Configure kubectl client tools

Posted by guilhenfsu on Thu, 05 Dec 2019 11:22:09 +0100

#(1) generate client certificate and private key file on the springboard; 

#Generate client certificate signing request
cd /temp/ssl 
cat > client-csr.json <<EOF
{
        "CN": "client",
        "hosts": [],
        "key": {
                "algo": "rsa",
                "size": 2048
        },
        "names": [
                {
                        "C": "CN",
                        "ST": "Hangzhou",
                        "L": "Hangzhou",
                        "O": "k8s",
                        "OU": "System"
                }
        ]
}
EOF

#Generate client certificate
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json  -profile=kubernetes client-csr.json | cfssljson -bare client

#(2) the kubeconfig file is generated on the springboard machine, which is used by the client to authenticate with the Kube API server;

#Set cluster information
kubectl config set-cluster k8s --server="https://192.168.19.128:6443" --certificate-authority=ca.pem --embed-certs=true
#Set client information
kubectl config set-credentials client --client-certificate=client.pem --client-key=client-key.pem --embed-certs=true 
#Configure context, associate cluster and client information
kubectl config set-context client@k8s  --cluster=k8s  --user=client
#Set default context
kubectl config use-context client@k8s 
#View the configuration. By default, the config file will be generated in the ~ /. kube / directory. The kubectl tool will use the configuration file information to connect to the apiserver service
kubectl config view

#(3) authorize the kubectl user on the master; all the namespaces of clusterrole specify the specified resource operation permission; the purpose of creating clusterrolebinding is to bind the user's operation permission on the specified resource in all the namespaces; here, cluster admin is the administrator permission

kubectl create clusterrolebinding client-all-k8s1 --clusterrole=cluster-admin --user=client

#(4) verify whether resources can be created on the springboard machine

The conclusion is that resources can be obtained and created;

#(5) if you need to communicate with apiserver on other machines to create resources, you only need to copy the config file under ~ /. kube / on the springboard machine to other machines;
Use the -- kubeconfig option to specify where the configuration file is located;

kubectl get pods --kubeconfig=/root/.kube/config

Topics: Linux JSON SSL Kubernetes

Hot Topics

©2024 Programmer Think