
使用 VMware® Workstation 16 Pro 创建三台虚拟机。

node1.k8s.com192.168.153.21masterCentOS 7.9-Minimal
node2.k8s.com192.168.153.22workerCentOS 7.9-Minimal
node3.k8s.com192.168.153.23workerCentOS 7.9-Minimal


每台虚拟机都要配置,使用 root 用户。


systemctl stop firewalld
systemctl disable firewalld


yum -y install ntpdate
ntpdate ntp5.aliyun.com


vi /etc/hostname


4、配置 hosts 文件

vi /etc/hosts

添加下面的内容: node1 node1.k8s.com node2 node1.k8s.com node3 node1.k8s.com

5、禁用 Swap

Kubernetes v1.8+ 要求关闭系统 Swap,否则 kubelet 可能工作不正常(kubeadm 初始化系统时也会检查 swap 是否关闭)

swapoff -a && sed -i '/ swap / s/^/#/' /etc/fstab

6、允许 iptables 检查桥接流量

确保 br_netfilter 模块被加载:

cat <<EOF | tee /etc/modules-load.d/k8s.conf

modprobe br_netfilter

net.bridge.bridge-nf-call-iptables 设置为 1:

cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

sysctl --system

7、禁用 SELinux

将 SELinux 设置为 permissive 模式(相当于将其禁用)

setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

8、创建用户并添加到 wheel 组

useradd k8s
passwd k8s
usermod -aG wheel k8s

安装 Docker 和 kubeadm

Kubernetes 支持多种容器运行时(Container Runtime),我这里将会安装 Docker。​

从 v1.14.0 开始, kubeadm 会自动检测 Linux 节点的容器运行环境,该检测基于 Domain Socket。

三种运行时及其对应的 Domain Socket:​

RuntimeDomain Socket

如果同时检测到 Docker 和 containerd ,则优先采用 Docker。

安装 Docker

每个节点都要安装,使用 k8s 用户。​

1、安装 yum-utils,并设置 Docker 的 stable 仓库

sudo yum install -y yum-utils
sudo yum-config-manager \
    --add-repo \

2、安装 Docker 最新版本

sudo yum -y install docker-ce docker-ce-cli containerd.io


[k8s@node1 ~]$ docker --version
Docker version 20.10.13, build a224086

3、配置 cgroupfs 驱动

需要确保容器运行时和 kubelet 所使用的是相同的 cgroup 驱动,否则 kubelet 进程会失败。

由于 kubeadm 把 kubelet 视为一个系统服务来管理,所以对基于 kubeadm 的安装, 官方推荐使用 systemd 驱动,不推荐 cgroupfs 驱动。

新建 /etc/docker/daemon.json 文件:

sudo vi /etc/docker/daemon.json


  "exec-opts": ["native.cgroupdriver=systemd"]

4、启用并启动 Docker

sudo systemctl enable --now docker

5、确认 Docker 启动成功

[k8s@node1 docker]$ systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-03-22 08:43:14 CST; 24s ago
     Docs: https://docs.docker.com
 Main PID: 12340 (dockerd)
    Tasks: 9
   Memory: 34.2M
   CGroup: /system.slice/docker.service
           └─12340 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

Mar 22 08:43:14 node1.k8s.com dockerd[12340]: time="2022-03-22T08:43:14.368688243+08:00" level=info msg="ccResolverWrapper: sending update to cc: {[{unix:///run/co...odule=grpc
Mar 22 08:43:14 node1.k8s.com dockerd[12340]: time="2022-03-22T08:43:14.368707820+08:00" level=info msg="ClientConn switching balancer to \"pick_first\"" module=grpc
Mar 22 08:43:14 node1.k8s.com dockerd[12340]: time="2022-03-22T08:43:14.376663870+08:00" level=info msg="[graphdriver] using prior storage driver: overlay2"
Mar 22 08:43:14 node1.k8s.com dockerd[12340]: time="2022-03-22T08:43:14.378856509+08:00" level=info msg="Loading containers: start."
Mar 22 08:43:14 node1.k8s.com dockerd[12340]: time="2022-03-22T08:43:14.485042302+08:00" level=info msg="Default bridge (docker0) is assigned with an IP address 17...P address"
Mar 22 08:43:14 node1.k8s.com dockerd[12340]: time="2022-03-22T08:43:14.526021249+08:00" level=info msg="Loading containers: done."
Mar 22 08:43:14 node1.k8s.com dockerd[12340]: time="2022-03-22T08:43:14.544232229+08:00" level=info msg="Docker daemon" commit=906f57f graphdriver(s)=overlay2 version=20.10.13
Mar 22 08:43:14 node1.k8s.com dockerd[12340]: time="2022-03-22T08:43:14.544300079+08:00" level=info msg="Daemon has completed initialization"
Mar 22 08:43:14 node1.k8s.com systemd[1]: Started Docker Application Container Engine.
Mar 22 08:43:14 node1.k8s.com dockerd[12340]: time="2022-03-22T08:43:14.562599360+08:00" level=info msg="API listen on /var/run/docker.sock"
Hint: Some lines were ellipsized, use -l to show in full.
[k8s@node1 docker]$

6、确认 Cgroup 驱动配置成功

[k8s@node1 docker]$ sudo docker info
 Context:    default
 Debug Mode: false
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Docker Buildx (Docker Inc., v0.8.0-docker)
  scan: Docker Scan (Docker Inc., v0.17.0)

 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 0
 Server Version: 20.10.13
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 1

安装 kubeadm、kubelet 和 kubectl

Kubeadm 是社区推出的一个用来部署 Kubernetes 集群的工具。

Kubelet 主要负责同容器运行时(比如:Docker)打交道,它是 Kubernetes 集群的核心组件。

Kubectl 则是 Kubernetes 集群的命令行工具。

每个节点都要安装,使用 k8s 用户。​

1、配置 Yum 源

cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg

此处使用的是阿里云的 Kubernetes 镜像。


sudo yum install -y --nogpgcheck kubelet kubeadm kubectl

由于 Kubernetes 官网未开放同步方式, 使用阿里云镜像可能会有索引 gpg 检查失败的情况,此处指定 --nogpgcheck 参数跳过了检查。

3、启用并启动 kubelet

sudo systemctl enable --now kubelet

4、查看 kubelet 状态

[k8s@node1 docker]$ systemctl status kubelet
● kubelet.service - kubelet: The Kubernetes Node Agent
   Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/kubelet.service.d
   Active: activating (auto-restart) (Result: exit-code) since Tue 2022-03-22 09:33:52 CST; 3s ago
     Docs: https://kubernetes.io/docs/
 Main PID: 12721 (code=exited, status=1/FAILURE)

Mar 22 09:33:52 node1.k8s.com systemd[1]: Unit kubelet.service entered failed state.
Mar 22 09:33:52 node1.k8s.com systemd[1]: kubelet.service failed.
[k8s@node1 docker]$
[k8s@node1 docker]$ journalctl -f -u kubelet
-- Logs begin at Tue 2022-03-22 01:45:18 CST. --
Mar 22 09:34:02 node1.k8s.com systemd[1]: kubelet.service: main process exited, code=exited, status=1/FAILURE
Mar 22 09:34:02 node1.k8s.com systemd[1]: Unit kubelet.service entered failed state.
Mar 22 09:34:02 node1.k8s.com systemd[1]: kubelet.service failed.
Mar 22 09:34:13 node1.k8s.com systemd[1]: kubelet.service holdoff time over, scheduling restart.
Mar 22 09:34:13 node1.k8s.com systemd[1]: Stopped kubelet: The Kubernetes Node Agent.
Mar 22 09:34:13 node1.k8s.com systemd[1]: Started kubelet: The Kubernetes Node Agent.
Mar 22 09:34:13 node1.k8s.com kubelet[12740]: E0322 09:34:13.108138   12740 server.go:205] "Failed to load kubelet config file" err="failed to load Kubelet config file /var/lib/kubelet/config.yaml, error failed to read kubelet config file \"/var/lib/kubelet/config.yaml\", error: open /var/lib/kubelet/config.yaml: no such file or directory" path="/var/lib/kubelet/config.yaml"
Mar 22 09:34:13 node1.k8s.com systemd[1]: kubelet.service: main process exited, code=exited, status=1/FAILURE
Mar 22 09:34:13 node1.k8s.com systemd[1]: Unit kubelet.service entered failed state.
Mar 22 09:34:13 node1.k8s.com systemd[1]: kubelet.service failed.

此时,kubelet 每隔几秒就会重启,因为它陷入了一个等待 kubeadm 指令的死循环。


通过下面这两条命令就能完成一个 Kubernetes 集群的部署:

# 创建一个 Master 节点
kubeadm init

# 将一个 Node 节点加入到当前集群中
kubeadm join <Master节点的IP和端口> ...

部署 Master 节点

在 node1 节点执行下面的命令:

sudo kubeadm init \
--image-repository registry.aliyuncs.com/google_containers \
--pod-network-cidr \
--kubernetes-version stable-1.23


[k8s@node1 docker]$ sudo kubeadm init \
> --image-repository registry.aliyuncs.com/google_containers \
> --pod-network-cidr \
> --kubernetes-version stable-1.23
[sudo] password for k8s:
[init] Using Kubernetes version: v1.23.5
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local node1.k8s.com] and IPs []
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [localhost node1.k8s.com] and IPs [ ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [localhost node1.k8s.com] and IPs [ ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 6.503693 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config-1.23" in namespace kube-system with the configuration for the kubelets in the cluster
NOTE: The "kubelet-config-1.23" naming of the kubelet ConfigMap is deprecated. Once the UnversionedKubeletConfigMap feature gate graduates to Beta the default name will become just "kubelet-config". Kubeadm upgrade will handle this transition transparently.
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node node1.k8s.com as control-plane by adding the labels: [node-role.kubernetes.io/master(deprecated) node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node node1.k8s.com as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[bootstrap-token] Using token: c0wcm5.0yu9szfktsxvurza
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join --token c0wcm5.0yu9szfktsxvurza \
        --discovery-token-ca-cert-hash sha256:f3cf8d3ccd735c39b8e941343f113cd4eb045a70298db818a3fe918dd164e379
[k8s@node1 docker]$


mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

查看当前 Master 节点的状态:

[k8s@node1 docker]$ kubectl get nodes
NAME            STATUS     ROLES                  AGE     VERSION
node1.k8s.com   NotReady   control-plane,master   5m23s   v1.23.5

检查当前节点各个系统 Pod 的状态:

[k8s@node1 docker]$ kubectl get pods -n kube-system
NAME                                    READY   STATUS    RESTARTS   AGE
coredns-6d8c4cb4d-6t47l                 0/1     Pending   0          5m28s
coredns-6d8c4cb4d-969m7                 0/1     Pending   0          5m28s
etcd-node1.k8s.com                      1/1     Running   0          5m44s
kube-apiserver-node1.k8s.com            1/1     Running   0          5m42s
kube-controller-manager-node1.k8s.com   1/1     Running   0          5m42s
kube-proxy-x6x2g                        1/1     Running   0          5m29s
kube-scheduler-node1.k8s.com            1/1     Running   0          5m44s

Join 其他节点

复制刚才初始化后生成的 join 命令,用 root 用户在另外两个节点执行:

kubeadm join --token c0wcm5.0yu9szfktsxvurza \
        --discovery-token-ca-cert-hash sha256:f3cf8d3ccd735c39b8e941343f113cd4eb045a70298db818a3fe918dd164e379


[root@node3 ~]# kubeadm join --token c0wcm5.0yu9szfktsxvurza \
>         --discovery-token-ca-cert-hash sha256:f3cf8d3ccd735c39b8e941343f113cd4eb045a70298db818a3fe918dd164e379
[preflight] Running pre-flight checks
        [WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service'
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

[root@node3 ~]#


[k8s@node1 docker]$ kubectl get nodes
NAME            STATUS     ROLES                  AGE     VERSION
node1.k8s.com   NotReady   control-plane,master   8m23s   v1.23.5
node2.k8s.com   NotReady   <none>                 100s    v1.23.5
node3.k8s.com   NotReady   <none>                 90s     v1.23.5

新增了两个节点,但各个节点的状态还是 NotReady,因为现在还没有部署网络插件。

上面的 join 命令最好保存下来,方便下次使用。如果忘记,可以用下面的命令获取:

kubeadm token create --print-join-command


Kubernetes 支持容器网络插件,使用的是一个名叫 CNI 的通用接口,它也是当前容器网络的事实标准,市面上的所有容器网络开源项目都可以通过 CNI 接入 Kubernetes,比如 Flannel、Calico、Canal、Romana 等等。

在 Master 节点执行下面的命令:

kubectl apply -f https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml


[k8s@node1 docker]$ kubectl apply -f https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/psp.flannel.unprivileged created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
serviceaccount/flannel created
configmap/kube-flannel-cfg created
daemonset.apps/kube-flannel-ds created
[k8s@node1 docker]$

稍等会儿再查看,三个节点的状态已经是 Ready 了:

[k8s@node1 docker]$ kubectl get nodes
NAME            STATUS   ROLES                  AGE     VERSION
node1.k8s.com   Ready    control-plane,master   10m     v1.23.5
node2.k8s.com   Ready    <none>                 3m48s   v1.23.5
node3.k8s.com   Ready    <none>                 3m38s   v1.23.5

部署 Dashboard 可视化插件

Dashboard 是基于 web 的 Kubernetes 用户界面。 可以通过 Dashboard 将容器应用部署到 Kubernetes 集群中,也可以对容器应用排错,还能管理集群资源。

在 Master 节执行下面的命令:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.5.1/aio/deploy/recommended.yaml


[k8s@node1 docker]$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.5.1/aio/deploy/recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
[k8s@node1 docker]$

部署完之后,可以用下面的命令查看 Dashboard 对应的 Pod 的状态:

[k8s@node1 docker]$ kubectl get pods -n kubernetes-dashboard
NAME                                         READY   STATUS    RESTARTS   AGE
dashboard-metrics-scraper-799d786dbf-zz4pj   1/1     Running   0          42s
kubernetes-dashboard-fb8648fd9-zdxnt         1/1     Running   0          42s

本地访问 Dashboard

为了避免造成安全隐患,1.7 版本之后的 Dashboard 项目部署完成后,默认只能通过 Proxy 的方式在本地访问。用下面的命令启动代理:

[k8s@node1 docker]$ kubectl proxy
Starting to serve on

然后就可以在本地的浏览器输入 localhost:8001 地址,访问 Dashboard 了。

异地访问 Dashboard

如果想要在集群之外的机器上访问 Dashboard,可以采用端口转发命令:

kubectl port-forward --address -n kubernetes-dashboard service/kubernetes-dashboard 8080:443



在登录界面可以看到 Kubernetes Dashborad 支持两种认证方式:

  • TOKEN: 每个 Service Account 都有一个合法的 Bearer Token ,可用于登录 Dashboard 。 要了解有关如何配置和使用 Bearer Tokens 的更多信息,请参阅 身份验证 部分。
  • Kubeconfig:请选择您创建的 kubeconfig 文件以配置对集群的访问权限。 要了解有关如何配置和使用 kubeconfig 文件的更多信息, 请参阅 配置到多个集群的访问 部分。

刚才在初始化的时候, kubeadm init 创建了一个有效期为 24 小时的 TOKEN,使用下面的命令查看该 TOKEN:

[k8s@node1 docker]$ kubeadm token list
TOKEN                     TTL         EXPIRES                USAGES                   DESCRIPTION                                                EXTRA GROUPS
dpthen.utsmhwhanre8fiu0   23h         2022-03-23T01:44:17Z   authentication,signing   The default bootstrap token generated by 'kubeadm init'.   system:bootstrappers:kubeadm:default-node-token
[k8s@K8s01 ~]$

使用这个 TOKEN 可以登录 Dashboard:




但是,这个 TOKEN 的权限十分有限。


