sync changes in docs/reference/setup-tools/kubeadm/ directory

pull/25275/head
Hao Yuan 2020-11-27 17:10:42 +08:00
parent 32cf18ecd2
commit 679b45e2c2
11 changed files with 436 additions and 268 deletions

View File

@ -23,13 +23,25 @@ weight: 90
`kubeadm alpha` 提供了一组可用于收集社区反馈的功能的预览。请尝试一下这些功能并给我们反馈!
{{< /caution >}}
## kubeadm alpha certs {#cmd-certs}
<!-- A collection of operations for operating Kubernetes certificates. -->
Kubernetes 证书的操作集合。
{{< tabs name="tab-certs" >}}
{{< tab name="overview" include="generated/kubeadm_alpha_certs.md" />}}
{{< /tabs >}}
## kubeadm alpha certs renew {#cmd-certs-renew}
<!--
You can renew all Kubernetes certificates using the `all` subcommand or renew them selectively.
For more details about certificate expiration and renewal see the [certificate management documentation](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/).
-->
使用 `all` 子命令来更新所有 Kubernetes 证书或有选择性地更新它们。有关证书到期和续订的更多详细信息,请参见[证书管理文档](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)。
使用 `all` 子命令来更新所有 Kubernetes 证书或有选择性地更新它们。
有关证书到期和续订的更多详细信息,
请参见[证书管理文档](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)。
{{< tabs name="tab-certs-renew" >}}
{{< tab name="renew" include="generated/kubeadm_alpha_certs_renew.md" />}}
@ -53,19 +65,34 @@ This command can be used to generate a new control-plane certificate key.
The key can be passed as `--certificate-key` to `kubeadm init` and `kubeadm join`
to enable the automatic copy of certificates when joining additional control-plane nodes.
-->
该命令可用于生成新的控制平面证书密钥。密钥可以作为 `--certificate-key` 参数传递给 `kubeadm init``kubeadm join` 操作,以在加入其他控制平面节点时启用证书的自动复制。
该命令可用于生成新的控制平面证书密钥。
密钥可以作为 `--certificate-key` 参数传递给 `kubeadm init``kubeadm join` 操作,
以在加入其他控制平面节点时启用证书的自动复制。
{{< tabs name="tab-certs-certificate-key" >}}
{{< tab name="certificate-key" include="generated/kubeadm_alpha_certs_certificate-key.md" />}}
{{< /tabs >}}
## kubeadm alpha certs generate-csr {#cmd-certs-generate-csr}
<!--
This command can be used to generate certificate signing requests (CSRs) which
can be submitted to a certificate authority (CA) for signing.
-->
该命令可用于生成证书签名请求CSRCSR 可以将其提交给证书颁发机构CA进行签名。
{{< tabs name="tab-certs-generate-csr" >}}
{{< tab name="certificate-generate-csr" include="generated/kubeadm_alpha_certs_generate-csr.md" />}}
{{< /tabs >}}
## kubeadm alpha certs check-expiration {#cmd-certs-check-expiration}
<!--
This command checks expiration for the certificates in the local PKI managed by kubeadm.
For more details about certificate expiration and renewal see the [certificate management documentation](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/).
-->
此命令检查 kubeadm 管理的本地 PKI 中证书的到期时间。有关证书到期和续订的更多详细信息,请参见[证书管理文档](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)。
此命令检查 kubeadm 管理的本地 PKI 中证书的到期时间。
有关证书到期和续订的更多详细信息,请参见[证书管理文档](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)。
{{< tabs name="tab-certs-check-expiration" >}}
{{< tab name="check-expiration" include="generated/kubeadm_alpha_certs_check-expiration.md" />}}
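Review bot: the `check-expiration` paragraph keeps the English-site path while the rest of this file is being switched to the zh prefix: L58 still links `/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/`, but the identical link in the `certs renew` paragraph above was changed to `/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/` (L28). Use the `/zh/docs/...` form here as well so the localized page does not send readers to the English task page.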
@ -101,7 +128,7 @@ Use the following command to enable the DynamicKubeletConfiguration feature.
<!--
The subcommand `pivot` can be used to convert a static Pod-hosted control plane into a self-hosted one.
-->
子命令 `pivot` 可用于将 Pod 托管的静态控制平面转换为自托管的控制平面。有关 `pivot` 更多信息,请参见[文档](/docs/setup/production-environment/tools/kubeadm/self-hosting/)。
子命令 `pivot` 可用于将 Pod 托管的静态控制平面转换为自托管的控制平面。有关 `pivot` 更多信息,请参见[文档](zh/docs/setup/production-environment/tools/kubeadm/self-hosting/)。
<!--
[Documentation](/docs/setup/production-environment/tools/kubeadm/self-hosting/)
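Review bot: the self-hosting link in the new line L66 is missing its leading slash: `[文档](zh/docs/setup/production-environment/tools/kubeadm/self-hosting/)`. Without the slash Hugo resolves it relative to the current page and it 404s; it should be `/zh/docs/setup/production-environment/tools/kubeadm/self-hosting/`, matching the other zh links in this commit (for example L76-78).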
@ -120,6 +147,6 @@ The subcommand `pivot` can be used to convert a static Pod-hosted control plane
* [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) to connect a node to the cluster
* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
-->
* [kubeadm init](/docs/reference/setup-tools/kubeadm/kubeadm-init/) 引导 Kubernetes 控制平面节点
* [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) 将节点连接到集群
* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) 会还原 `kubeadm init``kubeadm join` 操作对主机所做的任何更改。
* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/) 引导 Kubernetes 控制平面节点
* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/) 将节点连接到集群
* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/) 会还原 `kubeadm init``kubeadm join` 操作对主机所做的任何更改。

View File

@ -6,32 +6,39 @@ weight: 50
<!-- overview -->
<!--
Beginning with v1.8.0, kubeadm uploads the configuration of your cluster to a ConfigMap called
`kubeadm-config` in the `kube-system` namespace, and later reads the ConfigMap when upgrading.
This enables correct configuration of system components, and provides a seamless user experience.
During `kubeadm init`, kubeadm uploads the `ClusterConfiguration` object to your cluster
in a ConfigMap called `kubeadm-config` in the `kube-system` namespace. This configuration is then read during
`kubeadm join`, `kubeadm reset` and `kubeadm upgrade`. To view this ConfigMap call `kubeadm config view`.
-->
从 v1.8.0 开始kubeadm 将集群的配置上传到名为 kube-system 的 ConfigMap 对象中,对象位于 kube-system 命名空间内。并在以后的升级中读取这个 ConfigMap 配置对象。
这样可以保证系统组件的正确配置,提供无缝的用户体验。
`kubeadm init` 执行期间kubeadm 将 `ClusterConfiguration` 对象上传到你的集群的 `kube-system` 名字空间下
名为 `kubeadm-config` 的 ConfigMap 对象中。
然后在 `kubeadm join`、`kubeadm reset` 和 `kubeadm upgrade` 执行期间读取此配置。
要查看此 ConfigMap请调用 `kubeadm config view`
<!--
You can execute `kubeadm config view` to view the ConfigMap. If you initialized your cluster using
kubeadm v1.7.x or lower, you must use `kubeadm config upload` to create the ConfigMap before you
may use `kubeadm upgrade`.
You can use `kubeadm config print` to print the default configuration and `kubeadm config migrate` to
convert your old configuration files to a newer version. `kubeadm config images list` and
`kubeadm config images pull` can be used to list and pull the images that kubeadm requires.
-->
您可以执行 kubeadm config view 来查看 ConfigMap。如果使用 kubeadm v1.7.x 或更低版本来初始化群集,必须先使用 kubeadm config upload 创建 ConfigMap然后才能使用 kubeadm upgrade。
你可以使用 `kubeadm config print` 命令打印默认配置,
并使用 `kubeadm config migrate` 命令将旧版本的配置转化成新版本。
`kubeadm config images list``kubeadm config images pull`
命令可以用来列出并拉取 kubeadm 所需的镜像。
<!--
In Kubernetes v1.11.0, some new commands were added. You can use `kubeadm config print-default`
to print the default configuration and `kubeadm config migrate` to convert your old configuration
files to a newer version. `kubeadm config images list` and `kubeadm config images pull` can be used
to list and pull the images that kubeadm requires.
-->
For more information navigate to
[Using kubeadm init with a configuration file](/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file)
or [Using kubeadm join with a configuration file](/docs/reference/setup-tools/kubeadm/kubeadm-join/#config-file).
在 Kubernetes v1.11.0 中,添加了一些新命令。你可以使用 kubeadm config print-default
打印默认配置,可以用 kubeadm config migrate 来将旧的配置文件转换到较新的版本,还可以使用 kubeadm config images list 和 kubeadm config images pull
列出并拉取 kubeadm 所需的镜像。
In Kubernetes v1.13.0 and later to list/pull kube-dns images instead of the CoreDNS image
the `--config` method described [here](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
has to be used.
-->
更多信息请浏览[使用带配置文件的 kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file)
或[使用带配置文件的 kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/#config-file).
在 Kubernetes v1.13.0 及更高版本中,要列出/拉取 kube-dns 镜像而不是 CoreDNS 镜像,
必须使用[这里](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)所描述的 `--config` 方法。
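Review bot: the new sentence at L127-128 ends with an ASCII full stop after the link (`...#config-file).`) while the sentence that follows it at L130 ends with `。`; use the full-width stop so the paragraph is consistent with the rest of the file. The substantive correction in this hunk is right: the old line L92 told readers the ConfigMap was `名为 kube-system`, and L94-95 now name it `kubeadm-config` in the `kube-system` namespace as the English at L88-89 does.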
@ -65,6 +72,6 @@ to list and pull the images that kubeadm requires.
* [kubeadm upgrade](/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) to upgrade a Kubernetes cluster to a newer version
-->
* [kubeadm upgrade](/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) 将 Kubernetes 集群升级到更新版本 [kubeadm upgrade]
* [kubeadm upgrade](/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) 将 Kubernetes 集群升级到更新版本 [kubeadm upgrade]
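Review bot: the trailing `[kubeadm upgrade]` at the end of L135 is leftover text, not a link, and renders literally; it was already present in the old line L134 and this change only updates the path. Drop it so the item reads `* [kubeadm upgrade](/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) 将 Kubernetes 集群升级到更新版本`.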

View File

@ -23,7 +23,7 @@ if you wish to apply customization.
`kubeadm init phase` is consistent with the [kubeadm init workflow](/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow),
and behind the scene both use the same code.
-->
`kubeadm init phase` 与 [kubeadm init 工作流](/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow)一致,后台都使用相同的代码。
`kubeadm init phase` 与 [kubeadm init 工作流](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow)一致,后台都使用相同的代码。
<!--
## kubeadm init phase preflight {#cmd-phase-preflight}
@ -143,7 +143,7 @@ Use the following phase to create a local etcd instance based on a static Pod fi
You can use this command to upload the kubeadm configuration to your cluster.
Alternatively, you can use [kubeadm config](/docs/reference/setup-tools/kubeadm/kubeadm-config/).
-->
可以使用此命令将 kubeadm 配置文件上传到集群。或者使用 [kubeadm config](/docs/reference/setup-tools/kubeadm/kubeadm-config/) 方式
可以使用此命令将 kubeadm 配置文件上传到集群。或者使用 [kubeadm config](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)。
{{< tabs name="upload-config" >}}
{{< tab name="upload-config" include="generated/kubeadm_init_phase_upload-config.md" />}}
@ -198,6 +198,21 @@ Use the following phase to configure bootstrap tokens.
{{< tab name="bootstrap-token" include="generated/kubeadm_init_phase_bootstrap-token.md" />}}
{{< /tabs >}}
## kubeadm init phase kubelet-finialize {#cmd-phase-kubelet-finalize-all}
<!--
Use the following phase to update settings relevant to the kubelet after TLS
bootstrap. You can use the `all` subcommand to run all `kubelet-finalize`
phases.
-->
使用以下阶段在 TLS 引导后更新与 kubelet 相关的设置。
你可以使用 `all` 子命令来运行所有 `kubelet-finalize` 阶段。
{{< tabs name="tab-kubelet-finalize" >}}
{{< tab name="kublet-finalize" include="generated/kubeadm_init_phase_kubelet-finalize.md" />}}
{{< tab name="kublet-finalize-all" include="generated/kubeadm_init_phase_kubelet-finalize_all.md" />}}
{{< tab name="kublet-finalize-cert-rotation" include="generated/kubeadm_init_phase_kubelet-finalize_experimental-cert-rotation.md" />}}
{{< /tabs >}}
<!--
## kubeadm init phase addon {#cmd-phase-addon}
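Review bot: the new section heading at L158 is misspelled: `## kubeadm init phase kubelet-finialize {#cmd-phase-kubelet-finalize-all}` should read `kubelet-finalize`, which is the name the body text (L161, L165) and the `include=` paths use. The tab labels at L167-169 (`name="kublet-finalize"`, `kublet-finalize-all`, `kublet-finalize-cert-rotation`) drop the `e` in `kubelet` as well; the `include=` file names are correct, so only the displayed names need fixing. If these typos come from the English source, fix them there too rather than carrying them into the translation.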
@ -270,7 +285,7 @@ For more details on each field in the `v1beta2` configuration you can navigate t
* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
* [kubeadm alpha](/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) to try experimental functionality
-->
* [kubeadm init](/docs/reference/setup-tools/kubeadm/kubeadm-init/) 引导 Kubernetes 控制平面节点
* [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) 将节点连接到集群
* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) 恢复通过 `kubeadm init``kubeadm join` 操作对主机所做的任何更改
* [kubeadm alpha](/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) 尝试实验性功能
* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/) 引导 Kubernetes 控制平面节点
* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/) 将节点连接到集群
* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/) 恢复通过 `kubeadm init``kubeadm join` 操作对主机所做的任何更改
* [kubeadm alpha](/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) 尝试实验性功能

View File

@ -40,28 +40,25 @@ following steps:
1. Runs a series of pre-flight checks to validate the system state
before making changes. Some checks only trigger warnings, others are
considered errors and will exit kubeadm until the problem is corrected or the
user specifies `-ignore-preflight-errors=<list-of-errors>`.
user specifies `--ignore-preflight-errors=<list-of-errors>`.
-->
1. 在做出变更前运行一系列的预检项来验证系统状态。一些检查项目仅仅触发警告,
其它的则会被视为错误并且退出 kubeadm除非问题得到解决或者用户指定了
`--ignore-preflight-errors=<list-of-errors>` 参数。
<!--
2. Generates a self-signed CA (or using an existing one if provided) to set up
identities for each component in the cluster. If the user has provided their
own CA cert and/or key by dropping it in the cert directory configured via `-cert-dir`
(`/etc/kubernetes/pki` by default) this step is skipped as described in the
[Using custom certificates](#custom-certificates) document.
The APIServer certs will have additional SAN entries for any `-apiserver-cert-extra-sans` arguments, lowercased if necessary.
1. Generates a self-signed CA to set up identities for each component in the cluster. The user can provide their
own CA cert and/or key by dropping it in the cert directory configured via `--cert-dir`
(`/etc/kubernetes/pki` by default).
The APIServer certs will have additional SAN entries for any `--apiserver-cert-extra-sans` arguments, lowercased if necessary.
-->
2. 生成一个自签名的 CA 证书 (或者使用现有的证书,如果提供的话) 来为集群中的每一个组件建立身份标识。
如果用户已经通过 `--cert-dir` 配置的证书目录(默认为 `/etc/kubernetes/pki`)提供了他们自己的
CA 证书以及/或者密钥,那么将会跳过这个步骤,正如文档[使用自定义证书](#custom-certificates)所述。
如果指定了 `--apiserver-cert-extra-sans` 参数, APIServer 的证书将会有额外的 SAN 条目,
如果必要的话,将会被转为小写。
2. 生成一个自签名的 CA 证书来为集群中的每一个组件建立身份标识。
用户可以通过将其放入 `--cert-dir` 配置的证书目录中(默认为 `/etc/kubernetes/pki`
来提供他们自己的 CA 证书以及/或者密钥。
APIServer 证书将为任何 `--apiserver-cert-extra-sans` 参数值提供附加的 SAN 条目,必要时将其小写。
<!--
3. Writes kubeconfig files in `/etc/kubernetes/` for
1. Writes kubeconfig files in `/etc/kubernetes/` for
the kubelet, the controller-manager and the scheduler to use to connect to the
API server, each with its own identity, as well as an additional
kubeconfig file for administration named `admin.conf`.
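Review bot: in the rewritten step 2 the pronoun at L216 has no antecedent yet: `用户可以通过将其放入 `--cert-dir` 配置的证书目录中` refers to `其`, but the thing being placed (`CA 证书以及/或者密钥`) only appears on L217. Reorder to `用户可以将自己的 CA 证书和/或密钥放入由 `--cert-dir` 指定的证书目录（默认为 `/etc/kubernetes/pki`）中` so the sentence reads naturally. Dropping the old sentence about the step being skipped (L211-212) is correct, since the English at L205-207 no longer says that.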
@ -71,17 +68,20 @@ following steps:
文件,用于管理操作。
<!--
4. Generates static Pod manifests for the API server,controller-manager and scheduler. In case an external etcd is not provided,an additional static Pod manifest is generated for etcd.
1. Generates static Pod manifests for the API server,
controller-manager and scheduler. In case an external etcd is not provided,
an additional static Pod manifest is generated for etcd.
Static Pod manifests are written to `/etc/kubernetes/manifests`; the kubelet
watches this directory for Pods to create on startup.
Once control plane Pods are up and running, the `kubeadm init` sequence can continue.
-->
4. 为 API 服务器、控制器管理器和调度器生成静态 Pod 的清单文件。假使没有提供一个外部的 etcd
服务的话,也会为 etcd 生成一份额外的静态 Pod 清单文件。
<!--
Static Pod manifests are written to `/etc/kubernetes/manifests`; the kubelet watches this directory for Pods to create on startup.
Once control plane Pods are up and running, the `kubeadm init` sequence can continue.
-->
静态 Pod 的清单文件被写入到 `/etc/kubernetes/manifests` 目录; kubelet 会监视这个目录以便在系统启动的时候创建 Pod。
静态 Pod 的清单文件被写入到 `/etc/kubernetes/manifests` 目录;
kubelet 会监视这个目录以便在系统启动的时候创建 Pod。
一旦控制平面的 Pod 都运行起来, `kubeadm init` 的工作流程就继续往下执行。
@ -89,46 +89,66 @@ Once control plane Pods are up and running, the `kubeadm init` sequence can cont
1. Apply labels and taints to the control-plane node so that no additional workloads will
run there.
-->
1. 对控制平面节点应用 labels 和 taints 标记以便不会在它上面运行其它的工作负载。
5. 对控制平面节点应用标签和污点标记以便不会在它上面运行其它的工作负载。
<!--
2. Generates the token that additional nodes can use to register themselves with a control-plane in the future. Optionally, the user can provide a token via `-token`, as described in the [kubeadm token](/docs/reference/setup-tools/kubeadm/kubeadm-token/) docs.
1. Generates the token that additional nodes can use to register
themselves with a control-plane in the future. Optionally, the user can provide a
token via `--token`, as described in the
[kubeadm token](/docs/reference/setup-tools/kubeadm/kubeadm-token/) docs.
-->
2. 生成令牌以便其它节点以后可以使用这个令牌向控制平面节点注册它们自己。
(可选),用户可以通过 `--token` 提供一个令牌,正如文档
[kubeadm token](/zh/docs/reference/setup-tools/kubeadm/kubeadm-token/) 所述
6. 生成令牌,将来其他节点可使用该令牌向控制平面注册自己。
如文档 [kubeadm token](/zh/docs/reference/setup-tools/kubeadm/kubeadm-token/) 所述,
用户可以选择通过 `--token` 提供令牌
<!--
3. Makes all the necessary configurations for allowing node joining with the [Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) and [TLS Bootstrap](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) mechanism:
- Write a ConfigMap for making available all the information required for joining, and set up related RBAC access rules.
1. Makes all the necessary configurations for allowing node joining with the
[Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) and
[TLS Bootstrap](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
mechanism:
- Write a ConfigMap for making available all the information required
for joining, and set up related RBAC access rules.
- Let Bootstrap Tokens access the CSR signing API.
- Configure auto-approval for new CSR requests.
See [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) for additional info.
-->
3. 为了使得节点能够遵照[启动引导令牌](/zh/docs/reference/access-authn-authz/bootstrap-tokens/)
7. 为了使得节点能够遵照[启动引导令牌](/zh/docs/reference/access-authn-authz/bootstrap-tokens/)
和 [TLS 启动引导](/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/)
这两份文档中描述的机制加入到集群中kubeadm 会执行所有的必要配置:
- 创建一份 ConfigMap 提供添加集群节点所需的信息,并为该 ConfigMap 设置相关的 RBAC 访问规则。
- 使得 Bootstrap Tokens 可以访问 CSR 签名 API。
- 对新的 CSR 请求配置为自动签发。
<!--
See [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) for additional info.
-->
查阅[kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/)文档以获取更多信息。
- 使得 Bootstrap Tokens 可以访问 CSR 签名 API。
- 配置自动签发新的 CSR 请求。
获取更多信息,请查看[kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/)。
<!--
1. Installs a DNS server (CoreDNS) and the kube-proxy addon components via the API server.
In Kubernetes version 1.11 and later CoreDNS is the default DNS server.
To install kube-dns instead of CoreDNS, the DNS addon has to be configured in the kubeadm `ClusterConfiguration`. For more information about the configuration see the section
`Using kubeadm init with a configuration file` below.
Please note that although the DNS server is deployed, it will not be scheduled until CNI is installed. -->
1. 通过 API 服务器安装一个 DNS 服务器 (CoreDNS) 和 kube-proxy 附加组件。
在 1.11 版本以及更新版本的 Kubernetes 中 CoreDNS 是默认的 DNS 服务器。
To install kube-dns instead of CoreDNS, the DNS addon has to be configured in the kubeadm `ClusterConfiguration`.
For more information about the configuration see the section `Using kubeadm init with a configuration file` below.
Please note that although the DNS server is deployed, it will not be scheduled until CNI is installed.
{{< warning >}}
kube-dns usage with kubeadm is deprecated as of v1.18 and will be removed in a future release.
{{< /warning >}}
-->
8. 通过 API 服务器安装一个 DNS 服务器 (CoreDNS) 和 kube-proxy 附加组件。
在 Kubernetes 版本 1.11 和更高版本中CoreDNS 是默认的 DNS 服务器。
要安装 kube-dns 而不是 CoreDNS必须在 kubeadm `ClusterConfiguration` 中配置 DNS 插件。
有关配置的更多信息,请参见下面的"带配置文件使用 kubeadm init" 一节。
请注意,尽管已部署 DNS 服务器,但直到安装 CNI 时才调度它。
{{< warning >}}
从 v1.18 开始,在 kubeadm 中使用 kube-dns 已废弃,并将在以后的版本中将其删除。
{{< /warning >}}
<!--
### Using init phases with kubeadm {#init-phases}
-->
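Review bot: the bullet at L290, `配置自动签发新的 CSR 请求`, says new CSRs are automatically *issued* (签发), whereas the English at L275 is `Configure auto-approval for new CSR requests`, and the whole list (L268-271) is scoped to joins that use Bootstrap Tokens and TLS Bootstrap; `为通过启动引导令牌提交的新 CSR 配置自动批准` keeps both the approve/sign distinction and the scope, so readers do not take it to mean every CSR in the cluster is approved. Separately, the section title quoted at L310 (`"带配置文件使用 kubeadm init" 一节`) should use the same wording as the heading readers will look for; kubeadm-config.md in this commit refers to the same section as `使用带配置文件的 kubeadm init` (L127), so pick one form for both.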
@ -209,28 +229,35 @@ The config file is still considered beta and may change in future versions.
<!--
It's possible to configure `kubeadm init` with a configuration file instead of command
line flags, and some more advanced features may only be available as
configuration file options. This file is passed with the `-config` option.
configuration file options. This file is passed using the `--config` flag and it must
contain a `ClusterConfiguration` structure and optionally more structures separated by `---\n`
Mixing `--config` with others flags may not be allowed in some cases.
-->
通过一份配置文件而不是使用命令行参数来配置 `kubeadm init` 命令是可能的,
但是一些更加高级的功能只能够通过配置文件设定。这份配置文件通过 `--config` 选项参数指定。
但是一些更加高级的功能只能够通过配置文件设定。
这份配置文件通过 `--config` 选项参数指定的,
它必须包含 `ClusterConfiguration` 结构,并可能包含更多由 `---\n` 分隔的结构。
在某些情况下,可能不允许将 `--config` 与其他标志混合使用。
<!--
The default configuration can be printed out using the
[kubeadm config print](/docs/reference/setup-tools/kubeadm/kubeadm-config/) command.
It is **recommended** that you migrate your old `v1beta1` configuration to `v1beta2` using
If your configuration is not using the latest version it is **recommended** that you migrate using
the [kubeadm config migrate](/docs/reference/setup-tools/kubeadm/kubeadm-config/) command.
For more details on each field in the `v1beta2` configuration you can navigate to our
[API reference pages](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2).
For more information on the fields and usage of the configuration you can navigate to our API reference
page and pick a version from [the list](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#pkg-subdirectories).
-->
可以使用 [kubeadm config print](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)命令打印出默认配置。
如果你的配置没有使用最新版本,
**推荐**使用 [kubeadm config migrate](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)
命令将旧的 `v1beta1` 版本的配置迁移到 `v1beta2` 版本
命令进行迁移
获取 `v1beta2` 版本配置中每个字段的细节说明,查看我们的
[API 参考页面](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2)。
有关配置的字段和用法的更多信息,
你可以导航到我们的 API 参考页面并从
[列表](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#pkg-subdirectories)中选择一个版本。
<!--
### Adding kube-proxy parameters {#kube-proxy}
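Review bot: L330 is not a complete sentence: `这份配置文件通过 `--config` 选项参数指定的，` has a dangling `的` (either `是通过 ... 指定的` or drop the `的`). Since the English at L323 now says `flag`, `这份配置文件通过 `--config` 标志指定` would also match the term `标志` already used at L332.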
@ -259,7 +286,7 @@ kubeadm 配置中有关 kube-proxy 的说明请查看:
For information about passing flags to control plane components see:
- [control-plane-flags](/docs/setup/production-environment/tools/kubeadm/control-plane-flags/) -->
有关向控制平面组件传递命令行参数的说明请查看:
[控制平面命令行参数](//zh/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)
[控制平面命令行参数](/zh/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)
<!--
### Using custom images {#custom-images}
@ -323,8 +350,8 @@ The following phase command can be used to re-upload the certificates after expi
-->
以下阶段命令可用于证书到期后重新上传证书:
```
kubeadm init phase upload-certs --upload-certs --certificate-key=SOME_VALUE
```shell
kubeadm init phase upload-certs --upload-certs --certificate-key=SOME_VALUE --config=SOME_YAML_FILE
```
<!--
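Review bot: L370 adds `--config=SOME_YAML_FILE` to the re-upload command, but the English version of the command is outside this hunk and the sentence at L366 does not mention a configuration file, so confirm the flag was added upstream and is not a translation-only change. The fence tag change to ```shell is consistent with the other fences touched in this commit (L377, L622).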
@ -339,62 +366,21 @@ The following command can be used to generate a new key on demand:
-->
以下命令可用于按需生成新密钥:
```
```shell
kubeadm alpha certs certificate-key
```
<!--
### Using custom certificates {#custom-certificates}
-->
### 使用自定义的证书 {#custom-certificates}
<!-- ### Certificate management with kubeadm -->
### 使用 kubeadm 管理证书
<!--
By default, kubeadm generates all the certificates needed for a cluster to run.
You can override this behavior by providing your own certificates.
For detailed information on certificate management with kubeadm see
[Certificate Management with kubeadm](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/).
The document includes information about using external CA, custom certificates
and certificate renewal.
-->
默认情况下, kubeadm 会生成运行一个集群所需的全部证书。
你可以通过提供你自己的证书来改变这个行为策略。
<!--
To do so, you must place them in whatever directory is specified by the
`-cert-dir` flag or `CertificatesDir` configuration file key. By default this
is `/etc/kubernetes/pki`.
-->
如果要这样做, 你必须将证书文件放置在通过 `--cert-dir` 命令行参数或者配置文件里的
`CertificatesDir` 配置项指明的目录中。默认的值是 `/etc/kubernetes/pki`
<!--
If a given certificate and private key pair exists before running `kubeadm init`,
kubeadm will not overwrite them. This means you can, for example, copy an existing
CA into `/etc/kubernetes/pki/ca.crt` and `/etc/kubernetes/pki/ca.key`,
and kubeadm will use this CA for signing the rest of the certificates.
-->
如果在运行 `kubeadm init` 之前存在给定的证书和私钥对,则 kubeadm 将不会重写它们。
例如,这意味着你可以将现有的 CA 复制到 `/etc/kubernetes/pki/ca.crt`
`/etc/kubernetes/pki/ca.key` 中,而 kubeadm 将使用此 CA 对其余证书进行签名。
<!--
#### External CA mode {#external-ca-mode}
-->
#### 外部 CA 模式 {#external-ca-mode}
<!--
It is also possible to provide just the `ca.crt` file and not the
`ca.key` file (this is only available for the root CA file, not other cert pairs).
If all other certificates and kubeconfig files are in place, kubeadm recognizes
this condition and activates the "External CA" mode. kubeadm will proceed without the
CA key on disk.
-->
如果只提供了 `ca.crt` 文件但是没有提供 `ca.key` 文件也是可以的 (这只对 CA 根证书可用,其它证书不可用)。
如果所有的其它证书和 kubeconfig 文件已就绪, kubeadm 检测到满足以上条件就会激活 "外部 CA" 模式。
kubeadm 将会在没有 CA 密钥文件的情况下继续执行。
<!--
Instead, run the controller-manager standalone with `-controllers=csrsigner` and
point to the CA certificate and key.
-->
否则, kubeadm 将独立运行 controller-manager附加一个 `--controllers=csrsigner` 的参数,
并且指明 CA 证书和密钥。
有关使用 kubeadm 进行证书管理的详细信息,请参阅[使用 kubeadm 进行证书管理](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/)。
该文档包括有关使用外部 CA自定义证书和证书更新的信息。
<!--
### Managing the kubeadm drop-in file for the kubelet {#kubelet-drop-in}
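Review bot: this hunk deletes two anchors, `{#custom-certificates}` (L383) and `{#external-ca-mode}` (L415), so any page that still links to `kubeadm-init/#custom-certificates` or `#external-ca-mode` will now land at the top of the page. Step 2 in this same file dropped its link (L212 is gone, L215-218 replace it), but check other zh pages and the `kubeadm-certs` task page for remaining inbound links, or keep the old anchor on the new `### 使用 kubeadm 管理证书` heading (L385). Also, L432-433 should be line-wrapped like the rest of the translated text in this commit.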
@ -488,6 +474,7 @@ character string>`. More formally, it must match the regex: `[a-z0-9]{6}\.[a-z0-
kubeadm can generate a token for you: -->
1. 生成一个令牌。这个令牌必须具有以下格式:`< 6 >.< 16 >`。
更加正式的说法是,它必须符合以下正则表达式:`[a-z0-9]{6}\.[a-z0-9]{16}`。
kubeadm 可以为你生成一个令牌:
```shell
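Review bot: the token format at L438 lost the descriptive words of the English: `<6 character string>.<16 character string>` (see the context at L436) became `< 6 >.< 16 >`, which reads as two numbers. Suggest `<6 个字符的字符串>.<16 个字符的字符串>`, which also lines up with the regex on the next line, `[a-z0-9]{6}\.[a-z0-9]{16}`.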
@ -536,7 +523,7 @@ provisioned). For details, see the [kubeadm join](/docs/reference/setup-tools/ku
* [kubeadm upgrade](/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) to upgrade a Kubernetes cluster to a newer version
* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
-->
* 进一步阅读了解[kubeadm init 阶段](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/)
* 进一步阅读了解[kubeadm init phase](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/)
* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/)启动一个 Kubernetes 工作节点并且将其加入到集群
* [kubeadm upgrade](/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/)将 Kubernetes 集群升级到新版本
* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/)使用 `kubeadm init``kubeadm join` 来恢复对节点的变更
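Review bot: L450 inverts the meaning of `kubeadm reset`: it says reset *uses* `kubeadm init` / `kubeadm join` to revert changes to the node (`使用 ... 来恢复对节点的变更`), whereas the English at L444 says reset reverts the changes that init or join made. The translation already used at L78 and L183 in this commit is correct, `还原 `kubeadm init` 或 `kubeadm join` 操作对主机所做的任何更改`; reuse it here.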

View File

@ -14,7 +14,7 @@ weight: 90
Hence, you can let kubeadm do some of the work and you can fill in the gaps
if you wish to apply customization.
-->
`kubeadm join phase` 使能够调用 `join` 过程的基本原子步骤。因此,如果希望执行自定义操作,可以让 kubeadm 做一些工作,然后由用户来补足剩余操作。
`kubeadm join phase` 使能够调用 `join` 过程的基本原子步骤。因此,如果希望执行自定义操作,可以让 kubeadm 做一些工作,然后由用户来补足剩余操作。
<!--
`kubeadm join phase` is consistent with the [kubeadm join workflow](/docs/reference/setup-tools/kubeadm/kubeadm-join/#join-workflow),
@ -44,7 +44,7 @@ Using this phase you can execute preflight checks on a joining node.
<!--
Using this phase you can prepare a node for serving a control-plane.
-->
使用此阶段,可以准备一个作为控制平面的节点。
使用此阶段,可以准备一个作为控制平面的节点。
{{< tabs name="tab-control-plane-prepare" >}}
{{< tab name="control-plane-prepare" include="generated/kubeadm_join_phase_control-plane-prepare.md" />}}
@ -60,7 +60,7 @@ Using this phase you can prepare a node for serving a control-plane.
<!--
Using this phase you can write the kubelet settings, certificates and (re)start the kubelet.
-->
使用此阶段,可以配置 kubelet 设置、证书和(重新)启动 kubelet。
使用此阶段,可以配置 kubelet 设置、证书和(重新)启动 kubelet。
{{< tabs name="tab-kubelet-start" >}}
{{< tab name="kubelet-start" include="generated/kubeadm_join_phase_kubelet-start.md" />}}
@ -71,7 +71,7 @@ Using this phase you can write the kubelet settings, certificates and (re)start
<!--
Using this phase you can join a node as a control-plane instance.
-->
使用此阶段,可以将节点作为控制平面实例加入。
使用此阶段,可以将节点作为控制平面实例加入。
{{< tabs name="tab-control-plane-join" >}}
{{< tab name="control-plane-join" include="generated/kubeadm_join_phase_control-plane-join.md" />}}

View File

@ -18,14 +18,14 @@ This command initializes a Kubernetes worker node and joins it to the cluster.
{{< include "generated/kubeadm_join.md" >}}
<!--
### The joining workflow
### The join workflow {#join-workflow}
-->
### join 工作流 {#join-workflow}
<!--
`kubeadm join` bootstraps a Kubernetes worker node and joins it to the cluster.
This action consists of the following steps:
-->
### 加入流程
`kubeadm join` 初始化 Kubernetes 工作节点并将其加入集群。
该操作过程包含下面几个步骤:
@ -39,85 +39,160 @@ This action consists of the following steps:
默认情况下,它使用引导令牌和 CA 密钥哈希来验证数据的真实性。
也可以通过文件或 URL 直接发现根 CA。
<!-- 1. If kubeadm is invoked with `--feature-gates=DynamicKubeletConfig` enabled,
it first retrieves the kubelet init configuration from the master and writes it to
the disk. When kubelet starts up, kubeadm updates the node `Node.spec.configSource` property of the node.
See [Set Kubelet parameters via a config file](/docs/tasks/administer-cluster/kubelet-config-file/)
and [Reconfigure a Node's Kubelet in a Live Cluster](/docs/tasks/administer-cluster/reconfigure-kubelet/)
for more information about Dynamic Kubelet Configuration.
-->
1. 如果调用 kubeadm 时启用了 `--feature-gates=DynamicKubeletConfig`,它首先从主机上检索 kubelet 初始化配置并将其写入磁盘。
当 kubelet 启动时kubeadm 更新节点的 `Node.spec.configSource` 属性。
进一步了解动态 kubelet 配置 请参考 [使用配置文件设置 Kubelet 参数](/docs/tasks/administer-cluster/kubelet-config-file/) 和 [重新配置集群中节点的 Kubelet](/docs/tasks/administer-cluster/reconfigure-kubelet/)。
<!-- 1. Once the cluster information is known, kubelet can start the TLS bootstrapping
<!--
1. Once the cluster information is known, kubelet can start the TLS bootstrapping
process.
The TLS bootstrap uses the shared token to temporarily authenticate
with the Kubernetes API server to submit a certificate signing request (CSR); by
default the control plane signs this CSR request automatically.
-->
1. 一旦知道集群信息kubelet 就可以开始 TLS 引导过程。
TLS 引导程序使用共享令牌与 Kubernetes API 服务器进行临时的身份验证,以提交证书签名请求 (CSR)
默认情况下,控制平面自动对该 CSR 请求进行签名。
<!-- 1. Finally, kubeadm configures the local kubelet to connect to the API
<!--
1. Finally, kubeadm configures the local kubelet to connect to the API
server with the definitive identity assigned to the node.
-->
1. 最后kubeadm 配置本地 kubelet 使用分配给节点的确定标识连接到 API 服务器。
<!--
### Discovering what cluster CA to trust
For control-plane nodes additional steps are performed:
1. Downloading certificates shared among control-plane nodes from the cluster
(if explicitly requested by the user).
1. Generating control-plane component manifests, certificates and kubeconfig.
1. Adding new local etcd member.
1. Adding this node to the ClusterStatus of the kubeadm cluster.
-->
对于控制平面节点,执行额外的步骤:
1. 从集群下载控制平面节点之间共享的证书(如果用户明确要求)。
1. 生成控制平面组件清单、证书和 kubeconfig。
1. 添加新的本地 etcd 成员。
1. 将此节点添加到 kubeadm 集群的 ClusterStatus。
<!--
### Using join phases with kubeadm {#join-phases}
-->
### 使用 kubeadm 的 join phase 命令 {#join-phases}
<!--
Kubeadm allows you join a node to the cluster in phases using `kubeadm join phase`.
-->
Kubeadm 允许你使用 `kubeadm join phase` 分阶段将节点加入集群。
<!--
To view the ordered list of phases and sub-phases you can call `kubeadm join --help`. The list will be located
at the top of the help screen and each phase will have a description next to it.
Note that by calling `kubeadm join` all of the phases and sub-phases will be executed in this exact order.
-->
要查看阶段和子阶段的有序列表,可以调用 `kubeadm join --help`
该列表将位于帮助屏幕的顶部,每个阶段旁边都有一个描述。
注意,通过调用 `kubeadm join`,所有阶段和子阶段都将按照此确切顺序执行。
<!--
Some phases have unique flags, so if you want to have a look at the list of available options add `--help`, for example:
-->
有些阶段具有唯一的标志,因此,如果要查看可用选项列表,请添加 `--help`,例如:
```shell
kubeadm join phase kubelet-start --help
```
<!--
Similar to the [kubeadm init phase](/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-phases)
command, `kubeadm join phase` allows you to skip a list of phases using the `--skip-phases` flag.
For example:
-->
类似于 [kubeadm init phase](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-phases)命令,
`kubeadm join phase` 允许你使用 `--skip-phases` 标志跳过阶段列表。
例如:
```shell
sudo kubeadm join --skip-phases=preflight --config=config.yaml
```
<!--
### Discovering what cluster CA to trust
-->
### 发现要信任的集群 CA
<!--
The kubeadm discovery has several options, each with security tradeoffs.
The right method for your environment depends on how you provision nodes and the
security expectations you have about your network and node lifecycles.
-->
### 发现要信任的集群 CA
Kubeadm 的发现有几个选项,每个选项都有安全性上的优缺点。
适合您的环境的正确方法取决于节点是如何准备的以及您对网络的安全性期望和节点的生命周期特点。
适合你的环境的正确方法取决于节点是如何准备的以及你对网络的安全性期望和节点的生命周期特点。
<!--
#### Token-based discovery with CA pinning
-->
#### 带 CA 锁定模式的基于令牌的发现
<!--
This is the default mode in Kubernetes 1.8 and above. In this mode, kubeadm downloads
the cluster configuration (including root CA) and validates it using the token
as well as validating that the root CA public key matches the provided hash and
that the API server certificate is valid under the root CA.
-->
#### 带 CA 锁定模式的基于令牌的发现
这是 Kubernetes 1.8 及以上版本中的默认模式。
在这种模式下kubeadm 下载集群配置包括根CA并使用令牌验证它并且会验证根 CA 的公钥与所提供的哈希是否匹配,以及 API 服务器证书在根 CA 下是否有效。
在这种模式下kubeadm 下载集群配置包括根CA并使用令牌验证它
并且会验证根 CA 的公钥与所提供的哈希是否匹配,
以及 API 服务器证书在根 CA 下是否有效。
<!--
The CA key hash has the format `sha256:<hex_encoded_hash>`. By default, the hash value is returned in the `kubeadm join` command printed at the end of `kubeadm init` or in the output of `kubeadm token create --print-join-command`. It is in a standard format (see [RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4)) and can also be calculated by 3rd party tools or provisioning systems. For example, using the OpenSSL CLI:
-->
CA 键哈希格式为 `sha256:<hex_encoded_hash>`
默认情况下,在 `kubeadm init` 最后打印的 `kubeadm join` 命令或者 `kubeadm token create --print-join-command` 的输出信息中返回哈希值。
它使用标准格式 (请参考 [RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4)) 并且也能通过第三方工具或者驱动系统进行计算。
默认情况下,在 `kubeadm init` 最后打印的 `kubeadm join` 命令
或者 `kubeadm token create --print-join-command` 的输出信息中返回哈希值。
它使用标准格式 (请参考 [RFC7469](https://tools.ietf.org/html/rfc7469#section-2.4))
并且也能通过第三方工具或者制备系统进行计算。
例如,使用 OpenSSL CLI
```bash
```shell
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
```
<!--
**Example `kubeadm join` command:**
-->
**`kubeadm join` 命令示例**
```bash
<!-- For worker nodes: -->
对于工作节点:
```shell
kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef 1.2.3.4:6443
```
<!-- For control-plane nodes: -->
对于控制面节点:
```shell
kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef --control-plane 1.2.3.4:6443
```
<!--
You can also call `join` for a control-plane node with `--certificate-key` to copy certificates to this node,
if the `kubeadm init` command was called with `--upload-certs`.
-->
如果使用 `--upload-certs` 调用 `kubeadm init` 命令,
你也可以对控制平面节点调用带 `--certificate-key` 参数的 `join` 命令,
将证书复制到该节点。
<!--
**Advantages:**
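Review bot: "CA 键哈希" at the start of the new paragraph (the line beginning `CA 键哈希格式为 \`sha256:<hex_encoded_hash>\``) mistranslates "CA key hash"; the hash is taken over the CA's public key, so this should read "CA 密钥哈希". In the same hunk the new translation is inconsistent about spacing between Chinese and Latin text: `在这种模式下kubeadm 下载集群配置包括根CA并使用令牌验证它` writes "根CA" while the very next line writes "根 CA 的公钥"; use "根 CA" in both places.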
@ -144,11 +219,14 @@ kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert
**劣势:**
- CA 哈希通常在主节点被提供之前是不知道的,这使得构建使用 kubeadm 的自动化配置工具更加困难。
通过预先生成CA您可以解决这个限制。
通过预先生成CA你可以解除这个限制。
<!--
#### Token-based discovery without CA pinning
-->
#### 无 CA 锁定模式的基于令牌的发现
<!--
_This was the default in Kubernetes 1.7 and earlier_, but comes with some
important caveats. This mode relies only on the symmetric token to sign
(HMAC-SHA256) the discovery information that establishes the root of trust for
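Review bot: the replacement line `通过预先生成CA你可以解除这个限制。` keeps "预先生成CA" without the space that the preceding bullet uses in "CA 哈希"; write "预先生成 CA" so the two lines match.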
@ -158,17 +236,14 @@ using one of the other modes if possible.
**Example `kubeadm join` command:**
-->
#### 无 CA 锁定模式的基于令牌的发现
_这是 Kubernetes 1.7 和早期版本_中的默认设置使用时要注意一些重要的补充说明。
此模式仅依赖于对称令牌来签名(HMAC-SHA256)发现信息,这些发现信息为主节点建立信任根。
在 Kubernetes 1.8 及以上版本中仍然可以使用 `--discovery-token-unsafe-skip-ca-verification` 参数,但是如果可能的话,应该考虑使用一种其他模式。
在 Kubernetes 1.8 及以上版本中仍然可以使用 `--discovery-token-unsafe-skip-ca-verification` 参数,但是如果可能的话,你应该考虑使用一种其他模式。
**`kubeadm join` 命令示例**
```
kubeadm join --token abcdef.1234567890abcdef --discovery-token-unsafe-skip-ca-verification 1.2.3.4:6443`
```shell
kubeadm join --token abcdef.1234567890abcdef --discovery-token-unsafe-skip-ca-verification 1.2.3.4:6443
```
<!--
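Review bot: the italic markers in `_这是 Kubernetes 1.7 和早期版本_中的默认设置` close in the middle of the clause, so only "这是 Kubernetes 1.7 和早期版本" is italicized and "中的默认设置" is not; the English source italicizes the whole sentence "This was the default in Kubernetes 1.7 and earlier", so move the closing `_` after "默认设置". The new fenced block in this hunk correctly drops the stray trailing backtick that followed `1.2.3.4:6443` in the old unfenced version.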
@ -200,24 +275,30 @@ kubeadm join --token abcdef.1234567890abcdef --discovery-token-unsafe-skip-ca-ve
**劣势**
- 如果攻击者能够通过某些漏洞窃取引导令牌,那么他们可以使用该令牌(连同网络级访问)为其它处于引导过程中的节点提供假冒的主节点。
的环境中,这可能是一个适当的折衷方法,也可能不是。
的环境中,这可能是一个适当的折衷方法,也可能不是。
<!--
#### File or HTTPS-based discovery
This provides an out-of-band way to establish a root of trust between the master
and bootstrapping nodes. Consider using this mode if you are building automated provisioning
using kubeadm.
-->
#### 基于 HTTPS 或文件发现
<!--
This provides an out-of-band way to establish a root of trust between the control-plane node
and bootstrapping nodes. Consider using this mode if you are building automated provisioning
using kubeadm. The format of the discovery file is a regular Kubernetes
[kubeconfig](/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) file.
In case the discovery file does not contain credentials, the TLS discovery token will be used.
-->
这种方案提供了一种带外方式在主节点和引导节点之间建立信任根。
如果使用 kubeadm 构建自动配置,请考虑使用此模式。
发现文件的格式为常规的 Kubernetes [kubeconfig](/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) 文件。
如果发现文件不包含凭据,则将使用 TLS 发现令牌。
<!--
**Example `kubeadm join` commands:**
-->
**`kubeadm join` 命令示例:**
- `kubeadm join --discovery-file path/to/file.conf` (本地文件)
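Review bot: the updated English comment now says "between the control-plane node and bootstrapping nodes", but the Chinese translation directly below it still says `这种方案提供了一种带外方式在主节点和引导节点之间建立信任根。`; change "主节点" to "控制平面节点" so the translation follows the source. Also, the line `的环境中,这可能是一个适当的折衷方法,也可能不是。` starts mid-sentence; check that the leading "在你" clause was not lost when the line was rewrapped and keep the whole sentence on one line.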
@ -245,82 +326,116 @@ using kubeadm.
**劣势:**
- 要求有某种方法将发现信息从主节点传送到引导节点。
- 要求有某种方法将发现信息从主节点传送到引导节点。
例如,这可以通过云提供商或驱动工具实现。
该文件中的信息不是加密的,而是需要 HTTPS 或等效文件来保证其完整性。
<!--
### Securing your installation even more {#securing-more}
-->
### 确保你的安装更加安全 {#securing-more}
<!--
The defaults for kubeadm may not work for everyone. This section documents how to tighten up a kubeadm installation
at the cost of some usability.
-->
### 确保您的安装更加安全 {#securing-more}
Kubeadm 的默认值可能不适用于所有人。
本节说明如何以牺牲可用性为代价来加强 kubeadm 安装。
<!--
#### Turning off auto-approval of node client certificates
-->
#### 关闭节点客户端证书的自动批准
<!--
By default, there is a CSR auto-approver enabled that basically approves any client certificate request
for a kubelet when a Bootstrap Token was used when authenticating. If you don't want the cluster to
automatically approve kubelet client certs, you can turn it off by executing this command:
-->
#### 关闭节点客户端证书的自动批准
默认情况下Kubernetes 启用了 CSR 自动批准器,如果在身份验证时使用 Bootstrap Token它会批准对 kubelet 的任何客户端证书的请求。
如果不希望集群自动批准kubelet客户端证书可以通过执行以下命令关闭它
```console
$ kubectl delete clusterrole kubeadm:node-autoapprove-bootstrap
```shell
kubectl delete clusterrolebinding kubeadm:node-autoapprove-bootstrap
```
<!--
After that, `kubeadm join` will block until the admin has manually approved the CSR in flight:
-->
关闭后,`kubeadm join` 操作将会被阻断,直到管理员已经手动批准了在途中的 CSR 才会继续:
```console
$ kubectl get csr
```shell
kubectl get csr
```
<!-- The output is similar to this: -->
输出类似于:
```
NAME AGE REQUESTOR CONDITION
node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ 18s system:bootstrap:878f07 Pending
```
$ kubectl certificate approve node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ
```shell
kubectl certificate approve node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ
```
<!-- The output is similar to this: -->
输出类似于:
```
certificatesigningrequest "node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ" approved
```
$ kubectl get csr
```shell
kubectl get csr
```
<!-- The output is similar to this: -->
输出类似于:
```
NAME AGE REQUESTOR CONDITION
node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ 1m system:bootstrap:878f07 Approved,Issued
```
<!--
Only after `kubectl certificate approve` has been run, `kubeadm join` can proceed.
This forces the workflow that `kubeadm join` will only succeed if `kubectl certificate approve` has been run.
-->
这迫使工作流只有在运行了 kubectl 证书批准后kubeadm join 才能成功。
<!--
#### Turning off public access to the cluster-info ConfigMap
-->
#### 关闭对集群信息 ConfigMap 的公开访问
<!--
In order to achieve the joining flow using the token as the only piece of validation information, a
ConfigMap with some data needed for validation of the master's identity is exposed publicly by
default. While there is no private data in this ConfigMap, some users might wish to turn
it off regardless. Doing so will disable the ability to use the `--discovery-token` flag of the
`kubeadm join` flow. Here are the steps to do so:
* Fetch the `cluster-info` file from the API Server:
-->
只有执行了 `kubectl certificate approve` 后,`kubeadm join` 才会继续。
#### 关闭对集群信息 ConfigMap 的公开访问
为了实现使用令牌作为唯一验证信息的加入工作流,默认情况下会公开带有验证主节点标识所需数据的 ConfigMap。
虽然此 ConfigMap 中没有私有数据,但一些用户可能希望无论如何都关闭它。
这样做需要禁用 `kubeadm join` 工作流的 `--discovery-token` 参数。
以下是实现步骤:
```console
$ kubectl -n kube-public get cm cluster-info -o yaml | grep "kubeconfig:" -A11 | grep "apiVersion" -A10 | sed "s/ //" | tee cluster-info.yaml
<!--
* Fetch the `cluster-info` file from the API Server:
-->
* 从 API 服务器获取 `cluster-info` 文件:
```shell
kubectl -n kube-public get cm cluster-info -o yaml | grep "kubeconfig:" -A11 | grep "apiVersion" -A10 | sed "s/ //" | tee cluster-info.yaml
```
<!-- The output is similar to this: -->
输出类似于:
```
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority-data: <ca-cert>
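Review bot: the translation `这样做需要禁用 \`kubeadm join\` 工作流的 \`--discovery-token\` 参数。` inverts the English "Doing so will disable the ability to use the `--discovery-token` flag"; it should state a consequence, not a requirement, e.g. "这样做将使 `kubeadm join` 工作流无法使用 `--discovery-token` 参数。" As rendered, the new sentence `只有执行了 \`kubectl certificate approve\` 后，\`kubeadm join\` 才会继续。` appears after the "关闭对集群信息 ConfigMap 的公开访问" heading rather than directly under its own English comment ("Only after `kubectl certificate approve` has been run ..."); confirm the final ordering puts it before that heading. The switch from `kubectl delete clusterrole` to `kubectl delete clusterrolebinding kubeadm:node-autoapprove-bootstrap` is the right fix, since the auto-approval is granted through a ClusterRoleBinding.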
@ -328,7 +443,6 @@ clusters:
name: ""
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
```
@ -343,18 +457,18 @@ users: []
* 关闭 `cluster-info` ConfigMap 的公开访问:
```console
$ kubectl -n kube-public delete rolebinding kubeadm:bootstrap-signer-clusterinfo
```shell
kubectl -n kube-public delete rolebinding kubeadm:bootstrap-signer-clusterinfo
```
<!--
These commands should be run after `kubeadm init` but before `kubeadm join`.
### Using kubeadm join with a configuration file {#config-file}
-->
这些命令应该在执行 `kubeadm init` 之后、在`kubeadm join` 之前执行。
<!--
### Using kubeadm join with a configuration file {#config-file}
-->
### 使用带有配置文件的 kubeadm join
{{< caution >}}
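Review bot: the Chinese heading `### 使用带有配置文件的 kubeadm join` drops the `{#config-file}` anchor that the English heading `### Using kubeadm join with a configuration file {#config-file}` carries, so any `#config-file` links into this page will stop resolving; add the anchor to the translated heading. Minor: `之后、在\`kubeadm join\` 之前执行` is missing the space before `kubeadm join` that the rest of the page uses.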
@ -366,25 +480,33 @@ These commands should be run after `kubeadm init` but before `kubeadm join`.
It's possible to configure `kubeadm join` with a configuration file instead of command
line flags, and some more advanced features may only be available as
configuration file options. This file is passed using the `--config` flag and it must
contain a `JoinConfiguration` structure.
To print the default values of `JoinConfiguration` run the following command:
contain a `JoinConfiguration` structure. Mixing `--config` with others flags may not be
allowed in some cases.
-->
可以用配置文件替代命令行参数的方法配置 `kubeadm join`,一些高级功能也只有在使用配置文件时才可选用。
该文件通过 `--config` 参数来传递,并且文件中必须包含 `JoinConfiguration` 结构。
执行下面的命令可以查看 `JoinConfiguration` 默认值:
```bash
kubeadm config print-default --api-objects=JoinConfiguration
```
在某些情况下,不允许将 `--config` 与其他标志混合使用。
<!--
For details on individual fields in `JoinConfiguration` see [the godoc](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#JoinConfiguration).
-->
The default configuration can be printed out using the
[kubeadm config print](/docs/reference/setup-tools/kubeadm/kubeadm-config/) command.
要了解 `JoinConfiguration` 中各个字段的详细信息请参考 [godoc](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#JoinConfiguration)。
If your configuration is not using the latest version it is **recommended** that you migrate using
the [kubeadm config migrate](/docs/reference/setup-tools/kubeadm/kubeadm-config/) command.
-->
使用 [kubeadm config print](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)
命令可以打印默认配置。
如果你的配置没有使用最新版本,
**推荐**使用 [kubeadm config migrate](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)
命令转换。
<!--
For more information on the fields and usage of the configuration you can navigate to our API reference
page and pick a version from [the list](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#pkg-subdirectories).
-->
有关配置的字段和用法的更多信息,你可以导航到我们的 API 参考页
并从[列表]中选择一个版本(https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#pkg-subdirectories)。
## {{% heading "whatsnext" %}}
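Review bot: the link at the end of the new paragraph is broken Markdown: `并从[列表]中选择一个版本(https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#pkg-subdirectories)。` separates the link text from its URL, so it renders as literal brackets and a bare URL; it should be `并从[列表](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#pkg-subdirectories)中选择一个版本。` Also, the copied English comment reads "Mixing `--config` with others flags", which should be "other flags"; since the comment mirrors the English source, fix it upstream as well.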
@ -394,7 +516,7 @@ For details on individual fields in `JoinConfiguration` see [the godoc](https://
* [kubeadm token](/docs/reference/setup-tools/kubeadm/kubeadm-token/) to manage tokens for `kubeadm join`
* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
-->
* [kubeadm init](/docs/reference/setup-tools/kubeadm/kubeadm-init/) 初始化 Kubernetes 主节点
* [kubeadm token](/docs/reference/setup-tools/kubeadm/kubeadm-token/) 管理 `kubeadm join` 的令牌
* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) 将 `kubeadm init``kubeadm join` 对主机的更改恢复到之前状态
* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/) 初始化 Kubernetes 主节点
* [kubeadm token](/zh/docs/reference/setup-tools/kubeadm/kubeadm-token/) 管理 `kubeadm join` 的令牌
* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/) 将 `kubeadm init``kubeadm join` 对主机的更改恢复到之前状态


@ -16,7 +16,7 @@ weight: 90
Hence, you can let kubeadm do some of the work and you can fill in the gaps
if you wish to apply customization.
-->
`kubeadm reset phase` 使能够调用 `reset` 过程的基本原子步骤。因此,如果希望执行自定义操作,可以让 kubeadm 做一些工作,然后由用户来补足剩余操作。
`kubeadm reset phase` 使能够调用 `reset` 过程的基本原子步骤。因此,如果希望执行自定义操作,可以让 kubeadm 做一些工作,然后由用户来补足剩余操作。
<!--
`kubeadm reset phase` is consistent with the [kubeadm reset workflow](/docs/reference/setup-tools/kubeadm/kubeadm-reset/#reset-workflow),
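Review bot: the rewritten sentence `\`kubeadm reset phase\` 使能够调用 \`reset\` 过程的基本原子步骤。` has no subject after "使"; elsewhere in this sync the pronoun is "你" (for example "适合你的环境"), so this should read "使你能够调用".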
@ -35,7 +35,7 @@ and behind the scene both use the same code.
<!--
Using this phase you can execute preflight checks on a node that is being reset.
-->
使用此阶段,可以在要重置的节点上执行启动前检查阶段。
使用此阶段,可以在要重置的节点上执行启动前检查阶段。
{{< tabs name="tab-preflight" >}}
{{< tab name="preflight" include="generated/kubeadm_reset_phase_preflight.md" />}}
@ -49,7 +49,7 @@ Using this phase you can execute preflight checks on a node that is being reset.
<!--
Using this phase you can remove this control-plane node from the ClusterStatus object.
-->
使用此阶段,可以从 ClusterStatus 对象中删除此控制平面节点。
使用此阶段,可以从 ClusterStatus 对象中删除此控制平面节点。
{{< tabs name="tab-update-cluster-status" >}}
{{< tab name="update-cluster-status" include="generated/kubeadm_reset_phase_update-cluster-status.md" />}}
@ -63,7 +63,7 @@ Using this phase you can remove this control-plane node from the ClusterStatus o
<!--
Using this phase you can remove this control-plane node's etcd member from the etcd cluster.
-->
使用此阶段,可以从 etcd 集群中删除此控制平面节点的 etcd 成员。
使用此阶段,可以从 etcd 集群中删除此控制平面节点的 etcd 成员。
{{< tabs name="tab-remove-etcd-member" >}}
{{< tab name="remove-etcd-member" include="generated/kubeadm_reset_phase_remove-etcd-member.md" />}}
@ -77,7 +77,7 @@ Using this phase you can remove this control-plane node's etcd member from the e
<!--
Using this phase you can perform cleanup on this node.
-->
使用此阶段,可以在此节点上执行清理工作。
使用此阶段,可以在此节点上执行清理工作。
{{< tabs name="tab-cleanup-node" >}}
{{< tab name="cleanup-node" include="generated/kubeadm_reset_phase_cleanup-node.md" />}}


@ -35,16 +35,16 @@ etcd member of this node from the etcd cluster and also removes this node's info
To skip a list of phases you can use the `--skip-phases` flag, which works in a similar way to
the `kubeadm join` and `kubeadm init` phase runners. -->
`kubeadm reset phase` 可用于执行上述工作流程的各个阶段。
要跳过阶段列表,可以使用 `--skip-phases` 参数,该参数的工作方式类似于 `kubeadm join``kubeadm init` 阶段运行器。
要跳过阶段列表,可以使用 `--skip-phases` 参数,该参数的工作方式类似于 `kubeadm join``kubeadm init` 阶段运行器。
<!-- ### External etcd clean up -->
### 外部 etcd 清理
<!-- `kubeadm reset` will not delete any etcd data if external etcd is used. This means that if you run `kubeadm init` again using the same etcd endpoints, you will see state from previous clusters. -->
如果使用了外部 etcd`kubeadm reset` 将不会删除任何 etcd 中的数据。这意味着,如果再次使用相同的 etcd 端点运行 `kubeadm init`将看到先前集群的状态。
如果使用了外部 etcd`kubeadm reset` 将不会删除任何 etcd 中的数据。这意味着,如果再次使用相同的 etcd 端点运行 `kubeadm init`将看到先前集群的状态。
<!-- To wipe etcd data it is recommended you use a client like etcdctl, such as: -->
要清理 etcd 中的数据,建议使用 etcdctl 这样的客户端,例如:
要清理 etcd 中的数据,建议使用 etcdctl 这样的客户端,例如:
```bash
etcdctl del "" --prefix
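Review bot: `etcdctl del "" --prefix` deletes every key in the external etcd cluster, and `del` only exists in the etcdctl v3 API (v2 uses `rm`); the surrounding text just says "建议使用 etcdctl 这样的客户端". It would help the reader to state explicitly that the command wipes all keys and to show it with `ETCDCTL_API=3` and the `--endpoints` and certificate flags that a TLS-protected external etcd requires, so nobody runs it against the wrong cluster by accident.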
@ -58,6 +58,6 @@ etcdctl del "" --prefix
<!-- * [kubeadm init](/docs/reference/setup-tools/kubeadm/kubeadm-init/) to bootstrap a Kubernetes control-plane node
* [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) to bootstrap a Kubernetes worker node and join it to the cluster -->
* 参考 [kubeadm init](/docs/reference/setup-tools/kubeadm/kubeadm-init/) 来初始化 Kubernetes 主节点。
* 参考 [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) 来初始化 Kubernetes 工作节点并加入集群。
* 参考 [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/) 来初始化 Kubernetes 主节点。
* 参考 [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/) 来初始化 Kubernetes 工作节点并加入集群。


@ -1,5 +1,5 @@
---
title: kubeadm 令牌
title: kubeadm token
content_type: concept
weight: 70
---
@ -22,14 +22,14 @@ Bootstrap tokens are used for establishing bidirectional trust between a node jo
the cluster and a master node, as described in [authenticating with bootstrap tokens](/docs/reference/access-authn-authz/bootstrap-tokens/).
-->
如[使用引导令牌进行身份验证](/docs/reference/access-authn-authz/bootstrap-tokens/)所描述的,引导令牌用于在即将加入集群的节点和主节点间建立双向认证。
如[使用引导令牌进行身份验证](/zh/docs/reference/access-authn-authz/bootstrap-tokens/)所描述的,引导令牌用于在即将加入集群的节点和主节点间建立双向认证。
<!--
`kubeadm init` creates an initial token with a 24-hour TTL. The following commands allow you to manage
such a token and also to create and manage new ones.
-->
`kubeadm init` 创建了一个有效期为 24 小时的令牌,下面的命令允许管理令牌,也可以创建和管理新的令牌。
`kubeadm init` 创建了一个有效期为 24 小时的令牌,下面的命令允许管理令牌,也可以创建和管理新的令牌。
@ -49,10 +49,7 @@ such a token and also to create and manage new ones.
## {{% heading "whatsnext" %}}
* [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) 引导 Kubernetes 工作节点并将其加入群集
<!--
* [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) to bootstrap a Kubernetes worker node and join it to the cluster
-->
* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/) 引导 Kubernetes 工作节点并将其加入集群


@ -27,6 +27,7 @@ be called on a primary control-plane node.
{{< tabs name="tab-phase" >}}
{{< tab name="phase" include="generated/kubeadm_upgrade_node_phase.md" />}}
{{< tab name="preflight" include="generated/kubeadm_upgrade_node_phase_preflight.md" />}}
{{< tab name="control-plane" include="generated/kubeadm_upgrade_node_phase_control-plane.md" />}}
{{< tab name="kubelet-config" include="generated/kubeadm_upgrade_node_phase_kubelet-config.md" />}}
{{< /tabs >}}
@ -40,8 +41,8 @@ be called on a primary control-plane node.
* [kubeadm upgrade](/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) to upgrade a kubeadm node
* [kubeadm alpha](/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) to try experimental functionality
-->
* [kubeadm init](/docs/reference/setup-tools/kubeadm/kubeadm-init/) 引导一个 Kubernetes 控制平面节点
* [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) 将节点加入到
* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) 还原 `kubeadm init``kubeadm join` 命令对主机所做的任何更改
* [kubeadm upgrade](/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) 升级 kubeadm 节点
* [kubeadm alpha](/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) 尝试实验性功能
* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/) 引导一个 Kubernetes 控制平面节点
* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/) 将节点加入到集
* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/) 还原 `kubeadm init``kubeadm join` 命令对主机所做的任何更改
* [kubeadm upgrade](/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) 升级 kubeadm 节点
* [kubeadm alpha](/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) 尝试实验性功能
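Review bot: the new bullet `* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/) 将节点加入到集` is truncated; the old line was also cut short at "加入到", and the intended text is "将节点加入到集群".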


@ -31,18 +31,18 @@ behind one command, with support for both planning an upgrade and actually perfo
The steps for performing a upgrade using kubeadm are outlined in [this document](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/).
For older versions of kubeadm, please refer to older documentation sets of the Kubernetes website.
-->
[本文档](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)概述了使用 kubeadm 执行升级的步骤。
[本文档](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)概述了使用 kubeadm 执行升级的步骤。
有关 kubeadm 旧版本,请参阅 Kubernetes 网站的旧版文档。
<!--
You can use `kubeadm upgrade diff` to see the changes that would be applied to static pod manifests.
-->
可以使用 `kubeadm upgrade diff` 来查看将应用于静态 pod 清单的更改。
可以使用 `kubeadm upgrade diff` 来查看将应用于静态 pod 清单的更改。
<!--
To use kube-dns with upgrades in Kubernetes v1.13.0 and later please follow [this guide](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon).
-->
要在 Kubernetes v1.13.0 及更高版本中使用 kube-dns 进行升级,请遵循[本指南](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)。
要在 Kubernetes v1.13.0 及更高版本中使用 kube-dns 进行升级,请遵循[本指南](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)。
<!--
In Kubernetes v1.15.0 and later, `kubeadm upgrade apply` and `kubeadm upgrade node` will also
@ -51,9 +51,21 @@ To opt-out, it is possible to pass the flag `--certificate-renewal=false`. For m
renewal see the [certificate management documentation](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs).
-->
在 Kubernetes v1.15.0 和更高版本中,`kubeadm upgrade apply` 和 `kubeadm upgrade node` 也将自动续订该节点上的 kubeadm 托管证书,包括存储在 kubeconfig 文件中的证书。
要选择退出,可以传递参数 `--certificate-renewal=false`。有关证书续订的更多详细信息请参见[证书管理文档](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs)。
要选择退出,可以传递参数 `--certificate-renewal=false`。有关证书续订的更多详细信息请参见[证书管理文档](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs)。
{{< note >}}
<!--
The commands `kubeadm upgrade apply` and `kubeadm upgrade plan` have a legacy `--config`
flag which makes it possible to reconfigure the cluster, while performing planning or upgrade of that particular
control-plane node. Please be aware that the upgrade workflow was not designed for this scenario and there are
reports of unexpected results.
-->
`kubeadm upgrade apply``kubeadm upgrade plan` 命令都具有遗留的 `--config` 标志,
可以在执行特定控制平面节点的规划或升级时重新配置集群。
请注意,升级工作流不是为这种情况而设计的,并且有意外结果的报告。
{{</ note >}}
## kubeadm upgrade plan {#cmd-upgrade-plan}
{{< include "generated/kubeadm_upgrade_plan.md" >}}
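Review bot: the new note closes with `{{</ note >}}` while it opens with `{{< note >}}`; the site's shortcodes are written `{{< /note >}}` (see the `{{< /tabs >}}` closers elsewhere in this change), so use that form for consistency.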
@ -72,5 +84,5 @@ renewal see the [certificate management documentation](/docs/tasks/administer-cl
<!--
* [kubeadm config](/docs/reference/setup-tools/kubeadm/kubeadm-config/) if you initialized your cluster using kubeadm v1.7.x or lower, to configure your cluster for `kubeadm upgrade` -->
* 如果使用 kubeadm v1.7.x 或更低版本初始化集群,则可以参考[kubeadm 配置](/docs/reference/setup-tools/kubeadm/kubeadm-config/)配置集群用于 `kubeadm upgrade`
* 如果使用 kubeadm v1.7.x 或更低版本初始化集群,则可以参考[kubeadm 配置](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)配置集群用于 `kubeadm upgrade`