参考

https://mritd.me/2016/10/29/set-up-kubernetes-cluster-by-kubeadm/
http://www.jianshu.com/p/4f5066dad9b4
http://kubernetes.io/docs/admin/addons/
https://github.com/kubernetes/kubernetes/issues/43815
https://github.com/kubernetes/kubernetes/pull/43835
https://www.addops.cn/post/kubernetes-deployment.html

环境

centos 7.2
docker-engine-1.12.6(使用阿里云加速器)
k8s 1.6.1
主机名可解析

打包rpm

yum  install git -y
git clone https://github.com/kubernetes/release && cd release/rpm && ./docker-build.sh
[root@cloud4ourself-mykc1 release]# git rev-parse --short HEAD
ee84be6

安装（master and nodes）

echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.conf
sysctl -p

yum install output/x86_64/kube*.rpm -y

此处kubeadm 1.6.0存在一个bug，https://github.com/kubernetes/kubernetes/issues/43815，
1.6.1已解决

下载docker images

docker pull 4admin2root/kube-controller-manager-amd64:v1.6.0
docker pull 4admin2root/kube-scheduler-amd64:v1.6.0
docker pull 4admin2root/kube-apiserver-amd64:v1.6.0
docker pull 4admin2root/etcd-amd64:3.0.17
docker pull 4admin2root/kube-proxy-amd64:v1.6.0
docker pull  4admin2root/k8s-dns-sidecar-amd64:1.14.1
docker pull  4admin2root/k8s-dns-dnsmasq-nanny-amd64:1.14.1
docker pull  4admin2root/pause-amd64:3.0
docker pull 4admin2root/etcd:2.2.1

docker pull 4admin2root/node:v1.1.0
docker pull 4admin2root/cni:v1.6.1
docker pull 4admin2root/kube-policy-controller:v0.5.4


docker tag 4admin2root/kube-controller-manager-amd64:v1.6.0    gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0
docker tag 4admin2root/kube-scheduler-amd64:v1.6.0             gcr.io/google_containers/kube-scheduler-amd64:v1.6.0
docker tag 4admin2root/kube-apiserver-amd64:v1.6.0             gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
docker tag 4admin2root/etcd-amd64:3.0.17                       gcr.io/google_containers/etcd-amd64:3.0.17
docker tag 4admin2root/kube-proxy-amd64:v1.6.0                 gcr.io/google_containers/kube-proxy-amd64:v1.6.0
docker tag  4admin2root/k8s-dns-sidecar-amd64:1.14.1           gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1 
docker tag  4admin2root/k8s-dns-dnsmasq-nanny-amd64:1.14.1     gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1
docker tag  4admin2root/pause-amd64:3.0                        gcr.io/google_containers/pause-amd64:3.0
docker tag  4admin2root/etcd:2.2.1                             gcr.io/google_containers/etcd:2.2.1

docker tag  4admin2root/node:v1.1.0   quay.io/calico/node:v1.1.0
docker tag  4admin2root/cni:v1.6.1    quay.io/calico/cni:v1.6.1
docker tag  4admin2root/kube-policy-controller:v0.5.4  quay.io/calico/kube-policy-controller:v0.5.4

master执行init(使用下载版本kubeadm)

[root@cloud4ourself-mykc2 ~]# kubeadm init
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[init] Using Kubernetes version: v1.6.0
[init] Using Authorization mode: RBAC
[preflight] Running pre-flight checks
[preflight] WARNING: kubelet service is not enabled, please run 'systemctl enable kubelet.service'
[preflight] Starting the kubelet service
[certificates] Generated CA certificate and key.
[certificates] Generated API server certificate and key.
[certificates] API Server serving cert is signed for DNS names [cloud4ourself-mykc2.novalocal kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 10.9.5.107]
[certificates] Generated API server kubelet client certificate and key.
[certificates] Generated service account token signing key and public key.
[certificates] Generated front-proxy CA certificate and key.
[certificates] Generated front-proxy client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"
[apiclient] Created API client, waiting for the control plane to become ready
[apiclient] All control plane components are healthy after 23.784875 seconds
[apiclient] Waiting for at least one node to register
[apiclient] First node has registered after 4.502966 seconds
[token] Using token: 8d92f5.922276a553ed2847
[apiconfig] Created RBAC rules
[addons] Created essential addon: kube-proxy
[addons] Created essential addon: kube-dns

Your Kubernetes master has initialized successfully!

To start using your cluster, you need to run (as a regular user):

  sudo cp /etc/kubernetes/admin.conf $HOME/
  sudo chown $(id -u):$(id -g) $HOME/admin.conf
  export KUBECONFIG=$HOME/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  http://kubernetes.io/docs/admin/addons/

You can now join any number of machines by running the following on each node
as root:

  kubeadm join --token 8d92f5.922276a553ed2847 10.9.5.107:6443
[root@cloud4ourself-mykc2 ~]# kubectl --kubeconfig /etc/kubernetes/admin.conf get nodes
NAME                            STATUS     AGE       VERSION
cloud4ourself-mykc2.novalocal   NotReady   9m        v1.6.1
[root@cloud4ourself-mykc2 ~]# kubectl --kubeconfig /etc/kubernetes/admin.conf get pod --all-namespaces
NAMESPACE     NAME                                                    READY     STATUS    RESTARTS   AGE
kube-system   etcd-cloud4ourself-mykc2.novalocal                      1/1       Running   0          9m
kube-system   kube-apiserver-cloud4ourself-mykc2.novalocal            1/1       Running   0          9m
kube-system   kube-controller-manager-cloud4ourself-mykc2.novalocal   1/1       Running   0          9m
kube-system   kube-dns-3913472980-jgk3f                               0/3       Pending   0          10m
kube-system   kube-proxy-9ghw7                                        1/1       Running   0          10m
kube-system   kube-scheduler-cloud4ourself-mykc2.novalocal            1/1       Running   0          9m

#docker pull quay.io/calico/cni:v1.6.1
#docker pull quay.io/calico/node:v1.1.0
#docker pull quay.io/calico/kube-policy-controller:v0.5.4

[root@cloud4ourself-mykc2 ~]# kubectl apply -f http://docs.projectcalico.org/v2.1/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml --kubeconfig /etc/kubernetes/admin.conf
configmap "calico-config" created
daemonset "calico-etcd" created
service "calico-etcd" created
daemonset "calico-node" created
deployment "calico-policy-controller" created
clusterrolebinding "calico-cni-plugin" created
clusterrole "calico-cni-plugin" created
serviceaccount "calico-cni-plugin" created
clusterrolebinding "calico-policy-controller" created
clusterrole "calico-policy-controller" created
serviceaccount "calico-policy-controller" created
[root@cloud4ourself-mykc2 ~]# kubectl --kubeconfig /etc/kubernetes/admin.conf get pod --all-namespaces
NAMESPACE     NAME                                                    READY     STATUS              RESTARTS   AGE
kube-system   calico-etcd-q6p11                                       1/1       Running             0          8s
kube-system   calico-node-j3b47                                       0/2       ContainerCreating   0          7s
kube-system   calico-policy-controller-2561685917-8sj5l               0/1       Pending             0          7s
kube-system   etcd-cloud4ourself-mykc2.novalocal                      1/1       Running             0          12m
kube-system   kube-apiserver-cloud4ourself-mykc2.novalocal            1/1       Running             0          12m
kube-system   kube-controller-manager-cloud4ourself-mykc2.novalocal   1/1       Running             0          12m
kube-system   kube-dns-3913472980-jgk3f                               0/3       Pending             0          13m
kube-system   kube-proxy-9ghw7                                        1/1       Running             0          13m
kube-system   kube-scheduler-cloud4ourself-mykc2.novalocal            1/1       Running             0          12m

[root@cloud4ourself-mykc2 ~]# kubectl --kubeconfig /etc/kubernetes/admin.conf get pod --all-namespaces
NAMESPACE     NAME                                                    READY     STATUS    RESTARTS   AGE
kube-system   calico-etcd-q6p11                                       1/1       Running   0          9m
kube-system   calico-node-j3b47                                       2/2       Running   0          9m
kube-system   calico-policy-controller-2561685917-8sj5l               1/1       Running   0          9m
kube-system   etcd-cloud4ourself-mykc2.novalocal                      1/1       Running   0          21m
kube-system   kube-apiserver-cloud4ourself-mykc2.novalocal            1/1       Running   0          21m
kube-system   kube-controller-manager-cloud4ourself-mykc2.novalocal   1/1       Running   0          21m
kube-system   kube-dns-3913472980-jgk3f                               3/3       Running   0          22m
kube-system   kube-proxy-9ghw7                                        1/1       Running   0          22m
kube-system   kube-scheduler-cloud4ourself-mykc2.novalocal            1/1       Running   0          21m
[root@cloud4ourself-mykc2 ~]# echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile
[root@cloud4ourself-mykc2 ~]# source ~/.bash_profile

其他节点

#docker pull quay.io/calico/cni:v1.6.1
#docker pull quay.io/calico/node:v1.1.0
#docker pull quay.io/calico/kube-policy-controller:v0.5.4

[root@cloud4ourself-mykc3 ~]#  kubeadm join --token 8d92f5.922276a553ed2847 10.9.5.107:6443
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[preflight] Running pre-flight checks
[discovery] Trying to connect to API Server "10.9.5.107:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://10.9.5.107:6443"
[discovery] Cluster info signature and contents are valid, will use API Server "https://10.9.5.107:6443"
[discovery] Successfully established connection with API Server "10.9.5.107:6443"
[bootstrap] Detected server version: v1.6.0
[bootstrap] The server supports the Certificates API (certificates.k8s.io/v1beta1)
[csr] Created API client to obtain unique certificate for this node, generating keys and certificate signing request
[csr] Received signed certificate from the API server, generating KubeConfig...
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"

Node join complete:
* Certificate signing request sent to master and response
  received.
* Kubelet informed of new secure connection details.

Run 'kubectl get nodes' on the master to see this machine join.