Deploying a Kubernetes Cluster with Ansible and Kubespray

Date: 2020-02-23 14:30:20  Source: igfitidea

There are several ways to deploy a production-ready Kubernetes cluster. In this article we focus on deploying a production-grade Kubernetes cluster with Ansible and Kubespray. Kubespray is a collection of Ansible playbooks, inventory, provisioning tools and domain knowledge for generic OS/Kubernetes cluster configuration management tasks.

With Kubespray you can quickly deploy a highly available Kubernetes cluster on AWS, GCE, Azure, OpenStack, vSphere, Packet (bare metal) or your own bare metal. It supports most popular Linux distributions, such as Debian, Ubuntu, CentOS, RHEL, Fedora, CoreOS, openSUSE and Oracle Linux 7.

For a different deployment approach, see:

Install a Production Kubernetes Cluster with Rancher RKE

For a semi-manual deployment, see:

Deploy a Kubernetes Cluster on CentOS 7/CentOS 8 with Ansible and Calico CNI

For a lightweight Kubernetes cluster suited to IoT and edge, try: How to Deploy a Lightweight Kubernetes Cluster in 5 Minutes with K3s

Infrastructure preparation

We first need to create the virtual machines/servers that will be used during the Kubernetes cluster deployment. This includes choosing the Linux distribution you prefer. In my setup I'll use CentOS 7 as the base operating system for all deployments.

My master/worker/etcd nodes will use the m1.medium flavor. If you expect heavy workloads in the cluster, pick a flavor with more resources.

$openstack flavor list
+----+-----------+-------+------+-----------+-------+-----------+
| ID | Name      |   RAM | Disk | Ephemeral | VCPUs | Is Public |
+----+-----------+-------+------+-----------+-------+-----------+
| 0  | m1.tiny   |  1024 |   10 |         0 |     1 | True      |
| 1  | m1.small  |  2048 |   20 |         0 |     1 | True      |
| 2  | m1.medium |  4096 |   20 |         0 |     2 | True      |
| 3  | m1.large  |  8192 |   40 |         0 |     4 | True      |
| 4  | m1.xlarge | 16384 |   40 |         0 |     4 | True      |
+----+-----------+-------+------+-----------+-------+-----------+

Create the virtual machines with the openstack CLI: three controller/etcd nodes and two worker nodes.

for i in master0 master1 master2 worker0 worker1; do
 openstack server create \
 --image CentOS-7 \
 --key-name jmutai \
 --flavor m1.medium \
 --security-group  7fffea2a-b756-473a-a13a-219dd0f1913a  \
 --network private  \
 $i
done

All controller nodes will also run the etcd service. These are the servers I created.

$openstack server list
+--------------------------------------+-------------------+--------+-----------------------------------+----------+-----------+
| ID                                   | Name              | Status | Networks                          | Image    | Flavor    |
+--------------------------------------+-------------------+--------+-----------------------------------+----------+-----------+
| 5eba57c8-859c-4edb-92d3-ba76d38b56d0 | worker1           | ACTIVE | private=10.10.1.122               | CentOS-7 | m1.medium |
| 72a63616-2ba0-4542-82eb-a64acb093216 | worker0           | ACTIVE | private=10.10.1.146               | CentOS-7 | m1.medium |
| b445424c-364f-4667-9de1-559282e23ce1 | master2           | ACTIVE | private=10.10.1.134               | CentOS-7 | m1.medium |
| 6a20fa48-8ae8-4a30-a301-af32dbb67277 | master1           | ACTIVE | private=10.10.1.194               | CentOS-7 | m1.medium |
| 29ad13aa-261f-47e8-8ba5-9350f8c09847 | master0           | ACTIVE | private=10.10.1.126               | CentOS-7 | m1.medium |
+--------------------------------------+-------------------+--------+-----------------------------------+----------+-----------+

Clone the Kubespray project

Clone the project repository. For a repeatable deployment, check out a tagged release (git checkout <tag>) rather than deploying whatever is on master; the playbook you run gets root on every node.

$git clone https://github.com/kubernetes-sigs/kubespray.git
Cloning into 'kubespray'...
remote: Enumerating objects: 17, done.
remote: Counting objects: 100% (17/17), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 38488 (delta 2), reused 2 (delta 0), pack-reused 38471
Receiving objects: 100% (38488/38488), 11.06 MiB | 548.00 KiB/s, done.
Resolving deltas: 100% (21473/21473), done.

Change into the project directory:

$cd kubespray

The directory contains the inventory files and playbooks used to deploy Kubernetes.

Prepare the local machine

On the local machine from which you will run the deployment, install the pip Python package manager.

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python get-pip.py --user

Create the Kubernetes cluster inventory file and install dependencies

The inventory is made up of three groups:

kube-node: list of Kubernetes nodes where pods will run.
kube-master: list of servers where the Kubernetes master components (apiserver, scheduler, controller manager) run.
etcd: list of servers that make up the etcd cluster. You should have at least 3 for failover.

There are also two special groups:

calico-rr: explained for advanced Calico networking cases.
bastion: configure a bastion host if your nodes are not directly reachable.

Create the inventory file:

cp -rfp inventory/sample inventory/mycluster

Define the inventory with the server IP addresses, mapping each server to the correct node role.

$vim inventory/mycluster/inventory.ini

master0   ansible_host=10.10.1.126 ip=10.10.1.126
master1   ansible_host=10.10.1.194 ip=10.10.1.194
master2   ansible_host=10.10.1.134 ip=10.10.1.134
worker0   ansible_host=10.10.1.146 ip=10.10.1.146
worker1   ansible_host=10.10.1.122 ip=10.10.1.122

# ## configure a bastion host if your nodes are not directly reachable
# bastion ansible_host=x.x.x.x ansible_user=some_user

[kube-master]
master0
master1
master2

[etcd]
master0
master1
master2

[kube-node]
worker0
worker1

[calico-rr]

[k8s-cluster:children]
kube-master
kube-node
calico-rr

Add the hosts to /etc/hosts on your workstation.

$sudo tee -a /etc/hosts <<EOF
10.10.1.126 master0
10.10.1.194 master1
10.10.1.134 master2
10.10.1.146 worker0
10.10.1.122 worker1
EOF

If your SSH private key has a passphrase, load it into ssh-agent before starting the deployment.

$eval `ssh-agent -s` && ssh-add
Agent pid 4516
Enter passphrase for /home/centos/.ssh/id_rsa: 
Identity added: /home/centos/.ssh/id_rsa (/home/centos/.ssh/id_rsa)

Install the dependencies from requirements.txt

pip install --user -r requirements.txt

Confirm the installation:

$ansible --version
ansible 2.7.12
  config file = /home/centos/kubespray/ansible.cfg
  configured module search path = [u'/home/centos/kubespray/library']
  ansible python module location = /home/centos/.local/lib/python2.7/site-packages/ansible
  executable location = /home/centos/.local/bin/ansible
  python version = 2.7.5 (default, Jun 20 2019, 20:27:34) [GCC 4.8.5 20140623 (Red Hat 4.8.5-36)]

Review and change the parameters under inventory/mycluster/group_vars

cat inventory/mycluster/group_vars/all/all.yml
cat inventory/mycluster/group_vars/k8s-cluster/k8s-cluster.yml
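As an added example (not from the article or from the Kubespray sample files), these are the group_vars settings that matter if you front the API servers with the external HAProxy load balancer configured later in this article. The address 10.10.1.100 and the name api.k8s.example.com are assumptions for the LB. Putting the LB address into the kube-apiserver certificate's Subject Alternative Names is what lets kubectl verify the certificate through the LB, instead of disabling verification with --insecure-skip-tls-verify.

```yaml
# inventory/mycluster/group_vars/k8s-cluster/k8s-cluster.yml
# (added example; 10.10.1.100 and api.k8s.example.com are assumed LB addresses)

# Extra addresses/names to include in the kube-apiserver serving certificate SANs.
# Any address clients connect to must be listed here, or TLS verification fails.
supplementary_addresses_in_ssl_keys:
  - 10.10.1.100
  - api.k8s.example.com

# Have Kubespray copy admin.conf to inventory/mycluster/artifacts/ on the Ansible
# host, so you do not need root access on a master to fetch the cluster-admin kubeconfig.
kubeconfig_localhost: true

# inventory/mycluster/group_vars/all/all.yml
# Kubespray's own external-LB setting: the address and domain name are added to the
# certificate SANs as well, and the LB becomes the API endpoint Kubespray advertises.
apiserver_loadbalancer_domain_name: "api.k8s.example.com"
loadbalancer_apiserver:
  address: 10.10.1.100
  port: 6443
```

Set these before running cluster.yml (or run cluster.yml again after changing them), then check that server: in the copied admin.conf points at the LB endpoint before you use it.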

Deploy the Kubernetes cluster with the Kubespray Ansible playbook

Now run the playbook to deploy production-ready Kubernetes with Ansible. Note that the target servers must be able to reach the Internet in order to pull Docker images.

Start a new tmux session so the deployment survives a dropped SSH connection.

tmux new -s kubespray

Start the deployment by running:

ansible-playbook -i inventory/mycluster/inventory.ini --become \
--user=centos --become-user=root cluster.yml

Replace centos with the remote user Ansible should connect to the nodes as. There should be no failed tasks in the playbook run.

Log in to one of the master nodes and check the cluster status.

$sudo su 

# kubectl config get-clusters 
NAME
cluster.local

# kubectl cluster-info 
Kubernetes master is running at https://10.10.1.126:6443
coredns is running at https://10.10.1.126:6443/api/v1/namespaces/kube-system/services/coredns:dns/proxy
kubernetes-dashboard is running at https://10.10.1.126:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

# kubectl config view 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://10.10.1.126:6443
  name: cluster.local
contexts:
- context:
    cluster: cluster.local
    user: kubernetes-admin
  name: kubernetes-admin@cluster.local
current-context: kubernetes-admin@cluster.local
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

# kubectl get nodes
NAME      STATUS   ROLES    AGE   VERSION
master0   Ready    master   23m   v1.15.3
master1   Ready    master   22m   v1.15.3
master2   Ready    master   22m   v1.15.3
worker0   Ready    <none>   22m   v1.15.3
worker1   Ready    <none>   22m   v1.15.3

# kubectl get endpoints -n kube-system
NAME                      ENDPOINTS                                                  AGE
coredns                   10.233.97.1:53,10.233.98.2:53,10.233.97.1:53 + 3 more…   78m
kube-controller-manager   <none>                                                     80m
kube-scheduler            <none>                                                     80m
kubernetes-dashboard      10.233.110.1:8443                                          78m

We can also check the pods running in the cluster under the kube-system namespace.

# kubectl get pods -n kube-system
NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-55c59dd474-fn7fj   1/1     Running   0          69m
calico-node-5fjcp                          1/1     Running   1          69m
calico-node-9rt6v                          1/1     Running   1          69m
calico-node-cx472                          1/1     Running   1          69m
calico-node-v7db8                          1/1     Running   0          69m
calico-node-x2cwz                          1/1     Running   1          69m
coredns-74c9d4d795-bsqk5                   1/1     Running   0          68m
coredns-74c9d4d795-bv5qh                   1/1     Running   0          69m
dns-autoscaler-7d95989447-ccpf4            1/1     Running   0          69m
kube-apiserver-master0                     1/1     Running   0          70m
kube-apiserver-master1                     1/1     Running   0          70m
kube-apiserver-master2                     1/1     Running   0          70m
kube-controller-manager-master0            1/1     Running   0          70m
kube-controller-manager-master1            1/1     Running   0          70m
kube-controller-manager-master2            1/1     Running   0          70m
kube-proxy-6mvwq                           1/1     Running   0          70m
kube-proxy-cp7f9                           1/1     Running   0          70m
kube-proxy-fkmqk                           1/1     Running   0          70m
kube-proxy-nlmsk                           1/1     Running   0          70m
kube-proxy-pzwjh                           1/1     Running   0          70m
kube-scheduler-master0                     1/1     Running   0          70m
kube-scheduler-master1                     1/1     Running   0          70m
kube-scheduler-master2                     1/1     Running   0          70m
kubernetes-dashboard-7c547b4c64-q92qk      1/1     Running   0          69m
nginx-proxy-worker0                        1/1     Running   0          70m
nginx-proxy-worker1                        1/1     Running   0          70m
nodelocaldns-6pjn8                         1/1     Running   0          69m
nodelocaldns-74lwl                         1/1     Running   0          69m
nodelocaldns-95ztp                         1/1     Running   0          69m
nodelocaldns-mx26s                         1/1     Running   0          69m
nodelocaldns-nmqbq                         1/1     Running   0          69m

Configure an HAProxy load balancer

Let's configure an external load balancer (LB) to give external clients access to the API, while the internal LB (the nginx-proxy pods on the worker nodes seen above) only accepts client connections on localhost. Install the HAProxy package on the server that will act as the load balancer.

sudo yum -y install haproxy

Configure the backend servers for the API in /etc/haproxy/haproxy.cfg.

listen k8s-apiserver-https
  bind *:6443
  mode tcp
  balance roundrobin
  timeout client 3h
  timeout server 3h
  # TCP passthrough: HAProxy does not terminate TLS, so clients still verify the
  # apiserver certificate, and the LB address must be in that certificate's SANs.
  # Health-check each master over TLS against /healthz. Without 'check' on the
  # server lines no health check runs at all and a dead master keeps receiving connections.
  option httpchk GET /healthz
  http-check expect status 200
  server master0 10.10.1.126:6443 check check-ssl verify none
  server master1 10.10.1.194:6443 check check-ssl verify none
  server master2 10.10.1.134:6443 check check-ssl verify none

Start and enable the haproxy service.

sudo systemctl enable --now haproxy

Check the service status.

$systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2019-09-08 15:47:44 EAT; 37s ago
 Main PID: 23051 (haproxy-systemd)
   CGroup: /system.slice/haproxy.service
           ├─23051 /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
           ├─23052 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
           └─23053 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds

Sep 08 15:47:44 envoy-nginx.novalocal systemd[1]: Started HAProxy Load Balancer.
Sep 08 15:47:44 envoy-nginx.novalocal haproxy-systemd-wrapper[23051]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/...d -Ds
Sep 08 15:47:44 envoy-nginx.novalocal haproxy-systemd-wrapper[23051]: [WARNING] 250/154744 (23052) : parsing [/etc/haproxy/haproxy.cfg:45] ...log'.
Sep 08 15:47:44 envoy-nginx.novalocal haproxy-systemd-wrapper[23051]: [WARNING] 250/154744 (23052) : config : 'option forwardfor' ignored f...mode.
Hint: Some lines were ellipsized, use -l to show in full.

Allow the service port through the firewall. If the load balancer has a public address, limit this rule to the client networks that need API access instead of opening 6443 to everyone.

$sudo firewall-cmd --add-port=6443/tcp --permanent
$sudo firewall-cmd --reload

External clients can now reach the API server through the load balancer we configured.

Fetch the kubeconfig file from /etc/kubernetes/admin.conf on one of the master servers. This file is owned by root with mode 0600 and holds a client certificate for kubernetes-admin, a member of system:masters, so it is a cluster-admin credential: copy it only over SSH, keep it on a machine you control, and consider setting kubeconfig_localhost: true in k8s-cluster.yml, which has Kubespray place a copy under inventory/mycluster/artifacts on the Ansible host.

$scp <user>@<master_IP>:/etc/kubernetes/admin.conf kubespray.conf

Then point the kubectl client at the downloaded file through the KUBECONFIG environment variable. As generated, admin.conf points at the first master (server: https://10.10.1.126:6443, as in the kubectl config view output above); to go through HAProxy, change server: to the load balancer's address. The kubeadm-issued API server certificate lists only the master addresses in its SANs, so a connection through an address that is missing from them fails verification, which the command below works around with --insecure-skip-tls-verify. That flag also removes the protection against a spoofed API server, so treat it as a temporary workaround: the proper fix is to add the LB address to supplementary_addresses_in_ssl_keys in group_vars and run cluster.yml again, after which a plain kubectl get nodes verifies the certificate.

$export KUBECONFIG=./kubespray.conf
$kubectl --insecure-skip-tls-verify get nodes
NAME      STATUS   ROLES    AGE   VERSION
master0   Ready    master   92m   v1.15.3
master1   Ready    master   91m   v1.15.3
master2   Ready    master   91m   v1.15.3
worker0   Ready    <none>   90m   v1.15.3
worker1   Ready    <none>   90m   v1.15.3
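Before removing --insecure-skip-tls-verify it is worth checking what the certificate reached through the LB actually contains. The following script is an added example (not from the article or from Kubespray): cert_sans and cert_has_ip_san parse a PEM certificate's Subject Alternative Names with openssl, fetch_leaf_cert pulls the leaf certificate from a live endpoint such as the LB, and make_sample_cert builds a constructed self-signed certificate with the article's master IPs (but not the LB) in its SANs so the script runs offline. The LB address 10.10.1.100 is an assumption.

```shell
#!/bin/sh
# Added example, not part of Kubespray or the original article.
# Checks whether an API server certificate lists a given address in its SANs, which is
# exactly what kubectl verifies when it connects through the load balancer.
set -eu

# Print the SAN entries of a PEM certificate, one per line, e.g. "IP Address:10.10.1.126".
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed only if the PEM certificate lists the given IP as a SAN (exact match).
cert_has_ip_san() {
  cert_sans "$1" | grep -qxF "IP Address:$2"
}

# Save the leaf certificate a live endpoint presents, e.g. fetch_leaf_cert 10.10.1.100:6443 lb.pem
# (10.10.1.100 is the assumed LB address). Needs network access, so it is not run below.
fetch_leaf_cert() {
  openssl s_client -connect "$1" -servername kubernetes </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
}

# Constructed sample: a self-signed certificate shaped like the one kubeadm issues,
# with the SANs given in $2. Usage: make_sample_cert out.pem "DNS:kubernetes, IP:10.10.1.126"
make_sample_cert() {
  cnf=$(mktemp); key=$(mktemp)
  cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = kube-apiserver
[v3]
subjectAltName = $2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$1" -days 1 \
    -config "$cnf" >/dev/null 2>&1
  rm -f "$cnf" "$key"
}

# Demo against the constructed certificate: the master IPs are present, the LB IP is not.
sample=$(mktemp)
make_sample_cert "$sample" "DNS:kubernetes, DNS:kubernetes.default.svc.cluster.local, IP:10.10.1.126, IP:10.10.1.194, IP:10.10.1.134"
echo "SANs in sample certificate:"
cert_sans "$sample"
for addr in 10.10.1.126 10.10.1.100; do
  if cert_has_ip_san "$sample" "$addr"; then
    echo "$addr: listed, kubectl can verify the certificate at this address"
  else
    echo "$addr: not listed, add it to supplementary_addresses_in_ssl_keys instead of using --insecure-skip-tls-verify"
  fi
done
rm -f "$sample"
```

Against a real cluster, run fetch_leaf_cert against the LB and pass the saved file to cert_has_ip_san with the LB address; only when that succeeds does dropping --insecure-skip-tls-verify work.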

Scale the Kubernetes cluster

You may want to add worker, master or etcd nodes to an existing cluster. This can be done by re-running the cluster.yml playbook, or, for workers, by running scale.yml, which targets only the bare minimum needed to get kubelet installed on the new worker and talking to the masters. Add the new node to the inventory in the appropriate group, then run the ansible-playbook command:

ansible-playbook -i inventory/mycluster/inventory.ini --become \
--user=centos --become-user=root -v cluster.yml


Access the Kubernetes Dashboard

If the variable dashboard_enabled is set (the default is true), you can reach the Kubernetes Dashboard at the following URL, where you will be prompted for credentials: https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login The login page accepts a bearer token or a kubeconfig file; use a service account token limited to the permissions you actually need rather than the cluster-admin credentials from admin.conf.

Alternatively, use the kubectl proxy command to create a proxy between your machine and the Kubernetes API server. By default it is only reachable locally, from the machine that started it.

First, check that kubectl is properly configured and has access to the cluster.

$kubectl cluster-info

Start the local proxy server.

$kubectl proxy
Starting to serve on 127.0.0.1:8001

Then open the dashboard locally in a browser at: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login

Set up dynamic volume provisioning

If you need dynamic provisioning of persistent volumes, see:

How to Set Up Kubernetes/OpenShift Dynamic Persistent Volume Provisioning with GlusterFS