一 K3S概述
1.1 K3S介紹
K3S是一個輕量級Kubernetes發行版,易于安裝,記憶體消耗低,所有二進制檔案不到40mb,- 適用于:
- 邊緣計算-Edge
- 物聯網-IoT
- CI
- ARM
1.2 K3S特點
k3s是完全兼容的Kubernetes發行版,有以下更改:- 移除過時的功能、Alpha功能、非默認功能,這些功能在大多數Kubernetes集群中已不可用,
- 洗掉內置插件(比如云供應商插件和存盤插件),可用外部插件程式替換,
- 添加SQLite3作為默認的資料存盤,etcd3仍然可用,但并非默認項,
- 包含在一個簡單的啟動程式當中,可以處理復雜的TLS和其他選項,
- 幾乎沒有作業系統依賴性(僅需要健全的內核和cgroup掛載),k3s軟體包所需的依賴:
- containerd
- Flannel
- CoreDNS
- CNI
- 主機系統服務 (iptables, socat, etc)
1.3 K3S架構
server節點被定義為運行k3s server命令的主機(裸機或虛擬機),worker節點被定義為運行k3s agent命令的主機, 常見的K3S高可用架構如下:- 兩個或更多server節點;
- 一個外部資料存盤,
1.4 worker節點注冊
worker節點通過k3s agent啟動時發起的Websocket連接進行注冊, worker節點將使用節點集群密鑰以及存盤在/etc/rancher/node/password的節點隨機密碼向server注冊,server將在單個節點的/var/lib/rancher/k3s/server/cred/node-passwd路徑存盤密碼,后續任何操作都必須使用相同的密碼,如果洗掉了worker節點目錄/etc/rancher/node,則應該為該worker節點重新創建密碼檔案,或者從服務器中洗掉該節點, 通過使用該--with-node-id標志啟動K3s server或agent,可以將唯一的節點ID添加到hostname,二 K3S部署規劃
2.1 節點需求
所有節點不能具有相同的主機名, 如果節點具有相同的主機名,需要在運行K3S前修改主機名,或者通過--node-name或$K3S_NODE_NAME變數傳遞唯一的主機名稱, 無負載最小配置:RAM: 512 MB,CPU: 1C, k3s server需要6443埠可被節點訪問,這些節點需要能夠通過UDP 8472埠來相互訪問組建Flannel VXLAN網路, 如果不使用Flannel VXLAN并提供自己的自定義CNI,則k3s不需要放行UDP 8472埠,k3s使用反向隧道,以便worker建立與server的出站連接,并且所有kubelet流量都通過該隧道通信, 如果要使用metrics server,則需要在每個節點上放行10250埠,2.2 節點規劃
高可用架構一:etcd與Master節點組件混布在一起,
三 K3S部署準備
3.1 變數引數準備
[root@master01 ~]# vi environment.sh1 #!/bin/sh 2 #****************************************************************# 3 # ScriptName: environment.sh 4 # Author: xhy 5 # Create Date: 2020-05-13 12:21 6 # Modify Author: xhy 7 # Modify Date: 2020-05-13 12:21 8 # Version: 9 #***************************************************************# 10 11 # 集群 MASTER 機器 IP 陣列 12 export MASTER_IPS=(172.24.12.11 172.24.12.12 172.24.12.13) 13 14 # 集群 MASTER IP 對應的主機名陣列 15 export MASTER_NAMES=(master01 master02 master03) 16 17 # 集群 NODE 機器 IP 陣列 18 export NODE_IPS=(172.24.12.21 172.24.12.22 172.24.12.23) 19 20 # 集群 NODE IP 對應的主機名陣列 21 export NODE_NAMES=(worker01 worker02 worker03) 22 23 # 集群所有機器 IP 陣列 24 export ALL_IPS=(172.24.12.11 172.24.12.12 172.24.12.13 172.24.12.21 172.24.12.22 172.24.12.23) 25 26 # 集群所有IP 對應的主機名陣列 27 export ALL_NAMES=(master01 master02 master03 worker01 worker02 worker03) 28 29 # etcd 集群服務地址串列 30 export ETCD_ENDPOINTS="https://172.24.12.11:2379,https://172.24.12.12:2379,https://172.24.12.13:2379" 31 32 # etcd 集群間通信的 IP 和埠 33 export ETCD_NODES="master01=https://172.24.12.11:2380,master02=https://172.24.12.12:2380,master03=https://172.24.12.13:2380" 34 35 # 節點間互聯網路介面名稱 36 export IFACE="eth0" 37 38 # etcd 資料目錄 39 export ETCD_DATA_DIR="/data/k3s/etcd/data" 40 41 # etcd WAL 目錄,建議是 SSD 磁盤磁區,或者和 ETCD_DATA_DIR 不同的磁盤磁區 42 export ETCD_WAL_DIR="/data/k3s/etcd/wal"
3.2 相關優化
[root@master01 ~]# vi k3sinit.sh1 #!/bin/sh 2 #****************************************************************# 3 # ScriptName: k3sinit.sh 4 # Author: xhy 5 # Create Date: 2020-05-13 18:56 6 # Modify Author: xhy 7 # Modify Date: 2020-05-13 18:56 8 # Version: 9 #***************************************************************# 10 # Initialize the machine. This needs to be executed on every machine. 11 12 # Disable the SELinux. 13 sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config 14 15 # Turn off and disable the firewalld. 16 systemctl stop firewalld 17 systemctl disable firewalld 18 19 # Modify related kernel parameters & Disable the swap. 20 cat > /etc/sysctl.d/k3s.conf << EOF 21 net.ipv4.ip_forward = 1 22 net.bridge.bridge-nf-call-ip6tables = 1 23 net.bridge.bridge-nf-call-iptables = 1 24 net.ipv4.tcp_tw_recycle = 0 25 vm.swappiness = 0 26 vm.overcommit_memory = 1 27 vm.panic_on_oom = 0 28 net.ipv6.conf.all.disable_ipv6 = 1 29 EOF 30 sysctl -p /etc/sysctl.d/k8s.conf >&/dev/null 31 swapoff -a 32 sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab 33 modprobe br_netfilter 34 35 # Add ipvs modules 36 cat > /etc/sysconfig/modules/ipvs.modules <<EOF 37 #!/bin/bash 38 modprobe -- ip_vs 39 modprobe -- ip_vs_rr 40 modprobe -- ip_vs_wrr 41 modprobe -- ip_vs_sh 42 modprobe -- nf_conntrack_ipv4 43 EOF 44 chmod 755 /etc/sysconfig/modules/ipvs.modules 45 bash /etc/sysconfig/modules/ipvs.modules 46 47 # Install rpm 48 yum install -y conntrack ntpdate ntp ipvsadm ipset jq iptables curl sysstat libseccomp wget
3.3 配置免秘鑰
1 [root@master01 ~]# cat > etc/hosts << EOF 2 172.24.12.11 master01 3 172.24.12.12 master02 4 172.24.12.13 master03 5 172.24.12.21 worker01 6 172.24.12.22 worker02 7 172.24.12.23 worker03 8 EOF為了更方便遠程分發檔案和執行命令,本實驗配置master節點到其它節點的 ssh 信任關系,
1 [root@master01 ~]# source /root/environment.sh 2 [root@master01 ~]# for all_ip in ${ALL_IPS[@]} 3 do 4 echo ">>> ${all_ip}" 5 ssh-copy-id -i ~/.ssh/id_rsa.pub root@${all_ip} 6 scp /etc/hosts root@${all_ip}:/etc/hosts 7 scp environment.sh root@${all_ip}:/root/ 8 scp k3sinit.sh root@${all_ip}:/root/ 9 ssh root@${all_ip} "chmod +x /root/environment.sh" 10 ssh root@${all_ip} "chmod +x /root/k3sinit.sh" 11 ssh root@${all_ip} "bash /root/k3sinit.sh &" 12 done提示:此操作僅需要在master01節點操作,
四 自定義證書
4.1 安裝cfssl
1 [root@master01 ~]# curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl #下載cfssl軟體 2 [root@master01 ~]# chmod u+x /usr/local/bin/cfssl 3 [root@master01 ~]# curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson #下載json模板 4 [root@master01 ~]# chmod u+x /usr/local/bin/cfssljson 5 [root@master01 ~]# curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo 6 [root@master01 ~]# chmod u+x /usr/local/bin/cfssl-certinfo 7 [root@master01 ~]# mkdir /opt/k3s/work 8 [root@master01 ~]# cd /opt/k3s/work 9 [root@master01 cert]# cfssl print-defaults config > config.json 10 [root@master01 cert]# cfssl print-defaults csr > csr.json #創建模版配置json檔案
4.2 創建根證書
1 [root@master01 ~]# cd /opt/k3s/work 2 [root@master01 work]# cp config.json ca-config.json #復制一份作為CA的組態檔 3 [root@master01 work]# cat > ca-config.json <<EOF 4 { 5 "signing": { 6 "default": { 7 "expiry": "168h" 8 }, 9 "profiles": { 10 "kubernetes": { 11 "expiry": "87600h", 12 "usages": [ 13 "signing", 14 "key encipherment", 15 "server auth", 16 "client auth" 17 ] 18 } 19 } 20 } 21 } 22 EOF欄位解釋: config.json:可以定義多個profiles,分別指定不同的過期時間、使用場景等引數;后續在簽名證書時使用某個profile;
- signing: 表示該證書可用于簽名其它證書;生成的ca.pem 證書中CA=TRUE;
- server auth: 表示client 可以用該CA 對server 提供的證書進行校驗;
- client auth: 表示server 可以用該CA 對client 提供的證書進行驗證,
1 [root@master01 work]# cp csr.json ca-csr.json #復制一份作為CA的證書簽名請求檔案 2 [root@master01 work]# cat > ca-csr.json <<EOF 3 { 4 "CN": "kubernetes", 5 "key": { 6 "algo": "rsa", 7 "size": 2048 8 }, 9 "names": [ 10 { 11 "C": "CN", 12 "ST": "Shanghai", 13 "L": "Shanghai", 14 "O": "k3s", 15 "OU": "System" 16 } 17 ] 18 } 19 EOF欄位解釋:
- CN: Common Name,kube-apiserver 從證書中提取該欄位作為請求的用戶名(User Name);瀏覽器使用該欄位驗證網站是否合法;
- C:country;
- ST:state;
- L:city;
- O: Organization,kube-apiserver 從證書中提取該欄位作為請求用戶所屬的組(Group);
- OU:organization unit,
4.3 分發根證書
1 [root@master01 ~]# cd /opt/k3s/work 2 [root@master01 work]# source /root/environment.sh 3 [root@master01 work]# for all_ip in ${ALL_IPS[@]} 4 do 5 echo ">>> ${all_ip}" 6 ssh root@${all_ip} "mkdir -p /etc/kubernetes/cert" 7 scp ca*.pem ca-config.json root@${all_ip}:/etc/kubernetes/cert 8 done
五 安裝ETCD
5.1 安裝ETCD
1 [root@master01 ~]# wget https://github.com/coreos/etcd/releases/download/v3.4.7/etcd-v3.4.7-linux-amd64.tar.gz 2 [root@master01 ~]# tar -xvf etcd-v3.4.7-linux-amd64.tar.gz
5.2 分發ETCD
1 [root@master01 ~]# for master_ip in ${MASTER_IPS[@]} 2 do 3 echo ">>> ${master_ip}" 4 scp etcd-v3.4.7-linux-amd64/etcd* root@${master_ip}:/usr/local/bin 5 ssh root@${master_ip} "chmod +x /usr/local/bin/*" 6 ssh root@${master_ip} "mkdir -p /data/k3s/etcd/data" 7 ssh root@${master_ip} "mkdir -p /data/k3s/etcd/wal" 8 done
5.3 創建etcd證書和密鑰
1 [root@master01 ~]# cd /opt/k3s/work 2 [root@master01 cert]# cat > etcd-csr.json <<EOF 3 { 4 "CN": "etcd", 5 "hosts": [ 6 "127.0.0.1", 7 "localhost", 8 "172.24.12.11", 9 "172.24.12.12", 10 "172.24.12.13" 11 ], 12 "key": { 13 "algo": "rsa", 14 "size": 2048 15 }, 16 "names": [ 17 { 18 "C": "CN", 19 "ST": "Shanghai", 20 "L": "Shanghai", 21 "O": "k3s", 22 "OU": "System" 23 } 24 ] 25 } 26 EOF 27 #創建etcd的CA證書請求檔案解釋: hosts 欄位指定授權使用該證書的 etcd 節點 IP 或域名串列,需要將 etcd 集群的三個節點 IP 都列在其中,
1 [root@master01 ~]# cd /opt/k3s/work 2 [root@master01 work]# cfssl gencert -ca=/opt/k3s/work/ca.pem \ 3 -ca-key=/opt/k3s/work/ca-key.pem -config=/opt/k3s/work/ca-config.json \ 4 -profile=kubernetes etcd-csr.json | cfssljson -bare etcd #生成CA密鑰(ca-key.pem)和證書(ca.pem)
5.4 分發證書和私鑰
1 [root@master01 ~]# cd /opt/k3s/work 2 [root@master01 work]# source /root/environment.sh 3 [root@master01 work]# for master_ip in ${MASTER_IPS[@]} 4 do 5 echo ">>> ${master_ip}" 6 ssh root@${master_ip} "mkdir -p /etc/etcd/cert" 7 scp etcd*.pem root@${master_ip}:/etc/etcd/cert/ 8 done
5.5 創建etcd的systemd
1 [root@master01 ~]# cd /opt/k3s/work 2 [root@master01 work]# source /root/environment.sh 3 [root@master01 work]# cat > etcd.service.template <<EOF 4 [Unit] 5 Description=Etcd Server 6 After=network.target 7 After=network-online.target 8 Wants=network-online.target 9 Documentation=https://github.com/coreos 10 11 [Service] 12 Type=notify 13 WorkingDirectory=${ETCD_DATA_DIR} 14 ExecStart=/usr/local/bin/etcd \\ 15 --data-dir=${ETCD_DATA_DIR} \\ 16 --wal-dir=${ETCD_WAL_DIR} \\ 17 --name=##MASTER_NAME## \\ 18 --cert-file=/etc/etcd/cert/etcd.pem \\ 19 --key-file=/etc/etcd/cert/etcd-key.pem \\ 20 --trusted-ca-file=/etc/kubernetes/cert/ca.pem \\ 21 --peer-cert-file=/etc/etcd/cert/etcd.pem \\ 22 --peer-key-file=/etc/etcd/cert/etcd-key.pem \\ 23 --peer-trusted-ca-file=/etc/kubernetes/cert/ca.pem \\ 24 --peer-client-cert-auth \\ 25 --client-cert-auth \\ 26 --listen-peer-urls=https://##MASTER_IP##:2380 \\ 27 --initial-advertise-peer-urls=https://##MASTER_IP##:2380 \\ 28 --listen-client-urls=https://##MASTER_IP##:2379,http://127.0.0.1:2379 \\ 29 --advertise-client-urls=https://##MASTER_IP##:2379 \\ 30 --initial-cluster-token=etcd-cluster-0 \\ 31 --initial-cluster=${ETCD_NODES} \\ 32 --initial-cluster-state=new \\ 33 --auto-compaction-mode=periodic \\ 34 --auto-compaction-retention=1 \\ 35 --max-request-bytes=33554432 \\ 36 --quota-backend-bytes=6442450944 \\ 37 --heartbeat-interval=250 \\ 38 --election-timeout=2000 39 Restart=on-failure 40 RestartSec=5 41 LimitNOFILE=65536 42 43 [Install] 44 WantedBy=multi-user.target 45 EOF解釋: WorkingDirectory、--data-dir:指定作業目錄和資料目錄為 ${ETCD_DATA_DIR},需在啟動服務前創建這個目錄; --wal-dir:指定 wal 目錄,為了提高性能,一般使用 SSD 或者和 --data-dir 不同的磁盤; --name:指定節點名稱,當 --initial-cluster-state 值為 new 時,--name 的引數值必須位于 --initial-cluster 串列中; --cert-file、--key-file:etcd server 與 client 通信時使用的證書和私鑰; --trusted-ca-file:簽名 client 證書的 CA 證書,用于驗證 client 證書; --peer-cert-file、--peer-key-file:etcd 與 peer 通信使用的證書和私鑰; --peer-trusted-ca-file:簽名 peer 證書的 CA 證書,用于驗證 peer 證書,
5.5 修改etcd systemd相應地址
1 [root@master01 ~]# cd /opt/k3s/work 2 [root@master01 work]# source /root/environment.sh 3 [root@master01 work]# for (( i=0; i < 3; i++ )) 4 do 5 sed -e "s/##MASTER_NAME##/${MASTER_NAMES[i]}/" -e "s/##MASTER_IP##/${MASTER_IPS[i]}/" etcd.service.template > etcd-${MASTER_IPS[i]}.service 6 done
5.6 分發etcd systemd
1 [root@master01 ~]# cd /opt/k3s/work 2 [root@master01 work]# source /root/environment.sh 3 [root@master01 work]# for master_ip in ${MASTER_IPS[@]} 4 do 5 echo ">>> ${master_ip}" 6 scp etcd-${master_ip}.service root@${master_ip}:/etc/systemd/system/etcd.service 7 done
5.7 啟動ETCD
1 [root@master01 ~]# cd /opt/k3s/work 2 [root@master01 work]# source /root/environment.sh 3 [root@master01 work]# for master_ip in ${MASTER_IPS[@]} 4 do 5 echo ">>> ${master_ip}" 6 ssh root@${master_ip} "mkdir -p ${ETCD_DATA_DIR} ${ETCD_WAL_DIR}" 7 ssh root@${master_ip} "systemctl daemon-reload && systemctl enable etcd && systemctl restart etcd " & 8 done
5.8 檢查ETCD啟動
1 [root@master01 ~]# cd /opt/k3s/work 2 [root@master01 work]# source /root/environment.sh 3 [root@master01 work]# for master_ip in ${MASTER_IPS[@]} 4 do 5 echo ">>> ${master_ip}" 6 ssh root@${master_ip} "systemctl status etcd|grep Active" 7 done
5.9 驗證服務狀態
1 [root@master01 ~]# cd /opt/k3s/work 2 [root@master01 work]# source /root/environment.sh 3 [root@master01 work]# for master_ip in ${MASTER_IPS[@]} 4 do 5 echo ">>> ${master_ip}" 6 ETCDCTL_API=3 /usr/local/bin/etcdctl \ 7 --endpoints=https://${master_ip}:2379 \ 8 --cacert=/etc/kubernetes/cert/ca.pem \ 9 --cert=/etc/etcd/cert/etcd.pem \ 10 --key=/etc/etcd/cert/etcd-key.pem endpoint health 11 done
5.10 查看ETCD當前leader
1 [root@master01 ~]# source /root/environment.sh 2 [root@master01 ~]# ETCDCTL_API=3 /usr/local/bin/etcdctl \ 3 -w table --cacert=/etc/kubernetes/cert/ca.pem \ 4 --cert=/etc/etcd/cert/etcd.pem \ 5 --key=/etc/etcd/cert/etcd-key.pem \ 6 --endpoints=${ETCD_ENDPOINTS} endpoint status
如上所示,當前ETCD集群的leader為172.24.12.12,
六 安裝K3S server
6.1 腳本安裝
1 [root@master01 ~]# curl -sfL https://docs.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn \ 2 sh -s - server --write-kubeconfig ~/.kube/config \ 3 --datastore-endpoint='https://172.24.12.11:2379,master02=https://172.24.12.12:2379,master03=https://172.24.12.13:2379' --datastore-cafile=/etc/kubernetes/cert/ca.pem \ 4 --datastore-certfile=/etc/etcd/cert/etcd.pem \ 5 --datastore-keyfile=/etc/etcd/cert/etcd-key.pem \ 6 --token=x120952576 \ 7 --tls-san=172.24.12.254 8 [root@master01 ~]# echo "source <(kubectl completion bash)" >> ~/.bashrc提示:如上需要在所有master節點執行,/var/lib/rancher/k3s/server/manifests/為k3s中的靜態pud路徑, --write-kubeconfig ~/.kube/config效果為將組態檔寫到k8s默認會用的位置,而不是k3s默認的位置/etc/rancher/k3s/k3s.yaml,后者會導致istio、helm需要額外設定或無法運行, 釋義:腳本安裝可配置引數:
- INSTALL_K3S_MIRROR:中國區用戶設定INSTALL_K3S_MIRROR=cn可加速K3S二進制檔案下載,也可以直接手動下載二進制檔案,
- INSTALL_K3S_SKIP_DOWNLOAD:如果設定為true,則不會下載K3s hash檔案或K3S二進制檔案,
- INSTALL_K3S_SYMLINK:如果設定為skip將不會創建軟鏈接,force將強制覆寫,如果path中不存在命令,則默認值為符號鏈接,
- INSTALL_K3S_SKIP_START:如果設定為true,將不會自動啟動K3s服務,
- INSTALL_K3S_VERSION:可從github下載的K3s版本,如果未指定,將嘗試下載latest版本,
- INSTALL_K3S_BIN_DIR:將K3S的二進制檔案,軟鏈接和卸載腳本安裝到的目錄,/usr/local/bin用作默認目錄,
- INSTALL_K3S_BIN_DIR_READ_ONLY:如果設定為true,則不會寫入檔案到INSTALL_K3S_BIN_DIR,如果需要強制寫入則設定INSTALL_K3S_SKIP_DOWNLOAD=true,
- INSTALL_K3S_SYSTEMD_DIR:將systemd服務和環境變數檔案安裝到的目錄,/etc/systemd/system用作默認目錄,
- INSTALL_K3S_EXEC:當未指定INSTALL_K3S_EXEC變數,或設定了K3S_URL變數,或在INSTALL_K3S_EXEC變數中沒有添加server執行命令,那么k3s默認將以agent角色運行,反之,會默認以server角色運行,最終,systemd命令會被決議為EXEC命令和腳本引數的組合($@),
- INSTALL_K3S_NAME:如果未指定,將默認使用K3s exec命令創建的systemd服務的名稱,如果指定,名稱將以k3s-為前綴,
- INSTALL_K3S_TYPE:要創建的systemd服務型別,如果未指定,將默認使用K3s exec命令,
6.2 確認驗證
1 [root@master01 ~]# kubectl get nodes
1 [root@master01 ~]# kubectl taint node master01 node-role.kubernetes.io/master="":NoSchedule 2 [root@master01 ~]# kubectl taint node master01 node-role.kubernetes.io/master="":NoSchedule 3 [root@master01 ~]# kubectl taint node master01 node-role.kubernetes.io/master="":NoSchedule
七 高可用優化
7.1 Keepalived安裝
1 [root@master01 ~]# for master_ip in ${MASTER_IPS[@]} 2 do 3 echo ">>> ${master_ip}" 4 ssh root@${master_ip} "yum -y install gcc gcc-c++ make libnl libnl-devel libnfnetlink-devel openssl-devel" 5 ssh root@${master_ip} "wget http://down.linuxsb.com:8888/software/keepalived-2.0.20.tar.gz" 6 ssh root@${master_ip} "tar -zxvf keepalived-2.0.20.tar.gz" 7 ssh root@${master_ip} "cd keepalived-2.0.20/ && ./configure --sysconf=/etc --prefix=/usr/local/keepalived && make && make install" 8 ssh root@${master_ip} "systemctl enable keepalived && systemctl start keepalived" 9 done提示:如上僅需Master01節點操作,從而實作所有節點自動化安裝,
7.2 創建組態檔
1 [root@master01 ~]# wget http://down.linuxsb.com:8888/k3s_ha.sh #下載高可用自動配置腳本 2 [root@master01 ~]# vi k3s_ha.sh #其他部分保持默認 3 # master keepalived virtual ip address 4 export K3SHA_VIP=172.24.12.254 5 6 # master01 ip address 7 export K3SHA_IP1=172.24.12.11 8 9 # master02 ip address 10 export K3SHA_IP2=172.24.12.12 11 12 # master03 ip address 13 export K3SHA_IP3=172.24.12.13 14 15 # master01 hostname 16 export K3SHA_HOST1=master01 17 18 # master02 hostname 19 export K3SHA_HOST2=master02 20 21 # master03 hostname 22 export K3SHA_HOST3=master03 23 24 # master01 network interface name 25 export K3SHA_NETINF1=eth0 26 27 # master02 network interface name 28 export K3SHA_NETINF2=eth0 29 30 # master03 network interface name 31 export K3SHA_NETINF3=eth0 32 33 [root@master01 ~]# bash k3s_ha.sh解釋:如上僅需Master01節點操作,執行腳本后會生產如下組態檔清單: 執行k3s_ha.sh腳本后,會自動生成以下組態檔:
- keepalived:keepalived組態檔,位于各個master節點的/etc/keepalived目錄
- nginx-lb:nginx-lb負載均衡組態檔,位于各個master節點的/root/nginx-lb目錄
7.3 啟動Keepalived
1 [root@master01 ~]# cat /etc/keepalived/keepalived.conf 2 [root@master01 ~]# cat /etc/keepalived/check_apiserver.sh 確認Keepalived配置 3 [root@master01 ~]# for master_ip in ${MASTER_IPS[@]} 4 do 5 echo ">>> ${master_ip}" 6 ssh root@${master_ip} "systemctl restart keepalived.service" 7 ssh root@${master_ip} "systemctl status keepalived.service" 8 ssh root@${master_ip} "ping -c1 172.24.12.254" 9 done提示:如上僅需Master01節點操作,從而實作所有節點自動啟動服務,
7.4 確認驗證
1 [root@master01 ~]# kubectl -n kube-system get pods | grep -E 'NAME|nginx' 2 NAME READY STATUS RESTARTS AGE 3 nginx-lb-2dk6z 1/1 Running 0 2m56s 4 nginx-lb-68s47 1/1 Running 0 2m56s 5 nginx-lb-nbc9l 1/1 Running 0 2m56s提示:如上僅需Master01節點操作,從而實作所有節點自動啟動服務,
7.5 啟用高可用
1 [root@master01 ~]# vi /etc/rancher/k3s/k3s.yaml 2 …… 3 server: https://172.24.12.254:16443 4 ……提示:建議所有master節點進行如上修改,
八 worker節點加入
8.1 worker節點加入集群
1 [root@worker01 ~]# curl -sfL https://docs.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn \ 2 sh -s - agent --server https://172.24.12.254:16443 --token x120952576 3 [root@worker01 ~]# echo "source <(kubectl completion bash)" >> ~/.bashrc提示:所有worker節點如上操作加入集群,
8.2 其他命令引數
1 [root@master01 ~]# k3s server --help #查看k3s server更多引數 2 [root@worker01 ~]# k3s agent --help #查看k3s agent更多引數
九 部署Longhorn
9.1 Longhorn概述
Longhorn是用于Kubernetes的開源分布式塊存盤系統, 提示:更多介紹參考:https://github.com/longhorn/longhorn,9.2 Longhorn部署
1 [root@master01 ~]# yum -y install iscsi-initiator-utils提示:如上建議所有節點安裝,
1 [root@master01 ~]# wget \ 2 https://raw.githubusercontent.com/longhorn/longhorn/master/deploy/longhorn.yaml 3 [root@master01 ~]# vi longhorn.yaml
1 #…… 2 --- 3 kind: Service 4 apiVersion: v1 5 metadata: 6 labels: 7 app: longhorn-ui 8 name: longhorn-frontend 9 namespace: longhorn-system 10 spec: 11 type: NodePort #修改為nodeport 12 selector: 13 app: longhorn-ui 14 ports: 15 - port: 80 16 targetPort: 8000 17 nodePort: 8888 18 --- 19 #……提示:建議提前pull相關鏡像, longhornio/longhorn-engine:v0.8.1 longhornio/longhorn-ui:v0.8.1 longhornio/longhorn-instance-manager:v1_20200301 quay.io/k8scsi/csi-resizer:v0.3.0 quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
9.3 動態sc創建
提示:默認longhorn部署完成已創建一個sc,也可通過如下手動撰寫yaml創建,1 [root@master01 ~]# kubectl get sc 2 NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE 3 …… 4 longhorn driver.longhorn.io Delete Immediate true 15m
1 [root@master01 ~]# vi longhornsc.yaml
1 kind: StorageClass 2 apiVersion: storage.k8s.io/v1 3 metadata: 4 name: longhornsc 5 provisioner: rancher.io/longhorn 6 parameters: 7 numberOfReplicas: "3" 8 staleReplicaTimeout: "30" 9 fromBackup: ""
1 [root@master01 ~]# kubectl create -f longhornsc.yaml
9.4 測驗PV及PVC
1 [root@master01 ~]# vi longhornpod.yaml
1 apiVersion: v1 2 kind: PersistentVolumeClaim 3 metadata: 4 name: longhorn-pvc 5 spec: 6 accessModes: 7 - ReadWriteOnce 8 storageClassName: longhorn 9 resources: 10 requests: 11 storage: 2Gi 12 --- 13 apiVersion: v1 14 kind: Pod 15 metadata: 16 name: longhorn-pod 17 namespace: default 18 spec: 19 containers: 20 - name: volume-test 21 image: nginx:stable-alpine 22 imagePullPolicy: IfNotPresent 23 volumeMounts: 24 - name: volv 25 mountPath: /data 26 ports: 27 - containerPort: 80 28 volumes: 29 - name: volv 30 persistentVolumeClaim: 31 claimName: longhorn-pvc 32
1 [root@master01 ~]# kubectl create -f longhornpod.yaml
參考: https://docs.rancher.cn/k3s/ https://docs.rancher.cn/k3s/architecture.html
轉載請註明出處,本文鏈接:https://www.uj5u.com/caozuo/81967.html
標籤:Linux
下一篇:Manjaro安裝后簡單配置