Adding Nodes to a Kubernetes Cluster


Kubernetes Cluster add node

Join process

  1. kubeadm downloads the required cluster information from the API server. By default, the bootstrap token and the CA key hash are used to verify that this data is authentic. The root CA can also be discovered directly from a file or a URL.
  2. Once it has the cluster's validation information, the kubelet enters the TLS bootstrapping process. TLS bootstrap uses the shared token to authenticate temporarily to the Kubernetes API server in order to submit a certificate signing request (CSR); by default the control plane signs this CSR automatically.
  3. Finally, kubeadm configures the local kubelet to connect to the API server using the definitive identity assigned to the node.

How to do it

By default a token is kept for 24 hours; once that time has passed the token is deleted automatically, so a token and its hash value have to be created manually.

  • Create a token

    <root@HK-K8S-CP ~># kubeadm token create
    W0815 14:54:38.564119   10867 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
    hnno8a.rnijnbrhejz72t7w
  • Generate the hash value (of the CA public key) that accompanies the token
    <root@HK-K8S-CP ~># openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | \
          openssl dgst -sha256 -hex | sed 's/^.* //'
    bcf878114948a608e3f47f2a3824bae94b1f3f9ce9bd529d21a19f0d8af4c6cb
  • Get the control-plane-host:port. Before joining the cluster you need the Kubernetes cluster's control-plane-host:port; it can be looked up as follows
    <root@HK-K8S-CP ~># kubectl describe configmaps -n kube-system  kubeadm-config
    Name:         kubeadm-config
    Namespace:    kube-system
    Labels:       <none>
    Annotations:  
    Data
    ====
    ClusterConfiguration:
    ----
    apiServer:
      certSANs:
      - 47.57.234.123
      extraArgs:
        authorization-mode: Node,RBAC
      timeoutForControlPlane: 4m0s
    apiVersion: kubeadm.k8s.io/v1beta2
    certificatesDir: /etc/kubernetes/pki
    clusterName: kubernetes
    controlPlaneEndpoint: 172.19.0.203:6443
    controllerManager: {}
    dns:
      type: CoreDNS
    etcd:
      local:
        dataDir: /var/lib/etcd
    imageRepository: k8s.gcr.io
    kind: ClusterConfiguration
    kubernetesVersion: v1.18.5
    networking:
      dnsDomain: nflow.so
      podSubnet: 172.20.0.0/20
      serviceSubnet: 10.10.0.0/24
    scheduler: {}
    
    ClusterStatus:
    ----
    apiEndpoints:
      hk-k8s-cp:
        advertiseAddress: 172.19.1.119
        bindPort: 6443
    apiVersion: kubeadm.k8s.io/v1beta2
    kind: ClusterStatus
    
    Events:  <none>
  • Join the cluster (note that the control plane address below differs from the one obtained above. This is due to a quirk of Alibaba Cloud SLB: if the CP node was registered as a backend server of the SLB when the cluster was created, you need to create a public address and specify the certSANs parameter to work around it; if you are only adding nodes to the cluster, the CP node's private address can be used)
    <root@HK-K8S-WN4 ~># kubeadm join 172.19.1.119:6443 --token hnno8a.rnijnbrhejz72t7w --discovery-token-ca-cert-hash sha256:bcf878114948a608e3f47f2a3824bae94b1f3f9ce9bd529d21a19f0d8af4c6cb --v=5
    W0815 15:03:45.687465    3589 join.go:346] [preflight] WARNING: JoinControlPane.controlPlane settings will be ignored when control-plane flag is not set.
    I0815 15:03:45.687523    3589 join.go:371] [preflight] found NodeName empty; using OS hostname as NodeName
    I0815 15:03:45.687568    3589 initconfiguration.go:103] detected and using CRI socket: /var/run/dockershim.sock
    [preflight] Running pre-flight checks
    I0815 15:03:45.687648    3589 preflight.go:90] [preflight] Running general checks
    I0815 15:03:45.687704    3589 checks.go:249] validating the existence and emptiness of directory /etc/kubernetes/manifests
    I0815 15:03:45.687757    3589 checks.go:286] validating the existence of file /etc/kubernetes/kubelet.conf
    I0815 15:03:45.687773    3589 checks.go:286] validating the existence of file /etc/kubernetes/bootstrap-kubelet.conf
    I0815 15:03:45.687783    3589 checks.go:102] validating the container runtime
    I0815 15:03:45.770908    3589 checks.go:128] validating if the service is enabled and active
    I0815 15:03:45.862041    3589 checks.go:335] validating the contents of file /proc/sys/net/bridge/bridge-nf-call-iptables
    I0815 15:03:45.862110    3589 checks.go:335] validating the contents of file /proc/sys/net/ipv4/ip_forward
    I0815 15:03:45.862136    3589 checks.go:649] validating whether swap is enabled or not
    I0815 15:03:45.862166    3589 checks.go:376] validating the presence of executable conntrack
    I0815 15:03:45.862191    3589 checks.go:376] validating the presence of executable ip
    I0815 15:03:45.862217    3589 checks.go:376] validating the presence of executable iptables
    I0815 15:03:45.862237    3589 checks.go:376] validating the presence of executable mount
    I0815 15:03:45.862260    3589 checks.go:376] validating the presence of executable nsenter
    I0815 15:03:45.862280    3589 checks.go:376] validating the presence of executable ebtables
    I0815 15:03:45.862298    3589 checks.go:376] validating the presence of executable ethtool
    I0815 15:03:45.862318    3589 checks.go:376] validating the presence of executable socat
    I0815 15:03:45.862337    3589 checks.go:376] validating the presence of executable tc
    I0815 15:03:45.862361    3589 checks.go:376] validating the presence of executable touch
    I0815 15:03:45.862381    3589 checks.go:520] running all checks
    I0815 15:03:45.955690    3589 checks.go:406] checking whether the given node name is reachable using net.LookupHost
    I0815 15:03:45.955912    3589 checks.go:618] validating kubelet version
    I0815 15:03:46.009037    3589 checks.go:128] validating if the service is enabled and active
    I0815 15:03:46.017134    3589 checks.go:201] validating availability of port 10250
    I0815 15:03:46.017322    3589 checks.go:286] validating the existence of file /etc/kubernetes/pki/ca.crt
    I0815 15:03:46.017334    3589 checks.go:432] validating if the connectivity type is via proxy or direct
    I0815 15:03:46.017366    3589 join.go:441] [preflight] Discovering cluster-info
    I0815 15:03:46.017388    3589 token.go:78] [discovery] Created cluster-info discovery client, requesting info from "172.19.1.119:6443"
    I0815 15:03:46.025145    3589 token.go:116] [discovery] Requesting info from "172.19.1.119:6443" again to validate TLS against the pinned public key
    I0815 15:03:46.031503    3589 token.go:133] [discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "172.19.1.119:6443"
    I0815 15:03:46.031521    3589 discovery.go:51] [discovery] Using provided TLSBootstrapToken as authentication credentials for the join process
    I0815 15:03:46.031535    3589 join.go:455] [preflight] Fetching init configuration
    I0815 15:03:46.031541    3589 join.go:493] [preflight] Retrieving KubeConfig objects
    [preflight] Reading configuration from the cluster...
    [preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
    W0815 15:03:46.361210    3589 configset.go:76] Warning: No kubeproxy.config.k8s.io/v1alpha1 config is loaded. Continuing without it: configmaps "kube-proxy" is forbidden: User "system:bootstrap:hnno8a" cannot get resource "configmaps" in API group "" in the namespace "kube-system"
    I0815 15:03:46.364438    3589 interface.go:400] Looking for default routes with IPv4 addresses
    I0815 15:03:46.364456    3589 interface.go:405] Default route transits interface "eth0"
    I0815 15:03:46.364566    3589 interface.go:208] Interface eth0 is up
    I0815 15:03:46.364624    3589 interface.go:256] Interface "eth0" has 1 addresses :[172.19.1.147/24].
    I0815 15:03:46.364645    3589 interface.go:223] Checking addr  172.19.1.147/24.
    I0815 15:03:46.364656    3589 interface.go:230] IP found 172.19.1.147
    I0815 15:03:46.364671    3589 interface.go:262] Found valid IPv4 address 172.19.1.147 for interface "eth0".
    I0815 15:03:46.364683    3589 interface.go:411] Found active IP 172.19.1.147 
    I0815 15:03:46.364730    3589 preflight.go:101] [preflight] Running configuration dependant checks
    I0815 15:03:46.364744    3589 controlplaneprepare.go:211] [download-certs] Skipping certs download
    I0815 15:03:46.364763    3589 kubelet.go:111] [kubelet-start] writing bootstrap kubelet config file at /etc/kubernetes/bootstrap-kubelet.conf
    I0815 15:03:46.365705    3589 kubelet.go:119] [kubelet-start] writing CA certificate at /etc/kubernetes/pki/ca.crt
    I0815 15:03:46.367273    3589 kubelet.go:145] [kubelet-start] Checking for an existing Node in the cluster with name "hk-k8s-wn4" and status "Ready"
    I0815 15:03:46.368707    3589 kubelet.go:159] [kubelet-start] Stopping the kubelet
    [kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.18" ConfigMap in the kube-system namespace
    [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
    [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
    [kubelet-start] Starting the kubelet
    [kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
    I0815 15:03:51.547974    3589 cert_rotation.go:137] Starting client certificate rotation controller
    I0815 15:03:51.552665    3589 kubelet.go:194] [kubelet-start] preserving the crisocket information for the node
    I0815 15:03:51.552684    3589 patchnode.go:30] [patchnode] Uploading the CRI Socket information "/var/run/dockershim.sock" to the Node API object "hk-k8s-wn4" as an annotation
    
    This node has joined the cluster:
    * Certificate signing request was sent to apiserver and a response was received.
    * The Kubelet was informed of the new secure connection details.
    
    Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
  • Switch to the CP node and check whether the node joined successfully
    <root@HK-K8S-CP ~># kubectl get nodes
    NAME         STATUS   ROLES    AGE     VERSION
    hk-k8s-cp    Ready    master   152d    v1.18.5
    hk-k8s-wn1   Ready    worker   152d    v1.18.5
    hk-k8s-wn2   Ready    worker   150d    v1.18.5
    hk-k8s-wn3   Ready    worker   150d    v1.18.5
    hk-k8s-wn4   Ready    <none>   6m27s   v1.18.5
  • Change the role of the newly joined node, as follows
    <root@HK-K8S-CP ~># kubectl label node hk-k8s-wn4  node-role.kubernetes.io/worker=worker
    node/hk-k8s-wn4 labeled
    <root@HK-K8S-CP ~># kubectl get nodes
    NAME         STATUS   ROLES    AGE     VERSION
    hk-k8s-cp    Ready    master   152d    v1.18.5
    hk-k8s-wn1   Ready    worker   152d    v1.18.5
    hk-k8s-wn2   Ready    worker   150d    v1.18.5
    hk-k8s-wn3   Ready    worker   150d    v1.18.5
    hk-k8s-wn4   Ready    worker   7m48s   v1.18.5
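The CA hash produced by the openssl pipeline above, and the check kubeadm performs in step 1 of the join process, worked through in Python. This is an added example, not code from the original post or from kubeadm: it builds a constructed toy SubjectPublicKeyInfo (SPKI) with a small dependency-free DER encoder (on a real cluster the SPKI comes from /etc/kubernetes/pki/ca.crt), hashes it the way kubeadm does, and validates a kubeadm join line against the expected hash and the bootstrap token format.

```python
import hashlib
import re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def der_tlv(tag, body):
    """Encode one DER tag-length-value (short and long length forms)."""
    n = len(body)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(value):
    """DER INTEGER: big-endian, with a leading 0x00 if the top bit is set."""
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_tlv(0x02, b)

def rsa_spki_der(n, e):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + b"\x05\x00")  # rsaEncryption, NULL
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))           # RSAPublicKey
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))  # 0 unused bits

def ca_cert_hash(spki_der):
    """SHA-256 over the DER SPKI: what --discovery-token-ca-cert-hash expects."""
    return "sha256:" + hashlib.sha256(spki_der).hexdigest()

TOKEN_RE = re.compile(r"^[a-z0-9]{6}\.[a-z0-9]{16}$")  # bootstrap token "id.secret"

def check_join_command(cmd, expected_hash):
    """Return (ok, reason) for a 'kubeadm join' line against the out-of-band CA hash."""
    m = re.search(r"--token\s+(\S+)", cmd)
    if not m or not TOKEN_RE.match(m.group(1)):
        return False, "token missing or not in bootstrap token format"
    m = re.search(r"--discovery-token-ca-cert-hash\s+(\S+)", cmd)
    if not m:
        return False, "no CA hash: kubeadm refuses unless CA verification is skipped"
    if m.group(1) != expected_hash:
        return False, "CA hash mismatch: wrong cluster or tampered discovery data"
    return True, "ok"

# Constructed toy SPKI (tiny modulus, not a usable key); real CAs are >= 2048 bits.
TOY_SPKI = rsa_spki_der(n=0x0C0FFEECAFEF00D1, e=65537)
EXPECTED_HASH = ca_cert_hash(TOY_SPKI)
```

Because the hash covers only the public key, a CA certificate re-issued with the same key keeps the same hash, while a different key changes it.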

