集群规划
主机名 角色 ip
HDSS7-21.host.com kube-apiserver 192.168.12.13
HDSS7-22.host.com kube-apiserver 192.168.12.14
HDSS7-11.host.com 4层负载均衡 192.168.12.11
HDSS7-12.host.com 4层负载均衡 192.168.12.12
注意:这里192.168.12.11和192.168.12.12使用nginx做4层负载均衡器,用keepalive跑一个vip:192.168.12.10,代理两个kube-apiserver,实现高可用
1. hdss7-21安装apiserver
[root@hdss7-21 certs]# cd /opt/src/[root@hdss7-21 src]# rz[root@hdss7-21 src]# tar xf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/[root@hdss7-21 src]# cd ..[root@hdss7-21 opt]# mv kubernetes/ kubernetes-v1.15.2[root@hdss7-21 opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes[root@hdss7-21 opt]# cd kubernetes[root@hdss7-21 kubernetes]# rm -rf kubernetes-src.tar.gz[root@hdss7-21 kubernetes]# cd server/bin/[root@hdss7-21 bin]# rm -rf *.tar[root@hdss7-21 bin]# rm -rf *_tag签发apiserver-client证书:apiserver与etc通信用的证书。apiserver是客户端,etcd是服务端运维主机HDSS-200.host.com上[root@hdss7-21 bin]# cd /opt/kubernetes/server/bin/[root@hdss7-21 bin]# mkdir cert[root@hdss7-21 bin]# cd cert/[root@hdss7-21 cert]# ls[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/ca.pem .root@hdss7-200's password:ca.pem 100% 1334 505.1KB/s 00:00[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/apiserver.pem ./root@hdss7-200's password:apiserver.pem 100% 1586 913.6KB/s 00:00[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/apiserver-key.pem ./root@hdss7-200's password:apiserver-key.pem 100% 1675 711.1KB/s 00:00[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/ca-key.pem ./root@hdss7-200's password:ca-key.pem 100% 1679 1.3MB/s 00:00[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/client-key.pem ./root@hdss7-200's password:client-key.pem 100% 1679 749.7KB/s 00:00[root@hdss7-21 cert]# scp hdss7-200:/opt/certs/client.pem ./root@hdss7-200's password:client.pem[root@hdss7-21 bin]# mkdir conf[root@hdss7-21 bin]# cd /opt/kubernetes/server/bin/conf[root@hdss7-21 conf]# vi audit.yaml[root@hdss7-21 conf]# cat audit.yamlapiVersion: audit.k8s.io/v1beta1 # This is required.kind: Policy# Don't generate audit events for all requests in RequestReceived stage.omitStages:- "RequestReceived"rules:# Log pod changes at RequestResponse level- level: RequestResponseresources:- group: ""# Resource "pods" doesn't match requests to any subresource of pods,# which is consistent with the RBAC policy.resources: ["pods"]# Log "pods/log", "pods/status" at Metadata level- level: Metadataresources:- group: ""resources: ["pods/log", "pods/status"]# Don't log requests to a configmap called "controller-leader"- level: Noneresources:- group: ""resources: ["configmaps"]resourceNames: ["controller-leader"]# Don't log watch requests by the "system:kube-proxy" on endpoints or services- level: Noneusers: ["system:kube-proxy"]verbs: ["watch"]resources:- group: "" # core API groupresources: ["endpoints", "services"]# Don't log authenticated requests to certain non-resource URL paths.- level: NoneuserGroups: ["system:authenticated"]nonResourceURLs:- "/api*" # Wildcard matching.- "/version"# Log the request body of configmap changes in kube-system.- level: Requestresources:- group: "" # core API groupresources: ["configmaps"]# This rule only applies to resources in the "kube-system" namespace.# The empty string "" can be used to select non-namespaced resources.namespaces: ["kube-system"]# Log configmap and secret changes in all other namespaces at the Metadata level.- level: Metadataresources:- group: "" # core API groupresources: ["secrets", "configmaps"]# Log all other resources in core and extensions at the Request level.- level: Requestresources:- group: "" # core API group- group: "extensions" # Version of group should NOT be included.# A catch-all rule to log all other requests at the Metadata level.- level: Metadata# Long-running requests like watches that fall under this rule will not# generate an audit event in RequestReceived.omitStages:- "RequestReceived"[root@hdss7-21 conf]#[root@hdss7-21 conf]# cat /opt/kubernetes/server/bin/kube-apiserver.sh#!/bin/bash./kube-apiserver \--apiserver-count 2 \--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \--audit-policy-file ./conf/audit.yaml \--authorization-mode RBAC \--client-ca-file ./cert/ca.pem \--requestheader-client-ca-file ./cert/ca.pem \--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \--etcd-cafile ./cert/ca.pem \--etcd-certfile ./cert/client.pem \--etcd-keyfile ./cert/client-key.pem \--etcd-servers https://192.168.12.12:2379,https://192.168.12.21:2379,https://192.168.12.22:2379 \--service-account-key-file ./cert/ca-key.pem \--service-cluster-ip-range 192.168.0.0/16 \--service-node-port-range 3000-29999 \--target-ram-mb=1024 \--kubelet-client-certificate ./cert/client.pem \--kubelet-client-key ./cert/client-key.pem \--log-dir /data/logs/kubernetes/kube-apiserver \--tls-cert-file ./cert/apiserver.pem \--tls-private-key-file ./cert/apiserver-key.pem \--v 2[root@hdss7-21 conf]# chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh[root@hdss7-21 conf]# vi /etc/supervisord.d/kube-apiserver.ini[root@hdss7-21 conf]# cat /etc/supervisord.d/kube-apiserver.ini[program:kube-apiserver-7-21]command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args)numprocs=1 ; number of processes copies to start (def 1)directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)autostart=true ; start at supervisord start (default: true)autorestart=true ; retstart at unexpected quit (default: true)startsecs=30 ; number of secs prog must stay running (def. 1)startretries=3 ; max # of serial start failures (default 3)exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)stopsignal=QUIT ; signal used to kill process (default TERM)stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)user=root ; setuid to this UNIX account to run the programredirect_stderr=true ; redirect proc stderr to stdout (default false)stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stderr log path, NONE for none; default AUTOstdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)stdout_events_enabled=false ; emit events on stdout writes (default false)[root@hdss7-21 conf]# mkdir -p /data/logs/kubernetes/kube-apiserver[root@hdss7-21 conf]# supervisorctl updatekube-apiserver-7-21: added process group[root@hdss7-21 conf]# supervisorctl statusetcd-server-7-21 RUNNING pid 2753, uptime 0:53:15kube-apiserver-7-21 RUNNING pid 2873, uptime 0:00:48
2.运维主机HDSS-200.host.com
[root@hdss7-200 certs]# cd /opt/certs/
[root@hdss7-200 certs]# ll
total 36
-rw-r--r-- 1 root root 840 Jun 6 13:03 ca-config.json
-rw-r--r-- 1 root root 989 Jun 6 11:19 ca.csr
-rw-r--r-- 1 root root 334 Jun 6 11:18 ca-csr.json
-rw------- 1 root root 1679 Jun 6 11:19 ca-key.pem
-rw-r--r-- 1 root root 1334 Jun 6 11:19 ca.pem
-rw-r--r-- 1 root root 1062 Jun 6 13:04 etcd-peer.csr
-rw-r--r-- 1 root root 379 Jun 6 13:04 etcd-peer-csr.json
-rw------- 1 root root 1679 Jun 6 13:04 etcd-peer-key.pem
-rw-r--r-- 1 root root 1424 Jun 6 13:04 etcd-peer.pem
[root@hdss7-200 certs]# vi /opt/certs/client-csr.json
{
"CN": "k8s-node",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
[root@hdss7-200 certs]# vi apiserver-csr.json
{
"CN": "k8s-apiserver",
"hosts": [
"127.0.0.1",
"192.254.0.1",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"192.168.12.21",
"192.168.12.21",
"192.168.12.23"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver
3 hdss7-22安装apiserver
[root@hdss7-22 src]# tar xf kubernetes-server-linux-amd64-v1.15.2.tar.gz -C /opt/
[root@hdss7-22 src]# cd ..
[root@hdss7-22 opt]# ls
containerd etcd etcd-v3.1.20 kubernetes src
[root@hdss7-22 opt]# mv kubernetes/ kubernetes-v1.15.2
[root@hdss7-22 opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes
[root@hdss7-22 opt]# mkdir /opt/kubernetes/server/bin/cert /opt/kubernetes/server/bin/conf
[root@hdss7-22 opt]# cd /opt/kubernetes/server/bin/cert
[root@hdss7-22 cert]# scp hdss7-200:/opt/certs/ca.pem ./
root@hdss7-200's password:
ca.pem 100% 1334 2.5KB/s 00:00
[root@hdss7-22 cert]# scp hdss7-200:/opt/certs/apiserver.pem ./
root@hdss7-200's password:
apiserver.pem 100% 1586 752.4KB/s 00:00
[root@hdss7-22 cert]# ls
apiserver.pem ca.pem
[root@hdss7-22 cert]# scp hdss7-200:/opt/certs/apiserver-key.pem ./
root@hdss7-200's password:
apiserver-key.pem 100% 1675 1.2MB/s 00:00
[root@hdss7-22 cert]# scp hdss7-200:/opt/certs/ca-key.pem ./
root@hdss7-200's password:
ca-key.pem 100% 1679 1.3MB/s 00:00
[root@hdss7-22 cert]# scp hdss7-200:/opt/certs/client-key.pem ./
root@hdss7-200's password:
client-key.pem 100% 1679 728.4KB/s 00:00
[root@hdss7-22 cert]# scp hdss7-200:/opt/certs/client.pem ./
root@hdss7-200's password:
client.pem
[root@hdss7-22 conf]# vim audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"
[root@hdss7-22 conf]# vi /opt/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver \
--apiserver-count 2 \
--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
--audit-policy-file ./conf/audit.yaml \
--authorization-mode RBAC \
--client-ca-file ./cert/ca.pem \
--requestheader-client-ca-file ./cert/ca.pem \
--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
--etcd-cafile ./cert/ca.pem \
--etcd-certfile ./cert/client.pem \
--etcd-keyfile ./cert/client-key.pem \
--etcd-servers https://192.168.12.12:2379,https://192.168.12.21:2379,https://192.168.12.22:2379 \
--service-account-key-file ./cert/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--service-node-port-range 3000-29999 \
--target-ram-mb=1024 \
--kubelet-client-certificate ./cert/client.pem \
--kubelet-client-key ./cert/client-key.pem \
--log-dir /data/logs/kubernetes/kube-apiserver \
--tls-cert-file ./cert/apiserver.pem \
--tls-private-key-file ./cert/apiserver-key.pem \
--v 2
[root@hdss7-22 conf]# vi /etc/supervisord.d/kube-apiserver.ini
[root@hdss7-22 conf]# chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh
[program:kube-apiserver-7-22]
command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@hdss7-22 conf]# mkdir -p /data/logs/kubernetes/kube-apiserver
[root@hdss7-22 conf]# supervisorctl update
[root@hdss7-22 conf]# supervisorctl status
etcd-server-7-22 RUNNING pid 4264, uptime 0:51:18
kube-apiserver-7-22 RUNNING pid 4400, uptime 0:02:53
4 hdss7-11上部署nginx
[root@hdss7-11 opt]# yum install nginx -y
nginx四层负载,必须与http同级:
[root@hdss7-11 opt]# cat /etc/nginx/nginx.conf
stream {
upstream kube-apiserver {
server 192.168.12.21:6443 max_fails=3 fail_timeout=30s;
server 192.168.12.22:6443 max_fails=3 fail_timeout=30s;
}
server {
listen 7443;
proxy_connect_timeout 2s;
proxy_timeout 900s;
proxy_pass kube-apiserver;
}
}
[root@hdss7-11 opt]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@hdss7-11 opt]# systemctl restart nginx
[root@hdss7-11 opt]# systemctl enable nginx
5.hdss7-12安装nginx
[root@hdss7-12 certs]# yum install nginx -y
[root@hdss7-12 certs]# vim /etc/nginx/nginx.conf
stream {
upstream kube-apiserver {
server 192.168.12.21:6443 max_fails=3 fail_timeout=30s;
server 192.168.12.22:6443 max_fails=3 fail_timeout=30s;
}
server {
listen 7443;
proxy_connect_timeout 2s;
proxy_timeout 900s;
proxy_pass kube-apiserver;
}
}
[root@hdss7-12 certs]#
[root@hdss7-12 certs]#
[root@hdss7-12 certs]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@hdss7-12 certs]# systemctl start nginx
[root@hdss7-12 certs]# systemctl enable nginx
6.实现keep高可用
[root@hdss7-11 opt]# yum install keepalived -y
[root@hdss7-11 opt]# cat /etc/keepalived/check_port.sh
#!/bin/bash
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
if [ $PORT_PROCESS -eq 0 ];then
echo "Port $CHK_PORT Is Not Used,End."
exit 1
fi
else
echo "Check Port Cant Be Empty!"
fi
[root@hdss7-11 opt]# chmod +x /etc/keepalived/check_port.sh
[root@hdss7-11 opt]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id 192.168.12.11
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 7443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 251
priority 100
advert_int 1
mcast_src_ip 192.168.12.11
nopreempt
authentication {
auth_type PASS
auth_pass 11111111
}
track_script {
chk_nginx
}
virtual_ipaddress {
192.168.12.10
}
}
[root@hdss7-11 opt]# systemctl start keepalived
[root@hdss7-11 opt]# systemctl enable keepalived
[root@hdss7-12 certs]# yum install keepalived -y
[root@hdss7-12 certs]# cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id 192.168.12.11
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 7443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 251
priority 100
advert_int 1
mcast_src_ip 192.168.12.11
nopreempt
authentication {
auth_type PASS
auth_pass 11111111
}
track_script {
chk_nginx
}
virtual_ipaddress {
192.168.12.10
}
}
[root@hdss7-12 certs]# cat /etc/keepalived/check_port.sh
#!/bin/bash
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
if [ $PORT_PROCESS -eq 0 ];then
echo "Port $CHK_PORT Is Not Used,End."
exit 1
fi
else
echo "Check Port Cant Be Empty!"
fi
[root@hdss7-12 certs]# chmod +x /etc/keepalived/check_port.sh
[root@hdss7-12 certs]# systemctl start keepalived
[root@hdss7-12 certs]# systemctl enable keepalived
若有收获,就点个赞吧
0 人点赞
