• kubeconfig


    kubeconfig是node节点上的kubelet和kube-proxy访问集群时使用的认证配置文件。

    以下操作在master上进行,然后到时候再统一分发到node节点上

    kubernetes安装包下载,下载后然后解压

    下载地址https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.12.md

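    # Fetch the v1.12.2 server tarball into a dedicated working directory.
    # -p keeps the step re-runnable if the directory already exists.
    mkdir -p k8s_download
    cd k8s_download
    wget https://dl.k8s.io/v1.12.2/kubernetes-server-linux-amd64.tar.gz
    # The binaries from this archive are installed on the master and the nodes,
    # so verify the download against the hash published next to the download
    # link in CHANGELOG-1.12.md before unpacking it.
    # EXPECTED_SHA512 is a placeholder: paste the published value here
    # (assumes the changelog lists sha512 for this release; confirm on that page).
    EXPECTED_SHA512='<sha512-from-CHANGELOG-1.12.md>'
    printf '%s  %s\n' "${EXPECTED_SHA512}" kubernetes-server-linux-amd64.tar.gz | sha512sum -c -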

    下载地址https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.12.md
    
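    # Fetch the v1.12.2 server tarball into a dedicated working directory.
    # -p keeps the step re-runnable if the directory already exists.
    mkdir -p k8s_download
    cd k8s_download
    wget https://dl.k8s.io/v1.12.2/kubernetes-server-linux-amd64.tar.gz
    # The binaries from this archive are installed on the master and the nodes,
    # so verify the download against the hash published next to the download
    # link in CHANGELOG-1.12.md before unpacking it.
    # EXPECTED_SHA512 is a placeholder: paste the published value here
    # (assumes the changelog lists sha512 for this release; confirm on that page).
    EXPECTED_SHA512='<sha512-from-CHANGELOG-1.12.md>'
    printf '%s  %s\n' "${EXPECTED_SHA512}" kubernetes-server-linux-amd64.tar.gz | sha512sum -c -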
    
    解压后可以看到有这些文件
    [root@k8s-master-101 bin]# pwd
    /root/k8s_download/kubernetes/server/bin
    [root@k8s-master-101 bin]# ls
    apiextensions-apiserver              kube-apiserver.docker_tag           kube-proxy.docker_tag
    cloud-controller-manager             kube-apiserver.tar                  kube-proxy.tar
    cloud-controller-manager.docker_tag  kube-controller-manager             kube-scheduler
    cloud-controller-manager.tar         kube-controller-manager.docker_tag  kube-scheduler.docker_tag
    hyperkube                            kube-controller-manager.tar         kube-scheduler.tar
    kubeadm                              kubelet                             mounter
    kube-apiserver                       kube-proxy

    在master上下载kubectl

    # Install kubectl: enter the unpacked bundle's bin directory, mark the binary
    # executable and move it into /opt/kubernetes/bin.
    # The relative path assumes the shell is in the parent of k8s_download.
    # NOTE(review): the `ls` output shown for this directory does not list
    # kubectl; confirm the binary is actually present before running this.
    cd k8s_download/kubernetes/server/bin/
    chmod +x kubectl
    mv kubectl /opt/kubernetes/bin

    创建 TLS Bootstrapping Token,即token.csv文件。TLS Bootstrapping Token用于引导kubelet自动生成证书。

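    # Generate a random 16-byte bootstrap token (32 hex characters) and export it;
    # the kubeconfig steps that follow read BOOTSTRAP_TOKEN from the environment.
    # Assignment and export are split so a failing pipeline is not masked by `export`.
    BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
    export BOOTSTRAP_TOKEN

    # token.csv is a static credential file (columns: token,user,uid,"group").
    # Create it under a restrictive umask so it is never world-readable, even briefly.
    (
      umask 077
      printf '%s,kubelet-bootstrap,10001,"system:kubelet-bootstrap"\n' "${BOOTSTRAP_TOKEN}" > token.csv
    )

    # Publish the file next to the other cluster secrets and pin its mode there too:
    # cp keeps the mode of a pre-existing destination file.
    # Assumes kube-apiserver reads it as the same user (root in this walkthrough).
    cp token.csv /opt/kubernetes/ssl/
    chmod 600 /opt/kubernetes/ssl/token.csv
    cd /opt/kubernetes/ssl/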
    
    [root@k8s-master-101 ssl]# cat token.csv 
    427699856e2f019164f5d0b61bbb8195,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
    其中涉及到RBAC的知识。token.csv每行的格式是“token,用户名,UID,用户组”:这一行表示用户kubelet-bootstrap(UID为10001,属于system:kubelet-bootstrap用户组)使用第一列的随机字符串作为token来访问k8s集群。

    创建bootstrap.kubeconfig,这个文件是用于kubelet自动签发证书的。

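    # Build bootstrap.kubeconfig, the kubeconfig that carries the bootstrap token.
    # Each multi-line kubectl call needs trailing backslashes; without them the
    # shell runs every --flag line as a separate (failing) command.

    # Refuse to continue with an empty token, which would write a useless credential.
    : "${BOOTSTRAP_TOKEN:?generate the bootstrap token (token.csv step) first}"

    # API server endpoint, i.e. the master's address.
    export KUBE_APISERVER=https://10.0.0.101:6443

    # Cluster entry: embed the CA certificate in the kubeconfig.
    kubectl config set-cluster kubernetes \
      --certificate-authority=/opt/kubernetes/ssl/ca.pem \
      --embed-certs=true \
      --server="${KUBE_APISERVER}" \
      --kubeconfig=bootstrap.kubeconfig

    # Client credential: the bootstrap token from the token.csv step.
    kubectl config set-credentials kubelet-bootstrap \
      --token="${BOOTSTRAP_TOKEN}" \
      --kubeconfig=bootstrap.kubeconfig

    # Context tying the cluster entry to the bootstrap user.
    kubectl config set-context default \
      --cluster=kubernetes \
      --user=kubelet-bootstrap \
      --kubeconfig=bootstrap.kubeconfig

    # Make that context the default one.
    kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

    # The file now holds the token in clear text; keep it owner-only.
    chmod 600 bootstrap.kubeconfig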

    执行完后将生成bootstrap.kubeconfig文件

    [root@k8s-master-101 ssl]# cat bootstrap.kubeconfig 
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: <base64编码的CA证书,此处省略>
        server: https://10.0.0.101:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: kubelet-bootstrap
      name: default
    current-context: default
    kind: Config
    preferences: {}
    users:
    - name: kubelet-bootstrap
      user:
        token: 427699856e2f019164f5d0b61bbb8195

    创建节点要用的kube-proxy kubeconfig文件

    # 设置集群参数
    kubectl config set-cluster kubernetes 
    --certificate-authority=/opt/kubernetes/ssl/ca.pem 
    --embed-certs=true 
    --server=${KUBE_APISERVER} 
    --kubeconfig=kube-proxy.kubeconfig
    
    # 设置客户端认证参数
    kubectl config set-credentials kube-proxy 
    --client-certificate=/opt/kubernetes/ssl/kube-proxy.pem 
    --client-key=/opt/kubernetes/ssl/kube-proxy-key.pem 
    --embed-certs=true 
    --kubeconfig=kube-proxy.kubeconfig
    
    # 设置上下文参数
    kubectl config set-context default 
    --cluster=kubernetes 
    --user=kube-proxy 
    --kubeconfig=kube-proxy.kubeconfig
    
    # 设置默认上下文
    kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig

    最后生成了两个kubeconfig文件。bootstrap.kubeconfig内含明文token,kube-proxy.kubeconfig内嵌了kube-proxy的私钥,分发到node节点时应走加密通道,并保持文件仅属主可读。

    [root@k8s-master-101 ssl]# ls *config
    bootstrap.kubeconfig kube-proxy.kubeconfig
  • 原文地址:https://www.cnblogs.com/liusouthern/p/12452519.html