In the previous section we finished configuring the certificates for K8S. How do the K8S components actually use those certificates?
K8S components use certificates in a great many places, so Kubernetes defines their use up front in one configuration file, called a kubeconfig. Its purpose is to let a Kubernetes client locate the kube-apiserver and pass the apiserver's authentication.
Next we will generate the kubeconfigs for each component together: controller-manager, kubelet, kube-proxy, scheduler, and the admin user.
The commands below must be run in the same directory as the previous section, "Generating certificates".
# Generate the authentication configuration for each component in this directory
[root@node-1 pki]# pwd
/root/pki
Kubelet
# The kubelet runs on the worker nodes. Run the kubectl config commands with a series of parameters to build each node's kubeconfig file step by step.
# Generate the kubelet kubeconfig.
# Specify your worker list (hostnames), space-separated.
# Note that only the kubelet needs a loop, because one file must be generated for every node; each of the other components needs a single file, which every node can use.
[root@node-1 pki]# WORKERS="node-2 node-3"
[root@node-1 pki]# for instance in ${WORKERS}; do
# (Comments must sit before a command, never between its backslash-continued lines, or they cut the command short.)
# Basic certificate files; the CA is mandatory.
# The main parameters in a kubeconfig are the API server address, here 127.0.0.1:6443 on the local machine,
# because the API server's high availability is provided by a proxy on the local machine rather than by
# accessing the API server directly. That is why the address is 127.0.0.1.
kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=${instance}.kubeconfig
# Node-specific certificates.
kubectl config set-credentials system:node:${instance} \
--client-certificate=${instance}.pem \
--client-key=${instance}-key.pem \
--embed-certs=true \
--kubeconfig=${instance}.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=system:node:${instance} \
--kubeconfig=${instance}.kubeconfig
kubectl config use-context default --kubeconfig=${instance}.kubeconfig
done
# After running the commands above, compare your output with the following; it should match.
Cluster "kubernetes" set.
User "system:node:node-2" set.
Context "default" created.
Switched to context "default".
Cluster "kubernetes" set.
User "system:node:node-3" set.
Context "default" created.
Switched to context "default".
[root@node-1 pki]# ll | grep kubeconfig
-rw------- 1 root root 6369 Nov 3 20:32 node-2.kubeconfig
-rw------- 1 root root 6365 Nov 3 20:32 node-3.kubeconfig
Kube-proxy
[root@node-1 pki]# pwd
/root/pki
[root@node-1 pki]# kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=kube-proxy.kubeconfig
Cluster "kubernetes" set.
[root@node-1 pki]# kubectl config set-credentials system:kube-proxy \
--client-certificate=kube-proxy.pem \
--client-key=kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
User "system:kube-proxy" set.
[root@node-1 pki]# kubectl config set-context default \
--cluster=kubernetes \
--user=system:kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
Context "default" created.
[root@node-1 pki]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
Switched to context "default".
[root@node-1 pki]# ll | grep kube-proxy
-rw-r--r-- 1 root root 1009 Nov 3 15:25 kube-proxy.csr
-rw-r--r-- 1 root root 214 Nov 3 15:25 kube-proxy-csr.json
-rw------- 1 root root 1675 Nov 3 15:25 kube-proxy-key.pem
-rw------- 1 root root 6295 Nov 3 21:05 kube-proxy.kubeconfig
-rw-r--r-- 1 root root 1407 Nov 3 15:25 kube-proxy.pem
Kube-controller-manager
[root@node-1 pki]# kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=kube-controller-manager.kubeconfig
Cluster "kubernetes" set.
[root@node-1 pki]# kubectl config set-credentials system:kube-controller-manager \
--client-certificate=kube-controller-manager.pem \
--client-key=kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=kube-controller-manager.kubeconfig
User "system:kube-controller-manager" set.
[root@node-1 pki]# kubectl config set-context default \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=kube-controller-manager.kubeconfig
Context "default" created.
[root@node-1 pki]# kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
Switched to context "default".
[root@node-1 pki]# ll | grep kube-controller-manager
-rw-r--r-- 1 root root 1066 Nov 3 15:21 kube-controller-manager.csr
-rw-r--r-- 1 root root 286 Nov 3 15:21 kube-controller-manager-csr.json
-rw------- 1 root root 1679 Nov 3 15:21 kube-controller-manager-key.pem
-rw------- 1 root root 6401 Nov 3 21:12 kube-controller-manager.kubeconfig
-rw-r--r-- 1 root root 1464 Nov 3 15:21 kube-controller-manager.pem
Kube-scheduler
[root@node-1 pki]# kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=kube-scheduler.kubeconfig
Cluster "kubernetes" set.
[root@node-1 pki]# kubectl config set-credentials system:kube-scheduler \
--client-certificate=kube-scheduler.pem \
--client-key=kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=kube-scheduler.kubeconfig
User "system:kube-scheduler" set.
[root@node-1 pki]# kubectl config set-context default \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=kube-scheduler.kubeconfig
Context "default" created.
[root@node-1 pki]# kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
Switched to context "default".
[root@node-1 pki]# ll |grep kube-scheduler
-rw-r--r-- 1 root root 1041 Nov 3 15:30 kube-scheduler.csr
-rw-r--r-- 1 root root 268 Nov 3 15:30 kube-scheduler-csr.json
-rw------- 1 root root 1675 Nov 3 15:30 kube-scheduler-key.pem
-rw------- 1 root root 6347 Nov 3 21:14 kube-scheduler.kubeconfig
-rw-r--r-- 1 root root 1440 Nov 3 15:30 kube-scheduler.pem
Admin user configuration
[root@node-1 pki]# kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=admin.kubeconfig
Cluster "kubernetes" set.
[root@node-1 pki]# kubectl config set-credentials admin \
--client-certificate=admin.pem \
--client-key=admin-key.pem \
--embed-certs=true \
--kubeconfig=admin.kubeconfig
User "admin" set.
[root@node-1 pki]# kubectl config set-context default \
--cluster=kubernetes \
--user=admin \
--kubeconfig=admin.kubeconfig
Context "default" created.
[root@node-1 pki]# kubectl config use-context default --kubeconfig=admin.kubeconfig
Switched to context "default".
[root@node-1 pki]# ll |grep admin
-rw-r--r-- 1 root root 1009 Nov 3 15:11 admin.csr
-rw-r--r-- 1 root root 213 Nov 3 15:11 admin-csr.json
-rw------- 1 root root 1679 Nov 3 15:11 admin-key.pem
-rw------- 1 root root 6275 Nov 3 21:15 admin.kubeconfig
-rw-r--r-- 1 root root 1407 Nov 3 15:11 admin.pem
Distributing the configuration files
[root@node-1 pki]# ll | grep kubeconfig
-rw------- 1 root root 6271 Dec 22 18:21 admin.kubeconfig
-rw------- 1 root root 6397 Dec 22 18:14 kube-controller-manager.kubeconfig
-rw------- 1 root root 6299 Dec 22 18:13 kube-proxy.kubeconfig
-rw------- 1 root root 6347 Dec 22 18:19 kube-scheduler.kubeconfig
-rw------- 1 root root 6369 Dec 22 18:12 node-2.kubeconfig
-rw------- 1 root root 6365 Dec 22 18:12 node-3.kubeconfig
# 6.1 Distribute the kubeconfigs needed by the kubelet and kube-proxy to every worker node
[root@node-1 pki]# WORKERS="node-2 node-3"
[root@node-1 pki]# for instance in ${WORKERS}; do
scp ${instance}.kubeconfig kube-proxy.kubeconfig ${instance}:~/
done
node-2.kubeconfig 100% 6369 6.0MB/s 00:00
kube-proxy.kubeconfig 100% 6295 4.6MB/s 00:00
node-3.kubeconfig 100% 6365 4.8MB/s 00:00
kube-proxy.kubeconfig 100% 6295 5.3MB/s 00:00
[root@node-2 ~]# ll |grep kubeconfig
-rw------- 1 root root 6295 Nov 3 21:19 kube-proxy.kubeconfig
-rw------- 1 root root 6369 Nov 3 21:19 node-2.kubeconfig
[root@node-3 ~]# ll |grep kubeconfig
-rw------- 1 root root 6295 Nov 3 21:19 kube-proxy.kubeconfig
-rw------- 1 root root 6365 Nov 3 21:19 node-3.kubeconfig
# 6.2 Distribute the kubeconfigs needed by kube-controller-manager and kube-scheduler (together with admin.kubeconfig) to the master nodes
[root@node-1 pki]# MASTERS="node-1 node-2"
[root@node-1 pki]# for instance in ${MASTERS}; do
scp admin.kubeconfig kube-controller-manager.kubeconfig kube-scheduler.kubeconfig ${instance}:~/
done
admin.kubeconfig 100% 6275 18.1MB/s 00:00
kube-controller-manager.kubeconfig 100% 6401 13.6MB/s 00:00
kube-scheduler.kubeconfig 100% 6347 13.7MB/s 00:00
admin.kubeconfig 100% 6275 3.8MB/s 00:00
kube-controller-manager.kubeconfig 100% 6401 4.8MB/s 00:00
kube-scheduler.kubeconfig 100% 6347 9.0MB/s 00:00
[root@node-1 pki]# ll ~|grep kubeconfig
-rw------- 1 root root 6275 Nov 3 21:20 admin.kubeconfig
-rw------- 1 root root 6401 Nov 3 21:20 kube-controller-manager.kubeconfig
-rw------- 1 root root 6347 Nov 3 21:20 kube-scheduler.kubeconfig
[root@node-2 ~]# ll ~|grep kubeconfig
-rw------- 1 root root 6275 Nov 3 21:20 admin.kubeconfig
-rw------- 1 root root 6401 Nov 3 21:20 kube-controller-manager.kubeconfig
-rw------- 1 root root 6295 Nov 3 21:19 kube-proxy.kubeconfig
-rw------- 1 root root 6347 Nov 3 21:20 kube-scheduler.kubeconfig
-rw------- 1 root root 6369 Nov 3 21:19 node-2.kubeconfig
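The two procedures above, building a component kubeconfig (the kubelet loop) and copying the files out to the nodes, as an added example that is not part of the original post: a POSIX sh script that writes the same kubeconfig structure that `kubectl config set-cluster / set-credentials / set-context --embed-certs=true` produces, plus a check to run on each file before `scp` copies it to a node. The function names `make_kubeconfig` and `check_kubeconfig` are chosen here; it assumes the file names used on the page and substitutes constructed placeholder PEM files (not real certificates or keys) so that it runs offline.

```sh
#!/bin/sh
# Added example, not part of the original post. Assumes the file names used on the
# page (ca.pem, <node>.pem, <node>-key.pem, <node>.kubeconfig); make_kubeconfig and
# check_kubeconfig are names chosen here, not kubectl subcommands.

# Single-line base64 of a file; works with GNU and BSD base64.
b64() { base64 < "$1" | tr -d '\n'; }

# make_kubeconfig CLUSTER SERVER CA_PEM USER CLIENT_PEM CLIENT_KEY OUT
# Writes what `kubectl config ... --embed-certs=true` writes: a cluster entry
# (CA + server), a user entry (client cert + key) and a context tying them together.
make_kubeconfig() {
  cluster=$1; server=$2; ca=$3; user=$4; cert=$5; key=$6; out=$7
  rm -f "$out"
  # The file embeds a private key, so create it with mode 0600. The umask runs
  # in a subshell so the caller's umask is left unchanged.
  (
    umask 077
    cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority-data: $(b64 "$ca")
users:
- name: ${user}
  user:
    client-certificate-data: $(b64 "$cert")
    client-key-data: $(b64 "$key")
contexts:
- name: default
  context:
    cluster: ${cluster}
    user: ${user}
current-context: default
EOF
  )
}

# check_kubeconfig FILE USER SERVER
# Returns 0 only if FILE is private (0600), its default context uses USER, it
# points at SERVER and it carries an embedded client key. Run it before scp.
check_kubeconfig() {
  f=$1; user=$2; server=$3
  [ -f "$f" ] || { echo "$f: missing"; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  [ "$mode" = "600" ] || { echo "$f: mode $mode, expected 600"; return 1; }
  grep -q "^    user: ${user}\$" "$f" || { echo "$f: context does not use ${user}"; return 1; }
  grep -q "^    server: ${server}\$" "$f" || { echo "$f: server is not ${server}"; return 1; }
  grep -q '^    client-key-data: .' "$f" || { echo "$f: no embedded client key"; return 1; }
  return 0
}

# Constructed placeholder PEM files (not real certificates or keys) so the example
# runs offline; in the real workflow these are the files from the certificate section.
demo_dir=$(mktemp -d)
for n in ca node-2 node-2-key; do
  printf '%s\n' '-----BEGIN PLACEHOLDER-----' "$n" '-----END PLACEHOLDER-----' > "${demo_dir}/${n}.pem"
done

# Same loop shape as the page's kubelet section: one kubeconfig per worker, user
# system:node:<hostname>, server pointing at the local apiserver proxy.
WORKERS="node-2"
for instance in ${WORKERS}; do
  make_kubeconfig kubernetes https://127.0.0.1:6443 "${demo_dir}/ca.pem" \
    "system:node:${instance}" "${demo_dir}/${instance}.pem" "${demo_dir}/${instance}-key.pem" \
    "${demo_dir}/${instance}.kubeconfig"
  check_kubeconfig "${demo_dir}/${instance}.kubeconfig" "system:node:${instance}" \
    https://127.0.0.1:6443 && echo "${instance}.kubeconfig OK, safe to copy"
done
```

Call `check_kubeconfig` on each file inside the distribution loop and let `scp` run only when it returns 0. Keep in mind that the identity the apiserver sees comes from the embedded certificate, not from the `name:` field: for a kubelet the certificate subject has to be CN=system:node:&lt;hostname&gt; with O=system:nodes, which `openssl x509 -noout -subject` on the decoded `client-certificate-data` confirms; this script only checks that the context user, the server and the file mode are what you intended.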
Title: Kubernetes (5) kubernetes-the-hard-way (5.3) Authentication configuration for each Kubernetes component (using certificates)
Author: yazong
URL: https://blog.llyweb.com/articles/2022/11/03/1667482834270.html