kubeadm+keepalived+haproxy搭建K8s高可用(三主两从)
系统3年前 (2020-11-24)
CentOS7使用kubeadm+keepalived+haproxy搭建K8s高可用master(三主两从)
k8s-lb为Vip
系统配置
#修改计算机名 #主节点1 hostnamectl --static set-hostname k8s-master1 && su #主节点2 hostnamectl --static set-hostname k8s-master2 && su #主节点3 hostnamectl --static set-hostname k8s-master3 && su #工作节点1 hostnamectl --static set-hostname k8s-work1 && su #工作节点2 hostnamectl --static set-hostname k8s-work2 && su #关闭防火墙和selinux setenforce 0 && sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config systemctl stop firewalld && systemctl disable firewalld && systemctl status firewalld #禁用swap swapoff -a && sed -i '/ swap / s/^/#/' /etc/fstab #配置host文件 cat >>/etc/hosts <<EOF 192.168.3.200 k8s-lb 192.168.3.210 k8s-master1 192.168.3.220 k8s-master2 192.168.3.230 k8s-master3 192.168.3.240 k8s-work1 192.168.3.250 k8s-work2 EOF #更换系统源 mv /etc/yum.repos.d/* /tmp && curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo && curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo && yum makecache #校准时间 ntpdate ntp.aliyun.com hwclock --systohc #配置免密并分发 ssh-keygen -t rsa -b 1200 ssh-copy-id -i ~/.ssh/id_rsa.pub root@k8s-master1 ssh-copy-id -i ~/.ssh/id_rsa.pub root@k8s-master2 ssh-copy-id -i ~/.ssh/id_rsa.pub root@k8s-master3 ssh-copy-id -i ~/.ssh/id_rsa.pub root@k8s-work1 ssh-copy-id -i ~/.ssh/id_rsa.pub root@k8s-work2 #升级内核 yum install wget -y && wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-lt-4.4.245-1.el7.elrepo.x86_64.rpm && wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-lt-devel-4.4.245-1.el7.elrepo.x86_64.rpm cat <<EOF > /root/upkernel.sh #!/bin/bash yum localinstall -y kernel-lt* if [ $? -eq 0 ];then grub2-set-default 0 && grub2-mkconfig -o /etc/grub2.cfg grubby --args="user_namespace.enable=1" --update-kernel="$(grubby --default-kernel)" fi echo "need reboot" EOF 执行sh upkernel.sh reboot #修改内核参数 cat > /etc/sysctl.d/k8s.conf << EOF net.ipv4.ip_forward = 1 net.bridge.bridge-nf-call-iptables = 1 net.bridge.bridge-nf-call-ip6tables = 1 fs.may_detach_mounts = 1 vm.overcommit_memory = 1 vm.panic_on_oom = 0 fs.inotify.max_user_watches = 89100 fs.file-max = 52706963 fs.nr_open = 52706963 net.ipv4.tcp_keepalive_time = 600 net.ipv4.tcp.keepaliv.probes = 3 net.ipv4.tcp_keepalive_intvl = 15 net.ipv4.tcp.max_tw_buckets = 36000 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp.max_orphans = 327680 net.ipv4.tcp_orphan_retries = 3 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 16384 net.ipv4.ip_conntrack_max = 65536 net.ipv4.tcp_max_syn_backlog = 16384 net.ipv4.top_timestamps = 0 net.core.somaxconn = 16384 EOF 执行sysctl --system
安装docker
#更换docker为国内源
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo \
&& yum makecache
#安装
yum install yum-utils device-mapper-persistent-data lvm2 -y && yum install docker-ce docker-ce-cli -y
systemctl enable --now docker
#更换为国内镜像
cat > /etc/docker/daemon.json << EOF
{
"registry-mirrors": ["https://f1bhsuge.mirror.aliyuncs.com"]
}
EOF
#修改docker Cgroup Driver为systemd
sed -i "s#^ExecStart=/usr/bin/dockerd.*#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --exec-opt native.cgroupdriver=systemd#g" /usr/lib/systemd/system/docker.service
执行systemctl daemon-reload && systemctl restart docker安装kubernetes
#更换k8s国内源 cat <<EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/ enabled=1 gpgcheck=0 repo_gpgcheck=0 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF 执行yum clean all && yum makecache #安装 yum install kubelet kubeadm kubectl -y systemctl enable kubelet
安装和配置haproxy
3个master节点安装
yum install keepalived haproxy -y #配置Haproxy mv /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak vim /etc/haproxy/haproxy.cfg 修改为 global maxconn 2000 ulimit-n 16384 log 127.0.0.1 local0 err stats timeout 30s defaults log global mode http option httplog timeout connect 5000 timeout client 50000 timeout server 50000 timeout http-request 15s timeout http-keep-alive 15s frontend monitor-in bind *:33305 mode http option httplog monitor-uri /monitor listen stats bind *:8006 mode http stats enable stats hide-version stats uri /stats stats refresh 30s stats realm Haproxy\ Statistics stats auth admin:admin frontend k8s-master bind 0.0.0.0:8443 bind 127.0.0.1:8443 mode tcp option tcplog tcp-request inspect-delay 5s default_backend k8s-master backend k8s-master mode tcp option tcplog option tcp-check balance roundrobin default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100 server master1 192.168.3.210:6443 check inter 2000 fall 2 rise 2 weight 100 server master2 192.168.3.220:6443 check inter 2000 fall 2 rise 2 weight 100 server master3 192.168.3.230:6443 check inter 2000 fall 2 rise 2 weight 100
同步到主节点2和主节点3
scp /etc/haproxy/haproxy.cfg root@k8s-master2:/etc/haproxy/ scp /etc/haproxy/haproxy.cfg root@k8s-master3:/etc/haproxy/
配置Keepalived
#mcast_src_ip:配置多播源地址,此地址是当前主机的ip地址
#priority:keepalived根据此项参数的大小仲裁master节点。我们这里让master节点为kubernetes提供服务,其他两个节点暂时为备用节点。因此master1节点设置为100,master2节点设置为99,master3节点设置为98
#state:我们将master1节点的state字段设置为MASTER,其他两个节点字段修改为BACKUP
#集群检查功能暂时为关闭状态,等到集群建立完成后再开启
#主节点1
mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf.bak
vim /etc/keepalived/keepalived.conf
改为
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
}
vrrp_script chk_kubernetes {
script "/etc/keepalived/kubernetes.sh"
interval 2
weight -5
fall 3
rise 2
}
vrrp_instance VI_1 {
state MASTER
interface ens33
mcast_src_ip 192.168.3.210
virtual_router_id 51
priority 100
advert_int 2
authentication {
auth_type PASS
auth_pass K8SHA_KA_AUTH
}
virtual_ipaddress {
192.168.3.200
}
# track_script {
# chk_kubernetes
# }
}
#主节点2
vim /etc/keepalived/keepalived.conf
改为
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
}
vrrp_script chk_kubernetes {
script "/etc/keepalived/kubernetes.sh"
interval 2
weight -5
fall 3
rise 2
}
vrrp_instance VI_1 {
state BACKUP
interface ens33
mcast_src_ip 192.168.3.220
virtual_router_id 51
priority 99
advert_int 2
authentication {
auth_type PASS
auth_pass K8SHA_KA_AUTH
}
virtual_ipaddress {
192.168.3.200
}
# track_script {
# chk_kubernetes
# }
}
#主节点3
vim /etc/keepalived/keepalived.conf
改为
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
}
vrrp_script chk_kubernetes {
script "/etc/keepalived/kubernetes.sh"
interval 2
weight -5
fall 3
rise 2
}
vrrp_instance VI_1 {
state BACKUP
interface ens33
mcast_src_ip 192.168.3.230
virtual_router_id 51
priority 98
advert_int 2
authentication {
auth_type PASS
auth_pass K8SHA_KA_AUTH
}
virtual_ipaddress {
192.168.3.200
}
# track_script {
# chk_kubernetes
# }
}
创建健康监测脚本
vim /etc/keepalived/kubernetes.sh
添加
#!/bin/bash
function chech_kubernetes() {
for ((i=0;i<5;i++));do
apiserver_pid_id=$(pgrep kube-apiserver)
if [[ ! -z $apiserver_pid_id ]];then
return
else
sleep 2
fi
apiserver_pid_id=0
done
}
# 1:running 0:stopped
check_kubernetes
if [[ $apiserver_pid_id -eq 0 ]];then
/usr/bin/systemctl stop keepalived
exit 1
else
exit 0
fi
执行
chmod u+x /etc/keepalived/kubernetes.sh
scp /etc/keepalived/kubernetes.sh root@k8s-master2:/etc/keepalived/
scp /etc/keepalived/kubernetes.sh root@k8s-master3:/etc/keepalived/
systemctl enable --now keepalived haproxy
systemctl status keepalived haproxy
ping 192.168.3.200
生成预处理文件
kubeadm config print init-defaults > kubeadm-init.yaml
vim /root/kubeadm-init.yaml
改为
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
- system:bootstrappers:kubeadm:default-node-token
token: abcdef.0123456789abcdef
ttl: 24h0m0s
usages:
- signing
- authentication
kind: InitConfiguration
localAPIEndpoint:
advertiseAddress: 192.168.3.200 #Vip的地址
bindPort: 6443
nodeRegistration:
criSocket: /var/run/dockershim.sock
name: k8s-master1
taints:
- effect: NoSchedule
key: node-role.kubernetes.io/master
---
apiServer:
certSANs:
- "192.168.3.200" #Vip地址
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
type: CoreDNS
etcd:
local:
dataDir: /var/lib/etcd
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers #aliyun地址
controlPlaneEndpoint: "192.168.3.200:8443" #Vip地址和端口
kind: ClusterConfiguration
kubernetesVersion: v1.19.0
networking:
dnsDomain: cluster.local
serviceSubnet: 10.96.0.0/12
podSubnet: 10.244.0.0/16 #pod网段
scheduler: {}拉取镜像
#主节点1 kubeadm config images pull --config kubeadm-init.yaml scp kubeadm-init.yaml root@k8s-master2:~ scp kubeadm-init.yaml root@k8s-master3:~ #主节点2 kubeadm config images pull --config kubeadm-init.yaml #主节点3 kubeadm config images pull --config kubeadm-init.yaml
节点初始化
#主节点1初始化 kubeadm init --config kubeadm-init.yaml --upload-certs mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config 配置环境变量 cat >> ~/.bashrc <<EOF export KUBECONFIG=/etc/kubernetes/admin.conf EOF 执行source ~/.bashrc
节点加入集群
主节点2和3加入集群
kubeadm join 192.168.3.200:8443 --token abcdef.0123456789abcdef \ --discovery-token-ca-cert-hash sha256:9eabc1321478093aea95e1b27f52a95a516957b3147b9e9d1e77780d7ac2022b \ --control-plane --certificate-key c7fdc3458b2094c21ec6e4d651b85869b12107f2ba7dbbc8eba354d389e244da #执行 mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config #环境变量 cat >> ~/.bashrc <<EOF export KUBECONFIG=/etc/kubernetes/admin.conf EOF 执行source ~/.bashrc #查看集群master节点 kubectl get node
工作节点1和2加入集群
kubeadm join 192.168.3.200:8443 --token abcdef.0123456789abcdef \ --discovery-token-ca-cert-hash sha256:9eabc1321478093aea95e1b27f52a95a516957b3147b9e9d1e77780d7ac2022b
#查看集群所有节点信息 kubectl get node
安装网络插件
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml kubectl get pods -n kube-system | grep flannel kubectl get nodes #如果第三字段STATUS不是处于Running状态的话,说明flannel是异常的,需要排查问题 #目前节点状态是Ready,表示集群节点现在是可用的
测试集群
#在kubernetes集群中创建一个nginx的pod,验证是否能正常运行 kubectl create deployment nginx --image=nginx kubectl expose deployment nginx --port=80 --type=NodePort kubectl get pod,svc -o wide
图中前半部分是pod相关信息,后半部分是service相关信息
service/nginx这一行可以看出service暴漏给集群的端口是32713,工作在工作节点1中
浏览器打开测试正常
安装dashboard
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.4/aio/deploy/recommended.yaml #默认Dashboard只能集群内部访问,修改Service为NodePort类型后才可以暴露到外部 vim recommended.yaml 添加 type: NodePort nodePort: 30001
kubectl apply -f recommended.yaml
kubectl get pods -n kubernetes-dashboard
kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
主要看STATUS这一列的值,如果是Running,并且RESTARTS字段的值为0(这个值并非一直在渐渐增大)说明为正常
kubectl get pod,svc -n kubernetes-dashboard -o wide
kubernetes-dashboard运行所在的节点是工作节点1,暴漏的端口是30001
所以访问地址为https://192.168.3.240:30001
#获取登陆的token值
kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
选择Token验证方式
输入后登陆可以正常打开控制台
绑定集群角色
#解决无法查看集群信息
kubectl create serviceaccount dashboard-admin -n kube-system
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')再使用token登陆
本站所有文章均可随意转载,转载时请保留原文链接及作者。
,想必也是非常愉悦的事!
