環(huán)境準(zhǔn)備

1.關(guān)閉防火墻，關(guān)閉selinux(生產(chǎn)環(huán)境按需關(guān)閉或打開)

systemctl disable firewalld.service
systemctl stop firewalld.service
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

檢查：

systemctl is-enabled firewalld.service
systemctl status firewalld.service
getenforce

2.同步服務(wù)器時間，選擇公網(wǎng)ntpd服務(wù)器或者自建ntpd服務(wù)器

3.關(guān)閉swap分區(qū)

echo "vm.swappiness=1">>/etc/sysctl.conf
sysctl -p
**檢查：**
sysctl -a|grep "vm.swappiness"

4.集群所有節(jié)點主機可以相互解析
5.master對node節(jié)點ssh互信

ssh-keygen -t rsa
ssh-copy-id -i /root/.ssh/id_rsa.pub 172.16.0.95

6.配置系統(tǒng)內(nèi)核參數(shù)使流過網(wǎng)橋的流量也進入iptables/netfilter框架

  modprobe br_netfilter  
  echo -e 'net.bridge.bridge-nf-call-iptables = 1 \nnet.bridge.bridge-nf-call-ip6tables = 1' >> /etc/sysctl.conf  && sysctl -p

或者

cat <<EOF >  /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system

7.修改主機名

hostnamectl set-hostname master1
echo 'master1'>/etc/hostname

安裝docker kubeadm kubectl kubelet kubernetes-cni

1: 配置yum（所有節(jié)點）

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

2: 安裝kubeadm和docker

yum install -y yum-utils
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum -y install docker-ce docker-ce-selinux 
yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
systemctl enable kubelet && systemctl start kubelet
systemctl enable docker && systemctl start docker

3: 下載鏡像：

#!/bin/bash

images=(
    kube-apiserver:v1.14.2
    kube-controller-manager:v1.14.2
    kube-scheduler:v1.14.2
    kube-proxy:v1.14.2
    kube-apiserver:v1.14.2
    pause:3.1
    etcd:3.3.10
    coredns:1.3.1
)

for imageName in ${images[@]} ; do
    docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/$imageName
    docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/$imageName k8s.gcr.io/$imageName
done

4: 加入集群

kubeadm join 172.16.0.92:6443 --token 769elv.w7ndytgXXXXXXX \
    --discovery-token-ca-cert-hash sha256:685b7b8cb7ca0a0e3b65f3b68433e4d67f8927b54c5beXXXXXX

kubeadm join報錯及解決

1、報錯：detected “cgroupfs” as the Docker cgroup driver. The recommended driver is “systemd”

> kubeadm join ---
[WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/

原因：centos7的cgroup driver為systemd，docker默認(rèn)的cgroup driver為cgroupfs，使用兩種cgroup driver控制資源的話會導(dǎo)致資源分配不均。
解決方法：修改docker的cgroup driver為systemd

# Install Docker CE
## Set up the repository
### Install required packages.
yum install yum-utils device-mapper-persistent-data lvm2

### Add Docker repository.
yum-config-manager \
  --add-repo \
  https://download.docker.com/linux/centos/docker-ce.repo

## Install Docker CE.
yum update && yum install docker-ce-18.06.2.ce

## Create /etc/docker directory.
mkdir /etc/docker

# Setup daemon.
cat > /etc/docker/daemon.json <<EOF
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ]
}
EOF

mkdir -p /etc/systemd/system/docker.service.d

# Restart Docker
systemctl daemon-reload
systemctl restart docker

2、報錯：
error execution phase preflight: couldn’t validate the identity of the API Server: abort connecting to API servers after timeout of 5m0s

> kubeadm join ---
error execution phase preflight: couldn't validate the identity of the API Server: abort connecting to API servers after timeout of 5m0s

原因：master節(jié)點的token過期了
解決：創(chuàng)建新的token

#得到token
>kubeadm token create 
#得到discovery-token-ca-cert-hash
> openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'  

重新添加就可以join成功啦。