Debain12 部署Kubernetes 1.32.5 单节点教程

1.准备工作(我这里使用 ESXi 7.0 U2 创建虚拟机)

cpu 8c
内存 8g
系统 debain 12
ip 192.168.xxx.70

2.开始部署

关闭 swap

1
sed -ri 's/^([^#].*swap.*)$/#\1/' /etc/fstab && grep swap /etc/fstab && swapoff -a && free -h

如果安装了防火墙请关闭防火墙

1
ufw disable

开启ipv4转发

1
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
2
net.ipv4.ip_forward = 1
3
EOF
4
sysctl --system
5
sysctl net.ipv4.ip_forward

设置hostname

1
nano /etc/hostname
2
debain-master

设置host

1
nano /etc/hosts
2

3

4
127.0.0.1       localhost
5
127.0.1.1       debain-master
6

7
# The following lines are desirable for IPv6 capable hosts
8
::1     localhost ip6-localhost ip6-loopback
9
ff02::1 ip6-allnodes
10
ff02::2 ip6-allrouters

安装containerd

1
apt update && apt install -y containerd

查看containerd版本

1
containerd -v
2

3
root@debian:~# containerd -v
4
containerd github.com/containerd/containerd 1.6.20~ds1 1.6.20~ds1-1+deb12u1

生成默认containerd配置文件

1
mkdir -p /etc/containerd && containerd config default>/etc/containerd/config.toml

编辑配置文件

nano /etc/containerd/config.toml

修改plugins.”io.containerd.grpc.v1.cri”.containerd.runtimes.runc.options 的 SystemdCgroup = fales 为 true

修改sandbox_image = “registry.k8s.io/pause:3.6” 为sandbox_image = “registry.aliyuncs.com/google_containers/pause:3.9”

1
disabled_plugins = []
2
imports = []
3
oom_score = 0
4
plugin_dir = ""
5
required_plugins = []
6
root = "/var/lib/containerd"
7
state = "/run/containerd"
8
temp = ""
9
version = 2
10

11
[cgroup]
12
  path = ""
13

14
[debug]
15
  address = ""
16
  format = ""
17
  gid = 0
18
  level = ""
19
  uid = 0
20

21
[grpc]
22
  address = "/run/containerd/containerd.sock"
23
  gid = 0
24
  max_recv_message_size = 16777216
25
  max_send_message_size = 16777216
26
  tcp_address = ""
27
  tcp_tls_ca = ""
28
  tcp_tls_cert = ""
29
  tcp_tls_key = ""
30
  uid = 0
31

32
[metrics]
33
  address = ""
34
  grpc_histogram = false
35

36
[plugins]
37

38
  [plugins."io.containerd.gc.v1.scheduler"]
39
    deletion_threshold = 0
40
    mutation_threshold = 100
41
    pause_threshold = 0.02
42
    schedule_delay = "0s"
43
    startup_delay = "100ms"
44

45
  [plugins."io.containerd.grpc.v1.cri"]
46
    device_ownership_from_security_context = false
47
    disable_apparmor = false
48
    disable_cgroup = false
49
    disable_hugetlb_controller = true
50
    disable_proc_mount = false
51
    disable_tcp_service = true
52
    enable_selinux = false
53
    enable_tls_streaming = false
54
    enable_unprivileged_icmp = false
55
    enable_unprivileged_ports = false
56
    ignore_image_defined_volumes = false
57
    max_concurrent_downloads = 3
58
    max_container_log_line_size = 16384
59
    netns_mounts_under_state_dir = false
60
    restrict_oom_score_adj = false
61
    sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.9"
62
    selinux_category_range = 1024
63
    stats_collect_period = 10
64
    stream_idle_timeout = "4h0m0s"
65
    stream_server_address = "127.0.0.1"
66
    stream_server_port = "0"
67
    systemd_cgroup = false
68
    tolerate_missing_hugetlb_controller = true
69
    unset_seccomp_profile = ""
70

71
    [plugins."io.containerd.grpc.v1.cri".cni]
72
      bin_dir = "/opt/cni/bin"
73
      conf_dir = "/etc/cni/net.d"
74
      conf_template = ""
75
      ip_pref = ""
76
      max_conf_num = 1
77

78
    [plugins."io.containerd.grpc.v1.cri".containerd]
79
      default_runtime_name = "runc"
80
      disable_snapshot_annotations = true
81
      discard_unpacked_layers = false
82
      ignore_rdt_not_enabled_errors = false
83
      no_pivot = false
84
      snapshotter = "overlayfs"
85

86
      [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
87
        base_runtime_spec = ""
88
        cni_conf_dir = ""
89
        cni_max_conf_num = 0
90
        container_annotations = []
91
        pod_annotations = []
92
        privileged_without_host_devices = false
93
        runtime_engine = ""
94
        runtime_path = ""
95
        runtime_root = ""
96
        runtime_type = ""
97

98
        [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]
99

100
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
101

102
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
103
          base_runtime_spec = ""
104
          cni_conf_dir = ""
105
          cni_max_conf_num = 0
106
          container_annotations = []
107
          pod_annotations = []
108
          privileged_without_host_devices = false
109
          runtime_engine = ""
110
          runtime_path = ""
111
          runtime_root = ""
112
          runtime_type = "io.containerd.runc.v2"
113

114
          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
115
            BinaryName = ""
116
            CriuImagePath = ""
117
            CriuPath = ""
118
            CriuWorkPath = ""
119
            IoGid = 0
120
            IoUid = 0
121
            NoNewKeyring = false
122
            NoPivotRoot = false
123
            Root = ""
124
            ShimCgroup = ""
125
            SystemdCgroup = true
126

127
      [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
128
        base_runtime_spec = ""
129
        cni_conf_dir = ""
130
        cni_max_conf_num = 0
131
        container_annotations = []
132
        pod_annotations = []
133
        privileged_without_host_devices = false
134
        runtime_engine = ""
135
        runtime_path = ""
136
        runtime_root = ""
137
        runtime_type = ""
138

139
        [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options]
140

141
    [plugins."io.containerd.grpc.v1.cri".image_decryption]
142
      key_model = "node"
143

144
    [plugins."io.containerd.grpc.v1.cri".registry]
145
      config_path = ""
146

147
      [plugins."io.containerd.grpc.v1.cri".registry.auths]
148

149
      [plugins."io.containerd.grpc.v1.cri".registry.configs]
150

151
      [plugins."io.containerd.grpc.v1.cri".registry.headers]
152

153
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
154

155
    [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
156
      tls_cert_file = ""
157
      tls_key_file = ""
158

159
  [plugins."io.containerd.internal.v1.opt"]
160
    path = "/opt/containerd"
161

162
  [plugins."io.containerd.internal.v1.restart"]
163
    interval = "10s"
164

165
  [plugins."io.containerd.metadata.v1.bolt"]
166
    content_sharing_policy = "shared"
167

168
  [plugins."io.containerd.monitor.v1.cgroups"]
169
    no_prometheus = false
170

171
  [plugins."io.containerd.runtime.v1.linux"]
172
    no_shim = false
173
    runtime = "runc"
174
    runtime_root = ""
175
    shim = "containerd-shim"
176
    shim_debug = false
177

178
  [plugins."io.containerd.runtime.v2.task"]
179
    platforms = ["linux/amd64"]
180
    sched_core = false
181

182
  [plugins."io.containerd.service.v1.diff-service"]
183
    default = ["walking"]
184

185
  [plugins."io.containerd.service.v1.tasks-service"]
186
    rdt_config_file = ""
187

188
  [plugins."io.containerd.snapshotter.v1.aufs"]
189
    root_path = ""
190

191
  [plugins."io.containerd.snapshotter.v1.btrfs"]
192
    root_path = ""
193

194
  [plugins."io.containerd.snapshotter.v1.devmapper"]
195
    async_remove = false
196
    base_image_size = ""
197
    discard_blocks = false
198
    fs_options = ""
199
    fs_type = ""
200
    pool_name = ""
201
    root_path = ""
202

203
  [plugins."io.containerd.snapshotter.v1.native"]
204
    root_path = ""
205

206
  [plugins."io.containerd.snapshotter.v1.overlayfs"]
207
    root_path = ""
208
    upperdir_label = false
209

210
  [plugins."io.containerd.snapshotter.v1.zfs"]
211
    root_path = ""
212

213
[proxy_plugins]
214

215
[stream_processors]
216

217
  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
218
    accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
219
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
220
    env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
221
    path = "ctd-decoder"
222
    returns = "application/vnd.oci.image.layer.v1.tar"
223

224
  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
225
    accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
226
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
227
    env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
228
    path = "ctd-decoder"
229
    returns = "application/vnd.oci.image.layer.v1.tar+gzip"
230

231
[timeouts]
232
  "io.containerd.timeout.bolt.open" = "0s"
233
  "io.containerd.timeout.shim.cleanup" = "5s"
234
  "io.containerd.timeout.shim.load" = "5s"
235
  "io.containerd.timeout.shim.shutdown" = "3s"
236
  "io.containerd.timeout.task.state" = "2s"
237

238
[ttrpc]
239
  address = ""
240
  gid = 0
241
  uid = 0

重启 containerd 服务

1
systemctl restart containerd
2
systemctl enable containerd

添加Kubernetes GPG 密钥

1
apt install -y apt-transport-https ca-certificates curl gpg
2
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.32/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
3
chmod 644 /etc/apt/keyrings/kubernetes-apt-keyring.gpg

添加 Kubernetes apt 仓库

1
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.32/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list

更新apt源安装 kubeadm, kubelet, kubectl 并禁止更新

1
apt update && \
2
apt install -y kubelet kubectl kubeadm && \
3
apt-mark hold kubelet kubeadm kubectl

验证安装

1
root@debian:~# kubectl version
2
Client Version: v1.32.5
3
Kustomize Version: v5.5.0
4
The connection to the server localhost:8080 was refused - did you specify the right host or port?
5
root@debian:~# kubelet version
6
E0601 12:25:40.197825   18045 run.go:72] "command failed" err="unknown command version"
7
root@debian:~# kubeadm version
8
kubeadm version: &version.Info{Major:"1", Minor:"32", GitVersion:"v1.32.5", GitCommit:"9894294ef13a5b32803e3ca2c0d620a088cc84d1", GitTreeState:"clean", BuildDate:"2025-05-15T09:10:46Z", GoVersion:"go1.23.8", Compiler:"gc", Platform:"linux/amd64"}

生成初始化节点配置文件

1
kubeadm config print init-defaults > kubeadm-config.yaml

编辑配置

1
nano kubeadm-config.yaml

将advertiseAddress: 1.2.3.4 修改为 advertiseAddress: 192.168.xxx.70 (修改为你的master节点ip地址)
将nodeRegistration 中的 name 修改为你的master 节点的主机名
在networking 中添加 podSubnet: 10.244.0.0/16
将imageRepository: registry.k8s.io 修改为imageRepository: registry.aliyuncs.com/google_containers

1
apiVersion: kubeadm.k8s.io/v1beta4
2
bootstrapTokens:
3
- groups:
4
  - system:bootstrappers:kubeadm:default-node-token
5
  token: abcdef.0123456789abcdef
6
  ttl: 24h0m0s
7
  usages:
8
  - signing
9
  - authentication
10
kind: InitConfiguration
11
localAPIEndpoint:
12
  advertiseAddress: 192.168.xxx.70
13
  bindPort: 6443
14
nodeRegistration:
15
  criSocket: unix:///var/run/containerd/containerd.sock
16
  imagePullPolicy: IfNotPresent
17
  imagePullSerial: true
18
  name: debain-master
19
  taints: null
20
timeouts:
21
  controlPlaneComponentHealthCheck: 4m0s
22
  discovery: 5m0s
23
  etcdAPICall: 2m0s
24
  kubeletHealthCheck: 4m0s
25
  kubernetesAPICall: 1m0s
26
  tlsBootstrap: 5m0s
27
  upgradeManifests: 5m0s
28
---
29
apiServer: {}
30
apiVersion: kubeadm.k8s.io/v1beta4
31
caCertificateValidityPeriod: 87600h0m0s
32
certificateValidityPeriod: 8760h0m0s
33
certificatesDir: /etc/kubernetes/pki
34
clusterName: kubernetes
35
controllerManager: {}
36
dns: {}
37
encryptionAlgorithm: RSA-2048
38
etcd:
39
  local:
40
    dataDir: /var/lib/etcd
41
imageRepository: registry.aliyuncs.com/google_containers
42
kind: ClusterConfiguration
43
kubernetesVersion: 1.32.0
44
networking:
45
  dnsDomain: cluster.local
46
  serviceSubnet: 10.96.0.0/12
47
  podSubnet: 10.244.0.0/16
48
proxy: {}
49
scheduler: {}

初始化节点

1
kubeadm init --config kubeadm-config.yaml --upload-certs --v=9

初始化成功以后运行

1
  mkdir -p $HOME/.kube
2
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
3
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

安装Calico

1
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.30.1/manifests/tigera-operator.yaml
2

3
wget https://github.moeyy.xyz/https://raw.githubusercontent.com/projectcalico/calico/v3.30.1/manifests/custom-resources.yaml

修改custom-resources.yaml

1
 nano custom-resources.yaml

将cidr 修改为在kubeadm-config.yaml 中定义的 podSubnet: 10.244.0.0/16 -> cidr: 10.244.0.0/16/16
在spec 中添加镜像registry: docker.m.daocloud.io

1
# This section includes base Calico installation configuration.
2
# For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.Installation
3
apiVersion: operator.tigera.io/v1
4
kind: Installation
5
metadata:
6
  name: default
7
spec:
8
  # Configures Calico networking.
9
  registry: docker.m.daocloud.io # <-- 添加或修改此行！
10
  calicoNetwork:
11
    ipPools:
12
    - name: default-ipv4-ippool
13
      blockSize: 26
14
      cidr: 10.244.0.0/16
15
      encapsulation: VXLANCrossSubnet
16
      natOutgoing: Enabled
17
      nodeSelector: all()
18

19
---
20

21
# This section configures the Calico API server.
22
# For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.APIServer
23
apiVersion: operator.tigera.io/v1
24
kind: APIServer
25
metadata:
26
  name: default
27
spec: {}
28

29
---
30

31
# Configures the Calico Goldmane flow aggregator.
32
apiVersion: operator.tigera.io/v1
33
kind: Goldmane
34
metadata:
35
  name: default
36

37
---
38

39
# Configures the Calico Whisker observability UI.
40
apiVersion: operator.tigera.io/v1
41
kind: Whisker
42
metadata:
43
  name: default

apply

1
 kubectl create -f custom-resources.yaml
2

3

4
Every 2.0s: kubectl get pods -n calico-system
5

6
NAME                                       READY   STATUS    RESTARTS   AGE
7
calico-kube-controllers-77f646f8d9-6dlkw   1/1     Running   0          4m20s
8
calico-node-5n2cp                          1/1     Running   0          4m23s
9
calico-typha-b6c4c4db5-lmkc6               1/1     Running   0          4m25s
10
csi-node-driver-cklfv                      2/2     Running   0          4m22s
11
goldmane-795ddb994b-vssfw                  1/1     Running   0          4m26s
12
whisker-7cc794bddb-dt4ms                   2/2     Running   0          2m44s

可用性验证

1
root@debain-master:~# kubectl get svc -n kube-system
2
NAME       TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE
3
kube-dns   ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP,9153/TCP   58m
4
root@debain-master:~# dig -t a www.bilibili.com @10.96.0.10
5

6
; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> -t a www.bilibili.com @10.96.0.10
7
;; global options: +cmd
8
;; Got answer:
9
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16904
10
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
11

12
;; OPT PSEUDOSECTION:
13
; EDNS: version: 0, flags:; udp: 1232
14
; COOKIE: 4138133d6f05ec22 (echoed)
15
;; QUESTION SECTION:
16
;www.bilibili.com.              IN      A
17

18
;; ANSWER SECTION:
19
www.bilibili.com.       30      IN      A       111.6.167.135
20
www.bilibili.com.       30      IN      A       111.6.167.136
21
www.bilibili.com.       30      IN      A       111.6.167.134
22
www.bilibili.com.       30      IN      A       111.6.167.137
23

24
;; Query time: 0 msec
25
;; SERVER: 10.96.0.10#53(10.96.0.10) (UDP)
26
;; WHEN: Sun Jun 01 14:02:24 CST 2025
27
;; MSG SIZE  rcvd: 185