II. Using kubectl on a client host

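Accessing the cluster with kubectl from a client
kubectl uses HTTP by default: on the master it connects to http://127.0.0.1:8080. A client host can only reach the API server at 10.16.8.156:6443, so HTTPS has to be configured.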

1. Generate the certificate

[root@k8s-master01 k8s]# pwd
/root/k8s/tls/k8s
[root@k8s-master01 k8s]# cat admin-csr.json 
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "HuBei",
      "ST": "WuHan",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
# The CA certificate used below was already generated earlier, when the self-signed certificates for the master were deployed
[root@k8s-master01 k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/11/07 16:59:08 [INFO] generate received request
2019/11/07 16:59:08 [INFO] received CSR
2019/11/07 16:59:08 [INFO] generating key: rsa-2048
2019/11/07 16:59:08 [INFO] encoded CSR
2019/11/07 16:59:08 [INFO] signed certificate with serial number 615183675351926100941011275121168596608133541272
2019/11/07 16:59:08 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-master01 k8s]# ls admin*pem
admin-key.pem  admin.pem
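
The API server takes a client certificate's CN as the user name and each O as a group, so the CSR above yields user "admin" in group "system:masters". The Python check below is an added example, not part of the original post; the function name review_client_csr and the MIN_KEY_BITS thresholds are assumptions of this example.

```python
import json

# The admin-csr.json shown in step 1 of this page, embedded so the example runs offline.
ADMIN_CSR = """
{
  "CN": "admin",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [
    {"C": "CN", "L": "HuBei", "ST": "WuHan", "O": "system:masters", "OU": "System"}
  ]
}
"""

# Assumption of this example: minimum key size per algorithm accepted by the lint.
MIN_KEY_BITS = {"rsa": 2048, "ecdsa": 256}


def review_client_csr(csr_text):
    """Return (user, groups, findings) for a cfssl CSR used as a Kubernetes client cert."""
    csr = json.loads(csr_text)
    # X.509 client-certificate authentication: subject CN -> user name, each O -> group.
    user = csr.get("CN", "")
    groups = [n["O"] for n in csr.get("names", []) if n.get("O")]
    findings = []
    if not user:
        findings.append("no CN: the certificate carries no user name")
    if "system:masters" in groups:
        findings.append("group system:masters: unrestricted cluster access that RBAC "
                        "changes cannot remove; valid until the certificate expires")
    key = csr.get("key", {})
    algo, size = key.get("algo", ""), key.get("size", 0)
    minimum = MIN_KEY_BITS.get(algo)
    if minimum is None or size < minimum:
        findings.append(f"key {algo}-{size} is below the minimum this lint accepts")
    # An empty "hosts" list is expected here: SANs matter for server certificates,
    # which is why the cfssl WARNING about "hosts" is harmless for a client cert.
    if csr.get("hosts"):
        findings.append("hosts set: a client certificate needs no SANs")
    return user, groups, findings


if __name__ == "__main__":
    user, groups, findings = review_client_csr(ADMIN_CSR)
    print(f"user={user!r} groups={groups}")
    for finding in findings:
        print("finding:", finding)
```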

2. Copy the certificates and the kubectl binary to the client host

[root@k8s-master01 k8s]# scp admin*.pem 10.16.8.161:/root/
[root@k8s-master01 k8s]# scp ca.pem 10.16.8.161:/root/  
[root@k8s-master01 k8s]# scp /opt/kubernetes/bin/kubectl 10.16.8.161:/usr/local/bin/

3. Configure kubectl on the client host

[root@etcd01 ~]#  ifconfig ens32 |grep "inet "
        inet 10.16.8.161  netmask 255.255.255.0  broadcast 10.16.8.255
[root@etcd01 ~]# ls *.pem
admin-key.pem  admin.pem  ca.pem
[root@etcd01 ~]# kubectl config set-cluster kubernetes \
--server=https://10.16.8.156:6443 \
--certificate-authority=ca.pem \
--embed-certs=true \
--kubeconfig=config      
Cluster "kubernetes" set.

[root@etcd01 ~]# kubectl config set-credentials cluster-admin \
--certificate-authority=ca.pem \
--client-key=admin-key.pem \
--client-certificate=admin.pem \
--embed-certs=true \
--kubeconfig=config
User "cluster-admin" set.

[root@etcd01 ~]# kubectl config set-context default --cluster=kubernetes --user=cluster-admin --kubeconfig=config
Context "default" created.

[root@etcd01 ~]# kubectl config use-context default --kubeconfig=config
Switched to context "default".
[root@etcd01 ~]# ls config
config
[root@etcd01 ~]# mv config .kube/
[root@etcd01 ~]# ll .kube
总用量 8
-rw------- 1 root root 6241 11月  7 17:16 config

4. Test the connection

[root@etcd01 ~]# kubectl get node
NAME         STATUS   ROLES    AGE    VERSION
k8s-node01   Ready    <none>   2d5h   v1.16.0
k8s-node02   Ready    <none>   2d5h   v1.16.0
k8s-node03   Ready    <none>   2d5h   v1.16.0

 

posted @ 2019-11-29 11:12  xw115428