K8S from Getting Started to Giving Up, part 4: deploying the kubectl command-line tool for a Kubernetes cluster
Abstract: As Kubernetes has iterated, clusters have moved toward a TLS + RBAC security configuration. During deployment, therefore, every component needs its own certificate, and RBAC authentication is enabled.
We use a binary installation here: after downloading and extracting the release, copy each component's binary to the node it belongs on.
Master node components: kube-apiserver, etcd, kube-controller-manager, kube-scheduler, kubectl
Worker node components: kubelet, kube-proxy, docker, coredns, calico
Deploying the master components
1) Download the Kubernetes binary package
Extract the downloaded archive and distribute the binaries to the designated locations on the master or worker nodes.
[root@k8s-master01 ~]# cd k8s/
[root@k8s-master01 k8s]# wget https://storage.googleapis.com/kubernetes-release/release/v1.14.1/kubernetes-server-linux-amd64.tar.gz
[root@k8s-master01 k8s]# tar -xf kubernetes-server-linux-amd64.tar.gz
## transfer the master binaries
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.18:/usr/local/bin/
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.19:/usr/local/bin/
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-apiserver,kube-controller-manager,kube-scheduler,kubectl,kubeadm} 10.10.0.20:/usr/local/bin/
## transfer the worker node binaries
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-proxy,kubelet} 10.10.0.21:/usr/local/bin/
[root@k8s-master01 k8s]# scp kubernetes/server/bin/{kube-proxy,kubelet} 10.10.0.22:/usr/local/bin/
2) Create the admin certificate signing request
kubectl is the tool used for day-to-day management of the cluster. To do that it has to talk to the cluster components over TLS, so it needs its own client certificate. We deploy kubectl on all three master nodes.
[root@k8s-master01 ~]# vim /opt/k8s/certs/admin-csr.json
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "ShangHai",
      "L": "ShangHai",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
3) Generate the admin certificate and private key
[root@k8s-master01 ~]# cd /opt/k8s/certs/
[root@k8s-master01 certs]# cfssl gencert -ca=/etc/kubernetes/ssl/ca.pem \
  -ca-key=/etc/kubernetes/ssl/ca-key.pem \
  -config=/opt/k8s/certs/ca-config.json \
  -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/04/23 14:56:49 [INFO] generate received request
2019/04/23 14:56:49 [INFO] received CSR
2019/04/23 14:56:49 [INFO] generating key: rsa-2048
2019/04/23 14:56:49 [INFO] encoded CSR
2019/04/23 14:56:49 [INFO] signed certificate with serial number 506524128693715675957824591128854950490977162654
2019/04/23 14:56:49 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
4) Inspect the generated files
[root@k8s-master01 certs]# ll admin*
-rw-r--r-- 1 root root 1013 Apr 23 14:56 admin.csr
-rw-r--r-- 1 root root  231 Apr 23 14:54 admin-csr.json
-rw------- 1 root root 1679 Apr 23 14:56 admin-key.pem
-rw-r--r-- 1 root root 1407 Apr 23 14:56 admin.pem
5) Distribute the certificate and key
[root@k8s-master01 certs]# ansible k8s-master -m copy -a 'src=/opt/k8s/certs/admin-key.pem dest=/etc/kubernetes/ssl/'
[root@k8s-master01 certs]# ansible k8s-master -m copy -a 'src=/opt/k8s/certs/admin.pem dest=/etc/kubernetes/ssl/'
6) Generate the kubeconfig file
The following steps write a config file under .kube in the home directory. kubectl uses this file for every subsequent call to the API server, so if you want to operate the cluster with kubectl from another node, you have to copy this file there as well.
# set the cluster parameters
[root@k8s-master01 ~]# kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:6443
Cluster "kubernetes" set.
# set the client credentials
[root@k8s-master01 ~]# kubectl config set-credentials admin \
  --client-certificate=/etc/kubernetes/ssl/admin.pem \
  --embed-certs=true \
  --client-key=/etc/kubernetes/ssl/admin-key.pem
User "admin" set.
# set the context
[root@k8s-master01 ~]# kubectl config set-context admin@kubernetes \
  --cluster=kubernetes \
  --user=admin
Context "admin@kubernetes" created.
# make it the default context
[root@k8s-master01 ~]# kubectl config use-context admin@kubernetes
Switched to context "admin@kubernetes".
The commands above write the current user's .kube/config file, with the CA certificate, client certificate and client key embedded in it. On every later request the apiserver authenticates the client with that certificate: the CN becomes the username (admin) and the O field becomes the group, and because the group is system:masters, which the default RBAC bindings map to cluster-admin, this admin user has full permissions on the Kubernetes cluster (cluster administrator). Treat the kubeconfig and admin-key.pem as cluster-admin credentials accordingly.
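Before distributing the files from steps 3) to 5), it is worth checking that the certificate actually carries the identity the kubeconfig relies on. The script below is an added example (not from the original post) that verifies an admin client certificate: it checks the chain against the cluster CA, that the subject has CN=admin and O=system:masters, that the certificate has not expired, and that the private key is not group- or world-readable. The throwaway CA and the file paths it creates under mktemp are constructed for the demonstration; against a real cluster you would point it at /etc/kubernetes/ssl/ca.pem, admin.pem and admin-key.pem.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an admin client
# certificate before distributing it. The cluster CA and the admin cert used
# below are a constructed fixture that mirrors admin-csr.json (CN=admin,
# O=system:masters); on a real master point the function at
# /etc/kubernetes/ssl/{ca,admin,admin-key}.pem instead.
set -u

# check_admin_cert CA_PEM CERT_PEM KEY_PEM -> prints the findings, returns 0 if all pass
check_admin_cert() {
  local ca="$1" cert="$2" key="$3" rc=0
  # 1. Chain: the certificate must be issued by our cluster CA, not some other CA.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert is not signed by $ca"; rc=1
  fi
  # 2. Identity: kube-apiserver maps CN -> user and O -> group for client certs.
  local subj
  subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
  case "$subj" in *CN=admin*) ;; *) echo "FAIL: CN is not admin: $subj"; rc=1;; esac
  case "$subj" in *O=system:masters*) ;; *) echo "FAIL: O is not system:masters: $subj"; rc=1;; esac
  # 3. Validity: refuse a certificate that is already past notAfter.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: $cert has expired"; rc=1
  fi
  # 4. Key hygiene: a system:masters key is a cluster-admin credential (expect 0600).
  local mode
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in 600|400) ;; *) echo "FAIL: $key mode is $mode, expected 600"; rc=1;; esac
  [ "$rc" -eq 0 ] && echo "OK: $cert"
  return "$rc"
}

# Constructed fixture: a throwaway CA plus an admin cert with the same subject as admin-csr.json.
make_fixture() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kubernetes-ca" \
    -keyout "$d/ca-key.pem" -out "$d/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/admin-key.pem" -out "$d/admin.csr" \
    -subj "/C=CN/ST=ShangHai/L=ShangHai/O=system:masters/OU=System/CN=admin" >/dev/null 2>&1
  openssl x509 -req -in "$d/admin.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
    -CAcreateserial -days 1 -out "$d/admin.pem" >/dev/null 2>&1
  chmod 600 "$d/admin-key.pem"
}

tmp=$(mktemp -d)
make_fixture "$tmp"
check_admin_cert "$tmp/ca.pem" "$tmp/admin.pem" "$tmp/admin-key.pem"
```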