1. Environment Preparation and System Configuration
Before deploying a Kubernetes cluster, all nodes need a consistent runtime environment. This guide uses CentOS 7 as the example; commands for other Linux distributions may need to be adjusted accordingly.
1.1 Basic System Configuration
First, run the following on all nodes:
```sh
# Disable the firewall
systemctl disable --now firewalld
# Disable SELinux
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
# Disable swap
swapoff -a
sed -ri 's/.*swap.*/#&/' /etc/fstab
# Set up time synchronization
yum install -y chrony
systemctl enable --now chronyd
```
1.2 Kernel Parameter Tuning
Kubernetes has specific requirements for Linux kernel parameters; adjust the following:
```sh
# The bridge and conntrack sysctls below only exist once these modules are loaded
modprobe overlay
modprobe br_netfilter
modprobe nf_conntrack
cat > /etc/sysctl.d/k8s.conf <<EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
fs.may_detach_mounts = 1
vm.overcommit_memory = 1
fs.file-max = 52706963
net.netfilter.nf_conntrack_max = 2310720
EOF
sysctl --system
```
1.3 Install Basic Tools
All nodes need the required tool packages installed:
```sh
yum install -y wget vim net-tools nfs-utils telnet yum-utils device-mapper-persistent-data lvm2 git
```
2. Container Runtime Installation
Kubernetes supports several container runtimes; here we install containerd as the example.
2.1 Install containerd
```sh
# Download containerd
wget https://github.com/containerd/containerd/releases/download/v1.6.8/containerd-1.6.8-linux-amd64.tar.gz
tar Cxzvf /usr/local containerd-1.6.8-linux-amd64.tar.gz
# Create the systemd service
cat > /etc/systemd/system/containerd.service <<EOF
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target

[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Delegate=yes
KillMode=process
Restart=always
LimitNOFILE=infinity

[Install]
WantedBy=multi-user.target
EOF
# Start containerd
systemctl daemon-reload
systemctl enable --now containerd
```
2.2 Configure CNI Plugins
```sh
wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
mkdir -p /opt/cni/bin
tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.1.1.tgz
```
3. Kubernetes Component Installation
3.1 Download the Kubernetes Binaries
Run on the master01 node:
```sh
wget https://dl.k8s.io/v1.25.0/kubernetes-server-linux-amd64.tar.gz
tar -xzf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin
cp kube-apiserver kube-controller-manager kube-scheduler kubectl kubelet kube-proxy /usr/local/bin/
```
3.2 Distribute Components to the Other Nodes
```sh
for NODE in k8s-master02 k8s-master03; do
  scp /usr/local/bin/kube* $NODE:/usr/local/bin/
done
# Worker nodes only need kubelet and kube-proxy
for NODE in k8s-node01 k8s-node02; do
  scp /usr/local/bin/kubelet /usr/local/bin/kube-proxy $NODE:/usr/local/bin/
done
```
4. Certificate Generation and Configuration
4.1 Install the cfssl Tools
```sh
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssl_1.6.3_linux_amd64 -O /usr/local/bin/cfssl
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssljson_1.6.3_linux_amd64 -O /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl*
```
4.2 Generate the CA Certificate
```sh
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "87600h"
      }
    }
  }
}
EOF
cat > ca-csr.json <<EOF
{
  "CN": "Kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "Kubernetes",
      "OU": "CA"
    }
  ]
}
EOF
# cfssljson -bare writes ca.pem and ca-key.pem into this directory, so it must exist
mkdir -p /etc/kubernetes/pki
cfssl gencert -initca ca-csr.json | cfssljson -bare /etc/kubernetes/pki/ca
```
5. High-Availability Architecture Deployment
5.1 Using HAProxy + Keepalived
Install HAProxy and Keepalived on all master nodes:
```sh
yum install -y haproxy keepalived
```
Configure HAProxy:
```sh
cat > /etc/haproxy/haproxy.cfg <<EOF
global
    log 127.0.0.1 local0
    maxconn 2000
    daemon

defaults
    log global
    mode tcp
    timeout connect 5s
    timeout client 50s
    timeout server 50s

frontend k8s-api
    bind *:9443
    default_backend k8s-api-servers

backend k8s-api-servers
    balance roundrobin
    server k8s-master01 192.168.1.31:6443 check
    server k8s-master02 192.168.1.32:6443 check
    server k8s-master03 192.168.1.33:6443 check
EOF
```
Configure Keepalived (master01 node):
```sh
# The health check uses killall, which is provided by the psmisc package
cat > /etc/keepalived/keepalived.conf <<EOF
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight 2
}

vrrp_instance VI_1 {
    interface eth0
    state MASTER
    virtual_router_id 51
    priority 100
    virtual_ipaddress {
        192.168.1.36
    }
    track_script {
        chk_haproxy
    }
}
EOF
```
6. Core Component Deployment
6.1 etcd Cluster Deployment
Configure etcd on all master nodes:
```sh
cat > /etc/etcd/etcd.config.yml <<EOF
name: $(hostname -s)
```
Then write the kube-apiserver startup arguments:
```sh
cat > /etc/kubernetes/apiserver <<EOF
KUBE_API_ARGS="--etcd-servers=https://192.168.1.31:2379,https://192.168.1.32:2379,https://192.168.1.33:2379 \\
  --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt \\
  --etcd-certfile=/etc/kubernetes/pki/etcd/server.crt \\
  --etcd-keyfile=/etc/kubernetes/pki/etcd/server.key \\
  --client-ca-file=/etc/kubernetes/pki/ca.crt \\
  --tls-cert-file=/etc/kubernetes/pki/apiserver.crt \\
  --tls-private-key-file=/etc/kubernetes/pki/apiserver.key \\
  --service-cluster-ip-range=10.96.0.0/12 \\
  --service-node-port-range=30000-32767 \\
  --enable-admission-plugins=NodeRestriction \\
  --authorization-mode=Node,RBAC"
EOF
```
7. Network Plugin Installation
7.1 Install the Calico Network Plugin
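The kube-apiserver argument file is where this guide's authorization, admission and etcd TLS settings live, so it is worth auditing before the control plane starts. The following checker is an added example (not code from the original guide): it parses the KUBE_API_ARGS format written above, including the backslash line continuations, and reports the settings a reviewer would look for, among them the cluster audit logging recommended in section 10. The sample file content is constructed for the example.

```python
"""Audit a /etc/kubernetes/apiserver file (KUBE_API_ARGS format) for security-relevant flags."""
import re
import shlex

# Constructed sample; after the unquoted heredoc the file holds single backslashes before newlines
SAMPLE_APISERVER_FILE = r'''
KUBE_API_ARGS="--etcd-servers=https://192.168.1.31:2379,https://192.168.1.32:2379 \
--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt \
--etcd-certfile=/etc/kubernetes/pki/etcd/server.crt \
--etcd-keyfile=/etc/kubernetes/pki/etcd/server.key \
--client-ca-file=/etc/kubernetes/pki/ca.crt \
--tls-cert-file=/etc/kubernetes/pki/apiserver.crt \
--tls-private-key-file=/etc/kubernetes/pki/apiserver.key \
--enable-admission-plugins=NodeRestriction \
--authorization-mode=Node,RBAC"
'''

def parse_kube_api_args(text):
    """Return {flag: value} from the KUBE_API_ARGS="..." assignment, joining
    backslash-newline continuations the way systemd's EnvironmentFile does."""
    match = re.search(r'KUBE_API_ARGS="(.*?)"', text, re.S)
    if not match:
        raise ValueError("KUBE_API_ARGS assignment not found")
    args = {}
    for token in shlex.split(match.group(1).replace("\\\n", " ")):
        if token.startswith("--"):
            flag, _, value = token[2:].partition("=")
            args[flag] = value
    return args

def audit_apiserver_args(args):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    modes = args.get("authorization-mode", "AlwaysAllow").split(",")
    if "AlwaysAllow" in modes or "RBAC" not in modes:
        findings.append("authorization-mode must include RBAC and exclude AlwaysAllow")
    plugins = args.get("enable-admission-plugins", "").split(",")
    if "Node" not in modes or "NodeRestriction" not in plugins:
        findings.append("Node authorizer and NodeRestriction admission should both be on")
    for flag in ("etcd-cafile", "etcd-certfile", "etcd-keyfile", "client-ca-file"):
        if not args.get(flag):
            findings.append(f"missing --{flag}: TLS peer authentication incomplete")
    if any(not s.startswith("https://") for s in args.get("etcd-servers", "").split(",")):
        findings.append("etcd-servers must all use https://")
    # kube-apiserver defaults --anonymous-auth to true, so an unset flag is a finding
    if args.get("anonymous-auth", "true") == "true":
        findings.append("anonymous-auth is enabled (default); set --anonymous-auth=false")
    if not args.get("audit-log-path"):
        findings.append("no --audit-log-path: cluster audit logging (section 10) is off")
    return findings
```

Run against the sample, the checker passes the authorization, admission and etcd TLS checks and reports only the two settings the guide's file does not set: anonymous authentication and audit logging.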
```sh
kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
```
7.2 Verify Network Status
```sh
kubectl get pods -n kube-system -l k8s-app=calico-node
kubectl get pods -n kube-system -l k8s-app=calico-kube-controllers
```
8. Cluster Verification and Testing
8.1 Verify Node Status
```sh
kubectl get nodes
kubectl get cs
```
8.2 Deploy a Test Application
```sh
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port=80 --type=NodePort
kubectl get svc nginx
```
9. Cluster Maintenance and Scaling
9.1 Add a New Node
- Complete the environment preparation on the new node
- Install the container runtime
- Install kubelet and kube-proxy
- Join the cluster
9.2 Certificate Rotation
```sh
# kubeadm only renews certificates it manages itself; certificates issued with
# cfssl in section 4 are re-issued by running cfssl gencert again
kubeadm certs renew all
```
10. Production Environment Recommendations
- Enable cluster audit logging
- Configure sensible resource quotas and limits
- Set up Pod security policies
- Back up etcd data regularly
- Monitor cluster health
In my own deployments I have found that, although a binary deployment involves many tedious steps, it gives a much deeper understanding of how each Kubernetes component works. When troubleshooting in particular, this deployment method provides a clearer path for investigation. I recommend validating thoroughly in a test environment before applying it to production.