Ubuntu 20.04 kubernetes install

kubernetes 구축과 container에 대한 학습을 위해 간단히 설치부터 테스트 했습니다.

참고하면서 봤던 글들이 너무 뒤죽박죽이어서 나름데로 정리를 다시 했으나 그럼에도 미흡한 부분이 있을 수 있습니다.

 

* 모두 root 계정으로 구성하였습니다. 

hostname	ip	role	resource
k8s-master	192.168.130.131/23	control-plane, master	Disk 30GB, 2Core, 4GB M
k8s-worker1	192.168.130.132/23	worker	Disk 30GB, 2Core, 4GB M
k8s-worker2	192.168.130.133/23	worker	Disk 30GB, 2Core, 4GB M

1. master node

1. hosts 설정

$ hostnamectl set-hostname [name]

$ cat <<EOF >> /etc/hosts
192.168.130.131 k8s-master
192.168.130.132 k8s-worker1
192.168.130.133 k8s-worker2
EOF

1. 방화벽 설정

## 방화벽 설정 확인
$ ufw status
Status: active

## 방확벽 disable
$ ufw disable
Firewall stopped and disabled on system startup

1. 저장소 설정 및 docker , containerd 설치

$ apt-get update  -> 설치 가능한 패키지 리스트를 최신화
$ apt-get upgrade -> 실제 업데이트
$ apt-get install ca-certificates curl gnupg lsb-release

## docker 공식 gpg key 추가
$ curl -fsSL <https://download.docker.com/linux/ubuntu/gpg> | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
$ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] <https://download.docker.com/linux/ubuntu> $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

## docker engine 및 containerd 설치
$ apt-get update
$ apt-get install docker-ce docker-ce-cli containerd.io

## docker version 확인
$ docker version
Client: Docker Engine - Community
 Version:           23.0.0
...
Server: Docker Engine - Community
 Engine:
  Version:          23.0.0
...

## Docker log 사이즈 지정
$ mkdir -p /etc/docker
$ cat <

1. kubernetes 설치 전 환경설정

## iptables가 브릿지된 트래픽을 바라보게 하기
$ cat <<EOF | tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF

$ cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF

$ sysctl --system

1. swap off

$ swapoff -a
$ vi /etc/fstab
## swap 부분 주석처리

1. master node에서 port 확인

## 6443, 8080 port 사용 확인, 사용중인 서비스가 없어야함
## kubernetes api 서버는 http서비스를 위해 6443, 8080 port를 사용
## 8080 port : 스트 및 부트스트랩을 하기 위한 것이며 마스터 노드의 다른 구성요소 (스케줄러, 컨트롤러 매니저)가 API와 통신
## 6443 port : TLS를 사용한다. --tls-cert-file 플래그로 인증서를 지정하고 --tls-private-key-file 플래그로 키를 지정한다

$ telnet [master ip] 6443

1. kubectl, kubeadm, kubelet 설치

## 저장소 업데이트 및 필수 패키지 추가
$ apt-get update
$ apt-get install apt-transport-https ca-certificates curl

## google cloud public key 다운로드 및 kubernetes 저장소 추가
$ curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg <https://packages.cloud.google.com/apt/doc/apt-key.gpg>
$ echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] <https://apt.kubernetes.io/> kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list

$ apt-get update
$ apt-get install kubelet kubeadm kubectl

$ apt-mark hold kubelet kubeadm kubectl

## kubernetes 서비스 등록 및 재시작 수행
$ systemctl daemon-reload
$ systemctl restart kubelet

1. ip_forward 설정

## 네트워크 인터페이스 간 패킷 교환여부를 설정하는 옵션값으로 디폴트값은 0, NO FORWARD를 의미
## 1로 변경하면 network 간 패킷 통신이 가능
$ echo 1 | tee /proc/sys/net/ipv4/ip_forward

1. control plane 구성 - master node

(1) control plane 구성

$ kubeadm init
...
kubeadm join 192.168.130.131:6443 --token 5vq2ed.7rzhrrg97ezalngh \\
        --discovery-token-ca-cert-hash sha256:f53f8fdbbc1efc5979a020ce8d8d8b61f8a78396c1f2bd393b59ac3c11a0df6b

## 마지막 token 부분은 별도로 저장해야

## kubeadm init 에러 발생시(1)
containerd 데몬에서 cri 옵션이 버그를 야기시키는 것처럼 보임, 1.3.7 버전 이상에서 문제 발생
$  kubeadm init
[init] Using Kubernetes version: v1.26.1
[preflight] Running pre-flight checks
error execution phase preflight: [preflight] Some fatal errors occurred:
        [ERROR CRI]: container runtime is not running: output: time="2023-02-01T07:29:46Z" level=fatal msg="validate service connection: CRI v1 runtime API is not implemented for endpoint \\"unix:///var/run/containerd/containerd.sock\\": rpc error: code = Unimplemented desc = unknown service runtime.v1.RuntimeService"
, error: exit status 1
        [ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables does not exist
[preflight] If you know what you are doing, you can make a check non-fatal with `--ignore-preflight-errors=...`
To see the stack trace of this error execute with --v=5 or higher

## 아래 명령어 수행하여 초기화, init 재실행
$ rm /etc/containerd/config.toml
systemctl restart containerd.service

## kubeadm init 에러 발생시(2)
br_netfilter 모듈이 로드 되지 않아서 발생
$  kubeadm init
[init] Using Kubernetes version: v1.26.1
[preflight] Running pre-flight checks
error execution phase preflight: [preflight] Some fatal errors occurred:
        [ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables does not exist
[preflight] If you know what you are doing, you can make a check non-fatal with `--ignore-preflight-errors=...`
To see the stack trace of this error execute with --v=5 or higher

## 아래 명령어 수행 후 init 재실행
$ modprobe br_netfilter 

(2) 권한 설정

## root와 일반 user가 쿠버네티스 명령어를 사용할 수 있도록 설정
# root 유저로 수행시
$ export KUBECONFIG=/etc/kubernetes/admin.conf

# 일반 유저로 명령어 수행 시
$ mkdir -p $HOME/.kube

## admin.conf 파일은 kubelet 설치 시 생성
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config

(3) CNI 설치 (master node)

## pod network add-on 설치(calico, canal, flannel, romana, weave net 등)
## weave net 구성시에는 tcp 6783, udp 6783/6784 방화벽 차단 되면 안됨

$ kubectl apply -f <https://github.com/weaveworks/weave/releases/download/v2.8.1/weave-daemonset-k8s.yaml>
## 실행결과
serviceaccount/weave-net created
clusterrole.rbac.authorization.k8s.io/weave-net created
clusterrolebinding.rbac.authorization.k8s.io/weave-net created
role.rbac.authorization.k8s.io/weave-net created
rolebinding.rbac.authorization.k8s.io/weave-net created
daemonset.apps/weave-net created

## 참고링크
weaveworks: <https://www.weave.works/docs/net/latest/kubernetes/kube-addon/>

(4) weave-net pod 구동 확인

$ kubectl get pods --all-namespaces
NAMESPACE     NAME                                 READY   STATUS    RESTARTS      AGE
kube-system   coredns-787d4945fb-frc8t             1/1     Running   0             44h
kube-system   coredns-787d4945fb-mxdk6             1/1     Running   0             44h
kube-system   etcd-k8s-master                      1/1     Running   1 (28m ago)   44h
kube-system   kube-apiserver-k8s-master            1/1     Running   1 (28m ago)   44h
kube-system   kube-controller-manager-k8s-master   1/1     Running   1 (28m ago)   44h
kube-system   kube-proxy-s9hj7                     1/1     Running   1 (28m ago)   44h
kube-system   kube-scheduler-k8s-master            1/1     Running   1 (28m ago)   44h
kube-system   weave-net-b8g94                      2/2     Running   1 (23m ago)   23m

1. Worker node

1. hosts 설정

$ hostnamectl set-hostname [name]

$ cat <<EOF >> /etc/hosts
192.168.130.131 k8s-master
192.168.130.132 k8s-worker1
192.168.130.133 k8s-worker2
EOF

1. 방화벽 설정

## 방화벽 설정 확인
$ ufw status
Status: active

## 방확벽 disable
$ ufw disable
Firewall stopped and disabled on system startup

1. 저장소 설정 및 docker , containerd 설치

$ apt-get update  -> 설치 가능한 패키지 리스트를 최신화
$ apt-get upgrade -> 실제 업데이트
$ apt-get install ca-certificates curl gnupg lsb-release

## docker 공식 gpg key 추가
$ curl -fsSL <https://download.docker.com/linux/ubuntu/gpg> | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
$ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] <https://download.docker.com/linux/ubuntu> $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

## docker engine 및 containerd 설치
$ apt-get update
$ apt-get install docker-ce docker-ce-cli containerd.io

## docker version 확인
$ docker version
Client: Docker Engine - Community
 Version:           23.0.0
...
Server: Docker Engine - Community
 Engine:
  Version:          23.0.0
...

## Docker log 사이즈 지정
$ mkdir -p /etc/docker
$ cat <

1. kubernetes 설치 전 환경설정

## iptables가 브릿지된 트래픽을 바라보게 하기
$ cat <<EOF | tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF

$ cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF

$ sysctl --system

1. swap off

$ swapoff -a
$ vi /etc/fstab
## swap 부분 주석처리

1. kubectl, kubeadm, kubelet 설치

## 저장소 업데이트 및 필수 패키지 추가
$ apt-get update
$ apt-get install apt-transport-https ca-certificates curl

## google cloud public key 다운로드 및 kubernetes 저장소 추가
$ curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg <https://packages.cloud.google.com/apt/doc/apt-key.gpg>
$ echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] <https://apt.kubernetes.io/> kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list

$ apt-get update
$ apt-get install kubelet kubeadm kubectl

$ apt-mark hold kubelet kubeadm kubectl

## kubernetes 서비스 등록 및 재시작 수행
$ systemctl daemon-reload
$ systemctl restart kubelet

1. Worker node join

## master node에서 수행한 kubeadm init 명령어의 마지막 부분을 실행
$ kubeadm join 192.168.130.131:6443 --token 5vq2ed.7rzhrrg97ezalngh \\
        --discovery-token-ca-cert-hash sha256:f53f8fdbbc1efc5979a020ce8d8d8b61f8a78396c1f2bd393b59ac3c11a0df6b

## 아래와 같이 join 실패 시
$ kubeadm join 192.168.130.131:6443 --token 5vq2ed.7rzhrrg97ezalngh --discovery-token-ca-cert-hash sha256:f53f8fdbbc1efc5979a020ce8d8d8b61f8a78396c1f2bd393b59ac3c11a0df6b
[preflight] Running pre-flight checks
error execution phase preflight: couldn't validate the identity of the API Server: could not find a JWS signature in the cluster-info ConfigMap for token ID "5vq2ed"
To see the stack trace of this error execute with --v=5 or higher

## kubeadm token 유효기간은 24시간으로 지나면 재생성 해야함
## list 명령어로 확인 시 남아있을 경우 
$ kubeadm token list
TOKEN                     TTL         EXPIRES                USAGES                   DESCRIPTION                                                EXTRA GROUPS
rspbgu.bs06ttvl5g2nijji   23h         2023-02-04T05:57:21Z   authentication,signing   <none>                                                     system:bootstrappers:kubeadm:default-node-token

## 아래 명령어로 기존 token을 삭제 (24시간이 지났을 경우 list에 없을 수 있음)
$ kubeadm token delete rspbgu.bs06ttvl5g2nijji
bootstrap token "rspbgu" deleted
## 삭제 확인
$ kubeadm token list
## 신규 토큰 생성
$ kubeadm token create --print-join-command
kubeadm join 192.168.130.131:6443 --token l85ypt.kpwrps300qtqu9mi --discovery-token-ca-cert-hash sha256:f53f8fdbbc1efc5979a020ce8d8d8b61f8a78396c1f2bd393b59ac3c11a0df6b

## 정상적으로 join 시
$ kubeadm join 192.168.130.131:6443 --token l85ypt.kpwrps300qtqu9mi --discovery-token-ca-cert-hash sha256:f53f8fdbbc1efc5979a020ce8d8d8b61f8a78396c1f2bd393b59ac3c11a0df6b
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

## master에서 확인
$ kubectl get nodes
NAME          STATUS   ROLES           AGE   VERSION
k8s-master    Ready    control-plane   47h    v1.26.1
k8s-worker1   Ready    <none>          106m   v1.26.1
k8s-worker2   Ready    <none>          75m    v1.26.1