05-4. 部署高可用 kube-scheduler 集群

本文档介绍部署高可用 kube-scheduler 集群的步骤。

该集群包含 3 个节点,启动后将通过竞争选举机制产生一个 leader 节点,其它节点为阻塞状态。当 leader 节点不可用后,剩余节点将再次进行选举产生新的 leader 节点,从而保证服务的可用性。

为保证通信安全,本文档先生成 x509 证书和私钥,kube-scheduler 在如下两种情况下使用该证书:

  1. 与 kube-apiserver 的安全端口通信;
  2. 安全端口(https,10251) 输出 prometheus 格式的 metrics;

注意:如果没有特殊指明,本文档的所有操作均在 zhangjun-k8s-01 节点上执行

创建 kube-scheduler 证书和私钥

创建证书签名请求:

  1. cd /opt/k8s/work
  2. cat > kube-scheduler-csr.json <<EOF
  3. {
  4. "CN": "system:kube-scheduler",
  5. "hosts": [
  6. "127.0.0.1",
  7. "172.27.138.239",
  8. "172.27.137.229",
  9. "172.27.138.251"
  10. ],
  11. "key": {
  12. "algo": "rsa",
  13. "size": 2048
  14. },
  15. "names": [
  16. {
  17. "C": "CN",
  18. "ST": "BeiJing",
  19. "L": "BeiJing",
  20. "O": "system:kube-scheduler",
  21. "OU": "opsnull"
  22. }
  23. ]
  24. }
  25. EOF
  • hosts 列表包含所有 kube-scheduler 节点 IP;
  • CN 和 O 均为 system:kube-scheduler,kubernetes 内置的 ClusterRoleBindings system:kube-scheduler 将赋予 kube-scheduler 工作所需的权限;

生成证书和私钥:

  1. cd /opt/k8s/work
  2. cfssl gencert -ca=/opt/k8s/work/ca.pem \
  3. -ca-key=/opt/k8s/work/ca-key.pem \
  4. -config=/opt/k8s/work/ca-config.json \
  5. -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
  6. ls kube-scheduler*pem

将生成的证书和私钥分发到所有 master 节点:

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. for node_ip in ${NODE_IPS[@]}
  4. do
  5. echo ">>> ${node_ip}"
  6. scp kube-scheduler*.pem root@${node_ip}:/etc/kubernetes/cert/
  7. done

创建和分发 kubeconfig 文件

kube-scheduler 使用 kubeconfig 文件访问 apiserver,该文件提供了 apiserver 地址、嵌入的 CA 证书和 kube-scheduler 证书:

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. kubectl config set-cluster kubernetes \
  4. --certificate-authority=/opt/k8s/work/ca.pem \
  5. --embed-certs=true \
  6. --server="https://##NODE_IP##:6443" \
  7. --kubeconfig=kube-scheduler.kubeconfig
  8. kubectl config set-credentials system:kube-scheduler \
  9. --client-certificate=kube-scheduler.pem \
  10. --client-key=kube-scheduler-key.pem \
  11. --embed-certs=true \
  12. --kubeconfig=kube-scheduler.kubeconfig
  13. kubectl config set-context system:kube-scheduler \
  14. --cluster=kubernetes \
  15. --user=system:kube-scheduler \
  16. --kubeconfig=kube-scheduler.kubeconfig
  17. kubectl config use-context system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig

分发 kubeconfig 到所有 master 节点:

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. for node_ip in ${NODE_IPS[@]}
  4. do
  5. echo ">>> ${node_ip}"
  6. sed -e "s/##NODE_IP##/${node_ip}/" kube-scheduler.kubeconfig > kube-scheduler-${node_ip}.kubeconfig
  7. scp kube-scheduler-${node_ip}.kubeconfig root@${node_ip}:/etc/kubernetes/kube-scheduler.kubeconfig
  8. done

创建 kube-scheduler 配置文件

  1. cd /opt/k8s/work
  2. cat >kube-scheduler.yaml.template <<EOF
  3. apiVersion: kubescheduler.config.k8s.io/v1alpha1
  4. kind: KubeSchedulerConfiguration
  5. bindTimeoutSeconds: 600
  6. clientConnection:
  7. burst: 200
  8. kubeconfig: "/etc/kubernetes/kube-scheduler.kubeconfig"
  9. qps: 100
  10. enableContentionProfiling: false
  11. enableProfiling: true
  12. hardPodAffinitySymmetricWeight: 1
  13. healthzBindAddress: ##NODE_IP##:10251
  14. leaderElection:
  15. leaderElect: true
  16. metricsBindAddress: ##NODE_IP##:10251
  17. EOF
  • --kubeconfig:指定 kubeconfig 文件路径,kube-scheduler 使用它连接和验证 kube-apiserver;
  • --leader-elect=true:集群运行模式,启用选举功能;被选为 leader 的节点负责处理工作,其它节点为阻塞状态;

替换模板文件中的变量:

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. for (( i=0; i < 3; i++ ))
  4. do
  5. sed -e "s/##NODE_NAME##/${NODE_NAMES[i]}/" -e "s/##NODE_IP##/${NODE_IPS[i]}/" kube-scheduler.yaml.template > kube-scheduler-${NODE_IPS[i]}.yaml
  6. done
  7. ls kube-scheduler*.yaml
  • NODE_NAMES 和 NODE_IPS 为相同长度的 bash 数组,分别为节点名称和对应的 IP;

分发 kube-scheduler 配置文件到所有 master 节点:

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. for node_ip in ${NODE_IPS[@]}
  4. do
  5. echo ">>> ${node_ip}"
  6. scp kube-scheduler-${node_ip}.yaml root@${node_ip}:/etc/kubernetes/kube-scheduler.yaml
  7. done
  • 重命名为 kube-scheduler.yaml;

创建 kube-scheduler systemd unit 模板文件

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. cat > kube-scheduler.service.template <<EOF
  4. [Unit]
  5. Description=Kubernetes Scheduler
  6. Documentation=https://github.com/GoogleCloudPlatform/kubernetes
  7. [Service]
  8. WorkingDirectory=${K8S_DIR}/kube-scheduler
  9. ExecStart=/opt/k8s/bin/kube-scheduler \\
  10. --config=/etc/kubernetes/kube-scheduler.yaml \\
  11. --bind-address=##NODE_IP## \\
  12. --secure-port=10259 \\
  13. --port=0 \\
  14. --tls-cert-file=/etc/kubernetes/cert/kube-scheduler.pem \\
  15. --tls-private-key-file=/etc/kubernetes/cert/kube-scheduler-key.pem \\
  16. --authentication-kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \\
  17. --client-ca-file=/etc/kubernetes/cert/ca.pem \\
  18. --requestheader-allowed-names="" \\
  19. --requestheader-client-ca-file=/etc/kubernetes/cert/ca.pem \\
  20. --requestheader-extra-headers-prefix="X-Remote-Extra-" \\
  21. --requestheader-group-headers=X-Remote-Group \\
  22. --requestheader-username-headers=X-Remote-User \\
  23. --authorization-kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \\
  24. --logtostderr=true \\
  25. --v=2
  26. Restart=always
  27. RestartSec=5
  28. StartLimitInterval=0
  29. [Install]
  30. WantedBy=multi-user.target
  31. EOF

为各节点创建和分发 kube-scheduler systemd unit 文件

替换模板文件中的变量,为各节点创建 systemd unit 文件:

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. for (( i=0; i < 3; i++ ))
  4. do
  5. sed -e "s/##NODE_NAME##/${NODE_NAMES[i]}/" -e "s/##NODE_IP##/${NODE_IPS[i]}/" kube-scheduler.service.template > kube-scheduler-${NODE_IPS[i]}.service
  6. done
  7. ls kube-scheduler*.service

分发 systemd unit 文件到所有 master 节点:

  1. cd /opt/k8s/work
  2. source /opt/k8s/bin/environment.sh
  3. for node_ip in ${NODE_IPS[@]}
  4. do
  5. echo ">>> ${node_ip}"
  6. scp kube-scheduler-${node_ip}.service root@${node_ip}:/etc/systemd/system/kube-scheduler.service
  7. done

启动 kube-scheduler 服务

  1. source /opt/k8s/bin/environment.sh
  2. for node_ip in ${NODE_IPS[@]}
  3. do
  4. echo ">>> ${node_ip}"
  5. ssh root@${node_ip} "mkdir -p ${K8S_DIR}/kube-scheduler"
  6. ssh root@${node_ip} "systemctl daemon-reload && systemctl enable kube-scheduler && systemctl restart kube-scheduler"
  7. done

检查服务运行状态

  1. source /opt/k8s/bin/environment.sh
  2. for node_ip in ${NODE_IPS[@]}
  3. do
  4. echo ">>> ${node_ip}"
  5. ssh root@${node_ip} "systemctl status kube-scheduler|grep Active"
  6. done

确保状态为 active (running),否则查看日志,确认原因:

  1. journalctl -u kube-scheduler

查看输出的 metrics

注意:以下命令在 kube-scheduler 节点上执行。

kube-scheduler 监听 10251 和 10259 端口:

  • 10251:接收 http 请求,非安全端口,不需要认证授权;
  • 10259:接收 https 请求,安全端口,需要认证授权;

两个接口都对外提供 /metrics/healthz 的访问。

  1. $ sudo netstat -lnpt |grep kube-sch
  2. tcp 0 0 172.27.138.251:10251 0.0.0.0:* LISTEN 114702/kube-schedul
  3. tcp 0 0 172.27.138.251:10259 0.0.0.0:* LISTEN 114702/kube-schedul
  1. $ curl -s http://172.27.138.251:10251/metrics |head
  2. # HELP apiserver_audit_event_total Counter of audit events generated and sent to the audit backend.
  3. # TYPE apiserver_audit_event_total counter
  4. apiserver_audit_event_total 0
  5. # HELP apiserver_audit_requests_rejected_total Counter of apiserver requests rejected due to an error in audit logging backend.
  6. # TYPE apiserver_audit_requests_rejected_total counter
  7. apiserver_audit_requests_rejected_total 0
  8. # HELP apiserver_client_certificate_expiration_seconds Distribution of the remaining lifetime on the certificate used to authenticate a request.
  9. # TYPE apiserver_client_certificate_expiration_seconds histogram
  10. apiserver_client_certificate_expiration_seconds_bucket{le="0"} 0
  11. apiserver_client_certificate_expiration_seconds_bucket{le="1800"} 0
  1. $ curl -s --cacert /opt/k8s/work/ca.pem --cert /opt/k8s/work/admin.pem --key /opt/k8s/work/admin-key.pem https://172.27.138.251:10259/metrics |head
  2. # HELP apiserver_audit_event_total Counter of audit events generated and sent to the audit backend.
  3. # TYPE apiserver_audit_event_total counter
  4. apiserver_audit_event_total 0
  5. # HELP apiserver_audit_requests_rejected_total Counter of apiserver requests rejected due to an error in audit logging backend.
  6. # TYPE apiserver_audit_requests_rejected_total counter
  7. apiserver_audit_requests_rejected_total 0
  8. # HELP apiserver_client_certificate_expiration_seconds Distribution of the remaining lifetime on the certificate used to authenticate a request.
  9. # TYPE apiserver_client_certificate_expiration_seconds histogram
  10. apiserver_client_certificate_expiration_seconds_bucket{le="0"} 0
  11. apiserver_client_certificate_expiration_seconds_bucket{le="1800"} 0

查看当前的 leader

  1. $ kubectl get endpoints kube-scheduler --namespace=kube-system -o yaml
  2. apiVersion: v1
  3. kind: Endpoints
  4. metadata:
  5. annotations:
  6. control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"zhangjun-k8s-01_ce04632e-64e4-477e-b8f0-4e69020cd996","leaseDurationSeconds":15,"acquireTime":"2020-02-07T07:05:00Z","renewTime":"2020-02-07T07:05:28Z","leaderTransitions":0}'
  7. creationTimestamp: "2020-02-07T07:05:00Z"
  8. name: kube-scheduler
  9. namespace: kube-system
  10. resourceVersion: "756"
  11. selfLink: /api/v1/namespaces/kube-system/endpoints/kube-scheduler
  12. uid: 1b687724-a6e2-4404-9efb-a1f0e201fecc

可见,当前的 leader 为 zhangjun-k8s-01 节点。

测试 kube-scheduler 集群的高可用

随便找一个或两个 master 节点,停掉 kube-scheduler 服务,看其它节点是否获取了 leader 权限。