我的书签
添加书签
移除书签通过二进制方式安装
分步安装二进制高可用 karmada 集群。
前提条件
服务器
需要 3 个服务器,例如:
+---------------+-----------------+-----------------+| HostName | Host IP | Public IP |+---------------+-----------------+-----------------+| karmada-01 | 172.31.209.245 | 47.242.88.82 |+---------------+-----------------+-----------------+| karmada-02 | 172.31.209.246 | |+---------------+-----------------+-----------------+| karmada-03 | 172.31.209.247 | |+---------------+-----------------+-----------------+
公共 IP 不是必需的。这个 IP 用于从公网下载某些
karmada依赖组件,并通过公网连接到karmadaApiServer。
DNS 解析
对 karmada-01、karmada-02、karmada-03 执行操作。
vi /etc/hosts172.31.209.245 karmada-01172.31.209.246 karmada-02172.31.209.247 karmada-03
你也可以使用 “Linux 虚拟服务器”进行负载均衡,不更改 /etc/hosts 文件。
环境
karmada-01 需要以下环境。
Golang:编译 karmada 二进制文件 GCC:编译 nginx(使用云负载均衡时忽略此项)
编译并下载二进制文件
对 karmada-01 执行操作。
Kubernetes 二进制文件
下载 kubernetes 二进制文件包。
参阅本页下载不同版本和不同架构的二进制文件:https://kubernetes.io/releases/download/#binaries
wget https://dl.k8s.io/v1.23.3/kubernetes-server-linux-amd64.tar.gztar -zxvf kubernetes-server-linux-amd64.tar.gz --no-same-ownercd kubernetes/server/binmv kube-apiserver kube-controller-manager kubectl /usr/local/sbin/
etcd 二进制文件
下载 etcd 二进制文件包。
若要使用较新版本的 etcd,请参阅:https://etcd.io/docs/latest/install/
wget https://github.com/etcd-io/etcd/releases/download/v3.5.1/etcd-v3.5.1-linux-amd64.tar.gztar -zxvf etcd-v3.5.1-linux-amd64.tar.gz --no-same-ownercd etcd-v3.5.1-linux-amd64/mv etcdctl etcd /usr/local/sbin/
Karmada 二进制文件
从源代码编译 karmada 二进制文件。
git clone https://github.com/karmada-io/karmadacd karmadamake karmada-aggregated-apiserver karmada-controller-manager karmada-scheduler karmada-webhook karmadactl kubectl-karmadamv _output/bin/linux/amd64/* /usr/local/sbin/
Nginx 二进制文件
从源代码编译 nginx 二进制文件。
wget http://nginx.org/download/nginx-1.21.6.tar.gztar -zxvf nginx-1.21.6.tar.gzcd nginx-1.21.6./configure --with-stream --without-http --prefix=/usr/local/karmada-nginx --without-http_uwsgi_module --without-http_scgi_module --without-http_fastcgi_modulemake && make installmv /usr/local/karmada-nginx/sbin/nginx /usr/local/karmada-nginx/sbin/karmada-nginx
分发二进制文件
上传二进制文件到 karmada-02、karmada-03 服务器。
生成证书
步骤 1:创建 Bash 脚本和配置文件
此脚本将使用 openssl 命令生成证书。 下载此目录。
我们分开了 CA 和叶证书生成脚本,若你需要更改叶证书的主体备用名称(又名负载均衡器 IP),你可以重用 CA 证书,并运行 generate_leaf.sh 以仅生成叶证书。
有 3 个 CA:front-proxy-ca、server-ca、etcd/ca。 为什么我们需要 3 个 CA,请参见 PKI 证书和要求、CA 重用和冲突。
如果你使用他人提供的 etcd,可以忽略 generate_etcd.sh 和 csr_config/etcd。
步骤 2:更改 <SERVER_IP>
你需要将 csr_config/**/*.conf 文件中的 <SERVER_IP> 更改为”负载均衡器 IP” 和”服务器 IP”。 如果你仅使用负载均衡器访问服务器,你只需要填写”负载均衡器 IP”。
你正常不需要更改 *.sh 文件。
步骤 3:运行 Shell 脚本
$ ./generate_ca.sh$ ./generate_leaf.sh ca_cert/$ ./generate_etcd.sh
步骤 4:检查证书
你可以查看证书的配置,以 karmada.crt 为例。
openssl x509 -noout -text -in karmada.crt
步骤 5:创建 Karmada 配置目录
复制证书到 /etc/karmada/pki 目录。
mkdir -p /etc/karmada/pkicd ca_certcp -r * /etc/karmada/pkicd ../certcp -r * /etc/karmada/pki
创建 Karmada kubeconfig 文件和 etcd 加密密钥
对 karmada-01 执行操作。
创建 kubeconfig 文件
步骤 1:下载 bash 脚本
下载此文件。
步骤 2:执行 bash 脚本
172.31.209.245:5443 是针对 karmada-apiserver 的 nginx 代理的地址,我们将在后续设置。 你应将其替换为负载均衡器提供的 “host:port”。
./create_kubeconfig_file.sh "https://172.31.209.245:5443"
创建 etcd 加密密钥
如果你不需要加密 etcd 中的内容,请忽略本节和对应的 kube-apiserver 启动参数。
export ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)cat > /etc/karmada/encryption-config.yaml <<EOFkind: EncryptionConfigapiVersion: v1resources:- resources:- secretsproviders:- aescbc:keys:- name: key1secret: ${ENCRYPTION_KEY}- identity: {}EOF
分发文件
打包 karmada 配置文件并将其复制到其他节点。
cd /etctar -cvf karmada.tar karmadascp karmada.tar karmada-02:/etc/scp karmada.tar karmada-03:/etc/
karmada-02 和 karmada-03 需要解压缩归档文件。
cd /etctar -xvf karmada.tar
健康检查脚本
(1) 你可以使用以下 check_status.sh 检查所有组件是否健康。
下载此文件。
注:如果你使用的是 CentOS 7,则需要运行 yum update -y nss curl 来更新 curl 版本,这样 curl 才可能支持 tls 1.3。 如果 curl 仍然不支持 tls 1.3,你需要更新为包含较新 curl 的操作系统版本,或者直接使用 go 程序进行健康检查。
(2) 使用:./check_status.sh
安装 etcd 集群
对 karmada-01、karmada-02、karmada-03 执行操作。以 karmada-01 为例。
创建 Systemd 服务
/usr/lib/systemd/system/etcd.service
[Unit]Description=Etcd ServerAfter=network.targetAfter=network-online.targetWants=network-online.targetDocumentation=https://github.com/coreos[Service]Type=notifyWorkingDirectory=/var/lib/etcd/ExecStart=/usr/local/sbin/etcd \--advertise-client-urls https://172.31.209.245:2379 \--cert-file /etc/karmada/pki/etcd/server.crt \--client-cert-auth=true \--data-dir /var/lib/etcd \--initial-advertise-peer-urls https://172.31.209.245:2380 \--initial-cluster "karmada-01=https://172.31.209.245:2380,karmada-02=https://172.31.209.246:2380,karmada-03=https://172.31.209.247:2380" \--initial-cluster-state new \--initial-cluster-token etcd-cluster \--key-file /etc/karmada/pki/etcd/server.key \--listen-client-urls "https://172.31.209.245:2379,https://127.0.0.1:2379" \--listen-peer-urls "https://172.31.209.245:2380" \--name karmada-01 \--peer-cert-file /etc/karmada/pki/etcd/peer.crt \--peer-client-cert-auth=true \--peer-key-file /etc/karmada/pki/etcd/peer.key \--peer-trusted-ca-file /etc/karmada/pki/etcd/ca.crt \--snapshot-count 10000 \--trusted-ca-file /etc/karmada/pki/etcd/ca.crt \Restart=on-failureRestartSec=5LimitNOFILE=65536[Install]WantedBy=multi-user.target
注:
karmada-02和karmada-03需要更改的参数为:--name
--initial-advertise-peer-urls
--listen-peer-urls
--listen-client-urls
--advertise-client-urls
你可以使用
EnvironmentFile将可变配置与不可变配置分开。
启动 etcd 集群
3 个服务器必须执行以下命令创建 etcd 存储目录。
mkdir /var/lib/etcd/chmod 700 /var/lib/etcd
启动 etcd:
systemctl daemon-reloadsystemctl enable etcd.servicesystemctl start etcd.servicesystemctl status etcd.service
验证
etcdctl --cacert /etc/karmada/pki/etcd/ca.crt \--cert /etc/karmada/pki/etcd/healthcheck-client.crt \--key /etc/karmada/pki/etcd/healthcheck-client.key \--endpoints "172.31.209.245:2379,172.31.209.246:2379,172.31.209.247:2379" \endpoint status --write-out="table"+---------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+| ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |+---------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+| 172.31.209.245:2379 | 689151f8cbf4ee95 | 3.5.1 | 20 kB | false | false | 2 | 9 | 9 | || 172.31.209.246:2379 | 5db4dfb6ecc14de7 | 3.5.1 | 20 kB | true | false | 2 | 9 | 9 | || 172.31.209.247:2379 | 7e59eef3c816aa57 | 3.5.1 | 20 kB | false | false | 2 | 9 | 9 | |+---------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
安装 kube-apiserver
配置 Nginx
对 karmada-01 执行操作。
为 karmada apiserver 配置负载均衡。
/usr/local/karmada-nginx/conf/nginx.conf
worker_processes 2;events {worker_connections 1024;}stream {upstream backend {hash consistent;server 172.31.209.245:6443 max_fails=3 fail_timeout=30s;server 172.31.209.246:6443 max_fails=3 fail_timeout=30s;server 172.31.209.247:6443 max_fails=3 fail_timeout=30s;}server {listen 172.31.209.245:5443;proxy_connect_timeout 1s;proxy_pass backend;}}
/lib/systemd/system/karmada-nginx.service
[Unit]Description=The karmada karmada-apiserver nginx proxy serverAfter=syslog.target network-online.target remote-fs.target nss-lookup.targetWants=network-online.target[Service]Type=forkingExecStartPre=/usr/local/karmada-nginx/sbin/karmada-nginx -tExecStart=/usr/local/karmada-nginx/sbin/karmada-nginxExecReload=/usr/local/karmada-nginx/sbin/karmada-nginx -s reloadExecStop=/bin/kill -s QUIT $MAINPIDPrivateTmp=trueRestart=alwaysRestartSec=5StartLimitInterval=0LimitNOFILE=65536[Install]WantedBy=multi-user.target
启动 karmada nginx。
systemctl daemon-reloadsystemctl enable karmada-nginx.servicesystemctl start karmada-nginx.servicesystemctl status karmada-nginx.service
创建 kube-apiserver Systemd 服务
对 karmada-01、karmada-02、karmada-03 执行操作。以 karmada-01 为例。
/usr/lib/systemd/system/kube-apiserver.service
[Unit]Description=Kubernetes API ServerDocumentation=https://kubernetes.io/docs/home/After=network.target[Service]# 如果你不需要加密 etcd,移除 --encryption-provider-configExecStart=/usr/local/sbin/kube-apiserver \--allow-privileged=true \--anonymous-auth=false \--audit-webhook-batch-buffer-size 30000 \--audit-webhook-batch-max-size 800 \--authorization-mode "Node,RBAC" \--bind-address 0.0.0.0 \--client-ca-file /etc/karmada/pki/server-ca.crt \--default-watch-cache-size 200 \--delete-collection-workers 2 \--disable-admission-plugins "StorageObjectInUseProtection,ServiceAccount" \--enable-admission-plugins "NodeRestriction" \--enable-bootstrap-token-auth \--encryption-provider-config "/etc/karmada/encryption-config.yaml" \--etcd-cafile /etc/karmada/pki/etcd/ca.crt \--etcd-certfile /etc/karmada/pki/etcd/apiserver-etcd-client.crt \--etcd-keyfile /etc/karmada/pki/etcd/apiserver-etcd-client.key \--etcd-servers "https://172.31.209.245:2379,https://172.31.209.246:2379,https://172.31.209.247:2379" \--insecure-port 0 \--logtostderr=true \--max-mutating-requests-inflight 2000 \--max-requests-inflight 4000 \--proxy-client-cert-file /etc/karmada/pki/front-proxy-client.crt \--proxy-client-key-file /etc/karmada/pki/front-proxy-client.key \--requestheader-allowed-names "front-proxy-client" \--requestheader-client-ca-file /etc/karmada/pki/front-proxy-ca.crt \--requestheader-extra-headers-prefix "X-Remote-Extra-" \--requestheader-group-headers "X-Remote-Group" \--requestheader-username-headers "X-Remote-User" \--runtime-config "api/all=true" \--secure-port 6443 \--service-account-issuer "https://kubernetes.default.svc.cluster.local" \--service-account-key-file /etc/karmada/pki/sa.pub \--service-account-signing-key-file /etc/karmada/pki/sa.key \--service-cluster-ip-range "10.254.0.0/16" \--tls-cert-file /etc/karmada/pki/kube-apiserver.crt \--tls-private-key-file /etc/karmada/pki/kube-apiserver.key \Restart=on-failureRestartSec=5Type=notifyLimitNOFILE=65536[Install]WantedBy=multi-user.target
启动 kube-apiserver
3 个服务器必须执行以下命令:
systemctl daemon-reloadsystemctl enable kube-apiserver.servicesystemctl start kube-apiserver.servicesystemctl status kube-apiserver.service
验证
$ ./check_status.sh###### 开始检查 kube-apiserver[+]ping ok[+]log ok[+]etcd ok[+]poststarthook/start-kube-apiserver-admission-initializer ok[+]poststarthook/generic-apiserver-start-informers ok[+]poststarthook/priority-and-fairness-config-consumer ok[+]poststarthook/priority-and-fairness-filter ok[+]poststarthook/start-apiextensions-informers ok[+]poststarthook/start-apiextensions-controllers ok[+]poststarthook/crd-informer-synced ok[+]poststarthook/bootstrap-controller ok[+]poststarthook/rbac/bootstrap-roles ok[+]poststarthook/scheduling/bootstrap-system-priority-classes ok[+]poststarthook/priority-and-fairness-config-producer ok[+]poststarthook/start-cluster-authentication-info-controller ok[+]poststarthook/aggregator-reload-proxy-client-cert ok[+]poststarthook/start-kube-aggregator-informers ok[+]poststarthook/apiservice-registration-controller ok[+]poststarthook/apiservice-status-available-controller ok[+]poststarthook/kube-apiserver-autoregistration ok[+]autoregister-completion ok[+]poststarthook/apiservice-openapi-controller oklivez check passed###### kube-apiserver 检查成功
安装 karmada-aggregated-apiserver
首先,创建 namespace 并绑定 cluster admin role。对 karmada-01 执行操作。
kubectl create ns karmada-systemkubectl create clusterrolebinding cluster-admin:karmada --clusterrole=cluster-admin --user system:karmada
然后,类似 karmada-webhook,为高可用使用 nginx。
修改 nginx 配置并添加以下配置。对 karmada-01 执行以下操作。
cat /usr/local/karmada-nginx/conf/nginx.confworker_processes 2;events {worker_connections 1024;}stream {upstream backend {hash consistent;server 172.31.209.245:6443 max_fails=3 fail_timeout=30s;server 172.31.209.246:6443 max_fails=3 fail_timeout=30s;server 172.31.209.247:6443 max_fails=3 fail_timeout=30s;}upstream webhook {hash consistent;server 172.31.209.245:8443 max_fails=3 fail_timeout=30s;server 172.31.209.246:8443 max_fails=3 fail_timeout=30s;server 172.31.209.247:8443 max_fails=3 fail_timeout=30s;}upstream aa {hash consistent;server 172.31.209.245:7443 max_fails=3 fail_timeout=30s;server 172.31.209.246:7443 max_fails=3 fail_timeout=30s;server 172.31.209.247:7443 max_fails=3 fail_timeout=30s;}server {listen 172.31.209.245:5443;proxy_connect_timeout 1s;proxy_pass backend;}server {listen 172.31.209.245:4443;proxy_connect_timeout 1s;proxy_pass webhook;}server {listen 172.31.209.245:443;proxy_connect_timeout 1s;proxy_pass aa;}}
重新加载 nginx 配置。
systemctl restart karmada-nginx
创建 Systemd 服务
对 karmada-01、karmada-02、karmada-03 执行操作。以 karmada-01 为例。
/usr/lib/systemd/system/karmada-aggregated-apiserver.service
[Unit]Description=Karmada Aggregated ApiServerDocumentation=https://github.com/karmada-io/karmada[Service]ExecStart=/usr/local/sbin/karmada-aggregated-apiserver \--audit-log-maxage 0 \--audit-log-maxbackup 0 \--audit-log-path - \--authentication-kubeconfig /etc/karmada/karmada.kubeconfig \--authorization-kubeconfig /etc/karmada/karmada.kubeconfig \--etcd-cafile /etc/karmada/pki/etcd/ca.crt \--etcd-certfile /etc/karmada/pki/etcd/apiserver-etcd-client.crt \--etcd-keyfile /etc/karmada/pki/etcd/apiserver-etcd-client.key \--etcd-servers "https://172.31.209.245:2379,https://172.31.209.246:2379,https://172.31.209.247:2379" \--feature-gates "APIPriorityAndFairness=false" \--kubeconfig /etc/karmada/karmada.kubeconfig \--logtostderr=true \--secure-port 7443 \--tls-cert-file /etc/karmada/pki/karmada.crt \--tls-private-key-file /etc/karmada/pki/karmada.key \Restart=on-failureRestartSec=5LimitNOFILE=65536[Install]WantedBy=multi-user.target
启动 karmada-aggregated-apiserver
systemctl daemon-reloadsystemctl enable karmada-aggregated-apiserver.servicesystemctl start karmada-aggregated-apiserver.servicesystemctl status karmada-aggregated-apiserver.service
创建 APIService
externalName 是 nginx 所在的主机名 (karmada-01)。
(1) 创建文件:karmada-aggregated-apiserver-apiservice.yaml
apiVersion: apiregistration.k8s.io/v1kind: APIServicemetadata:name: v1alpha1.cluster.karmada.iolabels:app: karmada-aggregated-apiserverapiserver: "true"spec:insecureSkipTLSVerify: truegroup: cluster.karmada.iogroupPriorityMinimum: 2000service:name: karmada-aggregated-apiservernamespace: karmada-systemport: 443version: v1alpha1versionPriority: 10---apiVersion: v1kind: Servicemetadata:name: karmada-aggregated-apiservernamespace: karmada-systemspec:type: ExternalNameexternalName: karmada-01
(2) kubectl create -f karmada-aggregated-apiserver-apiservice.yaml
验证
$ ./check_status.sh###### 开始检查 karmada-aggregated-apiserver[+]ping ok[+]log ok[+]etcd ok[+]poststarthook/generic-apiserver-start-informers ok[+]poststarthook/max-in-flight-filter ok[+]poststarthook/start-aggregated-server-informers oklivez check passed###### karmada-aggregated-apiserver 检查成功
安装 kube-controller-manager
对 karmada-01、karmada-02、karmada-03 执行操作。以 karmada-01 为例。
创建 Systemd 服务
/usr/lib/systemd/system/kube-controller-manager.service
[Unit]Description=Kubernetes Controller ManagerDocumentation=https://kubernetes.io/docs/home/After=network.target[Service]ExecStart=/usr/local/sbin/kube-controller-manager \--authentication-kubeconfig /etc/karmada/kube-controller-manager.kubeconfig \--authorization-kubeconfig /etc/karmada/kube-controller-manager.kubeconfig \--bind-address "0.0.0.0" \--client-ca-file /etc/karmada/pki/server-ca.crt \--cluster-name karmada \--cluster-signing-cert-file /etc/karmada/pki/server-ca.crt \--cluster-signing-key-file /etc/karmada/pki/server-ca.key \--concurrent-deployment-syncs 10 \--concurrent-gc-syncs 30 \--concurrent-service-syncs 1 \--controllers "namespace,garbagecollector,serviceaccount-token" \--feature-gates "RotateKubeletServerCertificate=true" \--horizontal-pod-autoscaler-sync-period 10s \--kube-api-burst 2000 \--kube-api-qps 1000 \--kubeconfig /etc/karmada/kube-controller-manager.kubeconfig \--leader-elect \--logtostderr=true \--node-cidr-mask-size 24 \--pod-eviction-timeout 5m \--requestheader-allowed-names "front-proxy-client" \--requestheader-client-ca-file /etc/karmada/pki/front-proxy-ca.crt \--requestheader-extra-headers-prefix "X-Remote-Extra-" \--requestheader-group-headers "X-Remote-Group" \--requestheader-username-headers "X-Remote-User" \--root-ca-file /etc/karmada/pki/server-ca.crt \--service-account-private-key-file /etc/karmada/pki/sa.key \--service-cluster-ip-range "10.254.0.0/16" \--terminated-pod-gc-threshold 10000 \--tls-cert-file /etc/karmada/pki/kube-controller-manager.crt \--tls-private-key-file /etc/karmada/pki/kube-controller-manager.key \--use-service-account-credentials \--v 4 \Restart=on-failureRestartSec=5LimitNOFILE=65536[Install]WantedBy=multi-user.target
启动 kube-controller-manager
systemctl daemon-reloadsystemctl enable kube-controller-manager.servicesystemctl start kube-controller-manager.servicesystemctl status kube-controller-manager.service
验证
$ ./check_status.sh###### 开始检查 kube-controller-manager[+]leaderElection okhealthz check passed###### kube-controller-manager 检查成功
安装 karmada-controller-manager
创建 Systemd 服务
对 karmada-01、karmada-02、karmada-03 执行操作。以 karmada-01 为例。
/usr/lib/systemd/system/karmada-controller-manager.service
[Unit]Description=Karmada Controller ManagerDocumentation=https://github.com/karmada-io/karmada[Service]ExecStart=/usr/local/sbin/karmada-controller-manager \--bind-address 0.0.0.0 \--cluster-status-update-frequency 10s \--kubeconfig /etc/karmada/karmada.kubeconfig \--logtostderr=true \--metrics-bind-address ":10358" \--secure-port 10357 \--v=4 \Restart=on-failureRestartSec=5LimitNOFILE=65536[Install]WantedBy=multi-user.target
启动 karmada-controller-manager
systemctl daemon-reloadsystemctl enable karmada-controller-manager.servicesystemctl start karmada-controller-manager.servicesystemctl status karmada-controller-manager.service
验证
$ ./check_status.sh###### 开始检查 karmada-controller-manager[+]ping okhealthz check passed###### karmada-controller-manager 检查成功
安装 karmada-scheduler
创建 Systemd Service
对 karmada-01、karmada-02、karmada-03 执行操作。以 karmada-01 为例。
/usr/lib/systemd/system/karmada-scheduler.service
[Unit]Description=Karmada SchedulerDocumentation=https://github.com/karmada-io/karmada[Service]ExecStart=/usr/local/sbin/karmada-scheduler \--bind-address 0.0.0.0 \--enable-scheduler-estimator=true \--kubeconfig /etc/karmada/karmada.kubeconfig \--logtostderr=true \--scheduler-estimator-port 10352 \--secure-port 10511 \--v=4 \Restart=on-failureRestartSec=5LimitNOFILE=65536[Install]WantedBy=multi-user.target
启动 karmada-scheduler
systemctl daemon-reloadsystemctl enable karmada-scheduler.servicesystemctl start karmada-scheduler.servicesystemctl status karmada-scheduler.service
验证
$ ./check_status.sh###### 开始检查 karmada-schedulerok###### karmada-scheduler 检查成功
安装 karmada-webhook
karmada-webhook 不同于 scheduler 和 controller-manager,其高可用需要用 nginx 实现。
修改 nginx 配置并添加以下配置。对 karmada-01 执行以下操作。
cat /usr/local/karmada-nginx/conf/nginx.confworker_processes 2;events {worker_connections 1024;}stream {upstream backend {hash consistent;server 172.31.209.245:6443 max_fails=3 fail_timeout=30s;server 172.31.209.246:6443 max_fails=3 fail_timeout=30s;server 172.31.209.247:6443 max_fails=3 fail_timeout=30s;}upstream webhook {hash consistent;server 172.31.209.245:8443 max_fails=3 fail_timeout=30s;server 172.31.209.246:8443 max_fails=3 fail_timeout=30s;server 172.31.209.247:8443 max_fails=3 fail_timeout=30s;}server {listen 172.31.209.245:5443;proxy_connect_timeout 1s;proxy_pass backend;}server {listen 172.31.209.245:4443;proxy_connect_timeout 1s;proxy_pass webhook;}}
重新加载 nginx 配置。
systemctl restart karmada-nginx
创建 Systemd 服务
对 karmada-01、karmada-02、karmada-03 执行操作。以 karmada-01 为例。
/usr/lib/systemd/system/karmada-webhook.service
[Unit]Description=Karmada WebhookDocumentation=https://github.com/karmada-io/karmada[Service]ExecStart=/usr/local/sbin/karmada-webhook \--bind-address 0.0.0.0 \--cert-dir /etc/karmada/pki \--health-probe-bind-address ":8444" \--kubeconfig /etc/karmada/karmada.kubeconfig \--logtostderr=true \--metrics-bind-address ":8445" \--secure-port 8443 \--tls-cert-file-name "karmada.crt" \--tls-private-key-file-name "karmada.key" \--v=4 \Restart=on-failureRestartSec=5LimitNOFILE=65536[Install]WantedBy=multi-user.target
启动 karmada-webook
systemctl daemon-reloadsystemctl enable karmada-webhook.servicesystemctl start karmada-webhook.servicesystemctl status karmada-webhook.service
配置 karmada-webhook
下载 webhook-configuration.yaml 文件:https://github.com/karmada-io/karmada/blob/master/artifacts/deploy/webhook-configuration.yaml
ca_string=$(cat /etc/karmada/pki/server-ca.crt | base64 | tr "\n" " "|sed s/[[:space:]]//g)sed -i "s/{{caBundle}}/${ca_string}/g" webhook-configuration.yaml# 你需要将 172.31.209.245:4443 更改为你的负载均衡器 host:port。sed -i 's/karmada-webhook.karmada-system.svc:443/172.31.209.245:4443/g' webhook-configuration.yamlkubectl create -f webhook-configuration.yaml
验证
$ ./check_status.sh###### 开始检查 karmada-webhookok###### karmada-webhook 检查成功
初始化 Karmada
对 karmada-01 执行以下操作。
git clone https://github.com/karmada-io/karmadacd karmada/charts/karmada/_crds/baseskubectl apply -f .cd ../patches/ca_string=$(cat /etc/karmada/pki/server-ca.crt | base64 | tr "\n" " "|sed s/[[:space:]]//g)sed -i "s/{{caBundle}}/${ca_string}/g" webhook_in_resourcebindings.yamlsed -i "s/{{caBundle}}/${ca_string}/g" webhook_in_clusterresourcebindings.yaml# 你需要将 172.31.209.245:4443 更改为你的负载均衡器 host:port。sed -i 's/karmada-webhook.karmada-system.svc:443/172.31.209.245:4443/g' webhook_in_resourcebindings.yamlsed -i 's/karmada-webhook.karmada-system.svc:443/172.31.209.245:4443/g' webhook_in_clusterresourcebindings.yamlkubectl patch CustomResourceDefinition resourcebindings.work.karmada.io --patch-file webhook_in_resourcebindings.yamlkubectl patch CustomResourceDefinition clusterresourcebindings.work.karmada.io --patch-file webhook_in_clusterresourcebindings.yaml
此时,Karmada基础组件已经安装完毕,此时,你可以接入集群;如果想使用karmadactl聚合查询,需要运行如下命令:
cat <<EOF | kubectl --kubeconfig=/etc/karmada/admin.kubeconfig apply -f -apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRolemetadata:name: cluster-proxy-clusterrolerules:- apiGroups:- 'cluster.karmada.io'resources:- clusters/proxyverbs:- '*'---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:name: cluster-proxy-clusterrolebindingroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: cluster-proxy-clusterrolesubjects:- kind: Username: admin #这里为证书的用户名# The token generated by the serviceaccount can parse the group information. Therefore, you need to specify the group information below.- kind: Groupname: "system:masters" #这里为证书的group信息EOF
安装 karmada-scheduler-estimator(选装)
karmada-scheduler 使用 gRPC 访问 karmada-scheduler-estimator。你可以将 “Linux 虚拟服务器”用作负载均衡器。
你需要先部署上述组件并将成员集群接入到 Karmada 控制面。请参见安装 Karmada 到你自己的集群。
创建 Systemd 服务
在以下示例中,”/etc/karmada/physical-machine-karmada-member-1.kubeconfig” 是已接入成员集群的 kubeconfig 文件。
对 karmada-01、karmada-02、karmada-03 执行操作。以 karmada-01 为例。
/usr/lib/systemd/system/karmada-scheduler-estimator.service
[Unit]Description=Karmada Scheduler EstimatorDocumentation=https://github.com/karmada-io/karmada[Service]# 你需要更改 `--cluster-name` `--kubeconfig`ExecStart=/usr/local/sbin/karmada-scheduler-estimator \--cluster-name "physical-machine-karmada-member-1" \--kubeconfig "/etc/karmada/physical-machine-karmada-member-1.kubeconfig" \--logtostderr=true \--server-port 10352 \Restart=on-failureRestartSec=5LimitNOFILE=65536[Install]WantedBy=multi-user.target
启动 karmada-scheduler-estimator
systemctl daemon-reloadsystemctl enable karmada-scheduler-estimator.servicesystemctl start karmada-scheduler-estimator.servicesystemctl status karmada-scheduler-estimator.service
创建服务
(1) 创建 karmada-scheduler-estimator.yaml
apiVersion: v1kind: Servicemetadata:name: karmada-scheduler-estimator-{{MEMBER_CLUSTER_NAME}}namespace: karmada-systemlabels:cluster: {{MEMBER_CLUSTER_NAME}}spec:ports:- protocol: TCPport: {{PORT}}targetPort: {{TARGET_PORT}}type: ExternalNameexternalName: {{EXTERNAL_NAME}}
{{PORT}}: “—scheduler-estimator-port” parameter of “karmada-scheduler”.
{{TARGET_PORT}}: LoadBalancer IP.
{{EXTERNAL_NAME}}: LoadBalancer Host.
{{MEMBER_CLUSTER_NAME}}: Member Cluster Name
(2) 创建服务
kubectl create --kubeconfig "/etc/karmada/admin.kubeconfig" -f karmada-scheduler-estimator.yaml
验证
$ ./check_status.sh###### 开始检查 karmada-scheduler-estimatorok###### karmada-scheduler-estimator 检查成功
故障排查
karmada-scheduler需要一些时间才能找到新的karmada-scheduler-estimator。如果你不想等,可以直接重启 karmada-scheduler。
systemctl restart karmada-scheduler.service
安装 karmada-search(选装)
创建 Systemd 服务
对 karmada-01、karmada-02、karmada-03 执行操作。以 karmada-01 为例。
/usr/lib/systemd/system/karmada-search.service
[Unit]Description=Karmada SearchDocumentation=https://github.com/karmada-io/karmada[Service]ExecStart=/usr/local/sbin/karmada-search \--audit-log-maxage 0 \--audit-log-maxbackup 0 \--audit-log-path - \--authentication-kubeconfig /etc/karmada/karmada.kubeconfig \--authorization-kubeconfig /etc/karmada/karmada.kubeconfig \--etcd-cafile /etc/karmada/pki/etcd/ca.crt \--etcd-certfile /etc/karmada/pki/etcd/apiserver-etcd-client.crt \--etcd-keyfile /etc/karmada/pki/etcd/apiserver-etcd-client.key \--etcd-servers "https://172.31.209.245:2379,https://172.31.209.246:2379,https://172.31.209.247:2379" \--feature-gates "APIPriorityAndFairness=false" \--kubeconfig /etc/karmada/karmada.kubeconfig \--logtostderr=true \--secure-port 9443 \--tls-cert-file /etc/karmada/pki/karmada.crt \--tls-private-key-file /etc/karmada/pki/karmada.key \Restart=on-failureRestartSec=5LimitNOFILE=65536[Install]WantedBy=multi-user.target
启动 karmada-search
systemctl daemon-reloadsystemctl enable karmada-search.servicesystemctl start karmada-search.servicesystemctl status karmada-search.service
验证
$ ./check_status.sh###### 开始检查 karmada-search[+]ping ok[+]log ok[+]etcd ok[+]poststarthook/generic-apiserver-start-informers ok[+]poststarthook/max-in-flight-filter ok[+]poststarthook/start-karmada-search-informers ok[+]poststarthook/start-karmada-informers ok[+]poststarthook/start-karmada-search-controller ok[+]poststarthook/start-karmada-proxy-controller oklivez check passed###### karmada-search 检查成功
