一 部署 kubectl
1.1 安装kubectl
1 [[email protected] ~]# cd /opt/k8s/work 2 [[email protected] work]# wget https://dl.k8s.io/v1.14.2/kubernetes-client-linux-amd64.tar.gz 3 [[email protected] work]# tar -zxvf kubernetes-client-linux-amd64.tar.gz
1.2 分发kubectl
1 [[email protected] ~]# cd /opt/k8s/work 2 [[email protected] work]# source /opt/k8s/bin/environment.sh 3 [[email protected] work]# for master_ip in ${MASTER_IPS[@]} 4 do 5 echo ">>> ${master_ip}" 6 scp kubernetes/client/bin/kubectl [email protected]${master_ip}:/opt/k8s/bin/ 7 ssh [email protected]${master_ip} "chmod +x /opt/k8s/bin/*" 8 done
1.3 创建admin证书和密钥
1 [[email protected] ~]# cd /opt/k8s/work 2 [[email protected] work]# cat > admin-csr.json <<EOF 3 { 4 "CN": "admin", 5 "hosts": [], 6 "key": { 7 "algo": "rsa", 8 "size": 2048 9 }, 10 "names": [ 11 { 12 "C": "CN", 13 "ST": "Shanghai", 14 "L": "Shanghai", 15 "O": "system:masters", 16 "OU": "System" 17 } 18 ] 19 } 20 EOF 21 #创建admin的CA证书请求文件
解释:
O 为 system:masters:kube-apiserver 收到该证书后将请求的 Group 设置为 system:masters;
预定义的 ClusterRoleBinding cluster-admin 将 Group system:masters 与 Role cluster-admin 绑定,即该 Role 授予所有 API的权限;
该证书只会被 kubectl 当做 client 证书使用,所以 hosts 字段为空。
1 [[email protected] ~]# cd /opt/k8s/work 2 [[email protected] work]# cfssl gencert -ca=/opt/k8s/work/ca.pem \ 3 -ca-key=/opt/k8s/work/ca-key.pem -config=/opt/k8s/work/ca-config.json 4 -profile=kubernetes admin-csr.json | cfssljson -bare admin #生成CA密钥(ca-key.pem)和证书(ca.pem)
1.4 创建kubeconfig文件
kubectl 默认从 ~/.kube/config 文件读取 kube-apiserver 地址和认证信息。只需在master节点部署一次,其生成的 kubeconfig 文件是通用的,可以拷贝到需要执行 kubectl 命令的机器,重命名为/.kube/config即可。
注意:如果没有特殊指明,本文档的所有操作均在 k8smaster 节点上执行,然后远程分发文件和执行命令。
1 [[email protected] ~]# cd /opt/k8s/work 2 [[email protected] work]# source /opt/k8s/bin/environment.sh 3 [[email protected] work]# kubectl config set-cluster kubernetes 4 --certificate-authority=/opt/k8s/work/ca.pem 5 --embed-certs=true 6 --server=${KUBE_APISERVER} 7 --kubeconfig=kubectl.kubeconfig # 设置集群参数 8 [[email protected] work]# kubectl config set-credentials admin 9 --client-certificate=/opt/k8s/work/admin.pem 10 --client-key=/opt/k8s/work/admin-key.pem 11 --embed-certs=true 12 --kubeconfig=kubectl.kubeconfig # 设置客户端认证参数 13 [[email protected] work]# kubectl config set-context kubernetes 14 --cluster=kubernetes 15 --user=admin 16 --kubeconfig=kubectl.kubeconfig # 设置上下文参数 17 [[email protected] work]# kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig # 设置默认上下文
解释:
--certificate-authority:验证 kube-apiserver 证书的根证书;
--client-certificate、--client-key:刚生成的 admin 证书和私钥,连接 kube-apiserver 时使用;
--embed-certs=true:将 ca.pem 和 admin.pem 证书内容嵌入到生成的 kubectl.kubeconfig 文件中(默认写入的是证书文件路径,后续需要拷贝 kubeconfig 和该证书文件至到其它机器。)。
1.5 分发kubeconfig
1 [[email protected] ~]# cd /opt/k8s/work 2 [[email protected] work]# source /opt/k8s/bin/environment.sh 3 [[email protected] work]# for master_ip in ${MASTER_IPS[@]} 4 do 5 echo ">>> ${master_ip}" 6 ssh [email protected]${master_ip} "mkdir -p ~/.kube" 7 scp kubectl.kubeconfig [email protected]${master_ip}:~/.kube/config 8 done
原文地址:https://www.cnblogs.com/itzgr/p/11865195.html
时间: 2024-10-03 20:09:43