OpenShift 4.x HOL Tutorial Collection
Note: this article has been verified on OpenShift 4.6.
When OpenShift is installed, a public key is supplied to the installer, and the matching private key can then be used to log in directly to the cluster nodes. The key is needed to log in to nodes during the installation itself. After the cluster has been installed you can also enter a node with the "oc debug" command, but it is still worth keeping a key that works, so that the nodes stay reachable when the OpenShift API server is unavailable.
Create a new SSH key pair
Run the following commands to create a new SSH key pair:
$ mkdir ssh-key
$ ssh-keygen -N '' -f ssh-key/id_rsa
Generating public/private rsa key pair.
Your identification has been saved in ./id_rsa.
Your public key has been saved in ./id_rsa.pub.
The key fingerprint is:
SHA256:TdXJAwu5jhA8/oKtprjzDTKwH5Eq+imEJttCrUT42uU xiaoyliu-redhat.com@bastion.pek-e7a3.internal
The key's randomart image is:
+---[RSA 3072]----+
| . ..o+ . |
| + .o .= |
|. . o ... . |
|.. . o o. |
|+.+ o oSo. |
|+B.oo o o . |
|%=+o . . |
|O*o=E |
|+B*o. |
+----[SHA256]-----+
Check the public key in the generated files.
$ ll ssh-key/
total 8
-rw-------. 1 xiaoyliu-redhat.com users 2643 Apr 4 11:33 id_rsa
-rw-r--r--. 1 xiaoyliu-redhat.com users 599 Apr 4 11:33 id_rsa.pub
$ more ssh-key/id_rsa.pub
ssh-rsa <public key body elided> xiaoyliu-redhat.com@bastion.pek-e7a3.internal
Retrieve the SSH key OpenShift currently uses
The SSH key is stored in OpenShift's MachineConfig objects; export it with the following commands:
$ oc get mc 99-master-ssh -o yaml > 99-master-ssh.yml
$ oc get mc 99-worker-ssh -o yaml > 99-worker-ssh.yml
View the file contents: the "ssh-rsa" entry under "sshAuthorizedKeys" is the public key.
...
spec:
  config:
    ignition:
      version: 3.2.0
    passwd:
      users:
      - name: core
        sshAuthorizedKeys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCje3xSJLcOXbSBKVNPATHA7hYCmaUyupqOVjw0InTLlwwNyIZg0tKV5x1vYxcMJPy4V3jdOCclAqaeNqWzOD4EAKIQ07MNihPuFZckHDpXLsuV09vfD0iUSE6uM97KhrcDl4gghTYn5z+ltS7ToNFoSxLJDmMVKPpANuagu9Yh+4TXVL5z4MMNmTKzuNBHzuZSaQK65HNTZivMXDlmGGrrsPB+F1Cy9xMT28omlZTKq0AUw8ck6fG5ysR4hRjPFFPZU3GZF+1tcpT8vPbh4e/1lwvfmlFk+ATzQlddv6PjifqzoBvczsXWYtggWWJlBPFZ3rZH72Mvm2RrR+iUhc6h root@support
...
Update OpenShift's SSH key
Add the public key generated in the first step to the 99-master-ssh.yml and 99-worker-ssh.yml files exported in the previous step.
...
        sshAuthorizedKeys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1sUtNm/u8EPq13a2L5vhtEl/QtrKy8Vi9LYy2iSLtGi3uJ9l3kdFpccq/kxWoCfHk5EHsz1UDdehDG4sSf/XdSLLUfTp0VBLW2yqEVq0+5xW236h5c8ShZ3HM0ZS1Gl7z6tW0M9agW/au6Siqq/Cvrt+42nWlv8+tuoaQe44aTf9Rj4thiOUhRlu2A+WHpZMsqZgKph78B2VFa6UHMTqSmuPoMP56Z9HVi7/zWKx+InxaqWY9ohrDRpVcjer85br4EZ865wRkkzNk4Qf5SXcYcHbULBld3r9aS4RUxFLVJhtIkKudgJm0C0OcpEQoEjNxfgv7yHN54dbBwM9EvdMv ec2-user@bastion.pek-e7a3.internal
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDf6NJpKq6qN97045mtBnSyLO1lMe9MQ43bPJ9+55WOkcZmPs3RrRjGRdFKN4qLkvleZVhNeabXvR79tmFal0npPbysjHEWQojzeLBYxhOTUgiGvLBjofAQxnfzsCaS24WzdltdBcWOVRliG6kF8h7aYhq4bW3uepJeocG2T4nA2bCS1gqmthIkZeeqx6BrifCfDfTNOcvIhAN61Jv8xo91f/9C6gmgMUb0O16yTpnPeVVfaAq2YKTUGzpZ5HwjOCKTMhv7ij5MHncAZgeS7AoZBY/0SeWidNgttF7xYeg1GISj8ii/4n/5fhUV0zJkDyUPUOqTaq25Ge+590xfIJcMnj18QA+DwKDDndjbKUgjfpnL6PHLYBFwVIN24Lz7AI2lzRS8i05mihma+nvOgZ0o49+CLUPrlBX2D/RAzRBfIsEsx/bld4jn812DrFwJuIwTcYVa1+YhGj86Nrk+JNKi84xBN6EMJMwhU5NEFt8g2AT/Cvh1KD6WOyQ1ub6Gaoc= xiaoyliu-redhat.com@bastion.pek-e7a3.internal
...
Run the following commands to update the MachineConfig of the cluster nodes:
$ oc apply -f 99-master-ssh.yml
$ oc apply -f 99-worker-ssh.yml
You can check the reboot status of the nodes:
$ oc get MachineConfigPool
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
master rendered-master-42216de6f0c6919dae3b07593e9b7e27 True False False 3 3 3 0 4d10h
worker rendered-worker-45768542f13f0b2cd71b09fa9461d063 True False False 2 2 2 0 4d10h
You can also follow the machine-config-daemon log of a node (set NODE to the node's name first):
$ oc -n openshift-machine-config-operator logs -c machine-config-daemon $(oc -n openshift-machine-config-operator get pod -l k8s-app=machine-config-daemon --field-selector spec.nodeName=${NODE} -o name) -f
...
I0111 19:59:07.360110 7993 update.go:258] SSH Keys reconcilable
...
I0111 19:59:07.371253 7993 update.go:569] Writing SSHKeys at "/home/core/.ssh"
...
I0111 19:59:07.372208 7993 update.go:613] machine-config-daemon initiating reboot: Node will reboot into config worker-96b48815fa067f651fa50541ea6a9b5d
...
Finally, log in to a cluster node with the new key:
ssh -i ssh-key/id_rsa core@<OC-NODE>
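The public-key injection and the rollout check from the steps above, written as an added example that is not part of the original post or of the OpenShift project. It reads the MachineConfig as JSON (oc get mc 99-worker-ssh -o json, which avoids needing a YAML library), validates the new authorized_keys line before adding it, appends it only if it is not already present, and reports when a MachineConfigPool has finished rolling the change out. The script name add_ssh_key.py, the sample keys (correct wire framing, dummy key material) and the MachineConfigPool status objects are constructed for this example; the Ignition 3.x layout it expects is the one shown on this page.

```python
"""Add an SSH public key to an OpenShift MachineConfig and check the rollout.

Added example (not from the original post): stdlib only, operates on the JSON
that `oc get ... -o json` prints, assuming the Ignition 3.x layout seen above.
"""
import base64
import copy
import json
import struct
import sys


def parse_public_key(line):
    """Validate one OpenSSH authorized_keys entry; return (type, base64, comment).

    The base64 body must decode, and the key type embedded in the wire format
    must match the text prefix, so a truncated or hand-mangled key is rejected
    before it is written to every node in the pool.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"key body is not valid base64: {exc}") from exc
    if len(blob) < 4:
        raise ValueError("key body too short")
    (n,) = struct.unpack(">I", blob[:4])  # first field: length-prefixed type string
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError(f"prefix {key_type!r} does not match embedded type {embedded!r}")
    return key_type, body, comment


def is_valid_key(line):
    """Boolean wrapper around parse_public_key."""
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


def add_authorized_key(mc, pubkey_line, user="core"):
    """Return a copy of MachineConfig `mc` with pubkey_line added for `user`.

    Idempotent: a key whose base64 body is already listed is not added twice.
    Existing keys are kept, so the old private key keeps working until its
    entry is removed deliberately after the new key has been tested.
    """
    key_type, body, comment = parse_public_key(pubkey_line)
    new = copy.deepcopy(mc)
    users = new["spec"]["config"].setdefault("passwd", {}).setdefault("users", [])
    for entry in users:
        if entry.get("name") == user:
            break
    else:
        entry = {"name": user}
        users.append(entry)
    keys = entry.setdefault("sshAuthorizedKeys", [])
    present = {k.split()[1] for k in keys if len(k.split()) >= 2}
    if body not in present:
        keys.append(f"{key_type} {body} {comment}".rstrip())
    return new


def rollout_complete(mcp):
    """True once a MachineConfigPool (dict from `oc get mcp <name> -o json`) has
    finished: Updated=True, Updating=False, Degraded=False and every machine on
    the new rendered config. Only then does every node accept the new key."""
    status = mcp.get("status", {})
    conds = {c["type"]: c.get("status") == "True" for c in status.get("conditions", [])}
    return (conds.get("Updated", False)
            and not conds.get("Updating", False)
            and not conds.get("Degraded", False)
            and status.get("degradedMachineCount", 0) == 0
            and status.get("machineCount", 0) == status.get("updatedMachineCount", -1))


def constructed_key(material, key_type="ssh-ed25519", comment="constructed@example"):
    """Constructed sample: correct wire framing but dummy material; NOT a usable key."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(material)) + material)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


OLD_KEY = constructed_key(b"\x01" * 32, comment="installer@bastion")
NEW_KEY = constructed_key(b"\x02" * 32, comment="rotated@bastion")

SAMPLE_MC = {  # constructed; mirrors the 99-worker-ssh layout shown on the page
    "apiVersion": "machineconfiguration.openshift.io/v1",
    "kind": "MachineConfig",
    "metadata": {"name": "99-worker-ssh"},
    "spec": {"config": {"ignition": {"version": "3.2.0"},
                        "passwd": {"users": [{"name": "core", "sshAuthorizedKeys": [OLD_KEY]}]}}},
}
SAMPLE_MCP_DONE = {"status": {"machineCount": 2, "updatedMachineCount": 2, "degradedMachineCount": 0,
                              "conditions": [{"type": "Updated", "status": "True"},
                                             {"type": "Updating", "status": "False"},
                                             {"type": "Degraded", "status": "False"}]}}
SAMPLE_MCP_BUSY = {"status": {"machineCount": 2, "updatedMachineCount": 1, "degradedMachineCount": 0,
                              "conditions": [{"type": "Updated", "status": "False"},
                                             {"type": "Updating", "status": "True"},
                                             {"type": "Degraded", "status": "False"}]}}

if __name__ == "__main__":
    # Usage: oc get mc 99-worker-ssh -o json | python3 add_ssh_key.py ssh-key/id_rsa.pub | oc apply -f -
    with open(sys.argv[1]) as fh:
        updated = add_authorized_key(json.load(sys.stdin), fh.read())
    json.dump(updated, sys.stdout, indent=2)
```

Run it once per pool (99-master-ssh and 99-worker-ssh) and pipe the output to oc apply -f - exactly as the page does with the YAML files. By default the machine-config-daemon drains and reboots the nodes of a pool one at a time, so test the new key only after rollout_complete is true for both pools (feed it oc get mcp worker -o json); once the new key works, remove the old entry from sshAuthorizedKeys in the same way so that the old private key stops being accepted.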