kube-apiserver default configuration
Let's look at some of kube-apiserver's startup configuration options and confirm where they are stored.
```
[root@CentOS7-Node1 manifests]# ll
total 16
-rw-------. 1 root root 1759 Dec 10 12:15 etcd.yaml
-rw-------. 1 root root 2602 Dec 10 12:15 kube-apiserver.yaml
-rw-------. 1 root root 2531 Dec 10 12:15 kube-controller-manager.yaml
-rw-------. 1 root root 1119 Dec 10 12:15 kube-scheduler.yaml
[root@CentOS7-Node1 manifests]# pwd
/etc/kubernetes/manifests
```
The options can be read directly from the yaml file.
```
[root@CentOS7-Node1 manifests]
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.211.55.7
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: k8s.gcr.io/kube-apiserver:v1.16.0
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 10.211.55.7
        path: /healthz
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: kube-apiserver
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/pki
      name: etc-pki
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
  hostNetwork: true
  priorityClassName: system-cluster-critical
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/pki
      type: DirectoryOrCreate
    name: etc-pki
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
status: {}
```
We notice the following three startup parameters:
- `--client-ca-file`: specifies the CA root certificate file, /etc/kubernetes/pki/ca.pem; the built-in CA public key is used to verify whether a given certificate was issued by this CA.
- `--tls-private-key-file`: specifies the API server private key file, /etc/kubernetes/pki/apiserver-key.pem
- `--tls-cert-file`: specifies the API server certificate file, /etc/kubernetes/pki/apiserver.pem
Getting the nodes directly
Using the default CA authentication, let's try to view pod information from another node and fetch the master node's pod information directly.
```
[root@CentOS7-Node2 Workspace]# kubectl --server=https://10.211.55.7:6443 get nodes
Please enter Username: # A username is prompted for here, but we do not know what the username is
```
Via CA authentication
Next we try the default CA authentication. First, copy the CA files from the master node to our other node.
```
scp /etc/kubernetes/pki/ca.crt root@10.211.55.8:/home/parallels/Workspace/
scp /etc/kubernetes/pki/apiserver-kubelet-client.crt root@10.211.55.8:/home/parallels/Workspace/
scp /etc/kubernetes/pki/apiserver-kubelet-client.key root@10.211.55.8:/home/parallels/Workspace/
```
Access the API server by setting `certificate-authority`, `client-certificate` and `client-key`.
```
[root@CentOS7-Node2 Workspace]# kubectl --server=https://10.211.55.7:6443 \
  --certificate-authority=/home/parallels/Workspace/ca.crt \
  --client-certificate=/home/parallels/Workspace/apiserver-kubelet-client.crt \
  --client-key=/home/parallels/Workspace/apiserver-kubelet-client.key \
  get nodes
NAME            STATUS   ROLES    AGE     VERSION
centos7-node1   Ready    master   5h28m   v1.16.2
centos7-node2   Ready    <none>   149m    v1.16.2
```
Success!
Reference:
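Why the copied key pair works, as an added example that is not part of the original post: with `--client-ca-file` set, kube-apiserver accepts any client certificate that chains to that CA, then maps the subject CN to a username and each subject O to a group, and RBAC treats the `system:masters` group as cluster-admin. The script assumes the kubeadm default (not shown on the page) that apiserver-kubelet-client.crt is issued with O=system:masters, and builds constructed demo certificates with openssl so it runs offline; the rogue.crt case shows that a look-alike certificate from another CA is rejected.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces how kube-apiserver
# treats a client certificate under --client-ca-file: the chain must validate
# against that CA, then subject CN -> username and each subject O -> group.
# Assumption (kubeadm default): apiserver-kubelet-client.crt has O=system:masters,
# so any copy of that key pair is a cluster-admin credential.
set -eu

# Print "user=<CN> groups=<O,...>" for a PEM certificate (subject mapping only).
k8s_identity_from_cert() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
      | sed -n 's/^ *\([A-Za-z]*\) *= *\(.*\)$/\1=\2/p' \
      | awk -F= '$1=="CN"&&u==""{u=$2} $1=="O"{g=g (g==""?"":",") $2}
                 END{print "user=" u " groups=" g}'
}

# Mirror the trust check: succeed only if the cert chains to the given CA file.
apiserver_trusts_cert() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Defender check: a cert mapping to system:masters is cluster-admin regardless of bindings.
cert_is_cluster_admin() {
    k8s_identity_from_cert "$1" | grep -Eq 'groups=([^ ]*,)?system:masters(,|$)'
}

# Constructed demo material: a cluster CA, a kubeadm-style client cert signed
# by it, and a look-alike self-signed cert with the same subject (rogue CA).
make_demo_certs() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kubernetes" \
      -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=kube-apiserver-kubelet-client/O=system:masters" \
      -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=kube-apiserver-kubelet-client/O=system:masters" \
      -keyout "$d/rogue.key" -out "$d/rogue.crt" 2>/dev/null
    printf '%s\n' "$d"
}

DEMO_DIR=$(make_demo_certs)
for c in client rogue; do
    if apiserver_trusts_cert "$DEMO_DIR/ca.crt" "$DEMO_DIR/$c.crt"; then
        printf '%s.crt: trusted, %s\n' "$c" "$(k8s_identity_from_cert "$DEMO_DIR/$c.crt")"
        cert_is_cluster_admin "$DEMO_DIR/$c.crt" && echo "  -> maps to system:masters"
    else
        printf '%s.crt: rejected (does not chain to ca.crt)\n' "$c"
    fi
done
```

Running `k8s_identity_from_cert` over every .crt under /etc/kubernetes/pki gives an inventory of which on-disk files are effectively cluster-admin credentials and therefore need the same protection as the CA key.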