
Commit 6be4218

Merge pull request #27720 from tengqm/zh-sync-kubeadm-1
[zh] Resync kubeadm files (1)
2 parents 24fd0d4 + c4438bd commit 6be4218

6 files changed

+795
-780
lines changed

content/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm.md

Lines changed: 20 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -6,13 +6,13 @@ content_type: task
66
weight: 30
77
---
88

9-
<!-- ---
9+
<!--
1010
reviewers:
1111
- sig-cluster-lifecycle
1212
title: Creating a cluster with kubeadm
1313
content_type: task
1414
weight: 30
15-
--- -->
15+
-->
1616

1717
<!-- overview -->
1818

@@ -346,6 +346,20 @@ Alternatively, if you are the `root` user, you can run:
346346
export KUBECONFIG=/etc/kubernetes/admin.conf
347347
```
348348

349+
{{< warning >}}
350+
<!--
351+
Kubeadm signs the certificate in the `admin.conf` to have `Subject: O = system:masters, CN = kubernetes-admin`.
352+
`system:masters` is a break-glass, super user group that bypasses the authorization layer (e.g. RBAC).
353+
Do not share the `admin.conf` file with anyone and instead grant users custom permissions by generating
354+
them a kubeconfig file using the `kubeadm kubeconfig user` command.
355+
-->
356+
kubeadm 对 `admin.conf` 中的证书进行签名时,将其配置为
357+
`Subject: O = system:masters, CN = kubernetes-admin`
358+
`system:masters` 是一个例外的、超级用户组,可以绕过鉴权层(例如 RBAC)。
359+
不要将 `admin.conf` 文件与任何人共享,应该使用 `kubeadm kubeconfig user`
360+
命令为其他用户生成 kubeconfig 文件,完成对他们的定制授权。
361+
{{< /warning >}}
362+
349363
<!--
350364
Make a record of the `kubeadm join` command that `kubeadm init` outputs. You
351365
need this command to [join nodes to your cluster](#join-nodes).
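
Review bot: Added line 357 ends right after the closing backtick with no full stop, so once Markdown joins the lines the `Subject: O = system:masters, CN = kubernetes-admin` string runs straight into the sentence that starts on line 358; add "。" at the end of line 357. On line 358, "例外的" loses the emergency-only sense of "break-glass" in the English source on line 352; wording that conveys emergency-only use would keep the point that this group bypasses the authorization layer and is not meant for routine access. The advice on lines 359-360 to use `kubeadm kubeconfig user` instead of sharing `admin.conf` matches the English text and reads clearly.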
@@ -428,13 +442,14 @@ Cluster DNS (CoreDNS) will not start up before a network is installed.**
428442
{{< /caution >}}
429443

430444
<!--
431-
Currently Calico is the only CNI plugin that the kubeadm project performs e2e tests against.
445+
Kubeadm should be CNI agnostic and the validation of CNI providers is out of the scope of our current e2e testing.
432446
If you find an issue related to a CNI plugin you should log a ticket in its respective issue
433447
tracker instead of the kubeadm or kubernetes issue trackers.
434448
-->
435449
{{< note >}}
436-
目前 Calico 是 kubeadm 项目中执行 e2e 测试的唯一 CNI 插件。
437-
如果你发现与 CNI 插件相关的问题,应在其各自的问题跟踪器中记录而不是在 kubeadm 或 kubernetes 问题跟踪器中记录。
450+
kubeadm 应该是与 CNI 无关的,对 CNI 驱动进行验证目前不在我们的端到端测试范畴之内。
451+
如果你发现与 CNI 插件相关的问题,应在其各自的问题跟踪器中记录而不是在 kubeadm
452+
或 kubernetes 问题跟踪器中记录。
438453
{{< /note >}}
439454

440455
<!--
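
Review bot: Added line 450 translates "CNI providers" as "CNI 驱动", while line 451 and the removed line 436 use "CNI 插件"; use one term in this note so readers do not take them for two different components. The re-wrap of the second sentence across lines 451-452 breaks after "kubeadm", which is fine for rendering, but the wording itself is unchanged from the removed line 437, so the diff would be easier to review if only line 450 differed.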
