Reference documentation
1. Download and distribute the kubectl binary
[root@k8s-node1 k8s_software]# pwd
/opt/k8s/k8s_software
[root@k8s-node1 k8s_software]# wget https://dl.k8s.io/v1.15.5/kubernetes-client-linux-amd64.tar.gz
--2019-10-30 00:38:35--  https://dl.k8s.io/v1.15.5/kubernetes-client-linux-amd64.tar.gz
Resolving dl.k8s.io (dl.k8s.io)... 35.201.71.162
Connecting to dl.k8s.io (dl.k8s.io)|35.201.71.162|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://storage.googleapis.com/kubernetes-release/release/v1.15.5/kubernetes-client-linux-amd64.tar.gz [following]
--2019-10-30 00:38:36--  https://storage.googleapis.com/kubernetes-release/release/v1.15.5/kubernetes-client-linux-amd64.tar.gz
Resolving storage.googleapis.com (storage.googleapis.com)... 172.217.25.16, 2404:6800:4005:809::2010
Connecting to storage.googleapis.com (storage.googleapis.com)|172.217.25.16|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13338368 (13M) [application/x-tar]
Saving to: ‘kubernetes-client-linux-amd64.tar.gz’

100%[==============================================================================================>] 13,338,368   641KB/s   in 16s

2019-10-30 00:38:53 (802 KB/s) - ‘kubernetes-client-linux-amd64.tar.gz’ saved [13338368/13338368]
[root@k8s-node1 k8s_software]#

The tarball is fetched over HTTPS but not otherwise verified. Before unpacking, compare sha512sum kubernetes-client-linux-amd64.tar.gz with the hash published for v1.15.5 in the Kubernetes CHANGELOG; this is the only binary that will later carry cluster-admin credentials, so it is worth the check.

[root@k8s-node1 k8s_software]# ls
kubernetes-client-linux-amd64.tar.gz
[root@k8s-node1 k8s_software]# tar -zxvf kubernetes-client-linux-amd64.tar.gz
kubernetes/
kubernetes/client/
kubernetes/client/bin/
kubernetes/client/bin/kubectl
[root@k8s-node1 k8s_software]# ls
kubernetes  kubernetes-client-linux-amd64.tar.gz
[root@k8s-node1 k8s_software]# cd kubernetes
[root@k8s-node1 kubernetes]# ls
client
[root@k8s-node1 kubernetes]# cd client/
[root@k8s-node1 client]# ls
bin
[root@k8s-node1 client]# cd bin
[root@k8s-node1 bin]# ls
kubectl
[root@k8s-node1 bin]# pwd
/opt/k8s/k8s_software/kubernetes/client/bin
[root@k8s-node1 bin]#
2. Distribute it to every node and make sure it is executable
[root@k8s-node1 k8s_software]# cp kubernetes/client/bin/kubectl /opt/k8s/bin/
[root@k8s-node1 k8s_software]# chmod +x /opt/k8s/bin/kubectl
[root@k8s-node1 k8s_software]# scp kubernetes/client/bin/kubectl root@k8s-node2:/opt/k8s/bin/
kubectl
[root@k8s-node1 k8s_software]# ssh k8s-node2 "chmod +x /opt/k8s/bin/*"
[root@k8s-node1 k8s_software]# scp kubernetes/client/bin/kubectl root@k8s-node3:/opt/k8s/bin/
kubectl                                       100%   41MB 103.8MB/s   00:00
[root@k8s-node1 k8s_software]# ssh k8s-node3 "chmod +x /opt/k8s/bin/*"
[root@k8s-node1 k8s_software]#
(The chmod must target the binary, /opt/k8s/bin/kubectl, not the /opt/k8s/bin directory; tar preserves the execute bit, so the step is a safeguard rather than a requirement.)
3. Create the admin certificate and key
kubectl talks to the apiserver over its HTTPS secure port; the apiserver authenticates the presented client certificate and then authorizes the request.
kubectl is the cluster management tool and needs the highest privileges, so an admin certificate with full privileges is created here.
Create the certificate signing request
O is system:masters; when kube-apiserver receives this certificate it sets the request's Group to system:masters.
The predefined ClusterRoleBinding cluster-admin binds the Group system:masters to the ClusterRole cluster-admin, which grants every permission on every API.
This certificate is only used by kubectl as a client certificate, so the hosts field is empty.
Note that kube-apiserver does not check certificate revocation for client certificates: a system:masters certificate stays valid until it expires, and the only way to cancel it is to replace the CA. Keep the private key off shared hosts and do not hand this certificate out for day-to-day use.
[root@k8s-node1 kubectl]# pwd
/opt/k8s/k8s_software/kubectl
[root@k8s-node1 kubectl]# cat admin-csr.json
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "SZ",
      "L": "SZ",
      "O": "system:masters",
      "OU": "4Paradigm"
    }
  ]
}
[root@k8s-node1 kubectl]#
Generate the certificate and key
[root@k8s-node1 kubectl]# cfssl gencert -ca=/etc/kubernetes/cert/ca.pem -ca-key=/etc/kubernetes/cert/ca-key.pem -config=/etc/kubernetes/cert/ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/10/30 02:06:24 [INFO] generate received request
2019/10/30 02:06:24 [INFO] received CSR
2019/10/30 02:06:24 [INFO] generating key: rsa-2048
2019/10/30 02:06:24 [INFO] encoded CSR
2019/10/30 02:06:24 [INFO] signed certificate with serial number 368978383376795956608149123600782369631080400831
2019/10/30 02:06:24 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
[root@k8s-node1 kubectl]# ls
admin.csr  admin-csr.json  admin-key.pem  admin.pem
The "lacks a hosts field" warning is expected: this is a client certificate with no server names, so it is not meant to identify a website.
4. Create the kubeconfig file
The kubeconfig is the configuration file kubectl reads. It holds everything needed to reach the apiserver: the apiserver address, the CA certificate and the client's own certificate and key.
Generate it with the kubectl config commands
Load the environment variables:
[root@k8s-node1 kubectl]# source /opt/k8s/bin/environment.sh
Set the cluster parameters: the cluster name is kubernetes, the CA certificate is ca.pem (mind the path) and the cluster address is ${KUBE_APISERVER}, which is read from the environment file.
[root@k8s-node1 kubectl]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=kubectl.kubeconfig
Cluster "kubernetes" set.
Set the client credentials; admin is the user name:
[root@k8s-node1 kubectl]# kubectl config set-credentials admin --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true --kubeconfig=kubectl.kubeconfig
User "admin" set.
Set the context, naming the cluster and the user:
[root@k8s-node1 kubectl]# kubectl config set-context kubernetes --cluster=kubernetes --user=admin --kubeconfig=kubectl.kubeconfig
Context "kubernetes" created.
Set the default context:
[root@k8s-node1 kubectl]# kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig
Switched to context "kubernetes".
[root@k8s-node1 kubectl]#
--certificate-authority: the root certificate used to verify the kube-apiserver certificate.
--client-certificate, --client-key: the admin certificate and private key just generated, used when connecting to kube-apiserver.
--embed-certs=true: embeds the contents of ca.pem, admin.pem and admin-key.pem in the generated kubectl.kubeconfig (without it, only the file paths are written). The resulting file therefore contains a cluster-admin private key and must be protected like one.
5. Distribute the kubectl.kubeconfig file
By default kubectl reads the kube-apiserver address, certificates and user name from ~/.kube/config.
The path and file name must be exactly ~/.kube/config.
Mind the destination path: it must be this one, and if it does not exist, create it by hand.
[root@k8s-node1 kubectl]# cp kubectl.kubeconfig ~/.kube
[root@k8s-node1 kubectl]# ssh k8s-node2 "mkdir .kube"
[root@k8s-node1 kubectl]# scp kubectl.kubeconfig root@k8s-node2:~/.kube
kubectl.kubeconfig                            100% 6211     5.6MB/s   00:00
[root@k8s-node1 kubectl]# ssh k8s-node3 "mkdir .kube"
[root@k8s-node1 kubectl]# scp kubectl.kubeconfig root@k8s-node3:~/.kube
kubectl.kubeconfig                            100% 6211     4.1MB/s   00:00
[root@k8s-node1 kubectl]#
Copying this file to every node means every node holds a cluster-admin credential; a compromised worker then yields the whole cluster. If you do distribute it, keep it owner-readable only (chmod 600 ~/.kube/config).
The file name also has to be changed.
[root@k8s-node1 .kube]# pwd
/root/.kube
[root@k8s-node1 .kube]# ls
kubectl.kubeconfig
[root@k8s-node1 .kube]# mv kubectl.kubeconfig config
[root@k8s-node1 .kube]# ls
config
[root@k8s-node1 .kube]#
[root@k8s-node1 kubectl]# ssh k8s-node2 "mv ~/.kube/kubectl.kubeconfig ~/.kube/config"
[root@k8s-node1 kubectl]# ssh k8s-node3 "mv ~/.kube/kubectl.kubeconfig ~/.kube/config"
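Steps 3 to 5 produce a file whose contents are easy to take on trust. The script below is an added example and not part of the original post: it stands in openssl for the cfssl step, builds a throwaway CA and an admin client certificate with the same Subject as admin-csr.json, writes a kubeconfig in the shape kubectl config --embed-certs=true produces, and then answers the three questions worth asking of any ~/.kube/config: which user and groups it presents (CN becomes the user, each O a group), how long the certificate is still valid, and whether the file is readable only by its owner. The CA, the temporary paths and the server URL are constructed for the example; it runs offline and needs only bash, openssl and GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Builds a throwaway CA and an
# "admin" client certificate with openssl in place of the cfssl step, writes a
# kubeconfig in the shape `kubectl config ... --embed-certs=true` produces, and
# then checks what that kubeconfig carries. The CA, paths and server URL below
# are constructed for the example; the Subject fields match admin-csr.json.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA and admin client cert. kube-apiserver maps the Subject CN to the
# user name and each O to a group, so O=system:masters is what grants cluster-admin.
make_admin_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=kubernetes-ca" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/C=CN/ST=SZ/L=SZ/O=system:masters/OU=4Paradigm/CN=admin" \
    -keyout "$WORK/admin-key.pem" -out "$WORK/admin.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/admin.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
    -set_serial 1 -days 365 -out "$WORK/admin.pem" 2>/dev/null
}

# Same layout kubectl writes: the PEM files are base64-embedded, not referenced by path.
write_kubeconfig() {
  local out="$1"
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    server: https://192.168.174.127:8443
    certificate-authority-data: $(base64 < "$WORK/ca.pem" | tr -d '\n')
users:
- name: admin
  user:
    client-certificate-data: $(base64 < "$WORK/admin.pem" | tr -d '\n')
    client-key-data: $(base64 < "$WORK/admin-key.pem" | tr -d '\n')
contexts:
- name: kubernetes
  context:
    cluster: kubernetes
    user: admin
current-context: kubernetes
EOF
  chmod 600 "$out"   # the file holds a cluster-admin private key
}

# Pull the embedded client certificate back out of a kubeconfig.
embedded_client_cert() {
  awk '/client-certificate-data:/ {print $2; exit}' "$1" | base64 -d
}

# Whose identity does this kubeconfig present? CN -> user, every O -> group.
kubeconfig_identity() {
  local subj
  subj="$(embedded_client_cert "$1" | openssl x509 -noout -subject -nameopt sep_multiline)"
  printf 'user=%s groups=%s\n' \
    "$(printf '%s\n' "$subj" | awk -F= '/^ *CN=/ {print $2}')" \
    "$(printf '%s\n' "$subj" | awk -F= '/^ *O=/ {print $2}' | paste -sd, -)"
}

# Days until the client certificate expires. kube-apiserver checks no CRL for
# client certificates, so a system:masters certificate can only be outlived.
kubeconfig_cert_days_left() {
  local not_after
  not_after="$(embedded_client_cert "$1" | openssl x509 -noout -enddate | cut -d= -f2)"
  echo $(( ( $(date -d "$not_after" +%s) - $(date +%s) ) / 86400 ))
}

# ~/.kube/config must be readable by its owner only.
kubeconfig_mode_ok() {
  local mode
  mode="$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")"
  [ "$mode" = "600" ]
}

make_admin_cert
write_kubeconfig "$WORK/config"
kubeconfig_identity "$WORK/config"          # user=admin groups=system:masters
kubeconfig_cert_days_left "$WORK/config"
kubeconfig_mode_ok "$WORK/config" && echo "permissions ok"
```

Point kubeconfig_identity, kubeconfig_cert_days_left and kubeconfig_mode_ok at the real ~/.kube/config after step 5 and you get the same three answers for the file you just distributed; a result other than user=admin groups=system:masters means the wrong certificate was embedded, and a mode other than 600 means any local user on that node can read the cluster-admin key.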
6. Testing, and errors you may run into
Test: run the following command:
[root@k8s-node1 kubectl]# kubectl get all
Unable to connect to the server: dial tcp 192.168.174.127:8443: connect: no route to host
[root@k8s-node1 kubectl]#
The cluster has not been fully built yet, so "no route to host" is expected here; ignore it. kubectl did find its kubeconfig, since it tried the apiserver address from ${KUBE_APISERVER} rather than a default.
If the file name or path is wrong, kubectl finds no kubeconfig at all and falls back to localhost:8080, giving the error below:
$ kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?
The other two nodes have no persistent PATH entry for /opt/k8s/bin, so they fail with:
[root@k8s-node2 ~]# kubectl get all
-bash: kubectl: command not found
Add the path and the execute bit:
[root@k8s-node2 ~]# echo 'export PATH=/opt/k8s/bin:$PATH' >>.bashrc
[root@k8s-node2 ~]# source .bashrc
[root@k8s-node2 ~]# chmod +x /opt/k8s/bin/*
Use single quotes around the export so that $PATH is expanded each time .bashrc is read; with double quotes the current PATH is written into .bashrc literally and frozen from then on.