修改kube-controller-manager和kube-scheduler使用证书访问kube-apiserver

pull/804/head
gjmzj 2020-01-29 18:05:58 +08:00
parent b16520704a
commit 4a56116b19
10 changed files with 57 additions and 48 deletions


@ -16,7 +16,7 @@
--kubeconfig={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig" --kubeconfig={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig"
- name: 设置认证参数 - name: 设置认证参数
shell: "{{ base_dir }}/bin/kubectl config set-credentials kube-controller-manager \ shell: "{{ base_dir }}/bin/kubectl config set-credentials system:kube-controller-manager \
--client-certificate={{ base_dir }}/.cluster/ssl/kube-controller-manager.pem \ --client-certificate={{ base_dir }}/.cluster/ssl/kube-controller-manager.pem \
--client-key={{ base_dir }}/.cluster/ssl/kube-controller-manager-key.pem \ --client-key={{ base_dir }}/.cluster/ssl/kube-controller-manager-key.pem \
--embed-certs=true \ --embed-certs=true \
@ -25,7 +25,7 @@
- name: 设置上下文参数 - name: 设置上下文参数
shell: "{{ base_dir }}/bin/kubectl config set-context default \ shell: "{{ base_dir }}/bin/kubectl config set-context default \
--cluster=kubernetes \ --cluster=kubernetes \
--user=kube-controller-manager \ --user=system:kube-controller-manager \
--kubeconfig={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig" --kubeconfig={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig"
- name: 选择默认上下文 - name: 选择默认上下文
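Review bot: The name given to `set-credentials` and `--user=` (lines 14 and 22) is only the local kubeconfig entry name; the identity the apiserver authenticates and authorizes comes from the client certificate's CN and O, so this rename changes nothing about RBAC on its own. A comment above the task would keep the next reader from assuming the rename grants access: `# entry name only; the API identity is the cert CN/O from kube-controller-manager-csr.json`. The kube-scheduler kubeconfig section below has the same pattern. The `set-cluster` step that fixes this kubeconfig's `--server` sits above the hunk; if it points at the load balancer rather than the local apiserver, the control-plane components now depend on the LB being reachable, which is worth a deliberate decision and a comment.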


@ -16,7 +16,7 @@
--kubeconfig={{ base_dir }}/.cluster/kube-scheduler.kubeconfig" --kubeconfig={{ base_dir }}/.cluster/kube-scheduler.kubeconfig"
- name: 设置认证参数 - name: 设置认证参数
shell: "{{ base_dir }}/bin/kubectl config set-credentials kube-scheduler \ shell: "{{ base_dir }}/bin/kubectl config set-credentials system:kube-scheduler \
--client-certificate={{ base_dir }}/.cluster/ssl/kube-scheduler.pem \ --client-certificate={{ base_dir }}/.cluster/ssl/kube-scheduler.pem \
--client-key={{ base_dir }}/.cluster/ssl/kube-scheduler-key.pem \ --client-key={{ base_dir }}/.cluster/ssl/kube-scheduler-key.pem \
--embed-certs=true \ --embed-certs=true \
@ -25,7 +25,7 @@
- name: 设置上下文参数 - name: 设置上下文参数
shell: "{{ base_dir }}/bin/kubectl config set-context default \ shell: "{{ base_dir }}/bin/kubectl config set-context default \
--cluster=kubernetes \ --cluster=kubernetes \
--user=kube-scheduler \ --user=system:kube-scheduler \
--kubeconfig={{ base_dir }}/.cluster/kube-scheduler.kubeconfig" --kubeconfig={{ base_dir }}/.cluster/kube-scheduler.kubeconfig"
- name: 选择默认上下文 - name: 选择默认上下文


@ -10,7 +10,7 @@
"C": "CN", "C": "CN",
"ST": "HangZhou", "ST": "HangZhou",
"L": "XS", "L": "XS",
"O": "k8s", "O": "system:kube-controller-manager",
"OU": "System" "OU": "System"
} }
] ]
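Review bot: Setting `O` to `system:kube-controller-manager` makes that a group name, but the default ClusterRoleBinding of the same name binds the User `system:kube-controller-manager`, i.e. the certificate's CN; the CN field is above this hunk and not visible here, so it needs to be confirmed as `system:kube-controller-manager` (likewise `system:kube-scheduler` for the next file). Because these components no longer use the unauthenticated localhost port, RBAC is now enforced for them, and a CN mismatch would only surface as 403 responses at runtime rather than at deploy time. A template comment would document the dependency: `{# CN is the RBAC subject matched by the default ClusterRoleBinding; O only adds a group #}`.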


@ -10,7 +10,7 @@
"C": "CN", "C": "CN",
"ST": "HangZhou", "ST": "HangZhou",
"L": "XS", "L": "XS",
"O": "k8s", "O": "system:kube-scheduler",
"OU": "System" "OU": "System"
} }
] ]


@ -19,7 +19,6 @@ ExecStart={{ bin_dir }}/kube-apiserver \
--etcd-certfile={{ ca_dir }}/kubernetes.pem \ --etcd-certfile={{ ca_dir }}/kubernetes.pem \
--etcd-keyfile={{ ca_dir }}/kubernetes-key.pem \ --etcd-keyfile={{ ca_dir }}/kubernetes-key.pem \
--etcd-servers={{ ETCD_ENDPOINTS }} \ --etcd-servers={{ ETCD_ENDPOINTS }} \
--insecure-bind-address=127.0.0.1 \
--kubelet-https=true \ --kubelet-https=true \
--kubelet-client-certificate={{ ca_dir }}/admin.pem \ --kubelet-client-certificate={{ ca_dir }}/admin.pem \
--kubelet-client-key={{ ca_dir }}/admin-key.pem \ --kubelet-client-key={{ ca_dir }}/admin-key.pem \
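Review bot: Removing `--insecure-bind-address=127.0.0.1` does not close the unauthenticated localhost listener: 127.0.0.1 is already that flag's default, and whether the port is served is governed by `--insecure-port`, which on the kube-apiserver releases current at this commit's date defaults to 8080 and bypasses authentication and RBAC. Now that controller-manager and scheduler authenticate with certificates, nothing in this change needs the insecure port, so `--insecure-port=0 \` is the line that actually removes the bypass; anything else on the master that still talks to 127.0.0.1:8080 would surface then. The ExecStart command continues above and below the hunk.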


@ -5,17 +5,18 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service] [Service]
ExecStart={{ bin_dir }}/kube-controller-manager \ ExecStart={{ bin_dir }}/kube-controller-manager \
--address=127.0.0.1 \ --address=127.0.0.1 \
--master=http://127.0.0.1:8080 \
--allocate-node-cidrs=true \ --allocate-node-cidrs=true \
--service-cluster-ip-range={{ SERVICE_CIDR }} \
--cluster-cidr={{ CLUSTER_CIDR }} \ --cluster-cidr={{ CLUSTER_CIDR }} \
--cluster-name=kubernetes \ --cluster-name=kubernetes \
--cluster-signing-cert-file={{ ca_dir }}/ca.pem \ --cluster-signing-cert-file={{ ca_dir }}/ca.pem \
--cluster-signing-key-file={{ ca_dir }}/ca-key.pem \ --cluster-signing-key-file={{ ca_dir }}/ca-key.pem \
--node-cidr-mask-size={{ NODE_CIDR_LEN }} \ --kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig \
--service-account-private-key-file={{ ca_dir }}/ca-key.pem \
--root-ca-file={{ ca_dir }}/ca.pem \
--leader-elect=true \ --leader-elect=true \
--node-cidr-mask-size={{ NODE_CIDR_LEN }} \
--root-ca-file={{ ca_dir }}/ca.pem \
--service-account-private-key-file={{ ca_dir }}/ca-key.pem \
--service-cluster-ip-range={{ SERVICE_CIDR }} \
--use-service-account-credentials=true \
--v=2 --v=2
Restart=always Restart=always
RestartSec=5 RestartSec=5
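Review bot: `--use-service-account-credentials=true` (line 97) changes the authorization model — each controller loop now authenticates as its own `system:controller:*` service account instead of the controller-manager's client certificate — which is a sound least-privilege move but is not mentioned in the commit message and relies on `--root-ca-file` and `--service-account-private-key-file` being set (they are, lines 94–95); a comment in the template would preserve that intent: `# each controller runs as its own system:controller:* SA (least privilege); needs root-ca-file + service-account-private-key-file`. Separately, `--kubeconfig` hardcodes `/etc/kubernetes/` while every other path in ExecStart goes through `{{ ca_dir }}` or `{{ bin_dir }}`; if the role has a variable for that directory it should be used here and in the matching copy task, and the kube-scheduler unit in the next file has the same hardcoded path. The unit otherwise continues above the hunk.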


@ -5,7 +5,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
[Service] [Service]
ExecStart={{ bin_dir }}/kube-scheduler \ ExecStart={{ bin_dir }}/kube-scheduler \
--address=127.0.0.1 \ --address=127.0.0.1 \
--master=http://127.0.0.1:8080 \ --kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \
--leader-elect=true \ --leader-elect=true \
--v=2 --v=2
Restart=always Restart=always


@ -0,0 +1,34 @@
- name: 准备kubelet 证书签名请求
template: src=kubelet-csr.json.j2 dest={{ ca_dir }}/kubelet-csr.json
- name: 创建 kubelet 证书与私钥
shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert \
-ca={{ ca_dir }}/ca.pem \
-ca-key={{ ca_dir }}/ca-key.pem \
-config={{ ca_dir }}/ca-config.json \
-profile=kubernetes kubelet-csr.json | {{ bin_dir }}/cfssljson -bare kubelet"
# 创建kubelet.kubeconfig
- name: 设置集群参数
shell: "{{ bin_dir }}/kubectl config set-cluster kubernetes \
--certificate-authority={{ ca_dir }}/ca.pem \
--embed-certs=true \
--server={{ KUBE_APISERVER }} \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
- name: 设置客户端认证参数
shell: "{{ bin_dir }}/kubectl config set-credentials system:node:{{ inventory_hostname }} \
--client-certificate={{ ca_dir }}/kubelet.pem \
--embed-certs=true \
--client-key={{ ca_dir }}/kubelet-key.pem \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
- name: 设置上下文参数
shell: "{{ bin_dir }}/kubectl config set-context default \
--cluster=kubernetes \
--user=system:node:{{ inventory_hostname }} \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
- name: 选择默认上下文
shell: "{{ bin_dir }}/kubectl config use-context default \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
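Review bot: The certificate-generation task (lines 119–123) is a shell pipeline run under Ansible's default `/bin/sh`, so the task result is only the exit status of `cfssljson`; a failure inside `cfssl gencert` (for example a bad CSR template) may be masked and leave stale kubelet.pem files behind. Since this is a new file, it is a good moment to make it fail closed with `args: executable: /bin/bash` and `set -o pipefail &&` at the start of the command, or by splitting the two commands and checking the first. The kubeconfig user `system:node:{{ inventory_hostname }}` (lines 132 and 140) only takes effect if kubelet-csr.json.j2, not shown here, sets the same CN and O=system:nodes for the Node authorizer — worth a one-line comment above the `set-credentials` task. The file also lacks a `---` document start, which yamllint flags; the content itself is a verbatim move from the task list below.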


@ -27,41 +27,8 @@
line: " server: {{ KUBE_APISERVER }}" line: " server: {{ KUBE_APISERVER }}"
##----------kubelet 配置部分-------------- ##----------kubelet 配置部分--------------
# 创建 kubelet 相关证书及 kubelet.kubeconfig
- name: 准备kubelet 证书签名请求 - import_tasks: create-kubelet-kubeconfig.yml
template: src=kubelet-csr.json.j2 dest={{ ca_dir }}/kubelet-csr.json
- name: 创建 kubelet 证书与私钥
shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert \
-ca={{ ca_dir }}/ca.pem \
-ca-key={{ ca_dir }}/ca-key.pem \
-config={{ ca_dir }}/ca-config.json \
-profile=kubernetes kubelet-csr.json | {{ bin_dir }}/cfssljson -bare kubelet"
# 创建kubelet.kubeconfig
- name: 设置集群参数
shell: "{{ bin_dir }}/kubectl config set-cluster kubernetes \
--certificate-authority={{ ca_dir }}/ca.pem \
--embed-certs=true \
--server={{ KUBE_APISERVER }} \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
- name: 设置客户端认证参数
shell: "{{ bin_dir }}/kubectl config set-credentials system:node:{{ inventory_hostname }} \
--client-certificate={{ ca_dir }}/kubelet.pem \
--embed-certs=true \
--client-key={{ ca_dir }}/kubelet-key.pem \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
- name: 设置上下文参数
shell: "{{ bin_dir }}/kubectl config set-context default \
--cluster=kubernetes \
--user=system:node:{{ inventory_hostname }} \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
- name: 选择默认上下文
shell: "{{ bin_dir }}/kubectl config use-context default \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
- name: 准备 cni配置文件 - name: 准备 cni配置文件
template: src=cni-default.conf.j2 dest=/etc/cni/net.d/10-default.conf template: src=cni-default.conf.j2 dest=/etc/cni/net.d/10-default.conf


@ -58,4 +58,12 @@
- name: 分发 kube-proxy.kubeconfig配置文件 - name: 分发 kube-proxy.kubeconfig配置文件
copy: src={{ base_dir }}/.cluster/kube-proxy.kubeconfig dest=/etc/kubernetes/kube-proxy.kubeconfig copy: src={{ base_dir }}/.cluster/kube-proxy.kubeconfig dest=/etc/kubernetes/kube-proxy.kubeconfig
- name: 分发 kube-controller-manager.kubeconfig配置文件
copy: src={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig dest=/etc/kubernetes/kube-controller-manager.kubeconfig
when: "inventory_hostname in groups['kube-master']"
- name: 分发 kube-scheduler.kubeconfig配置文件
copy: src={{ base_dir }}/.cluster/kube-scheduler.kubeconfig dest=/etc/kubernetes/kube-scheduler.kubeconfig
when: "inventory_hostname in groups['kube-master']"
when: "inventory_hostname in groups['kube-master'] or inventory_hostname in groups['kube-node']" when: "inventory_hostname in groups['kube-master'] or inventory_hostname in groups['kube-node']"
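Review bot: The two new copy tasks (lines 189–194) install kubeconfig files that carry an embedded client private key (`--embed-certs=true` in the kubeconfig tasks) without `mode:` or `owner:`, so the permissions on the master depend on the remote umask and will commonly end up world-readable (0644); add `mode: "0600"` (and `owner: root` if the units run as root) to both tasks. The existing kube-proxy.kubeconfig copy above has the same gap, though it predates this change. The `when:` on the last line belongs to a task outside the hunk.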