二进制k8s集群创建 kubeconfig 文件

二进制k8s集群创建 kubeconfig 文件

鲜花的主人 767 2021-02-02

系统环境

  • 部署方式:二进制
  • Docker 版本:19.03.8
  • kubernetes 版本:1.18.4

二进制部署k8s集群后,如果其它节点或机器需要kubectl管理集群,需要相应的config文件,二进制部署会默认生成,二进制需要手动生成

创建 admin 证书

[root@k8s01 ssl]# cat admin-csr.json 
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
  • 后续 kube-apiserver 使用 RBAC 对客户端(如 kubelet、kube-proxy、Pod)请求进行授权;
  • kube-apiserver 预定义了一些 RBAC 使用的 RoleBindings,如 cluster-admin 将 Group system:masters 与 Role cluster-admin 绑定,该 Role 授予了调用kube-apiserver 的所有 API的权限;
  • O 指定该证书的 Group 为 system:masters,kubelet 使用该证书访问 kube-apiserver 时 ,由于证书被 CA 签名,所以认证通过,同时由于证书用户组为经过预授权的 system:masters,所以被授予访问所有 API 的权限;

注意:这个admin 证书,是将来生成管理员用的kube config 配置文件用的,现在我们一般建议使用RBAC 来对kubernetes 进行角色权限控制, kubernetes 将证书中的CN 字段 作为User, O 字段作为 Group(具体参考 Kubernetes中的用户与身份认证授权中 X509 Client Certs 一段)

生成admin证书和私钥

[root@k8s01 ssl]# cfssl gencert -ca=./ca.pem -ca-key=./ca-key.pem -config=./ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2021/11/09 16:40:11 [INFO] generate received request
2021/11/09 16:40:11 [INFO] received CSR
2021/11/09 16:40:11 [INFO] generating key: rsa-2048
2021/11/09 16:40:12 [INFO] encoded CSR
{"code":5100,"message":"Invalid policy: no key usage available"}
Failed to parse input: unexpected end of JSON input

#根据上面报错,生成证书的时候需要注意参数-profile=kubernetes,查看ca-config.json里面是否一致
[root@k8s01 ssl]# cat ca-config.json 
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
[root@k8s01 ssl]# cfssl gencert -ca=./ca.pem -ca-key=./ca-key.pem -config=./ca-config.json -profile=www admin-csr.json | cfssljson -bare admin2021/11/09 16:46:06 [INFO] generate received request
2021/11/09 16:46:06 [INFO] received CSR
2021/11/09 16:46:06 [INFO] generating key: rsa-2048
2021/11/09 16:46:07 [INFO] encoded CSR
2021/11/09 16:46:07 [INFO] signed certificate with serial number 98807368659369623997794399970109351201128658311
2021/11/09 16:46:07 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

[root@k8s01 ssl]# ls admin*
admin.csr  admin-csr.json  admin-key.pem  admin.pem

创建admin kubeconfig文件

export KUBE_APISERVER="https://x.x.x.x:6443" (根据实际的apiserver地址)
# 设置集群参数
[root@k8s01 ssl]# kubectl config set-cluster kubernetes \
 --certificate-authority=/opt/kubernetes/ssl/ca.pem \
 --embed-certs=true \
 --server=${KUBE_APISERVER} \
 --kubeconfig=admin.kubeconfig
Cluster "kubernetes" set.

# 设置客户端认证参数
[root@k8s01 ssl]# kubectl config set-credentials admin \
 --client-certificate=/opt/kubernetes/ssl/admin.pem \
 --client-key=/opt/kubernetes/ssl/admin-key.pem \
 --embed-certs=true \
 --kubeconfig=admin.kubeconfig
User "admin" set.

# 设置上下文参数
[root@k8s01 ssl]# kubectl config set-context kubernetes \
 --cluster=kubernetes \
 --user=admin \
 --kubeconfig=admin.kubeconfig
Context "kubernetes" created.

# 设置默认上下文
[root@k8s01 ssl]# kubectl config use-context kubernetes --kubeconfig=admin.kubeconfig
Switched to context "kubernetes".

[root@k8s01 ssl]# ls admin*
admin.csr  admin-csr.json  admin-key.pem  admin.kubeconfig  admin.pem

将生成的admin.kubeconfig拷贝相应机器的/root/.kube下,并改名config即可kubectl管理集群
在执行完上述操作后我们可以通过命令: kubectl get clusterrolebinding cluster-admin -o yaml ,查看到 clusterrolebinding cluster-admin 的 subjects 的 kind 是 Group,name 是 system:masters, roleRef 对象是 ClusterRole cluster-admin,意思是凡是 system:masters Group 的 user 或者 serviceAccount 都拥有 cluster-admin 的角色,因此我们在使用 kubectl 命令时候,才拥有整个集群的管理权限

[root@k8s01 ssl]# kubectl get clusterrolebinding cluster-admin -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2020-12-29T09:53:06Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:rbac.authorization.kubernetes.io/autoupdate: {}
        f:labels:
          .: {}
          f:kubernetes.io/bootstrapping: {}
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: kube-apiserver
    operation: Update
    time: "2020-12-29T09:53:06Z"
  name: cluster-admin
  resourceVersion: "97"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/cluster-admin
  uid: 6583f1fe-950b-4c62-a845-a2c655e3bb05
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:masters
Kubernetes