kubectl客戶端工具遠程鏈接k8s集羣

時間  2020-12-01
標籤 node linux web json api 工具 spa code orm 欄目 負載均衡 简体版
原文   原文鏈接

1、概述

  通常狀況下,在k8smaster節點上集羣管理工具kubectl是鏈接的本地http8080端口和apiserver進行通信的,固然也能夠經過https端口進行通信前提是要生成證書。因此說kubectl不必定部署在master上,只要能和apiserver進行通信,那麼你能夠將kubectl部署在任何一臺你想鏈接到集羣的主機上,如下將介紹基於證書的kubectl部署方式,如下基於kubernets1.13部署。node

2、生成ca證書

 若是已經有了ca證書那就不須要在生成了,只須要利用該證書生成admin證書便可。linux

安裝生成證書工具web

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64 mv cfssl_linux-amd64 /usr/local/bin/cfssl mv cfssljson_linux-amd64 /usr/local/bin/cfssljson mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

生成ca配置json

cat > ca-config.json <<EOF { "signing": { "default": { "expiry": "87600h" }, "profiles": { "kubernetes": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } } EOF

生成csr配置api

cat > ca-csr.json <<EOF { "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System" } ] } EOF

生成ca證書工具

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

3、生成admin證書

證書配置ui

cat > admin-csr.json <<EOF { "CN": "admin", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "system:masters", "OU": "System" } ] } EOF

生成證書spa

[root@master master]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/01/09 15:25:20 [INFO] generate received request 2019/01/09 15:25:20 [INFO] received CSR 2019/01/09 15:25:20 [INFO] generating key: rsa-2048
2019/01/09 15:25:20 [INFO] encoded CSR 2019/01/09 15:25:20 [INFO] signed certificate with serial number 496018729932380195936891977997946670147442472383
2019/01/09 15:25:20 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").

查看證書code

[root@master master]# ls admin*
admin.csr  admin-csr.json  admin-key.pem  admin.pem

4、配置kubectl

拷貝證書以及相關kubectl到目標機器orm

scp /opt/kubernetes/bin/kubectl 10.1.210.32:/usr/bin     #拷貝命令
scp admin* ca.pem 10.1.210.32:/opt/kubernetes/kubectl/ssl # 拷貝證書

配置kubectl配置文件

#進入證書目錄
cd /opt/kubernetes/kubectl/ssl #生成kubectl配置文件
kubectl config set-cluster kubernetes --server=https://10.1.210.33:6443 --certificate-authority=ca.pem #設置用戶項中cluster-admin用戶證書認證字段
kubectl config set-credentials cluster-admin --certificate-authority=ca.pem --client-key=admin-key.pem --client-certificate=admin.pem #設置默認上下文
kubectl config set-context default --cluster=kubernetes --user=cluster-admin #設置當前環境的default
kubectl config use-context default

查看配置文件

[root@node1 ssl]# cat /root/.kube/config 
apiVersion: v1 clusters: - cluster: certificate-authority: /opt/kubernetes/kubectl/ssl/ca.pem server: https://10.1.210.33:6443 name: kubernetes contexts: - context: cluster: kubernetes user: cluster-admin name: default current-context: default kind: Config preferences: {} users: - name: cluster-admin user: client-certificate: /opt/kubernetes/kubectl/ssl/admin.pem client-key: /opt/kubernetes/kubectl/ssl/admin-key.pem

5、管理集羣

相關文章
相關標籤/搜索
每日一句
    每一个你不满意的现在,都有一个你没有努力的曾经。
本站公眾號
   歡迎關注本站公眾號,獲取更多信息
聯繫我們 最近搜索 最新文章 沪ICP备13005482号-10 MyBatis教程 SQL 教程 MySQL教程 Java 教程 Thymeleaf 教程 Hibernate教程 Spring教程 Redis教程