温馨提示×

温馨提示×

您好,登录后才能下订单哦!

密码登录×
登录注册×
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》

kubernetes集群安装指南:客户端安装及各组件认证文件创建

发布时间:2020-07-31 02:24:31 来源:网络 阅读:463 作者:清白之年 栏目:云计算

大多情况,证书用于服务安全访问(即https访问)所需要,在kubernetes集群中,如果关闭了匿名访问,开启了集群HTTPS访问以及TLS双向认证;如:worker节点组件HTTPS访问apiserver服务时,Apiserver还需要验证客户端是否合法,此时就需要为worker节点上的组件生成kubeconfig认证文件用于连接apiserver。

1. 基本设置

1.1 变量设置
PACKAGE=kubernetes-server-v1.12.0-linux-amd64.tar.gz
K8S_DOWNLOAD_URL=https://github.com/devops-apps/download/raw/master/kubernetes/$PACKAGE
K8S_CONF_PATH=/etc/k8s/kubernetes
K8S_KUBECONFIG_PATH=/etc/k8s/kubeconfig
KUBE_APISERVER=https://dev-kube-api.mo9.com
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
1.2 kubectl、kubens工具集安装
sudo wget $K8S_DOWNLOAD_URL -P /root/software
cd $SOFTWARE 
tar -xzfkubernetes-server-v1.12.0-linux-amd64.tar.gz -C ./
cp -fp kubernetes/server/bin/{kubectl,kubens} /usr/local/sbin
1.3 创建认证文件存放目录
if [ ! -d "$K8S_CONF_PATH" ]; then
     mkdir -p $K8S_CONF_PATH
fi

if [ ! -d "$K8S_KUBECONFIG_PATH" ]; then
     mkdir -p $K8S_KUBECONFIG_PATH
fi

2. 创建 TLS Bootstrapping Token

cat > ${K8S_CONF_PATH}/token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
  • bootstrapping token文件主要用于为apiserver开启tocken认证而创建,如果没有开启apiserver token认证可以不用创建此文件;

3 kubeconfig文件创建

3.1 创建kube-controller-manager kubeconfig文件
kubectl config set-cluster kubernetes \
  --certificate-authority=${CA_DIR}/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig

kubectl config set-credentials system:kube-controller-manager \
  --client-certificate=${CA_DIR}/kube-controller-manager.pem \
  --client-key=${CA_DIR}/kube-controller-manager-key.pem \
  --embed-certs=true \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig

kubectl config set-context system:kube-controller-manager \
  --cluster=kubernetes \
  --user=system:kube-controller-manager \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig

kubectl config use-context system:kube-controller-manager \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
3.2 创建kube-shceduler kubeconfig文件
kubectl config set-cluster kubernetes \
  --certificate-authority=${CA_DIR}/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig

kubectl config set-credentials system:kube-scheduler \
  --client-certificate=${CA_DIR}/kube-scheduler.pem \
  --client-key=${CA_DIR}/kube-scheduler-key.pem \
  --embed-certs=true \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig

kubectl config set-context system:kube-scheduler \
  --cluster=kubernetes \
  --user=system:kube-scheduler \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig

kubectl config use-context system:kube-scheduler \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
3.3 创建kubelet bootstrapping kubeconfig文件
kubectl config set-cluster kubernetes \
  --certificate-authority=${CA_DIR}/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig

kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig

kubectl config use-context default \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
  • bootstrapping文件主要用于apiserver给kubelet证书做自动轮转,使用该文件,apiserver会自动给kubelet颁发服务端证书以及证书密钥,从而不必为kubelet证书
3.4 创建kube-proxy kubeconfig文件
kubectl config set-cluster kubernetes \
  --certificate-authority=${CA_DIR}/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig

kubectl config set-credentials kube-proxy \
  --client-certificate=${CA_DIR}/kube-proxy.pem \
  --client-key=${CA_DIR}/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig

kubectl config use-context default \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
3.5 创建kubectl kubeconfig文件
kubectl config set-cluster kubernetes \
  --certificate-authority=${CA_DIR}/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig

kubectl config set-credentials admin \
  --client-certificate=${CA_DIR}/admin.pem \
  --client-key=${CA_DIR}/admin-key.pem \
  --embed-certs=true \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig

kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=admin \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig

kubectl config use-context kubernetes \
  --kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
  • --certificate-authority:验证 kube-apiserver 证书的根证书;
  • --client-certificate、--client-key:刚生成的 admin 证书和私钥,连接 kube-apiserver 时使用;
  • --embed-certs=true:将 ca.pem 和 admin.pem 证书内容嵌入到生成的 kubectl.kubeconfig 文件中(不加时,写入的是证书文件路径);

备注:kubeconfig文件是用于安全连接apiserver服务的认证文件。

4 同步token文件及kubeconfig文件到相应的节点

  • master节点:

    cd $K8S_KUBECONFIG_PATH
    ansible master_k8s_vgs -m copy -a \
    "src=kube-controller-manager.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b
    ansible master_k8s_vgs -m copy -a \
    "src=kube-scheduler.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b
  • worker节点
    cd $K8S_KUBECONFIG_PATH
    ansible worker_k8s_vgs -m copy -a \
    "src=bootstrap.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b
    ansible worker_k8s_vgs -m copy -a \
    "src=kube-proxy.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b
  • kubeconfig文件主要用于各组件在通过https访问apiserver时所需要的认证的文件,该文件包括对应组件的服务端证书、证书私钥、ca根证书以及apiserver的访问地址

创建完kubernetes集群组件相关认证文件后,接下来正式部署kubernetes集群相关组件etcd集群,请参考:kubernetes集群安装指南:etcd集群部署

向AI问一下细节

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

AI