Contents
- 1. Introduction and notes
- 2. Basic tuning
- 3. Deployment
1. Introduction and notes
- Background
BC-Linux for Euler, the China Mobile "Big Cloud" enterprise operating system, is an enterprise-grade Linux distribution built on the openEuler community OS and customized with the help of the open-source community. It is currently used mainly inside China Mobile and is the main platform for domestic-platform migration. This deployment uses BCLinux for Euler 21.10 and kubeadm to build a k8s 1.27.4 dual-stack environment (IPv6-primary).
1.1 Host information
Hostname | Kernel version | IPv4 address | IPv6 address | Role |
---|---|---|---|---|
bclinux-11 | 4.19.90-2107 | 172.168.80.11 | 1:2:3:4::11 | master |
bclinux-12 | 4.19.90-2107 | 172.168.80.12 | 1:2:3:4::12 | master |
bclinux-13 | 4.19.90-2107 | 172.168.80.13 | 1:2:3:4::13 | node |
1.2 Components and planning
Component | Description | Plan | Recommendation |
---|---|---|---|
nginx | Not needed for a single-node k8s; in a cluster it load-balances the api-servers | Deployed on both master nodes | With several masters, any two or three will do |
keepalived | Not needed for a single-node k8s; in a cluster it provides high availability for nginx | As above | As above |
docker | Runs the containers | All nodes | |
cri-dockerd | Since k8s 1.24 the dockershim interface for calling docker is no longer maintained, so docker is called through cri-dockerd | All nodes | |
containerd | Another component that runs containers; pick either docker or containerd, both work | All nodes | |
kubectl | The k8s command-line tool used to manage the cluster | Master nodes | Master nodes |
kubeadm | A k8s toolbox that creates a cluster and joins nodes to it | All nodes | |
kubelet | Runs on every node; manages the containers and pods on the node and monitors pods and the node | All nodes | |
kube-proxy | Runs on every node; maintains service connectivity and the load-balancing mechanism | All nodes, as a container | |
kube-scheduler | Runs on master nodes; the k8s scheduler that assigns pods to suitable nodes | Master nodes, as a container | |
kube-controller-manager | Runs on master nodes; the k8s controllers that manage pod replica counts, image versions and so on | Master nodes, as a container | |
kube-apiserver | Runs on master nodes; the k8s front door through which every component communicates | Master nodes, as a container | |
coredns | Runs on any node; the in-cluster DNS service that resolves internal svc names and can also forward to external DNS servers | Any k8s node, as a container | |
etcd | Can be built-in or external; the k8s database in which all cluster data is stored | As a container, or deployed separately | Built-in for a single node, self-deployed for a cluster |
CNI-calico | The k8s network service; cross-host pod communication is provided by the CNI network | All nodes, as a container | |
metrics-server | Shows pod and node resource usage | Any k8s node, as a container | |
2. Basic tuning
2.1 Enable IPv6
- Check whether IPv6 is supported
[root@bclinux-11 ~]# cat /proc/net/if_inet6 # any output means IPv6 is supported
[root@bclinux-11 ~]# grep ipv6 /etc/sysctl.conf
# enable ipv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
- Configure IPv6
[root@bclinux-11 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens160
DEVICE=ens160
ONBOOT=yes
IPADDR=172.168.80.11
PREFIX=24
GATEWAY=172.168.80.2
DNS1=114.114.114.114
IPV6_PRIVACY=no
IPV6ADDR=1:2:3:4::11/64
IPV6_DEFAULTGW=1:2:3:4::2
[root@bclinux-11 ~]# ip a show ens160 # check that the IPv6 address is present
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:16:ba:aa brd ff:ff:ff:ff:ff:ff
inet 172.168.80.11/24 brd 172.168.80.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 1:2:3:4::11/64 scope global noprefixroute
valid_lft forever preferred_lft forever
2.2 Raise the maximum number of open files
[root@bclinux-11 ~]# egrep -v '^#|^$' /etc/security/limits.conf
* soft nofile 655350
* hard nofile 655350
2.3 Configure hosts resolution
[root@bclinux-11 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
1:2:3:4::11 bclinux-11
1:2:3:4::12 bclinux-12
1:2:3:4::13 bclinux-13
172.168.80.11 bclinux-11
172.168.80.12 bclinux-12
172.168.80.13 bclinux-13
2.4 Kernel parameter tuning
[root@bclinux-11 ~]# cat /etc/sysctl.d/k8s.conf
# ipv6 settings
net.ipv6.conf.all.forwarding = 1
net.bridge.bridge-nf-call-ip6tables = 1
# ipv4 settings (the net.bridge.* keys only exist once the br_netfilter module is loaded: modprobe br_netfilter before sysctl --system)
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.forwarding = 1
2.5 Disable SELinux
[root@bclinux-11 ~]# sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config && setenforce 0 # anchor on the SELINUX= line so the explanatory comments in the file are left alone
2.6 Firewall
- Disable the firewall
- Or configure firewall rules that open the k8s ports, or allow unrestricted traffic between the node hosts
2.7 IPVS support
- Check whether IPVS is loaded
[root@bclinux-11 ~]# lsmod | grep ip_vs # output means the modules are loaded, no output means they are not
- Load IPVS
[root@bclinux-11 ~]# cat >/etc/sysconfig/modules/ipvs.modules <<-"EOF"
#!/bin/bash
# load every IPVS module shipped with the running kernel
ipvs_mods_dir="/usr/lib/modules/$(uname -r)/kernel/net/netfilter/ipvs"
for mod in $(ls "$ipvs_mods_dir" | grep -o "^[^.]*"); do
  if /sbin/modinfo -F filename "$mod" &>/dev/null; then
    /sbin/modprobe "$mod"
  fi
done
EOF
[root@bclinux-11 ~]# chmod 755 /etc/sysconfig/modules/ipvs.modules && /etc/sysconfig/modules/ipvs.modules # chmod, not chown: the script has to be executable
- Check
[root@bclinux-11 ~]# lsmod | grep ip_vs
ip_vs_wrr 16384 0
ip_vs_wlc 16384 0
ip_vs_sh 16384 0
ip_vs_sed 16384 0
ip_vs_rr 16384 0
ip_vs_pe_sip 16384 0
nf_conntrack_sip 32768 1 ip_vs_pe_sip
ip_vs_ovf 16384 0
ip_vs_nq 16384 0
ip_vs_lc 16384 0
ip_vs_lblcr 16384 0
ip_vs_lblc 16384 0
ip_vs_ftp 16384 0
ip_vs_fo 16384 0
ip_vs_dh 16384 0
ip_vs 172032 28 ip_vs_wlc,ip_vs_rr,ip_vs_dh,ip_vs_lblcr,ip_vs_sh,ip_vs_ovf,ip_vs_fo,ip_vs_nq,ip_vs_lblc,ip_vs_pe_sip,ip_vs_wrr,ip_vs_lc,ip_vs_sed,ip_vs_ftp
nf_nat 36864 3 nf_nat_ipv6,nf_nat_ipv4,ip_vs_ftp
nf_conntrack 163840 6 xt_conntrack,nf_nat,nf_nat_ipv6,nf_nat_ipv4,nf_conntrack_sip,ip_vs
nf_defrag_ipv6 20480 2 nf_conntrack,ip_vs
libcrc32c 16384 3 nf_conntrack,nf_nat,ip_vs
2.8 Kernel version requirements
- Kernel version with a known problem: 3.10.0-957.el7.x86_64
- System versions with a known problem: CentOS releases before 7.6
- Symptom: after deployment every component works and pods can be created, but once a service is created its name cannot be pinged from inside a pod, neither in the same namespace nor across namespaces
- The kernel in use here is 4.19, so no upgrade is needed
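The tuning in sections 2.1 to 2.8 is easy to get wrong on one node out of three (a sysctl key not applied, an IPVS module that did not load, the wrong kernel). The script below is an added example and not part of the original article: it checks the values the article sets, taking its input as text so it can be run against saved `sysctl -a`, `lsmod` and `uname -r` dumps or, with `--live`, against the running host. The sample inputs at the bottom are constructed for the example, not captured from a real host; the module list is the subset that kube-proxy in ipvs mode depends on, all of which appear in the lsmod output above.

```shell
#!/bin/sh
# Added example (not part of the original article): offline preflight checks for the
# host tuning in sections 2.1-2.8. Every check takes its input as text, so it can run
# against a saved "sysctl -a" / "lsmod" / "uname -r" dump, or against the live host via
# "sh preflight.sh --live" (the script name is an assumption).

# sysctl keys and values the article sets in /etc/sysctl.conf and /etc/sysctl.d/k8s.conf
REQUIRED_SYSCTL='net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.all.forwarding=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0'

# the IPVS modules kube-proxy in ipvs mode depends on (all present in the lsmod output of 2.7)
REQUIRED_MODULES='ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack'

# kernel version named in 2.8 as having the service-name resolution problem
KNOWN_BAD_KERNEL='3.10.0-957'

# check_sysctl LISTING: LISTING holds "key = value" lines (the sysctl -a format).
# Prints every required key that is missing or wrong; returns 0 only if all match.
check_sysctl() {
  listing=$1; rc=0
  for pair in $REQUIRED_SYSCTL; do
    key=${pair%%=*}; want=${pair#*=}
    have=$(printf '%s\n' "$listing" | sed 's/[[:space:]]*=[[:space:]]*/=/' |
           awk -F= -v k="$key" '$1 == k { print $2; exit }')
    if [ "$have" != "$want" ]; then
      echo "sysctl $key: want $want, have ${have:-<missing>}"; rc=1
    fi
  done
  return $rc
}

# check_modules LSMOD_OUTPUT: returns 0 if every required module appears in column 1.
check_modules() {
  lsmod_out=$1; rc=0
  for m in $REQUIRED_MODULES; do
    if ! printf '%s\n' "$lsmod_out" | awk -v m="$m" '$1 == m { found = 1 } END { exit !found }'; then
      echo "kernel module $m is not loaded"; rc=1
    fi
  done
  return $rc
}

# check_kernel VERSION: returns 1 for the known-problem kernel family, 0 otherwise.
check_kernel() {
  case $1 in
    "$KNOWN_BAD_KERNEL"*) echo "kernel $1 has the known service-name resolution problem"; return 1 ;;
    *) return 0 ;;
  esac
}

# check_ipv6 IF_INET6_CONTENT: /proc/net/if_inet6 must be non-empty (section 2.1).
check_ipv6() {
  [ -n "$1" ] && return 0
  echo "IPv6 is not enabled (/proc/net/if_inet6 is empty)"; return 1
}

# Run every check against the running host; intended to be run as root on each node.
preflight_live() {
  failed=0
  check_ipv6 "$(cat /proc/net/if_inet6 2>/dev/null)" || failed=1
  check_sysctl "$(sysctl -a 2>/dev/null)" || failed=1
  check_modules "$(lsmod)" || failed=1
  check_kernel "$(uname -r)" || failed=1
  return $failed
}

# Constructed sample inputs (not captured from a real host): rp_filter is still 1 and
# ip_vs_sh is missing, so check_sysctl and check_modules both report a problem.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.all.forwarding = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1'
SAMPLE_LSMOD='Module                  Size  Used by
ip_vs_wrr              16384  0
ip_vs_rr               16384  0
ip_vs                 172032  6 ip_vs_rr,ip_vs_wrr
nf_conntrack          163840  2 nf_nat,ip_vs'

if [ "${1:-}" = "--live" ]; then
  preflight_live
fi
```

Run it on every node before `kubeadm init` or `kubeadm join`; a non-zero exit with the printed key or module name tells you which of the steps above did not take effect on that host.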
2.9 yum repository configuration
[root@bclinux-11 ~]# ls /etc/yum.repos.d/
BCLinux.repo centos8.repo docker-ce.repo kubernetes.repo
# BC-Linux repo
[root@bclinux-11 ~]# cat /etc/yum.repos.d/BCLinux.repo
[baseos]
name=BC-Linux-release - baseos
baseurl=http://mirrors.bclinux.org/bclinux/oe21.10/OS/$basearch/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-BCLinux-For-Euler
[everything]
name=BC-Linux-release - everything
baseurl=http://mirrors.bclinux.org/bclinux/oe21.10/everything/$basearch/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-BCLinux-For-Euler
[update]
name=BC-Linux-release - update
baseurl=http://mirrors.bclinux.org/bclinux/oe21.10/update/$basearch/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-BCLinux-For-Euler
[extras]
name=BC-Linux-release - extras
baseurl=http://mirrors.bclinux.org/bclinux/oe21.10/extras/$basearch/
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-BCLinux-For-Euler
# CentOS 8 repo, needed to install docker
[root@bclinux-11 ~]# cat /etc/yum.repos.d/centos8.repo
[BaseOS]
name=CentOS-8-stream - Base - repo.huaweicloud.com
baseurl=https://repo.huaweicloud.com/centos/8-stream/BaseOS/$basearch/os/
#mirrorlist=https://mirrorlist.centos.org/?release=8-stream&arch=$basearch&repo=BaseOS&infra=$infra
gpgcheck=1
gpgkey=https://repo.huaweicloud.com/centos/RPM-GPG-KEY-CentOS-Official
#released updates
[AppStream]
name=CentOS-8-stream - AppStream - repo.huaweicloud.com
baseurl=https://repo.huaweicloud.com/centos/8-stream/AppStream/$basearch/os/
#mirrorlist=https://mirrorlist.centos.org/?release=8-stream&arch=$basearch&repo=AppStream&infra=$infra
gpgcheck=1
gpgkey=https://repo.huaweicloud.com/centos/RPM-GPG-KEY-CentOS-Official
[PowerTools]
name=CentOS-8-stream - PowerTools - repo.huaweicloud.com
baseurl=https://repo.huaweicloud.com/centos/8-stream/PowerTools/$basearch/os/
#mirrorlist=https://mirrorlist.centos.org/?release=8-stream&arch=$basearch&repo=PowerTools&infra=$infra
gpgcheck=1
gpgkey=https://repo.huaweicloud.com/centos/RPM-GPG-KEY-CentOS-Official
#additional packages that may be useful
[extras]
name=CentOS-8-stream - Extras - repo.huaweicloud.com
baseurl=https://repo.huaweicloud.com/centos/8-stream/extras/$basearch/os/
#mirrorlist=https://mirrorlist.centos.org/?release=8-stream&arch=$basearch&repo=extras
gpgcheck=1
gpgkey=https://repo.huaweicloud.com/centos/RPM-GPG-KEY-CentOS-Official
# docker repo
[root@bclinux-11 ~]# cat /etc/yum.repos.d/docker-ce.repo
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/8/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-stable-debuginfo]
name=Docker CE Stable - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/8/debug-$basearch/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-stable-source]
name=Docker CE Stable - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/8/source/stable
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test]
name=Docker CE Test - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/8/$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test-debuginfo]
name=Docker CE Test - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/8/debug-$basearch/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-test-source]
name=Docker CE Test - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/8/source/test
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly]
name=Docker CE Nightly - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/8/$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly-debuginfo]
name=Docker CE Nightly - Debuginfo $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/8/debug-$basearch/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
[docker-ce-nightly-source]
name=Docker CE Nightly - Sources
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/8/source/nightly
enabled=0
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/docker-ce/linux/centos/gpg
# k8s repo (note: gpgcheck=0 and repo_gpgcheck=0 disable package and metadata signature verification, so the gpgkey line below is never used; set both to 1 to have yum verify the packages against those keys)
[root@bclinux-11 ~]# cat /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
3. Deployment
3.1 Install and configure docker and cri-dockerd - all hosts
Since version 1.24, k8s no longer talks to docker directly and only supports container runtimes that implement the CRI standard interface; the most common replacement is containerd. The containerd commands and parameters are basically the same as docker's, the one difference being that it cannot build images, so docker is still needed for that. However, the cri-dockerd project is maintained precisely so that docker can satisfy the k8s CRI standard.
3.1.1 docker
# install docker
[root@bclinux-11 ~]# yum install docker-ce -y
# configure docker
[root@bclinux-11 ~]# cat >/etc/docker/daemon.json<<-"EOF"
{
"registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],
"insecure-registries":["test.harbor.org:18080"],
"data-root": "/home/docker_data",
"log-driver":"json-file",
"log-opts": {"max-size" :"50m","max-file":"1"},
"exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
# start docker and enable it at boot
[root@bclinux-11 ~]# systemctl start docker && systemctl enable docker && systemctl status docker
3.1.2 cri-dockerd
# install
[root@bclinux-11 ~]# yum install -y https://github.com/Mirantis/cri-dockerd/releases/download/v0.3.4/cri-dockerd-0.3.4-3.el8.x86_64.rpm
# configure
[root@bclinux-11 ~]# egrep -v '^#|^$' /usr/lib/systemd/system/cri-docker.service
[Unit]
Description=CRI Interface for Docker Application Container Engine
Documentation=https://docs.mirantis.com
After=network-online.target firewalld.service docker.service
Wants=network-online.target
Requires=cri-docker.socket
[Service]
Type=notify
ExecStart=/usr/bin/cri-dockerd --container-runtime-endpoint fd:// --pod-infra-container-image registry.aliyuncs.com/google_containers/pause:3.9 --ipv6-dual-stack
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
# start cri-docker and enable it at boot
[root@bclinux-11 ~]# systemctl start cri-docker.service && systemctl enable cri-docker.service && systemctl status cri-docker.service
3.2 containerd deployment - all hosts
- If docker is deployed, containerd is not needed; pick one of the two. Why use containerd at all when cri-dockerd exists?
- Advantages of containerd
  - Two fewer layers in the call path than docker, so it is faster
  - More secure than docker
- Drawbacks of containerd (not necessarily drawbacks)
  - Cannot build images; docker or podman is still needed for that
  - Its commands are somewhat more complex than docker's
- Call-path diagram
docker | containerd |
---|---|
K8s | K8s |
Docker-shim | |
Docker | |
Containerd | Containerd |
Containers | Containers |
3.2.1 Install containerd
[root@bclinux ~]# tar xf cri-containerd-1.7.2-linux-amd64.tar.gz -C /
# configure containerd
[root@bclinux ~]# mkdir /etc/containerd -p && containerd config default > /etc/containerd/config.toml
# two settings to change:
# line 65: sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.8" [switch the pause image to a domestic mirror]
# line 137: SystemdCgroup = true [make runc use the systemd cgroup driver for resource partitioning and isolation of containers]
[root@bclinux ~]# vim /etc/containerd/config.toml # add the private harbor registry
[plugins."io.containerd.grpc.v1.cri".registry.configs]
  # the registry credentials are stored in plain text here, so keep config.toml readable by root only
  [plugins."io.containerd.grpc.v1.cri".registry.configs."172.168.80.14:18080".auth]
    username = "admin"
    password = "Harbor12345"
[plugins."io.containerd.grpc.v1.cri".registry.headers]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."172.168.80.14:18080"]
    endpoint = ["http://172.168.80.14:18080"]
[root@bclinux ~]# systemctl start containerd.service && systemctl enable containerd.service && systemctl status containerd.service
3.3 nginx deployment - the 2 master nodes
- nginx download page: http://nginx.org/en/download.html
- nginx rpm packages: http://nginx.org/packages/centos/8/x86_64/RPMS/
- This article builds nginx from source, because the rpm-installed nginx lacked the ipv6 module, so it is compiled with the ipv6 module included
# install build dependencies
[root@bclinux-11 ~]# yum -y install gcc automake autoconf libtool make gcc-c++ openssl openssl-devel zlib-devel pcre-devel zlib pcre libxslt-devel perl-devel
# build nginx
[root@bclinux-11 ~]# tar xf nginx-1.24.0.tar.gz
[root@bclinux-11 nginx-1.24.0]# ./configure --prefix=/data/nginx --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --with-ipv6
..............................
nginx path prefix: "/data/nginx"
nginx binary file: "/data/nginx/sbin/nginx"
nginx modules path: "/data/nginx/modules"
nginx configuration prefix: "/data/nginx/conf"
nginx configuration file: "/data/nginx/conf/nginx.conf"
nginx pid file: "/data/nginx/logs/nginx.pid"
nginx error log file: "/data/nginx/logs/error.log"
nginx http access log file: "/data/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
./configure: warning: the "--with-ipv6" option is deprecated # nginx warns that the option is deprecated because IPv6 support is now built in unconditionally
[root@bclinux-11 nginx-1.24.0]# make && make install
# configure the systemd unit
[root@bclinux-11 nginx-1.24.0]# cat >/usr/lib/systemd/system/nginx.service<<-"EOF"
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/data/nginx/logs/nginx.pid
ExecStart=/data/nginx/sbin/nginx -c /data/nginx/conf/nginx.conf
ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /data/nginx/logs/nginx.pid)"
ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /data/nginx/logs/nginx.pid)"
[Install]
WantedBy=multi-user.target
EOF
# configure the proxy
[root@bclinux-11 ~]# cat /data/nginx/conf/nginx.conf
user root;
worker_processes auto;
error_log logs/error.log;
error_log logs/error.log notice;
error_log logs/error.log info;
pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log logs/access.log main;
    sendfile on;
    keepalive_timeout 65;
}
stream {
    log_format proxy '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time -> $upstream_addr '
                     '$upstream_bytes_sent $upstream_bytes_received $upstream_connect_time';
    access_log logs/tcp-access.log proxy;
    upstream kube-apiservers {
        hash $remote_addr consistent;
        server [1:2:3:4::11]:6443 weight=6 max_fails=1 fail_timeout=10s;
        server [1:2:3:4::12]:6443 weight=6 max_fails=1 fail_timeout=10s;
    }
    server {
        listen [::]:8443 ipv6only=on;
        proxy_connect_timeout 30s;
        proxy_timeout 60s;
        proxy_pass kube-apiservers;
    }
}
# start nginx and enable it at boot
[root@bclinux-11 nginx-1.24.0]# systemctl start nginx && systemctl enable nginx && systemctl status nginx
- Change the nginx banner
# change the variables
cat src/core/nginx.h
#define NGINX_VERSION ""
#define NGINX_VER "流氓兔/" NGINX_VERSION
#ifdef NGX_BUILD
#define NGINX_VER_BUILD NGINX_VER " (" NGX_BUILD ")"
#else
#define NGINX_VER_BUILD NGINX_VER
#endif
#define NGINX_VAR ""
#define NGX_OLDPID_EXT ".oldbin"
3.4 keepalived deployment - the 2 master nodes
[root@bclinux-11 ~]# yum install keepalived -y
[root@bclinux-11 keepalived]# tee >/etc/keepalived/keepalived.conf << "EOF"
! Configuration File for keepalived
global_defs {
    router_id k8s
}
vrrp_script check_ng {
    script "/etc/keepalived/script/check_ng.sh"
    interval 3
    weight -2
}
vrrp_instance VI_1 {
    state MASTER # change to BACKUP on the standby node
    interface ens160
    virtual_router_id 51 # VRRP router ids must be between 1 and 255 (the original value 351 is out of range and keepalived rejects it)
    priority 200 # change to 150 on the standby node
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass ceb1b3ec013d66163d6ab # keepalived only uses the first 8 characters of a PASS secret
    }
    unicast_src_ip 172.168.80.11 # on the standby node, change to the standby node's IP
    unicast_peer {
        172.168.80.12 # on the standby node, change to the master node's IP
    }
    virtual_ipaddress {
        172.168.80.10
    }
    virtual_ipaddress_excluded {
        1:2:3:4::10
    }
    track_script {
        check_ng
    }
}
EOF
[root@bclinux-11 keepalived]# mkdir -p /etc/keepalived/script/ && tee >/etc/keepalived/script/check_ng.sh << "EOF" && chmod +x /etc/keepalived/script/check_ng.sh
#!/bin/bash
# health check for keepalived: exit 0 while nginx is running and its pid file exists,
# otherwise stop keepalived so the VIP fails over to the other node
pid_file='/data/nginx/logs/nginx.pid'
nginx_num=$(ps -ef | grep -c '[n]ginx')
if [ "${nginx_num}" -ne 0 ] && [ -f "${pid_file}" ]; then
    exit 0
else
    systemctl stop keepalived && exit 1
fi
EOF
[root@bclinux-11 keepalived]# systemctl start keepalived.service && systemctl enable keepalived.service && systemctl status keepalived.service
3.5 etcd deployment - three nodes
Etcd is a distributed key-value store that k8s uses for its data. By default a kubeadm-built cluster starts only one Etcd pod, which is a single point of failure and strongly discouraged in production, so here we build a 3-server cluster that tolerates the failure of 1 machine; you can also use 5 servers, which tolerates 2 failures.
- To save machines, etcd shares the k8s node machines here. It can also be deployed independently of the k8s cluster, as long as the apiserver can reach it.
- For a single-node k8s, either the built-in etcd or an external etcd can be used.
3.5.1 Prepare the cfssl certificate tools
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
3.5.2 Generate the etcd certificates
# Self-signed certificate authority (CA)
# Create the working directory:
[root@bclinux-11 ~]# mkdir -p ~/etcd_tls
[root@bclinux-11 ~]# cd ~/etcd_tls
# Self-signed CA:
[root@bclinux-11 etcd_tls]# cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
[root@bclinux-11 etcd_tls]# cat > ca-csr.json << EOF
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
EOF
# Generate the CA certificate:
[root@bclinux-11 etcd_tls]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2021/05/11 16:36:24 [INFO] generating a new CA key and certificate from CSR
2021/05/11 16:36:24 [INFO] generate received request
2021/05/11 16:36:24 [INFO] received CSR
2021/05/11 16:36:24 [INFO] generating key: rsa-2048
2021/05/11 16:36:24 [INFO] encoded CSR
2021/05/11 16:36:24 [INFO] signed certificate with serial number 359821359061850962149376009879415970209566630594
[root@bclinux-11 etcd_tls]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
# This produces ca.pem and ca-key.pem.
# Issue the etcd HTTPS certificate with the self-signed CA
# Create the certificate request file:
[root@bclinux-11 etcd_tls]# cat > server-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "1:2:3:4::11",
    "1:2:3:4::12",
    "1:2:3:4::13"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
EOF
# Note: the IPs in the hosts field above are the cluster-internal communication IPs of all etcd nodes; replace them with your own, and not one may be missing! To make later expansion easier you can add a few reserved IPs; if etcd is to be reached over IPv6, write the IPv6 addresses here.
# Generate the certificate:
[root@bclinux-11 etcd_tls]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2021/05/11 16:38:34 [INFO] generate received request
2021/05/11 16:38:34 [INFO] received CSR
2021/05/11 16:38:34 [INFO] generating key: rsa-2048
2021/05/11 16:38:35 [INFO] encoded CSR
2021/05/11 16:38:35 [INFO] signed certificate with serial number 686508384315413943399934921027716200577151171267
2021/05/11 16:38:35 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@bclinux-11 etcd_tls]# ls server*
server.csr server-csr.json server-key.pem server.pem
# This produces server.pem and server-key.pem.
3.5.3 Deploy etcd
- Do the following on one node, then copy every file generated on node 1 to node 2 and node 3; if configuring IPv6, replace the IPv4 addresses in the configuration below with IPv6 ones.
# Create the working directory and unpack the binaries - 1
[root@bclinux-11 ~]# mkdir /opt/etcd/{bin,cfg,ssl} -p
[root@bclinux-11 ~]# tar zxvf etcd-v3.5.6-linux-amd64.tar.gz
[root@bclinux-11 ~]# mv etcd-v3.5.6-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
# Create the etcd config file - 1
[root@bclinux-11 ~]# cat > /opt/etcd/cfg/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://[1:2:3:4::11]:2380"
ETCD_LISTEN_CLIENT_URLS="https://[1:2:3:4::11]:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://[1:2:3:4::11]:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://[1:2:3:4::11]:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://[1:2:3:4::11]:2380,etcd-2=https://[1:2:3:4::12]:2380,etcd-3=https://[1:2:3:4::13]:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
# ETCD_NAME: node name, unique within the cluster
# ETCD_DATA_DIR: data directory
# ETCD_LISTEN_PEER_URLS: listen address for cluster (peer) traffic
# ETCD_LISTEN_CLIENT_URLS: listen address for client access
# ETCD_INITIAL_ADVERTISE_PEER_URLS: peer address advertised to the cluster
# ETCD_ADVERTISE_CLIENT_URLS: client address advertised to clients
# ETCD_INITIAL_CLUSTER: addresses of the cluster members
# ETCD_INITIAL_CLUSTER_TOKEN: cluster token
# ETCD_INITIAL_CLUSTER_STATE: state when joining; new for a new cluster, existing to join an existing cluster
# Manage etcd with systemd - 1
[root@bclinux-11 ~]# cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
# Copy the certificates generated earlier - 1
[root@bclinux-11 ~]# cp ~/etcd_tls/ca*pem ~/etcd_tls/server*pem /opt/etcd/ssl/
3.5.4 Copy every file generated on node 1 to node 2 and node 3
[root@bclinux-11 ~]# scp -r /opt/etcd/ root@[1:2:3:4::12]:/opt/
[root@bclinux-11 ~]# scp /usr/lib/systemd/system/etcd.service root@[1:2:3:4::12]:/usr/lib/systemd/system/
[root@bclinux-11 ~]# scp -r /opt/etcd/ root@[1:2:3:4::13]:/opt/
[root@bclinux-11 ~]# scp /usr/lib/systemd/system/etcd.service root@[1:2:3:4::13]:/usr/lib/systemd/system/
# Then on node 2 and node 3, change the node name and the current server IP in etcd.conf:
[root@bclinux-11 ~]# cat > /opt/etcd/cfg/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1" # change here: etcd-2 on node 2, etcd-3 on node 3
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://[1:2:3:4::11]:2380" # change to the current server's IP
ETCD_LISTEN_CLIENT_URLS="https://[1:2:3:4::11]:2379" # change to the current server's IP
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://[1:2:3:4::11]:2380" # change to the current server's IP
ETCD_ADVERTISE_CLIENT_URLS="https://[1:2:3:4::11]:2379" # change to the current server's IP
ETCD_INITIAL_CLUSTER="etcd-1=https://[1:2:3:4::11]:2380,etcd-2=https://[1:2:3:4::12]:2380,etcd-3=https://[1:2:3:4::13]:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
# Start etcd
[root@bclinux-11 ~]# systemctl daemon-reload && systemctl start etcd && systemctl enable etcd && systemctl status etcd
# Note: the etcd nodes must be started together (each member waits for its peers while the new cluster forms)
# The same with ansible
ansible etcd -m service -a 'name=etcd state=started enabled=yes daemon-reload=yes'
# Note: etcd is a group defined in the ansible inventory that contains only the IPs of these three etcd hosts
3.5.5 Check the cluster status
[root@bclinux-11 ~]# ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://[1:2:3:4::11]:2379,https://[1:2:3:4::12]:2379,https://[1:2:3:4::13]:2379" endpoint health --write-out=table
+----------------------------+--------+-------------+-------+
| ENDPOINT | HEALTH | TOOK | ERROR |
+----------------------------+--------+-------------+-------+
| https://[1:2:3:4::11]:2379 | true | 17.543566ms | |
| https://[1:2:3:4::13]:2379 | true | 18.424848ms | |
| https://[1:2:3:4::12]:2379 | true | 18.384393ms | |
+----------------------------+--------+-------------+-------+
# If you see the output above, the cluster was deployed successfully.
# If there is a problem, check the logs first: /var/log/messages or journalctl -u etcd
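The health table above is checked by eye; the script below, an added example that is not part of the original article, turns it into a pass/fail check suitable for cron or a CI job. It reports any endpoint whose HEALTH column is not `true` and, by comparing the table with the `ETCD_INITIAL_CLUSTER` value from etcd.conf, any member that is absent from the table altogether, so a node that silently failed to start is not hidden behind two healthy peers. The sample table and cluster string are constructed for the example (modelled on the article's output); `etcd_live_check` runs the same check on a real node using the certificate paths from 3.5.3.

```shell
#!/bin/sh
# Added example (not part of the original article): pass/fail evaluation of the
# "etcdctl endpoint health --write-out=table" output shown in 3.5.5, plus a cross-check
# against ETCD_INITIAL_CLUSTER so a member that never reported is not overlooked.

# unhealthy_endpoints TABLE: prints the ENDPOINT of every row whose HEALTH is not "true".
unhealthy_endpoints() {
  printf '%s\n' "$1" | awk -F'|' '
    /^[|]/ && $2 !~ /ENDPOINT/ {
      gsub(/ /, "", $2); gsub(/ /, "", $3)
      if ($3 != "true") print $2
    }'
}

# missing_endpoints TABLE CLUSTER: CLUSTER is the ETCD_INITIAL_CLUSTER value
# (name=https://[addr]:2380,...). Prints each member whose client endpoint (same
# host, port 2379) does not appear in the table at all.
missing_endpoints() {
  table=$1
  printf '%s\n' "$2" | tr ',' '\n' | while IFS='=' read -r name peer_url; do
    [ -n "$name" ] || continue
    client_url=$(printf '%s' "$peer_url" | sed 's/:2380$/:2379/')
    if ! printf '%s\n' "$table" |
         awk -F'|' -v u="$client_url" '{ gsub(/ /, "", $2) } $2 == u { found = 1 } END { exit !found }'; then
      echo "$name ($client_url)"
    fi
  done
}

# etcd_cluster_ok TABLE CLUSTER: returns 0 only when every member reported healthy.
etcd_cluster_ok() {
  bad=$(unhealthy_endpoints "$1")
  absent=$(missing_endpoints "$1" "$2")
  if [ -z "$bad" ] && [ -z "$absent" ]; then
    return 0
  fi
  [ -n "$bad" ] && echo "unhealthy: $bad"
  [ -n "$absent" ] && echo "not reporting: $absent"
  return 1
}

# Live check on a node built as in 3.5.3: read the member list from etcd.conf, derive the
# client endpoints, and evaluate the table using the article's certificate paths.
etcd_live_check() {
  cluster=$(sed -n 's/^ETCD_INITIAL_CLUSTER="\(.*\)"$/\1/p' /opt/etcd/cfg/etcd.conf)
  endpoints=$(printf '%s' "$cluster" | tr ',' '\n' | sed 's/^[^=]*=//; s/:2380$/:2379/' | paste -sd, -)
  table=$(ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem \
            --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem \
            --endpoints="$endpoints" endpoint health --write-out=table 2>&1)
  etcd_cluster_ok "$table" "$cluster"
}

# Constructed sample (modelled on the article's table, not captured from a real cluster):
# etcd-2 answers unhealthy and etcd-3 is missing from the table entirely.
SAMPLE_TABLE='+----------------------------+--------+-------------+---------------------------+
|          ENDPOINT          | HEALTH |    TOOK     |           ERROR           |
+----------------------------+--------+-------------+---------------------------+
| https://[1:2:3:4::11]:2379 |   true | 17.543566ms |                           |
| https://[1:2:3:4::12]:2379 |  false |   5.000123s | context deadline exceeded |
+----------------------------+--------+-------------+---------------------------+'
SAMPLE_CLUSTER='etcd-1=https://[1:2:3:4::11]:2380,etcd-2=https://[1:2:3:4::12]:2380,etcd-3=https://[1:2:3:4::13]:2380'

if [ "${1:-}" = "--live" ]; then
  etcd_live_check
fi
```

Run `sh etcd-check.sh --live` (script name assumed) on any etcd node; the exit status is 0 only when all three members are healthy, which is what a monitoring hook or the step before `kubeadm init` should wait for.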
3.6 Install k8s - all hosts
[root@bclinux-11 ~]# yum install kubeadm-1.27.4 kubelet-1.27.4 kubectl-1.27.4 -y
[root@bclinux-11 ~]# systemctl enable kubelet.service
3.6.1 Changing the default 1-year k8s certificate expiry
- In a kubeadm-deployed cluster only the CA certificates are valid for 10 years; all the others are valid for 1 year. To change the default, the kubeadm source code must be modified and rebuilt.
- Download: https://github.com/kubernetes/kubernetes/releases
- This installation is for testing, so the default is left as is; to change it, follow the steps below
# Change the default certificate lifetime
[root@bclinux-11 ~]# vim kubernetes-1.20.10/staging/src/k8s.io/client-go/util/cert/cert.go
NotBefore: now.UTC(),
NotAfter: now.Add(duration365d * 100).UTC(),
# This sets the CA certificate expiry: change 10 to 100
[root@bclinux-11 ~]# vim kubernetes-1.20.10/cmd/kubeadm/app/constants/constants.go
CertificateValidity = time.Hour * 24 * 365 * 100
# This sets the expiry of the other certificates: append *100
3.6.2 Install the Go environment
[root@bclinux-11 ~]# cat kubernetes-1.20.10/build/build-image/cross/VERSION
v1.15.15-legacy-1
# install go
[root@bclinux-11 ~]# yum install gcc make rsync jq -y
[root@bclinux-11 ~]# wget https://dl.google.com/go/go1.15.15.linux-amd64.tar.gz
[root@bclinux-11 ~]# tar zxvf go1.15.15.linux-amd64.tar.gz -C /usr/local
[root@bclinux-11 ~]# tee >> /etc/profile <<-"EOF"
export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export PATH=$PATH:$GOROOT/bin
EOF
[root@bclinux-11 ~]# source /etc/profile
[root@bclinux-11 ~]# go version
go version go1.15.15 linux/amd64
# build kubeadm
[root@bclinux-11 ~]# cd kubernetes-1.20.10/
[root@bclinux-11 kubernetes-1.20.10]# make all WHAT=cmd/kubeadm GOFLAGS=-v
# Replace the existing kubeadm - all hosts
[root@bclinux-11 kubernetes-1.20.10]# ansible k8s-all -m copy -a "src=./_output/local/bin/linux/amd64/kubeadm dest=/usr/bin/kubeadm backup=yes"
# ./_output/local/bin/linux/amd64/kubeadm is the build output path
3.7 Deploy k8s
3.7.1 Initialization - 1 master node
3.7.1.1 Single-node initialization
- The initialization yaml file
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration # private configuration of the initial master node
bootstrapTokens: # a bootstrapToken can be given; by default it expires after 24h and is deleted automatically
- token: "9a08jv.c0izixklcxtmnze7"
  description: "kubeadm bootstrap token"
  ttl: "24h"
certificateKey: "e6a2eb8581237ab72a4f494f30285ec12a9694d750b9785706a83bfcbbbd2204" # a certificateKey can be given; by default it expires after two hours and is deleted automatically
localAPIEndpoint:
  advertiseAddress: "1:2:3:4::11" # master node ip
nodeRegistration:
  criSocket: /var/run/cri-dockerd.sock
  name: master
  kubeletExtraArgs:
    node-ip: "1:2:3:4::11,172.168.80.11" # master node ip
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration # configuration shared by all master nodes
imageRepository: registry.aliyuncs.com/google_containers
kubernetesVersion: v1.27.4
controlPlaneEndpoint: "[1:2:3:4::11]:6443" # api-server address; a domain name is recommended
networking:
  podSubnet: 172:244::/64,172.244.0.0/16 # put the ipv4 range first if kubectl get node should show ipv4 addresses
  serviceSubnet: 172:96::/112,172.96.0.0/18 # put the ipv4 range first if kubectl get service should show ipv4 addresses
etcd:
  local:
    dataDir: "/home/etcd_data"
    extraArgs:
      listen-metrics-urls: http://[::]:2381
apiServer:
  certSANs:
  - "1:2:3:4::11"
  - "172.168.80.11"
  - "bclinux-11"
  - "172.96.0.1"
  - "172:96::1"
  extraArgs:
    service-cluster-ip-range: 172:96::/112,172.96.0.0/18
    bind-address: "::"
    secure-port: "6443"
scheduler:
  extraArgs:
    bind-address: "::"
controllerManager:
  extraArgs:
    bind-address: "::"
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
failSwapOn: false
cgroupDriver: systemd
healthzBindAddress: "::"
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
clusterCIDR: "172:244::/64,172.244.0.0/16" # pod address range
mode: "ipvs"
3.7.1.2 Cluster initialization
[root@bclinux-11 ~]# cat kube-init.yaml
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration # private configuration of the initial master node
bootstrapTokens: # a bootstrapToken can be given; by default it expires after 24h and is deleted automatically
- token: "9a08jv.c0izixklcxtmnze7"
  description: "kubeadm bootstrap token"
  ttl: "24h"
certificateKey: "e6a2eb8581237ab72a4f494f30285ec12a9694d750b9785706a83bfcbbbd2204" # a certificateKey can be given; by default it expires after two hours and is deleted automatically
localAPIEndpoint:
  advertiseAddress: "1:2:3:4::11" # master node ip
nodeRegistration:
  criSocket: /var/run/cri-dockerd.sock
  name: bclinux-11
  kubeletExtraArgs:
    node-ip: "1:2:3:4::11,172.168.80.11" # master node ip
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration # configuration shared by all master nodes
imageRepository: registry.aliyuncs.com/google_containers
kubernetesVersion: v1.27.4
controlPlaneEndpoint: "[1:2:3:4::10]:8443" # api-server address (the nginx/keepalived VIP); a domain name is recommended
networking:
  podSubnet: 172:244::/64,172.244.0.0/16 # put the ipv4 range first if kubectl get node should show ipv4 addresses
  serviceSubnet: 172:96::/112,172.96.0.0/18 # put the ipv4 range first if kubectl get service should show ipv4 addresses
etcd:
  external: # use the external etcd
    endpoints:
    - https://[1:2:3:4::11]:2379 # the 3 etcd cluster nodes
    - https://[1:2:3:4::12]:2379
    - https://[1:2:3:4::13]:2379
    caFile: /data/etcd/ssl/ca.pem # certificates needed to connect to etcd
    certFile: /data/etcd/ssl/server.pem
    keyFile: /data/etcd/ssl/server-key.pem
apiServer:
  certSANs:
  - "1:2:3:4::11"
  - "1:2:3:4::12"
  - "172.168.80.11"
  - "172.168.80.12"
  - "bclinux-11"
  - "bclinux-12"
  - "172.96.0.1"
  - "172:96::1"
  extraArgs:
    service-cluster-ip-range: 172:96::/112,172.96.0.0/18
    bind-address: "::"
    secure-port: "6443"
scheduler:
  extraArgs:
    bind-address: "::"
controllerManager:
  extraArgs:
    bind-address: "::"
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
failSwapOn: false
cgroupDriver: systemd
healthzBindAddress: "::"
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
clusterCIDR: "172:244::/64,172.244.0.0/16" # pod address range
mode: "ipvs"
[root@bclinux-11 ~]# kubeadm init --config kube-init-1.27.yaml --upload-certs
........................................
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:
kubeadm join [1:2:3:4::10]:8443 --token 9a08jv.c0izixklcxtmnze7 \
--discovery-token-ca-cert-hash sha256:71818aa4d010d77aa3f0864c04415da65db936e68d598710296c2bf38104e4cf \
--control-plane --certificate-key e6a2eb8581237ab72a4f494f30285ec12a9694d750b9785706a83bfcbbbd2204
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join [1:2:3:4::10]:8443 --token 9a08jv.c0izixklcxtmnze7 \
--discovery-token-ca-cert-hash sha256:71818aa4d010d77aa3f0864c04415da65db936e68d598710296c2bf38104e4cf
[root@bclinux-11 ~]# mkdir -p $HOME/.kube
[root@bclinux-11 ~]# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@bclinux-11 ~]# sudo chown $(id -u):$(id -g) $HOME/.kube/config
3.7.2 Add master nodes - the remaining master nodes
[root@bclinux-12 ~]# cat /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS="--node-ip 1:2:3:4::12,172.168.80.12 --fail-swap-on=false"
[root@bclinux-12 ~]# kubeadm join [1:2:3:4::10]:8443 --token 9a08jv.c0izixklcxtmnze7 --discovery-token-ca-cert-hash sha256:71818aa4d010d77aa3f0864c04415da65db936e68d598710296c2bf38104e4cf --control-plane --certificate-key e6a2eb8581237ab72a4f494f30285ec12a9694d750b9785706a83bfcbbbd2204 --cri-socket=/var/run/cri-dockerd.sock
..........................
To start administering your cluster from this node, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Run 'kubectl get nodes' to see this node join the cluster.
[root@bclinux-12 ~]# kubectl get pod -n kube-system|grep api
kube-apiserver-bclinux-11 1/1 Running 0 15h
kube-apiserver-bclinux-12 0/1 CrashLoopBackOff 5 (16s ago) 3m38s # this pod is broken
# kubeadm auto-detected the IPv4 address as the advertise address for this node's apiserver. Edit the static pod manifest on this node and advertise its IPv6 address instead; kubelet restarts the static pod on its own once the file changes. Passing --apiserver-advertise-address 1:2:3:4::12 to kubeadm join would have avoided the edit.
[root@bclinux-12 ~]# grep '\-\-advertise-address' /etc/kubernetes/manifests/kube-apiserver.yaml
- --advertise-address=172.168.80.12 # change to the node's IPv6 address, 1:2:3:4::12
[root@bclinux-12 ~]# kubectl get pod -n kube-system|grep api
kube-apiserver-bclinux-11 1/1 Running 0 15h
kube-apiserver-bclinux-12 1/1 Running 0 2m42s
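The failure above comes from the advertise address kubeadm picked for the joining master. As an added example (not code from the original post), this shell snippet checks and, if needed, corrects the flag in the static manifest; it assumes kubeadm's default manifest path and uses the node addresses from the host table of this post.

```sh
#!/bin/sh
# Added example (not from the original post): check, and if needed correct, the
# --advertise-address flag in a control-plane node's static kube-apiserver manifest.
# Assumption: kubeadm's default manifest path; the node addresses in the usage
# comments are the ones from the host table of this post.

MANIFEST_DEFAULT=/etc/kubernetes/manifests/kube-apiserver.yaml

# Print the value of --advertise-address found in a static pod manifest (empty if absent).
advertise_address_of() {
  sed -n 's/^[[:space:]]*- --advertise-address=\([^[:space:]]*\).*/\1/p' "$1"
}

# Return 0 when the manifest advertises the expected address, 1 otherwise.
# Usage: check_advertise_address /etc/kubernetes/manifests/kube-apiserver.yaml 1:2:3:4::12
check_advertise_address() {
  manifest="${1:-$MANIFEST_DEFAULT}"; expected="$2"
  actual=$(advertise_address_of "$manifest")
  if [ "$actual" = "$expected" ]; then
    echo "ok: $manifest advertises $actual"
    return 0
  fi
  echo "mismatch: $manifest advertises '${actual:-<none>}', expected '$expected'"
  return 1
}

# Rewrite the flag in place. kubelet watches the manifests directory and restarts the
# static pod with the new flag by itself; no kubectl call is needed.
# Usage: set_advertise_address /etc/kubernetes/manifests/kube-apiserver.yaml 1:2:3:4::12
set_advertise_address() {
  manifest="${1:-$MANIFEST_DEFAULT}"; new="$2"
  sed -i "s/--advertise-address=[^[:space:]]*/--advertise-address=$new/" "$manifest"
}
```

A cluster-wide check that needs no ssh: `kubectl get endpoints kubernetes -n default` lists the advertise address of every running apiserver, so a stray IPv4 entry shows up immediately.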
3.7.3 Add worker nodes - run on every worker node
[root@bclinux-13 ~]# cat /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS="--node-ip 1:2:3:4::13,172.168.80.13 --fail-swap-on=false"
[root@bclinux-13 ~]# kubeadm join [1:2:3:4::10]:8443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:d63a4cb2d94ee1fb7f882f14cae74f5ded7b0f187dc778130b9f3005168ed8cb --cri-socket=/var/run/cri-dockerd.sock
.................................................
Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
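The join commands in 3.7.2 and 3.7.3 carry two secrets: the bootstrap token, which authenticates the node to the API server, and the --discovery-token-ca-cert-hash, which pins the cluster CA so the node cannot be enrolled by an impostor API server. Note that the token in 3.7.3 differs from the one kubeadm init printed: bootstrap tokens expire after 24 hours by default, `kubeadm token create --print-join-command` on a master issues a fresh one together with the join command, and `kubeadm token delete <token>` revokes a token once its nodes have joined. Below is an added example (not from the original post) that recomputes the CA hash from the cluster CA and refuses a join command that is malformed, unpinned, or pinned to a different CA; the [1:2:3:4::10]:8443 endpoint shape and the ca.crt path are assumptions taken from this post's set-up and kubeadm's default layout.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check a kubeadm join command before
# pasting it on a node, and compute the CA hash it must carry.
# Assumptions: the join endpoint is an IPv6 VIP written as [addr]:port, as in this post,
# and the cluster CA sits at kubeadm's default path.

CA_CRT_DEFAULT=/etc/kubernetes/pki/ca.crt

# Print the hash kubeadm expects in --discovery-token-ca-cert-hash: SHA-256 of the CA's
# DER-encoded SubjectPublicKeyInfo. Run on a control-plane node (needs openssl; the
# "rsa -pubin" step fits kubeadm's default RSA CA). This is the openssl pipeline
# documented by kubeadm.
ca_cert_hash() {
  ca="${1:-$CA_CRT_DEFAULT}"
  openssl x509 -pubkey -in "$ca" \
    | openssl rsa -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex | sed 's/^.* /sha256:/'
}

# Refuse a join command that is malformed or that does not pin the cluster CA.
# $1 = the join command as one string, $2 = (optional) hash from ca_cert_hash to pin to.
verify_join_cmd() {
  cmd="$1"; expected="$2"
  case "$cmd" in
    *--discovery-token-unsafe-skip-ca-verification*)
      echo "refuse: CA pinning is disabled, an impostor API server could enroll this node"
      return 1 ;;
  esac
  token=$(printf '%s\n' "$cmd" | sed -n 's/.*--token[= ]\([^ ]*\).*/\1/p')
  printf '%s' "$token" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$' \
    || { echo "refuse: missing or malformed bootstrap token"; return 1; }
  hash=$(printf '%s\n' "$cmd" | sed -n 's/.*--discovery-token-ca-cert-hash[= ]\([^ ]*\).*/\1/p')
  printf '%s' "$hash" | grep -Eq '^sha256:[0-9a-f]{64}$' \
    || { echo "refuse: missing or malformed --discovery-token-ca-cert-hash"; return 1; }
  if [ -n "$expected" ] && [ "$hash" != "$expected" ]; then
    echo "refuse: CA hash does not match this cluster's CA"; return 1
  fi
  # An unbracketed IPv6 address followed by :port is ambiguous; insist on [addr]:port.
  endpoint=$(printf '%s\n' "$cmd" | sed -n 's/^kubeadm join \([^ ]*\).*/\1/p')
  printf '%s' "$endpoint" | grep -Eq '^\[[0-9a-fA-F:]+\]:[0-9]+$' \
    || { echo "refuse: endpoint '$endpoint' is not [ipv6]:port"; return 1; }
  echo "ok: join endpoint $endpoint, CA hash pinned"
}
```

Typical use on a worker: copy the output of `ca_cert_hash` from a master, then `verify_join_cmd "$(cat join.txt)" "$HASH"` before running the command in join.txt. The token itself is never printed, so the check can run under a terminal logger without leaking it.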
3.7.4 Deploy the CNI network - run on any one master
# Edit the calico config to disable IPIP and run plain BGP. Measured with qperf on the same network, the author found roughly these overheads for calico's three modes: BGP about 10%, IPIP about 30%, VXLAN about 80%. BGP is recommended, but it has requirements on the network: with encapsulation off, nodes exchange pod routes over BGP and the underlying network must route pod traffic directly, which in practice means all nodes on one L2 segment or BGP peering with the physical routers (if that is unfamiliar, read up on it before choosing this mode).
[root@bclinux-11 ~]# vim calico-3.26.0.yaml
"type": "calico-ipam",
"assign_ipv4": "true", # added
"assign_ipv6": "true" # added
........................
# Auto-detect the BGP IP address.
- name: IP
value: "autodetect"
- name: IP6
value: "autodetect"
# Enable NAT for pod IPv6 traffic leaving the cluster
- name: CALICO_IPV6POOL_NAT_OUTGOING
value: "true"
# Pick the NIC calico binds to; if IPv4 and IPv6 live on different NICs, set IP_AUTODETECTION_METHOD and IP6_AUTODETECTION_METHOD separately
- name: IP_AUTODETECTION_METHOD
value: "interface=ens160"
# Enable IPIP
- name: CALICO_IPV4POOL_IPIP
value: "Never" # disable IPIP
- name: CALICO_IPV6POOL_IPIP
value: "Never" # disable IPIP
# Enable or Disable VXLAN on the default IP pool.
- name: CALICO_IPV4POOL_VXLAN
value: "Never"
# Enable or Disable VXLAN on the default IPv6 IP pool.
- name: CALICO_IPV6POOL_VXLAN
value: "Never"
# The upstream comment reads "Disable IPv6 on Kubernetes."; true turns Felix IPv6 support on
- name: FELIX_IPV6SUPPORT
value: "true" # changed from false to true
[root@bclinux-11 ~]# kubectl apply -f calico-3.26.0.yaml
[root@bclinux-11 ~]# kubectl get pod -n kube-system |grep calico
calico-kube-controllers-786b679988-vm8bb 1/1 Running 0 9m42s
calico-node-d79wc 1/1 Running 0 7m10s
calico-node-hvlwh 1/1 Running 0 9m42s
calico-node-xt8lb 1/1 Running 0 9m42s
3.7.5 Install metrics-server - run on any one master
- Download: https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
- Image registry changed from k8s.gcr.io/metrics-server to the mirror registry.aliyuncs.com/google_containers (a third-party mirror; keep the image tag pinned to the release you downloaded)
- Add the startup flag --kubelet-insecure-tls # skips verification of the kubelets' serving certificates. This is the quick route: metrics-server then trusts whatever answers on the kubelet port. The clean fix is kubelet serving certificates signed by the cluster CA (serverTLSBootstrap: true in the KubeletConfiguration, then approve the kubernetes.io/kubelet-serving CSRs), after which the flag can be dropped.
[root@bclinux-11 ~]# kubectl apply -f components.yaml
[root@bclinux-11 ~]# kubectl get pod -n kube-system |grep metrics
metrics-server-6467f9696d-926st 1/1 Running 0 35s
[root@bclinux-11 ~]# kubectl top node
NAME CPU(cores) CPU% MEMORY(bytes) MEMORY%
bclinux-11 636m 31% 782Mi 57%
bclinux-12 685m 34% 811Mi 59%
bclinux-13 109m 5% 703Mi 51%
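The --kubelet-insecure-tls shortcut above disables the one check that stops metrics-server from scraping an impostor kubelet. As an added example (not from the original post), the hardened set-up: turn on serverTLSBootstrap in the KubeletConfiguration that kubeadm distributes to every node (the kubelet.config.k8s.io/v1beta1 block in the kubeadm init config above is the place), then approve the kubelet-serving CSRs, but only those requested by a node identity. The CSR table embedded in the block is a constructed sample in the column layout of `kubectl get csr`, not output captured from this cluster; the node name in it comes from this post's host table.

```sh
#!/bin/sh
# Added example (not from the original post): the hardened alternative to
# --kubelet-insecure-tls. With serverTLSBootstrap: true each kubelet asks the cluster CA
# for a serving certificate via a CSR; once those CSRs are approved, metrics-server can
# verify the kubelets normally and the flag can be dropped.

# Constructed sample of `kubectl get csr` output (not captured from a real cluster).
SAMPLE_CSR_TABLE='NAME        AGE   SIGNERNAME                                    REQUESTOR                            REQUESTEDDURATION   CONDITION
csr-2sxgn   2m    kubernetes.io/kubelet-serving                 system:node:bclinux-13               <none>              Pending
csr-7ab9q   15h   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:9a08jv              <none>              Approved,Issued
csr-x1y2z   1m    kubernetes.io/kubelet-serving                 system:serviceaccount:default:bad    <none>              Pending'

# 0 if a KubeletConfiguration file turns on serving-certificate bootstrap, 1 otherwise.
# Usage: kubelet_server_tls_bootstrap_enabled /var/lib/kubelet/config.yaml
kubelet_server_tls_bootstrap_enabled() {
  grep -Eq '^[[:space:]]*serverTLSBootstrap:[[:space:]]*true[[:space:]]*$' "$1"
}

# Read `kubectl get csr` output on stdin and print the names of Pending CSRs for the
# kubelet-serving signer whose requestor is a node identity (system:node:<name>).
# A serving CSR from anything other than a node identity is never a candidate here.
pending_kubelet_serving_csrs() {
  awk 'NR > 1 && $3 == "kubernetes.io/kubelet-serving" && $4 ~ /^system:node:/ && $NF == "Pending" { print $1 }'
}

# List the candidates; approve them only when called with --approve. Before approving,
# confirm with `kubectl get csr <name> -o yaml` that the SANs are that node's own name
# and addresses: a node identity can ask for any name, so the requestor check alone is
# not enough.
approve_kubelet_serving_csrs() {
  names=$(kubectl get csr | pending_kubelet_serving_csrs)
  if [ -z "$names" ]; then
    echo "no pending kubelet-serving CSRs"
    return 0
  fi
  printf '%s\n' "$names"
  if [ "$1" = "--approve" ]; then
    for n in $names; do
      kubectl certificate approve "$n"
    done
  fi
}
```

Once every node's serving CSR is approved, remove --kubelet-insecure-tls from the metrics-server Deployment and restart it; `kubectl top node` should keep working, now over verified TLS.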
3.7.6 Verify the cluster - run on any one master
# Create a 3-replica Deployment; with three nodes each node ends up running one pod here (nothing enforces that spread)
[root@bclinux-11 ~]# kubectl create deployment nginx --image nginx:1.20.0 --replicas 3
# Create a NodePort Service for it
[root@bclinux-11 ~]# kubectl expose deployment nginx --target-port 80 --port 80 --type NodePort
# Show the pod and service addresses
[root@bclinux-11 ~]# kubectl get pod,svc -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/nginx-7cf478bb58-7bmpm 1/1 Running 0 85s 172:244::390e:eaa8:1a33:8703 bclinux-12 <none> <none>
pod/nginx-7cf478bb58-rb4fz 1/1 Running 0 85s 172:244::be3f:5e5d:bf32:cf80 bclinux-13 <none> <none>
pod/nginx-7cf478bb58-xl4zr 1/1 Running 0 85s 172:244::1f75:c21e:b2f9:de81 bclinux-11 <none> <none>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/kubernetes ClusterIP 172:96::1 <none> 443/TCP 16h <none>
service/nginx NodePort 172:96::11a8 <none> 80:30587/TCP 12s app=nginx
# curl each pod IP, the service IP and each node's NodePort; all of them should answer
[root@bclinux-11 ~]# curl -I6 [172:244::390e:eaa8:1a33:8703] 2>&1|grep HTTP
HTTP/1.1 200 OK
[root@bclinux-11 ~]# curl -I6 [172:244::be3f:5e5d:bf32:cf80] 2>&1|grep HTTP
HTTP/1.1 200 OK
[root@bclinux-11 ~]# curl -I6 [172:244::1f75:c21e:b2f9:de81] 2>&1|grep HTTP
HTTP/1.1 200 OK
[root@bclinux-11 ~]# curl -I6 [172:96::11a8] 2>&1|grep HTTP
HTTP/1.1 200 OK
[root@bclinux-11 ~]# curl -I6 [1:2:3:4::13]:30587 2>&1|grep HTTP
HTTP/1.1 200 OK
[root@bclinux-11 ~]# curl -I6 [1:2:3:4::12]:30587 2>&1|grep HTTP
HTTP/1.1 200 OK
[root@bclinux-11 ~]# curl -I6 [1:2:3:4::11]:30587 2>&1|grep HTTP
HTTP/1.1 200 OK
From: https://www.cnblogs.com/wang-jc/p/17584565.html