Rancher 2.X-RKE-七层负载均衡HA部署
- 基础环境配置
- 版本要求
- 准备四个节点
- CentOS关闭selinux
- 关闭防火墙(可选)或者放行相应端口
- Kernel性能调优
- Docker安装与配置
- Docker配置
- 节点配置
- 自签名ssl证书
- HTTP over SSL
- 生成自签名证书
- 创建四层负载均衡(172.18.85.207节点)
- 创建Nginx配置
- 运行NGINX
- 安装kubectl
- 七层负载均衡HA部署
- 架构说明
- 下载 RKE
- 编辑rancher-cluster.yml配置文件
- 运行RKE
基础环境配置
版本要求
- CentOS 7.5
- Docker 18.09.4
- kubectl v1.14.0
- rke version v0.2.1
准备四个节点
主机名 | IP | 备注 |
k8s-master | 172.18.85.207 | 负载均衡器,rancher url请求 |
k8s-node01 | 172.18.85.208 | rancher node,etcd controlplane |
k8s-node02 | 172.18.85.209 | rancher node,etcd controlplane |
k8s-node03 | 172.18.85.206 | rancher node,etcd controlplane |
CentOS关闭selinux
sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
关闭防火墙(可选)或者放行相应端口
对于刚刚接触Rancher的用户,建议在关闭防火墙的测试环境或桌面虚拟机来运行rancher,以避免出现网络通信问题。
- 关闭防火墙
- CentOS
systemctl stop firewalld.service && systemctl disable firewalld.service
- Ubuntu
ufw disable
- 端口放行
端口放行请查看端口需求.
Kernel性能调优
cat >> /etc/sysctl.conf<<EOF
net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-iptables=1
net.ipv4.neigh.default.gc_thresh1=4096
net.ipv4.neigh.default.gc_thresh2=6144
net.ipv4.neigh.default.gc_thresh3=8192
EOF
数值根据实际环境自行配置,最后执行sysctl -p保存配置。
Docker安装与配置
yum install epel-release –y
yum clean all
yum list
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache fast
yum install docker-ce -y
service docker start
# 设置开机启动
sudo systemctl enable docker
因为CentOS的安全限制,通过RKE安装K8S集群时候无法使用root账户。所以,建议CentOS用户使用非root用户来运行docker,不管是RKE还是custom安装k8s
# 添加用户(可选)
sudo adduser `<new_user>`
# 为新用户设置密码
sudo passwd `<new_user>`
# 为新用户添加sudo权限
sudo echo '<new_user> ALL=(ALL) ALL' >> /etc/sudoers
# 把当前用户加入docker组
sudo usermod -aG docker `<new_user>`
Docker配置
daemon.json默认位于/etc/docker/daemon.json,如果没有可手动创建,基于systemd管理的系统都是相同的路径。通过修改daemon.json来改过Docker配置,也是Docker官方推荐的方法。
{
"max-concurrent-downloads": 3,
"max-concurrent-uploads": 5,
"registry-mirrors": ["https://7bezldxe.mirror.aliyuncs.com/"],
"storage-driver": "overlay2",
"storage-opts": ["overlay2.override_kernel_check=true"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m",
"max-file": "3"
}
}
节点配置
节点免密登录
- 第一步:在任意一台Linux主机使用ssh-keygen命令产生公钥私钥对(一路回车键)
ssh-keygen
- 第二步:通过ssh-copy-id命令将公钥复制到远程机器中(包含当前节点)
ssh-copy-id -i .ssh/id_rsa.pub $user@192.168.x.xxx
自签名ssl证书
HTTP over SSL
要保证Web浏览器到服务器的安全连接,HTTPS几乎是唯一选择。HTTPS其实就是HTTP over SSL,也就是让HTTP连接建立在SSL安全连接之上。
SSL使用证书来创建安全连接。有两种验证模式:
1.仅客户端验证服务器的证书,客户端自己不提供证书;
2.客户端和服务器都互相验证对方的证书。
一般第二种方式用于网上银行等安全性要求较高的网站,普通的Web网站只采用第一种方式。
- 客户端如何验证服务器的证书呢?
服务器自己的证书必须经过某“权威”证书的签名,而这个“权威”证书又可能经过更权威的证书签名,这么一级一级追溯上去,最顶层那个最权威的证书就称为根证书。根证书直接内置在浏览器中,这样,浏览器就可以利用自己自带的根证书去验证某个服务器的证书是否有效。如果要提供一个有效的证书,服务器的证书必须从VeriSign这样的证书颁发机构签名。这样,浏览器就可以验证通过,否则,浏览器给出一个证书无效的警告。一般安全要求较高的内网环境,可以通过创建自签名SSL证书来加密通信。
生成自签名证书
- 一键生成ssl自签名证书脚本
#!/bin/bash -e
# * 为必改项
# * 更换为你自己的域名
CN='' # 例如: demo.rancher.com
# 扩展信任IP或域名
## 一般ssl证书只信任域名的访问请求,有时候需要使用ip去访问server,那么需要给ssl证书添加扩展IP,
## 多个IP用逗号隔开。如果想多个域名访问,则添加扩展域名(SSL_DNS),多个SSL_DNS用逗号隔开
SSL_IP='' # 例如: 1.2.3.4
SSL_DNS='' # 例如: demo.rancher.com
# 国家名(2个字母的代号)
C=CN
# 证书加密位数
SSL_SIZE=2048
# 证书有效期
DATE=${DATE:-3650}
# 配置文件
SSL_CONFIG='openssl.cnf'
if [[ -z $SILENT ]]; then
echo "----------------------------"
echo "| SSL Cert Generator |"
echo "----------------------------"
echo
fi
export CA_KEY=${CA_KEY-"cakey.pem"}
export CA_CERT=${CA_CERT-"cacerts.pem"}
export CA_SUBJECT=ca-$CN
export CA_EXPIRE=${DATE}
export SSL_CONFIG=${SSL_CONFIG}
export SSL_KEY=$CN.key
export SSL_CSR=$CN.csr
export SSL_CERT=$CN.crt
export SSL_EXPIRE=${DATE}
export SSL_SUBJECT=${CN}
export SSL_DNS=${SSL_DNS}
export SSL_IP=${SSL_IP}
export K8S_SECRET_COMBINE_CA=${K8S_SECRET_COMBINE_CA:-'true'}
[[ -z $SILENT ]] && echo "--> Certificate Authority"
if [[ -e ./${CA_KEY} ]]; then
[[ -z $SILENT ]] && echo "====> Using existing CA Key ${CA_KEY}"
else
[[ -z $SILENT ]] && echo "====> Generating new CA key ${CA_KEY}"
openssl genrsa -out ${CA_KEY} ${SSL_SIZE} > /dev/null
fi
if [[ -e ./${CA_CERT} ]]; then
[[ -z $SILENT ]] && echo "====> Using existing CA Certificate ${CA_CERT}"
else
[[ -z $SILENT ]] && echo "====> Generating new CA Certificate ${CA_CERT}"
openssl req -x509 -sha256 -new -nodes -key ${CA_KEY} \
-days ${CA_EXPIRE} -out ${CA_CERT} -subj "/CN=${CA_SUBJECT}" > /dev/null || exit 1
fi
echo "====> Generating new config file ${SSL_CONFIG}"
cat > ${SSL_CONFIG} <<EOM
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOM
if [[ -n ${SSL_DNS} || -n ${SSL_IP} ]]; then
cat >> ${SSL_CONFIG} <<EOM
subjectAltName = @alt_names
[alt_names]
EOM
IFS=","
dns=(${SSL_DNS})
dns+=(${SSL_SUBJECT})
for i in "${!dns[@]}"; do
echo DNS.$((i+1)) = ${dns[$i]} >> ${SSL_CONFIG}
done
if [[ -n ${SSL_IP} ]]; then
ip=(${SSL_IP})
for i in "${!ip[@]}"; do
echo IP.$((i+1)) = ${ip[$i]} >> ${SSL_CONFIG}
done
fi
fi
[[ -z $SILENT ]] && echo "====> Generating new SSL KEY ${SSL_KEY}"
openssl genrsa -out ${SSL_KEY} ${SSL_SIZE} > /dev/null || exit 1
[[ -z $SILENT ]] && echo "====> Generating new SSL CSR ${SSL_CSR}"
openssl req -sha256 -new -key ${SSL_KEY} -out ${SSL_CSR} \
-subj "/CN=${SSL_SUBJECT}" -config ${SSL_CONFIG} > /dev/null || exit 1
[[ -z $SILENT ]] && echo "====> Generating new SSL CERT ${SSL_CERT}"
openssl x509 -sha256 -req -in ${SSL_CSR} -CA ${CA_CERT} \
-CAkey ${CA_KEY} -CAcreateserial -out ${SSL_CERT} \
-days ${SSL_EXPIRE} -extensions v3_req \
-extfile ${SSL_CONFIG} > /dev/null || exit 1
if [[ -z $SILENT ]]; then
echo "====> Complete"
echo "keys can be found in volume mapped to $(pwd)"
echo
echo "====> Output results as YAML"
echo "---"
echo "ca_key: |"
cat $CA_KEY | sed 's/^/ /'
echo
echo "ca_cert: |"
cat $CA_CERT | sed 's/^/ /'
echo
echo "ssl_key: |"
cat $SSL_KEY | sed 's/^/ /'
echo
echo "ssl_csr: |"
cat $SSL_CSR | sed 's/^/ /'
echo
echo "ssl_cert: |"
cat $SSL_CERT | sed 's/^/ /'
echo
fi
if [[ -n $K8S_SECRET_NAME ]]; then
if [[ -n $K8S_SECRET_COMBINE_CA ]]; then
[[ -z $SILENT ]] && echo "====> Adding CA to Cert file"
cat ${CA_CERT} >> ${SSL_CERT}
fi
[[ -z $SILENT ]] && echo "====> Creating Kubernetes secret: $K8S_SECRET_NAME"
kubectl delete secret $K8S_SECRET_NAME --ignore-not-found
if [[ -n $K8S_SECRET_SEPARATE_CA ]]; then
kubectl create secret generic \
$K8S_SECRET_NAME \
--from-file="tls.crt=${SSL_CERT}" \
--from-file="tls.key=${SSL_KEY}" \
--from-file="ca.crt=${CA_CERT}"
else
kubectl create secret tls \
$K8S_SECRET_NAME \
--cert=${SSL_CERT} \
--key=${SSL_KEY}
fi
if [[ -n $K8S_SECRET_LABELS ]]; then
[[ -z $SILENT ]] && echo "====> Labeling Kubernetes secret"
IFS=$' \n\t' # We have to reset IFS or label secret will misbehave on some systems
kubectl label secret \
$K8S_SECRET_NAME \
$K8S_SECRET_LABELS
fi
fi
echo "4. 重命名服务证书"
mv ${CN}.key tls.key
mv ${CN}.crt tls.crt
复制以上代码另存为create_self-signed-cert.sh或者其他您喜欢的文件名。修改代码开头的CN(域名),如果需要使用ip去访问rancher server,那么需要给ssl证书添加扩展IP,多个IP用逗号隔开。如果想实现多个域名访问rancher server,则添加扩展域名(SSL_DNS),多个SSL_DNS用逗号隔开
创建四层负载均衡(172.18.85.207节点)
添加nginx源
vim /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
下载nginx
yum install -y nginx
创建Nginx配置
创建rancher代理配置文件/etc/nginx/conf.d/rancher.conf
- 复制粘贴以下文件到编辑器,并保存到 /etc/nginx/conf.d/rancher.conf.
upstream rancher {
server IP_NODE_1:80;
server IP_NODE_2:80;
server IP_NODE_3:80;
}
map $http_upgrade $connection_upgrade {
default Upgrade;
'' close;
}
server {
listen 443 ssl http2;
server_name FQDN;
ssl_certificate /etc/your_certificate_directory/fullchain.pem;
ssl_certificate_key /etc/your_certificate_directory/privkey.pem;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://rancher;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# This allows the ability for the execute shell window to remain open for up to 15 minutes.
## Without this parameter, the default is 1 minute and will automatically close.
proxy_read_timeout 900s;
proxy_buffering off;
}
}
server {
listen 80;
server_name FQDN;
return 301 https://$server_name$request_uri;
}
为了减少网络传输的数据量,可以在七层代理的http定义中添加GZIP功能。
# Gzip Settings
gzip on;
gzip_disable "msie6";
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
gzip_vary on;
gzip_static on;
gzip_proxied any;
gzip_min_length 0;
gzip_comp_level 8;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml application/font-woff
text/javascript application/javascript application/x-javascript
text/x-json application/json application/x-web-app-manifest+json
text/css text/plain text/x-component
font/opentype application/x-font-ttf application/vnd.ms-fontobject font/woff2
image/x-icon image/png image/jpeg;
- 在/etc/nginx/conf.d/rancher.conf中, 替换 IP_NODE_1, IP_NODE_2, IP_NODE_3
- 在/etc/nginx/conf.d/rancher.conf中, 替换FQDN为你设置用来登录rancher的域名;
- 在/etc/nginx/conf.d/rancher.conf中, 替换/certs/fullchain.pem为证书的路径;
- 在/etc/nginx/conf.d/rancher.conf中, 替换/certs/privkey.pem为证书密钥的路径;
运行NGINX
- 重新加载或者重启NGINX
# Reload NGINX
nginx -s reload
# Restart NGINX
# Depending on your Linux distribution
service nginx restart
systemctl restart nginx
安装kubectl
kubectl是一个CLI命令行工具,用于运行Kubernetes集群的命令。Rancher 2.x中的许多维护和管理都需要它。
- 文件下载
通过 文件下载下载最新文档版本。 - 确保kubectl二进制文件是可执行文件
chmod +x ./kubectl
- 将kubectl二进制文件移动到PATH路径下
sudo mv ./kubectl /usr/local/bin/kubectl
七层负载均衡HA部署
架构说明
下载 RKE
RKE是一种快速,通用的Kubernetes安装程序,可用于在Linux主机上安装Kubernetes。我们将使用RKE来配置Kubernetes集群并运行Rancher。
- 打开浏览器访问 下载文件页面,根据你操作系统类型下载最新版本的RKE:
- MacOS: rke_darwin-amd64
- Linux: rke_linux-amd64
- Windows: rke_windows-amd64.exe
- 通过chmod +x命令给刚下载的RKE二进制文件添加可执行权限。
$ chmod +x rke_linux-amd64
编辑rancher-cluster.yml配置文件
编辑器打开 rancher-cluster.yml 文件,在nodes配置版块中,修改 IP_ADDRESS_X and USER为你真实的Linux主机IP和用户名,ssh_key_path为第一步生成的私钥文件,如果是在RKE所在主机上生成的公钥私钥对,此配置可保持默认:
nodes:
- address: <IP> # hostname or IP to access nodes
user: <USER> # root user (usually 'root')
role: [controlplane,etcd,worker] # K8s roles for node
ssh_key_path: <PEM_FILE> # path to PEM file
- address: <IP>
user: <USER>
role: [controlplane,etcd,worker]
ssh_key_path: <PEM_FILE>
- address: <IP>
user: <USER>
role: [controlplane,etcd,worker]
ssh_key_path: <PEM_FILE>
addons: |-
---
kind: Namespace
apiVersion: v1
metadata:
name: cattle-system
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: cattle-admin
namespace: cattle-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cattle-crb
namespace: cattle-system
subjects:
- kind: ServiceAccount
name: cattle-admin
namespace: cattle-system
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
metadata:
name: cattle-keys-server
namespace: cattle-system
type: Opaque
data:
cacerts.pem: <BASE64_CA> # CA cert used to sign cattle server cert and key
---
apiVersion: v1
kind: Service
metadata:
namespace: cattle-system
name: cattle-service
labels:
app: cattle
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
name: http
selector:
app: cattle
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
namespace: cattle-system
name: cattle-ingress-http
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800" # Max time in seconds for ws to remain shell window open
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800" # Max time in seconds for ws to remain shell window open
nginx.ingress.kubernetes.io/ssl-redirect: "false" # Disable redirect to ssl
spec:
rules:
- host: <FQDN>
http:
paths:
- backend:
serviceName: cattle-service
servicePort: 80
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
namespace: cattle-system
name: cattle
spec:
replicas: 1
template:
metadata:
labels:
app: cattle
spec:
serviceAccountName: cattle-admin
containers:
- image: rancher/rancher:latest
imagePullPolicy: Always
name: cattle-server
ports:
- containerPort: 80
protocol: TCP
volumeMounts:
- mountPath: /etc/rancher/ssl
name: cattle-keys-volume
readOnly: true
volumes:
- name: cattle-keys-volume
secret:
defaultMode: 420
secretName: cattle-keys-server
运行RKE
完成所有配置后,你可以通过运行rke up命令并使用–config参数指定配置文件来完成Rancher 集群的安装。
- 下载RKE二进制文档到你的主机,确保 rancher-cluster.yml与下载的rke 在同一目录下;
- 打开shell 终端,切换路径到RKE所在的目录;
- 根据操作系统类型,选择以下命令并执行:
# MacOS
./rke_darwin-amd64 up --config rancher-cluster.yml
# Linux
./rke_linux-amd64 up --config rancher-cluster.yml
结果: 应该会有以下日志输出:
INFO[0000] Building Kubernetes cluster
INFO[0000] [dialer] Setup tunnel for host [1.1.1.1]
INFO[0000] [network] Deploying port listener containers
INFO[0000] [network] Pulling image [alpine:latest] on host [1.1.1.1]
...
INFO[0101] Finished building Kubernetes cluster successfully
重启NGINX
systemctl restart nginx
安装成功后,通过https://FQDN来访问RANCHER UI(需要稍等几分钟)