tags: environment
- kube-node1:172.27.129.105
- kube-node2:172.27.129.111
- kube-node3:172.27.129.112
可以使用 vagrant 和 Vagrantfile 创建三台虚机:
$ cd vagrant
$ vagrant up本文档中的 etcd 集群、master 节点、worker 节点均使用这三台机器。
修改每台机器的 /etc/hosts 文件,添加主机名和 IP 的对应关系:
$ grep kube-node /etc/hosts
172.27.129.105 kube-node1 kube-node1
172.27.129.111 kube-node2 kube-node2
172.27.129.112 kube-node3 kube-node3在每台机器上添加 k8s 账户,可以无密码 sudo:
$ sudo useradd -m k8s
$ sudo visudo
$ sudo grep '%wheel.*NOPASSWD: ALL' /etc/sudoers
%wheel ALL=(ALL) NOPASSWD: ALL
$ sudo gpasswd -a k8s wheel在每台机器上添加 docker 账户,将 k8s 账户添加到 docker 组中,同时配置 dockerd 参数:
$ sudo useradd -m docker
$ sudo gpasswd -a k8s docker
$ sudo mkdir -p /etc/docker/
$ cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://hub-mirror.c.163.com", "https://docker.mirrors.ustc.edu.cn"],
"max-concurrent-downloads": 20
}如果没有特殊指明,本文档的所有操作均在 kube-node1 节点上执行,然后远程分发文件和执行命令。�
设置 kube-node1 可以无密码登录所有节点的 k8s 和 root 账户:
[k8s@kube-node1 k8s]$ ssh-keygen -t rsa
[k8s@kube-node1 k8s]$ ssh-copy-id root@kube-node1
[k8s@kube-node1 k8s]$ ssh-copy-id root@kube-node2
[k8s@kube-node1 k8s]$ ssh-copy-id root@kube-node3
[k8s@kube-node1 k8s]$ ssh-copy-id k8s@kube-node1
[k8s@kube-node1 k8s]$ ssh-copy-id k8s@kube-node2
[k8s@kube-node1 k8s]$ ssh-copy-id k8s@kube-node3在每台机器上添加环境变量:
$ sudo echo 'PATH=/opt/k8s/bin:$PATH:$HOME/bin:$JAVA_HOME/bin' >>/root/.bashrc
$ echo 'PATH=/opt/k8s/bin:$PATH:$HOME/bin:$JAVA_HOME/bin' >>~/.bashrc在每台机器上安装依赖包:
$ sudo yum install -y epel-release
$ sudo yum install -y vim go conntrack ipvsadm ipset jq sysstat curl iptables # ipvs 依赖 ipset在每台机器上关闭防火墙:
$ sudo systemctl stop firewalld
$ sudo systemctl disable firewalld
$ sudo iptables -F && sudo iptables -X && sudo iptables -F -t nat && sudo iptables -X -t nat
$ sudo sudo iptables -P FORWARD ACCEPT$ cat > kubernetes.conf <<EOF
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
EOF
$ sudo cp kubernetes.conf /etc/sysctl.d/kubernetes.conf
$ sudo sysctl -p /etc/sysctl.d/kubernetes.conf
$ sudo modprobe br_netfilter切换到 root 账号执行:
[root@kube-node1 ~]# for intf in /sys/devices/virtual/net/docker0/brif/*; do echo 1 > $intf/hairpin_mode; done在每台机器上创建目录:
$ sudo mkdir -p /opt/k8s/bin
$ sudo chown -R k8s /opt/k8s
$ sudo sudo mkdir -p /etc/kubernetes/cert
$ sudo chown -R k8s /etc/kubernetes
$ sudo mkdir -p /etc/etcd/cert
$ sudo chown -R k8s /etc/etcd/cert
$ sudo mkdir -p /var/lib/etcd && chown -R k8s /etc/etcd/cert后续的部署步骤将使用下面定义的全局环境变量,请根据自己的机器、网络情况修改:
#!/usr/bin/bash
# 生成 EncryptionConfig 所需的加密 key
ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
# 最好使用 当前未用的网段 来定义服务网段和 Pod 网段
# 服务网段,部署前路由不可达,部署后集群内使用IP:Port可达
SERVICE_CIDR="10.254.0.0/16"
# Pod 网段,必须是 /16 段地址,部署前路由不可达,**部署后**路由可达(flanneld保证)
CLUSTER_CIDR="172.30.0.0/16"
# 服务端口范围 (NodePort Range)
export NODE_PORT_RANGE="8400-9000"
# 集群各机器 IP 数组
export NODE_IPS=(172.27.129.105 172.27.129.111 172.27.129.112)
# 集群各 IP 对应的 主机名数组
export NODE_NAMES=(kube-node1 kube-node2 kube-node3)
# kube-apiserver 节点 IP
export MASTER_NODE=172.27.129.105
# kube-apiserver https 地址
export KUBE_APISERVER="https://${172.27.129.105}:6443"
# etcd 集群服务地址列表
export ETCD_ENDPOINTS="https://172.27.129.105:2379,https://172.27.129.111:2379,https://172.27.129.112:2379"
# etcd 集群间通信的 IP 和端口
export ETCD_NODES="kube-node1=https://172.27.129.105:2380,kube-node2=https://172.27.129.111:2380,kube-node3=https://172.27.129.112:2380"
# flanneld 网络配置前缀
export FLANNEL_ETCD_PREFIX="/kubernetes/network"
# kubernetes 服务 IP (一般是 SERVICE_CIDR 中第一个IP)
export CLUSTER_KUBERNETES_SVC_IP="10.254.0.1"
# 集群 DNS 服务 IP (从 SERVICE_CIDR 中预分配)
export CLUSTER_DNS_SVC_IP="10.254.0.2"
# 集群 DNS 域名
export CLUSTER_DNS_DOMAIN="cluster.local."
# 将二进制目录 /opt/k8s/bin 加到 PATH 中
export PATH=/opt/k8s/bin:$PATH- 打包后的变量定义见 environment.sh,后续部署时会提示导入该脚本;
把全局变量定义脚本拷贝到所有节点的 /opt/k8s/bin 目录:
source environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
scp environment.sh k8s@${node_ip}:/opt/k8s/bin/
ssh k8s@${node_ip} "chmod +x /opt/k8s/bin/*"
done