Make sure docker and kubelet use the same cgroup driver (systemd).
kubelet side: add the parameter below to /var/lib/kubelet/config.yaml (the KubeletConfiguration that kubeadm writes), then restart kubelet. docker side: the value must match what docker reports in "docker info" (Cgroup Driver), i.e. "exec-opts": ["native.cgroupdriver=systemd"] in /etc/docker/daemon.json. If the two differ, kubelet refuses to start and logs the mismatch.
cgroupDriver: systemd
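Added check, my own script and not part of these notes or of kubeadm/docker: read the cgroup driver each side is configured with and compare them before restarting kubelet. The demo directory and the three sample config files it writes are constructed so it runs offline; on a node, point it at /etc/docker/daemon.json and /var/lib/kubelet/config.yaml.

```shell
#!/bin/sh
# Added example, not from the original notes or from kubeadm/docker: compare the
# cgroup driver docker and kubelet are configured with. A mismatch makes kubelet
# fail to start after the change above. The demo directory and the sample config
# files written below are constructed so the check runs offline.

# cgroupDriver from a KubeletConfiguration YAML ($1); empty if not set explicitly.
kubelet_cgroup_driver() {
  sed -n 's/^cgroupDriver:[[:space:]]*"\{0,1\}\([A-Za-z]*\)"\{0,1\}.*$/\1/p' "$1" | head -n 1
}

# native.cgroupdriver from docker's daemon.json exec-opts ($1); empty if not set.
docker_cgroup_driver() {
  sed -n 's/.*native\.cgroupdriver=\([A-Za-z]*\).*/\1/p' "$1" | head -n 1
}

# Returns 0 only if both are set explicitly and equal ($1 daemon.json, $2 kubelet config).
# "Unset on both sides" is deliberately not a match: defaults differ between versions.
cgroup_drivers_match() {
  d=$(docker_cgroup_driver "$1")
  k=$(kubelet_cgroup_driver "$2")
  [ -n "$d" ] && [ "$d" = "$k" ]
}

# --- constructed sample files (assumption: this is what the two configs look like) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

cat > "$DEMO_DIR/daemon.json" <<'EOF'
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file"
}
EOF

cat > "$DEMO_DIR/kubelet-ok.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd
EOF

cat > "$DEMO_DIR/kubelet-bad.yaml" <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: cgroupfs
EOF

for cfg in kubelet-ok.yaml kubelet-bad.yaml; do
  if cgroup_drivers_match "$DEMO_DIR/daemon.json" "$DEMO_DIR/$cfg"; then
    echo "$cfg: docker and kubelet agree ($(kubelet_cgroup_driver "$DEMO_DIR/$cfg"))"
  else
    echo "$cfg: MISMATCH docker=$(docker_cgroup_driver "$DEMO_DIR/daemon.json") kubelet=$(kubelet_cgroup_driver "$DEMO_DIR/$cfg")"
  fi
done

# On a real node:
#   cgroup_drivers_match /etc/docker/daemon.json /var/lib/kubelet/config.yaml && echo ok
```

The check reads the files rather than "docker info" so it also works on a node where docker is stopped; once docker is running, "docker info --format '{{.CgroupDriver}}'" gives the live value to compare against.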
---
Enable IPVS mode for kube-proxy:
- For instructions on enabling IPVS mode with kubeadm, see
- https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/README.md
[root@k8s-01 manifests]# kubectl describe configmaps -n kube-system kube-proxy
Name:         kube-proxy
Namespace:    kube-system
Labels:       app=kube-proxy
Annotations:  kubeadm.kubernetes.io/component-config.hash: sha256:8faa951b7a7b5a8abed841d2326a38ed1000fa7f9dfae85fe2dbebb795c4d6da
... (omitted)
# Set mode to "ipvs". describe only shows the data; make the change with
# kubectl -n kube-system edit configmap kube-proxy, then recreate the kube-proxy pods
# so they pick it up: kubectl -n kube-system delete pod -l k8s-app=kube-proxy
# The ip_vs, ip_vs_rr, ip_vs_wrr, ip_vs_sh and nf_conntrack (nf_conntrack_ipv4 on older
# kernels) modules must be loadable and ipvsadm should be installed; if IPVS cannot be
# used, kube-proxy logs an error and does not switch to it, so confirm the proxier it
# chose in its logs (kubectl -n kube-system logs -l k8s-app=kube-proxy).
mode: "ipvs"
... (omitted)
# verify
[root@k8s-01 manifests]# kubectl get svc --all-namespaces
NAMESPACE     NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE
default       kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP                  2d22h
kube-system   kube-dns     ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP,9153/TCP   2d22h
[root@k8s-01 manifests]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.96.0.1:443 rr
  -> 192.168.1.15:6443            Masq    1      0          0
TCP  10.96.0.10:53 rr
  -> 10.244.0.2:53                Masq    1      0          0
  -> 10.244.0.3:53                Masq    1      0          0
TCP  10.96.0.10:9153 rr
  -> 10.244.0.2:9153              Masq    1      0          0
  -> 10.244.0.3:9153              Masq    1      0          0
UDP  10.96.0.10:53 rr
  -> 10.244.0.2:53                Masq    1      0          0
  -> 10.244.0.3:53                Masq    1      0          0
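Added script, mine and not part of these notes or of kube-proxy: instead of eyeballing the two listings above, cross-check that every ClusterIP:port from "kubectl get svc -A" has a matching IPVS virtual server in "ipvsadm -ln". The SVC_FROM_NOTES and IPVS_FROM_NOTES samples copy the output shown above; SVC_WITH_GAP adds one constructed service (10.96.0.50, assumed) that has no IPVS entry, which is what a half-applied switch to ipvs mode looks like.

```shell
#!/bin/sh
# Added example, not from the original notes: report ClusterIP service ports that
# have no IPVS virtual server. Empty output means kube-proxy has programmed every
# service into IPVS. Expects "kubectl get svc -A" output (with the NAMESPACE column).

# "PROTO ip:port" for each port of each ClusterIP/NodePort/LoadBalancer service.
# Headless (CLUSTER-IP None) and ExternalName (<none>) services have no VIP and are skipped.
svc_cluster_ports() {
  printf '%s\n' "$1" | awk '
    NR > 1 && $4 != "None" && $4 != "<none>" {
      n = split($6, ports, ",")
      for (i = 1; i <= n; i++) {
        split(ports[i], pp, "/")     # pp[1] = port or port:nodePort, pp[2] = protocol
        split(pp[1], p, ":")         # p[1] = the service port
        print pp[2], $4 ":" p[1]
      }
    }'
}

# "PROTO ip:port" for each virtual server line of ipvsadm -ln ("->" backend lines skipped).
ipvs_virtual_servers() {
  printf '%s\n' "$1" | awk '$1 == "TCP" || $1 == "UDP" || $1 == "SCTP" { print $1, $2 }'
}

# Set difference: service ports not present as IPVS virtual servers ($1 svc, $2 ipvsadm).
missing_in_ipvs() {
  {
    ipvs_virtual_servers "$2" | sed 's/^/I /'
    svc_cluster_ports   "$1" | sed 's/^/S /'
  } | awk '
    $1 == "I" { seen[$2 " " $3] = 1; next }
    !(($2 " " $3) in seen) { print $2, $3 }'
}

# --- samples: copied from the notes above, plus one constructed service ---
SVC_FROM_NOTES=$(cat <<'EOF'
NAMESPACE     NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE
default       kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP                  2d22h
kube-system   kube-dns     ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP,9153/TCP   2d22h
EOF
)

IPVS_FROM_NOTES=$(cat <<'EOF'
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.96.0.1:443 rr
  -> 192.168.1.15:6443            Masq    1      0          0
TCP  10.96.0.10:53 rr
  -> 10.244.0.2:53                Masq    1      0          0
  -> 10.244.0.3:53                Masq    1      0          0
TCP  10.96.0.10:9153 rr
  -> 10.244.0.2:9153              Masq    1      0          0
  -> 10.244.0.3:9153              Masq    1      0          0
UDP  10.96.0.10:53 rr
  -> 10.244.0.2:53                Masq    1      0          0
  -> 10.244.0.3:53                Masq    1      0          0
EOF
)

# Constructed: a service that kube-proxy has not (yet) programmed into IPVS.
SVC_WITH_GAP="$SVC_FROM_NOTES
default       web          ClusterIP   10.96.0.50   <none>        80/TCP                   1h"

echo "== missing from IPVS (cluster in the notes) =="
missing_in_ipvs "$SVC_FROM_NOTES" "$IPVS_FROM_NOTES"
echo "== missing from IPVS (with the constructed extra service) =="
missing_in_ipvs "$SVC_WITH_GAP" "$IPVS_FROM_NOTES"

# On a node running kube-proxy:
#   missing_in_ipvs "$(kubectl get svc -A)" "$(ipvsadm -ln)"
```

NodePort services also get per-node-IP virtual servers in IPVS, but the ClusterIP:port entry this script checks is present for them too, so the same check applies.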
---
kubectl command completion:
source <(kubectl completion bash)                     # enable completion in the current bash shell; install the bash-completion package first
echo "source <(kubectl completion bash)" >> ~/.bashrc  # enable completion permanently for your bash shell
You can also use a short alias for kubectl, and that alias works with completion as well:
alias k=kubectl
complete -F __start_kubectl k
---
Use Sonobuoy to verify the cluster is working:
# to be added
---
The client certificates kubeadm generates expire after 1 year. Ways to deal with this (for the other methods see the official docs: https://kubernetes.io/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/):
① Use your own certificates:
If a certificate and private key pair already exists when kubeadm init runs, kubeadm does not overwrite it. This means, for example, that you can copy an existing CA to /etc/kubernetes/pki/ca.crt and /etc/kubernetes/pki/ca.key and kubeadm will use that CA to sign the remaining certificates; the same rule lets you pre-create individual leaf certificates with whatever validity you need.
② Renew the certificates manually:
You can renew the certificates at any time with kubeadm certs renew. The command signs the new certificates with the CA (or front-proxy CA) certificate and key stored in /etc/kubernetes/pki, so the CA itself (10 years) is not touched. Run it on every control-plane node.
[root@k8s-01 pki]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 07, 2022 17:15 UTC   362d                                    no
apiserver                  Oct 07, 2022 17:15 UTC   362d            ca                      no
apiserver-etcd-client      Oct 07, 2022 17:15 UTC   362d            etcd-ca                 no
apiserver-kubelet-client   Oct 07, 2022 17:15 UTC   362d            ca                      no
controller-manager.conf    Oct 07, 2022 17:15 UTC   362d                                    no
etcd-healthcheck-client    Oct 07, 2022 17:15 UTC   362d            etcd-ca                 no
etcd-peer                  Oct 07, 2022 17:15 UTC   362d            etcd-ca                 no
etcd-server                Oct 07, 2022 17:15 UTC   362d            etcd-ca                 no
front-proxy-client         Oct 07, 2022 17:15 UTC   362d            front-proxy-ca          no
scheduler.conf             Oct 07, 2022 17:15 UTC   362d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 05, 2031 17:15 UTC   9y              no
etcd-ca                 Oct 05, 2031 17:15 UTC   9y              no
front-proxy-ca          Oct 05, 2031 17:15 UTC   9y              no
# Manual renewal. kubeadm certs renew only rewrites the files on disk; kube-apiserver, kube-controller-manager, kube-scheduler and etcd keep serving the old certificates until they are restarted. They are static pods, so restart them by moving /etc/kubernetes/manifests/* out of the directory, waiting about 20s (see the fileCheckFrequency value in the KubeletConfiguration struct) for kubelet to stop them, then moving the files back. admin.conf is renewed in place but ~/.kube/config is a copy, so refresh it afterwards (cp /etc/kubernetes/admin.conf ~/.kube/config) or kubectl keeps using the old embedded certificate. kubelet.conf is not in the list because kubeadm configures kubelet to rotate its own client certificate.
[root@k8s-01 pki]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
# the dates have moved forward
[root@k8s-01 pki]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 10, 2022 15:39 UTC   364d                                    no
apiserver                  Oct 10, 2022 15:39 UTC   364d            ca                      no
apiserver-etcd-client      Oct 10, 2022 15:39 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Oct 10, 2022 15:39 UTC   364d            ca                      no
controller-manager.conf    Oct 10, 2022 15:39 UTC   364d                                    no
etcd-healthcheck-client    Oct 10, 2022 15:39 UTC   364d            etcd-ca                 no
etcd-peer                  Oct 10, 2022 15:39 UTC   364d            etcd-ca                 no
etcd-server                Oct 10, 2022 15:39 UTC   364d            etcd-ca                 no
front-proxy-client         Oct 10, 2022 15:39 UTC   364d            front-proxy-ca          no
scheduler.conf             Oct 10, 2022 15:39 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 05, 2031 17:15 UTC   9y              no
etcd-ca                 Oct 05, 2031 17:15 UTC   9y              no
front-proxy-ca          Oct 05, 2031 17:15 UTC   9y              no
③ Automatic certificate renewal:
kubeadm renews all certificates during a control-plane upgrade, so a cluster that is upgraded at least once a year never runs into the 1-year expiry without any manual renewal.
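Added script, mine and not part of these notes or of kubeadm: whichever of the three approaches is used, something has to notice a certificate getting close to expiry. This parses the "kubeadm certs check-expiration" output shown above and lists every certificate with fewer than N days left. SAMPLE_OK copies the renewed output above; SAMPLE_EXPIRED is constructed to show the two forms a near-expired cluster produces (an hours-only residual and "<invalid>" for an already expired certificate).

```shell
#!/bin/sh
# Added example, not from the original notes: list certificates from
# `kubeadm certs check-expiration` with fewer than N days left, so renewal
# can be scheduled before kube-apiserver stops accepting connections.
# Residual formats handled: 9y, 364d, 23h, 59m and <invalid> (already expired).

# Usage: certs_expiring_within DAYS < check-expiration-output
# Prints "section name residual_days" (section = leaf or ca) for each cert under DAYS.
certs_expiring_within() {
  awk -v limit="$1" '
    /^CERTIFICATE AUTHORITY[[:space:]]+EXPIRES/ { section = "ca";   next }
    /^CERTIFICATE[[:space:]]+EXPIRES/          { section = "leaf"; next }
    /^\[/ || NF == 0 || section == ""          { next }   # [check-expiration] log lines, blanks
    {
      residual = -1                      # no parsable residual => treat as expired
      for (i = 2; i <= NF; i++) {
        n = substr($i, 1, length($i) - 1)
        if      ($i ~ /^[0-9]+y$/)    { residual = n * 365; break }
        else if ($i ~ /^[0-9]+d$/)    { residual = n + 0;   break }
        else if ($i ~ /^[0-9]+[hm]$/) { residual = 0;       break }  # less than a day left
        else if ($i == "<invalid>")   { residual = -1;      break }
      }
      if (residual < limit) printf "%s %s %d\n", section, $1, residual
    }'
}

# --- sample copied from the renewed cluster in the notes above ---
SAMPLE_OK=$(cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 10, 2022 15:39 UTC   364d                                    no
apiserver                  Oct 10, 2022 15:39 UTC   364d            ca                      no
apiserver-etcd-client      Oct 10, 2022 15:39 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Oct 10, 2022 15:39 UTC   364d            ca                      no
controller-manager.conf    Oct 10, 2022 15:39 UTC   364d                                    no
etcd-healthcheck-client    Oct 10, 2022 15:39 UTC   364d            etcd-ca                 no
etcd-peer                  Oct 10, 2022 15:39 UTC   364d            etcd-ca                 no
etcd-server                Oct 10, 2022 15:39 UTC   364d            etcd-ca                 no
front-proxy-client         Oct 10, 2022 15:39 UTC   364d            front-proxy-ca          no
scheduler.conf             Oct 10, 2022 15:39 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Oct 05, 2031 17:15 UTC   9y              no
etcd-ca                 Oct 05, 2031 17:15 UTC   9y              no
front-proxy-ca          Oct 05, 2031 17:15 UTC   9y              no
EOF
)

# --- constructed sample: one cert with hours left, one already expired ---
SAMPLE_EXPIRED=$(cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Oct 07, 2022 17:15 UTC   23h                                     no
apiserver                  Oct 06, 2022 17:15 UTC   <invalid>       ca                      no
EOF
)

echo "== certs with under 365 days left (everything kubeadm just renewed) =="
printf '%s\n' "$SAMPLE_OK" | certs_expiring_within 365
echo "== certs with under 30 days left in the constructed sample =="
printf '%s\n' "$SAMPLE_EXPIRED" | certs_expiring_within 30

# On a control-plane node, e.g. from cron, exit non-zero when anything is close:
#   [ -z "$(kubeadm certs check-expiration | certs_expiring_within 30)" ]
```

Thresholds are compared in whole days, so a certificate with only hours or minutes left is reported as 0 days, which is the case the cron form above is meant to catch before the apiserver stops accepting kubectl.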
---
Back up etcd regularly:
# to be added