1. Overview
Normally, the cluster management tool kubectl running on a k8s master node talks to the apiserver over the local HTTP port 8080. It can also talk over the HTTPS port, provided certificates have been generated. So kubectl does not have to be deployed on the master: as long as it can reach the apiserver,
you can deploy kubectl on any host from which you want to connect to the cluster. The following describes a certificate-based kubectl deployment, based on Kubernetes 1.16.
2. Generate the CA certificate
If you already have a CA certificate, there is no need to generate another one; just use it to generate the admin certificate. Skip this step and go straight to step 3, generating the admin certificate.
Self-sign certificates with cfssl
Install the certificate generation tools:
[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
[root@node1 ~ ]# chmod +x /usr/local/bin/cfssl*
Create the certificate directory:
[root@node1 ~]# mkdir /opt/kubernetes/ssl/
Set up a local CA and generate the CA certificate. Prepare the config file:
[root@node1 ssl]# vim ca-csr.json
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing"
        }
    ]
}
[root@node1 ssl]# vim ca-config.json   # default certificate lifetime is 10 years; the profile name must match the -profile passed to cfssl gencert in step 3
{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "kubernetes": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
Run the command to generate the CA files:
[root@master1 cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
3. Generate the admin certificate
# If you already have a CA certificate (skip the CA generation step above)
[root@node1 ssl]# ls ca*
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
# Copy the previously generated CA certificate to the local /admin directory
[root@manager ~]# mkdir /admin
[root@manager ~]# scp root@192.168.31.63:/opt/kubernetes/ssl/ca* /admin
[root@manager admin]# ls ca*
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
Certificate configuration: create the certificate signing request file
[root@manager admin]# vim admin-csr.json
{
    "CN": "admin",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "system:masters",
            "OU": "System"
        }
    ]
}
Generate the certificate
[root@manager admin]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2020/07/23 12:06:24 [INFO] generate received request
2020/07/23 12:06:24 [INFO] received CSR
2020/07/23 12:06:24 [INFO] generating key: rsa-2048
2020/07/23 12:06:24 [INFO] encoded CSR
2020/07/23 12:06:24 [INFO] signed certificate with serial number 346834438687956883750356425567391001485757864749
2020/07/23 12:06:24 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
Check the generated certificate files
[root@manager admin]# ls admin*
admin.csr admin-csr.json admin-key.pem admin.pem
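Before the kubeconfig built from this certificate leaves the host, it is worth checking what the certificate actually says. The script below is an added example, not part of the original post, and assumes openssl is installed: it checks that admin.pem chains to ca.pem, that its subject carries O=system:masters (the apiserver maps O to a group, and system:masters is bound to cluster-admin), that it has the clientAuth extended key usage, and that it has not expired.

```shell
#!/bin/sh
# Added check (not from the original post): inspect the cfssl-issued admin
# certificate before the kubeconfig built from it leaves this host.
# Assumes openssl is on PATH. Usage: sh check-admin-cert.sh ca.pem admin.pem
check_admin_cert() {
    ca="$1"; cert="$2"

    # 1. It must chain to the cluster CA, or the apiserver will reject it.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not signed by $ca"; return 1
    fi

    # 2. The apiserver maps CN to the user name and O to the group. The group
    #    system:masters is bound to cluster-admin by a built-in
    #    ClusterRoleBinding, so this file is a full-admin credential.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    case "$subject" in
        *"O=system:masters"*) echo "NOTE: $cert grants system:masters (cluster-admin)" ;;
        *) echo "FAIL: $cert has no O=system:masters, RBAC will not treat it as admin"; return 1 ;;
    esac

    # 3. Only a certificate with the clientAuth extended key usage is accepted
    #    for client authentication (the profile above includes "client auth").
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication'; then
        echo "FAIL: $cert lacks the clientAuth extended key usage"; return 1
    fi

    # 4. Kubernetes cannot revoke client certificates, so the expiry date is
    #    the only built-in limit on this credential (87600h above = 10 years).
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $cert has already expired"; return 1
    fi
    echo "OK: $subject; $(openssl x509 -in "$cert" -noout -enddate)"
    return 0
}

# Run as a script: sh check-admin-cert.sh ca.pem admin.pem
if [ "$#" -eq 2 ]; then
    check_admin_cert "$1" "$2"
fi
```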
4. Create the kubectl config file
Copy the kubectl binary to the target machine
[root@manager admin]# scp root@192.168.31.63:/opt/kubernetes/bin/kubectl /usr/bin/
Change to the certificate directory
[root@manager ~]# cd /admin
Generate the kubectl config file
[root@manager admin]# kubectl config set-cluster kubernetes --server=https://192.168.31.60:6443 --certificate-authority=ca.pem
Cluster "kubernetes" set.
Set the certificate authentication fields for the cluster-admin user entry
[root@manager admin]# kubectl config set-credentials cluster-admin --certificate-authority=ca.pem --client-key=admin-key.pem --client-certificate=admin.pem
User "cluster-admin" set.
Set the default context
[root@manager admin]# kubectl config set-context default --cluster=kubernetes --user=cluster-admin
Context "default" created.
Make default the current context
[root@manager admin]# kubectl config use-context default
Switched to context "default".
View the config file
[root@manager admin]# cat /root/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /admin/ca.pem
    server: https://192.168.31.60:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: cluster-admin
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: cluster-admin
  user:
    client-certificate: /admin/admin.pem
    client-key: /admin/admin-key.pem
5. Manage the cluster
[root@manager admin]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
node1 Ready <none> 19d v1.16.0
node2 Ready <none> 19d v1.16.0
node3 Ready <none> 9d v1.16.0
[root@manager admin]# kubectl get cs
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-2 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}
This completes the demonstration of using kubectl to connect remotely to the K8s cluster.