
As is well known, Kubernetes removed the Dockershim code as of 1.24. Below are the steps I put together for building a cluster that uses containerd as the runtime from within China's network environment.

1. System preparation

# Allow iptables to see bridged traffic (requires the br_netfilter module; overlay is containerd's snapshotter)
sudo tee /etc/modules-load.d/containerd.conf << EOF
overlay
br_netfilter
EOF

sudo tee /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables  = 1
net.ipv4.ip_forward                 = 1
EOF

# Apply the settings
sudo modprobe overlay br_netfilter
sudo sysctl --system

# Disable swap (the kubelet refuses to start with swap enabled by default);
# swapoff only lasts until reboot, so also remove the swap entry from /etc/fstab
sudo swapoff -a

2. Install the Kubernetes components

2.1 Debian/Ubuntu

# Install containerd (the repository signing key is fetched over https so it cannot be altered in transit)
curl -sL https://mirrors.aliyun.com/docker-ce/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/docker-ce.gpg
echo "deb https://mirrors.aliyun.com/docker-ce/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt update
sudo apt install -y containerd.io

# Install kubeadm, kubelet and kubectl (pinned to one version)
curl -sL https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/kubernetes-archive-keyring.gpg
echo "deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt update
sudo apt install -y kubeadm=1.21.14-00 kubectl=1.21.14-00 kubelet=1.21.14-00

2.2 CentOS

# Install containerd
sudo curl https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo
sudo yum install -y containerd.io
sudo systemctl enable containerd

# Install kubeadm, kubelet and kubectl (the repo stays disabled by default and is enabled only for this install)
sudo tee /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=0
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
sudo yum install -y --enablerepo=kubernetes kubeadm-1.21.14 kubelet-1.21.14 kubectl-1.21.14
sudo systemctl enable kubelet

2.3 Configure the container runtime

# Write a minimal containerd config (this overwrites any existing /etc/containerd/config.toml)
sudo tee /etc/containerd/config.toml << 'EOF'
version = 2
[plugins."io.containerd.grpc.v1.cri"]
  # pause image pulled from a domestic mirror
  sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.6"
  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
    runtime_type = "io.containerd.runc.v2"
    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
      # systemd cgroup driver; the kubelet must be configured with the same driver
      SystemdCgroup = true
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://hub-mirror.c.163.com"]
  # local registry reached over plain http: images pulled from it are not protected in transit
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"]
    endpoint = ["http://registry.lan:5000"]
EOF
sudo systemctl restart containerd

# Add shell completion and point kubectl at the admin kubeconfig for every login shell
sudo tee /etc/profile.d/kubectl.sh << 'EOF'
source <(kubectl completion bash)
source <(crictl completion bash)
# note: this makes every user's shell use the cluster-admin credential
export KUBECONFIG=/etc/kubernetes/admin.conf
EOF

# Configure crictl to talk to containerd
sudo tee /etc/crictl.yaml << EOF
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
EOF

3. Bootstrap the cluster with kubeadm

# The token below is the well-known example value from the kubeadm docs; generate your own with
# `kubeadm token generate` and use the same value in the join command
sudo kubeadm init --kubernetes-version=1.21.14 --token=abcdef.0123456789abcdef \
  --apiserver-advertise-address=$(ip addr show dev eth0 | grep -Po 'inet \K[\d.]+') \
  --cri-socket=unix:///run/containerd/containerd.sock \
  --image-repository=registry.aliyuncs.com/google_containers

After a few minutes the K8S master node is up.

# Join the other nodes to the cluster
# --discovery-token-unsafe-skip-ca-verification skips checking the control plane's CA, so a joining node
# cannot tell a spoofed API server from the real one; --discovery-token-ca-cert-hash sha256:<hash> is the verified form
sudo kubeadm join node1.lan:6443 --token=abcdef.0123456789abcdef --discovery-token-unsafe-skip-ca-verification
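A preflight script that checks the settings from sections 1 and 2.3 (sysctl keys, autoloaded modules, swap, SystemdCgroup, plaintext registry mirrors) and computes the CA hash that lets a node join without skipping CA verification. This is an added example, not code from the original post; the paths in preflight are the ones this guide writes, and openssl is assumed for ca_hash.

```shell
#!/usr/bin/env bash
# Added preflight script for the settings this guide applies (example code, not from
# the original post). Each check takes the file to inspect, so it can run on a live
# node or on a constructed sample.
set -u
# sysctl_set FILE KEY: succeed if FILE sets KEY to 1 (whitespace around '=' allowed)
sysctl_set() {
  awk -F= -v k="$2" '
    { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
    $1 == k && $2 == "1" { ok = 1 }
    END { exit !ok }' "$1"
}
# modules_listed FILE: succeed if both overlay and br_netfilter are listed for autoload
modules_listed() {
  grep -qx overlay "$1" && grep -qx br_netfilter "$1"
}
# swap_off SWAPS: succeed if a /proc/swaps-style file contains only its header line
swap_off() {
  [ "$(grep -c . "$1")" -le 1 ]
}
# systemd_cgroup CONFIG: succeed if containerd's runc options use the systemd cgroup driver
systemd_cgroup() {
  grep -Eq '^[[:space:]]*SystemdCgroup[[:space:]]*=[[:space:]]*true' "$1"
}
# plaintext_mirrors CONFIG: print every registry mirror endpoint that uses http://
plaintext_mirrors() {
  grep -Eo 'http://[^"]+' "$1" || true
}
# ca_hash CA_CRT: sha256 public-key hash for `kubeadm join --discovery-token-ca-cert-hash`,
# so a joining node can verify the API server instead of skipping CA verification
ca_hash() {
  openssl x509 -pubkey -in "$1" | openssl rsa -pubin -outform der 2>/dev/null |
    openssl dgst -sha256 -hex | sed 's/^.* //'
}
# preflight: run every check against the real node paths; returns non-zero on any failure
preflight() {
  local rc=0 key
  for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.ipv4.ip_forward; do
    sysctl_set /etc/sysctl.d/k8s.conf "$key" || { echo "sysctl not set: $key"; rc=1; }
  done
  modules_listed /etc/modules-load.d/containerd.conf || { echo "modules not listed"; rc=1; }
  swap_off /proc/swaps || { echo "swap still active"; rc=1; }
  systemd_cgroup /etc/containerd/config.toml || { echo "SystemdCgroup not enabled"; rc=1; }
  [ -S /run/containerd/containerd.sock ] || { echo "containerd socket missing"; rc=1; }
  plaintext_mirrors /etc/containerd/config.toml | sed 's/^/warning: plaintext mirror /'
  return "$rc"
}
if [ "${1:-}" = run ]; then preflight; fi
```

Run it as `sh preflight.sh run` on each node before `kubeadm init`/`join`; `ca_hash /etc/kubernetes/pki/ca.crt` on the master gives the value for `--discovery-token-ca-cert-hash sha256:<hash>`.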

3.1 Install cluster add-ons

# Make the admin kubeconfig readable (this exposes the cluster-admin credential to every local user;
# the kubeadm-recommended alternative is a per-user copy in ~/.kube/config)
sudo chmod +r /etc/kubernetes/admin.conf

# Install the network plugin (Calico)
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/calico.yaml

# Remove the control-plane taint so workloads can also be scheduled on the master
kubectl taint node --all node-role.kubernetes.io/master-

# Install Helm
curl -sL https://get.helm.sh/helm-v3.9.2-linux-amd64.tar.gz | sudo tar zxf - --strip-components=1 -C /usr/local/bin

# Install the Traefik Ingress Controller
helm install traefik -n kube-system --repo https://helm.traefik.io/traefik traefik

3.2 Cluster cleanup

sudo kubeadm reset --cri-socket=unix:///run/containerd/containerd.sock -f
sudo rm -rf /var/lib/{calico,etcd,kubelet,kubernetes,cni} /etc/cni/net.d /etc/kubernetes /opt/cni/bin/*

References

  1. Dockershim Deprecation FAQ
  2. Production environment
