Building a Highly Available Kubernetes Cluster from Scratch: A Hands-on Guide to Binary Deployment of v1.35.0

张开发
2026/5/22 21:12:48 · 15 min read
## 1. Environment preparation and system configuration

Before deploying the Kubernetes cluster, make sure every node has a consistent runtime environment. This guide uses CentOS 7 as the example; the commands may need adjusting on other Linux distributions.

### 1.1 Basic system configuration

Run the following on all nodes first:

```bash
# Disable the firewall
systemctl disable --now firewalld
# Disable SELinux
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
# Disable swap
swapoff -a
sed -ri 's/.*swap.*/#&/' /etc/fstab
# Set up time synchronisation
yum install -y chrony
systemctl enable --now chronyd
```

### 1.2 Kernel parameter tuning

Kubernetes has specific requirements for Linux kernel parameters; adjust the following:

```bash
# The net.bridge.* keys only exist once the br_netfilter module is loaded
modprobe br_netfilter
cat > /etc/sysctl.d/k8s.conf <<EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
fs.may_detach_mounts = 1
vm.overcommit_memory = 1
fs.file-max = 52706963
net.netfilter.nf_conntrack_max = 2310720
EOF
sysctl --system
```

### 1.3 Installing basic tools

All nodes need the following tool packages:

```bash
yum install -y wget vim net-tools nfs-utils telnet yum-utils device-mapper-persistent-data lvm2 git
```

## 2. Installing the container runtime

Kubernetes supports several container runtimes; this guide installs containerd.

### 2.1 Installing containerd

```bash
# Download containerd
wget https://github.com/containerd/containerd/releases/download/v1.6.8/containerd-1.6.8-linux-amd64.tar.gz
tar Cxzvf /usr/local containerd-1.6.8-linux-amd64.tar.gz

# Create the systemd service
cat > /etc/systemd/system/containerd.service <<EOF
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target

[Service]
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Delegate=yes
KillMode=process
Restart=always
LimitNOFILE=infinity

[Install]
WantedBy=multi-user.target
EOF

# Start containerd
systemctl daemon-reload
systemctl enable --now containerd
```

### 2.2 Configuring the CNI plugins

```bash
wget https://github.com/containernetworking/plugins/releases/download/v1.1.1/cni-plugins-linux-amd64-v1.1.1.tgz
mkdir -p /opt/cni/bin
tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.1.1.tgz
```

## 3. Installing the Kubernetes components

### 3.1 Downloading the Kubernetes binaries

Run on the master01 node:

```bash
wget https://dl.k8s.io/v1.25.0/kubernetes-server-linux-amd64.tar.gz
tar -xzf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin
cp kube-apiserver kube-controller-manager kube-scheduler kubectl kubelet kube-proxy /usr/local/bin/
```

### 3.2 Distributing the components to the other nodes

```bash
# Control-plane nodes get every component
for NODE in k8s-master02 k8s-master03; do
  scp /usr/local/bin/kube* $NODE:/usr/local/bin/
done
# Worker nodes only need kubelet and kube-proxy
for NODE in k8s-node01 k8s-node02; do
  scp /usr/local/bin/kubelet /usr/local/bin/kube-proxy $NODE:/usr/local/bin/
done
```

## 4. Certificate generation and configuration

### 4.1 Installing the cfssl tools

```bash
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssl_1.6.3_linux_amd64 -O /usr/local/bin/cfssl
wget https://github.com/cloudflare/cfssl/releases/download/v1.6.3/cfssljson_1.6.3_linux_amd64 -O /usr/local/bin/cfssljson
chmod +x /usr/local/bin/cfssl*
```

### 4.2 Generating the CA certificate

```bash
mkdir -p /etc/kubernetes/pki

cat > ca-config.json <<EOF
{
  "signing": {
    "default": { "expiry": "87600h" },
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "87600h"
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
  "CN": "Kubernetes",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "Beijing", "L": "Beijing", "O": "Kubernetes", "OU": "CA" }
  ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare /etc/kubernetes/pki/ca
```

## 5. Deploying the high-availability layer

### 5.1 Using HAProxy + Keepalived

Install HAProxy and Keepalived on all master nodes:

```bash
yum install -y haproxy keepalived
```

Configure HAProxy:

```bash
cat > /etc/haproxy/haproxy.cfg <<EOF
global
    log 127.0.0.1 local0
    maxconn 2000
    daemon

defaults
    log global
    mode tcp
    timeout connect 5s
    timeout client 50s
    timeout server 50s

frontend k8s-api
    bind *:9443
    default_backend k8s-api-servers

backend k8s-api-servers
    balance roundrobin
    server k8s-master01 192.168.1.31:6443 check
    server k8s-master02 192.168.1.32:6443 check
    server k8s-master03 192.168.1.33:6443 check
EOF
```

Configure Keepalived (master01 node):

```bash
cat > /etc/keepalived/keepalived.conf <<EOF
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight 2
}

vrrp_instance VI_1 {
    interface eth0
    state MASTER
    virtual_router_id 51
    priority 100
    virtual_ipaddress {
        192.168.1.36
    }
    track_script {
        chk_haproxy
    }
}
EOF
```

## 6. Deploying the core components

### 6.1 Deploying the etcd cluster

Configure etcd on all master nodes:

```bash
cat > /etc/etcd/etcd.config.yml <<EOF
name: $(hostname -s)
EOF
```

### 6.2 Configuring kube-apiserver

```bash
cat > /etc/kubernetes/apiserver <<EOF
KUBE_API_ARGS="--etcd-servers=https://192.168.1.31:2379,https://192.168.1.32:2379,https://192.168.1.33:2379 \\
  --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt \\
  --etcd-certfile=/etc/kubernetes/pki/etcd/server.crt \\
  --etcd-keyfile=/etc/kubernetes/pki/etcd/server.key \\
  --client-ca-file=/etc/kubernetes/pki/ca.crt \\
  --tls-cert-file=/etc/kubernetes/pki/apiserver.crt \\
  --tls-private-key-file=/etc/kubernetes/pki/apiserver.key \\
  --service-cluster-ip-range=10.96.0.0/12 \\
  --service-node-port-range=30000-32767 \\
  --enable-admission-plugins=NodeRestriction \\
  --authorization-mode=Node,RBAC"
EOF
```

## 7. Installing the network plugin

### 7.1 Installing the Calico network plugin

```bash
kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
```

### 7.2 Verifying the network status

```bash
kubectl get pods -n kube-system -l k8s-app=calico-node
kubectl get pods -n kube-system -l k8s-app=calico-kube-controllers
```

## 8. Cluster verification and testing

### 8.1 Verifying node status

```bash
kubectl get nodes
kubectl get cs
```

### 8.2 Deploying a test application

```bash
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port=80 --type=NodePort
kubectl get svc nginx
```

## 9. Cluster maintenance and scaling

### 9.1 Adding a new node

1. Complete the environment preparation on the new node
2. Install the container runtime
3. Install kubelet and kube-proxy
4. Join the cluster

### 9.2 Certificate rotation

```bash
kubeadm alpha certs renew all
```

## 10. Recommendations for production

- Enable cluster audit logging
- Configure sensible resource quotas and limits
- Set Pod security policies
- Back up etcd data regularly
- Monitor cluster health

In my own deployments I have found that, although binary deployment involves many tedious steps, it gives a much deeper understanding of how each Kubernetes component works. When troubleshooting in particular, this deployment method provides a clearer diagnostic path. I recommend validating thoroughly in a test environment before applying it to production.
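As an added check that is not part of the original post, the script below parses a `KUBE_API_ARGS` file in the format used in section 6 and reports whether the settings sections 6 and 10 depend on are present: Node,RBAC authorization, the NodeRestriction admission plugin, a client CA, an etcd CA, and an audit log path. The sample input is constructed from the configuration above; `--audit-log-path` and `--audit-policy-file` are real kube-apiserver flags that the original configuration does not set.

```python
import re

# Constructed sample: the kube-apiserver argument file from section 6, as the
# heredoc writes it (one flag per backslash-continued line, no audit flags).
SAMPLE_APISERVER_FILE = r'''
KUBE_API_ARGS="--etcd-servers=https://192.168.1.31:2379,https://192.168.1.32:2379 \
  --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt \
  --client-ca-file=/etc/kubernetes/pki/ca.crt \
  --tls-cert-file=/etc/kubernetes/pki/apiserver.crt \
  --tls-private-key-file=/etc/kubernetes/pki/apiserver.key \
  --enable-admission-plugins=NodeRestriction \
  --authorization-mode=Node,RBAC"
'''


def parse_kube_api_args(text):
    """Return {flag: value} from a KUBE_API_ARGS="..." assignment.

    Backslash-newline continuations are joined first; a flag given without
    an explicit value maps to the empty string.
    """
    joined = re.sub(r"\\\n", " ", text)
    match = re.search(r'KUBE_API_ARGS=(".*?"|\S+)', joined, re.S)
    if not match:
        raise ValueError("no KUBE_API_ARGS assignment found")
    flags = {}
    for token in match.group(1).strip('"').split():
        name, _, value = token.partition("=")
        flags[name] = value
    return flags


def audit_apiserver_flags(flags):
    """Return findings for the hardening points this guide relies on."""
    findings = []
    modes = flags.get("--authorization-mode", "").split(",")
    if "RBAC" not in modes or "Node" not in modes:
        findings.append("--authorization-mode should include Node and RBAC")
    plugins = flags.get("--enable-admission-plugins", "").split(",")
    if "NodeRestriction" not in plugins:
        findings.append("NodeRestriction admission plugin is not enabled")
    if not flags.get("--client-ca-file"):
        findings.append("no --client-ca-file: client certificates cannot be verified")
    if not flags.get("--etcd-cafile"):
        findings.append("no --etcd-cafile: the etcd server certificate is not verified")
    if not flags.get("--audit-log-path"):
        findings.append("audit logging is off: set --audit-log-path and --audit-policy-file")
    return findings


if __name__ == "__main__":
    for finding in audit_apiserver_flags(parse_kube_api_args(SAMPLE_APISERVER_FILE)):
        print("FINDING:", finding)
```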
