richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5821 Commits
29 Branches
81 Tags
146 MiB
Tree: b3d9f2b4a2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b3d9f2b4a2'
${ noResults }
kubespray/docs/ha-mode.md

168 lines
7.2 KiB
Raw Normal View History

Add markdown CI (#5380)
4 years ago
Add ha docs Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add markdown CI (#5380)
4 years ago
Add ha docs Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Fix some typos Signed-off-by: Rui Cao <ruicao@alauda.io>
6 years ago
Add ha docs Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add markdown CI (#5380)
4 years ago
Update ha-mode.md (#3696) * Update ha-mode.md
6 years ago
Add ha docs Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add markdown CI (#5380)
4 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
rename almost all mentions of kargo
7 years ago
use nginx proxy on non-master nodes to proxy apiserver traffic Also adds all masters by hostname and localhost/127.0.0.1 to apiserver SSL certificate. Includes documentation update on how localhost loadbalancer works.
8 years ago
Add doc updates.
7 years ago
Defaults for apiserver_loadbalancer_domain_name (#1993) * Defaults for apiserver_loadbalancer_domain_name When loadbalancer_apiserver is defined, use the apiserver_loadbalancer_domain_name with a given default value. Fix unconsistencies for checking if apiserver_loadbalancer_domain_name is defined AND using it with a default value provided at once. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Define defaults for LB modes in common defaults Adjust the defaults for apiserver_loadbalancer_domain_name and loadbalancer_apiserver_localhost to come from a single source, which is kubespray-defaults. Removes some confusion and simplefies the code. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
fix some typos in HA doc
7 years ago
Add HAProxy as internal loadbalancer (#4480)
5 years ago
Defaults for apiserver_loadbalancer_domain_name (#1993) * Defaults for apiserver_loadbalancer_domain_name When loadbalancer_apiserver is defined, use the apiserver_loadbalancer_domain_name with a given default value. Fix unconsistencies for checking if apiserver_loadbalancer_domain_name is defined AND using it with a default value provided at once. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Define defaults for LB modes in common defaults Adjust the defaults for apiserver_loadbalancer_domain_name and loadbalancer_apiserver_localhost to come from a single source, which is kubespray-defaults. Removes some confusion and simplefies the code. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Add doc updates.
7 years ago
Defaults for apiserver_loadbalancer_domain_name (#1993) * Defaults for apiserver_loadbalancer_domain_name When loadbalancer_apiserver is defined, use the apiserver_loadbalancer_domain_name with a given default value. Fix unconsistencies for checking if apiserver_loadbalancer_domain_name is defined AND using it with a default value provided at once. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Define defaults for LB modes in common defaults Adjust the defaults for apiserver_loadbalancer_domain_name and loadbalancer_apiserver_localhost to come from a single source, which is kubespray-defaults. Removes some confusion and simplefies the code. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Replace kube-master with kube_control_plane (#7256) This replaces kube-master with kube_control_plane because of [1]: The Kubernetes project is moving away from wording that is considered offensive. A new working group WG Naming was created to track this work, and the word "master" was declared as offensive. A proposal was formalized for replacing the word "master" with "control plane". This means it should be removed from source code, documentation, and user-facing configuration from Kubernetes and its sub-projects. NOTE: The reason why this changes it to kube_control_plane not kube-control-plane is for valid group names on ansible. [1]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint/README.md#motivation
3 years ago
Defaults for apiserver_loadbalancer_domain_name (#1993) * Defaults for apiserver_loadbalancer_domain_name When loadbalancer_apiserver is defined, use the apiserver_loadbalancer_domain_name with a given default value. Fix unconsistencies for checking if apiserver_loadbalancer_domain_name is defined AND using it with a default value provided at once. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Define defaults for LB modes in common defaults Adjust the defaults for apiserver_loadbalancer_domain_name and loadbalancer_apiserver_localhost to come from a single source, which is kubespray-defaults. Removes some confusion and simplefies the code. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
use nginx proxy on non-master nodes to proxy apiserver traffic Also adds all masters by hostname and localhost/127.0.0.1 to apiserver SSL certificate. Includes documentation update on how localhost loadbalancer works.
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Update ha docs Fix mismatch in code and docs, see https://github.com/kubespray/kargo/pull/528 Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
use nginx proxy on non-master nodes to proxy apiserver traffic Also adds all masters by hostname and localhost/127.0.0.1 to apiserver SSL certificate. Includes documentation update on how localhost loadbalancer works.
8 years ago
Update ha docs Fix mismatch in code and docs, see https://github.com/kubespray/kargo/pull/528 Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
use nginx proxy on non-master nodes to proxy apiserver traffic Also adds all masters by hostname and localhost/127.0.0.1 to apiserver SSL certificate. Includes documentation update on how localhost loadbalancer works.
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Remove etcd-proxy from all nodes and use etcd multiaccess
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add markdown CI (#5380)
4 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Enhance ha document (#5664) * Fix HAproxy config to avoid client offered only unsupported versions error * Add HAproxy SSL check interval * Fix ha mode document markdown
4 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Enhance ha document (#5664) * Fix HAproxy config to avoid client offered only unsupported versions error * Add HAproxy SSL check interval * Fix ha mode document markdown
4 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Fix HA docs API access endpoints explained (#2126) * Fix HA docs API access endpoints explained Follow-up commit 81347298a3ef7932cbeb55e877644ca22d1625f1 and fix the endpoint value provided in HA docs. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Clarify internal LB with external LB use case * Clarify how to use both internal and external, non-cluster aware and not managed with Kubespray, LB solutions. * Clarify the requirements, like TLS/SSL termination, for such an external LB. Unlike to the 'cluster-aware' external LB config, endpoints' security must be managed by that non-cluster aware external LB. * Note that masters always contact their local apiservers via https://bip:sp. It's highly unlikely to go down and it reduces latency that might be introduced when going host->lb->host. Only computes go that path. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Add a note for supplementary_addresses_in_ssl_keys Explain how to benefit from supplementary_addresses_in_ssl_keys Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
6 years ago
Add markdown CI (#5380)
4 years ago
Defaults for apiserver_loadbalancer_domain_name (#1993) * Defaults for apiserver_loadbalancer_domain_name When loadbalancer_apiserver is defined, use the apiserver_loadbalancer_domain_name with a given default value. Fix unconsistencies for checking if apiserver_loadbalancer_domain_name is defined AND using it with a default value provided at once. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Define defaults for LB modes in common defaults Adjust the defaults for apiserver_loadbalancer_domain_name and loadbalancer_apiserver_localhost to come from a single source, which is kubespray-defaults. Removes some confusion and simplefies the code. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
7 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Allow setting --bind-address for apiserver hyperkube (#1985) * Allow setting --bind-address for apiserver hyperkube This is required if you wish to configure a loadbalancer (e.g haproxy) running on the master nodes without choosing a different port for the vip from that used by the API - in this case you need the API to bind to a specific interface, then haproxy can bind the same port on the VIP: root@overcloud-controller-0 ~]# netstat -taupen | grep 6443 tcp 0 0 192.168.24.6:6443 0.0.0.0:* LISTEN 0 680613 134504/haproxy tcp 0 0 192.168.24.16:6443 0.0.0.0:* LISTEN 0 653329 131423/hyperkube tcp 0 0 192.168.24.16:6443 192.168.24.16:58404 ESTABLISHED 0 652991 131423/hyperkube tcp 0 0 192.168.24.16:58404 192.168.24.16:6443 ESTABLISHED 0 652986 131423/hyperkube This can be achieved e.g via: kube_apiserver_bind_address: 192.168.24.16 * Address code review feedback * Update kube-apiserver.manifest.j2
7 years ago
Fix HA docs API access endpoints explained (#2126) * Fix HA docs API access endpoints explained Follow-up commit 81347298a3ef7932cbeb55e877644ca22d1625f1 and fix the endpoint value provided in HA docs. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Clarify internal LB with external LB use case * Clarify how to use both internal and external, non-cluster aware and not managed with Kubespray, LB solutions. * Clarify the requirements, like TLS/SSL termination, for such an external LB. Unlike to the 'cluster-aware' external LB config, endpoints' security must be managed by that non-cluster aware external LB. * Note that masters always contact their local apiservers via https://bip:sp. It's highly unlikely to go down and it reduces latency that might be introduced when going host->lb->host. Only computes go that path. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Add a note for supplementary_addresses_in_ssl_keys Explain how to benefit from supplementary_addresses_in_ssl_keys Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
6 years ago
Allow setting --bind-address for apiserver hyperkube (#1985) * Allow setting --bind-address for apiserver hyperkube This is required if you wish to configure a loadbalancer (e.g haproxy) running on the master nodes without choosing a different port for the vip from that used by the API - in this case you need the API to bind to a specific interface, then haproxy can bind the same port on the VIP: root@overcloud-controller-0 ~]# netstat -taupen | grep 6443 tcp 0 0 192.168.24.6:6443 0.0.0.0:* LISTEN 0 680613 134504/haproxy tcp 0 0 192.168.24.16:6443 0.0.0.0:* LISTEN 0 653329 131423/hyperkube tcp 0 0 192.168.24.16:6443 192.168.24.16:58404 ESTABLISHED 0 652991 131423/hyperkube tcp 0 0 192.168.24.16:58404 192.168.24.16:6443 ESTABLISHED 0 652986 131423/hyperkube This can be achieved e.g via: kube_apiserver_bind_address: 192.168.24.16 * Address code review feedback * Update kube-apiserver.manifest.j2
7 years ago
Fix some typos Signed-off-by: Rui Cao <ruicao@alauda.io>
6 years ago
Allow setting --bind-address for apiserver hyperkube (#1985) * Allow setting --bind-address for apiserver hyperkube This is required if you wish to configure a loadbalancer (e.g haproxy) running on the master nodes without choosing a different port for the vip from that used by the API - in this case you need the API to bind to a specific interface, then haproxy can bind the same port on the VIP: root@overcloud-controller-0 ~]# netstat -taupen | grep 6443 tcp 0 0 192.168.24.6:6443 0.0.0.0:* LISTEN 0 680613 134504/haproxy tcp 0 0 192.168.24.16:6443 0.0.0.0:* LISTEN 0 653329 131423/hyperkube tcp 0 0 192.168.24.16:6443 192.168.24.16:58404 ESTABLISHED 0 652991 131423/hyperkube tcp 0 0 192.168.24.16:58404 192.168.24.16:6443 ESTABLISHED 0 652986 131423/hyperkube This can be achieved e.g via: kube_apiserver_bind_address: 192.168.24.16 * Address code review feedback * Update kube-apiserver.manifest.j2
7 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Rename ansible groups to use _ instead of - (#7552) * rename ansible groups to use _ instead of - k8s-cluster -> k8s_cluster k8s-node -> k8s_node calico-rr -> calico_rr no-floating -> no_floating Note: kube-node,k8s-cluster groups in upgrade CI need clean-up after v2.16 is tagged * ensure old groups are mapped to the new ones
3 years ago
Fix HA docs API access endpoints explained (#2126) * Fix HA docs API access endpoints explained Follow-up commit 81347298a3ef7932cbeb55e877644ca22d1625f1 and fix the endpoint value provided in HA docs. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Clarify internal LB with external LB use case * Clarify how to use both internal and external, non-cluster aware and not managed with Kubespray, LB solutions. * Clarify the requirements, like TLS/SSL termination, for such an external LB. Unlike to the 'cluster-aware' external LB config, endpoints' security must be managed by that non-cluster aware external LB. * Note that masters always contact their local apiservers via https://bip:sp. It's highly unlikely to go down and it reduces latency that might be introduced when going host->lb->host. Only computes go that path. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Add a note for supplementary_addresses_in_ssl_keys Explain how to benefit from supplementary_addresses_in_ssl_keys Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
6 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Fix HA docs API access endpoints explained (#2126) * Fix HA docs API access endpoints explained Follow-up commit 81347298a3ef7932cbeb55e877644ca22d1625f1 and fix the endpoint value provided in HA docs. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Clarify internal LB with external LB use case * Clarify how to use both internal and external, non-cluster aware and not managed with Kubespray, LB solutions. * Clarify the requirements, like TLS/SSL termination, for such an external LB. Unlike to the 'cluster-aware' external LB config, endpoints' security must be managed by that non-cluster aware external LB. * Note that masters always contact their local apiservers via https://bip:sp. It's highly unlikely to go down and it reduces latency that might be introduced when going host->lb->host. Only computes go that path. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Add a note for supplementary_addresses_in_ssl_keys Explain how to benefit from supplementary_addresses_in_ssl_keys Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
6 years ago
Fix some typos (#3690) Signed-off-by: mooncake <xcoder@tenxcloud.com>
6 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Fix HA docs API access endpoints explained (#2126) * Fix HA docs API access endpoints explained Follow-up commit 81347298a3ef7932cbeb55e877644ca22d1625f1 and fix the endpoint value provided in HA docs. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Clarify internal LB with external LB use case * Clarify how to use both internal and external, non-cluster aware and not managed with Kubespray, LB solutions. * Clarify the requirements, like TLS/SSL termination, for such an external LB. Unlike to the 'cluster-aware' external LB config, endpoints' security must be managed by that non-cluster aware external LB. * Note that masters always contact their local apiservers via https://bip:sp. It's highly unlikely to go down and it reduces latency that might be introduced when going host->lb->host. Only computes go that path. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Add a note for supplementary_addresses_in_ssl_keys Explain how to benefit from supplementary_addresses_in_ssl_keys Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
6 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Correct the wrong words
6 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Replace kube-master with kube_control_plane (#7256) This replaces kube-master with kube_control_plane because of [1]: The Kubernetes project is moving away from wording that is considered offensive. A new working group WG Naming was created to track this work, and the word "master" was declared as offensive. A proposal was formalized for replacing the word "master" with "control plane". This means it should be removed from source code, documentation, and user-facing configuration from Kubernetes and its sub-projects. NOTE: The reason why this changes it to kube_control_plane not kube-control-plane is for valid group names on ansible. [1]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint/README.md#motivation
3 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add markdown CI (#5380)
4 years ago
Replace kube-master with kube_control_plane (#7256) This replaces kube-master with kube_control_plane because of [1]: The Kubernetes project is moving away from wording that is considered offensive. A new working group WG Naming was created to track this work, and the word "master" was declared as offensive. A proposal was formalized for replacing the word "master" with "control plane". This means it should be removed from source code, documentation, and user-facing configuration from Kubernetes and its sub-projects. NOTE: The reason why this changes it to kube_control_plane not kube-control-plane is for valid group names on ansible. [1]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint/README.md#motivation
3 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Fix HA docs API access endpoints explained (#2126) * Fix HA docs API access endpoints explained Follow-up commit 81347298a3ef7932cbeb55e877644ca22d1625f1 and fix the endpoint value provided in HA docs. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Clarify internal LB with external LB use case * Clarify how to use both internal and external, non-cluster aware and not managed with Kubespray, LB solutions. * Clarify the requirements, like TLS/SSL termination, for such an external LB. Unlike to the 'cluster-aware' external LB config, endpoints' security must be managed by that non-cluster aware external LB. * Note that masters always contact their local apiservers via https://bip:sp. It's highly unlikely to go down and it reduces latency that might be introduced when going host->lb->host. Only computes go that path. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Add a note for supplementary_addresses_in_ssl_keys Explain how to benefit from supplementary_addresses_in_ssl_keys Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
6 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Fix HA docs API access endpoints explained (#2126) * Fix HA docs API access endpoints explained Follow-up commit 81347298a3ef7932cbeb55e877644ca22d1625f1 and fix the endpoint value provided in HA docs. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Clarify internal LB with external LB use case * Clarify how to use both internal and external, non-cluster aware and not managed with Kubespray, LB solutions. * Clarify the requirements, like TLS/SSL termination, for such an external LB. Unlike to the 'cluster-aware' external LB config, endpoints' security must be managed by that non-cluster aware external LB. * Note that masters always contact their local apiservers via https://bip:sp. It's highly unlikely to go down and it reduces latency that might be introduced when going host->lb->host. Only computes go that path. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Add a note for supplementary_addresses_in_ssl_keys Explain how to benefit from supplementary_addresses_in_ssl_keys Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
6 years ago
Add HAProxy as internal loadbalancer (#4480)
5 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add doc updates.
7 years ago
Fix HA docs API access endpoints explained (#2126) * Fix HA docs API access endpoints explained Follow-up commit 81347298a3ef7932cbeb55e877644ca22d1625f1 and fix the endpoint value provided in HA docs. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Clarify internal LB with external LB use case * Clarify how to use both internal and external, non-cluster aware and not managed with Kubespray, LB solutions. * Clarify the requirements, like TLS/SSL termination, for such an external LB. Unlike to the 'cluster-aware' external LB config, endpoints' security must be managed by that non-cluster aware external LB. * Note that masters always contact their local apiservers via https://bip:sp. It's highly unlikely to go down and it reduces latency that might be introduced when going host->lb->host. Only computes go that path. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Add a note for supplementary_addresses_in_ssl_keys Explain how to benefit from supplementary_addresses_in_ssl_keys Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
6 years ago
Fix auto-evaluated API access endpoint for bind IP (#2086) Auto configure API access endpoint with a custom bind IP, if provided. Fix HA docs' http URLs are https in fact, clarify the insecure vs secure API access modes as well. Closes: #issues/2051 Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
6 years ago
Update ha-mode.md (#3696) * Update ha-mode.md
6 years ago
Add markdown CI (#5380)
4 years ago
Update ha-mode.md (#3696) * Update ha-mode.md
6 years ago
Add markdown CI (#5380)
4 years ago
Update ha-mode.md (#3696) * Update ha-mode.md
6 years ago
Add markdown CI (#5380)
4 years ago
Update ha-mode.md (#3696) * Update ha-mode.md
6 years ago
Add markdown CI (#5380)
4 years ago
Update ha-mode.md (#3696) * Update ha-mode.md
6 years ago
  1. # HA endpoints for K8s
  3. The following components require a highly available endpoints:
  5. * etcd cluster,
  6. * kube-apiserver service instances.
  8. The latter relies on a 3rd side reverse proxy, like Nginx or HAProxy, to
  9. achieve the same goal.
  11. ## Etcd
  13. The etcd clients (kube-api-masters) are configured with the list of all etcd peers. If the etcd-cluster has multiple instances, it's configured in HA already.
  15. ## Kube-apiserver
  17. K8s components require a loadbalancer to access the apiservers via a reverse
  18. proxy. Kubespray includes support for an nginx-based proxy that resides on each
  19. non-master Kubernetes node. This is referred to as localhost loadbalancing. It
  20. is less efficient than a dedicated load balancer because it creates extra
  21. health checks on the Kubernetes apiserver, but is more practical for scenarios
  22. where an external LB or virtual IP management is inconvenient. This option is
  23. configured by the variable `loadbalancer_apiserver_localhost` (defaults to
  24. `True`. Or `False`, if there is an external `loadbalancer_apiserver` defined).
  25. You may also define the port the local internal loadbalancer uses by changing,
  26. `loadbalancer_apiserver_port`. This defaults to the value of
  27. `kube_apiserver_port`. It is also important to note that Kubespray will only
  28. configure kubelet and kube-proxy on non-master nodes to use the local internal
  29. loadbalancer.
  31. If you choose to NOT use the local internal loadbalancer, you will need to
  32. configure your own loadbalancer to achieve HA. Note that deploying a
  33. loadbalancer is up to a user and is not covered by ansible roles in Kubespray.
  34. By default, it only configures a non-HA endpoint, which points to the
  35. `access_ip` or IP address of the first server node in the `kube_control_plane` group.
  36. It can also configure clients to use endpoints for a given loadbalancer type.
  37. The following diagram shows how traffic to the apiserver is directed.
  39. ![Image](figures/loadbalancer_localhost.png?raw=true)
  41. Note: Kubernetes master nodes still use insecure localhost access because
  42. there are bugs in Kubernetes <1.5.0 in using TLS auth on master role
  43. services. This makes backends receiving unencrypted traffic and may be a
  44. security issue when interconnecting different nodes, or maybe not, if those
  45. belong to the isolated management network without external access.
  47. A user may opt to use an external loadbalancer (LB) instead. An external LB
  48. provides access for external clients, while the internal LB accepts client
  49. connections only to the localhost.
  50. Given a frontend `VIP` address and `IP1, IP2` addresses of backends, here is
  51. an example configuration for a HAProxy service acting as an external LB:
  53. ```raw
  54. listen kubernetes-apiserver-https
  55. bind <VIP>:8383
  56. mode tcp
  57. option log-health-checks
  58. timeout client 3h
  59. timeout server 3h
  60. server master1 <IP1>:6443 check check-ssl verify none inter 10000
  61. server master2 <IP2>:6443 check check-ssl verify none inter 10000
  62. balance roundrobin
  63. ```
  65. Note: That's an example config managed elsewhere outside of Kubespray.
  67. And the corresponding example global vars for such a "cluster-aware"
  68. external LB with the cluster API access modes configured in Kubespray:
  70. ```yml
  71. apiserver_loadbalancer_domain_name: "my-apiserver-lb.example.com"
  72. loadbalancer_apiserver:
  73. address: <VIP>
  74. port: 8383
  75. ```
  77. Note: The default kubernetes apiserver configuration binds to all interfaces,
  78. so you will need to use a different port for the vip from that the API is
  79. listening on, or set the `kube_apiserver_bind_address` so that the API only
  80. listens on a specific interface (to avoid conflict with haproxy binding the
  81. port on the VIP address)
  83. This domain name, or default "lb-apiserver.kubernetes.local", will be inserted
  84. into the `/etc/hosts` file of all servers in the `k8s_cluster` group and wired
  85. into the generated self-signed TLS/SSL certificates as well. Note that
  86. the HAProxy service should as well be HA and requires a VIP management, which
  87. is out of scope of this doc.
  89. There is a special case for an internal and an externally configured (not with
  90. Kubespray) LB used simultaneously. Keep in mind that the cluster is not aware
  91. of such an external LB and you need no to specify any configuration variables
  92. for it.
  94. Note: TLS/SSL termination for externally accessed API endpoints' will **not**
  95. be covered by Kubespray for that case. Make sure your external LB provides it.
  96. Alternatively you may specify an externally load balanced VIPs in the
  97. `supplementary_addresses_in_ssl_keys` list. Then, kubespray will add them into
  98. the generated cluster certificates as well.
  100. Aside of that specific case, the `loadbalancer_apiserver` considered mutually
  101. exclusive to `loadbalancer_apiserver_localhost`.
  103. Access API endpoints are evaluated automatically, as the following:
  105. | Endpoint type | kube_control_plane | non-master | external |
  106. |------------------------------|--------------------|-------------------------|-----------------------|
  107. | Local LB (default) | `https://bip:sp` | `https://lc:nsp` | `https://m[0].aip:sp` |
  108. | Local LB + Unmanaged here LB | `https://bip:sp` | `https://lc:nsp` | `https://ext` |
  109. | External LB, no internal | `https://bip:sp` | `<https://lb:lp>` | `https://lb:lp` |
  110. | No ext/int LB | `https://bip:sp` | `<https://m[0].aip:sp>` | `https://m[0].aip:sp` |
  112. Where:
  114. * `m[0]` - the first node in the `kube_control_plane` group;
  115. * `lb` - LB FQDN, `apiserver_loadbalancer_domain_name`;
  116. * `ext` - Externally load balanced VIP:port and FQDN, not managed by Kubespray;
  117. * `lc` - localhost;
  118. * `bip` - a custom bind IP or localhost for the default bind IP '0.0.0.0';
  119. * `nsp` - nginx secure port, `loadbalancer_apiserver_port`, defers to `sp`;
  120. * `sp` - secure port, `kube_apiserver_port`;
  121. * `lp` - LB port, `loadbalancer_apiserver.port`, defers to the secure port;
  122. * `ip` - the node IP, defers to the ansible IP;
  123. * `aip` - `access_ip`, defers to the ip.
  125. A second and a third column represent internal cluster access modes. The last
  126. column illustrates an example URI to access the cluster APIs externally.
  127. Kubespray has nothing to do with it, this is informational only.
  129. As you can see, the masters' internal API endpoints are always
  130. contacted via the local bind IP, which is `https://bip:sp`.
  132. **Note** that for some cases, like healthchecks of applications deployed by
  133. Kubespray, the masters' APIs are accessed via the insecure endpoint, which
  134. consists of the local `kube_apiserver_insecure_bind_address` and
  135. `kube_apiserver_insecure_port`.
  137. ## Optional configurations
  139. ### ETCD with a LB
  141. In order to use an external loadbalancing (L4/TCP or L7 w/ SSL Passthrough VIP), the following variables need to be overridden in group_vars
  143. * `etcd_access_addresses`
  144. * `etcd_client_url`
  145. * `etcd_cert_alt_names`
  146. * `etcd_cert_alt_ips`
  148. #### Example of a VIP w/ FQDN
  150. ```yaml
  151. etcd_access_addresses: https://etcd.example.com:2379
  152. etcd_client_url: https://etcd.example.com:2379
  153. etcd_cert_alt_names:
  154. - "etcd.kube-system.svc.{{ dns_domain }}"
  155. - "etcd.kube-system.svc"
  156. - "etcd.kube-system"
  157. - "etcd"
  158. - "etcd.example.com" # This one needs to be added to the default etcd_cert_alt_names
  159. ```
  161. #### Example of a VIP w/o FQDN (IP only)
  163. ```yaml
  164. etcd_access_addresses: https://2.3.7.9:2379
  165. etcd_client_url: https://2.3.7.9:2379
  166. etcd_cert_alt_ips:
  167. - "2.3.7.9"
  168. ```