!TIP 二进制部署
k8s- 部署kubectl
转载请注明出处:https://janrs.com/3x5q 有任何问题欢迎在底部评论区发言。
部署 kubectl
kubectl 作为 kube-apiserver 的客户端工具,需要访问 kube-apiserver 的服务,所以需要 kube-apiserver 的 ca
机构为其签发客户端 client 证书。
1.生成 ssl 证书
1-1.创建 csr 请求文件
代码语言:shell复制!NOTE
CN参数表示用户名,这里设置为k8s中设定的adminO参数表示用户组,这里设置为k8s中设定的system:masterskubectl作为客户端,不需要设置hosts参数。CN可以设置其他的,这里设置常用的admin用户角色就行。不推荐设置成cluster-admin超级管理员角色。
cat > /ssl/apiserver-admin-client-csr.json <<EOF
{
"CN": "admin",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:masters",
"OU": "system"
}
]
}
EOF
cd /ssl/ &&
cfssl gencert
-ca=apiserver-ca.pem
-ca-key=apiserver-ca-key.pem
-config=ca-config.json
-profile=client apiserver-admin-client-csr.json |
cfssljson -bare apiserver-admin-client &&
ls apiserver-admin-client* |
grep apiserver-admin-client1-2.分发证书
代码语言:shell复制scp /ssl/apiserver-admin-client*.pem root@172.16.222.121:/etc/kubernetes/pki/apiserver/ &&
scp /ssl/apiserver-admin-client*.pem root@172.16.222.122:/etc/kubernetes/pki/apiserver/ &&
scp /ssl/apiserver-admin-client*.pem root@172.16.222.123:/etc/kubernetes/pki/apiserver/2.创建 kubeconfig
!NOTE
kubectl是使用kubeconfig跟kube-apiserver进行通信的。 在kubeconfig配置文件中会包含了kubectl的客户端client证书信息以及身份信息。 需要在每台服务器都创建该请求文件。 以下操作在每台master服务器创建,ip地址设置为本地的kube-apiserver的服务地址ip。 文件存放目录为:/etc/kubernetes/kubeconfig/。
2-1.在 master-01 创建
设置集群参数
代码语言:shell复制kubectl config set-cluster kubernetes
--certificate-authority=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--embed-certs=true
--server=https://172.16.222.121:6443
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig设置客户端认证参数
代码语言:shell复制kubectl config set-credentials admin
--client-certificate=/etc/kubernetes/pki/apiserver/apiserver-admin-client.pem
--client-key=/etc/kubernetes/pki/apiserver/apiserver-admin-client-key.pem
--embed-certs=true
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig设置上下文参数
代码语言:shell复制kubectl config set-context kubernetes
--cluster=kubernetes
--user=admin
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig设置当前上下文
代码语言:shell复制kubectl config use-context kubernetes
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig复制到 k8s 默认的引用目录位置
一般是 /root/.kube/ 目录
cp /etc/kubernetes/kubeconfig/admin.kubeconfig /root/.kube/config2-2.在 master-02 创建
设置集群参数
代码语言:shell复制kubectl config set-cluster kubernetes
--certificate-authority=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--embed-certs=true
--server=https://172.16.222.122:6443
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig设置客户端认证参数
代码语言:shell复制kubectl config set-credentials admin
--client-certificate=/etc/kubernetes/pki/apiserver/apiserver-admin-client.pem
--client-key=/etc/kubernetes/pki/apiserver/apiserver-admin-client-key.pem
--embed-certs=true
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig设置上下文参数
代码语言:shell复制kubectl config set-context kubernetes
--cluster=kubernetes
--user=admin
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig设置当前上下文
代码语言:shell复制kubectl config use-context kubernetes
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig复制到 k8s 默认的引用目录位置
一般是 /root/.kube/ 目录
cp /etc/kubernetes/kubeconfig/admin.kubeconfig /root/.kube/config2-3.在 master-03 创建
设置集群参数
代码语言:shell复制kubectl config set-cluster kubernetes
--certificate-authority=/etc/kubernetes/pki/apiserver/apiserver-ca.pem
--embed-certs=true
--server=https://172.16.222.123:6443
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig设置客户端认证参数
代码语言:shell复制kubectl config set-credentials admin
--client-certificate=/etc/kubernetes/pki/apiserver/apiserver-admin-client.pem
--client-key=/etc/kubernetes/pki/apiserver/apiserver-admin-client-key.pem
--embed-certs=true
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig设置上下文参数
代码语言:shell复制kubectl config set-context kubernetes
--cluster=kubernetes
--user=admin
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig设置当前上下文
代码语言:shell复制kubectl config use-context kubernetes
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig复制到 k8s 默认的引用目录位置
一般是 /root/.kube/ 目录
cp /etc/kubernetes/kubeconfig/admin.kubeconfig /root/.kube/config3.验证
!NOTE 每台
master服务器配置admin.kubeconfig都验证一遍。
随便执行 kubectl 命令查看是否可以正常访问 kube-apiserver
查看集群信息
代码语言:shell复制kubectl cluster-info显示
代码语言:text复制Kubernetes control plane is running at https://172.16.222.122:6443
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.查看所有服务
代码语言:shell复制kubectl get all --all-namespaces显示
代码语言:text复制NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default service/kubernetes ClusterIP 10.68.0.1 <none> 443/TCP 120m4.授予访问 kubelet 的权限
代码语言:shell复制!NOTE
kubectl很多时候需要查看pod的日志等其他信息,kubectl是通过kube-apiserver访问kubelet的服务的。k8s有自带的集群角色:system:kubelet-api-admin拥有此权限,需要绑定到kubectl的用户上。kubectl的用户这里设置的是:kubernetes。
cat > /etc/kubernetes/init_k8s_config/allow-kubectl-access-kube-apiserver-kubelet-apis.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: allow-kubectl-access-kube-apiserver-kubelet-apis
subjects:
- kind: User
name: kubernetes
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:kubelet-api-admin
apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f /etc/kubernetes/init_k8s_config/allow-kubectl-access-kube-apiserver-kubelet-apis.yaml5.创建 TLS Bootstrap 权限
!NOTE 以下是开启
TLS Bootstrap所需要的权限。 这里可以先不管,直接下一步。
5-1. kubelet 的 bootstrapers 权限
代码语言:shell复制cat > /etc/kubernetes/init_k8s_config/allow-kubelet-create-client-csr.yaml <<EOF
# 允许启动引导节点创建 CSR
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: allow-kubelet-create-client-csr
subjects:
- kind: Group
name: system:bootstrappers
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:node-bootstrapper
apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f /etc/kubernetes/init_k8s_config/allow-kubelet-create-client-csr.yaml5-2. kubelet 的 client 证书自动批复权限
代码语言:shell复制cat > /etc/kubernetes/init_k8s_config/allow-auto-approve-kubelet-client-csr.yaml <<EOF
# 批复 "system:bootstrappers" 组的所有 CSR
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: allow-auto-approve-kubelet-client-csr
subjects:
- kind: Group
name: system:bootstrappers
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f /etc/kubernetes/init_k8s_config/allow-auto-approve-kubelet-client-csr.yaml5-3. kubelet 的 client 证书自动轮换权限
代码语言:shell复制# 批复 "system:nodes" 组的 CSR 续约请求
cat > /etc/kubernetes/init_k8s_config/allow-auto-renewal-kubelet-client-csr.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: auto-renewals-kubelet-client-csr
subjects:
- kind: Group
name: system:nodes
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f /etc/kubernetes/init_k8s_config/allow-auto-renewal-kubelet-client-csr.yaml5-4. kubelet 的 server 证书自动轮换
代码语言:shell复制cat > /etc/kubernetes/init_k8s_config/allow-auto-renewal-kubelet-server-csr.yaml <<EOF
---
# 创建进群角色
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
rules:
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests"]
verbs: ["create","list","get","watch"]
---
# 绑定角色
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: auto-renewal-kubelet-server-csr
subjects:
- kind: Group
name: system:bootstrappers
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f /etc/kubernetes/init_k8s_config/allow-auto-renewal-kubelet-server-csr.yaml至此。kubectl 部署成功。
转载请注明出处:https://janrs.com/3x5q 有任何问题欢迎在底部评论区发言。
