Step-by-step tutorial: building a Kubernetes 1.18.6 cluster from scratch on CentOS 7.6 (with a guide to image-pull pitfalls)

张开发
2026/4/17 17:44:49, 15 min read


When you first meet Kubernetes, its architecture and the amount of configuration can be intimidating. Don't worry: this tutorial walks you through building a complete Kubernetes cluster from scratch, and pays particular attention to the image-pull problems you are likely to hit on networks inside China, with several ways around them.

1. Environment preparation and system configuration

Before starting, make sure you have at least three virtual or physical machines running CentOS 7.6. The official recommendation is at least two CPU cores and 2 GB of RAM per machine. The lab environment used in this tutorial:

| Hostname   | IP address      | Role          | OS         |
|------------|-----------------|---------------|------------|
| k8s-master | 192.168.203.212 | control plane | CentOS 7.6 |
| k8s-node1  | 192.168.203.213 | worker        | CentOS 7.6 |
| k8s-node2  | 192.168.203.214 | worker        | CentOS 7.6 |

Tip: before you begin, make sure the MAC address and product_uuid of every node are unique. Cloned VMs frequently share them, and Kubernetes uses them to tell nodes apart. Check with:

```bash
ip link
cat /sys/class/dmi/id/product_uuid
```

1.1 Basic environment configuration

Run the following steps on every node.

Update the system and install the required tools:

```bash
yum install -y epel-release conntrack ipvsadm ipset jq sysstat curl iptables libseccomp
```

Disable the firewall and SELinux:

```bash
systemctl stop firewalld
systemctl disable firewalld
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -P FORWARD ACCEPT
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
```

Note: firewalld is turned off so that it cannot interfere with the iptables rules that kube-proxy and the CNI plugin install. That also leaves the API server (6443), etcd (2379-2380) and kubelet (10250) ports open to anything that can reach the host, so outside an isolated lab network keep the nodes behind a network-level firewall or re-enable firewalld with explicit rules for those ports.

Disable swap (the kubelet refuses to start while swap is enabled):

```bash
swapoff -a
sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
```

1.2 Kernel parameter tuning

Kubernetes has a few special requirements of the Linux kernel. First load the IPVS and bridge-netfilter modules (the commands are saved as a script so they can be re-run after a reboot):

```bash
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
modprobe -- br_netfilter
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules
bash /etc/sysconfig/modules/ipvs.modules
```

(nf_conntrack_ipv4 is the module name on the CentOS 7 3.10 kernel; on kernel 4.19 and later it is simply nf_conntrack.)

Then set the kernel parameters:

```bash
cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
net.ipv4.tcp_tw_recycle=0
vm.swappiness=0
vm.overcommit_memory=1
vm.panic_on_oom=0
fs.inotify.max_user_watches=89100
fs.file-max=52706963
fs.nr_open=52706963
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max=2310720
EOF
sysctl -p /etc/sysctl.d/k8s.conf
```

The br_netfilter module must already be loaded when sysctl -p runs, otherwise the net.bridge.* keys do not exist and the command fails. net.bridge.bridge-nf-call-iptables=1 and net.ipv4.ip_forward=1 are the settings kubeadm's preflight checks require; the remaining entries are tuning.
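Before running kubeadm it is worth confirming that the settings from 1.1 and 1.2 actually took effect on each node, and that cloned VMs do not share identifiers. The script below is an added example, not part of the original tutorial. Each check takes the file it inspects as a parameter, so the same functions run against a live node (run_preflight with no argument) or against copied files. The subset of sysctl keys it insists on, the module list, and the "hostname mac product_uuid" format of the node-identity file are my assumptions; the remaining entries of k8s.conf are tuning and are not checked.

```bash
#!/usr/bin/env bash
# k8s-preflight.sh: check the host settings from sections 1.1 and 1.2.
# Added example, not from the original tutorial. Every check takes the
# file it reads as a parameter, so the same functions run against a live
# node (paths under /) or against copies of those files.

# Subset of /etc/sysctl.d/k8s.conf that kubeadm and the CNI plugin rely
# on (assumption: the rest of the file is tuning and is not checked).
REQUIRED_SYSCTL="net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
vm.swappiness=0"

# Modules loaded by /etc/sysconfig/modules/ipvs.modules in section 1.2.
REQUIRED_MODULES="ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack_ipv4 br_netfilter"

# check_sysctl_file FILE: every required key=value must appear in FILE
# (spaces around '=' are tolerated, as sysctl itself tolerates them).
# Prints the missing entries and returns 1 if any are absent.
check_sysctl_file() {
    local file=$1 missing=0 entry key val
    for entry in $REQUIRED_SYSCTL; do
        key=$(printf '%s' "${entry%%=*}" | sed 's/\./\\./g')   # dots are literal
        val=${entry#*=}
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${val}[[:space:]]*$" "$file"; then
            echo "sysctl missing or wrong: $entry"
            missing=1
        fi
    done
    return $missing
}

# check_swap_off PROC_SWAPS: /proc/swaps holds only its header line when
# no swap device is active.
check_swap_off() {
    [ "$(grep -c . "$1")" -le 1 ]
}

# check_selinux_config FILE: /etc/selinux/config must not say enforcing,
# otherwise the node comes back enforcing after a reboot even though
# `setenforce 0` worked for the current boot.
check_selinux_config() {
    grep -Eq '^SELINUX=(disabled|permissive)[[:space:]]*$' "$1"
}

# check_modules PROC_MODULES: every module from ipvs.modules must be
# listed in /proc/modules (the module name is the first field).
check_modules() {
    local file=$1 missing=0 m
    for m in $REQUIRED_MODULES; do
        if ! grep -q "^$m " "$file"; then
            echo "module not loaded: $m"
            missing=1
        fi
    done
    return $missing
}

# check_unique_ids FILE: FILE holds one "hostname mac product_uuid" line
# per node, gathered with `ip link` and /sys/class/dmi/id/product_uuid
# (assumed format). Cloned VMs share these; kubeadm needs them unique.
check_unique_ids() {
    local dups
    dups=$(awk '{print $2; print $3}' "$1" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicated node identifiers:"
        echo "$dups"
        return 1
    fi
}

# run_preflight [ROOT]: run every per-node check. ROOT defaults to the
# live system; pass a directory with the same layout to check copies.
run_preflight() {
    local root=${1:-} rc=0
    check_sysctl_file "$root/etc/sysctl.d/k8s.conf" || rc=1
    check_swap_off "$root/proc/swaps" || { echo "swap is still active"; rc=1; }
    check_selinux_config "$root/etc/selinux/config" || { echo "SELinux not disabled in config"; rc=1; }
    check_modules "$root/proc/modules" || rc=1
    return $rc
}

# Only touch the live node when asked, so sourcing the file for its
# functions has no side effects: PREFLIGHT_RUN=1 bash k8s-preflight.sh
if [ -n "${PREFLIGHT_RUN:-}" ]; then
    run_preflight && echo "preflight OK"
fi
```

Run it on every node after section 1.2 and again after the first reboot, which is when a forgotten /etc/fstab entry or an SELINUX=enforcing line shows up. The identity check is run once, from the master, on a file collected from all nodes.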
2. Installing and configuring Docker

Kubernetes 1.18.6 recommends Docker as the container runtime. Install it as follows.

2.1 Install Docker CE

```bash
# Remove old versions
yum remove docker \
    docker-client \
    docker-client-latest \
    docker-common \
    docker-latest \
    docker-latest-logrotate \
    docker-logrotate \
    docker-selinux \
    docker-engine-selinux \
    docker-engine

# Install dependencies
yum install -y yum-utils device-mapper-persistent-data lvm2

# Add the Aliyun Docker CE repository
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

# Install Docker
yum makecache fast
yum -y install docker-ce
```

Two things to watch. `yum -y install docker-ce` installs the newest Docker CE in the repository; Kubernetes 1.18 was validated against Docker 19.03, so list the available builds with `yum list docker-ce --showduplicates` and pin one of those. And the repository definition above is fetched over plain http; the same path is served over https, so prefer that for the --add-repo URL (the package signatures are still checked, because the repo file it fetches has gpgcheck enabled).

2.2 Configure Docker

```bash
# Configure the Aliyun registry mirror and the cgroup driver
mkdir -p /etc/docker
tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://bk6kzfqm.mirror.aliyuncs.com"],
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ]
}
EOF

# Start Docker and enable it at boot
systemctl daemon-reload
systemctl restart docker
systemctl enable docker
```

Note: the kubelet and Docker must agree on the cgroup driver, and systemd is the recommended driver on a systemd host; that is why daemon.json sets "exec-opts": ["native.cgroupdriver=systemd"]. Confirm it took effect with `docker info -f '{{.CgroupDriver}}'`, which should print systemd. The registry-mirrors entry is the author's personal accelerator address; Aliyun issues one per account, so substitute your own. Keep in mind that a mirror is a party you trust for the tag-to-digest mapping of every image you pull through it; Docker verifies layers against the digest in the manifest it receives, but which digest a tag resolves to is whatever the mirror serves, so pin images by digest where that matters.

3. Installing the Kubernetes components

3.1 Configure the Kubernetes yum repository

```bash
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
yum makecache fast
```

Caveat: gpgcheck=0 disables signature verification of the kubelet, kubeadm and kubectl packages, leaving TLS to the mirror as the only protection. The two keys named in gpgkey are the ones that sign these packages, so set gpgcheck=1 (repo_gpgcheck=0 can stay; the repomd signature check is what usually fails on mirrors) and fall back to 0 only if the key download itself is the problem.

3.2 Install kubeadm, kubelet and kubectl

```bash
yum install -y kubelet-1.18.6 kubeadm-1.18.6 kubectl-1.18.6
systemctl enable --now kubelet
```

The kubelet restarts in a loop until kubeadm init or kubeadm join has written its configuration; that is expected at this stage.

3.3 Configure command completion

```bash
yum install bash-completion -y
kubectl completion bash > /etc/bash_completion.d/kubectl
kubeadm completion bash > /etc/bash_completion.d/kubeadm
```
4. Pulling images and avoiding the pitfalls

On networks inside China, pulling directly from k8s.gcr.io often fails. Here are several ways around it.

4.1 Use the Aliyun image registry

```bash
# List the images this version needs
kubeadm config images list --kubernetes-version v1.18.6
```

The output looks like this:

```
k8s.gcr.io/kube-apiserver:v1.18.6
k8s.gcr.io/kube-controller-manager:v1.18.6
k8s.gcr.io/kube-scheduler:v1.18.6
k8s.gcr.io/kube-proxy:v1.18.6
k8s.gcr.io/pause:3.2
k8s.gcr.io/etcd:3.4.3-0
k8s.gcr.io/coredns:1.6.7
```

The following script pulls the same images from Aliyun's mirror namespace, retags them under the k8s.gcr.io names kubeadm expects, and removes the mirror tags:

```bash
#!/bin/bash
set -e
KUBE_VERSION=v1.18.6
PAUSE_VERSION=3.2
CORE_DNS_VERSION=1.6.7
ETCD_VERSION=3.4.3-0
MIRROR=registry.cn-hangzhou.aliyuncs.com/google_containers

IMAGES="kube-apiserver:$KUBE_VERSION
kube-controller-manager:$KUBE_VERSION
kube-scheduler:$KUBE_VERSION
kube-proxy:$KUBE_VERSION
pause:$PAUSE_VERSION
coredns:$CORE_DNS_VERSION
etcd:$ETCD_VERSION"

for image in $IMAGES; do
    # Pull from Aliyun
    docker pull $MIRROR/$image
    # Retag under the name kubeadm expects
    docker tag $MIRROR/$image k8s.gcr.io/$image
    # Remove the mirror tag
    docker rmi $MIRROR/$image
done
```

Retagging is not actually necessary: `kubeadm init --image-repository registry.cn-hangzhou.aliyuncs.com/google_containers` (and `kubeadm config images pull --image-repository ...` to pre-pull) makes kubeadm fetch from the mirror directly, and the images keep a name that says where they really came from instead of masquerading as k8s.gcr.io.

4.2 Offline installation

If connectivity is very poor, install offline:

1. On a machine with Internet access, pull all the images.
2. Export them with docker save.
3. Copy the archive to the internal machine.
4. Import it with docker load.

```bash
# On the machine with Internet access
docker save $(docker images | grep -v REPOSITORY | awk 'BEGIN{OFS=":";ORS=" "}{print $1,$2}') -o k8s-1.18.6-images.tar

# On the internal machine
docker image load -i k8s-1.18.6-images.tar
```

This exports every image on the machine, not only the Kubernetes ones, so run it on a clean host or pass the image names explicitly. Record a checksum (sha256sum) of the archive before it is transferred and compare it on the internal side before loading.

5. Initializing the Kubernetes cluster

5.1 Initialize the cluster on the master node

```bash
kubeadm init \
    --kubernetes-version=v1.18.6 \
    --apiserver-advertise-address=192.168.203.212 \
    --pod-network-cidr=10.244.0.0/16 \
    --service-cidr=10.1.0.0/16
```

--pod-network-cidr=10.244.0.0/16 is Flannel's default; if you change it, change it in kube-flannel.yml as well. On success the output ends with a join command like the one below. Save it:

```
kubeadm join 192.168.203.212:6443 --token u7x1ds.5tiiipijzgoyhfim \
    --discovery-token-ca-cert-hash sha256:b2b18c68862df62971aaf94652acb447c437003d30f34a7e84f870ce17a1a3d4
```

The token is a bootstrap credential: any host that knows it can join the cluster, and it expires after 24 hours by default (kubeadm token create --print-join-command issues a fresh one). The --discovery-token-ca-cert-hash is the SHA-256 of the cluster CA's public key; the joining node uses it to verify that the API server it is talking to belongs to this cluster, so do not drop it or replace it with --discovery-token-unsafe-skip-ca-verification outside a throwaway lab.

5.2 Configure kubectl

```bash
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
```

admin.conf holds a client certificate in the system:masters group, i.e. full cluster-admin rights; keep the copy readable only by you (chmod 600).

5.3 Install the network plugin

Kubernetes needs a network plugin for Pod-to-Pod communication. Using Flannel:

```bash
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
```

Or with a domestic mirror for the Flannel image:

```bash
curl -o kube-flannel.yml https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
sed -i 's/quay.io\/coreos\/flannel/quay-mirror.qiniu.com\/coreos\/flannel/g' kube-flannel.yml
kubectl apply -f kube-flannel.yml
rm -f kube-flannel.yml
```

Both commands apply whatever is on Flannel's master branch on the day you run them. For a reproducible cluster, download the manifest from a tagged release, read it, and keep the copy with your cluster configuration instead of deleting it.
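Returning to the image-pull section: the script below generalises the retag script from 4.1 and the docker save step from 4.2. It is an added example, not part of the original tutorial. It reads an image list in the format printed by kubeadm config images list (a constructed copy of the 4.1 list is embedded as sample input), rewrites each reference to the Aliyun namespace, and prints the pull/tag/rmi commands for review instead of running them; the manifest helpers record and verify sha256 checksums of the exported tarballs so that an archive carried into an offline network is checked before docker load. The mirror namespace is the one used in 4.1; the SHA256SUMS file name is my convention.

```bash
#!/usr/bin/env bash
# k8s-images.sh: generalises the retag script from 4.1 and the docker save
# step from 4.2. Added example, not from the original tutorial.
# Reads an image list in the format printed by `kubeadm config images list`,
# rewrites each reference to the mirror namespace, and prints the
# pull/tag/rmi commands for review; the manifest helpers record and verify
# sha256 checksums of exported tarballs before they are loaded offline.

UPSTREAM=k8s.gcr.io
MIRROR=registry.cn-hangzhou.aliyuncs.com/google_containers

# Constructed sample input: the v1.18.6 list shown in section 4.1.
SAMPLE_IMAGE_LIST='k8s.gcr.io/kube-apiserver:v1.18.6
k8s.gcr.io/kube-controller-manager:v1.18.6
k8s.gcr.io/kube-scheduler:v1.18.6
k8s.gcr.io/kube-proxy:v1.18.6
k8s.gcr.io/pause:3.2
k8s.gcr.io/etcd:3.4.3-0
k8s.gcr.io/coredns:1.6.7'

# mirror_ref REF: map "k8s.gcr.io/<name>:<tag>" onto the mirror's flat
# namespace. Only the registry prefix changes; name and tag are kept, and
# an image from any other registry is rejected rather than silently rewritten.
mirror_ref() {
    case $1 in
        "$UPSTREAM"/*) printf '%s/%s\n' "$MIRROR" "${1#$UPSTREAM/}" ;;
        *) echo "mirror_ref: not a $UPSTREAM image: $1" >&2; return 1 ;;
    esac
}

# mirror_commands < image-list: for every image print the pull, the retag
# under the upstream name kubeadm expects, and the removal of the mirror
# tag: what the script in 4.1 does, but as reviewable text (pipe into sh
# once it looks right).
mirror_commands() {
    local ref m
    while IFS= read -r ref; do
        [ -n "$ref" ] || continue
        m=$(mirror_ref "$ref") || return 1
        printf 'docker pull %s\n' "$m"
        printf 'docker tag %s %s\n' "$m" "$ref"
        printf 'docker rmi %s\n' "$m"
    done
}

# write_manifest DIR: record the sha256 of every *.tar in DIR (the output
# of docker save) in DIR/SHA256SUMS, which travels with the archives.
write_manifest() {
    ( cd "$1" && sha256sum ./*.tar > SHA256SUMS )
}

# verify_manifest DIR: on the offline side, confirm every archive still
# matches SHA256SUMS; non-zero means tampered, truncated or missing.
verify_manifest() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}
```

Typical use on the connected machine is `kubeadm config images list --kubernetes-version v1.18.6 | mirror_commands | sh`, then `docker save ... -o images/k8s-1.18.6-images.tar` followed by `write_manifest images`; on the internal machine `verify_manifest images && docker image load -i images/k8s-1.18.6-images.tar`. Because the manifest is copied over the same channel as the tarballs, read its checksums back to whoever produced them (or sign the file) if the transfer path itself is untrusted.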
6. Joining the worker nodes

On each worker node, run the kubeadm join command saved earlier:

```bash
kubeadm join 192.168.203.212:6443 --token u7x1ds.5tiiipijzgoyhfim \
    --discovery-token-ca-cert-hash sha256:b2b18c68862df62971aaf94652acb447c437003d30f34a7e84f870ce17a1a3d4
```

Then check the node status on the master:

```bash
kubectl get nodes
```

A worker reports NotReady until the Flannel Pod is running on it.

7. Deploying the Kubernetes Dashboard

The Kubernetes Dashboard provides a web UI for managing the cluster.

7.1 Deploy the Dashboard

```bash
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml
```

7.2 Create the access Service

recommended.yaml already creates a ClusterIP Service named kubernetes-dashboard, so `kubectl expose deployment kubernetes-dashboard` without a --name fails with "already exists". Give the NodePort Service its own name (or patch the existing Service's type to NodePort):

```bash
kubectl expose deployment kubernetes-dashboard -n kubernetes-dashboard \
    --name kubernetes-dashboard-nodeport --type=NodePort --port=443 --target-port=8443
kubectl -n kubernetes-dashboard get svc    # shows the assigned node port
```

7.3 Create an administrator account

```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
EOF

cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
EOF
```

This binds the account to cluster-admin, and the ServiceAccount token that 1.18 issues for it is a long-lived secret that never expires, so whoever obtains the token owns the cluster. That is acceptable for a lab; for anything shared, bind a narrower role (the built-in view ClusterRole for read-only access) and delete the binding when it is no longer needed.

7.4 Get the access token

```bash
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
```

Copy the token from the output, then open the Dashboard at https://master-ip:node-port, where node-port is the port shown by kubectl get svc in 7.2. The browser will warn about the Dashboard's self-signed certificate.

8. Troubleshooting common problems

Various things can go wrong during the build. The most common ones and their fixes:

kubelet will not start
- Check that Docker is running.
- Check that the cgroup driver configuration matches between Docker and the kubelet.
- Read the log: journalctl -xeu kubelet

Node stuck in NotReady
- Check that the network plugin was installed successfully.
- Check that kube-proxy is running.
- Inspect the node: kubectl describe node <node-name>

Image pull failures
- Try the Aliyun image registry.
- Consider the offline installation approach.
- Check that the registry mirror configured in Docker is in effect (docker info lists it under Registry Mirrors).

Dashboard not reachable
- Check that the Service's NodePort is exposed correctly.
- Check whether a firewall is blocking the port.
- Make sure the token was copied completely.

9. Cluster maintenance recommendations

Regular backups
- Back up the /etc/kubernetes directory (it contains the cluster CA and all control-plane private keys, so store the copy encrypted).
- Back up ~/.kube/config.
- Use etcdctl to snapshot the cluster data.

Version upgrades
- Upgrade kubeadm first, then the control-plane nodes, then the worker nodes.

Monitoring and logging
- Deploy Prometheus to monitor cluster state.
- Set up EFK for log collection.
- Configure appropriate alerting rules.

Security hardening
- Rotate certificates regularly (kubeadm-issued certificates are valid for one year).
- Restrict access to the Dashboard.
- Use network policies to limit Pod-to-Pod traffic (Flannel does not enforce NetworkPolicy, so this needs a CNI plugin that does, such as Calico, or Canal alongside Flannel).
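The "restrict access to the Dashboard" item above, together with the cluster-admin binding in 7.3, is easier to follow with a manifest generator that defaults to the read-only role. The script below is an added example, not part of the original tutorial. The account name and namespace default to the Dashboard's own namespace from recommended.yaml; the refusal to bind cluster-admin without an explicit override is my policy choice, not something the Dashboard or kubeadm enforces.

```bash
#!/usr/bin/env bash
# dashboard-user.sh: Dashboard login accounts with a chosen ClusterRole,
# instead of the unconditional cluster-admin binding from section 7.3.
# Added example, not from the original tutorial.

# dashboard_user_manifest NAME [CLUSTERROLE] [NAMESPACE]: print the
# ServiceAccount plus ClusterRoleBinding. CLUSTERROLE defaults to the
# built-in read-only "view" role. Binding cluster-admin is refused unless
# DASHBOARD_ALLOW_CLUSTER_ADMIN=1 is set, so the lab shortcut from 7.3
# has to be asked for by name (policy of this script, not of Kubernetes).
dashboard_user_manifest() {
    local name=$1 role=${2:-view} ns=${3:-kubernetes-dashboard}
    if [ -z "$name" ]; then
        echo "usage: dashboard_user_manifest <name> [clusterrole] [namespace]" >&2
        return 1
    fi
    if [ "$role" = cluster-admin ] && [ "${DASHBOARD_ALLOW_CLUSTER_ADMIN:-}" != 1 ]; then
        echo "refusing to bind cluster-admin to $ns/$name; set DASHBOARD_ALLOW_CLUSTER_ADMIN=1 to override" >&2
        return 1
    fi
    cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${name}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-${name}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${role}
subjects:
- kind: ServiceAccount
  name: ${name}
  namespace: ${ns}
EOF
}

# manifest_role MANIFEST: the ClusterRole a rendered manifest binds to,
# for reviewing what an account will be able to do before applying it.
manifest_role() {
    printf '%s\n' "$1" | awk '/^roleRef:/{r=1} r && /^  name:/{print $2; exit}'
}
```

Apply with `dashboard_user_manifest viewer | kubectl apply -f -`, then read the token with `kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa viewer -o jsonpath='{.secrets[0].name}') -o jsonpath='{.data.token}' | base64 -d`. A viewer can browse every namespace but cannot exec into Pods or read Secrets' contents; when a session with more rights is really needed, create a separate account for it and `kubectl delete clusterrolebinding dashboard-<name>` as soon as it is done, since the token itself does not expire.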
10. Performance tuning tips

Adjust kubelet parameters:

```
--max-pods=110 --kube-api-qps=100 --kube-api-burst=100
```

Enable IPVS mode for kube-proxy:

```bash
kubectl edit configmap kube-proxy -n kube-system
# change mode to "ipvs"; the kube-proxy Pods must be restarted to pick it up
```

Optimize etcd:
- Use SSD storage.
- Increase etcd's heartbeat-interval and election-timeout moderately.
- Consider running etcd as a separate cluster.

Reserve node resources for the kubelet and the system:

```
--kube-reserved=cpu=500m,memory=1Gi --system-reserved=cpu=500m,memory=1Gi
```

In practice, the problems I run into most often are network related. In hybrid-cloud or multi-data-centre environments in particular, the network policy design and the choice of CNI plugin directly affect cluster stability and performance, so validate the network design thoroughly in a test environment before deploying to production.
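The kubelet flags and the kube-proxy ConfigMap edit above, the kubeadm init flags from 5.1 and the mirror from 4.1 can all be declared up front in a kubeadm configuration file, which avoids editing the running cluster afterwards. The generator below is an added example, not part of the original tutorial. It uses the API versions kubeadm 1.18 serves (v1beta2 for the kubeadm types, v1alpha1 for kube-proxy, v1beta1 for the kubelet); the imageRepository is the Aliyun namespace from 4.1, and the reservation and maxPods values are the ones quoted in section 10. The config_has helper and its use of grep are my addition.

```bash
#!/usr/bin/env bash
# kubeadm-config.sh: the cluster from section 5.1 as a kubeadm
# configuration file that also carries the kube-proxy IPVS mode, the kubelet
# parameters and the node reservations from section 10. Added example, not
# from the original tutorial. imageRepository reuses the Aliyun namespace
# from section 4.1, so kubeadm pulls from the mirror directly instead of
# relying on images retagged as k8s.gcr.io.

# render_kubeadm_config ADVERTISE_IP: print the multi-document manifest.
render_kubeadm_config() {
    local ip=$1
    if [ -z "$ip" ]; then
        echo "usage: render_kubeadm_config <advertise-address>" >&2
        return 1
    fi
    cat <<EOF
apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: ${ip}
  bindPort: 6443
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.18.6
# pull control-plane images from the mirror under their own name
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
networking:
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.1.0.0/16
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
# replaces editing the kube-proxy ConfigMap after the fact (section 10)
mode: ipvs
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# must match Docker's native.cgroupdriver from section 2.2
cgroupDriver: systemd
# the kubelet flags from section 10, as configuration fields
maxPods: 110
kubeAPIQPS: 100
kubeAPIBurst: 100
kubeReserved:
  cpu: 500m
  memory: 1Gi
systemReserved:
  cpu: 500m
  memory: 1Gi
EOF
}

# config_has FILE KEY VALUE: quick check that a rendered file carries the
# "KEY: VALUE" line you expect before kubeadm sees it.
config_has() {
    grep -Eq "^[[:space:]]*$2:[[:space:]]*$3[[:space:]]*$" "$1"
}
```

Render with `render_kubeadm_config 192.168.203.212 > kubeadm-config.yaml`, pre-pull with `kubeadm config images pull --config kubeadm-config.yaml`, and initialise with `kubeadm init --config kubeadm-config.yaml`. kubeadm rejects mixing --config with the individual flags from 5.1, so once you use the file, everything goes in the file; keep it under version control next to the Flannel manifest, since it is the authoritative record of how the control plane was built.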
