# Kubernetes v1.30 Cluster Installation
[TOC]
# 1. Kubernetes Installation Environment
We use kubeadm to build a single-master, multi-node cluster. Once the common Kubernetes resources are familiar, the single-master cluster will be extended to a multi-master one.
# 1.1 Address Plan
| IP address | Hostname | OS version | Kernel version | CPU | Memory |
|---|---|---|---|---|---|
| 10.0.0.201 | master01.oldxu.net | RockyLinux 9.x | 5.14.0-427.16.1.el9_4.x86_64 | 2 cores | 4 GB |
| 10.0.0.204 | node01.oldxu.net | RockyLinux 9.x | 5.14.0-427.16.1.el9_4.x86_64 | 4 cores | 16 GB |
| 10.0.0.205 | node02.oldxu.net | RockyLinux 9.x | 5.14.0-427.16.1.el9_4.x86_64 | 4 cores | 16 GB |
| 10.0.0.206 | node03.oldxu.net | RockyLinux 9.x | 5.14.0-427.16.1.el9_4.x86_64 | 4 cores | 16 GB |
# 1.2 Version Selection
This page installs Kubernetes v1.30.0 on Rocky Linux 9.4. The nodes are first brought up with Docker Engine plus cri-dockerd (section 3) and later switched to containerd 1.6.31 (section 6), which is the runtime the cluster ends up on.
# 1.3 YUM Repositories
1. Point the base repositories at the Aliyun mirror (for hosts in China). The repo files keep gpgcheck=1 with the locally installed Rocky signing key, so switching the mirror does not weaken package verification:
```bash
sed -e 's|^mirrorlist=|#mirrorlist=|g' \
    -e 's|^#baseurl=http://dl.rockylinux.org/$contentdir|baseurl=https://mirrors.aliyun.com/rockylinux|g' \
    -i /etc/yum.repos.d/rocky*.repo
```
2. Install the EPEL repository and point it at the same mirror:
```bash
yum install epel-release -y
sed -i '/^metalink=/ s/^/#/; /#metalink=/a baseurl=https://mirrors.aliyun.com/epel/$releasever/Everything/$basearch/' /etc/yum.repos.d/epel.repo
```
# 2. Environment Preparation (run on all nodes)
# 2.1 Hostname Resolution
Add the name resolution entries on every node. For now vip.oldxu.net resolves to master01; when the control plane is later made highly available, change this entry to the load balancer address:
```bash
echo "10.0.0.201 master01 master01.oldxu.net vip.oldxu.net" >> /etc/hosts
echo "10.0.0.202 master02 master02.oldxu.net" >> /etc/hosts
echo "10.0.0.203 master03 master03.oldxu.net" >> /etc/hosts
echo "10.0.0.204 node01 node01.oldxu.net" >> /etc/hosts
echo "10.0.0.205 node02 node02.oldxu.net" >> /etc/hosts
echo "10.0.0.206 node03 node03.oldxu.net" >> /etc/hosts
```
# 2.2 Disable the Firewall
Put SELinux into permissive mode and stop firewalld, on all nodes. Note that `setenforce 0` only lasts until the next reboot; to make it persistent also set `SELINUX=permissive` in /etc/selinux/config, as the upstream kubeadm instructions do. Stopping firewalld leaves the API server (6443), etcd (2379-2380) and every kubelet (10250) reachable from any host on the network, so only do this on an isolated lab network; in any other environment keep firewalld and open just the ports the node needs.
```bash
systemctl stop firewalld && systemctl disable firewalld
setenforce 0
```
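The alternative to stopping firewalld outright, as an added example that is not part of the original page: open only the ports a node of a given role needs. The port numbers are the kubeadm defaults from the upstream "Ports and Protocols" reference, 8472/udp is flannel's VXLAN backend used later on this page, and the trusted CIDRs are the Pod and Service ranges used in the `kubeadm init` below. The `firewall-cmd` invocations are only printed unless `DRY_RUN=0` is set, so the script can be reviewed before it touches a host.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Per-role firewall rules for a
# kubeadm cluster instead of disabling firewalld. Assumes firewalld is the
# host firewall and the CIDRs match the kubeadm init on this page.

# Print one "port/proto" spec per line for a node role.
k8s_ports() {
    case "$1" in
        control-plane)
            # API server, etcd client+peer, kubelet, controller-manager,
            # scheduler, flannel VXLAN
            printf '%s\n' 6443/tcp 2379-2380/tcp 10250/tcp 10257/tcp 10259/tcp 8472/udp
            ;;
        worker)
            # kubelet, kube-proxy health, NodePort range, flannel VXLAN
            printf '%s\n' 10250/tcp 10256/tcp 30000-32767/tcp 8472/udp
            ;;
        *)
            echo "unknown role: $1 (expected control-plane or worker)" >&2
            return 1
            ;;
    esac
}

# Emit (DRY_RUN=1, the default) or run (DRY_RUN=0) the firewall-cmd lines
# for a role. Pod and Service traffic is placed in the trusted zone rather
# than opening everything.
open_k8s_ports() {
    role="$1"
    DRY_RUN="${DRY_RUN:-1}"
    k8s_ports "$role" | while read -r spec; do
        cmd="firewall-cmd --permanent --add-port=$spec"
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
    done || return 1
    for cidr in 192.168.0.0/16 10.96.0.0/16; do
        cmd="firewall-cmd --permanent --zone=trusted --add-source=$cidr"
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
    done
    [ "$DRY_RUN" = 1 ] || firewall-cmd --reload
}
```

Run `open_k8s_ports control-plane` on the master and `open_k8s_ports worker` on each node, review the output, then rerun with `DRY_RUN=0`. Anything not in these lists (for example an ingress controller's host ports) is added the same way.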
# 2.3 Disable Swap
The kubelet refuses to start while swap is active, so disable it now and in /etc/fstab, on all nodes:
```bash
sed -ri 's@(.*swap.*)@#\1@g' /etc/fstab
swapoff -a
```
# 2.4 Kernel Parameters
1. Load the overlay and br_netfilter modules (needed for IPv4 forwarding and for iptables to see bridged traffic), and register them so they load at boot. Run on all nodes:
```bash
cat > /etc/modules-load.d/k8s.conf <<EOF
overlay
br_netfilter
EOF
modprobe overlay
modprobe br_netfilter
```
2. Create /etc/sysctl.d/k8s.conf with the following content. Comments must sit on their own line; sysctl does not accept a trailing comment after a value:
```bash
cat > /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness = 0
# 0 keeps the kernel's default heuristic overcommit
vm.overcommit_memory = 0
EOF
sysctl -p /etc/sysctl.d/k8s.conf
```
# 2.5 Install IPVS
1. Install ipset and the ipvsadm tool, used to inspect the IPVS proxy rules. Run on all nodes:
```bash
yum install ipset ipvsadm -y
```
2. Create a script that loads the IPVS kernel modules with modprobe:
```bash
mkdir /etc/sysconfig/modules -p
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack
EOF
```
3. Make the script executable, run it, and confirm the modules are loaded. Note that on EL9 nothing executes /etc/sysconfig/modules/*.modules at boot; to have the modules load persistently, list them in a file under /etc/modules-load.d/ as was done for overlay and br_netfilter above (kube-proxy also tries to load them itself when it starts in ipvs mode):
```bash
chmod 755 /etc/sysconfig/modules/ipvs.modules
bash /etc/sysconfig/modules/ipvs.modules
# check that the modules are loaded
lsmod | grep -e ip_vs -e nf_conntrack
```
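A preflight check for everything configured in sections 2.3 to 2.5, as an added example that is not part of the original page. It reads the live `/proc` tree by default; the `SYSROOT` variable (an assumption of this example) lets it be pointed at another root, which is how it is tested against a constructed tree. Run it on every node before `kubeadm init` or `kubeadm join`; kubeadm's own preflight catches some of these, but not the IPVS modules.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: verify the node prerequisites
# from sections 2.3 to 2.5 (modules, sysctls, swap). SYSROOT defaults to
# the live system and can point at a test tree.
SYSROOT="${SYSROOT:-}"

# read_sysctl net.ipv4.ip_forward -> prints the current value (empty if absent)
read_sysctl() {
    path="$SYSROOT/proc/sys/$(echo "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# check one sysctl against the expected value; returns 1 on mismatch
check_sysctl() {
    actual="$(read_sysctl "$1")"
    if [ "$actual" = "$2" ]; then
        echo "ok   $1 = $actual"
    else
        echo "FAIL $1 = '${actual:-unset}' (want $2)"
        return 1
    fi
}

# a module is loaded when it appears as the first field in /proc/modules
check_module() {
    if grep -q "^$1 " "$SYSROOT/proc/modules" 2>/dev/null; then
        echo "ok   module $1 loaded"
    else
        echo "FAIL module $1 not loaded"
        return 1
    fi
}

# /proc/swaps contains only its header line when no swap is active
check_no_swap() {
    if [ "$(wc -l < "$SYSROOT/proc/swaps")" -le 1 ]; then
        echo "ok   swap disabled"
    else
        echo "FAIL swap still active:"
        tail -n +2 "$SYSROOT/proc/swaps"
        return 1
    fi
}

# Run every check; the return value is the number of failed checks.
preflight() {
    failed=0
    for m in overlay br_netfilter ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack; do
        check_module "$m" || failed=$((failed + 1))
    done
    check_sysctl net.ipv4.ip_forward 1 || failed=$((failed + 1))
    check_sysctl net.bridge.bridge-nf-call-iptables 1 || failed=$((failed + 1))
    check_sysctl net.bridge.bridge-nf-call-ip6tables 1 || failed=$((failed + 1))
    check_no_swap || failed=$((failed + 1))
    echo "$failed check(s) failed"
    return "$failed"
}
```

`preflight` exits non-zero when anything is missing, so it can gate an automation step; the individual checks are reusable, for example `check_sysctl net.ipv4.ip_forward 1` after a kernel update.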
# 2.6 Time Synchronization
1. Install and enable chrony (run a single NTP daemon; do not install ntpsec alongside it):
```bash
yum install chrony -y
systemctl enable chronyd --now
```
2. Verify that the clock is synchronized against its sources. Certificate validation inside the cluster depends on the nodes agreeing on the time:
```bash
chronyc sources
```
# 3. Install the Cluster Components
Install Docker, cri-dockerd, kubelet, kubectl and kubeadm on all nodes.
# 3.1 Install Docker
1. Configure the Docker yum repository (fetch it over HTTPS; the repo file it installs keeps gpgcheck=1):
```bash
yum install -y yum-utils
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
```
2. Install Docker and configure a registry mirror. The mirror URL below is the author's personal accelerator; substitute your own. The systemd cgroup driver must match the kubelet's cgroupDriver, which is systemd throughout this page:
```bash
yum install docker-ce -y
tee /etc/docker/daemon.json <<-EOF
{
  "registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
  "exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
systemctl daemon-reload && systemctl enable docker --now
```
# 3.2 Install cri-dockerd
1. Download and install cri-dockerd. The second URL goes through a third-party GitHub proxy; a binary obtained that way should be compared against the upstream release (checksum or re-download from github.com) before it is installed, because it will run as root on every node:
```bash
[root@master01 ~]# wget https://github.com/Mirantis/cri-dockerd/releases/download/v0.3.14/cri-dockerd-0.3.14.amd64.tgz
# mirror
[root@master01 ~]# wget https://mirror.ghproxy.com/https://github.com/Mirantis/cri-dockerd/releases/download/v0.3.14/cri-dockerd-0.3.14.amd64.tgz
[root@master01 ~]# tar xf cri-dockerd-0.3.14.amd64.tgz
[root@master01 ~]# mv cri-dockerd/cri-dockerd /usr/local/bin/
```
2. Create the systemd unit /usr/lib/systemd/system/cri-dockerd.service with the following content. The pause image must be the one kubeadm expects for this release (3.9 for v1.30), pulled from the same mirror used for the control-plane images:
```ini
[Unit]
Description=CRI Interface for Docker Application Container Engine
Documentation=https://docs.mirantis.com
After=network-online.target firewalld.service docker.service
Wants=network-online.target
[Service]
Type=notify
ExecStart=/usr/local/bin/cri-dockerd --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
```
3. Start cri-dockerd and enable it at boot (without enabling it the kubelet has no runtime after a reboot). If it fails to start, check that the docker service is running:
```bash
[root@master01 ~]# systemctl daemon-reload
[root@master01 ~]# systemctl enable cri-dockerd --now
```
# 3.3 Install the Cluster Tools
1. Configure the Aliyun mirror of the Kubernetes package repository. The new (pkgs.k8s.io style) repositories are split per minor version, so the URL names v1.30. gpgcheck stays enabled and the key is fetched over HTTPS. Upstream also recommends adding `exclude=kubelet kubeadm kubectl cri-tools kubernetes-cni` to this file so that a routine `yum update` cannot upgrade the cluster components unintentionally:
```bash
cat <<EOF | tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.30/rpm/
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.30/rpm/repodata/repomd.xml.key
EOF
```
2. Install kubeadm, kubelet and kubectl on every node:
- kubeadm: bootstraps the cluster
- kubelet: runs on every node and starts Pods and containers
- kubectl: the command-line client for talking to the cluster
```bash
yum install kubelet-1.30.0 kubeadm-1.30.0 kubectl-1.30.0 -y
# check the installed version
kubeadm version
```
3. Start the kubelet and enable it at boot (it will crash-loop until kubeadm has configured it; that is expected):
```bash
systemctl enable kubelet --now
```
# 4. Cluster Initialization
# 4.1 Download the Container Images
1. List the images the cluster needs for this version:
```bash
[root@master01 ~]# kubeadm config images list --kubernetes-version v1.30.0
registry.k8s.io/kube-apiserver:v1.30.0
registry.k8s.io/kube-controller-manager:v1.30.0
registry.k8s.io/kube-scheduler:v1.30.0
registry.k8s.io/kube-proxy:v1.30.0
registry.k8s.io/coredns/coredns:v1.11.1
registry.k8s.io/pause:3.9
registry.k8s.io/etcd:3.5.12-0
```
2. registry.k8s.io is not reachable from every network, so the images are taken from the Aliyun mirror instead. The mirror re-hosts copies of the upstream images; you are trusting the mirror operator for the control-plane binaries:
```bash
[root@master01 ~]# kubeadm config images list \
    --image-repository registry.aliyuncs.com/google_containers \
    --kubernetes-version v1.30.0
registry.aliyuncs.com/google_containers/kube-apiserver:v1.30.0
registry.aliyuncs.com/google_containers/kube-controller-manager:v1.30.0
registry.aliyuncs.com/google_containers/kube-scheduler:v1.30.0
registry.aliyuncs.com/google_containers/kube-proxy:v1.30.0
registry.aliyuncs.com/google_containers/coredns:v1.11.1
registry.aliyuncs.com/google_containers/pause:3.9
registry.aliyuncs.com/google_containers/etcd:3.5.12-0
```
3. Pull the images with `kubeadm config images pull`. Without `--cri-socket` kubeadm uses the containerd socket; on this page the runtime is cri-dockerd at this point, so the second form is the one to use:
```bash
# containerd
[root@master01 ~]# kubeadm config images pull \
    --image-repository registry.aliyuncs.com/google_containers \
    --kubernetes-version v1.30.0
# cri-dockerd
[root@master01 ~]# kubeadm config images pull \
    --image-repository registry.aliyuncs.com/google_containers \
    --kubernetes-version v1.30.0 \
    --cri-socket=unix:///var/run/cri-dockerd.sock
# the images reported as pulled
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-apiserver:v1.30.0
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-controller-manager:v1.30.0
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-scheduler:v1.30.0
[config/images] Pulled registry.aliyuncs.com/google_containers/kube-proxy:v1.30.0
[config/images] Pulled registry.aliyuncs.com/google_containers/coredns:v1.11.1
[config/images] Pulled registry.aliyuncs.com/google_containers/pause:3.9
[config/images] Pulled registry.aliyuncs.com/google_containers/etcd:3.5.12-0
```
# 4.2 Initialize the Master
Method 1: command-line flags
1. Run `kubeadm init` with the parameters for this cluster:
```bash
[root@master01 ~]# kubeadm init \
    --apiserver-advertise-address="10.0.0.201" \
    --control-plane-endpoint="vip.oldxu.net" \
    --image-repository registry.aliyuncs.com/google_containers \
    --kubernetes-version v1.30.0 \
    --service-cidr=10.96.0.0/16 \
    --pod-network-cidr=192.168.0.0/16 \
    --cri-socket=unix:///var/run/cri-dockerd.sock
```
- `--apiserver-advertise-address`: the address the API server advertises; use this node's own IP
- `--control-plane-endpoint`: the shared endpoint (DNS name of the load balancer) for a multi-master control plane. Setting it now is what later allows more masters to be added, because the name is baked into the API server certificate's SANs
- `--image-repository`: the image registry, identical to the one used when pre-pulling the images
- `--kubernetes-version`: the Kubernetes version
- `--service-cidr`: the Service network (virtual IPs for in-cluster load balancing)
- `--pod-network-cidr`: the Pod network; the CNI plugin installed later must be configured with the same range
- `--cri-socket`: the container runtime socket. kubeadm auto-detects it when exactly one known socket is present (for containerd: unix:///run/containerd/containerd.sock); with cri-dockerd, or when several runtimes are installed on the host, it has to be given explicitly
2. Copy the kubeconfig. admin.conf carries a cluster-admin client certificate, so keep the copy readable by your user only:
```bash
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
```
Method 2: configuration file
1. Export the default configuration, edit it, and pass it to `kubeadm init`. Compared with the raw output of `print init-defaults`, the file below fixes the node name and runtime socket for this host, uses the current control-plane taint key (node-role.kubernetes.io/master was removed in v1.25), places controlPlaneEndpoint at the top level of ClusterConfiguration where v1beta3 expects it, and adds a KubeProxyConfiguration for ipvs mode. The bootstrap token is the well-known placeholder; replace it with the output of `kubeadm token generate`, otherwise anyone who knows the default can join a node during its 24 h lifetime:
```bash
[root@master01 ~]# kubeadm config print init-defaults --component-configs KubeletConfiguration > kubeadm.yml
[root@master01 ~]# kubeadm init --config kubeadm.yml
# the edited configuration
[root@master01 ~]# cat kubeadm.yml
```
```yaml
apiVersion: kubeadm.k8s.io/v1beta3
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef   # placeholder: replace with `kubeadm token generate` output
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 10.0.0.201     # internal IP of this master
  bindPort: 6443
nodeRegistration:
  criSocket: unix:///run/cri-dockerd.sock   # runtime socket (unix:///run/containerd/containerd.sock for containerd)
  imagePullPolicy: IfNotPresent
  name: master01.oldxu.net         # must match this node's hostname
  taints:                          # keep ordinary workloads off the control plane
  - effect: "NoSchedule"
    key: "node-role.kubernetes.io/control-plane"
---
# added so that kube-proxy runs in ipvs mode
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: "vip.oldxu.net:6443"   # control-plane endpoint (top-level field, not under apiServer)
controllerManager: {}
dns: {}
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers   # image mirror
kind: ClusterConfiguration
kubernetesVersion: 1.30.0        # Kubernetes version
networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/16    # Service CIDR, the same value as --service-cidr in method 1
  podSubnet: 192.168.0.0/16      # Pod CIDR
scheduler: {}
---
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false               # no anonymous access to the kubelet API
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook                  # kubelet API requests are authorized by the API server (SubjectAccessReview)
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
logging: {}
memorySwap: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
rotateCertificates: true         # kubelet client certificates are rotated automatically
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s
```
# 4.3 Join the Nodes
The join line printed by `kubeadm init` carries two secrets: the bootstrap token, which authenticates the node to the API server for the next 24 hours, and the discovery hash, a SHA-256 over the cluster CA's public key. The hash is what lets the node verify it is talking to the right control plane; without it (or with `--discovery-token-unsafe-skip-ca-verification`) the node would accept any API server answering at vip.oldxu.net.
1. Join a node (cri-dockerd):
```bash
[root@node1 ~]# kubeadm join vip.oldxu.net:6443 \
    --token hul17z.rrey39l7o7al9ooj \
    --discovery-token-ca-cert-hash sha256:19a8daea0bc5ee2008b2f0a1e88f84fec60f1345c7d79afd10d52d6a549aae4a \
    --cri-socket="unix:///run/cri-dockerd.sock"
```
2. Join a node (containerd):
```bash
[root@node2 ~]# kubeadm join vip.oldxu.net:6443 \
    --token hul17z.rrey39l7o7al9ooj \
    --discovery-token-ca-cert-hash sha256:19a8daea0bc5ee2008b2f0a1e88f84fec60f1345c7d79afd10d52d6a549aae4a
```
3. If the token is lost or has expired, create a new one on the master. Treat the printed line as a credential: `kubeadm token list` shows the tokens that are still valid and `kubeadm token delete <token>` revokes one that is no longer needed:
```bash
[root@master01 ~]# kubeadm token create --print-join-command
```
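The two secrets in the join line, produced and checked by hand, as an added example that is not part of the original page. `gen_token` makes a token in kubeadm's `[a-z0-9]{6}.[a-z0-9]{16}` format for the `bootstrapTokens` entry of the method 2 configuration above (replacing the init-defaults placeholder), `validate_token` rejects both malformed tokens and that placeholder, and `ca_cert_hash` computes the discovery hash the same way the kubeadm documentation does: SHA-256 over the DER-encoded SubjectPublicKeyInfo of the CA certificate. The function names and the `openssl` dependency are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: bootstrap tokens and the
# discovery-token CA hash used by kubeadm join. Requires openssl for the
# hash; the token generator only needs /dev/urandom.

TOKEN_RE='^[a-z0-9]{6}\.[a-z0-9]{16}$'
DEFAULT_TOKEN='abcdef.0123456789abcdef'   # placeholder printed by `kubeadm config print init-defaults`

# Generate a token in kubeadm's format from the kernel RNG.
gen_token() {
    a="$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 6)"
    b="$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 16)"
    printf '%s.%s\n' "$a" "$b"
}

# 0 when the token is well-formed and not the well-known default;
# 1 for a bad format, 2 for the placeholder.
validate_token() {
    echo "$1" | grep -Eq "$TOKEN_RE" || return 1
    [ "$1" != "$DEFAULT_TOKEN" ] || return 2
}

# Print "sha256:<hex>" for a PEM CA certificate, e.g. /etc/kubernetes/pki/ca.crt.
# Only the public key is hashed, so the value is stable across CA re-signing
# with the same key and differs for any other CA.
ca_cert_hash() {
    h="$(openssl x509 -pubkey -noout -in "$1" \
        | openssl pkey -pubin -outform der 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')"
    [ -n "$h" ] || return 1
    printf 'sha256:%s\n' "$h"
}

# Assemble a join line from endpoint, token and hash.
join_command() {
    printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash %s\n' "$1" "$2" "$3"
}

# Typical use on the master:
#   join_command vip.oldxu.net:6443 "$(gen_token)" "$(ca_cert_hash /etc/kubernetes/pki/ca.crt)"
# (the token must also be registered with `kubeadm token create <token>` before a node can use it)
```

`ca_cert_hash /etc/kubernetes/pki/ca.crt` on the master should print the same value that appears in the join command; if it does not, the node is being pointed at a different CA than the one the control plane uses.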
# 4.4 Check the Nodes
1. List the nodes that have joined. NotReady is expected until a network plugin is installed in 4.5:
```
[root@master01 ~]# kubectl get nodes
NAME                 STATUS     ROLES           AGE   VERSION
master01.oldxu.net   NotReady   control-plane   32m   v1.30.0
node01.oldxu.net     NotReady   <none>          35s   v1.30.0
node02.oldxu.net     NotReady   <none>          26s   v1.30.0
```
2. Show node details, including the operating system and the container runtime in use:
```
[root@master01 ~]# kubectl get nodes -o wide
NAME                 STATUS     ROLES           AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                      KERNEL-VERSION                 CONTAINER-RUNTIME
master01.oldxu.net   NotReady   control-plane   33m   v1.30.0   10.0.0.201    <none>        Rocky Linux 9.4 (Blue Onyx)   5.14.0-427.16.1.el9_4.x86_64   docker://26.1.3
node01.oldxu.net     NotReady   <none>          68s   v1.30.0   10.0.0.204    <none>        Rocky Linux 9.4 (Blue Onyx)   5.14.0-427.16.1.el9_4.x86_64   docker://26.1.3
node02.oldxu.net     NotReady   <none>          59s   v1.30.0   10.0.0.205    <none>        Rocky Linux 9.4 (Blue Onyx)   5.14.0-427.16.1.el9_4.x86_64   docker://26.1.3
```
# 4.5 Install the Network Plugin
Pods cannot communicate until a Pod network add-on is installed. Several network plugins are available from the Kubernetes add-ons list; this page uses flannel.
1. Download the manifest:
```bash
[root@master01 ~]# wget https://github.com/flannel-io/flannel/releases/download/v0.25.1/kube-flannel.yml
```
2. Optionally point the image references at a mirror. The page uses a personal mirror on UCloud; a third-party mirror becomes part of your supply chain, so either confirm that the image digests match the upstream docker.io/flannel images or skip this step if the nodes can reach Docker Hub.
- mirror: uhub.service.ucloud.cn/oldxu/flannel:v0.25.1
- mirror: uhub.service.ucloud.cn/oldxu/flannel-cni-plugin:v1.4.0-flannel1
3. Change the Pod address range flannel hands out so that it matches the `--pod-network-cidr` used at init (the manifest ships with 10.244.0.0/16):
```bash
[root@master ~]# sed -i 's#10.244.0.0/16#192.168.0.0/16#g' kube-flannel.yml
```
The relevant parts of the manifest afterwards:
```yaml
      containers:
      - args:
        - --ip-masq
        - --kube-subnet-mgr
        - --iface=eth0      # optional: pin flannel to a specific interface
  net-conf.json: |
    {
      "Network": "192.168.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
```
4. Apply the manifest:
```bash
[root@master ~]# kubectl apply -f kube-flannel.yml
```
5. Check that the flannel Pods are running on every node:
```
[root@master01 ~]# kubectl get pod -n kube-flannel -o wide
NAME                    READY   STATUS    RESTARTS   AGE   IP           NODE                 NOMINATED NODE   READINESS GATES
kube-flannel-ds-7lgmr   1/1     Running   0          27m   10.0.0.201   master01.oldxu.net   <none>           <none>
kube-flannel-ds-86xdk   1/1     Running   0          27m   10.0.0.205   node02.oldxu.net     <none>           <none>
kube-flannel-ds-z7znz   1/1     Running   0          27m   10.0.0.204   node01.oldxu.net     <none>           <none>
```
6. Check the nodes again; they should now be Ready:
```
[root@master01 ~]# kubectl get nodes
NAME                 STATUS   ROLES           AGE   VERSION
master01.oldxu.net   Ready    control-plane   64m   v1.30.0
node01.oldxu.net     Ready    <none>          32m   v1.30.0
node02.oldxu.net     Ready    <none>          32m   v1.30.0
```
# 4.6 Command Completion
```bash
# https://kubernetes.io/zh/docs/tasks/tools/included/optional-kubectl-configs-bash-linux/
[root@master ~]# yum install bash-completion -y
[root@master ~]# echo 'source <(kubectl completion bash)' >>~/.bashrc
```
# 5. Cluster Smoke Tests
# 5.1 Check the Pods Running on the Nodes
```bash
[root@master01 ~]# kubectl get pod -n kube-system
[root@master01 ~]# kubectl get pod -n kube-flannel
```
# 5.2 Create a Resource
```bash
[root@master01 ~]# kubectl create deployment nginx --image=nginx:1.20 --replicas=3
[root@master01 ~]# kubectl expose deployment nginx --port=80 --target-port=80 --type=NodePort
```
# 5.3 Check IP Connectivity
```bash
# Pod IPs on each node
[root@master01 ~]# kubectl get pods -o wide
# from every node, ping a Pod IP
[root@master01 ~]# ping <pod-ip>
# Service reachability
[root@master01 ~]# kubectl get svc
# from every node, request the ClusterIP; from outside, <node-ip>:<nodeport>
[root@master01 ~]# curl <service-ip>:<port>
```
# 5.4 Check DNS
The Deployment's Pods are named nginx-<hash>, so exec into it by Deployment name. The nginx:1.20 image ships neither curl nor wget; `getent` (from glibc) is enough to test resolution:
```bash
# open a shell in one of the nginx Pods
[root@master01 ~]# kubectl exec -it deploy/nginx -- sh
# DNS configuration injected by the kubelet (nameserver 10.96.0.10, search default.svc.cluster.local ...)
/ # cat /etc/resolv.conf
# check that the Service name resolves, short and fully qualified
/ # getent hosts nginx
/ # getent hosts nginx.default.svc.cluster.local
```
# 5.5 Check Log Collection
```bash
[root@master01 ~]# kubectl get pods
[root@master01 ~]# kubectl logs <pod-name>
```
# 5.6 Resetting a Broken Cluster
If the installation went wrong, reset the node with the following steps:
- 1. reset the cluster state with kubeadm
- 2. remove the CNI network interfaces
- 3. delete the CNI state, flush the iptables and ipvs rules, delete the kubelet data and the static Pod manifests
- 4. restart containerd (or docker and cri-dockerd) and the kubelet
Two caveats: `iptables -F` also removes any host firewall rules that were present, and `kubeadm reset` needs `--cri-socket` when more than one runtime socket exists on the host (for example both cri-dockerd and containerd after section 6). `ifconfig` is not installed on Rocky 9 by default, so the interfaces are removed with `ip link`:
```bash
[root@master ~]# kubeadm reset
[root@master ~]# ipvsadm --clear
[root@master ~]# iptables -F && iptables -t nat -F
[root@master ~]# ip link set flannel.1 down && ip link delete flannel.1
[root@master ~]# ip link set cni0 down && ip link delete cni0
[root@master ~]# rm -rf /var/lib/cni/ /etc/cni/net.d/ /run/flannel/
[root@master ~]# rm -rf /etc/kubernetes/ ~/.kube/ /var/lib/kubelet/
[root@master ~]# systemctl restart containerd kubelet
```
# 6. Switching the Container Runtime to containerd
Change each node's container runtime from Docker Engine (via cri-dockerd) to containerd, following the upstream "Changing the Container Runtime on a Node from Docker Engine to containerd" procedure.
# 6.1 Drain the Node and Stop Docker
1. Evict the Pods from the node and mark it unschedulable (shown for master; repeat for each worker in turn). Add `--delete-emptydir-data` if the drain refuses Pods that use emptyDir volumes:
```bash
[root@master01 ~]# kubectl drain <nodename> --ignore-daemonsets
```
2. Stop the kubelet, cri-dockerd and Docker (socket and service; stopping only docker.socket leaves dockerd running), and disable them so they do not return on reboot:
```bash
[root@master01 ~]# systemctl stop kubelet cri-dockerd docker.socket docker
[root@master01 ~]# systemctl disable docker.socket docker cri-dockerd
```
# 6.2 Install containerd
1. Install containerd 1.6 or newer. The containerd.io package comes from the Docker CE repository configured in 3.1 and is normally already present as a docker-ce dependency:
```bash
[root@master01 ~]# yum install containerd.io -y
```
2. Generate the default configuration. This step matters: the config.toml shipped by the containerd.io package disables the CRI plugin, so the kubelet cannot use it as shipped:
```bash
[root@master01 ~]# containerd config default > /etc/containerd/config.toml
```
3. Edit the configuration: pin the sandbox (pause) image to the same mirror used for the control-plane images, and switch runc to the systemd cgroup driver so it matches the kubelet's cgroupDriver: systemd (with mismatched drivers Pods start and are later killed under memory pressure accounting):
```bash
[root@master01 ~]# vim /etc/containerd/config.toml
```
```toml
[plugins]
  ...
  [plugins."io.containerd.grpc.v1.cri"]
    ...
    # pause image from the mirror
    sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.9"
    ...
    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
      ...
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
        ...
        # systemd cgroup driver
        SystemdCgroup = true
```
4. Start containerd and enable it at boot:
```bash
[root@master ~]# systemctl daemon-reload
[root@master ~]# systemctl enable containerd --now
```
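The same two edits applied with `sed` and then verified, as an added example that is not part of the original page, so the change is repeatable across all nodes instead of being made by hand in vim on each one. It assumes a config.toml produced by `containerd config default` from containerd 1.6 (the key names and section headers below are the ones that version emits); the file path is a parameter so the functions can be run against a copy first.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: apply and verify the
# config.toml changes from step 3 on a containerd 1.6 default config.
PAUSE_IMAGE="registry.aliyuncs.com/google_containers/pause:3.9"

# Rewrite sandbox_image and SystemdCgroup in place; safe to run repeatedly.
configure_containerd() {
    cfg="$1"
    # pin the sandbox (pause) image to the mirror used for the rest of the cluster
    sed -i "s|^\([[:space:]]*sandbox_image[[:space:]]*=[[:space:]]*\).*|\1\"$PAUSE_IMAGE\"|" "$cfg"
    # set SystemdCgroup only inside the runc options table, not anywhere else
    sed -i '/\.runtimes\.runc\.options]/,/^[[:space:]]*\[/ s/^\([[:space:]]*SystemdCgroup[[:space:]]*=[[:space:]]*\).*/\1true/' "$cfg"
}

# 0 only when both settings are present with the expected values.
verify_containerd_config() {
    grep -Eq "^[[:space:]]*sandbox_image[[:space:]]*=[[:space:]]*\"$PAUSE_IMAGE\"" "$1" || return 1
    grep -Eq '^[[:space:]]*SystemdCgroup[[:space:]]*=[[:space:]]*true' "$1" || return 1
}

# Typical use on a node, after `containerd config default > /etc/containerd/config.toml`:
#   configure_containerd /etc/containerd/config.toml
#   verify_containerd_config /etc/containerd/config.toml && systemctl restart containerd
```

Running `verify_containerd_config` before restarting containerd turns a silent cgroup-driver mismatch into a failed step, which is easier to diagnose than Pods that die hours later.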
# 6.3 Install nerdctl
1. Download nerdctl. As with cri-dockerd, a binary fetched through the GitHub proxy should be checked against the upstream release before it is installed:
```bash
[root@master01 ~]# wget https://github.com/containerd/nerdctl/releases/download/v1.7.6/nerdctl-full-1.7.6-linux-amd64.tar.gz
# mirror
[root@master01 ~]# wget https://mirror.ghproxy.com/https://github.com/containerd/nerdctl/releases/download/v1.7.6/nerdctl-full-1.7.6-linux-amd64.tar.gz
```
2. Unpack the archive and copy the nerdctl binary into place:
```bash
[root@master01 ~]# tar xf nerdctl-full-1.7.6-linux-amd64.tar.gz
[root@master01 ~]# cp bin/nerdctl /usr/local/bin/
```
3. Add nerdctl shell completion:
```bash
[root@master01 ~]# echo 'source <(nerdctl completion bash)' >> /etc/profile
[root@master01 ~]# source /etc/profile
```
# 6.4 Install buildkitd
nerdctl relies on buildkitd to build images, so copy the binaries and the service unit from the same archive.
1. Copy buildctl, buildkitd and the buildkit.service unit:
```bash
[root@master01 ~]# cp bin/buildctl bin/buildkitd /usr/local/bin/
[root@master01 ~]# cp lib/systemd/system/buildkit.service /usr/lib/systemd/system/
```
2. Start the buildkit service:
```bash
[root@master01 ~]# systemctl daemon-reload
[root@master01 ~]# systemctl enable buildkit --now
```
# 6.5 Configure the kubelet
1. Point the kubelet at containerd by editing /var/lib/kubelet/kubeadm-flags.env and changing the runtime endpoint to `--container-runtime-endpoint=unix:///run/containerd/containerd.sock`. The example also adds `--max-pods=200`, the maximum number of Pods the node may run (the default is 110); flannel gives each node a /24 from the Pod CIDR, so 200 still fits:
```bash
# before
[root@node01 ~]# cat /var/lib/kubelet/kubeadm-flags.env
KUBELET_KUBEADM_ARGS="--container-runtime-endpoint=unix:///run/cri-dockerd.sock --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9"
# after
[root@master01 test]# cat /var/lib/kubelet/kubeadm-flags.env
KUBELET_KUBEADM_ARGS="--container-runtime-endpoint=unix:///run/containerd/containerd.sock --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.9 --max-pods=200"
```
2. Restart the kubelet:
```bash
[root@node01 ~]# systemctl restart kubelet
```
# 6.6 Re-download the Images
When a master's runtime is switched to containerd, the control-plane images have to be pulled again into containerd's image store (they were previously in Docker's). Worker nodes do not need this step; the kubelet pulls what it needs on demand:
```bash
[root@k8s-master01 ~]# kubeadm config images pull \
    --image-repository registry.aliyuncs.com/google_containers \
    --kubernetes-version v1.30.0 \
    --cri-socket=unix:///run/containerd/containerd.sock
```
# 6.7 Update the Node Annotation
kubeadm records each node's container runtime socket in an annotation on the Node object. If it is left pointing at cri-dockerd, every later kubeadm operation on that node (upgrade, reset) has to be given `--cri-socket` explicitly; updating the annotation avoids that.
Change the value of `kubeadm.alpha.kubernetes.io/cri-socket` from `unix:///run/cri-dockerd.sock` to `unix:///run/containerd/containerd.sock` (`kubectl annotate --overwrite` does the same non-interactively):
```bash
# run on the master only
[root@master01 ~]# kubectl edit nodes <node-name>
```
```yaml
apiVersion: v1
kind: Node
metadata:
  annotations:
    flannel.alpha.coreos.com/backend-data: '{"VNI":1,"VtepMAC":"b6:82:9b:fa:76:2f"}'
    flannel.alpha.coreos.com/backend-type: vxlan
    flannel.alpha.coreos.com/kube-subnet-manager: "true"
    flannel.alpha.coreos.com/public-ip: 10.0.0.211
    kubeadm.alpha.kubernetes.io/cri-socket: unix:///run/containerd/containerd.sock
    node.alpha.kubernetes.io/ttl: "0"
    volumes.kubernetes.io/controller-managed-attach-detach: "true"
```
# 6.8 Check the Cluster
1. Make the node schedulable again with uncordon:
```
[root@master01 ~]# kubectl uncordon master01.oldxu.net
node/master01.oldxu.net uncordoned
```
2. Confirm that the node now reports containerd instead of docker:
```
[root@master01 ~]# kubectl get nodes -o wide
NAME                 STATUS   ROLES           AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                      KERNEL-VERSION                 CONTAINER-RUNTIME
master01.oldxu.net   Ready    control-plane   15h   v1.30.0   10.0.0.201    <none>        Rocky Linux 9.4 (Blue Onyx)   5.14.0-427.16.1.el9_4.x86_64   containerd://1.6.31
node01.oldxu.net     Ready    <none>          15h   v1.30.0   10.0.0.204    <none>        Rocky Linux 9.4 (Blue Onyx)   5.14.0-427.16.1.el9_4.x86_64   docker://26.1.3
node02.oldxu.net     Ready    <none>          15h   v1.30.0   10.0.0.205    <none>        Rocky Linux 9.4 (Blue Onyx)   5.14.0-427.16.1.el9_4.x86_64   docker://26.1.3
```
3. Switching a worker node to containerd is simpler than the master; only these steps are needed:
- 1. drain the node
- 2. install containerd, nerdctl and buildkit
- 3. change the kubelet's runtime socket path
- 4. update the node's cri-socket annotation from the master, then uncordon it
```
[root@master01 ~]# kubectl get nodes -o wide
NAME                 STATUS   ROLES           AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                      KERNEL-VERSION                 CONTAINER-RUNTIME
master01.oldxu.net   Ready    control-plane   15h   v1.30.0   10.0.0.201    <none>        Rocky Linux 9.4 (Blue Onyx)   5.14.0-427.16.1.el9_4.x86_64   containerd://1.6.31
node01.oldxu.net     Ready    <none>          15h   v1.30.0   10.0.0.204    <none>        Rocky Linux 9.4 (Blue Onyx)   5.14.0-427.16.1.el9_4.x86_64   containerd://1.6.31
node02.oldxu.net     Ready    <none>          15h   v1.30.0   10.0.0.205    <none>        Rocky Linux 9.4 (Blue Onyx)   5.14.0-427.16.1.el9_4.x86_64   containerd://1.6.31
node03.oldxu.net     Ready    <none>          15h   v1.30.0   10.0.0.206    <none>        Rocky Linux 9.4 (Blue Onyx)   5.14.0-427.16.1.el9_4.x86_64   containerd://1.6.31
```
4. Adding a brand-new containerd node to the cluster:
- 1. install containerd
- 2. install nerdctl and buildkitd
- 3. install kubelet, kubectl and kubeadm
- 4. start containerd, buildkit and kubelet
- 5. run `kubeadm join` (no `--cri-socket` is needed when containerd is the only runtime on the host)
