llhuii
commented
2 years ago bootstrap 启动引导
首先以insecure方式system:anonymous访问apiserver,获取到ca证书, 再加上bootstrap-token生成/etc/kubernetes/bootstrap-kubelet.conf
# kubectl get -n kube-public cm cluster-info -o json | jq .data.kubeconfig -r
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: <base64 encoded ca public data>==
server: https://sedna-mini-control-plane:6443
name: ""
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null$ kubectl get -n kube-public rolebinding kubeadm:bootstrap-signer-clusterinfo -oyaml
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubeadm:bootstrap-signer-clusterinfo
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: system:anonymous# kubectl get -n kube-public role kubeadm:bootstrap-signer-clusterinfo -o yaml | yq eval .rules -
- apiGroups:
- ""
resourceNames:
- cluster-info
resources:
- configmaps
verbs:
- get/etc/kubernetes/bootstrap-kubelet.conf文件内容为:
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS<根证书base64>==
server: https://kind-external-load-balancer:6443
name: kind
contexts:
- context:
cluster: kind
user: tls-bootstrap-token-user
name: tls-bootstrap-token-user@kubernetes
current-context: tls-bootstrap-token-user@kubernetes
kind: Config
preferences: {}
users:
- name: tls-bootstrap-token-user
user:
token: qxsijr.4jr8f6o6e41whvu5其次将bootstrap token访问apiserver,被识别group为system:bootstrappers:kubeadm:default-node-token的用户
# kubectl get secret -n kube-system bootstrap-token-abcdef -o json | jq .data | tr -d '",' | while read k v; do echo $k $(echo $v | base64 -d); done
{
auth-extra-groups: system:bootstrappers:kubeadm:default-node-token
expiration: 2021-10-10T06:46:30Z
token-id: abcdef
token-secret: 0123456789abcdef
usage-bootstrap-authentication: true
usage-bootstrap-signing: true
}第三,创建csr请求,为公钥+标识名称签名生成公钥证书。
csr: 允许group为system:bootstrappers:kubeadm:default-node-token创建csr请求
$ kubectl get clusterrole system:certificates.k8s.io:certificatesigningrequests:nodeclient -o yaml
rules:
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests/nodeclient
verbs:
- create$ kubectl get clusterrolebinding kubeadm:node-autoapprove-bootstrap -o yaml
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:bootstrappers:kubeadm:default-node-tokencsr样例:
spec:
groups:
- system:nodes
- system:authenticated
request: LS0t<omit>S0tLQo=
signerName: kubernetes.io/kube-apiserver-client-kubelet
usages:
- digital signature
- key encipherment
- client auth
username: system:node:sedna-mini-control-plane
status:
certificate: LS0tLS1CR<omit>EUtLS0tLQo=
conditions:
- lastTransitionTime: "2021-10-09T15:37:34Z"
lastUpdateTime: "2021-10-09T15:37:34Z"
message: Auto approving self kubelet client certificate after SubjectAccessReview.
reason: AutoApproved
status: "True"
type: Approvedstatus字段由csrapprover controller-manager监听csr并更新。见https://code.k8s.io/pkg/controller/certificates/approver/sarapprove.go#L126
upload-certs
$ kubectl get -n kube-system rolebinding kubeadm:kubeadm-certs -o yaml
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubeadm:kubeadm-certs
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:bootstrappers:kubeadm:default-node-token
$ kubectl get -n kube-system role kubeadm:kubeadm-certs -o yaml
rules:
- apiGroups:
- ""
resourceNames:
- kubeadm-certs
resources:
- secrets
verbs:
- get
kubeadm init phase
https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/#kubeadm-init-workflow-internal-design
preflight 检查
certs 生成证书
kubeconfig 生成kubeconfig配置文件
kubelet-start: 生成kubelet配置和启动kubelet
control-plane: 生成控制面的static pod manifest
etcd: 生成etcd的pod manifest
upload-config: 将kubeadm/kubelet 配置写成configmap
upload-certs: 将ca/etcd-ca/sa 私钥和公钥写到secret
kubeadm-certsmark-control-plane
bootstrap-token
addon 安装格外插件