#(1)规划
master01:192.168.19.128
master02:192.168.19.129
VIP : 192.168.19.133

#(2) On the jump box, regenerate the master (kube-apiserver) serving certificate so its SANs (`hosts` below) cover the VIP 192.168.19.133 as well as both master IPs, then push the cert and key to master01. Without the VIP in `hosts`, every client repointed at the VIP in step 5 would fail TLS hostname verification.

# cat k8s-csr.json 
{
    "CN": "kubernetes",
    "hosts": [
        "127.0.0.1",
        "192.168.19.128",
        "192.168.19.129",
        "192.168.19.133",
        "10.254.0.1",
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Hangzhou",
            "L": "Hangzhou",
            "O": "k8s",
            "OU": "System"
        }
    ]
}

# Issue the apiserver serving cert/key from the cluster CA with the
# "kubernetes" profile; cfssljson writes kubernetes.pem and kubernetes-key.pem
# next to the CSR. Only those two leaf files are pushed to the masters in the
# next step; the CA key is read here on the jump box.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  k8s-csr.json \
  | cfssljson -bare kubernetes

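# Push the regenerated serving cert and key to master01. Modes are set
# explicitly: without `mode=`, the copy module leaves the key's permissions to
# the target's umask / whatever already exists there, which may be
# world-readable. The cert is public material; the private key is root-only.
# NOTE(review): adjust owner/group if kube-apiserver runs as a dedicated
# service account on the masters rather than root (not visible here).
ansible 192.168.19.128 -m copy -a 'src=kubernetes.pem dest=/opt/kubernetes/ssl/kubernetes.pem owner=root group=root mode=0644'
ansible 192.168.19.128 -m copy -a 'src=kubernetes-key.pem dest=/opt/kubernetes/ssl/kubernetes-key.pem owner=root group=root mode=0600'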

#(3)master相关配置和组件

# Ship the control-plane binaries (kube-apiserver, kube-controller-manager,
# kube-scheduler) from master01 to master02; both nodes use the same install
# path. Note the kube* glob copies every kube* file found in bin/.
bin_dir=/opt/kubernetes/bin
cd "${bin_dir}/"
scp kube* "master02:${bin_dir}/"

# Copy master01's certificate material to master02 so both API servers present
# the same serving certificate. Everything under ssl/ is copied, so any private
# key stored there travels too; check that master02's ssl/ ends up with the
# same restrictive permissions as master01's.
ssl_dir=/opt/kubernetes/ssl
scp "${ssl_dir}"/* "master02:${ssl_dir}/"

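# On master01, edit the kube-apiserver unit so the API server listens on all
# interfaces. This is needed because the keepalived VIP (192.168.19.133) is
# added to ens33 at runtime and is not present when the unit starts:
#   --bind-address=0.0.0.0
#   --advertise-address=<this master's own routable IP, e.g. 192.168.19.128>
# NOTE(review): the original note sets --advertise-address=0.0.0.0 too.
# advertise-address is the IP published to the rest of the cluster and must be
# reachable; as far as I recall the apiserver treats 0.0.0.0 as "unset" and
# falls back to the default interface address, so it happens to work, but each
# master should advertise its own IP explicitly rather than rely on that.
# NOTE(review): binding 0.0.0.0 exposes the secure port on every interface;
# keep the host firewall limited to the node/master subnet, and if the legacy
# insecure port is still enabled in this unit make sure
# --insecure-bind-address stays 127.0.0.1 (unit contents not visible here).
vi /usr/lib/systemd/system/kube-apiserver.service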

# Install the same systemd units on master02.
# NOTE(review): if any flag in these units is host-specific (for example an
# explicit --advertise-address), adjust it on master02 after copying.
unit_dir=/usr/lib/systemd/system
cd "${unit_dir}"
scp kube-* "master02:${unit_dir}/"

# master01: pick up the edited unit, then restart the API server so the new
# listen address and the regenerated certificate take effect.
systemctl daemon-reload
systemctl restart kube-apiserver

# master02: enable all three control-plane units, then start them in the same
# order (apiserver first).
control_plane_units=(kube-apiserver kube-controller-manager kube-scheduler)
for unit in "${control_plane_units[@]}"; do
  systemctl enable "$unit"
done
for unit in "${control_plane_units[@]}"; do
  systemctl start "$unit"
done

#(4) Configure keepalived. master01 must keep the higher priority (100 vs 99) so it holds the VIP and takes it back after recovery. Security note: VRRP `auth_type PASS` puts the password in cleartext in every advertisement, and RFC 3768 dropped authentication from VRRP, so `auth_pass redhat` is a pairing token, not access control. Restrict VRRP (IP protocol 112, multicast 224.0.0.18) to the two masters with the host firewall, and if you change the password (only its first 8 characters are used) change it on both nodes in the same step, or the nodes stop seeing each other and both claim the VIP.

1)安装keepalived

# Install keepalived on both masters (non-interactive).
yum -y install keepalived

2)master01的keepalived配置文件

#cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
# master01: preferred VIP holder (priority 100 > master02's 99). Apart from
# router_id, state and priority this file must match master02's exactly; a
# mismatch in virtual_router_id, advert_int or authentication makes the two
# nodes ignore each other and both claim the VIP.

global_defs {
# Identifier string for this node (shows up in keepalived's log/SNMP output).
     router_id MASTER
}
# Health check for the local API server, run every 3 s. A non-zero exit lowers
# this node's priority by 20; the script itself additionally stops keepalived
# when kube-apiserver is down (see check_apiserver.sh), which is what actually
# releases the VIP. keepalived runs the script as root: keep the file
# root-owned and not writable by group/other.
vrrp_script check_apiserver {
                script "/server/scripts/check_apiserver.sh"
                interval 3
                weight -20

}

vrrp_instance VI_1 {
# Initial role only; the election is decided by priority.
        state MASTER
# Interface the VIP is added to while this node is MASTER.
        interface ens33
# Same on both masters; must not collide with another VRRP group on this LAN.
        virtual_router_id 51
# Highest priority wins, and with no `nopreempt` master01 takes the VIP back
# when it returns (matches step 6).
        priority 100
        advert_int 1
# NOTE(review): auth_type PASS sends the password in cleartext in every
# advertisement, and RFC 3768 dropped authentication from VRRP, so this is a
# pairing token rather than access control. Use a non-default value (only the
# first 8 characters are used), set it identically on both nodes in the same
# change, and firewall VRRP (IP protocol 112 to 224.0.0.18) so only the two
# masters can exchange advertisements.
        authentication {
                auth_type PASS
                auth_pass redhat
        }
# The address node kubeconfigs and kubectl are switched to in step 5.
        virtual_ipaddress {
                192.168.19.133
        }
        track_script {
                check_apiserver
                }
}

3)master02的keepalived的配置文件

#cat /etc/keepalived/keepalived.conf
! Configuration File for keepalived
# master02: standby VIP holder (priority 99 < master01's 100). Apart from
# router_id, state and priority this file must match master01's exactly; a
# mismatch in virtual_router_id, advert_int or authentication makes the two
# nodes ignore each other and both claim the VIP.

global_defs {
# Identifier string for this node (shows up in keepalived's log/SNMP output).
     router_id BACKUP
}
# Same health check as on master01: runs every 3 s, a non-zero exit lowers
# this node's priority by 20, and the script itself stops keepalived when
# kube-apiserver is down (see check_apiserver.sh). keepalived runs it as
# root: keep the file root-owned and not writable by group/other.
vrrp_script check_apiserver {
                script "/server/scripts/check_apiserver.sh"
                interval 3
                weight -20

}

vrrp_instance VI_1 {
# Initial role only; the election is decided by priority.
        state BACKUP
# Interface the VIP is added to while this node is MASTER.
        interface ens33
# Must equal master01's virtual_router_id.
        virtual_router_id 51
# One below master01, so master02 holds the VIP only while master01's
# keepalived is down and yields it when master01 returns (step 6).
        priority 99
        advert_int 1
# NOTE(review): auth_type PASS sends the password in cleartext in every
# advertisement, and RFC 3768 dropped authentication from VRRP, so this is a
# pairing token rather than access control. Use a non-default value (only the
# first 8 characters are used), set it identically on both nodes in the same
# change, and firewall VRRP (IP protocol 112 to 224.0.0.18) so only the two
# masters can exchange advertisements.
        authentication {
                auth_type PASS
                auth_pass redhat
        }
# The address node kubeconfigs and kubectl are switched to in step 5.
        virtual_ipaddress {
                192.168.19.133
        }
        track_script {
                check_apiserver
                }
}

4)master01和master02上准备服务检测脚本

# Create the script directory if it is missing, then work from it.
[[ -d /server/scripts ]] || mkdir -pv /server/scripts
cd /server/scripts
#vi /server/scripts/check_apiserver.sh 
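#!/bin/bash
# check_apiserver.sh -- keepalived track script for the kube-apiserver VIP.
#
# keepalived runs this every 3 seconds (vrrp_script check_apiserver). If the
# local kube-apiserver unit is not active, keepalived on this node is stopped
# so the VIP fails over to the other master. keepalived is NOT restarted
# automatically once kube-apiserver recovers; start it by hand (see step 6).
#
# keepalived executes this as root: keep the file owned by root and not
# writable by group/other, or keepalived may refuse to run it when script
# security is enabled.
#
# Fix vs. the original: the test was written `[[ $flag !=0 ]]`, which is a
# bash syntax error (the `!=` operator needs spaces around it), so the check
# never evaluated as intended.

readonly APISERVER_UNIT=kube-apiserver

# apiserver_is_active UNIT
#   Returns 0 when the systemd unit is active, non-zero otherwise.
#   `is-active --quiet` is the scriptable form; `status` is meant for humans
#   and also prints recent journal lines.
apiserver_is_active() {
  systemctl is-active --quiet "$1"
}

if ! apiserver_is_active "$APISERVER_UNIT"; then
  echo "kube-apiserver is down,close the keepalived"
  systemctl stop keepalived
fi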

5)master01和master02上启动服务

# Both masters: reload units, enable keepalived at boot, start it and show its
# state (the VIP should now appear on master01's ens33).
systemctl daemon-reload
for action in enable start status; do
  systemctl "$action" keepalived
done

#(5)修改客户端node节点配置

1)查看配置

# Show which API server endpoint each node kubeconfig currently uses
# (expected: master01's IP before the change).
for name in kubelet kube-proxy bootstrap; do
  grep server "/opt/kubernetes/cfg/${name}.kubeconfig"
done

2)修改ip为vip

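# Repoint every node kubeconfig (kubelet, kube-proxy, bootstrap) from master01's
# address to the VIP. Dots in the old address are escaped so sed matches only
# the literal IP: in the original unescaped pattern '192.168.19.128' each '.'
# is a wildcard. The serving cert already lists the VIP in its SANs
# (k8s-csr.json), so TLS verification keeps working after the switch.
#
# repoint_apiserver OLD_IP NEW_IP FILE...
#   In-place (GNU sed -i) substitution of OLD_IP with NEW_IP in each FILE.
repoint_apiserver() {
  local old=$1 new=$2
  shift 2
  local pattern
  pattern=${old//./\\.}   # 192.168.19.128 -> 192\.168\.19\.128
  sed -ri "s/${pattern}/${new}/g" "$@"
}

repoint_apiserver 192.168.19.128 192.168.19.133 /opt/kubernetes/cfg/*.kubeconfig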

3)node节点重启kube-proxy和kubelet

# Restart the node agents so they reconnect through the VIP, then show their
# state.
systemctl daemon-reload
for unit in kube-proxy kubelet; do
  systemctl restart "$unit"
done
for unit in kube-proxy kubelet; do
  systemctl status "$unit"
done

4)node节点验证是否修改成功

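# Print the API server endpoint of each node kubeconfig and flag any file that
# still points directly at master01 instead of the VIP (the original step only
# printed the lines and left the comparison to the reader).
#
# verify_kubeconfig_servers [CFG_DIR]
#   CFG_DIR defaults to /opt/kubernetes/cfg. Returns 0 when no kubeconfig in
#   the directory references 192.168.19.128, 1 otherwise (offending files are
#   listed by grep -l).
verify_kubeconfig_servers() {
  local cfg_dir=${1:-/opt/kubernetes/cfg}
  local name
  for name in kubelet kube-proxy bootstrap; do
    grep server "${cfg_dir}/${name}.kubeconfig"
  done
  if grep -l '192\.168\.19\.128' "${cfg_dir}"/*.kubeconfig; then
    echo "ERROR: the kubeconfig(s) listed above still reference master01, not the VIP" >&2
    return 1
  fi
  return 0
}

verify_kubeconfig_servers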

5)修改kubectl客户端的配置文件

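# Repoint the kubectl client at the VIP. Dots are escaped so only the literal
# address matches (an unescaped '.' is a wildcard in the original pattern);
# the serving cert's SANs already include the VIP (k8s-csr.json), so kubectl's
# TLS check still passes.
sed -ri 's/192\.168\.19\.128/192.168.19.133/g' /root/.kube/config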

6)验证

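# Failover test. The original notes listed these steps as bare prose mixed
# with commands, which is not runnable as shell; the narrative is kept as
# comments and each check is made concrete. Run the kubectl commands from the
# client, the systemctl commands on the master named in the comment, and the
# `ip` check on whichever master should currently hold the VIP.

# Baseline: the VIP sits on master01 and kubectl reaches the API server
# through it.
ip -4 addr show dev ens33 | grep -F 192.168.19.133    # on master01
kubectl get nodes                                      # from the client

# Simulate an API server failure on master01. check_apiserver.sh notices within
# ~3 s and stops keepalived there, so the VIP moves to master02.
systemctl stop kube-apiserver                          # on master01
ip -4 addr show dev ens33 | grep -F 192.168.19.133    # now on master02
kubectl get nodes                                      # from the client: still works

# Recover master01. keepalived was stopped by the check script and is not
# restarted automatically, so start it by hand; with priority 100 > 99 and no
# nopreempt, master01 takes the VIP back.
systemctl start kube-apiserver                         # on master01
systemctl start keepalived                             # on master01
ip -4 addr show dev ens33 | grep -F 192.168.19.133    # back on master01
kubectl get nodes                                      # from the client: still works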