Kubernetes Container Cluster Management Environment - Complete Deployment (Part 2)

In the previous article on deploying a Kubernetes container cluster management environment we completed the basic preparation work. In this part (Part 2) we go further and deploy and configure the remaining key components so that the Kubernetes cluster becomes fully functional.

Contents

  1. Installing etcd
  2. Installing the Kubernetes master components
  3. Installing the Kubernetes node components
  4. Deploying a network plugin
  5. Common practices and best practices

1. Installing etcd

1.1 Downloading the etcd binaries

ETCD_VERSION="v3.5.4"
wget https://github.com/etcd-io/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-amd64.tar.gz
tar -xvf etcd-${ETCD_VERSION}-linux-amd64.tar.gz
cd etcd-${ETCD_VERSION}-linux-amd64
sudo cp etcd etcdctl /usr/local/bin/

1.2 Configuring the etcd service

Create the file /etc/systemd/system/etcd.service with the following content:

[Unit]
Description=etcd
Documentation=https://github.com/coreos
 
[Service]
Type=notify
ExecStart=/usr/local/bin/etcd \
  --name=etcd-node1 \
  --data-dir=/var/lib/etcd \
  --listen-peer-urls=http://<etcd-node-ip>:2380 \
  --listen-client-urls=http://<etcd-node-ip>:2379,http://127.0.0.1:2379 \
  --advertise-client-urls=http://<etcd-node-ip>:2379 \
  --initial-cluster-token=etcd-cluster-1 \
  --initial-cluster=etcd-node1=http://<etcd-node-ip>:2380 \
  --initial-cluster-state=new
Restart=on-failure
RestartSec=5
 
[Install]
WantedBy=multi-user.target

Replace <etcd-node-ip> with the actual IP address of the etcd node.

1.3 Starting the etcd service

sudo systemctl daemon-reload
sudo systemctl enable etcd
sudo systemctl start etcd

2. Installing the Kubernetes master components

2.1 Downloading the Kubernetes binaries

K8S_VERSION="v1.24.0"
wget https://dl.k8s.io/${K8S_VERSION}/kubernetes-server-linux-amd64.tar.gz
tar -xvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin
sudo cp kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/local/bin/

2.2 Configuring kube-apiserver

Create the file /etc/kubernetes/manifests/kube-apiserver.yaml (create the directory first if it does not exist) with the following content:

apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: k8s.gcr.io/kube-apiserver:v1.24.0  # literal tag: the kubelet does not expand shell variables such as ${K8S_VERSION}
    command:
    - kube-apiserver
    - --advertise-address=<master-ip>
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=http://<etcd-node-ip>:2379
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

Replace <master-ip> and <etcd-node-ip> with the actual values. Note that etcd as configured in section 1.2 serves plain HTTP, so the --etcd-cafile, --etcd-certfile and --etcd-keyfile flags above take effect only once etcd is switched to https:// listeners with a server certificate and --etcd-servers points at those https:// endpoints.
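Before the cluster goes live it is worth checking the unit file from 1.2 and this manifest for the plaintext-etcd mismatch automatically; the following audit script is an added example, not part of the original post, and the unit and manifest excerpts it embeds (with the made-up address 10.0.0.11 standing in for <etcd-node-ip>) are constructed samples. It parses every --flag=value in either file format, so it can be pointed at other etcd and apiserver flags as well.

```python
import re

# Constructed inputs modelled on this post's etcd.service (1.2) and kube-apiserver pod (2.2);
# 10.0.0.11 is a made-up node address standing in for <etcd-node-ip>.
ETCD_UNIT = """
ExecStart=/usr/local/bin/etcd \\
  --listen-peer-urls=http://10.0.0.11:2380 \\
  --listen-client-urls=http://10.0.0.11:2379,http://127.0.0.1:2379 \\
  --advertise-client-urls=http://10.0.0.11:2379
"""
APISERVER_MANIFEST = """
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-servers=http://10.0.0.11:2379
"""
FLAG_RE = re.compile(r"--([a-z0-9-]+)=([^\s\\]+)")

def parse_flags(text):
    """Map every --flag=value in a unit file or static pod manifest to its value."""
    return dict(FLAG_RE.findall(text))

def plaintext_urls(url_list, off_host_only=True):
    """http:// entries of a comma-separated URL list, by default only non-loopback ones."""
    hits = []
    for url in filter(None, url_list.split(",")):
        m = re.match(r"http://([^:/]+)", url)
        if m and (not off_host_only or m.group(1) not in ("127.0.0.1", "localhost", "::1")):
            hits.append(url)
    return hits

def audit_etcd(unit_text):
    """Plaintext etcd listeners reachable from other hosts, and missing client cert auth."""
    flags, findings = parse_flags(unit_text), []
    for name in ("listen-client-urls", "listen-peer-urls", "advertise-client-urls"):
        for url in plaintext_urls(flags.get(name, "")):
            findings.append(f"etcd --{name}: {url} is plaintext and reachable from other hosts")
    if flags.get("client-cert-auth") != "true":
        findings.append("etcd: --client-cert-auth=true missing, so clients are not authenticated")
    return findings

def audit_apiserver(manifest_text):
    """Plaintext etcd endpoints (the --etcd-*file TLS flags then have no effect) and weak authz."""
    flags, findings = parse_flags(manifest_text), []
    if plaintext_urls(flags.get("etcd-servers", ""), off_host_only=False):
        findings.append("kube-apiserver: --etcd-servers is http://; --etcd-cafile/certfile/keyfile only apply to https:// endpoints")
    modes = flags.get("authorization-mode", "AlwaysAllow").split(",")  # AlwaysAllow is the kube-apiserver default
    if "RBAC" not in modes or "AlwaysAllow" in modes:
        findings.append(f"kube-apiserver: --authorization-mode={','.join(modes)} does not enforce RBAC")
    return findings
```

Run audit_etcd on the real unit file text and audit_apiserver on the manifest text; an empty list from both means the two sides agree on https:// and RBAC is enforced.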

2.3 Configuring kube-controller-manager

Create the file /etc/kubernetes/manifests/kube-controller-manager.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: kube-controller-manager
  namespace: kube-system
spec:
  containers:
  - name: kube-controller-manager
    image: k8s.gcr.io/kube-controller-manager:v1.24.0  # literal tag: the kubelet does not expand shell variables
    command:
    - kube-controller-manager
    - --bind-address=127.0.0.1
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --cluster-name=kubernetes
    - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt
    - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key
    - --kubeconfig=/etc/kubernetes/controller-manager.conf
    - --leader-elect=true
    - --root-ca-file=/etc/kubernetes/pki/ca.crt
    - --service-account-private-key-file=/etc/kubernetes/pki/sa.key
    - --use-service-account-credentials=true

2.4 Configuring kube-scheduler

Create the file /etc/kubernetes/manifests/kube-scheduler.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: kube-scheduler
  namespace: kube-system
spec:
  containers:
  - name: kube-scheduler
    image: k8s.gcr.io/kube-scheduler:v1.24.0  # literal tag: the kubelet does not expand shell variables
    command:
    - kube-scheduler
    - --bind-address=127.0.0.1
    - --kubeconfig=/etc/kubernetes/scheduler.conf
    - --leader-elect=true

3. Installing the Kubernetes node components

3.1 Installing the packages

sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl

3.2 Configuring the kubelet

Create the file /var/lib/kubelet/config.yaml:

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
cgroupDriver: systemd

3.3 Starting the kubelet

sudo systemctl enable kubelet
sudo systemctl start kubelet

4. Deploying a network plugin (Calico as the example)

4.1 Downloading the Calico manifest

wget https://raw.githubusercontent.com/projectcalico/calico/v3.24.1/manifests/calico.yaml

4.2 Deploying Calico

kubectl apply -f calico.yaml

5. Common practices and best practices

5.1 Highly available etcd

  • In production, deploy at least three etcd nodes as a cluster to improve the reliability and availability of the data.
  • Back up the etcd data regularly; the etcdctl snapshot save command can be used for this.

5.2 Security configuration

  • Configure RBAC (role-based access control) on the Kubernetes API server and tightly control the permissions of each user and service account.
  • Enable TLS encryption to protect API communication.

5.3 Monitoring and logging

  • Deploy monitoring tools such as Prometheus and Grafana to monitor the cluster's metrics (CPU, memory, Pod status and so on).
  • Use EFK (Elasticsearch + Fluentd + Kibana) or another log collection solution to manage container logs centrally.

Example usage

Checking node status

kubectl get nodes

Deploying a simple application

Create the file nginx-deployment.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 3
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80

Deploy the application:

kubectl apply -f nginx-deployment.yaml
