Set the hostname

Set a distinct hostname on the master and on every node before doing anything else. Otherwise they all keep the default localhost.localdomain, and because kubeadm registers each node under its hostname, a node joining with the same name as the master breaks the master.

hostnamectl set-hostname xxx

Disable the firewall

systemctl stop firewalld
systemctl disable firewalld

This leaves every port on the node reachable from the network. It is fine for a lab; on anything else, keep firewalld and open only what kubeadm needs (6443 for the API server, 2379-2380 for etcd, 10250 for the kubelet, 30000-32767 for NodePorts, plus whatever the CNI plugin uses).

Disable swap

swapoff -a
sed -i 's/.*swap.*/#&/' /etc/fstab

The kubelet refuses to start while swap is enabled unless told otherwise, and swapoff -a only lasts until the next reboot, hence the fstab edit. Note that this sed pattern comments out every line that merely contains the word "swap", including lines that are already comments, and prepends another "#" each time it is run; it is good enough for a fresh install.

Disable SELinux

setenforce 0
sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/sysconfig/selinux
sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/sysconfig/selinux
sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/selinux/config

On CentOS 7 /etc/sysconfig/selinux is a symlink to /etc/selinux/config, so editing either file is enough. kubeadm itself only requires permissive mode (so that containers can reach the host filesystem); SELINUX=permissive keeps the policy loaded and the denials logged, and is the less drastic choice than disabled.

Configure networking

modprobe br_netfilter
cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl -p /etc/sysctl.d/k8s.conf
ls /proc/sys/net/bridge

The two sysctls make traffic crossing the Linux bridge pass through iptables, which is what kube-proxy's rules rely on. The directory /proc/sys/net/bridge only exists once br_netfilter is loaded, so the ls is the check that the modprobe worked. modprobe alone does not survive a reboot; the module name also belongs in a file under /etc/modules-load.d/ so that the sysctl settings can be applied at boot.

Set up the repo

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

The baseurl is the Aliyun mirror of the upstream Kubernetes yum repo. gpgcheck and repo_gpgcheck stay at 1 so that both packages and repo metadata are still verified against the mirrored copies of Google's signing keys; that verification is what stops a mirror from substituting packages.

Install required tools

yum install -y epel-release
yum install -y yum-utils device-mapper-persistent-data lvm2 net-tools conntrack-tools wget vim ntpdate libseccomp libtool-ltdl

Miscellaneous settings

systemctl enable ntpdate.service
echo '*/30 * * * * /usr/sbin/ntpdate time7.aliyun.com >/dev/null 2>&1' > /tmp/crontab2.tmp
crontab /tmp/crontab2.tmp
systemctl start ntpdate.service

echo "* soft nofile 65536" >> /etc/security/limits.conf
echo "* hard nofile 65536" >> /etc/security/limits.conf
echo "* soft nproc 65536" >> /etc/security/limits.conf
echo "* hard nproc 65536" >> /etc/security/limits.conf
echo "* soft memlock unlimited" >> /etc/security/limits.conf
echo "* hard memlock unlimited" >> /etc/security/limits.conf

Keep the clocks in sync: certificate validity periods and token expiry are checked against the local clock, and a node that drifts will see TLS failures against the API server. Note that crontab FILE replaces root's entire crontab with the contents of the file, so merge rather than overwrite if root already has entries. The limits.conf lines raise the open-file and process limits for all users, which container workloads exhaust quickly at the defaults.
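The prep steps above are usually pasted into a script and rerun on every node. The helpers below are added here as an example and are not part of the original post: they make the swap and br_netfilter steps idempotent and checkable on a scratch copy. The fstab filter matches on the fstype field rather than on the word "swap", so a mountpoint such as /swapdata survives and already-commented lines are not commented a second time, and the network settings are also written to modules-load.d so the module comes back after a reboot. The prefix argument, the demo fstab and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent node-prep helpers.
# All paths are parameters so the functions can be tried on a scratch copy.

# Print the active (uncommented) swap entries of an fstab-style file.
# Matching the third field (fstype) instead of the word "swap" anywhere on the
# line means a mountpoint such as /swapdata is never touched.
active_swap_entries() {
    awk '!/^[ \t]*#/ && $3 == "swap"' "$1"
}

# Comment out active swap entries in place. Existing comment lines are left
# alone, so a second run is a no-op instead of producing "##" lines.
comment_swap_entries() {
    f="$1"
    awk '!/^[ \t]*#/ && $3 == "swap" { print "#" $0; next } { print }' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Write the br_netfilter and sysctl configuration under an /etc-like prefix
# (use / on a real node). modprobe alone does not persist; the modules-load.d
# entry makes systemd load the module at boot, before sysctl.d is applied.
write_k8s_netconf() {
    prefix="$1"
    mkdir -p "$prefix/modules-load.d" "$prefix/sysctl.d"
    printf 'br_netfilter\n' > "$prefix/modules-load.d/k8s.conf"
    cat > "$prefix/sysctl.d/k8s.conf" <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
}

# Succeed only if the sysctl file sets every named key to 1.
sysctl_file_sets_to_one() {
    f="$1"; shift
    for key in "$@"; do
        awk -v k="$key" -F'[ \t]*=[ \t]*' \
            '$1 == k && $2 == "1" { found = 1 } END { exit found ? 0 : 1 }' "$f" || return 1
    done
}

# Demo on a constructed fstab; nothing here touches the real system.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/fstab" <<'EOF'
UUID=1111-2222        /          xfs   defaults 0 0
UUID=3333-4444        swap       swap  defaults 0 0
/dev/mapper/cl-swap   none       swap  sw       0 0
#/dev/sdb1            none       swap  sw       0 0
UUID=5555-6666        /swapdata  xfs   defaults 0 0
EOF
    comment_swap_entries "$tmp/fstab"
    comment_swap_entries "$tmp/fstab"      # rerun: must change nothing
    echo "active swap entries: $(active_swap_entries "$tmp/fstab" | wc -l)"
    cat "$tmp/fstab"
    write_k8s_netconf "$tmp/etc"
    sysctl_file_sets_to_one "$tmp/etc/sysctl.d/k8s.conf" \
        net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables \
        && echo "sysctl.d/k8s.conf ok"
    rm -rf "$tmp"
}

demo
```

On a real node call comment_swap_entries /etc/fstab and write_k8s_netconf /etc after swapoff -a and modprobe br_netfilter; the page's sed would have turned the commented /dev/sdb1 line into "##/dev/sdb1" and commented out the /swapdata mount, which this version leaves alone.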

Install Docker

yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
sudo yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-selinux \
docker-engine-selinux \
docker-engine
yum install -y docker-ce
systemctl enable docker
systemctl start docker

The yum remove clears out any older docker packages from the CentOS repos that would conflict with docker-ce. Fetch the .repo file over https rather than plain http: that file decides where packages come from and whether gpgcheck is on, so it must not be tamperable in transit.

Install kubeadm

yum install -y kubelet kubeadm kubectl
systemctl enable kubelet

Unpinned, this installs whatever is newest in the repo; give yum an explicit package version and use the same one on the master and on every node, so that a node set up later does not land on a different release. The kubelet will restart in a loop until kubeadm init or kubeadm join writes its configuration; that is expected.

Configure a registry mirror

sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://li2mrog8.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker

The mirror address is the accelerator Aliyun assigned to the author's account; use the one from your own console. It only accelerates pulls from Docker Hub, not from k8s.gcr.io, which is why the next step still fetches the control-plane images by hand.

Prepare the images

  • Without a proxy you cannot pull from k8s.gcr.io, so download the images from Aliyun beforehand and retag them with their k8s.gcr.io names. ==Non-master nodes also need pause and kube-proxy.== Retagging makes Docker treat whatever the mirror served as the upstream image, with no digest check, so this is a decision to trust the mirror as you would the upstream registry. Newer kubeadm releases can skip the retagging entirely by passing --image-repository registry.aliyuncs.com/google_containers to both kubeadm config images list and kubeadm init.
    for i in `kubeadm config images list`; do
    imageName=${i#k8s.gcr.io/}
    docker pull registry.aliyuncs.com/google_containers/$imageName
    docker tag registry.aliyuncs.com/google_containers/$imageName k8s.gcr.io/$imageName
    docker rmi registry.aliyuncs.com/google_containers/$imageName
    done
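The loop above works for images that sit directly under k8s.gcr.io, but ${i#k8s.gcr.io/} keeps any sub-path, so an entry such as k8s.gcr.io/coredns/coredns:v1.8.0 (which newer kubeadm releases list) would be requested as google_containers/coredns/coredns and fail. The helpers below are added here as an example and are not the post's own code: they compute the mirror name from the last path component, print the pull/tag/rmi commands as a dry run so the mapping can be read before anything is pulled, and check a node's local image list for the images it still lacks (the pause and kube-proxy case from the note above). That the Aliyun namespace flattens sub-paths this way is an assumption about the mirror; the image lists in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Maps upstream image names to the
# Aliyun mirror, prints the retag commands as a dry run, and checks which of the
# wanted images a node is still missing. The sample image lists are constructed.

MIRROR=registry.aliyuncs.com/google_containers

# mirror_name UPSTREAM: name of the same image on the mirror. Only the last
# path component is kept, so k8s.gcr.io/coredns/coredns:v1.8.0 becomes
# registry.aliyuncs.com/google_containers/coredns:v1.8.0 (assumed mirror layout).
mirror_name() {
    printf '%s/%s\n' "$MIRROR" "${1##*/}"
}

# pull_retag_commands LISTFILE: for each k8s.gcr.io image in LISTFILE (the
# output of `kubeadm config images list`), print the pull/tag/rmi commands the
# post runs, one per line, without executing them. Pipe into sh to run them.
pull_retag_commands() {
    while IFS= read -r upstream; do
        case "$upstream" in
            '') continue ;;
            k8s.gcr.io/*) ;;
            *) echo "skip: $upstream is not a k8s.gcr.io image" >&2; continue ;;
        esac
        m=$(mirror_name "$upstream")
        printf 'docker pull %s\n' "$m"
        printf 'docker tag %s %s\n' "$m" "$upstream"
        printf 'docker rmi %s\n' "$m"
    done < "$1"
}

# missing_images WANTFILE HAVEFILE: lines of WANTFILE absent from HAVEFILE,
# where HAVEFILE is `docker images --format '{{.Repository}}:{{.Tag}}'` on the node.
missing_images() {
    grep -vxF -f "$2" "$1" || true
}

demo() {
    tmp=$(mktemp -d)
    # Constructed stand-in for `kubeadm config images list` on the master.
    cat > "$tmp/want" <<'EOF'
k8s.gcr.io/kube-apiserver:v1.21.0
k8s.gcr.io/kube-proxy:v1.21.0
k8s.gcr.io/pause:3.4.1
k8s.gcr.io/coredns/coredns:v1.8.0
EOF
    # Constructed stand-in for `docker images` on a worker that only has pause so far.
    printf 'k8s.gcr.io/pause:3.4.1\n' > "$tmp/have"
    echo "--- dry run ---"
    pull_retag_commands "$tmp/want"
    echo "--- worker still needs ---"
    missing_images "$tmp/want" "$tmp/have"
    rm -rf "$tmp"
}

demo
```

On a real master, kubeadm config images list > want; pull_retag_commands want | sh does the pulls; on a worker, docker images --format '{{.Repository}}:{{.Tag}}' > have; missing_images want have shows what is still to be fetched before kubeadm join.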

kubeadm init

  • Pass --pod-network-cidr=10.244.0.0/16 to kubeadm init, because that is the range flannel's default manifest uses.
  • After kubeadm init finishes, do not forget to run the following, otherwise kubectl cannot talk to the cluster. admin.conf is the cluster-admin credential, so keep the copy at ~/.kube/config readable only by your user.
    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config

    Install flannel

  • Apply the manifest at https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml with kubectl apply -f. Pulling from the master branch means the cluster gets whatever is there on the day; pin to a tagged release for anything you want to reproduce.

    Install the dashboard

  • kubernetes-dashboard.yaml needs its image address changed to a reachable mirror, otherwise the image cannot be pulled.
  • If the dashboard is exposed as a NodePort you need a user to log in with. Bear in mind that a NodePort publishes the dashboard on every node's address, so the token is the only thing between the network and the cluster. The steps are:
    • Create a service account named admin-user
      # admin-user.yaml
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: admin-user
        namespace: kube-system
    • Bind a role. cluster-admin is one of the ClusterRoles every RBAC-enabled cluster ships with, so it can be referenced directly. This binding hands the dashboard token full control of the cluster; for a read-only dashboard bind the built-in view ClusterRole instead. The RBAC API version is rbac.authorization.k8s.io/v1 (v1beta1 was removed in Kubernetes 1.22).
      # admin-user-role-binding.yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: admin-user
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
      subjects:
      - kind: ServiceAccount
        name: admin-user
        namespace: kube-system
    • Get the token
        kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
      This reads the token secret that older releases create automatically for every service account. From Kubernetes 1.24 no such secret exists; kubectl -n kube-system create token admin-user issues a short-lived token instead.
  • Access the dashboard through the API server proxy
    https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
    The API server authenticates the browser with a client certificate, so export the admin client certificate and key from ~/.kube/config into a PKCS#12 bundle. Use > rather than >> here: appending a second copy on a rerun produces a file openssl rejects.

# extract client-certificate-data
grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt

# extract client-key-data
grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key

# build the p12
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"

Copy the generated p12 to your workstation, double-click it to import, restart the browser and select the certificate when prompted. This is the cluster-admin identity from admin.conf, so set an export password when openssl asks for one, keep kubecfg.key and the p12 off shared machines, and delete the loose files once the import is done.
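The three commands above write the key with the default umask, which on most systems leaves it world-readable, and leave the cleanup to the reader. The script below is an added example rather than the post's own code: it extracts the same two fields from a kubeconfig with owner-only permissions and truncating writes, and wraps the same openssl command. The demo kubeconfig is constructed with placeholder blobs, not real PEM, so the demo stops before the pkcs12 step; the function names and the output directory argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: safer extraction of the browser
# client certificate from a kubeconfig. The demo kubeconfig is constructed.

# kubeconfig_field CONFIG KEY: decoded value of the first "KEY: <base64>" line.
kubeconfig_field() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | base64 -d
}

# extract_client_creds CONFIG OUTDIR: write OUTDIR/kubecfg.crt and kubecfg.key.
# umask 077 makes the directory and both files owner-only from the moment they
# are created, and `>` truncates, so rerunning never appends a second copy.
extract_client_creds() {
    cfg="$1"; out="$2"
    old_umask=$(umask)
    umask 077
    mkdir -p "$out"
    kubeconfig_field "$cfg" client-certificate-data > "$out/kubecfg.crt"
    kubeconfig_field "$cfg" client-key-data > "$out/kubecfg.key"
    umask "$old_umask"
    [ -s "$out/kubecfg.crt" ] && [ -s "$out/kubecfg.key" ]
}

# make_p12 OUTDIR: the post's openssl command; it prompts for an export password,
# which is what protects the cluster-admin key once the .p12 leaves this host.
make_p12() {
    openssl pkcs12 -export -clcerts -inkey "$1/kubecfg.key" -in "$1/kubecfg.crt" \
        -out "$1/kubecfg.p12" -name "kubernetes-client"
}

# not_owner_only OUTDIR: list extracted files whose mode is not exactly 0600.
not_owner_only() {
    find "$1" -name 'kubecfg.*' ! -perm 600
}

demo() {
    tmp=$(mktemp -d)
    # Constructed kubeconfig; the blobs are placeholders, not real PEM.
    crt_b64=$(printf 'PLACEHOLDER-CERT' | base64)
    key_b64=$(printf 'PLACEHOLDER-KEY' | base64)
    cat > "$tmp/config" <<EOF
apiVersion: v1
kind: Config
users:
- name: kubernetes-admin
  user:
    client-certificate-data: $crt_b64
    client-key-data: $key_b64
EOF
    extract_client_creds "$tmp/config" "$tmp/out"
    extract_client_creds "$tmp/config" "$tmp/out"   # rerun: still one copy
    echo "cert: $(cat "$tmp/out/kubecfg.crt")"
    echo "key:  $(cat "$tmp/out/kubecfg.key")"
    echo "files not 0600: $(not_owner_only "$tmp/out" | wc -l)"
    # make_p12 "$tmp/out" belongs here once real certificate material is present.
    rm -rf "$tmp"
}

demo
```

Against a real cluster: extract_client_creds ~/.kube/config ./creds, then make_p12 ./creds, import creds/kubecfg.p12 in the browser and remove the directory.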