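一旦装好了kubernetes,登录master之后就有了足够的权限(master上的kubectl默认使用的是管理员kubernetes-admin的kubeconfig)。
如果想在worker节点上运行kubectl并查看集群状态怎么办?需要用 --kubeconfig 选项或 KUBECONFIG 环境变量指定一个kubeconfig文件(下面的kcfile)。kubeconfig里带有访问集群的凭据,放到worker上的文件应当只授予所需的最小权限,并限制文件的读取权限;另外下面的 KUBECONFIG 用的是相对路径,切换目录后会失效,实际使用时建议写绝对路径。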
[root@vms62 ~]# kubectl --kubeconfig=kcfile get nodes
NAME STATUS ROLES AGE VERSION
vms61 Ready master 45d v1.19.0
vms62 Ready <none> 45d v1.19.0
vms63 Ready <none> 45d v1.19.0
[root@vms62 ~]# export KUBECONFIG=./kcfile
[root@vms62 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
vms61 Ready master 45d v1.19.0
vms62 Ready <none> 45d v1.19.0
vms63 Ready <none> 45d v1.19.0
如何为用户申请证书呢?先生成私钥和证书签名请求(CSR):kubernetes会把证书的CN当作用户名,把O当作用户所属的组;私钥john.key不需要提交给集群,应妥善保管。
[root@vms61 xx]# openssl genrsa -out john.key 2048
Generating RSA private key, 2048 bit long modulus
.......................+++
.+++
e is 65537 (0x10001)
[root@vms61 xx]# ls
john.key
[root@vms61 xx]# openssl req -new -key john.key -out john.csr -subj "/CN=john/O=cka2020"
[root@vms61 xx]# ls
john.csr john.key
[root@vms61 xx]# cat john.csr | base64 |tr -d "\n"
[root@vms61 xx]# cat csr.yaml
# CertificateSigningRequest for the user "john"; applied with kubectl below.
# NOTE(review): the nesting indentation was lost in this listing. In a valid
# manifest `name` sits under `metadata`, and `groups`, `request` and `usages`
# sit under `spec`.
# v1beta1 is deprecated (see the kubectl warning after apply). The replacement
# certificates.k8s.io/v1 additionally requires spec.signerName, e.g.
# kubernetes.io/kube-apiserver-client for client certificates.
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: john
spec:
groups:
- system:authenticated
# Expects the base64 of john.csr on a single line, i.e. the output of the
# `cat john.csr | base64 | tr -d "\n"` command above.
request: 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
# Restricts the issued certificate to TLS client authentication.
usages:
- client auth
[root@vms61 xx]# kubectl apply -f csr.yaml
Warning: certificates.k8s.io/v1beta1 CertificateSigningRequest is deprecated in v1.19+, unavailable in v1.22+; use certificates.k8s.io/v1 CertificateSigningRequest
certificatesigningrequest.certificates.k8s.io/john created
[root@vms61 xx]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
john 27s kubernetes.io/legacy-unknown kubernetes-admin Pending
[root@vms61 xx]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
john 37s kubernetes.io/legacy-unknown kubernetes-admin Pending
[root@vms61 xx]# kubectl certificate approve john
certificatesigningrequest.certificates.k8s.io/john approved
[root@vms61 xx]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
john 94s kubernetes.io/legacy-unknown kubernetes-admin Approved,Issued
证书一旦审批签发,k8s目前还没有提供撤销(吊销)它的功能。因此审批之前要先核对CSR里的CN和O;证书在到期之前都可以用于认证,如需停用,只能删除对应用户或组的RBAC授权,或者更换集群CA。
[root@vms61 xx]# kubectl get csr john -o jsonpath="{.status.certificate}" | base64 -d > john.crt
[root@vms61 xx]# cat john.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----