• 二进制搭建kubernetes多master集群【三、配置k8s master及高可用】


    前面两篇文章已经配置好了etcd和flannel的网络,现在开始配置k8s master集群。

    etcd集群配置参考:二进制搭建kubernetes多master集群【一、使用TLS证书搭建etcd集群】

    flannel网络配置参考:二进制搭建kubernetes多master集群【二、配置flannel网络】

    本文在以下主机上操作部署k8s集群

    k8s-master1:192.168.80.7

    k8s-master2:192.168.80.8

    k8s-master3:192.168.80.9

    配置Kubernetes master集群

    kubernetes master 节点包含的组件:

    • kube-apiserver
    • kube-scheduler
    • kube-controller-manager

    目前这三个组件需要部署在同一台机器上。

    • kube-schedulerkube-controller-manager 和 kube-apiserver 三者的功能紧密相关;
    • 同时只能有一个 kube-schedulerkube-controller-manager 进程处于工作状态,如果运行多个,则需要通过选举产生一个 leader;

    一、部署kubectl命令工具

    kubectl 是 kubernetes 集群的命令行管理工具,本文档介绍安装和配置它的步骤。

    kubectl 默认从 ~/.kube/config 文件读取 kube-apiserver 地址、证书、用户名等信息,如果没有配置,执行 kubectl 命令时可能会出错。

     ~/.kube/config只需要部署一次,然后拷贝到其他的master。

    1、下载kubectl

    wget https://dl.k8s.io/v1.12.3/kubernetes-server-linux-amd64.tar.gz
    tar -xzvf kubernetes-server-linux-amd64.tar.gz
    cd kubernetes/server/bin/
    cp kube-apiserver kubeadm kube-controller-manager kubectl kube-scheduler /usr/local/bin

    2、创建请求证书

    [root@k8s-master1 ssl]# cat > admin-csr.json <<EOF
    {
      "CN": "admin",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "system:masters",
          "OU": "4Paradigm"
        }
      ]
    }
    EOF
    • O 为 system:masters,kube-apiserver 收到该证书后将请求的 Group 设置为 system:masters;
    • 预定义的 ClusterRoleBinding cluster-admin 将 Group system:masters 与 Role cluster-admin 绑定,该 Role 授予所有 API的权限;
    • 该证书只会被 kubectl 当做 client 证书使用,所以 hosts 字段为空;

    生成证书和私钥

    cfssl gencert -ca=/etc/kubernetes/cert/ca.pem 
      -ca-key=/etc/kubernetes/cert/ca-key.pem 
      -config=/etc/kubernetes/cert/ca-config.json 
      -profile=kubernetes admin-csr.json | cfssljson -bare admin

    3、创建~/.kube/config文件

    kubectl config set-cluster kubernetes 
      --certificate-authority=/etc/kubernetes/cert/ca.pem 
      --embed-certs=true 
      --server=https://114.67.81.105:8443 
      --kubeconfig=kubectl.kubeconfig
    
    # 设置客户端认证参数
    kubectl config set-credentials admin 
      --client-certificate=admin.pem 
      --client-key=admin-key.pem 
      --embed-certs=true 
      --kubeconfig=kubectl.kubeconfig
    
    # 设置上下文参数
    kubectl config set-context kubernetes 
      --cluster=kubernetes 
      --user=admin 
      --kubeconfig=kubectl.kubeconfig
      
    # 设置默认上下文
    kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig

    4、分发~/.kube/config文件

    [root@k8s-master1 temp]# cp kubectl.kubeconfig ~/.kube/config
    [root@k8s-master1 temp]# scp kubectl.kubeconfig k8s-master2:~/.kube/config
    kubectl.kubeconfig                                                                                                                                                                                    100% 6285     2.2MB/s   00:00    
    [root@k8s-master1 temp]# scp kubectl.kubeconfig k8s-master3:~/.kube/config
    kubectl.kubeconfig 

    二、部署api-server

    1、创建kube-apiserver的证书签名请求:

    
    
    [root@k8s-master1 ssl]# cat > kubernetes-csr.json <<EOF
    {
      "CN": "kubernetes",
      "hosts": [
        "127.0.0.1",
        "192.168.80.7",
        "192.168.80.8",
        "192.168.80.9",
        "192.168.80.13",
        "114.67.81.105",
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local"
      ],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "k8s",
          "OU": "4Paradigm"
        }
      ]
    }
    EOF
    • hosts 字段指定授权使用该证书的 IP 或域名列表,这里列出了 VIP 、apiserver 节点 IP、kubernetes 服务 IP 和域名;
    • 域名最后字符不能是 .(如不能为 kubernetes.default.svc.cluster.local.),否则解析时失败,提示: x509: cannot parse dnsName "kubernetes.default.svc.cluster.local."
    • 如果使用非 cluster.local 域名,如 bqding.com,则需要修改域名列表中的最后两个域名为:kubernetes.default.svc.bqdingkubernetes.default.svc.bqding.com
    • 红色的主机依次为master节点的ip,以及负载均衡器的内网和公网IP。

    生成证书和私钥:

    cfssl gencert -ca=/etc/kubernetes/cert/ca.pem 
      -ca-key=/etc/kubernetes/cert/ca-key.pem 
      -config=/etc/kubernetes/cert/ca-config.json 
      -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes

    2、将生成的证书和私钥文件拷贝到 master 节点:

    [root@k8s-master1 ssl]# cp kubernetes*.pem /etc/kubernetes/cert/
    [root@k8s-master1 ssl]# scp kubernetes*.pem k8s-master2:/etc/kubernetes/cert/
    [root@k8s-master1 ssl]# scp kubernetes*.pem k8s-master3:/etc/kubernetes/cert/

    3、创建加密配置文件

    [root@k8s-master1 ssl]# cat > encryption-config.yaml <<EOF
    kind: EncryptionConfig
    apiVersion: v1
    resources:
      - resources:
          - secrets
        providers:
          - aescbc:
              keys:
                - name: key1
                  secret: $(head -c 32 /dev/urandom | base64)
          - identity: {}
    EOF

    4、分发加密配置文件到master节点

    [root@k8s-master1 ssl]# cp encryption-config.yaml /etc/kubernetes/cert/
    [root@k8s-master1 ssl]# scp encryption-config.yaml k8s-master2:/etc/kubernetes/cert/
    [root@k8s-master1 ssl]# scp encryption-config.yaml k8s-master3:/etc/kubernetes/cert/

     5、创建kube-apiserver systemd unit文件

    [root@k8s-master1 ssl]# cat > /etc/systemd/system/kube-apiserver.service << EOF
    [Unit]
    Description=Kubernetes API Server
    Documentation=https://github.com/GoogleCloudPlatform/kubernetes
    After=network.target
    
    [Service]
    ExecStart=/usr/local/bin/kube-apiserver 
      --enable-admission-plugins=Initializers,NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota 
      --anonymous-auth=false 
      --experimental-encryption-provider-config=/etc/kubernetes/cert/encryption-config.yaml 
      --advertise-address=192.168.80.7 
      --bind-address=192.168.80.7 
      --insecure-port=0 
      --authorization-mode=Node,RBAC 
      --runtime-config=api/all 
      --enable-bootstrap-token-auth 
      --service-cluster-ip-range=10.254.0.0/16 
      --service-node-port-range=30000-32700 
      --tls-cert-file=/etc/kubernetes/cert/kubernetes.pem 
      --tls-private-key-file=/etc/kubernetes/cert/kubernetes-key.pem 
      --client-ca-file=/etc/kubernetes/cert/ca.pem 
      --kubelet-client-certificate=/etc/kubernetes/cert/kubernetes.pem 
      --kubelet-client-key=/etc/kubernetes/cert/kubernetes-key.pem 
      --service-account-key-file=/etc/kubernetes/cert/ca-key.pem 
      --etcd-cafile=/etc/kubernetes/cert/ca.pem 
      --etcd-certfile=/etc/kubernetes/cert/kubernetes.pem 
      --etcd-keyfile=/etc/kubernetes/cert/kubernetes-key.pem 
      --etcd-servers=https://192.168.80.4:2379,https://192.168.80.5:2379,https://192.168.80.6:2379 
      --enable-swagger-ui=true 
      --allow-privileged=true 
      --apiserver-count=3 
      --audit-log-maxage=30 
      --audit-log-maxbackup=3 
      --audit-log-maxsize=100 
      --audit-log-path=/var/log/kube-apiserver-audit.log 
      --event-ttl=1h 
      --alsologtostderr=true 
      --logtostderr=false 
      --log-dir=/var/log/kubernetes 
      --v=2
    Restart=on-failure
    RestartSec=5
    Type=notify
    LimitNOFILE=65536
    
    [Install]
    WantedBy=multi-user.targe
    EOF
    • --experimental-encryption-provider-config:启用加密特性;
    • --authorization-mode=Node,RBAC: 开启 Node 和 RBAC 授权模式,拒绝未授权的请求;
    • --enable-admission-plugins:启用 ServiceAccount 和 NodeRestriction
    • --service-account-key-file:签名 ServiceAccount Token 的公钥文件,kube-controller-manager 的 --service-account-private-key-file 指定私钥文件,两者配对使用;
    • --tls-*-file:指定 apiserver 使用的证书、私钥和 CA 文件。--client-ca-file 用于验证 client (kue-controller-manager、kube-scheduler、kubelet、kube-proxy 等)请求所带的证书;
    • --kubelet-client-certificate--kubelet-client-key:如果指定,则使用 https 访问 kubelet APIs;需要为证书对应的用户(上面 kubernetes*.pem 证书的用户为 kubernetes) 用户定义 RBAC 规则,否则访问 kubelet API 时提示未授权;
    • --bind-address: 不能为 127.0.0.1,否则外界不能访问它的安全端口 6443;
    • --insecure-port=0:关闭监听非安全端口(8080);
    • --service-cluster-ip-range: 指定 Service Cluster IP 地址段;
    • --service-node-port-range: 指定 NodePort 的端口范围;
    • --runtime-config=api/all=true: 启用所有版本的 APIs,如 autoscaling/v2alpha1;
    • --enable-bootstrap-token-auth:启用 kubelet bootstrap 的 token 认证;
    • --apiserver-count=3:指定集群运行模式,多台 kube-apiserver 会通过 leader 选举产生一个工作节点,其它节点处于阻塞状态;
    • 红色部分为各个master主机部分

    6、分发kube-apiserver.service文件到其他master

    [root@k8s-master1 ssl]# scp /etc/systemd/system/kube-apiserver.service k8s-master2:/etc/systemd/system/kube-apiserver.service
    [root@k8s-master1 ssl]# scp /etc/systemd/system/kube-apiserver.service k8s-master3:/etc/systemd/system/kube-apiserver.service

    7、创建日志目录

    mkdir -p /var/log/kubernetes

    8、启动api-server服务

    [root@k8s-master1 ssl]# systemctl daemon-reload
    [root@k8s-master1 ssl]# systemctl enable kube-apiserver
    [root@k8s-master1 ssl]# systemctl start kube-apiserver

    9、检查api-server和集群状态

    [root@k8s-master1 ssl]# netstat -ptln | grep kube-apiserve
    tcp        0      0 192.168.80.9:6443       0.0.0.0:*               LISTEN      22348/kube-apiserve
    
    [root@k8s-master1 ssl]#kubectl cluster-info
    Kubernetes master is running at https://114.67.81.105:8443
    
    To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

    10、授予kubernetes证书访问kubelet api权限

    kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes

    三、部署kube-controller-manager

    该集群包含 3 个节点,启动后将通过竞争选举机制产生一个 leader 节点,其它节点为阻塞状态。当 leader 节点不可用后,剩余节点将再次进行选举产生新的 leader 节点,从而保证服务的可用性。

    为保证通信安全,本文档先生成 x509 证书和私钥,kube-controller-manager 在如下两种情况下使用该证书:

    1. 与 kube-apiserver 的安全端口通信时;
    2. 在安全端口(https,10252) 输出 prometheus 格式的 metrics;

    1、创建kube-controller-manager证书请求:

    [root@k8s-master1 ssl]# cat > kube-controller-manager-csr.json << EOF
    {
        "CN": "system:kube-controller-manager",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "hosts": [
          "127.0.0.1",
          "192.168.80.7",
          "192.168.80.8",
          "192.168.80.9"
        ],
        "names": [
          {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "system:kube-controller-manager",
            "OU": "4Paradigm"
          }
        ]
    }
    EOF
    • hosts 列表包含所有 kube-controller-manager 节点 IP;
    • CN 为 system:kube-controller-manager、O 为 system:kube-controller-manager,kubernetes 内置的 ClusterRoleBindings system:kube-controller-manager 赋予 kube-controller-manager 工作所需的权限。

    生成证书和私钥:

    cfssl gencert -ca=/etc/kubernetes/cert/ca.pem 
      -ca-key=/etc/kubernetes/cert/ca-key.pem 
      -config=/etc/kubernetes/cert/ca-config.json 
      -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager

    2、将生成的证书和私钥分发到所有 master 节点

    [root@k8s-master1 ssl]# cp kube-controller-manager*.pem /etc/kubernetes/cert/
    [root@k8s-master1 ssl]# scp kube-controller-manager*.pem k8s-master2:/etc/kubernetes/cert/
    [root@k8s-master1 ssl]# scp kube-controller-manager*.pem k8s-master3:/etc/kubernetes/cert/

    3、创建和分发kubeconfig文件

    kubectl config set-cluster kubernetes 
      --certificate-authority=/etc/kubernetes/cert/ca.pem 
      --embed-certs=true 
      --server=https://114.67.81.105:8443 
      --kubeconfig=kube-controller-manager.kubeconfig
    
    kubectl config set-credentials system:kube-controller-manager 
      --client-certificate=kube-controller-manager.pem 
      --client-key=kube-controller-manager-key.pem 
      --embed-certs=true 
      --kubeconfig=kube-controller-manager.kubeconfig
    
    kubectl config set-context system:kube-controller-manager 
      --cluster=kubernetes 
      --user=system:kube-controller-manager 
      --kubeconfig=kube-controller-manager.kubeconfig
    
    kubectl config use-context system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig

    分发 kube-controller-manager.kubeconfig 到所有 master 节点

    [root@k8s-master1 ssl]# cp kube-controller-manager.kubeconfig /etc/kubernetes/cert/
    [root@k8s-master1 ssl]# scp kube-controller-manager.kubeconfig k8s-master2:/etc/kubernetes/cert/
    [root@k8s-master1 ssl]# scp kube-controller-manager.kubeconfig k8s-master3:/etc/kubernetes/cert/

    4、创建和分发kube-controller-manager systemd unit文件

    [root@k8s-master1 ssl]# cat > /etc/systemd/system/kube-controller-manager.service  << EOF
    [Unit]
    Description=Kubernetes Controller Manager
    Documentation=https://github.com/GoogleCloudPlatform/kubernetes
    
    [Service]
    ExecStart=/usr/local/bin/kube-controller-manager 
    --address=127.0.0.1
    --kubeconfig=/etc/kubernetes/cert/kube-controller-manager.kubeconfig --authentication-kubeconfig=/etc/kubernetes/cert/kube-controller-manager.kubeconfig --service-cluster-ip-range=10.254.0.0/16 --cluster-name=kubernetes --cluster-signing-cert-file=/etc/kubernetes/cert/ca.pem --cluster-signing-key-file=/etc/kubernetes/cert/ca-key.pem --experimental-cluster-signing-duration=8760h --root-ca-file=/etc/kubernetes/cert/ca.pem --service-account-private-key-file=/etc/kubernetes/cert/ca-key.pem --leader-elect=true --feature-gates=RotateKubeletServerCertificate=true --controllers=*,bootstrapsigner,tokencleaner --horizontal-pod-autoscaler-use-rest-clients=true --horizontal-pod-autoscaler-sync-period=10s --tls-cert-file=/etc/kubernetes/cert/kube-controller-manager.pem --tls-private-key-file=/etc/kubernetes/cert/kube-controller-manager-key.pem --use-service-account-credentials=true --alsologtostderr=true --logtostderr=false --log-dir=/var/log/kubernetes --v=2 Restart=on Restart=on-failure RestartSec=5 [Install] WantedBy=multi-user.target EOF
    • --port=0:关闭监听 http /metrics 的请求,同时 --address 参数无效,--bind-address 参数有效;
    • --secure-port=10252--bind-address=0.0.0.0: 在所有网络接口监听 10252 端口的 https /metrics 请求;
    • --address:指定监听的地址为127.0.0.1
    • --kubeconfig:指定 kubeconfig 文件路径,kube-controller-manager 使用它连接和验证 kube-apiserver;
    • --cluster-signing-*-file:签名 TLS Bootstrap 创建的证书;
    • --experimental-cluster-signing-duration:指定 TLS Bootstrap 证书的有效期;
    • --root-ca-file:放置到容器 ServiceAccount 中的 CA 证书,用来对 kube-apiserver 的证书进行校验;
    • --service-account-private-key-file:签名 ServiceAccount 中 Token 的私钥文件,必须和 kube-apiserver 的 --service-account-key-file 指定的公钥文件配对使用;
    • --service-cluster-ip-range :指定 Service Cluster IP 网段,必须和 kube-apiserver 中的同名参数一致;
    • --leader-elect=true:集群运行模式,启用选举功能;被选为 leader 的节点负责处理工作,其它节点为阻塞状态;
    • --feature-gates=RotateKubeletServerCertificate=true:开启 kublet server 证书的自动更新特性;
    • --controllers=*,bootstrapsigner,tokencleaner:启用的控制器列表,tokencleaner 用于自动清理过期的 Bootstrap token;
    • --horizontal-pod-autoscaler-*:custom metrics 相关参数,支持 autoscaling/v2alpha1;
    • --tls-cert-file--tls-private-key-file:使用 https 输出 metrics 时使用的 Server 证书和秘钥;
    • --use-service-account-credentials=true:

    分发kube-controller-manager systemd unit文件

    [root@k8s-master1 ssl]# scp /etc/systemd/system/kube-controller-manager.service k8s-master2:/etc/systemd/system/kube-controller-manager.service
    [root@k8s-master1 ssl]# scp /etc/systemd/system/kube-controller-manager.service k8s-master3:/etc/systemd/system/kube-controller-manager.service

    5、启动kube-controller-manager服务

    [root@k8s-master1 ssl]# systemctl daemon-reload
    [root@k8s-master1 ssl]# systemctl enable kube-controller-manager
    [root@k8s-master1 ssl]# systemctl start kube-controller-manager

    6、检查kube-controller-manager服务

    [root@k8s-master1 ssl]# netstat -lnpt|grep kube-controll
    tcp        0      0 127.0.0.1:10252         0.0.0.0:*               LISTEN      17906/kube-controll 
    tcp6       0      0 :::10257                :::*                    LISTEN      17906/kube-controll

    7、查看当前kube-controller-manager的leader

    [root@k8s-master1 ssl]# kubectl get endpoints kube-controller-manager --namespace=kube-system  -o yaml
    apiVersion: v1
    kind: Endpoints
    metadata:
      annotations:
        control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"k8s-master3_d19698f1-0379-11e9-9c06-fa163e0a2feb","leaseDurationSeconds":15,"acquireTime":"2018-12-19T10:40:15Z","renewTime":"2018-12-19T11:12:43Z","leaderTransitions":5}'
      creationTimestamp: 2018-12-19T08:53:45Z
      name: kube-controller-manager
      namespace: kube-system
      resourceVersion: "9860"
      selfLink: /api/v1/namespaces/kube-system/endpoints/kube-controller-manager
      uid: 97ef4bad-036b-11e9-90aa-fa163e5caede

    可见,当前的 leader 为 kube-master3 节点。

    四、部署kube-scheduler

    该集群包含 3 个节点,启动后将通过竞争选举机制产生一个 leader 节点,其它节点为阻塞状态。当 leader 节点不可用后,剩余节点将再次进行选举产生新的 leader 节点,从而保证服务的可用性。

    为保证通信安全,本文档先生成 x509 证书和私钥,kube-scheduler 在如下两种情况下使用该证书:

    1. 与 kube-apiserver 的安全端口通信;
    2. 在安全端口(https,10251) 输出 prometheus 格式的 metrics;

    1、创建kube-scheduler证书请求

    [root@k8s-master1 ssl]# cat > kube-scheduler-csr.json << EOF
    {
        "CN": "system:kube-scheduler",
        "hosts": [
          "127.0.0.1",
          "192.168.80.7",
          "192.168.80.8",
          "192.168.80.9"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
          {
            "C": "CN",
            "ST": "BeiJing",
            "L": "BeiJing",
            "O": "system:kube-scheduler",
            "OU": "4Paradigm"
          }
        ]
    }
    EOF
    • hosts 列表包含所有 kube-scheduler 节点 IP;
    • CN 为 system:kube-scheduler、O 为 system:kube-scheduler,kubernetes 内置的 ClusterRoleBindings system:kube-scheduler 将赋予 kube-scheduler 工作所需的权限。

    生成证书和私钥:

    cfssl gencert -ca=/etc/kubernetes/cert/ca.pem 
      -ca-key=/etc/kubernetes/cert/ca-key.pem 
      -config=/etc/kubernetes/cert/ca-config.json 
      -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler

    2、创建和分发kube-scheduler.kubeconfig文件

    kubectl config set-cluster kubernetes 
      --certificate-authority=/etc/kubernetes/cert/ca.pem 
      --embed-certs=true 
      --server=https://114.67.81.105:8443 
      --kubeconfig=kube-scheduler.kubeconfig
    
    kubectl config set-credentials system:kube-scheduler 
      --client-certificate=kube-scheduler.pem 
      --client-key=kube-scheduler-key.pem 
      --embed-certs=true 
      --kubeconfig=kube-scheduler.kubeconfig
    
    kubectl config set-context system:kube-scheduler 
      --cluster=kubernetes 
      --user=system:kube-scheduler 
      --kubeconfig=kube-scheduler.kubeconfig
    
    kubectl config use-context system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
    • 上一步创建的证书、私钥以及 kube-apiserver 地址被写入到 kubeconfig 文件中;

    分发 kubeconfig 到所有 master 节点:

    [root@k8s-master1 ssl]# cp kube-scheduler.kubeconfig /etc/kubernetes/cert/
    [root@k8s-master1 ssl]# scp kube-scheduler.kubeconfig k8s-master2:/etc/kubernetes/cert/
    [root@k8s-master1 ssl]# scp kube-scheduler.kubeconfig k8s-master3:/etc/kubernetes/cert/

    3、创建和分发kube-scheduler systemd unit文件

    [root@k8s-master1 ssl]# cat > /etc/systemd/system/kube-scheduler.service << EOF
    [Unit]
    Description=Kubernetes Scheduler
    Documentation=https://github.com/GoogleCloudPlatform/kubernetes
    
    [Service]
    ExecStart=/usr/local/bin/kube-scheduler 
      --address=127.0.0.1 
      --kubeconfig=/etc/kubernetes/cert/kube-scheduler.kubeconfig 
      --leader-elect=true 
      --alsologtostderr=true 
      --logtostderr=false 
      --log-dir=/var/log/kubernetes 
      --v=2
    Restart=on-failure
    RestartSec=5
    
    [Install]
    WantedBy=multi-user.target
    EOF
    • --address:在 127.0.0.1:10251 端口接收 http /metrics 请求;kube-scheduler 目前还不支持接收 https 请求;
    • --kubeconfig:指定 kubeconfig 文件路径,kube-scheduler 使用它连接和验证 kube-apiserver;
    • --leader-elect=true:集群运行模式,启用选举功能;被选为 leader 的节点负责处理工作,其它节点为阻塞状态;

    分发 systemd unit 文件到所有 master 节点:

    [root@k8s-master1 ssl]# scp /etc/systemd/system/kube-scheduler.service k8s-master2:/etc/systemd/system/kube-scheduler.service
    [root@k8s-master1 ssl]# scp /etc/systemd/system/kube-scheduler.service k8s-master3:/etc/systemd/system/kube-scheduler.service

    4、启动kube-scheduler服务

    [root@k8s-master1 ssl]# systemctl daemon-reload
    [root@k8s-master1 ssl]# systemctl enable kube-scheduler
    [root@k8s-master1 ssl]# systemctl start kube-scheduler

    5、查看kube-scheduler运行监听端口

    [root@k8s-master1 ssl]# netstat -lnpt|grep kube-sche
    tcp        0      0 127.0.0.1:10251         0.0.0.0:*               LISTEN      17921/kube-schedule

    6、查看当前kube-scheduler的leader

    [root@k8s-master1 ssl]# kubectl get endpoints kube-scheduler --namespace=kube-system  -o yaml
    apiVersion: v1
    kind: Endpoints
    metadata:
      annotations:
        control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"k8s-master1_d41f4473-0379-11e9-a19b-fa163e0a2feb","leaseDurationSeconds":15,"acquireTime":"2018-12-19T10:38:27Z","renewTime":"2018-12-19T11:14:06Z","leaderTransitions":2}'
      creationTimestamp: 2018-12-19T09:10:56Z
      name: kube-scheduler
      namespace: kube-system
      resourceVersion: "9961"
      selfLink: /api/v1/namespaces/kube-system/endpoints/kube-scheduler
      uid: fe267870-036d-11e9-90aa-fa163e5caede

    可见,当前的 leader 为 kube-master1 节点。

    七、在所有master节点上验证功能是否正常

    [root@k8s-master1 ~]#  kubectl get componentstatuses
    NAME                 STATUS    MESSAGE             ERROR
    scheduler            Healthy   ok                  
    controller-manager   Healthy   ok                  
    etcd-1               Healthy   {"health":"true"}   
    etcd-0               Healthy   {"health":"true"}   
    etcd-2               Healthy   {"health":"true"}

     八、Haproxy+keepalived配置k8s master高可用(每台master都进行操作,红色字体改成对应主机的即可)

    • keepalived 提供 kube-apiserver 对外服务的 VIP;
    • haproxy 监听 VIP,后端连接所有 kube-apiserver 实例,提供健康检查和负载均衡功能;

    运行 keepalived 和 haproxy 的节点称为 LB 节点。由于 keepalived 是一主多备运行模式,故至少两个 LB 节点。

    本文档复用 master 节点的三台机器,haproxy 监听的端口(8443) 需要与 kube-apiserver 的端口 6443 不同,避免冲突。

    keepalived 在运行过程中周期检查本机的 haproxy 进程状态,如果检测到 haproxy 进程异常,则触发重新选主的过程,VIP 将飘移到新选出来的主节点,从而实现 VIP 的高可用。

    所有组件(如 kubeclt、apiserver、controller-manager、scheduler 等)都通过 VIP 和 haproxy 监听的 8443 端口访问 kube-apiserver 服务。

    1、安装haproxy和keepalived

    yum install -y keepalived haproxy

    2、三个master配置haproxy代理api-server服务

    [root@k8s-master1 ~]# cat /etc/haproxy/haproxy.cfg 
    global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /var/run/haproxy-admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        nbproc 1
    
    defaults
        log     global
        timeout connect 5000
        timeout client  10m
        timeout server  10m
    
    listen  admin_stats
        bind 0.0.0.0:10080
        mode http
        log 127.0.0.1 local0 err
        stats refresh 30s
        stats uri /status
        stats realm welcome login Haproxy
        stats auth admin:123456
        stats hide-version
        stats admin if TRUE
    
    listen kube-master
        bind 0.0.0.0:8443
        mode tcp
        option tcplog
        balance roundrobin
        server 192.168.80.7 192.168.80.7:6443 check inter 2000 fall 2 rise 2 weight 1
        server 192.168.80.8 192.168.80.8:6443 check inter 2000 fall 2 rise 2 weight 1
        server 192.168.80.9 192.168.80.9:6443 check inter 2000 fall 2 rise 2 weight 1
    • haproxy 在 10080 端口输出 status 信息;
    • haproxy 监听所有接口的 8443 端口,该端口与环境变量 ${KUBE_APISERVER} 指定的端口必须一致;
    • server 字段列出所有 kube-apiserver 监听的 IP 和端口;

    3、三个master配置keepalived服务

    [root@k8s-master1 ~]# cat /etc/keepalived/keepalived.conf 
    global_defs {
        router_id lb-master-105
    }
    
    vrrp_script check-haproxy {
        script "killall -0 haproxy"
        interval 3
    }
    
    vrrp_instance VI-kube-master {
        state BACKUP
        nopreempt    #设置不抢占,必须设置在backup上且priority最高的节点上
        priority 120
        dont_track_primary
        interface ens192
        virtual_router_id 68
        advert_int 3
        track_script {
            check-haproxy
        }
        virtual_ipaddress {
            114.67.81.105    #VIP,访问此IP调用api-server
        }
    }
    • 使用 killall -0 haproxy 命令检查所在节点的 haproxy 进程是否正常。
    • router_id、virtual_router_id 用于标识属于该 HA 的 keepalived 实例,如果有多套 keepalived HA,则必须各不相同;
    • 其他2个backup把nopreempt去掉,及priority分别设置110和100即可。

    4、启动haproxy和keepalived服务

    #haproxy
    systemctl enable haproxy
    systemctl start haproxy
    
    #keepalive
    systemctl enable keepalived
    systemctl start keepalived

    5、查看haproxy和keepalived服务状态以及VIP情况

    systemctl status haproxy|grep Active
    systemctl status keepalived|grep Active

    如果Active: active (running)表示正常。 

    6、查看VIP所属情况

    ip addr show | grep 114.67.81.105

    我这里VIP在192.168.80.7上。

    为了验证高可用配置成功否,可以把192.168.80.7上的haproxy服务关闭,此时VIP会漂移到192.168.80.8服务器上,当192.168.80.7解决问题重启后,由于它配置了nopreempt,所以它不会重新抢占VIP资源。

     注:* 如果使用云搭建的集群,在高可用这块可以直接用云服务商提供的SLB服务,如果haproxy+keepalive可能不支持,原因你懂的。(云底层封掉了)

    下一篇我们将进行node节点的部署,请参考:二进制搭建kubernetes多master集群【四、配置k8s node】

  • 相关阅读:
    java,jenkins
    docker compose,link,Odoo
    nginx,docker反向代理
    centos7上安装docker-ce社区版
    Install Rancher server
    docker公司测试环境搭建总结
    ansible+docker
    桥接物理网卡,pipwork指定ip,外网连接,研究salt+docker
    20170605
    20170602
  • 原文地址:https://www.cnblogs.com/harlanzhang/p/10131264.html
Copyright © 2020-2023  润新知