Kubernetes Cookbook Programming Guide (Chinese Edition Tutorial)
Created: 2018-12-07

kubeconfig is a configuration file used to manage cluster, context and authentication settings in Kubernetes. With a kubeconfig file we can define credentials for different clusters, users and namespaces, and switch between clusters or contexts from a single machine. It can be configured from the command line, for example with the kubectl config subcommand, or by editing the configuration file directly. In this section we describe how to operate on kubeconfig with kubectl config and how to write a kubeconfig file directly.

Getting ready

Before you start modifying kubeconfig, you should have a clear picture of your security policy. Use kubectl config view to check the current settings:

// check current kubeconfig file
# kubectl config view
apiVersion: v1
clusters: []
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

We can see that there are currently no settings specified in kubeconfig.

How to do it...

Suppose we have two clusters: localhost, reachable locally at http://localhost:8080, and remotehost, reachable remotely at http://remotehost:8080. In this example we use localhost as the main console and switch between the clusters by changing the context. First, run a different number of nginx applications in each cluster and make sure all Pods are running:

// in localhost cluster
# kubectl run localnginx --image=nginx --replicas=2 --port=80
replicationcontroller "localnginx" created
// check pods are running
# kubectl get pods
NAME READY STATUS RESTARTS AGE
localnginx-1blru 1/1 Running 0 1m
localnginx-p6cyo 1/1 Running 0 1m
// in remotehost cluster
# kubectl run remotenginx --image=nginx --replicas=4 --port=80
replicationcontroller "remotenginx" created

// check pods are running
# kubectl get pods
NAME READY STATUS RESTARTS AGE
remotenginx-6wz5c 1/1 Running 0 1m
remotenginx-7v5in 1/1 Running 0 1m
remotenginx-c7go6 1/1 Running 0 1m
remotenginx-r1mf6 1/1 Running 0 1m

Setting a new credential

First, we set up one credential for each of the two clusters. Use the kubectl config set-credentials <nickname> command to add a credential to kubeconfig. Kubernetes supports several authentication methods: a password, a client certificate or a token. In this example we use HTTP basic authentication (username and password) for the simple scenario; Kubernetes also supports client-certificate and token authentication. For more information, see the kubeconfig set-credentials page: http://kubernetes.io/docs/userguide/kubectl/kubectl_config_set-credentials

// in localhost cluster, add a user `userlocal` with nickname localhost/myself
# kubectl config set-credentials localhost/myself --username=userlocal --password=passwordlocal
user "localhost/myself" set.

// in localhost cluster, add a user `userremote` with nickname remotehost/myself
# kubectl config set-credentials remotehost/myself --username=userremote --password=passwordremote
user "remotehost/myself" set.

Let's look at the current configuration view:

# kubectl config view
apiVersion: v1
clusters: []
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: localhost/myself
  user:
    password: passwordlocal
    username: userlocal
- name: remotehost/myself
  user:
    password: passwordremote
    username: userremote

We can see that there are now two sets of credentials, with the nicknames localhost/myself and remotehost/myself. Next, we set up the cluster management.

Setting a new cluster

To set up a new cluster, we use the kubectl config set-cluster <nickname> command; the --server parameter tells kubectl how to reach the cluster. --insecure-skip-tls-verify disables verification of the server certificate. If you use HTTPS to set up a trusted server, replace --insecure-skip-tls-verify with --certificate-authority=$PATH_OF_CERT --embed-certs=true. For more information, see the kubeconfig set-cluster page: http://kubernetes.io/docs/user-guide/kubectl/kubectl_config_set-cluster

// in localhost cluster: add http://localhost:8080 as localhost
# kubectl config set-cluster localhost --insecure-skip-tls-verify=true --server=http://localhost:8080
cluster "localhost" set.

// in localhost cluster: add http://remotehost:8080 as remotehost
# kubectl config set-cluster remotehost --insecure-skip-tls-verify=true --server=http://remotehost:8080
cluster "remotehost" set.

Let's look at the view again. The settings accurately reflect what we just configured:

// check current view
# kubectl config view
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: http://localhost:8080
  name: localhost
- cluster:
    insecure-skip-tls-verify: true
    server: http://remotehost:8080
  name: remotehost
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: localhost/myself
  user:
    password: passwordlocal
    username: userlocal
- name: remotehost/myself
  user:
    password: passwordremote
    username: userremote

Note that we have not yet associated the users with the clusters. Next we link them together with a context.

Setting and changing the current context

A context consists of a cluster, a namespace and a user. kubectl sends requests to the cluster using the specified user information and namespace. To set up a context, we create it with kubectl config set-context <context nickname> --user=<user nickname> --namespace=<namespace> --cluster=<cluster nickname>:

// in localhost cluster: set a context named default/localhost/myself for localhost cluster
# kubectl config set-context default/localhost/myself --user=localhost/myself --namespace=default --cluster=localhost
context "default/localhost/myself" set.

// in localhost cluster: set a context named default/remotehost/myself for remotehost cluster
# kubectl config set-context default/remotehost/myself --user=remotehost/myself --namespace=default --cluster=remotehost
context "default/remotehost/myself" set.

Let's look at the current view. Now the contexts section holds a list of contexts:

# kubectl config view
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: http://localhost:8080
  name: localhost
- cluster:
    insecure-skip-tls-verify: true
    server: http://remotehost:8080
  name: remotehost
contexts:
- context:
    cluster: localhost
    namespace: default
    user: localhost/myself
  name: default/localhost/myself
- context:
    cluster: remotehost
    namespace: default
    user: remotehost/myself
  name: default/remotehost/myself
current-context: ""
kind: Config
preferences: {}
users:
- name: localhost/myself
  user:
    password: passwordlocal
    username: userlocal
- name: remotehost/myself
  user:
    password: passwordremote
    username: userremote

After creating the contexts, we can start switching contexts to manage the different clusters. Here we use the kubectl config use-context <context nickname> command. We start with the localhost cluster:

// in localhost cluster: use the context default/localhost/myself
# kubectl config use-context default/localhost/myself
switched to context "default/localhost/myself".

List the Pods to confirm that this is the localhost cluster:

// list the pods
# kubectl get pods
NAME READY STATUS RESTARTS AGE
localnginx-1blru 1/1 Running 0 1m
localnginx-p6cyo 1/1 Running 0 1m

Yes, that looks right. What happens if we switch the context to the remotehost setting?

// in localhost cluster: switch to the context default/remotehost/myself
# kubectl config use-context default/remotehost/myself
switched to context "default/remotehost/myself".

// list the pods to make sure it's under the remotehost context
# kubectl get pods
NAME READY STATUS RESTARTS AGE
remotenginx-6wz5c 1/1 Running 0 1m
remotenginx-7v5in 1/1 Running 0 1m
remotenginx-c7go6 1/1 Running 0 1m
remotenginx-r1mf6 1/1 Running 0 1m

Every operation we performed was done from the localhost cluster. kubeconfig makes it easy to switch between multiple users and multiple clusters.
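The recipe's own configuration deliberately uses --insecure-skip-tls-verify, plain http:// endpoints and basic-auth passwords, all of which end up in cleartext in the kubeconfig file, and a context is only as sound as the cluster and user entries it names. The following is an added shell example, not code from the book: it scans a constructed kubeconfig (laid out like the kubectl config view output above, but with a hardened remotehost entry that pins a CA and uses a token, with placeholder values, plus a deliberately dangling stalehost context) for those weak settings, and resolves a context to its cluster, user and namespace while checking that both referenced entries exist. The stalehost context, the placeholder CA and token values and the 6443 port are assumptions; only sh, grep and awk are needed, kubectl is not required.

```shell
#!/bin/sh
# Added example, not from the book: audit a kubeconfig for the weak settings
# this recipe relies on, and resolve what a context points at. Needs only
# sh, grep and awk; kubectl is not required.

# Constructed sample laid out like `kubectl config view`. localhost keeps the
# recipe's plaintext http:// endpoint, skipped TLS verification and basic-auth
# password; remotehost shows the hardened form (pinned CA, token). CA and token
# values are placeholders; the stalehost context is deliberately dangling.
SAMPLE_KUBECONFIG=$(mktemp)           # never touches ~/.kube/config
trap 'rm -f "$SAMPLE_KUBECONFIG"' EXIT
cat > "$SAMPLE_KUBECONFIG" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: http://localhost:8080
  name: localhost
- cluster:
    certificate-authority-data: PLACEHOLDER-BASE64-CA
    server: https://remotehost:6443
  name: remotehost
contexts:
- context:
    cluster: localhost
    namespace: default
    user: localhost/myself
  name: default/localhost/myself
- context:
    cluster: remotehost
    namespace: default
    user: remotehost/myself
  name: default/remotehost/myself
- context:
    cluster: stalehost
    namespace: default
    user: remotehost/myself
  name: default/stalehost/myself
current-context: default/remotehost/myself
kind: Config
users:
- name: localhost/myself
  user:
    password: passwordlocal
    username: userlocal
- name: remotehost/myself
  user:
    token: PLACEHOLDER-TOKEN
EOF

# One "WEAK: <line>:<text>" per finding: skipped server-certificate checks,
# plaintext http:// API endpoints, basic-auth passwords stored in the file.
audit_kubeconfig() {
    grep -n -E -e 'insecure-skip-tls-verify: true' -e 'server: http://' \
        -e '^[[:space:]]*password:' "$1" | sed 's/^/WEAK: /'
}
# Number of findings (0 for a clean file); safe under set -e.
weak_setting_count() { audit_kubeconfig "$1" | grep -c . || true; }
current_context() { awk '/^current-context:/ { print $2 }' "$1"; }

# Print "cluster user namespace" for the named context by walking the
# contexts: block (2-space list items, 4-space nested keys).
context_fields() {
    awk -v ctx="$2" '
        /^contexts:/                { in_ctx = 1; next }
        in_ctx && /^[a-z]/          { in_ctx = 0 }      # next top-level key
        in_ctx && /^- context:/     { cluster = ""; user = ""; ns = "" }
        in_ctx && /^    cluster:/   { cluster = $2 }
        in_ctx && /^    user:/      { user = $2 }
        in_ctx && /^    namespace:/ { ns = $2 }
        in_ctx && /^  name:/ && $2 == ctx { print cluster, user, ns; exit }
    ' "$1"
}
# Exit 0 if SECTION (clusters or users) defines an entry named NAME.
has_entry() {
    awk -v section="$2:" -v want="$3" '
        $0 == section      { in_sec = 1; next }
        in_sec && /^[a-z]/ { in_sec = 0 }
        in_sec && /^(- |  )name: / { n = $0; sub(/^.*name: */, "", n)
                                     if (n == want) { found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$1"
}
# Report what a context resolves to and whether its cluster and user exist.
check_context() {
    fields=$(context_fields "$1" "$2")
    [ -n "$fields" ] || { echo "$2: context not defined"; return 0; }
    set -- "$1" "$2" $fields         # $3=cluster $4=user $5=namespace
    c_state=missing; u_state=missing
    has_entry "$1" clusters "$3" && c_state=ok
    has_entry "$1" users "$4" && u_state=ok
    echo "$2: cluster=$3($c_state) user=$4($u_state) namespace=$5"
}

audit_kubeconfig "$SAMPLE_KUBECONFIG"
echo "weak settings: $(weak_setting_count "$SAMPLE_KUBECONFIG")"
check_context "$SAMPLE_KUBECONFIG" "$(current_context "$SAMPLE_KUBECONFIG")"
check_context "$SAMPLE_KUBECONFIG" default/stalehost/myself
```

Against a real file, run audit_kubeconfig ~/.kube/config after the recipe: the three settings it flags are exactly what set-cluster --insecure-skip-tls-verify=true, an http:// --server and set-credentials --password write, and a cluster entry built with --certificate-authority=... --embed-certs=true carries certificate-authority-data instead and passes. The dangling-reference check catches a context that survives after its cluster or user entry was deleted, which kubectl config set-context does not prevent.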

Cleaning up kubeconfig

The kubeconfig file is stored at $HOME/.kube/config. If this file is deleted, the configuration is gone; if the file is put back in that location, the configuration is restored as well:

// clean up kubeconfig file
# rm -f ~/.kube/config
// check out current view
# kubectl config view

apiVersion: v1
clusters: []
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []

See also

kubeconfig manages the settings for clusters, credentials and namespaces. See the following sections:

  • Chapter 2, Understanding Kubernetes Concepts: the section on working with namespaces

  • Authentication and authorization