基于 Debian 13(代号 “Trixie”)虚拟机环境,搭建一个 单 Master + 单 Worker 的 Kubernetes 集群,使用 containerd 作为容器运行时,并采用 kubeadm 工具部署 Kubernetes v1.34.1
先设置 master, 等 worker 克隆出来再做修改
# Edit the network configuration (Debian ifupdown, /etc/network/interfaces)
sudo vim /etc/network/interfaces
# File contents — static IP for the master node:
allow-hotplug ens33
#iface ens33 inet dhcp
iface ens33 inet static
address 192.168.2.20/24
gateway 192.168.2.1
dns-nameservers 8.8.8.8 8.8.4.4
# Restart the networking service to apply the change
sudo systemctl restart networking
先设置 master, 等 worker 克隆出来再做修改
# 2 Set the hostname
# On the master node:
sudo hostnamectl set-hostname k8s-master
# 3 Map cluster hostnames (NOTE: `tee -a` appends — re-running duplicates entries)
cat <<EOF | sudo tee -a /etc/hosts
192.168.2.20 k8s-master
192.168.2.21 k8s-worker1
EOF
# 4 Disable swap (kubelet refuses to run with swap enabled)
sudo swapoff -a
# Permanently disable: comment out the swap entries in /etc/fstab.
# FIX: the original used ERE syntax under BRE — '(' ')' and '1' were literal
# characters, so nothing ever matched. -E enables extended regex so the group
# and \1 backreference work. The address now matches any uncommented swap
# line (UUID=..., /dev/..., LABEL=...), not only lines starting with "UUID".
sudo sed -Ei '/^[^#].*\sswap\s/ s/^(.*)$/#\1/' /etc/fstab
# 5 Enable kernel modules & sysctl settings required by Kubernetes networking
# overlay: containerd snapshotter; br_netfilter: lets iptables see bridged traffic.
# This file loads them at every boot.
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF
# Load the modules immediately
sudo modprobe overlay
sudo modprobe br_netfilter
# Kernel parameters: pass bridged traffic to iptables and enable IP forwarding
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
# Apply all sysctl settings now
sudo sysctl --system
# 1 Install prerequisites
sudo apt update
sudo apt install -y ca-certificates curl gnupg lsb-release
# 2 Add the Docker GPG key (the containerd.io package comes from the Docker
#   repository; the Tsinghua mirror replaces download.docker.com for speed)
sudo install -m 0755 -d /etc/apt/keyrings
#curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
curl -fsSL https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
# 3 Add the apt repository.
# FIX: the original had a bare `echo` with the repo string on the next line,
# so nothing was written to docker.list and the quoted string then failed as a
# command. It must be one pipeline, held together with `\` line continuations.
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# 4 Install containerd
sudo apt update
sudo apt install -y containerd.io
# 5 Configure containerd
sudo mkdir -p /etc/containerd
containerd config default | sudo tee /etc/containerd/config.toml
# Sandbox (pause) image: use the Aliyun mirror, tag matching the K8s release
# (v1.34 needs pause:3.10.1).
# FIX: the original replacement dropped the "pause:" image name, producing
# ".../google_containers/3.10.1". Matching the whole sandbox_image value also
# works regardless of which default tag containerd ships.
sudo sed -i 's|sandbox_image = ".*"|sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.10.1"|' /etc/containerd/config.toml
grep "sandbox_image" /etc/containerd/config.toml
# Use the systemd cgroup driver (must match the kubelet's driver)
sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
grep "SystemdCgroup" /etc/containerd/config.toml
# Point the registry config_path at the certs.d drop-in directory.
# FIX: the original used ERE groups/backreference under BRE ('(' and '1'
# literal), so the substitution never matched; -E enables extended regex.
sudo sed -Ei '/registry\]$/,+1 s|(config_path = ").*|\1/etc/containerd/certs.d"|' /etc/containerd/config.toml
# 6 Restart containerd
sudo systemctl daemon-reload
sudo systemctl enable containerd
sudo systemctl restart containerd
systemctl is-active containerd
# Add the Kubernetes apt GPG key (pkgs.k8s.io community repo, v1.34 channel)
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.34/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
# Add the Kubernetes apt repository
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.34/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
# Update and install the cluster tooling
sudo apt update
sudo apt install -y kubelet kubeadm kubectl
# Pin the versions so routine apt upgrades cannot break the cluster
sudo apt-mark hold kubelet kubeadm kubectl
# Keep the kubelet cgroup driver consistent with containerd (systemd).
# NOTE(review): kubeadm >= 1.22 already defaults the kubelet to the systemd
# driver through its generated config — this flag is likely redundant; confirm.
sudo sed -i 's/KUBELET_EXTRA_ARGS=/KUBELET_EXTRA_ARGS="--cgroup-driver=systemd"/g' /etc/default/kubelet
# Enable kubelet at boot; it only starts successfully after `kubeadm init`
# generates its configuration file.
sudo systemctl enable kubelet
# List the images kubeadm needs for this Kubernetes version (Aliyun mirror)
kubeadm config images list --kubernetes-version=v1.34.1 --image-repository=registry.aliyuncs.com/google_containers
# Example output — FIX: these are pasted results, not commands; commented out
# so this file can be executed as a script without erroring on them:
# registry.aliyuncs.com/google_containers/kube-apiserver:v1.34.1
# registry.aliyuncs.com/google_containers/kube-controller-manager:v1.34.1
# registry.aliyuncs.com/google_containers/kube-scheduler:v1.34.1
# registry.aliyuncs.com/google_containers/kube-proxy:v1.34.1
# registry.aliyuncs.com/google_containers/coredns:v1.12.1
# registry.aliyuncs.com/google_containers/pause:3.10.1
# registry.aliyuncs.com/google_containers/etcd:3.6.4-0
# K8s v1.34 needs pause:3.10.1
# Set sandbox_image accordingly
sudo sed -i 's|sandbox_image = ".*"|sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.10.1"|' /etc/containerd/config.toml
grep "sandbox_image" /etc/containerd/config.toml
# Restart containerd so the change takes effect
sudo systemctl restart containerd
# Silence the crictl warning: WARN[0000] Config "/etc/crictl.yaml" does not exist
sudo tee /etc/crictl.yaml <<EOF
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
pull-image-on-create: false
EOF
# Verify: the warning no longer appears
crictl images
crictl ps
# Prerequisite check: config_path = "/etc/containerd/certs.d"
grep -A1 "registry]$" /etc/containerd/config.toml
# Mirror acceleration for docker.io.
# NOTE(review): containerd's hosts.toml examples use
# server = "https://registry-1.docker.io" for the docker.io namespace —
# confirm "https://docker.io" behaves as intended as the fallback server.
sudo mkdir -p /etc/containerd/certs.d/docker.io
sudo tee /etc/containerd/certs.d/docker.io/hosts.toml <<EOF
server = "https://docker.io"
[host."https://ccr.ccs.tencentyun.com"]
capabilities = ["pull", "resolve"]
[host."https://docker.m.daocloud.io"]
capabilities = ["pull", "resolve"]
[host."https://registry.cn-hangzhou.aliyuncs.com"]
capabilities = ["pull", "resolve"]
[host."https://docker.1ms.run"]
capabilities = ["pull", "resolve"]
EOF
# Mirror acceleration for registry.k8s.io
sudo mkdir -p /etc/containerd/certs.d/registry.k8s.io
cat <<'EOF' | sudo tee /etc/containerd/certs.d/registry.k8s.io/hosts.toml > /dev/null
server = "https://registry.k8s.io"
[host."https://registry.cn-hangzhou.aliyuncs.com/google_containers"]
capabilities = ["pull", "resolve"]
[host."https://k8s.m.daocloud.io"]
capabilities = ["pull", "resolve"]
EOF
# Verify a pull goes through the mirrors
sudo crictl pull nginx:1.29-alpine
因为以上配置都是 master 与 worker 都需要, 所以保存快照, 以便克隆出多个 worker 节点
# On the worker1 node (after cloning the master VM):
sudo hostnamectl set-hostname k8s-worker1
# Edit the network configuration file
sudo vim /etc/network/interfaces
# Change only the address line to the worker's IP (rest stays as cloned):
address 192.168.2.21/24
# Restart the networking service
sudo systemctl restart networking
因为以上通用配置(containerd、kubelet/kubeadm、内核参数等)在克隆之前已经在 master 上完成, worker 上直接跳过这些步骤
# Configure hosts.
# NOTE(review): /etc/hosts was already populated before the clone (tee -a in
# the master setup), so running this on a cloned worker duplicates the
# entries — skip it unless the worker was built from scratch.
cat <<EOF | sudo tee -a /etc/hosts
192.168.2.20 k8s-master
192.168.2.21 k8s-worker1
EOF
# 1 Initialize the cluster (pod CIDR chosen for the Calico install below).
# FIX: the original split one kubeadm command across lines without `\`
# continuations and put comments after each flag, so the shell ran a bare
# `kubeadm init` and then failed on the remaining lines. Flags explained:
#   --control-plane-endpoint : stable API-server name (the master hostname)
#   --image-repository       : pull control-plane images from the Aliyun mirror
#   --kubernetes-version     : pin the release (otherwise kubeadm resolves it
#                              from https://dl.k8s.io/release/stable-1.txt)
sudo kubeadm init \
  --control-plane-endpoint="k8s-master" \
  --image-repository registry.aliyuncs.com/google_containers \
  --service-cidr=10.140.0.0/16 \
  --pod-network-cidr=10.240.0.0/16 \
  --kubernetes-version=v1.34.1
# 2 Configure kubectl for a regular user
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# 3 Configure kubectl for root (session-only; add to ~/.bashrc to persist)
export KUBECONFIG=/etc/kubernetes/admin.conf
在运行kubeadm init 和 join 命令部署好master和node节点后,kubectl get nodes 看到节点都是NotReady状态,这是因为没有安装CNI网络插件
tajun77@k8s-master:~$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master NotReady control-plane 22m v1.34.1
通过命令kubectl apply -f 安装
# If the official manifest URL is unavailable, check the latest release tag
# and download the manifest manually from GitHub.
#kubectl apply -f https://docs.projectcalico.org/v3.31.0/manifests/calico.yaml
# FIX: the original ran BOTH curl and wget, downloading the same file twice;
# they are alternatives — use one (wget kept below as a commented fallback).
curl -O https://raw.githubusercontent.com/projectcalico/calico/v3.31.0/manifests/calico.yaml
#wget https://raw.githubusercontent.com/projectcalico/calico/v3.31.0/manifests/calico.yaml
# Install Calico
kubectl apply -f calico.yaml
Calico v3.31 支持 K8s v1.34(与上面下载的 v3.31.0 清单一致)。等待几分钟,master 节点变为 Ready。
检查:
kubectl get pods -n kube-system
kubectl get nodes
在 worker 节点上执行前面 kubeadm init 输出的 join 命令,例如:
sudo kubeadm join k8s-master:6443 --token 5cftgm.w121mnitwjrne3r5 --discovery-token-ca-cert-hash sha256:0cb9a096478a0de8b6eee9e6e4cdf91cdb94f9c063cf6d00e5ccb066c81a93b9
🔐 若 token 过期(默认 24h),可在 master 重新生成:
kubeadm token create --print-join-command
在 master 上执行:
kubectl get nodes
应看到:
tajun77@k8s-master:~$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready control-plane 129m v1.34.1
k8s-worker1 Ready <none> 118s v1.34.1