kubeadm部署k8s高可用集群
kubeadm部署k8s高可用集群
一. 环境准备及集群规划
准备四台机器(均为2C1.5G配置):
192.168.10.11 master1
192.168.10.12 master2
192.168.10.13 master3
192.168.10.14 node
3台master共用一个vip: 192.168.10.100
所有机器配置好如下环境:
• 关闭防火墙,selinux
• 做好解析
• 配置好时间同步
• 禁用swap分区
• 配置内核参数
[root@master1 ~]# vim /etc/sysctl.d/kubernetes.conf
net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 net.ipv4.ip_nonlocal_bind = 1 net.ipv4.ip_forward = 1 vm.swappiness=0
[root@master1 ~]# sysctl --system
• 加载ipvs模块:
[root@master1 ~]# yum install ipset ipvsadm -y #安装相关管理工具
[root@master1 ~]# vim /etc/sysconfig/modules/ipvs.modules
#!/bin/bash modprobe -- ip_vs modprobe -- ip_vs_rr modprobe -- ip_vs_wrr modprobe -- ip_vs_sh modprobe -- nf_conntrack_ipv4
[root@master1 ~]# chmod +x /etc/sysconfig/modules/ipvs.modules
[root@master1 ~]# /etc/sysconfig/modules/ipvs.modules
•升级内核(版本较新的不需要此步)
[root@master1 ~]# yum -y update kernel
[root@master1 ~]# shutdown -r now
二、部署过程
1. 安装配置docker # 所有节点
2. 安装软件 # 所有节点
3. 安装负载均衡及高可用 # 所有 Master节点
4. 初台化Master1 # Master1节点
5. 配置kubectl # 所有需要的节点
6. 部署网络插件 # Master1节点
7. 加入Master节点 # 其它 Master节点
8. 加入Worker节点 # 所有 Node节点
2.1 安装配置docker
在所有节点安装
vim docker_install.sh
#/bin/bash curl http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -o /etc/yum.repos.d/docker-ce.repo yum -y install docker-ce-18.06.0.ce [ ! -d /etc/docker ] && mkdir /etc/docker cat >> /etc/docker/daemon.json <<- EOF { "registry-mirrors": ["https://pf5f57i3.mirror.aliyuncs.com"] } EOF systemctl enable docker systemctl start docker yum -y install ansible cat >> /etc/ansible/hosts << EOF [k8s] 192.168.10.11 192.168.10.12 192.168.10.13 192.168.10.14 EOF
ansible k8s -m script -a 'creates=/root/docker_install.sh /root/docker_install.sh'
2.2 安装软件
在所有节点安装
vim k8s_repo.sh
cat >> /etc/yum.repos.d/kubernetes.repo << EOF [kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/ enabled=1 gpgcheck=1 repo_gpgcheck=1 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF cat >> /etc/ansible/host << EOF [cluster] 192.168.10.12 192.168.10.13 192.168.10.14 EOF
ansible cluster -m copy -a "src=/etc/yum.repos.d/kubernetes.repo dest=/etc/yum.repos.d/ force=no"
yum install -y kubeadm-1.18.10-0 kubelet-1.18.10-0 kubectl-1.18.10-0 ipvsadm
可用 yum list --showduplicates|egrep kubeadm 查看有哪些可用版本
设置开机启动kubelet
# systemctl enable kubelet
2.3 安装负载均衡
在所有Master节点操作
Kubernetes master 节点运行如下组件:
- kube-apiserver
- kube-scheduler
- kube-controller-manager
kube-scheduler 和 kube-controller-manager 可以以集群模式运行,通过 leader 选举产生一个工作进程,其它进程处于阻塞模式。kube-apiserver可以运行多个实例,但对其它组件需要提供统一的访问地址,该地址需要高可用。
本次部署使用 keepalived+haproxy 实现 kube-apiserver 的VIP 高可用和负载均衡。keepalived 提供 kube-apiserver 对外服务的 VIP高可用。haproxy 监听 VIP,后端连接所有 kube-apiserver 实例,提供健康检查和负载均衡功能。kube-apiserver的端口为6443, 为避免冲突, haproxy 监听的端口要与之不同,此实验中为6444。
keepalived 周期性检查本机的 haproxy 进程状态,如果检测到 haproxy 进程异常,则触发VIP 飘移。 所有组件都通过 VIP 监听的6444端口访问 kube-apiserver 服务。
在此我们使用睿云智合相关镜像,具体使用方法请访问: https://github.com/wise2c-devops 。当然也可以手动配置haproxy以实现apiserver负载均衡,keepalived实现haproxy高可用。
创建 haproxy和 keepalived的启动脚本
[root@master1 ~]# vim haproxy_keepalived.sh
#!/bin/bash MasterIP1=192.168.10.11 MasterIP2=192.168.10.12 MasterIP3=192.168.10.13 MasterPort=6443 # apiserver端口 docker run -d --restart=always --name haproxy-k8s -p 6444:6444 \ -e MasterIP1=$MasterIP1 \ -e MasterIP2=$MasterIP2 \ -e MasterIP3=$MasterIP3 \ -e MasterPort=$MasterPort wise2c/haproxy-k8s VIRTUAL_IP=192.168.10.100 # VIP INTERFACE=ens33 # 网卡名称 NETMASK_BIT=24 CHECK_PORT=6444 # Haproxy端口 RID=10 VRID=160 MCAST_GROUP=224.0.0.18 docker run -itd --restart=always --name=keepalived-k8s \ --net=host --cap-add=NET_ADMIN \ -e VIRTUAL_IP=$VIRTUAL_IP \ -e INTERFACE=$INTERFACE \ -e NETMASK_BIT=$NETMASK_BIT \ -e CHECK_PORT=$CHECK_PORT \ -e RID=$RID -e VRID=$VRID \ -e MCAST_GROUP=$MCAST_GROUP wise2c/keepalived-k8s
在所有Master节点执行脚本运行这两个容器
[root@master1 ~]# sh haproxy_keepalived.sh
[root@master1 ~]# ansible 192.168.10.12 -m script -a 'creates=/root/haproxy_keepalived.sh /root/haproxy_keepalived.sh'
[root@master1 ~]# ansible 192.168.10.13 -m script -a 'creates=/root/haproxy_keepalived.sh /root/haproxy_keepalived.sh'
测试
1).在每台机器上查看容器(haproxy, keepalived)是否都正常运行
2).在每台机器上查看6444端口是否监听
3).在有VIP的机器关闭haproxy容器或keepalived容器看看VIP能否正常飘移
2.4 初始化Master1
仅在 Master1节点操作
初始化参考:
在 Master1上创建初始化配置文件
[root@master1 ~]# mkdir k8s
[root@master1 ~]# cd k8s/
[root@master1 k8s]# kubeadm config print init-defaults > init.yml
根据实际环境修改初始化配置文件
[root@master1 k8s]# vim init.yml
apiVersion: kubeadm.k8s.io/v1beta2 bootstrapTokens: - groups: - system:bootstrappers:kubeadm:default-node-token token: abcdef.0123456789abcdef ttl: 24h0m0s usages: - signing - authentication kind: InitConfiguration localAPIEndpoint: advertiseAddress: 192.168.10.11 # 此处改为本机IP(修改) bindPort: 6443 nodeRegistration: criSocket: /var/run/dockershim.sock name: master1 #修改为master1 taints: - effect: NoSchedule key: node-role.kubernetes.io/master --- apiServer: timeoutForControlPlane: 4m0s apiVersion: kubeadm.k8s.io/v1beta2 certificatesDir: /etc/kubernetes/pki clusterName: kubernetes controlPlaneEndpoint: "192.168.10.100:6444" # VIP:PORT(增加) controllerManager: {} dns: type: CoreDNS etcd: local: dataDir: /var/lib/etcd imageRepository: registry.aliyuncs.com/google_containers # 使用国内镜像仓库(增加) kind: ClusterConfiguration kubernetesVersion: v1.18.10 # 版本号(修改) networking: dnsDomain: cluster.local serviceSubnet: 10.96.0.0/12 podSubnet: 10.244.0.0/16 # pod子网,和Flannel中要一致(增加) scheduler: {} --- apiVersion: kubeproxy.config.k8s.io/v1alpha1 kind: KubeProxyConfiguration mode: ipvs
初始化 Master1
之前版本:
[root@master1 k8s]# kubeadm init --config=init.yml --experimental-upload-certs | tee kubeadm-init.log
v1.18.10版本:
[root@master1 k8s]# kubeadm init --config=init.yml --upload-certs |tee kubeadm-init.log
-
该命令指定了初始化时需要使用的配置文件,其中添加–experimental-upload-certs参数可以在后续执行加入节点时自动分发证书文件。
-
这里追加tee命令将初始化日志输出到kubeadm-init.log中以备用(可选)。
-
由于需要拉取镜像,各种原因,这里可能要等十几分钟,一定耐心耐心,只要没有error等待即可
初始化成功后可以看到类似于下图提示:
*如果中途失败, 再次初始化前先执行 kubeadm reset 命令清理, 然后再执行init或join操作
[root@node2 ~]# kubeadm reset
[reset] WARNING: Changes made to this host by 'kubeadm init' or 'kubeadm join' will be reverted. [reset] Are you sure you want to proceed? [y/N]: y [preflight] Running pre-flight checks W0321 22:54:01.292739 7918 removeetcdmember.go:79] [reset] No kubeadm config, using etcd pod spec to get data directory [reset] No etcd config found. Assuming external etcd [reset] Please, manually reset etcd to prevent further issues [reset] Stopping the kubelet service [reset] Unmounting mounted directories in "/var/lib/kubelet" [reset] Deleting contents of config directories: [/etc/kubernetes/manifests /etc/kubernetes/pki] [reset] Deleting files: [/etc/kubernetes/admin.conf /etc/kubernetes/kubelet.conf /etc/kubernetes/bootstrap-kubelet.conf /etc/kubernetes/controller-manager.conf /etc/kubernetes/scheduler.conf] [reset] Deleting contents of stateful directories: [/var/lib/kubelet /var/lib/dockershim /var/run/kubernetes /var/lib/cni] # reset进程没有清理CNI配置 The reset process does not clean CNI configuration. To do so, you must remove /etc/cni/net.d # reset进程没有清理iptables或IPVS表 The reset process does not reset or clean up iptables rules or IPVS tables. If you wish to reset iptables, you must do so manually by using the "iptables" command. If your cluster was setup to utilize IPVS, run ipvsadm --clear (or similar) to reset your system's IPVS tables. # reset进程没有清理kubeconfig文件 The reset process does not clean your kubeconfig files and you must remove them manually. Please, check the contents of the $HOME/.kube/config file.
kubeadm init主要执行了以下操作:
-
[init]:指定版本进行初始化操作
-
[preflight] :初始化前的检查和下载所需要的Docker镜像文件
-
[kubelet-start]:生成kubelet的配置文件”"var/lib/kubelet/config.yaml",没有这个文件kubelet无法启动,所以初始化之前的kubelet实际上启动不会成功。
-
[certificates]:生成Kubernetes使用的证书,存放在/etc/kubernetes/pki目录中。
-
[kubeconfig] :生成 KubeConfig 文件,存放在/etc/kubernetes目录中,组件之间通信需要使用对应文件。
-
[control-plane]:使用/etc/kubernetes/manifest目录下的YAML文件,安装 Master 组件。
-
[etcd]:使用/etc/kubernetes/manifest/etcd.yaml安装Etcd服务。
-
[wait-control-plane]:等待control-plan部署的Master组件启动。
-
[apiclient]:检查Master组件服务状态。
-
[uploadconfig]:更新配置
-
[kubelet]:使用configMap配置kubelet。
-
[patchnode]:更新CNI信息到Node上,通过注释的方式记录。
-
[mark-control-plane]:为当前节点打标签,打了角色Master,和不可调度标签,这样默认就不会使用Master节点来运行Pod。
-
[bootstrap-token]:生成token记录下来,后边使用kubeadm join往集群中添加节点时会用到
-
[addons]:安装附加组件CoreDNS和kube-proxy
2.5 配置kubectl
无论在master节点或node节点,要能够执行kubectl命令必须进行配置,有两种配置方式
方式一,通过配置文件
我用的是root用户,所以执行下面两步即可
[root@master k8s]# mkdir -p $HOME/.kube
[root@master k8s]# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@master k8s]# sudo chown $(id -u):$(id -g) $HOME/.kube/config
方式二,通过环境变量
# echo 'export KUBECONFIG=/etc/kubernetes/admin.conf' >> ~/.bashrc
# source ~/.bashrc
配置好kubectl后,就可以使用kubectl命令了
[root@master1 k8s]# kubectl get cs
NAME STATUS MESSAGE ERROR controller-manager Healthy ok etcd-0 Healthy {"health":"true"} scheduler Healthy ok
[root@master1 k8s]# kubectl get no
NAME STATUS ROLES AGE VERSION master1 NotReady master 2m32s v1.18.0
[root@master1 k8s]# kubectl get po -n kube-system
NAME READY STATUS RESTARTS AGE coredns-7ff77c879f-965nt 0/1 Pending 0 2m24s coredns-7ff77c879f-qmsb2 0/1 Pending 0 2m24s etcd-master1 1/1 Running 1 2m38s kube-apiserver-master1 1/1 Running 1 2m38s kube-controller-manager-master1 1/1 Running 1 2m38s kube-proxy-q847x 1/1 Running 1 2m24s kube-scheduler-master1 1/1 Running 1 2m38s
由于未安装网络插件,coredns处于pending状态,node处于NotReady 状态
在更高版本的k8s集群中,可能会出现 scheduler、controller-manager 两个组件健康状况不正常的情况,如下:
[root@master-1 k8s]# kubectl get cs
NAME STATUS MESSAGE ERROR controller-manager Unhealthy Get http://127.0.0.1:10252/healthz: dial tcp 127.0.0.1:10252: connect: connection refused scheduler Unhealthy Get http://127.0.0.1:10251/healthz: dial tcp 127.0.0.1:10251: connect: connection refused etcd-0 Healthy {"health":"true"}
解决方法:修改以下两个文件:
/etc/kubernetes/manifests/kube-controller-manager.yaml
/etc/kubernetes/manifests/kube-scheduler.yaml
!!!注释掉: - --port=0 ,等一会即可
2.6 部署网络插件flannel
仅在Master1节点操作
kubernetes支持多种网络方案,这里简单介绍常用的 flannel 方案.
下载kube-flannel.yml文件
[root@master k8s]# curl -O https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
由于kube-flannel.yml文件指定的镜像从coreos镜像仓库拉取,可能拉取失败,我们替换掉它
# 查看
[root@master k8s]# grep -i "flannel:" kube-flannel.yml
image: quay.io/coreos/flannel:v0.12.0-amd64 image: quay.io/coreos/flannel:v0.12.0-amd64
# 替换(注:因文件版本不同,替换命令可能有所不同)
[root@master k8s]# sed -i 's#quay.io/coreos/flannel:v0.13.0#registry.cn-shenzhen.aliyuncs.com/leedon/flannel:v0.11.0-amd64#' kube-flannel.yml
由于国内网络原因,下载不下来的,多下载几次。
执行安装
[root@master1 k8s]# kubectl apply -f kube-flannel.yml
podsecuritypolicy.policy/psp.flannel.unprivileged created clusterrole.rbac.authorization.k8s.io/flannel created clusterrolebinding.rbac.authorization.k8s.io/flannel created serviceaccount/flannel created configmap/kube-flannel-cfg created daemonset.apps/kube-flannel-ds-amd64 created
再次查看node和 Pod状态,全部OK, 所有的核心组件都起来了
[root@master1 k8s]# kubectl get po -n kube-system
NAME READY STATUS RESTARTS AGE coredns-7ff77c879f-965nt 1/1 Running 0 24m coredns-7ff77c879f-qmsb2 1/1 Running 0 24m etcd-master1 1/1 Running 1 25m kube-apiserver-master1 1/1 Running 1 25m kube-controller-manager-master1 1/1 Running 1 25m kube-flannel-ds-amd64-vvj65 1/1 Running 0 48s kube-proxy-q847x 1/1 Running 1 24m kube-scheduler-master1 1/1 Running 1 25m
[root@master1 k8s]# kubectl get no
2.7 加入master节点
从初始化输出或kubeadm-init.log中获取命令将master2和master3加入到集群中来
[root@master1 k8s]# cat kubeadm-init.log
在另外两个节点执行
[root@master2 ~]# kubeadm join 192.168.10.100:6444 --token abcdef.0123456789abcdef \
> --discovery-token-ca-cert-hash sha256:fae84690ed5edbf2189f9c7c6db193e09a543c9abe3e16a54c5ddaf5c558b1d2 \
> --control-plane --certificate-key 598ebb9877f3b981316a21879988e6cfe0eb64708c2aef689128604e5267a767
[root@master3 ~]# kubeadm join 192.168.10.100:6444 --token abcdef.0123456789abcdef \
> --discovery-token-ca-cert-hash sha256:fae84690ed5edbf2189f9c7c6db193e09a543c9abe3e16a54c5ddaf5c558b1d2 \
> --control-plane --certificate-key 598ebb9877f3b981316a21879988e6cfe0eb64708c2aef689128604e5267a767
稍等一会,加入成功后会有如下提示: (耐心等待)
再查看集群信息
[root@master1 k8s]# kubectl get no
NAME STATUS ROLES AGE VERSION master1 Ready master 12m v1.18.0 master2 Ready master 10m v1.18.0 master3 Ready master 3m3s v1.18.0
[root@master1 k8s]# kubectl get po -n kube-system
NAME READY STATUS RESTARTS AGE coredns-7ff77c879f-r4mqp 1/1 Running 0 12m coredns-7ff77c879f-w9nsh 1/1 Running 0 12m etcd-master1 1/1 Running 0 13m etcd-master2 1/1 Running 0 9m39s etcd-master3 1/1 Running 0 3m51s kube-apiserver-master1 1/1 Running 0 13m kube-apiserver-master2 1/1 Running 0 11m kube-apiserver-master3 1/1 Running 0 3m50s kube-controller-manager-master1 1/1 Running 1 13m kube-controller-manager-master2 1/1 Running 1 9m43s kube-controller-manager-master3 1/1 Running 0 3m50s kube-flannel-ds-amd64-9wn57 1/1 Running 1 11m kube-flannel-ds-amd64-ktxpl 1/1 Running 0 12m kube-flannel-ds-amd64-qhttx 1/1 Running 0 8m59s kube-proxy-6hlql 1/1 Running 0 11m kube-proxy-jbx8r 1/1 Running 0 12m kube-proxy-l9782 1/1 Running 0 8m59s kube-scheduler-master1 1/1 Running 2 13m kube-scheduler-master2 1/1 Running 2 9m43s kube-scheduler-master3 1/1 Running 0 3m49s
分别在master2和master3上配置好命令行工具kubectl
就可以正常使用了
也可以
2.8 加入worker节点
Kubernetes 的 Worker 节点跟 Master 节点几乎是相同的,它们运行着的都是一个 kubelet 组件。
唯一的区别在于,Master 节点上还会自动运行 kube-apiserver、kube-scheduler、kube-controller-manger 这三个系统 Pod
从init的输出或kubeadm-init.log文件中获取命令将node节点加入到集群中来
[root@master1 k8s]# cat kubeadm-init.log
在所有worker节点执行
过一段时间再看集群信息
可以在任意master节点上查看加入是否成功:
[root@master1 k8s]# kubectl get no
NAME STATUS ROLES AGE VERSION master1 Ready master 22m v1.18.0 master2 Ready master 20m v1.18.0 master3 Ready master 13m v1.18.0 node1 Ready <none> 4m46s v1.18.0
至此,集群部署完毕。
2.9 查看集群信息
查看service
[root@master3 ~]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 91m
查看代理规则
[root@master3 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 10.96.0.1:443 rr -> 192.168.10.11:6443 Masq 1 0 0 -> 192.168.10.12:6443 Masq 1 0 0 -> 192.168.10.13:6443 Masq 1 1 0 TCP 10.96.0.10:53 rr -> 10.244.0.2:53 Masq 1 0 0 -> 10.244.0.3:53 Masq 1 0 0 TCP 10.96.0.10:9153 rr -> 10.244.0.2:9153 Masq 1 0 0 -> 10.244.0.3:9153 Masq 1 0 0 UDP 10.96.0.10:53 rr -> 10.244.0.2:53 Masq 1 0 0 -> 10.244.0.3:53 Masq 1 0 0
查看etcd集群状态:
[root@master2 ~]# kubectl -n kube-system exec etcd-master1 -- etcdctl \
--endpoints=https://192.168.10.11:2379 \
--ca-file=/etc/kubernetes/pki/etcd/ca.crt \
--cert-file=/etc/kubernetes/pki/etcd/server.crt \
--key-file=/etc/kubernetes/pki/etcd/server.key cluster-health
