我的书签
添加书签
移除书签06-0 kube-apiserver 高可用之 nginx 代理
注意:如果没有特殊指明,本文档的所有操作均在 zhangjun-k8s01 节点上执行,然后远程分发文件和执行命令。
- 控制节点的 kube-controller-manager、kube-scheduler 是多实例部署,所以只要有一个实例正常,就可以保证高可用;
- 集群内的 Pod 使用 K8S 服务域名 kubernetes 访问 kube-apiserver, kube-dns 会自动解析出多个 kube-apiserver 节点的 IP,所以也是高可用的;
- 在每个节点起一个 nginx 进程,后端对接多个 apiserver 实例,nginx 对它们做健康检查和负载均衡;
- kubelet、kube-proxy、controller-manager、scheduler 通过本地的 nginx(监听 127.0.0.1)访问 kube-apiserver,从而实现 kube-apiserver 的高可用;
下载和编译 nginx
下载源码:
配置编译参数:
mkdir nginx-prefix./configure --with-stream --without-http --prefix=$(pwd)/nginx-prefix --without-http_uwsgi_module --without-http_scgi_module --without-http_fastcgi_module
--with-stream:开启 4 层透明转发(TCP Proxy)功能;--without-xxx:关闭所有其他功能,这样生成的动态链接二进制程序依赖最小;
输出:
Configuration summary+ PCRE library is not used+ OpenSSL library is not used+ zlib library is not usednginx path prefix: "/root/tmp/nginx-1.15.3/nginx-prefix"nginx binary file: "/root/tmp/nginx-1.15.3/nginx-prefix/sbin/nginx"nginx modules path: "/root/tmp/nginx-1.15.3/nginx-prefix/modules"nginx configuration prefix: "/root/tmp/nginx-1.15.3/nginx-prefix/conf"nginx configuration file: "/root/tmp/nginx-1.15.3/nginx-prefix/conf/nginx.conf"nginx pid file: "/root/tmp/nginx-1.15.3/nginx-prefix/logs/nginx.pid"nginx error log file: "/root/tmp/nginx-1.15.3/nginx-prefix/logs/error.log"nginx http access log file: "/root/tmp/nginx-1.15.3/nginx-prefix/logs/access.log"nginx http client request body temporary files: "client_body_temp"nginx http proxy temporary files: "proxy_temp"
cd /opt/k8s/work/nginx-1.15.3make && make install
cd /opt/k8s/work/nginx-1.15.3
输出:
查看 nginx 动态链接的库:
$ ldd ./nginx-prefix/sbin/nginx
输出:
linux-vdso.so.1 => (0x00007ffc945e7000)libdl.so.2 => /lib64/libdl.so.2 (0x00007f4385072000)libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f4384e56000)libc.so.6 => /lib64/libc.so.6 (0x00007f4384a89000)/lib64/ld-linux-x86-64.so.2 (0x00007f4385276000)
- 由于只开启了 4 层透明转发功能,所以除了依赖 libc 等操作系统核心 lib 库外,没有对其它 lib 的依赖(如 libz、libssl 等),这样可以方便部署到各版本操作系统中;
安装和部署 nginx
创建目录结构:
source /opt/k8s/bin/environment.shfor node_ip in ${NODE_IPS[@]}doecho ">>> ${node_ip}"ssh root@${node_ip} "mkdir -p /opt/k8s/kube-nginx/{conf,logs,sbin}"done
cd /opt/k8s/worksource /opt/k8s/bin/environment.shfor node_ip in ${NODE_IPS[@]}doecho ">>> ${node_ip}"ssh root@${node_ip} "mkdir -p /opt/k8s/kube-nginx/{conf,logs,sbin}"scp /opt/k8s/work/nginx-1.15.3/nginx-prefix/sbin/nginx root@${node_ip}:/opt/k8s/kube-nginx/sbin/kube-nginxssh root@${node_ip} "chmod a+x /opt/k8s/kube-nginx/sbin/*"done
- 重命名二进制文件为 kube-nginx;
配置 nginx,开启 4 层透明转发功能:
- 需要根据集群 kube-apiserver 的实际情况,替换 backend 中 server 列表;
分发配置文件:
cd /opt/k8s/worksource /opt/k8s/bin/environment.shfor node_ip in ${NODE_IPS[@]}doecho ">>> ${node_ip}"scp kube-nginx.conf root@${node_ip}:/opt/k8s/kube-nginx/conf/kube-nginx.confdone
配置 kube-nginx systemd unit 文件:
cd /opt/k8s/work[Unit]Description=kube-apiserver nginx proxyAfter=network.targetAfter=network-online.targetWants=network-online.target[Service]Type=forkingExecStartPre=/opt/k8s/kube-nginx/sbin/kube-nginx -c /opt/k8s/kube-nginx/conf/kube-nginx.conf -p /opt/k8s/kube-nginx -tExecStart=/opt/k8s/kube-nginx/sbin/kube-nginx -c /opt/k8s/kube-nginx/conf/kube-nginx.conf -p /opt/k8s/kube-nginxExecReload=/opt/k8s/kube-nginx/sbin/kube-nginx -c /opt/k8s/kube-nginx/conf/kube-nginx.conf -p /opt/k8s/kube-nginx -s reloadPrivateTmp=trueRestart=alwaysRestartSec=5StartLimitInterval=0LimitNOFILE=65536[Install]WantedBy=multi-user.targetEOF
分发 systemd unit 文件:
cd /opt/k8s/worksource /opt/k8s/bin/environment.shfor node_ip in ${NODE_IPS[@]}doecho ">>> ${node_ip}"scp kube-nginx.service root@${node_ip}:/etc/systemd/system/done
cd /opt/k8s/worksource /opt/k8s/bin/environment.shfor node_ip in ${NODE_IPS[@]}doecho ">>> ${node_ip}"ssh root@${node_ip} "systemctl daemon-reload && systemctl enable kube-nginx && systemctl restart kube-nginx"
检查 kube-nginx 服务运行状态
确保状态为 active (running),否则查看日志,确认原因:
