starttech Hexo https://jsonhc.github.io/ All rights reserved 2026, starttech 一起成长 starttech 的个人博客 2026-03-01T13:49:11.709Z starttech

本篇文章是在 CentOS9系统上安装高可用Kubernetes1.35集群

节点资源配置如下:

主机名ip内存核心操作系统
master01192.168.213.414g2centos9
master02192.168.213.424g2centos9
master03192.168.213.434g2centos9
worker01192.168.213.4410g4centos9
worker02192.168.213.4510g4centos9

高可用vip:192.168.213.40

此篇文章高可用方案为nginx+keepalived,当然其他方案诸如haproxy+keepalived也是可行的,这里不做介绍

开始配置操作:

配置aliyun源(所有节点都需要)

tee /etc/yum.repos.d/centos.repo > /dev/null << 'EOF'
[baseos]
name=CentOS Stream $releasever - BaseOS - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/BaseOS/x86_64/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=1
[baseos-debuginfo]
name=CentOS Stream $releasever - BaseOS Debuginfo - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/BaseOS/x86_64/debug/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0
[baseos-source]
name=CentOS Stream $releasever - BaseOS Source - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/BaseOS/source/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0
[appstream]
name=CentOS Stream $releasever - AppStream - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/AppStream/x86_64/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=1
[appstream-debuginfo]
name=CentOS Stream $releasever - AppStream Debuginfo - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/AppStream/x86_64/debug/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0
[appstream-source]
name=CentOS Stream $releasever - AppStream Source - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/AppStream/source/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0
EOF

配置主机名

[root@localhost ~]# hostnamectl set-hostname master01
[root@master01 ~]# hostname
master01
[root@master02 ~]# hostname
master02
[root@master03 ~]# hostname
master03
[root@worker01 ~]# hostname
worker01
[root@worker02 ~]# hostname
worker02

配置节点ip

[root@master01 ~]# nmcli connection modify "ens160" ipv4.method manual ipv4.addresses 192.168.213.41/24 ipv4.gateway 192.168.213.2 ipv4.dns "192.168.213.2"
[root@master01 ~]# nmcli connection up "ens160"
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[root@master02 ~]# nmcli connection modify "ens160" ipv4.method manual ipv4.addresses 192.168.213.42/24 ipv4.gateway 192.168.213.2 ipv4.dns "192.168.213.2"
[root@master02 ~]# nmcli connection up "ens160"
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[root@master03 ~]# nmcli connection modify "ens160" ipv4.method manual ipv4.addresses 192.168.213.43/24 ipv4.gateway 192.168.213.2 ipv4.dns "192.168.213.2"
[root@master03 ~]# nmcli connection up "ens160"
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[root@worker01 ~]# nmcli connection modify "ens160" ipv4.method manual ipv4.addresses 192.168.213.44/24 ipv4.gateway 192.168.213.2 ipv4.dns "192.168.213.2"
[root@worker01 ~]# nmcli connection up "ens160"
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[root@worker02 ~]# nmcli connection modify "ens160" ipv4.method manual ipv4.addresses 192.168.213.45/24 ipv4.gateway 192.168.213.2 ipv4.dns "192.168.213.2"
[root@worker02 ~]# nmcli connection up "ens160"
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)

关闭防火墙和设置selinux(所有节点都需要)

[root@master01 ~]# systemctl stop firewalld.service
[root@master01 ~]# systemctl disable firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
[root@master01 ~]# setenforce 0
[root@master01 ~]# sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

关闭swap(所有节点都需要)

[root@master01 ~]# sed -ri 's/.*swap.*/#&/' /etc/fstab
[root@master01 ~]# swapoff -a

配置epel源,并安装nginx、keepalived(只需要在master三个节点安装)

[root@master01 ~]# yum install epel-release
[root@master01 ~]# yum install nginx keepalived
[root@master01 ~]# cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
[root@master01 ~]# yum install nginx-mod-stream
[root@master01 ~]# cat /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
stream {
    log_format  main  '$remote_addr $upstream_addr - [$time_local] $status $upstream_bytes_sent';
    access_log  /var/log/nginx/k8s-access.log  main;
    upstream k8s-apiserver {
       server 192.168.213.41:6443;   # k8s-master01 APISERVER IP:PORT
       server 192.168.213.42:6443;   # k8s-master02 APISERVER IP:PORT
       server 192.168.213.43:6443;   # k8s-master03 APISERVER IP:PORT
    }

    server {
       listen 16443; # 由于nginx与master节点复用,这个监听端口不能是6443,否则会冲突
       proxy_pass k8s-apiserver;
    }
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    server {
        listen       80;
        listen       [::]:80;
        server_name  _;
        root         /usr/share/nginx/html;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        error_page 404 /404.html;
        location = /404.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
[root@master01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@master01 ~]# cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
[root@master01 ~]# cat /etc/keepalived/keepalived.conf
global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id NGINX_MASTER
}

vrrp_script check_nginx {
    script "/etc/keepalived/check_nginx.sh"
}

vrrp_instance VI_1 {
    state MASTER
    interface ens160  # 修改为实际网卡名
    mcast_src_ip 192.168.213.41
    virtual_router_id 51 # VRRP 路由 ID实例,每个实例是唯一的
    priority 100    # 优先级,备服务器设置 90
    advert_int 1    # 指定VRRP 心跳包通告间隔时间,默认1秒
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    # 虚拟IP
    virtual_ipaddress {
        192.168.213.40/24
    }
    track_script {
        check_nginx
    }
}
[root@master01 ~]# cat /etc/keepalived/check_nginx.sh
#!/bin/bash
count=$(ps -ef |grep nginx | grep sbin | egrep -cv "grep|$$")
if [ "$count" -eq 0 ];then
    systemctl stop keepalived
fi
[root@master01 ~]# chmod +x  /etc/keepalived/check_nginx.sh
[root@master01 ~]# systemctl daemon-reload && systemctl start nginx keepalived && systemctl enable nginx keepalived
[root@master02 ~]# yum install epel-release
[root@master02 ~]# yum install nginx keepalived
[root@master02 ~]# cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
[root@master02 ~]# yum install nginx-mod-stream
[root@master02 ~]# cat /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
stream {
    log_format  main  '$remote_addr $upstream_addr - [$time_local] $status $upstream_bytes_sent';
    access_log  /var/log/nginx/k8s-access.log  main;
    upstream k8s-apiserver {
       server 192.168.213.41:6443;   # k8s-master01 APISERVER IP:PORT
       server 192.168.213.42:6443;   # k8s-master02 APISERVER IP:PORT
       server 192.168.213.43:6443;   # k8s-master03 APISERVER IP:PORT
    }
    server {
       listen 16443; # 由于nginx与master节点复用,这个监听端口不能是6443,否则会冲突
       proxy_pass k8s-apiserver;
    }
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    server {
        listen       80;
        listen       [::]:80;
        server_name  _;
        root         /usr/share/nginx/html;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        error_page 404 /404.html;
        location = /404.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
[root@master02 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@master02 ~]# cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
[root@master02 ~]# cat /etc/keepalived/keepalived.conf
global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id NGINX_BACKUP
}

vrrp_script check_nginx {
    script "/etc/keepalived/check_nginx.sh"
}

vrrp_instance VI_1 {
    state BACKUP
    interface ens160
    mcast_src_ip 192.168.213.42
    virtual_router_id 51 # VRRP 路由 ID实例,每个实例是唯一的
    priority 99
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.213.40/24
    }
    track_script {
        check_nginx
    }
}
[root@master02 ~]# cat /etc/keepalived/check_nginx.sh
#!/bin/bash
count=$(ps -ef |grep nginx | grep sbin | egrep -cv "grep|$$")
if [ "$count" -eq 0 ];then
    systemctl stop keepalived
fi
[root@master02 ~]# chmod +x /etc/keepalived/check_nginx.sh
[root@master02 ~]# systemctl daemon-reload && systemctl start nginx keepalived && systemctl enable nginx keepalived
[root@master03 ~]# yum install epel-release
[root@master03 ~]# yum install nginx keepalived
[root@master03 ~]# cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
[root@master03 ~]# yum install nginx-mod-stream
[root@master03 ~]# cat /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
stream {
    log_format  main  '$remote_addr $upstream_addr - [$time_local] $status $upstream_bytes_sent';
    access_log  /var/log/nginx/k8s-access.log  main;
    upstream k8s-apiserver {
       server 192.168.213.41:6443;   # k8s-master01 APISERVER IP:PORT
       server 192.168.213.42:6443;   # k8s-master02 APISERVER IP:PORT
       server 192.168.213.43:6443;   # k8s-master03 APISERVER IP:PORT
    }

    server {
       listen 16443; # 由于nginx与master节点复用,这个监听端口不能是6443,否则会冲突
       proxy_pass k8s-apiserver;
    }
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    server {
        listen       80;
        listen       [::]:80;
        server_name  _;
        root         /usr/share/nginx/html;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        error_page 404 /404.html;
        location = /404.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
[root@master03 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@master03 ~]# cp /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
[root@master03 ~]# cat /etc/keepalived/keepalived.conf
global_defs {
   notification_email {
     acassen@firewall.loc
     failover@firewall.loc
     sysadmin@firewall.loc
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 127.0.0.1
   smtp_connect_timeout 30
   router_id NGINX_BACKUP
}

vrrp_script check_nginx {
    script "/etc/keepalived/check_nginx.sh"
}

vrrp_instance VI_1 {
    state BACKUP
    interface ens160
    mcast_src_ip 192.168.213.43
    virtual_router_id 51 # VRRP 路由 ID实例,每个实例是唯一的
    priority 98
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.213.40/24
    }
    track_script {
        check_nginx
    }
}
[root@master03 ~]# cat /etc/keepalived/check_nginx.sh
#!/bin/bash
count=$(ps -ef |grep nginx | grep sbin | egrep -cv "grep|$$")
if [ "$count" -eq 0 ];then
    systemctl stop keepalived
fi
[root@master03 ~]# chmod +x /etc/keepalived/check_nginx.sh
[root@master03 ~]# systemctl daemon-reload && systemctl start nginx keepalived && systemctl enable nginx keepalived

三个master节点配置完成后,查看vip情况
1

稍微通过stop掉nginx节点服务来验证是否继续提供服务

  • 当stop掉master01节点的nginx:
[root@master01 ~]# systemctl stop nginx

2

可以看见vip已经飘走,而且keepalived服务也已经挂掉:
3

可以在master02节点发现vip:
4

  • 当在master01节点上,启动nginx、keepalived服务后:
[root@master01 ~]# systemctl start nginx
[root@master01 ~]# systemctl start keepalived

vip已经飘回到master01节点了:
5

修改hosts解析(所有节点都进行配置)

[root@master01 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.213.41  master01
192.168.213.42  master02
192.168.213.43  master03
192.168.213.44  worker01
192.168.213.45  worker02

安装内核相关的包文件(所有节点都需要)

[root@master01 ~]# dnf install kernel-devel-$(uname -r)

启用内核模块配置桥接iptables(所有节点都需要)

[root@master01 ~]# modprobe br_netfilter
[root@master01 ~]# modprobe ip_vs
[root@master01 ~]# modprobe ip_vs_rr
[root@master01 ~]# modprobe ip_vs_wrr
[root@master01 ~]# modprobe ip_vs_sh
[root@master01 ~]# modprobe overlay

上面作用:加载kubernetes正常运行所必需的内核模块,通过加载这些模块,您可以确保服务器已为 Kubernetes 安装做好准备,并能有效地管理集群内的网络和负载均衡任务

[root@master01 ~]# cat > /etc/modules-load.d/kubernetes.conf << EOF
br_netfilter
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
overlay
EOF

这里是为了这些模块在系统启动时进行加载

[root@master01 ~]# cat > /etc/sysctl.d/kubernetes.conf << EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
  • net.bridge.bridge-nf-call-ip6tables:使iptables能够处理桥接的 IPv6 流量
  • net.bridge.bridge-nf-call-iptables:使 iptables 能够处理桥接的 IPv4 流量
  • net.ipv4.ip_forward:启用IPv4数据包转发

通过设置这些sysctl参数,可以确保系统配置正确,以支持 Kubernetes 网络需求以及集群内部的网络流量转发。这些设置对于 Kubernetes 网络组件的平稳运行至关重要

[root@master01 ~]# sysctl --system

以上就是k8s节点系统中相关的初始化配置,接下来就是其他的配置
这里还是使用docker作为k8s的容器运行,替代Containerd(所有节点都需要)

[root@master01 ~]# cd /etc/yum.repos.d/ && wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@master01 yum.repos.d]# cd
[root@master01 ~]# yum install docker-ce -y
[root@master01 ~]# systemctl start docker
[root@master01 ~]# systemctl enable docker
  • 给docker配置加速器
[root@master01 ~]# cat << EOF > /etc/docker/daemon.json
{
    "registry-mirrors": [
     "https://docker.1ms.run",
     "https://docker.aityp.com",
     "https://docker.m.daocloud.io"
     ]
}
EOF
[root@master01 ~]# systemctl daemon-reload
[root@master01 ~]# systemctl restart docker

安装cri-dockerd(所有节点都需要)

[root@master01 ~]# wget https://github.com/Mirantis/cri-dockerd/releases/download/v0.3.16/cri-dockerd-0.3.16.amd64.tgz
[root@master01 ~]# tar xf cri-dockerd-0.3.16.amd64.tgz
[root@master01 ~]# cp cri-dockerd/cri-dockerd /usr/bin/
[root@master01 ~]# cat /etc/systemd/system/cri-docker.service
[Unit]
Description=CRI Interface for Docker Application Container Engine
Documentation=https://docs.mirantis.com
After=network-online.target firewalld.service docker.service
Wants=network-online.target
Requires=cri-docker.socket
[Service]
Type=notify
ExecStart=/usr/bin/cri-dockerd --container-runtime-endpoint fd://
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
[root@master01 ~]# cat /etc/systemd/system/cri-docker.socket
[Unit]
Description=CRI Docker Socket for the API
PartOf=cri-docker.service
[Socket]
ListenStream=%t/cri-dockerd.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker
[Install]
WantedBy=sockets.target
[root@master01 ~]# systemctl enable cri-docker --now
Created symlink /etc/systemd/system/multi-user.target.wants/cri-docker.service → /etc/systemd/system/cri-docker.service.
[root@master01 ~]# systemctl enable cri-docker.socket --now
Created symlink /etc/systemd/system/sockets.target.wants/cri-docker.socket → /etc/systemd/system/cri-docker.socket.
[root@master01 ~]# systemctl status cri-docker

配置k8s repo(所有节点都需要)

[root@master01 ~]# cat << EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.35/rpm/
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.35/rpm/repodata/repomd.xml.key
exclude=kubelet kubeadm kubectl cri-tools kubernetes-cni
EOF

安装kubernetes相关软件

[root@master01 ~]# yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes

6

启用kubelet服务(所有节点)

[root@master01 ~]# systemctl enable --now kubelet.service

等到上面所有相关配置完成无误后,接下来就是k8s集群初始化阶段

  • master01节点:
[root@master01 ~]# kubeadm init --apiserver-advertise-address=192.168.213.40 --control-plane-endpoint 192.168.213.40:16443 --image-repository registry.aliyuncs.com/google_containers --service-cidr=10.96.0.0/16 --pod-network-cidr=10.244.0.0/16 --cri-socket unix:///var/run/cri-dockerd.sock

其中192.168.213.40是上面配置的vip,16443端口是nginx那里配置的监听端口
7

正常初始化无误如上图,接下来初始化其他mster节点
在其他master节点操作之前需要将master01上面的证书同步到其他mster节点上

[root@master02 ~]# mkdir /etc/kubernetes/pki
[root@master02 ~]# mkdir /etc/kubernetes/pki/etcd/
[root@master01 ~]# scp /etc/kubernetes/pki/ca.* master02:/etc/kubernetes/pki/
[root@master01 ~]# scp /etc/kubernetes/pki/sa.* master02:/etc/kubernetes/pki/
[root@master01 ~]# scp /etc/kubernetes/pki/front-proxy-c* master02:/etc/kubernetes/pki/
[root@master01 ~]# scp /etc/kubernetes/pki/etcd/ca.* master02:/etc/kubernetes/pki/etcd/
  • 完成这个同步后,接下来在master02节点上进行初始化
[root@master02 ~]# kubeadm join 192.168.213.40:16443 --token xwcjjp.jnl94i2ez1ej9ocm --discovery-token-ca-cert-hash sha256:2dcdcc678c105bff36d7f6614db324b1d871e836929e03897731f18df318b7c1 --control-plane --cri-socket unix:///var/run/cri-dockerd.sock

8

成功初始化如上

[root@master01 ~]# kubectl get nodes
NAME       STATUS     ROLES           AGE     VERSION
master01   NotReady   control-plane   8m17s   v1.35.1
master02   NotReady   control-plane   64s     v1.35.1
  • 接下来master03按照相同方式进行同步证书并初始化
[root@master03 ~]# mkdir /etc/kubernetes/pki
[root@master03 ~]# mkdir /etc/kubernetes/pki/etcd/
[root@master01 ~]# scp /etc/kubernetes/pki/ca.* master03:/etc/kubernetes/pki/
[root@master01 ~]# scp /etc/kubernetes/pki/sa.* master03:/etc/kubernetes/pki/
[root@master01 ~]# scp /etc/kubernetes/pki/etcd/ca.* master03:/etc/kubernetes/pki/etcd/
[root@master01 ~]# scp /etc/kubernetes/pki/front-proxy-c* master03:/etc/kubernetes/pki/

[root@master03 ~]# kubeadm join 192.168.213.40:16443 --token xwcjjp.jnl94i2ez1ej9ocm --discovery-token-ca-cert-hash sha256:2dcdcc678c105bff36d7f6614db324b1d871e836929e03897731f18df318b7c1 --control-plane --cri-socket unix:///var/run/cri-dockerd.sock

9

  • 当master所有节点都初始化完成后,然后添加worker节点:
[root@worker01 ~]# kubeadm join 192.168.213.40:16443 --token xwcjjp.jnl94i2ez1ej9ocm --discovery-token-ca-cert-hash sha256:2dcdcc678c105bff36d7f6614db324b1d871e836929e03897731f18df318b7c1 --cri-socket unix:///var/run/cri-dockerd.sock
[root@worker02 ~]# kubeadm join 192.168.213.40:16443 --token xwcjjp.jnl94i2ez1ej9ocm --discovery-token-ca-cert-hash sha256:2dcdcc678c105bff36d7f6614db324b1d871e836929e03897731f18df318b7c1 --cri-socket unix:///var/run/cri-dockerd.sock

添加worker两台节点后,集群状态如下

[root@master01 ~]# kubectl get nodes
NAME       STATUS     ROLES           AGE     VERSION
master01   NotReady   control-plane   15m     v1.35.1
master02   NotReady   control-plane   8m46s   v1.35.1
master03   NotReady   control-plane   2m52s   v1.35.1
worker01   NotReady   <none>          63s     v1.35.1
worker02   NotReady   <none>          54s     v1.35.1
  • 接下来安装网络插件calico,实现集群中各个 Pod 之间的联网,为 Calico 部署 Tigera Operator
[root@master01 ~]# wget https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/tigera-operator.yaml

部署如下:

[root@master01 ~]# kubectl create -f tigera-operator.yaml
namespace/tigera-operator created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgpfilters.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/caliconodestatuses.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipreservations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/apiservers.operator.tigera.io created
customresourcedefinition.apiextensions.k8s.io/imagesets.operator.tigera.io created
customresourcedefinition.apiextensions.k8s.io/installations.operator.tigera.io created
customresourcedefinition.apiextensions.k8s.io/tigerastatuses.operator.tigera.io created
serviceaccount/tigera-operator created
clusterrole.rbac.authorization.k8s.io/tigera-operator created
clusterrolebinding.rbac.authorization.k8s.io/tigera-operator created
deployment.apps/tigera-operator created

下载calico自定义资源清单

[root@master01 ~]# wget https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/custom-resources.yaml
[root@master01 ~]# sed -i 's/cidr: 192\.168\.0\.0\/16/cidr: 10.244.0.0\/16/g' custom-resources.yaml
[root@master01 ~]# kubectl create -f custom-resources.yaml
installation.operator.tigera.io/default created
apiserver.operator.tigera.io/default created

完成上面配置后,查看pod状态
10

至此高可用k8s集群1.35版本安装完成
查看集群信息

[root@master01 ~]# kubectl cluster-info
Kubernetes control plane is running at https://192.168.213.40:16443
CoreDNS is running at https://192.168.213.40:16443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

简单创建一个nginx应用实例

[root@master01 ~]# cat > nginx-deploy.yaml << 'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
EOF
[root@master01 ~]# kubectl create -f nginx-deploy.yaml
deployment.apps/nginx-deployment created
[root@master01 ~]# kubectl get pod
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-59f86b59ff-dhr7t   1/1     Running   0          31s

将部署的nginx应用暴露给外部网络

[root@master01 ~]# cat > nginx-svc.yaml << 'EOF'
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  type: NodePort
EOF
[root@master01 ~]# kubectl apply -f nginx-svc.yaml
service/nginx-service created

查看暴露的外部端口

[root@master01 ~]# kubectl get svc|grep nginx
nginx-service   NodePort    10.96.9.115   <none>        80:30934/TCP   36s

浏览器进行访问验证
11

]]> https://jsonhc.github.io/posts/1243066720/ 2026-03-01T13:00:00.000Z

本篇文章是在 CentOS9系统上安装高可用Kubernetes1.35集群

节点资源配置如下:

主机名 ip 内存 核]]> 在CentOS9上部署高可用 Kubernetes1.35集群 2026-03-01T13:49:11.709Z starttech

此篇文章主要介绍如何创建阿里云ACK集群,并部署简单的应用,通过域名进行访问

在阿里云控制平台创建ACK集群,负载均衡架构为ALB Ingress

ACK1

确认完配置,等待创建

ACK2

所有创建过程结束后,如下图
ACK3

通过workbench管理集群:
ACK5

创建测试应用

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: anolis-registry.cn-zhangjiakou.cr.aliyuncs.com/openanolis/nginx:1.14.1-8.6
        ports:
        - containerPort: 80
        resources:
          requests:
            memory: "128Mi"
            cpu: "100m"
          limits:
            memory: "256Mi"
            cpu: "200m"
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: default
spec:
  selector:
    app: nginx
  ports:
  - port: 80
    targetPort: 80
  type: ClusterIP

部署之后
application1
application2

创建 ALB Ingress 规则

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-alb-ingress
  namespace: default
  annotations:
    # 指定使用 ALB Ingress Class(必须)
    alb.ingress.kubernetes.io/switch: "true"
    
    # ALB 实例 ID(可选,不指定则自动创建新 ALB)
    # alb.ingress.kubernetes.io/id: "alb-xxxxxx"
    
    # 监听端口配置
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    
    # 是否自动创建 HTTPS 证书(使用阿里云 SSL 证书服务)
    alb.ingress.kubernetes.io/certificate-ids: "your-cert-id"  # 可选:已有证书 ID
    
    # 重写配置(可选)
    alb.ingress.kubernetes.io/rewrite-target: /
    
    # 健康检查配置
    alb.ingress.kubernetes.io/healthcheck-path: "/"
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "2"
    alb.ingress.kubernetes.io/healthy-threshold-count: "3"
    
spec:
  ingressClassName: alb  # 必须使用 alb
  rules:
  - host: www.jsonjsonstart.dpdns.org  # 替换为你的域名
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-service
            port:
              number: 80

ingress1

查看创建的ingress

alicloud:/# kubectl get ingress nginx-alb-ingress 
NAME                CLASS   HOSTS                         ADDRESS   PORTS   AGE
nginx-alb-ingress   alb     www.jsonjsonstart.dpdns.org             80      104s

查看 ALB 控制台
ALB1

访问测试

C:\Users\admin>curl -H "Host: www.jsonjsonstart.dpdns.org" http://alb-n2uzltobvzhbr32cq4.cn-hangzhou.alb.aliyuncsslb.com
C:\Users\admin>curl -H "Host: www.jsonjsonstart.dpdns.org" http://47.97.243.72/ --resolve www.jsonjsonstart.dpdns.org:80:47.97.243.72

将上面的DNS记录配置到自己的域名
由于我这里有一个空闲未使用的域名:jsonjsonstart.dpdns.org,然后到cloudflare平台设置dns记录
dns1

最后通过浏览器访问

result

由于该域名是免费申请的,未在国内备案,所以提示如上,但是验证应用访问是没有问题的

当然域名配置最好配置https:alb.ingress.kubernetes.io/certificate-ids: “your-cert-id”,去阿里云证书管理平台创建或者使用免费的证书机构cert-manager

]]> https://jsonhc.github.io/posts/1243066715/ 2026-02-28T12:44:00.000Z

此篇文章主要介绍如何创建阿里云ACK集群,并部署简单的应用,通过域名进行访问

各位技术爱好者们,大家好!本文是在 CentOS 9系统上安装 Kubernetes 。在本指南中,将一步步指导你完成集群的启动和运行,从安装到配置,全程无遗漏

先决条件

在开始安装过程之前,请确保您已具备以下先决条件:

  • 至少需要三个节点(一个主节点和两个工作节点),运行系统CentOS 9。
  • 每个节点至少应配备 2GB 内存和 2 个 CPU 核心。
  • 如果没有设置 DNS,则每个节点的配置/etc/hosts文件中配置各个节点的解析

本文是部署教程,所以只设置了master和node两台centos9系统的节点

主机名ip内存核心操作系统
master192.168.213.30164centos9
worker1192.168.213.31164centos9

在 CentOS9上安装Kubernetes集群

配置ip

  • master节点
[root@localhost ~]# nmcli connection modify "ens160" ipv4.method manual ipv4.addresses 192.168.213.30/24 ipv4.gateway 192.168.213.2 ipv4.dns "192.168.213.2"
[root@localhost ~]# nmcli connection up "ens160"
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
  • worker1节点
[root@localhost ~]# nmcli connection modify "ens160" ipv4.method manual ipv4.addresses 192.168.213.31/24 ipv4.gateway 192.168.213.2 ipv4.dns "192.168.213.2"
[root@localhost ~]# nmcli connection up "ens160"
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)

配置好ip后,设置hosts(两个节点都需要)

[root@master ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.213.30  master
192.168.213.31  worker1

配置主机名

[root@localhost ~]# hostnamectl set-hostname master
[root@localhost ~]# hostnamectl set-hostname worker1

关闭防火墙和设置selinux(两个节点都需要)

[root@master ~]# systemctl stop firewalld.service
[root@master ~]# systemctl disable firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
[root@master ~]# setenforce 0
[root@master ~]# sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

关闭swap(两个节点都需要)

[root@master ~]# sed -ri 's/.*swap.*/#&/' /etc/fstab
[root@master ~]# swapoff -a

配置aliyun源(两个节点都需要)

tee /etc/yum.repos.d/centos.repo > /dev/null << 'EOF'
[baseos]
name=CentOS Stream $releasever - BaseOS - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/BaseOS/x86_64/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=1
[baseos-debuginfo]
name=CentOS Stream $releasever - BaseOS Debuginfo - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/BaseOS/x86_64/debug/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0
[baseos-source]
name=CentOS Stream $releasever - BaseOS Source - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/BaseOS/source/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0
[appstream]
name=CentOS Stream $releasever - AppStream - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/AppStream/x86_64/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=1
[appstream-debuginfo]
name=CentOS Stream $releasever - AppStream Debuginfo - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/AppStream/x86_64/debug/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0
[appstream-source]
name=CentOS Stream $releasever - AppStream Source - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/AppStream/source/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0
EOF

安装内核相关的包文件(两个节点都需要)

[root@master ~]# dnf install kernel-devel-$(uname -r)

启用内核模块配置桥接iptables(两个节点都需要)

[root@master ~]# modprobe br_netfilter
[root@master ~]# modprobe ip_vs
[root@master ~]# modprobe ip_vs_rr
[root@master ~]# modprobe ip_vs_wrr
[root@master ~]# modprobe ip_vs_sh
[root@master ~]# modprobe overlay

上面作用:加载kubernetes正常运行所必需的内核模块,通过加载这些模块,您可以确保服务器已为 Kubernetes 安装做好准备,并能有效地管理集群内的网络和负载均衡任务

cat > /etc/modules-load.d/kubernetes.conf << EOF
br_netfilter
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
overlay
EOF

这里是为了这些模块在系统启动时进行加载

cat > /etc/sysctl.d/kubernetes.conf << EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
  • net.bridge.bridge-nf-call-ip6tables:使iptables能够处理桥接的 IPv6 流量
  • net.bridge.bridge-nf-call-iptables:使 iptables 能够处理桥接的 IPv4 流量
  • net.ipv4.ip_forward:启用IPv4数据包转发
    通过设置这些sysctl参数,可以确保系统配置正确,以支持 Kubernetes 网络需求以及集群内部的网络流量转发。这些设置对于 Kubernetes 网络组件的平稳运行至关重要
[root@master ~]# sysctl --system

以上就是k8s节点系统中相关的初始化配置,接下来就是其他的配置
这里还是使用docker作为k8s的容器运行,替代Containerd(两个节点都需要)

[root@master ~]# cd /etc/yum.repos.d/ && wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@master yum.repos.d]# cd
[root@master ~]# yum install docker-ce -y
[root@master ~]# systemctl start docker
[root@master ~]# systemctl status docker
[root@master ~]# systemctl enable docker
  • 配置docker加速
cat << EOF > /etc/docker/daemon.json
{
    "registry-mirrors": [
     "https://docker.1ms.run",
     "https://docker.aityp.com",
     "https://docker.m.daocloud.io"
     ]
}
systemctl daemon-reload
systemctl restart docker
  • 测试镜像下载
[root@worker1 ~]# docker pull nginx
  • 如果下载镜像还是有问题,建议docker做代理,或者离线下载好需要用到的镜像。docker代理配置:

[root@master ~]# mkdir -p /etc/systemd/system/docker.service.d
[root@master ~]# vim /etc/systemd/system/docker.service.d/http-proxy.conf
[root@master ~]# cat /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTPS_PROXY=http://192.168.3.31:7897"
[root@master ~]# systemctl daemon-reload
[root@master ~]# systemctl restart docker
[root@master ~]# systemctl show --property=Environment docker
Environment=HTTPS_PROXY=http://192.168.3.31:7897

安装cri-dockerd(两个节点都需要)

[root@master ~]# wget https://github.com/Mirantis/cri-dockerd/releases/download/v0.3.16/cri-dockerd-0.3.16.amd64.tgz
[root@master ~]# tar xf cri-dockerd-0.3.16.amd64.tgz
[root@master ~]# cp cri-dockerd/cri-dockerd /usr/bin/
[root@master ~]# systemctl enable cri-docker --now
[root@master ~]# systemctl enable cri-docker.socket --now
[root@master ~]# systemctl status cri-docker
  • 上面涉及的服务cri-docker.service、cri-docker.socket,服务文件如下

[root@master ~]# cat /etc/systemd/system/cri-docker.service
[Unit]
Description=CRI Interface for Docker Application Container Engine
Documentation=https://docs.mirantis.com
After=network-online.target firewalld.service docker.service
Wants=network-online.target
Requires=cri-docker.socket
[Service]
Type=notify
ExecStart=/usr/bin/cri-dockerd --container-runtime-endpoint fd://
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
[root@master ~]# cat /etc/systemd/system/cri-docker.socket
[Unit]
Description=CRI Docker Socket for the API
PartOf=cri-docker.service
[Socket]
ListenStream=%t/cri-dockerd.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker
[Install]
WantedBy=sockets.target

两个节点都验证cri-dockerd服务正常后,就可以继续接下来的操作了

安装kubernetes组件(两个节点都需要)

  • 配置kubernetes1.35版本仓库
cat << EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.35/rpm/
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.35/rpm/repodata/repomd.xml.key
exclude=kubelet kubeadm kubectl cri-tools kubernetes-cni
EOF
  • 安装 Kubernetes 软件包
yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes

该–disableexcludes=kubernetes标志确保在安装过程中不会排除 Kubernetes 存储库中的软件包

  • 启动并启用 kubelet 服务
[root@master ~]# systemctl enable --now kubelet.service

初始化Kubernetes控制平面(master节点操作)

[root@master ~]# kubeadm init --apiserver-advertise-address=192.168.213.30 --image-repository registry.aliyuncs.com/google_containers --service-cidr=10.96.0.0/16 --pod-network-cidr=10.244.0.0/16 --cri-socket unix:///var/run/cri-dockerd.sock

初始化过程

[root@master ~]# kubeadm init --apiserver-advertise-address=192.168.213.30 --image-repository registry.aliyuncs.com/google_containers --service-cidr=10.96.0.0/16 --pod-network-cidr=10.244.0.0/16 --cri-socket unix:///var/run/cri-dockerd.sock
[init] Using Kubernetes version: v1.35.0
[preflight] Running pre-flight checks
        [WARNING ContainerRuntimeVersion]: You must update your container runtime to a version that supports the CRI method RuntimeConfig. Falling back to using cgroupDriver from kubelet config will be removed in 1.36. For more information, see https://git.k8s.io/enhancements/keps/sig-node/4033-group-driver-detection-over-cri
        [WARNING SystemVerification]: kernel release 5.14.0-665.el9.x86_64 is unsupported. Supported LTS versions from the 5.x series are 5.4, 5.10 and 5.15. Any 6.x version is also supported. For cgroups v2 support, the recommended version is 5.10 or newer
        [WARNING Hostname]: hostname "master" could not be reached
        [WARNING Hostname]: hostname "master": lookup master on 192.168.213.2:53: no such host
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action beforehand using 'kubeadm config images pull'
W0131 22:35:18.560702   59468 checks.go:906] detected that the sandbox image "registry.k8s.io/pause:3.9" of the container runtime is inconsistent with that used by kubeadm. It is recommended to use "registry.aliyuncs.com/google_containers/pause:3.10.1" as the CRI sandbox image.
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local master] and IPs [10.96.0.1 192.168.213.30]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [localhost master] and IPs [192.168.213.30 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [localhost master] and IPs [192.168.213.30 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "super-admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/instance-config.yaml"
[patches] Applied patch of type "application/strategic-merge-patch+json" to target "kubeletconfiguration"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests"
[kubelet-check] Waiting for a healthy kubelet at http://127.0.0.1:10248/healthz. This can take up to 4m0s
[kubelet-check] The kubelet is healthy after 1.002242613s
[control-plane-check] Waiting for healthy control plane components. This can take up to 4m0s
[control-plane-check] Checking kube-apiserver at https://192.168.213.30:6443/livez
[control-plane-check] Checking kube-controller-manager at https://127.0.0.1:10257/healthz
[control-plane-check] Checking kube-scheduler at https://127.0.0.1:10259/livez
[control-plane-check] kube-controller-manager is healthy after 8.506861505s
[control-plane-check] kube-scheduler is healthy after 9.943662123s
[control-plane-check] kube-apiserver is healthy after 12.004015281s
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node master as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node master as control-plane by adding the taints [node-role.kubernetes.io/control-plane:NoSchedule]
[bootstrap-token] Using token: eydjwt.nrde0uu9mslzfc13
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
    export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
    https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.213.30:6443 --token eydjwt.nrde0uu9mslzfc13 \
        --discovery-token-ca-cert-hash sha256:288c17b1953041849daa0fd2f2c6ddf3d717c4ae994afbf555eef880e036228b

没有报错,执行结果很丝滑,按照提示做相关操作

[root@master ~]# mkdir -p $HOME/.kube
[root@master ~]# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@master ~]# sudo chown $(id -u):$(id -g) $HOME/.kube/config

查看node状态

[root@master ~]# kubectl get nodes
NAME     STATUS     ROLES           AGE     VERSION
master   NotReady   control-plane   2m41s   v1.35.0

master节点没问题后,加入工作节点worker1,通过提示的命令进行操作

[root@worker1 ~]# kubeadm join 192.168.213.30:6443 --token eydjwt.nrde0uu9mslzfc13 --discovery-token-ca-cert-hash sha256:288c17b1953041849daa0fd2f2c6ddf3d717c4ae994afbf555eef880e036228b --cri-socket unix:///var/run/cri-dockerd.sock

查看加入的worker1节点:

[root@master ~]# kubectl get nodes
NAME      STATUS     ROLES           AGE   VERSION
master    NotReady   control-plane   26m   v1.35.0
worker1   NotReady   <none>          35s   v1.35.0

安装网络插件calico

  • 实现集群中各个 Pod 之间的联网,为 Calico 部署 Tigera Operator
[root@master ~]# wget https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/tigera-operator.yaml
[root@master ~]# kubectl create -f tigera-operator.yaml
  • 下载自定义 Calico 资源清单
[root@master ~]# wget https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/custom-resources.yaml
[root@master ~]# sed -i 's/cidr: 192\.168\.0\.0\/16/cidr: 10.244.0.0\/16/g' custom-resources.yaml
  • 上面pod子网的修改是和之前kubeadm init初始化一致的
[root@master ~]# kubectl create -f custom-resources.yaml
installation.operator.tigera.io/default created
apiserver.operator.tigera.io/default created

验证工作节点

[root@master ~]# kubectl get nodes
NAME      STATUS   ROLES           AGE   VERSION
master    Ready    control-plane   37m   v1.35.0
worker1   Ready    <none>          12m   v1.35.0

至此kubernetes1.35集群安装成功,创建一个nginx应用进行测试

[root@master ~]# cat nginx-deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
    name: nginx-deployment
    labels:
    app: nginx
spec:
    replicas: 1
    selector:
    matchLabels:
        app: nginx
    template:
    metadata:
        labels:
        app: nginx
    spec:
        containers:
        - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80

然后进行部署

[root@master ~]# kubectl create -f nginx-deploy.yaml

查看部署的nginx的状态

[root@master ~]# kubectl get pod
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-59f86b59ff-hm8d5   1/1     Running   0          32s

将部署的应用暴露给外部网络

[root@master ~]# cat nginx-svc.yaml
apiVersion: v1
kind: Service
metadata:
    name: nginx-service
spec:
    selector:
    app: nginx
    ports:
    - protocol: TCP
        port: 80
        targetPort: 80
    type: NodePort
[root@master ~]# kubectl apply -f nginx-svc.yaml

查询服务状态

[root@master ~]# kubectl get svc
NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
kubernetes      ClusterIP   10.96.0.1      <none>        443/TCP        43m
nginx-service   NodePort    10.96.74.125   <none>        80:32694/TCP   4s

通过nodePort暴露的32694端口进行访问http://192.168.213.30:32694

本指南介绍了在 CentOS 9系统上安装 Kubernetes 的基本步骤

]]> https://jsonhc.github.io/posts/1243066713/ 2026-02-27T13:00:00.000Z

各位技术爱好者们,大家好!本文是在 CentOS 9系统上安装 Kubernetes 。在本指南中,将一步步指导你完成集群的启动和运行,从安装到配置,全程无遗漏

install k3s on centos9

配置aliyun仓库

tee /etc/yum.repos.d/centos.repo > /dev/null << 'EOF'
[baseos]
name=CentOS Stream $releasever - BaseOS - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/BaseOS/x86_64/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=1

[baseos-debuginfo]
name=CentOS Stream $releasever - BaseOS Debuginfo - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/BaseOS/x86_64/debug/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0

[baseos-source]
name=CentOS Stream $releasever - BaseOS Source - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/BaseOS/source/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0

[appstream]
name=CentOS Stream $releasever - AppStream - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/AppStream/x86_64/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=1

[appstream-debuginfo]
name=CentOS Stream $releasever - AppStream Debuginfo - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/AppStream/x86_64/debug/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0

[appstream-source]
name=CentOS Stream $releasever - AppStream Source - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/AppStream/source/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0
EOF

配置ip

nmcli connection modify "ens160" ipv4.method manual ipv4.addresses 192.168.213.110/24 ipv4.gateway 192.168.213.2 ipv4.dns "192.168.213.2"
nmcli connection up "ens160"

安装k3s

[root@localhost ~]# curl -sfL https://get.k3s.io | sh

k3s1

查看k3s状态

[root@localhost ~]# systemctl status k3s
[root@localhost ~]# kubectl get pod -A
[root@localhost ~]# crictl image ls
  • 由于下载的镜像网络原因,所以状态都是failed,需要修改镜像源加速

配置镜像源加速

[root@localhost ~]# cat <<EOF > /etc/rancher/k3s/registries.yaml
mirrors:
  "docker.io":
    endpoint:
      - "https://docker.1ms.run"
      - "https://docker-0.unsee.tech"
      - "https://registry-1.docker.io"
  "registry.k8s.io":
    endpoint:
      - "https://k8s.m.daocloud.io"
EOF
[root@localhost ~]# systemctl restart k3s
[root@localhost ~]# systemctl status k3s

k3s2

通过k3s部署nginx进行测试

[root@localhost ~]# cat nginx.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  ports:
    - protocol: TCP
      port: 8081
      targetPort: 80
  selector:
    app: nginx
  type: LoadBalancer
[root@localhost ~]# kubectl apply -f nginx.yaml
[root@localhost ~]# kubectl get pods
  • 当nginx部署成功后,通过如下进行访问

访问nginx服务

[root@localhost ~]# kubectl get svc
NAME         TYPE           CLUSTER-IP      EXTERNAL-IP       PORT(S)          AGE
kubernetes   ClusterIP      10.43.0.1       <none>            443/TCP          18m
nginx        LoadBalancer   10.43.179.184   192.168.213.110   8081:30768/TCP   56s

k3s3

设置k8s config

[root@localhost ~]# mkdir -p ~/.kube
[root@localhost ~]# cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
[root@localhost ~]# chown $(id -u):$(id -g) ~/.kube/config

安装helm

[root@localhost ~]# curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11929  100 11929    0     0  23810      0 --:--:-- --:--:-- --:--:-- 23810
[WARNING] Could not find git. It is required for plugin installation.
Downloading https://get.helm.sh/helm-v3.19.4-linux-amd64.tar.gz
Verifying checksum... Done.
Preparing to install helm into /usr/local/bin
helm installed into /usr/local/bin/helm

添加rancher repo

[root@localhost ~]# helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
[root@localhost ~]# kubectl create namespace cattle-system

安装cert-manager

[root@localhost ~]# kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
[root@localhost ~]# kubectl create namespace cert-manager
namespace/cert-manager created
[root@localhost ~]# helm repo add jetstack https://charts.jetstack.io
"jetstack" has been added to your repositories
[root@localhost ~]# helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "jetstack" chart repository
...Successfully got an update from the "rancher-stable" chart repository
Update Complete. ⎈Happy Helming!⎈
[root@localhost ~]# helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.11.01

k3s4

安装rancher

[root@localhost ~]# helm install rancher rancher-stable/rancher   --namespace cattle-system   --set hostname=rancher.kolukisa.org   --set bootstrapPassword=admin   --set ingress.tls.source=letsEncrypt   --set letsEncrypt.email=mail@kolukisa.org  --set replicas=1

k3s5

  • 安装完成后如下

k3s6

  • 将rancher的暴露方式修改为LoadBalancer
kubectl -n cattle-system edit svc rancher
  • 将type: ClusterIP修改为LoadBalancer,将443端口修改为8443,port: 80修改为8080
[root@localhost ~]# kubectl -n cattle-system get svc
NAME                        TYPE           CLUSTER-IP      EXTERNAL-IP       PORT(S)                         AGE
cm-acme-http-solver-jmrjt   NodePort       10.43.212.21    <none>            8089:31676/TCP                  12m
imperative-api-extension    ClusterIP      10.43.131.234   <none>            6666/TCP                        11m
rancher                     LoadBalancer   10.43.14.7      192.168.213.110   8080:31266/TCP,8443:32137/TCP   13m
rancher-webhook             ClusterIP      10.43.215.43    <none>            443/TCP                         9m29s
[root@localhost ~]# kubectl -n cattle-system get ingress
NAME                        CLASS     HOSTS                  ADDRESS           PORTS     AGE
cm-acme-http-solver-47h5w   traefik   rancher.kolukisa.org   192.168.213.110   80        12m
rancher                     traefik   rancher.kolukisa.org   192.168.213.110   80, 443   13m

访问方式

  • 通过ip+port访问

k3s7

  • 通过域名访问

k3s8

]]> https://jsonhc.github.io/posts/1243066710/ 2026-02-25T16:00:00.000Z install k3s on centos9

install microk8s on centos9

配置aliyun仓库

tee /etc/yum.repos.d/centos.repo > /dev/null << 'EOF'
[baseos]
name=CentOS Stream $releasever - BaseOS - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/BaseOS/x86_64/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=1

[baseos-debuginfo]
name=CentOS Stream $releasever - BaseOS Debuginfo - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/BaseOS/x86_64/debug/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0

[baseos-source]
name=CentOS Stream $releasever - BaseOS Source - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/BaseOS/source/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0

[appstream]
name=CentOS Stream $releasever - AppStream - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/AppStream/x86_64/os/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=1

[appstream-debuginfo]
name=CentOS Stream $releasever - AppStream Debuginfo - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/AppStream/x86_64/debug/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0

[appstream-source]
name=CentOS Stream $releasever - AppStream Source - mirrors.aliyun.com
baseurl=https://mirrors.aliyun.com/centos-stream/9-stream/AppStream/source/tree/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
enabled=0
EOF

配置ip

nmcli connection modify "ens160" ipv4.method manual ipv4.addresses 192.168.213.110/24 ipv4.gateway 192.168.213.2 ipv4.dns "192.168.213.2"
nmcli connection up "ens160"

系统初始化

[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# systemctl disable firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
[root@localhost ~]# setenforce 0
[root@localhost ~]# sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# modprobe ip_tables
[root@localhost ~]# modprobe ip_conntrack
[root@localhost ~]# modprobe iptable_filter
[root@localhost ~]# modprobe ipt_state

使用snap安装microk8s

  • 安装snap
[root@localhost ~]# yum install epel-release
[root@localhost ~]# yum install snapd
[root@localhost ~]# systemctl enable --now snapd.socket
[root@localhost ~]# ln -s /var/lib/snapd/snap /snap
  • 安装microk8s
[root@localhost ~]# snap install microk8s --classic
[root@localhost ~]# snap install microk8s --classic
2026-01-21T21:59:26+08:00 INFO Waiting for automatic snapd restart...
Warning: /var/lib/snapd/snap/bin was not found in your $PATH. If you've not restarted your session
         since you installed snapd, try doing that. Please see https://forum.snapcraft.io/t/9469
         for more details.

microk8s (1.32/stable) v1.32.9 from Canonical✓ installed
  • MicroK8s 会创建一个用户组,以便无缝使用需要管理员权限的命令。要将当前用户添加到该用户组并获得对 .kube 缓存目录的访问权限
[root@localhost ~]# usermod -a -G microk8s $USER
[root@localhost ~]# mkdir -p ~/.kube
[root@localhost ~]# chmod 0700 ~/.kube
[root@localhost ~]# su - $USER
  • 检查microk8s状态
[root@localhost ~]# microk8s status
[root@localhost ~]# microk8s kubectl get pod -A
[root@localhost ~]# microk8s kubectl get nodes

1

[root@localhost ~]# journalctl -u snap.microk8s.daemon-kubelite -n 100 -f
[root@localhost ~]# systemctl status snap.microk8s.daemon-containerd

可以看见下载registry.k8s.io/pause:3.10镜像失败,由systemctl status snap.microk8s.daemon-containerd命令找到容器加速配置
/var/snap/microk8s/current/args/containerd-template.toml

  • 为microk8s配置镜像源加速
[root@localhost ~]# ll /var/snap/microk8s/current/args/certs.d/
[root@localhost ~]# mkdir -p /var/snap/microk8s/current/args/certs.d/registry.k8s.io
[root@localhost ~]# cat /var/snap/microk8s/current/args/certs.d/registry.k8s.io/hosts.toml
server = "https://registry.k8s.io"

[host."https://k8s.m.daocloud.io"]
  capabilities = ["pull", "resolve"]
  skip_verify = false
[host."https://mirror.azure.cn"]
  capabilities = ["pull", "resolve"]
  skip_verify = false
[host."https://registry-1.docker.io"]
  capabilities = ["pull", "resolve"]
  skip_verify = false
[root@localhost ~]# cat /var/snap/microk8s/current/args/certs.d/docker.io/hosts.toml
server = "https://docker.io"

[host."https://docker.1ms.run"]
  capabilities = ["pull", "resolve"]
[root@localhost ~]# snap restart microk8s
  • 查看下载的镜像:
[root@localhost ~]# microk8s ctr images ls
  • microk8s状态:
[root@localhost ~]# microk8s kubectl get pod -A
NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
kube-system   calico-kube-controllers-5947598c79-92cff   1/1     Running   0          12m
kube-system   calico-node-k2qsr                          1/1     Running   0          12m
kube-system   coredns-79b94494c7-jl6rk                   1/1     Running   0          12m
[root@localhost ~]# microk8s kubectl get nodes
NAME                    STATUS   ROLES    AGE   VERSION
localhost.localdomain   Ready    <none>   12m   v1.32.9
  • 启用基础插件
[root@localhost ~]# microk8s enable dns
Infer repository core for addon dns
Addon core/dns is already enabled
[root@localhost ~]# microk8s enable hostpath-storage
Infer repository core for addon hostpath-storage
Enabling default storage class.
WARNING: Hostpath storage is not suitable for production environments.
         A hostpath volume can grow beyond the size limit set in the volume claim manifest.

deployment.apps/hostpath-provisioner created
storageclass.storage.k8s.io/microk8s-hostpath created
serviceaccount/microk8s-hostpath created
clusterrole.rbac.authorization.k8s.io/microk8s-hostpath created
clusterrolebinding.rbac.authorization.k8s.io/microk8s-hostpath created
Storage will be available soon.
[root@localhost ~]# microk8s kubectl get sc
NAME                          PROVISIONER            RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
microk8s-hostpath (default)   microk8s.io/hostpath   Delete          WaitForFirstConsumer   false                  5s

更多插件:https://canonical.com/microk8s/docs/addons

microk8s集群添加Worker节点

  • 新增worker节点并安装好microk8s集群,版本需要一致
[root@localhost ~]# microk8s kubectl get nodes
NAME                    STATUS   ROLES    AGE   VERSION
localhost.localdomain   Ready    <none>   90m   v1.32.9

[root@localhost ~]# snap install microk8s --classic --channel=1.32
2026-01-21T23:43:08+08:00 INFO Waiting for automatic snapd restart...
Warning: /var/lib/snapd/snap/bin was not found in your $PATH. If you've not restarted your session
         since you installed snapd, try doing that. Please see https://forum.snapcraft.io/t/9469
         for more details.

microk8s (1.32/stable) v1.32.9 from Canonical✓ installed
[root@localhost ~]# hostnamectl set-hostname microk8s-worker
[root@microk8s-worker ~]# microk8s kubectl get nodes
NAME                    STATUS     ROLES    AGE     VERSION
localhost.localdomain   NotReady   <none>   2m41s   v1.32.9
  • worker节点配置镜像加速,参考上面
[root@microk8s-worker ~]# microk8s kubectl get nodes
NAME                    STATUS     ROLES    AGE     VERSION
localhost.localdomain   NotReady   <none>   7m34s   v1.32.9
microk8s-worker         Ready      <none>   2m44s   v1.32.9
[root@microk8s-worker ~]# microk8s remove-node localhost.localdomain
[root@microk8s-worker ~]# microk8s kubectl get nodes
NAME              STATUS   ROLES    AGE     VERSION
microk8s-worker   Ready    <none>   2m55s   v1.32.9
[root@microk8s-worker ~]# microk8s kubectl get pod -A
NAMESPACE     NAME                                       READY   STATUS     RESTARTS   AGE
kube-system   calico-kube-controllers-5947598c79-zp6wc   1/1     Running    0          7m41s
kube-system   calico-node-h2rzw                          1/1     Running    0          116s
kube-system   coredns-79b94494c7-zpd9n                   1/1     Running    0          7m41s
  • 从192.168.213.110上添加worker节点192.168.213.111
    获取token添加方式:
[root@localhost ~]# microk8s add-node
From the node you wish to join to this cluster, run the following:
microk8s join 192.168.213.110:25000/3261736fb5043b8367253a69ee907dc5/7f32c8813166

Use the '--worker' flag to join a node as a worker not running the control plane, eg:
microk8s join 192.168.213.110:25000/3261736fb5043b8367253a69ee907dc5/7f32c8813166 --worker

If the node you are adding is not reachable through the default interface you can use one of the following:
microk8s join 192.168.213.110:25000/3261736fb5043b8367253a69ee907dc5/7f32c8813166
  • 在worker节点上操作如下:
[root@microk8s-worker ~]# microk8s kubectl get nodes
NAME              STATUS   ROLES    AGE    VERSION
microk8s-worker   Ready    <none>   4m3s   v1.32.9
[root@microk8s-worker ~]# microk8s join 192.168.213.110:25000/3261736fb5043b8367253a69ee907dc5/7f32c8813166 --worker
Contacting cluster at 192.168.213.110

The node has joined the cluster and will appear in the nodes list in a few seconds.

This worker node gets automatically configured with the API server endpoints.
If the API servers are behind a loadbalancer please set the '--refresh-interval' to '0s' in:
    /var/snap/microk8s/current/args/apiserver-proxy
and replace the API server endpoints with the one provided by the loadbalancer in:
    /var/snap/microk8s/current/args/traefik/provider.yaml

Successfully joined the cluster.

添加成功后,在110节点上查询

[root@localhost ~]# microk8s kubectl get nodes
NAME                    STATUS   ROLES    AGE    VERSION
localhost.localdomain   Ready    <none>   138m   v1.32.9
microk8s-worker         Ready    <none>   21s    v1.32.9

2

特别注意:在 MicroK8s 集群中,所有集群级别的管理操作,都需要在 Master 节点(即控制平面节点)上执行。Worker 节点的职责是运行工作负载,而不是管理集群本身
所以启用插件只需要在master节点操作就行,如果master事先已经启用了某些插件,那么加入的worker后就不需要再次启用了

[root@localhost ~]# microk8s enable dns
Infer repository core for addon dns
Addon core/dns is already enabled
[root@localhost ~]# microk8s enable hostpath-storage
Infer repository core for addon hostpath-storage
Addon core/hostpath-storage is already enabled
]]> https://jsonhc.github.io/posts/1243066712/ 2026-02-25T16:00:00.000Z install microk8s on centos9]]> install microk8s on centos9 2026-03-01T13:49:11.709Z