Configure haproxy
mkdir -p /etc/haproxy
vi /etc/haproxy/haproxy.cfg
########## Kube-API LB #####################
# TCP pass-through to the kube-apiserver on each control-plane node, health-checked every 10s
listen kube-api-lb
    bind 0.0.0.0:6443
    mode tcp
    balance roundrobin
    server k8s-master-01 192.168.205.122:6443 weight 1 maxconn 10000 check inter 10s
    server k8s-master-02 192.168.205.123:6443 weight 1 maxconn 10000 check inter 10s
    server k8s-master-03 192.168.205.124:6443 weight 1 maxconn 10000 check inter 10s
########## stats ############################
# Statistics page served at /stats on port 8099; no "stats auth" is configured here
listen admin_stats
    bind 0.0.0.0:8099
    mode http
    option httplog
    maxconn 10
    stats refresh 30s
    stats uri /stats
Deploy
docker run -d --name haproxy \
-p 80:80 \
-p 443:443 \
-p 6443:6443 \
-p 2222:2222 \
-p 9090:9090 \
--restart=always \
-v /etc/haproxy:/usr/local/etc/haproxy \
haproxy:2.1.2
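
A small check, added here as an example (not part of the original notes), that compares the bind ports in the haproxy.cfg above with the -p mappings of the docker run command and flags a stats page bound to all interfaces without stats auth. The names parse_sections and audit are hypothetical, the inputs are constructed from the values on this page, and only single-port addr:port bind lines are handled.

```python
import re

# Constructed input: the listeners and port mappings shown on this page.
HAPROXY_CFG = """\
listen kube-api-lb
    bind 0.0.0.0:6443
listen admin_stats
    bind 0.0.0.0:8099
    stats uri /stats
"""
DOCKER_RUN = ("docker run -d --name haproxy -p 80:80 -p 443:443 -p 6443:6443 "
              "-p 2222:2222 -p 9090:9090 haproxy:2.1.2")
WILDCARDS = {"", "*", "0.0.0.0", "::"}  # bind addresses meaning "all interfaces"

def parse_sections(cfg):
    """Map each proxy section name to its directives (lists of words)."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not words:
            continue
        if words[0] in ("global", "defaults", "listen", "frontend", "backend"):
            current = words[1] if len(words) > 1 else words[0]
            sections[current] = []
        elif current is not None:
            sections[current].append(words)
    return sections

def audit(cfg, docker_cmd):
    """Return sorted (finding, section, port) tuples for the two inputs."""
    # -p [hostIP:]hostPort:containerPort -> keep the container port
    published = {int(p) for p in
                 re.findall(r"-p\s+(?:[\d.]+:)?\d+:(\d+)", docker_cmd)}
    findings, bound = [], set()
    for name, directives in parse_sections(cfg).items():
        has_stats = any(d[:2] == ["stats", "uri"] for d in directives)
        has_auth = any(d[:2] == ["stats", "auth"] for d in directives)
        for d in (d for d in directives if d[0] == "bind" and len(d) > 1):
            addr, _, port = d[1].rpartition(":")
            bound.add(int(port))
            if int(port) not in published:
                findings.append(("not-published", name, int(port)))
            if has_stats and not has_auth and addr in WILDCARDS:
                findings.append(("open-stats", name, int(port)))
    findings += [("no-listener", "-", p) for p in published - bound]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(HAPROXY_CFG, DOCKER_RUN):
        print(*finding)
```

For these inputs it reports that 8099 is not published by the container, that the stats page has no stats auth, and that 80, 443, 2222 and 9090 are published with no matching listener in the configuration shown.
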
Install K8S
See https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/high-availability/
The token in the control-plane join command has expired; fix:
1. Run kubeadm token create --print-join-command to regenerate the basic join command
2. Run kubeadm init phase upload-certs --upload-certs to regenerate the certificate-key
Fix for "x509: certificate has expired or is not yet valid":
ntpdate cn.pool.ntp.org # sync the system time
Install the Dashboard Web UI
See https://kubernetes.io/zh/docs/tasks/access-application-cluster/web-ui-dashboard/
Note: type: NodePort needs to be added under the Service section
The default user does not have sufficient access permissions; fix:
Create admin-user.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # cluster-admin grants unrestricted access to every resource in the cluster
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
$ kubectl create -f admin-user.yaml
Get the token
$ kubectl describe secret admin-user --namespace=kube-system