K8S from Getting Started to Giving Up, part 4: deploying the kubectl command-line tool for a Kubernetes cluster

Summary: as Kubernetes versions have iterated, clusters have moved toward a TLS + RBAC security configuration for the sake of cluster safety. During our deployment, therefore, every component needs its own certificate and the RBAC authorization mode is enabled.
We use a binary installation here: after downloading and unpacking, copy each component's binary to the designated nodes.
Master node components: kube-apiserver, etcd, kube-controller-manager, kube-scheduler, kubectl
Node components: kubelet, kube-proxy, docker, coredns, calico
Deploying the master components
1) Download the Kubernetes binary package
Unpack the downloaded archive and distribute each binary to its designated location on the corresponding master or node host.
[root@k8s-master01 ~]# cd k8s/
[root@k8s-master01 k8s]# wget https://storage.googleapis.com/kubernetes-release/release/v1.14.1/kubernetes-server-linux-amd64.tar.gz
[root@k8s-master01 k8s]# tar -xf kubernetes-server-linux-amd64.tar.gz
## transfer the master binaries
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.18:/usr/local/bin/
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.19:/usr/local/bin/
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.20:/usr/local/bin/
## transfer the node binaries
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-proxy,kubelet} 10.10.0.21:/usr/local/bin/
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-proxy,kubelet} 10.10.0.22:/usr/local/bin/

2) Create the admin certificate request

kubectl is the tool used for day-to-day management of the K8S cluster. To manage k8s, kubectl has to communicate with the k8s components, and that communication requires a certificate.
We deploy kubectl on the three master nodes.
[root@k8s-master01 ~]# vim /opt/k8s/certs/admin-csr.json
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ShangHai",
      "L": "ShangHai",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
3) Generate the admin certificate and private key (the "hosts" warning that cfssl prints below can be ignored: this is a client certificate, so it needs no SAN entries)

[root@k8s-master01 ~]# cd /opt/k8s/certs/
[root@k8s-master01 certs]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
     -ca-key=/etc/kubernetes/ssl/ca-key.pem \
     -config=/opt/k8s/certs/ca-config.json \
     -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/04/23 14:56:49 [INFO] generate received request
2019/04/23 14:56:49 [INFO] received CSR
2019/04/23 14:56:49 [INFO] generating key: rsa-2048
2019/04/23 14:56:49 [INFO] encoded CSR
2019/04/23 14:56:49 [INFO] signed certificate with serial number 506524128693715675957824591128854950490977162654
2019/04/23 14:56:49 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
4) Inspect the generated files

[root@k8s-master01 certs]# ll admin*
-rw-r--r-- 1 root root 1013 Apr 23 14:56 admin.csr
-rw-r--r-- 1 root root  231 Apr 23 14:54 admin-csr.json
-rw------- 1 root root 1679 Apr 23 14:56 admin-key.pem
-rw-r--r-- 1 root root 1407 Apr 23 14:56 admin.pem
5) Distribute the certificate and key

[root@k8s-master01 certs]# ansible k8s-master -m copy -a 'src=/opt/k8s/certs/admin-key.pem dest=/etc/kubernetes/ssl/'
[root@k8s-master01 certs]# ansible k8s-master -m copy -a 'src=/opt/k8s/certs/admin.pem dest=/etc/kubernetes/ssl/'
6) Generate the kubeconfig file

The following steps generate a config file under .kube in the home directory; from then on kubectl uses that file to talk to the API server. This also means that if you want to manage the cluster with kubectl from another node, you must copy this file to that node.
Set the cluster parameters
[root@k8s-master01 ~]# kubectl config set-cluster kubernetes \
     --certificate-authority=/etc/kubernetes/ssl/ca.pem \
     --embed-certs=true \
     --server=https://127.0.0.1:6443
Cluster "kubernetes" set.
# set the client authentication parameters
[root@k8s-master01 ~]# kubectl config set-credentials admin \
     --client-certificate=/etc/kubernetes/ssl/admin.pem \
     --embed-certs=true \
     --client-key=/etc/kubernetes/ssl/admin-key.pem
User "admin" set.
# set the context parameters
[root@k8s-master01 ~]# kubectl config set-context admin@kubernetes \
     --cluster=kubernetes \
     --user=admin
Context "admin@kubernetes" created.
# set the default context
[root@k8s-master01 ~]# kubectl config use-context admin@kubernetes
Switched to context "admin@kubernetes".
以上操做會在當前目錄下生成.kube/config文件,後續操做集羣時,apiserver須要對該文件進行驗證,建立的admin用戶對kubernetes集羣有全部權限(集羣管理員)。