银河麒麟v10 二进制kubeadm+containerd搭建k8s集群（证书100年）—

环境说明

银河麒麟v10 x86架构，cgroup v2启用

系统内核：5.4.x 源码编译安装

kubeadm 1.31.2 自编译二进制文件，证书有效期100年

containerd 版本：2.0.0

IP	Hostname	OS Version	Kernel Version	Comment
192.168.10.100	k8s-master	银河麒麟v10	5.4.286	control panel
192.168.10.101	k8s-node1	银河麒麟v10	5.4.286	worker node
192.168.10.102	k8s-node2	银河麒麟v10	5.4.286	worker node

部署准备

1. 参数模块调整和依赖安装

# 配置hostnamehostnamectl set-hostname k8s-master
hostnamectl set-hostname k8s-node1
hostnamectl set-hostname k8s-node2# 配置hosts192.168.10.101 k8s-node1
192.168.10.102 k8s-node2
192.168.10.100 k8s-master# 配置时间同步chrony 略# 关闭swap
swapoff -a# 内核模块加载cat << EOF > /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOFmodprobe overlay
modprobe br_netfilterlsmod | grep br_netfiltercat > /etc/modules-load.d/ipvs.conf << EOF
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
ip_tables
ip_set
xt_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip
EOF# 配置内核参数/etc/sysctl.confnet.ipv4.ip_forward=1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness = 0# 安装依赖
yum install socat libnetfilter_queue libnetfilter_cttimeout conntrack-tools libnetfilter_cthelper

2. 安装containerd

# 安装runc
wget https://github.com/opencontainers/runc/releases/download/v1.2.2/runc.amd64install -m 755 runc.amd64 /usr/sbin/runc# 安装cni插件
wget https://github.com/containernetworking/plugins/releases/download/v1.6.0/cni-plugins-linux-amd64-v1.6.0.tgzmkdir -p /opt/cni/bintar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.6.0.tgz# 下载二进制包wget https://github.com/containerd/containerd/releases/download/v2.0.0/containerd-2.0.0-
linux-amd64.tar.gz或者wget https://github.com/containerd/containerd/releases/download/v2.0.0/containerd-static-2.0.0-linux-amd64.tar.gz两者区别：containerd-<VERSION>-<OS>-<ARCH>.tar.gz: ✅Recommended. Dynamically linked with glibc 2.31 (Ubuntu 20.04).
containerd-static-<VERSION>-<OS>-<ARCH>.tar.gz: Statically linked. Expected to be used on non-glibc Linux distributions. Not position-independent.# 解压tar Cxzvf /usr/bin/ containerd-2.0.0-linux-amd64.tar.gz# 编写service文件
cat > /usr/lib/systemd/system/containerd.service << 'EOF'
# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target dbus.service[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/bin/containerdType=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999[Install]
WantedBy=multi-user.target
EOFsystemctl daemon-reload && systemctl enable containerd# 生成containerd的配置文件
mkdir /etc/containerd
containerd config default > /etc/containerd/config.toml# 编辑containerd的配置文件/etc/containerd/config.toml，主要修改container的数据目录，并启用systemd的cgroup# 修改数据存储目录
root = "/data/lib/containerd"# 对于使用systemd作为init system的linux发行版，官方建议用systemd作为容器cgroup driver
# false改成true
SystemdCgroup = true[plugins."io.containerd.grpc.v1.cri".containerd]cgroup = "cgroupv2"[plugins."io.containerd.grpc.v1.cri"][plugins."io.containerd.grpc.v1.cri".containerd]# 设置 cgroup 驱动为 systemdcgroup_driver = "systemd"systemctl daemon-reload && systemctl start containerd && systemctl status containerd# 安装nerdctl (可选)wget https://github.com/containerd/nerdctl/releases/download/v2.0.0/nerdctl-2.0.0-linux-amd64.tar.gztar Czxvf /usr/bin nerdctl-2.0.0-linux-amd64.tar.gzEnabling cgroup v2 is highly recommended for rootless mode, see https://rootlesscontaine.rs/getting-started/common/cgroup2/

安装kubeadm

将编译的二进制文件kubeadm kubectl kubelet拷贝到目录/usr/bin下

PS：官方二进制文件下载地址：https://github.com/kubernetes/kubernetes/releases

cat > /usr/lib/systemd/system/kubelet.service << EOF
[Unit]
Description=kubelet: The Kubernetes Node Agent
Documentation=https://kubernetes.io/docs/
Wants=network-online.target
After=network-online.target[Service]
ExecStart=/usr/bin/kubelet
Restart=always
StartLimitInterval=0
RestartSec=10[Install]
WantedBy=multi-user.target
EOFsystemctl daemon-reload && systemctl enable kubeletmkdir -p  /usr/lib/systemd/system/kubelet.service.d/cat > /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf << 'EOF'
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
EnvironmentFile=-/etc/sysconfig/kubelet
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS
EOFsystemctl start kubelet

# 初始化集群# 拉取所需镜像kubeadm config images pull --image-repository registry.aliyuncs.com/google_containers# 初始化kubeadm init --kubernetes-version=v1.31.2 \
--apiserver-advertise-address=192.168.100.100 \
--pod-network-cidr=10.244.0.0/16 \
--service-cidr=10.96.0.0/12 \
--token-ttl=0 \
--image-repository registry.aliyuncs.com/google_containers

# 接下来在worker节点上执行相关的操作，worker节点与master节点的操作步骤的唯一区别是：master节点执行kubeadm init操作，woker节点执行kubeadm join操作，因此上面的步骤除了kubeadm init步骤之外，其他所有的步骤woker节点同样也需要执行。# 执行kubeadm init 成功之后输出的 最后一行kubeadm join 命令kubeadm config images pull --cri-socket unix:///var/run/cri-dockerd.sock --image-repository registry.aliyuncs.com/google_containerskubeadm join 192.168.100.100:6443 --token o4zf8w.xxxx --discovery-token-ca-cert-hash sha256:376e215a51620ac6ccc

部署flannel

# 部署flannel插件cat > flannel.yaml << EOF
#---
#kind: Namespace
#apiVersion: v1
#metadata:
#  name: kube-flannel
#  labels:
#    k8s-app: flannel
#    pod-security.kubernetes.io/enforce: privileged
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:labels:k8s-app: flannelname: flannel
rules:
- apiGroups:- ""resources:- podsverbs:- get
- apiGroups:- ""resources:- nodesverbs:- get- list- watch
- apiGroups:- ""resources:- nodes/statusverbs:- patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:labels:k8s-app: flannelname: flannel
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: flannel
subjects:
- kind: ServiceAccountname: flannelnamespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:labels:k8s-app: flannelname: flannelnamespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:name: kube-flannel-cfgnamespace: kube-systemlabels:tier: nodek8s-app: flannelapp: flannel
data:cni-conf.json: |{"name": "cbr0","cniVersion": "0.3.1","plugins": [{"type": "flannel","delegate": {"hairpinMode": true,"isDefaultGateway": true}},{"type": "portmap","capabilities": {"portMappings": true}}]}net-conf.json: |{"Network": "10.244.0.0/16","EnableNFTables": false,"Backend": {"Type": "vxlan"}}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:name: kube-flannel-dsnamespace: kube-systemlabels:tier: nodeapp: flannelk8s-app: flannel
spec:selector:matchLabels:app: flanneltemplate:metadata:labels:tier: nodeapp: flannelspec:affinity:nodeAffinity:requiredDuringSchedulingIgnoredDuringExecution:nodeSelectorTerms:- matchExpressions:- key: kubernetes.io/osoperator: Invalues:- linuxhostNetwork: truepriorityClassName: system-node-criticaltolerations:- operator: Existseffect: NoScheduleserviceAccountName: flannelinitContainers:- name: install-cni-pluginimage: docker.io/flannel/flannel-cni-plugin:v1.6.0-flannel1command:- cpargs:- -f- /flannel- /opt/cni/bin/flannelvolumeMounts:- name: cni-pluginmountPath: /opt/cni/bin- name: install-cniimage: docker.io/flannel/flannel:v0.26.1command:- cpargs:- -f- /etc/kube-flannel/cni-conf.json- /etc/cni/net.d/10-flannel.conflistvolumeMounts:- name: cnimountPath: /etc/cni/net.d- name: flannel-cfgmountPath: /etc/kube-flannel/containers:- name: kube-flannelimage: docker.io/flannel/flannel:v0.26.1command:- /opt/bin/flanneldargs:- --ip-masq- --kube-subnet-mgrresources:requests:cpu: "100m"memory: "50Mi"securityContext:privileged: falsecapabilities:add: ["NET_ADMIN", "NET_RAW"]env:- name: POD_NAMEvalueFrom:fieldRef:fieldPath: metadata.name- name: POD_NAMESPACEvalueFrom:fieldRef:fieldPath: metadata.namespace- name: EVENT_QUEUE_DEPTHvalue: "5000"volumeMounts:- name: runmountPath: /run/flannel- name: flannel-cfgmountPath: /etc/kube-flannel/- name: xtables-lockmountPath: /run/xtables.lockvolumes:- name: runhostPath:path: /run/flannel- name: cni-pluginhostPath:path: /opt/cni/bin- name: cnihostPath:path: /etc/cni/net.d- name: flannel-cfgconfigMap:name: kube-flannel-cfg- name: xtables-lockhostPath:path: /run/xtables.locktype: FileOrCreate
EOFkubectl apply -f flannel.yaml

测试验证

# 检查证书过期时间
kubeadm certs check-expiration# 检查node pod
kubectl get node  kubectl get pod -A# 创建一个pod。nginx需要提前docker pull
kubectl create deployment nginx --image=nginx# 暴露端口
kubectl expose deployment nginx --port=80 --type=NodePort# 查看状态
kubectl get pods,svc

安装 kubeadm | Kubernetes