• kubectl客户端工具远程连接k8s集群


    一、概述

      一般情况下,在k8smaster节点上集群管理工具kubectl是连接的本地http8080端口和apiserver进行通讯的,当然也可以通过https端口进行通讯前提是要生成证书。所以说kubectl不一定部署在master上,只要能和apiserver进行通讯,那么你可以将kubectl部署在任何一台你想连接到集群的主机上,以下将介绍基于证书的kubectl部署方式,以下基于kubernets1.13部署。

    二、生成ca证书

     如果已经有了ca证书那就不需要在生成了,只需要利用该证书生成admin证书即可。

    安装生成证书工具

    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64 mv cfssl_linux-amd64 /usr/local/bin/cfssl
    mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
    mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

    生成ca配置

    cat > ca-config.json <<EOF
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
             "expiry": "87600h",
             "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
          }
        }
      }
    }
    EOF

    生成csr配置

    cat > ca-csr.json <<EOF
    {
        "CN": "kubernetes",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Beijing",
                "ST": "Beijing",
                  "O": "k8s",
                "OU": "System"
            }
        ]
    }
    EOF

    生成ca证书

    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

    三、生成admin证书

    证书配置

    cat > admin-csr.json <<EOF
    {
      "CN": "admin",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "BeiJing",
          "ST": "BeiJing",
          "O": "system:masters",
          "OU": "System"
        }
      ]
    }
    EOF

    生成证书

    [root@master master]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
    2019/01/09 15:25:20 [INFO] generate received request
    2019/01/09 15:25:20 [INFO] received CSR
    2019/01/09 15:25:20 [INFO] generating key: rsa-2048
    2019/01/09 15:25:20 [INFO] encoded CSR
    2019/01/09 15:25:20 [INFO] signed certificate with serial number 496018729932380195936891977997946670147442472383
    2019/01/09 15:25:20 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").

    查看证书

    [root@master master]# ls admin*
    admin.csr  admin-csr.json  admin-key.pem  admin.pem

    四、配置kubectl

    拷贝证书以及相关kubectl到目标机器

    scp /opt/kubernetes/bin/kubectl 10.1.210.32:/usr/bin     #拷贝命令
    scp admin* ca.pem 10.1.210.32:/opt/kubernetes/kubectl/ssl # 拷贝证书

    配置kubectl配置文件

    #进入证书目录
    cd /opt/kubernetes/kubectl/ssl
    
    #生成kubectl配置文件
    kubectl config set-cluster kubernetes --server=https://10.1.210.33:6443 --certificate-authority=ca.pem
    
    #设置用户项中cluster-admin用户证书认证字段
    kubectl config set-credentials cluster-admin --certificate-authority=ca.pem --client-key=admin-key.pem --client-certificate=admin.pem
    
    #设置默认上下文
    kubectl config set-context default --cluster=kubernetes --user=cluster-admin
    
    #设置当前环境的default
    kubectl config use-context default

    查看配置文件

    [root@node1 ssl]# cat /root/.kube/config 
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority: /opt/kubernetes/kubectl/ssl/ca.pem
        server: https://10.1.210.33:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: cluster-admin
      name: default
    current-context: default
    kind: Config
    preferences: {}
    users:
    - name: cluster-admin
      user:
        client-certificate: /opt/kubernetes/kubectl/ssl/admin.pem
        client-key: /opt/kubernetes/kubectl/ssl/admin-key.pem

    五、管理集群

  • 相关阅读:
    php socket 客户端代码
    linux crontab定时执行
    加载 pcntl 多进程
    Xdebug 配置
    Zend Debugger 配置
    windows SVN搭建
    深度学习笔记:优化方法总结(BGD,SGD,Momentum,AdaGrad,RMSProp,Adam)
    操作系统-分段机制
    C++中的new、operator new与placement new
    线程安全的概念
  • 原文地址:https://www.cnblogs.com/wdliu/p/10244869.html
Copyright © 2020-2023  润新知