[root@SZD-L0105331 kube-system-rbac]# kubectl config view
apiVersion: v1
clusters: []
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
[root@SZD-L0105331 kube-system-rbac]# cat /root/.kube/config
apiVersion: v1
clusters: []
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
[root@SZD-L0105331 kube-system-rbac]#
1> 配置访问的集群
[root@SZD-L0105331 kube-system-rbac]# kubectl config set-cluster k8s-cluster1 --server=https://10.25.72.62:6443 --certificate-authority=/etc/kubernetes/ssl/ca.pem --embed-certs=true
Cluster "k8s-cluster1" set.
[root@SZD-L0105331 kube-system-rbac]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://10.25.72.62:6443
name: k8s-cluster1
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
2> 配置访问集群环境的上下文
[root@SZD-L0105331 ssl]# kubectl config set-context kube-system-ctx --cluster=k8s-cluster1 --user=kubectl --namespace=kube-system
Context "kube-system-ctx" modified.
[root@SZD-L0105331 ssl]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://10.25.72.62:6443
name: k8s-cluster1
contexts:
- context:
cluster: k8s-cluster1
namespace: kube-system
user: kubectl
name: kube-system-ctx
current-context: ""
kind: Config
preferences: {}
users: []
[root@SZD-L0105331 ssl]#
3> 配置用户信息(生成用户证书)。注意：下面的 set-credentials 使用了 --embed-certs=true，客户端私钥 kubectl-key.pem 的内容会被写入 /root/.kube/config，该文件应与 kubectl-key.pem 一样仅限属主读写(-rw-------)；凭据名称需与上下文中的 --user=kubectl 一致，否则 use-context 后无法找到对应用户。
[root@SZD-L0105331 ssl]# cfssl gencert -ca /etc/kubernetes/ssl/ca.pem -ca-key /etc/kubernetes/ssl/ca-key.pem -config /etc/kubernetes/ssl/ca-config.json -profile kubernetes kubectl-csr.json | cfssljson -bare kubectl
2018/08/14 18:23:34 [INFO] generate received request
2018/08/14 18:23:34 [INFO] received CSR
2018/08/14 18:23:34 [INFO] generating key: rsa-2048
2018/08/14 18:23:35 [INFO] encoded CSR
2018/08/14 18:23:35 [INFO] signed certificate with serial number 545978585073071366006772508641697961321859804168
2018/08/14 18:23:35 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@SZD-L0105331 ssl]# ll
total 36
-rw-r----- 1 root root 372 Aug 8 18:56 ca-config.json
-rw------- 1 root root 1675 Jul 13 10:29 ca-key.pem
-rw-r----- 1 root root 1359 Jul 13 10:29 ca.pem
-rw-r----- 1 root root 997 Aug 14 18:23 kubectl.csr
-rw-r----- 1 root root 220 Aug 14 18:16 kubectl-csr.json
-rw------- 1 root root 1675 Aug 14 18:23 kubectl-key.pem
-rw-r----- 1 root root 1387 Aug 14 18:23 kubectl.pem
-rw------- 1 root root 1675 Jul 12 21:18 kubernetes-key.pem
-rw-r----- 1 root root 1610 Jul 12 21:18 kubernetes.pem
[root@SZD-L0105331 ssl]# kubectl config set-credentials kubectl --client-key=/etc/kubernetes/ssl/kubectl-key.pem --client-certificate=/etc/kubernetes/ssl/kubectl.pem --user=kubectl --embed-certs=true
User "kubectl-credential" set.
[root@SZD-L0105331 ssl]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://10.25.72.62:6443
name: k8s-cluster1
contexts:
- context:
cluster: k8s-cluster1
namespace: kube-system
user: kubectl
name: kube-system-ctx
current-context: ""
kind: Config
preferences: {}
users:
- name: kubectl-credential
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@SZD-L0105331 ssl]#
[root@SZD-L0105331 ssl]#
4> 使用context
[root@SZD-L0105331 ssl]# kubectl config use-context kube-system-ctx
Switched to context "kube-system-ctx".
[root@SZD-L0105331 ssl]#
[root@SZD-L0105331 ssl]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://10.25.72.62:6443
name: k8s-cluster1
contexts:
- context:
cluster: k8s-cluster1
namespace: kube-system
user: kubectl
name: kube-system-ctx
current-context: kube-system-ctx
kind: Config
preferences: {}
users:
- name: kubectl
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@SZD-L0105331 ssl]#
5> 创建role和rolebinding。注意：RoleBinding 的 roleRef.name 必须与 Role 的 metadata.name 完全一致(下面分别写成了 kubectl-role-kubesystem 与 kubectl-role-kube-system，需统一为同一个名称)；subjects 中 User 的 name 对应客户端证书的 CN(即 kubectl-csr.json 中的 "kubectl")，而不是 kubeconfig 里的用户名。另外该 Role 授予了 kube-system 命名空间内 secrets 的读写以及 serviceaccounts 的 impersonate 权限，已接近该命名空间的管理员权限，建议按实际需要裁剪。
[root@SZD-L0105331 kube-system-rbac]# cat kubectl-role-kubesystem.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kubectl-role-kube-system
namespace: kube-system
rules:
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- bindings
- events
- limitranges
- pods/log
- pods/status
- replicationcontrollers/status
- resourcequotas
- resourcequotas/status
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- apps
resources:
- deployments
- deployments/rollback
- deployments/scale
- statefulsets
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- batch
resources:
- cronjobs
- jobs
- scheduledjobs
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- ingresses
- replicasets
- replicasets/scale
- replicationcontrollers/scale
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- authorization.k8s.io
resources:
- localsubjectaccessreviews
verbs:
- create
[root@SZD-L0105331 kube-system-rbac]# cat kubectl-rolebinding-kubesystem.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubectl-rolebinding-kubesystem
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubectl-role-kubesystem
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kubectl
附录:
1、 ca-config.json 和 kubectl-csr.json
[root@SZD-L0105331 ssl]# cat ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "87600h"
}
}
}
}
[root@SZD-L0105331 ssl]# cat kubectl-csr.json
{
"CN": "kubectl",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
2、清理config配置项
kubectl config unset [clusters | contexts | users | current-context]
(属性需写成具体路径，例如：kubectl config unset users.kubectl、kubectl config unset contexts.kube-system-ctx、kubectl config unset clusters.k8s-cluster1、kubectl config unset current-context)