在Ubuntu 18.04 中安装 Kubernetes

本文记录在 Ubuntu 18.04 Server 中安装 Kubernetes 的的过程。

调整 Ubuntu 的设置

网络 - 内核开启ip4转发

编辑 /etc/sysctl.conf，开启ipv4转发

sudo vim /etc/sysctl.conf

开启: net.ipv4.ip_forward = 1

保存文件后执行

sudo sysctl -p

禁用 Swap 分区

执行以下命令，禁用所有 Swap 分区

sudo swapoff -a

然后修改/etc/fstab文件，注释掉 SWAP 的自动挂载，防止机子重启后swap启用。

更新Ubuntu

sudo apt-get update

安装 Docker

参考 Docker课堂实验手册(一)

Docker - 设置docker不操作iptables

编辑docker daemon默认配置文件 /etc/docker/daemon.json。加入:

"iptables": false

安装 Kubernetes

sudo apt-get install -y apt-transport-https curl

设置使用国内（阿里）镜像源进行安装:

sudo curl -s https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | sudo apt-key add -

sudo tee /etc/apt/sources.list.d/kubernetes.list <<-'EOF'
deb https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial main
EOF

sudo apt-get update

安装最新版本的 kubelet kubeadm 和 kubectl

sudo apt-get install -y kubelet kubeadm kubectl

将 kubelet 设置为开启启动

sudo systemctl enable kubelet && sudo systemctl start kubelet

获取镜像文件

查看需要的镜像

kubeadm config images list

系统输出:

k8s.gcr.io/kube-apiserver:v1.15.3
k8s.gcr.io/kube-controller-manager:v1.15.3
k8s.gcr.io/kube-scheduler:v1.15.3
k8s.gcr.io/kube-proxy:v1.15.3
k8s.gcr.io/pause:3.1
k8s.gcr.io/etcd:3.3.10
k8s.gcr.io/coredns:1.3.1

编辑一个文件, 命名为： install_k8s_images.sh

#! /bin/bash
images=(
    kube-apiserver:v1.15.3
    kube-controller-manager:v1.15.3
    kube-scheduler:v1.15.3
    kube-proxy:v1.15.3
    pause:3.1
    etcd:3.3.10
    coredns:1.3.1
)

for imageName in ${images[@]} ; do
    docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/$imageName
    docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/$imageName k8s.gcr.io/$imageName
done

将文件设置为可运行：

chmod a+x install_k8s_images.sh

运行 install_k8s_images.sh 安装所需要的镜像

./install_k8s_images.sh

更新：以上需要的镜像我已经打包成一个文件，可以直接加载到 docker 中，参考 从本地上传安装 kubernetes 所需要的镜像

注意：以上步骤需要在Master和Node机器完成

配置Master节点

修改主节点的 hostname 为: master-node

sudo hostnamectl set-hostname master-node

初始化 Kubernetes:

sudo kubeadm init --pod-network-cidr=10.244.0.0/16

系统显示:

W0907 16:17:44.359105    1998 version.go:98] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.txt": Get https://dl.k8s.io/release/stable-1.txt: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
W0907 16:17:44.359172    1998 version.go:99] falling back to the local client version: v1.15.3
[init] Using Kubernetes version: v1.15.3
[preflight] Running pre-flight checks
	[WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/
	[WARNING SystemVerification]: this Docker version is not on the list of validated versions: 19.03.1. Latest validated version: 18.09
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Activating the kubelet service
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [master-node localhost] and IPs [192.168.43.10 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [master-node localhost] and IPs [192.168.43.10 127.0.0.1 ::1]
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [master-node kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.43.10]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[kubelet-check] Initial timeout of 40s passed.
[apiclient] All control plane components are healthy after 61.555344 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config-1.15" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node master-node as control-plane by adding the label "node-role.kubernetes.io/master=''"
[mark-control-plane] Marking the node master-node as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[bootstrap-token] Using token: mg39mb.hmfz2bao1t90fcdc
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.43.10:6443 --token mg39mb.hmfz2bao1t90fcdc \
    --discovery-token-ca-cert-hash sha256:4343f8637818221cc153a4c556a6a29606f5a14ea040b3e9ee1e5e29af6e7381

为当前用户保存 kubernetes 配置信息

mkdir -p $HOME/.kube

sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

sudo chown $(id -u):$(id -g) $HOME/.kube/config

现在，你可以使用以下命令，加入新的节点(node):

kubeadm join 192.168.43.10:6443 --token mg39mb.hmfz2bao1t90fcdc \
    --discovery-token-ca-cert-hash sha256:4343f8637818221cc153a4c556a6a29606f5a14ea040b3e9ee1e5e29af6e7381

现在，我们可以通过 kubetl 命令查看状态

kubectl get nodes

得到如下结果:

NAME          STATUS     ROLES    AGE     VERSION
master-node   NotReady   master   3h44m   v1.15.3

可以看到，当前只有一个节点，并且状态是:”NotReady”, 因为现在还没有配置任何Pod网络。

在Master上部署一个Pod网络

在本教程中，我们部署一个 Flannel pod network。在Master节点机器上执行以下命令:

sudo kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

系统显示:

podsecuritypolicy.policy/psp.flannel.unprivileged created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
serviceaccount/flannel created
configmap/kube-flannel-cfg created
daemonset.apps/kube-flannel-ds-amd64 created
daemonset.apps/kube-flannel-ds-arm64 created
daemonset.apps/kube-flannel-ds-arm created
daemonset.apps/kube-flannel-ds-ppc64le created
daemonset.apps/kube-flannel-ds-s390x created

执行后，查看pod网络的状态:

kubectl get pods --all-namespaces

系统显示:

NAMESPACE     NAME                                  READY   STATUS     RESTARTS   AGE
kube-system   coredns-5c98db65d4-fl5fs              0/1     Pending    0          3h50m
kube-system   coredns-5c98db65d4-nrsq7              0/1     Pending    0          3h50m
kube-system   etcd-master-node                      1/1     Running    0          3h50m
kube-system   kube-apiserver-master-node            1/1     Running    0          3h50m
kube-system   kube-controller-manager-master-node   1/1     Running    0          3h50m
kube-system   kube-flannel-ds-amd64-fkzck           0/1     Init:0/1   0          80s
kube-system   kube-proxy-vm9jj                      1/1     Running    0          3h50m
kube-system   kube-scheduler-master-node            1/1     Running    0          3h50m

整个过程需要花费一定的时间，知道所有服务都已经启动:

NAMESPACE     NAME                                  READY   STATUS    RESTARTS   AGE
kube-system   coredns-5c98db65d4-fl5fs              1/1     Running   0          3h53m
kube-system   coredns-5c98db65d4-nrsq7              1/1     Running   0          3h53m
kube-system   etcd-master-node                      1/1     Running   0          3h53m
kube-system   kube-apiserver-master-node            1/1     Running   0          3h53m
kube-system   kube-controller-manager-master-node   1/1     Running   0          3h53m
kube-system   kube-flannel-ds-amd64-fkzck           1/1     Running   0          4m4s
kube-system   kube-proxy-vm9jj                      1/1     Running   0          3h53m
kube-system   kube-scheduler-master-node            1/1     Running   0          3h53m

这时，再查看节点状态:

kubectl get nodes

NAME          STATUS   ROLES    AGE     VERSION
master-node   Ready    master   3h54m   v1.15.3

可以看到， master节点已经准备就绪。

准备工作节点

修改主机名

修改主节点的 hostname 为: worker-node01

sudo hostnamectl set-hostname worker-node01

设置admin配置文件

1. 将主节点中的 /etc/kubernetes/admin.conf 文件拷贝到从节点相同目录下。

2. 拷贝以后，在从节点执行:

echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile

3. 执行

source ~/.bash_profile

是改动立即生效

将节点加入Pod网络

现在，你可以使用以下命令，加入新的节点(node):

sudo kubeadm join 192.168.43.10:6443 --token mg39mb.hmfz2bao1t90fcdc --discovery-token-ca-cert-hash sha256:4343f8637818221cc153a4c556a6a29606f5a14ea040b3e9ee1e5e29af6e7381

系统显示:

[preflight] Running pre-flight checks
	[WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/
	[WARNING SystemVerification]: this Docker version is not on the list of validated versions: 19.03.1. Latest validated version: 18.09
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.15" ConfigMap in the kube-system namespace
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Activating the kubelet service
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

再运行 get nodes 查看:

kubectl get nodes

系统显示:

NAME          STATUS   ROLES    AGE    VERSION
kube-master   Ready    master   106m   v1.15.3
kube-node01   Ready    <none>   96m    v1.15.3

标明已经安装成功过。