<!-- 4. Generates static Pod manifests for the API server,controller-manager and scheduler. In case an external etcd is not provided,an additional static Pod manifest is generated for etcd. -->
4. 为 API 服务器、控制器管理器和调度器生成静态 Pod 的清单文件。假使没有提供一个外部的 etcd 服务的话,也会为 etcd 生成一份额外的静态 Pod 清单文件。
<!--
4. Generates static Pod manifests for the API server,controller-manager and scheduler. In case an external etcd is not provided,an additional static Pod manifest is generated for etcd.
-->
4. 为 API 服务器、控制器管理器和调度器生成静态 Pod 的清单文件。假使没有提供一个外部的 etcd
服务的话,也会为 etcd 生成一份额外的静态 Pod 清单文件。
<!--
Static Pod manifests are written to `/etc/kubernetes/manifests`; the kubelet watches this directory for Pods to create on startup.
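Review bot: Item 4 appears twice in this hunk, once on a single line and once re-wrapped (`假使没有提供一个外部的 etcd` / `服务的话,...`), each with its own copy of the English source comment; keep only the wrapped copy, which is the form used elsewhere on the page, so neither the comment nor the translation is duplicated. The added English sentence about `/etc/kubernetes/manifests` and the kubelet watching that directory sits inside a `<!--` comment with no translated paragraph after it; add the Chinese text for it (or drop the sentence) so the translation keeps tracking the source one paragraph at a time.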
@ -68,15 +85,29 @@ Once control plane Pods are up and running, the `kubeadm init` sequence can cont
一旦控制平面的 Pod 都运行起来, `kubeadm init` 的工作流程就继续往下执行。
<!-- 1. Apply labels and taints to the control-plane node so that no additional workloads will
run there. -->1. 对控制平面节点应用 labels 和 taints 标记以便不会在它上面运行其它的工作负载。
<!--
1. Apply labels and taints to the control-plane node so that no additional workloads will
run there.
-->
1. 对控制平面节点应用 labels 和 taints 标记以便不会在它上面运行其它的工作负载。
<!-- 2. Generates the token that additional nodes can use to register themselves with a control-plane in the future. Optionally, the user can provide a token via `--token`, as described in the [kubeadm token](/docs/reference/setup-tools/kubeadm/kubeadm-token/) docs. -->2. 生成令牌以便其它节点以后可以使用这个令牌向控制平面节点注册它们自己。(可选),用户可以通过 `--token` 提供一个令牌,正如文档 [kubeadm token](/docs/reference/setup-tools/kubeadm/kubeadm-token/) 所述。
<!--
2. Generates the token that additional nodes can use to register themselves with a control-plane in the future. Optionally, the user can provide a token via `-token`, as described in the [kubeadm token](/docs/reference/setup-tools/kubeadm/kubeadm-token/) docs.
<!-- 3. Makes all the necessary configurations for allowing node joining with the [Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) and [TLS Bootstrap](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) mechanism:
<!--
3. Makes all the necessary configurations for allowing node joining with the [Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) and [TLS Bootstrap](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) mechanism:
- Write a ConfigMap for making available all the information required for joining, and set up related RBAC access rules.
- Let Bootstrap Tokens access the CSR signing API.
- Configure auto-approval for new CSR requests. -->3. 为了使得节点能够遵照 [Bootstrap Tokens](/docs/reference/access-authn-authz/bootstrap-tokens/) 和 [TLS Bootstrap](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/) 这两份文档中描述的机制加入到集群中,kubeadm 会执行所有的必要配置:
1. Installs a DNS server (CoreDNS) and the kube-proxy addon components via the API server.
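Review bot: The translation of item 3 stops at `kubeadm 会执行所有的必要配置:` and never renders the three sub-items from the English comment (write the ConfigMap with the join information and its RBAC rules, let Bootstrap Tokens access the CSR signing API, configure auto-approval for new CSR requests); those are the security-relevant part of the step, so add them as three `-` bullets under the colon. Separately, the new source comment for item 2 reads `-token` with a single dash while the translation and the earlier comment keep `--token`, which is the kubeadm flag; make sure the committed comment keeps the double dash.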
@ -94,7 +125,8 @@ See [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) for additi
Please note that although the DNS server is deployed, it will not be scheduled until CNI is installed. -->
1. 通过 API 服务器安装一个 DNS 服务器 (CoreDNS) 和 kube-proxy 附加组件。
在 1.11 版本以及更新版本的 Kubernetes 中 CoreDNS 是默认的 DNS 服务器。
要安装 kube-dns 而不是 CoreDNS,必须在 kubeadm `ClusterConfiguration` 中配置 DNS 插件。有关配置的更多信息,请参见下面的 `Using kubeadm init with a configuration file` 一节。
要安装 kube-dns 而不是 CoreDNS,必须在 kubeadm `ClusterConfiguration` 中配置 DNS 插件。
有关配置的更多信息,请参见下面的"带配置文件使用 kubeadm init" 一节。
请注意,尽管已部署 DNS 服务器,但直到安装 CNI 时才调度它。
<!--
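Review bot: The sentence pair beginning `要安装 kube-dns 而不是 CoreDNS` is present twice in this hunk, once citing the section as `Using kubeadm init with a configuration file` and once as "带配置文件使用 kubeadm init"; keep one copy, preferably the one whose section name matches the translated heading used in the file, and delete the other so the paragraph is not repeated.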
@ -105,10 +137,10 @@ See [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/) for additi
<!--
Kubeadm allows you to create a control-plane node in phases using the `kubeadm init phase` command.
-->
Kubeadm 允许您使用 `kubeadm init phase` 命令分阶段创建控制平面节点。
Kubeadm 允许你使用 `kubeadm init phase` 命令分阶段创建控制平面节点。
<!--
To view the ordered list of phases and sub-phases you can call `kubeadm init --help`. The list will be located at the top of the help screen and each phase will have a description next to it.
To view the ordered list of phases and sub-phases you can call `kubeadm init -help`. The list will be located at the top of the help screen and each phase will have a description next to it.
Note that by calling `kubeadm init` all of the phases and sub-phases will be executed in this exact order.
-->
要查看阶段和子阶段的有序列表,可以调用 `kubeadm init --help`。
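Review bot: The `kubeadm init -help` sentence is a single-dash copy of the line above it that correctly reads `kubeadm init --help`; make sure the committed comment keeps the double dash, since `-help` is not the flag (the translated line `可以调用 \`kubeadm init --help\`` is right). The `您` to `你` change in the first sentence matches the same change in the later hunks.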
@ -116,7 +148,7 @@ Note that by calling `kubeadm init` all of the phases and sub-phases will be exe
注意,通过调用 `kubeadm init`,所有阶段和子阶段都将按照此确切顺序执行。
<!--
Some phases have unique flags, so if you want to have a look at the list of available options add `--help`, for example:
Some phases have unique flags, so if you want to have a look at the list of available options add `-help`, for example:
You can also use `--help` to see the list of sub-phases for a certain parent phase:
You can also use `-help` to see the list of sub-phases for a certain parent phase:
-->
您也可以使用 `--help` 查看特定父阶段的子阶段列表:
你也可以使用 `--help` 查看特定父阶段的子阶段列表:
```shell
sudo kubeadm init phase control-plane --help
```
<!--
`kubeadm init` also exposes a flag called `--skip-phases` that can be used to skip certain phases. The flag accepts a list of phase names and the names can be taken from the above ordered list.
`kubeadm init` also exposes a flag called `-skip-phases` that can be used to skip certain phases. The flag accepts a list of phase names and the names can be taken from the above ordered list.
What this example would do is write the manifest files for the control plane and etcd in `/etc/kubernetes/manifests` based on the configuration in `configfile.yaml`. This allows you to modify the files and then skip these phases using `--skip-phases`. By calling the last command you will create a control plane node with the custom manifest files.
What this example would do is write the manifest files for the control plane and etcd in `/etc/kubernetes/manifests` based on the configuration in `configfile.yaml`. This allows you to modify the files and then skip these phases using `-skip-phases`. By calling the last command you will create a control plane node with the custom manifest files.
### Managing the kubeadm drop-in file for the kubelet {#kubelet-drop-in}
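Review bot: The paragraph beginning `What this example would do` refers to "this example" and "the last command", but the only command visible here is `sudo kubeadm init phase control-plane --help`; confirm that the example which writes the manifests from `configfile.yaml` and the closing `kubeadm init --skip-phases` invocation precede it in the file, otherwise the paragraph has nothing to point at. As in the other hunks, the single-dash copies (`-help`, `-skip-phases`) must not survive in the committed comments; the flags are `--help` and `--skip-phases`.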
@ -355,12 +404,15 @@ point to the CA certificate and key.
<!--
The `kubeadm` package ships with a configuration file for running the `kubelet` by `systemd`. Note that the kubeadm CLI never touches this drop-in file. This drop-in file is part of the kubeadm DEB/RPM package.
For further information, see [Managing the kubeadm drop-in file for systemd](/docs/setup/production-environment/tools/kubeadm/kubelet-integration/#the-kubelet-drop-in-file-for-systemd).
### Running kubeadm without an internet connection
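Review bot: The drop-in paragraph (`The kubeadm package ships with a configuration file...`) and its link are in the source comment, but no translated paragraph follows before the `### Running kubeadm without an internet connection` heading; check that the Chinese text for it is present in the file. Both headings in this hunk are still English, so either confirm they are meant to stay that way or add the translated headings with the same `{#kubelet-drop-in}` style anchor so existing links keep working.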
@ -394,12 +449,12 @@ value to the kubelet.
<!--
For running kubeadm without an internet connection you have to pre-pull the required control-plane images.
-->
要在没有互联网连接的情况下运行 kubeadm,您必须提前拉取所需的控制平面镜像。
要在没有互联网连接的情况下运行 kubeadm,你必须提前拉取所需的控制平面镜像。
<!--
You can list and pull the images using the `kubeadm config images` sub-command:
-->
您可以使用 `kubeadm config images` 子命令列出并拉取镜像:
你可以使用 `kubeadm config images` 子命令列出并拉取镜像:
```shell
kubeadm config images list
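Review bot: The sentence above promises that the `kubeadm config images` sub-command both lists and pulls images, but the shell block opened here shows only `kubeadm config images list`; either this block or one directly after it should show the corresponding `pull` form too, so the offline procedure is complete for the reader.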
@ -423,13 +478,16 @@ token distribution for easier automation. To implement this automation, you must
know the IP address that the control-plane node will have after it is started,
or use a DNS name or an address of a load balancer.
-->
不必像文档[kubeadm 基础教程](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/)所述,将从 `kubeadm init` 取得的令牌复制到每个节点,而是简单自动地并行化令牌分发。要实现自动化,您必须知道控制平面节点启动后将拥有的 IP 地址,或使用 DNS 名称或负载均衡器的地址。
<!-- 3. Similar can be done for `--certificate-key` when joining additional control-plane nodes. The key can be generated using: -->3. 当加入其他控制平面节点时,可以对 `--certificate-key` 执行类似的操作。可以使用以下方式生成密钥:
```shell
kubeadm alpha certs certificate-key
```
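Review bot: The command `kubeadm alpha certs certificate-key` carries the `alpha` prefix, which is tied to the kubeadm release (later releases expose it without `alpha`); check it against the version this page documents, because the English source comment for item 3 gives only the prose and no command to compare against. The translation of item 3 itself (`当加入其他控制平面节点时...`) matches the source.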
@ -451,17 +514,18 @@ As they come up they should find each other and form the cluster. The same `--to
Once the cluster is up, you can grab the admin credentials from the control-plane node
at `/etc/kubernetes/admin.conf` and use that to talk to the cluster.
Note that this style of bootstrap has some relaxed security guarantees because
it does not allow the root CA hash to be validated with
`--discovery-token-ca-cert-hash` (since it's not generated when the nodes are
`-discovery-token-ca-cert-hash` (since it's not generated when the nodes are
provisioned). For details, see the [kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/).
-->
注意这种搭建集群的方式在安全保证上会有一些宽松,因为这种方式不允许使用 `--discovery-token-ca-cert-hash`来验证根 CA 的哈希值(因为当配置节点的时候,它还没有被生成)。获取需更多信息请参阅[kubeadm join](/docs/reference/setup-tools/kubeadm/kubeadm-join/)文档。
This page does not address running your cluster on a cloud provider. In a cloud
environment, neither approach documented here works with Service objects of type
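Review bot: In the translated paragraph, `获取需更多信息请参阅` has a stray character and should read `获取更多信息请参阅`; a space is also missing between the closing backtick of `--discovery-token-ca-cert-hash` and `来验证`. The source comment again carries a single-dash copy (`-discovery-token-ca-cert-hash`); only the `--discovery-token-ca-cert-hash` form should remain, since that is the flag whose absence the paragraph warns relaxes the security of this bootstrap style.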
@ -133,7 +133,6 @@ option. Your cluster requirements may need a different configuration.
- Read the [Options for Software Load Balancing](https://github.com/kubernetes/kubeadm/blob/master/docs/ha-considerations.md#options-for-software-load-balancing)
For information how to create a cluster with kubeadm once you have performed this installation process, see the [Using kubeadm to Create a Cluster](/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/) page.
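Review bot: `For information how to create a cluster` should read `For information on how to create a cluster`; if this file is the localized page, the sentence also needs its Chinese counterpart, which does not appear in the hunk.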