【原】kubeadm 安装高可用集群初始化文件模板

liyongjian5179 2020-11-22 21:38 原文

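# Install the pinned kubelet/kubeadm/kubectl versions on every host in the "k8s"
# inventory group. The version must match `kubernetesVersion` in init-config.yaml
# (v1.19.4 below), otherwise `kubeadm init` refuses or the kubelet skews.
# The yum module is used instead of `-m shell "yum install ..."`: it is idempotent
# and does not shell out. The repo that provides these packages should have
# gpgcheck enabled so package signatures are verified at install time — the repo
# definition is not shown on this page, so confirm it on the hosts.
ansible k8s -m yum -a "name=kubelet-1.19.4,kubeadm-1.19.4,kubectl-1.19.4 state=present"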

1. 生成文件

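# Generate the starting template. By default `init-defaults` emits only the
# InitConfiguration and ClusterConfiguration documents; --component-configs also
# emits the KubeProxyConfiguration document that the template below edits
# (mode: ipvs), so it does not have to be hand-written.
# The file will carry the bootstrap token that lets nodes join the cluster, so
# create it readable by root only; the subshell keeps the umask change local.
( umask 077 && kubeadm config print init-defaults --component-configs KubeProxyConfiguration >init-config.yaml )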

2.修改文件

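apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  # No `token:` value on purpose. `kubeadm config print init-defaults` emits the
  # well-known placeholder abcdef.0123456789abcdef; leaving it in the template
  # means anyone who can reach the API server and knows the default can
  # authenticate as a bootstrapper and register a node while the token is valid
  # (24h here). With the field unset, kubeadm fills in a random token at init
  # time and prints it in the join command; alternatively paste the output of
  # `kubeadm token generate`.
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 192.168.0.18   # this node's own IP
  bindPort: 6443
nodeRegistration:
  # dockershim (the 1.19 default); deprecated from 1.20 onward — switch to
  # containerd/CRI-O when upgrading.
  criSocket: /var/run/dockershim.sock
  name: uk8s1
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master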
---
apiServer:
  timeoutForControlPlane: 4m0s
  # Every address clients use to reach the API server must be in the serving
  # certificate, otherwise TLS verification fails.
  certSANs:
  - "192.168.0.238"    # internal load balancer (same address as controlPlaneEndpoint below)
  - "192.168.0.18"     # node IPs (appear to be the three control-plane hosts; same as the etcd endpoints below)
  - "192.168.0.169"
  - "192.168.0.131"
  - "127.0.0.1"
  - "117.50.84.64"     # public load balancer: the API server is reachable on a public address.
                       # This file does not restrict who may connect — limit source IPs at the
                       # LB / security group.
# With several control-plane nodes this must be a load-balancer address (the
# internal SLB above), not a single node; joins and kubeconfigs pin to it.
controlPlaneEndpoint: "192.168.0.238:6443"
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
# For an external etcd cluster, replace etcd.local with this block. The cert/key
# paths are where kubeadm expects the API server's etcd client identity.
#etcd:
#  external:
#    endpoints:
#    - https://192.168.0.18:2379
#    - https://192.168.0.169:2379
#    - https://192.168.0.131:2379
#    caFile: /etc/kubernetes/pki/etcd/ca.crt
#    certFile: /etc/kubernetes/pki/apiserver-etcd-client.crt
#    keyFile: /etc/kubernetes/pki/apiserver-etcd-client.key
# Image registry. The Aliyun mirror stands in for k8s.gcr.io (typically because
# k8s.gcr.io is not reachable from the network in question). Note this moves
# image provenance to a third party — compare image digests against upstream if
# supply-chain integrity matters for this cluster.
#imageRepository: k8s.gcr.io
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.19.4      # must match the installed kubeadm/kubelet packages
networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/12   # Service ClusterIP range
  podSubnet: "10.244.0.0/16"    # Pod CIDR; the CNI plugin must be configured with the same range
scheduler: {}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
# ipvs mode needs the ip_vs kernel modules on every node; if they cannot be
# loaded kube-proxy falls back to iptables — check the kube-proxy logs after init.
mode: "ipvs"

3.通过文件部署

# Multi-control-plane install: --upload-certs stores the shared control-plane
# certificates in the cluster (encrypted, in the kubeadm-certs Secret) so the
# remaining control-plane nodes can fetch them with `kubeadm join --control-plane`.
# The init output prints the bootstrap token and the --certificate-key needed
# for that: treat the output as a secret. The uploaded certs expire after 2 hours;
# re-run `kubeadm init phase upload-certs --upload-certs` if a node joins later.
kubeadm init --upload-certs --config init-config.yaml

4.查看证书过期时间

[root@uk8s1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 22, 2021 13:01 UTC   364d                                    no
apiserver                  Nov 22, 2021 13:01 UTC   364d            ca                      no
apiserver-etcd-client      Nov 22, 2021 13:01 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Nov 22, 2021 13:01 UTC   364d            ca                      no
controller-manager.conf    Nov 22, 2021 13:01 UTC   364d                                    no
etcd-healthcheck-client    Nov 22, 2021 13:01 UTC   364d            etcd-ca                 no
etcd-peer                  Nov 22, 2021 13:01 UTC   364d            etcd-ca                 no
etcd-server                Nov 22, 2021 13:01 UTC   364d            etcd-ca                 no
front-proxy-client         Nov 22, 2021 13:01 UTC   364d            front-proxy-ca          no
scheduler.conf             Nov 22, 2021 13:01 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 20, 2030 13:01 UTC   9y              no
etcd-ca                 Nov 20, 2030 13:01 UTC   9y              no
front-proxy-ca          Nov 20, 2030 13:01 UTC   9y              no

5.续签证书（注意：`kubeadm alpha certs renew all` 只更新磁盘上的证书文件；执行后需要重启 kube-apiserver、kube-controller-manager、kube-scheduler、etcd 这几个静态 Pod 才会加载新证书，并把新的 /etc/kubernetes/admin.conf 重新复制到 ~/.kube/config。1.20 起该命令为 `kubeadm certs renew all`。）

[root@uk8s1 ~]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@uk8s1 ~]#
[root@uk8s1 ~]#
[root@uk8s1 ~]#
[root@uk8s1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 22, 2021 13:12 UTC   364d                                    no
apiserver                  Nov 22, 2021 13:12 UTC   364d            ca                      no
apiserver-etcd-client      Nov 22, 2021 13:12 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Nov 22, 2021 13:12 UTC   364d            ca                      no
controller-manager.conf    Nov 22, 2021 13:12 UTC   364d                                    no
etcd-healthcheck-client    Nov 22, 2021 13:12 UTC   364d            etcd-ca                 no
etcd-peer                  Nov 22, 2021 13:12 UTC   364d            etcd-ca                 no
etcd-server                Nov 22, 2021 13:12 UTC   364d            etcd-ca                 no
front-proxy-client         Nov 22, 2021 13:12 UTC   364d            front-proxy-ca          no
scheduler.conf             Nov 22, 2021 13:12 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 20, 2030 13:01 UTC   9y              no
etcd-ca                 Nov 20, 2030 13:01 UTC   9y              no
front-proxy-ca          Nov 20, 2030 13:01 UTC   9y              no
