一、概述
一般情况下,在 k8s master 节点上,集群管理工具 kubectl 是通过本地 HTTP 8080 端口和 apiserver 进行通讯的;
当然也可以通过 HTTPS 端口进行通讯,前提是要生成证书。所以说 kubectl 不一定部署在 master 上,只要能和 apiserver 进行通讯即可,
你可以将 kubectl 部署在任何一台你想连接到集群的主机上。以下将介绍基于证书的 kubectl 部署方式,基于 Kubernetes 1.16 部署。
二、生成ca证书
如果已经有了 CA 证书,那就不需要再生成了,只需要利用该证书生成 admin 证书即可:跳过此步骤,直接看第三步"生成 admin 证书"。
使用cfssl自签证书
安装生成证书工具
[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
[root@node1 ~ ]# chmod +x /usr/local/bin/cfssl*
创建证书目录:
[root@node1 ~]# mkdir /opt/kubernetes/ssl/
自建一个本地CA,生成ca证书, 准备配置文件:
[root@node1 ssl]# vim ca-csr.json
{
  "CN": "etcd CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing"
    }
  ]
}
[root@node1 ssl]# vim ca-config.json #证书过期时间默认是10年(87600h)
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
执行命令生成ca文件:
[root@master1 cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
三、生成admin证书
#如有ca证书(请忽略上面的ca证书生成步骤)
[root@node1 ssl]# ls ca*
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
#拷贝之前生成的ca证书到本机的/admin目录下(注意 ca* 也包含 CA 私钥 ca-key.pem,它只在签发 admin 证书时需要;kubectl 本身只需要 ca.pem,签发完成后不应把 ca-key.pem 长期留在 kubectl 主机上)
[root@manager ~]# mkdir /admin
[root@manager ~]# scp root@192.168.31.63:/opt/kubernetes/ssl/ca* /admin
[root@manager admin]# ls ca*
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
证书配置:生成证书请求文件。注意其中 "O": "system:masters" 会使该证书的持有者被 RBAC 视为 system:masters 组成员(默认绑定 cluster-admin 权限),而 Kubernetes 不支持吊销客户端证书,因此生成的 admin-key.pem 必须妥善保管。
[root@manager admin]# vim admin-csr.json
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
生成证书(注意:-profile 指定的名称必须与 ca-config.json 中 profiles 下定义的名称一致。上面示例定义的 profile 是 www,而下面的命令写的是 kubernetes;cfssl 找不到该 profile 时会回退到 default 段,而 default 段没有 usages。要么把 ca-config.json 中的 profile 改名为 kubernetes,要么在此处使用 -profile=www)
[root@manager admin]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2020/07/23 12:06:24 [INFO] generate received request
2020/07/23 12:06:24 [INFO] received CSR
2020/07/23 12:06:24 [INFO] generating key: rsa-2048
2020/07/23 12:06:24 [INFO] encoded CSR
2020/07/23 12:06:24 [INFO] signed certificate with serial number 346834438687956883750356425567391001485757864749
2020/07/23 12:06:24 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
查看证书
[root@manager admin]# ls admin*
admin.csr  admin-csr.json  admin-key.pem  admin.pem
四、配置kubectl配置文件
拷贝kubectl 二进制可执行文件 到目标机器
[root@manager admin]# scp root@192.168.31.63:/opt/kubernetes/bin/kubectl /usr/bin/
进入证书目录
[root@manager ~]# cd /admin
生成kubectl配置文件
[root@manager admin]# kubectl config set-cluster kubernetes --server=https://192.168.31.60:6443 --certificate-authority=ca.pem
Cluster "kubernetes" set.
设置用户项中cluster-admin用户证书认证字段
[root@manager admin]# kubectl config set-credentials cluster-admin --certificate-authority=ca.pem --client-key=admin-key.pem --client-certificate=admin.pem
User "cluster-admin" set.
设置默认上下文
[root@manager admin]# kubectl config set-context default --cluster=kubernetes --user=cluster-admin
Context "default" created.
设置当前环境的default
[root@manager admin]# kubectl config use-context default
Switched to context "default".
查看配置文件
[root@manager admin]# cat /root/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /admin/ca.pem
    server: https://192.168.31.60:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: cluster-admin
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: cluster-admin
  user:
    client-certificate: /admin/admin.pem
    client-key: /admin/admin-key.pem
五、管理集群
[root@manager admin]# kubectl get nodes
NAME    STATUS   ROLES    AGE   VERSION
node1   Ready    <none>   19d   v1.16.0
node2   Ready    <none>   19d   v1.16.0
node3   Ready    <none>   9d    v1.16.0
[root@manager admin]# kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
controller-manager   Healthy   ok
scheduler            Healthy   ok
etcd-2               Healthy   {"health":"true"}
etcd-1               Healthy   {"health":"true"}
etcd-0               Healthy   {"health":"true"}
文章来源:https://www.cnaaa.net,转载请注明出处:https://www.cnaaa.net/archives/8250