Binary deployment of Kubernetes cluster version 1.33

A Kubernetes cluster deployed a few years ago needs to be gradually updated. Since I haven’t recorded it for a long time, I am a little unfamiliar with the deployment method. Now I try to sort out the updates for the new version of the cluster.

1.、env

1.1.0 Cluster env

Hostname	IP	Role	software
k8s-master-01	10.88.12.60	Master	kube-apiserver、kube-controller-manager、kube-scheduler、etcd、kubelet、haproxy、containerd
k8s-master-02	10.88.12.61	Master	kube-apiserver、kube-controller-manager、kube-scheduler、etcd、kubelet、containerd
k8s-master-03	10.88.12.62	Master	kube-apiserver、kube-controller-manager、kube-scheduler、etcd、kubelet、containerd
k8s-worker-01	10.88.12.63	Worker	kubelet、containerd
k8s-worker-02	10.88.12.64	Worker	kubelet、containerd
k8s-worker-03	10.88.12.65	Worker	kubelet、containerd
	10.88.12.100	VIP	This address is usually a drift address bound by keepalived. For simplicity, we will directly configure the new network card

I think someone has noticed that there is no kube-proxy in the above cluster components, because this cluster uses cilium instead of kube-proxy, but kube-proxy is still included when deployed. At the same time, please note that each node must have the runc program

1.2.0 Network

Type	IP/Mask	describe
Host	10.88.12/24	Physical or virtual machine network
Cluster	10.90.0.0/16	Cluster Services Network
Pod	10.100.0.0/16	Cluster Pod Network

1.3.0 Software Version

Software	Version
cfssl	1.6.5
containerd	v2.1.0
crictl	0.1.0
runc	1.3.0
helm	v3.18.0
os_kernel	6.1.0-29

As for other basic system configurations, such as installing software dependency environments, modifying system kernel parameters, modifying system file descriptors, enabling certain kernel module functions (such as ipvs), cluster host time synchronization, disabling selinux, disabling swap partitions, etc., you can search and set them online according to your needs, so I will not describe them here.

2.Install the basic components of the Kubernetes cluster Master

2.1.0 Deploy containerd

All nodes in the cluster execute

1
# Unzip to the /usr/local/bin/ directory
2
kevn@k8s-master-01:~$ sudo tar -xvf containerd-2.1.0-linux-amd64.tar.gz -C /usr/local/
3

4
# Create a startup service file
5
koevn@k8s-master-01:~$ sudo cat > /etc/systemd/system/containerd.service <<EOF
6
[Unit]
7
Description=containerd container runtime
8
Documentation=https://containerd.io
9
After=network.target
10

11
[Service]
12
ExecStart=/usr/local/bin/containerd --config /etc/containerd/config.toml
13
Delegate=yes
14
KillMode=process
15
Restart=always
16
LimitNOFILE=1048576
17
LimitNPROC=infinity
18
LimitCORE=infinity
19

20
[Install]
21
WantedBy=multi-user.target
22
EOF
23

24
# Create containerd configuration file
25
koevn@k8s-master-01:~$ sudo mkdir -pv /etc/containerd/certs.d/harbor.koevn.com
26
koevn@k8s-master-01:~$ sudo containerd config default | tee /etc/containerd/config.toml
27
touch /etc/containerd/certs.d/harbor.koevn.com/hosts.toml
28

29
# Modify/etc/containerd/config.toml
30
[plugins]
31
  [plugins.'io.containerd.cri.v1.images']
32
    snapshotter = 'overlayfs'
33
    disable_snapshot_annotations = true
34
    discard_unpacked_layers = false
35
    max_concurrent_downloads = 3
36
    image_pull_progress_timeout = '5m0s'
37
    image_pull_with_sync_fs = false
38
    stats_collect_period = 10
39

40
    [plugins.'io.containerd.cri.v1.images'.pinned_images]
41
      sandbox = 'harbor.koevn.com/k8s/pause:3.10'    # This image is pulled according to your own definition. Here I point to a private warehouse
42

43
    [plugins.'io.containerd.cri.v1.images'.registry]
44
      config_path = "/etc/containerd/certs.d"  # Configure the mirror repository related information here
45
    [plugins.'io.containerd.cri.v1.images'.image_decryption]
46
      key_model = 'node'
47

48
# Configuration /etc/containerd/certs.d/harbor.koevn.com/hosts.toml
49
server = "https://harbor.koevn.com"
50

51
[host."https://harbor.koevn.com"]
52
  capabilities = ["pull", "resolve", "push"]
53
  skip_verify = true
54
  username = "admin"
55
  password = "K123456"
56

57
# Reload systemd management
58
koevn@k8s-master-01:~$ sudo systemctl daemon-reload
59

60
# containerd service started
61
koevn@k8s-master-01:~$ sudo systemctl start containerd.service
62

63
# containerd service status
64
koevn@k8s-master-01:~$ sudo systemctl status containerd.service
65

66
# Containerd service starts automatically at boot
67
koevn@k8s-master-01:~$ sudo systemctl enable --now containerd.service

2.1.1 Configuring crictl

1
# Unzip
2
koevn@k8s-master-01:~$ sudo tar xf crictl-v*-linux-amd64.tar.gz -C /usr/sbin/
3

4
# Generate configuration files
5
koevn@k8s-master-01:~$ sudo cat > /etc/crictl.yaml <<EOF
6
runtime-endpoint: unix:///run/containerd/containerd.sock
7
image-endpoint: unix:///run/containerd/containerd.sock
8
EOF
9

10
# Check
11
crictl info

2.2.0 Deploy etcd

This service is deployed on three Master nodes

2.2.1 Install etcd env

1
# Move the downloaded cfssl tool to the /usr/local/bin directory
2
koevn@k8s-master-01:/tmp$ sudo mv cfssl_1.6.5_linux_amd64 /usr/local/bin/cfssl
3
koevn@k8s-master-01:/tmp$ sudo mv cfssljson_1.6.5_linux_amd64 /usr/local/bin/cfssljson
4
koevn@k8s-master-01:/tmp$ sudo mv cfssl-certinfo_1.6.5_linux_amd64 /usr/local/bin/cfssl-certinfo
5
koevn@k8s-master-01:/tmp$ sudo chmod +x /usr/local/bin/cfss*
6

7
# Create etcd service directory
8
koevn@k8s-master-01:~$ sudo mkdir -pv /opt/etcd/{bin,cert,config}
9

10
# Unzip the etcd installation file
11
koevn@k8s-master-01:/tmp$ sudo tar -xvf etcd*.tar.gz && mv etcd-*/etcd /opt/etcd/bin/
12

13
# Add etcd system environment variables
14
koevn@k8s-master-01:/tmp$ sudo echo "export PATH=/opt/etcd/bin:$PATH" > /etc/profile.d/etcd.sh && sudo source /etc/profile
15

16
# Create a certificate generation directory
17
koevn@k8s-master-01:/tmp$ sudo mkdir -pv /opt/cert/etcd

2.2.2 Generate etcd certificate

Create a ca configuration file

1
koevn@k8s-master-01:/tmp$ cd /opt/cert
2
koevn@k8s-master-01:/opt/cert$ sudo cat > ca-config.json << EOF
3
{
4
  "signing": {
5
    "default": {
6
      "expiry": "876000h"
7
    },
8
    "profiles": {
9
      "kubernetes": {
10
        "usages": [
11
            "signing",
12
            "key encipherment",
13
            "server auth",
14
            "client auth"
15
        ],
16
        "expiry": "876000h"
17
      }
18
    }
19
  }
20
}
21
EOF

Create a CA certificate signing request

1
koevn@k8s-master-01:/opt/cert$ sudo cat > etcd-ca-csr.json  << EOF
2
{
3
  "CN": "etcd",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "US",
11
      "ST": "California",
12
      "L": "Los Angeles",
13
      "O": "Koevn",
14
      "OU": "Koevn Security"
15
    }
16
  ],
17
  "ca": {
18
    "expiry": "876000h"
19
  }
20
}
21
EOF

Generate etcd ca certificate

1
cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare /opt/cert/etcd

Create etcd request certificate

1
koevn@k8s-master-01:/opt/cert$ sudo cat > etcd-csr.json << EOF
2
{
3
  "CN": "etcd",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "US",
11
      "ST": "California",
12
      "L": "Los Angeles",
13
      "O": "Koevn",
14
      "OU": "Koevn Security"
15
    }
16
  ]
17
}
18
EOF

Generate etcd certificate

1
koevn@k8s-master-01:/opt/cert$ sudo cfssl gencert \
2
   -ca=/opt/cert/etcd/etcd-ca.pem \
3
   -ca-key=/opt/cert/etcd/etcd-ca-key.pem \
4
   -config=ca-config.json \
5
   -hostname=127.0.0.1,k8s-master-01,k8s-master-02,k8s-master-03,10.88.12.60,10.88.12.61,10.88.12.62 \
6
   -profile=kubernetes \
7
   etcd-csr.json | cfssljson -bare /opt/cert/etcd

Copy the etcd*.pem certificates generated in the /opt/cert/etcd directory to the /opt/etcd/cert/ directory.

2.2.3 Create etcd configuration file

1
koevn@k8s-master-01:~$ sudo cat > /oet/etcd/config/etcd.config.yml << EOF
2
name: 'k8s-master-01'   # Note modify the name of each node
3
data-dir: /data/etcd/data
4
wal-dir: /data/etcd/wal
5
snapshot-count: 5000
6
heartbeat-interval: 100
7
election-timeout: 1000
8
quota-backend-bytes: 0
9
listen-peer-urls: 'https://10.88.12.60:2380'  # Modify the IP address that each node listens on
10
listen-client-urls: 'https://10.88.12.60:2379,http://127.0.0.1:2379'
11
max-snapshots: 3
12
max-wals: 5
13
cors:
14
initial-advertise-peer-urls: 'https://10.88.12.60:2380'
15
advertise-client-urls: 'https://10.88.12.60:2379'
16
discovery:
17
discovery-fallback: 'proxy'
18
discovery-proxy:
19
discovery-srv:
20
initial-cluster: 'k8s-master-01=https://10.88.12.60:2380,k8s-master-02=https://10.88.12.61:2380,k8s-master-03=https://10.88.12.62:2380'
21
initial-cluster-token: 'etcd-k8s-cluster'
22
initial-cluster-state: 'new'
23
strict-reconfig-check: false
24
enable-v2: true
25
enable-pprof: true
26
proxy: 'off'
27
proxy-failure-wait: 5000
28
proxy-refresh-interval: 30000
29
proxy-dial-timeout: 1000
30
proxy-write-timeout: 5000
31
proxy-read-timeout: 0
32
client-transport-security:
33
  cert-file: '/opt/etcd/cert/etcd.pem'
34
  key-file: '/opt/etcd/cert/etcd-key.pem'
35
  client-cert-auth: true
36
  trusted-ca-file: '/opt/etcd/cert/etcd-ca.pem'
37
  auto-tls: true
38
peer-transport-security:
39
  cert-file: '/opt/etcd/cert/etcd.pem'
40
  key-file: '/opt/etcd/cert/etcd-key.pem'
41
  peer-client-cert-auth: true
42
  trusted-ca-file: '/opt/etcd/cert/etcd-ca.pem'
43
  auto-tls: true
44
debug: false
45
log-package-levels:
46
log-outputs: [default]
47
force-new-cluster: false
48
EOF

View the etcd service directory structure

1
koevn@k8s-master-01:~$ sudo tree /opt/etcd/
2
/opt/etcd/
3
├── bin
4
│   ├── etcd
5
│   ├── etcdctl
6
│   └── etcdutl
7
├── cert
8
│   ├── etcd-ca.pem
9
│   ├── etcd-key.pem
10
│   └── etcd.pem
11
└── config
12
    └── etcd.config.yml
13

14
4 directories, 7 files

Then package etcd and distribute it to other Master nodes

1
koevn@k8s-master-01:~$ sudo tar -czvf /tmp/etcd.tar.gz /opt/etcd

2.2.4 Each etcd node configures and starts the service

1
koevn@k8s-master-01:~$ sudo cat /etc/systemd/system/etcd.service << EOF
2
[Unit]
3
Description=Etcd Service
4
Documentation=https://coreos.com/etcd/docs/latest/
5
After=network.target
6

7
[Service]
8
Type=notify
9
ExecStart=/opt/etcd/bin/etcd --config-file=/opt/etcd/config/etcd.config.yml
10
Restart=on-failure
11
RestartSec=10
12
LimitNOFILE=65536
13

14
[Install]
15
WantedBy=multi-user.target
16
Alias=etcd3.service
17
EOF

Load system service systemctl daemon-reload Start etcd service systemctl start etcd.service Check etcd service status systemctl status etcd.service Add automatic startup systemctl enable --now etcd.service

2.2.5 Check etcd status

1
koevn@k8s-master-01:~$ sudo export ETCDCTL_API=3
2
root@k8s-master-01:~# etcdctl --endpoints="10.88.12.60:2379,10.88.12.61:2379,10.88.12.62:2379" \
3
> --cacert=/opt/etcd/cert/etcd-ca.pem \
4
> --cert=/opt/etcd/cert/etcd.pem \
5
> --key=/opt/etcd/cert/etcd-key.pem \
6
> endpoint status \
7
> --write-out=table
8
+------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
9
|     ENDPOINT     |        ID        | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |
10
+------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
11
| 10.88.12.60:2379 | c1f013862d84cb12 |  3.5.21 |   35 MB |     false |      false |       158 |    8434769 |            8434769 |        |
12
| 10.88.12.61:2379 | cea2c8779e4914d0 |  3.5.21 |   36 MB |     false |      false |       158 |    8434769 |            8434769 |        |
13
| 10.88.12.62:2379 | df3b2276b87896db |  3.5.21 |   33 MB |      true |      false |       158 |    8434769 |            8434769 |        |
14
+------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+

Create a k8s certificate storage directory

1
koevn@k8s-master-01:~$ sudo mkdir -pv /opt/cert/kubernetes/pki
2
koevn@k8s-master-01:~$ sudo mkdir -pv /opt/kubernetes/cfg   # Cluster kubeconfig file directory
3
koevn@k8s-master-01:~$ cd /opt/cert

2.3.1 Generate k8s ca certificate

1
koevn@k8s-master-01:/opt/cert$ sudo cat > ca-csr.json << EOF
2
{
3
  "CN": "kubernetes",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "US",
11
      "ST": "California",
12
      "L": "Los Angeles",
13
      "O": "Kubernetes",
14
      "OU": "Kubernetes-manual"
15
    }
16
  ],
17
  "ca": {
18
    "expiry": "876000h"
19
  }
20
}
21
EOF

Generate CA certificate

1
koevn@k8s-master-01:/opt/cert$ sudo cfssl gencert -initca ca-csr.json | cfssljson -bare /opt/cert/kubernetes/pki/ca

2.3.2 Generate apiserver certificate

1
koevn@k8s-master-01:/opt/cert$ sudo cat > apiserver-csr.json << EOF
2
{
3
  "CN": "kube-apiserver",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "US",
11
      "ST": "California",
12
      "L": "Los Angeles",
13
      "O": "Kubernetes",
14
      "OU": "Kubernetes-manual"
15
    }
16
  ]
17
}
18
EOF
19

20
koevn@k8s-master-01:/opt/cert$ sudo cfssl gencert   \
21
-ca=/opt/cert/kubernetes/pki/ca.pem   \
22
-ca-key=/opt/cert/kubernetes/pki/ca-key.pem   \
23
-config=ca-config.json   \
24
-hostname=10.90.0.1,10.88.12.100,127.0.0.1,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,k8s.koevn.com,10.88.12.60,10.88.12.61,10.88.12.62,10.88.12.63,10.88.12.64,10.88.12.65,10.88.12.66,10.88.12.67,10.88.12.68   \
25
-profile=kubernetes apiserver-csr.json | cfssljson -bare /opt/cert/kubernetes/pki/apiserver

2.3.3 Generate apiserver aggregate certificate

1
koevn@k8s-master-01:/opt/cert$ sudo cat > front-proxy-ca-csr.json << EOF
2
{
3
  "CN": "kubernetes",
4
  "key": {
5
     "algo": "rsa",
6
     "size": 2048
7
  },
8
  "ca": {
9
    "expiry": "876000h"
10
  }
11
}
12
EOF
13

14
koevn@k8s-master-01:/opt/cert$ sudo cfssl gencert \
15
-initca front-proxy-ca-csr.json | cfssljson -bare /opt/cert/kubernetes/pki/front-proxy-ca
16

17
koevn@k8s-master-01:/opt/cert$ sudo cat > front-proxy-client-csr.json  << EOF
18
{
19
  "CN": "front-proxy-client",
20
  "key": {
21
     "algo": "rsa",
22
     "size": 2048
23
  }
24
}
25
EOF
26

27
koevn@k8s-master-01:/opt/cert$ sudo cfssl gencert  \
28
-ca=/opt/cert/kubernetes/pki/front-proxy-ca.pem   \
29
-ca-key=/opt/cert/kubernetes/pki/front-proxy-ca-key.pem   \
30
-config=ca-config.json   \
31
-profile=kubernetes \
32
front-proxy-client-csr.json | cfssljson -bare /opt/cert/kubernetes/pki/front-proxy-client

2.3.4 Generate controller-manage certificate

1
koevn@k8s-master-01:/opt/cert$ sudo cat > manager-csr.json << EOF
2
{
3
  "CN": "system:kube-controller-manager",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "CN",
11
      "ST": "Beijing",
12
      "L": "Beijing",
13
      "O": "system:kube-controller-manager",
14
      "OU": "Kubernetes-manual"
15
    }
16
  ]
17
}
18
EOF
19

20
koevn@k8s-master-01:/opt/cert$ sudo cfssl gencert  \
21
-ca=/opt/cert/kubernetes/pki/front-proxy-ca.pem   \
22
-ca-key=/opt/cert/kubernetes/pki/front-proxy-ca-key.pem   \
23
-config=ca-config.json   \
24
-profile=kubernetes \
25
manager-csr.json | cfssljson -bare /opt/cert/kubernetes/pki/controller-manager
26

27
Set cluster items
28
```bash
29
koevn@k8s-master-01:/opt/cert$ sudo kubectl config set-cluster kubernetes \
30
  --certificate-authority=/opt/cert/kubernetes/pki/ca.pem \
31
  --embed-certs=true \
32
  --server=https://10.88.12.100:9443 \
33
  --kubeconfig=/opt/kubernetes/cfg/controller-manager.kubeconfig

⚠️ 注意 The cluster item --server configuration must point to the keepalived high-availability VIP, and port 9443 is the port that haproxy listens on.

Setting the environment item context

1
koevn@k8s-master-01:/opt/cert$ sudo kubectl config set-context system:kube-controller-manager@kubernetes \
2
  --cluster=kubernetes \
3
  --user=system:kube-controller-manager \
4
  --kubeconfig=/opt/kubernetes/cfg/controller-manager.kubeconfig

Setting a User Item

1
koevn@k8s-master-01:/opt/cert$ sudo kubectl config set-credentials system:kube-controller-manager \
2
  --client-certificate=/opt/cert/kubernetes/pki/controller-manager.pem \
3
  --client-key=/opt/cert/kubernetes/pki/controller-manager-key.pem \
4
  --embed-certs=true \
5
  --kubeconfig=/opt/kubernetes/cfg/controller-manager.kubeconfig

Setting the default environment

1
koevn@k8s-master-01:/opt/cert$ sudo kubectl config use-context system:kube-controller-manager@kubernetes \
2
  --kubeconfig=/opt/kubernetes/cfg/controller-manager.kubeconfig

2.3.5 Generate kube-scheduler certificate

1
koevn@k8s-master-01:/opt/cert$ sudo cat > scheduler-csr.json << EOF
2
{
3
  "CN": "system:kube-scheduler",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "US",
11
      "ST": "California",
12
      "L": "Los Angeles",
13
      "O": "system:kube-scheduler",
14
      "OU": "Kubernetes-manual"
15
    }
16
  ]
17
}
18
EOF
19

20
koevn@k8s-master-01:/opt/cert$ sudo cfssl gencert \
21
  -ca=/opt/cert/kubernetes/pki/ca.pem \
22
  -ca-key=/opt/cert/kubernetes/pki/ca-key.pem \
23
  -config=ca-config.json \
24
  -profile=kubernetes \
25
  scheduler-csr.json | cfssljson -bare /opt/cert/kubernetes/pki/scheduler
26

27
koevn@k8s-master-01:/opt/cert$ sudo kubectl config set-cluster kubernetes \
28
  --certificate-authority=/opt/cert/kubernetes/pki/ca.pem \
29
  --embed-certs=true \
30
  --server=https://10.88.12.100:9443 \
31
  --kubeconfig=/opt/kubernetes/cfg/scheduler.kubeconfig
32

33
koevn@k8s-master-01:/opt/cert$ sudo kubectl config set-credentials system:kube-scheduler \
34
  --client-certificate=/opt/cert/kubernetes/pki/scheduler.pem \
35
  --client-key=/opt/cert/kubernetes/pki/scheduler-key.pem \
36
  --embed-certs=true \
37
  --kubeconfig=/opt/kubernetes/cfg/scheduler.kubeconfig
38

39
koevn@k8s-master-01:/opt/cert$ sudo kubectl config set-context system:kube-scheduler@kubernetes \
40
  --cluster=kubernetes \
41
  --user=system:kube-scheduler \
42
  --kubeconfig=/opt/kubernetes/cfg/scheduler.kubeconfig
43

44
koevn@k8s-master-01:/opt/cert$ sudo kubectl config use-context system:kube-scheduler@kubernetes \
45
  --kubeconfig=/opt/kubernetes/cfg/scheduler.kubeconfig

2.3.6 Generate admin certificate

1
koevn@k8s-master-01:/opt/cert$ sudo cat > admin-csr.json << EOF
2
{
3
  "CN": "admin",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "US",
11
      "ST": "California",
12
      "L": "Los Angeles",
13
      "O": "system:masters",
14
      "OU": "Kubernetes-manual"
15
    }
16
  ]
17
}
18
EOF
19

20
koevn@k8s-master-01:/opt/cert$ sudo cfssl gencert \
21
  -ca=/opt/cert/kubernetes/pki/ca.pem \
22
  -ca-key=/opt/cert/kubernetes/pki/ca-key.pem \
23
  -config=ca-config.json \
24
  -profile=kubernetes \
25
  admin-csr.json | cfssljson -bare /opt/cert/kubernetes/pki/admin
26

27
koevn@k8s-master-01:/opt/cert$ sudo kubectl config set-cluster kubernetes \
28
  --certificate-authority=/opt/cert/kubernetes/pki/ca.pem \
29
  --embed-certs=true \
30
  --server=https://10.88.12.100:9443 \
31
  --kubeconfig=/opt/kubernetes/cfg/admin.kubeconfig
32

33
koevn@k8s-master-01:/opt/cert$ sudo kubectl config set-credentials kubernetes-admin \
34
  --client-certificate=/opt/cert/kubernetes/pki//admin.pem \
35
  --client-key=/opt/cert/kubernetes/pki//admin-key.pem \
36
  --embed-certs=true \
37
  --kubeconfig=/opt/kubernetes/cfg/admin.kubeconfig
38

39
koevn@k8s-master-01:/opt/cert$ sudo kubectl config set-context kubernetes-admin@kubernetes \
40
  --cluster=kubernetes \
41
  --user=kubernetes-admin \
42
  --kubeconfig=/opt/kubernetes/cfg/admin.kubeconfig
43

44
koevn@k8s-master-01:/opt/cert$ sudo kubectl config use-context kubernetes-admin@kubernetes \
45
--kubeconfig=/opt/kubernetes/cfg/admin.kubeconfig

2.3.7 Generate kube-proxy certificate (optional)

1
koevn@k8s-master-01:/opt/cert$ sudo cat > kube-proxy-csr.json  << EOF
2
{
3
  "CN": "system:kube-proxy",
4
  "key": {
5
    "algo": "rsa",
6
    "size": 2048
7
  },
8
  "names": [
9
    {
10
      "C": "US",
11
      "ST": "California",
12
      "L": "Los Angeles",
13
      "O": "system:kube-proxy",
14
      "OU": "Kubernetes-manual"
15
    }
16
  ]
17
}
18
EOF
19

20
koevn@k8s-master-01:/opt/cert$ sudo cfssl gencert \
21
  -ca=/opt/cert/kubernetes/pki/ca.pem \
22
  -ca-key=/opt/cert/kubernetes/pki/ca-key.pem \
23
  -config=ca-config.json \
24
  -profile=kubernetes \
25
  kube-proxy-csr.json | cfssljson -bare /opt/kubernetes/cfg/kube-proxy
26

27
koevn@k8s-master-01:/opt/cert$ sudo kubectl config set-cluster kubernetes \
28
  --certificate-authority=/opt/cert/kubernetes/pki/ca.pem \
29
  --embed-certs=true \
30
  --server=https://10.88.12.100:9443 \
31
  --kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig
32

33
koevn@k8s-master-01:/opt/cert$ sudo kubectl config set-credentials kube-proxy \
34
  --client-certificate=/opt/cert/kubernetes/pki/kube-proxy.pem \
35
  --client-key=/opt/cert/kubernetes/pki/kube-proxy-key.pem \
36
  --embed-certs=true \
37
  --kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig
38

39
koevn@k8s-master-01:/opt/cert$ sudo kubectl config set-context kube-proxy@kubernetes \
40
  --cluster=kubernetes \
41
  --user=kube-proxy \
42
  --kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig
43

44
koevn@k8s-master-01:/opt/cert$ sudo kubectl config use-context kube-proxy@kubernetes \
45
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig

2.3.8 Create a ServiceAccount Key

1
koevn@k8s-master-01:/opt/cert$ sudo openssl genrsa -out /opt/cert/kubernetes/pki/sa.key 2048
2
koevn@k8s-master-01:/opt/cert$ sudo openssl rsa -in /opt/cert/kubernetes/pki/sa.key \
3
-pubout -out /opt/cert/kubernetes/pki/sa.pub

2.3.9 View the number of k8s component certificates

1
koevn@k8s-master-01:~$ ls /opt/cert/kubernetes/pki
2
-rw-r--r-- 1 root root 1025 May 20 17:11 admin.csr
3
-rw------- 1 root root 1679 May 20 17:11 admin-key.pem
4
-rw-r--r-- 1 root root 1444 May 20 17:11 admin.pem
5
-rw-r--r-- 1 root root 1383 May 20 16:25 apiserver.csr
6
-rw------- 1 root root 1675 May 20 16:25 apiserver-key.pem
7
-rw-r--r-- 1 root root 1777 May 20 16:25 apiserver.pem
8
-rw-r--r-- 1 root root 1070 May 20 11:58 ca.csr
9
-rw------- 1 root root 1679 May 20 11:58 ca-key.pem
10
-rw-r--r-- 1 root root 1363 May 20 11:58 ca.pem
11
-rw-r--r-- 1 root root 1082 May 20 16:38 controller-manager.csr
12
-rw------- 1 root root 1679 May 20 16:38 controller-manager-key.pem
13
-rw-r--r-- 1 root root 1501 May 20 16:38 controller-manager.pem
14
-rw-r--r-- 1 root root  940 May 20 16:26 front-proxy-ca.csr
15
-rw------- 1 root root 1675 May 20 16:26 front-proxy-ca-key.pem
16
-rw-r--r-- 1 root root 1094 May 20 16:26 front-proxy-ca.pem
17
-rw-r--r-- 1 root root  903 May 20 16:30 front-proxy-client.csr
18
-rw------- 1 root root 1679 May 20 16:30 front-proxy-client-key.pem
19
-rw-r--r-- 1 root root 1188 May 20 16:30 front-proxy-client.pem
20
-rw-r--r-- 1 root root 1045 May 20 18:30 kube-proxy.csr
21
-rw------- 1 root root 1679 May 20 18:30 kube-proxy-key.pem
22
-rw-r--r-- 1 root root 1464 May 20 18:30 kube-proxy.pem
23
-rw------- 1 root root 1704 May 21 09:21 sa.key
24
-rw-r--r-- 1 root root  451 May 21 09:21 sa.pub
25
-rw-r--r-- 1 root root 1058 May 20 17:00 scheduler.csr
26
-rw------- 1 root root 1679 May 20 17:00 scheduler-key.pem
27
-rw-r--r-- 1 root root 1476 May 20 17:00 scheduler.pem
28

29
koevn@k8s-master-01:~$ ls /opt/cert/kubernetes/pki/ | wc -l  # View Total
30
26

2.3.10 Install kubernetes components and certificate distribution (all Master nodes)

1
koevn@k8s-master-01:~$ sudo mkdir -pv /opt/kubernetes/{bin,etc,cert,cfg}
2
koevn@k8s-master-01:~$ sudo tree /opt/kubernetes    # View file hierarchy
3
/opt/kubernetes
4
├── bin
5
│   ├── kube-apiserver
6
│   ├── kube-controller-manager
7
│   ├── kubectl
8
│   ├── kubelet
9
│   ├── kube-proxy
10
│   └── kube-scheduler
11
├── cert
12
│   ├── admin-key.pem
13
│   ├── admin.pem
14
│   ├── apiserver-key.pem
15
│   ├── apiserver.pem
16
│   ├── ca-key.pem
17
│   ├── ca.pem
18
│   ├── controller-manager-key.pem
19
│   ├── controller-manager.pem
20
│   ├── front-proxy-ca.pem
21
│   ├── front-proxy-client-key.pem
22
│   ├── front-proxy-client.pem
23
│   ├── kube-proxy-key.pem
24
│   ├── kube-proxy.pem
25
│   ├── sa.key
26
│   ├── sa.pub
27
│   ├── scheduler-key.pem
28
│   └── scheduler.pem
29
├── cfg
30
│   ├── admin.kubeconfig
31
│   ├── bootstrap-kubelet.kubeconfig
32
│   ├── bootstrap.secret.yaml
33
│   ├── controller-manager.kubeconfig
34
│   ├── kubelet.kubeconfig
35
│   ├── kube-proxy.kubeconfig
36
│   └── scheduler.kubeconfig
37
├── etc
38
│   ├── kubelet-conf.yml
39
│   └── kube-proxy.yaml
40
└── manifests
41

42
6 directories, 32 files

2.4.0 Deploy Haproxy load balancing

⚠️ 注意 This step configures the high availability of the apiserver using a combination of Haproxy and Keepalived. In order to omit this step, I directly add a network card to the Master-01 node with a fake VIP address. In the production environment, it is best to use a combination of Haproxy and Keepalived to improve redundancy.

2.4.1 Install Haproxy

1
koevn@k8s-master-01:~$ sudo apt install haproxy

2.4.2 Modify the haproxy configuration file

1
koevn@k8s-master-01:~$ sudo cat >/etc/haproxy/haproxy.cfg << EOF
2
global
3
 maxconn 2000
4
 ulimit-n 16384
5
 log 127.0.0.1 local0 err
6
 stats timeout 30s
7

8
defaults
9
 log global
10
 mode http
11
 option httplog
12
 timeout connect 5000
13
 timeout client 50000
14
 timeout server 50000
15
 timeout http-request 15s
16
 timeout http-keep-alive 15s
17

18
listen stats
19
 mode http
20
 bind 0.0.0.0:9999
21
 stats enable
22
 log global
23
 stats uri     /haproxy-status
24
 stats auth    admin:K123456
25

26
frontend monitor-in
27
 bind *:33305
28
 mode http
29
 option httplog
30
 monitor-uri /monitor
31

32
frontend k8s-master
33
 bind 0.0.0.0:9443
34
 bind 127.0.0.1:9443
35
 mode tcp
36
 option tcplog
37
 tcp-request inspect-delay 5s
38
 default_backend k8s-master
39

40

41
backend k8s-master
42
 mode tcp
43
 option tcplog
44
 option tcp-check
45
 balance roundrobin
46
 default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
47
 server k8s-master-01 10.88.12.60:6443 check
48
 server k8s-master-02 10.88.12.61:6443 check
49
 server k8s-master-03 10.88.12.62:6443 check
50
EOF

Start the service

1
koevn@k8s-master-01:~$ sudo systemctl daemon-reload
2
koevn@k8s-master-01:~$ sudo systemctl enable --now haproxy.service

Visit http://10.88.12.100:9999/haproxy-status through the browser to view the haproxy status

2.5.0 Configure apiserver service (all Master nodes)

Configure apiserver to start the service

1
koevn@k8s-master-01:~$ sudo cat /etc/systemd/system/kube-apiserver.service << EOF
2
[Unit]
3
Description=Kubernetes API Server
4
Documentation=https://github.com/kubernetes/kubernetes
5
After=network.target
6

7
[Service]
8
ExecStart=/opt/kubernetes/bin/kube-apiserver \
9
      --v=2 \
10
      --allow-privileged=true \
11
      --bind-address=0.0.0.0 \
12
      --secure-port=6443 \
13
      --advertise-address=10.88.12.60 \    # Note Change the IP address of each Master node
14
      --service-cluster-ip-range=10.90.0.0/16 \  # The cluster network segment is configured according to the usage
15
      --service-node-port-range=30000-32767 \
16
      --etcd-servers=https://10.88.12.60:2379,https://10.88.12.61:2379,https://10.88.12.62:2379 \
17
      --etcd-cafile=/opt/etcd/cert/etcd-ca.pem \
18
      --etcd-certfile=/opt/etcd/cert/etcd.pem \
19
      --etcd-keyfile=/opt/etcd/cert/etcd-key.pem \
20
      --client-ca-file=/opt/kubernetes/cert/ca.pem \
21
      --tls-cert-file=/opt/kubernetes/cert/apiserver.pem \
22
      --tls-private-key-file=/opt/kubernetes/cert/apiserver-key.pem \
23
      --kubelet-client-certificate=/opt/kubernetes/cert/apiserver.pem \
24
      --kubelet-client-key=/opt/kubernetes/cert/apiserver-key.pem \
25
      --service-account-key-file=/opt/kubernetes/cert/sa.pub \
26
      --service-account-signing-key-file=/opt/kubernetes/cert/sa.key \
27
      --service-account-issuer=https://kubernetes.default.svc.cluster.local \
28
      --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \
29
      --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota \
30
      --authorization-mode=Node,RBAC \
31
      --enable-bootstrap-token-auth=true \
32
      --requestheader-client-ca-file=/opt/kubernetes/cert/front-proxy-ca.pem \
33
      --proxy-client-cert-file=/opt/kubernetes/cert/front-proxy-client.pem \
34
      --proxy-client-key-file=/opt/kubernetes/cert/front-proxy-client-key.pem \
35
      --requestheader-allowed-names=aggregator \
36
      --requestheader-group-headers=X-Remote-Group \
37
      --requestheader-extra-headers-prefix=X-Remote-Extra- \
38
      --requestheader-username-headers=X-Remote-User \
39
      --enable-aggregator-routing=true
40
Restart=on-failure
41
RestartSec=10s
42
LimitNOFILE=65535
43

44
[Install]
45
WantedBy=multi-user.target
46
EOF

Reload systemd management

1
koevn@k8s-master-01:~$ sudo systemctl daemon-reload

Start kube-apiserver

1
koevn@k8s-master-01:~$ sudo systemctl enable --now kube-apiserver.service

Check the kube-apiserver service status

1
koevn@k8s-master-01:~$ sudo systemctl status kube-apiserver.service

2.6.0 Configure kube-controller-manager service (all Master nodes)

Configure kube-controller-manager service to start the service

1
koevn@k8s-master-01:~$ sudo cat /etc/systemd/system/kube-controller-manager.service << EOF
2
[Unit]
3
Description=Kubernetes Controller Manager
4
Documentation=https://github.com/kubernetes/kubernetes
5
After=network.target
6

7
[Service]
8
ExecStart=/opt/kubernetes/bin/kube-controller-manager \
9
      --v=2 \
10
      --root-ca-file=/opt/kubernetes/cert/ca.pem \
11
      --cluster-signing-cert-file=/opt/kubernetes/cert/ca.pem \
12
      --cluster-signing-key-file=/opt/kubernetes/cert/ca-key.pem \
13
      --service-account-private-key-file=/opt/kubernetes/cert/sa.key \
14
      --kubeconfig=/opt/kubernetes/cfg/controller-manager.kubeconfig \
15
      --leader-elect=true \
16
      --use-service-account-credentials=true \
17
      --node-monitor-grace-period=40s \
18
      --node-monitor-period=5s \
19
      --controllers=*,bootstrapsigner,tokencleaner \
20
      --allocate-node-cidrs=true \
21
      --service-cluster-ip-range=10.90.0.0/16 \    # Cluster services network changes based on usage
22
      --cluster-cidr=10.100.0.0/16 \               # Cluster pod network changes based on usage
23
      --node-cidr-mask-size-ipv4=24 \              # The network subnet mask is set to 24
24
      --requestheader-client-ca-file=/opt/kubernetes/cert/front-proxy-ca.pem
25

26
Restart=always
27
RestartSec=10s
28

29
[Install]
30
WantedBy=multi-user.target
31
EOF

Reload systemd management

1
koevn@k8s-master-01:~$ sudo systemctl daemon-reload

Start kube-apiserver

1
koevn@k8s-master-01:~$ sudo systemctl enable --now kube-controller-manager.service

Check the kube-apiserver service status

1
koevn@k8s-master-01:~$ sudo systemctl status kube-controller-manager.service

2.7.0 Configure kube-scheduler service (all Master nodes)

Configure kube-scheduler service and start the service

1
koevn@k8s-master-01:~$ sudo cat > /usr/lib/systemd/system/kube-scheduler.service << EOF
2
[Unit]
3
Description=Kubernetes Scheduler
4
Documentation=https://github.com/kubernetes/kubernetes
5
After=network.target
6

7
[Service]
8
ExecStart=/opt/kubernetes/bin/kube-scheduler \
9
      --v=2 \
10
      --bind-address=0.0.0.0 \
11
      --leader-elect=true \
12
      --kubeconfig=/opt/kubernetes/cfg/scheduler.kubeconfig
13

14
Restart=always
15
RestartSec=10s
16

17
[Install]
18
WantedBy=multi-user.target
19
EOF

Reload systemd management

1
koevn@k8s-master-01:~$ sudo systemctl daemon-reload

Start kube-apiserver

1
koevn@k8s-master-01:~$ sudo systemctl enable --now kube-scheduler.service

Check the kube-apiserver service status

1
koevn@k8s-master-01:~$ sudo systemctl status kube-scheduler.service

2.8.0 TLS Bootstrapping Configuration

Create cluster configuration items

1
koevn@k8s-master-01:~$ sudo kubectl config set-cluster kubernetes \
2
--certificate-authority=/opt/cert/kubernetes/pki/ca.pem \
3
--embed-certs=true \
4
--server=https://10.88.12.100:9443 \
5
--kubeconfig=/opt/kubernetes/cfg/bootstrap-kubelet.kubeconfig

Creating a token

1
koevn@k8s-master-01:~$ sudo echo "$(head -c 6 /dev/urandom | md5sum | head -c 6)"."$(head -c 16 /dev/urandom | md5sum | head -c 16)"
2
79b841.0677456fb3b47289

Setting Credentials

1
koevn@k8s-master-01:~$ sudo kubectl config set-credentials tls-bootstrap-token-user \
2
--token=79b841.0677456fb3b47289 \
3
--kubeconfig=/opt/kubernetes/cfg/bootstrap-kubelet.kubeconfig

Setting context information

1
koevn@k8s-master-01:~$ sudo kubectl config set-context tls-bootstrap-token-user@kubernetes \
2
--cluster=kubernetes \
3
--user=tls-bootstrap-token-user \
4
--kubeconfig=/opt/kubernetes/cfg/bootstrap-kubelet.kubeconfig
5

6
koevn@k8s-master-01:~$ sudo kubectl config use-context tls-bootstrap-token-user@kubernetes \
7
--kubeconfig=/opt/kubernetes/cfg/bootstrap-kubelet.kubeconfig

Configure the current user to manage the cluster

1
mkdir -pv /home/koevn/.kube && cp /opt/kubernetes/cfg/admin.kubeconfig /home/koevn/.kube/config

Check the cluster status

1
koevn@k8s-master-01:~$ sudo kubectl get cs   # View the health status of core components of the Kubernetes control plane
2
Warning: v1 ComponentStatus is deprecated in v1.19+
3
NAME                 STATUS    MESSAGE   ERROR
4
etcd-0               Healthy   ok
5
controller-manager   Healthy   ok
6
scheduler            Healthy   ok

Apply bootstrap-token

1
koevn@k8s-master-01:~$ sudo cat > bootstrap.secret.yaml << EOF
2
apiVersion: v1
3
kind: Secret
4
metadata:
5
  name: bootstrap-token-79b841
6
  namespace: kube-system
7
type: bootstrap.kubernetes.io/token
8
stringData:
9
  description: "The default bootstrap token generated by 'kubelet '."
10
  token-id: 79b841
11
  token-secret: 0677456fb3b47289
12
  usage-bootstrap-authentication: "true"
13
  usage-bootstrap-signing: "true"
14
  auth-extra-groups:  system:bootstrappers:default-node-token,system:bootstrappers:worker,system:bootstrappers:ingress
15

16
---
17
apiVersion: rbac.authorization.k8s.io/v1
18
kind: ClusterRoleBinding
19
metadata:
20
  name: kubelet-bootstrap
21
roleRef:
22
  apiGroup: rbac.authorization.k8s.io
23
  kind: ClusterRole
24
  name: system:node-bootstrapper
25
subjects:
26
- apiGroup: rbac.authorization.k8s.io
27
  kind: Group
28
  name: system:bootstrappers:default-node-token
29
---
30
apiVersion: rbac.authorization.k8s.io/v1
31
kind: ClusterRoleBinding
32
metadata:
33
  name: node-autoapprove-bootstrap
34
roleRef:
35
  apiGroup: rbac.authorization.k8s.io
36
  kind: ClusterRole
37
  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
38
subjects:
39
- apiGroup: rbac.authorization.k8s.io
40
  kind: Group
41
  name: system:bootstrappers:default-node-token
42
---
43
apiVersion: rbac.authorization.k8s.io/v1
44
kind: ClusterRoleBinding
45
metadata:
46
  name: node-autoapprove-certificate-rotation
47
roleRef:
48
  apiGroup: rbac.authorization.k8s.io
49
  kind: ClusterRole
50
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
51
subjects:
52
- apiGroup: rbac.authorization.k8s.io
53
  kind: Group
54
  name: system:nodes
55
---
56
apiVersion: rbac.authorization.k8s.io/v1
57
kind: ClusterRole
58
metadata:
59
  annotations:
60
    rbac.authorization.kubernetes.io/autoupdate: "true"
61
  labels:
62
    kubernetes.io/bootstrapping: rbac-defaults
63
  name: system:kube-apiserver-to-kubelet
64
rules:
65
  - apiGroups:
66
      - ""
67
    resources:
68
      - nodes/proxy
69
      - nodes/stats
70
      - nodes/log
71
      - nodes/spec
72
      - nodes/metrics
73
    verbs:
74
      - "*"
75
---
76
apiVersion: rbac.authorization.k8s.io/v1
77
kind: ClusterRoleBinding
78
metadata:
79
  name: system:kube-apiserver
80
  namespace: ""
81
roleRef:
82
  apiGroup: rbac.authorization.k8s.io
83
  kind: ClusterRole
84
  name: system:kube-apiserver-to-kubelet
85
subjects:
86
  - apiGroup: rbac.authorization.k8s.io
87
    kind: User
88
    name: kube-apiserver

Create bootstrap.secret configuration to the cluster

1
kubectl create -f bootstrap.secret.yaml

3. Install the basic components of the Kubernetes cluster Worker

3.1.0 Required installation directory structure

1
koevn@k8s-worker-01:~$ sudo mkdir -pv /opt/kubernetes/{bin,cert,cfg,etc}
2
koevn@k8s-worker-01:~$ sudo tree /opt/kubernetes/   # View the directory structure
3
/opt/kubernetes/
4
├── bin
5
│   ├── kubectl
6
│   ├── kubelet
7
│   └── kube-proxy
8
├── cert             # Copy the certificate file from the master node
9
│   ├── ca.pem
10
│   ├── front-proxy-ca.pem
11
│   ├── kube-proxy-key.pem
12
│   └── kube-proxy.pem
13
├── cfg              # The kubeconfig file is copied from the master node
14
│   ├── bootstrap-kubelet.kubeconfig
15
│   ├── kubelet.kubeconfig
16
│   └── kube-proxy.kubeconfig
17
├── etc
18
│   ├── kubelet-conf.yml
19
│   └── kube-proxy.yaml
20
└── manifests
21

22
6 directories, 12 files

Kubernetes Worker nodes only need to install the Containerd and kubelet components. Although kube-proxy is not necessary, you can still install it and deploy it according to your needs.

3.2.0 Deploy kubelet service

This component needs to be deployed to all nodes in the cluster, and then deployed to other nodes accordingly. Add kubelet’s service file

1
koevn@k8s-worker-01:~$ sudo cat > /usr/lib/systemd/system/kubelet.service << EOF
2
[Unit]
3
Description=Kubernetes Kubelet
4
Documentation=https://github.com/kubernetes/kubernetes
5
After=network-online.target firewalld.service containerd.service
6
Wants=network-online.target
7
Requires=containerd.service
8

9
[Service]
10
ExecStart=/opt/kubernetes/bin/kubelet \
11
    --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap-kubelet.kubeconfig \
12
    --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
13
    --config=/opt/kubernetes/etc/kubelet-conf.yml \
14
    --container-runtime-endpoint=unix:///run/containerd/containerd.sock \
15
    --node-labels=node.kubernetes.io/node=
16

17
[Install]
18
WantedBy=multi-user.target
19
EOF

Create and edit the kubelet configuration file

1
koevn@k8s-worker-01:~$ sudo cat > /etc/kubernetes/kubelet-conf.yml <<EOF
2
apiVersion: kubelet.config.k8s.io/v1beta1
3
kind: KubeletConfiguration
4
address: 0.0.0.0
5
port: 10250
6
readOnlyPort: 10255
7
authentication:
8
  anonymous:
9
    enabled: false
10
  webhook:
11
    cacheTTL: 2m0s
12
    enabled: true
13
  x509:
14
    clientCAFile: /opt/kubernetes/cert/ca.pem
15
authorization:
16
  mode: Webhook
17
  webhook:
18
    cacheAuthorizedTTL: 5m0s
19
    cacheUnauthorizedTTL: 30s
20
cgroupDriver: systemd
21
cgroupsPerQOS: true
22
clusterDNS:
23
- 10.90.0.10
24
clusterDomain: cluster.local
25
containerLogMaxFiles: 5
26
containerLogMaxSize: 10Mi
27
contentType: application/vnd.kubernetes.protobuf
28
cpuCFSQuota: true
29
cpuManagerPolicy: none
30
cpuManagerReconcilePeriod: 10s
31
enableControllerAttachDetach: true
32
enableDebuggingHandlers: true
33
enforceNodeAllocatable:
34
- pods
35
eventBurst: 10
36
eventRecordQPS: 5
37
evictionHard:
38
  imagefs.available: 15%
39
  memory.available: 100Mi
40
  nodefs.available: 10%
41
  nodefs.inodesFree: 5%
42
evictionPressureTransitionPeriod: 5m0s
43
failSwapOn: true
44
fileCheckFrequency: 20s
45
hairpinMode: promiscuous-bridge
46
healthzBindAddress: 127.0.0.1
47
healthzPort: 10248
48
httpCheckFrequency: 20s
49
imageGCHighThresholdPercent: 85
50
imageGCLowThresholdPercent: 80
51
imageMinimumGCAge: 2m0s
52
iptablesDropBit: 15
53
iptablesMasqueradeBit: 14
54
kubeAPIBurst: 10
55
kubeAPIQPS: 5
56
makeIPTablesUtilChains: true
57
maxOpenFiles: 1000000
58
maxPods: 110
59
nodeStatusUpdateFrequency: 10s
60
oomScoreAdj: -999
61
podPidsLimit: -1
62
registryBurst: 10
63
registryPullQPS: 5
64
resolvConf: /etc/resolv.conf
65
rotateCertificates: true
66
runtimeRequestTimeout: 2m0s
67
serializeImagePulls: true
68
staticPodPath: /opt/kubernetes/manifests
69
streamingConnectionIdleTimeout: 4h0m0s
70
syncFrequency: 1m0s
71
volumeStatsAggPeriod: 1m0s

Start kubelet

1
koevn@k8s-worker-01:~$ sudo systemctl daemon-reload   # Reload the systemd management unit
2
koevn@k8s-worker-01:~$ sudo systemctl enable --now kubelet.service   # Enable and immediately start the kubelet.service unit
3
koevn@k8s-worker-01:~$ sudo systemctl status kubelet.service  # View the current status of the kubelet.service service

3.3.0 Check the status of cluster nodes

1
koevn@k8s-master-01:~$ sudo kubectl get node
2
NAME            STATUS      ROLES    AGE   VERSION
3
k8s-master-01   NotReady    <none>   50s   v1.33.0
4
k8s-master-02   NotReady    <none>   47s   v1.33.0
5
k8s-master-03   NotReady    <none>   40s   v1.33.0
6
k8s-worker-01   NotReady    <none>   35s   v1.33.0
7
k8s-worker-02   NotReady    <none>   28s   v1.33.0
8
k8s-worker-03   NotReady    <none>   11s   v1.33.0

Since the CNI network plug-in is not installed in the Kubernetes cluster at this time, it is normal for the node STATUS to be in the NotReady state. Only when the CNI network plug-in runs normally without errors, the state is Ready.

3.4.0 View the Runtime version information of the cluster nodes

1
koevn@k8s-master-01:~$ sudo kubectl describe node | grep Runtime
2
  Container Runtime Version:  containerd://2.1.0
3
  Container Runtime Version:  containerd://2.1.0
4
  Container Runtime Version:  containerd://2.1.0
5
  Container Runtime Version:  containerd://2.1.0
6
  Container Runtime Version:  containerd://2.1.0
7
  Container Runtime Version:  containerd://2.1.0

3.5.0 Deploy kube-proxy service (optional)

This component needs to be deployed to all nodes in the cluster, and then deployed to other nodes accordingly. Add the kube-proxy service file

1
koevn@k8s-worker-01:~$ sudo cat >  /usr/lib/systemd/system/kube-proxy.service << EOF
2
[Unit]
3
Description=Kubernetes Kube Proxy
4
Documentation=https://github.com/kubernetes/kubernetes
5
After=network.target
6

7
[Service]
8
ExecStart=/opt/kubernetes/bin/kube-proxy \
9
  --config=/opt/kubernetes/etc/kube-proxy.yaml \
10
  --cluster-cidr=10.100.0.0/16 \
11
  --v=2
12
Restart=always
13
RestartSec=10s
14

15
[Install]
16
WantedBy=multi-user.target
17
EOF

Create and edit the kube-proxy configuration file

1
koevn@k8s-worker-01:~$ sudo cat > /etc/kubernetes/kube-proxy.yaml << EOF
2
apiVersion: kubeproxy.config.k8s.io/v1alpha1
3
bindAddress: 0.0.0.0
4
clientConnection:
5
  acceptContentTypes: ""
6
  burst: 10
7
  contentType: application/vnd.kubernetes.protobuf
8
  kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
9
  qps: 5
10
clusterCIDR: 10.100.0.0/16
11
configSyncPeriod: 15m0s
12
conntrack:
13
  max: null
14
  maxPerCore: 32768
15
  min: 131072
16
  tcpCloseWaitTimeout: 1h0m0s
17
  tcpEstablishedTimeout: 24h0m0s
18
enableProfiling: false
19
healthzBindAddress: 0.0.0.0:10256
20
hostnameOverride: ""
21
iptables:
22
  masqueradeAll: false
23
  masqueradeBit: 14
24
  minSyncPeriod: 0s
25
  syncPeriod: 30s
26
ipvs:
27
  masqueradeAll: true
28
  minSyncPeriod: 5s
29
  scheduler: "rr"
30
  syncPeriod: 30s
31
kind: KubeProxyConfiguration
32
metricsBindAddress: 127.0.0.1:10249
33
mode: "ipvs"
34
nodePortAddresses: null
35
oomScoreAdj: -999
36
portRange: ""
37
udpIdleTimeout: 250ms
38
EOF

Start kubelet

1
koevn@k8s-worker-01:~$ sudo systemctl daemon-reload   # Reload the systemd management unit
2
koevn@k8s-worker-01:~$ sudo systemctl enable --now kube-proxy.service   # Enable and immediately start the kubelet.service unit
3
koevn@k8s-worker-01:~$ sudo systemctl status kube-proxy.service  # View the current status of the kubelet.service service

4. Installing the Cluster Network Plugin

⚠️ 注意 The network plug-in installed this time is cilium. With this plug-in taking over the Kubernetes cluster network, the kube-proxy service must be shut down with systemctl stop kube-proxy.service to avoid interference with cilium. Deploy cilium to operate on any node of the Master.

4.1.0 Install Helm

1
koevn@k8s-master-01:~$ sudo curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
2
koevn@k8s-master-01:~$ sudo chmod 700 get_helm.sh
3
koevn@k8s-master-01:~$ sudo ./get_helm.sh
4
koevn@k8s-master-01:~$ sudo tar xvf helm-*-linux-amd64.tar.gz
5
koevn@k8s-master-01:~$ sudo cp linux-amd64/helm /usr/local/bin/

4.2.0 Install cilium

1
koevn@k8s-master-01:~$ sudo helm repo add cilium https://helm.cilium.io   # Add Source
2
koevn@k8s-master-01:~$ sudo helm search repo cilium/cilium --versions     # Search for supported versions
3
koevn@k8s-master-01:~$ sudo helm pull cilium/cilium                       # Pull the cilium installation package
4
koevn@k8s-master-01:~$ sudo tar xvf cilium-*.tgz
5
koevn@k8s-master-01:~$ sudo cd cilium/

Edit and modify the following contents of the values.yaml file in the cilium directory

1
#  ------  Other configurations omitted  ------#
2

3
kubeProxyReplacement: "true"       # Uncomment and change to true
4
k8sServiceHost: "kubernetes.default.svc.cluster.local"   # This domain needs to be bound according to the apiserver certificate you generated
5
k8sServicePort: "9443"             # apiserver prot
6
ipv4NativeRoutingCIDR: "10.100.0.0/16"    # Setting up Pod IPv4 Network
7
hubble:                                   # Enable specific Hubble metrics
8
  metrics:
9
    enabled:
10
    - dns
11
    - drop
12
    - tcp
13
    - flow
14
    - icmp
15
    - httpV2
16

17
#  ------  Other configurations omitted  ------#

⚠️ 注意 Here, for the repository configuration parameters in all other configuration files, it is recommended to deploy the harbor private warehouse if the network environment is generally not good to avoid the failure of the cluster containerd component to pull the image, resulting in the failure of Pod to run normally

Other features are enabled according to the configuration parameter level

Enable Hubble Relay aggregation service hubble.relay.enabled=true
Enable Hubble UI frontend (visualization page) hubble.ui.enabled=true
Enable Prometheus metrics output for Cilium prometheus.enabled=true
Enable Prometheus metrics output for Operators operator.prometheus.enabled=true
Enable Hubble hubble.enabled=true

The above paragraph is a simplified representation based on the values.yaml configuration file hierarchy. You can also add --set hubble.relay.enabled=true to enable the specified function through the cilium-cli command

Install cilium

1
koevn@k8s-master-01:~$ sudo helm upgrade cilium ./cilium \
2
  --namespace kube-system \
3
  --create-namespace \
4
  -f cilium/values.yaml

View Status

1
koevn@k8s-master-01:~$ sudo kubectl  get pod -A | grep cil
2
cilium-monitoring   grafana-679cd8bff-w9xm9                 1/1     Running   0               5d
3
cilium-monitoring   prometheus-87d4f66f7-6lmrz              1/1     Running   0               5d
4
kube-system         cilium-envoy-4sjq5                      1/1     Running   0               5d
5
kube-system         cilium-envoy-64694                      1/1     Running   0               5d
6
kube-system         cilium-envoy-fzjjw                      1/1     Running   0               5d
7
kube-system         cilium-envoy-twtw6                      1/1     Running   0               5d
8
kube-system         cilium-envoy-vwstr                      1/1     Running   0               5d
9
kube-system         cilium-envoy-whck6                      1/1     Running   0               5d
10
kube-system         cilium-fkjcm                            1/1     Running   0               5d
11
kube-system         cilium-h75vq                            1/1     Running   0               5d
12
kube-system         cilium-hcx4q                            1/1     Running   0               5d
13
kube-system         cilium-jz44w                            1/1     Running   0               5d
14
kube-system         cilium-operator-58d8755c44-hnwmd        1/1     Running   57 (84m ago)    5d
15
kube-system         cilium-operator-58d8755c44-xmg9f        1/1     Running   54 (82m ago)    5d
16
kube-system         cilium-qx5mn                            1/1     Running   0               5d
17
kube-system         cilium-wqmzc                            1/1     Running   0               5d

5. Deployment monitoring panel

5.1.0 Creating a monitoring service

1
koevn@k8s-master-01:~$ sudo wget https://raw.githubusercontent.com/cilium/cilium/1.12.1/examples/kubernetes/addons/prometheus/monitoring-example.yaml
2
koevn@k8s-master-01:~$ sudo kubectl  apply -f monitoring-example.yaml

5.2.0 Change the cluster Services Type to NodePort

View Current Services

1
koevn@k8s-master-01:~$ sudo kubectl get svc -A
2
NAMESPACE           NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
3
cilium-monitoring   grafana                ClusterIP   10.90.138.192   <none>        3000/TCP         1d
4
cilium-monitoring   prometheus             ClusterIP   10.90.145.89    <none>        9090/TCP         1d
5
default             kubernetes             ClusterIP   10.90.0.1       <none>        443/TCP          1d
6
kube-system         cilium-envoy           ClusterIP   None            <none>        9964/TCP         1d
7
kube-system         coredns                ClusterIP   10.90.0.10      <none>        53/UDP           1d
8
kube-system         hubble-metrics         ClusterIP   None            <none>        9965/TCP         1d
9
kube-system         hubble-peer            ClusterIP   10.90.63.177    <none>        443/TCP          1d
10
kube-system         hubble-relay           ClusterIP   10.90.157.4     <none>        80/TCP           1d
11
kube-system         hubble-ui              ClusterIP   10.90.13.110    <none>        80/TCP           1d
12
kube-system         metrics-server         ClusterIP   10.90.61.226    <none>        443/TCP          1d

Modify Services Type

1
koevn@k8s-master-01:~$ sudo kubectl edit svc -n cilium-monitoring grafana
2
koevn@k8s-master-01:~$ sudo kubectl edit svc -n cilium-monitoring prometheus
3
koevn@k8s-master-01:~$ sudo kubectl edit svc -n kube-system hubble-ui

Execute any of the above commands to display the contents of the yaml format file. Change the type: ClusterIP below to type: NodePort. If you cancel, change it back to type: ClusterIP

View the current Services again

1
NAMESPACE           NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
2
cilium-monitoring   grafana                NodePort    10.90.138.192   <none>        3000:31240/TCP   1d
3
cilium-monitoring   prometheus             NodePort    10.90.145.89    <none>        9090:32044/TCP   1d
4
default             kubernetes             ClusterIP   10.90.0.1       <none>        443/TCP          1d
5
kube-system         cilium-envoy           ClusterIP   None            <none>        9964/TCP         1d
6
kube-system         coredns                ClusterIP   10.90.0.10      <none>        53/UDP           1d
7
kube-system         hubble-metrics         ClusterIP   None            <none>        9965/TCP         1d
8
kube-system         hubble-peer            ClusterIP   10.90.63.177    <none>        443/TCP          1d
9
kube-system         hubble-relay           ClusterIP   10.90.157.4     <none>        80/TCP           1d
10
kube-system         hubble-ui              NodePort    10.90.13.110    <none>        80:32166/TCP     1d
11
kube-system         metrics-server         ClusterIP   10.90.61.226    <none>        443/TCP          1d

Browser accesses http://10.88.12.61:31240 grafana service

Browser accesses http://10.88.12.61:32044 prometheus service

Browser accesses http://10.88.12.61:32166 hubble-ui service

6. Install CoreDNS

6.1.0 Pull the CoreDNS installation package

1
koevn@k8s-master-01:~$ sudo helm repo add coredns https://coredns.github.io/helm
2
koevn@k8s-master-01:~$ sudo helm pull coredns/coredns
3
koevn@k8s-master-01:~$ sudo tar xvf coredns-*.tgz
4
koevn@k8s-master-01:~$ cd coredns/

Modify the values.yamlfile

1
koevn@k8s-master-01:~/coredns$ sudo vim values.yaml
2
service:
3
  clusterIP: "10.90.0.10"     # Uncomment and modify the specified IP

Install CoreDNS

1
koevn@k8s-master-01:~/coredns$ cd ..
2
koevn@k8s-master-01:~$ sudo helm install coredns ./coredns/ -n kube-system \
3
  -f coredns/values.yaml

7. Install Metrics Server

Download the metrics-server yaml file

1
koevn@k8s-master-01:~$ sudo wget https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml \
2
  -O metrics-server.yaml

Edit and modify the metrics-server.yaml file

1
# Modify the file about 134 lines
2
      - args:
3
        - --cert-dir=/tmp
4
        - --secure-port=10250
5
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
6
        - --kubelet-use-node-status-port
7
        - --metric-resolution=15s
8
        - --kubelet-insecure-tls
9
        - --requestheader-client-ca-file=/opt/kubernetes/cert/front-proxy-ca.pem
10
        - --requestheader-username-headers=X-Remote-User
11
        - --requestheader-group-headers=X-Remote-Group
12
        - --requestheader-extra-headers-prefix=X-Remote-Extra-
13

14
# Modify the file about 182 lines
15
        volumeMounts:
16
        - mountPath: /tmp
17
          name: tmp-dir
18
        - name: ca-ssl
19
          mountPath: /opt/kubernetes/cert
20
      volumes:
21
      - emptyDir: {}
22
        name: tmp-dir
23
      - name: ca-ssl
24
        hostPath:
25
        path: /opt/kubernetes/cert

Then deploy the application

1
koevn@k8s-master-01:~$ sudo kubectl apply -f metrics-server.yaml

View resource status

1
koevn@k8s-master-01:~$ sudo kubectl top node
2
NAME            CPU(cores)   CPU(%)   MEMORY(bytes)   MEMORY(%)
3
k8s-master-01   212m         5%       2318Mi          61%
4
k8s-master-02   148m         3%       2180Mi          57%
5
k8s-master-03   178m         4%       2103Mi          55%
6
k8s-worker-01   38m          1%       1377Mi          36%
7
k8s-worker-02   40m          2%       1452Mi          38%
8
k8s-worker-03   32m          1%       1475Mi          39%

8. Verifying intra-cluster communication

8.1.0 Deploy a pod resource

1
koevn@k8s-master-01:~$ cat > busybox.yaml << EOF
2
apiVersion: v1
3
kind: Pod
4
metadata:
5
  name: busybox
6
  namespace: default
7
spec:
8
  containers:
9
  - name: busybox
10
    image: harbor.koevn.com/library/busybox:1.37.0     # Here I use a private warehouse
11
    command:
12
      - sleep
13
      - "3600"
14
    imagePullPolicy: IfNotPresent
15
  restartPolicy: Always
16
EOF

Then execute the deployment pod resources

1
koevn@k8s-master-01:~$ sudo kubectl apply -f busybox.yaml

View pod resources

1
koevn@k8s-master-01:~$ sudo kubectl get pod
2
NAME      READY   STATUS    RESTARTS        AGE
3
busybox   1/1     Running   0               36s

8.2.0 Resolving NAMESPACE Services with pod

View Services

1
koevn@k8s-master-01:~$ sudo kubectl get svc -A
2
NAMESPACE           NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
3
cilium-monitoring   grafana                NodePort    10.90.138.192   <none>        3000:31240/TCP   1d
4
cilium-monitoring   prometheus             NodePort    10.90.145.89    <none>        9090:32044/TCP   1d
5
default             kubernetes             ClusterIP   10.90.0.1       <none>        443/TCP          1d
6
kube-system         cilium-envoy           ClusterIP   None            <none>        9964/TCP         1d
7
kube-system         coredns                ClusterIP   10.90.0.10      <none>        53/UDP           1d
8
kube-system         hubble-metrics         ClusterIP   None            <none>        9965/TCP         1d
9
kube-system         hubble-peer            ClusterIP   10.90.63.177    <none>        443/TCP          1d
10
kube-system         hubble-relay           ClusterIP   10.90.157.4     <none>        80/TCP           1d
11
kube-system         hubble-ui              NodePort    10.90.13.110    <none>        80:32166/TCP     1d
12
kube-system         metrics-server         ClusterIP   10.90.61.226    <none>        443/TCP          1d

Test analysis

1
koevn@k8s-master-01:~$ sudo kubectl exec busybox -n default \
2
  -- nslookup hubble-ui.kube-system.svc.cluster.local
3
Server:     10.90.0.10
4
Address:    10.90.0.10:53
5

6

7
Name:   hubble-ui.kube-system.svc.cluster.local
8
Address: 10.90.13.110
9

10
koevn@k8s-master-01:~$ sudo kubectl exec busybox -n default \
11
  -- nslookup grafana.cilium-monitoring.svc.cluster.local
12
Server:     10.90.0.10
13
Address:    10.90.0.10:53
14

15

16
Name:   grafana.cilium-monitoring.svc.cluster.local
17
Address: 10.90.138.192
18

19
koevn@k8s-master-01:~$ sudo kubectl exec busybox -n default \
20
  -- nslookup kubernetes.default.svc.cluster.local
21
Server:     10.90.0.10
22
Address:    10.90.0.10:53
23

24

25
Name:   kubernetes.default.svc.cluster.local
26
Address: 10.90.0.1

8.3.0 Each node tests the Kubernetes 443 and CoreDNS 53 ports

1
koevn@k8s-master-01:~$ sudo telnet 10.90.0.1 443
2
Trying 10.90.0.1...
3
Connected to 10.90.0.1.
4
Escape character is '^]'
5

6
koevn@k8s-master-01:~$ sudo nc -zvu 10.90.0.10 53
7
10.90.0.10: inverse host lookup failed: Unknown host
8
(UNKNOWN) [10.90.0.10] 53 (domain) open
9

10
koevn@k8s-worker-03:~$ sudo telnet 10.90.0.1 443
11
Trying 10.90.0.1...
12
Connected to 10.90.0.1.
13
Escape character is '^]'
14

15
koevn@k8s-worker-03:~$ sudo nc -zvu 10.90.0.10 53
16
10.90.0.10: inverse host lookup failed: Unknown host
17
(UNKNOWN) [10.90.0.10] 53 (domain) open

8.4.0 Test the network connectivity between Pods

View pod information

1
koevn@k8s-master-01:~$ sudo kubectl get pods -A -o \
2
custom-columns="NAMESPACE:.metadata.namespace,STATUS:.status.phase,NAME:.metadata.name,IP:.status.podIP"
3
NAMESPACE           STATUS    NAME                                    IP
4
cilium-monitoring   Running   grafana-679cd8bff-w9xm9                 10.100.4.249
5
cilium-monitoring   Running   prometheus-87d4f66f7-6lmrz              10.100.3.238
6
default             Running   busybox                                 10.100.4.232
7
kube-system         Running   cilium-envoy-4sjq5                      10.88.12.63
8
kube-system         Running   cilium-envoy-64694                      10.88.12.60
9
kube-system         Running   cilium-envoy-fzjjw                      10.88.12.62
10
kube-system         Running   cilium-envoy-twtw6                      10.88.12.61
11
kube-system         Running   cilium-envoy-vwstr                      10.88.12.65
12
kube-system         Running   cilium-envoy-whck6                      10.88.12.64
13
kube-system         Running   cilium-fkjcm                            10.88.12.63
14
kube-system         Running   cilium-h75vq                            10.88.12.64
15
kube-system         Running   cilium-hcx4q                            10.88.12.61
16
kube-system         Running   cilium-jz44w                            10.88.12.65
17
kube-system         Running   cilium-operator-58d8755c44-hnwmd        10.88.12.60
18
kube-system         Running   cilium-operator-58d8755c44-xmg9f        10.88.12.65
19
kube-system         Running   cilium-qx5mn                            10.88.12.62
20
kube-system         Running   cilium-wqmzc                            10.88.12.60
21
kube-system         Running   coredns-6f44546d75-qnl9d                10.100.0.187
22
kube-system         Running   hubble-relay-7cd9d88674-2tdcc           10.100.3.64
23
kube-system         Running   hubble-ui-9f5cdb9bd-8fwsx               10.100.2.214
24
kube-system         Running   metrics-server-76cb66cbf9-xfbzq         10.100.5.187

Enter the busybox pod test network

1
koevn@k8s-master-01:~$ sudo kubectl exec -ti busybox -- sh
2
/ # ping 10.100.4.249
3
PING 10.100.4.249 (10.100.4.249): 56 data bytes
4
64 bytes from 10.100.4.249: seq=0 ttl=63 time=0.472 ms
5
64 bytes from 10.100.4.249: seq=1 ttl=63 time=0.063 ms
6
64 bytes from 10.100.4.249: seq=2 ttl=63 time=0.064 ms
7
64 bytes from 10.100.4.249: seq=3 ttl=63 time=0.062 ms
8

9
/ # ping 10.88.12.63
10
PING 10.88.12.63 (10.88.12.63): 56 data bytes
11
64 bytes from 10.88.12.63: seq=0 ttl=62 time=0.352 ms
12
64 bytes from 10.88.12.63: seq=1 ttl=62 time=0.358 ms
13
64 bytes from 10.88.12.63: seq=2 ttl=62 time=0.405 ms
14
64 bytes from 10.88.12.63: seq=3 ttl=62 time=0.314 ms

9. Install dashboard

9.1.0 Pull the dashboard installation package

1
koevn@k8s-master-01:~$ sudo helm repo add kubernetes-dashboard \
2
https://kubernetes.github.io/dashboard/
3

4
koevn@k8s-master-01:~$ sudo helm search repo \
5
kubernetes-dashboard/kubernetes-dashboard --versions   # View supported versions
6
NAME                                      CHART VERSION APP VERSION DESCRIPTION
7
kubernetes-dashboard/kubernetes-dashboard 7.0.0                     General-purpose web UI for Kubernetes clusters
8
kubernetes-dashboard/kubernetes-dashboard 6.0.8         v2.7.0      General-purpose web UI for Kubernetes clusters
9
kubernetes-dashboard/kubernetes-dashboard 6.0.7         v2.7.0      General-purpose web UI for Kubernetes clusters
10

11
koevn@k8s-master-01:~$ sudo helm pull kubernetes-dashboard/kubernetes-dashboard --version 6.0.8  # Specifying a version
12
koevn@k8s-master-01:~$ sudo tar xvf kubernetes-dashboard-*.tgz
13
koevn@k8s-master-01:~$ cd kubernetes-dashboard

Edit and modify the values.yaml file

1
image:
2
  repository: harbor.koevn.com/library/kubernetesui/dashboard   # Here I use a private warehouse
3
  tag: "v2.7.0"  # The default is empty, specify the version yourself

9.2.0 Deploy dashboard

1
koevn@k8s-master-01:~/kubernetes-dashboard$ cd ..
2
helm install dashboard kubernetes-dashboard/kubernetes-dashboard \
3
  --version 6.0.8 \
4
  --namespace kubernetes-dashboard \
5
  --create-namespace

9.3.0 Temp token

1
koevn@k8s-master-01:~$ cat > dashboard-user.yaml << EOF
2
apiVersion: v1
3
kind: ServiceAccount
4
metadata:
5
  name: admin-user
6
  namespace: kube-system
7
---
8
apiVersion: rbac.authorization.k8s.io/v1
9
kind: ClusterRoleBinding
10
metadata:
11
  name: admin-user
12
roleRef:
13
  apiGroup: rbac.authorization.k8s.io
14
  kind: ClusterRole
15
  name: cluster-admin
16
subjects:
17
- kind: ServiceAccount
18
  name: admin-user
19
  namespace: kube-system
20
EOF

Execute the application

1
koevn@k8s-master-01:~$ sudo kubectl apply -f dashboard-user.yaml

Create a temporary token

1
koevn@k8s-master-01:~$ sudo kubectl -n kube-system create token admin-user
2
eyJhbGciOiJSUzI1NiIsImtpZCI6IjRkV3lkZTU1dF9mazczemwwaUdxUElPWDZhejFyaDh2ZzRhZmN5RlN3T0EifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzUwOTExMzc1LCJpYXQiOjE3NTA5MDc3NzUsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwianRpIjoiMmQwZmViMzItNDJlNy00ODE0LWJmYjUtOGU5MTFhNWZhZDM2Iiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJhZG1pbi11c2VyIiwidWlkIjoiZmEwZGFhNjAtNWEzNC00NTFjLWFiYmUtNTQ2Y2EwOWVkNWQyIn19LCJuYmYiOjE3NTA5MDc3NzUsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbi11c2VyIn0.XbF8s70UTzrOnf8TrkyC7-3vdxLKQU1aQiCRGgRWyzh4e-A0uFgjVfQ17IrFsZEOVpE8H9ydNc3dZbP81apnGegeFZ42J7KmUkSUJnh5UbiKjmfWwK9ysoP-bba5nnq1uWB_iFR6r4vr6Q_B4-YyAn1DVy70VNaHrfyakyvpJ69L-5eH2jHXn68uizXdi4brf2YEAwDlmBWufeQqtPx7pdnF5HNMyt56oxQb2S2gNrgwLvb8WV2cIKE3DvjQYfcQeaufWK3gn0y-2h5-3z3r4084vHrXAYJRkPmOKy7Fh-DZ8t1g7icNfDRg4geI48WrMH2vOk3E_cpjRxS7dC5P9A

9.4.0 Creating a long-term token

1
koevn@k8s-master-01:~$ cat > dashboard-user-token.yaml << EOF
2
apiVersion: v1
3
kind: Secret
4
metadata:
5
  name: admin-user
6
  namespace: kube-system
7
  annotations:
8
    kubernetes.io/service-account.name: "admin-user"
9
type: kubernetes.io/service-account-token
10
EOF

Execute the application

1
koevn@k8s-master-01:~$ sudo kubectl apply -f dashboard-user-token.yaml

View token

1
koevn@k8s-master-01:~$ sudo kubectl get secret admin-user -n kube-system -o jsonpath={".data.token"} | base64 -d
2
eyJhbGciOiJSUzI1NiIsImtpZCI6IjRkV3lkZTU1dF9mazczemwwaUdxUElPWDZhejFyaDh2ZzRhZmN5RlN3T0EifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNzUwOTExNzM5LCJpYXQiOjE3NTA5MDgxMzksImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwianRpIjoiMmZmNTE5NGEtOTlkMC00MDJmLTljNWUtMGQxOTMyZDkxNjgwIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJhZG1pbi11c2VyIiwidWlkIjoiZmEwZGFhNjAtNWEzNC00NTFjLWFiYmUtNTQ2Y2EwOWVkNWQyIn19LCJuYmYiOjE3NTA5MDgxMzksInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbi11c2VyIn0.LJa37eblpk_OBWGqRgX2f_aCMiCrrpjY57dW8bskKUWu7ldLhgR6JIbICI0NVnvX4by3RX9v_FGnAPwU821VDp05oYT1KcTDXV1BC57G4QGL4kS9tBOrmRyXY0jxB8ETRmGx8ECiCJqNfrVdT99dm8oaFqJx1zq6jut70UwhxQCIh7C-QVqg6Gybbb3a9x25M2YvVHWStduN_swMOQxyQDBRtA0ARAyClu73o36pDCs_a56GizGspA4bvHpHPT-_y1i3EkeVjMsEl6JQ0PeJNQiM4fBvtJ2I_0kqoEHNMRYzZXEQNETXF9vqjkiEg7XBlKe1L2Ke1-xwK5ZBKFnPOg

Edit dashboard servers

1
koevn@k8s-master-01:~$ sudo kubectl edit svc -n kube-system kubernetes-dashboard
2
  type: NodePort

View the mapped ports

1
koevn@k8s-master-01:~$ sudo kubectl get svc kubernetes-dashboard -n kube-system
2
NAME                   TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
3
kubernetes-dashboard   NodePort   10.90.211.135   <none>        443:32744/TCP   5d

Browser access https://10.88.12.62:32744

Binary deployment of Kubernetes cluster version 1.33

https://huoshen.pages.dev/p/59d111d7/

Author

Koevn

Published at

June 23, 2025

License

CC BY-NC-SA 4.0

1.、env

1.1.0 Cluster env

1.2.0 Network

1.3.0 Software Version

2.Install the basic components of the Kubernetes cluster Master

2.1.0 Deploy containerd

2.1.1 Configuring crictl

2.2.0 Deploy etcd

2.2.1 Install etcd env

2.2.2 Generate etcd certificate

2.2.3 Create etcd configuration file

2.2.4 Each etcd node configures and starts the service

2.2.5 Check etcd status

2.3.0 Generate k8s related certificates

2.3.1 Generate k8s ca certificate

2.3.2 Generate apiserver certificate

2.3.3 Generate apiserver aggregate certificate

2.3.4 Generate controller-manage certificate

2.3.5 Generate kube-scheduler certificate

2.3.6 Generate admin certificate

2.3.7 Generate kube-proxy certificate (optional)

2.3.8 Create a ServiceAccount Key

2.3.9 View the number of k8s component certificates

2.3.10 Install kubernetes components and certificate distribution (all Master nodes)

2.4.0 Deploy Haproxy load balancing

2.4.1 Install Haproxy

2.4.2 Modify the haproxy configuration file

2.5.0 Configure apiserver service (all Master nodes)

2.6.0 Configure kube-controller-manager service (all Master nodes)

2.7.0 Configure kube-scheduler service (all Master nodes)

2.8.0 TLS Bootstrapping Configuration

3. Install the basic components of the Kubernetes cluster Worker

3.1.0 Required installation directory structure

3.2.0 Deploy kubelet service

3.3.0 Check the status of cluster nodes

3.4.0 View the Runtime version information of the cluster nodes

3.5.0 Deploy kube-proxy service (optional)

4. Installing the Cluster Network Plugin

4.1.0 Install Helm

4.2.0 Install cilium

5. Deployment monitoring panel

5.1.0 Creating a monitoring service

5.2.0 Change the cluster Services Type to NodePort

6. Install CoreDNS

6.1.0 Pull the CoreDNS installation package

7. Install Metrics Server

8. Verifying intra-cluster communication

8.1.0 Deploy a pod resource

8.2.0 Resolving NAMESPACE Services with pod

8.3.0 Each node tests the Kubernetes 443 and CoreDNS 53 ports

8.4.0 Test the network connectivity between Pods

9. Install dashboard

9.1.0 Pull the dashboard installation package

9.2.0 Deploy dashboard

9.3.0 Temp token

9.4.0 Creating a long-term token

9.5.0 Login dashboard