005.Kubernetes binary deployment kubectl

Keywords: Linux Kubernetes JSON ssh

I. deployment of kubectl

1.1 installation of kubectl

  [root@k8smaster01 ~]# cd /opt/k8s/work
  [root@k8smaster01 work]# wget https://dl.k8s.io/v1.14.2/kubernetes-client-linux-amd64.tar.gz
  [root@k8smaster01 work]# tar -zxvf kubernetes-client-linux-amd64.tar.gz

1.2 distribution of kubectl

  [root@k8smaster01 ~]# cd /opt/k8s/work
  [root@k8smaster01 work]# source /opt/k8s/bin/environment.sh
  [root@k8smaster01 work]# for master_ip in "${MASTER_IPS[@]}"
    do
      echo ">>> ${master_ip}"
      # Copy the kubectl binary to each master and make it executable
      scp kubernetes/client/bin/kubectl "root@${master_ip}:/opt/k8s/bin/"
      ssh "root@${master_ip}" "chmod +x /opt/k8s/bin/*"
    done

1.3 create admin certificate and key

  [root@k8smaster01 ~]# cd /opt/k8s/work
  [root@k8smaster01 work]# cat > admin-csr.json <<EOF
  {
      "CN": "admin",
      "hosts": [],
      "key": {
          "algo": "rsa",
          "size": 2048
      },
      "names": [
          {
              "C": "CN",
              "ST": "Shanghai",
              "L": "Shanghai",
              "O": "system:masters",
              "OU": "System"
          }
      ]
  }
  EOF
  # Create the certificate signing request (CSR) file for admin
Interpretation:
O is system:masters: when kube-apiserver receives a request authenticated with this certificate, it sets the request's group to system:masters;
The predefined ClusterRoleBinding cluster-admin binds the group system:masters to the ClusterRole cluster-admin, which grants permissions on all APIs;
The certificate is used only by kubectl as a client certificate, so the hosts field is empty.
  [root@k8smaster01 ~]# cd /opt/k8s/work
  [root@k8smaster01 work]# cfssl gencert -ca=/opt/k8s/work/ca.pem \
  -ca-key=/opt/k8s/work/ca-key.pem -config=/opt/k8s/work/ca-config.json \
  -profile=kubernetes admin-csr.json | cfssljson -bare admin	# Generate the admin private key (admin-key.pem) and certificate (admin.pem), signed by the CA

1.4 create kubeconfig file

By default, kubectl reads the kube-apiserver address and authentication information from the ~/.kube/config file. The kubeconfig file generated on the master node can be copied to any machine that needs to run kubectl commands and saved there as ~/.kube/config.
Note: unless otherwise specified, all operations in this document are performed on the k8smaster node, and then the files and commands are distributed remotely.
  [root@k8smaster01 ~]# cd /opt/k8s/work
  [root@k8smaster01 work]# source /opt/k8s/bin/environment.sh
  [root@k8smaster01 work]# kubectl config set-cluster kubernetes \
     --certificate-authority=/opt/k8s/work/ca.pem \
     --embed-certs=true \
     --server="${KUBE_APISERVER}" \
     --kubeconfig=kubectl.kubeconfig		# Set cluster parameters
  [root@k8smaster01 work]# kubectl config set-credentials admin \
     --client-certificate=/opt/k8s/work/admin.pem \
     --client-key=/opt/k8s/work/admin-key.pem \
     --embed-certs=true \
     --kubeconfig=kubectl.kubeconfig		# Set client authentication parameters
  [root@k8smaster01 work]# kubectl config set-context kubernetes \
     --cluster=kubernetes \
     --user=admin \
     --kubeconfig=kubectl.kubeconfig		# Set context parameters
  [root@k8smaster01 work]# kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig			# Set default context
Interpretation:
--certificate-authority: the root certificate used to verify the kube-apiserver certificate;
--client-certificate, --client-key: the newly generated admin certificate and private key, which are used when connecting to kube-apiserver;
--embed-certs=true: embeds the contents of ca.pem and admin.pem into the generated kubectl.kubeconfig file; on set-credentials the admin-key.pem private key is embedded as well. (By default only the paths of the certificate files are written, in which case the certificate files must later be copied to other machines together with the kubeconfig.)

1.5 distribute kubeconfig

  [root@k8smaster01 ~]# cd /opt/k8s/work
  [root@k8smaster01 work]# source /opt/k8s/bin/environment.sh
  [root@k8smaster01 work]# for master_ip in "${MASTER_IPS[@]}"
    do
      echo ">>> ${master_ip}"
      # Install the admin kubeconfig as root's default kubectl configuration
      ssh "root@${master_ip}" "mkdir -p ~/.kube"
      scp kubectl.kubeconfig "root@${master_ip}:~/.kube/config"
    done
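
The kubeconfig distributed above embeds the admin private key and authenticates as a member of system:masters. As an added example (not part of the original post), these bash functions check that such a file is readable only by its owner and report which groups its embedded client certificate carries. The function names are hypothetical, and GNU stat, base64 and openssl are assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: audit a kubeconfig that embeds client credentials.
# Function names are hypothetical; assumes GNU stat, base64 and openssl.

# Succeed only if group and others have no access to the file (e.g. 600, 400).
kubeconfig_mode_ok() {
  local mode
  mode=$(stat -c '%a' "$1") || return 2
  case "$mode" in
    0|*00) return 0 ;;
    *) echo "WARN: $1 has mode $mode; run chmod 600 on it" >&2; return 1 ;;
  esac
}

# Succeed if the file carries an embedded private key (client-key-data).
has_embedded_key() {
  grep -Eq '^[[:space:]]*client-key-data:[[:space:]]*[A-Za-z0-9+/=]+' "$1"
}

# Print each Organization (O) value of an `openssl x509 -subject` line.
# kube-apiserver uses every O value as a group of the authenticated user.
subject_groups() {
  printf '%s\n' "${1#subject=}" | tr ',/' '\n\n' |
    sed -n 's/^[[:space:]]*O[[:space:]]*=[[:space:]]*//p'
}

# Decode the first embedded client certificate and print its groups.
kubeconfig_client_groups() {
  local subject
  subject=$(sed -n 's/^[[:space:]]*client-certificate-data:[[:space:]]*//p' "$1" |
    head -n 1 | base64 -d | openssl x509 -noout -subject) || return 2
  subject_groups "$subject"
}

# Return 1 if a key-bearing kubeconfig is too widely readable; also report
# when the embedded identity is a member of system:masters.
audit_kubeconfig() {
  local rc=0
  if has_embedded_key "$1"; then
    kubeconfig_mode_ok "$1" || rc=1
  fi
  if kubeconfig_client_groups "$1" 2>/dev/null | grep -qx 'system:masters'; then
    echo "NOTE: $1 authenticates as group system:masters (cluster-admin)" >&2
  fi
  return "$rc"
}

# Usage: audit_kubeconfig ~/.kube/config
```

Running audit_kubeconfig on each master after the distribution loop shows whether scp left ~/.kube/config with permissions wider than 600.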

Posted by malcome_thompson on Fri, 15 Nov 2019 11:05:10 -0800