Installing Kubernetes v1.21.1 with kubeadm
# For high availability of the Kubernetes control-plane nodes, refer to the keepalived + haproxy installation and configuration written for v1.14.3
The init.yaml file:
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: ccf1qx.tr3s1vltq4j85cbb
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 172.23.210.22
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: test-01
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: 172.23.210.26:12567 # highly available API endpoint
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers # mirror reachable from within China
kind: ClusterConfiguration
kubernetesVersion: v1.21.0
networking:
  dnsDomain: cluster.local
  podSubnet: 172.7.0.0/16 # pod CIDR
  serviceSubnet: 10.96.0.0/12 # service CIDR
scheduler: {}

Pull the images on all control-plane nodes ahead of time. The coredns image is not available from this registry, so pull the official image from docker.io manually and retag it:
kubeadm config images pull --config=init.yaml
docker pull coredns/coredns:1.8.0
docker tag 296a6d5035e2 registry.aliyuncs.com/google_containers/coredns/coredns:v1.8.0

kubeadm init --config=init.yaml --upload-certs
...
You can now join any number of the control-plane node running the following command on each as root:
kubeadm join 172.23.210.26:12567 --token ccf1qx.tr3s1vltq4j85cbb \
--discovery-token-ca-cert-hash sha256:a94572e6aba617ebb08221a6322be1a6c23b71f78016d349b7f299d8c32d322e \
--control-plane --certificate-key 1badb0f2faec023df33cf0598f0f4052bb16fd9b116d2fea5508cfb56bdd7daa
Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 172.23.210.26:12567 --token ccf1qx.tr3s1vltq4j85cbb \
--discovery-token-ca-cert-hash sha256:a94572e6aba617ebb08221a6322be1a6c23b71f78016d349b7f299d8c32d322e
...
If the token and certificate key have already expired when a control-plane node tries to join, generate a new token and key as follows, substitute them into the join command, and try joining the cluster again:
kubeadm token list # list all tokens
kubeadm token create # create a new token
qn9c55.hs7z15ynhx40lgei # the newly generated token
kubeadm init phase upload-certs --upload-certs # refresh the certificate key
[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
f46155cffdc9e8eb7b026255881a9fd290b35607047907a4ad66dce02d421aa6
# Get the sha256 hash of the CA certificate's public key
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
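As an added example (not part of the original post), the script below computes the same CA public-key hash that kubeadm pins through --discovery-token-ca-cert-hash and checks a join command against it, so a node only bootstraps against the intended cluster CA. It assumes openssl is on PATH; the throwaway CA it generates and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH.
# kubeadm pins the cluster CA by the SHA-256 of the DER-encoded
# SubjectPublicKeyInfo of ca.crt; the join command carries that value in
# --discovery-token-ca-cert-hash. Function names are my own.
set -eu

# Print the hex SHA-256 of the CA's DER SubjectPublicKeyInfo.
# 'openssl pkey' replaces the post's 'openssl rsa' so ECDSA CAs work too.
ca_cert_hash() {
  openssl x509 -pubkey -noout -in "$1" \
    | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# Extract the pinned hash from a kubeadm join command line (empty if absent).
hash_from_join_cmd() {
  printf '%s\n' "$1" \
    | sed -n 's/.*--discovery-token-ca-cert-hash sha256:\([0-9a-f]\{64\}\).*/\1/p'
}

# Return 0 when the hash in the join command matches the CA at $1, else 1.
verify_join_cmd() {
  expected="$(hash_from_join_cmd "$2")"
  [ -n "$expected" ] || return 1
  [ "$(ca_cert_hash "$1")" = "$expected" ]
}

# Constructed throwaway CA for the demo; on a real control-plane node
# point ca_cert_hash at /etc/kubernetes/pki/ca.crt instead.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kubernetes" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

demo() {
  dir="$(mktemp -d)"
  make_demo_ca "$dir"
  h="$(ca_cert_hash "$dir/ca.crt")"
  good="kubeadm join 172.23.210.26:12567 --token ccf1qx.tr3s1vltq4j85cbb --discovery-token-ca-cert-hash sha256:$h"
  bad="kubeadm join 172.23.210.26:12567 --token ccf1qx.tr3s1vltq4j85cbb --discovery-token-ca-cert-hash sha256:$(printf '%064d' 0)"
  verify_join_cmd "$dir/ca.crt" "$good" && echo "join command pins this CA: sha256:$h"
  verify_join_cmd "$dir/ca.crt" "$bad" || echo "hash mismatch: do not run this join command"
  rm -rf "$dir"
}

demo
```

A mismatch means the join command was produced for a different CA than the one on the node you are verifying against, which is exactly the case the pin exists to reject.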