HAProxy安装
dnf -y install haproxy keepalived
修改HAProxy配置
#删除配置文件中62行以下的全部内容,添加以下配置信息
vim /etc/haproxy/haproxy.cfg
listen kube-apiserver
# TCP passthrough: HAProxy does not terminate TLS, so each apiserver still
# authenticates every request itself (the curl test at the end returns 401
# from the apiserver, not from HAProxy).
mode tcp
bind *:9443
balance leastconn
# check inter 2000 rise 2 fall 5: probe each backend every 2 s; 2 consecutive
# successes mark it up, 5 consecutive failures mark it down.
server master1 192.168.88.51:6443 check inter 2000 rise 2 fall 5
server master2 192.168.88.52:6443 check inter 2000 rise 2 fall 5
server master3 192.168.88.53:6443 check inter 2000 rise 2 fall 5
listen stats
# The stats page listens on every interface; narrow the bind address or
# firewall port 8888 if it must not be reachable outside the control-plane network.
bind *:8888
stats enable
mode http
stats uri /stats
stats refresh 30s
# admin:admin is a placeholder — change it before deployment; the page exposes
# backend addresses and health state.
stats auth admin:admin
# Send HAProxy logs to the local rsyslog on facility local3 (rsyslog is
# configured for UDP 514 and local3.* below).
log 127.0.0.1 local3 info
开启HAProxy日志记录
vim /etc/rsyslog.conf
$ModLoad imudp # 取消该行注释,
$UDPServerRun 514 # 取消该行注释
local3.* /var/log/haproxy.log # 添加该行
#重启rsyslog
systemctl restart rsyslog
启动HAProxy
# 启动并设置开机自启
systemctl enable haproxy --now
#查看日志文件
less /var/log/haproxy.log
#将配置文件复制到master2和master3
scp /etc/haproxy/haproxy.cfg master2:/etc/haproxy/
scp /etc/haproxy/haproxy.cfg master3:/etc/haproxy/
scp /etc/rsyslog.conf master2:/etc/rsyslog.conf
scp /etc/rsyslog.conf master3:/etc/rsyslog.conf
systemctl restart rsyslog
systemctl enable haproxy --now
部署keepalived
修改配置文件
vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
# Must be unique per node (master2/master3 use a different id, see below).
router_id LVS_1
}
# Runs the HAProxy health check every 2 s; while it fails this node's VRRP
# priority is reduced by 30 so a BACKUP with a live HAProxy takes the VIP.
vrrp_script checkhaproxy
{
script "/usr/bin/check-haproxy.sh"
interval 2
weight -30
}
vrrp_instance VI_1 {
# MASTER on master1; the copies on master2/master3 are set to BACKUP below.
state MASTER
interface eth0
virtual_router_id 51
priority 100
advert_int 1
virtual_ipaddress {
192.168.88.100/24 dev eth0
}
# auth_type PASS is a simple password carried in VRRP advertisements;
# "password" is a placeholder — use a non-default value, identical on all nodes.
authentication {
auth_type PASS
auth_pass password
}
track_script {
checkhaproxy
}
}
HAproxy健康检查脚本
vim /usr/bin/check-haproxy.sh
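#!/bin/bash
# check-haproxy.sh — keepalived vrrp_script health check for the local HAProxy.
#
# Exit status: 0 when a TCP socket is listening on the kube-apiserver frontend
# port (9443 in haproxy.cfg), 1 otherwise. keepalived applies the script's
# weight on a non-zero status so the VIP moves to a node whose HAProxy is up.
#
# HAPROXY_PORT overrides the port for reuse with other frontends.
# Keep this file root-owned and not group/world-writable: keepalived runs it
# as root and, with script security enabled, refuses scripts writable by others.

port="${HAPROXY_PORT:-9443}"

# The previous `netstat -apn | grep 9443 | wc -l` matched any line containing
# "9443" (a PID, a client connection, port 19443 …); only a listening socket
# on exactly this port counts. Prefer ss (iproute2); fall back to netstat.
if command -v ss >/dev/null 2>&1; then
  listeners=$(ss -ltn 2>/dev/null)
else
  listeners=$(netstat -ltn 2>/dev/null)
fi

if grep -qE ":${port}[[:space:]]" <<<"$listeners"; then
  exit 0
fi
exit 1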
拷贝配置文件
scp master1:/usr/bin/check-haproxy.sh /usr/bin/check-haproxy.sh
scp master1:/etc/keepalived/keepalived.conf /etc/keepalived/keepalived.conf
修改配置文件
#修改以下部分
vim /etc/keepalived/keepalived.conf
# 为本机取一个唯一id
router_id LVS_2
state BACKUP
#将状态改为备份状态
启动服务
systemctl enable --now keepalived
验证集群是否可以访问
curl -v -k https://192.168.88.100:9443
* About to connect() to 192.168.88.100 port 9443 (#0)
* Trying 192.168.88.100...
* Connected to 192.168.88.100 (192.168.88.100) port 9443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=192.168.18.51
* start date: 3月 31 06:56:28 2025 GMT
* expire date: 3月 07 06:56:28 2125 GMT
* common name: 192.168.18.51
* issuer: CN=192.168.88.51
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 192.168.88.100:9443
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Audit-Id: 93b30652-4597-4c8e-a3c0-5f531596e25d
< Cache-Control: no-cache, private
< Content-Type: application/json
< Date: Tue, 01 Apr 2025 08:02:25 GMT
< Content-Length: 157
<
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
* Connection #0 to host 192.168.88.100 left intact