kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)

CentOS7使用kubeadm+keepalived+haproxy搭建K8s高可用master(三主两从)

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)

k8s-lb为Vip


系统配置

#修改计算机名
#主节点1
hostnamectl --static set-hostname k8s-master1 && su
#主节点2
hostnamectl --static set-hostname k8s-master2 && su
#主节点3
hostnamectl --static set-hostname k8s-master3 && su
#工作节点1
hostnamectl --static set-hostname k8s-work1 && su
#工作节点2
hostnamectl --static set-hostname k8s-work2 && su

#关闭防火墙和selinux
setenforce 0 && sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
systemctl stop firewalld && systemctl disable firewalld && systemctl status firewalld

#禁用swap
swapoff -a && sed -i '/ swap / s/^/#/' /etc/fstab

#配置host文件
cat >>/etc/hosts <<EOF
192.168.3.200 k8s-lb
192.168.3.210 k8s-master1
192.168.3.220 k8s-master2
192.168.3.230 k8s-master3
192.168.3.240 k8s-work1
192.168.3.250 k8s-work2
EOF

#更换系统源
mv /etc/yum.repos.d/* /tmp && curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo && curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo && yum makecache

#校准时间
ntpdate ntp.aliyun.com
hwclock --systohc

#配置免密并分发
ssh-keygen -t rsa -b 1200
ssh-copy-id -i ~/.ssh/id_rsa.pub root@k8s-master1
ssh-copy-id -i ~/.ssh/id_rsa.pub root@k8s-master2
ssh-copy-id -i ~/.ssh/id_rsa.pub root@k8s-master3
ssh-copy-id -i ~/.ssh/id_rsa.pub root@k8s-work1
ssh-copy-id -i ~/.ssh/id_rsa.pub root@k8s-work2

#升级内核
yum install wget -y &&
wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-lt-4.4.245-1.el7.elrepo.x86_64.rpm && wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-lt-devel-4.4.245-1.el7.elrepo.x86_64.rpm

cat <<EOF > /root/upkernel.sh
#!/bin/bash

yum localinstall -y kernel-lt*
if [ $? -eq 0 ];then
 grub2-set-default 0 && grub2-mkconfig -o /etc/grub2.cfg
 grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)"
fi
echo "need reboot"
EOF
执行sh upkernel.sh
reboot

#修改内核参数
cat > /etc/sysctl.d/k8s.conf << EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
fs.may_detach_mounts = 1
vm.overcommit_memory = 1
vm.panic_on_oom = 0
fs.inotify.max_user_watches = 89100
fs.file-max = 52706963
fs.nr_open = 52706963
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp.keepaliv.probes = 3
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp.max_tw_buckets = 36000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp.max_orphans = 327680
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.ip_conntrack_max = 65536
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.top_timestamps = 0
net.core.somaxconn = 16384
EOF
执行sysctl --system

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)


安装docker

#更换docker为国内源
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo \
&& yum makecache

#安装
yum install yum-utils device-mapper-persistent-data lvm2 -y && yum install docker-ce docker-ce-cli -y
systemctl enable --now docker

#更换为国内镜像
cat > /etc/docker/daemon.json << EOF
{
  "registry-mirrors": ["https://f1bhsuge.mirror.aliyuncs.com"]
}
EOF

#修改docker Cgroup Driver为systemd
sed -i "s#^ExecStart=/usr/bin/dockerd.*#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --exec-opt native.cgroupdriver=systemd#g" /usr/lib/systemd/system/docker.service

执行systemctl daemon-reload && systemctl restart docker


安装kubernetes

#更换k8s国内源
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
执行yum clean all && yum makecache

#安装
yum install kubelet kubeadm kubectl -y
systemctl enable kubelet


安装和配置haproxy

3个master节点安装

yum install keepalived haproxy -y 

#配置Haproxy
mv /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak
vim /etc/haproxy/haproxy.cfg
修改为
global
  maxconn  2000
  ulimit-n  16384
  log  127.0.0.1 local0 err
  stats timeout 30s

defaults
  log global
  mode  http
  option  httplog
  timeout connect 5000
  timeout client  50000
  timeout server  50000
  timeout http-request 15s
  timeout http-keep-alive 15s

frontend monitor-in
  bind *:33305
  mode http
  option httplog
  monitor-uri /monitor

listen stats
  bind    *:8006
  mode    http
  stats   enable
  stats   hide-version
  stats   uri       /stats
  stats   refresh   30s
  stats   realm     Haproxy\ Statistics
  stats   auth      admin:admin

frontend k8s-master
  bind 0.0.0.0:8443
  bind 127.0.0.1:8443
  mode tcp
  option tcplog
  tcp-request inspect-delay 5s
  default_backend k8s-master

backend k8s-master
  mode tcp
  option tcplog
  option tcp-check
  balance roundrobin
  default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
  server master1 192.168.3.210:6443  check inter 2000 fall 2 rise 2 weight 100
  server master2 192.168.3.220:6443  check inter 2000 fall 2 rise 2 weight 100
  server master3 192.168.3.230:6443  check inter 2000 fall 2 rise 2 weight 100

同步到主节点2和主节点3

scp /etc/haproxy/haproxy.cfg root@k8s-master2:/etc/haproxy/
scp /etc/haproxy/haproxy.cfg root@k8s-master3:/etc/haproxy/


配置Keepalived

#mcast_src_ip:配置多播源地址,此地址是当前主机的ip地址
#priority:keepalived根据此项参数的大小仲裁master节点。我们这里让master节点为kubernetes提供服务,其他两个节点暂时为备用节点。因此master1节点设置为100,master2节点设置为99,master3节点设置为98
#state:我们将master1节点的state字段设置为MASTER,其他两个节点字段修改为BACKUP
#集群检查功能暂时为关闭状态,等到集群建立完成后再开启
#主节点1
mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
vim /etc/keepalived/keepalived.conf
改为
! Configuration File for keepalived
global_defs {
    router_id LVS_DEVEL
}
vrrp_script chk_kubernetes {
    script "/etc/keepalived/kubernetes.sh"
    interval 2
    weight -5
    fall 3  
    rise 2
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33
    mcast_src_ip 192.168.3.210
    virtual_router_id 51
    priority 100
    advert_int 2
    authentication {
        auth_type PASS
        auth_pass K8SHA_KA_AUTH
    }
    virtual_ipaddress {
        192.168.3.200
    }
#    track_script {
#       chk_kubernetes
#    }
}

#主节点2
vim /etc/keepalived/keepalived.conf
改为
! Configuration File for keepalived
global_defs {
    router_id LVS_DEVEL
}
vrrp_script chk_kubernetes {
    script "/etc/keepalived/kubernetes.sh"
    interval 2
    weight -5
    fall 3  
    rise 2
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    mcast_src_ip 192.168.3.220
    virtual_router_id 51
    priority 99
    advert_int 2
    authentication {
        auth_type PASS
        auth_pass K8SHA_KA_AUTH
    }
    virtual_ipaddress {
        192.168.3.200
    }
#    track_script {
#       chk_kubernetes
#    }
}

#主节点3
vim /etc/keepalived/keepalived.conf
改为
! Configuration File for keepalived
global_defs {
    router_id LVS_DEVEL
}
vrrp_script chk_kubernetes {
    script "/etc/keepalived/kubernetes.sh"
    interval 2
    weight -5
    fall 3  
    rise 2
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens33
    mcast_src_ip 192.168.3.230
    virtual_router_id 51
    priority 98
    advert_int 2
    authentication {
        auth_type PASS
        auth_pass K8SHA_KA_AUTH
    }
    virtual_ipaddress {
        192.168.3.200
    }
#    track_script {
#       chk_kubernetes
#    }
}

创建健康监测脚本
vim /etc/keepalived/kubernetes.sh
添加
#!/bin/bash

function chech_kubernetes() {
 for ((i=0;i<5;i++));do
  apiserver_pid_id=$(pgrep kube-apiserver)
  if [[ ! -z $apiserver_pid_id ]];then
   return
  else
   sleep 2
  fi
  apiserver_pid_id=0
 done
}

# 1:running  0:stopped
check_kubernetes
if [[ $apiserver_pid_id -eq 0 ]];then
 /usr/bin/systemctl stop keepalived
 exit 1
else
 exit 0
fi

执行
chmod u+x /etc/keepalived/kubernetes.sh
scp /etc/keepalived/kubernetes.sh root@k8s-master2:/etc/keepalived/
scp /etc/keepalived/kubernetes.sh root@k8s-master3:/etc/keepalived/
systemctl enable --now keepalived haproxy
systemctl status keepalived haproxy
ping 192.168.3.200

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)


生成预处理文件

kubeadm config print init-defaults > kubeadm-init.yaml
vim /root/kubeadm-init.yaml
改为
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 192.168.3.200   #Vip的地址
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: k8s-master1
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiServer:
  certSANs:
  - "192.168.3.200"      #Vip地址
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers    #aliyun地址
controlPlaneEndpoint: "192.168.3.200:8443"     #Vip地址和端口
kind: ClusterConfiguration
kubernetesVersion: v1.19.0
networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/12
  podSubnet: 10.244.0.0/16        #pod网段
scheduler: {}


拉取镜像

#主节点1
kubeadm config images pull --config kubeadm-init.yaml
scp kubeadm-init.yaml root@k8s-master2:~
scp kubeadm-init.yaml root@k8s-master3:~
#主节点2
kubeadm config images pull --config kubeadm-init.yaml
#主节点3
kubeadm config images pull --config kubeadm-init.yaml

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)


节点初始化

#主节点1初始化
kubeadm init --config kubeadm-init.yaml --upload-certs
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

配置环境变量
cat >> ~/.bashrc <<EOF
export KUBECONFIG=/etc/kubernetes/admin.conf
EOF
执行source ~/.bashrc

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)


节点加入集群

主节点2和3加入集群

kubeadm join 192.168.3.200:8443 --token abcdef.0123456789abcdef \
    --discovery-token-ca-cert-hash sha256:9eabc1321478093aea95e1b27f52a95a516957b3147b9e9d1e77780d7ac2022b \
	--control-plane --certificate-key c7fdc3458b2094c21ec6e4d651b85869b12107f2ba7dbbc8eba354d389e244da

#执行
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

#环境变量
cat >> ~/.bashrc <<EOF
export KUBECONFIG=/etc/kubernetes/admin.conf
EOF
执行source ~/.bashrc

#查看集群master节点
kubectl get node

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)


工作节点1和2加入集群

kubeadm join 192.168.3.200:8443 --token abcdef.0123456789abcdef \
    --discovery-token-ca-cert-hash sha256:9eabc1321478093aea95e1b27f52a95a516957b3147b9e9d1e77780d7ac2022b

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)

#查看集群所有节点信息
kubectl get node

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)


安装网络插件

kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
kubectl get pods -n kube-system | grep flannel
kubectl get nodes
#如果第三字段STATUS不是处于Running状态的话,说明flannel是异常的,需要排查问题
#目前节点状态是Ready,表示集群节点现在是可用的

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)


测试集群

#在kubernetes集群中创建一个nginx的pod,验证是否能正常运行
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port=80 --type=NodePort
kubectl get pod,svc -o wide

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)

图中前半部分是pod相关信息,后半部分是service相关信息

service/nginx这一行可以看出service暴漏给集群的端口是32713,工作在工作节点1中


浏览器打开测试正常

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)


安装dashboard

wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.4/aio/deploy/recommended.yaml
#默认Dashboard只能集群内部访问,修改Service为NodePort类型后才可以暴露到外部
vim recommended.yaml
添加
 type: NodePort   
 nodePort: 30001

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)


kubectl apply -f recommended.yaml
kubectl get pods -n kubernetes-dashboard
kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)

主要看STATUS这一列的值,如果是Running,并且RESTARTS字段的值为0(这个值并非一直在渐渐增大)说明为正常


kubectl get pod,svc -n kubernetes-dashboard -o wide

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)

kubernetes-dashboard运行所在的节点是工作节点1,暴漏的端口是30001

所以访问地址为https://192.168.3.240:30001


#获取登陆的token值
kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)


kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)

选择Token验证方式


kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)

输入后登陆可以正常打开控制台


绑定集群角色

#解决无法查看集群信息
kubectl create serviceaccount dashboard-admin -n kube-system
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')

再使用token登陆

kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)


更新日期: 2020年11月24日
文章标签: LinuxK8S
文章链接: https://www.vos.cn/os/461.html  
版权说明:如非注明,本站文章均为vOS原创,转载请注明出处和附带本文链接。