Building a k8s 1.28 cluster on CentOS

Published: 2026/6/26 6:13:56
Lab environment

System            Host       NIC
centos7.9.2009    k_master   ens33 192.168.50.20
centos7.9.2009    k_node     ens33 192.168.50.21

Both are minimal installs.

Base environment preparation (required on all nodes)

Configure the yum repositories

The CentOS 7 yum repositories stopped being maintained long ago, so we use the Aliyun mirror.

    curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
    yum clean all
    yum makecache
    # Install some basic commands
    yum -y install bash-completion vim net-tools bridge-utils wget
    # Refresh the shell
    bash

Set the hostnames and passwordless SSH

    # On the master
    hostnamectl set-hostname k_master
    # On the node
    hostnamectl set-hostname k_node
    bash

    # Configure name resolution and passwordless SSH to make file transfer easier
    [root@k_master ~]# cat /etc/hosts
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.50.20 k_master
    192.168.50.21 k_node

    ssh-keygen
    ssh-copy-id root@k_master
    ssh-copy-id root@k_node

Configure NTP

    yum -y install chrony
    systemctl enable chronyd --now
    chronyc sources
    date

Disable the firewall and SELinux

    systemctl disable firewalld.service --now
    setenforce 0
    vim /etc/selinux/config
    # Change to SELINUX=disabled
    # Reboot
    reboot

Disable the swap partition

k8s requires swap to be disabled, because swap has a negative impact on system performance. In my case no swap partition was created when the virtual machines were built, so there is nothing to do here.

    [root@k_node ~]# cat /etc/fstab
    #
    # /etc/fstab
    # Created by anaconda on Fri May 8 09:56:12 2026
    #
    # Accessible filesystems, by reference, are maintained under /dev/disk
    # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
    #
    /dev/mapper/centos-root / xfs defaults 0 0
    UUID=7cdc3393-4ec5-490d-a7c3-7fda6123940d /boot xfs defaults 0 0

Modify the Linux kernel parameters

    # Load the br_netfilter kernel module
    modprobe br_netfilter
    # Make it permanent: the module is loaded automatically at boot
    echo br_netfilter > /etc/modules-load.d/br_netfilter.conf
    # Verify that the module is loaded
    lsmod | grep br_netfilter
    # Add the kernel parameters
    cat > /etc/sysctl.d/k8s.conf <<EOF
    net.bridge.bridge-nf-call-ip6tables = 1
    net.bridge.bridge-nf-call-iptables = 1
    net.ipv4.ip_forward = 1
    EOF
    sysctl -p /etc/sysctl.d/k8s.conf
    # Prints the values that were applied

Configure ipvs

k8s here uses ipvs mode rather than iptables mode; ipvs has higher performance.

    yum -y install ipset ipvsadm
    cat > /etc/sysconfig/modules/ipvs.modules <<EOF
    modprobe -- ip_vs
    modprobe -- ip_vs_rr
    modprobe -- ip_vs_wrr
    modprobe -- ip_vs_sh
    modprobe -- nf_conntrack_ipv4
    EOF
    # Add execute permission so the modules are loaded automatically at boot
    chmod +x /etc/sysconfig/modules/ipvs.modules
    bash /etc/sysconfig/modules/ipvs.modules
    # Check that the modules were loaded
    lsmod | grep -e ip_vs -e nf_conntrack_ipv4

Install the container runtime (containerd is used as the container runtime)

    wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
    yum -y install docker-ce
    systemctl enable docker --now
    # Installing docker also installs containerd by default

    # Generate the containerd configuration file
    containerd config default > /etc/containerd/config.toml

    # Edit config.toml
    # Set the sandbox (pause) image
    sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.9"
    # Set the systemd cgroup driver
    SystemdCgroup = true
    # Change where images are pulled from: configure registry mirrors
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"]
        endpoint = ["https://registry-k8s-io.mirrors.sjtug.sjtu.edu.cn"]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
        endpoint = ["<your own registry mirror address>"]
    # Images under registry.k8s.io are pulled from the Shanghai Jiao Tong University mirror instead of from abroad
    # Images under docker.io are pulled from a site inside China

    systemctl enable containerd --now
    [root@k_master containerd]# systemctl restart containerd
    # Check the containerd version
    [root@k_master containerd]# containerd -v
    containerd containerd.io 1.6.33 d2d58213f83a351ca8f528a95fbd145f5654e957

Install k8s

Configure the k8s repository

    cat > /etc/yum.repos.d/k8s.repo <<EOF
    [kubernetes]
    name=kubernetes
    baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
    enabled=1
    gpgcheck=0
    repo_gpgcheck=0
    gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
    EOF

Install the k8s packages

    # Install version 1.28
    yum -y install kubelet-1.28.0 kubectl-1.28.0 kubeadm-1.28.0
    # Enable at boot; kubelet is started automatically later when the cluster is installed
    systemctl enable kubelet
    # After this install the crictl command is available; it has to be told which container runtime to connect to

Configure the container runtime (containerd versions above 1.6 have a different way of writing this)

    # This is the old way
    crictl config runtime-endpoint unix:///var/run/containerd/containerd.sock
    crictl config image-endpoint unix:///var/run/containerd/containerd.sock

With the new version, the settings go into /etc/crictl.yaml, which tells crictl which containerd to connect to. Only the socket address is configured; this does not affect containerd itself and is purely client-side connection configuration.

    # This is the new way
    cat > /etc/crictl.yaml <<EOF
    runtime-endpoint: unix:///var/run/containerd/containerd.sock
    image-endpoint: unix:///var/run/containerd/containerd.sock
    timeout: 10
    debug: false
    EOF
    # Once configured, the command below prints runtime information; it reports an error because the k8s network plugin is not installed yet
    crictl info
    systemctl restart containerd

The registry mirror configuration written above is also the old style: 1.6 supports it, but it will be dropped in 2.0. For the new and old configuration, see the post below.

containerd配置镜像加速器 (Configuring registry mirrors for containerd) - FuShudi - 博客园

Install the k8s cluster (run only on the k_master node)

There are two ways to install a k8s cluster: one is the command line, the other is a configuration file. Without doubt the configuration file is the best option, because it can define many settings.

    kubeadm config print init-defaults > kubeadm.yaml
    [root@k_master ~]# cat kubeadm.yaml
    apiVersion: kubeadm.k8s.io/v1beta3
    bootstrapTokens:
    - groups:
      - system:bootstrappers:kubeadm:default-node-token
      token: abcdef.0123456789abcdef # placeholder printed by init-defaults; "kubeadm token generate" prints a random one to use instead
      ttl: 24h0m0s
      usages:
      - signing
      - authentication
    kind: InitConfiguration
    localAPIEndpoint:
      advertiseAddress: 192.168.50.20 # master address
      bindPort: 6443
    nodeRegistration:
      criSocket: unix:///var/run/containerd/containerd.sock # container runtime interface
      imagePullPolicy: IfNotPresent
      name: k_master # hostname, identifies the node; node names must be valid RFC 1123 names (no underscore), and the outputs below show kmaster
      taints: null
    ---
    apiServer:
      timeoutForControlPlane: 4m0s
    apiVersion: kubeadm.k8s.io/v1beta3
    certificatesDir: /etc/kubernetes/pki
    clusterName: kubernetes
    controllerManager: {}
    dns: {}
    etcd:
      local:
        dataDir: /var/lib/etcd
    imageRepository: registry.aliyuncs.com/google_containers # image repository used during initialization
    kind: ClusterConfiguration
    kubernetesVersion: 1.28.0
    networking:
      dnsDomain: cluster.local
      serviceSubnet: 10.96.0.0/12
      podSubnet: 10.244.0.0/16 # pod network range
    scheduler: {}
    ---
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    mode: ipvs # use ipvs mode
    ---
    apiVersion: kubelet.config.k8s.io/v1beta1
    kind: KubeletConfiguration
    cgroupDriver: systemd # set the kubelet cgroup driver to systemd

Run the initialization

    kubeadm init --config=kubeadm.yaml
    # Output
    Your Kubernetes control-plane has initialized successfully!

    To start using your cluster, you need to run the following as a regular user:

      mkdir -p $HOME/.kube
      sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
      sudo chown $(id -u):$(id -g) $HOME/.kube/config

    Alternatively, if you are the root user, you can run:

      export KUBECONFIG=/etc/kubernetes/admin.conf

    You should now deploy a pod network to the cluster.
    Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
      https://kubernetes.io/docs/concepts/cluster-administration/addons/

    Then you can join any number of worker nodes by running the following on each as root:

    kubeadm join 192.168.50.20:6443 --token abcdef.0123456789abcdef \
        --discovery-token-ca-cert-hash sha256:bd17a10cb11b2a54cdec94844bc0f58375d1448ce8f7275720c2584f4d725d91

    # Following the output above, create the directory; it holds the k8s administrator file, which can operate the k8s cluster
    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config

Add the node to the k8s cluster

Joining the cluster is time-limited: the token expires after 24 hours. A new join command can be generated manually:

    kubeadm token create --print-join-command

    kubeadm join 192.168.50.20:6443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:bd17a10cb11b2a54cdec94844bc0f58375d1448ce8f7275720c2584f4d725d91

Check the node status

    [root@kmaster ~]# kubectl get node
    NAME      STATUS     ROLES           AGE     VERSION
    kmaster   NotReady   control-plane   7m52s   v1.28.0
    knode     NotReady   <none>          44s     v1.28.0
    # The network plugin is not installed, so the nodes are NotReady

Install the network plugin (calico; only needs to be done on the kmaster node)

The installed version is 3.26.

About Calico | Calico Documentation

    curl https://raw.githubusercontent.com/projectcalico/calico/v3.26.5/manifests/calico.yaml -O
    kubectl apply -f calico.yaml

Test the k8s cluster

    [root@kmaster ~]# kubectl get node
    NAME      STATUS   ROLES           AGE   VERSION
    kmaster   Ready    control-plane   22m   v1.28.0
    knode     Ready    <none>          15m   v1.28.0

Create a busybox pod and see whether it can reach the external network

    kubectl run b1 --image busybox --image-pull-policy IfNotPresent --dry-run=client -o yaml -- sleep 36000 > b1.yaml
    kubectl apply -f b1.yaml
    # Enter the container and reach the external network
    [root@kmaster test]# kubectl exec -ti b1 -- sh
    / # ping qq.com
    PING qq.com (157.255.219.143): 56 data bytes
    64 bytes from 157.255.219.143: seq=0 ttl=127 time=28.831 ms
    64 bytes from 157.255.219.143: seq=1 ttl=127 time=29.131 ms
    ^C
    --- qq.com ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 28.831/28.981/29.131 ms
    # The external network is reachable, so the k8s cluster was installed successfully

Install other k8s components

Install the metrics-server component

It can monitor the CPU and memory usage of pods and nodes.

    wget https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.6.4/components.yaml
    # Add at line 135 of the file
    - --kubelet-insecure-tls # does not check whether the kubelet's https certificate is valid; trusts it directly and skips certificate verification
    # Apply the edited manifest
    kubectl apply -f components.yaml
    # A pod is created
    [root@kmaster ~]# kubectl get pod -n kube-system | grep -i metrics
    metrics-server-69b546b776-kn8s9   1/1   Running   0   101s
    # Node and pod usage can now be monitored
    [root@kmaster ~]# kubectl top node
    NAME      CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%
    kmaster   133m         6%     1801Mi          47%
    knode     63m          3%     1369Mi          23%

Install the nfs driver to create PVs automatically

Linked post: nfs dynamic PV creation

Install dashboard

Linked post: Install dashboard

Install helm

Linked post: Install helm

Supplement

Command completion

    echo "source <(kubectl completion bash)" >> /etc/profile
    echo "source <(istioctl completion bash)" >> /etc/profile
    echo "source <(kubeadm completion bash)" >> /etc/profile
    source /etc/profile
    # The istioctl command is installed later

Delete all containers in the Exited state with one command

    crictl rm $(crictl ps -a | grep Exited | awk '{print $1}')

    # Images pulled with crictl are restricted to one namespace
    ctr -n k8s.io image import <your-image-archive>.tar

Difference between ctr and crictl

ctr is the containerd tool and works in the default namespace by default, so importing a tar archive needs -n k8s.io added by hand. crictl goes through the CRI interface and is forced to use only k8s.io, so images pulled with crictl pull land in k8s.io by default.

Author: 乔的港口
Link: https://www.cnblogs.com/qylogs/p/20008094
License: this work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 2.5 China Mainland license.
posted 2026-05-10 16:47 乔的港口
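For the base environment preparation steps (kernel modules, sysctl values, swap), a check that the settings are live on a node before kubeadm runs. This is an added example, not part of the original post; the function name and its optional root-directory argument are assumptions made here so the check can also run against a fixture tree.

```shell
#!/bin/sh
# Added example, not from the original post. The argument is a hypothetical
# parameter: empty checks the live node, a directory checks a fixture tree.
check_node_prereqs() (
    root=${1:-}
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # Values from /etc/sysctl.d/k8s.conf must be live in the kernel, not just on disk.
    for key in net/bridge/bridge-nf-call-ip6tables \
               net/bridge/bridge-nf-call-iptables \
               net/ipv4/ip_forward; do
        val=$(cat "$root/proc/sys/$key" 2>/dev/null) || val=missing
        [ "$val" = 1 ] || fail "$key is '$val', expected 1"
    done

    # Modules named in br_netfilter.conf and ipvs.modules (the CentOS 7 kernel set).
    for mod in br_netfilter ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack_ipv4; do
        grep -q "^$mod " "$root/proc/modules" 2>/dev/null || fail "module $mod not loaded"
    done

    # /proc/swaps starts with a header line; every further line is an active swap area.
    swaps=$(sed 1d "$root/proc/swaps" 2>/dev/null | grep -c . || true)
    [ "$swaps" -eq 0 ] || fail "$swaps swap area(s) active"

    # A swap line left in fstab turns swap back on at the next boot.
    if grep -Eq '^[^#]*[[:space:]]swap[[:space:]]' "$root/etc/fstab" 2>/dev/null; then
        fail "swap entry present in /etc/fstab"
    fi

    echo "$fails check(s) failed"
    [ "$fails" -eq 0 ]
)

# Run against the live node only when asked to: sh check.sh --live
if [ "${1:-}" = "--live" ]; then check_node_prereqs; fi
```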
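For the k8s repository step: the k8s.repo on this page sets gpgcheck=0 on an http baseurl, so kubelet, kubeadm and kubectl are installed without signature verification over plaintext. The audit below flags both conditions in any .repo file. It is an added example, not part of the original post; the function names are assumptions, and the sample is the page's repo trimmed to the keys the audit reads.

```shell
#!/bin/sh
# Added example, not from the original post.
# Sample input: the k8s.repo from this page, trimmed to the keys the audit reads.
sample_repo() {
    cat <<'EOF'
[kubernetes]
name=kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
EOF
}

# audit_repo [FILE...]: read .repo files (or stdin) and print one finding per
# line as "<repo id>: <problem>". Exit status is 1 when anything was found.
audit_repo() {
    cat -- "$@" | awk '
        function report() {
            if (id == "" || enabled == "0") return      # disabled repos install nothing
            if (gpg == "0") { print id ": gpgcheck=0, package signatures are not verified"; bad = 1 }
            if (url ~ /^http:/) { print id ": baseurl uses plain http"; bad = 1 }
        }
        /^[ \t]*([#;]|$)/ { next }                      # comments and blank lines
        /^[ \t]*\[/ {                                   # new [section]: report the previous one
            report()
            id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*/, "", id)
            gpg = ""; url = ""; enabled = "1"
            next
        }
        {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (key == "gpgcheck") gpg = val
            else if (key == "baseurl") url = val
            else if (key == "enabled") enabled = val
        }
        END { report(); exit bad + 0 }
    '
}
```

On a node, `audit_repo /etc/yum.repos.d/*.repo` covers every configured repository in one pass.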
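For the kubeadm.yaml and join steps: the token `abcdef.0123456789abcdef` is the value `kubeadm config print init-defaults` prints for everyone, and a bootstrap token is what authenticates a joining node for its 24h lifetime. The check below detects that placeholder in a config and swaps in a random token. It is an added example, not part of the original post; all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# The token that `kubeadm config print init-defaults` emits, as shown on this page.
PLACEHOLDER_TOKEN='abcdef.0123456789abcdef'

# Constructed sample: the bootstrapTokens section of the kubeadm.yaml on this page.
sample_config() {
    printf '%s\n' 'bootstrapTokens:' '- groups:' \
        '  - system:bootstrappers:kubeadm:default-node-token' \
        '  token: abcdef.0123456789abcdef' '  ttl: 24h0m0s'
}

# Print each bootstrap token in a kubeadm config (file argument or stdin).
list_tokens() {
    cat -- "$@" | sed -n 's/^[[:space:]]*token:[[:space:]]*//p' \
        | sed 's/[[:space:]]*#.*//' | tr -d "\"' "
}

# Exit 0 only if no token is the placeholder and all match kubeadm's token format.
# A config with no token at all passes: kubeadm then generates a random one itself.
check_tokens() (
    rc=0
    for t in $(list_tokens "$@"); do
        if [ "$t" = "$PLACEHOLDER_TOKEN" ]; then
            echo "placeholder token: $t"; rc=1
        elif ! printf '%s\n' "$t" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'; then
            echo "malformed token: $t"; rc=1
        fi
    done
    [ "$rc" -eq 0 ]
)

# Random token in the same format, for hosts without kubeadm; on a node,
# `kubeadm token generate` is the tool for this.
new_token() {
    hex=$(od -An -N11 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s.%s\n' "$(printf %s "$hex" | cut -c1-6)" "$(printf %s "$hex" | cut -c7-22)"
}

# Emit the config with the placeholder swapped for a fresh token.
replace_placeholder() {
    cat -- "$@" | sed "s/$PLACEHOLDER_TOKEN/$(new_token)/"
}
```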