Kubernetes新手必看實務流程-Part1: RHEL環境準備

超健忘閒人

發佈於kubernetes怕忘記

2024/01/10閱讀時間約 20 分鐘

本文章將說明如果您想要從頭建置一組具有Loadbalancer HA架構的Kubernetes Cluster時，你可能會需要做的事前準備工作。

本文將分成以下部分進行說明：

架構說明
防火牆規則說明
系統前置作業
HA Loadbalancer建置
DNS
結論

1. 架構說明

這次我們將建立一組3+3的kubernetes cluster，加上前端負載平衡所需要的2個節點組成本次LAB的整體架構。同時，將DNS服務也設定在Loadbalancer的節點上，利用HA機制避免DNS中斷的風險。

此外，關於ETCD Cluster，官方有二種類型的架構方式，一種是完全獨立在外的External ETCD cluster(在另一篇文章中有說明)，另一種就是本文將說明的將ETCD與Master節點整合在一起，如下圖所示：

Stacked etcd

2. 防火牆規則說明

以下針對不同角色說明firewall需要開放那些Port/Service：

LB/DNS

Controller Plane

Compute Nodes

3. 系統前置作業

本次作業系統使用的是RHEL8，以下說明如何在RHEL8環境下搭配官方文件完成系統前置作業。

#---------------------------------------------------
# S3-1. 關閉SWAP
#---------------------------------------------------
[host]# swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

#---------------------------------------------------
# S3-2. 設定Firewalld (LB)
#---------------------------------------------------
[LB1]# vim set_firewall_lb.sh
#!/bin/bash
firewall-cmd --zone=public --add-port=53/tcp --permanent
firewall-cmd --zone=public --add-port=6443/tcp --permanent
firewall-cmd --zone=public --add-port=53/udp --permanent
firewall-cmd --add-rich-rule='rule protocol value="vrrp" accept' --permanent
firewall-cmd --reload

[LB1]# ./set_firewall_lb.sh ; firewall-cmd --list-all

#------------------------------------------------------
# S3-3. 設定Firewalld (control-planes)
#------------------------------------------------------
[root]# vim set_firewall_master.sh
#!/bin/bash
firewall-cmd --zone=public --add-service=kube-apiserver --permanent
firewall-cmd --zone=public --add-service=etcd-client --permanent
firewall-cmd --zone=public --add-service=etcd-server --permanent
firewall-cmd --zone=public --add-port=10250/tcp --permanent
firewall-cmd --zone=public --add-port=10251/tcp --permanent
firewall-cmd --zone=public --add-port=10252/tcp --permanent
firewall-cmd --reload
[root]# chmod +x set_firewall_master.sh ; ./set_firewall_master.sh
[root]# firewall-cmd --list-all

#------------------------------------------------------
# S3-4. 設定Firewalld (compute)
#------------------------------------------------------
[root]# vim set_firewall_worker.sh
#!/bin/bash
firewall-cmd --zone=public --add-port=10250/tcp --permanent
firewall-cmd --zone=public --add-port=30000-32767/tcp --permanent
firewall-cmd --reload
[root]# chomd +x set-firewall.sh ; firewall-cmd --list-all

#------------------------------------------------------
# S3-5. Package install (lbs)
#------------------------------------------------------
[lb01]# yum install haproxy bind keepalived
haproxy-1.8.27-5.el8.x86_64
rpcbind-1.2.5-10.el8.x86_64
keybinder3-0.3.2-4.el8.x86_64
bind-libs-9.11.36-8.el8.x86_64
python3-bind-9.11.36-8.el8.noarch
bind-license-9.11.36-8.el8.noarch
bind-libs-lite-9.11.36-8.el8.x86_64
bind-9.11.36-8.el8.x86_64
bind-utils-9.11.36-8.el8.x86_64
keepalived-2.1.5-9.el8.x86_64

#------------------------------------------------------
# S3-6. time sync (All nodes)
#------------------------------------------------------
[lb01]# systemctl enable --now chronyd
[lb01]# chronyc sources

time sync

4. HA Loadbalancer建置

這個部分將說明如何透過Keepalived + HAproxy的方式，架構出高可用性的軟體式的負載平衡。

負責將所有服務需求發送到可以處理的地方

簡單說明Keepalived，這個專案其實針對LVS開源專案的擴展強化，功能大致上與LVS相同，但是設定上簡單許多，許多企業都用這種方式來實現軟體負載平衡的高可用功能。所有訪問後端的流量會透過LVS調度器上的演算法決定如何分發到後端的Server來做處理。

詳細的原理與內容將以另一篇文章做說明，本文還是會著重在建置Kubernetes Cluster 過程中的實作。

VIP : 10.107.88.9

LB01: 10.107.88.20

LB02: 10.107.88.11

#-----------------------------------------------
# S4-1. Haproxy config (lb02同)
#-----------------------------------------------
[lb01]# cp /etc/haproxy/haproxy.cfg /data/install/haproxy.ori
[lb01]# vim /etc/haproxy/haproxy.cfg
....
frontend kube-apiserver
  bind *:6443
  mode tcp
  option tcplog
  default_backend kube-apiserver

backend kube-apiserver
    mode tcp
    option tcplog
    option tcp-check
    balance roundrobin
    default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
    server master01 10.107.88.12:6443 check
    server master02 10.107.88.13:6443 check
    server master03 10.107.88.14:6443 check

[lb01]# systemctl restart haproxy ; systemctl enable haproxy ; systemctl status

#-----------------------------------------------
# S4-2. config (lb01)
#-----------------------------------------------
[lb01]# vim /etc/sysctl.conf
net.ipv4.ip_nonlocal_bind=1
[lb01]# sysctl -p

[lb01]# cp /etc/keepalived/keepalived.conf /data/install/keepalived.conf.ori
[lb01]# vim /etc/keepalived/keepalived.conf
global_defs {
  router_id lb01
}
vrrp_script health_chk {
  script "killall -0 haproxy"
  interval 2
  weight -20
}
vrrp_instance VI_1 {
  state MASTER
  interface ens192
  virtual_router_id 50
  mcast_src_ip 10.107.88.20
  priority 50
  advert_int 1
  authentication {
   auty_type PASS
   auth_pass root123
  }
  virtual_ipaddress {
    10.107.88.9
  }
  track_script {
      health_chk
  }
}

[lb01]# systemctl enable --now keepalived ; systemctl status keepalived

#-----------------------------------------------
# S4-3. config (lb02)
#-----------------------------------------------
[lb02]# vim /etc/sysctl.conf
net.ipv4.ip_nonlocal_bind=1
[lb02]# sysctl -p

[lb02]# cp /etc/keepalived/keepalived.conf /data/install/keepalived.conf.ori
[lb02]# vim /etc/keepalived/keepalived.conf
global_defs {
  router_id lb02
}
vrrp_script health_chk {
  script "killall -0 haproxy"
  interval 2
  weight -20
}
vrrp_instance VI_1 {
  virtual_router_id 50
  state BACKUP
  interface ens192
  mcast_src_ip 10.107.88.11
  advert_int 1
  priority 40
  authentication {
   auty_type PASS
   auth_pass root123
  }
  virtual_ipaddress {
     10.107.88.9/24
  }
  track_script {
    health_chk
  }
}

[lb02]# systemctl enable --now keepalived ; systemctl status keepalived

#------------------------------------------------
# S4-3. Verify
#------------------------------------------------
[lb01]# ip a (VIP here)
[lb02]# ip a (no VIP)
[lb01]# systemctl stop keepalived
[lb02]# ip a (VIP appear)

5.DNS

#------------------------------------------------
# S5-1. name.conf (all lbs)
#------------------------------------------------
[lb01]# cp /etc/named.conf /data/install/named.conf.ori
[lb01]# vim /etc/named.conf
listen-on port 53 { any; };
allow-query { any; };
allow-transfer { any; };

[add]
zone "test.example.poc" IN {
  type master;
  file "named.test.example.poc.zone";
  allow-update { none; };
};

zone "88.107.10.in-addr.arpa" IN {
  type master;
  file "named.10.107.88.zone";
  allow-update { none; };
};

#------------------------------------------------
# S5-2. named.test.example.poc.zone (all lbs)
#------------------------------------------------
[lb01]# vim /var/named/named.test.example.poc.zone
$TTL 10
@       IN SOA  vip.test.example.poc. root.test.example.poc. ( 2023103101 1D 2H 1W 2D )
@       IN NS   vip.test.example.poc.
@       IN A    10.107.88.9
vip   IN A 10.107.88.9
lb01  IN A    10.107.88.20
lb02  IN A 10.107.88.11
master01 IN A 10.107.88.12
master02 IN A 10.107.88.13
master03 IN A 10.107.88.14
worker01 IN A 10.107.88.15
worker02 IN A 10.107.88.16
worker03 IN A 10.107.88.17

#------------------------------------------------
# S5-3. named.10.107.88.zone (all lbs)
#------------------------------------------------
[lb01]# vim /var/named/named.10.107.88.zone
$TTL 1D
@       IN SOA  vip.test.example.poc. root.test.example.poc. ( 2023103102 1D 2H 1W 2D )
@       IN NS   vip.test.example.poc.

9  IN PTR vip.test.example.poc.
20  IN PTR lb01.test.example.poc.
11  IN PTR lb02.test.example.poc.
12  IN PTR master01.test.example.poc.
13  IN PTR master02.test.example.poc.
14  IN PTR master03.test.example.poc.
15  IN PTR worker01.test.example.poc.
16  IN PTR worker02.test.example.poc.
17  IN PTR worker03.test.example.poc.

[lb01]# systemctl enable --now named ; systemctl status named
[lb01]# dig master01.test.example.poc +short
[lb01]# dig -x 10.107.88.16 +short