Kubernetes Cluster HA Solution in Private Cloud

Others 2022-04-20 17:06:54 views: 0

For more in-depth articles on Kubernetes, please visit my oschina/WaltonWang blog homepage.

Kubernetes Master HA Architecture Diagram

Enter image description

Configuration and Description

  1. All components can be started and managed by kubelet static pod. The kubelet static pod mechanism ensures the high availability of each component on the host. Note that kubelet needs to add configuration --allow-privileged=true;

  2. The high availability of the kubelet that manages the static pod is responsible for systemd;

  3. Of course, you can also deploy these components directly through processes, and systemd manages these processes directly; (We chose this method to reduce complexity.)

  4. In the above figure, etcd and Master are deployed together, and three etcds are deployed on three Master nodes respectively, and these three etcds form a cluster; (Of course, if conditions permit, it is recommended to deploy etcd clusters and Master nodes separately.)

  5. The apiserver, controller-manager, and scheduler in each Master use hostNetwork, and the controller-manager and scheduler connect to the apiserver of this node through localhost, and will not connect to the apiservers of the other two Master nodes;

  6. External rest-client, kubectl, kubelet, kube-proxy, etc. all pass the TLS certificate, and do TLS termination on the LB node. When the LB comes out, the http request is sent to the corresponding apiserver instance through the LB policy (RR);

  7. The access from apiserver to kubelet server and kube-proxy server is also similar. Https goes to LB for TLS termination, and then http request goes out to the kubelet/kube-proxy server of the corresponding node;

  8. The HA of the apiserver is guaranteed by the classic haproxy + keepalived, and the cluster exposes the VIP to the outside world;

  9. The HA of controller-manager and scheduler uses the leader election function (--leader-elect=true) provided by itself, so that only one of the three controller-manager and scheduler is the leader, and the leader is in a normal working state. When the leader fails, it will Re-elect a new leader to replace and continue to work;

  10. Therefore, in this HA scheme, haproxy+keepalived is used to do LB and HA of apiserver, controller-manager and scheduler achieve HA through their own leader election, etcd ensures the consistency of etcd cluster data through the raft protocol to achieve HA;

  11. The configuration of keepalived can refer to the following:

    vrrp_script check_script {
 script  "/etc/keepalived/check_haproxy.py  http://caicloud:[email protected]/haproxy?stats"
 interval 5 # check every 5 seconds
 weight 5
 fall 2 # require 2 fail for KO
 rise 1 # require 1 successes for OK
}

vrrp_instance VI_01 {
	state MASTER (BACKUP)
	interface eth1
	track_interface {
		eth1
	}


	vrrp_garp_master_repeat 5
	vrrp_garp_master_refresh 10

	virtual_router_id 51
	priority 100 (97)

	advert_int 1

	authentication {
		auth_type PASS
		auth_pass username
	}

	virtual_ipaddress {
		192.168.205.254 dev eth1 label eth1:vip
	}

	track_script {
		check_script
	}

	notify "etc/keepalived/notify_state.sh"
}

  12. The configuration of haproxy can be referred to as follows:

    global
	log 127.0.0.1 local0
	maxconn 32768
	pidfile /run/haproxy.pid
	# turn on stats unix socket
	stats socket /run/haproxy.stats
	tune.ssl.default-dh-param  2048

default 
	log global
	mode http
	option httplog
	option dontlognull
	retries 3
	timeout connect 5000ms
	timeout client 50000ms
	timeout server 50000ms
	timeout check 50000ms
	timeout queue 50000ms

frontend frontend-apisver-http
	bind *:8080
	option forwardfor

	acl local_net src 192.168.205.0/24

	http-request allow if local_net
	http-request deny

	default_backend backend-apiserver-http

frontedn frontend-apiserver-https
	# haproxy enable ssl
	bind *:443 ssl crt /etc/kubernetes/master-lb.pem
	option forwardfor
	default_backend backend-apiserver-http

backend backend-apiserver-http
	balance roundrobin
	option forward-for

	server master-1 192.168.205.11:8080  check
	server master-2 192.168.205.12:8080  check
	server master-3 192.168.205.13:8080  check

listen  admin_stats
       bind  0.0.0.0:80
       log  global
       mode  http
       maxconn  10
       stats  enable
       #Hide  HAPRoxy version, a necessity for any public-facing site
       stats  hide-version
       stats  refresh 30s
       stats  show-node
       stats  realm Haproxy\ Statistics
       stats  auth caicloud:caicloud
       stats  uri /haproxy?stats

  13. The node where the LB is located, pay attention to ensure that the ip_vs model is loaded, and ip_forward and ip_nonlocal_bind are enabled;

    # make sure ip_vs kernel model is loaded
modprobe ip_vs
modprobe ip_vs_rr
modprobe ip_vs_wrr

# enable ip_forward and ip_nonlocal_bind
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.ipv4.ip_nonlocal_bind = 1" >> /etc/sysctl.conf

  14. If you deploy K8S components through pods, you can refer to the official Yaml:

  • apiserver

    apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  hostNetwork: true
  containers:
  - name: kube-apiserver
    image: gcr.io/google_containers/kube-apiserver:9680e782e08a1a1c94c656190011bd02
    command:
    - /bin/sh
    - -c
    - /usr/local/bin/kube-apiserver --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001
      --cloud-provider=gce   --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
      --service-cluster-ip-range=10.0.0.0/16 --client-ca-file=/srv/kubernetes/ca.crt
      --basic-auth-file=/srv/kubernetes/basic_auth.csv --cluster-name=e2e-test-bburns
      --tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key
      --secure-port=443 --token-auth-file=/srv/kubernetes/known_tokens.csv  --v=2
      --allow-privileged=False 1>>/var/log/kube-apiserver.log 2>&1
    ports:
    - containerPort: 443
      hostPort: 443
      name: https
    - containerPort: 7080
      hostPort: 7080
      name: http
    - containerPort: 8080
      hostPort: 8080
      name: local
    volumeMounts:
    - mountPath: /srv/kubernetes
      name: srvkube
      readOnly: true
    - mountPath: /var/log/kube-apiserver.log
      name: logfile
    - mountPath: /etc/ssl
      name: etcssl
      readOnly: true
    - mountPath: /usr/share/ssl
      name: usrsharessl
      readOnly: true
    - mountPath: /var/ssl
      name: varssl
      readOnly: true
    - mountPath: /usr/ssl
      name: usrssl
      readOnly: true
    - mountPath: /usr/lib/ssl
      name: usrlibssl
      readOnly: true
    - mountPath: /usr/local/openssl
      name: usrlocalopenssl
      readOnly: true
    - mountPath: /etc/openssl
      name: etcopenssl
      readOnly: true
    - mountPath: /etc/pki/tls
      name: etcpkitls
      readOnly: true
  volumes:
  - hostPath:
      path: /srv/kubernetes
    name: srvkube
  - hostPath:
      path: /var/log/kube-apiserver.log
    name: logfile
  - hostPath:
      path: /etc/ssl
    name: etcssl
  - hostPath:
      path: /usr/share/ssl
    name: usrsharessl
  - hostPath:
      path: /var/ssl
    name: varssl
  - hostPath:
      path: /usr/ssl
    name: usrssl
  - hostPath:
      path: /usr/lib/ssl
    name: usrlibssl
  - hostPath:
      path: /usr/local/openssl
    name: usrlocalopenssl
  - hostPath:
      path: /etc/openssl
    name: etcopenssl
  - hostPath:
      path: /etc/pki/tls
    name: etcpkitls
    • controller-manager
    apiVersion: v1
kind: Pod
metadata:
  name: kube-controller-manager
spec:
  containers:
  - command:
    - /bin/sh
    - -c
    - /usr/local/bin/kube-controller-manager --master=127.0.0.1:8080 --cluster-name=e2e-test-bburns
      --cluster-cidr=10.245.0.0/16 --allocate-node-cidrs=true --cloud-provider=gce  --service-account-private-key-file=/srv/kubernetes/server.key
      --v=2 --leader-elect=true 1>>/var/log/kube-controller-manager.log 2>&1
    image: gcr.io/google_containers/kube-controller-manager:fda24638d51a48baa13c35337fcd4793
    livenessProbe:
      httpGet:
        path: /healthz
        port: 10252
      initialDelaySeconds: 15
      timeoutSeconds: 1
    name: kube-controller-manager
    volumeMounts:
    - mountPath: /srv/kubernetes
      name: srvkube
      readOnly: true
    - mountPath: /var/log/kube-controller-manager.log
      name: logfile
    - mountPath: /etc/ssl
      name: etcssl
      readOnly: true
    - mountPath: /usr/share/ssl
      name: usrsharessl
      readOnly: true
    - mountPath: /var/ssl
      name: varssl
      readOnly: true
    - mountPath: /usr/ssl
      name: usrssl
      readOnly: true
    - mountPath: /usr/lib/ssl
      name: usrlibssl
      readOnly: true
    - mountPath: /usr/local/openssl
      name: usrlocalopenssl
      readOnly: true
    - mountPath: /etc/openssl
      name: etcopenssl
      readOnly: true
    - mountPath: /etc/pki/tls
      name: etcpkitls
      readOnly: true
  hostNetwork: true
  volumes:
  - hostPath:
      path: /srv/kubernetes
    name: srvkube
  - hostPath:
      path: /var/log/kube-controller-manager.log
    name: logfile
  - hostPath:
      path: /etc/ssl
    name: etcssl
  - hostPath:
      path: /usr/share/ssl
    name: usrsharessl
  - hostPath:
      path: /var/ssl
    name: varssl
  - hostPath:
      path: /usr/ssl
    name: usrssl
  - hostPath:
      path: /usr/lib/ssl
    name: usrlibssl
  - hostPath:
      path: /usr/local/openssl
    name: usrlocalopenssl
  - hostPath:
      path: /etc/openssl
    name: etcopenssl
  - hostPath:
      path: /etc/pki/tls
    name: etcpkitls
    • scheduler
    apiVersion: v1
kind: Pod
metadata:
  name: kube-scheduler
spec:
  hostNetwork: true
  containers:
  - name: kube-scheduler
    image: gcr.io/google_containers/kube-scheduler:34d0b8f8b31e27937327961528739bc9
    command:
    - /bin/sh
    - -c
    - /usr/local/bin/kube-scheduler --master=127.0.0.1:8080 --v=2 --leader-elect=true 1>>/var/log/kube-scheduler.log
      2>&1
    livenessProbe:
      httpGet:
        path: /healthz
        port: 10251
      initialDelaySeconds: 15
      timeoutSeconds: 1
    volumeMounts:
    - mountPath: /var/log/kube-scheduler.log
      name: logfile
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-s8ejd
      readOnly: true
  volumes:
  - hostPath:
      path: /var/log/kube-scheduler.log
    name: logfile
    • etcd
    apiVersion: v1
kind: Pod
metadata:
  name: etcd-server
spec:
  hostNetwork: true
  containers:
  - image: gcr.io/google_containers/etcd:2.0.9
    name: etcd-container
    command:
    - /usr/local/bin/etcd
    - --name
    - ${NODE_NAME}
    - --initial-advertise-peer-urls
    - http://${NODE_IP}:2380
    - --listen-peer-urls
    - http://${NODE_IP}:2380
    - --advertise-client-urls
    - http://${NODE_IP}:4001
    - --listen-client-urls
    - http://127.0.0.1:4001
    - --data-dir
    - /var/etcd/data
    - --discovery
    - ${DISCOVERY_TOKEN}
    ports:
    - containerPort: 2380
      hostPort: 2380
      name: serverport
    - containerPort: 4001
      hostPort: 4001
      name: clientport
    volumeMounts:
    - mountPath: /var/etcd
      name: varetcd
    - mountPath: /etc/ssl
      name: etcssl
      readOnly: true
    - mountPath: /usr/share/ssl
      name: usrsharessl
      readOnly: true
    - mountPath: /var/ssl
      name: varssl
      readOnly: true
    - mountPath: /usr/ssl
      name: usrssl
      readOnly: true
    - mountPath: /usr/lib/ssl
      name: usrlibssl
      readOnly: true
    - mountPath: /usr/local/openssl
      name: usrlocalopenssl
      readOnly: true
    - mountPath: /etc/openssl
      name: etcopenssl
      readOnly: true
    - mountPath: /etc/pki/tls
      name: etcpkitls
      readOnly: true
  volumes:
  - hostPath:
      path: /var/etcd/data
    name: varetcd
  - hostPath:
      path: /etc/ssl
    name: etcssl
  - hostPath:
      path: /usr/share/ssl
    name: usrsharessl
  - hostPath:
      path: /var/ssl
    name: varssl
  - hostPath:
      path: /usr/ssl
    name: usrssl
  - hostPath:
      path: /usr/lib/ssl
    name: usrlibssl
  - hostPath:
      path: /usr/local/openssl
    name: usrlocalopenssl
  - hostPath:
      path: /etc/openssl
    name: etcopenssl
  - hostPath:
      path: /etc/pki/tls
    name: etcpkitls

Guess you like

Origin http://43.154.161.224:23101/article/api/json?id=324376458&siteId=291194637
Recommended
Ranking
error: (-215:Assertion failed) !_img.empty() in function ‘cv::imwrite‘
Database migration between Navicat servers
Minimum number of rotation of the array: Array
balenaEtcher for mac (make a boot disk software) v1.5.67
Custom processing serialization and deserialization in jackson
Mu-en-mask system development software
Mastering Regular Expressions
Find mileage Java--
Web pages can not directly concern the public micro-channel number how to do? A key to arouse public concern number of micro-channel solutions
[CodeForces - 739B] Alyona and a tree Tree + [difference] + bipartite
Daily
More
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)

Code World

© 2018 codetd.com