投稿
  1. 3A网络资讯门户首页
  2. 网络运维

K8S 中使用kubectl工具远程连接K8S集群

郭靖 网络运维 阅读 779

一、概述

一般情况下,在k8smaster节点上集群管理工具kubectl是连接的本地http8080端口和apiserver进行通讯的,

当然也可以通过https端口进行通讯前提是要生成证书。所以说kubectl不一定部署在master上,只要能和apiserver进行通讯,

所以你可以将kubectl部署在任何一台你想连接到集群的主机上,以下将介绍基于证书的kubectl部署方式,以下基于kubernets1.16部署

二、生成ca证书

如果已经有了ca证书那就不需要在生成了,只需要利用该证书生成admin证书即可,跳过此步骤直接看第三步骤,生成admin证书

使用cfssl自签证书

安装生成证书工具

[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl

[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson

[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo

[root@node1 ~ ]# chmod +x /usr/local/bin/cfssl*

创建证书目录:

[root@node1 ~]# mkdir /opt/kubernetes/ssl/

自建一个本地CA,生成ca证书, 准备配置文件:

[root@node1 ssl]# vim ca-csr.json

{
<span class="hljs-attr">"CN"</span>: <span class="hljs-string">"etcd CA"</span>,
<span class="hljs-attr">"key"</span>: {
<span class="hljs-attr">"algo"</span>: <span class="hljs-string">"rsa"</span>,
<span class="hljs-attr">"size"</span>: <span class="hljs-number">2048</span>
},
<span class="hljs-attr">"names"</span>: [
{
<span class="hljs-attr">"C"</span>: <span class="hljs-string">"CN"</span>,
<span class="hljs-attr">"L"</span>: <span class="hljs-string">"Beijing"</span>,
<span class="hljs-attr">"ST"</span>: <span class="hljs-string">"Beijing"</span>
     }
   ]
 }

[root@node1 ssl]# vim ca-config.json #证书过期时间默认是10年




{
<span class="hljs-attr">"signing"</span>: {
<span class="hljs-attr">"default"</span>: {
<span class="hljs-attr">"expiry"</span>: <span class="hljs-string">"87600h"</span>
},
<span class="hljs-attr">"profiles"</span>: {
<span class="hljs-attr">"www"</span>: {
<span class="hljs-attr">"expiry"</span>: <span class="hljs-string">"87600h"</span>,
<span class="hljs-attr">"usages"</span>: [
<span class="hljs-string">"signing"</span>,
<span class="hljs-string">"key encipherment"</span>,
<span class="hljs-string">"server auth"</span>,
<span class="hljs-string">"client auth"</span>
]
          }
    }
}

执行命令生成ca文件:

[root@master1 cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
K8S 中使用kubectl工具远程连接K8S集群

三、生成admin证书

#如有ca证书(请忽略上面的ca证书生成步骤)

[root@node1 ssl]# ls ca*
<span class="hljs-selector-tag">ca-config</span><span class="hljs-selector-class">.json</span>   <span class="hljs-selector-tag">ca</span><span class="hljs-selector-class">.csr</span>   <span class="hljs-selector-tag">ca-csr</span><span class="hljs-selector-class">.json</span>   <span class="hljs-selector-tag">ca-key</span><span class="hljs-selector-class">.pem</span>   <span class="hljs-selector-tag">ca</span><span class="hljs-selector-class">.pem</span>

#拷贝之前生成的ca证书到本机的/admin目录下

[root@manager ~]# mkdir /admin
[root@manager ~]# scp root@192.168.31.63:/opt/kubernetes/ssl/ca* /admin
[root@manager admin]# ls ca*
<span class="hljs-selector-tag">ca-config</span><span class="hljs-selector-class">.json</span>   <span class="hljs-selector-tag">ca</span><span class="hljs-selector-class">.csr</span>   <span class="hljs-selector-tag">ca-csr</span><span class="hljs-selector-class">.json</span>   <span class="hljs-selector-tag">ca-key</span><span class="hljs-selector-class">.pem</span>   <span class="hljs-selector-tag">ca</span><span class="hljs-selector-class">.pem</span>

证书配置: 生成请求证书文件

[root@manager admin]# vim admin-csr.on
{
<span class="hljs-attr">"CN"</span>: <span class="hljs-string">"admin"</span>,
<span class="hljs-attr">"hosts"</span>: [],
<span class="hljs-attr">"key"</span>: {
<span class="hljs-attr">"algo"</span>: <span class="hljs-string">"rsa"</span>,
<span class="hljs-attr">"size"</span>: <span class="hljs-number">2048</span>
},
<span class="hljs-attr">"names"</span>: [
{
<span class="hljs-attr">"C"</span>: <span class="hljs-string">"CN"</span>,
<span class="hljs-attr">"L"</span>: <span class="hljs-string">"BeiJing"</span>,
<span class="hljs-attr">"ST"</span>: <span class="hljs-string">"BeiJing"</span>,
<span class="hljs-attr">"O"</span>: <span class="hljs-string">"system:masters"</span>,
<span class="hljs-attr">"OU"</span>: <span class="hljs-string">"System"</span>
        }
    ]
}

生成证书

[root@manager admin]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
<span class="hljs-number">2020</span><span class="hljs-string">/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-string">generate</span> <span class="hljs-string">received</span> <span class="hljs-string">request</span>
<span class="hljs-string">2020/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-string">received</span> <span class="hljs-string">CSR</span>
<span class="hljs-string">2020/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-attr">generating key:</span> <span class="hljs-string">rsa-2048</span>
<span class="hljs-string">2020/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-string">encoded</span> <span class="hljs-string">CSR</span>
<span class="hljs-string">2020/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-string">signed</span> <span class="hljs-string">certificate</span> <span class="hljs-string">with</span> <span class="hljs-string">serial</span> <span class="hljs-string">number</span> <span class="hljs-number">346834438687956883750356425567391001485757864749</span>
<span class="hljs-number">2020</span><span class="hljs-string">/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[WARNING]</span> <span class="hljs-string">This</span> <span class="hljs-string">certificate</span> <span class="hljs-string">lacks</span> <span class="hljs-string">a</span> <span class="hljs-string">"hosts"</span> <span class="hljs-string">field.</span> <span class="hljs-string">This</span> <span class="hljs-string">makes</span> <span class="hljs-string">it</span> <span class="hljs-string">unsuitable</span> <span class="hljs-string">for</span>
<span class="hljs-string">websites.</span> <span class="hljs-string">For</span> <span class="hljs-string">more</span> <span class="hljs-string">information</span> <span class="hljs-string">see</span> <span class="hljs-string">the</span> <span class="hljs-string">Baseline</span> <span class="hljs-string">Requirements</span> <span class="hljs-string">for</span> <span class="hljs-string">the</span> <span class="hljs-string">Issuance</span> <span class="hljs-string">and</span> <span class="hljs-string">Management</span>
<span class="hljs-string">of</span> <span class="hljs-string">Publicly-Trusted</span> <span class="hljs-string">Certificates,</span> <span class="hljs-string">v.1.1.6,</span> <span class="hljs-string">from</span> <span class="hljs-string">the</span> <span class="hljs-string">CA/Browser</span> <span class="hljs-string">Forum</span> <span class="hljs-string">(https://cabforum.org);</span>
<span class="hljs-string">specifically,</span> <span class="hljs-string">section</span> <span class="hljs-number">10.2</span><span class="hljs-number">.3</span> <span class="hljs-string">("Information</span> <span class="hljs-string">Requirements").</span>

查看证书

[root@manager admin]# ls admin*
<span class="hljs-selector-tag">admin</span><span class="hljs-selector-class">.csr</span>  <span class="hljs-selector-tag">admin-csr</span><span class="hljs-selector-class">.json</span>  <span class="hljs-selector-tag">admin-key</span><span class="hljs-selector-class">.pem</span>  <span class="hljs-selector-tag">admin</span><span class="hljs-selector-class">.pem</span>

四、配置kubectl配置文件

拷贝kubectl 二进制可执行文件 到目标机器

[root@manager admin]#scp root@192.168.31.63:/opt/kubernetes/bin/kubectl /usr/bin/

进入证书目录

[root@manager ~]# cd /admin

生成kubectl配置文件

[root@manager admin]# kubectl config set-cluster kubernetes –server=https://192.168.31.60:6443 –certificate-authority=ca.pem
Cluster <span class="hljs-string">"kubernetes"</span> <span class="hljs-built_in">set</span>.

设置用户项中cluster-admin用户证书认证字段

[root@manager admin]# kubectl config set-credentials cluster-admin –certificate-authority=ca.pem –client-key=admin-key.pem –client-certificate=admin.pem
User <span class="hljs-string">"cluster-admin"</span> <span class="hljs-built_in">set</span>.

设置默认上下文

[root@manager admin]# kubectl config set-context default –cluster=kubernetes –user=cluster-admin
<span class="hljs-attribute">Context</span> <span class="hljs-string">"default"</span> created.

设置当前环境的default

[root@manager admin]# kubectl config use-context default
<span class="hljs-attribute">Switched</span> to context <span class="hljs-string">"default"</span>.

查看配置文件

[root@manager admin]# cat /root/.kube/config
<span class="hljs-attribute">apiVersion</span>: <span class="hljs-attribute">v1</span><span class="hljs-attribute">clusters</span>:- <span class="hljs-attribute">cluster</span>:<span class="hljs-attribute">certificate-authority</span>: /admin/ca.<span class="hljs-attribute">pem</span><span class="hljs-attribute">server</span>: <span class="hljs-attribute">https</span>:<span class="hljs-comment">//192.168.31.60:6443</span><span class="hljs-comment">name: kubernetes</span><span class="hljs-comment">contexts:</span><span class="hljs-comment">- context:</span><span class="hljs-comment">cluster: kubernetes</span><span class="hljs-comment">user: cluster-admin</span><span class="hljs-comment">name: default</span><span class="hljs-comment">current-context: default</span><span class="hljs-comment">kind: Config</span><span class="hljs-comment">preferences: {}</span><span class="hljs-comment">users:</span><span class="hljs-comment">- name: cluster-admin</span><span class="hljs-comment">user:</span><span class="hljs-comment">client-certificate: /admin/admin.pem</span><span class="hljs-comment">client-key: /admin/admin-key.pem</span>

五、管理集群

[root@manager admin]# kubectl get nodes
<span class="hljs-selector-tag">NAME</span> <span class="hljs-selector-tag">STATUS</span> <span class="hljs-selector-tag">ROLES</span> <span class="hljs-selector-tag">AGE</span> <span class="hljs-selector-tag">VERSION</span><span class="hljs-selector-tag">node1</span> <span class="hljs-selector-tag">Ready</span> <<span class="hljs-selector-tag">none</span>> 19<span class="hljs-selector-tag">d</span> <span class="hljs-selector-tag">v1</span><span class="hljs-selector-class">.16</span><span class="hljs-selector-class">.0</span><span class="hljs-selector-class">node2</span> <span class="hljs-selector-tag">Ready</span> <<span class="hljs-selector-tag">none</span>> 19<span class="hljs-selector-tag">d</span> <span class="hljs-selector-tag">v1</span><span class="hljs-selector-class">.16</span><span class="hljs-selector-class">.0</span><span class="hljs-selector-class">node3</span> <span class="hljs-selector-tag">Ready</span> <<span class="hljs-selector-tag">none</span>> 9<span class="hljs-selector-tag">d</span> <span class="hljs-selector-tag">v1</span><span class="hljs-selector-class">.16</span><span class="hljs-selector-class">.0</span>
[root@manager admin]# kubectl get cs
<span class="hljs-attribute">NAME</span> STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-2 Healthy {<span class="hljs-string">"health"</span>:<span class="hljs-string">"true"</span>}
etcd-1 Healthy {<span class="hljs-string">"health"</span>:<span class="hljs-string">"true"</span>}
etcd-0 Healthy {<span class="hljs-string">"health"</span>:<span class="hljs-string">"true"</span>}

文章来源:https://www.cnaaa.net,转载请注明出处:https://www.cnaaa.net/archives/8250

(0)
郭靖的头像郭靖
0 0
上一篇 2023年5月26日 下午5:29
下一篇 2023年5月29日 下午5:25

相关推荐

  • 将 COS 作为本地磁盘挂载到 Windows 服务器 网络运维

    将 COS 作为本地磁盘挂载到 Windows 服务器

    下载与安装 本案例实践使用到以下三种软件,您可选择安装适用于自己所使用系统的软件版本: 说明: Github 下载速度可能比较慢甚至打不开,可自行在其他官方渠道进行下载。 配置 Rclone 注意: 以下配置步骤以 rclone-v1.60.1-windows-amd64 版本为例,其他版本的配置过程可能存在一定差异,请注意相应调整。 修改配置文件 以上步骤…

    郭靖的头像 郭靖
    2023年3月8日
    90200
  • 内网穿透—frp 网络运维

    内网穿透—frp

    什么是frp内网穿透 frp 是一个开源项目, 采用 C/S 模式,将服务端部署在具有公网 IP 的机器上,客户端部署在内网或防火墙内的机器上,通过访问暴露在服务器上的端口,反向代理到处于内网的服务。 在此基础上,frp 支持 TCP, UDP, HTTP, HTTPS 等多种协议,提供了加密、压缩,身份认证,代理限速,负载均衡等众多能力。 为什么使用frp…

    郭靖的头像 郭靖
    2022年6月8日
    1.4K00
  • Cisco 交换机端口err-disable 解决方法 网络运维

    Cisco 交换机端口err-disable 解决方法

    我的一台2960GG透过多模 10G SFP-10GBase-LRM光纤接核心3850交换机,今天早上之间网络不通,3850G和2960上的SFP模块指示灯都不亮,查看CISCO 2960G端口有如下提示: 解决如下: 查阅关于link-flap及err-disable的资料如下: Cisco网站上关于link-flap的说明:Link-flap error…

    凯影的头像 凯影
    2024年6月19日
    79900
  • IIS6.0安装不同版本PHP 网络运维

    IIS6.0安装不同版本PHP

    智创PHP8安装包下载:https://www.zcnt.com/IIsSafeWeb.asp 1、将下载的 PHP 8 安装包解压缩     2、运行 setup.exe ,然后点“下一步”开始安装     3、开始复制 php文件     4、文件复制完成后,会弹出一个 DOS界面窗口,开始检查 IIS环境和对 IIS增加 PHP 8 支持     5、…

    郭靖的头像 郭靖
    2023年4月14日
    71500
  • Cisco防火墙HA实例 网络运维

    Cisco防火墙HA实例

    实验环境:2台ASA5508防火墙,组建HA使得一台作为主防火墙Active,另外一台平时作为standby作为备用防火墙。防火墙有3个端口,         gi 1/1 端口为outside出口   gi1/2 端口为inside进口 gi 1/3 端口为两台防火墙互连接口 实验目的:使得两台防火墙互为主备,平时只有一台工作,另一台作为热备在线。等主防火…

    凯影的头像 凯影
    2024年6月19日
    78800

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注

在线咨询: QQ交谈

邮件:712342017@qq.com

工作时间:周一至周五,8:30-17:30,节假日休息

关注微信