1. kubeconfig
1.1 Introduction
Kubernetes stores the cluster authentication information that kubectl uses in a YAML file, the kubeconfig. A kubeconfig holds the list of contexts kubectl refers to when it runs a command. By default the file is $HOME/.kube/config; a different file can be selected with the --kubeconfig flag (or the KUBECONFIG environment variable).
1.2 Structure
A complete kubeconfig file consists of clusters, contexts, users, current-context and some metadata. One kubeconfig can define several clusters, several contexts and several users, so a single config can be used to manage several k8s clusters.
clusters
Connection information for each k8s cluster; there can be several. Each cluster entry specifies the api-server address and the CA certificate used to verify it.
contexts
Ties a cluster to a user; there can be several. Each context names the cluster it belongs to and the user whose credentials are used to authenticate to it.
users
The credentials used to authenticate to the api-server; there can be several. Each user entry carries, for example, a client certificate and its private key (as in the example below) or a bearer token.
current-context
The context kubectl is currently using. Switch with kubectl config use-context context-name.
Example file
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded CA certificate>
    server: https://xxx.xxx.xxx:6443
  name: xxx.xxx.xxx
- cluster:
    certificate-authority-data: <base64-encoded CA certificate>
    server: https://xxx.xxx.xxx:6443
  name: xxx.xxx.xxx
contexts:
- context:
    cluster: xxx.xxx.xxx
    user: admin2
  name: xxx.xxx.xxx
- context:
    cluster: xxx.xxx.xxx
    user: admin
  name: xxx.xxx.xxx
current-context: xxx.xxx.xxx
kind: Config
preferences: {}
users:
- name: admin
  user:
    client-certificate-data: <base64-encoded client certificate>
    client-key-data: <base64-encoded client private key>
- name: admin2
  user:
    client-certificate-data: <base64-encoded client certificate>
    client-key-data: <base64-encoded client private key>
Normally kubectl uses the default kubeconfig, which for root is /root/.kube/config. On a cluster installed with kubeadm this is simply a copy of /etc/kubernetes/admin.conf, a kubeconfig whose client certificate carries cluster-admin rights. So how do you generate a kubeconfig of your own?
Generating a complete kubeconfig generally takes the following steps.
1. Generate a private key
Use openssl to generate a 2048-bit RSA private key:
openssl genrsa -out user1.key 2048
2. Generate a certificate signing request (CSR)
Create a CSR from the private key; the CSR is what gets signed in the next step.
Note that in -subj the CN is the username and O is the group.
Kubernetes has two kinds of users: service accounts, which Kubernetes itself manages, and normal users, for which k8s stores no user records at all. When a request arrives, the API server authenticates it by taking the username from the certificate's CN and the groups from its O fields, and then authorizes the request through RBAC.
Reference: https://kubernetes.io/zh-cn/docs/reference/access-authn-authz/rbac/#discovery-roles
openssl req -new -key user1.key -out user1.csr -subj "/CN=user1/O=group1"
3. Issue the certificate
Sign the CSR with the cluster CA. Note that this is not a request to the Kubernetes API: it is a plain openssl signature with the CA private key, so it has to run where /etc/kubernetes/pki/ca.key is available, normally a control-plane node. Anyone holding ca.key can mint a certificate for any username or group, including system:masters, and Kubernetes has no way to revoke a client certificate, so keep -days short and protect that key.
openssl x509 -req -in user1.csr \
-CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial \
-out user1.crt -days 365
4. Add the cluster
Add the cluster entry to the kubeconfig (several can be added):
--server: address of the kube-apiserver
--certificate-authority: the cluster's CA certificate file
--embed-certs: store the certificate inside the kubeconfig instead of referencing the file path, so the kubeconfig is self-contained
kubectl --kubeconfig=kubeconfig.config config \
set-cluster demo1 --server=https://xxx.xxx.xxx:6443 \
--embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt
5. Add the user
Add the user entry to the kubeconfig (several can be added):
--client-key: the private key from step 1
--client-certificate: the certificate from step 3
--embed-certs: store key and certificate inside the kubeconfig instead of referencing the file paths
kubectl --kubeconfig=kubeconfig.config config \
set-credentials user1 \
--client-key=user1.key --embed-certs --client-certificate=user1.crt
6. Add the context
Add the context entry to the kubeconfig (several can be added):
--user: the user name given to set-credentials
--cluster: the cluster name given to set-cluster
kubectl --kubeconfig=kubeconfig.config config \
set-context ctx-demo1 --user=user1 --cluster=demo1
7. Set current-context
Select the context kubectl should use:
kubectl --kubeconfig=kubeconfig.config config use-context ctx-demo1
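Steps 4 to 7 only ever write fields into the structure shown in 1.2. The following added example (not code from the original article) builds that same structure in Python, embedding the three PEM files the way --embed-certs does, and then audits the result the way a reviewer would before handing the file out: it resolves current-context to its cluster and user, flags insecure-skip-tls-verify, a missing CA, a non-https server or credentials left as external file paths, and writes the file with mode 0600. The PEM blobs, the server address and all names are constructed placeholders.

```python
"""Assemble a kubeconfig the way steps 4-7 do, then audit the result.

Added example, not code from the original article. The PEM blobs below are
constructed placeholders that stand in for ca.crt, user1.crt and user1.key;
they are not real keys or certificates.
"""
import base64
import json
import os
import tempfile

# Constructed placeholders for /etc/kubernetes/pki/ca.crt, user1.crt, user1.key.
CA_PEM = b"-----BEGIN CERTIFICATE-----\nQ0EgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
CLIENT_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nQ0xJRU5UIENFUlQ=\n-----END CERTIFICATE-----\n"
CLIENT_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nQ0xJRU5UIEtFWQ==\n-----END RSA PRIVATE KEY-----\n"


def embed(pem: bytes) -> str:
    """--embed-certs: the PEM file is stored base64-encoded in a *-data field."""
    return base64.b64encode(pem).decode("ascii")


def build_kubeconfig(cluster, server, ca_pem, user, cert_pem, key_pem, context):
    """Same structure that set-cluster, set-credentials, set-context and
    use-context write, with all three PEM files embedded."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": cluster,
                      "cluster": {"server": server,
                                  "certificate-authority-data": embed(ca_pem)}}],
        "users": [{"name": user,
                   "user": {"client-certificate-data": embed(cert_pem),
                            "client-key-data": embed(key_pem)}}],
        "contexts": [{"name": context,
                      "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }


def resolve_current(cfg):
    """Follow current-context -> context -> the named cluster and user entries."""
    name = cfg.get("current-context")
    ctx = next((c["context"] for c in cfg.get("contexts", []) if c["name"] == name), None)
    if ctx is None:
        raise ValueError(f"current-context {name!r} is not defined in contexts")
    cluster = next((c["cluster"] for c in cfg.get("clusters", []) if c["name"] == ctx["cluster"]), None)
    user = next((u["user"] for u in cfg.get("users", []) if u["name"] == ctx["user"]), None)
    if cluster is None or user is None:
        raise ValueError(f"context {name!r} references an unknown cluster or user")
    return ctx, cluster, user


def audit(cfg):
    """Return the findings a reviewer would raise about the active context."""
    findings = []
    _, cluster, user = resolve_current(cfg)
    if not cluster.get("server", "").startswith("https://"):
        findings.append("server is not https")
    if cluster.get("insecure-skip-tls-verify"):
        findings.append("insecure-skip-tls-verify is set, so the API server is not authenticated")
    elif not (cluster.get("certificate-authority") or cluster.get("certificate-authority-data")):
        findings.append("no CA configured for the cluster")
    for field in ("client-certificate", "client-key"):
        if field in user:
            findings.append(f"{field} points at an external file; kubeconfig is not self-contained")
    for field in ("client-certificate-data", "client-key-data"):
        if field in user and not base64.b64decode(user[field]).startswith(b"-----BEGIN"):
            findings.append(f"{field} does not decode to PEM")
    return findings


def write_kubeconfig(cfg, path=None):
    """Write the file with mode 0600: the embedded key is only base64, not encrypted.
    kubectl reads JSON kubeconfig files as well as YAML."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "kubeconfig")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(cfg, f, indent=2)
    return path, oct(os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    cfg = build_kubeconfig("demo1", "https://192.0.2.10:6443", CA_PEM,
                           "user1", CLIENT_CERT_PEM, CLIENT_KEY_PEM, "ctx-demo1")
    path, mode = write_kubeconfig(cfg)
    print(f"wrote {path} with mode {mode}; findings: {audit(cfg) or 'none'}")
    # A weakened copy, as `kubectl config set-cluster --insecure-skip-tls-verify=true` would produce
    weak = json.loads(json.dumps(cfg))
    weak["clusters"][0]["cluster"] = {"server": "https://192.0.2.10:6443",
                                      "insecure-skip-tls-verify": True}
    print("weak config findings:", audit(weak))
```

Because the private key sits in the file merely base64-encoded, a kubeconfig deserves the same handling as the key file itself. And since Kubernetes cannot revoke a client certificate, a leaked kubeconfig stays valid until the certificate's notAfter, which is why a short -days value in step 3 matters.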
Below is a simple script that automates generating a kubeconfig:
#!/bin/bash
# Generate a client certificate signed by the cluster CA and wrap it in a kubeconfig.
# Must run on a control-plane node: it needs /etc/kubernetes/pki/ca.key and a working kubectl.
set -euo pipefail
work_dir=$(cd "$(dirname "$0")" && pwd)
read -r -p "Username: " username
read -r -p "Group (default system:masters): " group
if [ -z "$username" ]; then
    echo -e "\033[31mUsername must not be empty\033[0m"
    exit 1
fi
# system:masters is bound to cluster-admin by the default bootstrap binding and the
# certificate cannot be revoked; prefer a dedicated group for day-to-day accounts.
if [ -z "$group" ]; then
    group="system:masters"
fi
echo -e "\033[32mUsername: ${username}, group: ${group}\033[0m"
root_path="${work_dir}/${username}"
mkdir -p "$root_path"
private_key_path="${root_path}/${username}.key"
openssl genrsa -out "${private_key_path}" 2048
chmod 600 "${private_key_path}"
echo -e "\033[32mPrivate key generated: ${private_key_path}\033[0m"
csr_path="${root_path}/${username}.csr"
# CN becomes the Kubernetes username, O the group
openssl req -new -key "${private_key_path}" -out "${csr_path}" -subj "/CN=${username}/O=${group}" > /dev/null
echo -e "\033[32mCSR generated: ${csr_path}\033[0m"
crt_path="${root_path}/${username}.crt"
openssl x509 -req -in "${csr_path}" -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out "${crt_path}" -days 365
echo -e "\033[32mCertificate generated: ${crt_path}\033[0m"
config_path="${root_path}/${username}.config"
# INTERNAL-IP (column 6 of `kubectl get nodes -owide`) of the first control-plane node.
# Older kubeadm clusters label the role "control-plane,master", newer ones only "control-plane".
master_ip=$(kubectl get nodes -owide --no-headers | grep -E 'control-plane|master' | head -n1 | awk '{print $6}')
cluster_name="k8s-${master_ip}"
context_name="k8s-${master_ip}"
kubectl --kubeconfig="$config_path" config set-cluster "$cluster_name" --server="https://${master_ip}:6443" --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt
kubectl --kubeconfig="$config_path" config set-credentials "$username" --client-key="$private_key_path" --embed-certs --client-certificate="$crt_path"
kubectl --kubeconfig="$config_path" config set-context "$context_name" --user="$username" --cluster="$cluster_name"
kubectl --kubeconfig="$config_path" config use-context "$context_name"
# The kubeconfig now embeds the private key; restrict it like the key file itself
chmod 600 "$config_path"
echo -e "\033[32mkubeconfig generated: ${config_path}\033[0m"
With that, a complete kubeconfig exists. On its own, though, it is useless: the CSR was created for user user1 in group group1, and unless a role is bound to user1 or group1 in the cluster, every request made with this kubeconfig is rejected by the API server with a Forbidden error (authentication succeeds, authorization fails).
The cause is that no RoleBinding or ClusterRoleBinding grants any permissions to that user or group. How to fix this is covered later, in the post on k8s RBAC access control.
Done, confetti ~~~~~