diff --git a/ClusterBackup/etcd.yaml b/ClusterBackup/etcd.yaml new file mode 100644 index 00000000..d97c6568 --- /dev/null +++ b/ClusterBackup/etcd.yaml 
@@ -0,0 +1,81 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubeadm.kubernetes.io/etcd.advertise-client-urls: https://192.168.1.147:2379 + creationTimestamp: null + labels: + component: etcd + tier: control-plane + name: etcd + namespace: kube-system +spec: + containers: + - command: + - etcd + - --advertise-client-urls=https://192.168.1.147:2379 + - --cert-file=/etc/kubernetes/pki/etcd/server.crt + - --client-cert-auth=true + - --data-dir=/var/lib/etcd + - --experimental-initial-corrupt-check=true + - --experimental-watch-progress-notify-interval=5s + - --initial-advertise-peer-urls=https://192.168.1.147:2380 + - --initial-cluster=k8s-server=https://192.168.1.147:2380 + - --key-file=/etc/kubernetes/pki/etcd/server.key + - --listen-client-urls=https://127.0.0.1:2379,https://192.168.1.147:2379 + - --listen-metrics-urls=http://127.0.0.1:2381 + - --listen-peer-urls=https://192.168.1.147:2380 + - --name=k8s-server + - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt + - --peer-client-cert-auth=true + - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key + - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt + - --snapshot-count=10000 + - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt + image: registry.k8s.io/etcd:3.5.4-0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 8 + httpGet: + host: 127.0.0.1 + path: /health?exclude=NOSPACE&serializable=true + port: 2381 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + name: etcd + resources: + requests: + cpu: 100m + memory: 100Mi + startupProbe: + failureThreshold: 24 + httpGet: + host: 127.0.0.1 + path: /health?serializable=false + port: 2381 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + volumeMounts: + - mountPath: /var/lib/etcd + name: etcd-data + - mountPath: /etc/kubernetes/pki/etcd + name: etcd-certs + hostNetwork: true + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: 
RuntimeDefault + volumes: + - hostPath: + path: /etc/kubernetes/pki/etcd + type: DirectoryOrCreate + name: etcd-certs + - hostPath: + path: /var/lib/etcd + type: DirectoryOrCreate + name: etcd-data +status: {} diff --git a/ClusterBackup/kube-apiserver.yaml b/ClusterBackup/kube-apiserver.yaml new file mode 100644 index 00000000..bd46fadd --- /dev/null +++ b/ClusterBackup/kube-apiserver.yaml 
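Review bot: The `etcd-certs` volumeMount (`/etc/kubernetes/pki/etcd`) is mounted read-write, whereas the sibling kube-apiserver manifest in this commit mounts `/etc/kubernetes/pki` with `readOnly: true`; etcd only reads `server.*`, `peer.*` and `ca.crt` from that path, so adding `readOnly: true` under the `name: etcd-certs` mount removes a write path into the etcd PKI directory from the etcd process (the `etcd-data` mount must of course stay writable). Separately, the image is pinned to `registry.k8s.io/etcd:3.5.4-0` while the other control-plane images in this commit are `v1.25.15`; kubeadm at that patch level appears to ship a newer 3.5.x etcd, so confirm the expected tag with `kubeadm config images list --kubernetes-version v1.25.15` before using this backup to restore. Because kubeadm regenerates these static-pod manifests on `kubeadm upgrade`, any hardening applied here should also go into the kubeadm ClusterConfiguration rather than only into the manifest file.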
@@ -0,0 +1,127 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.1.147:6443 + creationTimestamp: null + labels: + component: kube-apiserver + tier: control-plane + name: kube-apiserver + namespace: kube-system +spec: + containers: + - command: + - kube-apiserver + - --advertise-address=192.168.1.147 + - --allow-privileged=true + - --authorization-mode=Node,RBAC + - --client-ca-file=/etc/kubernetes/pki/ca.crt + - --enable-admission-plugins=NodeRestriction + - --enable-bootstrap-token-auth=true + - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt + - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt + - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key + - --etcd-servers=https://127.0.0.1:2379 + - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt + - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname + - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt + - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key + - --requestheader-allowed-names=front-proxy-client + - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt + - --requestheader-extra-headers-prefix=X-Remote-Extra- + - --requestheader-group-headers=X-Remote-Group + - --requestheader-username-headers=X-Remote-User + - --secure-port=6443 + - --service-account-issuer=https://kubernetes.default.svc.cluster.local + - --service-account-key-file=/etc/kubernetes/pki/sa.pub + - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key + - --service-cluster-ip-range=10.96.0.0/12 + - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt + - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key + image: registry.k8s.io/kube-apiserver:v1.25.15 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 8 + httpGet: + host: 192.168.1.147 + path: 
/livez + port: 6443 + scheme: HTTPS + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + name: kube-apiserver + readinessProbe: + failureThreshold: 3 + httpGet: + host: 192.168.1.147 + path: /readyz + port: 6443 + scheme: HTTPS + periodSeconds: 1 + timeoutSeconds: 15 + resources: + requests: + cpu: 250m + startupProbe: + failureThreshold: 24 + httpGet: + host: 192.168.1.147 + path: /livez + port: 6443 + scheme: HTTPS + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + volumeMounts: + - mountPath: /etc/ssl/certs + name: ca-certs + readOnly: true + - mountPath: /etc/ca-certificates + name: etc-ca-certificates + readOnly: true + - mountPath: /etc/pki + name: etc-pki + readOnly: true + - mountPath: /etc/kubernetes/pki + name: k8s-certs + readOnly: true + - mountPath: /usr/local/share/ca-certificates + name: usr-local-share-ca-certificates + readOnly: true + - mountPath: /usr/share/ca-certificates + name: usr-share-ca-certificates + readOnly: true + hostNetwork: true + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /etc/ssl/certs + type: DirectoryOrCreate + name: ca-certs + - hostPath: + path: /etc/ca-certificates + type: DirectoryOrCreate + name: etc-ca-certificates + - hostPath: + path: /etc/pki + type: DirectoryOrCreate + name: etc-pki + - hostPath: + path: /etc/kubernetes/pki + type: DirectoryOrCreate + name: k8s-certs + - hostPath: + path: /usr/local/share/ca-certificates + type: DirectoryOrCreate + name: usr-local-share-ca-certificates + - hostPath: + path: /usr/share/ca-certificates + type: DirectoryOrCreate + name: usr-share-ca-certificates +status: {} diff --git a/ClusterBackup/kube-controller-manager.yaml b/ClusterBackup/kube-controller-manager.yaml new file mode 100644 index 00000000..7ce7e99a --- /dev/null +++ b/ClusterBackup/kube-controller-manager.yaml 
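Review bot: The kube-apiserver command line has no `--audit-policy-file`/`--audit-log-path`, so API audit logging is disabled and there is no record of who created, read or modified objects (Secrets included) on this cluster. Enabling it needs the flags plus a hostPath for the policy file and one for the log directory, shown below; note that the policy file must exist on the node before the pod starts, because `DirectoryOrCreate` only creates the directory. There is likewise no `--encryption-provider-config`, so Secrets are stored in etcd (`/var/lib/etcd` in the etcd manifest) as plain base64 — worth adding alongside the audit settings. Since kubeadm regenerates this file on `kubeadm upgrade`, these belong in the ClusterConfiguration `apiServer.extraArgs`/`extraVolumes` rather than only in the manifest.

```yaml
    - kube-apiserver
    # … unchanged: existing --advertise-address … --tls-private-key-file flags …
    - --audit-policy-file=/etc/kubernetes/audit/policy.yaml
    - --audit-log-path=/var/log/kubernetes/audit/audit.log
    - --audit-log-maxage=30
    - --audit-log-maxbackup=10
    - --audit-log-maxsize=100
    # … unchanged: image, probes, resources …
    volumeMounts:
    - mountPath: /etc/kubernetes/audit
      name: audit-policy
      readOnly: true
    - mountPath: /var/log/kubernetes/audit
      name: audit-log
    # … unchanged: existing CA / pki mounts …
  volumes:
  - hostPath:
      path: /etc/kubernetes/audit
      type: DirectoryOrCreate
    name: audit-policy
  - hostPath:
      path: /var/log/kubernetes/audit
      type: DirectoryOrCreate
    name: audit-log
  # … unchanged: existing hostPath volumes …
```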
@@ -0,0 +1,119 @@ +apiVersion: v1 +kind: Pod +metadata: + creationTimestamp: null + labels: + component: kube-controller-manager + tier: control-plane + name: kube-controller-manager + namespace: kube-system +spec: + containers: + - command: + - kube-controller-manager + - --allocate-node-cidrs=true + - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf + - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf + - --bind-address=127.0.0.1 + - --client-ca-file=/etc/kubernetes/pki/ca.crt + - --cluster-cidr=10.34.0.0/16 + - --cluster-name=kubernetes + - --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt + - --cluster-signing-key-file=/etc/kubernetes/pki/ca.key + - --controllers=*,bootstrapsigner,tokencleaner + - --kubeconfig=/etc/kubernetes/controller-manager.conf + - --leader-elect=true + - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt + - --root-ca-file=/etc/kubernetes/pki/ca.crt + - --service-account-private-key-file=/etc/kubernetes/pki/sa.key + - --service-cluster-ip-range=10.96.0.0/12 + - --use-service-account-credentials=true + image: registry.k8s.io/kube-controller-manager:v1.25.15 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 8 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 10257 + scheme: HTTPS + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + name: kube-controller-manager + resources: + requests: + cpu: 200m + startupProbe: + failureThreshold: 24 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 10257 + scheme: HTTPS + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + volumeMounts: + - mountPath: /etc/ssl/certs + name: ca-certs + readOnly: true + - mountPath: /etc/ca-certificates + name: etc-ca-certificates + readOnly: true + - mountPath: /etc/pki + name: etc-pki + readOnly: true + - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec + name: flexvolume-dir + - mountPath: /etc/kubernetes/pki + name: k8s-certs + readOnly: 
true + - mountPath: /etc/kubernetes/controller-manager.conf + name: kubeconfig + readOnly: true + - mountPath: /usr/local/share/ca-certificates + name: usr-local-share-ca-certificates + readOnly: true + - mountPath: /usr/share/ca-certificates + name: usr-share-ca-certificates + readOnly: true + hostNetwork: true + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /etc/ssl/certs + type: DirectoryOrCreate + name: ca-certs + - hostPath: + path: /etc/ca-certificates + type: DirectoryOrCreate + name: etc-ca-certificates + - hostPath: + path: /etc/pki + type: DirectoryOrCreate + name: etc-pki + - hostPath: + path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec + type: DirectoryOrCreate + name: flexvolume-dir + - hostPath: + path: /etc/kubernetes/pki + type: DirectoryOrCreate + name: k8s-certs + - hostPath: + path: /etc/kubernetes/controller-manager.conf + type: FileOrCreate + name: kubeconfig + - hostPath: + path: /usr/local/share/ca-certificates + type: DirectoryOrCreate + name: usr-local-share-ca-certificates + - hostPath: + path: /usr/share/ca-certificates + type: DirectoryOrCreate + name: usr-share-ca-certificates +status: {} diff --git a/ClusterBackup/kube-scheduler.yaml b/ClusterBackup/kube-scheduler.yaml new file mode 100644 index 00000000..1479d7ea --- /dev/null +++ b/ClusterBackup/kube-scheduler.yaml 
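Review bot: `kube-controller-manager` is started without `--profiling=false`, so the pprof endpoints are served on the 10257 HTTPS port; exposure is limited because `--bind-address=127.0.0.1` and `--authentication-kubeconfig`/`--authorization-kubeconfig` are set, but the CIS Kubernetes Benchmark still recommends disabling it for a process that holds the cluster CA key (`--cluster-signing-key-file=/etc/kubernetes/pki/ca.key`). Adding `- --profiling=false` to the command list is a one-line change. The `flexvolume-dir` hostPath (`/usr/libexec/kubernetes/kubelet-plugins/volume/exec`) is the only mount in this pod without `readOnly: true`; FlexVolume is deprecated, so if no Flex drivers are in use on this cluster the mount can be dropped entirely. As with the other manifests in this backup, these changes should be made in the kubeadm ClusterConfiguration so that `kubeadm upgrade` does not revert them.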
@@ -0,0 +1,59 @@ +apiVersion: v1 +kind: Pod +metadata: + creationTimestamp: null + labels: + component: kube-scheduler + tier: control-plane + name: kube-scheduler + namespace: kube-system +spec: + containers: + - command: + - kube-scheduler + - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf + - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf + - --bind-address=127.0.0.1 + - --kubeconfig=/etc/kubernetes/scheduler.conf + - --leader-elect=true + image: registry.k8s.io/kube-scheduler:v1.25.15 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 8 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 10259 + scheme: HTTPS + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + name: kube-scheduler + resources: + requests: + cpu: 100m + startupProbe: + failureThreshold: 24 + httpGet: + host: 127.0.0.1 + path: /healthz + port: 10259 + scheme: HTTPS + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + volumeMounts: + - mountPath: /etc/kubernetes/scheduler.conf + name: kubeconfig + readOnly: true + hostNetwork: true + priorityClassName: system-node-critical + securityContext: + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /etc/kubernetes/scheduler.conf + type: FileOrCreate + name: kubeconfig +status: {} diff --git a/RENOVACION_CERTIFICADOS.md b/RENOVACION_CERTIFICADOS.md index 09c465a6..2c7a4e25 100644 --- a/RENOVACION_CERTIFICADOS.md +++ b/RENOVACION_CERTIFICADOS.md 
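Review bot: The scheduler mounts its kubeconfig with `type: FileOrCreate`; if `/etc/kubernetes/scheduler.conf` is missing when this backup is restored, the kubelet creates an empty file and the scheduler then fails with an unhelpful kubeconfig/authentication error instead of a clear missing-file error. For a restore procedure, `type: File` fails fast, or at minimum the restore notes should state that `/etc/kubernetes/*.conf` must be put back before the static-pod manifests. The command list also lacks `--profiling=false`; the pprof endpoint is only reachable on `127.0.0.1:10259` and is authenticated, but the CIS Kubernetes Benchmark recommends disabling it, `- --profiling=false`. The same `FileOrCreate` pattern appears in the kube-controller-manager manifest in this commit.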
@@ -47,7 +47,7 @@ después de ejecutar este comando, hay que copiar el fichero de configuración e sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config -Y, según las instrucciones del enlace de arriba y del propio comando de renovación, hay que reiniciar ```kube-apiserver, kube-controller-manager, kube-scheduler y etcd```. No lo hice y parece que funciona. +Y, según las instrucciones del enlace de arriba y del propio comando de renovación, hay que reiniciar ```kube-apiserver, kube-controller-manager, kube-scheduler y etcd```. Hay que hacerlo, siguiendo las instrucciones de más abajo. ## reiniciar los servicios del clúster.