配置生成配置
本部分内容将会创建 kubeconfig 配置文件,它们是 Kubernetes 客户端与 API Server 认证与鉴权的保证。

客户端认证配置

本节将会创建用于 kube-proxykube-controller-managerkube-schedulerkubelet 的 kubeconfig 文件。

Kubernetes 公有 IP 地址

每一个 kubeconfig 文件都需要一个 Kubernetes API Server 的 IP 地址。为了保证高可用性,我们将该 IP 分配给 API Server 之前的外部负载均衡器。
查询 kubernetes-the-hard-way 的静态 IP 地址:
1
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
2
--region $(gcloud config get-value compute/region) \
3
--format 'value(address)')
Copied!

kubelet 配置文件

为了确保 Node Authorizer 授权,Kubelet 配置文件中的客户端证书必需匹配 Node 名字。
为每个 worker 节点创建 kubeconfig 配置:
1
for instance in worker-0 worker-1 worker-2; do
2
kubectl config set-cluster kubernetes-the-hard-way \
3
--certificate-authority=ca.pem \
4
--embed-certs=true \
5
--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
6
--kubeconfig=${instance}.kubeconfig
7
8
kubectl config set-credentials system:node:${instance} \
9
--client-certificate=${instance}.pem \
10
--client-key=${instance}-key.pem \
11
--embed-certs=true \
12
--kubeconfig=${instance}.kubeconfig
13
14
kubectl config set-context default \
15
--cluster=kubernetes-the-hard-way \
16
--user=system:node:${instance} \
17
--kubeconfig=${instance}.kubeconfig
18
19
kubectl config use-context default --kubeconfig=${instance}.kubeconfig
20
done
Copied!
结果将会生成以下 3 个文件:
1
worker-0.kubeconfig
2
worker-1.kubeconfig
3
worker-2.kubeconfig
Copied!

kube-proxy 配置文件

为 kube-proxy 服务生成 kubeconfig 配置文件:
1
{
2
kubectl config set-cluster kubernetes-the-hard-way \
3
--certificate-authority=ca.pem \
4
--embed-certs=true \
5
--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
6
--kubeconfig=kube-proxy.kubeconfig
7
8
kubectl config set-credentials system:kube-proxy \
9
--client-certificate=kube-proxy.pem \
10
--client-key=kube-proxy-key.pem \
11
--embed-certs=true \
12
--kubeconfig=kube-proxy.kubeconfig
13
14
kubectl config set-context default \
15
--cluster=kubernetes-the-hard-way \
16
--user=system:kube-proxy \
17
--kubeconfig=kube-proxy.kubeconfig
18
19
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
20
}
Copied!

kube-controller-manager 配置文件

1
{
2
kubectl config set-cluster kubernetes-the-hard-way \
3
--certificate-authority=ca.pem \
4
--embed-certs=true \
5
--server=https://127.0.0.1:6443 \
6
--kubeconfig=kube-controller-manager.kubeconfig
7
8
kubectl config set-credentials system:kube-controller-manager \
9
--client-certificate=kube-controller-manager.pem \
10
--client-key=kube-controller-manager-key.pem \
11
--embed-certs=true \
12
--kubeconfig=kube-controller-manager.kubeconfig
13
14
kubectl config set-context default \
15
--cluster=kubernetes-the-hard-way \
16
--user=system:kube-controller-manager \
17
--kubeconfig=kube-controller-manager.kubeconfig
18
19
kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
20
}
Copied!

kube-scheduler 配置文件

1
{
2
kubectl config set-cluster kubernetes-the-hard-way \
3
--certificate-authority=ca.pem \
4
--embed-certs=true \
5
--server=https://127.0.0.1:6443 \
6
--kubeconfig=kube-scheduler.kubeconfig
7
8
kubectl config set-credentials system:kube-scheduler \
9
--client-certificate=kube-scheduler.pem \
10
--client-key=kube-scheduler-key.pem \
11
--embed-certs=true \
12
--kubeconfig=kube-scheduler.kubeconfig
13
14
kubectl config set-context default \
15
--cluster=kubernetes-the-hard-way \
16
--user=system:kube-scheduler \
17
--kubeconfig=kube-scheduler.kubeconfig
18
19
kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
20
}
Copied!

Admin 配置文件

1
{
2
kubectl config set-cluster kubernetes-the-hard-way \
3
--certificate-authority=ca.pem \
4
--embed-certs=true \
5
--server=https://127.0.0.1:6443 \
6
--kubeconfig=admin.kubeconfig
7
8
kubectl config set-credentials admin \
9
--client-certificate=admin.pem \
10
--client-key=admin-key.pem \
11
--embed-certs=true \
12
--kubeconfig=admin.kubeconfig
13
14
kubectl config set-context default \
15
--cluster=kubernetes-the-hard-way \
16
--user=admin \
17
--kubeconfig=admin.kubeconfig
18
19
kubectl config use-context default --kubeconfig=admin.kubeconfig
20
}
Copied!

分发配置文件

kubeletkube-proxy kubeconfig 配置文件复制到每个 worker 节点上:
1
for instance in worker-0 worker-1 worker-2; do
2
gcloud compute scp ${instance}.kubeconfig kube-proxy.kubeconfig ${instance}:~/
3
done
Copied!
adminkube-controller-managerkube-scheduler kubeconfig 配置文件复制到每个 controller 节点上:
1
for instance in controller-0 controller-1 controller-2; do
2
gcloud compute scp admin.kubeconfig kube-controller-manager.kubeconfig kube-scheduler.kubeconfig ${instance}:~/
3
done
Copied!
下一步:配置和生成密钥
最近更新 1yr ago