It comes down to two commands:
init and join
[root@k8s-master-1 k8s]# kubeadm init --config init-k8s.yaml --upload-certs --ignore-preflight-errors=all
If it fails: docker ps | grep -v pause to find which container is the cause
Then: docker logs container-id to check the reason for the error
[root@k8s-master-1 k8s]# cat init-k8s.yaml   #### modified from kubeadm config print init-defaults > init-k8s.yaml
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: k8s-master-1
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
# certSANs belong in the same apiServer block as timeoutForControlPlane;
# listing apiServer twice is a duplicate YAML key and the second copy wins.
apiServer:
  timeoutForControlPlane: 4m0s
  certSANs:
  - "192.158.13.69"
  - "192.158.13.114"
  - "192.158.13.97"
  - "127.0.0.1"
  - "k8s-master-1"
  - "k8s-master-2"
  - "k8s-master-3"
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  external:
    endpoints:
    - https://192.158.13.69:2379
    - https://192.158.13.114:2379
    - https://192.158.13.97:2379
    caFile: /etc/kubernetes/pki/etcd/ca.crt
    certFile: /etc/kubernetes/pki/apiserver-etcd-client.crt
    keyFile: /etc/kubernetes/pki/apiserver-etcd-client.key
kind: ClusterConfiguration
kubernetesVersion: v1.15.0
imageRepository: reg.harbar.com/base
controlPlaneEndpoint: "127.0.0.1:8443"
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}
Other masters and nodes
If there is residue from an earlier install, first run: kubeadm reset
Then run
kubeadm join 127.0.0.1:8443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:6dc4aeb0a3caec8c6838d90651abacf9d6c5400212d2e8d5bcffxxxxxx --ignore-preflight-errors=all
Reference: https://github.com/cby-chen/Kubernetes/blob/main/kubeadm-install-IPV6-IPV4.md
Last edited by 小天天 (2022-08-14 18:11:22)
Certificate problem I ran into: the IPs in the JSON have to be added again at gencert time
cfssl gencert \
-ca=ca.crt \
-ca-key=ca.key \
-config=ca-config.json \
-hostname=localhost,127.0.0.1,192.158.13.69,192.158.13.114,192.158.13.97,k8s-master-1,k8s-master-2,k8s-master-3 \
-profile=www server-csr.json | cfssljson -bare server
kube-proxy reports an authentication failure: Failed to list *v1.Service: Unauthorized
The reason for the failure: the secret generated for the serviceaccount and stored in etcd carries the old master's CA, while the new master's CA has changed, so authentication fails
Fix:
1. Delete all existing kube-proxy and coredns serviceaccounts
kubectl get sa -n kube-system|grep -E "kube-proxy|coredns"|awk '{print "kubectl delete sa",$1,"-n kube-system"}'|/bin/bash
2. Re-initialize the master so that K8S automatically generates serviceaccounts and secrets that match the CA; that secret is what kube-proxy authenticates with.
yes|kubeadm reset
kubeadm init --config <yourconfig.yaml>
3. Delete all old flannel resources
kubectl delete -f <kube-flannel.yaml>
4. Recreate flannel
kubectl apply -f <kube-flannel.yaml>
5. Reset the other nodes again and re-join them
yes|kubeadm reset
kubeadm join <API_HA_IP:6443> --token <TOKEN> --discovery-token-ca-cert-hash <CERT-HASH>
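As an added example (not part of the post above), a shell check for the stale-CA state the post describes: it compares the ca.crt stored in the kube-proxy and coredns token secrets with the control plane's current CA, so you can confirm the mismatch before deleting serviceaccounts. It assumes kubectl access, the default /etc/kubernetes/pki/ca.crt path, and the default `<sa>-token-*` secret naming; those are assumptions, not something the post states.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Detects service-account token
# secrets in kube-system whose embedded ca.crt is not the CA the current
# control plane uses (the state that makes kube-proxy fail with Unauthorized).
set -u

# sha256 fingerprint of a PEM file, ignoring whitespace/line-ending differences.
ca_fingerprint() {
    tr -d ' \t\r\n' < "$1" | sha256sum | cut -d' ' -f1
}

# Exit status 0 if the two PEM bundles are the same CA, 1 otherwise.
ca_matches() {
    [ "$(ca_fingerprint "$1")" = "$(ca_fingerprint "$2")" ]
}

# Write the ca.crt held in a service-account token secret to a file.
# Assumes kubectl is configured; args: secret name, namespace, output path.
secret_ca_to_file() {
    kubectl get secret "$1" -n "$2" -o jsonpath='{.data.ca\.crt}' | base64 -d > "$3"
}

# Compare every kube-proxy/coredns token secret against the cluster CA.
# Assumed default CA path; the secret-name pattern is also an assumption.
check_kube_system_sa_cas() {
    cluster_ca="${1:-/etc/kubernetes/pki/ca.crt}"
    rc=0
    for secret in $(kubectl get secret -n kube-system -o name | grep -E 'kube-proxy-token|coredns-token'); do
        tmp=$(mktemp)
        secret_ca_to_file "${secret#secret/}" kube-system "$tmp"
        if ca_matches "$cluster_ca" "$tmp"; then
            echo "OK       $secret"
        else
            echo "MISMATCH $secret: embedded CA differs from $cluster_ca (recreate the SA)"
            rc=1
        fi
        rm -f "$tmp"
    done
    return $rc
}
```

Run `check_kube_system_sa_cas` on the re-initialized master; any MISMATCH line identifies a secret minted against the old CA.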