发布时间：2025-06-24 16:45:40  作者：北方职教升学中心  阅读量：263

sed -ri 's/.*swap.*/#&/' /etc/fstab

关闭 selinux

有selinux 可以关闭一下

修改limit

ulimit -SHn 65535

vi /etc/security/limits.conf

末尾添加如下内容

* soft nofile 655360* hard nofile 131072* soft nproc 655350* hard nproc 655350* soft memlock unlimited* hard memlock unlimited

:wq 保存退出

时区设置

timedatectl set-timezone Asia/Shanghaisystemctl restart systemd-timesyncd.service

检查设置

timedatectl status# 或者date

开启流量转发

设置所需的 sysctl 参数，参数在重新启动后保持不变

修改内核参数(首先确认你的系统已经加载了 br_netfilter 模块，默认是没有该模块的，需要你先安装 bridge-utils)
apt-get install -y bridge-utils
modprobe br_netfilter
lsmod | grep br_netfilter
如果报错找不到包，需要先更新 apt-get update -y

cat > /etc/modules-load.d/k8s.conf <<EOFoverlaybr_netfilterEOF

cat <<EOF | sudo tee /etc/sysctl.d/k8s.confnet.bridge.bridge-nf-call-iptables  = 1net.bridge.bridge-nf-call-ip6tables = 1net.ipv4.ip_forward                 = 1EOF

应用 sysctl 参数而不重新启动

sysctl --systemsysctl net.ipv4.ip_forward

lsmod | grep br_netfilterlsmod | grep overlay

ipvs设置

安装ipvs

apt install -y  ipset ipvsadm 

cat > /etc/modules-load.d/ipvs.conf << EOFmodprobe -- ip_vsmodprobe -- ip_vs_rrmodprobe -- ip_vs_wrrmodprobe -- ip_vs_shmodprobe -- nf_conntrackEOF

sudo modprobe ip_vslsmod | grep ip_vslsmod | grep -e ip_vs -e nf_conntrack

安装容器运行时

安装基础环境

apt -y install apt-transport-https ca-certificates curl software-properties-commoncurl -fsSL https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-archive-keyring.gpg

安装 containerd

https://www.ghproxy.cn/https://github.com/containerd/containerd/releases/download/v1.7.24/containerd-1.7.24-linux-amd64.tar.gztar Cxzvf /usr/local containerd-1.7.24-linux-amd64.tar.gzhttps://gh.llkk.cc/https://github.com/containerd/containerd/releases/download/v1.7.24/cri-containerd-1.7.24-linux-amd64.tar.gzsudo tar -C / -xzf cri-containerd-1.7.24-linux-amd64.tar.gzexport PATH=$PATH:/usr/local/bin:/usr/local/sbinsource ~/.bashrcmkdir /etc/containerd

配置 containerd

#1.重新初始化containerd的配置文件containerd config default | tee /etc/containerd/config.toml 

修改SystemdCgroup

grep SystemdCgroup /etc/containerd/config.toml#2 修改Cgroup的管理者为systemd组件sed -ri 's#(SystemdCgroup = )false#\1true#' /etc/containerd/config.toml grep SystemdCgroup /etc/containerd/config.toml

修改修改pause的基础镜像版本

grep sandbox_image /etc/containerd/config.toml#3 修改pause的基础镜像名称sed -i 's#registry.k8s.io/pause:3.8#registry.aliyuncs.com/google_containers/pause:3.10#' /etc/containerd/config.tomlgrep sandbox_image /etc/containerd/config.toml

启动containerd

systemctl daemon-reloadsystemctl enable --now containerdsystemctl status containerdsystemctl restart containerd

安装kubelet kubeadm kubectl

添加阿里云k8s源

sudo apt-get updatesudo apt-get install -y apt-transport-https ca-certificates curl gpgcurl -fsSL https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.31/deb/Release.key |gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpgecho "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.31/deb/ /" | tee /etc/apt/sources.list.d/kubernetes.listapt-get update#查看kubectl可用版本apt-cache madison kubectl

高可用集群【可选】

## 安装keepalived haproxyapt install -y keepalived haproxy

配置keepalived配置文件

配置keepalived配置文件

vim /etc/keepalived/keepalived.conf

示例配置文件

MASTER

! /etc/keepalived/keepalived.conf! Configuration File for keepalivedglobal_defs {    router_id LVS_DEVEL}vrrp_script check_apiserver {  script "/etc/keepalived/check_apiserver.sh"  interval 3  weight -2  fall 10  rise 2}vrrp_instance VI_1 {    # 状态，主节点为MASTER，从节点为BACKUP    state MASTER    # 修改为你自己网卡的名字    interface eth0    virtual_router_id 51    # MASTER当中使用101，BACKUP当中使用100    priority 101    authentication {        auth_type PASS        # 设置好你的密码，keepalived集群当中需要保证这个值的一致        auth_pass k8s_test    }    virtual_ipaddress {        # 设置你的虚拟IP地址        192.168.1.67/24    }    track_script {        check_apiserver    }}

BACKUP

! /etc/keepalived/keepalived.conf! Configuration File for keepalivedglobal_defs {    router_id LVS_DEVEL}vrrp_script check_apiserver {  script "/etc/keepalived/check_apiserver.sh"  interval 3  weight -2  fall 10  rise 2}vrrp_instance VI_1 {    # 状态，主节点为MASTER，从节点为BACKUP    state MASTER    # 修改为你自己网卡的名字    interface eth0    virtual_router_id 51    # MASTER当中使用101，BACKUP当中使用100    priority 100    authentication {        auth_type PASS        # 设置好你的密码，keepalived集群当中需要保证这个值的一致        auth_pass k8s_test    }    virtual_ipaddress {        # 设置你的虚拟IP地址        192.168.1.67/24    }    track_script {        check_apiserver    }}

配置keepalived配置文件 脚本

编辑keepalived配置文件 脚本

vim /etc/keepalived/check_apiserver.sh

示例配置文件

#!/bin/sherrorExit() {    echo "*** $*" 1>&2    exit 1}curl -sfk --max-time 2 https://localhost:7443/healthz -o /dev/null || errorExit "Error GET https://localhost:7443/healthz"

给脚本执行权限

chmod +x /etc/keepalived/check_apiserver.sh

编辑haproxy配置文件

cp    /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg_bak vim    /etc/haproxy/haproxy.cfg

haproxy示例文件

# /etc/haproxy/haproxy.cfg#---------------------------------------------------------------------# Global settings#---------------------------------------------------------------------global    log /dev/log local0    log /dev/log local1 notice    daemon#---------------------------------------------------------------------# common defaults that all the 'listen' and 'backend' sections will# use if not designated in their block#---------------------------------------------------------------------defaults    mode                    http    log                     global    option                  httplog    option                  dontlognull    option http-server-close    option forwardfor       except 127.0.0.0/24    option                  redispatch    retries                 30    timeout http-request    10s    timeout queue           20s    timeout connect         5s    timeout client          35s    timeout server          35s    timeout http-keep-alive 10s    timeout check           10s#---------------------------------------------------------------------# apiserver frontend which proxys to the control plane nodes#---------------------------------------------------------------------frontend apiserver    # 注意负载均衡的端口要与keepalived里面的配置保持一致    bind *:7443    mode tcp    option tcplog    default_backend apiserver#---------------------------------------------------------------------# round robin balancing for apiserver#---------------------------------------------------------------------backend apiserver        option httpchk GET /healthz    http-check expect status 200    mode tcp    option ssl-hello-chk    balance     roundrobin        server k8s-master-01 192.168.1.64:6443 check    server k8s-master-02 192.168.1.65:6443 check    server k8s-master-03 192.168.1.66:6443 check

启动keepalived haproxy

systemctl enable haproxy --nowsystemctl enable keepalived --nowsystemctl start haproxysystemctl start keepalived systemctl status haproxysystemctl status keepalived 

如果配置文件更改 ，快速重启keepalived,haproxy

systemctl restart keepalived systemctl restart haproxy

安装kubeadm kubectl kubelet

安装kubeadm kubectl kubelet

sudo apt update && \sudo apt install -y kubelet kubectl kubeadm && \sudo apt-mark hold kubelet kubeadm kubectl

查看kubeadm版本

kubeadm version

开机启动kubelet

systemctl enable kubelet && systemctl restart kubelet

初始化k8s

输出配置文件

kubeadm config print init-defaults  > kubeadm-config.yaml

修改配置文件

apiVersion: kubeadm.k8s.io/v1beta4bootstrapTokens:- groups:  - system:bootstrappers:kubeadm:default-node-token  token: abcdef.0123456789abcdef  ttl: 24h0m0s  usages:  - signing  - authenticationkind: InitConfigurationlocalAPIEndpoint:  # apisServer地址修改  advertiseAddress: 192.168.1.81  # 端口不变  bindPort: 6443nodeRegistration:  criSocket: unix:///var/run/containerd/containerd.sock  imagePullPolicy: IfNotPresent  imagePullSerial: true  #节点名称修改  name: k8s-01  taints: nulltimeouts:  controlPlaneComponentHealthCheck: 4m0s  discovery: 5m0s  etcdAPICall: 2m0s  kubeletHealthCheck: 4m0s  kubernetesAPICall: 1m0s  tlsBootstrap: 5m0s  upgradeManifests: 5m0s---apiServer: {}apiVersion: kubeadm.k8s.io/v1beta4##ca证书和颁发证书时间修改caCertificateValidityPeriod: 876000h0m0scertificateValidityPeriod: 876000h0m0scertificatesDir: /etc/kubernetes/pkiclusterName: kubernetes# 新增控制平台地址 单节点不需要这个 controlPlaneEndpointcontrolPlaneEndpoint: "192.168.1.67:7443"controllerManager: {}dns: {}encryptionAlgorithm: RSA-2048etcd:  local:    dataDir: /var/lib/etcd#修改镜像拉取地址imageRepository: registry.aliyuncs.com/google_containerskind: ClusterConfigurationkubernetesVersion: 1.32.0networking:  dnsDomain: cluster.local  # 设置service网络地址范围  serviceSubnet: 10.96.0.0/12  # 设置pod网络地址范围  podSubnet: 10.60.0.0/16 proxy: {}scheduler: {}---#https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubeadm/configure-cgroup-driver/kind: KubeletConfigurationapiVersion: kubelet.config.k8s.io/v1beta1cgroupDriver: systemd---apiVersion: kubeproxy.config.k8s.io/v1alpha1kind: KubeProxyConfiguration#开启ipvs模式mode: ipvs 

拉取镜像 初始化集群

#拉取镜像kubeadm config images pull --config kubeadm-config.yaml#尝试运行 如果无错误，执行下面的初始化kubeadm init --config kubeadm-config.yaml --dry-run#初始化k8s集群 单节点不需要--upload-certskubeadm init --config kubeadm-config.yaml --upload-certs

初始化成功执行

mkdir -p $HOME/.kube  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config  sudo chown $(id -u):$(id -g) $HOME/.kube/config  export KUBECONFIG=/etc/kubernetes/admin.conf

其他master节点加入集群

kubeadm join 192.168.1.67:7443 --token abcdef.0123456789abcdef \	--discovery-token-ca-cert-hash sha256:006f34ef31937c42d822f3a635368d4861ff5bd8211538d629e0e3c282461349 \	--control-plane --certificate-key 62eeb97fff1258c0f3eb79e46d68050ee6da66f6256eb74c5e41e98aa55aa6bb

work节点加入集群

kubeadm join 192.168.146.200:6443 --token abcdef.0123456789abcdef \	--discovery-token-ca-cert-hash sha256:9d783c63bf9a20ce9634788b96905f369668d9f439e444e271907561455b8779 

安装网络插件

curl https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/calico-typha.yaml -o calico.yamlwget https://github.com/projectcalico/calico/releases/download/v3.29.1/release-v3.29.1.tgztar -xvf release-v3.29.1.tgzcd release-v3.29.1/imagesctr -n k8s.io images import calico-cni.tar ctr -n k8s.io images import calico-flannel-migration-controller.tar ctr -n k8s.io images import calico-node.tar ctr -n k8s.io images import calico-typha.tar ctr -n k8s.io images import calico-dikastes.tar ctr -n k8s.io images import calico-kube-controllers.tar ctr -n k8s.io images import calico-pod2daemon.tar #修改其中的 pod网络范围  CALICO_IPV4POOL_CIDR  默认值应该是 192.168.0.0/16kubectl apply -f  calico-typha.yaml

初始化失败处理

重置 kubeadm ，执行这个后需要敲 y 回车

kubeadm reset -fiptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X

删除上次 init 生成的文件

sudo rm -rf /etc/cni/net.d sudo rm -rf /var/lib/etcd ipvsadm --clearrm -rf $HOME/.kube/configrm -rf /etc/kubernetes

证书续期

证书有效期查看

kubeadm  certs check-expiration   

证书续期

# 备份证书cp -r /etc/kubernetes /etc/kubernetes.bak# 重新生成证书kubeadm certs renew all# 删除服务让证书生效# kubectl delete pod etcd-master -n kube-system# kubectl delete pod kube-apiserver-master -n kube-system# kubectl delete pod kube-controller-manager-master -n kube-system# kubectl delete pod kube-scheduler-master -n kube-system# 删除服务让证书生效crictl pods --namespace kube-system --name 'kube-scheduler-*|kube-controller-manager-*|kube-apiserver-*|etcd-*' -q | xargs crictl rmp -f cp -i /etc/kubernetes/admin.conf $HOME/.kube/configchown $(id -u):$(id -g) $HOME/.kube/config

去掉污点

# 查看污点kubectl describe nodes k8s-uat |grep Taints# 去掉污点 示例kubectl taint node k8s-01 node.kubernetes.io/not-ready:NoSchedule-# 查看污点 示例kubectl taint node k8s-01 node-role.kubernetes.io/control-plane:NoSchedule-