创建工作目录
[root@node1 ~]# mkdir kubeconfig
[root@node1 ~]# cd kubeconfig/
[root@node1 kubeconfig]#
下载创建证书使用的工具
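# Fetch the cfssl / cfssljson release binaries and put them on PATH.
# wget saves the files without the executable bit, so they must be chmod'ed
# before they can run; the original sequence omitted that step.
# TODO: compare each download's sha256 with the checksum published for the
# R1.2 release before installing (placeholder: <EXPECTED_SHA256>).
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson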
创建客户端证书请求文件
test-csr.json
{
"CN": "test",
"hosts": [
"192.168.202.129"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "Beijing",
"L": "Beijing",
"O": "system:masters",
"OU": "system"
}
]
}
说明:
- CN表示用户名,
- hosts 表示该证书的 SAN,即使用该证书的域名或 IP 地址,
- key为加密方式,
- names 中的 O 指定该证书的 Group 为 system:masters。kubelet 使用该证书访问 kube-apiserver 时,由于证书由集群 CA 签名,所以认证(authentication)通过;又因为 system:masters 组默认绑定了 cluster-admin 角色,所以授权(authorization)也通过,持证者被授予访问所有 API 的权限。若只需要有限的权限,应使用其他 O 值并通过 RBAC 单独授权。
生成证书
# Issue the client certificate: sign test-csr.json with the cluster CA and
# let cfssljson write test.csr, test.pem and test-key.pem.
# Any certificate signed with this ca.key is accepted by kube-apiserver for
# its whole lifetime, so access to the CA key must stay tightly restricted.
cfssl gencert \
  -ca=/etc/kubernetes/pki/ca.crt \
  -ca-key=/etc/kubernetes/pki/ca.key \
  test-csr.json \
  | cfssljson -bare test
# Files produced by the command above:
[root@node1 kubeconfig]# ls
test.csr test-csr.json test-key.pem test.pem
往配置文件中写入集群信息
[root@node1 kubeconfig]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --server=https://192.168.202.129:6443 --kubeconfig=kube.config
Cluster "kubernetes" set.
说明:
- --certificate-authority 指定ca证书的路径
- --server 指定apiServer的地址
- --embed-certs 这个参数如果是 true 的话,生成的 kubeconfig 将会内嵌证书;注意此时 kube.config 中同时包含客户端私钥(client-key-data),应当作机密文件保管
- --kubeconfig参数指定配置文件
往配置文件中写入用户信息
[root@node1 kubeconfig]# kubectl config set-credentials test --client-certificate=test.pem --client-key=test-key.pem --embed-certs=true --kubeconfig=kube.config
User "test" set.
根据前面创建的集群信息和用户信息创建context
[root@node1 kubeconfig]# kubectl config set-context mycontext --cluster=kubernetes --user=test --kubeconfig=kube.config
Context "mycontext" created.
使用创建的context
[root@node1 config]# kubectl config use-context mycontext --kubeconfig=kube.config
Switched to context "mycontext".
查看生成的kube.config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 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
    server: https://192.168.202.129:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: test
  name: mycontext
current-context: mycontext
kind: Config
preferences: {}
users:
- name: test
  user:
    client-certificate-data: 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
    client-key-data: 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
验证测试
package main
import (
	"context"
	"fmt"
	"os"
	"path/filepath"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/clientcmd"
)
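// main loads a kubeconfig from the current working directory, builds a
// client-go clientset from it and prints namespace, name and phase of every
// pod in the "default" namespace. Any failure panics, as in the original.
//
// The apiserver URL given to BuildConfigFromFlags overrides the `server`
// entry of the kubeconfig; the client certificate and key are still taken
// from the kubeconfig file.
func main() {
	// The original discarded this error; a failed Getwd would otherwise
	// yield an empty directory and a misleading "file not found" later.
	projectDir, err := os.Getwd()
	if err != nil {
		panic(err)
	}
	// NOTE(review): the kubeconfig generated above is named kube.config;
	// this expects a file literally called "kubeconfig" — confirm the path.
	kubeconfigPath := filepath.Join(projectDir, "kubeconfig")
	config, err := clientcmd.BuildConfigFromFlags("https://192.168.202.129:6443", kubeconfigPath)
	if err != nil {
		panic(err)
	}
	clientset, err := kubernetes.NewForConfig(config)
	if err != nil {
		panic(err)
	}
	// Only the first 500 pods are requested; result.Continue would be needed
	// to page through a larger namespace.
	result, err := clientset.CoreV1().Pods("default").List(context.TODO(), metav1.ListOptions{Limit: 500})
	if err != nil {
		panic(err)
	}
	for _, item := range result.Items {
		// Tab separators and a trailing newline; the backslashes of the
		// escape sequences were lost in the original listing ("%vt", "%+vn").
		fmt.Printf("namespace: %v\t name: %v\t status: %+v\n", item.Namespace, item.Name, item.Status.Phase)
	}
}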
运行代码后可以看到有结果输出
namespace: default name: redis-client status: Failed
namespace: default name: redis-node-0 status: Running
namespace: default name: redis-node-1 status: Running
namespace: default name: redis-node-2 status: Running
参考链接
- www.cnblogs.com/zuoyang/p/1…
- juejin.cn/post/721299…