From b16520704a9acfba29ec4a078ffcbf37093153a6 Mon Sep 17 00:00:00 2001
From: gjmzj
Date: Wed, 29 Jan 2020 10:40:27 +0800
Subject: [PATCH] =?UTF-8?q?=E5=88=9B=E5=BB=BAkube-controller-manager.kubec?= =?UTF-8?q?onfig=E5=92=8Ckube-scheduler.kubeconfig?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 docs/op/readonly_kubectl.md | 2 +-
 ...ate-kube-controller-manager-kubeconfig.yml | 33 ++++++++
 .../tasks/create-kube-proxy-kubeconfig.yml | 33 ++++++++
 .../create-kube-scheduler-kubeconfig.yml | 33 ++++++++
 .../tasks/create-kubectl-kubeconfig.yml | 32 ++++++++
 ...g.yml => create-kubectl-ro-kubeconfig.yml} | 0
 roles/deploy/tasks/main.yml | 81 +++----------------
 .../kube-controller-manager-csr.json.j2 | 17 ++++
 .../templates/kube-scheduler-csr.json.j2 | 17 ++++
 9 files changed, 179 insertions(+), 69 deletions(-)
 create mode 100644 roles/deploy/tasks/create-kube-controller-manager-kubeconfig.yml
 create mode 100644 roles/deploy/tasks/create-kube-proxy-kubeconfig.yml
 create mode 100644 roles/deploy/tasks/create-kube-scheduler-kubeconfig.yml
 create mode 100644 roles/deploy/tasks/create-kubectl-kubeconfig.yml
 rename roles/deploy/tasks/{create-ro-kubeconfig.yml => create-kubectl-ro-kubeconfig.yml} (100%)
 create mode 100644 roles/deploy/templates/kube-controller-manager-csr.json.j2
 create mode 100644 roles/deploy/templates/kube-scheduler-csr.json.j2
diff --git a/docs/op/readonly_kubectl.md b/docs/op/readonly_kubectl.md
index f3c08b2..38690d1 100644
--- a/docs/op/readonly_kubectl.md
+++ b/docs/op/readonly_kubectl.md
@@ -26,7 +26,7 @@ Error from server (Forbidden): deployments.apps "kubernetes-dashboard" is forbid
 ## 讲解
-对照文件`/etc/ansible/roles/deploy/tasks/create-ro-kubeconfig.yml`,创建主要包括三个步骤:
+对照文件`/etc/ansible/roles/deploy/tasks/create-kubectl-ro-kubeconfig.yml`,创建主要包括三个步骤:
 - 创建 group:read rbac 权限
 - 创建 read 用户证书和私钥
diff --git a/roles/deploy/tasks/create-kube-controller-manager-kubeconfig.yml b/roles/deploy/tasks/create-kube-controller-manager-kubeconfig.yml
new file mode 100644
index 0000000..b68a616
--- /dev/null
+++ b/roles/deploy/tasks/create-kube-controller-manager-kubeconfig.yml
@@ -0,0 +1,33 @@
+- name: 准备kube-controller-manager 证书签名请求
+ template: src=kube-controller-manager-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/kube-controller-manager-csr.json
+
+- name: 创建 kube-controller-manager证书与私钥
+ shell: "cd {{ base_dir }}/.cluster/ssl && {{ base_dir }}/bin/cfssl gencert \
+ -ca=ca.pem \
+ -ca-key=ca-key.pem \
+ -config=ca-config.json \
+ -profile=kubernetes kube-controller-manager-csr.json | {{ base_dir }}/bin/cfssljson -bare kube-controller-manager"
+
+- name: 设置集群参数
+ shell: "{{ base_dir }}/bin/kubectl config set-cluster kubernetes \
+ --certificate-authority={{ base_dir }}/.cluster/ssl/ca.pem \
+ --embed-certs=true \
+ --server={{ KUBE_APISERVER }} \
+ --kubeconfig={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig"
+
+- name: 设置认证参数
+ shell: "{{ base_dir }}/bin/kubectl config set-credentials kube-controller-manager \
+ --client-certificate={{ base_dir }}/.cluster/ssl/kube-controller-manager.pem \
+ --client-key={{ base_dir }}/.cluster/ssl/kube-controller-manager-key.pem \
+ --embed-certs=true \
+ --kubeconfig={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig"
+
+- name: 设置上下文参数
+ shell: "{{ base_dir }}/bin/kubectl config set-context default \
+ --cluster=kubernetes \
+ --user=kube-controller-manager \
+ --kubeconfig={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig"
+
+- name: 选择默认上下文
+ shell: "{{ base_dir }}/bin/kubectl config use-context default \
+ --kubeconfig={{ base_dir }}/.cluster/kube-controller-manager.kubeconfig"
diff --git a/roles/deploy/tasks/create-kube-proxy-kubeconfig.yml b/roles/deploy/tasks/create-kube-proxy-kubeconfig.yml
new file mode 100644
index 0000000..41547b1
--- /dev/null
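Review bot: The `cfssl gencert ... | cfssljson -bare kube-controller-manager` task has no `creates:` guard, so every run of the deploy role mints a fresh private key and certificate for `system:kube-controller-manager` and rewrites the kubeconfig that embeds them; the kube-proxy and kube-scheduler task files added in this commit have the same shape. The API server's certificate authenticator does no revocation checking, so a previously issued copy of such a kubeconfig stays valid until its certificate expires after a re-run — worth a comment above the gencert task if regeneration is intended, e.g. `# re-issues the key pair on every run; earlier copies of the kubeconfig remain valid until expiry`. If it is not intended, `args: creates: "{{ base_dir }}/.cluster/ssl/kube-controller-manager-key.pem"` would keep an existing key. Style-wise the three new task files differ only in the component name, so one task file included with a `component` variable would keep the five steps in a single place.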
+++ b/roles/deploy/tasks/create-kube-proxy-kubeconfig.yml
@@ -0,0 +1,33 @@
+- name: 准备kube-proxy 证书签名请求
+ template: src=kube-proxy-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/kube-proxy-csr.json
+
+- name: 创建 kube-proxy证书与私钥
+ shell: "cd {{ base_dir }}/.cluster/ssl && {{ base_dir }}/bin/cfssl gencert \
+ -ca=ca.pem \
+ -ca-key=ca-key.pem \
+ -config=ca-config.json \
+ -profile=kubernetes kube-proxy-csr.json | {{ base_dir }}/bin/cfssljson -bare kube-proxy"
+
+- name: 设置集群参数
+ shell: "{{ base_dir }}/bin/kubectl config set-cluster kubernetes \
+ --certificate-authority={{ base_dir }}/.cluster/ssl/ca.pem \
+ --embed-certs=true \
+ --server={{ KUBE_APISERVER }} \
+ --kubeconfig={{ base_dir }}/.cluster/kube-proxy.kubeconfig"
+
+- name: 设置客户端认证参数
+ shell: "{{ base_dir }}/bin/kubectl config set-credentials kube-proxy \
+ --client-certificate={{ base_dir }}/.cluster/ssl/kube-proxy.pem \
+ --client-key={{ base_dir }}/.cluster/ssl/kube-proxy-key.pem \
+ --embed-certs=true \
+ --kubeconfig={{ base_dir }}/.cluster/kube-proxy.kubeconfig"
+
+- name: 设置上下文参数
+ shell: "{{ base_dir }}/bin/kubectl config set-context default \
+ --cluster=kubernetes \
+ --user=kube-proxy \
+ --kubeconfig={{ base_dir }}/.cluster/kube-proxy.kubeconfig"
+
+- name: 选择默认上下文
+ shell: "{{ base_dir }}/bin/kubectl config use-context default \
+ --kubeconfig={{ base_dir }}/.cluster/kube-proxy.kubeconfig"
diff --git a/roles/deploy/tasks/create-kube-scheduler-kubeconfig.yml b/roles/deploy/tasks/create-kube-scheduler-kubeconfig.yml
new file mode 100644
index 0000000..56115dc
--- /dev/null
+++ b/roles/deploy/tasks/create-kube-scheduler-kubeconfig.yml
@@ -0,0 +1,33 @@
+- name: 准备kube-scheduler 证书签名请求
+ template: src=kube-scheduler-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/kube-scheduler-csr.json
+
+- name: 创建 kube-scheduler证书与私钥
+ shell: "cd {{ base_dir }}/.cluster/ssl && {{ base_dir }}/bin/cfssl gencert \
+ -ca=ca.pem \
+ -ca-key=ca-key.pem \
+ -config=ca-config.json \
+ -profile=kubernetes kube-scheduler-csr.json | {{ base_dir }}/bin/cfssljson -bare kube-scheduler"
+
+- name: 设置集群参数
+ shell: "{{ base_dir }}/bin/kubectl config set-cluster kubernetes \
+ --certificate-authority={{ base_dir }}/.cluster/ssl/ca.pem \
+ --embed-certs=true \
+ --server={{ KUBE_APISERVER }} \
+ --kubeconfig={{ base_dir }}/.cluster/kube-scheduler.kubeconfig"
+
+- name: 设置认证参数
+ shell: "{{ base_dir }}/bin/kubectl config set-credentials kube-scheduler \
+ --client-certificate={{ base_dir }}/.cluster/ssl/kube-scheduler.pem \
+ --client-key={{ base_dir }}/.cluster/ssl/kube-scheduler-key.pem \
+ --embed-certs=true \
+ --kubeconfig={{ base_dir }}/.cluster/kube-scheduler.kubeconfig"
+
+- name: 设置上下文参数
+ shell: "{{ base_dir }}/bin/kubectl config set-context default \
+ --cluster=kubernetes \
+ --user=kube-scheduler \
+ --kubeconfig={{ base_dir }}/.cluster/kube-scheduler.kubeconfig"
+
+- name: 选择默认上下文
+ shell: "{{ base_dir }}/bin/kubectl config use-context default \
+ --kubeconfig={{ base_dir }}/.cluster/kube-scheduler.kubeconfig"
diff --git a/roles/deploy/tasks/create-kubectl-kubeconfig.yml b/roles/deploy/tasks/create-kubectl-kubeconfig.yml
new file mode 100644
index 0000000..7192d7e
--- /dev/null
+++ b/roles/deploy/tasks/create-kubectl-kubeconfig.yml
@@ -0,0 +1,32 @@
+- name: 删除原有kubeconfig
+ file: path=/root/.kube/config state=absent
+ ignore_errors: true
+
+- name: 准备kubectl使用的admin证书签名请求
+ template: src=admin-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/admin-csr.json
+
+- name: 创建admin证书与私钥
+ shell: "cd {{ base_dir }}/.cluster/ssl && {{ base_dir }}/bin/cfssl gencert \
+ -ca=ca.pem \
+ -ca-key=ca-key.pem \
+ -config=ca-config.json \
+ -profile=kubernetes admin-csr.json | {{ base_dir }}/bin/cfssljson -bare admin"
+
+- name: 设置集群参数
+ shell: "{{ base_dir }}/bin/kubectl config set-cluster {{ CLUSTER_NAME }} \
+ --certificate-authority={{ base_dir }}/.cluster/ssl/ca.pem \
+ --embed-certs=true \
+ --server={{ KUBE_APISERVER }}"
+
+- name: 设置客户端认证参数
+ shell: "{{ base_dir }}/bin/kubectl config set-credentials admin \
+ --client-certificate={{ base_dir }}/.cluster/ssl/admin.pem \
+ --embed-certs=true \
+ --client-key={{ base_dir }}/.cluster/ssl/admin-key.pem"
+
+- name: 设置上下文参数
+ shell: "{{ base_dir }}/bin/kubectl config set-context {{ CLUSTER_NAME }} \
+ --cluster={{ CLUSTER_NAME }} --user=admin"
+
+- name: 选择默认上下文
+ shell: "{{ base_dir }}/bin/kubectl config use-context {{ CLUSTER_NAME }}"
diff --git a/roles/deploy/tasks/create-ro-kubeconfig.yml b/roles/deploy/tasks/create-kubectl-ro-kubeconfig.yml
similarity index 100%
rename from roles/deploy/tasks/create-ro-kubeconfig.yml
rename to roles/deploy/tasks/create-kubectl-ro-kubeconfig.yml
diff --git a/roles/deploy/tasks/main.yml b/roles/deploy/tasks/main.yml
index 1ac2fa6..8c75c56 100644
--- a/roles/deploy/tasks/main.yml
+++ b/roles/deploy/tasks/main.yml
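Review bot: The `set-cluster`, `set-credentials`, `set-context` and `use-context` tasks pass no `--kubeconfig`, so kubectl writes to whatever `$KUBECONFIG` or `$HOME/.kube/config` resolves to for the user running Ansible, while the first task removes the fixed path `/root/.kube/config`; on a control host that runs as another user or has `KUBECONFIG` set, the old file is deleted and the new admin credentials land somewhere else. Adding `--kubeconfig=/root/.kube/config` to each kubectl call (or a single variable used by the delete task and the kubectl calls) ties the two to the same file. The `ignore_errors: true` on the delete task is also unnecessary — `file: state=absent` succeeds when the path is already missing — and it would hide a permission error that leaves the previous admin credentials in place.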
@@ -26,81 +26,30 @@
 {{ base_dir }}/bin/cfssl gencert -initca ca-csr.json | {{ base_dir }}/bin/cfssljson -bare ca"
 #----------- 创建admin kubectl kubeconfig文件: /root/.kube/config
-- block:
- - name: 删除原有kubeconfig
- file: path=/root/.kube/config state=absent
- ignore_errors: true
-
- - name: 准备kubectl使用的admin证书签名请求
- template: src=admin-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/admin-csr.json
-
- - name: 创建admin证书与私钥
- shell: "cd {{ base_dir }}/.cluster/ssl && {{ base_dir }}/bin/cfssl gencert \
- -ca=ca.pem \
- -ca-key=ca-key.pem \
- -config=ca-config.json \
- -profile=kubernetes admin-csr.json | {{ base_dir }}/bin/cfssljson -bare admin"
-
- - name: 设置集群参数
- shell: "{{ base_dir }}/bin/kubectl config set-cluster {{ CLUSTER_NAME }} \
- --certificate-authority={{ base_dir }}/.cluster/ssl/ca.pem \
- --embed-certs=true \
- --server={{ KUBE_APISERVER }}"
-
- - name: 设置客户端认证参数
- shell: "{{ base_dir }}/bin/kubectl config set-credentials admin \
- --client-certificate={{ base_dir }}/.cluster/ssl/admin.pem \
- --embed-certs=true \
- --client-key={{ base_dir }}/.cluster/ssl/admin-key.pem"
-
- - name: 设置上下文参数
- shell: "{{ base_dir }}/bin/kubectl config set-context {{ CLUSTER_NAME }} \
- --cluster={{ CLUSTER_NAME }} --user=admin"
-
- - name: 选择默认上下文
- shell: "{{ base_dir }}/bin/kubectl config use-context {{ CLUSTER_NAME }}"
+- import_tasks: create-kubectl-kubeconfig.yml
 tags: create_kctl_cfg
 #-----------可选创建只读kubeconfig文件: /root/.kube/read.config
-- import_tasks: create-ro-kubeconfig.yml
+- import_tasks: create-kubectl-ro-kubeconfig.yml
 when: "CREATE_READONLY_KUBECONFIG"
-#------------创建kube-proxy配置文件: kube-proxy.kubeconfig
-- name: 准备kube-proxy 证书签名请求
- template: src=kube-proxy-csr.json.j2 dest={{ base_dir }}/.cluster/ssl/kube-proxy-csr.json
+#------------创建配置文件: kube-proxy.kubeconfig
+- import_tasks: create-kube-proxy-kubeconfig.yml
-- name: 创建 kube-proxy证书与私钥
- shell: "cd {{ base_dir }}/.cluster/ssl && {{ base_dir }}/bin/cfssl gencert \
- -ca=ca.pem \
- -ca-key=ca-key.pem \
- -config=ca-config.json \
- -profile=kubernetes kube-proxy-csr.json | {{ base_dir }}/bin/cfssljson -bare kube-proxy"
+#------------创建配置文件: kube-controller-manager.kubeconfig
+- import_tasks: create-kube-controller-manager-kubeconfig.yml
-- name: 设置集群参数
- shell: "{{ base_dir }}/bin/kubectl config set-cluster kubernetes \
- --certificate-authority={{ base_dir }}/.cluster/ssl/ca.pem \
- --embed-certs=true \
- --server={{ KUBE_APISERVER }} \
- --kubeconfig={{ base_dir }}/.cluster/kube-proxy.kubeconfig"
-- name: 设置客户端认证参数
- shell: "{{ base_dir }}/bin/kubectl config set-credentials kube-proxy \
- --client-certificate={{ base_dir }}/.cluster/ssl/kube-proxy.pem \
- --client-key={{ base_dir }}/.cluster/ssl/kube-proxy-key.pem \
- --embed-certs=true \
- --kubeconfig={{ base_dir }}/.cluster/kube-proxy.kubeconfig"
-- name: 设置上下文参数
- shell: "{{ base_dir }}/bin/kubectl config set-context default \
- --cluster=kubernetes \
- --user=kube-proxy \
- --kubeconfig={{ base_dir }}/.cluster/kube-proxy.kubeconfig"
-- name: 选择默认上下文
- shell: "{{ base_dir }}/bin/kubectl config use-context default \
- --kubeconfig={{ base_dir }}/.cluster/kube-proxy.kubeconfig"
+#------------创建配置文件: kube-scheduler.kubeconfig
+- import_tasks: create-kube-scheduler-kubeconfig.yml
+# ansible 控制端一些易用性配置
 - name: 本地创建 easzctl 工具的软连接
 file: src={{ base_dir }}/tools/easzctl dest=/usr/bin/easzctl state=link
-# ansible 控制端一些易用性配置
+- name: ansible 控制端创建 kubectl 软链接
+ file: src={{ base_dir }}/bin/kubectl dest=/usr/bin/kubectl state=link
+ ignore_errors: true
+
 # 注册变量以判断是否容器化运行ansible控制端,如果容器化运行那么进程数小于50
 - name: 注册变量以判断是否容器化运行ansible控制端
 shell: "ps aux|wc -l"
@@ -124,10 +73,6 @@
 when: "procs.stdout|int > 50"
 ignore_errors: true
-- name: ansible 控制端创建 kubectl 软链接
- file: src={{ base_dir }}/bin/kubectl dest=/usr/bin/kubectl state=link
- ignore_errors: true
-
 - name: pip install netaddr
 pip:
 name: netaddr
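Review bot: The relocated `ansible 控制端创建 kubectl 软链接` task keeps `ignore_errors: true`, so when `/usr/bin/kubectl` already exists as a regular file the `file: ... state=link` task fails (the file module does not replace a regular file with a link unless `force=yes` is given) and the play continues with whatever binary is there. Dropping `ignore_errors` and adding `force=yes` makes the intended end state explicit; the `easzctl` link task directly above already runs without the ignore. The three new `import_tasks` entries for kube-proxy, kube-controller-manager and kube-scheduler also carry no `tags:`, unlike the `create-kubectl-kubeconfig.yml` import with `tags: create_kctl_cfg`, so a run limited to that tag regenerates only the admin kubeconfig — fine if intended, but worth a one-line comment above the imports saying so.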
diff --git a/roles/deploy/templates/kube-controller-manager-csr.json.j2 b/roles/deploy/templates/kube-controller-manager-csr.json.j2
new file mode 100644
index 0000000..86d6587
--- /dev/null
+++ b/roles/deploy/templates/kube-controller-manager-csr.json.j2
@@ -0,0 +1,17 @@
+{
+ "CN": "system:kube-controller-manager",
+ "hosts": [],
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "CN",
+ "ST": "HangZhou",
+ "L": "XS",
+ "O": "k8s",
+ "OU": "System"
+ }
+ ]
+}
diff --git a/roles/deploy/templates/kube-scheduler-csr.json.j2 b/roles/deploy/templates/kube-scheduler-csr.json.j2
new file mode 100644
index 0000000..e341062
--- /dev/null
+++ b/roles/deploy/templates/kube-scheduler-csr.json.j2
@@ -0,0 +1,17 @@
+{
+ "CN": "system:kube-scheduler",
+ "hosts": [],
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "CN",
+ "ST": "HangZhou",
+ "L": "XS",
+ "O": "k8s",
+ "OU": "System"
+ }
+ ]
+}
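Review bot: Both new CSR templates carry `"O": "k8s"` in `names`, and the API server's x509 authenticator maps the certificate `O` field to group membership, so every component certificate issued from these templates is also a member of a `k8s` group; nothing in this commit binds that group, but the intent should be recorded so a later RBAC change does not grant it rights by accident — the templates are JSON, so the note belongs above the `template:` task that renders them, e.g. `# "O": "k8s" becomes a Kubernetes group name; keep it unbound`. Whether these certificates can also be presented as server certificates depends on the usages in the `kubernetes` profile of `ca-config.json`, which this diff does not show; a client-only profile would be the tighter choice if that profile includes server auth. The two templates are identical apart from `CN`, so one template with `"CN": "system:{{ component }}"` would remove the duplication.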