前提条件:
1、创建一个阿里云kubernetes集群。
2、拥有登陆到master的ssh权限。
阿里云集群证书使用cfssl安装部署。
制作经过集群ca证书签署的客户端证书:test.crt
然后,先登陆到master上,在/etc/kubernetes/pki/目录下找到集群的ca证书:ca.crt。使用命令:openssl x509 -in /etc/kubernetes/pki/ca.crt -text -noout 获取制作签署证书的请求文件的相关配置信息
openssl x509 -in /etc/kubernetes/pki/ca.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 763442 (0xba632)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba, OU=ACS, CN=root
Validity
Not Before: Nov 5 09:07:00 2018 GMT
Not After : Oct 31 09:12:25 2038 GMT
Subject: O=xxx, OU=default, CN=xxx
签发Client Certificate:
cfssl print-defaults csr > admin-csr.json 获取模版
cat admin-csr.json
{
"CN": "example.net",
"hosts": [
"example.net",
"www.example.net"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}
修改成对应的json文件
{
"CN": "test", #kubeconfig访问时的name,这里设置为test
"hosts": [],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "CN", #跟上面从ca.crt中获取的保持一致。
"L": "HangZhou",
"ST": "ZheJiang"
}
]
}
生成集群签署的客户端证书
命令:cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -profile=kubernetes admin-csr.json | cfssljson -bare test
结果:
2018/11/08 11:38:37 [INFO] generate received request
2018/11/08 11:38:37 [INFO] received CSR
2018/11/08 11:38:37 [INFO] generating key: ecdsa-256
2018/11/08 11:38:37 [INFO] encoded CSR
2018/11/08 11:38:37 [INFO] signed certificate with serial number 304546120737391319875079966613142481233317700840
2018/11/08 11:38:37 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@iZuf6d10hr1jufgj6yy9o5Z test]# ls
admin-csr.json test.csr test-key.pem test.pem
test.pem和test-key.pem就是CA授权的客户端证书
制作kubeconfig,参考文档:k8s官网 新建一个config文件,内容如下:
apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
name: example
users:
- name: example
contexts:
- context:
name: example
执行命令:
kubectl config --kubeconfig=config set-cluster test-cluster --server=https://1.2.3.4 --certificate-authority=ca.crt
kubectl config --kubeconfig=config set-credentials test --client-certificate=test.pem --client-key=test-key.pem
kubectl config --kubeconfig=config set-context test-context --cluster=test-cluster --user=test
查看config
将kubeconfig需要的证书拷贝到自己的ecs上,放在 $HOME/.kube/目录下 。或者将证书转换成base64编码,将config中certificate-authority、client-certificate、client-key修改成certificate-authority-data、client-certificate-data、client-key-data然后配置
base64后的证书信息
直接访问集群结果:
#kubectl get node
Error from server (Forbidden): nodes is forbidden: User "test" cannot list nodes at the cluster scope
需要将给test用户绑定clusterrolebinding,然后再访问集群。
命令:kubectl create clusterrolebinding test-clusterrolebinding --clusterrole=cs:admin --user=test
然后再访问集群就可以了。