
在k8s集群外部管理k8s集群

#############################################################################################
#############################################################################################
#############################################################################################
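### Create the admin kubeconfig
# Apiserver address written into the kubeconfig. Can be overridden from the
# environment (IP=... ./script). Whatever address is used here must be present
# in the apiserver's serving-certificate SANs, otherwise kubectl fails TLS
# verification; do not work around that with insecure-skip-tls-verify.
IP="${IP:-192.168.28.126}"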
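#######################################
# Build an admin kubeconfig for managing the cluster from outside it.
# Issues a client certificate (CN=admin) from the cluster CA with cfssl,
# writes kube-admin.kubeconfig with CA, cert and key embedded, binds the
# "admin" user to cluster-admin, and creates the RBAC that lets kubelets
# obtain and renew their certificates through CSRs.
# Globals:   IP (read) - apiserver address written into the kubeconfig.
# Arguments: none
# Outputs:   admin-csr.json, admin.pem, admin-key.pem, kube-admin.kubeconfig
#            and k8s-admin.yaml under /etc/kubernetes/ssl; kubectl output
#            on stdout.
# Returns:   0 on success; 1 if a step whose output later steps depend on
#            fails (the clusterrolebinding creates at the end are not
#            idempotent and report AlreadyExists on a rerun).
#######################################
_kubeconfig_admin() {
  local ssl_dir="/etc/kubernetes/ssl"
  local kubeconfig="kube-admin.kubeconfig"

  # Every path below is relative; never fall through and write into $PWD.
  cd "$ssl_dir" || { printf 'cannot cd to %s\n' "$ssl_dir" >&2; return 1; }

  # CSR for the admin identity. "hosts" is empty on purpose - this is a
  # client cert, not a server cert. O is "od" rather than "system:masters",
  # so the cert carries no implicit privilege: access comes only from the
  # ClusterRoleBinding below and can be withdrawn by deleting that binding
  # (Kubernetes does not check CRLs, so the cert itself cannot be revoked).
  cat > admin-csr.json << 'EOF'
{
    "CN": "admin",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
EOF

  # Sign with the cluster CA. The pipeline's status only reflects cfssljson,
  # so check that both artifacts were actually produced.
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
    -profile=kubernetes admin-csr.json | cfssljson -bare admin
  if [[ ! -s admin.pem || ! -s admin-key.pem ]]; then
    printf 'cfssl did not produce admin.pem/admin-key.pem\n' >&2
    return 1
  fi
  chmod 600 admin-key.pem

  # Cluster entry: CA embedded so the kubeconfig is self-contained. ${IP}
  # must be in the apiserver's certificate SANs or TLS verification fails.
  kubectl config set-cluster myk8s \
    --certificate-authority="${ssl_dir}/ca.pem" \
    --embed-certs=true \
    --server="https://${IP}:6443" \
    --kubeconfig="$kubeconfig" || return 1

  # Admin credentials; the private key is embedded in the file.
  kubectl config set-credentials admin \
    --client-certificate="${ssl_dir}/admin.pem" \
    --client-key="${ssl_dir}/admin-key.pem" \
    --embed-certs=true \
    --kubeconfig="$kubeconfig" || return 1

  # Context tying the credentials to the cluster.
  kubectl config set-context myk8s-context \
    --cluster=myk8s \
    --user=admin \
    --kubeconfig="$kubeconfig" || return 1

  # Select the context (normally done on the remote management host).
  kubectl config use-context myk8s-context --kubeconfig="$kubeconfig" || return 1

  # The kubeconfig now holds a cluster-admin private key: owner-only access,
  # and copy it to the management host over a protected channel only.
  chmod 600 "$kubeconfig"

  # Grant the "admin" user (matched by cert CN) cluster-admin.
  cat > k8s-admin.yaml << 'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: admin
EOF
  kubectl apply -f k8s-admin.yaml || return 1
  kubectl get clusterrolebinding admin -o yaml

  # Custom role for kubelet serving-cert renewal CSRs. Nothing in this
  # script binds it - the bindings below use the built-in
  # system:certificates.k8s.io:certificatesigningrequests:* roles - so it is
  # kept only for compatibility with setups that reference it by name.
  kubectl apply -f - << 'EOF'
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: approve-node-server-renewal-csr
rules:
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests/selfnodeserver"]
  verbs: ["create"]
EOF

  kubectl get clusterrole | grep -E approve

  # Bootstrap: whoever authenticates as kubelet-bootstrap can request a node
  # client cert for any node name, so the bootstrap credential behind that
  # user must be treated as a secret and rotated (it is not shown here).
  kubectl create clusterrolebinding node-client-auto-approve-csr \
    --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient \
    --user=kubelet-bootstrap
  # Client-cert renewal for already-joined nodes.
  kubectl create clusterrolebinding node-client-auto-renew-crt \
    --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeclient \
    --group=system:nodes
  # Serving-cert renewal for nodes. NOTE(review): this only grants the
  # permission to submit such CSRs; whether they are approved automatically
  # depends on the controller-manager / approver in use - verify on the
  # target cluster version rather than assuming.
  kubectl create clusterrolebinding node-server-auto-renew-crt \
    --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeserver \
    --group=system:nodes
}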

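# Run the setup; propagate a failed step as the script's exit status so a
# half-written kubeconfig is not mistaken for success by a caller.
_kubeconfig_admin || exit 1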


