
Deploying a multi-master k8s cluster with kubeadm

Official documentation

apiserver high availability

flowchart TB
    client-->|sends request|VIP(virtual IP);
    VIP -->|routes request|node1
    VIP -.-> node2
    VIP -.-> node3

    subgraph node1
        %% The load balancer can be nginx or HAProxy
        LoadBalancer-1-->|load-balances request|apiserver-1
    end
    subgraph node2
        LoadBalancer-2
        apiserver-2
    end
    subgraph node3
        LoadBalancer-3
        apiserver-3
    end

    LoadBalancer-1-.->apiserver-2
    LoadBalancer-1-.->apiserver-3

Deploying keepalived

  • Deploy keepalived on each of the planned control-plane nodes to provide high availability.
$ yum install keepalived -y

Edit the keepalived configuration

$ vim /etc/keepalived/keepalived.conf

! /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
    router_id LVS_DEVEL
}
vrrp_script check_apiserver {
    script "/etc/keepalived/check_apiserver.sh" # health-check script
    interval 3
    weight -2
    fall 10
    rise 2
}

vrrp_instance VI_1 {
    state MASTER # MASTER / BACKUP
    interface eth0
    virtual_router_id 51
    priority 101 # priority
    authentication {
        auth_type PASS
        auth_pass 111111 # sample value; PASS auth travels in cleartext in VRRP packets
    }
    virtual_ipaddress {
        10.10.197.100 # virtual IP address
    }
    track_script {
        check_apiserver
    }
}
  • Write a health-check program for the apiserver. If the apiserver goes down, it notifies keepalived, and the virtual IP then floats to another machine.
$ vim /etc/keepalived/check_apiserver.sh

#!/bin/bash
# If the check fails, retry up to 6 times (5 s apart); stop retrying as soon as it succeeds.
err=0
for k in $(seq 1 6)
do
    # Count running kube-apiserver processes, excluding the grep commands themselves
    check_code=$(ps -ef | grep kube-apiserver | grep -v color | grep -v grep | wc -l)
    if [[ $check_code == "0" ]]; then
        err=$(expr $err + 1)
        sleep 5
        continue
    else
        err=0
        break
    fi
done

if [[ $err != "0" ]]; then
    # No apiserver process on any attempt: stop keepalived so the virtual IP moves to another node
    echo "systemctl stop keepalived"
    /usr/bin/systemctl stop keepalived
    exit 1
else
    exit 0
fi
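
The script above only checks that a kube-apiserver process exists, so it still passes when the apiserver is hung or not serving requests. As an added example (not from the original post), this variant probes the apiserver's `/healthz` endpoint over TLS verified against the cluster CA, keeping the same 6 attempts 5 seconds apart. Assumptions: `NODE_ADDR` (placeholder 192.0.2.10) is an address listed in this node's apiserver certificate, `/healthz` is readable without credentials as in a default kubeadm cluster, and the `--run` argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example: health-based check for keepalived's vrrp_script.
# NODE_ADDR is a placeholder; set it to an address present in the
# apiserver certificate's SANs (assumption, not from the original post).
NODE_ADDR="${NODE_ADDR:-192.0.2.10}"
CA_CERT="${CA_CERT:-/etc/kubernetes/pki/ca.crt}"

# One probe: succeeds only if /healthz answers with HTTP 2xx within
# 3 seconds over TLS that verifies against the cluster CA.
probe_healthz() {
    curl --silent --fail --max-time 3 --cacert "$CA_CERT" \
         --output /dev/null "https://${NODE_ADDR}:6443/healthz"
}

# check_with_retries ATTEMPTS DELAY PROBE...
# Runs PROBE up to ATTEMPTS times, sleeping DELAY seconds after each
# failure except the last. Returns 0 on the first success, 1 otherwise.
check_with_retries() {
    attempts=$1
    delay=$2
    shift 2
    i=1
    while [ "$i" -le "$attempts" ]; do
        if "$@"; then
            return 0
        fi
        if [ "$i" -lt "$attempts" ]; then
            sleep "$delay"
        fi
        i=$((i + 1))
    done
    return 1
}

# Only probe when called with --run, so the functions can be sourced
# and exercised with a stub probe. The exit status is the check result.
if [ "${1:-}" = "--run" ]; then
    check_with_retries 6 5 probe_healthz
    exit $?
fi
```

Reference it from `vrrp_script` as `script "/etc/keepalived/check_apiserver.sh --run"`; unlike the script above it does not stop keepalived itself, it only reports the result through its exit status for `track_script` to act on.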

Start keepalived

$ systemctl start keepalived
$ systemctl enable keepalived
$ systemctl status keepalived

Install Docker on every machine

Installing the k8s master

  • First install kubeadm, kubelet and kubectl with yum.
  • Run the following on one of the machines:
$ kubeadm init --kubernetes-version=v1.21.12 --image-repository=registry.aliyuncs.com/google_containers --control-plane-endpoint "172.20.207.100:6443" --upload-certs
  • When kubeadm init succeeds, the console prints the following. Roughly, it tells you what to run to add a control-plane node and what to run to add worker nodes.
You can now join any number of the control-plane node running the following command on each as root:

kubeadm join 172.20.207.100:6443 --token wwxk1h.y5b1xaylttdqjb2o --discovery-token-ca-cert-hash sha256:321473cdb20c62f334109572a2dfc132530f15af39f5488780be430ca143f6fb --control-plane --certificate-key aa753b6628aa043478a4bd9784111b3c1d833b01c03f9f9bd4900d993894bf28

Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 172.20.207.100:6443 --token wwxk1h.y5b1xaylttdqjb2o --discovery-token-ca-cert-hash sha256:321473cdb20c62f334109572a2dfc132530f15af39f5488780be430ca143f6fb
  • Then install the Calico network plugin:
$ kubectl apply -f https://projectcalico.docs.tigera.io/v3.23/manifests/calico.yaml

Run on the other control-plane machines

  • Log in to each of the other planned master machines, then copy, paste and run the command printed by the master above:
$ kubeadm join 172.20.207.100:6443 --token wwxk1h.y5b1xaylttdqjb2o --discovery-token-ca-cert-hash sha256:321473cdb20c62f334109572a2dfc132530f15af39f5488780be430ca143f6fb --control-plane --certificate-key aa753b6628aa043478a4bd9784111b3c1d833b01c03f9f9bd4900d993894bf28
  • After it succeeds, use kubectl get nodes to view the cluster's current nodes:
$ kubectl get nodes
NAME                     STATUS   ROLES                  AGE   VERSION
aliyun-192-168-100-138   Ready    control-plane,master   28m   v1.21.0
aliyun-192-168-100-144   Ready    control-plane,master   59s   v1.21.0

Run on the worker nodes

  • Log in to each planned worker machine, then copy, paste and run the command printed by the master above:
$ kubeadm join 172.20.207.100:6443 --token wwxk1h.y5b1xaylttdqjb2o --discovery-token-ca-cert-hash sha256:321473cdb20c62f334109572a2dfc132530f15af39f5488780be430ca143f6fb
