commit
b4c41c87ee
|
@ -6,7 +6,7 @@ weight: 20
|
||||||
|
|
||||||
<!-- overview -->
|
<!-- overview -->
|
||||||
|
|
||||||
This command initializes a Kubernetes control-plane node.
|
This command initializes a Kubernetes control plane node.
|
||||||
|
|
||||||
<!-- body -->
|
<!-- body -->
|
||||||
|
|
||||||
|
@ -14,7 +14,7 @@ This command initializes a Kubernetes control-plane node.
|
||||||
|
|
||||||
### Init workflow {#init-workflow}
|
### Init workflow {#init-workflow}
|
||||||
|
|
||||||
`kubeadm init` bootstraps a Kubernetes control-plane node by executing the
|
`kubeadm init` bootstraps a Kubernetes control plane node by executing the
|
||||||
following steps:
|
following steps:
|
||||||
|
|
||||||
1. Runs a series of pre-flight checks to validate the system state
|
1. Runs a series of pre-flight checks to validate the system state
|
||||||
|
@ -25,11 +25,11 @@ following steps:
|
||||||
1. Generates a self-signed CA to set up identities for each component in the cluster. The user can provide their
|
1. Generates a self-signed CA to set up identities for each component in the cluster. The user can provide their
|
||||||
own CA cert and/or key by dropping it in the cert directory configured via `--cert-dir`
|
own CA cert and/or key by dropping it in the cert directory configured via `--cert-dir`
|
||||||
(`/etc/kubernetes/pki` by default).
|
(`/etc/kubernetes/pki` by default).
|
||||||
The APIServer certs will have additional SAN entries for any `--apiserver-cert-extra-sans`
|
The API server certs will have additional SAN entries for any `--apiserver-cert-extra-sans`
|
||||||
arguments, lowercased if necessary.
|
arguments, lowercased if necessary.
|
||||||
|
|
||||||
1. Writes kubeconfig files in `/etc/kubernetes/` for the kubelet, the controller-manager and the
|
1. Writes kubeconfig files in `/etc/kubernetes/` for the kubelet, the controller-manager, and the
|
||||||
scheduler to use to connect to the API server, each with its own identity. Also
|
scheduler to connect to the API server, each with its own identity. Also
|
||||||
additional kubeconfig files are written, for kubeadm as administrative entity (`admin.conf`)
|
additional kubeconfig files are written, for kubeadm as administrative entity (`admin.conf`)
|
||||||
and for a super admin user that can bypass RBAC (`super-admin.conf`).
|
and for a super admin user that can bypass RBAC (`super-admin.conf`).
|
||||||
|
|
||||||
|
@ -42,13 +42,13 @@ following steps:
|
||||||
|
|
||||||
Once control plane Pods are up and running, the `kubeadm init` sequence can continue.
|
Once control plane Pods are up and running, the `kubeadm init` sequence can continue.
|
||||||
|
|
||||||
1. Apply labels and taints to the control-plane node so that no additional workloads will
|
1. Apply labels and taints to the control plane node so that no additional workloads will
|
||||||
run there.
|
run there.
|
||||||
|
|
||||||
1. Generates the token that additional nodes can use to register
|
1. Generates the token that additional nodes can use to register
|
||||||
themselves with a control-plane in the future. Optionally, the user can provide a
|
themselves with a control plane in the future. Optionally, the user can provide a
|
||||||
token via `--token`, as described in the
|
token via `--token`, as described in the
|
||||||
[kubeadm token](/docs/reference/setup-tools/kubeadm/kubeadm-token/) docs.
|
[kubeadm token](/docs/reference/setup-tools/kubeadm/kubeadm-token/) documents.
|
||||||
|
|
||||||
1. Makes all the necessary configurations for allowing node joining with the
|
1. Makes all the necessary configurations for allowing node joining with the
|
||||||
[Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) and
|
[Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) and
|
||||||
|
@ -62,7 +62,7 @@ following steps:
|
||||||
|
|
||||||
- Configure auto-approval for new CSR requests.
|
- Configure auto-approval for new CSR requests.
|
||||||
|
|
||||||
See [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) for additional info.
|
See [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) for additional information.
|
||||||
|
|
||||||
1. Installs a DNS server (CoreDNS) and the kube-proxy addon components via the API server.
|
1. Installs a DNS server (CoreDNS) and the kube-proxy addon components via the API server.
|
||||||
In Kubernetes version 1.11 and later CoreDNS is the default DNS server.
|
In Kubernetes version 1.11 and later CoreDNS is the default DNS server.
|
||||||
|
@ -74,7 +74,7 @@ following steps:
|
||||||
|
|
||||||
### Using init phases with kubeadm {#init-phases}
|
### Using init phases with kubeadm {#init-phases}
|
||||||
|
|
||||||
Kubeadm allows you to create a control-plane node in phases using the `kubeadm init phase` command.
|
kubeadm allows you to create a control plane node in phases using the `kubeadm init phase` command.
|
||||||
|
|
||||||
To view the ordered list of phases and sub-phases you can call `kubeadm init --help`. The list
|
To view the ordered list of phases and sub-phases you can call `kubeadm init --help`. The list
|
||||||
will be located at the top of the help screen and each phase will have a description next to it.
|
will be located at the top of the help screen and each phase will have a description next to it.
|
||||||
|
@ -117,13 +117,13 @@ Alternatively, you can use the `skipPhases` field under `InitConfiguration`.
|
||||||
### Using kubeadm init with a configuration file {#config-file}
|
### Using kubeadm init with a configuration file {#config-file}
|
||||||
|
|
||||||
{{< caution >}}
|
{{< caution >}}
|
||||||
The config file is still considered beta and may change in future versions.
|
The configuration file is still considered beta and may change in future versions.
|
||||||
{{< /caution >}}
|
{{< /caution >}}
|
||||||
|
|
||||||
It's possible to configure `kubeadm init` with a configuration file instead of command
|
It's possible to configure `kubeadm init` with a configuration file instead of command
|
||||||
line flags, and some more advanced features may only be available as
|
line flags, and some more advanced features may only be available as
|
||||||
configuration file options. This file is passed using the `--config` flag and it must
|
configuration file options. This file is passed using the `--config` flag and it must
|
||||||
contain a `ClusterConfiguration` structure and optionally more structures separated by `---\n`
|
contain a `ClusterConfiguration` structure and optionally more structures separated by `---\n`.
|
||||||
Mixing `--config` with others flags may not be allowed in some cases.
|
Mixing `--config` with others flags may not be allowed in some cases.
|
||||||
|
|
||||||
The default configuration can be printed out using the
|
The default configuration can be printed out using the
|
||||||
|
@ -137,7 +137,7 @@ For more information on the fields and usage of the configuration you can naviga
|
||||||
|
|
||||||
### Using kubeadm init with feature gates {#feature-gates}
|
### Using kubeadm init with feature gates {#feature-gates}
|
||||||
|
|
||||||
Kubeadm supports a set of feature gates that are unique to kubeadm and can only be applied
|
kubeadm supports a set of feature gates that are unique to kubeadm and can only be applied
|
||||||
during cluster creation with `kubeadm init`. These features can control the behavior
|
during cluster creation with `kubeadm init`. These features can control the behavior
|
||||||
of the cluster. Feature gates are removed after a feature graduates to GA.
|
of the cluster. Feature gates are removed after a feature graduates to GA.
|
||||||
|
|
||||||
|
@ -190,10 +190,12 @@ kubeadm will attempt to read the CRI socket value from the file `/var/lib/kubele
|
||||||
: With this feature gate enabled, kubeadm will wait for all control plane components (kube-apiserver,
|
: With this feature gate enabled, kubeadm will wait for all control plane components (kube-apiserver,
|
||||||
kube-controller-manager, kube-scheduler) on a control plane node to report status 200 on their `/livez`
|
kube-controller-manager, kube-scheduler) on a control plane node to report status 200 on their `/livez`
|
||||||
or `/healthz` endpoints. These checks are performed on `https://ADDRESS:PORT/ENDPOINT`.
|
or `/healthz` endpoints. These checks are performed on `https://ADDRESS:PORT/ENDPOINT`.
|
||||||
|
|
||||||
- `PORT` is taken from `--secure-port` of a component.
|
- `PORT` is taken from `--secure-port` of a component.
|
||||||
- `ADDRESS` is `--advertise-address` for kube-apiserver and `--bind-address` for the kube-controller-manager
|
- `ADDRESS` is `--advertise-address` for kube-apiserver and `--bind-address` for the
|
||||||
and kube-scheduler.
|
kube-controller-manager and kube-scheduler.
|
||||||
- `ENDPOINT` is only `/healthz` for kube-controller-manager until it supports `/livez` as well.
|
- `ENDPOINT` is only `/healthz` for kube-controller-manager until it supports `/livez` as well.
|
||||||
|
|
||||||
If you specify custom `ADDRESS` or `PORT` in the kubeadm configuration they will be respected.
|
If you specify custom `ADDRESS` or `PORT` in the kubeadm configuration they will be respected.
|
||||||
Without the feature gate enabled, kubeadm will only wait for the kube-apiserver
|
Without the feature gate enabled, kubeadm will only wait for the kube-apiserver
|
||||||
on a control plane node to become ready. The wait process starts right after the kubelet on the host
|
on a control plane node to become ready. The wait process starts right after the kubelet on the host
|
||||||
|
@ -248,28 +250,32 @@ If you set this flag to `false`, the name of the ConfigMap includes the major an
|
||||||
(for example: `kubelet-config-{{< skew currentVersion >}}`). Kubeadm ensures that RBAC rules for reading and writing
|
(for example: `kubelet-config-{{< skew currentVersion >}}`). Kubeadm ensures that RBAC rules for reading and writing
|
||||||
that ConfigMap are appropriate for the value you set. When kubeadm writes this ConfigMap (during `kubeadm init`
|
that ConfigMap are appropriate for the value you set. When kubeadm writes this ConfigMap (during `kubeadm init`
|
||||||
or `kubeadm upgrade apply`), kubeadm respects the value of `UnversionedKubeletConfigMap`. When reading that ConfigMap
|
or `kubeadm upgrade apply`), kubeadm respects the value of `UnversionedKubeletConfigMap`. When reading that ConfigMap
|
||||||
(during `kubeadm join`, `kubeadm reset`, `kubeadm upgrade ...`), kubeadm attempts to use unversioned ConfigMap name first;
|
(during `kubeadm join`, `kubeadm reset`, `kubeadm upgrade`...), kubeadm attempts to use unversioned ConfigMap name first.
|
||||||
if that does not succeed, kubeadm falls back to using the legacy (versioned) name for that ConfigMap.
|
If that does not succeed, kubeadm falls back to using the legacy (versioned) name for that ConfigMap.
|
||||||
|
|
||||||
`UpgradeAddonsBeforeControlPlane`
|
`UpgradeAddonsBeforeControlPlane`
|
||||||
: This feature gate has been removed. It was introduced in v1.28 as a deprecated feature and then removed in v1.31. For documentation on older versions, please switch to the corresponding website version.
|
: This feature gate has been removed. It was introduced in v1.28 as a deprecated feature and then removed in v1.31.
|
||||||
|
For documentation on older versions, please switch to the corresponding website version.
|
||||||
|
|
||||||
### Adding kube-proxy parameters {#kube-proxy}
|
### Adding kube-proxy parameters {#kube-proxy}
|
||||||
|
|
||||||
For information about kube-proxy parameters in the kubeadm configuration see:
|
For information about kube-proxy parameters in the kubeadm configuration see:
|
||||||
|
|
||||||
- [kube-proxy reference](/docs/reference/config-api/kube-proxy-config.v1alpha1/)
|
- [kube-proxy reference](/docs/reference/config-api/kube-proxy-config.v1alpha1/)
|
||||||
|
|
||||||
For information about enabling IPVS mode with kubeadm see:
|
For information about enabling IPVS mode with kubeadm see:
|
||||||
|
|
||||||
- [IPVS](https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/README.md)
|
- [IPVS](https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/README.md)
|
||||||
|
|
||||||
### Passing custom flags to control plane components {#control-plane-flags}
|
### Passing custom flags to control plane components {#control-plane-flags}
|
||||||
|
|
||||||
For information about passing flags to control plane components see:
|
For information about passing flags to control plane components see:
|
||||||
|
|
||||||
- [control-plane-flags](/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)
|
- [control-plane-flags](/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)
|
||||||
|
|
||||||
### Running kubeadm without an Internet connection {#without-internet-connection}
|
### Running kubeadm without an Internet connection {#without-internet-connection}
|
||||||
|
|
||||||
For running kubeadm without an Internet connection you have to pre-pull the required control-plane images.
|
For running kubeadm without an Internet connection you have to pre-pull the required control plane images.
|
||||||
|
|
||||||
You can list and pull the images using the `kubeadm config images` sub-command:
|
You can list and pull the images using the `kubeadm config images` sub-command:
|
||||||
|
|
||||||
|
@ -307,26 +313,24 @@ can consume, you must:
|
||||||
|
|
||||||
* Pull images from the defaults paths at `registry.k8s.io` using `kubeadm config images {list|pull}`.
|
* Pull images from the defaults paths at `registry.k8s.io` using `kubeadm config images {list|pull}`.
|
||||||
* Push images to the paths from `kubeadm config images list --config=config.yaml`,
|
* Push images to the paths from `kubeadm config images list --config=config.yaml`,
|
||||||
where `config.yaml` contains the custom `imageRepository`, and/or `imageTag`
|
where `config.yaml` contains the custom `imageRepository`, and/or `imageTag` for etcd and CoreDNS.
|
||||||
for etcd and CoreDNS.
|
|
||||||
* Pass the same `config.yaml` to `kubeadm init`.
|
* Pass the same `config.yaml` to `kubeadm init`.
|
||||||
|
|
||||||
#### Custom sandbox (pause) images {#custom-pause-image}
|
#### Custom sandbox (pause) images {#custom-pause-image}
|
||||||
|
|
||||||
To set a custom image for these you need to configure this in your
|
To set a custom image for these you need to configure this in your
|
||||||
{{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
|
{{< glossary_tooltip text="container runtime" term_id="container-runtime" >}} to use the image.
|
||||||
to use the image.
|
|
||||||
Consult the documentation for your container runtime to find out how to change this setting;
|
Consult the documentation for your container runtime to find out how to change this setting;
|
||||||
for selected container runtimes, you can also find advice within the
|
for selected container runtimes, you can also find advice within the
|
||||||
[Container Runtimes](/docs/setup/production-environment/container-runtimes/) topic.
|
[Container Runtimes](/docs/setup/production-environment/container-runtimes/) topic.
|
||||||
|
|
||||||
### Uploading control-plane certificates to the cluster
|
### Uploading control plane certificates to the cluster
|
||||||
|
|
||||||
By adding the flag `--upload-certs` to `kubeadm init` you can temporary upload
|
By adding the flag `--upload-certs` to `kubeadm init` you can temporary upload
|
||||||
the control-plane certificates to a Secret in the cluster. Please note that this Secret
|
the control plane certificates to a Secret in the cluster. Please note that this Secret
|
||||||
will expire automatically after 2 hours. The certificates are encrypted using
|
will expire automatically after 2 hours. The certificates are encrypted using
|
||||||
a 32byte key that can be specified using `--certificate-key`. The same key can be used
|
a 32byte key that can be specified using `--certificate-key`. The same key can be used
|
||||||
to download the certificates when additional control-plane nodes are joining, by passing
|
to download the certificates when additional control plane nodes are joining, by passing
|
||||||
`--control-plane` and `--certificate-key` to `kubeadm join`.
|
`--control-plane` and `--certificate-key` to `kubeadm join`.
|
||||||
|
|
||||||
The following phase command can be used to re-upload the certificates after expiration:
|
The following phase command can be used to re-upload the certificates after expiration:
|
||||||
|
@ -334,6 +338,7 @@ The following phase command can be used to re-upload the certificates after expi
|
||||||
```shell
|
```shell
|
||||||
kubeadm init phase upload-certs --upload-certs --config=SOME_YAML_FILE
|
kubeadm init phase upload-certs --upload-certs --config=SOME_YAML_FILE
|
||||||
```
|
```
|
||||||
|
|
||||||
{{< note >}}
|
{{< note >}}
|
||||||
A predefined `certificateKey` can be provided in `InitConfiguration` when passing the
|
A predefined `certificateKey` can be provided in `InitConfiguration` when passing the
|
||||||
[configuration file](/docs/reference/config-api/kubeadm-config.v1beta4/) with `--config`.
|
[configuration file](/docs/reference/config-api/kubeadm-config.v1beta4/) with `--config`.
|
||||||
|
@ -366,12 +371,12 @@ For further information, see
|
||||||
|
|
||||||
### Use kubeadm with CRI runtimes
|
### Use kubeadm with CRI runtimes
|
||||||
|
|
||||||
By default kubeadm attempts to detect your container runtime. For more details on this detection,
|
By default, kubeadm attempts to detect your container runtime. For more details on this detection,
|
||||||
see the [kubeadm CRI installation guide](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-runtime).
|
see the [kubeadm CRI installation guide](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-runtime).
|
||||||
|
|
||||||
### Setting the node name
|
### Setting the node name
|
||||||
|
|
||||||
By default, `kubeadm` assigns a node name based on a machine's host address.
|
By default, kubeadm assigns a node name based on a machine's host address.
|
||||||
You can override this setting with the `--node-name` flag.
|
You can override this setting with the `--node-name` flag.
|
||||||
The flag passes the appropriate [`--hostname-override`](/docs/reference/command-line-tools-reference/kubelet/#options)
|
The flag passes the appropriate [`--hostname-override`](/docs/reference/command-line-tools-reference/kubelet/#options)
|
||||||
value to the kubelet.
|
value to the kubelet.
|
||||||
|
@ -384,12 +389,11 @@ Be aware that overriding the hostname can
|
||||||
Rather than copying the token you obtained from `kubeadm init` to each node, as
|
Rather than copying the token you obtained from `kubeadm init` to each node, as
|
||||||
in the [basic kubeadm tutorial](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/),
|
in the [basic kubeadm tutorial](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/),
|
||||||
you can parallelize the token distribution for easier automation. To implement this automation,
|
you can parallelize the token distribution for easier automation. To implement this automation,
|
||||||
you must know the IP address that the control-plane node will have after it is started, or use a
|
you must know the IP address that the control plane node will have after it is started, or use a
|
||||||
DNS name or an address of a load balancer.
|
DNS name or an address of a load balancer.
|
||||||
|
|
||||||
1. Generate a token. This token must have the form `<6 character string>.<16
|
1. Generate a token. This token must have the form `<6 character string>.<16 character string>`.
|
||||||
character string>`. More formally, it must match the regex:
|
More formally, it must match the regex: `[a-z0-9]{6}\.[a-z0-9]{16}`.
|
||||||
`[a-z0-9]{6}\.[a-z0-9]{16}`.
|
|
||||||
|
|
||||||
kubeadm can generate a token for you:
|
kubeadm can generate a token for you:
|
||||||
|
|
||||||
|
@ -397,11 +401,11 @@ DNS name or an address of a load balancer.
|
||||||
kubeadm token generate
|
kubeadm token generate
|
||||||
```
|
```
|
||||||
|
|
||||||
1. Start both the control-plane node and the worker nodes concurrently with this token.
|
1. Start both the control plane node and the worker nodes concurrently with this token.
|
||||||
As they come up they should find each other and form the cluster. The same
|
As they come up they should find each other and form the cluster. The same
|
||||||
`--token` argument can be used on both `kubeadm init` and `kubeadm join`.
|
`--token` argument can be used on both `kubeadm init` and `kubeadm join`.
|
||||||
|
|
||||||
1. Similar can be done for `--certificate-key` when joining additional control-plane
|
1. Similar can be done for `--certificate-key` when joining additional control plane
|
||||||
nodes. The key can be generated using:
|
nodes. The key can be generated using:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
|
@ -409,13 +413,13 @@ DNS name or an address of a load balancer.
|
||||||
```
|
```
|
||||||
|
|
||||||
Once the cluster is up, you can use the `/etc/kubernetes/admin.conf` file from
|
Once the cluster is up, you can use the `/etc/kubernetes/admin.conf` file from
|
||||||
a control-plane node to talk to the cluster with administrator credentials or
|
a control plane node to talk to the cluster with administrator credentials or
|
||||||
[Generating kubeconfig files for additional users](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs#kubeconfig-additional-users).
|
[Generating kubeconfig files for additional users](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs#kubeconfig-additional-users).
|
||||||
|
|
||||||
Note that this style of bootstrap has some relaxed security guarantees because
|
Note that this style of bootstrap has some relaxed security guarantees because
|
||||||
it does not allow the root CA hash to be validated with
|
it does not allow the root CA hash to be validated with
|
||||||
`--discovery-token-ca-cert-hash` (since it's not generated when the nodes are
|
`--discovery-token-ca-cert-hash` (since it's not generated when the nodes are provisioned).
|
||||||
provisioned). For details, see the [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/).
|
For details, see the [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/).
|
||||||
|
|
||||||
## {{% heading "whatsnext" %}}
|
## {{% heading "whatsnext" %}}
|
||||||
|
|
||||||
|
@ -427,4 +431,3 @@ provisioned). For details, see the [kubeadm join](/docs/reference/setup-tools/ku
|
||||||
cluster to a newer version
|
cluster to a newer version
|
||||||
* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made
|
* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset/) to revert any changes made
|
||||||
to this host by `kubeadm init` or `kubeadm join`
|
to this host by `kubeadm init` or `kubeadm join`
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue