Kubernetes v1.20.8 binary installation (4): kubectl

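Kubectl is the command-line client toolset for managing a Kubernetes cluster. kubectl commands operate on the API Server, and the API Server responds with the result of each command, which is how the Kubernetes cluster is managed.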

1. Deploying the kubectl command

Deploy the kubectl command in advance so that the cluster state can be verified while the kube-apiserver, kube-controller-manager and kube-scheduler components are set up.

1.1. Generate the client certificate

Run on the OPS node

cat >/opt/software/kubernetes/certs/kubectl-csr.json<<EOF
{
  "CN": "admin",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangZhou",
      "L": "TainHe",
      "O": "system:masters",
      "OU": "system"
    }
  ]
}
EOF

Issue the certificate

cd /opt/software/kubernetes/certs/

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubectl-csr.json | cfssl-json -bare kubectl

$ ll kubectl*
-rw-r--r-- 1 root root 1009 Jul 30 17:50 kubectl.csr
-rw-r--r-- 1 root root  240 Jul 30 17:50 kubectl-csr.json
-rw------- 1 root root 1675 Jul 30 17:50 kubectl-key.pem
-rw-r--r-- 1 root root 1399 Jul 30 17:50 kubectl.pem

1.2. Generate the kubeconfig

Set the cluster parameters

kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://islb.k8s-host.com:6443 --kubeconfig=/opt/software/kubernetes/master/kubeconfig/kubectl.kubeconfig

Set the client authentication parameters

kubectl config set-credentials admin --client-certificate=kubectl.pem --client-key=kubectl-key.pem --embed-certs=true --kubeconfig=/opt/software/kubernetes/master/kubeconfig/kubectl.kubeconfig

Set the context parameters

kubectl config set-context admin --cluster=kubernetes --user=admin --kubeconfig=/opt/software/kubernetes/master/kubeconfig/kubectl.kubeconfig

Set the default context

kubectl config use-context admin --kubeconfig=/opt/software/kubernetes/master/kubeconfig/kubectl.kubeconfig

1.3. Make the OPS node a k8s client

mkdir -p /root/.kube

\cp /opt/software/kubernetes/master/kubeconfig/kubectl.kubeconfig /root/.kube/config

1.4. Distribute

hosts=(master01 master02 master03)
domain='k8s-host.com'
config_files=('kubectl.kubeconfig')
cd /opt/software/kubernetes
for host in ${hosts[*]}
do
    for file in ${config_files[*]}
    do
        scp -r master/kubeconfig/${file} ${host}.${domain}:/opt/software/kubernetes/kubeconfig/
    done
done

1.5. Symlink the kubeconfig

hosts=(master01 master02 master03)
domain='k8s-host.com'
for host in ${hosts[*]}
do
    ssh root@${host}.${domain} "mkdir -p /root/.kube && \cp /opt/software/kubernetes/kubeconfig/kubectl.kubeconfig /root/.kube/config"
done
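
The kubeconfig built in 1.2 embeds the private key of the admin certificate (O: system:masters, the group Kubernetes binds to cluster-admin by default), and steps 1.3 to 1.5 copy it to every master. The following check is an added example, not part of the original post: it flags any kubeconfig that carries an embedded key and is readable beyond its owner. It assumes GNU stat (Linux); the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: audit kubeconfig files that embed a client private key.
# Assumption: GNU coreutils `stat -c` is available (Linux hosts).

# Print "embedded" if the file carries an inline private key (written by
# `kubectl config set-credentials ... --embed-certs=true`), "reference"
# if it only points at a key file, "none" otherwise.
kubeconfig_key_kind() {
    if grep -Eq '^[[:space:]]*client-key-data:[[:space:]]*[^[:space:]]' "$1"; then
        echo embedded
    elif grep -Eq '^[[:space:]]*client-key:[[:space:]]*[^[:space:]]' "$1"; then
        echo reference
    else
        echo none
    fi
}

# Return 0 when the file holds no embedded key or no group/other
# permission bit is set; 1 when an embedded key is exposed; 2 when the
# file is missing. Prints a one-line finding in every case.
audit_kubeconfig() {
    local file="$1" kind mode
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }
    kind=$(kubeconfig_key_kind "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$kind" = embedded ]; then
        case "$mode" in
            0|*00) ;;   # group and other digits are both 0
            *) echo "EXPOSED $file mode=$mode (embedded key; chmod 600)"
               return 1 ;;
        esac
    fi
    echo "OK      $file mode=$mode key=$kind"
    return 0
}

# Audit every path given; non-zero if any file is exposed or missing.
audit_all() {
    local rc=0 f
    for f in "$@"; do
        audit_kubeconfig "$f" || rc=1
    done
    return $rc
}

# Run against paths passed on the command line, if any.
if [ "$#" -gt 0 ]; then audit_all "$@"; fi
```

On each master it can be run against /root/.kube/config and /opt/software/kubernetes/kubeconfig/kubectl.kubeconfig, the two locations this guide writes to.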

1.6. Create the role binding

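When commands such as kubectl exec, run and logs are executed, the apiserver forwards the request to the kubelet's HTTPS port. The RBAC rule defined here grants the user name (CN: kubernetes-master) of the certificate used by the apiserver (kubernetes.pem) permission to access the kubelet API: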

kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes

1.7. Verify the kubectl command on the nodes

Run on the ops node and the master nodes

source /etc/profile

# No error means success
kubectl get pods

Problems

Problem 1:

$ kubectl exec -ti nginx /bin/bash
error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)

This is a permissions problem. Run:

kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes

Problem 2:

The Pod "curl_test" is invalid: 
* metadata.name: Invalid value: "curl_test": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
* spec.containers[0].name: Invalid value: "curl_test": a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')

Suggested fix: names in the manifest, including the Pod name, must not contain the underscore '_'; use '-' instead.

posted @ 2021-09-03 18:02  风吹蛋生丶