K8S-Demo Cluster Practice 08: Deploying a Highly Available kube-controller-manager Cluster
- I. Create and distribute the kubeconfig file
- II. Create the kube-controller-manager systemd unit and distribute it
- 1. Write the kube-controller-manager systemd unit template
- 2. Generate a deployment file for each Master node
- 3. Distribute to the master nodes
- III. Start the kube-controller-manager cluster service
- IV. View leader and metrics information
- Appendix: K8s-Demo cluster version information
- Appendix: column links
- kube-controller-manager is deployed on the 3 Master nodes; after startup, one leader node is produced through competitive election, and the other nodes remain blocked in standby
I. Create and distribute the kubeconfig file
[root@master1 ~]# cd /opt/install/kubeconfig
[root@master1 kubeconfig]# kubectl config set-cluster k8s-demo \
--certificate-authority=/opt/install/cert/ca.pem \
--embed-certs=true \
--server="https://##NODE_IP##:6443" \
--kubeconfig=controller-manager.kubeconfig
[root@master1 kubeconfig]# kubectl config set-credentials k8s-demo-ctrl-mgr \
--client-certificate=/opt/install/cert/controller-manager.pem \
--client-key=/opt/install/cert/controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=controller-manager.kubeconfig
[root@master1 kubeconfig]# kubectl config set-context system:kube-controller-manager \
--cluster=k8s-demo \
--user=k8s-demo-ctrl-mgr \
--kubeconfig=controller-manager.kubeconfig
[root@master1 kubeconfig]# kubectl config use-context system:kube-controller-manager --kubeconfig=controller-manager.kubeconfig
[root@master1 ~]# cd /opt/install/kubeconfig
[root@master1 kubeconfig]# for node_ip in ${MASTER_IPS[@]}
do
echo ">>> ${node_ip}"
sed -e "s/##NODE_IP##/${node_ip}/" controller-manager.kubeconfig > controller-manager-${node_ip}.kubeconfig
# copy to the path the unit file's --kubeconfig flags point at
scp controller-manager-${node_ip}.kubeconfig root@${node_ip}:/etc/kubernetes/controller-manager.kubeconfig
done
II. Create the kube-controller-manager systemd unit and distribute it
1. Write the kube-controller-manager systemd unit template
[root@master1 ~]# cd /opt/install/service
[root@master1 service]# cat > controller-manager.service.template <<EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
WorkingDirectory=${K8S_DIR}/kube-controller-manager
ExecStart=/opt/k8s/bin/kube-controller-manager \\
--profiling \\
--cluster-name=k8s-demo \\
--controllers=*,bootstrapsigner,tokencleaner \\
--kube-api-qps=1000 \\
--kube-api-burst=2000 \\
--leader-elect \\
--use-service-account-credentials \\
--concurrent-service-syncs=2 \\
--bind-address=##NODE_IP## \\
--secure-port=10252 \\
--port=0 \\
--tls-cert-file=/etc/kubernetes/cert/controller-manager.pem \\
--tls-private-key-file=/etc/kubernetes/cert/controller-manager-key.pem \\
--authentication-kubeconfig=/etc/kubernetes/controller-manager.kubeconfig \\
--authorization-kubeconfig=/etc/kubernetes/controller-manager.kubeconfig \\
--client-ca-file=/etc/kubernetes/cert/ca.pem \\
--requestheader-allowed-names="k8s-demo-aggregator" \\
--requestheader-client-ca-file=/etc/kubernetes/cert/ca.pem \\
--requestheader-extra-headers-prefix="X-Remote-Extra-" \\
--requestheader-group-headers=X-Remote-Group \\
--requestheader-username-headers=X-Remote-User \\
--cluster-signing-cert-file=/etc/kubernetes/cert/ca.pem \\
--cluster-signing-key-file=/etc/kubernetes/cert/ca-key.pem \\
--experimental-cluster-signing-duration=87600h \\
--horizontal-pod-autoscaler-sync-period=10s \\
--concurrent-deployment-syncs=10 \\
--concurrent-gc-syncs=30 \\
--node-cidr-mask-size=24 \\
--service-cluster-ip-range=${SERVICE_CIDR} \\
--pod-eviction-timeout=6m \\
--terminated-pod-gc-threshold=10000 \\
--root-ca-file=/etc/kubernetes/cert/ca.pem \\
--service-account-private-key-file=/etc/kubernetes/cert/ca-key.pem \\
--kubeconfig=/etc/kubernetes/controller-manager.kubeconfig \\
--logtostderr=true \\
--v=2
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
2. Generate a deployment file for each Master node
[root@master1 ~]# cd /opt/install/service
[root@master1 service]# for (( i=0; i < 3; i++ ))
do
sed -e "s/##NODE_NAME##/${MASTER_NAMES[i]}/" -e "s/##NODE_IP##/${MASTER_IPS[i]}/" controller-manager.service.template \
> controller-manager-${MASTER_IPS[i]}.service
done
[root@master1 service]# ls -l controller-manager*.service
-rw-r--r-- 1 root root 1924 12月 22 11:17 controller-manager-192.168.66.10.service
-rw-r--r-- 1 root root 1924 12月 22 11:17 controller-manager-192.168.66.11.service
-rw-r--r-- 1 root root 1924 12月 22 11:17 controller-manager-192.168.66.12.service
3. Distribute to the master nodes
[root@master1 ~]# cd /opt/install/service
[root@master1 service]# for node_ip in ${MASTER_IPS[@]}
do
echo ">>> ${node_ip}"
scp controller-manager-${node_ip}.service root@${node_ip}:/etc/systemd/system/kube-controller-manager.service
done
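As an added example (not part of the original post), a Python check an operator can run over a rendered unit file before distributing it: it joins the backslash-continued ExecStart= line the way systemd does, collects the flags, and confirms the settings the template above relies on (--port=0 so only the TLS port on --bind-address is served, --leader-elect, --use-service-account-credentials). The sample unit is a constructed, trimmed rendering for master1; the audit rules are the editor's assumptions, not part of the project.

```python
import shlex

# Constructed sample: a trimmed rendering of the unit template above for master1.
SAMPLE_UNIT = """[Unit]
[Service]
ExecStart=/opt/k8s/bin/kube-controller-manager \\
  --leader-elect \\
  --use-service-account-credentials \\
  --bind-address=192.168.66.10 \\
  --secure-port=10252 \\
  --port=0 \\
  --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig \\
  --v=2
Restart=on-failure
"""

def exec_start_flags(unit_text):
    """Join the backslash-continued ExecStart= line as systemd does; bare flags map to True."""
    cmd, collecting = "", False
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            collecting, line = True, line[len("ExecStart="):]
        if collecting:
            cmd += line.rstrip().rstrip("\\") + " "
            if not line.rstrip().endswith("\\"):
                break
    flags = {}
    for arg in shlex.split(cmd)[1:]:  # argv[0] is the binary path
        name, has_value, value = arg.partition("=")
        flags[name] = value if has_value else True
    return flags

def audit(flags, placeholder="##NODE_IP##"):
    """Return the problems an operator should fix before enabling the unit (assumed rules)."""
    problems = []
    if flags.get("--port") != "0":
        problems.append("--port is not 0: the unauthenticated HTTP port stays enabled")
    if "--leader-elect" not in flags:
        problems.append("--leader-elect missing: every instance would run the controllers")
    if "--use-service-account-credentials" not in flags:
        problems.append("--use-service-account-credentials missing: controllers share one identity")
    bind = flags.get("--bind-address", "0.0.0.0")
    if bind in ("0.0.0.0", placeholder):  # placeholder left behind means sed never ran
        problems.append("--bind-address is %s: not pinned to the node address" % bind)
    return problems

if __name__ == "__main__":
    print(audit(exec_start_flags(SAMPLE_UNIT)) or "unit passes the checks")
```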
III. Start the kube-controller-manager cluster service
- Start the kube-controller-manager service, which listens on port 10252
[root@master1 ~]# for node_ip in ${MASTER_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "mkdir -p ${K8S_DIR}/kube-controller-manager"
ssh root@${node_ip} "systemctl daemon-reload && systemctl enable kube-controller-manager && systemctl restart kube-controller-manager"
done
[root@master1 ~]# ss -lnpt | grep kube-cont
LISTEN 0 128 192.168.66.10:10252 *:* users:(("kube-controller",pid=11364,fd=5))
- Check the service status
[root@master1 ~]# for node_ip in ${MASTER_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "systemctl status kube-controller-manager|grep Active"
done
- Health check
[root@master1 ~]# curl -s --cacert /opt/install/cert/ca.pem --cert /opt/install/cert/kubectl-admin.pem --key /opt/install/cert/kubectl-admin-key.pem https://192.168.66.10:10252/healthz
# or
[root@master1 ~]# wget https://192.168.66.10:10252/healthz --no-check-certificate
- If something goes wrong, check the logs
[root@master1 ~]# journalctl -u kube-controller-manager
IV. View leader and metrics information
- The output below shows that the current leader is master1
[root@master1 ~]# kubectl get endpoints kube-controller-manager --namespace=kube-system -o yaml
apiVersion: v1
kind: Endpoints
metadata:
  annotations:
    control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"master1_b81b351d-3590-4686-aac7-e8f60257e1c5","leaseDurationSeconds":15,"acquireTime":"2020-07-17T07:49:04Z","renewTime":"2020-07-17T07:50:03Z","leaderTransitions":0}'
  creationTimestamp: "2020-07-17T07:49:04Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:control-plane.alpha.kubernetes.io/leader: {}
    manager: kube-controller-manager
    operation: Update
    time: "2020-07-17T07:50:03Z"
  name: kube-controller-manager
  namespace: kube-system
  resourceVersion: "659"
  selfLink: /api/v1/namespaces/kube-system/endpoints/kube-controller-manager
  uid: 7005f5af-2afd-499b-85b8-a8cdd40fdada
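As an added example (not from the original post), this Python helper parses the leader annotation shown above and checks whether the lease is still live: the node name is the part of holderIdentity before the underscore, the lease expires at renewTime plus leaseDurationSeconds, and leaderTransitions counts how often leadership has moved. The sample annotation is copied from the output above; the warning threshold in findings() is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: the annotation value copied from the Endpoints object above.
SAMPLE_ANNOTATION = (
    '{"holderIdentity":"master1_b81b351d-3590-4686-aac7-e8f60257e1c5",'
    '"leaseDurationSeconds":15,"acquireTime":"2020-07-17T07:49:04Z",'
    '"renewTime":"2020-07-17T07:50:03Z","leaderTransitions":0}'
)

def parse_rfc3339(value):
    """Lease timestamps are RFC 3339 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def leader_status(annotation, now):
    """Parse the lease record and report who leads and whether the lease is live at `now`."""
    record = json.loads(annotation)
    renew_time = parse_rfc3339(record["renewTime"])
    expires = renew_time + timedelta(seconds=record["leaseDurationSeconds"])
    return {
        # holderIdentity is "<hostname>_<uuid>"; the hostname names the master node
        "leader_node": record["holderIdentity"].split("_", 1)[0],
        "held_since": parse_rfc3339(record["acquireTime"]),
        "lease_expires": expires,
        "seconds_remaining": (expires - now).total_seconds(),
        "lease_valid": now < expires,
        "transitions": record["leaderTransitions"],
    }

def findings(status, max_transitions=3):
    """Operator-facing warnings: an expired lease means no instance is running the
    controllers; many transitions mean leadership is flapping (threshold assumed)."""
    out = []
    if not status["lease_valid"]:
        out.append("lease for %s expired %.0fs ago; controllers are idle until a standby "
                   "wins the election" % (status["leader_node"], -status["seconds_remaining"]))
    if status["transitions"] > max_transitions:
        out.append("leadership changed %d times; check kube-controller-manager logs and "
                   "API server latency" % status["transitions"])
    return out

if __name__ == "__main__":
    # Evaluate the sample one minute after it was renewed: the 15 s lease is stale.
    status = leader_status(SAMPLE_ANNOTATION, parse_rfc3339("2020-07-17T07:51:03Z"))
    print(status["leader_node"], "valid" if status["lease_valid"] else "expired")
    for warning in findings(status):
        print("WARN:", warning)
```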
- View the metrics
[root@master1 kubernetes]# curl -s --cacert /opt/install/cert/ca.pem --cert /opt/install/cert/kubectl-admin.pem --key /opt/install/cert/kubectl-admin-key.pem https://192.168.66.12:10252/metrics |head
# HELP apiserver_audit_event_total [ALPHA] Counter of audit events generated and sent to the audit backend.
# TYPE apiserver_audit_event_total counter
apiserver_audit_event_total 0
# HELP apiserver_audit_requests_rejected_total [ALPHA] Counter of apiserver requests rejected due to an error in audit logging backend.
# TYPE apiserver_audit_requests_rejected_total counter
apiserver_audit_requests_rejected_total 0
# HELP apiserver_client_certificate_expiration_seconds [ALPHA] Distribution of the remaining lifetime on the certificate used to authenticate a request.
# TYPE apiserver_client_certificate_expiration_seconds histogram
apiserver_client_certificate_expiration_seconds_bucket{le="0"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="1800"} 0
Appendix: K8s-Demo cluster version information
| Component | Version | Command |
|---|---|---|
| kubernetes | 1.18.5 | kubectl version |
| docker-ce | 19.03.11 | docker version or rpm -qa \| grep docker |
| etcd | 3.4.3 | etcdctl version |
| calico | 3.13.3 | calico -v |
| coredns | 1.7.0 | coredns -version |