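bmctl command reference

bmctl is a command-line tool for Google Distributed Cloud that simplifies cluster creation and management. This document is a comprehensive reference for bmctl commands and their related flags.

Before you begin

bmctl uses Application Default Credentials (ADC) to validate the location value in the cluster spec (clusterOperations.location) when it is not set to global. Many bmctl commands require this validation. For ADC to work, you need to do one of the following:

  • Set the GOOGLE_APPLICATION_CREDENTIALS environment variable on your admin workstation to the path of a service account credential file.

  • Use the gcloud CLI to set your user credentials as Application Default Credentials (ADC):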

    gcloud auth application-default login
    

Some bmctl commands let you specify the path to a credentials file with a flag.

backup

Back up cluster information.

Options

  -h, --help   help for backup

backup cluster

Back up a cluster and save the backup to a tar file.

backup cluster [flags]

Options

      --backup-file string                      path to the output backup files.
      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
  -h, --help                                    help for cluster
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                       Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.
      --use-disk                                Perform the backup using the disk instead of in-memory buffer. This option only works when the command is run by the root user or with sudo.
      --yes                                     Perform the backup, and do not prompt for confirmation (non-interactive mode).

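For more information about backing up and restoring clusters with bmctl, see Back up and restore clusters with bmctl.

check

Perform preflight or health checks on a cluster or infrastructure.

Options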

  -h, --help   help for check

check add-ons

Check the operational health of cluster add-ons, such as stackdriver-log-aggregator, stackdriver-log-forwarder, and gke-connect-agent.

check add-ons [flags]

Examples

# Do a health check for add-ons.
bmctl check add-ons --cluster=cluster1

Options

      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
  -h, --help                                    help for add-ons
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                       Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.

check cluster

Check the health of a cluster or generate a cluster snapshot.

check cluster [flags]

Examples

# Do a health check for cluster.
bmctl check cluster --cluster=cluster1
# Take a snapshot of the cluster (requires admin cluster to be available).
bmctl check cluster --snapshot --cluster=cluster1 --admin-kubeconfig=admin-kubeconfig
# Take a snapshot of the cluster (requires admin cluster to be available) using 30 threads.
bmctl check cluster --snapshot --cluster=cluster1 --admin-kubeconfig=admin-kubeconfig --num-of-parallel-threads=30
# Take a snapshot of the cluster nodes only (does not require admin cluster to be available).
bmctl check cluster --snapshot --cluster=cluster1 --snapshot-config=snapshot-config

Options

      --bootstrap-cluster-pod-cidr string           Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string       Bootstrap cluster service CIDR (default "10.96.0.0/27")
      --ca-file string                              The file that contains the Node Agent server CA certificate for authenticating nodes to capture snapshots. While this flag is fully optional, when provided, nodes must also be provided.
      --cert-file string                            The file that contains the Node Agent client certificate for authenticating with nodes to capture snapshots. While this flag is fully optional, when provided, nodes must also be provided.
  -c, --cluster cluster name                        Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
      --enforce-allowlist                           Enforces allowlist checking for kubectl/node commands executed as part of collecting a snapshot to ensure that they are read-only. Commands that are not allowed will be skipped. (default true)
  -h, --help                                        help for cluster
      --ignore-validation-errors                    A validation error override, allowing to proceed despite the validation errors.
      --key-file string                             The file that contains the Node Agent client private key for authenticating with nodes to capture snapshots. While this flag is fully optional, when provided, nodes must also be provided.
      --kubeconfig string                           Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.
      --local                                       Save the snapshot on your workstation only. This will allow you to explicitly opt out of uploading the snapshot to Google Cloud.
      --login-user string                           The user to log in to each node. This will be ignored when admin-kubeconfig is set. (default "root")
      --node-ssh-key string                         The file that contains the SSH key to the nodes to capture snapshots against. While this flag is fully optional, when provided, nodes must also be provided.
      --nodeagent-port int                          The Node Agent server port for the client side to connect to. This flag is optional and only applies with 'nodes' options; when provided, it will override the default port.
      --nodes strings                               The comma-separated IP address list of the nodes to capture snapshots against. While this flag is fully optional, when provided, node-ssh-key must also be provided.
      --num-of-parallel-threads int                 The number of parallel threads used for processing snapshots. Note that the --snapshot-config and --num-of-parallel-threads flags cannot be used at the same time. (default 10)
      --quiet                                       During a snapshot run, suppress logging to stdout. (The console log is available in the 'bmctl_diagnose_snapshot.log' file, which is part of the snapshot.)
      --reuse-bootstrap-cluster                     If true, use existing bootstrap cluster.
      --service-account-key-file string             The service account key file that is needed to upload the snapshot to your Google Cloud Storage bucket and provision a dedicated Google Cloud service account for your project to facilitate snapshot sharing with Google.
                                                    
                                                    Make sure that the service account key has the ability to create and list buckets and objects in your project.
                                                    We recommend creating a custom role with the following permissions and assigning this custom role to your service account:
                                                    - storage.buckets.create
                                                    - storage.buckets.get
                                                    - storage.buckets.list
                                                    - storage.objects.create
                                                    - resourcemanager.projects.get
                                                    Note that all the storage permissions fall under the "roles/storage.admin" IAM role. You can also use that role, but it is too powerful and is not recommended
                                                    
                                                    Note that:
                                                    - this flag is defaulted to the environment variable GOOGLE_APPLICATION_CREDENTIALS, if not provided.
                                                    - this flag is ignored if the "--upload-to" flag is empty.
      --since duration                              This only returns logs newer than a relative duration like 5s, 4m, or 3h. It defaults to all logs.
      --snapshot                                    Takes a snapshot of the cluster's logs, configurations, and other data if true.
                                                    Note that if a service account key is provided either through the flag --service-account-key-file or GOOGLE_APPLICATION_CREDENTIALS, the snapshot will be automatically uploaded to your Google Cloud Storage bucket. Also, a dedicated Google Cloud service account for your project will be provisioned for your project to facilitate snapshot sharing with Google.
                                                    Use --local to opt out of snapshot uploading.
                                                    
      --snapshot-config --enforce_allowlist=false   The config file of the snapshot. When this flag is omitted, a default configuration is applied. An allowlist enforcing read-only commands is in effect by default. To bypass it, specify the --enforce_allowlist=false option. Note that the --snapshot-config and --num-of-parallel-threads flags cannot be used at the same time.
      --snapshot-dry-run                            In dry-run mode, the command does not take the snapshot. Instead, it prints out the actions to be taken and the snapshot configuration.
      --snapshot-output string                      The output file of the snapshot.
      --snapshot-scenario string                    The scenario of the snapshot. This is ignored when the --config flag is specified. The supported scenarios are:
                                                    - system: a snapshot of system components, including their logs
                                                    - all: a snapshot of all pods, including their logs (default "system")
      --snapshot-temp-output-dir string             The temporary landing directory for the snapshot.
      --upload-to string                            The Google Cloud Storage bucket name for uploading the snapshot. A new bucket will be created if it doesn't exist. Please follow the naming guidelines here (https://cloud.google.com/storage/docs/naming-buckets). 

check config

Check the cluster configuration file.

check config [flags]

Examples

# Do check for cluster1.yaml file.
bmctl check config --cluster=cluster1

Options

      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
  -h, --help                                    help for config
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                       Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.

check gcp

Health check of cluster connectivity to Google Cloud.

check gcp [flags]

Examples

# Do a Google Cloud connectivity health check for cluster machines.
bmctl check gcp --cluster=cluster1

Options

      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
  -h, --help                                    help for gcp
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                       Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.

check kubernetes

Check the health of Kubernetes.

check kubernetes [flags]

Examples

# Do a Kubernetes health check for the cluster.
bmctl check kubernetes --cluster=cluster1

Options

      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
  -h, --help                                    help for kubernetes
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                       Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.

check nodes

Check the health of nodes.

check nodes [flags]

Examples

# Do a health check for some provisioned nodes.
bmctl check nodes --addresses=192.168.0.1,192.168.0.4

Options

      --addresses strings                       Node addresses; addresses should be a comma-separated list, and each address must be a single IP address (e.g., 192.168.0.1).
      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
  -h, --help                                    help for nodes
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                       Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.

check preflight

Health check.

Synopsis

Preflight checks for cluster installation and upgrade. To run the upgrade preflight check, pass in --kubeconfig <admin_cluster_kubeconfig_path> and update the version in the cluster YAML file.

check preflight [flags]

Examples

# Do a preflight check for cluster1.yaml in bmctl-workspace/cluster1
bmctl check preflight --cluster=cluster1
# If the kubeconfig flag (for example, --kubeconfig=bmctl-workspace/cluster1/cluster1-kubeconfig) is included and cluster1's spec version is updated, the command triggers a preflight check for upgrading the cluster.

Options

      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
  -h, --help                                    help for preflight
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                       Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.

check vmruntimepfc

VM Runtime for GDC preflight check.

Synopsis

A VM runtime preflight check that verifies the prerequisites for creating virtual machines.

check vmruntimepfc [flags]

Examples

# Do vmruntime preflight check.
bmctl check vmruntimepfc --kubeconfig=$KUBECONFIG

Options

  -h, --help                help for vmruntimepfc
      --kubeconfig string   Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.

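For more information about preflight checks, see Understand preflight checks.

configure

Configure service accounts and IAM roles and enable APIs on Google Cloud for Workload Identity cluster authentication.

Options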

  -h, --help   help for configure

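configure projects

Configure IAM policy bindings for Workload Identity cluster authentication. Creates the required service accounts and enables the required APIs.

configure projects [flags]

Options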

      --admin-cluster string                admin cluster name
      --cloud-ops-service-account string    cloud ops service account
      --controller-service-account string   controller GCP service account
      --gcr-service-account string          GCR image pull service account
  -h, --help                                help for projects
      --location string                     GKE hub membership location (default "global")
      --project-id string                   GCP project used in GKE connect
      --proxy-url string                    proxy URL for accessing GCP services. If not specified, bmctl looks for env variables HTTPS_PROXY and HTTP_PROXY
      --user-clusters string                one or more comma-delimited user cluster names

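For more information about enabling and using Workload Identity cluster authentication, see Workload Identity cluster authentication.

create

Create a cluster configuration file, a cluster, or a Kubernetes service account (KSA).

Options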

  -h, --help   help for create

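create cluster

Create a cluster from a cluster configuration file.

Synopsis

Create a cluster. This command generates a kubeconfig for the created cluster. Because this file contains the cluster's credentials, be sure to keep it secure. This command requires the serviceusage.services.get permission to check API enablement for your Google Cloud project.

create cluster [flags]

Options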

      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
      --force                                   If true, ignore errors from preflight checks and validation except for GCP check errors.
  -h, --help                                    help for cluster
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                       Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.

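For more information about creating clusters, see Cluster creation overview.

create config

Create a cluster configuration file. By default, this file is created in the bmctl-workspace/<cluster_name> folder.

create config [flags]

Options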

      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
      --create-service-accounts                 Automatically create GCP service account keys, if they do not already exist in the workspace
      --enable-apis                             Automatically enable APIs used by Anthos clusters on bare metal for the GCP project specified by the project-id flag
      --force                                   Overwrite existing config
  -h, --help                                    help for config
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --project-id string                       GCP project where the new cluster will connect with via GKE Hub and Stackdriver logging/monitoring, required if --create-service-accounts or --enable-apis is true
      --proxy-url string                        Proxy URL for accessing GCP services. If not specified, bmctl will look for the HTTPS_PROXY and HTTP_PROXY environment variables
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.

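create ksa

Create a Kubernetes service account with the cluster-admin role for the target cluster. The default name of the Kubernetes service account is kubernetes-service-account, so the --ksa-name flag is optional. The command generates a bearer token that you can use to log in to the cluster. By default, the bearer token is stored in the bmctl-workspace/<cluster_name> folder.

create ksa [flags]

Options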

  -c, --cluster string      Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml.
  -h, --help                help for ksa
      --ksa-name string     Name of the Kubernetes service account and default value is kubernetes-service-account. (default "kubernetes-service-account")
      --kubeconfig string   Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.

disable

Disable VM Runtime for GDC in a cluster.

Options

  -h, --help   help for disable

disable vmruntime

Disable VM Runtime for GDC in a cluster.

disable vmruntime [flags]

Options

      --force               If true, delete all VM resources and disable VM Runtime.
  -h, --help                help for vmruntime
      --kubeconfig string   Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.

For more information about enabling and disabling the VM runtime on GDC, see Enable or disable the VM runtime on GDC.

enable

Enable VM Runtime for GDC in a cluster.

Options

  -h, --help   help for enable

enable vmruntime

Enable VM Runtime for GDC in a cluster.

enable vmruntime [flags]

Options

  -h, --help                help for vmruntime
      --kubeconfig string   Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.

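For more information about enabling and disabling the VM runtime on GDC, see Enable or disable the VM runtime on GDC.

get

Get a cluster configuration or cluster credentials.

Options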

  -h, --help   help for get

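get config

Get the cluster configuration file. The command pulls the custom resources of the target cluster and generates a configuration file.

get config [flags]

Options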

  -c, --cluster string      Cluster name; the cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml.
  -h, --help                help for config
      --kubeconfig string   Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.

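For more information, see Get cluster configuration details.

get credentials

Get the target cluster's credentials. The command generates a kubeconfig file in the <workspace dir>/<cluster name> folder on the admin workstation.

get credentials [flags]

Options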

  -c, --cluster string      Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml.
  -h, --help                help for credentials
      --kubeconfig string   Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.

For more information, see Get cluster credentials.
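
The create cluster, create ksa, and get credentials commands above all leave credentials (kubeconfig files, a bearer token) in the workspace folder. The following shell functions are an added example, not part of bmctl or the original page, that flag and tighten such files when anyone other than their owner can access them; the file-name patterns and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not bmctl code): audit a bmctl workspace for credential
# files that are accessible to group or other users.
#
# Assumptions: the name patterns below (*kubeconfig*, *.json, *token*) are
# guesses at how kubeconfig files, service account keys and bearer tokens
# are named in the workspace; adjust them to match your own layout.
#
# Usage: . ./audit-workspace.sh && audit_workspace bmctl-workspace

# Print every credential-like regular file under $1 that has any
# group/other permission bit set. Uses only POSIX find primaries.
find_exposed_creds() {
    ws=$1
    find "$ws" -type f \
        \( -name '*kubeconfig*' -o -name '*.json' -o -name '*token*' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -print
}

# Return 0 when no exposed credential file is found, 1 when at least one
# is found (paths are listed on stderr), 2 when the workspace is missing.
audit_workspace() {
    ws=${1:-bmctl-workspace}
    if [ ! -d "$ws" ]; then
        echo "no such workspace: $ws" >&2
        return 2
    fi
    exposed=$(find_exposed_creds "$ws")
    if [ -n "$exposed" ]; then
        echo "credential files accessible beyond their owner:" >&2
        echo "$exposed" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Restrict every flagged file to owner read/write only (mode 600).
harden_workspace() {
    ws=${1:-bmctl-workspace}
    find_exposed_creds "$ws" | while IFS= read -r f; do
        chmod 600 "$f"
    done
}
```

Run audit_workspace after any command that writes credentials into the workspace, and harden_workspace when it reports findings.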

install

Perform software installation operations.

Options

  -h, --help   help for install

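install virtctl

Install virtctl on the current machine as a kubectl plugin. The virtctl plugin supports basic VM operations, such as create, connect, and change power state.

install virtctl [flags]

Options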

  -d, --dst-dir string   The dir virtctl binary to be installed. This path must be a valid one within the PATH env variable.
  -h, --help             help for virtctl

move

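Move Google Distributed Cloud resources and all dependencies between management clusters.

  • The target cluster namespace can contain additional resources; conflicting resources are replaced.

move [flags]

Options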

      --cluster-move-timeout duration    Cluster move timeout; the default value is 15m. The input should contain the duration unit, e.g. 3600s, 60m, or 1h. (default 15m0s)
      --from-kubeconfig string           Kubeconfig file path for the source management cluster. If unspecified, the default discovered kubeconfig will be used.
      --from-kubeconfig-context string   Context to be used within the kubeconfig file for the source management cluster. If empty, the current context will be used.
  -h, --help                             help for move
  -n, --namespace string                 The namespace where the cluster resources are stored. If unspecified, the current context's namespace is used.
      --to-kubeconfig string             Kubeconfig file path for the destination management cluster.
      --to-kubeconfig-context string     Context to be used within the kubeconfig file for the destination management cluster. If empty, the current context will be used.

nodeagent

Manage Node Agent deployment.

Synopsis

Provides commands for managing the Node Agent service on cluster nodes.

Options

  -h, --help   help for nodeagent

nodeagent deploy

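Deploy the Node Agent service to specified nodes using SSH.

Synopsis

Deploy the Node Agent service to one or more target nodes in a specified cluster using SSH.

This command can install or reinstall Node Agent. It connects over SSH and performs the necessary steps, including transferring binaries, generating and transferring certificates as needed, and setting up the systemd service.

Node Agent requires SSH access to the target nodes and sudo privileges.

This command handles both the initial setup of Node Agent and its recovery.

You can specify the target nodes in several ways: directly with the --nodes flag, through the cluster configuration file with the --cluster flag, or by referencing the cluster's custom resource.

nodeagent deploy [flags]

Options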

      --cluster string             Name of the target cluster (required).
      --concurrency int            Number of parallel node deployments. (default 25)
      --deploy-creds               Deploy the server certificate, private key, and client CA to nodes. (default true)
      --enforce-host-key-verify    Verifies the remote host's SSH key against known_hosts (recommended). (default true)
      --generate-ca-creds          Generate the necessary CAs and client credentials for the Node Agent.
  -h, --help                       help for deploy
      --key-algorithm string       The private key algorithm for the CA, client certificate, and server certificate. (default "rsa")
      --key-length int             The private key length for the CA, client certificate, and server certificate. (default 4096)
      --kubeconfig string          Path to the cluster kubeconfig.
      --nodeagent-version string   The Node Agent version to pull. (default "0.0.0-gke.0")
      --nodes strings              List of node IPs to deploy to (comma-delimited).
      --non-interactive            Run non-interactively, skipping all user prompts.
      --port string                The Node Agent port. (default "9192")
      --pull-binaries              Download Node Agent binaries.
      --sa-key string              Path to the service account key to pull from GCS and GCR.
      --server-cert-validity int   The validity for the server certificate. (default 1825)
      --ssh-key string             Path to the SSH private key file. (default "~/.ssh/id_rsa")
      --ssh-user string            SSH username for connecting to nodes. (default "root")

nodeagent enable

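Enable Node Agent mode for a running cluster.

Synopsis

Enable Node Agent mode for a cluster.

This command modifies the cluster's configuration and also creates or updates the credentials that this mode needs to function.

When Node Agent mode is active, cluster management is handled by the Node Agent running directly on each node.

nodeagent enable [flags]

Options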

      --client-ca-key-path string   Path for the client private key file.
      --client-ca-path string       Path for the client CA certificate file.
      --client-cert-path string     Path for the client certificate file.
      --client-key-path string      Path for the client private key file.
  -c, --cluster string              Name of the target cluster (required).
      --ensure-status               Ensure the Node Agent is running on all nodes in the cluster. (default true)
  -h, --help                        help for enable
  -k, --kubeconfig string           Path to the kubeconfig file (required).
      --port string                 The Node Agent port. (default "9192")
      --server-ca-key-path string   Path for the server CA key file.
      --server-ca-path string       Path for the server CA file.

nodeagent rotate-credentials

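Rotate Node Agent credentials on specified nodes and in the cluster using SSH.

Synopsis

Rotate the nodeagentd credentials on one or more target nodes using SSH. This command also updates the corresponding Node Agent credentials stored in the cluster.

This command can rotate Node Agent credentials. Node Agent requires SSH access to the target nodes and sudo privileges.

You can specify the target nodes in several ways: directly with the --nodes flag, through the cluster configuration file with the --cluster flag, or by referencing the cluster's custom resource.

nodeagent rotate-credentials [flags]

Options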

      --cluster string             Name of the target cluster (required).
      --concurrency int            Number of parallel node deployments. (default 25)
      --enforce-host-key-verify    Verify remote host's SSH key against known_hosts. (default true)
      --generate-ca-creds          Generate necessary CAs and client credentials for Node Agent.
  -h, --help                       help for rotate-credentials
      --key-algorithm string       The private key algorithm for the CA, client certificatem and server certificate. (default "rsa")
      --key-length int             The private key length for the CA, client certificate and server certificate. (default 4096)
      --kubeconfig string          Path to the cluster kubeconfig.
      --nodes strings              List of node IPs to deploy to (comma-delimited).
      --non-interactive            Run non-interactively, skipping all user prompts.
      --server-cert-validity int   The validity for the server certificate. (default 1825)
      --ssh-key string             Path to the SSH private key file. (default "~/.ssh/id_rsa")
      --ssh-user string            SSH username for connecting to nodes. (default "root")

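nodeagent status

Check the running status of Node Agent on cluster nodes.

Synopsis

Check the running status of Node Agent on cluster nodes.

You can specify the target nodes in several ways: directly with the --nodes flag, through the cluster configuration file with the --cluster flag, or by referencing the cluster's custom resource.

nodeagent status [flags]

Options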

      --client-cert-path string   Path for the client certificate file.
      --client-key-path string    Path for the client private key file.
  -c, --cluster string            Name of the target cluster (required).
  -h, --help                      help for status
  -k, --kubeconfig string         Path to the kubeconfig file.
      --nodes strings             List of node IPs to deploy to (comma-delimited).
      --port string               The Node Agent port. (default "9192")
      --server-ca-path string     Path for the server CA file.

push

Push container images to a private registry.

Options

  -h, --help   help for push

push images

Push a local container images tar file to a private registry.

push images [flags]

Options

      --cacert string             Private registry CA certificate file path.
      --dry-run                   Dry run.
      --email string              Email for private registry.
      --force-push                If set to true, will always push images even if images already exist in registry.
      --format string             Format of images in the source file. Should be one of tarball or oci (default). (default "oci")
  -h, --help                      help for images
      --need-credential           Whether credential is needed for private registry. (default true)
      --password string           Password for private registry authentication.
  -r, --private-registry string   Private registry path that stores all bare metal images.
                                  Format should be <registry-name>/<optional-registry-namespace>.
      --source string             Path to bare metal container images compressed file.
  -t, --threads int               Push images with multiple threads. (default 4)
      --username string           Username for private registry authentication.

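To learn how to set up and use a registry mirror for bare metal container images, see Use a registry mirror for container images.

register

Register resources.

Options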

  -h, --help   help for register

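register bootstrap

Register a bootstrap cluster with the GKE Hub API.

Synopsis

Register a bootstrap cluster with the GKE Hub API. This command registers the local kind cluster as an admin cluster. The command waits for the cluster to be created in the Google Cloud console and exits after the cluster is created successfully.

register bootstrap [flags]

Options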

      --bootstrap-cluster-pod-cidr string            Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string        Bootstrap cluster service CIDR (default "10.96.0.0/27")
      --cloud-operation-service-account-key string   Optional, service account key file used to access Google cloud service, service account key specified by environment variable GOOGLE_APPLICATION_CREDENTIALS will be used to fetch or create the Service account.
      --enable-apis                                  Auto enable APIs used by Anthos Bare Metal cluster, for the GCP Project specified by project-id flag
      --gcr-service-account-key string               Optional, service account key file used to pull GCR images, service account key specified by environment variable GOOGLE_APPLICATION_CREDENTIALS will be used to fetch or create the Service account.
      --gke-agent-service-account-key string         Optional, service account key file used to connect the GKE cluster in Google Cloud, service account key specified by environment variable GOOGLE_APPLICATION_CREDENTIALS will be used to fetch or create the Service account.
      --gke-register-service-account-key string      Optional, service account key file used to register the cluster in Google Cloud, service account key specified by environment variable GOOGLE_APPLICATION_CREDENTIALS will be used to fetch or create the Service account.
  -h, --help                                         help for bootstrap
      --ignore-validation-errors                     A validation error override, allowing to proceed despite the validation errors.
      --location string                              Optional, Location of the GKEHub Membership, e.g. us-central1. If unspecified, global will be used. (default "global")
      --name string                                  Mandatory (either --name or --target-cluster-name needs to be provided), Name of the bootstrap cluster. bmctl will register the bootstrap cluster with this name with GKE Connect.
      --project-id string                            Optional, GCP project for GKE Connect. bmctl will register this bootstrap cluster into GCP project temporarily, and un-register it after cluster is provisioned successfully.
      --registry-mirror-ca string                    Registry mirror CA file.
      --registry-mirror-credential string            Registry mirror credential file.
      --registry-mirror-endpoint string              Registry mirror endpoint.
      --reuse-bootstrap-cluster                      If true, use existing bootstrap cluster.
      --ssh-client-cert string                       Optional, Path of the SSH certificate. ABM will use this ssh key certificate while sshing in the machines.
      --ssh-key string                               Mandatory, Path of the SSH key. ABM will use this ssh key while sshing in the machines.
      --target-cluster-name string                   Optional, The target cluster name.

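reset

Reset cluster machines to their pre-installation state.

Synopsis

This command attempts to undo the changes made during previous installation attempts. It is a best-effort operation for recovering from partial installation failures.

reset [flags]

Options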

      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
  -h, --help                                    help for reset
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                       Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.

reset bootstrap

Delete the bootstrap cluster.

Examples

bmctl reset bootstrap

Options

  -h, --help   help for bootstrap

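reset nodes

Resets the specified nodes in a cluster to their pre-installation state by removing them from the cluster. If a node is unreachable, you can use the --force option to bypass the reset step. If the cluster control plane is unreachable, you can use the --ssh-private-key-path, --login-user, and --gcr-service-account-key options to reset the specified nodes to their pre-installation state without removing them from the cluster.

Examples

bmctl reset nodes --addresses 10.200.0.10,10.200.0.11 --cluster cluster1 --kubeconfig admin-kubeconfig

Options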

      --addresses strings                       Node addresses; the addresses should be a comma-separated list, and each address must be a single IP address (e.g., 192.168.0.1).
      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
      --force                                   Optional. If provided, nodes will be forcefully removed from the cluster without running reset jobs.
      --gcr-service-account-key string          Optional, path to the service account JSON key to pull GCR images. Mutually exclusive with the --cluster flag. If not provided, the environment variable GOOGLE_APPLICATION_CREDENTIALS will be used.
  -h, --help                                    help for nodes
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                       Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.
      --login-user string                       Login user to use to connect to the nodes. Mutually exclusive with the --cluster flag. Optional, and should be used together with --ssh-private-key-path. Defaults to root.
      --registry-mirror-ca string               Registry mirror CA file.
      --registry-mirror-credential string       Registry mirror credential file.
      --registry-mirror-endpoint string         Registry mirror endpoint.
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.
      --ssh-private-key-path string             Path to the SSH private key to connect to the nodes. Either --cluster or --ssh-private-key-path should be provided, but not both. Use this flag to reset the machines if the original cluster YAML is no longer available.

For more information about using bmctl reset nodes to restore cluster nodes to their pre-installation state or to delete a cluster, see Reset a failed node in Google Distributed Cloud.

restore

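Restore a cluster or attempt to recover quorum for a cluster.

Synopsis

Restore a cluster. When used without the cluster subcommand, this command attempts to recover a high-availability cluster from quorum loss. When used with the cluster subcommand, the command restores the cluster from a backup file.

restore [flags]

Options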

      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
      --control-plane-node string               IP for the surviving host address, should be a single IP address(e.g., 192.168.0.1).
  -h, --help                                    help for restore
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                       kubeconfig file path for the management cluster. This only needs to be provided if restoring a broken user cluster.
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.

restore cluster

Restore a cluster from a backup file.

restore cluster [flags]

Options

      --backup-file string                      path to the backup file of the cluster.
      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
  -h, --help                                    help for cluster
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                       path to the kubeconfig of the management cluster.
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.
      --use-disk                                Perform the restore using the disk instead of in-memory buffer. This option only works when the command is run by the root user or with sudo.

For more information about using bmctl to back up and restore clusters, see Back up and restore clusters with bmctl.

update

Update cluster resources.

Options

  -h, --help   help for update

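update cluster

Update cluster and node pool configuration. This command applies the changes made in the cluster configuration file. By default, the configuration file <cluster_name>.yaml is stored in the bmctl-workspace/<cluster_name>/ folder on the admin workstation.

update cluster [flags]

Options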

      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
  -h, --help                                    help for cluster
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                       Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.

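For more information about using bmctl to update clusters, see Update clusters. To see which cluster configuration files are mutable, see the Cluster configuration field reference.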

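update credentials

Update cluster credentials.

Synopsis

Update the credentials of a cluster. This command updates the admin cluster credentials and the credentials of the user clusters managed by the admin cluster.

update credentials [flags]

Options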

      --bootstrap-cluster-pod-cidr string                      Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string                  Bootstrap cluster service CIDR (default "10.96.0.0/27")
      --cloud-operations-service-account-key-path string       New credential: path to the cloud operations service account key.
  -c, --cluster cluster name                                   Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
      --gcr-key-path string                                    New credential: path to the GCR service account key.
      --gke-connect-agent-service-account-key-path string      New credential: path to the GKE Connect agent service account key.
      --gke-connect-register-service-account-key-path string   New credential: path to the GKE Connect register service account key.
  -h, --help                                                   help for credentials
      --ignore-validation-errors                               A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                                      Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.
      --node-agent-client-cert-path string                     New credential: path to the Node Agent client certificates.
      --node-agent-client-private-key-path string              New credential: path to the Node Agent client private key.
      --node-agent-server-ca-path string                       New credential: path to the Node Agent server CA.
      --reuse-bootstrap-cluster                                If true, use existing bootstrap cluster.
      --ssh-private-key-path string                            New credential: path to the SSH private key.
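
The flags above take paths to private keys and service account keys, so it is worth checking the files before they are handed to bmctl. The following is an added example, not part of the bmctl documentation: the function names (key_file_ok, check_credential_args, safe_update_credentials) are hypothetical, and accepting both the `--flag value` and `--flag=value` spellings is an assumption of the script.

```shell
#!/bin/sh
# Added example, not part of the bmctl documentation.

# key_file_ok PATH: succeed only if PATH is a regular, readable file with
# no group/other permission bits (for example mode 0600 or 0400).
key_file_ok() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits;
    # -L follows symlinks so the target's mode is what gets checked.
    mode=$(ls -ldL -- "$f" | cut -c5-10)
    [ "$mode" = "------" ] || {
        echo "group/other access ($mode) on $f" >&2; return 1; }
}

# check_credential_args ARGS...: walk an argument list and validate the
# value of --kubeconfig and of every flag whose name ends in "key-path".
# Certificate and CA flags (public material) are left alone.
check_credential_args() {
    bad=0
    while [ $# -gt 0 ]; do
        case $1 in
            --kubeconfig=*|--*key-path=*)
                key_file_ok "${1#*=}" || bad=1 ;;
            --kubeconfig|--*key-path)
                if [ $# -ge 2 ]; then
                    key_file_ok "$2" || bad=1
                    shift
                else
                    echo "missing value for $1" >&2; bad=1
                fi ;;
        esac
        shift
    done
    return $bad
}

# Hypothetical wrapper: refuse to call bmctl if any key file fails the check.
safe_update_credentials() {
    check_credential_args "$@" || { echo "refusing to run bmctl" >&2; return 1; }
    bmctl update credentials "$@"
}
```

Call safe_update_credentials with the same arguments you would give to bmctl update credentials; it reports every failing file on stderr before declining to run.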

update credentials certificate-authorities

Update certificate authorities on a cluster.

Options

  -h, --help   help for certificate-authorities

Options inherited from parent commands

      --kubeconfig string   Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.

update credentials certificate-authorities rotate

Rotate certificate authorities.

update credentials certificate-authorities rotate [flags]

Options

      --bootstrap-cluster-pod-cidr string        Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string    Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                     Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
      --cluster-ca-cert-path string              New credential: path to the custom cluster CA certificate.
      --cluster-ca-private-key-path string       New credential: path to the custom cluster CA private key.
      --etcd-ca-cert-path string                 New credential: path to the custom etcd CA certificate.
      --etcd-ca-private-key-path string          New credential: path to the custom etcd CA private key.
      --front-proxy-ca-cert-path string          New credential: path to the custom front proxy CA certificate.
      --front-proxy-ca-private-key-path string   New credential: path to the custom front proxy CA private key.
  -h, --help                                     help for rotate
      --ignore-validation-errors                 A validation error override, allowing to proceed despite the validation errors.
      --reuse-bootstrap-cluster                  If true, use existing bootstrap cluster.

Options inherited from parent commands

      --kubeconfig string   Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.

upgrade

Upgrade a cluster in place to a new version.

Options

  -h, --help   help for upgrade

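upgrade cluster

Upgrade a cluster.

Synopsis

Upgrade a cluster. This command reads the target version from the cluster configuration file and upgrades the target cluster to the specified version. All other changes in the cluster configuration file are ignored. The command requires the serviceusage.services.get permission to check API enablement for the Google Cloud project specified in the configuration file.

upgrade cluster [flags]

Options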

      --bootstrap-cluster-pod-cidr string       Bootstrap cluster pod CIDR (default "192.168.122.0/24")
      --bootstrap-cluster-service-cidr string   Bootstrap cluster service CIDR (default "10.96.0.0/27")
  -c, --cluster cluster name                    Cluster name, cluster config is expected to be placed under <workspace dir>/<cluster name>/<cluster name>.yaml
      --cluster-update-timeout duration         Cluster update timeout; the default value is 24h. The input should contain the duration unit, e.g. 3600s, 60m, or 1h. (default 24h0m0s)
      --force                                   If true, ignore errors from preflight checks.
  -h, --help                                    help for cluster
      --ignore-validation-errors                A validation error override, allowing to proceed despite the validation errors.
      --kubeconfig string                       Optional, path to the kubeconfig file for the admin cluster. If not provided, will fall back to read env var ANTHOS_ADMIN_KUBECONFIG.
      --reuse-bootstrap-cluster                 If true, use existing bootstrap cluster.
      --skip-bootstrap-cidr-check               If true, skip checking the CIDR and the number of nodes to determine whether the upgrade would succeed.
      --skip-paused-annotation-check            If true, continue the upgrade even if the cluster is paused by skipping the paused annotation check.
      --skip-preflight                          If true, skip standalone preflight checks.

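upgrade intermediate-version

Print the intermediate version that the cluster is upgraded to first when performing a skip-minor-version upgrade.

Synopsis

Print the intermediate version that the cluster is upgraded to first when performing a skip-minor-version upgrade.

A skip-minor-version upgrade lets a cluster upgrade across two minor versions. If a cluster is upgraded from 1.31.x to 1.33.z, it follows the upgrade path 1.31.x -> 1.32.y -> 1.33.z, where 1.32.y is the intermediate version.

upgrade intermediate-version [flags]

Options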

  -h, --help   help for intermediate-version

For more information about cluster upgrades, see the following documentation:

version

Print the bmctl version.

version [flags]

Options

  -h, --help            help for version
  -o, --output string   Output format of version string. Supported options: [version, commit, metadata-digest]
  -t, --timestamps      Prefix each line with a timestamp. This will be removed in future releases.