【Kubernetes硬核部署方式kubernetes-the-hard-way】03-kubernetes各组件的认证配置
三、kubernetes各组件的认证配置
kubernetes的认证配置文件,也叫kubeconfigs,用于让kubernetes的客户端定位kube-apiserver并通过apiserver的安全认证。
接下来我们一起来生成各个组件的kubeconfigs,包括controller-manager,kubelet,kube-proxy,scheduler,以及admin用户。
注意:以下命令需要与上一节“生成证书”在同一个目录下执行
1. kubelet
# 指定你的worker列表(hostname),空格分隔
$ WORKERS="node-2 node-3"
$ for instance in ${WORKERS}; do
kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=${instance}.kubeconfig
kubectl config set-credentials system:node:${instance} \
--client-certificate=${instance}.pem \
--client-key=${instance}-key.pem \
--embed-certs=true \
--kubeconfig=${instance}.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=system:node:${instance} \
--kubeconfig=${instance}.kubeconfig
kubectl config use-context default --kubeconfig=${instance}.kubeconfig
done
# 检测是否生成配置文件
$ ll|grep kubeconfig
2. kube-proxy
kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials system:kube-proxy \
--client-certificate=kube-proxy.pem \
--client-key=kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=system:kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
# 检测是否生成配置文件
$ ll|grep kube-proxy
3. kube-controller-manager
kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=kube-controller-manager.pem \
--client-key=kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
# 检测是否生成配置文件
$ ll|grep kube-controller-manager
4. kube-scheduler
kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler \
--client-certificate=kube-scheduler.pem \
--client-key=kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
# 检测是否生成配置文件
$ ll|grep kube-scheduler
5. admin用户配置
为admin用户生成kubeconfig配置
kubectl config set-cluster kubernetes \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=admin.kubeconfig
kubectl config set-credentials admin \
--client-certificate=admin.pem \
--client-key=admin-key.pem \
--embed-certs=true \
--kubeconfig=admin.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=admin \
--kubeconfig=admin.kubeconfig
kubectl config use-context default --kubeconfig=admin.kubeconfig
# 检测是否生成配置文件
$ ll|grep kubeconfig
6. 分发配置文件
6.1把kubelet和kube-proxy需要的kubeconfig配置分发到每个worker节点
$ WORKERS="node-2 node-3"
$ for instance in ${WORKERS}; do
scp ${instance}.kubeconfig kube-proxy.kubeconfig ${instance}:~/
done
6.2 把kube-controller-manager和kube-scheduler需要的kubeconfig配置分发到master节点
$ MASTERS="node-1 node-2"
$ for instance in ${MASTERS}; do
scp admin.kubeconfig kube-controller-manager.kubeconfig kube-scheduler.kubeconfig ${instance}:~/
done