The chapter 'Bootstrapping the Kubernetes Control Plane' is updated.
@@ -277,59 +277,104 @@ EOF
|
|||||||
|
|
||||||
## The Kubernetes Frontend Load Balancer
|
## The Kubernetes Frontend Load Balancer
|
||||||
|
|
||||||
In this section you will provision an external load balancer to front the Kubernetes API Servers. The `kubernetes-the-hard-way` static IP address will be attached to the resulting load balancer.
|
In this section you will setup a load balancer to front the Kubernetes API Servers.
|
||||||
|
|
||||||
> The compute instances created in this tutorial will not have permission to complete this section. Run the following commands from the same machine used to create the compute instances.
|
|
||||||
|
|
||||||
|
|
||||||
### Provision a Network Load Balancer
|
### Setting up a Load Balancer
|
||||||
|
|
||||||
Create the external load balancer network resources:
|
Login to the load balancer:
|
||||||
|
|
||||||
```
|
```
|
||||||
{
|
$ ssh -i ~/.ssh/id_rsa-k8s.pub 10.240.0.10
|
||||||
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
|
|
||||||
--region $(gcloud config get-value compute/region) \
|
|
||||||
--format 'value(address)')
|
|
||||||
|
|
||||||
gcloud compute http-health-checks create kubernetes \
|
|
||||||
--description "Kubernetes Health Check" \
|
|
||||||
--host "kubernetes.default.svc.cluster.local" \
|
|
||||||
--request-path "/healthz"
|
|
||||||
|
|
||||||
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-health-check \
|
|
||||||
--network kubernetes-the-hard-way \
|
|
||||||
--source-ranges 209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 \
|
|
||||||
--allow tcp
|
|
||||||
|
|
||||||
gcloud compute target-pools create kubernetes-target-pool \
|
|
||||||
--http-health-check kubernetes
|
|
||||||
|
|
||||||
gcloud compute target-pools add-instances kubernetes-target-pool \
|
|
||||||
--instances controller-0,controller-1,controller-2
|
|
||||||
|
|
||||||
gcloud compute forwarding-rules create kubernetes-forwarding-rule \
|
|
||||||
--address ${KUBERNETES_PUBLIC_ADDRESS} \
|
|
||||||
--ports 6443 \
|
|
||||||
--region $(gcloud config get-value compute/region) \
|
|
||||||
--target-pool kubernetes-target-pool
|
|
||||||
}
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
Install the required packages:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ sudo apt-get install -y haproxy
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
Edit `haproxy.cfg`:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ sudo vi /etc/haproxy/haproxy.cfg
|
||||||
|
$ cat /etc/haproxy/haproxy.cfg
|
||||||
|
global
|
||||||
|
log /dev/log local0
|
||||||
|
log /dev/log local1 notice
|
||||||
|
chroot /var/lib/haproxy
|
||||||
|
stats socket /run/haproxy/admin.sock mode 660 level admin
|
||||||
|
stats timeout 30s
|
||||||
|
user haproxy
|
||||||
|
group haproxy
|
||||||
|
daemon
|
||||||
|
|
||||||
|
# Default SSL material locations
|
||||||
|
ca-base /etc/ssl/certs
|
||||||
|
crt-base /etc/ssl/private
|
||||||
|
|
||||||
|
# Default ciphers to use on SSL-enabled listening sockets.
|
||||||
|
# For more information, see ciphers(1SSL). This list is from:
|
||||||
|
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
||||||
|
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
|
||||||
|
ssl-default-bind-options no-sslv3
|
||||||
|
|
||||||
|
defaults
|
||||||
|
log global
|
||||||
|
mode http
|
||||||
|
option httplog
|
||||||
|
option dontlognull
|
||||||
|
timeout connect 5000
|
||||||
|
timeout client 50000
|
||||||
|
timeout server 50000
|
||||||
|
errorfile 400 /etc/haproxy/errors/400.http
|
||||||
|
errorfile 403 /etc/haproxy/errors/403.http
|
||||||
|
errorfile 408 /etc/haproxy/errors/408.http
|
||||||
|
errorfile 500 /etc/haproxy/errors/500.http
|
||||||
|
errorfile 502 /etc/haproxy/errors/502.http
|
||||||
|
errorfile 503 /etc/haproxy/errors/503.http
|
||||||
|
errorfile 504 /etc/haproxy/errors/504.http
|
||||||
|
|
||||||
|
frontend haproxynode
|
||||||
|
bind *:6443
|
||||||
|
mode tcp
|
||||||
|
default_backend backendnodes
|
||||||
|
|
||||||
|
backend backendnodes
|
||||||
|
mode tcp
|
||||||
|
balance roundrobin
|
||||||
|
option tcp-check
|
||||||
|
option log-health-checks
|
||||||
|
server node1 10.240.0.11:6443 check
|
||||||
|
server node2 10.240.0.12:6443 check
|
||||||
|
server node3 10.240.0.13:6443 check
|
||||||
|
|
||||||
|
listen stats
|
||||||
|
bind :32700
|
||||||
|
stats enable
|
||||||
|
stats uri /
|
||||||
|
stats hide-version
|
||||||
|
stats auth someuser:password
|
||||||
|
$
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
Enable and start `haproxy` service:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ sudo systemctl enable haproxy
|
||||||
|
$ sudo systemctl start haproxy
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Verification
|
### Verification
|
||||||
|
|
||||||
Retrieve the `kubernetes-the-hard-way` static IP address:
|
Login to one of the controller nodes, and make a HTTP request for the Kubernetes version info:
|
||||||
|
|
||||||
```
|
```
|
||||||
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
|
$ curl --cacert /var/lib/kubernetes/ca.pem https://10.240.0.10:6443/version
|
||||||
--region $(gcloud config get-value compute/region) \
|
|
||||||
--format 'value(address)')
|
|
||||||
```
|
|
||||||
|
|
||||||
Make a HTTP request for the Kubernetes version info:
|
|
||||||
|
|
||||||
```
|
|
||||||
curl --cacert ca.pem https://${KUBERNETES_PUBLIC_ADDRESS}:6443/version
|
|
||||||
```
|
```
|
||||||
|
|
||||||
> output
|
> output
|
||||||
|
|||||||