基于 openstack 的 kubernetes(rancher RKE) 测试

Posted on |
Symbols count in article: 7.6k | Reading time ≈ 0:08

近日测试 openstack 作为 kubernetes 的基础设施平台为 kubernetes 提供基础服务(storage, loadbalancer)

目标:

  • kubernetes 提供 cinder 作为持久卷
  • 通过 openstack 的 LBAAS v2 为 kubernetes 提供 LoadBalancer

集群架构

k8s-rancher-ops

遇到的问题

x509: cannot validate certificate for <ipaddress> because it doesn't contain any IP SANs

这个问题没有解决,最后通过创建一个新的 openstack region,让 cinder, neutron, compute 的接口都不走 https 来规避这个问题

cloud-config

由于是通过 rancher 进行管理,所以 cloud-config 直接写在 rancher 集群配置文件中即可

如果是原始的 kubernetes 集群,需要在 kubelet 启动时指定 cloud-config 文件

cloud_provider: 
  name: "openstack"
  openstackCloudProvider: 
    block_storage: 
      ignore-volume-az: true
      trust-device-path: false
    global: 
      auth-url: "http://10.10.23.100:45000/v3"
      domain-id: "default"
      password: "******"
      region: "RegionTest" # 笔者创建所有 endpoints 走 http 的 region
      tenant-id: "287da09439154ae7a00c5583fa28de4f"
      username: "anyisalin"
    load_balancer: 
      create-monitor: false
      manage-security-groups: false
      monitor-delay: 0
      monitor-max-retries: 0
      monitor-timeout: 0
      subnet-id: "092e753f-cead-4af0-9200-cf779d0cdf04" # 这里是 private network 的 uuid
      use-octavia: false
    metadata: 
      request-timeout: 0
    route: 
      router-id: "8c98f2a8-eec5-451d-9249-d9f2078f768d"

cinder storageclass

cinder 作为持久卷要指定 volume type 作为参数

apiVersion: storage.k8s.io/v1
kind: StorageClass
parameters:
  type: RBD
provisioner: kubernetes.io/cinder
$ openstack volume list # 持久卷在 openstack 中的展现
+--------------------------------------+-------------------------------------------------------------+-----------+------+---------------------------------------------------------------+
| ID                                   | Display Name                                                | Status    | Size | Attached to                                                   |
+--------------------------------------+-------------------------------------------------------------+-----------+------+---------------------------------------------------------------+
| e437f3b4-7f02-412a-b8ac-38d36d79c424 | kubernetes-dynamic-pvc-5bee62ff-aec6-11e8-868b-fa163efa03b6 | available |    1 |                                                               |
| c360e7f0-4bfa-4424-a564-fdb7330f5fa2 | kubernetes-dynamic-pvc-404fe3e5-aec6-11e8-868b-fa163efa03b6 | available |    1 |                                                               |
| 7e2347af-752c-42e3-a92a-c2565ab6b12c | kubernetes-dynamic-pvc-1193480a-aec6-11e8-b38a-fa163eccc6d3 | in-use    |    1 | Attached to worker3 on /dev/vdc                               |
| 77d26e4e-40d1-4227-b605-5150559a5ccf | tst222                                                      | available |    2 |                                                               |
| c40a48cd-c36e-4cf6-bc08-2c5f326794c4 | kubernetes-dynamic-pvc-d22e1c0e-aebf-11e8-868b-fa163efa03b6 | in-use    |   10 | Attached to worker3 on /dev/vdd                               |
| b331a11a-c533-41fe-89aa-e4bca48484c7 | kubernetes-dynamic-pvc-d234bd67-aebf-11e8-868b-fa163efa03b6 | in-use    |   10 | Attached to worker2 on /dev/vdc                               |
| 19bc473b-8215-45ef-b280-4e1d7c26dc56 | kubernetes-dynamic-pvc-d239d596-aebf-11e8-868b-fa163efa03b6 | in-use    |   10 | Attached to worker1 on /dev/vdc                               |
| f03591f7-a69f-402d-9ab5-d6350d8078e9 | kubernetes-dynamic-pvc-5c4a5d33-aebf-11e8-868b-fa163efa03b6 | in-use    |    8 | Attached to worker3 on /dev/vdb                               |
| a1383dde-bbc3-4148-a931-f86962d482a6 | kubernetes-dynamic-pvc-5c36d2c2-aebf-11e8-868b-fa163efa03b6 | in-use    |    8 | Attached to worker2 on /dev/vdb                               |
| 568f72bc-6b74-4cd2-b795-ab109f753501 | kubernetes-dynamic-pvc-5c406970-aebf-11e8-868b-fa163efa03b6 | in-use    |    2 | Attached to worker1 on /dev/vdb                               |
| 4e3d531e-3ea6-4f3f-a40b-3639548ed9bc | kubernetes-dynamic-pvc-0742b2bc-aebe-11e8-8fc8-fa163e64cc4c | available |    1 |                                                               |
| 9528824a-35f0-47be-88b9-2108ba10e4cb | kubernetes-dynamic-pvc-1dae4606-acce-11e8-ad52-fa163eae37fd | in-use    |    2 | Attached to 1a5e3cee-ed4e-4a31-963f-2c7a96470c63 on /dev/vdb  |
| f573db1e-2df1-48f9-b45f-237667b891fa | kubernetes-dynamic-pvc-1b7761b6-acc0-11e8-81f7-fa163ef239c4 | in-use    |    1 | Attached to 454551f2-5736-4b52-8c85-321f795e0cff on /dev/vdb  |
| 2aa122b4-887b-4eaa-977e-7bbd6a001449 | kubernetes-dynamic-pvc-6a297820-ac29-11e8-b902-fa163e785cc9 | available |    1 |                                                               |
| c6af8fc5-9c1e-4ae2-87c0-2798dbf80bc4 | kubernetes-dynamic-pvc-37419971-ac22-11e8-b864-fa163ecfcbd0 | available |    1 |                                                               |
| 4eef9daa-3311-4787-afb8-2e41fd39c9ca | kubernetes-dynamic-pvc-b9f73456-ac18-11e8-b932-fa163e0fecaa | available |    8 |                                                               |
| a0c0ad15-d674-4389-918f-d37126ffb59d | kubernetes-dynamic-pvc-b9fe461d-ac18-11e8-b932-fa163e0fecaa | available |   10 |                                                               |
+--------------------------------------+-------------------------------------------------------------+-----------+------+---------------------------------------------------------------+

LoadBalancer

$ neutron lbaas-member-list  2e75b034-d291-4e87-b9bf-2421bce1fc3a # LoadBalancer 服务在 openstack 中的展现
neutron CLI is deprecated and will be removed in the future. Use openstack CLI instead.
+--------------------------------------+-----------------------------------------------------+------------+---------------+--------+--------------------------------------+----------------+
| id                                   | name                                                | address    | protocol_port | weight | subnet_id                            | admin_state_up |
+--------------------------------------+-----------------------------------------------------+------------+---------------+--------+--------------------------------------+----------------+
| 2b09be24-e6b8-4fa2-872a-7840691e3f74 | member_a11a75f2eaec611e8b38afa163eccc6d_0_worker3   | 13.20.0.16 |         31127 |      1 | 092e753f-cead-4af0-9200-cf779d0cdf04 | True           |
| 34b22906-d794-4c10-976f-74e00dfdbb91 | member_a11a75f2eaec611e8b38afa163eccc6d_0_control-2 | 13.20.0.14 |         31127 |      1 | 092e753f-cead-4af0-9200-cf779d0cdf04 | True           |
| 5a98c11c-544f-4414-9ec8-2991b7d123e8 | member_a11a75f2eaec611e8b38afa163eccc6d_0_worker2   | 13.20.0.9  |         31127 |      1 | 092e753f-cead-4af0-9200-cf779d0cdf04 | True           |
| 68a65652-7c4f-4b68-82e4-4a2731542664 | member_a11a75f2eaec611e8b38afa163eccc6d_0_control-3 | 13.20.0.24 |         31127 |      1 | 092e753f-cead-4af0-9200-cf779d0cdf04 | True           |
| 8fe6c1a0-c802-4eda-b3b7-ccef920500b6 | member_a11a75f2eaec611e8b38afa163eccc6d_0_worker1   | 13.20.0.22 |         31127 |      1 | 092e753f-cead-4af0-9200-cf779d0cdf04 | True           |
| b3a05a40-7428-4d77-a773-bfec5f93544e | member_a11a75f2eaec611e8b38afa163eccc6d_0_control-1 | 13.20.0.20 |         31127 |      1 | 092e753f-cead-4af0-9200-cf779d0cdf04 | True           |
+--------------------------------------+-----------------------------------------------------+------------+---------------+--------+--------------------------------------+----------------+

kubernetes LoadBalancer 的原理就是通过外部服务对 service 的 NodePort 进行反代,NodePort 是通过 Kube-Proxy 做转发的,无法获取真实客户端的 IP 地址,最好还是通过 ingress 服务访问集群中的服务