docs: update readme, restart pods

yuyicai · Apr 20, 2023 · 2007b4e · 2007b4e
1 parent a171c25
commit 2007b4e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/README-zh_CN.md b/README-zh_CN.md
@@ -24,7 +24,12 @@ chmod 755 update-kubeadm-cert.sh
 
 ## 1.2. 更新证书
 
-**如果使用 `containerd` 作为 CRI 运行时，使用 `update-kubeadm-cert-crictl.sh` 代替 `update-kubeadm-cert.sh`**
+**如果使用 `containerd` 作为 CRI 运行时：**
+
+- 使用 `update-kubeadm-cert-crictl.sh` 代替 `update-kubeadm-cert.sh`
+- 手动重启控制平面 Pods（必须）
+  > 执行完此命令之后你需要重启控制面 Pods。因为动态证书重载目前还不被所有组件和证书支持，所有这项操作是必须的。 静态 Pods 是被本地 kubelet 而不是 API Server 管理， 所以 kubectl 不能用来删除或重启他们。 要重启静态 Pod 你可以临时将清单文件从 /etc/kubernetes/manifests/ 移除并等待 20 秒 （参考 KubeletConfiguration 结构 中的 fileCheckFrequency 值）。 如果 Pod 不在清单目录里，kubelet 将会终止它。 在另一个 fileCheckFrequency 周期之后你可以将文件移回去，为了组件可以完成 kubelet 将重新创建 Pod 和证书更新。  
+  > https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#manual-certificate-renewal
 
 执行时请使用 `./update-kubeadm-cert.sh all` 或者 `bash update-kubeadm-cert.sh all` ，不要使用 `sh update-kubeadm-cert.sh all`，因为某些 Linux 发行版 sh 并不是链接到 bash，可能会不兼容
 

diff --git a/README.md b/README.md
@@ -24,7 +24,12 @@ chmod 755 update-kubeadm-cert.sh
 
 ## 1.2 Renew the certificate
 
-**If you use `containerd` as CRI runtime, use `update-kubeadm-cert-crictl.sh` instead of `update-kubeadm-cert.sh`**
+**If you use `containerd` as CRI runtime：**
+
+- use `update-kubeadm-cert-crictl.sh` instead of `update-kubeadm-cert.sh`
+- manual restart the control plane Pods (necessary)
+  > After running the command you should restart the control plane Pods. This is required since dynamic certificate reload is currently not supported for all components and certificates. Static Pods are managed by the local kubelet and not by the API Server, thus kubectl cannot be used to delete and restart them. To restart a static Pod you can temporarily remove its manifest file from /etc/kubernetes/manifests/ and wait for 20 seconds (see the fileCheckFrequency value in KubeletConfiguration struct. The kubelet will terminate the Pod if it's no longer in the manifest directory. You can then move the file back and after another fileCheckFrequency period, the kubelet will recreate the Pod and the certificate renewal for the component can complete.  
+  > https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#manual-certificate-renewal
 
 Use `./update-kubeadm-cert.sh all` or `bash update-kubeadm-cert.sh all` to execute it. Please do not use `sh update-kubeadm-cert.sh all`，Because some of Linux distributions doesn't link sh to bash. it may cause the problem of compatibility.