kubernetes config
环境
192.168.48.101 master01
192.168.48.201 node01
192.168.48.202 node02
查看 config 文件（kubectl config view 默认隐藏证书和密钥数据，显示为 DATA+OMITTED / REDACTED；加 --raw 才会输出真实内容，其中包含客户端私钥）
[root@master01 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.48.101:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
创建新用户
在原有集群的基础上创建一个新的登录用户。Kubernetes 没有普通用户对象，这里的用户就是一张由集群 CA 签发的客户端证书，证书 subject 中的 CN（本例为 tk8s）即用户名。
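配置证书：依次生成私钥、创建 CSR，再用集群 CA 签发证书。签发命令中的 -signkey 用于自签名，与 -CA/-CAkey 同时使用是多余的（较新版本的 OpenSSL 可能直接拒绝这种组合），只保留 -CA/-CAkey 即可。API Server 不检查证书吊销列表，证书签发后在到期前一直可用于认证，只能通过移除 RBAC 授权或更换 CA 使其失效，因此 -days 指定的有效期不宜过长。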
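证书目录为 /etc/kubernetes/pki/。该目录保存着集群 CA 私钥 ca.key，持有它就能签发任意用户名的客户端证书。下面为了演示直接在此目录中以 root 生成用户密钥；实际环境中更稳妥的做法是让用户在自己的机器上生成私钥，只把 CSR 交给管理员签发，用户私钥不必出现在 master 上。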
[root@master01 ~]# cd /etc/kubernetes/pki/
[root@master01 pki]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
[root@master01 pki]# openssl genrsa -out tk8s.key 2048
Generating RSA private key, 2048 bit long modulus
..................+++
......................................................+++
e is 65537 (0x10001)
[root@master01 pki]# openssl req -new -out tk8s.csr -key tk8s.key -subj "/CN=tk8s"
[root@master01 pki]# openssl x509 -req -in tk8s.csr -out tk8s.crt -signkey tk8s.key -CA ca.crt -CAkey ca.key -CAcreateserial -days 365
Signature ok
subject=/CN=tk8s
Getting Private key
Getting CA Private Key
[root@master01 pki]# ls
apiserver.crt apiserver.key ca.crt etcd front-proxy-client.crt tk8s.csr sa.pub
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.crt front-proxy-client.key tk8s.key
apiserver-etcd-client.key apiserver-kubelet-client.key ca.srl front-proxy-ca.key tk8s.crt sa.key
在 kubeconfig 中建立 k8s 用户条目。--embed-certs=true 会把证书和私钥的内容直接写入 kubeconfig，因此该文件本身就是登录凭据，应限制为仅所有者可读。
[root@master01 pki]# kubectl config set-credentials tk8s --client-certificate=tk8s.crt --client-key=tk8s.key --embed-certs=true
User "tk8s" set.
[root@master01 pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.48.101:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: tk8s
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
创建 k8s 上下文（上下文把一个集群条目和一个用户条目关联在一起）
[root@master01 pki]# kubectl config set-context tk8s@kubernetes --cluster=kubernetes --user=tk8s
Context "tk8s@kubernetes" created.
[root@master01 pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.48.101:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: tk8s
name: tk8s@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: tk8s
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
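切换上下文。切换后 kubectl 以 tk8s 的身份访问集群；在启用 RBAC 的集群中，如果尚未通过 RoleBinding 或 ClusterRoleBinding 为 tk8s 授权，访问资源的请求会被 API Server 拒绝，授权时应只授予该用户所需的最小权限。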
[root@master01 ~]# kubectl config use-context tk8s@kubernetes
Switched to context "tk8s@kubernetes".
[root@master01 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.48.101:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: tk8s
name: tk8s@kubernetes
current-context: tk8s@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: tk8s
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
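创建新的集群条目。这一步只是在 kubeconfig 中新增一个名为 k8s 的集群条目，它指向同一个 API Server，并不会创建新的 Kubernetes 集群；要使用它，还需要创建引用该条目的上下文。（下面输出中的 current-context 又变回 kubernetes-admin@kubernetes，应是中间切换回了管理员上下文，该步骤未在文中显示。）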
[root@master01 ~]# kubectl config set-cluster k8s --certificate-authority=/etc/kubernetes/pki/ca.crt --server="https://192.168.48.101:6443" --embed-certs=true
Cluster "k8s" set.
[root@master01 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.48.101:6443
name: k8s
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://192.168.48.101:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: tk8s
name: tk8s@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: tk8s
user:
client-certificate-data: REDACTED
client-key-data: REDACTED