richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1326 Commits
29 Branches
81 Tags
146 MiB
Tree: b4327fdc99
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b4327fdc99'
${ noResults }
kubespray/docs/ha-mode.md

112 lines
4.9 KiB
Raw Normal View History

Add ha docs Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
use nginx proxy on non-master nodes to proxy apiserver traffic Also adds all masters by hostname and localhost/127.0.0.1 to apiserver SSL certificate. Includes documentation update on how localhost loadbalancer works.
8 years ago
Add doc updates.
7 years ago
use nginx proxy on non-master nodes to proxy apiserver traffic Also adds all masters by hostname and localhost/127.0.0.1 to apiserver SSL certificate. Includes documentation update on how localhost loadbalancer works.
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Update ha docs Fix mismatch in code and docs, see https://github.com/kubespray/kargo/pull/528 Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
use nginx proxy on non-master nodes to proxy apiserver traffic Also adds all masters by hostname and localhost/127.0.0.1 to apiserver SSL certificate. Includes documentation update on how localhost loadbalancer works.
8 years ago
Update ha docs Fix mismatch in code and docs, see https://github.com/kubespray/kargo/pull/528 Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
use nginx proxy on non-master nodes to proxy apiserver traffic Also adds all masters by hostname and localhost/127.0.0.1 to apiserver SSL certificate. Includes documentation update on how localhost loadbalancer works.
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Remove etcd-proxy from all nodes and use etcd multiaccess
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Update ha docs Fix mismatch in code and docs, see https://github.com/kubespray/kargo/pull/528 Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Update ha docs Fix mismatch in code and docs, see https://github.com/kubespray/kargo/pull/528 Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add doc updates.
7 years ago
Update ha docs Fix mismatch in code and docs, see https://github.com/kubespray/kargo/pull/528 Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add doc updates.
7 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add doc updates.
7 years ago
  1. HA endpoints for K8s
  2. ====================
  4. The following components require a highly available endpoints:
  5. * etcd cluster,
  6. * kube-apiserver service instances.
  8. The latter relies on a 3rd side reverse proxies, like Nginx or HAProxy, to
  9. achieve the same goal.
  11. Etcd
  12. ----
  14. Etcd proxies are deployed on each node in the `k8s-cluster` group. A proxy is
  15. a separate etcd process. It has a `localhost:2379` frontend and all of the etcd
  16. cluster members as backends. Note that the `access_ip` is used as the backend
  17. IP, if specified. Frontend endpoints cannot be accessed externally as they are
  18. bound to a localhost only.
  20. The `etcd_access_endpoint` fact provides an access pattern for clients. And the
  21. `etcd_multiaccess` (defaults to `false`) group var controlls that behavior.
  22. When enabled, it makes deployed components to access the etcd cluster members
  23. directly: `http://ip1:2379, http://ip2:2379,...`. This mode assumes the clients
  24. do a loadbalancing and handle HA for connections. Note, a pod definition of a
  25. flannel networking plugin always uses a single `--etcd-server` endpoint!
  28. Kube-apiserver
  29. --------------
  31. K8s components require a loadbalancer to access the apiservers via a reverse
  32. proxy. Kargo includes support for an nginx-based proxy that resides on each
  33. non-master Kubernetes node. This is referred to as localhost loadbalancing. It
  34. is less efficient than a dedicated load balancer because it creates extra
  35. health checks on the Kubernetes apiserver, but is more practical for scenarios
  36. where an external LB or virtual IP management is inconvenient. This option is
  37. configured by the variable `loadbalancer_apiserver_localhost`. You may also
  38. define the port the local internal loadbalancer users by changing,
  39. `nginx_kube_apiserver_port`. This defaults to the value of `kube_apiserver_port`.
  40. It is also import to note that Kargo will only configure kubelet and kube-proxy
  41. on non-master nodes to use the local internal loadbalancer.
  43. If you choose to NOT use the local internal loadbalancer, you will need to configure
  44. your own loadbalancer to achieve HA. Note that deploying a loadbalancer is up to
  45. a user and is not covered by ansible roles in Kargo. By default, it only configures
  46. a non-HA endpoint, which points to the `access_ip` or IP address of the first server
  47. node in the `kube-master` group. It can also configure clients to use endpoints
  48. for a given loadbalancer type. The following diagram shows how traffic to the
  49. apiserver is directed.
  51. ![Image](figures/loadbalancer_localhost.png?raw=true)
  53. Note: Kubernetes master nodes still use insecure localhost access because
  54. there are bugs in Kubernetes <1.5.0 in using TLS auth on master role
  55. services. This makes backends receiving unencrypted traffic and may be a
  56. security issue when interconnecting different nodes, or maybe not, if those
  57. belong to the isolated management network without external access.
  59. A user may opt to use an external loadbalancer (LB) instead. An external LB
  60. provides access for external clients, while the internal LB accepts client
  61. connections only to the localhost.
  62. Given a frontend `VIP` address and `IP1, IP2` addresses of backends, here is
  63. an example configuration for a HAProxy service acting as an external LB:
  64. ```
  65. listen kubernetes-apiserver-https
  66. bind <VIP>:8383
  67. option ssl-hello-chk
  68. mode tcp
  69. timeout client 3h
  70. timeout server 3h
  71. server master1 <IP1>:443
  72. server master2 <IP2>:443
  73. balance roundrobin
  74. ```
  76. And the corresponding example global vars config:
  77. ```
  78. apiserver_loadbalancer_domain_name: "lb-apiserver.kubernetes.local"
  79. loadbalancer_apiserver:
  80. address: <VIP>
  81. port: 8383
  82. ```
  84. This domain name, or default "lb-apiserver.kubernetes.local", will be inserted
  85. into the `/etc/hosts` file of all servers in the `k8s-cluster` group. Note that
  86. the HAProxy service should as well be HA and requires a VIP management, which
  87. is out of scope of this doc. Specifying an external LB overrides any internal
  88. localhost LB configuration.
  90. Note: In order to achieve HA for HAProxy instances, those must be running on
  91. the each node in the `k8s-cluster` group as well, but require no VIP, thus
  92. no VIP management.
  94. Access endpoints are evaluated automagically, as the following:
  96. | Endpoint type | kube-master | non-master |
  97. |------------------------------|---------------|---------------------|
  98. | Local LB | http://lc:p | https://lc:nsp |
  99. | External LB, no internal | https://lb:lp | https://lb:lp |
  100. | No ext/int LB (default) | http://lc:p | https://m[0].aip:sp |
  102. Where:
  103. * `m[0]` - the first node in the `kube-master` group;
  104. * `lb` - LB FQDN, `apiserver_loadbalancer_domain_name`;
  105. * `lc` - localhost;
  106. * `p` - insecure port, `kube_apiserver_insecure_port`
  107. * `nsp` - nginx secure port, `nginx_kube_apiserver_port`;
  108. * `sp` - secure port, `kube_apiserver_port`;
  109. * `lp` - LB port, `loadbalancer_apiserver.port`, defers to the secure port;
  110. * `ip` - the node IP, defers to the ansible IP;
  111. * `aip` - `access_ip`, defers to the ip.