Merge pull request #27722 from tengqm/zh-sync-kubeadm-2

[zh] Resync kubeadm files (2)
pull/27726/head
Kubernetes Prow Robot 2021-04-26 00:37:02 -07:00 committed by GitHub
commit a3861c0ed1
8 changed files with 2368 additions and 203 deletions


@ -0,0 +1,601 @@
---
title: kube-proxy Configuration (v1alpha1)
content_type: tool-reference
package: kubeproxy.config.k8s.io/v1alpha1
auto_generated: true
---
## Resource Types
- [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration)
## `KubeProxyConfiguration` {#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration}
KubeProxyConfiguration contains everything necessary to configure the
Kubernetes proxy server.
<table class="table">
<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>apiVersion</code><br/>string</td><td><code>kubeproxy.config.k8s.io/v1alpha1</code></td></tr>
<tr><td><code>kind</code><br/>string</td><td><code>KubeProxyConfiguration</code></td></tr>
<tr><td><code>featureGates</code> <B>[Required]</B><br/>
<code>map[string]bool</code>
</td>
<td>
featureGates is a map of feature names to bools that enable or disable alpha/experimental features.</td>
</tr>
<tr><td><code>bindAddress</code> <B>[Required]</B><br/>
<code>string</code>
</td>
<td>
bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0
for all interfaces)</td>
</tr>
<tr><td><code>healthzBindAddress</code> <B>[Required]</B><br/>
<code>string</code>
</td>
<td>
healthzBindAddress is the IP address and port for the health check server to serve on,
defaulting to 0.0.0.0:10256</td>
</tr>
<tr><td><code>metricsBindAddress</code> <B>[Required]</B><br/>
<code>string</code>
</td>
<td>
metricsBindAddress is the IP address and port for the metrics server to serve on,
defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces)</td>
</tr>
<tr><td><code>bindAddressHardFail</code> <B>[Required]</B><br/>
<code>bool</code>
</td>
<td>
bindAddressHardFail, if true, kube-proxy will treat failure to bind to a port as fatal and exit</td>
</tr>
<tr><td><code>enableProfiling</code> <B>[Required]</B><br/>
<code>bool</code>
</td>
<td>
enableProfiling enables profiling via web interface on /debug/pprof handler.
Profiling handlers will be handled by metrics server.</td>
</tr>
<tr><td><code>clusterCIDR</code> <B>[Required]</B><br/>
<code>string</code>
</td>
<td>
clusterCIDR is the CIDR range of the pods in the cluster. It is used to
bridge traffic coming from outside of the cluster. If not provided,
no off-cluster bridging will be performed.</td>
</tr>
<tr><td><code>hostnameOverride</code> <B>[Required]</B><br/>
<code>string</code>
</td>
<td>
hostnameOverride, if non-empty, will be used as the identity instead of the actual hostname.</td>
</tr>
<tr><td><code>clientConnection</code> <B>[Required]</B><br/>
<a href="#ClientConnectionConfiguration"><code>ClientConnectionConfiguration</code></a>
</td>
<td>
clientConnection specifies the kubeconfig file and client connection settings for the proxy
server to use when communicating with the apiserver.</td>
</tr>
<tr><td><code>iptables</code> <B>[Required]</B><br/>
<a href="#kubeproxy-config-k8s-io-v1alpha1-KubeProxyIPTablesConfiguration"><code>KubeProxyIPTablesConfiguration</code></a>
</td>
<td>
iptables contains iptables-related configuration options.</td>
</tr>
<tr><td><code>ipvs</code> <B>[Required]</B><br/>
<a href="#kubeproxy-config-k8s-io-v1alpha1-KubeProxyIPVSConfiguration"><code>KubeProxyIPVSConfiguration</code></a>
</td>
<td>
ipvs contains ipvs-related configuration options.</td>
</tr>
<tr><td><code>oomScoreAdj</code> <B>[Required]</B><br/>
<code>int32</code>
</td>
<td>
oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within
the range [-1000, 1000]</td>
</tr>
<tr><td><code>mode</code> <B>[Required]</B><br/>
<a href="#kubeproxy-config-k8s-io-v1alpha1-ProxyMode"><code>ProxyMode</code></a>
</td>
<td>
mode specifies which proxy mode to use.</td>
</tr>
<tr><td><code>portRange</code> <B>[Required]</B><br/>
<code>string</code>
</td>
<td>
portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed
in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.</td>
</tr>
<tr><td><code>udpIdleTimeout</code> <B>[Required]</B><br/>
<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
</td>
<td>
udpIdleTimeout is how long an idle UDP connection will be kept open (e.g. '250ms', '2s').
Must be greater than 0. Only applicable for proxyMode=userspace.</td>
</tr>
<tr><td><code>conntrack</code> <B>[Required]</B><br/>
<a href="#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConntrackConfiguration"><code>KubeProxyConntrackConfiguration</code></a>
</td>
<td>
conntrack contains conntrack-related configuration options.</td>
</tr>
<tr><td><code>configSyncPeriod</code> <B>[Required]</B><br/>
<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
</td>
<td>
configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater
than 0.</td>
</tr>
<tr><td><code>nodePortAddresses</code> <B>[Required]</B><br/>
<code>[]string</code>
</td>
<td>
nodePortAddresses is the --nodeport-addresses value for kube-proxy process. Values must be valid
IP blocks. These values are as a parameter to select the interfaces where nodeport works.
In case someone would like to expose a service on localhost for local visit and some other interfaces for
particular purpose, a list of IP blocks would do that.
If set it to "127.0.0.0/8", kube-proxy will only select the loopback interface for NodePort.
If set it to a non-zero IP block, kube-proxy will filter that down to just the IPs that applied to the node.
An empty string slice is meant to select all network interfaces.</td>
</tr>
<tr><td><code>winkernel</code> <B>[Required]</B><br/>
<a href="#kubeproxy-config-k8s-io-v1alpha1-KubeProxyWinkernelConfiguration"><code>KubeProxyWinkernelConfiguration</code></a>
</td>
<td>
winkernel contains winkernel-related configuration options.</td>
</tr>
<tr><td><code>showHiddenMetricsForVersion</code> <B>[Required]</B><br/>
<code>string</code>
</td>
<td>
ShowHiddenMetricsForVersion is the version for which you want to show hidden metrics.</td>
</tr>
<tr><td><code>detectLocalMode</code> <B>[Required]</B><br/>
<a href="#kubeproxy-config-k8s-io-v1alpha1-LocalMode"><code>LocalMode</code></a>
</td>
<td>
DetectLocalMode determines mode to use for detecting local traffic, defaults to LocalModeClusterCIDR</td>
</tr>
</tbody>
</table>
## `KubeProxyConntrackConfiguration` {#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConntrackConfiguration}
**Appears in:**
- [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration)
KubeProxyConntrackConfiguration contains conntrack settings for
the Kubernetes proxy server.
<table class="table">
<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>maxPerCore</code> <B>[Required]</B><br/>
<code>int32</code>
</td>
<td>
maxPerCore is the maximum number of NAT connections to track
per CPU core (0 to leave the limit as-is and ignore min).</td>
</tr>
<tr><td><code>min</code> <B>[Required]</B><br/>
<code>int32</code>
</td>
<td>
min is the minimum value of connect-tracking records to allocate,
regardless of conntrackMaxPerCore (set maxPerCore=0 to leave the limit as-is).</td>
</tr>
<tr><td><code>tcpEstablishedTimeout</code> <B>[Required]</B><br/>
<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
</td>
<td>
tcpEstablishedTimeout is how long an idle TCP connection will be kept open
(e.g. '2s'). Must be greater than 0 to set.</td>
</tr>
<tr><td><code>tcpCloseWaitTimeout</code> <B>[Required]</B><br/>
<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
</td>
<td>
tcpCloseWaitTimeout is how long an idle conntrack entry
in CLOSE_WAIT state will remain in the conntrack
table. (e.g. '60s'). Must be greater than 0 to set.</td>
</tr>
</tbody>
</table>
## `KubeProxyIPTablesConfiguration` {#kubeproxy-config-k8s-io-v1alpha1-KubeProxyIPTablesConfiguration}
**Appears in:**
- [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration)
KubeProxyIPTablesConfiguration contains iptables-related configuration
details for the Kubernetes proxy server.
<table class="table">
<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>masqueradeBit</code> <B>[Required]</B><br/>
<code>int32</code>
</td>
<td>
masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using
the pure iptables proxy mode. Values must be within the range [0, 31].</td>
</tr>
<tr><td><code>masqueradeAll</code> <B>[Required]</B><br/>
<code>bool</code>
</td>
<td>
masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode.</td>
</tr>
<tr><td><code>syncPeriod</code> <B>[Required]</B><br/>
<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
</td>
<td>
syncPeriod is the period that iptables rules are refreshed (e.g. '5s', '1m',
'2h22m'). Must be greater than 0.</td>
</tr>
<tr><td><code>minSyncPeriod</code> <B>[Required]</B><br/>
<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
</td>
<td>
minSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m',
'2h22m').</td>
</tr>
</tbody>
</table>
## `KubeProxyIPVSConfiguration` {#kubeproxy-config-k8s-io-v1alpha1-KubeProxyIPVSConfiguration}
**Appears in:**
- [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration)
KubeProxyIPVSConfiguration contains ipvs-related configuration
details for the Kubernetes proxy server.
<table class="table">
<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>syncPeriod</code> <B>[Required]</B><br/>
<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
</td>
<td>
syncPeriod is the period that ipvs rules are refreshed (e.g. '5s', '1m',
'2h22m'). Must be greater than 0.</td>
</tr>
<tr><td><code>minSyncPeriod</code> <B>[Required]</B><br/>
<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
</td>
<td>
minSyncPeriod is the minimum period that ipvs rules are refreshed (e.g. '5s', '1m',
'2h22m').</td>
</tr>
<tr><td><code>scheduler</code> <B>[Required]</B><br/>
<code>string</code>
</td>
<td>
ipvs scheduler</td>
</tr>
<tr><td><code>excludeCIDRs</code> <B>[Required]</B><br/>
<code>[]string</code>
</td>
<td>
excludeCIDRs is a list of CIDR's which the ipvs proxier should not touch
when cleaning up ipvs services.</td>
</tr>
<tr><td><code>strictARP</code> <B>[Required]</B><br/>
<code>bool</code>
</td>
<td>
strict ARP configure arp_ignore and arp_announce to avoid answering ARP queries
from kube-ipvs0 interface</td>
</tr>
<tr><td><code>tcpTimeout</code> <B>[Required]</B><br/>
<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
</td>
<td>
tcpTimeout is the timeout value used for idle IPVS TCP sessions.
The default value is 0, which preserves the current timeout value on the system.</td>
</tr>
<tr><td><code>tcpFinTimeout</code> <B>[Required]</B><br/>
<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
</td>
<td>
tcpFinTimeout is the timeout value used for IPVS TCP sessions after receiving a FIN.
The default value is 0, which preserves the current timeout value on the system.</td>
</tr>
<tr><td><code>udpTimeout</code> <B>[Required]</B><br/>
<a href="https://godoc.org/k8s.io/apimachinery/pkg/apis/meta/v1#Duration"><code>meta/v1.Duration</code></a>
</td>
<td>
udpTimeout is the timeout value used for IPVS UDP packets.
The default value is 0, which preserves the current timeout value on the system.</td>
</tr>
</tbody>
</table>
## `KubeProxyWinkernelConfiguration` {#kubeproxy-config-k8s-io-v1alpha1-KubeProxyWinkernelConfiguration}
**Appears in:**
- [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration)
KubeProxyWinkernelConfiguration contains Windows/HNS settings for
the Kubernetes proxy server.
<table class="table">
<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>networkName</code> <B>[Required]</B><br/>
<code>string</code>
</td>
<td>
networkName is the name of the network kube-proxy will use
to create endpoints and policies</td>
</tr>
<tr><td><code>sourceVip</code> <B>[Required]</B><br/>
<code>string</code>
</td>
<td>
sourceVip is the IP address of the source VIP endoint used for
NAT when loadbalancing</td>
</tr>
<tr><td><code>enableDSR</code> <B>[Required]</B><br/>
<code>bool</code>
</td>
<td>
enableDSR tells kube-proxy whether HNS policies should be created
with DSR</td>
</tr>
</tbody>
</table>
## `LocalMode` {#kubeproxy-config-k8s-io-v1alpha1-LocalMode}
(Alias of `string`)
**Appears in:**
- [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration)
LocalMode represents modes to detect local traffic from the node
## `ProxyMode` {#kubeproxy-config-k8s-io-v1alpha1-ProxyMode}
(Alias of `string`)
**Appears in:**
- [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration)
ProxyMode represents modes used by the Kubernetes proxy server.
Currently, three modes of proxy are available in Linux platform: 'userspace' (older, going to be EOL), 'iptables'
(newer, faster), 'ipvs'(newest, better in performance and scalability).
Two modes of proxy are available in Windows platform: 'userspace'(older, stable) and 'kernelspace' (newer, faster).
In Linux platform, if proxy mode is blank, use the best-available proxy (currently iptables, but may change in the
future). If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are
insufficient, this always falls back to the userspace proxy. IPVS mode will be enabled when proxy mode is set to 'ipvs',
and the fall back path is firstly iptables and then userspace.
In Windows platform, if proxy mode is blank, use the best-available proxy (currently userspace, but may change in the
future). If winkernel proxy is selected, regardless of how, but the Windows kernel can't support this mode of proxy,
this always falls back to the userspace proxy.
## `ClientConnectionConfiguration` {#ClientConnectionConfiguration}
**Appears in:**
- [KubeProxyConfiguration](#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration)
ClientConnectionConfiguration contains details for constructing a client.
<table class="table">
<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
<tbody>
<tr><td><code>kubeconfig</code> <B>[Required]</B><br/>
<code>string</code>
</td>
<td>
kubeconfig is the path to a KubeConfig file.</td>
</tr>
<tr><td><code>acceptContentTypes</code> <B>[Required]</B><br/>
<code>string</code>
</td>
<td>
acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the
default value of 'application/json'. This field will control all connections to the server used by a particular
client.</td>
</tr>
<tr><td><code>contentType</code> <B>[Required]</B><br/>
<code>string</code>
</td>
<td>
contentType is the content type used when sending data to the server from this client.</td>
</tr>
<tr><td><code>qps</code> <B>[Required]</B><br/>
<code>float32</code>
</td>
<td>
qps controls the number of queries per second allowed for this connection.</td>
</tr>
<tr><td><code>burst</code> <B>[Required]</B><br/>
<code>int32</code>
</td>
<td>
burst allows extra queries to accumulate when a client is exceeding its rate.</td>
</tr>
</tbody>
</table>
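Review bot: the descriptions of `enableProfiling` ("Profiling handlers will be handled by metrics server") and `metricsBindAddress` ("defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces)") never say that turning profiling on exposes `/debug/pprof` on whatever address the metrics server is bound to, so a reader changing `metricsBindAddress` to `0.0.0.0` does not learn that pprof goes with it; a sentence to that effect belongs in the `enableProfiling` description. Since the front matter marks this file `auto_generated: true`, that wording, the `endoint` typo in the `sourceVip` description, and the `#ClientConnectionConfiguration` anchor that lacks the `kubeproxy-config-k8s-io-v1alpha1-` prefix used by every other anchor on the page should be fixed in the upstream Go doc comments and the generator rather than edited in this output.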

File diff suppressed because it is too large


@ -46,7 +46,7 @@ with the aim of sharing knowledge on Kubernetes cluster best practices.
- lock-down the kubelet API
- locking down access to the API for system components like the kube-proxy and CoreDNS
- locking down what a Bootstrap Token can access
- **Easy to use**: The user should not have to run anything more than a couple of commands:
- **User-friendly**: The user should not have to run anything more than a couple of commands:
- `kubeadm init`
- `export KUBECONFIG=/etc/kubernetes/admin.conf`
- `kubectl apply -f <network-of-choice.yaml>`
@ -63,7 +63,7 @@ with the aim of sharing knowledge on Kubernetes cluster best practices.
- 锁定 kubelet API
- 锁定对系统组件(例如 kube-proxy 和 CoreDNS的 API 的访问
- 锁定启动引导令牌Bootstrap Token可以访问的内容
- **易用的**:用户只需要运行几个命令即可:
- **用户友好**:用户只需要运行几个命令即可:
- `kubeadm init`
- `export KUBECONFIG=/etc/kubernetes/admin.conf`
- `kubectl apply -f <所选网络.yaml>`
@ -558,7 +558,7 @@ API 服务器的静态 Pod 清单会受到用户提供的以下参数的影响:
- `--requestheader-client-ca-file` to`front-proxy-ca.crt`
- `--proxy-client-cert-file` to `front-proxy-client.crt`
- `--proxy-client-key-file` to `front-proxy-client.key`
- Other flags for securing the front proxy ([API Aggregation](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/aggregated-api-servers.md)) communications:
- Other flags for securing the front proxy ([API Aggregation](/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)) communications:
- `--requestheader-username-headers=X-Remote-User`
- `--requestheader-group-headers=X-Remote-Group`
- `--requestheader-extra-headers-prefix=X-Remote-Extra-`
@ -580,7 +580,7 @@ API 服务器的静态 Pod 清单会受到用户提供的以下参数的影响:
- `--proxy-client-key-file` 设为 `front-proxy-client.key`
- 其他用于保护前端代理(
[API 聚合层](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/api-machinery/aggregated-api-servers.md)
[API 聚合层](/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/)
通信的标志:
- `--requestheader-username-headers=X-Remote-User`
@ -697,7 +697,7 @@ into `/var/lib/kubelet/config/init/kubelet` file.
<!--
The init configuration is used for starting the kubelet on this specific node, providing an alternative for the kubelet drop-in file;
such configuration will be replaced by the kubelet base configuration as described in following steps.
See [set Kubelet parameters via a config file](/docs/tasks/administer-cluster/kubelet-config-file) for additional info.
See [set Kubelet parameters via a config file](/docs/tasks/administer-cluster/kubelet-config-file) for additional information.
-->
初始化配置用于在这个特定节点上启动 kubelet从而为 kubelet 插件文件提供了
一种替代方法。如以下步骤中所述,这种配置将由 kubelet 基本配置所替代。
@ -710,17 +710,24 @@ See [set Kubelet parameters via a config file](/docs/tasks/administer-cluster/ku
<!--
1. To make dynamic kubelet configuration work, flag `--dynamic-config-dir=/var/lib/kubelet/config/dynamic` should be specified
in `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf`
2. The kubelet configuration can be changed by passing a `KubeletConfiguration` object to `kubeadm init` or `kubeadm join` by using
1. The kubelet configuration can be changed by passing a `KubeletConfiguration` object to `kubeadm init` or `kubeadm join` by using
a configuration file `--config some-file.yaml`. The `KubeletConfiguration` object can be separated from other objects such
as `InitConfiguration` using the `---` separator. For more details have a look at the `kubeadm config print-default` command.
-->
1. 要使动态 kubelet 配置生效,应在 `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf`
中指定 `--dynamic-config-dir=/var/lib/kubelet/config/dynamic` 标志。
2. 通过使用配置文件 `--config some-file.yaml``KubeletConfiguration` 对象传递给
1. 通过使用配置文件 `--config some-file.yaml``KubeletConfiguration` 对象传递给
`kubeadm init``kubeadm join` 来更改 kubelet 配置。
可以使用 `---` 分隔符将 `KubeletConfiguration` 对象与其他对象(例如 `InitConfiguration`
分开。更多的详细信息,请查看 `kubeadm config print-default` 命令。
<!--
For more details about the `KubeletConfiguration` struct, take a look at the
[`KubeletConfiguration` reference](/docs/reference/config-api/kubelet-config.v1beta1/).
-->
有关 `KubeletConfiguration` 结构的详细信息,可参阅
[`KubeletConfiguration` 参考文档](/docs/reference/config-api/kubelet-config.v1beta1/)。
<!--
### Wait for the control plane to come up
-->
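Review bot: the new zh link `[`KubeletConfiguration` 参考文档](/docs/reference/config-api/kubelet-config.v1beta1/)` drops the `/zh` prefix that the other localized links in this PR carry (for example `/zh/docs/concepts/extend-kubernetes/api-extension/apiserver-aggregation/`); either point it at `/zh/docs/reference/config-api/kubelet-config.v1beta1/` or confirm that the zh tree has no localized copy of that reference page and that the un-prefixed path resolves from a zh page.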
@ -748,7 +755,7 @@ kubeadm 依靠 kubelet 拉取控制平面镜像并将其作为静态 Pod 正确
-->
### (可选)编写基本 kubelet 配置 {#write-base-kubelet-configuration}
{{< feature-state for_k8s_version="v1.9" state="alpha" >}}
{{< feature-state for_k8s_version="v1.11" state="beta" >}}
<!--
If kubeadm is invoked with `--feature-gates=DynamicKubeletConfig`:
@ -1028,24 +1035,28 @@ A ServiceAccount for `kube-proxy` is created in the `kube-system` namespace; the
- `kube-proxy` 的 ServiceAccount 绑定了 `system:node-proxier` ClusterRole
中的特权
#### DNS {#dns}
#### DNS
<!--
- In Kubernetes version 1.18 kube-dns usage with kubeadm is deprecated and will be removed in a future release
- The CoreDNS service is named `kube-dns`. This is done to prevent any interruption
in service when the user is switching the cluster DNS from kube-dns to CoreDNS or vice-versa
the `--config` method described [here](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
- A ServiceAccount for CoreDNS/kube-dns is created in the `kube-system` namespace.
- The `kube-dns` ServiceAccount is bound to the privileges in the `system:kube-dns` ClusterRole
in service when the user is switching the cluster DNS from kube-dns to CoreDNS,
the `--config` method described [here](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
- A ServiceAccount for CoreDNS is created in the `kube-system` namespace.
- The `coredns` ServiceAccount is bound to the privileges in the `system:coredns` ClusterRole
-->
- 在 Kubernetes 1.18 版本中,通过 kubeadm 部署 kube-dns 这一操作已经弃用,
将在未来的版本中删除。
- CoreDNS 服务的名称为 `kube-dns`。这样做是为了防止当用户将集群 DNS 从 kube-dns
切换到 CoreDNS 或者反过来出现服务中断。`--config` 方法在
切换到 CoreDNS 时出现服务中断。`--config` 方法在
[这里](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
有描述。
- 在 `kube-system` 名字空间中创建 CoreDNS/kube-dns 的 ServiceAccount
- `kube-dns` 的 ServiceAccount 绑定了 `system:kube-dns` ClusterRole 中的特权
- 在 `kube-system` 名字空间中创建 CoreDNS 的 ServiceAccount
- `coredns` 的 ServiceAccount 绑定了 `system:coredns` ClusterRole 中的特权
<!--
In Kubernetes version 1.21, support for using `kube-dns` with kubeadm was removed.
You can use CoreDNS with kubeadm even when the related Service is named `kube-dns`.
-->
在 Kubernetes 1.21 版本中kubeadm 对 `kube-dns` 的支持被移除。
你可以在 kubeadm 使用 CoreDNS即使相关的 Service 名字仍然是 `kube-dns`
<!--
## kubeadm join phases internal design
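Review bot: the bullet saying kube-dns usage with kubeadm is deprecated in 1.18 "and will be removed in a future release" (zh: "将在未来的版本中删除") now sits a few lines above the newly added paragraph stating that support was removed in 1.21, so it reads as stale; reword it to say support was removed in v1.21, as the kubeadm-init page in this same PR does. The rewritten CoreDNS bullet is also still a sentence fragment: "in service when the user is switching the cluster DNS from kube-dns to CoreDNS," runs straight into "the `--config` method described [here]" with nothing joining the two clauses, and the zh rendering mirrors the same break.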
@ -1183,17 +1194,16 @@ when the connection with the cluster is established, kubeadm try to access the `
## TLS 引导 {#tls-boostrap}
<!--
Once the cluster info are known, the file `bootstrap-kubelet.conf` is written, thus allowing kubelet to do TLS Bootstrapping
(conversely until v.1.7 TLS bootstrapping were managed by kubeadm).
Once the cluster info are known, the file `bootstrap-kubelet.conf` is written, thus allowing kubelet to do TLS Bootstrapping.
-->
知道集群信息后,将写入文件 `bootstrap-kubelet.conf`,从而允许 kubelet 执行
TLS 引导(相反,在 v1.7 之前 TLS 引导都是由 kubeadm 管理)
知道集群信息后,kubeadm 将写入文件 `bootstrap-kubelet.conf`,从而允许 kubelet 执行
TLS 引导。
<!--
The TLS bootstrap mechanism uses the shared token to temporarily authenticate with the Kubernetes Master to submit a certificate
The TLS bootstrap mechanism uses the shared token to temporarily authenticate with the Kubernetes API server to submit a certificate
signing request (CSR) for a locally created key pair.
-->
TLS 引导机制使用共享令牌对 Kubernetes 主控节点进行临时身份验证,以便
TLS 引导机制使用共享令牌对 Kubernetes API 服务器进行临时身份验证,以便
为本地创建的密钥对提交证书签名请求CSR
<!--
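Review bot: "Once the cluster info are known" survives the rewrite with the subject-verb disagreement intact; since the line is being rewritten anyway, make it "Once the cluster info is known". The zh rendering "知道集群信息后,kubeadm 将写入文件" adds an explicit subject (kubeadm) that the English passive "the file `bootstrap-kubelet.conf` is written" does not have, which is fine, but the two should be kept in step if the English sentence is touched again.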
@ -1209,7 +1219,7 @@ kubelet 加入集群,同时删除 `bootstrap-kubelet.conf`。
<!--
- The temporary authentication is validated against the token saved during the `kubeadm init` process (or with additional tokens
created with `kubeadm token`)
- The temporary authentication resolve to a user member of `system:bootstrappers:kubeadm:default-node-token` group which was granted
- The temporary authentication resolve to a user member of `system:bootstrappers:kubeadm:default-node-token` group which was granted
access to CSR api during the `kubeadm init` process
- The automatic CSR approval is managed by the csrapprover controller, according with configuration done the `kubeadm init` process
-->
@ -1222,9 +1232,9 @@ kubelet 加入集群,同时删除 `bootstrap-kubelet.conf`。
<!--
### (optional) Write init kubelet configuration
-->
### (可选)编写 init kubelet 配置 {#write-init-kubelet-configuration}
### (可选)写入初始的 kubelet 配置 {#write-init-kubelet-configuration}
{{< feature-state for_k8s_version="v1.9" state="alpha" >}}
{{< feature-state for_k8s_version="v1.11" state="beta" >}}
<!--
If kubeadm is invoked with `--feature-gates=DynamicKubeletConfig`:
@ -1232,14 +1242,14 @@ If kubeadm is invoked with `--feature-gates=DynamicKubeletConfig`:
如果带 `--feature-gates=DynamicKubeletConfig` 参数调用 kubeadm则 kubeadm
<!--
1. Read the kubelet base configuration from the `kubelet-base-config-v1.9` ConfigMap in the `kube-system` namespace using the
1. Read the kubelet base configuration from the `kubelet-base-config-v1.x` ConfigMap in the `kube-system` namespace using the
Bootstrap Token credentials, and write it to disk as kubelet init configuration file `/var/lib/kubelet/config/init/kubelet`
2. As soon as kubelet starts with the Node's own credential (`/etc/kubernetes/kubelet.conf`), update current node configuration
specifying that the source for the node/kubelet configuration is the above ConfigMap.
-->
1. 使用引导令牌凭证从 `kube-system` 名字空间中 ConfigMap `kubelet-base-config-v1.9`
1. 使用引导令牌凭证从 `kube-system` 名字空间中 ConfigMap `kubelet-base-config-v1.x`
中读取 kubelet 基本配置,
并将其作为 kubelet init 配置文件 `/var/lib/kubelet/config/init/kubelet` 写入磁盘。
并将其作为 kubelet 初始配置文件 `/var/lib/kubelet/config/init/kubelet` 写入磁盘。
2. 一旦 kubelet 开始使用节点自己的凭据(`/etc/kubernetes/kubelet.conf`
就更新当前节点配置,指定该节点或 kubelet 配置来自上述 ConfigMap。
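Review bot: replacing `kubelet-base-config-v1.9` with `kubelet-base-config-v1.x` swaps a concrete ConfigMap name for a placeholder, but nothing in the sentence tells the reader what `x` stands for; add a short clause saying the suffix is a placeholder for the version in use, otherwise readers may look for a ConfigMap literally named `kubelet-base-config-v1.x`. The same applies to the zh line.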


@ -18,47 +18,10 @@ weight: 90
请试用这些功能并给我们提供反馈!
{{< /caution >}}
## kubeadm alpha kubeconfig user {#cmd-phase-kubeconfig}
<!--
The `user` subcommand can be used for the creation of kubeconfig files for additional users.
Currently there are no experimental commands under `kubeadm alpha`.
-->
使用子命令 `user` 为其他用户创建 kubeconfig 文件。
{{< tabs name="tab-kubeconfig" >}}
{{< tab name="kubeconfig" include="generated/kubeadm_alpha_kubeconfig.md" />}}
{{< tab name="user" include="generated/kubeadm_alpha_kubeconfig_user.md" />}}
{{< /tabs >}}
## kubeadm alpha kubelet config {#cmd-phase-kubelet}
<!--
Use the following command to enable the DynamicKubeletConfiguration feature.
-->
使用以下命令启用 DynamicKubeletConfiguration 功能。
{{< tabs name="tab-kubelet" >}}
{{< tab name="kubelet" include="generated/kubeadm_alpha_kubelet.md" />}}
{{< tab name="enable-dynamic" include="generated/kubeadm_alpha_kubelet_config_enable-dynamic.md" />}}
{{< /tabs >}}
## kubeadm alpha selfhosting pivot {#cmd-selfhosting}
<!--
The subcommand `pivot` can be used to convert a static Pod-hosted control plane into a self-hosted one.
-->
子命令 `pivot` 可用于将 Pod 托管的静态控制平面转换为自托管的控制平面。
有关 `pivot` 更多信息,请参见
[文档](/zh/docs/setup/production-environment/tools/kubeadm/self-hosting/)。
<!--
[Documentation](/docs/setup/production-environment/tools/kubeadm/self-hosting/)
-->
{{< tabs name="selfhosting" >}}
{{< tab name="selfhosting" include="generated/kubeadm_alpha_selfhosting.md" />}}
{{< tab name="pivot" include="generated/kubeadm_alpha_selfhosting_pivot.md" />}}
{{< /tabs >}}
目前在 `kubeadm alpha` 之下没有试验性质的命令。
## {{% heading "whatsnext" %}}
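Review bot: removing the `kubeadm alpha kubeconfig user`, `kubeadm alpha kubelet config` and `kubeadm alpha selfhosting pivot` sections also removes their anchors (`#cmd-phase-kubeconfig`, `#cmd-phase-kubelet`, `#cmd-selfhosting`) and the link to `/zh/docs/setup/production-environment/tools/kubeadm/self-hosting/`; check the zh tree for inbound links to those anchors and whether the self-hosting page is still referenced from anywhere, or this deletion leaves dangling links. The `{{< tabs >}}` includes of `generated/kubeadm_alpha_*.md` are dropped here as well, so confirm those generated files are either removed or still consumed by another page.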


@ -4,11 +4,9 @@ weight: 90
content_type: concept
---
<!--
---
title: kubeadm init phase
weight: 90
content_type: concept
---
-->
<!--
@ -16,14 +14,15 @@ content_type: concept
Hence, you can let kubeadm do some of the work and you can fill in the gaps
if you wish to apply customization.
-->
`kubeadm init phase` 能确保调用引导过程的原子步骤。因此,如果希望自定义应用,则可以让 kubeadm 做一些工作,然后填补空白。
`kubeadm init phase` 能确保调用引导过程的原子步骤。
因此,如果希望自定义应用,则可以让 kubeadm 做一些工作,然后填补空白。
<!--
`kubeadm init phase` is consistent with the [kubeadm init workflow](/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow),
and behind the scene both use the same code.
-->
`kubeadm init phase` 与 [kubeadm init 工作流](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow)一致,后台都使用相同的代码。
`kubeadm init phase` 与 [kubeadm init 工作流](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow)
一致,后台都使用相同的代码。
<!--
## kubeadm init phase preflight {#cmd-phase-preflight}
@ -143,7 +142,8 @@ Use the following phase to create a local etcd instance based on a static Pod fi
You can use this command to upload the kubeadm configuration to your cluster.
Alternatively, you can use [kubeadm config](/docs/reference/setup-tools/kubeadm/kubeadm-config/).
-->
可以使用此命令将 kubeadm 配置文件上传到集群。或者使用 [kubeadm config](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)。
可以使用此命令将 kubeadm 配置文件上传到集群。或者使用
[kubeadm config](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)。
{{< tabs name="upload-config" >}}
{{< tab name="upload-config" include="generated/kubeadm_init_phase_upload-config.md" />}}
@ -177,7 +177,8 @@ By default the certs and encryption key expire after two hours.
<!--
Use the following phase to label and taint the node with the `node-role.kubernetes.io/master=""` key-value pair.
-->
使用以下阶段来给具有 `node-role.kubernetes.io/master=""` 键值对的节点打标签label和记录污点taint
使用以下阶段来给具有 `node-role.kubernetes.io/master=""` 键值对的节点
打标签label和记录污点taint
{{< tabs name="tab-mark-control-plane" >}}
{{< tab name="mark-control-plane" include="generated/kubeadm_init_phase_mark-control-plane.md" />}}
@ -232,50 +233,12 @@ install them selectively.
{{< tab name="kube-proxy" include="generated/kubeadm_init_phase_addon_kube-proxy.md" />}}
{{< /tabs >}}
<!--
To use kube-dns instead of CoreDNS you have to pass a configuration file:
-->
要使用 kube-dns 代替 CoreDNS必须传递一个配置文件
<!--
# for installing a DNS addon only
# 仅用于安装 DNS 插件
# for creating a complete control plane node
# 用于创建完整的控制平面节点
# for listing or pulling images
# 用于列出或者拉取镜像
# for upgrades
-->
```bash
# 仅用于安装 DNS 插件
kubeadm init phase addon coredns --config=someconfig.yaml
# 用于创建完整的控制平面节点
kubeadm init --config=someconfig.yaml
# 用于列出或者拉取镜像
kubeadm config images list/pull --config=someconfig.yaml
# 升级
kubeadm upgrade apply --config=someconfig.yaml
```
<!--
The file has to contain a [`DNS`](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2#DNS) field in[`ClusterConfiguration`](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2#ClusterConfiguration)
and also a type for the addon - `kube-dns` (default value is `CoreDNS`).
-->
该文件必须在 [`ClusterConfiguration`](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2#ClusterConfiguration) 中包含一个 [`DNS`](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2#DNS) 字段,以及包含一个插件的类型 - `kube-dns`(默认值为 `CoreDNS`)。
```yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
dns:
type: "kube-dns"
```
<!--
For more details on each field in the `v1beta2` configuration you can navigate to our
[API reference pages.] (https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2)
-->
有关 `v1beta2` 配置中每个字段的更多详细信息,可以访问 [API](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2)。
有关 `v1beta2` 配置中每个字段的更多详细信息,可以访问
[API](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2)。
## {{% heading "whatsnext" %}}
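Review bot: with the kube-dns section and its `dns: type: "kube-dns"` `ClusterConfiguration` sample removed, the closing paragraph "For more details on each field in the `v1beta2` configuration you can navigate to our API reference pages" now follows the addon tabs directly and has no configuration sample to refer back to; either move it next to a remaining `--config` mention or reword it so "the `v1beta2` configuration" is introduced first. The retained English comment also still carries the stray space in `[API reference pages.] (https://godoc.org/...)`, which prevents it from rendering as a link if the comment is ever uncommented.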
@ -285,7 +248,11 @@ For more details on each field in the `v1beta2` configuration you can navigate t
* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
* [kubeadm alpha](/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) to try experimental functionality
-->
* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/) 引导 Kubernetes 控制平面节点
* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/) 将节点连接到集群
* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/) 恢复通过 `kubeadm init``kubeadm join` 操作对主机所做的任何更改
* [kubeadm alpha](/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha/) 尝试实验性功能
* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/)
引导 Kubernetes 控制平面节点
* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/)
将节点加入到集群
* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
恢复通过 `kubeadm init``kubeadm join` 操作对主机所做的任何更改
* [kubeadm alpha](/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha/)
尝试实验性功能
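Review bot: in the translated `kubeadm reset` item the two command names run together as `kubeadm init``kubeadm join` with no conjunction between them, whereas the English reads "`kubeadm init` or `kubeadm join`"; it should read `kubeadm init` 或 `kubeadm join`. The same pattern recurs in the `kubeadm reset` item of the kubeadm-join "what's next" hunk later in this commit, so both are worth fixing together.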

@ -129,22 +129,18 @@ following steps:
<!--
1. Installs a DNS server (CoreDNS) and the kube-proxy addon components via the API server.
In Kubernetes version 1.11 and later CoreDNS is the default DNS server.
To install kube-dns instead of CoreDNS, the DNS addon has to be configured in the kubeadm `ClusterConfiguration`.
For more information about the configuration see the section `Using kubeadm init with a configuration file` below.
Please note that although the DNS server is deployed, it will not be scheduled until CNI is installed.
{{< warning >}}
kube-dns usage with kubeadm is deprecated as of v1.18 and will be removed in a future release.
kube-dns usage with kubeadm is deprecated as of v1.18 and is removed in v1.21.
{{< /warning >}}
-->
8. 通过 API 服务器安装一个 DNS 服务器 (CoreDNS) 和 kube-proxy 附加组件。
在 Kubernetes 版本 1.11 和更高版本中CoreDNS 是默认的 DNS 服务器。
要安装 kube-dns 而不是 CoreDNS必须在 kubeadm `ClusterConfiguration` 中配置 DNS 插件。
有关配置的更多信息,请参见下面的"带配置文件使用 kubeadm init" 一节。
请注意,尽管已部署 DNS 服务器,但直到安装 CNI 时才调度它。
{{< warning >}}
从 v1.18 开始,在 kubeadm 中使用 kube-dns 已废弃,并将在以后的版本中将其删除。
从 v1.18 开始,在 kubeadm 中使用 kube-dns 的支持已被废弃,并已在 v1.21 版本中删除。
{{< /warning >}}
<!--
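Review bot: the warning now states that kube-dns support is removed in v1.21, but the same hunk keeps the sentences "To install kube-dns instead of CoreDNS, the DNS addon has to be configured in the kubeadm `ClusterConfiguration`" / "For more information about the configuration see the section `Using kubeadm init with a configuration file` below" and their translation `要安装 kube-dns 而不是 CoreDNS必须在 kubeadm ... 中配置 DNS 插件`, which now describe a configuration that no longer works. Suggest dropping or rewording those two sentences in both the English comment and the translation rather than leaving them directly beside a removal notice; otherwise a reader following the step list will try to configure an addon the release rejects.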
@ -244,7 +240,7 @@ If your configuration is not using the latest version it is **recommended** that
the [kubeadm config migrate](/docs/reference/setup-tools/kubeadm/kubeadm-config/) command.
For more information on the fields and usage of the configuration you can navigate to our API reference
page and pick a version from [the list](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#pkg-subdirectories).
page and pick a version from [the list](https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#section-directories).
-->
可以使用 [kubeadm config print](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)
命令打印出默认配置。
@ -255,7 +251,7 @@ page and pick a version from [the list](https://godoc.org/k8s.io/kubernetes/cmd/
有关配置的字段和用法的更多信息,
你可以访问 API 参考页面并从
[列表](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#pkg-subdirectories)
[列表](https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#section-directories)
中选择一个版本。
<!--
@ -265,15 +261,17 @@ page and pick a version from [the list](https://godoc.org/k8s.io/kubernetes/cmd/
<!--
For information about kube-proxy parameters in the kubeadm configuration see:
- [kube-proxy](https://godoc.org/k8s.io/kubernetes/pkg/proxy/apis/config#KubeProxyConfiguration)
- [kube-proxy reference](/docs/reference/config-api/kube-proxy-config.v1alpha1/)
For information about enabling IPVS mode with kubeadm see:
- [IPVS](https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/README.md)
-->
kubeadm 配置中有关 kube-proxy 的说明请查看:
- [kube-proxy](https://godoc.org/k8s.io/kubernetes/pkg/proxy/apis/config#KubeProxyConfiguration)
- [kube-proxy 参考](/zh/docs/reference/config-api/kube-proxy-config.v1alpha1/)
使用 kubeadm 启用 IPVS 模式的说明请查看:
- [IPVS](https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/README.md)
<!--
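Review bot: the kube-proxy link is moved to the versioned reference page `/docs/reference/config-api/kube-proxy-config.v1alpha1/`, but the IPVS link `https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/README.md` is left pointing at `master`; for a versioned doc set a URL pinned to the release branch these docs track would keep the README from drifting away from the kube-proxy reference this hunk just aligned it with.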

@ -47,7 +47,7 @@ This action consists of the following steps:
with the Kubernetes API server to submit a certificate signing request (CSR); by
default the control plane signs this CSR request automatically.
-->
1. 一旦知道集群信息kubelet 就可以开始 TLS 引导过程。
2. 一旦知道集群信息kubelet 就可以开始 TLS 引导过程。
TLS 引导程序使用共享令牌与 Kubernetes API 服务器进行临时的身份验证,以提交证书签名请求 (CSR)
默认情况下,控制平面自动对该 CSR 请求进行签名。
@ -56,7 +56,7 @@ This action consists of the following steps:
1. Finally, kubeadm configures the local kubelet to connect to the API
server with the definitive identity assigned to the node.
-->
1. 最后kubeadm 配置本地 kubelet 使用分配给节点的确定标识连接到 API 服务器。
3. 最后kubeadm 配置本地 kubelet 使用分配给节点的确定标识连接到 API 服务器。
<!--
For control-plane nodes additional steps are performed:
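Review bot: this hunk and the one above it renumber the translated steps from `1.` to `2.` and `3.` while the English source comment keeps `1.` for every item and lets Markdown count; that is fine only if the first translated item of this list (outside the hunk) is also written as `1.`, otherwise the rendered numbering restarts and no longer matches the English. Worth checking the first item before merging.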
@ -134,7 +134,8 @@ The right method for your environment depends on how you provision nodes and the
security expectations you have about your network and node lifecycles.
-->
Kubeadm 的发现有几个选项,每个选项都有安全性上的优缺点。
适合你的环境的正确方法取决于节点是如何准备的以及你对网络的安全性期望和节点的生命周期特点。
适合你的环境的正确方法取决于节点是如何准备的以及你对网络的安全性期望
和节点的生命周期特点。
<!--
#### Token-based discovery with CA pinning
@ -171,14 +172,18 @@ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outfor
-->
**`kubeadm join` 命令示例**
<!-- For worker nodes: -->
<!--
For worker nodes:
-->
对于工作节点:
```shell
kubeadm join --discovery-token abcdef.1234567890abcdef --discovery-token-ca-cert-hash sha256:1234..cdef 1.2.3.4:6443
```
<!-- For control-plane nodes: -->
<!--
For control-plane nodes:
-->
对于控制面节点:
```shell
@ -200,26 +205,28 @@ if the `kubeadm init` command was called with `--upload-certs`.
master even if other worker nodes or the network are compromised.
- Convenient to execute manually since all of the information required fits
into a single `kubeadm join` command that is easy to copy and paste.
into a single `kubeadm join` command.
-->
**优势:**
- 允许引导节点安全地发现主节点的信任根,即使其他工作节点或网络受到损害。
- 方便手动执行,因为所需的所有信息都适合于易于复制和粘贴的单个 `kubeadm join` 命令。
- 允许引导节点安全地发现主节点的信任根,即使其他工作节点或网络受到损害。
- 方便手动执行,因为所需的所有信息都可放到一个 `kubeadm join` 命令中。
<!--
**Disadvantages:**
- The CA hash is not normally known until the master has been provisioned,
which can make it more difficult to build automated provisioning tools that
use kubeadm. By generating your CA in beforehand, you may workaround this
limitation though.
- The CA hash is not normally known until the master has been provisioned,
which can make it more difficult to build automated provisioning tools that
use kubeadm. By generating your CA in beforehand, you may workaround this
limitation though.
-->
**劣势:**
- CA 哈希通常在主节点被提供之前是不知道的,这使得构建使用 kubeadm 的自动化配置工具更加困难。
通过预先生成CA你可以解除这个限制。
- CA 哈希通常在主节点被提供之前是不知道的,这使得构建使用 kubeadm 的自动化配置工具更加困难。
通过预先生成CA你可以解除这个限制。
<!--
#### Token-based discovery without CA pinning
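Review bot: the English lines "master even if other worker nodes or the network are compromised" / "The CA hash is not normally known until the master has been provisioned" and the translations `主节点` in this hunk keep master terminology, while the `kubeadm join` example headings in this same file already say "对于控制面节点"; since the hunk rewrites the advantages list anyway, it is a good moment to align on control plane / 控制平面. The updated translation `所需的所有信息都可放到一个 \`kubeadm join\` 命令中` does match the shortened English ("fits into a single `kubeadm join` command"), so no issue there.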
@ -238,7 +245,8 @@ using one of the other modes if possible.
-->
_这是 Kubernetes 1.7 和早期版本_中的默认设置使用时要注意一些重要的补充说明。
此模式仅依赖于对称令牌来签名(HMAC-SHA256)发现信息,这些发现信息为主节点建立信任根。
在 Kubernetes 1.8 及以上版本中仍然可以使用 `--discovery-token-unsafe-skip-ca-verification` 参数,但是如果可能的话,你应该考虑使用一种其他模式。
在 Kubernetes 1.8 及以上版本中仍然可以使用 `--discovery-token-unsafe-skip-ca-verification`
参数,但是如果可能的话,你应该考虑使用一种其他模式。
**`kubeadm join` 命令示例**
@ -249,33 +257,34 @@ kubeadm join --token abcdef.1234567890abcdef --discovery-token-unsafe-skip-ca-ve
<!--
**Advantages:**
- Still protects against many network-level attacks.
- Still protects against many network-level attacks.
- The token can be generated ahead of time and shared with the master and
worker nodes, which can then bootstrap in parallel without coordination. This
allows it to be used in many provisioning scenarios.
- The token can be generated ahead of time and shared with the master and
worker nodes, which can then bootstrap in parallel without coordination. This
allows it to be used in many provisioning scenarios.
-->
**优势**
- 仍然可以防止许多网络级攻击。
- 仍然可以防止许多网络级攻击。
- 可以提前生成令牌并与主节点和工作节点共享,这样主节点和工作节点就可以并行引导而无需协调。
这允许它在许多配置场景中使用。
- 可以提前生成令牌并与主节点和工作节点共享,这样主节点和工作节点就可以并行引导而无需协调。
这允许它在许多配置场景中使用。
<!--
**Disadvantages:**
- If an attacker is able to steal a bootstrap token via some vulnerability,
they can use that token (along with network-level access) to impersonate the
master to other bootstrapping nodes. This may or may not be an appropriate
tradeoff in your environment.
- If an attacker is able to steal a bootstrap token via some vulnerability,
they can use that token (along with network-level access) to impersonate the
master to other bootstrapping nodes. This may or may not be an appropriate
tradeoff in your environment.
-->
**劣势**
- 如果攻击者能够通过某些漏洞窃取引导令牌,那么他们可以使用该令牌(连同网络级访问)为其它处于引导过程中的节点提供假冒的主节点。
在你的环境中,这可能是一个适当的折衷方法,也可能不是。
- 如果攻击者能够通过某些漏洞窃取引导令牌,那么他们可以使用该令牌(连同网络级访问)
为其它处于引导过程中的节点提供假冒的主节点。
在你的环境中,这可能是一个适当的折衷方法,也可能不是。
<!--
#### File or HTTPS-based discovery
@ -292,7 +301,8 @@ In case the discovery file does not contain credentials, the TLS discovery token
-->
这种方案提供了一种带外方式在主节点和引导节点之间建立信任根。
如果使用 kubeadm 构建自动配置,请考虑使用此模式。
发现文件的格式为常规的 Kubernetes [kubeconfig](/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) 文件。
发现文件的格式为常规的 Kubernetes
[kubeconfig](/zh/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) 文件。
如果发现文件不包含凭据,则将使用 TLS 发现令牌。
@ -300,35 +310,36 @@ In case the discovery file does not contain credentials, the TLS discovery token
**Example `kubeadm join` commands:**
-->
**`kubeadm join` 命令示例:**
- `kubeadm join --discovery-file path/to/file.conf` (本地文件)
- `kubeadm join --discovery-file https://url/file.conf` (远程 HTTPS URL)
- `kubeadm join --discovery-file path/to/file.conf` (本地文件)
- `kubeadm join --discovery-file https://url/file.conf` (远程 HTTPS URL)
<!--
**Advantages:**
- Allows bootstrapping nodes to securely discover a root of trust for the
master even if the network or other worker nodes are compromised.
- Allows bootstrapping nodes to securely discover a root of trust for the
master even if the network or other worker nodes are compromised.
-->
**优势:**
- 允许引导节点安全地发现主节点的信任根,即使网络或其他工作节点受到损害。
- 允许引导节点安全地发现主节点的信任根,即使网络或其他工作节点受到损害。
<!--
**Disadvantages:**
- Requires that you have some way to carry the discovery information from
the master to the bootstrapping nodes. This might be possible, for example,
via your cloud provider or provisioning tool. The information in this file is
not secret, but HTTPS or equivalent is required to ensure its integrity.
- Requires that you have some way to carry the discovery information from
the master to the bootstrapping nodes. This might be possible, for example,
via your cloud provider or provisioning tool. The information in this file is
not secret, but HTTPS or equivalent is required to ensure its integrity.
-->
**劣势:**
- 要求你有某种方法将发现信息从主节点传送到引导节点。
例如,这可以通过云提供商或驱动工具实现。
该文件中的信息不是加密的,而是需要 HTTPS 或等效文件来保证其完整性。
- 要求你有某种方法将发现信息从主节点传送到引导节点。
例如,这可以通过云提供商或驱动工具实现。
该文件中的信息不是加密的,而是需要 HTTPS 或等效文件来保证其完整性。
<!--
### Securing your installation even more {#securing-more}
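Review bot: the translated disadvantage `该文件中的信息不是加密的,而是需要 HTTPS 或等效文件来保证其完整性` changes the meaning of the English "The information in this file is not secret, but HTTPS or equivalent is required to ensure its integrity": "not secret" became "not encrypted", and "HTTPS or equivalent" became "HTTPS or an equivalent file". The point of the English is that the discovery file needs integrity protection, not confidentiality; since the hunk already rewraps this line, suggest `该文件中的信息并非机密,但需要通过 HTTPS 或等效机制来保证其完整性`.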
@ -352,7 +363,8 @@ By default, there is a CSR auto-approver enabled that basically approves any cli
for a kubelet when a Bootstrap Token was used when authenticating. If you don't want the cluster to
automatically approve kubelet client certs, you can turn it off by executing this command:
-->
默认情况下Kubernetes 启用了 CSR 自动批准器,如果在身份验证时使用 Bootstrap Token它会批准对 kubelet 的任何客户端证书的请求。
默认情况下Kubernetes 启用了 CSR 自动批准器,如果在身份验证时使用启动引导令牌,
它会批准对 kubelet 的任何客户端证书的请求。
如果不希望集群自动批准kubelet客户端证书可以通过执行以下命令关闭它
```shell
@ -362,13 +374,15 @@ kubectl delete clusterrolebinding kubeadm:node-autoapprove-bootstrap
<!--
After that, `kubeadm join` will block until the admin has manually approved the CSR in flight:
-->
关闭后,`kubeadm join` 操作将会被阻,直到管理员已经手动批准了在途中的 CSR 才会继续:
关闭后,`kubeadm join` 操作将会被阻,直到管理员已经手动批准了在途中的 CSR 才会继续:
```shell
kubectl get csr
```
<!-- The output is similar to this: -->
<!--
The output is similar to this:
-->
输出类似于:
```
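Review bot: `将会被阻` in both the old and the new line reads as a truncation of `阻塞` ("will block"); since the hunk already touches the surrounding comment, suggest `关闭后,\`kubeadm join\` 操作将会阻塞,直到管理员手动批准了在途的 CSR 才会继续`, which also drops the redundant `已经`.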
@ -380,7 +394,9 @@ node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ 18s system:bootstra
kubectl certificate approve node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ
```
<!-- The output is similar to this: -->
<!--
The output is similar to this:
-->
输出类似于:
```
@ -391,7 +407,9 @@ certificatesigningrequest "node-csr-c69HXe7aYcqkS1bKmH4faEnHAWxn6i2bHZ2mD04jZyQ"
kubectl get csr
```
<!-- The output is similar to this: -->
<!--
The output is similar to this:
-->
输出类似于:
```
@ -416,7 +434,8 @@ default. While there is no private data in this ConfigMap, some users might wish
it off regardless. Doing so will disable the ability to use the `--discovery-token` flag of the
`kubeadm join` flow. Here are the steps to do so:
-->
为了实现使用令牌作为唯一验证信息的加入工作流,默认情况下会公开带有验证主节点标识所需数据的 ConfigMap。
为了实现使用令牌作为唯一验证信息的加入工作流,默认情况下会公开带有验证主节点标识
所需数据的 ConfigMap。
虽然此 ConfigMap 中没有私有数据,但一些用户可能希望无论如何都关闭它。
这样做需要禁用 `kubeadm join` 工作流的 `--discovery-token` 参数。
以下是实现步骤:
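Review bot: `这样做需要禁用 \`kubeadm join\` 工作流的 \`--discovery-token\` 参数` says that turning the ConfigMap off requires disabling the flag, whereas the English "Doing so will disable the ability to use the `--discovery-token` flag of the `kubeadm join` flow" states a consequence; suggest `这样做会使 \`kubeadm join\` 工作流无法再使用 \`--discovery-token\` 参数`. The rest of the rewrap (`默认情况下会公开带有验证主节点标识所需数据的 ConfigMap`) matches the English.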
@ -430,7 +449,9 @@ it off regardless. Doing so will disable the ability to use the `--discovery-tok
kubectl -n kube-public get cm cluster-info -o yaml | grep "kubeconfig:" -A11 | grep "apiVersion" -A10 | sed "s/ //" | tee cluster-info.yaml
```
<!-- The output is similar to this: -->
<!--
The output is similar to this:
-->
输出类似于:
```
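Review bot: the extraction pipeline `kubectl -n kube-public get cm cluster-info -o yaml | grep "kubeconfig:" -A11 | grep "apiVersion" -A10 | sed "s/ //" | tee cluster-info.yaml` depends on the kubeconfig embedded in the ConfigMap being exactly 11 lines long and indented by four spaces; if the layout of that embedded kubeconfig changes, the file is silently truncated. `kubectl -n kube-public get cm cluster-info -o jsonpath='{.data.kubeconfig}' | tee cluster-info.yaml` returns the whole field regardless of its length. The hunk only reformats the comment, but the resulting file is what nodes are later handed via `--discovery-file`, so a truncated copy is worth guarding against.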
@ -457,9 +478,9 @@ users: []
* 关闭 `cluster-info` ConfigMap 的公开访问:
```shell
kubectl -n kube-public delete rolebinding kubeadm:bootstrap-signer-clusterinfo
```
```shell
kubectl -n kube-public delete rolebinding kubeadm:bootstrap-signer-clusterinfo
```
<!--
These commands should be run after `kubeadm init` but before `kubeadm join`.
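Review bot: the sentence "These commands should be run after `kubeadm init` but before `kubeadm join`" should also say what joins look like afterwards: deleting the `kubeadm:bootstrap-signer-clusterinfo` rolebinding removes the anonymous read of `cluster-info` that `--discovery-token` relies on, so subsequent joins have to use the `--discovery-file` form documented earlier in this file. One sentence here saves readers from discovering it when a join hangs.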
@ -516,7 +537,10 @@ page and pick a version from [the list](https://godoc.org/k8s.io/kubernetes/cmd/
* [kubeadm token](/docs/reference/setup-tools/kubeadm/kubeadm-token/) to manage tokens for `kubeadm join`
* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
-->
* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/) 初始化 Kubernetes 主节点
* [kubeadm token](/zh/docs/reference/setup-tools/kubeadm/kubeadm-token/) 管理 `kubeadm join` 的令牌
* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/) 将 `kubeadm init``kubeadm join` 对主机的更改恢复到之前状态
* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/)
初始化 Kubernetes 主节点
* [kubeadm token](/zh/docs/reference/setup-tools/kubeadm/kubeadm-token/)
管理 `kubeadm join` 的令牌
* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset/)
`kubeadm init``kubeadm join` 对主机的更改恢复到之前状态
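Review bot: the translated `kubeadm reset` item again runs the two commands together as `kubeadm init``kubeadm join` with no conjunction (English: "`kubeadm init` or `kubeadm join`"); it should read `kubeadm init` 或 `kubeadm join`. Also `初始化 Kubernetes 主节点` keeps master terminology while the rest of this file has moved to 控制面节点 / control-plane node.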

@ -3,7 +3,7 @@ title: kubeadm upgrade
content_type: concept
weight: 40
---
<!-- ---
<!--
reviewers:
- mikedanese
- luxas
@ -11,7 +11,7 @@ reviewers:
title: kubeadm upgrade
content_type: concept
weight: 40
--- -->
-->
<!-- overview -->
<!--
@ -19,30 +19,25 @@ weight: 40
behind one command, with support for both planning an upgrade and actually performing it. -->
`kubeadm upgrade` 是一个对用户友好的命令,它将复杂的升级逻辑包装在一个命令后面,支持升级的规划和实际执行。
<!-- body -->
<!--
## kubeadm upgrade guidance
-->
## kubeadm 升级指南
## kubeadm upgrade 指南
<!--
The steps for performing a upgrade using kubeadm are outlined in [this document](/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/).
For older versions of kubeadm, please refer to older documentation sets of the Kubernetes website.
-->
[本文档](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)概述了使用 kubeadm 执行升级的步骤。
有关 kubeadm 旧版本,请参阅 Kubernetes 网站的旧版文档。
[本文档](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/)概述
使用 kubeadm 执行升级的步骤。
与 kubeadm 旧版本相关的文档,请参阅 Kubernetes 网站的旧版文档。
<!--
You can use `kubeadm upgrade diff` to see the changes that would be applied to static pod manifests.
-->
你可以使用 `kubeadm upgrade diff` 来查看将应用于静态 pod 清单的更改。
<!--
To use kube-dns with upgrades in Kubernetes v1.13.0 and later please follow [this guide](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon).
-->
要在 Kubernetes v1.13.0 及更高版本中使用 kube-dns 进行升级,请遵循[本指南](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)。
你可以使用 `kubeadm upgrade diff` 来查看将应用于静态 Pod 清单的更改。
<!--
In Kubernetes v1.15.0 and later, `kubeadm upgrade apply` and `kubeadm upgrade node` will also
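Review bot: removing the kube-dns upgrade paragraph ("To use kube-dns with upgrades in Kubernetes v1.13.0 and later please follow [this guide](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)" and its translation) is consistent with the v1.21 removal noted in the kubeadm-init file of this commit, but the target of that link, the `#cmd-phase-addon` section of the kubeadm-init-phase file, still documents `dns:` / `type: "kube-dns"` in this same commit; the two pages should be brought in line. Separately, the English comment still reads "performing a upgrade" (should be "an upgrade"), and the heading change from `## kubeadm 升级指南` to `## kubeadm upgrade 指南` is fine since `kubeadm upgrade` is the command name.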
@ -50,8 +45,10 @@ automatically renew the kubeadm managed certificates on this node, including tho
To opt-out, it is possible to pass the flag `--certificate-renewal=false`. For more details about certificate
renewal see the [certificate management documentation](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs).
-->
在 Kubernetes v1.15.0 和更高版本中,`kubeadm upgrade apply` 和 `kubeadm upgrade node` 也将自动续订该节点上的 kubeadm 托管证书,包括存储在 kubeconfig 文件中的证书。
要选择退出,可以传递参数 `--certificate-renewal=false`。有关证书续订的更多详细信息请参见[证书管理文档](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs)。
在 Kubernetes v1.15.0 和更高版本中,`kubeadm upgrade apply` 和 `kubeadm upgrade node`
也将自动续订该节点上的 kubeadm 托管证书,包括存储在 kubeconfig 文件中的证书。
要选择退出,可以传递参数 `--certificate-renewal=false`
有关证书续订的更多详细信息请参见[证书管理文档](/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs)。
{{< note >}}
@ -78,11 +75,12 @@ reports of unexpected results.
## kubeadm upgrade node {#cmd-upgrade-node}
{{< include "generated/kubeadm_upgrade_node.md" >}}
## {{% heading "whatsnext" %}}
<!--
* [kubeadm config](/docs/reference/setup-tools/kubeadm/kubeadm-config/) if you initialized your cluster using kubeadm v1.7.x or lower, to configure your cluster for `kubeadm upgrade` -->
* 如果你使用 kubeadm v1.7.x 或更低版本初始化集群,则可以参考[kubeadm 配置](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)配置集群用于 `kubeadm upgrade`
* [kubeadm config](/docs/reference/setup-tools/kubeadm/kubeadm-config/) if you initialized your cluster using kubeadm v1.7.x or lower, to configure your cluster for `kubeadm upgrade`
-->
* 如果你使用 kubeadm v1.7.x 或更低版本初始化集群,则可以参考
[kubeadm 配置](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config/)
配置集群用于 `kubeadm upgrade`