画板

1、前置准备

1.1 环境准备

服务器要求:

  • 建议最小硬件配置:2核CPU、2G内存、30G硬盘
  • 服务器最好可以访问外网,会有从网上拉取镜像需求,如果服务器不能上网,需要提前下载对应镜像并导入节点

软件环境:

软件 版本
OS CentOS Linux release 7.9.2009 (Core)
Docker
Kubernetes

服务器整体规划:

角色 IP 组件
k8s-master1 192.168.6.20 docker,etcd,nginx,keepalived
k8s-master2 192.168.6.21 docker,etcd,nginx,keepalived
k8s-node1 192.168.6.22 docker,etcd
负载均衡 192.168.6.88(VIP)

架构图:

0、kubeadm部署k8s高可用 - 图2

1.2 操作系统初始化

# 关闭防火墙
systemctl stop firewalld
systemctl disable firewalld

# 关闭selinux
sed -i ‘s/enforcing/disabled/‘ /etc/selinux/config # 永久
setenforce 0 # 临时

# 关闭swap
swapoff -a # 临时
sed -ri ‘s/.swap./#&/‘ /etc/fstab # 永久

# 根据规划设置主机名
hostnamectl set-hostname k8s-master1 >

hostnamectl set-hostname k8s-master2

hostnamectl set-hostname k8s-node1

# 在master添加hosts
cat >> /etc/hosts << EOF
192.168.6.20 k8s-master1
192.168.6.21 k8s-master2
192.168.6.22 k8s-node1
EOF

# 将桥接的IPv4流量传递到iptables的链
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl —system # 生效

# 时间同步
yum install ntpdate -y
ntpdate time.windows.com >

2、 部署Nginx+Keepalived高可用负载均衡器

Kubernetes作为容器集群系统,通过健康检查+重启策略实现了Pod故障自我修复能力,通过调度算法实现将Pod分布式部署,并保持预期副本数,根据Node失效状态自动在其他Node拉起Pod,实现了应用层的高可用性。

针对Kubernetes集群,高可用性还应包含以下两个层面的考虑:Etcd数据库的高可用性和Kubernetes Master组件的高可用性。 而kubeadm搭建的K8s集群,Etcd只起了一个,存在单点,所以我们这里会独立搭建一个Etcd集群。

Master节点扮演着总控中心的角色,通过不断与工作节点上的Kubelet和kube-proxy进行通信来维护整个集群的健康工作状态。如果Master节点故障,将无法使用kubectl工具或者API做任何集群管理。

Master节点主要有三个服务kube-apiserver、kube-controller-manager和kube-scheduler,其中kube-controller-manager和kube-scheduler组件自身通过选择机制已经实现了高可用,所以Master高可用主要针对kube-apiserver组件,而该组件是以HTTP API提供服务,因此对他高可用与Web服务器类似,增加负载均衡器对其负载均衡即可,并且可水平扩容。

kube-apiserver高可用架构图:

0、kubeadm部署k8s高可用 - 图3

  • Nginx是一个主流Web服务和反向代理服务器,这里用四层实现对apiserver实现负载均衡。
  • Keepalived是一个主流高可用软件,基于VIP绑定实现服务器双机热备,在上述拓扑中,Keepalived主要根据Nginx运行状态判断是否需要故障转移(偏移VIP),例如当Nginx主节点挂掉,VIP会自动绑定在Nginx备节点,从而保证VIP一直可用,实现Nginx高可用。

注:为了节省机器,这里与K8s master节点机器复用。也可以独立于k8s集群之外部署,只要nginx与apiserver能通信就行。

2.1 安装软件包(主备)

nginx安装:https://nginx.org/en/linux_packages.html#RHEL-CentOS

安装需要的依赖: yum install -y gcc yum install -y pcre pcre-devel yum install -y zlib zlib-devel yum install -y openssl openssl-devel rpm -q pcre pcre-devel openssl openssl-devel

keepalived安装:

keepalived官方:https://www.keepalived.org/download.html

yum -y install keepalived

2.2 Nginx配置文件(主/备一样)

  1. cat > /etc/nginx/nginx.conf << "EOF"
  2. user  nginx;
  3. worker_processes  auto;
  5. error_log  /var/log/nginx/error.log notice;
  6. pid        /var/run/nginx.pid;
  9. events {
  10.     worker_connections  1024;
  11. }
  13. # 四层负载均衡,为两台Master apiserver组件提供负载均衡
  14. stream {
  15.     log_format  main  '$remote_addr $upstream_addr - [$time_local] $status $upstream_bytes_sent';
  16.     access_log  /var/log/nginx/k8s-access.log  main;
  17.     upstream k8s-apiserver {
  18.        server 192.168.6.20:6443;   # Master1 APISERVER IP:PORT
  19.        server 192.168.6.21:6443;   # Master2 APISERVER IP:PORT
  20.     }
  22.     server {
  23.        listen 16443;  # 由于nginx与master节点复用,这个监听端口不能是6443,否则会冲突
  24.        proxy_pass k8s-apiserver;
  25.     }
  26. }
  28. http {
  29.     include       /etc/nginx/mime.types;
  30.     default_type  application/octet-stream;
  32.     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
  33.                       '$status $body_bytes_sent "$http_referer" '
  34.                       '"$http_user_agent" "$http_x_forwarded_for"';
  36.     access_log  /var/log/nginx/access.log  main;
  38.     sendfile        on;
  39.     #tcp_nopush     on;
  41.     keepalive_timeout  65;
  43.     #gzip  on;
  45.     include /etc/nginx/conf.d/*.conf;
  46. }
  47. EOF

2.3 Keepalive配置文件(Nginx Master)

  1. cat > /etc/keepalived/keepalived.conf << EOF
  2. global_defs { 
  3.    notification_email { 
  4.      acassen@firewall.loc 
  5.      failover@firewall.loc 
  6.      sysadmin@firewall.loc 
  7.    } 
  8.    notification_email_from Alexandre.Cassen@firewall.loc  
  9.    smtp_server 127.0.0.1 
  10.    smtp_connect_timeout 30 
  11.    router_id NGINX_MASTER
  12. } 
  14. vrrp_script check_nginx {
  15.     script "/etc/keepalived/check_nginx.sh"
  16. }
  18. vrrp_instance VI_1 { 
  19.     state MASTER 
  20.     interface ens33  # 修改为实际网卡名
  21.     virtual_router_id 51 # VRRP 路由 ID实例,每个实例是唯一的 
  22.     priority 100    # 优先级,备服务器设置 90 
  23.     advert_int 1    # 指定VRRP 心跳包通告间隔时间,默认1秒 
  24.     authentication { 
  25.         auth_type PASS      
  26.         auth_pass 1111 
  27.     }  
  28.     # 虚拟IP
  29.     virtual_ipaddress { 
  30.         192.168.6.88/24
  31.     } 
  32.     track_script {
  33.         check_nginx
  34.     } 
  35. }
  36. EOF
  • vrrp_script:指定检查nginx工作状态脚本(根据nginx状态判断是否故障转移)
  • virtual_ipaddress:虚拟IP(VIP)
  • virtual_router_id 确保主备一致

准备上述配置文件中检查nginx运行状态的脚本:

  1. cat > /etc/keepalived/check_nginx.sh  << "EOF"
  2. #!/bin/bash
  3. count=$(ss -antp |grep 16443 |egrep -cv "grep|$$")
  5. if [ "$count" -eq 0 ];then
  6.     exit 1
  7. else
  8.     exit 0
  9. fi
  10. EOF
  11. chmod +x /etc/keepalived/check_nginx.sh

2.4 Keepalive配置文件(Nginx Backup)

  1. cat > /etc/keepalived/keepalived.conf << EOF
  2. global_defs { 
  3.    notification_email { 
  4.      acassen@firewall.loc 
  5.      failover@firewall.loc 
  6.      sysadmin@firewall.loc 
  7.    } 
  8.    notification_email_from Alexandre.Cassen@firewall.loc  
  9.    smtp_server 127.0.0.1 
  10.    smtp_connect_timeout 30 
  11.    router_id NGINX_BACKUP
  12. } 
  14. vrrp_script check_nginx {
  15.     script "/etc/keepalived/check_nginx.sh"
  16. }
  18. vrrp_instance VI_1 { 
  19.     state BACKUP 
  20.     interface ens33
  21.     virtual_router_id 51 # VRRP 路由 ID实例,每个实例是唯一的
  22.     priority 90
  23.     advert_int 1
  24.     authentication { 
  25.         auth_type PASS      
  26.         auth_pass 1111 
  27.     }  
  28.     virtual_ipaddress { 
  29.         192.168.6.88/24
  30.     } 
  31.     track_script {
  32.         check_nginx
  33.     } 
  34. }
  35. EOF

准备上述配置文件中检查nginx运行状态的脚本:

  1. cat > /etc/keepalived/check_nginx.sh  << "EOF"
  2. #!/bin/bash
  3. count=$(ss -antp |grep 16443 |egrep -cv "grep|$$")
  5. if [ "$count" -eq 0 ];then
  6.     exit 1
  7. else
  8.     exit 0
  9. fi
  10. EOF
  11. chmod +x /etc/keepalived/check_nginx.sh

注:keepalived根据脚本返回状态码(0为工作正常,非0不正常)判断是否故障转移。

2.5 启动并设置开机启动

systemctl daemon-reload
 systemctl start nginx
 systemctl start keepalived
 systemctl enable nginx
 systemctl enable keepalived

2.6 查看keepalived工作状态

  • 网卡是否绑定了VIP

2.7 Nginx+Keepalived高可用测试

  1. 关闭主节点Nginx,测试VIP是否漂移到备节点服务器。
  2. 在Nginx Master执行 pkill nginx
    在Nginx Backup,ip addr命令查看已成功绑定VIP。

3、ETCD集群部署

Etcd 是一个分布式键值存储系统,Kubernetes使用Etcd进行数据存储,kubeadm搭建默认情况下只启动一个Etcd Pod,存在单点故障,生产环境强烈不建议,所以我们这里使用3台服务器组建集群,可容忍1台机器故障,当然,你也可以使用5台组建集群,可容忍2台机器故障。

节点名称 IP
etcd-1 192.168.6.20
etcd-2 192.168.6.21
etcd-3 192.168.6.22

注:为了节省机器,这里与K8s节点机器复用。也可以独立于k8s集群之外部署,只要apiserver能连接到就行。

3.1 准备cfssl证书生成工具

cfssl是一个开源的证书管理工具,使用json文件生成证书,相比openssl更方便使用。

找任意一台服务器操作,这里用Master节点。

https://github.com/cloudflare/cfssl

git clonehttps://github.com/cloudflare/cfssl.git

cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64 chmod +x /usr/local/bin/cfssl*

3.2 自签ETCD证书

  1. 自签证书颁发机构(CA)
mkdir -p ~/etcd_tls
 cd ~/etcd_tls

自签CA:

  1. cat > ca-config.json << EOF
  2. {
  3.   "signing": {
  4.     "default": {
  5.       "expiry": "87600h"
  6.     },
  7.     "profiles": {
  8.       "www": {
  9.          "expiry": "87600h",
  10.          "usages": [
  11.             "signing",
  12.             "key encipherment",
  13.             "server auth",
  14.             "client auth"
  15.         ]
  16.       }
  17.     }
  18.   }
  19. }
  20. EOF
  22. cat > ca-csr.json << EOF
  23. {
  24.     "CN": "etcd CA",
  25.     "key": {
  26.         "algo": "rsa",
  27.         "size": 2048
  28.     },
  29.     "names": [
  30.         {
  31.             "C": "CN",
  32.             "L": "Beijing",
  33.             "ST": "Beijing"
  34.         }
  35.     ]
  36. }
  37. EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

会生成ca.pem和ca-key.pem文件。

  1. 使用自签CA签发Etcd HTTPS证书

创建证书申请文件:

  1. cat > server-csr.json << EOF
  2. {
  3.     "CN": "etcd",
  4.     "hosts": [
  5.     "192.168.6.20",
  6.     "192.168.6.21",
  7.     "192.168.6.22"
  8.     ],
  9.     "key": {
  10.         "algo": "rsa",
  11.         "size": 2048
  12.     },
  13.     "names": [
  14.         {
  15.             "C": "CN",
  16.             "L": "BeiJing",
  17.             "ST": "BeiJing"
  18.         }
  19.     ]
  20. }
  21. EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

会生成server.pem和server-key.pem文件。

注:上述文件hosts字段中IP为所有etcd节点的集群内部通信IP,一个都不能少!为了方便后期扩容可以多写几个预留的IP。

3.3 从Github下载二进制文件

wget https://github.com/etcd-io/etcd/releases/

3.4 部署集群

以下在节点1上操作,为简化操作,待会将节点1生成的所有文件拷贝到节点2和节点3。

1. 创建工作目录并解压二进制包

mkdir /opt/etcd/{bin,cfg,ssl} -p
 tar zxvf etcd-v3.5.0-linux-amd64.tar.gz
 mv etcd-v3.5.0-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/

2. 创建etcd配置文件

  1. cat > /opt/etcd/cfg/etcd.conf << EOF
  2. #[Member]
  3. ETCD_NAME="etcd-1"
  4. ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
  5. ETCD_LISTEN_PEER_URLS="https://192.168.6.20:2380"
  6. ETCD_LISTEN_CLIENT_URLS="https://192.168.6.20:2379"
  8. #[Clustering]
  9. ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.6.20:2380"
  10. ETCD_ADVERTISE_CLIENT_URLS="https://192.168.6.20:2379"
  11. ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.6.20:2380,etcd-2=https://192.168.6.21:2380,etcd-3=https://192.168.6.22:2380"
  12. ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
  13. ETCD_INITIAL_CLUSTER_STATE="new"
  14. EOF

• ETCD_NAME:节点名称,集群中唯一

• ETCDDATADIR:数据目录

• ETCDLISTENPEER_URLS:集群通信监听地址

• ETCDLISTENCLIENT_URLS:客户端访问监听地址

• ETCDINITIALADVERTISEPEERURLS:集群通告地址

• ETCDADVERTISECLIENT_URLS:客户端通告地址

• ETCDINITIALCLUSTER:集群节点地址

• ETCDINITIALCLUSTER_TOKEN:集群Token

• ETCDINITIALCLUSTER_STATE:加入集群的当前状态,new是新集群,existing表示加入已有集群

3. systemd管理etcd

  1. cat > /usr/lib/systemd/system/etcd.service << EOF
  2. [Unit]
  3. Description=Etcd Server
  4. After=network.target
  5. After=network-online.target
  6. Wants=network-online.target
  8. [Service]
  9. Type=notify
  10. EnvironmentFile=/opt/etcd/cfg/etcd.conf
  11. ExecStart=/opt/etcd/bin/etcd \
  12. --cert-file=/opt/etcd/ssl/server.pem \
  13. --key-file=/opt/etcd/ssl/server-key.pem \
  14. --peer-cert-file=/opt/etcd/ssl/server.pem \
  15. --peer-key-file=/opt/etcd/ssl/server-key.pem \
  16. --trusted-ca-file=/opt/etcd/ssl/ca.pem \
  17. --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
  18. --logger=zap
  19. Restart=on-failure
  20. LimitNOFILE=65536
  22. [Install]
  23. WantedBy=multi-user.target
  24. EOF

4. 拷贝刚才生成的证书

把刚才生成的证书拷贝到配置文件中的路径:

cp ~/etcd_tls/capem ~/etcd_tls/serverpem /opt/etcd/ssl/

5. 启动并设置开机启动

systemctl daemon-reload
 systemctl start etcd
 systemctl enable etcd

6. 将上面节点1所有生成的文件拷贝到节点2和节点3

scp -r /opt/etcd/ root@192.168.6.21:/opt/
 scp /usr/lib/systemd/system/etcd.service root@192.168.6.21:/usr/lib/systemd/system/
 scp -r /opt/etcd/ root@192.168.6.22:/opt/
 scp /usr/lib/systemd/system/etcd.service root@192.168.6.22:/usr/lib/systemd/system/

然后在节点2和节点3分别修改etcd.conf配置文件中的节点名称和当前服务器IP:

vi /opt/etcd/cfg/etcd.conf
 #[Member]
 ETCD_NAME=”etcd-2” # 修改此处,节点2改为etcd-2,节点3改为etcd-3
 ETCD_DATA_DIR=”/var/lib/etcd/default.etcd”
 ETCD_LISTEN_PEER_URLS=”https://192.168.6.21:2380“ # 修改此处为当前服务器IP
 ETCD_LISTEN_CLIENT_URLS=”https://192.168.6.21:2379“ # 修改此处为当前服务器IP

 #[Clustering]
 ETCD_INITIAL_ADVERTISE_PEER_URLS=”https://192.168.6.21:2380“ # 修改此处为当前服务器IP
 ETCD_ADVERTISE_CLIENT_URLS=”https://192.168.6.21:2379“ # 修改此处为当前服务器IP
 ETCD_INITIAL_CLUSTER=”etcd-1=https://192.168.6.20:2380,etcd-2=https://192.168.6.21:2380,etcd-3=https://192.168.6.22:2380
 ETCD_INITIAL_CLUSTER_TOKEN=”etcd-cluster”
 ETCD_INITIAL_CLUSTER_STATE=”new”

最后启动etcd并设置开机启动,同上。

7. 查看集群状态

  1. ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.6.20:2379,https://192.168.6.21:2379,https://192.168.6.22:2379" endpoint health --write-out=table
  2. +---------------------------+--------+-------------+-------+
  3. |         ENDPOINT          | HEALTH |    TOOK     | ERROR |
  4. +---------------------------+--------+-------------+-------+
  5. | https://192.168.6.20:2379 |   true | 13.658289ms |       |
  6. | https://192.168.6.22:2379 |   true | 13.870048ms |       |
  7. | https://192.168.6.21:2379 |   true | 13.591061ms |       |
  8. +---------------------------+--------+-------------+-------+

4、安装Docker/kubeadm/kubelet【所有节点】

这里使用Docker作为容器引擎,也可以换成别的,例如containerd

4.1 安装Docker

  1. wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
  2. yum -y install docker-ce
  3. systemctl enable docker && systemctl start docker

配置镜像加速器:

  1. cat > /etc/docker/daemon.json << EOF
  2. {
  3.   "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"]
  4. }
  5. EOF

systemctl restart docker

docker info

4.2 添加阿里云YUM软件源

  1. cat > /etc/yum.repos.d/kubernetes.repo << EOF
  2. [kubernetes]
  3. name=Kubernetes
  4. baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
  5. enabled=1
  6. gpgcheck=0
  7. repo_gpgcheck=0
  8. gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
  9. EOF

4.3 安装kubeadm,kubelet和kubectl

由于版本更新频繁,这里指定版本号部署:

  1. yum install -y kubelet-1.20.0 kubeadm-1.20.0 kubectl-1.20.0
  2. systemctl enable kubelet

5、部署Kubernetes Master

5.1 初始化Master1

生成初始化配置文件:

  1. cat > kubeadm-config.yaml << EOF
  2. apiVersion: kubeadm.k8s.io/v1beta2
  3. bootstrapTokens:
  4. - groups:
  5.   - system:bootstrappers:kubeadm:default-node-token
  6.   token: 9037x2.tcaqnpaqkra9vsbw
  7.   ttl: 24h0m0s
  8.   usages:
  9.   - signing
  10.   - authentication
  11. kind: InitConfiguration
  12. localAPIEndpoint:
  13.   advertiseAddress: 192.168.6.20
  14.   bindPort: 6443
  15. nodeRegistration:
  16.   criSocket: /var/run/dockershim.sock  # kubelet中的插件连接docker
  17.   name: k8s-master1
  18.   taints:
  19.   - effect: NoSchedule
  20.     key: node-role.kubernetes.io/master
  21. ---
  22. apiServer:
  23.   certSANs:  # 包含所有Master/LB/VIP IP,一个都不能少!为了方便后期扩容可以多写几个预留的IP。
  24.   - k8s-master1
  25.   - k8s-master2
  26.   - 192.168.6.20
  27.   - 192.168.6.21
  28.   - 192.168.6.88 # VIP
  29.   - 127.0.0.1
  30.   extraArgs:
  31.     authorization-mode: Node,RBAC
  32.   timeoutForControlPlane: 4m0s
  33. apiVersion: kubeadm.k8s.io/v1beta2
  34. certificatesDir: /etc/kubernetes/pki
  35. clusterName: kubernetes
  36. controlPlaneEndpoint: 192.168.6.88:16443 # 负载均衡虚拟IP(VIP)和端口
  37. controllerManager: {}
  38. dns:
  39.   type: CoreDNS
  40. etcd:
  41.   external:  # 使用外部etcd
  42.     endpoints:
  43.     - https://192.168.6.20:2379 # etcd集群3个节点
  44.     - https://192.168.6.21:2379
  45.     - https://192.168.6.22:2379
  46.     caFile: /opt/etcd/ssl/ca.pem # 连接etcd所需证书
  47.     certFile: /opt/etcd/ssl/server.pem
  48.     keyFile: /opt/etcd/ssl/server-key.pem
  49. imageRepository: registry.aliyuncs.com/google_containers # 由于默认拉取镜像地址k8s.gcr.io国内无法访问,这里指定阿里云镜像仓库地址
  50. kind: ClusterConfiguration
  51. kubernetesVersion: v1.20.0 # K8s版本,与上面安装的一致
  52. networking:
  53.   dnsDomain: cluster.local
  54.   podSubnet: 10.244.0.0/16  # Pod网络,与下面部署的CNI网络组件yaml中保持一致
  55.   serviceSubnet: 10.96.0.0/12  # 集群内部虚拟网络,Pod统一访问入口
  56. scheduler: {}
  57. EOF

使用配置文件初始化引导: 

  1. kubeadm init --config kubeadm-config.yaml
  2. ...
  3. [addons] Applied essential addon: kube-proxy
  5. Your Kubernetes control-plane has initialized successfully!
  7. To start using your cluster, you need to run the following as a regular user:
  9.   mkdir -p $HOME/.kube
  10.   sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  11.   sudo chown $(id -u):$(id -g) $HOME/.kube/config
  13. Alternatively, if you are the root user, you can run:
  15.   export KUBECONFIG=/etc/kubernetes/admin.conf
  17. You should now deploy a pod network to the cluster.
  18. Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  19.   https://kubernetes.io/docs/concepts/cluster-administration/addons/
  21. You can now join any number of control-plane nodes by copying certificate authorities
  22. and service account keys on each node and then running the following as root:
  24.   kubeadm join 192.168.6.88:16443 --token 9037x2.tcaqnpaqkra9vsbw \
  25.     --discovery-token-ca-cert-hash sha256:25d7712faa2ea32756468c6989fdcdf5bd7418166b509973237e746a7f420f39 \
  26.     --control-plane 
  28. Then you can join any number of worker nodes by running the following on each as root:
  30. kubeadm join 192.168.6.88:16443 --token 9037x2.tcaqnpaqkra9vsbw \
  31.     --discovery-token-ca-cert-hash sha256:25d7712faa2ea32756468c6989fdcdf5bd7418166b509973237e746a7f420f39

初始化完成后,会有两个join的命令,带有 —control-plane 是用于加入组建多master集群的,不带的是加入节点的。

拷贝kubectl使用的连接k8s认证文件到默认路径:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

kubectl get node
NAME STATUS ROLES AGE VERSION

k8s-master1 NotReady control-plane,master 4m4s v1.20.0

5.2 初始化Master2

将Master1节点生成的证书拷贝到Master2:

scp -r /etc/kubernetes/pki/ 192.168.6.21:/etc/kubernetes/

复制加入master join命令在master2执行:

kubeadm join 192.168.6.88:16443 —token 9037x2.tcaqnpaqkra9vsbw \ —discovery-token-ca-cert-hash sha256:25d7712faa2ea32756468c6989fdcdf5bd7418166b509973237e746a7f420f39 \ —control-plane

拷贝kubectl使用的连接k8s认证文件到默认路径:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

kubectl get node
NAME STATUS ROLES AGE VERSION

k8s-master1 NotReady control-plane,master 8m46s v1.20.0

k8s-master2 NotReady control-plane,master 18s v1.20.0

注:由于网络插件还没有部署,还没有准备就绪 NotReady

5.3 访问负载均衡器测试

找K8s集群中任意一个节点,使用curl查看K8s版本测试,使用VIP访问:

curl -k https://192.168.6.88:16443/version

{

“major”: “1”,

“minor”: “20”,

“gitVersion”: “v1.20.0”,

“gitCommit”: “af46c47ce925f4c4ad5cc8d1fca46c7b77d13b38”,

“gitTreeState”: “clean”,

“buildDate”: “2020-12-08T17:51:19Z”,

“goVersion”: “go1.15.5”,

“compiler”: “gc”,

“platform”: “linux/amd64”

}

可以正确获取到K8s版本信息,说明负载均衡器搭建正常。

该请求数据流程:curl -> vip(nginx) -> apiserver

通过查看Nginx日志也可以看到转发apiserver IP:

tail /var/log/nginx/k8s-access.log -f

192.168.6.21 192.168.6.21:6443 - [17/Sep/2021:15:53:23 +0800] 200 1096

192.168.6.21 192.168.6.20:6443 - [17/Sep/2021:15:53:23 +0800] 200 1096

6、加入Kubernetes Node

在192.168.6.22(Node)执行。

向集群添加新节点,执行在kubeadm init输出的kubeadm join命令:

kubeadm join 192.168.6.88:16443 —token 9037x2.tcaqnpaqkra9vsbw \ —discovery-token-ca-cert-hash sha256:25d7712faa2ea32756468c6989fdcdf5bd7418166b509973237e746a7f420f39

后续其他节点也是这样加入。

注:默认token有效期为24小时,当过期之后,该token就不可用了。这时就需要重新创建token,可以直接使用命令快捷生成:

kubeadm token create —print-join-command

7、部署网络组件-Calico

Calico是一个纯三层的数据中心网络方案,是目前Kubernetes主流的网络方案。

wget https://docs.projectcalico.org/manifests/calico.yaml
修改pod的网段CALICO_IPV4POOL_CIDR 
  1. ...
  2. - name: CALICO_IPV4POOL_CIDR
  3.   value: "10.244.0.0/16" # 与初始化master1的配置文件的podSubnet保持一致
  4. ...

部署Calico:

kubectl apply -f calico.yaml
kubectl get pods -n kube-system

8、部署Dashboard

Dashboard是官方提供的一个UI,可用于基本管理K8s资源。

wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml
默认Dashboard只能集群内部访问,修改Service为NodePort类型,暴露到外部: 
  1. spec:
  2.   ports:
  3.     - port: 443
  4.       targetPort: 8443
  5.       nodePort: 30001
  6.   selector:
  7.     k8s-app: kubernetes-dashboard
  8.   type: NodePort
kubectl apply -f recommended.yaml
 # 查看部署
kubectl get pods -n kubernetes-dashboard

访问地址:https://NodeIP:30001

创建service account 并绑定到默认的cluster-admin管理员集群角色:

  1. # 创建用户
  2. $ kubectl create serviceaccount dashboard-admin -n kube-system
  3. # 用户授权 
  4. $ kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
  5. # 获取用户Token
  6. $ kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')

注:使用输出的token登陆dashboard

9、部署Metrics Server

0、kubeadm部署k8s高可用 - 图4

项目地址:https://github.com/kubernetes-sigs/metrics-server

wget https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.4.1/components.yaml

Deployment/metrics-server修改:

  • —kubelet-insecure-tls 告诉metrics-server不验证kubelet提供的https证书
  • —kubelet-preferred-address-types=InternalIP 使用节点IP连接kubelet
  • image: geray/metrics-server:v0.4.1

10、master节点作为node使用

默认配置下Kubernetes不会将Pod调度到Master节点。如果希望将k8s-master也当作Node使用
kubectl taint node k8s-master1 node-role.kubernetes.io/master-

11、部署Ingress

Kubernetes-v1.22+ 需要使用 ingress-nginx>=1.0,因为 networking.k8s.io/v1beta 已经移除

作者:cnsre运维博客
链接:https://www.imooc.com/article/320464
来源:慕课网 
  1. curl https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/baremetal/deploy.yaml > deploy.yaml 
  3. sed -i 's@k8s.gcr.io/ingress-nginx/controller:v1.0.0\(.*\)@geray/ingress-nginx-controller:v1.0.0@' deploy.yaml
  5. sed -i 's@k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.0\(.*\)$@geray/kube-webhook-certgen:v1.0@' deploy.yaml
  7. sed -i 's/Deployment/DaemonSet/g' deploy.yaml
  9. # 预先拉取镜像
  10. docker pull geray/ingress-nginx-controller:v1.0.0
  11. docker pull geray/kube-webhook-certgen:v1.0
  13. kubectl apply -f deploy.yaml

附件:直接apply即可

deploy.yaml