Connecting Guacamole to a Kubernetes server

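This article describes in detail how to use guacd to connect to a Kubernetes server, including the required parameters such as hostname, port, namespace and container, and how to obtain and modify the Kubernetes API server configuration to ensure a secure connection and to test that the service is running normally.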

Connecting guacd to a k8s server

Parameters guacd needs to connect to a k8s server


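| Parameter | Notes |
|---|---|
| hostname | Hostname or IP address of the Kubernetes server that Guacamole should connect to |
| port | Port on which the Kubernetes server listens for API connections (optional); if omitted, port 8080 is used by default |
| namespace | Name of the Kubernetes namespace of the pod containing the container to attach to (optional); if omitted, the namespace default is used |
| pod | Name of the Kubernetes pod containing the container |
| container | Name of the container to attach to (optional); if omitted, the first container in the pod is used |
| exec-command | Command to run inside the container, with input and output attached to this command's process |
| use-ssl | If set to "true", SSL/TLS is used to connect to the Kubernetes server |
| ignore-cert | If set to "true", the validity of the SSL/TLS certificate used by the Kubernetes server is ignored when it cannot be verified |
| ca-cert | Certificate of the certificate authority that signed the Kubernetes server's certificate |
| client-cert | Client certificate |
| client-key | Client key |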

Obtaining the Kubernetes server parameters

Check the API server running in the environment

[root@node201 ~]# kubectl get pods -o wide -n kube-system | grep api
kube-apiserver-node201.example.com            1/1     Running   3          162d   172.24.114.201   node201.example.com   <none>           <none>
## kube-apiserver-node201.example.com is the name of the API server
[root@node201 ~]# kubectl describe service kubernetes
Name:              kubernetes
Namespace:         default
Labels:            component=apiserver
                   provider=kubernetes
Annotations:       <none>
Selector:          <none>
Type:              ClusterIP
IP:                172.17.0.1
Port:              https  443/TCP
TargetPort:        6443/TCP
Endpoints:         172.24.114.201:6443    ## IP address and connection port
Session Affinity:  None
Events:            <none>

Get the API server configuration

[root@node201 ~]# kubectl describe pods kube-apiserver-node -n kube-system
Name:                 kube-apiserver-node
Namespace:            kube-system
Priority:             2000001000
Priority Class Name:  system-node-critical
Node:                 node/11.11.11.11
Start Time:           Wed, 26 Oct 2022 09:00:47 +0800
Labels:               component=kube-apiserver
                      tier=control-plane
Annotations:          kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 172.24.114.201:6443
                      kubernetes.io/config.hash: d0a71857f3f76b81b1bc980c6d70e3fd
                      kubernetes.io/config.mirror: d0a71857f3f76b81b1bc980c6d70e3fd
                      kubernetes.io/config.seen: 2022-10-26T09:00:40.612785747+08:00
                      kubernetes.io/config.source: file
Status:               Running
IP:                   11.11.11.11
IPs:
  IP:           11.11.11.11
Controlled By:  Node/text
Containers:
  kube-apiserver:
    Container ID:  docker://a250dea1193900f6837a077ed53aa23352d305f5bd22f7570c434033ac4c403e
    Image:         k8s.gcr.io/kube-apiserver:v1.19.5
    Image ID:      docker://sha256:72efb76839e7f6095ec891219b23d33b576261edcaee89e3b7b9dd11705876cd
    Port:          <none>
    Host Port:     <none>
    Command:
      kube-apiserver
      --advertise-address=11.11.11.11
      --allow-privileged=true
      --authorization-mode=Node,RBAC
      --client-ca-file=/etc/kubernetes/pki/ca.crt									 ##ca-cert
      --enable-admission-plugins=NodeRestriction
      --enable-bootstrap-token-auth=true
      --etcd-cafile=/etc/kubernetes/pki/etcd/ca.pem														
      --etcd-certfile=/etc/kubernetes/pki/etcd/client.pem
      --etcd-keyfile=/etc/kubernetes/pki/etcd/client-key.pem
      --etcd-servers=https://node201.example.com:2381
      --insecure-port=0
      --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt     ##client-cert
      --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key    		##client-key       
      --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
      --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
      --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
      --requestheader-allowed-names=front-proxy-client
      --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
      --requestheader-extra-headers-prefix=X-Remote-Extra-
      --requestheader-group-headers=X-Remote-Group
      --requestheader-username-headers=X-Remote-User
      --secure-port=6443
      --service-account-key-file=/etc/kubernetes/pki/sa.pub
      --service-cluster-ip-range=11.11.11.0/16
      --service-node-port-range=30000-32767
      --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
      --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    State:          Running
      Started:      Mon, 27 Feb 2023 10:36:26 +0800
    Last State:     Terminated
      Reason:       Error
      Exit Code:    255
      Started:      Thu, 16 Feb 2023 21:49:04 +0800
      Finished:     Mon, 27 Feb 2023 10:35:56 +0800
    Ready:          True
    Restart Count:  3
    Requests:
      cpu:        250m
    Liveness:     http-get https://172.24.114.201:6443/livez delay=10s timeout=15s period=10s #success=1 #failure=8
    Readiness:    http-get https://172.24.114.201:6443/readyz delay=0s timeout=15s period=1s #success=1 #failure=3
    Startup:      http-get https://172.24.114.201:6443/livez delay=10s timeout=15s period=10s #success=1 #failure=24
    Environment:  <none>
    Mounts:
      /etc/kubernetes/pki from k8s-certs (ro)
      /etc/pki from etc-pki (ro)
      /etc/ssl/certs from ca-certs (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             True 
  ContainersReady   True 
  PodScheduled      True 
Volumes:
  ca-certs:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/ssl/certs
    HostPathType:  DirectoryOrCreate
  etc-pki:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/pki
    HostPathType:  DirectoryOrCreate
  k8s-certs:
    Type:          HostPath (bare host directory volume)
    Path:          /etc/kubernetes/pki
    HostPathType:  DirectoryOrCreate
QoS Class:         Burstable
Node-Selectors:    <none>
Tolerations:       :NoExecuteop=Exists
Events:            <none>

List the pods running in the Kubernetes cluster

[root@node201 ~]# kubectl get pod
NAME                 READY   STATUS                  RESTARTS   AGE
test                 2/2     Running                 6          162d

View the names and details of the containers in the selected pod

kubectl describe pod/test -n default   ## test is the name of the selected pod; default is the name of the selected namespace
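
With hostname, port, certificates, pod and container collected as above, the parameter set can be checked before it is entered into Guacamole. The linter below is an added example, not part of the original post or of Guacamole; the key=value input format and the names lint_guac_k8s, sample_weak and sample_ok are assumptions, and both samples are constructed.

```bash
#!/usr/bin/env bash
# Added example: lint a Guacamole Kubernetes parameter set before use.
# Input on stdin: one key=value per line (this file format is an assumption).
# Prints one finding per line and returns 1 if there is any finding.
lint_guac_k8s() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    { i = index($0, "="); if (!i) next
      p[substr($0, 1, i - 1)] = substr($0, i + 1) }
    END {
      n = 0
      if (p["hostname"] == "") { print "MISSING hostname"; n++ }
      if (p["pod"] == "")      { print "MISSING pod"; n++ }
      if (p["port"] == "")     { print "DEFAULT port omitted, guacd falls back to 8080"; n++ }
      if (p["use-ssl"] != "true") {
        print "PLAINTEXT use-ssl is not true, API traffic is unencrypted"; n++
      }
      if (p["ignore-cert"] == "true") {
        print "NOVERIFY ignore-cert=true, server certificate is not validated"; n++
      }
      if ((p["client-cert"] == "") != (p["client-key"] == "")) {
        print "PAIR client-cert and client-key must be set together"; n++
      }
      exit (n > 0)
    }'
}

# Constructed sample: defaults left in place, verification switched off.
sample_weak() {
  printf '%s\n' 'hostname=172.24.114.201' 'pod=test' \
    'ignore-cert=true' 'client-cert=<PEM placeholder>'
}

# Constructed sample: the values gathered on this page, with TLS verified.
sample_ok() {
  printf '%s\n' 'hostname=172.24.114.201' 'port=6443' 'namespace=default' \
    'pod=test' 'use-ssl=true' 'ca-cert=<PEM placeholder>' \
    'client-cert=<PEM placeholder>' 'client-key=<PEM placeholder>'
}

echo "== weak =="; sample_weak | lint_guac_k8s || true
echo "== ok ==";   sample_ok   | lint_guac_k8s && echo "no findings"
```

The apiserver-kubelet-client certificate that the post maps to client-cert is issued by kubeadm in a cluster-admin group (system:masters on the v1.19 cluster shown), so a connection that uses it acts with cluster-admin rights. A dedicated client certificate bound to a Role limited to pods/attach and pods/exec in the target namespace keeps the Guacamole connection to what it needs.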

Modify the k8s server settings

vim /var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: true              #### changed to true
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: AlwaysAllow             ### changed so that everyone is allowed access
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
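
With anonymous.enabled set to true and authorization.mode set to AlwaysAllow, the kubelet API on that node accepts requests from any client that can reach it, without credentials. The audit below checks for exactly these two settings; it is an added example, not from the original post, the function names are hypothetical and the hardened sample is constructed.

```bash
#!/usr/bin/env bash
# Added example: flag kubelet settings that open the kubelet API.
# Input on stdin: a KubeletConfiguration YAML (e.g. /var/lib/kubelet/config.yaml).
# Prints one FAIL line per weak setting and returns 1 if any was found.
audit_kubelet_auth() {
  awk '
    { line = $0; sub(/[ \t]*#.*$/, "", line); sub(/[ \t]+$/, "", line) }
    line ~ /^[ \t]*$/ { next }
    {
      indent = match(line, /[^ ]/) - 1          # nesting depth in spaces
      key = line; sub(/^ */, "", key); val = key
      sub(/:.*$/, "", key); sub(/^[^:]*:[ \t]*/, "", val)
      if (indent == 0) { top = key; mid = "" }
      else if (indent == 2) mid = key
      if (top == "authentication" && mid == "anonymous" && key == "enabled") anon = val
      if (top == "authorization" && indent == 2 && key == "mode") mode = val
    }
    END {
      n = 0
      if (anon == "true") { print "FAIL authentication.anonymous.enabled=true"; n++ }
      if (mode == "AlwaysAllow") { print "FAIL authorization.mode=AlwaysAllow"; n++ }
      exit (n > 0)
    }'
}

# The authentication/authorization part of the config as modified on this page.
sample_page_config() {
  cat <<'EOF'
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: true              #### changed to true
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: AlwaysAllow             ### changed so that everyone is allowed access
EOF
}

# Constructed hardened variant: anonymous off, access decided via Webhook.
sample_hardened() {
  sample_page_config | sed -e '/anonymous:/,/enabled:/ s/enabled: true/enabled: false/' \
    -e 's/mode: AlwaysAllow/mode: Webhook/'
}

sample_page_config | audit_kubelet_auth || true
sample_hardened | audit_kubelet_auth && echo "hardened: no findings"
```

On a node, run it as `audit_kubelet_auth < /var/lib/kubelet/config.yaml`.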

Test that the k8s service is working

## Fetch the pod's information from k8s; this can be used to test whether K8s is working
curl https://<ip>:6443/api/v1/namespaces/default/pods/<pod_name> --cacert <ca.crt> --cert <client.crt> --key <client.key>

