Kubernetes Kubeconfig
1. Kubeconfig basics
A kubeconfig is a YAML file that stores authentication information so that a client can load it and authenticate to the API Server.
A kubeconfig holds the configuration needed to authenticate to one or more Kubernetes clusters and lets an administrator switch between those configurations as needed.
clusters: the list of Kubernetes cluster access endpoints (API Servers)
users: the list of identity credentials used to authenticate to an API Server
contexts: the list of contexts, each binding a user to a cluster that user can authenticate to
current-context: the context used by default
Where a client program looks for the kubeconfig file, in order of precedence:
the --kubeconfig option
the KUBECONFIG environment variable, whose value is a list of kubeconfig files
the default path: $HOME/.kube/config
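The load order above and the merge rule kubectl applies when KUBECONFIG names several files, as an added Python example that is not part of the original notes; the two sample files are constructed (cluster and user names follow this page, the 10.0.0.9 address is made up), and configs are handled as already-loaded dicts.

```python
import os
from copy import deepcopy

# Which file(s) kubectl consults, in the precedence listed above:
# --kubeconfig wins outright, then the KUBECONFIG list, then $HOME/.kube/config.
def resolve_kubeconfig_paths(kubeconfig_flag=None, env=None, home="/root"):
    env = env or {}
    if kubeconfig_flag:
        return [kubeconfig_flag]
    if env.get("KUBECONFIG"):
        # kubectl splits on the platform list separator (":" on Linux) and skips empty names
        return [p for p in env["KUBECONFIG"].split(os.pathsep) if p]
    return [os.path.join(home, ".kube", "config")]

NAMED_LISTS = ("clusters", "users", "contexts")

# Merge several loaded files the way kubectl merges a KUBECONFIG list: entries are
# keyed by "name" and the first file defining a name wins, so a later file cannot
# silently redirect an existing cluster entry; current-context is taken from the
# first file that sets a non-empty one.
def merge_kubeconfigs(configs):
    merged = {"apiVersion": "v1", "kind": "Config", "preferences": {},
              "current-context": "", **{k: [] for k in NAMED_LISTS}}
    for cfg in configs:
        for key in NAMED_LISTS:
            known = {e["name"] for e in merged[key]}
            for entry in cfg.get(key) or []:  # YAML "null" loads as None
                if entry["name"] not in known:
                    merged[key].append(deepcopy(entry))
                    known.add(entry["name"])
        if not merged["current-context"] and cfg.get("current-context"):
            merged["current-context"] = cfg["current-context"]
    return merged

# Constructed sample files modelled on the node02 file built later on this page;
# FILE_B reuses the cluster name CA-K8S with a different (made-up) server address.
FILE_A = {"clusters": [{"name": "CA-K8S", "cluster": {"server": "https://192.168.40.101:6443"}}],
          "users": [{"name": "birkhoff", "user": {"client-key-data": "<omitted>"}}],
          "contexts": [{"name": "birkhoff@CA-K8S", "context": {"cluster": "CA-K8S", "user": "birkhoff"}}],
          "current-context": ""}
FILE_B = {"clusters": [{"name": "CA-K8S", "cluster": {"server": "https://10.0.0.9:6443"}}],
          "users": [{"name": "superadmin", "user": {"client-key-data": "<omitted>"}}],
          "contexts": [{"name": "superadmin@CA-K8S", "context": {"cluster": "CA-K8S", "user": "superadmin"}}],
          "current-context": "superadmin@CA-K8S"}

if __name__ == "__main__":
    print(resolve_kubeconfig_paths(None, {"KUBECONFIG": "/root/a.yaml:/root/b.yaml"}))
    print(merge_kubeconfigs([FILE_A, FILE_B])["clusters"][0]["cluster"]["server"])
```

Because the first file wins per name, the order of the KUBECONFIG list decides which server a shared cluster name points at; swapping FILE_A and FILE_B flips the result.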
2. Configuring the kubeconfig file: command summary
Command: kubectl config SUBCOMMAND [options]
# print the loaded kubeconfig
view
# cluster subcommands
get-clusters
set-cluster
delete-cluster
# user subcommands
get-users
set-credentials
delete-user
# context subcommands
get-contexts
set-context
delete-context
rename-context
# current-context subcommands
current-context
use-context
3. Hands-on
3.1 Adding a cluster: set-cluster
# copy the ca.crt certificate to node02
[root@k8s-master01 x509cert]# scp /etc/kubernetes/pki/ca.crt 192.168.40.112:/root
# create the kubeconfig file on node02
[root@k8s-node02 ~]# mkdir .kube
[root@k8s-node02 ~]# kubectl config set-cluster --help
Set a cluster entry in kubeconfig.
Specifying a name that already exists will merge new fields on top of existing values for those fields.
Examples:
# Set only the server field on the e2e cluster entry without touching other values
kubectl config set-cluster e2e --server=https://1.2.3.4
# Embed certificate authority data for the e2e cluster entry
kubectl config set-cluster e2e --embed-certs --certificate-authority=~/.kube/e2e/kubernetes.ca.crt
# Disable cert checking for the e2e cluster entry
kubectl config set-cluster e2e --insecure-skip-tls-verify=true
# Set the custom TLS server name to use for validation for the e2e cluster entry
kubectl config set-cluster e2e --tls-server-name=my-cluster-name
# Set the proxy URL for the e2e cluster entry
kubectl config set-cluster e2e --proxy-url=https://1.2.3.4
Options:
--certificate-authority='':
Path to certificate-authority file for the cluster entry in kubeconfig
--embed-certs=false:
embed-certs for the cluster entry in kubeconfig
--insecure-skip-tls-verify=false:
insecure-skip-tls-verify for the cluster entry in kubeconfig
--proxy-url='':
proxy-url for the cluster entry in kubeconfig
--server='':
server for the cluster entry in kubeconfig
--tls-server-name='':
tls-server-name for the cluster entry in kubeconfig
Usage:
kubectl config set-cluster NAME [--server=server] [--certificate-authority=path/to/certificate/authority]
[--insecure-skip-tls-verify=true] [--tls-server-name=example.com] [options]
Use "kubectl options" for a list of global command-line options (applies to all commands).
[root@k8s-node02 ~]# kubectl config set-cluster CA-K8S --server='https://192.168.40.101:6443' --embed-certs=true --certificate-authority='/root/ca.crt'
Cluster "CA-K8S" set.
[root@k8s-node02 ~]# cat .kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64 CA certificate removed>
    server: https://192.168.40.101:6443
  name: CA-K8S
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
[root@k8s-node02 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.40.101:6443
  name: CA-K8S
- cluster:
    proxy-url: https://1.2.3.4
    server: https://1.2.3.4
    tls-server-name: my-cluster-name
  name: e2e
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
3.2 Adding users: set-credentials
# copy the generated certificates and keys to node02
[root@k8s-master01 x509cert]# scp birkhoff.* superadmin.* 192.168.40.112:/root
# add the users on node02
[root@k8s-node02 ~]# kubectl config set-credentials birkhoff --client-certificate=birkhoff.crt --client-key=birkhoff.key --embed-certs=true
User "birkhoff" set.
[root@k8s-node02 ~]# kubectl config set-credentials superadmin --client-certificate=superadmin.crt --client-key=superadmin.key --embed-certs=true
User "superadmin" set.
[root@k8s-node02 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.40.101:6443
  name: CA-K8S
- cluster:
    proxy-url: https://1.2.3.4
    server: https://1.2.3.4
    tls-server-name: my-cluster-name
  name: e2e
contexts: null
current-context: ""
kind: Config
preferences: {}
users:
- name: birkhoff
  user:
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED
- name: superadmin
  user:
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED
3.3 Binding a user to a cluster in a context: set-context
[root@k8s-node02 ~]# kubectl config set-context birkhoff@CA-K8S --cluster=CA-K8S --user=birkhoff
Context "birkhoff@CA-K8S" created.
[root@k8s-node02 ~]# kubectl config set-context superadmin@CA-K8S --cluster=CA-K8S --user=superadmin
Context "superadmin@CA-K8S" created.
[root@k8s-node02 ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.40.101:6443
  name: CA-K8S
- cluster:
    proxy-url: https://1.2.3.4
    server: https://1.2.3.4
    tls-server-name: my-cluster-name
  name: e2e
contexts:
- context:
    cluster: CA-K8S
    user: birkhoff
  name: birkhoff@CA-K8S
- context:
    cluster: CA-K8s
    user: superadmin
  name: superadmin@CA-K8S
current-context: ""
kind: Config
preferences: {}
users:
- name: birkhoff
  user:
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED
- name: superadmin
  user:
    client-certificate-data: DATA+OMITTED
    client-key-data: DATA+OMITTED
3.4 Selecting the context to use
# birkhoff is an ordinary user and is not allowed to read the data
[root@k8s-node02 ~]# kubectl config use-context birkhoff@CA-K8S
Switched to context "birkhoff@CA-K8S".
[root@k8s-node02 ~]# kubectl get pods
Error from server (Forbidden): pods is forbidden: User "birkhoff" cannot list resource "pods" in API group "" in the namespace defaul
# superadmin is in the system:masters group, so it can read the data
[root@k8s-node02 ~]# kubectl config use-context superadmin@CA-K8S
Switched to context "superadmin@CA-K8S".
[root@k8s-node02 ~]# kubectl get pods
NAME READY STATUS RESTARTS AGE
adminbox-5ccff58646-vclm2 0/1 CrashLoopBackOff 560 (71s ago) 47h
client-10961 0/1 Error 0 43h
client-2933 0/1 Error 0 2d20h
dowardapi-pod 1/1 Running 2 (2d ago) 4d18h
nginx-test-566dbd78d4-dk2h9 1/1 Running 1 (2d ago) 3d14h
nginx-test-566dbd78d4-ht5sf 1/1 Running 1 (2d ago) 3d14h
nginx-test-566dbd78d4-jb5zx 1/1 Running 1 (2d ago) 3d14h
# Alternatively, name the context directly on the query to get the same result
kubectl get pods --context=superadmin@CA-K8S
kubectl get pods --context=birkhoff@CA-K8S
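A read-only audit of a kubeconfig assembled with the set-cluster / set-credentials / set-context steps above, added here as a Python example that is not part of the original notes. It assumes the file has already been loaded into a dict (e.g. with PyYAML's safe_load, not used in the block); the sample is constructed to resemble the node02 file, with the stale e2e entry from the help examples and one context whose cluster name is mistyped (CA-K8s instead of CA-K8S).

```python
# Read-only audit of a kubeconfig already loaded into a dict; reports the problems a
# reviewer wants to see before the file is handed to a user or a CI job.
def audit_kubeconfig(cfg):
    findings = []
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters") or []}
    users = {u["name"]: u["user"] for u in cfg.get("users") or []}
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts") or []}
    used_clusters, used_users = set(), set()
    for name, ctx in contexts.items():
        # Names are case-sensitive: "CA-K8s" does not resolve to cluster "CA-K8S".
        if ctx.get("cluster") not in clusters:
            findings.append(("error", f"context {name}: unknown cluster {ctx.get('cluster')!r}"))
        if ctx.get("user") not in users:
            findings.append(("error", f"context {name}: unknown user {ctx.get('user')!r}"))
        used_clusters.add(ctx.get("cluster"))
        used_users.add(ctx.get("user"))
    current = cfg.get("current-context") or ""
    if current and current not in contexts:
        findings.append(("error", f"current-context {current!r} does not exist"))
    for name, cl in clusters.items():
        if cl.get("insecure-skip-tls-verify"):
            findings.append(("high", f"cluster {name}: TLS verification disabled"))
        elif not (cl.get("certificate-authority") or cl.get("certificate-authority-data")):
            findings.append(("warn", f"cluster {name}: no CA configured"))
        if not str(cl.get("server", "")).startswith("https://"):
            findings.append(("high", f"cluster {name}: server is not https"))
        if name not in used_clusters:
            findings.append(("info", f"cluster {name}: referenced by no context"))
    for name, u in users.items():
        if any(k in u for k in ("client-key-data", "client-key", "token")):
            findings.append(("info", f"user {name}: file carries a private key or token"))
        if name not in used_users:
            findings.append(("info", f"user {name}: referenced by no context"))
    return findings

# Constructed sample modelled on the node02 file built in section 3 (certificate
# blobs replaced by placeholders); the second context's cluster name is mistyped.
SAMPLE = {
    "clusters": [
        {"name": "CA-K8S", "cluster": {"server": "https://192.168.40.101:6443",
                                       "certificate-authority-data": "<omitted>"}},
        {"name": "e2e", "cluster": {"server": "https://1.2.3.4", "proxy-url": "https://1.2.3.4"}}],
    "users": [{"name": "birkhoff", "user": {"client-certificate-data": "<omitted>",
                                            "client-key-data": "<omitted>"}}],
    "contexts": [{"name": "birkhoff@CA-K8S", "context": {"cluster": "CA-K8S", "user": "birkhoff"}},
                 {"name": "superadmin@CA-K8S", "context": {"cluster": "CA-K8s", "user": "superadmin"}}],
    "current-context": "birkhoff@CA-K8S"}
```

Running audit_kubeconfig(SAMPLE) flags the unresolvable context, the CA-less and unused e2e cluster, and the embedded client key; a file containing client-key-data should be kept readable only by its owner.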