Preface
This is part 2 of deploying Kubernetes the hard way. If you want to start from the beginning or see how the VMs were built, refer to the earlier post CKA-kubernetes 部署-hard-way-1.1-1.3. That post finished the VM deployment; this one generates the Kubernetes kubeconfig files, covering the controller manager, kube-proxy, scheduler clients and the admin user.
1.4 Generating Kubernetes Configuration Files for Authentication
This part generates kubeconfig files for the controller manager, kube-proxy, scheduler clients and the admin user. With a kubeconfig, a component authenticates to the API server without passing the certificate and key file paths on every command: the file itself carries the CA, the client certificate and the private key. Because --embed-certs=true inlines the key, every kubeconfig produced here is a credential in its own right; keep it mode 0600 and copy it only to the node that needs it.
- kube-proxy Kubernetes Configuration File
A kubeconfig has three parts: cluster, user (the client) and context. The cluster entry records the cluster CA and the API server address (https://ip:port); the user entry records the client certificate and private key used to reach that server; the context ties a cluster to a user, i.e. it states which identity talks to which cluster. Each command also names the file to write to with --kubeconfig.
Two details worth noticing in the commands: kube-proxy runs on the worker nodes and is pointed at the load balancer in front of the API servers (LOADBALANCER_ADDRESS), while the controller manager, scheduler and admin files use https://127.0.0.1:6443 because they are used on the master nodes themselves. Also, the user name in the kubeconfig (system:kube-proxy and so on) is only a local label; what the API server actually authenticates and authorizes is the CN and O in the client certificate generated in the previous part.
{
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.crt \
--embed-certs=true \
--server=https://${LOADBALANCER_ADDRESS}:6443 \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials system:kube-proxy \
--client-certificate=kube-proxy.crt \
--client-key=kube-proxy.key \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=system:kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
## writes kube-proxy.kubeconfig and makes "default" the current context
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
}
- kube-controller-manager Kubernetes Configuration File
{
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.crt \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=kube-controller-manager.crt \
--client-key=kube-controller-manager.key \
--embed-certs=true \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=system:kube-controller-manager \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
}
- kube-scheduler Kubernetes Configuration File
{
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.crt \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler \
--client-certificate=kube-scheduler.crt \
--client-key=kube-scheduler.key \
--embed-certs=true \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=system:kube-scheduler \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
}
- admin Kubernetes Configuration File
{
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.crt \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=admin.kubeconfig
kubectl config set-credentials admin \
--client-certificate=admin.crt \
--client-key=admin.key \
--embed-certs=true \
--kubeconfig=admin.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=admin \
--kubeconfig=admin.kubeconfig
kubectl config use-context default --kubeconfig=admin.kubeconfig
}
- Distribute the Kubernetes Configuration Files
- Copy kube-proxy.kubeconfig to the worker nodes
for instance in worker-1 worker-2; do
scp kube-proxy.kubeconfig ${instance}:~/
done
- Copy admin.kubeconfig, kube-controller-manager.kubeconfig and kube-scheduler.kubeconfig to the master nodes
for instance in master-1 master-2; do
scp admin.kubeconfig kube-controller-manager.kubeconfig kube-scheduler.kubeconfig ${instance}:~/
done
PS: the commands above are taken from kubernetes-the-hard-way.
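The guide gives no way to verify a kubeconfig before it is copied to another machine, and a file that still references ca.crt / kube-proxy.crt by path (because --embed-certs was left out) only fails once it sits on a worker without those files. The script below is an added example, not code from kubernetes-the-hard-way: it writes a kubeconfig in the exact layout kubectl config produces for the kube-proxy commands above and then checks that the context is consistent, that all three PEM blobs are embedded, that the server matches what was intended, and that the file is private. The certificate and key bodies are constructed placeholders, and 192.168.5.30 stands in for LOADBALANCER_ADDRESS; neither is from the original page.

```shell
#!/bin/sh
# Added example, not part of the kubernetes-the-hard-way guide: build a
# kubeconfig in the layout kubectl writes and sanity-check it before scp.
# All certificate/key material below is a constructed placeholder.

# base64 of a fake PEM block: pem_b64 TYPE BODY
pem_b64() {
    printf '%s\n' "-----BEGIN $1-----" "$2" "-----END $1-----" | base64 | tr -d '\n'
}

# first value of a scalar key, e.g. kc_get FILE server; prints nothing if absent
kc_get() {
    sed -n "s/^[- ]*$2: *\(..*\)/\1/p" "$1" | head -n 1
}

# write_sample_kubeconfig DIR NAME USER SERVER EMBED
# EMBED=yes mirrors --embed-certs=true; EMBED=no writes file paths instead
write_sample_kubeconfig() {
    dir=$1; name=$2; user=$3; server=$4; embed=$5
    if [ "$embed" = yes ]; then
        ca_line="certificate-authority-data: $(pem_b64 CERTIFICATE Q09OU1RSVUNURUQgQ0E=)"
        crt_line="client-certificate-data: $(pem_b64 CERTIFICATE Q09OU1RSVUNURUQgQ0VSVA==)"
        key_line="client-key-data: $(pem_b64 'RSA PRIVATE KEY' Q09OU1RSVUNURUQgS0VZ)"
    else
        ca_line="certificate-authority: ca.crt"
        crt_line="client-certificate: ${user#system:}.crt"
        key_line="client-key: ${user#system:}.key"
    fi
    cat > "$dir/$name.kubeconfig" <<EOF
apiVersion: v1
clusters:
- cluster:
    $ca_line
    server: $server
  name: kubernetes-the-hard-way
contexts:
- context:
    cluster: kubernetes-the-hard-way
    user: $user
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: $user
  user:
    $crt_line
    $key_line
EOF
    if [ "$embed" = yes ]; then chmod 600 "$dir/$name.kubeconfig"; fi
}

# check_kubeconfig FILE EXPECTED_USER EXPECTED_SERVER
# 0 when the file is consistent, self-contained and private; 1 otherwise
check_kubeconfig() {
    f=$1; want_user=$2; want_server=$3; rc=0
    ctx=$(kc_get "$f" current-context)
    grep -q "^[- ]*name: $ctx\$" "$f" || { echo "$f: current-context '$ctx' has no entry"; rc=1; }
    [ "$(kc_get "$f" user)" = "$want_user" ] || { echo "$f: context user is not $want_user"; rc=1; }
    grep -q "^[- ]*name: $want_user\$" "$f" || { echo "$f: no credentials entry for $want_user"; rc=1; }
    cl=$(kc_get "$f" cluster)
    grep -q "^[- ]*name: $cl\$" "$f" || { echo "$f: cluster '$cl' has no entry"; rc=1; }
    [ "$(kc_get "$f" server)" = "$want_server" ] || { echo "$f: server is not $want_server"; rc=1; }
    # with --embed-certs=true the PEM data is inline; a path such as
    # client-certificate: kube-proxy.crt breaks as soon as the file is scp'd
    for k in certificate-authority-data client-certificate-data client-key-data; do
        v=$(kc_get "$f" "$k")
        [ -n "$v" ] || { echo "$f: $k missing (paths instead of embedded data?)"; rc=1; continue; }
        printf '%s' "$v" | base64 -d 2>/dev/null | grep -q -- '-----BEGIN' \
            || { echo "$f: $k does not decode to PEM"; rc=1; }
    done
    # the file carries the private key: group/other must have no access
    [ "$(ls -l "$f" | cut -c5-10)" = "------" ] || { echo "$f: mode too open, expected 0600"; rc=1; }
    return $rc
}

# demo: the kube-proxy file of section 1.4, LOADBALANCER_ADDRESS assumed to be 192.168.5.30
tmp=$(mktemp -d)
write_sample_kubeconfig "$tmp" kube-proxy system:kube-proxy https://192.168.5.30:6443 yes
check_kubeconfig "$tmp/kube-proxy.kubeconfig" system:kube-proxy https://192.168.5.30:6443 \
    && echo "kube-proxy.kubeconfig: OK"
rm -rf "$tmp"
```

Run check_kubeconfig against the real files from the commands above (for example `check_kubeconfig kube-scheduler.kubeconfig system:kube-scheduler https://127.0.0.1:6443`) before the scp loops; it reads the YAML with sed and base64 only, so it works on a master or worker that has no kubectl yet.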
1.5 Generating the Data Encryption Config and Key
## Encryption key: 32 random bytes (AES-256), base64-encoded so it fits in YAML.
## Provider order matters: the aescbc provider listed first is used for every new
## write; identity listed last keeps secrets stored before encryption was enabled readable.
ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
cat > encryption-config.yaml <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: ${ENCRYPTION_KEY}
- identity: {}
EOF
## Note: kind: EncryptionConfig with apiVersion: v1 is the format used by the version of
## the guide this post follows; current Kubernetes releases expect kind: EncryptionConfiguration
## with apiVersion: apiserver.config.k8s.io/v1 and the same resources/providers layout.
## Secrets that already exist when the API server starts with this file stay in plaintext
## until they are rewritten, e.g. kubectl get secrets --all-namespaces -o json | kubectl replace -f -
## Copy the generated config file to master-1 and master-2
for instance in master-1 master-2; do
scp encryption-config.yaml ${instance}:~/
done
# Move the config file into place. The file holds the key itself, so it should be
# root-owned and mode 0600 on the masters.
# If the path does not exist yet, create /var/lib/kubernetes/ manually first.
for instance in master-1 master-2; do
ssh ${instance} sudo mv encryption-config.yaml /var/lib/kubernetes/
done
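Two mistakes in this step are silent: swapping the provider order (identity first means the API server keeps writing secrets in plaintext while aescbc sits unused), and a key that does not decode to the expected length. The script below is an added example, not code from kubernetes-the-hard-way: it writes encryption-config.yaml with the same layout and key generation as section 1.5 and then checks the provider order, the presence of the identity fallback, the decoded key length and the file mode before the file is moved to /var/lib/kubernetes/. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the kubernetes-the-hard-way guide: write
# encryption-config.yaml as in section 1.5 and check it before it is moved
# to /var/lib/kubernetes/ on the masters.

# one providers entry, indented for the layout used in 1.5: provider_block NAME [KEY]
provider_block() {
    case $1 in
        aescbc)   printf '      - aescbc:\n          keys:\n            - name: key1\n              secret: %s\n' "$2" ;;
        identity) printf '      - identity: {}\n' ;;
        *)        echo "unknown provider $1" >&2; return 1 ;;
    esac
}

# write_encryption_config FILE KEY_B64 FIRST SECOND
# FIRST=aescbc SECOND=identity is the intended order
write_encryption_config() {
    f=$1; key=$2
    {
        printf 'kind: EncryptionConfig\napiVersion: v1\nresources:\n  - resources:\n      - secrets\n    providers:\n'
        provider_block "$3" "$key"
        provider_block "$4" "$key"
    } > "$f"
    chmod 600 "$f"      # the file holds the data-at-rest key
}

# check_encryption_config FILE: 0 when usable, 1 otherwise (reasons on stdout)
check_encryption_config() {
    f=$1; rc=0
    # the first provider is used for every new write; identity first means
    # secrets keep landing in etcd in plaintext even though aescbc is listed
    first=$(awk '/providers:/ {p=1; next} p && /^ *- [a-z]+:/ {sub(/^ *- /, ""); sub(/:.*/, ""); print; exit}' "$f")
    [ "$first" = aescbc ] || { echo "$f: first provider is '$first', new secrets would be written unencrypted"; rc=1; }
    # identity must still be present (last) so secrets written before
    # encryption was enabled remain readable
    grep -q '^ *- identity: {}' "$f" || { echo "$f: identity provider missing, pre-existing plaintext secrets become unreadable"; rc=1; }
    # the guide generates a 32-byte (AES-256) key; insist on exactly that
    secret=$(sed -n 's/^ *secret: *//p' "$f" | head -n 1)
    n=$(printf '%s' "$secret" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" = 32 ] || { echo "$f: key decodes to ${n:-0} bytes, expected 32"; rc=1; }
    [ "$(ls -l "$f" | cut -c5-10)" = "------" ] || { echo "$f: mode too open, expected 0600"; rc=1; }
    return $rc
}

# demo, same key generation as the guide
tmp=$(mktemp -d)
ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
write_encryption_config "$tmp/encryption-config.yaml" "$ENCRYPTION_KEY" aescbc identity
check_encryption_config "$tmp/encryption-config.yaml" && echo "encryption-config.yaml: OK"
rm -rf "$tmp"
```

Run `check_encryption_config encryption-config.yaml` on the file produced by the heredoc above before the scp loop; the same check can be repeated on each master after the mv, since the file mode is part of what it verifies.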
Summary
In summary, the commands above produced the kubeconfig files for kube-proxy, admin, kube-controller-manager and kube-scheduler, each carrying its own TLS client credentials, and distributed them to the nodes that need them. Section 1.5 distributed the encryption config that the API server will use to encrypt Secret objects at rest. The next post moves on to deploying the individual components: etcd, the controller manager and the rest.