1.結合kubectl部署,加強了解kubectl config命令
kubectl config命令,生成集羣信息、集羣用戶及其認證憑據,以及關聯二者的上下文(context),並把這些內容寫入kubectl讀取的配置文件(kubeconfig);用戶實際擁有的權限由apiserver端的授權決定,kubeconfig本身不授予權限
部署kubectl時執行的kubectl config命令,見下
[root@k8s-master admin]# source /opt/k8s/bin/environment.sh
# 設置集羣參數
[root@k8s-master admin]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=kubectl.kubeconfig
#設置客戶端認證參數
[root@k8s-master admin]# kubectl config set-credentials admin --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true --kubeconfig=kubectl.kubeconfig
#設置上下文參數,包含集羣名稱和訪問集羣的用戶名字
[root@k8s-master admin]# kubectl config set-context kubernetes --cluster=kubernetes --user=admin --kubeconfig=kubectl.kubeconfig
#使用默認上下文
[root@k8s-master admin]# kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig
Switched to context "kubernetes".
2.kubectl config set-cluster
參考命令,見下:
kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=kubectl.kubeconfig
命令幫助,見下:
kubectl config set-cluster -h
Sets a cluster entry in kubeconfig.
Specifying a name that already exists will merge new fields on top of existing
values for those fields.
Examples:
# Set only the server field on the e2e cluster entry without touching other
values.
kubectl config set-cluster e2e --server=https://1.2.3.4
# Embed certificate authority data for the e2e cluster entry
kubectl config set-cluster e2e
--certificate-authority=~/.kube/e2e/kubernetes.ca.crt
# Disable cert checking for the dev cluster entry
kubectl config set-cluster e2e --insecure-skip-tls-verify=true
Options:
--embed-certs=false: embed-certs for the cluster entry in kubeconfig
Usage:
kubectl config set-cluster NAME [--server=server]
[--certificate-authority=path/to/certificate/authority]
[--insecure-skip-tls-verify=true] [options]
Use "kubectl options" for a list of global command-line options (applies to all
commands).
參數說明:
kubernetes ##集羣名字
--certificate-authority=/etc/kubernetes/cert/ca.pem ##集羣證書頒發ca
--embed-certs=true ##把ca證書內容直接嵌入kubeconfig文件,而不是只記錄證書路徑
--server=${KUBE_APISERVER} ##集羣服務地址(apiserver的ip和端口)
--kubeconfig=kubectl.kubeconfig ##把命令生成的信息內容寫入指定的kubeconfig文件,這裏即kubectl.kubeconfig文件
3.kubectl config set-credentials
參考命令,見下:
kubectl config set-credentials admin --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true --kubeconfig=kubectl.kubeconfig
命令幫助,見下:
[root@k8s-master1 admin]# kubectl config set-credentials -h
Sets a user entry in kubeconfig
Specifying a name that already exists will merge new fields on top of existing
values.
Client-certificate flags:
--client-certificate=certfile --client-key=keyfile
Bearer token flags:
--token=bearer_token
Basic auth flags:
--username=basic_user --password=basic_password
Bearer token and basic auth are mutually exclusive.
Examples:
# Set only the "client-key" field on the "cluster-admin"
# entry, without touching other values:
kubectl config set-credentials cluster-admin --client-key=~/.kube/admin.key
# Set basic auth for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --username=admin
--password=uXFGweU9l35qcif
# Embed client certificate data in the "cluster-admin" entry
kubectl config set-credentials cluster-admin
--client-certificate=~/.kube/admin.crt --embed-certs=true
# Enable the Google Compute Platform auth provider for the "cluster-admin"
entry
kubectl config set-credentials cluster-admin --auth-provider=gcp
# Enable the OpenID Connect auth provider for the "cluster-admin" entry with
additional args
kubectl config set-credentials cluster-admin --auth-provider=oidc
--auth-provider-arg=client-id=foo --auth-provider-arg=client-secret=bar
# Remove the "client-secret" config value for the OpenID Connect auth provider
for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --auth-provider=oidc
--auth-provider-arg=client-secret-
Options:
--auth-provider='': Auth provider for the user entry in kubeconfig
--auth-provider-arg=[]: 'key=value' arguments for the auth provider
--embed-certs=false: Embed client cert/key for the user entry in
kubeconfig
Usage:
kubectl config set-credentials NAME [--client-certificate=path/to/certfile]
[--client-key=path/to/keyfile] [--token=bearer_token] [--username=basic_user]
[--password=basic_password] [--auth-provider=provider_name]
[--auth-provider-arg=key=value] [options]
Use "kubectl options" for a list of global command-line options (applies to all
commands).
參數說明:
admin ##用戶名
--client-certificate=admin.pem ##用到的證書
--client-key=admin-key.pem ##用到的私鑰
--embed-certs=true ##把client端的證書和私鑰寫入kubeconfig文件;生成的kubeconfig因此包含admin的私鑰,應限制該文件的讀取權限(例如chmod 600)
4.kubectl config set-context
參考命令,見下:
kubectl config set-context kubernetes --cluster=kubernetes --user=admin --kubeconfig=kubectl.kubeconfig
命令幫助,見下:
[root@k8s-master1 admin]# kubectl config set-context -h
Sets a context entry in kubeconfig
Specifying a name that already exists will merge new fields on top of existing
values for those fields.
Examples:
# Set the user field on the gce context entry without touching other values
kubectl config set-context gce --user=cluster-admin
Usage:
kubectl config set-context NAME [--cluster=cluster_nickname]
[--user=user_nickname] [--namespace=namespace] [options]
Use "kubectl options" for a list of global command-line options (applies to all
commands).
參數說明:
kubernetes ##context名字
--cluster=kubernetes ##集羣名字
--user=admin ##訪問集羣的用戶名字
5.kubectl config use-context
參考命令見下:
kubectl config use-context kubernetes --kubeconfig=kubectl.kubeconfig
命令幫助,見下:
[root@k8s-master1 admin]# kubectl config use-context -h
Sets the current-context in a kubeconfig file
Aliases:
use-context, use
Examples:
# Use the context for the minikube cluster
kubectl config use-context minikube
Usage:
kubectl config use-context CONTEXT_NAME [options]
Use "kubectl options" for a list of global command-line options (applies to all
commands).
參數說明:
kubernetes ##使用的context名字
6.清空以前的配置
清空前的情況:
[root@k8s-master1 admin]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://192.168.32.127:8443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: admin
name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@k8s-master1 admin]#
清空(先逐項刪除context和cluster並取消current-context,最後刪除整個config文件;users條目沒有單獨刪除,是隨config文件一起清掉的):
[root@k8s-master1 admin]# kubectl config delete-context kubernetes
warning: this removed your active context, use "kubectl config use-context" to select a different one
deleted context kubernetes from /root/.kube/config
[root@k8s-master1 admin]# kubectl config delete-cluster kubernetes
deleted cluster kubernetes from /root/.kube/config
[root@k8s-master1 admin]#
[root@k8s-master1 admin]# kubectl config unset current-context
Property "current-context" unset.
[root@k8s-master1 .kube]# rm -rf config
再執行kubectl config view
[root@k8s-master1 .kube]# kubectl config view
apiVersion: v1
clusters: []
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
[root@k8s-master1 .kube]#
7.重新執行命令
# 設置集羣參數
[root@k8s-master1 .kube]# kubectl config set-cluster kubernetes --certificate-authority=/etc/kubernetes/cert/ca.pem --embed-certs=true --server=https://192.168.32.127:8443 --kubeconfig=config
Cluster "kubernetes" set.
注意:
--server=https://192.168.32.127:8443 ##這裏我使用了真實地址
--kubeconfig=config ##我當前就在.kube目錄下,所以直接生成config文件
[root@k8s-master1 .kube]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://192.168.32.127:8443
name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
[root@k8s-master1 .kube]#
#對比:執行完成這條命令後,集羣信息和用到的證書已經寫入
#設置客戶端認證參數
[root@k8s-master1 .kube]# kubectl config set-credentials admin --client-certificate=/root/k8s/key/admin/admin.pem --client-key=/root/k8s/key/admin/admin-key.pem --embed-certs=true --kubeconfig=config
User "admin" set.
[root@k8s-master1 .kube]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://192.168.32.127:8443
name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@k8s-master1 .kube]#
#對比:執行完成這條命令後,用戶信息和所用的證書和私鑰已經寫入(kubectl config view默認把證書和私鑰數據顯示成REDACTED,config文件中實際保存的是完整內容)
#設置上下文參數
[root@k8s-master1 .kube]# kubectl config set-context kubernetes --cluster=kubernetes --user=admin --kubeconfig=config
Context "kubernetes" created.
[root@k8s-master1 .kube]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://192.168.32.127:8443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: admin
name: kubernetes
current-context: ""
kind: Config
preferences: {}
users:
- name: admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@k8s-master1 .kube]# kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
kubernetes kubernetes admin
[root@k8s-master1 .kube]#
#對比:context已經寫入
#使用上下文參數
[root@k8s-master1 .kube]# kubectl config use-context kubernetes --kubeconfig=config
Switched to context "kubernetes".
[root@k8s-master1 .kube]# kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://192.168.32.127:8443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: admin
name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
[root@k8s-master1 .kube]# kubectl config current-context
kubernetes
#對比:注意current-context: kubernetes,已經使用.