10. Deploying kube-scheduler
kube-scheduler is one of the three services that make up the Kubernetes master. It is stateful: it modifies the cluster's state.
If the same service were active on several master nodes at once there would be synchronisation and consistency problems, so across multiple master nodes kube-scheduler can only run in an active/standby arrangement. Kubernetes elects the leader with a lease lock; for kube-scheduler this is enabled with the startup flag "--leader-elect=true".
1. Create the kube-scheduler certificate
1) Create the kube-scheduler certificate signing request
# kube-scheduler talks to kube-apiserver over mutually authenticated TLS;
# kube-apiserver takes the certificate CN as the client user name, here system:kube-scheduler (the O field becomes the group).
# The predefined RBAC ClusterRoleBinding system:kube-scheduler binds the user system:kube-scheduler to the ClusterRole system:kube-scheduler.
[root@kubenode1 ~]# mkdir -p /etc/kubernetes/scheduler
[root@kubenode1 ~]# cd /etc/kubernetes/scheduler
[root@kubenode1 scheduler]# touch scheduler-csr.json
[root@kubenode1 scheduler]# vim scheduler-csr.json
{
  "CN": "system:kube-scheduler",
  "hosts": [
    "172.30.200.21",
    "172.30.200.22",
    "172.30.200.23"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ChengDu",
      "L": "ChengDu",
      "O": "system:kube-scheduler",
      "OU": "cloudteam"
    }
  ]
}
2) Generate the kube-scheduler certificate and private key
[root@kubenode1 scheduler]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem -ca-key=/etc/kubernetes/ssl/ca-key.pem -config=/etc/kubernetes/ssl/ca-config.json -profile=kubernetes scheduler-csr.json | cfssljson -bare scheduler
# Distribute scheduler.pem and scheduler-key.pem to the other two master nodes
[root@kubenode1 scheduler]# scp scheduler*.pem root@172.30.200.22:/etc/kubernetes/scheduler/
[root@kubenode1 scheduler]# scp scheduler*.pem root@172.30.200.23:/etc/kubernetes/scheduler/
2. Create the kube-scheduler kubeconfig file
The kube-scheduler kubeconfig file contains the master address and the credentials needed to authenticate to it.
# Set the cluster parameters;
# --server: the kube-apiserver address, which is the VIP in front of the HA kube-apiservers;
# the cluster name is arbitrary, but once chosen it must be used consistently;
# --kubeconfig: path and name of the kubeconfig file to write; if omitted, ~/.kube/config is used by default
[root@kubenode1 scheduler]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/ssl/ca.pem --embed-certs=true --server=https://172.30.200.10:6443 --kubeconfig=scheduler.conf
# Set the client credentials;
# the user is the "system:kube-scheduler" whose certificate was signed above;
# point at the matching certificate and private key
[root@kubenode1 scheduler]# kubectl config set-credentials system:kube-scheduler --client-certificate=/etc/kubernetes/scheduler/scheduler.pem --embed-certs=true --client-key=/etc/kubernetes/scheduler/scheduler-key.pem --kubeconfig=scheduler.conf
# Set the context
[root@kubenode1 scheduler]# kubectl config set-context system:kube-scheduler@kubernetes --cluster=kubernetes --user=system:kube-scheduler --kubeconfig=scheduler.conf
# Set the default context
[root@kubenode1 scheduler]# kubectl config use-context system:kube-scheduler@kubernetes --kubeconfig=scheduler.conf
# Distribute scheduler.conf to all master nodes
[root@kubenode1 scheduler]# scp scheduler.conf root@172.30.200.22:/etc/kubernetes/scheduler/
[root@kubenode1 scheduler]# scp scheduler.conf root@172.30.200.23:/etc/kubernetes/scheduler/
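Before the certificate and kubeconfig are copied to the other masters it is worth confirming that they actually carry the identity the RBAC binding expects. The following checks are an added example, not part of the original tutorial: they assume openssl and base64 on PATH, take the file paths from the steps above as arguments, and cover both the certificate step and the kubeconfig step (the embedded client certificate is extracted and put through the same checks). The expectation that O equals system:kube-scheduler simply mirrors the CSR above; kube-apiserver authenticates the user from CN and treats O as the group.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity checks for the
# kube-scheduler client certificate and for the kubeconfig that embeds it.
# Assumes openssl and base64 are on PATH; paths are passed as arguments, e.g.
#   check_scheduler_cert /etc/kubernetes/ssl/ca.pem \
#     /etc/kubernetes/scheduler/scheduler.pem /etc/kubernetes/scheduler/scheduler-key.pem

# Print one subject field (CN, O, ...) of a PEM certificate. Handles both the
# "C = CN, CN = x" (OpenSSL 1.1+) and the "/C=CN/CN=x" (older) subject formats.
cert_subject_field() {
  # $1 = certificate file, $2 = field name
  openssl x509 -in "$1" -noout -subject \
    | sed -n "s/.*[/, =]$2 *= *\([^,/]*\).*/\1/p" \
    | sed 's/[[:space:]]*$//'
}

# Succeed when the certificate chains to the cluster CA.
cert_chains_to_ca() {
  # $1 = CA certificate, $2 = certificate to verify
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed when the private key belongs to the certificate (same public key).
cert_key_match() {
  # $1 = certificate, $2 = private key
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# The identity kube-apiserver will see: CN is the user name the predefined
# ClusterRoleBinding refers to, O becomes the group; the tutorial's CSR sets
# both to system:kube-scheduler, so that is what is checked here.
check_scheduler_cert() {
  # $1 = CA certificate, $2 = certificate, $3 = private key
  cn=$(cert_subject_field "$2" CN)
  o=$(cert_subject_field "$2" O)
  [ "$cn" = "system:kube-scheduler" ] || { echo "unexpected CN: '$cn'"; return 1; }
  [ "$o" = "system:kube-scheduler" ]  || { echo "unexpected O: '$o'"; return 1; }
  cert_chains_to_ca "$1" "$2" || { echo "certificate does not chain to the cluster CA"; return 1; }
  cert_key_match "$2" "$3"   || { echo "private key does not match the certificate"; return 1; }
  echo "ok: CN=$cn O=$o, chains to CA, key matches"
}

# Pull the client certificate out of a kubeconfig written with --embed-certs=true
# (first client-certificate-data entry) so the same checks can be run on it.
kubeconfig_client_cert() {
  # $1 = kubeconfig file, $2 = output PEM path
  sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" \
    | head -n 1 | base64 -d > "$2"
}
```

Run check_scheduler_cert on each master after the scp step; a wrong CN means kube-apiserver will authenticate the scheduler as some other user and the ClusterRoleBinding will not apply, while a key mismatch shows up only as a TLS handshake failure in the scheduler log.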
3. Configure the kube-scheduler systemd unit file
The executable was already installed when kubectl was deployed.
# kube-scheduler starts after kube-apiserver
[root@kubenode1 ~]# touch /usr/lib/systemd/system/kube-scheduler.service
[root@kubenode1 ~]# vim /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
After=kube-apiserver.service

[Service]
EnvironmentFile=/usr/local/kubernetes/kube-scheduler.conf
ExecStart=/usr/local/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_ARGS
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

# Startup parameter file
# --kubeconfig: path of the kubeconfig file, which carries the master address and the credentials needed to authenticate;
# --leader-elect: when true the scheduler takes part in leader election; required for an HA deployment, and true by default
[root@kubenode1 ~]# touch /usr/local/kubernetes/kube-scheduler.conf
[root@kubenode1 ~]# vim /usr/local/kubernetes/kube-scheduler.conf
KUBE_SCHEDULER_ARGS="--master=https://172.30.200.10:6443 --kubeconfig=/etc/kubernetes/scheduler/scheduler.conf --leader-elect=true --logtostderr=false --log-dir=/var/log/kubernetes/scheduler --v=2"
# Create the log directory
[root@kubenode1 ~]# mkdir -p /var/log/kubernetes/scheduler
4. Start and verify
1) Check the kube-scheduler service status
[root@kubenode1 ~]# systemctl daemon-reload
[root@kubenode1 ~]# systemctl enable kube-scheduler
[root@kubenode1 ~]# systemctl start kube-scheduler
[root@kubenode1 ~]# systemctl status kube-scheduler
2) Inspect the kube-scheduler leader election
# kubenode1 was the first node to start kube-scheduler, so it tries to acquire the leader lock and succeeds
[root@kubenode1 ~]# grep "leaderelection" /var/log/kubernetes/scheduler/kube-scheduler.INFO
# Observed on kubenode2: it tries to acquire the leader lock, does not succeed, and blocks until it does
[root@kubenode2 ~]# tailf /var/log/kubernetes/scheduler/kube-scheduler.INFO
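Reading each node's log shows the election from one side at a time; the lock record itself says who the leader is for the whole cluster. The helpers below are an added example, not part of the original tutorial. They assume the scheduler uses the endpoints resource lock (the default in the release generation this tutorial targets), so the record is the JSON value of the annotation control-plane.alpha.kubernetes.io/leader on the kube-scheduler Endpoints object in kube-system; newer releases default to a Lease object in coordination.k8s.io, whose record has the same fields. The sample record is constructed to match this deployment.

```shell
#!/bin/sh
# Added example, not from the original tutorial: inspect the kube-scheduler
# leader lock directly instead of grepping each node's log.
# Assumption: endpoints resource lock, so the record is the annotation
# control-plane.alpha.kubernetes.io/leader on Endpoints/kube-scheduler in
# kube-system (newer releases keep the same record in a Lease object).

# Fetch the raw lock record from the cluster (needs a working kubectl).
fetch_scheduler_lock() {
  kubectl -n kube-system get endpoints kube-scheduler \
    -o jsonpath='{.metadata.annotations.control-plane\.alpha\.kubernetes\.io/leader}'
}

# Print one field of the lock record. Handles both quoted (string) and bare
# (numeric) JSON values, which is enough for this flat, machine-written record.
lock_field() {
  # $1 = lock record JSON, $2 = field name
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# holderIdentity is "<hostname>_<random id>"; return just the hostname.
lock_holder_node() {
  lock_field "$1" holderIdentity | sed 's/_.*//'
}

# Succeed when the named node currently holds the lock.
lock_held_by() {
  # $1 = lock record JSON, $2 = expected node name
  [ "$(lock_holder_node "$1")" = "$2" ]
}

# One-line summary. A leaderTransitions count that keeps rising between checks
# means the leader is flapping and that node's scheduler log deserves a look.
lock_summary() {
  printf 'leader=%s lease=%ss renewed=%s transitions=%s\n' \
    "$(lock_holder_node "$1")" "$(lock_field "$1" leaseDurationSeconds)" \
    "$(lock_field "$1" renewTime)" "$(lock_field "$1" leaderTransitions)"
}

# Constructed sample of what fetch_scheduler_lock prints once kubenode1 has won.
SAMPLE_LOCK='{"holderIdentity":"kubenode1_0c3c3b9e-0000-4000-8000-000000000001","leaseDurationSeconds":15,"acquireTime":"2018-05-02T08:12:30Z","renewTime":"2018-05-02T08:20:02Z","leaderTransitions":0}'

lock_summary "$SAMPLE_LOCK"
```

On a live cluster replace the sample with `lock_summary "$(fetch_scheduler_lock)"`; a renewTime older than leaseDurationSeconds means the holder has stopped renewing and a standby is about to take over.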
3) Verify the master node components
# The status of the master's core components can be queried from any node that has the kubectl client;
# kubectl uses the kube-apiserver address and credentials in ~/.kube/config by default;
# "kubectl get componentstatuses" can be abbreviated to "kubectl get cs"
[root@kubenode1 ~]# kubectl get componentstatuses