开篇
- 《K3s 系列文章》
- 《Rancher 系列文章》
计划
在腾讯云上装置 K3S
后续会在这套 K3S 集群上装置 Rancher
计划指标
-
高可用
- 3 台 master 的 k3s 集群
-
数据备份
- k3s 数据备份到 腾讯云对象存储 cos
-
尽量复用私有云的能力
Tencent Cloud Controller Manager(❌ 因为腾讯云曾经放弃保护相干源码, 所以无奈复用)SVC LoadBalancer 调用 CLB(❌ 因为腾讯云曾经放弃保护相干源码, 所以无奈复用)- 备份 – 应用腾讯云 COS
前提条件
-
有腾讯云账户,账户至多领有如下权限:auto k3s 装置 – 设置 CAM 以及这些权限:
QcloudTAGFullAccess
- 该腾讯云账号有对应的 API 密钥,地址:拜访密钥 – 控制台 (tencent.com),或者领有相干权限:
cam:QueryCollApiKey
和cam:CreateCollApiKey
- 一台 linux 操作机,用于部署 autok3s
- 一个对象存储通 cos,用于备份
-
已有的镜像仓库的一些账号密码或认证信息,包含:quay,docker,腾讯云(用于减速 pull push 镜像)
ℹ️ Info:
腾讯云 tcr 广州 提供收费个人版实例,能够应用并增加:
https://ccr.ccs.tencentyun.com
K3S 装置注意事项
- 通过 autok3s 部署
- 通过 autok3s 装置后, 默认 k8s api 通过 公网 IP 进行通信, 须要调整 systemd 配置使其通过内网进行通信.
- ⚠️付费模式,装置后可依据具体情况在将付费模式控制台改为:包年包月
K3S 装置参数
本次 K3s 装置参数如下:
- Master
3
台 - Worker:
0
- Region:shanghai(
ap-shanghai
) - zone:二区(
ap-shanghai-2
) - Instance Type:
S5.MEDIUM8
- Image:
img-22trbn9x
(ubuntu 20.04) - instanceChargeType:默认后付费,且无奈调整。⚠️装置后控制台改为:PREPAID
- Disk:
CLOUD_SSD
(ℹ️CLOUD_PREMIUM
(高性能云盘),CLOUD_SSD
(SSD 云硬盘)) - Disk Size:
50
G - VPC ID: 空(autok3s 会主动创立)
- Subnet ID: 空(autok3s 会主动创立)
- Internet Max Bandwidth Out:
5
(能够按需调小) - Security Group Ids:空, 让 autok3s 主动创立, 集群创立好之后再调整平安组, 放大入口范畴
- EIP:是否应用弹性公网 IP
false
- Tags (见下文)
- K3s Version:
v1.21.7+k3s1
- Cluster:
true
- Master Extra Args: 见下文
- Cluster 模式:
true
- Registry(见下文)
- UI:
true
⚠️ Warning:
执行
autok3s
创立前, 如果抉择已有的平安组, 那么 CVM 实例 至多 须要利用以下平安组规定:Rule Protocol Port Source Description InBound TCP 22 ALL SSH Connect Port InBound TCP 6443 K3s agent nodes Kubernetes API InBound TCP 10250 K3s server & agent Kubelet InBound UDP 8472 K3s server & agent (Optional) Required only for Flannel VXLAN InBound TCP 2379,2380 K3s server nodes (Optional) Required only for embedded ETCD OutBound ALL ALL ALL Allow All
特地是: 22 端口必须要对操作机的公网 IP 凋谢
起因: autok3s 主动部署私有云时, 通过公网 IP 上传 KeyPair, 如果没有以上平安组,
autok3s
会执行失败. 报错如下: (101.34.46.218
就是公网 IP)level=error msg="[ssh-dialer] init dialer [101.34.46.218:22] error: [tencent] calling getInstanceStatus error. region: ap-shanghai, zone: ap-shanghai-2, instanceName: [ins-ggxozpyl ins-cfi2vio1 ins-78rkem0b], message: not `RUNNING` status"
装置步骤
AutoK3s
在操作机上安装,命令如下:
curl -sS http://rancher-mirror.cnrancher.com/autok3s/install.sh | INSTALL_AUTOK3S_MIRROR=cn sh
过程如下:
Downloading package http://rancher-mirror.rancher.cn/autok3s/v0.4.6/autok3s_linux_amd64 as /tmp/autok3s_linux_amd64
Download complete.
Running with sufficient permissions to attempt to move autok3s to /usr/local/bin
New version of autok3s installed to /usr/local/bin
Version: {"gitVersion":"v0.4.6","gitCommit":"4537e6ee2aea8b204a72f7b6c377edb154f7c058","gitTreeState":"","buildDate":"2021-12-28T04:15:30Z","goVersion":"go1.16.2","compiler":"gc","platform":"linux/amd64"}
Downloading package http://rancher-mirror.rancher.cn/kube-explorer/v0.2.7/kube-explorer-linux-amd64 as /tmp/kube-explorer-linux-amd64
Download complete.
Running with sufficient permissions to attempt to move kube-explorer to /usr/local/bin
New version of kube-explorer installed to /usr/local/bin
Skipping /usr/local/bin/kubectl symlink to autok3s, already exists
您能够通过以下 CLI 命令启动本地 UI。
autok3s serve --bind-address 0.0.0.0 --bind-port 8087
⚠️ Warning:
页面无登录认证,确保最小权限凋谢以及用完后及时敞开。
输入如下:
INFO[0000] run as daemon, listening on 127.0.0.1:8087
拜访 UI:http://< 操作机 IP>:8087
AutoK3s UI 模板
如果今后要屡次装置,能够在 UI 上创立 可复用 的模板,模板包含如下固定参数:
-
Credential Options:
- 腾讯云 Secret Id
- 腾讯云 Secret Key
-
Instance Options
-
Basic
- Region:
ap-shanghai
- Zone:
ap-shanghai-2
- Instance Type:
S5.MEDIUM8
- Image:
img-22trbn9x
(ubuntu 20.04) - Disk Category:
CLOUD_SSD
- Disk Size:
50
G
- Region:
-
Network
- Internet Max Bandwidth Out:
5
- EIP:
Disable
- ⚠️ 留神:另外 3 个参数:VPC ID、SubnetID、Security Group Ids 每次创立时须要按需填写或留空
- Internet Max Bandwidth Out:
-
SSH Public
- SSH User:
ubuntu
- SSH Port:
22
- Keypair Id : 留空(⚠️ 留神:如果 Keypair Id 留空,会主动生成 Keypair)
- SSH User:
-
SSH Private
- SSH Agent Auth:
Disable
- SSH Key Path: 留空(⚠️ 留神:如果下面抉择了 Keypair Id, 那么对应的 SSH Key Path 也要填写)
- SSH Agent Auth:
-
Advance
-
打了 3 个 tags,不便后续治理:
app=rancher
env=prod
provider=k3s
-
-
-
K3s Options
-
Basic
- K3s Channel:
stable
- K3s Version:
v1.21.7+k3s1
(ℹ️ Info: 202201 依据 suse 官网选型的最新稳定版,k3s v1.21.7+k3s1,前面会按需调整版本) - Cluster:
Enable
(启用集群模式,应用 etcd 组成高可用集群) - K3s Install Script:
http://rancher-mirror.cnrancher.com/k3s/k3s-install.sh
- K3s Channel:
-
Master
- Master:
3
-
Master Extra Args:
--write-kubeconfig-mode "644" --pause-image registry.cn-hangzhou.aliyuncs.com/rancher/pause:3.6 --etcd-s3 --etcd-snapshot-schedule-cron 0 0 * * * --etcd-s3-endpoint cos.ap-shanghai.myqcloud.com --etcd-s3-access-key <your-cos-access-key> --etcd-s3-secret-key <your-cos-secret-key> --etcd-s3-bucket <your-cos-bucket> --etcd-s3-folder /rancher/k3s
- Master:
-
Worker
- Worker:
0
- Worker:
- Advance: 留空
- TLS Sans: 留空 (⚠️ 如果后面会应用 CLB 作为负载平衡,那么倡议填上 CLB VIP)
- Registry, 见上面
registries.yaml
-
-
Additional Options
- UI:
explorer
- UI:
registries.yaml
:
mirrors:
docker.io:
endpoint:
- "https://mirror.ccs.tencentyun.com"
- "https://registry.cn-hangzhou.aliyuncs.com"
- "https://docker.mirrors.ustc.edu.cn"
quay.io:
endpoint:
- "https://mirror.ccs.tencentyun.com"
configs:
'ccr.ccs.tencentyun.com':
auth:
username: <your-account-id>
password: <your-registry-password>
AutoK3s 通过 UI 创立 K3S 集群
拜访 UI 界面, 点击 Quick Start, Provider 抉择 tencent;
而后在下方填入自定义的信息, 次要是填写 Network 的信息, 如下图:
点击 Create, 期待返回后果即可.
AutoK3s CLI 命令
您也能够通过以下 CLI 在 腾讯云上疾速创立一个 3 master, 0 worker 节点的 K3s 高可用集群。
autok3s create --provider tencent --cluster --enable ["explorer"] --k3s-channel stable --k3s-install-mirror INSTALL_K3S_MIRROR=cn --k3s-install-script http://rancher-mirror.cnrancher.com/k3s/k3s-install.sh --k3s-version v1.21.7+k3s1 --master 3 --master-extra-args '--write-kubeconfig-mode"644"--pause-image registry.cn-hangzhou.aliyuncs.com/rancher/pause:3.6 --etcd-s3 --etcd-snapshot-schedule-cron 0 0 * * * --etcd-s3-endpoint cos.ap-shanghai.myqcloud.com --etcd-s3-access-key <your-cos-access-key> --etcd-s3-secret-key <your-cos-secret-key> --etcd-s3-bucket <your-cos-bucket> --etcd-s3-folder /rancher/k3s' --name rancher-1 --ssh-port 22 --ssh-user ubuntu --tls-sans <your-clb-ip> --worker 0 --disk-category CLOUD_SSD --disk-size 50 --image img-22trbn9x --instance-type S5.MEDIUM8 --internet-max-bandwidth-out 5 --keypair-id <your-keypair-id> --region ap-shanghai --secret-id <your-tencent-secret-id> --secret-key <your-tencent-secret-key> --tags 'app=rancher' --tags 'env=prod' --tags 'provider=k3s' --zone ap-shanghai-2 --vpc <your-vpc-id> --subnet <your-subnet-id> --registry /etc/autok3s/registries.yaml
装置胜利日志显示如下:
time="2022-02-12T14:52:16+08:00" level=info msg="[tencent] executing create logic..."
INFO[0000] [tencent] use existing key pair
time="2022-02-12T14:52:16+08:00" level=info msg="[tencent] 3 masters and 0 workers will be added"
time="2022-02-12T14:52:16+08:00" level=info msg="[tencent] check default security group autok3s in region ap-shanghai"
time="2022-02-12T14:52:16+08:00" level=info msg="[tencent] create default security group autok3s in region ap-shanghai"
time="2022-02-12T14:52:16+08:00" level=info msg="[tencent] check rules of security group autok3s"
time="2022-02-12T14:52:18+08:00" level=info msg="[tencent] 3 number of master instances will be created"
time="2022-02-12T14:52:23+08:00" level=info msg="[tencent] 3 number of master instances successfully created"
time="2022-02-12T14:52:23+08:00" level=info msg="[tencent] waiting for the instances [ins-xxxxx] to be in `RUNNING` status..."
time="2022-02-12T14:52:54+08:00" level=info msg="[tencent] instances [ins-xxxxx] are in `RUNNING` status"
time="2022-02-12T14:52:54+08:00" level=info msg="[tencent] executing init k3s cluster logic..."
time="2022-02-12T14:52:54+08:00" level=info msg="[tencent] creating k3s master-1..."
mirrors:
docker.io:
endpoint:
- https://mirror.ccs.tencentyun.com
- https://registry.cn-hangzhou.aliyuncs.com
- https://docker.mirrors.ustc.edu.cn
quay.io:
endpoint:
- https://mirror.ccs.tencentyun.com
configs:
ccr.ccs.tencentyun.com:
auth:
username:
password:
auth: ""identity_token:""
tls: null
auths: {}
time="2022-02-12T14:53:26+08:00" level=info msg="[cluster] k3s master command: curl -sLS http://rancher-mirror.cnrancher.com/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn K3S_TOKEN='xxxxxxx'INSTALL_K3S_EXEC='server --tls-san xxxxx --tls-san xxxxxxxx --tls-san xxxxxxx --node-external-ip xxxxxx --write-kubeconfig-mode \"644\" --pause-image registry.cn-hangzhou.aliyuncs.com/rancher/pause:3.6 --disable-cloud-controller --cluster-cidr 10.42.0.0/16 --cluster-init'INSTALL_K3S_VERSION='v1.21.7+k3s1'sh -"
[INFO] Using v1.21.7+k3s1 as release
[INFO] Downloading hash http://rancher-mirror.cnrancher.com/k3s/v1.21.7-k3s1/sha256sum-amd64.txt
[INFO] Downloading binary http://rancher-mirror.cnrancher.com/k3s/v1.21.7-k3s1/k3s
[INFO] Verifying binary download
[INFO] Installing k3s to /usr/local/bin/k3s
[INFO] Creating /usr/local/bin/kubectl symlink to k3s
[INFO] Creating /usr/local/bin/crictl symlink to k3s
[INFO] Creating /usr/local/bin/ctr symlink to k3s
[INFO] Creating killall script /usr/local/bin/k3s-killall.sh
[INFO] Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO] env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO] systemd: Creating service file /etc/systemd/system/k3s.service
[INFO] systemd: Enabling k3s unit
[INFO] systemd: Starting k3s
time="2022-02-12T14:53:59+08:00" level=info msg="[tencent] successfully created k3s master-1"
time="2022-02-12T14:53:59+08:00" level=info msg="[tencent] creating k3s master-2..."
...
time="2022-02-12T14:54:35+08:00" level=info msg="[tencent] successfully created k3s master-2"
time="2022-02-12T14:54:35+08:00" level=info msg="[tencent] creating k3s master-3..."
...
time="2022-02-12T14:55:06+08:00" level=info msg="[tencent] successfully created k3s master-3"
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: ......
server: https://127.0.0.1:6443
name: default
contexts:
- context:
cluster: default
user: default
name: default
current-context: default
kind: Config
preferences: {}
users:
- name: default
user:
client-certificate-data: ......
client-key-data: ......
time="2022-02-12T14:55:06+08:00" level=info msg="[tencent] deploying additional manifests"
time="2022-02-12T14:55:06+08:00" level=info msg="[tencent] successfully deployed additional manifests"
time="2022-02-12T14:55:06+08:00" level=info msg="[tencent] successfully executed init k3s cluster logic"
---
time="2022-02-12T14:55:07+08:00" level=info msg="[tencent] successfully deployed manifests"
time="2022-02-12T14:55:07+08:00" level=info msg="=========================== Prompt Info ==========================="
time="2022-02-12T14:55:07+08:00" level=info msg="Use'autok3s kubectl config use-context prod-ha.ap-shanghai.tencent'"time="2022-02-12T14:55:07+08:00"level=info msg="Use 'autok3s kubectl get pods -A' get POD status`"
🎉 到这里, K3S 集群创立结束.
K3s 配置调整
🚩 Important:
装置后, 默认 k8s api 通过 公网 IP 进行通信, 出于平安思考,倡议调整 systemd 配置使其通过内网进行通信.
步骤如下:
批改后两台 master 的 /etc/systemd/system/k3s.service.env
的 K3S_URL
为第一台 master 的内网地址
K3S_URL=https://<master1-internal-ip>:6443
第一台 master, 批改 /etc/systemd/system/k3s.service
, 减少:
'--node-ip' \
'<master1-internal-ip>' \
'--advertise-address' \
'<master1-internal-ip>' \
另外 2 台, 减少及批改如下:
'--server' \
'https://<master1-internal-ip>:6443' \
...
'--node-ip' \
'<other-master-internal-ip>' \
'--advertise-address' \
'<other-master-internal-ip>' \
重启失效:
systemctl daemon-reload
systemctl restart k3s.service
验证:
查看 kubernetes
的 endpoint, 从公网地址变为内网地址, 如下:
apiVersion: v1
kind: Endpoints
metadata:
name: kubernetes
namespace: default
...
labels:
endpointslice.kubernetes.io/skip-mirror: 'true'
managedFields:
- manager: k3s
operation: Update
...
selfLink: /api/v1/namespaces/default/endpoints/kubernetes
subsets:
- addresses:
- ip: <master2-internal-ip>
- ip: <master1-internal-ip>
- ip: <master3-internal-ip>
ports:
- name: https
port: 6443
protocol: TCP
收尾工作
调整平安组
入站规定:
- TCP:22(SSH) 端口权限收紧
- TCP:6443(K8S API) 端口权限收紧
- UDP:8472(K3s vxlan) 只凋谢给内网
- TCP:10250(kube api-server) 只凋谢给内网
最终成果如下: (应该能够进一步收紧)
总结
🎉🎉🎉 至此, 实现腾讯云上 K3S 高可用集群的搭建, 并配置备份.
为前面的 Rancher 搭建做好了根底。
以下是装置后的相干输入信息:
K3s
- 3 个 Master 和 Server hostname、内外网 IP
- K3S API Server 地址:
https://< 以上 6 个 IP 地址任一个或 CLB 的 IP>:6443
- K3S kubeconfig 配置:位于 k3s 的
/etc/rancher/k3s/k3s.yaml
以及操作机的/root/.autok3s/.kube/config
三人行, 必有我师; 常识共享, 天下为公. 本文由东风微鸣技术博客 EWhisper.cn 编写.