kubectl connect with remote cluster from scratch


Problem description

I've created a local Kubernetes cluster using Ansible. Everything is running, but now I'm trying to connect my kubectl to the cluster (in the VMs).

My cluster is at https://IP:6443

First I get:

$ kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?

So I tried this solution:

kubectl config set-credentials kubeuser/IP --username=kubeuser --password=kubepassword
kubectl config set-cluster IP --insecure-skip-tls-verify=true --server=https://IP:6443
kubectl config set-context default/IP/kubeuser --user=kubeuser/IP --namespace=default --cluster=IP
kubectl config use-context default/IP/kubeuser

and then tried again:

$ kubectl get pods
Error from server (Forbidden): pods is forbidden: User "system:anonymous" cannot list pods in the namespace "default"

I understand I need to create a clusterrolebinding, but I still need an initial "admin ownership" for that? What step am I missing or doing wrong, so that I can access my cluster with kubectl and get my pods?

Recommended answer

Kubectl is a command line tool for remote management of a Kubernetes cluster.

Kubectl uses a config file that you must have in order to connect to the cluster. It is possible that your config file is inconsistent due to a lot of major or minor changes. If further analysis of the issue does not show good results, try rm -f ~/.kube/config and start from scratch.

As I see it, you suspect that the problem is with the self-signed certificates. It may require updating the cluster root Certificate Authority (CA) on the clients, then refreshing the local list of valid certificates.

Go to your local CA directory, check that the ca.crt file exists, then copy it to the clients. On the clients, perform the following operations:

sudo cp ca.crt /usr/local/share/ca-certificates/kubernetes.crt
sudo update-ca-certificates

I agree with the suggestion provided by Matthew L. Daniel:

The cluster: tag accepts either the filename of the CA certificate or an "inline" base64-ed version of the PEM; you can see it with:

kubectl config set-cluster $foo --certificate-authority=... --embed-certs=true

or you can cheat and use --insecure-skip-tls-verify=true to switch off the CA verification for testing things

If you do not have a certificate generated during the installation of Kubernetes, I suggest starting with the Kubernetes TLS documentation. You may have a look at Kubernetes cloud providers like GKE or AKS: they give you the possibility to create a Kubernetes config file remotely with all certificates included, and then download it to a local ~/.kube directory. Maybe this will solve some issues with the config if you adapt it to a local installation. It works like a charm and saves a lot of time. If you're still undecided, please provide here the output of kubectl config view for us to help you with your trouble. (Please remove sensitive data from it before posting here.)
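As an added example, not part of the question or the answer above: the set-credentials / set-cluster commands in the question produce a kubeconfig with a static basic-auth password and TLS verification switched off. kube-apiserver only honours a username/password pair if it was started with --basic-auth-file (that mechanism was removed in v1.19); otherwise the credentials are ignored and, with anonymous auth enabled, the request runs as system:anonymous, which is exactly the Forbidden error quoted in the question. The POSIX shell script below lints a kubeconfig for both shortcuts, checks that the cluster entry carries a CA, and decodes an embedded certificate-authority-data value to confirm it is a PEM certificate, which is what --embed-certs=true writes. It creates two constructed sample files (the question's shape, and a corrected client-certificate shape with placeholder PEM bodies) and never contacts a cluster. The file names, function names and placeholder certificates are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Lints a kubeconfig for the two
# shortcuts in the question (static password, TLS verification off), checks
# the cluster has a CA, and verifies embedded CA data decodes to PEM.
# Assumes POSIX sh with grep, sed, head, base64, tr and mktemp. File names,
# function names and the placeholder PEM bodies are made up for the example.

lint_kubeconfig() {
    file="$1"
    status=0

    # insecure-skip-tls-verify: true disables server identity checks, so
    # anyone on the path to IP:6443 can impersonate the API server and
    # collect whatever credentials kubectl sends.
    if grep -Eq '^[[:space:]]*insecure-skip-tls-verify:[[:space:]]*true' "$file"; then
        echo "FAIL: insecure-skip-tls-verify is enabled; embed the CA instead" >&2
        status=1
    fi

    # username/password under users: is HTTP basic auth. kube-apiserver only
    # honours it when started with --basic-auth-file (removed in v1.19);
    # otherwise the request is anonymous and RBAC answers "Forbidden".
    if grep -Eq '^[[:space:]]*password:' "$file"; then
        echo "FAIL: static password found; use a client certificate or token" >&2
        status=1
    fi

    # Every cluster entry needs a CA, either a file path or embedded data.
    if ! grep -Eq '^[[:space:]]*certificate-authority(-data)?:' "$file"; then
        echo "FAIL: no certificate-authority for the cluster" >&2
        status=1
    fi

    # If the CA is embedded, decode it and require a PEM certificate (catches
    # raw PEM pasted in place of the base64 that --embed-certs=true writes).
    ca_b64=$(grep -E '^[[:space:]]*certificate-authority-data:' "$file" \
             | head -n 1 | sed 's/.*certificate-authority-data:[[:space:]]*//')
    if [ -n "$ca_b64" ] && ! printf '%s' "$ca_b64" | base64 -d 2>/dev/null \
            | grep -q 'BEGIN CERTIFICATE'; then
        echo "FAIL: certificate-authority-data does not decode to a PEM certificate" >&2
        status=1
    fi

    return $status
}

# Constructed sample: what the question's set-credentials / set-cluster /
# set-context commands write (password, TLS verification off, no CA).
write_question_kubeconfig() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://IP:6443
  name: IP
contexts:
- context:
    cluster: IP
    namespace: default
    user: kubeuser/IP
  name: default/IP/kubeuser
current-context: default/IP/kubeuser
users:
- name: kubeuser/IP
  user:
    password: kubepassword
    username: kubeuser
EOF
}

# Placeholder PEM block (body is base64 of the word PLACEHOLDER, not a key
# or certificate); a real file carries the cluster CA and a client cert.
placeholder_pem() {
    printf '%s\n' "-----BEGIN $1-----" "UExBQ0VIT0xERVI=" "-----END $1-----"
}

# Constructed sample: the shape kubectl config set-cluster / set-credentials
# produce with --embed-certs=true (CA and client identity embedded, no
# password, no insecure flag).
write_fixed_kubeconfig() {
    ca_b64=$(placeholder_pem CERTIFICATE | base64 | tr -d '\n')
    crt_b64=$(placeholder_pem CERTIFICATE | base64 | tr -d '\n')
    key_b64=$(placeholder_pem "PRIVATE KEY" | base64 | tr -d '\n')
    cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: $ca_b64
    server: https://IP:6443
  name: IP
contexts:
- context:
    cluster: IP
    namespace: default
    user: kubeuser
  name: kubeuser@IP
current-context: kubeuser@IP
users:
- name: kubeuser
  user:
    client-certificate-data: $crt_b64
    client-key-data: $key_b64
EOF
}

# Stand-alone run: the question's config is rejected, the fixed one passes.
workdir=$(mktemp -d)
write_question_kubeconfig "$workdir/question.kubeconfig"
write_fixed_kubeconfig "$workdir/fixed.kubeconfig"
lint_kubeconfig "$workdir/question.kubeconfig" && echo "question config: ok" || echo "question config: rejected"
lint_kubeconfig "$workdir/fixed.kubeconfig" && echo "fixed config: ok" || echo "fixed config: rejected"
rm -rf "$workdir"
```

To produce the corrected shape with kubectl itself rather than by hand, run kubectl config set-cluster IP --server=https://IP:6443 --certificate-authority=ca.crt --embed-certs=true and kubectl config set-credentials kubeuser --client-certificate=kubeuser.crt --client-key=kubeuser.key --embed-certs=true, then point the lint at ~/.kube/config before retrying kubectl get pods. The RBAC step from the question (a clusterrolebinding for the subject named in the client certificate) still has to be done with credentials the cluster already trusts, typically the admin kubeconfig generated on the control plane.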
