1. Problem description
1.1. Host information
| Hostname | Host IP address | Operating system | Kubernetes version | Kubernetes role |
|---|---|---|---|---|
| c7u6km1 | 192.168.122.21 | CentOS-7.6 | 1.19 | Master |
| c7u6kn1-1 | 192.168.122.22 | CentOS-7.6 | 1.19 | Worker |
| c7u6kn1-2 | 192.168.122.23 | CentOS-7.6 | 1.19 | Worker |
| c7u6kn1-3 | 192.168.122.24 | CentOS-7.6 | 1.19 | Worker |
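1.2. Cluster environment check
Log in to the master node, then check the kubelet service status and the cluster certificate status.
# Log in to the k8s master node and check the cluster service status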
[root@LiuXianQiE network-scripts]# ssh 192.168.122.21
Last login: Mon Apr 12 20:04:47 2021
[root@c7u6km1 ~]# kubectl get nodes
The connection to the server 192.168.122.21:6443 was refused - did you specify the right host or port?
[root@c7u6km1 ~]# systemctl status kubelet
● kubelet.service - kubelet: The Kubernetes Node Agent
Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/kubelet.service.d
└─10-kubeadm.conf
Active: activating (auto-restart) (Result: exit-code) since Fri 2025-08-01 21:14:42 CST; 6s ago
Docs: https://kubernetes.io/docs/
Process: 2953 ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS (code=exited, status=255)
Main PID: 2953 (code=exited, status=255)
Aug 01 21:14:42 c7u6km1 kubelet[2953]: /workspace/anago-v1.19.0-rc.4.197+594f888e19d8da/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/signal.go:48 +0x36
Aug 01 21:14:42 c7u6km1 kubelet[2953]: created by k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server.SetupSignalContext
Aug 01 21:14:42 c7u6km1 kubelet[2953]: /workspace/anago-v1.19.0-rc.4.197+594f888e19d8da/src/k8s.io/kubernetes/_output/dockerized/go/src/k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/server/signal.go:47 +0xf3
Aug 01 21:14:42 c7u6km1 kubelet[2953]: goroutine 88 [syscall]:
Aug 01 21:14:42 c7u6km1 kubelet[2953]: os/signal.signal_recv(0x0)
Aug 01 21:14:42 c7u6km1 kubelet[2953]: /usr/local/go/src/runtime/sigqueue.go:147 +0x9d
Aug 01 21:14:42 c7u6km1 kubelet[2953]: os/signal.loop()
Aug 01 21:14:42 c7u6km1 kubelet[2953]: /usr/local/go/src/os/signal/signal_unix.go:23 +0x25
Aug 01 21:14:42 c7u6km1 kubelet[2953]: created by os/signal.Notify.func1.1
Aug 01 21:14:42 c7u6km1 kubelet[2953]: /usr/local/go/src/os/signal/signal.go:150 +0x45
[root@c7u6km1 ~]# systemctl list-unit-files --type service | egrep kube
kubelet.service enabled
# Check whether the apiserver certificate has expired
[root@c7u6km1 tls]# cd /etc/kubernetes/
[root@c7u6km1 kubernetes]# ls
admin.conf controller-manager.conf kubelet.conf manifests pki scheduler.conf
[root@c7u6km1 kubernetes]# cd pki/
[root@c7u6km1 pki]# ls
apiserver.crt apiserver-etcd-client.key apiserver-kubelet-client.crt ca.crt ca.srl front-proxy-ca.crt front-proxy-client.crt kube-user1.crt kube-user1.key sa.pub
apiserver-etcd-client.crt apiserver.key apiserver-kubelet-client.key ca.key etcd front-proxy-ca.key front-proxy-client.key kube-user1.csr sa.key
[root@c7u6km1 pki]# openssl x509 -in apiserver.crt -noout -dates
notBefore=Sep 1 17:04:26 2020 GMT
notAfter=Sep 1 17:04:26 2021 GMT
# Check the expiration time of all cluster certificates
[root@c7u6km1 pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
W0803 10:43:55.869836 7935 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Sep 01, 2021 17:04 UTC <invalid> no
apiserver Sep 01, 2021 17:04 UTC <invalid> ca no
apiserver-etcd-client Sep 01, 2021 17:04 UTC <invalid> etcd-ca no
apiserver-kubelet-client Sep 01, 2021 17:04 UTC <invalid> ca no
controller-manager.conf Sep 01, 2021 17:04 UTC <invalid> no
etcd-healthcheck-client Sep 01, 2021 17:04 UTC <invalid> etcd-ca no
etcd-peer Sep 01, 2021 17:04 UTC <invalid> etcd-ca no
etcd-server Sep 01, 2021 17:04 UTC <invalid> etcd-ca no
front-proxy-client Sep 01, 2021 17:04 UTC <invalid> front-proxy-ca no
scheduler.conf Sep 01, 2021 17:04 UTC <invalid> no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Aug 30, 2030 17:04 UTC 5y no
etcd-ca Aug 30, 2030 17:04 UTC 5y no
front-proxy-ca Aug 30, 2030 17:04 UTC 5y no
[root@c7u6km1 pki]#
# Check the expiration time of the kubelet certificate
[root@c7u6km1 pki]# openssl x509 -in apiserver-kubelet-client.crt -noout -dates
notBefore=Sep 1 17:04:26 2020 GMT
notAfter=Sep 1 17:04:26 2021 GMT
[root@c7u6km1 pki]#
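Line 122 of the output above shows that on September 1, 2021 every certificate in this k8s cluster except the CA certificates had expired.
The cluster was still running k8s 1.19 at the time; releases have now reached 1.3x.
2. Solution
To fix the expired certificates, the cluster certificates have to be renewed.
2.1. Renew the certificates on the master node
To renew the master node's certificates, run kubeadm alpha certs renew all to re-sign the cluster certificates, as follows: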
[root@c7u6km1 pki]# kubeadm alpha certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[renew] Error reading configuration from the Cluster. Falling back to default configuration
W0803 10:46:59.597737 8159 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
[root@c7u6km1 pki]#
After renewing the k8s cluster certificates on the master node, check the certificate expiration times again:
[root@c7u6km1 pki]# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration
W0803 10:48:28.438537 8289 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Aug 03, 2026 02:46 UTC 364d no
apiserver Aug 03, 2026 02:46 UTC 364d ca no
apiserver-etcd-client Aug 03, 2026 02:46 UTC 364d etcd-ca no
apiserver-kubelet-client Aug 03, 2026 02:47 UTC 364d ca no
controller-manager.conf Aug 03, 2026 02:47 UTC 364d no
etcd-healthcheck-client Aug 03, 2026 02:47 UTC 364d etcd-ca no
etcd-peer Aug 03, 2026 02:47 UTC 364d etcd-ca no
etcd-server Aug 03, 2026 02:47 UTC 364d etcd-ca no
front-proxy-client Aug 03, 2026 02:47 UTC 364d front-proxy-ca no
scheduler.conf Aug 03, 2026 02:47 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Aug 30, 2030 17:04 UTC 5y no
etcd-ca Aug 30, 2030 17:04 UTC 5y no
front-proxy-ca Aug 30, 2030 17:04 UTC 5y no
[root@c7u6km1 pki]#
The result above shows that the certificates were automatically renewed for 1 year. The CA certificates are still unexpired.
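The following is an added example, not part of the original post: a filter over the check-expiration table shown above that reports every row that is <invalid> or has fewer than a given number of days left, so the check can run on a schedule before the certificates lapse. The function names and the abridged sample tables (constructed from the output above) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post).

# expiring_certs THRESHOLD_DAYS
# Reads `kubeadm alpha certs check-expiration` output on stdin and prints
# "NAME<TAB>STATUS<TAB>RESIDUAL" for each row that is expired or has fewer
# than THRESHOLD_DAYS days left. Log lines and table headers are skipped.
expiring_certs() {
    awk -v limit="${1:-30}" '
        # kubeadm prints short durations such as 364d, 5y or 23h.
        function to_days(r,    n, unit) {
            n = r + 0                       # numeric prefix
            unit = substr(r, length(r))     # trailing unit letter
            if (unit == "y") return n * 365
            if (unit == "d") return n
            return 0                        # h, m, s: under one day
        }
        # Data rows: NAME Mon DD, YYYY HH:MM UTC RESIDUAL [CA] MANAGED
        $6 == "UTC" && $3 ~ /^[0-9]+,$/ {
            if ($7 == "<invalid>")
                printf "%s\tEXPIRED\t%s\n", $1, $7
            else if (to_days($7) < limit)
                printf "%s\tEXPIRING\t%s\n", $1, $7
        }
    '
}

# certs_need_renewal THRESHOLD_DAYS
# Exit status 0 when at least one row on stdin is flagged (for cron/alerting).
certs_need_renewal() {
    [ -n "$(expiring_certs "${1:-30}")" ]
}

# Constructed sample: abridged table as it looked before the renewal.
sample_before() {
    cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Sep 01, 2021 17:04 UTC <invalid> no
apiserver Sep 01, 2021 17:04 UTC <invalid> ca no
etcd-server Sep 01, 2021 17:04 UTC <invalid> etcd-ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Aug 30, 2030 17:04 UTC 5y no
EOF
}

# Constructed sample: the same rows after the renewal.
sample_after() {
    cat <<'EOF'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Aug 03, 2026 02:46 UTC 364d no
apiserver Aug 03, 2026 02:46 UTC 364d ca no
etcd-server Aug 03, 2026 02:47 UTC 364d etcd-ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Aug 30, 2030 17:04 UTC 5y no
EOF
}

echo "before renewal, 30-day threshold:"
sample_before | expiring_certs 30
echo "after renewal, 400-day threshold:"
sample_after | expiring_certs 400
```

On a control-plane node, pipe the real command into the filter, for example: kubeadm alpha certs check-expiration | expiring_certs 30.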
2.2. Update the certificates in the configuration files
Check the state of the related configuration files:
[root@c7u6km1 kubernetes]# ls -lh
total 32K
-rw------- 1 root root 5.5K Aug 3 10:46 admin.conf
-rw------- 1 root root 5.5K Aug 3 10:47 controller-manager.conf
-rw------- 1 root root 1.9K Sep 2 2020 kubelet.conf
drwxr-xr-x 2 root root 113 Sep 4 2020 manifests
drwxr-xr-x 3 root root 4.0K Sep 17 2020 pki
-rw------- 1 root root 5.5K Aug 3 10:47 scheduler.conf
[root@c7u6km1 kubernetes]#
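The output above shows that admin.conf, controller-manager.conf and scheduler.conf have already been updated, but kubelet.conf, the kubelet service's configuration file, has not.
Next, regenerate these configuration files:
# Back up the old configuration files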
[root@c7u6km1 pki]# pwd
/etc/kubernetes/pki
[root@c7u6km1 pki]# cd ..
[root@c7u6km1 kubernetes]# ls -lh
total 32K
-rw------- 1 root root 5.5K Aug 3 10:46 admin.conf
-rw------- 1 root root 5.5K Aug 3 10:47 controller-manager.conf
-rw------- 1 root root 1.9K Sep 2 2020 kubelet.conf
drwxr-xr-x 2 root root 113 Sep 4 2020 manifests
drwxr-xr-x 3 root root 4.0K Sep 17 2020 pki
-rw------- 1 root root 5.5K Aug 3 10:47 scheduler.conf
[root@c7u6km1 kubernetes]# mkdir /tmp/etc_kubernetes_conf
[root@c7u6km1 kubernetes]# cp ./*.conf /tmp/etc_kubernetes_conf
[root@c7u6km1 kubernetes]# kubectl get nodes
The connection to the server 192.168.122.21:6443 was refused - did you specify the right host or port?
# Check the installed Kubernetes version
[root@c7u6km1 kubernetes]# kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.0", GitCommit:"e19964183377d0ec2052d1f1fa930c4d7575bd50", GitTreeState:"clean", BuildDate:"2020-08-26T14:30:33Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
The connection to the server 192.168.122.21:6443 was refused - did you specify the right host or port?
[root@c7u6km1 kubernetes]# rpm -qa| egrep kube
kubernetes-cni-0.8.6-0.x86_64
kubectl-1.19.0-0.x86_64
kubelet-1.19.0-0.x86_64
kubeadm-1.19.0-0.x86_64
[root@c7u6km1 kubernetes]#
# Regenerate the configuration files using the new certificates
[root@c7u6km1 kubernetes]# kubeadm init --kubernetes-version 1.19.0 phase kubeconfig all
W0803 11:14:16.493865 9985 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"
[root@c7u6km1 kubernetes]# ls -lh
total 32K
-rw------- 1 root root 5.5K Aug 3 10:46 admin.conf
-rw------- 1 root root 5.5K Aug 3 10:47 controller-manager.conf
-rw------- 1 root root 1.9K Sep 2 2020 kubelet.conf
drwxr-xr-x 2 root root 113 Sep 4 2020 manifests
drwxr-xr-x 3 root root 4.0K Sep 17 2020 pki
-rw------- 1 root root 5.5K Aug 3 10:47 scheduler.conf
[root@c7u6km1 kubernetes]#
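# The update above did not take effect: files with the same names already exist in /etc/kubernetes, the directory where the configuration files are stored, so the existing files were used as-is. Now that the old files have been backed up, delete them here and then run the command above again.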
[root@c7u6km1 kubernetes]# ls ./*.conf
./admin.conf ./controller-manager.conf ./kubelet.conf ./scheduler.conf
[root@c7u6km1 kubernetes]# rm -f ./*.conf
[root@c7u6km1 kubernetes]# ls -lh
total 4.0K
drwxr-xr-x 2 root root 113 Sep 4 2020 manifests
drwxr-xr-x 3 root root 4.0K Sep 17 2020 pki
[root@c7u6km1 kubernetes]# kubeadm init --kubernetes-version 1.19.0 phase kubeconfig all
W0803 11:16:26.159710 10152 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[root@c7u6km1 kubernetes]# ls -lh
total 36K
-rw------- 1 root root 5.5K Aug 3 11:16 admin.conf
-rw------- 1 root root 5.5K Aug 3 11:16 controller-manager.conf
-rw------- 1 root root 5.5K Aug 3 11:16 kubelet.conf
drwxr-xr-x 2 root root 113 Sep 4 2020 manifests
drwxr-xr-x 3 root root 4.0K Sep 17 2020 pki
-rw------- 1 root root 5.5K Aug 3 11:16 scheduler.conf
[root@c7u6km1 kubernetes]#
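This completes the update of the configuration files.
2.3. Update the ~/.kube/config configuration file
Now replace ~/.kube/config with the newly generated /etc/kubernetes/admin.conf; only then can cluster management commands be run: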
[root@c7u6km1 kubernetes]# ls -lh ~/.kube/config
-rw------- 1 root root 9.1K Sep 17 2020 /root/.kube/config
[root@c7u6km1 kubernetes]# ls -lh ~/.kube
total 16K
drwxr-x--- 4 root root 35 Sep 2 2020 cache
-rw------- 1 root root 9.1K Sep 17 2020 config
drwxr-x--- 3 root root 4.0K Sep 12 2020 http-cache
[root@c7u6km1 kubernetes]#
[root@c7u6km1 kubernetes]# mv ~/.kube/config /tmp/etc_kubernetes_conf/
[root@c7u6km1 kubernetes]# cp admin.conf ~/.kube/config
[root@c7u6km1 kubernetes]# ls -lh ~/.kube/config
-rw------- 1 root root 5.5K Aug 3 11:19 /root/.kube/config
[root@c7u6km1 kubernetes]#
2.4. Check the cluster status on the master node
After the steps above, management commands run normally on the master node again, as follows:
[root@c7u6km1 kubernetes]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
c7u6km1 Ready master 4y336d v1.19.0
c7u6kn1 NotReady <none> 4y335d v1.19.0
c7u6kn2 NotReady <none> 4y335d v1.19.0
c7u6kn3 NotReady <none> 4y335d v1.19.0
[root@c7u6km1 kubernetes]#
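Because the kubelet certificates and configuration files on the worker nodes have not been updated yet, the worker nodes are still unavailable at this point. The master node is back to normal.
2.5. Update the kubelet configuration file and certificates on the worker nodes
2.5.1. Check the certificates on the worker node
Look at the state of the certificates and configuration files on the worker node: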
[root@c7u6kn1 ~]# cd /etc/kubernetes/
[root@c7u6kn1 kubernetes]# ls
kubelet.conf pki
[root@c7u6kn1 kubernetes]# ls pki/
ca.crt
[root@c7u6kn1 kubernetes]# ls /var/lib/kubelet/pki/
kubelet-client-2020-09-03-00-15-22.pem kubelet-client-current.pem kubelet.crt kubelet.key
[root@c7u6kn1 kubernetes]# ls -lh /var/lib/kubelet/pki/
total 12K
-rw------- 1 root root 1.1K Sep 3 2020 kubelet-client-2020-09-03-00-15-22.pem
lrwxrwxrwx 1 root root 59 Sep 3 2020 kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2020-09-03-00-15-22.pem
-rw-r--r-- 1 root root 2.2K Sep 3 2020 kubelet.crt
-rw------- 1 root root 1.7K Sep 3 2020 kubelet.key
[root@c7u6kn1 kubernetes]#
[root@c7u6kn1 kubernetes]# openssl x509 -in pki/ca.crt -noout -dates
notBefore=Sep 1 17:04:26 2020 GMT
notAfter=Aug 30 17:04:26 2030 GMT
[root@c7u6kn1 kubernetes]#
The output above shows that the CA certificate is valid until 2030. Check the kubelet certificate, as follows:
[root@c7u6kn1 kubernetes]# openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -noout -dates
notBefore=Sep 2 15:15:21 2020 GMT
notAfter=Sep 2 15:15:21 2021 GMT
[root@c7u6kn1 kubernetes]#
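The kubelet certificate has expired too, so the certificate used by the /etc/kubernetes/kubelet.conf configuration file is undoubtedly expired as well.
2.5.2. Regenerate the kubelet.conf configuration file for a specific worker node on the master node
On the master node, use the newly renewed certificates to generate the kubelet.conf configuration file for the specific worker node, as follows: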
[root@c7u6km1 kubernetes]# cd /tmp/
[root@c7u6km1 tmp]# ls
etc_kubernetes_conf systemd-private-a463519d4f4649fb8fa6daaa3e117636-chronyd.service-Rm5WFz systemd-private-a463519d4f4649fb8fa6daaa3e117636-cups.service-t1Hnt9
[root@c7u6km1 tmp]# mkdir kubelet_config_hosts
[root@c7u6km1 tmp]# cd kubelet_config_hosts
[root@c7u6km1 kubelet_config_hosts]# ls
[root@c7u6km1 kubelet_config_hosts]# kubeadm init --kubernetes-version 1.19.0 phase kubeconfig kubelet --node-name c7u6kn1 --kubeconfig-dir .
W0803 11:42:26.512237 22352 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[root@c7u6km1 kubelet_config_hosts]# ls -lh
total 8.0K
-rw------- 1 root root 5.5K Aug 3 11:42 kubelet.conf
[root@c7u6km1 kubelet_config_hosts]#
Copy the generated kubelet.conf configuration file to the remote target host c7u6kn1, as shown below:
[root@c7u6km1 kubelet_config_hosts]# ls -lh
total 8.0K
-rw------- 1 root root 5.5K Aug 3 11:42 kubelet.conf
[root@c7u6km1 kubelet_config_hosts]# scp kubelet.conf c7u6kn1:/etc/kubernetes/
kubelet.conf 100% 5582 10.4MB/s 00:00
[root@c7u6km1 kubelet_config_hosts]# ssh c7u6kn1 'ls -lh /etc/kubernetes/'
total 8.0K
-rw------- 1 root root 5.5K Aug 3 11:44 kubelet.conf
drwxr-xr-x 2 root root 20 Sep 3 2020 pki
[root@c7u6km1 kubelet_config_hosts]#
2.5.3. Restart the kubelet service on the worker node
After updating the kubelet.conf configuration file, restart the kubelet service on the target host, as follows:
[root@c7u6kn1 kubernetes]# systemctl restart kubelet
[root@c7u6kn1 kubernetes]# systemctl status kubelet
● kubelet.service - kubelet: The Kubernetes Node Agent
Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/kubelet.service.d
└─10-kubeadm.conf
Active: active (running) since Sun 2025-08-03 11:46:25 CST; 3s ago
Docs: https://kubernetes.io/docs/
Main PID: 16215 (kubelet)
Tasks: 7
Memory: 21.3M
CGroup: /system.slice/kubelet.service
└─16215 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --network-plugin=cni --pod-infra-container-image=k...
Aug 03 11:46:25 c7u6kn1 kubelet[16215]: I0803 11:46:25.634332 16215 remote_image.go:50] scheme "" not registered, fallback to default scheme
Aug 03 11:46:25 c7u6kn1 kubelet[16215]: I0803 11:46:25.634340 16215 passthrough.go:48] ccResolverWrapper: sending update to cc: {[{/var/run/dockershim.sock <nil> 0 <nil>}] <nil> <nil>}
Aug 03 11:46:25 c7u6kn1 kubelet[16215]: I0803 11:46:25.634344 16215 clientconn.go:948] ClientConn switching balancer to "pick_first"
Aug 03 11:46:25 c7u6kn1 kubelet[16215]: I0803 11:46:25.634365 16215 kubelet.go:261] Adding pod path: /etc/kubernetes/manifests
Aug 03 11:46:25 c7u6kn1 kubelet[16215]: I0803 11:46:25.634380 16215 kubelet.go:273] Watching apiserver
Aug 03 11:46:25 c7u6kn1 kubelet[16215]: E0803 11:46:25.634867 16215 file.go:98] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
Aug 03 11:46:25 c7u6kn1 kubelet[16215]: E0803 11:46:25.634895 16215 file_linux.go:60] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
Aug 03 11:46:26 c7u6kn1 kubelet[16215]: E0803 11:46:26.635515 16215 file_linux.go:60] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
Aug 03 11:46:27 c7u6kn1 kubelet[16215]: E0803 11:46:27.635668 16215 file_linux.go:60] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
Aug 03 11:46:28 c7u6kn1 kubelet[16215]: E0803 11:46:28.635793 16215 file_linux.go:60] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
[root@c7u6kn1 kubernetes]#
Check the kubelet configuration file and certificate files on the target host:
[root@c7u6kn1 kubernetes]# ls -lh
total 8.0K
-rw------- 1 root root 5.5K Aug 3 11:44 kubelet.conf
drwxr-xr-x 2 root root 20 Sep 3 2020 pki
[root@c7u6kn1 kubernetes]# ls -lh /var/lib/kubelet/pki
total 16K
-rw------- 1 root root 1.1K Sep 3 2020 kubelet-client-2020-09-03-00-15-22.pem
-rw------- 1 root root 1.1K Aug 3 11:45 kubelet-client-2025-08-03-11-45-03.pem
lrwxrwxrwx 1 root root 59 Aug 3 11:45 kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2025-08-03-11-45-03.pem
-rw-r--r-- 1 root root 2.2K Sep 3 2020 kubelet.crt
-rw------- 1 root root 1.7K Sep 3 2020 kubelet.key
[root@c7u6kn1 kubernetes]# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -dates
notBefore=Aug 3 03:40:02 2025 GMT
notAfter=Aug 3 03:40:02 2026 GMT
[root@c7u6kn1 kubernetes]#
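The kubelet service's configuration file has now been updated, and after the kubelet service was restarted the kubelet-client-current.pem certificate was renewed automatically as well. Checked from the master node, the worker node should now be in the Ready state, as follows: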
[root@c7u6km1 kubelet_config_hosts]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
c7u6km1 Ready master 4y336d v1.19.0
c7u6kn1 Ready <none> 4y335d v1.19.0
c7u6kn2 NotReady <none> 4y335d v1.19.0
c7u6kn3 NotReady <none> 4y335d v1.19.0
You have mail in /var/spool/mail/root
[root@c7u6km1 kubelet_config_hosts]#
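2.5.4. Recovering the other nodes
For the other worker nodes in the cluster, simply repeat steps 2.5.1 - 2.5.3 above on each node individually. The process is as follows:
2.5.4.1. Recovering worker node c7u6kn2
Check the state of the configuration file and certificate files on the target worker node c7u6kn2: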
[root@c7u6kn2 ~]# cd /etc/kubernetes/
[root@c7u6kn2 kubernetes]# ls
kubelet.conf pki
[root@c7u6kn2 kubernetes]# ls -lh .
total 4.0K
-rw------- 1 root root 1.9K Sep 3 2020 kubelet.conf
drwxr-xr-x 2 root root 20 Sep 3 2020 pki
[root@c7u6kn2 kubernetes]# ls -lh /var/lib/kubelet/
total 16K
-rw-r--r-- 1 root root 817 Sep 3 2020 config.yaml
-rw------- 1 root root 62 Sep 3 2020 cpu_manager_state
drwxr-xr-x 2 root root 80 Oct 13 2020 device-plugins
-rw-r--r-- 1 root root 93 Sep 3 2020 kubeadm-flags.env
drwxr-xr-x 2 root root 124 Sep 3 2020 pki
drwxr-x--- 2 root root 6 Sep 3 2020 plugins
drwxr-x--- 2 root root 6 Sep 3 2020 plugins_registry
drwxr-x--- 2 root root 26 Oct 13 2020 pod-resources
drwxr-x--- 10 root root 4.0K Oct 13 2020 pods
[root@c7u6kn2 kubernetes]# ls -lh /var/lib/kubelet/pki/
total 12K
-rw------- 1 root root 1.1K Sep 3 2020 kubelet-client-2020-09-03-10-51-06.pem
lrwxrwxrwx 1 root root 59 Sep 3 2020 kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2020-09-03-10-51-06.pem
-rw-r--r-- 1 root root 2.2K Sep 3 2020 kubelet.crt
-rw------- 1 root root 1.7K Sep 3 2020 kubelet.key
[root@c7u6kn2 kubernetes]# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -dates
notBefore=Sep 3 02:46:06 2020 GMT
notAfter=Sep 3 02:46:06 2021 GMT
[root@c7u6kn2 kubernetes]#
On the master node, generate the kubelet.conf configuration file for this node and transfer it to /etc/kubernetes/ on node c7u6kn2, as follows:
[root@c7u6km1 kubelet_config_hosts]# ls
kubelet.conf
[root@c7u6km1 kubelet_config_hosts]# mv kubelet.conf c7u6kn1-kubelet.conf
[root@c7u6km1 kubelet_config_hosts]# ls
c7u6kn1-kubelet.conf
[root@c7u6km1 kubelet_config_hosts]# kubeadm init --kubernetes-version 1.19.0 phase kubeconfig kubelet --node-name c7u6kn2 --kubeconfig-dir .
W0803 12:27:23.768450 6849 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[root@c7u6km1 kubelet_config_hosts]# ls -lh
total 16K
-rw------- 1 root root 5.5K Aug 3 11:42 c7u6kn1-kubelet.conf
-rw------- 1 root root 5.5K Aug 3 12:27 kubelet.conf
[root@c7u6km1 kubelet_config_hosts]# scp kubelet.conf c7u6kn2:/etc/kubernetes/
The authenticity of host 'c7u6kn2 (192.168.122.23)' can't be established.
ECDSA key fingerprint is SHA256:60seU6lKEwcHgZJ8HfRxq9QWUKI2rAXYS945Lbx8stk.
ECDSA key fingerprint is MD5:73:ea:ed:bf:1f:f3:1e:24:3f:61:5b:2c:56:59:a5:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'c7u6kn2,192.168.122.23' (ECDSA) to the list of known hosts.
root@c7u6kn2's password:
kubelet.conf 100% 5582 12.3MB/s 00:00
[root@c7u6km1 kubelet_config_hosts]#
Restart the kubelet service on node c7u6kn2:
[root@c7u6kn2 kubernetes]# pwd
/etc/kubernetes
[root@c7u6kn2 kubernetes]# ls -lh
total 8.0K
-rw------- 1 root root 5.5K Aug 3 12:27 kubelet.conf
drwxr-xr-x 2 root root 20 Sep 3 2020 pki
[root@c7u6kn2 kubernetes]# systemctl restart kubelet
[root@c7u6kn2 kubernetes]# systemctl status kubelet
● kubelet.service - kubelet: The Kubernetes Node Agent
Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/kubelet.service.d
└─10-kubeadm.conf
Active: active (running) since Sun 2025-08-03 12:30:24 CST; 2s ago
Docs: https://kubernetes.io/docs/
Main PID: 16401 (kubelet)
Tasks: 8
Memory: 19.7M
CGroup: /system.slice/kubelet.service
└─16401 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --network-plugin=cni --pod-infra-container-image=k...
Aug 03 12:30:24 c7u6kn2 kubelet[16401]: I0803 12:30:24.766545 16401 remote_image.go:50] parsed scheme: ""
Aug 03 12:30:24 c7u6kn2 kubelet[16401]: I0803 12:30:24.766549 16401 remote_image.go:50] scheme "" not registered, fallback to default scheme
Aug 03 12:30:24 c7u6kn2 kubelet[16401]: I0803 12:30:24.766554 16401 passthrough.go:48] ccResolverWrapper: sending update to cc: {[{/var/run/dockershim.sock <nil> 0 <nil>}] <nil> <nil>}
Aug 03 12:30:24 c7u6kn2 kubelet[16401]: I0803 12:30:24.766558 16401 clientconn.go:948] ClientConn switching balancer to "pick_first"
Aug 03 12:30:24 c7u6kn2 kubelet[16401]: I0803 12:30:24.766579 16401 kubelet.go:261] Adding pod path: /etc/kubernetes/manifests
Aug 03 12:30:24 c7u6kn2 kubelet[16401]: I0803 12:30:24.766596 16401 kubelet.go:273] Watching apiserver
Aug 03 12:30:24 c7u6kn2 kubelet[16401]: E0803 12:30:24.768728 16401 file.go:98] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
Aug 03 12:30:24 c7u6kn2 kubelet[16401]: E0803 12:30:24.768763 16401 file_linux.go:60] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
Aug 03 12:30:25 c7u6kn2 kubelet[16401]: E0803 12:30:25.768898 16401 file_linux.go:60] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
Aug 03 12:30:26 c7u6kn2 kubelet[16401]: E0803 12:30:26.768990 16401 file_linux.go:60] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
[root@c7u6kn2 kubernetes]# ls -lh /var/lib/kubelet/pki/
total 16K
-rw------- 1 root root 1.1K Sep 3 2020 kubelet-client-2020-09-03-10-51-06.pem
-rw------- 1 root root 1.1K Aug 3 12:27 kubelet-client-2025-08-03-12-27-50.pem
lrwxrwxrwx 1 root root 59 Aug 3 12:27 kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2025-08-03-12-27-50.pem
-rw-r--r-- 1 root root 2.2K Sep 3 2020 kubelet.crt
-rw------- 1 root root 1.7K Sep 3 2020 kubelet.key
[root@c7u6kn2 kubernetes]# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -dates
notBefore=Aug 3 04:22:49 2025 GMT
notAfter=Aug 3 04:22:49 2026 GMT
[root@c7u6kn2 kubernetes]#
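After the configuration file was updated and the kubelet service restarted, the kubelet service's certificate was renewed automatically as well. Checked from the master node, the node's status should now be back to normal, as follows: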
[root@c7u6km1 kubelet_config_hosts]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
c7u6km1 Ready master 4y336d v1.19.0
c7u6kn1 Ready <none> 4y335d v1.19.0
c7u6kn2 Ready <none> 4y335d v1.19.0
c7u6kn3 NotReady <none> 4y335d v1.19.0
[root@c7u6km1 kubelet_config_hosts]# kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
c7u6km1 Ready master 4y336d v1.19.0 192.168.122.21 <none> CentOS Linux 7 (Core) 3.10.0-957.el7.x86_64 docker://19.3.12
c7u6kn1 Ready <none> 4y335d v1.19.0 192.168.122.22 <none> CentOS Linux 7 (Core) 3.10.0-957.el7.x86_64 docker://19.3.12
c7u6kn2 Ready <none> 4y335d v1.19.0 192.168.122.23 <none> CentOS Linux 7 (Core) 3.10.0-957.el7.x86_64 docker://19.3.12
c7u6kn3 NotReady <none> 4y335d v1.19.0 192.168.122.24 <none> CentOS Linux 7 (Core) 3.10.0-957.el7.x86_64 docker://19.3.12
[root@c7u6km1 kubelet_config_hosts]#
With that, worker node c7u6kn2 is back to normal.
2.5.4.2. Recovering worker node c7u6kn3
Check the state of the configuration file and certificate files on the target worker node c7u6kn3:
[root@c7u6kn3 ~]# cd /etc/kubernetes/
[root@c7u6kn3 kubernetes]# ls -lh
total 4.0K
-rw------- 1 root root 1.9K Sep 3 2020 kubelet.conf
drwxr-xr-x 2 root root 20 Sep 3 2020 pki
[root@c7u6kn3 kubernetes]# ls -lh /var/lib/kubelet/
total 16K
-rw-r--r-- 1 root root 817 Sep 3 2020 config.yaml
-rw------- 1 root root 62 Sep 3 2020 cpu_manager_state
drwxr-xr-x 2 root root 80 Oct 13 2020 device-plugins
-rw-r--r-- 1 root root 93 Sep 3 2020 kubeadm-flags.env
drwxr-xr-x 2 root root 124 Sep 3 2020 pki
drwxr-x--- 2 root root 6 Sep 3 2020 plugins
drwxr-x--- 2 root root 6 Sep 3 2020 plugins_registry
drwxr-x--- 2 root root 26 Oct 13 2020 pod-resources
drwxr-x--- 10 root root 4.0K Sep 15 2020 pods
[root@c7u6kn3 kubernetes]# ls -lh /var/lib/kubelet/pki
total 12K
-rw------- 1 root root 1.1K Sep 3 2020 kubelet-client-2020-09-03-10-52-00.pem
lrwxrwxrwx 1 root root 59 Sep 3 2020 kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2020-09-03-10-52-00.pem
-rw-r--r-- 1 root root 2.2K Sep 3 2020 kubelet.crt
-rw------- 1 root root 1.7K Sep 3 2020 kubelet.key
[root@c7u6kn3 kubernetes]# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -dates
notBefore=Sep 3 02:47:00 2020 GMT
notAfter=Sep 3 02:47:00 2021 GMT
[root@c7u6kn3 kubernetes]#
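The kubelet service's configuration file and certificate files shown above have all expired.
On the master node, generate the kubelet.conf configuration file for this node and transfer it to /etc/kubernetes/ on node c7u6kn3, as follows: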
[root@c7u6km1 kubelet_config_hosts]# ls -lh
total 16K
-rw------- 1 root root 5.5K Aug 3 11:42 c7u6kn1-kubelet.conf
-rw------- 1 root root 5.5K Aug 3 12:27 kubelet.conf
[root@c7u6km1 kubelet_config_hosts]# mv {,c7u6kn2-}kubelet.conf
[root@c7u6km1 kubelet_config_hosts]# ls -lh
total 16K
-rw------- 1 root root 5.5K Aug 3 11:42 c7u6kn1-kubelet.conf
-rw------- 1 root root 5.5K Aug 3 12:27 c7u6kn2-kubelet.conf
[root@c7u6km1 kubelet_config_hosts]# kubeadm init --kubernetes-version 1.19.0 phase kubeconfig kubelet --node-name c7u6kn3 --kubeconfig-dir `pwd`
W0803 12:45:57.346356 14002 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[root@c7u6km1 kubelet_config_hosts]# ls -lh
total 24K
-rw------- 1 root root 5.5K Aug 3 11:42 c7u6kn1-kubelet.conf
-rw------- 1 root root 5.5K Aug 3 12:27 c7u6kn2-kubelet.conf
-rw------- 1 root root 5.5K Aug 3 12:45 kubelet.conf
[root@c7u6km1 kubelet_config_hosts]# ssh c7u6kn3 'ls -lh /etc/kubernetes/'
total 8.0K
-rw------- 1 root root 5.5K Aug 3 12:46 kubelet.conf
drwxr-xr-x 2 root root 20 Sep 3 2020 pki
[root@c7u6km1 kubelet_config_hosts]#
After updating the kubelet service's configuration file, restart the kubelet service on node c7u6kn3:
[root@c7u6kn3 kubernetes]# pwd
/etc/kubernetes
[root@c7u6kn3 kubernetes]# ls -lh
total 8.0K
-rw------- 1 root root 5.5K Aug 3 12:46 kubelet.conf
drwxr-xr-x 2 root root 20 Sep 3 2020 pki
[root@c7u6kn3 kubernetes]# systemctl restart kubelet
[root@c7u6kn3 kubernetes]# systemctl status kubelet
● kubelet.service - kubelet: The Kubernetes Node Agent
Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/kubelet.service.d
└─10-kubeadm.conf
Active: active (running) since Sun 2025-08-03 12:48:02 CST; 4s ago
Docs: https://kubernetes.io/docs/
Main PID: 16976 (kubelet)
Tasks: 7
Memory: 21.7M
CGroup: /system.slice/kubelet.service
└─16976 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --network-plugin=cni --pod-infra-container-image=k...
Aug 03 12:48:02 c7u6kn3 kubelet[16976]: I0803 12:48:02.210967 16976 remote_image.go:50] scheme "" not registered, fallback to default scheme
Aug 03 12:48:02 c7u6kn3 kubelet[16976]: I0803 12:48:02.210971 16976 passthrough.go:48] ccResolverWrapper: sending update to cc: {[{/var/run/dockershim.sock <nil> 0 <nil>}] <nil> <nil>}
Aug 03 12:48:02 c7u6kn3 kubelet[16976]: I0803 12:48:02.210975 16976 clientconn.go:948] ClientConn switching balancer to "pick_first"
Aug 03 12:48:02 c7u6kn3 kubelet[16976]: I0803 12:48:02.210993 16976 kubelet.go:261] Adding pod path: /etc/kubernetes/manifests
Aug 03 12:48:02 c7u6kn3 kubelet[16976]: I0803 12:48:02.211014 16976 kubelet.go:273] Watching apiserver
Aug 03 12:48:02 c7u6kn3 kubelet[16976]: E0803 12:48:02.211555 16976 file.go:98] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
Aug 03 12:48:02 c7u6kn3 kubelet[16976]: E0803 12:48:02.211576 16976 file_linux.go:60] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
Aug 03 12:48:03 c7u6kn3 kubelet[16976]: E0803 12:48:03.211712 16976 file_linux.go:60] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
Aug 03 12:48:04 c7u6kn3 kubelet[16976]: E0803 12:48:04.211835 16976 file_linux.go:60] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
Aug 03 12:48:05 c7u6kn3 kubelet[16976]: E0803 12:48:05.211958 16976 file_linux.go:60] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
[root@c7u6kn3 kubernetes]#
# Check the kubelet certificate files
[root@c7u6kn3 kubernetes]# ls -lh /var/lib/kubelet/pki
total 16K
-rw------- 1 root root 1.1K Sep 3 2020 kubelet-client-2020-09-03-10-52-00.pem
-rw------- 1 root root 1.1K Aug 3 12:46 kubelet-client-2025-08-03-12-46-24.pem
lrwxrwxrwx 1 root root 59 Aug 3 12:46 kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2025-08-03-12-46-24.pem
-rw-r--r-- 1 root root 2.2K Sep 3 2020 kubelet.crt
-rw------- 1 root root 1.7K Sep 3 2020 kubelet.key
[root@c7u6kn3 kubernetes]# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -dates
notBefore=Aug 3 04:41:23 2025 GMT
notAfter=Aug 3 04:41:23 2026 GMT
[root@c7u6kn3 kubernetes]# ls -lh /var/lib/kubelet/
total 12K
-rw-r--r-- 1 root root 817 Sep 3 2020 config.yaml
-rw------- 1 root root 62 Sep 3 2020 cpu_manager_state
drwxr-xr-x 2 root root 80 Aug 3 12:48 device-plugins
-rw-r--r-- 1 root root 93 Sep 3 2020 kubeadm-flags.env
drwxr-xr-x 2 root root 170 Aug 3 12:46 pki
drwxr-x--- 2 root root 6 Sep 3 2020 plugins
drwxr-x--- 2 root root 6 Sep 3 2020 plugins_registry
drwxr-x--- 2 root root 26 Aug 3 12:48 pod-resources
drwxr-x--- 4 root root 94 Aug 3 12:47 pods
[root@c7u6kn3 kubernetes]#
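After the configuration file has been updated and the kubelet service restarted, the kubelet has also renewed its certificate automatically. Checking the node status on the master node at this point should show that it has recovered, as follows: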
[root@c7u6km1 kubelet_config_hosts]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
c7u6km1 Ready master 4y336d v1.19.0
c7u6kn1 Ready <none> 4y335d v1.19.0
c7u6kn2 Ready <none> 4y335d v1.19.0
c7u6kn3 Ready <none> 4y335d v1.19.0
[root@c7u6km1 kubelet_config_hosts]# kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
c7u6km1 Ready master 4y336d v1.19.0 192.168.122.21 <none> CentOS Linux 7 (Core) 3.10.0-957.el7.x86_64 docker://19.3.12
c7u6kn1 Ready <none> 4y335d v1.19.0 192.168.122.22 <none> CentOS Linux 7 (Core) 3.10.0-957.el7.x86_64 docker://19.3.12
c7u6kn2 Ready <none> 4y335d v1.19.0 192.168.122.23 <none> CentOS Linux 7 (Core) 3.10.0-957.el7.x86_64 docker://19.3.12
c7u6kn3 Ready <none> 4y335d v1.19.0 192.168.122.24 <none> CentOS Linux 7 (Core) 3.10.0-957.el7.x86_64 docker://19.3.12
[root@c7u6km1 kubelet_config_hosts]#
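At this point, the node has returned to normal.
With that, all master and worker nodes are back to normal, and the microservices have recovered as well.
3. kubeadm command help reference
The help output below is based on Kubernetes 1.19.0. In later versions the grouping of subcommands may differ; refer to the help output of the specific version.
3.1. The kubeadm command
The help output for this command is as follows: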
[root@c7u6km1 kubernetes]# kubeadm -h
┌──────────────────────────────────────────────────────────┐
│ KUBEADM │
│ Easily bootstrap a secure Kubernetes cluster │
│ │
│ Please give us feedback at: │
│ https://github.com/kubernetes/kubeadm/issues │
└──────────────────────────────────────────────────────────┘
Example usage:
Create a two-machine cluster with one control-plane node
(which controls the cluster), and one worker node
(where your workloads, like Pods and Deployments run).
┌──────────────────────────────────────────────────────────┐
│ On the first machine: │
├──────────────────────────────────────────────────────────┤
│ control-plane# kubeadm init │
└──────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────┐
│ On the second machine: │
├──────────────────────────────────────────────────────────┤
│ worker# kubeadm join <arguments-returned-from-init> │
└──────────────────────────────────────────────────────────┘
You can then repeat the second step on as many other machines as you like.
Usage:
kubeadm [command]
Available Commands:
alpha Kubeadm experimental sub-commands
completion Output shell completion code for the specified shell (bash or zsh)
config Manage configuration for a kubeadm cluster persisted in a ConfigMap in the cluster
help Help about any command
init Run this command in order to set up the Kubernetes control plane
join Run this on any machine you wish to join an existing cluster
reset Performs a best effort revert of changes made to this host by 'kubeadm init' or 'kubeadm join'
token Manage bootstrap tokens
upgrade Upgrade your cluster smoothly to a newer version with this command
version Print the version of kubeadm
Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
-h, --help help for kubeadm
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm [command] --help" for more information about a command.
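It contains 10 subcommands:
- kubeadm alpha: contains some experimental kubeadm subcommands
- kubeadm completion: provides command completion for a specific shell
- kubeadm config: manages the kubeadm cluster configuration that is persisted in a ConfigMap
- kubeadm help: prints the help output of each subcommand
- kubeadm init: sets up the k8s cluster control plane; when installing a cluster it initializes the master node, and it can also generate the configuration files of the corresponding services
- kubeadm join: run on a node that should join the k8s cluster; this adds a new worker node to an already initialized master node
- kubeadm reset: resets master nodes (nodes initialized with kubeadm init) and worker nodes (nodes joined to the cluster with kubeadm join)
- kubeadm token: manages bootstrap tokens
- kubeadm upgrade: smoothly upgrades the cluster to a newer version
- kubeadm version: prints the kubeadm version
3.2. The kubeadm alpha command
The help output for this command is as follows: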
[root@c7u6km1 ~]# kubeadm help alpha
Kubeadm experimental sub-commands
Usage:
kubeadm alpha [command]
Available Commands:
certs Commands related to handling kubernetes certificates
kubeconfig Kubeconfig file utilities
selfhosting Make a kubeadm cluster self-hosted
Flags:
-h, --help help for alpha
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Additional help topics:
kubeadm alpha phase Invoke subsets of kubeadm functions separately for a manual install
Use "kubeadm alpha [command] --help" for more information about a command.
[root@c7u6km1 ~]#
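It contains 3 subcommands:
- kubeadm alpha certs: subcommands for handling k8s cluster certificates. This is the most commonly used one, typically for dealing with expired cluster certificates
- kubeadm alpha kubeconfig: kubeconfig file utilities
- kubeadm alpha selfhosting: builds a self-hosted kubeadm cluster
3.3. The kubeadm alpha certs command
The main purpose of this command is to manage the cluster's certificate files, including checking certificate expiration, generating certificate keys, generating keys together with certificate signing requests, and renewing the cluster certificates. The most frequently used commands are kubeadm alpha certs check-expiration and kubeadm alpha certs renew all: the former checks the expiration time of the certificate files in the cluster, the latter renews them. Its help output is as follows: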
[root@c7u6km1 kubernetes]# kubeadm alpha certs -h
Commands related to handling kubernetes certificates
Usage:
kubeadm alpha certs [command]
Aliases:
certs, certificates
Available Commands:
certificate-key Generate certificate keys
check-expiration Check certificates expiration for a Kubernetes cluster
generate-csr Generate keys and certificate signing requests
renew Renew certificates for a Kubernetes cluster
Flags:
-h, --help help for certs
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm alpha certs [command] --help" for more information about a command.
[root@c7u6km1 kubernetes]#
The command above contains 4 subcommands:
- kubeadm alpha certs certificate-key: generates a certificate key. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help alpha certs certificate-key
This command will print out a secure randomly-generated certificate key that can be used with the "init" command.
You can also use "kubeadm init --upload-certs" without specifying a certificate key and it will generate and print one for you.
Usage:
kubeadm alpha certs certificate-key [flags]
Flags:
-h, --help help for certificate-key
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
This command has no subcommands.
- kubeadm alpha certs check-expiration: checks the expiration time of the k8s cluster certificates. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help alpha certs check-expiration
Checks expiration for the certificates in the local PKI managed by kubeadm.
Usage:
kubeadm alpha certs check-expiration [flags]
Flags:
--cert-dir string The path where to save the certificates (default "/etc/kubernetes/pki")
--config string Path to a kubeadm configuration file.
-h, --help help for check-expiration
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
This command has no subcommands.
- kubeadm alpha certs generate-csr: generates keys and the corresponding certificate signing request files. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help alpha certs generate-csr
Generates keys and certificate signing requests (CSRs) for all the certificates required to run the control plane.
This command also generates partial kubeconfig files with private key data in the "users > user > client-key-data" field, and for each kubeconfig file an accompanying ".csr" file is created.
This command is designed for use in [Kubeadm External CA Mode](https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#external-ca-mode).
It generates CSRs which you can then submit to your external certificate authority for signing.
The PEM encoded signed certificates should then be saved alongside the key files, using ".crt" as the file extension, or in the case of kubeconfig files, the PEM encoded signed certificate should be base64 encoded and added to the kubeconfig file in the "users > user > client-certificate-data" field.
Usage:
kubeadm alpha certs generate-csr [flags]
Examples:
# The following command will generate keys and CSRs for all control-plane certificates and kubeconfig files:
kubeadm alpha certs generate-csr --kubeconfig-dir /tmp/etc-k8s --cert-dir /tmp/etc-k8s/pki
Flags:
--cert-dir string The path where to save the certificates
--config string Path to a kubeadm configuration file.
-h, --help help for generate-csr
--kubeconfig-dir string The path where to save the kubeconfig file. (default "/etc/kubernetes")
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
This command has no subcommands.
- kubeadm alpha certs renew: renews the certificate files of the k8s cluster. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help alpha certs renew
This command is not meant to be run on its own. See list of available subcommands.
Usage:
kubeadm alpha certs renew [flags]
kubeadm alpha certs renew [command]
Available Commands:
admin.conf Renew the certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself
all Renew all available certificates
apiserver Renew the certificate for serving the Kubernetes API
apiserver-etcd-client Renew the certificate the apiserver uses to access etcd
apiserver-kubelet-client Renew the certificate for the API server to connect to kubelet
controller-manager.conf Renew the certificate embedded in the kubeconfig file for the controller manager to use
etcd-healthcheck-client Renew the certificate for liveness probes to healthcheck etcd
etcd-peer Renew the certificate for etcd nodes to communicate with each other
etcd-server Renew the certificate for serving etcd
front-proxy-client Renew the certificate for the front proxy client
scheduler.conf Renew the certificate embedded in the kubeconfig file for the scheduler manager to use
Flags:
-h, --help help for renew
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm alpha certs renew [command] --help" for more information about a command.
[root@c7u6km1 ~]#
This command contains 11 subcommands, but the most commonly used one is kubeadm alpha certs renew all, which renews all certificates on the cluster's master node.
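The expiry checks described in this section, together with the `openssl x509 -dates` inspection of the kubelet client certificate shown earlier, as an added example that is not part of the original page: a bash script that reports which certificates in a kubeadm PKI directory, which kubeconfig client certificates, and which extra PEM files are expired or will expire within a given number of days. The function names are assumptions of this example; it relies only on openssl, awk and base64.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): expiry audit for the certificate
# locations this page works with. Function names are hypothetical.

# cert_status PEM_FILE WINDOW_SECONDS
# Prints one of: unreadable | expired | expiring | ok
cert_status() {
    local pem="$1" window="$2"
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# kubeconfig_cert_status KUBECONFIG WINDOW_SECONDS
# A kubeconfig carries its client certificate either inline
# (client-certificate-data, base64-encoded PEM) or as a file path
# (client-certificate), e.g. a kubelet.conf that points at
# /var/lib/kubelet/pki/kubelet-client-current.pem.
kubeconfig_cert_status() {
    local conf="$1" window="$2" data path tmp status
    data=$(awk '$1 == "client-certificate-data:" { print $2; exit }' "$conf" 2>/dev/null) || true
    path=$(awk '$1 == "client-certificate:" { print $2; exit }' "$conf" 2>/dev/null) || true
    if [ -n "$data" ]; then
        tmp=$(mktemp)
        printf '%s\n' "$data" | base64 -d > "$tmp" 2>/dev/null || true
        status=$(cert_status "$tmp" "$window")
        rm -f "$tmp"
        printf '%s\t%s (embedded client certificate)\n' "$status" "$conf"
    elif [ -n "$path" ]; then
        printf '%s\t%s -> %s\n' "$(cert_status "$path" "$window")" "$conf" "$path"
    else
        printf 'unreadable\t%s (no client certificate found)\n' "$conf"
    fi
}

# audit_kube_certs DAYS PKI_DIR KUBECONFIG_DIR [EXTRA_PEM ...]
# Prints "STATUS<TAB>LOCATION" per certificate.
# Returns 0 if everything is ok, 1 if any entry is not ok, 2 if nothing was found.
audit_kube_certs() {
    local days="$1" pki_dir="$2" conf_dir="$3" window f report
    shift 3
    window=$((days * 86400))
    report=$(
        for f in "$pki_dir"/*.crt "$pki_dir"/etcd/*.crt; do
            if [ -f "$f" ]; then
                printf '%s\t%s\n' "$(cert_status "$f" "$window")" "$f"
            fi
        done
        # Extra files are reported even when missing, so a broken symlink shows up.
        for f in "$@"; do
            printf '%s\t%s\n' "$(cert_status "$f" "$window")" "$f"
        done
        for f in "$conf_dir"/*.conf; do
            if [ -f "$f" ]; then
                kubeconfig_cert_status "$f" "$window"
            fi
        done
    )
    if [ -z "$report" ]; then
        echo "no certificates found" >&2
        return 2
    fi
    printf '%s\n' "$report"
    printf '%s\n' "$report" | awk -F'\t' '$1 != "ok" { bad = 1 } END { exit bad + 0 }'
}

# Typical call on a kubeadm node, with the paths that appear on this page:
#   audit_kube_certs 30 /etc/kubernetes/pki /etc/kubernetes \
#       /var/lib/kubelet/pki/kubelet-client-current.pem
if [ "$#" -ge 3 ]; then
    audit_kube_certs "$@"
fi
```

Run from cron or a monitoring agent, the non-zero exit status gives advance warning before the API server starts refusing connections as it did at the start of this page.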
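3.4. The kubeadm init command
This command is mainly used here to generate the corresponding configuration files from the new certificates. When dealing with expired cluster certificates, the two commands used most often are:
- Update all configuration files on the master node:
kubeadm init --kubernetes-version ${k8s_version} phase kubeconfig all
- Update the kubelet service configuration file for a specific worker node:
kubeadm init --kubernetes-version ${k8s_version} phase kubeconfig kubelet --node-name ${nodename} --kubeconfig-dir ${output_dir}
The help output for this subcommand is as follows: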
[root@c7u6km1 kubernetes]# kubeadm init -h
Run this command in order to set up the Kubernetes control plane
The "init" command executes the following phases:
```
preflight Run pre-flight checks
certs Certificate generation
/ca Generate the self-signed Kubernetes CA to provision identities for other Kubernetes components
/apiserver Generate the certificate for serving the Kubernetes API
/apiserver-kubelet-client Generate the certificate for the API server to connect to kubelet
/front-proxy-ca Generate the self-signed CA to provision identities for front proxy
/front-proxy-client Generate the certificate for the front proxy client
/etcd-ca Generate the self-signed CA to provision identities for etcd
/etcd-server Generate the certificate for serving etcd
/etcd-peer Generate the certificate for etcd nodes to communicate with each other
/etcd-healthcheck-client Generate the certificate for liveness probes to healthcheck etcd
/apiserver-etcd-client Generate the certificate the apiserver uses to access etcd
/sa Generate a private key for signing service account tokens along with its public key
kubeconfig Generate all kubeconfig files necessary to establish the control plane and the admin kubeconfig file
/admin Generate a kubeconfig file for the admin to use and for kubeadm itself
/kubelet Generate a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposes
/controller-manager Generate a kubeconfig file for the controller manager to use
/scheduler Generate a kubeconfig file for the scheduler to use
kubelet-start Write kubelet settings and (re)start the kubelet
control-plane Generate all static Pod manifest files necessary to establish the control plane
/apiserver Generates the kube-apiserver static Pod manifest
/controller-manager Generates the kube-controller-manager static Pod manifest
/scheduler Generates the kube-scheduler static Pod manifest
etcd Generate static Pod manifest file for local etcd
/local Generate the static Pod manifest file for a local, single-node local etcd instance
upload-config Upload the kubeadm and kubelet configuration to a ConfigMap
/kubeadm Upload the kubeadm ClusterConfiguration to a ConfigMap
/kubelet Upload the kubelet component config to a ConfigMap
upload-certs Upload certificates to kubeadm-certs
mark-control-plane Mark a node as a control-plane
bootstrap-token Generates bootstrap tokens used to join a node to a cluster
kubelet-finalize Updates settings relevant to the kubelet after TLS bootstrap
/experimental-cert-rotation Enable kubelet client certificate rotation
addon Install required addons for passing Conformance tests
/coredns Install the CoreDNS addon to a Kubernetes cluster
/kube-proxy Install the kube-proxy addon to a Kubernetes cluster
```
Usage:
kubeadm init [flags]
kubeadm init [command]
Available Commands:
phase Use this command to invoke single phase of the init workflow
Flags:
--apiserver-advertise-address string The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--apiserver-bind-port int32 Port for the API Server to bind to. (default 6443)
--apiserver-cert-extra-sans strings Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate. Can be both IP addresses and DNS names.
--cert-dir string The path where to save and store the certificates. (default "/etc/kubernetes/pki")
--certificate-key string Key used to encrypt the control-plane certificates in the kubeadm-certs Secret.
--config string Path to a kubeadm configuration file.
--control-plane-endpoint string Specify a stable IP address or DNS name for the control plane.
--cri-socket string Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
--dry-run Don't apply any changes; just output what would be done.
--experimental-patches string Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
--feature-gates string A set of key=value pairs that describe feature gates for various features. Options are:
IPv6DualStack=true|false (ALPHA - default=false)
PublicKeysECDSA=true|false (ALPHA - default=false)
-h, --help help for init
--ignore-preflight-errors strings A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
--image-repository string Choose a container registry to pull control plane images from (default "k8s.gcr.io")
--kubernetes-version string Choose a specific Kubernetes version for the control plane. (default "stable-1")
--node-name string Specify the node name.
--pod-network-cidr string Specify range of IP addresses for the pod network. If set, the control plane will automatically allocate CIDRs for every node.
--service-cidr string Use alternative range of IP address for service VIPs. (default "10.96.0.0/12")
--service-dns-domain string Use alternative domain for services, e.g. "myorg.internal". (default "cluster.local")
--skip-certificate-key-print Don't print the key used to encrypt the control-plane certificates.
--skip-phases strings List of phases to be skipped
--skip-token-print Skip printing of the default bootstrap token generated by 'kubeadm init'.
--token string The token to use for establishing bidirectional trust between nodes and control-plane nodes. The format is [a-z0-9]{6}\.[a-z0-9]{16} - e.g. abcdef.0123456789abcdef
--token-ttl duration The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default 24h0m0s)
--upload-certs Upload control-plane certificates to the kubeadm-certs Secret.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm init [command] --help" for more information about a command.
[root@c7u6km1 kubernetes]#
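The help output above lists 12 subcommands. The detailed commands for each of them and their components are:
- kubeadm init phase preflight: runs the pre-flight checks
- kubeadm init phase certs: generates certificates; the supported k8s components are:
  - kubeadm init phase certs ca: generates the self-signed CA that provisions identities for the other components of the k8s cluster
  - kubeadm init phase certs apiserver: generates the apiserver certificate
  - kubeadm init phase certs apiserver-kubelet-client: generates the certificate the apiserver uses to connect to the kubelet
  - kubeadm init phase certs front-proxy-ca: generates the self-signed CA that provisions identities for the front proxy
  - kubeadm init phase certs front-proxy-client: generates the certificate for the front proxy client
  - kubeadm init phase certs etcd-ca: generates the self-signed CA that provisions identities for etcd
  - kubeadm init phase certs etcd-server: generates the certificate for the etcd service
  - kubeadm init phase certs etcd-peer: generates the certificate etcd nodes use to communicate with each other
  - kubeadm init phase certs etcd-healthcheck-client: generates the certificate for the etcd health-check probes
  - kubeadm init phase certs apiserver-etcd-client: generates the certificate the apiserver uses to access etcd
  - kubeadm init phase certs sa: generates the private key for signing service account tokens, along with its public key
- kubeadm init phase kubeconfig: generates all kubeconfig files needed on the master node, as well as the admin kubeconfig file; the supported k8s components are:
  - kubeadm init phase kubeconfig admin: generates the kubeconfig file for the admin to use, which is also the one kubeadm itself uses
  - kubeadm init phase kubeconfig kubelet: generates a kubeconfig file for the kubelet that is meant only for cluster bootstrapping purposes
  - kubeadm init phase kubeconfig controller-manager: generates the kubeconfig file for the controller manager
  - kubeadm init phase kubeconfig scheduler: generates the kubeconfig file for the scheduler
- kubeadm init phase kubelet-start: writes the kubelet settings and starts or restarts the kubelet service
- kubeadm init phase control-plane: generates all static Pod manifest files needed to set up the master node; the supported k8s components are:
  - kubeadm init phase control-plane apiserver: generates the kube-apiserver static Pod manifest
  - kubeadm init phase control-plane controller-manager: generates the kube-controller-manager static Pod manifest
  - kubeadm init phase control-plane scheduler: generates the kube-scheduler static Pod manifest
- kubeadm init phase etcd: generates the static Pod manifest for a locally stacked etcd service; the supported components are:
  - kubeadm init phase etcd local: generates the static Pod manifest for a locally stacked single-node etcd instance
- kubeadm init phase upload-config: uploads the kubeadm and kubelet configuration to a ConfigMap; the supported components are:
  - kubeadm init phase upload-config kubeadm: uploads the kubeadm ClusterConfiguration to a ConfigMap
  - kubeadm init phase upload-config kubelet: uploads the kubelet component configuration to a ConfigMap
- kubeadm init phase upload-certs: uploads certificates to kubeadm-certs
- kubeadm init phase mark-control-plane: marks a node as a master node
- kubeadm init phase bootstrap-token: generates the bootstrap tokens used to join nodes to the k8s cluster
- kubeadm init phase kubelet-finalize: updates kubelet-related settings after TLS bootstrap; the supported components are:
  - kubeadm init phase kubelet-finalize experimental-cert-rotation: enables kubelet client certificate rotation
- kubeadm init phase addon: installs the addons required for passing the conformance tests; the supported components are:
  - kubeadm init phase addon coredns: installs the CoreDNS service into the k8s cluster
  - kubeadm init phase addon kube-proxy: installs the kube-proxy addon into the k8s cluster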
3.5. The kubeadm completion command
This command provides subcommand completion in a specific shell environment (such as bash or zsh). Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help completion
Output shell completion code for the specified shell (bash or zsh).
The shell code must be evaluated to provide interactive
completion of kubeadm commands. This can be done by sourcing it from
the .bash_profile.
Note: this requires the bash-completion framework.
To install it on Mac use homebrew:
$ brew install bash-completion
Once installed, bash_completion must be evaluated. This can be done by adding the
following line to the .bash_profile
$ source $(brew --prefix)/etc/bash_completion
If bash-completion is not installed on Linux, please install the 'bash-completion' package
via your distribution's package manager.
Note for zsh users: [1] zsh completions are only supported in versions of zsh >= 5.2
Usage:
kubeadm completion SHELL [flags]
Examples:
# Install bash completion on a Mac using homebrew
brew install bash-completion
printf "\n# Bash completion support\nsource $(brew --prefix)/etc/bash_completion\n" >> $HOME/.bash_profile
source $HOME/.bash_profile
# Load the kubeadm completion code for bash into the current shell
source <(kubeadm completion bash)
# Write bash completion code to a file and source it from .bash_profile
kubeadm completion bash > ~/.kube/kubeadm_completion.bash.inc
printf "\n# Kubeadm shell completion\nsource '$HOME/.kube/kubeadm_completion.bash.inc'\n" >> $HOME/.bash_profile
source $HOME/.bash_profile
# Load the kubeadm completion code for zsh[1] into the current shell
source <(kubeadm completion zsh)
Flags:
-h, --help help for completion
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
For bash, the shell most commonly used on Linux, enable completion by running source <(kubeadm completion bash) on the command line. The result looks like this:
[root@c7u6km1 ~]# source <(kubeadm completion bash)
[root@c7u6km1 ~]# kubeadm
alpha completion config init join reset token upgrade version
[root@c7u6km1 ~]#
3.6. The kubeadm config command
This command manages the k8s cluster configuration that is persisted in a ConfigMap. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help config
There is a ConfigMap in the kube-system namespace called "kubeadm-config" that kubeadm uses to store internal configuration about the
cluster. kubeadm CLI v1.8.0+ automatically creates this ConfigMap with the config used with 'kubeadm init', but if you
initialized your cluster using kubeadm v1.7.x or lower, you must use the 'config upload' command to create this
ConfigMap. This is required so that 'kubeadm upgrade' can configure your upgraded cluster correctly.
Usage:
kubeadm config [flags]
kubeadm config [command]
Available Commands:
images Interact with container images used by kubeadm
migrate Read an older version of the kubeadm configuration API types from a file, and output the similar config object for the newer version
print Print configuration
Flags:
-h, --help help for config
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm config [command] --help" for more information about a command.
[root@c7u6km1 ~]#
This command contains 3 subcommands:
- kubeadm config images: lets kubeadm interact with container images. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help config images
Interact with container images used by kubeadm
Usage:
kubeadm config images [flags]
kubeadm config images [command]
Available Commands:
list Print a list of images kubeadm will use. The configuration file is used in case any images or image repositories are customized
pull Pull images used by kubeadm
Flags:
-h, --help help for images
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm config images [command] --help" for more information about a command.
[root@c7u6km1 ~]#
This command in turn contains two subcommands:
  - kubeadm config images list: prints the list of images kubeadm will use; the use case for this command is when custom image repositories or custom images are in place. The detailed help output is as follows:
[root@c7u6km1 ~]# kubeadm help config images list
Print a list of images kubeadm will use. The configuration file is used in case any images or image repositories are customized
Usage:
kubeadm config images list [flags]
Flags:
--allow-missing-template-keys If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. (default true)
--config string Path to a kubeadm configuration file.
-o, --experimental-output string Output format. One of: text|json|yaml|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. (default "text")
--feature-gates string A set of key=value pairs that describe feature gates for various features. Options are:
IPv6DualStack=true|false (ALPHA - default=false)
PublicKeysECDSA=true|false (ALPHA - default=false)
-h, --help help for list
--image-repository string Choose a container registry to pull control plane images from (default "k8s.gcr.io")
--kubernetes-version string Choose a specific Kubernetes version for the control plane. (default "stable-1")
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
  - kubeadm config images pull: pulls the images used by kubeadm. The detailed help output is as follows:
[root@c7u6km1 ~]# kubeadm help config images pull
Pull images used by kubeadm
Usage:
kubeadm config images pull [flags]
Flags:
--config string Path to a kubeadm configuration file.
--cri-socket string Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
--feature-gates string A set of key=value pairs that describe feature gates for various features. Options are:
IPv6DualStack=true|false (ALPHA - default=false)
PublicKeysECDSA=true|false (ALPHA - default=false)
-h, --help help for pull
--image-repository string Choose a container registry to pull control plane images from (default "k8s.gcr.io")
--kubernetes-version string Choose a specific Kubernetes version for the control plane. (default "stable-1")
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
-
-
kubeadm config migrate子命令:用于从文件中读取旧版本的kubeadm配置API类型,并生成类似的新版本配置对像该命令的帮助信息如下:
[root@c7u6km1 ~]# kubeadm help config migrate This command lets you convert configuration objects of older versions to the latest supported version, locally in the CLI tool without ever touching anything in the cluster. In this version of kubeadm, the following API versions are supported: - kubeadm.k8s.io/v1beta2 Further, kubeadm can only write out config of version "kubeadm.k8s.io/v1beta2", but read both types. So regardless of what version you pass to the --old-config parameter here, the API object will be read, deserialized, defaulted, converted, validated, and re-serialized when written to stdout or --new-config if specified. In other words, the output of this command is what kubeadm actually would read internally if you submitted this file to "kubeadm init" Usage: kubeadm config migrate [flags] Flags: -h, --help help for migrate --new-config string Path to the resulting equivalent kubeadm config file using the new API version. Optional, if not specified output will be sent to STDOUT. --old-config string Path to the kubeadm config file that is using an old API version and should be converted. This flag is mandatory. Global Flags: --add-dir-header If true, adds the file directory to the header of the log messages --kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf") --log-file string If non-empty, use this log file --log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) --rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem. --skip-headers If true, avoid header prefixes in the log messages --skip-log-headers If true, avoid headers when opening log files -v, --v Level number for the log level verbosity [root@c7u6km1 ~]# -
kubeadm config print subcommand: prints configuration information. The help output of this command is as follows:
[root@c7u6km1 ~]# kubeadm help config print
This command prints configurations for subcommands provided.
For details, see: https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2
Usage:
kubeadm config print [flags]
kubeadm config print [command]
Available Commands:
init-defaults Print default init configuration, that can be used for 'kubeadm init'
join-defaults Print default join configuration, that can be used for 'kubeadm join'
Flags:
-h, --help help for print
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm config print [command] --help" for more information about a command.
[root@c7u6km1 ~]#
This command also has two subcommands, which print the default initialization configuration for the master node and the default join configuration for worker nodes. Their help output is as follows:
kubeadm config print init-defaults: prints the default initialization configuration, which can be used with the kubeadm init command. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help config print init-defaults
This command prints objects such as the default init configuration that is used for 'kubeadm init'.
Note that sensitive values like the Bootstrap Token fields are replaced with placeholder values like {"abcdef.0123456789abcdef" "" "nil" <nil> [] []} in order to pass validation but not perform the real computation for creating a token.
Usage:
kubeadm config print init-defaults [flags]
Flags:
--component-configs strings A comma-separated list for component config API objects to print the default values for. Available values: [KubeProxyConfiguration KubeletConfiguration]. If this flag is not set, no component configs will be printed.
-h, --help help for init-defaults
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm config print join-defaults: prints the default configuration for adding a worker node, which can be used with the kubeadm join command.
3.7. The kubeadm help command
This command shows the help information for the subcommands of kubeadm, as follows:
[root@c7u6km1 ~]# kubeadm help help
Help provides help for any command in the application.
Simply type kubeadm help [path to command] for full details.
Usage:
kubeadm help [command] [flags]
Flags:
-h, --help help for help
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
You have new mail in /var/spool/mail/root
[root@c7u6km1 ~]#
3.8. The kubeadm join command
This command adds a master node or a worker node to the cluster. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help join
When joining a kubeadm initialized cluster, we need to establish bidirectional trust. This is split into discovery (having the Node trust the Kubernetes Control Plane) and TLS bootstrap (having the Kubernetes Control Plane trust the Node).
There are 2 main schemes for discovery. The first is to use a shared token along with the IP address of the API server. The second is to provide a file - a subset of the standard kubeconfig file. This file can be a local file or downloaded via an HTTPS URL. The forms are kubeadm join --discovery-token abcdef.1234567890abcdef 1.2.3.4:6443, kubeadm join --discovery-file path/to/file.conf, or kubeadm join --discovery-file https://url/file.conf. Only one form can be used. If the discovery information is loaded from a URL, HTTPS must be used. Also, in that case the host installed CA bundle is used to verify the connection.
If you use a shared token for discovery, you should also pass the --discovery-token-ca-cert-hash flag to validate the public key of the root certificate authority (CA) presented by the Kubernetes Control Plane. The value of this flag is specified as "<hash-type>:<hex-encoded-value>", where the supported hash type is "sha256". The hash is calculated over the bytes of the Subject Public Key Info (SPKI) object (as in RFC7469).
This value is available in the output of "kubeadm init" or can be calculated using standard tools. The --discovery-token-ca-cert-hash flag may be repeated multiple times to allow more than one public key.
If you cannot know the CA public key hash ahead of time, you can pass the --discovery-token-unsafe-skip-ca-verification flag to disable this verification. This weakens the kubeadm security model since other nodes can potentially impersonate the Kubernetes Control Plane.
The TLS bootstrap mechanism is also driven via a shared token. This is used to temporarily authenticate with the Kubernetes Control Plane to submit a certificate signing request (CSR) for a locally created key pair. By default, kubeadm will set up the Kubernetes Control Plane to automatically approve these signing requests. This token is passed in with the --tls-bootstrap-token abcdef.1234567890abcdef flag.
Often times the same token is used for both parts. In this case, the --token flag can be used instead of specifying each token individually.
The "join [api-server-endpoint]" command executes the following phases:
```
preflight Run join pre-flight checks
control-plane-prepare Prepare the machine for serving a control plane
/download-certs [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
/certs Generate the certificates for the new control plane components
/kubeconfig Generate the kubeconfig for the new control plane components
/control-plane Generate the manifests for the new control plane components
kubelet-start Write kubelet settings, certificates and (re)start the kubelet
control-plane-join Join a machine as a control plane instance
/etcd Add a new local etcd member
/update-status Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap
/mark-control-plane Mark a node as a control-plane
```
Usage:
kubeadm join [api-server-endpoint] [flags]
kubeadm join [command]
Available Commands:
phase Use this command to invoke single phase of the join workflow
Flags:
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--apiserver-bind-port int32 If the node should host a new control plane instance, the port for the API Server to bind to. (default 6443)
--certificate-key string Use this key to decrypt the certificate secrets uploaded by init.
--config string Path to kubeadm config file.
--control-plane Create a new control plane instance on this node
--cri-socket string Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
--discovery-file string For file-based discovery, a file or URL from which to load cluster information.
--discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server.
--discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
--discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
--experimental-patches string Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
-h, --help help for join
--ignore-preflight-errors strings A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
--node-name string Specify the node name.
--skip-phases strings List of phases to be skipped
--tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm join [command] --help" for more information about a command.
[root@c7u6km1 ~]#
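The help text above says the value for --discovery-token-ca-cert-hash "can be calculated using standard tools". The following added example (not part of the original page or of kubeadm) computes it with openssl and checks a join command line against the CA certificate before the command is run. The function names, the throwaway CA and the sample join commands are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: compute the value for
# --discovery-token-ca-cert-hash and check a join command against the CA.
# All function names are hypothetical; the CA below is a constructed throwaway.

# Print "sha256:<hex>": SHA-256 over the DER-encoded SubjectPublicKeyInfo of
# the certificate in $1. The ( ) body is a subshell, so variables stay local
# and "exit" only leaves the function.
ca_pin() (
    tmp=$(mktemp) || exit 1
    hex=
    # If x509 cannot read the certificate, pkey gets no key and fails, so a
    # bad input never produces the hash of empty data.
    if openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
           openssl pkey -pubin -outform DER -out "$tmp" 2>/dev/null &&
       [ -s "$tmp" ]; then
        hex=$(openssl dgst -sha256 -hex < "$tmp" | awk '{print $NF}')
    fi
    rm -f "$tmp"
    [ "${#hex}" -eq 64 ] || exit 1
    printf 'sha256:%s\n' "$hex"
)

# Succeed only if $1 has the form sha256:<64 hex digits>.
valid_pin_format() (
    case $1 in sha256:*) ;; *) exit 1 ;; esac
    hex=${1#sha256:}
    [ "${#hex}" -eq 64 ] || exit 1
    case $hex in *[!0-9a-fA-F]*) exit 1 ;; esac
    exit 0
)

# Print each pin given in the join command line $1, accepting both the
# "--flag value" and "--flag=value" spellings.
pins_in_join_cmd() {
    printf '%s\n' "$1" | awk -v f='--discovery-token-ca-cert-hash' '{
        for (i = 1; i <= NF; i++) {
            if ($i == f && i < NF) print $(++i)
            else if (index($i, f "=") == 1) print substr($i, length(f) + 2)
        }
    }'
}

# Exit status: 0 = a pin in the command matches the CA certificate $2,
# 1 = CA pinning is disabled or missing, 2 = a pin is malformed or none
# matches, 3 = the CA certificate could not be read.
check_join_cmd() (
    case " $1 " in
        *" --discovery-token-unsafe-skip-ca-verification=false "*) ;;
        *" --discovery-token-unsafe-skip-ca-verification"*) exit 1 ;;
    esac
    expected=$(ca_pin "$2") || exit 3
    pins=$(pins_in_join_cmd "$1")
    [ -n "$pins" ] || exit 1
    for p in $pins; do
        valid_pin_format "$p" || exit 2
        [ "$(printf '%s' "$p" | tr 'A-F' 'a-f')" = "$expected" ] && exit 0
    done
    exit 2
)

# Create a constructed, throwaway self-signed CA in directory $1. On a real
# cluster the certificate to pin is /etc/kubernetes/pki/ca.crt on the master.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=constructed-demo-ca' \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Run the check over three constructed join commands: a correct pin, a
# well-formed but wrong pin, and a command that disables CA verification.
demo() (
    dir=$(mktemp -d) || exit 1
    make_demo_ca "$dir" || exit 1
    pin=$(ca_pin "$dir/ca.crt") || exit 1
    base='kubeadm join 192.168.122.21:6443 --token abcdef.1234567890abcdef'
    zero=sha256:$(printf '%064d' 0)
    for cmd in \
        "$base --discovery-token-ca-cert-hash $pin" \
        "$base --discovery-token-ca-cert-hash=$zero" \
        "$base --discovery-token-unsafe-skip-ca-verification"
    do
        rc=0
        check_join_cmd "$cmd" "$dir/ca.crt" || rc=$?
        printf 'status %s: %s\n' "$rc" "$cmd"
    done
    rm -rf "$dir"
)

demo
```

On the master, `ca_pin /etc/kubernetes/pki/ca.crt` prints the value to pass to --discovery-token-ca-cert-hash.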
The command above has one subcommand, phase, which is used as follows:
kubeadm join phase subcommand: invokes a single phase to carry out a specific part of the workflow. phase supports 4 subcommands: control-plane-join, control-plane-prepare, kubelet-start and preflight. The help output of this command is as follows:
[root@c7u6km1 ~]# kubeadm help join phase
Use this command to invoke single phase of the join workflow
Usage:
kubeadm join phase [command]
Available Commands:
control-plane-join Join a machine as a control plane instance
control-plane-prepare Prepare the machine for serving a control plane
kubelet-start Write kubelet settings, certificates and (re)start the kubelet
preflight Run join pre-flight checks
Flags:
-h, --help help for phase
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm join phase [command] --help" for more information about a command.
[root@c7u6km1 ~]#
This command has 4 available subcommands:
kubeadm join phase control-plane-join: adds a new master node to the k8s cluster. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help join phase control-plane-join
Join a machine as a control plane instance
Usage:
kubeadm join phase control-plane-join [flags]
kubeadm join phase control-plane-join [command]
Examples:
# Joins a machine as a control plane instance
kubeadm join phase control-plane-join all
Available Commands:
all Join a machine as a control plane instance
etcd Add a new local etcd member
mark-control-plane Mark a node as a control-plane
update-status Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap
Flags:
-h, --help help for control-plane-join
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm join phase control-plane-join [command] --help" for more information about a command.
[root@c7u6km1 ~]#
This command has 4 subcommands:
kubeadm join phase control-plane-join all: adds a master node instance. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help join phase control-plane-join all
Join a machine as a control plane instance
Usage:
kubeadm join phase control-plane-join all [flags]
Flags:
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--config string Path to kubeadm config file.
--control-plane Create a new control plane instance on this node
-h, --help help for all
--node-name string Specify the node name.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm join phase control-plane-join etcd: adds a local (stacked) etcd member to the k8s cluster. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help join phase control-plane-join etcd
Add a new local etcd member
Usage:
kubeadm join phase control-plane-join etcd [flags]
Flags:
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--config string Path to kubeadm config file.
--control-plane Create a new control plane instance on this node
--experimental-patches string Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
-h, --help help for etcd
--node-name string Specify the node name.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm join phase control-plane-join mark-control-plane: marks a non-master node in the k8s cluster as a master node. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help join phase control-plane-join mark-control-plane
Mark a node as a control-plane
Usage:
kubeadm join phase control-plane-join mark-control-plane [flags]
Flags:
--config string Path to kubeadm config file.
--control-plane Create a new control plane instance on this node
-h, --help help for mark-control-plane
--node-name string Specify the node name.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm join phase control-plane-join update-status: registers the new master node in the ClusterStatus kept in the kubeadm-config ConfigMap.
[root@c7u6km1 ~]# kubeadm help join phase control-plane-join update-status
Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap
Usage:
kubeadm join phase control-plane-join update-status [flags]
Flags:
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--config string Path to kubeadm config file.
--control-plane Create a new control plane instance on this node
-h, --help help for update-status
--node-name string Specify the node name.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
That covers the help output of the kubeadm join phase control-plane-join command and its subcommands.
kubeadm join phase control-plane-prepare: prepares the host so that it can later serve as a master node. The help output of this command is as follows:
[root@c7u6km1 ~]# kubeadm help join phase control-plane-prepare
Prepare the machine for serving a control plane
Usage:
kubeadm join phase control-plane-prepare [flags]
kubeadm join phase control-plane-prepare [command]
Examples:
# Prepares the machine for serving a control plane
kubeadm join phase control-plane-prepare all
Available Commands:
all Prepare the machine for serving a control plane
certs Generate the certificates for the new control plane components
control-plane Generate the manifests for the new control plane components
download-certs [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
kubeconfig Generate the kubeconfig for the new control plane components
Flags:
-h, --help help for control-plane-prepare
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm join phase control-plane-prepare [command] --help" for more information about a command.
[root@c7u6km1 ~]#
This command has 5 subcommands; their help output is as follows:
kubeadm join phase control-plane-prepare all: prepares the host so that it can later serve as a master node of the k8s cluster. The help output of this command is as follows:
[root@c7u6km1 ~]# kubeadm help join phase control-plane-prepare all
Prepare the machine for serving a control plane
Usage:
kubeadm join phase control-plane-prepare all [api-server-endpoint] [flags]
Flags:
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--apiserver-bind-port int32 If the node should host a new control plane instance, the port for the API Server to bind to. (default 6443)
--certificate-key string Use this key to decrypt the certificate secrets uploaded by init.
--config string Path to kubeadm config file.
--control-plane Create a new control plane instance on this node
--discovery-file string For file-based discovery, a file or URL from which to load cluster information.
--discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server.
--discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
--discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
--experimental-patches string Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
-h, --help help for all
--node-name string Specify the node name.
--tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm join phase control-plane-prepare certs: generates the certificates required by all the components of the new master. The help output of this command is as follows:
[root@c7u6km1 ~]# kubeadm help join phase control-plane-prepare certs
Generate the certificates for the new control plane components
Usage:
kubeadm join phase control-plane-prepare certs [api-server-endpoint] [flags]
Flags:
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--config string Path to kubeadm config file.
--control-plane Create a new control plane instance on this node
--discovery-file string For file-based discovery, a file or URL from which to load cluster information.
--discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server.
--discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
--discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
-h, --help help for certs
--node-name string Specify the node name.
--tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm join phase control-plane-prepare control-plane: generates the static pod manifest files for the components the new master requires. The help output of this command is as follows:
[root@c7u6km1 ~]# kubeadm help join phase control-plane-prepare control-plane
Generate the manifests for the new control plane components
Usage:
kubeadm join phase control-plane-prepare control-plane [flags]
Flags:
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--apiserver-bind-port int32 If the node should host a new control plane instance, the port for the API Server to bind to. (default 6443)
--config string Path to kubeadm config file.
--control-plane Create a new control plane instance on this node
--experimental-patches string Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
-h, --help help for control-plane
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm join phase control-plane-prepare download-certs: [experimental subcommand] downloads the certificates from the kubeadm-certs Secret so that they can be shared among master nodes. The help output of this command is as follows:
[root@c7u6km1 ~]# kubeadm help join phase control-plane-prepare download-certs
[EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
Usage:
kubeadm join phase control-plane-prepare download-certs [api-server-endpoint] [flags]
Flags:
--certificate-key string Use this key to decrypt the certificate secrets uploaded by init.
--config string Path to kubeadm config file.
--control-plane Create a new control plane instance on this node
--discovery-file string For file-based discovery, a file or URL from which to load cluster information.
--discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server.
--discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
--discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
-h, --help help for download-certs
--tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm join phase control-plane-prepare kubeconfig: generates the kubeconfig files needed by the components of the new master node. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help join phase control-plane-prepare kubeconfig
Generate the kubeconfig for the new control plane components
Usage:
kubeadm join phase control-plane-prepare kubeconfig [api-server-endpoint] [flags]
Flags:
--certificate-key string Use this key to decrypt the certificate secrets uploaded by init.
--config string Path to kubeadm config file.
--control-plane Create a new control plane instance on this node
--discovery-file string For file-based discovery, a file or URL from which to load cluster information.
--discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server.
--discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
--discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
-h, --help help for kubeconfig
--tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
That covers the help output of the kubeadm join phase control-plane-prepare command and its 5 subcommands.
kubeadm join phase kubelet-start: writes the kubelet settings and certificates and restarts the kubelet service. The help output of this command is as follows:
[root@c7u6km1 ~]# kubeadm help join phase kubelet-start
Write a file with KubeletConfiguration and an environment file with node specific kubelet settings, and then (re)start kubelet.
Usage:
kubeadm join phase kubelet-start [api-server-endpoint] [flags]
Flags:
--config string Path to kubeadm config file.
--cri-socket string Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
--discovery-file string For file-based discovery, a file or URL from which to load cluster information.
--discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server.
--discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
--discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
-h, --help help for kubelet-start
--node-name string Specify the node name.
--tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm join phase preflight: runs the checks performed before joining. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help join phase preflight
Run pre-flight checks for kubeadm join.
Usage:
kubeadm join phase preflight [api-server-endpoint] [flags]
Examples:
# Run join pre-flight checks using a config file.
kubeadm join phase preflight --config kubeadm-config.yml
Flags:
--apiserver-advertise-address string If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
--apiserver-bind-port int32 If the node should host a new control plane instance, the port for the API Server to bind to. (default 6443)
--certificate-key string Use this key to decrypt the certificate secrets uploaded by init.
--config string Path to kubeadm config file.
--control-plane Create a new control plane instance on this node
--cri-socket string Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
--discovery-file string For file-based discovery, a file or URL from which to load cluster information.
--discovery-token string For token-based discovery, the token used to validate cluster information fetched from the API server.
--discovery-token-ca-cert-hash strings For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
--discovery-token-unsafe-skip-ca-verification For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
-h, --help help for preflight
--ignore-preflight-errors strings A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
--node-name string Specify the node name.
--tls-bootstrap-token string Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
--token string Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
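That covers the help output of the kubeadm join command and its subcommands.
3.9. The kubeadm reset command
The kubeadm reset command resets a master node of a k8s cluster that was initialized with kubeadm init, as well as master or worker nodes that were added with kubeadm join. It supports 4 phase subcommands. Its help output is as follows: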
[root@c7u6km1 ~]# kubeadm help reset
Performs a best effort revert of changes made to this host by 'kubeadm init' or 'kubeadm join'
The "reset" command executes the following phases:
```
preflight Run reset pre-flight checks
update-cluster-status Remove this node from the ClusterStatus object.
remove-etcd-member Remove a local etcd member.
cleanup-node Run cleanup node.
```
Usage:
kubeadm reset [flags]
kubeadm reset [command]
Available Commands:
phase Use this command to invoke single phase of the reset workflow
Flags:
--cert-dir string The path to the directory where the certificates are stored. If specified, clean this directory. (default "/etc/kubernetes/pki")
--cri-socket string Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
-f, --force Reset the node without prompting for confirmation.
-h, --help help for reset
--ignore-preflight-errors strings A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
--skip-phases strings List of phases to be skipped
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm reset [command] --help" for more information about a command.
[root@c7u6km1 ~]#
The 4 phase subcommands supported by this command and their help output are as follows:
kubeadm reset phase preflight: runs the pre-flight checks for resetting a master or worker node of the k8s cluster. Its help output:
[root@c7u6km1 ~]# kubeadm help reset phase preflight
Run pre-flight checks for kubeadm reset.
Usage:
kubeadm reset phase preflight [flags]
Aliases:
preflight, pre-flight
Flags:
-f, --force Reset the node without prompting for confirmation.
-h, --help help for preflight
--ignore-preflight-errors strings A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm reset phase update-cluster-status: removes a master or worker node of the k8s cluster from the ClusterStatus object. Its help output:
[root@c7u6km1 ~]# kubeadm help reset phase update-cluster-status
Remove this node from the ClusterStatus object if the node is a control plane node.
Usage:
kubeadm reset phase update-cluster-status [flags]
Flags:
-h, --help help for update-cluster-status
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm reset phase remove-etcd-member: removes the local, stacked etcd member from the k8s cluster. Its help output:
[root@c7u6km1 ~]# kubeadm help reset phase remove-etcd-member
Remove a local etcd member for a control plane node.
Usage:
kubeadm reset phase remove-etcd-member [flags]
Flags:
-h, --help help for remove-etcd-member
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm reset phase cleanup-node: cleans up a node of the k8s cluster. Its help output:
[root@c7u6km1 ~]# kubeadm help reset phase cleanup-node
Run cleanup node.
Usage:
kubeadm reset phase cleanup-node [flags]
Aliases:
cleanup-node, cleanupnode
Flags:
--cert-dir string The path to the directory where the certificates are stored. If specified, clean this directory. (default "/etc/kubernetes/pki")
--cri-socket string Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
-h, --help help for cleanup-node
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
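That covers the detailed help output of the kubeadm reset command and its subcommands.
3.10. The kubeadm token command
The kubeadm token command manages the bootstrap tokens of a k8s cluster. It is only needed in advanced administration scenarios and is rarely used otherwise. Its help output: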
[root@c7u6km1 ~]# kubeadm help token
This command manages bootstrap tokens. It is optional and needed only for advanced use cases.
In short, bootstrap tokens are used for establishing bidirectional trust between a client and a server.
A bootstrap token can be used when a client (for example a node that is about to join the cluster) needs to trust the server it is talking to. Then a bootstrap token with the "signing" usage can be used.
bootstrap tokens can also function as a way to allow short-lived authentication to the API Server (the token serves as a way for the API Server to trust the client), for example for doing the TLS Bootstrap.
What is a bootstrap token more exactly?
- It is a Secret in the kube-system namespace of type "bootstrap.kubernetes.io/token".
- A bootstrap token must be of the form "[a-z0-9]{6}.[a-z0-9]{16}". The former part is the public token ID, while the latter is the Token Secret and it must be kept private at all circumstances!
- The name of the Secret must be named "bootstrap-token-(token-id)".
You can read more about bootstrap tokens here:
https://kubernetes.io/docs/admin/bootstrap-tokens/
Usage:
kubeadm token [flags]
kubeadm token [command]
Available Commands:
create Create bootstrap tokens on the server
delete Delete bootstrap tokens on the server
generate Generate and print a bootstrap token, but do not create it on the server
list List bootstrap tokens on the server
Flags:
--dry-run Whether to enable dry-run mode or not
-h, --help help for token
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm token [command] --help" for more information about a command.
[root@c7u6km1 ~]#
This command has 4 subcommands. Their help output is as follows:
kubeadm token create: creates a bootstrap token on the server of the k8s cluster. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help token create
This command will create a bootstrap token for you.
You can specify the usages for this token, the "time to live" and an optional human friendly description.
The [token] is the actual token to write.
This should be a securely generated random token of the form "[a-z0-9]{6}.[a-z0-9]{16}".
If no [token] is given, kubeadm will generate a random token instead.
Usage:
kubeadm token create [token]
Flags:
--certificate-key string When used together with '--print-join-command', print the full 'kubeadm join' flag needed to join the cluster as a control-plane. To create a new certificate key you must use 'kubeadm init phase upload-certs --upload-certs'.
--config string Path to a kubeadm configuration file.
--description string A human friendly description of how this token is used.
--groups strings Extra groups that this token will authenticate as when used for authentication. Must match "\\Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\\z" (default [system:bootstrappers:kubeadm:default-node-token])
-h, --help help for create
--print-join-command Instead of printing only the token, print the full 'kubeadm join' flag needed to join the cluster using the token.
--ttl duration The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default 24h0m0s)
--usages strings Describes the ways in which this token can be used. You can pass --usages multiple times or provide a comma separated list of options. Valid options: [signing,authentication] (default [signing,authentication])
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--dry-run Whether to enable dry-run mode or not
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm token delete: deletes bootstrap tokens on the nodes of the k8s cluster. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help token delete
This command will delete a list of bootstrap tokens for you.
The [token-value] is the full Token of the form "[a-z0-9]{6}.[a-z0-9]{16}" or the Token ID of the form "[a-z0-9]{6}" to delete.
Usage:
kubeadm token delete [token-value] ...
Flags:
-h, --help help for delete
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--dry-run Whether to enable dry-run mode or not
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm token generate: generates and prints a bootstrap token, but does not actually create it in the k8s cluster. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help token generate
This command will print out a randomly-generated bootstrap token that can be used with the "init" and "join" commands.
You don't have to use this command in order to generate a token. You can do so yourself as long as it is in the format "[a-z0-9]{6}.[a-z0-9]{16}". This command is provided for convenience to generate tokens in the given format.
You can also use "kubeadm init" without specifying a token and it will generate and print one for you.
Usage:
kubeadm token generate [flags]
Flags:
-h, --help help for generate
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--dry-run Whether to enable dry-run mode or not
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm token list: lists the bootstrap tokens in the k8s cluster. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help token list
This command will list all bootstrap tokens for you.
Usage:
kubeadm token list [flags]
Flags:
--allow-missing-template-keys If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. (default true)
-o, --experimental-output string Output format. One of: text|json|yaml|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file. (default "text")
-h, --help help for list
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--dry-run Whether to enable dry-run mode or not
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
That covers the help output of the kubeadm token command and its subcommands.
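The token rules quoted in the kubeadm token help above, and the discovery flags listed in the kubeadm join help, can be checked mechanically before a join line is run or pasted anywhere. The script below is an added example, not part of the original post or of kubeadm: the function names and finding codes are hypothetical, the sample join line is constructed, and it assumes sha256 as the pin type with one pin per flag.

```shell
#!/bin/sh
# Added example: safety checks for kubeadm bootstrap tokens and join flags.
# Function names and finding codes are hypothetical, not part of kubeadm.
LC_ALL=C; export LC_ALL   # make [a-z] ranges byte-exact

# Succeeds only if $1 has the form [a-z0-9]{6}.[a-z0-9]{16}.
is_bootstrap_token() {
    _id=${1%%.*}
    _secret=${1#*.}
    [ "${#_id}" -eq 6 ] && [ "${#_secret}" -eq 16 ] || return 1
    case "$_id$_secret" in
        *[!a-z0-9]*) return 1 ;;
    esac
    return 0
}

# Prints the name of the kube-system Secret that backs a token.
# Only the public token ID appears in the name, never the secret half.
token_secret_name() {
    is_bootstrap_token "$1" || return 1
    printf 'bootstrap-token-%s\n' "${1%%.*}"
}

# Filter: masks the secret half of every token on stdin and keeps the public
# ID, which is still enough for `kubeadm token delete`. Over-matching only
# masks more text, which is the safe direction.
redact_tokens() {
    sed -E 's/([a-z0-9]{6})\.[a-z0-9]{16}/\1.<redacted>/g'
}

# Succeeds if $1 is a "<type>:<value>" pin with type sha256 and 64 hex digits
# (assumption: sha256 is the pin type; the help text only shows the shape).
is_ca_pin() {
    _hex=${1#sha256:}
    [ "$_hex" != "$1" ] && [ "${#_hex}" -eq 64 ] || return 1
    case "$_hex" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Audits the arguments of a kubeadm invocation and prints a comma-separated
# list of finding codes, or OK. Handles "--flag value" and "--flag=value".
audit_kubeadm_args() {
    _token='' _pin='' _skip=no _badpin=no _ttl='' _out=''
    while [ "$#" -gt 0 ]; do
        _arg=$1; shift
        case "$_arg" in
            --*=*) _key=${_arg%%=*}; _val=${_arg#*=} ;;
            --token|--discovery-token|--discovery-token-ca-cert-hash|--ttl)
                _key=$_arg; _val=${1-}
                if [ "$#" -gt 0 ]; then shift; fi ;;
            *) _key=$_arg; _val='' ;;
        esac
        case "$_key" in
            --token|--discovery-token) _token=$_val ;;
            --discovery-token-ca-cert-hash)
                _pin=$_val
                is_ca_pin "$_val" || _badpin=yes ;;
            --discovery-token-unsafe-skip-ca-verification)
                [ "$_val" = false ] || _skip=yes ;;
            --ttl) _ttl=$_val ;;
        esac
    done
    if [ -n "$_token" ] && ! is_bootstrap_token "$_token"; then
        _out=BAD_TOKEN_FORMAT
    fi
    if [ "$_skip" = yes ]; then
        # The node would trust whatever API server answers the token.
        _out=${_out:+$_out,}CA_VERIFICATION_SKIPPED
    elif [ "$_badpin" = yes ]; then
        _out=${_out:+$_out,}BAD_CA_PIN_FORMAT
    elif [ -n "$_token" ] && [ -z "$_pin" ]; then
        _out=${_out:+$_out,}NO_CA_PIN
    fi
    case "$_ttl" in
        # '0' means the token never expires; 0s/0m/0h are the same duration.
        0|0s|0m|0h) _out=${_out:+$_out,}NON_EXPIRING_TOKEN ;;
    esac
    printf '%s\n' "${_out:-OK}"
}

# Constructed sample: a join line as it might be pasted into a ticket.
SAMPLE='kubeadm join 192.168.122.21:6443 --token abcdef.0123456789abcdef --discovery-token-unsafe-skip-ca-verification'
printf '%s\n' "$SAMPLE" | redact_tokens
# shellcheck disable=SC2086  # word splitting of the sample line is intended
audit_kubeadm_args $SAMPLE
```

Run as is, it prints the sample join line with the token secret masked, followed by CA_VERIFICATION_SKIPPED.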
3.11. The kubeadm upgrade command
The kubeadm upgrade command smoothly upgrades a k8s cluster to a newer version. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help upgrade
Upgrade your cluster smoothly to a newer version with this command
Usage:
kubeadm upgrade [flags]
kubeadm upgrade [command]
Available Commands:
apply Upgrade your Kubernetes cluster to the specified version
diff Show what differences would be applied to existing static pod manifests. See also: kubeadm upgrade apply --dry-run
node Upgrade commands for a node in the cluster
plan Check which versions are available to upgrade to and validate whether your current cluster is upgradeable. To skip the internet check, pass in the optional [version] parameter
Flags:
-h, --help help for upgrade
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm upgrade [command] --help" for more information about a command.
[root@c7u6km1 ~]#
This command has 4 subcommands. The help output of each is as follows:
kubeadm upgrade apply: upgrades the k8s cluster to the specified version. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help upgrade apply
Upgrade your Kubernetes cluster to the specified version
Usage:
kubeadm upgrade apply [version]
Flags:
--allow-experimental-upgrades Show unstable versions of Kubernetes as an upgrade alternative and allow upgrading to an alpha/beta/release candidate versions of Kubernetes.
--allow-release-candidate-upgrades Show release candidate versions of Kubernetes as an upgrade alternative and allow upgrading to a release candidate versions of Kubernetes.
--certificate-renewal Perform the renewal of certificates used by component changed during upgrades. (default true)
--config string Path to a kubeadm configuration file.
--dry-run Do not change any state, just output what actions would be performed.
--etcd-upgrade Perform the upgrade of etcd. (default true)
--experimental-patches string Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
--feature-gates string A set of key=value pairs that describe feature gates for various features. Options are:
IPv6DualStack=true|false (ALPHA - default=false)
PublicKeysECDSA=true|false (ALPHA - default=false)
-f, --force Force upgrading although some requirements might not be met. This also implies non-interactive mode.
-h, --help help for apply
--ignore-preflight-errors strings A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
--print-config Specifies whether the configuration file that will be used in the upgrade should be printed or not.
-y, --yes Perform the upgrade and do not prompt for confirmation (non-interactive mode).
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm upgrade diff: shows the differences that would be applied to the existing static pod manifest files. The same information is available from kubeadm upgrade apply --dry-run. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help upgrade diff
Show what differences would be applied to existing static pod manifests. See also: kubeadm upgrade apply --dry-run
Usage:
kubeadm upgrade diff [version] [flags]
Flags:
--api-server-manifest string path to API server manifest (default "/etc/kubernetes/manifests/kube-apiserver.yaml")
--config string Path to a kubeadm configuration file.
-c, --context-lines int How many lines of context in the diff (default 3)
--controller-manager-manifest string path to controller manifest (default "/etc/kubernetes/manifests/kube-controller-manager.yaml")
-h, --help help for diff
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
--scheduler-manifest string path to scheduler manifest (default "/etc/kubernetes/manifests/kube-scheduler.yaml")
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm upgrade node: upgrades a node of the k8s cluster. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help upgrade node
Upgrade commands for a node in the cluster
The "node" command executes the following phases:
```
preflight Run upgrade node pre-flight checks
control-plane Upgrade the control plane instance deployed on this node, if any
kubelet-config Upgrade the kubelet configuration for this node
```
Usage:
kubeadm upgrade node [flags]
kubeadm upgrade node [command]
Available Commands:
phase Use this command to invoke single phase of the node workflow
Flags:
--certificate-renewal Perform the renewal of certificates used by component changed during upgrades. (default true)
--dry-run Do not change any state, just output the actions that would be performed.
--etcd-upgrade Perform the upgrade of etcd. (default true)
--experimental-patches string Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
-h, --help help for node
--ignore-preflight-errors strings A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
--skip-phases strings List of phases to be skipped
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
Use "kubeadm upgrade node [command] --help" for more information about a command.
[root@c7u6km1 ~]#
This command has 3 phase subcommands: preflight, control-plane and kubelet-config. The help output of each is as follows:
kubeadm upgrade node phase preflight: runs the pre-flight checks for upgrading a node of the k8s cluster. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help upgrade node phase preflight
Run pre-flight checks for kubeadm upgrade node.
Usage:
kubeadm upgrade node phase preflight [flags]
Flags:
-h, --help help for preflight
--ignore-preflight-errors strings A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm upgrade node phase control-plane: upgrades the master control plane instance deployed on the node, if there is one. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help upgrade node phase control-plane
Upgrade the control plane instance deployed on this node, if any
Usage:
kubeadm upgrade node phase control-plane [flags]
Flags:
--certificate-renewal Perform the renewal of certificates used by component changed during upgrades. (default true)
--dry-run Do not change any state, just output the actions that would be performed.
--etcd-upgrade Perform the upgrade of etcd. (default true)
--experimental-patches string Path to a directory that contains files named "target[suffix][+patchtype].extension". For example, "kube-apiserver0+merge.yaml" or just "etcd.json". "patchtype" can be one of "strategic", "merge" or "json" and they match the patch formats supported by kubectl. The default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string that can be used to determine which patches are applied first alpha-numerically.
-h, --help help for control-plane
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
kubeadm upgrade node phase kubelet-config: upgrades the kubelet service configuration for the current node. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help upgrade node phase kubelet-config
Download the kubelet configuration from a ConfigMap of the form "kubelet-config-1.X" in the cluster, where X is the minor version of the kubelet. kubeadm uses the KuberneteVersion field in the kubeadm-config ConfigMap to determine what the _desired_ kubelet version is.
Usage:
kubeadm upgrade node phase kubelet-config [flags]
Flags:
--dry-run Do not change any state, just output the actions that would be performed.
-h, --help help for kubelet-config
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]
kubeadm upgrade plan: checks which versions the current k8s cluster can be upgraded to and validates whether the cluster's current k8s version can be upgraded. This check needs Internet access, so to skip it, pass the optional version parameter directly. Its help output is as follows:
[root@c7u6km1 ~]# kubeadm help upgrade plan
Check which versions are available to upgrade to and validate whether your current cluster is upgradeable. To skip the internet check, pass in the optional [version] parameter
Usage:
kubeadm upgrade plan [version] [flags]
Flags:
--allow-experimental-upgrades Show unstable versions of Kubernetes as an upgrade alternative and allow upgrading to an alpha/beta/release candidate versions of Kubernetes.
--allow-release-candidate-upgrades Show release candidate versions of Kubernetes as an upgrade alternative and allow upgrading to a release candidate versions of Kubernetes.
--config string Path to a kubeadm configuration file.
--feature-gates string A set of key=value pairs that describe feature gates for various features. Options are:
IPv6DualStack=true|false (ALPHA - default=false)
PublicKeysECDSA=true|false (ALPHA - default=false)
-h, --help help for plan
--ignore-preflight-errors strings A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
--kubeconfig string The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file. (default "/etc/kubernetes/admin.conf")
--print-config Specifies whether the configuration file that will be used in the upgrade should be printed or not.
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#
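That covers the help output of the kubeadm upgrade command and its subcommands.
3.12. The kubeadm version command
The kubeadm version command prints the version of the kubeadm command. Its help output is as follows: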
[root@c7u6km1 ~]# kubeadm help version
Print the version of kubeadm
Usage:
kubeadm version [flags]
Flags:
-h, --help help for version
-o, --output string Output format; available options are 'yaml', 'json' and 'short'
Global Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--log-file string If non-empty, use this log file
--log-file-max-size uint Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--rootfs string [EXPERIMENTAL] The path to the 'real' host root filesystem.
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files
-v, --v Level number for the log level verbosity
[root@c7u6km1 ~]#




