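In most cases, certificates are needed for secure access to a service (that is, HTTPS access). In a Kubernetes cluster where anonymous access is disabled and both HTTPS access and mutual TLS authentication are enabled, the apiserver must also verify that each client is legitimate, for example when components on a worker node reach the apiserver over HTTPS. The components on the worker nodes therefore need kubeconfig authentication files, generated here, to connect to the apiserver.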
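# Package, download location and target directories
PACKAGE=kubernetes-server-v1.12.0-linux-amd64.tar.gz
K8S_DOWNLOAD_URL=https://github.com/devops-apps/download/raw/master/kubernetes/$PACKAGE
K8S_CONF_PATH=/etc/k8s/kubernetes
K8S_KUBECONFIG_PATH=/etc/k8s/kubeconfig
KUBE_APISERVER=https://dev-kube-api.mo9.com
SOFTWARE=/root/software
# CA_DIR (used below) must point to the directory holding ca.pem and the component certificates; it is not set on this page
# Bootstrap token: 16 random bytes written as 32 hex characters
BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
# Download and unpack the server package, then install the client binaries
sudo wget $K8S_DOWNLOAD_URL -P $SOFTWARE
cd $SOFTWARE
tar -xzf kubernetes-server-v1.12.0-linux-amd64.tar.gz -C ./
cp -fp kubernetes/server/bin/{kubectl,kubens} /usr/local/sbin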
if [ ! -d "$K8S_CONF_PATH" ]; then
mkdir -p $K8S_CONF_PATH
fi
if [ ! -d "$K8S_KUBECONFIG_PATH" ]; then
mkdir -p $K8S_KUBECONFIG_PATH
fi
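# Static token file read by the apiserver (format: token,user,uid,"group"); it holds the bootstrap token in clear text
cat > ${K8S_CONF_PATH}/token.csv <<EOF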
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
# kubeconfig for kube-controller-manager (client certificate authentication)
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=${CA_DIR}/kube-controller-manager.pem \
--client-key=${CA_DIR}/kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config set-context system:kube-controller-manager \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
kubectl config use-context system:kube-controller-manager \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-controller-manager.kubeconfig
# kubeconfig for kube-scheduler (client certificate authentication)
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler \
--client-certificate=${CA_DIR}/kube-scheduler.pem \
--client-key=${CA_DIR}/kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config set-context system:kube-scheduler \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
kubectl config use-context system:kube-scheduler \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-scheduler.kubeconfig
# bootstrap kubeconfig for kubelet (token authentication)
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config set-credentials kubelet-bootstrap \
--token=${BOOTSTRAP_TOKEN} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kubelet-bootstrap \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
kubectl config use-context default \
--kubeconfig=${K8S_KUBECONFIG_PATH}/bootstrap.kubeconfig
# kubeconfig for kube-proxy (client certificate authentication)
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
--client-certificate=${CA_DIR}/kube-proxy.pem \
--client-key=${CA_DIR}/kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
kubectl config use-context default \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kube-proxy.kubeconfig
# kubeconfig for kubectl, using the admin certificate
kubectl config set-cluster kubernetes \
--certificate-authority=${CA_DIR}/ca.pem \
--embed-certs=true \
--server=${KUBE_APISERVER} \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config set-credentials admin \
--client-certificate=${CA_DIR}/admin.pem \
--client-key=${CA_DIR}/admin-key.pem \
--embed-certs=true \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=admin \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
kubectl config use-context kubernetes \
--kubeconfig=${K8S_KUBECONFIG_PATH}/kubectl.kubeconfig
Note: a kubeconfig file is the authentication file used to connect securely to the apiserver service.
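A check to run on the generated files before they are distributed, as an added example that is not part of the original guide: it flags a kubeconfig that is accessible beyond its owner, points at a non-HTTPS server, or lacks the embedded CA and client credentials that `--embed-certs=true` should have produced. The function names and the two sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a kubeconfig before copying it to other nodes.
# Prints one finding per line; prints nothing when every check passes.
audit_kubeconfig() {
  local f=$1 perms
  [ -f "$f" ] || { echo "$f: missing"; return; }
  # Characters 5-10 of `ls -l` output are the group/other permission bits.
  perms=$(ls -ld "$f" | cut -c5-10)
  [ "$perms" = "------" ] || echo "$f: accessible beyond owner ($perms)"
  grep -Eq '^ *server: *https://' "$f" ||
    echo "$f: server is not an https:// URL"
  grep -Eq '^ *certificate-authority-data:' "$f" ||
    echo "$f: CA certificate is not embedded"
  # A path reference breaks once the file lands on a node without that path.
  if grep -Eq '^ *client-(certificate|key):' "$f"; then
    echo "$f: client cert/key referenced by path, not embedded"
  fi
  # bootstrap.kubeconfig carries a token; the others carry a cert and key.
  if ! grep -Eq '^ *token:' "$f"; then
    { grep -Eq '^ *client-certificate-data:' "$f" &&
      grep -Eq '^ *client-key-data:' "$f"; } ||
      echo "$f: no embedded client cert/key and no token"
  fi
}

# Constructed samples; values are placeholders, not real certificates.
make_samples() {
  cat > "$1/good.kubeconfig" <<EOF
clusters:
- cluster:
    certificate-authority-data: PLACEHOLDER
    server: https://dev-kube-api.mo9.com
users:
- user:
    client-certificate-data: PLACEHOLDER
    client-key-data: PLACEHOLDER
EOF
  chmod 600 "$1/good.kubeconfig"
  cat > "$1/bad.kubeconfig" <<EOF
clusters:
- cluster:
    server: http://dev-kube-api.mo9.com
users:
- user:
    client-certificate: /path/to/kube-proxy.pem
    client-key: /path/to/kube-proxy-key.pem
EOF
  chmod 644 "$1/bad.kubeconfig"
}
```

Against the real output, run it as `for f in $K8S_KUBECONFIG_PATH/*.kubeconfig; do audit_kubeconfig "$f"; done` and treat any printed line as a reason not to copy that file yet.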
Master nodes:
cd $K8S_KUBECONFIG_PATH
ansible master_k8s_vgs -m copy -a \
"src=kube-controller-manager.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b
ansible master_k8s_vgs -m copy -a \
"src=kube-scheduler.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b
Worker nodes:
cd $K8S_KUBECONFIG_PATH
ansible worker_k8s_vgs -m copy -a \
"src=bootstrap.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b
ansible worker_k8s_vgs -m copy -a \
"src=kube-proxy.kubeconfig dest=$K8S_KUBECONFIG_PATH/ " -b
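With the authentication files for the Kubernetes cluster components created, the next step is to deploy the cluster components themselves, starting with the etcd cluster; see: Kubernetes Cluster Installation Guide: etcd Cluster Deployment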
Page title: Kubernetes Cluster Installation Guide: Client Installation and Creation of Component Authentication Files