簡單部署參考:https://blog.51cto.com/juestnow/2409880
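# Write the cfssl certificate-request definition for the metrics-server
# serving certificate. The here-document delimiter is quoted so the JSON is
# written literally, with no shell expansion.
# NOTE(review): the request has no "hosts" list, so the issued certificate
# presumably carries no subject alternative names; a client that verifies the
# serving certificate by name would reject it. Confirm how the aggregation
# layer is configured to trust metrics-server.
cat << 'EOF' | tee /apps/work/k8s/cfssl/k8s/metrics-server.json
{
  "CN": "metrics-server",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "niuke",
      "OU": "niuke"
    }
  ]
}
EOF

### Generate the certificate
# Sign the request with the cluster CA using the "kubernetes" profile from
# ca-config.json. cfssljson -bare writes metrics-server.pem,
# metrics-server-key.pem and metrics-server.csr into the current directory.
cfssl gencert \
  -ca=/apps/work/k8s/cfssl/pki/k8s/k8s-ca.pem \
  -ca-key=/apps/work/k8s/cfssl/pki/k8s/k8s-ca-key.pem \
  -config=/apps/work/k8s/cfssl/ca-config.json \
  -profile=kubernetes \
  /apps/work/k8s/cfssl/k8s/metrics-server.json \
  | cfssljson -bare ./metrics-server

### Create the secret
# The --from-file paths are relative: run this from the directory the
# certificate and key were written to.
# metrics-server-key.pem stays on the local disk after this step; keep it
# access-restricted or remove it once the secret has been loaded.
kubectl -n kube-system create secret generic metrics-server-certs \
  --from-file=metrics-server-key.pem \
  --from-file=metrics-server.pem

# Confirm the secret exists.
kubectl get secret -n kube-system | grep metrics-server-certs

# Inspect the secret without revealing it: `describe` lists only the key
# names and their sizes, whereas `get -o yaml` would print the base64-encoded
# private key into the terminal and its scrollback.
kubectl -n kube-system describe secret metrics-server-certs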
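# File: metrics-server-deployment.yaml (create it with: vi metrics-server-deployment.yaml)
---
# Service account the metrics-server pod runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-server
  namespace: kube-system
---
# NOTE(review): Deployments under extensions/v1beta1 are no longer served from
# Kubernetes v1.16 onward; use apps/v1 on newer clusters.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    k8s-app: metrics-server
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  template:
    metadata:
      name: metrics-server
      labels:
        k8s-app: metrics-server
    spec:
      serviceAccountName: metrics-server
      tolerations:
      - effect: NoSchedule
        key: node.kubernetes.io/unschedulable
        operator: Exists
      # NOTE(review): the key here is the literal string "NoSchedule";
      # confirm that a taint with this key actually exists on the nodes.
      - key: NoSchedule
        operator: Exists
        effect: NoSchedule
      volumes:
      # mount in tmp so we can safely use from-scratch images and/or read-only containers
      - name: tmp-dir
        emptyDir: {}
      # Serving certificate and private key from the metrics-server-certs secret.
      - name: metrics-server-certs
        secret:
          secretName: metrics-server-certs
      containers:
      - name: metrics-server
        # NOTE(review): this is a third-party repository referenced by a
        # mutable tag and re-pulled on every start (imagePullPolicy: Always).
        # Once the image has been verified, pin it by digest, e.g.
        # juestnow/metrics-server-amd64@sha256:<verified-digest-placeholder>.
        image: juestnow/metrics-server-amd64:v0.3.3
        imagePullPolicy: Always
        command:
        - /metrics-server
        - --tls-cert-file=/certs/metrics-server.pem
        - --tls-private-key-file=/certs/metrics-server-key.pem
        - --kubelet-preferred-address-types=InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP
        # Required only when the kubelet is issued just a client certificate;
        # do not add it when the kubelet has a serving (server) certificate.
        # It turns off verification of the kubelet's serving certificate, so
        # metrics-server can no longer authenticate the kubelets it scrapes.
        #- --kubelet-insecure-tls
        volumeMounts:
        - name: tmp-dir
          mountPath: /tmp
        - name: metrics-server-certs
          mountPath: /certs
          # The process only reads the certificate and key; mount them read-only.
          readOnly: true
      # Schedule only onto nodes labelled metrics=yes.
      nodeSelector:
        metrics: "yes"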
# Create or update the objects defined in metrics-server-deployment.yaml.
kubectl apply -f metrics-server-deployment.yaml
[root@jenkins vpa]# kubectl get pod -n kube-system | grep metrics-server
metrics-server-658bb99b66-z6xg4   1/1   Running   0   22h
kubectl get pod metrics-server-658bb99b66-z6xg4 -n kube-system -o yaml
查看內容是否改變,或者打開 dashboard
查看 services:
[root@jenkins vpa]# kubectl get service -n kube-system | grep metrics-server
metrics-server   ClusterIP   10.64.53.220   <none>   443/TCP   45d
https://10.64.53.220
能正常打開,並獲取 API 地址
metrics-server 自簽名證書部署完成。建議在生產環境使用node