一、简介RKE2 是 Rancher 公司开源的 Kubernetes 发行版通过 systemd 服务方式部署和管理 K8s 集群以安全合规为核心设计目标是 RKE1 的替代产品。1、rke 和 rke2 部署区别架构层面对比项RKE1RKE2运行时Dockercontainerd组件运行方式Docker 容器静态 Pod containerdetcd独立容器内嵌管理网络插件默认CanalCanal安装方式二进制 cluster.ymlsystemd 服务安全层面 RKE2 也叫 RKE Government专门为安全合规设计 默认启用 SELinux 支持 组件默认开启 TLS 加密 符合 CIS Benchmark 安全基线 默认禁用不安全的 API 维护层面 RKE1 已停止新功能开发只做安全补丁 RKE2 持续迭代跟进上游 K8s 版本 操作层面 RKE1 需要单独的 rke 命令行工具 cluster.yml 文件来管理集群 RKE2 更像 K3s直接 systemd 管理配置更简单2、部署集群安装前准备 3 台机器我这里是基于linux rockey9.7 版本进行部署1master 2worker一主两从配置节点cpuip磁盘内存master4c172.16.72.20040G4Gnode014c172.16.72.20140G3Gnode024c172.16.72.20240G3G三台机器操作同步 #修改主机名 hostnamectl set-hostname master\node-1\node-2 bash #我这里关闭防火墙、安全机制也可以放行安全机制也可以不修改 systemctl stop firewalld.service vim /etc/selinux/config SELINUXdisabled #关闭交换内存 swapoff -a [rootmaster ~]# free -h #检查是否关闭 total used free shared buff/cache available Mem: 3.5Gi 447Mi 3.1Gi 8.0Mi 200Mi 3.1Gi Swap: 0B 0B 0B #检查这里 #注释开机自动挂载 vim /etc/fstab #/dev/mapper/rl-swap none swap defaults 0 0 #启用内核转发ipvs模块 modprobe ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack echo -e ip_vs\nip_vs_rr\nip_vs_wrr\nip_vs_sh\nnf_conntrack /etc/modules-load.d/lvs.conf systemctl restart systemd-modules-load.service #查看模块 lsmod | grep ip_vs ip_vs_sh 12288 0 ip_vs_wrr 12288 0 ip_vs_rr 12288 0 ip_vs 237568 6 ip_vs_rr,ip_vs_sh,ip_vs_wrr nf_conntrack 229376 1 ip_vs nf_defrag_ipv6 24576 2 nf_conntrack,ip_vs libcrc32c 12288 3 nf_conntrack,xfs,ip_vs #写入主机ip解析 vim /etc/hosts 172.16.72.200 master 172.16.72.201 node-1 172.16.72.202 node-2master节点操作 #安装rke2的server curl -sfL https://rancher-mirror.rancher.cn/rke2/install.sh | INSTALL_RKE2_MIRRORcn sh - #配置镜像加速 vim /etc/rancher/rke2/registries.yaml mirrors: docker.io: endpoint: - https://docker.1ms.run #节点标识文件 vim /etc/rancher/rke2/config.yaml token: rke2-secret-token tls-san: - 172.16.72.200 write-kubeconfig-mode: 0644 node-name: master node-label: - rolemaster debug: t kube-proxy-arg: - proxy-modeipvs #开机自启、启动 这里因为要拉取镜像所以时间会比较久耐心等待 systemctl enable rke2-server.service systemctl start rke2-server.service systemctl status rke2-server.service ● rke2-server.service - Rancher Kubernetes Engine v2 (server) Loaded: loaded (/usr/lib/systemd/system/rke2-server.service; enabled; preset: disabled) Active: active (running) since Sun 2026-05-24 18:13:14 CST; 45min ago Docs: https://github.com/rancher/rke2#readme Process: 4648 ExecCondition/bin/sh -c if systemctl is-active --quiet rke2-agent.service; then echo Error: rke2-agent i Process: 4650 ExecStartPre/sbin/modprobe br_netfilter (codeexited, status0/SUCCESS) Process: 4651 ExecStartPre/sbin/modprobe overlay (codeexited, status0/SUCCESS) Main PID: 4652 (rke2) Tasks: 176 Memory: 1.8G (peak: 2.3G) CPU: 3min 23.394s CGroup: /system.slice/rke2-server.service ├─ 4652 /usr/bin/rke2 server ├─ 4669 containerd -c /var/lib/rancher/rke2/agent/etc/containerd/config.toml ├─ 4789 kubelet --volume-plugin-dir/var/lib/kubelet/volumeplugins --file-check-frequency5s --sync-frequency3 ├─ 4846 /var/lib/rancher/rke2/data/v1.35.5-rke2r1-a0d90cdcd0dc/bin/containerd-shim-runc-v2 -namespace k8s.io -i ├─ 4854 /var/lib/rancher/rke2/data/v1.35.5-rke2r1-a0d90cdcd0dc/bin/containerd-shim-runc-v2 -namespace k8s.io -i ├─ 5077 /var/lib/rancher/rke2/data/v1.35.5-rke2r1-a0d90cdcd0dc/bin/containerd-shim-runc-v2 -namespace k8s.io -i ├─ 5166 /var/lib/rancher/rke2/data/v1.35.5-rke2r1-a0d90cdcd0dc/bin/containerd-shim-runc-v2 -namespace k8s.io -i ├─ 5175 /var/lib/rancher/rke2/data/v1.35.5-rke2r1-a0d90cdcd0dc/bin/containerd-shim-runc-v2 -namespace k8s.io -i ├─ 5495 /var/lib/rancher/rke2/data/v1.35.5-rke2r1-a0d90cdcd0dc/bin/containerd-shim-runc-v2 -namespace k8s.io -i ├─12840 /var/lib/rancher/rke2/data/v1.35.5-rke2r1-a0d90cdcd0dc/bin/containerd-shim-runc-v2 -namespace k8s.io -i ├─17934 /var/lib/rancher/rke2/data/v1.35.5-rke2r1-a0d90cdcd0dc/bin/containerd-shim-runc-v2 -namespace k8s.io -i两台worker节点操作 #下载agent curl -sfL https://rancher-mirror.rancher.cn/rke2/install.sh | INSTALL_RKE2_MIRRORcn INSTALL_RKE2_TYPEagent sh - #配置镜像加速结构错乱使用 set paste来保持格式 vim /etc/rancher/rke2/registries.yaml mirrors: docker.io: endpoint: - https://docker.1ms.run #创建node节点config.yaml文件 #node-1的内容 server: https://172.16.72.200:9345 token: rke2-secret-token node-name: node01 node-label: - roleworker debug: true kube-proxy-arg: - proxy-modeipvs #node-2的内容 server: https://172.16.72.200:9345 token: rke2-secret-token node-name: node02 node-label: - roleworker debug: true kube-proxy-arg: - proxy-modeipvs #两个worker节点服务开机自启\启动如果网络不好的耐心等待时间会长一点 systemctl enable rke2-agent.service systemctl start rke2-agent.service3、kubectl 命令我们现在要查看集群状态的话现在是没有 kubectl 的实际上 rke2 是自己带 kubectl 的命令工具的。master节点操作 #命令路径 cd /var/lib/rancher/rke2/bin/ ls containerd containerd-shim-runc-v2 crictl ctr kubectl kubelet runc #做一下软连接 ln -sv /var/lib/rancher/rke2/bin/kubectl /usr/local/bin/kubectl ln -sv /var/lib/rancher/rke2/bin/crictl /usr/local/bin/crictl ll /usr/local/bin/kubectl lrwxrwxrwx 1 root root 33 5月 24 19:37 /usr/local/bin/kubectl - /var/lib/rancher/rke2/bin/kubectl ll /usr/local/bin/crictl lrwxrwxrwx 1 root root 32 5月 24 19:39 /usr/local/bin/crictl - /var/lib/rancher/rke2/bin/crictl #现在配置一下kubeconfig文件因为是rke2安装的路径如下 cd /etc/rancher/rke2/ ls config.yaml registries.yaml rke2-pss.yaml rke2.yaml ##这个就是 #因为kubectl是默认读取.kube目录下的config文件配置在.kube目录下 mkdir -p /root/.kube cp /etc/rancher/rke2/rke2.yaml /root/.kube/config #查看节点状态 [rootmaster ~]# kubectl get node NAME STATUS ROLES AGE VERSION master Ready control-plane,etcd 92m v1.35.5rke2r1 node01 Ready none 29m v1.35.5rke2r1 node02 Ready none 27m v1.35.5rke2r1 #给节点打一个标签 kubectl label node node02 node-role.kubernetes.io/workertrue kubectl label node node01 node-role.kubernetes.io/workertrue #再次查看 [rootmaster ~]# kubectl get node NAME STATUS ROLES AGE VERSION master Ready control-plane,etcd 99m v1.35.5rke2r1 node01 Ready worker 36m v1.35.5rke2r1 node02 Ready worker 34m v1.35.5rke2r1 #现在是没有自动补全命令的现在设置自动补全命令 echo source (kubectl completion bash) ~/.bashrc echo alias kkubectl ~/.bashrc echo complete -F __start_kubectl k ~/.bashrc source ~/.bashrc [rootmaster ~]# k get nodes NAME STATUS ROLES AGE VERSION master Ready control-plane,etcd 103m v1.35.5rke2r1 node01 Ready worker 39m v1.35.5rke2r1 node02 Ready worker 38m v1.35.5rke2r1 #安装一个快速切换名称空间的命令。 https://github.com/ahmetb/kubectx/releases/download/v0.9.4/kubens #下载地址 chmod x kubens ; mv kubens /usr/sbin/ 这个插件装一下可以让你自由切换namespace 命令 kubens namespaces #查看组件是否运行正常 [rootmaster ~]# k get pod -A NAMESPACE NAME READY STATUS RESTARTS AGE kube-system cloud-controller-manager-master 1/1 Running 1 (104m ago) 152m kube-system etcd-master 1/1 Running 0 152m kube-system helm-install-rke2-canal-jdk6p 0/1 Completed 0 153m kube-system helm-install-rke2-coredns-zwx5x 0/1 Completed 0 153m kube-system helm-install-rke2-ingress-nginx-78m6c 0/1 Completed 2 153m kube-system helm-install-rke2-metrics-server-pmjxr 0/1 Completed 0 153m kube-system helm-install-rke2-runtimeclasses-59xh4 0/1 Completed 0 153m kube-system helm-install-rke2-snapshot-controller-crd-7n8dd 0/1 Completed 0 153m kube-system helm-install-rke2-snapshot-controller-lnpsj 0/1 Completed 1 153m kube-system kube-apiserver-master 1/1 Running 0 152m kube-system kube-controller-manager-master 1/1 Running 1 (104m ago) 152m kube-system kube-proxy-master 1/1 Running 1 (153m ago) 152m kube-system kube-proxy-node01 1/1 Running 0 90m kube-system kube-proxy-node02 1/1 Running 0 88m kube-system kube-scheduler-master 1/1 Running 1 (104m ago) 152m kube-system rke2-canal-b7tl4 2/2 Running 0 88m kube-system rke2-canal-kv7l4 2/2 Running 0 90m kube-system rke2-canal-rrmmb 2/2 Running 0 19m kube-system rke2-coredns-rke2-coredns-69c9c9877c-kjs7n 1/1 Running 0 142m kube-system rke2-coredns-rke2-coredns-69c9c9877c-p9xgf 1/1 Running 0 88m kube-system rke2-coredns-rke2-coredns-autoscaler-645c95cdd7-8wdqb 1/1 Running 0 142m kube-system rke2-ingress-nginx-controller-jm94b 1/1 Running 0 61m kube-system rke2-ingress-nginx-controller-pb5bm 1/1 Running 0 88m kube-system rke2-ingress-nginx-controller-s48v7 1/1 Running 0 127m kube-system rke2-metrics-server-bdc688fb7-zs8nf 1/1 Running 0 139m kube-system rke2-snapshot-controller-6d8cd4bbcc-t576c 1/1 Running 0 139m #创建一个测试pod试一下。 kubectl create deployment nginx-test --imagenginx:1.26.0 --replicas3 kubectl expose deployment nginx-test --port80 --target-port80 --typeNodePort --namenginx-test-svc [rootmaster ~]# kubectl get pod NAME READY STATUS RESTARTS AGE nginx-856bc754b-2lkdh 1/1 Running 0 44m nginx-856bc754b-dhvx8 1/1 Running 0 44m nginx-856bc754b-x5xdq 1/1 Running 0 44m [rootmaster ~]# curl master:31723 [rootmaster ~]# curl node01:31723 [rootmaster ~]# curl node02:31723 #修改crictl套接字路径。修改后就可以看见了。 vim /etc/crictl.yaml runtime-endpoint: unix:///run/k3s/containerd/containerd.sock image-endpoint: unix:///run/k3s/containerd/containerd.sock [rootmaster ~]# crictl images IMAGE TAG IMAGE ID SIZE docker.io/library/nginx 1.26.0 94543a6c1aefa 71MB 。。。。。。略到此我们的 k8s 集群就算是安装完成了
