資訊專欄INFORMATION COLUMN
摘要:廣告各版本離線安裝包證書配置生產(chǎn)環(huán)境中給配置證書相當(dāng)重要,如果沒有證書,那么集群很容易被黑客利用而去挖礦什么的。細(xì)節(jié)問題非常多,一個端口,一個都不要填錯,否則就會各種錯誤包括新加節(jié)點(diǎn)要清數(shù)據(jù)這些小細(xì)節(jié)問題。
廣告 | kubernetes各版本離線安裝包etcd 證書配置
生產(chǎn)環(huán)境中給etcd配置證書相當(dāng)重要,如果沒有證書,那么k8s集群很容易被黑客利用而去挖礦什么的。做法非常簡單,比如你下了一個不安全的鏡像,通過程序掃描到etcd的ip和端口,那么黑客就可以繞開apiserver的認(rèn)證直接寫數(shù)據(jù),寫一些deployment pod等等,apiserver就會讀到這些,從而去部署黑客的程序。 我們就有一個集群這樣被利用去挖礦了,安全無小事,如果黑客惡意攻擊也可輕松刪除你的所有數(shù)據(jù),所以證書與定期備份都很重要,即便有多個etcd節(jié)點(diǎn),本文深入探討etcd管理的重要的幾個東西。
證書生成cfssl安裝:
mkdir ~/bin
curl -s -L -o ~/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o ~/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x ~/bin/{cfssl,cfssljson}
export PATH=$PATH:~/bin
mkdir ~/cfssl cd ~/cfssl
寫入如下json文件,ip替換成自己的
root@dev-86-201 cfssl]# cat ca-config.json
{
"signing": {
"default": {
"expiry": "43800h"
},
"profiles": {
"server": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
[root@dev-86-201 cfssl]# cat ca-csr.json
{
"CN": "My own CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "CA",
"O": "My Company Name",
"ST": "San Francisco",
"OU": "Org Unit 1",
"OU": "Org Unit 2"
}
]
}
[root@dev-86-201 cfssl]# cat server.json
{
"CN": "etcd0",
"hosts": [
"127.0.0.1",
"0.0.0.0",
"10.1.86.201",
"10.1.86.203",
"10.1.86.202"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}
[root@dev-86-201 cfssl]# cat member1.json # 填本機(jī)IP
{
"CN": "etcd0",
"hosts": [
"10.1.86.201"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}
[root@dev-86-201 cfssl]# cat client.json
{
"CN": "client",
"hosts": [
""
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}
生成證書:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca - cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member1.json | cfssljson -bare member1 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client啟動etcd
cfssl目錄拷貝到/etc/kubernetes/pki/cfssl 目錄
[root@dev-86-201 manifests]# cat etcd.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
creationTimestamp: null
labels:
component: etcd
tier: control-plane
name: etcd
namespace: kube-system
spec:
containers:
- command:
- etcd
- --advertise-client-urls=https://10.1.86.201:2379
- --cert-file=/etc/kubernetes/pki/etcd/server.pem
- --client-cert-auth=true
- --data-dir=/var/lib/etcd
- --initial-advertise-peer-urls=https://10.1.86.201:2380
- --initial-cluster=etcd0=https://10.1.86.201:2380
- --key-file=/etc/kubernetes/pki/etcd/server-key.pem
- --listen-client-urls=https://10.1.86.201:2379
- --listen-peer-urls=https://10.1.86.201:2380
- --name=etcd0
- --peer-cert-file=/etc/kubernetes/pki/etcd/member1.pem
- --peer-client-cert-auth=true
- --peer-key-file=/etc/kubernetes/pki/etcd/member1-key.pem
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.pem
- --snapshot-count=10000
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.pem
image: k8s.gcr.io/etcd-amd64:3.2.18
imagePullPolicy: IfNotPresent
#livenessProbe:
# exec:
# command:
# - /bin/sh
# - -ec
# - ETCDCTL_API=3 etcdctl --endpoints=https://[10.1.86.201]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.pem
# --cert=/etc/kubernetes/pki/etcd/client.pem --key=/etc/kubernetes/pki/etcd/client-key.pem
# get foo
# failureThreshold: 8
# initialDelaySeconds: 15
# timeoutSeconds: 15
name: etcd
resources: {}
volumeMounts:
- mountPath: /var/lib/etcd
name: etcd-data
- mountPath: /etc/kubernetes/pki/etcd
name: etcd-certs
hostNetwork: true
priorityClassName: system-cluster-critical
volumes:
- hostPath:
path: /var/lib/etcd
type: DirectoryOrCreate
name: etcd-data
- hostPath:
path: /etc/kubernetes/pki/cfssl
type: DirectoryOrCreate
name: etcd-certs
status: {}
進(jìn)入etcd容器執(zhí)行:
alias etcdv3="ETCDCTL_API=3 etcdctl --endpoints=https://[10.1.86.201]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.pem --cert=/etc/kubernetes/pki/etcd/client.pem --key=/etc/kubernetes/pki/etcd/client-key.pem" etcdv3 member add etcd1 --peer-urls="https://10.1.86.202:2380"增加節(jié)點(diǎn)
拷貝etcd0(10.1.86.201)節(jié)點(diǎn)上的證書到etcd1(10.1.86.202)節(jié)點(diǎn)上
修改member1.json:
{
"CN": "etcd1",
"hosts": [
"10.1.86.202"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}
重新生成在etcd1上生成member1證書:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member1.json | cfssljson -bare member1
啟動etcd1:
[root@dev-86-202 manifests]# cat etcd.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
creationTimestamp: null
labels:
component: etcd
tier: control-plane
name: etcd
namespace: kube-system
spec:
containers:
- command:
- etcd
- --advertise-client-urls=https://10.1.86.202:2379
- --cert-file=/etc/kubernetes/pki/etcd/server.pem
- --data-dir=/var/lib/etcd
- --initial-advertise-peer-urls=https://10.1.86.202:2380
- --initial-cluster=etcd0=https://10.1.86.201:2380,etcd1=https://10.1.86.202:2380
- --key-file=/etc/kubernetes/pki/etcd/server-key.pem
- --listen-client-urls=https://10.1.86.202:2379
- --listen-peer-urls=https://10.1.86.202:2380
- --name=etcd1
- --peer-cert-file=/etc/kubernetes/pki/etcd/member1.pem
- --peer-client-cert-auth=true
- --peer-key-file=/etc/kubernetes/pki/etcd/member1-key.pem
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.pem
- --snapshot-count=10000
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.pem
- --initial-cluster-state=existing # 千萬別加雙引號,被坑死
image: k8s.gcr.io/etcd-amd64:3.2.18
imagePullPolicy: IfNotPresent
# livenessProbe:
# exec:
# command:
# - /bin/sh
# - -ec
# - ETCDCTL_API=3 etcdctl --endpoints=https://[10.1.86.202]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt
# --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key
# get foo
# failureThreshold: 8
# initialDelaySeconds: 15
# timeoutSeconds: 15
name: etcd
resources: {}
volumeMounts:
- mountPath: /var/lib/etcd
name: etcd-data
- mountPath: /etc/kubernetes/pki/etcd
name: etcd-certs
hostNetwork: true
priorityClassName: system-cluster-critical
volumes:
- hostPath:
path: /var/lib/etcd
type: DirectoryOrCreate
name: etcd-data
- hostPath:
path: /etc/kubernetes/pki/cfssl
type: DirectoryOrCreate
name: etcd-certs
status: {}
或者用docker起先測試一下:
docker run --net=host -v /etc/kubernetes/pki/cfssl:/etc/kubernetes/pki/etcd k8s.gcr.io/etcd-amd64:3.2.18 etcd --advertise-client-urls=https://10.1.86.202:2379 --cert-file=/etc/kubernetes/pki/etcd/server.pem --data-dir=/var/lib/etcd --initial-advertise-peer-urls=https://10.1.86.202:2380 --initial-cluster=etcd0=https://10.1.86.201:2380,etcd1=https://10.1.86.202:2380 --key-file=/etc/kubernetes/pki/etcd/server-key.pem --listen-client-urls=https://10.1.86.202:2379 --listen-peer-urls=https://10.1.86.202:2380 --name=etcd1 --peer-cert-file=/etc/kubernetes/pki/etcd/member1.pem --peer-key-file=/etc/kubernetes/pki/etcd/member1-key.pem --peer-client-cert-auth=true --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.pem --snapshot-count=10000 --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.pem --initial-cluster-state="existing"
etcd0上檢查集群健康:
# etcdctl --endpoints=https://[10.1.86.201]:2379 --ca-file=/etc/kubernetes/pki/etcd/ca.pem --cert-file=/etc/kubernetes/pki/etcd/client.pem --key-file=/etc/kubernetes/pki/etcd/client-key.pem cluster-heal th member 5856099674401300 is healthy: got healthy result from https://10.1.86.201:2379 member df99f445ac908d15 is healthy: got healthy result from https://10.1.86.202:2379 cluster is healthy
etcd2增加同理,略
apiserver etcd證書 配置:
- --etcd-cafile=/etc/kubernetes/pki/cfssl/ca.pem - --etcd-certfile=/etc/kubernetes/pki/cfssl/client.pem - --etcd-keyfile=/etc/kubernetes/pki/cfssl/client-key.pem快照與擴(kuò)展節(jié)點(diǎn) etcd快照恢復(fù)
說明:
有證書集群以下所有命令需帶上如下證書參數(shù),否則訪問不了
--cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/peer.crt --key=/etc/kubernetes/pki/etcd/peer.key
endpoints默認(rèn)為127.0.0.1:2379,若需指定遠(yuǎn)程etcd地址,可通過如下參數(shù)指定
--endpoints 172.16.154.81:2379
1、獲取數(shù)據(jù)快照
ETCDCTL_API=3 etcdctl snapshot save snapshot.db
2、從快照恢復(fù)數(shù)據(jù)
ETCDCTL_API=3 etcdctl snapshot restore snapshot.db --data-dir=/var/lib/etcd/
3、啟動新etcd節(jié)點(diǎn),指定--data-dir=/var/lib/etcd/
etcd節(jié)點(diǎn)擴(kuò)展| 節(jié)點(diǎn)名 | IP | 備注 |
|---|---|---|
| infra0 | 172.16.154.81 | 初始節(jié)點(diǎn),k8s的master節(jié)點(diǎn),kubeadm所部署的單節(jié)點(diǎn)etcd所在機(jī)器 |
| infra1 | 172.16.154.82 | 待添加節(jié)點(diǎn),k8s的node節(jié)點(diǎn) |
| infra2 | 172.16.154.83 | 待添加節(jié)點(diǎn),k8s的node節(jié)點(diǎn) |
1、從初始etcd節(jié)點(diǎn)獲取數(shù)據(jù)快照
ETCDCTL_API=3 etcdctl --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/peer.crt --key=/etc/kubernetes/pki/etcd/peer.key --endpoints=https://127.0.0.1:2379 snapshot save snapshot.db
2、將快照文件snapshot.db復(fù)制到infra1節(jié)點(diǎn),并執(zhí)行數(shù)據(jù)恢復(fù)命令
數(shù)據(jù)恢復(fù)命令
ETCDCTL_API=3 etcdctl snapshot restore snapshot.db --data-dir=/var/lib/etcd/ 注:執(zhí)行上述命令需要機(jī)器上有etcdctl
上述命令執(zhí)行成功會將快照中的數(shù)據(jù)存放到/var/lib/etcd目錄中
3、在infra1節(jié)點(diǎn)啟動etcd
將如下yaml放入/etc/kubernetes/manifests
apiVersion: v1
kind: Pod
metadata:
labels:
component: etcd
tier: control-plane
name: etcd-172.16.154.82
namespace: kube-system
spec:
containers:
- command:
- etcd
- --name=infra0
- --initial-advertise-peer-urls=http://172.16.154.82:2380
- --listen-peer-urls=http://172.16.154.82:2380
- --listen-client-urls=http://172.16.154.82:2379,http://127.0.0.1:2379
- --advertise-client-urls=http://172.16.154.82:2379
- --data-dir=/var/lib/etcd
- --initial-cluster-token=etcd-cluster-1
- --initial-cluster=infra0=http://172.16.154.82:2380
- --initial-cluster-state=new
image: hub.xfyun.cn/k8s/etcd-amd64:3.1.12
livenessProbe:
httpGet:
host: 127.0.0.1
path: /health
port: 2379
scheme: HTTP
failureThreshold: 8
initialDelaySeconds: 15
timeoutSeconds: 15
name: etcd
volumeMounts:
- name: etcd-data
mountPath: /var/lib/etcd
hostNetwork: true
volumes:
- hostPath:
path: /var/lib/etcd
type: DirectoryOrCreate
name: etcd-data
4、infra2節(jié)點(diǎn)加入etcd集群中
在infra1中etcd容器中執(zhí)行
ETCDCTL_API=3 etcdctl member add infra2 --peer-urls="http://172.16.154.83:2380"
將如下yaml放入/etc/kubernetes/manifests,由kubelet啟動etcd容器
apiVersion: v1
kind: Pod
metadata:
labels:
component: etcd
tier: control-plane
name: etcd-172.16.154.83
namespace: kube-system
spec:
containers:
- command:
- etcd
- --name=infra1
- --initial-advertise-peer-urls=http://172.16.154.83:2380
- --listen-peer-urls=http://172.16.154.83:2380
- --listen-client-urls=http://172.16.154.83:2379,http://127.0.0.1:2379
- --advertise-client-urls=http://172.16.154.83:2379
- --data-dir=/var/lib/etcd
- --initial-cluster-token=etcd-cluster-1
- --initial-cluster=infra1=http://172.16.154.82:2380,infra2=http://172.16.154.83:2380
- --initial-cluster-state=existing
image: hub.xfyun.cn/k8s/etcd-amd64:3.1.12
livenessProbe:
httpGet:
host: 127.0.0.1
path: /health
port: 2379
scheme: HTTP
failureThreshold: 8
initialDelaySeconds: 15
timeoutSeconds: 15
name: etcd
volumeMounts:
- name: etcd-data
mountPath: /var/lib/etcd
hostNetwork: true
volumes:
- hostPath:
path: /home/etcd
type: DirectoryOrCreate
name: etcd-data
infra0節(jié)點(diǎn)加入集群重復(fù)上述操作;注意在加入集群之前,將之前/var/lib/etcd/的數(shù)據(jù)刪除。
實(shí)踐 - 給kubeadm單etcd增加etcd節(jié)點(diǎn) 環(huán)境介紹10.1.86.201 單點(diǎn)etcd etcd0
10.1.86.202 擴(kuò)展節(jié)點(diǎn) etcd1
10.1.86.203 擴(kuò)展節(jié)點(diǎn) etcd2
安裝k8s先在etcd0節(jié)點(diǎn)上啟動k8s,當(dāng)然是使用sealyun的安裝包 三步安裝不多說
修改證書按照上述生成證書的方法生成證書并拷貝到對應(yīng)目錄下
cp -r cfssl/ /etc/kubernetes/pki/修改etcd配置:
cd /etc/kubernetes/manifests/ mv etcd.yaml .. # 不要直接修改,防止k8s去讀swap文件 vim ../etcd.yaml
vim里面全局替換,把127.0.0.1替換成ip地址
:%s/127.0.0.1/10.1.86.201/g
注釋掉健康檢測探針,否則加節(jié)點(diǎn)時健康檢測會導(dǎo)致etcd0跪掉
# livenessProbe: # exec: # command: # - /bin/sh # - -ec # - ETCDCTL_API=3 etcdctl --endpoints=https://[10.1.86.201]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt # --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key # get foo # failureThreshold: 8 # initialDelaySeconds: 15 # timeoutSeconds: 15
修改證書掛載配置目錄
volumes:
- hostPath:
path: /etc/kubernetes/pki/cfssl
type: DirectoryOrCreate
name: etcd-certs
修改證書配置,全改完長這樣:
[root@dev-86-201 manifests]# cat ../etcd.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
creationTimestamp: null
labels:
component: etcd
tier: control-plane
name: etcd
namespace: kube-system
spec:
containers:
- command:
- etcd
- --advertise-client-urls=https://10.1.86.201:2379
- --cert-file=/etc/kubernetes/pki/etcd/server.pem
- --client-cert-auth=true
- --data-dir=/var/lib/etcd
- --initial-advertise-peer-urls=https://10.1.86.201:2380
- --initial-cluster=etcd0=https://10.1.86.201:2380
- --key-file=/etc/kubernetes/pki/etcd/server-key.pem
- --listen-client-urls=https://10.1.86.201:2379
- --listen-peer-urls=https://10.1.86.201:2380
- --name=dev-86-201
- --peer-cert-file=/etc/kubernetes/pki/etcd/member1.pem
- --peer-client-cert-auth=true
- --peer-key-file=/etc/kubernetes/pki/etcd/member1-key.pem
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.pem
- --snapshot-count=10000
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.pem
image: k8s.gcr.io/etcd-amd64:3.2.18
imagePullPolicy: IfNotPresent
# livenessProbe:
# exec:
# command:
# - /bin/sh
# - -ec
# - ETCDCTL_API=3 etcdctl --endpoints=https://[10.1.86.201]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt
# --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key
# get foo
# failureThreshold: 8
# initialDelaySeconds: 15
# timeoutSeconds: 15
name: etcd
resources: {}
volumeMounts:
- mountPath: /var/lib/etcd
name: etcd-data
- mountPath: /etc/kubernetes/pki/etcd
name: etcd-certs
hostNetwork: true
priorityClassName: system-cluster-critical
volumes:
- hostPath:
path: /etc/kubernetes/pki/cfssl
type: DirectoryOrCreate
name: etcd-certs
- hostPath:
path: /var/lib/etcd
type: DirectoryOrCreate
name: etcd-data
status: {}
啟動etcd, 把yaml文件移回來:
mv ../etcd.yaml .
修改APIserver參數(shù):
mv kube-apiserver.yaml .. vim ../kube-apiserver.yaml
- --etcd-cafile=/etc/kubernetes/pki/cfssl/ca.pem
- --etcd-certfile=/etc/kubernetes/pki/cfssl/client.pem
- --etcd-keyfile=/etc/kubernetes/pki/cfssl/client-key.pem
- --etcd-servers=https://10.1.86.201:2379
啟動apiserver:
mv ../kube-apiserver.yaml .
驗(yàn)證:
kubectl get pod -n kube-system # 能正常返回pod標(biāo)志成功
到此etcd0上的操作完成
增加新節(jié)點(diǎn), 進(jìn)入到etcd容器內(nèi):
[root@dev-86-201 ~]# docker exec -it a7001397e1e5 sh / # alias etcdv3="ETCDCTL_API=3 etcdctl --endpoints=https://[10.1.86.201]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.pem --cert=/etc/kubernetes/pki/etcd/client.pem --key=/etc/kubernetes/pki/etcd/client-key .pem" / # etcdv3 member update a874c87fd42044f --peer-urls="https://10.1.86.201:2380" # 更新peer url 很重要 / # etcdv3 member add etcd1 --peer-urls="https://10.1.86.202:2380" Member 20c2a99381581958 added to cluster c9be114fc2da2776 ETCD_NAME="etcd1" ETCD_INITIAL_CLUSTER="dev-86-201=https://127.0.0.1:2380,etcd1=https://10.1.86.202:2380" ETCD_INITIAL_CLUSTER_STATE="existing" / # alias etcdv2="ETCDCTL_API=2 etcdctl --endpoints=https://[10.1.86.201]:2379 --ca-file=/etc/kubernetes/pki/etcd/ca.pem --cert-file=/etc/kubernetes/pki/etcd/client.pem --key-file=/etc/kubernetes/pki/etcd/client-key.pem" / # etcdv2 cluster-healthetcd1上增加一個etcd節(jié)點(diǎn)
同樣先在etcd1(10.1.86.202) 上安裝k8s,同etcd0上的安裝
把etcd0的cfssl證書目錄拷貝到etcd1上備用
scp -r root@10.1.86.201:/etc/kubernetes/pki/cfssl /etc/kubernetes/pki
修改member1.json:
[root@dev-86-202 cfssl]# cat member1.json
{
"CN": "etcd1", # CN 改一下
"hosts": [
"10.1.86.202" # 主要改成自身ip
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}
重新生成member1證書:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member1.json | cfssljson -bare member1
驗(yàn)證證書:
openssl x509 -in member1.pem -text -noout
修改etcd1的etcd配置:
mv etcd.yaml .. rm /var/lib/etcd/ -rf # 因?yàn)檫@是個擴(kuò)展節(jié)點(diǎn),需要同步etcd0的數(shù)據(jù),所以把它自己數(shù)據(jù)刪掉 vim ../etcd.yaml
修改后yaml文件u
apiVersion: v1
kind: Pod
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
creationTimestamp: null
labels:
component: etcd
tier: control-plane
name: etcd
namespace: kube-system
spec:
containers:
- command:
- etcd
- --advertise-client-urls=https://10.1.86.202:2379
- --cert-file=/etc/kubernetes/pki/etcd/server.pem
- --data-dir=/var/lib/etcd
- --initial-advertise-peer-urls=https://10.1.86.202:2380
- --initial-cluster=etcd0=https://10.1.86.201:2380,etcd1=https://10.1.86.202:2380
- --key-file=/etc/kubernetes/pki/etcd/server-key.pem
- --listen-client-urls=https://10.1.86.202:2379
- --listen-peer-urls=https://10.1.86.202:2380
- --name=etcd1
- --peer-cert-file=/etc/kubernetes/pki/etcd/member1.pem
- --peer-client-cert-auth=true
- --peer-key-file=/etc/kubernetes/pki/etcd/member1-key.pem
- --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.pem
- --snapshot-count=10000
- --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.pem
- --initial-cluster-state=existing # 千萬別加雙引號,被坑死
image: k8s.gcr.io/etcd-amd64:3.2.18
imagePullPolicy: IfNotPresent
# livenessProbe:
# exec:
# command:
# - /bin/sh
# - -ec
# - ETCDCTL_API=3 etcdctl --endpoints=https://[10.1.86.202]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt
# --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key
# get foo
# failureThreshold: 8
# initialDelaySeconds: 15
# timeoutSeconds: 15
name: etcd
resources: {}
volumeMounts:
- mountPath: /var/lib/etcd
name: etcd-data
- mountPath: /etc/kubernetes/pki/etcd
name: etcd-certs
hostNetwork: true
priorityClassName: system-cluster-critical
volumes:
- hostPath:
path: /var/lib/etcd
type: DirectoryOrCreate
name: etcd-data
- hostPath:
path: /etc/kubernetes/pki/cfssl
type: DirectoryOrCreate
name: etcd-certs
status: {}
在容器內(nèi)查看集群已經(jīng)健康運(yùn)行了:
/ # alias etcdv2="ETCDCTL_API=2 etcdctl --endpoints=https://[10.1.86.201]:2379 --ca-file=/etc/kubernetes/pki/etcd/ca.pem --cert-file=/etc/kubernetes/pki/etcd/client.pem --key-file=/etc/kubernetes/pki/etcd/client-key.pem" / # etcdv2 cluster-health member a874c87fd42044f is healthy: got healthy result from https://10.1.86.201:2379 member bbbbf223ec75e000 is healthy: got healthy result from https://10.1.86.202:2379 cluster is healthy
然后就可以把a(bǔ)piserver啟動參數(shù)再加一個etcd1:
- --etcd-servers=https://10.1.86.201:2379
- --etcd-servers=https://10.1.86.202:2379
第三個節(jié)點(diǎn)同第二個,不再贅述。
細(xì)節(jié)問題非常多,一個端口,一個IP都不要填錯,否則就會各種錯誤, 包括新加節(jié)點(diǎn)要清etcd數(shù)據(jù)這些小細(xì)節(jié)問題。
大功告成!
文章版權(quán)歸作者所有,未經(jīng)允許請勿轉(zhuǎn)載,若此文章存在違規(guī)行為,您可以聯(lián)系管理員刪除。
轉(zhuǎn)載請注明本文地址:http://specialneedsforspecialkids.com/yun/32703.html
摘要:廣告各版本離線安裝包證書配置生產(chǎn)環(huán)境中給配置證書相當(dāng)重要,如果沒有證書,那么集群很容易被黑客利用而去挖礦什么的。細(xì)節(jié)問題非常多,一個端口,一個都不要填錯,否則就會各種錯誤包括新加節(jié)點(diǎn)要清數(shù)據(jù)這些小細(xì)節(jié)問題。 廣告 | kubernetes各版本離線安裝包 etcd 證書配置 生產(chǎn)環(huán)境中給etcd配置證書相當(dāng)重要,如果沒有證書,那么k8s集群很容易被黑客利用而去挖礦什么的。做法非常簡單...
摘要:是集群的數(shù)據(jù)核心,最嚴(yán)重的情況是,當(dāng)出問題徹底無法恢復(fù)的時候,解決問題的辦法可能只有重新搭建一個環(huán)境。因此圍繞相關(guān)的運(yùn)維知識就比較重要,可以容器化部署,也可以在宿主機(jī)自行搭建,以下內(nèi)容是通用的。 etcd 是 Kubernetes 集群的數(shù)據(jù)核心,最嚴(yán)重的情況是,當(dāng) etcd 出問題徹底無法恢復(fù)的時候,解決問題的辦法可能只有重新搭建一個環(huán)境。因此圍繞 etcd 相關(guān)的運(yùn)維知識就比較重要...
摘要:是集群的數(shù)據(jù)核心,最嚴(yán)重的情況是,當(dāng)出問題徹底無法恢復(fù)的時候,解決問題的辦法可能只有重新搭建一個環(huán)境。因此圍繞相關(guān)的運(yùn)維知識就比較重要,可以容器化部署,也可以在宿主機(jī)自行搭建,以下內(nèi)容是通用的。 etcd 是 Kubernetes 集群的數(shù)據(jù)核心,最嚴(yán)重的情況是,當(dāng) etcd 出問題徹底無法恢復(fù)的時候,解決問題的辦法可能只有重新搭建一個環(huán)境。因此圍繞 etcd 相關(guān)的運(yùn)維知識就比較重要...
摘要:容器云的背景伴隨著微服務(wù)的架構(gòu)的普及,結(jié)合開源的和等微服務(wù)框架,宜信內(nèi)部很多業(yè)務(wù)線逐漸了從原來的單體架構(gòu)逐漸轉(zhuǎn)移到微服務(wù)架構(gòu)。 容器云的背景 伴隨著微服務(wù)的架構(gòu)的普及,結(jié)合開源的Dubbo和Spring Cloud等微服務(wù)框架,宜信內(nèi)部很多業(yè)務(wù)線逐漸了從原來的單體架構(gòu)逐漸轉(zhuǎn)移到微服務(wù)架構(gòu)。應(yīng)用從有狀態(tài)到無狀態(tài),具體來說將業(yè)務(wù)狀態(tài)數(shù)據(jù)如:會話、用戶數(shù)據(jù)等存儲到中間件中服務(wù)中。 showI...
摘要:容器云的背景伴隨著微服務(wù)的架構(gòu)的普及,結(jié)合開源的和等微服務(wù)框架,宜信內(nèi)部很多業(yè)務(wù)線逐漸了從原來的單體架構(gòu)逐漸轉(zhuǎn)移到微服務(wù)架構(gòu)。 容器云的背景 伴隨著微服務(wù)的架構(gòu)的普及,結(jié)合開源的Dubbo和Spring Cloud等微服務(wù)框架,宜信內(nèi)部很多業(yè)務(wù)線逐漸了從原來的單體架構(gòu)逐漸轉(zhuǎn)移到微服務(wù)架構(gòu)。應(yīng)用從有狀態(tài)到無狀態(tài),具體來說將業(yè)務(wù)狀態(tài)數(shù)據(jù)如:會話、用戶數(shù)據(jù)等存儲到中間件中服務(wù)中。 showI...
閱讀 1025·2021-11-23 10:11
閱讀 3863·2021-11-16 11:50
閱讀 930·2021-10-14 09:43
閱讀 2717·2021-10-14 09:42
閱讀 2716·2021-09-22 16:02
閱讀 1061·2019-08-29 10:57
閱讀 3383·2019-08-29 10:57
閱讀 2274·2019-08-26 13:52
