# 集群高可用 Kubernetes 从 1.5 开始,通过 `kops` 或者 `kube-up.sh` 部署的集群会自动部署一个高可用的系统,包括 * Etcd 集群模式 * kube-apiserver 负载均衡 * kube-controller-manager、kube-scheduler 和 cluster-autoscaler 自动选主(有且仅有一个运行实例) 如下图所示 ![ha](/files/nB8dm32w6dI0XF5UBMq1) 注意:以下步骤假设每台机器上 Kubelet 和 Docker 已配置并处于正常运行状态。 ## Etcd 集群 安装 cfssl ```bash # On all etcd nodes curl -o /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 curl -o /usr/local/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 chmod +x /usr/local/bin/cfssl* ``` 生成 CA certs: ```bash # SSH etcd0 mkdir -p /etc/kubernetes/pki/etcd cd /etc/kubernetes/pki/etcd cat >ca-config.json <ca-csr.json <client.json <:/etc/kubernetes/pki/etcd/ca.pem . scp root@:/etc/kubernetes/pki/etcd/ca-key.pem . scp root@:/etc/kubernetes/pki/etcd/client.pem . scp root@:/etc/kubernetes/pki/etcd/client-key.pem . scp root@:/etc/kubernetes/pki/etcd/ca-config.json . # Run on all etcd nodes cfssl print-defaults csr > config.json sed -i '0,/CN/{s/example\.net/'"$PEER_NAME"'/}' config.json sed -i 's/www\.example\.net/'"$PRIVATE_IP"'/' config.json sed -i 's/example\.net/'"$PUBLIC_IP"'/' config.json cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server config.json | cfssljson -bare server cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer config.json | cfssljson -bare peer ``` 最后运行 etcd,将如下的 yaml 配置写入每台 etcd 节点的 `/etc/kubernetes/manifests/etcd.yaml` 文件中,注意替换 * `` 为 etcd 节点名称 (比如 `etcd0`, `etcd1` 和 `etcd2`) * ``, `` and `` 为 etcd 节点的内网 IP 地址 ```bash cat >/etc/kubernetes/manifests/etcd.yaml < namespace: kube-system spec: containers: - command: - etcd --name ${PEER_NAME} \ - --data-dir /var/lib/etcd \ - --listen-client-urls https://${PRIVATE_IP}:2379 \ - --advertise-client-urls https://${PRIVATE_IP}:2379 \ - --listen-peer-urls https://${PRIVATE_IP}:2380 \ - --initial-advertise-peer-urls https://${PRIVATE_IP}:2380 \ - --cert-file=/certs/server.pem \ - --key-file=/certs/server-key.pem \ - --client-cert-auth \ - --trusted-ca-file=/certs/ca.pem \ - --peer-cert-file=/certs/peer.pem \ - --peer-key-file=/certs/peer-key.pem \ - --peer-client-cert-auth \ - --peer-trusted-ca-file=/certs/ca.pem \ - --initial-cluster etcd0=https://:2380,etcd1=https://:2380,etcd1=https://:2380 \ - --initial-cluster-token my-etcd-token \ - --initial-cluster-state new image: gcr.io/google_containers/etcd-amd64:3.1.0 livenessProbe: httpGet: path: /health port: 2379 scheme: HTTP initialDelaySeconds: 15 timeoutSeconds: 15 name: etcd env: - name: PUBLIC_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: PRIVATE_IP valueFrom: fieldRef: fieldPath: status.podIP - name: PEER_NAME valueFrom: fieldRef: fieldPath: metadata.name volumeMounts: - mountPath: /var/lib/etcd name: etcd - mountPath: /certs name: certs hostNetwork: true volumes: - hostPath: path: /var/lib/etcd type: DirectoryOrCreate name: etcd - hostPath: path: /etc/kubernetes/pki/etcd name: certs EOF ``` > 注意:以上方法需要每个 etcd 节点都运行 kubelet。如果不想使用 kubelet,还可以通过 systemd 的方式来启动 etcd: > > ```bash > export ETCD_VERSION=v3.1.10 > curl -sSL https://github.com/coreos/etcd/releases/download/${ETCD_VERSION}/etcd-${ETCD_VERSION}-linux-amd64.tar.gz | tar -xzv --strip-components=1 -C /usr/local/bin/ > rm -rf etcd-$ETCD_VERSION-linux-amd64* > > touch /etc/etcd.env > echo "PEER_NAME=$PEER_NAME" >> /etc/etcd.env > echo "PRIVATE_IP=$PRIVATE_IP" >> /etc/etcd.env > > cat >/etc/systemd/system/etcd.service < [Unit] > Description=etcd > Documentation=https://github.com/coreos/etcd > Conflicts=etcd.service > Conflicts=etcd2.service > > [Service] > EnvironmentFile=/etc/etcd.env > Type=notify > Restart=always > RestartSec=5s > LimitNOFILE=40000 > TimeoutStartSec=0 > > ExecStart=/usr/local/bin/etcd --name ${PEER_NAME} \ > --data-dir /var/lib/etcd \ > --listen-client-urls https://${PRIVATE_IP}:2379 \ > --advertise-client-urls https://${PRIVATE_IP}:2379 \ > --listen-peer-urls https://${PRIVATE_IP}:2380 \ > --initial-advertise-peer-urls https://${PRIVATE_IP}:2380 \ > --cert-file=/etc/kubernetes/pki/etcd/server.pem \ > --key-file=/etc/kubernetes/pki/etcd/server-key.pem \ > --client-cert-auth \ > --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.pem \ > --peer-cert-file=/etc/kubernetes/pki/etcd/peer.pem \ > --peer-key-file=/etc/kubernetes/pki/etcd/peer-key.pem \ > --peer-client-cert-auth \ > --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.pem \ > --initial-cluster etcd0=https://:2380,etcd1=https://:2380,etcd2=https://:2380 \ > --initial-cluster-token my-etcd-token \ > --initial-cluster-state new > > [Install] > WantedBy=multi-user.target > EOF > > systemctl daemon-reload > systemctl start etcd > ``` ## kube-apiserver 把 `kube-apiserver.yaml` 放到每台 Master 节点的 `/etc/kubernetes/manifests/`,并把相关的配置放到 `/srv/kubernetes/`,即可由 kubelet 自动创建并启动 apiserver: * basic\_auth.csv - basic auth user and password * ca.crt - Certificate Authority cert * known\_tokens.csv - tokens that entities (e.g. the kubelet) can use to talk to the apiserver * kubecfg.crt - Client certificate, public key * kubecfg.key - Client certificate, private key * server.cert - Server certificate, public key * server.key - Server certificate, private key > 注意:确保 kube-apiserver 配置 --etcd-quorum-read=true(v1.9 之后默认为 true)。 ### kubeadm 如果使用 kubeadm 来部署集群的话,可以按照如下步骤配置: ```bash # on master0 # deploy master0 cat >config.yaml < kubeadm-config.yaml < kube-proxy-сm.yaml sed -i 's#server:.*#server: https://:6443#g' kube-proxy-cm.yaml kubectl apply -f kube-proxy-cm.yaml --force # restart all kube-proxy pods to ensure that they load the new configmap kubectl delete pod -n kube-system -l k8s-app=kube-proxy ``` ## kubelet kubelet 需要配置 kube-apiserver 负载均衡的 IP 地址 ```bash sudo sed -i 's#server:.*#server: https://:6443#g' /etc/kubernetes/kubelet.conf sudo systemctl restart kubelet ``` ## 数据持久化 除了上面提到的这些配置,持久化存储也是高可用 Kubernetes 集群所必须的。 * 对于公有云上部署的集群,可以考虑使用云平台提供的持久化存储,比如 aws ebs 或者 gce persistent disk * 对于物理机部署的集群,可以考虑使用 iSCSI、NFS、Gluster 或者 Ceph 等网络存储,也可以使用 RAID ## 参考文档 * [Set up High-Availability Kubernetes Masters](https://kubernetes.io/docs/tasks/administer-cluster/highly-available-master/) * [Creating Highly Available Clusters with kubeadm](https://kubernetes.io/docs/setup/independent/high-availability/) * [Kubernetes Master Tier For 1000 Nodes Scale](http://fuel-ccp.readthedocs.io/en/latest/design/k8s_1000_nodes_architecture.html) * [Scaling Kubernetes to Support 50000 Services](https://docs.google.com/presentation/d/1BaIAywY2qqeHtyGZtlyAp89JIZs59MZLKcFLxKE6LyM/edit#slide=id.p3) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kubernetes.feisky.xyz/practice/ha.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.