修改kube-controller-manager和kube-scheduler使用证书访问kube-apiserver

roles/deploy/tasks/create-kube-controller-manager-kubeconfig.yml

@@ -16,7 +16,7 @@
         --kubeconfig={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig"
 
 - name: 设置认证参数
-  shell: "{{ base_dir }}/bin/kubectl config set-credentials kube-controller-manager \
+  shell: "{{ base_dir }}/bin/kubectl config set-credentials system:kube-controller-manager \
         --client-certificate={{ base_dir }}/.cluster/ssl/kube-controller-manager.pem \
         --client-key={{ base_dir }}/.cluster/ssl/kube-controller-manager-key.pem \
         --embed-certs=true \
@@ -25,7 +25,7 @@
 - name: 设置上下文参数
   shell: "{{ base_dir }}/bin/kubectl config set-context default \
         --cluster=kubernetes \
-        --user=kube-controller-manager \
+        --user=system:kube-controller-manager \
         --kubeconfig={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig"
 
 - name: 选择默认上下文

roles/deploy/tasks/create-kube-scheduler-kubeconfig.yml

@@ -16,7 +16,7 @@
         --kubeconfig={{ base_dir }}/.cluster/kube-scheduler.kubeconfig"
 
 - name: 设置认证参数
-  shell: "{{ base_dir }}/bin/kubectl config set-credentials kube-scheduler \
+  shell: "{{ base_dir }}/bin/kubectl config set-credentials system:kube-scheduler \
         --client-certificate={{ base_dir }}/.cluster/ssl/kube-scheduler.pem \
         --client-key={{ base_dir }}/.cluster/ssl/kube-scheduler-key.pem \
         --embed-certs=true \
@@ -25,7 +25,7 @@
 - name: 设置上下文参数
   shell: "{{ base_dir }}/bin/kubectl config set-context default \
         --cluster=kubernetes \
-        --user=kube-scheduler \
+        --user=system:kube-scheduler \
         --kubeconfig={{ base_dir }}/.cluster/kube-scheduler.kubeconfig"
 
 - name: 选择默认上下文

roles/deploy/templates/kube-controller-manager-csr.json.j2

@@ -10,7 +10,7 @@
       "C": "CN",
       "ST": "HangZhou",
       "L": "XS",
-      "O": "k8s",
+      "O": "system:kube-controller-manager",
       "OU": "System"
     }
   ]

roles/deploy/templates/kube-scheduler-csr.json.j2

@@ -10,7 +10,7 @@
       "C": "CN",
       "ST": "HangZhou",
       "L": "XS",
-      "O": "k8s",
+      "O": "system:kube-scheduler",
       "OU": "System"
     }
   ]

roles/kube-master/templates/kube-apiserver.service.j2

@@ -19,7 +19,6 @@ ExecStart={{ bin_dir }}/kube-apiserver \
   --etcd-certfile={{ ca_dir }}/kubernetes.pem \
   --etcd-keyfile={{ ca_dir }}/kubernetes-key.pem \
   --etcd-servers={{ ETCD_ENDPOINTS }} \
-  --insecure-bind-address=127.0.0.1 \
   --kubelet-https=true \
   --kubelet-client-certificate={{ ca_dir }}/admin.pem \
   --kubelet-client-key={{ ca_dir }}/admin-key.pem \

roles/kube-master/templates/kube-controller-manager.service.j2

@@ -5,17 +5,18 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 [Service]
 ExecStart={{ bin_dir }}/kube-controller-manager \
   --address=127.0.0.1 \
-  --master=http://127.0.0.1:8080 \
   --allocate-node-cidrs=true \
-  --service-cluster-ip-range={{ SERVICE_CIDR }} \
   --cluster-cidr={{ CLUSTER_CIDR }} \
   --cluster-name=kubernetes \
   --cluster-signing-cert-file={{ ca_dir }}/ca.pem \
   --cluster-signing-key-file={{ ca_dir }}/ca-key.pem \
-  --node-cidr-mask-size={{ NODE_CIDR_LEN }} \
-  --service-account-private-key-file={{ ca_dir }}/ca-key.pem \
-  --root-ca-file={{ ca_dir }}/ca.pem \
+  --kubeconfig=/etc/kubernetes/kube-controller-manager.kubeconfig \
   --leader-elect=true \
+  --node-cidr-mask-size={{ NODE_CIDR_LEN }} \
+  --root-ca-file={{ ca_dir }}/ca.pem \
+  --service-account-private-key-file={{ ca_dir }}/ca-key.pem \
+  --service-cluster-ip-range={{ SERVICE_CIDR }} \
+  --use-service-account-credentials=true \
   --v=2
 Restart=always
 RestartSec=5

roles/kube-master/templates/kube-scheduler.service.j2

@@ -5,7 +5,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 [Service]
 ExecStart={{ bin_dir }}/kube-scheduler \
   --address=127.0.0.1 \
-  --master=http://127.0.0.1:8080 \
+  --kubeconfig=/etc/kubernetes/kube-scheduler.kubeconfig \
   --leader-elect=true \
   --v=2
 Restart=always

roles/kube-node/tasks/create-kubelet-kubeconfig.yml

@@ -0,0 +1,34 @@
+- name: 准备kubelet 证书签名请求
+  template: src=kubelet-csr.json.j2 dest={{ ca_dir }}/kubelet-csr.json
+
+- name: 创建 kubelet 证书与私钥
+  shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert \
+        -ca={{ ca_dir }}/ca.pem \
+        -ca-key={{ ca_dir }}/ca-key.pem \
+        -config={{ ca_dir }}/ca-config.json \
+        -profile=kubernetes kubelet-csr.json | {{ bin_dir }}/cfssljson -bare kubelet"
+
+# 创建kubelet.kubeconfig
+- name: 设置集群参数
+  shell: "{{ bin_dir }}/kubectl config set-cluster kubernetes \
+        --certificate-authority={{ ca_dir }}/ca.pem \
+        --embed-certs=true \
+        --server={{ KUBE_APISERVER }} \
+   --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
+
+- name: 设置客户端认证参数
+  shell: "{{ bin_dir }}/kubectl config set-credentials system:node:{{ inventory_hostname }} \
+        --client-certificate={{ ca_dir }}/kubelet.pem \
+        --embed-certs=true \
+        --client-key={{ ca_dir }}/kubelet-key.pem \
+   --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
+
+- name: 设置上下文参数
+  shell: "{{ bin_dir }}/kubectl config set-context default \
+        --cluster=kubernetes \
+   --user=system:node:{{ inventory_hostname }} \
+   --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
+
+- name: 选择默认上下文
+  shell: "{{ bin_dir }}/kubectl config use-context default \
+   --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"

roles/kube-node/tasks/main.yml

@@ -27,41 +27,8 @@
     line: "    server: {{ KUBE_APISERVER }}"
 
 ##----------kubelet 配置部分--------------
-
-- name: 准备kubelet 证书签名请求
-  template: src=kubelet-csr.json.j2 dest={{ ca_dir }}/kubelet-csr.json
-
-- name: 创建 kubelet 证书与私钥
-  shell: "cd {{ ca_dir }} && {{ bin_dir }}/cfssl gencert \
-        -ca={{ ca_dir }}/ca.pem \
-        -ca-key={{ ca_dir }}/ca-key.pem \
-        -config={{ ca_dir }}/ca-config.json \
-        -profile=kubernetes kubelet-csr.json | {{ bin_dir }}/cfssljson -bare kubelet"
-
-# 创建kubelet.kubeconfig 
-- name: 设置集群参数
-  shell: "{{ bin_dir }}/kubectl config set-cluster kubernetes \
-        --certificate-authority={{ ca_dir }}/ca.pem \
-        --embed-certs=true \
-        --server={{ KUBE_APISERVER }} \
-	--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
-
-- name: 设置客户端认证参数
-  shell: "{{ bin_dir }}/kubectl config set-credentials system:node:{{ inventory_hostname }} \
-        --client-certificate={{ ca_dir }}/kubelet.pem \
-        --embed-certs=true \
-        --client-key={{ ca_dir }}/kubelet-key.pem \
-	--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
-
-- name: 设置上下文参数
-  shell: "{{ bin_dir }}/kubectl config set-context default \
-        --cluster=kubernetes \
-	--user=system:node:{{ inventory_hostname }} \
-	--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
-
-- name: 选择默认上下文
-  shell: "{{ bin_dir }}/kubectl config use-context default \
-	--kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
+# 创建 kubelet 相关证书及 kubelet.kubeconfig
+- import_tasks: create-kubelet-kubeconfig.yml
 
 - name: 准备 cni配置文件
   template: src=cni-default.conf.j2 dest=/etc/cni/net.d/10-default.conf

roles/prepare/tasks/main.yml

@@ -58,4 +58,12 @@
 
     - name: 分发 kube-proxy.kubeconfig配置文件
       copy: src={{ base_dir }}/.cluster/kube-proxy.kubeconfig dest=/etc/kubernetes/kube-proxy.kubeconfig
+
+    - name: 分发 kube-controller-manager.kubeconfig配置文件
+      copy: src={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig dest=/etc/kubernetes/kube-controller-manager.kubeconfig
+      when: "inventory_hostname in groups['kube-master']"
+
+    - name: 分发 kube-scheduler.kubeconfig配置文件
+      copy: src={{ base_dir }}/.cluster/kube-scheduler.kubeconfig dest=/etc/kubernetes/kube-scheduler.kubeconfig
+      when: "inventory_hostname in groups['kube-master']"
   when: "inventory_hostname in groups['kube-master'] or inventory_hostname in groups['kube-node']"