部署k8s

Dorimu 发布于 7 天前 17 次阅读


前言

上网环境真坑

步骤

准备

# Time zone: keep every node on the same zone so log timestamps from different
# nodes can be correlated.
sudo timedatectl set-timezone Asia/Shanghai
# Points /etc/localtime at the same zone file; timedatectl normally maintains
# this symlink itself, so this line is a belt-and-braces repeat.
sudo ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

# Virtual machine preparation: have the overlay and br_netfilter kernel
# modules loaded on every boot.
sudo tee /etc/modules-load.d/k8s.conf <<'EOF'
overlay
br_netfilter
EOF

# Load both modules into the running kernel as well, so no reboot is needed.
for kmod in overlay br_netfilter; do
  sudo modprobe "$kmod"
done

# Persist the sysctl settings across reboots: bridged traffic is passed through
# iptables/ip6tables, and IPv4 forwarding is enabled so the node routes packets.
sudo tee /etc/sysctl.d/k8s.conf <<'EOF'
net.bridge.bridge-nf-call-iptables  = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward                 = 1
EOF

# Apply the sysctl settings now, without rebooting.
sudo sysctl --system

配置容器运行时

  • 安装 containerd
# Install containerd from the distribution's apt repositories. The packaged
# version decides which section names the generated config.toml uses, which
# matters for the registry settings edited later on this page.
sudo apt-get update && sudo apt-get install -y containerd
  • 配置 containerd
# Write containerd's built-in default configuration to the standard location.
# tee replaces the whole file, so an existing config.toml is overwritten.
sudo mkdir -p /etc/containerd
sudo containerd config default | sudo tee /etc/containerd/config.toml
  • 修改为 SystemdCgroup
# Flip the runc cgroup driver to systemd in place, then print the matching
# line(s) to confirm that the substitution actually took effect.
sudo sed --in-place --expression='s/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
grep SystemdCgroup /etc/containerd/config.toml
  • 配置 containerd 服务
# Start containerd on boot, restart it so the edited config.toml is loaded,
# and show the unit state to confirm it came back up.
sudo systemctl enable containerd
sudo systemctl restart containerd
sudo systemctl status containerd
  • containerd配置镜像加速
# Open the containerd config. The file was written through sudo above, so the
# editor needs root privileges to save it.
nano /etc/containerd/config.toml

# Change to make in the editor: set config_path in the CRI registry section so
# containerd reads per-registry hosts.toml files from /etc/containerd/certs.d.
#
#   [plugins."io.containerd.cri.v1.images".registry]
#     config_path = "/etc/containerd/certs.d"
#
# NOTE(review): the section name depends on the containerd version. Older 1.x
# configs use [plugins."io.containerd.grpc.v1.cri".registry] instead; edit the
# section that already exists in the generated file rather than adding a new one.

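# Per-registry mirror configuration for containerd. Each directory name under
# /etc/containerd/certs.d is the registry host being pulled from; its
# hosts.toml lists the endpoints containerd tries for that registry.
#
# /etc/containerd is root-owned, so these commands go through sudo like the
# rest of the page. The heredocs create the files, so no touch is needed.
sudo mkdir -p /etc/containerd/certs.d/docker.io /etc/containerd/certs.d/registry.k8s.io

# Trust note: the "resolve" capability lets a mirror answer tag -> digest
# lookups, so for tag-based pulls the mirror decides which image content the
# node runs. Only list mirrors you trust for that, and pull security-sensitive
# images by digest (name@sha256:...), which containerd verifies against the
# content it receives.
sudo tee /etc/containerd/certs.d/docker.io/hosts.toml >/dev/null <<'EOF'
server = "https://docker.io"

[host."https://docker.m.daocloud.io"]
  capabilities = ["pull", "resolve"]
[host."https://dockerproxy.com/"]
  capabilities = ["pull", "resolve"]
EOF

# The https:// scheme is written out explicitly here so the transport does not
# depend on how containerd treats scheme-less entries.
sudo tee /etc/containerd/certs.d/registry.k8s.io/hosts.toml >/dev/null <<'EOF'
server = "https://registry.k8s.io"

[host."https://k8s.m.daocloud.io"]
  capabilities = ["pull", "resolve"]
EOF

# Restart so containerd picks up the new registry configuration.
sudo systemctl restart containerd.service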

安装 kubelet/kubeadm/kubectl

# Tools needed to add an HTTPS apt repository and import its signing key.
sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl gpg

# Fetch the repository signing key over HTTPS and store it de-armored in a
# dedicated keyring file instead of apt's global trust store.
sudo mkdir -p -m 755 /etc/apt/keyrings
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.33/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg

# signed-by ties that key to this one repository, so it cannot vouch for
# packages from any other source. The URL pins the v1.33 minor release line.
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.33/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list

sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl
# Hold the three packages so a routine apt upgrade cannot change the node's
# Kubernetes version behind kubeadm's back; upgrades then have to be deliberate.
sudo apt-mark hold kubelet kubeadm kubectl

修改 machine-id

# Give this node its own machine-id.
# NOTE(review): presumably needed because the VMs were cloned from one image
# and would otherwise share the same id; confirm for your setup.
# machine-id(5) expects a single line of 32 lowercase hexadecimal characters,
# so a hand-edited value must keep that format. The file is root-owned, so the
# editor needs root privileges to save it.
nano /etc/machine-id

启动control-plane

# Bootstrap the first control-plane node.
#
# --control-plane-endpoint  address that nodes use to reach the API server
# --pod-network-cidr        10.244.0.0/16 is the range flannel's stock manifest expects
# --kubernetes-version      pins the control-plane version instead of "latest stable"
# --image-repository        pulls the control-plane images from an Aliyun mirror
#                           rather than registry.k8s.io, so the mirror operator is
#                           trusted for the content of every core component
# --upload-certs            stores the control-plane certificates in the cluster,
#                           encrypted with a certificate key printed in the output
#
# The output contains a bootstrap token and that certificate key; with -v=5 it
# is also verbose, so treat any saved terminal log as sensitive.
sudo kubeadm init \
  --control-plane-endpoint=10.15.2.70 \
  --node-name=k8s-control-plane \
  --pod-network-cidr=10.244.0.0/16 \
  --kubernetes-version=v1.33.3 \
  --image-repository=registry.aliyuncs.com/google_containers \
  --upload-certs \
  -v=5

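# Install the admin kubeconfig for the current user. Expansions are quoted so a
# home directory containing spaces or glob characters cannot split the paths.
# admin.conf carries cluster administrator credentials: keep the copy readable
# only by its owner and do not copy it to machines that do not need it.
mkdir -p "$HOME/.kube"
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"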

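# Install the flannel CNI. The manifest is downloaded first so it can be read
# before it is applied with cluster-admin rights: it creates RBAC objects and a
# privileged DaemonSet on every node.
# "latest" moves with every flannel release; for a reproducible install replace
# "latest/download" with "download/<FLANNEL_RELEASE_TAG>" (placeholder: use the
# tag you have reviewed).
curl -fsSLO https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml
kubectl apply -f kube-flannel.yml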

安装helm

# Fetch the Helm installer to a local file (rather than piping it into a shell)
# so it can be read before it runs. The URL tracks the mutable main branch, so
# the script's content can differ between two runs of this step.
curl --fail --silent --show-error --location \
  --output get_helm.sh \
  https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
# Owner-only permissions, then run the installer.
chmod 700 get_helm.sh
./get_helm.sh

安装 Kubernetes Dashboard kite

  • 安装kite
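# Install the kite dashboard. The manifest is downloaded first so the objects
# it creates (in particular any ServiceAccount / RBAC bindings) can be reviewed
# before it is applied with cluster-admin rights.
# refs/heads/main is a moving branch; for a reproducible install replace it
# with a reviewed commit: .../zxh326/kite/<COMMIT_SHA>/deploy/install.yaml
# (placeholder).
curl -fsSL -o kite-install.yaml https://raw.githubusercontent.com/zxh326/kite/refs/heads/main/deploy/install.yaml
kubectl apply -f kite-install.yaml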

安装ingress-nginx

# Register the ingress-nginx chart repository and refresh the local index.
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

# Install the controller into its own namespace. No chart version is given, so
# whatever is newest in the repository at install time is used; pass --version
# to pin one.
kubectl create namespace ingress-nginx
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --set controller.publishService.enabled=true

# Switch the controller Service to NodePort: it becomes reachable on a high
# port of every node's address, so anything published through an Ingress is
# exposed to whoever can reach the nodes on that port.
kubectl --namespace ingress-nginx patch svc ingress-nginx-controller \
  --patch '{"spec":{"type":"NodePort"}}'
  • 代理kite
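# Create the htpasswd-style file behind the ingress basic-auth Secret.
# The password is no longer the literal "admin" on the command line: openssl
# prompts for it (twice), so it stays out of shell history and the process
# list, and the dashboard is not protected by a guessable default.
# The subshell keeps the restrictive umask from leaking into the session, and
# the file is only written if hashing succeeded.
# apr1 is an MD5-based scheme, so treat the Secret's content as sensitive.
(
  umask 077
  hash=$(openssl passwd -apr1) && printf 'admin:%s\n' "$hash" > auth
) &&
  # The Secret key must be "auth"; --from-file takes it from the file name.
  kubectl create secret generic basic-auth --from-file=auth -n kube-system
# Do not leave the credential file in the working directory.
rm -f -- auth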
# Ingress that publishes the kite Service (port 80) at console.private.dorimu.cn
# through the "nginx" ingress class, gated by HTTP basic auth.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kite-ingress
  namespace: kube-system
  annotations:
    # The ingress controller checks credentials against the Secret named below;
    # a bare name is looked up in this Ingress's own namespace (kube-system).
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  # No tls: block is configured for this host, so requests over plain HTTP are
  # accepted, and basic-auth credentials sent that way are only base64-encoded.
  # NOTE(review): confirm TLS is terminated in front of the controller, or add
  # a tls: entry for this host.
  ingressClassName: nginx
  rules:
  - host: console.private.dorimu.cn
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kite
            port:
              number: 80

#kubectl apply -f ingress.yaml

手抖可用

  • 排查问题
# List every container known to the CRI runtime, including exited ones.
crictl ps --all

# Last 50 log lines of the container runtime.
journalctl --unit containerd --lines 50 --no-pager

# Last 100 log lines of the kubelet.
journalctl --unit kubelet --lines 100 --no-pager
  • 清除配置
# Undo what kubeadm set up on this node; -f skips the confirmation prompt.
sudo kubeadm reset -f
# Remove leftover state. /var/lib/etcd is the etcd data directory, so on a
# control-plane node this deletes the cluster's stored state on that node.
# Not removed by either command: the kubeconfig copied to $HOME/.kube/config
# earlier on this page, which still holds the old cluster's admin credentials.
# NOTE(review): CNI configuration and iptables rules are presumably left
# behind as well; check kubeadm's own reset output.
sudo rm -rf /etc/kubernetes/ /var/lib/kubelet/ /var/lib/etcd/
  • 打印加入参数
# Create a new bootstrap token and print the complete worker join command.
# The printed command embeds the token, which by default stays valid for 24
# hours and lets a machine register as a node: share it only over a trusted
# channel and keep it out of tickets and chat logs.
sudo kubeadm token create --print-join-command
  • 添加备用控制平面
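# Both commands read cluster credentials under /etc/kubernetes, so they are run
# through sudo like the other kubeadm commands on this page.

# Fresh bootstrap token plus the base join command (endpoint, token, CA hash).
sudo kubeadm token create --print-join-command
# Re-upload the control-plane certificates to the cluster and print the
# certificate key that decrypts them. Anyone holding that key and a valid token
# can join as a control-plane node. The uploaded certificates and the key
# expire after two hours, so generate them right before joining.
sudo kubeadm init phase upload-certs --upload-certs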

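# Assemble the control-plane join command from the output of the two commands
# above. Each flag and its value now sit on one line (the original broke the
# command between them), and the placeholders are quoted so that an
# unsubstituted paste is not read by the shell as < > redirections.
# Keep --discovery-token-ca-cert-hash: it pins the cluster CA's public key, so
# the joining node verifies it is talking to the intended API server before it
# sends anything.
kubeadm join '<LB_IP>:6443' \
  --token '<TOKEN>' \
  --discovery-token-ca-cert-hash 'sha256:<HASH>' \
  --control-plane \
  --certificate-key '<CERTIFICATE_KEY>'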
最后更新于 2025-07-27