当前位置：首页 > news >正文

kubeadm方式安装k8s

news 文章来源：https://blog.csdn.net/m0_70848838/article/details/142147011 2025/5/12 6:47:25

一、安装环境

环境准备：（有阿里云）centos7
k8s-master    192.168.1.11
k8s-node1     192.168.1.22
k8s-node2    192.168.1.33

二、前期准备

在k8s-master主机

[root@k8s-master ~]# vim /etc/hosts //做个域名劫持（三台主机都做）
192.168.1.11 k8s-master
192.168.1.22 k8s-node1
192.168.1.33 k8s-node2

1.配置yum源（三台主机都做）

[root@k8s-master ~]# cd /etc/yum.repos.d/
[root@k8s-master yum.repos.d]# vim kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
[root@k8s-master yum.repos.d]# vim docker-ce.repo
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-stable-debuginfo]
name=Docker CE Stable - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/debug-$basearch/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-stable-source]
name=Docker CE Stable - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/source/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test]
name=Docker CE Test - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test-debuginfo]
name=Docker CE Test - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/debug-$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test-source]
name=Docker CE Test - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/source/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly]
name=Docker CE Nightly - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly-debuginfo]
name=Docker CE Nightly - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/debug-$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly-source]
name=Docker CE Nightly - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/$releasever/source/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[root@k8s-master yum.repos.d]# yum clean all && yum makecache

2.安装必备工具（三台主机都做）

[root@k8s-master yum.repos.d]# yum -y install wget jq psmisc vim net-tools telnet yum-utils device-mapper-persistent-data lvm2 git //安装必备工具

3.关闭防火墙以及swap 分区（三台主机都做）

[root@k8s-master ~]# swapoff -a
[root@k8s-master ~]# sysctl -w vm.swappiness=0
vm.swappiness = 0
[root@k8s-master ~]# sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab

4.同步时间（三台主机都做）

[root@k8s-master yum.repos.d]# cd
[root@k8s-master ~]# yum -y install ntpdate //同步时间
[root@k8s-master ~]# ntpdate time2.aliyun.com
[root@k8s-master ~]# crontab -e //编写计划任务
* 5 * * * /usr/sbin/ntpdate time2.aliyun.com

5. 配置 limit（三台主机都做）

[root@k8s-master ~]# ulimit -SHn 65535 //单个进程可以打开的⽂件数量将被限制为 65535
[root@k8s-master ~]# vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
* soft nproc 65535
* hard nproc 655350
* soft memlock unlimited
* hard memlock unlimited

6. 安装 k8s ⾼可⽤性 Git 仓库（master主机）

[root@k8s-master ~]# git clone https://gitee.com/dukuan/k8s-ha-install.git

三、配置内核模块

1. 配置 ipvs 模块（centos可以不用做）（三台主机都做）

[root@k8s-master ~]# yum install ipvsadm ipset sysstat conntrack libseccomp -y
[root@k8s-master ~]# modprobe -- ip_vs
[root@k8s-master ~]# modprobe -- ip_vs_rr
[root@k8s-master ~]# modprobe -- ip_vs_wrr
[root@k8s-master ~]# modprobe -- ip_vs_sh
[root@k8s-master ~]# modprobe -- nf_conntrack
[root@k8s-master ~]# vim /etc/modules-load.d/ipvs.conf
# 在系统启动时加载下列 IPVS 和相关功能所需的模块
ip_vs                   # 负载均衡模块
ip_vs_lc           # 用于实现基于连接数量的负载均衡算法
ip_vs_wlc           # 用于实现带权重的最少连接算法的模块
ip_vs_rr           # 负载均衡rr算法模块
ip_vs_wrr           # 负载均衡wrr算法模块
ip_vs_lblc       # 负载均衡算法，它结合了最少连接（LC）算法和基于偏置的轮询（Round Robin with Bias）算法
ip_vs_lblcr       # 用于实现基于链路层拥塞状况的最少连接负载调度算法的模块
ip_vs_dh           # 用于实现基于散列（Hashing）的负载均衡算法的模块
ip_vs_sh           # 用于源端负载均衡的模块
ip_vs_fo           # 用于实现基于本地服务的负载均衡算法的模块
ip_vs_nq           # 用于实现NQ算法的模块
ip_vs_sed           # 用于实现随机早期检测（Random Early Detection）算法的模块
ip_vs_ftp           # 用于实现FTP服务的负载均衡模块
ip_vs_sh
nf_conntrack   # 用于跟踪网络连接的状态的模块
ip_tables           # 用于管理防护墙的机制
ip_set               # 用于创建和管理IP集合的模块
xt_set               # 用于处理IP数据包集合的模块，提供了与iptables等网络工具的接口
ipt_set               # 用于处理iptables规则集合的模块
ipt_rpfilter   # 用于实现路由反向路径过滤的模块
ipt_REJECT       # iptables模块之一，用于将不符合规则的数据包拒绝，并返回特定的错误码
ipip                   # 用于实现IP隧道功能的模块，使得数据可以在两个网络之间进行传输
[root@k8s-master ~]# sysctl --system
[root@k8s-master ~]# systemctl enable systemd-modules-load.service
[root@k8s-master ~]# systemctl start systemd-modules-load.service

[root@k8s-master ~]# lsmod | grep -e ip_vs -e nf_conntrack //查看已写⼊加载的模块

2. 配置 k8s 内核（三台主机都做）

[root@k8s-master ~]# vim /etc/sysctl.d/k8s.conf
# 写入k8s所需内核模块
net.bridge.bridge-nf-call-iptables = 1       # 控制网络桥接与iptables之间的网络转发行为
net.bridge.bridge-nf-call-ip6tables = 1       # 用于控制网络桥接（bridge）的IP6tables过滤规则。当该参数设置为1时，表示启用对网络桥接的IP6tables过滤规则
fs.may_detach_mounts = 1       # 用于控制文件系统是否允许分离挂载，1表示允许
net.ipv4.conf.all.route_localnet = 1       # 允许本地网络上的路由。设置为1表示允许，设置为0表示禁止。
vm.overcommit_memory=1       # 控制内存分配策略。设置为1表示允许内存过量分配，设置为0表示不允许。
vm.panic_on_oom=0       # 决定当系统遇到内存不足（OOM）时是否产生panic。设置为0表示不产生panic，设置为1表示产生panic。
fs.inotify.max_user_watches=89100       # inotify可以监视的文件和目录的最大数量。
fs.file-max=52706963       # 系统级别的文件描述符的最大数量。
fs.nr_open=52706963           # 单个进程可以打开的文件描述符的最大数量。
net.netfilter.nf_conntrack_max=2310720       # 网络连接跟踪表的最大大小。
net.ipv4.tcp_keepalive_time = 600       # TCP保活机制发送探测包的间隔时间（秒）。
net.ipv4.tcp_keepalive_probes = 3       # TCP保活机制发送探测包的最大次数。
net.ipv4.tcp_keepalive_intvl =15       # TCP保活机制在发送下一个探测包之前等待响应的时间（秒）。
net.ipv4.tcp_max_tw_buckets = 36000   # TCP TIME_WAIT状态的bucket数量。
net.ipv4.tcp_tw_reuse = 1       # 允许重用TIME_WAIT套接字。设置为1表示允许，设置为0表示不允许。
net.ipv4.tcp_max_orphans = 327680       # 系统中最大的孤套接字数量。
net.ipv4.tcp_orphan_retries = 3           # 系统尝试重新分配孤套接字的次数。
net.ipv4.tcp_syncookies = 1       # 用于防止SYN洪水攻击。设置为1表示启用SYN cookies，设置为0表示禁用。
net.ipv4.tcp_max_syn_backlog = 16384       # SYN连接请求队列的最大长度。
net.ipv4.ip_conntrack_max = 65536       # IP连接跟踪表的最大大小。
net.ipv4.tcp_max_syn_backlog = 16384       # 系统中最大的监听队列的长度。
net.ipv4.tcp_timestamps = 0       # 用于关闭TCP时间戳选项。
net.core.somaxconn = 16384       # 用于设置系统中最大的监听队列的长度
[root@k8s-master ~]# reboot //保存后，所有节点重启，保证重启后内核依然加载
[root@k8s-master ~]# lsmod | grep --color=auto -e ip_vs -e nf_conntrack

四、基本组件安装

1. 安装 Containerd

（1）安装 Docker（三台主机都做）

[root@k8s-master ~]# yum remove -y podman runc containerd
[root@k8s-master ~]# yum remove -y docker
[root@k8s-master ~]# yum -y install docker-ce docker-ce-cli containerd.io //安装Docker和containerd

（2）配置 Containerd 所需模块（三台主机都做）

[root@k8s-master ~]# cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf //也可以用vim写
> overlay
> br_netfilter
> EOF
overlay
br_netfilter
[root@k8s-master ~]# modprobe -- overlay
[root@k8s-master ~]# modprobe -- br_netfilter

（3）配置 Containerd 所需内核（三台主机都做）

[root@k8s-master ~]# cat <<EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
> net.bridge.bridge-nf-call-iptables = 1
> net.ipv4.ip_forward = 1
> net.bridge.bridge-nf-call-ip6tables = 1
> EOF
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
[root@k8s-master ~]# sysctl --system //使生效

（4）Containerd 配置⽂件（三台主机都做）

[root@k8s-master ~]# mkdir -p /etc/containerd //这个目录其实是有的，这里只是为了确保一下

[root@k8s-master ~]# containerd config default | tee /etc/containerd/config.toml
[root@k8s-master ~]# vim /etc/containerd/config.toml

disabled_plugins = []
imports = []
oom_score = 0
plugin_dir = ""
required_plugins = []
root = "/var/lib/containerd"
state = "/run/containerd"
temp = ""
version = 2

[cgroup]
path = ""

[debug]
address = ""
format = ""
gid = 0
level = ""
uid = 0

[grpc]
address = "/run/containerd/containerd.sock"
gid = 0
max_recv_message_size = 16777216
max_send_message_size = 16777216
tcp_address = ""
tcp_tls_ca = ""
tcp_tls_cert = ""
tcp_tls_key = ""
uid = 0

[metrics]
address = ""
grpc_histogram = false

[plugins]

[plugins."io.containerd.gc.v1.scheduler"]
deletion_threshold = 0
mutation_threshold = 100
pause_threshold = 0.02
schedule_delay = "0s"
startup_delay = "100ms"

[plugins."io.containerd.grpc.v1.cri"]
device_ownership_from_security_context = false
disable_apparmor = false
disable_cgroup = false
disable_hugetlb_controller = true
disable_proc_mount = false
disable_tcp_service = true
drain_exec_sync_io_timeout = "0s"
enable_selinux = false
enable_tls_streaming = false
enable_unprivileged_icmp = false
enable_unprivileged_ports = false
ignore_deprecation_warnings = []
ignore_image_defined_volumes = false
max_concurrent_downloads = 3
max_container_log_line_size = 16384
netns_mounts_under_state_dir = false
restrict_oom_score_adj = false
sandbox_image = "registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9"
selinux_category_range = 1024
stats_collect_period = 10
stream_idle_timeout = "4h0m0s"
stream_server_address = "127.0.0.1"
stream_server_port = "0"
systemd_cgroup = false
tolerate_missing_hugetlb_controller = true
unset_seccomp_profile = ""

[plugins."io.containerd.grpc.v1.cri".cni]
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"
conf_template = ""
ip_pref = ""
max_conf_num = 1

[plugins."io.containerd.grpc.v1.cri".containerd]
default_runtime_name = "runc"
disable_snapshot_annotations = true
discard_unpacked_layers = false
ignore_rdt_not_enabled_errors = false
no_pivot = false
snapshotter = "overlayfs"

[plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
base_runtime_spec = ""
cni_conf_dir = ""
cni_max_conf_num = 0
container_annotations = []
pod_annotations = []
privileged_without_host_devices = false
runtime_engine = ""
runtime_path = ""
runtime_root = ""
runtime_type = ""

[plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
base_runtime_spec = ""
cni_conf_dir = ""
cni_max_conf_num = 0
container_annotations = []
pod_annotations = []
privileged_without_host_devices = false
runtime_engine = ""
runtime_path = ""
runtime_root = ""
runtime_type = "io.containerd.runc.v2"

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
BinaryName = ""
CriuImagePath = ""
CriuPath = ""
CriuWorkPath = ""
IoGid = 0
IoUid = 0
NoNewKeyring = false
NoPivotRoot = false
Root = ""
ShimCgroup = ""
SystemdCgroup =true
sandbox_image = "registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9"

[plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
base_runtime_spec = ""
cni_conf_dir = ""
cni_max_conf_num = 0
container_annotations = []
pod_annotations = []
privileged_without_host_devices = false
runtime_engine = ""
runtime_path = ""
runtime_root = ""
runtime_type = ""

[plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options]

[plugins."io.containerd.grpc.v1.cri".image_decryption]
key_model = "node"

[plugins."io.containerd.grpc.v1.cri".registry]
config_path = ""

[plugins."io.containerd.grpc.v1.cri".registry.auths]

[plugins."io.containerd.grpc.v1.cri".registry.configs]

[plugins."io.containerd.grpc.v1.cri".registry.headers]

[plugins."io.containerd.grpc.v1.cri".registry.mirrors]

[plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
tls_cert_file = ""
tls_key_file = ""

[plugins."io.containerd.internal.v1.opt"]
path = "/opt/containerd"

[plugins."io.containerd.internal.v1.restart"]
interval = "10s"

[plugins."io.containerd.internal.v1.tracing"]

[plugins."io.containerd.metadata.v1.bolt"]
content_sharing_policy = "shared"

[plugins."io.containerd.monitor.v1.cgroups"]
no_prometheus = false

[plugins."io.containerd.runtime.v1.linux"]
no_shim = false
runtime = "runc"
runtime_root = ""
shim = "containerd-shim"
shim_debug = false

[plugins."io.containerd.runtime.v2.task"]
platforms = ["linux/amd64"]
sched_core = false

[plugins."io.containerd.service.v1.diff-service"]
default = ["walking"]

[plugins."io.containerd.service.v1.tasks-service"]
rdt_config_file = ""

[plugins."io.containerd.snapshotter.v1.aufs"]
root_path = ""

[plugins."io.containerd.snapshotter.v1.btrfs"]
root_path = ""

[plugins."io.containerd.snapshotter.v1.devmapper"]
async_remove = false
base_image_size = ""
discard_blocks = false
fs_options = ""
fs_type = ""
pool_name = ""
root_path = ""

[plugins."io.containerd.snapshotter.v1.native"]
root_path = ""

[plugins."io.containerd.snapshotter.v1.overlayfs"]
mount_options = []
root_path = ""
sync_remove = false
upperdir_label = false

[plugins."io.containerd.snapshotter.v1.zfs"]
root_path = ""

[plugins."io.containerd.tracing.processor.v1.otlp"]

[proxy_plugins]

[stream_processors]

[stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
path = "ctd-decoder"
returns = "application/vnd.oci.image.layer.v1.tar"

[stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
path = "ctd-decoder"
returns = "application/vnd.oci.image.layer.v1.tar+gzip"

[timeouts]
"io.containerd.timeout.bolt.open" = "0s"
"io.containerd.timeout.shim.cleanup" = "5s"
"io.containerd.timeout.shim.load" = "5s"
"io.containerd.timeout.shim.shutdown" = "3s"
"io.containerd.timeout.task.state" = "2s"

[ttrpc]
address = ""
gid = 0
uid = 0
[root@k8s-master ~]# systemctl daemon-reload //加载systemctl控制脚本
[root@k8s-master ~]# systemctl enable --now containerd.service //开机启动，--now表示现在就启动

（5）配置 crictl 客户端连接的运⾏位置（三台主机都做）

[root@k8s-master ~]# vim /etc/crictl.yaml //配置容器运⾏环境的crictl.yml⽂件
runtime-endpoint: unix:///run/containerd/containerd.sock # 指定了容器运⾏时的地址为：unix://...
image-endpoint: unix:///run/containerd/containerd.sock # 指定了镜像运⾏时的地址为：unix://...
timeout: 10 # 设置了超时时间为10秒
debug: false # 关闭调试模式
[root@k8s-master ~]# systemctl status containerd //查看状态，是否启动

2.安装 Kubernetes 组件（三台主机都做）

[root@k8s-master ~]# yum list kubeadm.x86_64 --showduplicates | sort -r #查询最新的Kubernetes版本号
[root@k8s-master ~]# yum install kubeadm-1.28* kubectl-1.28* kubelet-1.28* -y # 安装1.28最新版本kubeadm、kubelet和kubectl
[root@k8s-master ~]# yum list installed|grep kube //查看这些是否安装
[root@k8s-master ~]# systemctl daemon-reload
[root@k8s-master ~]# systemctl start kubelet
[root@k8s-master ~]# systemctl enable kubelet
[root@k8s-master ~]# systemctl status kubelet //查看是否启动
注意：如果kubelet无法正常启动，检查swap是否已经取消虚拟分区，查看/var/log/message，如果是没有/var/lib/kubelet/config.yaml文件，可能需要重新安装，先卸载kubelet，然后重新安装，systemctl daemon-reload重新加载以后，安装kubeadm（因为依赖原因被卸载），在设置开机自启并启动systemctl enable --now kudelet

3. Kubernetes 集群初始化（主节点做）

（1）Kubeadm 配置⽂件

[root@k8s-master ~]# vim kubeadm-config.yaml #修改kubeadm配置⽂件
apiVersion: kubeadm.k8s.io/v1beta3 # 指定Kubernetes配置文件的版本，使用的是kubeadm API的v1beta3版本
bootstrapTokens: # 定义bootstrap tokens的信息。这些tokens用于在Kubernetes集群初始化过程中进行身份验证
- groups: # 定义了与此token关联的组
- system:bootstrappers:kubeadm:default-node-token
token: 7t2weq.bjbawausm0jaxury # bootstrap token的值
ttl: 24h0m0s # token的生存时间，这里设置为24小时
usages: # 定义token的用途
- signing # 数字签名
- authentication # 身份验证
kind: InitConfiguration # 指定配置对象的类型，InitConfiguration：表示这是一个初始化配置
localAPIEndpoint: # 定义本地API端点的地址和端口
advertiseAddress: 192.168.1.11
bindPort: 6443
nodeRegistration: # 定义节点注册时的配置
criSocket: unix:///var/run/containerd/containerd.sock # 容器运行时(CRI)的套接字路径
name: k8s-master # 节点的名称
taints: # 标记
- effect: NoSchedule # 免调度节点
key: node-role.kubernetes.io/control-plane # 该节点为控制节点
---
apiServer: # 定义了API服务器的配置
certSANs: # 为API服务器指定了附加的证书主体名称(SAN)，指定IP即可
- 192.168.1.11
timeoutForControlPlane: 4m0s # 控制平面的超时时间，这里设置为4分钟
apiVersion: kubeadm.k8s.io/v1beta3 # 指定API Server版本
certificatesDir: /etc/kubernetes/pki # 指定了证书的存储目录
clusterName: kubernetes # 定义了集群的名称为"kubernetes"
controlPlaneEndpoint: 192.168.1.11:6443 # 定义了控制节点的地址和端口
controllerManager: {} # 控制器管理器的配置，为空表示使用默认配置
etcd: # 定义了etcd的配置
local: # 本地etcd实例
dataDir: /var/lib/etcd # 数据目录
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers # 指定了Kubernetes使用的镜像仓库的地址，阿里云的镜像仓库。
kind: ClusterConfiguration # 指定了配置对象的类型，ClusterConfiguration：表示这是一个集群配置
kubernetesVersion: v1.28.2 # 指定了kubernetes的版本
networking: # 定义了kubernetes集群网络设置
dnsDomain: cluster.local # 定义了集群的DNS域为：cluster.local
podSubnet: 172.16.0.0/16 # 定义了Pod的子网
serviceSubnet: 10.96.0.0/16 # 定义了服务的子网
scheduler: {} # 使用默认的调度器行为

[root@k8s-master ~]# kubeadm config migrate --old-config kubeadm-config.yaml --new-config new.yaml //将旧的kubeadm配置文件转换为新的格式

（2）下载组件镜像

[root@k8s-master ~]# kubeadm config images pull --config /root/new.yaml //通过新的new.yaml文件从指定的仓库拉取kubeadm组件镜像

（3）集群初始化

[root@k8s-master ~]# kubeadm init --config /root/new.yaml --upload-certs
后面这些记得保存，后面添加节点要用：
kubeadm join 192.168.1.11:6443 --token 7t2weq.bjbawausm0jaxury \
--discovery-token-ca-cert-hash sha256:47ed12a3edb4c5d68ad413f4113a08a98c50f6b7805d8e668f667819827f01d2

（4）初始化失败排查

I.初始化重置

如果初始化失败，重置后再次初始化，命令如下（没有失败不要执⾏！！！）
[root@k8s-master ~]# kubeadm reset -f ; ipvsadm --clear ; rm -rf ~/.kube

II.如果初始化不成功

通过⽇志找到错误原因：CentOS⽇志路径：/var/log/messages

1.内存必须大点，2核2G
2.echo 1 > /proc/net/ipv4/ip_foeward
3.kubelet无法启动（连接超时）
   （1）swap虚拟分区没关
   （2）没有配置文件
   （3）配置文件IP错误（new.yaml）
4.Containerd 配置⽂件错误（vim /etc/containerd/config.toml）

（5）加载环境变量

[root@k8s-master ~]# vim .bashrc
export KUBECONFIG=/etc/kubernetes/admin.conf
[root@k8s-master ~]# source .bashrc

拍个快照吧

4.Node 节点配置

（1）node 加⼊集群（在node1和node2里面做）

[root@k8s-node1 ~]# kubeadm join 192.168.1.11:6443 --token 7t2weq.bjbawausm0jaxury --discovery-token-ca-cert-hash sha256:47ed12a3edb4c5d68ad413f4113a08a98c50f6b7805d8e668f667819827f01d2
[root@k8s-node2 ~]# kubeadm join 192.168.1.11:6443 --token 7t2weq.bjbawausm0jaxury --discovery-token-ca-cert-hash sha256:47ed12a3edb4c5d68ad413f4113a08a98c50f6b7805d8e668f667819827f01d2

（2）查看集群状态

[root@k8s-master ~]# kubectl get node //获取所有节点信息
NAME STATUS ROLES AGE VERSION
k8s-master NotReady control-plane 39m v1.28.2
k8s-node1 NotReady <none> 3m7s v1.28.2
k8s-node2 NotReady <none> 2m39s v1.28.2

（3）查看容器和节点状态

[root@k8s-master ~]# kubectl get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-6554b8b87f-2gtst 0/1 Pending 0 52m
kube-system coredns-6554b8b87f-m6wsw 0/1 Pending 0 52m
kube-system etcd-k8s-master 1/1 Running 1 53m
kube-system kube-apiserver-k8s-master 1/1 Running 1 53m
kube-system kube-controller-manager-k8s-master 1/1 Running 1 53m
kube-system kube-proxy-r2xmz 1/1 Running 0 16m
kube-system kube-proxy-tthq6 1/1 Running 0 52m
kube-system kube-proxy-xgtmk 1/1 Running 0 16m
kube-system kube-scheduler-k8s-master 1/1 Running 1 53m

5.Calico组件安装

（1）切换git分支

[root@k8s-master ~]# cd k8s-ha-install/
[root@k8s-master k8s-ha-install]# git checkout manual-installation-v1.28.x
分支 manual-installation-v1.28.x 设置为跟踪来自 origin 的远程分支 manual-installation-v1.28.x。
切换到一个新分支 'manual-installation-v1.28.x'
[root@k8s-master k8s-ha-install]# cd calico/

（2）修改Pod网段

[root@k8s-master calico]# cat ~/new.yaml | grep Sub
podSubnet: 172.16.0.0/16
serviceSubnet: 10.96.0.0/16
[root@k8s-master calico]# POD_SUBNET=`cat /etc/kubernetes/manifests/kube-controller-manager.yaml | grep cluster-cidr= | awk -F= '{print $NF}'`
[root@k8s-master calico]# sed -i "s#POD_CIDR#${POD_SUBNET}#g" calico.yaml
[root@k8s-master calico]# kubectl apply -f calico.yaml
[root@k8s-master calico]# kubectl get po -n kube-system