本文章將說明如果您想要從頭建置一組具有Loadbalancer HA架構的Kubernetes Cluster時,你可能會需要做的事前準備工作。
本文將分成以下部分進行說明:
- 架構說明
- 防火牆規則說明
- 系統前置作業
- HA Loadbalancer建置
- DNS
- 結論
1. 架構說明
這次我們將建立一組3+3的kubernetes cluster,加上前端負載平衡所需要的2個節點組成本次LAB的整體架構。同時,將DNS服務也設定在Loadbalancer的節點上,利用HA機制避免DNS中斷的風險。此外,關於ETCD Cluster,官方有二種類型的架構方式,一種是完全獨立在外的External ETCD cluster(在另一篇文章中有說明),另一種就是本文將說明的將ETCD與Master節點整合在一起,如下圖所示:
Stacked etcd
2. 防火牆規則說明
以下針對不同角色說明firewall需要開放那些Port/Service:
- LB/DNS
- Controller Plane
- Compute Nodes
3. 系統前置作業
本次作業系統使用的是RHEL8,以下說明如何在RHEL8環境下搭配官方文件完成系統前置作業。
#---------------------------------------------------
# S3-1. 關閉SWAP
#---------------------------------------------------
[host]# swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
#---------------------------------------------------
# S3-2. 設定Firewalld (LB)
#---------------------------------------------------
[LB1]# vim set_firewall_lb.sh
#!/bin/bash
firewall-cmd --zone=public --add-port=53/tcp --permanent
firewall-cmd --zone=public --add-port=6443/tcp --permanent
firewall-cmd --zone=public --add-port=53/udp --permanent
firewall-cmd --add-rich-rule='rule protocol value="vrrp" accept' --permanent
firewall-cmd --reload
[LB1]# ./set_firewall_lb.sh ; firewall-cmd --list-all
#------------------------------------------------------
# S3-3. 設定Firewalld (control-planes)
#------------------------------------------------------
[root]# vim set_firewall_master.sh
#!/bin/bash
firewall-cmd --zone=public --add-service=kube-apiserver --permanent
firewall-cmd --zone=public --add-service=etcd-client --permanent
firewall-cmd --zone=public --add-service=etcd-server --permanent
firewall-cmd --zone=public --add-port=10250/tcp --permanent
firewall-cmd --zone=public --add-port=10251/tcp --permanent
firewall-cmd --zone=public --add-port=10252/tcp --permanent
firewall-cmd --reload
[root]# chmod +x set_firewall_master.sh ; ./set_firewall_master.sh
[root]# firewall-cmd --list-all
#------------------------------------------------------
# S3-4. 設定Firewalld (compute)
#------------------------------------------------------
[root]# vim set_firewall_worker.sh
#!/bin/bash
firewall-cmd --zone=public --add-port=10250/tcp --permanent
firewall-cmd --zone=public --add-port=30000-32767/tcp --permanent
firewall-cmd --reload
[root]# chomd +x set-firewall.sh ; firewall-cmd --list-all
#------------------------------------------------------
# S3-5. Package install (lbs)
#------------------------------------------------------
[lb01]# yum install haproxy bind keepalived
haproxy-1.8.27-5.el8.x86_64
rpcbind-1.2.5-10.el8.x86_64
keybinder3-0.3.2-4.el8.x86_64
bind-libs-9.11.36-8.el8.x86_64
python3-bind-9.11.36-8.el8.noarch
bind-license-9.11.36-8.el8.noarch
bind-libs-lite-9.11.36-8.el8.x86_64
bind-9.11.36-8.el8.x86_64
bind-utils-9.11.36-8.el8.x86_64
keepalived-2.1.5-9.el8.x86_64
#------------------------------------------------------
# S3-6. time sync (All nodes)
#------------------------------------------------------
[lb01]# systemctl enable --now chronyd
[lb01]# chronyc sources
time sync
4. HA Loadbalancer建置
這個部分將說明如何透過Keepalived + HAproxy的方式,架構出高可用性的軟體式的負載平衡。
負責將所有服務需求發送到可以處理的地方
簡單說明Keepalived,這個專案其實針對LVS開源專案的擴展強化,功能大致上與LVS相同,但是設定上簡單許多,許多企業都用這種方式來實現軟體負載平衡的高可用功能。所有訪問後端的流量會透過LVS調度器上的演算法決定如何分發到後端的Server來做處理。
詳細的原理與內容將以另一篇文章做說明,本文還是會著重在建置Kubernetes Cluster 過程中的實作。
VIP : 10.107.88.9
LB01: 10.107.88.20
LB02: 10.107.88.11
#-----------------------------------------------
# S4-1. Haproxy config (lb02同)
#-----------------------------------------------
[lb01]# cp /etc/haproxy/haproxy.cfg /data/install/haproxy.ori
[lb01]# vim /etc/haproxy/haproxy.cfg
....
frontend kube-apiserver
bind *:6443
mode tcp
option tcplog
default_backend kube-apiserver
backend kube-apiserver
mode tcp
option tcplog
option tcp-check
balance roundrobin
default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
server master01 10.107.88.12:6443 check
server master02 10.107.88.13:6443 check
server master03 10.107.88.14:6443 check
[lb01]# systemctl restart haproxy ; systemctl enable haproxy ; systemctl status
#-----------------------------------------------
# S4-2. config (lb01)
#-----------------------------------------------
[lb01]# vim /etc/sysctl.conf
net.ipv4.ip_nonlocal_bind=1
[lb01]# sysctl -p
[lb01]# cp /etc/keepalived/keepalived.conf /data/install/keepalived.conf.ori
[lb01]# vim /etc/keepalived/keepalived.conf
global_defs {
router_id lb01
}
vrrp_script health_chk {
script "killall -0 haproxy"
interval 2
weight -20
}
vrrp_instance VI_1 {
state MASTER
interface ens192
virtual_router_id 50
mcast_src_ip 10.107.88.20
priority 50
advert_int 1
authentication {
auty_type PASS
auth_pass root123
}
virtual_ipaddress {
10.107.88.9
}
track_script {
health_chk
}
}
[lb01]# systemctl enable --now keepalived ; systemctl status keepalived
#-----------------------------------------------
# S4-3. config (lb02)
#-----------------------------------------------
[lb02]# vim /etc/sysctl.conf
net.ipv4.ip_nonlocal_bind=1
[lb02]# sysctl -p
[lb02]# cp /etc/keepalived/keepalived.conf /data/install/keepalived.conf.ori
[lb02]# vim /etc/keepalived/keepalived.conf
global_defs {
router_id lb02
}
vrrp_script health_chk {
script "killall -0 haproxy"
interval 2
weight -20
}
vrrp_instance VI_1 {
virtual_router_id 50
state BACKUP
interface ens192
mcast_src_ip 10.107.88.11
advert_int 1
priority 40
authentication {
auty_type PASS
auth_pass root123
}
virtual_ipaddress {
10.107.88.9/24
}
track_script {
health_chk
}
}
[lb02]# systemctl enable --now keepalived ; systemctl status keepalived
#------------------------------------------------
# S4-3. Verify
#------------------------------------------------
[lb01]# ip a (VIP here)
[lb02]# ip a (no VIP)
[lb01]# systemctl stop keepalived
[lb02]# ip a (VIP appear)
5.DNS
#------------------------------------------------
# S5-1. name.conf (all lbs)
#------------------------------------------------
[lb01]# cp /etc/named.conf /data/install/named.conf.ori
[lb01]# vim /etc/named.conf
listen-on port 53 { any; };
allow-query { any; };
allow-transfer { any; };
[add]
zone "test.example.poc" IN {
type master;
file "named.test.example.poc.zone";
allow-update { none; };
};
zone "88.107.10.in-addr.arpa" IN {
type master;
file "named.10.107.88.zone";
allow-update { none; };
};
#------------------------------------------------
# S5-2. named.test.example.poc.zone (all lbs)
#------------------------------------------------
[lb01]# vim /var/named/named.test.example.poc.zone
$TTL 10
@ IN SOA vip.test.example.poc. root.test.example.poc. ( 2023103101 1D 2H 1W 2D )
@ IN NS vip.test.example.poc.
@ IN A 10.107.88.9
vip IN A 10.107.88.9
lb01 IN A 10.107.88.20
lb02 IN A 10.107.88.11
master01 IN A 10.107.88.12
master02 IN A 10.107.88.13
master03 IN A 10.107.88.14
worker01 IN A 10.107.88.15
worker02 IN A 10.107.88.16
worker03 IN A 10.107.88.17
#------------------------------------------------
# S5-3. named.10.107.88.zone (all lbs)
#------------------------------------------------
[lb01]# vim /var/named/named.10.107.88.zone
$TTL 1D
@ IN SOA vip.test.example.poc. root.test.example.poc. ( 2023103102 1D 2H 1W 2D )
@ IN NS vip.test.example.poc.
9 IN PTR vip.test.example.poc.
20 IN PTR lb01.test.example.poc.
11 IN PTR lb02.test.example.poc.
12 IN PTR master01.test.example.poc.
13 IN PTR master02.test.example.poc.
14 IN PTR master03.test.example.poc.
15 IN PTR worker01.test.example.poc.
16 IN PTR worker02.test.example.poc.
17 IN PTR worker03.test.example.poc.
[lb01]# systemctl enable --now named ; systemctl status named
[lb01]# dig master01.test.example.poc +short
[lb01]# dig -x 10.107.88.16 +short
6.結論
以上說明了建置 Kubernetes Cluster之前的系統準備工作,規劃前有以下幾個重點建議要考量:
(1)網路架構:正式環境一般會使用商用的Load Balancer(ex. F5),軟體方式建議在測試環境或是個人LAB時使用。另一個重點是IP使用範圍,會比較建議直接切一段專門提供給Kubernetes Cluster使用,未來如果要進行動態擴展時會更便利。
(2) ETCD cluster架構:不論是獨立出來或是與master節點共用都可以,規劃時可以針對服務的需求進行設計,主要的差異是在獨立出來會需要更多的系統資源,同時也等於要多三台節點需要管理。目前商用解決方娛較常看到的方式是與Master節點共存在一起的方式較多。
(3) 節點的效能規劃:先評估第一階段會移轉那些服務進入kubernetes cluster,以此為基本再增加所需要的資源配置,如果都不確定的情況下,我的習慣是會在官方的需求之上再增加20~40%左右,雖然資源後續都可以擴展,但是多多少少會增加管理上的負擔。
本篇就到這邊,下一文章將開始進行Kubernetes節點上的元件與相關建置流程。希望這篇文章對大家有幫助,我們下篇文章再見。
※ References:
