kubeadm 常见操作

renew 证书

使用下列命令直接 renew 所有证书：

[root@k8s-m01 ~]# kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W0920 20:40:32.931747    5070 configset.go:77] Warning: No kubeproxy.config.k8s.io/v1alpha1 config is loaded. Continuing without it: configmaps "kube-proxy" not found

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
[root@k8s-m01 ~]#

升级 Kubernetes

升级 Master 节点

参考文档：https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/

# 获取可用的 kubeadm 版本
yum list --showduplicates kubeadm --disableexcludes=kubernetes

# 安装新版本的 kubeadm 并检查
yum versionlock del kubadm
yum install -y kubeadm-1.21.9-0
kubeadm version
yum versionlock add kubeadm

# 查看升级计划，确保目标版本正确（目标版本和 kubeadm 版本保持一致）
kubeadm upgrade plan

[root@k8s-m01 ~]# kubeadm upgrade plan
[upgrade/config] Making sure the configuration is correct:
[upgrade/config] Reading configuration from the cluster...
[upgrade/config] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[preflight] Running pre-flight checks.
[upgrade] Running cluster health checks
[upgrade] Fetching available versions to upgrade to
[upgrade/versions] Cluster version: v1.21.7
[upgrade/versions] kubeadm version: v1.21.9
W0921 12:38:49.345889    7397 version.go:102] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable.txt": Get "https://cdn.dl.k8s.io/release/stable.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
W0921 12:38:49.346004    7397 version.go:103] falling back to the local client version: v1.21.9
[upgrade/versions] Target version: v1.21.9
W0921 12:38:59.362137    7397 version.go:102] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.21.txt": Get "https://cdn.dl.k8s.io/release/stable-1.21.txt": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
W0921 12:38:59.362174    7397 version.go:103] falling back to the local client version: v1.21.9
[upgrade/versions] Latest version in the v1.21 series: v1.21.9

W0921 12:38:59.707062    7397 configset.go:77] Warning: No kubeproxy.config.k8s.io/v1alpha1 config is loaded. Continuing without it: configmaps "kube-proxy" not found
Components that must be upgraded manually after you have upgraded the control plane with 'kubeadm upgrade apply':
COMPONENT   CURRENT       TARGET
kubelet     4 x v1.21.7   v1.21.9

Upgrade to the latest version in the v1.21 series:

COMPONENT                 CURRENT    TARGET
kube-apiserver            v1.21.7    v1.21.9
kube-controller-manager   v1.21.7    v1.21.9
kube-scheduler            v1.21.7    v1.21.9
kube-proxy                v1.21.7    v1.21.9
CoreDNS                   v1.8.0     v1.8.0
etcd                      3.4.13-0   3.4.13-0

You can now apply the upgrade by executing the following command:

	kubeadm upgrade apply v1.21.9

_____________________________________________________________________


The table below shows the current state of component configs as understood by this version of kubeadm.
Configs that have a "yes" mark in the "MANUAL UPGRADE REQUIRED" column require manual config upgrade or
resetting to kubeadm defaults before a successful upgrade can be performed. The version to manually
upgrade to is denoted in the "PREFERRED VERSION" column.

API GROUP                 CURRENT VERSION   PREFERRED VERSION   MANUAL UPGRADE REQUIRED
kubeproxy.config.k8s.io   -                 v1alpha1            no
kubelet.config.k8s.io     v1beta1           v1beta1             no
_____________________________________________________________________

开始升级：

kubeadm upgrade apply v1.21.9

相关升级日志：

[root@k8s-m01 ~]# kubeadm upgrade apply v1.21.9
[upgrade/config] Making sure the configuration is correct:
[upgrade/config] Reading configuration from the cluster...
[upgrade/config] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W0921 12:41:23.169228    8294 configset.go:77] Warning: No kubeproxy.config.k8s.io/v1alpha1 config is loaded. Continuing without it: configmaps "kube-proxy" not found
[preflight] Running pre-flight checks.
[upgrade] Running cluster health checks
[upgrade/version] You have chosen to change the cluster version to "v1.21.9"
[upgrade/versions] Cluster version: v1.21.7
[upgrade/versions] kubeadm version: v1.21.9
[upgrade/confirm] Are you sure you want to proceed with the upgrade? [y/N]: y
[upgrade/prepull] Pulling images required for setting up a Kubernetes cluster
[upgrade/prepull] This might take a minute or two, depending on the speed of your internet connection
[upgrade/prepull] You can also perform this action in beforehand using 'kubeadm config images pull'
[upgrade/apply] Upgrading your Static Pod-hosted control plane to version "v1.21.9"...
Static pod: kube-apiserver-k8s-m01 hash: 03bdffad3f2449ff6607499dec09fbfe
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
[upgrade/etcd] Upgrading to TLS for etcd
Static pod: etcd-k8s-m01 hash: f846fe3975899cd607a67d6ede4f42fd
[upgrade/staticpods] Preparing for "etcd" upgrade
[upgrade/staticpods] Current and new manifests of etcd are equal, skipping upgrade
[upgrade/etcd] Waiting for etcd to become available
[upgrade/staticpods] Writing new Static Pod manifests to "/etc/kubernetes/tmp/kubeadm-upgraded-manifests275496096"
[upgrade/staticpods] Preparing for "kube-apiserver" upgrade
[upgrade/staticpods] Renewing apiserver certificate
[upgrade/staticpods] Renewing apiserver-kubelet-client certificate
[upgrade/staticpods] Renewing front-proxy-client certificate
[upgrade/staticpods] Renewing apiserver-etcd-client certificate
[upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/kube-apiserver.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2023-09-21-12-41-52/kube-apiserver.yaml"
[upgrade/staticpods] Waiting for the kubelet to restart the component
[upgrade/staticpods] This might take a minute or longer depending on the component/version gap (timeout 5m0s)
Static pod: kube-apiserver-k8s-m01 hash: 03bdffad3f2449ff6607499dec09fbfe
Static pod: kube-apiserver-k8s-m01 hash: 03bdffad3f2449ff6607499dec09fbfe
Static pod: kube-apiserver-k8s-m01 hash: 03bdffad3f2449ff6607499dec09fbfe
Static pod: kube-apiserver-k8s-m01 hash: 9e78ffe647bed851b4d156c343563f79
[apiclient] Found 1 Pods for label selector component=kube-apiserver
[upgrade/staticpods] Component "kube-apiserver" upgraded successfully!
[upgrade/staticpods] Preparing for "kube-controller-manager" upgrade
[upgrade/staticpods] Renewing controller-manager.conf certificate
[upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/kube-controller-manager.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2023-09-21-12-41-52/kube-controller-manager.yaml"
[upgrade/staticpods] Waiting for the kubelet to restart the component
[upgrade/staticpods] This might take a minute or longer depending on the component/version gap (timeout 5m0s)
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: 7831462d00b8a96ac4f2b00587ab197a
Static pod: kube-controller-manager-k8s-m01 hash: a5876789b084c46842004f9f9f098983
[apiclient] Found 1 Pods for label selector component=kube-controller-manager
[upgrade/staticpods] Component "kube-controller-manager" upgraded successfully!
[upgrade/staticpods] Preparing for "kube-scheduler" upgrade
[upgrade/staticpods] Renewing scheduler.conf certificate
[upgrade/staticpods] Moved new manifest to "/etc/kubernetes/manifests/kube-scheduler.yaml" and backed up old manifest to "/etc/kubernetes/tmp/kubeadm-backup-manifests-2023-09-21-12-41-52/kube-scheduler.yaml"
[upgrade/staticpods] Waiting for the kubelet to restart the component
[upgrade/staticpods] This might take a minute or longer depending on the component/version gap (timeout 5m0s)
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: 5d3751370e5d195bf49cd3d26dd73873
Static pod: kube-scheduler-k8s-m01 hash: b21794d83b7d1052cbbc550e81d02817
[apiclient] Found 1 Pods for label selector component=kube-scheduler
[upgrade/staticpods] Component "kube-scheduler" upgraded successfully!
[upgrade/postupgrade] Applying label node-role.kubernetes.io/control-plane='' to Nodes with label node-role.kubernetes.io/master='' (deprecated)
[upgrade/postupgrade] Applying label node.kubernetes.io/exclude-from-external-load-balancers='' to control plane Nodes
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config-1.21" in namespace kube-system with the configuration for the kubelets in the cluster
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[addons] Applied essential addon: CoreDNS
W0921 12:43:17.363688    8294 postupgrade.go:141] the ConfigMap "kube-proxy" in the namespace "kube-system" was not found. Assuming that kube-proxy was not deployed for this cluster. Note that once 'kubeadm upgrade apply' supports phases you will have to skip the kube-proxy upgrade manually

[upgrade/successful] SUCCESS! Your cluster was upgraded to "v1.21.9". Enjoy!

[upgrade/kubelet] Now that your control plane is upgraded, please proceed with upgrading your kubelets if you haven't already done so.

升级 Master 节点的 kubelet

kubectl drain k8s-m01 --ignore-daemonsets

升级剩余的节点

依次登陆 Worker 节点，使用下列命令升级：

使用自定义的 kubeadm config

如果在升级时想调整 kubeadm 的配置，可以使用下列方法导出 kubeadm config，修改后再调用：

# 获取原来的 kubeadm config 文件，并导出为 oldkubeadm.yaml
kubectl get cm -o yaml -n kube-system kubeadm-config > oldkubeadm.yaml

# 复制 configmap
cp oldkubeadm.yaml newkubeadm.yaml

编辑 kubeadm config 文件，将里面的 data 提取出来，去掉 configmap 的内容。修改里面的 Kubernetes 版本号为目标版本 (此处为 v1.21.9)

# vi newkubeadm.yaml
apiServer:
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.21.10
networking:
  dnsDomain: cluster.local
  podSubnet: 10.20.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}

使用 kubeadm upgrade plan 并调用上述的 yaml 文件，进行升级检查：

kubeadm upgrade plan  --config=newkubeadm.yaml
[upgrade/config] Making sure the configuration is correct:
W0921 13:18:03.135784   19506 common.go:94] WARNING: Usage of the --config flag with kubeadm config types for reconfiguring the cluster during upgrade is not recommended!
[preflight] Running pre-flight checks.
[upgrade] Running cluster health checks
[upgrade] Fetching available versions to upgrade to
[upgrade/versions] Cluster version: v1.21.9
[upgrade/versions] kubeadm version: v1.21.10
[upgrade/versions] Target version: v1.21.10
[upgrade/versions] Latest version in the v1.21 series: v1.21.10

W0921 13:18:05.664970   19506 configset.go:77] Warning: No kubeproxy.config.k8s.io/v1alpha1 config is loaded. Continuing without it: configmaps "kube-proxy" not found
Components that must be upgraded manually after you have upgraded the control plane with 'kubeadm upgrade apply':
COMPONENT   CURRENT       TARGET
kubelet     4 x v1.21.9   v1.21.10

Upgrade to the latest version in the v1.21 series:

COMPONENT                 CURRENT    TARGET
kube-apiserver            v1.21.9    v1.21.10
kube-controller-manager   v1.21.9    v1.21.10
kube-scheduler            v1.21.9    v1.21.10
kube-proxy                v1.21.9    v1.21.10
CoreDNS                   v1.8.0     v1.8.0
etcd                      3.4.13-0   3.4.13-0

You can now apply the upgrade by executing the following command:

	kubeadm upgrade apply v1.21.10

_____________________________________________________________________


The table below shows the current state of component configs as understood by this version of kubeadm.
Configs that have a "yes" mark in the "MANUAL UPGRADE REQUIRED" column require manual config upgrade or
resetting to kubeadm defaults before a successful upgrade can be performed. The version to manually
upgrade to is denoted in the "PREFERRED VERSION" column.

API GROUP                 CURRENT VERSION   PREFERRED VERSION   MANUAL UPGRADE REQUIRED
kubeproxy.config.k8s.io   -                 v1alpha1            no
kubelet.config.k8s.io     v1beta1           v1beta1             no

确保无问题后使用下列命令进行升级：

kubeadm upgrade apply v1.21.10 --config=newkubeadm.yaml

其余步骤和前面文章的一致。

新增节点

默认 kubeadm 生成的 token 只有一天的有效期，在 token 过期后，新增的 worker 不能再通过之前的 join 加入 Master，因此需要创建新的 token，同时生产加入集群的命令，之后在 Worker 直接执行即可：

kubeadm token create --print-join-command

清理节点

通过下列命令卸载 Kubernetes（注意这些步骤并不会卸载 CNI 残留的组件，所以如果卸载后安装其他 CNI 可能会出问题）：

这有帮助吗？

目录