hostnamectl set-hostname k8s-master-0# 高可用浮动IP
10.16.10.60 vip-k8s-master
10.16.10.61 k8s-master-0
10.16.10.62 k8s-master-1
10.16.10.63 k8s-master-2
10.16.10.64 k8s-node-0
10.16.10.65 k8s-node-1
10.16.10.66 k8s-node-2
10.16.10.67 k8s-node-3yum install haproxy keepalived -y最后更新于
#!/bin/sh
APISERVER_VIP=10.16.10.60
APISERVER_DEST_PORT=6443
errorExit() {
echo "*** $*" 1>&2
exit 1
}
curl --silent --max-time 2 --insecure https://localhost:${APISERVER_DEST_PORT}/ -o /dev/null || errorExit "Error GET https://localhost:${APISERVER_DEST_PORT}/"
if ip addr | grep -q ${APISERVER_VIP}; then
curl --silent --max-time 2 --insecure https://${APISERVER_VIP}:${APISERVER_DEST_PORT}/ -o /dev/null || errorExit "Error GET https://${APISERVER_VIP}:${APISERVER_DEST_PORT}/"
fi
chmod +x /etc/keepalived/check_apiserver.sh# 备份文件
cp /etc/keepalived/keepalived.conf{,.save}
# 清空文件
> /etc/keepalived/keepalived.conf! /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
}
vrrp_script check_apiserver {
script "/etc/keepalived/check_apiserver.sh"
interval 3
weight -2
fall 10
rise 2
}
vrrp_instance VI_1 {
state MASTER
interface eth0
virtual_router_id 151
priority 255
authentication {
auth_type PASS
auth_pass P@##D321!
}
virtual_ipaddress {
10.16.10.60/24
}
track_script {
check_apiserver
}
}
# 备份文件
cp /etc/haproxy/haproxy.cfg{,.save}#---------------------------------------------------------------------
# apiserver frontend which proxys to the masters
#---------------------------------------------------------------------
frontend apiserver
bind *:8443
mode tcp
option tcplog
default_backend apiserver
#---------------------------------------------------------------------
# round robin balancing for apiserver
#---------------------------------------------------------------------
backend apiserver
option httpchk GET /healthz
http-check expect status 200
mode tcp
option ssl-hello-chk
balance roundrobin
server k8s-master-0 10.16.10.61:6443 check
server k8s-master-1 10.16.10.62:6443 check
server k8s-master-2 10.16.10.63:6443 check
for f in k8s-master-1 k8s-master-2; do scp /etc/keepalived/check_apiserver.sh /etc/keepalived/keepalived.conf root@$f:/etc/keepalived; scp /etc/haproxy/haproxy.cfg root@$f:/etc/haproxy; done# 修改防火墙
firewall-cmd --add-rich-rule='rule protocol value="vrrp" accept' --permanent
firewall-cmd --permanent --add-port=8443/tcp
firewall-cmd --reload
# 启用服务
systemctl enable keepalived --now
systemctl enable haproxy --now
# 修改控制节点防火墙
firewall-cmd --permanent --add-port=6443/tcp
firewall-cmd --permanent --add-port=2379-2380/tcp
firewall-cmd --permanent --add-port=10250/tcp
firewall-cmd --permanent --add-port=10251/tcp
firewall-cmd --permanent --add-port=10252/tcp
firewall-cmd --permanent --add-port=179/tcp
firewall-cmd --permanent --add-port=4789/udp
firewall-cmd --reload
modprobe br_netfilter
sh -c "echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables"
sh -c "echo '1' > /proc/sys/net/ipv4/ip_forward"
# 修改工作节点防火墙
firewall-cmd --permanent --add-port=10250/tcp
firewall-cmd --permanent --add-port=30000-32767/tcp
firewall-cmd --permanent --add-port=179/tcp
firewall-cmd --permanent --add-port=4789/udp
firewall-cmd --reload
modprobe br_netfilter
sh -c "echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables"
sh -c "echo '1' > /proc/sys/net/ipv4/ip_forward"swapoff -a
sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstabcat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOFyum install -y kubelet kubeadm kubectl --disableexcludes=kubernetessystemctl enable kubelet --now[plugins]
[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "swr.cq-region-2.sgic.sgcc.com.cn/k8s/pause:3.9"
[plugins.cri]
[plugins.cri.registry]
[plugins.cri.registry.mirrors]
[plugins.cri.registry.mirrors."swr.cq-region-2.sgic.sgcc.com.cn"]
endpoint = ["http://swr.cq-region-2.sgic.sgcc.com.cn"]ctr -n k8s.io i tag swr.cq-region-2.sgic.sgcc.com.cn/k8s/pause:3.9 registry.k8s.io/pause:3.6kubeadm init --control-plane-endpoint "vip-k8s-master:8443" --upload-certs --pod-network-cidr=10.244.10.0/16 --image-repository=swr.cq-region-2.sgic.sgcc.com.cn/k8s --v=5kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/tigera-operator.yamlkubeadm join vip-k8s-master:8443 --token r3g4lg.808yznkgswngn1el \
--discovery-token-ca-cert-hash sha256:37501bfeab42b97b9a9a18728aea7a00fe3ba5a28c0207fc72180827612340c2 \
--control-plane --certificate-key 160ab777510190cd1576e7bdb6e24153d2e55acf6f2c6f972cc52eae364f560f
kubeadm join vip-k8s-master:8443 --token r3g4lg.808yznkgswngn1el \
--discovery-token-ca-cert-hash sha256:37501bfeab42b97b9a9a18728aea7a00fe3ba5a28c0207fc72180827612340c2