Workarounds for the time before kubeadm HA becomes available #546
See also https://github.com/cookeem/kubeadm-ha - this seems to cover what I want to achieve here. |
@mbert we started implementing the HA features and chopped wood on the underlying dependency stack now in v1.9, but it's a short cycle for a big task, so the work will continue in v1.10 as you pointed out. For v1.9, we will document what you're describing here in the official docs though; how to achieve HA with external deps like setting up a LB |
Excellent. I am digging through all this right now. I am currently stuck at bootstrapping masters 2 and 3, in particular how to configure the kubelet and apiserver (how much can I reuse from master 1?) and etcd (I am thinking of using a bootstrap etcd on a separate machine for discovery). The guide from the docs is a bit terse when it comes to this. |
@mbert I have been following your comments here and I just want to let you know that I followed the guide in the docs and was able to stand up a working HA k8s cluster using kubeadm (v1.8.x). If you are following this setup and need to bootstrap masters 2 and 3, you can reuse almost everything from the first master. You then need to fix up the following configuration files on masters 2 and 3 to reflect the current host: /etc/kubernetes/manifests/kube-apiserver.yaml, /etc/kubernetes/kubelet.conf, /etc/kubernetes/admin.conf, and /etc/kubernetes/controller-manager.conf. Regarding etcd, if you follow that guide you should stand up an external 3-node etcd cluster that spans the 3 k8s master nodes. There is also one 'gotcha' that has NOT yet been covered in the guide. I also asked a few questions related to kubeadm HA in this post: cookeem/kubeadm-ha#7. I really hope you can give me some thoughts on these. Thank you in advance for your time. |
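As a rough illustration of the "reuse almost everything from the first master" approach described above, here is a hedged sketch (not the exact commands from that setup; the host names `master2`/`master3` and the IP addresses are hypothetical):

```bash
# On master1: copy the kubeadm-generated state to the other masters.
for host in master2 master3; do
  scp -r /etc/kubernetes root@${host}:/etc/
done

# On master2 and master3: replace master1's address with the local one in the
# files listed above as host-specific (host names may need the same treatment),
# then restart the kubelet.
OLD_IP=10.0.0.11                 # assumption: master1's IP
NEW_IP=10.0.0.12                 # assumption: this master's IP
for f in /etc/kubernetes/manifests/kube-apiserver.yaml \
         /etc/kubernetes/kubelet.conf \
         /etc/kubernetes/admin.conf \
         /etc/kubernetes/controller-manager.conf; do
  sed -i "s/${OLD_IP}/${NEW_IP}/g" "$f"
done
systemctl restart kubelet
```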
This is great - definitely need this, as I am sure 99% of kubeadm users have a nagging paranoia in the back of their heads about HA of their master(s). |
@kcao3 thank you. I will look into all of this this coming Monday. So I understand that it is OK to use identical certificates on all three masters? If yes, the next thing I'll try will be bringing up the kubelet and apiserver on masters 2 and 3 using the configuration from master 1 (with modified IPs and host names, of course) and then bootstrapping the etcd cluster by putting a modified etcd.yaml into /etc/kubernetes/manifests. Today I ran into problems because the running etcd on master 1 already had cluster information in its data dir, which I had to remove first, but I was still running into problems. I guess some good nights of sleep will be helpful. Once I've got this running I shall document the whole process and publish it. |
@srflaxu40 yep, and in particular if you have an application that indirectly requires apiserver at runtime (legacy application and service discovery in my case) you cannot afford to lose the only master at any time. |
**Convert the single-instance etcd to a cluster**
I have been able to replace the single etcd instance with a cluster in a fresh K8s cluster. The steps are roughly these:
Step 5 is somewhat awkward, and I have found that if I miss the right time here, or need too much time to get the other two masters to join (step 6), my cluster gets into a state from which it can hardly recover. While this works, I'd be interested in possible improvements: is there any alternative, more elegant and robust approach to this (provided that I still want to follow the approach of running etcd in containers on the masters)? This comment aims to collect feedback and hints at an early stage. I will post updates on the next steps in a similar way before finally documenting this as a followable guide. |
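For readers attempting the same conversion, the underlying etcd mechanics look roughly like the sketch below. This is not the exact procedure from the comment above; the member names, addresses and the etcdctl API version (v2 syntax shown) are assumptions.

```bash
# On the existing member (the etcd static pod on master1): register the new
# member before it is started.
etcdctl member add etcd-master2 http://10.0.0.12:2380

# On master2: start etcd so that it joins the existing cluster instead of
# bootstrapping a new one. With kubeadm these flags would go into the static
# pod manifest /etc/kubernetes/manifests/etcd.yaml.
etcd --name etcd-master2 \
  --data-dir /var/lib/etcd \
  --listen-peer-urls http://10.0.0.12:2380 \
  --initial-advertise-peer-urls http://10.0.0.12:2380 \
  --listen-client-urls http://127.0.0.1:2379,http://10.0.0.12:2379 \
  --advertise-client-urls http://10.0.0.12:2379 \
  --initial-cluster etcd-master1=http://10.0.0.11:2380,etcd-master2=http://10.0.0.12:2380 \
  --initial-cluster-state existing

# Repeat 'member add' plus the join for master3, and make sure every member's
# --initial-cluster lists all peers.
```

The tight timing mentioned above is inherent to this procedure: after `member add`, quorum immediately includes the new member, so the cluster stalls until that member actually joins.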
@mbert Why do not you use a independent ETCD cluster instead of creating in the k8s? |
@KeithTt Thank you for your feedback. These were my considerations:
If an independent etcd cluster's advantages outweigh the above list, I shall be happy to be convinced otherwise. |
@mbert Please make sure you sync with @jamiehannaford on this effort, he's also working on this / committed to making these docs a thing in v1.9 @mbert are you available to join our SIG meeting today 9PT or the kubeadm implementation PR tomorrow 9PT? I'd love to discuss this with you in a call 👍 |
@luxas actually it was @jamiehannaford who asked me to open this issue. Once I have got things running and documented I hope to get lots of feedback from him. |
Following guides here and there I managed to do it. Here are my final steps: |
/cc @craigtracey |
Created (not converted) a 3-master-node cluster using kubeadm, with a 3-node etcd cluster deployed on Kubernetes. Here's what I needed to do:
Problems:
The way I did it was using `kubeadm alpha phase` steps; a short list follows. On all master nodes:
On masternode1:
This is a really short list of what I did, and it can be automated and reproduced in 5 minutes. Also, for me the greatest bonus was that I was able to set a non-standard pod-network CIDR, as I had the restriction of not being able to spare a class B IP address range. If you're interested in a more detailed version, please let me know and I'll try to create some docs on how this was done. |
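I don't know the exact phase commands used in the comment above, but with kubeadm v1.9 a phase-by-phase bring-up of an additional master could look roughly like this (a hedged sketch; `kubeadm-config.yaml` is an assumed shared configuration file, and flags may differ between kubeadm versions):

```bash
# On each additional master, with the shared CA (and service-account keys)
# already copied into /etc/kubernetes/pki and a common kubeadm-config.yaml
# in place:
kubeadm alpha phase certs all --config kubeadm-config.yaml
kubeadm alpha phase kubeconfig all --config kubeadm-config.yaml
kubeadm alpha phase controlplane all --config kubeadm-config.yaml
kubeadm alpha phase etcd local --config kubeadm-config.yaml   # only if etcd runs as local static pods
kubeadm alpha phase mark-master                               # label/taint the node as a master
```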
@dimitrijezivkovic thank you for your comment. I think it would make sense to put all the relevant information together so that one piece of documentation comes out. I plan to set up a google docs document and start documenting what I did (which is pretty bare-bones). I would then invite others to join and write extensions, corrections, comments? |
I have now "documented" a very simple setup in form of a small ansible project: https://github.com/mbert/kubeadm2ha It is of course still work in progress, but it already allows to set up a multi-master cluster without any bells and whistles. I have tried to keep it as simple as possible so that by reading one should be able to find out pretty easily what needs to be done in which order. Tomorrow I will start writing this up as a simple cooking recipe in a google docs document and invite others to collaborate. |
Just to call it out explicitly, there's a bunch of orthogonal issues mashed together in the above conversation/suggestions. It might be useful to break these out separately, and perhaps prioritise some above others:
Imo the bare minimum we need is etcd durability (or perhaps availability), and the rest can wait. That removes the "fear" factor, while still requiring some manual intervention to recover from a primary master failure (ie: an active/passive setup of sorts). I think the details of the rest depend hugely on self-hosted vs "legacy", so I feel like it would simplify greatly if we just decided now to assume self-hosted (or not?) - or we clearly fork the workarounds/docs into those two buckets so we don't confuse readers by chopping and changing. Aside: One of the challenges here is that just about everything to do with install+upgrade changes if you assume a self-hosted+HA setup (it mostly simplifies everything because you can use rolling upgrades, and in-built k8s machinery). I feel that by continually postponing this setup we've actually made it harder for ourselves to reach that eventual goal, and I worry that we're just going to keep pushing the "real" setup back further while we work on perfecting irrelevant single-master upgrades :( I would rather we addressed the HA setup first, and then worked backwards to try to produce a single-host approximation if required (perhaps by packing duplicate jobs temporarily onto the single host), rather than trying to solve single-host and then somehow think that experience will help us with multi-host. |
@mbert I have achieved the HA proposal by generating the certs manually for each node, and without deleting |
FYI all, @mbert has started working on a great WIP guide for kubeadm HA manually that we'll add to the v1.9 kubeadm docs eventually: https://docs.google.com/document/d/1rEMFuHo3rBJfFapKBInjCqm2d7xGkXzh0FpFO0cRuqg/edit Please take a look at the doc everyone, and provide your comments. We'll soon-ish convert this into markdown and send as a PR to kubernetes/website. Thank you @mbert and all the others that are active in thread, this will be a great collaboration! |
Hi @mbert and others - Over the past year or so, I have set up several k8s clusters (kubeadm and otherwise) driven from Cobbler / Puppet on CoreOS and CentOS. However, none of these has been HA. My next task is to integrate K8s HA and I want to use kubeadm. I'm unsure whether to go with @mbert's HA setup guide or @jamiehannaford's HA guide. Also - this morning I read @timothysc's Proposal for a highly available control plane configuration for ‘kubeadm’ deployments, and I like the "initial etcd seed" approach he outlines. However, I don't see that same approach in either @mbert's or @jamiehannaford's work. @mbert appears to use a single, k8s-hosted etcd while @jamiehannaford's guide documents the classic approach of external etcd (which is exactly what I have used for my other non-HA POC efforts). What do you all recommend? External etcd, single self-hosted, or locating and using the "seed" etcd (with pivot to k8s-hosted)? If the last - what guide or documentation do you suggest? TIA! |
@andybrucenet External etcd is recommended for HA setups (at least at this moment in time). CoreOS has recently dropped support for any kind of self-hosted setup. Self-hosting should only really be used for dev, staging or casual clusters. |
@andybrucenet Not quite - I am using an external etcd cluster just like @jamiehannaford proposes in his guide. Actually the approaches described in our respective documents should be fairly similar. It is based on setting up the etcd cluster you feel you need and then have kubeadm use it when bootstrapping the Kubernetes cluster. I am currently more or less about to finish my guide and the ansible-based implementation by documenting and implementing a working upgrade procedure - that (and some bugfixes) should be done sometime next week. Not quite sure whether there will be any need to further transfer my guide into yours, @jamiehannaford what do you think? |
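To illustrate the "have kubeadm use it when bootstrapping" part: with kubeadm v1.9 the external etcd endpoints and the extra SANs for a load-balanced API server can be passed via the config file given to `kubeadm init`. A sketch, assuming the v1alpha1 `MasterConfiguration` format of that release; the endpoints, certificate paths and DNS name are hypothetical:

```bash
cat <<'EOF' > kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
kubernetesVersion: v1.9.2
apiServerCertSANs:
- "k8s-api.example.com"        # hypothetical load balancer / VIP name
etcd:
  endpoints:
  - https://10.0.0.11:2379
  - https://10.0.0.12:2379
  - https://10.0.0.13:2379
  caFile: /etc/etcd/pki/ca.crt
  certFile: /etc/etcd/pki/client.crt
  keyFile: /etc/etcd/pki/client.key
EOF

kubeadm init --config kubeadm-config.yaml
```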
Actually the hostname-override was unnecessary. When running |
I have now added a chapter on upgrading HA clusters to my HA setup guide. Also, I have added code for automating this process to my ansible project on GitHub. Take a look at the README.md file there for more information. |
@mbert for the upgrade process you've outlined, what are the exact reasons for manually copying the configs and manifests from |
@mattkelly It seemed rather dangerous to me. |
Replying to myself: Having looked at Jamie's guide on kubernetes.io, running kubeadm on the masters may work, even when setting up the cluster. I'll try this out next week and probably make some changes to my documents accordingly. |
FWIW, running … Edit: Also important to note is that I'm only testing on v1.9+. The upgrade was from v1.9.0 to v1.9.2. |
I have now followed the guide on kubernetes.io that @jamiehannaford created, i.e. ran kubeadm on each of the masters when setting up the cluster. Now I am running into trouble when trying to upgrade the cluster: the upgrade step fails reproducibly (I always start from scratch, i.e. remove all configuration files plus etcd data from all nodes before starting a new setup). I tried out several variations, but no success:
I have attached some logs. However I cannot really find any common pattern that would explain this problem to me. Maybe it is something I just don't know? upgrade-failed-proxy-on-vip.log |
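For context, the upgrade path being tested here is the stock kubeadm one, roughly as sketched below (versions as mentioned in the surrounding comments; exact flags and package names may vary):

```bash
# On the first master, with a working /etc/kubernetes/admin.conf:
kubeadm upgrade plan
kubeadm upgrade apply v1.9.2

# Afterwards upgrade the kubelet on every node, e.g. on RPM-based systems:
yum install -y kubelet-1.9.2 kubeadm-1.9.2
systemctl restart kubelet
```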
Having tried out a few more things, it boils down to the following:
Others like @mattkelly have been able to perform the upgrade without such edits. Has anybody got a clue what I should change so that upgrading works without this (rather dirty) trick? I have tried upgrading from both 1.8.3 and 1.9.0 to 1.9.2, with the same result. |
@mbert I'm now reproducing your issue from a fresh v1.9.0 cluster created using hakube-installer. Trying to upgrade to v1.9.3. I can't think of anything that has changed with my workflow. I'll try to figure it out today. I verified that deleting the |
Thank you, that's very helpful. I have now added patching |
@mbert oops, I figured out the difference :). For previous upgrades I had been providing the config generated during setup via |
- In the provided configuration file for `kubeadm init` the value for `apiserver-count` needs to be put in quotes.
- In addition to /etc/kubernetes/pki/ca.*, the files /etc/kubernetes/pki/sa.* also need to be copied to the additional masters. See [this comment](kubernetes/kubeadm#546 (comment)) by @petergardfjall for details.
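A minimal sketch of those two fixes (paths as given above; the host names and the `apiServerExtraArgs` placement are assumptions):

```bash
# Copy the CA *and* the service-account key pair to the additional masters:
for host in master2 master3; do
  scp /etc/kubernetes/pki/ca.* /etc/kubernetes/pki/sa.* root@${host}:/etc/kubernetes/pki/
done

# In the kubeadm configuration file, quote the apiserver-count value, e.g.:
#   apiServerExtraArgs:
#     apiserver-count: "3"
```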
Closing this item as the 1.10 doc is out and we will be moving the HA story further forward in 1.11. /cc @fabriziopandini |
The planned HA features in kubeadm are not going to make it into v1.9 (see #261). So what can be done to make a cluster set up by kubeadm sufficiently HA?
This is what it looks like now:
Hence an active/active or active/passive master setup needs to be created (i.e. mimic what kubeadm would supposedly be doing in the future):
This seems achievable if converting the existing master instance to a cluster of masters (2) can be done (the Kubernetes guide for building HA clusters seems to indicate so). Active/active would be no more expensive than active/passive.
I am currently working on this. If I succeed I shall share what I find out here.
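One way to realize the load-balanced, active/active apiserver setup mentioned above is a simple TCP load balancer in front of the masters. A hedged sketch using haproxy, with hypothetical addresses (keepalived or a cloud load balancer would work just as well):

```bash
# Hypothetical: three masters at 10.0.0.11-13; the LB/VIP listens on 6443.
cat <<'EOF' > /etc/haproxy/haproxy.cfg
defaults
    mode tcp
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend kube-apiserver
    bind *:6443
    default_backend kube-masters

backend kube-masters
    balance roundrobin
    option tcp-check
    server master1 10.0.0.11:6443 check
    server master2 10.0.0.12:6443 check
    server master3 10.0.0.13:6443 check
EOF
systemctl restart haproxy
```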