Kubernetes的etcd節點和擴容方法是什么
這篇文章主要講解了“Kubernetes的etcd節點和擴容方法是什么”����,文中的講解內容簡單清晰����,易于學習與理解��,下面請大家跟著小編的思路慢慢深入�,一起來研究和學習“Kubernetes的etcd節點和擴容方法是什么”吧��!
Kubernetes使用kubeadm安裝默認只有一個etcd實例����,存在單點故障的風險���。提升Kubernetes集群可用性的方法包括:1�、備份(Kubernetes探秘—etcd狀態數據及其備份 )����;2���、etcd節點和實例擴容�;3�����、apiserver的多節點服務和負載均衡����。這里主要實驗etcd節點和實例的擴容����。
一��、etcd擴容����,主要思路
etcd是一個獨立的服務�����,在kubernetes中使用時將配置參數和數據目錄分別映射到了宿主機目錄�����,而且使用hostnetwork網絡(本主機網絡)����。其中�����,/etc/kubernetes/manifest/etcd.yaml 為啟動參數文件����,/etc/kubernetes/pki/etcd 為 https使用的證書����,/var/lib/etcd 為該節點的etcd數據文件�����。
對于已用kubeadm安裝的單Master節點Kubernetes集群�����,其etcd運行實例只有一個�����。我們希望將其etcd實例擴展到多個���,以降低單點失效風險���。Kubernetes中etcd的擴容的思路如下:
所有節點安裝kubeadm/kubectl/kubelet�,按照獨立master節點安裝��。
創建etcd集群的證書�,并復制到各個節點����。
在各節點修改etcd啟動配置文件�,啟動etcd實例�����。有多種方式(運行結果一樣���、管理方式不同):
通過 kubectl 部署�����,讓kubernetes控制啟動����。通過nodeSelector指定運行的節點����。
通過 kubelet 服務來啟動���,操作系統通過systemd啟動kubelet服務���。這是k8s的標準過程��。
通過docker的--restart參數讓容器自行啟動��,由容器服務來進行管理�。
把etcd作為宿主機服務來直接啟動���,不使用Docker或者k8s管理��。
將所有節點kube-apiserver.yaml的etcd服務指向本地的etcd服務實例����。
二��、etcd擴容���,實驗步驟
第一步:安裝多個節點
準備好安裝etcd的節點��。我使用ubuntu 18.04LTS���,然后安裝Docker CE 18.06和kubernetes 1.12.3�。
我這里的三個節點分別為:
podc01, 10.1.1.201
podc02, 10.1.1.202
podc03, 10.1.1.203
需要提前把k8s用到的容器鏡像拉取下來到每一個節點�。參考:
Kubernetes 1.12.3快速升級
Kubernetes 版本鎖定到1.12.3
多網卡Ubuntu服務器安裝Kubernetes
Ubuntu 18.04 設置多網卡多端口聚合
快速建立Kubernetes集群�,從零開始
第二步:創建etcd證書
本想嘗試復制主節點的/etc/kubernetes/kpi和/etc/kubernetes/manifest目錄到所有副(mate)節點�����,啟動后出現各種問題無法正常訪問���,提示是ca證書問題���。最后��,準備從頭開始創建自己的證書和部署yaml文件�����。
創建證書使用cfssl來創建����,需要下載模版文件和修改定義文件��,包括ca機構�、ca-config配置�����、ca-key私鑰��、csr請求��、server/peer/client等證書的配置模版文件等����。需要將里面的信息按照自己的環境進行修改�����。
最后生成cert-file證書文件���、key-file公鑰文件和trusted-ca-file證書機構文件(因為我們這里用的是自簽名��,所以創建自己的證書機構文件)��。
這三個文件在etcd實例啟動時配置進去(注意:API2和API3的參數名稱有些不同)��,需要放到每一個節點的相應目錄���,并映射到etcd容器卷中�����。
使用etcdctl作為服務客戶端訪問時也需要指定相應的參數�����,其它對端(Peer)etcd實例也需要使用這些參數來相互訪問����、組成集群�����、同步數據�。
mkdir ~/cfssl && cd ~/cfssl
mkdir bin && cd bin
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O cfssljson
chmod +x {cfssl,cfssljson}
export PATH=$PATH:~/cfssl/bin2�、創建證書配置文件
創建證書配置文件目錄:
mkdir -p ~/cfssl/etcd-certs && cd ~/cfssl/etcd-certs
生成證書配置文件放到~/cfssl/etcd-certs目錄中�����,文件模版如下:
# ==============================================
# ca-config.json
{
"signing": {
"default": {
"expiry": "43800h"
},
"profiles": {
"server": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
# ==============================================
# ca-csr.json
{
"CN": "My own CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "CA",
"O": "My Company Name",
"ST": "San Francisco",
"OU": "Org Unit 1",
"OU": "Org Unit 2"
}
]
}
# ==============================================
# server.json
{
"CN": "etcd0",
"hosts": [
"127.0.0.1",
"0.0.0.0",
"10.1.1.201",
"10.1.1.202",
"10.1.1.203"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}
# ==============================================
# peer1.json # 填本機IP
{
"CN": "etcd0",
"hosts": [
"10.1.1.201"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}
# ==============================================
# client.json
{
"CN": "client",
"hosts": [
""
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}3��、創建etcd集群的證書
操作如下:
cd ~/cfssl/etcd-certs
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer peer1.json | cfssljson -bare peer1
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client
查看所產生的證書文件:
ls -l ~/cfssl/etcd-certs
文件包括:
...
第三步:啟動etcd多實例
啟動etcd實例之前��,務必將/var/lib/etcd目錄清空�����,否則一些設置的參數將不會起作用�����,仍然保留原來的狀態���。
注意����,etcd的下面幾個參數只在第一次啟動(初始化)時起作用���,包括:
- --initial-advertise-peer-urls=http://10.1.1.202:2380
- --initial-cluster=podc02=http://10.1.1.202:2380,podc03=http://10.1.1.203:2380
- --initial-cluster-token=etcd-cluster
- --initial-cluster-state=new
1���、上傳證書文件
將cfssl/etcd-certs目錄拷貝到/etc/kubernetes/pki/etcd-certs 目錄��,可以使用scp或sftp上傳�。
2����、編輯啟動文件
編輯/etc/kubernetes/manifests/etcd.yaml文件�,這是kubelet啟動etcd實例的配置文件�。
# /etc/kubernetes/manifests/etcd.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
creationTimestamp: null
labels:
component: etcd
tier: control-plane
name: etcd
namespace: kube-system
spec:
containers:
- command:
- etcd
- --advertise-client-urls=https://10.1.1.201:2379
- --cert-file=/etc/kubernetes/pki/etcd-certs/server.pem
- --client-cert-auth=true
- --data-dir=/var/lib/etcd
- --initial-advertise-peer-urls=https://10.1.1.201:2380
- --initial-cluster=etcd0=https://10.1.1.201:2380
- --key-file=/etc/kubernetes/pki/etcd-certs/server-key.pem
- --listen-client-urls=https://10.1.1.201:2379
- --listen-peer-urls=https://10.1.1.201:2380
- --name=etcd1
- --peer-cert-file=/etc/kubernetes/pki/etcd-certs/peer1.pem
- --peer-client-cert-auth=true
- --peer-key-file=/etc/kubernetes/pki/etcd-certs/peer1-key.pem
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd-certs/ca.pem
- --snapshot-count=10000
- --trusted-ca-file=/etc/kubernetes/pki/etcd-certs/ca.pem
image: k8s.gcr.io/etcd-amd64:3.2.18
imagePullPolicy: IfNotPresent
#livenessProbe:
# exec:
# command:
# - /bin/sh
# - -ec
# - ETCDCTL_API=3 etcdctl --endpoints=https://[10.1.1.201]:2379 --cacert=/etc/kubernetes/pki/etcd-certs/ca.pem
# --cert=/etc/kubernetes/pki/etcd-certs/client.pem --key=/etc/kubernetes/pki/etcd-certs/client-key.pem
# get foo
# failureThreshold: 8
# initialDelaySeconds: 15
# timeoutSeconds: 15
name: etcd
resources: {}
volumeMounts:
- mountPath: /var/lib/etcd
name: etcd-data
- mountPath: /etc/kubernetes/pki/etcd
name: etcd-certs
hostNetwork: true
priorityClassName: system-cluster-critical
volumes:
- hostPath:
path: /var/lib/etcd
type: DirectoryOrCreate
name: etcd-data
- hostPath:
path: /etc/kubernetes/pki/etcd-certs
type: DirectoryOrCreate
name: etcd-certs
status: {}參照上面的模式�,在各個副節點修改etcd啟動參數/etc/kubernetes/manifest/etcd.yaml文件內容�。
3���、驗證運行狀態
進入etcd容器執行:
alias etcdv3="ETCDCTL_API=3 etcdctl --endpoints=https://[10.1.1.201]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.pem --cert=/etc/kubernetes/pki/etcd/client.pem --key=/etc/kubernetes/pki/etcd/client-key.pem"
etcdv3 member add etcd1 --peer-urls="https://10.1.1.202:2380"
4�、增加etcd節點
拷貝etcd1(10.1.1.201)節點上的證書到etcd1(10.1.1.202)節點上�,復制peer1.json到etcd2的peer2.json�����,修改peer2.json��。
# peer2.json
{
"CN": "etcd1",
"hosts": [
"10.1.86.202"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}重新生成在etcd1上生成peer1證書:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer peer1.json | cfssljson -bare peer1
啟動etcd1�,配置文件如下:
# etcd02 etcd.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
creationTimestamp: null
labels:
component: etcd
tier: control-plane
name: etcd
namespace: kube-system
spec:
containers:
- command:
- etcd
- --advertise-client-urls=https://10.1.1.202:2379
- --cert-file=/etc/kubernetes/pki/etcd-certs/server.pem
- --data-dir=/var/lib/etcd
- --initial-advertise-peer-urls=https://10.1.1.202:2380
- --initial-cluster=etcd01=https://10.1.1.201:2380,etcd02=https://10.1.1.202:2380
- --key-file=/etc/kubernetes/pki/etcd-certs/server-key.pem
- --listen-client-urls=https://10.1.1.202:2379
- --listen-peer-urls=https://10.1.1.202:2380
- --name=etcd02
- --peer-cert-file=/etc/kubernetes/pki/etcd-certs/peer2.pem
- --peer-client-cert-auth=true
- --peer-key-file=/etc/kubernetes/pki/etcd-certs/peer2-key.pem
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd-certs/ca.pem
- --snapshot-count=10000
- --trusted-ca-file=/etc/kubernetes/pki/etcd-certs/ca.pem
- --initial-cluster-state=existing # 千萬別加雙引號��,被坑死
image: k8s.gcr.io/etcd-amd64:3.2.18
imagePullPolicy: IfNotPresent
# livenessProbe:
# exec:
# command:
# - /bin/sh
# - -ec
# - ETCDCTL_API=3 etcdctl --endpoints=https://[10.1.1.202]:2379 --cacert=/etc/kubernetes/pki/etcd-certs/ca.crt
# --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd-certs/healthcheck-client.key
# get foo
# failureThreshold: 8
# initialDelaySeconds: 15
# timeoutSeconds: 15
name: etcd
resources: {}
volumeMounts:
- mountPath: /var/lib/etcd
name: etcd-data
- mountPath: /etc/kubernetes/pki/etcd
name: etcd-certs
hostNetwork: true
priorityClassName: system-cluster-critical
volumes:
- hostPath:
path: /var/lib/etcd
type: DirectoryOrCreate
name: etcd-data
- hostPath:
path: /etc/kubernetes/pki/etcd-certs
type: DirectoryOrCreate
name: etcd-certs
status: {}進入etcd容器執行:
alias etcdv3="ETCDCTL_API=3 etcdctl --endpoints=https://[10.1.86.201]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.pem --cert=/etc/kubernetes/pki/etcd/client.pem --key=/etc/kubernetes/pki/etcd/client-key.pem"
etcdv3 member add etcd1 --peer-urls="https://10.1.1.203:2380"
按照以上步驟����,增加etcd03�����。
5����、etcd集群健康檢查
# etcdctl --endpoints=https://[10.1.1.201]:2379 --ca-file=/etc/kubernetes/pki/etcd-certs/ca.pem --cert-file=/etc/kubernetes/pki/etcd-certs/client.pem --key-file=/etc/kubernetes/pki/etcd-certs/client-key.pem cluster-health
member 5856099674401300 is healthy: got healthy result from https://10.1.86.201:2379
member df99f445ac908d15 is healthy: got healthy result from https://10.1.86.202:2379
cluster is healthy
第四步:修改apiserver服務指向
- --etcd-cafile=/etc/kubernetes/pki/etcd-certs/ca.pem
- --etcd-certfile=/etc/kubernetes/pki/etcd-certs/client.pem
- --etcd-keyfile=/etc/kubernetes/pki/etcd-certs/client-key.pem
至此����,etcd已經擴展成多節點的分布式集群�����,而且各個節點的kubernetes都是可以訪問的�。
注意:
上面所部署的工作節點還只能連接到一個apiserver����,其它副節點的apiserver雖然可用但是無法被工作節點連接到����。
下一步需要實現多master節點的容錯���,遇主節點故障時可以轉移訪問其它的副節點�。
感謝各位的閱讀�,以上就是“Kubernetes的etcd節點和擴容方法是什么”的內容了�����,經過本文的學習后����,相信大家對Kubernetes的etcd節點和擴容方法是什么這一問題有了更深刻的體會�,具體使用情況還需要大家實踐驗證��。這里是億速云����,小編將為大家推送更多相關知識點的文章����,歡迎關注�����!
