k8s kubeadm部署高可用集群

一、在生产环境中,我们k8s集群需要多master实现高可用,所以下面介绍如何通过kubeadm部署k8s高可用集群(建议生产环境master至少3个以上)

二、master部署:

1、三台maser节点上部署etcd集群

2、使用VIP进行kubeadm初始化master

注意:本次是通过物理服务器进行部署,如果使用阿里云服务器部署,由于阿里云服务器不支持VIP,可以通过SLB做负载均衡

三、环境准备;

节点主机: IP地址 操作系统 虚拟IP(VIP)
test-k8s-master-1 172.18.178.236 CentOS Linux release 7.7.1908 (Core) 172.18.178.240
test-k8s-master-2 172.18.178.237 CentOS Linux release 7.7.1908 (Core)
test-k8s-master-3 172.18.178.238 CentOS Linux release 7.7.1908 (Core)
test-k8s-node-01 172.18.178.239 CentOS Linux release 7.7.1908 (Core)

 

1.修改主机名并修改hosts文件(所有节点上面都要进操作):

hostnamectl set-hostname test-k8s-master-1
hostnamectl set-hostname test-k8s-master-2
hostnamectl set-hostname test-k8s-master-3
hostnamectl set-hostname test-k8s-node-01

vim /etc/hosts

172.18.178.236  test-k8s-master-1
172.18.178.237  test-k8s-master-2
172.18.178.238  test-k8s-master-3
172.18.178.239  test-k8s-node-01

2、配置yum源、安装相关的依赖包以及相关主件、配置内核优化参数等,这里我使用一个脚本直接安装(所有节点上面都需要执行)

cat init.sh

#yum源

yum install -y yum-utils \
device-mapper-persistent-data \
lvm2

wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

wget http://mirrors.aliyun.com/repo/epel-7.repo -O /etc/yum.repos.d/epel.repo

cat >>/etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

#安装K8S组件
yum install -y kubelet kubeadm kubectl docker-ce
systemctl restart docker && systemctl enable docker
systemctl enable kubelet

##

setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
sed -i 's/SELINUX=permissive/SELINUX=disabled/g' /etc/selinux/config

yum install -y epel-release vim screen bash-completion mtr lrzsz  wget telnet zip unzip sysstat  ntpdate libcurl openssl bridge-utils nethogs dos2unix iptables-services htop nfs-utils ceph-common git mysql

service firewalld stop
systemctl disable firewalld.service
service iptables stop
systemctl disable iptables.service

service postfix stop
systemctl disable postfix.service


wget http://mirrors.aliyun.com/repo/epel-7.repo -O /etc/yum.repos.d/epel.repo

note='#Ansible: nptdate-time'
task='*/10 * * * * /usr/sbin/ntpdate -u ntp.sjtu.edu.cn &> /dev/null'
echo "$(crontab -l)" | grep "^${note}$" &>/dev/null || echo -e "$(crontab -l)\n${note}" | crontab -
echo "$(crontab -l)" | grep "^${task}$" &>/dev/null || echo -e "$(crontab -l)\n${task}" | crontab -

echo '/etc/security/limits.conf 参数调优,需重启系统后生效'

cp -rf /etc/security/limits.conf /etc/security/limits.conf.back

cat > /etc/security/limits.conf << EOF
* soft nofile 655350
* hard nofile 655350
* soft nproc unlimited
* hard nproc unlimited
* soft core unlimited
* hard core unlimited
root soft nofile 655350
root hard nofile 655350
root soft nproc unlimited
root hard nproc unlimited
root soft core unlimited
root hard core unlimited
EOF

echo '/etc/sysctl.conf 文件调优'

cp -rf /etc/sysctl.conf /etc/sysctl.conf.back
cat > /etc/sysctl.conf << EOF

vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time = 120

# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2

# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

kernel.sysrq = 1
kernel.pid_max=1000000
EOF
sysctl -p

备注:将改脚本放置在每个节点服务器上,执行 sh init.sh 即可

3、加载ipvs模块:

cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#
!/bin/bash modprobe -- ip_vs modprobe -- ip_vs_rr modprobe -- ip_vs_wrr modprobe -- ip_vs_sh modprobe -- nf_conntrack_ipv4 EOF

chmod 755 /etc/sysconfig/modules/ipvs.modules
bash /etc/sysconfig/modules/ipvs.modules

 查看ipvs模块加载情况

 lsmod | grep -e ip_vs -e nf_conntrack_ipv4

 

 

 4、高可用(反向代理配置):(此操作在test-k8s-master-1上面操作,如果服务器资源充足也可以单独使用一台服务器做相关反向代理  备注:所有master节点上面都需要部署)

使用nginx(upstream)或者 HAproxy(这里使用Nginx+keepalived)

1.安装Nginx和keepalived:

yum -y install nginx keepalived
systemctl start keepalived && systemctl enable keepalived
systemctl start nginx && systemctl enable nginx

2.配置Nginx的upstream反代:

[root@test-k8s-master-1 ~]#  cd /etc/nginx

mv nginx.conf  nginx.conf.default

vim  nginx.conf.default

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
worker_connections 1024;
}
stream {
log_format proxy '$remote_addr $remote_port - [$time_local] $status $protocol '
'"$upstream_addr" "$upstream_bytes_sent" "$upstream_connect_time"' ;
access_log /var/log/nginx/nginx-proxy.log proxy;
upstream kubernetes_lb{
server 172.18.178.236:6443 weight=5 max_fails=3 fail_timeout=30s;
server 172.18.178.237:6443 weight=5 max_fails=3 fail_timeout=30s;
server 172.18.178.238:6443 weight=5 max_fails=3 fail_timeout=30s;
}
server {
listen 7443;
proxy_connect_timeout 30s;
proxy_timeout 30s;
proxy_pass kubernetes_lb;
}
}

检查Nginx配置文件语法是否正常,后重新加载Nginx

[root@test-k8s-master-1 nginx]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@test-k8s-master-1 nginx]# nginx -s reload

3.keeplived配置:

[root@test-k8s-master-1 ~]#  /etc/keepalived

mv keepalived.conf   keepalived.conf.default

vim keepalived.conf

global_defs {
notification_email {
test@gmail.com
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id LVS_1
}
vrrp_instance VI_1 {
state MASTER
interface ens192  #网卡设备名称,根据自己网卡信息进行更改
lvs_sync_daemon_inteface ens192 
virtual_router_id 88
advert_int 1
priority 110
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
172.18.178.240/24  # 这就就是虚拟IP地址
}
}

重启keepalived:

systemctl restart keepalived

5、初始化节点:

kubeadm config print init-defaults > kubeadm-init.yaml

下载镜像:

kubeadm config images pull --config kubeadm-init.yaml

修改kubeadm-init.yaml:

[root@test-k8s-master-1 ~]# vim  kubeadm-init.yaml
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
- system:bootstrappers:kubeadm:default-node-token
token: abcdef.0123456789abcdef
ttl: 24h0m0s
usages:
- signing
- authentication
kind: InitConfiguration
localAPIEndpoint:
advertiseAddress: 172.18.178.237
bindPort: 6443
nodeRegistration:
criSocket: /var/run/dockershim.sock
name: test-k8s-master-1
taints:
- effect: NoSchedule
key: node-role.kubernetes.io/master
---
apiServer:
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
controlPlaneEndpoint: "172.18.178.240:7443"
dns:
type: CoreDNS
etcd:
local:
dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.16.3
networking:
dnsDomain: cluster.local
podSubnet: "10.244.0.0/16"
scheduler: {}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: "ipvs"

初始化:

[root@test-k8s-master-1 ~]# kubeadm init --config kubeadm-init.yaml

......................
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: CoreDNS
[endpoint] WARNING: port specified in controlPlaneEndpoint overrides bindPort in the controlplane address
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:

kubeadm join 172.18.178.240:7443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:274a3c078548240887903b51e75e2cc9548343e06dcd2a3ca0c3087c3fdd3175 \
--control-plane

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 172.18.178.240:7443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:274a3c078548240887903b51e75e2cc9548343e06dcd2a3ca0c3087c3fdd3175

6、其他两个master 复制相关配置

USER=root
CONTROL_PLANE_IPS="test-k8s-master-2 test-k8s-master-3"
for host in ${CONTROL_PLANE_IPS}; do
ssh "${USER}"@$host "mkdir -p /etc/kubernetes/pki/etcd"
scp /etc/kubernetes/pki/ca.* "${USER}"@$host:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/sa.* "${USER}"@$host:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/front-proxy-ca.* "${USER}"@$host:/etc/kubernetes/pki/
scp /etc/kubernetes/pki/etcd/ca.* "${USER}"@$host:/etc/kubernetes/pki/etcd/
scp /etc/kubernetes/admin.conf "${USER}"@$host:/etc/kubernetes/
done

7、master节点加入:

kubeadm join 172.18.178.240:7443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:274a3c078548240887903b51e75e2cc9548343e06dcd2a3ca0c3087c3fdd3175 \
--control-plane

8、node 节点加入:

kubeadm join 172.18.178.240:7443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:274a3c078548240887903b51e75e2cc9548343e06dcd2a3ca0c3087c3fdd3175

9、安装网络插件:

wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
kubectl apply -f kube-flannel.yml

10、相关master节点和node节点加入完成后,查看相关节点状态(以下情况说明部署成功)

[root@test-k8s-master-1 ~]# kubectl get node -A | grep master
test-k8s-master-1            Ready      master   233d   v1.16.3
test-k8s-master-2            Ready      master   233d   v1.16.3
test-k8s-master-3            Ready      master   233d   v1.16.3

 

posted @ 2020-07-16 17:50  小毅哥博客  阅读(3630)  评论(3编辑  收藏  举报