[zh] Resync kubeadm files (3)

Qiming Teng 2021-04-26 13:03:09 +08:00
parent acf2e99652
commit 9ba6ac6167
5 changed files with 229 additions and 73 deletions


@ -13,19 +13,23 @@ card:
<!--
Kubeadm is a tool built to provide `kubeadm init` and `kubeadm join` as best-practice "fast paths" for creating Kubernetes clusters.
-->
Kubeadm 是一个提供了 `kubeadm init``kubeadm join` 的工具,作为创建 Kubernetes 集群的 “快捷途径” 的最佳实践。
Kubeadm 是一个提供了 `kubeadm init``kubeadm join` 的工具,
作为创建 Kubernetes 集群的 “快捷途径” 的最佳实践。
<!--
kubeadm performs the actions necessary to get a minimum viable cluster up and running. By design, it cares only about bootstrapping,
not about provisioning machines. Likewise, installing various nice-to-have addons, like the Kubernetes Dashboard, monitoring solutions, and cloud-specific addons, is not in scope.
-->
kubeadm 通过执行必要的操作来启动和运行最小可用集群。按照设计,它只关注启动引导,而非配置机器。同样的,安装各种 “锦上添花” 的扩展,例如 Kubernetes Dashboard,
监控方案,以及特定云平台的扩展,都不在讨论范围内。
kubeadm 通过执行必要的操作来启动和运行最小可用集群。
按照设计,它只关注启动引导,而非配置机器。同样的,
安装各种 “锦上添花” 的扩展,例如 Kubernetes Dashboard、
监控方案、以及特定云平台的扩展,都不在讨论范围内。
<!--
Instead, we expect higher-level and more tailored tooling to be built on top of kubeadm, and ideally, using kubeadm as the basis of all deployments will make it easier to create conformant clusters.
-->
相反,我们希望在 kubeadm 之上构建更高级别以及更加合规的工具,理想情况下,使用 kubeadm 作为所有部署工作的基准将会更加易于创建一致性集群。
相反,我们希望在 kubeadm 之上构建更高级别以及更加合规的工具,
理想情况下,使用 kubeadm 作为所有部署工作的基准将会更加易于创建一致性集群。
<!--
## How to install
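Review bot: the re-wrapped line `相反,我们希望在 kubeadm 之上构建更高级别以及更加合规的工具,` still translates "more tailored tooling" as 更加合规 ("more compliant"), which is not what the English comment above it says. Since the paragraph is being touched anyway, consider 更具针对性 or 更加量身定制. Separately, `监控方案、以及特定云平台的扩展` doubles the separator; drop the 、 before 以及.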
@ -34,8 +38,9 @@ Instead, we expect higher-level and more tailored tooling to be built on top of
<!--
To install kubeadm, see the [installation guide](/docs/setup/production-environment/tools/kubeadm/install-kubeadm).
-->
要安装 kubeadm, 请查阅[安装指南](/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/).
-->
要安装 kubeadm, 请查阅
[安装指南](/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/).
## {{% heading "whatsnext" %}}
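Review bot: the new line `要安装 kubeadm, 请查阅` keeps the half-width comma, and the link line after it still ends with a half-width `.`. The surrounding Chinese text in this file uses full-width , and 。, so both should be converted while the sentence is being re-wrapped.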
@ -46,14 +51,30 @@ To install kubeadm, see the [installation guide](/docs/setup/production-environm
* [kubeadm config](/docs/reference/setup-tools/kubeadm/kubeadm-config) if you initialized your cluster using kubeadm v1.7.x or lower, to configure your cluster for `kubeadm upgrade`
* [kubeadm token](/docs/reference/setup-tools/kubeadm/kubeadm-token) to manage tokens for `kubeadm join`
* [kubeadm reset](/docs/reference/setup-tools/kubeadm/kubeadm-reset) to revert any changes made to this host by `kubeadm init` or `kubeadm join`
* [kubeadm certs](/docs/reference/setup-tools/kubeadm/kubeadm-certs) to manage Kubernetes certificates
* [kubeadm kubeconfig](/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig) to manage kubeconfig files
* [kubeadm version](/docs/reference/setup-tools/kubeadm/kubeadm-version) to print the kubeadm version
* [kubeadm alpha](/docs/reference/setup-tools/kubeadm/kubeadm-alpha) to preview a set of features made available for gathering feedback from the community
-->
* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init) 用于搭建控制平面节点
* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join) 用于搭建工作节点并将其加入到集群中
* [kubeadm upgrade](/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade) 用于升级 Kubernetes 集群到新版本
* [kubeadm config](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config) 如果你使用了 v1.7.x 或更低版本的 kubeadm 版本初始化你的集群,则使用 `kubeadm upgrade` 来配置你的集群
* [kubeadm token](/zh/docs/reference/setup-tools/kubeadm/kubeadm-token) 用于管理 `kubeadm join` 使用的令牌
* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset) 用于恢复通过 `kubeadm init` 或者 `kubeadm join` 命令对节点进行的任何变更
* [kubeadm version](/zh/docs/reference/setup-tools/kubeadm/kubeadm-version) 用于打印 kubeadm 的版本信息
* [kubeadm alpha](/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha) 用于预览一组可用于收集社区反馈的特性
* [kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init)
用于搭建控制平面节点
* [kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join)
用于搭建工作节点并将其加入到集群中
* [kubeadm upgrade](/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade)
用于升级 Kubernetes 集群到新版本
* [kubeadm config](/zh/docs/reference/setup-tools/kubeadm/kubeadm-config)
如果你使用了 v1.7.x 或更低版本的 kubeadm 版本初始化你的集群,则使用
`kubeadm upgrade` 来配置你的集群
* [kubeadm token](/zh/docs/reference/setup-tools/kubeadm/kubeadm-token)
用于管理 `kubeadm join` 使用的令牌
* [kubeadm reset](/zh/docs/reference/setup-tools/kubeadm/kubeadm-reset)
用于恢复通过 `kubeadm init` 或者 `kubeadm join` 命令对节点进行的任何变更
* [kubeadm certs](/docs/reference/setup-tools/kubeadm/kubeadm-certs)
用于管理 Kubernetes 证书
* [kubeadm kubeconfig](/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)
用于管理 kubeconfig 文件
* [kubeadm version](/zh/docs/reference/setup-tools/kubeadm/kubeadm-version)
用于打印 kubeadm 的版本信息
* [kubeadm alpha](/zh/docs/reference/setup-tools/kubeadm/kubeadm-alpha)
用于预览一组可用于收集社区反馈的特性
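Review bot: the two new list entries, `[kubeadm certs](/docs/reference/setup-tools/kubeadm/kubeadm-certs)` and `[kubeadm kubeconfig](/docs/reference/setup-tools/kubeadm/kubeadm-kubeconfig)`, link to `/docs/...` while every other entry in the translated list uses the `/zh/docs/...` prefix. If the localized pages exist, use the `/zh/` paths so readers stay in the Chinese docs; if they do not exist yet, say so in the commit message so the links are revisited.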


@ -1,17 +1,30 @@
<!--
The file is auto-generated from the Go source code of the component using a generic
[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
to generate the reference documentation, please read
[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
To update the reference conent, please follow the
[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
guide. You can file document formatting bugs against the
[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
-->
<!--
Print configuration
-->
打印配置
<!--
### Synopsis
-->
### 概要
<!--
This command prints configurations for subcommands provided.
For details, see: https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2
-->
此命令显示所提供子命令的配置。
有关详细信息请参阅https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2
此命令打印子命令所提供的配置信息。
相关细节可参阅 https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2
```
kubeadm config print [flags]
@ -20,7 +33,6 @@ kubeadm config print [flags]
<!--
### Options
-->
### 选项
<table style="width: 100%; table-layout: fixed;">
@ -34,22 +46,17 @@ kubeadm config print [flags]
<td colspan="2">-h, --help</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!-- help for print -->
print 操作的帮助命令
</td>
<td></td><td style="line-height: 130%; word-wrap: break-word;"><p><!--help for print-->print 命令的帮助信息</p></td>
</tr>
</tbody>
</table>
<!--
### Options inherited from parent commands
-->
### 从父命令继承的选项
### 从父命令继承而来的选项
<table style="width: 100%; table-layout: fixed;">
<colgroup>
@ -59,33 +66,23 @@ print 操作的帮助命令
<tbody>
<tr>
<td colspan="2">
<!--
--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Default: "/etc/kubernetes/admin.conf"
-->
--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;默认值:"/etc/kubernetes/admin.conf"
</td>
<td colspan="2">--kubeconfig string&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<!--Default:-->默认值:"/etc/kubernetes/admin.conf"</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.
-->
用于和集群通信的 kubeconfig 文件。如果它没有被设置,那么 kubeadm 将会搜索一个已经存在于标准路径的 kubeconfig 文件。
</td>
<!--td></td><td style="line-height: 130%; word-wrap: break-word;"><p>The kubeconfig file to use when talking to the cluster. If the flag is not set, a set of standard locations can be searched for an existing kubeconfig file.</p></td -->
<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>与集群通信时使用的 kubeconfig 文件。如此标志未设置将在一组标准位置中搜索现有的kubeconfig 文件。</p></td>
</tr>
<tr>
<td colspan="2">--rootfs string</td>
</tr>
<tr>
<td></td><td style="line-height: 130%; word-wrap: break-word;">
<!--
[EXPERIMENTAL] The path to the 'real' host root filesystem.
-->
[实验] 到 '真实' 主机根文件系统的路径。
</td>
<!--td></td><td style="line-height: 130%; word-wrap: break-word;"><p>[EXPERIMENTAL] The path to the 'real' host root filesystem.</p></td-->
<td></td><td style="line-height: 130%; word-wrap: break-word;"><p>[试验性] 指向“真实”宿主根文件系统的路径。</p></td>
</tr>
</tbody>
</table>
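Review bot: in the new `--kubeconfig` description, `现有的kubeconfig 文件` is missing the space between 现有的 and `kubeconfig` that the rest of the sentence uses around Latin terms. The commented-out English rows are also inconsistent: one closes with `</td -->` and the other with `</td-->`, and both open with `<!--td>`. Pick one form, preferably wrapping the whole row as `<!-- ... -->`, so the generated pages stay uniform.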


@ -10,8 +10,8 @@ During `kubeadm init`, kubeadm uploads the `ClusterConfiguration` object to your
in a ConfigMap called `kubeadm-config` in the `kube-system` namespace. This configuration is then read during
`kubeadm join`, `kubeadm reset` and `kubeadm upgrade`. To view this ConfigMap call `kubeadm config view`.
-->
`kubeadm init` 执行期间kubeadm 将 `ClusterConfiguration` 对象上传到你的集群的 `kube-system` 名字空间下
名为 `kubeadm-config` 的 ConfigMap 对象中。
`kubeadm init` 执行期间kubeadm 将 `ClusterConfiguration` 对象上传
到你的集群的 `kube-system` 名字空间下名为 `kubeadm-config` 的 ConfigMap 对象中。
然后在 `kubeadm join`、`kubeadm reset` 和 `kubeadm upgrade` 执行期间读取此配置。
要查看此 ConfigMap请调用 `kubeadm config view`
@ -29,22 +29,34 @@ convert your old configuration files to a newer version. `kubeadm config images
For more information navigate to
[Using kubeadm init with a configuration file](/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file)
or [Using kubeadm join with a configuration file](/docs/reference/setup-tools/kubeadm/kubeadm-join/#config-file).
In Kubernetes v1.13.0 and later to list/pull kube-dns images instead of the CoreDNS image
the `--config` method described [here](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
has to be used.
-->
更多信息请浏览[使用带配置文件的 kubeadm init](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file)
或[使用带配置文件的 kubeadm join](/zh/docs/reference/setup-tools/kubeadm/kubeadm-join/#config-file).
<!--
You can also configure several kubelet-configuration options with `kubeadm init`. These options will be the same on any node in your cluster.
See [Configuring each kubelet in your cluster using kubeadm](/docs/setup/production-environment/tools/kubeadm/kubelet-integration/) for details.
-->
你也可以在使用 `kubeadm init` 命令时配置若干 kubelet 配置选项。
这些选项对于集群中所有节点而言都是相同的。
参阅[使用 kubeadm 来配置集群中的各个 kubelet](/zh/docs/setup/production-environment/tools/kubeadm/kubelet-integration/)
了解详细信息。
<!--
In Kubernetes v1.13.0 and later to list/pull kube-dns images instead of the CoreDNS image
the `--config` method described [here](/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
has to be used.
-->
在 Kubernetes v1.13.0 及更高版本中,要列出/拉取 kube-dns 镜像而不是 CoreDNS 镜像,
必须使用[这里](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)所描述的 `--config` 方法。
必须使用[这里](/zh/docs/reference/setup-tools/kubeadm/kubeadm-init-phase/#cmd-phase-addon)
所描述的 `--config` 方法。
<!-- body -->
## kubeadm config upload from-file {#cmd-config-from-file}
## kubeadm config print{#cmd-config-view}
{{< include "generated/kubeadm_config_print.md" >}}
## kubeadm config print init-defaults {#cmd-config-print-init-defaults}
{{< include "generated/kubeadm_config_print_init-defaults.md" >}}
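Review bot: the heading `## kubeadm config print{#cmd-config-view}` is missing the space before `{` that the neighbouring headings have (`## kubeadm config print init-defaults {#cmd-config-print-init-defaults}`), and its anchor is still named `cmd-config-view` although the section now includes `generated/kubeadm_config_print.md`. Add the space, and either rename the anchor to match the command or note why the old id is kept for existing inbound links.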
@ -60,15 +72,13 @@ has to be used.
## kubeadm config images pull {#cmd-config-images-pull}
{{< include "generated/kubeadm_config_images_pull.md" >}}
## {{% heading "whatsnext" %}}
<!--
* [kubeadm upgrade](/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) to upgrade a Kubernetes cluster to a newer version
-->
* [kubeadm upgrade](/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/) 将 Kubernetes 集群升级到更新版本 [kubeadm upgrade]
* [kubeadm upgrade](/zh/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/)
将 Kubernetes 集群升级到更新版本 [kubeadm upgrade]
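Review bot: the re-wrapped entry still ends with a stray `[kubeadm upgrade]` after `将 Kubernetes 集群升级到更新版本`. The English source line has nothing corresponding to it, and with no link target it will render as literal bracketed text. Remove it.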


@ -61,10 +61,9 @@ and kubeadm will use this CA for signing the rest of the certificates.
`/etc/kubernetes/pki/ca.key` 中,而 kubeadm 将使用此 CA 对其余证书进行签名。
<!--
## External CA mode {#external-ca-mode}
It is also possible to provide just the `ca.crt` file and not the
It is also possible to provide only the `ca.crt` file and not the
`ca.key` file (this is only available for the root CA file, not other cert pairs).
If all other certificates and kubeconfig files are in place, kubeadm recognizes
this condition and activates the "External CA" mode. kubeadm will proceed without the CA key on disk.
@ -72,27 +71,23 @@ this condition and activates the "External CA" mode. kubeadm will proceed withou
## 外部 CA 模式 {#external-ca-mode}
只提供了 `ca.crt` 文件但是不提供 `ca.key` 文件也是可以的(这只对 CA 根证书可用,其它证书不可用)。
如果所有的其它证书和 kubeconfig 文件已就绪, kubeadm 检测到满足以上条件就会激活
只提供了 `ca.crt` 文件但是不提供 `ca.key` 文件也是可以的
(这只对 CA 根证书可用,其它证书不可用)。
如果所有的其它证书和 kubeconfig 文件已就绪kubeadm 检测到满足以上条件就会激活
"外部 CA" 模式。kubeadm 将会在没有 CA 密钥文件的情况下继续执行。
<!--
Instead, run the controller-manager standalone with `--controllers=csrsigner` and
point to the CA certificate and key.
-->
否则, kubeadm 将独立运行 controller-manager附加一个 `--controllers=csrsigner` 的参数,并且指明 CA 证书和密钥。
否则, kubeadm 将独立运行 controller-manager附加一个
`--controllers=csrsigner` 的参数,并且指明 CA 证书和密钥。
<!--
[PKI certificates and requirements](/docs/setup/best-practices/certificates/) includes guidance on
setting up a cluster to use an external CA.
-->
[PKI证书和要求](/zh/docs/setup/best-practices/certificates/)包括集群使用外部CA的设置指南。
<!--
[PKI certificates and requirements](/docs/setup/best-practices/certificates/) includes guidance on
setting up a cluster to use an external CA.
-->
[PKI 证书和要求](/zh/docs/setup/best-practices/certificates/)包括关于用外部 CA 设置集群的指南。
[PKI 证书和要求](/zh/docs/setup/best-practices/certificates/)包括集群使用外部 CA 的设置指南。
<!--
## Check certificate expiration
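Review bot: the re-wrapped sentence `否则, kubeadm 将独立运行 controller-manager` changes the meaning of the English comment. "Instead, run the controller-manager standalone with `--controllers=csrsigner`" is an instruction to the operator, not something kubeadm does, and 否则 ("otherwise") is not "instead". In external CA mode the reader needs to know that they must run the signer themselves with access to the CA key, so please reword along the lines of 此时你需要独立运行 controller-manager, and use a full-width comma.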
@ -415,4 +410,137 @@ For more information about manual rotation or replacement of CA, see [manual rot
kubeadm 并不直接支持对 CA 证书的轮换或者替换。
关于手动轮换或者置换 CA 的更多信息,可参阅
[手动轮换 CA 证书](/zh/docs/tasks/tls/manual-rotation-of-ca-certificates/)。
[手动轮换 CA 证书](/zh/docs/tasks/tls/manual-rotation-of-ca-certificates/)。
<!--
## Enabling signed kubelet serving certificates {#kubelet-serving-certs}
By default the kubelet serving certificate deployed by kubeadm is self-signed.
This means a connection from external services like the
[metrics-server](https://github.com/kubernetes-sigs/metrics-server) to a
kubelet cannot be secured with TLS.
To configure the kubelets in a new kubeadm cluster to obtain properly signed serving
certificates you must pass the following minimal configuration to `kubeadm init`:
-->
## 启用已签名的 kubelet 服务证书 {#kubelet-serving-certs}
默认情况下kubeadm 所部署的 kubelet 服务证书是自签名Self-Signed
这意味着从 [metrics-server](https://github.com/kubernetes-sigs/metrics-server)
这类外部服务发起向 kubelet 的链接时无法使用 TLS 来完成保护。
要在新的 kubeadm 集群中配置 kubelet 以使用被正确签名的服务证书,
你必须向 `kubeadm init` 传递如下最小配置数据:
```yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
---
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
serverTLSBootstrap: true
```
<!--
If you have already created the cluster you must adapt it by doing the following:
- Find and edit the `kubelet-config-{{< skew latestVersion >}}` ConfigMap in the `kube-system` namespace.
In that ConfigMap, the `config` key has a
[KubeletConfiguration](/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
document as its value. Edit the KubeletConfiguration document to set `serverTLSBootstrap: true`.
- On each node, add the `serverTLSBootstrap: true` field in `/var/lib/kubelet/config.yaml`
and restart the kubelet with `systemctl restart kubelet`
-->
如果你已经创建了集群,你必须通过执行下面的操作来完成适配:
- 找到 `kube-system` 名字空间中名为 `kubelet-config-{{< skew latestVersion >}}`
的 ConfigMap 并编辑之。
在该 ConfigMap 中,`config` 键下面有一个
[KubeletConfiguration](/zh/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
文档作为其取值。编辑该 KubeletConfiguration 文档以设置
`serverTLSBootstrap: true`
- 在每个节点上,在 `/var/lib/kubelet/config.yaml` 文件中添加
`serverTLSBootstrap: true` 字段,并使用 `systemctl restart kubelet`
来重启 kubelet。
<!--
The field `serverTLSBootstrap: true` will enable the bootstrap of kubelet serving
certificates by requesting them from the `certificates.k8s.io` API. One known limitation
is that the CSRs (Certificate Signing Requests) for these certificates cannot be automatically
approved by the default signer in the kube-controller-manager -
[`kubernetes.io/kubelet-serving`](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers).
This will require action from the user or a third party controller.
These CSRs can be viewed using:
-->
字段 `serverTLSBootstrap` 将允许启动引导 kubelet 的服务证书,方式
是从 `certificates.k8s.io` API 处读取。这种方式的一种局限在于这些
证书的 CSR证书签名请求不能被 kube-controller-manager 中默认的
签名组件
[`kubernetes.io/kubelet-serving`](/zh/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers)
批准。需要用户或者第三方控制器来执行此操作。
可以使用下面的命令来查看 CSR
```shell
kubectl get csr
```
```none
NAME AGE SIGNERNAME REQUESTOR CONDITION
csr-9wvgt 112s kubernetes.io/kubelet-serving system:node:worker-1 Pending
csr-lz97v 1m58s kubernetes.io/kubelet-serving system:node:control-plane-1 Pending
```
<!--
To approve them you can do the following:
-->
你可以执行下面的操作来批准这些请求:
```shell
kubectl certificate approve <CSR-名称>
```
<!--
By default, these serving certificate will expire after one year. Kubeadm sets the
`KubeletConfiguration` field `rotateCertificates` to `true`, which means that close
to expiration a new set of CSRs for the serving certificates will be created and must
be approved to complete the rotation. To understand more see
[Certificate Rotation](/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#certificate-rotation).
-->
默认情况下,这些服务证书上会在一年后过期。
kubeadm 将 `KubeletConfiguration``rotateCertificates` 字段设置为
`true`;这意味着证书快要过期时,会生成一组针对服务证书的新的 CSR
这些 CSR 也要被批准才能完成证书轮换。
要进一步了解这里的细节,可参阅
[证书轮换](/zh/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#certificate-rotation)
文档。
<!--
If you are looking for a solution for automatic approval of these CSRs it is recommended
that you contact your cloud provider and ask if they have a CSR signer that verifies
the node identity with an out of band mechanism.
-->
如果你在寻找一种能够自动批准这些 CSR 的解决方案,建议你与你的云提供商
联系,询问他们是否有 CSR 签名组件用来以带外out-of-band的方式检查
节点的标识符。
{{% thirdparty-content %}}
<!--
Third party custom controllers can be used:
- [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp)
Such a controller is not a secure mechanism unless it not only verifies the CommonName
in the CSR but also verifies the requested IPs and domain names. This would prevent
a malicious actor that has access to a kubelet client certificate to create
CSRs requesting serving certificates for any IP or domain name.
-->
也可以使用第三方定制的控制器:
- [kubelet-rubber-stamp](https://github.com/kontena/kubelet-rubber-stamp)
除非既能够验证 CSR 中的 CommonName也能检查请求的 IP 和域名,
这类控制器还算不得安全的机制。
只有完成彻底的检查,才有可能避免有恶意的、能够访问 kubelet 客户端证书的第三方
为任何 IP 或域名请求服务证书。
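Review bot: in the paragraph starting `字段 serverTLSBootstrap 将允许启动引导 kubelet 的服务证书`, the translation says the CSRs 不能被 ... 默认的签名组件 ... 批准, dropping "automatically" from "cannot be automatically approved by the default signer". That omission matters here because the following steps show manual approval with `kubectl certificate approve`; please write 不能被 ... 自动批准. In the same paragraph, 从 `certificates.k8s.io` API 处读取 should be 请求 rather than 读取, since the kubelet requests the certificates. Minor: `这些服务证书上会在一年后过期` has a stray 上.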


@ -585,10 +585,10 @@ and post-upgrade manifest file for a certain component, a backup file for it wil
- Makes sure the control plane images are available or available to pull to the machine.
- Generates replacements and/or uses user supplied overwrites if component configs require version upgrades.
- Upgrades the control plane components or rollbacks if any of them fails to come up.
- Applies the new `kube-dns` and `kube-proxy` manifests and makes sure that all necessary RBAC rules are created.
- Applies the new `CoreDNS` and `kube-proxy` manifests and makes sure that all necessary RBAC rules are created.
- Creates new certificate and key files of the API server and backs up old files if they're about to expire in 180 days.
-->
## 工作原理
## 工作原理 {#how-it-works}
`kubeadm upgrade apply` 做了以下工作:
@ -600,7 +600,7 @@ and post-upgrade manifest file for a certain component, a backup file for it wil
- 确保控制面的镜像是可用的或可拉取到服务器上。
- 如果组件配置要求版本升级,则生成替代配置与/或使用用户提供的覆盖版本配置。
- 升级控制面组件或回滚(如果其中任何一个组件无法启动)。
- 应用新的 `kube-dns` 和 `kube-proxy` 清单,并强制创建所有必需的 RBAC 规则。
- 应用新的 `CoreDNS` 和 `kube-proxy` 清单,并强制创建所有必需的 RBAC 规则。
- 如果旧文件在 180 天后过期,将创建 API 服务器的新证书和密钥文件并备份旧文件。
<!--
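Review bot: the context line `如果旧文件在 180 天后过期,将创建 API 服务器的新证书和密钥文件并备份旧文件` reads as "if the old files expire after 180 days", whereas the English says "if they're about to expire in 180 days", i.e. within 180 days. Since this list is being resynced, consider 如果旧文件将在 180 天内过期. The line above also renders "makes sure that all necessary RBAC rules are created" as 强制创建; 确保 would be closer.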