2042 kube-scheduler

In a cluster with three kube-scheduler instances, the instances compete in a leader election after start-up: one becomes the leader and the others block. When the leader becomes unavailable, the blocked instances hold a new election and produce a new leader, which keeps the service available.

To secure communication, this document first generates an x509 certificate and private key; kube-scheduler uses that certificate in the following two cases:

Deployment strategy:

  • 3-node high availability;

  • access the apiserver's secure port through a kubeconfig;

  • serve Prometheus-format metrics on the secure port (https, 10259; 10251 is the insecure http port, see the verification section).

Deployment plan

IP            Package
10.40.61.116  kube-scheduler
10.40.58.153  kube-scheduler
10.40.58.154  kube-scheduler

01. Create the kube-scheduler certificate and private key

Create the certificate signing request:

cat > kube-scheduler-csr.json <<EOF
{
  "CN": "system:kube-scheduler",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "O": "Kubernetes",
      "OU": "Kubernetes",
      "ST": "Beijing"
    }
  ]
}
EOF

The CN is system:kube-scheduler; the ClusterRoleBinding system:kube-scheduler built into Kubernetes grants that user the permissions kube-scheduler needs. The apiserver takes the user name from the certificate's CN (and group names from O), so the CN must match exactly. C is the ISO 3166 two-letter country code, so it is CN, not China.

Create the kube-scheduler certificate and private key:

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-scheduler-csr.json | cfssljson -bare kube-scheduler

cfssljson -bare writes kube-scheduler.csr, kube-scheduler-key.pem and kube-scheduler.pem; the two files used in the next step are:

kube-scheduler-key.pem
kube-scheduler.pem
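Before these files go into a kubeconfig it is worth checking that they are what the apiserver will accept: that the key file really is a key, that it belongs to the certificate, that the certificate chains to ca.pem, that the CN is system:kube-scheduler and that the certificate carries the clientAuth extended key usage. The script below is an added example, not part of the original guide or of cfssl; the function names verify_scheduler_cert and make_demo_pki are mine, and the throw-away CA and leaf certificates it builds with openssl are constructed stand-ins for the cluster's real ca.pem and cfssl output.

```shell
#!/bin/sh
# Added example, not part of the original guide: checks to run on the files cfssl just
# produced, before they go into a kubeconfig. Uses openssl only. The demo PKI at the
# bottom is constructed here so the script runs without the cluster's real ca.pem.

# verify_scheduler_cert CERT KEY CA -> 0 if CERT/KEY is a usable kube-scheduler identity.
verify_scheduler_cert() {
  cert=$1 key=$2 ca=$3
  # 1. KEY must actually be a key; a certificate here is the Q&A error at the end of
  #    this page ("found a certificate rather than a key in the PEM for the private key").
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
    { echo "FAIL: $key has no PRIVATE KEY block"; return 1; }
  # 2. the public key in CERT must be the one derived from KEY
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  { [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; } ||
    { echo "FAIL: $cert was not issued for the key in $key"; return 1; }
  # 3. CERT must chain to the CA the apiserver trusts for client certificates
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: $cert is not signed by $ca"; return 1; }
  # 4. the apiserver takes the user name from CN; only CN=system:kube-scheduler
  #    matches the built-in ClusterRoleBinding of the same name.
  subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  case ",$subj," in
    *",CN=system:kube-scheduler,"*) ;;
    *) echo "FAIL: subject '$subj' is not CN=system:kube-scheduler"; return 1 ;;
  esac
  # 5. the cfssl "kubernetes" profile should have put clientAuth in the EKU; a cert whose
  #    EKU is present but lacks clientAuth is refused in the apiserver's TLS handshake.
  openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication' ||
    { echo "FAIL: $cert has no clientAuth extended key usage"; return 1; }
  echo "OK: $cert is a valid kube-scheduler client certificate for $key"
}

# make_demo_pki DIR: constructed throw-away CA and leaf certs standing in for cfssl output.
make_demo_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kubernetes-ca" \
    -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
  # same subject as kube-scheduler-csr.json above
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/kube-scheduler-key.pem" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Kubernetes/OU=Kubernetes/CN=system:kube-scheduler" \
    -out "$d/kube-scheduler.csr" 2>/dev/null
  openssl x509 -req -in "$d/kube-scheduler.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
    -CAcreateserial -days 1 -extfile "$d/client.ext" -out "$d/kube-scheduler.pem" 2>/dev/null
  # same key, different identity: authenticates, but gets a different user's RBAC
  openssl req -new -key "$d/kube-scheduler-key.pem" -subj "/O=Kubernetes/CN=system:kube-proxy" \
    -out "$d/wrong-cn.csr" 2>/dev/null
  openssl x509 -req -in "$d/wrong-cn.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
    -CAcreateserial -days 1 -extfile "$d/client.ext" -out "$d/wrong-cn.pem" 2>/dev/null
}

pki=$(mktemp -d)
make_demo_pki "$pki"
verify_scheduler_cert "$pki/kube-scheduler.pem" "$pki/kube-scheduler-key.pem" "$pki/ca.pem"
verify_scheduler_cert "$pki/wrong-cn.pem" "$pki/kube-scheduler-key.pem" "$pki/ca.pem" || true
# the mistake from the Q&A section: the certificate passed where the key belongs
verify_scheduler_cert "$pki/kube-scheduler.pem" "$pki/kube-scheduler.pem" "$pki/ca.pem" || true
```

On a real node run verify_scheduler_cert kube-scheduler.pem kube-scheduler-key.pem ca.pem in the directory where cfssl wrote the files. The checks stop at the first failure, so the message names the exact thing to regenerate.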

02. Create the kubeconfig file

First determine the address at which the apiserver serves:

export KUBE_APISERVER="https://apiserver-p001.svc.gxd88.cn:6443"

  • Set the cluster parameters

      kubectl config set-cluster kubernetes \
      --certificate-authority=ca.pem \
      --embed-certs=true \
      --server=${KUBE_APISERVER} \
      --kubeconfig=kube-scheduler.kubeconfig

  • Set the client authentication parameters (the certificate and the key are different files; see the Q&A at the end)

      kubectl config set-credentials system:kube-scheduler \
      --client-certificate=kube-scheduler.pem \
      --client-key=kube-scheduler-key.pem \
      --embed-certs=true \
      --kubeconfig=kube-scheduler.kubeconfig

  • Set the context parameters

      kubectl config set-context default \
      --cluster=kubernetes \
      --user=system:kube-scheduler \
      --kubeconfig=kube-scheduler.kubeconfig

  • Set the default context

      kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig

With --embed-certs=true the CA, certificate and key are copied into the kubeconfig, so the file is a complete credential: distribute it to the three nodes over a secure channel and keep it readable only by the user that runs kube-scheduler.

03. Manage kube-scheduler with systemd

tee /etc/systemd/system/kube-scheduler.service <<-EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/srv/kubernetes/bin/kube-scheduler \\
  --kubeconfig=/srv/kubernetes/kubeconfig/kube-scheduler.kubeconfig \\
  --address=0.0.0.0 \\
  --leader-elect=true \\
  --v=2 \\
  --logtostderr=false \\
  --log-dir=/srv/kubernetes/log
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF

For the start-up flags see the parameter section below. Note that --address=0.0.0.0 binds the insecure HTTP port (10251 by default) on every interface; it serves /metrics and /healthz without authentication and, while --profiling is left at its default of true, /debug/pprof as well. Unless something on the host must scrape it unauthenticated, set --address=127.0.0.1 or disable the port with --port=0, and add --profiling=false; metrics remain available on the authenticated port 10259.

04. Start/stop kube-scheduler

sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable kube-scheduler.service

kube-scheduler can be started and stopped as follows:

sudo systemctl start kube-scheduler.service
sudo systemctl stop  kube-scheduler.service

05. Verification

Check the service:

$ systemctl status kube-scheduler|grep Active
   Active: active (running) since Wed 2020-04-15 15:14:23 CST; 3 days ago

Check the ports:

kube-scheduler listens on ports 10251 and 10259:

  • 10251: accepts http requests; insecure port, no authentication or authorization;

  • 10259: accepts https requests; secure port, authentication and authorization required.

Both ports serve /metrics and /healthz (and /debug/pprof while profiling is enabled, which is the default).

$ netstat -lnpt |grep kube-sch
tcp6       0      0 :::10251                :::*                    LISTEN      13328/kube-schedule
tcp6       0      0 :::10259                :::*                    LISTEN      13328/kube-schedule

Test requests to /metrics. The http port answers without any credentials; the https port requires the client to authenticate, so the admin client certificate is used here:

$ curl -s http://127.0.0.1:10251/metrics |head
$ curl -s --cacert /root/certificated/ca.pem --cert /root/certificated/admin.pem --key /root/certificated/admin-key.pem https://127.0.0.1:10259/metrics |head
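The curl against 10251 above succeeds with no credentials at all, which is the point to check on every node. The script below is an added example, not part of the original guide: it parses a kube-scheduler command line (from ps, or the ExecStart of the unit file) and reports the insecure-port exposure, profiling left at its default, and a missing --leader-elect. The function audit_scheduler_args and the constants PAGE_ARGS and HARDENED_ARGS are mine; PAGE_ARGS is the ExecStart from the unit file above, HARDENED_ARGS a constructed variant. The flag defaults it assumes (--port 10251, --address 0.0.0.0, --profiling true, --leader-elect false) are those of kube-scheduler releases that still have the insecure port; newer releases removed that port together with --address and --port.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a kube-scheduler command line for
# what the unit file above leaves exposed. Assumed defaults (releases with the insecure port):
#   --port 10251          plain HTTP, no authentication or authorization; 0 disables it
#   --address 0.0.0.0     interface the --port listener binds to
#   --profiling true      serves /debug/pprof on the HTTP listeners
#   --leader-elect false  must be true when several instances run, as in this guide
# Prints one FINDING line per problem on stderr and the number of findings on stdout.
# Usage on a node: audit_scheduler_args "$(ps -o args= -C kube-scheduler)"
audit_scheduler_args() {
  port=10251 address=0.0.0.0 profiling=true leader_elect=false
  for word in $1; do
    case $word in
      --port=*)         port=${word#*=} ;;
      --address=*)      address=${word#*=} ;;
      --profiling=*)    profiling=${word#*=} ;;
      --profiling)      profiling=true ;;      # a bare boolean flag means true
      --leader-elect=*) leader_elect=${word#*=} ;;
      --leader-elect)   leader_elect=true ;;
    esac
  done
  findings=0
  if [ "$port" != 0 ]; then
    case $address in
      127.0.0.1|::1|localhost) ;;   # loopback only: reachable just from this host
      *) echo "FINDING: unauthenticated HTTP port $port bound to $address (serves /metrics, /healthz and, with profiling, /debug/pprof); use --port=0 or --address=127.0.0.1" >&2
         findings=$((findings + 1)) ;;
    esac
  fi
  if [ "$profiling" = true ]; then
    echo "FINDING: --profiling is on (the default); add --profiling=false unless you are debugging the scheduler" >&2
    findings=$((findings + 1))
  fi
  if [ "$leader_elect" != true ]; then
    echo "FINDING: --leader-elect is not true; three instances would all schedule at once" >&2
    findings=$((findings + 1))
  fi
  echo "$findings"
}

# The ExecStart from the unit file above, and a hardened variant (constructed here).
PAGE_ARGS='/srv/kubernetes/bin/kube-scheduler --kubeconfig=/srv/kubernetes/kubeconfig/kube-scheduler.kubeconfig --address=0.0.0.0 --leader-elect=true --v=2 --logtostderr=false --log-dir=/srv/kubernetes/log'
HARDENED_ARGS='/srv/kubernetes/bin/kube-scheduler --kubeconfig=/srv/kubernetes/kubeconfig/kube-scheduler.kubeconfig --port=0 --profiling=false --leader-elect=true --v=2 --logtostderr=false --log-dir=/srv/kubernetes/log'

echo "page unit: $(audit_scheduler_args "$PAGE_ARGS") finding(s)"
echo "hardened:  $(audit_scheduler_args "$HARDENED_ARGS") finding(s)"
```

The page's unit yields two findings (insecure port on all interfaces, profiling on); the hardened variant yields none, and after applying it the netstat check above should show only :::10259 listening.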

05. Parameter details

The scheduler does one job, so it has few flags; most of its behaviour lives in the scheduling code itself.

Start command

/srv/kubernetes/bin/kube-scheduler \
  --kubeconfig=/srv/kubernetes/kubeconfig/kube-scheduler.kubeconfig \
  --address=0.0.0.0 \
  --leader-elect=true \
  --v=2 \
  --logtostderr=false \
  --log-dir=/srv/kubernetes/log

Parameter descriptions

--leader-elect=true

Enable leader election: only the instance that holds the lock schedules; the other instances wait until the lock is lost and then elect a new leader, as described at the top of this page.

Same as for kube-controller-manager.

06. Q&A

Q:

kube-scheduler: tls: found a certificate rather than a key in the PEM for the private key

A: When the client authentication parameters were set, --client-key and --client-certificate pointed at the same file (the certificate), so the certificate was embedded as client-key-data and the scheduler found a CERTIFICATE block where it expected a private key. The correct settings are:

kubectl config set-credentials system:kube-scheduler \
--client-certificate=kube-scheduler.pem \
--client-key=kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=kube-scheduler.kubeconfig

Then copy the regenerated kube-scheduler.kubeconfig to all three nodes and restart the service.
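Because --embed-certs=true copies the files into the kubeconfig, the scheduler never reads kube-scheduler-key.pem at start-up; it reads client-key-data. The check below, an added example that is not part of the original guide, decodes the embedded client-certificate-data and client-key-data from a kubeconfig and reports the PEM block type found in each, which is how to confirm both the kubeconfig built in step 02 and a fix for this Q&A. The functions embedded_pem_label, check_kubeconfig_credentials and write_demo_kubeconfig are mine; the kubeconfig it writes is constructed in the shape the kubectl config commands produce, with placeholder PEM bodies (not real keys) and the apiserver address from this page.

```shell
#!/bin/sh
# Added example, not from the original guide: inspect the credentials embedded in a
# kubeconfig built with --embed-certs=true. kube-scheduler reads the kubeconfig, not
# the .pem files, so a swapped --client-key shows up only here.

# embedded_pem_label KUBECONFIG FIELD: base64-decode the first FIELD value
# (for example client-key-data) and print the label of its first PEM block.
embedded_pem_label() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | base64 -d 2>/dev/null |
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1
}

# check_kubeconfig_credentials KUBECONFIG: 0 if client-certificate-data holds a
# CERTIFICATE block and client-key-data holds a PRIVATE KEY block, 1 otherwise.
check_kubeconfig_credentials() {
  cert_label=$(embedded_pem_label "$1" client-certificate-data)
  key_label=$(embedded_pem_label "$1" client-key-data)
  status=0
  case $cert_label in
    CERTIFICATE) ;;
    *) echo "$1: client-certificate-data holds '${cert_label:-nothing}', expected CERTIFICATE"
       status=1 ;;
  esac
  case $key_label in
    *"PRIVATE KEY") ;;   # "RSA PRIVATE KEY" (cfssl), "PRIVATE KEY" (PKCS#8), "EC PRIVATE KEY"
    *) echo "$1: client-key-data holds '${key_label:-nothing}', expected a PRIVATE KEY block" \
            "(kube-scheduler reports: found a certificate rather than a key in the PEM for the private key)"
       status=1 ;;
  esac
  return $status
}

# write_demo_kubeconfig PATH MODE: constructed kubeconfig in the shape produced by the
# kubectl config commands above. MODE=good embeds a key; MODE=swapped embeds the
# certificate twice, which is what --client-key=kube-scheduler.pem produces.
# The PEM bodies are placeholders, not real key material.
write_demo_kubeconfig() {
  cert_pem='-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDCERTIFICATEBODYNOTAREALCERT
-----END CERTIFICATE-----'
  key_pem='-----BEGIN RSA PRIVATE KEY-----
MIIECONSTRUCTEDKEYBODYNOTAREALKEY
-----END RSA PRIVATE KEY-----'
  cert_b64=$(printf '%s\n' "$cert_pem" | base64 | tr -d '\n')
  if [ "$2" = swapped ]; then key_b64=$cert_b64
  else key_b64=$(printf '%s\n' "$key_pem" | base64 | tr -d '\n'); fi
  cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: $cert_b64
    server: https://apiserver-p001.svc.gxd88.cn:6443
  name: kubernetes
users:
- name: system:kube-scheduler
  user:
    client-certificate-data: $cert_b64
    client-key-data: $key_b64
EOF
}

demo=$(mktemp -d)
write_demo_kubeconfig "$demo/good.kubeconfig" good
write_demo_kubeconfig "$demo/swapped.kubeconfig" swapped
check_kubeconfig_credentials "$demo/good.kubeconfig" && echo "good.kubeconfig: credentials look sane"
check_kubeconfig_credentials "$demo/swapped.kubeconfig" || echo "swapped.kubeconfig: rebuild with --client-key=kube-scheduler-key.pem"
```

On a node, run check_kubeconfig_credentials /srv/kubernetes/kubeconfig/kube-scheduler.kubeconfig; the same two functions work for any other component's kubeconfig, since the field names are the same.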
