kubectl
token
RBAC
客户端-->API server
user: username, uid
group:
extra:
API
Request path
https://172.20.0.70:6443/apis/apps/v1/namespaces/default/deployments/myapp-deploy/
HTTP request verb:
get, post, put, delete
API requests verb:
get, list, create, update, patch, watch, proxy, redirect, delete, deletecollection
Resource:
Subresource:
Namespace:
API group
kubeconfig
master:
[root@master ~]# kubectl api-versions
admissionregistration.k8s.io/v1beta1
apiextensions.k8s.io/v1beta1
apiregistration.k8s.io/v1
apiregistration.k8s.io/v1beta1
apps/v1
apps/v1beta1
apps/v1beta2
authentication.k8s.io/v1
authentication.k8s.io/v1beta1
authorization.k8s.io/v1
authorization.k8s.io/v1beta1
autoscaling/v1
autoscaling/v2beta1
batch/v1
batch/v1beta1
certificates.k8s.io/v1beta1
events.k8s.io/v1beta1
extensions/v1beta1
networking.k8s.io/v1
policy/v1beta1
rbac.authorization.k8s.io/v1
rbac.authorization.k8s.io/v1beta1
scheduling.k8s.io/v1beta1
storage.k8s.io/v1
storage.k8s.io/v1beta1
v1
[root@master ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:10248 *:*
LISTEN 0 128 127.0.0.1:10249 *:*
LISTEN 0 128 127.0.0.1:10251 *:*
LISTEN 0 128 127.0.0.1:2379 *:*
LISTEN 0 128 127.0.0.1:10252 *:*
LISTEN 0 128 127.0.0.1:2380 *:*
LISTEN 0 128 127.0.0.1:37873 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 172.20.0.70:10010 *:*
LISTEN 0 128 :::30080 :::*
LISTEN 0 128 :::10250 :::*
LISTEN 0 128 :::30443 :::*
LISTEN 0 128 :::6443 :::*
LISTEN 0 128 :::10256 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
[root@master ~]# cat .kube/config #该文件内嵌管理员的客户端私钥(client-key-data)，不要把输出贴到笔记或聊天中；只想查看结构时用kubectl config view，敏感字段会显示为REDACTED
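[root@master ~]# kubectl proxy --port=8080 #代理用当前kubeconfig的凭据（本文环境中为kubernetes-admin）转发请求，本机上任何能访问127.0.0.1:8080的进程都无需认证即可以该身份调用API；仅用于临时调试，用完即停止，不要改为监听非回环地址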
Starting to serve on 127.0.0.1:8080
[root@master ~]# ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:10248 *:*
LISTEN 0 128 127.0.0.1:10249 *:*
LISTEN 0 128 127.0.0.1:10251 *:*
LISTEN 0 128 127.0.0.1:2379 *:*
LISTEN 0 128 127.0.0.1:10252 *:*
LISTEN 0 128 127.0.0.1:2380 *:*
LISTEN 0 128 127.0.0.1:8080 *:*
LISTEN 0 128 127.0.0.1:37873 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 172.20.0.70:10010 *:*
LISTEN 0 128 :::30080 :::*
LISTEN 0 128 :::10250 :::*
LISTEN 0 128 :::30443 :::*
LISTEN 0 128 :::6443 :::*
LISTEN 0 128 :::10256 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
[root@master ~]# curl http://localhost:8080/api/v1/namespaces
{
"kind": "NamespaceList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/api/v1/namespaces",
"resourceVersion": "206545"
},
"items": [
{
"metadata": {
"name": "default",
"selfLink": "/api/v1/namespaces/default",
"uid": "f730f8aa-afcf-11ea-9ec2-000c29e18a5b",
"resourceVersion": "30",
"creationTimestamp": "2020-06-16T12:50:32Z"
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
},
{
"metadata": {
"name": "ingress-nginx",
"selfLink": "/api/v1/namespaces/ingress-nginx",
"uid": "a99cf107-b3be-11ea-9ec2-000c29e18a5b",
"resourceVersion": "51233",
"creationTimestamp": "2020-06-21T12:56:45Z",
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Namespace\",\"metadata\":{\"annotations\":{},\"name\":\"ingress-nginx\",\"namespace\":\"\"}}\n"
}
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
},
{
"metadata": {
"name": "kube-public",
"selfLink": "/api/v1/namespaces/kube-public",
"uid": "f73504c6-afcf-11ea-9ec2-000c29e18a5b",
"resourceVersion": "37",
"creationTimestamp": "2020-06-16T12:50:32Z"
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
},
{
"metadata": {
"name": "kube-system",
"selfLink": "/api/v1/namespaces/kube-system",
"uid": "f7334138-afcf-11ea-9ec2-000c29e18a5b",
"resourceVersion": "35",
"creationTimestamp": "2020-06-16T12:50:32Z"
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
}
]
}[root@master ~]#
[root@master ~]# kubectl get deploy
[root@master ~]# kubectl get deploy -n kube-system
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
coredns 2 2 2 2 20d
[root@master ~]# curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments/
{
"kind": "DeploymentList",
"apiVersion": "apps/v1",
"metadata": {
"selfLink": "/apis/apps/v1/namespaces/kube-system/deployments/",
"resourceVersion": "207769"
},
"items": [
{
"metadata": {
"name": "coredns",
"namespace": "kube-system",
"selfLink": "/apis/apps/v1/namespaces/kube-system/deployments/coredns",
"uid": "f9b0fcfa-afcf-11ea-9ec2-000c29e18a5b",
"resourceVersion": "892",
"generation": 1,
"creationTimestamp": "2020-06-16T12:50:37Z",
"labels": {
"k8s-app": "kube-dns"
},
"annotations": {
"deployment.kubernetes.io/revision": "1"
}
},
"spec": {
"replicas": 2,
"selector": {
"matchLabels": {
"k8s-app": "kube-dns"
}
},
"template": {
"metadata": {
"creationTimestamp": null,
"labels": {
"k8s-app": "kube-dns"
}
},
"spec": {
"volumes": [
{
"name": "config-volume",
"configMap": {
"name": "coredns",
"items": [
{
"key": "Corefile",
"path": "Corefile"
}
],
"defaultMode": 420
}
}
],
"containers": [
{
"name": "coredns",
"image": "k8s.gcr.io/coredns:1.1.3",
"args": [
"-conf",
"/etc/coredns/Corefile"
],
"ports": [
{
"name": "dns",
"containerPort": 53,
"protocol": "UDP"
},
{
"name": "dns-tcp",
"containerPort": 53,
"protocol": "TCP"
},
{
"name": "metrics",
"containerPort": 9153,
"protocol": "TCP"
}
],
"resources": {
"limits": {
"memory": "170Mi"
},
"requests": {
"cpu": "100m",
"memory": "70Mi"
}
},
"volumeMounts": [
{
"name": "config-volume",
"readOnly": true,
"mountPath": "/etc/coredns"
}
],
"livenessProbe": {
"httpGet": {
"path": "/health",
"port": 8080,
"scheme": "HTTP"
},
"initialDelaySeconds": 60,
"timeoutSeconds": 5,
"periodSeconds": 10,
"successThreshold": 1,
"failureThreshold": 5
},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"imagePullPolicy": "IfNotPresent",
"securityContext": {
"capabilities": {
"add": [
"NET_BIND_SERVICE"
],
"drop": [
"all"
]
},
"readOnlyRootFilesystem": true,
"allowPrivilegeEscalation": false
}
}
],
"restartPolicy": "Always",
"terminationGracePeriodSeconds": 30,
"dnsPolicy": "Default",
"serviceAccountName": "coredns",
"serviceAccount": "coredns",
"securityContext": {
},
"schedulerName": "default-scheduler",
"tolerations": [
{
"key": "CriticalAddonsOnly",
"operator": "Exists"
},
{
"key": "node-role.kubernetes.io/master",
"effect": "NoSchedule"
}
]
}
},
"strategy": {
"type": "RollingUpdate",
"rollingUpdate": {
"maxUnavailable": 1,
"maxSurge": "25%"
}
},
"revisionHistoryLimit": 10,
"progressDeadlineSeconds": 600
},
"status": {
"observedGeneration": 1,
"replicas": 2,
"updatedReplicas": 2,
"readyReplicas": 2,
"availableReplicas": 2,
"conditions": [
{
"type": "Available",
"status": "True",
"lastUpdateTime": "2020-06-17T11:59:39Z",
"lastTransitionTime": "2020-06-17T11:59:39Z",
"reason": "MinimumReplicasAvailable",
"message": "Deployment has minimum availability."
},
{
"type": "Progressing",
"status": "True",
"lastUpdateTime": "2020-06-17T11:59:39Z",
"lastTransitionTime": "2020-06-16T12:50:52Z",
"reason": "NewReplicaSetAvailable",
"message": "ReplicaSet \"coredns-78fcdf6894\" has successfully progressed."
}
]
}
}
]
}[root@master ~]#
[root@master ~]# curl http://localhost:8080/apis/apps/v1/namespaces/kube-system/deployments/coredns
{
"kind": "Deployment",
"apiVersion": "apps/v1",
"metadata": {
"name": "coredns",
"namespace": "kube-system",
"selfLink": "/apis/apps/v1/namespaces/kube-system/deployments/coredns",
"uid": "f9b0fcfa-afcf-11ea-9ec2-000c29e18a5b",
"resourceVersion": "892",
"generation": 1,
"creationTimestamp": "2020-06-16T12:50:37Z",
"labels": {
"k8s-app": "kube-dns"
},
"annotations": {
"deployment.kubernetes.io/revision": "1"
}
},
"spec": {
"replicas": 2,
"selector": {
"matchLabels": {
"k8s-app": "kube-dns"
}
},
"template": {
"metadata": {
"creationTimestamp": null,
"labels": {
"k8s-app": "kube-dns"
}
},
"spec": {
"volumes": [
{
"name": "config-volume",
"configMap": {
"name": "coredns",
"items": [
{
"key": "Corefile",
"path": "Corefile"
}
],
"defaultMode": 420
}
}
],
"containers": [
{
"name": "coredns",
"image": "k8s.gcr.io/coredns:1.1.3",
"args": [
"-conf",
"/etc/coredns/Corefile"
],
"ports": [
{
"name": "dns",
"containerPort": 53,
"protocol": "UDP"
},
{
"name": "dns-tcp",
"containerPort": 53,
"protocol": "TCP"
},
{
"name": "metrics",
"containerPort": 9153,
"protocol": "TCP"
}
],
"resources": {
"limits": {
"memory": "170Mi"
},
"requests": {
"cpu": "100m",
"memory": "70Mi"
}
},
"volumeMounts": [
{
"name": "config-volume",
"readOnly": true,
"mountPath": "/etc/coredns"
}
],
"livenessProbe": {
"httpGet": {
"path": "/health",
"port": 8080,
"scheme": "HTTP"
},
"initialDelaySeconds": 60,
"timeoutSeconds": 5,
"periodSeconds": 10,
"successThreshold": 1,
"failureThreshold": 5
},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"imagePullPolicy": "IfNotPresent",
"securityContext": {
"capabilities": {
"add": [
"NET_BIND_SERVICE"
],
"drop": [
"all"
]
},
"readOnlyRootFilesystem": true,
"allowPrivilegeEscalation": false
}
}
],
"restartPolicy": "Always",
"terminationGracePeriodSeconds": 30,
"dnsPolicy": "Default",
"serviceAccountName": "coredns",
"serviceAccount": "coredns",
"securityContext": {
},
"schedulerName": "default-scheduler",
"tolerations": [
{
"key": "CriticalAddonsOnly",
"operator": "Exists"
},
{
"key": "node-role.kubernetes.io/master",
"effect": "NoSchedule"
}
]
}
},
"strategy": {
"type": "RollingUpdate",
"rollingUpdate": {
"maxUnavailable": 1,
"maxSurge": "25%"
}
},
"revisionHistoryLimit": 10,
"progressDeadlineSeconds": 600
},
"status": {
"observedGeneration": 1,
"replicas": 2,
"updatedReplicas": 2,
"readyReplicas": 2,
"availableReplicas": 2,
"conditions": [
{
"type": "Available",
"status": "True",
"lastUpdateTime": "2020-06-17T11:59:39Z",
"lastTransitionTime": "2020-06-17T11:59:39Z",
"reason": "MinimumReplicasAvailable",
"message": "Deployment has minimum availability."
},
{
"type": "Progressing",
"status": "True",
"lastUpdateTime": "2020-06-17T11:59:39Z",
"lastTransitionTime": "2020-06-16T12:50:52Z",
"reason": "NewReplicaSetAvailable",
"message": "ReplicaSet \"coredns-78fcdf6894\" has successfully progressed."
}
]
}
}[root@master ~]#
[root@master ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 20d
myapp ClusterIP None <none> 80/TCP 4d
[root@master ~]# kubectl describe svc kubernetes
Name: kubernetes
Namespace: default
Labels: component=apiserver
provider=kubernetes
Annotations: <none>
Selector: <none>
Type: ClusterIP
IP: 10.96.0.1
Port: https 443/TCP
TargetPort: 6443/TCP
Endpoints: 172.20.0.70:6443
Session Affinity: None
Events: <none>
[root@master ~]# kubectl explain pods.spec
[root@master ~]# cd manifests/
[root@master manifests]# kubectl apply -f deploy-demo.yaml ^C
[root@master manifests]# kubectl get pods
NAME READY STATUS RESTARTS AGE
myapp-0 1/1 Running 0 3d
myapp-1 1/1 Running 0 3d
myapp-2 1/1 Running 0 3d
myapp-3 1/1 Running 0 3d
myapp-4 1/1 Running 0 3d
myapp-deploy-67f6f6b4dc-6pgsp 1/1 Running 0 7m
myapp-deploy-67f6f6b4dc-9g7fz 1/1 Running 0 7m
myapp-deploy-67f6f6b4dc-dfsxk 1/1 Running 0 7m
pod-vol-hostpath 1/1 Running 0 12d
[root@master manifests]# kubectl describe pods myapp-deploy-67f6f6b4dc-6pgsp
Volumes:
default-token-jrx89: #使用token到api-server认证
Type: Secret (a volume populated by a Secret)
SecretName: default-token-jrx89
Optional: false
[root@master manifests]# kubectl get secret
NAME TYPE DATA AGE
default-token-jrx89 kubernetes.io/service-account-token 3 20d
mysql-root-password Opaque 1 6d
tomcat-ingress-secret kubernetes.io/tls 2 14d
[root@master manifests]# kubectl get secret -n ingress-nginx
NAME TYPE DATA AGE
default-token-ncpw9 kubernetes.io/service-account-token 3 15d
nginx-ingress-serviceaccount-token-j46fw kubernetes.io/service-account-token 3 15d
[root@master manifests]# kubectl create -h
[root@master manifests]# kubectl create serviceaccount -h
[root@master manifests]# kubectl create serviceaccount mysa --dry-run #--dry-run只模拟执行并输出结果，不会真正创建资源
[root@master manifests]# kubectl create serviceaccount mysa -o yaml --dry-run
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: null
name: mysa
[root@master manifests]# kubectl get pods
NAME READY STATUS RESTARTS AGE
myapp-0 1/1 Running 0 3d
myapp-1 1/1 Running 0 3d
myapp-2 1/1 Running 0 3d
myapp-3 1/1 Running 0 3d
myapp-4 1/1 Running 0 3d
myapp-deploy-67f6f6b4dc-6pgsp 1/1 Running 0 21m
myapp-deploy-67f6f6b4dc-9g7fz 1/1 Running 0 21m
myapp-deploy-67f6f6b4dc-dfsxk 1/1 Running 0 21m
pod-vol-hostpath 1/1 Running 0 12d
[root@master manifests]# kubectl get pods -o yaml
[root@master manifests]# kubectl get pods myapp-deploy-67f6f6b4dc-6pgsp -o yaml --export
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
generateName: myapp-deploy-67f6f6b4dc-
labels:
app: myapp
pod-template-hash: "2392926087"
release: canary
ownerReferences:
- apiVersion: apps/v1
blockOwnerDeletion: true
controller: true
kind: ReplicaSet
name: myapp-deploy-67f6f6b4dc
uid: d47f8d1c-c04e-11ea-9ec2-000c29e18a5b
selfLink: /api/v1/namespaces/default/pods/myapp-deploy-67f6f6b4dc-6pgsp
spec:
containers:
- image: ikubernetes/myapp:v2
imagePullPolicy: IfNotPresent
name: myapp
ports:
- containerPort: 80
name: http
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-jrx89
readOnly: true
dnsPolicy: ClusterFirst
nodeName: node02.smoke.com
priority: 0
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: default
serviceAccountName: default
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 300
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 300
volumes:
- name: default-token-jrx89
secret:
defaultMode: 420
secretName: default-token-jrx89
status:
phase: Pending
qosClass: BestEffort
[root@master manifests]# kubectl get sa
NAME SECRETS AGE
default 1 21d
[root@master manifests]# kubectl create serviceaccount admin
[root@master manifests]# kubectl get sa
NAME SECRETS AGE
admin 1 16s
default 1 21d
[root@master manifests]# kubectl describe sa admin
Name: admin
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: admin-token-zz4lt
Tokens: admin-token-zz4lt
Events: <none>
[root@master manifests]# kubectl get secret
NAME TYPE DATA AGE
admin-token-zz4lt kubernetes.io/service-account-token 3 5m
default-token-jrx89 kubernetes.io/service-account-token 3 21d
mysql-root-password Opaque 1 6d
tomcat-ingress-secret kubernetes.io/tls 2 14d
[root@master manifests]# cp pod-demo.yaml pod-sa-demo.yaml
[root@master manifests]# vim pod-sa-demo.yaml
# pod-sa-demo.yaml: a single-container Pod that runs under the ServiceAccount named "admin".
# NOTE(review): indentation was lost in this listing; nested keys must be re-indented
# before the manifest can be applied.
apiVersion: v1
kind: Pod
metadata:
name: pod-sa-demo
namespace: default
labels:
app: myapp
tier: frontend
annotations:
smoke.com/created-by: "cluster admin"
spec:
containers:
- name: myapp
image: ikubernetes/myapp:v1
ports:
- name: http
containerPort: 80
# Selects the ServiceAccount whose token Secret is mounted into the pod
# (admin-token-zz4lt in the `kubectl describe pods pod-sa-demo` output).
# The name "admin" grants nothing by itself: what this identity may do is decided
# only by RBAC bindings, and none are created for it on this page. Bind the
# minimum Role it needs rather than a cluster-wide one.
serviceAccountName: admin
[root@master manifests]# kubectl apply -f pod-sa-demo.yaml
[root@master manifests]# kubectl describe pods pod-sa-demo
Volumes:
admin-token-zz4lt: #使用admin-token
Type: Secret (a volume populated by a Secret)
SecretName: admin-token-zz4lt
Optional: false
[root@master manifests]# kubectl explain pods.spec
[root@master manifests]# kubectl describe sa admin
Name: admin
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none> #拉取私有仓库镜像时使用的认证Secret
Mountable secrets: admin-token-zz4lt
Tokens: admin-token-zz4lt
Events: <none>
[root@master manifests]# kubectl get pods
NAME READY STATUS RESTARTS AGE
myapp-0 1/1 Running 0 3d
myapp-1 1/1 Running 0 3d
myapp-2 1/1 Running 0 3d
myapp-3 1/1 Running 0 3d
myapp-4 1/1 Running 0 3d
myapp-deploy-67f6f6b4dc-6pgsp 1/1 Running 0 47m
myapp-deploy-67f6f6b4dc-9g7fz 1/1 Running 0 47m
myapp-deploy-67f6f6b4dc-dfsxk 1/1 Running 0 47m
pod-sa-demo 1/1 Running 0 11m
pod-vol-hostpath 1/1 Running 0 12d
[root@master manifests]# kubectl config --help
[root@master manifests]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://172.20.0.70:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@master manifests]# kubectl config --help
[root@master manifests]# cd /etc/kubernetes/
[root@master kubernetes]# ls
admin.conf controller-manager.conf kubelet.conf manifests pki scheduler.conf
[root@master kubernetes]# cd pki/
[root@master pki]# ls
apiserver.crt apiserver.key ca.crt front-proxy-ca.crt front-proxy-client.key
apiserver-etcd-client.crt apiserver-kubelet-client.crt ca.key front-proxy-ca.key sa.key
apiserver-etcd-client.key apiserver-kubelet-client.key etcd front-proxy-client.crt sa.pub
[root@master pki]# (umask 077; openssl genrsa -out smoke.key 2048) #制作私钥
[root@master pki]# ll
总用量 60
-rw-r--r--. 1 root root 1233 6月 16 20:49 apiserver.crt
-rw-r--r--. 1 root root 1094 6月 16 20:49 apiserver-etcd-client.crt
-rw-------. 1 root root 1679 6月 16 20:49 apiserver-etcd-client.key
-rw-------. 1 root root 1675 6月 16 20:49 apiserver.key
-rw-r--r--. 1 root root 1099 6月 16 20:49 apiserver-kubelet-client.crt
-rw-------. 1 root root 1675 6月 16 20:49 apiserver-kubelet-client.key
-rw-r--r--. 1 root root 1025 6月 16 20:49 ca.crt
-rw-------. 1 root root 1679 6月 16 20:49 ca.key
drwxr-xr-x. 2 root root 162 6月 16 20:49 etcd
-rw-r--r--. 1 root root 1025 6月 16 20:49 front-proxy-ca.crt
-rw-------. 1 root root 1679 6月 16 20:49 front-proxy-ca.key
-rw-r--r--. 1 root root 1050 6月 16 20:49 front-proxy-client.crt
-rw-------. 1 root root 1679 6月 16 20:49 front-proxy-client.key
-rw-------. 1 root root 1679 6月 16 20:49 sa.key
-rw-------. 1 root root 451 6月 16 20:49 sa.pub
-rw-------. 1 root root 1675 7月 7 21:53 smoke.key
[root@master pki]# openssl req -new -key smoke.key -out smoke.csr -subj "/CN=smoke" #生成证书签署请求；API server把证书的CN当作用户名、O当作组名，这里只设置了CN，所以用户smoke不属于任何额外的组
[root@master pki]# openssl x509 -req -in smoke.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out smoke.crt -days 365 #用集群CA签署证书；API server不检查证书吊销，签出的客户端证书在到期前（此处365天）一直有效，应按需缩短有效期，并妥善保管ca.key和smoke.key
[root@master pki]# openssl x509 -in smoke.crt -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
d6:ca:eb:83:5f:0d:7d:ff
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Jul 7 13:58:29 2020 GMT
Not After : Jul 7 13:58:29 2021 GMT
Subject: CN=smoke
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ba:02:84:39:f5:9f:63:87:8e:e7:e6:31:d3:dd:
96:88:bc:d2:f2:df:0f:3b:29:eb:24:66:3f:88:8f:
b5:3a:b3:46:d9:ce:9b:0c:17:bb:ef:cf:b7:11:ee:
04:4b:0c:13:33:b2:96:86:d1:85:08:98:bf:dc:66:
1a:1c:71:da:18:7c:49:ed:f4:15:56:0a:a4:7e:a4:
5c:96:8c:1b:3e:d7:39:09:01:10:75:cd:76:2f:f5:
f4:81:f4:67:f3:01:b0:36:10:8a:35:9e:2e:3c:a4:
7f:db:40:8e:6b:a0:29:a8:7b:bd:47:76:66:56:77:
de:49:c7:ac:b9:cd:ad:1a:ca:7b:dc:c0:d0:a3:3f:
02:c5:5a:bf:e3:7b:16:06:97:a4:10:1e:f4:1e:b4:
d7:0c:3b:97:b2:e7:74:d7:4a:1c:f0:fc:8e:d5:9d:
28:ed:d4:fa:a2:c9:d0:4b:72:b5:e6:dc:07:d8:15:
06:dc:5c:1b:5a:59:44:e0:b4:dc:09:f4:a8:d2:a3:
6e:cd:9b:2e:20:b2:c6:91:8d:b4:3b:30:12:01:1e:
f6:02:b6:72:c2:8d:be:eb:03:94:5d:27:a7:fc:f7:
00:61:a3:d1:8f:4d:e0:70:d5:99:26:6e:25:2c:49:
15:bd:4a:93:f4:b7:27:a4:b4:a0:a5:ed:ef:16:97:
f8:33
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
5a:c0:66:b1:28:f4:06:a2:db:e2:cd:0e:b6:d6:a3:76:5b:04:
31:3a:25:52:e6:9f:7d:be:e5:dd:a8:77:1f:58:91:19:5d:7d:
b1:fd:66:3f:cd:8c:d8:e5:8f:e1:e1:5b:94:8b:10:42:3c:bf:
62:ab:dd:a3:c3:32:cc:e7:32:ca:11:fa:d0:c6:ff:c8:d9:87:
b9:d6:96:9a:3f:f1:a9:2c:e7:ac:37:90:83:dc:c4:40:fc:99:
15:35:f9:59:4a:37:0f:51:bf:f0:19:ec:50:3a:b6:7a:ab:e1:
34:50:e5:30:2c:08:a9:41:66:2d:d5:e5:8e:b7:e2:b9:af:02:
69:fa:8b:bd:59:81:fe:30:3f:32:4d:6e:62:e8:c6:c3:3a:a1:
80:a5:6b:cf:83:89:dd:2d:84:62:c8:ac:df:57:af:13:be:f8:
a1:e0:20:43:5e:36:f9:28:dc:a0:43:68:c6:64:d1:7f:61:e1:
55:b0:b2:b4:04:17:d9:84:1d:69:d2:97:8b:8f:a2:12:b2:25:
c1:31:90:d0:32:e6:76:3d:aa:fd:bf:44:44:b5:6a:8c:e3:a8:
82:5c:93:52:ea:55:3a:d0:bd:28:af:c6:7e:5b:da:6e:9d:e6:
62:85:8d:77:89:53:c9:0c:52:3d:06:8f:9b:3f:72:d9:69:43:
35:9e:87:39
[root@master pki]# kubectl config --help
[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://172.20.0.70:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@master pki]# kubectl config set-credentials --help
[root@master pki]# kubectl config set-credentials smoke --client-certificate=smoke.crt --client-key=smoke.key --embed-certs=true
[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://172.20.0.70:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: smoke
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@master pki]# kubectl config set-context --help
[root@master pki]# kubectl config set-context smoke@kubernetes --cluster=kubernetes --user=smoke
[root@master pki]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://172.20.0.70:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
- context:
cluster: kubernetes
user: smoke
name: smoke@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
- name: smoke
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@master pki]# kubectl config use-context smoke@kubernetes
[root@master pki]# kubectl get pods #smoke已通过证书认证，但尚未通过RBAC被授予任何权限，所以请求被拒绝（Forbidden）；这个账号没有管理员权限
No resources found.
Error from server (Forbidden): pods is forbidden: User "smoke" cannot list pods in the namespace "default"
[root@master pki]# kubectl config set-cluster --help
[root@master pki]# kubectl config use-context kubernetes-admin@kubernetes
[root@master ~]# ls -a
. anaconda-ks.cfg .bash_logout .bashrc image.sh ingress-nginx-nginx-0.17.1 .kube #kubectl默认加载的配置文件是.kube下的config文件 .pki .ssh .viminfo
.. .bash_history .bash_profile .cshrc ingress-nginx ingress-nginx-nginx-0.17.1.tar.gz manifests .rnd .tcshrc
[root@master ~]# kubectl config set-cluster -h
[root@master ~]# kubectl config --help
[root@master ~]# kubectl config set-cluster mycluster --kubeconfig=/tmp/test.conf --server="https://172.20.0.70:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true #/tmp对所有用户可写，这里仅作演示；实际的kubeconfig（尤其是之后还要写入客户端私钥或token时）应放在仅属主可访问的目录中，并将文件权限设为600
[root@master ~]# kubectl config view --kubeconfig=/tmp/test.conf
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://172.20.0.70:6443
name: mycluster
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []