In most cases certificates are needed for secure access to a service (that is, HTTPS access). In a Kubernetes cluster, when anonymous access is disabled and HTTPS access with mutual TLS authentication is enabled, the apiserver must also verify that each client is legitimate: for example, when a worker-node component accesses the apiserver over HTTPS. For that, kubeconfig authentication files must be generated for the components on the worker nodes so they can connect to the apiserver.
# Variables for this step. CA_DIR (the directory holding ca.pem and the per-component
# certificates and keys) is assumed to have been set in the earlier certificate
# generation step; SOFTWARE is the local download directory.
SOFTWARE=/root/software
PACKAGE=kubernetes-server-v1.12.0-linux-amd64.tar.gz
K8S_DOWNLOAD_URL=https://github.com/devops-apps/download/raw/master/kubernetes/$PACKAGE
K8S_CONF_PATH=/etc/k8s/kubernetes
K8S_KUBECONFIG_PATH=/etc/k8s/kubeconfig
KUBE_APISERVER=https://dev-kube-api.mo9.com
# Random 16-byte (32 hex character) token used for the kubelet TLS bootstrap
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
sudo wget $K8S_DOWNLOAD_URL -P $SOFTWARE
cd $SOFTWARE
tar -xzf $PACKAGE -C ./
# Only kubectl is needed from the server tarball for this step
cp -fp kubernetes/server/bin/kubectl /usr/local/sbin
mkdir -p $K8S_CONF_PATH $K8S_KUBECONFIG_PATH
# Static token file read by the apiserver (--token-auth-file), one entry per line:
# token,user name,user uid,"group1,group2"
cat > ${K8S_CONF_PATH}/token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
# kube-controller-manager: client certificate auth, CN=system:kube-controller-manager
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=${CA_DIR}/kube-controller-manager.pem \
--client-key=${CA_DIR}/kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config set-context system:kube-controller-manager \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config use-context system:kube-controller-manager \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
# kube-scheduler: client certificate auth, CN=system:kube-scheduler
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler \
--client-certificate=${CA_DIR}/kube-scheduler.pem \
--client-key=${CA_DIR}/kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config set-context system:kube-scheduler \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config use-context system:kube-scheduler \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
# kubelet bootstrap: token auth with the BOOTSTRAP_TOKEN written to token.csv above
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config set-credentials kubelet-bootstrap \
--token=${BOOTSTRAP_TOKEN} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config use-context default \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
# kube-proxy: client certificate auth, CN=kube-proxy
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
--client-certificate=${CA_DIR}/kube-proxy.pem \
--client-key=${CA_DIR}/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config use-context default \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
# kubectl (cluster administrator): client certificate auth, CN=admin
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config set-credentials admin \
--client-certificate=${CA_DIR}/admin.pem \
--client-key=${CA_DIR}/admin-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config use-context kubernetes \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
Note: a kubeconfig file is the authentication file used to connect securely to the apiserver.
Master nodes:
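A check worth running on each certificate-based kubeconfig before it is copied to a node, written here as an added example (not code from the original post): it assumes openssl and base64 are on PATH and that the file was produced by kubectl with --embed-certs=true, and it confirms that the embedded client certificate chains to the embedded CA and that its subject CN is the identity (system:kube-controller-manager, system:kube-scheduler, kube-proxy, admin) the apiserver will authenticate, since the RBAC bindings key on that exact name.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check a generated
# kubeconfig before copying it to a node. Assumes openssl and base64 are on
# PATH and that the file was written by kubectl with --embed-certs=true, so the
# *-data fields are one-line base64 values.
set -eu

# extract_field FILE KEY: print the base64 value of KEY (first match only)
extract_field() {
    sed -n "s/^ *$2: *//p" "$1" | head -n 1
}

# check_kubeconfig FILE EXPECTED_CN
#   0: client cert chains to the embedded CA and its CN equals EXPECTED_CN
#   1: chain verification failed   2: CN mismatch   3: no client cert embedded
check_kubeconfig() {
    kc="$1"; want="$2"
    cert=$(extract_field "$kc" client-certificate-data)
    if [ -z "$cert" ]; then
        echo "$kc: no client-certificate-data (token-based kubeconfig)" >&2
        return 3
    fi
    tmp=$(mktemp -d)
    extract_field "$kc" certificate-authority-data | base64 -d > "$tmp/ca.pem"
    printf '%s\n' "$cert" | base64 -d > "$tmp/client.pem"
    # The apiserver only accepts client certs issued by the CA in --client-ca-file;
    # the CA embedded here should be that same CA, so verify the chain against it.
    if ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/client.pem" >/dev/null 2>&1; then
        rm -rf "$tmp"; echo "$kc: client cert does not chain to CA" >&2; return 1
    fi
    # The subject CN becomes the authenticated username and O its groups; RBAC
    # bindings such as system:kube-controller-manager key on that exact name.
    subj=$(openssl x509 -in "$tmp/client.pem" -noout -subject -nameopt RFC2253)
    rm -rf "$tmp"
    cn=$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cn" != "$want" ]; then
        echo "$kc: CN '$cn' does not match expected '$want'" >&2; return 2
    fi
    echo "$kc: OK ($subj)"
}
```

bootstrap.kubeconfig carries a token rather than a certificate, so the function reports it as token-based (exit code 3) instead of checking a chain.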
cd $K8S_KUBECONFIG_PATH
ansible master_k8s_vgs -m copy -a \
"src=kube-controller-manager.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b
ansible master_k8s_vgs -m copy -a \
"src=kube-scheduler.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b
Worker nodes:
cd $K8S_KUBECONFIG_PATH
ansible worker_k8s_vgs -m copy -a \
"src=bootstrap.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b
ansible worker_k8s_vgs -m copy -a \
"src=kube-proxy.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b
With the authentication files for the Kubernetes cluster components created, the next step is the actual deployment of the cluster components, starting with the etcd cluster; see: Kubernetes cluster installation guide: etcd cluster deployment.