K8S 中使用kubectl工具远程连接K8S集群

一、概述

一般情况下,在k8smaster节点上集群管理工具kubectl是连接的本地http8080端口和apiserver进行通讯的,

当然也可以通过https端口进行通讯前提是要生成证书。所以说kubectl不一定部署在master上,只要能和apiserver进行通讯,

所以你可以将kubectl部署在任何一台你想连接到集群的主机上,以下将介绍基于证书的kubectl部署方式,以下基于kubernets1.16部署

二、生成ca证书

如果已经有了ca证书那就不需要在生成了,只需要利用该证书生成admin证书即可,跳过此步骤直接看第三步骤,生成admin证书

使用cfssl自签证书

安装生成证书工具

[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl

[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson

[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo

[root@node1 ~ ]# chmod +x /usr/local/bin/cfssl*

创建证书目录:

[root@node1 ~]# mkdir /opt/kubernetes/ssl/

自建一个本地CA,生成ca证书, 准备配置文件:

[root@node1 ssl]# vim ca-csr.json

{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
     }
   ]
 }

[root@node1 ssl]# vim ca-config.json #证书过期时间默认是10年


{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
					}
		}
}

执行命令生成ca文件:

[root@master1 cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca

K8S 中使用kubectl工具远程连接K8S集群

三、生成admin证书

#如有ca证书(请忽略上面的ca证书生成步骤)

[root@node1 ssl]# ls ca*

ca-config.json   ca.csr   ca-csr.json   ca-key.pem   ca.pem

#拷贝之前生成的ca证书到本机的/admin目录下

[root@manager ~]# mkdir /admin

[root@manager ~]# scp root@192.168.31.63:/opt/kubernetes/ssl/ca* /admin

[root@manager admin]# ls ca*

ca-config.json   ca.csr   ca-csr.json   ca-key.pem   ca.pem

证书配置: 生成请求证书文件

[root@manager admin]# vim admin-csr.on

{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
				}
		]
}

生成证书

[root@manager admin]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

2020/07/23 12:06:24 [INFO] generate received request
2020/07/23 12:06:24 [INFO] received CSR
2020/07/23 12:06:24 [INFO] generating key: rsa-2048
2020/07/23 12:06:24 [INFO] encoded CSR
2020/07/23 12:06:24 [INFO] signed certificate with serial number 346834438687956883750356425567391001485757864749
2020/07/23 12:06:24 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

查看证书

[root@manager admin]# ls admin*

admin.csr  admin-csr.json  admin-key.pem  admin.pem

四、配置kubectl配置文件

拷贝kubectl 二进制可执行文件 到目标机器

[root@manager admin]#scp root@192.168.31.63:/opt/kubernetes/bin/kubectl /usr/bin/

进入证书目录

[root@manager ~]# cd /admin

生成kubectl配置文件

[root@manager admin]# kubectl config set-cluster kubernetes –server=https://192.168.31.60:6443 –certificate-authority=ca.pem

Cluster "kubernetes" set.

设置用户项中cluster-admin用户证书认证字段

[root@manager admin]# kubectl config set-credentials cluster-admin –certificate-authority=ca.pem –client-key=admin-key.pem –client-certificate=admin.pem

User "cluster-admin" set.

设置默认上下文

[root@manager admin]# kubectl config set-context default –cluster=kubernetes –user=cluster-admin

Context "default" created.

设置当前环境的default

[root@manager admin]# kubectl config use-context default

Switched to context "default".

查看配置文件

[root@manager admin]# cat /root/.kube/config

apiVersion: v1
clusters:
- cluster:
certificate-authority: /admin/ca.pem
server: https://192.168.31.60:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: cluster-admin
name: default
current-context: default
kind: Config
preferences: {}
users:
- name: cluster-admin
user:
client-certificate: /admin/admin.pem
client-key: /admin/admin-key.pem

五、管理集群

[root@manager admin]# kubectl get nodes

NAME STATUS ROLES AGE VERSION
node1 Ready <none> 19d v1.16.0
node2 Ready <none> 19d v1.16.0
node3 Ready <none> 9d v1.16.0

[root@manager admin]# kubectl get cs

NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-2 Healthy {"health":"true"}
etcd-1 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}

至此,使用kubectl工具远程连接K8S集群 演示完毕

本文版权归 飞翔沫沫情 作者所有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出 原文链接 如有问题, 可发送邮件咨询,转贴请注明出处:https://www.fxkjnj.com/2243/

发表评论

登录后才能评论