当前位置:网站首页>Kubernetes cluster configuration serviceaccount

Kubernetes cluster configuration serviceaccount

2022-07-28 08:58:00 Brother Xing plays with the clouds

Kubernetes API Other services .Service Account It's not for kubernetes colony Users of , But to pod The process inside uses , It's for pod Provide necessary identity authentication .

Kubernetes Provides Secret To handle sensitive information , at present Secret There are types of 3 Kind of :  Opaque(default): Any string   kubernetes.io/service-account-token: Act on ServiceAccount kubernetes.io/dockercfg: Act on Docker registry, User download docker Image authentication uses .

This article will introduce you to kubernetes colony Middle configuration serviceaccount and secret, It can make kubernetes Use private warehouses , And support nginx basic authentication . Because we use rpm Package installation kubernetes colony , There is no default ca.crt、kubecfg.crt kubecfg.key 、server.cert 、server.key These documents , You need to download the source code to generate .

One 、 Use tools to generate key file

# mkdir git # cd git/ # git clone https://github.com/kubernetes/kubernetes

Download scientifically online easy-rsa.tar.gz, The download address is make-ca-cert.sh You can find... In the script , Put the document in ~/kube Under the table of contents

# ls ~/kube easy-rsa.tar.gz # cd /root/git/kubernetes/ # sh cluster/CentOS/make-ca-cert.sh 192.168.115.5 # ls /srv/kubernetes/ ca.crt  kubecfg.crt  kubecfg.key  server.cert  server.key # chown -R kube:kube /srv/kubernetes/*

Send these files to vm2 The same directory of the host

# chown -R kube:kube /srv/kubernetes/* # scp -rp /srv/ [email protected]:/

Two 、 Modify the configuration file

# grep -v '^#' /etc/kubernetes/apiserver |grep -v '^$' KUBE_API_ADDRESS="--insecure-bind-address=192.168.115.5" KUBE_ETCD_SERVERS="--etcd-servers=http://192.168.115.5:2379" KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16" KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,SecurityContextDeny,ResourceQuota" KUBE_API_ARGS="--storage-backend=etcd2 --secure-port=6443 --client-ca-file=/srv/kubernetes/ca.crt --tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key"# grep -v '^#' /etc/kubernetes/controller-manager |grep -v '^$' KUBE_CONTROLLER_MANAGER_ARGS="--root-ca-file=/srv/kubernetes/ca.crt --service-account-private-key-file=/srv/kubernetes/server.key"

3、 ... and 、 Restart related services

Master: # systemctl restart kube-apiserver # systemctl restart kube-controller-manager # systemctl restart kube-scheduler

Slave: # systemctl restart kubelet # systemctl restart kube-proxy

# kubectl get secret    # kubectl describe secret default-token-6pddn

Four 、 By configuring secret, Give Way kubernetes You can pull images from private warehouses

# kubectl create secret docker-registry regsecret \ --docker-server=registry.fjhb.cn  \ --docker-username=ylw \  --docker-password=123 \  [email protected]

stay yaml file sepc Section added imagePullSecrets, Specify to use the created secret

# kubectl create -f frontend-controller.yaml

By reference kubernetes Official documents of , It doesn't solve the real problem https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

nginx Log still reported 401 Authentication error

We know how to use docker pull There is a warehouse to get the image , You need to use it first docker login Log in to the private warehouse , and login Actions performed , In fact, it is written in the user's home directory .docker/config.json file . Make this file a soft link to /var/lib/kubelet/.docker/ This problem can be solved . When the soft connection is configured, there is no need to yaml The file refers to the previously created secret 了 .

# cat /root/.docker/config.json # ln -s /root/.docker/ /var/lib/kubelet/.docker/

# kubectl create -f frontend-controller.yaml

原网站

版权声明
本文为[Brother Xing plays with the clouds]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/197/202207131400315100.html

边栏推荐

猜你喜欢

随机推荐