K8s如何支持公网访问

因为 k8s 默认初始化时只支持内网 IP 访问，下面是三种让 k8s 支持公网访问的方式

kubeadm init 添加参数

# 未实践
kubeadm init --apiserver-advertise-address= 内网ip --apiserver-cert-extra-sans 公网ip --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.19.4 --service-cidr=10.96.0.0/12 --pod-network-cidr=10.244.0.0/16

重新生成apiserver证书

  1. 删除原来的apiserver证书

    cd /etc/kubernetes/pki
    rm apiserver.*
  2. 生成新的apiserver证书

    kubeadm init phase certs apiserver --apiserver-advertise-address 内网ip --apiserver-cert-extra-sans 公网ip --apiserver-cert-extra-sans 新增ip
  3. 查看证书

    ls apiserver.*
    apiserver.crt apiserver.key
  4. 重启apiserver

    docker ps|grep apiserver
  5. 查看状态

    kubectl cluster-info

使用token认证模式

K8s 支持使用 token 认证模式

  1. 创建 ServiceAccount 并绑定 ClusterRole(cluster-admin)，由此生成密钥

    apiVersion: v1
    kind: Namespace
    metadata:
      name: dashboard
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: dashboard-admin
      namespace: dashboard

    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: dashboard-admin-crb
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: dashboard-admin
      namespace: dashboard
  2. 查看secret

    kubectl get secret  -o yaml  -n dashboard		
  3. base64解码获得token

    kubectl get secret  dashboard-admin-token-rh7ss -o go-template="{{.data.token|base64decode}}"  -n dashboard
  4. 发送请求时添加 Token 认证：请求头 Authorization: "Bearer {token}"

    20230610170111

编程实战

client-go模式

client-go

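// ClientWithToken builds the client-go clientset for the API server at
// setting.Conf.K8sConfig.Host, authenticating with the bearer token read from
// setting.Conf.K8sConfig.TokenPath. The clientset is stored in the
// package-level clientSet; the error from reading the token or from
// kubernetes.NewForConfig is returned, in which case clientSet is left untouched.
func ClientWithToken() error {
	token, err := ioutil.ReadFile(setting.Conf.K8sConfig.TokenPath)
	if err != nil {
		return err
	}

	config := &rest.Config{
		Host:        fmt.Sprintf("https://%s:6443", setting.Conf.K8sConfig.Host),
		BearerToken: string(token),
		TLSClientConfig: rest.TLSClientConfig{
			// Insecure skips verification of the API server certificate, so no CA
			// is needed. NOTE(review): this also means the bearer token is sent to
			// whatever endpoint answers at Host; supplying the cluster CA via
			// CAData/CAFile and leaving Insecure false keeps the token bound to
			// the real API server.
			Insecure: true,
			CAData:   []byte(""),
		},
	}

	// The original snippet dropped this error and never returned.
	cs, err := kubernetes.NewForConfig(config)
	if err != nil {
		return err
	}
	clientSet = cs
	return nil
}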

kubernetes-client

kubernetes-client

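// ClientWithToken builds a kubernetes-client APIClient for the API server at
// setting.Conf.K8sConfig.Host, sending a bearer token read from
// setting.Conf.K8sConfig.TokenPath on every request. The client is stored in
// the package-level clientAPI; an error reading the token is returned and
// clientAPI is then left untouched.
func ClientWithToken() error {
	// The original snippet used token without defining it; read it from the
	// same path the client-go variant uses.
	token, err := ioutil.ReadFile(setting.Conf.K8sConfig.TokenPath)
	if err != nil {
		return err
	}

	configuration := &client.Configuration{
		BasePath: fmt.Sprintf("https://%s:6443", setting.Conf.K8sConfig.Host),
		DefaultHeader: map[string]string{
			"Authorization": fmt.Sprintf("Bearer %s", string(token)),
		},
		// NOTE(review): no Timeout is set on this client, so a hung API server
		// blocks callers indefinitely.
		HTTPClient: &http.Client{
			Transport: &http.Transport{
				TLSClientConfig: &tls.Config{
					// NOTE(review): skipping certificate verification means the
					// Authorization header is sent to whatever answers at BasePath;
					// pinning the cluster CA via RootCAs instead closes that gap.
					InsecureSkipVerify: true,
				},
			},
		},
	}
	clientAPI = client.NewAPIClient(configuration)
	return nil
}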

整合上述两种方式可得:

// InitK8sClient initialises the Kubernetes clients according to
// setting.Conf.K8sConfig.AuthModel: "token" delegates to ClientWithToken and
// "config" to ClientWithConfig, returning whatever error they return. Any
// other value is rejected with an error.
func InitK8sClient() error {
	switch setting.Conf.K8sConfig.AuthModel {
	case "token":
		return ClientWithToken()
	case "config":
		return ClientWithConfig()
	}
	return errors.New("目前只支持 token | config")
}
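// ClientWithConfig builds both Kubernetes clients from a kubeconfig file: the
// client-go clientset goes into the package-level clientSet and the
// kubernetes-client APIClient into the package-level clientAPI. It also resets
// the package-level ctx to a background context. Any error from loading the
// kubeconfig or constructing a client is returned.
func ClientWithConfig() error {
	// NOTE(review): this path is relative to the working directory, not $HOME,
	// so the file is only found when the process runs from the home directory.
	kubeconfig := ".kube/config"
	// Kept from the original: parses the process command line as a side effect.
	flag.Parse()

	// use the current context in kubeconfig
	config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
	if err != nil {
		return err
	}

	// create the clientset
	clientSet, err = kubernetes.NewForConfig(config)
	if err != nil {
		return err
	}

	// Both loader errors were previously ignored, which could leave configLoader
	// or configuration unusable for the calls that follow.
	configLoader, err := cf.NewKubeConfigLoaderFromYAMLFile(kubeconfig, false)
	if err != nil {
		return err
	}
	configuration, err := configLoader.LoadAndSet()
	if err != nil {
		return err
	}

	ctx = context.Background()
	//ctx = context.WithValue(ctx, client.ContextAPIKey, client.APIKey{Key: "Bearer " + string(token), Prefix: ""})
	clientAPI = client.NewAPIClient(configuration)
	return nil
}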

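// ClientWithToken builds both Kubernetes clients for the API server at
// setting.Conf.K8sConfig.Host, authenticating with the bearer token stored in
// the file setting.Conf.K8sConfig.TokenPath: the client-go clientset goes into
// the package-level clientSet and the kubernetes-client APIClient into
// clientAPI. It returns the error from reading the token or from
// kubernetes.NewForConfig; on error neither package-level client is modified.
func ClientWithToken() error {
	raw, err := ioutil.ReadFile(setting.Conf.K8sConfig.TokenPath)
	if err != nil {
		return err
	}
	// Drop trailing whitespace: a newline left in the file by an editor or a
	// shell redirect would otherwise end up inside the Authorization header value.
	end := len(raw)
	for end > 0 && (raw[end-1] == '\n' || raw[end-1] == '\r' || raw[end-1] == ' ' || raw[end-1] == '\t') {
		end--
	}
	token := string(raw[:end])

	restCfg := &rest.Config{
		Host:        fmt.Sprintf("https://%s:6443", setting.Conf.K8sConfig.Host),
		BearerToken: token,
		TLSClientConfig: rest.TLSClientConfig{
			// Insecure skips verification of the API server certificate, so no CA
			// is needed. NOTE(review): with verification off, the token (bound to
			// cluster-admin in the manifest above) is sent to whatever endpoint
			// answers at Host; supplying the cluster CA through CAData/CAFile and
			// leaving Insecure false closes that gap.
			Insecure: true,
			CAData:   []byte(""),
		},
	}
	// Check the error before touching clientSet; the original overwrote
	// clientSet first and only then looked at err.
	cs, err := kubernetes.NewForConfig(restCfg)
	if err != nil {
		return err
	}

	apiCfg := &client.Configuration{
		BasePath: fmt.Sprintf("https://%s:6443", setting.Conf.K8sConfig.Host),
		DefaultHeader: map[string]string{
			"Authorization": fmt.Sprintf("Bearer %s", token),
		},
		HTTPClient: &http.Client{
			Transport: &http.Transport{
				TLSClientConfig: &tls.Config{
					// Same trade-off as Insecure above; RootCAs with the cluster CA
					// is the equivalent fix here.
					InsecureSkipVerify: true,
				},
			},
		},
	}

	clientSet = cs
	clientAPI = client.NewAPIClient(apiCfg)
	return nil
}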