Kubelet bootstrap认证配置步骤

发布时间：2020-12-17 20:47:10 所属栏目：安全来源：网络整理

导读：kubelet 授权 kube-apiserver 的一些操作 exec run logs 等 RBAC 只需创建一次就可以 kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes ? 创建 bootstrap kubeconfig 文件注意: t

kubelet 授权 kube-apiserver 的一些操作 exec run logs 等

RBAC 只需创建一次就可以

kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes

创建 bootstrap kubeconfig 文件

注意: token 生效时间为 1day,超过时间未创建自动失效，需要重新创建 token

kubeadm token create --description kubelet-bootstrap-token --groups system:bootstrappers:kubernetes-clientgroup --kubeconfig ~/.kube/config

查看生成的 token

kubeadm token list --kubeconfig ~/.kube/config

?TOKEN? ? ? ? ? ? ? ? ? ? TTL? EXPIRES? ? ? ? ? ? ? ? ? ? USAGES? ? ? ? ? ? ? ? ? DESCRIPTION? ? ? ? ? ? ? EXTRA GROUPS
?2kcmsb.hyl5s4g0l1mkff9z? 23h? 2018-11-16T11:08:00+08:00? authentication,signing? kubelet-bootstrap-token? system:bootstrappers:kubernetes-clientgroup

配置集群参数，生成kubernetes-clientgroup-bootstrap.kubeconfig

kubectl config set-cluster kubernetes   --certificate-authority=/etc/kubernetes/ssl/ca.pem   --embed-certs=true   --server=https://192.168.1.7:6443   #master节点ip
  --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig

配置客户端认证

kubectl config set-credentials kubelet-bootstrap   --token=?2kcmsb.hyl5s4g0l1mkff9z   #上面生成的token --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig

配置关联

kubectl config set-context default   --cluster=kubernetes   --user=kubelet-bootstrap   --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig

配置默认关联

kubectl config use-context default --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig

拷贝生成的 kubernetes-clientgroup-bootstrap.kubeconfig 文件到其它所有的node节点，并重命名

scp kubernetes-clientgroup-bootstrap.kubeconfig 192.168.1.8:/etc/kubernetes/bootstrap.kubeconfig

配置 bootstrap RBAC 权限

kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --group=system:bootstrappers

否则报如下错误
failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:bootstrap:1jezb7" cannot create
certificatesigningrequests.certificates.k8s.io at the cluster scope

创建自动批准相关 CSR 请求的 ClusterRole

vi /etc/kubernetes/tls-instructs-csr.yaml

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/selfnodeserver"]
  verbs: ["create"]

导入 yaml 文件

kubectl apply -f /etc/kubernetes/tls-instructs-csr.yaml

clusterrole.rbac.authorization.k8s.io "system:certificates.k8s.io:certificatesigningrequests:selfnodeserver" created

查看创建的ClusterRole

kubectl describe ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeserver

将 ClusterRole 绑定到适当的用户组

# 自动批准 system:bootstrappers 组用户 TLS bootstrapping 首次申请证书的 CSR 请求
kubectl create clusterrolebinding node-client-auto-approve-csr --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient --group=system:bootstrappers 
# 自动批准 system:nodes 组用户更新 kubelet 自身与 apiserver 通讯证书的 CSR 请求
kubectl create clusterrolebinding node-client-auto-renew-crt --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeclient --group=system:nodes
# 自动批准 system:nodes 组用户更新 kubelet 10250 api 端口证书的 CSR 请求
kubectl create clusterrolebinding node-server-auto-renew-crt --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeserver --group=system:nodes

查看已有绑定 kubectl get clusterrolebindings

动态 kubelet 配置

创建kubelet服务文件

mkdir -p /var/lib/kubelet

vim /etc/systemd/system/kubelet.service

[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service
[Service]
WorkingDirectory=/var/lib/kubelet
 
ExecStart=/usr/local/bin/kubelet   --hostname-override=k8s-wjoyxt    #本地node节点的hostname   --pod-infra-container-image=jicki/pause-amd64:3.1    #pod的基础镜像，即gcr的gcr.io/google_containers/pause-amd64:3.1镜像 --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig   --kubeconfig=/etc/kubernetes/kubelet.kubeconfig   --config=/etc/kubernetes/kubelet.config.json   --cert-dir=/etc/kubernetes/ssl   --logtostderr=true   --v=2
[Install]
WantedBy=multi-user.target

创建 kubelet config 配置文件

vim /etc/kubernetes/kubelet.config.json

{
  "kind": "KubeletConfiguration","apiVersion": "kubelet.config.k8s.io/v1beta1","authentication": {
    "x509": {
      "clientCAFile": "/etc/kubernetes/ssl/ca.pem"
    },"webhook": {
      "enabled": true,"cacheTTL": "2m0s"
    },"anonymous": {
      "enabled": false
    }
  },"authorization": {
    "mode": "Webhook","webhook": {
      "cacheAuthorizedTTL": "5m0s","cacheUnauthorizedTTL": "30s"
    }
  },"address": "172.16.6.66",#本地node节点的IP "port": 10250,"readOnlyPort": 0,"cgroupDriver": "cgroupfs","hairpinMode": "promiscuous-bridge","serializeImagePulls": false,"RotateCertificates": true,"featureGates": {
    "RotateKubeletClientCertificate": true,"RotateKubeletServerCertificate": true
  },"MaxPods": "512","failSwapOn": false,"containerLogMaxSize": "10Mi","containerLogMaxFiles": 5,"clusterDomain": "cluster.local.","clusterDNS": ["10.254.0.2"]
}

以上配置中:

cluster.local. 为 kubernetes 集群的 domain
10.254.0.2 预分配的 dns 地址
"clusterDNS": ["10.254.0.2"] 可配置多个 dns地址，逗号可开,可配置宿主机dns

启动Kubelet服务

systemctl daemon-reload
systemctl enable kubelet
systemctl start kubelet
systemctl status kubelet

验证nodes

注意:这里的 ROLES 是节点标签
关于 kubectl get node 中的 ROLES 的标签
单 Master 打标签 kubectl label node es-60 node-role.kubernetes.io/master=""，当标签为 NoSchedule，表示不进行资源调度
更新标签命令为 kubectl taint nodes es-60 node-role.kubernetes.io/master=:NoSchedule
单 Node 打标签 kubectl label node es-61 node-role.kubernetes.io/node=""
关于删除 label 可使用 - 号相连如: kubectl label nodes es-61 node-role.kubernetes.io/node-

查看自动生成的证书配置文件

ls -lt /etc/kubernetes/ssl/kubelet-*

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!