쿠버네티스 클러스터를 구현하는 방법

쿠버네티스 클러스터(Kubernetes Cluster)를 구현하는 방법

쿠버네티스 클러스터를 멀티 마스터 환경에서 고가용성(HA)을 구현하는 것은 클러스터의 Control Plane을 여러 마스터 노드로 분산하여 단일 장애 지점을 없애는 중요한 작업입니다. 이를 통해 클러스터의 신뢰성과 가용성을 높일 수 있습니다.

테스트 환경

Hostname	IP Address	패키지	비고
k8s-lb1	192.168.10.110	haproxy
node111	192.168.10.111	kubelet kubeadm kubectl
node112	192.168.10.112	kubelet kubeadm kubectl
node113	192.168.10.113	kubelet kubeadm kubectl

1. 로드 밸런서 HAProxy 설정

로드 밸런서 : 클러스터 API 서버에 대한 요청을 분산시키기 위해 로드 밸런서를 설정합니다. 모든 마스터 노드의 API 서버 IP를 로드 밸런서에 등록합니다.

vim /etc/haproxy/haproxy.cfg

# Kubernetes API Server Frontend
frontend kubernetes
    bind 0.0.0.0:6443
    mode tcp
    option tcplog
    default_backend kubernetes-master-nodes

# Backend for Kubernetes Master Nodes
backend kubernetes-master-nodes
    mode tcp
    option tcp-check
    balance roundrobin
    server master1 192.168.10.111:6443 check fall 3 rise 2
    server master2 192.168.10.112:6443 check fall 3 rise 2
    server master3 192.168.10.113:6443 check fall 3 rise 2

---

sudo add-apt-repository -y ppa:vbernat/haproxy-3.0

sudo apt-get install haproxy=3.0.\*

sudo systemctl --now enable haproxy

sudo vim /etc/haproxy/haproxy.cfg

# HAProxy configuration file
global
    log 127.0.0.1   local0
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

# Kubernetes API Server Frontend
frontend kubernetes
    bind 0.0.0.0:6443
    mode tcp
    option tcplog
    default_backend kubernetes-master-nodes

# Backend for Kubernetes Master Nodes
backend kubernetes-master-nodes
    mode tcp
    option tcp-check
    balance roundrobin
    server master1 192.168.10.111:6443 check fall 3 rise 2
    server master2 192.168.10.112:6443 check fall 3 rise 2
    server master3 192.168.10.113:6443 check fall 3 rise 2

# Statistics interface
listen stats
    bind *:9000
    mode http
    stats enable
    stats uri /
    stats refresh 10s
    stats realm HAProxy\ Statistics
    stats auth admin:admin
    stats refresh 30s
    maxconn 30

sudo haproxy -c -f /etc/haproxy/haproxy.cfg

HAProxy 재시작

sudo systemctl restart haproxy

sudo systemctl status haproxy --no-pager -l

---

2. CRI와 Kubernetes 패키지 설치

모든 마스터 노드에서 CRI와 Kubernetes 패키지를 삭제합니다.

curl -fsSL https://raw.githubusercontent.com/anti1346/codes/main/kubernetes/k8s_remove.sh -o k8s_remove.sh

bash k8s_remove.sh

모든 마스터 노드에서 Kubernetes 설치를 위한 시스템 설정을 합니다.

curl -fsSL https://raw.githubusercontent.com/anti1346/codes/main/kubernetes/k8s_system_setup.sh -o k8s_system_setup.sh

bash k8s_system_setup.sh

모든 마스터 노드에서 CRI와 Kubernetes 패키지를 설치합니다.

curl -fsSL https://raw.githubusercontent.com/anti1346/codes/main/kubernetes/k8s_install.sh -o k8s_install.sh

bash k8s_install.sh

3. Kubernetes 클러스터 초기화

클러스터 초기화

• 첫 번째 마스터 노드에서 클러스터를 초기화합니다.

sudo kubeadm init \
--pod-network-cidr=10.244.0.0/16 \
--control-plane-endpoint "Load Balancer IP Address:6443" \
--upload-certs

sudo kubeadm init \
--pod-network-cidr=10.244.0.0/16 \
--control-plane-endpoint 192.168.10.110:6443 \
--upload-certs | tee $HOME/kubeadm_init_output.log

• <LOAD_BALANCER_DNS> : API 서버에 접근할 수 있는 로드 밸런서의 DNS 또는 IP
• <PORT> : 기본 포트는 6443입니다.

...
Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of the control-plane node running the following command on each as root:

  kubeadm join 192.168.10.110:6443 --token w65j4b.0t93qgejbhexxvxd \
	--discovery-token-ca-cert-hash sha256:d0283d0436c3737c581badda1f57550a683813ff50d0d6bb6f9f9ae600c8d630 \
	--control-plane --certificate-key 9e9ebb0e914f6e29985e61eb5f5ebdd6cbe67f2619c4528f8813084b261431b7

Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.10.110:6443 --token w65j4b.0t93qgejbhexxvxd \
	--discovery-token-ca-cert-hash sha256:d0283d0436c3737c581badda1f57550a683813ff50d0d6bb6f9f9ae600c8d630

kubeconfig 설정

mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config

클러스터 상태 확인

kubectl get nodes

NAME      STATUS     ROLES           AGE   VERSION
node111   NotReady   control-plane   50s   v1.30.3

728x90

4. 다른 마스터 노드 연결

다른 마스터를 클러스터에 추가합니다.

kubeadm join 192.168.10.110:6443 \
  --token w65j4b.0t93qgejbhexxvxd \
  --discovery-token-ca-cert-hash sha256:d0283d0436c3737c581badda1f57550a683813ff50d0d6bb6f9f9ae600c8d630 \
  --control-plane --certificate-key 9e9ebb0e914f6e29985e61eb5f5ebdd6cbe67f2619c4528f8813084b261431b7

• <TOKEN> : 첫 번째 마스터에서 생성한 토큰
• <HASH> : 인증서 해시
• <CERTIFICATE_KEY> : 인증서 키

...
This node has joined the cluster and a new control plane instance was created:

* Certificate signing request was sent to apiserver and approval was received.
* The Kubelet was informed of the new secure connection details.
* Control plane label and taint were applied to the new node.
* The Kubernetes control plane instances scaled up.
* A new etcd member was added to the local/stacked etcd cluster.

To start administering your cluster from this node, you need to run the following as a regular user:

        mkdir -p $HOME/.kube
        sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
        sudo chown $(id -u):$(id -g) $HOME/.kube/config

Run 'kubectl get nodes' to see this node join the cluster.

kubeconfig 설정

mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config

클러스터 상태 확인

kubectl get nodes

NAME      STATUS     ROLES           AGE     VERSION
node111   NotReady   control-plane   5m22s   v1.30.3
node112   NotReady   control-plane   3m5s    v1.30.3
node113   NotReady   control-plane   48s     v1.30.3

5. 네트워크 플러그인 설치

Cilium은 고성능 네트워킹과 보안을 제공하는 Kubernetes의 CNI(Container Network Interface) 플러그인입니다.

Cilium CLI 설치

Cilium CLI를 다운로드하고 설치해야 합니다.

curl -sL --remote-name https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz

Cilium CLI 다운로드

tar xzf cilium-linux-amd64.tar.gz

압축 해제 및 설치

sudo mv cilium /usr/local/bin/

Cilium CLI 버전 확인

cilium version

cilium-cli: v0.16.15 compiled with go1.22.5 on linux/amd64
cilium image (default): v1.16.0
cilium image (stable): v1.16.0
cilium image (running): unknown. Unable to obtain cilium version. Reason: release: not found

Cilium 설치

Cilium CLI를 사용해 Cilium을 Kubernetes 클러스터에 설치할 수 있습니다.

 

Cilium 설치 명령 실행

• Cilium을 기본 설정으로 설치합니다. 설치 과정에서는 Kubernetes 클러스터에 필요한 리소스를 생성하고 Cilium 에이전트를 모든 노드에 배포합니다.

cilium install

ℹ️  Using Cilium version 1.16.0
🔮 Auto-detected cluster name: kubernetes
🔮 Auto-detected kube-proxy has been installed

설치 확인

• Cilium의 상태와 네트워크가 정상적으로 동작하고 있는지 확인할 수 있습니다.

cilium status

cilium

kubectl get pods -n kube-system -o wide

 

kubectl get pods -n kube-system -l k8s-app=cilium

kubectl get pods -n kube-system -l k8s-app=cilium-envoy

또는

kubectl get pods -n kube-system --selector='k8s-app in (cilium-envoy, cilium)'

NAME                 READY   STATUS    RESTARTS   AGE
cilium-envoy-7w9x4   1/1     Running   0          3m33s
cilium-envoy-92mbh   1/1     Running   0          3m33s
cilium-envoy-sdzks   1/1     Running   0          3m33s
cilium-jkbw5         1/1     Running   0          3m33s
cilium-mqzgp         1/1     Running   0          3m33s
cilium-szvvq         1/1     Running   0          3m33s

Cilium CLI로 설치된 리소스 제거

cilium uninstall

Calico 네트워크 플러그인을 설치합니다.

kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml

클러스터 노드 상태 확인

kubectl get nodes

NAME      STATUS   ROLES           AGE   VERSION
node111   Ready    control-plane   16m   v1.30.3
node112   Ready    control-plane   13m   v1.30.3
node113   Ready    control-plane   11m   v1.30.3

클러스터 파드 상태 확인

kubectl get pods --all-namespaces

 

참고URL

- Kubernetes Documentation : Creating Highly Available Clusters with kubeadm

- Kubernetes Documentation : Kubernetes Components

- Kubernetes Documentation : Options for Highly Available Topology

- Kubernetes Components : 포트와 프로토콜