kubernetes集群安装指南:客户端安装及各组件认证文件创建
admin
2023-04-03 01:41:53
0次
大多情况,证书用于服务安全访问(即https访问)所需要,在kubernetes集群中,如果关闭了匿名访问,开启了集群HTTPS访问以及TLS双向认证;如:worker节点组件HTTPS访问apiserver服务时,Apiserver还需要验证客户端是否合法,此时就需要为worker节点上的组件生成kubeconfig认证文件用于连接apiserver。
1. 基本设置
1.1 变量设置
PACKAGE=kubernetes-server-v1.12.0-linux-amd64.tar.gz
K8S_DOWNLOAD_URL=https://github.com/devops-apps/download/raw/master/kubernetes/$PACKAGE
K8S_CONF_PATH=/etc/k8s/kubernetes
K8S_KUBECONFIG_PATH=/etc/k8s/kubeconfig
KUBE_APISERVER=https://dev-kube-api.mo9.com
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')1.2 kubectl、kubens工具集安装
sudo wget $K8S_DOWNLOAD_URL -P /root/software
cd $SOFTWARE
tar -xzfkubernetes-server-v1.12.0-linux-amd64.tar.gz -C ./
cp -fp kubernetes/server/bin/{kubectl,kubens} /usr/local/sbin1.3 创建认证文件存放目录
if [ ! -d "$K8S_CONF_PATH" ]; then
mkdir -p $K8S_CONF_PATH
fi
if [ ! -d "$K8S_KUBECONFIG_PATH" ]; then
mkdir -p $K8S_KUBECONFIG_PATH
fi2. 创建 TLS Bootstrapping Token
cat > ${K8S_CONF_PATH}/token.csv <- bootstrapping token文件主要用于为apiserver开启tocken认证而创建,如果没有开启apiserver token认证可以不用创建此文件;
3 kubeconfig文件创建
3.1 创建kube-controller-manager kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=${CA_DIR}/kube-controller-manager.pem \
--client-key=${CA_DIR}/kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config set-context system:kube-controller-manager \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config use-context system:kube-controller-manager \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig3.2 创建kube-shceduler kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler \
--client-certificate=${CA_DIR}/kube-scheduler.pem \
--client-key=${CA_DIR}/kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config set-context system:kube-scheduler \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config use-context system:kube-scheduler \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig3.3 创建kubelet bootstrapping kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config set-credentials kubelet-bootstrap \
--token=${BOOTSTRAP_TOKEN} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config use-context default \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig- bootstrapping文件主要用于apiserver给kubelet证书做自动轮转,使用该文件,apiserver会自动给kubelet颁发服务端证书以及证书密钥,从而不必为kubelet证书
3.4 创建kube-proxy kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
--client-certificate=${CA_DIR}/kube-proxy.pem \
--client-key=${CA_DIR}/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config use-context default \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
3.5 创建kubectl kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config set-credentials admin \
--client-certificate=${CA_DIR}/admin.pem \
--client-key=${CA_DIR}/admin-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config use-context kubernetes \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig- --certificate-authority:验证 kube-apiserver 证书的根证书;
- --client-certificate、--client-key:刚生成的 admin 证书和私钥,连接 kube-apiserver 时使用;
- --embed-certs=true:将 ca.pem 和 admin.pem 证书内容嵌入到生成的 kubectl.kubeconfig 文件中(不加时,写入的是证书文件路径);
备注:kubeconfig文件是用于安全连接apiserver服务的认证文件。
4 同步token文件及kubeconfig文件到相应的节点
-
master节点:
cd $K8S_KUBECONFIG_PATH ansible master_k8s_vgs -m copy -a \ "src=kube-controller-manager.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b ansible master_k8s_vgs -m copy -a \ "src=kube-scheduler.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b - worker节点
cd $K8S_KUBECONFIG_PATH ansible worker_k8s_vgs -m copy -a \ "src=bootstrap.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b ansible worker_k8s_vgs -m copy -a \ "src=kube-proxy.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b - kubeconfig文件主要用于各组件在通过https访问apiserver时所需要的认证的文件,该文件包括对应组件的服务端证书、证书私钥、ca根证书以及apiserver的访问地址
创建完kubernetes集群组件相关认证文件后,接下来正式部署kubernetes集群相关组件etcd集群,请参考:kubernetes集群安装指南:etcd集群部署
相关内容
热门资讯
台湾演员赴陆偶遇“如花”高喊“...
据台媒TVBS,曾演出《破事精英第二季》的台湾演员萧子一,日前在中国大陆横店影视城巧遇景区知名NPC...
东盟“不选边”走到尽头?
第48届东盟峰会落幕,中东冲突外溢、美国关税施压、内部矛盾凸显,东盟陷入“经济要救生、安全走钢丝”的...
17岁高中生写作业至凌晨,外出...
5月11日,据青海大通县融媒体中心消息:大通县公安局表示,5月8日6时15分,大通县公安局桥头派出所...
天猫“国货严选”纯棉一次性内裤...
淘宝天猫国货严选旗舰店内一次性内裤宣称“纯棉”,“假一赔十”,实际收到商品为“100%聚酯纤维”。近...
字节砍掉30%的AI项目?背后...
来源:市场资讯 (来源:钛媒体APP) 5月9日,一则关于字节跳动AI战略的消息,在社交媒体上迅速发...
戴尔电脑频繁出现蓝屏死机、重启...
IT之家 5 月 11 日消息,Windows 11 更新时常出故障并引发各类问题,其中最让用户恼火...
分享PD氮化镓快充哪个品牌款式...
现在不少小伙伴选氮化镓快充头,尤其是苹果用户,找来找去都会纠结:PD氮化镓快充哪个品牌款式多,苹果氮...
激光近视手术和ICL晶体植入哪...
很多想摘镜的朋友都会纠结:选激光手术,还是ICL晶体植入?到底哪种更安全、更适合自己?广州英华眼科蔡...
原创 天...
备受科技圈关注的联发科技 MTK 天玑开发者大会即将启幕,# 天玑开发者大会# 话题提前霸占数码热搜...
量子力学如何开辟了人类认识和改...
量子力学是 20 世纪最具颠覆性、最具奠基性的基础科学革命成果,与相对论共同构筑起现代物理学两大支柱...