Kubespray commit 1de12747, authored 8 years ago by Smaine Kahlouch, committed by GitHub 8 years ago
Merge pull request #549 from bogdando/fix_ha_lb
Update ha docs
Parents: f74d6b08, 40de4684
docs/ha-mode.md: 11 additions, 14 deletions
...
...
@@ -49,9 +49,11 @@ type. The following diagram shows how traffic to the apiserver is directed.

..n
ote:
:
Kubernetes master nodes still use insecure localhost access because
N
ote: Kubernetes master nodes still use insecure localhost access because
there are bugs in Kubernetes <1.5.0 in using TLS auth on master role
services.
services. This makes backends receiving unencrypted traffic and may be a
security issue when interconnecting different nodes, or maybe not, if those
belong to the isolated management network without external access.
A user may opt to use an external loadbalancer (LB) instead. An external LB
provides access for external clients, while the internal LB accepts client
...
...
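Review bot: The sentence added after "services." hedges the risk ("may be a security issue ... or maybe not") and does not say which connection is unencrypted. The note starts from localhost access on master nodes but then warns about "interconnecting different nodes", so a reader cannot tell whether the plaintext traffic stays on loopback or crosses the network to backends on other nodes. Suggest naming that connection and stating the condition as a requirement, for example that this traffic must stay on an isolated management network without external access. Also, "This makes backends receiving" should read "This means backends receive".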
@@ -81,24 +83,19 @@ loadbalancer_apiserver:
This domain name, or default "lb-apiserver.kubernetes.local", will be inserted
into the
`/etc/hosts`
file of all servers in the
`k8s-cluster`
group. Note that
the HAProxy service should as well be HA and requires a VIP management, which
is out of scope of this doc.
is out of scope of this doc. Specifying an external LB overrides any internal
localhost LB configuration.
Specifying an external LB overrides any internal localhost LB configuration.
Note that for this example, the
`kubernetes-apiserver-http`
endpoint
has backends receiving unencrypted traffic, which may be a security issue
when interconnecting different nodes, or maybe not, if those belong to the
isolated management network without external access.
In order to achieve HA for HAProxy instances, those must be running on the
each node in the
`k8s-cluster`
group as well, but require no VIP, thus
Note: In order to achieve HA for HAProxy instances, those must be running on
the each node in the
`k8s-cluster`
group as well, but require no VIP, thus
no VIP management.
Access endpoints are evaluated automagically, as the following:
| Endpoint type | kube-master | non-master |
|------------------------------|---------------|---------------------|
| Local LB | http://lc:p | http://lc:sp
|
| External LB, no internal | http://l
c:p
| https://lb:lp |
| Local LB | http://lc:p | http
s
://lc:sp |
| External LB, no internal | http
s
://l
b:lp
| https://lb:lp |
| No ext/int LB (default) | http://lc:p | https://m[0].aip:sp |
Where:
...
...
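Review bot: The paragraph warning that the `kubernetes-apiserver-http` endpoint "has backends receiving unencrypted traffic" is deleted from the external LB section, and nothing in this hunk replaces it. If the HAProxy example above this paragraph still defines that endpoint, readers who copy the example lose the warning at the point where they need it. Suggest keeping one sentence here that points to the note on insecure master access, or removing the plaintext endpoint from the example in the same change. The table change is consistent with that direction (the "External LB, no internal" kube-master cell moves from http://lc:p to https://lb:lp), but the "Local LB" and default rows still list http://lc:p for kube-master, so the doc should say that these are the insecure localhost case. Minor: "running on the each node" is carried over into the new "Note:" line and should read "running on each node".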