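1、kubectl 默认通过 127.0.0.1:8080 端口访问 apiserver,这个地址在前面 apiserver 的配置文件里已经定义。在 master 上通过 http 访问 apiserver,而在其他节点上通过 https 访问。注意:8080 是 apiserver 的非安全端口,走这个端口的请求不经过认证和授权,所以它只应监听在 127.0.0.1,不要暴露给其他主机。
在 master 上可以看到 apiserver 监听的 6443 端口,它用于通过 https 访问集群接口: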
[root@k8s-master-101 ~]# netstat -tlunp | grep 6443
tcp 0 0 10.0.0.101:6443 0.0.0.0:* LISTEN 12913/kube-apiserve
[root@k8s-master-101 ~]# kubectl -s 127.0.0.1:8080 get node
NAME STATUS ROLES AGE VERSION
10.0.0.102 Ready <none> 19d v1.12.2
10.0.0.103 Ready <none> 19d v1.12.2
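2、在 master 上将 kubectl 和 admin 证书(包括私钥 admin-key.pem)复制到 node 上。注意:谁能读到 admin 私钥,谁就能以该管理员身份访问 apiserver;node 一旦被入侵,这份凭据也会随之泄露。生产环境建议只把它保存在专用的管理机上,或者给 node 使用权限更小的凭据。(下面 scp 命令里的 “[email protected]” 是页面邮箱保护功能替换后留下的残留,原文应是 scp 的目标 用户@node地址。)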
[root@k8s-master-101 ~]# scp /opt/kubernetes/bin/kubectl [email protected]:/usr/bin/
kubectl 100% 55MB 18.2MB/s 00:03
[root@k8s-master-101 ~]# scp /opt/kubernetes/bin/kubectl [email protected]:/usr/bin/
kubectl 100% 55MB 54.6MB/s 00:01
[root@k8s-master-101 ~]# scp /opt/kubernetes/ssl/admin*pem [email protected]:/root/
admin-key.pem 100% 1675 92.3KB/s 00:00
admin.pem 100% 1407 445.5KB/s 00:00
[root@k8s-master-101 ~]# scp /opt/kubernetes/ssl/admin*pem [email protected]:/root/
admin-key.pem 100% 1675 1.2MB/s 00:00
admin.pem
3、在两台 node 上都执行以下命令,配置 kubectl 使用证书通过 https 访问 apiserver
# Copy the cluster CA certificate into the current directory (the session shown here runs in /root).
cp /opt/kubernetes/ssl/ca.pem .
# Define the cluster entry "kubernetes" in the kubeconfig: the apiserver's HTTPS
# endpoint plus the CA certificate kubectl uses to verify the apiserver's certificate.
# The kubeconfig records the path to ca.pem, not its contents, so the file must stay in place.
kubectl config set-cluster kubernetes \
  --certificate-authority=ca.pem \
  --server=https://10.0.0.101:6443
执行后会在 .kube 文件夹下生成 config 文件,可以用 ls .kube/ 查看
[root@k8s-node1-102 ~]# ls .kube/
config
[root@k8s-node1-102 ~]# cat .kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /root/ca.pem
    server: https://10.0.0.101:6443
  name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
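# Restrict the admin private key to its owner: anyone who can read this file can
# authenticate to the apiserver as the admin identity (presumably cluster-wide
# admin rights -- confirm against the certificate's subject).
chmod 600 admin-key.pem
# Register the user entry "cluster-admin" with the admin client certificate and key.
# --certificate-authority is not passed here: the CA belongs to the cluster entry
# (set-cluster), and the resulting users entry only records client-certificate
# and client-key, so the flag appears to have no effect on this command.
kubectl config set-credentials cluster-admin --client-certificate=admin.pem --client-key=admin-key.pem
# Create the context "default", tying the "kubernetes" cluster to the "cluster-admin" user.
kubectl config set-context default --cluster=kubernetes --user=cluster-admin
# Make "default" the current context so a plain `kubectl` uses it.
kubectl config use-context default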
#最后测试一下
[root@k8s-node1-102 ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
10.0.0.102 Ready <none> 19d v1.12.2
10.0.0.103 Ready <none> 19d v1.12.2
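4、这时候配置文件里已经指定了要访问的 master 地址(server)、用于校验 apiserver 的 CA 证书,以及用户的客户端证书和私钥。配置里记录的是证书文件的路径而不是内容,所以 /root 下的 ca.pem、admin.pem、admin-key.pem 不能删除或移动。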
[root@k8s-node1-102 ~]# cat .kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /root/ca.pem
    server: https://10.0.0.101:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: cluster-admin
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: cluster-admin
  user:
    client-certificate: /root/admin.pem
    client-key: /root/admin-key.pem