# 高可用架构
# – 3个Master节点
# – 3个ETCD节点
# – 6个Worker节点
# – 负载均衡器
# – 多可用区部署

# 网络架构
# – Pod网络：10.233.0.0/16
# – Service网络：10.96.0.0/12
# – 网络插件：Calico
# – 网络策略：启用

# 节点资源
# – Master节点：4 CPU, 16GB RAM
# – Worker节点：8 CPU, 32GB RAM
# – 总资源：60 CPU, 240GB RAM

# 存储资源
# – 系统存储：100GB
# – 数据存储：1TB
# – 日志存储：500GB
# – 备份存储：1TB

# 网络安全
# – 防火墙规则
# – 网络隔离
# – 访问控制

# 访问控制
# – RBAC权限
# – Pod安全策略
# – 审计日志

# 节点准备
# 配置主机名
hostnamectl set-hostname k8s-master-1
hostnamectl set-hostname k8s-master-2
hostnamectl set-hostname k8s-master-3
hostnamectl set-hostname k8s-worker-1
hostnamectl set-hostname k8s-worker-2
hostnamectl set-hostname k8s-worker-3
hostname set successfully

# 配置hosts文件
cat >> /etc/hosts <<EOF
192.168.1.101 k8s-master-1
192.168.1.102 k8s-master-2
192.168.1.103 k8s-master-3
192.168.1.201 k8s-worker-1
192.168.1.202 k8s-worker-2
192.168.1.203 k8s-worker-3
EOF
hosts file updated

# 关闭Swap
swapoff -a
sed -i ‘/ swap / s/^\(.*\)$/#\1/g’ /etc/fstab
swap disabled

# 配置内核参数
cat >> /etc/sysctl.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
sysctl -p
kernel parameters updated

# 安装Docker
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-utils installed

yum-config-manager –add-repo https://download.docker.com/linux/centos/docker-ce.repo
repo added

yum install -y docker-ce docker-ce-cli containerd.io
docker installed

# 配置Docker
mkdir -p /etc/docker
cat > /etc/docker/daemon.json <<EOF
{
“registry-mirrors”: [“https://mirror.example.com”],
“exec-opts”: [“native.cgroupdriver=systemd”],
“log-driver”: “json-file”,
“log-opts”: {
“max-size”: “100m”
},
“storage-driver”: “overlay2”
}
EOF
docker configured

systemctl enable docker
systemctl start docker
docker started

# 验证Docker
docker version
Client: Docker Engine – Community
Version: 24.0.7
Server: Docker Engine – Community
Version: 24.0.7

# 安装KubeKey
，
curl -sfL https://get-kk.kubesphere.io | VERSION=v3.0.13 sh –
Downloading kk …
kk installed successfully

# 创建配置文件
cat > config.yaml <<EOF
apiVersion: kubekey.kubesphere.io/v1alpha2
kind: Cluster
metadata:
name: sample
spec:
hosts:
– {name: k8s-master-1, address: 192.168.1.101, internalAddress: 192.168.1.101, user: root, password: “root123”}
– {name: k8s-master-2, address: 192.168.1.102, internalAddress: 192.168.1.102, user: root, password: “root123”}
– {name: k8s-master-3, address: 192.168.1.103, internalAddress: 192.168.1.103, user: root, password: “root123”}
– {name: k8s-worker-1, address: 192.168.1.201, internalAddress: 192.168.1.201, user: root, password: “root123”}
– {name: k8s-worker-2, address: 192.168.1.202, internalAddress: 192.168.1.202, user: root, password: “root123”}
– {name: k8s-worker-3, address: 192.168.1.203, internalAddress: 192.168.1.203, user: root, password: “root123”}
roleGroups:
etcd:
– k8s-master-1
– k8s-master-2
– k8s-master-3
control-plane:
– k8s-master-1
– k8s-master-2
– k8s-master-3
worker:
– k8s-worker-1
– k8s-worker-2
– k8s-worker-3
controlPlaneEndpoint:
internalLoadbalancer: haproxy
domain: lb.kubesphere.local
address: “”
port: 6443
kubernetes:
version: v1.28.0
clusterName: cluster.local
autoRenewCerts: true
containerManager: docker
etcd:
type: kubekey
network:
plugin: calico
kubePodsCIDR: 10.233.0.0/16
kubeServiceCIDR: 10.96.0.0/12
registry:
privateRegistry: “”
namespaceOverride: “”
registryMirrors: []
insecureRegistries: []
addons: []
—
apiVersion: installer.kubesphere.io/v1alpha1
kind: ClusterConfiguration
metadata:
name: ks-installer
namespace: kubesphere-system
labels:
version: v3.4.1
spec:
persistence:
storageClass: “”
authentication:
jwtSecret: “”
local_registry: “”
namespace_override: “”
etcd:
monitoring: false
endpointIps: 192.168.1.101,192.168.1.102,192.168.1.103
port: 2379
tlsEnable: true
common:
core:
console:
enableMultiLogin: true
port: 30880
type: NodePort
，
alerting:
enabled: true
auditing:
enabled: true
devops:
enabled: true
jenkinsCpuReq: 0.5
jenkinsCpuLim: 1
jenkinsMemoryReq: 4Gi
jenkinsMemoryLim: 4Gi
jenkinsVolumeSize: 8Gi
events:
enabled: true
logging:
enabled: true
logsidecar:
enabled: true
replicas: 2
metrics_server:
enabled: false
monitoring:
storageClass: “”
prometheusMemoryRequest: 400Mi
prometheusVolumeSize: 20Gi
alertmanagerVolumeSize: 2Gi
multicluster:
clusterRole: none
network:
networkpolicy:
enabled: true
ippool:
type: calico
topology:
type: none
openpitrix:
store:
enabled: true
servicemesh:
enabled: true
istio:
components:
ingressGateways:
– name: istio-ingressgateway
enabled: false
cni:
enabled: false
edgeruntime:
enabled: false
gatekeeper:
enabled: false
terminal:
timeout: 600
EOF
config.yaml created

# 安装KubeSphere
./kk create cluster -f config.yaml
Cluster installation started successfully

# 查看安装状态
kubectl logs -n kubesphere-system deployment/ks-installer -f
Waiting for installation to complete…
Installation completed successfully!

# 节点维护
# 标记节点为不可调度
kubectl cordon k8s-worker-1
node/k8s-worker-1 cordoned

# 驱逐节点上的Pod
kubectl drain k8s-worker-1 –ignore-daemonsets –delete-emptydir-data
node/k8s-worker-1 drained

# 维护节点
# … 执行维护操作 …

# 恢复节点调度
kubectl uncordon k8s-worker-1
node/k8s-worker-1 uncordoned

# 集群升级
# 备份ETCD
ETCDCTL_API=3 etcdctl snapshot save snapshot.db \
–cacert=/etc/kubernetes/pki/etcd/ca.crt \
–cert=/etc/kubernetes/pki/etcd/server.crt \
–key=/etc/kubernetes/pki/etcd/server.key
Snapshot saved at snapshot.db

# 升级Kubernetes
kubeadm upgrade plan
Components that must be upgraded manually after you have upgraded the control plane with ‘kubeadm upgrade apply’:
COMPONENT CURRENT AVAILABLE
kubelet 1 x v1.27.0 v1.28.0

# 升级控制平面
kubeadm upgrade apply v1.28.0
[upgrade/successful] SUCCESS! Your cluster was upgraded to “v1.28.0”. Enjoy!

# 升级kubelet
yum install -y kubelet-1.28.0 kubeadm-1.28.0 kubectl-1.28.0
systemctl daemon-reload
systemctl restart kubelet
kubelet upgraded successfully

# 备份集群
# 安装Velero
velero install –provider aws \
–plugins velero/velero-plugin-for-aws:v1.8.0 \
–bucket velero-backups \
–secret-file ./credentials-velero \
–use-volume-snapshots=true \
–backup-location-config region=minio
Velero is installed!

# 创建备份
velero backup create myapp-backup –include-namespaces myapp
Backup request “myapp-backup” submitted successfully.
Run `velero backup describe myapp-backup` or `velero backup logs myapp-backup` for more details.

# 查看备份
velero backup get
NAME STATUS ERRORS WARNINGS CREATED EXPIRES STORAGE LOCATION SELECTOR
myapp-backup Completed 0 0 2026-01-15 10:00:00 +0000 UTC 29d default <none>

# 恢复集群
# 执行恢复
velero restore create –from-backup myapp-backup
Restore request “myapp-backup-20260115102000” submitted successfully.
Run `velero restore describe myapp-backup-20260115102000` or `velero restore logs myapp-backup-20260115102000` for more details.

# 查看恢复状态
velero restore get
NAME BACKUP STATUS STARTED COMPLETED ERRORS WARNINGS CREATED SELECTOR
myapp-backup-20260115102000 myapp-backup Completed 2026-01-15 10:20:00 +0000 UTC 2026-01-15 10:20:30 +0000 UTC 0 0 2026-01-15 10:20:00 +0000 UTC <none>