Certificate key when adding node to Kubernetes control plane


Question

So I know how to add a worker node to an existing Kubernetes 1.14 cluster (that was set up with kubeadm): kubeadm token create --print-join-command will print a valid kubeadm join command with correct values for arguments --token and --discovery-token-ca-cert-hash.

I currently understand that for adding another node to the control plane (master node) kubeadm join requires the additional arguments --experimental-control-plane (w/o value) and --certificate-key. This is for stacked control plane and etcd nodes.

How (in which file) can I obtain the correct value for --certificate-key for an existing cluster?

UPDATE My first (and currently only) master node was created without the argument --experimental-upload-certs to kubeadm init (but by kubeadm init --pod-network-cidr=10.244.0.0/16 instead). Therefore manual certificate distribution should apply and a possible sequence of steps could thus be:

  1. copy certificates and keys in /etc/kubernetes/pki/{ca.*,sa.*,front-proxy-sa.*,etcd/ca.*} from the first to the new master node
  2. run kubeadm token create --print-join-command on the first master node
  3. run printed kubeadm join command with the additional argument --experimental-control-plane on the new master node

Is this the correct procedure?

Recommended answer

According to the documentation, this command provides a new decryption key:

kubeadm init phase upload-certs --experimental-upload-certs
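
For the manual certificate distribution steps listed in the question, a pre-flight check can be run on the new master after copying the files and before running kubeadm join. This is an added example, not part of the original question or answer. The function name, the file list (assumed to follow kubeadm's standard PKI layout, with front-proxy-ca.*) and the permission policy are assumptions.

```shell
# Added example: pre-flight check for a manually copied kubeadm PKI bundle.
# Assumed file list (kubeadm's standard PKI layout); adjust if your cluster differs.
REQUIRED_PKI_FILES="ca.crt ca.key sa.pub sa.key front-proxy-ca.crt front-proxy-ca.key etcd/ca.crt etcd/ca.key"

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_pki_bundle DIR
# Returns 0 only if every required file exists, is non-empty, and no private
# key is accessible by group or others. Prints one line per problem found.
# The body runs in a subshell so its variables stay local.
check_pki_bundle() (
  dir="$1"
  problems=0
  for rel in $REQUIRED_PKI_FILES; do
    path="$dir/$rel"
    if [ ! -s "$path" ]; then
      echo "MISSING or empty: $rel"
      problems=$((problems + 1))
      continue
    fi
    case "$rel" in
      *.key)
        mode=$(file_mode "$path")
        # The last two octal digits are the group/other bits; both must be 0.
        case "$mode" in
          *00) ;;
          *) echo "TOO PERMISSIVE ($mode): $rel"
             problems=$((problems + 1)) ;;
        esac
        ;;
    esac
  done
  [ "$problems" -eq 0 ]
)

# Usage on the new master, before the printed join command is run with
# --experimental-control-plane:
#   check_pki_bundle /etc/kubernetes/pki || exit 1
```
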
