Cloud Controller Manager (CCM) mengintegrasikan Kubernetes dengan layanan infrastruktur Alibaba Cloud, seperti Classic Load Balancer (CLB) dan Virtual Private Cloud (VPC). CCM memungkinkan Anda menyambungkan node dalam kluster maupun server di luar kluster ke backend CLB yang sama, sehingga membantu mencegah gangguan lalu lintas selama migrasi. Anda juga dapat meneruskan lalu lintas bisnis ke beberapa kluster Kubernetes untuk pencadangan dan pemulihan bencana, memastikan ketersediaan tinggi bagi aplikasi Anda. Topik ini menjelaskan cara men-deploy CCM di kluster Kubernetes yang dikelola sendiri.
Prasyarat
VNode telah di-deploy di kluster Kubernetes yang dikelola sendiri Anda.
Jika kluster Kubernetes Anda di-deploy di pusat data lokal, pastikan konektivitas jaringan antara pusat data dan Alibaba Cloud telah terbentuk.
Informasi latar belakang
CCM adalah komponen Alibaba Cloud yang mengintegrasikan Kubernetes dengan layanan infrastruktur Alibaba Cloud. CCM menyediakan kemampuan berikut:
Mengelola load balancing
Saat tipe Service diatur ke LoadBalancer, CCM membuat dan mengonfigurasi Classic Load Balancer (CLB) Alibaba Cloud untuk Service tersebut, termasuk sumber daya seperti instans CLB, listener, dan kelompok server backend. Ketika Endpoints Service atau node kluster berubah, CCM secara otomatis memperbarui kelompok server backend CLB tersebut.
Mengaktifkan komunikasi lintas node
Saat menggunakan Flannel sebagai komponen jaringan kluster, CCM membangun konektivitas jaringan antara kontainer dan node. CCM menulis blok CIDR pod setiap node ke tabel rute VPC, sehingga memungkinkan komunikasi lintas node untuk kontainer. Fitur ini diaktifkan secara default dan tidak memerlukan konfigurasi tambahan.
Untuk informasi lebih lanjut, lihat cloud controller manager.
CCM bersifat open source. Untuk detail proyek, lihat cloud-provider-alibaba-cloud.
Persiapan
Lewati bagian ini jika kluster Kubernetes yang dikelola sendiri Anda tidak menggunakan instans Elastic Compute Service (ECS) sebagai node. Jika menggunakan, ikuti langkah-langkah berikut untuk mengonfigurasi providerID pada node ECS Anda, sehingga CCM dapat mengelola rutenya.
Deploy OpenKruise untuk menggunakan controller BroadcastJob.
Jalankan perintah berikut:
helm repo add openkruise https://openkruise.github.io/charts/ helm repo update helm install kruise openkruise/kruise --version 1.3.0Untuk informasi lebih lanjut, lihat dokumentasi OpenKruise.
Konfigurasikan providerID untuk node ECS menggunakan BroadcastJob.
Simpan konten berikut sebagai provider.yaml.
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: ecs-node-initor rules: - apiGroups: - "" resources: - nodes verbs: - get - patch --- apiVersion: v1 kind: ServiceAccount metadata: name: ecs-node-initor --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: ecs-node-initor subjects: - kind: ServiceAccount name: ecs-node-initor namespace: default roleRef: kind: ClusterRole name: ecs-node-initor apiGroup: rbac.authorization.k8s.io --- apiVersion: apps.kruise.io/v1alpha1 kind: BroadcastJob metadata: name: create-ecs-node-provider-id spec: template: spec: serviceAccount: ecs-node-initor restartPolicy: OnFailure affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: type operator: NotIn values: - virtual-kubelet tolerations: - operator: Exists containers: - name: create-ecs-node-provider-id image: registry.cn-beijing.aliyuncs.com/eci-release/provider-initor:v1 command: [ "/usr/bin/init" ] env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName completionPolicy: type: Never failurePolicy: type: FailFast restartLimit: 3Deploy BroadcastJob tersebut.
kubectl apply -f provider.yaml
Periksa hasil BroadcastJob.
kubectl get pods -o wideJika semua pod terkait create-ecs-node-provider-id berada dalam status Completed, providerID untuk node ECS yang sesuai telah berhasil dikonfigurasi. Berikut contoh output-nya:
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES create-ecs-node-provider-id-9jvms 0/1 Completed 0 34m 172.23.xxx cn-shanghai.10.10.156.206 <none> 1/1 create-ecs-node-provider-id-f5sb8 0/1 Completed 0 34m 172.23.xxx cn-shanghai.10.10.156.202 <none> 1/1 create-ecs-node-provider-id-f6r2c 0/1 Completed 0 34m 172.23.xxx cn-shanghai.10.10.156.201 <none> 1/1 create-ecs-node-provider-id-nhrsp 0/1 Completed 0 34m 172.23.xxx cn-shanghai.10.10.156.203 <none> 1/1 create-ecs-node-provider-id-ntn4d 0/1 Completed 0 34m 172.23.xxx cn-shanghai.10.10.156.204 <none> 1/1 create-ecs-node-provider-id-rr2bk 0/1 Completed 0 34m 172.23.xxx cn-shanghai.10.10.156.205 <none> 1/1(Opsional) Bersihkan BroadcastJob.
kubectl delete -f provider.yaml
Prosedur
Buat ConfigMap.
Simpan pasangan AccessKey untuk Akun Alibaba Cloud Anda sebagai variabel lingkungan.
export ACCESS_KEY_ID=LTAI******************** export ACCESS_KEY_SECRET=HAeS**************************Untuk informasi cara memperoleh ID AccessKey dan Secret AccessKey, lihat Obtain an AccessKey pair.
Jalankan skrip berikut untuk membuat ConfigMap.
Simpan konten berikut sebagai configmap-ccm.sh, ganti nilai region dengan ID wilayah Anda, lalu jalankan skrip tersebut.
#!/bin/bash ## create ConfigMap kube-system/cloud-config for CCM. accessKeyIDBase64=`echo -n "$ACCESS_KEY_ID" |base64 -w 0` accessKeySecretBase64=`echo -n "$ACCESS_KEY_SECRET"|base64 -w 0` cat <<EOF >cloud-config.yaml apiVersion: v1 kind: ConfigMap metadata: name: cloud-config namespace: kube-system data: cloud-config.conf: |- { "Global": { "accessKeyID": "$accessKeyIDBase64", "accessKeySecret": "$accessKeySecretBase64", "region": "cn-hangzhou" } } EOF kubectl create -f cloud-config.yamlbash configmap-ccm.shSetelah skrip dijalankan, ConfigMap bernama cloud-config dibuat di namespace kube-system.
Deploy CCM.
Ubah
${ImageVersion}dan{$ClusterCIDR}, lalu simpan konten berikut sebagai ccm.yaml.Anda dapat memperoleh
ImageVersiondari changelog CCM. Untuk informasi lebih lanjut, lihat cloud controller manager.Anda dapat melihat
ClusterCIDRdengan menjalankan perintahkubectl cluster-info dump | grep -m1 cluster-cidr.
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: system:cloud-controller-manager rules: - apiGroups: - coordination.k8s.io resources: - leases verbs: - get - list - update - create - apiGroups: - "" resources: - persistentvolumes - services - secrets - endpoints - serviceaccounts verbs: - get - list - watch - create - update - patch - apiGroups: - "" resources: - nodes verbs: - get - list - watch - delete - patch - update - apiGroups: - "" resources: - services/status verbs: - update - patch - apiGroups: - "" resources: - nodes/status verbs: - patch - update - apiGroups: - "" resources: - events - endpoints verbs: - create - patch - update --- apiVersion: v1 kind: ServiceAccount metadata: name: cloud-controller-manager namespace: kube-system --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: system:cloud-controller-manager roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:cloud-controller-manager subjects: - kind: ServiceAccount name: cloud-controller-manager namespace: kube-system --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: system:shared-informers roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:cloud-controller-manager subjects: - kind: ServiceAccount name: shared-informers namespace: kube-system --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: system:cloud-node-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:cloud-controller-manager subjects: - kind: ServiceAccount name: cloud-node-controller namespace: kube-system --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: system:pvl-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:cloud-controller-manager subjects: - kind: ServiceAccount name: pvl-controller namespace: kube-system --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: system:route-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:cloud-controller-manager subjects: - kind: ServiceAccount name: route-controller namespace: kube-system --- apiVersion: apps/v1 kind: DaemonSet metadata: labels: app: cloud-controller-manager tier: control-plane name: cloud-controller-manager namespace: kube-system spec: selector: matchLabels: app: cloud-controller-manager tier: control-plane template: metadata: labels: app: cloud-controller-manager tier: control-plane annotations: scheduler.alpha.kubernetes.io/critical-pod: '' spec: serviceAccountName: cloud-controller-manager tolerations: - effect: NoSchedule operator: Exists key: node-role.kubernetes.io/master - effect: NoSchedule operator: Exists key: node.cloudprovider.kubernetes.io/uninitialized nodeSelector: node-role.kubernetes.io/master: "" containers: - command: - /cloud-controller-manager - --leader-elect=true - --cloud-provider=alicloud - --use-service-account-credentials=true - --cloud-config=/etc/kubernetes/config/cloud-config.conf - --configure-cloud-routes=true - --route-reconciliation-period=3m - --leader-elect-resource-lock=endpoints # Replace ${ClusterCIDR} with your own cluster CIDR. # Example: 172.16.0.0/16 - --cluster-cidr=${ClusterCIDR} # Replace ${ImageVersion} with the latest release version. # Example: v2.1.0 image: registry.cn-hangzhou.aliyuncs.com/acs/cloud-controller-manager-amd64:${ImageVersion} livenessProbe: failureThreshold: 8 httpGet: host: 127.0.0.1 path: /healthz port: 10258 scheme: HTTP initialDelaySeconds: 15 timeoutSeconds: 15 name: cloud-controller-manager resources: requests: cpu: 200m volumeMounts: - mountPath: /etc/kubernetes/ name: k8s - mountPath: /etc/ssl/certs name: certs - mountPath: /etc/pki name: pki - mountPath: /etc/kubernetes/config name: cloud-config hostNetwork: true volumes: - hostPath: path: /etc/kubernetes name: k8s - hostPath: path: /etc/ssl/certs name: certs - hostPath: path: /etc/pki name: pki - configMap: defaultMode: 420 items: - key: cloud-config.conf path: cloud-config.conf name: cloud-config name: cloud-configJalankan perintah berikut untuk men-deploy CCM.
kubectl create -f ccm.yaml
Verifikasi deployment
Buat Service LoadBalancer dan Penyebaran backend contoh.
Simpan konten berikut sebagai ccm-test.yaml.
Untuk mencegah kegagalan pull image, ganti alamat image dengan yang berasal dari wilayah VNode Anda.
apiVersion: v1 kind: Service metadata: name: nginx namespace: default annotations: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet" spec: ports: - port: 80 protocol: TCP targetPort: 80 selector: app: nginx type: LoadBalancer --- apiVersion: apps/v1 kind: Deployment metadata: name: test-nginx spec: replicas: 2 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: registry-vpc.cn-beijing.aliyuncs.com/eci_open/nginx:1.14.2Deploy Service dan Deployment tersebut.
kubectl create -f ccm-test.yamlSetelah deployment, CCM membuat dan mengonfigurasi CLB Alibaba Cloud untuk Service tersebut, termasuk instans CLB, listener, dan kelompok server backend.
Verifikasi bahwa Service berfungsi sebagaimana mestinya.
Jalankan perintah curl dengan alamat IP eksternal Service. Respons sukses, seperti contoh berikut, mengonfirmasi bahwa layanan Nginx backend dapat diakses.
[root@k8s-master ~]# kubectl get service NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.xxx.x.1 <none> 443/TCP 7d1h nginx LoadBalancer 10.xxx.02.253 172.16.5.xxx 80:32554/TCP 14m [root@k8s-master ~]# kubectl get pods | grep nginx test-nginx-84cbc7685b-gvlvq 1/1 Running 0 22s test-nginx-84cbc7685b-w9np2 1/1 Running 0 22s [root@k8s-master ~]# curl 172.16.5.xxx <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> <style> body { width: 35em; margin: 0 auto; font-family: Tahoma, Verdana, Arial, sans-serif; } </style> </head> <body> <h1>Welcome to nginx!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> <p>For online documentation and support please refer to <a href="http://nginx.org/">nginx.org</a>.<br/> Commercial support is available at <a href="http://nginx.com/">nginx.com</a>.</p> <p>Thank you for using nginx.</p> </body> </html>
Untuk informasi lebih lanjut tentang penggunaan Service, lihat CCM usage.