【原】kubeadm 安裝高可用叢集初始化檔案模板
阿新 • • 發佈:2020-11-23
# Install kubelet/kubeadm/kubectl on every host in the ansible group "k8s",
# pinned to one version so the three binaries stay within kubeadm's version-skew rules.
# K8S_VER is expanded locally and must match `kubernetesVersion` in init-config.yaml.
# NOTE(review): this assumes the Kubernetes yum repository is already configured on the
# hosts (ideally with gpgcheck enabled) — that setup is not shown on this page; confirm.
K8S_VER=1.19.4
ansible k8s -m shell -a "yum install -y kubelet-${K8S_VER} kubeadm-${K8S_VER} kubectl-${K8S_VER}"
1. 生成檔案
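# Dump kubeadm's default InitConfiguration + ClusterConfiguration as the starting point
# for init-config.yaml. `--component-configs KubeProxyConfiguration` additionally prints
# the kube-proxy defaults, so the KubeProxyConfiguration document edited in the next
# step (mode: ipvs) starts from kubeadm's own defaults instead of being hand-written.
# The printed defaults contain the placeholder bootstrap token abcdef.0123456789abcdef;
# it is publicly known and must be removed or replaced before `kubeadm init`.
kubeadm config print init-defaults --component-configs KubeProxyConfiguration > init-config.yaml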
2.修改檔案
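# kubeadm init configuration for an HA control plane (Kubernetes v1.19.4).
# Three YAML documents: InitConfiguration (this node), ClusterConfiguration (cluster-wide),
# KubeProxyConfiguration (kube-proxy mode).
apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
bootstrapTokens:
  # No `token:` here on purpose. The value printed by `kubeadm config print init-defaults`
  # (abcdef.0123456789abcdef) is a publicly known placeholder; anyone who can reach the API
  # server while it is valid (ttl below) can use it to join a node. With the field omitted
  # kubeadm generates a random token at init time (check with `kubeadm token list` afterwards);
  # alternatively set it to the output of `kubeadm token generate` and keep this file out of
  # version control.
  - groups:
      - system:bootstrappers:kubeadm:default-node-token
    ttl: 24h0m0s
    usages:
      - signing
      - authentication
localAPIEndpoint:
  advertiseAddress: 192.168.0.18 # this node's IP
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: uk8s1
  taints:
    - effect: NoSchedule
      key: node-role.kubernetes.io/master
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
apiServer:
  timeoutForControlPlane: 4m0s
  # Every address clients use to reach the API server must be in the serving cert.
  certSANs:
    - "192.168.0.238" # internal LB
    - "192.168.0.18"
    - "192.168.0.169"
    - "192.168.0.131"
    - "127.0.0.1"
    # NOTE(review): a public LB SAN implies the API server is reachable from the internet;
    # restrict port 6443 at the LB / security group to known source ranges — confirm.
    - "117.50.84.64" # external LB
# Multi-master: must be the LB address, not a single node.
controlPlaneEndpoint: "192.168.0.238:6443"
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
# For an external etcd cluster replace the `etcd:` block above with:
#etcd:
#  external:
#    endpoints:
#      - https://192.168.0.18:2379
#      - https://192.168.0.169:2379
#      - https://192.168.0.131:2379
#    caFile: /etc/kubernetes/pki/etcd/ca.crt
#    certFile: /etc/kubernetes/pki/apiserver-etcd-client.crt
#    keyFile: /etc/kubernetes/pki/apiserver-etcd-client.key
# Image registry. The upstream default is k8s.gcr.io; the Aliyun mirror below is a
# third-party copy pulled by tag, so trust in the control-plane images shifts to that mirror.
#imageRepository: k8s.gcr.io
imageRepository: registry.aliyuncs.com/google_containers
kubernetesVersion: v1.19.4 # keep in sync with the installed kubeadm/kubelet packages
networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/12 # service CIDR
  podSubnet: "10.244.0.0/16" # pod CIDR (must match the CNI plugin's configuration)
scheduler: {}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: "ipvs" # requires the ipvs kernel modules on every node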
3.通過檔案部署
# Bootstrap the first control-plane node from init-config.yaml.
# Single master: plain `kubeadm init --config`.
# Multi master: --upload-certs stores the shared control-plane certificates in the
# cluster so the other control-plane nodes can fetch them when they join.
# NOTE(review): kubeadm prints the join command — bootstrap token and, with
# --upload-certs, the certificate key — on stdout; treat that output as a secret
# (do not commit it or paste it into tickets/chat).
kubeadm init \
  --config init-config.yaml \
  --upload-certs
4.檢視證書過期時間
[root@uk8s1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 22, 2021 13:01 UTC   364d                                    no
apiserver                  Nov 22, 2021 13:01 UTC   364d            ca                      no
apiserver-etcd-client      Nov 22, 2021 13:01 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Nov 22, 2021 13:01 UTC   364d            ca                      no
controller-manager.conf    Nov 22, 2021 13:01 UTC   364d                                    no
etcd-healthcheck-client    Nov 22, 2021 13:01 UTC   364d            etcd-ca                 no
etcd-peer                  Nov 22, 2021 13:01 UTC   364d            etcd-ca                 no
etcd-server                Nov 22, 2021 13:01 UTC   364d            etcd-ca                 no
front-proxy-client         Nov 22, 2021 13:01 UTC   364d            front-proxy-ca          no
scheduler.conf             Nov 22, 2021 13:01 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 20, 2030 13:01 UTC   9y              no
etcd-ca                 Nov 20, 2030 13:01 UTC   9y              no
front-proxy-ca          Nov 20, 2030 13:01 UTC   9y              no
5.續簽證書
注意：`kubeadm alpha certs renew all` 只重新產生磁碟上的憑證與 kubeconfig 檔案；kube-apiserver、kube-controller-manager、kube-scheduler 與 etcd 這些靜態 Pod 需要重啟後才會載入新憑證，且需重新把 /etc/kubernetes/admin.conf 複製到 ~/.kube/config。多主叢集要在每個控制平面節點各執行一次。
[root@uk8s1 ~]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@uk8s1 ~]#
[root@uk8s1 ~]#
[root@uk8s1 ~]#
[root@uk8s1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 22, 2021 13:12 UTC   364d                                    no
apiserver                  Nov 22, 2021 13:12 UTC   364d            ca                      no
apiserver-etcd-client      Nov 22, 2021 13:12 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Nov 22, 2021 13:12 UTC   364d            ca                      no
controller-manager.conf    Nov 22, 2021 13:12 UTC   364d                                    no
etcd-healthcheck-client    Nov 22, 2021 13:12 UTC   364d            etcd-ca                 no
etcd-peer                  Nov 22, 2021 13:12 UTC   364d            etcd-ca                 no
etcd-server                Nov 22, 2021 13:12 UTC   364d            etcd-ca                 no
front-proxy-client         Nov 22, 2021 13:12 UTC   364d            front-proxy-ca          no
scheduler.conf             Nov 22, 2021 13:12 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 20, 2030 13:01 UTC   9y              no
etcd-ca                 Nov 20, 2030 13:01 UTC   9y              no
front-proxy-ca          Nov 20, 2030 13:01 UTC   9y              no