richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5007 Commits
29 Branches
81 Tags
147 MiB
Tree: 724a316204
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '724a316204'
${ noResults }
kubespray/docs/nodes.md

131 lines
4.2 KiB
Raw Normal View History

Add document about adding/replacing a node (#5570) * Add document about adding/replacing a node * Update nodes.md Amend for comments
4 years ago
Gather just the necessary facts (#5955) * Gather just the necessary facts * Move fact gathering to separate playbook.
4 years ago
Add document about adding/replacing a node (#5570) * Add document about adding/replacing a node * Update nodes.md Amend for comments
4 years ago
  1. # Adding/replacing a node
  3. Modified from [comments in #3471](https://github.com/kubernetes-sigs/kubespray/issues/3471#issuecomment-530036084)
  5. ## Adding/replacing a worker node
  7. This should be the easiest.
  9. ### 1) Add new node to the inventory
  11. ### 2) Run `scale.yml`
  13. You can use `--limit=node1` to limit Kubespray to avoid disturbing other nodes in the cluster.
  15. Before using `--limit` run playbook `facts.yml` without the limit to refresh facts cache for all nodes.
  17. ### 3) Drain the node that will be removed
  19. ```sh
  20. kubectl drain NODE_NAME
  21. ```
  23. ### 4) Run the remove-node.yml playbook
  25. With the old node still in the inventory, run `remove-node.yml`. You need to pass `-e node=NODE_NAME` to the playbook to limit the execution to the node being removed.
  27. ### 5) Remove the node from the inventory
  29. That's it.
  31. ## Adding/replacing a master node
  33. ### 1) Recreate apiserver certs manually to include the new master node in the cert SAN field
  35. For some reason, Kubespray will not update the apiserver certificate.
  37. Edit `/etc/kubernetes/kubeadm-config.yaml`, include new host in `certSANs` list.
  39. Use kubeadm to recreate the certs.
  41. ```sh
  42. cd /etc/kubernetes/ssl
  43. mv apiserver.crt apiserver.crt.old
  44. mv apiserver.key apiserver.key.old
  46. cd /etc/kubernetes
  47. kubeadm init phase certs apiserver --config kubeadm-config.yaml
  48. ```
  50. Check the certificate, new host needs to be there.
  52. ```sh
  53. openssl x509 -text -noout -in /etc/kubernetes/ssl/apiserver.crt
  54. ```
  56. ### 2) Run `cluster.yml`
  58. Add the new host to the inventory and run cluster.yml.
  60. ### 3) Restart kube-system/nginx-proxy
  62. In all hosts, restart nginx-proxy pod. This pod is a local proxy for the apiserver. Kubespray will update its static config, but it needs to be restarted in order to reload.
  64. ```sh
  65. # run in every host
  66. docker ps | grep k8s_nginx-proxy_nginx-proxy | awk '{print $1}' | xargs docker restart
  67. ```
  69. ### 4) Remove old master nodes
  71. If you are replacing a node, remove the old one from the inventory, and remove from the cluster runtime.
  73. ```sh
  74. kubectl drain NODE_NAME
  75. kubectl delete node NODE_NAME
  76. ```
  78. After that, the old node can be safely shutdown. Also, make sure to restart nginx-proxy in all remaining nodes (step 3)
  80. From any active master that remains in the cluster, re-upload `kubeadm-config.yaml`
  82. ```sh
  83. kubeadm config upload from-file --config /etc/kubernetes/kubeadm-config.yaml
  84. ```
  86. ## Adding/Replacing an etcd node
  88. You need to make sure there are always an odd number of etcd nodes in the cluster. In such a way, this is always a replace or scale up operation. Either add two new nodes or remove an old one.
  90. ### 1) Add the new node running cluster.yml
  92. Update the inventory and run `cluster.yml` passing `--limit=etcd,kube-master -e ignore_assert_errors=yes`.
  94. Run `upgrade-cluster.yml` also passing `--limit=etcd,kube-master -e ignore_assert_errors=yes`. This is necessary to update all etcd configuration in the cluster.
  96. At this point, you will have an even number of nodes. Everything should still be working, and you should only have problems if the cluster decides to elect a new etcd leader before you remove a node. Even so, running applications should continue to be available.
  98. ### 2) Remove an old etcd node
  100. With the node still in the inventory, run `remove-node.yml` passing `-e node=NODE_NAME` as the name of the node that should be removed.
  102. ### 3) Make sure the remaining etcd members have their config updated
  104. In each etcd host that remains in the cluster:
  106. ```sh
  107. cat /etc/etcd.env | grep ETCD_INITIAL_CLUSTER
  108. ```
  110. Only active etcd members should be in that list.
  112. ### 4) Remove old etcd members from the cluster runtime
  114. Acquire a shell prompt into one of the etcd containers and use etcdctl to remove the old member.
  116. ```sh
  117. # list all members
  118. etcdctl member list
  120. # remove old member
  121. etcdctl member remove MEMBER_ID
  122. # careful!!! if you remove a wrong member you will be in trouble
  124. # note: these command lines are actually much bigger, since you need to pass all certificates to etcdctl.
  125. ```
  127. ### 5) Make sure the apiserver config is correctly updated
  129. In every master node, edit `/etc/kubernetes/manifests/kube-apiserver.yaml`. Make sure only active etcd nodes are still present in the apiserver command line parameter `--etcd-servers=...`.
  131. ### 6) Shutdown the old instance