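A kubeconfig file holds the credentials that kubelet and kube-proxy on the worker nodes use to access the cluster.
The following steps are performed on the master; the resulting files are distributed to the nodes together later.
Download the Kubernetes release package, then extract it.
Download page: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.12.md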
mkdir k8s_download
cd k8s_download
wget https://dl.k8s.io/v1.12.2/kubernetes-server-linux-amd64.tar.gz
After extracting, you can see these files:
[root@k8s-master-101 bin]# pwd
/root/k8s_download/kubernetes/server/bin
[root@k8s-master-101 bin]# ls
apiextensions-apiserver              kube-apiserver.docker_tag           kube-proxy.docker_tag
cloud-controller-manager             kube-apiserver.tar                  kube-proxy.tar
cloud-controller-manager.docker_tag  kube-controller-manager             kube-scheduler
cloud-controller-manager.tar         kube-controller-manager.docker_tag  kube-scheduler.docker_tag
hyperkube                            kube-controller-manager.tar         kube-scheduler.tar
kubeadm                              kubelet                             mounter
kube-apiserver                       kube-proxy
Set up kubectl on the master, using the binary from the extracted package:
cd k8s_download/kubernetes/server/bin/
chmod +x kubectl
mv kubectl /opt/kubernetes/bin
Create the TLS Bootstrapping Token, i.e. the token.csv file. The TLS bootstrapping token is used to bootstrap kubelet so that it can generate its certificate automatically.
export BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF
cp token.csv /opt/kubernetes/ssl/
cd /opt/kubernetes/ssl/
[root@k8s-master-101 ssl]# cat token.csv
427699856e2f019164f5d0b61bbb8195,kubelet-bootstrap,10001,"system:kubelet-bootstrap"
This involves some RBAC knowledge. The entry means that kubelet-bootstrap, with the 10001 permission, accesses the k8s cluster through the kubelet-bootstrap user group using the random string in the first field.
Create bootstrap.kubeconfig. This is the file kubelet uses to have its certificate issued automatically.
# First specify the kube-apiserver endpoint, i.e. the master IP
export KUBE_APISERVER=https://10.0.0.101:6443
# Set the cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=bootstrap.kubeconfig
# Set the client authentication parameters
kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=bootstrap.kubeconfig
# Set the context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig
# Set the default context
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
After these commands have run, the bootstrap.kubeconfig file is generated.
[root@k8s-master-101 ssl]# cat bootstrap.kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: (base64 CA certificate data omitted)
    server: https://10.0.0.101:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubelet-bootstrap
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: kubelet-bootstrap
  user:
    token: 427699856e2f019164f5d0b61bbb8195
Create the kube-proxy kubeconfig file that the nodes will use.
# Set the cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.kubeconfig
# Set the client authentication parameters
kubectl config set-credentials kube-proxy \
  --client-certificate=/opt/kubernetes/ssl/kube-proxy.pem \
  --client-key=/opt/kubernetes/ssl/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig
# Set the context parameters
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig
# Set the default context
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
In the end, two kubeconfig files have been generated:
[root@k8s-master-101 ssl]# ls *config
bootstrap.kubeconfig  kube-proxy.kubeconfig
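A check worth running before the files are distributed to the nodes, as an added example that is not part of the original post: token.csv and both kubeconfig files carry credentials in clear text, so the script confirms that they are not accessible to group or other and that the token written into bootstrap.kubeconfig is the same 32-hex-digit value as in token.csv (it comes out empty if BOOTSTRAP_TOKEN was unset in the shell that ran kubectl config set-credentials). The function names are hypothetical; the file names are the ones used above.

```shell
#!/bin/sh
# Added example: pre-distribution checks for the files created above.
# Function names are hypothetical; file names are the ones from the page.

# Succeeds only if the file exists and grants no permission to group or other.
is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints the token, i.e. the first comma-separated field of token.csv.
csv_token() {
    head -n 1 "$1" | cut -d, -f1
}

# Prints the value of the first "token:" key found in a kubeconfig file.
kubeconfig_token() {
    sed -n 's/^[[:space:]]*token:[[:space:]]*//p' "$1" | head -n 1
}

# Usage: check_bootstrap_files DIR
# Returns 0 when all checks pass; otherwise prints each problem and returns 1.
check_bootstrap_files() {
    dir=$1
    rc=0
    for f in token.csv bootstrap.kubeconfig kube-proxy.kubeconfig; do
        is_private "$dir/$f" || {
            echo "FAIL $f: missing, or accessible to group/other"; rc=1
        }
    done
    t=$(csv_token "$dir/token.csv" 2>/dev/null)
    # 16 bytes from /dev/urandom printed by od as hex are exactly 32 hex digits
    if [ "${#t}" -ne 32 ] || printf '%s' "$t" | grep -q '[^0-9a-f]'; then
        echo "FAIL token.csv: token is not 32 lowercase hex digits"; rc=1
    fi
    k=$(kubeconfig_token "$dir/bootstrap.kubeconfig" 2>/dev/null)
    if [ -z "$k" ] || [ "$k" != "$t" ]; then
        echo "FAIL bootstrap.kubeconfig: token is empty or differs from token.csv"; rc=1
    fi
    return $rc
}
```

Run it as `check_bootstrap_files /opt/kubernetes/ssl`; a permission failure is fixed with `chmod 600` on the named file.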