Kubernetes:58.kubeadm join

2019-08-16  by 小六的昵称已被使用

Syntax

[09:33:04 root@ceshi-01 ~ $]kubeadm join --help

When joining a kubeadm initialized cluster, we need to establish bidirectional trust. This is split into discovery (having the Node trust the Kubernetes Control Plane) and TLS bootstrap (having the Kubernetes Control Plane trust the Node).

There are 2 main schemes for discovery. The first is to use a shared token along with the IP address of the API server. The second is to provide a file - a subset of the standard kubeconfig file. This file can be a local file or downloaded via an HTTPS URL. The forms are kubeadm join --discovery-token abcdef.1234567890abcdef 1.2.3.4:6443, kubeadm join --discovery-file path/to/file.conf, or kubeadm join --discovery-file https://url/file.conf. Only one form can be used. If the discovery information is loaded from a URL, HTTPS must be used. Also, in that case the host installed CA bundle is used to verify the connection.

If you use a shared token for discovery, you should also pass the --discovery-token-ca-cert-hash flag to validate the public key of the root certificate authority (CA) presented by the Kubernetes Control Plane. The value of this flag is specified as "<hash-type>:<hex-encoded-value>", where the supported hash type is "sha256". The hash is calculated over the bytes of the Subject Public Key Info (SPKI) object (as in RFC7469). This value is available in the output of "kubeadm init" or can be calculated using standard tools. The --discovery-token-ca-cert-hash flag may be repeated multiple times to allow more than one public key.

If you cannot know the CA public key hash ahead of time, you can pass the --discovery-token-unsafe-skip-ca-verification flag to disable this verification. This weakens the kubeadm security model since other nodes can potentially impersonate the Kubernetes Control Plane.

The TLS bootstrap mechanism is also driven via a shared token. This is used to temporarily authenticate with the Kubernetes Control Plane to submit a certificate signing request (CSR) for a locally created key pair. By default, kubeadm will set up the Kubernetes Control Plane to automatically approve these signing requests. This token is passed in with the --tls-bootstrap-token abcdef.1234567890abcdef flag.

Often times the same token is used for both parts. In this case, the --token flag can be used instead of specifying each token individually.
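As an added example (not part of the kubeadm help text or the kubeadm project), the script below computes the --discovery-token-ca-cert-hash value that the text says can be "calculated using standard tools" and performs the check a joining node makes against it. It assumes openssl is installed; the CA certificate, endpoint and token it uses are constructed placeholders, not values from a real cluster.

```shell
#!/usr/bin/env bash
# kubeadm pins the SHA-256 of the DER-encoded SubjectPublicKeyInfo (SPKI)
# of the cluster root CA (RFC 7469), so a node can refuse an impostor
# control plane during token-based discovery.
set -eu

# Print "sha256:<hex>" for the PEM certificate at $1.
# 'openssl pkey' emits the SPKI DER for RSA and EC keys alike.
spki_sha256_pin() {
  local cert="$1" hex
  hex=$(openssl x509 -in "$cert" -pubkey -noout \
        | openssl pkey -pubin -outform der 2>/dev/null \
        | openssl dgst -sha256 -hex | sed 's/^.* //')
  printf 'sha256:%s\n' "$hex"
}

# Return 0 when the certificate at $1 matches the pin in $2, 1 otherwise.
# Mirrors the joining node's check: only the "sha256" hash type is accepted.
verify_pin() {
  local cert="$1" pin="$2"
  case "$pin" in
    sha256:*) ;;
    *) echo "unsupported hash type in pin: $pin" >&2; return 1 ;;
  esac
  [ "$(spki_sha256_pin "$cert")" = "$pin" ]
}

# Assemble a pinned join command line from endpoint, token and pin.
join_cmd() {
  local endpoint="$1" token="$2" pin="$3"
  printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash %s\n' \
    "$endpoint" "$token" "$pin"
}

# Throwaway self-signed CA used as constructed test input (not a cluster CA).
make_test_ca() {
  local out="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kubernetes" \
    -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

# Demo: pin a freshly generated CA and print the resulting join command.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
make_test_ca "$tmp/ca.crt"
pin=$(spki_sha256_pin "$tmp/ca.crt")
join_cmd 10.0.0.1:6443 abcdef.1234567890abcdef "$pin"
```

On a real control plane the same pin is obtained by pointing spki_sha256_pin at /etc/kubernetes/pki/ca.crt.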


The "join [api-server-endpoint]" command executes the following phases:
```
preflight              Run join pre-flight checks
control-plane-prepare  Prepare the machine for serving a control plane
  /download-certs        [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
  /certs                 Generate the certificates for the new control plane components
  /kubeconfig            Generate the kubeconfig for the new control plane components
  /control-plane         Generate the manifests for the new control plane components
kubelet-start          Write kubelet settings, certificates and (re)start the kubelet
control-plane-join     Join a machine as a control plane instance
  /etcd                  Add a new local etcd member
  /update-status         Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap
  /mark-control-plane    Mark a node as a control-plane
```

Usage:
  kubeadm join [api-server-endpoint] [flags]
  kubeadm join [command]

Available Commands:
  phase       Use this command to invoke single phase of the join workflow

Flags:
      --apiserver-advertise-address string            If the node should host a new control plane instance, the IP address the API Server will advertise it's listening on.
                                                      If not set the default network interface will be used.
      --apiserver-bind-port int32                     If the node should host a new control plane instance, the port for the API Server to bind to. (default 6443)
      --certificate-key string                        Use this key to decrypt the certificate secrets uploaded by init.
      --config string                                 Path to kubeadm config file.
      --control-plane                                 Create a new control plane instance on this node
      --cri-socket string                             Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value;
                                                      use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
      --discovery-file string                         For file-based discovery, a file or URL from which to load cluster information.
      --discovery-token string                        For token-based discovery, the token used to validate cluster information fetched from the API server.
      --discovery-token-ca-cert-hash strings          For token-based discovery, validate that the root CA public key matches this hash (format: "<type>:<value>").
      --discovery-token-unsafe-skip-ca-verification   For token-based discovery, allow joining without --discovery-token-ca-cert-hash pinning.
  -h, --help                                          help for join
      --ignore-preflight-errors strings               A list of checks whose errors will be shown as warnings.
                                                      Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
      --node-name string                              Specify the node name.
      --skip-phases strings                           List of phases to be skipped
      --tls-bootstrap-token string                    Specify the token used to temporarily authenticate with the Kubernetes Control Plane while joining the node.
      --token string                                  Use this token for both discovery-token and tls-bootstrap-token when those values are not provided.

Global Flags:
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm join [command] --help" for more information about a command.