K8s生成kubeconfig访问集群


创建工作目录

[root@node1 ~]# mkdir kubeconfig
[root@node1 ~]# cd kubeconfig/
[root@node1 kubeconfig]# 

下载创建证书使用的工具

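# Download the cfssl and cfssljson binaries (release R1.2, as pinned by this guide).
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

# These binaries will later read the cluster CA private key, so compare them
# with the checksums published for the release before installing, e.g.:
#   echo "<EXPECTED_SHA256>  cfssl_linux-amd64" | sha256sum -c -
# wget does not set the execute bit; without it the later `cfssl gencert`
# call fails with "Permission denied".
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64

mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson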

创建客户端证书请求文件

test-csr.json

{
  "CN": "test",
  "hosts": [
   "192.168.202.129"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "system:masters",             
      "OU": "system"
    }
  ]
}

说明:

  • CN表示用户名,
  • hosts表示使用该证书的域名,
  • key指定私钥的算法(algo)和长度(size),
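  • names中的O指定该证书的 Group 为 system:masters。客户端(如 kubectl)使用该证书访问 kube-apiserver 时,由于证书被 CA 签名,所以认证通过;又由于 system:masters 组默认绑定 cluster-admin 角色,所以被授予访问所有 API 的权限。该证书等同于集群管理员凭据,而 Kubernetes 不支持吊销单个客户端证书,因此普通用户应改用自定义 Group,并通过 RBAC 按需授权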

生成证书

# Sign test-csr.json with the cluster CA; cfssljson writes test.pem,
# test-key.pem and test.csr into the current directory.
# This reads the cluster CA private key directly, so run it only on a trusted
# control-plane host. No -config/-profile is passed, so cfssl's built-in
# default signing profile decides the validity period and key usages.
cfssl gencert \
  -ca=/etc/kubernetes/pki/ca.crt \
  -ca-key=/etc/kubernetes/pki/ca.key \
  test-csr.json \
  | cfssljson -bare test

# 执行上述命令后生成的文件如下
[root@node1 kubeconfig]# ls
test.csr  test-csr.json  test-key.pem  test.pem

往配置文件中写入集群信息

[root@node1 kubeconfig]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --server=https://192.168.202.129:6443 --kubeconfig=kube.config
Cluster "kubernetes" set.

说明:

  • --certificate-authority 指定ca证书的路径
  • --server 指定apiServer的地址
  • --embed-certs 这个参数如果是true的话,生成的kubeconfig将会内嵌证书
  • --kubeconfig参数指定配置文件

往配置文件中写入用户信息

[root@node1 kubeconfig]# kubectl config set-credentials test --client-certificate=test.pem --client-key=test-key.pem --embed-certs=true --kubeconfig=kube.config
User "test" set.

根据前面创建的集群信息和用户信息创建context

[root@node1 kubeconfig]# kubectl config set-context mycontext --cluster=kubernetes --user=test --kubeconfig=kube.config
Context "mycontext" created.

使用创建的context

[root@node1 config]# kubectl config use-context mycontext --kubeconfig=kube.config
Switched to context "mycontext".

查看生成的kube.config(其中的 client-key-data 内嵌了客户端私钥,应将该文件权限限制为仅属主可读,例如 chmod 600 kube.config,且不要提交到代码仓库)

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://192.168.202.129:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: test
  name: mycontext
current-context: mycontext
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate-data: 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
    client-key-data: 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

验证测试

package main

import (
    "context"
    "fmt"
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    "k8s.io/client-go/kubernetes"
    "k8s.io/client-go/tools/clientcmd"
    "os"
)

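// main loads a kubeconfig file from the current working directory and lists
// the pods in the "default" namespace, which confirms that the API server
// accepts the generated client certificate.
func main() {
    // The kubeconfig path is built from the working directory, so a Getwd
    // failure must stop here instead of yielding a path rooted at "".
    projectDir, err := os.Getwd()
    if err != nil {
        panic(err)
    }

    // The first argument overrides the server address stored in the kubeconfig.
    // NOTE(review): this opens a file named "kubeconfig" in the working
    // directory, while the kubectl steps wrote kube.config — confirm the file
    // was copied/renamed accordingly.
    config, err := clientcmd.BuildConfigFromFlags("https://192.168.202.129:6443", projectDir+"/kubeconfig")
    if err != nil {
        panic(err)
    }

    clientset, err := kubernetes.NewForConfig(config)
    if err != nil {
        panic(err)
    }

    // Limit caps the page size; pods beyond the first 500 are not fetched.
    result, err := clientset.CoreV1().Pods("default").List(context.TODO(), metav1.ListOptions{Limit: 500})
    if err != nil {
        panic(err)
    }

    for _, item := range result.Items {
        // \t and \n restored: the escapes had lost their backslashes, which
        // printed a literal "t"/"n" and put every pod on one line.
        fmt.Printf("namespace: %v\t name: %v\t status: %+v\n", item.Namespace, item.Name, item.Status.Phase)
    }
}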

运行代码后可以看到有结果输出

namespace: default       name: redis-client      status: Failed
namespace: default       name: redis-node-0      status: Running
namespace: default       name: redis-node-1      status: Running
namespace: default       name: redis-node-2      status: Running


参考链接

  • www.cnblogs.com/zuoyang/p/1…
  • juejin.cn/post/721299…
