配置生成配置
本部分内容将会创建 kubeconfig 配置文件,它们是 Kubernetes 客户端与 API Server 认证与鉴权的保证。
本节将会创建用于 kube-proxy、kube-controller-manager、kube-scheduler 和 kubelet 的 kubeconfig 文件。
每一个 kubeconfig 文件都需要一个 Kubernetes API Server 的 IP 地址。为了保证高可用性,我们将该 IP 分配给 API Server 之前的外部负载均衡器。
查询 kubernetes-the-hard-way 的静态 IP 地址:
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \--region $(gcloud config get-value compute/region) \--format 'value(address)')
为了确保 Node Authorizer 授权,Kubelet 配置文件中的客户端证书必需匹配 Node 名字。
为每个 worker 节点创建 kubeconfig 配置:
for instance in worker-0 worker-1 worker-2; dokubectl config set-cluster kubernetes-the-hard-way \--certificate-authority=ca.pem \--embed-certs=true \--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \--kubeconfig=${instance}.kubeconfigkubectl config set-credentials system:node:${instance} \--client-certificate=${instance}.pem \--client-key=${instance}-key.pem \--embed-certs=true \--kubeconfig=${instance}.kubeconfigkubectl config set-context default \--cluster=kubernetes-the-hard-way \--user=system:node:${instance} \--kubeconfig=${instance}.kubeconfigkubectl config use-context default --kubeconfig=${instance}.kubeconfigdone
结果将会生成以下 3 个文件:
worker-0.kubeconfigworker-1.kubeconfigworker-2.kubeconfig
为 kube-proxy 服务生成 kubeconfig 配置文件:
{kubectl config set-cluster kubernetes-the-hard-way \--certificate-authority=ca.pem \--embed-certs=true \--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \--kubeconfig=kube-proxy.kubeconfigkubectl config set-credentials system:kube-proxy \--client-certificate=kube-proxy.pem \--client-key=kube-proxy-key.pem \--embed-certs=true \--kubeconfig=kube-proxy.kubeconfigkubectl config set-context default \--cluster=kubernetes-the-hard-way \--user=system:kube-proxy \--kubeconfig=kube-proxy.kubeconfigkubectl config use-context default --kubeconfig=kube-proxy.kubeconfig}
{kubectl config set-cluster kubernetes-the-hard-way \--certificate-authority=ca.pem \--embed-certs=true \--server=https://127.0.0.1:6443 \--kubeconfig=kube-controller-manager.kubeconfigkubectl config set-credentials system:kube-controller-manager \--client-certificate=kube-controller-manager.pem \--client-key=kube-controller-manager-key.pem \--embed-certs=true \--kubeconfig=kube-controller-manager.kubeconfigkubectl config set-context default \--cluster=kubernetes-the-hard-way \--user=system:kube-controller-manager \--kubeconfig=kube-controller-manager.kubeconfigkubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig}
{kubectl config set-cluster kubernetes-the-hard-way \--certificate-authority=ca.pem \--embed-certs=true \--server=https://127.0.0.1:6443 \--kubeconfig=kube-scheduler.kubeconfigkubectl config set-credentials system:kube-scheduler \--client-certificate=kube-scheduler.pem \--client-key=kube-scheduler-key.pem \--embed-certs=true \--kubeconfig=kube-scheduler.kubeconfigkubectl config set-context default \--cluster=kubernetes-the-hard-way \--user=system:kube-scheduler \--kubeconfig=kube-scheduler.kubeconfigkubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig}
{kubectl config set-cluster kubernetes-the-hard-way \--certificate-authority=ca.pem \--embed-certs=true \--server=https://127.0.0.1:6443 \--kubeconfig=admin.kubeconfigkubectl config set-credentials admin \--client-certificate=admin.pem \--client-key=admin-key.pem \--embed-certs=true \--kubeconfig=admin.kubeconfigkubectl config set-context default \--cluster=kubernetes-the-hard-way \--user=admin \--kubeconfig=admin.kubeconfigkubectl config use-context default --kubeconfig=admin.kubeconfig}
将 kubelet 与 kube-proxy kubeconfig 配置文件复制到每个 worker 节点上:
for instance in worker-0 worker-1 worker-2; dogcloud compute scp ${instance}.kubeconfig kube-proxy.kubeconfig ${instance}:~/done
将 admin、kube-controller-manager 与 kube-scheduler kubeconfig 配置文件复制到每个 controller 节点上:
for instance in controller-0 controller-1 controller-2; dogcloud compute scp admin.kubeconfig kube-controller-manager.kubeconfig kube-scheduler.kubeconfig ${instance}:~/done
下一步:配置和生成密钥。
