【Kubernetes】k8s security management explained【detailed configuration of Role bindings and ClusterRole bindings】

  • First, you need a complete, working cluster

[root@master ~]# kubectl get nodes -o wide

NAME     STATUS   ROLES    AGE    VERSION   INTERNAL-IP      EXTERNAL-IP   OS-IMAGE                KERNEL-VERSION              CONTAINER-RUNTIME

master   Ready    master   114d   v1.21.0   192.168.59.142   <none>        CentOS Linux 7 (Core)   3.10.0-957.el7.x86_64   docker://20.10.7

node1    Ready    <none>   114d   v1.21.0   192.168.59.143   <none>        CentOS Linux 7 (Core)   3.10.0-957.el7.x86_64   docker://20.10.7

node2    Ready    <none>   114d   v1.21.0   192.168.59.144   <none>        CentOS Linux 7 (Core)   3.10.0-957.el7.x86_64   docker://20.10.7

[root@master ~]#

[root@master ~]# kubectl cluster-info

Kubernetes control plane is running at https://192.168.59.142:6443

CoreDNS is running at https://192.168.59.142:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

Metrics-server is running at https://192.168.59.142:6443/api/v1/namespaces/kube-system/services/https:metrics-server:/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

[root@master ~]#

  • Then prepare a separate VM on the same subnet to use as the client

[root@master2 ~]# ip a | grep 59

inet 192.168.59.151/24 brd 192.168.59.255 scope global noprefixroute ens33

[root@master2 ~]#

Install command

[root@master2 ~]#yum install -y kubelet-1.21.0-0 --disableexcludes=kubernetes

# --disableexcludes=kubernetes: ignore the exclude= list of the kubernetes repo so the pinned kubelet version can be installed

Start the service

[root@master2 ~]#systemctl enable kubelet && systemctl start kubelet

# enable tab completion for kubectl

[root@master2 ~]# head -n3 /etc/profile

/etc/profile

source <(kubectl completion bash)

[root@master2 ~]#

At this point there is no cluster information yet; the exact error message you get may differ

[root@master2 ~]# kubectl get nodes

No resources found

[root@master2 ~]#

Token authentication && kubeconfig authentication

====================================================================================

That part is too long, so it is published separately; for token authentication and kubeconfig authentication see this post:

【Kubernetes】k8s security management explained【k8s architecture, token authentication and kubeconfig authentication in detail】

Authorization

=================================================================

Understanding the authorization-mode setting


  • Config file: /etc/kubernetes/manifests/kube-apiserver.yaml

The authorization mode is configured in this file, around line 20. Several modes can be combined as a comma-separated list, as in the default Node,RBAC; the available modes are listed below.

After changing it, restart the service for the change to take effect: systemctl restart kubelet (kube-apiserver runs as a static pod that the kubelet re-creates from this manifest)

[root@master sefe]# cat -n /etc/kubernetes/manifests/kube-apiserver.yaml| egrep mode

20 - --authorization-mode=Node,RBAC

[root@master sefe]#

--authorization-mode=Node,RBAC # default

  • --authorization-mode=AlwaysAllow # allows every request, whether or not any permission was granted

  • --authorization-mode=AlwaysDeny # rejects every request, regardless of granted permissions [does not affect the admin kubeconfig /etc/kubernetes/admin.conf, whose system:masters group the API server authorizes before any configured mode]

  • --authorization-mode=ABAC

Attribute-Based Access Control # not flexible enough and no longer used in practice

  • --authorization-mode=RBAC # the most commonly used mode; in practically all cases this is the one to use

Role Based Access Control

  • --authorization-mode=Node

The Node authorizer is used mainly for each node's kubelet when it accesses the apiserver; everything else is normally authorized by the RBAC authorizer

AlwaysAllow&&AlwaysDeny


  • These two are straightforward: allow everything or deny everything

I will test with allow-all here.

A grant is currently in place, so delete it first.

[root@master sefe]# kubectl get clusterrolebindings.rbac.authorization.k8s.io test1

NAME ROLE AGE

test1 ClusterRole/cluster-admin 28m

[root@master sefe]# kubectl delete clusterrolebindings.rbac.authorization.k8s.io test1

clusterrolebinding.rbac.authorization.k8s.io "test1" deleted

[root@master sefe]#

I continue the test with the kubeconfig file; read the kubeconfig authentication section referenced above first, otherwise this will not make sense.

[root@master sefe]# ls

ca.crt ccx.crt ccx.csr ccx.key csr.yaml kc1

[root@master sefe]#

[root@master sefe]# kubectl --kubeconfig=kc1 get pods

Error from server (Forbidden): pods is forbidden: User "ccx" cannot list resource "pods" in API group "" in the namespace "default"

[root@master sefe]#
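Instead of opening the whole API server with AlwaysAllow, the Forbidden error above is fixed with a namespaced Role and RoleBinding. This is an added example, not from the original post; it assumes the API server sees the kc1 user as "ccx" (as the error shows), that the namespace is default, and that read-only access to pods is enough. The names pod-reader and ccx-pod-reader are chosen here.

```yaml
# Added example (not from the original post): a least-privilege fix for the
# "User \"ccx\" cannot list resource \"pods\"" error, instead of AlwaysAllow.
# Assumptions: the API server sees the kc1 user as "ccx" (as the error shows),
# the target namespace is "default", and read-only access to pods is enough.
# The names pod-reader and ccx-pod-reader are chosen here, not from the page.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: default            # a Role is always scoped to one namespace
rules:
- apiGroups: [""]               # "" is the core API group named in the error
  resources: ["pods"]
  verbs: ["get", "list", "watch"]   # no create/delete/patch, no pods/exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ccx-pod-reader
  namespace: default
subjects:
- kind: User
  name: ccx                     # must match the user name the API server authenticates
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                    # ClusterRole + ClusterRoleBinding would grant cluster-wide,
  name: pod-reader              # as the deleted test1 -> cluster-admin binding did
  apiGroup: rbac.authorization.k8s.io
# Apply with the admin kubeconfig, then verify before handing kc1 out:
#   kubectl apply -f ccx-pod-reader.yaml
#   kubectl auth can-i list pods -n default --as ccx         # yes
#   kubectl auth can-i delete pods -n default --as ccx       # no
#   kubectl auth can-i list pods -n kube-system --as ccx     # no
#   kubectl --kubeconfig=kc1 get pods                        # now succeeds
```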

  • Config file

Change it to allow-all, then restart the service.

[root@master sefe]# vi /etc/kubernetes/manifests/kube-apiserver.yaml

[root@master sefe]# cat -n /etc/kubernetes/manifests/kube-apiserver.yaml| egrep mode

20 #- --authorization-mode=Node,RBAC

21 --authorization-mode=AlwaysAllow

[root@master sefe]#

[root@master sefe]# !sys

systemctl restart kubelet

[root@master sefe]#

[root@master ~]# systemctl restart kubelet

  • Test

After the restart, this error keeps appearing for quite a while, because the apiserver has not come back up.

[root@master ~]# systemctl restart kubelet

[root@master ~]#

[root@master ~]# kubectl get pods

The connection to the server 192.168.59.142:6443 was refused - did you specify the right host or port?

[root@master ~]#

The apiserver stays down for a very long time, which is absurd.

[root@master kubernetes]# docker ps -a | grep api

525821586ed5 4d217480042e "kube-apiserver --ad…" 15 hours ago Exited (137) 7 minutes ago k8s_kube-apiserver_kube-apiserver-master_kube-system_654a890f23facb6552042e41f67f4aef_1

6b64a8bfc748 registry.aliyuncs.com/google_containers/pause:3.4.1 "/pause" 15 hours ago Up 15 hours k8s_POD_kube-apiserver-master_kube-system_654a890f23facb6552042e41f67f4aef_0

[root@master kubernetes]#

  • So the test cannot be completed: after my change the cluster broke, the apiserver never came back up, and the kubelet keeps logging the error below (the same lines appear in /var/log/messages). I could not find the cause, so I am leaving it there; it is enough to know that these modes exist, and in everyday operation neither allow-all nor deny-all is recommended. (One thing worth checking in the cat -n output above: line 21 has lost the leading "- " list marker that line 20 still has. If the file really reads that way, the manifest is no longer valid YAML, the kubelet cannot recreate the kube-apiserver static pod, and the symptoms seen here would follow.)

[root@master ~]# systemctl status kubelet

● kubelet.service - kubelet: The Kubernetes Node Agent

Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)

Drop-In: /usr/lib/systemd/system/kubelet.service.d

└─10-kubeadm.conf

Active: active (running) since Thu 2021-11-04 09:55:26 CST; 55s ago

Docs: https://kubernetes.io/docs/

Main PID: 29495 (kubelet)

Tasks: 45

Memory: 64.8M

CGroup: /system.slice/kubelet.service

├─29495 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --network-plugin=cni --pod-infra-container-image=regi…

└─30592 /opt/cni/bin/calico

Nov 04 09:56:19 master kubelet[29495]: I1104 09:56:19.238570 29495 kubelet.go:461] "Kubelet nodes not sync"

Nov 04 09:56:19 master kubelet[29495]: I1104 09:56:19.250440 29495 kubelet.go:461] "Kubelet nodes not sync"

Nov 04 09:56:19 master kubelet[29495]: I1104 09:56:19.394574 29495 kubelet.go:461] "Kubelet nodes not sync"

Nov 04 09:56:19 master kubelet[29495]: I1104 09:56:19.809471 29495 kubelet.go:461] "Kubelet nodes not sync"

Nov 04 09:56:20 master kubelet[29495]: I1104 09:56:20.206978 29495 kubelet.go:461] "Kubelet nodes not sync"

Nov 04 09:56:20 master kubelet[29495]: I1104 09:56:20.237387 29495 kubelet.go:461] "Kubelet nodes not sync"

Nov 04 09:56:20 master kubelet[29495]: I1104 09:56:20.250606 29495 kubelet.go:461] "Kubelet nodes not sync"

Nov 04 09:56:20 master kubelet[29495]: I1104 09:56:20.395295 29495 kubelet.go:461] "Kubelet nodes not sync"

Nov 04 09:56:20 master kubelet[29495]: E1104 09:56:20.501094 29495 controller.g
