1. Certificate
In the previous article we built our own certificates in order to get heapster working: go to the /var/run/kubernetes/ directory on the master machine and run the following commands:
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=abc.com" -days 5000 -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=kubernetes" -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 5000
The /CN in the first -subj can be anything. The /CN in the second -subj must be the hostname of the machine where the apiserver runs (if the API is only used by in-cluster services, you can fill in kubernetes here). It is recommended that the two /CN values differ: in testing, when they were the same the signature was invalid. To find the hostname, run on that machine:
echo $HOSTNAME
and use the output as the CN.
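The five openssl commands above, wrapped in a shell function together with the check that curl --cacert will later perform (does server.crt chain to ca.crt, and is its CN the hostname we expect). This is an added example, not code from the original article; it assumes openssl is on PATH, and the output directory and the two CN values are passed as arguments (the article's are /var/run/kubernetes, abc.com and kubernetes).

```shell
#!/bin/sh
# Added example, not from the original article: the article's certificate
# generation as a function, plus a local verification step. Assumes openssl
# is installed; directory and CN values are supplied by the caller.
set -e

# make_certs DIR CA_CN SERVER_CN
# Writes ca.key, ca.crt, server.key, server.csr and server.crt into DIR.
make_certs() {
  dir=$1; ca_cn=$2; server_cn=$3
  # The article's rule: the CA CN and the server CN must not be identical.
  if [ "$ca_cn" = "$server_cn" ]; then
    echo "CA CN and server CN must differ" >&2
    return 1
  fi
  mkdir -p "$dir"
  # Self-signed CA; its CN is arbitrary.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ca.key" -subj "/CN=$ca_cn" \
    -days 5000 -out "$dir/ca.crt" 2>/dev/null
  # Server key and CSR; the CN is the hostname clients will put in the URL.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=$server_cn" \
    -out "$dir/server.csr" 2>/dev/null
  # Sign the CSR with the CA.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/server.crt" -days 5000 2>/dev/null
}

# verify_chain CA_CRT SERVER_CRT: succeeds only if SERVER_CRT was signed by
# CA_CRT. This is the check curl --cacert ca.crt performs against the apiserver,
# so running it here catches a wrong or stale ca.crt before it is copied around.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CRT: print the certificate's CN so it can be compared with the
# hostname used in the URL (and in the client's hosts file).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}
```

Usage, mirroring the article: `make_certs /var/run/kubernetes abc.com kubernetes`, then `verify_chain /var/run/kubernetes/ca.crt /var/run/kubernetes/server.crt` should succeed and `cert_cn /var/run/kubernetes/server.crt` should print the hostname you will put in the curl URL. A server.crt verified against a ca.crt from a different CA fails, which is exactly what curl will report if the wrong ca.crt is copied to a client.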
Add to the startup parameters of apiserver:
--admission_control=ServiceAccount (with this parameter, k8s creates at least one secret in every namespace; a secret is a storage medium that can hold certificates, tokens and even configuration files)
--client_ca_file=/var/run/kubernetes/ca.crt (with this parameter, ca.crt is recorded in the default secret of every namespace)
--tls-private-key-file=/var/run/kubernetes/server.key
--tls-cert-file=/var/run/kubernetes/server.crt
Add to the startup parameters of controller-manager:
--service_account_private_key_file=/var/run/kubernetes/server.key
--root-ca-file="/var/run/kubernetes/ca.crt"
What we want is to call the apiserver's HTTPS API from any machine that can reach the master (ping it to check). For that we must:
1. Copy ca.crt to that machine;
2. On that machine, add a hosts entry mapping the master's IP to the master's hostname.
With that in place, we access the HTTPS API:
curl --cacert ca.crt -X GET https://vm-56-65:6443/api/v1/namespaces/default/pods -v
and the response is:
unauthorized.
This shows that we also need a token.
2. Token
There are many kinds of token; you can refer to these two articles:
http://wangzhezhe.github.io/b...
http://segmentfault.com/a/119...
Here we use the simplest one.
On the master, create a token file anywhere, for example:
/etc/kubernetes.io/heapster/token
Edit this file and write just three comma-separated strings:
huang123,huang,huang
Restart the apiserver with this additional startup parameter:
--token_auth_file=/etc/kubernetes.io/heapster/token
On the other machine, run the curl command again, this time adding an -H header:
curl --cacert ca.crt -X GET https://vm-56-65:6443/api/v1/namespaces/default/pods -H 'Authorization: Bearer huang123' -v
Did it work?
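What the apiserver does with the token file, reproduced locally so the file format and the header can be checked before restarting anything. This is an added example, not code from the original article: in the static token file each line is token,user,uid (Kubernetes also accepts an optional fourth column of quoted group names), and a request is accepted when the bearer token in its Authorization header equals the first column of some line. The file path and the values huang123,huang,huang are the article's; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: an awk model of
# --token_auth_file lookup. Assumes a POSIX sh and awk.
set -e

# write_token_file FILE: the article's one-line token file, written with
# restrictive permissions because the token is a plaintext credential.
write_token_file() {
  printf '%s\n' 'huang123,huang,huang' > "$1"
  chmod 600 "$1"
}

# lookup_token FILE TOKEN: print "user uid" for the matching line, or return 1
# (the "unauthorized" case) when no line's first column equals TOKEN.
# Only the first three columns are used, so a fourth quoted groups column
# containing commas does not disturb the lookup.
lookup_token() {
  awk -F, -v tok="$2" '
    NF < 3 { print "line " NR ": expected token,user,uid" > "/dev/stderr"; next }
    $1 == tok { print $2, $3; found = 1; exit }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# authorize FILE HEADER: take the Authorization header value as curl sends it
# ("Bearer huang123"), require the Bearer scheme, then look the token up.
authorize() {
  case $2 in
    "Bearer "*) lookup_token "$1" "${2#Bearer }" ;;
    *) return 1 ;;
  esac
}
```

With `write_token_file /etc/kubernetes.io/heapster/token`, `authorize /etc/kubernetes.io/heapster/token 'Bearer huang123'` prints `huang huang` (the user and uid the apiserver would attach to the request), while a wrong token or a non-Bearer scheme returns 1, which is the curl "unauthorized" outcome seen above.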
https://segmentfault.com/a/1190000003115642