1.创建kubectl 证书
cat > /etc/ssl/kubectl/admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "ChengDu",
"L": "ChengDu",
"O": "system:masters",
"OU": "dessler"
}
]
}
EOF
cfssl gencert -ca=/etc/ssl/ca.pem \
-ca-key=/etc/ssl/ca-key.pem \
-config=//etc/ssl/ca-config.json \
-profile=kubernetes admin-csr.json | cfssljson -bare admin
ls
admin.csr admin-csr.json admin-key.pem admin.pem
- 说明:
- 为system:masters,kube-apiserver 收到该证书后将请求的 Group 设置为 system:masters
- 预定义的 ClusterRoleBinding cluster-admin 将 Group system:masters 与 Role cluster-admin 绑定,该 Role 授予所有 API的权限
- 该证书只会被 kubectl 当做 client 证书使用,所以 hosts 字段为空
2.分发kubctl 二进制文件及证书
3.创建kubectl.kubeconfig配置文件
kubectl config set-cluster kubernetes \
> --certificate-authority=/etc/ssl/ca.pem \
> --embed-certs=true \
> --server=https://192.168.1.43:8443 \
> --kubeconfig=kubectl.kubeconfig
Cluster "kubernetes" set.
kubectl config set-credentials admin \
> --client-certificate=/etc/ssl/kubectl/admin.pem \
> --client-key=/etc/ssl/kubectl/admin-key.pem \
> --embed-certs=true \
> --kubeconfig=kubectl.kubeconfig
User "admin" set.
kubectl config set-context kubernetes \
> --cluster=kubernetes \
> --user=admin \
> --kubeconfig=kubectl.kubeconfig
Context "kubernetes" created.
kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig
Switched to context "kubernetes".
- 说明:
- --certificate-authority:验证 kube-apiserver 证书的根证书
- --client-certificate、--client-key:刚生成的admin 证书和私钥,连接 kube-apiserver 时使用
- --embed-certs=true:将pem 和 admin.pem 证书内容嵌入到生成的 kubectl.kubeconfig 文件中(不加时,写入的是证书文件路径)
4.将kubectl.kubeconfig 分发到/root/.kube/config文件
其他服务如果需要使用kubectl命令,只要有二进制文件和这个配置文件,就可以直接连接kubernetes集群
