#(1)规划
master01:192.168.19.128
master02:192.168.19.129
VIP : 192.168.19.133
#(2)在跳板机上更新master证书并把证书发送到master上（新证书的hosts必须包含VIP 192.168.19.133，否则客户端改为通过VIP访问apiserver时TLS校验会失败）
# cat k8s-csr.json
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"192.168.19.128",
"192.168.19.129",
"192.168.19.133",
"10.254.0.1",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Hangzhou",
"L": "Hangzhou",
"O": "k8s",
"OU": "System"
}
]
}
# Regenerate the apiserver certificate and key (kubernetes.pem / kubernetes-key.pem)
# from the CSR above. The "hosts" list now contains the VIP, so TLS verification
# succeeds for clients that reach the apiserver through 192.168.19.133.
# ca-key.pem is consumed here on the jump host and should stay here — it is not
# needed on the masters.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes k8s-csr.json | cfssljson -bare kubernetes
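# Push the new certificate and key to master01.
ansible 192.168.19.128 -m copy -a 'src=kubernetes.pem dest=/opt/kubernetes/ssl/kubernetes.pem'
# The private key must not be world-readable: mode=0600 limits it to the file
# owner. If kube-apiserver runs as a dedicated (non-root) user on master01, add
# owner=<that user> here as well, otherwise it will not be able to read the key.
ansible 192.168.19.128 -m copy -a 'src=kubernetes-key.pem dest=/opt/kubernetes/ssl/kubernetes-key.pem mode=0600'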
#(3)master相关配置和组件
# On master01: copy the control-plane binaries (kube-apiserver, kube-scheduler,
# kube-controller-manager — the glob takes every file starting with "kube") to master02.
cd /opt/kubernetes/bin/
scp kube* master02:/opt/kubernetes/bin/
# On master01: copy the certificates and private keys to master02. The glob
# copies every file in the directory, so check what is there first — in
# particular ca-key.pem (the CA private key) must not be among them; it belongs
# on the jump host, not on the API servers.
scp /opt/kubernetes/ssl/* master02:/opt/kubernetes/ssl/
#修改master01上kube-apiserver的启动脚本
vi /usr/lib/systemd/system/kube-apiserver.service
--advertise-address=0.0.0.0 --bind-address=0.0.0.0 修改监听地址为0.0.0.0，使apiserver同时接受发往本机IP和VIP的连接。注意这样apiserver会在所有网卡上监听：请确认没有启用不安全端口(--insecure-port)或已将其限制在127.0.0.1，并用防火墙把6443端口限制为只允许node节点和另一台master访问。
# On master01: copy the kube-apiserver, kube-scheduler and kube-controller-manager
# unit files to master02. They are used there unchanged, so review anything
# host-specific in them first. With two masters, kube-controller-manager and
# kube-scheduler should also run with --leader-elect=true (not shown in this
# page) so that only one instance of each is active at a time — confirm this
# before copying.
cd /usr/lib/systemd/system
scp kube-* master02:/usr/lib/systemd/system/
# master01: reload the edited unit file and restart kube-apiserver so it now
# listens on 0.0.0.0 and serves the regenerated certificate.
systemctl daemon-reload
systemctl restart kube-apiserver
# master02: enable the three control-plane services at boot, then start them
# in the same order (apiserver first, then controller-manager and scheduler).
for unit in kube-apiserver kube-controller-manager kube-scheduler; do
  systemctl enable "$unit"
done
for unit in kube-apiserver kube-controller-manager kube-scheduler; do
  systemctl start "$unit"
done
#(4)配置keepalived, 注意keepalived的优先级。另外VRRP的auth_pass在网络上是明文传输的，不能当作安全边界：应在交换机/防火墙上把VRRP(IP协议112)限制在两台master之间，并把/etc/keepalived/keepalived.conf的权限设为600。
1)安装keepalived
# Install keepalived on both masters (master01 and master02).
yum install keepalived -y
2)master01的keepalived配置文件
#cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
# master01: preferred holder of the VIP. Its priority (100) is higher than
# master02's (99), and state MASTER means it takes the VIP back once healthy.
global_defs {
router_id MASTER
}
# Local apiserver health check, run every 3 seconds. Per keepalived's
# vrrp_script semantics a negative weight is subtracted from the priority while
# the script exits non-zero (100 -> 80, below master02's 99). Note that the
# script as written also stops keepalived outright when kube-apiserver is down.
vrrp_script check_apiserver {
script "/server/scripts/check_apiserver.sh"
interval 3
weight -20
}
vrrp_instance VI_1 {
state MASTER
# Must be the NIC that carries the 192.168.19.0/24 network on this host.
interface ens33
# Must be identical on both masters and unused by any other VRRP group on the segment.
virtual_router_id 51
priority 100
advert_int 1
# VRRP PASS authentication is sent in cleartext in every advertisement; it
# only guards against accidental group collisions, not against a host on the
# same LAN. Rely on network filtering of VRRP between the two masters, and
# keep this file readable by root only (mode 0600) since it holds the password.
authentication {
auth_type PASS
auth_pass redhat
}
virtual_ipaddress {
192.168.19.133
}
track_script {
check_apiserver
}
}
3)master02的keepalived的配置文件
#cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
# master02: standby. Priority 99 is one below master01, so it holds the VIP
# only while master01 is down or its health check fails.
global_defs {
router_id BACKUP
}
# Same health check as on master01 (weight -20: 99 -> 79 while the script
# fails). The script itself also stops keepalived when kube-apiserver is down.
vrrp_script check_apiserver {
script "/server/scripts/check_apiserver.sh"
interval 3
weight -20
}
vrrp_instance VI_1 {
state BACKUP
# Must be the NIC that carries the 192.168.19.0/24 network on this host.
interface ens33
# Must match master01 (51) and be unique on the segment.
virtual_router_id 51
priority 99
advert_int 1
# Cleartext VRRP password, identical to master01's; see the note there —
# filter VRRP on the network and keep this file mode 0600.
authentication {
auth_type PASS
auth_pass redhat
}
virtual_ipaddress {
192.168.19.133
}
track_script {
check_apiserver
}
}
4)master01和master02上准备服务检测脚本
# Create the script directory if it is missing (-p makes this a no-op when it
# already exists) and move into it.
mkdir -pv /server/scripts; cd /server/scripts
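#vi /server/scripts/check_apiserver.sh
#!/bin/bash
# keepalived vrrp_script health check (same file on master01 and master02).
# If kube-apiserver is not active on this node, stop keepalived so the VIP moves
# to the other master. keepalived is not restarted automatically afterwards —
# it must be started by hand once kube-apiserver is back (see the verification
# steps at the end of this page).
# Exit status: 0 when kube-apiserver is active, 1 otherwise, so the
# track_script weight reacts correctly as well.
#
# Fix: the original test was written as [[ $flag !=0 ]] — without a space
# after != bash does not see a binary operator and the script aborts with a
# syntax error on every run, i.e. the check never worked as intended.
if ! systemctl is-active --quiet kube-apiserver; then
  echo "kube-apiserver is down,close the keepalived"
  systemctl stop keepalived
  exit 1
fi
exit 0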
5)master01和master02上启动服务
# On both masters: register keepalived at boot, start it, and confirm it is
# running (look for "active (running)" in the status output).
systemctl daemon-reload
systemctl enable keepalived
systemctl start keepalived
systemctl status keepalived
#(5)修改客户端node节点配置
1)查看配置
# Show the apiserver URL each node kubeconfig currently points at (expected to
# be master01, 192.168.19.128, before the change below).
grep server /opt/kubernetes/cfg/kubelet.kubeconfig
grep server /opt/kubernetes/cfg/kube-proxy.kubeconfig
grep server /opt/kubernetes/cfg/bootstrap.kubeconfig
2)修改ip为vip
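# Point every node kubeconfig at the VIP. Only "server:" lines are rewritten,
# the dots in the old address are escaped so the pattern cannot match
# unrelated text (an unescaped "." matches any character), and -i.bak keeps a
# copy of each file for rollback. The .bak copies hold the same credentials as
# the originals — remove them once the switch is verified.
sed -r -i.bak '/server:/s/192\.168\.19\.128/192.168.19.133/g' /opt/kubernetes/cfg/*.kubeconfig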
3)node节点重启kube-proxy和kubelet
# Node: restart kube-proxy and kubelet so they reconnect using the new server
# URL, then confirm both came back up ("active (running)").
systemctl daemon-reload
systemctl restart kube-proxy
systemctl restart kubelet
systemctl status kube-proxy
systemctl status kubelet
4)node节点验证是否修改成功
# Verify the rewrite: every server line should now show the VIP 192.168.19.133.
grep server /opt/kubernetes/cfg/kubelet.kubeconfig
grep server /opt/kubernetes/cfg/kube-proxy.kubeconfig
grep server /opt/kubernetes/cfg/bootstrap.kubeconfig
5)修改kubectl客户端的配置文件
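# Point the kubectl client config at the VIP. As above: only the "server:" line
# is touched, the dots in the old address are escaped, and -i.bak keeps a copy
# of the original (which contains the client credentials — delete it once the
# switch is verified). No insecure-skip-tls-verify is needed because the
# regenerated apiserver certificate lists the VIP in its hosts.
sed -r -i.bak '/server:/s/192\.168\.19\.128/192.168.19.133/g' /root/.kube/config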
6)验证
现在vip在master01上;
kubectl客户端能正常连接apiserver
停止master01上kube-apiserver服务
# Simulate a master01 failure: the check script notices kube-apiserver is down
# and stops keepalived, so the VIP moves to master02.
systemctl stop kube-apiserver
vip成功的漂移到master02上
kubectl客户端还是能够正常连接apiserver
再次启动master01上kube-apiserver 和keepalived服务
# Bring master01 back. keepalived was stopped by the check script and is not
# restarted automatically, so it must be started by hand; with priority 100
# master01 then preempts the VIP.
systemctl start kube-apiserver
systemctl start keepalived
vip再次漂移到master01上
kubectl 客户端还是能够正常的连接apiserver