K8s如何支持公网访问

因为k8s默认启动支持内网ip,下面是三种 让k8s支持公网访问的模式

keadm init添加参数

1
2
# 未实践
kubeadm init --apiserver-advertise-address= 内网ip  --apiserver-cert-extra-sans 公网ip --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.19.4 --service-cidr=10.96.0.0/12 --pod-network-cidr=10.244.0.0/16

重新生成apiserver证书

  1. 删除原来的apiserver证书

    1
    2
    cd /etc/kubernetes/pki
    rm apiserver.*

  2. 生成新的apiserver证书

    1
    kubeadm init phase certs apiserver --apiserver-advertise-address 内网ip --apiserver-cert-extra-sans 公网ip --apiserver-cert-extra-sans 新增ip

  3. 查看证书

    1
    2
    ls apiserver.*
    apiserver.crt  apiserver.key

  4. 重启apiserver

    1
    docker ps|grep apiserver

  5. 查看状态

    1
    kubectl cluster-info

使用token认证模式

K8s操作支持,允许使用token认证模式

  1. 通过绑定Role,生成密钥

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    apiVersion: v1
    kind: Namespace
    metadata:
      name: dashboard
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: dashboard-admin
      namespace: dashboard

    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: dashboard-admin-crb
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
      - kind: ServiceAccount
        name: dashboard-admin
        namespace: dashboard

  2. 查看secret

    1
    kubectl get secret  -o yaml  -n dashboard

  3. base64解码获得token

    1
    kubectl get secret  dashboard-admin-token-rh7ss -o go-template="{{.data.token|base64decode}}"  -n dashboard

  4. 发送,添加Token认证,使用Bearer:”Bearer {token}”

    20230610170111

编程实战

client-go模式

client-go

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
func ClientWithToken() error {
	token, err := ioutil.ReadFile(setting.Conf.K8sConfig.TokenPath)
	if err != nil {
		return err
	}

	config := &rest.Config{
		Host:        fmt.Sprintf("https://%s:6443", setting.Conf.K8sConfig.Host),
		BearerToken: string(token),
		TLSClientConfig: rest.TLSClientConfig{
			Insecure: true, // 设置为true时 不需要CA
			CAData:   []byte(""),
		},
	}
	clientSet, err := kubernetes.NewForConfig(config)
}

kubernetes-client

kubernetes-client

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
func ClientWithToken() error {
	configuration := &client.Configuration{
		BasePath: fmt.Sprintf("https://%s:6443", setting.Conf.K8sConfig.Host),
		DefaultHeader: map[string]string{
			"Authorization": fmt.Sprintf("Bearer %s", string(token)),
		},
		HTTPClient: &http.Client{
			Transport: &http.Transport{
				TLSClientConfig: &tls.Config{
					InsecureSkipVerify: true,
				},
			},
		},
	}
	clientAPI = client.NewAPIClient(configuration)
}

整合上述可:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
func InitK8sClient() error {
	var err error
	switch setting.Conf.K8sConfig.AuthModel {
	case "token":
		err = ClientWithToken()
	case "config":
		err = ClientWithConfig()
	default:
		return errors.New("目前只支持 token | config")
	}
	if err!=nil{
		return err
	}
	return nil
}
func ClientWithConfig() error {
	kubeconifg := ".kube/config"
	flag.Parse()

	// use the current context in kubeconfig
	config, err := clientcmd.BuildConfigFromFlags("", kubeconifg)
	if err != nil {
		return err
	}

	// create the clientset
	clientSet, err = kubernetes.NewForConfig(config)
	if err != nil {
		return err
	}

	configLoader, err := cf.NewKubeConfigLoaderFromYAMLFile(kubeconifg, false)

	configuration, err := configLoader.LoadAndSet()

	ctx = context.Background()
	//ctx = context.WithValue(ctx, client.ContextAPIKey, client.APIKey{Key: "Bearer " + string(token), Prefix: ""})
	clientAPI = client.NewAPIClient(configuration)
	return nil
}

func ClientWithToken() error {
	token, err := ioutil.ReadFile(setting.Conf.K8sConfig.TokenPath)
	if err != nil {
		return err
	}

	config := &rest.Config{
		Host:        fmt.Sprintf("https://%s:6443", setting.Conf.K8sConfig.Host),
		BearerToken: string(token),
		TLSClientConfig: rest.TLSClientConfig{
			Insecure: true, // 设置为true时 不需要CA
			CAData:   []byte(""),
		},
	}
	clientSet2, err := kubernetes.NewForConfig(config)
	clientSet = clientSet2
	if err != nil {
		return err
	}
	configuration := &client.Configuration{
		BasePath: fmt.Sprintf("https://%s:6443", setting.Conf.K8sConfig.Host),
		DefaultHeader: map[string]string{
			"Authorization": fmt.Sprintf("Bearer %s", string(token)),
		},
		HTTPClient: &http.Client{
			Transport: &http.Transport{
				TLSClientConfig: &tls.Config{
					InsecureSkipVerify: true,
				},
			},
		},
	}
	clientAPI = client.NewAPIClient(configuration)
	return nil
}