05-kubernetes-configuration-files

Dante · June 2, 2024

Generating Kubernetes Configuration Files for Authentication


In this lab you will generate Kubernetes configuration files, known as kubeconfigs, which enable Kubernetes clients to locate and authenticate to the Kubernetes API server.

Client Authentication configs


This section generates kubeconfig files for the kubelet and the admin user.

The kubelet Kubernetes Configuration File

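When generating kubeconfig files for kubelets, you must use the client certificate that matches the kubelet's node name. This ensures the kubelet is properly authorized by the Kubernetes Node Authorizer.

The commands below must be run from the same directory used to generate the SSL certificates during the 04-certificate-authority lab.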

for host in node-1 node-2; do
  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=/k8s-hardway/tls/ca.crt \
    --embed-certs=true \
    --server=https://controlplane-1.kubernetes.local:6443 \
    --kubeconfig=/k8s-hardway/tls/${host}.kubeconfig

  kubectl config set-credentials system:node:${host} \
    --client-certificate=/k8s-hardway/tls/${host}.crt \
    --client-key=/k8s-hardway/tls/${host}.key \
    --embed-certs=true \
    --kubeconfig=/k8s-hardway/tls/${host}.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-the-hard-way \
    --user=system:node:${host} \
    --kubeconfig=/k8s-hardway/tls/${host}.kubeconfig

  kubectl config use-context default \
    --kubeconfig=/k8s-hardway/tls/${host}.kubeconfig
done

Cluster "kubernetes-the-hard-way" set.
User "system:node:node-1" set.
Context "default" created.
Switched to context "default".
Cluster "kubernetes-the-hard-way" set.
User "system:node:node-2" set.
Context "default" created.
Switched to context "default".

ls -1 /k8s-hardway/tls/node-1.kubeconfig /k8s-hardway/tls/node-2.kubeconfig
# /k8s-hardway/tls/node-1.kubeconfig
# /k8s-hardway/tls/node-2.kubeconfig
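
The Node Authorizer only authorizes a kubelet whose client certificate identifies it as system:node:<nodeName> in the system:nodes group; the user name passed to set-credentials is just a local label inside the file. The script below is an added example, not part of the original lab, that reads the embedded client certificate from a kubeconfig and checks its subject. The function and script names are hypothetical, and it assumes kubectl, base64 and openssl are on the PATH.

```shell
#!/bin/sh
# Added example (not from the original lab): confirm that a kubelet kubeconfig
# carries the identity the Node Authorizer expects.
# Function names are hypothetical; requires kubectl, base64 and openssl.

# subject_matches_node NODE SUBJECT
# SUBJECT is an RFC 2253 string, e.g. "CN=system:node:node-1,O=system:nodes".
# Succeeds only if the CN and O components match exactly, so the certificate
# for node-10 is not accepted for node-1.
subject_matches_node() {
  case ",$2," in
    *",CN=system:node:$1,"*) ;;
    *) return 1 ;;
  esac
  case ",$2," in
    *",O=system:nodes,"*) ;;
    *) return 1 ;;
  esac
}

# kubeconfig_subject FILE
# Prints the subject of the client certificate embedded by --embed-certs=true.
kubeconfig_subject() {
  kubectl config view --raw --kubeconfig="$1" \
      -o jsonpath='{.users[0].user.client-certificate-data}' |
    base64 -d |
    openssl x509 -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//'
}

# Usage: sh check-node-kubeconfig.sh node-1 /k8s-hardway/tls/node-1.kubeconfig
if [ "$#" -eq 2 ]; then
  subject=$(kubeconfig_subject "$2")
  if subject_matches_node "$1" "$subject"; then
    echo "OK: $2 -> $subject"
  else
    echo "MISMATCH: $2 -> ${subject:-<no certificate read>}" >&2
    exit 1
  fi
fi
```

Run it once per node before distributing the files; a mismatch means the kubelet would authenticate but be denied by the Node Authorizer.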

The kube-proxy Kubernetes Configuration File


This section generates a kubeconfig file for the kube-proxy service.

{
  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=/k8s-hardway/tls/ca.crt \
    --embed-certs=true \
    --server=https://controlplane-1.kubernetes.local:6443 \
    --kubeconfig=/k8s-hardway/tls/kube-proxy.kubeconfig

  kubectl config set-credentials system:kube-proxy \
    --client-certificate=/k8s-hardway/tls/kube-proxy.crt \
    --client-key=/k8s-hardway/tls/kube-proxy.key \
    --embed-certs=true \
    --kubeconfig=/k8s-hardway/tls/kube-proxy.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-the-hard-way \
    --user=system:kube-proxy \
    --kubeconfig=/k8s-hardway/tls/kube-proxy.kubeconfig

  kubectl config use-context default \
    --kubeconfig=/k8s-hardway/tls/kube-proxy.kubeconfig
}

Cluster "kubernetes-the-hard-way" set.
User "system:kube-proxy" set.
Context "default" created.
Switched to context "default".

ls -1 /k8s-hardway/tls/kube-proxy.kubeconfig
# /k8s-hardway/tls/kube-proxy.kubeconfig

The kube-controller-manager Kubernetes Configuration File


Generate a kubeconfig file for the kube-controller-manager service.

{
  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=/k8s-hardway/tls/ca.crt \
    --embed-certs=true \
    --server=https://controlplane-1.kubernetes.local:6443 \
    --kubeconfig=/k8s-hardway/tls/kube-controller-manager.kubeconfig

  kubectl config set-credentials system:kube-controller-manager \
    --client-certificate=/k8s-hardway/tls/kube-controller-manager.crt \
    --client-key=/k8s-hardway/tls/kube-controller-manager.key \
    --embed-certs=true \
    --kubeconfig=/k8s-hardway/tls/kube-controller-manager.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-the-hard-way \
    --user=system:kube-controller-manager \
    --kubeconfig=/k8s-hardway/tls/kube-controller-manager.kubeconfig

  kubectl config use-context default \
    --kubeconfig=/k8s-hardway/tls/kube-controller-manager.kubeconfig
}

Cluster "kubernetes-the-hard-way" set.
User "system:kube-controller-manager" set.
Context "default" created.
Switched to context "default".

ls -1 /k8s-hardway/tls/kube-controller-manager.kubeconfig
# /k8s-hardway/tls/kube-controller-manager.kubeconfig

The kube-scheduler Kubernetes Configuration File


Generate a kubeconfig file for the kube-scheduler service.

{
  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=/k8s-hardway/tls/ca.crt \
    --embed-certs=true \
    --server=https://controlplane-1.kubernetes.local:6443 \
    --kubeconfig=/k8s-hardway/tls/kube-scheduler.kubeconfig

  kubectl config set-credentials system:kube-scheduler \
    --client-certificate=/k8s-hardway/tls/kube-scheduler.crt \
    --client-key=/k8s-hardway/tls/kube-scheduler.key \
    --embed-certs=true \
    --kubeconfig=/k8s-hardway/tls/kube-scheduler.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-the-hard-way \
    --user=system:kube-scheduler \
    --kubeconfig=/k8s-hardway/tls/kube-scheduler.kubeconfig

  kubectl config use-context default \
    --kubeconfig=/k8s-hardway/tls/kube-scheduler.kubeconfig
}

Cluster "kubernetes-the-hard-way" set.
User "system:kube-scheduler" set.
Context "default" created.
Switched to context "default".

ls -1 /k8s-hardway/tls/kube-scheduler.kubeconfig
# /k8s-hardway/tls/kube-scheduler.kubeconfig

The admin Kubernetes Configuration File


Generate a kubeconfig file for the admin user.

{
  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=/k8s-hardway/tls/ca.crt \
    --embed-certs=true \
    --server=https://127.0.0.1:6443 \
    --kubeconfig=/k8s-hardway/tls/admin.kubeconfig

  kubectl config set-credentials admin \
    --client-certificate=/k8s-hardway/tls/admin.crt \
    --client-key=/k8s-hardway/tls/admin.key \
    --embed-certs=true \
    --kubeconfig=/k8s-hardway/tls/admin.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-the-hard-way \
    --user=admin \
    --kubeconfig=/k8s-hardway/tls/admin.kubeconfig

  kubectl config use-context default \
    --kubeconfig=/k8s-hardway/tls/admin.kubeconfig
}

Cluster "kubernetes-the-hard-way" set.
User "admin" set.
Context "default" created.
Switched to context "default".

ls -1 /k8s-hardway/tls/admin.kubeconfig
# /k8s-hardway/tls/admin.kubeconfig

Distribute the Kubernetes Configuration Files


Copy the kubelet and kube-proxy kubeconfig files to the node-1 and node-2 servers.

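for host in node-1 node-2; do
  # -p keeps the loop re-runnable if the directories already exist
  ssh root@$host "mkdir -p /var/lib/{kube-proxy,kubelet}"

  # kube-proxy uses the same kubeconfig on every node
  scp /k8s-hardway/tls/kube-proxy.kubeconfig \
    root@$host:/var/lib/kube-proxy/kubeconfig

  # each kubelet gets the kubeconfig built from its own node certificate
  scp /k8s-hardway/tls/${host}.kubeconfig \
    root@$host:/var/lib/kubelet/kubeconfig
done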

Copy the kube-controller-manager and kube-scheduler kubeconfig files to the controlplane-1 server.

scp /k8s-hardway/tls/admin.kubeconfig \
  /k8s-hardway/tls/kube-controller-manager.kubeconfig \
  /k8s-hardway/tls/kube-scheduler.kubeconfig \
  root@controlplane-1:~/

Next: Generating the Data Encryption Config and Key
