Preface
After a week of intensive deployment and countless pitfalls, I finally got a Huawei Cloud + Alibaba Cloud cluster up. Many thanks to @chen645800876 for the article 云服务器 - 异地部署集群服务 (Cloud servers: deploying cluster services across regions), which made the deployment go fairly smoothly and saved me a lot of trouble. This write-up is based on that article, trims the steps I did not use, and records the pitfalls I hit, both as a backup for myself and in the hope that it helps others.
Installation
- Adjust kernel parameters

```bash
cat > k8s.conf <<EOF
# enable bridge netfilter (br_netfilter must be loaded first, see the next step, or sysctl -p rejects these keys)
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
# enable forwarding
net.ipv4.ip_forward = 1
# disable ipv6
net.ipv6.conf.all.disable_ipv6=1
EOF
cp k8s.conf /etc/sysctl.d/k8s.conf
sysctl -p /etc/sysctl.d/k8s.conf
```
- IPVS prerequisites

```bash
# step1
modprobe br_netfilter
# step2
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack
EOF
# step3
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack
```

One thing to watch here: the nf_conntrack_ipv4 module used in the original article no longer exists (newer kernels folded it into nf_conntrack); the fix is the approach proposed in the link below. This point matters a great deal: if this step throws an error, IPVS forwarding will break later on.
https://github.com/easzlab/ku…

- Disable the swap partition

```bash
swapoff -a
# also comment out the swap entry in /etc/fstab so it stays off after a reboot
```
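As an added check (not part of the original article), the script below verifies the three prerequisite steps above on a node. Each check function takes the output of sysctl, lsmod or /proc/swaps as text, so the same functions run against the live node or against a saved copy; the required keys and modules are exactly those written above.

```bash
#!/bin/bash
# Added example: verify the prerequisites from the steps above.
# Each check_* function takes the relevant command output as text, so it works
# on the live node (node_prereq_report) or on a captured copy of that output.

# required sysctl settings, as written to /etc/sysctl.d/k8s.conf above
REQ_SYSCTL="net.bridge.bridge-nf-call-iptables=1 net.bridge.bridge-nf-call-ip6tables=1 net.ipv4.ip_forward=1"
# modules that ipvs.modules loads (nf_conntrack, not the old nf_conntrack_ipv4)
REQ_MODULES="ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack"

# check_sysctl "$(sysctl -a)": report keys that are missing or have the wrong value
check_sysctl() {
  local out="$1" kv key want have rc=0
  for kv in $REQ_SYSCTL; do
    key=${kv%%=*}; want=${kv##*=}
    have=$(printf '%s\n' "$out" | awk -F' *= *' -v k="$key" '$1 == k { print $2 }')
    if [ "$have" != "$want" ]; then
      echo "sysctl $key is '${have:-unset}', want $want"; rc=1
    fi
  done
  return $rc
}

# check_modules "$(lsmod)": report required modules that are not loaded
check_modules() {
  local out="$1" m rc=0
  for m in $REQ_MODULES; do
    printf '%s\n' "$out" | awk '{ print $1 }' | grep -qx "$m" || { echo "module $m not loaded"; rc=1; }
  done
  return $rc
}

# check_swap "$(cat /proc/swaps)": after swapoff -a only the header line remains
check_swap() {
  [ "$(printf '%s\n' "$1" | grep -c '^/')" -eq 0 ] || { echo "swap is still active"; return 1; }
}

# run every check on this node; exit status 1 if anything is wrong
node_prereq_report() {
  local rc=0
  check_sysctl "$(sysctl -a 2>/dev/null)" || rc=1
  check_modules "$(lsmod)" || rc=1
  check_swap "$(cat /proc/swaps)" || rc=1
  if [ $rc -eq 0 ]; then echo "all prerequisites satisfied"; fi
  return $rc
}
```

Run node_prereq_report on every node before kubeadm init or join; a failing sysctl check usually means br_netfilter was not loaded when sysctl -p ran.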
- Install kubeadm, kubelet and kubectl

```bash
# add the repo
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
#baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-aarch64/
# if the CPU is not x86 you need the other repo: Huawei Kunpeng instances are aarch64, Alibaba's are x86_64
# a second newcomer pitfall: docker images are also tied to the CPU architecture; an image built on x86_64
# cannot be deployed on aarch64 docker, so a pod that fails to come up may be failing for this reason
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
# put selinux into permissive mode
setenforce 0
# install kubelet, kubeadm, kubectl
yum install -y kubelet kubeadm kubectl
# start at boot
systemctl enable kubelet
```
- Create the virtual NIC

```bash
# step1: remember to substitute your own public IP
cat > /etc/sysconfig/network-scripts/ifcfg-eth0:1 <<EOF
BOOTPROTO=static
DEVICE=eth0:1
IPADDR=<your public IP>
PREFIX=32
TYPE=Ethernet
USERCTL=no
ONBOOT=yes
EOF
# step2: on CentOS 8 a reboot is needed (better to switch to CentOS 7 outright; NIC setup on CentOS 8 is more involved)
# Huawei Cloud servers come with eth1-eth5 pre-configured, so all of those defaults must be removed,
# otherwise the restart errors out and the network cannot come back up
systemctl restart network
# step3: check that the new IP shows up
ip addr
```
- Modify the kubelet startup parameters (important: do this on every node)

```bash
# this file exists once kubeadm is installed
vim /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
# note: this step matters; without it the node still registers in the cluster with its private IP
# append --node-ip=<public IP> to the end of the ExecStart line, then reload the unit:
# systemctl daemon-reload && systemctl restart kubelet
```

```ini
# Note: This dropin only works with kubeadm and kubelet v1.11+
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
EnvironmentFile=-/etc/sysconfig/kubelet
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS --node-ip=xx.xx.xx.xx
```
- Initialize the control-plane node with kubeadm; two scripts are provided for downloading and cleaning up images

```bash
#!/bin/bash
# pull the control-plane images from the Aliyun mirror and retag them under k8s.gcr.io
images=(
  kube-apiserver:v1.21.1
  kube-controller-manager:v1.21.1
  kube-scheduler:v1.21.1
  kube-proxy:v1.21.1
  pause:3.4.1
  etcd:3.4.13-0
  # coredns/coredns is pulled directly from Docker Hub
)
for imageName in ${images[@]} ; do
  docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/${imageName}
  docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/${imageName} k8s.gcr.io/${imageName}
  docker rmi registry.cn-hangzhou.aliyuncs.com/google_containers/${imageName}
done
```

```bash
#!/bin/bash
# remove every local k8s.gcr.io image
images=`docker images|grep k8s.gcr|awk '{print $3}'`
for image in ${images}
do
  echo $image
  docker rmi $image
done
```

```bash
# step1: add the config file, remember to replace the IPs below
cat > kubeadm-config.yaml <<EOF
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.21.1
apiServer:
  certSANs:        # list the hostname, IP and VIP of every kube-apiserver node
  - master         # replace with the hostname
  - xx.xx.xx.xx    # replace with the public IP
  - yy.yy.yy.yy    # replace with the private IP
  - 10.96.0.1      # do not replace: this is the cluster IP of the API service, some workloads use it
controlPlaneEndpoint: xx.xx.xx.xx:6443   # replace with the public IP
networking:
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
---
# switch the default proxy mode to ipvs
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
  SupportIPVSProxyMode: true   # legacy gate; IPVS mode has been GA since v1.11, "mode: ipvs" is what matters
mode: ipvs
EOF
# step2: on a 1-core or 1 GB machine append --ignore-preflight-errors=all, otherwise init fails
# also note: when this step succeeds it prints two important pieces of information
kubeadm init --config=kubeadm-config.yaml
# info 1: after a successful init a kubeconfig is generated for talking to the API server; run the following
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# info 2: used later when worker nodes join the control plane
# (the token is a bootstrap credential, 24h TTL by default; treat it as a secret)
kubeadm join xx.xx.xx.xx:6443 --token sdfs.dsfsdfsdfijdth \
    --discovery-token-ca-cert-hash sha256:sdfsdfsdfsdfsdfsdfsdfsdfg9a460f44b118050091245c1d
```
- Modify the kube-apiserver parameters (control-plane node)

```bash
# change three things: add --bind-address, modify --advertise-address, and set feature-gates=RemoveSelfLink
vim /etc/kubernetes/manifests/kube-apiserver.yaml
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 47.74.22.13:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    # needed if an NFS-backed StorageClass is involved: k8s 1.20 dropped selfLink, so it has to be added by hand;
    # the fix comes from https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner/issues/25
    - --feature-gates=RemoveSelfLink=false
    - --advertise-address=47.74.22.13   # change to the public IP
    - --bind-address=0.0.0.0            # add this parameter
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: k8s.gcr.io/kube-apiserver:v1.18.0   # kubeadm writes the version it installed here; leave it unchanged
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 175.24.19.12
        path: /healthz
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: kube-apiserver
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/pki
      name: etc-pki
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
  hostNetwork: true
  priorityClassName: system-cluster-critical
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/pki
      type: DirectoryOrCreate
    name: etc-pki
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
status: {}
```

Note that with --bind-address=0.0.0.0 and a public --advertise-address, port 6443 is reachable from the whole Internet; restrict it in each cloud's security group to the cluster nodes and your own admin hosts.
- Modify the flannel manifest and install it (control-plane node)

```bash
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
# edit the DaemonSet as below, then: kubectl apply -f kube-flannel.yml
```

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds-amd64
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/os
                operator: In
                values:
                - linux
              - key: beta.kubernetes.io/arch
                operator: In
                values:
                - amd64
      hostNetwork: true
      tolerations:
      - operator: Exists
        effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
      - name: install-cni
        image: quay.io/coreos/flannel:v0.11.0-amd64
        command:
        - cp
        args:
        - -f
        - /etc/kube-flannel/cni-conf.json
        - /etc/cni/net.d/10-flannel.conflist
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      containers:
      - name: kube-flannel
        image: quay.io/coreos/flannel:v0.11.0-amd64
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --public-ip=$(PUBLIC_IP)   # add this argument: declare the public IP
        - --iface=eth0               # add this argument: bind to the NIC
        - --kube-subnet-mgr
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
          limits:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN"]
        env:
        - name: PUBLIC_IP            # add this environment variable
          valueFrom:
            fieldRef:
              fieldPath: status.podIP   # with hostNetwork this is the node address the kubelet registered via --node-ip
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        # ... remainder of the DaemonSet unchanged
```

The same manifest also defines per-architecture DaemonSets (kube-flannel-ds-arm64 and others); apply the same three edits to the arm64 one so that the aarch64 Kunpeng nodes get them too.
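Added example (not from the original article): with the API server bound on 0.0.0.0 behind a public advertise address and flannel's VXLAN traffic between the Huawei and Alibaba nodes crossing the public Internet, a per-node allowlist for those ports is the minimum. This function prints, without applying, the iptables rules for one node from the list of cluster public IPs; the ports are the kubeadm/flannel defaults and every IP is a constructed placeholder.

```bash
#!/bin/bash
# Added example: print (not apply) iptables rules that limit the ports this
# cluster exposes on public IPs to the cluster's own nodes plus one admin host.
# Ports are the kubeadm/flannel defaults: 6443 kube-apiserver, 10250 kubelet,
# 8472/udp flannel VXLAN, 2379-2380 etcd. All IPs are constructed placeholders.
# Usage: cluster_allowlist_rules master|worker ADMIN_IP NODE_PUBLIC_IP...
cluster_allowlist_rules() {
  local role="$1" admin="$2"; shift 2
  local ip
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # traffic between cluster nodes: kubelet API, VXLAN overlay, and on the
  # control plane the API server that every kubelet and kube-proxy talks to
  for ip in "$@"; do
    echo "iptables -A INPUT -s $ip -p tcp --dport 10250 -j ACCEPT"
    echo "iptables -A INPUT -s $ip -p udp --dport 8472 -j ACCEPT"
    if [ "$role" = master ]; then
      echo "iptables -A INPUT -s $ip -p tcp --dport 6443 -j ACCEPT"
    fi
  done
  if [ "$role" = master ]; then
    # kubectl from the admin host only; etcd is reached over 127.0.0.1 (see --etcd-servers above),
    # so nothing outside the node needs 2379-2380
    echo "iptables -A INPUT -s $admin -p tcp --dport 6443 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 6443 -j DROP"
    echo "iptables -A INPUT -p tcp --dport 2379:2380 -j DROP"
  fi
  # everyone else is refused the kubelet and the overlay
  echo "iptables -A INPUT -p tcp --dport 10250 -j DROP"
  echo "iptables -A INPUT -p udp --dport 8472 -j DROP"
}
```

Review the output, then apply it or mirror it in each cloud's security groups; the VXLAN overlay itself stays unencrypted, so the allowlist limits who can reach it, not who can read it in transit.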
- Manually enable IPVS forwarding mode in the config (control-plane node)

```bash
# everything above succeeded, but sometimes IPVS mode is still not enabled by default; edit it by hand, only one field changes
# if the change does not take effect right away, delete the kube-proxy pods (they are recreated automatically), then check with ipvsadm -Ln
# if ipvsadm is not installed: yum install ipvsadm
kubectl edit configmaps -n kube-system kube-proxy
```

```yaml
apiVersion: v1
data:
  config.conf: |-
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    bindAddress: 0.0.0.0
    clientConnection:
      acceptContentTypes: ""
      burst: 0
      contentType: ""
      kubeconfig: /var/lib/kube-proxy/kubeconfig.conf
      qps: 0
    clusterCIDR: 10.244.0.0/16
    configSyncPeriod: 0s
    conntrack:
      maxPerCore: null
      min: null
      tcpCloseWaitTimeout: null
      tcpEstablishedTimeout: null
    detectLocalMode: ""
    enableProfiling: false
    healthzBindAddress: ""
    hostnameOverride: ""
    iptables:
      masqueradeAll: false
      masqueradeBit: null
      minSyncPeriod: 0s
      syncPeriod: 0s
    ipvs:
      excludeCIDRs: null
      minSyncPeriod: 0s
      scheduler: ""
      strictARP: false
      syncPeriod: 0s
      tcpFinTimeout: 0s
      tcpTimeout: 0s
      udpTimeout: 0s
    kind: KubeProxyConfiguration
    metricsBindAddress: ""
    mode: "ipvs"   # if this is empty, fill in ipvs
    nodePortAddresses: null
    oomScoreAdj: null
    portRange: ""
    showHiddenMetricsForVersion: ""
    udpIdleTimeout: 0s
    winkernel:
      enableDSR: false
      networkName: ""
```