• 使用Kubeadm + HAProxy + Keepalived部署高可用Kubernetes集群


    https://www.cnblogs.com/dhcn/p/12572904.html

    使用Kubeadm + HAProxy + Keepalived部署高可用Kubernetes集群

    这两天kubernetes爆出第一个特权升级高危漏洞,波及非常广泛,且没有有效的补丁可以修改此漏洞,只能将kubernetes升级。说巧不巧,与此同时,kubernetes v1.13.0版本发布,kubeadm也升级为GA版本,简单阅读了一下更新日志,先部署一套练练手~

    1、环境说明
    本次高可用集群基本参照官网步骤进行部署,官网给出了两种拓扑结构:堆叠control plane node和external etcd node,本文基于第一种拓扑结构进行部署,使用Keepalived + HAProxy搭建高可用Load balancer,完整的拓扑图如下:

    单个mastre节点将部署keepalived、haproxy、etcd、apiserver、controller-manager、schedule六种服务,load balancer集群和etcd集群仅用来为kubernetes集群集群服务,不对外营业。如果必要,可以将load balancer或者etcd单独部署,为kubernetes集群提供服务的同时,也可以为其他有需要的系统提供服务,比如下面这样的拓扑结构:

    这种拓扑结构也对应external etcd node~

    本文仅部署master节点,使用kubeadm部署worker节点非常简单,不在赘述,环境清单:

    [root@master-0 kubernetes]# kubectl get nodes -o wide
    NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
    master-0 Ready master 4h2m v1.13.0 172.16.7.11 <none> CentOS Linux 7 (Core) 3.10.0-862.el7.x86_64 docker://18.9.0
    master-1 Ready master 3h53m v1.13.0 172.16.7.12 <none> CentOS Linux 7 (Core) 3.10.0-862.el7.x86_64 docker://18.9.0
    master-2 Ready master 3h52m v1.13.0 172.16.7.13 <none> CentOS Linux 7 (Core) 3.10.0-862.el7.x86_64 docker://18.9.0
    1
    2
    3
    4
    5
    镜像清单:

    [root@master-0 kubernetes]# docker images
    REPOSITORY TAG IMAGE ID CREATED SIZE
    k8s.gcr.io/kube-proxy v1.13.0 8fa56d18961f 34 hours ago 80.2MB
    k8s.gcr.io/kube-scheduler v1.13.0 9508b7d8008d 34 hours ago 79.6MB
    k8s.gcr.io/kube-apiserver v1.13.0 f1ff9b7e3d6e 34 hours ago 181MB
    k8s.gcr.io/kube-controller-manager v1.13.0 d82530ead066 34 hours ago 146MB
    quay.io/calico/node v3.3.1 427a0694c75c 3 weeks ago 75.3MB
    quay.io/calico/cni v3.3.1 fa6f35a1c14d 3 weeks ago 75.4MB
    k8s.gcr.io/coredns 1.2.6 f59dcacceff4 4 weeks ago 40MB
    k8s.gcr.io/etcd 3.2.24 3cab8e1b9802 2 months ago 220MB
    k8s.gcr.io/pause 3.1 da86e6ba6ca1 11 months ago 742kB
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    主要软件清单:

    keepalived-1.3.5-6.el7.x86_64.rpm
    haproxy-1.5.18-8.el7.x86_64.rpm
    docker-ce-18.09.0-3.el7.x86_64.rpm
    kubeadm-1.13.0-0.x86_64.rpm
    kubectl-1.13.0-0.x86_64.rpm
    kubelet-1.13.0-0.x86_64.rpm
    网盘下载地址:https://pan.baidu.com/s/1PwS5kiUd9G-oY2i9TgJVyA(包括rpm依赖)

    2、部署步骤
    2.1、部署keepalived
    此处的keeplived的主要作用是为haproxy提供vip(172.16.7.10),在三个haproxy实例之间提供主备,降低当其中一个haproxy失效的时对服务的影响。

    系统配置
    [root@master-0 ~]# cat >> /etc/sysctl.conf << EOF
    net.ipv4.ip_forward = 1
    EOF
    [root@master-0 ~]# sysctl -p
    net.ipv4.ip_forward = 1
    1
    2
    3
    4
    5
    In order for the Keepalived service to forward network packets properly to the real servers, each router node must have IP forwarding turned on in the kernel.

    安装keepalived
    [root@master-0 ~]# yum install -y keepalived
    1
    配置keepalived
    [root@master-2 ~]# cat > /etc/keepalived/keepalived.conf << EOF
    ! Configuration File for keepalived

    global_defs {
    router_id LVS_DEVEL
    }

    vrrp_script check_haproxy {
    script "killall -0 haproxy"
    interval 3
    weight -2
    fall 10
    rise 2
    }

    vrrp_instance VI_1 {
    state MASTER
    interface ens33
    virtual_router_id 51
    priority 250
    advert_int 1
    authentication {
    auth_type PASS
    auth_pass 35f18af7190d51c9f7f78f37300a0cbd
    }
    virtual_ipaddress {
    172.16.7.10
    }
    track_script {
    check_haproxy
    }
    }
    EOF
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    killall -0 根据进程名称检测进程是否存活
    master-0节点为***MASTER***,其余节点为***BACKUP***
    priority各个几点到优先级相差50,范围:0~250(非强制要求)
    启动并检测服务
    [root@master-0 ~]# systemctl enable keepalived.service
    [root@master-0 ~]# systemctl start keepalived.service
    [root@master-0 ~]# systemctl status keepalived.service
    [root@master-0 ~]# ip address show ens33
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:25:99:6e brd ff:ff:ff:ff:ff:ff
    inet 172.16.7.11/24 brd 172.16.7.255 scope global noprefixroute ens33
    valid_lft forever preferred_lft forever
    inet 172.16.7.10/32 scope global ens33
    valid_lft forever preferred_lft forever
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    2.2、部署haproxy
    此处的haproxy为apiserver提供反向代理,haproxy将所有请求轮询转发到每个master节点上。相对于仅仅使用keepalived主备模式仅单个master节点承载流量,这种方式更加合理、健壮。

    系统配置
    [root@master-0 ~]# cat >> /etc/sysctl.conf << EOF
    net.ipv4.ip_nonlocal_bind = 1
    EOF
    [root@master-0 ~]# sysctl -p
    net.ipv4.ip_forward = 1
    net.ipv4.ip_nonlocal_bind = 1
    1
    2
    3
    4
    5
    6
    Load balancing in HAProxy and Keepalived at the same time also requires the ability to bind to an IP address that are nonlocal, meaning that it is not assigned to a device on the local system. This allows a running load balancer instance to bind to an IP that is not local for failover.

    安装haproxy
    [root@master-0 ~]# yum install -y haproxy
    1
    配置haproxy
    [root@master-0 ~]# cat > /etc/haproxy/haproxy.cfg << EOF
    #---------------------------------------------------------------------
    # Global settings
    #---------------------------------------------------------------------
    global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    # by adding the '-r' option to the SYSLOGD_OPTIONS in
    # /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    # file. A line like the following can be added to
    # /etc/sysconfig/syslog
    #
    # local2.* /var/log/haproxy.log
    #
    log 127.0.0.1 local2

    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    #---------------------------------------------------------------------
    # common defaults that all the 'listen' and 'backend' sections will
    # use if not designated in their block
    #---------------------------------------------------------------------
    defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

    #---------------------------------------------------------------------
    # kubernetes apiserver frontend which proxys to the backends
    #---------------------------------------------------------------------
    frontend kubernetes-apiserver
    mode tcp
    bind *:16443
    option tcplog
    default_backend kubernetes-apiserver

    #---------------------------------------------------------------------
    # round robin balancing between the various backends
    #---------------------------------------------------------------------
    backend kubernetes-apiserver
    mode tcp
    balance roundrobin
    server master-0 172.16.7.11:6443 check
    server master-1 172.16.7.12:6443 check
    server master-2 172.16.7.13:6443 check

    #---------------------------------------------------------------------
    # collection haproxy statistics message
    #---------------------------------------------------------------------
    listen stats
    bind *:1080
    stats auth admin:awesomePassword
    stats refresh 5s
    stats realm HAProxy Statistics
    stats uri /admin?stats
    EOF
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    所以master节点上的配置完全相同~

    启动并检测服务
    [root@master-0 ~]# systemctl enable haproxy.service
    [root@master-0 ~]# systemctl start haproxy.service
    [root@master-0 ~]# systemctl status haproxy.service
    [root@master-0 ~]# ss -lnt | grep -E "16443|1080"
    LISTEN 0 128 *:1080 *:*
    LISTEN 0 128 *:16443 *:*
    1
    2
    3
    4
    5
    6
    2.3、安装kubeadm、kubectl、kubelet、docker
    系统配置
    [root@master-0 ~]# systemctl disable firewalld.service
    [root@master-0 ~]# systemctl stop firewalld.service
    [root@master-0 ~]# systemctl status firewalld.service

    [root@master-0 ~]# sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
    [root@master-0 ~]# setenforce 0

    [root@master-0 ~]# sed -i 's/(.*swap.*)/# 1/g' /etc/fstab
    [root@master-0 ~]# swapoff -a

    [root@master-0 ~]# cat <<EOF > /etc/sysctl.d/k8s.conf
    net.bridge.bridge-nf-call-ip6tables = 1
    net.bridge.bridge-nf-call-iptables = 1
    EOF
    [root@master-0 ~]# sysctl --system
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    安装软件
    ### 设置docker-ce的yum源 ###
    [root@master-0 ~]# cat <<EOF > /etc/yum.repos.d/docker-ce.repo
    [docker-ce-stable]
    name=Docker CE Stable - $basearch
    baseurl=https://download.docker.com/linux/centos/7/$basearch/stable
    enabled=1
    gpgcheck=1
    gpgkey=https://download.docker.com/linux/centos/gpg
    EOF
    ### 安装docker-ce ###
    [root@master-0 ~]# yum install -y docker-ce --disableexcludes=docker-ce-stable

    ### 设置kubernetes的yum源 ###
    [root@master-0 ~]# cat <<EOF > /etc/yum.repos.d/kubernetes.repo
    [kubernetes]
    name=Kubernetes
    baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
    enabled=1
    gpgcheck=1
    repo_gpgcheck=1
    gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
    exclude=kube*
    EOF
    ### 安装 ###
    [root@master-0 ~]# yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    设置开机启动
    [root@master-0 ~]# systemctl enable docker.service
    [root@master-0 ~]# systemctl start docker.service
    [root@master-0 ~]# systemctl status docker.service

    [root@master-0 ~]# systemctl enable kubelet.service
    1
    2
    3
    4
    5
    2.4、部署master-0
    编辑hosts文件
    [root@master-0 ~]# cat >> /etc/hosts << EOF
    172.16.7.10 cluster.kube.com

    172.16.7.11 master-0
    172.16.7.12 master-1
    172.16.7.13 master-2
    EOF
    1
    2
    3
    4
    5
    6
    7
    编辑kubeadm配置文件
    [root@master-0 ~]# cat > kubeadm-config.yaml << EOF
    apiVersion: kubeadm.k8s.io/v1beta1
    kind: ClusterConfiguration
    kubernetesVersion: v1.13.0
    apiServer:
    certSANs:
    - "cluster.kube.com"
    controlPlaneEndpoint: "cluster.kube.com:16443"
    networking:
    podSubnet: "192.168.0.0/16"
    EOF
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    CNI使用Calico,设置podSubnet: “192.168.0.0/16”

    初始化第一个master节点
    [root@master-0 ~]# kubeadm init --config kubeadm-config.yaml
    [init] Using Kubernetes version: v1.13.0
    [preflight] Running pre-flight checks
    [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 18.09.0. Latest validated version: 18.06
    [preflight] Pulling images required for setting up a Kubernetes cluster
    [preflight] This might take a minute or two, depending on the speed of your internet connection
    [preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
    [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
    [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
    [kubelet-start] Activating the kubelet service
    [certs] Using certificateDir folder "/etc/kubernetes/pki"
    [certs] Generating "etcd/ca" certificate and key
    [certs] Generating "etcd/server" certificate and key
    [certs] etcd/server serving cert is signed for DNS names [master-0 localhost] and IPs [172.16.7.11 127.0.0.1 ::1]
    [certs] Generating "etcd/peer" certificate and key
    [certs] etcd/peer serving cert is signed for DNS names [master-0 localhost] and IPs [172.16.7.11 127.0.0.1 ::1]
    [certs] Generating "etcd/healthcheck-client" certificate and key
    [certs] Generating "apiserver-etcd-client" certificate and key
    [certs] Generating "ca" certificate and key
    [certs] Generating "apiserver-kubelet-client" certificate and key
    [certs] Generating "apiserver" certificate and key
    [certs] apiserver serving cert is signed for DNS names [master-0 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local cluster.kube.com cluster.kube.com] and IPs [10.96.0.1 172.16.7.11]
    [certs] Generating "front-proxy-ca" certificate and key
    [certs] Generating "front-proxy-client" certificate and key
    [certs] Generating "sa" key and public key
    [kubeconfig] Using kubeconfig folder "/etc/kubernetes"
    [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
    [kubeconfig] Writing "admin.conf" kubeconfig file
    [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
    [kubeconfig] Writing "kubelet.conf" kubeconfig file
    [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
    [kubeconfig] Writing "controller-manager.conf" kubeconfig file
    [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
    [kubeconfig] Writing "scheduler.conf" kubeconfig file
    [control-plane] Using manifest folder "/etc/kubernetes/manifests"
    [control-plane] Creating static Pod manifest for "kube-apiserver"
    [control-plane] Creating static Pod manifest for "kube-controller-manager"
    [control-plane] Creating static Pod manifest for "kube-scheduler"
    [etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
    [wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
    [apiclient] All control plane components are healthy after 19.503612 seconds
    [uploadconfig] storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
    [kubelet] Creating a ConfigMap "kubelet-config-1.13" in namespace kube-system with the configuration for the kubelets in the cluster
    [patchnode] Uploading the CRI Socket information "/var/run/dockershim.sock" to the Node API object "master-0" as an annotation
    [mark-control-plane] Marking the node master-0 as control-plane by adding the label "node-role.kubernetes.io/master=''"
    [mark-control-plane] Marking the node master-0 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
    [bootstrap-token] Using token: 29kttk.v6a5ts4021pkc4zr
    [bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
    [bootstraptoken] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
    [bootstraptoken] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
    [bootstraptoken] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
    [bootstraptoken] creating the "cluster-info" ConfigMap in the "kube-public" namespace
    [addons] Applied essential addon: CoreDNS
    [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
    [addons] Applied essential addon: kube-proxy

    Your Kubernetes master has initialized successfully!

    To start using your cluster, you need to run the following as a regular user:

    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config

    You should now deploy a pod network to the cluster.
    Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
    https://kubernetes.io/docs/concepts/cluster-administration/addons/

    You can now join any number of machines by running the following on each node
    as root:

    kubeadm join cluster.kube.com:16443 --token 29kttk.v6a5ts4021pkc4zr --discovery-token-ca-cert-hash sha256:d0bdfd403cd9822177f66c6f3fa28735a67c0747f52511f253ba82843b70f99a
    [root@master-0 ~]# mkdir -p $HOME/.kube
    [root@master-0 ~]# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    [root@master-0 ~]# sudo chown $(id -u):$(id -g) $HOME/.kube/config
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    安装网络插件
    [root@master-0 ~]# kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
    clusterrole.rbac.authorization.k8s.io/calico-node created
    clusterrolebinding.rbac.authorization.k8s.io/calico-node created
    [root@master-0 ~]# kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml
    configmap/calico-config created
    service/calico-typha created
    deployment.apps/calico-typha created
    poddisruptionbudget.policy/calico-typha created
    daemonset.extensions/calico-node created
    serviceaccount/calico-node created
    customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    复制相关文件到其他master节点上
    [root@master-0 ~]# ssh root@master-1 mkdir -p /etc/kubernetes/pki/etcd
    [root@master-0 ~]# scp /etc/kubernetes/admin.conf root@master-1:/etc/kubernetes
    [root@master-0 ~]# scp /etc/kubernetes/pki/{ca.*,sa.*,front-proxy-ca.*} root@master-1:/etc/kubernetes/pki
    [root@master-0 ~]# scp /etc/kubernetes/pki/etcd/ca.* root@master-1:/etc/kubernetes/pki/etcd
    1
    2
    3
    4
    2.5、部署master-other
    [root@master-1 ~]# kubeadm join cluster.kube.com:16443 --token 29kttk.v6a5ts4021pkc4zr --discovery-token-ca-cert-hash sha256:d0bdfd403cd9822177f66c6f3fa28735a67c0747f52511f253ba82843b70f99a --experimental-control-plane
    [preflight] Running pre-flight checks
    [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 18.09.0. Latest validated version: 18.06
    [discovery] Trying to connect to API Server "cluster.kube.com:16443"
    [discovery] Created cluster-info discovery client, requesting info from "https://cluster.kube.com:16443"
    [discovery] Requesting info from "https://cluster.kube.com:16443" again to validate TLS against the pinned public key
    [discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "cluster.kube.com:16443"
    [discovery] Successfully established connection with API Server "cluster.kube.com:16443"
    [join] Reading configuration from the cluster...
    [join] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
    [join] Running pre-flight checks before initializing the new control plane instance
    [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 18.09.0. Latest validated version: 18.06
    [certs] Generating "apiserver-kubelet-client" certificate and key
    [certs] Generating "apiserver" certificate and key
    [certs] apiserver serving cert is signed for DNS names [master-1 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local cluster.kube.com cluster.kube.com] and IPs [10.96.0.1 172.16.7.12]
    [certs] Generating "etcd/server" certificate and key
    [certs] etcd/server serving cert is signed for DNS names [master-1 localhost] and IPs [172.16.7.12 127.0.0.1 ::1]
    [certs] Generating "etcd/peer" certificate and key
    [certs] etcd/peer serving cert is signed for DNS names [master-1 localhost] and IPs [172.16.7.12 127.0.0.1 ::1]
    [certs] Generating "etcd/healthcheck-client" certificate and key
    [certs] Generating "apiserver-etcd-client" certificate and key
    [certs] Generating "front-proxy-client" certificate and key
    [certs] valid certificates and keys now exist in "/etc/kubernetes/pki"
    [certs] Using the existing "sa" key
    [endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
    [kubeconfig] Using existing up-to-date kubeconfig file: "/etc/kubernetes/admin.conf"
    [kubeconfig] Writing "controller-manager.conf" kubeconfig file
    [kubeconfig] Writing "scheduler.conf" kubeconfig file
    [etcd] Checking Etcd cluster health
    [kubelet] Downloading configuration for the kubelet from the "kubelet-config-1.13" ConfigMap in the kube-system namespace
    [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
    [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
    [kubelet-start] Activating the kubelet service
    [tlsbootstrap] Waiting for the kubelet to perform the TLS Bootstrap...
    [patchnode] Uploading the CRI Socket information "/var/run/dockershim.sock" to the Node API object "master-1" as an annotation
    [etcd] Announced new etcd member joining to the existing etcd cluster
    [etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml"
    [uploadconfig] storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
    [mark-control-plane] Marking the node master-1 as control-plane by adding the label "node-role.kubernetes.io/master=''"
    [mark-control-plane] Marking the node master-1 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]

    This node has joined the cluster and a new control plane instance was created:

    * Certificate signing request was sent to apiserver and approval was received.
    * The Kubelet was informed of the new secure connection details.
    * Master label and taint were applied to the new node.
    * The Kubernetes control plane instances scaled up.
    * A new etcd member was added to the local/stacked etcd cluster.

    To start administering your cluster from this node, you need to run the following as a regular user:

    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config

    Run 'kubectl get nodes' to see this node join the cluster.
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    3、检查测试
    查看kubernetes集群状态
    [root@master-0 etcd]# kubectl get nodes -o wide
    NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
    master-0 Ready master 11m v1.13.0 172.16.7.11 <none> CentOS Linux 7 (Core) 3.10.0-862.el7.x86_64 docker://18.9.0
    master-1 Ready master 2m16s v1.13.0 172.16.7.12 <none> CentOS Linux 7 (Core) 3.10.0-862.el7.x86_64 docker://18.9.0
    master-2 Ready master 45s v1.13.0 172.16.7.13 <none> CentOS Linux 7 (Core) 3.10.0-862.el7.x86_64 docker://18.9.0
    [root@master-0 etcd]# kubectl get cs
    NAME STATUS MESSAGE ERROR
    controller-manager Healthy ok
    scheduler Healthy ok
    etcd-0 Healthy {"health": "true"}
    [root@master-0 etcd]# kubectl get csr
    NAME AGE REQUESTOR CONDITION
    csr-6jgcr 11m system:node:master-0 Approved,Issued
    node-csr-8wOc8SoFxlkm8Ep5QEr9erUexnYJ-lrilft4QUJ7RfI 2m26s system:bootstrap:29kttk Approved,Issued
    node-csr-l-ijTesiUBRFmaAXIHYj3J4vYEA7qbJLolIsKv5FZuM 55s system:bootstrap:29kttk Approved,Issued
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    查看etcd集群状态
    [root@master-0 ~]# kubectl exec -ti -n kube-system etcd-master-0 sh
    / # export ETCDCTL_API=3
    / # etcdctl --endpoints=https://[127.0.0.1]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/ku
    bernetes/pki/etcd/healthcheck-client.key member list
    25e9e768b2abcbb6, started, master-2, https://172.16.7.13:2380, https://172.16.7.13:2379
    28e1924984642da1, started, master-1, https://172.16.7.12:2380, https://172.16.7.12:2379
    e19f37b34b9497ee, started, master-0, https://172.16.7.11:2380, https://172.16.7.11:2379
    1
    2
    3
    4
    5
    6
    7

    ————————————————
    版权声明:本文为CSDN博主「迷途的攻城狮(798570156)」的原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接及本声明。
    原文链接:https://blog.csdn.net/chenleiking/article/details/84841394

  • 相关阅读:
    Python基础——内置函数
    HHKB Mac快捷键使用
    解决EditText在ListView Item中,第一次点击无法获取焦点问题
    Android 设置Spinner默认显示文字
    IOS-静态Cell
    android-创建流式布局,并修改最后一行的最后一个view
    最简单的设置ExitText只能输入数字和字母的方法
    Android studio私人常用快捷键(持续更新)
    IOS-NSNotification(通知)
    Android书单(持续更新)
  • 原文地址:https://www.cnblogs.com/dhcn/p/12572904.html
Copyright © 2020-2023  润新知