我的书签
添加书签
移除书签OpenYurt 安装前置条件
1.背景说明
OpenYurt为适应边端环境,需要用户对K8S做一些调整,如:CoreDNS,KubeProxy等。
2. CoreDNS调整
一般场景下,CoreDNS是以Deployment形式部署,在边端场景下,域名解析请求无法跨NodePool,所以CoreDNS需要以Daemonset或者YurtAppDaemon形式部署,以实现将hostname解析为tunnelserver地址。
2.1 CoreDNS 配置修改
修改kube-system namespace下的ConfigMap coredns,增加如下内容:
hosts /etc/edge/tunnel-nodes { # 增加hosts插件reload 300msfallthrough}
修改后效果如下:
apiVersion: v1data:Corefile: |.:53 {errorslog . {class denial success}health {lameduck 5s}readyhosts /etc/edge/tunnel-nodes { # 增加hosts插件reload 300msfallthrough}kubernetes cluster.local in-addr.arpa ip6.arpa {pods insecurefallthrough in-addr.arpa ip6.arpattl 30}prometheus :9153forward . /etc/resolv.conf {max_concurrent 1000}cache 30loopreloadloadbalance}kind: ConfigMapmetadata:name: corednsnamespace: kube-system
2.2 CoreDNS 支持服务拓扑
增加annotation,利用openyurt的机制实现边缘服务选择。
# 利用openyurt实现endpoint过滤kubectl annotate svc kube-dns -n kube-system openyurt.io/topologyKeys='openyurt.io/nodepool'
修改后效果:
apiVersion: v1kind: Servicemetadata:annotations:openyurt.io/topologyKeys: openyurt.io/nodepoolprometheus.io/port: "9153"prometheus.io/scrape: "true"creationTimestamp: "2022-02-14T10:13:37Z"labels:k8s-app: kube-dnskubernetes.io/cluster-service: "true"kubernetes.io/name: KubeDNSname: kube-dnsnamespace: kube-systemresourceVersion: "65474309"selfLink: /api/v1/namespaces/kube-system/services/kube-dnsuid: ee23195f-44c3-4c70-99e2-aff4d5cf0ae1spec:clusterIP: 10.254.0.10ports:- name: dnsport: 53protocol: UDPtargetPort: 53- name: dns-tcpport: 53protocol: TCPtargetPort: 53- name: metricsport: 9153protocol: TCPtargetPort: 9153selector:k8s-app: kube-dnssessionAffinity: Nonetype: ClusterIP
2.2 CoreDNS DaemonSet部署
如果CoreDNS原本使用DaemonSet部署,可以手工进行如下调整:
1)可以调整CoreDNS的镜像为自己的版本;
2)需要挂载Volume ConfigMap yurt-tunnel-nodes;
apiVersion: apps/v1kind: DaemonSetmetadata:labels:k8s-app: kube-dnsname: corednsnamespace: kube-systemspec:selector:matchLabels:k8s-app: kube-dnstemplate:metadata:labels:k8s-app: kube-dnsspec:containers:- args:- -conf- /etc/coredns/Corefileimage: registry.aliyuncs.com/google_containers/coredns:1.7.0livenessProbe:failureThreshold: 5httpGet:path: /healthport: 8080scheme: HTTPinitialDelaySeconds: 60periodSeconds: 10successThreshold: 1timeoutSeconds: 5name: corednsports:- containerPort: 53name: dnsprotocol: UDP- containerPort: 53name: dns-tcpprotocol: TCP- containerPort: 9153name: metricsprotocol: TCPreadinessProbe:failureThreshold: 3httpGet:path: /readyport: 8181scheme: HTTPperiodSeconds: 10successThreshold: 1timeoutSeconds: 1resources:limits:memory: 170Mirequests:cpu: 100mmemory: 70MisecurityContext:allowPrivilegeEscalation: falsecapabilities:add:- NET_BIND_SERVICEdrop:- allreadOnlyRootFilesystem: truevolumeMounts:- mountPath: /etc/corednsname: config-volumereadOnly: true- mountPath: /etc/edgename: hostsreadOnly: truednsPolicy: DefaultnodeSelector:kubernetes.io/os: linuxpriorityClassName: system-cluster-criticalserviceAccount: corednsserviceAccountName: corednstolerations:- operator: Exists- key: CriticalAddonsOnlyoperator: Exists- effect: NoSchedulekey: node-role.kubernetes.io/mastervolumes:- configMap:defaultMode: 420items:- key: Corefilepath: Corefilename: corednsname: config-volume- configMap:defaultMode: 420name: yurt-tunnel-nodesname: hosts
2.4 减少CoreDNS Deployment 副本数
如果k8s不是用Deployment部署,可以不进行操作。
kubectl scale --replicas=0 deployment/coredns -n kube-system
3. KubeProxy调整
kubeadm部署的k8s集群会为KubeProxy生成kubeconfig配置,在不配置Service Topology 和 Topology Aware Hints 情况下,KubeProxy使用这个kubeconfig拿到的endpoints是全量的。
云边端场景下,边缘节点间很有可能无法互通,因此需要endpoints基于nodepool进行拓扑。直接将kube-proxy的kubeconfig配置删除,将apiserver请求经过yurthub即可解决服务拓扑问题。
KubeProxy支持流量拓扑
kubectl edit cm -n kube-system kube-proxy
注释掉config.conf文件下的clientConnection.kubeconfig,修改完后效果如下:
apiVersion: v1data:config.conf: |-apiVersion: kubeproxy.config.k8s.io/v1alpha1bindAddress: 0.0.0.0bindAddressHardFail: falseclientConnection:acceptContentTypes: ""burst: 0contentType: ""#kubeconfig: /var/lib/kube-proxy/kubeconfig.confqps: 0clusterCIDR: 100.64.0.0/10configSyncPeriod: 0s// 省略
重启KubeProxy Pod
为使上述配置生效,需要重启kubeproxy的pod,线上环境谨慎操作。
kubectl delete pod -n kube-system -l k8s-app=kube-proxy
KubeProxy功能验证
可以通过KubeProxy的日志进行验证是否修改成功,为防止日志过多,生产环境谨慎使用。
kubectl edit ds -n kube-system kube-proxy
在command后面追加参数--v=6,修改后效果:
apiVersion: apps/v1kind: DaemonSetmetadata:annotations:deprecated.daemonset.template.generation: "3"creationTimestamp: "2022-05-10T06:27:27Z"generation: 3labels:k8s-app: kube-proxyname: kube-proxynamespace: kube-systemresourceVersion: "5377081"uid: 0f8eccdd-d26f-48f0-8401-8d762a630dc8spec:revisionHistoryLimit: 10selector:matchLabels:k8s-app: kube-proxytemplate:metadata:creationTimestamp: nulllabels:k8s-app: kube-proxyspec:containers:- command:- /usr/local/bin/kube-proxy- --config=/var/lib/kube-proxy/config.conf- --hostname-override=$(NODE_NAME)- --v=6
检查KubeProxy的Pod输出日志,如果apiserver地址是:169.254.2.1:10268代表修改成功。日志输出样例:
I0521 02:57:01.986790 1 round_trippers.go:454] GET https://169.254.2.1:10268/api/v1/nodes/jd-sh-qianyi-test-02 200 OK in 12 millisecondsI0521 02:57:02.021682 1 round_trippers.go:454] POST https://169.254.2.1:10268/api/v1/namespaces/default/events 201 Created in 4 milliseconds
