大多数据情况,证书大都用于开启服务安全访问(即https访问)所需要,在kubernetes集群中,证书处了用于组件https服务开启,还用于各组件间TLS双向认证,如worker节点组件基于https访问apiserver时,apiserver还需要验证客户是否合法,此时就需要为worker节点上的组件生成kubeconfig文件用于连接apiserver。
1. 基本设置
变量设置
K8S_KUBECONFIG_PATH=/etc/k8s/kubeconfig
K8S_CONF_PATH=/etc/k8s/kubernetes
CA_DIR=/etc/k8s/ssl
KUBE_APISERVER=https://dev-kube-api.mo9.com
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
kubectl、kubens工具集安装
tocken文件创建及同步
cat > ${K8S_CONF_PATH}/token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
同步
ansible master_k8s_vgs -m copy -a "src=${K8S_CONF_PATH}/token.csv dest=${K8S_CONF_PATH}/" -b
kubeconfig文件创建
生成kubeconfig目录路径
# 1.Check if directory exists .
if [ ! -d "$K8S_KUBECONFIG_PATH" ]; then
mkdir -p $K8S_KUBECONFIG_PATH
chmod 755 $K8S_KUBECONFIG_PATH
fi
创建kube-controller-manager kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=${CA_DIR}/kube-controller-manager.pem \
--client-key=${CA_DIR}/kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config set-context system:kube-controller-manager \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config use-context system:kube-controller-manager \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
创建kube-shceduler kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler \
--client-certificate=${CA_DIR}/kube-scheduler.pem \
--client-key=${CA_DIR}/kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config set-context system:kube-scheduler \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config use-context system:kube-scheduler \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
创建kubelet bootstrapping kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config set-credentials kubelet-bootstrap \
--token=${BOOTSTRAP_TOKEN} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config use-context default \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
创建kube-proxy kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
--client-certificate=${CA_DIR}/kube-proxy.pem \
--client-key=${CA_DIR}/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config use-context default \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
创建kubectl kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config set-credentials admin \
--client-certificate=${CA_DIR}/admin.pem \
--client-key=${CA_DIR}/admin-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config use-context kubernetes \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig