一.简介
生产环境常用二进制部署,二进制部署与kubeadm部署方式不同的是,二进制安装方式需要自己生成所有的证书,包括etcd及k8s组件的(kube-apiserver,kube-controller-manager,kube-scheduler等)证书。证书有效期可以直接更改为876000小时,即100年,生成证书时注意IP地址不要漏掉,可以预留,不能少。
使用kubeadm安装k8s时,kubectl连接API用到的kubeconfig文件是kubeadm自动生成的,使用二进制安装方式需要手动生成。
二.二进制部署kubernetes
1.资源分配 centos7.X
master | 192.168.77.159 | 2C 8G | kube-apiserver,kube-controller-manager,kube-scheduler,etcd1 |
node1 | 192.168.77.156 | 2C 8G | kubelet,kube-proxy,docker ,etcd2 |
node2 | 192.168.77.157 | 2C 8G | kubelet,kube-proxy,docker ,etcd3 |
node3 | 192.168.77.158 | 2C 8G | kubelet,kube-proxy,docker ,etcd4 |
2.虚拟机准备
#以下步骤k8s所有节点执行
#配置hosts
cat >> /etc/hosts << EOF
192.168.77.159 master
192.168.77.156 node1
192.168.77.157 node2
192.168.77.158 node2
EOF
#关闭防火墙
systemctl stop firewalld
systemctl disable firewalld
#关闭selinux
setenforce 0
sed -i 's/enforcing/disabled/' /etc/selinux/config
#关闭swap分区
#临时关闭
swapoff -a && sysctl -w vm.swappiness=0
#永久关闭
sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab
#允许iptable检查桥接流量
cat <<EOF | tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF
cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
#检查各个节点MAC地址或product_uuid,虚拟机可能会不一样
ifconfig ens33 | grep ether | awk '{print $2}'
cat /sys/class/dmi/id/product_uuid
#时间同步
yum install ntpdate -y
ntpdate time2.windows.com
clock -w
3.部署etcd存储集群
准备证书生成工具cfssl
#master节点
#安装开源证书生成工具cfssl
#cfssl软件包下载 可以浏览器下载后上传
mkdir -p /k8s/softwares
cd /k8s/softwares
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
#授予执行权限
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
#创建软连接
ln -s /k8s/softwares/cfssl_linux-amd64 /usr/local/bin/cfssl
ln -s /k8s/softwares/cfssljson_linux-amd64 /usr/local/bin/cfssljson
ln -s /k8s/softwares/cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
自签证书颁发机构CA并自签etcd的https证书
#master节点
#创建cfssl工作目录
mkdir -p /k8s/softwares/TLS/{etcd,k8s}
cd /k8s/softwares/TLS/etcd
#自签证书颁发机构CA 过期时间100年
cat > ca-config.json << 'EOF'
{
"signing": {
"default": {
"expiry": "876000h"
},
"profiles": {
"etcd": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json << 'EOF'
{
"CN": "etcd",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
#生成ca证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#检查生成证书
ll *.pem
#签发etcd的https证书
cat > server-csr.json << 'EOF'
{
"CN": "etcd",
"hosts": [
"192.168.77.156",
"192.168.77.157",
"192.168.77.158",
"192.168.77.159"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
#hosts字段中IP为所有节点ip,一个不能少,为方便扩容IP可预留
#生成etcd的https证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd server-csr.json | cfssljson -bare server
#检查生成证书
ll server*.pem
部署etcd集群 github下载地址
#master节点操作
#etcd软件包下载 可以浏览器下载后上传
mkdir -p /k8s/softwares/ && cd /k8s/softwares/
wget https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
#创建etcd工作目录
mkdir -p /opt/etcd/{bin,cfg,ssl}
#解压
tar xf etcd-v3.4.9-linux-amd64.tar.gz
#etcd执行文件移动到/opt/etcd/bin/
cp /k8s/softwares/etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
#创建etcd配置文件(注意各个节点配置要修改)
cat > /opt/etcd/cfg/etcd.conf << 'EOF'
#[Member]
#节点名称 全局唯一 其他三个为etcd2 etcd3 etcd4
ETCD_NAME="etcd1"
#数据目录
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#集群通信监听地址 对应各个服务器本地IP
ETCD_LISTEN_PEER_URLS="https://192.168.77.159:2380"
#客户端访问监听地址 对应各个服务器本地IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.77.159:2379"
#[Clustering]
#集群通告地址 对应各个服务器本地IP
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.77.159:2380"
#客户端通告地址 对应各个服务器本地IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.77.159:2379"
#集群节点地址
ETCD_INITIAL_CLUSTER="etcd1=https://192.168.77.159:2380,etcd2=https://192.168.77.156:2380,etcd3=https://192.168.77.157:2380,etcd4=https://192.168.77.158:2380"
#集群token
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#加入集群的当前状态 new加入新集群
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
#将生成的etcd证书拷贝到/opt/etcd/ssl/目录下
cd /k8s/softwares/TLS/etcd
cp ca.pem /opt/etcd/ssl/
cp ca-key.pem /opt/etcd/ssl/
cp server.pem /opt/etcd/ssl/
cp server-key.pem /opt/etcd/ssl/
#配置systemd管理etcd
cat > /usr/lib/systemd/system/etcd.service << 'EOF'
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
#将maser上/opt/etcd下的文件拷贝到其他各个节点
scp -r /opt/etcd/ root@192.168.77.156:/opt/
scp -r /opt/etcd/ root@192.168.77.157:/opt/
scp -r /opt/etcd/ root@192.168.77.158:/opt/
#将maser上etcd.service文件拷贝到其他各个节点
scp /usr/lib/systemd/system/etcd.service root@192.168.77.156:/usr/lib/systemd/system/
scp /usr/lib/systemd/system/etcd.service root@192.168.77.157:/usr/lib/systemd/system/
scp /usr/lib/systemd/system/etcd.service root@192.168.77.158:/usr/lib/systemd/system/
#各个节点修改/opt/etcd/cfg/etcd.conf配置文件
#etcd2节点操作 192.168.77.156
sed -i 's/ETCD_NAME="etcd1"/ETCD_NAME="etcd2"/g' /opt/etcd/cfg/etcd.conf
sed -i '1,14s/192.168.77.159/192.168.77.156/g' /opt/etcd/cfg/etcd.conf
#etcd3节点操作 192.168.77.157
sed -i 's/ETCD_NAME="etcd1"/ETCD_NAME="etcd3"/g' /opt/etcd/cfg/etcd.conf
sed -i '1,14s/192.168.77.159/192.168.77.157/g' /opt/etcd/cfg/etcd.conf
#etcd4节点操作 192.168.77.158
sed -i 's/ETCD_NAME="etcd1"/ETCD_NAME="etcd4"/g' /opt/etcd/cfg/etcd.conf
sed -i '1,14s/192.168.77.159/192.168.77.158/g' /opt/etcd/cfg/etcd.conf
#所有etcd节点操作
#重新加载systemd
systemctl daemon-reload
#设置开启启动
systemctl start etcd
systemctl enable etcd
#使用ETCDCTL_API=3命令行工具查看etcd集群状态
ETCDCTL_API=3 /opt/etcd/bin/etcdctl \
--cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem \
--endpoints="https://192.168.77.156:2379,https://192.168.77.156:2379,https://192.168.77.156:2379,https://192.168.77.159:2379" \
endpoint health
etcd默认使用2379端口对外提供服务,使用端口2380端口对内提供服务
4.docker部署 docker下载地址
#所有节点执行
#下载docker二进制软件包
cd /k8s/softwares/
wget https://download.docker.com/linux/static/stable/x86_64/docker-20.10.24.tgz
#解压
tar -xf docker-20.10.24.tgz
#将docker文件复制到/usr/bin/
cp -r ./docker/* /usr/bin/
#配置镜像加速
mkdir -p /etc/docker
cat > /etc/docker/daemon.json << 'EOF'
{ "registry-mirrors": [
"https://docker.rainbond.cc",
"https://docker.m.daocloud.io",
"https://mirror.baidubce.com",
"https://docker.mirrors.ustc.edu.cn",
"https://docker.nju.edu.cn",
"https://mirror.iscas.ac.cn"]
}
EOF
#配置systemd管理docker
cat > /etc/systemd/system/docker.service <<'EOF'
[Unit]
Description=Docker Service
After=network.target
[Service]
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
#重新加载systemd
systemctl daemon-reload
#启动docker 开机自启
systemctl start docker
systemctl enable docker
5.部署master node(安装api-server ,control manager ,scheduler组件)
#master节点
#生成kube-apiserver证书
#自签证书颁发机构CA 过期时间100年
cd /k8s/softwares/TLS/k8s
cat > ca-config.json << 'EOF'
{
"signing": {
"default": {
"expiry": "876000h"
},
"profiles": {
"kubernetes": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json << 'EOF'
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "kubernetes",
"OU": "System"
}
]
}
EOF
#生成ca证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#检查生成证书
ll *.pem
#签发kube-apiserver的https证书
cat > server-csr.json << 'EOF'
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.77.156",
"192.168.77.157",
"192.168.77.158",
"192.168.77.159",
"192.168.77.160",
"192.168.77.161",
"192.168.77.162",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "kubernetes",
"OU": "System"
}
]
}
EOF
#hosts字段中IP为所有节点及lb相关ip,一个不能少,为方便扩容IP可预留
#生成kube-apiserver的https证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
#检查生成证书
ll server*.pem
部署kubernetes组件 github下载地址 Server Binaries
#master节点
#下载二进制软件包
cd /k8s/softwares/
wget https://dl.k8s.io/v1.23.17/kubernetes-server-linux-amd64.tar.gz
#创建k8s工作目录
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
#解压
tar xf kubernetes-server-linux-amd64.tar.gz
#拷贝到k8s工作目录下
cd kubernetes/server/bin
cp kube-apiserver kube-scheduler kube-controller-manager /opt/kubernetes/bin
#创建软连接
ln -s /opt/kubernetes/bin/* /usr/local/bin/
#kubectl拷贝到/usr/bin/
cp kubectl /usr/bin/
部署kube-apiserver
cat > /opt/kubernetes/cfg/kube-apiserver.conf << 'EOF'
KUBE_APISERVER_OPTS="--v=2 \
--logtostderr=false \
--log-dir=/opt/kubernetes/logs \
--etcd-servers=https://192.168.77.156:2379,https://192.168.77.157:2379,https://192.168.77.158:2379,https://192.168.77.159:2379 \
--bind-address=192.168.77.159 \
--secure-port=6443 \
--advertise-address=192.168.77.159 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-32767 \
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--service-account-signing-key-file=/opt/kubernetes/ssl/server-key.pem \
--service-account-issuer=https://kubernetes.default.svc.cluster.local \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
EOF
#将生成的kube-apiserver证书拷贝到/opt/kubernetes/ssl/目录下
cd /k8s/softwares/TLS/k8s
cp ca.pem /opt/kubernetes/ssl/
cp ca-key.pem /opt/kubernetes/ssl/
cp server.pem /opt/kubernetes/ssl/
cp server-key.pem /opt/kubernetes/ssl/
#创建token文件 启用TLS Bootstrapping机制需要
#生成token 随机字符串
head -c 16 /dev/urandom | od -An -t x | tr -d ' '
60c6bd0e973c8956870d8338c8d1f6f7
#创建token文件 格式: token,用户名,UID,用户组
cat > /opt/kubernetes/cfg/token.csv << 'EOF'
60c6bd0e973c8956870d8338c8d1f6f7,kubelet-bootstrap,10001,"system:node-bootstrapper"
EOF
#配置systemdctl管理apiserver
cat > /usr/lib/systemd/system/kube-apiserver.service << 'EOF'
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver $KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
#重新加载systemd
systemctl daemon-reload
#启动 开机自启
systemctl start kube-apiserver
systemctl enable kube-apiserver
#检查进程 端口6443用于接收HTTPS请求,用于基于Token文件或客户端证书等认证
netstat -tlunp | grep 6443
kube-api启动参数解释
--logtostderr:日志标准错误输出控制台
--v:日志等级
--log-dir:日志目录
--etcd-servers:etcd集群地址
--bind-address:监听地址 默认0.0.0.0
--secure-port:https安全端口 默认6443
--advertise-address:集群通告地址
--allow-privileged:启用授权
--service-cluster-ip-range:Service虚拟IP地址段,指定Service Cluster IP地址段
--enable-admission-plugins:准入控制模块 AAA
--authorization-mode:认证授权,启用RBAC授权和节点自管理
--enable-bootstrap-token-auth:启用TLS bootstrap机制,apiserver上启用Bootstrap Token认证
--token-auth-file:指定bootstrap token文件路径
--service-node-port-range:Service nodeport类型默认分配端口范围
--kubelet-client-xxx:apiserver访问kubelet客户端证书
--service-account-xxx:1.27版本必须添加--service-account-issuer,--service-account-signing-key-file
--tls-xxx-file:apiserver https证书
--etcd-xxxfile:连接Etcd集群证书
--audit-log-xxx:审计日志
部署kube-control-manager
#创建证书请求文件
cd /k8s/softwares/TLS/k8s
cat > kube-controller-manager-csr.json << 'EOF'
{
"CN": "system:kube-controller-manager",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
#生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
#生成kubeconfig文件
KUBE_CONFIG="/opt/kubernetes/cfg/kube-controller-manager.kubeconfig"
KUBE_APISERVER="https://192.168.77.159:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-credentials kube-controller-manager \
--client-certificate=./kube-controller-manager.pem \
--client-key=./kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-controller-manager \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
#创建配置文件
cat > /opt/kubernetes/cfg/kube-controller-manager.conf << 'EOF'
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--leader-elect=true \
--kubeconfig=/opt/kubernetes/cfg/kube-controller-manager.kubeconfig \
--bind-address=127.0.0.1 \
--allocate-node-cidrs=true \
--cluster-cidr=10.244.0.0/16 \
--service-cluster-ip-range=10.0.0.0/24 \
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
--root-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
--cluster-signing-duration=876000h0m0s"
EOF
#配置systemd管理kube-control-manager
cat > /usr/lib/systemd/system/kube-controller-manager.service << 'EOF'
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
#重新加载systemd
systemctl daemon-reload
#启动 开机自启
systemctl start kube-controller-manager
systemctl enable kube-controller-manager
部署kube-scheduler
#创建证书请求文件
cd /k8s/softwares/TLS/k8s
cat > kube-scheduler-csr.json << 'EOF'
{
"CN": "system:kube-scheduler",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
#生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler
#生成kubeconfig文件
KUBE_CONFIG="/opt/kubernetes/cfg/kube-scheduler.kubeconfig"
KUBE_APISERVER="https://192.168.77.159:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
cd /k8s/softwares/TLS/k8s
kubectl config set-credentials kube-scheduler \
--client-certificate=./kube-scheduler.pem \
--client-key=./kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-scheduler \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
#创建配置文件
cat > /opt/kubernetes/cfg/kube-scheduler.conf << 'EOF'
KUBE_SCHEDULER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--leader-elect=true \
--kubeconfig=/opt/kubernetes/cfg/kube-scheduler.kubeconfig \
--bind-address=127.0.0.1"
EOF
#配置systemd管理scheduler
cat > /usr/lib/systemd/system/kube-scheduler.service << 'EOF'
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler $KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
#重新加载systemd
systemctl daemon-reload
#开启 开机启动
systemctl start kube-scheduler
systemctl enable kube-scheduler
查看集群状态
kubectl get cs
The connection to the server localhost:8080 was refused - did you specify the right host or port?
生成kubectl连接kubeconfig文件
#生成kubectl连接集群的证书和私钥,具有admin权限
#创建证书请求文件
cd /k8s/softwares/TLS/k8s
cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
#生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
#生成kubectl连接kubeconfig文件
mkdir /root/.kube
KUBE_CONFIG="/root/.kube/config"
KUBE_APISERVER="https://192.168.77.159:6443"
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${KUBE_CONFIG}
cd /k8s/softwares/TLS/k8s
kubectl config set-credentials cluster-admin \
--client-certificate=./admin.pem \
--client-key=./admin-key.pem \
--embed-certs=true \
--kubeconfig=${KUBE_CONFIG}
kubectl config set-context default \
--cluster=kubernetes \
--user=cluster-admin \
--kubeconfig=${KUBE_CONFIG}
kubectl config use-context default --kubeconfig=${KUBE_CONFIG}
查看集群状态
#使用kubectl查看集群状态
kubectl get cs