kubectl 配置
kubectl 通过 kubeconfig 文件与 API Server 通信。kube-apiserver 使用 RBAC 对客户端请求进行授权,预定义了 cluster-admin 角色,将 system:masters 组与 cluster-admin 绑定,授予所有 API 权限。
生成管理员证书
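# Write the CSR spec that cfssl reads in the next step.
# The heredoc delimiter is quoted so the JSON is written literally and can
# never be altered by accidental shell expansion ($..., backticks).
#
# Field notes (JSON cannot carry comments):
#   CN "admin"            -> the user name the API server sees on this cert
#   hosts []              -> client certificate, no SANs needed
#   O  "system:masters"   -> the group; this guide states it is bound to
#                            cluster-admin, so the resulting key is a
#                            full-cluster credential and must be kept tightly held
cat > admin-csr.json <<'EOF'
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:masters",
      "OU": "system"
    }
  ]
}
EOF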
关键点:O 设为 system:masters,使证书拥有 cluster-admin 的完整权限。
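# Sign the admin client certificate with the cluster CA.
# cfssljson -bare writes admin.pem / admin-key.pem / admin.csr under
# /etc/kubernetes/pki. Without pipefail a cfssl failure is silent, so the
# presence of the key is checked explicitly afterwards.
cfssl gencert \
  -ca=/etc/kubernetes/pki/ca.pem \
  -ca-key=/etc/kubernetes/pki/ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare /etc/kubernetes/pki/admin
# The key is a cluster-admin credential: do not leave its mode up to the
# current umask.
if [ -s /etc/kubernetes/pki/admin-key.pem ]; then
  chmod 0600 /etc/kubernetes/pki/admin-key.pem
else
  printf 'admin-key.pem was not generated; check the cfssl output above\n' >&2
fi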
创建 kubeconfig
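# Assemble the admin kubeconfig from the certificate generated above.
# The API endpoint and output path can be overridden through the
# environment; the defaults are the values used throughout this guide.
KUBE_APISERVER=${KUBE_APISERVER:-https://192.168.4.213:6443}
ADMIN_KUBECONFIG=${ADMIN_KUBECONFIG:-/etc/kubernetes/admin.kubeconfig}

# Cluster entry. The CA is embedded so the file stays self-contained when
# it is copied to other hosts.
kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/pki/ca.pem \
  --embed-certs=true \
  --server="${KUBE_APISERVER}" \
  --kubeconfig="${ADMIN_KUBECONFIG}"
# User entry. --embed-certs copies the private key into the kubeconfig,
# so this file is as sensitive as admin-key.pem itself.
kubectl config set-credentials admin \
  --client-certificate=/etc/kubernetes/pki/admin.pem \
  --client-key=/etc/kubernetes/pki/admin-key.pem \
  --embed-certs=true \
  --kubeconfig="${ADMIN_KUBECONFIG}"
# Context tying the cluster and user together, then make it current.
kubectl config set-context admin@kubernetes \
  --cluster=kubernetes \
  --user=admin \
  --kubeconfig="${ADMIN_KUBECONFIG}"
kubectl config use-context admin@kubernetes \
  --kubeconfig="${ADMIN_KUBECONFIG}"
# The file now holds a cluster-admin key; pin its mode regardless of umask.
if [ -f "${ADMIN_KUBECONFIG}" ]; then
  chmod 0600 "${ADMIN_KUBECONFIG}"
fi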
分发 kubeconfig
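# Install the kubeconfig for the current user on this Master, then copy it
# to the other Masters. The file embeds the admin private key, so it is
# installed with mode 0600 (cp/scp alone would apply the umask), and the
# remote ~/.kube directory is created first because scp does not create
# parent directories.
ADMIN_KUBECONFIG=${ADMIN_KUBECONFIG:-/etc/kubernetes/admin.kubeconfig}
masters=(master2 master3)

mkdir -p ~/.kube
chmod 0700 ~/.kube
cp -- "${ADMIN_KUBECONFIG}" ~/.kube/config
chmod 0600 ~/.kube/config

# -p on scp preserves the 0600 mode set above.
for host in "${masters[@]}"; do
  ssh "${host}" 'mkdir -p ~/.kube && chmod 0700 ~/.kube' \
    && scp -p "${ADMIN_KUBECONFIG}" "${host}:~/.kube/config" \
    || printf 'failed to distribute kubeconfig to %s\n' "${host}" >&2
done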
高权限设置
授予更高权限以便查看日志等操作:
# Bind the admin user (matches the CN "admin" in the certificate) to the
# built-in system:kubelet-api-admin ClusterRole, cluster-wide.
# NOTE(review): the certificate already carries O=system:masters, which
# this guide says is bound to cluster-admin; confirm this extra binding is
# really needed before widening it further.
# NOTE(review): the kubeconfig path here is /root/.kube/config rather than
# /etc/kubernetes/admin.kubeconfig — the two are the same file only if the
# distribution step ran as root.
binding_args=(
  --clusterrole=system:kubelet-api-admin
  --user admin
  --kubeconfig=/root/.kube/config
)
kubectl create clusterrolebinding kube-apiserver:kubelet-apis "${binding_args[@]}"
验证
# Sanity-check the new admin kubeconfig against the live cluster.
# check is a thin wrapper so each probe reads as one line.
check() {
  kubectl "$@"
}

check cluster-info   # API server endpoint reachable with the admin context
check get cs         # componentstatuses (deprecated since Kubernetes v1.19)
check get nodes      # node list; non-empty once kubelets have registered