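Accessing the cluster from a client with kubectl
By default kubectl uses HTTP: when run on the master it connects to http://127.0.0.1:8080. A client host can only reach the API server at 10.16.8.156:6443, so HTTPS must be configured.
1. Generate the certificate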
[root@k8s-master01 k8s]# pwd
/root/k8s/tls/k8s
[root@k8s-master01 k8s]# cat admin-csr.json
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "HuBei",
      "ST": "WuHan",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
# The CA certificate used below was already generated earlier, when the master's self-signed certificates were deployed
[root@k8s-master01 k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/11/07 16:59:08 [INFO] generate received request
2019/11/07 16:59:08 [INFO] received CSR
2019/11/07 16:59:08 [INFO] generating key: rsa-2048
2019/11/07 16:59:08 [INFO] encoded CSR
2019/11/07 16:59:08 [INFO] signed certificate with serial number 615183675351926100941011275121168596608133541272
2019/11/07 16:59:08 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master01 k8s]# ls admin*pem
admin-key.pem  admin.pem
2. Copy the certificates and the kubectl binary to the client host
[root@k8s-master01 k8s]# scp admin*.pem 10.16.8.161:/root/
[root@k8s-master01 k8s]# scp ca.pem 10.16.8.161:/root/
[root@k8s-master01 k8s]# scp /opt/kubernetes/bin/kubectl 10.16.8.161:/usr/local/bin/
3. Configure kubectl on the client host
[root@etcd01 ~]# ifconfig ens32 |grep "inet "
        inet 10.16.8.161  netmask 255.255.255.0  broadcast 10.16.8.255
[root@etcd01 ~]# ls *.pem
admin-key.pem  admin.pem  ca.pem
[root@etcd01 ~]# kubectl config set-cluster kubernetes --server=https://10.16.8.156:6443 --certificate-authority=ca.pem --embed-certs=true --kubeconfig=config
Cluster "kubernetes" set.
[root@etcd01 ~]# kubectl config set-credentials cluster-admin --certificate-authority=ca.pem --client-key=admin-key.pem --client-certificate=admin.pem --embed-certs=true --kubeconfig=config
User "cluster-admin" set.
[root@etcd01 ~]# kubectl config set-context default --cluster=kubernetes --user=cluster-admin --kubeconfig=config
Context "default" created.
[root@etcd01 ~]# kubectl config use-context default --kubeconfig=config
Switched to context "default".
[root@etcd01 ~]# ls config
config
[root@etcd01 ~]# mv config .kube/
[root@etcd01 ~]# ll .kube
总用量 8
-rw------- 1 root root 6241 11月 7 17:16 config
4. Test the connection
[root@etcd01 ~]# kubectl get node
NAME         STATUS   ROLES    AGE    VERSION
k8s-node01   Ready    <none>   2d5h   v1.16.0
k8s-node02   Ready    <none>   2d5h   v1.16.0
k8s-node03   Ready    <none>   2d5h   v1.16.0
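
The kubeconfig built in step 3 embeds admin-key.pem and a certificate whose O field is system:masters, so the file itself is a full-privilege credential. The following check is an added example, not part of the original post: it audits such a file for loose permissions, a non-HTTPS server URL, and system:masters membership. The function names and finding codes are hypothetical, and it assumes the one-cluster, one-user layout produced above.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Print the value of the first "key: value" line in a kubeconfig.
kc_field() {   # $1 = kubeconfig, $2 = key
  awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# Print the subject of the embedded client certificate (needs openssl).
kc_client_subject() {   # $1 = kubeconfig
  kc_field "$1" client-certificate-data | base64 -d |
    openssl x509 -noout -subject -nameopt RFC2253
}

# Print one finding code per line; return 1 if anything was found.
kc_audit() {   # $1 = kubeconfig
  local f="$1" rc=0 server subject
  # --embed-certs=true copies the private key into the file, so group and
  # other must have no access to it (mode 600, as in the listing above).
  if [ -n "$(kc_field "$f" client-key-data)" ] &&
     [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
    echo "PERMS"; rc=1
  fi
  # The client certificate is only protected in transit over TLS.
  server=$(kc_field "$f" server)
  case "$server" in
    https://*) ;;
    *) echo "NOT_HTTPS"; rc=1 ;;
  esac
  # O= in a client certificate is the Kubernetes group of the user;
  # system:masters has unrestricted access to the cluster.
  if command -v openssl >/dev/null 2>&1 &&
     subject=$(kc_client_subject "$f" 2>/dev/null) &&
     printf '%s\n' "$subject" | grep -Eq '[,= ]O=system:masters(,|$)'; then
    echo "SYSTEM_MASTERS"; rc=1
  fi
  return "$rc"
}
```

Run it as `kc_audit ~/.kube/config`; for the file created on this page the expected output is the single line SYSTEM_MASTERS.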