Kubernetes 1.8 with TLS&RBAC 配置HA

原创 Jeff Tang  2018-08-20 17:29

# 安装 keepalived [k8s-m1,  k8s-m2, k8s-m3  执行]

# keepalived is the VRRP daemon that moves the virtual IP between masters.
# policycoreutils-python is installed alongside it for the SELinux steps
# further down this page (audit2allow).
yum --assumeyes install policycoreutils-python keepalived

 

# 配置 keepalived 检测脚本 [k8s-m1,  k8s-m2, k8s-m3  执行]

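# Write the keepalived health-check script.
# The heredoc delimiter is quoted ('EOF') so the body is copied literally.
# With an unquoted delimiter the invoking shell expands "$*" while the file is
# being written, and the installed errorExit() prints an empty message.
cat > /etc/keepalived/check_apiserver.sh <<'EOF'
#!/bin/sh
# keepalived vrrp_script: exit 0 while kube-apiserver answers on 6443,
# non-zero otherwise.

# Print the failure reason on stderr and report failure to keepalived.
errorExit() {
    echo "*** $*" 1>&2
    exit 1
}

# --insecure turns off certificate verification, so these requests only show
# that something completes a TLS handshake and answers on 6443; they do not
# authenticate the server. To verify it, replace --insecure with
# --cacert <CLUSTER_CA_FILE> (the certificate must then list localhost and
# the VIP as subject alternative names).
curl --silent --max-time 2 --insecure https://localhost:6443/ -o /dev/null || errorExit "Error GET https://localhost:6443/"
# Probe through the VIP only on the node that currently holds it.
# -F treats the dots literally and -w stops the address from matching inside
# a longer one (for example 10.0.3.2301 or 110.0.3.230).
if ip addr | grep -qwF 10.0.3.230; then
    curl --silent --max-time 2 --insecure https://10.0.3.230:6443/ -o /dev/null || errorExit "Error GET https://10.0.3.230:6443/"
fi
EOF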

 

# 配置SELinux权限 [k8s-m1,  k8s-m2, k8s-m3  执行]

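# keepalived executes this script on every check interval, so give it a fixed
# mode that is executable but writable by its owner only.
chmod 0755 /etc/keepalived/check_apiserver.sh
# Record the bin_t label in the local file-context database and apply it with
# restorecon. A label set only with chcon is lost on the next restorecon or
# filesystem relabel, after which the check would be denied again.
# semanage comes from policycoreutils-python, installed at the top of this page.
semanage fcontext -a -t bin_t '/etc/keepalived/check_apiserver\.sh' \
  || semanage fcontext -m -t bin_t '/etc/keepalived/check_apiserver\.sh'
restorecon -v /etc/keepalived/check_apiserver.sh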

 

# 配置 keepalived MASTER [k8s-m1 执行]

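# keepalived configuration for the MASTER node (k8s-m1).
#
# check_apiserver runs every 3 s; after 10 consecutive failures (fall 10) the
# node's priority drops by 2 (weight -2), i.e. 101 -> 99, which is below the
# BACKUP nodes' 100, so the VIP 10.0.3.230 moves to a backup.
#
# auth_pass notes:
#   - The value below is published in this article. Generate your own and use
#     the same value on all three nodes.
#   - keepalived uses only the first 8 characters of auth_pass.
#   - auth_type PASS travels in clear text inside VRRP advertisements, so it
#     guards against misconfigured neighbours, not against a host on the same
#     segment. Keep VRRP traffic on a trusted network.
#
# interface eth0 and 10.0.3.230/24 must match this host's NIC and the VIP used
# in check_apiserver.sh.
#
# The delimiter is quoted so the shell never expands anything in the body.
cat > /etc/keepalived/keepalived.conf <<'EOF'
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
}

vrrp_script check_apiserver {
script "/etc/keepalived/check_apiserver.sh"
interval 3
weight -2
fall 10
rise 2
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 101
    authentication {
        auth_type PASS
        auth_pass 4be37dc3b4c90194d1600c483e10ad1d
    }
    virtual_ipaddress {
        10.0.3.230/24
    }
    track_script {
        check_apiserver
    }
}
EOF
# The file holds the VRRP shared secret. A file written with `cat >` gets its
# mode from the umask (usually world-readable), so restrict it to root.
chmod 0600 /etc/keepalived/keepalived.conf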

 

# 配置 keepalived BACKUP [k8s-m2, k8s-m3  执行]

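# keepalived configuration for the BACKUP nodes (k8s-m2, k8s-m3).
#
# It matches the MASTER configuration except for `state BACKUP` and
# `priority 100`. A backup takes over the VIP 10.0.3.230 once the master's
# effective priority falls below 100 or its advertisements stop.
#
# auth_pass notes:
#   - The value below is published in this article. Generate your own and use
#     the same value on all three nodes.
#   - keepalived uses only the first 8 characters of auth_pass.
#   - auth_type PASS travels in clear text inside VRRP advertisements, so it
#     guards against misconfigured neighbours, not against a host on the same
#     segment. Keep VRRP traffic on a trusted network.
#
# interface eth0 and 10.0.3.230/24 must match this host's NIC and the VIP used
# in check_apiserver.sh.
#
# The delimiter is quoted so the shell never expands anything in the body.
cat > /etc/keepalived/keepalived.conf <<'EOF'
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
}

vrrp_script check_apiserver {
script "/etc/keepalived/check_apiserver.sh"
interval 3
weight -2
fall 10
rise 2
}

vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    virtual_router_id 51
    priority 100
    authentication {
        auth_type PASS
        auth_pass 4be37dc3b4c90194d1600c483e10ad1d
    }
    virtual_ipaddress {
        10.0.3.230/24
    }
    track_script {
        check_apiserver
    }
}
EOF
# The file holds the VRRP shared secret. A file written with `cat >` gets its
# mode from the umask (usually world-readable), so restrict it to root.
chmod 0600 /etc/keepalived/keepalived.conf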

 

# 启动 keepalived [k8s-m1, k8s-m2, k8s-m3  执行]

# Register keepalived for boot, start it now, then print its state so a
# failed start (for example an SELinux denial) is visible immediately.
for action in enable start status; do
  systemctl "$action" keepalived
done

 

# 设置SELinux权限 [k8s-m1, k8s-m2, k8s-m3  执行]

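# Build a local SELinux policy module from the AVC denials logged since the
# last policy load (-l). audit2allow only reads the audit log, so the host does
# not need to be switched to permissive mode while the module is generated.
audit2allow -M keepalived_rw_centos74 -l -i /var/log/audit/audit.log
# The generated module allows every denial found in that window, not only the
# ones caused by keepalived. Print the rules and read them before the module
# is loaded; drop anything unrelated to the health check and rebuild if needed.
cat keepalived_rw_centos74.te
# Make sure the host is in enforcing mode before the module is loaded.
setenforce 1
semodule -i keepalived_rw_centos74.pp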

 

 

 

 

本文地址:https://www.easylinux.cn/archives/648
版权声明:本文为原创文章,版权归 Jeff Tang 所有,欢迎分享本文,转载请保留出处!
