Offline deployment of Kubernetes 1.26.12 with KubeKey 3.1.10 on Kylin OS: a full record (including Harbor 2.13.1 configuration)

张开发
2026/4/12 1:13:14, 15 min read


Building a stable Kubernetes cluster on a domestically developed operating system is one of the core requirements of enterprise IT infrastructure today, and Kylin, as the representative domestic OS, has had its security and reliability widely validated. This article records the complete process of deploying a Kubernetes 1.26.12 cluster offline on Kylin with KubeKey 3.1.10, including the configuration details of a Harbor 2.13.1 private image registry and the solutions to problems met along the way.

1. Environment preparation and toolchain

1.1 Hardware and operating system requirements

Before an offline Kubernetes deployment on Kylin, make sure the base environment meets the following requirements:

- CPU architecture: x86_64 or arm64; this article uses a 32-core Hygon C86 7285.
- Memory: at least 8 GB on control-plane nodes, at least 4 GB on worker nodes.
- Disk: at least 50 GB free on the system disk; mount /var on its own partition (containerd images and logs live there).
- Operating system: Kylin V10 SP2 or later, with a static IP and hostname resolution already configured.

Check the key system dependencies (`which` prints the path of each tool it finds and reports the missing ones on stderr):

```bash
# check the basic toolchain
which socat conntrack ebtables ipset
# install whatever is missing (the conntrack binary is shipped in conntrack-tools)
sudo yum install -y socat conntrack-tools ebtables ipset
```

1.2 Network planning

In an offline environment, sensible network planning avoids conflicts when the cluster is expanded later:

| Network | Suggested CIDR | Notes |
|---|---|---|
| Pod network | 10.233.64.0/18 | each node is allocated a /24 |
| Service network | 10.233.0.0/18 | in-cluster service traffic |
| Host management network | 172.23.123.0/24 | SSH and management traffic to the servers |

Tip: in production, size the Pod IP pool as (number of nodes × maximum Pods per node × 2). Two consequences of the plan above are worth checking before installation: a /18 pool carved into /24 node blocks holds at most 64 nodes, and none of the three ranges may overlap each other or any network the nodes route to, because the Pod and Service ranges cannot be changed once the cluster exists.

2. Building the offline artifact

2.1 Obtaining and configuring KubeKey

On a build machine with internet access, download the KubeKey 3.1.10 binary:

```bash
wget https://kubernetes.pek3b.qingstor.com/kubekey/releases/download/v3.1.10/kubekey-v3.1.10-linux-amd64.tar.gz
tar -zxvf kubekey-v3.1.10-linux-amd64.tar.gz
chmod +x kk
```

Generate the manifest for Kubernetes 1.26.12:

```bash
./kk create manifest --with-kubernetes v1.26.12 --with-registry
```

The generated manifest-sample.yaml pins the component versions; the relevant excerpt from this run:

```yaml
apiVersion: kubekey.kubesphere.io/v1alpha2
kind: Manifest
spec:
  kubernetesDistributions:
    - type: kubernetes
      version: v1.26.12
  components:
    containerd:
      version: 1.7.13
    calicoctl:
      version: v3.27.4
    harbor:
      version: v2.10.12.2
```

(The harbor entry is the registry that KubeKey can deploy by itself; this article does not use it and instead installs Harbor 2.13.1 from its own offline installer in section 3.)

Customizing the image list: for a domestic environment, point the image sources at a mirror inside China. Edit the images section of manifest-sample.yaml; the generated file lists every image the cluster needs, and the first entries look like this:

```yaml
images:
  - registry.cn-beijing.aliyuncs.com/kubesphereio/pause:3.9
  - registry.cn-beijing.aliyuncs.com/kubesphereio/kube-apiserver:v1.26.12
  - registry.cn-beijing.aliyuncs.com/kubesphereio/kube-proxy:v1.26.12
```

Build the offline artifact:

```bash
./kk artifact export -m manifest-sample.yaml -o kubesphere-offline-v1.26.12.tar.gz
```

Record the artifact's checksum (sha256sum) on the build machine and compare it after the file has been carried into the isolated network: the artifact is the entire software supply chain of the cluster, so a corrupted or substituted copy would otherwise be installed without anyone noticing.
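The dependency check in 1.1 and the capacity arithmetic in 1.2 are easy to get wrong by hand. The script below is an added example (it is not part of the original article, KubeKey or Kylin) that does both: it reports which required binaries are missing from PATH and checks the three planned ranges for node capacity and mutual overlap. The /24 per-node block, the ×2 safety factor and the three CIDRs are taken from the article; the node count of 10 and the kubelet default of 110 Pods per node used in the stand-alone run are assumptions. It needs only POSIX sh.

```sh
#!/bin/sh
# Added example: preflight helpers for the Kylin nodes described in sections 1.1 and 1.2.
# Pure POSIX sh; no KubeKey or kubectl needed. The CIDRs below are the article's plan.

# Print every binary name from the argument list that is not on PATH (one per line).
missing_tools() {
  for tool in "$@"; do
    command -v "$tool" >/dev/null 2>&1 || echo "$tool"
  done
}

# Convert a dotted IPv4 address to a 32-bit integer.
ip2int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 if the two CIDRs share any address, 1 otherwise.
# Two prefixes overlap exactly when they agree on the shorter of the two prefix lengths.
cidr_overlap() {
  a_ip=${1%/*}; a_len=${1#*/}
  b_ip=${2%/*}; b_len=${2#*/}
  len=$a_len
  if [ "$b_len" -lt "$len" ]; then len=$b_len; fi
  mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  [ $(( $(ip2int "$a_ip") & mask )) -eq $(( $(ip2int "$b_ip") & mask )) ]
}

# Number of per-node blocks (e.g. /24s) that fit in a pool (e.g. a /18): 2^(node_len - pool_len).
pool_node_capacity() {
  echo $(( 1 << ($2 - $1) ))
}

# Smallest prefix length whose address count is at least $1.
min_prefix_for() {
  p=32
  while [ "$p" -gt 0 ] && [ $(( 1 << (32 - p) )) -lt "$1" ]; do
    p=$(( p - 1 ))
  done
  echo "$p"
}

# Pod pool prefix recommended by the article's rule: nodes * max_pods_per_node * 2 addresses.
pod_pool_prefix() {
  min_prefix_for $(( $1 * $2 * 2 ))
}

# --- stand-alone run: the article's plan, assumed 10 nodes at the kubelet default of 110 Pods ---
POD_CIDR=10.233.64.0/18
SVC_CIDR=10.233.0.0/18
MGMT_CIDR=172.23.123.0/24

echo "missing tools: $(missing_tools socat conntrack ebtables ipset | tr '\n' ' ')"
echo "nodes that fit in $POD_CIDR with a /24 each: $(pool_node_capacity 18 24)"
echo "pod pool prefix for 10 nodes x 110 pods x 2: /$(pod_pool_prefix 10 110)"
for pair in "$POD_CIDR $SVC_CIDR" "$POD_CIDR $MGMT_CIDR" "$SVC_CIDR $MGMT_CIDR"; do
  if cidr_overlap $pair; then echo "OVERLAP: $pair"; else echo "ok: $pair"; fi
done
```

Run it on every node before `kk create cluster`; an empty "missing tools" line and three "ok" lines mean the plan in 1.2 is internally consistent. Add the real node count and the `maxPods` value you intend to set to the `pod_pool_prefix` call to see whether a /18 is actually large enough.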
3. Deploying the Harbor private registry

3.1 Harbor 2.13.1 offline installation

Upload the Harbor offline installer to the target server and unpack it:

```bash
tar -zxvf harbor-offline-installer-v2.13.1.tgz
cd harbor
cp harbor.yml.tmpl harbor.yml
```

Set the key parameters in harbor.yml. Harbor 2.x configures TLS under the https block (the 1.x harbor.cfg keys ssl_cert and ssl_cert_key are not read by 2.13.1, and neither is a bare top-level port):

```yaml
hostname: 172.23.123.117
https:
  port: 8443
  certificate: /etc/ssl/certs/harbor.crt
  private_key: /etc/ssl/certs/harbor.key
harbor_admin_password: Harbor12345
data_volume: /data/harbor
```

Two things to get right here: the certificate must carry the IP 172.23.123.117 as a subject alternative name, because the clients address Harbor by IP and registry clients verify the SAN, not the CN; and Harbor12345 is the well-known default admin password, so replace it before installation (and in every command below that uses it). Keep the private key readable only by root (mode 0600) rather than in a world-readable directory.

Start Harbor:

```bash
sudo ./install.sh --with-trivy
```

Harbor removed ChartMuseum in 2.8, so `--with-chartmuseum` is no longer accepted by the 2.13.1 installer; Helm charts are stored as OCI artifacts in the same projects as images. Verify the service state from the harbor directory:

```bash
docker-compose ps
```

3.2 Pushing images and project management

Create a dedicated project. The curl call needs the Harbor CA to be trusted by the client, or `--cacert /path/to/ca.crt`; avoid `-k`, which disables certificate verification:

```bash
curl -u admin:Harbor12345 -X POST https://172.23.123.117:8443/api/v2.0/projects \
  -H 'Content-Type: application/json' \
  -d '{"project_name":"kubesphere","public":false}'
```

Push an image with the docker client. Passing the password with `-p` leaves it in the shell history and in the process list, so feed it on stdin instead:

```bash
echo 'Harbor12345' | docker login 172.23.123.117:8443 -u admin --password-stdin
docker pull registry.cn-beijing.aliyuncs.com/kubesphereio/pause:3.9
docker tag registry.cn-beijing.aliyuncs.com/kubesphereio/pause:3.9 172.23.123.117:8443/kubesphere/pause:3.9
docker push 172.23.123.117:8443/kubesphere/pause:3.9
```

The `docker pull` from the Aliyun mirror only works on the connected build machine; the images bundled in the artifact are pushed to privateRegistry by `kk create cluster -a ...` itself (using the credentials given in the registry.auths section of the cluster config), so the manual tag-and-push above is the pattern for any extra image outside the artifact. Because the project is private, the nodes also need pull credentials: either mark the project public, or configure registry.auths so that containerd is given the credentials, or attach an imagePullSecret to the workloads.

4. Kubernetes cluster deployment

4.1 Customizing the cluster configuration

Generate the base configuration template:

```bash
./kk create config --with-kubernetes v1.26.12
```

Modify the key parts of config-sample.yaml:

```yaml
apiVersion: kubekey.kubesphere.io/v1alpha2
kind: Cluster
metadata:
  name: kylin-prod
spec:
  hosts:
    - {name: master, address: 172.23.123.117, internalAddress: 172.23.123.117, user: root, password: your_secure_password}
  roleGroups:
    etcd: [master]
    control-plane: [master]
    worker: [master]
  kubernetes:
    version: v1.26.12
    containerManager: containerd
  registry:
    privateRegistry: 172.23.123.117:8443
    namespaceOverride: kubesphere
    insecureRegistries: [172.23.123.117:8443]
```

Three points about this file. First, it is a single-node layout (etcd, control plane and worker on one host); a production cluster needs three etcd members and at least two control-plane nodes. Second, the host entry carries the root password in clear text; KubeKey also accepts privateKeyPath for SSH key authentication, which keeps secrets out of a file that tends to get copied around. Third, insecureRegistries makes containerd skip TLS verification for that host, so any machine able to answer on 172.23.123.117:8443 could feed images to the nodes; it is a workaround for a self-signed Harbor certificate, and the proper fix is to distribute the Harbor CA to the nodes and remove the entry.

4.2 Cluster initialization and validation

Run the offline installation:

```bash
./kk create cluster -f config-sample.yaml -a kubesphere-offline-v1.26.12.tar.gz --with-local-storage
```

After installation, check the cluster state:

```bash
kubectl get nodes -o wide
kubectl get pods -A
```

Health check of the key components:

```bash
kubectl get componentstatuses
```

componentstatuses has been deprecated since Kubernetes 1.19; on 1.26 it still answers, but `kubectl get --raw='/readyz?verbose'` gives the API server's per-check readiness and is the supported replacement, and the Pod listing above covers the rest of the control plane.
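Sections 3.1 and 4.1 leave the Harbor certificate self-signed and tell containerd to trust the host blindly through insecureRegistries. The script below is an added example (not from the article, Harbor or KubeKey) of the alternative: issue the Harbor server certificate from a small private CA with the registry IP in its SAN, then install that CA on each node for containerd's certs.d mechanism and for the system trust store, after which the insecureRegistries entry can be removed. It assumes openssl on the build host, containerd 1.7 on the nodes with `config_path = "/etc/containerd/certs.d"` set under `[plugins."io.containerd.grpc.v1.cri".registry]` in config.toml (KubeKey's generated file uses registry.mirrors and may not set this), and the RHEL-style /etc/pki/ca-trust store on Kylin V10. The address 172.23.123.117:8443 and the certificate paths are the article's; the CA name and output directory are assumptions.

```sh
#!/bin/sh
# Added example: private CA + Harbor server certificate, and node-side trust for containerd.
# Assumptions: openssl present on the build host; containerd 1.7 with
#   [plugins."io.containerd.grpc.v1.cri".registry]
#     config_path = "/etc/containerd/certs.d"
# on every node; Kylin V10 trust store at /etc/pki/ca-trust (RHEL layout).
set -e

REGISTRY_HOST=172.23.123.117:8443          # host:port exactly as the nodes address Harbor
REGISTRY_IP=${REGISTRY_HOST%:*}

# Create a CA and a server certificate whose SAN carries the registry IP (Harbor is
# reached by IP in the article, and registry clients verify the SAN, not the CN).
# Output: $1/ca.crt $1/ca.key $1/harbor.crt $1/harbor.key  (assumed directory layout)
make_registry_certs() {
  out=$1
  mkdir -p "$out"
  openssl req -x509 -newkey rsa:4096 -nodes -days 3650 -sha256 \
    -subj "/CN=kylin-prod-registry-ca" -keyout "$out/ca.key" -out "$out/ca.crt"
  openssl req -newkey rsa:4096 -nodes -sha256 -subj "/CN=harbor" \
    -keyout "$out/harbor.key" -out "$out/harbor.csr"
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$REGISTRY_IP" > "$out/san.cnf"
  openssl x509 -req -days 825 -sha256 -in "$out/harbor.csr" \
    -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
    -extfile "$out/san.cnf" -out "$out/harbor.crt"
  chmod 0600 "$out/ca.key" "$out/harbor.key"     # keys must not be world-readable
  # copy harbor.crt / harbor.key to the paths named in harbor.yml (https.certificate, https.private_key)
}

# containerd hosts.toml for the registry: TLS, verified against our CA only.
render_hosts_toml() {
  host=$1; ca=$2
  printf 'server = "https://%s"\n\n[host."https://%s"]\n  capabilities = ["pull", "resolve", "push"]\n  ca = "%s"\n' \
    "$host" "$host" "$ca"
}

# Install the CA on a node (run as root on each node). Afterwards remove the host from
# insecureRegistries in config-sample.yaml; registry credentials stay in config.toml.
install_registry_trust() {
  host=$1; ca_file=$2
  dir=/etc/containerd/certs.d/$host
  mkdir -p "$dir"
  cp "$ca_file" "$dir/ca.crt"
  render_hosts_toml "$host" "$dir/ca.crt" > "$dir/hosts.toml"
  # also trust it system-wide, for docker login, curl and the Harbor API calls in 3.2
  cp "$ca_file" /etc/pki/ca-trust/source/anchors/harbor-ca.crt
  update-ca-trust
  grep -q 'config_path = "/etc/containerd/certs.d"' /etc/containerd/config.toml ||
    echo "WARNING: config.toml has no config_path pointing at certs.d; hosts.toml will be ignored" >&2
  systemctl restart containerd
}

# Verify from a node that the chain validates and the SAN matches the IP (exit status only).
verify_registry_tls() {
  host=$1; ca_file=$2
  echo | openssl s_client -connect "$host" -CAfile "$ca_file" \
    -verify_ip "${host%:*}" -verify_return_error >/dev/null 2>&1
}

# stand-alone use: issue | install | verify; with no argument, print the hosts.toml that would be installed
case "${1:-}" in
  issue)   make_registry_certs "${2:-./harbor-pki}" ;;
  install) install_registry_trust "$REGISTRY_HOST" "${2:-./harbor-pki/ca.crt}" ;;
  verify)  verify_registry_tls "$REGISTRY_HOST" "${2:-./harbor-pki/ca.crt}" && echo "TLS chain OK" ;;
  *)       render_hosts_toml "$REGISTRY_HOST" "/etc/containerd/certs.d/$REGISTRY_HOST/ca.crt" ;;
esac
```

Typical order: `sh harbor-trust.sh issue` on the build host, copy harbor.crt/harbor.key into the paths from harbor.yml and ca.crt to each node, `sh harbor-trust.sh install` as root on each node, then `sh harbor-trust.sh verify` from a node before re-running `crictl pull`. Pinning `ca` in hosts.toml means the nodes accept only certificates chaining to this CA for that host, which is stricter than the system store alone.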
5. Troubleshooting guide

5.1 Image pull failures

When Pods show ImagePullBackOff, check in this order.

1. Confirm Harbor is reachable. `/api/v2.0/health` needs no credentials; the catalog does:

```bash
curl https://172.23.123.117:8443/api/v2.0/health
curl -u admin:Harbor12345 https://172.23.123.117:8443/v2/_catalog
```

(`-k` can be added for a quick reachability test while the CA is not yet trusted, but it disables certificate verification, so do not rely on it beyond that.)

2. Check the registry configuration of containerd on the node (the cluster runs containerd, not docker, so /etc/docker is irrelevant here):

```bash
grep -A 5 'registry.mirrors' /etc/containerd/config.toml
```

3. Reproduce the pull by hand on the node; the kubesphere project is private, so pass credentials:

```bash
crictl pull --creds admin:Harbor12345 172.23.123.117:8443/kubesphere/pause:3.9
```

5.2 Network plugin problems

Calico troubleshooting flow: check the Calico Pod state, look at the node routing table, then collect diagnostics:

```bash
kubectl get pods -n kube-system -l k8s-app=calico-node
ip route show | grep cali
calicoctl node status
```

5.3 Preventing certificate expiry

The certificates generated by KubeKey (through kubeadm) are valid for one year by default. They can be renewed as follows.

Check the expiry dates:

```bash
kubeadm certs check-expiration
```

Renew all certificates:

```bash
kubeadm certs renew all
```

Restart the control-plane components so they load the new certificates. They run as static Pods under containerd, so docker does not see them; stop the containers and the kubelet recreates them:

```bash
crictl ps --name 'kube-apiserver|kube-controller-manager|kube-scheduler' -q | xargs -r crictl stop
```

KubeKey also has its own `./kk certs renew -f config-sample.yaml`, which covers the etcd certificates it manages outside kubeadm; run `kubeadm certs check-expiration` again afterwards to confirm the new dates.

During the actual deployment, the SELinux policy on Kylin was found to interfere with the containerd runtime. The temporary workaround is to switch to permissive mode:

```bash
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
```

Permissive mode removes SELinux confinement from every process on the node, not just containerd, so treat it as a diagnostic step rather than the final state: read the denials with `ausearch -m AVC -ts recent`, make sure the distribution's container-selinux package matching the containerd build is installed, and if a specific denial remains, build a targeted module with audit2allow instead of leaving enforcement off.
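Two of the checks in this section produce tabular output that is tedious to read on a cluster with many Pods or many certificates. The helpers below are an added example (not part of the article, KubeKey or kubeadm): one turns the list of Pods stuck in an image-pull state into the exact `crictl pull` commands to reproduce on the node (step 3 of 5.1), the other flags certificates from `kubeadm certs check-expiration` whose residual time is below a threshold (5.3). Both read the command output from stdin; the samples embedded here are constructed in the layout of those commands and are not real cluster output. The custom-columns query that produces the Pod table is an assumption about how you would collect it.

```sh
#!/bin/sh
# Added example: two parsers for the outputs used in sections 5.1 and 5.3.
# They read command output from stdin, so they run offline against the constructed samples
# below; on a real node pipe the live command into them instead.

# Live query behind SAMPLE_PODS (REASON is <none> for containers that are not waiting):
#   kubectl get pods -A --no-headers -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,\
#   REASON:.status.containerStatuses[*].state.waiting.reason,IMAGE:.spec.containers[*].image
# Constructed sample, not real cluster output:
SAMPLE_PODS='kube-system   calico-node-x7k2p          <none>             172.23.123.117:8443/kubesphere/calico-node:v3.27.4
kube-system   coredns-5d78c9869d-abcde   ImagePullBackOff   172.23.123.117:8443/kubesphere/coredns:1.9.3
kube-system   kube-proxy-2nq4z           ErrImagePull       172.23.123.117:8443/kubesphere/kube-proxy:v1.26.12
default       web-0                      ImagePullBackOff   172.23.123.117:8443/kubesphere/nginx:1.25,172.23.123.117:8443/kubesphere/pause:3.9'

# For every Pod stuck in an image-pull state, print one "crictl pull <image>" line per container
# image, so the failing pull can be reproduced on the node with the same registry path the kubelet used.
# (Add --creds user:password when the project is private, as in 5.1.)
pull_test_commands() {
  awk '$3 ~ /ImagePullBackOff|ErrImagePull/ {
    n = split($4, imgs, ",")
    for (i = 1; i <= n; i++) print "crictl pull " imgs[i]
  }'
}

# Live command behind SAMPLE_CERTS: kubeadm certs check-expiration
# Constructed sample in that command's layout (RESIDUAL TIME is the 7th field: Nd, Nh, Ny or <invalid>):
SAMPLE_CERTS='CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Apr 11, 2027 01:13 UTC   364d            ca                      no
apiserver                  Apr 11, 2027 01:13 UTC   364d            ca                      no
apiserver-kubelet-client   Apr 11, 2027 01:13 UTC   364d            ca                      no
front-proxy-client         Apr 24, 2026 01:13 UTC   12d             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 09, 2036 01:13 UTC   9y              no
front-proxy-ca          Apr 09, 2036 01:13 UTC   9y              no'

# Print "name (residual)" for every certificate whose residual time is below $1 days.
# Header rows start with CERTIFICATE and are skipped; anything unparseable (e.g. <invalid>) counts as expired.
certs_expiring_within() {
  awk -v limit="$1" '
    NF >= 7 && $1 != "CERTIFICATE" {
      r = $7; days = -1
      if (r ~ /^[0-9]+d$/) days = substr(r, 1, length(r) - 1) + 0
      else if (r ~ /^[0-9]+h$/) days = 0
      else if (r ~ /^[0-9]+y$/) days = substr(r, 1, length(r) - 1) * 365
      if (days < limit) print $1 " (" r ")"
    }'
}

# stand-alone run against the constructed samples
echo "== pull tests to run on the node =="
printf '%s\n' "$SAMPLE_PODS" | pull_test_commands
echo "== certificates expiring within 30 days =="
printf '%s\n' "$SAMPLE_CERTS" | certs_expiring_within 30
```

On a live cluster, `kubeadm certs check-expiration | certs_expiring_within 30` in a cron job or a monitoring check gives an early warning well before the one-year expiry described above, which is the point at which kubectl and the kubelets stop being able to talk to the API server.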
