I. Overview
By default, on the k8s master node the cluster management tool kubectl talks to the apiserver over the local HTTP port 8080; it can also talk over the HTTPS port, provided certificates have been generated. So kubectl does not have to run on the master: as long as it can reach the apiserver, you can deploy kubectl on any host from which you want to connect to the cluster. The following describes a certificate-based kubectl deployment, based on Kubernetes 1.13.
A note on port 8080: this is the apiserver's insecure port (--insecure-port), which performs no authentication or authorization at all, so anything that can open a TCP connection to it is effectively cluster-admin. It was deprecated and removed in later Kubernetes releases; the certificate-based setup below is the one to use even on the master itself.
II. Generating the CA certificate
If you already have a CA certificate there is no need to generate another; just use it to issue the admin certificate. Whoever holds ca-key.pem can mint a credential for any user and group, so keep it on the CA host only (section IV copies nothing but ca.pem to the kubectl host).
Install the certificate tooling
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
Generate the CA signing config. The "kubernetes" profile is the one the admin certificate is signed with; 87600h is ten years, which is a long lifetime for a client credential that kube-apiserver cannot revoke (see section III).
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
Generate the CA CSR config
cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF
Generate the CA certificate (this writes ca.pem, ca-key.pem and ca.csr into the current directory)
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
III. Generating the admin certificate
Certificate config. kube-apiserver takes the user name from CN and the group from O, so O=system:masters puts this identity in the system:masters group, which the built-in cluster-admin binding grants full access to and which cannot be unbound. Because kube-apiserver does not consult revocation lists, the only way to retire such a certificate is to rotate the CA; a more manageable alternative is to put a dedicated group in O and bind that group to cluster-admin with a ClusterRoleBinding that can be deleted.
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF
Generate the certificate. The "lacks a hosts field" warning is expected: this is a client certificate identified by its subject, not a server certificate, so it needs no SANs.
[root@master master]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/01/09 15:25:20 [INFO] generate received request
2019/01/09 15:25:20 [INFO] received CSR
2019/01/09 15:25:20 [INFO] generating key: rsa-2048
2019/01/09 15:25:20 [INFO] encoded CSR
2019/01/09 15:25:20 [INFO] signed certificate with serial number 496018729932380195936891977997946670147442472383
2019/01/09 15:25:20 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
View the generated files (admin-key.pem is the private key; admin.csr and admin-csr.json are only needed on the CA host)
[root@master master]# ls admin*
admin.csr admin-csr.json admin-key.pem admin.pem
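Before copying the new certificate anywhere it is worth checking what was actually issued: that it chains to ca.pem, that it carries the clientAuth usage the kubernetes profile promised, what subject kube-apiserver will see, and whether it is a system:masters credential. The script below is an added example and not part of the original post. It assumes openssl is installed (cfssl-certinfo -cert admin.pem shows the same fields) and uses the post's file names; make_demo_pki is a constructed stand-in for the cfssl output so the checks can be exercised without cfssl, and is not needed with real admin.pem/ca.pem files.

```shell
#!/bin/sh
# Added example, not from the original post: review a freshly issued client
# certificate before it is handed out. Assumes openssl is installed and uses
# the post's file names (ca.pem, admin.pem). make_demo_pki builds a throwaway
# CA and client certificate with openssl (a constructed stand-in for the cfssl
# output); with real cfssl output, skip it.

set -e

# Subject as a single RFC 2253 line, e.g. "CN=admin,OU=System,O=system:masters,...".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# 0 if the certificate verifies against the CA bundle, non-zero otherwise.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the certificate carries the clientAuth extended key usage that
# kube-apiserver requires for client certificate authentication.
cert_has_client_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# 0 if O=system:masters. kube-apiserver maps O to groups; system:masters is
# wired to cluster-admin and no CRL is consulted, so such a certificate grants
# full access that cannot be taken away until the CA itself is rotated.
cert_is_system_masters() {
    cert_subject "$1" | grep -q 'O=system:masters'
}

# 0 if the certificate is still valid N days from now (openssl -checkend).
cert_valid_for_days() {
    openssl x509 -in "$2" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

# Full report. Returns 0 for a usable client certificate of this CA;
# system:masters membership is printed as a warning rather than a failure.
audit_client_cert() {
    _ca=$1; _cert=$2; _rc=0
    echo "subject: $(cert_subject "$_cert")"
    if cert_chains_to_ca "$_ca" "$_cert"; then echo "chain to CA: OK"; else echo "chain to CA: FAIL"; _rc=1; fi
    if cert_has_client_auth "$_cert"; then echo "EKU clientAuth: OK"; else echo "EKU clientAuth: MISSING"; _rc=1; fi
    if cert_is_system_masters "$_cert"; then echo "WARNING: O=system:masters, cluster-admin that cannot be revoked"; fi
    if cert_valid_for_days 365 "$_cert"; then echo "note: still valid a year from now; plan a rotation for long-lived client certs"; fi
    return $_rc
}

# Constructed test fixture: a CA and a client certificate signed by it,
# mirroring the post's subject fields, with the group (O) given as $2.
make_demo_pki() {
    _dir=$1; _group=$2
    mkdir -p "$_dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$_dir/ca-key.pem" -out "$_dir/ca.pem" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=k8s/OU=System/CN=kubernetes" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$_dir/admin-key.pem" -out "$_dir/admin.csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=$_group/OU=System/CN=admin" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$_dir/ext.cnf"
    openssl x509 -req -in "$_dir/admin.csr" -CA "$_dir/ca.pem" -CAkey "$_dir/ca-key.pem" \
        -CAcreateserial -days 3650 -extfile "$_dir/ext.cnf" -out "$_dir/admin.pem" 2>/dev/null
}
```

With the post's files in the current directory, `audit_client_cert ca.pem admin.pem` prints the subject, the chain and EKU results and, for the admin-csr.json above, the system:masters warning. A non-zero exit means the certificate would be rejected by kube-apiserver for one of the two hard reasons (wrong CA or missing clientAuth).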
IV. Configuring kubectl
Copy the certificates and the kubectl binary to the target machine. Only admin.pem, admin-key.pem and ca.pem are needed there (admin* also copies admin.csr and admin-csr.json, which is harmless), and ca-key.pem must never be copied. The target directory has to exist first.
scp /opt/kubernetes/bin/kubectl 10.1.210.32:/usr/bin   # copy the binary
scp admin* ca.pem 10.1.210.32:/opt/kubernetes/kubectl/ssl   # copy the certificates
Write the kubectl config file
# enter the certificate directory
cd /opt/kubernetes/kubectl/ssl
# set the cluster entry: apiserver address and the CA used to verify its serving certificate
kubectl config set-cluster kubernetes --server=https://10.1.210.33:6443 --certificate-authority=ca.pem
# set the client certificate fields of the cluster-admin user entry
kubectl config set-credentials cluster-admin --client-key=admin-key.pem --client-certificate=admin.pem
# create the default context
kubectl config set-context default --cluster=kubernetes --user=cluster-admin
# make default the current context
kubectl config use-context default
Two remarks on these commands. --certificate-authority is a global kubectl flag, not a set-credentials option: passing it to set-credentials is accepted but has no effect (the user entry in the resulting file below has no CA field), so it is omitted here. Both set-cluster and set-credentials record the absolute paths of the files they are given; adding --embed-certs=true to each instead stores the PEM data inline, which makes the kubeconfig self-contained and portable. Either way the file leads to the private key, so restrict it and the ssl directory to the owner (chmod 600 ~/.kube/config, chmod 700 /opt/kubernetes/kubectl/ssl).
View the config file
[root@node1 ssl]# cat /root/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /opt/kubernetes/kubectl/ssl/ca.pem
    server: https://10.1.210.33:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: cluster-admin
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: cluster-admin
  user:
    client-certificate: /opt/kubernetes/kubectl/ssl/admin.pem
    client-key: /opt/kubernetes/kubectl/ssl/admin-key.pem
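The configuration above works, but it leaves two things a practitioner would want to change before handing the credential out: the identity sits in system:masters, so nothing short of rotating the CA can take its access away, and the kubeconfig references absolute paths, so it only works on a host with exactly that directory layout. The script below is an added example and not the post's own code. The group name k8s-operators and the binding name k8s-operators-cluster-admin are my choice; the file names, profile and apiserver address are the post's; cfssl and kubectl are assumed on PATH only inside the two functions that call them, so the remaining helpers can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not code from the original post: issue the kubectl identity
# as a member of a dedicated group instead of system:masters, bind that group
# to cluster-admin with RBAC so the access can be revoked, and produce a
# self-contained kubeconfig that only its owner can read.
# Assumptions (not from the post): group k8s-operators, binding name
# k8s-operators-cluster-admin. cfssl/kubectl are used only in
# issue_operator_cert and build_kubeconfig.

set -e

# CSR request like the post's admin-csr.json, but with a dedicated group in O
# instead of system:masters. RBAC can bind this group now and unbind it later.
write_operator_csr() {
    cat > "$1" <<'EOF'
{
  "CN": "admin",
  "hosts": [],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s-operators", "OU": "System" }
  ]
}
EOF
}

# ClusterRoleBinding granting cluster-admin to the group. Deleting this object
# is the revocation mechanism, since the certificate itself cannot be revoked.
write_operator_binding() {
    cat > "$1" <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-operators-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: k8s-operators
EOF
}

# Sign the CSR with the post's CA and profile; run on the CA host where
# ca.pem, ca-key.pem and ca-config.json live. Writes admin.pem and admin-key.pem.
issue_operator_cert() {
    cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
        -profile=kubernetes "$1" | cfssljson -bare admin
}

# Assemble the kubeconfig with --embed-certs=true so it carries the CA, client
# certificate and key inline instead of absolute paths, then lock it down.
build_kubeconfig() {
    _out=$1; _server=$2
    kubectl config set-cluster kubernetes --server="$_server" \
        --certificate-authority=ca.pem --embed-certs=true --kubeconfig="$_out"
    kubectl config set-credentials cluster-admin \
        --client-certificate=admin.pem --client-key=admin-key.pem \
        --embed-certs=true --kubeconfig="$_out"
    kubectl config set-context default --cluster=kubernetes --user=cluster-admin --kubeconfig="$_out"
    kubectl config use-context default --kubeconfig="$_out"
    chmod 600 "$_out"
}

# Check a finished kubeconfig: owner-only permissions, CA and key material
# embedded, and no client-key path pointing at a file outside the config.
kubeconfig_is_hardened() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ] &&
    grep -q '^ *certificate-authority-data:' "$1" &&
    grep -q '^ *client-key-data:' "$1" &&
    ! grep -q '^ *client-key:' "$1"
}
```

Order of operations: write_operator_csr admin-csr.json and issue_operator_cert admin-csr.json on the CA host; write_operator_binding binding.yaml and kubectl apply -f binding.yaml using an existing admin credential; then build_kubeconfig ~/.kube/config https://10.1.210.33:6443 on the kubectl host and confirm with kubeconfig_is_hardened ~/.kube/config. Revoking the operator later is kubectl delete clusterrolebinding k8s-operators-cluster-admin, with no certificate or CA changes.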
V. Managing the cluster
