投稿
  1. 3A网络资讯门户首页
  2. 网络运维

K8S 中使用kubectl工具远程连接K8S集群

杰斯 网络运维 阅读 307

一、概述

一般情况下,在k8smaster节点上集群管理工具kubectl是连接的本地http8080端口和apiserver进行通讯的,

当然也可以通过https端口进行通讯前提是要生成证书。所以说kubectl不一定部署在master上,只要能和apiserver进行通讯,

所以你可以将kubectl部署在任何一台你想连接到集群的主机上,以下将介绍基于证书的kubectl部署方式,以下基于kubernets1.16部署

二、生成ca证书

如果已经有了ca证书那就不需要在生成了,只需要利用该证书生成admin证书即可,跳过此步骤直接看第三步骤,生成admin证书

使用cfssl自签证书

安装生成证书工具

[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl

[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson

[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo

[root@node1 ~ ]# chmod +x /usr/local/bin/cfssl*

创建证书目录:

[root@node1 ~]# mkdir /opt/kubernetes/ssl/

自建一个本地CA,生成ca证书, 准备配置文件:

[root@node1 ssl]# vim ca-csr.json

{
<span class="hljs-attr">"CN"</span>: <span class="hljs-string">"etcd CA"</span>,
<span class="hljs-attr">"key"</span>: {
<span class="hljs-attr">"algo"</span>: <span class="hljs-string">"rsa"</span>,
<span class="hljs-attr">"size"</span>: <span class="hljs-number">2048</span>
},
<span class="hljs-attr">"names"</span>: [
{
<span class="hljs-attr">"C"</span>: <span class="hljs-string">"CN"</span>,
<span class="hljs-attr">"L"</span>: <span class="hljs-string">"Beijing"</span>,
<span class="hljs-attr">"ST"</span>: <span class="hljs-string">"Beijing"</span>
     }
   ]
 }

[root@node1 ssl]# vim ca-config.json #证书过期时间默认是10年




{
<span class="hljs-attr">"signing"</span>: {
<span class="hljs-attr">"default"</span>: {
<span class="hljs-attr">"expiry"</span>: <span class="hljs-string">"87600h"</span>
},
<span class="hljs-attr">"profiles"</span>: {
<span class="hljs-attr">"www"</span>: {
<span class="hljs-attr">"expiry"</span>: <span class="hljs-string">"87600h"</span>,
<span class="hljs-attr">"usages"</span>: [
<span class="hljs-string">"signing"</span>,
<span class="hljs-string">"key encipherment"</span>,
<span class="hljs-string">"server auth"</span>,
<span class="hljs-string">"client auth"</span>
]
          }
    }
}

执行命令生成ca文件:

[root@master1 cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
K8S 中使用kubectl工具远程连接K8S集群

三、生成admin证书

#如有ca证书(请忽略上面的ca证书生成步骤)

[root@node1 ssl]# ls ca*
<span class="hljs-selector-tag">ca-config</span><span class="hljs-selector-class">.json</span>   <span class="hljs-selector-tag">ca</span><span class="hljs-selector-class">.csr</span>   <span class="hljs-selector-tag">ca-csr</span><span class="hljs-selector-class">.json</span>   <span class="hljs-selector-tag">ca-key</span><span class="hljs-selector-class">.pem</span>   <span class="hljs-selector-tag">ca</span><span class="hljs-selector-class">.pem</span>

#拷贝之前生成的ca证书到本机的/admin目录下

[root@manager ~]# mkdir /admin
[root@manager ~]# scp root@192.168.31.63:/opt/kubernetes/ssl/ca* /admin
[root@manager admin]# ls ca*
<span class="hljs-selector-tag">ca-config</span><span class="hljs-selector-class">.json</span>   <span class="hljs-selector-tag">ca</span><span class="hljs-selector-class">.csr</span>   <span class="hljs-selector-tag">ca-csr</span><span class="hljs-selector-class">.json</span>   <span class="hljs-selector-tag">ca-key</span><span class="hljs-selector-class">.pem</span>   <span class="hljs-selector-tag">ca</span><span class="hljs-selector-class">.pem</span>

证书配置: 生成请求证书文件

[root@manager admin]# vim admin-csr.on
{
<span class="hljs-attr">"CN"</span>: <span class="hljs-string">"admin"</span>,
<span class="hljs-attr">"hosts"</span>: [],
<span class="hljs-attr">"key"</span>: {
<span class="hljs-attr">"algo"</span>: <span class="hljs-string">"rsa"</span>,
<span class="hljs-attr">"size"</span>: <span class="hljs-number">2048</span>
},
<span class="hljs-attr">"names"</span>: [
{
<span class="hljs-attr">"C"</span>: <span class="hljs-string">"CN"</span>,
<span class="hljs-attr">"L"</span>: <span class="hljs-string">"BeiJing"</span>,
<span class="hljs-attr">"ST"</span>: <span class="hljs-string">"BeiJing"</span>,
<span class="hljs-attr">"O"</span>: <span class="hljs-string">"system:masters"</span>,
<span class="hljs-attr">"OU"</span>: <span class="hljs-string">"System"</span>
        }
    ]
}

生成证书

[root@manager admin]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
<span class="hljs-number">2020</span><span class="hljs-string">/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-string">generate</span> <span class="hljs-string">received</span> <span class="hljs-string">request</span>
<span class="hljs-string">2020/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-string">received</span> <span class="hljs-string">CSR</span>
<span class="hljs-string">2020/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-attr">generating key:</span> <span class="hljs-string">rsa-2048</span>
<span class="hljs-string">2020/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-string">encoded</span> <span class="hljs-string">CSR</span>
<span class="hljs-string">2020/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-string">signed</span> <span class="hljs-string">certificate</span> <span class="hljs-string">with</span> <span class="hljs-string">serial</span> <span class="hljs-string">number</span> <span class="hljs-number">346834438687956883750356425567391001485757864749</span>
<span class="hljs-number">2020</span><span class="hljs-string">/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[WARNING]</span> <span class="hljs-string">This</span> <span class="hljs-string">certificate</span> <span class="hljs-string">lacks</span> <span class="hljs-string">a</span> <span class="hljs-string">"hosts"</span> <span class="hljs-string">field.</span> <span class="hljs-string">This</span> <span class="hljs-string">makes</span> <span class="hljs-string">it</span> <span class="hljs-string">unsuitable</span> <span class="hljs-string">for</span>
<span class="hljs-string">websites.</span> <span class="hljs-string">For</span> <span class="hljs-string">more</span> <span class="hljs-string">information</span> <span class="hljs-string">see</span> <span class="hljs-string">the</span> <span class="hljs-string">Baseline</span> <span class="hljs-string">Requirements</span> <span class="hljs-string">for</span> <span class="hljs-string">the</span> <span class="hljs-string">Issuance</span> <span class="hljs-string">and</span> <span class="hljs-string">Management</span>
<span class="hljs-string">of</span> <span class="hljs-string">Publicly-Trusted</span> <span class="hljs-string">Certificates,</span> <span class="hljs-string">v.1.1.6,</span> <span class="hljs-string">from</span> <span class="hljs-string">the</span> <span class="hljs-string">CA/Browser</span> <span class="hljs-string">Forum</span> <span class="hljs-string">(https://cabforum.org);</span>
<span class="hljs-string">specifically,</span> <span class="hljs-string">section</span> <span class="hljs-number">10.2</span><span class="hljs-number">.3</span> <span class="hljs-string">("Information</span> <span class="hljs-string">Requirements").</span>

查看证书

[root@manager admin]# ls admin*
<span class="hljs-selector-tag">admin</span><span class="hljs-selector-class">.csr</span>  <span class="hljs-selector-tag">admin-csr</span><span class="hljs-selector-class">.json</span>  <span class="hljs-selector-tag">admin-key</span><span class="hljs-selector-class">.pem</span>  <span class="hljs-selector-tag">admin</span><span class="hljs-selector-class">.pem</span>

四、配置kubectl配置文件

拷贝kubectl 二进制可执行文件 到目标机器

[root@manager admin]#scp root@192.168.31.63:/opt/kubernetes/bin/kubectl /usr/bin/

进入证书目录

[root@manager ~]# cd /admin

生成kubectl配置文件

[root@manager admin]# kubectl config set-cluster kubernetes –server=https://192.168.31.60:6443 –certificate-authority=ca.pem
Cluster <span class="hljs-string">"kubernetes"</span> <span class="hljs-built_in">set</span>.

设置用户项中cluster-admin用户证书认证字段

[root@manager admin]# kubectl config set-credentials cluster-admin –certificate-authority=ca.pem –client-key=admin-key.pem –client-certificate=admin.pem
User <span class="hljs-string">"cluster-admin"</span> <span class="hljs-built_in">set</span>.

设置默认上下文

[root@manager admin]# kubectl config set-context default –cluster=kubernetes –user=cluster-admin
<span class="hljs-attribute">Context</span> <span class="hljs-string">"default"</span> created.

设置当前环境的default

[root@manager admin]# kubectl config use-context default
<span class="hljs-attribute">Switched</span> to context <span class="hljs-string">"default"</span>.

查看配置文件

[root@manager admin]# cat /root/.kube/config
<span class="hljs-attribute">apiVersion</span>: <span class="hljs-attribute">v1</span><span class="hljs-attribute">clusters</span>:- <span class="hljs-attribute">cluster</span>:<span class="hljs-attribute">certificate-authority</span>: /admin/ca.<span class="hljs-attribute">pem</span><span class="hljs-attribute">server</span>: <span class="hljs-attribute">https</span>:<span class="hljs-comment">//192.168.31.60:6443</span><span class="hljs-comment">name: kubernetes</span><span class="hljs-comment">contexts:</span><span class="hljs-comment">- context:</span><span class="hljs-comment">cluster: kubernetes</span><span class="hljs-comment">user: cluster-admin</span><span class="hljs-comment">name: default</span><span class="hljs-comment">current-context: default</span><span class="hljs-comment">kind: Config</span><span class="hljs-comment">preferences: {}</span><span class="hljs-comment">users:</span><span class="hljs-comment">- name: cluster-admin</span><span class="hljs-comment">user:</span><span class="hljs-comment">client-certificate: /admin/admin.pem</span><span class="hljs-comment">client-key: /admin/admin-key.pem</span>

五、管理集群

[root@manager admin]# kubectl get nodes
<span class="hljs-selector-tag">NAME</span> <span class="hljs-selector-tag">STATUS</span> <span class="hljs-selector-tag">ROLES</span> <span class="hljs-selector-tag">AGE</span> <span class="hljs-selector-tag">VERSION</span><span class="hljs-selector-tag">node1</span> <span class="hljs-selector-tag">Ready</span> <<span class="hljs-selector-tag">none</span>> 19<span class="hljs-selector-tag">d</span> <span class="hljs-selector-tag">v1</span><span class="hljs-selector-class">.16</span><span class="hljs-selector-class">.0</span><span class="hljs-selector-class">node2</span> <span class="hljs-selector-tag">Ready</span> <<span class="hljs-selector-tag">none</span>> 19<span class="hljs-selector-tag">d</span> <span class="hljs-selector-tag">v1</span><span class="hljs-selector-class">.16</span><span class="hljs-selector-class">.0</span><span class="hljs-selector-class">node3</span> <span class="hljs-selector-tag">Ready</span> <<span class="hljs-selector-tag">none</span>> 9<span class="hljs-selector-tag">d</span> <span class="hljs-selector-tag">v1</span><span class="hljs-selector-class">.16</span><span class="hljs-selector-class">.0</span>
[root@manager admin]# kubectl get cs
<span class="hljs-attribute">NAME</span> STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-2 Healthy {<span class="hljs-string">"health"</span>:<span class="hljs-string">"true"</span>}
etcd-1 Healthy {<span class="hljs-string">"health"</span>:<span class="hljs-string">"true"</span>}
etcd-0 Healthy {<span class="hljs-string">"health"</span>:<span class="hljs-string">"true"</span>}

文章来源:https://www.cnaaa.net,转载请注明出处:https://www.cnaaa.net/archives/8250

(0)
杰斯的头像杰斯
0 0
上一篇 2023年5月26日 下午5:29
下一篇 2023年5月29日 下午5:25

相关推荐

  • 网站常见错误代码及解决方案 网络运维

    网站常见错误代码及解决方案

    有时候大家在打开网页时会遇到各种各样的错误报告,比如404,500之类的,这些错误是服务器接到浏览器的请求后访回的状态码,专业术语叫服务器信息头,不同的状态码有不同的含义,了解一些有利于搞清楚哪里出了问题。 注:本文仅供学习 一、HTTP4xx(请求错误) HTTP错误400 由于语法格式有误,服务器无法理解此请求。不作修改,客户程序就无法重复此请求。 HT…

    郭靖的头像 郭靖
    2022年6月13日
    82200
  • 网络概念趣讲:IP地址、子网掩码、网关、DHCP服务和PPPoE拨号 网络运维

    网络概念趣讲:IP地址、子网掩码、网关、DHCP服务和PPPoE拨号

    下午好,我的网工朋友。 5G技术的更新,推动了新一代的网络通信发展,家庭宽带上网也从最初的十几K的速度,提升到了现在动则上百上千兆的速度。 很多有部署了家庭NAS的用户,甚至都已经更新到了10G级别的内部局域网了。现在6G都要来了。 在这个信息互联的时代,网络的基础知识肯定得掌握,今天就说一下不得不提的五大基础概念: IP地址,子网掩码、网关、DHCP服务和…

    凯影的头像 凯影
    2024年1月17日
    18200
  • Iperf3测速教程 网络运维

    Iperf3测速教程

    Iperf3介绍 iperf3 是一个 TCP、UDP 和 SCTP 网络带宽测量工具。是用于主动测量 IP 网络上可达到的最大带宽的工具。它支持调整与时序,协议和缓冲区有关的各种参数。对于每个测试,它都会报告测得的吞吐量 / 比特率,损耗和其他参数。 Iperf3下载地址:https://iperf.fr/ Iperf3常用参数 1. 通用参数:…

    郭靖的头像 郭靖
    2022年7月26日
    61400
  • ELK构建MySQL慢日志收集平台详解 网络运维

    ELK构建MySQL慢日志收集平台详解

    ELK介绍 ELK最早是Elasticsearch(以下简称ES)、Logstash、Kibana三款开源软件的简称,三款软件后来被同一公司收购,并加入了Xpark、Beats等组件,改名为Elastic Stack,成为现在最流行的开源日志解决方案,虽然有了新名字但大家依然喜欢叫她ELK,现在所说的ELK就指的是基于这些开源软件构建的日志系统。 我们收集m…

    杰斯的头像 杰斯
    2023年5月24日
    27300
  • iptables与firewalld的区别 网络运维

    iptables与firewalld的区别

    iptables与firewalld的区别 firewalld可以动态修改单条规则,动态管理规则集,允许更新规则而不破坏现有会话和连接。而iptables,在修改了规则后必须得全部刷新才可以生效; firewalld使用区域和服务而不是链式规则; firewalld默认是拒绝的,需要设置以后才能放行。而iptables默认是允许的,需要拒绝的才去限制; fi…

    胖大海的头像 胖大海
    2022年8月9日
    49800

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注

在线咨询: QQ交谈

邮件:712342017@qq.com

工作时间:周一至周五,8:30-17:30,节假日休息

关注微信