[zh] sync v1.24 kubeadm-24

pull/33897/head
huangminjie 2022-05-23 21:04:48 +08:00
parent c0cf43b1fe
commit 4c52949427
3 changed files with 229 additions and 91 deletions

View File

@ -166,13 +166,8 @@ Kubeadm 在启动 init 之前执行一组预检,目的是验证先决条件并
- Kubernetes system requirements:
- if running on linux:
- [error] if Kernel is older than the minimum required version
- [error] if required cgroups subsystem aren't in set up
- if using docker:
- [warning/error] if Docker service does not exist, if it is disabled, if it is not active.
- [error] if Docker endpoint does not exist or does not work
- [warning] if docker version is not in the list of validated docker versions
- If using other cri engine:
- [error] if crictl socket does not answer
- [error] if required cgroups subsystem aren't set up
- [error] if the CRI endpoint does not answer
-->
- [警告] 如果要使用的 Kubernetes 版本(由 `--kubernetes-version` 标志指定)比 kubeadm CLI
版本至少高一个小版本。
@ -180,12 +175,7 @@ Kubeadm 在启动 init 之前执行一组预检,目的是验证先决条件并
- 如果在 linux上运行
- [错误] 如果内核早于最低要求的版本
- [错误] 如果未设置所需的 cgroups 子系统
- 如果使用 docker
- [警告/错误] 如果 Docker 服务不存在、被禁用或未激活。
- [错误] 如果 Docker 端点不存在或不起作用
- [警告] 如果 docker 版本不在经过验证的 docker 版本列表中
- 如果使用其他 cri 引擎:
- [错误] 如果 crictl 套接字未应答
- [错误] 如果 CRI 端点未应答
<!--
- [error] if user is not root
- [error] if the machine hostname is not a valid DNS subdomain
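Review bot: The context line 如果在 linux上运行 at the top of this list writes "linux" in lower case and without a space before 上, while the join preflight list in this same file writes Linux 特定的. Since the surrounding bullets are being reworked here anyway, change it to 如果在 Linux 上运行.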
@ -745,18 +735,20 @@ As soon as the control plane is available, kubeadm executes following actions:
一旦控制平面可用kubeadm 将执行以下操作:
<!--
- Labels the node as control-plane with `node-role.kubernetes.io/master=""`
- Taints the node with `node-role.kubernetes.io/master:NoSchedule`
- Labels the node as control-plane with `node-role.kubernetes.io/control-plane=""`
- Taints the node with `node-role.kubernetes.io/master:NoSchedule` and `node-role.kubernetes.io/control-plane:NoSchedule`
-->
- 给节点打上 `node-role.kubernetes.io/master=""` 标签,标记其为控制平面
- 给节点打上 `node-role.kubernetes.io/master:NoSchedule` 污点
- 给节点打上 `node-role.kubernetes.io/control-plane=""` 标签,标记其为控制平面
- 给节点打上 `node-role.kubernetes.io/master:NoSchedule` `node-role.kubernetes.io/control-plane:NoSchedule` 污点
<!-- Please note that: -->
请注意:
<!--
1. The `node-role.kubernetes.io/master` taint is deprecated and will be removed in kubeadm version 1.25
1. Mark control-plane phase can be invoked individually with the [`kubeadm init phase mark-control-plane`](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-mark-control-plane) command
-->
1. `node-role.kubernetes.io/master` 污点是已废弃的,将会在 kubeadm 1.25 版本中移除
1. 可以使用 [`kubeadm init phase mark-control-plane`](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-mark-control-plane)
命令单独触发控制平面标记
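Review bot: The new note 污点是已废弃的 translates "deprecated" as 已废弃, whereas the other translations in this commit use 已弃用 (已弃用的 API 版本, 已被弃用). Use one term throughout, for example `node-role.kubernetes.io/master` 污点已被弃用, so that readers searching for deprecation notices before the 1.25 removal find all of them.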
@ -1026,14 +1018,12 @@ cluster startup problems.
<!--
1. `kubeadm join` preflight checks are basically a subset `kubeadm init` preflight checks
1. Starting from 1.9, kubeadm provides better support for CRI-generic functionality; in that case, docker specific controls
are skipped or replaced by similar controls for crictl.
1. Starting from 1.24, kubeadm uses crictl to communicate to all known CRI endpoints.
1. Starting from 1.9, kubeadm provides support for joining nodes running on Windows; in that case, linux specific controls are skipped.
1. In any case the user can skip specific preflight checks (or eventually all preflight checks) with the `--ignore-preflight-errors` option.
-->
1. `kubeadm join` 预检基本上是 `kubeadm init` 预检的一个子集
2. 从 1.9 开始kubeadm 为 CRI 通用的功能提供了更好的支持;在这种情况下,
Docker 特定的控制参数将跳过或替换为 crictl 中与之相似的控制参数。
2. 从 1.24 开始kubeadm 使用 crictl 与所有已知的 CRI 端点进行通信。
3. 从 1.9 开始kubeadm 支持加入在 Windows 上运行的节点;在这种情况下,
将跳过 Linux 特定的控制参数。
4. 在任何情况下,用户都可以通过 `--ignore-preflight-errors` 选项跳过
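Review bot: Item 3 still renders "linux specific controls are skipped" as 将跳过 Linux 特定的控制参数, which reads as "control parameters". In this list "controls" means preflight checks, and the item with the same wording about Docker is being dropped in this hunk, so this is a good point to change the remaining one to 将跳过 Linux 特定的检查.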

View File

@ -8,53 +8,59 @@ weight: 50
<!--
During `kubeadm init`, kubeadm uploads the `ClusterConfiguration` object to your cluster
in a ConfigMap called `kubeadm-config` in the `kube-system` namespace. This configuration is then read during
`kubeadm join`, `kubeadm reset` and `kubeadm upgrade`. To view this ConfigMap call `kubeadm config view`.
`kubeadm join`, `kubeadm reset` and `kubeadm upgrade`.
-->
`kubeadm init` 执行期间kubeadm 将 `ClusterConfiguration` 对象上传
到你的集群的 `kube-system` 名字空间下名为 `kubeadm-config` 的 ConfigMap 对象中。
然后在 `kubeadm join`、`kubeadm reset` 和 `kubeadm upgrade` 执行期间读取此配置。
要查看此 ConfigMap请调用 `kubeadm config view`
<!--
You can use `kubeadm config print` to print the default configuration and `kubeadm config migrate` to
convert your old configuration files to a newer version. `kubeadm config images list` and
`kubeadm config images pull` can be used to list and pull the images that kubeadm requires.
You can use `kubeadm config print` to print the default static configuration that kubeadm
uses for `kubeadm init` and `kubeadm join`.
-->
你可以使用 `kubeadm config print` 命令打印默认配置,
并使用 `kubeadm config migrate` 命令将旧版本的配置转化成新版本。
`kubeadm config images list``kubeadm config images pull`
命令可以用来列出并拉取 kubeadm 所需的镜像。
你可以使用 `kubeadm config print` 命令打印默认静态配置,
kubeadm 运行 `kubeadm init` and `kubeadm join` 时将使用此配置。
<!--
For more information navigate to
The output of the command is meant to serve as an example. You must manually edit the output
of this command to adapt to your setup. Remove the fields that you are not certain about and kubeadm
will try to default them on runtime by examining the host.
-->
{{< note >}}
此命令的输出旨在作为示例。你必须手动编辑此命令的输出来适配你的设置。
删除你不确定的字段kubeadm 将通过检查主机来尝试在运行时给它们设默认值。
{{< /note >}}
<!--
For more information on `init` and `join` navigate to
[Using kubeadm init with a configuration file](/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file)
or [Using kubeadm join with a configuration file](/docs/reference/setup-tools/kubeadm/kubeadm-join/#config-file).
-->
更多信息请浏览[使用带配置文件的 kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file)
或[使用带配置文件的 kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/#config-file).
更多有关 `init``join`信息请浏览[使用带配置文件的 kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file)
或[使用带配置文件的 kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/#config-file)
<!--
You can also configure several kubelet-configuration options with `kubeadm init`. These options will be the same on any node in your cluster.
See [Configuring each kubelet in your cluster using kubeadm](/docs/setup/production-environment/tools/kubeadm/kubelet-integration/) for details.
For more information on using the kubeadm configuration API navigate to
[Customizing components with the kubeadm API](/docs/setup/production-environment/tools/kubeadm/control-plane-flags).
-->
你也可以在使用 `kubeadm init` 命令时配置若干 kubelet 配置选项。
这些选项对于集群中所有节点而言都是相同的。
参阅[使用 kubeadm 来配置集群中的各个 kubelet](/zh/docs/setup/production-environment/tools/kubeadm/kubelet-integration/)
了解详细信息。
有关使用 kubeadm 的配置 API 的更多信息,
请浏览[使用 kubeadm API 来自定义组件](/zh/docs/setup/production-environment/tools/kubeadm/control-plane-flags)。
<!--
In Kubernetes v1.13.0 and later to list/pull kube-dns images instead of the CoreDNS image
the `--config` method described [here](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
has to be used.
You can use `kubeadm config migrate` to convert your old configuration files that contain a deprecated
API version to a newer, supported API version.
-->
在 Kubernetes v1.13.0 及更高版本中,要列出/拉取 kube-dns 镜像而不是 CoreDNS 镜像,
必须使用[这里](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
所描述的 `--config` 方法。
你可以使用 `kubeadm config migrate` 来转换旧配置文件,
把其中已弃用的 API 版本更新为受支持的 API 版本。
<!--
`kubeadm config images list` and `kubeadm config images pull` can be used to list and pull the images
that kubeadm requires.
-->
`kubeadm config images list``kubeadm config images pull` 可以用来列出和拉取 kubeadm 所需的镜像。
<!-- body -->
## kubeadm config upload from-file {#cmd-config-from-file}
## kubeadm config print{#cmd-config-view}
## kubeadm config print {#cmd-config-print}
{{< include "generated/kubeadm_config_print.md" >}}
## kubeadm config print init-defaults {#cmd-config-print-init-defaults}
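Review bot: The new Chinese sentence for `kubeadm config print` still contains the English word "and" (运行 `kubeadm init` and `kubeadm join` 时将使用此配置). Replace it with 和 so the sentence is fully translated.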

View File

@ -207,6 +207,13 @@ What this example would do is write the manifest files for the control plane and
这允许你修改文件,然后使用 `--skip-phases` 跳过这些阶段。
通过调用最后一个命令,你将使用自定义清单文件创建一个控制平面节点。
{{< feature-state for_k8s_version="v1.22" state="beta" >}}
<!--
Alternatively, you can use the `skipPhases` field under `InitConfiguration`.
-->
或者,你可以使用 `InitConfiguration` 下的 `skipPhases` 字段。
<!--
### Using kubeadm init with a configuration file {#config-file}
-->
@ -239,8 +246,8 @@ The default configuration can be printed out using the
If your configuration is not using the latest version it is **recommended** that you migrate using
the [kubeadm config migrate](/docs/reference/setup-tools/kubeadm/kubeadm-config/) command.
For more information on the fields and usage of the configuration you can navigate to our API reference
page and pick a version from [the list](https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#section-directories).
For more information on the fields and usage of the configuration you can navigate to our
[API reference page](/docs/reference/config-api/kubeadm-config.v1beta3/).
-->
可以使用 [kubeadm config print](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)
命令打印出默认配置。
@ -249,10 +256,119 @@ page and pick a version from [the list](https://pkg.go.dev/k8s.io/kubernetes/cmd
**推荐**使用 [kubeadm config migrate](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)
命令进行迁移。
有关配置的字段和用法的更多信息,
你可以访问 API 参考页面并从
[列表](https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#section-directories)
中选择一个版本。
关于配置的字段和用法的更多信息,你可以访问 [API 参考页面](/zh/docs/reference/config-api/kubeadm-config.v1beta3/)。
<!--
### Using kubeadm init with feature gates {#feature-gates}
-->
### 使用 kubeadm init 时设置特性门控 {#feature-gates}
<!--
Kubeadm supports a set of feature gates that are unique to kubeadm and can only be applied
during cluster creation with `kubeadm init`. These features can control the behavior
of the cluster. Feature gates are removed after a feature graduates to GA.
-->
Kubeadm 支持一组独有的特性门控,只能在 `kubeadm init` 创建集群期间使用。
这些特性可以控制集群的行为。特性门控会在毕业到 GA 后被移除。
<!--
To pass a feature gate you can either use the `--feature-gates` flag for
`kubeadm init`, or you can add items into the `featureGates` field when you pass
a [configuration file](/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-ClusterConfiguration)
using `--config`.
-->
你可以使用 `--feature-gates` 标志来为 `kubeadm init` 设置特性门控,
或者你可以在用 `--config` 传递[配置文件](/zh/docs/reference/config-api/kubeadm-config.v1beta3/#kubeadm-k8s-io-v1beta3-ClusterConfiguration)
时添加条目到 `featureGates` 字段中去。
<!--
Passing [feature gates for core Kubernetes components](/docs/reference/command-line-tools-reference/feature-gates)
directly to kubeadm is not supported. Instead, it is possible to pass them by
[Customizing components with the kubeadm API](/docs/setup/production-environment/tools/kubeadm/control-plane-flags/).
-->
直接传递 [Kubernetes 核心组件的特性门控](/zh/docs/reference/command-line-tools-reference/feature-gates)给 kubeadm 是不支持的。
相反,可以通过[使用 kubeadm API 的自定义组件](/zh/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)来传递。
<!--
List of feature gates:
-->
特性门控的列表:
{{< table caption="kubeadm feature gates" >}}
特性 | 默认值 | Alpha | Beta
:-------|:--------|:------|:-----
`PublicKeysECDSA` | `false` | 1.19 | -
`RootlessControlPlane` | `false` | 1.22 | -
`UnversionedKubeletConfigMap` | `true` | 1.22 | 1.23
{{< /table >}}
<!--
Once a feature gate goes GA it is removed from this list as its value becomes locked to `true` by default.
-->
{{< note >}}
一旦特性门控变成了 GA那它将会从这个列表中移除因为它的值会被默认锁定为 `true`
{{< /note >}}
<!--
Feature gate descriptions:
-->
特性门控的描述:
<!--
`PublicKeysECDSA`
: Can be used to create a cluster that uses ECDSA certificates instead of the default RSA algorithm.
Renewal of existing ECDSA certificates is also supported using `kubeadm certs renew`, but you cannot
switch between the RSA and ECDSA algorithms on the fly or during upgrades.
-->
`PublicKeysECDSA`
: 可用于创建集群时使用 ECDSA 证书而不是默认 RSA 算法。
支持用 `kubeadm certs renew` 更新现有 ECDSA 证书,
但你不能在集群运行期间或升级期间切换 RSA 和 ECDSA 算法。
<!--
`RootlessControlPlane`
: Setting this flag configures the kubeadm deployed control plane component static Pod containers
for `kube-apiserver`, `kube-controller-manager`, `kube-scheduler` and `etcd` to run as non-root users.
If the flag is not set, those components run as root. You can change the value of this feature gate before
you upgrade to a newer version of Kubernetes.
-->
`RootlessControlPlane`
: 设置此标志来配置 kubeadm 所部署的控制平面组件中的静态 Pod 容器
`kube-apiserver`、`kube-controller-manager`、`kube-scheduler` 和 `etcd` 以非 root 用户身份运行。
如果未设置该标志,则这些组件以 root 身份运行。
你可以在升级到更新版本的 Kubernetes 之前更改此特性门控的值。
<!--
`UnversionedKubeletConfigMap`
: This flag controls the name of the {{< glossary_tooltip text="ConfigMap" term_id="configmap" >}} where kubeadm stores
kubelet configuration data. With this flag not specified or set to `true`, the ConfigMap is named `kubelet-config`.
If you set this flag to `false`, the name of the ConfigMap includes the major and minor version for Kubernetes
(for example: `kubelet-config-{{< skew currentVersion >}}`). Kubeadm ensures that RBAC rules for reading and writing
that ConfigMap are appropriate for the value you set. When kubeadm writes this ConfigMap (during `kubeadm init`
or `kubeadm upgrade apply`), kubeadm respects the value of `UnversionedKubeletConfigMap`. When reading that ConfigMap
(during `kubeadm join`, `kubeadm reset`, `kubeadm upgrade ...`), kubeadm attempts to use unversioned ConfigMap name first;
if that does not succeed, kubeadm falls back to using the legacy (versioned) name for that ConfigMap.
-->
`UnversionedKubeletConfigMap`
: 此标志控制 kubeadm 存储 kubelet 配置数据的 {{<glossary_tooltip text="ConfigMap" term_id="configmap" >}} 的名称。
在未指定此标志或设置为 `true` 的情况下,此 ConfigMap 被命名为 `kubelet-config`
如果将此标志设置为 `false`,则此 ConfigMap 的名称会包括 Kubernetes 的主要版本和次要版本(例如:`kubelet-config-{{< skew currentVersion >}}`)。
Kubeadm 会确保用于读写 ConfigMap 的 RBAC 规则适合你设置的值。
当 kubeadm 写入此 ConfigMap 时(在 `kubeadm init``kubeadm upgrade apply` 期间),
kubeadm 根据 `UnversionedKubeletConfigMap` 的设置值来执行操作。
当读取此 ConfigMap 时(在 `kubeadm join`、`kubeadm reset`、`kubeadm upgrade ...` 期间),
kubeadm 尝试首先使用无版本(后缀)的 ConfigMap 名称;
如果不成功kubeadm 将回退到使用该 ConfigMap 的旧(带版本号的)名称。
<!--
Setting `UnversionedKubeletConfigMap` to `false` is supported but **deprecated**.
-->
{{< note >}}
设置 `UnversionedKubeletConfigMap``false` 是被支持的特性,但该特性**已被弃用**。
{{< /note >}}
<!--
### Adding kube-proxy parameters {#kube-proxy}
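Review bot: The link text 使用 kubeadm API 的自定义组件 in the paragraph about core component feature gates reads as "custom components of the kubeadm API" and differs from 使用 kubeadm API 来自定义组件, which this commit uses elsewhere for the same link target (`control-plane-flags`). Use the latter here as well. The table shortcode also keeps `caption="kubeadm feature gates"` in English while the header row is translated; translate the caption or confirm that leaving it in English is intended.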
@ -285,6 +401,37 @@ For information about passing flags to control plane components see:
有关向控制平面组件传递命令行参数的说明请查看:
[控制平面命令行参数](/zh/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)
<!--
### Running kubeadm without an Internet connection {#without-internet-connection}
-->
### 在没有互联网连接的情况下运行 kubeadm {#without-internet-connection}
<!--
For running kubeadm without an internet connection you have to pre-pull the required control-plane images.
-->
要在没有互联网连接的情况下运行 kubeadm你必须提前拉取所需的控制平面镜像。
<!--
You can list and pull the images using the `kubeadm config images` sub-command:
-->
你可以使用 `kubeadm config images` 子命令列出并拉取镜像:
```shell
kubeadm config images list
kubeadm config images pull
```
<!--
You can pass `--config` to the above commands with a [kubeadm configuration file](#config-file)
to control the `kubernetesVersion` and `imageRepository` fields.
-->
你可以通过 `--config` 把 [kubeadm 配置文件](#config-file) 传递给上述命令来控制 `kubernetesVersion``imageRepository` 字段。
<!--
All default `k8s.gcr.io` images that kubeadm requires support multiple architectures.
-->
kubeadm 需要的所有默认 `k8s.gcr.io` 镜像都支持多种硬件体系结构。
<!--
### Using custom images {#custom-images}
-->
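Review bot: The last sentence of the relocated offline section translates "multiple architectures" as 多种硬件体系结构, while the copy of this section removed further down in the same file used 多种架构. Keep 架构 unless the longer term is an agreed glossary change, so the move does not also alter terminology.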
@ -306,23 +453,44 @@ You can override this behavior by using [kubeadm with a configuration file](#con
<!--
Allowed customization are:
* To provide `kubernetesVersion` which affects the version of the images.
* To provide an alternative `imageRepository` to be used instead of
`k8s.gcr.io`.
* To set `useHyperKubeImage` to `true` to use the HyperKube image.
* To provide a specific `imageRepository` and `imageTag` for etcd or DNS add-on.
* To provide a specific `imageRepository` and `imageTag` for etcd or CoreDNS.
-->
允许的自定义功能有:
* 提供影响镜像版本的 `kubernetesVersion`
* 使用其他的 `imageRepository` 来代替 `k8s.gcr.io`
* 将 `useHyperKubeImage` 设置为 `true`,使用 HyperKube 镜像。
* 为 etcd 或 DNS 附件提供特定的 `imageRepository``imageTag`
* 为 etcd 或 CoreDNS 提供特定的 `imageRepository``imageTag`
<!--
Please note that the configuration field `kubernetesVersion` or the command line flag
`-kubernetes-version` affect the version of the images.
`imageRepository` may differ for backwards compatibility reasons. For example,
one image might have a subpath at `k8s.gcr.io/subpath/image`, but be defaulted
to `my.customrepository.io/image` when using a custom repository.
-->
请注意配置文件中的配置项 `kubernetesVersion` 或者命令行参数 `--kubernetes-version`
会影响到镜像的版本。
由于向后兼容的原因,`imageRepository` 可能会有所不同。
例如,某镜像的子路径可能是 `k8s.gcr.io/subpath/image`
但使用自定义仓库时默认为 `my.customrepository.io/image`
<!--
To ensure you push the images to your custom repository in paths that kubeadm
can consume, you must:
-->
确保将镜像推送到 kubeadm 可以使用的自定义仓库的路径中,你必须:
<!--
* Pull images from the defaults paths at `k8s.gcr.io` using `kubeadm config images {list|pull}`.
* Push images to the paths from `kubeadm config images list --config=config.yaml`,
where `config.yaml` contains the custom `imageRepository`, and/or `imageTag`
for etcd and CoreDNS.
* Pass the same `config.yaml` to `kubeadm init`.
-->
* 使用 `kubeadm config images {list|pull}``k8s.gcr.io` 的默认路径中拉取镜像。
* 将镜像推送到 `kubeadm config images list --config=config.yaml` 的路径,
其中 `config.yaml` 包含自定义的 `imageRepository` 和/或用于 etcd 和 CoreDNS 的 `imageTag`
* 将相同的 `config.yaml` 传递给 `kubeadm init`
<!--
### Uploading control-plane certificates to the cluster
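Review bot: In the second bullet of the new push procedure, 将镜像推送到 `kubeadm config images list --config=config.yaml` 的路径 can be read as the path of the command itself, whereas the English says "the paths from" that command, meaning the image paths it prints. Suggest 推送到 `kubeadm config images list --config=config.yaml` 所列出的路径, since this is the step that decides whether kubeadm can consume the mirrored images. The lead-in 确保将镜像推送到 ... 你必须 would also carry "To ensure" better with a leading 要.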
@ -425,32 +593,6 @@ value to the kubelet.
[`--hostname-override`](/zh/docs/reference/command-line-tools-reference/kubelet/#options)
值传递给 kubelet。
<!--
### Running kubeadm without an internet connection
-->
### 在没有互联网连接的情况下运行 kubeadm
<!--
For running kubeadm without an internet connection you have to pre-pull the required control-plane images.
-->
要在没有互联网连接的情况下运行 kubeadm你必须提前拉取所需的控制平面镜像。
<!--
You can list and pull the images using the `kubeadm config images` sub-command:
-->
你可以使用 `kubeadm config images` 子命令列出并拉取镜像:
```shell
kubeadm config images list
kubeadm config images pull
```
<!--
All images that kubeadm requires such as `k8s.gcr.io/kube-*`, `k8s.gcr.io/etcd` and `k8s.gcr.io/pause` support multiple architectures.
-->
kubeadm 需要的所有镜像,例如 `k8s.gcr.io/kube-*`、`k8s.gcr.io/etcd` 和 `k8s.gcr.io/pause`
都支持多种架构。
<!--
### Automating kubeadm
-->