dushaoshuai / dushaoshuai.github.io

https://www.shuai.host

kubernetes: Creating a cluster with kubeadm #28

Open dushaoshuai opened 1 year ago

dushaoshuai commented 1 year ago

Machine requirements and configuration

Container runtime

Installing a container runtime; Container Runtimes

Installing kubeadm, kubelet and kubectl

kubeadm, kubelet and kubectl cannot be upgraded arbitrarily; see Upgrading kubeadm clusters

Manjaro

Skip package from being upgraded

Ubuntu

Kubernetes mirror; Installing kubeadm, kubelet and kubectl

sudo apt-get update
sudo apt-get install -y apt-transport-https ca-certificates curl
# The key must be added as root: sudo has to wrap apt-key, not curl.
curl -fsSL https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | sudo apt-key add -
# A shell redirection runs as the invoking user, so write the file through sudo tee.
cat <<EOF | sudo tee /etc/apt/sources.list.d/kubernetes.list
deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main
EOF
sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl # pin version

cgroup driver

The container runtime and the kubelet must be configured with the same cgroup driver.

kubeadm configuration

https://github.com/dushaoshuai/blog/issues/28#issuecomment-1288099098

Creating the cluster

sudo kubeadm init --ignore-preflight-errors=NumCPU --config=~/.kube/kubeadm_config.yaml

Continue by following kubeadm's output:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Now kubectl can talk to the API server; use kubectl to install a pod network for the cluster:

# https://www.weave.works/docs/net/latest/kubernetes/kube-addon/#install
$ kubectl apply -f https://github.com/weaveworks/weave/releases/download/v2.8.1/weave-daemonset-k8s.yaml
serviceaccount/weave-net created
clusterrole.rbac.authorization.k8s.io/weave-net created
clusterrolebinding.rbac.authorization.k8s.io/weave-net created
role.rbac.authorization.k8s.io/weave-net created
rolebinding.rbac.authorization.k8s.io/weave-net created
daemonset.apps/weave-net created

With that the control plane is up, and more nodes can be added to the cluster:

sudo kubeadm join a.b.c.e:6443 --token abcdef.0123456789abcdef \
        --discovery-token-ca-cert-hash sha256:bdffe9db95bb85b742a8e68d5f9d3fb8e4a0e7204bbea75398054ca56eeb93d2
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

See also

Kubernetes on Arch Linux
kubeadm init
Installing kubeadm
Container Runtimes
Creating a cluster with kubeadm

dushaoshuai commented 1 year ago

How to pass --pod-network-cidr via config

a fully populated example of a single YAML file containing multiple configuration types to be used during a kubeadm init run

dushaoshuai commented 1 year ago

Some image mirrors

https://developer.aliyun.com/article/759310

registry.cn-hangzhou.aliyuncs.com/google_containers
registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.6

dushaoshuai commented 1 year ago

Using a private registry; Pull an Image from a Private Registry

This seems inconvenient; I'll look at other documentation.

dushaoshuai commented 1 year ago

Remove the node

dushaoshuai commented 1 year ago

Aliyun mirror site

dushaoshuai commented 1 year ago

Does the kubelet also need configuring?

https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/#configure-kubelets-using-kubeadm
https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration

The kubelet configuration can be generated with kubeadm: kubeadm config print init-defaults --component-configs KubeletConfiguration > ~/.kube/kubeadm_config.yaml

dushaoshuai commented 1 year ago

cgroup driver

Configuring a cgroup driver; containerd: Configuring the systemd cgroup driver

dushaoshuai commented 1 year ago

Output when initializing the control plane failed:

~$ sudo kubeadm init --ignore-preflight-errors=NumCPU --config=.kube/kubeadm_config.yaml
[init] Using Kubernetes version: v1.25.0
[preflight] Running pre-flight checks
    [WARNING NumCPU]: the number of available CPUs 1 is less than the required 2
    [WARNING SystemVerification]: missing optional cgroups: blkio
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [ecs-shaouai kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 1.2.3.4]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [ecs-shaouai localhost] and IPs [1.2.3.4 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [ecs-shaouai localhost] and IPs [1.2.3.4 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[kubelet-check] Initial timeout of 40s passed.

Unfortunately, an error has occurred:
    timed out waiting for the condition

This error is likely caused by:
    - The kubelet is not running
    - The kubelet is unhealthy due to a misconfiguration of the node in some way (required cgroups disabled)

If you are on a systemd-powered system, you can try to troubleshoot the error with the following commands:
    - 'systemctl status kubelet'
    - 'journalctl -xeu kubelet'

Additionally, a control plane component may have crashed or exited when started by the container runtime.
To troubleshoot, list all containers using your preferred container runtimes CLI.
Here is one example how you may list all running Kubernetes containers by using crictl:
    - 'crictl --runtime-endpoint unix:///var/run/containerd/containerd.sock ps -a | grep kube | grep -v pause'
    Once you have found the failing container, you can inspect its logs with:
    - 'crictl --runtime-endpoint unix:///var/run/containerd/containerd.sock logs CONTAINERID'
error execution phase wait-control-plane: couldn't initialize a Kubernetes cluster
To see the stack trace of this error execute with --v=5 or higher

dushaoshuai commented 1 year ago

Output of a successful control-plane initialization:

~$ sudo kubeadm init --ignore-preflight-errors=NumCPU --config=.kube/kubeadm_config.yaml
[init] Using Kubernetes version: v1.25.0
[preflight] Running pre-flight checks
    [WARNING NumCPU]: the number of available CPUs 1 is less than the required 2
    [WARNING SystemVerification]: missing optional cgroups: blkio
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [ecs-shaouai kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 172.23.216.114]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [ecs-shaouai localhost] and IPs [172.23.216.114 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [ecs-shaouai localhost] and IPs [172.23.216.114 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 8.003550 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node ecs-shaouai as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node ecs-shaouai as control-plane by adding the taints [node-role.kubernetes.io/control-plane:NoSchedule]
[bootstrap-token] Using token: abcdef.0123456789abcdef
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.31.110:6443 --token abcdef.0123456789abcdef \
        --discovery-token-ca-cert-hash sha256:c454446df08f1270a63d4b16fcab5a0bec1ec84f86e3e20b5d4942242b055441

dushaoshuai commented 1 year ago

The control plane finally initialized successfully

In the kubeadm configuration file, InitConfiguration's localAPIEndpoint.advertiseAddress has to be set to the IP bound to the network interface.

I'm not sure whether "the IP bound to the network interface" is the correct way to put it.

dushaoshuai commented 1 year ago

After generating the kubeadm configuration file with kubeadm config print init-defaults --component-configs KubeletConfiguration > ~/.kube/kubeadm_config.yaml, a few of the defaults need to be changed:
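As an added example (not the issue author's own file), here is the kind of kubeadm configuration the comments in this issue converge on: one YAML file for kubeadm init --config holding InitConfiguration, ClusterConfiguration and KubeletConfiguration, with advertiseAddress set to the interface IP from the successful run above, podSubnet standing in for --pod-network-cidr, imageRepository pointed at the Aliyun mirror listed earlier, and cgroupDriver set to systemd so it matches a containerd configured with SystemdCgroup = true. The podSubnet value, the token TTL and the use of containerd as the runtime are my assumptions; the node name, IP, version and mirror path are taken from the output in this issue.

```yaml
# Added example: a kubeadm init configuration (kubeadm.k8s.io/v1beta3 is the API
# for Kubernetes v1.25). Replace values marked ASSUMED before use.
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
bootstrapTokens:
  # "kubeadm config print init-defaults" emits this well-known example token and
  # the successful run above kept it. Anyone who knows a valid token and can reach
  # port 6443 can bootstrap a node, so generate a fresh one (kubeadm token generate)
  # or remove this list so kubeadm creates a random token; the default TTL is 24h.
  - token: "abcdef.0123456789abcdef"
    ttl: 24h0m0s
    usages: [signing, authentication]
    groups: [system:bootstrappers:kubeadm:default-node-token]
localAPIEndpoint:
  # Must be an address actually bound to a local interface; the first init attempt
  # in this issue timed out until this was corrected.
  advertiseAddress: 172.23.216.114
  bindPort: 6443
nodeRegistration:
  # ASSUMED: containerd as the CRI runtime, matching the crictl hints in the failure output.
  criSocket: unix:///var/run/containerd/containerd.sock
  imagePullPolicy: IfNotPresent
  name: ecs-shaouai
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: v1.25.0
# Pull control-plane images (kube-apiserver, etcd, pause, ...) from the mirror
# instead of registry.k8s.io.
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/12
  # The config-file equivalent of "kubeadm init --pod-network-cidr".
  # ASSUMED range; it must not overlap the node or service networks.
  podSubnet: 10.244.0.0/16
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# The kubelet's own default is cgroupfs; kubeadm defaults this field to systemd since
# v1.22. It must agree with the runtime (containerd: SystemdCgroup = true under the
# runc options table), otherwise the kubelet starts but cannot run the static pods
# and init fails with the "timed out waiting for the condition" message shown above.
cgroupDriver: systemd
```

The three documents are applied together with sudo kubeadm init --config=<file>; kubeadm stores the result in the kubeadm-config and kubelet-config ConfigMaps in kube-system, which is why the join output above says it is "Reading configuration from the cluster". After init, kubectl -n kube-system get cm kubeadm-config -o yaml shows what the cluster actually recorded, which is the quickest way to confirm the podSubnet and imageRepository edits took effect.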