kubernetes v1.18.6 高可用集群集群安装说明

前言

之前我有写过普通集群搭建，没有给master做高可用，于是很多给我评论如何弄ha。今天我们就开始怎么去搭建一个高可用的Kuberneters 集群吧！

准备机器或虚拟机

我这里使用六台CentOS虚拟机，你们机器少的话可以删减两台worker，我这里主要还是讲解master的高可用。

镜像地址：http://mirrors.aliyun.com/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-2003.iso

IP	HOSTNAME	CPU	MEMORY	DISK
172.16.0.77	master00	>=2	>=4G	>=8G
172.16.0.78	master01	>=2	>=4G	>=8G
172.16.0.79	master02	>=2	>=4G	>=8G
172.16.0.80	worker00	>=2	>=4G	>=16G
172.16.0.81	worker01	>=2	>=4G	>=16G
172.16.0.82	worker02	>=2	>=4G	>=16G

详细安装步骤与上一篇大同小异

我这里不多做太多介绍了，直接上脚本。需要注意的是我这里的机器与外网隔离的，你们自己ip不一定要按照我的来，自己设置成桥接有网络的配置。

每台机器或虚拟机都执行如下脚本：

systemctl disable postfix --now && systemctl disable firewalld --now
setenforce 0 && sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
swapoff -a && sed -i 's/.*swap.*/#&/' /etc/fstab
cat > /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
cd /etc/yum.repos.d/
mkdir backup
mv ./*.repo backup
curl -O http://mirrors.aliyun.com/repo/Centos-7.repo
curl -O https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
EOF
yum clean all && yum makecache
yum -y update
yum -y install docker-ce docker-ce-cli containerd.io kubelet kubeadm kubectl
systemctl enable docker --now
cat > /etc/docker/daemon.json <<EOF
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ]
}
EOF
mkdir -p /etc/systemd/system/docker.service.d
systemctl daemon-reload && systemctl restart docker
systemctl enable kubelet --now

在各master节点执行如下脚本：

yum -y install keepalived

在master00节点编辑kubeadm-config.yaml文件并保存：

apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.18.6
imageRepository: registry.cn-shanghai.aliyuncs.com/k8sgcrio_containers
apiServer:
  certSANs:
  - master00
  - master01
  - master02
  - vip
  - 172.16.0.77
  - 172.16.0.78
  - 172.16.0.79
  - 172.16.0.76
controlPlaneEndpoint: "172.16.0.76:6443"
#etcd:
    #external:
        #endpoints:
        #- http://172.16.0.160:2379
        #- http://172.16.0.161:2379
        #- http://172.16.0.162:2379
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12

其中 apiServer certSANS 填写master host名和ip以及虚拟ip(VIP)
controlPlaneEndpoint: 可以填VIP，也可以填master其中一个ip。其实个人推荐在准备两台机器搭建nginx一主一备，直接负载均衡转发到三台master即可。
etcd默认使用本地，也可以使用外部etcd集群,搭建方式可以参考我我的Etcd集群搭建：。我这里使用堆叠etcd方式。

在master00节点执行如下脚本：

mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.bak
cat << EOF > /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id master00
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 50
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.16.0.76
    }
}

EOF
systemctl enable keepalived --now
kubeadm init --config=kubeadm-config.yaml
输出结果(一定要记得保存哦，后面会用到！！！)：
此处忽略前半部分
Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:

  kubeadm join 172.16.0.76:6443 --token ymrykq.ra79tq8u29ovhjky \
    --discovery-token-ca-cert-hash sha256:a0f42468b84d3826e92de594416652a5d9b2f757923b1a8ac2a0d7accc80ca75 \
    --control-plane 

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 172.16.0.76:6443 --token ymrykq.ra79tq8u29ovhjky \
    --discovery-token-ca-cert-hash sha256:a0f42468b84d3826e92de594416652a5d9b2f757923b1a8ac2a0d7accc80ca75 

上面其实输出结果都告诉你了，我这里再贴一遍： 

mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config

此时我们使用客户端获取节点信息：

[root@master00 ~]# kubectl get nodes
NAME       STATUS     ROLES    AGE     VERSION
master00   NotReady   master   5m24s   v1.18.6

上面我们看到状态为未就绪，原因是还有一步网络插件没部署，现在我们部署网络插件：

这里的kube-flannel.yml文件请看我上篇文章。

[root@master00 ~]# kubectl apply -f kube-flannel.yml
podsecuritypolicy.policy/psp.flannel.unprivileged created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
serviceaccount/flannel created
configmap/kube-flannel-cfg created
daemonset.apps/kube-flannel-ds-amd64 created
daemonset.apps/kube-flannel-ds-arm64 created
daemonset.apps/kube-flannel-ds-arm created
daemonset.apps/kube-flannel-ds-ppc64le created
daemonset.apps/kube-flannel-ds-s390x created

免密登录设置在master00上操作：

ssh-keygen
ssh-copy-id master01
ssh-copy-id master02

复制证书相关文件到其他master节点：

ssh master01 'mkdir -p /etc/kubernetes/pki/etcd/'
ssh master02 'mkdir -p /etc/kubernetes/pki/etcd/'
cd /etc/kubernetes/pki/
scp -r ca.* sa.* front-proxy-ca.* master01:$PWD
scp -r ca.* sa.* front-proxy-ca.* master02:$PWD
cd /etc/kubernetes/pki/etcd/
scp -r ca.* master01:$PWD
scp -r ca.* master02:$PWD

 

在master01节点执行如下脚本：

mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.bak
cat << EOF > /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id master01
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 50
    priority 90
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.16.0.76
    }
}
EOF
systemctl enable keepalived --now
kubeadm join 172.16.0.76:6443 --token ymrykq.ra79tq8u29ovhjky \
    --discovery-token-ca-cert-hash sha256:a0f42468b84d3826e92de594416652a5d9b2f757923b1a8ac2a0d7accc80ca75 \
    --control-plane
输出结果：
忽略前半部分
This node has joined the cluster and a new control plane instance was created:

* Certificate signing request was sent to apiserver and approval was received.
* The Kubelet was informed of the new secure connection details.
* Control plane (master) label and taint were applied to the new node.
* The Kubernetes control plane instances scaled up.
* A new etcd member was added to the local/stacked etcd cluster.

To start administering your cluster from this node, you need to run the following as a regular user:

	mkdir -p $HOME/.kube
	sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
	sudo chown $(id -u):$(id -g) $HOME/.kube/config

Run 'kubectl get nodes' to see this node join the cluster.

在master02节点执行如下脚本：

mv /etc/keepalived/keepalived.conf /etc/keepalived/keepalived.bak
cat << EOF > /etc/keepalived/keepalived.conf
! Configuration File for keepalived

global_defs {
   router_id master02
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 50
    priority 80
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        172.16.0.76
    }
}
EOF
systemctl enable keepalived --now
kubeadm join 172.16.0.76:6443 --token ymrykq.ra79tq8u29ovhjky \
    --discovery-token-ca-cert-hash sha256:a0f42468b84d3826e92de594416652a5d9b2f757923b1a8ac2a0d7accc80ca75 \
    --control-plane
输出结果：
忽略前半部分
This node has joined the cluster and a new control plane instance was created:

* Certificate signing request was sent to apiserver and approval was received.
* The Kubelet was informed of the new secure connection details.
* Control plane (master) label and taint were applied to the new node.
* The Kubernetes control plane instances scaled up.
* A new etcd member was added to the local/stacked etcd cluster.

To start administering your cluster from this node, you need to run the following as a regular user:

	mkdir -p $HOME/.kube
	sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
	sudo chown $(id -u):$(id -g) $HOME/.kube/config

Run 'kubectl get nodes' to see this node join the cluster.

在master00上检查集群情况：

[root@master00 ~]# kubectl get nodes
NAME      STATUS   ROLES    AGE     VERSION
master00  Ready    master   37m     v1.18.6
master01  Ready    master   10m     v1.18.6
master02  Ready    master   9m53s   v1.18.6

 大家可以看到master都成功加入集群了，这里是三个master，当master00挂掉的时候，keepalived的lvs技术会根据优先级虚拟vip。也就是我们前面配置到的172.16.0.76！当master00恢复的时候lvs会把虚拟vip交给master00。后面worker加入就更加简单了，直接复制上面加入命令。

在各个worker节点执行如下命令：

[root@worker00 ~]# kubeadm join 172.16.0.76:6443 --token ymrykq.ra79tq8u29ovhjky \
>     --discovery-token-ca-cert-hash sha256:a0f42468b84d3826e92de594416652a5d9b2f757923b1a8ac2a0d7accc80ca75 
W0804 16:19:40.260197    1645 join.go:346] [preflight] WARNING: JoinControlPane.controlPlane settings will be ignored when control-plane flag is not set.
[preflight] Running pre-flight checks
	[WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service'
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.18" ConfigMap in the kube-system namespace
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

在返回到master00执行如下命令：

[root@master00 ~]# kubectl get nodes
NAME      STATUS   ROLES    AGE   VERSION
master00  Ready    master   77m   v1.18.6
master01  Ready    master   50m   v1.18.6
master02  Ready    master   50m   v1.18.6
worker00  Ready    <none>   42s   v1.18.6
worker01  Ready    <none>   19s   v1.18.6
worker02  Ready    <none>   10s   v1.18.6

好了，高可用集群搭建完毕，有什么问题继续下面评论。