Install nginx outside the cluster as a layer-4 (stream) load balancer
nginx only forwards raw TCP on 16443 to the apiservers on 6443; it terminates nothing, so TLS stays end to end between each client and kube-apiserver (the stream module, ngx_stream_module, must be compiled in or loaded):
stream {
    upstream apiserver {
        server 10.10.10.13:6443 weight=1;
        server 10.10.10.15:6443 weight=1;
        server 10.10.10.16:6443 weight=1;
    }
    server {
        listen 16443;
        proxy_pass apiserver;
    }
}
keepalived
keepalived.conf (shown for a BACKUP node; the MASTER node uses router_id NG_MASTER, state MASTER and priority 100; keepalived comments use # or !, not //)
global_defs {
    router_id NG_BACKUP          # must be unique per node; the master node uses NG_MASTER
    script_user root
}
vrrp_script check_nginx {
    script "/etc/nginx/check_nginx.sh"   # health check script; checking only that nginx is alive is not enough, the script must check that the Kubernetes apiserver is reachable (see the notes at the end)
    interval 2
}
vrrp_instance VI_1 {
    state BACKUP                 # MASTER on the master node
    interface ens33              # network interface name
    virtual_router_id 51
    priority 10                  # master 100; every other node lower than the master
    mcast_src_ip 10.10.10.14     # this node's own IP
    advert_int 1
    authentication {
        auth_type PASS           # VRRP PASS authentication travels in clear text and is deprecated; it does not stop a rogue VRRP speaker on the same segment, so restrict who can reach this L2 segment
        auth_pass 1111
    }
    virtual_ipaddress {
        10.10.10.222             # the virtual IP (VIP)
    }
    track_script {
        check_nginx
    }
}
/etc/nginx/check_nginx.sh (node health check)
#!/bin/bash
# egrep -cv "grep|$$": count the matching lines, excluding the grep itself and this shell's own PID ($$)
count=$(ps -ef | grep nginx | egrep -cv "grep|$$")
if [ "$count" -eq 0 ]; then
    # nginx is gone: stop keepalived so this node stops advertising and the VIP moves to a backup
    systemctl stop keepalived
fi
Two caveats with this script: stopping keepalived is a one-way door (nothing starts it again once nginx is back), and a live nginx process says nothing about whether the apiservers behind it answer, which is exactly the failure described in the notes at the end.
Regenerate the apiserver certificate
Export the ClusterConfiguration from the kubeadm-config ConfigMap in kube-system and edit it:
kubectl -n kube-system get configmap kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' > kubeadm.yaml
Old configuration
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: apiserver.demo:6443
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/k8sxio
kind: ClusterConfiguration
kubernetesVersion: v1.19.5
networking:
  dnsDomain: cluster.local
  podSubnet: 10.100.0.1/16
  serviceSubnet: 10.96.0.0/16
scheduler: {}
Add the master nodes' hostnames and IPs under apiServer.certSANs
apiServer:
  certSANs:
  - apiserver.demo
  - node3
  - node5
  - node6
  - 10.10.10.13
  - 10.10.10.15
  - 10.10.10.16
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: apiserver.demo:6443
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/k8sxio
kind: ClusterConfiguration
kubernetesVersion: v1.19.5
networking:
  dnsDomain: cluster.local
  podSubnet: 10.100.0.1/16
  serviceSubnet: 10.96.0.0/16
scheduler: {}
Note that the VIP 10.10.10.222 is not in this list. That is fine as long as every client connects by the name apiserver.demo (which is a SAN); anything that connects to https://10.10.10.222:16443 directly would fail TLS verification with a hostname mismatch, so add the VIP here if you expect that.
Generate the apiserver certificate
Move the old key pair aside first (kubeadm keeps existing certificate files instead of overwriting them)
mv /etc/kubernetes/pki/apiserver.{crt,key} /backup-dir
Generate the new one from the edited config
kubeadm init phase certs apiserver --config kubeadm.yaml
Kill the old kube-apiserver container; kube-apiserver is a static pod, so the kubelet recreates it and it comes up with the new certificate
docker ps | grep kube-apiserver | grep -v pause
docker kill ${dockerId}
Each control-plane node has its own apiserver.crt, so repeat the move, the certs phase and the container kill on every master.
Verify the certificate
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
- the new node names and IPs now appear in the Subject Alternative Name extension
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8950849701884516000 (0x7c37ce6156bcd6a0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Jun 11 16:58:25 2022 GMT
Not After : Jun 11 17:30:54 2023 GMT
Subject: CN=kube-apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ac:56:5b:d8:5d:46:68:c9:97:f2:54:03:07:b1:
ee:43:f2:7e:a4:46:e3:51:87:75:dd:02:1c:6e:1f:
79:45:7d:d7:7f:10:72:8b:af:7f:24:6d:f3:1e:b4:
f4:d5:88:f4:e6:f0:e3:2a:27:18:8d:a4:73:10:58:
ee:23:c9:60:3c:30:96:56:e5:ca:6b:73:47:34:62:
78:88:b6:08:73:c0:9f:06:0d:ee:22:9f:cd:0f:68:
35:5b:bf:90:98:f7:80:0d:a7:a6:e1:83:da:44:68:
9f:54:be:13:86:04:75:9d:6d:c0:d3:25:eb:1e:cd:
e3:d1:7b:fc:2e:6e:0a:08:88:33:12:fc:18:e8:d6:
2b:2f:43:ab:ea:88:b2:e9:48:67:21:7d:50:45:f0:
e8:9c:17:a3:2a:fc:01:a8:c5:c2:d3:e5:27:71:c7:
8a:9c:ef:0d:8b:0a:1a:de:93:8e:34:4f:c6:b9:f2:
0d:de:38:97:e2:47:be:48:41:6b:d0:cf:9f:b7:67:
b9:5a:8f:50:97:0b:df:18:0c:91:a2:03:5f:a9:7b:
5a:3f:3b:32:26:05:2c:a5:55:50:d1:c2:e3:3c:2b:
bb:a2:f7:14:30:fd:d2:aa:be:23:94:b7:fc:2f:f0:
48:3c:30:57:71:99:e6:d5:be:91:5b:ed:cd:e5:bf:
fc:eb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Authority Key Identifier:
keyid:DD:90:BD:9A:CF:9A:20:E3:DF:D5:D7:51:C8:87:FC:60:EC:50:63:18
X509v3 Subject Alternative Name:
DNS:apiserver.demo, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:node3, DNS:node5, DNS:node6, IP Address:10.96.0.1, IP Address:10.10.10.13, IP Address:10.10.10.15, IP Address:10.10.10.16
Signature Algorithm: sha256WithRSAEncryption
38:87:60:64:02:b3:f3:88:31:b6:8e:49:73:75:32:83:5c:fc:
e3:65:9b:19:b1:e2:57:8d:ab:eb:b6:b6:98:a0:f7:eb:ed:01:
d0:f6:69:a8:2e:47:33:5e:44:c1:a3:33:da:e5:f4:81:b7:eb:
df:d9:56:64:b9:df:d9:ef:91:ff:da:22:5e:cb:af:2b:fb:2d:
22:1e:dc:ac:eb:b7:83:57:30:b9:d6:79:98:0e:57:87:76:03:
b6:b8:e7:46:eb:60:c6:f0:10:76:a8:ce:29:51:80:7b:40:03:
34:8d:0f:d4:57:ae:9f:83:0f:0f:b4:b9:9f:5e:97:2a:2f:19:
7f:0c:c4:2e:3e:88:6e:71:1d:7b:f7:fb:10:6a:8e:e9:b3:d8:
d6:54:01:10:e7:fe:49:c1:bb:b5:8f:e0:ac:3c:43:0d:76:f2:
af:34:3d:40:22:2b:a0:86:f0:cd:60:1c:a1:69:17:99:41:44:
10:1e:39:fc:74:3d:78:79:5d:be:c9:f0:5d:20:4e:45:64:f9:
a2:69:9d:3c:c6:d6:3f:73:f9:5a:33:98:6f:94:02:50:d4:86:
06:6d:4b:73:c1:bc:b3:df:db:ad:c5:0c:da:cb:c0:17:f0:1b:
94:d6:99:24:24:5e:86:a7:d8:90:6c:dd:84:13:cc:44:3c:db:
c1:11:9b:e3
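Reading the openssl dump by eye is error-prone when there are a dozen SANs and three masters to repeat this on. The following is an added example (not code from the original notes) that extracts the SAN line from a certificate and reports any required name that is missing; the certificate path and the required-name list are assumptions matching the cluster above.

```shell
#!/bin/sh
# Added example, not from the original notes: verify that the regenerated
# apiserver certificate carries every SAN that was listed in certSANs.
# Assumed path: /etc/kubernetes/pki/apiserver.crt (override with CERT=...).

CERT="${CERT:-/etc/kubernetes/pki/apiserver.crt}"

# Extract the value line of the "X509v3 Subject Alternative Name" extension.
# grep -A1 on the -text dump works with any openssl version.
cert_san_line() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Normalise a SAN line such as
#   "DNS:apiserver.demo, DNS:kubernetes, IP Address:10.10.10.13"
# into one bare name or address per line.
sans_from_line() {
    printf '%s\n' "$1" \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/^DNS://' -e 's/^IP Address://' \
        | grep -v '^$' || true
}

# Print every required name absent from the SAN line.
# Empty output and exit 0 mean the certificate covers all of them.
missing_sans() {
    line="$1"; shift
    have=$(sans_from_line "$line")
    missing=""
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx "$want"; then
            missing="$missing$want
"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Check a certificate file against the names this cluster needs (the page's
# certSANs plus the in-cluster service IP). Add the VIP 10.10.10.222 here if
# any client connects by IP instead of by the apiserver.demo name.
check_cert() {
    missing_sans "$(cert_san_line "$1")" \
        apiserver.demo node3 node5 node6 \
        10.10.10.13 10.10.10.15 10.10.10.16 10.96.0.1
}

# Run the live check only when executed by its installed name, e.g.
#   ./check_cert_sans.sh   (prints nothing and exits 0 when all SANs are present)
case "$0" in
    *check_cert_sans.sh) check_cert "$CERT" ;;
esac
```

Run it on every master after the certs phase; a non-empty list means that node's certificate was generated from a stale kubeadm.yaml or the certs phase was skipped because the old apiserver.crt was still in place.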
Write the additions back into the kubeadm-config ConfigMap
kubectl edit cm kubeadm-config -n kube-system
Add the same certSANs block under apiServer again, so later kubeadm operations (upgrades, new control-plane joins) generate certificates with these SANs:
  certSANs:
  - apiserver.demo
  - node3
  - node5
  - node6
  - 10.10.10.13
  - 10.10.10.15
  - 10.10.10.16
Check that the write-back succeeded
kubectl -n kube-system get configmap kubeadm-config -o yaml
/etc/hosts
Map the apiserver name (apiserver.demo; the original notes write it as apiserver.xxx in the steps below) to the VIP 10.10.10.222.
vim /etc/kubernetes/kubelet.conf
    server: https://apiserver.demo:16443
Restart the kubelet
systemctl restart kubelet
vim /etc/kubernetes/controller-manager.conf
    server: https://apiserver.demo:16443
Restart kube-controller-manager (kill the container; it is a static pod, so the kubelet restarts it automatically)
docker ps | grep kube-controller-manager | \
grep -v pause
docker kill xxxxxx
vim /etc/kubernetes/scheduler.conf
    server: https://apiserver.demo:16443
Restart the scheduler
docker ps | grep kube-scheduler | grep -v pause
docker kill xxxx
Update kube-proxy (the server line is in the kubeconfig.conf key of the ConfigMap; kube-proxy reads it only at startup, so restart the kube-proxy pods afterwards, for example with kubectl -n kube-system rollout restart ds kube-proxy)
kubectl -n kube-system edit cm kube-proxy
    server: https://apiserver.demo:16443
~/.kube/config
    server: https://apiserver.demo:16443
kubeadm-config: switch controlPlaneEndpoint to port 16443
kubectl edit cm kubeadm-config -n kube-system
    controlPlaneEndpoint: apiserver.demo:16443
Update cluster-info (the kubeconfig in kube-public that joining nodes read during bootstrap discovery)
kubectl -n kube-public edit cm cluster-info
    server: https://apiserver.demo:16443
Verify cluster-info
kubectl cluster-info
Kubernetes master is running at https://apiserver.demo:16443
KubeDNS is running at https://apiserver.demo:16443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
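The endpoint change above is the same one-line edit in four kubeconfig files on every master, which is easy to get wrong on one node and hard to audit afterwards. Below is an added example (not code from the original notes) that repoints all of them in one pass, keeps a backup of each, and verifies the result; the old and new endpoints (apiserver.demo:6443 and apiserver.demo:16443) and the file list are assumptions matching the cluster above.

```shell
#!/bin/sh
# Added example, not from the original notes: repoint the kubeconfigs that
# kubeadm wrote under /etc/kubernetes at the load-balanced endpoint in one
# pass and verify each file, instead of opening each one in vim.
# Assumptions: OLD_ENDPOINT is apiserver.demo:6443, NEW_ENDPOINT is
# apiserver.demo:16443, and the files use the stock kubeadm layout
# ("server: https://host:port" under clusters:).

OLD_ENDPOINT="${OLD_ENDPOINT:-apiserver.demo:6443}"
NEW_ENDPOINT="${NEW_ENDPOINT:-apiserver.demo:16443}"

# Print the server URL a kubeconfig points at (one line per cluster entry).
kubeconfig_server() {
    sed -n 's/^[[:space:]]*server:[[:space:]]*//p' "$1"
}

# Rewrite the server line, keeping a .bak copy next to the file.
# Returns 0 only if the file now points at NEW_ENDPOINT.
repoint_kubeconfig() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    cp -p "$file" "$file.bak"
    sed "s#server: https://$OLD_ENDPOINT#server: https://$NEW_ENDPOINT#" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    [ "$(kubeconfig_server "$file")" = "https://$NEW_ENDPOINT" ]
}

# The files the notes edit by hand, plus admin.conf (which ~/.kube/config
# is normally a copy of). Reports per file and fails if any file was not
# switched, so a node that was missed does not go unnoticed.
repoint_all() {
    dir="$1"; rc=0
    for name in kubelet.conf controller-manager.conf scheduler.conf admin.conf; do
        if repoint_kubeconfig "$dir/$name"; then
            echo "ok      $dir/$name -> $(kubeconfig_server "$dir/$name")"
        else
            echo "FAILED  $dir/$name" >&2; rc=1
        fi
    done
    return $rc
}

# Offline demonstration on a constructed kubeconfig (not a real cluster file).
demo() {
    tmp=$(mktemp -d)
    printf 'apiVersion: v1\nclusters:\n- cluster:\n    server: https://%s\n  name: kubernetes\n' \
        "$OLD_ENDPOINT" > "$tmp/kubelet.conf"
    repoint_kubeconfig "$tmp/kubelet.conf" && kubeconfig_server "$tmp/kubelet.conf"
}

# Run the real rewrite only when executed by its installed name:
#   ./repoint_kubeconfigs.sh
case "$0" in
    *repoint_kubeconfigs.sh) repoint_all /etc/kubernetes ;;
esac
```

After it reports ok for every file, restart the kubelet and kill the controller-manager and scheduler containers exactly as in the steps above; the kubeconfig edits alone do nothing until those processes reload them. A quick end-to-end check that the new endpoint and certificate work together is kubectl --kubeconfig /etc/kubernetes/admin.conf get --raw /readyz, which must print ok.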
Upload the control-plane certificates to the cluster
kubeadm init phase upload-certs --upload-certs
I0612 02:21:45.938155 103642 version.go:252] remote version is much newer: v1.24.1; falling back to: stable-1.19
W0612 02:21:46.570837 103642 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
1b594f631654ac0f221dd0cf593605a30b8f41eee480562d2a3103ab667cfcc7
join (the value of --certificate-key is the certificate key printed by upload-certs)
kubeadm join apiserver.demo:16443 --token 7d07w5.ezk3exm8polcedqu --discovery-token-ca-cert-hash sha256:0cfd862db9cf90787bb8f0aea7acb1a749f6e76cb370493f50f170882bccac3c --control-plane --certificate-key 1b594f631654ac0f221dd0cf593605a30b8f41eee480562d2a3103ab667cfcc7
Both values are short-lived secrets: the kubeadm-certs Secret, and with it the key that decrypts the uploaded certificates, is deleted two hours after upload-certs runs, and a bootstrap token created with kubeadm token create expires after 24 hours by default. Generate them right before the join instead of reusing values from old notes, and do not leave them in shared documents while they are still valid.
Finally
Add the VIP to apiserver.demo mapping to /etc/hosts on every node
Things to watch out for
After the master holding the VIP with the highest priority crashes and reboots, it cannot rejoin the cluster on its own
keepalived needs care here: you cannot treat the node as available just because nginx is up, or you end up in a loop
What happens: the HA master went down and came back; because it has the higher priority and preemption is on by default, it took the VIP back immediately, but at that moment the rebooted machine had not yet rejoined the cluster, and rejoining itself goes through the VIP, so with the VIP sitting on a machine that is not serving yet the join fails
So the check script has to move from "is nginx running" to "is the Kubernetes apiserver reachable through this node". The other half of the fix is keepalived's nopreempt option (it requires state BACKUP on every node, including the one that used to be MASTER): a rebooted node then leaves the VIP where it is until the current holder fails, instead of grabbing it back before it is ready.
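Here is one way to write the check the notes ask for, as an added example (not the original check_nginx.sh and not part of the original notes): it asks the apiserver for /readyz through the local nginx frontend and exits non-zero when that fails, so keepalived drops the node out of the VIP election while the backends are unreachable and takes it back when they recover. The file name check_apiserver.sh, the assumption that nginx listens on 127.0.0.1:16443, the CA path /etc/kubernetes/pki/ca.crt and the name apiserver.demo are assumptions taken from the setup above, not from the original script.

```shell
#!/bin/sh
# /etc/keepalived/check_apiserver.sh
# Added example, not from the original notes: a keepalived check that asks the
# Kubernetes apiserver whether it is ready, through the local nginx frontend,
# rather than only checking that an nginx process exists. Exit status 0 means
# healthy; anything else lets keepalived take this node out of the VIP
# election without the script stopping keepalived outright.
#
# Assumptions (not from the original page): nginx listens on 127.0.0.1:16443,
# the cluster CA is /etc/kubernetes/pki/ca.crt, and /readyz is reachable
# without credentials (kubeadm's default RBAC grants it to unauthenticated
# clients through the system:public-info-viewer ClusterRole).

API_NAME="${API_NAME:-apiserver.demo}"   # a DNS SAN of the apiserver certificate
LB_PORT="${LB_PORT:-16443}"
CA_FILE="${CA_FILE:-/etc/kubernetes/pki/ca.crt}"
TIMEOUT="${TIMEOUT:-2}"

# Is the nginx stream proxy running at all?
nginx_running() {
    pgrep -x nginx >/dev/null 2>&1
}

# Decide health from an HTTP status code and body. /readyz answers 200 with
# the body "ok" when every readiness check passes, and 500 with the failing
# checks listed otherwise. Kept free of network calls so it can be tested.
is_healthy_response() {
    [ "$1" = "200" ] && [ "$2" = "ok" ]
}

# Query /readyz through the load balancer. --resolve pins API_NAME to
# 127.0.0.1 so the certificate is still verified against the CA even though
# 127.0.0.1 itself is not a SAN of the apiserver certificate. The status
# code is appended after a space so body and code can be split afterwards.
apiserver_ready() {
    out=$(curl -s --max-time "$TIMEOUT" --cacert "$CA_FILE" \
              --resolve "$API_NAME:$LB_PORT:127.0.0.1" \
              -w ' %{http_code}' "https://$API_NAME:$LB_PORT/readyz" 2>/dev/null) \
        || return 1
    is_healthy_response "${out##* }" "${out% *}"
}

check() {
    nginx_running && apiserver_ready
}

# keepalived executes this file by path; its exit status is the verdict.
case "$0" in
    *check_apiserver.sh) check ;;
esac
```

Wire it in with a vrrp_script block of the same shape as the page's check_nginx (script "/etc/keepalived/check_apiserver.sh", interval 2), ideally with fall 3 and rise 2 so a single slow request does not flap the VIP. With no weight set, as in the page's config, a failing script moves the instance to FAULT and releases the VIP, and the node rejoins the election once the script passes rise times in a row; if you set a negative weight instead, it must be larger than the priority gap between master and backups (100 versus 10 here), or the master keeps the VIP even while its check fails.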
Lastly, check etcd
docker run --rm -it \
  --net host \
  -v /etc/kubernetes:/etc/kubernetes registry.aliyuncs.com/k8sxio/etcd:3.4.13-0 etcdctl \
  --cert /etc/kubernetes/pki/etcd/peer.crt \
  --key /etc/kubernetes/pki/etcd/peer.key \
  --cacert /etc/kubernetes/pki/etcd/ca.crt \
  --endpoints https://10.10.10.13:2379 endpoint health --cluster
docker run --rm -it \
  --net host \
  -v /etc/kubernetes:/etc/kubernetes registry.aliyuncs.com/k8sxio/etcd:3.4.13-0 etcdctl \
  --cert /etc/kubernetes/pki/etcd/peer.crt \
  --key /etc/kubernetes/pki/etcd/peer.key \
  --cacert /etc/kubernetes/pki/etcd/ca.crt \
  --endpoints https://10.10.10.13:2379,https://10.10.10.15:2379,https://10.10.10.16:2379 endpoint status --write-out=table
The first command fetches the member list from the one endpoint given (--cluster) and reports health for every member; the second prints leader, raft term and index and DB size per member, which is where a member that is up but lagging, or a cluster that has lost its leader, shows up. The peer certificate works as a client certificate here because kubeadm issues it with both serverAuth and clientAuth usage; the certificate kubeadm generates for exactly this purpose is /etc/kubernetes/pki/etcd/healthcheck-client.crt (with its .key), which is the better choice for anything scripted.