Linkerd Deployment and Getting Started: High-Availability Mode

Environment

linkerd
Client version: stable-2.14.0
Server version: stable-2.14.0

kubernetes: 1.21.1 (simulated with KIND: 1 master + 3 workers)

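Preparation

A high-availability (HA) deployment requires the Kubernetes cluster to have three or more worker nodes. In HA mode the Linkerd components destination, identity and proxy-injector default to three replicas each, and the replicas need to be scheduled onto different nodes.

In HA mode the proxy-injector webhook uses a stricter failure policy, so the kube-system namespace must also be excluded from Linkerd proxy injection: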

sudo kubectl label namespace kube-system config.linkerd.io/admission-webhooks=disabled
namespace/kube-system labeled

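Deploying Linkerd in HA mode

The official recommendation is to deploy HA Linkerd with Helm; this walkthrough uses the CLI instead.
First generate the YAML file with the linkerd CLI, then apply it. If you do not need to keep the YAML file, the two commands can be joined with '|' and run in one step.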

$ sudo linkerd install --ha --crds > linkerd-crds-ha.yaml
Rendering Linkerd CRDs...
Next, run `linkerd install | kubectl apply -f -` to install the control plane.

$ sudo kubectl apply -f linkerd-crds-ha.yaml 
customresourcedefinition.apiextensions.k8s.io/authorizationpolicies.policy.linkerd.io configured
customresourcedefinition.apiextensions.k8s.io/httproutes.policy.linkerd.io configured
customresourcedefinition.apiextensions.k8s.io/meshtlsauthentications.policy.linkerd.io configured
customresourcedefinition.apiextensions.k8s.io/networkauthentications.policy.linkerd.io configured
customresourcedefinition.apiextensions.k8s.io/serverauthorizations.policy.linkerd.io configured
customresourcedefinition.apiextensions.k8s.io/servers.policy.linkerd.io configured
customresourcedefinition.apiextensions.k8s.io/serviceprofiles.linkerd.io configured
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created

$ sudo linkerd install --ha > linkerd-install-ha.yaml
$ sudo kubectl apply -f linkerd-install-ha.yaml
namespace/linkerd created
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-identity created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-identity created
serviceaccount/linkerd-identity created
clusterrole.rbac.authorization.k8s.io/linkerd-linkerd-destination created
clusterrolebinding.rbac.authorization.k8s.io/linkerd-linkerd-destination created
serviceaccount/linkerd-destination created
secret/linkerd-sp-validator-k8s-tls created
validatingwebhookconfiguration.admissionregistration.k8s.io/linkerd-sp-validator-webhook-config created
secret/linkerd-policy-validator-k8s-tls created
... ...

In HA mode the pods are deployed across the three worker nodes.

Deploying Linkerd-viz in HA mode

sudo linkerd viz install --ha > linkerd-viz-install-ha.yaml
sudo kubectl apply -f linkerd-viz-install-ha.yaml 

Checking the deployment and the web UI

linkerd check
# output of the check
kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API

kubernetes-version
------------------
√ is running the minimum Kubernetes API version

linkerd-existence
-----------------
√ 'linkerd-config' config map exists
√ heartbeat ServiceAccount exist
√ control plane replica sets are ready
√ no unschedulable pods
√ control plane pods are ready
√ cluster networks contains all node podCIDRs
√ cluster networks contains all pods
√ cluster networks contains all services

linkerd-config
--------------
√ control plane Namespace exists
√ control plane ClusterRoles exist
√ control plane ClusterRoleBindings exist
√ control plane ServiceAccounts exist
√ control plane CustomResourceDefinitions exist
√ control plane MutatingWebhookConfigurations exist
√ control plane ValidatingWebhookConfigurations exist
√ proxy-init container runs as root user if docker container runtime is used

linkerd-identity
----------------
√ certificate config is valid
√ trust anchors are using supported crypto algorithm
√ trust anchors are within their validity period
√ trust anchors are valid for at least 60 days
√ issuer cert is using supported crypto algorithm
√ issuer cert is within its validity period
√ issuer cert is valid for at least 60 days
√ issuer cert is issued by the trust anchor

linkerd-webhooks-and-apisvc-tls
-------------------------------
√ proxy-injector webhook has valid cert
√ proxy-injector cert is valid for at least 60 days
√ sp-validator webhook has valid cert
√ sp-validator cert is valid for at least 60 days
√ policy-validator webhook has valid cert
√ policy-validator cert is valid for at least 60 days

linkerd-version
---------------
‼ can determine the latest version
    Get "https://versioncheck.linkerd.io/version.json?version=stable-2.14.0&uuid=8d0253eb-e8bd-4958-afc5-b6e6b1515d9d&source=cli": dial tcp 104.21.63.202:443: connect: connection timed out
    see https://linkerd.io/2.14/checks/#l5d-version-latest for hints
‼ cli is up-to-date
    unsupported version channel: stable-2.14.0
    see https://linkerd.io/2.14/checks/#l5d-version-cli for hints

control-plane-version
---------------------
√ can retrieve the control plane version
‼ control plane is up-to-date
    unsupported version channel: stable-2.14.0
    see https://linkerd.io/2.14/checks/#l5d-version-control for hints
√ control plane and cli versions match

linkerd-control-plane-proxy
---------------------------
√ control plane proxies are healthy
‼ control plane proxies are up-to-date
    some proxies are not running the current version:
        * linkerd-destination-9c8b785b4-74p95 (stable-2.14.0)
        * linkerd-destination-9c8b785b4-l5tgn (stable-2.14.0)
        * linkerd-destination-9c8b785b4-ll5kl (stable-2.14.0)
        * linkerd-identity-d9f84ccd8-4k5wx (stable-2.14.0)
        * linkerd-identity-d9f84ccd8-5xktl (stable-2.14.0)
        * linkerd-identity-d9f84ccd8-xztk6 (stable-2.14.0)
        * linkerd-proxy-injector-bd9c86cdc-4z4gx (stable-2.14.0)
        * linkerd-proxy-injector-bd9c86cdc-8lw58 (stable-2.14.0)
        * linkerd-proxy-injector-bd9c86cdc-s6f97 (stable-2.14.0)
    see https://linkerd.io/2.14/checks/#l5d-cp-proxy-version for hints
√ control plane proxies and cli versions match

linkerd-ha-checks
-----------------
√ pod injection disabled on kube-system
√ multiple replicas of control plane pods

linkerd-viz
-----------
√ linkerd-viz Namespace exists
√ can initialize the client
√ linkerd-viz ClusterRoles exist
√ linkerd-viz ClusterRoleBindings exist
√ tap API server has valid cert
√ tap API server cert is valid for at least 60 days
√ tap API service is running
√ linkerd-viz pods are injected
√ viz extension pods are running
√ viz extension proxies are healthy
‼ viz extension proxies are up-to-date
    Get "https://versioncheck.linkerd.io/version.json?version=stable-2.14.0&uuid=unknown&source=cli": dial tcp 172.67.150.14:443: connect: connection timed out
    see https://linkerd.io/2.14/checks/#l5d-viz-proxy-cp-version for hints
√ viz extension proxies and cli versions match
√ prometheus is installed and configured correctly
√ viz extension self-check

Status check results are √

Note this fragment of the output:

linkerd-ha-checks
-----------------
√ pod injection disabled on kube-system
√ multiple replicas of control plane pods

Because kubectl label namespace kube-system config.linkerd.io/admission-webhooks=disabled was run during preparation, the "pod injection disabled on kube-system" check above passes.

# Forward the viz web service port to the local machine
sudo kubectl -n linkerd-viz port-forward web-8575747b4b-sn85x 8084:8084

Notes on the YAML file

Compared with the non-HA version, the HA YAML file differs as follows:
(1) The replica count increases from 1 to 3
(2) podAntiAffinity is added
(3) A PodDisruptionBudget (PDB) constraint is added

---
kind: PodDisruptionBudget
apiVersion: policy/v1
metadata:
  name: linkerd-identity
  namespace: linkerd
  labels:
    linkerd.io/control-plane-component: identity
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli stable-2.14.0
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      linkerd.io/control-plane-component: identity
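
An added example (not from the original post or the Linkerd project) that checks the placement the three differences above are meant to produce: every control-plane component has at least three replicas and no two replicas of a component share a node. The pod and node names are taken from the output on this page; the node assignments in both samples are constructed.

```bash
#!/usr/bin/env bash
# Input on stdin: "<pod-name> <node-name>" per line, e.g. from
#   kubectl -n linkerd get pods --no-headers \
#     -o custom-columns=NAME:.metadata.name,NODE:.spec.nodeName

# ha_spread_check MIN_REPLICAS
# Prints one FAIL line per problem; returns 1 if a component has fewer than
# MIN_REPLICAS pods or two pods on the same node, 0 otherwise.
ha_spread_check() {
  awk -v min="${1:-3}" '
    NF >= 2 {
      comp = $1
      # Deployment pods are named <deployment>-<replicaset-hash>-<suffix>
      sub(/-[a-z0-9]+-[a-z0-9]+$/, "", comp)
      count[comp]++
      if (seen[comp, $2]++) {
        printf "FAIL %s: more than one replica on node %s\n", comp, $2
        bad = 1
      }
    }
    END {
      for (c in count)
        if (count[c] < min) {
          printf "FAIL %s: %d replica(s), expected at least %d\n", c, count[c], min
          bad = 1
        }
      exit bad + 0
    }'
}

# Constructed sample: pod names from the check output, node placement assumed.
SAMPLE_OK='linkerd-destination-9c8b785b4-74p95 cluster1-worker
linkerd-destination-9c8b785b4-l5tgn cluster1-worker2
linkerd-destination-9c8b785b4-ll5kl cluster1-worker3
linkerd-identity-d9f84ccd8-4k5wx cluster1-worker
linkerd-identity-d9f84ccd8-5xktl cluster1-worker2
linkerd-identity-d9f84ccd8-xztk6 cluster1-worker3
linkerd-proxy-injector-bd9c86cdc-4z4gx cluster1-worker
linkerd-proxy-injector-bd9c86cdc-8lw58 cluster1-worker2
linkerd-proxy-injector-bd9c86cdc-s6f97 cluster1-worker3'

# Constructed failing sample: two identity pods share a node, one injector is missing.
SAMPLE_BAD='linkerd-identity-d9f84ccd8-4k5wx cluster1-worker2
linkerd-identity-d9f84ccd8-5xktl cluster1-worker2
linkerd-identity-d9f84ccd8-xztk6 cluster1-worker3
linkerd-proxy-injector-bd9c86cdc-4z4gx cluster1-worker
linkerd-proxy-injector-bd9c86cdc-8lw58 cluster1-worker3'

printf '%s\n' "$SAMPLE_OK" | ha_spread_check 3 && echo "HA spread OK"
```

With maxUnavailable: 1 in the PDB, a placement that passes this check keeps two replicas of each component running while one node is drained.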

Other notes

Because a KIND environment is used, some images could not be pulled:

$ sudo kind load docker-image prom/prometheus:v2.43.0 --name cluster1
Image: "prom/prometheus:v2.43.0" with ID "sha256:77ee200e57dcf69b947a8834bc84ea1b445618f6fc0f96be2021a202fd3b72d2" not yet present on node "cluster1-control-plane", loading...
Image: "prom/prometheus:v2.43.0" with ID "sha256:77ee200e57dcf69b947a8834bc84ea1b445618f6fc0f96be2021a202fd3b72d2" not yet present on node "cluster1-worker3", loading...
Image: "prom/prometheus:v2.43.0" with ID "sha256:77ee200e57dcf69b947a8834bc84ea1b445618f6fc0f96be2021a202fd3b72d2" not yet present on node "cluster1-worker", loading...
Image: "prom/prometheus:v2.43.0" with ID "sha256:77ee200e57dcf69b947a8834bc84ea1b445618f6fc0f96be2021a202fd3b72d2" not yet present on node "cluster1-worker2", loading...

Reference:
Linkerd's official documentation on high availability
