LimitRange
@ -121,7 +121,7 @@ hostnamectl status
|
||||
``` sh
|
||||
# 在 master 节点和 worker 节点都要执行
|
||||
|
||||
curl -sSL https://kuboard.cn/install-script/v1.15.3/install_kubelet.sh | sh
|
||||
curl -sSL https://kuboard.cn/install-script/v1.15.3/install-kubelet.sh | sh
|
||||
|
||||
```
|
||||
|
||||
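Review bot: the changed `curl -sSL https://kuboard.cn/install-script/v1.15.3/install-kubelet.sh | sh` line still pipes a remote script straight into `sh` on every master and worker node, with nothing that checks what was downloaded. Suggest having the reader download the file first, compare it against a published checksum (or against the copy this page inlines further down), and then run the local file. The rename from `install_kubelet.sh` to `install-kubelet.sh` also changes the public URL, so anyone who copied the previous command gets a failed download unless the old name is still served.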
@ -130,7 +130,7 @@ curl -sSL https://kuboard.cn/install-script/v1.15.3/install_kubelet.sh | sh
|
||||
|
||||
手动执行以下代码,效果与快速安装完全相同。
|
||||
|
||||
<<< @/.vuepress/public/install-script/v1.15.3/install_kubelet.sh
|
||||
<<< @/.vuepress/public/install-script/v1.15.3/install-kubelet.sh
|
||||
|
||||
::: warning
|
||||
如果此时执行 `service status kubelet` 命令,将得到 kubelet 启动失败的错误提示,请忽略此错误,因为必须完成后续步骤中 kubeadm init 的操作,kubelet 才能正常启动
|
||||
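Review bot: the include on the changed line now points at `install-kubelet.sh`, so the file under `.vuepress/public/install-script/v1.15.3/` has to be renamed in this same commit or the snippet import will not resolve; that rename is not visible in this hunk. Separately, the warning text in the context uses `service status kubelet`, which has its arguments in the wrong order; `systemctl status kubelet` (or `service kubelet status`) is the form a reader can actually run.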
@ -183,7 +183,7 @@ export APISERVER_NAME=apiserver.demo
|
||||
# Kubernetes 容器组所在的网段,该网段安装完成后,由 kubernetes 创建,事先并不存在于您的物理网络中
|
||||
export POD_SUBNET=10.100.0.1/16
|
||||
echo "127.0.0.1 ${APISERVER_NAME}" >> /etc/hosts
|
||||
curl -sSL https://kuboard.cn/install-script/v1.15.3/init_master.sh | sh
|
||||
curl -sSL https://kuboard.cn/install-script/v1.15.3/init-master.sh | sh
|
||||
```
|
||||
|
||||
</el-tab-pane>
|
||||
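Review bot: `export POD_SUBNET=10.100.0.1/16` in the context lines has host bits set; the network address for that prefix is `10.100.0.0/16`, and since the value is handed to the init script it should be written in canonical form. The `echo "127.0.0.1 ${APISERVER_NAME}" >> /etc/hosts` line appends a duplicate entry every time the block is re-run, so guard it with a `grep -q` check. The changed `curl ... init-master.sh | sh` line has the same unverified remote-script issue as the kubelet install command.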
@ -198,7 +198,7 @@ export POD_SUBNET=10.100.0.1/16
|
||||
echo "127.0.0.1 ${APISERVER_NAME}" >> /etc/hosts
|
||||
```
|
||||
|
||||
<<< @/.vuepress/public/install-script/v1.15.3/init_master.sh
|
||||
<<< @/.vuepress/public/install-script/v1.15.3/init-master.sh
|
||||
|
||||
</el-tab-pane>
|
||||
</el-tabs>
|
||||
|
||||
@ -1,12 +1,12 @@
|
||||
---
|
||||
vssueId: 92
|
||||
description: Kubernete升级_使用kubeadm升级K8S集群到v1.15.4
|
||||
description: Kubernete升级_使用kubeadm升级K8S集群到v1.15.5
|
||||
meta:
|
||||
- name: keywords
|
||||
content: Kubernetes升级,K8S升级,升级Kuberentes1.15.4
|
||||
content: Kubernetes升级,K8S升级,升级Kuberentes1.15.5
|
||||
---
|
||||
|
||||
# K8S从1.15.x升级到 1.15.4
|
||||
# K8S从1.15.x升级到 1.15.5
|
||||
|
||||
<AdSenseTitle/>
|
||||
|
||||
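Review bot: the changed `description` and `keywords` lines carry two spelling errors forward, "Kubernete" in the description and "Kuberentes" in the keywords; since both lines are being touched for the version bump, correct them to "Kubernetes" now. The page content moves to 1.15.5 while other pages in this commit still link to it as `1.15.x-1.15.4.html`, so either rename the file with a redirect or accept that the file name no longer matches the title.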
@ -15,11 +15,11 @@ meta:
|
||||
|
||||
## 前提条件
|
||||
|
||||
* 您使用 kubeadm 安装了 kubernetes v1.15.0 / v1.15.1 / v1.15.2 / v1.15.3 集群
|
||||
* 您想要将其升级到最新的版本 kubernetes v1.15.4
|
||||
* 您使用 kubeadm 安装了 kubernetes v1.15.0 / v1.15.1 / v1.15.2 / v1.15.3 / v1.15.4 集群
|
||||
* 您想要将其升级到最新的版本 kubernetes v1.15.5
|
||||
|
||||
::: tip
|
||||
www.kuboard.cn 是一款免费的基于 Kubernetes 的微服务管理界面,目前只能提供 kubernetes v1.15.0 / v1.15.1 / v1.15.2 / v1.15.3 到 kubernetes v1.15.4 的升级文档,其他版本的集群,请参考 kubernetes 官网文档 [kubeadm upgrade](https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/)
|
||||
www.kuboard.cn 是一款免费的基于 Kubernetes 的微服务管理界面,目前只能提供 kubernetes v1.15.0 / v1.15.1 / v1.15.2 / v1.15.3 到 kubernetes v1.15.5 的升级文档,其他版本的集群,请参考 kubernetes 官网文档 [kubeadm upgrade](https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/)
|
||||
:::
|
||||
|
||||
## 升级 kubeadm/kubelet/kubectl
|
||||
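Review bot: the prerequisites list was extended to include v1.15.4, but the updated tip line still reads "v1.15.0 / v1.15.1 / v1.15.2 / v1.15.3 到 kubernetes v1.15.5", leaving v1.15.4 out of the supported source versions. Add v1.15.4 there so the two statements agree.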
@ -28,7 +28,7 @@ www.kuboard.cn 是一款免费的基于 Kubernetes 的微服务管理界面,
|
||||
|
||||
``` sh
|
||||
# 在所有节点执行(包括 master 和 worker 节点)
|
||||
yum install -y kubelet-1.15.4 kubeadm-1.15.4 kubectl-1.15.4
|
||||
yum install -y kubelet-1.15.5 kubeadm-1.15.5 kubectl-1.15.5
|
||||
systemctl daemon-reload
|
||||
systemctl restart kubelet
|
||||
```
|
||||
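Review bot: the comment tells the reader to run this block on all nodes and the block ends with `systemctl restart kubelet`, but nothing in the hunk drains or cordons a node first, so every kubelet is restarted with workloads still scheduled on it. Suggest saying that nodes should be handled one at a time, with `kubectl drain <node> --ignore-daemonsets` before and `kubectl uncordon <node>` after, or stating explicitly why that is skipped for a patch-level upgrade.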
@ -74,7 +74,7 @@ scheduler: {}
|
||||
|
||||
文件内容如下所示,根据前面 `kubeadm config view` 的执行结果,修改了如下字段:
|
||||
* imageRepository 的值修改为:registry.cn-hangzhou.aliyuncs.com/google_containers
|
||||
* kubernetesVersion 的值修改为: v1.15.4
|
||||
* kubernetesVersion 的值修改为: v1.15.5
|
||||
``` yaml {15,17}
|
||||
apiServer:
|
||||
extraArgs:
|
||||
@ -92,7 +92,7 @@ etcd:
|
||||
dataDir: /var/lib/etcd
|
||||
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
|
||||
kind: ClusterConfiguration
|
||||
kubernetesVersion: v1.15.4
|
||||
kubernetesVersion: v1.15.5
|
||||
networking:
|
||||
dnsDomain: cluster.local
|
||||
serviceSubnet: 10.96.0.0/12
|
||||
|
||||
@ -6,12 +6,38 @@ meta:
|
||||
content: Kubernetes升级,K8S升级,升级Kuberentes1.16.x,Kubernetes升级到1.16
|
||||
---
|
||||
|
||||
# K8S从1.15.x(1.16.x)升级到 1.16.x
|
||||
# Kubernetes高危漏洞及解决办法(CVE-2019-11253)
|
||||
<!-- # K8S从1.15.x(1.16.x)升级到 1.16.x -->
|
||||
|
||||
<AdSenseTitle/>
|
||||
|
||||
参考文档: kubernetes 官网文档 [kubeadm upgrade](https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-upgrade/)
|
||||
|
||||
**【漏洞详情】**
|
||||
|
||||
2019年10月17日,Kubernetes发布漏洞公告 [[ANNOUNCE] CVE-2019-11253: denial of service vulnerability from malicious YAML or JSON payloads](https://discuss.kubernetes.io/t/announce-cve-2019-11253-denial-of-service-vulnerability-from-malicious-yaml-or-json-payloads/8349)。具备一定权限的攻击者通过发送恶意的 YAML 或 JSON 格式的攻击包可导致 kube-apiserver CPU 或内存资源耗尽,无法正常提供服务,1.14.0 之前的版本由于默认RBAC策略允许匿名用户提交请求,所以之前的版本均在影响范围。
|
||||
|
||||
【风险等级】
|
||||
|
||||
<font color="red" weight="500">高风险</font>
|
||||
|
||||
【影响版本】
|
||||
* Kubernetes v1.0.0-1.12.x
|
||||
* Kubernetes v1.13.0-1.13.11(v1.13.12版本已修复)
|
||||
* Kubernetes v1.14.0-1.14.7(v1.14.8版本已修复)
|
||||
* Kubernetes v1.15.0-1.15.4(v1.15.5版本已修复)
|
||||
* Kubernetes v1.16.0-1.16.1(v1.16.2版本已修复)
|
||||
|
||||
【安全版本】
|
||||
* Kubernetes v1.13.12
|
||||
* Kubernetes v1.14.8
|
||||
* Kubernetes v1.15.5
|
||||
* Kubernetes v1.16.2
|
||||
|
||||
【修复建议】
|
||||
|
||||
请升级到对应的【安全版本】。本文提供了如何升级到 1.16.2 的方法。另可参考 [K8S从1.15.x升级到 1.15.5](./1.15.x-1.15.4.html)
|
||||
|
||||
本文描述了如何从 kubernetes v1.15.x(或1.16.x)升级到 Kubernetes v1.16.y,前提是,您的 Kubernetes 集群是使用 kubeadm 安装的。
|
||||
|
||||
升级的高阶过程如下所示:
|
||||
|
||||
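Review bot: in the remediation paragraph the link text reads "K8S从1.15.x升级到 1.15.5" but its target is `./1.15.x-1.15.4.html`; rename the target page or make the mismatch explicit, otherwise readers will assume the link is stale. The first section label is bold (`**【漏洞详情】**`) while 【风险等级】, 【影响版本】, 【安全版本】 and 【修复建议】 are plain text, so pick one style. `<font color="red" weight="500">` uses the obsolete `font` element and `weight` is not one of its attributes; a `span` with an inline style does what was intended. The old H1 left behind as an HTML comment can be deleted, since the history already keeps it.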
@ -1,5 +1,5 @@
|
||||
---
|
||||
# vssueId: 107
|
||||
vssueId: 141
|
||||
description: Kubernetes升级1.16.x。本文描述了如何从 Kubernetes 网络插件 calico 3.8.x 升级到 3.9。执行命令 kubectl describe deployment calico-kube-controllers -n kube-system 确认当前 calico 版本
|
||||
meta:
|
||||
- name: keywords
|
||||
@ -60,13 +60,52 @@ Pod Template:
|
||||
``` sh
|
||||
# 如果版本号是 v3.8.2 或者 v3.8.x,则删除命令如下
|
||||
# calico.yaml 的URL中,不带版本号的最后一位
|
||||
kubectl delete -f https://docs.projectcalico.org/v3.8/manifests/calico.yaml --no-check-certificate
|
||||
kubectl delete -f https://docs.projectcalico.org/v3.8/manifests/calico.yaml
|
||||
```
|
||||
|
||||
## 安装新版本
|
||||
|
||||
执行以下命令,安装 calico 3.9:
|
||||
执行命令查看kubernetes
|
||||
|
||||
``` sh
|
||||
kubectl delete -f https://docs.projectcalico.org/v3.9/manifests/calico.yaml --no-check-certificate
|
||||
``` yaml {21}
|
||||
apiServer:
|
||||
extraArgs:
|
||||
authorization-mode: Node,RBAC
|
||||
timeoutForControlPlane: 4m0s
|
||||
apiVersion: kubeadm.k8s.io/v1beta2
|
||||
certificatesDir: /etc/kubernetes/pki
|
||||
clusterName: kubernetes
|
||||
controlPlaneEndpoint: apiserver.demo:6443
|
||||
controllerManager: {}
|
||||
dns:
|
||||
type: CoreDNS
|
||||
etcd:
|
||||
local:
|
||||
dataDir: /var/lib/etcd
|
||||
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
|
||||
kind: ClusterConfiguration
|
||||
kubernetesVersion: v1.16.0
|
||||
networking:
|
||||
dnsDomain: cluster.local
|
||||
serviceSubnet: 10.96.0.0/12
|
||||
podSubnet: 10.100.0.1/16
|
||||
scheduler: {}
|
||||
```
|
||||
|
||||
执行以下命令,安装 calico 3.9,请注意,下面的 POD_SUBNET 环境变量来自于上面的输出结果:
|
||||
|
||||
``` sh {2}
|
||||
# 命令行中环境变量 POD_SUBNET 的取值 10.100.0.1/16 来自于上一个命令的输出结果
|
||||
export POD_SUBNET=10.100.0.1/16
|
||||
rm -f calico.yaml
|
||||
wget https://docs.projectcalico.org/v3.9/manifests/calico.yaml --no-check-certificate
|
||||
sed -i "s#192\.168\.0\.0/16#${POD_SUBNET}#" calico.yaml
|
||||
kubectl apply -f https://docs.projectcalico.org/v3.9/manifests/calico.yaml
|
||||
```
|
||||
|
||||
此时可执行命令检查 calico 的版本:
|
||||
``` sh
|
||||
kubectl describe deployment calico-kube-controllers -n kube-system
|
||||
```
|
||||
|
||||
:tada: :tada: :tada:
|
||||
|
||||
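Review bot: the new install block downloads `calico.yaml` and rewrites the pod CIDR with `sed -i "s#192\.168\.0\.0/16#${POD_SUBNET}#" calico.yaml`, but the last line runs `kubectl apply -f https://docs.projectcalico.org/v3.9/manifests/calico.yaml`, which applies the unmodified remote manifest and discards the edit; it should be `kubectl apply -f calico.yaml`. The added `wget ... --no-check-certificate` turns off TLS verification for a manifest that is then applied to the cluster, so drop the flag (the same flag was correctly removed from the `kubectl delete` line). The sentence "执行命令查看kubernetes" is cut short and no command is shown before the YAML output, and that sample output shows `kubernetesVersion: v1.16.0`, which the CVE-2019-11253 page in this same commit lists as affected.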