Kubernetes etcd 技术指南
1. 简介与核心作用
etcd 是 K8S 集群的核心数据存储,采用 Raft 共识算法保证分布式一致性。存储内容:
- Pod、Service、ConfigMap、Secret 等资源对象元数据
- API Server 所有状态信息
- 集群自举信息、调度器与 Controller Manager 状态
存储架构
plaintext
┌────────────────────────────────────────────────────────────┐ │ etcd 存储架构 │ ├────────────────────────────────────────────────────────────┤ │ Client → API Server → WAL (预写日志) → Boltdb (KV存储) │ │ ↓ │ │ MVCC 多版本控制 + Watch 机制 │ └────────────────────────────────────────────────────────────┘2. 工作原理
2.1 Raft 选举与日志复制
Leader 选举
plaintext
Follower ──(选举超时150-300ms)──► Candidate ──(获得多数票)──► Leader ↑ └──(未获多数)──► 重试选举Term 概念:每个任期最多一个 Leader,节点通过 Term 判断过期信息。
日志复制流程
plaintext
Client → Leader: PUT key=value │ ▼ ┌─────────────┐ │ 写入本地 WAL │ └──────┬──────┘ ▼ 广播 AppendEntries RPC │ │ │ │ ▼ ▼ ▼ ▼ Node2 Node3 Node4 Node5 │ │ │ │ └────────┴────────┴────────┘ │ (多数派确认 3/5) ▼ ┌─────────────┐ │ 应用到状态机 │ │ 返回客户端 │ └─────────────┘ 日志条目结构: Index │ Term │ Data │ Committed 1 │ 1 │ kv1 │ ✓ 2 │ 1 │ kv2 │ ✓ 3 │ 2 │ kv3 │ ✓ 4 │ 2 │ kv4 │ -2.2 读写流程
- 写: Leader → WAL → 广播 Followers → 多数派确认 → 状态机
- 读: Leader 直接读本地;Follower 可转发 Leader 读
- Watch: gRPC 流实时推送 key 变化事件
2.3 MVCC 多版本控制
bash
etcdctl get --rev=100 /registry/pods/default # 读取历史版本 etcdctl compaction 10000 # 压缩历史3. 集群部署
3.1 kubeadm 静态 Pod 部署
yaml
# /etc/kubernetes/manifests/etcd.yaml apiVersion: v1 kind: Pod metadata: labels: component: etcd tier: control-plane name: etcd namespace: kube-system spec: containers: - command: - etcd - --data-dir=/var/lib/etcd - --wal-dir=/var/lib/etcd/wal - --name=node1 - --cert-file=/etc/kubernetes/pki/etcd/server.crt - --key-file=/etc/kubernetes/pki/etcd/server.key - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt - --client-cert-auth=true - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt - --peer-client-cert-auth=true - --listen-peer-urls=https://0.0.0.0:2380 - --listen-client-urls=https://0.0.0.0:2379 - --advertise-client-urls=https://192.168.1.10:2379 - --initial-cluster=node1=https://192.168.1.10:2380,node2=https://192.168.1.11:2380,node3=https://192.168.1.12:2380 - --initial-cluster-state=new - --initial-cluster-token=etcd-cluster - --quota-backend-bytes=8589934592 - --auto-compaction-retention=1 - --heartbeat-interval=500 - --election-timeout=2500 image: registry.k8s.io/etcd:3.5.9 livenessProbe: httpGet: host: 192.168.1.10 path: /health port: 2379 scheme: HTTPS initialDelaySeconds: 10 periodSeconds: 10 volumeMounts: - mountPath: /var/lib/etcd name: etcd-data - mountPath: /etc/kubernetes/pki/etcd name: etcd-certs volumes: - hostPath: path: /var/lib/etcd type: DirectoryOrCreate name: etcd-data - hostPath: path: /etc/kubernetes/pki/etcd type: DirectoryOrCreate name: etcd-certs3.2 关键参数
表格
| 参数 | 说明 | 推荐值 |
|---|---|---|
--quota-backend-bytes | 数据库配额 | 8GB |
--heartbeat-interval | 心跳间隔(ms) | 500 |
--election-timeout | 选举超时(ms) | 5000 |
--auto-compaction-retention | 自动压缩(小时) | 1 |
--snapshot-count | 快照触发事务数 | 5000 |
4. 常用操作命令
4.1 健康检查
bash
export ETCDCTL_API=3 export ETCDCTL_CACERT=/etc/kubernetes/pki/etcd/ca.crt export ETCDCTL_CERT=/etc/kubernetes/pki/etcd/server.crt export ETCDCTL_KEY=/etc/kubernetes/pki/etcd/server.key etcdctl member list -w table # 成员列表 etcdctl endpoint health -w table # 健康状态 etcdctl endpoint status -w table # 状态详情4.2 数据操作
bash
etcdctl put /registry/pods/default/nginx '{"apiVersion":"v1"}' # 写入 etcdctl get /registry/pods/default/nginx # 读取 etcdctl get --prefix /registry/pods/ # 前缀查询 etcdctl del /registry/pods/default/nginx # 删除 etcdctl get --rev=100 /registry/pods/default # 历史版本4.3 备份与恢复
bash
# 快照备份 etcdctl snapshot save /backup/etcd-snapshot-$(date +%Y%m%d).db # 检查快照 etcdctl snapshot status /backup/etcd-snapshot.db -w table # 恢复快照 etcdctl snapshot restore /backup/etcd-snapshot.db \ --name=node1 \ --initial-cluster=node1=https://192.168.1.10:2380,node2=https://192.168.1.11:2380 \ --initial-cluster-token=etcd-cluster \ --initial-advertise-peer-urls=https://192.168.1.10:2380 \ --data-dir=/var/lib/etcd4.4 成员管理
bash
etcdctl member add node4 --peer-urls=https://192.168.1.13:2380 # 添加 etcdctl member remove <member_id> # 移除 etcdctl member update <member_id> --peer-urls=https://... # 更新4.5 维护操作
bash
etcdctl defrag --endpoints=$ENDPOINTS # 碎片整理(必须定期) etcdctl compaction <revision> # 压缩历史版本 etcdctl alarm disarm # 取消空间告警5. 常见问题与排查
5.1 集群脑裂 / 成员故障
排查步骤:
bash
# 1. 检查日志 kubectl logs -n kube-system etcd-node1 --tail=100 # 2. 成员状态 etcdctl member list # 3. 网络连通性 nc -zv <peer_ip> 2380 # 4. 检查选举超时一致性 grep -E "heartbeat|election" /etc/kubernetes/manifests/etcd.yaml解决方案:
bash
# 重启故障节点 sudo systemctl restart etcd # 移除不可用节点 etcdctl member remove <故障节点ID> # 完全不可用时从快照恢复5.2 数据库空间不足
错误:etcdserver: mvcc: database space exceeded
排查:
bash
etcdctl endpoint status -w table # 查看配额使用 du -sh /var/lib/etcd/ # 查看实际大小解决:
bash
# 1. 取消告警 etcdctl alarm disarm # 2. 压缩历史版本 REVISION=$(etcdctl endpoint status --write-out=json | jq -r '.[0].Status.header.revision') etcdctl compaction $((REVISION - 1000)) # 3. 碎片整理 etcdctl defrag --endpoints=$ENDPOINTS # 4. 验证 etcdctl endpoint status -w table预防: 配额设 8GB + auto-compaction + 定期备份
5.3 API Server 连接超时
排查:
bash
# 1. etcd 服务状态 kubectl get pods -n kube-system -l component=etcd # 2. 健康状态 etcdctl endpoint health # 3. API Server 日志 kubectl logs -n kube-system kube-apiserver-<node> --tail=50 | grep -i etcd # 4. 证书检查 openssl x509 -in /etc/kubernetes/pki/etcd/server.crt -noout -dates常见原因: 证书过期、CN 不匹配、网络不通、防火墙阻断
6. 最佳实践
6.1 集群规模建议
表格
| 规模 | 节点 | CPU | 内存 | 磁盘 |
|---|---|---|---|---|
| <100节点 | 1-3 | 2C | 4G | 50GB SSD |
| 100-500 | 3 | 4C | 8G | 100GB SSD |
| 500+ | 3-5 | 8C | 16G | 200GB SSD |
6.2 硬件配置
- 磁盘: NVMe SSD,WAL 独立分区
- 网络: 10Gbps,建议独立网络隔离
- 内存: 8GB 以上,内存直接影响性能
6.3 备份策略
bash
#!/bin/bash # /usr/local/bin/etcd-backup.sh BACKUP_DIR=/backup/etcd DATE=$(date +%Y%m%d%H%M%S) export ETCDCTL_API=3 export ETCDCTL_CACERT=/etc/kubernetes/pki/etcd/ca.crt export ETCDCTL_CERT=/etc/kubernetes/pki/etcd/server.crt export ETCDCTL_KEY=/etc/kubernetes/pki/etcd/server.key etcdctl snapshot save ${BACKUP_DIR}/etcd-snapshot-${DATE}.db find ${BACKUP_DIR} -name "etcd-snapshot-*.db" -mtime +7 -delete6.4 灾难恢复流程
bash
# 1. 停止控制平面 sudo systemctl stop kube-apiserver kube-controller-manager kube-scheduler # 2. 停止 etcd sudo systemctl stop etcd # 3. 清理数据 sudo mv /var/lib/etcd /var/lib/etcd.bak # 4. 恢复快照 etcdctl snapshot restore /backup/etcd-snapshot.db \ --name=node1 \ --initial-cluster=node1=https://192.168.1.10:2380,node2=https://192.168.1.11:2380 \ --initial-cluster-token=etcd-cluster \ --initial-advertise-peer-urls=https://192.168.1.10:2380 \ --data-dir=/var/lib/etcd # 5. 启动并验证 sudo systemctl start etcd etcdctl endpoint health kubectl get nodes6.5 监控指标
关键 Prometheus 指标:
etcd_server_leader_changes_seen_total- Leader 变更次数etcd_mvcc_db_total_size_in_bytes- 数据库大小etcd_server_quota_backend_bytes- 配额使用率etcd_network_peer_round_trip_time_seconds- 节点延迟
参考: K8S etcd 文档 | etcd 官方