kubectl client tool: connecting remotely to a k8s cluster


    1. Overview

      Normally, on the k8s master node the cluster management tool kubectl talks to the apiserver over the local HTTP port 8080; it can also communicate over the HTTPS port, provided certificates have been generated. So kubectl does not have to be deployed on the master: as long as it can reach the apiserver, you can deploy kubectl on any host from which you want to connect to the cluster. The following describes a certificate-based kubectl deployment, based on Kubernetes 1.13.

    2. Generate the CA certificate

     If you already have a CA certificate there is no need to generate it again; just use it to generate the admin certificate.

    Install the certificate generation tools

    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
    mv cfssl_linux-amd64 /usr/local/bin/cfssl
    mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
    mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

    Generate the CA config

    cat > ca-config.json <<EOF
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "kubernetes": {
             "expiry": "87600h",
             "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
          }
        }
      }
    }
    EOF

    Generate the CSR config

    cat > ca-csr.json <<EOF
    {
        "CN": "kubernetes",
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "L": "Beijing",
                "ST": "Beijing",
                "O": "k8s",
                "OU": "System"
            }
        ]
    }
    EOF

    Generate the CA certificate

    cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

    3. Generate the admin certificate

    Certificate configuration

    # O=system:masters is the group kube-apiserver reads from the certificate;
    # it is bound to the cluster-admin ClusterRole by default
    cat > admin-csr.json <<EOF
    {
      "CN": "admin",
      "hosts": [],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "L": "BeiJing",
          "ST": "BeiJing",
          "O": "system:masters",
          "OU": "System"
        }
      ]
    }
    EOF

    Generate the certificate

    [root@master master]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
    2019/01/09 15:25:20 [INFO] generate received request
    2019/01/09 15:25:20 [INFO] received CSR
    2019/01/09 15:25:20 [INFO] generating key: rsa-2048
    2019/01/09 15:25:20 [INFO] encoded CSR
    2019/01/09 15:25:20 [INFO] signed certificate with serial number 496018729932380195936891977997946670147442472383
    2019/01/09 15:25:20 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
    websites. For more information see the Baseline Requirements for the Issuance and Management
    of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
    specifically, section 10.2.3 ("Information Requirements").

    View the certificates

    [root@master master]# ls admin*
    admin.csr  admin-csr.json  admin-key.pem  admin.pem
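    Before admin.pem is copied to another machine it is worth confirming what the certificate actually says: kube-apiserver takes the user name from the subject CN and the groups from the subject O, so the O=system:masters value in admin-csr.json above is what makes this credential cluster-admin, and the "kubernetes" profile in ca-config.json is what gives it the client-auth usage. The script below is an added example, not part of the original post and not a cfssl tool, that checks the chain to ca.pem, the client-auth extended key usage, the identity and the remaining validity using openssl; it assumes only the ca.pem and admin.pem file names used above.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check the admin client
# certificate before it is copied to another machine. Only openssl is required;
# file names follow the post (ca.pem, admin.pem).

# Subject DN split into one RDN per line, e.g. "CN=admin" / "O=system:masters".
# RFC2253 output reverses the order, so the functions below do not rely on it.
cert_subject_rdns() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n'
}

# CN becomes the Kubernetes user name; O becomes the Kubernetes group.
# "system:masters" is bound to the cluster-admin ClusterRole by default, so
# this single field decides how powerful the credential is.
cert_cn()  { cert_subject_rdns "$1" | sed -n 's/^CN=//p'; }
cert_org() { cert_subject_rdns "$1" | sed -n 's/^O=//p'; }

# True if the certificate chains to the given CA, i.e. the CA the API server
# was started with; anything else is rejected at the TLS layer.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True if the certificate carries the clientAuth extended key usage that the
# "kubernetes" cfssl profile adds ("client auth").
cert_has_client_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# True if the certificate is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Full check: chain, client-auth EKU, group system:masters, 30 days of validity.
# Prints one line and returns non-zero on the first failure.
check_admin_cert() {
    ca=$1; cert=$2
    cert_chains_to "$ca" "$cert" || { echo "FAIL: $cert is not signed by $ca"; return 1; }
    cert_has_client_auth "$cert" || { echo "FAIL: $cert lacks the clientAuth EKU"; return 1; }
    [ "$(cert_org "$cert")" = "system:masters" ] ||
        { echo "FAIL: O=$(cert_org "$cert") does not grant cluster-admin"; return 1; }
    cert_valid_for_days "$cert" 30 || { echo "FAIL: $cert expires within 30 days"; return 1; }
    echo "OK: $cert -> user=$(cert_cn "$cert") group=$(cert_org "$cert")"
}

# Usage: sh check-admin-cert.sh ca.pem admin.pem
if [ $# -eq 2 ]; then check_admin_cert "$1" "$2"; fi
```

    The same functions can be pointed at any client certificate before it is handed out; a certificate whose O is anything other than system:masters is reported, which is the check to run when issuing less privileged users.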

    4. Configure kubectl

    Copy the certificates and the kubectl binary to the target machine

    scp /opt/kubernetes/bin/kubectl 10.1.210.32:/usr/bin                 # copy the binary
    scp admin* ca.pem 10.1.210.32:/opt/kubernetes/kubectl/ssl            # copy the certificates

    Create the kubectl configuration file

    # enter the certificate directory (relative paths given below are stored as
    # absolute paths in ~/.kube/config, so run these commands from here)
    cd /opt/kubernetes/kubectl/ssl
    
    # create the cluster entry: API server address plus the CA used to verify the server certificate
    kubectl config set-cluster kubernetes --server=https://10.1.210.33:6443 --certificate-authority=ca.pem
    
    # set the client certificate and key for the cluster-admin user entry
    # (the CA belongs to the cluster entry above; on this command --certificate-authority
    # is only accepted as a global override flag and is not written to the user entry, so it is omitted)
    kubectl config set-credentials cluster-admin --client-key=admin-key.pem --client-certificate=admin.pem
    
    # create the default context
    kubectl config set-context default --cluster=kubernetes --user=cluster-admin
    
    # make default the current context
    kubectl config use-context default

    View the configuration file

    [root@node1 ssl]# cat /root/.kube/config 
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority: /opt/kubernetes/kubectl/ssl/ca.pem
        server: https://10.1.210.33:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: cluster-admin
      name: default
    current-context: default
    kind: Config
    preferences: {}
    users:
    - name: cluster-admin
      user:
        client-certificate: /opt/kubernetes/kubectl/ssl/admin.pem
        client-key: /opt/kubernetes/kubectl/ssl/admin-key.pem
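    The config above points at admin-key.pem by absolute path, so whoever can read that file on the host holds a cluster-admin credential. The script below is an added example, not code from the original post or from kubectl, that audits a kubeconfig in the file-path form shown above: every referenced file must exist (or be embedded as *-data), the private key and the kubeconfig itself must not be readable by group or others, and insecure-skip-tls-verify must not be set. It assumes POSIX sh with sed and ls and takes the kubeconfig path as its argument (for this post, /root/.kube/config).

```shell
#!/bin/sh
# Added example, not from the original post: audit the kubeconfig that
# "kubectl config" wrote. The post's config references admin-key.pem by
# absolute path, and that file alone is a cluster-admin credential.

# Value of the first "key: value" line in the kubeconfig, e.g.
#   kubeconfig_value ~/.kube/config client-key
# -> /opt/kubernetes/kubectl/ssl/admin-key.pem
kubeconfig_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# True if the file's group/other permission bits are all clear (0600, 0400, ...).
# Uses the ls mode string rather than stat, which differs between GNU and BSD.
is_private_file() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 when every check passes; prints one FAIL line per problem otherwise.
audit_kubeconfig() {
    cfg=$1; rc=0
    for key in certificate-authority client-certificate client-key; do
        path=$(kubeconfig_value "$cfg" "$key")
        if [ -z "$path" ]; then
            # embedded form (certificate-authority-data etc.) is acceptable
            [ -n "$(kubeconfig_value "$cfg" "$key-data")" ] ||
                { echo "FAIL: $key not set in $cfg"; rc=1; }
        elif [ ! -r "$path" ]; then
            echo "FAIL: $key file $path is missing or unreadable"; rc=1
        fi
    done
    key_path=$(kubeconfig_value "$cfg" client-key)
    if [ -n "$key_path" ] && [ -r "$key_path" ] && ! is_private_file "$key_path"; then
        echo "FAIL: $key_path is readable by group/others ($(ls -l "$key_path" | cut -c1-10))"; rc=1
    fi
    if [ "$(kubeconfig_value "$cfg" insecure-skip-tls-verify)" = "true" ]; then
        echo "FAIL: insecure-skip-tls-verify is enabled; the API server is not authenticated"; rc=1
    fi
    is_private_file "$cfg" || { echo "FAIL: $cfg itself is readable by group/others"; rc=1; }
    [ $rc -eq 0 ] && echo "OK: $cfg"
    return $rc
}

# Usage: sh audit-kubeconfig.sh /root/.kube/config
if [ $# -eq 1 ]; then audit_kubeconfig "$1"; fi
```

    cfssljson writes admin-key.pem with mode 0600 and kubectl writes ~/.kube/config with mode 0600, so a clean run reports OK; the audit is for what happens after copying, extracting from an archive or sharing the directory with other users.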

    5. Manage the cluster

    Original source: https://www.cnblogs.com/wdliu/p/10244869.html