tls-bootstrap configuration

Using tls-bootstrap to issue kubelet certificates automatically

Configure RBAC

First configure RBAC: allow the system:bootstrappers group to create CSRs and have them approved automatically, and allow the system:nodes group to have their certificate-renewal CSRs approved automatically.

Run on one of the master nodes


cat <<EOF | kubectl apply -f -
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: create-csrs-for-bootstrapping
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:node-bootstrapper
  apiGroup: rbac.authorization.k8s.io

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auto-approve-csrs-for-group
subjects:
- kind: Group
  name: system:bootstrappers
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
  apiGroup: rbac.authorization.k8s.io

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auto-approve-renewals-for-nodes
subjects:
- kind: Group
  name: system:nodes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
  apiGroup: rbac.authorization.k8s.io
EOF

Configure the bootstrap token

We need to configure a bootstrap token. The kubelet uses this low-privilege token to submit a CSR to the apiserver; once the apiserver approves it, the controller issues a certificate for the kubelet. After the kubelet fetches the certificate locally, it automatically writes it into a kubeconfig file, and from then on the kubelet uses that certificate to communicate with the apiserver.

  • Create the bootstrap token on a master
    Run on one of the master nodes

    # token-id must be 6 lowercase hex characters, token-secret 16 (the apiserver rejects other formats)
    token_id=$(openssl rand -hex 3)
    token_secret=$(openssl rand -hex 8)
    # Set the token to expire after one day
    token_expiration=$(date -u -d '1 day' +'%FT%TZ')
    
    kubectl -n kube-system create secret generic bootstrap-token-${token_id} \
        --type "bootstrap.kubernetes.io/token" \
        --from-literal description="tls bootstrap token" \
        --from-literal token-id=${token_id} \
        --from-literal token-secret=${token_secret} \
        --from-literal expiration=${token_expiration} \
        --from-literal usage-bootstrap-authentication=true \
        --from-literal usage-bootstrap-signing=true
    
  • Configure the bootstrap-kubelet.conf file
    When the kubelet starts without a client certificate configured, it reads bootstrap-kubelet.conf and uses the token in it to submit a CSR to the apiserver.
    Distribute the bootstrap-kubelet.conf generated below to the /etc/kubernetes directory of every node (masters and workers).

    # token_id and token_secret come from the previous step; the unquoted EOF lets the shell expand them
    cat > bootstrap-kubelet.conf.j2 <<EOF
    apiVersion: v1
    kind: Config
    preferences: {}
    clusters:
    - cluster:
        # certificate-authority takes a file path; certificate-authority-data would require base64 content
        certificate-authority: /etc/kubernetes/pki/ca.crt
        server: https://127.0.0.1:6443
      name: kubernetes
    contexts:
    - context:
        cluster: kubernetes
        user: tls-bootstrap-token-user
      name: tls-bootstrap-token-user@kubernetes
    current-context: tls-bootstrap-token-user@kubernetes
    users:
    - name: tls-bootstrap-token-user
      user:
        token: ${token_id}.${token_secret}
    EOF
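The two steps above (creating the token Secret and writing bootstrap-kubelet.conf) can be checked before anything reaches the cluster. The following script is an added example and not part of the original page: it generates a token pair from /dev/urandom instead of openssl, validates it against the format the apiserver's bootstrap authenticator enforces, and renders both the Secret manifest and the bootstrap kubeconfig as text so they can be inspected or piped into kubectl. The function names, the embedded-base64 CA variant, and the server URL and CA path passed as arguments are this example's own choices, not from the page.

```shell
#!/bin/sh
# Added example (not from the original page): generate, validate and render
# tls-bootstrap artifacts offline. No cluster access is needed to run it.

# hex_random N: print N random bytes as 2N lowercase hex characters.
hex_random() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Format checks matching the apiserver's bootstrap token rules:
# token-id is [a-z0-9]{6}, token-secret is [a-z0-9]{16}.
valid_token_id() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]{6}$'
}
valid_token_secret() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]{16}$'
}
# valid_bootstrap_token "ID.SECRET": the combined form the kubelet puts in its kubeconfig.
valid_bootstrap_token() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# render_token_secret ID SECRET EXPIRATION: the Secret that `kubectl create secret`
# on the page produces; the expiration field is what keeps the credential short-lived.
render_token_secret() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-$1
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  description: "tls bootstrap token"
  token-id: "$1"
  token-secret: "$2"
  expiration: "$3"
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
EOF
}

# render_bootstrap_kubeconfig ID SECRET CA_FILE SERVER: the kubeconfig the kubelet
# uses before it owns a certificate. The CA is embedded as base64 so the file is
# self-contained (certificate-authority-data requires base64, not a path).
render_bootstrap_kubeconfig() {
    ca_b64=$(base64 < "$3" | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
    certificate-authority-data: $ca_b64
    server: $4
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: tls-bootstrap-token-user
  name: tls-bootstrap-token-user@kubernetes
current-context: tls-bootstrap-token-user@kubernetes
users:
- name: tls-bootstrap-token-user
  user:
    token: $1.$2
EOF
}

# Usage (runs only when executed directly, not when sourced by a test):
# the server URL and CA path below are assumptions for illustration.
if [ "${0##*/}" = "tls-bootstrap-render.sh" ]; then
    id=$(hex_random 3)
    secret=$(hex_random 8)
    valid_bootstrap_token "$id.$secret" || { echo "bad token format" >&2; exit 1; }
    render_token_secret "$id" "$secret" "$(date -u -d '1 day' +'%FT%TZ')"
    render_bootstrap_kubeconfig "$id" "$secret" /etc/kubernetes/pki/ca.crt https://127.0.0.1:6443
fi
```

On a master, `render_token_secret ... | kubectl apply -f -` replaces the `kubectl create secret` command from the page; the rendered kubeconfig carries the token-secret in clear text, so distribute it with the same file permissions you would give a private key and rely on the expiration field rather than leaving the token valid indefinitely.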
    
