Testing access to the apiserver

Foreword

At this point the etcd cluster, kube-nginx + keepalived, and kube-apiserver have been installed.

You can now test that the installation so far is working normally.

Create the admin certificate and private key

kubectl communicates with the apiserver over https, and the apiserver authenticates and authorizes it based on the certificate kubectl presents. Since kubectl is a cluster management tool it needs the highest privileges, so an admin credential with the highest privileges is created here.

Create the certificate signing request

cd /opt/k8s/work
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "4Paradigm"
    }
  ]
}
EOF

###################
● O is system:masters; when kube-apiserver receives this certificate it sets the request's Group to system:masters
● The predefined ClusterRoleBinding cluster-admin binds the Group system:masters to the Role cluster-admin, which grants all API permissions
● This certificate is only used by kubectl as a client certificate, so the hosts field is empty

Generate the certificate and private key

cd /opt/k8s/work
cfssl gencert -ca=/opt/k8s/work/ca.pem \
  -ca-key=/opt/k8s/work/ca-key.pem \
  -config=/opt/k8s/work/ca-config.json \
  -profile=kubernetes admin-csr.json | cfssljson -bare admin
ls admin*
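The properties the notes above require of admin.pem (it chains to the cluster CA, carries CN=admin and O=system:masters, and has no SAN because hosts was empty) can be checked before the certificate is embedded in a kubeconfig. The script below is an added example, not from the original post; it assumes openssl is on the PATH and builds its own throwaway CA and certificates with openssl instead of using the cfssl output, and the "user" certificate with O=developers is a constructed negative case.

```shell
#!/bin/sh
# Added example (not from the original post): check that a generated admin client
# certificate matches what the notes above require: it chains to the cluster CA,
# carries CN=admin and O=system:masters (the group cluster-admin is bound to),
# and has no subjectAltName (hosts was empty, so it is a client-only cert).
# Returns 0 when every check passes, 1 at the first failure.
check_admin_cert() {
  ca="$1"; cert="$2"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $ca"; return 1; }
  subj=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline)
  echo "$subj" | grep -qE '^[[:space:]]*CN=admin$' \
    || { echo "FAIL: CN is not admin"; return 1; }
  echo "$subj" | grep -qE '^[[:space:]]*O=system:masters$' \
    || { echo "FAIL: O is not system:masters, so no cluster-admin mapping"; return 1; }
  if openssl x509 -in "$cert" -noout -text | grep -q 'Subject Alternative Name'; then
    echo "FAIL: a client cert with empty hosts must not carry a SAN"; return 1
  fi
  echo "OK: $cert is a valid admin client certificate"
}

# Constructed test PKI (hypothetical; made with openssl rather than cfssl): a CA,
# a correct admin cert, and a cert with another O to exercise the negative path.
make_test_pki() {
  dir=$(mktemp -d)
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = kubernetes-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1
  for entry in "admin|/C=CN/ST=BeiJing/L=BeiJing/O=system:masters/OU=4Paradigm/CN=admin" \
               "user|/O=developers/CN=admin"; do
    name=${entry%%|*}; subj=${entry#*|}
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -subj "$subj" \
      -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
      -CAcreateserial -days 1 -out "$dir/$name.pem" >/dev/null 2>&1
  done
  echo "$dir"
}
```

Against the real output of the cfssl step, run `check_admin_cert /opt/k8s/work/ca.pem /opt/k8s/work/admin.pem`; the O check is the one that matters most, since a certificate with any other O would not be mapped to cluster-admin.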

Create the kubeconfig file

kubeconfig is the configuration file for kubectl; it contains all the information needed to access the apiserver, such as the apiserver address, the CA certificate, and the client certificate to use.

cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
# Set the cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/k8s/work/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kubectl.kubeconfig
# Set the client authentication parameters
kubectl config set-credentials admin \
  --client-certificate=/opt/k8s/work/admin.pem \
  --client-key=/opt/k8s/work/admin-key.pem \
  --embed-certs=true \
  --kubeconfig=kubectl.kubeconfig
# Set the context parameters
kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=admin \
  --kubeconfig=kubectl.kubeconfig
# Set the default context
kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig

################
--certificate-authority: the root certificate used to verify the kube-apiserver certificate
--client-certificate, --client-key: the admin certificate and private key just generated, used when connecting to kube-apiserver
--embed-certs=true: embeds ca.pem and admin.pem into the generated kubectl.kubeconfig file (without it only the certificate file paths are written, and when the kubeconfig is later copied to other machines the certificates must be copied separately)

Distribute the kubeconfig file

Distribute it to all nodes on which the kubectl command will be used

cd /opt/k8s/work
source /opt/k8s/bin/environment.sh
for node_ip in ${NODE_IPS[@]}
  do
    echo ">>> ${node_ip}"
    ssh root@${node_ip} "mkdir -p ~/.kube"
    scp kubectl.kubeconfig root@${node_ip}:~/.kube/config
  done

# The file is saved as ~/.kube/config

Check the cluster status

[root@node01 work]# kubectl cluster-info
Kubernetes master is running at https://vip.k8s.com:8443

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
[root@node01 work]# kubectl get all --all-namespaces
NAMESPACE   NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
default     service/kubernetes   ClusterIP   10.254.0.1   <none>        443/TCP   98

[root@node01 work]# kubectl get cs
NAME                 STATUS      MESSAGE                                                                                     ERROR
scheduler            Unhealthy   Get http://127.0.0.1:10251/healthz: dial tcp 127.0.0.1:10251: connect: connection refused   
controller-manager   Unhealthy   Get http://127.0.0.1:10252/healthz: dial tcp 127.0.0.1:10252: connect: connection refused   
etcd-0               Healthy     {"health":"true"}                                                                           
etcd-2               Healthy     {"health":"true"}                                                                           
etcd-1               Healthy     {"health":"true"}

If an error is reported, check whether there is a problem with ~/.kube/config or with the certificate configuration. The scheduler and controller-manager show Unhealthy here because they have not been installed yet (see the Foreword); the etcd members are reachable and Healthy.

Grant kube-apiserver access to the kubelet API

When certain kubectl commands are executed, the apiserver forwards the request to the kubelet's https port. The RBAC rule defined here grants the user name in the apiserver's certificate (kubernetes.pem, CN: kubernetes) permission to access the kubelet API

kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes

If the operations above produce the same results as shown here, the previous installation steps are working normally and you can continue.

If not, carefully check every step; if that is not enough, you can contact me. My contact information is at the end of the article.

Origin www.cnblogs.com/winstom/p/11992140.html