HA endpoints for K8s
====================

The following components require highly available endpoints:

* etcd cluster,
* kube-apiserver service instances.

The former provides the
[etcd-proxy](https://coreos.com/etcd/docs/latest/proxy.html) service to access
the cluster members in HA fashion.
The latter relies on third-party reverse proxies, like Nginx or HAProxy, to
achieve the same goal.
Etcd
----

Etcd proxies are deployed on each node in the `k8s-cluster` group. A proxy is
a separate etcd process. It has a `localhost:2379` frontend and all of the etcd
cluster members as backends. Note that the `access_ip` is used as the backend
IP, if specified. Frontend endpoints cannot be accessed externally as they are
bound to localhost only.

The `etcd_access_endpoint` fact provides an access pattern for clients, and the
`etcd_multiaccess` group var (defaults to `false`) controls that behavior.
When enabled, it makes deployed components access the etcd cluster members
directly: `http://ip1:2379, http://ip2:2379,...`. This mode assumes the clients
do their own load balancing and handle HA for connections. Note that the pod
definition of the flannel networking plugin always uses a single `--etcd-server`
endpoint!
Kube-apiserver
--------------

K8s components require a loadbalancer to access the apiservers via a reverse
proxy. Kargo includes support for an nginx-based proxy that resides on each
non-master Kubernetes node. This is referred to as localhost loadbalancing. It
is less efficient than a dedicated load balancer because it creates extra
health checks on the Kubernetes apiserver, but is more practical for scenarios
where an external LB or virtual IP management is inconvenient.

This option is configured by the variable `loadbalancer_apiserver_localhost`.
Without it, you will need to configure your own loadbalancer to achieve HA.
Note that deploying a loadbalancer is up to the user and is not covered by the
ansible roles in Kargo. By default, Kargo only configures a non-HA endpoint,
which points to the `access_ip` or IP address of the first server node in the
`kube-master` group. It can also configure clients to use endpoints for a given
loadbalancer type. The following diagram shows how traffic to the apiserver is
directed.

![Image](figures/loadbalancer_localhost.png?raw=true)

Note: Kubernetes master nodes still use insecure localhost access because
there are bugs in Kubernetes <1.5.0 in using TLS auth on master role
services.
A user may opt to use an external loadbalancer (LB) instead. An external LB
provides access for external clients, while the internal LB accepts client
connections only on the localhost, similarly to the etcd-proxy HA endpoints.
Given a frontend `VIP` address and `IP1, IP2` addresses of backends, here is
an example configuration for an HAProxy service acting as an external LB:

```
listen kubernetes-apiserver-https
  bind <VIP>:8383
  option ssl-hello-chk
  mode tcp
  timeout client 3h
  timeout server 3h
  server master1 <IP1>:443
  server master2 <IP2>:443
  balance roundrobin
```
And the corresponding example global vars config:

```yaml
apiserver_loadbalancer_domain_name: "lb-apiserver.kubernetes.local"
loadbalancer_apiserver:
  address: <VIP>
  port: 8383
```
This domain name, or the default "lb-apiserver.kubernetes.local", will be
inserted into the `/etc/hosts` file of all servers in the `k8s-cluster` group.
Note that the HAProxy service should be HA as well and requires VIP
management, which is out of scope of this doc.

Specifying an external LB overrides any internal localhost LB configuration.
Note that for this example, the `kubernetes-apiserver-http` endpoint
has backends receiving unencrypted traffic, which may be a security issue
when interconnecting different nodes, or may not be, if those belong to an
isolated management network without external access.

In order to achieve HA for HAProxy instances, those must be running on
each node in the `k8s-cluster` group as well, but require no VIP, thus
no VIP management.
Access endpoints are evaluated automatically, as follows:

| Endpoint type            | kube-master | non-master          |
|--------------------------|-------------|---------------------|
| Local LB                 | http://lc:p | http://lc:sp        |
| External LB, no internal | http://lc:p | https://lb:lp       |
| No ext/int LB (default)  | http://lc:p | https://m[0].aip:sp |

Where:

* `m[0]` - the first node in the `kube-master` group;
* `lb` - LB FQDN, `apiserver_loadbalancer_domain_name`;
* `lc` - localhost;
* `p` - insecure port, `kube_apiserver_insecure_port`;
* `sp` - secure port, `kube_apiserver_port`;
* `lp` - LB port, `loadbalancer_apiserver.port`, defaults to the secure port;
* `ip` - the node IP, defaults to the ansible IP;
* `aip` - `access_ip`, defaults to the ip.
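As an added example (not Kargo's own code; Kargo derives these values as Ansible facts), the endpoint table above and the `etcd_access_endpoint` / `etcd_multiaccess` behaviour from the Etcd section are written out in plain Python so the rules can be checked offline for a given inventory. The `Node` and `ClusterVars` types, the function names, the node names and IP addresses, the `etcd` inventory group and the default port numbers (443, 8080, 2379) are all constructed or assumed for this example and are not values stated on this page. The last helper flags the case the doc singles out as a possible security issue: an `http://` endpoint whose traffic leaves localhost for another node.

```python
"""Endpoint evaluation for the HA-mode rules (added example, not Kargo code)."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Node:
    name: str
    ip: str                          # `ip`: the ansible IP of the node
    groups: frozenset                # inventory groups (constructed names)
    access_ip: Optional[str] = None  # `access_ip`, optional

    @property
    def aip(self) -> str:
        """`aip`: access_ip when specified, otherwise the node ip."""
        return self.access_ip or self.ip


@dataclass
class ClusterVars:
    """Group vars named in the doc; the default values here are assumptions."""
    kube_apiserver_port: int = 443              # `sp`, secure port
    kube_apiserver_insecure_port: int = 8080    # `p`, insecure port
    etcd_client_port: int = 2379
    etcd_multiaccess: bool = False
    loadbalancer_apiserver_localhost: bool = True
    apiserver_loadbalancer_domain_name: str = "lb-apiserver.kubernetes.local"
    loadbalancer_apiserver: Optional[dict] = None  # {"address": ..., "port": ...}


def first_master(nodes: List[Node]) -> Node:
    """`m[0]`: the first node of the `kube-master` group, in inventory order."""
    return next(n for n in nodes if "kube-master" in n.groups)


def kube_apiserver_endpoint(node: Node, nodes: List[Node], v: ClusterVars) -> str:
    """Apiserver URL for components on `node`, row by row as in the table."""
    if "kube-master" in node.groups:
        # Every row: masters keep insecure localhost access.
        return f"http://localhost:{v.kube_apiserver_insecure_port}"
    if v.loadbalancer_apiserver is not None:
        # An external LB overrides any internal localhost LB configuration;
        # `lp` defaults to the secure port when no port is given.
        lp = v.loadbalancer_apiserver.get("port", v.kube_apiserver_port)
        return f"https://{v.apiserver_loadbalancer_domain_name}:{lp}"
    if v.loadbalancer_apiserver_localhost:
        # "Local LB" row, with the scheme exactly as the table states it.
        return f"http://localhost:{v.kube_apiserver_port}"
    # "No ext/int LB" row: a non-HA endpoint straight at the first master.
    return f"https://{first_master(nodes).aip}:{v.kube_apiserver_port}"


def etcd_access_endpoint(nodes: List[Node], v: ClusterVars) -> str:
    """Local proxy frontend by default; every member directly in multiaccess mode."""
    if not v.etcd_multiaccess:
        return f"http://localhost:{v.etcd_client_port}"
    members = [n for n in nodes if "etcd" in n.groups]  # assumed `etcd` group
    return ",".join(f"http://{n.aip}:{v.etcd_client_port}" for n in members)


def flannel_etcd_server(nodes: List[Node], v: ClusterVars) -> str:
    """flannel takes a single --etcd-server, so in multiaccess mode it is
    pinned to the first member only and gets no HA from the list."""
    return etcd_access_endpoint(nodes, v).split(",")[0]


def plaintext_off_host(endpoint: str) -> bool:
    """True when an endpoint carries unencrypted traffic to another node;
    http:// is only harmless while it stays on localhost."""
    u = urlsplit(endpoint)
    return u.scheme == "http" and u.hostname not in ("localhost", "127.0.0.1")


# Constructed inventory: two masters (also etcd members) and one worker.
NODES = [
    Node("master1", "10.0.0.11", frozenset({"kube-master", "etcd", "k8s-cluster"}),
         access_ip="192.0.2.11"),
    Node("master2", "10.0.0.12", frozenset({"kube-master", "etcd", "k8s-cluster"})),
    Node("node1", "10.0.0.21", frozenset({"kube-node", "k8s-cluster"})),
]

# The three configurations behind the table's three rows.
LOCAL_LB = ClusterVars()
EXTERNAL_LB = ClusterVars(loadbalancer_apiserver={"address": "203.0.113.10", "port": 8383})
NO_LB = ClusterVars(loadbalancer_apiserver_localhost=False)

if __name__ == "__main__":
    for cfg_name, cfg in (("local", LOCAL_LB), ("external", EXTERNAL_LB), ("none", NO_LB)):
        for n in NODES:
            url = kube_apiserver_endpoint(n, NODES, cfg)
            flag = "  <- plaintext off-host" if plaintext_off_host(url) else ""
            print(f"{cfg_name:8} {n.name:8} {url}{flag}")
    multi = ClusterVars(etcd_multiaccess=True)
    print("etcd (default):    ", etcd_access_endpoint(NODES, LOCAL_LB))
    print("etcd (multiaccess):", etcd_access_endpoint(NODES, multi))
    for member in etcd_access_endpoint(NODES, multi).split(","):
        print("  ", member, "<- plaintext off-host" if plaintext_off_host(member) else "")
    print("flannel gets:      ", flannel_etcd_server(NODES, multi))
```

Running the script prints one line per configuration and node; only the masters' localhost endpoints and the etcd multiaccess member list come out as `http://`, and the flagged member URLs are exactly the cross-node plaintext connections the text above warns about.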