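Before upgrading, note the following:
This guide covers a kubeadm Kubernetes cluster running version 1.15.1. Make sure to back up all important components, such as application-level state stored in a database. kubeadm upgrade does not touch your workloads, only components internal to Kubernetes, but taking a backup is always best practice.
Additional information: all containers are restarted after the upgrade, because the container spec hash value changes.
You can only upgrade from one MINOR version to the next MINOR version, or between PATCH versions of the same MINOR. In other words, you cannot skip a MINOR version when upgrading. For example, you can upgrade from 1.y to 1.y + 1, but not from 1.y to 1.y + 2.
e.g. 1.15.1 -> 1.16.2: OK; 1.15.1 -> 1.17.2: not allowed
Upgrade order: master --> node
1. Check the current cluster version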
[root@k8s-master01 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master01 Ready master 49d v1.15.1
k8s-node01 Ready <none> 49d v1.15.1
k8s-node02 Ready <none> 49d v1.15.1
[root@k8s-master01 ~]# kubeadm alpha certs check-expiration # Check when the current cluster certificates expire
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Dec 16, 2021 02:52 UTC 315d no
apiserver Dec 16, 2021 02:52 UTC 315d no
apiserver-etcd-client Dec 16, 2021 02:52 UTC 315d no
apiserver-kubelet-client Dec 16, 2021 02:52 UTC 315d no
controller-manager.conf Dec 16, 2021 02:52 UTC 315d no
etcd-healthcheck-client Dec 16, 2021 02:52 UTC 315d no
etcd-peer Dec 16, 2021 02:52 UTC 315d no
etcd-server Dec 16, 2021 02:52 UTC 315d no
front-proxy-client Dec 16, 2021 02:52 UTC 315d no
scheduler.conf Dec 16, 2021 02:52 UTC 315d no
2. Configure a Kubernetes yum repository from a mirror in China (master node)
[root@k8s-master01 ~]# cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
3. Upgrade the kubeadm tool (master node)
[root@k8s-master01 ~]# yum --enablerepo=kubernetes list kubelet kubeadm kubectl --showduplicates | sort -r
Syntax: kubeadm upgrade plan [version] [flags]
[root@k8s-master01 ~]# kubeadm upgrade plan # Run the kubeadm pre-upgrade check to find the latest Kubernetes version available
[root@k8s-master01 ~]# kubeadm upgrade plan v1.15.12 # Specify a version
The output is as follows:
Components that must be upgraded manually after you have upgraded the control plane with 'kubeadm upgrade apply':
COMPONENT CURRENT AVAILABLE
Kubelet 3 x v1.15.1 v1.15.12
Upgrade to the latest version in the v1.15 series:
COMPONENT CURRENT AVAILABLE
API Server v1.15.1 v1.15.12
Controller Manager v1.15.1 v1.15.12
Scheduler v1.15.1 v1.15.12
Kube Proxy v1.15.1 v1.15.12
CoreDNS 1.3.1 1.3.1
Etcd 3.3.10 3.3.10
You can now apply the upgrade by executing the following command:
kubeadm upgrade apply v1.15.12
Note: Before you can perform this upgrade, you have to update kubeadm to v1.15.12.
_____________________________________________________________________
[root@k8s-master01 ~]# yum update -y kubeadm-1.15.12
3. Upgrade the Kubernetes cluster with kubeadm
1) List the Kubernetes component images needed for the upgrade
[root@k8s-master01 ~]# kubeadm config images list --kubernetes-version=v1.15.12
k8s.gcr.io/kube-apiserver:v1.15.12
k8s.gcr.io/kube-controller-manager:v1.15.12
k8s.gcr.io/kube-scheduler:v1.15.12
k8s.gcr.io/kube-proxy:v1.15.12
k8s.gcr.io/pause:3.1
k8s.gcr.io/etcd:3.3.10
k8s.gcr.io/coredns:1.3.1
2) Create a script that pulls the Kubernetes component images for the upgrade (master and worker nodes)
[root@k8s-master01 ~]# cat > kubernetes-imagesPull.sh << EOF
#!/bin/bash
# kubeadm config images list --kubernetes-version=v1.15.12 shows the image versions listed below
images=(
kube-apiserver:v1.15.12
kube-controller-manager:v1.15.12
kube-scheduler:v1.15.12
kube-proxy:v1.15.12
pause:3.1
etcd:3.3.10
coredns:1.3.1
)
for imageName in \${images[@]} ; do
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/\${imageName}
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/\${imageName} k8s.gcr.io/\${imageName}
docker rmi registry.cn-hangzhou.aliyuncs.com/google_containers/\${imageName}
done
EOF
[root@k8s-master01 ~]# sh kubernetes-imagesPull.sh
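The script above pulls each image from a third-party mirror and retags it as k8s.gcr.io/..., so the image contents are only as trustworthy as the mirror. As an added example (not part of the original post), the check below compares the retagged images' IDs with pinned values; a Docker image ID is a content hash, so an unmodified copy keeps the same ID. The pin-file format and the file name are assumptions.

```shell
#!/bin/sh
# Added example: check retagged images against pinned image IDs.
# Pin file (assumed format): "<name:tag> <sha256:...image ID>" per line,
# '#' starts a comment. IDs must come from a source you trust, not the mirror.

# Look up the local image ID; prints nothing if the image is absent.
image_id() {
  docker image inspect --format '{{.Id}}' "$1" 2>/dev/null
}

# Read pins on stdin, compare each with the local k8s.gcr.io/<name:tag>.
# Prints one line per image; returns 1 if any image is missing or differs.
verify_pins() {
  rc=0
  while read -r image want; do
    case "$image" in ''|'#'*) continue ;; esac
    got=$(image_id "k8s.gcr.io/$image") || got=''
    if [ -z "$got" ]; then
      echo "MISSING  $image"; rc=1
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $image expected=$want actual=$got"; rc=1
    else
      echo "OK       $image"
    fi
  done
  return "$rc"
}

# Usage: sh verify-pins.sh image-pins.txt   (file names are hypothetical)
if [ "$#" -gt 0 ]; then
  verify_pins < "$1"
fi
```

Run it after the pull script and before kubeadm upgrade apply, on every node that pulled images.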
3) Upgrade the Kubernetes cluster with kubeadm
[root@k8s-master01 ~]# kubeadm upgrade apply v1.15.12
...
...
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy
[upgrade/successful] SUCCESS! Your cluster was upgraded to "v1.15.12". Enjoy!
[upgrade/kubelet] Now that your control plane is upgraded, please proceed with upgrading your kubelets if you haven't already done so.
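Note: during the upgrade there is no need to back up the current node's etcd and Kubernetes manifest data; kubeadm automatically backs this data up under the /etc/kubernetes/tmp directory.
4. Upgrade kubelet and kubectl (master node)
[root@k8s-master01 ~]# yum update -y kubectl-1.15.12 kubelet-1.15.12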
[root@k8s-master01 ~]# systemctl daemon-reload
[root@k8s-master01 ~]# systemctl restart kubelet
[root@k8s-master01 ~]# systemctl status kubelet
5. Upgrade kubeadm and kubelet on the worker nodes (all worker nodes)
Upgrade the kubelet version on each worker node:
[root@k8s-master01 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master01 Ready master 49d v1.15.12
k8s-node01 Ready <none> 49d v1.15.1
k8s-node02 Ready <none> 49d v1.15.1
[root@k8s-master01 ~]# kubectl drain [node name] --ignore-daemonsets # Put the node into maintenance mode so that kubelet can be upgraded
[root@k8s-master01 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master01 Ready master 49d v1.15.12
k8s-node01 Ready,SchedulingDisabled <none> 49d v1.15.1
k8s-node02 Ready,SchedulingDisabled <none> 49d v1.15.1
[root@k8s-node01 ~]# yum update kubelet-1.15.12 kubeadm-1.15.12 -y
[root@k8s-node01 ~]# systemctl daemon-reload
[root@k8s-node01 ~]# systemctl restart kubelet
[root@k8s-node01 ~]# systemctl status kubelet
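[root@k8s-master01 ~]# kubectl uncordon [node name] # Take the worker node out of maintenance mode, allowing application workloads to be scheduled again
6. Verify that the upgrade succeeded (master node)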
[root@k8s-master01 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master01 Ready master 49d v1.15.12
k8s-node01 Ready <none> 49d v1.15.12
k8s-node02 Ready <none> 49d v1.15.12
[root@k8s-master01 ~]# kubeadm alpha certs check-expiration # Note that when Kubernetes is upgraded its certificates are renewed as well, valid for 1 year
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Feb 04, 2022 02:36 UTC 364d no
apiserver Feb 04, 2022 02:36 UTC 364d no
apiserver-etcd-client Feb 04, 2022 02:36 UTC 364d no
apiserver-kubelet-client Feb 04, 2022 02:36 UTC 364d no
controller-manager.conf Feb 04, 2022 02:36 UTC 364d no
etcd-healthcheck-client Dec 16, 2021 02:52 UTC 314d no
etcd-peer Dec 16, 2021 02:52 UTC 314d no
etcd-server Dec 16, 2021 02:52 UTC 314d no
front-proxy-client Feb 04, 2022 02:36 UTC 364d no
scheduler.conf Feb 04, 2022 02:36 UTC 364d no
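In the output above the three etcd certificates still expire on Dec 16, 2021, while the others were reissued. As an added example (not from the original post), this script parses check-expiration output to list certificates close to expiry and certificates the upgrade did not reissue; counting sub-day or unparsable residuals as 0 days is an assumption.

```shell
# Added example: audit `kubeadm alpha certs check-expiration` output.
# Sample rows are copied from the post-upgrade output shown above.
SAMPLE='CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Feb 04, 2022 02:36 UTC 364d no
apiserver Feb 04, 2022 02:36 UTC 364d no
apiserver-etcd-client Feb 04, 2022 02:36 UTC 364d no
apiserver-kubelet-client Feb 04, 2022 02:36 UTC 364d no
controller-manager.conf Feb 04, 2022 02:36 UTC 364d no
etcd-healthcheck-client Dec 16, 2021 02:52 UTC 314d no
etcd-peer Dec 16, 2021 02:52 UTC 314d no
etcd-server Dec 16, 2021 02:52 UTC 314d no
front-proxy-client Feb 04, 2022 02:36 UTC 364d no
scheduler.conf Feb 04, 2022 02:36 UTC 364d no'

# Emit "name days" per certificate row. Rows are recognised by the literal
# "UTC" in field 6; the residual is field 7 (e.g. 364d, 9y, 23h).
# Assumption: sub-day or unparsable residuals count as 0 days left.
cert_days() {
  awk '$6 == "UTC" {
    r = $7; n = r; sub(/[a-z]+$/, "", n)
    if (n !~ /^[0-9]+$/) d = 0
    else if (r ~ /y$/) d = n * 365
    else if (r ~ /d$/) d = n
    else d = 0
    print $1, d
  }'
}

# Names of certificates with fewer than $1 days remaining.
certs_expiring_within() {
  cert_days | awk -v limit="$1" '$2 + 0 < limit + 0 { print $1 }'
}

# Names of certificates whose residual is below the longest one in the
# table, i.e. certificates that this upgrade did not reissue.
certs_not_renewed() {
  cert_days | awk '{ n[NR] = $1; d[NR] = $2 + 0; if (d[NR] > max) max = d[NR] }
    END { for (i = 1; i <= NR; i++) if (d[i] < max) print n[i] }'
}

# Demo on the sample; on a master, pipe the real command output in instead.
printf '%s\n' "$SAMPLE" | certs_not_renewed
```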
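Note: after upgrading kubelet on all nodes in the cluster, run the following command to confirm that all nodes have returned to the Ready state:
7. Upgrade the network plugin (master node)
Kubernetes has many network plugins, which are normally chosen at installation time, so kubeadm does not maintain upgrades of these plugin images. Update them selectively according to the plugin you installed. Upgrade documentation for the commonly used Flannel and Calico network plugins is listed below for reference:
Note: when upgrading the network plugin, make sure the subnet configured for the plugin matches the podSubnet value in the kubeadm configuration. You can view it with the command kubectl describe configmaps kubeadm-config -n kube-system.
- Calico upgrade documentation: if the Kubernetes cluster uses the Calico network plugin, see https://docs.projectcalico.org/maintenance/kubernetes-upgrade
- Flannel upgrade documentation: if the Kubernetes cluster uses the Flannel network plugin, see https://github.com/coreos/flannel/blob/master/Documentation/kubernetes.md
8. Upgrade Docker (all nodes)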
[root@k8s-master01 ~]# docker info | grep "Server Version"
Server Version: 19.03.1
[root@k8s-master01 ~]# yum list docker-ce --showduplicates | sort -r
...
...
docker-ce.x86_64 3:20.10.3-3.el7 docker-ce-stable
docker-ce.x86_64 3:20.10.2-3.el7 docker-ce-stable
docker-ce.x86_64 3:20.10.1-3.el7 docker-ce-stable
docker-ce.x86_64 3:20.10.0-3.el7 docker-ce-stable
docker-ce.x86_64 3:19.03.9-3.el7 docker-ce-stable
docker-ce.x86_64 3:19.03.8-3.el7 docker-ce-stable
docker-ce.x86_64 3:19.03.7-3.el7 docker-ce-stable
docker-ce.x86_64 3:19.03.6-3.el7 docker-ce-stable
docker-ce.x86_64 3:19.03.5-3.el7 docker-ce-stable
docker-ce.x86_64 3:19.03.4-3.el7 docker-ce-stable
[root@k8s-master01 ~]# yum update -y docker-ce-19.03.8 # Upgrade Docker
[root@k8s-master01 ~]# systemctl daemon-reload && systemctl restart docker # Restart Docker
[root@k8s-master01 ~]# systemctl restart kubelet # Restart kubelet
Note: there is a bug to watch out for here. Docker's default storage path is /var/lib/docker; if you changed Docker's storage path, you need to set it again by hand at this point, otherwise the default path is used.
Because of this problem, my kubelet kept reporting the following errors:
2月 04 11:07:58 k8s-master01 kubelet[4045]: E0204 11:07:58.014281 4045 kubelet_node_status.go:94] Unable to register node "k8s-master01" with API server: Post https://172.16.3.225:6443/api/v1/nodes: dial tcp 172.16.3.225:6443: connect: connection refused
2月 04 11:07:58 k8s-master01 kubelet[4045]: E0204 11:07:58.016950 4045 kubelet.go:2252] node "k8s-master01" not found
2月 04 11:07:58 k8s-master01 kubelet[4045]: E0204 11:07:58.117232 4045 kubelet.go:2252] node "k8s-master01" not found
It took a long time to resolve; only when I found that docker images and docker ps -a showed that all the images were gone did I understand what the problem was.