1、关闭selinux&firewalld
# Stop firewalld now and keep it off across reboots.
# NOTE(review): this removes the host firewall entirely. On a host reachable
# from outside the cluster network, prefer keeping firewalld and opening only
# the ports kubeadm/containerd actually need.
systemctl disable --now firewalld
# SELinux: permissive for the current boot, disabled from the next boot on.
# NOTE(review): kubeadm only needs permissive; "disabled" drops container label
# confinement for good (step 9 also sets enable_selinux = false in containerd).
# The sed only rewrites "enforcing"; a config already at "permissive" is left as-is.
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/g' /etc/selinux/config
2、关闭swap
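# Disable swap now, and comment out swap entries so it stays off after reboot.
# The original pattern `swap*` means "swa" followed by zero or more "p", so it
# commented out ANY uncommented fstab line containing "swa". Match the swap
# filesystem-type column (whitespace-delimited "swap") instead.
swapoff -a
sed -i '/^[^#].*[[:space:]]swap[[:space:]]/s/^/#/' /etc/fstab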
3、安装依赖及常用工具
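# Dependencies and everyday tools (the original listed yum-utils twice).
yum install -y yum-utils device-mapper-persistent-data lvm2 wget vim net-tools epel-release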
添加加载的内核模块
# Load overlay (containerd's default snapshotter) and br_netfilter (required for
# the net.bridge.bridge-nf-call-* sysctls set in step 5) on every boot.
sudo tee /etc/modules-load.d/containerd.conf <<'EOF'
overlay
br_netfilter
EOF
4、加载内核模块
# Load the same two modules now, without waiting for a reboot.
for kmod in overlay br_netfilter; do
  modprobe "$kmod"
done
5、设置内核参数
# Kernel parameters for Kubernetes networking: bridged pod traffic must pass
# through iptables (so kube-proxy/CNI rules see it) and the node must forward.
sudo tee /etc/sysctl.d/99-kubernetes-cri.conf <<'EOF'
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
6、应用内核参数
# Apply every file under /etc/sysctl.d (including the one written above) now,
# without a reboot.
sysctl --system
7、添加docker源
# Docker CE repository served by the Aliyun mirror. gpgcheck=1 makes yum verify
# every RPM signature against the key at gpgkey.
# NOTE(review): the key itself is fetched from the same mirror, so the first
# import still trusts the mirror; compare its fingerprint with the one Docker
# publishes at download.docker.com if that matters in your environment.
sudo tee /etc/yum.repos.d/docker-ce.repo <<'EOF'
[docker]
name=docker-ce
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
EOF
8、安装containerd
# Full system update first (this upgrades every installed package, kernel
# included), then install containerd from the repo added in step 7.
# NOTE(review): on a change-managed host, drop `yum -y update` and run only
# the install.
yum -y update && yum -y install containerd.io
# To pin a specific release: yum -y install containerd.io-x.x.x
# To upgrade the OS afterwards: yum -y update
9、配置containerd
# Generate containerd's default configuration; steps (1)-(3) below edit it.
mkdir -p /etc/containerd
containerd config default | sudo tee /etc/containerd/config.toml
(1)修改cgroup Driver为systemd
在配置文件的 [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] 段下添加 SystemdCgroup = true（需与步骤18中 kubelet 的 --cgroup-driver=systemd 保持一致，否则 kubelet 无法正常启动）
(2)镜像加速
endpoint位置添加阿里云的镜像源
$ vim /etc/containerd/config.toml
# Redirect pulls for docker.io through an Aliyun accelerator (replace xxxxxxxx
# with your own accelerator id).
# NOTE(review): the mirror operator now sits in the image supply chain for every
# docker.io pull; for anything production-facing, pull by digest or mirror the
# images into a registry you control.
[plugins."io.containerd.grpc.v1.cri".registry]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://xxxxxxxx.mirror.aliyuncs.com"]
(3)更改sandbox_image
$ vim /etc/containerd/config.toml
...
[plugins."io.containerd.grpc.v1.cri"]
# The CRI gRPC service is not exposed over TCP, only over the unix socket.
disable_tcp_service = true
# exec/attach/port-forward stream server bound to loopback; port "0" lets the
# OS pick one, so it is reachable only by local processes (kubelet).
stream_server_address = "127.0.0.1"
stream_server_port = "0"
stream_idle_timeout = "4h0m0s"
# Consistent with step 1, where SELinux was disabled host-wide.
enable_selinux = false
selinux_category_range = 1024
# Change this to the Aliyun mirror: pull the pause (sandbox) image from there
# instead of the upstream default registry.
# NOTE(review): a tag, not a digest, is trusted here; pin a digest if the mirror
# is not under your control.
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.4.1"
10、启动服务
# Enable containerd at boot and start it now.
systemctl enable --now containerd
11、(可选)如果你的环境需要通过网络代理访问外网,containerd 也需要单独配置代理(镜像拉取由守护进程完成,不会继承当前 shell 的代理变量)
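# Optional: hand the outbound HTTP proxy to containerd via a systemd drop-in
# (image pulls happen in the daemon, which does not inherit the shell's env).
# `mkdir -p` so re-running this step does not fail on an existing directory.
# NOTE(review): NO_PROXY must also list 127.0.0.1/localhost, the node IPs, the
# pod and Service CIDRs and any internal registry, otherwise containerd sends
# that traffic to the proxy. If the proxy URL carries credentials, tighten the
# file mode — systemd drop-ins are normally created world-readable (0644).
mkdir -p /etc/systemd/system/containerd.service.d
cat <<'EOF' > /etc/systemd/system/containerd.service.d/http_proxy.conf
[Service]
Environment="HTTP_PROXY=http://<proxy_ip>:<proxy_port>/"
Environment="HTTPS_PROXY=http://<proxy_ip>:<proxy_port>/"
Environment="NO_PROXY=x.x.x.x,x.x.x.x"
EOF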
12、加载配置并重启服务
# Pick up the drop-in (and the edited config.toml) and restart containerd.
systemctl daemon-reload && systemctl restart containerd
13、下载镜像检测containerd是否正常
# Smoke test: pull an image with ctr. Note this goes straight to docker.io —
# ctr does not use the CRI registry mirror configured in step 9 (see step 16).
ctr images pull docker.io/library/nginx:alpine
ctr是containerd自带的命令行客户端
14、添加kubernetes 源
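# Kubernetes repository via the Aliyun mirror.
# gpgcheck=1 / repo_gpgcheck=1 make yum verify package and metadata signatures
# against the two keys listed in gpgkey. The original set both to 0 while still
# listing the keys, which accepts any RPM the mirror serves — the signature is
# the only check that does not depend on trusting the mirror.
# NOTE(review): on CentOS 7's yum, repo_gpgcheck=1 is known to fail against some
# mirrors; if it does, lower only repo_gpgcheck to 0 and keep gpgcheck=1.
# To keep a later `yum update` from moving kubelet/kubeadm/kubectl off the
# pinned version, add `exclude=kubelet kubeadm kubectl` here and install them
# with `--disableexcludes=kubernetes`.
cat <<'EOF' > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF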
15、安装kubeadm,kubelet和kubectl
# Install kubelet, kubeadm and kubectl pinned to the same release, and enable
# kubelet so it starts once kubeadm has written its configuration.
# NOTE(review): nothing here prevents a later `yum update` from upgrading these
# three; add `exclude=kubelet kubeadm kubectl` to the repo and install with
# `--disableexcludes=kubernetes` if the version must stay fixed.
k8s_version=1.21.0
yum install -y "kubelet-${k8s_version}" "kubeadm-${k8s_version}" "kubectl-${k8s_version}"
systemctl enable kubelet
16、设置crictl
使用除 docker 以外的 CRI 时,需要使用 crictl 来进行镜像管理,相当于 docker-cli
Containerd 只支持通过 CRI 拉取镜像的 mirror,也就是说,只有通过 crictl 或者 Kubernetes 调用时 mirror 才会生效,通过 ctr 拉取是不会生效的。crictl是k8s内部的镜像管理命令。
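# Point crictl at containerd's CRI socket. Written with `>`: the original used
# `>>`, so running the step a second time appended a duplicate set of keys.
cat <<'EOF' > /etc/crictl.yaml
runtime-endpoint: unix:///var/run/containerd/containerd.sock
image-endpoint: unix:///var/run/containerd/containerd.sock
timeout: 10
debug: false
EOF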
17、下载镜像
# Pull through CRI; unlike ctr, this honours the docker.io mirror from step 9.
# NOTE(review): a floating tag like :latest is fine for a connectivity check but
# should not be used for anything you deploy.
crictl pull nginx:latest
crictl基本上与docker用法一致
18、对接kubelet
# Point kubelet at containerd over CRI.
vi /etc/sysconfig/kubelet
# File contents. The socket is the same one crictl uses in step 16 (on CentOS 7
# /var/run is normally a symlink to /run, so both spellings resolve to it).
# --cgroup-driver=systemd must match SystemdCgroup = true in containerd's
# config; a mismatch is a common reason for kubelet failing to start.
KUBELET_EXTRA_ARGS=--container-runtime=remote --container-runtime-endpoint=unix:///run/containerd/containerd.sock --cgroup-driver=systemd
19、master需要重新创建token,可以直接使用命令快捷生成:
# Prints a ready-to-run `kubeadm join ...` containing a fresh bootstrap token
# and the CA certificate hash. The token is a node-join credential (time-limited,
# 24h by default): pass it to the worker over a trusted channel, keep it out of
# tickets/chat, and revoke it with `kubeadm token delete <token>` once the
# worker has joined.
kubeadm token create --print-join-command
生成的命令在worknode上执行加入集群
若拉取镜像超时,可在 worknode 上手工拉取 kube-proxy、coredns、pause 镜像后再执行 join
20、master 节点再次执行 kubectl apply -f calico.yaml,使 worknode 节点部署 calico 网络组件。