Published with 觅思文档专业版
# Shuangliu local k8s build
Configuration table

| ip | name | spec |
| --- | --- | --- |
| 10.2.8.111 | sl-k8s-master-01 | 4c8g |
| 10.2.8.112 | sl-k8s-master-02 | 4c8g |
| 10.2.8.113 | sl-k8s-master-03 | 4c8g |
| 10.2.8.114 | sl-k8s-node-01 | 8c16g |
| 10.2.8.115 | sl-k8s-node-02 | 8c16g |
| 10.2.8.116 | sl-k8s-node-03 | 8c16g |

## Building the highly available load balancer

After some thought, reusing the previous keepalived + haproxy setup is the most convenient option. I asked an AI why people pick haproxy rather than nginx for this: haproxy does layer-4 load balancing better, and it does only that, so haproxy is the better choice.

### Install docker

```shell
sudo apt remove docker docker-engine docker.io containerd runc
sudo apt update && sudo apt upgrade -y
sudo apt install -y ca-certificates curl gnupg lsb-release
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
sudo systemctl enable docker.service
sudo systemctl enable containerd.service
```

### haproxy

```shell
mkdir /etc/haproxy
```

/etc/haproxy/haproxy.cfg:

```
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

# Layer-4 frontend for the kube-apiserver; the keepalived VIP 10.2.8.110:9443 is the cluster endpoint
frontend kube-apiserver
    mode tcp
    bind *:9443
    option tcplog
    default_backend kube-apiserver

# Stats page: bound on every interface, so replace admin:password with your own credential and restrict who can reach port 8888
listen stats
    mode http
    bind *:8888
    stats auth admin:password
    stats refresh 5s
    stats realm HAProxy\ Statistics
    stats uri /stats
    log 127.0.0.1 local3 err

backend kube-apiserver
    mode tcp
    balance roundrobin
    server k8s-master1 10.2.8.111:6443 check
    server k8s-master2 10.2.8.112:6443 check
    server k8s-master3 10.2.8.113:6443 check
```

```shell
docker run -d --name k8s-haproxy \
  --net=host \
  --restart=always \
  -v /etc/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro \
  harbor.tqsys.cn/public/haproxy-debian:2.3
```

### keepalived

Only masters 1 and 2 run keepalived and hold the VIP; master 3 is only an haproxy backend.

```shell
mkdir /etc/keepalived
```

/etc/keepalived/keepalived.conf on master 1 (10.2.8.111):

```
! Configuration File for keepalived
global_defs {
    router_id LVS_1
}
vrrp_script checkhaproxy {
    script "/usr/bin/check-haproxy.sh"
    interval 2
    weight -30
}
vrrp_instance VI_1 {
    state MASTER
    interface ens34
    virtual_router_id 51
    priority 100
    advert_int 1
    # unicast configuration
    unicast_peer {
        10.2.8.112
    }
    virtual_ipaddress {
        10.2.8.110/24 dev ens34
    }
    authentication {
        auth_type PASS
        # PASS authentication travels in clear text on the LAN; use a value of your own rather than the literal "password"
        auth_pass password
    }
    track_script {
        checkhaproxy
    }
}
```

/etc/keepalived/keepalived.conf on master 2 (10.2.8.112):

```
! Configuration File for keepalived
global_defs {
    router_id LVS_2
}
vrrp_script checkhaproxy {
    script "/usr/bin/check-haproxy.sh"
    interval 2
    weight -30
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens34
    virtual_router_id 51
    priority 90
    advert_int 1
    # unicast configuration
    unicast_peer {
        10.2.8.111
    }
    virtual_ipaddress {
        10.2.8.110/24 dev ens34
    }
    authentication {
        auth_type PASS
        auth_pass password
    }
    track_script {
        checkhaproxy
    }
}
```

Create the health check script that keepalived runs every 2 seconds (the file is mounted into the container as /usr/bin/check-haproxy.sh):

```shell
cat > /etc/keepalived/check-haproxy.sh <<'EOF'
#!/bin/bash
# Exit non-zero (VRRP priority drops by 30) when haproxy is not listening on 9443
count=$(netstat -lnt | grep -c ':9443[[:space:]]')
if [ "$count" -gt 0 ]; then
    exit 0
else
    exit 1
fi
EOF
chmod +x /etc/keepalived/check-haproxy.sh
```

Start keepalived:

```shell
docker run -d --name k8s-keepalived \
  --restart=always \
  --net=host \
  --cap-add=NET_ADMIN --cap-add=NET_BROADCAST --cap-add=NET_RAW \
  -v /etc/keepalived/keepalived.conf:/container/service/keepalived/assets/keepalived.conf \
  -v /etc/keepalived/check-haproxy.sh:/usr/bin/check-haproxy.sh \
  harbor.tqsys.cn/public/keepalived:2.0.20 --copy-service
```

## Building k8s: system tuning

```shell
# The heredocs below write under /etc, so run this as root (the sudo prefixes are then redundant)
# Disable the swap partition (in fstab and for the running system; kubelet refuses to start with swap on)
sudo sed -i '/swap/s/^\(.*\)$/#\1/g' /etc/fstab
sudo swapoff -a
# Kernel parameters: create /etc/sysctl.d/k8s.conf
cat > /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness = 0
EOF
# Load the kernel modules (br_netfilter must be loaded before the bridge sysctls can be applied)
sudo modprobe overlay
sudo modprobe br_netfilter
# Persist the modules: create /etc/modules-load.d/k8s.conf
cat > /etc/modules-load.d/k8s.conf <<EOF
overlay
br_netfilter
EOF
# Apply the settings
sysctl -p /etc/sysctl.d/k8s.conf
# Time zone and clock synchronisation
sudo timedatectl set-timezone Asia/Shanghai   # adjust the time zone as needed
sudo apt install chrony -y
sudo systemctl enable --now chrony
# Raise the open-file and process limits in /etc/security/limits.conf
cat >> /etc/security/limits.conf <<EOF
* soft nofile 65535
* hard nofile 65535
* soft nproc 65535
* hard nproc 65535
EOF
# Disable transparent huge pages (THP): append transparent_hugepage=never to GRUB_CMDLINE_LINUX in /etc/default/grub
# and regenerate grub.cfg (takes effect after a reboot)
sudo sed -i 's/^GRUB_CMDLINE_LINUX="\(.*\)"/GRUB_CMDLINE_LINUX="\1 transparent_hugepage=never"/' /etc/default/grub
sudo update-grub
# Configure IPVS (optional, improves Service performance)
sudo apt install -y ipset ipvsadm
sudo modprobe ip_vs
sudo modprobe ip_vs_rr
sudo modprobe ip_vs_wrr
sudo modprobe ip_vs_sh
sudo modprobe nf_conntrack
# Persist the modules: create /etc/modules-load.d/ipvs.conf
cat > /etc/modules-load.d/ipvs.conf <<EOF
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
EOF
```

### containerd configuration

```shell
# Generate the default containerd config
sudo mkdir -p /etc/containerd
containerd config default | sudo tee /etc/containerd/config.toml
# Switch runc to the systemd cgroup driver. If this step is forgotten the pods keep restarting
# and the cause is hard to find; SystemdCgroup must be true
sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
# Pull the pause image from the domestic mirror
sudo sed -i 's#registry.k8s.io#registry.aliyuncs.com/google_containers#g' /etc/containerd/config.toml
cat > /etc/crictl.yaml <<EOF
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF
systemctl restart containerd
```

### Install kubeadm

```shell
apt-get update && apt-get install -y apt-transport-https
curl -fsSL https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.30/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.30/deb/ /" | tee /etc/apt/sources.list.d/kubernetes.list
apt-get update
apt-cache madison kubeadm | grep 1.30
apt-get install -y kubelet=1.30.12-1.1 kubeadm=1.30.12-1.1 kubectl=1.30.12-1.1
# Keep apt upgrade from moving these versions
apt-mark hold kubelet kubeadm kubectl
```

### Initialise the first master (10.2.8.111)

```shell
sudo kubeadm init \
  --control-plane-endpoint=10.2.8.110:9443 \
  --apiserver-advertise-address=10.2.8.111 \
  --pod-network-cidr=10.188.0.0/16 \
  --service-cidr=10.199.0.0/16 \
  --image-repository registry.cn-hangzhou.aliyuncs.com/google_containers \
  --cri-socket unix:///run/containerd/containerd.sock \
  --upload-certs
```

The end of the kubeadm init output (the token and certificate key below are the ones this cluster printed; the certificate key is deleted after two hours and the bootstrap token expires after 24 hours by default):

```
You can now join any number of the control-plane node running the following command on each as root:

  kubeadm join 10.2.8.110:9443 --token yrgunw.23jcjh5puvvugbz6 \
    --discovery-token-ca-cert-hash sha256:a0ed4fde64a2fd60c1815535feb9a50ad5006fcbe55e913a9fa4f1ce84101ca0 \
    --control-plane --certificate-key 72c298551b025590f5123de51b80d511b32cb9f7711e57bf2dca3a3ea19e9092

Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 10.2.8.110:9443 --token yrgunw.23jcjh5puvvugbz6 \
    --discovery-token-ca-cert-hash sha256:a0ed4fde64a2fd60c1815535feb9a50ad5006fcbe55e913a9fa4f1ce84101ca0 \
    --cri-socket unix:///run/containerd/containerd.sock
```

### Join the other masters

Master 2 (10.2.8.112):

```shell
sudo kubeadm join 10.2.8.110:9443 \
  --token yrgunw.23jcjh5puvvugbz6 \
  --discovery-token-ca-cert-hash sha256:a0ed4fde64a2fd60c1815535feb9a50ad5006fcbe55e913a9fa4f1ce84101ca0 \
  --control-plane \
  --certificate-key 72c298551b025590f5123de51b80d511b32cb9f7711e57bf2dca3a3ea19e9092 \
  --apiserver-advertise-address=10.2.8.112 \
  --cri-socket unix:///run/containerd/containerd.sock
```

Master 3 (10.2.8.113):

```shell
sudo kubeadm join 10.2.8.110:9443 \
  --token yrgunw.23jcjh5puvvugbz6 \
  --discovery-token-ca-cert-hash sha256:a0ed4fde64a2fd60c1815535feb9a50ad5006fcbe55e913a9fa4f1ce84101ca0 \
  --control-plane \
  --certificate-key 72c298551b025590f5123de51b80d511b32cb9f7711e57bf2dca3a3ea19e9092 \
  --apiserver-advertise-address=10.2.8.113 \
  --cri-socket unix:///run/containerd/containerd.sock
```

## Joining the worker nodes

```shell
# Initialise the system exactly as on the masters (tuning, containerd config, kubeadm packages)
sudo apt update && sudo apt upgrade -y
sudo apt install -y containerd.io
kubeadm join 10.2.8.110:9443 --token yrgunw.23jcjh5puvvugbz6 \
  --discovery-token-ca-cert-hash sha256:a0ed4fde64a2fd60c1815535feb9a50ad5006fcbe55e913a9fa4f1ce84101ca0 \
  --cri-socket unix:///run/containerd/containerd.sock
# Join with a second token (bootstrap tokens expire after 24h by default;
# `kubeadm token create --print-join-command` on a master prints a fresh join command)
kubeadm join 10.2.8.110:9443 --token gjo40y.rczdbd33uqashuoh --discovery-token-ca-cert-hash sha256:a0ed4fde64a2fd60c1815535feb9a50ad5006fcbe55e913a9fa4f1ce84101ca0 --cri-socket unix:///run/containerd/containerd.sock
```

### Network plugin and ingress

```shell
# Install calico (on kubeadm clusters Calico picks up the pod CIDR from the cluster configuration)
curl https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico.yaml -O
kubectl apply -f calico.yaml
# Set up ingress-nginx
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/cloud/deploy.yaml
kubectl apply -f deploy.yaml
# Remove the admission webhook. This disables validation of Ingress objects on create/update,
# so a broken Ingress rule is only noticed when the controller fails to reload its config
kubectl delete validatingwebhookconfigurations ingress-nginx-admission
```
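The settings written above (sysctl keys, swap, SystemdCgroup, the haproxy stats page) are easy to get half-applied, which is exactly the "pods keep restarting" failure the containerd step warns about. The following preflight script is an added example, not part of the original page; each check takes a file path so it can be run against the live node or against copies of the files, and the haproxy check flags the stats listener exactly as it is configured in this document.

```shell
#!/bin/bash
# Added example (not from the original page): preflight checks for the node
# tuning, containerd and haproxy settings described above. Each check prints
# one line per finding and returns non-zero when something is wrong.

# 1. /etc/sysctl.d/k8s.conf must carry the four keys written above
check_sysctl_file() {
    local f="$1" rc=0 kv key val esc
    for kv in net.bridge.bridge-nf-call-iptables=1 net.bridge.bridge-nf-call-ip6tables=1 \
              net.ipv4.ip_forward=1 vm.swappiness=0; do
        key=${kv%%=*}; val=${kv#*=}
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape the dots for the regex
        grep -Eq "^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*${val}[[:space:]]*$" "$f" 2>/dev/null \
            || { echo "MISSING: $key = $val in $f"; rc=1; }
    done
    return $rc
}

# 2. No active (uncommented) swap line may remain in fstab; kubelet refuses to start with swap on
check_fstab_swap() {
    if grep -Eq '^[^#].*[[:space:]]swap[[:space:]]' "$1" 2>/dev/null; then
        echo "ACTIVE swap entry in $1"; return 1
    fi
}

# 3. containerd must use the systemd cgroup driver (the "pods keep restarting" step)
check_containerd_cgroup() {
    grep -Eq '^[[:space:]]*SystemdCgroup[[:space:]]*=[[:space:]]*true' "$1" 2>/dev/null \
        || { echo "SystemdCgroup is not true in $1"; return 1; }
}

# 4. haproxy.cfg: the stats page above is bound on every interface with a default-looking credential
check_haproxy_cfg() {
    local rc=0
    grep -Eq '^[[:space:]]*stats auth admin:password' "$1" 2>/dev/null \
        && { echo "WEAK: stats auth admin:password in $1"; rc=1; }
    grep -Eq '^[[:space:]]*bind \*:8888' "$1" 2>/dev/null \
        && { echo "EXPOSED: stats listener bound on all interfaces in $1"; rc=1; }
    return $rc
}

# Run every check against the live files: bash preflight.sh --live
preflight() {
    local rc=0
    check_sysctl_file /etc/sysctl.d/k8s.conf || rc=1
    check_fstab_swap /etc/fstab || rc=1
    check_containerd_cgroup /etc/containerd/config.toml || rc=1
    check_haproxy_cfg /etc/haproxy/haproxy.cfg || rc=1
    return $rc
}
if [ "${1:-}" = "--live" ]; then preflight; fi
```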
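The join commands above carry three values with different sensitivity: the bootstrap token (its secret half authenticates the node), the CA hash (which pins the cluster CA so the node only trusts the real API server behind the VIP) and the certificate key (which, as the kubeadm output says, unlocks the cluster's private keys). This added example, not from the original page, checks that a join command has all the parts kubeadm generates before it is run, and redacts the secrets before the command is pasted into a document like this one. H64 and SAMPLE_JOIN are constructed placeholders, not this cluster's real values.

```shell
#!/bin/bash
# Added example (not from the original page): sanity-check a kubeadm join command
# before running it, and redact its secrets before pasting it into a doc or ticket.
# H64 and SAMPLE_JOIN are constructed placeholders, not this cluster's real values.
H64=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SAMPLE_JOIN="kubeadm join 10.2.8.110:9443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:${H64} --control-plane --certificate-key ${H64} \
--cri-socket unix:///run/containerd/containerd.sock"

# Value of one --flag (either "--flag value" or "--flag=value"), empty when absent
join_flag() {
    printf '%s\n' "$1" | grep -oE -e "--$2[= ][^ ]+" | head -n1 | sed -E 's/^[^= ]+[= ]//'
}

# Non-zero if the command would join without a pinned CA hash, or if the token,
# hash or certificate-key do not have the shape kubeadm generates.
validate_join_cmd() {
    local cmd="$1" rc=0 tok hash key
    tok=$(join_flag "$cmd" token)
    hash=$(join_flag "$cmd" discovery-token-ca-cert-hash)
    key=$(join_flag "$cmd" certificate-key)
    printf '%s' "$tok" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$' \
        || { echo "bad or missing bootstrap token"; rc=1; }
    # The hash pins the cluster CA; without it the node trusts whatever answers on the VIP
    printf '%s' "$hash" | grep -Eq '^sha256:[0-9a-f]{64}$' \
        || { echo "missing or malformed --discovery-token-ca-cert-hash"; rc=1; }
    case "$cmd" in
        *--discovery-token-unsafe-skip-ca-verification*) echo "CA verification is disabled"; rc=1;;
    esac
    if [ -n "$key" ]; then
        printf '%s' "$key" | grep -Eq '^[0-9a-f]{64}$' || { echo "malformed --certificate-key"; rc=1; }
        case "$cmd" in *--control-plane*) ;; *) echo "--certificate-key without --control-plane"; rc=1;; esac
    fi
    return $rc
}

# Keep the public token id (before the dot); hide the token secret and the certificate key
redact_join_cmd() {
    printf '%s\n' "$1" | sed -E \
        -e 's/(--token[= ][a-z0-9]{6}\.)[a-z0-9]{16}/\1<REDACTED>/' \
        -e 's/(--certificate-key[= ])[0-9a-f]{64}/\1<REDACTED>/'
}

# Demo on the constructed sample: bash join-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    validate_join_cmd "$SAMPLE_JOIN" && redact_join_cmd "$SAMPLE_JOIN"
fi
```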
杨超
29 August 2025, 15:49