Host list
This lab uses 5 hosts: 3 as master hosts and 2 as node hosts.
Node IP | OS version | hostname -f | Installed software |
---|---|---|---|
192.168.0.1 | RHEL7.4 | k8s-master01 | docker,etcd,flanneld,kube-apiserver,kube-controller-manager,kube-scheduler |
192.168.0.2 | RHEL7.4 | k8s-master02 | docker,etcd,flanneld,kube-apiserver,kube-controller-manager,kube-scheduler |
192.168.0.3 | RHEL7.4 | k8s-master03 | docker,etcd,flanneld,kube-apiserver,kube-controller-manager,kube-scheduler |
192.168.0.4 | RHEL7.4 | k8s-node01 | docker,flanneld,kubelet,kube-proxy |
192.168.0.5 | RHEL7.4 | k8s-node02 | docker,flanneld,kubelet,kube-proxy |
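kubectl is the command-line management tool for a Kubernetes cluster. By default it reads the kube-apiserver address, certificates, user name and other information from ~/.kube/config; if that file has not been configured, kubectl commands may fail. ~/.kube/config
only needs to be deployed once and can then be copied to the other masters.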
Download and extract the binaries
# wget https://dl.k8s.io/v1.15.3/kubernetes-server-linux-amd64.tar.gz
# tar xf kubernetes-server-linux-amd64.tar.gz
# cd kubernetes/server/bin/
# cp kubeadm kubectl /k8s/kubernetes/bin/
Create the certificate signing request
cat > admin-csr.json <<EOF
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
EOF
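- O is system:masters; when kube-apiserver receives this certificate, it sets the Group of the request to system:masters;
- The predefined ClusterRoleBinding cluster-admin binds Group system:masters to Role cluster-admin, and that Role grants permission to all APIs;
- This certificate is only used by kubectl as a client certificate, so the hosts field is empty.
Generate the certificate and private key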
cfssl gencert -ca=/k8s/kubernetes/ssl/ca.pem -ca-key=/k8s/kubernetes/ssl/ca-key.pem -config=/k8s/kubernetes/ssl/ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
Create the ~/.kube/config file
kubectl config set-cluster kubernetes --certificate-authority=/k8s/kubernetes/ssl/ca.pem --embed-certs=true --server=https://192.168.0.1:6443 --kubeconfig=kubectl.kubeconfig
kubectl config set-credentials admin --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true --kubeconfig=kubectl.kubeconfig
kubectl config set-context kubernetes --cluster=kubernetes --user=admin --kubeconfig=kubectl.kubeconfig
kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig
Distribute the ~/.kube/config file
cp kubectl.kubeconfig ~/.kube/config
scp -r /k8s/kubernetes/ssl/kubectl.kubeconfig 192.168.0.2:~/.kube/config
scp -r /k8s/kubernetes/ssl/kubectl.kubeconfig 192.168.0.3:~/.kube/config
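
The admin certificate's subject decides what its holder may do (CN becomes the user, O becomes the group), and the kubeconfig built with --embed-certs=true carries the matching private key. The following check is an added example, not part of the original page: the function names are hypothetical, and it assumes openssl and GNU stat are installed and that no subject value contains an escaped comma.

```shell
#!/usr/bin/env bash
# Added example (function names are hypothetical, not from the original page).
# kube-apiserver takes the user name from the certificate CN and the groups
# from each O value, so the subject decides what the holder may do.

# Read one "subject=..." line in RFC 2253 form on stdin and print the
# Kubernetes identity. Assumption: no value contains an escaped comma.
parse_subject() {
  sed -e 's/^subject=[[:space:]]*//' | tr ',' '\n' |
    while IFS='=' read -r key val; do
      case "$key" in
        CN) echo "user=$val" ;;
        O)  echo "group=$val" ;;
      esac
    done
}

# Succeed if the subject on stdin places the holder in system:masters.
is_cluster_admin() {
  parse_subject | grep -qx 'group=system:masters'
}

# Audit a PEM client certificate such as admin.pem (requires openssl).
audit_client_cert() {
  local cert="$1" subject
  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253) || return 2
  printf '%s\n' "$subject" | parse_subject
  # A client-only certificate issued with "hosts": [] should carry no SAN.
  if openssl x509 -in "$cert" -noout -text | grep -q 'Subject Alternative Name'; then
    echo "san=present"
  else
    echo "san=none"
  fi
  if printf '%s\n' "$subject" | is_cluster_admin; then
    echo "privilege=cluster-admin (via group system:masters)"
  fi
}

# --embed-certs=true writes the admin private key into the kubeconfig, so the
# file should be readable by its owner only (GNU stat, as on RHEL).
kubeconfig_mode_ok() {
  local mode
  mode=$(stat -c '%a' "$1") || return 2
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}
```

After sourcing the file, run `audit_client_cert admin.pem` once the cfssl step has finished, and `kubeconfig_mode_ok ~/.kube/config` on each master after the copy.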