master1:kubeadm init --config=/etc/kubernetes/kubeadm-config.yaml --upload-certs
其余master:
0.阶段
只有master才需要证书,worker只需要kubelet<->api-server.
0.1 init
preflight Run pre-flight checks
certs Certificate generation
/ca Generate the self-signed Kubernetes CA to provision identities for other Kubernetes components
/apiserver Generate the certificate for serving the Kubernetes API
/apiserver-kubelet-client Generate the certificate for the API server to connect to kubelet
/front-proxy-ca Generate the self-signed CA to provision identities for front proxy
/front-proxy-client Generate the certificate for the front proxy client
/etcd-ca Generate the self-signed CA to provision identities for etcd
/etcd-server Generate the certificate for serving etcd
/etcd-peer Generate the certificate for etcd nodes to communicate with each other
/etcd-healthcheck-client Generate the certificate for liveness probes to healthcheck etcd
/apiserver-etcd-client Generate the certificate the apiserver uses to access etcd
/sa Generate a private key for signing service account tokens along with its public key
kubeconfig Generate all kubeconfig files necessary to establish the control plane and the admin kubeconfig file
/admin Generate a kubeconfig file for the admin to use and for kubeadm itself
/kubelet Generate a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposes
/controller-manager Generate a kubeconfig file for the controller manager to use
/scheduler Generate a kubeconfig file for the scheduler to use
kubelet-start Write kubelet settings and (re)start the kubelet
control-plane Generate all static Pod manifest files necessary to establish the control plane
/apiserver Generates the kube-apiserver static Pod manifest
/controller-manager Generates the kube-controller-manager static Pod manifest
/scheduler Generates the kube-scheduler static Pod manifest
etcd Generate static Pod manifest file for local etcd
/local Generate the static Pod manifest file for a local, single-node local etcd instance
upload-config Upload the kubeadm and kubelet configuration to a ConfigMap
/kubeadm Upload the kubeadm ClusterConfiguration to a ConfigMap
/kubelet Upload the kubelet component config to a ConfigMap
upload-certs Upload certificates to kubeadm-certs
mark-control-plane Mark a node as a control-plane
bootstrap-token Generates bootstrap tokens used to join a node to a cluster
kubelet-finalize Updates settings relevant to the kubelet after TLS bootstrap
/experimental-cert-rotation Enable kubelet client certificate rotation
addon Install required addons for passing Conformance tests
/coredns Install the CoreDNS addon to a Kubernetes cluster
/kube-proxy Install the kube-proxy addon to a Kubernetes cluster
0.2 join
preflight Run join pre-flight checks
control-plane-prepare Prepare the machine for serving a control plane[仅针对master节点]
/download-certs [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
/certs Generate the certificates for the new control plane components
/kubeconfig Generate the kubeconfig for the new control plane components
/control-plane Generate the manifests for the new control plane components
kubelet-start Write kubelet settings, certificates and (re)start the kubelet
control-plane-join Join a machine as a control plane instance
/etcd Add a new local etcd member
/update-status Register the new control-plane node into the ClusterStatus maintained in the kubeadm-config ConfigMap
/mark-control-plane Mark a node as a control-plane
1.证书
1.1 kubeadm init
证书名 | common Name | group |
---|---|---|
ca | kubernetes | 无 |
apiserver | kube-apiserver makeAltNamesMutator(pkiutil.GetEtcdPeerAltNames), | 无 |
apiserver-kubelet-client | kube-apiserver-kubelet-client | system:masters |
front-proxy-ca | front-proxy-ca | 无 |
front-proxy-client | front-proxy-client | 无 |
etcd-ca | etcd-ca | 无 |
etcd-server | makeAltNamesMutator(pkiutil.GetEtcdPeerAltNames), setCommonNameToNodeName(), | 无 |
etcd-peer | makeAltNamesMutator(pkiutil.GetEtcdPeerAltNames), setCommonNameToNodeName(), | 无 |
etcd-healthcheck-client | kube-etcd-healthcheck-client | system:masters |
apiserver-etcd-client | apiserver-etcd-client | system:masters |
1.2 kubeadm join
1.2.1 针对master
control-plane-prepare Prepare the machine for serving a control plane
/download-certs [EXPERIMENTAL] Download certificates shared among control-plane nodes from the kubeadm-certs Secret
/certs Generate the certificates for the new control plane components
1)下载证书阶段
从kube-system的sercert"kubeadm-certs"中下载证书。
需要下载的证书:
2)certs阶段
1.创建未下载的证书。
2.创建serviceAccount使用的密钥。
1.2.2 针对worker节点
需要证书:kubelet访问api-server。
kubeadm未对上述证书进行操作。
kubedam启动时,根据--token参数生成"/etc/kubernetes/bootstrap-kubelet.conf"。
之后
kubelet执行TLS Bootstrap,将"/etc/kubernetes/bootstrap-kubelet.conf"转化为"/etc/kubernetes/kubelet.conf".
1)/etc/kubernetes/bootstrap-kubelet.conf
2)/etc/kubernetes/kubelet.conf