This document describes the steps to deploy a highly available kube-scheduler cluster.
The cluster consists of 3 nodes. After start-up, a competitive election produces one leader node; the other nodes block in standby. When the leader becomes unavailable, the remaining nodes hold a new election and produce a new leader, which keeps the service available.
To secure the communication, this document first generates an x509 certificate and private key. kube-scheduler presents this certificate as a client certificate when it talks to the secure port of kube-apiserver.
(The metrics endpoint on port 10251 is plain http bound to 127.0.0.1 only, see the --address note in step 3; the kube-scheduler release used here does not serve https on that port, so the certificate plays no part in exposing metrics.)
kubelet, flannel and the other components must be installed before this configuration; they were installed in the earlier steps, so we go straight to the configuration.
1. Create the kube-scheduler certificate and private key
Create the certificate signing request:
cat > kube-scheduler-csr.json <<EOF
{
"CN": "system:kube-scheduler",
"hosts": [
"127.0.0.1",
"172.68.96.101",
"172.68.96.102",
"172.68.96.103"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:kube-scheduler",
"OU": "4Paradigm"
}
]
}
EOF
- The hosts list contains the IPs of all kube-scheduler nodes; because the certificate is only ever presented as a client certificate, kube-apiserver does not check these SANs, but they do no harm;
- CN is system:kube-scheduler and O is system:kube-scheduler. kube-apiserver takes the username from the CN and the group from the O of a client certificate, and the built-in ClusterRoleBinding system:kube-scheduler grants that user exactly the permissions kube-scheduler needs. Do not reuse this certificate for any other component: whoever holds its private key can act as the scheduler.
Generate the certificate and private key:
cfssl gencert -ca=/etc/kubernetes/cert/ca.pem \
-ca-key=/etc/kubernetes/cert/ca-key.pem \
-config=/etc/kubernetes/cert/ca-config.json \
-profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
2戚啥、創(chuàng)建和分發(fā) kubeconfig 文件
kubeconfig 文件包含訪問 apiserver 的所有信息,如 apiserver 地址锉试、CA 證書和自身使用的證書猫十;
source /opt/k8s/bin/environment.sh
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/cert/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler \
--client-certificate=kube-scheduler.pem \
--client-key=kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config set-context system:kube-scheduler \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config use-context system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig
- The certificate and private key created in the previous step and the kube-apiserver address are embedded in the kubeconfig file (--embed-certs=true); the file therefore contains the scheduler's private key and must be protected like one, readable only by the k8s user that runs the scheduler;
Distribute the kubeconfig to all master nodes:
cat > magic46_distribute_kubeconfig_All_NodeServier.sh << "EOF"
#!/bin/bash
# Distribute the kubeconfig to all master nodes and restrict it to the k8s user
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
  echo ">>> ${node_ip}"
  scp kube-scheduler.kubeconfig k8s@${node_ip}:/etc/kubernetes/
  # the file embeds the scheduler's private key: owner-only permissions
  ssh k8s@${node_ip} "chmod 600 /etc/kubernetes/kube-scheduler.kubeconfig"
done
EOF
3拖云、創(chuàng)建和分發(fā) kube-scheduler systemd unit 文件
cat > kube-scheduler.service <<EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service]
ExecStart=/opt/k8s/bin/kube-scheduler \\
--address=127.0.0.1 \\
--kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \\
--leader-elect=true \\
--alsologtostderr=true \\
--logtostderr=false \\
--log-dir=/var/log/kubernetes \\
--v=2
Restart=on-failure
RestartSec=5
User=k8s
[Install]
WantedBy=multi-user.target
EOF
- --address: serve http /metrics requests on 127.0.0.1:10251; the kube-scheduler release used here does not serve https on this port, so the endpoint is unauthenticated and must stay bound to loopback rather than 0.0.0.0;
- --kubeconfig: path to the kubeconfig file; kube-scheduler uses it to connect to and authenticate against kube-apiserver;
- --leader-elect=true: cluster mode, enables leader election; the node elected leader does the scheduling work, the other nodes block in standby;
- User=k8s: run the process as the unprivileged k8s account rather than root;
Distribute the systemd unit file to all master nodes:
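The checks implied by the flag list above, as an added example that is not part of the original page: it parses a kube-scheduler unit file (joining the backslash continuation lines that systemd joins) into its ExecStart flags and reports any setting that weakens what the page relies on. SAMPLE_UNIT is a constructed, trimmed copy of the unit above as it lands on disk after the heredoc turns `\\` into `\`; the finding texts are this example's own.

```python
"""Lint a kube-scheduler systemd unit for the settings this deployment relies on.

Added example, not from the original page. SAMPLE_UNIT is a constructed copy of
the unit written above (log flags trimmed), as the file looks after the heredoc.
"""
import re
import shlex

SAMPLE_UNIT = """\
[Unit]
Description=Kubernetes Scheduler

[Service]
ExecStart=/opt/k8s/bin/kube-scheduler \\
  --address=127.0.0.1 \\
  --kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \\
  --leader-elect=true \\
  --v=2
Restart=on-failure
RestartSec=5
User=k8s

[Install]
WantedBy=multi-user.target
"""


def parse_unit(text):
    """Return {section: {key: value}}; a trailing backslash joins the next line."""
    joined = re.sub(r"\\\n", " ", text)
    sections, current = {}, None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def parse_exec_start(exec_start):
    """Split ExecStart into (binary, {flag: value}); a bare --flag maps to 'true'."""
    argv = shlex.split(exec_start)
    flags = {}
    for arg in argv[1:]:
        name, sep, value = arg.partition("=")
        flags[name] = value if sep else "true"
    return argv[0], flags


def lint_unit(text):
    """Return a list of findings; an empty list means the unit matches the page's settings."""
    service = parse_unit(text).get("Service", {})
    if "ExecStart" not in service:
        return ["Service section has no ExecStart"]
    _, flags = parse_exec_start(service["ExecStart"])
    findings = []
    # The metrics port is plain http with no authentication: loopback only.
    if flags.get("--address", "0.0.0.0") != "127.0.0.1":
        findings.append("--address must be 127.0.0.1: the 10251 metrics port is unauthenticated http")
    if flags.get("--leader-elect") != "true":
        findings.append("--leader-elect=true is required when several schedulers run")
    if "--kubeconfig" not in flags:
        findings.append("--kubeconfig missing: no client certificate for kube-apiserver")
    if service.get("User", "root") == "root":
        findings.append("User= missing: the scheduler would run as root")
    if service.get("Restart") not in ("on-failure", "always"):
        findings.append("Restart= should be on-failure or always so a crashed scheduler comes back")
    return findings
```

Run `lint_unit(open("/etc/systemd/system/kube-scheduler.service").read())` on each master after distributing the unit; anything it returns is a deviation from the configuration described above.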
cat > magic47_distribute_kube-scheduler_All_NodeServier.sh << "EOF"
#!/bin/bash
# Distribute the systemd unit file to all master nodes
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
scp kube-scheduler.service root@${node_ip}:/etc/systemd/system/
done
EOF
4. Start the kube-scheduler service
cat > magic48_start_kube-scheduler_servier.sh << "EOF"
#!/bin/bash
# Start the kube-scheduler service on all master nodes
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh root@${node_ip} "mkdir -p /var/log/kubernetes && chown -R k8s /var/log/kubernetes"
ssh root@${node_ip} "systemctl daemon-reload && systemctl enable kube-scheduler && systemctl start kube-scheduler"
done
EOF
5旬蟋、檢查服務(wù)運行狀態(tài)
cat > magic49_check_servier.sh << "EOF"
#!/bin/bash
# 檢查服務(wù)運行狀態(tài)
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
do
echo ">>> ${node_ip}"
ssh k8s@${node_ip} "systemctl status kube-scheduler|grep Active"
done
EOF
If you see output like the following:
bash magic49_check_servier.sh
>>> 172.68.96.101
Active: active (running) since Wed 20XX-XX-XX XX:XX:XX CST; XXh ago
>>> 172.68.96.102
Active: active (running) since Wed 20XX-XX-XX XX:XX:XX CST; XXh ago
>>> 172.68.96.103
Active: active (running) since Wed 20XX-XX-XX XX:XX:XX CST; XXh ago
the service is healthy. If it failed, check the logs:
journalctl -xu kube-scheduler
5倾贰,查看輸出的 metric
注意:以下命令在 kube-scheduler 節(jié)點上執(zhí)行冕碟。
kube-scheduler 監(jiān)聽 10251 端口,接收 http 請求:
sudo netstat -lnpt|grep kube-sche
tcp 0 0 127.0.0.1:10251 0.0.0.0:* LISTEN 15377/kube-schedule
curl -s http://127.0.0.1:10251/metrics |head
# HELP apiserver_audit_event_total Counter of audit events generated and sent to the audit backend.
# TYPE apiserver_audit_event_total counter
apiserver_audit_event_total 0
# HELP go_gc_duration_seconds A summary of the GC invocation durations.
# TYPE go_gc_duration_seconds summary
go_gc_duration_seconds{quantile="0"} 6.3423e-05
go_gc_duration_seconds{quantile="0.25"} 0.000120079
go_gc_duration_seconds{quantile="0.5"} 0.000146495
go_gc_duration_seconds{quantile="0.75"} 0.000174475
go_gc_duration_seconds{quantile="1"} 0.001807813
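The two checks a practitioner wants from this step, as an added example that is not part of the original page: confirm from the netstat output that the unauthenticated metrics port is bound to loopback only, and parse the Prometheus text exposition returned by /metrics so it can be asserted on rather than eyeballed. SAMPLE_NETSTAT and SAMPLE_METRICS are constructed from the output shown above (an sshd line was added to show filtering); the parser assumes the 7-column layout of `netstat -lnpt` and the standard exposition format.

```python
"""Check the kube-scheduler metrics endpoint: loopback-only binding and parseable output.

Added example, not from the original page. The sample inputs are constructed
from the netstat line and the first /metrics lines shown above.
"""
import re

SAMPLE_NETSTAT = """\
tcp        0      0 127.0.0.1:10251         0.0.0.0:*               LISTEN      15377/kube-schedule
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
"""

SAMPLE_METRICS = """\
# HELP apiserver_audit_event_total Counter of audit events generated and sent to the audit backend.
# TYPE apiserver_audit_event_total counter
apiserver_audit_event_total 0
# HELP go_gc_duration_seconds A summary of the GC invocation durations.
# TYPE go_gc_duration_seconds summary
go_gc_duration_seconds{quantile="0"} 6.3423e-05
go_gc_duration_seconds{quantile="0.5"} 0.000146495
go_gc_duration_seconds{quantile="1"} 0.001807813
"""

LOOPBACK = ("127.0.0.1", "::1")


def listeners(netstat_text, process_prefix="kube-sched"):
    """Return [(ip, port)] of LISTEN sockets owned by a process matching the prefix.

    netstat -p truncates the program name ("kube-schedule"), hence prefix matching.
    """
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        pid_prog = fields[6]
        prog = pid_prog.split("/", 1)[1] if "/" in pid_prog else pid_prog
        if not prog.startswith(process_prefix):
            continue
        ip, _, port = fields[3].rpartition(":")
        found.append((ip, int(port)))
    return found


def exposed_listeners(netstat_text, process_prefix="kube-sched"):
    """Listeners reachable from off-host: anything not bound to a loopback address."""
    return [(ip, port) for ip, port in listeners(netstat_text, process_prefix)
            if ip not in LOOPBACK]


SAMPLE_RE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)')
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_metrics(text):
    """Parse Prometheus text exposition into {name: {type, help, samples: [(labels, value)]}}."""
    metrics = {}

    def entry(name):
        return metrics.setdefault(name, {"type": None, "help": None, "samples": []})

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("# HELP "):
            name, _, help_text = line[len("# HELP "):].partition(" ")
            entry(name)["help"] = help_text
        elif line.startswith("# TYPE "):
            name, _, mtype = line[len("# TYPE "):].partition(" ")
            entry(name)["type"] = mtype
        elif line.startswith("#"):
            continue  # other comments carry no data
        else:
            m = SAMPLE_RE.match(line)
            if not m:
                raise ValueError("unparseable sample line: %r" % line)
            name, label_text, value = m.groups()
            labels = dict(LABEL_RE.findall(label_text or ""))
            entry(name)["samples"].append((labels, float(value)))
    return metrics
```

On a real node feed `listeners()` the output of `sudo netstat -lnpt` and `parse_metrics()` the body of `curl -s http://127.0.0.1:10251/metrics`; a non-empty result from `exposed_listeners()` means the plain-http port is reachable from the network and --address needs fixing.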
6匆浙、查看當(dāng)前的 leader
kubectl get endpoints kube-scheduler --namespace=kube-system -o yaml
apiVersion: v1
kind: Endpoints
metadata:
annotations:
control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"kube-node2_XXXXXX-XXXXXX-XXXXXX","leaseDurationSeconds":15,"acquireTime":"20XX-XX-XX XX:XX:XX","renewTime":"20XX-XX-XX XX:XX:XX","leaderTransitions":1}'
creationTimestamp: 20XX-XX-XX XX:XX:XX
name: kube-scheduler
namespace: kube-system
resourceVersion: "30835"
selfLink: /api/v1/namespaces/kube-system/endpoints/kube-scheduler
uid: XXXXXXXXX
So the current leader is the kube-node2 node (the node name is the part of holderIdentity before the underscore; the rest is a per-process UUID). Newer Kubernetes releases keep this lock in a Lease object instead of the Endpoints annotation; there it is read with kubectl -n kube-system get lease kube-scheduler -o yaml.
8. Test the high availability of the kube-scheduler cluster
Pick one or two master nodes, stop the kube-scheduler service there, and watch whether another node acquires the leader role (systemd logs).
Now stop the kube-scheduler service on kube-node2:
systemctl stop kube-scheduler
systemctl status kube-scheduler | grep Active
Active: inactive (dead) since Sat 20XX-XX-XX XX:XX:XX CST; XXs ago
Then check who the leader is now:
kubectl get endpoints kube-scheduler --namespace=kube-system -o yaml
apiVersion: v1
kind: Endpoints
metadata:
annotations:
control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"kube-node3_XXXXXX-XXXXXX-XXXXXX","leaseDurationSeconds":15,"acquireTime":"20XX-XX-XX XX:XX:XXZ","renewTime":"20XX-XX-XX XX:XX:XXZ","leaderTransitions":2}'
creationTimestamp: 20XX-XX-XX XX:XX:XXZ
name: kube-scheduler
namespace: kube-system
resourceVersion: "30984"
selfLink: /api/v1/namespaces/kube-system/endpoints/kube-scheduler
uid: XXXXXXXX
Leadership has moved to kube-node3: holderIdentity now names kube-node3 and leaderTransitions went from 1 to 2. Failover is not instant: the surviving nodes may only take over after the old lease expires (renewTime + leaseDurationSeconds, 15 s here), and no pods are scheduled during that window. Restart kube-scheduler on kube-node2 afterwards so the cluster is back to three candidates.
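The leader check and the failover test of steps 7 and 8, as an added example that is not part of the original page: it decodes the JSON in the control-plane.alpha.kubernetes.io/leader annotation, tells whether the recorded lease is still live at a given time (which is what gates the takeover), and compares two snapshots of the Endpoints object to confirm a failover. SNAPSHOT_BEFORE and SNAPSHOT_AFTER are constructed to mirror the two kubectl outputs above (UUIDs and timestamps are made up); real input is the output of `kubectl -n kube-system get endpoints kube-scheduler -o json`.

```python
"""Inspect the kube-scheduler leader-election record and detect a failover.

Added example, not part of the original page. The lock lives in the
control-plane.alpha.kubernetes.io/leader annotation of the kube-scheduler
Endpoints object; the snapshots below are constructed from the page's output.
"""
import json
from datetime import datetime, timedelta, timezone

ANNOTATION = "control-plane.alpha.kubernetes.io/leader"


def _endpoints(holder, acquire, renew, transitions):
    """Constructed Endpoints object, shaped like `kubectl get endpoints ... -o json`."""
    record = {
        "holderIdentity": holder,
        "leaseDurationSeconds": 15,
        "acquireTime": acquire,
        "renewTime": renew,
        "leaderTransitions": transitions,
    }
    return {
        "apiVersion": "v1",
        "kind": "Endpoints",
        "metadata": {
            "name": "kube-scheduler",
            "namespace": "kube-system",
            "annotations": {ANNOTATION: json.dumps(record)},
        },
    }


# Made-up UUIDs and times; only the shape matches the real objects.
SNAPSHOT_BEFORE = _endpoints("kube-node2_0f4a7c1e-1111-4a1e-8a11-000000000001",
                             "2018-06-21T07:00:00Z", "2018-06-21T07:30:00Z", 1)
SNAPSHOT_AFTER = _endpoints("kube-node3_5c2d9b7a-2222-4b2f-9b22-000000000002",
                            "2018-06-21T07:30:20Z", "2018-06-21T07:30:40Z", 2)


def parse_rfc3339(value):
    """Kubernetes writes UTC timestamps with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_leader(endpoints_obj):
    """Return the decoded leader record, or None if no election record is present."""
    raw = endpoints_obj["metadata"].get("annotations", {}).get(ANNOTATION)
    if raw is None:
        return None
    rec = json.loads(raw)
    return {
        "identity": rec["holderIdentity"],
        # holderIdentity is <hostname>_<uuid>; the hostname is the node name
        "node": rec["holderIdentity"].rsplit("_", 1)[0],
        "lease_seconds": int(rec["leaseDurationSeconds"]),
        "acquire_time": parse_rfc3339(rec["acquireTime"]),
        "renew_time": parse_rfc3339(rec["renewTime"]),
        "transitions": int(rec["leaderTransitions"]),
    }


def lease_is_live(leader, now):
    """True while the holder's lease has not expired.

    A holder that stopped renewing (stopped or crashed) keeps the lock until
    renewTime + leaseDurationSeconds; only then may another node take over.
    `now` may be a datetime or an RFC3339 string.
    """
    if isinstance(now, str):
        now = parse_rfc3339(now)
    return now < leader["renew_time"] + timedelta(seconds=leader["lease_seconds"])


def detect_failover(before, after):
    """Compare two snapshots of the Endpoints object; return (changed, description)."""
    b, a = parse_leader(before), parse_leader(after)
    if b is None or a is None:
        return False, "no leader record in one of the snapshots"
    if a["identity"] == b["identity"]:
        return False, "leader unchanged: %s" % a["node"]
    if a["transitions"] <= b["transitions"]:
        # A new holder must bump leaderTransitions; otherwise the snapshots are out of order
        return False, "inconsistent snapshots: holder changed but leaderTransitions did not increase"
    return True, "leader moved from %s to %s (leaderTransitions %d -> %d)" % (
        b["node"], a["node"], b["transitions"], a["transitions"])
```

Take one snapshot before stopping the leader's kube-scheduler and one after the lease duration has passed; `detect_failover()` on the pair confirms the takeover, and `lease_is_live()` explains the pause in scheduling in between.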