Open in app

Sign in

Write

Sign in

HAproxy and keepAlived for Multiple Kubernetes Master Nodes

j3ffyang
3 min readNov 29, 2021

.

Background

Several months ago, in a project, I was trying to deploy a Kubernetes cluster with kubespray. Considering to build an high available cluster with multiple master nodes and separate etcd (not in container but directly on file system), an haproxy can be a good option. I built my own haproxy to enable a floating IP for multiple Kubernetes APIs to which worker nodes connect.

Architecture

The above diagram is drawn in plantuml. Source code attached at the bottom

Description:

  • haproxy and keepalived are installed on 10.0.10.14 and 10.0.10.15 VMs respectively
  • 10.0.10.200 is the floating virtual IP failover between 10.0.10.14 and 10.0.10.15
  • Load Balancing (LB) service, bound to 10.0.10.200 over port 8383. Request hitting 10.0.10.200 over port 8383 will be forwarded to those 3 Kubernetes master nodes (10.0.10.14/15/16) over port 6443

Note: etcd cluster is created by Ansible as well

Reference >
https://kubesphere.io/docs/installing-on-linux/high-availability-configurations/set-up-ha-cluster-using-keepalived-haproxy/
https://kubespray.io/#/docs/ha-mode

Install

  • Install haproxy and keepalived on 10.0.10.14 and 10.0.10.15

Configure haproxy

  • /etc/haproxy/haproxy.cfg on 10.0.10.14 and 10.0.10.15

They’re identical on 2 HAproxy machines

ubuntu@node1:~$ cat /etc/haproxy/haproxy.cfg
global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-ticketsdefaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.httpfrontend kube-apiserver
  bind *:8383
  mode tcp
  option tcplog
  default_backend kube-apiserverbackend kube-apiserver
    mode tcp
    option tcplog
    option tcp-check      
    balance roundrobin
    default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
    server kube-apiserver-1 10.0.10.14:6443 check # Replace the IP address with your own.
    server kube-apiserver-2 10.0.10.15:6443 check # Replace the IP address with your own.
    server kube-apiserver-3 10.0.10.16:6443 check # Replace the IP address with your own.

Configure keepalived

  • /etc/keepalived/keepalived.conf on 10.0.10.14

unicast_src_ip = the current machine
unicast_peer = the remote peer(s). There could be multiple peers

ubuntu@node1:~$ cat /etc/keepalived/keepalived.conf
global_defs {
  notification_email {
  }
  router_id LVS_DEVEL
  vrrp_skip_check_adv_addr
  vrrp_garp_interval 0
  vrrp_gna_interval 0
}vrrp_script chk_haproxy {
  script "killall -0 haproxy"
  interval 2
  weight 2
}vrrp_instance haproxy-vip {
  state BACKUP
  priority 100
  interface eth0                # Network card
  virtual_router_id 60
  advert_int 1
  authentication {
    auth_type PASS
    auth_pass 1111
  }
  unicast_src_ip 10.0.10.14	# The IP address of this machine
  unicast_peer {
    10.0.10.15			# The IP address of peer machines
  }  virtual_ipaddress {
    10.0.10.200/24              # The virtualIP address
  }  track_script {
    chk_haproxy
  }
}

Change unicase_arc_ip and unicast_peer if adding additional peer(s)

  • Restart haproxy and keepalived
systemctl restart haproxy keepalived
systemctl enable haproxy keepalived

Test

systemctl stop haproxy

This will force the floatIP floating to the peer of haproxy

Reference > https://github.com/kubernetes-sigs/kubespray/blob/master/docs/ha-mode.md

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Kubernetes
Haproxy
Loadbalancing
Keepalived
Highavailability

j3ffyang
j3ffyang

Written by j3ffyang

145 Followers
320 Following

ardent linux user, opensource, kubernetes containerization, blockchain, data security. handler of @analyticsource and @j3ffyang

Responses (1)

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech