Closed SnowerWkh closed 5 years ago
- Kubernetes version: v1.9.7
- Docker version: 17.06.2-ce-2, build 1d9dde5
- Network plugin: flannel
- Storage type: not set
- Linux version: centos_7_04_64_20G
- Kubernetes cluster nodes: master 3, worker 5
Create the CA configuration file ca-config.json

```json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
```
Create the ca-csr.json file

```json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ],
  "ca": {
    "expiry": "87600h"
  }
}
```
Generate the CA certificate and private key

```bash
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
```
Create the edas-csr.json file

```json
{
  "CN": "edas",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
```
Create the edas certificate

```bash
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes edas-csr.json | cfssljson -bare edas
```
Generate the kubeconfig file

```bash
export KUBE_APISERVER="https://139.224.5.111:6443"

kubectl config set-cluster kubernetes \
  --certificate-authority=/root/cert/ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=edas.kubeconfig

kubectl config set-credentials edas \
  --client-certificate=/root/cert/edas.pem \
  --client-key=/root/cert/edas-key.pem \
  --embed-certs=true \
  --kubeconfig=edas.kubeconfig

kubectl config set-context kubernetes \
  --cluster=kubernetes \
  --user=edas \
  --namespace=default \
  --kubeconfig=edas.kubeconfig
```
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: cluster-node-reader
rules:
- apiGroups: [""]
  resources: ["pods","nodes"]
  verbs: ["get", "watch", "list"]
```

```bash
kubectl create -f clusterrole.yaml
kubectl create clusterrolebinding edas-admin-binding --clusterrole=cluster-node-reader --user=edas --namespace=default
```
Error message:

```
Unable to connect to the server: x509: certificate signed by unknown authority
```
This is an issue similar to #264.
Using the kubeconfig generated by the process above, operating the cluster with kubectl reports an error.

Error message:

```
Unable to connect to the server: x509: certificate signed by unknown authority
```
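The error at the end of this report is what the client returns when the CA it was given cannot verify the API server's serving certificate. As an added example (not part of the original issue), the script below reproduces that check offline with openssl on constructed throwaway certificates. It assumes the API server's certificate was issued by a different CA than the one created with `-initca` above; all function and file names are hypothetical.

```sh
#!/bin/sh
# Added example: constructed throwaway certificates, not the reporter's files.
set -eu

# Minimal request config so the result does not depend on the system openssl.cnf.
write_cnf() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' '[dn]' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' > "$1/req.cnf"
}

# make_ca <dir> <file-stem>: new self-signed CA, standing in for `cfssl gencert -initca`.
# Every CA gets the subject CN=kubernetes, as in ca-csr.json, but its own key pair.
make_ca() {
  write_cnf "$1"
  openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=kubernetes" -keyout "$1/$2-key.pem" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert <dir> <ca-stem> <cert-stem>: leaf certificate signed by that CA.
issue_cert() {
  write_cnf "$1"
  openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$1/$3-key.pem" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2-key.pem" \
    -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# ca_trusts <ca.pem> <cert.pem>: does this CA file verify this certificate?
ca_trusts() {
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo "trusted"
  else
    echo "unknown authority"
  fi
}

demo() {
  d=$(mktemp -d)
  make_ca "$d" cluster-ca                # assumed: CA that issued the API server cert
  make_ca "$d" new-ca                    # CA created later by re-running -initca
  issue_cert "$d" cluster-ca apiserver   # stand-in for the serving certificate
  echo "cluster-ca.pem -> $(ca_trusts "$d/cluster-ca.pem" "$d/apiserver.pem")"
  echo "new-ca.pem     -> $(ca_trusts "$d/new-ca.pem" "$d/apiserver.pem")"
  rm -rf "$d"
}

demo
```

Both CAs carry the same subject, so the second result shows that trust follows the CA key, not its name. For real files, `ca_trusts /root/cert/ca.pem <serving-cert.pem>` runs the same check against a saved copy of the API server's certificate.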