From Zero to Production-Ready: Deploying K8s 1.20.0 on a Single Server, with Automatic Certificate Renewal and High-Availability Simulation

张开发
2026/4/22 18:49:55 · 15 min read


From Zero to Production-Ready: An In-Depth Guide to Deploying and Operating Single-Node Kubernetes 1.20.0

1. Why Single-Node Kubernetes

Kubernetes has become the de facto standard for container orchestration, but many developers face a practical problem: how do you study K8s internals in depth, and still reproduce a realistic production setup, when you only have limited hardware? A single-node deployment answers exactly that.

What a single-node cluster gives you:
- Low learning cost: no multi-node cluster is required; one ordinary server is enough
- Production-grade features: certificate management, network policy and the other core functions are fully available
- Easy fault injection: component failures of all kinds can be rehearsed safely
- A dev/test workhorse: it fits CI/CD pipelines and personal development environments

Tip: although it is called single-node, with the right configuration it can mimic many properties of a multi-node cluster.

2. Environment Preparation and System Tuning

2.1 Base environment

The commands below target a CentOS 7 host; the yum repositories used later assume it.

```bash
# Put SELinux into permissive mode (takes effect immediately)
setenforce 0
# Make the change persistent. kubeadm only needs permissive mode; SELINUX=permissive
# instead of disabled keeps the audit log, which is worth having on anything but a throwaway lab
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

# Disable swap: the kubelet refuses to start while swap is active
swapoff -a
sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

# Confirm the machine's product UUID is unique (cloned VMs often share one)
cat /sys/class/dmi/id/product_uuid
```

Key kernel parameters:

```bash
cat <<EOF | tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF
# Load the module now: the two sysctl keys below do not exist until it is loaded,
# so sysctl --system would otherwise report them as unknown
modprobe br_netfilter

cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
```

2.2 Network and firewall

| Service | Protocol | Port | Purpose |
|---|---|---|---|
| Kubernetes API | TCP | 6443 | Control-plane communication |
| etcd | TCP | 2379-2380 | Key-value store |
| Kubelet API | TCP | 10250 | Node status reporting |
| kube-scheduler | TCP | 10251 | Scheduler |
| kube-controller-manager | TCP | 10252 | Controller manager |

Note that 10251 and 10252 are the legacy plaintext ports. The manifests kubeadm 1.20 generates start both components with --port=0, so these ports are closed; the authenticated equivalents are 10259 (scheduler) and 10257 (controller manager).

```bash
# Disable the firewall (lab environments only)
systemctl stop firewalld
systemctl disable firewalld
```

On any host reachable from beyond the lab, keep firewalld running and open only the ports in the table (firewall-cmd --permanent --add-port=PORT/tcp, then --reload). etcd on 2379 and the kubelet API on 10250 must never face an untrusted network: etcd holds every Secret in the cluster, and the kubelet API allows exec into any pod on the node.

3. Core Component Deployment

3.1 Installing and tuning the Docker engine

Kubernetes 1.20 is the release that deprecated the dockershim; Docker still works as the runtime here, but containerd is the forward path.

```bash
# Install Docker CE
yum install -y yum-utils
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io

# Daemon configuration: the systemd cgroup driver must match the kubelet (kubeadm's default),
# plus a registry mirror and the overlay2 storage driver
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "registry-mirrors": ["https://registry.docker-cn.com"],
  "storage-driver": "overlay2"
}
EOF

# Start and enable the service
systemctl enable --now docker
```

registry.docker-cn.com has been offline for years; put a mirror you can actually reach in registry-mirrors, or drop the key.

Production notes:
- Pin image versions instead of relying on the latest tag
- Regularly prune unused images and containers
- Configure log rotation (the json-file log driver's max-size and max-file options in daemon.json) so container logs cannot fill the disk

3.2 Installing the Kubernetes components

```bash
# Add the Kubernetes repository (Aliyun mirror)
cat > /etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
EOF

# Install a pinned version
yum install -y kubeadm-1.20.0-0 kubelet-1.20.0-0 kubectl-1.20.0-0

# Enable the kubelet. It crash-loops until kubeadm init has written its config; that is expected
systemctl enable --now kubelet
```

gpgcheck=0 and repo_gpgcheck=0 switch off signature verification for both the package metadata and the packages themselves, so anything the mirror (or anyone between you and it) serves gets installed as root. Leave them at 1 and point gpgkey at the repository's yum-key.gpg and rpm-package-key.gpg; the mirror carries the same keys as the upstream repository.
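Before running kubeadm init it pays to verify that everything sections 2 and 3 changed is really in place; a cgroup-driver mismatch between Docker and the kubelet and a repository with signature checks disabled are the two things most often missed. The script below is an added example, not code from the original article. Each check takes the file or value it inspects as an argument, preflight() wires the checks to the real CentOS paths, and the port list, the expected version string v1.20.0 and the use of ss to list listeners are assumptions of this example.

```bash
#!/usr/bin/env bash
# Preflight checks for the host prepared in sections 2 and 3 (added example, not from the
# article). Every check takes its input as an argument so it can be run against constructed
# files; preflight() applies them to the real paths.
set -u

# 0 if the sysctl drop-in enables both bridge-nf-call keys
check_bridge_sysctl() {
  grep -Eq '^[[:space:]]*net\.bridge\.bridge-nf-call-iptables[[:space:]]*=[[:space:]]*1' "$1" &&
  grep -Eq '^[[:space:]]*net\.bridge\.bridge-nf-call-ip6tables[[:space:]]*=[[:space:]]*1' "$1"
}

# 0 if no active (uncommented) swap entry remains in the given fstab
check_fstab_swap() {
  ! grep -Eq '^[[:space:]]*[^#].*[[:space:]]swap[[:space:]]' "$1"
}

# 0 if the SELinux config is permissive or disabled (both are fine for kubeadm)
check_selinux_config() {
  grep -Eq '^SELINUX=(permissive|disabled)[[:space:]]*$' "$1"
}

# 0 if daemon.json selects the systemd cgroup driver, matching the kubelet's default
check_docker_cgroup() {
  grep -q 'native.cgroupdriver=systemd' "$1"
}

# 0 only if the yum repo file keeps GPG verification on; reports each disabled key
check_repo_gpg() {
  local f=$1 bad=0 key
  for key in gpgcheck repo_gpgcheck; do
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*0" "$f"; then
      echo "  ${key}=0 in $f: package signatures are not verified" >&2
      bad=1
    fi
  done
  return $bad
}

# 0 if every version string given matches the wanted one (kept pure so it is testable
# without the binaries; preflight() feeds it the real tool output)
check_versions() {
  local want=$1 v
  shift
  for v in "$@"; do
    [ "$v" = "$want" ] || return 1
  done
}

# 0 if none of the listed TCP ports already has a listener
check_ports_free() {
  local listening p
  listening=$(ss -ltn 2>/dev/null | awk 'NR>1 {print $4}' | sed 's/.*://')
  for p in "$@"; do
    if printf '%s\n' "$listening" | grep -qx "$p"; then
      echo "  port $p is already in use" >&2
      return 1
    fi
  done
}

preflight() {
  local rc=0
  run() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }
  run check_selinux_config /etc/selinux/config
  run check_fstab_swap /etc/fstab
  run check_bridge_sysctl /etc/sysctl.d/k8s.conf
  run check_docker_cgroup /etc/docker/daemon.json
  run check_repo_gpg /etc/yum.repos.d/kubernetes.repo
  run check_versions v1.20.0 \
    "$(kubeadm version -o short 2>/dev/null)" \
    "$(kubelet --version 2>/dev/null | awk '{print $2}')" \
    "$(kubectl version --client --short 2>/dev/null | awk '{print $3}')"
  run check_ports_free 6443 2379 2380 10250 10257 10259
  return $rc
}

# Run the real checks only when invoked as "preflight.sh run", so the functions can be sourced
if [ "${1:-}" = run ]; then
  preflight
fi
```

Run it as `bash preflight.sh run` and fix every FAIL before kubeadm init; the repo check is the one that deserves a fix rather than a shrug.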
4. Cluster Initialization and Network Configuration

4.1 Initializing the cluster with kubeadm

```bash
# Pre-pull the control-plane images from a domestic mirror to avoid network problems in China
kubeadm config images pull \
  --image-repository registry.aliyuncs.com/google_containers \
  --kubernetes-version v1.20.0

# Initialize the control plane. --image-repository must be repeated here: without it kubeadm
# looks for k8s.gcr.io/* images and ignores the ones just pulled under the mirror's name
kubeadm init \
  --image-repository registry.aliyuncs.com/google_containers \
  --apiserver-advertise-address=192.168.1.100 \
  --pod-network-cidr=10.244.0.0/16 \
  --kubernetes-version=v1.20.0

# Configure kubectl for the current user
mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
```

Two things specific to a single node. The control-plane node carries the node-role.kubernetes.io/master:NoSchedule taint, so no workload pod (including the test pods below) will be scheduled until you remove it with kubectl taint nodes --all node-role.kubernetes.io/master-. And admin.conf is a cluster-admin credential with a one-year client certificate: keep the copy in ~/.kube/config at mode 600 and remember that it has to be re-copied after every certificate renewal (section 5.2).

4.2 Deploying the network plugin

Flannel:

```bash
kubectl apply -f https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
```

Pin a release tag instead of master so the manifest you apply is reproducible, and make sure its pod network matches the --pod-network-cidr above (10.244.0.0/16 is Flannel's default). Recent manifests install into the kube-flannel namespace; older ones used kube-system, so check where the pods landed before hunting for logs.

Common network troubleshooting:
- Check pod status: `kubectl get pods -n kube-system` (and `-n kube-flannel`)
- Read the Flannel logs: `kubectl logs -n kube-flannel <pod-name>`
- Verify connectivity with a throwaway pod: `kubectl run test --image=busybox -- sleep 3600`

5. Certificate Management and Automatic Renewal

5.1 The Kubernetes certificate hierarchy

A K8s cluster uses several certificates to secure its internal communication:

| Certificate | Default validity | Purpose |
|---|---|---|
| apiserver | 1 year | API server serving certificate |
| etcd | 1 year | etcd peer, server and client communication |
| kubelet | 1 year | Node identity (the API server's kubelet client certificate) |
| front-proxy | 1 year | Aggregation-layer (front proxy) client certificate |

These are the leaf certificates. The three CAs behind them (ca, etcd/ca, front-proxy-ca) are issued for ten years and are not touched by the renewal commands below, and the kubelet's own certificates under /var/lib/kubelet/pki rotate automatically because kubeadm enables rotateCertificates.

```bash
# Show the expiry date of every kubeadm-managed certificate, including the ones
# embedded in admin.conf, controller-manager.conf and scheduler.conf
kubeadm certs check-expiration
```

5.2 Automated renewal

Option 1: a CronJob

The renewal has to happen on the host: kubeadm, the PKI directory and the kubelet's systemd unit all live there, so a container that simply runs kubeadm and systemctl in its own filesystem and process namespace changes nothing. The Job therefore shares the host PID namespace and uses nsenter to execute on the host; the image only needs an nsenter binary (Alpine-based images carry the busybox one), kubeadm is the host's own. A privileged hostPID pod is root on the node, so restrict who can create workloads in kube-system.

```yaml
apiVersion: batch/v1beta1   # CronJob is still beta in 1.20 (batch/v1 arrives in 1.21)
kind: CronJob
metadata:
  name: k8s-cert-renew
  namespace: kube-system
spec:
  schedule: "0 3 1 * *"      # 03:00 on the 1st of every month
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          hostPID: true
          containers:
          - name: renew
            image: alpine/k8s:1.20.0
            securityContext:
              privileged: true
            # nsenter into PID 1 (the host's systemd) so everything below runs on the host
            command:
            - nsenter
            - -t
            - "1"
            - -m
            - -u
            - -i
            - -n
            - -p
            - --
            - /bin/sh
            - -c
            - |
              set -e
              cp -a /etc/kubernetes/pki "/etc/kubernetes/pki.$(date +%F)"
              kubeadm certs renew all
              # the static control-plane pods keep the old certificates in memory: recreate them
              mv /etc/kubernetes/manifests /etc/kubernetes/manifests.bak
              sleep 60
              mv /etc/kubernetes/manifests.bak /etc/kubernetes/manifests
              systemctl restart kubelet
          restartPolicy: OnFailure
```

Option 2: manual renewal (recommended)

```bash
# Back up the existing certificates
cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak

# Renew every kubeadm-managed certificate (this also rewrites the kubeconfigs under /etc/kubernetes)
kubeadm certs renew all

# Recreate the static control-plane pods so they load the new certificates;
# the kubelet removes the pods while the manifest directory is gone and recreates them when it returns
mv /etc/kubernetes/manifests /etc/kubernetes/manifests.bak
sleep 60
mv /etc/kubernetes/manifests.bak /etc/kubernetes/manifests

# Restart the kubelet
systemctl restart kubelet

# admin.conf was rewritten: refresh the kubectl copy, or kubectl stops working when the old one expires
cp /etc/kubernetes/admin.conf $HOME/.kube/config
kubeadm certs check-expiration
```

Important: renewed certificates only take effect after the components that use them have been restarted. Note also that kubeadm upgrade renews all certificates as part of the upgrade, so a cluster that is upgraded at least once a year rarely needs a separate renewal.

6. Simulating High-Availability Features

6.1 Node affinity and anti-affinity

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ha
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: app
                operator: In
                values:
                - nginx
            topologyKey: kubernetes.io/hostname
      containers:
      - name: nginx
        image: nginx:1.19
```

On a single node this rule lets exactly one replica run; the other two stay Pending with a FailedScheduling event, which is the rule working as designed. Switch to preferredDuringSchedulingIgnoredDuringExecution if you want all three replicas up on one node while still spreading them once more nodes join.

6.2 Node failure drills

- Mark the node unschedulable: `kubectl cordon $(hostname)`
- Evict the pods on the node: `kubectl drain $(hostname) --ignore-daemonsets`
- Bring the node back: `kubectl uncordon $(hostname)`

With only one node there is nowhere for evicted pods to go, so they remain Pending until uncordon; drain also refuses pods that use emptyDir volumes unless you add --delete-emptydir-data. The node name is the lowercase hostname, so $(hostname) only works if the hostname contains no capitals.
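The expiry check and the manual renewal from sections 5.1 and 5.2, as one added example script (not part of the original article). It also performs the openssl-based check on the client certificate embedded in controller-manager.conf that the troubleshooting section relies on, which matters because kubeadm never writes a controller-manager.crt into /etc/kubernetes/pki. It assumes the kubeadm 1.20 layout (leaf certificates under /etc/kubernetes/pki, client certificates embedded as base64 client-certificate-data in /etc/kubernetes/*.conf), GNU date, and a 30-day warning threshold; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Certificate expiry report and manual renewal for a kubeadm 1.20 control plane
# (added example, not from the article). Usage: k8s-certs.sh check [days] | k8s-certs.sh renew
set -u

# Days until the PEM certificate on stdin expires (negative once it has expired)
cert_days_left() {
  local not_after exp now
  not_after=$(openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
  if [ -z "$not_after" ]; then
    echo -1
    return 1
  fi
  exp=$(date -u -d "$not_after" +%s)
  now=$(date -u +%s)
  echo $(( (exp - now) / 86400 ))
}

# Extract the PEM client certificate embedded in a kubeconfig (client-certificate-data)
kubeconfig_cert() {
  awk '/client-certificate-data:/ {print $2; exit}' "$1" | base64 -d
}

# Print "<path> <days>" for every .crt under the PKI directory and for every kubeconfig
# given after it; return 1 if any of them expires within $threshold days
report_expiring() {
  local threshold=$1 pki=$2 rc=0 f d
  shift 2
  for f in $(find "$pki" -name '*.crt' | sort) "$@"; do
    case "$f" in
      *.conf) d=$(kubeconfig_cert "$f" | cert_days_left) ;;
      *)      d=$(cert_days_left < "$f") ;;
    esac
    printf '%-55s %5d days\n' "$f" "$d"
    [ "$d" -gt "$threshold" ] || rc=1
  done
  return $rc
}

# Section 5.2 option 2, with the steps that are easy to forget: back up the kubeconfigs
# as well as the PKI directory, and refresh ~/.kube/config afterwards
renew_all() {
  local stamp
  stamp=$(date +%F-%H%M)
  cp -a /etc/kubernetes/pki "/etc/kubernetes/pki.$stamp"
  mkdir -p "/etc/kubernetes/conf.$stamp"
  cp -a /etc/kubernetes/*.conf "/etc/kubernetes/conf.$stamp/"
  kubeadm certs renew all
  # The static control-plane pods keep the old certificates in memory: recreate them
  mv /etc/kubernetes/manifests /etc/kubernetes/manifests.bak
  sleep 60
  mv /etc/kubernetes/manifests.bak /etc/kubernetes/manifests
  systemctl restart kubelet
  # admin.conf was rewritten; the kubectl copy still holds the old certificate
  cp /etc/kubernetes/admin.conf "$HOME/.kube/config"
  kubeadm certs check-expiration
}

case "${1:-}" in
  check) report_expiring "${2:-30}" /etc/kubernetes/pki \
           /etc/kubernetes/admin.conf \
           /etc/kubernetes/controller-manager.conf \
           /etc/kubernetes/scheduler.conf ;;
  renew) renew_all ;;
esac
```

`k8s-certs.sh check` exits non-zero when anything is within 30 days of expiry, which makes it usable from a host cron entry as the alerting half of the "calendar reminder" the conclusion recommends; `k8s-certs.sh renew` is the manual procedure with its backups and the admin.conf refresh included.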
7. Production-Grade Operations Tips

7.1 Monitoring critical components

```bash
# Status of the control-plane static pods
kubectl get pods -n kube-system -l tier=control-plane

# Follow the kubelet log
journalctl -u kubelet -f

# API server health. Verify the server certificate against the cluster CA instead of using -k;
# use the advertise address, because localhost is not among the certificate's SANs
curl --cacert /etc/kubernetes/pki/ca.crt https://192.168.1.100:6443/healthz
```

/healthz is reachable without credentials because the system:public-info-viewer role grants it to unauthenticated users; /livez and /readyz work the same way and, with ?verbose appended, list the individual checks.

7.2 Common fault handbook

Problem 1: kube-controller-manager restarts repeatedly

Solution:
- Check the certificate's validity. kubeadm does not create a controller-manager.crt under /etc/kubernetes/pki; the controller manager's client certificate is embedded in its kubeconfig, so decode it from there:

```bash
grep client-certificate-data /etc/kubernetes/controller-manager.conf \
  | awk '{print $2}' | base64 -d | openssl x509 -noout -subject -dates
```

- Confirm the kubeconfig still references a certificate: `grep client-certificate /etc/kubernetes/controller-manager.conf`
- Read the detailed log: `kubectl logs -n kube-system kube-controller-manager-$(hostname)`

Problem 2: CoreDNS resolution failures

Steps:

```bash
# Confirm the DNS service exists
kubectl get svc -n kube-system kube-dns

# Test resolution from a throwaway pod
kubectl run dns-test --image=busybox --rm -it --restart=Never -- nslookup kubernetes.default
```

If nslookup prints confusing errors, retry with busybox:1.28; newer busybox releases ship an nslookup whose output against CoreDNS is misleading.

8. Performance Tuning

8.1 Resource quotas

A ResourceQuota is scoped to a namespace, so apply it with -n to the namespace it should govern.

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: mem-cpu-quota
spec:
  hard:
    requests.cpu: "2"
    requests.memory: 4Gi
    limits.cpu: "4"
    limits.memory: 8Gi
```

8.2 Key parameter tuning

kubelet:

```bash
cat > /etc/sysconfig/kubelet <<EOF
KUBELET_EXTRA_ARGS=--max-pods=50 --kube-api-qps=20 --kube-api-burst=30
EOF
systemctl restart kubelet
```

These command-line flags are deprecated in favour of the KubeletConfiguration file kubeadm writes to /var/lib/kubelet/config.yaml (maxPods, kubeAPIQPS, kubeAPIBurst), which is the more durable place for them.

etcd (a fragment of /etc/kubernetes/manifests/etcd.yaml; editing the static-pod manifest restarts etcd immediately):

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: etcd
spec:
  containers:
  - command:
    - etcd
    - --auto-compaction-retention=1h
    - --quota-backend-bytes=8589934592   # 8 GB
```

kubeadm regenerates this manifest on upgrade, so put the same flags under etcd.local.extraArgs in the ClusterConfiguration as well or they will be lost.

Verified in practice: this single-node setup runs 20 pods stably on a 4-core, 8 GB cloud server, which fully covers development and test needs. The most important lesson is to check certificate status regularly; set a calendar reminder and handle renewal a month before expiry.
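The API-server health check from section 7.1 as a small probe script, added here as an example and not part of the original article. It fetches /livez and /readyz with verification against the cluster CA rather than -k and parses the verbose output, whose lines look like `[+]etcd ok` or `[-]etcd failed: reason withheld`. It assumes the kubeadm layout (CA at /etc/kubernetes/pki/ca.crt) and addresses the API server by the advertise address from section 4.1, which, unlike localhost, is in the serving certificate's SANs; APISERVER and CA can be overridden from the environment.

```bash
#!/usr/bin/env bash
# API-server liveness/readiness probe for section 7.1 (added example, not from the article).
set -u

APISERVER=${APISERVER:-https://192.168.1.100:6443}
CA=${CA:-/etc/kubernetes/pki/ca.crt}

# Parse a verbose /livez or /readyz body on stdin. Prints the name of every check reported
# as "[-]name failed ..." and returns 1 if there was at least one; returns 0 when all are "[+]".
failed_checks() {
  local failed
  failed=$(sed -n 's/^\[-\]\([^ ]*\) .*/\1/p')
  [ -z "$failed" ] || { printf '%s\n' "$failed"; return 1; }
}

# Fetch one endpoint, verifying the server certificate against the cluster CA instead of -k.
# Returns 0 healthy, 1 if any check failed, 2 if the API server could not be reached at all.
probe() {
  local path=$1 body failed
  if ! body=$(curl -sS --max-time 5 --cacert "$CA" "$APISERVER$path?verbose"); then
    echo "$path: unreachable" >&2
    return 2
  fi
  if failed=$(printf '%s\n' "$body" | failed_checks); then
    echo "$path: ok"
  else
    echo "$path: failing checks: $(printf '%s' "$failed" | tr '\n' ' ')" >&2
    return 1
  fi
}

# Run the live probes only when invoked with "run", so the parser can be sourced for testing
if [ "${1:-}" = run ]; then
  probe /livez && probe /readyz
fi
```

A non-zero exit from `bash apiserver-probe.sh run` names the failing component (etcd, a post-start hook, and so on), which is a faster starting point than tailing the kubelet log; an expired serving certificate shows up as an "unreachable" result with curl's verification error on stderr.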
