
#1 2022-08-14 17:56:57

小天天
Moderator
Registered: 2019-09-29
Posts: 886

Building a cluster with kubeadm

It comes down to two commands:

init and join

[root@k8s-master-1 k8s]# kubeadm init --config init-k8s.yaml --upload-certs --ignore-preflight-errors=all
If it fails: run docker ps | grep -v pause to see which container is responsible,
then docker logs <container-id> to find the cause of the error.

[root@k8s-master-1 k8s]# cat init-k8s.yaml     #### modified from: kubeadm config print init-defaults > init-k8s.yaml
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: k8s-master-1
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.15.0
clusterName: kubernetes
imageRepository: reg.harbar.com/base
certificatesDir: /etc/kubernetes/pki
controlPlaneEndpoint: "127.0.0.1:8443"
# certSANs and timeoutForControlPlane belong under one apiServer key; a top-level key may not be repeated
apiServer:
  timeoutForControlPlane: 4m0s
  certSANs:
  - "192.158.13.69"
  - "192.158.13.114"
  - "192.158.13.97"
  - "127.0.0.1"
  - "k8s-master-1"
  - "k8s-master-2"
  - "k8s-master-3"
controllerManager: {}
scheduler: {}
dns:
  type: CoreDNS
etcd:
  external:
    endpoints:
    - https://192.158.13.69:2379
    - https://192.158.13.114:2379
    - https://192.158.13.97:2379
    caFile: /etc/kubernetes/pki/etcd/ca.crt
    certFile: /etc/kubernetes/pki/apiserver-etcd-client.crt
    keyFile: /etc/kubernetes/pki/apiserver-etcd-client.key
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12




Other masters and nodes
If there are leftovers from an earlier attempt, run kubeadm reset first,
then run:
kubeadm join 127.0.0.1:8443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:6dc4aeb0a3caec8c6838d90651abacf9d6c5400212d2e8d5bcffxxxxxx --ignore-preflight-errors=all



Reference: https://github.com/cby-chen/Kubernetes/blob/main/kubeadm-install-IPV6-IPV4.md

Last edited by 小天天 (2022-08-14 18:11:22)

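The config above keeps the token that kubeadm config print init-defaults writes (abcdef.0123456789abcdef). That token, plus the CA hash, is all a host needs to join the cluster, so it should be replaced before init and should keep a finite ttl. The script below is an added example, not part of the post: it audits the bootstrapTokens section of a kubeadm config file and generates a replacement token in the format kubeadm accepts. It assumes only POSIX sh, sed, grep and /dev/urandom; the config fragment it checks is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the forum post): audit bootstrap-token settings of a kubeadm
# InitConfiguration before running `kubeadm init`.

# Value written by `kubeadm config print init-defaults`; it is public, so leaving it in
# place lets any host that can reach the control-plane endpoint join as a node.
DEFAULT_TOKEN='abcdef.0123456789abcdef'

# check_init_config FILE -> prints one FINDING line per problem; returns 0 if clean, 1 otherwise
check_init_config() {
  findings=0
  # "token:" lines may sit under "- groups:" (indented) or directly after "- "
  for t in $(sed -n 's/^[-[:space:]]*token:[[:space:]]*//p' "$1"); do
    if [ "$t" = "$DEFAULT_TOKEN" ]; then
      echo "FINDING: token is the well-known init-defaults value $DEFAULT_TOKEN"
      findings=$((findings + 1))
    elif ! printf '%s\n' "$t" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'; then
      echo "FINDING: token '$t' is not of the form [a-z0-9]{6}.[a-z0-9]{16}"
      findings=$((findings + 1))
    fi
  done
  # a ttl of 0 (0s, 0h0m0s) means the bootstrap token never expires
  if grep -Eq '^[[:space:]]*ttl:[[:space:]]*0(s|h0m0s)?[[:space:]]*$' "$1"; then
    echo "FINDING: ttl is 0, the bootstrap token never expires"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# gen_bootstrap_token -> prints a fresh token in the format kubeadm requires
# (`kubeadm token generate` does the same on a host that has kubeadm installed)
gen_bootstrap_token() {
  a=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 6)
  b=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 16)
  printf '%s.%s\n' "$a" "$b"
}

# Demo on a constructed fragment that mirrors the bootstrapTokens block of the post
demo() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
kind: InitConfiguration
EOF
  echo "== as copied from init-defaults =="
  check_init_config "$f" || echo "-> replace the token before running kubeadm init"
  fresh=$(gen_bootstrap_token)
  sed "s/abcdef.0123456789abcdef/$fresh/" "$f" >"$f.new" && mv "$f.new" "$f"
  echo "== with a generated token =="
  check_init_config "$f" && echo "-> ok"
  rm -f "$f"
}
demo
```

Run it against the real init-k8s.yaml with check_init_config init-k8s.yaml; a non-zero exit means the file should not be used as-is.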

#2 2022-08-14 18:00:25

小天天
Moderator
Registered: 2019-09-29
Posts: 886

Re: Building a cluster with kubeadm

Certificate problem I ran into: the IPs listed in the JSON have to be passed again when running gencert.

cfssl gencert \
-ca=ca.crt \
-ca-key=ca.key \
-config=ca-config.json \
-hostname=localhost,127.0.0.1,192.158.13.69,192.158.13.114,192.158.13.97,k8s-master-1,k8s-master-2,k8s-master-3 \
-profile=www server-csr.json | cfssljson -bare server

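Added example, not from the post: the SAN requirement above can be confirmed on the certificate cfssl actually produced, and the same openssl tooling computes the CA public-key hash that the join command in the first post passes as --discovery-token-ca-cert-hash (shown truncated there). The functions assume openssl on PATH; the certificate they examine is a constructed self-signed stand-in that deliberately carries only part of the host list, so the check has something to report.

```shell
#!/bin/sh
# Added example (not from the forum post): verify the SANs of an issued certificate and
# compute the CA public-key hash that `kubeadm join --discovery-token-ca-cert-hash` pins.
# Assumes openssl is installed; the sample certificate below is self-signed and constructed.

# ca_cert_hash CERT -> sha256 hex of the DER-encoded SubjectPublicKeyInfo, i.e. the value
# that follows "sha256:" in --discovery-token-ca-cert-hash (formula from the kubeadm docs)
ca_cert_hash() {
  openssl x509 -pubkey -noout -in "$1" \
    | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 \
    | sed 's/^.* //'
}

# cert_sans CERT -> one SAN per line, e.g. "DNS:k8s-master-1" or "IP Address:127.0.0.1"
cert_sans() {
  openssl x509 -noout -text -in "$1" \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# check_cert_sans CERT HOST... -> prints missing hosts; returns 0 only if all are present
check_cert_sans() {
  cert=$1; shift
  sans=$(cert_sans "$cert")
  missing=0
  for h in "$@"; do
    if ! printf '%s\n' "$sans" | grep -Fxq -e "DNS:$h" -e "IP Address:$h"; then
      echo "MISSING SAN: $h"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# make_sample_cert DIR -> constructed self-signed stand-in for the cfssl-issued server cert,
# issued with only part of the -hostname list from the post
make_sample_cert() {
  cat >"$1/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = kube-apiserver
[v3]
subjectAltName = DNS:localhost,IP:127.0.0.1,IP:192.158.13.69,DNS:k8s-master-1
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/san.cnf" \
    -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

d=$(mktemp -d)
make_sample_cert "$d"
echo "CA hash for kubeadm join: sha256:$(ca_cert_hash "$d/server.crt")"
check_cert_sans "$d/server.crt" localhost 127.0.0.1 192.158.13.69 k8s-master-1 \
  192.158.13.114 192.158.13.97 k8s-master-2 k8s-master-3 \
  || echo "-> reissue the certificate with the full -hostname list"
rm -rf "$d"
```

On a real control plane, ca_cert_hash /etc/kubernetes/pki/ca.crt yields the hash to put in the join command, and check_cert_sans server.pem <every IP and name the API server is reached by> confirms the cfssl output before it is installed.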

#3 2022-08-17 22:45:51

小天天
Moderator
Registered: 2019-09-29
Posts: 886

Re: Building a cluster with kubeadm

kube-proxy reports an authentication failure: Failed to list *v1.Service: Unauthorized

The reason for the failure: the secret generated for the serviceaccount and stored in etcd belongs to the old master's CA, while the new master's CA has changed, so authentication fails.

Fix:

1. Delete all existing serviceaccounts of kube-proxy and coredns

kubectl get sa -n kube-system | grep -E "kube-proxy|coredns" | awk '{print "kubectl delete sa",$1,"-n kube-system"}' | /bin/bash

2. Re-initialise the master so that K8S automatically generates a serviceaccount and secret matching the CA; that secret is what kube-proxy authenticates with.

yes | kubeadm reset

kubeadm init --config <yourconfig.yaml>

3. Delete all old flannel resources

kubectl delete -f <kube-flannel.yaml>

4. Recreate flannel

kubectl apply -f <kube-flannel.yaml>

5. Reset the other nodes again and join them again

yes | kubeadm reset

kubeadm join <API_HA_IP:6443> --token <TOKEN> --discovery-token-ca-cert-hash <CERT-HASH>

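Added example, not from the post, that reproduces the failure mode behind the Unauthorized error offline: kubeadm-issued service-account tokens are RS256 JWTs signed with the control plane's service-account key (sa.key) and verified by the API server with sa.pub, so a token minted before a reset/init that regenerated /etc/kubernetes/pki is rejected afterwards, which is exactly what step 2 above repairs by re-issuing the secrets. The script assumes openssl; the two key pairs and the token payload are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the forum post): mint and verify RS256 JWTs with openssl to show
# why a service-account token from before a control-plane re-init is rejected afterwards.
# Assumes openssl; keys and payload are constructed here, nothing is read from a cluster.

b64url_enc() { openssl base64 -A | tr -- '+/' '-_' | tr -d '='; }

b64url_dec() {
  local s
  s=$(tr -- '-_' '+/')
  # restore the padding that base64url strips
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# mint_jwt KEY.pem PAYLOAD_JSON -> prints a compact RS256 JWT signed with KEY
mint_jwt() {
  local header payload sig
  header=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_enc)
  payload=$(printf '%s' "$2" | b64url_enc)
  sig=$(printf '%s' "$header.$payload" | openssl dgst -sha256 -sign "$1" | b64url_enc)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# verify_jwt PUB.pem TOKEN -> 0 if the signature checks out under PUB, 1 otherwise
verify_jwt() {
  local signing_input sig sigfile rc
  signing_input=${2%.*}
  sig=${2##*.}
  sigfile=$(mktemp)
  printf '%s' "$sig" | b64url_dec >"$sigfile"
  printf '%s' "$signing_input" | openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1
  rc=$?
  rm -f "$sigfile"
  return $rc
}

# jwt_claims TOKEN -> decoded payload, useful when inspecting a token pulled from a SA secret
jwt_claims() {
  local p
  p=${1#*.}
  printf '%s' "${p%.*}" | b64url_dec
  echo
}

# simulate_control_plane_reinit -> "old=OK new=FAIL": a token issued under old-sa.key is
# valid against old-sa.pub but rejected by a control plane that now holds new-sa.pub
simulate_control_plane_reinit() {
  local d tok old new
  d=$(mktemp -d)
  for name in old new; do
    openssl genrsa -out "$d/$name-sa.key" 2048 2>/dev/null
    openssl rsa -in "$d/$name-sa.key" -pubout -out "$d/$name-sa.pub" 2>/dev/null
  done
  tok=$(mint_jwt "$d/old-sa.key" \
    '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:kube-system:kube-proxy"}')
  if verify_jwt "$d/old-sa.pub" "$tok"; then old=OK; else old=FAIL; fi
  if verify_jwt "$d/new-sa.pub" "$tok"; then new=OK; else new=FAIL; fi
  rm -rf "$d"
  printf 'old=%s new=%s\n' "$old" "$new"
}

simulate_control_plane_reinit
```

To triage a real cluster, extract the token from the kube-proxy secret and run verify_jwt /etc/kubernetes/pki/sa.pub "$token": a failure confirms that the secrets predate the current signing key and must be regenerated, while a pass points the investigation elsewhere.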