Set up a High Availability etcd Cluster with kubeadm

    By default, kubeadm runs a local etcd instance on each control plane node. It is also possible to treat the etcd cluster as external and provision etcd instances on separate hosts. The differences between the two approaches are covered in the Options for Highly Available topology page.

    This task walks through the process of creating a high availability external etcd cluster of three members that can be used by kubeadm during cluster creation.

    • Three hosts that can talk to each other over TCP ports 2379 and 2380. This document assumes these default ports. However, they are configurable through the kubeadm config file.
    • Each host must have systemd and a bash compatible shell installed.
    • Each host must have a container runtime, kubelet, and kubeadm installed.
    • Each host should have access to the Kubernetes container image registry () or list/pull the required etcd image using kubeadm config images list/pull. This guide will set up etcd instances as managed by a kubelet.
    • Some infrastructure to copy files between hosts. For example ssh and scp can satisfy this requirement.

    The general approach is to generate all certs on one node and only distribute the necessary files to the other nodes.

    Note: kubeadm contains all the necessary cryptographic machinery to generate the certificates described below; no other cryptographic tooling is required for this example.

    Note: The examples below use IPv4 addresses but you can also configure kubeadm, the kubelet and etcd to use IPv6 addresses. Dual-stack is supported by some Kubernetes options, but not by etcd. For more details on Kubernetes dual-stack support see .

    1. Configure the kubelet to be a service manager for etcd.

      Note: You must do this on every host where etcd should be running.

      Since etcd was created first, you must override the service priority by creating a new unit file that has higher precedence than the kubeadm-provided kubelet unit file.

      1. systemctl status kubelet
    2. Create configuration files for kubeadm.

      Generate one kubeadm configuration file for each host that will have an etcd member running on it using the following script.

      1. # Update HOST0, HOST1 and HOST2 with the IPs of your hosts
      2. export HOST0=10.0.0.6
      3. export HOST1=10.0.0.7
      4. export HOST2=10.0.0.8
      5. # Update NAME0, NAME1 and NAME2 with the hostnames of your hosts
      6. export NAME0="infra0"
      7. export NAME1="infra1"
      8. export NAME2="infra2"
      9. # Create temp directories to store files that will end up on other hosts
      10. mkdir -p /tmp/${HOST0}/ /tmp/${HOST1}/ /tmp/${HOST2}/
      11. HOSTS=(${HOST0} ${HOST1} ${HOST2})
      12. NAMES=(${NAME0} ${NAME1} ${NAME2})
      13. for i in "${!HOSTS[@]}"; do
      14. HOST=${HOSTS[$i]}
      15. NAME=${NAMES[$i]}
      16. cat << EOF > /tmp/${HOST}/kubeadmcfg.yaml
      17. ---
      18. apiVersion: "kubeadm.k8s.io/v1beta3"
      19. kind: InitConfiguration
      20. nodeRegistration:
      21. name: ${NAME}
      22. localAPIEndpoint:
      23. advertiseAddress: ${HOST}
      24. ---
      25. apiVersion: "kubeadm.k8s.io/v1beta3"
      26. kind: ClusterConfiguration
      27. etcd:
      28. local:
      29. serverCertSANs:
      30. peerCertSANs:
      31. - "${HOST}"
      32. extraArgs:
      33. initial-cluster: ${NAMES[0]}=https://${HOSTS[0]}:2380,${NAMES[1]}=https://${HOSTS[1]}:2380,${NAMES[2]}=https://${HOSTS[2]}:2380
      34. initial-cluster-state: new
      35. listen-peer-urls: https://${HOST}:2380
      36. listen-client-urls: https://${HOST}:2379
      37. advertise-client-urls: https://${HOST}:2379
      38. initial-advertise-peer-urls: https://${HOST}:2380
      39. EOF
      40. done
    3. Generate the certificate authority.

      If you already have a CA then the only action that is copying the CA’s crt and key file to /etc/kubernetes/pki/etcd/ca.crt and /etc/kubernetes/pki/etcd/ca.key. After those files have been copied, proceed to the next step, “Create certificates for each member”.

      If you do not already have a CA then run this command on $HOST0 (where you generated the configuration files for kubeadm).

      This creates two files:

      • /etc/kubernetes/pki/etcd/ca.crt
      • /etc/kubernetes/pki/etcd/ca.key
    4. Create certificates for each member.

      1. kubeadm init phase certs etcd-server --config=/tmp/${HOST2}/kubeadmcfg.yaml
      2. kubeadm init phase certs etcd-peer --config=/tmp/${HOST2}/kubeadmcfg.yaml
      3. kubeadm init phase certs etcd-healthcheck-client --config=/tmp/${HOST2}/kubeadmcfg.yaml
      4. kubeadm init phase certs apiserver-etcd-client --config=/tmp/${HOST2}/kubeadmcfg.yaml
      5. cp -R /etc/kubernetes/pki /tmp/${HOST2}/
      6. # cleanup non-reusable certificates
      7. find /etc/kubernetes/pki -not -name ca.crt -not -name ca.key -type f -delete
      8. kubeadm init phase certs etcd-server --config=/tmp/${HOST1}/kubeadmcfg.yaml
      9. kubeadm init phase certs etcd-peer --config=/tmp/${HOST1}/kubeadmcfg.yaml
      10. kubeadm init phase certs etcd-healthcheck-client --config=/tmp/${HOST1}/kubeadmcfg.yaml
      11. kubeadm init phase certs apiserver-etcd-client --config=/tmp/${HOST1}/kubeadmcfg.yaml
      12. cp -R /etc/kubernetes/pki /tmp/${HOST1}/
      13. find /etc/kubernetes/pki -not -name ca.crt -not -name ca.key -type f -delete
      14. kubeadm init phase certs etcd-server --config=/tmp/${HOST0}/kubeadmcfg.yaml
      15. kubeadm init phase certs etcd-peer --config=/tmp/${HOST0}/kubeadmcfg.yaml
      16. kubeadm init phase certs etcd-healthcheck-client --config=/tmp/${HOST0}/kubeadmcfg.yaml
      17. kubeadm init phase certs apiserver-etcd-client --config=/tmp/${HOST0}/kubeadmcfg.yaml
      18. # No need to move the certs because they are for HOST0
      19. # clean up certs that should not be copied off this host
      20. find /tmp/${HOST2} -name ca.key -type f -delete
      21. find /tmp/${HOST1} -name ca.key -type f -delete
    5. Copy certificates and kubeadm configs.

      1. USER=ubuntu
      2. HOST=${HOST1}
      3. scp -r /tmp/${HOST}/* ${USER}@${HOST}:
      4. USER@HOST $ sudo -Es
      5. root@HOST $ chown -R root:root pki
    6. Ensure all expected files exist.

      The complete list of required files on $HOST0 is:

      On $HOST1:

      1. $HOME
      2. └── kubeadmcfg.yaml
      3. ---
      4. /etc/kubernetes/pki
      5. ├── apiserver-etcd-client.crt
      6. ├── apiserver-etcd-client.key
      7. └── etcd
      8. ├── ca.crt
      9. ├── healthcheck-client.crt
      10. ├── healthcheck-client.key
      11. ├── peer.crt
      12. ├── peer.key
      13. ├── server.crt
      14. └── server.key

      On $HOST2:

      1. $HOME
      2. └── kubeadmcfg.yaml
      3. ---
      4. /etc/kubernetes/pki
      5. ├── apiserver-etcd-client.crt
      6. ├── apiserver-etcd-client.key
      7. └── etcd
      8. ├── ca.crt
      9. ├── healthcheck-client.crt
      10. ├── healthcheck-client.key
      11. ├── peer.crt
      12. ├── peer.key
      13. ├── server.crt
      14. └── server.key
    7. Create the static pod manifests.

      Now that the certificates and configs are in place it’s time to create the manifests. On each host run the kubeadm command to generate a static manifest for etcd.

    8. Optional: Check the cluster health.

      If etcdctl isn’t available, you can run this tool inside a container image. You would do that directly with your container runtime using a tool such as crictl run and not through Kubernetes

      1. ETCDCTL_API=3 etcdctl \
      2. --cert /etc/kubernetes/pki/etcd/peer.crt \
      3. --key /etc/kubernetes/pki/etcd/peer.key \
      4. --cacert /etc/kubernetes/pki/etcd/ca.crt \
      5. --endpoints https://${HOST0}:2379 endpoint health
      6. ...
      7. https://[HOST0 IP]:2379 is healthy: successfully committed proposal: took = 16.283339ms
      8. https://[HOST1 IP]:2379 is healthy: successfully committed proposal: took = 19.44402ms
      9. https://[HOST2 IP]:2379 is healthy: successfully committed proposal: took = 35.926451ms
      • Set to the IP address of the host you are testing.