A first taste of k8s with cri-o

cri-o

A lightweight container runtime for Kubernetes

Installing cri-o

Add the package repo as /etc/yum.repos.d/cri-o.repo (the directory is yum.repos.d). Both sections keep gpgcheck=1 and fetch the key over https; the second one pins cri-o 1.24 to match the Kubernetes 1.24.7 installed later.

[devel_kubic_libcontainers_stable]
name=Stable Releases of Upstream github.com/containers packages (CentOS_7)
type=rpm-md
baseurl=https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/
gpgcheck=1
gpgkey=https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/repodata/repomd.xml.key
enabled=1


[devel_kubic_libcontainers_stable_cri-o_1.24]
name=devel:kubic:libcontainers:stable:cri-o:1.24 (CentOS_7)
type=rpm-md
baseurl=https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.24/CentOS_7/
gpgcheck=1
gpgkey=https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.24/CentOS_7/repodata/repomd.xml.key
enabled=1

Install

yum install cri-o

Installing kubernetes

Host preparation

Put SELinux in permissive mode. This is what the upstream kubeadm install guide does so that containers can reach host paths used by pod networking; it effectively disables enforcement, so treat it as a setup shortcut rather than a hardening decision.

# Set SELinux in permissive mode (effectively disabling it)
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

Kernel modules

cat <<EOF | tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF

modprobe overlay
modprobe br_netfilter

Kernel parameters

# sysctl params required by setup, params persist across reboots
cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
EOF

# Apply sysctl params without reboot
sysctl --system

Install

Add the package repo. (The packages.cloud.google.com repository used here is the legacy Google-hosted one; it has since been deprecated in favour of the community-owned pkgs.k8s.io, so on a current system point the repo there instead.)

cat <<EOF | tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF

Install and start

yum install kubelet-1.24.7 kubeadm-1.24.7 kubectl-1.24.7 --disableexcludes=kubernetes

sysctl -p /etc/sysctl.d/k8s.conf

systemctl enable --now crio
systemctl enable --now kubelet
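Before moving on to kubeadm init, the prerequisites above (signed https-only repos, the sysctl values, the two kernel modules, the persisted SELinux mode and the cri-o socket) are worth checking mechanically rather than by eye. The script below is an added example and not code from the original post. Each check function defaults to the real path used above but accepts a file argument, and write_samples writes constructed sample files (the section names, the plain-http mirror URL and the /proc/modules lines in it are made up) so the checks can be exercised offline.

```shell
#!/usr/bin/env bash
# Added pre-flight checks for the cri-o + kubeadm host prepared above (example
# code, not from the original post). Each check takes an optional file argument
# so it can run against the real file or the constructed samples below.

# 1. Every [section] of a yum .repo file must set gpgcheck=1 and fetch both
#    baseurl and gpgkey over https; otherwise an on-path attacker can serve
#    substituted packages or a substituted signing key.
repo_is_hardened() {
    awk '
        function check() {
            if (gpg != "1" || base !~ /^https:\/\// || key !~ /^https:\/\//) {
                bad++; print "weak repo section " sec " in " FILENAME > "/dev/stderr"
            }
        }
        { sub(/[[:space:]]+$/, "") }
        /^\[/        { if (sec != "") check(); sec = $0; gpg = ""; base = ""; key = ""; next }
        /^gpgcheck=/ { gpg  = substr($0, 10) }
        /^baseurl=/  { base = substr($0, 9) }
        /^gpgkey=/   { key  = substr($0, 8) }
        END          { if (sec != "") check(); exit (bad > 0) }
    ' "$1"
}

# 2. The sysctl file must set the three parameters kubeadm relies on to 1.
sysctl_conf_ok() {
    local file=$1 k rc=0
    for k in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.ipv4.ip_forward; do
        awk -F= -v want="$k" '
            { gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
            $1 == want && $2 == "1" { found = 1 }
            END { exit !found }' "$file" ||
            { echo "sysctl $k is not set to 1 in $file" >&2; rc=1; }
    done
    return $rc
}

# 3. overlay and br_netfilter must be loaded. Reads /proc/modules by default;
#    a kernel with overlayfs built in (not a module) will not list it there.
modules_loaded() {
    local modfile=${1:-/proc/modules} m rc=0
    for m in overlay br_netfilter; do
        grep -q "^$m " "$modfile" || { echo "kernel module not loaded: $m" >&2; rc=1; }
    done
    return $rc
}

# 4. Print the persisted SELinux mode (what applies after the next reboot).
selinux_config_mode() {
    awk -F= '/^SELINUX=/ { print $2 }' "${1:-/etc/selinux/config}"
}

# 5. kubeadm init is pointed at the cri-o socket, so it must exist first.
crio_socket_present() {
    [ -S "${1:-/var/run/crio/crio.sock}" ]
}

# Constructed sample inputs (not real system files): one hardened repo, one
# weak one, the sysctl file from the post, a fake /proc/modules, SELinux config.
write_samples() {
    local dir=$1
    cat > "$dir/good.repo" <<'EOF'
[kubernetes]
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-$basearch
enabled=1
gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF
    cat > "$dir/weak.repo" <<'EOF'
[local-mirror]
baseurl=http://mirror.example.invalid/centos7/
gpgcheck=0
enabled=1
EOF
    cat > "$dir/k8s.conf" <<'EOF'
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
EOF
    printf 'overlay 139264 0 - Live 0x0000000000000000\nbr_netfilter 28672 0 - Live 0x0000000000000000\n' > "$dir/modules"
    printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$dir/selinux.config"
}

# Run every check against the real host; exit non-zero if anything is off.
preflight() {
    local rc=0 f
    for f in /etc/yum.repos.d/cri-o.repo /etc/yum.repos.d/kubernetes.repo; do
        repo_is_hardened "$f" || rc=1
    done
    sysctl_conf_ok /etc/sysctl.d/k8s.conf || rc=1
    modules_loaded || rc=1
    crio_socket_present || { echo "cri-o socket missing; is crio running?" >&2; rc=1; }
    echo "SELinux mode in config: $(selinux_config_mode)"
    return $rc
}

case "${1:-}" in run) preflight ;; esac
```

Run it on the node as `bash preflight.sh run`; each failing check names what is wrong on stderr and the script exits non-zero, so it can gate the kubeadm init step in an automation pipeline.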

Starting k8s

Initialize k8s ($CIDR below is the pod network CIDR you choose)

--skip-phases=addon/kube-proxy: set this according to your own needs. I skip it because I use cilium to replace k8s's kube-proxy.

kubeadm init --kubernetes-version=v1.24.7 --pod-network-cidr=$CIDR --cri-socket=unix:///var/run/crio/crio.sock --skip-phases=addon/kube-proxy

Download the cilium CLI (the release tarball is verified against its published sha256sum before it is unpacked)

CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/master/stable.txt)
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}

Install the CNI network. Because kube-proxy was skipped, k8sServiceHost and k8sServicePort must point at the API server; devices, nodePort.directRoutingDevice and ipv4NativeRoutingCIDR are specific to this node's network and need replacing with your own values.

cilium install \
  --helm-set tunnel=disabled \
  --helm-set bpf.masquerade=true \
  --helm-set bpf.clockProbe=true \
  --helm-set bpf.waitForMount=true \
  --helm-set bpf.preallocateMaps=true \
  --helm-set bpf.tproxy=true \
  --helm-set bpf.hostRouting=false \
  --helm-set autoDirectNodeRoutes=true \
  --helm-set localRedirectPolicy=true \
  --helm-set enableCiliumEndpointSlice=true \
  --helm-set enableK8sEventHandover=true \
  --helm-set enableK8sEndpointSlice=true \
  --helm-set wellKnownIdentities.enabled=true \
  --helm-set sockops.enabled=true \
  --helm-set bandwidthManager=true \
  --helm-set hubble.enabled=false \
  --helm-set installNoConntrackIptablesRules=true \
  --helm-set egressGateway.enabled=true \
  --helm-set endpointRoutes.enabled=false \
  --helm-set kubeProxyReplacement=strict \
  --helm-set loadBalancer.mode=dsr \
  --helm-set nodePort.mode=dsr \
  --helm-set nodePort.directRoutingDevice=eth0 \
  --helm-set devices=eth0 \
  --helm-set k8sServiceHost=10.0.0.3 \
  --helm-set k8sServicePort=6443 \
  --helm-set ipv4NativeRoutingCIDR=172.26.131.117/32

Finish

Check that every pod across all namespaces reaches Running

kubectl get pod -A