kubectl客户端工具远程连接k8s集群

一、概述

　　一般情况下，在k8smaster节点上集群管理工具kubectl是连接的本地http8080端口和apiserver进行通讯的,当然也可以通过https端口进行通讯前提是要生成证书。所以说kubectl不一定部署在master上，只要能和apiserver进行通讯，那么你可以将kubectl部署在任何一台你想连接到集群的主机上，以下将介绍基于证书的kubectl部署方式，以下基于kubernets1.13部署。

二、生成ca证书

如果已经有了ca证书那就不需要在生成了，只需要利用该证书生成admin证书即可。

安装生成证书工具

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64 mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

生成ca配置

cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

生成csr配置

cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
              "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

生成ca证书

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

三、生成admin证书

证书配置

cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF

生成证书

[root@master master]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/01/09 15:25:20 [INFO] generate received request
2019/01/09 15:25:20 [INFO] received CSR
2019/01/09 15:25:20 [INFO] generating key: rsa-2048
2019/01/09 15:25:20 [INFO] encoded CSR
2019/01/09 15:25:20 [INFO] signed certificate with serial number 496018729932380195936891977997946670147442472383
2019/01/09 15:25:20 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

查看证书

[root@master master]# ls admin*
admin.csr  admin-csr.json  admin-key.pem  admin.pem

四、配置kubectl

拷贝证书以及相关kubectl到目标机器

scp /opt/kubernetes/bin/kubectl 10.1.210.32:/usr/bin     #拷贝命令
scp admin* ca.pem 10.1.210.32:/opt/kubernetes/kubectl/ssl # 拷贝证书

配置kubectl配置文件

#进入证书目录
cd /opt/kubernetes/kubectl/ssl
 
#生成kubectl配置文件
kubectl config set-cluster kubernetes --server=https://10.1.210.33:6443 --certificate-authority=ca.pem
 
#设置用户项中cluster-admin用户证书认证字段
kubectl config set-credentials cluster-admin --certificate-authority=ca.pem --client-key=admin-key.pem --client-certificate=admin.pem
 
#设置默认上下文
kubectl config set-context default --cluster=kubernetes --user=cluster-admin
 
#设置当前环境的default
kubectl config use-context default

查看配置文件

[root@node1 ssl]# cat /root/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /opt/kubernetes/kubectl/ssl/ca.pem
    server: https://10.1.210.33:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: cluster-admin
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: cluster-admin
  user:
    client-certificate: /opt/kubernetes/kubectl/ssl/admin.pem
    client-key: /opt/kubernetes/kubectl/ssl/admin-key.pem

五、管理集群