
# Complete Guide to Building a Kubernetes Cluster on CentOS 7

Based on the provided documentation, this article covers two approaches: a quick kubeadm setup (recommended for beginners) and a manual binary setup (fully controllable, recommended for production). All steps are adapted to CentOS 7.

## Part 1: Common prerequisites (required for both approaches)

### 1. Environment requirements

| Resource | Minimum | Recommended |
| --- | --- | --- |
| Operating system | CentOS 7.x x86_64 | CentOS 7.8 x86_64 |
| Memory | 2 GB | 4 GB |
| CPU | 2 cores | 4 cores |
| Disk | 30 GB | 50 GB |
| Network | All nodes reachable from each other, with Internet access | Fixed IPs; firewall and SELinux disabled |

### 2. Node plan (3 nodes as the example)

| Role | IP address | Hostname |
| --- | --- | --- |
| Master | 192.168.88.130 | k8s-master |
| Worker1 | 192.168.88.131 | k8s-node1 |
| Worker2 | 192.168.88.132 | k8s-node2 |

### 3. System initialization on all nodes

Run the following on every node:

```bash
# 1. Disable the firewall
systemctl stop firewalld
systemctl disable firewalld
systemctl status firewalld

# 2. Disable SELinux
sed -i 's/enforcing/disabled/' /etc/selinux/config   # permanent
setenforce 0                                          # immediate, until reboot

# 3. Disable swap
swapoff -a                                   # immediate, until reboot
sed -ri 's/.*swap.*/#&/' /etc/fstab          # permanent (comments out the swap line)

# 4. Set the hostname (run the matching line on each node)
hostnamectl set-hostname k8s-master   # on the Master
hostnamectl set-hostname k8s-node1    # on Worker1
hostnamectl set-hostname k8s-node2    # on Worker2

# 5. Name resolution via /etc/hosts (all nodes)
cat >> /etc/hosts <<EOF
192.168.88.130 k8s-master
192.168.88.131 k8s-node1
192.168.88.132 k8s-node2
EOF

# 6. Pass bridged traffic through iptables
cat > /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system   # apply

# 7. Time synchronization (if this fails, replace the yum source as described below and retry)
yum install ntpdate -y
ntpdate time.windows.com
```

#### Replacing the yum source (when package installation fails)

Back up the current repo file:

```bash
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
# or
mv /etc/yum.repos.d/CentOS-Base.repo{,.$(date -I)}
```

Download a new CentOS-Base.repo into /etc/yum.repos.d/:

```bash
# CentOS 5
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-5.repo
# or
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-5.repo

# CentOS 6
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo
# or
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo

# CentOS 7
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
# or
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
```

Add EPEL:

```bash
# CentOS 6
wget -O /etc/yum.repos.d/epel-6.repo http://mirrors.aliyun.com/repo/epel-6.repo
# CentOS 7
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
```

Clear and rebuild the cache, then update:

```bash
yum clean all
yum makecache
yum update -y
```

If yum complains about a lock, remove the yum process lock file (CentOS 7) and, to avoid follow-on problems, the stale rpm database locks:

```bash
sudo rm -f /var/run/yum.pid
sudo rm -f /var/lib/rpm/__db.00*
```

## Part 2: Option 1, quick setup with kubeadm (recommended)

### 1. Install Docker 18.06.1 on all nodes

```bash
# Configure the Aliyun Docker repository
wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo

# Install the pinned Docker version
yum -y install docker-ce-18.06.1.ce-3.el7

# Start Docker and enable it at boot
systemctl enable docker
systemctl start docker

# Configure the Aliyun registry mirror
cat > /etc/docker/daemon.json <<EOF
{
  "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"]
}
EOF
systemctl restart docker
```

### 2. Install kubeadm, kubelet and kubectl on all nodes

```bash
# Configure the Aliyun Kubernetes repository
cat > /etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
# gpgcheck=0 skips RPM signature verification; set both checks to 1 once the keys below import correctly
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

# Install the pinned version (this document uses v1.17.0)
yum install -y kubelet-1.17.0 kubeadm-1.17.0 kubectl-1.17.0

# Enable kubelet at boot
systemctl enable kubelet

# Reboot the host
reboot
```
### 3. Deploy the Master node (Master only)

```bash
# Initialize the cluster; the Aliyun image repository is used because gcr.io is unreachable
kubeadm init \
  --apiserver-advertise-address=192.168.88.130 \
  --image-repository registry.aliyuncs.com/google_containers \
  --kubernetes-version v1.17.0 \
  --service-cidr=10.96.0.0/12 \
  --pod-network-cidr=10.244.0.0/16

# Configure kubectl credentials
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

# Check the Master component status
kubectl get cs
```

On success, kubeadm prints the command Worker nodes use to join. Save it; it has this form:

```bash
kubeadm join 192.168.88.130:6443 --token 93upi2.0n366lz463re8rho \
    --discovery-token-ca-cert-hash sha256:836d298f889d2a5cae622bd8eee1bad94bea6b548d1bce1adbf2dd4ed9e81bd1
```

### 4. Install the CNI network plugin (Flannel)

```bash
# Download the Flannel manifest
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

# Apply it
kubectl apply -f kube-flannel.yml

# Wait for the Flannel pods to start (about 1-2 minutes)
kubectl get pods -n kube-system
```

### 5. Join the Worker nodes (run on every Worker)

Run the `kubeadm join` command saved earlier:

```bash
kubeadm join 192.168.88.130:6443 --token esce21.q6hetwm8si29qxwn \
    --discovery-token-ca-cert-hash sha256:00603a05805807501d7181c3d60b478788408cfe6cedefedb1f97569708be9c5
```

### 6. Verify the cluster (on the Master)

```bash
# All nodes should be Ready
kubectl get nodes

# Deploy Nginx as a smoke test
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port=80 --type=NodePort

# Check the Pod and Service
kubectl get pod,svc
```

Browse to `http://<NodeIP>:<NodePort>` on any Worker (the NodePort is in the 30000-32767 range and is shown by `kubectl get svc`). Seeing the Nginx welcome page means the cluster is working.

## Part 3: Option 2, manual binary setup (recommended for production)

### 1. Environment preparation

- Node plan: Master (192.168.88.130), Worker1 (192.168.88.131), Worker2 (192.168.88.132)
- All nodes have completed the common prerequisites from Part 1
- Software versions: Docker 19-ce, Kubernetes 1.19, Etcd 3.4.9
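Closing out Option 1: the `--discovery-token-ca-cert-hash` in the `kubeadm join` command above is what lets a Worker detect an impostor API server during bootstrap, because it is the SHA-256 of the DER-encoded SubjectPublicKeyInfo of the cluster CA. The following is an added example (not code from the original guide or from kubeadm) that recomputes that hash from a CA certificate PEM with the standard library only, so you can compare it with what `kubeadm init` printed; the certificate it builds is a constructed, structurally valid placeholder, not a real CA.

```python
import base64
import hashlib
import re

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an RFC 5280 certificate (tag and length included)."""
    _, pos, _ = _read_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, pos)        # TBSCertificate SEQUENCE
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                             # optional EXPLICIT [0] version
        pos = end
    for _ in range(5):                          # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    return cert_der[pos:end]

def pem_to_der(pem: str) -> bytes:
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))

def discovery_hash(ca_pem: str) -> str:
    """kubeadm's --discovery-token-ca-cert-hash format: 'sha256:' + hex(SHA-256(DER SPKI))."""
    return "sha256:" + hashlib.sha256(spki_der(pem_to_der(ca_pem))).hexdigest()

# --- constructed test input: structurally valid DER, not a real CA certificate ---
def _der(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

CONSTRUCTED_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")))
                        + _der(0x03, b"\x00" + b"\xab" * 130))   # rsaEncryption OID + dummy key bits

def constructed_cert_pem() -> str:
    empty = _der(0x30, b"")                     # placeholder for signatureAlgorithm/issuer/subject
    validity = _der(0x30, _der(0x17, b"240101000000Z") * 2)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + empty + empty + validity + empty + CONSTRUCTED_SPKI)
    cert = _der(0x30, tbs + empty + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

On a kubeadm Master the CA lives at the standard path /etc/kubernetes/pki/ca.crt; `discovery_hash(open(path).read())` must equal the value kubeadm printed before the join command is trusted.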
### 2. Deploy the Etcd cluster (3-node high availability)

#### 2.1 Install the certificate tools (Master only)

```bash
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl*
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
```

#### 2.2 Generate the Etcd certificates (Master only)

```bash
mkdir -p ~/TLS/etcd
cd ~/TLS/etcd

# CA certificate
cat > ca-config.json <<EOF
{
  "signing": {
    "default": { "expiry": "87600h" },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
  "CN": "etcd CA",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing" } ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

# Etcd server certificate (hosts must list every Etcd node IP)
cat > server-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": ["192.168.88.130", "192.168.88.131", "192.168.88.132"],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing" } ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
```

#### 2.3 Deploy the Etcd nodes (run on every Etcd node)

```bash
# Download the Etcd binaries
wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
tar zxvf etcd-v3.4.9-linux-amd64.tar.gz
mkdir -p /opt/etcd/{bin,cfg,ssl}
mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/

# Copy the certificates from the Master with scp
scp root@192.168.88.130:~/TLS/etcd/ca*pem root@192.168.88.130:~/TLS/etcd/server*pem /opt/etcd/ssl/

# Create the configuration file; on each node change ETCD_NAME and the IP addresses
cat > /opt/etcd/cfg/etcd.conf <<EOF
#[Member]
# etcd-2 on node 2, etcd-3 on node 3
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
# Replace 192.168.88.130 with the current node's IP in the four URLs below
ETCD_LISTEN_PEER_URLS="https://192.168.88.130:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.88.130:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.88.130:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.88.130:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.88.130:2380,etcd-2=https://192.168.88.131:2380,etcd-3=https://192.168.88.132:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

# Create the systemd service
cat > /usr/lib/systemd/system/etcd.service <<EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

# Start Etcd
systemctl daemon-reload
systemctl start etcd
systemctl enable etcd
```

#### 2.4 Verify the Etcd cluster

```bash
ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem \
  --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem \
  --endpoints="https://192.168.88.130:2379,https://192.168.88.131:2379,https://192.168.88.132:2379" endpoint health
```

Every node reporting `healthy` means the deployment succeeded.

### 3. Install Docker 19-ce on all nodes

```bash
wget https://download.docker.com/linux/static/stable/x86_64/docker-19.03.9.tgz
tar zxvf docker-19.03.9.tgz
mv docker/* /usr/bin/

# Create the systemd service (\$ keeps the variable literal inside the heredoc)
cat > /usr/lib/systemd/system/docker.service <<EOF
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP \$MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target
EOF

# Configure the registry mirror
mkdir /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
  "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"]
}
EOF

# Start Docker
systemctl daemon-reload
systemctl start docker
systemctl enable docker
```
### 4. Deploy the Master components (Master only)

#### 4.1 Generate the Kubernetes certificates

```bash
mkdir -p ~/TLS/k8s
cd ~/TLS/k8s

# CA certificate
cat > ca-config.json <<EOF
{
  "signing": {
    "default": { "expiry": "87600h" },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": ["signing", "key encipherment", "server auth", "client auth"]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System" } ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

# apiserver certificate (hosts: first service IP, loopback, every node IP and the in-cluster service names)
cat > server-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "10.0.0.1",
    "127.0.0.1",
    "192.168.88.130",
    "192.168.88.131",
    "192.168.88.132",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
```

#### 4.2 Deploy kube-apiserver

```bash
# Download the Kubernetes server binaries
wget https://dl.k8s.io/v1.19.0/kubernetes-server-linux-amd64.tar.gz
tar zxvf kubernetes-server-linux-amd64.tar.gz
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
cp kubernetes/server/bin/{kube-apiserver,kube-scheduler,kube-controller-manager} /opt/kubernetes/bin/
cp kubernetes/server/bin/kubectl /usr/bin/

# Copy the certificates
cp ~/TLS/k8s/ca*pem ~/TLS/k8s/server*pem /opt/kubernetes/ssl/

# Create the bootstrap token file (token, user, uid, group)
cat > /opt/kubernetes/cfg/token.csv <<EOF
c47ffb939f5ca36231d9e3121a252940,kubelet-bootstrap,10001,"system:node-bootstrapper"
EOF

# Create the apiserver configuration. In an unquoted heredoc, \\ writes a single \ into the file,
# which systemd reads as a line continuation.
cat > /opt/kubernetes/cfg/kube-apiserver.conf <<EOF
KUBE_APISERVER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--etcd-servers=https://192.168.88.130:2379,https://192.168.88.131:2379,https://192.168.88.132:2379 \\
--bind-address=192.168.88.130 \\
--secure-port=6443 \\
--advertise-address=192.168.88.130 \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--enable-bootstrap-token-auth=true \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-32767 \\
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \\
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \\
--audit-log-maxage=30 \\
--audit-log-maxbackup=3 \\
--audit-log-maxsize=100 \\
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF

# Create the systemd service (\$ keeps the variable literal inside the heredoc)
cat > /usr/lib/systemd/system/kube-apiserver.service <<EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

# Start the apiserver
systemctl daemon-reload
systemctl start kube-apiserver
systemctl enable kube-apiserver

# Authorize the kubelet-bootstrap user to request node certificates
kubectl create clusterrolebinding kubelet-bootstrap \
  --clusterrole=system:node-bootstrapper \
  --user=kubelet-bootstrap
```

#### 4.3 Deploy kube-controller-manager

```bash
cat > /opt/kubernetes/cfg/kube-controller-manager.conf <<EOF
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--leader-elect=true \\
--master=127.0.0.1:8080 \\
--bind-address=127.0.0.1 \\
--allocate-node-cidrs=true \\
--cluster-cidr=10.244.0.0/16 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s"
EOF

cat > /usr/lib/systemd/system/kube-controller-manager.service <<EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl start kube-controller-manager
systemctl enable kube-controller-manager
```

#### 4.4 Deploy kube-scheduler

```bash
cat > /opt/kubernetes/cfg/kube-scheduler.conf <<EOF
KUBE_SCHEDULER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--leader-elect \\
--master=127.0.0.1:8080 \\
--bind-address=127.0.0.1"
EOF

cat > /usr/lib/systemd/system/kube-scheduler.service <<EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl start kube-scheduler
systemctl enable kube-scheduler

# Check the Master component status
kubectl get cs
```

### 5. Deploy the Worker components (run on every Worker)

#### 5.1 Copy the binaries and certificates from the Master with scp

```bash
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs} /opt/cni/bin
scp root@192.168.88.130:/opt/kubernetes/bin/{kubelet,kube-proxy} /opt/kubernetes/bin/
scp root@192.168.88.130:/usr/bin/kubectl /usr/bin/
scp root@192.168.88.130:/opt/kubernetes/ssl/ca.pem /opt/kubernetes/ssl/
scp root@192.168.88.130:/usr/lib/systemd/system/{kubelet,kube-proxy}.service /usr/lib/systemd/system/
scp -r root@192.168.88.130:/opt/cni/ /opt/
```

#### 5.2 Deploy kubelet

```bash
# Create the kubelet configuration; set --hostname-override to the current node's hostname
cat > /opt/kubernetes/cfg/kubelet.conf <<EOF
KUBELET_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--hostname-override=k8s-node1 \\
--network-plugin=cni \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet-config.yml \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=lizhenliang/pause-amd64:3.0"
EOF

# Create the kubelet parameter file
cat > /opt/kubernetes/cfg/kubelet-config.yml <<EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
# 10255 is the unauthenticated read-only API; 0 disables it if nothing on the node needs it
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local
failSwapOn: false
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s
evictionHard:
  imagefs.available: 15%
  memory.available: 100Mi
  nodefs.available: 10%
  nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
EOF

# Generate bootstrap.kubeconfig (the token must match token.csv on the Master)
KUBE_APISERVER="https://192.168.88.130:6443"
TOKEN="c47ffb939f5ca36231d9e3121a252940"

kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=bootstrap.kubeconfig
kubectl config set-credentials "kubelet-bootstrap" \
  --token=${TOKEN} \
  --kubeconfig=bootstrap.kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user="kubelet-bootstrap" \
  --kubeconfig=bootstrap.kubeconfig
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
cp bootstrap.kubeconfig /opt/kubernetes/cfg/

# Start kubelet
systemctl daemon-reload
systemctl start kubelet
systemctl enable kubelet
```

#### 5.3 Approve the kubelet certificate request (on the Master)

```bash
# List pending certificate signing requests
kubectl get csr

# Approve the request (replace with the actual CSR name from the previous command)
kubectl certificate approve node-csr-uCEGPOIiDdlLODKts8J658HrFq9CZ--K6M4G7bjhk8A
```

#### 5.4 Deploy kube-proxy

```bash
# Create the kube-proxy configuration; set hostnameOverride to the current node's hostname
cat > /opt/kubernetes/cfg/kube-proxy.conf <<EOF
KUBE_PROXY_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--config=/opt/kubernetes/cfg/kube-proxy-config.yml"
EOF

cat > /opt/kubernetes/cfg/kube-proxy-config.yml <<EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: k8s-node1
clusterCIDR: 10.0.0.0/24
EOF
```

Generate the kube-proxy certificate and kubeconfig on the Master, then copy the kubeconfig to each Worker with scp:

```bash
cd ~/TLS/k8s
cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System" } ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

# Generate kube-proxy.kubeconfig
KUBE_APISERVER="https://192.168.88.130:6443"

kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
  --client-certificate=./kube-proxy.pem \
  --client-key=./kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
cp kube-proxy.kubeconfig /opt/kubernetes/cfg/
```

Then start kube-proxy on the Worker:

```bash
systemctl start kube-proxy
systemctl enable kube-proxy
```

### 6. Deploy the CNI network plugin (on the Master)

```bash
# Download the CNI plugins
wget https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-amd64-v0.8.6.tgz
mkdir -p /opt/cni/bin
tar zxvf cni-plugins-linux-amd64-v0.8.6.tgz -C /opt/cni/bin

# Deploy Flannel, swapping the quay.io image for a mirrored one
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
sed -i 's#quay.io/coreos/flannel:.*-amd64#lizhenliang/flannel:v0.12.0-amd64#g' kube-flannel.yml
kubectl apply -f kube-flannel.yml

# Check node status
kubectl get nodes
```

## Part 4: Cluster verification

```bash
# All nodes
kubectl get nodes

# System pods
kubectl get pods -n kube-system

# Deploy a test application
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port=80 --type=NodePort
kubectl get svc nginx
```

## Part 5: Troubleshooting common problems

- Node stays NotReady: check that the Flannel pods are running and read the kubelet log with `journalctl -u kubelet`.
- Image pull failures: switch to the Aliyun image repository or pull the images onto the nodes ahead of time.
- Certificate problems: check the certificate validity period and the `hosts` list, then regenerate the certificates.
- Port conflicts: make sure 6443, 2379-2380, 10250 and the other required ports are not already in use.
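The kube-apiserver.conf written in step 4.2 is where most of the control plane's security posture is decided, and a reviewer would read its flags before starting the service. The following is an added example (not code from the original guide) that parses a KUBE_APISERVER_OPTS file in the guide's systemd EnvironmentFile format, applies a few hardening rules to it, and shows a hardened variant; PAGE_CONF is an abridged copy of the guide's own flags, and the `sa.pub` path in `hardened_flags` is a hypothetical dedicated service-account key, not something the guide creates.

```python
import re

def parse_opts(conf_text: str, var: str = "KUBE_APISERVER_OPTS") -> dict:
    """Extract --flag=value pairs from VAR="..." in a systemd EnvironmentFile (joins trailing-\ lines)."""
    m = re.search(var + r'="(.*?)"', conf_text.replace("\\\n", " "), re.S)
    if not m:
        raise ValueError(f"{var} not found")
    flags = {}
    for tok in m.group(1).split():
        key, eq, val = tok.lstrip("-").partition("=")
        flags[key] = val if eq else "true"           # a bare --flag means true
    return flags

def audit_apiserver(f: dict) -> list:
    """Hardening checks on the parsed flags; returns finding strings (empty = clean)."""
    out = []
    if not {"RBAC", "Node"} <= set(f.get("authorization-mode", "AlwaysAllow").split(",")):
        out.append("authorization-mode must include RBAC and Node")
    if f.get("anonymous-auth", "true") != "false":
        out.append("anonymous-auth not disabled: unauthenticated requests reach the authorizer")
    if "NodeRestriction" not in f.get("enable-admission-plugins", "").split(","):
        out.append("NodeRestriction admission plugin missing: a kubelet could edit other nodes' objects")
    if "audit-log-path" not in f:
        out.append("no audit log configured")
    if f.get("insecure-port", "") != "0":
        out.append("insecure-port not set to 0: the unauthenticated 127.0.0.1:8080 endpoint stays open")
    if "kubelet-certificate-authority" not in f:
        out.append("kubelet-certificate-authority unset: apiserver does not verify kubelet serving certs")
    if f.get("service-account-key-file", "").endswith("ca-key.pem"):
        out.append("service-account-key-file reuses the cluster CA private key; use a dedicated key pair")
    return out

# Abridged copy of the guide's kube-apiserver.conf (only the flags the audit looks at).
PAGE_CONF = r'''KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--bind-address=192.168.88.130 \
--secure-port=6443 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
'''

def hardened_flags(f: dict) -> dict:
    """The same flags with the findings addressed. sa.pub is a hypothetical dedicated SA key path; pointing
    kubelet-certificate-authority at ca.pem assumes the kubelets' serving certificates are signed by it."""
    return {**f, "anonymous-auth": "false", "insecure-port": "0",
            "kubelet-certificate-authority": f.get("client-ca-file", "/opt/kubernetes/ssl/ca.pem"),
            "service-account-key-file": "/opt/kubernetes/ssl/sa.pub"}
```

Run against the guide's flags, `audit_apiserver(parse_opts(PAGE_CONF))` reports four findings (anonymous auth, the insecure port relied on by the guide's controller-manager and scheduler via `--master=127.0.0.1:8080`, unverified kubelet serving certificates, and the CA key doubling as the service-account signing key), and none for the hardened variant.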