Hands-on: Joining a Tencent Cloud Windows Server to a Kubernetes Cluster as a Worker Node

Original
Faith
Modified on 2025-05-10 13:51:31

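A previous article covered how to install Docker on Windows. This article describes how to join a Windows cloud server to Kubernetes; reading the previous article first is recommended: https://cloud.tencent.com/developer/article/2464400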

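I. Environment preparation and caveats

1. System requirements

  • Master: CentOS 7.9 (kernel version ≥ 3.10)
  • Node: Windows Server 2019
  • Kubernetes version: 1.28.2
  • Disable the firewall or open ports such as 6443 and 10250; the nodes must be able to reach the public internet

2. [Limitations] Windows nodes have the following limitations:

  • Only the HostProcess container isolation mode is supported (no Hyper-V virtualization required). Because HostProcess isolation is used, the OS version of the container image must match the OS version of the node, otherwise the container cannot run
  • After a Windows CVM joins Kubernetes as a worker node, the Windows node itself cannot reach services through the service IP; only pods on the node can. To reach a service from the node, use node IP + port
  • NFS persistent storage is not supported
  • Calico and Flannel are supported as network plugins (this tutorial uses Calico)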

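II. Master node configuration (CentOS 7.9)

1. System initialization

Code language: bash
# Set the hostname (update /etc/hosts to match)
hostnamectl set-hostname master

# Load the kernel modules containerd needs, now and on every boot
cat << EOF > /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF

modprobe overlay
modprobe br_netfilter

# Kernel parameters (the net.bridge.* keys only exist once br_netfilter is loaded)
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system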

2. Container runtime installation

Code language: bash
# Install containerd and docker (docker is optional)
sudo yum-config-manager --add-repo=https://mirrors.cloud.tencent.com/docker-ce/linux/centos/docker-ce.repo
sudo sed -i "s/download.docker.com/mirrors.tencentyun.com\/docker-ce/g"  /etc/yum.repos.d/docker-ce.repo
yum install -y containerd.io docker-ce docker-ce-cli

systemctl enable containerd
systemctl enable docker

crictl config runtime-endpoint unix:///run/containerd/containerd.sock
crictl config image-endpoint unix:///run/containerd/containerd.sock

# Configure registry mirrors
mkdir -p /etc/containerd
# Generate the default config file and switch the pause image source
containerd config default | sed 's/registry.k8s.io\/pause:3.6/registry.aliyuncs.com\/google_containers\/pause:3.9/g' > /etc/containerd/config.toml
# Configure the docker registry mirror
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
 "registry-mirrors": [
   "https://mirror.ccs.tencentyun.com"
  ],
"exec-opts": ["native.cgroupdriver=systemd"]
}
EOF

# Edit /etc/containerd/config.toml by hand so the CRI registry section reads the mirror directory:
#   [plugins."io.containerd.grpc.v1.cri".registry]
#      config_path = "/etc/containerd/certs.d"
   
# Docker Hub registry mirror
mkdir -p /etc/containerd/certs.d/docker.io
cat > /etc/containerd/certs.d/docker.io/hosts.toml << EOF
server = "https://docker.io"
[host."https://mirror.ccs.tencentyun.com"]
  capabilities = ["pull", "resolve"]

[host."https://docker.m.daocloud.io"]
  capabilities = ["pull", "resolve"]
EOF

# registry.k8s.io registry mirror
mkdir -p /etc/containerd/certs.d/registry.k8s.io
tee /etc/containerd/certs.d/registry.k8s.io/hosts.toml << 'EOF'
server = "https://registry.k8s.io"

[host."https://k8s.m.daocloud.io"]
  capabilities = ["pull", "resolve", "push"]
EOF

# docker.elastic.co registry mirror
mkdir -p /etc/containerd/certs.d/docker.elastic.co
tee /etc/containerd/certs.d/docker.elastic.co/hosts.toml << 'EOF'
server = "https://docker.elastic.co"

[host."https://elastic.m.daocloud.io"]
  capabilities = ["pull", "resolve", "push"]
EOF

# gcr.io registry mirror
mkdir -p /etc/containerd/certs.d/gcr.io
tee /etc/containerd/certs.d/gcr.io/hosts.toml << 'EOF'
server = "https://gcr.io"

[host."https://gcr.m.daocloud.io"]
  capabilities = ["pull", "resolve", "push"]
EOF

# ghcr.io registry mirror
mkdir -p /etc/containerd/certs.d/ghcr.io
tee /etc/containerd/certs.d/ghcr.io/hosts.toml << 'EOF'
server = "https://ghcr.io"

[host."https://ghcr.m.daocloud.io"]
  capabilities = ["pull", "resolve", "push"]
EOF

# k8s.gcr.io registry mirror
mkdir -p /etc/containerd/certs.d/k8s.gcr.io
tee /etc/containerd/certs.d/k8s.gcr.io/hosts.toml << 'EOF'
server = "https://k8s.gcr.io"

[host."https://k8s-gcr.m.daocloud.io"]
  capabilities = ["pull", "resolve", "push"]
EOF

# mcr.microsoft.com registry mirror
mkdir -p /etc/containerd/certs.d/mcr.microsoft.com
tee /etc/containerd/certs.d/mcr.microsoft.com/hosts.toml << 'EOF'
server = "https://mcr.microsoft.com"

[host."https://mcr.m.daocloud.io"]
  capabilities = ["pull", "resolve", "push"]
EOF

# nvcr.io registry mirror
mkdir -p /etc/containerd/certs.d/nvcr.io
tee /etc/containerd/certs.d/nvcr.io/hosts.toml << 'EOF'
server = "https://nvcr.io"

[host."https://nvcr.m.daocloud.io"]
  capabilities = ["pull", "resolve", "push"]
EOF

# quay.io registry mirror
mkdir -p /etc/containerd/certs.d/quay.io
tee /etc/containerd/certs.d/quay.io/hosts.toml << 'EOF'
server = "https://quay.io"

[host."https://quay.m.daocloud.io"]
  capabilities = ["pull", "resolve", "push"]
EOF

# registry.jujucharms.com registry mirror
mkdir -p /etc/containerd/certs.d/registry.jujucharms.com
tee /etc/containerd/certs.d/registry.jujucharms.com/hosts.toml << 'EOF'
server = "https://registry.jujucharms.com"

[host."https://jujucharms.m.daocloud.io"]
  capabilities = ["pull", "resolve", "push"]
EOF

# rocks.canonical.com registry mirror
mkdir -p /etc/containerd/certs.d/rocks.canonical.com
tee /etc/containerd/certs.d/rocks.canonical.com/hosts.toml << 'EOF'
server = "https://rocks.canonical.com"

[host."https://rocks-canonical.m.daocloud.io"]
  capabilities = ["pull", "resolve", "push"]
EOF

# Reboot the machine
reboot

3. Kubernetes component installation

Code language: bash
# Configure the yum repository
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
EOF

yum clean all 
yum makecache fast

# Install the pinned version
yum install -y kubelet-1.28.2 kubeadm-1.28.2 kubectl-1.28.2
systemctl enable kubelet && systemctl start kubelet
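
The repo file above sets gpgcheck=0 and repo_gpgcheck=0, so yum installs kubelet, kubeadm and kubectl without verifying package or metadata signatures. The check below is an added example, not part of the original article; it reports every section of a .repo file where signature checking is explicitly off (the name audit_repo_gpg and the sample file are assumptions of this example).

```shell
#!/bin/sh
# Added example (not from the article): report yum repo sections that turn
# package or metadata signature checks off. audit_repo_gpg is a hypothetical name.

# Prints "<section> <key>=0" per disabled check; returns 1 if any was found.
# Only explicit "=0" settings are reported; an absent key inherits from yum.conf.
audit_repo_gpg() {
  awk -F= '
    /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); section = $0; next }
    /^[ \t]*#/  { next }
    {
      key = $1; val = $2
      gsub(/[ \t]/, "", key); gsub(/[ \t\r]/, "", val)
      if ((key == "gpgcheck" || key == "repo_gpgcheck") && val == "0") {
        print section, key "=0"; bad = 1
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample with the same settings as the kubernetes.repo above.
SAMPLE_REPO=$(mktemp)
cat > "$SAMPLE_REPO" << 'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
EOF

audit_repo_gpg "$SAMPLE_REPO" || echo "signature checks are disabled in $SAMPLE_REPO"
# On a real host: for f in /etc/yum.repos.d/*.repo; do audit_repo_gpg "$f"; done
```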

4. Cluster initialization

Code language: bash
# Adjust the IP address and options to your environment
kubeadm init \
  --kubernetes-version=v1.28.2 \
  --pod-network-cidr=10.244.0.0/16 \
  --image-repository registry.aliyuncs.com/google_containers \
  --apiserver-advertise-address 172.27.16.23

# Configure kubectl
mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

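III. Windows worker node configuration

1. System preparation

  1. Create a Windows Server 2019 CVM from the Tencent Cloud console
  2. Configure the security group to open TCP ports 6443 and 10250
  3. Turn off the Windows Defender firewall (off by default in public images)

2. Container runtime installation

Code language: powershell
# Download the install script
Invoke-WebRequest https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/hostprocess/Install-Containerd.ps1 -OutFile C:\Install-Containerd.ps1

# Note: do not run the script right after downloading it, otherwise the packages may fail to download because of cross-border network problems. First download the files the script fetches with DownloadFile to the local machine, place them in the directories the script defines, then comment out the DownloadFile lines

# Run the installation
C:\Install-Containerd.ps1 -ContainerDVersion xxxxx -skipHypervisorSupportCheck -CNIConfigPath "c:/etc/cni/net.d" -CNIBinPath "c:/opt/cni/bin"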

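3. Kubernetes component deployment

Code language: powershell
# Prepare the node components
Invoke-WebRequest https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/hostprocess/PrepareNode.ps1 -OutFile C:\PrepareNode.ps1

# Same as before: do not run it right after downloading. Download the packages manually first, comment out the download lines, then run the installation

C:\PrepareNode.ps1 -KubernetesVersion v1.28.2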

IV. Hybrid network configuration (Calico)

1. Install kube-proxy

Code language: bash
# Run on the master node
wget https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/hostprocess/calico/kube-proxy/kube-proxy.yml
# Prefix the image with docker.1ms.run and change the image version to the cluster version, e.g. image: docker.1ms.run/sigwindowstools/kube-proxy:v1.28.2-calico-hostprocess
kubectl apply -f kube-proxy.yml
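
kube-proxy.yml is fetched from the moving master branch and then edited by hand, so what gets applied can differ from what was reviewed. The following is an added example, not code from the article or from sig-windows-tools: it checks the downloaded file against a SHA-256 recorded at review time, then makes the image edit described in the comment above and prints the image lines for a final look. The function names and the sample manifest fragment are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): verify a downloaded manifest against a
# digest recorded when it was reviewed, then make the image edit described above.
# Function names are hypothetical; sed -i assumes GNU sed (as on CentOS).

# Succeeds only if the SHA-256 of file $1 equals the pinned hex digest $2.
sha256_matches() {
  [ "$(sha256sum < "$1" | cut -d' ' -f1)" = "$2" ]
}

# set_kube_proxy_image <file> <mirror> <version>
# Points every sigwindowstools/kube-proxy image at <mirror> with tag
# <version>-calico-hostprocess, then prints all image lines for review.
set_kube_proxy_image() {
  sed -i "s#image: *[^ ]*sigwindowstools/kube-proxy:[^ ]*-calico-hostprocess#image: $2/sigwindowstools/kube-proxy:$3-calico-hostprocess#" "$1"
  grep -E '^[[:space:]]*(- )?image:' "$1" | sed 's/^[[:space:]]*//'
}

# Constructed fragment standing in for kube-proxy.yml (tag v0.0.0 is made up).
SAMPLE_MANIFEST=$(mktemp)
cat > "$SAMPLE_MANIFEST" << 'EOF'
spec:
  template:
    spec:
      containers:
      - image: sigwindowstools/kube-proxy:v0.0.0-calico-hostprocess
        name: kube-proxy
EOF

# PINNED would normally be a value saved earlier; here it is computed from the sample.
PINNED=$(sha256sum < "$SAMPLE_MANIFEST" | cut -d' ' -f1)
if sha256_matches "$SAMPLE_MANIFEST" "$PINNED"; then
  set_kube_proxy_image "$SAMPLE_MANIFEST" docker.1ms.run v1.28.2
else
  echo "digest mismatch, not applying" >&2
fi
```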

2. Deploy the Calico operator

Code language: bash
# Run on the master node
export CALICO_VERSION="v3.29.3"
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/$CALICO_VERSION/manifests/tigera-operator.yaml

# Change the CIDR in custom-resources.yaml (adjust to your own network plan)
curl -O https://raw.githubusercontent.com/projectcalico/calico/$CALICO_VERSION/manifests/custom-resources.yaml
sed -i 's/192.168.0.0\/16/10.244.0.0\/16/g' custom-resources.yaml
kubectl apply -f custom-resources.yaml

# Remove the control-plane taint so pods can be scheduled on the master
kubectl taint nodes --all node-role.kubernetes.io/control-plane-

3. Network plugin configuration (run on the master node)

Code language: bash
# Prevent IP address borrowing
kubectl patch ipamconfigurations default --type merge --patch='{"spec": {"strictAffinity": true}}'

# Disable BGP
kubectl patch installation default --type=merge -p '{"spec": {"calicoNetwork": {"bgp": "Disabled"}}}'

# Tell Calico how to reach the API server through the kubernetes-services-endpoint ConfigMap.
# Get the values with `kubectl get endpoints kubernetes -o wide` and replace the two below with your own;
# if they are left unset, the heredoc expands them to empty strings.
APISERVER_ADDR=172.27.16.23
APISERVER_PORT=6443
kubectl apply -f - << EOF
kind: ConfigMap
apiVersion: v1
metadata:
  name: kubernetes-services-endpoint
  namespace: tigera-operator
data:
  KUBERNETES_SERVICE_HOST: "${APISERVER_ADDR}"
  KUBERNETES_SERVICE_PORT: "${APISERVER_PORT}"
EOF

# Force all cross-node pod traffic through VXLAN encapsulation
kubectl patch ippool.crd.projectcalico.org default-ipv4-ippool --type='json' -p='[{"op": "replace", "path": "/spec/vxlanMode", "value": "Always"}]'

# Switch the default encapsulation from IPIP to VXLAN
kubectl patch installation default --type='json' -p='[{"op": "replace", "path": "/spec/calicoNetwork/ipPools/0/encapsulation", "value": "VXLAN"}]'

# Add the Kubernetes service CIDR (found in the previous step) and enable Calico for Windows on the Tigera operator Installation resource
kubectl patch installation default --type merge --patch='{"spec": {"serviceCIDRs": ["10.96.0.0/12"], "calicoNetwork": {"windowsDataplane": "HNS"}}}'

V. Joining the node to the cluster

1. Generate the join command (master node)

Code language: bash
kubeadm token create --print-join-command
# Example output: kubeadm join 172.27.16.23:6443 --token xxxxx --discovery-token-ca-cert-hash sha256:xxxx
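
The join command carries two security-relevant values: the bootstrap token, which is a bearer secret, and the CA certificate hash, which lets the joining node pin the cluster CA. The check below is an added example, not part of the original article: it rejects a join command that has CA verification switched off or a malformed token or hash, and can compare the hash with the one computed from the master's CA certificate. Both function names and the sample command are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check a kubeadm join command
# before running it on a node. Both function names are hypothetical.

# SHA-256 of the cluster CA public key, i.e. the hex part kubeadm expects after
# "sha256:". This is the openssl pipeline given in the kubeadm documentation.
ca_pubkey_hash() {
  openssl x509 -pubkey -in "${1:-/etc/kubernetes/pki/ca.crt}" |
    openssl rsa -pubin -outform der 2>/dev/null |
    openssl dgst -sha256 -hex | sed 's/^.* //'
}

# check_join_command "<join command>" [expected-ca-hash-hex]
# Prints "ok" and returns 0 only if CA pinning is present and well formed.
check_join_command() (
  cmd=$1; expected=$2
  case " $cmd " in
    *" --discovery-token-unsafe-skip-ca-verification"*)
      echo "CA verification is disabled"; exit 1 ;;
  esac
  token=$(printf '%s\n' "$cmd" | sed -n 's/.*--token[ =]\([^ ]*\).*/\1/p')
  hash=$(printf '%s\n' "$cmd" |
    sed -n 's/.*--discovery-token-ca-cert-hash[ =]\([^ ]*\).*/\1/p')
  printf '%s\n' "$token" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$' ||
    { echo "token is not of the form [a-z0-9]{6}.[a-z0-9]{16}"; exit 1; }
  printf '%s\n' "$hash" | grep -Eq '^sha256:[0-9a-f]{64}$' ||
    { echo "CA cert hash is missing or malformed"; exit 1; }
  if [ -n "$expected" ] && [ "$hash" != "sha256:$expected" ]; then
    echo "CA cert hash does not match the cluster CA"; exit 1
  fi
  echo "ok"
)

# Constructed join command: address from the article, made-up token and hash.
SAMPLE_JOIN="kubeadm join 172.27.16.23:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

check_join_command "$SAMPLE_JOIN"
# On the master, compare against the real CA:
#   check_join_command "$(kubeadm token create --print-join-command)" "$(ca_pubkey_hash)"
```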

2. Run the join on the Windows node

Code language: powershell
# Run PowerShell as administrator
kubeadm join 172.27.16.23:6443 --token xxxxx --discovery-token-ca-cert-hash sha256:xxxx --v=5

3. Verify node status

Code language: bash
kubectl get nodes -o wide
# The Windows node should show status Ready

4. Expected result

Related reference documents:

1. Isolation modes: https://learn.microsoft.com/zh-cn/virtualization/windowscontainers/manage-containers/hyperv-container

2. Windows in Kubernetes: https://kubernetes.io/zh-cn/docs/concepts/windows/

3. Calico installation and configuration: https://docs.tigera.io/calico/latest/getting-started/kubernetes/windows-calico/operator

4. sig-windows-tools project: https://github.com/kubernetes-sigs/sig-windows-tools/blob/master/guides/calico_operator.md

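Original-content statement: this article is published on the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.

In case of infringement, contact cloudcommunity@tencent.com for removal.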
