remove the need of admin kubeconfig on master nodes

2022-10-09 20:43:19 +08:00 · 2022-10-09 20:43:19 +08:00 · 5f9a266083
parent e75784437f
commit 5f9a266083
4 changed files with 38 additions and 25 deletions
--- a/playbooks/04.kube-master.yml
+++ b/playbooks/04.kube-master.yml
@ -6,10 +6,12 @@
  - kube-node
  tasks:
  - name: Making master nodes SchedulingDisabled
-    shell: "{{ bin_dir }}/kubectl cordon {{ inventory_hostname }} "
+    shell: "{{ base_dir }}/bin/kubectl cordon {{ inventory_hostname }} "
    when: "inventory_hostname not in groups['kube_node']"
    ignore_errors: true
+    connection: local

  - name: Setting master role name 
-    shell: "{{ bin_dir }}/kubectl label node {{ inventory_hostname }} kubernetes.io/role=master --overwrite"
+    shell: "{{ base_dir }}/bin/kubectl label node {{ inventory_hostname }} kubernetes.io/role=master --overwrite"
    ignore_errors: true
+    connection: local
--- a/playbooks/23.addmaster.yml
+++ b/playbooks/23.addmaster.yml
@ -18,10 +18,12 @@
  # 
  tasks:
  - name: Making master nodes SchedulingDisabled
-    shell: "{{ bin_dir }}/kubectl cordon {{ NODE_TO_ADD }} "
+    shell: "{{ base_dir }}/bin/kubectl cordon {{ NODE_TO_ADD }} "
    when: "inventory_hostname not in groups['kube_node']"
    ignore_errors: true
+    connection: local

  - name: Setting master role name
-    shell: "{{ bin_dir }}/kubectl label node {{ NODE_TO_ADD }} kubernetes.io/role=master --overwrite"
+    shell: "{{ base_dir }}/bin/kubectl label node {{ NODE_TO_ADD }} kubernetes.io/role=master --overwrite"
    ignore_errors: true
+    connection: local
--- a/playbooks/90.setup.yml
+++ b/playbooks/90.setup.yml
@ -43,13 +43,15 @@
  - kube-node
  tasks:
  - name: Making master nodes SchedulingDisabled
-    shell: "{{ bin_dir }}/kubectl cordon {{ inventory_hostname }} "
+    shell: "{{ base_dir }}/bin/kubectl cordon {{ inventory_hostname }} "
    when: "inventory_hostname not in groups['kube_node']" 
    ignore_errors: true
+    connection: local

  - name: Setting master role name
-    shell: "{{ bin_dir }}/kubectl label node {{ inventory_hostname }} kubernetes.io/role=master --overwrite"
+    shell: "{{ base_dir }}/bin/kubectl label node {{ inventory_hostname }} kubernetes.io/role=master --overwrite"
    ignore_errors: true
+    connection: local

 # to set up 'kube_node' nodes
 - hosts: kube_node
--- a/roles/kube-master/tasks/main.yml
+++ b/roles/kube-master/tasks/main.yml
@ -7,9 +7,6 @@
  - kubectl
  tags: upgrade_k8s

- name: 分发 kubeconfig配置文件
-  copy: src={{ cluster_dir }}/kubectl.kubeconfig dest=/root/.kube/config mode=0400
-
 - name: 分发controller/scheduler kubeconfig配置文件
  copy: src={{ cluster_dir }}/{{ item }} dest=/etc/kubernetes/{{ item }}
  with_items:
@ -68,7 +65,6 @@
    regexp: "^    server"
    line: "    server: https://127.0.0.1:{{ SECURE_PORT }}"
  with_items:
-  - "/root/.kube/config"
  - "/etc/kubernetes/kube-controller-manager.kubeconfig"
  - "/etc/kubernetes/kube-scheduler.kubeconfig"

@ -116,8 +112,18 @@
  delay: 3
  tags: upgrade_k8s, restart_master

- name: 以轮询的方式等待master服务启动完成
-  command: "{{ bin_dir }}/kubectl get node"
+- block:
+    - name: 复制kubectl.kubeconfig
+      shell: 'cd {{ cluster_dir }} && cp -f kubectl.kubeconfig {{ inventory_hostname }}-kubectl.kubeconfig'
+
+    - name: 替换 kubeconfig 的 apiserver 地址
+      lineinfile:
+        dest: "{{ cluster_dir }}/{{ inventory_hostname }}-kubectl.kubeconfig"
+        regexp: "^    server"
+        line: "    server: https://{{ inventory_hostname }}:{{ SECURE_PORT }}"
+
+    - name: 轮询等待master服务启动完成
+      command: "{{ base_dir }}/bin/kubectl --kubeconfig={{ cluster_dir }}/{{ inventory_hostname }}-kubectl.kubeconfig get node"
      register: result
      until:    result.rc == 0
      retries:  5
@ -125,11 +131,12 @@
      tags: upgrade_k8s, restart_master

    - name: 获取user:kubernetes是否已经绑定对应角色
-  shell: "{{ bin_dir }}/kubectl get clusterrolebindings|grep kubernetes-crb || echo 'notfound'"
+      shell: "{{ base_dir }}/bin/kubectl get clusterrolebindings|grep kubernetes-crb || echo 'notfound'"
      register: crb_info
      run_once: true

    - name: 创建user:kubernetes角色绑定
-  command: "{{ bin_dir }}/kubectl create clusterrolebinding kubernetes-crb --clusterrole=cluster-admin --user=kubernetes"
+      command: "{{ base_dir }}/bin/kubectl create clusterrolebinding kubernetes-crb --clusterrole=cluster-admin --user=kubernetes"
      run_once: true
      when: "'notfound' in crb_info.stdout"
+  connection: local