Skip to content

Commit

Permalink
kube-apiserver: support HA!
Browse files Browse the repository at this point in the history
  • Loading branch information
Zhang Jun committed Jul 11, 2018
1 parent 9cac040 commit f4de6be
Show file tree
Hide file tree
Showing 14 changed files with 362 additions and 38 deletions.
1 change: 1 addition & 0 deletions 00.组件版本和配置策略.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ tags: version

kube-apiserver:

+ 使用 keepalived 和 haproxy 实现 3 节点高可用;
+ 关闭非安全端口 8080 和匿名访问;
+ 在安全端口 6443 接收 https 请求;
+ 严格的认证和授权策略 (x509、token、RBAC);
Expand Down
12 changes: 8 additions & 4 deletions 01.系统初始化和全局变量.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -158,6 +158,7 @@ fs.inotify.max_user_watches=89100
EOF
$ sudo cp kubernetes.conf /etc/sysctl.d/kubernetes.conf
$ sudo sysctl -p /etc/sysctl.d/kubernetes.conf
$ sudo mount -t cgroup -o cpu,cpuacct none /sys/fs/cgroup/cpu,cpuacct
```

## 加载内核模块
Expand Down Expand Up @@ -232,11 +233,14 @@ export NODE_IPS=(172.27.129.105 172.27.129.111 172.27.129.112)
# 集群各 IP 对应的 主机名数组
export NODE_NAMES=(kube-node1 kube-node2 kube-node3)

# kube-apiserver 节点 IP
export MASTER_IP=172.27.129.105
# kube-apiserver 的 VIP(HA 组件 keepalived 发布的 IP)
export MASTER_VIP=172.27.129.253

# kube-apiserver https 地址
export KUBE_APISERVER="https://${MASTER_IP}:6443"
# kube-apiserver VIP 地址(HA 组件 haproxy 监听 8443 端口)
export KUBE_APISERVER="https://${MASTER_IP}:8443"

# HA 节点,VIP 所在的网络接口名称
export VIP_IF="eth0"

# etcd 集群服务地址列表
export ETCD_ENDPOINTS="https://172.27.129.105:2379,https://172.27.129.111:2379,https://172.27.129.112:2379"
Expand Down
1 change: 1 addition & 0 deletions 02.创建CA证书和秘钥.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,7 @@ source /opt/k8s/bin/environment.sh # 导入 NODE_IPS 环境变量
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "mkdir -p /etc/kubernetes/cert && chown -R k8s /etc/kubernetes"
scp ca*.pem ca-config.json k8s@${node_ip}:/etc/kubernetes/cert
done
```
Expand Down
4 changes: 3 additions & 1 deletion 06-0.部署master节点.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,9 @@ kubernetes master 节点运行如下组件:
+ kube-scheduler
+ kube-controller-manager

这 3 个组件均可以以集群模式运行,通过 leader 选举产生一个工作进程,其它进程处于阻塞模式。
kube-scheduler 和 kube-controller-manager 可以以集群模式运行,通过 leader 选举产生一个工作进程,其它进程处于阻塞模式。

对于 kube-apiserver,可以运行多个实例(本文档是 3 实例),但对其它组件需要提供统一的访问地址,该地址需要高可用。本文档使用 keepalived 和 haproxy 实现 kube-apiserver VIP 高可用和负载均衡。

## 下载最新版本的二进制文件

Expand Down
268 changes: 268 additions & 0 deletions 06-1.ha.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,268 @@
# 06-1.部署高可用组件

本文档讲解使用 keepalived 和 haproxy 实现 kube-apiserver 高可用的步骤:

+ keepalived 提供 kube-apiserver 对外服务的 VIP;
+ haproxy 监听 VIP,后端连接所有 kube-apiserver 实例,提供健康检查和负载均衡功能;

运行 keepalived 和 haproxy 的节点称为 LB 节点。由于 keepalived 是一主多备运行模式,故至少两个 LB 节点。

本文档复用 master 节点的三台机器,haproxy 监听的端口(8443) 需要与 kube-apiserver 的端口 6443 不同,避免冲突。

keepalived 在运行过程中周期检查本机的 haproxy 进程状态,如果检测到 haproxy 进程异常,则触发重新选主的过程,VIP 将飘移到新选出来的主节点,从而实现 VIP 的高可用。

所有组件(如 kubeclt、apiserver、controller-manager、scheduler 等)都通过 VIP 和 haproxy 监听的 8443 端口访问 kube-apiserver 服务。

## 安装软件包

``` bash
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "yum install -y keepalived haproxy"
done
```

## 配置和下发 haproxy 配置文件

haproxy 配置文件:

``` bash
cat > haproxy.cfg <<EOF
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
nbproc 1
defaults
log global
timeout connect 5000
timeout client 10m
timeout server 10m
listen admin_stats
bind 0.0.0.0:10080
mode http
log 127.0.0.1 local0 err
stats refresh 30s
stats uri /status
stats realm welcome login\ Haproxy
stats auth admin:123456
stats hide-version
stats admin if TRUE
listen kube-master
bind 0.0.0.0:8443
mode tcp
option tcplog
balance source
server 172.27.129.105 172.27.129.105:6443 check inter 2000 fall 2 rise 2 weight 1
server 172.27.129.111 172.27.129.111:6443 check inter 2000 fall 2 rise 2 weight 1
server 172.27.129.112 172.27.129.112:6443 check inter 2000 fall 2 rise 2 weight 1
EOF
```
+ haproxy 在 10080 端口输出 status 信息;
+ haproxy 监听**所有接口**的 8443 端口,该端口与环境变量 ${KUBE_APISERVER} 指定的端口必须一致;
+ server 字段列出所有 kube-apiserver 监听的 IP 和端口;

下发 haproxy.cfg 到所有 master 节点:

``` bash
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
scp haproxy.cfg root@${node_ip}:/etc/haproxy
done
```

## 起 haproxy 服务

``` bash
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "mkdir -p /run/haproxy && systemctl restart haproxy"
done
```

## 检查 haproxy 服务状态

``` bash
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "systemctl status haproxy|grep Active"
done
```

确保状态为 `active (running)`,否则查看日志,确认原因:

``` bash
journalctl -u haproxy
```

检查 haproxy 是否监听 8443 端口:

``` bash
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "netstat -lnpt|grep haproxy"
done
```

确保输出类似于:

``` bash
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 120583/haproxy
```

## 配置和下发 keepalived 配置文件

keepalived 是一主(master)多备(backup)运行模式,故有两种类型的配置文件。master 配置文件只有一份,backup 配置文件视节点数目而定,对于本文档而言,规划如下:

+ master: 172.27.129.105
+ backup:172.27.129.111、172.27.129.112

master 配置文件:

``` bash
source /opt/k8s/bin/environment.sh
cat > keepalived-master.conf <<EOF
global_defs {
router_id lb-master-105
}
vrrp_script check-haproxy {
script "killall -0 haproxy"
interval 5
weight -30
}
vrrp_instance VI-kube-master {
state MASTER
priority 120
dont_track_primary
interface ${VIP_IF}
virtual_router_id 68
advert_int 3
track_script {
check-haproxy
}
virtual_ipaddress {
${MASTER_VIP}
}
}
EOF
```
+ VIP 所在的接口(interface ${VIP_IF})为 `eth0`
+ 使用 `killall -0 haproxy` 命令检查所在节点的 haproxy 进程是否正常。如果异常则将权重减少(-30),从而触发重新选主过程;
+ router_id、virtual_router_id 用于标识属于该 HA 的 keepalived 实例,如果有多套 keepalived HA,则必须各不相同;

backup 配置文件:

``` bash
source /opt/k8s/bin/environment.sh
cat > keepalived-backup.conf <<EOF
global_defs {
router_id lb-backup-105
}
vrrp_script check-haproxy {
script "killall -0 haproxy"
interval 5
weight -30
}
vrrp_instance VI-kube-master {
state BACKUP
priority 110
dont_track_primary
interface ${VIP_IF}
virtual_router_id 68
advert_int 3
track_script {
check-haproxy
}
virtual_ipaddress {
${MASTER_VIP}
}
}
EOF
```
+ VIP 所在的接口(interface ${VIP_IF})为 `eth0`
+ 使用 `killall -0 haproxy` 命令检查所在节点的 haproxy 进程是否正常。如果异常则将权重减少(-30),从而触发重新选主过程;
+ router_id、virtual_router_id 用于标识属于该 HA 的 keepalived 实例,如果有多套 keepalived HA,则必须各不相同;
+ priority 的值必须小于 master 的值;

## 下发 keepalived 配置文件

下发 master 配置文件:

``` bash
scp keepalived-master.conf [email protected]:/etc/keepalived/keepalived.conf
```

下发 backup 配置文件:

``` bash
scp keepalived-backup.conf [email protected]:/etc/keepalived/keepalived.conf
scp keepalived-backup.conf [email protected]:/etc/keepalived/keepalived.conf
```

## 起 keepalived 服务

``` bash
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "systemctl restart keepalived"
done
```

## 检查 keepalived 服务

``` bash
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "systemctl status keepalived|grep Active"
done
```

确保状态为 `active (running)`,否则查看日志,确认原因:

``` bash
journalctl -u keepalived
```

查看 VIP 所在的节点,确保可以 ping 通 VIP:

``` bash
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh ${node_ip} "ip addr show ${VIP_IF}"
ssh ${node_ip} "ping -c 1 ${MASTER_VIP}"
done
```

## 查看 haproxy 状态页面

浏览器访问 ${MASTER_VIP}:10080/status 地址,查看 haproxy 状态页面:

![haproxy](images/haproxy.png)
Loading

0 comments on commit f4de6be

Please sign in to comment.