文章目录
- 前提准备
- 1.修改Ingress-Controller 运行模式为`hostNetwork`并生效
- 2.给部署ingress-controller的节点打标签
- 3.查看ingress-controller的部署情况
- 方式一:LVS+Keepalived+Nginx+Ingress
- 一、部署ipvsadm和keepalived
- 二、配置keepalived
- 1.配置lvs01(keepalived master)
- 2.配置lvs02(keepalived backup)
- 三、启动两台keepalived
- 四、安装ngx并配置代理ingress启动
- 1.yum安装并配置ngx
- 2.ngx反向代理ingress
- 3.启动ngx
- 4.关闭后端服务器ngx的arp查询功能并设置回环IP
- 5.再次查看keepalived状态和lvs路由转发规则
- 五、验证
- 1.验证此架构是否可以正常处理请求
- 2.验证后端真实服务器ngx是否高可用
- 3.验证lvs+keepalived是否高可用
- 方式二:Nginx+Keepalived+Ingress
- 一、部署keepalived及nginx
- 二、配置nginx
- 1.修改ngx主配置文件
- 2.ngx反向代理ingress并启动
- 三、配置keepalived
- 1. 配置ngx01-master
- 2. 配置ngx02-slave
- 3.配置检查nginx运行状态的脚本
- 四、验证
- 方式三:LVS+Keepalived+Ingress
- 一、部署ipvsadm和keepalived
- 二、配置keepalived
- 1.配置lvs01(keepalived master)
- 2.配置lvs02(keepalived backup)
- 三、关闭ingress所在节点的arp查询功能并设置回环IP
- 四、验证
- 总结
前提准备
既然要实现ingress controller的高可用必须是多实例部署ingress,这里我们可以使用Daemonset+nodeseletor
的模式进行部署多实例,这样就可以将ingress部署多个实例且能根据标签选择
固定node(IP);
1.修改Ingress-Controller 运行模式为hostNetwork
并生效
apiVersion: apps/v1
kind: DaemonSet
metadata:labels:app.kubernetes.io/component: controllerapp.kubernetes.io/instance: ingress-nginxapp.kubernetes.io/name: ingress-nginxapp.kubernetes.io/part-of: ingress-nginxapp.kubernetes.io/version: 1.3.0name: ingress-nginx-controllernamespace: ingress-nginx
spec:minReadySeconds: 0revisionHistoryLimit: 10
...spec:#共享宿主机的网络协议栈(不给ingress controller分配独立的网路命名空间,与宿主机网络命名空间共享)hostNetwork: Truecontainers:- args:- /nginx-ingress-controller- --election-id=ingress-controller-leader- --controller-class=k8s.io/ingress-nginx- --ingress-class=nginx- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller- --validating-webhook=:8443- --validating-webhook-certificate=/usr/local/certificates/cert- --validating-webhook-key=/usr/local/certificates/key...volumeMounts:- mountPath: /usr/local/certificates/name: webhook-certreadOnly: truednsPolicy: ClusterFirst#添加节点调度器nodeSelector:#节点上含有的标签ingress: "yes"serviceAccountName: ingress-nginxterminationGracePeriodSeconds: 300volumes:- name: webhook-certsecret:secretName: ingress-nginx-admission
2.给部署ingress-controller的节点打标签
[root@k8s-master ~]# kubectl label nodes/k8s-node1 ingress=yes
[root@k8s-master ~]# kubectl label nodes/k8s-node2 ingress=yes
3.查看ingress-controller的部署情况
[root@k8s-master ~]# kubectl get pod -n ingress-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
ingress-nginx-admission-create-7gnc4 0/1 Completed 0 59d 10.244.107.200 k8s-node3 <none> <none>
ingress-nginx-admission-patch-ldmt4 0/1 Completed 0 59d 10.244.107.199 k8s-node3 <none> <none>
ingress-nginx-controller-qcfj8 1/1 Running 1 14d 192.168.1.3 k8s-node2 <none> <none>
ingress-nginx-controller-zf5vd 1/1 Running 2 14d 192.168.1.2 k8s-node1 <none> <none>
方式一:LVS+Keepalived+Nginx+Ingress
server | IP |
---|---|
lvs01-master(keepalived) | 192.168.1.5 |
lvs02-slave(keepalived) | 192.168.1.6 |
nginx01 | 192.168.1.7 |
nginx02 | 192.168.1.8 |
ingress-ngx-controller01 | 192.168.1.2 |
ingress-ngx-controller02 | 192.168.1.3 |
工作流程:
1、当客户端请求web2.study.com我们的服务时,DNS会解析出这个域名对应的IP为47.9x.5x.xx;
2、然后根据路由器上的nat将47.9x.5x.xx的请求都转发至VIP让LVS进行处理;
3、lvs(四层)再根据负载策略(这里是rr)将请求转发至后端服务器(nginx01,02)
4、nginx(七层)接收到请求后 根据相应的域名(这里可以设置泛域名) 转发至ingress处理;
ps:这里加nginx主要进行七层负载,根据客户端请求的域名来进行处理,代理ingress的同时,也可以当作正常的nginx(添加相应的vhost就行)处理业务;
一、部署ipvsadm和keepalived
lvs01和lvs02节点都部署
[root@localhost ~]# yum install ipvsadm keepalived
二、配置keepalived
1.配置lvs01(keepalived master)
[root@lvs01-master ~]# vim /etc/keepalived/keepalived.conf
global_defs {
# 这里将邮件设置的相关信息都注释掉了
# router_id是keepalived的一个标识,最好不同的keepalived配置成不一样router_id LVS_DEVEL_MASTER
}vrrp_instance VI_1 {# MASTER表示是主节点,备份节点是BACKUPstate MASTER# 工作接口用于选举,这里写网卡名称,这个不同的服务器,可能有所不同interface ens33# vrrp虚拟路由标识,如果是一组虚拟路由内的MASTER和BACKUP节点的该值要保持一致,如果是多组就定义多个,范围0-255virtual_router_id 51# 优先级,MASTER节点的值必须大于BACKUP的值priority 100# MASTER与BACKUP同步的时间间隔,单位为秒advert_int 1# lvs对应的真实IPmcast_src_ip=192.168.1.5authentication {auth_type PASSauth_pass 1111}# 虚拟IP的地址virtual_ipaddress {192.168.1.188}
}#定义lvs集群服务 这里就相当于设置lvs路由 也可以说是防火墙规则,当有请求来请求虚拟地址时转发至下面配置的真实服务器
virtual_server 192.168.1.188 80 {# 健康检查的时间,单位为秒delay_loop 6# 负载调度算法,这里设置为rr,即轮询算法lb_algo rr# 设置DR模式,返回请求时,不走LVS,直接返回到客户端。lb_kind DR# 虚拟地址的子网掩码nat_mask 255.255.255.0# 会话保持时间(对动态网页非常有用),单位为秒persistence_timeout 50#指定转发协议类型,有TCP和UDP两种protocol TCP# 配置后端真实服务器信息(这里指ngx)# 当然如果只是lvs+keepalived+ingress高可用的话,在这里就可以直接写ingress的信息real_server 192.168.1.7 80 {# 节点的权重,数字越大权重越高,被转发至此服务器的请求也就相应的多weight 1#realserver的状态监测设置 单位秒TCP_CHECK {# 连接超时时间connect_timeout 3# 重试次数nb_get_retry 3# 重试间隔delay_before_retry 3}}real_server 192.168.1.8 80 {weight 1TCP_CHECK {connect_timeout 3nb_get_retry 3delay_before_retry 3}}
}virtual_server 192.168.1.188 443 {delay_loop 6lb_algo rrlb_kind DRnat_mask 255.255.255.0persistence_timeout 50protocol TCPreal_server 192.168.1.7 443 {weight 1TCP_CHECK {connect_timeout 3nb_get_retry 3delay_before_retry 3}}real_server 192.168.1.8 443 {weight 1TCP_CHECK {connect_timeout 3nb_get_retry 3delay_before_retry 3}}
}
2.配置lvs02(keepalived backup)
[root@lvs02-slave ~]# vim /etc/keepalived/keepalived.conf
global_defs {
# 这里将邮件设置的相关信息都注释掉了
# router_id是keepalived的一个标识,最好不同的keepalived配置成不一样router_id LVS_DEVEL_BACKUP
}vrrp_instance VI_1 {# MASTER表示是主节点,备份节点是BACKUPstate BACKUP# 工作接口用于选举,这里写网卡名称,这个不同的服务器,可能有所不同interface ens33# vrrp虚拟路由标识,如果是一组虚拟路由内的MASTER和BACKUP节点的该值要保持一致,如果是多组就定义多个,范围0-255virtual_router_id 51# 优先级,MASTER节点的值必须大于BACKUP的值priority 99# MASTER与BACKUP同步的时间间隔,单位为秒advert_int 1# lvs对应的真实IPmcast_src_ip=192.168.1.6authentication {auth_type PASSauth_pass 1111}# 虚拟IP的址virtual_ipaddress {192.168.1.188}
}#定义lvs集群服务 这里就相当于设置lvs路由 也可以说是防火墙规则,当有请求来请求虚拟地址时转发至下面配置的真实服务器
virtual_server 192.168.1.188 80 {# 健康检查的时间,单位为秒delay_loop 6# 负载调度算法,这里设置为rr,即轮询算法lb_algo rr# 设置DR模式,返回请求时,不走LVS,直接返回到客户端。lb_kind DR# 虚拟地址的子网掩码nat_mask 255.255.255.0# 会话保持时间(对动态网页非常有用),单位为秒persistence_timeout 50#指定转发协议类型,有TCP和UDP两种protocol TCP# 配置后端真实服务器信息(这里指ngx)# 当然如果只是lvs+keepalived+ingress高可用的话,在这里就可以直接写ingress的信息real_server 192.168.1.7 80 {# 节点的权重,数字越大权重越高,被转发至此服务器的请求也就相应的多weight 1#realserver的状态监测设置 单位秒TCP_CHECK {# 连接超时时间connect_timeout 3# 重试次数nb_get_retry 3# 重试间隔delay_before_retry 3}}real_server 192.168.1.8 80 {weight 1TCP_CHECK {connect_timeout 3nb_get_retry 3delay_before_retry 3}}
}virtual_server 192.168.1.188 443 {delay_loop 6lb_algo rrlb_kind DRnat_mask 255.255.255.0persistence_timeout 50protocol TCPreal_server 192.168.1.7 443 {weight 1TCP_CHECK {connect_timeout 3nb_get_retry 3delay_before_retry 3}}real_server 192.168.1.8 443 {weight 1TCP_CHECK {connect_timeout 3nb_get_retry 3delay_before_retry 3}}
}
三、启动两台keepalived
分别启动两台keepalived并加入开机自启后查看此时的网络变化以及ipvs
[root@lvs01-master ~]# systemctl start keepalived
[root@lvs01-master ~]# systemctl enable keepalived
如下状态 keepalived已经正常运行了,可以看到简短日志指的是健康检查未检测到后端真是服务器节点然后在ipvs中删除了就不会路由请求了
在keepalived master节点查看网卡是否生成了虚拟VIP
[root@lvs01-master ~]# ip a
再查看路由转发情况(此时的lvs01 02节点都会有此路由转发的规则)
[root@lvs01-master ~]# ipvsadm -Ln
如上我们可以看到有两条TCP规则,分别代表的是keepalived里的"virtual_server"
的配置,但是现在他们下面没有真实的服务器 是因为我们后端真实的服务器ngx还没启动~
四、安装ngx并配置代理ingress启动
ngx01 nginx02 同操作
1.yum安装并配置ngx
[root@ngx01 ~]# yum -y install nginx nginx-all-modules
[root@ngx01 ~]# vim /etc/nginx/nginx.conf
#这里将默认的server块配置的端口监听改为除80以外的端口,因为80端口会用来代理ingress配合keepalived做检测
...server {listen 90;listen [::]:90;server_name _;root /usr/share/nginx/html;
...}
2.ngx反向代理ingress
upstream ingress-server-http{server 192.168.1.3:80 max_fails=2 fail_timeout=30s;server 192.168.1.2:80 max_fails=2 fail_timeout=30s;
}upstream ingress-server-https{server 192.168.1.3:443 max_fails=2 fail_timeout=30s;server 192.168.1.2:443 max_fails=2 fail_timeout=30s;
}server { # 设定虚拟主机配置listen 80; # 监听的端口server_name web2.study.com; # 监听的地址,多个域名用空格隔开location / { # 默认请求 ,后面 "/" 表示开启反向代理,也可以是正则表达式#proxy_set_header X-Real-IP $remote_addr;#proxy_set_header X-Real-Port $remote_port;#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;#root html; # 监听地址的默认网站根目录位置proxy_set_header Host $http_host; # 重写请求头中的host字段#proxy_set_header X-Forward-For $remote_addr;# 配置XFF,记录HTTP的请求端真实的IPproxy_pass http://ingress-server-http; # 代理转发#index index.html index.htm; # 欢迎页面#proxy_set_header Host $host;#proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;#proxy_set_header X-Forwarded-Proto $scheme; }add_header backendCode $upstream_status;add_header BackendIP "$upstream_addr;" always;
}server { # 设定虚拟主机配置#listen 80; # 监听的端口listen 443 ssl;server_name web2.study.com; # 监听的地址,多个域名用空格隔开ssl_certificate /etc/nginx/conf.d/cert/web2.study.com.crt;ssl_certificate_key /etc/nginx/conf.d/cert/web2.study.com.key;ssl_session_timeout 5m;ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;ssl_prefer_server_ciphers on;location / { # 默认请求 ,后面 "/" 表示开启反向代理,也可以是正则表达式proxy_pass https://ingress-server-https;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;}add_header backendCode $upstream_status;add_header BackendIP "$upstream_addr;" always;
}
3.启动ngx
[root@ngx01 ~]# nginx
[root@ngx01 ~]# ps -ef |grep nginx
root 65865 1 0 22:48 ? 00:00:00 nginx: master process nginx
nginx 65866 65865 0 22:48 ? 00:00:00 nginx: worker process
root 65868 65838 0 22:48 pts/1 00:00:00 grep --color=auto nginx
4.关闭后端服务器ngx的arp查询功能并设置回环IP
[root@ngx01 ~]# vim /etc/nginx/conf.d/lvs-rs.sh
vip=192.168.1.188
mask='255.255.255.255'
dev=lo:0echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announcesysctl -w net.ipv4.ip_forward=1
ifconfig $dev $vip broadcast $vip netmask $mask up
route add -host $vip dev $dev[root@ngx01 conf.d]# chmod +755 lvs-rs.sh
[root@ngx01 conf.d]# bash lvs-rs.sh
5.再次查看keepalived状态和lvs路由转发规则
后端服务器ngx启动并配置后查看keepalived日志,发现监听到了后端服务器并将路由加入了转发规则内
[root@lvs01-master ~]# journalctl -f -u keepalived
[root@lvs01-master ~]# ipvsadm
五、验证
1.验证此架构是否可以正常处理请求
k8s创建一个pod应用,并暴露ingress 模拟用户访问,此时需要将ingress的域名解析绑定为 虚拟VIP
浏览器模拟用户访问
如上 实现了nginx反向代理ingress的轮询流程
2.验证后端真实服务器ngx是否高可用
接下来验证每次请求都会负载到哪台后端真实服务器nginx来转发到ingress的呢,这就需要在ingress-controller上进行配置了
修改ingress的日志输出格式,并查看ingress的访问日志
[root@k8s-master ~]# vim /etc/kubernetes/manifests/ingress-controller.yaml
apiVersion: v1
data:log-format-upstream: '{"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", "request_id": "$req_id","remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol","path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time,"method": "$request
_method", "http_referrer": "$http_referer","http_user_agent": "$http_user_agent" }'
kind: ConfigMap
...
[root@k8s-master ~]# kubectl apply -f /etc/kubernetes/manifests/ingress-controller.yaml
如上图可以发现现在我们的请求都是经过nginx01 IP为1.7这台机器转发过来的
现关闭1.7这台ngx01模拟故障,客户端接着请求看是否会把请求转发至另一台1.8nginx02上
[root@ngx01 conf.d]# killall nginx
当ngx01宕机后,我们也可以通过keepalived的日志看到ngx01会被健康检测剔除
此时lvs的路由规则如下
3.验证lvs+keepalived是否高可用
当 keepalived master节点和backup节点同时在线且运行正常时,虚拟VIP会在keepalived master上, 如下:
lvs01-master节点:
lvs02-backup节点:
此时将lvs01 master节点的 keeaplived服务停止模拟宕机故障,看虚拟Vip是否会漂移到lvs02 backup节点上
[root@lvs01-master ~]# systemctl stop keepalived
再次查看lvs02 backup节点
可以看到虚拟vip已经漂移过来了
,并可以正常的提供服务,可以通过keepalived的日志来查看漂移过程;
ps:附加一个https的访问
方式二:Nginx+Keepalived+Ingress
server | IP |
---|---|
ngx01-master(keepalived) | 192.168.1.5 |
ngx02-slave(keepalived) | 192.168.1.6 |
ingress-ngx-controller01 | 192.168.1.2 |
ingress-ngx-controller02 | 192.168.1.3 |
这种方式是直接用nginx做负载均衡,同时兼顾反向代理的角色,直接通过七层代理协议来通过域名来分发请求,当并发少时可以使用这种方式
ps:每日PV1000万以下或并发请求1万以下都可以考虑用Nginx;构建大型网站或者提供重要服务且机器较多时,可多加考虑利用LVS。
一、部署keepalived及nginx
两台同操作
[root@localhost ~]# yum -y install nginx keepalived nginx-all-modules
二、配置nginx
1.修改ngx主配置文件
两台同操作
[root@localhost ~]# vim /etc/nginx/nginx.conf
#这里将默认的server块配置的端口监听改为除80以外的端口,因为80端口会用来代理ingress配合keepalived做检测
...server {listen 90;listen [::]:90;server_name _;root /usr/share/nginx/html;
...}
2.ngx反向代理ingress并启动
两台ngx同操作
[root@localhost ~]# vim /etc/nginx/conf.d/proxy-ingress.conf
upstream ingress-server-http{server 192.168.1.3:80 max_fails=2 fail_timeout=30s;server 192.168.1.2:80 max_fails=2 fail_timeout=30s;
}upstream ingress-server-https{server 192.168.1.3:443 max_fails=2 fail_timeout=30s;server 192.168.1.2:443 max_fails=2 fail_timeout=30s;
}server { # 设定虚拟主机配置listen 80; # 监听的端口server_name *.study.com; # 监听的地址,多个域名用空格隔开location / { # 默认请求 ,后面 "/" 表示开启反向代理,也可以是正则表达式proxy_set_header Host $http_host; # 重写请求头中的host字段proxy_pass http://ingress-server-http; # 代理转发proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;}add_header backendCode $upstream_status;add_header BackendIP "$upstream_addr;" always;
}server { # 设定虚拟主机配置#listen 80; # 监听的端口listen 443 ssl;server_name *.study.com; # 监听的地址,多个域名用空格隔开ssl_certificate /etc/nginx/conf.d/cert/web2.study.com.crt;ssl_certificate_key /etc/nginx/conf.d/cert/web2.study.com.key;ssl_session_timeout 5m;ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;ssl_prefer_server_ciphers on;location / { # 默认请求 ,后面 "/" 表示开启反向代理,也可以是正则表达式proxy_pass https://ingress-server-https;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;}add_header backendCode $upstream_status;add_header BackendIP "$upstream_addr;" always;
}
三、配置keepalived
1. 配置ngx01-master
[root@localhost ~]# vim /etc/keepalived/keepalived.conf
global_defs {router_id NGINX_MASTER
}vrrp_script check_nginx {script "/etc/keepalived/check_nginx.sh"
}vrrp_instance VI_1 {state MASTERinterface ens33 #修改为实际网卡名virtual_router_id 51 #每个虚拟路由器惟一标识,范围:0-255,同一组虚拟路由器的vrid必须一致priority 100 #优先级,备服务设置90advert_int 1 #指定VRRP心跳包通告间隔时间,默认为1秒authentication {auth_type PASSauth_pass 1111}#虚拟IPvirtual_ipaddress {192.168.1.99/24}track_script {check_nginx}
}
2. 配置ngx02-slave
global_defs {router_id NNGINX_BACKUP
}vrrp_script check_nginx {script "/etc/keepalived/check_nginx.sh"
}vrrp_instance VI_1 {state BACKUPinterface ens33virtual_router_id 51 #每个虚拟路由器惟一标识,范围:0-255,同一组虚拟路由器的vrid必须一致priority 90advert_int 1authentication {auth_type PASSauth_pass 1111}virtual_ipaddress {192.168.1.99/24}track_script {check_nginx}
}
3.配置检查nginx运行状态的脚本
两台同操作
check_nginx.sh 检测nginx脚本如下
[root@localhost ~]# vim /etc/keepalived/check_nginx.sh
nginx_status_http=$(ss -unptl |grep 80 |egrep -cv "grep|$$")
nginx_status_https=$(ss -unptl |grep 443 |egrep -cv "grep|$$")if [ $nginx_status_http -ne 0 ] && [ $nginx_status_https -ne 0 ];thenexit 0#echo "检测通过"
elseexit 1#echo "检测不通过"
fi
然后启动keepalived
systemctl start keepalived
四、验证
验证步骤跟第一种方式类似,keepalived起来之后看下虚拟vip,然后模拟kill掉其中一台的nginx服务看 IP是否会漂移到另一台上;
不同的是:
第一种方式两台lvs服务器挂掉一台VIP会漂移至另一台;
这种方式是两台服务器中的nginx服务挂掉一个VIP就会漂移至另一台;
方式三:LVS+Keepalived+Ingress
server | IP |
---|---|
lvs01-master(keepalived) | 192.168.1.5 |
lvs02-slave(keepalived) | 192.168.1.6 |
ingress-ngx-controller01 | 192.168.1.2 |
ingress-ngx-controller02 | 192.168.1.3 |
这种方式和第一种方式步骤相同,只不过不用添加ngx这一步了,
只需要 将keepalived配置的真实服务器(real_server)换成ingress controller的pod所在节点IP地址
和 关闭ingress controller的pod所在节点的arp查询功能并设置回环IP即可
一、部署ipvsadm和keepalived
lvs01和lvs02节点都部署
[root@localhost ~]# yum install ipvsadm keepalived
二、配置keepalived
1.配置lvs01(keepalived master)
[root@lvs01-master ~]# vim /etc/keepalived/keepalived.conf
global_defs {
# 这里将邮件设置的相关信息都注释掉了
# router_id是keepalived的一个标识,最好不同的keepalived配置成不一样router_id LVS_DEVEL_MASTER
}vrrp_instance VI_1 {# MASTER表示是主节点,备份节点是BACKUPstate MASTER# 工作接口用于选举,这里写网卡名称,这个不同的服务器,可能有所不同interface ens33# vrrp虚拟路由标识,如果是一组虚拟路由内的MASTER和BACKUP节点的该值要保持一致,如果是多组就定义多个,范围0-255virtual_router_id 51# 优先级,MASTER节点的值必须大于BACKUP的值priority 100# MASTER与BACKUP同步的时间间隔,单位为秒advert_int 1# lvs对应的真实IPmcast_src_ip=192.168.1.5authentication {auth_type PASSauth_pass 1111}# 虚拟IP的地址virtual_ipaddress {192.168.1.188}
}#定义lvs集群服务 这里就相当于设置lvs路由 也可以说是防火墙规则,当有请求来请求虚拟地址时转发至下面配置的真实服务器
virtual_server 192.168.1.188 80 {# 健康检查的时间,单位为秒delay_loop 6# 负载调度算法,这里设置为rr,即轮询算法lb_algo rr# 设置DR模式,返回请求时,不走LVS,直接返回到客户端。lb_kind DR# 虚拟地址的子网掩码nat_mask 255.255.255.0# 会话保持时间(对动态网页非常有用),单位为秒persistence_timeout 50#指定转发协议类型,有TCP和UDP两种protocol TCP# 配置后端真实服务器信息(这里指ngx)# 当然如果只是lvs+keepalived+ingress高可用的话,在这里就可以直接写ingress的信息real_server 192.168.1.2 80 {# 节点的权重,数字越大权重越高,被转发至此服务器的请求也就相应的多weight 1#realserver的状态监测设置 单位秒TCP_CHECK {# 连接超时时间connect_timeout 3# 重试次数nb_get_retry 3# 重试间隔delay_before_retry 3}}real_server 192.168.1.3 80 {weight 1TCP_CHECK {connect_timeout 3nb_get_retry 3delay_before_retry 3}}
}virtual_server 192.168.1.188 443 {delay_loop 6lb_algo rrlb_kind DRnat_mask 255.255.255.0persistence_timeout 50protocol TCPreal_server 192.168.1.2 443 {weight 1TCP_CHECK {connect_timeout 3nb_get_retry 3delay_before_retry 3}}real_server 192.168.1.3 443 {weight 1TCP_CHECK {connect_timeout 3nb_get_retry 3delay_before_retry 3}}
}
2.配置lvs02(keepalived backup)
[root@lvs02-slave ~]# vim /etc/keepalived/keepalived.conf
global_defs {
# 这里将邮件设置的相关信息都注释掉了
# router_id是keepalived的一个标识,最好不同的keepalived配置成不一样router_id LVS_DEVEL_BACKUP
}vrrp_instance VI_1 {# MASTER表示是主节点,备份节点是BACKUPstate BACKUP# 工作接口用于选举,这里写网卡名称,这个不同的服务器,可能有所不同interface ens33# vrrp虚拟路由标识,如果是一组虚拟路由内的MASTER和BACKUP节点的该值要保持一致,如果是多组就定义多个,范围0-255virtual_router_id 51# 优先级,MASTER节点的值必须大于BACKUP的值priority 99# MASTER与BACKUP同步的时间间隔,单位为秒advert_int 1# lvs对应的真实IPmcast_src_ip=192.168.1.6authentication {auth_type PASSauth_pass 1111}# 虚拟IP的址virtual_ipaddress {192.168.1.188}
}#定义lvs集群服务 这里就相当于设置lvs路由 也可以说是防火墙规则,当有请求来请求虚拟地址时转发至下面配置的真实服务器
virtual_server 192.168.1.188 80 {# 健康检查的时间,单位为秒delay_loop 6# 负载调度算法,这里设置为rr,即轮询算法lb_algo rr# 设置DR模式,返回请求时,不走LVS,直接返回到客户端。lb_kind DR# 虚拟地址的子网掩码nat_mask 255.255.255.0# 会话保持时间(对动态网页非常有用),单位为秒persistence_timeout 50#指定转发协议类型,有TCP和UDP两种protocol TCP# 配置后端真实服务器信息(这里指ngx)# 当然如果只是lvs+keepalived+ingress高可用的话,在这里就可以直接写ingress的信息real_server 192.168.1.2 80 {# 节点的权重,数字越大权重越高,被转发至此服务器的请求也就相应的多weight 1#realserver的状态监测设置 单位秒TCP_CHECK {# 连接超时时间connect_timeout 3# 重试次数nb_get_retry 3# 重试间隔delay_before_retry 3}}real_server 192.168.1.3 80 {weight 1TCP_CHECK {connect_timeout 3nb_get_retry 3delay_before_retry 3}}
}virtual_server 192.168.1.188 443 {delay_loop 6lb_algo rrlb_kind DRnat_mask 255.255.255.0persistence_timeout 50protocol TCPreal_server 192.168.1.2 443 {weight 1TCP_CHECK {connect_timeout 3nb_get_retry 3delay_before_retry 3}}real_server 192.168.1.3 443 {weight 1TCP_CHECK {connect_timeout 3nb_get_retry 3delay_before_retry 3}}
}
三、关闭ingress所在节点的arp查询功能并设置回环IP
ingress pod所在节点都要执行
[root@k8s-node2 ~]# vim /home/fands/lvs-rs.sh
vip=192.168.1.188
mask='255.255.255.255'
dev=lo:0echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announcesysctl -w net.ipv4.ip_forward=1
ifconfig $dev $vip broadcast $vip netmask $mask up
route add -host $vip dev $dev[root@ngx01 conf.d]# chmod +755 lvs-rs.sh
[root@ngx01 conf.d]# bash lvs-rs.sh
四、验证
这个方式验证方法跟方式一相同,不管是其中哪一个ingress pod 挂掉都不影响正常使用,其中lvs挂掉之后虚拟IP都会进行漂移至另一台lvs上不影响业务使用;可自行验证
总结
本文所有高可用的方式都是将域名解析至keepalived的VIP
遇到的问题如下:
当使用ingress配置了https时,
再使用nginx反向代理ingress的443端口的话,此时访问域名会发现访问地址被强制转了https,此时在ingress处并没有添加强制转https的配置,甚至还想能通过http访问
;
这样的话需要在ingress配置 将强制https关闭
;
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:annotations:nginx.ingress.kubernetes.io/ssl-redirect: "false"