使用 kubeadm 搭建單節(jié)點(diǎn)集群已經(jīng)介紹過了秆撮，關(guān)于如何初始化環(huán)境四濒，安裝依賴組件請(qǐng)參考kubeadm搭建單節(jié)點(diǎn)集群, 這篇文章介紹如何使用kubeadm搭建高可用集群。

高可用拓?fù)淠Ｐ?/h3>

堆疊ETCD模型（Stacked etcd topology）

該模式主要特點(diǎn)：

1. etcd和k8s master 組件部署在同一個(gè)node上
2. 每個(gè)kube-apiserver职辨、kube-schedule盗蟆、kube-controller-manager 只連接本地etcd服務(wù)

外部ETCD模型（External etcd topology）

該模式主要特點(diǎn)：

1. etcd集群?jiǎn)为?dú)部署，不通過kubeadm創(chuàng)建管理
2. 每個(gè)kube-apiserver拨匆、kube-schedule贬循、kube-controller-manager 會(huì)連接到外部etcd集群

使用kubeadm創(chuàng)建集群時(shí)宴卖，如果etcd和master部署在同一個(gè)節(jié)點(diǎn)時(shí)使用 堆疊ETCD模型（Stacked etcd topology），否則配置使用外部ETCD模型（External etcd topology）

創(chuàng)建 kube-api 負(fù)載均衡

如以上集群結(jié)構(gòu)圖可知，我們首先需要為多個(gè)master節(jié)點(diǎn)創(chuàng)建負(fù)載均衡古程，負(fù)載均衡的配置需要注意以下幾點(diǎn)：

• 負(fù)載均衡創(chuàng)建成功后岳颇，需要將 kubaadm 的 ControlPlaneEndpoint 字段配置為負(fù)載均衡ip
• 需要先把第一個(gè)待初始化master節(jié)點(diǎn)掛載到負(fù)載均衡后端烫止，當(dāng)?shù)谝粋€(gè)master創(chuàng)建完成后奈泪，將下一個(gè)初始化的master節(jié)點(diǎn)ip加入到負(fù)載均衡后端，以此類推黎侈，直到所有master節(jié)點(diǎn)創(chuàng)建完畢察署。

創(chuàng)建高可用集群

1. 配置kubeadm config 文件

• 創(chuàng)建堆疊ETCD模型的配置：

cat <<EOF > /root/kubeadm-config
apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
kubernetesVersion: v1.13.4
apiServer:
  certSANs:
  - "MASTER1_IP"
  - "MASTER2_IP"
  - "MASTER3_IP"
  - "LOAD_BALANCER_IP"
controlPlaneEndpoint: "LOAD_BALANCER_IP:LOAD_BALANCER_PORT"
imageRepository: registry.cn-beijing.aliyuncs.com/hsxue
networking:
  dnsDomain: cluster.local
  podSubnet: 10.128.0.0/23
  serviceSubnet: 10.192.0.0/22
EOF

配置中的 MASTER1_IP、MASTER2_IP峻汉、 MASTER3_IP贴汪、LOAD_BALANCER_IP脐往、LOAD_BALANCER_PORT 需要替換成實(shí)際的值

• 創(chuàng)建外部ETCD模型的配置

cat <<EOF > /root/kubeadm-config
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.13.4
apiServer:
  certSANs:
  - "MASTER1_IP"
  - "MASTER2_IP"
  - "MASTER3_IP"
  - "LOAD_BALANCER_IP"
controlPlaneEndpoint: "LOAD_BALANCER_IP:LOAD_BALANCER_PORT"
imageRepository: registry.cn-beijing.aliyuncs.com/hsxue
networking:
  dnsDomain: cluster.local
  podSubnet: 10.128.0.0/23
  serviceSubnet: 10.192.0.0/22
etcd:
    external:
        endpoints:
        - https://ETCD_0_IP:2379
        - https://ETCD_1_IP:2379
        - https://ETCD_2_IP:2379
        caFile: /etc/kubernetes/pki/etcd/ca.crt
        certFile: /etc/kubernetes/pki/apiserver-etcd-client.crt
        keyFile: /etc/kubernetes/pki/apiserver-etcd-client.key

如上配置增加了外部etcd的配置，配置中如下值需要替換成實(shí)際的值：

• MASTER1_IP
• MASTER2_IP
• MASTER3_IP
• LOAD_BALANCER_IP
• LOAD_BALANCER_PORT
• ETCD_0_IP
• ETCD_1_IP
• ETCD_2_IP

2. 初始化第一個(gè)master節(jié)點(diǎn)

如果安裝的是外部ETCD模型集群扳埂，需要先將etcd證書拷貝到當(dāng)前master節(jié)點(diǎn)业簿，否則不需要執(zhí)行這一步

export CONTROL_PLANE="MASTER1_IP"
scp /etc/kubernetes/pki/etcd/ca.crt "${CONTROL_PLANE}":
scp /etc/kubernetes/pki/apiserver-etcd-client.crt "${CONTROL_PLANE}":
scp /etc/kubernetes/pki/apiserver-etcd-client.key "${CONTROL_PLANE}":

注意：etcd證書需要和上一步配置的etcd證書路徑匹配

將該節(jié)點(diǎn)kube-apiserver地址和端口掛載到負(fù)載均衡后端，然后執(zhí)行如下命令

kubeadm init --config=/root/kubeadm-config --node-name=master1 --upload-certs

部署成功后會(huì)輸出如下信息：

...
You can now join any number of control-plane node by running the following command on each as a root:
kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866 --control-plane --certificate-key f8902e114ef118304e561c3ecd4d0b543adc226b7a07f675f56564185ffe0c07

Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use kubeadm init phase upload-certs to reload certs afterward.

Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866

以上信息有兩行關(guān)鍵信息需要記下來（每個(gè)人安裝完成后阳懂，輸出的信息肯定不一樣）：

1. 加入master節(jié)點(diǎn)命令

kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866 --control-plane --certificate-key f8902e114ef118304e561c3ecd4d0b543adc226b7a07f675f56564185ffe0c07

2. 加入worker節(jié)點(diǎn)命令

kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866

3. 安裝pod網(wǎng)絡(luò)插件

如下安裝 flannel 為例梅尤，執(zhí)行如下命令：

kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/2140ac876ef134e0ed5af15c65e414cf26827915/Documentation/kube-flannel.yml

執(zhí)行 kubectl get pod -n kube-system -w 等待master組件全部 running

詳情參考：pod network addon

4. 加入剩余的master節(jié)點(diǎn)到集群

先將待初始化節(jié)點(diǎn)kube-apiserver地址和端口掛載到負(fù)載均衡后端，然后執(zhí)行上面得到的加入master節(jié)點(diǎn)的命令

kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866 --control-plane --certificate-key f8902e114ef118304e561c3ecd4d0b543adc226b7a07f675f56564185ffe0c07

• --control-plane 參數(shù)表示 kubeadm join 命令創(chuàng)建的是一個(gè)master節(jié)點(diǎn)
• --certificate-key master加入集群時(shí)岩调，會(huì)從 kubeadm-certs Secret下載證書巷燥，并使用該certificate-key解密證書，
  <div class="tip">
  kubeadm-certs Secret 和 certificate-key 2小時(shí)后會(huì)過期号枕，如果過期則需要重新生成
  </div>

重新生成certificate-key缰揪，可執(zhí)行如下命令

kubeadm init phase upload-certs --upload-certs

執(zhí)行完成后，繼續(xù)登陸到剩余master節(jié)點(diǎn)做同樣操作堕澄。直到所有master節(jié)點(diǎn)創(chuàng)建完畢

5. 加入worker節(jié)點(diǎn)

登陸到worker主機(jī)邀跃，直接執(zhí)行加入worker節(jié)點(diǎn)命令即可

kubeadm join 192.168.0.200:6443 --token 9vr73a.a8uxyaju799qwdjv --discovery-token-ca-cert-hash sha256:7c2e69131a36ae2a042a339b33381c6d0d43887e2de83720eff5359e26aec866

引用

• ha-topology

• Creating Highly Available clusters with kubeadm