【原】kubeadm 安装高可用集群初始化文件模板
# Install the pinned kubelet/kubeadm/kubectl packages on every host in the
# `k8s` inventory group. The package version must match `kubernetesVersion`
# in init-config.yaml (v1.19.4 in this template).
ansible k8s -m shell -a "yum install kubelet-1.19.4 kubeadm-1.19.4 kubectl-1.19.4 -y"
1. 生成文件
# Dump kubeadm's default InitConfiguration/ClusterConfiguration as a starting
# point. NOTE(security): the printed defaults contain the publicly known example
# bootstrap token `abcdef.0123456789abcdef`; it must be replaced (or removed so
# kubeadm generates a random one) before `kubeadm init` is run with this file.
kubeadm config print init-defaults >init-config.yaml
2.修改文件
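apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  # SECURITY: do NOT keep the example token that `kubeadm config print
  # init-defaults` emits (abcdef.0123456789abcdef). It is a publicly known
  # value, and anyone who can reach the API endpoint can use it to join a node
  # (and obtain node credentials) until the TTL expires. Either leave `token`
  # unset so kubeadm generates a random one, or set it to the output of
  # `kubeadm token generate`.
  # token: <output of `kubeadm token generate`>
  ttl: 24h0m0s          # bootstrap token lifetime; keep it short
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 192.168.0.18   # IP of this control-plane node
  bindPort: 6443
nodeRegistration:
  # dockershim was removed in Kubernetes 1.24; point this at the containerd
  # or CRI-O socket on newer releases.
  criSocket: /var/run/dockershim.sock
  name: uk8s1
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiServer:
  timeoutForControlPlane: 4m0s
  # Every address clients use to reach the API server must be listed here,
  # otherwise TLS verification fails for that address.
  certSANs:
  - "192.168.0.238"   # internal SLB
  - "192.168.0.18"
  - "192.168.0.169"
  - "192.168.0.131"
  - "127.0.0.1"
  # Public SLB: listing it here means the API server is meant to be reachable
  # from the internet. Restrict source IPs at the SLB / security group.
  - "117.50.84.64"
# With more than one control-plane node this must be the load-balancer
# address, not a single node's IP.
controlPlaneEndpoint: "192.168.0.238:6443"
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
# For an external etcd cluster use the block below instead of `etcd.local`
# (the client cert/key must be issued by the external cluster's CA):
#etcd:
#  external:
#    endpoints:
#    - https://192.168.0.18:2379
#    - https://192.168.0.169:2379
#    - https://192.168.0.131:2379
#    caFile: /etc/kubernetes/pki/etcd/ca.crt
#    certFile: /etc/kubernetes/pki/apiserver-etcd-client.crt
#    keyFile: /etc/kubernetes/pki/apiserver-etcd-client.key
# Image registry. Control-plane images are pulled from a third-party mirror
# here, which puts that mirror in your supply chain; if you do not control it,
# pin images by digest or verify them against the upstream registry.
#imageRepository: k8s.gcr.io
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.19.4   # must match the installed kubeadm/kubelet packages
networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/12    # service CIDR
  podSubnet: "10.244.0.0/16"     # pod CIDR; the CNI plugin must use the same range
scheduler: {}
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: "ipvs"   # ipvs mode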
3.通过文件部署
# For a multi-master (stacked control plane) setup, pass --upload-certs so the
# control-plane certificates are uploaded to the cluster (encrypted, in a
# kube-system Secret) for the other control-plane instances to download.
# NOTE(security): the output of this command contains the certificate key and
# the `kubeadm join` command with the bootstrap token — treat it as a secret
# (do not paste it into tickets or chat). The uploaded Secret is short-lived;
# re-run `kubeadm init phase upload-certs --upload-certs` if it has expired
# before the remaining control-plane nodes join.
kubeadm init --config=init-config.yaml --upload-certs
4.查看证书过期时间（注意：下面的输出显示 kubeadm 签发的叶子证书有效期只有 1 年，而 CA 为 10 年；请在到期前监控并续签，否则 API server、etcd 与各组件之间将无法建立 TLS 连接。1.20 及以上版本请使用 `kubeadm certs check-expiration`，`kubeadm alpha certs` 已弃用）
[root@uk8s1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Nov 22, 2021 13:01 UTC 364d no
apiserver Nov 22, 2021 13:01 UTC 364d ca no
apiserver-etcd-client Nov 22, 2021 13:01 UTC 364d etcd-ca no
apiserver-kubelet-client Nov 22, 2021 13:01 UTC 364d ca no
controller-manager.conf Nov 22, 2021 13:01 UTC 364d no
etcd-healthcheck-client Nov 22, 2021 13:01 UTC 364d etcd-ca no
etcd-peer Nov 22, 2021 13:01 UTC 364d etcd-ca no
etcd-server Nov 22, 2021 13:01 UTC 364d etcd-ca no
front-proxy-client Nov 22, 2021 13:01 UTC 364d front-proxy-ca no
scheduler.conf Nov 22, 2021 13:01 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Nov 20, 2030 13:01 UTC 9y no
etcd-ca Nov 20, 2030 13:01 UTC 9y no
front-proxy-ca Nov 20, 2030 13:01 UTC 9y no
5.续签证书（注意：续签后的证书有效期仍为 1 年（见下方输出）；静态 Pod（kube-apiserver、kube-controller-manager、kube-scheduler、etcd）需重启后才会加载新证书，且需将新的 /etc/kubernetes/admin.conf 重新复制到 ~/.kube/config；该命令不会续签 CA，也不会续签 kubelet.conf（kubelet 客户端证书由 kubelet 自行轮换）。1.20 及以上版本命令为 `kubeadm certs renew all`）
[root@uk8s1 ~]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@uk8s1 ~]#
[root@uk8s1 ~]#
[root@uk8s1 ~]#
[root@uk8s1 ~]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Nov 22, 2021 13:12 UTC 364d no
apiserver Nov 22, 2021 13:12 UTC 364d ca no
apiserver-etcd-client Nov 22, 2021 13:12 UTC 364d etcd-ca no
apiserver-kubelet-client Nov 22, 2021 13:12 UTC 364d ca no
controller-manager.conf Nov 22, 2021 13:12 UTC 364d no
etcd-healthcheck-client Nov 22, 2021 13:12 UTC 364d etcd-ca no
etcd-peer Nov 22, 2021 13:12 UTC 364d etcd-ca no
etcd-server Nov 22, 2021 13:12 UTC 364d etcd-ca no
front-proxy-client Nov 22, 2021 13:12 UTC 364d front-proxy-ca no
scheduler.conf Nov 22, 2021 13:12 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Nov 20, 2030 13:01 UTC 9y no
etcd-ca Nov 20, 2030 13:01 UTC 9y no
front-proxy-ca Nov 20, 2030 13:01 UTC 9y no