Binary Installation: Kubernetes HA Cluster (07) - Deploying the High-Availability Components


Author: Chris0Yang | Published 2021-08-26 17:42

    This document walks through using keepalived and haproxy to make kube-apiserver highly available:

    • keepalived provides the VIP through which kube-apiserver is exposed;
    • haproxy listens on the VIP, proxies to every kube-apiserver instance on the backend, and provides health checking and load balancing;

    The nodes that run keepalived and haproxy are called LB nodes. Because keepalived runs in a one-master, multiple-backup mode, at least two LB nodes are required.

    This document reuses the three master-node machines. The port haproxy listens on (8443) must differ from kube-apiserver's port 6443 to avoid a conflict.

    While running, keepalived periodically checks the state of the local haproxy process. If it finds the haproxy process unhealthy, it triggers a new master election, and the VIP floats to the newly elected master node; this keeps the VIP highly available.

    All components (kubectl, apiserver, controller-manager, scheduler, and so on) access the kube-apiserver service through the VIP and port 8443, which haproxy listens on.
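
    The scripts below all source /opt/k8s/bin/environment.sh. For reference, here is a minimal sketch of the variables that file is assumed to define (the real file was created in earlier parts of this series); the values are this document's example addresses:

```shell
# Minimal sketch of /opt/k8s/bin/environment.sh (an assumption for
# illustration; the real file comes from earlier parts of this series).
NODE_IPS=(172.68.96.101 172.68.96.102 172.68.96.103)  # master/LB nodes
export MASTER_VIP=172.68.96.88                        # keepalived VIP
export VIP_IF=eth0                                    # interface that holds the VIP
export KUBE_APISERVER="https://${MASTER_VIP}:8443"    # haproxy front end
echo "${KUBE_APISERVER}"
```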

    1) Install the packages

    cat > magic27_install_package.sh << "EOF"
    #!/bin/bash
    # Install keepalived and haproxy on all nodes
    source /opt/k8s/bin/environment.sh
    for node_ip in ${NODE_IPS[@]}
    do
        echo ">>> ${node_ip}" 
        ssh root@${node_ip} "yum install -y keepalived haproxy"
    done
    EOF
    

    2) Create and distribute the haproxy configuration file

    The haproxy configuration file:

    cat > haproxy.cfg <<EOF
    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /var/run/haproxy-admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        nbproc 1
    defaults
        log global
        timeout connect 5000
        timeout client 10m
        timeout server 10m
    listen admin_stats
        bind 0.0.0.0:10080
        mode http
        log 127.0.0.1 local0 err
        stats refresh 30s
        stats uri /status
        stats realm welcome login\ Haproxy
        stats auth admin:123456
        stats hide-version
        stats admin if TRUE
    listen kube-master
        bind 0.0.0.0:8443
        mode tcp
        option tcplog
        balance source
        server 172.68.96.101 172.68.96.101:6443 check inter 2000 fall 2 rise 2 weight 1
        server 172.68.96.102 172.68.96.102:6443 check inter 2000 fall 2 rise 2 weight 1
        server 172.68.96.103 172.68.96.103:6443 check inter 2000 fall 2 rise 2 weight 1
    EOF
    

    Note: change the IP addresses above to match your own environment.

    • haproxy serves its status page on port 10080;
    • haproxy listens on port 8443 on all interfaces; this port must match the one specified by the ${KUBE_APISERVER} environment variable;
    • the server lines list the IPs and ports that the kube-apiserver instances listen on;

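    The three server lines can also be generated from NODE_IPS instead of typed by hand, which keeps the backend list in sync with environment.sh. A sketch, assuming (as in this document) that every node in NODE_IPS runs kube-apiserver on port 6443:

```shell
# Emit one haproxy "server" line per node in NODE_IPS. Assumes every
# node runs kube-apiserver on port 6443, matching the config above.
NODE_IPS=(172.68.96.101 172.68.96.102 172.68.96.103)
for node_ip in "${NODE_IPS[@]}"
do
    echo "    server ${node_ip} ${node_ip}:6443 check inter 2000 fall 2 rise 2 weight 1"
done
```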
    Distribute haproxy.cfg to all cluster nodes:

    cat > magic28_distribute_haproxy.sh << "EOF"
    #!/bin/bash
    # Distribute haproxy.cfg to all cluster nodes
    source /opt/k8s/bin/environment.sh
    for node_ip in ${NODE_IPS[@]}
    do
        echo ">>> ${node_ip}" 
        scp /data/template/haproxy.cfg root@${node_ip}:/etc/haproxy
    done
    EOF
    

    3) Start the haproxy service

    cat > magic29_start_haproxy.sh << "EOF"
    #!/bin/bash
    # Start the haproxy service
    source /opt/k8s/bin/environment.sh
    for node_ip in ${NODE_IPS[@]}
    do
        echo ">>> ${node_ip}" 
        ssh root@${node_ip} "systemctl restart haproxy"
    done
    EOF
    

    4) Check the haproxy service status

    cat > magic30_check_haproxy_service.sh << "EOF"
    #!/bin/bash
    # Check the haproxy service status
    source /opt/k8s/bin/environment.sh
    for node_ip in ${NODE_IPS[@]}
    do
        echo ">>> ${node_ip}" 
        ssh root@${node_ip} "systemctl status haproxy|grep Active"
    done
    EOF
    

    If you see output like the following:

    bash magic30_check_haproxy_service.sh
    >>> 172.68.96.101
       Active: active (running) since Wed 20XX-XX-XX XX:XX:XX CST; XXh ago
    >>> 172.68.96.102
       Active: active (running) since Wed 20XX-XX-XX XX:XX:XX CST; XXh ago
    >>> 172.68.96.103
       Active: active (running) since Wed 20XX-XX-XX XX:XX:XX CST; XXh ago
    

    then haproxy is running normally. If it failed, inspect it with:

    journalctl -xu haproxy
    

    Check that haproxy is listening on port 8443:

    cat > magic31_check_haproxy_proxy8443.sh << "EOF"
    #!/bin/bash
    source /opt/k8s/bin/environment.sh
    for node_ip in ${NODE_IPS[@]}
    do
        echo ">>> ${node_ip}" 
        ssh root@${node_ip} "netstat -lnpt|grep haproxy"
    done
    EOF
    

    You should see output like the following:

    bash magic31_check_haproxy_proxy8443.sh 
    >>> 172.68.96.101
    tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      25950/haproxy       
    tcp        0      0 0.0.0.0:10080           0.0.0.0:*               LISTEN      25950/haproxy       
    >>> 172.68.96.102
    tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      8042/haproxy        
    tcp        0      0 0.0.0.0:10080           0.0.0.0:*               LISTEN      8042/haproxy        
    >>> 172.68.96.103
    tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      7391/haproxy        
    tcp        0      0 0.0.0.0:10080           0.0.0.0:*               LISTEN      7391/haproxy   
    

    5) Create and distribute the keepalived configuration files

    keepalived runs in a one-master (MASTER), multiple-backup (BACKUP) mode, so there are two kinds of configuration file. There is a single master configuration file, while the number of backup configuration files depends on the number of nodes. For this document, the plan is:

    • master: 172.68.96.101
    • backup: 172.68.96.102, 172.68.96.103

    The master configuration file:

    source /opt/k8s/bin/environment.sh
    
    cat  > /data/template/keepalived-master.conf <<EOF
    global_defs {
        router_id lb-master-105
    }
    vrrp_script check-haproxy {
        script "killall -0 haproxy"
        interval 5
        weight -30
    }
    vrrp_instance VI-kube-master {
        state MASTER
        priority 120
        dont_track_primary
        interface ${VIP_IF}
        virtual_router_id 68
        advert_int 3
        track_script {
            check-haproxy
        }
        virtual_ipaddress {
            ${MASTER_VIP}
        }
    }
    EOF
    
    • the interface that holds the VIP (interface ${VIP_IF}) is eth0;
    • the killall -0 haproxy command checks whether the haproxy process on this node is alive; if it is not, the node's priority is reduced by the weight (-30), which triggers a new master election;
    • router_id and virtual_router_id identify the keepalived instances that belong to this HA group; if you run multiple keepalived HA groups, each group must use different values;
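
    The check relies on the semantics of signal 0: killall -0 haproxy delivers no signal at all, it only reports, via its exit status, whether a process named haproxy exists. The same mechanism can be demonstrated with the kill builtin on a single PID, using sleep as a stand-in for haproxy; this prints "process alive" followed by "process gone":

```shell
# Signal 0 tests for a process's existence without affecting it;
# keepalived treats a non-zero exit status as a failed health check.
# "sleep" stands in for haproxy here.
sleep 30 &
pid=$!
kill -0 "${pid}" && echo "process alive"
kill "${pid}"
wait "${pid}" 2>/dev/null || true   # reap it so the PID is really gone
kill -0 "${pid}" 2>/dev/null || echo "process gone"
```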

    The backup configuration file:

    source /opt/k8s/bin/environment.sh
    
    cat  > /data/template/keepalived-backup.conf <<EOF
    global_defs {
        router_id lb-backup-105
    }
    vrrp_script check-haproxy {
        script "killall -0 haproxy"
        interval 5
        weight -30
    }
    vrrp_instance VI-kube-master {
        state BACKUP
        priority 110
        dont_track_primary
        interface ${VIP_IF}
        virtual_router_id 68
        advert_int 3
        track_script {
            check-haproxy
        }
        virtual_ipaddress {
            ${MASTER_VIP}
        }
    }
    EOF
    
    • the interface that holds the VIP (interface ${VIP_IF}) is eth0;
    • the killall -0 haproxy command checks whether the haproxy process on this node is alive; if it is not, the node's priority is reduced by the weight (-30), which triggers a new master election;
    • router_id and virtual_router_id identify the keepalived instances that belong to this HA group; if you run multiple keepalived HA groups, each group must use different values;
    • priority must be lower than the master's value;
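
    With these values the failover arithmetic works out: when check-haproxy fails on the master, its priority 120 is reduced by the weight to 90, which is below the backup's 110, so a backup wins the next election and takes over the VIP. A quick sanity check of the numbers used above:

```shell
# Failover arithmetic for the priorities and weight configured above:
# MASTER 120 + (-30) = 90 < BACKUP 110, so a backup takes over the VIP.
master_priority=120
backup_priority=110
check_weight=-30
degraded=$((master_priority + check_weight))
echo "master priority after a failed check: ${degraded}"
if [ "${degraded}" -lt "${backup_priority}" ]; then
    echo "a backup wins the next election"
fi
```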

    6) Distribute the keepalived configuration files

    Distribute the master configuration file:

    scp /data/template/keepalived-master.conf root@master:/etc/keepalived/keepalived.conf
    

    Distribute the backup configuration files:

    scp /data/template/keepalived-backup.conf root@node01:/etc/keepalived/keepalived.conf
    scp /data/template/keepalived-backup.conf root@node02:/etc/keepalived/keepalived.conf
    

    7) Start the keepalived service

    cat > magic32_start_keepalived_service.sh << "EOF"
    #!/bin/bash
    # Start the keepalived service
    source /opt/k8s/bin/environment.sh
    for node_ip in ${NODE_IPS[@]}
    do
        echo ">>> ${node_ip}" 
        ssh root@${node_ip} "systemctl restart keepalived"
    done
    EOF
    

    8) Check the keepalived service

    cat > magic33_check_keepalived_service.sh << "EOF"
    #!/bin/bash
    # Check the keepalived service
    source /opt/k8s/bin/environment.sh
    for node_ip in ${NODE_IPS[@]}
    do
        echo ">>> ${node_ip}" 
        ssh root@${node_ip} "systemctl status keepalived|grep Active"
    done
    EOF
    

    The output should look like this:

    bash magic33_check_keepalived_service.sh
    >>> 172.68.96.101
       Active: active (running) since Wed 20XX-XX-XX XX:XX:XX CST; XXh ago
    >>> 172.68.96.102
       Active: active (running) since Wed 20XX-XX-XX XX:XX:XX CST; XXh ago
    >>> 172.68.96.103
       Active: active (running) since Wed 20XX-XX-XX XX:XX:XX CST; XXh ago
    

    then keepalived is running normally. If it failed, check the logs:

    journalctl -xu keepalived
    

    Find the node that holds the VIP, and make sure the VIP can be pinged:

    cat > magic34_ping_keepalived_service.sh << "EOF"
    #!/bin/bash
    # Find the node holding the VIP and make sure the VIP can be pinged
    source /opt/k8s/bin/environment.sh
    for node_ip in ${NODE_IPS[@]}
    do
        echo ">>> ${node_ip}" 
        ssh ${node_ip} "/usr/sbin/ip addr show ${VIP_IF}"
        ssh ${node_ip} "ping -c 1 ${MASTER_VIP}"
    done
    EOF
    

    You can see that the VIP currently sits on the master node, and it is reachable from every node:

    bash magic34_ping_keepalived_service.sh 
    >>> 172.68.96.101
    ......
    PING 172.68.96.88 (172.68.96.88) 56(84) bytes of data.
    64 bytes from 172.68.96.88: icmp_seq=1 ttl=64 time=0.031 ms
    ...........
    

    9) View the haproxy status page

    Open ${MASTER_VIP}:10080/status in a browser to view the haproxy status page.
    The username and password are the ones defined in the haproxy configuration above (stats auth admin:123456).
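
    The page can also be checked from the command line. A sketch that assembles the curl command from the values defined earlier in this document (stats port 10080, stats uri /status, stats auth admin:123456); run the printed command from any machine that can reach the VIP:

```shell
# Build the status-page check from values defined earlier in this
# document; MASTER_VIP is this document's example VIP (normally it
# would come from environment.sh).
MASTER_VIP=172.68.96.88
STATUS_URL="http://${MASTER_VIP}:10080/status"
echo "curl -s -u admin:123456 ${STATUS_URL}"
```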


    Permalink: https://www.haomeiwen.com/subject/wjduiltx.html