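Kubernetes v1.20.8 binary installation (4): kubectl
kubectl is the command-line client toolset for managing a Kubernetes cluster. kubectl commands act on the API Server, and the API Server responds with the result of each command; this is how the Kubernetes cluster is managed.
1. Deploying the kubectl command
Deploy the kubectl command in advance so that the state of the cluster can be verified as the kube-apiserver, kube-controller-manager and kube-scheduler components are set up.
1.1. Generate the client certificate
Run on the OPS node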
cat >/opt/software/kubernetes/certs/kubectl-csr.json<<EOF
{
"CN": "admin",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "GuangZhou",
"L": "TainHe",
"O": "system:masters",
"OU": "system"
}
]
}
EOF
Issue the certificate
cd /opt/software/kubernetes/certs/
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubectl-csr.json | cfssl-json -bare kubectl
$ ll kubectl*
-rw-r--r-- 1 root root 1009 Jul 30 17:50 kubectl.csr
-rw-r--r-- 1 root root 240 Jul 30 17:50 kubectl-csr.json
-rw------- 1 root root 1675 Jul 30 17:50 kubectl-key.pem
-rw-r--r-- 1 root root 1399 Jul 30 17:50 kubectl.pem
1.2. Generate the kubeconfig
Set the cluster parameters
kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https://islb.k8s-host.com:6443 --kubeconfig=/opt/software/kubernetes/master/kubeconfig/kubectl.kubeconfig
Set the client authentication parameters
kubectl config set-credentials admin --client-certificate=kubectl.pem --client-key=kubectl-key.pem --embed-certs=true --kubeconfig=/opt/software/kubernetes/master/kubeconfig/kubectl.kubeconfig
Set the context parameters
kubectl config set-context admin --cluster=kubernetes --user=admin --kubeconfig=/opt/software/kubernetes/master/kubeconfig/kubectl.kubeconfig
Set the default context
kubectl config use-context admin --kubeconfig=/opt/software/kubernetes/master/kubeconfig/kubectl.kubeconfig
1.3. Make the OPS node a k8s client
mkdir -p /root/.kube
\cp /opt/software/kubernetes/master/kubeconfig/kubectl.kubeconfig /root/.kube/config
1.4. Distribute
hosts=(master01 master02 master03)
domain='k8s-host.com'
config_files=('kubectl.kubeconfig')
cd /opt/software/kubernetes
for host in ${hosts[*]}
do
for file in ${config_files[*]}
do
scp -r master/kubeconfig/${file} ${host}.${domain}:/opt/software/kubernetes/kubeconfig/
done
done
1.5. Symlink the kubeconfig
hosts=(master01 master02 master03)
domain='k8s-host.com'
for host in ${hosts[*]}
do
ssh root@${host}.${domain} "mkdir -p /root/.kube && \cp /opt/software/kubernetes/kubeconfig/kubectl.kubeconfig /root/.kube/config"
done
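An added check for the kubeconfig copied in 1.3 to 1.5 (not part of the original post): because --embed-certs=true puts the admin private key inside the file and the certificate's O is system:masters, the script flags a copy readable beyond its owner and prints the embedded certificate's subject and expiry. The function names and the constructed demo file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a kubeconfig on disk.

# Octal mode of a file: GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 = fine, 1 = embedded private key readable beyond the owner, 2 = missing.
audit_kubeconfig() {
  [ -f "$1" ] || { echo "MISSING $1"; return 2; }
  kc_mode=$(file_mode "$1")
  if ! grep -q 'client-key-data:' "$1"; then
    echo "OK   $1 (mode $kc_mode, no embedded private key)"
    return 0
  fi
  case "$kc_mode" in
    ?00) echo "OK   $1 (mode $kc_mode, embedded key, owner-only)"; return 0 ;;
    *)   echo "WEAK $1 (mode $kc_mode, embedded key readable beyond owner)"; return 1 ;;
  esac
}

# Subject and expiry of the embedded client certificate (needs openssl).
# For the CSR in section 1.1 the subject carries O = system:masters.
show_identity() {
  grep 'client-certificate-data:' "$1" | awk '{print $2}' \
    | base64 -d | openssl x509 -noout -subject -enddate
}

# Constructed sample: a stub kubeconfig with a dummy key blob, audited at
# mode 644 and again at mode 600. Prints both verdicts.
demo() {
  demo_dir=$(mktemp -d)
  printf 'users:\n- name: admin\n  user:\n    client-key-data: Q09OU1RSVUNURUQ=\n' \
    > "$demo_dir/config"
  chmod 644 "$demo_dir/config"; audit_kubeconfig "$demo_dir/config" || true
  chmod 600 "$demo_dir/config"; audit_kubeconfig "$demo_dir/config"
  demo_rc=$?
  rm -rf "$demo_dir"
  return "$demo_rc"
}

# Usage: sh audit.sh /root/.kube/config   (no argument runs the demo)
if [ "$#" -gt 0 ]; then
  audit_kubeconfig "$1" && show_identity "$1"
else
  demo
fi
```

Run it on the OPS node and on each master against /root/.kube/config and /opt/software/kubernetes/kubeconfig/kubectl.kubeconfig.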
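1.6. Create the role binding
When commands such as kubectl exec, run and logs are executed, the apiserver forwards the request to the kubelet's HTTPS port. The RBAC rule defined here grants the user name of the certificate the apiserver uses (kubernetes.pem, CN:kuberntes-master) permission to access the kubelet API. The name passed to --user must be the CN that certificate actually carries, since the kubelet authorizes the apiserver under that name: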
kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes
1.7. Verify the kubectl command on the nodes
Run on the ops node and the master nodes
source /etc/profile
# No error means success
kubectl get pods
Problems
Problem 1:
$ kubectl exec -ti nginx /bin/bash
error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)
This is a permission problem. Run:
kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes
Problem 2:
The Pod "curl_test" is invalid:
* metadata.name: Invalid value: "curl_test": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
* spec.containers[0].name: Invalid value: "curl_test": a lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')
Suggested fix: names in the configuration file and the pod name must not contain the underscore '_'; use '-' instead.