证书服务器上操作
cd /opt/certs
[root@hdss7-200 certs]# cat admin-csr.json
{ "CN": "admin", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "beijing", "L": "beijing", "O": "od", "OU": "ops" } ] }
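注意："hosts": [] 表示证书中不写入任何主机名或 IP（SAN），即不限定使用该证书的主机。这是一张客户端证书（下面签发时使用 -profile=client），apiserver 会把 CN（admin）当作用户名、把 O（od）当作用户组。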
# Sign admin-csr.json with the cluster CA and write the result as admin.*:
# admin.pem (certificate), admin-key.pem (private key) and admin.csr.
# The "client" profile is read from ca-config.json, which is not shown here.
# admin-key.pem is the secret half of the "admin" identity, so keep it
# readable by its owner only and off shared storage.
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=client \
  admin-csr.json \
  | cfssl-json -bare admin
生成的文件
[root@hdss7-200 certs]# ls | grep admin
admin.csr
admin-csr.json
admin-key.pem
admin.pem
[root@hdss
master上操作
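# Fetch the admin client certificate and its private key from the
# certificate host (hdss7-200) into the kubernetes cert directory.
cd /opt/kubernetes/server/bin/cert/
scp hdss7-200:/opt/certs/admin.pem ./
scp hdss7-200:/opt/certs/admin-key.pem ./
# The copied key authenticates as user "admin"; make sure it is not left
# group- or world-readable regardless of the umask in effect during scp.
chmod 600 admin-key.pem
cd ../conf/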
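# Build kube-admin.kubeconfig in the current directory, step by step.
# Each option sits on its own continuation line: a backslash followed by a
# space does not continue the line, it escapes the space and breaks the flag.

# 1. Cluster entry: API server endpoint plus the CA used to verify it.
kubectl config set-cluster myk8s \
  --certificate-authority=/opt/kubernetes/server/bin/cert/ca.pem \
  --embed-certs=true \
  --server=https://10.5.7.10:7443 \
  --kubeconfig=kube-admin.kubeconfig

# 2. Credentials for the admin account.
# --embed-certs=true copies the client certificate AND its private key into
# the kubeconfig, so the resulting file is itself a credential and must be
# protected like admin-key.pem.
kubectl config set-credentials admin \
  --client-certificate=/opt/kubernetes/server/bin/cert/admin.pem \
  --client-key=/opt/kubernetes/server/bin/cert/admin-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-admin.kubeconfig

# 3. Context: bind the admin account to the cluster it manages.
kubectl config set-context myk8s-context \
  --cluster=myk8s \
  --user=admin \
  --kubeconfig=kube-admin.kubeconfig

# 4. Select that context; normally done on the machine that will control the
#    cluster remotely.
kubectl config use-context myk8s-context --kubeconfig=kube-admin.kubeconfig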
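# Bind the "admin" user to a role.
# The manifest is written with a quoted heredoc so its YAML structure is
# explicit; editing k8s-admin.yaml by hand with the same content is equivalent.
#
# cluster-admin grants unrestricted access to every resource in the cluster.
# Anyone holding admin-key.pem, or a kubeconfig that embeds it, gets that
# access. The API server does not check certificate revocation, so a leaked key
# stays valid until the certificate expires or the CA is rotated; deleting this
# binding is the quick way to strip the privileges.
cat > k8s-admin.yaml <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: admin
EOF

kubectl create -f k8s-admin.yaml
# Inspect the binding just created; its metadata.name is "admin".
kubectl get clusterrolebinding admin -o yaml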
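在 hdss7-200 上：先把 master 上生成的 kube-admin.kubeconfig 拷贝过来，再把它复制到 ~/.kube/config。注意该文件内嵌了 admin 的客户端证书和私钥（--embed-certs=true），本身就等同于 cluster-admin 凭据，应保持仅属主可读（例如 chmod 600 ~/.kube/config），不要放到共享目录或提交到代码仓库。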
[root@hdss7-200 ~]# cp kube-admin.kubeconfig .kube/config
kubectl config use-context myk8s-context
[root@hdss7-200 ~]# kubectl config view
# 同时使用多个 kubeconfig 文件并查看合并后的配置
$ KUBECONFIG=~/.kube/config:~/.kube/kubconfig2 kubectl config view
命令大全参考
https://www.jianshu.com/p/0e3311bf94d5