
Kubernetes 高可用集群部署

船长
2022-01-29 / 0 评论 / 0 点赞 / 752 阅读 / 21,117 字

集群环境介绍

Kubernetes 集群如果只有单个 Master,对于生产环境风险太大了,非常有必要做一个高可用集群。这里的高可用主要是针对控制平面来说的,比如 kube-apiserver、etcd、kube-controller-manager、kube-scheduler 这几个组件。其中 kube-controller-manager 与 kube-scheduler 由 Kubernetes 自己实现高可用:当有多个实例存在时,会自动选举一个作为 Leader 提供服务,所以不需要我们手动实现;而 apiserver 和 etcd 则需要我们手动搭建高可用集群。

| hostname | IP | OS | software |
| --- | --- | --- | --- |
| kubernetes-master-100-1 | 192.168.1.101 | CentOS Linux release 7.5 | kube-vip、etcd、apiserver、scheduler、controller-manager |
| kubernetes-master-100-2 | 192.168.1.102 | CentOS Linux release 7.5 | kube-vip、etcd、apiserver、scheduler、controller-manager |
| kubernetes-master-100-3 | 192.168.1.103 | CentOS Linux release 7.5 | kube-vip、etcd、apiserver、scheduler、controller-manager |
| kubernetes-node-100-4 | 192.168.1.104 | CentOS Linux release 7.5 | kube-proxy、kubelet |
| kubernetes-node-100-5 | 192.168.1.105 | CentOS Linux release 7.5 | kube-proxy、kubelet |
| kubernetes-node-100-6 | 192.168.1.106 | CentOS Linux release 7.5 | kube-proxy、kubelet |
| kubernetes-node-100-7 | 192.168.1.107 | CentOS Linux release 7.5 | kube-proxy、kubelet |
| kubernetes-node-100-8 | 192.168.1.108 | CentOS Linux release 7.5 | kube-proxy、kubelet |
| kubernetes-node-100-9 | 192.168.1.109 | CentOS Linux release 7.5 | kube-proxy、kubelet |

服务器初始化配置

关闭防火墙(生产环境建议改为只放行 Kubernetes 各组件所需的端口,而不是整体关闭):
$ systemctl stop firewalld
$ systemctl disable firewalld
 
关闭selinux:
$ sed -i 's/enforcing/disabled/' /etc/selinux/config
$ setenforce 0
 
关闭swap:
$ swapoff -a  # 临时
$ sed -ri 's/.*swap.*/#&/' /etc/fstab # 永久
 
根据规划设置主机名:
hostnamectl set-hostname <hostname>
 
在Master添加Hosts:
$ cat /etc/hosts
192.168.1.101 kubernetes-master-100-1 
192.168.1.102 kubernetes-master-100-2 
192.168.1.103 kubernetes-master-100-3 
192.168.1.104 kubernetes-node-100-4 
192.168.1.105 kubernetes-node-100-5 
192.168.1.106 kubernetes-node-100-6 
192.168.1.107 kubernetes-node-100-7 
192.168.1.108 kubernetes-node-100-8 
192.168.1.109 kubernetes-node-100-9 
 
将桥接的IPv4流量传递到iptables的链:
$ cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
$ sysctl --system


# Keep a copy of the current limits file before it is replaced below.
cp -rf /etc/security/limits.conf /etc/security/limits.conf.back

# Replace /etc/security/limits.conf wholesale (the heredoc is the complete new
# content, not an append): raise the open-file limit and remove the process
# and core-size limits for every user and for root.
cat > /etc/security/limits.conf << EOF
* soft nofile 655350
* hard nofile 655350
* soft nproc unlimited
* hard nproc unlimited
* soft core unlimited
* hard core unlimited
root soft nofile 655350
root hard nofile 655350
root soft nproc unlimited
root hard nproc unlimited
root soft core unlimited
root hard core unlimited
EOF
 
echo '/etc/sysctl.conf 文件调优'

# Back up, then replace /etc/sysctl.conf wholesale. The k8s.conf written to
# /etc/sysctl.d earlier is a separate file and is not touched by this.
cp -rf /etc/sysctl.conf /etc/sysctl.conf.back
# NOTE(review): the new file sets rp_filter = 0 (reverse-path / source-address
# filtering off; the Aliyun link inside explains why), disables IPv6 on all
# interfaces, and sets kernel.sysrq = 1 (every SysRq function enabled) —
# confirm all three are intended for these hosts before applying.
cat > /etc/sysctl.conf << EOF

vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time = 120

# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2

# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

kernel.sysrq = 1
kernel.pid_max=1000000
EOF
# Apply the new file to the running kernel now.
sysctl -p
 
 
# Load the IPVS kernel modules that kube-proxy needs in ipvs mode (config.yaml
# further down sets mode: "ipvs"). The list is written as a small script under
# /etc/sysconfig/modules/ so it can be re-run on boot (presumably by the
# CentOS 7 init scripts — confirm on your image).
# NOTE(review): nf_conntrack_ipv4 is the module name on the 3.10 kernel of
# CentOS 7; newer kernels fold it into nf_conntrack.
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules
# Run it once now instead of waiting for the next boot.
bash /etc/sysconfig/modules/ipvs.modules

# Verify that the modules are loaded.
 lsmod | grep -e ip_vs -e nf_conntrack_ipv4

所有节点部署Docker/kubeadm/kubelet

# 安装Docker
$ wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
$ yum -y install docker-ce-18.06.1.ce-3.el7
$ systemctl enable docker && systemctl start docker
$ docker --version
Docker version 18.06.1-ce, build e68fc7a

# 添加阿里云YUM软件源(注意下面的 gpgcheck=0 会跳过 rpm 包本身的签名校验,只校验仓库元数据;生产环境建议改为 gpgcheck=1)
$ cat > /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

# 安装kubeadm,kubelet和kubectl


$ yum install -y kubelet-1.20.2 kubeadm-1.20.2 kubectl-1.20.2
$ systemctl enable kubelet

部署ETCD外部集群

# 由于使用 kubeadm 部署的集群默认只有一个 etcd 节点,所以这里先用二进制方式安装好 etcd 集群,再让 kubeadm 以外部 etcd 的方式接入。
 
cfssl 二进制包
下载 cfssl 二进制包用于签发证书,官网地址:https://pkg.cfssl.org/,下载如下文件:
 
# Fetch the cfssl tool set (R1.2 builds from pkg.cfssl.org): the CA/cert
# generator, the JSON-to-PEM writer and the cert inspector. Nothing here
# verifies what was downloaded; compare the files against a checksum you
# trust before copying them into /usr/local/bin in the next step.
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
 
将 cfssl 的几个二进制包添加到 PATH 包含的目录下:
$ ls cfssl*
cfssl-certinfo_linux-amd64  cfssljson_linux-amd64  cfssl_linux-amd64
$ chmod +x cfssl*
$ cp cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
$ cp cfssljson_linux-amd64 /usr/local/bin/cfssl-json
$ cp cfssl_linux-amd64 /usr/local/bin/cfssl

ETCD 二进制包
下载 ETCD 的二进制包,官方 Github 地址:https://github.com/etcd-io/etcd/releases,下载如下文件:
# Fetch the etcd v3.4.13 release tarball. As with cfssl above, verify the
# download (the GitHub release page carries checksums) before unpacking it.
wget https://github.com/etcd-io/etcd/releases/download/v3.4.13/etcd-v3.4.13-linux-amd64.tar.gz
 
 
签发 ETCD 证书:准备文件
$ pwd
/opt
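# Run from /opt (see the `pwd` above). Create the etcd working tree and the
# three empty JSON files that the following sections fill in. The original
# touch line was cut off before the closing brace, which makes bash treat the
# `{...` literally and create a single oddly named file instead of three.
mkdir -p etcd/{bin,conf,data,json_file,ssl}
touch etcd/json_file/{ca-config.json,ca-csr.json,server-csr.json}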


$ tree
.
etcd
├── bin
├── conf
├── data
├── json_file
|    ├── ca-config.json
|    ├── ca-csr.json
|    └── server-csr.json
└── ssl
 
# 上述几个文件的内容分别如下(标 '*' 的文件名表示该文件内容你要根据你的环境进行修改):

$ cd /opt/etcd/
$ cat json_file/ca-config.json:
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
 
$ cat json_file/ca-csr.json:
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shanghai",
            "ST": "Shanghai"
        }
    ]
}
 
$ cat json_file/server-csr.json*:
{
    "CN": "etcd",
    "hosts": [
                "192.168.1.101",
                "192.168.1.102",
                "192.168.1.103"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shanghai",
            "ST": "Shanghai"
        }
    ]
}
# 此处 hosts 列表要添加上所有 etcd 节点的 IP。


# Run on kubernetes-master-100-1 only, from /opt/etcd (the `cd` above) so the
# json_file/ paths resolve. The first command self-signs the etcd CA and writes
# ca.pem, ca-key.pem and ca.csr into the current directory; the second issues
# the etcd server/peer certificate under the "www" profile of ca-config.json
# (server auth + client auth) and writes server.pem, server-key.pem, server.csr.
# ca-key.pem is the CA private key. etcd.service below references only ca.pem,
# server.pem and server-key.pem, so the CA key does not need to reach the other
# nodes — note that the later `cp *.pem` and `scp -r /opt/etcd` steps copy it
# along anyway.
cfssl gencert -initca json_file/ca-csr.json | cfssl-json -bare ca -
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=json_file/ca-config.json -profile=www json_file/server-csr.json | cfssl-json -bare server
 
 
 
 
颁发证书
这里直接执行下面两条命令即可,它们会在当前目录自签一套 CA 证书,并基于这个 CA 为 ETCD 签发一套证书,如下:
 
$ cfssl gencert -initca json_file/ca-csr.json | cfssl-json -bare ca -
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=json_file/ca-config.json -profile=www json_file/server-csr.json | cfssl-json -bare server
 
 
生成文件如下:
$ ls ca* server* | xargs -n1
ca.csr # CA 证书请求
ca-key.pem # CA 私钥
ca.pem # CA 证书
server.csr # etcd 证书请求
server-key.pem # etcd 私钥
server.pem # etcd 证书
 
将私钥与证书移动到 ETCD 的证书目录:
$ cp *.pem /opt/etcd/ssl/
$ ls /opt/etcd/ssl/
ca-key.pem  ca.pem  server-key.pem  server.pem
 
 
ETCD 部署
下面操作在三台master机器中进行:
将下载好的 ETCD 二进制包分发到这几个主机并解压:
 
$ tar xf etcd-v3.4.13-linux-amd64.tar.gz
$ ls etcd-v3.4.13-linux-amd64/
Documentation  etcd  etcdctl  README-etcdctl.md  README.md  READMEv2-etcdctl.md

#将二进制包移动到 bin 目录下:
 
$ mkdir -p /opt/etcd/bin/
$ mv etcd-v3.4.13-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/

# 创建 ETCD 的配置文件(三个节点各有一份,只有 ETCD_NAME 和本机监听/公告地址不同):
[root@kubernetes-master-100-1 ~]# cat /opt/etcd/conf/etcd.conf
#[Member]
# 节点名称,唯一
ETCD_NAME="etcd-1"
# 数据目录
ETCD_DATA_DIR="/opt/etcd/data/default.etcd"
# 集群内部通信监听的地址
ETCD_LISTEN_PEER_URLS="https://192.168.1.101:2380"
# 与客户端通信监听的地址
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.101:2379"
 
#[Clustering]
# 对外公告的该节点集群内监听地址
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.101:2380"
# 对外公告的该节点客户端监听地址
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.101:2379"
# 集群所有成员
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.1.101:2380,etcd-2=https://192.168.1.102:2380,etcd-3=https://192.168.1.103:2380"
# 通信 Token(密钥),可自行修改
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# 标识是创建新的集群,加入已有的集群设为 exist
ETCD_INITIAL_CLUSTER_STATE="new"


[root@kubernetes-master-100-2 ~]# cat /opt/etcd/conf/etcd.conf
#[Member]
# 节点名称,唯一
ETCD_NAME="etcd-2"
# 数据目录
ETCD_DATA_DIR="/opt/etcd/data/default.etcd"
# 集群内部通信监听的地址
ETCD_LISTEN_PEER_URLS="https://192.168.1.102:2380"
# 与客户端通信监听的地址
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.102:2379"
 
#[Clustering]
# 对外公告的该节点集群内监听地址
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.102:2380"
# 对外公告的该节点客户端监听地址
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.102:2379"
# 集群所有成员
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.1.101:2380,etcd-2=https://192.168.1.102:2380,etcd-3=https://192.168.1.103:2380"
# 通信 Token(密钥),可自行修改
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# 标识是创建新的集群,加入已有的集群设为 exist
ETCD_INITIAL_CLUSTER_STATE="new"

[root@kubernetes-master-100-3 ~]# cat /opt/etcd/conf/etcd.conf
#[Member]
# 节点名称,唯一
ETCD_NAME="etcd-3"
# 数据目录
ETCD_DATA_DIR="/opt/etcd/data/default.etcd"
# 集群内部通信监听的地址
ETCD_LISTEN_PEER_URLS="https://192.168.1.103:2380"
# 与客户端通信监听的地址
ETCD_LISTEN_CLIENT_URLS="https://192.168.1.103:2379"
 
#[Clustering]
# 对外公告的该节点集群内监听地址
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.1.103:2380"
# 对外公告的该节点客户端监听地址
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.1.103:2379"
# 集群所有成员
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.1.101:2380,etcd-2=https://192.168.1.102:2380,etcd-3=https://192.168.1.103:2380"
# 通信 Token(密钥),可自行修改
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
# 标识是创建新的集群,加入已有的集群设为 exist
ETCD_INITIAL_CLUSTER_STATE="new"

# Systemd 管理
# 创建 ETCD 的 Systemd service 文件:
[root@k8s-suzaku-master1 ~]# vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
 
[Service]
Type=notify
EnvironmentFile=/opt/etcd/conf/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
        --cert-file=/opt/etcd/ssl/server.pem \
        --key-file=/opt/etcd/ssl/server-key.pem \
        --peer-cert-file=/opt/etcd/ssl/server.pem \
        --peer-key-file=/opt/etcd/ssl/server-key.pem \
        --trusted-ca-file=/opt/etcd/ssl/ca.pem \
        --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65535
 
[Install]
WantedBy=multi-user.target

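# Run on kubernetes-master-100-1 (192.168.1.101). Distribute the etcd unit
# file and the /opt/etcd tree (binaries, certs, config) to the other two etcd
# nodes. The original targets were .101 (this host itself) and .102, which
# left kubernetes-master-100-3 without the files; per the host table the other
# members are .102 and .103.
# /opt/etcd/conf/etcd.conf is node-specific — ETCD_NAME and the listen /
# advertise URLs differ per node (see the three variants above) — so edit it
# on each target after the copy. /opt/etcd/ssl also carries ca-key.pem (put
# there by the earlier `cp *.pem`); etcd.service only needs ca.pem, server.pem
# and server-key.pem, so the CA key can be left out of the copy.
for host in 192.168.1.102 192.168.1.103; do
  scp /usr/lib/systemd/system/etcd.service "$host:/usr/lib/systemd/system/"
  scp -r /opt/etcd "$host:/opt/"
done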

# 启动检查
分别在 三台master这几个节点启动 ETCD 服务并加入开机自启:
 
$ systemctl daemon-reload
$ systemctl start etcd
$ systemctl enable etcd
检查 ETCD 集群健康状态,输出内容如下则说明 ETCD 集群正常:

[root@kubernetes-master-100-1 ~]# /opt/etcd/bin/etcdctl --endpoints="https://192.168.1.101:2379,https://192.168.1.102:2379,https://192.168.1.103:2379" --cacert=/opt/etcd/ssl/ca.pem --key=/opt/etcd/ssl/server-key.pem  --cert=/opt/etcd/ssl/server.pem  endpoint health
https://192.168.1.101:2379 is healthy: successfully committed proposal: took = 22.904006ms
https://192.168.1.103:2379 is healthy: successfully committed proposal: took = 22.253018ms
https://192.168.1.102:2379 is healthy: successfully committed proposal: took = 22.998862ms

kube-vip初始化配置

首先获取 kube-vip 的 docker 镜像,并在 /etc/kubernetes/manifests 中生成静态 Pod 的 yaml 资源清单文件,这样 Kubernetes 就会自动在每个控制平面节点上部署 kube-vip 的 Pod。(先在第一台 Master 上配置启动,等集群初始化完毕后再在其他 Master 上启动 kube-vip 即可)

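# Define the control-plane VIP and the host interface that will carry it.
# Adjust both to your environment: they are baked into the manifest below
# (vip_address / vip_interface in the rendered YAML).
export VIP=192.168.1.100
export INTERFACE=ens32

# This step runs before `kubeadm init`, so the static-pod directory may not
# exist yet; without it the tee at the end fails and no manifest is written.
mkdir -p /etc/kubernetes/manifests

# Pull the kube-vip image and use it to render a static-pod manifest for the
# control-plane VIP (ARP mode, leader election, service load-balancing on).
# As the rendered YAML below shows, the pod runs on the host network with
# NET_ADMIN/NET_RAW/SYS_TIME and mounts /etc/kubernetes/admin.conf, so this
# manifest is as sensitive as the admin kubeconfig itself.
ctr image pull docker.io/plndr/kube-vip:0.3.1
ctr run --rm --net-host docker.io/plndr/kube-vip:0.3.1 vip \
  /kube-vip manifest pod \
  --interface "$INTERFACE" \
  --vip "$VIP" \
  --controlplane \
  --services \
  --arp \
  --leaderElection | tee /etc/kubernetes/manifests/kube-vip.yaml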

[root@kubernetes-master-100-1 ~]# cat /etc/kubernetes/manifests/kube-vip.yaml 
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  name: kube-vip
  namespace: kube-system
spec:
  containers:
  - args:
    - manager
    env:
    - name: vip_arp
      value: "true"
    - name: vip_interface
      value: ens32
    - name: port
      value: "6443"
    - name: vip_cidr
      value: "32"
    - name: cp_enable
      value: "true"
    - name: cp_namespace
      value: kube-system
    - name: svc_enable
      value: "true"
    - name: vip_leaderelection
      value: "true"
    - name: vip_leaseduration
      value: "5"
    - name: vip_renewdeadline
      value: "3"
    - name: vip_retryperiod
      value: "1"
    - name: vip_address
      value: 192.168.1.100
    image: plndr/kube-vip:0.3.1
    imagePullPolicy: Always
    name: kube-vip
    resources: {}
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
        - NET_RAW
        - SYS_TIME
    volumeMounts:
    - mountPath: /etc/kubernetes/admin.conf
      name: kubeconfig
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/admin.conf
    name: kubeconfig
status: {}

kubeadm 初始化集群

# 编辑config.yaml文件
[root@kubernetes-master-100-1 ~]# cat config.yaml 
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: "ipvs"  #使用IPVS模式,非iptables
---
apiVersion: kubeadm.k8s.io/v1beta1  #v1beta1版本,非v1alpha版本,语法会有变化
certificatesDir: /etc/kubernetes/pki  
clusterName: kubernetes
controlPlaneEndpoint: 192.168.1.100:6443  #api server IP (VIP)地址
controllerManager: {}
dns:
  type: CoreDNS  #默认DNS:CoreDNS
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers  #国内阿里镜像
kind: ClusterConfiguration
kubernetesVersion: v1.20.2   #K8S版本
networking:
  dnsDomain: cluster.local
  serviceSubnet: 172.201.0.0/16  #SVC网络段
  podSubnet: 172.200.0.0/16     #POD网络段
apiServer:
        certSANs: 
        - 192.168.1.101
        - 192.168.1.102
        - 192.168.1.103
        extraArgs:
           etcd-cafile: /opt/etcd/ssl/ca.pem
           etcd-certfile: /opt/etcd/ssl/server.pem
           etcd-keyfile: /opt/etcd/ssl/server-key.pem
etcd:  #使用外接etcd高可用
    external:
        caFile: /opt/etcd/ssl/ca.pem
        certFile: /opt/etcd/ssl/server.pem
        keyFile: /opt/etcd/ssl/server-key.pem
        endpoints:
        - https://192.168.1.101:2379
        - https://192.168.1.102:2379
        - https://192.168.1.103:2379
        
[root@kubernetes-master-100-1 ~]# kubeadm init --config config.yaml
Your Kubernetes control-plane has initialized successfully!
 
To start using your cluster, you need to run the following as a regular user:
 
  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config
 
Alternatively, if you are the root user, you can run:
 
  export KUBECONFIG=/etc/kubernetes/admin.conf
 
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/
 
You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:
 
  kubeadm join 192.168.1.100:6443 --token ryqarh.y3o0vhhvgy61opxz \
    --discovery-token-ca-cert-hash sha256:41db7216c10221a59d80c2b06f4756e8125caca58d29e0c16001b54dba5a9987 \
    --control-plane
 
Then you can join any number of worker nodes by running the following on each as root:
 
kubeadm join 192.168.1.100:6443 --token ryqarh.y3o0vhhvgy61opxz \
    --discovery-token-ca-cert-hash sha256:41db7216c10221a59d80c2b06f4756e8125caca58d29e0c16001b54dba5a9987
    
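# Run on kubernetes-master-100-1 (192.168.1.101). Copy the cluster CA, the
# service-account key pair, the front-proxy CA and admin.conf to the other two
# masters so that `kubeadm join --control-plane` (below) can reuse them. The
# original targets were .101 (this host itself) and .102, which left
# kubernetes-master-100-3 without the files; the other masters are .102 and
# .103 (see the host table).
# ca.key, sa.key and front-proxy-ca.key are private keys and admin.conf is a
# cluster-admin kubeconfig: copy them to control-plane nodes only.
for host in 192.168.1.102 192.168.1.103; do
  # scp does not create the destination directory; harmless if it exists.
  ssh "$host" mkdir -p /etc/kubernetes/pki
  scp /etc/kubernetes/pki/ca.* "$host:/etc/kubernetes/pki/"
  scp /etc/kubernetes/pki/sa.* "$host:/etc/kubernetes/pki/"
  scp /etc/kubernetes/pki/front-proxy-ca.* "$host:/etc/kubernetes/pki/"
  scp /etc/kubernetes/admin.conf "$host:/etc/kubernetes/"
done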

# Join the remaining control-plane nodes: run on kubernetes-master-100-2 and
# -3 after the pki/admin.conf copy above. --control-plane makes kubeadm start
# apiserver, controller-manager and scheduler on the node; since the cluster
# uses external etcd, the certs at /opt/etcd/ssl presumably need to be present
# on the node too (provided by the earlier `scp -r /opt/etcd`) — verify.
kubeadm join 192.168.1.100:6443 --token ryqarh.y3o0vhhvgy61opxz \
    --discovery-token-ca-cert-hash sha256:41db7216c10221a59d80c2b06f4756e8125caca58d29e0c16001b54dba5a9987 --control-plane

# Join the worker nodes: run on kubernetes-node-100-4 through 100-9.
kubeadm join 192.168.1.100:6443 --token ryqarh.y3o0vhhvgy61opxz \
    --discovery-token-ca-cert-hash sha256:41db7216c10221a59d80c2b06f4756e8125caca58d29e0c16001b54dba5a9987

# Lost the join command printed by `kubeadm init`? This creates a new
# bootstrap token and prints the worker join line; append --control-plane for
# a master. The token plus the CA hash are the credential for joining the
# cluster, and bootstrap tokens are time-limited (24h by default), so the ones
# shown above stop working on their own.
kubeadm token create --print-join-command


# Install the Calico CNI. The URL is unversioned, so which manifest you get
# depends on when it is fetched; pin a Calico release and review the
# downloaded file before applying it cluster-wide. Its pool CIDR has to agree
# with podSubnet (172.200.0.0/16 in config.yaml above) — confirm the
# CALICO_IPV4POOL_CIDR setting in the manifest.
wget https://docs.projectcalico.org/manifests/calico.yaml
kubectl apply -f calico.yaml

[root@kubernetes-master-100-1 ~]# kubectl get nodes
NAME                      STATUS   ROLES                  AGE   VERSION
kubernetes-master-100-1   Ready    control-plane,master   66m   v1.20.2
kubernetes-master-100-2   Ready    control-plane,master   61m   v1.20.2
kubernetes-master-100-3   Ready    control-plane,master   55m   v1.20.2
kubernetes-node-100-4     Ready    <none>                 50m   v1.20.2
kubernetes-node-100-5     Ready    <none>                 50m   v1.20.2
kubernetes-node-100-6     Ready    <none>                 50m   v1.20.2
kubernetes-node-100-7     Ready    <none>                 50m   v1.20.2
kubernetes-node-100-8     Ready    <none>                 50m   v1.20.2
kubernetes-node-100-9     Ready    <none>                 50m   v1.20.2



[root@kubernetes-master-100-1 ~]# kubectl get cs 
Warning: v1 ComponentStatus is deprecated in v1.19+
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok                 
controller-manager   Healthy   ok                 
etcd-1               Healthy   {"health":"true"}  
etcd-0               Healthy   {"health":"true"}  
etcd-2               Healthy   {"health":"true"}  
  
PS:注意,如果 kubectl get cs 显示 scheduler 和 controller-manager 异常,检查三台 master 上这两个组件的静态 Pod yaml 文件;使用 kubeadm 安装的集群默认就会出现这种情况:
[root@kubernetes-master-100-1 ~]# cd /etc/kubernetes/manifests/
[root@kubernetes-master-100-1 manifests]# ll
total 12
-rw------- 1 root root 3507 Feb 25 18:55 kube-apiserver.yaml
-rw------- 1 root root 2827 Feb 25 18:58 kube-controller-manager.yaml
-rw------- 1 root root 1410 Feb 25 19:00 kube-scheduler.yaml
 
 
其中删除 kube-controller-manager.yaml 和 kube-scheduler.yaml 配置文件中的 --port=0 参数。注意:--port=0 的作用是关闭这两个组件未经认证的 HTTP 端口,而 kubectl get cs 本身在 v1.19+ 已弃用(见上面的 Warning);如果只是为了让它显示 Healthy 而删掉该参数,等于重新暴露了这个端口。更稳妥的做法是保留该参数,直接通过下面的 kubectl get pods -A 检查组件 Pod 的状态。

[root@kubernetes-master-100-1 ~]# kubectl get pods -A
NAMESPACE     NAME                                              READY   STATUS    RESTARTS   AGE
kube-system   calico-kube-controllers-659bd7879c-pqv4b          1/1     Running   0          52m
kube-system   calico-node-2vm7t                                 1/1     Running   0          52m
kube-system   calico-node-7fqjv                                 1/1     Running   0          52m
kube-system   calico-node-88jzz                                 1/1     Running   0          52m
kube-system   calico-node-9zq87                                 1/1     Running   0          52m
kube-system   calico-node-jw9d8                                 1/1     Running   0          52m
kube-system   calico-node-qr4jk                                 1/1     Running   0          52m
kube-system   calico-node-vcdmj                                 1/1     Running   0          52m
kube-system   calico-node-wfgxg                                 1/1     Running   0          52m
kube-system   calico-node-xprj5                                 1/1     Running   0          52m
kube-system   coredns-54d67798b7-rktxc                          1/1     Running   0          71m
kube-system   coredns-54d67798b7-x428g                          1/1     Running   0          71m
kube-system   kube-apiserver-kubernetes-master-100-1            1/1     Running   0          71m
kube-system   kube-apiserver-kubernetes-master-100-2            1/1     Running   0          65m
kube-system   kube-apiserver-kubernetes-master-100-3            1/1     Running   0          60m
kube-system   kube-controller-manager-kubernetes-master-100-1   1/1     Running   0          2m17s
kube-system   kube-controller-manager-kubernetes-master-100-2   1/1     Running   0          108s
kube-system   kube-controller-manager-kubernetes-master-100-3   0/1     Running   0          86s
kube-system   kube-proxy-69dxh                                  1/1     Running   0          55m
kube-system   kube-proxy-7kkv6                                  1/1     Running   0          71m
kube-system   kube-proxy-9vs2b                                  1/1     Running   0          65m
kube-system   kube-proxy-c9nxz                                  1/1     Running   0          60m
kube-system   kube-proxy-jsppb                                  1/1     Running   0          55m
kube-system   kube-proxy-k94f4                                  1/1     Running   0          55m
kube-system   kube-proxy-mx9nc                                  1/1     Running   0          55m
kube-system   kube-proxy-q4nsq                                  1/1     Running   0          55m
kube-system   kube-proxy-spw8l                                  1/1     Running   0          55m
kube-system   kube-scheduler-kubernetes-master-100-1            1/1     Running   0          2m27s
kube-system   kube-scheduler-kubernetes-master-100-2            1/1     Running   0          115s
kube-system   kube-scheduler-kubernetes-master-100-3            0/1     Running   0          95s
kube-system   kube-vip-kubernetes-master-100-1                  1/1     Running   0          71m
kube-system   kube-vip-kubernetes-master-100-2                  1/1     Running   0          64m
kube-system   kube-vip-kubernetes-master-100-3                  1/1     Running   0          59m

kube-vip集群配置

# copy配置文件
[root@kubernetes-master-100-1 ~]# scp /etc/kubernetes/manifests/kube-vip.yaml 192.168.1.102:/etc/kubernetes/manifests/
[root@kubernetes-master-100-1 ~]# scp /etc/kubernetes/manifests/kube-vip.yaml 192.168.1.103:/etc/kubernetes/manifests/

# 登录另外的Master查看
[root@kubernetes-master-100-2 manifests]# docker ps | grep vip
c9d50e0a260f        plndr/kube-vip                                                  "/kube-vip manager"      About an hour ago   Up About an hour                        k8s_kube-vip_kube-vip-kubernetes-master-100-2_kube-system_434ab069a53e2baf875e3d827f1788d9_0
46646c0c47ba        registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2   "/pause"                 About an hour ago   Up About an hour                        k8s_POD_kube-vip-kubernetes-master-100-2_kube-system_434ab069a53e2baf875e3d827f1788d9_0


[root@kubernetes-master-100-3 manifests]# docker ps | grep vip
5f213491d320        plndr/kube-vip                                                  "/kube-vip manager"      About an hour ago   Up About an hour                        k8s_kube-vip_kube-vip-kubernetes-master-100-3_kube-system_434ab069a53e2baf875e3d827f1788d9_0
04b7c38ae306        registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2   "/pause"                 About an hour ago   Up About an hour                        k8s_POD_kube-vip-kubernetes-master-100-3_kube-system_434ab069a53e2baf875e3d827f1788d9_0

# 检查VIP是否正常
[root@kubernetes-master-100-1 ~]# ip addr | grep -A5 1.100
    inet 192.168.1.100/32 scope global ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::410a:6f16:e8df:380a/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:60:77:19:d5 brd ff:ff:ff:ff:ff:ff
    
[root@kubernetes-master-100-2 manifests]# ip addr | grep -A5 1.100
[root@kubernetes-master-100-3 manifests]# ip addr | grep -A5 1.100

# 确保VIP只出现在一个节点上说明一切正常

验证集群高可用

如果把kubernetes-master-100-1关闭,看下VIP是否会漂移到可用Master节点上,如果能正常漂移并且集群能正常访问,则集群高可用没问题!

# 关机
[root@kubernetes-master-100-1 ~]# init 0
PolicyKit daemon disconnected from the bus.
We are no longer a registered authentication agent.

# 查看VIP已漂移到kubernetes-master-100-2
[root@kubernetes-master-100-2 ~]# ip addr | grep -A5 1.100
    inet 192.168.1.100/32 scope global ens32
       valid_lft forever preferred_lft forever
    inet6 fe80::b359:2c72:baaf:f06/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:87:85:e0:f9 brd ff:ff:ff:ff:ff:ff
    
 # 验证集群是否可以正常访问
[root@kubernetes-master-100-2 ~]# kubectl get nodes
NAME                      STATUS   ROLES                  AGE   VERSION
kubernetes-master-100-1   Ready    control-plane,master   81m   v1.20.2
kubernetes-master-100-2   Ready    control-plane,master   75m   v1.20.2
kubernetes-master-100-3   Ready    control-plane,master   70m   v1.20.2
kubernetes-node-100-4     Ready    <none>                 65m   v1.20.2
kubernetes-node-100-5     Ready    <none>                 65m   v1.20.2
kubernetes-node-100-6     Ready    <none>                 65m   v1.20.2
kubernetes-node-100-7     Ready    <none>                 65m   v1.20.2
kubernetes-node-100-8     Ready    <none>                 65m   v1.20.2
kubernetes-node-100-9     Ready    <none>                 65m   v1.20.2