前面两篇文章已经配置好了etcd和flannel的网络,如今开始配置k8s master集群。html
etcd集群配置参考:二进制搭建kubernetes多master集群【1、使用TLS证书搭建etcd集群】node
flannel网络配置参考:二进制搭建kubernetes多master集群【2、配置flannel网络】linux
本文在如下主机上操做部署k8s集群git
k8s-master1:192.168.80.7github
k8s-master2:192.168.80.8json
k8s-master3:192.168.80.9bootstrap
配置Kubernetes master集群后端
kubernetes master 节点包含的组件:api
目前这三个组件须要部署在同一台机器上。安全
kube-scheduler
、kube-controller-manager
和 kube-apiserver
三者的功能紧密相关;kube-scheduler
、kube-controller-manager
进程处于工做状态,若是运行多个,则须要经过选举产生一个 leader;1、部署kubectl命令工具
kubectl 是 kubernetes 集群的命令行管理工具,本文档介绍安装和配置它的步骤。
kubectl 默认从 ~/.kube/config
文件读取 kube-apiserver 地址、证书、用户名等信息,若是没有配置,执行 kubectl 命令时可能会出错。
~/.kube/config
只须要部署一次,而后拷贝到其余的master。
一、下载kubectl
wget https://dl.k8s.io/v1.12.3/kubernetes-server-linux-amd64.tar.gz
tar -xzvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin/ cp kube-apiserver kubeadm kube-controller-manager kubectl kube-scheduler /usr/local/bin
二、建立请求证书
[root@k8s-master1 ssl]# cat > admin-csr.json <<EOF { "CN": "admin", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:masters", "OU": "4Paradigm" } ] } EOF
system:masters
,kube-apiserver 收到该证书后将请求的 Group 设置为 system:masters;cluster-admin
将 Group system:masters
与 Role cluster-admin
绑定,该 Role 授予全部 API的权限;生成证书和私钥
cfssl gencert -ca=/etc/kubernetes/cert/ca.pem \ -ca-key=/etc/kubernetes/cert/ca-key.pem \ -config=/etc/kubernetes/cert/ca-config.json \ -profile=kubernetes admin-csr.json | cfssljson -bare admin
三、建立~/.kube/config文件
kubectl config set-cluster kubernetes \ --certificate-authority=/etc/kubernetes/cert/ca.pem \ --embed-certs=true \ --server=https://114.67.81.105:8443 \ --kubeconfig=kubectl.kubeconfig # 设置客户端认证参数 kubectl config set-credentials admin \ --client-certificate=admin.pem \ --client-key=admin-key.pem \ --embed-certs=true \ --kubeconfig=kubectl.kubeconfig # 设置上下文参数 kubectl config set-context kubernetes \ --cluster=kubernetes \ --user=admin \ --kubeconfig=kubectl.kubeconfig # 设置默认上下文 kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig
四、分发~/.kube/config文件
[root@k8s-master1 temp]# cp kubectl.kubeconfig ~/.kube/config [root@k8s-master1 temp]# scp kubectl.kubeconfig k8s-master2:~/.kube/config kubectl.kubeconfig 100% 6285 2.2MB/s 00:00 [root@k8s-master1 temp]# scp kubectl.kubeconfig k8s-master3:~/.kube/config kubectl.kubeconfig
2、部署api-server
一、建立kube-apiserver的证书签名请求:
[root@k8s-master1 ssl]# cat > kubernetes-csr.json <<EOF
{ "CN": "kubernetes", "hosts": [ "127.0.0.1", "192.168.80.7", "192.168.80.8", "192.168.80.9", "192.168.80.13", "114.67.81.105", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "4Paradigm" } ] }
EOF
.
(如不能为 kubernetes.default.svc.cluster.local.
),不然解析时失败,提示: x509: cannot parse dnsName "kubernetes.default.svc.cluster.local."
;cluster.local
域名,如 bqding.com
,则须要修改域名列表中的最后两个域名为:kubernetes.default.svc.bqding
、kubernetes.default.svc.bqding.com
生成证书和私钥:
cfssl gencert -ca=/etc/kubernetes/cert/ca.pem \ -ca-key=/etc/kubernetes/cert/ca-key.pem \ -config=/etc/kubernetes/cert/ca-config.json \ -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
二、将生成的证书和私钥文件拷贝到 master 节点:
[root@k8s-master1 ssl]# cp kubernetes*.pem /etc/kubernetes/cert/ [root@k8s-master1 ssl]# scp kubernetes*.pem k8s-master2:/etc/kubernetes/cert/ [root@k8s-master1 ssl]# scp kubernetes*.pem k8s-master3:/etc/kubernetes/cert/
三、建立加密配置文件
[root@k8s-master1 ssl]# cat > encryption-config.yaml <<EOF kind: EncryptionConfig apiVersion: v1 resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: $(head -c 32 /dev/urandom | base64) - identity: {} EOF
四、分发加密配置文件到master节点
[root@k8s-master1 ssl]# cp encryption-config.yaml /etc/kubernetes/cert/ [root@k8s-master1 ssl]# scp encryption-config.yaml k8s-master2:/etc/kubernetes/cert/ [root@k8s-master1 ssl]# scp encryption-config.yaml k8s-master3:/etc/kubernetes/cert/
五、建立kube-apiserver systemd unit文件
[root@k8s-master1 ssl]# cat > /etc/systemd/system/kube-apiserver.service << EOF [Unit] Description=Kubernetes API Server Documentation=https://github.com/GoogleCloudPlatform/kubernetes After=network.target [Service] ExecStart=/usr/local/bin/kube-apiserver \ --enable-admission-plugins=Initializers,NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \ --anonymous-auth=false \ --experimental-encryption-provider-config=/etc/kubernetes/cert/encryption-config.yaml \ --advertise-address=192.168.80.7 \ --bind-address=192.168.80.7 \ --insecure-port=0 \ --authorization-mode=Node,RBAC \ --runtime-config=api/all \ --enable-bootstrap-token-auth \ --service-cluster-ip-range=10.254.0.0/16 \ --service-node-port-range=30000-32700 \ --tls-cert-file=/etc/kubernetes/cert/kubernetes.pem \ --tls-private-key-file=/etc/kubernetes/cert/kubernetes-key.pem \ --client-ca-file=/etc/kubernetes/cert/ca.pem \ --kubelet-client-certificate=/etc/kubernetes/cert/kubernetes.pem \ --kubelet-client-key=/etc/kubernetes/cert/kubernetes-key.pem \ --service-account-key-file=/etc/kubernetes/cert/ca-key.pem \ --etcd-cafile=/etc/kubernetes/cert/ca.pem \ --etcd-certfile=/etc/kubernetes/cert/kubernetes.pem \ --etcd-keyfile=/etc/kubernetes/cert/kubernetes-key.pem \ --etcd-servers=https://192.168.80.4:2379,https://192.168.80.5:2379,https://192.168.80.6:2379 \ --enable-swagger-ui=true \ --allow-privileged=true \ --apiserver-count=3 \ --audit-log-maxage=30 \ --audit-log-maxbackup=3 \ --audit-log-maxsize=100 \ --audit-log-path=/var/log/kube-apiserver-audit.log \ --event-ttl=1h \ --alsologtostderr=true \ --logtostderr=false \ --log-dir=/var/log/kubernetes \ --v=2 Restart=on-failure RestartSec=5 Type=notify LimitNOFILE=65536 [Install] WantedBy=multi-user.targe EOF
--experimental-encryption-provider-config
:启用加密特性;--authorization-mode=Node,RBAC
: 开启 Node 和 RBAC 受权模式,拒绝未受权的请求;--enable-admission-plugins
:启用 ServiceAccount
和 NodeRestriction
;--service-account-key-file
:签名 ServiceAccount Token 的公钥文件,kube-controller-manager 的 --service-account-private-key-file
指定私钥文件,二者配对使用;--tls-*-file
:指定 apiserver 使用的证书、私钥和 CA 文件。--client-ca-file
用于验证 client (kue-controller-manager、kube-scheduler、kubelet、kube-proxy 等)请求所带的证书;--kubelet-client-certificate
、--kubelet-client-key
:若是指定,则使用 https 访问 kubelet APIs;须要为证书对应的用户(上面 kubernetes*.pem 证书的用户为 kubernetes) 用户定义 RBAC 规则,不然访问 kubelet API 时提示未受权;--bind-address
: 不能为 127.0.0.1
,不然外界不能访问它的安全端口 6443;--insecure-port=0
:关闭监听非安全端口(8080);--service-cluster-ip-range
: 指定 Service Cluster IP 地址段;--service-node-port-range
: 指定 NodePort 的端口范围;--runtime-config=api/all=true
: 启用全部版本的 APIs,如 autoscaling/v2alpha1;--enable-bootstrap-token-auth
:启用 kubelet bootstrap 的 token 认证;--apiserver-count=3
:指定集群运行模式,多台 kube-apiserver 会经过 leader 选举产生一个工做节点,其它节点处于阻塞状态;六、分发kube-apiserver.service文件到其余master
[root@k8s-master1 ssl]# scp /etc/systemd/system/kube-apiserver.service k8s-master2:/etc/systemd/system/kube-apiserver.service
[root@k8s-master1 ssl]# scp /etc/systemd/system/kube-apiserver.service k8s-master3:/etc/systemd/system/kube-apiserver.service
七、建立日志目录
mkdir -p /var/log/kubernetes
八、启动api-server服务
[root@k8s-master1 ssl]# systemctl daemon-reload [root@k8s-master1 ssl]# systemctl enable kube-apiserver [root@k8s-master1 ssl]# systemctl start kube-apiserver
九、检查api-server和集群状态
[root@k8s-master1 ssl]# netstat -ptln | grep kube-apiserve tcp 0 0 192.168.80.9:6443 0.0.0.0:* LISTEN 22348/kube-apiserve [root@k8s-master1 ssl]#kubectl cluster-info Kubernetes master is running at https://114.67.81.105:8443 To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
十、授予kubernetes证书访问kubelet api权限
kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes
3、部署kube-controller-manager
为保证通讯安全,本文档先生成 x509 证书和私钥,kube-controller-manager 在以下两种状况下使用该证书:
一、建立kube-controller-manager证书请求:
[root@k8s-master1 ssl]# cat > kube-controller-manager-csr.json << EOF { "CN": "system:kube-controller-manager", "key": { "algo": "rsa", "size": 2048 }, "hosts": [ "127.0.0.1", "192.168.80.7", "192.168.80.8", "192.168.80.9" ], "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:kube-controller-manager", "OU": "4Paradigm" } ] } EOF
生成证书和私钥:
cfssl gencert -ca=/etc/kubernetes/cert/ca.pem \ -ca-key=/etc/kubernetes/cert/ca-key.pem \ -config=/etc/kubernetes/cert/ca-config.json \ -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
二、将生成的证书和私钥分发到全部 master 节点
[root@k8s-master1 ssl]# cp kube-controller-manager*.pem /etc/kubernetes/cert/ [root@k8s-master1 ssl]# scp kube-controller-manager*.pem k8s-master2:/etc/kubernetes/cert/ [root@k8s-master1 ssl]# scp kube-controller-manager*.pem k8s-master3:/etc/kubernetes/cert/
三、建立和分发kubeconfig文件
kubectl config set-cluster kubernetes \ --certificate-authority=/etc/kubernetes/cert/ca.pem \ --embed-certs=true \ --server=https://114.67.81.105:8443 \ --kubeconfig=kube-controller-manager.kubeconfig kubectl config set-credentials system:kube-controller-manager \ --client-certificate=kube-controller-manager.pem \ --client-key=kube-controller-manager-key.pem \ --embed-certs=true \ --kubeconfig=kube-controller-manager.kubeconfig kubectl config set-context system:kube-controller-manager \ --cluster=kubernetes \ --user=system:kube-controller-manager \ --kubeconfig=kube-controller-manager.kubeconfig kubectl config use-context system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig
分发 kube-controller-manager.kubeconfig 到全部 master 节点
[root@k8s-master1 ssl]# cp kube-controller-manager.kubeconfig /etc/kubernetes/cert/ [root@k8s-master1 ssl]# scp kube-controller-manager.kubeconfig k8s-master2:/etc/kubernetes/cert/ [root@k8s-master1 ssl]# scp kube-controller-manager.kubeconfig k8s-master3:/etc/kubernetes/cert/
四、建立和分发kube-controller-manager systemd unit文件
[root@k8s-master1 ssl]# cat > /etc/systemd/system/kube-controller-manager.service << EOF [Unit] Description=Kubernetes Controller Manager Documentation=https://github.com/GoogleCloudPlatform/kubernetes [Service] ExecStart=/usr/local/bin/kube-controller-manager \
--address=127.0.0.1 \
--kubeconfig=/etc/kubernetes/cert/kube-controller-manager.kubeconfig \ --authentication-kubeconfig=/etc/kubernetes/cert/kube-controller-manager.kubeconfig \ --service-cluster-ip-range=10.254.0.0/16 \ --cluster-name=kubernetes \ --cluster-signing-cert-file=/etc/kubernetes/cert/ca.pem \ --cluster-signing-key-file=/etc/kubernetes/cert/ca-key.pem \ --experimental-cluster-signing-duration=8760h \ --root-ca-file=/etc/kubernetes/cert/ca.pem \ --service-account-private-key-file=/etc/kubernetes/cert/ca-key.pem \ --leader-elect=true \ --feature-gates=RotateKubeletServerCertificate=true \ --controllers=*,bootstrapsigner,tokencleaner \ --horizontal-pod-autoscaler-use-rest-clients=true \ --horizontal-pod-autoscaler-sync-period=10s \ --tls-cert-file=/etc/kubernetes/cert/kube-controller-manager.pem \ --tls-private-key-file=/etc/kubernetes/cert/kube-controller-manager-key.pem \ --use-service-account-credentials=true \ --alsologtostderr=true \ --logtostderr=false \ --log-dir=/var/log/kubernetes \ --v=2 Restart=on Restart=on-failure RestartSec=5 [Install] WantedBy=multi-user.target EOF
--port=0
:关闭监听 http /metrics 的请求,同时 --address
参数无效,--bind-address
参数有效;--secure-port=10252
、--bind-address=0.0.0.0
: 在全部网络接口监听 10252 端口的 https /metrics 请求;--kubeconfig
:指定 kubeconfig 文件路径,kube-controller-manager 使用它链接和验证 kube-apiserver;--cluster-signing-*-file
:签名 TLS Bootstrap 建立的证书;--experimental-cluster-signing-duration
:指定 TLS Bootstrap 证书的有效期;--root-ca-file
:放置到容器 ServiceAccount 中的 CA 证书,用来对 kube-apiserver 的证书进行校验;--service-account-private-key-file
:签名 ServiceAccount 中 Token 的私钥文件,必须和 kube-apiserver 的 --service-account-key-file
指定的公钥文件配对使用;--service-cluster-ip-range
:指定 Service Cluster IP 网段,必须和 kube-apiserver 中的同名参数一致;--leader-elect=true
:集群运行模式,启用选举功能;被选为 leader 的节点负责处理工做,其它节点为阻塞状态;--feature-gates=RotateKubeletServerCertificate=true
:开启 kublet server 证书的自动更新特性;--controllers=*,bootstrapsigner,tokencleaner
:启用的控制器列表,tokencleaner 用于自动清理过时的 Bootstrap token;--horizontal-pod-autoscaler-*
:custom metrics 相关参数,支持 autoscaling/v2alpha1;--tls-cert-file
、--tls-private-key-file
:使用 https 输出 metrics 时使用的 Server 证书和秘钥;--use-service-account-credentials=true
:分发kube-controller-manager systemd unit文件
[root@k8s-master1 ssl]# scp /etc/systemd/system/kube-controller-manager.service k8s-master2:/etc/systemd/system/kube-controller-manager.service
[root@k8s-master1 ssl]# scp /etc/systemd/system/kube-controller-manager.service k8s-master3:/etc/systemd/system/kube-controller-manager.service
五、启动kube-controller-manager服务
[root@k8s-master1 ssl]# systemctl daemon-reload [root@k8s-master1 ssl]# systemctl enable kube-controller-manager [root@k8s-master1 ssl]# systemctl start kube-controller-manager
六、检查kube-controller-manager服务
[root@k8s-master1 ssl]# netstat -lnpt|grep kube-controll tcp 0 0 127.0.0.1:10252 0.0.0.0:* LISTEN 17906/kube-controll tcp6 0 0 :::10257 :::* LISTEN 17906/kube-controll
七、查看当前kube-controller-manager的leader
[root@k8s-master1 ssl]# kubectl get endpoints kube-controller-manager --namespace=kube-system -o yaml apiVersion: v1 kind: Endpoints metadata: annotations: control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"k8s-master3_d19698f1-0379-11e9-9c06-fa163e0a2feb","leaseDurationSeconds":15,"acquireTime":"2018-12-19T10:40:15Z","renewTime":"2018-12-19T11:12:43Z","leaderTransitions":5}' creationTimestamp: 2018-12-19T08:53:45Z name: kube-controller-manager namespace: kube-system resourceVersion: "9860" selfLink: /api/v1/namespaces/kube-system/endpoints/kube-controller-manager uid: 97ef4bad-036b-11e9-90aa-fa163e5caede
可见,当前的 leader 为 kube-master3 节点。
4、部署kube-scheduler
该集群包含 3 个节点,启动后将经过竞争选举机制产生一个 leader 节点,其它节点为阻塞状态。当 leader 节点不可用后,剩余节点将再次进行选举产生新的 leader 节点,从而保证服务的可用性。
为保证通讯安全,本文档先生成 x509 证书和私钥,kube-scheduler 在以下两种状况下使用该证书:
一、建立kube-scheduler证书请求
[root@k8s-master1 ssl]# cat > kube-scheduler-csr.json << EOF { "CN": "system:kube-scheduler", "hosts": [ "127.0.0.1", "192.168.80.7", "192.168.80.8", "192.168.80.9" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "system:kube-scheduler", "OU": "4Paradigm" } ] }
EOF
生成证书和私钥:
cfssl gencert -ca=/etc/kubernetes/cert/ca.pem \ -ca-key=/etc/kubernetes/cert/ca-key.pem \ -config=/etc/kubernetes/cert/ca-config.json \ -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
二、建立和分发kube-scheduler.kubeconfig文件
kubectl config set-cluster kubernetes \ --certificate-authority=/etc/kubernetes/cert/ca.pem \ --embed-certs=true \ --server=https://114.67.81.105:8443 \ --kubeconfig=kube-scheduler.kubeconfig kubectl config set-credentials system:kube-scheduler \ --client-certificate=kube-scheduler.pem \ --client-key=kube-scheduler-key.pem \ --embed-certs=true \ --kubeconfig=kube-scheduler.kubeconfig kubectl config set-context system:kube-scheduler \ --cluster=kubernetes \ --user=system:kube-scheduler \ --kubeconfig=kube-scheduler.kubeconfig kubectl config use-context system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
分发 kubeconfig 到全部 master 节点:
[root@k8s-master1 ssl]# cp kube-scheduler.kubeconfig /etc/kubernetes/cert/ [root@k8s-master1 ssl]# scp kube-scheduler.kubeconfig k8s-master2:/etc/kubernetes/cert/ [root@k8s-master1 ssl]# scp kube-scheduler.kubeconfig k8s-master3:/etc/kubernetes/cert/
三、建立和分发kube-scheduler systemd unit文件
[root@k8s-master1 ssl]# cat > /etc/systemd/system/kube-scheduler.service << EOF [Unit] Description=Kubernetes Scheduler Documentation=https://github.com/GoogleCloudPlatform/kubernetes [Service] ExecStart=/usr/local/bin/kube-scheduler \ --address=127.0.0.1 \ --kubeconfig=/etc/kubernetes/cert/kube-scheduler.kubeconfig \ --leader-elect=true \ --alsologtostderr=true \ --logtostderr=false \ --log-dir=/var/log/kubernetes \ --v=2 Restart=on-failure RestartSec=5 [Install] WantedBy=multi-user.target
EOF
--address
:在 127.0.0.1:10251 端口接收 http /metrics 请求;kube-scheduler 目前还不支持接收 https 请求;--kubeconfig
:指定 kubeconfig 文件路径,kube-scheduler 使用它链接和验证 kube-apiserver;--leader-elect=true
:集群运行模式,启用选举功能;被选为 leader 的节点负责处理工做,其它节点为阻塞状态;分发 systemd unit 文件到全部 master 节点:
[root@k8s-master1 ssl]# scp /etc/systemd/system/kube-scheduler.service k8s-master2:/etc/systemd/system/kube-scheduler.service
[root@k8s-master1 ssl]# scp /etc/systemd/system/kube-scheduler.service k8s-master3:/etc/systemd/system/kube-scheduler.service
四、启动kube-scheduler服务
[root@k8s-master1 ssl]# systemctl daemon-reload [root@k8s-master1 ssl]# systemctl enable kube-scheduler [root@k8s-master1 ssl]# systemctl start kube-scheduler
五、查看kube-scheduler运行监听端口
[root@k8s-master1 ssl]# netstat -lnpt|grep kube-sche tcp 0 0 127.0.0.1:10251 0.0.0.0:* LISTEN 17921/kube-schedule
六、查看当前kube-scheduler的leader
[root@k8s-master1 ssl]# kubectl get endpoints kube-scheduler --namespace=kube-system -o yaml apiVersion: v1 kind: Endpoints metadata: annotations: control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"k8s-master1_d41f4473-0379-11e9-a19b-fa163e0a2feb","leaseDurationSeconds":15,"acquireTime":"2018-12-19T10:38:27Z","renewTime":"2018-12-19T11:14:06Z","leaderTransitions":2}' creationTimestamp: 2018-12-19T09:10:56Z name: kube-scheduler namespace: kube-system resourceVersion: "9961" selfLink: /api/v1/namespaces/kube-system/endpoints/kube-scheduler uid: fe267870-036d-11e9-90aa-fa163e5caede
可见,当前的 leader 为 kube-master1 节点。
7、在全部master节点上验证功能是否正常
[root@k8s-master1 ~]# kubectl get componentstatuses NAME STATUS MESSAGE ERROR scheduler Healthy ok controller-manager Healthy ok etcd-1 Healthy {"health":"true"} etcd-0 Healthy {"health":"true"} etcd-2 Healthy {"health":"true"}
8、Haproxy+keepalived配置k8s master高可用(每台master都进行操做,红色字体改为对应主机的便可)
运行 keepalived 和 haproxy 的节点称为 LB 节点。因为 keepalived 是一主多备运行模式,故至少两个 LB 节点。
本文档复用 master 节点的三台机器,haproxy 监听的端口(8443) 须要与 kube-apiserver 的端口 6443 不一样,避免冲突。
keepalived 在运行过程当中周期检查本机的 haproxy 进程状态,若是检测到 haproxy 进程异常,则触发从新选主的过程,VIP 将飘移到新选出来的主节点,从而实现 VIP 的高可用。
全部组件(如 kubeclt、apiserver、controller-manager、scheduler 等)都经过 VIP 和 haproxy 监听的 8443 端口访问 kube-apiserver 服务。
一、安装haproxy和keepalived
yum install -y keepalived haproxy
二、三个master配置haproxy代理api-server服务
[root@k8s-master1 ~]# cat /etc/haproxy/haproxy.cfg global log /dev/log local0 log /dev/log local1 notice chroot /var/lib/haproxy stats socket /var/run/haproxy-admin.sock mode 660 level admin stats timeout 30s user haproxy group haproxy daemon nbproc 1 defaults log global timeout connect 5000 timeout client 10m timeout server 10m listen admin_stats bind 0.0.0.0:10080 mode http log 127.0.0.1 local0 err stats refresh 30s stats uri /status stats realm welcome login\ Haproxy stats auth admin:123456 stats hide-version stats admin if TRUE listen kube-master bind 0.0.0.0:8443 mode tcp option tcplog balance roundrobin server 192.168.80.7 192.168.80.7:6443 check inter 2000 fall 2 rise 2 weight 1 server 192.168.80.8 192.168.80.8:6443 check inter 2000 fall 2 rise 2 weight 1 server 192.168.80.9 192.168.80.9:6443 check inter 2000 fall 2 rise 2 weight 1
三、三个master配置keepalived服务
[root@k8s-master1 ~]# cat /etc/keepalived/keepalived.conf global_defs { router_id lb-master-105 } vrrp_script check-haproxy { script "killall -0 haproxy" interval 3 } vrrp_instance VI-kube-master { state BACKUP nopreempt #设置不抢占,必须设置在backup上且priority最高的节点上 priority 120 dont_track_primary interface ens192 virtual_router_id 68 advert_int 3 track_script { check-haproxy } virtual_ipaddress { 114.67.81.105 #VIP,访问此IP调用api-server } }
killall -0 haproxy
命令检查所在节点的 haproxy 进程是否正常。四、启动haproxy和keepalived服务
#haproxy
systemctl enable haproxy
systemctl start haproxy
#keepalive
systemctl enable keepalived
systemctl start keepalived
五、查看haproxy和keepalived服务状态以及VIP状况
systemctl status haproxy|grep Active
systemctl status keepalived|grep Active
若是Active: active (running)表示正常。
六、查看VIP所属状况
ip addr show | grep 114.67.81.105
我这里VIP在192.168.80.7上。
为了验证高可用配置成功否,能够把192.168.80.7上的haproxy服务关闭,此时VIP会漂移到192.168.80.8服务器上,当192.168.80.7解决问题重启后,因为它配置了nopreempt,因此它不会从新抢占VIP资源。
注:* 若是使用云搭建的集群,在高可用这块能够直接用云服务商提供的SLB服务,若是haproxy+keepalive可能不支持,缘由你懂的。(云底层封掉了)
下一篇咱们将进行node节点的部署,请参考:二进制搭建kubernetes多master集群【4、配置k8s node】