{"id":316,"date":"2026-01-26T06:26:57","date_gmt":"2026-01-26T06:26:57","guid":{"rendered":"https:\/\/blog.gpst.net.cn:4008\/?p=316"},"modified":"2026-01-28T06:24:13","modified_gmt":"2026-01-28T06:24:13","slug":"kubernetes%e4%bd%bf%e7%94%a8%e4%ba%8c%e8%bf%9b%e5%88%b6%e9%83%a8%e7%bd%b2","status":"publish","type":"post","link":"https:\/\/opshub.com.cn\/?p=316","title":{"rendered":"kubernetes\u4f7f\u7528\u4e8c\u8fdb\u5236\u90e8\u7f72"},"content":{"rendered":"\n

debian11\u64cd\u4f5c\u7cfb\u7edf<\/p>\n\n\n\n

master1&etcd1<\/td>192.168.2.135<\/td><\/tr>
master2&etcd2<\/td>192.168.2.136<\/td><\/tr>
node1<\/td>192.168.2.137<\/td><\/tr>
node2<\/td>192.168.2.138<\/td><\/tr>
vip<\/td>192.168.2.139<\/td><\/tr>
etcd3<\/td>192.168.2.140<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

\u914d\u7f6e\u4e3b\u673a\u540d\uff1a<\/p>\n\n\n\n

192.168.2.135\u3001136\u3001137\u3001138\u3001140\u4e0a\u5206\u522b\u6267\u884c\u5982\u4e0b\uff1a<\/p>\n\n\n\n

hostnamectl set-hostname k8s-master1\nhostnamectl set-hostname k8s-master2\nhostnamectl set-hostname node1\nhostnamectl set-hostname node2\nhostnamectl set-hostname etcd3<\/code><\/pre>\n\n\n\n
\u914d\u7f6ehosts\u6587\u4ef6\uff1a<\/p>\n\n\n\n
cat >>\/etc\/hosts <<EOF\n192.168.2.135 k8s-master1 master1\n192.168.2.136 k8s-master2 master2\n192.168.2.137 k8s-node1 node1\n192.168.2.138 k8s-node2 node2\n192.168.2.140 etcd3\nEOF<\/code><\/pre>\n\n\n\n
\u914d\u7f6e\u4e3b\u673a\u4e4b\u95f4\u65e0\u5bc6\u7801\u767b\u5f55\uff0c\u6bcf\u53f0\u673a\u5668\u90fd\u6309\u5982\u4e0b\u64cd\u4f5c\uff1a<\/p>\n\n\n\n
ssh-kegen -t rsa (\u4e00\u8def\u56de\u8f66\uff0c\u4e0d\u8f93\u5165\u5bc6\u7801)\nfor i in master1 master2 node1 node2 etcd3;do ssh-copy-id $i;done (\u4f9d\u6b21\u8f93\u5165\u4e3b\u673a\u7684root\u5bc6\u7801)<\/code><\/pre>\n\n\n\n
\u5173\u95edfirewalld\u9632\u706b\u5899\u3001selinux\uff08\u53ef\u9009\uff09\uff1a<\/p>\n\n\n\n
systemctl stop firewalld && systemctl disable firewalld\nsed -i 's\/SELINUX=enforcing\/SELINUX=disabled\/g' \/etc\/selinux\/config\nsetenforce 0<\/code><\/pre>\n\n\n\n
\u5173\u95ed\u4ea4\u6362\u5206\u533aswap\uff1a<\/p>\n\n\n\n
\u4e34\u65f6\u5173\u95ed: swapoff -a\n\u6c38\u4e45\u5173\u95ed\uff1a\u6ce8\u91caswap\u6302\u8f7d\uff0c\u6253\u5f00\/etc\/fstab\u7ed9swap\u8fd9\u884c\u5f00\u5934\u52a0\u4e00\u4e0b\u6ce8\u91ca\n#\/dev\/mapper\/debian--vg-swap_1 none            swap    sw              0       0<\/code><\/pre>\n\n\n\n
\u4fee\u6539\u5185\u6838\u53c2\u6570\uff1a<\/p>\n\n\n\n
modprobe br_netfilter (\u52a0\u8f7d br_netfilter \u6a21\u5757)\necho \"br_netfilter\" >>\/etc\/modules (\u5f00\u673a\u81ea\u52a8\u52a0\u8f7d)\n(\u5982\u4e0d\u6267\u884c\u4e0a\u9762\u6b65\u9aa4\u5219\u5728\u4fee\u6539\/etc\/sysctl.d\/k8s.conf \u6587\u4ef6\u540e\u518d\u6267\u884c sysctl -p \/etc\/sysctl.d\/k8s.conf \u4f1a\u51fa\u73b0\u5982\u4e0b\u62a5\u9519\uff1a\nsysctl: cannot stat \/proc\/sys\/net\/bridge\/bridge-nf-call-ip6tables: No such file or directory\nsysctl: cannot stat \/proc\/sys\/net\/bridge\/bridge-nf-call-iptables: No such file or directory)\nlsmod |grep br_netfilter (\u9a8c\u8bc1\u6a21\u5757\u662f\u5426\u52a0\u8f7d\u6210\u529f)\n(net.ipv4.ip_forward \u662f\u6570\u636e\u5305\u8f6c\u53d1\uff1a\n\u51fa\u4e8e\u5b89\u5168\u8003\u8651\uff0cLinux \u7cfb\u7edf\u9ed8\u8ba4\u662f\u7981\u6b62\u6570\u636e\u5305\u8f6c\u53d1\u7684\u3002\u6240\u8c13\u8f6c\u53d1\u5373\u5f53\u4e3b\u673a\u62e5\u6709\u591a\u4e8e\u4e00\u5757\u7684\u7f51\u5361\u65f6\uff0c\u5176\u4e2d\u4e00\u5757\u6536\u5230\u6570\u636e\u5305\uff0c\u6839\u636e\u6570\u636e\u5305\u7684\u76ee\u7684 ip \u5730\u5740\u5c06\u6570\u636e\u5305\u53d1\u5f80\u672c\u673a\u53e6\u4e00\u5757\u7f51\u5361\uff0c\u8be5\u7f51\u5361\u6839\u636e\u8def\u7531\u8868\u7ee7\u7eed\u53d1\u9001\u6570\u636e\u5305\u3002\u8fd9\u901a\u5e38\u662f\u8def\u7531\u5668\u6240\u8981\u5b9e\u73b0\u7684\u529f\u80fd\u3002\n\u8981\u8ba9 Linux \u7cfb\u7edf\u5177\u6709\u8def\u7531\u8f6c\u53d1\u529f\u80fd\uff0c\u9700\u8981\u914d\u7f6e\u4e00\u4e2a Linux \u7684\u5185\u6838\u53c2\u6570 net.ipv4.ip_forward\u3002\u8fd9\u4e2a\u53c2\u6570\u6307\u5b9a\u4e86 Linux \u7cfb\u7edf\u5f53\u524d\u5bf9\u8def\u7531\u8f6c\u53d1\u529f\u80fd\u7684\u652f\u6301\u60c5\u51b5\uff1b\u5176\u503c\u4e3a 0 \u65f6\u8868\u793a\u7981\u6b62\u8fdb\u884c IP \u8f6c\u53d1\uff1b\u5982\u679c\u662f 1,\u5219\u8bf4\u660e IP \u8f6c\u53d1\u529f\u80fd\u5df2\u7ecf\u6253\u5f00\u3002)\ncat > \/etc\/sysctl.d\/k8s.conf <<EOF (\u4fee\u6539\u5185\u6838\u53c2\u6570)\nnet.bridge.bridge-nf-call-ip6tables = 1\nnet.bridge.bridge-nf-call-iptables = 1\nnet.ipv4.ip_forward = 1\nEOF\nsysctl -p \/etc\/sysctl.d\/k8s.conf (\u4f7f\u521a\u624d\u4fee\u6539\u7684\u5185\u6838\u53c2\u6570\u751f\u6548)<\/code><\/pre>\n\n\n\n
\u914d\u7f6e\u65f6\u95f4\u540c\u6b65\uff08\u53ef\u9009\uff09\uff1a<\/p>\n\n\n\n
cat >\/etc\/chrony\/chrony.conf <<EOF\npool ntp.iftop.top iburst minpoll 3 maxpoll 3 maxsources 1 prefer\npool ntp.ubuntu.com        iburst maxsources 4\npool 0.ubuntu.pool.ntp.org iburst maxsources 1\npool 1.ubuntu.pool.ntp.org iburst maxsources 1\npool 2.ubuntu.pool.ntp.org iburst maxsources 2\nstratumweight 0.05\ndriftfile \/var\/lib\/chrony\/drift\nrtcsync\nmakestep 0.5 3\nbindcmdaddress 127.0.0.1\nbindcmdaddress ::1\nnoclientlog\nlogchange 0.5\nlogdir \/var\/log\/chrony\nEOF<\/code><\/pre>\n\n\n\n
\u5b89\u88c5iptables\uff1a<\/p>\n\n\n\n
apt-get install iptables<\/code><\/pre>\n\n\n\n
docker\u73af\u5883\u5b89\u88c5\uff08\u79bb\u7ebf\u90e8\u7f72\uff0c\u6240\u6709\u673a\u5668\u90fd\u9700\u8981\u90e8\u7f72\uff09\uff1a<\/p>\n\n\n\n
\u4fee\u6539 docker \u6587\u4ef6\u9a71\u52a8\u4e3a systemd\uff0c\u9ed8\u8ba4\u4e3a cgroupfs\uff0ckubelet \u9ed8\u8ba4\u4f7f\u7528 systemd\uff0c\u4e24\u8005\u5fc5\u987b\u4e00\u81f4\u624d\u53ef\u4ee5<\/p>\n\n\n\n
1.\u4e0b\u8f7d\u5b89\u88c5\u5305\uff0c\u4e0a\u4f20\u670d\u52a1\u5668\nhttps://download.docker.com\/linux\/static\/stable\/x86_64\/docker-24.0.6.tgz\n2.\u5b89\u88c5\ncp docker\/* \/usr\/bin\n3.\u6ce8\u518c\u7cfb\u7edf\u670d\u52a1\ncat >\/lib\/systemd\/system\/docker.service\n[Unit]\nDescription=Docker Application Container Engine\nDocumentation=https:\/\/docs.docker.com\nAfter=network-online.target firewalld.service\nWants=network-online.target\n[Service]\nType=notify\nExecStart=\/usr\/bin\/dockerd\nExecReload=\/bin\/kill -s HUP $MAINPID\nLimitNOFILE=65535\nLimitNPROC=65535\nLimitCORE=65535\nTimeoutStartSec=0\nDelegate=yes\nKillMode=process\nRestart=on-failure\nStartLimitBurst=3\nStartLimitInterval=60s\n[Install]\nWantedBy=multi-user.target\n4.\u8bbe\u7f6edaemon.json\nmkdir \/etc\/docker\ncat >\/etc\/docker\/daemon.json\n{\n  \"insecure-registries\":[\"210.14.75.1:5000\"],\n  \"registry-mirrors\" :[\n    \"https:\/\/hub.docker.com\",\n    \"https:\/\/dockerproxy.com\",\n    \"https:\/\/docker.nju.edu.cn\",\n    \"https:\/\/mirror.baidubce.com\",\n    \"https:\/\/docker.mirrors.sjtug.sjtu.edu.cn\",\n    \"https:\/\/mirror.iscas.ac.cn\"\n  ],\n  \"proxies\": {\n    \"http-proxy\": \"http:\/\/relay-acting.iftop.top:11969\",\n    \"https-proxy\": \"http:\/\/relay-acting.iftop.top:11969\",\n    \"no-proxy\": \"*.cn,127.0.0.0\/8,192.168.0.0\/16,172.16.0.0\/12,10.0.0.0\/8\"\n  },  \n  \"data-root\": \"\/var\/lib\/docker\",\n  \"exec-opts\": [\"native.cgroupdriver=systemd\"]\n}\n\n\n\n\n5.\u542f\u52a8\u548c\u5f00\u673a\u81ea\u542f\u52a8\napt-get install iptables \uff08\u89e3\u51b3\u62a5\u9519\uff1adockerd[7870]: failed to start daemon: Error initializing network controller: error obtaining controller instance: failed\uff09\nsystemctl daemon-reload\nsystemctl enable --now docker\ndocker info<\/code><\/pre>\n\n\n\n
k8s\u73af\u5883\u90e8\u7f72<\/p>\n\n\n\n
\u642d\u5efaetcd\u96c6\u7fa4<\/p>\n\n\n\n
\u914d\u7f6eetcd\u5de5\u4f5c\u76ee\u5f55\uff08master1\u30012\u3001etcd3\u540c\u65f6\u64cd\u4f5c\uff09<\/p>\n\n\n\n
mkdir -p \/etc\/etcd\/ssl<\/code><\/pre>\n\n\n\n
\u4e0a\u4f20etcd\u3001etcdctl\u3001etcdutl\u5230\/usr\/local\/bin\u76ee\u5f55<\/p>\n\n\n\n
scp \/usr\/local\/bin\/etcd* master2:\/usr\/local\/bin\nscp \/usr\/local\/bin\/etcd* etcd3:\/usr\/local\/bin<\/code><\/pre>\n\n\n\n
\u5b89\u88c5\u7b7e\u53d1\u8bc1\u4e66\u5de5\u5177cfssl<\/p>\n\n\n\n
\u5de5\u5177\u4e0b\u8f7d\u5730\u5740\uff1ahttps:\/\/github.com\/cloudflare\/cfssl\/releases\/tag\/v1.6.5<\/a><\/p>\n\n\n\n
\u5728master1\u4e0a\u64cd\u4f5c\uff1a<\/p>\n\n\n\n
mkdir \/data\/work -p\ncd \/data\/work\/\n\u4e0a\u4f20\uff1acfssl_1.6.5_linux_amd64  cfssl-certinfo_1.6.5_linux_amd64  cfssljson_1.6.5_linux_amd64\nmv cfssl_1.6.5_linux_amd64 \/usr\/local\/bin\/cfssl\nmv cfssljson_1.6.5_linux_amd64 \/usr\/local\/bin\/cfssljson\nmv cfssl-certinfo_1.6.5_linux_amd64 \/usr\/local\/bin\/cfssl-certinfo\nchmod +x \/usr\/local\/bin\/cfssl*<\/code><\/pre>\n\n\n\n
\u914d\u7f6eca\u8bc1\u4e66<\/p>\n\n\n\n
\u751f\u6210ca\u8bc1\u4e66\u8bf7\u6c42\u6587\u4ef6\uff1a<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat ca-csr.json\n{\n  \"CN\": \"kubernetes\",\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"names\": [\n    {\n      \"C\": \"CN\",\n      \"ST\": \"Hubei\",\n      \"L\": \"Wuhan\",\n      \"O\": \"k8s\",\n      \"OU\": \"system\"\n    }\n  ],\n  \"ca\": {\n    \"expiry\": \"87600h\"\n  }\n}<\/code><\/pre>\n\n\n\n
[root@k8s-master1 work]# cfssl gencert -initca ca-csr.json  | cfssljson -bare ca<\/code><\/pre>\n\n\n\n
\u6ce8\uff1a<\/p>\n\n\n\n
CN\uff1aCommon Name\uff08\u516c\u7528\u540d\u79f0\uff09\uff0ckube-apiserver \u4ece\u8bc1\u4e66\u4e2d\u63d0\u53d6\u8be5\u5b57\u6bb5\u4f5c\u4e3a\u8bf7\u6c42\u7684\u7528\u6237\u540d (User Name)\uff1b\u6d4f\u89c8\u5668\u4f7f\u7528\u8be5\u5b57\u6bb5\u9a8c\u8bc1\u7f51\u7ad9\u662f\u5426\u5408\u6cd5\uff1b\u5bf9\u4e8e SSL \u8bc1\u4e66\uff0c\u4e00\u822c\u4e3a\u7f51\u7ad9\u57df\u540d\uff1b\u800c\u5bf9\u4e8e\u4ee3\u7801\u7b7e\u540d\u8bc1\u4e66\u5219\u4e3a\u7533\u8bf7\u5355\u4f4d\u540d\u79f0\uff1b\u800c\u5bf9\u4e8e\u5ba2\u6237\u7aef\u8bc1\u4e66\u5219\u4e3a\u8bc1\u4e66\u7533\u8bf7\u8005\u7684\u59d3\u540d\u3002<\/p>\n\n\n\n
O\uff1aOrganization\uff08\u5355\u4f4d\u540d\u79f0\uff09\uff0ckube-apiserver \u4ece\u8bc1\u4e66\u4e2d\u63d0\u53d6\u8be5\u5b57\u6bb5\u4f5c\u4e3a\u8bf7\u6c42\u7528\u6237\u6240\u5c5e\u7684\u7ec4<\/p>\n\n\n\n
(Group)\uff1b\u5bf9\u4e8e SSL \u8bc1\u4e66\uff0c\u4e00\u822c\u4e3a\u7f51\u7ad9\u57df\u540d\uff1b\u800c\u5bf9\u4e8e\u4ee3\u7801\u7b7e\u540d\u8bc1\u4e66\u5219\u4e3a\u7533\u8bf7\u5355\u4f4d\u540d\u79f0\uff1b\u800c\u5bf9\u4e8e\u5ba2\u6237\u7aef\u5355\u4f4d\u8bc1\u4e66\u5219\u4e3a\u8bc1\u4e66\u7533\u8bf7\u8005\u6240\u5728\u5355\u4f4d\u540d\u79f0\u3002<\/p>\n\n\n\n
L \u5b57\u6bb5\uff1a\u6240\u5728\u57ce\u5e02<\/p>\n\n\n\n
S \u5b57\u6bb5\uff1a\u6240\u5728\u7701\u4efd<\/p>\n\n\n\n
C \u5b57\u6bb5\uff1a\u53ea\u80fd\u662f\u56fd\u5bb6\u5b57\u6bcd\u7f29\u5199\uff0c\u5982\u4e2d\u56fd\uff1aCN<\/p>\n\n\n\n
\u751f\u6210ca\u8bc1\u4e66\u6587\u4ef6<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat ca-config.json\n{\n  \"signing\": {\n    \"default\": {\n      \"expiry\": \"87600h\"\n    },\n    \"profiles\": {\n      \"kubernetes\": {\n        \"usages\": [\n          \"signing\",\n          \"key encipherment\",\n          \"server auth\",\n          \"client auth\"\n        ],\n        \"expiry\": \"87600h\"\n      }\n    }\n  }\n}<\/code><\/pre>\n\n\n\n
\u751f\u6210etcd\u8bc1\u4e66<\/p>\n\n\n\n
\u914d\u7f6eetcd\u8bc1\u4e66\u8bf7\u6c42\uff0chosts\u7684IP\u53d8\u6210\u81ea\u5df1etcd\u6240\u5728\u8282\u70b9\u7684IP\uff0chosts \u5b57\u6bb5\u4e2d IP \u4e3a\u6240\u6709 etcd \u8282\u70b9\u7684\u96c6\u7fa4\u5185\u90e8\u901a\u4fe1 IP\uff0c\u53ef\u4ee5\u9884\u7559\u51e0\u4e2a\uff0c\u505a\u6269\u5bb9\u7528<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat etcd-csr.json\n{\n  \"CN\": \"etcd\",\n  \"hosts\": [\n    \"127.0.0.1\",\n    \"192.168.2.135\",\n    \"192.168.2.136\",\n    \"192.168.2.137\",\n    \"192.168.2.138\",\n    \"192.168.2.139\",\n    \"192.168.2.140\"\n  ],\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"names\": [\n    {\n      \"C\": \"CN\",\n      \"ST\": \"Hubei\",\n      \"L\": \"Wuhan\",\n      \"O\": \"k8s\",\n      \"OU\": \"system\"\n    }\n  ]\n}<\/code><\/pre>\n\n\n\n
[root@k8s-master1 work]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes etcd-csr.json | cfssljson  -bare etcd\nroot@k8s-master1:\/data\/work# ls etcd*.pem\netcd-key.pem  etcd.pem<\/code><\/pre>\n\n\n\n
\u521b\u5efa\u914d\u7f6e\u6587\u4ef6<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat etcd.conf\n#[Member]\nETCD_NAME=\"etcd1\"\nETCD_DATA_DIR=\"\/var\/lib\/etcd\/default.etcd\"\nETCD_LISTEN_PEER_URLS=\"https:\/\/192.168.2.135:2380\"\nETCD_LISTEN_CLIENT_URLS=\"https:\/\/192.168.2.135:2379,http:\/\/127.0.0.1:2379\"\n#[Clustering]\nETCD_INITIAL_ADVERTISE_PEER_URLS=\"https:\/\/192.168.2.135:2380\"\nETCD_ADVERTISE_CLIENT_URLS=\"https:\/\/192.168.2.135:2379\"\nETCD_INITIAL_CLUSTER=\"etcd1=https:\/\/192.168.2.135:2380,etcd2=https:\/\/192.168.2.136:2380\"\nETCD_INITIAL_CLUSTER_TOKEN=\"etcd-cluster\"\nETCD_INITIAL_CLUSTER_STATE=\"new\"<\/code><\/pre>\n\n\n\n
ETCD_NAME\uff1a\u8282\u70b9\u540d\u79f0\uff0c\u96c6\u7fa4\u4e2d\u552f\u4e00<\/p>\n\n\n\n
ETCD_DATA_DIR\uff1a\u6570\u636e\u76ee\u5f55<\/p>\n\n\n\n
ETCD_LISTEN_PEER_URLS\uff1a\u96c6\u7fa4\u901a\u4fe1\u76d1\u542c\u5730\u5740<\/p>\n\n\n\n
ETCD_LISTEN_CLIENT_URLS\uff1a\u5ba2\u6237\u7aef\u8bbf\u95ee\u76d1\u542c\u5730\u5740<\/p>\n\n\n\n
ETCD_INITIAL_ADVERTISE_PEER_URLS\uff1a\u96c6\u7fa4\u901a\u544a\u5730\u5740<\/p>\n\n\n\n
ETCD_ADVERTISE_CLIENT_URLS\uff1a\u5ba2\u6237\u7aef\u901a\u544a\u5730\u5740<\/p>\n\n\n\n
ETCD_INITIAL_CLUSTER\uff1a\u96c6\u7fa4\u8282\u70b9\u5730\u5740<\/p>\n\n\n\n
ETCD_INITIAL_CLUSTER_TOKEN\uff1a\u96c6\u7fa4 TokenETCD_INITIAL_CLUSTER_STATE\uff1a\u52a0\u5165\u96c6\u7fa4\u7684\u5f53\u524d\u72b6\u6001\uff0cnew \u662f\u65b0\u96c6\u7fa4\uff0cexisting \u8868\u793a\u52a0\u5165\u5df2\u6709\u96c6\u7fa4<\/p>\n\n\n\n
\u521b\u5efa\u542f\u52a8\u670d\u52a1\u6587\u4ef6\uff1a<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat etcd.service\n[Unit]\nDescription=Etcd Server\nAfter=network.target\nAfter=network-online.target\nWants=network-online.target\n[Service]\nType=notify\nEnvironmentFile=-\/etc\/etcd\/etcd.conf\nWorkingDirectory=\/var\/lib\/etcd\/\nExecStart=\/usr\/local\/bin\/etcd \\\n  --cert-file=\/etc\/etcd\/ssl\/etcd.pem \\\n  --key-file=\/etc\/etcd\/ssl\/etcd-key.pem \\\n  --trusted-ca-file=\/etc\/etcd\/ssl\/ca.pem \\\n  --peer-cert-file=\/etc\/etcd\/ssl\/etcd.pem \\\n  --peer-key-file=\/etc\/etcd\/ssl\/etcd-key.pem \\\n  --peer-trusted-ca-file=\/etc\/etcd\/ssl\/ca.pem \\\n  --peer-client-cert-auth \\\n  --client-cert-auth\nRestart=on-failure\nRestartSec=5\nLimitNOFILE=65536\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\n
\u628aetcd\u7684\u8bc1\u4e66\u90fd\u5230\u62f7\u8d1d\u5230\/etc\/etcd\/ssl\u76ee\u5f55\u4e0b, \u5e76\u540c\u6b65\u62f7\u8d1d\u5230master2<\/p>\n\n\n\n
cp ca*.pem etcd*.pem \/etc\/etcd\/ssl\/\ncp etcd.conf \/etc\/etcd\/\ncp etcd.service \/usr\/lib\/systemd\/system\/\nscp -r \/etc\/etcd master2:\/etc\/\nscp -r \/usr\/lib\/systemd\/system\/etcd.service master2:\/usr\/lib\/systemd\/system\/<\/code><\/pre>\n\n\n\n
\u542f\u52a8etcd\u96c6\u7fa4<\/p>\n\n\n\n
[root@k8s-master1 work]# mkdir -p \/var\/lib\/etcd\/default.etcd\n[root@k8s-master2 work]# mkdir -p \/var\/lib\/etcd\/default.etcd\n\n\n\u4fee\u6539master2\u7684etcd\u914d\u7f6e\u6587\u4ef6\uff1a\nroot@k8s-master2:~# cat \/etc\/etcd\/etcd.conf\n#[Member]\nETCD_NAME=\"etcd2\"\nETCD_DATA_DIR=\"\/var\/lib\/etcd\/default.etcd\"\nETCD_LISTEN_PEER_URLS=\"https:\/\/192.168.2.136:2380\"\nETCD_LISTEN_CLIENT_URLS=\"https:\/\/192.168.2.136:2379,http:\/\/127.0.0.1:2379\"\n#[Clustering]\nETCD_INITIAL_ADVERTISE_PEER_URLS=\"https:\/\/192.168.2.136:2380\"\nETCD_ADVERTISE_CLIENT_URLS=\"https:\/\/192.168.2.136:2379\"\nETCD_INITIAL_CLUSTER=\"etcd1=https:\/\/192.168.2.135:2380,etcd2=https:\/\/192.168.2.136:2380\"\nETCD_INITIAL_CLUSTER_TOKEN=\"etcd-cluster\"\nETCD_INITIAL_CLUSTER_STATE=\"new\"\n\n\n\u542f\u52a8etcd\u670d\u52a1\uff08\u542f\u52a8 etcd \u7684\u65f6\u5019\uff0c\u5148\u542f\u52a8 k8s-master1 \u7684 etcd \u670d\u52a1\uff0c\u4f1a\u4e00\u76f4\u5361\u4f4f\u5728\u542f\u52a8\u7684\u72b6\u6001\uff0c\u7136\u540e\u63a5\u7740\u518d\u542f\u52a8k8s-master2 \u7684 etcd\uff0c\u8fd9\u6837 k8s-master1 \u8fd9\u4e2a\u8282\u70b9 etcd \u624d\u4f1a\u6b63\u5e38\u8d77\u6765\uff09\n[root@k8s-master1 work]#systemctl daemon-reload && systemctl enable --now etcd.service\n[root@k8s-master2 work]#systemctl daemon-reload && systemctl enable --now etcd.service<\/code><\/pre>\n\n\n\n
\u542f\u52a8\u6b63\u5e38<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u67e5\u770betcd\u96c6\u7fa4<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# ETCDCTL_API=3 && \/usr\/local\/bin\/etcdctl --write-out=table --cacert=\/etc\/etcd\/ssl\/ca.pem --cert=\/etc\/etcd\/ssl\/etcd.pem --key=\/etc\/etcd\/ssl\/etcd-key.pem --endpoints=https:\/\/192.168.2.135:2379,https:\/\/192.168.2.136:2379 endpoint health\n+----------------------------+--------+-------------+-------+\n|          ENDPOINT          | HEALTH |    TOOK     | ERROR |\n+----------------------------+--------+-------------+-------+\n| https:\/\/192.168.2.135:2379 |   true | 15.279648ms |       |\n| https:\/\/192.168.2.136:2379 |   true |  22.56428ms |       |\n+----------------------------+--------+-------------+-------+\nroot@k8s-master1:\/data\/work#\nroot@k8s-master1:\/data\/work# ETCDCTL_API=3 etcdctl --endpoints=https:\/\/192.168.2.135:2379,https:\/\/192.168.2.136:2379 --cacert=ca.pem --cert=etcd.pem --key=etcd-key.pem member list --write-out=table\n+------------------+---------+-------+----------------------------+----------------------------+------------+\n|        ID        | STATUS  | NAME  |         PEER ADDRS         |        CLIENT ADDRS        | IS LEARNER |\n+------------------+---------+-------+----------------------------+----------------------------+------------+\n| 1f07f058a7c8ed46 | started | etcd1 | https:\/\/192.168.2.135:2380 | https:\/\/192.168.2.135:2379 |      false |\n| bcc3f105d45e0ff7 | started | etcd2 | https:\/\/192.168.2.136:2380 | https:\/\/192.168.2.136:2379 |      false |\n+------------------+---------+-------+----------------------------+----------------------------+------------+<\/code><\/pre>\n\n\n\n
\u6269\u5bb9etcd<\/p>\n\n\n\n
etcd\u9700\u89813\u4e2a\u8282\u70b9\u624d\u80fd\u5b9e\u73b0\u5bb9\u95191\u4e2a\u8282\u70b9\u7684\u5197\u4f59<\/p>\n\n\n\n
\u5728master1:<\/p>\n\n\n\n
scp -r \/etc\/etcd etcd3:\/etc\/\nscp -r \/usr\/lib\/systemd\/system\/etcd.service etcd3:\/usr\/lib\/systemd\/system\/\nscp \/usr\/local\/bin\/etcd* etcd3:\/usr\/local\/bin\/<\/code><\/pre>\n\n\n\n
\u4fee\u6539etcd3\u7684\/etc\/etcd\/etcd.conf:<\/p>\n\n\n\n
root@etcd3:~# cat \/etc\/etcd\/etcd.conf\n#[Member]\nETCD_NAME=\"etcd3\"\nETCD_DATA_DIR=\"\/var\/lib\/etcd\/default.etcd\"\nETCD_LISTEN_PEER_URLS=\"https:\/\/192.168.2.140:2380\"\nETCD_LISTEN_CLIENT_URLS=\"https:\/\/192.168.2.140:2379,http:\/\/127.0.0.1:2379\"\n#[Clustering]\nETCD_INITIAL_ADVERTISE_PEER_URLS=\"https:\/\/192.168.2.140:2380\"\nETCD_ADVERTISE_CLIENT_URLS=\"https:\/\/192.168.2.140:2379\"\nETCD_INITIAL_CLUSTER=\"etcd1=https:\/\/192.168.2.135:2380,etcd2=https:\/\/192.168.2.136:2380,etcd3=https:\/\/192.168.2.140:2380\"\nETCD_INITIAL_CLUSTER_TOKEN=\"etcd-cluster\"\nETCD_INITIAL_CLUSTER_STATE=\"existing\"<\/code><\/pre>\n\n\n\n
[root@etcd3 ~]# mkdir -p \/var\/lib\/etcd\/default.etcd<\/code><\/pre>\n\n\n\n
\u5148\u522b\u6025\u7740\u542f\u52a8etcd\u670d\u52a1\uff01\uff01\uff01<\/p>\n\n\n\n
\u5728master1\u4e0a\uff1aAdds a member into the cluster<\/p>\n\n\n\n
cd \/data\/work\netcdctl member add etcd3 --cacert=ca.pem --cert=etcd.pem --key=etcd-key.pem --peer-urls=\"https:\/\/192.168.2.140:2380\"\nroot@k8s-master1:\/data\/work# ETCDCTL_API=3 etcdctl --endpoints=https:\/\/192.168.2.135:2379 --cacert=ca.pem --cert=etcd.pem --key=etcd-key.pem member list -w table\n+------------------+---------+-------+----------------------------+----------------------------+------------+\n|        ID        | STATUS  | NAME  |         PEER ADDRS         |        CLIENT ADDRS        | IS LEARNER |\n+------------------+---------+-------+----------------------------+----------------------------+------------+\n| 1f07f058a7c8ed46 | started | etcd1 | https:\/\/192.168.2.135:2380 | https:\/\/192.168.2.135:2379 |      false |\n| 6caf8b3ebfbf22e3 | started | etcd3 | https:\/\/192.168.2.140:2380 |  |      false |\n| bcc3f105d45e0ff7 | started | etcd2 | https:\/\/192.168.2.136:2380 | https:\/\/192.168.2.136:2379 |      false |\n+------------------+---------+-------+----------------------------+----------------------------+------------+<\/code><\/pre>\n\n\n\n
\u7136\u540e\uff0c\u4fee\u6539etcd1\u30012\u7684etcd.conf\u6587\u4ef6\u4e2d\u7684ETCD_INITIAL_CLUSTER\u4e3a\uff1a<\/p>\n\n\n\n
ETCD_INITIAL_CLUSTER=\"etcd1=https:\/\/192.168.2.135:2380,etcd2=https:\/\/192.168.2.136:2380,etcd3=https:\/\/192.168.2.140:2380\"<\/code><\/pre>\n\n\n\n
etcd1\u30012\uff1a<\/p>\n\n\n\n
systemctl restart etcd<\/code><\/pre>\n\n\n\n
etcd3:<\/p>\n\n\n\n
systemctl daemon-reload && systemctl enable --now etcd<\/code><\/pre>\n\n\n\n
root@k8s-master1:\/data\/work# ETCDCTL_API=3 etcdctl --endpoints=https:\/\/192.168.2.135:2379 --cacert=ca.pem --cert=etcd.pem --key=etcd-key.pem member list -w table\n+------------------+---------+-------+----------------------------+----------------------------+------------+\n|        ID        | STATUS  | NAME  |         PEER ADDRS         |        CLIENT ADDRS        | IS LEARNER |\n+------------------+---------+-------+----------------------------+----------------------------+------------+\n| 1f07f058a7c8ed46 | started | etcd1 | https:\/\/192.168.2.135:2380 | https:\/\/192.168.2.135:2379 |      false |\n| 6caf8b3ebfbf22e3 | started | etcd3 | https:\/\/192.168.2.140:2380 | https:\/\/192.168.2.140:2379 |      false |\n| bcc3f105d45e0ff7 | started | etcd2 | https:\/\/192.168.2.136:2380 | https:\/\/192.168.2.136:2379 |      false |\n+------------------+---------+-------+----------------------------+----------------------------+------------+<\/code><\/pre>\n\n\n\n
\u4e0b\u8f7dk8s\u4e8c\u8fdb\u5236\u5305\uff1a<\/p>\n\n\n\n
1.\u4e0b\u8f7d\u6e90\u4ee3\u7801\u5305\uff1ahttps:\/\/github.com\/kubernetes\/kubernetes\/releases\/tag\/v1.23.14<\/a><\/p>\n\n\n\n
https:\/\/github.com\/kubernetes\/kubernetes\/archive\/refs\/tags\/v1.23.14.tar.gz<\/a><\/p>\n\n\n\n
2.\u63d0\u53d6\u4e8c\u8fdb\u5236\u5305<\/p>\n\n\n\n
tar zxf kubernetes-1.23.14.tar.gz\ncd kubernetes-1.23.14\/\necho \"v1.23.14\" >.\/version\ncd cluster\/\nvi get-kube-binaries.sh (\u5934\u90e8\u52a0\u5165export https_proxy=http:\/\/relay-acting.iftop.top:11969;export http_proxy=http:\/\/relay-acting.iftop.top:11969)\nbash .\/get-kube-binaries.sh\ncd ..\/server\/\nsz kubernetes-server-linux-amd64.tar.gz<\/code><\/pre>\n\n\n\n
\u628akubernetes-server-linux-amd64.tar.gz \u4e0a\u4f20\u5230master1\u4e0a\u7684\/data\/work\u76ee\u5f55\u4e0b\uff1a<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# rz\nrz waiting to receive.\nStarting zmodem transfer.  Press Ctrl+C to cancel.\n\n\n\n\nroot@k8s-master1:\/data\/work# rz -bye\nrz waiting to receive.\nStarting zmodem transfer.  Press Ctrl+C to cancel.\nTransferring kubernetes-server-linux-amd64.tar.gz...\n  100%  333979 KB    6957 KB\/sec    00:00:48       0 Errors   \n\n\n\n\nroot@k8s-master1:\/data\/work# tar zxf kubernetes-server-linux-amd64.tar.gz\nroot@k8s-master1:\/data\/work# cd kubernetes\/server\/bin\/\nroot@k8s-master1:\/data\/work\/kubernetes\/server\/bin# cp kube-apiserver kube-controller-manager kube-scheduler kubectl \/usr\/local\/bin\/\nroot@k8s-master1:\/data\/work\/kubernetes\/server\/bin# scp kube-apiserver kube-controller-manager kube-scheduler kubectl master2:\/usr\/local\/bin\/\nkube-apiserver                                                                                                       100%  125MB  99.3MB\/s   00:01    \nkube-controller-manager                                                                                              100%  116MB 125.0MB\/s   00:00    \nkube-scheduler                                                                                                       100%   47MB 112.8MB\/s   00:00    \nkubectl                                                                                                              100%   44MB 115.1MB\/s   00:00    \nroot@k8s-master1:\/data\/work\/kubernetes\/server\/bin# cd \/data\/work\/\nroot@k8s-master1:\/data\/work# mkdir -p \/etc\/kubernetes\/ssl\nroot@k8s-master1:\/data\/work# mkdir \/var\/log\/kubernetes\nroot@k8s-master1:\/data\/work#<\/code><\/pre>\n\n\n\n
\u90e8\u7f72apiserver\u7ec4\u4ef6<\/p>\n\n\n\n
\u542f\u52a8TLS Bootstrapping\u673a\u5236Master apiserver \u542f\u7528 TLS \u8ba4\u8bc1\u540e\uff0c\u6bcf\u4e2a\u8282\u70b9\u7684 kubelet \u7ec4\u4ef6\u90fd\u8981\u4f7f\u7528\u7531 apiserver \u4f7f\u7528\u7684CA \u7b7e\u53d1\u7684\u6709\u6548\u8bc1\u4e66\u624d\u80fd\u4e0e apiserver \u901a\u8baf\uff0c\u5f53 Node \u8282\u70b9\u5f88\u591a\u65f6\uff0c\u8fd9\u79cd\u5ba2\u6237\u7aef\u8bc1\u4e66\u9881\u53d1\u9700\u8981\u5927\u91cf\u5de5\u4f5c\uff0c\u540c\u6837\u4e5f\u4f1a\u589e\u52a0\u96c6\u7fa4\u6269\u5c55\u590d\u6742\u5ea6\u3002\u4e3a\u4e86\u7b80\u5316\u6d41\u7a0b\uff0cKubernetes \u5f15\u5165\u4e86 TLS bootstraping \u673a\u5236\u6765\u81ea\u52a8\u9881\u53d1\u5ba2\u6237\u7aef\u8bc1\u4e66\uff0ckubelet \u4f1a\u4ee5\u4e00\u4e2a\u4f4e\u6743\u9650\u7528\u6237\u81ea\u52a8\u5411 apiserver \u7533\u8bf7\u8bc1\u4e66\uff0ckubelet \u7684\u8bc1\u4e66\u7531 apiserver \u52a8\u6001\u7b7e\u7f72\u3002<\/p>\n\n\n\n
TLS bootstrapping \u5177\u4f53\u5f15\u5bfc\u8fc7\u7a0b<\/h3>\n\n\n\n
1.TLS \u4f5c\u7528<\/p>\n\n\n\n
TLS \u7684\u4f5c\u7528\u5c31\u662f\u5bf9\u901a\u8baf\u52a0\u5bc6\uff0c\u9632\u6b62\u4e2d\u95f4\u4eba\u7a83\u542c\uff1b\u540c\u65f6\u5982\u679c\u8bc1\u4e66\u4e0d\u4fe1\u4efb\u7684\u8bdd\u6839\u672c\u5c31\u65e0\u6cd5\u4e0e apiserver\u5efa\u7acb\u8fde\u63a5\uff0c\u66f4\u4e0d\u7528\u63d0\u6709\u6ca1\u6709\u6743\u9650\u5411 apiserver \u8bf7\u6c42\u6307\u5b9a\u5185\u5bb9\u3002<\/p>\n\n\n\n
2.RBAC\u4f5c\u7528<\/p>\n\n\n\n
\u5f53 TLS \u89e3\u51b3\u4e86\u901a\u8baf\u95ee\u9898\u540e\uff0c\u90a3\u4e48\u6743\u9650\u95ee\u9898\u5c31\u5e94\u7531 RBAC \u89e3\u51b3(\u53ef\u4ee5\u4f7f\u7528\u5176\u4ed6\u6743\u9650\u6a21\u578b\uff0c\u5982ABAC)\uff1bRBAC \u4e2d\u89c4\u5b9a\u4e86\u4e00\u4e2a\u7528\u6237\u6216\u8005\u7528\u6237\u7ec4(subject)\u5177\u6709\u8bf7\u6c42\u54ea\u4e9b api \u7684\u6743\u9650\uff1b\u5728\u914d\u5408 TLS \u52a0\u5bc6\u7684\u65f6\u5019\uff0c\u5b9e\u9645\u4e0a apiserver \u8bfb\u53d6\u5ba2\u6237\u7aef\u8bc1\u4e66\u7684 CN \u5b57\u6bb5\u4f5c\u4e3a\u7528\u6237\u540d\uff0c\u8bfb\u53d6 O \u5b57\u6bb5\u4f5c\u4e3a\u7528\u6237\u7ec4\u3002<\/p>\n\n\n\n
\u4ee5\u4e0a\u8bf4\u660e\uff1a\u7b2c\u4e00\uff0c\u60f3\u8981\u4e0e apiserver \u901a\u8baf\u5c31\u5fc5\u987b\u91c7\u7528\u7531 apiserver CA \u7b7e\u53d1\u7684\u8bc1\u4e66\uff0c\u8fd9\u6837\u624d\u80fd\u5f62\u6210\u4fe1\u4efb\u5173\u7cfb\uff0c\u5efa\u7acb TLS \u8fde\u63a5\uff1b\u7b2c\u4e8c\uff0c\u53ef\u4ee5\u901a\u8fc7\u8bc1\u4e66\u7684 CN\u3001O \u5b57\u6bb5\u6765\u63d0\u4f9b RBAC \u6240\u9700\u7684\u7528\u6237\u4e0e\u7528\u6237\u7ec4\u3002<\/p>\n\n\n\n
kubelet \u9996\u6b21\u542f\u52a8\u6d41\u7a0b<\/p>\n\n\n\n
TLS bootstrapping \u529f\u80fd\u662f\u8ba9 kubelet \u7ec4\u4ef6\u53bb apiserver \u7533\u8bf7\u8bc1\u4e66\uff0c\u7136\u540e\u7528\u4e8e\u8fde\u63a5apiserver\uff1b\u90a3\u4e48\u7b2c\u4e00\u6b21\u542f\u52a8\u65f6\u6ca1\u6709\u8bc1\u4e66\u5982\u4f55\u8fde\u63a5 apiserver ?<\/p>\n\n\n\n
\u5728 apiserver \u914d\u7f6e\u4e2d\u6307\u5b9a\u4e86\u4e00\u4e2a token.csv \u6587\u4ef6\uff0c\u8be5\u6587\u4ef6\u4e2d\u662f\u4e00\u4e2a\u9884\u8bbe\u7684\u7528\u6237\u914d\u7f6e\uff1b\u540c\u65f6\u8be5\u7528\u6237\u7684Token \u548c \u7531 apiserver \u7684 CA \u7b7e\u53d1\u7684\u7528\u6237\u88ab\u5199\u5165\u4e86 kubelet \u6240\u4f7f\u7528\u7684 bootstrap.kubeconfig \u914d\u7f6e\u6587\u4ef6\u4e2d\uff1b\u8fd9\u6837\u5728\u9996\u6b21\u8bf7\u6c42\u65f6\uff0ckubelet \u4f7f\u7528 bootstrap.kubeconfig \u4e2d\u88ab apiserver CA \u7b7e\u53d1\u8bc1\u4e66\u65f6\u4fe1\u4efb\u7684\u7528\u6237\u6765\u4e0e apiserver \u5efa\u7acb TLS \u901a\u8baf\uff0c\u4f7f\u7528 bootstrap.kubeconfig \u4e2d\u7684\u7528\u6237 Token \u6765\u5411apiserver \u58f0\u660e\u81ea\u5df1\u7684 RBAC \u6388\u6743\u8eab\u4efd.<\/p>\n\n\n\n
token.csv \u683c\u5f0f:<\/p>\n\n\n\n
3940fd7fbb391d1b4d861ad17a1f0613,kubelet-bootstrap,10001,”system:kubelet-bootstrap”<\/p>\n\n\n\n
\u9996\u6b21\u542f\u52a8\u65f6\uff0c\u53ef\u80fd\u4e0e\u9047\u5230 kubelet \u62a5 401 \u65e0\u6743\u8bbf\u95ee apiserver \u7684\u9519\u8bef\uff1b\u8fd9\u662f\u56e0\u4e3a\u5728\u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0ckubelet \u901a\u8fc7 bootstrap.kubeconfig \u4e2d\u7684\u9884\u8bbe\u7528\u6237 Token \u58f0\u660e\u4e86\u81ea\u5df1\u7684\u8eab\u4efd\uff0c\u7136\u540e\u521b\u5efa CSR\u8bf7\u6c42\uff1b\u4f46\u662f\u4e0d\u8981\u5fd8\u8bb0\u8fd9\u4e2a\u7528\u6237\u5728\u6211\u4eec\u4e0d\u5904\u7406\u7684\u60c5\u51b5\u4e0b\u4ed6\u6ca1\u4efb\u4f55\u6743\u9650\u7684\uff0c\u5305\u62ec\u521b\u5efa CSR \u8bf7\u6c42\uff1b\u6240\u4ee5\u9700\u8981\u521b\u5efa\u4e00\u4e2aClusterRoleBinding\uff0c\u5c06\u9884\u8bbe\u7528\u6237 kubelet-bootstrap \u4e0e\u5185\u7f6e\u7684 ClusterRole system:node-bootstrapper \u7ed1\u5b9a\u5230\u4e00\u8d77\uff0c\u4f7f\u5176\u80fd\u591f\u53d1\u8d77 CSR \u8bf7\u6c42\u3002<\/p>\n\n\n\n
\u521b\u5efatoken.csv\u6587\u4ef6\uff0c\u683c\u5f0f\uff1atoken\uff0c\u7528\u6237\u540d\uff0cUID\uff0c\u7528\u6237\u7ec4<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat >token.csv <<EOF\n>$(head -c 16 \/dev\/urandom | od -An -t x | tr -d ' '),kubelet-bootstrap,10001,\"system:kubelet-bootstrap\"\n>EOF\nroot@k8s-master1:\/data\/work# cat token.csv\n8c06cbc832b6ca19f349cebc82fc74b0,kubelet-bootstrap,10001,\"system:kubelet-bootstrap\"\nroot@k8s-master1:\/data\/work#<\/code><\/pre>\n\n\n\n
\u521b\u5efacsr\u8bf7\u6c42\u6587\u4ef6\uff0c\u66ff\u6362\u4e3a\u81ea\u5df1\u673a\u5668\u7684IP<\/p>\n\n\n\n
\u5982\u679c hosts \u5b57\u6bb5\u4e0d\u4e3a\u7a7a\u5219\u9700\u8981\u6307\u5b9a\u6388\u6743\u4f7f\u7528\u8be5\u8bc1\u4e66\u7684 IP \u6216\u57df\u540d\u5217\u8868\u3002 \u7531\u4e8e\u8be5\u8bc1\u4e66\u540e\u7eed\u88ab kubernetes master \u96c6\u7fa4\u4f7f\u7528\uff0c\u9700\u8981\u5c06 master \u8282\u70b9\u7684 IP \u90fd\u586b\u4e0a\uff0c\u540c\u65f6\u8fd8\u9700\u8981\u586b\u5199 service \u7f51\u7edc\u7684\u9996\u4e2a IP\u3002(\u4e00\u822c\u662f kube-apiserver \u6307\u5b9a\u7684 service-cluster-ip-range \u7f51\u6bb5\u7684\u7b2c\u4e00\u4e2a IP\uff0c\u5982 10.255.0.1)<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat kube-apiserver-csr.json  \n{\n  \"CN\": \"kubernetes\",\n  \"hosts\": [\n    \"127.0.0.1\",\n    \"192.168.2.135\",\n    \"192.168.2.136\",\n    \"192.168.2.138\",\n    \"192.168.2.139\",\n    \"192.168.2.140\",\n    \"10.255.0.1\",\n    \"kubernetes\",\n    \"kubernetes.default\",\n    \"kubernetes.default.svc\",\n    \"kubernetes.default.svc.cluster\",\n    \"kubernetes.default.svc.cluster.local\"\n  ],\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"names\": [\n    {\n      \"C\": \"CN\",\n      \"ST\": \"Hubei\",\n      \"L\": \"Wuhan\",\n      \"O\": \"k8s\",\n      \"OU\": \"system\"\n    }\n  ]\n}<\/code><\/pre>\n\n\n\n
\u751f\u6210\u8bc1\u4e66<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-apiserver-csr.json |cfssljson -bare kube-apiserver\n2024\/08\/07 14:51:10 [INFO] generate received request\n2024\/08\/07 14:51:10 [INFO] received CSR\n2024\/08\/07 14:51:10 [INFO] generating key: rsa-2048\n2024\/08\/07 14:51:10 [INFO] encoded CSR\n2024\/08\/07 14:51:10 [INFO] signed certificate with serial number 695892646101567378378411579612735881419826252228\nroot@k8s-master1:\/data\/work# ls kube-apiserver*.pem\nkube-apiserver-key.pem  kube-apiserver.pem<\/code><\/pre>\n\n\n\n
\u521b\u5efaapi-server\u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u66ff\u6362\u6210\u81ea\u5df1\u7684IP<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat kube-apiserver.conf\nKUBE_APISERVER_OPTS=\"--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\\n  --anonymous-auth=false \\\n  --bind-address=0.0.0.0 \\\n  --secure-port=6443 \\\n  --advertise-address=192.168.2.135 \\\n  --insecure-port=0 \\\n  --authorization-mode=Node,RBAC \\\n  --runtime-config=api\/all=true \\\n  --enable-bootstrap-token-auth \\\n  --service-cluster-ip-range=10.255.0.0\/16 \\\n  --token-auth-file=\/etc\/kubernetes\/token.csv \\\n  --service-node-port-range=30000-50000 \\\n  --tls-cert-file=\/etc\/kubernetes\/ssl\/kube-apiserver.pem  \\\n  --tls-private-key-file=\/etc\/kubernetes\/ssl\/kube-apiserver-key.pem \\\n  --client-ca-file=\/etc\/kubernetes\/ssl\/ca.pem \\\n  --kubelet-client-certificate=\/etc\/kubernetes\/ssl\/kube-apiserver.pem \\\n  --kubelet-client-key=\/etc\/kubernetes\/ssl\/kube-apiserver-key.pem \\\n  --service-account-key-file=\/etc\/kubernetes\/ssl\/ca-key.pem \\\n  --service-account-signing-key-file=\/etc\/kubernetes\/ssl\/ca-key.pem  \\\n  --service-account-issuer=https:\/\/kubernetes.default.svc.cluster.local \\\n  --etcd-cafile=\/etc\/etcd\/ssl\/ca.pem \\\n  --etcd-certfile=\/etc\/etcd\/ssl\/etcd.pem \\\n  --etcd-keyfile=\/etc\/etcd\/ssl\/etcd-key.pem \\\n  --etcd-servers=https:\/\/192.168.2.135:2379,https:\/\/192.168.2.136:2379,https:\/\/192.168.2.140:2379 \\\n  --enable-swagger-ui=true \\\n  --allow-privileged=true \\\n  --apiserver-count=3 \\\n  --audit-log-maxage=30 \\\n  --audit-log-maxbackup=3 \\\n  --audit-log-maxsize=100 \\\n  --audit-log-path=\/var\/log\/kube-apiserver-audit.log \\\n  --event-ttl=1h \\\n  --alsologtostderr=true \\\n  --logtostderr=false \\\n  --log-dir=\/var\/log\/kubernetes \\\n  --v=4\"<\/code><\/pre>\n\n\n\n
\u6ce8\u89e3<\/p>\n\n\n\n
–logtostderr\uff1a\u542f\u7528\u65e5\u5fd7<\/p>\n\n\n\n
–v\uff1a\u65e5\u5fd7\u7b49\u7ea7<\/p>\n\n\n\n
–log-dir\uff1a\u65e5\u5fd7\u76ee\u5f55<\/p>\n\n\n\n
–etcd-servers\uff1aetcd \u96c6\u7fa4\u5730\u5740<\/p>\n\n\n\n
–bind-address\uff1a\u76d1\u542c\u5730\u5740\uff08\u7528keepalived\u9ad8\u53ef\u7528\u65b9\u6848\uff0c\u8fd9\u91cc\u586b\u51990.0.0.0\uff0c\u53ef\u4ee5\u901a\u8fc7vip\u8fde\u63a5\uff09<\/p>\n\n\n\n
–secure-port\uff1ahttps \u5b89\u5168\u7aef\u53e3<\/p>\n\n\n\n
–advertise-address\uff1a\u96c6\u7fa4\u901a\u544a\u5730\u5740<\/p>\n\n\n\n
–allow-privileged\uff1a\u542f\u7528\u6388\u6743<\/p>\n\n\n\n
–service-cluster-ip-range\uff1aService \u865a\u62df IP \u5730\u5740\u6bb5<\/p>\n\n\n\n
–enable-admission-plugins\uff1a\u51c6\u5165\u63a7\u5236\u6a21\u5757<\/p>\n\n\n\n
–authorization-mode\uff1a\u8ba4\u8bc1\u6388\u6743\uff0c\u542f\u7528 RBAC \u6388\u6743\u548c\u8282\u70b9\u81ea\u7ba1\u7406<\/p>\n\n\n\n
–enable-bootstrap-token-auth\uff1a\u542f\u7528 TLS bootstrap \u673a\u5236<\/p>\n\n\n\n
–token-auth-file\uff1abootstrap token \u6587\u4ef6<\/p>\n\n\n\n
–service-node-port-range\uff1aService nodeport \u7c7b\u578b\u9ed8\u8ba4\u5206\u914d\u7aef\u53e3\u8303\u56f4<\/p>\n\n\n\n
–kubelet-client-xxx\uff1aapiserver \u8bbf\u95ee kubelet \u5ba2\u6237\u7aef\u8bc1\u4e66<\/p>\n\n\n\n
–tls-xxx-file\uff1aapiserver https \u8bc1\u4e66<\/p>\n\n\n\n
–etcd-xxxfile\uff1a\u8fde\u63a5 Etcd \u96c6\u7fa4\u8bc1\u4e66<\/p>\n\n\n\n
\u2013-audit-log-xxx\uff1a\u5ba1\u8ba1\u65e5\u5fd7<\/p>\n\n\n\n
\u521b\u5efa\u670d\u52a1\u542f\u52a8\u6587\u4ef6<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat >kube-apiserver.service\n[Unit]\nDescription=Kubernetes API Server\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\nAfter=etcd.service\nWants=etcd.service\n[Service]\nEnvironmentFile=-\/etc\/kubernetes\/kube-apiserver.conf\nExecStart=\/usr\/local\/bin\/kube-apiserver $KUBE_APISERVER_OPTS\nRestart=on-failure\nRestartSec=5\nType=notify\nLimitNOFILE=65536\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\n
\u62f7\u8d1d\u8bc1\u4e66\u6587\u4ef6\u5230\u76f8\u5e94\u7684\u76ee\u5f55\uff0c\u540c\u65f6\u4e5f\u62f7\u8d1d\u5230master2\u8282\u70b9<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cp ca*.pem kube-apiserver*.pem \/etc\/kubernetes\/ssl\/\nroot@k8s-master1:\/data\/work# cp token.csv \/etc\/kubernetes\/\nroot@k8s-master1:\/data\/work# cp kube-apiserver.conf \/etc\/kubernetes\/\nroot@k8s-master1:\/data\/work# cp kube-apiserver.service \/usr\/lib\/systemd\/system\/\nroot@k8s-master1:\/data\/work# scp -r \/etc\/kubernetes master2:\/etc\/\ntoken.csv                                                                                                            100%   84    44.3KB\/s   00:00    \nkube-apiserver.conf                                                                                                  100% 1584   885.2KB\/s   00:00    \nkube-apiserver.pem                                                                                                   100% 1590     1.5MB\/s   00:00    \nca-key.pem                                                                                                           100% 1679     2.0MB\/s   00:00    \nca.pem                                                                                                               100% 1298     1.9MB\/s   00:00    \nkube-apiserver-key.pem                                                                                               100% 1675     2.4MB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp \/usr\/lib\/systemd\/system\/kube-apiserver.service master2:\/usr\/lib\/systemd\/system\/\nkube-apiserver.service                   <\/code><\/pre>\n\n\n\n
\u6ce8\u610f\uff01\uff01\uff01\uff01k8s-master2 \u914d\u7f6e\u6587\u4ef6 kube-apiserver.conf \u7684 IP \u5730\u5740\u4fee\u6539\u4e3a\u5b9e\u9645\u7684\u672c\u673a IP<\/p>\n\n\n\n
root@k8s-master2:\/etc\/kubernetes# cat kube-apiserver.conf    \nKUBE_APISERVER_OPTS=\"--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\\n  --anonymous-auth=false \\\n  --bind-address=0.0.0.0 \\\n  --secure-port=6443 \\\n  --advertise-address=192.168.2.136 \\\n  --insecure-port=0 \\\n  --authorization-mode=Node,RBAC \\\n  --runtime-config=api\/all=true \\\n  --enable-bootstrap-token-auth \\\n  --service-cluster-ip-range=10.255.0.0\/16 \\\n  --token-auth-file=\/etc\/kubernetes\/token.csv \\\n  --service-node-port-range=30000-50000 \\\n  --tls-cert-file=\/etc\/kubernetes\/ssl\/kube-apiserver.pem  \\\n  --tls-private-key-file=\/etc\/kubernetes\/ssl\/kube-apiserver-key.pem \\\n  --client-ca-file=\/etc\/kubernetes\/ssl\/ca.pem \\\n  --kubelet-client-certificate=\/etc\/kubernetes\/ssl\/kube-apiserver.pem \\\n  --kubelet-client-key=\/etc\/kubernetes\/ssl\/kube-apiserver-key.pem \\\n  --service-account-key-file=\/etc\/kubernetes\/ssl\/ca-key.pem \\\n  --service-account-signing-key-file=\/etc\/kubernetes\/ssl\/ca-key.pem  \\\n  --service-account-issuer=https:\/\/kubernetes.default.svc.cluster.local \\\n  --etcd-cafile=\/etc\/etcd\/ssl\/ca.pem \\\n  --etcd-certfile=\/etc\/etcd\/ssl\/etcd.pem \\\n  --etcd-keyfile=\/etc\/etcd\/ssl\/etcd-key.pem \\\n  --etcd-servers=https:\/\/192.168.2.135:2379,https:\/\/192.168.2.136:2379,https:\/\/192.168.2.140:2379 \\\n  --enable-swagger-ui=true \\\n  --allow-privileged=true \\\n  --apiserver-count=3 \\\n  --audit-log-maxage=30 \\\n  --audit-log-maxbackup=3 \\\n  --audit-log-maxsize=100 \\\n  --audit-log-path=\/var\/log\/kube-apiserver-audit.log \\\n  --event-ttl=1h \\\n  --alsologtostderr=true \\\n  --logtostderr=false \\\n  --log-dir=\/var\/log\/kubernetes \\\n  --v=4\"<\/code><\/pre>\n\n\n\n
\u542f\u52a8kube-apiserver<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# systemctl daemon-reload && systemctl enable --now kube-apiserver\nCreated symlink \/etc\/systemd\/system\/multi-user.target.wants\/kube-apiserver.service \u2192 \/lib\/systemd\/system\/kube-apiserver.service.\nroot@k8s-master1:\/data\/work# systemctl status kube-apiserver      \n\u25cf kube-apiserver.service - Kubernetes API Server\n     Loaded: loaded (\/lib\/systemd\/system\/kube-apiserver.service; enabled; vendor preset: enabled)\n     Active: active (running) since Wed 2024-08-07 15:11:14 CST; 14s ago\nroot@k8s-master2:~# systemctl daemon-reload && systemctl enable --now kube-apiserver\nCreated symlink \/etc\/systemd\/system\/multi-user.target.wants\/kube-apiserver.service \u2192 \/lib\/systemd\/system\/kube-apiserver.service.\nroot@k8s-master2:~# systemctl status kube-apiserver\n\u25cf kube-apiserver.service - Kubernetes API Server\n     Loaded: loaded (\/lib\/systemd\/system\/kube-apiserver.service; enabled; vendor preset: enabled)\n     Active: active (running) since Wed 2024-08-07 15:13:45 CST; 11s ago<\/code><\/pre>\n\n\n\n
root@k8s-master1:\/data\/work# curl -k https:\/\/192.168.2.135:6443\/\n{\n  \"kind\": \"Status\",\n  \"apiVersion\": \"v1\",\n  \"metadata\": {},\n  \"status\": \"Failure\",\n  \"message\": \"Unauthorized\",\n  \"reason\": \"Unauthorized\",\n  \"code\": 401\n}<\/code><\/pre>\n\n\n\n
\u4e0a\u9762\u770b\u5230 401\uff0c\u8fd9\u4e2a\u662f\u6b63\u5e38\u7684\u7684\u72b6\u6001\uff0c\u8fd8\u6ca1\u8ba4\u8bc1<\/p>\n\n\n\n
\u90e8\u7f72kubectl\u7ec4\u4ef6<\/p>\n\n\n\n
kubectl\u7ec4\u4ef6\u4ecb\u7ecd<\/p>\n\n\n\n
Kubectl \u662f\u5ba2\u6237\u7aef\u5de5\u5177\uff0c\u64cd\u4f5ck8s \u8d44\u6e90\u7684\uff0c\u5982\u589e\u5220\u6539\u67e5\u7b49\u3002<\/p>\n\n\n\n
Kubectl \u64cd\u4f5c\u8d44\u6e90\u7684\u65f6\u5019\uff0c\u600e\u4e48\u77e5\u9053\u8fde\u63a5\u5230\u54ea\u4e2a\u96c6\u7fa4\uff0c\u9700\u8981\u4e00\u4e2a\u6587\u4ef6\/etc\/kubernetes\/admin.conf\uff0ckubectl \u4f1a\u6839\u636e\u8fd9\u4e2a\u6587\u4ef6\u7684\u914d\u7f6e\uff0c\u53bb\u8bbf\u95ee k8s \u8d44\u6e90\u3002<\/p>\n\n\n\n
\/etc\/kubernetes\/admin.conf \u6587\u4ef6\u8bb0\u5f55\u4e86\u8bbf\u95ee\u7684 k8s \u96c6\u7fa4\uff0c\u548c\u7528\u5230\u7684\u8bc1\u4e66\u3002\u53ef\u4ee5\u8bbe\u7f6e\u4e00\u4e2a\u73af\u5883\u53d8\u91cf KUBECONFIG<\/p>\n\n\n\n
[root@ k8s-master1 ~]# export KUBECONFIG=\/etc\/kubernetes\/admin.conf<\/code><\/pre>\n\n\n\n
\u8fd9\u6837\u5728\u64cd\u4f5c kubectl\uff0c\u5c31\u4f1a\u81ea\u52a8\u52a0\u8f7d KUBECONFIG \u6765\u64cd\u4f5c\u8981\u7ba1\u7406\u54ea\u4e2a\u96c6\u7fa4\u7684 k8s \u8d44\u6e90\u4e86<\/p>\n\n\n\n
\u4e5f\u53ef\u4ee5\u6309\u7167\u4e0b\u9762\u65b9\u6cd5\uff0c\u8fd9\u4e2a\u662f\u5728 kubeadm \u521d\u59cb\u5316 k8s \u7684\u65f6\u5019\u4f1a\u63d0\u793a\u6211\u4eec\u8981\u7528\u7684\u4e00\u4e2a\u65b9\u6cd5<\/p>\n\n\n\n
[root@ k8s-master1 ~]# cp \/etc\/kubernetes\/admin.conf \/root\/.kube\/config<\/code><\/pre>\n\n\n\n
\u8fd9\u6837\u6211\u4eec\u5728\u6267\u884c kubectl\uff0c\u5c31\u4f1a\u52a0\u8f7d\/root\/.kube\/config \u6587\u4ef6\uff0c\u53bb\u64cd\u4f5c k8s \u8d44\u6e90\u4e86<\/p>\n\n\n\n
\u5982\u679c\u8bbe\u7f6e\u4e86 KUBECONFIG\uff0c\u90a3\u5c31\u4f1a\u5148\u627e\u5230 KUBECONFIG \u53bb\u64cd\u4f5c k8s\uff0c\u5982\u679c\u6ca1\u6709 KUBECONFIG\u53d8\u91cf\uff0c\u90a3\u5c31\u4f1a\u4f7f\u7528\/root\/.kube\/config \u6587\u4ef6\u51b3\u5b9a\u7ba1\u7406\u54ea\u4e2a k8s \u96c6\u7fa4\u7684\u8d44\u6e90\u6ce8\u610f\uff1aadmin.conf \u8fd8\u6ca1\u521b\u5efa\uff0c\u4e0b\u9762\u6b65\u9aa4\u521b\u5efa<\/p>\n\n\n\n
\u521b\u5efacsr\u8bf7\u6c42\u6587\u4ef6<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat admin-csr.json\n{\n  \"CN\": \"admin\",\n  \"hosts\": [],\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"names\": [\n    {\n      \"C\": \"CN\",\n      \"ST\": \"Hubei\",\n      \"L\": \"Wuhan\",\n      \"O\": \"system:masters\", \n      \"OU\": \"system\"\n    }\n  ]\n}<\/code><\/pre>\n\n\n\n
\u540e\u7eed kube-apiserver \u4f7f\u7528 RBAC \u5bf9\u5ba2\u6237\u7aef(\u5982 kubelet\u3001kube-proxy\u3001Pod)\u8bf7\u6c42\u8fdb\u884c\u6388\u6743\uff1b kube-apiserver \u9884\u5b9a\u4e49\u4e86\u4e00\u4e9b RBAC \u4f7f\u7528\u7684 RoleBindings\uff0c\u5982 cluster-admin \u5c06 Group system:masters \u4e0e Role cluster-admin \u7ed1\u5b9a\uff0c\u8be5 Role \u6388\u4e88\u4e86\u8c03\u7528 kube-apiserver \u7684\u6240\u6709 API \u7684\u6743\u9650\uff1b O \u6307\u5b9a\u8be5\u8bc1\u4e66\u7684 Group \u4e3a system:masters\uff0ckubelet \u4f7f\u7528\u8be5\u8bc1\u4e66\u8bbf\u95ee kube-apiserver \u65f6 \uff0c\u7531\u4e8e\u8bc1\u4e66\u88ab CA \u7b7e\u540d\uff0c\u6240\u4ee5\u8ba4\u8bc1\u901a\u8fc7\uff0c\u540c\u65f6\u7531\u4e8e\u8bc1\u4e66\u7528\u6237\u7ec4\u4e3a\u7ecf\u8fc7\u9884\u6388\u6743\u7684system:masters\uff0c\u6240\u4ee5\u88ab\u6388\u4e88\u8bbf\u95ee\u6240\u6709 API \u7684\u6743\u9650\uff1b<\/p>\n\n\n\n
\u6ce8\uff1a \u8fd9\u4e2a admin \u8bc1\u4e66\uff0c\u662f\u5c06\u6765\u751f\u6210\u7ba1\u7406\u5458\u7528\u7684 kube config \u914d\u7f6e\u6587\u4ef6\u7528\u7684\uff0c\u73b0\u5728\u6211\u4eec\u4e00\u822c\u5efa\u8bae\u4f7f\u7528 RBAC \u6765\u5bf9 kubernetes \u8fdb\u884c\u89d2\u8272\u6743\u9650\u63a7\u5236\uff0c kubernetes \u5c06\u8bc1\u4e66\u4e2d\u7684 CN \u5b57\u6bb5 \u4f5c\u4e3a User\uff0c<\/p>\n\n\n\n
O \u5b57\u6bb5\u4f5c\u4e3a Group\uff1b “O”: “system:masters”, \u5fc5\u987b\u662f system:masters\uff0c\u5426\u5219\u540e\u9762 kubectl create<\/p>\n\n\n\n
clusterrolebinding \u62a5\u9519\u3002<\/p>\n\n\n\n
\u8bc1\u4e66 O \u914d\u7f6e\u4e3a system:masters \u5728\u96c6\u7fa4\u5185\u90e8 cluster-admin \u7684 clusterrolebinding \u5c06system:masters \u7ec4\u548ccluster-admin clusterrole \u7ed1\u5b9a\u5728\u4e00\u8d77<\/p>\n\n\n\n
\u751f\u6210\u5ba2\u6237\u7aef\u8bc1\u4e66<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json |cfssljson -bare admin\n2024\/08\/07 15:28:54 [INFO] generate received request\n2024\/08\/07 15:28:54 [INFO] received CSR\n2024\/08\/07 15:28:54 [INFO] generating key: rsa-2048\n2024\/08\/07 15:28:54 [INFO] encoded CSR\n2024\/08\/07 15:28:54 [INFO] signed certificate with serial number 202934663019094511269755251183590216779451529437\n2024\/08\/07 15:28:54 [WARNING] This certificate lacks a \"hosts\" field. This makes it unsuitable for\nwebsites. For more information see the Baseline Requirements for the Issuance and Management\nof Publicly-Trusted Certificates, v.1.1.6, from the CA\/Browser Forum (https:\/\/cabforum.org);\nspecifically, section 10.2.3 (\"Information Requirements\").\nroot@k8s-master1:\/data\/work# ls admin*.pem\nadmin-key.pem  admin.pem\nroot@k8s-master1:\/data\/work# cp admin*.pem \/etc\/kubernetes\/ssl\/\nroot@k8s-master1:\/data\/work#<\/code><\/pre>\n\n\n\n
\u914d\u7f6e\u5b89\u5168\u4e0a\u4e0b\u6587<\/p>\n\n\n\n
\u521b\u5efakubeconfig\u914d\u7f6e\u6587\u4ef6,\u6bd4\u8f83\u91cd\u8981<\/p>\n\n\n\n
kubeconfig \u4e3a kubectl \u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u5305\u542b\u8bbf\u95ee apiserver \u7684\u6240\u6709\u4fe1\u606f\uff0c\u5982 apiserver \u5730\u5740\u3001 CA \u8bc1\u4e66\u548c\u81ea\u8eab\u4f7f\u7528\u7684\u8bc1\u4e66<\/p>\n\n\n\n
1.\u8bbe\u7f6e\u96c6\u7fa4\u53c2\u6570<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https:\/\/192.168.2.135:6443 --kubeconfig=kube.config\nCluster \"kubernetes\" set.<\/code><\/pre>\n\n\n\n
\u67e5\u770bkube.config\u5185\u5bb9<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat kube.config\napiVersion: v1\nclusters:\n- cluster:\n    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURrakNDQW5xZ0F3SUJBZ0lVWk1XQ2lJT3NGVGVKYm9WR2VQOG8vOTYyb1Y0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RGpBTUJnTlZCQWdUQlVoMVltVnBNUTR3REFZRFZRUUhFd1ZYZFdoaApiakVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WnplWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SGhjTk1qUXdPREEzTURFeE5EQXdXaGNOTXpRd09EQTFNREV4TkRBd1dqQmhNUXN3Q1FZRFZRUUcKRXdKRFRqRU9NQXdHQTFVRUNCTUZTSFZpWldreERqQU1CZ05WQkFjVEJWZDFhR0Z1TVF3d0NnWURWUVFLRXdOcgpPSE14RHpBTkJnTlZCQXNUQm5ONWMzUmxiVEVUTUJFR0ExVUVBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU1VN2FTanJQOExsT2FLcjRCdUIrRVlLSDA4Q3lrOHAKUTc1WUJHWUVINWxrVVpRVkFBSG9wM3p3SUxuMVczL2dRNVdURXY1dmpzbVAzY3JBRk5EVWU0U0pTNTZPQjlMRApsVjdNWVNpeGRHMERLeGdQZjVVNVNBQTFrbWg1L2h3R25TK0FnSTBlZzhnWHMrTms3Ym5rSFNFazZHRlZGczVEClk5NmlmTVMrOFFaVWhMOHpKcmlQYUc3NjZ1MXZRRTZUVjcyUytOVnNVNlB1SmlGTnorbC9YeHNNV21VV3R0SDYKM1ZxWTZrSTBUUDdwZ3BDV3VabkoyYTEzLzdGWVlVNE5sd1A2MDlvZnBkMHNndjV3NitwZGptdnNnNWFSRWk4VgpMUUM3N3IrSHgxVER5L1QzQ2J4Y3E3UytwY29LV25ndXNLUDRTMmt4U283VUE4L0dzak9vS2o4Q0F3RUFBYU5DCk1FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZFSkkKbTd6MG9HV09HRzl5NEpvYjJCVnp2R3UwTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBOGhNVXAyemsva1h1UQpzR0Q5b3VLOEwvVEZWTWJlK2oyOXBtUmpkcThVUjJ0Q3VEa3A1QUhVMFZjbHlyQmd5U282UW5TY2t3bG9oMTN0CmFiMDNKYi9VNit6clR3U3VBdG9oeGlObWI3NXluZjJmanZ4djhGS0RYZnZvZ3R0aVBHNzNuWXlPcEcwODdqZCsKaHRzcERDYmRTYlJ4eGUrejZsb2lZZ1F0TExSOW10WnhjWTZhSXdsVkZ5MmQyekpZdFNJSnNLeHFCMk4zT0t1MgpsNUlBTGYyaGhjNENya3RrTnR5ZHRIUitrdll2Ny95UjloTWF3MTBPWVUxcUpaQnU3UEdlTXc4emtUWXRka0NjCmo3UlEwRjN5RSs4RVVqdmZ2RGVsUERZUWRqWkJwTlNjUmc1MHdzYXRwN0krRXhvVjFiUGtvM2ZsQkZ0N1lWYzkKVEloZWVndWEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    server: https:\/\/192.168.2.135:6443\n  name: kubernetes\ncontexts: null\ncurrent-context: \"\"\nkind: Config\npreferences: {}\nusers: null<\/code><\/pre>\n\n\n\n
2.\u8bbe\u7f6e\u5ba2\u6237\u7aef\u8ba4\u8bc1\u53c2\u6570<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl config set-credentials admin --client-certificate=admin.pem --client-key=admin-key.pem --embed-certs=true --kubeconfig=kube.config\nUser \"admin\" set.\nroot@k8s-master1:\/data\/work# cat kube.config\napiVersion: v1\nclusters:\n- cluster:\n    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURrakNDQW5xZ0F3SUJBZ0lVWk1XQ2lJT3NGVGVKYm9WR2VQOG8vOTYyb1Y0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RGpBTUJnTlZCQWdUQlVoMVltVnBNUTR3REFZRFZRUUhFd1ZYZFdoaApiakVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WnplWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SGhjTk1qUXdPREEzTURFeE5EQXdXaGNOTXpRd09EQTFNREV4TkRBd1dqQmhNUXN3Q1FZRFZRUUcKRXdKRFRqRU9NQXdHQTFVRUNCTUZTSFZpWldreERqQU1CZ05WQkFjVEJWZDFhR0Z1TVF3d0NnWURWUVFLRXdOcgpPSE14RHpBTkJnTlZCQXNUQm5ONWMzUmxiVEVUTUJFR0ExVUVBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU1VN2FTanJQOExsT2FLcjRCdUIrRVlLSDA4Q3lrOHAKUTc1WUJHWUVINWxrVVpRVkFBSG9wM3p3SUxuMVczL2dRNVdURXY1dmpzbVAzY3JBRk5EVWU0U0pTNTZPQjlMRApsVjdNWVNpeGRHMERLeGdQZjVVNVNBQTFrbWg1L2h3R25TK0FnSTBlZzhnWHMrTms3Ym5rSFNFazZHRlZGczVEClk5NmlmTVMrOFFaVWhMOHpKcmlQYUc3NjZ1MXZRRTZUVjcyUytOVnNVNlB1SmlGTnorbC9YeHNNV21VV3R0SDYKM1ZxWTZrSTBUUDdwZ3BDV3VabkoyYTEzLzdGWVlVNE5sd1A2MDlvZnBkMHNndjV3NitwZGptdnNnNWFSRWk4VgpMUUM3N3IrSHgxVER5L1QzQ2J4Y3E3UytwY29LV25ndXNLUDRTMmt4U283VUE4L0dzak9vS2o4Q0F3RUFBYU5DCk1FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZFSkkKbTd6MG9HV09HRzl5NEpvYjJCVnp2R3UwTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBOGhNVXAyemsva1h1UQpzR0Q5b3VLOEwvVEZWTWJlK2oyOXBtUmpkcThVUjJ0Q3VEa3A1QUhVMFZjbHlyQmd5U282UW5TY2t3bG9oMTN0CmFiMDNKYi9VNit6clR3U3VBdG9oeGlObWI3NXluZjJmanZ4djhGS0RYZnZvZ3R0aVBHNzNuWXlPcEcwODdqZCsKaHRzcERDYmRTYlJ4eGUrejZsb2lZZ1F0TExSOW10WnhjWTZhSXdsVkZ5MmQyekpZdFNJSnNLeHFCMk4zT0t1MgpsNUlBTGYyaGhjNENya3RrTnR5ZHRIUitrdll2Ny95UjloTWF3MTBPWVUxcUpaQnU3UEdlTXc4emtUWXRka0NjCmo3UlEwRjN5RSs4RVVqdmZ2RGVsUERZUWRqWkJwTlNjUmc1MHdzYXRwN0krRXhvVjFiUGtvM2ZsQkZ0N1lWYzkKVEloZWVndWEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    server: https:\/\/192.168.2.135:6443\n  name: kubernetes\ncontexts: null\ncurrent-context: \"\"\nkind: Config\npreferences: {}\nusers:\n- name: admin\n  user:\n    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQxVENDQXIyZ0F3SUJBZ0lVSTR2bnJ1bVV0c3NmeTdydUVFdzdPZklLK04wd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RGpBTUJnTlZCQWdUQlVoMVltVnBNUTR3REFZRFZRUUhFd1ZYZFdoaApiakVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WnplWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SGhjTk1qUXdPREEzTURjeU5EQXdXaGNOTXpRd09EQTFNRGN5TkRBd1dqQm5NUXN3Q1FZRFZRUUcKRXdKRFRqRU9NQXdHQTFVRUNCTUZTSFZpWldreERqQU1CZ05WQkFjVEJWZDFhR0Z1TVJjd0ZRWURWUVFLRXc1egplWE4wWlcwNmJXRnpkR1Z5Y3pFUE1BMEdBMVVFQ3hNR2MzbHpkR1Z0TVE0d0RBWURWUVFERXdWaFpHMXBiakNDCkFTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS3dGL0dWdGlLNTdHYTgxRURaOWhEbzAKRGxpcVlWUHFxQlRmbENOcmZUS1YrNnNNMnJaZWNzRFlHb01kK3orbTNoNmlDNEtTVGlIaGpUbHd6RVNEVWdHWApWazBUYmUxdTZQRHlGK2FWeXoyVlFhaURTOVN4Y002RStyMWszVkdXbURJV2VjM3NhZGRGZ1ZKa2V4VVFqN2E2CmljRC94WjNoUERMUEdoaUYxSVZPK3BPSExXS1BKeDVhR3hlUFZCdUdrQnloTTIrMkl5UmMzZ3JRWjlGRkYwbTQKWXhtT1VET2lWbE5VVlp1ek1wZnY3VmUzRUdMbHZ6NkY3NStLdXlxREFmbDFIZS9USm0zRmtubDlkSU1rSW9kcgovUkE0aWZSSnZhQzVBa2ZQbDYrNWExZTJGWmhmdWlRVGxkTjF3aFRFTzhoNmpQQWo4T0pnNS9oa2RRVktKeUVDCkF3RUFBYU4vTUgwd0RnWURWUjBQQVFIL0JBUURBZ1dnTUIwR0ExVWRKUVFXTUJRR0NDc0dBUVVGQndNQkJnZ3IKQmdFRkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQU1CMEdBMVVkRGdRV0JCUkhQSEFhUytUUGZyL1I4NkVQVE82SQpkSDJTeERBZkJnTlZIU01FR0RBV2dCUkNTSnU4OUtCbGpoaHZjdUNhRzlnVmM3eHJ0REFOQmdrcWhraUc5dzBCCkFRc0ZBQU9DQVFFQWg5RHlONFFjQXUveWVBRDM5NjE4OVVlVzBnZ0dsQk1rYlNhbFJ4N0EvR0VxNkp6RVNpMVMKM2FpZWhtS0JndlFHRHZYbFQvQjI3ZjZqaUw4RSthSzVGMTdiZDhnUWtQeGovSnRvUll0bWRnTkNENnN6REozaQorS2twVlY0d0NjSTRpTHkzTS9UcHNmbGJ1OXRjQjNCZEdyY2FQTEZ4SEk4emFWU0xMQ2JmcWJIcTNoMnNKNWZZCnBuN0hTV21jbWhsMDRESy9sT2dydS9EcGkvdnhoclRSdWZHTmdrQ2w3REVSZ2RIS3pWUmhwS3Q1VGJuV2ZoNEgKU29kWkx4OG5sbjJJZDRnL01XTkRJQjJHT3NKMS93YTdFVndjWWFFUkw4NndWNDRiNkVVQzJkL2k1aDY3YjF1MQpNZ1Q3T0RldURTVVNwT2JubmtHd3AwVzVnVCtIeU9WbTZ3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBckFYOFpXMklybnNacnpVUU5uMkVPalFPV0twaFUrcW9GTitVSTJ0OU1wWDdxd3phCnRsNXl3TmdhZ3gzN1A2YmVIcUlMZ3BKT0llR05PWERNUklOU0FaZFdUUk50N1c3bzhQSVg1cFhMUFpWQnFJTkwKMUxGd3pvVDZ2V1RkVVphWU1oWjV6ZXhwMTBXQlVtUjdGUkNQdHJxSndQL0ZuZUU4TXM4YUdJWFVoVTc2azRjdApZbzhuSGxvYkY0OVVHNGFRSEtFemI3WWpKRnplQ3RCbjBVVVhTYmhqR1k1UU02SldVMVJWbTdNeWwrL3RWN2NRCll1Vy9Qb1h2bjRxN0tvTUIrWFVkNzlNbWJjV1NlWDEwZ3lRaWgydjlFRGlKOUVtOW9Ma0NSOCtYcjdsclY3WVYKbUYrNkpCT1YwM1hDRk1RN3lIcU04Q1B3NG1EbitHUjFCVW9uSVFJREFRQUJBb0lCQUdwcnlabDJDZmpuYnh4VgpWNUplVkU4dHBUSjFOWUVVeXFjZktpWS9lVlN5Tk4rOU5CRmVuTjl3MGZZTHRrUEtsOStib0VORy84ODJHb2hPCm9CQkNyWmtPWnZXSDc1blQ0NGdzUFYwSmpwS3FvOVA4WmcxUE9OcUtxaFJCTWlvbllFQ2NadjVlSTV4cUEzZFYKY2srMXp6TGNkQnhTSDQ5c3FERkdybjQ5VFJ5cW0vRHV6aDdJUFBFY2QvZloyZXFPMGg5S3NZK0JERG9ObFV6bwpMcFIvZ2xMeGIxN3M0M05lZEYvMUFFM2hRQmdrVCtQVHEyTDQyNlFtRTZWalN5QUpJYUt4R3pDRUxGUklrTjRlCmplMVV5WWdPczUyUU01SGtndERKYi9lZEpKWVpIZWR1dFBFSHpheFg2Vlp4L3ZkZkNBMUlyTUZPTjF6T2NWL3MKbUFOZGNZRUNnWUVBMDhZcCtHVmwzVy92a1MvM3lxR3F3QlVjcUpyLzBTWUVEYWdJRDhQUkJ0UVdQYXRmVzlINApFVVRNQTdRRElpSUxFNEFXcnhsSWUzanZwOFdvMmYvOHNCZ08wSStrOU4vNnJYNmc2Zlh1MWp5QmExOUxKY2lBClA0eHhxMWNRSjlGNXVxc2VHQ1VPSGxlc2dSbDhNZDFuOFkvU283a2hqWmp6dUNzWjNRMDdwRThDZ1lFQXovS3QKQmdicnNGMmpEbEtSS1VWNDAvczJjWnhzbVNXVmlPVHJoNDVHRGVzYVdrUEdya1NPdmVUWnZzcjhqY1pJYVhNdgpJb0lwZjJWbVBudjhQbjQvbDAvTnhDd09GbE1ReFo2ZzNCc0lHSlpVckh5U1hCTmpod2wrRjBtUlpLSkErbXQwCkRET3hZN1ByU2NhSUU3RnBvUWFrdHo2NEZEY0F6Qmw2VkM1RjhZOENnWUExU1FWQ2RQRCttSzJrMEhiK3kxTFYKWmZxQ0NnNFlLQUtaRlJDQ052a2ZTTG9YNWtqbUo1ek5hNHdSMm5kM1hTMkFTSmhza21ZRWUxZUIxV0E1Q2dvZwpuTTBOZVRjK1RpVWJCbU9pdXJqUHV3V3RhSnJWOU84Z0RreURtako4Y2w2NHMxbXRKWlc1Mk1HVThqNm5wVmdFCkZmWWdML0xiV0FMcThoMWQyM2lJVFFLQmdENnhIUFRLTlZnd2dxNFl1bWJFNlE2UGwvUmNnbWtSYWFtaHlsaE4KemxUMzRqUUFadSsyLzRuRWF0a1lmVmVJeGQvMHQrc2hicjFYcHFHRDQ2STdrWlJlbk54ZG84bWJOVjArMjZSQQpDZ3JQbDZ1QXl1Y3plVGdHNXByQ3RUQ3ZzZ05OVGVrMzFHMElteERjNTcxNEtTNUF3SHYyVHF6WmdFWUlFRmM4CnRCMkZBb0dCQU1TRC9wbkN0RTRISEhXWkRGZXNFRmZXZGFnMTJrOFlwOFFGcFQvZWpjazcyL3YvN3IwS0hVeFIKd2JySGdZbHZONnNlSXVNNUlZS1dJbElFVUc4ZWVEZjd3SFRxT3pWc292QnhSeFZQSU5EQTlxNno4b2ZtM1JkegpRSDhITksveTZWMjFFTm5XN0hYZGYyVHEvWHJCR01CaFlGbnVkVm41Z0ZPMjVWQ0xRdW1pCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==<\/code><\/pre>\n\n\n\n
3.\u8bbe\u7f6e\u4e0a\u4e0b\u6587\u53c2\u6570<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl config set-context kubernetes --cluster=kubernetes --user=admin --kubeconfig=kube.config  \nContext \"kubernetes\" created.\nroot@k8s-master1:\/data\/work# cat kube.config\napiVersion: v1\nclusters:\n- cluster:\n    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURrakNDQW5xZ0F3SUJBZ0lVWk1XQ2lJT3NGVGVKYm9WR2VQOG8vOTYyb1Y0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RGpBTUJnTlZCQWdUQlVoMVltVnBNUTR3REFZRFZRUUhFd1ZYZFdoaApiakVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WnplWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SGhjTk1qUXdPREEzTURFeE5EQXdXaGNOTXpRd09EQTFNREV4TkRBd1dqQmhNUXN3Q1FZRFZRUUcKRXdKRFRqRU9NQXdHQTFVRUNCTUZTSFZpWldreERqQU1CZ05WQkFjVEJWZDFhR0Z1TVF3d0NnWURWUVFLRXdOcgpPSE14RHpBTkJnTlZCQXNUQm5ONWMzUmxiVEVUTUJFR0ExVUVBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU1VN2FTanJQOExsT2FLcjRCdUIrRVlLSDA4Q3lrOHAKUTc1WUJHWUVINWxrVVpRVkFBSG9wM3p3SUxuMVczL2dRNVdURXY1dmpzbVAzY3JBRk5EVWU0U0pTNTZPQjlMRApsVjdNWVNpeGRHMERLeGdQZjVVNVNBQTFrbWg1L2h3R25TK0FnSTBlZzhnWHMrTms3Ym5rSFNFazZHRlZGczVEClk5NmlmTVMrOFFaVWhMOHpKcmlQYUc3NjZ1MXZRRTZUVjcyUytOVnNVNlB1SmlGTnorbC9YeHNNV21VV3R0SDYKM1ZxWTZrSTBUUDdwZ3BDV3VabkoyYTEzLzdGWVlVNE5sd1A2MDlvZnBkMHNndjV3NitwZGptdnNnNWFSRWk4VgpMUUM3N3IrSHgxVER5L1QzQ2J4Y3E3UytwY29LV25ndXNLUDRTMmt4U283VUE4L0dzak9vS2o4Q0F3RUFBYU5DCk1FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZFSkkKbTd6MG9HV09HRzl5NEpvYjJCVnp2R3UwTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBOGhNVXAyemsva1h1UQpzR0Q5b3VLOEwvVEZWTWJlK2oyOXBtUmpkcThVUjJ0Q3VEa3A1QUhVMFZjbHlyQmd5U282UW5TY2t3bG9oMTN0CmFiMDNKYi9VNit6clR3U3VBdG9oeGlObWI3NXluZjJmanZ4djhGS0RYZnZvZ3R0aVBHNzNuWXlPcEcwODdqZCsKaHRzcERDYmRTYlJ4eGUrejZsb2lZZ1F0TExSOW10WnhjWTZhSXdsVkZ5MmQyekpZdFNJSnNLeHFCMk4zT0t1MgpsNUlBTGYyaGhjNENya3RrTnR5ZHRIUitrdll2Ny95UjloTWF3MTBPWVUxcUpaQnU3UEdlTXc4emtUWXRka0NjCmo3UlEwRjN5RSs4RVVqdmZ2RGVsUERZUWRqWkJwTlNjUmc1MHdzYXRwN0krRXhvVjFiUGtvM2ZsQkZ0N1lWYzkKVEloZWVndWEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    server: https:\/\/192.168.2.135:6443\n  name: kubernetes\ncontexts:\n- context:\n    cluster: kubernetes\n    user: admin\n  name: kubernetes\ncurrent-context: \"\"\nkind: Config\npreferences: {}\nusers:\n- name: admin\n  user:\n    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQxVENDQXIyZ0F3SUJBZ0lVSTR2bnJ1bVV0c3NmeTdydUVFdzdPZklLK04wd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RGpBTUJnTlZCQWdUQlVoMVltVnBNUTR3REFZRFZRUUhFd1ZYZFdoaApiakVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WnplWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SGhjTk1qUXdPREEzTURjeU5EQXdXaGNOTXpRd09EQTFNRGN5TkRBd1dqQm5NUXN3Q1FZRFZRUUcKRXdKRFRqRU9NQXdHQTFVRUNCTUZTSFZpWldreERqQU1CZ05WQkFjVEJWZDFhR0Z1TVJjd0ZRWURWUVFLRXc1egplWE4wWlcwNmJXRnpkR1Z5Y3pFUE1BMEdBMVVFQ3hNR2MzbHpkR1Z0TVE0d0RBWURWUVFERXdWaFpHMXBiakNDCkFTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS3dGL0dWdGlLNTdHYTgxRURaOWhEbzAKRGxpcVlWUHFxQlRmbENOcmZUS1YrNnNNMnJaZWNzRFlHb01kK3orbTNoNmlDNEtTVGlIaGpUbHd6RVNEVWdHWApWazBUYmUxdTZQRHlGK2FWeXoyVlFhaURTOVN4Y002RStyMWszVkdXbURJV2VjM3NhZGRGZ1ZKa2V4VVFqN2E2CmljRC94WjNoUERMUEdoaUYxSVZPK3BPSExXS1BKeDVhR3hlUFZCdUdrQnloTTIrMkl5UmMzZ3JRWjlGRkYwbTQKWXhtT1VET2lWbE5VVlp1ek1wZnY3VmUzRUdMbHZ6NkY3NStLdXlxREFmbDFIZS9USm0zRmtubDlkSU1rSW9kcgovUkE0aWZSSnZhQzVBa2ZQbDYrNWExZTJGWmhmdWlRVGxkTjF3aFRFTzhoNmpQQWo4T0pnNS9oa2RRVktKeUVDCkF3RUFBYU4vTUgwd0RnWURWUjBQQVFIL0JBUURBZ1dnTUIwR0ExVWRKUVFXTUJRR0NDc0dBUVVGQndNQkJnZ3IKQmdFRkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQU1CMEdBMVVkRGdRV0JCUkhQSEFhUytUUGZyL1I4NkVQVE82SQpkSDJTeERBZkJnTlZIU01FR0RBV2dCUkNTSnU4OUtCbGpoaHZjdUNhRzlnVmM3eHJ0REFOQmdrcWhraUc5dzBCCkFRc0ZBQU9DQVFFQWg5RHlONFFjQXUveWVBRDM5NjE4OVVlVzBnZ0dsQk1rYlNhbFJ4N0EvR0VxNkp6RVNpMVMKM2FpZWhtS0JndlFHRHZYbFQvQjI3ZjZqaUw4RSthSzVGMTdiZDhnUWtQeGovSnRvUll0bWRnTkNENnN6REozaQorS2twVlY0d0NjSTRpTHkzTS9UcHNmbGJ1OXRjQjNCZEdyY2FQTEZ4SEk4emFWU0xMQ2JmcWJIcTNoMnNKNWZZCnBuN0hTV21jbWhsMDRESy9sT2dydS9EcGkvdnhoclRSdWZHTmdrQ2w3REVSZ2RIS3pWUmhwS3Q1VGJuV2ZoNEgKU29kWkx4OG5sbjJJZDRnL01XTkRJQjJHT3NKMS93YTdFVndjWWFFUkw4NndWNDRiNkVVQzJkL2k1aDY3YjF1MQpNZ1Q3T0RldURTVVNwT2JubmtHd3AwVzVnVCtIeU9WbTZ3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBckFYOFpXMklybnNacnpVUU5uMkVPalFPV0twaFUrcW9GTitVSTJ0OU1wWDdxd3phCnRsNXl3TmdhZ3gzN1A2YmVIcUlMZ3BKT0llR05PWERNUklOU0FaZFdUUk50N1c3bzhQSVg1cFhMUFpWQnFJTkwKMUxGd3pvVDZ2V1RkVVphWU1oWjV6ZXhwMTBXQlVtUjdGUkNQdHJxSndQL0ZuZUU4TXM4YUdJWFVoVTc2azRjdApZbzhuSGxvYkY0OVVHNGFRSEtFemI3WWpKRnplQ3RCbjBVVVhTYmhqR1k1UU02SldVMVJWbTdNeWwrL3RWN2NRCll1Vy9Qb1h2bjRxN0tvTUIrWFVkNzlNbWJjV1NlWDEwZ3lRaWgydjlFRGlKOUVtOW9Ma0NSOCtYcjdsclY3WVYKbUYrNkpCT1YwM1hDRk1RN3lIcU04Q1B3NG1EbitHUjFCVW9uSVFJREFRQUJBb0lCQUdwcnlabDJDZmpuYnh4VgpWNUplVkU4dHBUSjFOWUVVeXFjZktpWS9lVlN5Tk4rOU5CRmVuTjl3MGZZTHRrUEtsOStib0VORy84ODJHb2hPCm9CQkNyWmtPWnZXSDc1blQ0NGdzUFYwSmpwS3FvOVA4WmcxUE9OcUtxaFJCTWlvbllFQ2NadjVlSTV4cUEzZFYKY2srMXp6TGNkQnhTSDQ5c3FERkdybjQ5VFJ5cW0vRHV6aDdJUFBFY2QvZloyZXFPMGg5S3NZK0JERG9ObFV6bwpMcFIvZ2xMeGIxN3M0M05lZEYvMUFFM2hRQmdrVCtQVHEyTDQyNlFtRTZWalN5QUpJYUt4R3pDRUxGUklrTjRlCmplMVV5WWdPczUyUU01SGtndERKYi9lZEpKWVpIZWR1dFBFSHpheFg2Vlp4L3ZkZkNBMUlyTUZPTjF6T2NWL3MKbUFOZGNZRUNnWUVBMDhZcCtHVmwzVy92a1MvM3lxR3F3QlVjcUpyLzBTWUVEYWdJRDhQUkJ0UVdQYXRmVzlINApFVVRNQTdRRElpSUxFNEFXcnhsSWUzanZwOFdvMmYvOHNCZ08wSStrOU4vNnJYNmc2Zlh1MWp5QmExOUxKY2lBClA0eHhxMWNRSjlGNXVxc2VHQ1VPSGxlc2dSbDhNZDFuOFkvU283a2hqWmp6dUNzWjNRMDdwRThDZ1lFQXovS3QKQmdicnNGMmpEbEtSS1VWNDAvczJjWnhzbVNXVmlPVHJoNDVHRGVzYVdrUEdya1NPdmVUWnZzcjhqY1pJYVhNdgpJb0lwZjJWbVBudjhQbjQvbDAvTnhDd09GbE1ReFo2ZzNCc0lHSlpVckh5U1hCTmpod2wrRjBtUlpLSkErbXQwCkRET3hZN1ByU2NhSUU3RnBvUWFrdHo2NEZEY0F6Qmw2VkM1RjhZOENnWUExU1FWQ2RQRCttSzJrMEhiK3kxTFYKWmZxQ0NnNFlLQUtaRlJDQ052a2ZTTG9YNWtqbUo1ek5hNHdSMm5kM1hTMkFTSmhza21ZRWUxZUIxV0E1Q2dvZwpuTTBOZVRjK1RpVWJCbU9pdXJqUHV3V3RhSnJWOU84Z0RreURtako4Y2w2NHMxbXRKWlc1Mk1HVThqNm5wVmdFCkZmWWdML0xiV0FMcThoMWQyM2lJVFFLQmdENnhIUFRLTlZnd2dxNFl1bWJFNlE2UGwvUmNnbWtSYWFtaHlsaE4KemxUMzRqUUFadSsyLzRuRWF0a1lmVmVJeGQvMHQrc2hicjFYcHFHRDQ2STdrWlJlbk54ZG84bWJOVjArMjZSQQpDZ3JQbDZ1QXl1Y3plVGdHNXByQ3RUQ3ZzZ05OVGVrMzFHMElteERjNTcxNEtTNUF3SHYyVHF6WmdFWUlFRmM4CnRCMkZBb0dCQU1TRC9wbkN0RTRISEhXWkRGZXNFRmZXZGFnMTJrOFlwOFFGcFQvZWpjazcyL3YvN3IwS0hVeFIKd2JySGdZbHZONnNlSXVNNUlZS1dJbElFVUc4ZWVEZjd3SFRxT3pWc292QnhSeFZQSU5EQTlxNno4b2ZtM1JkegpRSDhITksveTZWMjFFTm5XN0hYZGYyVHEvWHJCR01CaFlGbnVkVm41Z0ZPMjVWQ0xRdW1pCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==<\/code><\/pre>\n\n\n\n
4.\u8bbe\u7f6e\u5f53\u524d\u4e0a\u4e0b\u6587<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl config use-context kubernetes --kubeconfig=kube.config  \nSwitched to context \"kubernetes\".\nroot@k8s-master1:\/data\/work# cat kube.config\napiVersion: v1\nclusters:\n- cluster:\n    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURrakNDQW5xZ0F3SUJBZ0lVWk1XQ2lJT3NGVGVKYm9WR2VQOG8vOTYyb1Y0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RGpBTUJnTlZCQWdUQlVoMVltVnBNUTR3REFZRFZRUUhFd1ZYZFdoaApiakVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WnplWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SGhjTk1qUXdPREEzTURFeE5EQXdXaGNOTXpRd09EQTFNREV4TkRBd1dqQmhNUXN3Q1FZRFZRUUcKRXdKRFRqRU9NQXdHQTFVRUNCTUZTSFZpWldreERqQU1CZ05WQkFjVEJWZDFhR0Z1TVF3d0NnWURWUVFLRXdOcgpPSE14RHpBTkJnTlZCQXNUQm5ONWMzUmxiVEVUTUJFR0ExVUVBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU1VN2FTanJQOExsT2FLcjRCdUIrRVlLSDA4Q3lrOHAKUTc1WUJHWUVINWxrVVpRVkFBSG9wM3p3SUxuMVczL2dRNVdURXY1dmpzbVAzY3JBRk5EVWU0U0pTNTZPQjlMRApsVjdNWVNpeGRHMERLeGdQZjVVNVNBQTFrbWg1L2h3R25TK0FnSTBlZzhnWHMrTms3Ym5rSFNFazZHRlZGczVEClk5NmlmTVMrOFFaVWhMOHpKcmlQYUc3NjZ1MXZRRTZUVjcyUytOVnNVNlB1SmlGTnorbC9YeHNNV21VV3R0SDYKM1ZxWTZrSTBUUDdwZ3BDV3VabkoyYTEzLzdGWVlVNE5sd1A2MDlvZnBkMHNndjV3NitwZGptdnNnNWFSRWk4VgpMUUM3N3IrSHgxVER5L1QzQ2J4Y3E3UytwY29LV25ndXNLUDRTMmt4U283VUE4L0dzak9vS2o4Q0F3RUFBYU5DCk1FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZFSkkKbTd6MG9HV09HRzl5NEpvYjJCVnp2R3UwTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBOGhNVXAyemsva1h1UQpzR0Q5b3VLOEwvVEZWTWJlK2oyOXBtUmpkcThVUjJ0Q3VEa3A1QUhVMFZjbHlyQmd5U282UW5TY2t3bG9oMTN0CmFiMDNKYi9VNit6clR3U3VBdG9oeGlObWI3NXluZjJmanZ4djhGS0RYZnZvZ3R0aVBHNzNuWXlPcEcwODdqZCsKaHRzcERDYmRTYlJ4eGUrejZsb2lZZ1F0TExSOW10WnhjWTZhSXdsVkZ5MmQyekpZdFNJSnNLeHFCMk4zT0t1MgpsNUlBTGYyaGhjNENya3RrTnR5ZHRIUitrdll2Ny95UjloTWF3MTBPWVUxcUpaQnU3UEdlTXc4emtUWXRka0NjCmo3UlEwRjN5RSs4RVVqdmZ2RGVsUERZUWRqWkJwTlNjUmc1MHdzYXRwN0krRXhvVjFiUGtvM2ZsQkZ0N1lWYzkKVEloZWVndWEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    server: https:\/\/192.168.2.135:6443\n  name: kubernetes\ncontexts:\n- context:\n    cluster: kubernetes\n    user: admin\n  name: kubernetes\ncurrent-context: kubernetes\nkind: Config\npreferences: {}\nusers:\n- name: admin\n  user:\n    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQxVENDQXIyZ0F3SUJBZ0lVSTR2bnJ1bVV0c3NmeTdydUVFdzdPZklLK04wd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RGpBTUJnTlZCQWdUQlVoMVltVnBNUTR3REFZRFZRUUhFd1ZYZFdoaApiakVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WnplWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SGhjTk1qUXdPREEzTURjeU5EQXdXaGNOTXpRd09EQTFNRGN5TkRBd1dqQm5NUXN3Q1FZRFZRUUcKRXdKRFRqRU9NQXdHQTFVRUNCTUZTSFZpWldreERqQU1CZ05WQkFjVEJWZDFhR0Z1TVJjd0ZRWURWUVFLRXc1egplWE4wWlcwNmJXRnpkR1Z5Y3pFUE1BMEdBMVVFQ3hNR2MzbHpkR1Z0TVE0d0RBWURWUVFERXdWaFpHMXBiakNDCkFTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS3dGL0dWdGlLNTdHYTgxRURaOWhEbzAKRGxpcVlWUHFxQlRmbENOcmZUS1YrNnNNMnJaZWNzRFlHb01kK3orbTNoNmlDNEtTVGlIaGpUbHd6RVNEVWdHWApWazBUYmUxdTZQRHlGK2FWeXoyVlFhaURTOVN4Y002RStyMWszVkdXbURJV2VjM3NhZGRGZ1ZKa2V4VVFqN2E2CmljRC94WjNoUERMUEdoaUYxSVZPK3BPSExXS1BKeDVhR3hlUFZCdUdrQnloTTIrMkl5UmMzZ3JRWjlGRkYwbTQKWXhtT1VET2lWbE5VVlp1ek1wZnY3VmUzRUdMbHZ6NkY3NStLdXlxREFmbDFIZS9USm0zRmtubDlkSU1rSW9kcgovUkE0aWZSSnZhQzVBa2ZQbDYrNWExZTJGWmhmdWlRVGxkTjF3aFRFTzhoNmpQQWo4T0pnNS9oa2RRVktKeUVDCkF3RUFBYU4vTUgwd0RnWURWUjBQQVFIL0JBUURBZ1dnTUIwR0ExVWRKUVFXTUJRR0NDc0dBUVVGQndNQkJnZ3IKQmdFRkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQU1CMEdBMVVkRGdRV0JCUkhQSEFhUytUUGZyL1I4NkVQVE82SQpkSDJTeERBZkJnTlZIU01FR0RBV2dCUkNTSnU4OUtCbGpoaHZjdUNhRzlnVmM3eHJ0REFOQmdrcWhraUc5dzBCCkFRc0ZBQU9DQVFFQWg5RHlONFFjQXUveWVBRDM5NjE4OVVlVzBnZ0dsQk1rYlNhbFJ4N0EvR0VxNkp6RVNpMVMKM2FpZWhtS0JndlFHRHZYbFQvQjI3ZjZqaUw4RSthSzVGMTdiZDhnUWtQeGovSnRvUll0bWRnTkNENnN6REozaQorS2twVlY0d0NjSTRpTHkzTS9UcHNmbGJ1OXRjQjNCZEdyY2FQTEZ4SEk4emFWU0xMQ2JmcWJIcTNoMnNKNWZZCnBuN0hTV21jbWhsMDRESy9sT2dydS9EcGkvdnhoclRSdWZHTmdrQ2w3REVSZ2RIS3pWUmhwS3Q1VGJuV2ZoNEgKU29kWkx4OG5sbjJJZDRnL01XTkRJQjJHT3NKMS93YTdFVndjWWFFUkw4NndWNDRiNkVVQzJkL2k1aDY3YjF1MQpNZ1Q3T0RldURTVVNwT2JubmtHd3AwVzVnVCtIeU9WbTZ3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBckFYOFpXMklybnNacnpVUU5uMkVPalFPV0twaFUrcW9GTitVSTJ0OU1wWDdxd3phCnRsNXl3TmdhZ3gzN1A2YmVIcUlMZ3BKT0llR05PWERNUklOU0FaZFdUUk50N1c3bzhQSVg1cFhMUFpWQnFJTkwKMUxGd3pvVDZ2V1RkVVphWU1oWjV6ZXhwMTBXQlVtUjdGUkNQdHJxSndQL0ZuZUU4TXM4YUdJWFVoVTc2azRjdApZbzhuSGxvYkY0OVVHNGFRSEtFemI3WWpKRnplQ3RCbjBVVVhTYmhqR1k1UU02SldVMVJWbTdNeWwrL3RWN2NRCll1Vy9Qb1h2bjRxN0tvTUIrWFVkNzlNbWJjV1NlWDEwZ3lRaWgydjlFRGlKOUVtOW9Ma0NSOCtYcjdsclY3WVYKbUYrNkpCT1YwM1hDRk1RN3lIcU04Q1B3NG1EbitHUjFCVW9uSVFJREFRQUJBb0lCQUdwcnlabDJDZmpuYnh4VgpWNUplVkU4dHBUSjFOWUVVeXFjZktpWS9lVlN5Tk4rOU5CRmVuTjl3MGZZTHRrUEtsOStib0VORy84ODJHb2hPCm9CQkNyWmtPWnZXSDc1blQ0NGdzUFYwSmpwS3FvOVA4WmcxUE9OcUtxaFJCTWlvbllFQ2NadjVlSTV4cUEzZFYKY2srMXp6TGNkQnhTSDQ5c3FERkdybjQ5VFJ5cW0vRHV6aDdJUFBFY2QvZloyZXFPMGg5S3NZK0JERG9ObFV6bwpMcFIvZ2xMeGIxN3M0M05lZEYvMUFFM2hRQmdrVCtQVHEyTDQyNlFtRTZWalN5QUpJYUt4R3pDRUxGUklrTjRlCmplMVV5WWdPczUyUU01SGtndERKYi9lZEpKWVpIZWR1dFBFSHpheFg2Vlp4L3ZkZkNBMUlyTUZPTjF6T2NWL3MKbUFOZGNZRUNnWUVBMDhZcCtHVmwzVy92a1MvM3lxR3F3QlVjcUpyLzBTWUVEYWdJRDhQUkJ0UVdQYXRmVzlINApFVVRNQTdRRElpSUxFNEFXcnhsSWUzanZwOFdvMmYvOHNCZ08wSStrOU4vNnJYNmc2Zlh1MWp5QmExOUxKY2lBClA0eHhxMWNRSjlGNXVxc2VHQ1VPSGxlc2dSbDhNZDFuOFkvU283a2hqWmp6dUNzWjNRMDdwRThDZ1lFQXovS3QKQmdicnNGMmpEbEtSS1VWNDAvczJjWnhzbVNXVmlPVHJoNDVHRGVzYVdrUEdya1NPdmVUWnZzcjhqY1pJYVhNdgpJb0lwZjJWbVBudjhQbjQvbDAvTnhDd09GbE1ReFo2ZzNCc0lHSlpVckh5U1hCTmpod2wrRjBtUlpLSkErbXQwCkRET3hZN1ByU2NhSUU3RnBvUWFrdHo2NEZEY0F6Qmw2VkM1RjhZOENnWUExU1FWQ2RQRCttSzJrMEhiK3kxTFYKWmZxQ0NnNFlLQUtaRlJDQ052a2ZTTG9YNWtqbUo1ek5hNHdSMm5kM1hTMkFTSmhza21ZRWUxZUIxV0E1Q2dvZwpuTTBOZVRjK1RpVWJCbU9pdXJqUHV3V3RhSnJWOU84Z0RreURtako4Y2w2NHMxbXRKWlc1Mk1HVThqNm5wVmdFCkZmWWdML0xiV0FMcThoMWQyM2lJVFFLQmdENnhIUFRLTlZnd2dxNFl1bWJFNlE2UGwvUmNnbWtSYWFtaHlsaE4KemxUMzRqUUFadSsyLzRuRWF0a1lmVmVJeGQvMHQrc2hicjFYcHFHRDQ2STdrWlJlbk54ZG84bWJOVjArMjZSQQpDZ3JQbDZ1QXl1Y3plVGdHNXByQ3RUQ3ZzZ05OVGVrMzFHMElteERjNTcxNEtTNUF3SHYyVHF6WmdFWUlFRmM4CnRCMkZBb0dCQU1TRC9wbkN0RTRISEhXWkRGZXNFRmZXZGFnMTJrOFlwOFFGcFQvZWpjazcyL3YvN3IwS0hVeFIKd2JySGdZbHZONnNlSXVNNUlZS1dJbElFVUc4ZWVEZjd3SFRxT3pWc292QnhSeFZQSU5EQTlxNno4b2ZtM1JkegpRSDhITksveTZWMjFFTm5XN0hYZGYyVHEvWHJCR01CaFlGbnVkVm41Z0ZPMjVWQ0xRdW1pCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==\n\n\n\n\nroot@k8s-master1:\/data\/work# mkdir ~\/.kube -p\nroot@k8s-master1:\/data\/work# cp kube.config \/root\/.kube\/config\nroot@k8s-master1:\/data\/work# cp kube.config \/etc\/kubernetes\/admin.conf<\/code><\/pre>\n\n\n\n
5.\u6388\u6743kubernetes\u8bc1\u4e66\u8bbf\u95eekubelet api\u6743\u9650<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes\nclusterrolebinding.rbac.authorization.k8s.io\/kube-apiserver:kubelet-apis created\nroot@k8s-master1:\/data\/work# kubectl cluster-info\nKubernetes control plane is running at https:\/\/192.168.2.135:6443\n\n\n\u67e5\u8be2\u96c6\u7fa4\u4fe1\u606f\nroot@k8s-master1:\/data\/work# kubectl get componentstatuses\nWarning: v1 ComponentStatus is deprecated in v1.19+\nNAME                 STATUS      MESSAGE                                                                                        ERROR\ncontroller-manager   Unhealthy   Get \"https:\/\/127.0.0.1:10257\/healthz\": dial tcp 127.0.0.1:10257: connect: connection refused   \nscheduler            Unhealthy   Get \"https:\/\/127.0.0.1:10259\/healthz\": dial tcp 127.0.0.1:10259: connect: connection refused   \netcd-0               Healthy     {\"health\":\"true\",\"reason\":\"\"}                                                                  \netcd-1               Healthy     {\"health\":\"true\",\"reason\":\"\"}                                                                  \nroot@k8s-master1:\/data\/work# kubectl get all --all-namespaces\nNAMESPACE   NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE\ndefault     service\/kubernetes   ClusterIP   10.255.0.1   <none>        443\/TCP   144m<\/code><\/pre>\n\n\n\n
\u540c\u6b65kubectl\u6587\u4ef6\u5230\u5176\u4ed6\u8282\u70b9<\/p>\n\n\n\n
root@k8s-master2:~# mkdir -p \/root\/.kube\nroot@k8s-master1:~# scp -r  \/root\/.kube\/config  master2:\/root\/.kube\/<\/code><\/pre>\n\n\n\n
\u914d\u7f6ekubectl\u5b50\u547d\u4ee4\u8865\u5168\uff08master1\u30012\uff09<\/p>\n\n\n\n
root@k8s-master1:~# apt-get install bash-completion\nroot@k8s-master1:~# source \/usr\/share\/bash-completion\/bash_completion\nroot@k8s-master1:~# source <(kubectl completion bash)\nroot@k8s-master1:~# kubectl completion bash > ~\/.kube\/completion.bash.inc\nroot@k8s-master1:~# source '\/root\/.kube\/completion.bash.inc'<\/code><\/pre>\n\n\n\n
\u90e8\u7f72kube-controller-manager\u7ec4\u4ef6<\/p>\n\n\n\n
\u521b\u5efakube-controller-manager csr\u8bf7\u6c42\u6587\u4ef6<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat kube-controller-manager-csr.json\n{\n  \"CN\": \"system:kube-controller-manager\",\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"hosts\": [\n    \"127.0.0.1\",\n    \"192.168.2.135\",\n    \"192.168.2.136\",\n    \"192.168.2.137\",\n    \"192.168.2.138\",\n    \"192.168.2.139\",\n    \"192.168.2.140\"\n  ],\n  \"names\": [\n    {\n      \"C\": \"CN\",\n      \"ST\": \"Hubei\",\n      \"L\": \"Wuhan\",\n      \"O\": \"system:kube-controller-manager\",\n      \"OU\": \"system\"\n    }\n  ]\n}<\/code><\/pre>\n\n\n\n
hosts \u5217\u8868\u5305\u542b\u6240\u6709 kube-controller-manager \u8282\u70b9 IP\uff1b<\/p>\n\n\n\n
CN \u4e3a system:kube-controller-manager<\/p>\n\n\n\n
O \u4e3a system:kube-controller-manager\uff0c<\/p>\n\n\n\n
kubernetes \u5185\u7f6e\u7684 ClusterRoleBindings system:kube-controller-manager \u8d4b\u4e88 kube-controller-manager \u5de5\u4f5c\u6240\u9700\u7684\u6743\u9650<\/p>\n\n\n\n
\u751f\u6210kube-controller-manager\u8bc1\u4e66<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager\n2024\/08\/08 09:20:54 [INFO] generate received request\n2024\/08\/08 09:20:54 [INFO] received CSR\n2024\/08\/08 09:20:54 [INFO] generating key: rsa-2048\n2024\/08\/08 09:20:54 [INFO] encoded CSR\n2024\/08\/08 09:20:54 [INFO] signed certificate with serial number 647757414703145155970563093502545002451022037613<\/code><\/pre>\n\n\n\n
\u521b\u5efakube-controller-manager\u7684kubeconfig<\/p>\n\n\n\n
1.\u8bbe\u7f6e\u96c6\u7fa4\u53c2\u6570<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https:\/\/192.168.2.135:6443 --kubeconfig=kube-controller-manager.kubeconfig\nCluster \"kubernetes\" set.\nroot@k8s-master1:\/data\/work# cat kube-controller-manager.kubeconfig\napiVersion: v1\nclusters:\n- cluster:\n    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURrakNDQW5xZ0F3SUJBZ0lVWk1XQ2lJT3NGVGVKYm9WR2VQOG8vOTYyb1Y0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RGpBTUJnTlZCQWdUQlVoMVltVnBNUTR3REFZRFZRUUhFd1ZYZFdoaApiakVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WnplWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SGhjTk1qUXdPREEzTURFeE5EQXdXaGNOTXpRd09EQTFNREV4TkRBd1dqQmhNUXN3Q1FZRFZRUUcKRXdKRFRqRU9NQXdHQTFVRUNCTUZTSFZpWldreERqQU1CZ05WQkFjVEJWZDFhR0Z1TVF3d0NnWURWUVFLRXdOcgpPSE14RHpBTkJnTlZCQXNUQm5ONWMzUmxiVEVUTUJFR0ExVUVBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU1VN2FTanJQOExsT2FLcjRCdUIrRVlLSDA4Q3lrOHAKUTc1WUJHWUVINWxrVVpRVkFBSG9wM3p3SUxuMVczL2dRNVdURXY1dmpzbVAzY3JBRk5EVWU0U0pTNTZPQjlMRApsVjdNWVNpeGRHMERLeGdQZjVVNVNBQTFrbWg1L2h3R25TK0FnSTBlZzhnWHMrTms3Ym5rSFNFazZHRlZGczVEClk5NmlmTVMrOFFaVWhMOHpKcmlQYUc3NjZ1MXZRRTZUVjcyUytOVnNVNlB1SmlGTnorbC9YeHNNV21VV3R0SDYKM1ZxWTZrSTBUUDdwZ3BDV3VabkoyYTEzLzdGWVlVNE5sd1A2MDlvZnBkMHNndjV3NitwZGptdnNnNWFSRWk4VgpMUUM3N3IrSHgxVER5L1QzQ2J4Y3E3UytwY29LV25ndXNLUDRTMmt4U283VUE4L0dzak9vS2o4Q0F3RUFBYU5DCk1FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZFSkkKbTd6MG9HV09HRzl5NEpvYjJCVnp2R3UwTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBOGhNVXAyemsva1h1UQpzR0Q5b3VLOEwvVEZWTWJlK2oyOXBtUmpkcThVUjJ0Q3VEa3A1QUhVMFZjbHlyQmd5U282UW5TY2t3bG9oMTN0CmFiMDNKYi9VNit6clR3U3VBdG9oeGlObWI3NXluZjJmanZ4djhGS0RYZnZvZ3R0aVBHNzNuWXlPcEcwODdqZCsKaHRzcERDYmRTYlJ4eGUrejZsb2lZZ1F0TExSOW10WnhjWTZhSXdsVkZ5MmQyekpZdFNJSnNLeHFCMk4zT0t1MgpsNUlBTGYyaGhjNENya3RrTnR5ZHRIUitrdll2Ny95UjloTWF3MTBPWVUxcUpaQnU3UEdlTXc4emtUWXRka0NjCmo3UlEwRjN5RSs4RVVqdmZ2RGVsUERZUWRqWkJwTlNjUmc1MHdzYXRwN0krRXhvVjFiUGtvM2ZsQkZ0N1lWYzkKVEloZWVndWEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    server: https:\/\/192.168.2.135:6443\n  name: kubernetes\ncontexts: null\ncurrent-context: \"\"\nkind: Config\npreferences: {}\nusers: null<\/code><\/pre>\n\n\n\n
2.\u8bbe\u7f6e\u5ba2\u6237\u7aef\u8ba4\u8bc1\u53c2\u6570<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl config set-credentials system:kube-controller-manager --client-certificate=kube-controller-manager.pem --client-key=kube-controller-manager-key.pem --embed-certs=true --kubeconfig=kube-controller-manager.kubeconfig\nUser \"system:kube-controller-manager\" set.\n\n\nroot@k8s-master1:\/data\/work# cat kube-controller-manager.kubeconfig\napiVersion: v1\nclusters:\n- cluster:\n    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURrakNDQW5xZ0F3SUJBZ0lVWk1XQ2lJT3NGVGVKYm9WR2VQOG8vOTYyb1Y0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RGpBTUJnTlZCQWdUQlVoMVltVnBNUTR3REFZRFZRUUhFd1ZYZFdoaApiakVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WnplWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SGhjTk1qUXdPREEzTURFeE5EQXdXaGNOTXpRd09EQTFNREV4TkRBd1dqQmhNUXN3Q1FZRFZRUUcKRXdKRFRqRU9NQXdHQTFVRUNCTUZTSFZpWldreERqQU1CZ05WQkFjVEJWZDFhR0Z1TVF3d0NnWURWUVFLRXdOcgpPSE14RHpBTkJnTlZCQXNUQm5ONWMzUmxiVEVUTUJFR0ExVUVBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU1VN2FTanJQOExsT2FLcjRCdUIrRVlLSDA4Q3lrOHAKUTc1WUJHWUVINWxrVVpRVkFBSG9wM3p3SUxuMVczL2dRNVdURXY1dmpzbVAzY3JBRk5EVWU0U0pTNTZPQjlMRApsVjdNWVNpeGRHMERLeGdQZjVVNVNBQTFrbWg1L2h3R25TK0FnSTBlZzhnWHMrTms3Ym5rSFNFazZHRlZGczVEClk5NmlmTVMrOFFaVWhMOHpKcmlQYUc3NjZ1MXZRRTZUVjcyUytOVnNVNlB1SmlGTnorbC9YeHNNV21VV3R0SDYKM1ZxWTZrSTBUUDdwZ3BDV3VabkoyYTEzLzdGWVlVNE5sd1A2MDlvZnBkMHNndjV3NitwZGptdnNnNWFSRWk4VgpMUUM3N3IrSHgxVER5L1QzQ2J4Y3E3UytwY29LV25ndXNLUDRTMmt4U283VUE4L0dzak9vS2o4Q0F3RUFBYU5DCk1FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZFSkkKbTd6MG9HV09HRzl5NEpvYjJCVnp2R3UwTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBOGhNVXAyemsva1h1UQpzR0Q5b3VLOEwvVEZWTWJlK2oyOXBtUmpkcThVUjJ0Q3VEa3A1QUhVMFZjbHlyQmd5U282UW5TY2t3bG9oMTN0CmFiMDNKYi9VNit6clR3U3VBdG9oeGlObWI3NXluZjJmanZ4djhGS0RYZnZvZ3R0aVBHNzNuWXlPcEcwODdqZCsKaHRzcERDYmRTYlJ4eGUrejZsb2lZZ1F0TExSOW10WnhjWTZhSXdsVkZ5MmQyekpZdFNJSnNLeHFCMk4zT0t1MgpsNUlBTGYyaGhjNENya3RrTnR5ZHRIUitrdll2Ny95UjloTWF3MTBPWVUxcUpaQnU3UEdlTXc4emtUWXRka0NjCmo3UlEwRjN5RSs4RVVqdmZ2RGVsUERZUWRqWkJwTlNjUmc1MHdzYXRwN0krRXhvVjFiUGtvM2ZsQkZ0N1lWYzkKVEloZWVndWEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    server: https:\/\/192.168.2.135:6443\n  name: kubernetes\ncontexts: null\ncurrent-context: \"\"\nkind: Config\npreferences: {}\nusers:\n- name: system:kube-controller-manager\n  user:\n    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVLakNDQXhLZ0F3SUJBZ0lVY1haeWNqZU16Vnh4WVFxUmxQc1kwbmdhd20wd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RGpBTUJnTlZCQWdUQlVoMVltVnBNUTR3REFZRFZRUUhFd1ZYZFdoaApiakVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WnplWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SGhjTk1qUXdPREE0TURFeE5qQXdXaGNOTXpRd09EQTJNREV4TmpBd1dqQ0JrREVMTUFrR0ExVUUKQmhNQ1EwNHhEakFNQmdOVkJBZ1RCVWgxWW1WcE1RNHdEQVlEVlFRSEV3VlhkV2hoYmpFbk1DVUdBMVVFQ2hNZQpjM2x6ZEdWdE9tdDFZbVV0WTI5dWRISnZiR3hsY2kxdFlXNWhaMlZ5TVE4d0RRWURWUVFMRXdaemVYTjBaVzB4Ckp6QWxCZ05WQkFNVEhuTjVjM1JsYlRwcmRXSmxMV052Ym5SeWIyeHNaWEl0YldGdVlXZGxjakNDQVNJd0RRWUoKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTnhJL3lPUGpBQThrWFQvbytLWEpVMUZHZzNmMVM0SQpRV3BXMGVVODdtTCtHVG01SGVxekppcjRUb1lUQnR6T09rKzZXSFFGVjlJOVdvZVNHa0h6VjJGUGhOam5SODRoCjJpc3liQ05tZTZLdHMxRGxMNW83THYyeVg2d0JRQ3NhSG1HeERhdUZINkdDSmxqVEhrblAwbVlRTXlabVl0aWIKbHEvUnd6OVZsVm1MYWd5K3lkV0M3Q0lSNnlQbXdPNWIwUkRoZjQ4S0VVbWpZWlp4QWJBYmVCakhiL1NFYnFsaApqYkVLS3IyeEtpZnhITG8waVlDbnArdk1GcUVNNWJWQnBNY1BrU2kyME85d1hPN0JSK25rV2NaUHRlUkZ1aWltCjh0OEpFYTNTQk5jZHE4bXBnUnI5bU0vWDJQMG94VE51V2JlbFdLdlVEcUJEVVBaZFhSR0FiUmtDQXdFQUFhT0IKcVRDQnBqQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUdDQ3NHQVFVRgpCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdIUVlEVlIwT0JCWUVGRm1ZUGVsUXRWTHlUUzc2cERXb1U5QzNNMFlZCk1COEdBMVVkSXdRWU1CYUFGRUpJbTd6MG9HV09HRzl5NEpvYjJCVnp2R3UwTUNjR0ExVWRFUVFnTUI2SEJIOEEKQUFHSEJNQ29Cd3FIQk1Db0J3dUhCTUNvQncySEJNQ29CMk13RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUNuNApGQ1d2SDBHN3V6YnJMcXd1ZklIenhSZ1M4UlJjZXdiWEhVOHFYVEtQZVBYZXFub3h2L1NaLzhIN2lKM2hOa2FNCk5Bbmc3VGF5RVdHRGtHeitibVMxemJGb2k5Y0R0TngyNTk1bWcxcnFWL2xmZWJLTThJTm5wcUxkN2ZSMkNPSWEKMTJVNVdXOVhBa0xXeUp4TXBZUytlRjc3UU52NTYvU3pidHpFbzA4VnFIVG1ydDVSUXRDTGNoajI1RDNodW53UgpEUGlzei9jcXluWGR3bC9TQjlnNUEwWWRveXloKzhqMko0eDNaSTU1UURkeDZieFAyQTEyR0FqRGYwY0diN0lSCjJIRlhlUDl6azRnWXUzWHVRRkxlb1MwL3Z3V3pkMTFjOEpLeEs4UE16TndsckpzR1VMOTk5eUZBakY5Y3RNcnQKdFFuc0FBbjY1Um43cS9jdXlzST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBM0VqL0k0K01BRHlSZFArajRwY2xUVVVhRGQvVkxnaEJhbGJSNVR6dVl2NFpPYmtkCjZyTW1LdmhPaGhNRzNNNDZUN3BZZEFWWDBqMWFoNUlhUWZOWFlVK0UyT2RIemlIYUt6SnNJMlo3b3EyelVPVXYKbWpzdS9iSmZyQUZBS3hvZVliRU5xNFVmb1lJbVdOTWVTYy9TWmhBekptWmkySnVXcjlIRFAxV1ZXWXRxREw3SgoxWUxzSWhIckkrYkE3bHZSRU9GL2p3b1JTYU5obG5FQnNCdDRHTWR2OUlSdXFXR05zUW9xdmJFcUovRWN1alNKCmdLZW42OHdXb1F6bHRVR2t4dytSS0xiUTczQmM3c0ZINmVSWnhrKzE1RVc2S0tieTN3a1JyZElFMXgycnlhbUIKR3YyWXo5ZlkvU2pGTTI1WnQ2VllxOVFPb0VOUTlsMWRFWUJ0R1FJREFRQUJBb0lCQUhITi9KSWduUkdhT1FPYQo5czRmakJQcGVWWmxwenNLNU5ETlhjN3l0YTNLM0xsbm03OGZJcjdjWGFVQ3UyN2oxRmhRUzFaVlZGTzNnc2U3CmdYbEZBSVd6a1V5RjRDRHNlRXdNMXJWTFF1QitvTDlRU0ZHRDlmajNhRm55bzNZaEhrVVdOWnZCUU9BdDN5WFEKbkR0QjlNN3AyNk1oRGp3ZDFiR3J5eFV6WDk5TUkvSTJaREZZakwvMkpQMDNsb0JaRWltbG94cGRaQ1UzWHhnUQp5NFFDdHp1ZWV5RFVvVzFJTm5DM0VIeHcyalZKWmp4d29PNmUvMHpUTTBxeGN2Vm85bDhkUlk1dk5BSnhydVh6CitES3Z6MDA0b2Q4b3loNXF0MGEyS2l4dWdqRnJuOVNLVnI3anJlNDc4VFNkSllBeGp0SFJQVVRZRmVEQUNOM0cKMTJSZEF3RUNnWUVBNzVkemVFMmVLamlkaUY3Rk9PMXlhMVpudEJQQkRLamRPOTZYV1JpVmw0dU85UGhGdkZnVwpMQ3pJelhXa05Ic1V1N1YybDhnanh2MTZ0SzlQL2ZiN1NVMEJxRmpQOGY3aXVESWRWSHJVNVZLUm9qRWJOYUlJCk95KzMyVzMwaTkvRkRkSDFBM0J3bUt1MXNVMXlPVHU1cVpUQUZIczdveTZrUWc0ZzcrR2U4bkVDZ1lFQTYxOFAKOWk1U0N4VlU5SVZBV2h2Y3dHVDJaUEI5OE85Q3dBYndZOXM4eUlGU1lQTlRJN2ZMUVNZSXRWY3BtSVhWZ0lpdwptS1NSM2ZmbXhaR1dOZktZOUlwMjRaSW5MbWlJaldnS29NV3A5TXk0Z1BrT0RHY2hOUmlDamxsNkFyS2VQb3Z4CnpRQ0FPejBPTHVGWE8yY1dHSjVwVldJRTFyNDYzT1owTUFKdnFTa0NnWUVBaGpWNU9pK0laTEE0RmxhMzlXNlYKQkdsdlIrRTA1NG1EKy9CeEtUaHJPMnV5bGFpcEw1ck1PTXlSWXYzK0VHUE50bVFzM1ZNQUw0eDMrdFNsWTJiQgpWa3NybllpNld4MWpGTGtGMHZmSFgvb0RtQzRYeHRCUCtnOTkxZThRNkhWZHBhTXhzMDU5MUJlRGZLRWNWZEVOCjdGOWx4Vk5Pa2RjanJkaktQSFZQR3hFQ2dZRUFyaFpVdnZnSnRLcmxlQ25xcS9zNXJvKytjbkF5Sm5kQS9yamoKS21ob3I4Qi9CcmhTUVBQYkFPZTV2eTZsMUdzQXZCM2R5RGpJcnMyQndaVnA3YUx1b01pZEgwQXpmSzdTZVF4Lwo5K1BiVGZYeGJXdElpY0hwbk5UeEU0cDRwUEFwL1FjVEpGWi9nZEVwNFdESVhXWmt3SGJDWCtXc3dJeFpDelBrCnNmSExWdWtDZ1lBVTIycVNncjUxdFd0TnFIT0d6MVdPTHRwYllNSEo2QWR1OG9oUUhORU9yMHhJU3VHWGdRRnAKZm9TZ3BEcXVTRWZQVUt2cGI2ZkIxQVUra1F3NUJNTGJpOFEzbVRFM3lRYnRPZ3dhODZjL3lURWhZZGJDNGVJOQpqVlBDR3NJcWtaL0NQZU84cGhKTEI0VjFIK1ljSGJPU1I2VTJPS01BSFdob1NrNm5iaHMxWmc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=<\/code><\/pre>\n\n\n\n
3.\u8bbe\u7f6e\u4e0a\u4e0b\u6587\u53c2\u6570<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl config set-context system:kube-controller-manager --cluster=kubernetes --user=system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig\nContext \"system:kube-controller-manager\" created.\nroot@k8s-master1:\/data\/work# cat kube-controller-manager.kubeconfig\napiVersion: v1\nclusters:\n- cluster:\n    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURrakNDQW5xZ0F3SUJBZ0lVWk1XQ2lJT3NGVGVKYm9WR2VQOG8vOTYyb1Y0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RGpBTUJnTlZCQWdUQlVoMVltVnBNUTR3REFZRFZRUUhFd1ZYZFdoaApiakVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WnplWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SGhjTk1qUXdPREEzTURFeE5EQXdXaGNOTXpRd09EQTFNREV4TkRBd1dqQmhNUXN3Q1FZRFZRUUcKRXdKRFRqRU9NQXdHQTFVRUNCTUZTSFZpWldreERqQU1CZ05WQkFjVEJWZDFhR0Z1TVF3d0NnWURWUVFLRXdOcgpPSE14RHpBTkJnTlZCQXNUQm5ONWMzUmxiVEVUTUJFR0ExVUVBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU1VN2FTanJQOExsT2FLcjRCdUIrRVlLSDA4Q3lrOHAKUTc1WUJHWUVINWxrVVpRVkFBSG9wM3p3SUxuMVczL2dRNVdURXY1dmpzbVAzY3JBRk5EVWU0U0pTNTZPQjlMRApsVjdNWVNpeGRHMERLeGdQZjVVNVNBQTFrbWg1L2h3R25TK0FnSTBlZzhnWHMrTms3Ym5rSFNFazZHRlZGczVEClk5NmlmTVMrOFFaVWhMOHpKcmlQYUc3NjZ1MXZRRTZUVjcyUytOVnNVNlB1SmlGTnorbC9YeHNNV21VV3R0SDYKM1ZxWTZrSTBUUDdwZ3BDV3VabkoyYTEzLzdGWVlVNE5sd1A2MDlvZnBkMHNndjV3NitwZGptdnNnNWFSRWk4VgpMUUM3N3IrSHgxVER5L1QzQ2J4Y3E3UytwY29LV25ndXNLUDRTMmt4U283VUE4L0dzak9vS2o4Q0F3RUFBYU5DCk1FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZFSkkKbTd6MG9HV09HRzl5NEpvYjJCVnp2R3UwTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBOGhNVXAyemsva1h1UQpzR0Q5b3VLOEwvVEZWTWJlK2oyOXBtUmpkcThVUjJ0Q3VEa3A1QUhVMFZjbHlyQmd5U282UW5TY2t3bG9oMTN0CmFiMDNKYi9VNit6clR3U3VBdG9oeGlObWI3NXluZjJmanZ4djhGS0RYZnZvZ3R0aVBHNzNuWXlPcEcwODdqZCsKaHRzcERDYmRTYlJ4eGUrejZsb2lZZ1F0TExSOW10WnhjWTZhSXdsVkZ5MmQyekpZdFNJSnNLeHFCMk4zT0t1MgpsNUlBTGYyaGhjNENya3RrTnR5ZHRIUitrdll2Ny95UjloTWF3MTBPWVUxcUpaQnU3UEdlTXc4emtUWXRka0NjCmo3UlEwRjN5RSs4RVVqdmZ2RGVsUERZUWRqWkJwTlNjUmc1MHdzYXRwN0krRXhvVjFiUGtvM2ZsQkZ0N1lWYzkKVEloZWVndWEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    server: https:\/\/192.168.2.135:6443\n  name: kubernetes\ncontexts:\n- context:\n    cluster: kubernetes\n    user: system:kube-controller-manager\n  name: system:kube-controller-manager\ncurrent-context: \"\"\nkind: Config\npreferences: {}\nusers:\n- name: system:kube-controller-manager\n  user:\n    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVLakNDQXhLZ0F3SUJBZ0lVY1haeWNqZU16Vnh4WVFxUmxQc1kwbmdhd20wd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RGpBTUJnTlZCQWdUQlVoMVltVnBNUTR3REFZRFZRUUhFd1ZYZFdoaApiakVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WnplWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SGhjTk1qUXdPREE0TURFeE5qQXdXaGNOTXpRd09EQTJNREV4TmpBd1dqQ0JrREVMTUFrR0ExVUUKQmhNQ1EwNHhEakFNQmdOVkJBZ1RCVWgxWW1WcE1RNHdEQVlEVlFRSEV3VlhkV2hoYmpFbk1DVUdBMVVFQ2hNZQpjM2x6ZEdWdE9tdDFZbVV0WTI5dWRISnZiR3hsY2kxdFlXNWhaMlZ5TVE4d0RRWURWUVFMRXdaemVYTjBaVzB4Ckp6QWxCZ05WQkFNVEhuTjVjM1JsYlRwcmRXSmxMV052Ym5SeWIyeHNaWEl0YldGdVlXZGxjakNDQVNJd0RRWUoKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTnhJL3lPUGpBQThrWFQvbytLWEpVMUZHZzNmMVM0SQpRV3BXMGVVODdtTCtHVG01SGVxekppcjRUb1lUQnR6T09rKzZXSFFGVjlJOVdvZVNHa0h6VjJGUGhOam5SODRoCjJpc3liQ05tZTZLdHMxRGxMNW83THYyeVg2d0JRQ3NhSG1HeERhdUZINkdDSmxqVEhrblAwbVlRTXlabVl0aWIKbHEvUnd6OVZsVm1MYWd5K3lkV0M3Q0lSNnlQbXdPNWIwUkRoZjQ4S0VVbWpZWlp4QWJBYmVCakhiL1NFYnFsaApqYkVLS3IyeEtpZnhITG8waVlDbnArdk1GcUVNNWJWQnBNY1BrU2kyME85d1hPN0JSK25rV2NaUHRlUkZ1aWltCjh0OEpFYTNTQk5jZHE4bXBnUnI5bU0vWDJQMG94VE51V2JlbFdLdlVEcUJEVVBaZFhSR0FiUmtDQXdFQUFhT0IKcVRDQnBqQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUdDQ3NHQVFVRgpCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdIUVlEVlIwT0JCWUVGRm1ZUGVsUXRWTHlUUzc2cERXb1U5QzNNMFlZCk1COEdBMVVkSXdRWU1CYUFGRUpJbTd6MG9HV09HRzl5NEpvYjJCVnp2R3UwTUNjR0ExVWRFUVFnTUI2SEJIOEEKQUFHSEJNQ29Cd3FIQk1Db0J3dUhCTUNvQncySEJNQ29CMk13RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUNuNApGQ1d2SDBHN3V6YnJMcXd1ZklIenhSZ1M4UlJjZXdiWEhVOHFYVEtQZVBYZXFub3h2L1NaLzhIN2lKM2hOa2FNCk5Bbmc3VGF5RVdHRGtHeitibVMxemJGb2k5Y0R0TngyNTk1bWcxcnFWL2xmZWJLTThJTm5wcUxkN2ZSMkNPSWEKMTJVNVdXOVhBa0xXeUp4TXBZUytlRjc3UU52NTYvU3pidHpFbzA4VnFIVG1ydDVSUXRDTGNoajI1RDNodW53UgpEUGlzei9jcXluWGR3bC9TQjlnNUEwWWRveXloKzhqMko0eDNaSTU1UURkeDZieFAyQTEyR0FqRGYwY0diN0lSCjJIRlhlUDl6azRnWXUzWHVRRkxlb1MwL3Z3V3pkMTFjOEpLeEs4UE16TndsckpzR1VMOTk5eUZBakY5Y3RNcnQKdFFuc0FBbjY1Um43cS9jdXlzST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBM0VqL0k0K01BRHlSZFArajRwY2xUVVVhRGQvVkxnaEJhbGJSNVR6dVl2NFpPYmtkCjZyTW1LdmhPaGhNRzNNNDZUN3BZZEFWWDBqMWFoNUlhUWZOWFlVK0UyT2RIemlIYUt6SnNJMlo3b3EyelVPVXYKbWpzdS9iSmZyQUZBS3hvZVliRU5xNFVmb1lJbVdOTWVTYy9TWmhBekptWmkySnVXcjlIRFAxV1ZXWXRxREw3SgoxWUxzSWhIckkrYkE3bHZSRU9GL2p3b1JTYU5obG5FQnNCdDRHTWR2OUlSdXFXR05zUW9xdmJFcUovRWN1alNKCmdLZW42OHdXb1F6bHRVR2t4dytSS0xiUTczQmM3c0ZINmVSWnhrKzE1RVc2S0tieTN3a1JyZElFMXgycnlhbUIKR3YyWXo5ZlkvU2pGTTI1WnQ2VllxOVFPb0VOUTlsMWRFWUJ0R1FJREFRQUJBb0lCQUhITi9KSWduUkdhT1FPYQo5czRmakJQcGVWWmxwenNLNU5ETlhjN3l0YTNLM0xsbm03OGZJcjdjWGFVQ3UyN2oxRmhRUzFaVlZGTzNnc2U3CmdYbEZBSVd6a1V5RjRDRHNlRXdNMXJWTFF1QitvTDlRU0ZHRDlmajNhRm55bzNZaEhrVVdOWnZCUU9BdDN5WFEKbkR0QjlNN3AyNk1oRGp3ZDFiR3J5eFV6WDk5TUkvSTJaREZZakwvMkpQMDNsb0JaRWltbG94cGRaQ1UzWHhnUQp5NFFDdHp1ZWV5RFVvVzFJTm5DM0VIeHcyalZKWmp4d29PNmUvMHpUTTBxeGN2Vm85bDhkUlk1dk5BSnhydVh6CitES3Z6MDA0b2Q4b3loNXF0MGEyS2l4dWdqRnJuOVNLVnI3anJlNDc4VFNkSllBeGp0SFJQVVRZRmVEQUNOM0cKMTJSZEF3RUNnWUVBNzVkemVFMmVLamlkaUY3Rk9PMXlhMVpudEJQQkRLamRPOTZYV1JpVmw0dU85UGhGdkZnVwpMQ3pJelhXa05Ic1V1N1YybDhnanh2MTZ0SzlQL2ZiN1NVMEJxRmpQOGY3aXVESWRWSHJVNVZLUm9qRWJOYUlJCk95KzMyVzMwaTkvRkRkSDFBM0J3bUt1MXNVMXlPVHU1cVpUQUZIczdveTZrUWc0ZzcrR2U4bkVDZ1lFQTYxOFAKOWk1U0N4VlU5SVZBV2h2Y3dHVDJaUEI5OE85Q3dBYndZOXM4eUlGU1lQTlRJN2ZMUVNZSXRWY3BtSVhWZ0lpdwptS1NSM2ZmbXhaR1dOZktZOUlwMjRaSW5MbWlJaldnS29NV3A5TXk0Z1BrT0RHY2hOUmlDamxsNkFyS2VQb3Z4CnpRQ0FPejBPTHVGWE8yY1dHSjVwVldJRTFyNDYzT1owTUFKdnFTa0NnWUVBaGpWNU9pK0laTEE0RmxhMzlXNlYKQkdsdlIrRTA1NG1EKy9CeEtUaHJPMnV5bGFpcEw1ck1PTXlSWXYzK0VHUE50bVFzM1ZNQUw0eDMrdFNsWTJiQgpWa3NybllpNld4MWpGTGtGMHZmSFgvb0RtQzRYeHRCUCtnOTkxZThRNkhWZHBhTXhzMDU5MUJlRGZLRWNWZEVOCjdGOWx4Vk5Pa2RjanJkaktQSFZQR3hFQ2dZRUFyaFpVdnZnSnRLcmxlQ25xcS9zNXJvKytjbkF5Sm5kQS9yamoKS21ob3I4Qi9CcmhTUVBQYkFPZTV2eTZsMUdzQXZCM2R5RGpJcnMyQndaVnA3YUx1b01pZEgwQXpmSzdTZVF4Lwo5K1BiVGZYeGJXdElpY0hwbk5UeEU0cDRwUEFwL1FjVEpGWi9nZEVwNFdESVhXWmt3SGJDWCtXc3dJeFpDelBrCnNmSExWdWtDZ1lBVTIycVNncjUxdFd0TnFIT0d6MVdPTHRwYllNSEo2QWR1OG9oUUhORU9yMHhJU3VHWGdRRnAKZm9TZ3BEcXVTRWZQVUt2cGI2ZkIxQVUra1F3NUJNTGJpOFEzbVRFM3lRYnRPZ3dhODZjL3lURWhZZGJDNGVJOQpqVlBDR3NJcWtaL0NQZU84cGhKTEI0VjFIK1ljSGJPU1I2VTJPS01BSFdob1NrNm5iaHMxWmc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=<\/code><\/pre>\n\n\n\n
4.\u8bbe\u7f6e\u5f53\u524d\u4e0a\u4e0b\u6587<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl config use-context system:kube-controller-manager --kubeconfig=kube-controller-manager.kubeconfig\nSwitched to context \"system:kube-controller-manager\".\nroot@k8s-master1:\/data\/work# cat kube-controller-manager.kubeconfig                                                                   \napiVersion: v1\nclusters:\n- cluster:\n    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURrakNDQW5xZ0F3SUJBZ0lVWk1XQ2lJT3NGVGVKYm9WR2VQOG8vOTYyb1Y0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RGpBTUJnTlZCQWdUQlVoMVltVnBNUTR3REFZRFZRUUhFd1ZYZFdoaApiakVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WnplWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SGhjTk1qUXdPREEzTURFeE5EQXdXaGNOTXpRd09EQTFNREV4TkRBd1dqQmhNUXN3Q1FZRFZRUUcKRXdKRFRqRU9NQXdHQTFVRUNCTUZTSFZpWldreERqQU1CZ05WQkFjVEJWZDFhR0Z1TVF3d0NnWURWUVFLRXdOcgpPSE14RHpBTkJnTlZCQXNUQm5ONWMzUmxiVEVUTUJFR0ExVUVBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU1VN2FTanJQOExsT2FLcjRCdUIrRVlLSDA4Q3lrOHAKUTc1WUJHWUVINWxrVVpRVkFBSG9wM3p3SUxuMVczL2dRNVdURXY1dmpzbVAzY3JBRk5EVWU0U0pTNTZPQjlMRApsVjdNWVNpeGRHMERLeGdQZjVVNVNBQTFrbWg1L2h3R25TK0FnSTBlZzhnWHMrTms3Ym5rSFNFazZHRlZGczVEClk5NmlmTVMrOFFaVWhMOHpKcmlQYUc3NjZ1MXZRRTZUVjcyUytOVnNVNlB1SmlGTnorbC9YeHNNV21VV3R0SDYKM1ZxWTZrSTBUUDdwZ3BDV3VabkoyYTEzLzdGWVlVNE5sd1A2MDlvZnBkMHNndjV3NitwZGptdnNnNWFSRWk4VgpMUUM3N3IrSHgxVER5L1QzQ2J4Y3E3UytwY29LV25ndXNLUDRTMmt4U283VUE4L0dzak9vS2o4Q0F3RUFBYU5DCk1FQXdEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZFSkkKbTd6MG9HV09HRzl5NEpvYjJCVnp2R3UwTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBOGhNVXAyemsva1h1UQpzR0Q5b3VLOEwvVEZWTWJlK2oyOXBtUmpkcThVUjJ0Q3VEa3A1QUhVMFZjbHlyQmd5U282UW5TY2t3bG9oMTN0CmFiMDNKYi9VNit6clR3U3VBdG9oeGlObWI3NXluZjJmanZ4djhGS0RYZnZvZ3R0aVBHNzNuWXlPcEcwODdqZCsKaHRzcERDYmRTYlJ4eGUrejZsb2lZZ1F0TExSOW10WnhjWTZhSXdsVkZ5MmQyekpZdFNJSnNLeHFCMk4zT0t1MgpsNUlBTGYyaGhjNENya3RrTnR5ZHRIUitrdll2Ny95UjloTWF3MTBPWVUxcUpaQnU3UEdlTXc4emtUWXRka0NjCmo3UlEwRjN5RSs4RVVqdmZ2RGVsUERZUWRqWkJwTlNjUmc1MHdzYXRwN0krRXhvVjFiUGtvM2ZsQkZ0N1lWYzkKVEloZWVndWEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    server: https:\/\/192.168.2.135:6443\n  name: kubernetes\ncontexts:\n- context:\n    cluster: kubernetes\n    user: system:kube-controller-manager\n  name: system:kube-controller-manager\ncurrent-context: system:kube-controller-manager\nkind: Config\npreferences: {}\nusers:\n- name: system:kube-controller-manager\n  user:\n    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVLakNDQXhLZ0F3SUJBZ0lVY1haeWNqZU16Vnh4WVFxUmxQc1kwbmdhd20wd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RGpBTUJnTlZCQWdUQlVoMVltVnBNUTR3REFZRFZRUUhFd1ZYZFdoaApiakVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WnplWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SGhjTk1qUXdPREE0TURFeE5qQXdXaGNOTXpRd09EQTJNREV4TmpBd1dqQ0JrREVMTUFrR0ExVUUKQmhNQ1EwNHhEakFNQmdOVkJBZ1RCVWgxWW1WcE1RNHdEQVlEVlFRSEV3VlhkV2hoYmpFbk1DVUdBMVVFQ2hNZQpjM2x6ZEdWdE9tdDFZbVV0WTI5dWRISnZiR3hsY2kxdFlXNWhaMlZ5TVE4d0RRWURWUVFMRXdaemVYTjBaVzB4Ckp6QWxCZ05WQkFNVEhuTjVjM1JsYlRwcmRXSmxMV052Ym5SeWIyeHNaWEl0YldGdVlXZGxjakNDQVNJd0RRWUoKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTnhJL3lPUGpBQThrWFQvbytLWEpVMUZHZzNmMVM0SQpRV3BXMGVVODdtTCtHVG01SGVxekppcjRUb1lUQnR6T09rKzZXSFFGVjlJOVdvZVNHa0h6VjJGUGhOam5SODRoCjJpc3liQ05tZTZLdHMxRGxMNW83THYyeVg2d0JRQ3NhSG1HeERhdUZINkdDSmxqVEhrblAwbVlRTXlabVl0aWIKbHEvUnd6OVZsVm1MYWd5K3lkV0M3Q0lSNnlQbXdPNWIwUkRoZjQ4S0VVbWpZWlp4QWJBYmVCakhiL1NFYnFsaApqYkVLS3IyeEtpZnhITG8waVlDbnArdk1GcUVNNWJWQnBNY1BrU2kyME85d1hPN0JSK25rV2NaUHRlUkZ1aWltCjh0OEpFYTNTQk5jZHE4bXBnUnI5bU0vWDJQMG94VE51V2JlbFdLdlVEcUJEVVBaZFhSR0FiUmtDQXdFQUFhT0IKcVRDQnBqQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUdDQ3NHQVFVRgpCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdIUVlEVlIwT0JCWUVGRm1ZUGVsUXRWTHlUUzc2cERXb1U5QzNNMFlZCk1COEdBMVVkSXdRWU1CYUFGRUpJbTd6MG9HV09HRzl5NEpvYjJCVnp2R3UwTUNjR0ExVWRFUVFnTUI2SEJIOEEKQUFHSEJNQ29Cd3FIQk1Db0J3dUhCTUNvQncySEJNQ29CMk13RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUNuNApGQ1d2SDBHN3V6YnJMcXd1ZklIenhSZ1M4UlJjZXdiWEhVOHFYVEtQZVBYZXFub3h2L1NaLzhIN2lKM2hOa2FNCk5Bbmc3VGF5RVdHRGtHeitibVMxemJGb2k5Y0R0TngyNTk1bWcxcnFWL2xmZWJLTThJTm5wcUxkN2ZSMkNPSWEKMTJVNVdXOVhBa0xXeUp4TXBZUytlRjc3UU52NTYvU3pidHpFbzA4VnFIVG1ydDVSUXRDTGNoajI1RDNodW53UgpEUGlzei9jcXluWGR3bC9TQjlnNUEwWWRveXloKzhqMko0eDNaSTU1UURkeDZieFAyQTEyR0FqRGYwY0diN0lSCjJIRlhlUDl6azRnWXUzWHVRRkxlb1MwL3Z3V3pkMTFjOEpLeEs4UE16TndsckpzR1VMOTk5eUZBakY5Y3RNcnQKdFFuc0FBbjY1Um43cS9jdXlzST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=\n    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBM0VqL0k0K01BRHlSZFArajRwY2xUVVVhRGQvVkxnaEJhbGJSNVR6dVl2NFpPYmtkCjZyTW1LdmhPaGhNRzNNNDZUN3BZZEFWWDBqMWFoNUlhUWZOWFlVK0UyT2RIemlIYUt6SnNJMlo3b3EyelVPVXYKbWpzdS9iSmZyQUZBS3hvZVliRU5xNFVmb1lJbVdOTWVTYy9TWmhBekptWmkySnVXcjlIRFAxV1ZXWXRxREw3SgoxWUxzSWhIckkrYkE3bHZSRU9GL2p3b1JTYU5obG5FQnNCdDRHTWR2OUlSdXFXR05zUW9xdmJFcUovRWN1alNKCmdLZW42OHdXb1F6bHRVR2t4dytSS0xiUTczQmM3c0ZINmVSWnhrKzE1RVc2S0tieTN3a1JyZElFMXgycnlhbUIKR3YyWXo5ZlkvU2pGTTI1WnQ2VllxOVFPb0VOUTlsMWRFWUJ0R1FJREFRQUJBb0lCQUhITi9KSWduUkdhT1FPYQo5czRmakJQcGVWWmxwenNLNU5ETlhjN3l0YTNLM0xsbm03OGZJcjdjWGFVQ3UyN2oxRmhRUzFaVlZGTzNnc2U3CmdYbEZBSVd6a1V5RjRDRHNlRXdNMXJWTFF1QitvTDlRU0ZHRDlmajNhRm55bzNZaEhrVVdOWnZCUU9BdDN5WFEKbkR0QjlNN3AyNk1oRGp3ZDFiR3J5eFV6WDk5TUkvSTJaREZZakwvMkpQMDNsb0JaRWltbG94cGRaQ1UzWHhnUQp5NFFDdHp1ZWV5RFVvVzFJTm5DM0VIeHcyalZKWmp4d29PNmUvMHpUTTBxeGN2Vm85bDhkUlk1dk5BSnhydVh6CitES3Z6MDA0b2Q4b3loNXF0MGEyS2l4dWdqRnJuOVNLVnI3anJlNDc4VFNkSllBeGp0SFJQVVRZRmVEQUNOM0cKMTJSZEF3RUNnWUVBNzVkemVFMmVLamlkaUY3Rk9PMXlhMVpudEJQQkRLamRPOTZYV1JpVmw0dU85UGhGdkZnVwpMQ3pJelhXa05Ic1V1N1YybDhnanh2MTZ0SzlQL2ZiN1NVMEJxRmpQOGY3aXVESWRWSHJVNVZLUm9qRWJOYUlJCk95KzMyVzMwaTkvRkRkSDFBM0J3bUt1MXNVMXlPVHU1cVpUQUZIczdveTZrUWc0ZzcrR2U4bkVDZ1lFQTYxOFAKOWk1U0N4VlU5SVZBV2h2Y3dHVDJaUEI5OE85Q3dBYndZOXM4eUlGU1lQTlRJN2ZMUVNZSXRWY3BtSVhWZ0lpdwptS1NSM2ZmbXhaR1dOZktZOUlwMjRaSW5MbWlJaldnS29NV3A5TXk0Z1BrT0RHY2hOUmlDamxsNkFyS2VQb3Z4CnpRQ0FPejBPTHVGWE8yY1dHSjVwVldJRTFyNDYzT1owTUFKdnFTa0NnWUVBaGpWNU9pK0laTEE0RmxhMzlXNlYKQkdsdlIrRTA1NG1EKy9CeEtUaHJPMnV5bGFpcEw1ck1PTXlSWXYzK0VHUE50bVFzM1ZNQUw0eDMrdFNsWTJiQgpWa3NybllpNld4MWpGTGtGMHZmSFgvb0RtQzRYeHRCUCtnOTkxZThRNkhWZHBhTXhzMDU5MUJlRGZLRWNWZEVOCjdGOWx4Vk5Pa2RjanJkaktQSFZQR3hFQ2dZRUFyaFpVdnZnSnRLcmxlQ25xcS9zNXJvKytjbkF5Sm5kQS9yamoKS21ob3I4Qi9CcmhTUVBQYkFPZTV2eTZsMUdzQXZCM2R5RGpJcnMyQndaVnA3YUx1b01pZEgwQXpmSzdTZVF4Lwo5K1BiVGZYeGJXdElpY0hwbk5UeEU0cDRwUEFwL1FjVEpGWi9nZEVwNFdESVhXWmt3SGJDWCtXc3dJeFpDelBrCnNmSExWdWtDZ1lBVTIycVNncjUxdFd0TnFIT0d6MVdPTHRwYllNSEo2QWR1OG9oUUhORU9yMHhJU3VHWGdRRnAKZm9TZ3BEcXVTRWZQVUt2cGI2ZkIxQVUra1F3NUJNTGJpOFEzbVRFM3lRYnRPZ3dhODZjL3lURWhZZGJDNGVJOQpqVlBDR3NJcWtaL0NQZU84cGhKTEI0VjFIK1ljSGJPU1I2VTJPS01BSFdob1NrNm5iaHMxWmc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=<\/code><\/pre>\n\n\n\n
\u521b\u5efakube-controller-manager\u914d\u7f6e\u6587\u4ef6<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat >kube-controller-manager.conf\nKUBE_CONTROLLER_MANAGER_OPTS=\"--port=0 \\\n  --secure-port=10257 \\\n  --bind-address=127.0.0.1 \\\n  --kubeconfig=\/etc\/kubernetes\/kube-controller-manager.kubeconfig \\\n  --service-cluster-ip-range=10.255.0.0\/16 \\\n  --cluster-name=kubernetes \\\n  --cluster-signing-cert-file=\/etc\/kubernetes\/ssl\/ca.pem \\\n  --cluster-signing-key-file=\/etc\/kubernetes\/ssl\/ca-key.pem \\\n  --allocate-node-cidrs=true \\\n  --cluster-cidr=10.0.0.0\/16 \\\n  --experimental-cluster-signing-duration=87600h \\\n  --root-ca-file=\/etc\/kubernetes\/ssl\/ca.pem \\\n  --service-account-private-key-file=\/etc\/kubernetes\/ssl\/ca-key.pem \\\n  --leader-elect=true \\\n  --feature-gates=RotateKubeletServerCertificate=true \\\n  --controllers=*,bootstrapsigner,tokencleaner \\\n  --horizontal-pod-autoscaler-sync-period=10s \\\n  --tls-cert-file=\/etc\/kubernetes\/ssl\/kube-controller-manager.pem \\\n  --tls-private-key-file=\/etc\/kubernetes\/ssl\/kube-controller-manager-key.pem \\\n  --use-service-account-credentials=true \\\n  --alsologtostderr=true \\\n  --logtostderr=false \\\n  --log-dir=\/var\/log\/kubernetes \\\n  --v=2\"<\/code><\/pre>\n\n\n\n
\u521b\u5efakube-controller-manager\u542f\u52a8\u6587\u4ef6<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat >kube-controller-manager.service\n[Unit]\nDescription=Kubernetes Controller Manager\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\n[Service]\nEnvironmentFile=-\/etc\/kubernetes\/kube-controller-manager.conf\nExecStart=\/usr\/local\/bin\/kube-controller-manager $KUBE_CONTROLLER_MANAGER_OPTS\nRestart=on-failure\nRestartSec=5\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\n
\u542f\u52a8kube-controller-manager\u670d\u52a1<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cp kube-controller-manager*.pem \/etc\/kubernetes\/ssl\/\nroot@k8s-master1:\/data\/work# cp kube-controller-manager.kubeconfig \/etc\/kubernetes\/\nroot@k8s-master1:\/data\/work# cp kube-controller-manager.conf \/etc\/kubernetes\/\nroot@k8s-master1:\/data\/work# cp kube-controller-manager.service \/usr\/lib\/systemd\/system\/\nroot@k8s-master1:\/data\/work# scp -r kube-controller-manager*.pem master2:\/etc\/kubernetes\/ssl\/\nkube-controller-manager-key.pem                                                                                      100% 1679     3.0MB\/s   00:00    \nkube-controller-manager.pem                                                                                          100% 1505     1.8MB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp -r kube-controller-manager.kubeconfig master2:\/etc\/kubernetes\/\nkube-controller-manager.kubeconfig                                                                                   100% 6415     3.7MB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp -r kube-controller-manager.conf master2:\/etc\/kubernetes\/\nkube-controller-manager.conf                                                                                         100% 1048   721.8KB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp -r kube-controller-manager.service master2:\/usr\/lib\/systemd\/system\/\nkube-controller-manager.service                                                                                      100%  324   288.2KB\/s   00:00\n\n\nroot@k8s-master1:\/data\/work# systemctl daemon-reload && systemctl enable --now kube-controller-manager && systemctl status kube-controller-manager\nroot@k8s-master2:~# systemctl daemon-reload && systemctl enable --now kube-controller-manager && systemctl status kube-controller-manager<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u90e8\u7f72kube-scheduler\u7ec4\u4ef6<\/p>\n\n\n\n
\u521b\u5efakube-scheduler\u7684csr\u8bf7\u6c42<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat kube-scheduler-csr.json\n{\n  \"CN\": \"system:kube-scheduler\",\n  \"hosts\": [\n    \"127.0.0.1\",\n    \"192.168.2.135\",\n    \"192.168.2.136\",\n    \"192.168.2.137\",\n    \"192.168.2.138\",\n    \"192.168.2.139\",\n    \"192.168.2.140\"\n  ],\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"names\": [\n    {\n      \"C\": \"CN\",\n      \"ST\": \"Hubei\",\n      \"L\": \"Wuhan\",\n      \"O\": \"system:kube-scheduler\",\n      \"OU\": \"system\"\n    }\n  ]\n}<\/code><\/pre>\n\n\n\n
hosts \u5217\u8868\u5305\u542b\u6240\u6709 kube-scheduler \u8282\u70b9 IP\uff1b CN \u4e3a system:kube-scheduler\u3001O \u4e3a system:kube-scheduler\uff0ckubernetes \u5185\u7f6e\u7684 ClusterRoleBindings system:kube-scheduler \u5c06\u8d4b\u4e88 kube-scheduler \u5de5\u4f5c\u6240\u9700\u7684\u6743\u9650\u3002<\/p>\n\n\n\n
\u751f\u6210kube-scheduler\u8bc1\u4e66<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-scheduler-csr.json | cfssljson -bare kube-scheduler\n2024\/08\/08 10:02:11 [INFO] generate received request\n2024\/08\/08 10:02:11 [INFO] received CSR\n2024\/08\/08 10:02:11 [INFO] generating key: rsa-2048\n2024\/08\/08 10:02:11 [INFO] encoded CSR\n2024\/08\/08 10:02:11 [INFO] signed certificate with serial number 512402351679637476564588241239497857472370192274<\/code><\/pre>\n\n\n\n
\u521b\u5efakube-scheduler\u7684kubeconfig\u6587\u4ef6<\/p>\n\n\n\n
1.\u8bbe\u7f6e\u96c6\u7fa4\u53c2\u6570<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https:\/\/192.168.2.135:6443 --kubeconfig=kube-scheduler.kubeconfig\nCluster \"kubernetes\" set.<\/code><\/pre>\n\n\n\n
2.\u8bbe\u7f6e\u5ba2\u6237\u7aef\u53c2\u6570<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl config set-credentials system:kube-scheduler --client-certificate=kube-scheduler.pem --client-key=kube-scheduler-key.pem --embed-certs=true --kubeconfig=kube-scheduler.kubeconfig\nUser \"system:kube-scheduler\" set.<\/code><\/pre>\n\n\n\n
3.\u8bbe\u7f6e\u4e0a\u4e0b\u6587\u53c2\u6570<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl config set-context system:kube-scheduler --cluster=kubernetes --user=system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig\nContext \"system:kube-scheduler\" created.<\/code><\/pre>\n\n\n\n
4.\u8bbe\u7f6e\u5f53\u524d\u4e0a\u4e0b\u6587<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl config use-context system:kube-scheduler --kubeconfig=kube-scheduler.kubeconfig\nSwitched to context \"system:kube-scheduler\".<\/code><\/pre>\n\n\n\n
\u521b\u5efakube-scheduler\u7684\u914d\u7f6e\u6587\u4ef6<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat >kube-scheduler.conf\nKUBE_SCHEDULER_OPTS=\"--address=127.0.0.1 \\\n--kubeconfig=\/etc\/kubernetes\/kube-scheduler.kubeconfig \\\n--leader-elect=true \\\n--alsologtostderr=true \\\n--logtostderr=false \\\n--log-dir=\/var\/log\/kubernetes \\\n--v=2\"<\/code><\/pre>\n\n\n\n
\u521b\u5efakube-scheduler\u7684\u670d\u52a1\u542f\u52a8\u6587\u4ef6<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat >kube-scheduler.service\n[Unit]\nDescription=Kubernetes Scheduler\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\n[Service]\nEnvironmentFile=-\/etc\/kubernetes\/kube-scheduler.conf\nExecStart=\/usr\/local\/bin\/kube-scheduler $KUBE_SCHEDULER_OPTS\nRestart=on-failure\nRestartSec=5\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\n
\u62f7\u8d1d\u6587\u4ef6\u5230master2\u8282\u70b9\u5e76\u542f\u52a8\u670d\u52a1<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cp kube-scheduler*.pem \/etc\/kubernetes\/ssl\/\nroot@k8s-master1:\/data\/work# cp kube-scheduler.kubeconfig \/etc\/kubernetes\/\nroot@k8s-master1:\/data\/work# cp kube-scheduler.conf \/etc\/kubernetes\/\nroot@k8s-master1:\/data\/work# cp kube-scheduler.service \/usr\/lib\/systemd\/system\/\nroot@k8s-master1:\/data\/work# scp kube-scheduler*.pem master2:\/etc\/kubernetes\/ssl\/\nkube-scheduler-key.pem                                                                                               100% 1679   890.1KB\/s   00:00    \nkube-scheduler.pem                                                                                                   100% 1497   977.8KB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp kube-scheduler.kubeconfig kube-scheduler.conf master2:\/etc\/kubernetes\/\nkube-scheduler.kubeconfig                                                                                            100% 6367     4.4MB\/s   00:00    \nkube-scheduler.conf                                                                                                  100%  208   287.6KB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp kube-scheduler.service master2:\/usr\/lib\/systemd\/system\/\nkube-scheduler.service \n\n\n                                                                                              100%  292   225.7KB\/s   00:00\n\n\nroot@k8s-master1:\/data\/work# systemctl daemon-reload && systemctl enable --now kube-scheduler && systemctl status kube-scheduler\nroot@k8s-master2:~# systemctl daemon-reload && systemctl enable --now kube-scheduler && systemctl status kube-scheduler<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u90e8\u7f72kubelet\u7ec4\u4ef6<\/p>\n\n\n\n
kubelet\uff1a \u6bcf\u4e2a Node \u8282\u70b9\u4e0a\u7684 kubelet \u5b9a\u671f\u5c31\u4f1a\u8c03\u7528 API Server \u7684 REST \u63a5\u53e3\u62a5\u544a\u81ea\u8eab\u72b6\u6001\uff0c API Server \u63a5\u6536\u8fd9\u4e9b\u4fe1\u606f\u540e\uff0c\u5c06\u8282\u70b9\u72b6\u6001\u4fe1\u606f\u66f4\u65b0\u5230 etcd \u4e2d\u3002kubelet \u4e5f\u901a\u8fc7 API Server \u76d1\u542c Pod\u4fe1\u606f\uff0c\u4ece\u800c\u5bf9 Node \u673a\u5668\u4e0a\u7684 POD \u8fdb\u884c\u7ba1\u7406\uff0c\u5982\u521b\u5efa\u3001\u5220\u9664\u3001\u66f4\u65b0 Pod<\/p>\n\n\n\n
\u4ee5\u4e0b\u64cd\u4f5c\u5728k8s-master1\u4e0a\u64cd\u4f5c<\/p>\n\n\n\n
\u521b\u5efakubelet-bootstrap.kubeconfig<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# BOOTSTRAP_TOKEN=$(awk -F \",\" '{print $1}' \/etc\/kubernetes\/token.csv)\nroot@k8s-master1:\/data\/work# kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https:\/\/192.168.2.135:6443 --kubeconfig=kubelet-bootstrap.kubeconfig\nCluster \"kubernetes\" set.\nroot@k8s-master1:\/data\/work# kubectl config set-credentials kubelet-bootstrap --token=${BOOTSTRAP_TOKEN} --kubeconfig=kubelet-bootstrap.kubeconfig\nUser \"kubelet-bootstrap\" set.\nroot@k8s-master1:\/data\/work# kubectl config set-context default --cluster=kubernetes --user=kubelet-bootstrap --kubeconfig=kubelet-bootstrap.kubeconfig\nContext \"default\" created.\nroot@k8s-master1:\/data\/work# kubectl config use-context default --kubeconfig=kubelet-bootstrap.kubeconfig\nSwitched to context \"default\".\nroot@k8s-master1:\/data\/work# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap\nclusterrolebinding.rbac.authorization.k8s.io\/kubelet-bootstrap created<\/code><\/pre>\n\n\n\n
\u65e0\u9700\u624b\u52a8\u521b\u5efakubelet.kubeconfig\uff0c\u8be5\u6587\u4ef6\u81ea\u52a8\u751f\u6210\u3002<\/p>\n\n\n\n
\u521b\u5efa\u914d\u7f6e\u6587\u4ef6kubelet.json( “cgroupDriver”: “systemd”\u8981\u548c docker \u7684\u9a71\u52a8\u4e00\u81f4, address \u66ff\u6362\u4e3a\u81ea\u5df1 k8s-node1 \u7684 IP \u5730\u5740 )<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat kubelet.json\n{\n  \"kind\": \"KubeletConfiguration\",\n  \"apiVersion\": \"kubelet.config.k8s.io\/v1beta1\",\n  \"authentication\": {\n    \"x509\": {\n      \"clientCAFile\": \"\/etc\/kubernetes\/ssl\/ca.pem\"\n    },\n    \"webhook\": {\n      \"enabled\": true,\n      \"cacheTTL\": \"2m0s\"\n    },\n    \"anonymous\": {\n      \"enabled\": false\n    }\n  },\n  \"authorization\": {\n    \"mode\": \"Webhook\",\n    \"webhook\": {\n      \"cacheAuthorizedTTL\": \"5m0s\",\n      \"cacheUnauthorizedTTL\": \"30s\"\n    }\n  },\n  \"address\": \"192.168.2.135\",\n  \"port\": 10250,\n  \"readOnlyPort\": 10255,\n  \"cgroupDriver\": \"systemd\",\n  \"hairpinMode\": \"promiscuous-bridge\",\n  \"serializeImagePulls\": false,\n  \"featureGates\": {\n    \"RotateKubeletServerCertificate\": true\n  },\n  \"clusterDomain\": \"cluster.local.\",\n  \"clusterDNS\": [\n    \"10.255.0.2\"\n  ]\n}<\/code><\/pre>\n\n\n\n
\u521b\u5efakubelet\u670d\u52a1\u542f\u52a8\u6587\u4ef6<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat >kubelet.service\n[Unit]\nDescription=Kubernetes Kubelet\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\nAfter=docker.service\nRequires=docker.service\n[Service]\nWorkingDirectory=\/var\/lib\/kubelet\nExecStart=\/usr\/local\/bin\/kubelet \\\n--bootstrap-kubeconfig=\/etc\/kubernetes\/kubelet-bootstrap.kubeconfig \\\n--cert-dir=\/etc\/kubernetes\/ssl \\\n--kubeconfig=\/etc\/kubernetes\/kubelet.kubeconfig \\\n--config=\/etc\/kubernetes\/kubelet.json \\\n--network-plugin=cni \\\n--pod-infra-container-image=k8s.gcr.io\/pause:3.2 \\\n--alsologtostderr=true \\\n--logtostderr=false \\\n--log-dir=\/var\/log\/kubernetes \\\n--v=2\nRestart=on-failure\nRestartSec=5\n\n\n\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\n
\u2013hostname-override\uff1a\u663e\u793a\u540d\u79f0\uff0c\u96c6\u7fa4\u4e2d\u552f\u4e00<\/p>\n\n\n\n
\u2013network-plugin\uff1a\u542f\u7528 CNI<\/p>\n\n\n\n
\u2013kubeconfig\uff1a\u7a7a\u8def\u5f84\uff0c\u4f1a\u81ea\u52a8\u751f\u6210\uff0c\u540e\u9762\u7528\u4e8e\u8fde\u63a5 apiserver<\/p>\n\n\n\n
\u2013bootstrap-kubeconfig\uff1a\u9996\u6b21\u542f\u52a8\u5411 apiserver \u7533\u8bf7\u8bc1\u4e66<\/p>\n\n\n\n
\u2013config\uff1a\u914d\u7f6e\u53c2\u6570\u6587\u4ef6<\/p>\n\n\n\n
\u2013cert-dir\uff1akubelet \u8bc1\u4e66\u751f\u6210\u76ee\u5f55<\/p>\n\n\n\n
\u2013pod-infra-container-image\uff1a\u7ba1\u7406 Pod \u7f51\u7edc\u5bb9\u5668\u7684\u955c\u50cf<\/p>\n\n\n\n
kubelete.json \u914d\u7f6e\u6587\u4ef6 address \u6539\u4e3a\u5404\u4e2a\u8282\u70b9\u7684 ip \u5730\u5740\uff0c\u5728\u5404\u4e2a work \u8282\u70b9\u4e0a\u542f\u52a8\u670d\u52a1<\/p>\n\n\n\n
\u4e0a\u4f20pause-3.2.tar\u3001\u5bfc\u5165\u955c\u50cf\uff08k8s.gcr.io\/pause:3.2\uff09<\/p>\n\n\n\n
docker load -i pause-3.2.tar<\/code><\/pre>\n\n\n\n
\u62f7\u8d1dkubelet\u7684\u53ef\u6267\u884c\u6587\u4ef6\u3001\u8bc1\u4e66\u4ee5\u53ca\u914d\u7f6e\u6587\u4ef6\u5230node\u8282\u70b9<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# scp -r kubernetes\/server\/bin\/kubelet node1:\/usr\/local\/bin\/\nkubelet                                                                                                              100%  118MB  69.1MB\/s   00:01    \nroot@k8s-master1:\/data\/work# scp -r kubernetes\/server\/bin\/kubelet node2:\/usr\/local\/bin\/\nkubelet                                                                                                              100%  118MB  69.2MB\/s   00:01    \nroot@k8s-node1:~# mkdir \/etc\/kubernetes\/ssl -p\nroot@k8s-node2:~# mkdir \/etc\/kubernetes\/ssl -p\nroot@k8s-master1:\/data\/work# scp -r kubelet-bootstrap.kubeconfig kubelet.kubeconfig kubelet.json node1:\/etc\/kubernetes\/\nkubelet-bootstrap.kubeconfig                                                                                         100% 2087     1.5MB\/s   00:00    \nkubelet.kubeconfig                                                                                                   100% 2087     1.3MB\/s   00:00    \nkubelet.json                                                                                                         100%  766   396.4KB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp -r kubelet-bootstrap.kubeconfig kubelet.kubeconfig kubelet.json node2:\/etc\/kubernetes\/\nkubelet-bootstrap.kubeconfig                                                                                         100% 2087     3.4MB\/s   00:00    \nkubelet.kubeconfig                                                                                                   100% 2087     3.0MB\/s   00:00    \nkubelet.json                                                                                                         100%  766   992.3KB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp ca.pem node1:\/etc\/kubernetes\/ssl\/\nca.pem                                                                                                               100% 1298     1.2MB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp ca.pem node2:\/etc\/kubernetes\/ssl\/\nca.pem                                                                                                               100% 1298   759.7KB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp kubelet.service node1:\/usr\/lib\/systemd\/system\/\nkubelet.service                                                                                                      100%  649     1.1MB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp kubelet.service node2:\/usr\/lib\/systemd\/system\/\nkubelet.service                                                                                                      100%  649   502.4KB\/s   00:00    <\/code><\/pre>\n\n\n\n
\u5728node\u8282\u70b9\u4e0a\u542f\u52a8kubelet\u670d\u52a1\uff08\u542f\u52a8\u670d\u52a1\u62a5\u95198\u6708 08 14:21:22 k8s-node2 systemd[1733]: kubelet.service: Failed at step CHDIR spawning \/usr\/local\/bin\/kubelet: No such file or directory\u5c31\u662f\u6ca1\u6709\u5efa\u7acb\u8fd9\u4e24\u4e2a\u76ee\u5f55\uff09<\/p>\n\n\n\n
root@k8s-node1:~# mkdir \/var\/lib\/kubelet \/var\/log\/kubernetes -p\nroot@k8s-node2:~# mkdir \/var\/lib\/kubelet \/var\/log\/kubernetes -p<\/code><\/pre>\n\n\n\n
\/etc\/kubernetes\/kubelet.json\u4e2daddress\u66ff\u6362\u4e3anode\u81ea\u5df1\u7684ip\u5730\u5740<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
root@k8s-node1:~# systemctl daemon-reload && systemctl enable --now kubelet && systemctl status kubelet\nroot@k8s-node2:~# systemctl daemon-reload && systemctl enable --now kubelet && systemctl status kubelet<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u786e\u8ba4 kubelet \u670d\u52a1\u542f\u52a8\u6210\u529f\u540e\uff0c\u63a5\u7740\u5230 k8s-master1 \u8282\u70b9\u4e0a Approve \u4e00\u4e0b bootstrap \u8bf7\u6c42\u3002<\/p>\n\n\n\n
\u6267\u884c\u5982\u4e0b\u547d\u4ee4\u53ef\u4ee5\u770b\u5230\u4e00\u4e2a worker \u8282\u70b9\u53d1\u9001\u4e86\u4e00\u4e2a CSR \u8bf7\u6c42\uff1a<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl get csr\nNAME                                                   AGE     SIGNERNAME                                    REQUESTOR           REQUESTEDDURATION   CONDITION\nnode-csr-AqEx4L9s5zC2wg1nJkrWAouj3aRX2mEYENhnC6x-gko   16m     kubernetes.io\/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Pending\nnode-csr-ge83doNA568ZQMe03QJOTXfeC-sqL6-G41AFSAqwwJQ   3m59s   kubernetes.io\/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Pending<\/code><\/pre>\n\n\n\n
\u5728master\u8282\u70b9\u5ba1\u6279node\u8282\u70b9\u7684\u8bf7\u6c42<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl certificate approve node-csr-AqEx4L9s5zC2wg1nJkrWAouj3aRX2mEYENhnC6x-gko\ncertificatesigningrequest.certificates.k8s.io\/node-csr-AqEx4L9s5zC2wg1nJkrWAouj3aRX2mEYENhnC6x-gko approved\nroot@k8s-master1:\/data\/work# kubectl certificate approve node-csr-ge83doNA568ZQMe03QJOTXfeC-sqL6-G41AFSAqwwJQ\ncertificatesigningrequest.certificates.k8s.io\/node-csr-ge83doNA568ZQMe03QJOTXfeC-sqL6-G41AFSAqwwJQ approved<\/code><\/pre>\n\n\n\n
\u518d\u6b21\u67e5\u770b\u7533\u8bf7<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl get csr\nNAME                                                   AGE     SIGNERNAME                                    REQUESTOR           REQUESTEDDURATION   CONDITION\nnode-csr-AqEx4L9s5zC2wg1nJkrWAouj3aRX2mEYENhnC6x-gko   20m     kubernetes.io\/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Approved,Issued\nnode-csr-ge83doNA568ZQMe03QJOTXfeC-sqL6-G41AFSAqwwJQ   8m11s   kubernetes.io\/kube-apiserver-client-kubelet   kubelet-bootstrap   <none>              Approved,Issued<\/code><\/pre>\n\n\n\n
\u95ee\u9898\uff1aCONDITION\u53ea\u6709Approved\uff0c\u6ca1\u6709Issued<\/p>\n\n\n\n
\u539f\u56e0\uff1a\u6709approved \u4f46\u6ca1\u6709issued\uff0c\u662f\u56e0\u4e3a\u7533\u8bf7\u901a\u8fc7\u8ba4\u8bc1\u4f46\u662f\u6ca1\u6709\u6b63\u5e38\u9881\u53d1\u8bc1\u4e66\u3002<\/p>\n\n\n\n
\u9a8c\u8bc1\uff1akubectl get csr node-csr-H_RP_EgvacATe0bfEhlr_rPLTS4EVRjEr-0XukFgg3A -o yaml\uff0cstatus:certificate: \u6ca1\u6709\u8f93\u51fa\u8bc1\u4e66<\/p>\n\n\n\n
\u6392\u67e5\uff1a\u67e5\u770b\u4e00\u4e0bkube-controller-manager\u7684\u65e5\u5fd7\u662f\u4e0d\u662f\u62a5\u9519\u4e86\uff0c\u67e5\u770bkube-controller-manager\u65e5\u5fd7: systemctl status kube-controller-manager\u6709\u6ca1\u6709\u9519\u8bef\u62a5\u51fa\uff0c<\/p>\n\n\n\n
\u4f8b\u5982\uff1aJan 25 21:14:50 k8s-master1 kube-controller-manager[315]: E0125 21:14:50.897855     315 leaderelection.go:330] error retrieving resource lock kube-system\/kube-controller-manager: Get “https:\/\/192.168.2.135:6443\/apis\/coordination.k8s.io\/v1\/namespaces\/kube-system\/leases\/kube-controller-manager?timeout=5s<\/a>“: net\/http: request canceled while waiting for connectio\uff0c\u8fde\u4e0d\u4e0aapi-server\uff0c\u68c0\u67e5\u53d1\u73b0\u662fkube-controller-manager.kubeconfig\u4e2dapi\u5730\u5740\u5199\u9519<\/p>\n\n\n\n
\u95ee\u9898\u89e3\u51b3\u540e\u91cd\u542fcontroller-manager\uff0cIssued\u81ea\u52a8\u51fa\u6765\u4e86\u3002<\/p>\n\n\n\n
\u5728master\u4e0a\u770b\u4e00\u4e0bnode\u8282\u70b9\u662f\u5426\u5df2\u7ecf\u6b63\u5e38\u52a0\u8fdb\u6765\u4e86<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl get node\nNAME        STATUS     ROLES    AGE     VERSION\nk8s-node1   NotReady   <none>   2m16s   v1.23.14\nk8s-node2   NotReady   <none>   95s     v1.23.14<\/code><\/pre>\n\n\n\n
STATUS \u662fNotReady \u8868\u793a\u8fd8\u6ca1\u5b89\u88c5\u7f51\u7edc\u63d2\u4ef6<\/p>\n\n\n\n
\u90e8\u7f72kube-proxy\u7ec4\u4ef6<\/p>\n\n\n\n
\u521b\u5efakube-proxy\u7684csr\u8bf7\u6c42<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat kube-proxy-csr.json\n{\n  \"CN\": \"system:kube-proxy\",\n  \"key\": {\n    \"algo\": \"rsa\",\n    \"size\": 2048\n  },\n  \"names\": [\n    {\n      \"C\": \"CN\",\n      \"ST\": \"Hubei\",\n      \"L\": \"Wuhan\",\n      \"O\": \"k8s\",\n      \"OU\": \"system\"\n    }\n  ]\n}<\/code><\/pre>\n\n\n\n
\u751f\u6210\u8bc1\u4e66<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy\n2024\/08\/08 14:46:42 [INFO] generate received request\n2024\/08\/08 14:46:42 [INFO] received CSR\n2024\/08\/08 14:46:42 [INFO] generating key: rsa-2048\n2024\/08\/08 14:46:42 [INFO] encoded CSR\n2024\/08\/08 14:46:42 [INFO] signed certificate with serial number 99906890704076854292872130320716163640275398132\n2024\/08\/08 14:46:42 [WARNING] This certificate lacks a \"hosts\" field. This makes it unsuitable for\nwebsites. For more information see the Baseline Requirements for the Issuance and Management\nof Publicly-Trusted Certificates, v.1.1.6, from the CA\/Browser Forum (https:\/\/cabforum.org);\nspecifically, section 10.2.3 (\"Information Requirements\").<\/code><\/pre>\n\n\n\n
\u521b\u5efakubeconfig\u6587\u4ef6<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl config set-cluster kubernetes --certificate-authority=ca.pem --embed-certs=true --server=https:\/\/192.168.2.135:6443 --kubeconfig=kube-proxy.kubeconfig\nCluster \"kubernetes\" set.\nroot@k8s-master1:\/data\/work# kubectl config set-credentials kube-proxy --client-certificate=kube-proxy.pem --client-key=kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig\nUser \"kube-proxy\" set.\nroot@k8s-master1:\/data\/work# kubectl config set-context default --cluster=kubernetes --user=kube-proxy --kubeconfig=kube-proxy.kubeconfig\nContext \"default\" created.\nroot@k8s-master1:\/data\/work# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig\nSwitched to context \"default\".<\/code><\/pre>\n\n\n\n
\u521b\u5efakube-proxy\u914d\u7f6e\u6587\u4ef6\uff082.138\u4e0a\u8bb0\u5f97\u628aip\u5730\u5740\u6362\u6210\u81ea\u5df1\u7684\uff09<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat kube-proxy.yaml\napiVersion: kubeproxy.config.k8s.io\/v1alpha1\nbindAddress: 192.168.2.137\nclientConnection:\n  kubeconfig: \/etc\/kubernetes\/kube-proxy.kubeconfig\nclusterCIDR: 10.0.0.0\/16\nhealthzBindAddress: 192.168.2.137:10256\nkind: KubeProxyConfiguration\nmetricsBindAddress: 192.168.2.137:10249\nmode: \"ipvs\"<\/code><\/pre>\n\n\n\n
\u521b\u5efakube-proxy\u670d\u52a1\u542f\u52a8\u6587\u4ef6<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# cat >kube-proxy.service\n[Unit]\nDescription=Kubernetes Kube-Proxy Server\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\nAfter=network.target\n[Service]\nWorkingDirectory=\/var\/lib\/kube-proxy\nExecStart=\/usr\/local\/bin\/kube-proxy \\\n  --config=\/etc\/kubernetes\/kube-proxy.yaml \\\n  --alsologtostderr=true \\\n  --logtostderr=false \\\n  --log-dir=\/var\/log\/kubernetes \\\n  --v=2\nRestart=on-failure\nRestartSec=5\nLimitNOFILE=65536\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\n
\u62f7\u8d1dkube-proxy\u6587\u4ef6\u5230node\u8282\u70b9\u4e0a<\/p>\n\n\n\n
root@k8s-master1:\/data\/work# scp kube-proxy.kubeconfig kube-proxy.yaml node1:\/etc\/kubernetes\/\nkube-proxy.kubeconfig                                                                                                100% 6173     4.6MB\/s   00:00    \nkube-proxy.yaml                                                                                                      100%  292   228.4KB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp kube-proxy.service node1:\/usr\/lib\/systemd\/system\/\nkube-proxy.service                                                                                                   100%  438   143.6KB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp kube-proxy.kubeconfig kube-proxy.yaml node2:\/etc\/kubernetes\/\nkube-proxy.kubeconfig                                                                                                100% 6173     5.0MB\/s   00:00    \nkube-proxy.yaml                                                                                                      100%  292   199.8KB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp kube-proxy.service node2:\/usr\/lib\/systemd\/system\/           \nkube-proxy.service                                                                                                   100%  438   378.8KB\/s   00:00\nroot@k8s-master1:\/data\/work# scp kubernetes\/server\/bin\/kube-proxy node1:\/usr\/local\/bin\/\nkube-proxy                                                                                                           100%   42MB  72.7MB\/s   00:00    \nroot@k8s-master1:\/data\/work# scp kubernetes\/server\/bin\/kube-proxy node2:\/usr\/local\/bin\/\nkube-proxy                                                                                                           100%   42MB  61.2MB\/s   00:0<\/code><\/pre>\n\n\n\n
\u542f\u52a8kube-proxy\u670d\u52a1<\/p>\n\n\n\n
root@k8s-node1:\/etc\/kubernetes# mkdir -p \/var\/lib\/kube-proxy \uff08\u4e0d\u5efa\u7acb\u4f1a\u62a5\u9519\uff1aOct 18 11:05:43 m2 (be-proxy)[14064]: kube-proxy.service: Failed at step CHDIR spawning \/usr\/local\/bin\/kube-proxy: No such file or directory\uff09\nroot@k8s-node1:\/etc\/kubernetes# systemctl daemon-reload && systemctl enable --now kube-proxy && systemctl status kube-proxy\nroot@k8s-node2:\/etc\/kubernetes# mkdir -p \/var\/lib\/kube-proxy\nroot@k8s-node2:\/etc\/kubernetes# systemctl daemon-reload && systemctl enable --now kube-proxy && systemctl status kube-proxy<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u90e8\u7f72calico\u7ec4\u4ef6(curl -sLk -o calico.yamlhttps:\/\/calico-v3-25.netlify.app\/archive\/v3.25\/manifests\/calico.yaml<\/a>)<\/p>\n\n\n\n
\u4e0a\u4f20\u5230node\u5e76\u5bfc\u5165\u79bb\u7ebf\u955c\u50cf\u5305calico.tar\uff08node1\u30012\uff09<\/p>\n\n\n\n
docker load -i .\/calico.tar<\/code><\/pre>\n\n\n\n
\u628acalico.yaml\u6587\u4ef6\u4e0a\u4f20\u5230master1\u7684\/data\/work\u76ee\u5f55\uff08\u4fee\u6539 Pod IP \u5730\u5740\u6bb5\uff0c\u627e\u5230 CALICO_IPV4POOL_CIDR \u53d8\u91cf\uff0c\u53d6\u6d88\u6ce8\u91ca\u5e76\u4fee\u6539\u5982\u4e0b\uff09<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
root@k8s-master1:\/data\/work# kubectl apply -f calico.yaml<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
*\u5947\u602a\u7684\u95ee\u9898\uff1a\u5982\u679c\u72b6\u6001\u4e00\u76f4\u662fpending\uff0c\u4e14\u7528kubectl describe pod calico-node-gwlzz -n kube-system\u67e5\u770bevent\u4e3a<none>\uff0cnode\u8282\u70b9\u4e0adocker ps -a \u67e5\u770b\u4e0d\u5230\u4e0ecalico\u76f8\u5173\u7684\u5bb9\u5668\uff0c<\/p>\n\n\n\n
*\u6392\u67e5\u601d\u8def\uff1a\u90a3\u4e48\u5c31\u8981\u68c0\u67e5master1\u4e0a\u7684\/var\/log\/kubernetes\u91cc\u9762\u7684kube-scheduler.ERROR\u65e5\u5fd7\uff0c<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u5f88\u660e\u663e\u662f\u8bbf\u95ee192.168.2.135\u76846443\u7aef\u53e3\uff08kube-apiserver\uff09\u51fa\u9519\u3002\u68c0\u67e5\u901a\u8def\u3001\u670d\u52a1\u3001ip\u5730\u5740\u662f\u5426\u6b63\u786e\uff08kube-scheduler.kubeconfig\u91cc\u9762\u7684server:\uff09<\/p>\n\n\n\n
kubectl config set-cluster kubernetes –certificate-authority=ca.pem –embed-certs=true –server=https:\/\/<\u6b63\u786e\u7684ip>:6443<\/a>–kubeconfig=kube-scheduler.kubeconfig<\/p>\n\n\n\n
\u7136\u540e\u5c06kube-scheduler.kubeconfig\u62f7\u8d1d\u5230master1\u30012\u7684\/etc\/kubernetes\u4e0b\uff0c\u91cd\u542fkube-scheduler\u670d\u52a1\u3002<\/p>\n\n\n\n
\u95ee\u98982\uff1a<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
root@node1:~# docker logs -f a1\uff0c\u62a5\u9519\uff1a<\/p>\n\n\n\n
2025-01-25 15:20:07.201 [ERROR][1] cni-installer\/<nil> <nil>: Unable to create token for CNI kubeconfig error=Post “https:\/\/10.255.0.1:443\/api\/v1\/namespaces\/kube-system\/serviceaccounts\/calico-node\/token<\/a>“: dial tcp 10.255.0.1:443: connect: connection refused<\/p>\n\n\n\n
2025-01-25 15:20:07.201 [FATAL][1] cni-installer\/<nil> <nil>: Unable to create token for CNI kubeconfig error=Post “https:\/\/10.255.0.1:443\/api\/v1\/namespaces\/kube-system\/serviceaccounts\/calico-node\/token<\/a>“: dial tcp 10.255.0.1:443: connect: connection refused<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u68c0\u67e5:kube-proxy<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u539f\u6765\u662fapiserver\u7684\u5730\u5740\u5199\u9519\u4e86\uff0c\u7ea0\u6b63kube-proxy.kubeconfig\u91cc\u7684\u5730\u5740\uff0c\u91cd\u542f\u670d\u52a1\u3002<\/p>\n\n\n\n
\u95ee\u9898\u89e3\u51b3\u4e86\uff1a<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u90e8\u7f72coredns\uff08https:\/\/github.com\/coredns\/deployment\/blob\/master\/kubernetes\/coredns.yaml.sed<\/a>\uff09<\/p>\n\n\n\n