红帽全球峰会4.4. 恢复一个休眠集群
当您在 90 天内恢复休眠集群时,您可能需要批准证书签名请求(CSR)以使节点就绪。
根据集群的大小,集群可能需要大约 45 分钟才能恢复。
先决条件
- 您在 90 天内休眠集群。
-
您可以使用具有
cluster-admin角色的用户访问集群。
流程
在集群休眠的 90 天内恢复集群虚拟机:
使用集群云环境原生的工具来恢复集群的虚拟机。
- 具体取决于集群中的节点数量,等待大约 5 分钟。
批准节点的 CSR:
检查每个节点是否处于
NotReady状态的 CSR:$ oc get csr输出示例
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION csr-4dwsd 37m kubernetes.io/kube-apiserver-client system:node:ci-ln-812tb4k-72292-8bcj7-worker-c-q8mw2 24h Pending csr-4vrbr 49m kubernetes.io/kube-apiserver-client system:node:ci-ln-812tb4k-72292-8bcj7-master-1 24h Pending csr-4wk5x 51m kubernetes.io/kubelet-serving system:node:ci-ln-812tb4k-72292-8bcj7-master-1 <none> Pending csr-84vb6 51m kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper <none> Pending运行以下命令来批准每个有效的 CSR:
$ oc adm certificate approve <csr_name>运行以下命令验证所有必需的 CSR 是否已批准:
$ oc get csr输出示例
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION csr-4dwsd 37m kubernetes.io/kube-apiserver-client system:node:ci-ln-812tb4k-72292-8bcj7-worker-c-q8mw2 24h Approved,Issued csr-4vrbr 49m kubernetes.io/kube-apiserver-client system:node:ci-ln-812tb4k-72292-8bcj7-master-1 24h Approved,Issued csr-4wk5x 51m kubernetes.io/kubelet-serving system:node:ci-ln-812tb4k-72292-8bcj7-master-1 <none> Approved,Issued csr-84vb6 51m kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper <none> Approved,IssuedCSR 应该在
CONDITION列中显示为Approved,Issued。
运行以下命令验证所有节点现在显示为 ready :
$ oc get nodes输出示例
NAME STATUS ROLES AGE VERSION ci-ln-812tb4k-72292-8bcj7-master-0 Ready control-plane,master 32m v1.33.4 ci-ln-812tb4k-72292-8bcj7-master-1 Ready control-plane,master 32m v1.33.4 ci-ln-812tb4k-72292-8bcj7-master-2 Ready control-plane,master 32m v1.33.4 Ci-ln-812tb4k-72292-8bcj7-worker-a-zhdvk Ready worker 19m v1.33.4 ci-ln-812tb4k-72292-8bcj7-worker-b-9hrmv Ready worker 19m v1.33.4 ci-ln-812tb4k-72292-8bcj7-worker-c-q8mw2 Ready worker 19m v1.33.4所有节点的
STATUS列都应显示Ready。批准 CSR 后,所有节点可能需要几分钟时间才会变为就绪。等待集群 Operator 重启以加载新证书。
这可能需要 5 分钟或 10 分钟。
运行以下命令,验证所有集群 Operator 是否都处于良好状态:
$ oc get clusteroperators输出示例
NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE MESSAGE authentication 4.20.0-0 True False False 51m baremetal 4.20.0-0 True False False 72m cloud-controller-manager 4.20.0-0 True False False 75m cloud-credential 4.20.0-0 True False False 77m cluster-api 4.20.0-0 True False False 42m cluster-autoscaler 4.20.0-0 True False False 72m config-operator 4.20.0-0 True False False 72m console 4.20.0-0 True False False 55m ...所有集群 Operator 都应显示
AVAILABLE=True,PROGRESSING=False, 和DEGRADED=False。
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}