How to set up HA for Kubernetes on CentOS with 1 master and 2 workers already running via kubeadm

Time: 2017-11-15 12:06:51

Tags: kubernetes etcd

I have successfully set up a normal cluster, and now I am trying to do an HA setup following the documentation at https://kubernetes.io/docs/admin/high-availability/

After copying the etcd.yaml file into /etc/kubernetes/manifest, I see 3 etcd containers in my cluster:

default       etcd-server-kuber-poc-app1   1/1   Running   1    2d
default       etcd-server-kuber-poc-app2   1/1   Running   72   20h
kube-system   etcd-kuber-poc-app1          1/1   Running   4    13d

But when I check the logs of any of the etcd pods, I see errors like:

2017-11-15 08:53:25.398815 E | discovery: error #0: x509: failed to load system roots and no roots provided

2017-11-15 08:53:25.398907 I | discovery: cluster status check: error connecting to https://discovery.etcd.io, retrying in 18h12m16s

It seems their certificates are missing,

but I am not sure which certificates to create and where to put them.

YAML content:

apiVersion: v1
kind: Pod
metadata:
  name: etcd-server
spec:
  hostNetwork: true
  containers:
  - image: gcr.io/google_containers/etcd:3.0.17
    name: etcd-container
    command:
    - /usr/local/bin/etcd
    - --name
    - NODE-1
    - --initial-advertise-peer-urls
    - http://10.127.38.18:2380
    - --listen-peer-urls
    - http://10.127.38.18:2380
    - --advertise-client-urls
    - http://10.127.38.18:4001
    - --listen-client-urls
    - http://127.0.0.1:4001
    - --data-dir
    - /var/etcd/data
    - --discovery
    - https://discovery.etcd.io/9458bcd46077d558fd26ced5cb9f2a6a
    ports:
    - containerPort: 2380
      hostPort: 2380
      name: serverport
    - containerPort: 4001
      hostPort: 4001
      name: clientport
    volumeMounts:
    - mountPath: /var/etcd
      name: varetcd
    - mountPath: /etc/ssl
      name: etcssl
      readOnly: true
    - mountPath: /usr/share/ssl
      name: usrsharessl
      readOnly: true
    - mountPath: /var/ssl
      name: varssl
      readOnly: true
    - mountPath: /usr/ssl
      name: usrssl
      readOnly: true
    - mountPath: /usr/lib/ssl
      name: usrlibssl
      readOnly: true
    - mountPath: /usr/local/openssl
      name: usrlocalopenssl
      readOnly: true
    - mountPath: /etc/openssl
      name: etcopenssl
      readOnly: true
    - mountPath: /etc/pki/tls
      name: etcpkitls
      readOnly: true
  volumes:
  - hostPath:
      path: /var/etcd/data
    name: varetcd
  - hostPath:
      path: /etc/ssl
    name: etcssl
  - hostPath:
      path: /usr/share/ssl
    name: usrsharessl
  - hostPath:
      path: /var/ssl
    name: varssl
  - hostPath:
      path: /usr/ssl
    name: usrssl
  - hostPath:
      path: /usr/lib/ssl
    name: usrlibssl
  - hostPath:
      path: /usr/local/openssl
    name: usrlocalopenssl
  - hostPath:
      path: /etc/openssl
    name: etcopenssl
  - hostPath:
      path: /etc/pki/tls
    name: etcpkitls

So, 2 questions:

1) How do I create the certs?

2) Where do I keep them?
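The log line quoted in the question is Go's own message for "no CA bundle found at any of the places I look". Because the etcd-server manifest bind-mounts a fixed list of host directories into the container, the practical check is whether at least one CA bundle the etcd binary probes exists on the CentOS host and is fully visible through one of those mounts, including the target of any symlink. The following script is an added example and is not code from the question, the answer or the Kubernetes project; it assumes SSL_CERT_FILE and SSL_CERT_DIR are unset in the container, takes its probe list from Go's crypto/x509 package for Linux, and copies the hostPath list from the manifest above.

```shell
#!/bin/sh
# Added example (not from the original question or answer): on the CentOS host,
# report which CA-bundle files a Go binary such as etcd probes actually exist,
# and whether each one (and, for a symlink, its resolved target) lies under one
# of the hostPath mounts of the etcd-server manifest. A bundle that exists on
# the host but is not covered by a mount, or whose symlink target is not
# covered, is invisible inside the container and yields the error
# "x509: failed to load system roots and no roots provided".

# Probe list taken from Go's crypto/x509 root_linux.go. Assumption: SSL_CERT_FILE
# and SSL_CERT_DIR are unset in the container, so Go falls back to these files.
GO_ROOT_FILES="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/pki/tls/cacert.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/ssl/cert.pem"

# hostPath directories copied from the manifest in the question.
MANIFEST_MOUNTS="/etc/ssl /usr/share/ssl /var/ssl /usr/ssl /usr/lib/ssl /usr/local/openssl /etc/openssl /etc/pki/tls"

# path_under_mounts PATH "MOUNT ..." -> exit 0 if PATH is inside one of MOUNT
path_under_mounts() {
    _p=$1
    for _m in $2; do
        case "$_p" in
            "$_m"/*) return 0 ;;
        esac
    done
    return 1
}

# bundle_status FILE "MOUNT ..." -> prints one of:
#   missing | unmounted | target-unmounted:<resolved target> | ok
bundle_status() {
    _f=$1
    if [ ! -e "$_f" ]; then
        echo missing
        return 0
    fi
    if ! path_under_mounts "$_f" "$2"; then
        echo unmounted
        return 0
    fi
    # On CentOS 7 the bundle under /etc/pki/tls/certs is typically a symlink
    # into /etc/pki/ca-trust; bind-mounting only /etc/pki/tls leaves it dangling
    # inside the container, so the resolved target must be covered as well.
    _t=$(readlink -f "$_f")
    if [ "$_t" != "$_f" ] && ! path_under_mounts "$_t" "$2"; then
        echo "target-unmounted:$_t"
        return 0
    fi
    echo ok
}

# report "MOUNT ..." -> one line per probe file; exit 0 if at least one is "ok"
report() {
    _found=1
    for _f in $GO_ROOT_FILES; do
        _s=$(bundle_status "$_f" "$1")
        printf '%-55s %s\n' "$_f" "$_s"
        if [ "$_s" = ok ]; then _found=0; fi
    done
    return $_found
}

if report "$MANIFEST_MOUNTS"; then
    echo "at least one CA bundle is fully visible to the container"
else
    echo "no CA bundle is fully visible: add a hostPath for the real bundle (or its symlink target)"
fi
```

Run it as root on each etcd host. A line ending in `target-unmounted:` names the directory that still needs its own hostPath entry in the manifest; `unmounted` means the bundle exists but none of the listed mounts covers it; all `missing` means the host itself has no CA bundle at a path Go probes, so the bundle has to be installed (or SSL_CERT_FILE set in the container) before the discovery URL can be verified.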

1 answer:

Answer 0 (score: 0)

I don't think we can make a kubeadm cluster HA. You can choose to recreate the cluster with the kubespray tool https://github.com/kubespray/kubespray-cli, which will create the certificates for all nodes.

For step-by-step instructions, follow Kubernetes The Hard Way: https://github.com/kelseyhightower/kubernetes-the-hard-way