Operating system information
Cloud server, CentOS 8, 4C/8G

Kubernetes version information
Client Version: v1.30.6

Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3

Server Version: v1.30.6

Container runtime
Version: 0.1.0

RuntimeName: containerd

RuntimeVersion: v1.7.13

RuntimeApiVersion: v1

KubeSphere version information

v4.1.2

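I want to make the KubeSphere web console highly available by adding multiple replicas of ks-apiserver. However, when the ks-apiserver replica count is set to 2 or more, because Redis is not used as the ks-apiserver authentication database, I cannot log in after entering the username and password on the web page. After deploying Redis in the kubesphere-system namespace, I still cannot get ks-apiserver to use Redis as the in-memory database for storing login information. How can this be resolved?

The YAML for ks-apiserver is as follows: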

kind: Deployment
apiVersion: apps/v1
metadata:
  name: ks-apiserver
  namespace: kubesphere-system
  labels:
    app: ks-apiserver
    app.kubernetes.io/managed-by: Helm
    tier: backend
    version: v4.1.2
  annotations:
    deployment.kubernetes.io/revision: '28'
    meta.helm.sh/release-name: ks-core
    meta.helm.sh/release-namespace: kubesphere-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ks-apiserver
      tier: backend
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: ks-apiserver
        tier: backend
      annotations:
        checksum/config: 5056df120376721279cd723870ab5f7683b736412056e9c5d98b35e04455f08d
        kubectl.kubernetes.io/restartedAt: '2025-04-24T00:16:59+08:00'
        kubesphere.io/imagepullsecrets: '{}'
        kubesphere.io/restartedAt: '2025-04-23T16:12:30.490Z'
    spec:
      volumes:
        - name: kubesphere-config
          configMap:
            name: kubesphere-config
            defaultMode: 420
        - name: host-time
          hostPath:
            path: /etc/localtime
            type: ''
      containers:
        - name: ks-apiserver
          image: >-
            swr.cn-southwest-2.myhuaweicloud.com/ks/kubesphere/ks-apiserver:v4.1.2
          command:
            - ks-apiserver
            - '--logtostderr=true'
          ports:
            - name: http-0
              containerPort: 9090
              protocol: TCP
          env:
            - name: REDIS_HOST
              value: redis.kubesphere-system.svc.cluster.local
            - name: REDIS_PORT
              value: '6379'
          resources:
            limits:
              cpu: '1'
              memory: 1Gi
            requests:
              cpu: 20m
              memory: 100Mi
          volumeMounts:
            - name: kubesphere-config
              mountPath: /etc/kubesphere/
            - name: host-time
              readOnly: true
              mountPath: /etc/localtime
          livenessProbe:
            httpGet:
              path: /version
              port: 9090
              scheme: HTTP
            initialDelaySeconds: 15
            timeoutSeconds: 15
            periodSeconds: 10
            successThreshold: 1
            failureThreshold: 8
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      serviceAccountName: kubesphere
      serviceAccount: kubesphere
      securityContext: {}
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: node-role.kubernetes.io/control-plane
                    operator: In
                    values:
                      - ''
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app: ks-apiserver
                namespaces:
                  - kubesphere-system
                topologyKey: kubernetes.io/hostname
      schedulerName: default-scheduler
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
        - key: CriticalAddonsOnly
          operator: Exists
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0
      maxSurge: 1
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600

The kubesphere-config ConfigMap is as follows:

redis:
  host: redis.kubesphere-system.svc.cluster.local
  port: 6379
authentication:
  authenticateRateLimiterMaxTries: 10
  authenticateRateLimiterDuration: 10m0s
  loginHistoryRetentionPeriod: 168h
  multipleLogin: true
  issuer:
    url: "http://ks-console.kubesphere-system.svc:30880"
    jwtSecret: "NOw582XJjdJ7foaAfasHf3urle9IjNFI"
    maximumClockSkew: 10s
    accessTokenMaxAge: 2h
    accessTokenInactivityTimeout: 30m
s3:
  endpoint: ""
  region: us-east-1
  disableSSL: true
  forcePathStyle: true
  accessKeyID: admin
  secretAccessKey: admin
  bucket: uploads
multicluster:
  clusterRole: "host"
  hostClusterName: "host"
terminal:
  kubectl:
    image: swr.cn-southwest-2.myhuaweicloud.com/ks/kubesphere/kubectl:v1.27.16
  node:
    image: swr.cn-southwest-2.myhuaweicloud.com/ks/kubesphere/kubectl:v1.27.16
  uploadFileLimit: 100Mi
helmExecutor:
  image: swr.cn-southwest-2.myhuaweicloud.com/ks/kubesphere/kubectl:v1.27.16
  timeout: 10m
  historyMax: 2
  jobTTLAfterFinished: 0s
  resources:
    limits:
      cpu: 500m
      memory: 500Mi
    requests:
      cpu: 100m
      memory: 100Mi
extension:
  imageRegistry: "swr.cn-southwest-2.myhuaweicloud.com/ks"
experimental:
  validationDirective: ""
composedApp:
  appSelector: ""
kubesphere:
  tls: false
telemetry:
  ksCloudURL: "https://kubesphere.cloud"
auditing:
  auditLevel: Metadata
  enable: false
  logOptions:
    maxAge: 7
    maxBackups: 10
    maxSize: 100
    path: /etc/audit/audit.log

The problem has been solved. By specifying the KubeSphere cluster's high-availability parameters with Helm, ks-apiserver can be switched to multi-replica mode.
helm upgrade --install -n kubesphere-system --create-namespace ks-core https://charts.kubesphere.io/main/ks-core-1.1.3.tgz --debug --wait \
--set global.imageRegistry=swr.cn-southwest-2.myhuaweicloud.com/ks \
--set extension.imageRegistry=swr.cn-southwest-2.myhuaweicloud.com/ks

If https://charts.kubesphere.io/main/ks-core-1.1.3.tgz cannot be reached, first download the file to a local machine through a proxy, upload it to the server, and then upgrade KubeSphere offline:
helm upgrade --install -n kubesphere-system --create-namespace ks-core ./ks-core-1.1.3.tgz --debug --wait \
--set global.imageRegistry=swr.cn-southwest-2.myhuaweicloud.com/ks \
--set extension.imageRegistry=swr.cn-southwest-2.myhuaweicloud.com/ks --set ha.enabled=true --set redisHA.enabled=true

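After the upgrade completed, ks-apiserver in the kubesphere-system namespace switched to 3 replicas, and a new 3-replica Deployment, ks-core-redisha-haproxy, was added. After shutting down the master01 server, the KubeSphere console website can still be accessed normally.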
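
A post-upgrade check for the result described above, as an added example that is not part of the original post or of KubeSphere: it confirms that ks-apiserver and ks-core-redisha-haproxy have ready replicas and that the ks-apiserver pods actually sit on different nodes, since the pod anti-affinity in the posted manifest is only `preferredDuringSchedulingIgnoredDuringExecution`. The `KUBECTL` variable, the function names and the minimum of 2 are assumptions of this example; the namespace, Deployment names and `app=ks-apiserver` label come from the post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Deployment names, namespace and
# label come from the post; KUBECTL, function names and thresholds are assumptions.
KUBECTL="${KUBECTL:-kubectl}"
NS="kubesphere-system"

# ready_replicas <deployment>: print .status.readyReplicas, or 0 if absent.
ready_replicas() {
  local n
  n="$($KUBECTL -n "$NS" get deployment "$1" \
        -o jsonpath='{.status.readyReplicas}' 2>/dev/null)" || n=""
  echo "${n:-0}"
}

# distinct_nodes <label-selector>: count nodes hosting Running pods.
distinct_nodes() {
  $KUBECTL -n "$NS" get pods -l "$1" --field-selector=status.phase=Running \
    -o jsonpath='{range .items[*]}{.spec.nodeName}{"\n"}{end}' 2>/dev/null \
    | sed '/^$/d' | sort -u | wc -l | tr -d ' '
}

# check <description> <actual> <minimum>: print OK/FAIL, return 1 on FAIL.
check() {
  if [ "$2" -ge "$3" ]; then
    echo "OK   $1: $2"
  else
    echo "FAIL $1: $2 (need >= $3)"
    return 1
  fi
}

# verify_ha: run every check; return 0 only if all of them pass.
verify_ha() {
  local rc=0
  check "ks-apiserver ready replicas" "$(ready_replicas ks-apiserver)" 2 || rc=1
  check "ks-core-redisha-haproxy ready replicas" \
        "$(ready_replicas ks-core-redisha-haproxy)" 2 || rc=1
  # Anti-affinity in the manifest is only "preferred", so co-location is possible.
  check "nodes hosting ks-apiserver pods" "$(distinct_nodes app=ks-apiserver)" 2 || rc=1
  return "$rc"
}

# Run against the live cluster only when asked: ./verify-ha.sh --run
if [ "${1:-}" = "--run" ]; then verify_ha; fi
```

A FAIL on the node count with healthy replica counts means the replicas share one node, so losing that node still takes the console down.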
