NO.Z.00095 | Upgrade | KuberNetes & Binary Upgrade.V06 | kubernetes components | calico v3.15.3 -> v3.19.1
阿新 • Published: 2022-03-29
[CloudNative: KuberNetes & Binary Upgrade.V06] [Applications.KuberNetes] [|DevOps|kubernetes|binary upgrade|kubernetes v1.17.0 -> v1.19.5|components|calico v3.15.3 -> v3.19.1|]
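I. Calico component overview
### --- Calico official site
~~~ https://docs.projectcalico.org/maintenance/kubernetes-upgrade#upgrading-an-installation-that-uses-the-kubernetes-api-datastore
### --- Calico installation guide
~~~ https://docs.projectcalico.org/getting-started/kubernetes/self-managed-onprem/onpremises
### --- Calico can be installed in two ways:
~~~ Method 1: connecting to etcd directly
~~~ Method 2: connecting to etcd through the apiserver, i.e. the apiserver relays the traffic
~~~ Option 1: fewer than 50 nodes
~~~ Option 2: more than 50 nodes; this adds one extra management container
### --- Choosing a Calico installation method
~~~ apiserver method: the official site recommends installing calico through the apiserver; it is the simpler method, needs no configuration, and can be applied directly
~~~ etcd method: configure the etcd certificates and the node IP addresses in the manifest
~~~ When etcd is reached through the apiserver and every etcd member goes down, containers on every host lose connectivity. This applies to virtualized environments such as OpenStack; on physical nodes there is no problem.
~~~ The direct etcd method puts somewhat less concurrent load on the apiserver
~~~ # Upgrade calico on a node together with that node's kubelet, so the node is not taken offline twice and its pods are not rescheduled twice
II. Upgrading the kubernetes component calico: calico v3.15.3 -> v3.19.1
### --- Calico upgrade options:
~~~ # Calico for policy and networking:
~~~ If calico provides both networking and network policy, use the following manifest
curl https://docs.projectcalico.org/manifests/calico.yaml -O
~~~ # Calico for policy and flannel for networking
~~~ If calico provides network policy and flannel provides networking, use the following manifest
curl https://docs.projectcalico.org/manifests/canal.yaml -O
### --- Take the node running calico offline
~~~ # Drain the kubernetes node k8s-master01 and mark it unschedulable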
[root@k8s-master01 ~]# kubectl drain k8s-master01 --delete-local-data --force --ignore-daemonsets
node/k8s-master01 cordoned
~~~ # Stop the kubelet service
~~~ Note: run this only if your environment requires it
[root@k8s-master01 ~]# systemctl stop kubelet
### --- Download the calico v3.19.1 manifest
~~~ # Download the calico yaml manifest
[root@k8s-master01 calico]# pwd
/root/upgrade/calico
[root@k8s-master01 calico]# curl -O https://docs.projectcalico.org/manifests/calico.yaml
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 185k 100 185k 0 0 12144 0 0:00:15 0:00:15 --:--:-- 20860
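~~~ # Edit the calico manifest
~~~ Note: the preferred update strategy is OnDelete
~~~ Note: in RollingUpdate mode, a failed update is retried in a loop.
~~~ Note: with this approach, a failed calico upgrade affects only the current node, not the other nodes
[root@k8s-master01 calico]# vim /root/upgrade/calico/calico.yaml
image: docker.io/calico/cni:v3.19.1
# Note 1: the calico version in this manifest is 3.19.1
updateStrategy:
  type: RollingUpdate
  rollingUpdate:
    maxUnavailable: 1
# Note 2: change the parameters above to the following
updateStrategy:
  type: OnDelete
#  rollingUpdate:
#    maxUnavailable: 1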
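The manifest URL above is unversioned, so it is worth confirming what was actually downloaded and edited before applying it. The following is an added example, not part of the original post: it checks that every image in the manifest carries the expected tag and that the update strategy is OnDelete. `EXPECTED_TAG`, the function names and the sample manifest are assumptions made for illustration.

```bash
# Added example: checks to run on the edited manifest before `kubectl apply`.
EXPECTED_TAG="v3.19.1"   # assumption: the release this page upgrades to

# Print every uncommented image reference whose tag is not $EXPECTED_TAG
# (untagged, :latest, or left over from the old release).
unpinned_images() {
  awk -v want="$EXPECTED_TAG" '
    $1 == "image:" || ($1 == "-" && $2 == "image:") {
      ref = ($1 == "-") ? $3 : $2
      n = split(ref, part, ":")
      if (n < 2 || part[n] != want) print ref
    }' "$1"
}

# Print the type under the first uncommented updateStrategy: key.
# Assumption: only the calico-node DaemonSet carries that key.
update_strategy() {
  awk '$1 == "updateStrategy:" { seen = 1; next }
       seen && $1 == "type:"   { print $2; exit }' "$1"
}

# Return 0 only when images are pinned and the strategy is OnDelete.
check_manifest() {
  stale=$(unpinned_images "$1")
  if [ -n "$stale" ]; then
    echo "not pinned to $EXPECTED_TAG: $stale" >&2; return 1
  fi
  if [ "$(update_strategy "$1")" != "OnDelete" ]; then
    echo "updateStrategy is not OnDelete" >&2; return 2
  fi
}

# Constructed sample standing in for /root/upgrade/calico/calico.yaml.
sample=$(mktemp)
cat > "$sample" <<'EOF'
kind: DaemonSet
spec:
  updateStrategy:
    type: OnDelete
  template:
    spec:
      initContainers:
        - name: install-cni
          image: docker.io/calico/cni:v3.19.1
      containers:
        - name: calico-node
          image: docker.io/calico/node:v3.19.1
EOF
check_manifest "$sample" && echo "manifest OK for $EXPECTED_TAG"
```

Run `check_manifest /root/upgrade/calico/calico.yaml` on the real file; a non-zero exit means the manifest should not be applied yet.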
### --- Back up calico v3.15.3
~~~ # List the calico configuration resources
[root@k8s-master01 ~]# kubectl get secret -n kube-system -owide | grep calico
calico-etcd-secrets Opaque 3 55d
calico-kube-controllers-token-nclr9 kubernetes.io/service-account-token 3 55d
calico-node-token-j6s6w kubernetes.io/service-account-token 3 55d
[root@k8s-master01 ~]# kubectl get configmap,deployment -n kube-system -owide
NAME DATA AGE
configmap/calico-config 4 55d
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
deployment.apps/calico-kube-controllers 1/1 1 1 55d calico-kube-controllers docker.io/calico/kube-controllers:v3.19.1 k8s-app=calico-kube-controllers
~~~ # Back up the calico configuration
[root@k8s-master01 ~]# mkdir upgrade/calico/calico.bak/
[root@k8s-master01 ~]# kubectl get secret calico-etcd-secrets -n kube-system -oyaml > upgrade/calico/calico.bak/calico-etcd.secret.yaml
[root@k8s-master01 ~]# kubectl get secret calico-kube-controllers-token-nclr9 -n kube-system -oyaml > upgrade/calico/calico.bak/calico-controllers-token-secret.yaml
[root@k8s-master01 ~]# kubectl get secret calico-node-token-j6s6w -n kube-system -oyaml > upgrade/calico/calico.bak/calico-node-token-secret.yaml
[root@k8s-master01 ~]# kubectl get configmap calico-config -n kube-system -oyaml > upgrade/calico/calico.bak/calico-etcd-cm.yaml
[root@k8s-master01 ~]# kubectl get deployment calico-kube-controllers -n kube-system -oyaml > upgrade/calico/calico.bak/calico-etcd-dy.yaml
### --- Upgrade to calico v3.19.1
~~~ # Check the calico version currently deployed
[root@k8s-master01 calico]# kubectl edit daemonset calico-node -n kube-system
image: calico/cni:v3.15.3
~~~ # Apply calico v3.19.1
[root@k8s-master01 calico]# kubectl apply -f /root/upgrade/calico/calico.yaml
configmap/calico-config configured
~~~ # Check the calico version and configuration after the update
[root@k8s-master01 calico]# kubectl edit daemonset calico-node -n kube-system
image: docker.io/calico/node:v3.19.1 // Note: the version is v3.19.1
image: docker.io/calico/node:v3.19.1
********************************************
updateStrategy:
  type: OnDelete // Note: the update strategy is OnDelete
### --- Bring the node running calico back online
~~~ # Start the kubelet service
~~~ Note: run this only if your environment requires it
[root@k8s-master01 ~]# systemctl daemon-reload
[root@k8s-master01 ~]# systemctl status kubelet
~~~ # Uncordon node k8s-master01 so that it rejoins the cluster
[root@k8s-master01 ~]# kubectl uncordon k8s-master01
node/k8s-master01 uncordoned
### --- Update the calico pods
~~~ # Check the version of the calico pod on node k8s-master01
~~~ Note: the calico pod is still on v3.15.3; it has not been updated
[root@k8s-master01 ~]# kubectl get po -n kube-system -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
calico-node-w79vx 1/1 Running 2 54d 192.168.1.11 k8s-master01 <none> <none>
[root@k8s-master01 ~]# kubectl get po calico-node-w79vx -n kube-system -oyaml | grep image
image: registry.cn-beijing.aliyuncs.com/dotbalo/node:v3.15.3
~~~ # Delete the calico pod of node k8s-master01 in kube-system so that calico restarts
[root@k8s-master01 ~]# kubectl delete po calico-node-w79vx -n kube-system
pod "calico-node-w79vx" deleted
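~~~ # Check the version of the calico pod on node k8s-master01
~~~ Note: after the update the calico version is v3.19.1
~~~ Note: the update is rolled out pod by pod; a pod is only updated once it has been restarted
~~~ Note: with this approach a failed calico update affects only the current node; other nodes are not affected.
~~~ Note: if calico on the current node is healthy, continue updating calico on the other nodes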
[root@k8s-master01 ~]# kubectl get po calico-node-rk46z -n kube-system -oyaml | grep image
image: docker.io/calico/node:v3.19.1
~~~ # Update the calico pods on the other nodes
[root@k8s-master01 ~]# kubectl get po -n kube-system -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
calico-node-k57sz 1/1 Running 29 54d 192.168.1.15 k8s-node02 <none> <none>
calico-node-k6v5h 1/1 Running 7 54d 192.168.1.13 k8s-master03 <none> <none>
calico-node-mtkph 1/1 Running 3 54d 192.168.1.12 k8s-master02 <none> <none>
calico-node-rk46z 1/1 Running 0 13m 192.168.1.11 k8s-master01 <none> <none>
calico-node-s8pcf 1/1 Running 2 2d3h 192.168.1.14 k8s-node01 <none> <none>
~~~ # Restart the calico pods one at a time
[root@k8s-master01 ~]# kubectl delete po calico-node-s8pcf -n kube-system
[root@k8s-master01 ~]# kubectl delete po calico-node-mtkph -n kube-system
[root@k8s-master01 ~]# kubectl delete po calico-node-k6v5h -n kube-system
[root@k8s-master01 ~]# kubectl delete po calico-node-k57sz -n kube-system
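Deleting pods one at a time only limits the blast radius if each replacement is checked before the next deletion. The following is an added example, not part of the original post: it reads a pod listing, names the next calico-node pod to delete, and refuses to continue when an already upgraded pod is not Ready. The function names, `EXPECTED_TAG` and the sample rows are assumptions; the `kubectl` flags in the comment are real.

```bash
# Added example: choose the next calico-node pod to restart, or stop.
# Rows are "node pod image ready", as printed by (real kubectl flags):
#   kubectl get pods -n kube-system -l k8s-app=calico-node --no-headers \
#     -o custom-columns=N:.spec.nodeName,P:.metadata.name,I:.spec.containers[0].image,R:.status.containerStatuses[0].ready
EXPECTED_TAG="v3.19.1"   # assumption: target release from this page

# Label each row outdated (old tag), upgraded, or broken (new tag, not Ready).
# Only the tag is compared, so mirror registries do not matter.
classify() {
  awk -v want="$EXPECTED_TAG" '{
    n = split($3, part, ":")
    tag = (n > 1) ? part[n] : "<none>"
    state = (tag != want) ? "outdated" : (($4 == "true") ? "upgraded" : "broken")
    print state, $1, $2, tag
  }'
}

# Print the next pod to delete. Return 1 if an upgraded node is broken,
# so a bad release stays confined to the node where it first failed.
next_pod() {
  rows=$(classify)
  if echo "$rows" | grep -q '^broken '; then
    echo "$rows" | grep '^broken ' >&2; return 1
  fi
  echo "$rows" | awk '$1 == "outdated" { print $3; exit }'
}

# Constructed rows modelled on the pod list above (images are assumed).
sample_rows() {
  cat <<'EOF'
k8s-node02   calico-node-k57sz registry.cn-beijing.aliyuncs.com/dotbalo/node:v3.15.3 true
k8s-master03 calico-node-k6v5h registry.cn-beijing.aliyuncs.com/dotbalo/node:v3.15.3 true
k8s-master01 calico-node-rk46z docker.io/calico/node:v3.19.1 true
EOF
}
sample_rows | next_pod
```

Empty output with exit status 0 means every node is on the expected tag and Ready.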
III. Verify that calico is working correctly
### --- Verify that calico network policy is working correctly
~~~ # Create an nginx pod
[root@k8s-master01 ~]# kubectl get po -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-78658dcf78-87gqv 2/2 Running 7 30h 172.18.195.38 k8s-master03 <none> <none>
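~~~ # curl the pod
~~~ Note: it is reachable
~~~ Note: once calico routes have been created, upgrading calico does not affect the existing routes
~~~ Note: although existing services should not be affected, it is still recommended to take the node offline before upgrading
~~~ Note: that way, if the node being upgraded runs into problems, existing services are not affected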
[root@k8s-master01 ~]# curl 172.18.195.38
<title>Welcome to nginx!</title>
### --- Check the routing rules
~~~ # Check the ipvsadm rules
[root@k8s-master01 ~]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 127.0.0.1:30508 rr
-> 172.16.195.1:8888 Masq 1 0 0
TCP 127.0.0.1:31000 rr
~~~ # Check the routing table
[root@k8s-master01 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 ens33
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 ens33
172.16.32.128 0.0.0.0 255.255.255.192 U 0 0 0 *