
Kubernetes (5) kubernetes-the-hard-way approach (5.3): authentication configuration of the Kubernetes components (using certificates)


The K8S certificates were set up in the previous section; how do the K8S components actually use them?

K8S components use certificates in a great many situations, so K8S defines a standard configuration file for how they are used, called a kubeconfig. A Kubernetes authentication configuration file, or kubeconfig, lets a Kubernetes client locate the kube-apiserver and pass the apiserver's security authentication.

Next we generate the kubeconfigs for each component: controller-manager, kubelet, kube-proxy, scheduler, and the admin user.

The following commands must be run in the same directory as the previous section, "Generating the certificates".

# Generate the security-authentication configuration for each component in this directory

[root@node-1 pki]# pwd

/root/pki

Kubelet

# The kubelet runs on the worker nodes. For each node, run the kubectl config commands; through a series of parameters the kubeconfig file is built step by step.

# Generate the kubelet kubeconfig.

# Specify your worker list (hostnames), space-separated.
# Note that only the kubelet needs a loop, since a kubeconfig has to be generated for every node; the other components need only one, which every node can use.
# The basic certificate files: the CA is mandatory.
# The main parameter in the kubeconfig is the API SERVER address. Here it is port 6443 on the local host, because high availability for the API SERVER is provided by a proxy on the local host rather than by direct access to the API SERVER. The local address proxies the API SERVER, so the address here is 127.0.0.1.
# (Comments may not be placed between the backslash-continued lines of a command; they are kept above each command here.)
[root@node-1 pki]# WORKERS="node-2 node-3"
[root@node-1 pki]# for instance in ${WORKERS}; do
  kubectl config set-cluster kubernetes \
    --certificate-authority=ca.pem \
    --embed-certs=true \
    --server=https://127.0.0.1:6443 \
    --kubeconfig=${instance}.kubeconfig
  # The node's own certificate and key.
  kubectl config set-credentials system:node:${instance} \
    --client-certificate=${instance}.pem \
    --client-key=${instance}-key.pem \
    --embed-certs=true \
    --kubeconfig=${instance}.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes \
    --user=system:node:${instance} \
    --kubeconfig=${instance}.kubeconfig

  kubectl config use-context default --kubeconfig=${instance}.kubeconfig
done

# After running the above, compare your output with the following to check that it matches
Cluster "kubernetes" set.
User "system:node:node-2" set.
Context "default" created.
Switched to context "default".
Cluster "kubernetes" set.
User "system:node:node-3" set.
Context "default" created.
Switched to context "default".

[root@node-1 pki]# ll | grep kubeconfig
-rw------- 1 root root 6369 Nov  3 20:32 node-2.kubeconfig
-rw------- 1 root root 6365 Nov  3 20:32 node-3.kubeconfig

Kube-proxy

[root@node-1 pki]# pwd
/root/pki

[root@node-1 pki]# kubectl config set-cluster kubernetes \
    --certificate-authority=ca.pem \
    --embed-certs=true \
    --server=https://127.0.0.1:6443 \
    --kubeconfig=kube-proxy.kubeconfig

Cluster "kubernetes" set.

[root@node-1 pki]# kubectl config set-credentials system:kube-proxy \
   --client-certificate=kube-proxy.pem \
   --client-key=kube-proxy-key.pem \
   --embed-certs=true \
   --kubeconfig=kube-proxy.kubeconfig

User "system:kube-proxy" set.

[root@node-1 pki]# kubectl config set-context default \
   --cluster=kubernetes \
   --user=system:kube-proxy \
   --kubeconfig=kube-proxy.kubeconfig

Context "default" created.

[root@node-1 pki]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig

Switched to context "default".

[root@node-1 pki]# ll | grep kube-proxy
-rw-r--r-- 1 root root 1009 Nov  3 15:25 kube-proxy.csr
-rw-r--r-- 1 root root  214 Nov  3 15:25 kube-proxy-csr.json
-rw------- 1 root root 1675 Nov  3 15:25 kube-proxy-key.pem
-rw------- 1 root root 6295 Nov  3 21:05 kube-proxy.kubeconfig
-rw-r--r-- 1 root root 1407 Nov  3 15:25 kube-proxy.pem

Kube-controller-manager

[root@node-1 pki]# kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:6443 \
  --kubeconfig=kube-controller-manager.kubeconfig

Cluster "kubernetes" set.

[root@node-1 pki]# kubectl config set-credentials system:kube-controller-manager \
  --client-certificate=kube-controller-manager.pem \
  --client-key=kube-controller-manager-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-controller-manager.kubeconfig

User "system:kube-controller-manager" set.

[root@node-1 pki]# kubectl config set-context default \
  --cluster=kubernetes \
  --user=system:kube-controller-manager \
  --kubeconfig=kube-controller-manager.kubeconfig

Context "default" created.

[root@node-1 pki]# kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig

Switched to context "default".

[root@node-1 pki]# ll | grep kube-controller-manager
-rw-r--r-- 1 root root 1066 Nov  3 15:21 kube-controller-manager.csr
-rw-r--r-- 1 root root  286 Nov  3 15:21 kube-controller-manager-csr.json
-rw------- 1 root root 1679 Nov  3 15:21 kube-controller-manager-key.pem
-rw------- 1 root root 6401 Nov  3 21:12 kube-controller-manager.kubeconfig
-rw-r--r-- 1 root root 1464 Nov  3 15:21 kube-controller-manager.pem

Kube-scheduler

[root@node-1 pki]# kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:6443 \
  --kubeconfig=kube-scheduler.kubeconfig

Cluster "kubernetes" set.

[root@node-1 pki]# kubectl config set-credentials system:kube-scheduler \
  --client-certificate=kube-scheduler.pem \
  --client-key=kube-scheduler-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-scheduler.kubeconfig

User "system:kube-scheduler" set.

[root@node-1 pki]# kubectl config set-context default \
  --cluster=kubernetes \
  --user=system:kube-scheduler \
  --kubeconfig=kube-scheduler.kubeconfig

Context "default" created.

[root@node-1 pki]# kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
Switched to context "default".

[root@node-1 pki]# ll |grep kube-scheduler
-rw-r--r-- 1 root root 1041 Nov  3 15:30 kube-scheduler.csr
-rw-r--r-- 1 root root  268 Nov  3 15:30 kube-scheduler-csr.json
-rw------- 1 root root 1675 Nov  3 15:30 kube-scheduler-key.pem
-rw------- 1 root root 6347 Nov  3 21:14 kube-scheduler.kubeconfig
-rw-r--r-- 1 root root 1440 Nov  3 15:30 kube-scheduler.pem

Admin user configuration

[root@node-1 pki]# kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:6443 \
  --kubeconfig=admin.kubeconfig

Cluster "kubernetes" set.

[root@node-1 pki]# kubectl config set-credentials admin \
  --client-certificate=admin.pem \
  --client-key=admin-key.pem \
  --embed-certs=true \
  --kubeconfig=admin.kubeconfig

User "admin" set.

[root@node-1 pki]# kubectl config set-context default \
  --cluster=kubernetes \
  --user=admin \
  --kubeconfig=admin.kubeconfig

Context "default" created.

[root@node-1 pki]# kubectl config use-context default --kubeconfig=admin.kubeconfig

Switched to context "default".

[root@node-1 pki]# ll |grep admin
-rw-r--r-- 1 root root 1009 Nov  3 15:11 admin.csr
-rw-r--r-- 1 root root  213 Nov  3 15:11 admin-csr.json
-rw------- 1 root root 1679 Nov  3 15:11 admin-key.pem
-rw------- 1 root root 6275 Nov  3 21:15 admin.kubeconfig
-rw-r--r-- 1 root root 1407 Nov  3 15:11 admin.pem
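The four kubectl config steps above are the same for every component; only the file name and the identity change. As an added example (not from the original post, and not kubectl's own code), the function below writes out a kubeconfig with the same fields that kubectl config ... --embed-certs=true produces, so that the content of the generated files is visible: the CA and the client certificate and key are base64-encoded inline, and the file is created with mode 0600 before any key material is written. It assumes the certificate names used in the post (<name>.pem, <name>-key.pem, ca.pem) and the local proxy address https://127.0.0.1:6443. kubectl orders the keys alphabetically and adds a preferences field; the content is otherwise equivalent.

```shell
#!/usr/bin/env bash
# Added example: hand-written equivalent of the "kubectl config" steps in the
# post, to show what an embedded-certificate kubeconfig contains.
# Assumptions: cert files are named as in the post; the API server address is
# the local proxy used in the post.
set -eu

API_SERVER="https://127.0.0.1:6443"

# b64 FILE: base64-encode a file on one line (this is what --embed-certs does).
b64() {
  base64 < "$1" | tr -d '\n'
}

# write_kubeconfig OUT USER CERT KEY CA
# Writes OUT with the cluster "kubernetes", the user USER backed by CERT/KEY,
# a context "default" and current-context "default". The file is created
# with mode 0600 first, because the embedded client key is a credential.
write_kubeconfig() {
  out=$1; user=$2; cert=$3; key=$4; ca=$5
  for f in "$cert" "$key" "$ca"; do
    [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
  done
  rm -f "$out"
  (umask 077; : > "$out")
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    certificate-authority-data: $(b64 "$ca")
    server: ${API_SERVER}
users:
- name: ${user}
  user:
    client-certificate-data: $(b64 "$cert")
    client-key-data: $(b64 "$key")
contexts:
- name: default
  context:
    cluster: kubernetes
    user: ${user}
current-context: default
EOF
}

# generate_all "WORKERS": one kubeconfig per kubelet (identity system:node:<host>),
# and one shared file each for kube-proxy, controller-manager, scheduler and admin.
generate_all() {
  for instance in $1; do
    write_kubeconfig "${instance}.kubeconfig" "system:node:${instance}" \
      "${instance}.pem" "${instance}-key.pem" ca.pem
  done
  write_kubeconfig kube-proxy.kubeconfig system:kube-proxy \
    kube-proxy.pem kube-proxy-key.pem ca.pem
  write_kubeconfig kube-controller-manager.kubeconfig system:kube-controller-manager \
    kube-controller-manager.pem kube-controller-manager-key.pem ca.pem
  write_kubeconfig kube-scheduler.kubeconfig system:kube-scheduler \
    kube-scheduler.pem kube-scheduler-key.pem ca.pem
  write_kubeconfig admin.kubeconfig admin admin.pem admin-key.pem ca.pem
}
```

Run `generate_all "node-2 node-3"` inside the pki directory; the resulting files can be compared field by field with the ones kubectl wrote above.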

Distributing the configuration files

[root@node-1 pki]# ll | grep kubeconfig
-rw------- 1 root root 6271 Dec 22 18:21 admin.kubeconfig
-rw------- 1 root root 6397 Dec 22 18:14 kube-controller-manager.kubeconfig
-rw------- 1 root root 6299 Dec 22 18:13 kube-proxy.kubeconfig
-rw------- 1 root root 6347 Dec 22 18:19 kube-scheduler.kubeconfig
-rw------- 1 root root 6369 Dec 22 18:12 node-2.kubeconfig
-rw------- 1 root root 6365 Dec 22 18:12 node-3.kubeconfig

# 6.1 Distribute the kubeconfigs needed by kubelet and kube-proxy to each worker node

[root@node-1 pki]# WORKERS="node-2 node-3"
[root@node-1 pki]# for instance in ${WORKERS}; do
    scp ${instance}.kubeconfig kube-proxy.kubeconfig ${instance}:~/
done

node-2.kubeconfig                                                                                 100% 6369     6.0MB/s   00:00  
kube-proxy.kubeconfig                                                                             100% 6295     4.6MB/s   00:00  
node-3.kubeconfig                                                                                 100% 6365     4.8MB/s   00:00  
kube-proxy.kubeconfig                                                                             100% 6295     5.3MB/s   00:00  

[root@node-2 ~]# ll |grep kubeconfig
-rw-------  1 root root 6295 Nov  3 21:19 kube-proxy.kubeconfig
-rw-------  1 root root 6369 Nov  3 21:19 node-2.kubeconfig

[root@node-3 ~]# ll |grep kubeconfig
-rw-------  1 root root 6295 Nov  3 21:19 kube-proxy.kubeconfig
-rw-------  1 root root 6365 Nov  3 21:19 node-3.kubeconfig

# 6.2 Distribute the kubeconfigs needed by kube-controller-manager and kube-scheduler to the master nodes

[root@node-1 pki]# MASTERS="node-1 node-2"
[root@node-1 pki]# for instance in ${MASTERS}; do
    scp admin.kubeconfig kube-controller-manager.kubeconfig kube-scheduler.kubeconfig ${instance}:~/
done

admin.kubeconfig                                                                                  100% 6275    18.1MB/s   00:00  
kube-controller-manager.kubeconfig                                                                100% 6401    13.6MB/s   00:00  
kube-scheduler.kubeconfig                                                                         100% 6347    13.7MB/s   00:00  
admin.kubeconfig                                                                                  100% 6275     3.8MB/s   00:00  
kube-controller-manager.kubeconfig                                                                100% 6401     4.8MB/s   00:00  
kube-scheduler.kubeconfig                                                                         100% 6347     9.0MB/s   00:00  


[root@node-1 pki]# ll ~|grep kubeconfig
-rw-------  1 root root      6275 Nov  3 21:20 admin.kubeconfig
-rw-------  1 root root      6401 Nov  3 21:20 kube-controller-manager.kubeconfig
-rw-------  1 root root      6347 Nov  3 21:20 kube-scheduler.kubeconfig


[root@node-2 ~]# ll ~|grep kubeconfig
-rw-------  1 root root 6275 Nov  3 21:20 admin.kubeconfig
-rw-------  1 root root 6401 Nov  3 21:20 kube-controller-manager.kubeconfig
-rw-------  1 root root 6295 Nov  3 21:19 kube-proxy.kubeconfig
-rw-------  1 root root 6347 Nov  3 21:20 kube-scheduler.kubeconfig
-rw-------  1 root root 6369 Nov  3 21:19 node-2.kubeconfig

Title: Kubernetes (5) kubernetes-the-hard-way approach (5.3): authentication configuration of the Kubernetes components (using certificates)
Author: yazong
URL: https://blog.llyweb.com/articles/2022/11/03/1667482834270.html