u kubelet`
- Image pull failures: switch to the Aliyun image registry, or pull the images onto the node ahead of time
- Certificate problems: check the certificate validity period and the hosts configuration, then regenerate the certificates
- Port conflicts: make sure ports 6443, 2379-2380, 10250 and the others used above are free
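The certificate item above usually traces back to the cfssl CSR files written in 2.2 and 4.1: an Etcd member IP left out of `hosts`, or an apiserver CSR whose first service IP does not match `--service-cluster-ip-range` (10.0.0.1 for 10.0.0.0/24 in this guide, which is why that entry is there). The linter below is an added example, not code from the page or from cfssl; it derives the required SANs from the cluster parameters and reads the lifetime from `ca-config.json`, and the sample JSON embedded in it is constructed to mirror the guide's 4.1 files.

```python
"""Lint cfssl CSR/ca-config JSON before 'cfssl gencert' (added example, not from the page).
Checks the two things the troubleshooting list names: the 'hosts' SANs and the lifetime."""
import ipaddress
import json
import re

K8S_DNS_SANS = ("kubernetes", "kubernetes.default", "kubernetes.default.svc",
                "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local")
MAX_DAYS = 365   # this example's own threshold for flagging long-lived certificates


def required_apiserver_sans(service_cidr, master_ips):
    """apiserver cert: first IP of --service-cluster-ip-range (the 'kubernetes' ClusterIP),
    loopback, every master IP that clients dial, and the in-cluster DNS names."""
    first_service_ip = str(ipaddress.ip_network(service_cidr)[1])
    return {first_service_ip, "127.0.0.1", *master_ips, *K8S_DNS_SANS}


def required_etcd_sans(member_ips):
    """Etcd server cert: every IP that appears in ETCD_INITIAL_CLUSTER and the client URLs."""
    return set(member_ips)


def missing_sans(csr, required):
    """Required SANs absent from the CSR's 'hosts' list, sorted for stable output."""
    return sorted(required - set(csr.get("hosts", [])))


def profile_lifetime_days(ca_config, profile):
    """cfssl expiries are Go durations such as '87600h'; return the lifetime in days."""
    expiry = ca_config["signing"]["profiles"][profile]["expiry"]
    match = re.fullmatch(r"(\d+)h", expiry)
    if not match:
        raise ValueError(f"unsupported expiry format: {expiry}")
    return int(match.group(1)) / 24


def lint(csr_json, ca_config_json, profile, required):
    """Human-readable findings for one CSR; an empty list means it is consistent."""
    csr, ca_config = json.loads(csr_json), json.loads(ca_config_json)
    findings = [f"hosts is missing SAN {san}" for san in missing_sans(csr, required)]
    days = profile_lifetime_days(ca_config, profile)
    if days > MAX_DAYS:
        findings.append(f"profile '{profile}' issues {days:.0f}-day certs; plan rotation")
    return findings


# Constructed samples mirroring the guide's 4.1 ca-config.json and apiserver server-csr.json.
CA_CONFIG = json.dumps({"signing": {"default": {"expiry": "87600h"}, "profiles": {
    "kubernetes": {"expiry": "87600h",
                   "usages": ["signing", "key encipherment", "server auth", "client auth"]}}}})
APISERVER_CSR = json.dumps({"CN": "kubernetes", "hosts": [
    "10.0.0.1", "127.0.0.1", "192.168.88.130", "192.168.88.131", "192.168.88.132",
    *K8S_DNS_SANS], "key": {"algo": "rsa", "size": 2048}})
NODES = ["192.168.88.130", "192.168.88.131", "192.168.88.132"]

if __name__ == "__main__":
    for finding in lint(APISERVER_CSR, CA_CONFIG, "kubernetes",
                        required_apiserver_sans("10.0.0.0/24", NODES)):
        print(finding)
```

Run it against the real `server-csr.json` and `ca-config.json` in ~/TLS/etcd and ~/TLS/k8s before signing; the only finding for the guide's own files is the 3650-day lifetime, which is worth a rotation plan rather than a config change.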
