Reference documentation

Deploying the kubectl command-line tool

1. Download and distribute the kubectl binary

Official source: kubectl download page

[root@k8s-node1 k8s_software]# pwd
/opt/k8s/k8s_software
[root@k8s-node1 k8s_software]# wget https://dl.k8s.io/v1.15.5/kubernetes-client-linux-amd64.tar.gz
--2019-10-30 00:38:35--  https://dl.k8s.io/v1.15.5/kubernetes-client-linux-amd64.tar.gz
Resolving dl.k8s.io (dl.k8s.io)... 35.201.71.162
Connecting to dl.k8s.io (dl.k8s.io)|35.201.71.162|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://storage.googleapis.com/kubernetes-release/release/v1.15.5/kubernetes-client-linux-amd64.tar.gz [following]
--2019-10-30 00:38:36--  https://storage.googleapis.com/kubernetes-release/release/v1.15.5/kubernetes-client-linux-amd64.tar.gz
Resolving storage.googleapis.com (storage.googleapis.com)... 172.217.25.16, 2404:6800:4005:809::2010
Connecting to storage.googleapis.com (storage.googleapis.com)|172.217.25.16|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13338368 (13M) [application/x-tar]
Saving to: ‘kubernetes-client-linux-amd64.tar.gz’

100%[==============================================================================================>] 13,338,368   641KB/s   in 16s    

2019-10-30 00:38:53 (802 KB/s) - ‘kubernetes-client-linux-amd64.tar.gz’ saved [13338368/13338368]

[root@k8s-node1 k8s_software]#
[root@k8s-node1 k8s_software]# ls
kubernetes-client-linux-amd64.tar.gz
[root@k8s-node1 k8s_software]# tar -zxvf kubernetes-client-linux-amd64.tar.gz 
kubernetes/
kubernetes/client/
kubernetes/client/bin/
kubernetes/client/bin/kubectl
[root@k8s-node1 k8s_software]# ls
kubernetes  kubernetes-client-linux-amd64.tar.gz
[root@k8s-node1 k8s_software]# cd kubernetes
[root@k8s-node1 kubernetes]# ls
client
[root@k8s-node1 kubernetes]# cd client/
[root@k8s-node1 client]# ls
bin
[root@k8s-node1 client]# cd bin
[root@k8s-node1 bin]# ls
kubectl
[root@k8s-node1 bin]# pwd
/opt/k8s/k8s_software/kubernetes/client/bin
[root@k8s-node1 bin]#

2. Distribute it to all nodes and make sure it is executable

[root@k8s-node1 k8s_software]# cp kubernetes/client/bin/kubectl /opt/k8s/bin/
[root@k8s-node1 k8s_software]# chmod +x /opt/k8s/bin
[root@k8s-node1 k8s_software]# scp kubernetes/client/bin/kubectl root@k8s-node2:/opt/k8s/bin/
kubectl  
[root@k8s-node1 k8s_software]# ssh k8s-node2 "chmod +x /opt/k8s/bin/*"
[root@k8s-node1 k8s_software]# scp kubernetes/client/bin/kubectl root@k8s-node3:/opt/k8s/bin/
kubectl                                                                                               100%   41MB 103.8MB/s   00:00    
[root@k8s-node1 k8s_software]# ssh k8s-node3 "chmod +x /opt/k8s/bin/*"
[root@k8s-node1 k8s_software]#

3. Create the admin certificate and key

kubectl talks to the apiserver over the HTTPS secure port; the apiserver authenticates and authorizes the certificate kubectl presents.

As the cluster's management tool, kubectl needs to be granted the highest privileges, so here we create an admin certificate that carries those privileges.

Create the certificate signing request

O is system:masters; when kube-apiserver receives this certificate it sets the requesting Group to system:masters.

The predefined ClusterRoleBinding cluster-admin binds Group system:masters to Role cluster-admin, and that Role grants permission on every API.

This certificate is only ever used by kubectl as a client certificate, so the hosts field is empty.

[root@k8s-node1 kubectl]# pwd
/opt/k8s/k8s_software/kubectl
[root@k8s-node1 kubectl]# cat admin-csr.json 
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "SZ",
      "L": "SZ",
      "O": "system:masters",
      "OU": "4Paradigm"
    }
  ]
}
[root@k8s-node1 kubectl]# 

Generate the certificate and key

[root@k8s-node1 kubectl]# cfssl gencert -ca=/etc/kubernetes/cert/ca.pem -ca-key=/etc/kubernetes/cert/ca-key.pem -config=/etc/kubernetes/cert/ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
2019/10/30 02:06:24 [INFO] generate received request
2019/10/30 02:06:24 [INFO] received CSR
2019/10/30 02:06:24 [INFO] generating key: rsa-2048
2019/10/30 02:06:24 [INFO] encoded CSR
2019/10/30 02:06:24 [INFO] signed certificate with serial number 368978383376795956608149123600782369631080400831
2019/10/30 02:06:24 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@k8s-node1 kubectl]# ls
admin.csr  admin-csr.json  admin-key.pem  admin.pem

4. Create the kubeconfig file

kubeconfig is the configuration file kubectl reads. It holds everything needed to reach the apiserver: the apiserver address, the CA certificate, and the client certificate kubectl itself uses.

Generate it with the kubectl config commands

Read the environment variables
[root@k8s-node1 kubectl]# source /opt/k8s/bin/environment.sh
Set the cluster parameters: the cluster is named kubernetes, the CA certificate is ca.pem (mind the path), and the cluster address is ${KUBE_APISERVER}, which is read from the environment variables.
[root@k8s-node1 kubectl]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=kubectl.kubeconfig
Cluster "kubernetes" set.
Set the client credentials; admin is the user name.
[root@k8s-node1 kubectl]# kubectl config set-credentials admin --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true --kubeconfig=kubectl.kubeconfig
User "admin" set.
Set the context parameters, naming the cluster and the user.
[root@k8s-node1 kubectl]# kubectl config set-context kubernetes --cluster=kubernetes --user=admin --kubeconfig=kubectl.kubeconfig
Context "kubernetes" created.
Set the default context.
[root@k8s-node1 kubectl]# kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig
Switched to context "kubernetes".
[root@k8s-node1 kubectl]#

--certificate-authority: the root certificate used to verify the kube-apiserver certificate.

--client-certificate and --client-key: the admin certificate and private key just generated, used when connecting to kube-apiserver.

--embed-certs=true: embeds the contents of ca.pem and admin.pem into the generated kubectl.kubeconfig (without it, only the certificate file paths are written).

5. Distribute the kubectl.kubeconfig file

By default kubectl reads the kube-apiserver address, certificates, user name and so on from ~/.kube/config.

The path and file name must be exactly ~/.kube/config.

Mind the destination path: it must be this path, and if it does not exist yet, create it by hand.

[root@k8s-node1 kubectl]# cp kubectl.kubeconfig ~/.kube
[root@k8s-node1 kubectl]# ssh k8s-node2 "mkdir .kube"
[root@k8s-node1 kubectl]# scp kubectl.kubeconfig root@k8s-node2:~/.kube
kubectl.kubeconfig                                                                                    100% 6211     5.6MB/s   00:00   
[root@k8s-node1 kubectl]# ssh k8s-node3 "mkdir .kube" 
[root@k8s-node1 kubectl]# scp kubectl.kubeconfig root@k8s-node3:~/.kube
kubectl.kubeconfig                                                                                    100% 6211     4.1MB/s   00:00    
[root@k8s-node1 kubectl]#

The file name also has to be changed.

[root@k8s-node1 .kube]# pwd
/root/.kube
[root@k8s-node1 .kube]# ls
kubectl.kubeconfig
[root@k8s-node1 .kube]# mv kubectl.kubeconfig config
[root@k8s-node1 .kube]# ls
config
[root@k8s-node1 .kube]#
[root@k8s-node1 kubectl]# ssh k8s-node2 "mv ~/.kube/kubectl.kubeconfig ~/.kube/config"
[root@k8s-node1 kubectl]# ssh k8s-node3 "mv ~/.kube/kubectl.kubeconfig ~/.kube/config"
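Steps 3 to 5 above as one script, added here as an example and not part of the original post. It assumes the post's paths (/etc/kubernetes/cert, /opt/k8s/bin/environment.sh providing KUBE_APISERVER, the node names) and GNU stat; because the generated file embeds the admin private key, it also adds the check a practitioner would want, that the kubeconfig is mode 600 and really carries embedded data rather than file paths. Nothing runs until RUN_DEPLOY=1 is set.

```shell
#!/bin/bash
# Added example: the post's steps 3-5 scripted, with a kubeconfig check.
set -eu

CERT_DIR=/etc/kubernetes/cert          # CA files, as in the post
WORK_DIR=/opt/k8s/k8s_software/kubectl # where admin-csr.json is written
NODES="k8s-node2 k8s-node3"            # other nodes, as in the post

# Write the CSR from the post: empty hosts (client cert only) and
# O=system:masters, which kube-apiserver maps to the cluster-admin group.
make_admin_csr() {
  cat >"$1" <<'EOF'
{ "CN": "admin", "hosts": [], "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "SZ", "L": "SZ",
               "O": "system:masters", "OU": "4Paradigm" } ] }
EOF
}

# The kubeconfig holds the admin private key: it must be a private file
# (mode 600), select the kubernetes context, and embed key data, not paths.
check_kubeconfig() {
  local f="$1" mode
  mode=$(stat -c '%a' "$f")                          # GNU stat (Linux)
  [ "$mode" = "600" ] || { echo "$f: mode $mode, want 600" >&2; return 1; }
  grep -q '^current-context: kubernetes$' "$f" || { echo "$f: wrong current-context" >&2; return 1; }
  grep -q 'client-key-data:' "$f" || { echo "$f: key not embedded" >&2; return 1; }
  grep -q 'client-key:' "$f" && { echo "$f: key referenced by path" >&2; return 1; }
  return 0
}

main() {
  cd "$WORK_DIR"
  make_admin_csr admin-csr.json
  cfssl gencert -ca="$CERT_DIR/ca.pem" -ca-key="$CERT_DIR/ca-key.pem" \
    -config="$CERT_DIR/ca-config.json" -profile=kubernetes admin-csr.json | cfssljson -bare admin
  . /opt/k8s/bin/environment.sh                      # provides KUBE_APISERVER
  kubectl config set-cluster kubernetes --certificate-authority="$CERT_DIR/ca.pem" \
    --embed-certs=true --server="$KUBE_APISERVER" --kubeconfig=kubectl.kubeconfig
  kubectl config set-credentials admin --client-certificate=admin.pem \
    --client-key=admin-key.pem --embed-certs=true --kubeconfig=kubectl.kubeconfig
  kubectl config set-context kubernetes --cluster=kubernetes --user=admin --kubeconfig=kubectl.kubeconfig
  kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig
  chmod 600 kubectl.kubeconfig && check_kubeconfig kubectl.kubeconfig
  mkdir -p ~/.kube && install -m 600 kubectl.kubeconfig ~/.kube/config   # name must be "config"
  for n in $NODES; do                                # same path and name on every node
    ssh "root@$n" 'mkdir -p ~/.kube' && scp kubectl.kubeconfig "root@$n:~/.kube/config"
    ssh "root@$n" 'chmod 600 ~/.kube/config'
  done
}
if [ "${RUN_DEPLOY:-0}" = 1 ]; then main; fi
```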

6. Testing and errors you may see

Test: run the command shown below:

[root@k8s-node1 kubectl]# kubectl get all
Unable to connect to the server: dial tcp 192.168.174.127:8443: connect: no route to host
[root@k8s-node1 kubectl]#

The cluster is not fully built yet, so "no route to host" is expected; ignore it.

Possible error: if the file name or the path is wrong, you get the error below.

$ kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?

The other two nodes have no persistent PATH entry yet, so they report an error

[root@k8s-node2 ~]# kubectl get all
-bash: kubectl: command not found

Adding the path and the execute permission fixes it

[root@k8s-node2 ~]# echo "export PATH=/opt/k8s/bin:$PATH" >>.bashrc
[root@k8s-node2 ~]# source .bashrc
[root@k8s-node2 ~]# chmod +x /opt/k8s/bin/*