投稿
  1. 3A网络资讯门户首页
  2. 网络运维

K8S 中使用kubectl工具远程连接K8S集群

郭靖 网络运维 阅读 1037

一、概述

一般情况下,在k8smaster节点上集群管理工具kubectl是连接的本地http8080端口和apiserver进行通讯的,

当然也可以通过https端口进行通讯前提是要生成证书。所以说kubectl不一定部署在master上,只要能和apiserver进行通讯,

所以你可以将kubectl部署在任何一台你想连接到集群的主机上,以下将介绍基于证书的kubectl部署方式,以下基于kubernets1.16部署

二、生成ca证书

如果已经有了ca证书那就不需要在生成了,只需要利用该证书生成admin证书即可,跳过此步骤直接看第三步骤,生成admin证书

使用cfssl自签证书

安装生成证书工具

[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl

[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson

[root@node1 ~ ]# curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo

[root@node1 ~ ]# chmod +x /usr/local/bin/cfssl*

创建证书目录:

[root@node1 ~]# mkdir /opt/kubernetes/ssl/

自建一个本地CA,生成ca证书, 准备配置文件:

[root@node1 ssl]# vim ca-csr.json

{
<span class="hljs-attr">"CN"</span>: <span class="hljs-string">"etcd CA"</span>,
<span class="hljs-attr">"key"</span>: {
<span class="hljs-attr">"algo"</span>: <span class="hljs-string">"rsa"</span>,
<span class="hljs-attr">"size"</span>: <span class="hljs-number">2048</span>
},
<span class="hljs-attr">"names"</span>: [
{
<span class="hljs-attr">"C"</span>: <span class="hljs-string">"CN"</span>,
<span class="hljs-attr">"L"</span>: <span class="hljs-string">"Beijing"</span>,
<span class="hljs-attr">"ST"</span>: <span class="hljs-string">"Beijing"</span>
     }
   ]
 }

[root@node1 ssl]# vim ca-config.json #证书过期时间默认是10年




{
<span class="hljs-attr">"signing"</span>: {
<span class="hljs-attr">"default"</span>: {
<span class="hljs-attr">"expiry"</span>: <span class="hljs-string">"87600h"</span>
},
<span class="hljs-attr">"profiles"</span>: {
<span class="hljs-attr">"www"</span>: {
<span class="hljs-attr">"expiry"</span>: <span class="hljs-string">"87600h"</span>,
<span class="hljs-attr">"usages"</span>: [
<span class="hljs-string">"signing"</span>,
<span class="hljs-string">"key encipherment"</span>,
<span class="hljs-string">"server auth"</span>,
<span class="hljs-string">"client auth"</span>
]
          }
    }
}

执行命令生成ca文件:

[root@master1 cert]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
K8S 中使用kubectl工具远程连接K8S集群

三、生成admin证书

#如有ca证书(请忽略上面的ca证书生成步骤)

[root@node1 ssl]# ls ca*
<span class="hljs-selector-tag">ca-config</span><span class="hljs-selector-class">.json</span>   <span class="hljs-selector-tag">ca</span><span class="hljs-selector-class">.csr</span>   <span class="hljs-selector-tag">ca-csr</span><span class="hljs-selector-class">.json</span>   <span class="hljs-selector-tag">ca-key</span><span class="hljs-selector-class">.pem</span>   <span class="hljs-selector-tag">ca</span><span class="hljs-selector-class">.pem</span>

#拷贝之前生成的ca证书到本机的/admin目录下

[root@manager ~]# mkdir /admin
[root@manager ~]# scp root@192.168.31.63:/opt/kubernetes/ssl/ca* /admin
[root@manager admin]# ls ca*
<span class="hljs-selector-tag">ca-config</span><span class="hljs-selector-class">.json</span>   <span class="hljs-selector-tag">ca</span><span class="hljs-selector-class">.csr</span>   <span class="hljs-selector-tag">ca-csr</span><span class="hljs-selector-class">.json</span>   <span class="hljs-selector-tag">ca-key</span><span class="hljs-selector-class">.pem</span>   <span class="hljs-selector-tag">ca</span><span class="hljs-selector-class">.pem</span>

证书配置: 生成请求证书文件

[root@manager admin]# vim admin-csr.on
{
<span class="hljs-attr">"CN"</span>: <span class="hljs-string">"admin"</span>,
<span class="hljs-attr">"hosts"</span>: [],
<span class="hljs-attr">"key"</span>: {
<span class="hljs-attr">"algo"</span>: <span class="hljs-string">"rsa"</span>,
<span class="hljs-attr">"size"</span>: <span class="hljs-number">2048</span>
},
<span class="hljs-attr">"names"</span>: [
{
<span class="hljs-attr">"C"</span>: <span class="hljs-string">"CN"</span>,
<span class="hljs-attr">"L"</span>: <span class="hljs-string">"BeiJing"</span>,
<span class="hljs-attr">"ST"</span>: <span class="hljs-string">"BeiJing"</span>,
<span class="hljs-attr">"O"</span>: <span class="hljs-string">"system:masters"</span>,
<span class="hljs-attr">"OU"</span>: <span class="hljs-string">"System"</span>
        }
    ]
}

生成证书

[root@manager admin]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
<span class="hljs-number">2020</span><span class="hljs-string">/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-string">generate</span> <span class="hljs-string">received</span> <span class="hljs-string">request</span>
<span class="hljs-string">2020/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-string">received</span> <span class="hljs-string">CSR</span>
<span class="hljs-string">2020/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-attr">generating key:</span> <span class="hljs-string">rsa-2048</span>
<span class="hljs-string">2020/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-string">encoded</span> <span class="hljs-string">CSR</span>
<span class="hljs-string">2020/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[INFO]</span> <span class="hljs-string">signed</span> <span class="hljs-string">certificate</span> <span class="hljs-string">with</span> <span class="hljs-string">serial</span> <span class="hljs-string">number</span> <span class="hljs-number">346834438687956883750356425567391001485757864749</span>
<span class="hljs-number">2020</span><span class="hljs-string">/07/23</span> <span class="hljs-number">12</span><span class="hljs-string">:06:24</span> <span class="hljs-string">[WARNING]</span> <span class="hljs-string">This</span> <span class="hljs-string">certificate</span> <span class="hljs-string">lacks</span> <span class="hljs-string">a</span> <span class="hljs-string">"hosts"</span> <span class="hljs-string">field.</span> <span class="hljs-string">This</span> <span class="hljs-string">makes</span> <span class="hljs-string">it</span> <span class="hljs-string">unsuitable</span> <span class="hljs-string">for</span>
<span class="hljs-string">websites.</span> <span class="hljs-string">For</span> <span class="hljs-string">more</span> <span class="hljs-string">information</span> <span class="hljs-string">see</span> <span class="hljs-string">the</span> <span class="hljs-string">Baseline</span> <span class="hljs-string">Requirements</span> <span class="hljs-string">for</span> <span class="hljs-string">the</span> <span class="hljs-string">Issuance</span> <span class="hljs-string">and</span> <span class="hljs-string">Management</span>
<span class="hljs-string">of</span> <span class="hljs-string">Publicly-Trusted</span> <span class="hljs-string">Certificates,</span> <span class="hljs-string">v.1.1.6,</span> <span class="hljs-string">from</span> <span class="hljs-string">the</span> <span class="hljs-string">CA/Browser</span> <span class="hljs-string">Forum</span> <span class="hljs-string">(https://cabforum.org);</span>
<span class="hljs-string">specifically,</span> <span class="hljs-string">section</span> <span class="hljs-number">10.2</span><span class="hljs-number">.3</span> <span class="hljs-string">("Information</span> <span class="hljs-string">Requirements").</span>

查看证书

[root@manager admin]# ls admin*
<span class="hljs-selector-tag">admin</span><span class="hljs-selector-class">.csr</span>  <span class="hljs-selector-tag">admin-csr</span><span class="hljs-selector-class">.json</span>  <span class="hljs-selector-tag">admin-key</span><span class="hljs-selector-class">.pem</span>  <span class="hljs-selector-tag">admin</span><span class="hljs-selector-class">.pem</span>

四、配置kubectl配置文件

拷贝kubectl 二进制可执行文件 到目标机器

[root@manager admin]#scp root@192.168.31.63:/opt/kubernetes/bin/kubectl /usr/bin/

进入证书目录

[root@manager ~]# cd /admin

生成kubectl配置文件

[root@manager admin]# kubectl config set-cluster kubernetes –server=https://192.168.31.60:6443 –certificate-authority=ca.pem
Cluster <span class="hljs-string">"kubernetes"</span> <span class="hljs-built_in">set</span>.

设置用户项中cluster-admin用户证书认证字段

[root@manager admin]# kubectl config set-credentials cluster-admin –certificate-authority=ca.pem –client-key=admin-key.pem –client-certificate=admin.pem
User <span class="hljs-string">"cluster-admin"</span> <span class="hljs-built_in">set</span>.

设置默认上下文

[root@manager admin]# kubectl config set-context default –cluster=kubernetes –user=cluster-admin
<span class="hljs-attribute">Context</span> <span class="hljs-string">"default"</span> created.

设置当前环境的default

[root@manager admin]# kubectl config use-context default
<span class="hljs-attribute">Switched</span> to context <span class="hljs-string">"default"</span>.

查看配置文件

[root@manager admin]# cat /root/.kube/config
<span class="hljs-attribute">apiVersion</span>: <span class="hljs-attribute">v1</span><span class="hljs-attribute">clusters</span>:- <span class="hljs-attribute">cluster</span>:<span class="hljs-attribute">certificate-authority</span>: /admin/ca.<span class="hljs-attribute">pem</span><span class="hljs-attribute">server</span>: <span class="hljs-attribute">https</span>:<span class="hljs-comment">//192.168.31.60:6443</span><span class="hljs-comment">name: kubernetes</span><span class="hljs-comment">contexts:</span><span class="hljs-comment">- context:</span><span class="hljs-comment">cluster: kubernetes</span><span class="hljs-comment">user: cluster-admin</span><span class="hljs-comment">name: default</span><span class="hljs-comment">current-context: default</span><span class="hljs-comment">kind: Config</span><span class="hljs-comment">preferences: {}</span><span class="hljs-comment">users:</span><span class="hljs-comment">- name: cluster-admin</span><span class="hljs-comment">user:</span><span class="hljs-comment">client-certificate: /admin/admin.pem</span><span class="hljs-comment">client-key: /admin/admin-key.pem</span>

五、管理集群

[root@manager admin]# kubectl get nodes
<span class="hljs-selector-tag">NAME</span> <span class="hljs-selector-tag">STATUS</span> <span class="hljs-selector-tag">ROLES</span> <span class="hljs-selector-tag">AGE</span> <span class="hljs-selector-tag">VERSION</span><span class="hljs-selector-tag">node1</span> <span class="hljs-selector-tag">Ready</span> <<span class="hljs-selector-tag">none</span>> 19<span class="hljs-selector-tag">d</span> <span class="hljs-selector-tag">v1</span><span class="hljs-selector-class">.16</span><span class="hljs-selector-class">.0</span><span class="hljs-selector-class">node2</span> <span class="hljs-selector-tag">Ready</span> <<span class="hljs-selector-tag">none</span>> 19<span class="hljs-selector-tag">d</span> <span class="hljs-selector-tag">v1</span><span class="hljs-selector-class">.16</span><span class="hljs-selector-class">.0</span><span class="hljs-selector-class">node3</span> <span class="hljs-selector-tag">Ready</span> <<span class="hljs-selector-tag">none</span>> 9<span class="hljs-selector-tag">d</span> <span class="hljs-selector-tag">v1</span><span class="hljs-selector-class">.16</span><span class="hljs-selector-class">.0</span>
[root@manager admin]# kubectl get cs
<span class="hljs-attribute">NAME</span> STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-2 Healthy {<span class="hljs-string">"health"</span>:<span class="hljs-string">"true"</span>}
etcd-1 Healthy {<span class="hljs-string">"health"</span>:<span class="hljs-string">"true"</span>}
etcd-0 Healthy {<span class="hljs-string">"health"</span>:<span class="hljs-string">"true"</span>}

文章来源:https://www.cnaaa.net,转载请注明出处:https://www.cnaaa.net/archives/8250

(0)
郭靖的头像郭靖
0 0
上一篇 2023年5月26日 下午5:29
下一篇 2023年5月29日 下午5:25

相关推荐

  • 配置ospf路由实现内网访问外网 网络运维

    配置ospf路由实现内网访问外网

    1、网络拓扑图 2、核心命令 [r1-ospf-100]default-route-advertise always  说明:给ospf 进程中添加一条缺省路由 3、具体配置如下

    凯影的头像 凯影
    2024年6月20日
    87500
  • GoAccess - 实时 Apache 和 Nginx 日志分析工具 网络运维

    GoAccess – 实时 Apache 和 Nginx 日志分析工具

    一、使用yum方式安装goaccess1.2 操作系统环境 1.1、安装使用yum源 首先安装epel的yum源,否则系统中没有goaccess的包 1.2、安装依赖包 1.3、安装goaccess 1.4、调整goaccess配置 使用yum安装的goaccess,默认配置文件是在/etc/goaccess.conf 1.5、调整nginx.conf配置 …

    郭靖的头像 郭靖
    2023年9月14日
    1.1K00
  • ELK日志系统之使用Rsyslog快速方便的收集Nginx日志 网络运维

    ELK日志系统之使用Rsyslog快速方便的收集Nginx日志

    Rsyslog Rsyslog是高速的日志收集处理服务,它具有高性能、安全可靠和模块化设计的特点,能够接收来自各种来源的日志输入(例如:file,tcp,udp,uxsock等),并通过处理后将结果输出的不同的目的地(例如:mysql,mongodb,elasticsearch,kafka等),每秒处理日志量能够超过百万条。 Rsyslog作为syslog的…

    郭靖的头像 郭靖
    2023年5月24日
    1.3K00
  • 一分钟解决打不开网页的故障 网络运维

    一分钟解决打不开网页的故障

    做IT外包N多年了,每天就是面对各种大大小小的报修,有些小事,也算值得一记,分享给各位。 本文讲述的是一个非常多见的问题——微信和QQ能正常收发消息,但是所有网页都打不开,这个问题具有一定的普遍性和高发性,所以,我也是再一次地发文讲述 客户报修给技术小伙,他当时正开车,就直接转发给我了,我一看这种问题,大概率就是DNS的问题,与其我再安排别的技术小伙,还不如…

    凯影的头像 凯影
    2024年5月17日
    92600
  • IIS6.0安装不同版本PHP 网络运维

    IIS6.0安装不同版本PHP

    智创PHP8安装包下载:https://www.zcnt.com/IIsSafeWeb.asp 1、将下载的 PHP 8 安装包解压缩     2、运行 setup.exe ,然后点“下一步”开始安装     3、开始复制 php文件     4、文件复制完成后,会弹出一个 DOS界面窗口,开始检查 IIS环境和对 IIS增加 PHP 8 支持     5、…

    郭靖的头像 郭靖
    2023年4月14日
    93300

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注

在线咨询: QQ交谈

邮件:712342017@qq.com

工作时间:周一至周五,8:30-17:30,节假日休息

关注微信