Chapter 9: Adding a Node with a Bootstrap Token
Chapter 9: K8s Cluster Maintenance
Adding a Node with a Bootstrap Token
TLS Bootstrapping: in a Kubernetes cluster, the Node components kubelet and kube-proxy both need to communicate with kube-apiserver, and for transport security they use HTTPS. This means each Node component needs a client certificate issued by the certificate authority (CA) that kube-apiserver uses. At scale, issuing these client certificates by hand is a lot of work and also makes the cluster harder to expand.
To simplify this, Kubernetes introduced the TLS bootstrapping mechanism, which issues client certificates automatically, so this method is strongly recommended on Nodes.
1. Enable Bootstrap Token authentication in kube-apiserver
    --enable-bootstrap-token-auth=true
2. Store the Bootstrap Token in a Secret
3. Create an RBAC role binding that allows kubelet TLS bootstrap to create CSRs
4. Configure the bootstrap kubeconfig file for kubelet
5. kubectl get csr && kubectl certificate approve xxx
References:
https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens
https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping
Detailed steps for building K8s from binaries:
https://mp.weixin.qq.com/s/VYtyTU9_Dw9M5oHtvRfseA
Automated K8s cluster deployment with Ansible: https://github.com/lizhenliang/ansible-install-k8s/
Server plan:
Role    IP
Master  192.168.31.61
Node1   192.168.31.62
Node2   192.168.31.63
Node3   192.168.31.64
1. Prepare the new node's environment
Install Docker in advance.
    scp /tmp/k8s/docker/* root@192.168.31.73:/usr/bin/
    scp /usr/lib/systemd/system/docker.service root@192.168.31.73:/usr/lib/systemd/system/
    scp -r /etc/docker/daemon.json root@192.168.31.73:/etc/docker/
Copy the files of an already deployed Node to the new node Node3:
    # copy the kubernetes files
    scp -r /opt/kubernetes/ root@192.168.31.73:/opt/
    scp -r /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.31.73:/usr/lib/systemd/system/
    # copy the cni network plugin
    scp -r /opt/cni/ root@192.168.31.73:/opt
Delete the kubelet certificates and kubeconfig files:
    # delete the old kubelet certificates that were copied over; when the new node joins, new ones are generated
    [root@k8s-node2 ~]# cd /opt/kubernetes/ssl/
    [root@k8s-node2 ssl]# ls
    ca.pem kubelet-client-current.pem kubelet.key kube-proxy.pem kubelet-client-2020-08-23-01-07-26.pem kubelet.crt kube-proxy-key.pem
    [root@k8s-node2 ssl]# rm -f kubelet*
    [root@k8s-node2 ssl]# ls
    ca.pem kube-proxy-key.pem kube-proxy.pem
    # delete the old bootstrap.kubeconfig and kubelet.kubeconfig that were copied over
    # (kubelet.kubeconfig is generated automatically once the certificate is issued)
    [root@k8s-node2 ssl]# cd ../cfg/
    [root@k8s-node2 cfg]# ls
    bootstrap.kubeconfig kubelet-config.yml kube-proxy.conf kube-proxy.kubeconfig kubelet.conf kubelet.kubeconfig kube-proxy-config.yml
    [root@k8s-node2 cfg]# rm -f kubelet.kubeconfig bootstrap.kubeconfig
Note: these files are generated automatically after the certificate request is approved and differ for every Node, so they must be deleted and regenerated.
Change the hostname
Rename the newly added node: change node2 in the config files so that it matches the new node's name.
    [root@k8s-node2 cfg]# vim kubelet.conf
    [root@k8s-node2 cfg]# vim kube-proxy-config.yml
2. Confirm that bootstrap-token authentication is enabled
It is enabled by default.
    # cat /opt/kubernetes/cfg/kube-apiserver.conf
    …
    --enable-bootstrap-token-auth=true
    …
3. Store the Bootstrap Token in a Secret
Note: expiration is the token's expiry time; any date a few days after the current time is fine.
    [root@k8s-master1 chp9]# cat token-secret.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      # Name MUST be of form "bootstrap-token-<token id>"
      name: bootstrap-token-07401b
      namespace: kube-system
    # Type MUST be 'bootstrap.kubernetes.io/token'
    type: bootstrap.kubernetes.io/token
    stringData:
      # Human readable description. Optional.
      description: "The default bootstrap token generated by 'kubeadm init'."
      # Token ID and secret. Required.
      token-id: 07401b
      token-secret: f395accd246ae52d
      # Expiration. Optional.
      expiration: 2020-10-10T03:22:11Z
      # Allowed usages.
      usage-bootstrap-authentication: "true"
      usage-bootstrap-signing: "true"
      # Extra groups to authenticate the token as. Must start with "system:bootstrappers:"
      auth-extra-groups: system:bootstrappers:worker,system:bootstrappers:ingress
    [root@k8s-master1 c9]# kubectl apply -f secret-token.yml
    secret/bootstrap-token-07401b created
    [root@k8s-master1 chp9]# kubectl get secrets -n kube-system
    NAME                     TYPE                            DATA   AGE
    bootstrap-token-07401b   bootstrap.kubernetes.io/token   7      17s
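As an added example (not from the original page), the following shell functions generate a token in the id.secret format the apiserver accepts, validate that format, and render the Secret with the required bootstrap-token-<id> name. The token in the usage comment is the one from the page; the expiry and group there are sample values.

```shell
#!/bin/sh
# Added example, not part of the original page. A bootstrap token is
# "<6 chars>.<16 chars>", both halves [a-z0-9]; the Secret name MUST be
# bootstrap-token-<id>, and id and secret are stored as separate keys.

# Print a fresh random token: id and secret joined by a dot.
gen_bootstrap_token() {
    id=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 6)
    secret=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 16)
    printf '%s.%s\n' "$id" "$secret"
}

# Return 0 if $1 is a well-formed bootstrap token, 1 otherwise.
valid_bootstrap_token() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# Render the Secret for token $1, expiring at RFC 3339 time $2, with extra
# group(s) $3 (must start with "system:bootstrappers:"). Rejects bad tokens.
bootstrap_secret_yaml() {
    valid_bootstrap_token "$1" || { echo "bad token format: $1" >&2; return 1; }
    id=${1%%.*}
    secret=${1#*.}
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-$id
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  description: "bootstrap token for adding worker nodes"
  token-id: $id
  token-secret: $secret
  expiration: "$2"
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
  auth-extra-groups: $3
EOF
}

# Usage (token from the page; expiry and group are sample values):
#   bootstrap_secret_yaml 07401b.f395accd246ae52d 2020-10-10T03:22:11Z system:bootstrappers:worker | kubectl apply -f -
```

A token that fails validation is rejected before any manifest is produced, so a typo in the id cannot yield a Secret whose name no longer matches the token-id.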
4. Create an RBAC role binding that allows kubelet TLS bootstrap to create CSRs
    [root@k8s-master1 chp9]# cat rbac.yml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: create-csrs-for-bootstrapping
    subjects:
    - kind: Group
      name: system:bootstrappers
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: system:node-bootstrapper
      apiGroup: rbac.authorization.k8s.io
    [root@k8s-master1 chp9]# kubectl apply -f bootstrap.yml
    clusterrolebinding.rbac.authorization.k8s.io/create-csrs-for-bootstrapping created
5. Configure the bootstrap kubeconfig file for kubelet
Run this on Node3.
    apiVersion: v1
    kind: Config
    clusters:
    - cluster:
        certificate-authority: /opt/kubernetes/ssl/ca.pem
        server: https://192.168.31.71:6443
      name: bootstrap
    contexts:
    - context:
        cluster: bootstrap
        user: kubelet-bootstrap
      name: bootstrap
    current-context: bootstrap
    preferences: {}
    users:
    - name: kubelet-bootstrap
      user:
        token: 07401b.f395accd246ae52d
The kubelet config file points at this kubeconfig; this is already configured by default:
    [root@k8s-node2 ssl]# cat /opt/kubernetes/cfg/kubelet.conf
    KUBELET_OPTS="--logtostderr=false \
    --v=4 \
    --log-dir=/opt/kubernetes/logs \
    --hostname-override=k8s-node2 \
    --network-plugin=cni \
    --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
    --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
    --config=/opt/kubernetes/cfg/kubelet-config.yml \
    --cert-dir=/opt/kubernetes/ssl \
    --pod-infra-container-image=lizhenliang/pause-amd64:3.0"
Start kubelet and enable it at boot:
    systemctl daemon-reload
    systemctl enable kubelet.service
    systemctl start kubelet
6. Issue the certificate on the Master node
The new node's request is the Pending one whose REQUESTOR is system:bootstrap:07401b, i.e. the token created above; approve it by name:
    [root@k8s-master1 c9]# kubectl get csr
    NAME                                                   AGE   SIGNERNAME                                    REQUESTOR                 CONDITION
    node-csr-Ur8gGqJexjA3yGk5k1wWC8y6Q076x4IKHfQjTkx8k3g   34m   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap         Approved,Issued
    node-csr-YVpk8Sax7vSJ_R-J_MAQDOY6jbzWtR4q9xzVXKxPCMM   28s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:07401b   Pending
    node-csr-ps3O0TCveqWMEdANu0Psg1qq-WyFR0pWuaFCKAPupXM   34m   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap         Approved,Issued
    node-csr-ycjy-hf7hO1ZA7fzPIRfUY45htHe_Djh_bY8wgfMqKI   34m   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap         Approved,Issued
    [root@k8s-master1 c9]# kubectl certificate approve node-csr-YVpk8Sax7vSJ_R-J_MAQDOY6jbzWtR4q9xzVXKxPCMM
    certificatesigningrequest.certificates.k8s.io/node-csr-YVpk8Sax7vSJ_R-J_MAQDOY6jbzWtR4q9xzVXKxPCMM approved
    [root@k8s-master1 c9]# kubectl get csr
    NAME                                                   AGE   SIGNERNAME                                    REQUESTOR                 CONDITION
    node-csr-Ur8gGqJexjA3yGk5k1wWC8y6Q076x4IKHfQjTkx8k3g   35m   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap         Approved,Issued
    node-csr-YVpk8Sax7vSJ_R-J_MAQDOY6jbzWtR4q9xzVXKxPCMM   53s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:07401b   Approved,Issued
    node-csr-ps3O0TCveqWMEdANu0Psg1qq-WyFR0pWuaFCKAPupXM   35m   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap         Approved,Issued
    node-csr-ycjy-hf7hO1ZA7fzPIRfUY45htHe_Djh_bY8wgfMqKI   35m   kubernetes.io/kube-apiserver-client-kubelet   kubelet-bootstrap         Approved,Issued
    [root@k8s-master1 c9]# kubectl get node
    NAME          STATUS   ROLES    AGE     VERSION
    k8s-master1   Ready    <none>   37m     v1.18.6
    k8s-node1     Ready    <none>   37m     v1.18.6
    k8s-node2     Ready    <none>   3m48s   v1.18.6
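As an added example that is not part of the original post: rather than approving every Pending CSR, filter the kubectl get csr table so that only Pending requests for the kubelet client signer coming from a bootstrap-token identity (system:bootstrap:<id>) are approved. The sample table is constructed from the output above plus one extra constructed row from an unexpected requestor.

```shell
#!/bin/sh
# Added example, not from the original page. Columns of "kubectl get csr":
#   NAME AGE SIGNERNAME REQUESTOR CONDITION

# Constructed sample: two rows from the page's output and one constructed
# Pending row whose requestor is not a bootstrap token (must NOT be approved).
SAMPLE_CSR_TABLE='NAME AGE SIGNERNAME REQUESTOR CONDITION
node-csr-Ur8gGqJexjA3yGk5k1wWC8y6Q076x4IKHfQjTkx8k3g 34m kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Approved,Issued
node-csr-YVpk8Sax7vSJ_R-J_MAQDOY6jbzWtR4q9xzVXKxPCMM 28s kubernetes.io/kube-apiserver-client-kubelet system:bootstrap:07401b Pending
node-csr-constructed00000000000000000000000000000000 10s kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:default:x Pending'

# Read a "kubectl get csr" table on stdin; print the names of CSRs that are
# Pending, for the kubelet client signer, and requested via a bootstrap token.
pending_kubelet_csrs() {
    awk 'NR > 1 &&
         $3 == "kubernetes.io/kube-apiserver-client-kubelet" &&
         index($4, "system:bootstrap:") == 1 &&
         $5 == "Pending" { print $1 }'
}

# Approve each CSR name read on stdin. $1 overrides the kubectl command
# (e.g. "echo" for a dry run that only prints what would be approved).
approve_listed() {
    cmd=${1:-kubectl}
    while read -r name; do
        [ -n "$name" ] || continue
        "$cmd" certificate approve "$name"
    done
}

# Dry run on the constructed sample; against a live cluster the flow is:
#   kubectl get csr | pending_kubelet_csrs | approve_listed
printf '%s\n' "$SAMPLE_CSR_TABLE" | pending_kubelet_csrs | approve_listed echo
```

Only node-csr-YVpk8Sax7vSJ_R-J_MAQDOY6jbzWtR4q9xzVXKxPCMM is selected from the sample; the already issued rows and the constructed non-bootstrap requestor are skipped.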
K8s cluster certificate renewal, Etcd database backup and restore
K8s cluster certificate renewal (kubeadm)
ETCD certificates:
    Self-signed certificate authority (CA): ca.crt, ca.key
    Client certificate used for communication between etcd cluster members: peer.crt, peer.key
    Client certificate used by the Liveness probe defined in the pod: healthcheck-client.crt, healthcheck-client.key
    etcd node server certificate: server.crt, server.key
K8S certificates:
    Self-signed certificate authority (CA): ca.crt, ca.key
    apiserver server certificate: apiserver.crt, apiserver.key
    apiserver client certificate for connecting to etcd: apiserver-etcd-client.crt, apiserver-etcd-client.key
    apiserver client certificate for accessing kubelet: apiserver-kubelet-client.crt, apiserver-kubelet-client.key
    Aggregation layer (aggregator) CA: front-proxy-ca.crt, front-proxy-ca.key
    Client certificate used by the proxy, for proxied users to authenticate to kube-apiserver: front-proxy-client.crt, front-proxy-client.key
kubelet certificates: automatic rotation is enabled by default.
Check client certificate expiry:
    kubeadm alpha certs check-expiration
Renew all certificates:
    kubeadm alpha certs renew all
    cp /etc/kubernetes/admin.conf /root/.kube/config
Show the validity period (Not Before / Not After) of every certificate in the current directory:
    ls | grep crt | xargs -I {} openssl x509 -text -in {} | grep Not
Etcd database backup and restore
Kubernetes stores the cluster's data in the Etcd database in real time; for safety, it must be backed up!
kubeadm deployment:
Backup:
    ETCDCTL_API=3 etcdctl \
      snapshot save snap.db \
      --endpoints=https://127.0.0.1:2379 \
      --cacert=/etc/kubernetes/pki/etcd/ca.crt \
      --cert=/etc/kubernetes/pki/etcd/peer.crt \
      --key=/etc/kubernetes/pki/etcd/peer.key
(The certificate flags can be left out; when that was done, the cluster did not come up after the restore.)
Restore:
1. First stop the kube-apiserver and etcd containers
    mv /etc/kubernetes/manifests /etc/kubernetes/manifests.bak
    # mv etcd.yaml kube-apiserver.yaml /tmp/   # moving just these two manifests is enough
    mv /var/lib/etcd/ /var/lib/etcd.bak
2. Restore
    ETCDCTL_API=3 etcdctl \
      snapshot restore snap.db \
      --data-dir=/var/lib/etcd
3. Start the kube-apiserver and etcd containers again
    mv /etc/kubernetes/manifests.bak /etc/kubernetes/manifests
Binary deployment:
Backup:
    ETCDCTL_API=3 etcdctl \
      snapshot save snap.db \
      --endpoints=https://192.168.31.71:2379 \
      --cacert=/opt/etcd/ssl/ca.pem \
      --cert=/opt/etcd/ssl/server.pem \
      --key=/opt/etcd/ssl/server-key.pem
Restore:
1. First stop kube-apiserver and etcd
    systemctl stop kube-apiserver
    systemctl stop etcd
    mv /var/lib/etcd/default.etcd /var/lib/etcd/default.etcd.bak
2. Restore on every node (adjust --name and --initial-advertise-peer-urls to the node being restored)
    ETCDCTL_API=3 etcdctl snapshot restore snap.db \
      --name etcd-1 \
      --initial-cluster="etcd-1=https://192.168.31.71:2380,etcd-2=https://192.168.31.72:2380,etcd-3=https://192.168.31.73:2380" \
      --initial-cluster-token=etcd-cluster \
      --initial-advertise-peer-urls=https://192.168.31.71:2380 \
      --data-dir=/var/lib/etcd/default.etcd
3. Start kube-apiserver and etcd
    systemctl start kube-apiserver
    systemctl start etcd
Summary