Kubelet bootstrap authentication: configuration steps
Authorize kube-apiserver to call the kubelet API (exec, run, logs and similar). This RBAC binding only needs to be created once:

kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes

Create the bootstrap kubeconfig file. Note: the token is valid for 1 day; if it is not used within that time it expires automatically and a new token has to be created.

kubeadm token create --description kubelet-bootstrap-token --groups system:bootstrappers:kubernetes-clientgroup --kubeconfig ~/.kube/config

List the generated tokens:

kubeadm token list --kubeconfig ~/.kube/config
TOKEN                     TTL       EXPIRES                USAGES                   DESCRIPTION             EXTRA GROUPS

Set the cluster parameters and generate kubernetes-clientgroup-bootstrap.kubeconfig (the --server address is the master node IP):

kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://192.168.1.7:6443 \
  --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig

Set the client credentials (the token is the one generated above):

kubectl config set-credentials kubelet-bootstrap \
  --token=2kcmsb.hyl5s4g0l1mkff9z \
  --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig

Set the context:

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig

Set the default context:

kubectl config use-context default --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig

Copy the generated kubernetes-clientgroup-bootstrap.kubeconfig to every other node, renaming it on the way:

scp kubernetes-clientgroup-bootstrap.kubeconfig 192.168.1.8:/etc/kubernetes/bootstrap.kubeconfig

Configure the bootstrap RBAC permissions. Without this binding the bootstrap request is rejected:

kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --group=system:bootstrappers

Create the ClusterRole used for auto-approving the related CSR requests. Write the definition to /etc/kubernetes/tls-instructs-csr.yaml and apply it:

vi /etc/kubernetes/tls-instructs-csr.yaml
kubectl apply -f /etc/kubernetes/tls-instructs-csr.yaml
clusterrole.rbac.authorization.k8s.io "system:certificates.k8s.io:certificatesigningrequests:selfnodeserver" created

Inspect the created ClusterRole:

kubectl describe ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
Bind the ClusterRole to the appropriate group
# Auto-approve the CSR that users in the system:bootstrappers group send when they first request a certificate during TLS bootstrapping
kubectl create clusterrolebinding node-client-auto-approve-csr --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient --group=system:bootstrappers

This binding covers only the first client certificate request. The selfnodeserver ClusterRole created above is not bound to anything here, so kubelet serving-certificate CSRs (which the kubelet only issues when serverTLSBootstrap is enabled in its configuration) and client-certificate renewals (the selfnodeclient subresource) still have to be approved manually with kubectl certificate approve, unless matching bindings for the system:nodes group are added.

Dynamic kubelet configuration

Create the kubelet working directory:

mkdir -p /var/lib/kubelet

Create the kubelet config file:

vim /etc/kubernetes/kubelet.config.json

{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {
    "x509": {
      "clientCAFile": "/etc/kubernetes/ssl/ca.pem"
    },
    "webhook": {
      "enabled": true,
      "cacheTTL": "2m0s"
    },
    "anonymous": {
      "enabled": false
    }
  },
  "authorization": {
    "mode": "Webhook",
    "webhook": {
      "cacheAuthorizedTTL": "5m0s",
      "cacheUnauthorizedTTL": "30s"
    }
  },
  "address": "172.16.6.66",
  "port": 10250,
  "readOnlyPort": 0,
  "cgroupDriver": "cgroupfs",
  "hairpinMode": "promiscuous-bridge",
  "serializeImagePulls": false,
  "rotateCertificates": true,
  "featureGates": {
    "RotateKubeletClientCertificate": true,
    "RotateKubeletServerCertificate": true
  },
  "maxPods": 512,
  "failSwapOn": false,
  "containerLogMaxSize": "10Mi",
  "containerLogMaxFiles": 5,
  "clusterDomain": "cluster.local.",
  "clusterDNS": ["10.254.0.2"]
}

In the configuration above, "address" is the IP of the local node and cluster.local. is the domain of the Kubernetes cluster. Field names are case-sensitive: rotateCertificates and maxPods are the accepted spellings, maxPods takes an integer, and JSON allows no inline comments. With anonymous authentication disabled, authorization delegated to the API server by webhook and readOnlyPort set to 0, the kubelet API on port 10250 only serves callers that present a certificate signed by the cluster CA or a bearer token the API server accepts.
Start the kubelet service
systemctl daemon-reload
systemctl enable kubelet
systemctl start kubelet
systemctl status kubelet
Verify that the nodes have registered. Note: the ROLES shown there are node labels.

Check the automatically generated certificate files:

ls -lt /etc/kubernetes/ssl/kubelet-*
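As an added example that is not part of the original guide, the POSIX sh script below performs offline checks on the pieces set up above: the format of a kubeadm bootstrap token, the file mode of the copied bootstrap.kubeconfig (it carries the token, so it is a credential), and the hardening settings in kubelet.config.json. It needs no cluster and no kubectl. The function names are my own, the embedded sample config is a constructed subset of the guide's file, and the token used in the demo is the one shown in the guide.

```shell
#!/bin/sh
# Added example, not from the original guide: offline checks for a kubelet
# bootstrap setup. Needs only POSIX sh, grep, tr, cut, sed and ls; no kubectl.

# kubeadm bootstrap tokens look like <id>.<secret>: 6 then 16 chars of [a-z0-9].
# The id is public (it names the Secret bootstrap-token-<id>); the secret is not.
is_valid_bootstrap_token() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# The id half of a token, safe to write to logs; the secret half never is.
bootstrap_token_id() {
    printf '%s' "$1" | cut -d. -f1
}

# bootstrap.kubeconfig carries the token, so it is a credential: owner
# read/write only (mode 0600). Parsed from ls -l so it works on GNU and BSD.
kubeconfig_mode_ok() {
    [ "$(ls -l "$1" | cut -c2-10)" = "rw-------" ]
}

# Audit a KubeletConfiguration JSON file for the settings the guide relies on.
# All whitespace is stripped first so each key/value pair can be matched as a
# text fragment without a jq dependency (the string values checked here contain
# no spaces, so this is safe). Prints every failed check; returns 1 if any failed.
audit_kubelet_config() {
    flat=$(tr -d ' \n\t\r' < "$1")
    failed=0
    _expect() {  # $1 = fragment that must be present, $2 = check description
        case "$flat" in
            *"$1"*) ;;
            *) echo "FAIL: $2"; failed=1 ;;
        esac
    }
    _expect '"anonymous":{"enabled":false}' 'anonymous access to the kubelet API is disabled'
    _expect '"mode":"Webhook"'              'kubelet authorization is delegated to the API server'
    _expect '"readOnlyPort":0'              'unauthenticated read-only port is switched off'
    _expect '"rotateCertificates":true'     'kubelet client certificate rotation is enabled'
    _expect '"clientCAFile":"/etc/kubernetes/ssl/ca.pem"' 'x509 client CA is the cluster CA'
    return $failed
}

# Constructed sample (the relevant subset of the guide's kubelet.config.json),
# written to stdout so the demo and the checks can work on a real file.
sample_kubelet_config() {
    cat <<'EOF'
{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {
    "x509": { "clientCAFile": "/etc/kubernetes/ssl/ca.pem" },
    "webhook": { "enabled": true, "cacheTTL": "2m0s" },
    "anonymous": { "enabled": false }
  },
  "authorization": { "mode": "Webhook" },
  "address": "172.16.6.66",
  "port": 10250,
  "readOnlyPort": 0,
  "rotateCertificates": true
}
EOF
}

# Demo: audit the sample, then a copy with anonymous access switched back on.
demo() {
    dir=$(mktemp -d)
    sample_kubelet_config > "$dir/kubelet.config.json"
    sed 's/"anonymous": { "enabled": false }/"anonymous": { "enabled": true }/' \
        "$dir/kubelet.config.json" > "$dir/weak.json"
    echo "token id: $(bootstrap_token_id 2kcmsb.hyl5s4g0l1mkff9z)"
    audit_kubelet_config "$dir/kubelet.config.json" && echo "kubelet.config.json: OK"
    audit_kubelet_config "$dir/weak.json" || echo "weak.json: rejected"
    rm -rf "$dir"
}
demo
```

On a node the intended calls are audit_kubelet_config /etc/kubernetes/kubelet.config.json and kubeconfig_mode_ok /etc/kubernetes/bootstrap.kubeconfig. The audit matches text fragments rather than parsing JSON, which is enough for a fixed config layout like the guide's but will report a false failure if the same keys are written with different formatting; a jq- or Python-based check is the right tool when that matters.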