!TIP 二进制部署
k8s
- 部署kubectl
转载请注明出处:https://janrs.com/3x5q 有任何问题欢迎在底部评论区发言。
kubectl
作为 kube-apiserver
的客户端工具,需要访问 kube-apiserver
的服务,所以需要 kube-apiserver
的 ca
机构为其签发客户端 client
证书。
!NOTE
CN
参数表示用户名,这里设置为k8s
中设定的admin
O
参数表示用户组,这里设置为k8s
中设定的system:masters
kubectl
作为客户端,不需要设置hosts
参数。CN
可以设置其他的,这里设置常用的admin
用户角色就行。不推荐设置成cluster-admin
超级管理员角色。
cat > /ssl/apiserver-admin-client-csr.json <<EOF
{
"CN": "admin",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:masters",
"OU": "system"
}
]
}
EOF
cd /ssl/ && \
cfssl gencert \
-ca=apiserver-ca.pem \
-ca-key=apiserver-ca-key.pem \
-config=ca-config.json \
-profile=client apiserver-admin-client-csr.json | \
cfssljson -bare apiserver-admin-client && \
ls apiserver-admin-client* | \
grep apiserver-admin-client
scp /ssl/apiserver-admin-client*.pem root@172.16.222.121:/etc/kubernetes/pki/apiserver/ && \
scp /ssl/apiserver-admin-client*.pem root@172.16.222.122:/etc/kubernetes/pki/apiserver/ && \
scp /ssl/apiserver-admin-client*.pem root@172.16.222.123:/etc/kubernetes/pki/apiserver/
!NOTE
kubectl
是使用kubeconfig
跟kube-apiserver
进行通信的。 在kubeconfig
配置文件中会包含了kubectl
的客户端client
证书信息以及身份信息。 需要在每台服务器都创建该请求文件。 以下操作在每台master
服务器创建,ip
地址设置为本地的kube-apiserver
的服务地址ip
。 文件存放目录为:/etc/kubernetes/kubeconfig/
。
设置集群参数
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/apiserver/apiserver-ca.pem \
--embed-certs=true \
--server=https://172.16.222.121:6443 \
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig
设置客户端认证参数
kubectl config set-credentials admin \
--client-certificate=/etc/kubernetes/pki/apiserver/apiserver-admin-client.pem \
--client-key=/etc/kubernetes/pki/apiserver/apiserver-admin-client-key.pem \
--embed-certs=true \
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig
设置上下文参数
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin \
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig
设置当前上下文
kubectl config use-context kubernetes \
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig
复制到 k8s
默认的引用目录位置
一般是 /root/.kube/
目录
cp /etc/kubernetes/kubeconfig/admin.kubeconfig /root/.kube/config
设置集群参数
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/apiserver/apiserver-ca.pem \
--embed-certs=true \
--server=https://172.16.222.122:6443 \
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig
设置客户端认证参数
kubectl config set-credentials admin \
--client-certificate=/etc/kubernetes/pki/apiserver/apiserver-admin-client.pem \
--client-key=/etc/kubernetes/pki/apiserver/apiserver-admin-client-key.pem \
--embed-certs=true \
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig
设置上下文参数
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin \
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig
设置当前上下文
kubectl config use-context kubernetes \
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig
复制到 k8s
默认的引用目录位置
一般是 /root/.kube/
目录
cp /etc/kubernetes/kubeconfig/admin.kubeconfig /root/.kube/config
设置集群参数
kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/apiserver/apiserver-ca.pem \
--embed-certs=true \
--server=https://172.16.222.123:6443 \
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig
设置客户端认证参数
kubectl config set-credentials admin \
--client-certificate=/etc/kubernetes/pki/apiserver/apiserver-admin-client.pem \
--client-key=/etc/kubernetes/pki/apiserver/apiserver-admin-client-key.pem \
--embed-certs=true \
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig
设置上下文参数
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin \
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig
设置当前上下文
kubectl config use-context kubernetes \
--kubeconfig=/etc/kubernetes/kubeconfig/admin.kubeconfig
复制到 k8s
默认的引用目录位置
一般是 /root/.kube/
目录
cp /etc/kubernetes/kubeconfig/admin.kubeconfig /root/.kube/config
!NOTE 每台
master
服务器配置admin.kubeconfig
都验证一遍。
随便执行 kubectl
命令查看是否可以正常访问 kube-apiserver
查看集群信息
kubectl cluster-info
显示
Kubernetes control plane is running at https://172.16.222.122:6443
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
查看所有服务
kubectl get all --all-namespaces
显示
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default service/kubernetes ClusterIP 10.68.0.1 <none> 443/TCP 120m
!NOTE
kubectl
很多时候需要查看pod
的日志等其他信息,kubectl
是通过kube-apiserver
访问kubelet
的服务的。k8s
有自带的集群角色:system:kubelet-api-admin
拥有此权限,需要绑定到kubectl
的用户上。kubectl
的用户这里设置的是:kubernetes
。
cat > /etc/kubernetes/init_k8s_config/allow-kubectl-access-kube-apiserver-kubelet-apis.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: allow-kubectl-access-kube-apiserver-kubelet-apis
subjects:
- kind: User
name: kubernetes
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:kubelet-api-admin
apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f /etc/kubernetes/init_k8s_config/allow-kubectl-access-kube-apiserver-kubelet-apis.yaml
!NOTE 以下是开启
TLS Bootstrap
所需要的权限。 这里可以先不管,直接下一步。
cat > /etc/kubernetes/init_k8s_config/allow-kubelet-create-client-csr.yaml <<EOF
# 允许启动引导节点创建 CSR
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: allow-kubelet-create-client-csr
subjects:
- kind: Group
name: system:bootstrappers
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:node-bootstrapper
apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f /etc/kubernetes/init_k8s_config/allow-kubelet-create-client-csr.yaml
cat > /etc/kubernetes/init_k8s_config/allow-auto-approve-kubelet-client-csr.yaml <<EOF
# 批复 "system:bootstrappers" 组的所有 CSR
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: allow-auto-approve-kubelet-client-csr
subjects:
- kind: Group
name: system:bootstrappers
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f /etc/kubernetes/init_k8s_config/allow-auto-approve-kubelet-client-csr.yaml
# 批复 "system:nodes" 组的 CSR 续约请求
cat > /etc/kubernetes/init_k8s_config/allow-auto-renewal-kubelet-client-csr.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: auto-renewals-kubelet-client-csr
subjects:
- kind: Group
name: system:nodes
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f /etc/kubernetes/init_k8s_config/allow-auto-renewal-kubelet-client-csr.yaml
cat > /etc/kubernetes/init_k8s_config/allow-auto-renewal-kubelet-server-csr.yaml <<EOF
---
# 创建进群角色
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
rules:
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests"]
verbs: ["create","list","get","watch"]
---
# 绑定角色
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: auto-renewal-kubelet-server-csr
subjects:
- kind: Group
name: system:bootstrappers
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f /etc/kubernetes/init_k8s_config/allow-auto-renewal-kubelet-server-csr.yaml
转载请注明出处:https://janrs.com/3x5q 有任何问题欢迎在底部评论区发言。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。