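[Hardcore Kubernetes deployment: kubernetes-the-hard-way] 04 - Deploying the etcd cluster
4. Deploying the etcd cluster
Kubernetes components are stateless and store cluster state in etcd. In this section we deploy a three-node etcd cluster and configure it for high availability and secure remote access.
1. Configure etcd
Copy the required certificate files
# Go back to the home directory to stay in sync with the tutorial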
$ cd
Example:
[root@node-1 pki]# cd
[root@node-1 ~]#
# Run once on every etcd node
$ mkdir -p /etc/etcd /var/lib/etcd
$ chmod 700 /var/lib/etcd
$ cp ca.pem kubernetes-key.pem kubernetes.pem /etc/etcd/
Configure the etcd.service file
# Run once on every etcd node; be sure to replace the value of "ETCD_IP=" with the IP address of the current etcd node
$ ETCD_NAME=$(hostname -s)
# IP address of the current etcd node
$ ETCD_IP=192.168.31.70
# Names and IP addresses of all etcd nodes
$ ETCD_NAMES=(node-1 node-2 node-3)
$ ETCD_IPS=(192.168.31.70 192.168.31.71 192.168.31.72)
$ cat <<EOF > /etc/systemd/system/etcd.service
[Unit]
Description=etcd
Documentation=https://github.com/coreos
[Service]
Type=notify
ExecStart=/usr/local/bin/etcd \\
--name ${ETCD_NAME} \\
--cert-file=/etc/etcd/kubernetes.pem \\
--key-file=/etc/etcd/kubernetes-key.pem \\
--peer-cert-file=/etc/etcd/kubernetes.pem \\
--peer-key-file=/etc/etcd/kubernetes-key.pem \\
--trusted-ca-file=/etc/etcd/ca.pem \\
--peer-trusted-ca-file=/etc/etcd/ca.pem \\
--peer-client-cert-auth \\
--client-cert-auth \\
--initial-advertise-peer-urls https://${ETCD_IP}:2380 \\
--listen-peer-urls https://${ETCD_IP}:2380 \\
--listen-client-urls https://${ETCD_IP}:2379,https://127.0.0.1:2379 \\
--advertise-client-urls https://${ETCD_IP}:2379 \\
--initial-cluster-token etcd-cluster-0 \\
--initial-cluster ${ETCD_NAMES[0]}=https://${ETCD_IPS[0]}:2380,${ETCD_NAMES[1]}=https://${ETCD_IPS[1]}:2380,${ETCD_NAMES[2]}=https://${ETCD_IPS[2]}:2380 \\
--initial-cluster-state new \\
--data-dir=/var/lib/etcd
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
# Check the generated configuration file
$ cat /etc/systemd/system/etcd.service
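The TLS flags written into etcd.service above can also be checked mechanically instead of by eye. The script below is an added example, not part of the original tutorial: the helper name audit_etcd_unit and both sample unit files are constructed for illustration, and on a node the function would be pointed at /etc/systemd/system/etcd.service.

```shell
#!/bin/sh
# Added example (not from the original tutorial). audit_etcd_unit is a
# hypothetical helper: it prints one line per finding and returns the count.
audit_etcd_unit() {
  unit="$1"; findings=0
  # Boolean flags must be present and not explicitly set to false.
  for flag in --client-cert-auth --peer-client-cert-auth; do
    if ! grep -Eq -e "(^|[[:space:]])${flag}(=true)?([[:space:]]|\$)" "$unit"; then
      echo "FINDING: ${flag} is not enabled"; findings=$((findings + 1))
    fi
  done
  # Certificate, key and CA paths for both client and peer traffic.
  for flag in --cert-file --key-file --trusted-ca-file \
              --peer-cert-file --peer-key-file --peer-trusted-ca-file; do
    if ! grep -Eq -e "(^|[[:space:]])${flag}[= ]" "$unit"; then
      echo "FINDING: ${flag} is missing"; findings=$((findings + 1))
    fi
  done
  # Every flag line that carries a plaintext http:// URL counts once.
  n=$(grep -Ec -e '--[a-z-]+[= ].*http://' "$unit" || true)
  if [ "$n" -gt 0 ]; then
    echo "FINDING: ${n} flag line(s) use http:// instead of https://"
    findings=$((findings + n))
  fi
  return "$findings"
}

# Constructed sample input: a shortened unit using the flags from this page.
good=$(mktemp); weak=$(mktemp)
cat > "$good" <<'EOF'
[Service]
ExecStart=/usr/local/bin/etcd \
  --cert-file=/etc/etcd/kubernetes.pem \
  --key-file=/etc/etcd/kubernetes-key.pem \
  --peer-cert-file=/etc/etcd/kubernetes.pem \
  --peer-key-file=/etc/etcd/kubernetes-key.pem \
  --trusted-ca-file=/etc/etcd/ca.pem \
  --peer-trusted-ca-file=/etc/etcd/ca.pem \
  --peer-client-cert-auth \
  --client-cert-auth \
  --listen-client-urls https://192.168.31.70:2379,https://127.0.0.1:2379
EOF
# Constructed weak variant: client auth removed, peer auth off, plaintext URLs.
sed -e '/[[:space:]]--client-cert-auth/d' -e 's/--peer-client-cert-auth/&=false/' \
    -e '/--listen-client-urls/s/https:/http:/g' "$good" > "$weak"

audit_etcd_unit "$good" && echo "hardened unit: no findings"
audit_etcd_unit "$weak" || echo "weak unit: $? finding(s)"
```

The check only reads the unit file; it does not confirm that the certificate files exist or that the running etcd process was restarted with these flags.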
2. Start the etcd cluster
Once etcd.service has been configured on every etcd node, start the etcd cluster
$ systemctl daemon-reload && systemctl enable etcd && systemctl restart etcd
3. Verify the etcd cluster
Verify the etcd cluster status
ETCDCTL_API=3 etcdctl member list \
--endpoints=https://127.0.0.1:2379 \
--cacert=/etc/etcd/ca.pem \
--cert=/etc/etcd/kubernetes.pem \
--key=/etc/etcd/kubernetes-key.pem