kubernetes二进制高可用部署实战
环境:
192.168.30.20 VIP(虚拟)
192.168.30.21 master1
192.168.30.22 master2
192.168.30.23 node1
192.168.30.24 node2
192.168.30.25 k8s-LB1 (master)
192.168.30.26 k8s-LB2 (backup)
关闭swap swapoff -a 临时 永久 注释:vim /etc/fstab
关闭防火墙和selinux
关闭防火墙: systemctl stop firewalld
systemctl disable firewalld
Iptables -F
关闭selinux: $ sed -i ‘s/enforcing/disabled/’ /etc/selinux/config $ setenforce 0
临时 $ setenforce 0
实验由初:部署k8s高可用集群只需要对kube-apiserver进行做keepalived的高可用
Controller-manager和scheduler配置文件中可直接加入–leader-elect=true
可以自动实现leader选举
例如,某一个pod对象创建的请求被3个控制器实例分别执行一次进而创建出一个pod对象副本来。因此,在某一时刻,仅能有一个kube-controller-manager实例处于正常工作状态,余下的均处于备用状态,或者称为等待状态
注意多个实例要都同时启用–leader-elect=true
这种leader选举操作时分布式锁机制的一种应用,它通过创建和维护k8s资源对象来维护锁状态,初始状态时,各controller-manager实例通过竞争的方式去抢占指定的Endpoints。胜利者被选为leader
一、签发证书
Rz -E
传入etcd ca证书json文件便于认证,这里是用于以下证书的配置,我集合在一个脚本里面了
下面我分批执行
[root@k8s-master1 ~]# mkdir k8s
[root@k8s-master1 ~]# cd k8s
[root@k8s-master1 k8s]# mkdir etcd-cert
[root@k8s-master1 k8s]# mkdir k8s-cert
[root@k8s-master1 k8s]# cd etcd-cert/
[root@k8s-master1 etcd-cert]# rz -E
rz waiting to receive.
[root@k8s-master1 etcd-cert]# rz -E
rz waiting to receive.
[root@k8s-master1 etcd-cert]# ls
cfssl.sh etcd-cert.sh
这里我传了一个cfssl的认证工具,有两种认证形式,openssl、cfssl、我们这里用的cfssl
cfssl是一个证书工具,json、详细信息生成,并赋予权限
这里也可以直接执行,我是把它放到一个脚本里,直接执行的
[root@k8s-master1 etcd-cert]# cat cfssl.sh
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
[root@k8s-master1 etcd-cert]# sh cfssl.sh
证书机构准备为你颁发证书,我这里写的是10年,可以根据你自己情况而定
[root@k8s-master1 etcd-cert]# cat > ca-config.json <<EOF
{
“signing”: {
“default”: {
“expiry”: “87600h”
},
“profiles”: {
“www”: {
“expiry”: “87600h”,
“usages”: [
“signing”,
“key encipherment”,
“server auth”,
“client auth”
]
}
}
}
}
EOF
这里写的都是CA证书自己的地址
[root@k8s-master1 etcd-cert]# cat > ca-csr.json <<EOF
{
“CN”: “etcd CA”,
“key”: {
“algo”: “rsa”,
“size”: 2048
},
“names”: [
{
“C”: “CN”,
“L”: “Beijing”,
“ST”: “Beijing”
}
]
}
EOF
写完之后查看目录下会给我们生成2个json文件
[root@k8s-master1 etcd-cert]# ls
ca-config.json ca-csr.json cfssl.sh etcd-cert.sh
生成根证书,这也是自身拥有的
用cfssl工具初始化一个CA机构生成文件,通过json管道输出
[root@k8s-master1 etcd-cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca –
生成之后会显示pem的证书
[root@k8s-master1 etcd-cert]# ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem cfssl.sh etcd-cert.sh
进行颁发证书,给我们的HTTPS进行加密,对我们的etcd进行CA证书的颁发,并写清每台的主机IP,同时rsa的加密算法实现
[root@k8s-master1 etcd-cert]# cat > server-csr.json <<EOF
{
“CN”: “etcd”,
“hosts”: [
“192.168.30.21”,
“192.168.30.22”,
“192.168.30.23”,
“192.168.30.24”
],
“key”: {
“algo”: “rsa”,
“size”: 2048
},
“names”: [
{
“C”: “CN”,
“L”: “BeiJing”,
“ST”: “BeiJing”
}
]
}
EOF
这里生成了三个证书,可以使用证书了
[root@k8s-master1 etcd-cert]# ls
ca-config.json ca-csr.json ca.pem etcd-cert.sh server-csr.json server.pem
ca.csr ca-key.pem cfssl.sh server.csr server-key.pem
[root@k8s-master1 etcd-cert]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
二、部署etcd集群
创建soft的目录放软件包
[root@k8s-master1 ~]# mkdir soft
[root@k8s-master1 ~]# cd soft
[root@k8s-master1 soft]# rz -E
rz waiting to receive.
[root@k8s-master1 soft]# ls
etcd-v3.3.10-linux-amd64.tar.gz
解压etcd软件包,可以在github上下载,一般以amd结尾的
[root@k8s-master1 soft]# tar zxvf etcd-v3.3.10-linux-amd64.tar.gz
[root@k8s-master1 soft]# ls
etcd-v3.3.10-linux-amd64 etcd-v3.3.10-linux-amd64.tar.gz
[root@k8s-master1 soft]# cd etcd-v3.3.10-linux-amd64/
etcd是主要的相关配置,etcdctl是管理工具
[root@k8s-master1 etcd-v3.3.10-linux-amd64]# ls
Documentation etcd etcdctl README-etcdctl.md README.md READMEv2-etcdctl.md
创建etcd的目录以便日后管理
[root@k8s-master1 soft]# mkdir /opt/etcd/{cfg,bin,ssl} -p
[root@k8s-master1 soft]# cd etcd-v3.3.10-linux-amd64/
[root@k8s-master1 etcd-v3.3.10-linux-amd64]# mv etcd etcdctl /opt/etcd/bin
[root@k8s-master1 etcd-v3.3.10-linux-amd64]# ls /opt/etcd/bin/
etcd etcdctl
这里我传了一个写了以下配置etcd的脚本,我们分批执行一下
[root@k8s-master1 k8s]# rz -E
rz waiting to receive.
[root@k8s-master1 k8s]# vim etcd.sh
[root@k8s-master1 k8s]# chmod +x etcd.sh
[root@k8s-master1 k8s]# ls
etcd-cert etcd.sh k8s-cert
尝试指定我们的配置etcd文件,输入结果报错
[root@k8s-master1 k8s]# ./etcd.sh etcd01 192.168.30.21 etcd02=https://192.168.30.22:2380,etcd03=https://192.168.30.23:2380,etcd04=https://192.168.30.24:2380
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
Job for etcd.service failed because the control process exited with error code. See “systemctl status etcd.service” and “journalctl -xe” for details.
因为我们这里/usr/lib/systemd/system/etcd.service需要指定三个证书,也是刚才我们生成的,确保key-file在我们启动文件systemd中指定调用的文件耦合,ca.pem、server.pem、server-key.pem。这三个需要放在我们调用中的/opt/etcd/ssl中
[root@k8s-master1 ~]# cp /root/k8s/etcd-cert/{ca,server-key,server}.pem /opt/etcd/ssl
[root@k8s-master1 ~]# cd /opt/etcd/ssl
[root@k8s-master1 ssl]# ls
ca.pem server-key.pem server.pem
Server.pem是暴露我们2379端口用的
其他的是用于我们集群中
cat/usr/lib/systemd/system/etcd.service
–initial-cluster-state=new –cert-file=/opt/etcd/ssl/server.pem –key-file=/opt/etcd/ssl/server-key.pem –peer-cert-file=/opt/etcd/ssl/server.pem –peer-key-file=/opt/etcd/ssl/server-key.pem –trusted-ca-file=/opt/etcd/ssl/ca.pem –peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
这下我们的证书已经指定好了。直接启动就可以了,这里因为我们指定的是三个etcd
找不到另外两个节点,所有处于一直启动状态中,我们只需把另外两个节点加入进来就可以了,用ps-ef查看也是没问题的,进程有etcd的
[root@k8s-master1 ~]# systemctl restart etcd
^C
[root@k8s-master1 ~]# ps -ef |grep etcd
root 2332 1633 0 10:03 pts/0 00:00:00 systemctl restart etcd
root 2338 1 2 10:03 ? 00:00:00 /opt/etcd/bin/etcd –name=etcd01 –data-dir=/var/lib/etcd/default.etcd –listen-peer-urls=https://192.168.30.21:2380 –listen-client-urls=https://192.168.30.21:2379,http://127.0.0.1:2379 –advertise-client-urls=https://192.168.30.21:2379 –initial-advertise-peer-urls=https://192.168.30.21:2380 –initial-cluster=etcd01=https://192.168.30.21:2380,etcd02=https://192.168.30.22:2380,etcd03=https://192.168.30.23:2380,etcd04=https://192.168.30.24:2380 –initial-cluster-token=etcd-cluster –initial-cluster-state=new –cert-file=/opt/etcd/ssl/server.pem –key-file=/opt/etcd/ssl/server-key.pem –peer-cert-file=/opt/etcd/ssl/server.pem –peer-key-file=/opt/etcd/ssl/server-key.pem –trusted-ca-file=/opt/etcd/ssl/ca.pem –peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
root 2402 2351 0 10:03 pts/1 00:00:00 grep –color=auto etcd
把我们master上opt/etcd的配置文件及启动文件用-r连目录上传到另外两台主机上,还有systemd下的启动调用集群证书文件
[root@k8s-master1 ~]# scp -r /opt/etcd root@192.168.30.22:/opt
[root@k8s-master1 ~]# scp -r /opt/etcd root@192.168.30.23:/opt
[root@k8s-master1 ~]# scp -r /opt/etcd root@192.168.30.24:/opt
[root@k8s-master1 ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.30.22:/usr/lib/systemd/system
[root@k8s-master1 ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.30.23:/usr/lib/systemd/system
[root@k8s-master1 ~]# scp /usr/lib/systemd/system/etcd.service root@192.168.30.24:/usr/lib/systemd/system
修改每个节点上的ip以及名称
2379是数据通信的端口,2380是集群直接的端口
#[Member]
ETCD_NAME=”etcd01″
ETCD_DATA_DIR=”/var/lib/etcd/default.etcd”
ETCD_LISTEN_PEER_URLS=”https://192.168.30.22:2380″
ETCD_LISTEN_CLIENT_URLS=”https://192.168.30.22:2379″
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS=”https://192.168.30.22:2380″
ETCD_ADVERTISE_CLIENT_URLS=”https://192.168.30.22:2379″
ETCD_INITIAL_CLUSTER=”etcd01=https://192.168.30.21:2380,etcd02=https://192.168.30.22:2380,etcd03=https://192.168.30.23:2380,etcd04=https://192.168.30.24:2380″
ETCD_INITIAL_CLUSTER_TOKEN=”etcd-cluster”
ETCD_INITIAL_CLUSTER_STATE=”new”
[root@k8s-master2 ~]# systemctl start etcd
#[Member]
ETCD_NAME=”etcd02″
ETCD_DATA_DIR=”/var/lib/etcd/default.etcd”
ETCD_LISTEN_PEER_URLS=”https://192.168.30.23:2380″
ETCD_LISTEN_CLIENT_URLS=”https://192.168.30.23:2379″
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS=”https://192.168.30.23:2380″
ETCD_ADVERTISE_CLIENT_URLS=”https://192.168.30.23:2379″
ETCD_INITIAL_CLUSTER=”etcd01=https://192.168.30.21:2380,etcd02=https://192.168.30.22:2380,etcd03=https://192.168.30.23:2380,etcd04=https://192.168.30.24:2380″
ETCD_INITIAL_CLUSTER_TOKEN=”etcd-cluster”
ETCD_INITIAL_CLUSTER_STATE=”new”
[root@k8s-node1 ~]# systemctl start etcd
#[Member]
ETCD_NAME=”etcd03″
ETCD_DATA_DIR=”/var/lib/etcd/default.etcd”
ETCD_LISTEN_PEER_URLS=”https://192.168.30.24:2380″
ETCD_LISTEN_CLIENT_URLS=”https://192.168.30.24:2379″
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS=”https://192.168.30.24:2380″
ETCD_ADVERTISE_CLIENT_URLS=”https://192.168.30.24:2379″
ETCD_INITIAL_CLUSTER=”etcd01=https://192.168.30.21:2380,etcd02=https://192.168.30.22:2380,etcd03=https://192.168.30.23:2380,etcd04=https://192.168.30.24:2380″
ETCD_INITIAL_CLUSTER_TOKEN=”etcd-cluster”
ETCD_INITIAL_CLUSTER_STATE=”new”
[root@k8s-node2 ~]# systemctl start etcd
2379是数据通信的端口,2380是集群直接的端口
检查集群状态,因为我们是自签的证书所有要指定我们的证书pem
[root@k8s-master1 ~]# /opt/etcd/bin/etcdctl –ca-file=/opt/etcd/ssl/ca.pem –cert-file=/opt/etcd/ssl/server.pem –key-file=/opt/etcd/ssl/server-key.pem –endpoints=”https://192.168.30.21:2379,https://192.168.30.22:2379,https://192.168.30.23:2379,https://192.168.30.24:2379″ cluster-health
member 83ee018d2841375 is healthy: got healthy result from https://192.168.30.22:2379
member 31491770f0472891 is healthy: got healthy result from https://192.168.30.23:2379
member 7d0b0924d5dc6c42 is healthy: got healthy result from https://192.168.30.24:2379
member c04fbd1891457563 is healthy: got healthy result from https://192.168.30.21:2379
cluster is healthy
三、node节点都安装docker
这里是Centos7安装方式,ce版本是最新的社区版
安装依赖包
$ sudo yum install -y yum-utils \
device-mapper-persistent-data \
lvm2
添加Docker软件包源
$ sudo yum-config-manager \
–add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
安装Docker-ce
$ sudo yum install docker-ce
启动Docker
$ sudo systemctl start docker
默认是国外的源,下载会很慢,建议配置国内镜像仓库
#vim /etc/docker/daemon.json
{
“registry-mirrors”: [ “https://registry.docker-cn.com” ]
}
$ systemctl enable docker
建议使用daocloud的加速器
该脚本可以将 –registry-mirror 加入到你的 Docker 配置文件 /etc/docker/daemon.json 中
curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io
启动Docker
$ sudo systemctl start docker
四、部署fanneld网络
使用k8s网络通信原理实现有两种方案,隧道方案和路由方案
常用fannle、100台以内,支持很多的封包类型,传输形式,支持路由表同一局域网限制,对网络环境跨互联网进行使用,支持已有的进行通信,使用的是重叠网络进行隧道方案设计性能开销大,基于现有的tcp数据包再封装一次,传输,两边有这样一次封装和解封装的进程,使用重叠网络(flannel)
callco、上百台 使用BJP 、 协议通信,不支持多网络环境,必须在支持bjp的环境,在路由表中的环境学习IP进行通信,一般大型公司使用callco
路由方案是有路由表进行转发的,不会对数据包封装和解封装,性能好,走的是三层,网络层
Overlay Network:覆盖网络,在基础网络上叠加的一种虚拟网络
技术模式,该网络中的主机通过虚拟链路连接起来。
Flannel:是Overlay网络的一种,也是将源数据包封装在另一种网
络包里面进行路由转发和通信,目前已经支持UDP、VXLAN、AWS
VPC和GCE路由等数据转发方式
为你的key设置数组,为k8s节点设置子网,再为大子网分配一个小的子网,再分配到每个node上,数据转发方式为vxlan
[root@k8s-master1 ~]# /opt/etcd/bin/etcdctl –ca-file=/opt/etcd/ssl/ca.pem –cert-file=/opt/etcd/ssl/server.pem –key-file=/opt/etcd/ssl/server-key.pem –endpoints=”https://192.168.30.21:2379,https://192.168.30.22:2379,https://192.168.30.23:2379,https://192.168.30.24:2379″ set /coreos.com/network/config ‘{ “Network”: “172.17.0.0/16”, “Backend”: {“Type”: “vxlan”}}’
用get去查看子网范围状态
[root@k8s-master1 ~]# /opt/etcd/bin/etcdctl –ca-file=/opt/etcd/ssl/ca.pem –cert-file=/opt/etcd/ssl/server.pem –key-file=/opt/etcd/ssl/server-key.pem –endpoints=”https://192.168.30.21:2379,https://192.168.30.22:2379,https://192.168.30.23:2379,https://192.168.30.24:2379″ get /coreos.com/network/config
{ “Network”: “172.17.0.0/16”, “Backend”: {“Type”: “vxlan”}}
下载二进制包
https://github.com/coreos/flannel/releases
[root@k8s-node1 ~]# rz -E
rz waiting to receive.
[root@k8s-node1 ~]# rz -E
rz waiting to receive.
[root@k8s-node1 ~]# ls
anaconda-ks.cfg flannel-v0.10.0-linux-amd64.tar.gz flannel.sh
[root@k8s-node1 ~]# mkdir /opt/kubernetes/{bin,cfg,ssl} -p
[root@k8s-node1 ~]# tar zxvf flannel-v0.10.0-linux-amd64.tar.gz
[root@k8s-node1 ~]# mv flanneld mk-docker-opts.sh /opt/kubernetes/bin
[root@k8s-node1 ~]# chmod +x flannel.sh
[root@k8s-node1 ~]# ./flannel.sh https://192.168.30.21:2379,https://192.168.30.22:2379,https://192.168.30.23:2379,https://192.168.30.24:2379
给node2节点部署flannel
[root@k8s-node1 ~]# scp -r /opt/kubernetes/ root@192.168.30.24:/opt
[root@k8s-node1 ~]# scp /usr/lib/systemd/system/{flanneld,docker}.service root@192.168.30.24:/usr/lib/systemd/system/
[root@k8s-node1 ~]# systemctl start flanneld
[root@k8s-node1 ~]# systemctl restart docker
[root@k8s-node1 ~]# ip a
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:97:f5:6c:cd brd ff:ff:ff:ff:ff:ff
inet 172.17.25.1/24 brd 172.17.25.255 scope global docker0
valid_lft forever preferred_lft forever
6: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
link/ether b2:1a:97:5c:61:1f brd ff:ff:ff:ff:ff:ff
inet 172.17.25.0/32 scope global flannel.1
valid_lft forever preferred_lft forever
[root@k8s-node2 ~]# systemctl start flanneld
[root@k8s-node2 ~]# systemctl restart docker
[root@k8s-node2 ~]# ip a
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:3f:3c:a8:62 brd ff:ff:ff:ff:ff:ff
inet 172.17.77.1/24 brd 172.17.77.255 scope global docker0
valid_lft forever preferred_lft forever
6: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
link/ether 96:1c:bc:ec:05:d6 brd ff:ff:ff:ff:ff:ff
inet 172.17.77.0/32 scope global flannel.1
在node2测试创建容器分配的网络,测试网络都是flanneld分配出去的
[root@k8s-node2 ~]# docker run -it busybox
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000
inet 172.17.77.2/24 brd 172.17.77.255 scope global eth0
valid_lft forever preferred_lft forever
在node1节点测试node2上的pod容器是否可以通信,是可以的
[root@k8s-node1 ~]# ping 172.17.77.2
PING 172.17.77.2 (172.17.77.2) 56(84) bytes of data.
64 bytes from 172.17.77.2: icmp_seq=1 ttl=63 time=0.477 ms
64 bytes from 172.17.77.2: icmp_seq=2 ttl=63 time=0.445 ms
在node2节点测试node1上的pod容器是否可以通信,是可以的
[root@k8s-node1 ~]# docker run -it busybox
/ # ip a
inet 172.17.97.2/24 brd 172.17.97.255 scope global eth0
[root@k8s-node2 ~]# ping 172.17.97.2
PING 172.17.97.2 (172.17.97.2) 56(84) bytes of data.
64 bytes from 172.17.97.2: icmp_seq=1 ttl=63 time=0.516 ms
五、部署master
这里是自己写的配置
[root@k8s-master1 ~]# ls
master.zip k8s soft
[root@k8s-master1 ~]# cd k8s
[root@k8s-master1 k8s ~]# unzip master.zip
Archive: master.zip
inflating: apiserver.sh
inflating: controller-manager.sh
inflating: scheduler.sh
[root@k8s-master1 k8s]# ls
apiserver.sh controller-manager.sh etcd-cert etcd.sh flannel.sh k8s-cert scheduler.sh
[root@k8s-master1 ~]# cd soft/
[root@k8s-master1 soft]# rz -E
把二进制包拿进来,解压完并放到我们的工作目录
[root@k8s-master1 soft]# tar zxvf kubernetes-server-linux-amd64.tar.gz
[root@k8s-master1 soft]# cd kubernetes/server/bin/
[root@k8s-master1 bin]# mkdir -p /opt/kubernetes/{bin,cfg,ssl}
[root@k8s-master1 bin]# cp kube-apiserver kube-scheduler kube-controller-manager /opt/kubernetes/bin
监听本机apiserver和etcd的地址
[root@k8s-master1 k8s]# ./apiserver.sh 192.168.30.21 https://192.168.30.21:2379,https://192.168.30.22:2379,https://192.168.30.23:2379,https://192.168.30.24:2379
设置api-server.sh我们的配置选项中的日志存放位置
[root@k8s-master1 k8s]# mkdir /opt/kubernetes/logs
修改日志存放位置,修改opt/kubernetes/cfg/kube-apiserver
[root@k8s-master1 k8s]# vim apiserver.sh
KUBE_APISERVER_OPTS=”–logtostderr=false \\
–log-dir=/opt/kubernetes/logs \\
[root@k8s-master1 ~]# cd k8s/k8s-cert/
[root@k8s-master1 k8s-cert]# ls
[root@k8s-master1 k8s-cert]# rz -E
rz waiting to receive.
[root@k8s-master1 k8s-cert]# ls
k8s-cert.sh
修改ip 把节点IP添加进去,并执行,生成证书
[root@k8s-master1 k8s-cert]# vim k8s-cert.sh
cat > server-csr.json <<EOF
{
“CN”: “kubernetes”,
“hosts”: [
“10.0.0.1”,
“127.0.0.1”,
“192.168.30.21”,
“192.168.30.22”,
“192.168.30.23”,
“192.168.30.24”,
“192.168.30.25”,
“192.168.30.26”,
“kubernetes”,
“kubernetes.default”,
“kubernetes.default.svc”,
“kubernetes.default.svc.cluster”,
“kubernetes.default.svc.cluster.local”
[root@k8s-master1 k8s-cert]# bash k8s-cert.sh
[root@k8s-master1 k8s-cert]# ls
admin.csr ca-config.json ca.pem kube-proxy-key.pem server-key.pem
admin-csr.json ca.csr k8s-cert.sh kube-proxy.pem server.pem
admin-key.pem ca-csr.json kube-proxy.csr server.csr
admin.pem ca-key.pem kube-proxy-csr.json server-csr.json
[root@k8s-master1 k8s-cert]# cp ca.pem server.pem server-key.pem ca-key.pem /opt/kubernetes/ssl/
五、部署apiserver生成token文件
把kubeconfig.sh 拉进来
把第一段复制进来生成token文件
[root@k8s-master1 k8s-cert]# cat > token.csv <<EOF
> ${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,”system:kubelet-bootstrap”
> EOF
[root@k8s-master1 k8s-cert]# cat token.csv
0fb61c46f8991b718eb38d27b605b008,kubelet-bootstrap,10001,”system:kubelet-bootstrap”
[root@k8s-master1 k8s-cert]# mv token.csv /opt/kubernetes/cfg
[root@k8s-master1 k8s-cert]# systemctl start kube-apiserver
[root@k8s-master1 ~]# ps -ef |grep kube
root 59260 1 99 15:26 ? 00:00:06 /opt/kubernetes/bin/kube-apiserver –logtostderr=false –log-dir=/opt/kubernetes/logs –v=4 –etcd-servers=https://192.168.30.21:2379,https://192.168.30.22:2379,https://192.168.30.23:2379,https://192.168.30.24:2379 –bind-address=192.168.30.21 –secure-port=6443 –advertise-address=192.168.30.21 –allow-privileged=true –service-cluster-ip-range=10.0.0.0/24 –enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction –authorization-mode=RBAC,Node –kubelet-https=true –enable-bootstrap-token-auth –token-auth-file=/opt/kubernetes/cfg/token.csv –service-node-port-range=30000-50000 –tls-cert-file=/opt/kubernetes/ssl/server.pem –tls-private-key-file=/opt/kubernetes/ssl/server-key.pem –client-ca-file=/opt/kubernetes/ssl/ca.pem –service-account-key-file=/opt/kubernetes/ssl/ca-key.pem –etcd-cafile=/opt/etcd/ssl/ca.pem –etcd-certfile=/opt/etcd/ssl/server.pem –etcd-keyfile=/opt/etcd/ssl/server-key.pem
root 59275 13922 0 15:26 pts/2 00:00:00 grep –color=auto kube
查看apiserver日志存放位置
[root@k8s-master1 cfg]# ls /opt/kubernetes/logs
kube-apiserver.ERROR
kube-apiserver.INFO
kube-apiserver.k8s-master1.unknownuser.log.ERROR.20190713-195308.66108
kube-apiserver.k8s-master1.unknownuser.log.ERROR.20190713-195313.66130
apiserver默认监听8080
[root@k8s-master1 k8s]# netstat -antp | grep :8080
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 65327/kube-apiserve
[root@k8s-master1 k8s]# chmod +x controller-manager.sh
指定本地连接的ip 127.0.0.1
[root@k8s-master1 k8s]# ./controller-manager.sh 127.0.0.1
[root@k8s-master1 k8s]# ./scheduler.sh 127.0.0.1
把kubectl 放到/usr/bin下可以执行了
[root@k8s-master1 ~]# cp /root/soft/kubernetes/server/bin/kubectl /usr/bin/
查看单词缩写
[root@k8s-master1 ~]# kubectl api-resources
[root@k8s-master1 ~]# kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-3 Healthy {“health”:”true”}
etcd-2 Healthy {“health”:”true”}
etcd-1 Healthy {“health”:”true”}
etcd-0 Healthy {“health”:”true”}
七、部署node节点
[root@k8s-master1 cfg]# cat token.csv
aa70bb385b5a864e477b8c641fbef3d0,kubelet-bootstrap,10001,”system:kubelet-bootstrap”
将kubelet-bootstrap用户绑定到系统集群角色
[root@k8s-master1 ~]# kubectl create clusterrolebinding kubelet-bootstrap –clusterrole=system:node-bootstrapper –user=kubelet-bootstrap
- 创建kubeconfig文件
相当于认证信息,有了认证信息,才有权限访问apiserver
将上面生成的删除,从下面开始
[root@k8s-master1 k8s-cert]# vim kubeconfig.sh
BOOTSTRAP_TOKEN=aa70bb385b5a864e477b8c641fbef3d0
APISERVER=$1
SSL_DIR=$2
# 创建kubelet bootstrapping kubeconfig
export KUBE_APISERVER=”https://$APISERVER:6443″
# 设置集群参数
kubectl config set-cluster kubernetes \
–certificate-authority=$SSL_DIR/ca.pem \
–embed-certs=true \
–server=${KUBE_APISERVER} \
–kubeconfig=bootstrap.kubeconfig
# 设置客户端认证参数
kubectl config set-credentials kubelet-bootstrap \
–token=${BOOTSTRAP_TOKEN} \
–kubeconfig=bootstrap.kubeconfig
# 设置上下文参数
kubectl config set-context default \
–cluster=kubernetes \
–user=kubelet-bootstrap \
–kubeconfig=bootstrap.kubeconfig
# 设置默认上下文
kubectl config use-context default –kubeconfig=bootstrap.kubeconfig
#———————-
# 创建kube-proxy kubeconfig文件
kubectl config set-cluster kubernetes \
–certificate-authority=$SSL_DIR/ca.pem \
–embed-certs=true \
–server=${KUBE_APISERVER} \
–kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
–client-certificate=$SSL_DIR/kube-proxy.pem \
–client-key=$SSL_DIR/kube-proxy-key.pem \
–embed-certs=true \
–kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
–cluster=kubernetes \
–user=kube-proxy \
–kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default –kubeconfig=kube-proxy.kubeconfig
[root@k8s-master1 k8s-cert]# bash kubeconfig.sh 192.168.30.21 /root/k8s/k8s-cert
确保token加入进来
[root@k8s-master1 k8s-cert]# cat bootstrap.kubeconfig
name: kubernetes
contexts:
– context:
cluster: kubernetes
user: kubelet-bootstrap
name: default
current-context: default
kind: Config
preferences: {}
users:
– name: kubelet-bootstrap
user:
token: aa70bb385b5a864e477b8c641fbef3d0
- 部署kubelet,kube-proxy组件
Bootstrap.kubeconfig用来部署kubelet
Kube-proxy.kubeconfig用来部署kube-proxy
[root@k8s-master1 k8s-cert]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.30.23:/opt/kubernetes/cfg
[root@k8s-master1 k8s-cert]# scp bootstrap.kubeconfig kube-proxy.kubeconfig root@192.168.30.24:/opt/kubernetes/cfg
[root@k8s-node1 ~]# rz -E
rz waiting to receive.
[root@k8s-node1 ~]# unzip node.zip
[root@k8s-node1 ~]# bash kubelet.sh 192.168.30.23
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
把kube-proxy的ipvs规则删除
创建日志目录文件并调用到执行目录下
[root@k8s-node1 cfg]# mkdir /opt/kubernetes/logs
[root@k8s-node1 kubernetes]# vim cfg/kubelet
KUBELET_OPTS=”–logtostderr=false \
–log-dir=/opt/kubernetes/log \
–v=4 \
把kubelet、kube-proxy启动文件传到这个目录下
[root@k8s-master1 ~]# scp soft/kubernetes/server/bin/{kubelet,kube-proxy} root@192.168.30.23:/opt/kubernetes/bin/
[root@k8s-master1 ~]# scp /root/soft/kubernetes/server/bin/{kubelet,kube-proxy} root@192.168.30.24:/opt/kubernetes/bin/
[root@k8s-node1 kubernetes]# systemctl restart kubelet
[root@k8s-node1 kubernetes]# ps -ef |grep kube
root 10953 1 0 16:31 ? 00:00:06 /opt/kubernetes/bin/flanneld –ip-masq –etcd-endpoints=https://192.168.30.21:2379,https://192.168.30.23:2379,https://192.168.30.24:2379 -etcd-cafile=/opt/etcd/ssl/ca.pem -etcd-certfile=/opt/etcd/ssl/server.pem -etcd-keyfile=/opt/etcd/ssl/server-key.pem
root 34160 1 6 20:58 ? 00:00:00 /opt/kubernetes/bin/kubelet –logtostderr=false –log-dir=/opt/kubernetes/log –v=4 –hostname-override=192.168.30.23 –kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig –bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig –config=/opt/kubernetes/cfg/kubelet.config –cert-dir=/opt/kubernetes/ssl –pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0
root 34183 16147 0 20:58 pts/1 00:00:00 grep –color=auto kube
验证证书
[root@k8s-master1 ~]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-xLNLbvb3cibW-fyr_5Qyd3YuUYAX9DJgDwViu3AyXMk 3m38s kubelet-bootstrap Pending
颁发证书# kubectl certificate approve后面跟node节点的name
[root@k8s-master1 ~]# kubectl certificate approve node-csr-xLNLbvb3cibW-fyr_5Qyd3YuUYAX9DJgDwViu3AyXMk
certificatesigningrequest.certificates.k8s.io/node-csr-xLNLbvb3cibW-fyr_5Qyd3YuUYAX9DJgDwViu3AyXMk approved
[root@k8s-master1 ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.30.23 NotReady <none> 7s v1.13.4
[root@k8s-master1 ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.30.23 Ready <none> 11s v1.13.4
[root@k8s-master1 ~]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-xLNLbvb3cibW-fyr_5Qyd3YuUYAX9DJgDwViu3AyXMk 8m15s kubelet-bootstrap Approved,Issued
[root@k8s-node1 ~]# vim proxy.sh
[root@k8s-node1 ~]# bash proxy.sh 192.168.30.23
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
[root@k8s-node1 ~]# ps -ef |grep kube-proxy
root 35841 1 0 21:14 ? 00:00:00 /opt/kubernetes/bin/kube-proxy –logtostderr=true –v=4 –hostname-override=192.168.30.23 –cluster-cidr=10.0.0.0/24 –proxy-mode=ipvs –kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig
root 36005 16147 0 21:15 pts/1 00:00:00 grep –color=auto kube-proxy
七.二、部署第二个node节点
[root@k8s-node1 ~]# scp -r /opt/kubernetes/ root@192.168.30.24:/opt
[root@k8s-node1 ~]# scp /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.30.24:/usr/lib/systemd/system/
去node2上操作
[root@k8s-node2 ~]# cd /opt/kubernetes/cfg/
[root@k8s-node2 cfg]# ls
bootstrap.kubeconfig kubelet kubelet.kubeconfig kube-proxy.kubeconfig
flanneld kubelet.config kube-proxy
[root@k8s-node2 cfg]# cd ../ssl
[root@k8s-node2 ssl]# ls
kubelet-client-2019-07-13-21-06-07.pem kubelet-client-current.pem kubelet.crt kubelet.key
删除node1上颁发的证书
[root@k8s-node2 ssl]# rm -rf *
修改一个ip ,找到配置文件把ip上改成第二个node
[root@k8s-node2 cfg]# grep 23 *
kubelet:–hostname-override=192.168.30.23 \
kubelet.config:address: 192.168.30.23
kube-proxy:–hostname-override=192.168.30.23 \
这里把kube-proxy 的ipvs删掉
把这些都修改为24主机的IP之后启动
[root@k8s-node2 cfg]# systemctl restart kubelet
[root@k8s-node2 cfg]# systemctl restart kube-proxy.service
[root@k8s-node2 cfg]# ps -ef |grep kube
root 62846 1 0 16:49 ? 00:00:07 /opt/kubernetes/bin/flanneld –ip-masq –etcd-endpoints=https://192.168.30.21:2379,https://192.168.30.23:2379,https://192.168.30.24:2379 -etcd-cafile=/opt/etcd/ssl/ca.pem -etcd-certfile=/opt/etcd/ssl/server.pem -etcd-keyfile=/opt/etcd/ssl/server-key.pem
root 86738 1 6 21:27 ? 00:00:00 /opt/kubernetes/bin/kubelet –logtostderr=false –log-dir=/opt/kubernetes/log –v=4 –hostname-override=192.168.30.24 –kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig –bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig –config=/opt/kubernetes/cfg/kubelet.config –cert-dir=/opt/kubernetes/ssl –pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0
root 86780 1 35 21:28 ? 00:00:02 /opt/kubernetes/bin/kube-proxy –logtostderr=true –v=4 –hostname-override=192.168.30.24 –cluster-cidr=10.0.0.0/24 –proxy-mode=ipvs –kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig
root 86923 66523 0 21:28 pts/1 00:00:00 grep –color=auto kube
查看到master节点又有新的节点加入
[root@k8s-master1 ~]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-eH_jPNUBXJF6sIii9SvNz9fW71543MLjPvOYWeDteqo 90s kubelet-bootstrap Pending
node-csr-xLNLbvb3cibW-fyr_5Qyd3YuUYAX9DJgDwViu3AyXMk 31m kubelet-bootstrap Approved,Issued
颁发证书
[root@k8s-master1 ~]# kubectl certificate approve node-csr-eH_jPNUBXJF6sIii9SvNz9fW71543MLjPvOYWeDteqo
certificatesigningrequest.certificates.k8s.io/node-csr-eH_jPNUBXJF6sIii9SvNz9fW71543MLjPvOYWeDteqo approved
[root@k8s-master1 ~]# kubectl get csr
NAME AGE REQUESTOR CONDITION
node-csr-eH_jPNUBXJF6sIii9SvNz9fW71543MLjPvOYWeDteqo 3m18s kubelet-bootstrap Approved,Issued
node-csr-xLNLbvb3cibW-fyr_5Qyd3YuUYAX9DJgDwViu3AyXMk 33m kubelet-bootstrap Approved,Issued
查看node节点状态
[root@k8s-master1 ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.30.23 Ready <none> 25m v1.13.4
192.168.30.24 Ready <none> 51s v1.13.4
八、创建一个测试实例
[root@k8s-master1 ~]# kubectl run nginx –image=nginx
[root@k8s-master1 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
nginx-7cdbd8cdc9-wb228 1/1 Running 0 49s
暴露外部端口进行用户端访问
[root@k8s-master1 ~]# kubectl expose deployment nginx –port=88 –target-port=80 –type=NodePort
[root@k8s-master1 ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 20h
nginx NodePort 10.0.0.27 <none> 88:44364/TCP 20h
访问外网内网都可以
查看pod日志
[root@k8s-master1 ~]# kubectl logs nginx-7cdbd8cdc9-2qrcw
Error from server (Forbidden): Forbidden (user=system:anonymous, verb=get, resource=nodes, subresource=proxy) ( pods/log nginx-7cdbd8cdc9-2qrcw)
如果出现报错这里说明缺少一个默认的绑定集群的角色
定义/opt/kubernetes/cfg/kubelet.config
authentication:
anonymous:
enabled: true
并赋予系统集群一个角色
[root@k8s-master1 ~]# kubectl create clusterrolebinding cluster-system-anonymous –clusterrole=cluster-admin –user=system:anonymous
[root@k8s-master1 ~]# kubectl logs nginx-7cdbd8cdc9-2qrcw
172.17.55.0 – – [18/Jul/2019:08:08:22 +0000] “GET / HTTP/1.1” 200 612 “-” “curl/7.29.0” “-“
172.17.55.0 – – [18/Jul/2019:08:08:24 +0000] “GET / HTTP/1.1” 200 612 “-” “curl/7.29.0” “-“
172.17.55.0 – – [18/Jul/2019:08:08:27 +0000] “GET / HTTP/1.1” 200 612 “-” “curl/7.29.0” “-“
172.17.46.1 – – [18/Jul/2019:08:14:37 +0000] “GET / HTTP/1.1” 200 612 “-” “curl/7.29.0” “-“
.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0″ “-“
172.17.46.1 – – [18/Jul/2019:08:52:25 +0000] “GET / HTTP/1.1” 304 0 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0” “-“
172.17.46.1 – – [18/Jul/2019:08:52:25 +0000] “GET / HTTP/1.1” 304 0 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0” “-“
172.17.46.1 – – [18/Jul/2019:08:52:25 +0000] “GET / HTTP/1.1” 304 0 “-” “Mozilla/5.0 (Windows NT 10
九.部署master高可用
[root@k8s-master1 ~]# scp -r /opt/kubernetes/ root@192.168.30.22:/opt
[root@k8s-master1 ~]# scp /usr/lib/systemd/system/{kube-apiserver,kube-scheduler,kube-controller-manager}.service root@192.168.30.22:/usr/lib/systemd/system
修改kube-apiserver的IP
[root@k8s-master2 cfg]# grep 21 *
kube-apiserver:–etcd-servers=https://192.168.30.21:2379,https://192.168.30.22:2379,https://192.168.30.23:2379,https://192.168.30.24:2379 \
kube-apiserver:–bind-address=192.168.30.21 \
kube-apiserver:–advertise-address=192.168.30.21 \
启动kube-apiserver
[root@k8s-master2 ~]# systemctl start kube-apiserver
[root@k8s-master2 ~]# systemctl start kube-scheduler.service
[root@k8s-master2 ~]# systemctl start kube-controller-manager.service
[root@k8s-master2 ~]# ps -ef |grep kube
root 6840 1 12 14:10 ? 00:00:13 /opt/kubernetes/bin/kube-apiserver –logtostderr=false –log-dir=/opt/kubernetes/logs –v=4 –etcd-servers=https://192.168.30.21:2379,https://192.168.30.22:2379,https://192.168.30.23:2379,https://192.168.30.24:2379 –bind-address=192.168.30.22 –secure-port=6443 –advertise-address=192.168.30.22 –allow-privileged=true –service-cluster-ip-range=10.0.0.0/24 –enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction –authorization-mode=RBAC,Node –kubelet-https=true –enable-bootstrap-token-auth –token-auth-file=/opt/kubernetes/cfg/token.csv –service-node-port-range=30000-50000 –tls-cert-file=/opt/kubernetes/ssl/server.pem –tls-private-key-file=/opt/kubernetes/ssl/server-key.pem –client-ca-file=/opt/kubernetes/ssl/ca.pem –service-account-key-file=/opt/kubernetes/ssl/ca-key.pem –etcd-cafile=/opt/etcd/ssl/ca.pem –etcd-certfile=/opt/etcd/ssl/server.pem –etcd-keyfile=/opt/etcd/ssl/server-key.pem
root 6913 1 9 14:12 ? 00:00:01 /opt/kubernetes/bin/kube-scheduler –logtostderr=true –v=4 –master=127.0.0.1:8080 –leader-elect
root 6945 1 14 14:12 ? 00:00:01 /opt/kubernetes/bin/kube-controller-manager –logtostderr=true –v=4 –master=127.0.0.1:8080 –leader-elect=true –address=127.0.0.1 –service-cluster-ip-range=10.0.0.0/24 –cluster-name=kubernetes –cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem –cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem –root-ca-file=/opt/kubernetes/ssl/ca.pem –service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem –experimental-cluster-signing-duration=87600h0m0s
root 6953 3519 10 14:12 pts/1 00:00:00 grep –color=auto kube
把kubectl 从master传过来,查看集群状态
[root@k8s-master1 ~]# scp /usr/bin/kubectl root@192.168.30.22:/usr/bin
因为我们部署了etcd,所有集群状态在master2也能看到
[root@k8s-master2 ~]# kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-3 Healthy {“health”:”true”}
etcd-2 Healthy {“health”:”true”}
etcd-1 Healthy {“health”:”true”}
etcd-0 Healthy {“health”:”true”}
[root@k8s-master2 ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
192.168.30.23 Ready <none> 41m v1.13.4
192.168.30.24 Ready <none> 37m v1.13.4
十.安装nginx实现负载调度
在k8s-LB 1/2上都安装的先决条件 :
sudo yum install yum-utils
建立了 yum 库、创建文件/etc/yum.repos.d/nginx.repo有下列内容 :
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
安装 nginx, 请运行以下命令 :
sudo yum install nginx
[root@k8s-LB1 ~]# vim /etc/nginx/nginx.conf
worker_processes 4;
修改进程数为4
设置负载均衡器,从stream池子放置需要负载均衡的ip,也是就master上的IP
并代理到我们LB上,用LB来访问,请求分发流量到后端不同的master主机上
stream {
upstream k8s-apiserver {
server 192.168.30.21:6443;
server 192.168.30.22:6443;
}
server {
listen 192.168.30.25:6443;
proxy_pass k8s-apiserver;
}
}
[root@k8s-LB1 ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@k8s-LB1 ~]# systemctl restart nginx
[root@k8s-LB1 ~]# ps -ef |grep nginx
root 2394 1 0 14:56 ? 00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx 2395 2394 0 14:56 ? 00:00:00 nginx: worker process
nginx 2396 2394 0 14:56 ? 00:00:00 nginx: worker process
nginx 2397 2394 0 14:56 ? 00:00:00 nginx: worker process
nginx 2398 2394 0 14:56 ? 00:00:00 nginx: worker process
root 2414 1912 0 14:56 pts/0 00:00:00 grep –color=auto nginx
确定我们监听的是6443,端口
[root@k8s-LB1 ~]# netstat -anpt |grep 6443
tcp 0 0 192.168.30.25:6443 0.0.0.0:* LISTEN 2394/nginx: master
修改node节点上的ip,指定我们的负载均衡器的IP 192.168.30.25
[root@k8s-node1 cfg]# vim bootstrap.kubeconfig
server: https://192.168.30.25:6443
[root@k8s-node1 cfg]# vim kubelet.kubeconfig
server: https://192.168.30.25:6443
[root@k8s-node1 cfg]# vim kube-proxy.kubeconfig
server: https://192.168.30.25:6443
重启kubelet
[root@k8s-node1 cfg]# systemctl restart kubelet
[root@k8s-node1 cfg]# ps -ef |grep kubelet
root 39714 1 7 15:05 ? 00:00:00 /opt/kubernetes/bin/kubelet –logtostderr=true –v=4 –hostname-override=192.168.30.23 –kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig –bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig –config=/opt/kubernetes/cfg/kubelet.config –cert-dir=/opt/kubernetes/ssl –pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0
root 39903 4302 0 15:05 pts/2 00:00:00 grep –color=auto kubelet
[root@k8s-node2 cfg]# vim kubelet.kubeconfig
server: https://192.168.30.25:6443
[root@k8s-node2 cfg]# vim kube-proxy.kubeconfig
server: https://192.168.30.25:6443
[root@k8s-node2 cfg]# vim bootstrap.kubeconfig
server: https://192.168.30.25:6443
重启kubelet
[root@k8s-node2 cfg]# systemctl restart kubelet
[root@k8s-node2 cfg]# ps -ef |grep kubelet
root 101094 1 7 15:09 ? 00:00:00 /opt/kubernetes/bin/kubelet –logtostderr=true –v=4 –hostname-override=192.168.30.24 –kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig –bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig –config=/opt/kubernetes/cfg/kubelet.config –cert-dir=/opt/kubernetes/ssl –pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0
root 101283 13585 0 15:09 pts/1 00:00:00 grep –color=auto kubelet
设置nginx启动日志并记录node节点上的状态日志
[root@k8s-LB1 ~]# vim /etc/nginx/nginx.conf
stream {
log_format main “$remote_addr $upstream_addr – $time_local $status”;
access_log /var/log/nginx/k8s-access.log main;
upstream k8s-apiserver {
[root@k8s-LB1 ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@k8s-LB1 ~]# systemctl reload nginx
[root@k8s-LB1 ~]# ls /var/log/nginx/
access.log error.log k8s-access.log
测试日志日否开启
重启node2上的kubelet,查看k8s-LB1的日志
[root@k8s-node2 cfg]# systemctl restart kubelet
看到日志已经分配了,并来自两个master上的日志,这里Nginx负载均衡说明没有问题
[root@k8s-LB1 ~]# tail /var/log/nginx/k8s-access.log
192.168.30.24 192.168.30.22:6443 – 25/Jul/2019:15:20:14 +0800 200
192.168.30.24 192.168.30.21:6443 – 25/Jul/2019:15:20:14 +0800 200
十一.部署主从LB +keepalived实现vip 高可用
这里前面我们按照好了,直接把配置scp过来就行
[root@k8s-LB1 ~]# scp /root/etc/nginx/nginx.conf root@192.168.30.26:/etc/nginx/nginx.conf
修改代理监听的IP为192.168.30.26
[root@k8s-LB2 yum.repos.d]# vim /etc/nginx/nginx.conf
stream {
log_format main “$remote_addr $upstream_addr – $time_local $status”;
access_log /var/log/nginx/k8s-access.log main;
upstream k8s-apiserver {
server 192.168.30.21:6443;
server 192.168.30.22:6443;
}
server {
listen 192.168.30.26:6443;
proxy_pass k8s-apiserver;
}
}
[root@k8s-LB2 yum.repos.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf
重启,日志也启动了
[root@k8s-LB2 yum.repos.d]# systemctl restart nginx
[root@k8s-LB2 ~]# tail /var/log/nginx/k8s-access.log
两个节点都安装keepalived
[root@k8s-LB1 ~]# yum install keepalived
[root@k8s-LB2 ~]# yum install keepalived
修改主配置文件
[root@k8s-LB1 ~]# rz -E
rz waiting to receive.
[root@k8s-LB1 ~]# cp keepalived.conf /etc/keepalived/keepalived.conf
cp:是否覆盖“/etc/keepalived/keepalived.conf”? y
[root@k8s-LB1 ~]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id NGINX_MASTER
}
vrrp_script check_nginx {
script “/etc/keepalived/check_nginx.sh”
}
vrrp_instance VI_1 {
state MASTER
interface ens33
virtual_router_id 51 # VRRP 路由 ID实例,每个实例是唯一的
priority 100 # 优先级,备服务器设置 90
advert_int 1 # 指定VRRP 心跳包通告间隔时间,默认1秒
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.30.20/24
}
track_script {
check_nginx
}
}
/usr/local/nginx/sbin/check_nginx.sh
count=$(ps -ef |grep nginx |egrep -cv “grep|$$”)
if [ “$count” -eq 0 ];then
/etc/init.d/keepalived stop
fi
写一个脚本,检查nginx进程状态,如果启动失败,那就停掉keepalived,
上文我们在配置文件中也写到了脚本
[root@k8s-LB1 ~]# vim /etc/keepalived/check_nginx.sh
count=$(ps -ef |grep nginx |egrep -cv “grep|$$”)
if [ “$count” -eq 0 ];then
systemctl stop keepalived
fi
[root@k8s-LB1 keepalived]# chmod +x /etc/keepalived/check_nginx.sh
[root@k8s-LB1 keepalived]# systemctl restart keepalived
[root@k8s-LB1 keepalived]# ps -ef |grep keepalived
root 4085 1 0 16:15 ? 00:00:00 /usr/sbin/keepalived -D
root 4086 4085 0 16:15 ? 00:00:00 /usr/sbin/keepalived -D
root 4087 4085 0 16:15 ? 00:00:00 /usr/sbin/keepalived -D
root 4111 1912 0 16:15 pts/0 00:00:00 grep –color=auto keepalived
这里会绑定一个vip 地址,配置文件中设置的
[root@k8s-LB1 keepalived]# ip a
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:12:31:53 brd ff:ff:ff:ff:ff:ff
inet 192.168.30.25/24 brd 192.168.30.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.30.20/24 scope global secondary ens33
把LB1的配置文件转到LB2上,这里修改matser为backup 优先级为90
[root@k8s-LB1 ~]# scp /etc/keepalived/keepalived.conf root@192.168.30.26:/etc/keepalived
! Configuration File for keepalived
global_defs {
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id NGINX_MASTER
}
vrrp_script check_nginx {
script “/etc/keepalived/check_nginx.sh”
}
vrrp_instance VI_1 {
state BACKUP
interface ens33
virtual_router_id 51 # VRRP 路由 ID实例,每个实例是唯一的
priority 90 # 优先级,备服务器设置 90
advert_int 1 # 指定VRRP 心跳包通告间隔时间,默认1秒
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.30.20/24
}
track_script {
check_nginx
}
}
/usr/local/nginx/sbin/check_nginx.sh
count=$(ps -ef |grep nginx |egrep -cv “grep|$$”)
if [ “$count” -eq 0 ];then
/etc/init.d/keepalived stop
fi
脚本也传过来
[root@k8s-LB1 ~]# scp /etc/keepalived/check_nginx.sh root@192.168.30.26:/etc/keepalived
[root@k8s-LB2 keepalived]# ls
check_nginx.sh keepalived.conf
[root@k8s-LB2 keepalived]# chmod +x check_nginx.sh
[root@k8s-LB2 ~]# systemctl start keepalived
[root@k8s-LB2 ~]# ps -ef |grep keepalived
root 58283 1 0 16:32 ? 00:00:00 /usr/sbin/keepalived -D
root 58285 58283 0 16:32 ? 00:00:00 /usr/sbin/keepalived -D
root 58286 58283 0 16:32 ? 00:00:00 /usr/sbin/keepalived -D
root 58360 2184 0 16:33 pts/0 00:00:00 grep –color=auto keepalived
测试keepalived是否成功
停掉LB1的Nginx 那么VIP地址就飘到LB上了
[root@k8s-LB1 ~]# systemctl stop nginx
[root@k8s-LB2 ~]# ip a
valid_lft 1613sec preferred_lft 1613sec
inet 192.168.30.26/24 brd 192.168.30.255 scope global secondary noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.30.20/24 scope global secondary ens33
因为脚本里面我们停掉了keepaived所有就飘不过来了,重启一个keepalived就可以了
脚本写入停掉keepalived,这里主要是给我们提供一个服务挂掉的原因,设置报警之后,挂了说明服务有问题,方面我们去解决,如果不写入脚本,那么vip飘移过去,但是我们不知道服务存在问题,写入就是更好的通知我们状态,LB1问题解决重启keepalived,VIP地址还会回来,因为重点在与优先级的问题,LB1设置的是100,所有优先抢占
[root@k8s-LB1 ~]# systemctl start nginx
[root@k8s-LB1 ~]# systemctl restart keepalived
[root@k8s-LB1 ~]# ip a
inet 192.168.30.25/24 brd 192.168.30.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.30.20/24 scope global secondary ens33
十二.接入k8s
只需要修改node节点上kubeconfig的IP为master上的虚拟ip 也就是vip 地址192.168.30.20
[root@k8s-node2 cfg]# vim bootstrap.kubeconfig
[root@k8s-node2 cfg]# vim kubelet.kubeconfig
[root@k8s-node2 cfg]# vim kube-proxy.kubeconfig
[root@k8s-node2 cfg]# systemctl restart kubelet
[root@k8s-node2 cfg]# systemctl restart kube-proxy
[root@k8s-node1 cfg]# vim bootstrap.kubeconfig
[root@k8s-node1 cfg]# vim kubelet.kubeconfig
[root@k8s-node1 cfg]# vim kube-proxy.kubeconfig
[root@k8s-node1 cfg]# systemctl restart kubelet
[root@k8s-node1 cfg]# systemctl restart kube-proxy
查看请求目前没有接受到vip 的请求,需要改一下nginx监听的IP
[root@k8s-LB1 ~]# tail /var/log/nginx/k8s-access.log
192.168.30.24 192.168.30.22:6443 – 27/Jul/2019:11:13:59 +0800 200
192.168.30.23 192.168.30.21:6443 – 27/Jul/2019:11:13:59 +0800 200
192.168.30.23 192.168.30.21:6443 – 27/Jul/2019:11:17:19 +0800 200
192.168.30.24 192.168.30.22:6443 – 27/Jul/2019:11:18:11 +0800 200
[root@k8s-LB1 ~]# vim /etc/nginx/nginx.conf
server {
listen 0.0.0.0:6443;
proxy_pass k8s-apiserver;
[root@k8s-LB1 ~]# systemctl restart nginx
[root@k8s-LB2 ~]# vim /etc/nginx/nginx.conf
server {
listen 0.0.0.0:6443;
proxy_pass k8s-apiserver;
[root@k8s-LB2 ~]# systemctl restart nginx
测试重启node节点,查看
[root@k8s-node2 cfg]# systemctl restart kubelet
[root@k8s-LB1 ~]# tail /var/log/nginx/k8s-access.log
192.168.30.23 192.168.30.22:6443 – 25/Jul/2019:17:14:12 +0800 200
192.168.30.23 192.168.30.21:6443 – 25/Jul/2019:17:14:12 +0800 200
192.168.30.24 192.168.30.22:6443 – 25/Jul/2019:17:14:12 +0800 200
192.168.30.24 192.168.30.21:6443 – 25/Jul/2019:17:14:13 +0800 200