Kubeadm
Table of Contents
Token
- 현재 token 조회
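# List the bootstrap tokens. kubeadm reads /etc/kubernetes/admin.conf (root-only), hence
# sudo, as the other snippets on this page already do. The TOKEN column is a live
# node-join credential: do not paste this output into tickets, chat or logs.
sudo kubeadm token list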
Worker join command
- Token 재사용 -
system:bootstrappers:kubeadm:default-node-token
토큰이 expires 되지 않았다면
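# Build a worker join command from an existing token. Run on a control-plane node:
# it needs the token list (admin.conf) and the cluster CA certificate.
#
# Pick the first token that still carries BOTH join usages. A blind `FNR==2` also
# returns the usage-less "Proxy for managing TTL for the kubeadm-certs secret" token
# that upload-certs creates, which cannot be used to join.
# NOTE(review): column 4 is USAGES in current `kubeadm token list` output; re-check the
# column index if the table format changes.
TOKEN="$(sudo kubeadm token list | awk 'NR > 1 && $4 ~ /authentication/ && $4 ~ /signing/ { print $1; exit }')"
[[ -n "${TOKEN}" ]] || echo "no usable bootstrap token (expired or none); run: sudo kubeadm token create" >&2
# SHA-256 of the CA's SubjectPublicKeyInfo -- the value that --discovery-token-ca-cert-hash
# pins. `openssl pkey` handles RSA and EC CA keys alike; `openssl rsa` fails on an EC CA
# and the former 2>/dev/null would have hidden that and yielded an empty hash.
HASH="$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl pkey -pubin -outform der | openssl dgst -sha256 -hex | sed 's/^.* //')"
# `kubeadm config view` was removed in v1.22; the same ClusterConfiguration document
# lives in the kubeadm-config ConfigMap on every kubeadm version.
END_POINT="$(sudo kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-system get configmap kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' | awk '$1 == "controlPlaneEndpoint:" { print $2; exit }')"
# The printed line is a credential: it ends up in shell history and terminal logs.
echo "sudo kubeadm join ${END_POINT} --token ${TOKEN} --discovery-token-ca-cert-hash sha256:${HASH}"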
- Token 신규 생성
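# Mint a fresh token (default TTL 24h) and print a ready-to-run worker join line.
# The line contains the token secret: clear it from history/scrollback once used, or
# shorten exposure with --ttl (e.g. --ttl 30m) when the join happens right away.
sudo kubeadm token create --print-join-command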
Control-plane join command
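# Control-plane join command. The certificate key encrypts the kubeadm-certs Secret
# that holds the CA / service-account / etcd private keys: whoever has it plus a
# bootstrap token can become a control-plane node. Everything up to the echo runs on an
# existing control-plane node (needs /etc/kubernetes/pki/ca.crt and admin.conf).
CERT_KEY="$(sudo kubeadm certs certificate-key)"   # `kubeadm alpha certs` is the older, since-removed spelling
# A key alone is not enough: the certificates must be (re)uploaded encrypted with it,
# otherwise the join below cannot find/decrypt kubeadm-certs. The upload lives 2h.
sudo kubeadm init phase upload-certs --upload-certs --certificate-key "${CERT_KEY}"
# First token that still has both join usages (skips the usage-less TTL-proxy token).
# NOTE(review): column 4 is USAGES in current `kubeadm token list` output.
TOKEN="$(sudo kubeadm token list | awk 'NR > 1 && $4 ~ /authentication/ && $4 ~ /signing/ { print $1; exit }')"
[[ -n "${TOKEN}" ]] || echo "no usable bootstrap token (expired or none); run: sudo kubeadm token create" >&2
# SHA-256 of the CA SubjectPublicKeyInfo; `openssl pkey` handles RSA and EC CA keys alike.
HASH="$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl pkey -pubin -outform der | openssl dgst -sha256 -hex | sed 's/^.* //')"
# `kubeadm config view` was removed in v1.22; the ClusterConfiguration is in this ConfigMap.
END_POINT="$(sudo kubectl --kubeconfig /etc/kubernetes/admin.conf -n kube-system get configmap kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' | awk '$1 == "controlPlaneEndpoint:" { print $2; exit }')"
# The printed line is a full control-plane credential (token + certificate key).
echo "sudo kubeadm join ${END_POINT} --token ${TOKEN} --discovery-token-ca-cert-hash sha256:${HASH} --control-plane --certificate-key ${CERT_KEY}"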
- Token & cert-key 신규 생성
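# New token AND new certificate key in one go (run on an existing control-plane node).
# upload-certs re-encrypts the control-plane certs into the kubeadm-certs Secret, which
# kubeadm deletes again after 2 hours, and prints the key as its last stdout line
# (after "[upload-certs] Using certificate key:"). Capturing it avoids a manual
# copy-paste of a secret through the terminal.
# NOTE(review): `tail -n 1` assumes the key is the final line; verify on your version.
CERT_KEY="$(sudo kubeadm init phase upload-certs --upload-certs | tail -n 1)"
[[ -n "${CERT_KEY}" ]] || echo "upload-certs printed no certificate key" >&2
# The printed join line carries both the bootstrap token and the certificate key --
# together they grant control-plane membership, so treat the output as a secret.
sudo kubeadm token create --print-join-command --certificate-key "${CERT_KEY}"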
Kubeadm config
-
https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta3/
- print defaults
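# Dump the built-in defaults as a starting point for kubeadm-config.yaml. Replace the
# placeholders before use: init-defaults ships `token: abcdef.0123456789abcdef` and
# `advertiseAddress: 1.2.3.4`. A cluster bootstrapped with that sample token accepts the
# well-known token from anyone who can reach the API server until it expires.
kubeadm config print init-defaults
kubeadm config print join-defaults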
kubeadm init --config ....
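# kubeadm-config.yaml (see below) embeds a bootstrap token and the certificate key in
# clear text, so keep it owner-readable only. --upload-certs stores the control-plane
# certificates (CA private keys included), encrypted with certificateKey, in the
# kubeadm-certs Secret for 2h. The init output ends with ready-made join lines that
# carry those credentials -- treat the captured log as sensitive.
chmod 600 kubeadm-config.yaml
sudo kubeadm init --v=5 --upload-certs --config kubeadm-config.yaml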
- kubeadm-config.yaml 예
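# Example config for a control plane backed by an external etcd. The generation and the
# init run on the first control-plane node; the join at the bottom runs on the NEXT
# control-plane node with the same TOKEN / CERT_KEY values copied over.
CERT_KEY="$(kubeadm certs certificate-key)"
TOKEN="$(kubeadm token generate)"
# Create the file 0600 first: it carries a live bootstrap token and the certificate key.
install -m 600 /dev/null kubeadm-config.yaml
cat << EOF > kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
bootstrapTokens:
# NOTE(review): kubeadm's own TTL-proxy token (created by upload-certs) has no usages,
# but a token listed here without explicit usages/groups is defaulted to
# signing+authentication in the node-token group -- i.e. this is a second, fully
# usable 1h join token, not just a TTL anchor. Drop it unless you need it.
- token: "$(kubeadm token generate)"
  description: "Proxy for managing TTL for the kubeadm-certs secret"
  ttl: "1h"
- token: "${TOKEN}"
  description: "kubeadm bootstrap token"
  ttl: "24h"
  usages:
  - authentication
  - signing
  groups:
  - system:bootstrappers:kubeadm:default-node-token
# Encrypts the control-plane certificates uploaded by --upload-certs (CA keys included).
certificateKey: "${CERT_KEY}"
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
# registry.k8s.io is the current community registry (this page already pulls from it
# below); k8s.gcr.io, used originally, is frozen and only redirects.
imageRepository: registry.k8s.io
# Public address:port of the API endpoint (presumably a load balancer / NAT in front,
# given the non-6443 port). Anyone who can reach it can attempt token-based joins and
# anonymous cluster-info discovery, so restrict source ranges at the firewall/LB.
controlPlaneEndpoint: 35.243.98.12:9998
# v1beta3 dropped dns.type (CoreDNS is the only option); an explicit `type: CoreDNS`
# from the v1beta2 days is rejected, so leave it out.
dns: {}
apiServer:
  extraArgs:
    # Passed straight to kube-apiserver. kubeadm itself derives cert SANs / local
    # endpoints from InitConfiguration.localAPIEndpoint, not from this flag.
    # NOTE(review): confirm pods can reach this public address via the kubernetes Service.
    advertise-address: 35.243.98.12
    authorization-mode: Node,RBAC
etcd:
  external:
    endpoints:
    - https://10.146.0.16:2379
    - https://10.146.0.17:2379
    - https://10.146.0.18:2379
    # These files must already be on this node (copied from the etcd cluster's CA);
    # the key should be root-owned, mode 0600.
    caFile: /etc/kubernetes/pki/etcd/ca.crt
    certFile: /etc/kubernetes/pki/apiserver-etcd-client.crt
    keyFile: /etc/kubernetes/pki/apiserver-etcd-client.key
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
controllerManager: {}
scheduler: {}
EOF
# --- on the joining control-plane node, after `kubeadm init --upload-certs` ran above ---
# /etc/kubernetes/pki/ca.crt only exists on a control-plane node: compute HASH on the first
# node (or take it from the join line init prints) and carry it over with TOKEN/CERT_KEY.
HASH="$(openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl pkey -pubin -outform der | openssl dgst -sha256 -hex | sed 's/^.* //')"
# Discovery here targets one API server's internal address instead of controlPlaneEndpoint;
# either works, but the endpoint keeps working when that particular node is gone.
sudo kubeadm join 10.146.0.16:6443 --control-plane --token "${TOKEN}" --discovery-token-ca-cert-hash "sha256:${HASH}" --certificate-key "${CERT_KEY}"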
- images pull
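# Pre-pull the control-plane images so init does not stall on the network.
# The plain form uses kubeadm's built-in default registry (k8s.gcr.io on older releases;
# that registry is frozen and only redirects, so prefer registry.k8s.io explicitly).
sudo kubeadm config images pull
sudo kubeadm config images pull --image-repository=registry.k8s.io
# Best option: pull with the same config init will use, so imageRepository and
# kubernetesVersion match and the node does not end up with images from two registries.
sudo kubeadm config images pull --config kubeadm-config.yaml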
Cleanup for nodes provisioned
https://ranchermanager.docs.rancher.com/v2.5/how-to-guides/advanced-user-guides/manage-clusters/clean-cluster-nodes
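#!/bin/bash
# Destructive node cleanup for a kubeadm/containerd node, derived from Rancher's
# clean-cluster-nodes guide: removes containers, Kubernetes/CNI state, CNI interfaces and
# ALL iptables rules. Prefer `kubeadm reset -f` where it still works; this is the manual
# fallback for a node that must be re-provisioned from scratch.
set -u   # a typo'd/unset path must never degrade into an unguarded `rm -rf`

# Directories wiped by cleanup-dirs (Kubernetes, CNI, etcd, kubelet and RKE leftovers).
readonly -a CLEANUP_DIRS=(/etc/ceph /etc/cni /etc/kubernetes /opt/cni /run/secrets/kubernetes.io /run/calico /run/flannel /var/lib/calico /var/lib/weave /var/lib/etcd /var/lib/cni /var/lib/kubelet /var/lib/rancher/rke/log /var/log/containers /var/log/pods /var/run/calico)
# CNI-created network interfaces deleted by cleanup-interfaces (flannel, calico, weave).
readonly -a CLEANUP_INTERFACES=(flannel.1 cni0 tunl0 weave datapath vxlan-6784)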
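#######################################
# Remove every container in containerd's k8s.io namespace.
# `ctr c rm` refuses a container that still has a (running) task, and called with no
# ids at all it errors out instead of being a no-op -- so iterate, tear the task down,
# then delete the container. Skips cleanly when ctr is not installed.
# Globals:   none
# Outputs:   progress on stdout, warnings on stderr
# Returns:   0
#######################################
cleanup-containers() {
  echo "Removing containers..."
  if ! command -v ctr > /dev/null 2>&1; then
    echo "ctr not found, skipping container removal" >&2
    return 0
  fi
  local -a ids=()
  local id
  mapfile -t ids < <(ctr -n k8s.io c ls -q)
  for id in "${ids[@]}"; do
    [[ -n "$id" ]] || continue
    # task may already be gone; failures here are expected and not interesting
    ctr -n k8s.io task kill -s SIGKILL "$id" 2> /dev/null
    ctr -n k8s.io task rm -f "$id" 2> /dev/null
    ctr -n k8s.io c rm "$id"
  done
}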
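#######################################
# Unmount kubelet's tmpfs volume mounts and delete every directory in CLEANUP_DIRS.
# The kubelet leaves tmpfs mounts (secrets, projected tokens) under /var/lib/kubelet;
# they are unmounted first, otherwise rm would empty the live tmpfs or fail with EBUSY.
# Globals:   CLEANUP_DIRS (read)
# Outputs:   progress on stdout, unmount failures on stderr
# Returns:   0
#######################################
cleanup-dirs() {
  echo "Unmounting filesystems..."
  local mnt dir
  # mount(8) prints "<src> on <target> type <fstype> (<opts>)"; keep tmpfs targets below
  # the kubelet root. read -r keeps a target containing spaces intact.
  while IFS= read -r mnt; do
    [[ -n "$mnt" ]] || continue
    umount "$mnt" || echo "could not unmount $mnt" >&2
  done < <(mount | awk '$5 == "tmpfs" && index($3, "/var/lib/kubelet") { print $3 }')
  echo "Removing directories..."
  for dir in "${CLEANUP_DIRS[@]}"; do
    echo "Removing $dir"
    # `:?` aborts on an empty element so this can never expand to `rm -rf /`;
    # `--` protects against an element that starts with a dash.
    rm -rf -- "${dir:?}"
  done
}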
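#######################################
# Delete the CNI network interfaces listed in CLEANUP_INTERFACES, if present.
# Globals:   CLEANUP_INTERFACES (read)
# Outputs:   progress on stdout
# Returns:   0
#######################################
cleanup-interfaces() {
  echo "Removing interfaces..."
  local ifname
  for ifname in "${CLEANUP_INTERFACES[@]}"; do
    # `ip link show` exits non-zero when the device does not exist, so test its exit
    # status directly. The original `if $(cmd ...)` only worked by accident: the empty
    # expansion left bash with the substitution's status instead of running a command.
    if ip link show "$ifname" > /dev/null 2>&1; then
      echo "Removing $ifname"
      ip link delete "$ifname"
    fi
  done
}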
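#######################################
# Flush and delete every iptables chain, then restart containerd.
# This wipes ALL IPv4 rules on the host, not only the kube-proxy/CNI chains: if the node
# carries its own firewall policy (ufw/firewalld/cloud agent), re-apply it afterwards.
# The raw table is included because Calico (whose state this script also removes)
# installs chains there. ip6tables is not touched.
# Globals:   none
# Outputs:   progress on stdout
# Returns:   0
#######################################
flush-iptables() {
  echo "Flushing iptables..."
  local table
  for table in nat mangle raw; do
    iptables -F -t "$table"
    iptables -X -t "$table"
  done
  iptables -F
  iptables -X
  # containerd -- not Docker -- is the runtime on this node; the old message said Docker.
  echo "Restarting containerd..."
  systemctl restart containerd
}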
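#######################################
# Entry point: refuse to run unprivileged, stop the kubelet, then run the cleanup
# steps in dependency order (containers before dirs, dirs before interfaces/iptables).
# Arguments: none
#######################################
main() {
  # Every step needs root; without it the script would fail half-way through and leave
  # the node in an undefined state.
  if [[ "$(id -u)" -ne 0 ]]; then
    echo "this script must run as root" >&2
    exit 1
  fi
  # While the kubelet runs it keeps recreating static pods and their volume mounts under
  # /var/lib/kubelet -- exactly what cleanup-containers/cleanup-dirs are deleting.
  # Best effort: the unit may not exist on a node that was never joined.
  systemctl stop kubelet 2> /dev/null || true
  cleanup-containers
  cleanup-dirs
  cleanup-interfaces
  flush-iptables
  echo "Done!"
}
main "$@"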
etcdctl
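# etcd membership on a kubeadm cluster. etcd only serves mTLS, so etcdctl needs the etcd
# CA and a client certificate; on a control-plane node the apiserver's etcd client pair
# (same paths as in the ClusterConfiguration above) works, and the key is root-only, so
# run this as root. 127.0.0.1:2379 is the stacked etcd's client address -- point
# --endpoints at the external etcd cluster otherwise.
export ETCDCTL_API=3   # default since etcdctl 3.4; harmless there, required on older builds
ETCDCTL_ARGS=(--endpoints=https://127.0.0.1:2379
  --cacert=/etc/kubernetes/pki/etcd/ca.crt
  --cert=/etc/kubernetes/pki/apiserver-etcd-client.crt
  --key=/etc/kubernetes/pki/apiserver-etcd-client.key)
# list members (id, status, name, peer and client URLs)
etcdctl "${ETCDCTL_ARGS[@]}" member list
# remove a member by id. Do this BEFORE wiping the node: a dead voter left in a 3-member
# cluster means one more failure loses quorum.
etcdctl "${ETCDCTL_ARGS[@]}" member remove "${MEMBER_ID:?set MEMBER_ID to the id shown by 'member list'}"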
Use Case
Simple
- 192.168.77.71 : externally reachable address, used as controlPlaneEndpoint (an RFC 1918 private address, so "public" here means reachable from outside the node, not from the Internet)
- 10.30.20.101 : eth0
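# Single control-plane node with stacked (local) etcd. Written for the v1beta3 API used
# elsewhere on this page (kubeadm >= 1.22); on older kubeadm use apiVersion v1beta2 and
# add back `dns: {type: CoreDNS}`, a field v1beta3 no longer accepts.
cat << EOF > kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
# Address clients and joining nodes use. It is an RFC 1918 address, so "public" means
# outside-the-node; still, limit who can reach 6443 to the nodes and admins.
controlPlaneEndpoint: 192.168.77.71:6443
apiServer:
  extraArgs:
    advertise-address: 10.30.20.101
    authorization-mode: Node,RBAC
  # kubeadm already adds the controlPlaneEndpoint host and the auto-detected
  # localAPIEndpoint address (typically eth0's 10.30.20.101) to the serving cert;
  # localhost/127.0.0.1 matter only if something talks to the apiserver locally over TLS.
  certSANs:
  - 10.30.20.101
  - localhost
  - 127.0.0.1
etcd:
  local:
    dataDir: /var/lib/etcd
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
controllerManager: {}
scheduler: {}
EOF
# The init output ends with join lines carrying the bootstrap token (and, with
# --upload-certs, the certificate key): treat the captured log as sensitive.
sudo kubeadm init --v=5 --upload-certs --config kubeadm-config.yaml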