Enterprise Keepalived High-Availability Offline Deployment in Practice (with K8S Cluster VIP Configuration)
Abstract: This article walks through deploying Keepalived in an offline environment to give a Kubernetes cluster a highly available API endpoint: building from source, configuring multiple nodes, wiring the health check to failover, and production-grade tuning. It targets isolated networks such as finance and government, where disaster-recovery architecture has to be built without Internet access.
I. Environment Planning and Architecture
1.1 Node information

| Node IP | Role | Priority | Interface |
|---|---|---|---|
| 192.167.14.119 | MASTER | 101 | eno3 |
| 192.167.14.223 | BACKUP | 100 | ens192 |
| 192.167.14.226 | BACKUP | 99 | ens192 |

1.2 Virtual IP (VIP)
- VIP address: 192.167.14.205
- Purpose: single entry point for the Kubernetes API server. When the node holding it fails, the BACKUP with the next-highest priority takes it over automatically. The VIP must be an unused address in the same subnet as the node addresses, because VRRP moves it between interfaces on one L2 segment.
II. Installing Keepalived Offline
2.1 Building from source

```bash
# Download the source tarball on a host with Internet access and copy it to the target nodes
wget https://www.keepalived.org/software/keepalived-2.2.8.tar.gz
# The build also needs gcc, make and the development headers for OpenSSL and libnl3; stage those packages offline too
# Unpack and build
tar xvf keepalived-2.2.8.tar.gz
cd keepalived-2.2.8
./configure --prefix=/usr/local/keepalived --disable-track-process
make && make install
```
2.2 Installing as a system service

```bash
# Copy the defaults file and the binary to the standard locations
cp /usr/local/keepalived/etc/sysconfig/keepalived /etc/sysconfig/
cp /usr/local/keepalived/sbin/keepalived /usr/sbin/
# Install the SysV init script (path is relative to the keepalived-2.2.8 source directory we are still in)
cp keepalived/etc/init.d/keepalived /etc/init.d/
chmod +x /etc/init.d/keepalived
# Create the configuration directory and start from the shipped sample
mkdir -p /etc/keepalived
cp /usr/local/keepalived/etc/keepalived/keepalived.conf.sample /etc/keepalived/keepalived.conf
# Enable at boot
chkconfig --add keepalived
chkconfig keepalived on
```

On a systemd host the build also generates keepalived/keepalived.service; if make install placed it under the prefix rather than in the system unit directory, copy it to /etc/systemd/system/ and run systemctl daemon-reload. Either way the systemctl commands in section V work, since systemd also wraps SysV init scripts.
III. Per-Node Configuration
3.1 MASTER node (119)

```bash
cat > /etc/keepalived/keepalived.conf << 'EOF'
! Configuration File for keepalived
global_defs {
    router_id K8S_MASTER_119      # unique per node
    enable_script_security        # refuse to run scripts whose path is writable by non-root users
}
vrrp_script chk_apiserver {
    script "/etc/keepalived/check_apiserver.sh"   # health check script (section IV)
    interval 5                    # seconds between checks
    weight -5                     # priority change while the check fails: 101 -> 96, below both BACKUPs
    fall 2                        # 2 consecutive failures mark the check as failed
    rise 1                        # 1 success marks it healthy again
}
vrrp_instance VI_1 {
    state MASTER                  # initial state
    interface eno3                # interface that carries VRRP and the VIP
    virtual_router_id 51          # same on all nodes of this group, unique per L2 segment
    priority 101                  # highest on the MASTER
    advert_int 2                  # advertisement interval in seconds
    authentication {              # VRRPv2 simple password: sent in clear text, only guards against misconfiguration
        auth_type PASS
        auth_pass K8SHA_KA_AUTH   # only the first 8 characters are used; keepalived warns when the string is longer
    }
    virtual_ipaddress {
        192.167.14.205
    }
    track_script {                # tie the check to this instance
        chk_apiserver
    }
}
EOF
```

Check the weight arithmetic against the node table: while the check fails, the MASTER's effective priority is 101 - 5 = 96, so either BACKUP (100 or 99) wins the election. A smaller weight such as -1 would leave it at 100, tied with node 223, and the VIP would not move. The PASS authentication travels in every advertisement unencrypted, so it is not a defence against anyone on the segment; the packet filter in 6.1 and network isolation are the actual controls.
3.2 BACKUP nodes (223/226)

Taking node 223 as the example, copy the MASTER file and change only the following parameters (226 likewise, with its own router_id and priority 99):

```text
router_id K8S_BACKUP_223
state BACKUP
interface ens192
mcast_src_ip 192.167.14.223     # source address of multicast advertisements; optional, defaults to the interface's primary address
priority 100                    # 99 on node 226
```
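The three files above differ in only four values, which is easy to get wrong by hand. The script below is an added example (not code from the original post): it renders keepalived.conf for every node in the 1.1 table from one template and checks that the configured weight is large enough for a failed health check to actually move the VIP. VIP, VRID, auth string, script path and timers are the page's values; the output directory is a hypothetical choice.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders keepalived.conf for each
# node of the section 1.1 table from one template (only router_id, state, interface
# and priority vary) and checks that `weight` makes a failed check lose the election.

VIP=192.167.14.205
VRID=51
AUTH_PASS=K8SHA_KA_AUTH      # keepalived uses only the first 8 characters
CHECK_WEIGHT=-5

# render_conf <router_id> <state> <interface> <priority>: full config on stdout
render_conf() {
    cat <<EOF
! Configuration File for keepalived
global_defs {
    router_id $1
    enable_script_security
}
vrrp_script chk_apiserver {
    script "/etc/keepalived/check_apiserver.sh"
    interval 5
    weight $CHECK_WEIGHT
    fall 2
    rise 1
}
vrrp_instance VI_1 {
    state $2
    interface $3
    virtual_router_id $VRID
    priority $4
    advert_int 2
    authentication {
        auth_type PASS
        auth_pass $AUTH_PASS
    }
    virtual_ipaddress {
        $VIP
    }
    track_script {
        chk_apiserver
    }
}
EOF
}

# failover_effective <master_priority> <weight> <backup_priority>...
# 0 when master_priority + weight is strictly below every backup priority, so a
# MASTER whose check fails loses the election; 1 when it would keep the VIP.
failover_effective() {
    degraded=$(( $1 + $2 ))
    shift 2
    for p in "$@"; do
        [ "$degraded" -lt "$p" ] || return 1
    done
    return 0
}

# Node table from section 1.1: router_id state interface priority
NODES="K8S_MASTER_119 MASTER eno3 101
K8S_BACKUP_223 BACKUP ens192 100
K8S_BACKUP_226 BACKUP ens192 99"

main() {
    outdir="${1:-/tmp/keepalived-out}"   # hypothetical; copy each file to its node as /etc/keepalived/keepalived.conf
    mkdir -p "$outdir" || return 1
    echo "$NODES" | while read -r rid state iface prio; do
        render_conf "$rid" "$state" "$iface" "$prio" > "$outdir/keepalived.conf.$rid"
        echo "wrote $outdir/keepalived.conf.$rid"
    done
    if failover_effective 101 "$CHECK_WEIGHT" 100 99; then
        echo "weight $CHECK_WEIGHT is sufficient: a failing check drops the MASTER to $((101 + CHECK_WEIGHT)), below 100 and 99"
    else
        echo "weight $CHECK_WEIGHT is too small: the MASTER would keep the VIP after a failed check" >&2
        return 1
    fi
}

main "$@"
```

Run it once on an admin host, then copy keepalived.conf.K8S_MASTER_119 and the two BACKUP files to their nodes. If you later change priorities or the weight, rerun it: failover_effective fails when the degraded MASTER would still tie or beat a BACKUP, which is the silent misconfiguration behind "health check fails but the VIP never moves".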
IV. Linking the Health Check to Failover
4.1 Check script

The heredoc delimiter must be quoted ('EOF'). With a bare EOF the calling shell expands $timeout, $err and $((err+1)) while writing the file, and the installed script ends up with an empty loop bound and fails with a syntax error.

```bash
cat > /etc/keepalived/check_apiserver.sh << 'EOF'
#!/bin/bash
timeout=3
err=0
# Probe the haproxy unit up to $timeout times, one second apart
for ((i=0; i<timeout; i++)); do
    if systemctl is-active --quiet haproxy; then
        break
    else
        err=$((err+1))
        sleep 1
    fi
done
# If every probe failed, stop keepalived so the VIP is released and a BACKUP takes over
if [[ $err -eq $timeout ]]; then
    systemctl stop keepalived
    exit 1
else
    exit 0
fi
EOF
# enable_script_security requires the script and its directory to be owned by root and not writable by anyone else
chown root:root /etc/keepalived/check_apiserver.sh
chmod 0755 /etc/keepalived/check_apiserver.sh
```

Because the script calls systemctl stop keepalived, it must run as root. keepalived runs scripts as the keepalived_script user if such an account exists on the host; if it does, either remove that account or set script_user root in global_defs, otherwise the stop is denied and the VIP stays on a node whose haproxy is down.
4.2 How the check drives the switchover

keepalived runs check_apiserver.sh every 5 seconds (interval 5). A single bad run is ignored; after two consecutive failures (fall 2) the check is marked failed and weight -5 lowers the node's effective priority from 101 to 96. This script does not wait for that election: as soon as haproxy has been inactive for three consecutive probes it stops keepalived itself, the VIP is removed from eno3, the other nodes stop receiving advertisements, and after roughly three advertisement intervals the BACKUP with the highest priority (223 with 100) enters MASTER state and adds 192.167.14.205 to ens192. The cost of this design is that failback is not automatic: once haproxy is repaired on the old MASTER, keepalived has to be started again by hand, and because its priority is 101 it will then take the VIP back unless nopreempt is set (6.2). If the script only returned exit 1 instead of stopping keepalived, rise 1 would restore the priority automatically as soon as haproxy is back.
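The following check script is an added example, not the page's script. It plays the same role as check_apiserver.sh but reports health only through its exit status and never stops keepalived: on failure keepalived applies weight -5 (101 -> 96) and a BACKUP wins the election; when the check passes again, rise 1 restores the priority, so no manual restart is needed after haproxy is repaired. It also probes the API server behind haproxy rather than only the unit state. Assumptions (hypothetical): haproxy is the systemd unit fronting the API servers and the local kube-apiserver answers on 6443; probes and timings are variables so the logic can be exercised with true/false stubs instead of real services.

```shell
#!/bin/sh
# Added example, not the page's script: a keepalived check that signals health via
# exit status only, so keepalived's `weight`/`rise` handle failover and failback.
# Assumptions (hypothetical): haproxy is the unit fronting the API servers and the
# local kube-apiserver answers on 6443. Probes and timings are overridable variables.
RETRIES="${RETRIES:-3}"   # consecutive attempts before reporting failure
DELAY="${DELAY:-1}"       # seconds between attempts
HAPROXY_PROBE="${HAPROXY_PROBE:-systemctl is-active --quiet haproxy}"
# -k skips certificate verification on loopback; use --cacert /etc/kubernetes/pki/ca.crt
# instead if the check should also catch a wrong serving certificate
API_PROBE="${API_PROBE:-curl -sfk --max-time 2 -o /dev/null https://127.0.0.1:6443/healthz}"

# probe_with_retries <command...>: 0 on the first success, 1 if every attempt fails
probe_with_retries() {
    i=0
    while [ "$i" -lt "$RETRIES" ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        if [ "$i" -lt "$RETRIES" ]; then
            sleep "$DELAY"
        fi
    done
    return 1
}

# check_apiserver: 0 = healthy, 1 = haproxy inactive, 2 = haproxy up but the local
# API server does not answer. keepalived treats any non-zero status as a failed check.
check_apiserver() {
    # word splitting of the probe strings into command + arguments is intended
    if ! probe_with_retries $HAPROXY_PROBE; then
        echo "check_apiserver: haproxy is not active" >&2
        return 1
    fi
    if ! probe_with_retries $API_PROBE; then
        echo "check_apiserver: local kube-apiserver not answering" >&2
        return 2
    fi
    return 0
}

# The script's exit status is the check result (status of the last command)
check_apiserver
```

With three attempts per probe and a 2-second curl timeout the worst-case run is about 8 seconds, longer than interval 5 in the page's vrrp_script block; set interval 10 and a vrrp_script timeout above the worst case so keepalived neither overlaps runs nor kills the script early. Keep enable_script_security satisfied the same way as for the original script: root-owned, mode 0755, in a root-owned directory.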
V. Starting and Verifying the Service
5.1 Start the service

```bash
# Run on all nodes
systemctl daemon-reload
systemctl enable --now keepalived
systemctl status keepalived
```

5.2 Verifying the VIP

```bash
# Check which interface carries the VIP (use ens192 on the BACKUP nodes)
ip addr show eno3 | grep 192.167.14.205
```

Simulated failure, run on the MASTER node:

```bash
systemctl stop haproxy
tail -f /var/log/messages     # watch the state transitions; on journal-only hosts use journalctl -u keepalived -f
```

Expected result: within a few seconds the VIP disappears from eno3 on 119 and appears on ens192 on 223 (priority 100), and the API server stays reachable through 192.167.14.205. To restore, run systemctl start haproxy and then systemctl start keepalived on 119, since the check script stopped keepalived.
VI. Production Tuning
6.1 Hardening

VRRP (IP protocol 112) has no real authentication, so restrict who may reach the daemon at the packet level. Insert the rules at the head of the chain (-I) so that an existing catch-all REJECT does not shadow them, tighten the source to the individual peer addresses where possible, and persist them with the host's usual mechanism (iptables-save or the distribution's firewall service):

```bash
# Accept VRRP only from the cluster subnet, drop all other VRRP (all nodes)
iptables -I INPUT 1 -p vrrp -s 192.167.14.0/24 -j ACCEPT
iptables -I INPUT 2 -p vrrp -j DROP
```

6.2 Parameters

```text
vrrp_instance VI_1 {
    ...
    nopreempt                                   # a recovered higher-priority node does not take the VIP back; avoids flapping on a jittery network. Only honoured when state is BACKUP on every node
    notify_master "/path/to/notify.sh master"   # hook run on transition to MASTER (notify_backup / notify_fault exist as well)
}
```

keepalived.conf(5) lists a `debug` keyword under vrrp_instance but marks it "not implemented yet", so it has no effect; for more log output start the daemon with -D (log detail) or -l (log to console) through KEEPALIVED_OPTIONS in /etc/sysconfig/keepalived.
VII. Troubleshooting

| Symptom | Command | Fix |
|---|---|---|
| VIP not bound | ip addr show | check the interface name in the config and the firewall rules |
| Node stays in BACKUP | journalctl -u keepalived | confirm its priority is higher than the others', and that a failing track_script has not lowered its effective priority (weight) |
| Health check triggers switchover spuriously | systemctl status haproxy | raise interval/fall so a brief hiccup is tolerated |
| Nodes cannot see each other | tcpdump -i eno3 vrrp | check L2 connectivity and that the switch forwards multicast 224.0.0.18 and no firewall drops protocol 112 |
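The checks in 5.2 and in the table above are done by eye on one node. The script below is an added example (not from the original post) with two small checks that read command output on stdin, so they run against a live node (ip -o -4 addr | vip_holder ..., journalctl -u keepalived --no-pager | master_transitions ...) or against saved output. The sample data inside it is constructed to match the format of those commands and of keepalived 2.x log messages; it is not captured from a real cluster.

```shell
#!/bin/sh
# Added example, not from the original post: VIP-holder and flap checks over
# `ip -o -4 addr` and keepalived journal output. Sample data below is constructed.

VIP=192.167.14.205

# vip_holder <vip>: prints the interface carrying the VIP from `ip -o -4 addr`
# output; exit 1 when no interface has it (section VII, "VIP not bound").
vip_holder() {
    awk -v vip="$1" '
        $3 == "inet" && index($4, vip "/") == 1 { print $2; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# master_transitions <instance>: counts "Entering MASTER STATE" events for one
# vrrp_instance in keepalived journal lines. Several transitions within minutes
# mean the health check is flapping (section VII, third row): raise fall/interval.
master_transitions() {
    awk -v needle="($1) Entering MASTER STATE" 'index($0, needle) { n++ } END { print n + 0 }'
}

# Constructed sample: `ip -o -4 addr` on node 119 while it holds the VIP
IP_ADDR_SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eno3    inet 192.167.14.119/24 brd 192.167.14.255 scope global eno3\       valid_lft forever preferred_lft forever
2: eno3    inet 192.167.14.205/32 scope global eno3\       valid_lft forever preferred_lft forever'

# Constructed sample: journal of node 119 during the haproxy stop/start test of 5.2,
# modelled on the keepalived 2.x message format
JOURNAL_SAMPLE='Jun 01 10:00:01 k8s-119 Keepalived_vrrp[1201]: (VI_1) Entering MASTER STATE
Jun 01 10:05:12 k8s-119 Keepalived_vrrp[1201]: Script `chk_apiserver` now returning 1
Jun 01 10:05:12 k8s-119 Keepalived_vrrp[1201]: (VI_1) Changing effective priority from 101 to 96
Jun 01 10:05:15 k8s-119 Keepalived_vrrp[1201]: (VI_1) Received advert from 192.167.14.223 with higher priority 100, ours 96
Jun 01 10:05:15 k8s-119 Keepalived_vrrp[1201]: (VI_1) Entering BACKUP STATE
Jun 01 10:05:20 k8s-119 Keepalived_vrrp[1201]: Script `chk_apiserver` now returning 0
Jun 01 10:05:20 k8s-119 Keepalived_vrrp[1201]: (VI_1) Changing effective priority from 96 to 101
Jun 01 10:05:24 k8s-119 Keepalived_vrrp[1201]: (VI_1) Entering MASTER STATE'

main() {
    if iface=$(printf '%s\n' "$IP_ADDR_SAMPLE" | vip_holder "$VIP"); then
        echo "VIP $VIP is bound on $iface"
    else
        echo "VIP $VIP is not bound on this node"
    fi
    n=$(printf '%s\n' "$JOURNAL_SAMPLE" | master_transitions VI_1)
    echo "VI_1 entered MASTER state $n times in the sample"
}
main
```

In the sample journal the node becomes MASTER, loses the VIP when the check fails (effective priority 96 loses to 223's 100), and regains it once the check passes: two MASTER transitions in five minutes, which is the pattern to look for when a check is too sensitive.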
Further reading: "Keepalived Dual-Master Deployment"