richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2369 Commits
29 Branches
80 Tags
156 MiB
Tree: b135bcb9d9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b135bcb9d9'
${ noResults }
kubespray/docs/ha-mode.md

113 lines
4.9 KiB
Raw Normal View History

Add ha docs Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
fix some typos in HA doc
7 years ago
Fix misleading HA docs Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Add ha docs Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Align LB defaults with the HA docs Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Add ha docs Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
rename almost all mentions of kargo
7 years ago
use nginx proxy on non-master nodes to proxy apiserver traffic Also adds all masters by hostname and localhost/127.0.0.1 to apiserver SSL certificate. Includes documentation update on how localhost loadbalancer works.
8 years ago
Add doc updates.
7 years ago
Defaults for apiserver_loadbalancer_domain_name (#1993) * Defaults for apiserver_loadbalancer_domain_name When loadbalancer_apiserver is defined, use the apiserver_loadbalancer_domain_name with a given default value. Fix unconsistencies for checking if apiserver_loadbalancer_domain_name is defined AND using it with a default value provided at once. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Define defaults for LB modes in common defaults Adjust the defaults for apiserver_loadbalancer_domain_name and loadbalancer_apiserver_localhost to come from a single source, which is kubespray-defaults. Removes some confusion and simplefies the code. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
6 years ago
fix some typos in HA doc
7 years ago
Defaults for apiserver_loadbalancer_domain_name (#1993) * Defaults for apiserver_loadbalancer_domain_name When loadbalancer_apiserver is defined, use the apiserver_loadbalancer_domain_name with a given default value. Fix unconsistencies for checking if apiserver_loadbalancer_domain_name is defined AND using it with a default value provided at once. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Define defaults for LB modes in common defaults Adjust the defaults for apiserver_loadbalancer_domain_name and loadbalancer_apiserver_localhost to come from a single source, which is kubespray-defaults. Removes some confusion and simplefies the code. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
6 years ago
Add doc updates.
7 years ago
Defaults for apiserver_loadbalancer_domain_name (#1993) * Defaults for apiserver_loadbalancer_domain_name When loadbalancer_apiserver is defined, use the apiserver_loadbalancer_domain_name with a given default value. Fix unconsistencies for checking if apiserver_loadbalancer_domain_name is defined AND using it with a default value provided at once. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Define defaults for LB modes in common defaults Adjust the defaults for apiserver_loadbalancer_domain_name and loadbalancer_apiserver_localhost to come from a single source, which is kubespray-defaults. Removes some confusion and simplefies the code. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
6 years ago
use nginx proxy on non-master nodes to proxy apiserver traffic Also adds all masters by hostname and localhost/127.0.0.1 to apiserver SSL certificate. Includes documentation update on how localhost loadbalancer works.
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Update ha docs Fix mismatch in code and docs, see https://github.com/kubespray/kargo/pull/528 Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
use nginx proxy on non-master nodes to proxy apiserver traffic Also adds all masters by hostname and localhost/127.0.0.1 to apiserver SSL certificate. Includes documentation update on how localhost loadbalancer works.
8 years ago
Update ha docs Fix mismatch in code and docs, see https://github.com/kubespray/kargo/pull/528 Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
use nginx proxy on non-master nodes to proxy apiserver traffic Also adds all masters by hostname and localhost/127.0.0.1 to apiserver SSL certificate. Includes documentation update on how localhost loadbalancer works.
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Remove etcd-proxy from all nodes and use etcd multiaccess
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Change kube-api default port from 443 to 6443 Operator can specify any port for kube-api (6443 default) This helps in case where some pods such as Ingress require 443 exclusively. Closes: 820 Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
7 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Defaults for apiserver_loadbalancer_domain_name (#1993) * Defaults for apiserver_loadbalancer_domain_name When loadbalancer_apiserver is defined, use the apiserver_loadbalancer_domain_name with a given default value. Fix unconsistencies for checking if apiserver_loadbalancer_domain_name is defined AND using it with a default value provided at once. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Define defaults for LB modes in common defaults Adjust the defaults for apiserver_loadbalancer_domain_name and loadbalancer_apiserver_localhost to come from a single source, which is kubespray-defaults. Removes some confusion and simplefies the code. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
6 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Allow setting --bind-address for apiserver hyperkube (#1985) * Allow setting --bind-address for apiserver hyperkube This is required if you wish to configure a loadbalancer (e.g haproxy) running on the master nodes without choosing a different port for the vip from that used by the API - in this case you need the API to bind to a specific interface, then haproxy can bind the same port on the VIP: root@overcloud-controller-0 ~]# netstat -taupen | grep 6443 tcp 0 0 192.168.24.6:6443 0.0.0.0:* LISTEN 0 680613 134504/haproxy tcp 0 0 192.168.24.16:6443 0.0.0.0:* LISTEN 0 653329 131423/hyperkube tcp 0 0 192.168.24.16:6443 192.168.24.16:58404 ESTABLISHED 0 652991 131423/hyperkube tcp 0 0 192.168.24.16:58404 192.168.24.16:6443 ESTABLISHED 0 652986 131423/hyperkube This can be achieved e.g via: kube_apiserver_bind_address: 192.168.24.16 * Address code review feedback * Update kube-apiserver.manifest.j2
6 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Update ha docs Fix mismatch in code and docs, see https://github.com/kubespray/kargo/pull/528 Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Update ha docs Fix mismatch in code and docs, see https://github.com/kubespray/kargo/pull/528 Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Align LB defaults with the HA docs Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Update ha docs Fix mismatch in code and docs, see https://github.com/kubespray/kargo/pull/528 Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Align LB defaults with the HA docs Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add doc updates.
7 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add doc updates.
7 years ago
  1. HA endpoints for K8s
  2. ====================
  4. The following components require a highly available endpoints:
  5. * etcd cluster,
  6. * kube-apiserver service instances.
  8. The latter relies on a 3rd side reverse proxies, like Nginx or HAProxy, to
  9. achieve the same goal.
  11. Etcd
  12. ----
  14. The `etcd_access_endpoint` fact provides an access pattern for clients. And the
  15. `etcd_multiaccess` (defaults to `True`) group var controls that behavior.
  16. It makes deployed components to access the etcd cluster members
  17. directly: `http://ip1:2379, http://ip2:2379,...`. This mode assumes the clients
  18. do a loadbalancing and handle HA for connections.
  21. Kube-apiserver
  22. --------------
  24. K8s components require a loadbalancer to access the apiservers via a reverse
  25. proxy. Kubespray includes support for an nginx-based proxy that resides on each
  26. non-master Kubernetes node. This is referred to as localhost loadbalancing. It
  27. is less efficient than a dedicated load balancer because it creates extra
  28. health checks on the Kubernetes apiserver, but is more practical for scenarios
  29. where an external LB or virtual IP management is inconvenient. This option is
  30. configured by the variable `loadbalancer_apiserver_localhost` (defaults to
  31. `True`. Or `False`, if there is an external `loadbalancer_apiserver` defined).
  32. You may also define the port the local internal loadbalancer uses by changing,
  33. `nginx_kube_apiserver_port`. This defaults to the value of
  34. `kube_apiserver_port`. It is also important to note that Kubespray will only
  35. configure kubelet and kube-proxy on non-master nodes to use the local internal
  36. loadbalancer.
  38. If you choose to NOT use the local internal loadbalancer, you will need to
  39. configure your own loadbalancer to achieve HA. Note that deploying a
  40. loadbalancer is up to a user and is not covered by ansible roles in Kubespray.
  41. By default, it only configures a non-HA endpoint, which points to the
  42. `access_ip` or IP address of the first server node in the `kube-master` group.
  43. It can also configure clients to use endpoints for a given loadbalancer type.
  44. The following diagram shows how traffic to the apiserver is directed.
  46. ![Image](figures/loadbalancer_localhost.png?raw=true)
  48. Note: Kubernetes master nodes still use insecure localhost access because
  49. there are bugs in Kubernetes <1.5.0 in using TLS auth on master role
  50. services. This makes backends receiving unencrypted traffic and may be a
  51. security issue when interconnecting different nodes, or maybe not, if those
  52. belong to the isolated management network without external access.
  54. A user may opt to use an external loadbalancer (LB) instead. An external LB
  55. provides access for external clients, while the internal LB accepts client
  56. connections only to the localhost.
  57. Given a frontend `VIP` address and `IP1, IP2` addresses of backends, here is
  58. an example configuration for a HAProxy service acting as an external LB:
  59. ```
  60. listen kubernetes-apiserver-https
  61. bind <VIP>:8383
  62. option ssl-hello-chk
  63. mode tcp
  64. timeout client 3h
  65. timeout server 3h
  66. server master1 <IP1>:6443
  67. server master2 <IP2>:6443
  68. balance roundrobin
  69. ```
  71. And the corresponding example global vars config:
  72. ```
  73. apiserver_loadbalancer_domain_name: "my-apiserver-lb.example.com"
  74. loadbalancer_apiserver:
  75. address: <VIP>
  76. port: 8383
  77. ```
  79. Note: The default kubernetes apiserver configuration binds to all interfaces,
  80. so you will need to use a different port for the vip from that the API is
  81. listening on, or set the kube_apiserver_bind_address so that the API only
  82. listens on a specific interface (to avoid conflict with haproxy binding the
  83. port on the VIP adddress)
  85. This domain name, or default "lb-apiserver.kubernetes.local", will be inserted
  86. into the `/etc/hosts` file of all servers in the `k8s-cluster` group. Note that
  87. the HAProxy service should as well be HA and requires a VIP management, which
  88. is out of scope of this doc. Specifying an external LB overrides any internal
  89. localhost LB configuration.
  91. Note: In order to achieve HA for HAProxy instances, those must be running on
  92. the each node in the `k8s-cluster` group as well, but require no VIP, thus
  93. no VIP management.
  95. Access endpoints are evaluated automagically, as the following:
  97. | Endpoint type | kube-master | non-master |
  98. |------------------------------|---------------|---------------------|
  99. | Local LB (default) | http://lc:p | https://lc:nsp |
  100. | External LB, no internal | https://lb:lp | https://lb:lp |
  101. | No ext/int LB | http://lc:p | https://m[0].aip:sp |
  103. Where:
  104. * `m[0]` - the first node in the `kube-master` group;
  105. * `lb` - LB FQDN, `apiserver_loadbalancer_domain_name`;
  106. * `lc` - localhost;
  107. * `p` - insecure port, `kube_apiserver_insecure_port`
  108. * `nsp` - nginx secure port, `nginx_kube_apiserver_port`;
  109. * `sp` - secure port, `kube_apiserver_port`;
  110. * `lp` - LB port, `loadbalancer_apiserver.port`, defers to the secure port;
  111. * `ip` - the node IP, defers to the ansible IP;
  112. * `aip` - `access_ip`, defers to the ip.