二进制文件安装高可用k8s集群（二）kube-apiserver部署 kube - apiserver 是 Kubernetes 集群中至关重要的核心组件，它作为整个集群的控制中心，负责处理各种 API 请求，协调和管理集群内的各类资源。

二进制文件安装高可用k8s集群（一）etcd集群安装 安装高可用kubernetes集群所需要的etcd数据库，使用二进制方式进行安装。

k8s集群（containerd）安装——node篇 环境配置禁用selinuxsed -i '/^SELINUX=/s//SELINUX=disabled/' /etc/selinux/config禁用swap swapoff -a && sed -i '/swap/d' /etc/fstab禁用防火墙 yum -y remove firewalld修改hosts文件 echo "192.168.2.100 node1" >> /etc/hosts设置网桥（端口转发）for i in overlay br_netfilter do modprobe ${i} echo "${i}" >>/etc/modules-load.d/containerd.conf done cat >/etc/sysctl.d/99-kubernetes-cri.conf<<EOF net.ipv4.ip_forward = 1 net.bridge.bridge-nf-call-iptables = 1 net.bridge.bridge-nf-call-ip6tables = 1 EOF sysctl --system安装软件包yum -y install kubeadm kubelet ipvsadm ipset nfs-utils containerd修改containerd配置文件参考文章 containerd安装与配置设置开机自启动systemctl enable --now containerd systemctl enable --now kubelet获取master的token#在master主机主机上曹组操作 kubeadm token list TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS abcdef.0123456789abcdef 22h 2025-03-28T02:16:52Z authentication,signing <none> system:bootstrappers:kubeadm:default-node-token #发现默认的token只剩下22个小时的有效期，删除这个token，重新生成一个长期有效的token kubeadm token delete abcdef.0123456789abcdef #创建一个新token kubeadm token create --ttl=0 --print-join-command kubeadm join 192.168.99.100:6443 --token truj3i.83g7lpw6cxj8medc --discovery-token-ca-cert-hash sha256:c5ce5be2f926c19b2760468618ef4746fa5cc63ca863ed01daba1021b06d7a32 #创建token命令返回的信息就是node加入master的命令#在node上面操作 kubeadm join 192.168.99.100:6443 --token truj3i.83g7lpw6cxj8medc --discovery-token-ca-cert-hash sha256:c5ce5be2f926c19b2760468618ef4746fa5cc63ca863ed01daba1021b06d7a32 [preflight] Running pre-flight checks [preflight] Reading configuration from the cluster... [preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env" [kubelet-start] Starting the kubelet [kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap... This node has joined the cluster: * Certificate signing request was sent to apiserver and a response was received. * The Kubelet was informed of the new secure connection details. Run 'kubectl get nodes' on the control-plane to see this node join the cluster.在master上查看集群信息node节点加入集群后需要等待一段时间（一般是几分钟）才会显示ready状态。 kubectl get nodes NAME STATUS ROLES AGE VERSION master Ready control-plane 132m v1.28.15 node1 Ready <none> 13m v1.28.15 kubectl -n kube-system get pods NAME READY STATUS RESTARTS AGE calico-kube-controllers-658d97c59c-9z9km 1/1 Running 0 119m calico-node-7ftlf 1/1 Running 0 119m calico-node-fg6zv 1/1 Running 0 11m coredns-66f779496c-n7h9t 1/1 Running 0 131m coredns-66f779496c-x7tvt 1/1 Running 0 131m etcd-master 1/1 Running 0 131m kube-apiserver-master 1/1 Running 0 131m kube-controller-manager-master 1/1 Running 0 131m kube-proxy-tdp72 1/1 Running 0 131m kube-proxy-vrbvv 1/1 Running 0 11m kube-scheduler-master 1/1 Running 0 131m #刚加入集群时的状态 kubectl get nodes NAME STATUS ROLES AGE VERSION master Ready control-plane 124m v1.28.15 node1 NotReady <none> 5m13s v1.28.15 kubectl -n kube-system get pods NAME READY STATUS RESTARTS AGE calico-kube-controllers-658d97c59c-9z9km 1/1 Running 0 114m calico-node-7ftlf 1/1 Running 0 114m calico-node-fg6zv 0/1 Init:1/3 0 5m57s coredns-66f779496c-n7h9t 1/1 Running 0 125m coredns-66f779496c-x7tvt 1/1 Running 0 125m etcd-master 1/1 Running 0 125m kube-apiserver-master 1/1 Running 0 125m kube-controller-manager-master 1/1 Running 0 125m kube-proxy-tdp72 1/1 Running 0 125m kube-proxy-vrbvv 1/1 Running 0 5m57s kube-scheduler-master 1/1 Running 0 125m

k8s集群（containerd）安装——master篇 master安装环境配置禁用selinux sed -i '/^SELINUX=/s//SELINUX=disabled/' /etc/selinux/config禁用swap swapoff -a && sed -i '/swap/d' /etc/fstab禁用防火墙 yum -y remove firewalld修改hosts文件 echo "192.168.2.51 master" >> /etc/hosts不添加会有如下报错[root@master1 k8s]# kubeadm init --config=kubeadm.yml --dry-run [init] Using Kubernetes version: v1.28.0 [preflight] Running pre-flight checks [WARNING Hostname]: hostname "master" could not be reached [WARNING Hostname]: hostname "master": lookup master on 114.114.114.114:53: no such host [WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service' 设置网桥for i in overlay br_netfilter;do modprobe ${i} echo "${i}" >>/etc/modules-load.d/containerd.conf done cat >/etc/sysctl.d/99-kubernetes-cri.conf<<EOF net.ipv4.ip_forward = 1 net.bridge.bridge-nf-call-iptables = 1 net.bridge.bridge-nf-call-ip6tables = 1 EOF sysctl --system安装软件包安装kubeadm、kubectl、kubelet、containerdyum install -y kubeadm kubelet kubectl containerd #安装代理软件包 yum install -y ipvsadm ipset设置开机自启动systemctl enable --now containerd systemctl enable --now kubelet#配置快捷键 source <(kubeadm completion bash|tee /etc/bash_completion.d/kubeadm) source <(kubectl completion bash|tee /etc/bash_completion.d/kubectl)修改containerd配置文件，安装crictl，详见文章 containerd安装与配置下载镜像#查看安装集群所需要的镜像信息 kubeadm config images list I0326 20:53:28.890691 6257 version.go:256] remote version is much newer: v1.32.3; falling back to: stable-1.28 registry.k8s.io/kube-apiserver:v1.28.15 registry.k8s.io/kube-controller-manager:v1.28.15 registry.k8s.io/kube-scheduler:v1.28.15 registry.k8s.io/kube-proxy:v1.28.15 registry.k8s.io/pause:3.9 registry.k8s.io/etcd:3.5.15-0 registry.k8s.io/coredns/coredns:v1.10.1 #将镜像信息保存到临时文件中，方便下一步操作 kubeadm config images list > a.txt # 下载所需要的镜像 for i in ` awk -F'/' '{print "registry.aliyuncs.com/google_containers/"$2}' a.txt` do crictl pull $i doneImage is up to date for sha256:9dc6939e7c573673801790fcfad6f994282c216e005578f5836b5fafc6685fc2 Image is up to date for sha256:10541d8af03f40fae257735edd69b6c5dd0084bb9796649409ac7b5660705148 Image is up to date for sha256:9d3465f8477c6b383762d90ec387c9d77da8a402a849265805f86feaa57aeeea Image is up to date for sha256:ba6d7f8bc25be40b51dfeb5ddfda697527ba55073620c1c5fa04a5f0ae9e3816 Image is up to date for sha256:e6f1816883972d4be47bd48879a08919b96afcd344132622e4d444987919323c Image is up to date for sha256:2e96e5913fc06e3d26915af3d0f2ca5048cc4b6327e661e80da792cbf8d8d9d4 Image is up to date for sha256:1cf5f116067c67da67f97bff78c4bbc76913f59057c18627b96facaced73ea0b [root@master1 ~]# crictl images ls IMAGE TAG IMAGE ID SIZE registry.aliyuncs.com/google_containers/coredns latest 1cf5f116067c6 20.9MB registry.aliyuncs.com/google_containers/etcd 3.5.15-0 2e96e5913fc06 56.9MB registry.aliyuncs.com/google_containers/kube-apiserver v1.28.15 9dc6939e7c573 34.4MB registry.aliyuncs.com/google_containers/kube-controller-manager v1.28.15 10541d8af03f4 33.3MB registry.aliyuncs.com/google_containers/kube-proxy v1.28.15 ba6d7f8bc25be 28.3MB registry.aliyuncs.com/google_containers/kube-scheduler v1.28.15 9d3465f8477c6 18.5MB registry.aliyuncs.com/google_containers/pause 3.9 e6f1816883972 322kB 初始化master集群#生成配置模版 kubeadm config print init-defaults > init.yaml修改配置文件nodeRegistration下name字段改为master（name: master）imageRepository字段改为阿里云的地址（imageRepository: registry.aliyuncs.com/google_containers）localAPIEndpoint字段下advertiseAddress修改为master的IP地址（advertiseAddress: 192.168.2.51）设置cgroupDriver为systemd---kind: KubeletConfigurationapiVersion: kubelet.config.k8s.io/v1beta1cgroupDriver: systemd使用--dry-run模拟安装过程，查看是否有报错kubeadm init --config=init.yaml --dry-run #输出信息若干，没有 Error 和 Warning 就是正常正式部署masterrm -rf /etc/kubernetes/tmp kubeadm init --config=init.yaml |tee init/init.log #根据安装提示执行命令 mkdir -p $HOME/.kube cp -i /etc/kubernetes/admin.conf $HOME/.kube/config chown $(id -u):$(id -g) $HOME/.kube/config安装calico网络插件kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml查看集群状态#使用下面两条命令中的任意一条即可 kubectl -n kube-system get pods kubectl get pods -A NAME READY STATUS RESTARTS AGE calico-kube-controllers-658d97c59c-vkk2n 0/1 Pending 0 144m calico-node-2gjfd 0/1 Init:ImagePullBackOff 0 144m coredns-66f779496c-562gq 0/1 Pending 0 152m coredns-66f779496c-v4msh 0/1 Pending 0 152m etcd-master 1/1 Running 0 152m kube-apiserver-master 1/1 Running 0 152m kube-controller-manager-master 1/1 Running 0 152m kube-proxy-kwp62 1/1 Running 0 152m kube-scheduler-master 1/1 Running 0 152m等待几分钟后，calcio插件会变成Running状态kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE kube-system calico-kube-controllers-658d97c59c-9z9km 1/1 Running 0 9m5s kube-system calico-node-7ftlf 1/1 Running 0 9m6s kube-system coredns-66f779496c-n7h9t 1/1 Running 0 20m kube-system coredns-66f779496c-x7tvt 1/1 Running 0 20m kube-system etcd-master 1/1 Running 0 20m kube-system kube-apiserver-master 1/1 Running 0 20m kube-system kube-controller-manager-master 1/1 Running 0 20m kube-system kube-proxy-tdp72 1/1 Running 0 20m kube-system kube-scheduler-master 1/1 Running 0 20m

Containerd 常见命令 nerdctlnerdctl是containerd客户端工具，使用语法与docker一致，推荐使用。地址：https://github.com/containerd/nerdctl/releases，其中完整版（nerdctl-full-2.0.4-linux-amd64.tar.gz）包含containerd以及runc、CNI等依赖。nerctl实现了许多docker不具备的功能，如延迟拉取镜像（lazy-pulling）、镜像加密（imgcrypt）等功能。containerd常见命令crictl：遵循 CRI 接口规范的一个命令行工具，通常用它来检查和管理容器运行时和镜像。ctr 是 containerd 的一个客户端工具命令dockerctrcrictl查看运行的容器docker psctr task ls/ctr container lscrictl ps查看镜像docker imagesctr image lscrictl images查看容器日志docker logs-crictl logs查看容器数据信息docker inspectctr container infocrictl inspect查看容器资源docker stats-crictl stats启动/关闭已有的容器docker start/stopctr task start/killcrictl start/stop运行一个新的容器docker runctr run-(最小单元为pod)打标签docker tagctr inage tag-创建一个新的容器docker createctr container createcrictl create导入镜像docker loadcri image import-导出镜像docker savecri image export-删除容器docker rmctr container rmcrictl rm删除镜像docker rmictr image rmcrictl rmi拉取镜像docker pullctr image pullcrictl pull推送镜像docker pushctr image push-登录或在容器内部执行命令docker exec-crictl exec清空不用的容器docker image prune-crictl rmi --prune