Kubelet bootstrap认证配置步骤

kubelet 授权 kube-apiserver 的一些操作 exec run logs 等

RBAC 只需创建一次就可以

kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes

 

创建 bootstrap kubeconfig 文件

注意: token 生效时间为 1day , 超过时间未创建自动失效,需要重新创建 token

kubeadm token create --description kubelet-bootstrap-token --groups system:bootstrappers:kubernetes-clientgroup --kubeconfig ~/.kube/config

查看生成的 token

kubeadm token list --kubeconfig ~/.kube/config

 TOKEN                    TTL  EXPIRES                    USAGES                  DESCRIPTION              EXTRA GROUPS
 2kcmsb.hyl5s4g0l1mkff9z  23h  2018-11-16T11:08:00+08:00  authentication,signing  kubelet-bootstrap-token  system:bootstrappers:kubernetes-clientgroup

配置集群参数,生成kubernetes-clientgroup-bootstrap.kubeconfig

kubectl config set-cluster kubernetes \
  --certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --embed-certs=true \
  --server=https://192.168.1.7:6443 \  #master节点ip
  --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig

配置客户端认证

kubectl config set-credentials kubelet-bootstrap \
  --token= 2kcmsb.hyl5s4g0l1mkff9z \  #上面生成的token
  --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig

配置关联

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig

配置默认关联

kubectl config use-context default --kubeconfig=kubernetes-clientgroup-bootstrap.kubeconfig

拷贝生成的 kubernetes-clientgroup-bootstrap.kubeconfig 文件到其它所有的node节点,并重命名

scp kubernetes-clientgroup-bootstrap.kubeconfig 192.168.1.8:/etc/kubernetes/bootstrap.kubeconfig

 

配置 bootstrap RBAC 权限

kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --group=system:bootstrappers
否则报如下错误
failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:bootstrap:1jezb7" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope

 

创建自动批准相关 CSR 请求的 ClusterRole

vi /etc/kubernetes/tls-instructs-csr.yaml
kind: ClusterRole apiVersion: rbac.authorization.k8s.io
/v1 metadata: name: system:certificates.k8s.io:certificatesigningrequests:selfnodeserver rules: - apiGroups: ["certificates.k8s.io"] resources: ["certificatesigningrequests/selfnodeserver"] verbs: ["create"]

导入 yaml 文件

kubectl apply -f /etc/kubernetes/tls-instructs-csr.yaml

clusterrole.rbac.authorization.k8s.io "system:certificates.k8s.io:certificatesigningrequests:selfnodeserver" created

查看创建的ClusterRole

kubectl describe ClusterRole/system:certificates.k8s.io:certificatesigningrequests:selfnodeserver
 
将 ClusterRole 绑定到适当的用户组
# 自动批准 system:bootstrappers 组用户 TLS bootstrapping 首次申请证书的 CSR 请求
kubectl create clusterrolebinding node-client-auto-approve-csr --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient --group=system:bootstrappers 
# 自动批准 system:nodes 组用户更新 kubelet 自身与 apiserver 通讯证书的 CSR 请求 kubectl create clusterrolebinding node
-client-auto-renew-crt --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeclient --group=system:nodes
# 自动批准 system:nodes 组用户更新 kubelet
10250 api 端口证书的 CSR 请求 kubectl create clusterrolebinding node-server-auto-renew-crt --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeserver --group=system:nodes

查看已有绑定 kubectl get clusterrolebindings

 

动态 kubelet 配置

创建kubelet服务文件

mkdir -p /var/lib/kubelet
vim
/etc/systemd/system/kubelet.service
[Unit] Description
=Kubernetes Kubelet Documentation=https://github.com/GoogleCloudPlatform/kubernetes After=docker.service Requires=docker.service [Service] WorkingDirectory=/var/lib/kubelet ExecStart=/usr/local/bin/kubelet \ --hostname-override=k8s-wjoyxt \ #本地node节点的hostname --pod-infra-container-image=jicki/pause-amd64:3.1 \ #pod的基础镜像,即gcr的gcr.io/google_containers/pause-amd64:3.1镜像 --bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \ --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \ --config=/etc/kubernetes/kubelet.config.json \ --cert-dir=/etc/kubernetes/ssl \ --logtostderr=true \ --v=2 [Install] WantedBy=multi-user.target

创建 kubelet config 配置文件

vim /etc/kubernetes/kubelet.config.json

{
  "kind": "KubeletConfiguration",
  "apiVersion": "kubelet.config.k8s.io/v1beta1",
  "authentication": {
    "x509": {
      "clientCAFile": "/etc/kubernetes/ssl/ca.pem"
    },
    "webhook": {
      "enabled": true,
      "cacheTTL": "2m0s"
    },
    "anonymous": {
      "enabled": false
    }
  },
  "authorization": {
    "mode": "Webhook",
    "webhook": {
      "cacheAuthorizedTTL": "5m0s",
      "cacheUnauthorizedTTL": "30s"
    }
  },
  "address": "172.16.6.66", #本地node节点的IP
  "port": 10250,
  "readOnlyPort": 0,
  "cgroupDriver": "cgroupfs",
  "hairpinMode": "promiscuous-bridge",
  "serializeImagePulls": false,
  "RotateCertificates": true,
  "featureGates": {
    "RotateKubeletClientCertificate": true,
    "RotateKubeletServerCertificate": true
  },
  "MaxPods": "512",
  "failSwapOn": false,
  "containerLogMaxSize": "10Mi",
  "containerLogMaxFiles": 5,
  "clusterDomain": "cluster.local.",
  "clusterDNS": ["10.254.0.2"]
}

以上配置中:

cluster.local. 为 kubernetes 集群的 domain
10.254.0.2 预分配的 dns 地址
"clusterDNS": ["10.254.0.2"] 可配置多个 dns地址,逗号可开, 可配置宿主机dns

 

启动Kubelet服务
systemctl daemon-reload
systemctl enable kubelet
systemctl start kubelet
systemctl status kubelet

验证nodes

注意:这里的 ROLES 是节点标签
关于 kubectl get node 中的 ROLES 的标签
单 Master 打标签 kubectl label node es-60 node-role.kubernetes.io/master="",当标签为 NoSchedule,表示不进行资源调度
更新标签命令为 kubectl taint nodes es-60 node-role.kubernetes.io/master=:NoSchedule
单 Node 打标签 kubectl label node es-61 node-role.kubernetes.io/node=""
关于删除 label 可使用 - 号相连 如: kubectl label nodes es-61 node-role.kubernetes.io/node-

 

查看自动生成的证书配置文件

ls -lt /etc/kubernetes/ssl/kubelet-*

 

 

你可能感兴趣的:(Kubelet bootstrap认证配置步骤)