{"id":128,"date":"2017-03-30T15:56:24","date_gmt":"2017-03-30T07:56:24","guid":{"rendered":"http:\/\/www.jsjs.org\/?p=128"},"modified":"2017-03-30T15:56:24","modified_gmt":"2017-03-30T07:56:24","slug":"kubernetes%e9%9b%86%e7%be%a4%e7%9a%84%e5%ae%89%e5%85%a8%e9%85%8d%e7%bd%ae","status":"publish","type":"post","link":"https:\/\/blog.jsjs.org\/?p=128","title":{"rendered":"Kubernetes\u96c6\u7fa4\u7684\u5b89\u5168\u914d\u7f6e"},"content":{"rendered":"

\u4f7f\u7528kubernetes\/cluster\/kube-up.sh\u811a\u672c\u5728\u88c5\u6709Ubuntu<\/a>\u64cd\u4f5c\u7cfb\u7edf\u7684bare metal\u4e0a\u642d\u5efa\u7684Kubernetes\u96c6\u7fa4<\/a>\u5e76\u4e0d\u5b89\u5168\uff0c\u751a\u81f3\u53ef\u4ee5\u8bf4\u662f\u201c\u5b8c\u5168\u4e0d\u8bbe\u9632\u7684\u201d\uff0c\u8fd9\u662f\u56e0\u4e3aKubernetes\u96c6\u7fa4\u7684\u6838\u5fc3\u7ec4\u4ef6\uff1akube-apiserver<\/a>\u542f\u7528\u4e86insecure-port\u3002insecure-port\u80cc\u540e\u7684api server\u9ed8\u8ba4\u5b8c\u5168\u4fe1\u4efb\u8bbf\u95ee\u8be5\u7aef\u53e3\u7684\u6d41\u91cf\uff0c\u5185\u90e8\u65e0\u4efb\u4f55\u5b89\u5168\u673a\u5236\u3002\u5e76\u4e14\u76d1\u542cinsecure-port\u7684api server bind\u7684insecure-address\u4e3a0.0.0.0\u3002\u4e5f\u5c31\u662f\u8bf4\u4efb\u4f55\u5185\u5916\u90e8\u8bf7\u6c42\uff0c\u90fd\u53ef\u4ee5\u901a\u8fc7insecure-port\u7aef\u53e3\u4efb\u610f\u64cd\u4f5cKubernetes\u96c6\u7fa4\u3002\u6211\u4eec\u7684\u5e73\u53f0\u867d\u5c0f\uff0c\u4f46\u201c\u88f8\u5954\u201d\u7684k8s\u96c6\u7fa4\u4e5f\u5e76\u4e0d\u662f\u6211\u4eec\u60f3\u770b\u5230\u7684\uff0c\u9002\u5f53\u7684\u5b89\u5168\u914d\u7f6e\u662f\u9700\u8981\u7684\u3002<\/p>\n

\u5728\u672c\u6587\u4e2d\uff0c\u6211\u5c06\u548c\u5927\u5bb6\u4e00\u8d77\u5b66\u4e60\u4e00\u4e0bKubernetes\u63d0\u4f9b\u7684\u5b89\u5168\u673a\u5236\uff0c\u5e76\u901a\u8fc7\u5b89\u5168\u914d\u7f6e\u8c03\u6574\uff0c\u5b9e\u73b0K8s\u96c6\u7fa4\u7684\u201c\u6709\u9650\u201d\u5b89\u5168\u3002<\/p>\n

\u4e00\u3001\u96c6\u7fa4\u73b0\u72b6<\/h4>\n

\u6211\u4eec\u5148\u6765\u201c\u56de\u987e\u201d\u4e00\u4e0b\u96c6\u7fa4\u73b0\u72b6\uff0c\u4e3a\u540e\u7eed\u914d\u7f6e\u8c03\u6574\u63d0\u4f9b\u4e00\u4e2a\u53ef\u56de\u6eaf\u548c\u53ef\u6bd4\u5bf9\u7684\u201c\u57fa\u7ebf\u201d\u3002<\/p>\n

1\u3001Nodes<\/h5>\n

\u96c6\u7fa4\u57fa\u672c\u4fe1\u606f\uff1a<\/p>\n

# kubectl cluster-info\nKubernetes master is running at http:\/\/10.47.136.60:8080\nKubeDNS is running at http:\/\/10.47.136.60:8080\/api\/v1\/proxy\/namespaces\/kube-system\/services\/kube-dns\n\nTo further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.\n<\/code><\/pre>\n
\u5f53\u524d\u96c6\u7fa4\u903b\u8f91\u4e0a\u7531\u4e00\u4e2amaster node\u548c\u4e24\u4e2aworker nodes\u7ec4\u6210\uff1a<\/p>\n
\u5355master\uff1a 10.47.136.60\nworker nodes\uff1a 10.47.136.60\u548c10.46.181.146\n\n# kubectl get node --show-labels=true\nNAME            STATUS    AGE       LABELS\n10.46.181.146   Ready     41d       beta.kubernetes.io\/arch=amd64,beta.kubernetes.io\/os=linux,kubernetes.io\/hostname=10.46.181.146\n10.47.136.60    Ready     41d       beta.kubernetes.io\/arch=amd64,beta.kubernetes.io\/os=linux,kubernetes.io\/hostname=10.47.136.60\n<\/code><\/pre>\n
2\u3001kubernetes\u6838\u5fc3\u7ec4\u4ef6\u7684\u542f\u52a8\u53c2\u6570<\/h5>\n
\u6211\u4eec\u518d\u6765\u660e\u786e\u4e00\u4e0b\u5f53\u524d\u96c6\u7fa4\u4e2d\u5404k8s\u6838\u5fc3\u7ec4\u4ef6\u7684\u542f\u52a8\u53c2\u6570\uff0c\u8fd9\u4e9b\u53c2\u6570\u51b3\u5b9a\u7740\u7ec4\u4ef6\u80cc\u540e\u7684\u884c\u4e3a\uff1a<\/p>\n
master node & worker node1 \u2013 10.47.136.60\u4e0a\uff1a<\/p>\n
root       22000       1  0 Oct17 ?        03:52:55 \/opt\/bin\/kube-controller-manager --master=127.0.0.1:8080 --root-ca-file=\/srv\/kubernetes\/ca.crt --service-account-private-key-file=\/srv\/kubernetes\/server.key --logtostderr=true\n\nroot       22021       1  1 Oct17 ?        17:11:15 \/opt\/bin\/kube-apiserver --insecure-bind-address=0.0.0.0 --insecure-port=8080 --etcd-servers=http:\/\/127.0.0.1:4001 --logtostderr=true --service-cluster-ip-range=192.168.3.0\/24 --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,SecurityContextDeny,ResourceQuota --service-node-port-range=30000-32767 --advertise-address=10.47.136.60 --client-ca-file=\/srv\/kubernetes\/ca.crt --tls-cert-file=\/srv\/kubernetes\/server.cert --tls-private-key-file=\/srv\/kubernetes\/server.key\n\nroot       22121       1  0 Oct17 ?        00:22:30 \/opt\/bin\/kube-scheduler --logtostderr=true --master=127.0.0.1:8080\n\nroot     2140405       1  0 Nov15 ?        00:05:26 \/opt\/bin\/kube-proxy --hostname-override=10.47.136.60 --master=http:\/\/10.47.136.60:8080 --logtostderr=true\n\nroot     1912455       1  1 Nov15 ?        03:43:09 \/opt\/bin\/kubelet --hostname-override=10.47.136.60 --api-servers=http:\/\/10.47.136.60:8080 --logtostderr=true --cluster-dns=192.168.3.10 --cluster-domain=cluster.local --config=\n<\/code><\/pre>\n
worker node2 \u2013 10.46.181.146\u4e0a:<\/p>\n
root      7934     1  1 Nov15 ?        03:06:00 \/opt\/bin\/kubelet --hostname-override=10.46.181.146 --api-servers=http:\/\/10.47.136.60:8080 --logtostderr=true --cluster-dns=192.168.3.10 --cluster-domain=cluster.local --config=\nroot     23026     1  0 Nov15 ?        00:04:49 \/opt\/bin\/kube-proxy --hostname-override=10.46.181.146 --master=http:\/\/10.47.136.60:8080 --logtostderr=true\n<\/code><\/pre>\n
\u4ecemaster node\u7684\u6838\u5fc3\u7ec4\u4ef6kube-apiserver \u7684\u542f\u52a8\u547d\u4ee4\u884c\u53c2\u6570\u4e5f\u53ef\u4ee5\u770b\u51fa\u6211\u4eec\u5728\u5f00\u7bc7\u5904\u6240\u63d0\u5230\u7684\u90a3\u6837\uff1aapiserver insecure-port\u5f00\u542f\uff0c\u4e14bind 0.0.0.0:8080\uff0c\u53ef\u4ee5\u4efb\u610f\u8bbf\u95ee\uff0c\u8fdebasic_auth\u90fd\u6ca1\u6709\u3002\u5f53\u7136api server\u4e0d\u53ea\u662f\u76d1\u542c\u8fd9\u4e00\u4e2a\u7aef\u53e3\uff0c\u5728api server\u6e90\u7801<\/a>\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230\u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0capiserver\u8fd8\u76d1\u542c\u4e86\u53e6\u5916\u4e00\u4e2asecure port\uff0c\u8be5\u7aef\u53e3\u7684\u9ed8\u8ba4\u503c\u662f6443\uff0c\u901a\u8fc7lsof\u547d\u4ee4\u67e5\u770b6443\u7aef\u53e3\u7684\u76d1\u542c\u8fdb\u7a0b\u4e5f\u53ef\u4ee5\u5370\u8bc1\u8fd9\u4e00\u70b9\uff1a<\/p>\n
\/\/master node\u4e0a\n\n# lsof -i tcp:6443\nCOMMAND     PID USER   FD   TYPE DEVICE SIZE\/OFF NODE NAME\nkube-apis 22021 root   46u  IPv6 921529      0t0  TCP *:6443 (LISTEN)\n<\/code><\/pre>\n
3\u3001\u79c1\u94a5\u6587\u4ef6\u548c\u516c\u94a5\u8bc1\u4e66<\/h5>\n
\u901a\u8fc7\u5b89\u88c5\u811a\u672c\u5728bare-metal\u4e0a\u5b89\u88c5\u7684k8s\u96c6\u7fa4<\/a>\uff0c\u5728master node\u4e0a\u4f60\u4f1a\u53d1\u73b0\u5982\u4e0b\u6587\u4ef6\uff1a<\/p>\n
root@node1:\/srv\/kubernetes# ls\nca.crt  kubecfg.crt  kubecfg.key  server.cert  server.key\n<\/code><\/pre>\n
\u8fd9\u4e9b\u79c1\u94a5\u6587\u4ef6\u548c\u516c\u94a5\u8bc1\u4e66\u662f\u5728k8s(1.3.7)\u96c6\u7fa4\u5b89\u88c5\u8fc7\u7a0b\u7531\u5b89\u88c5\u811a\u672c\u521b\u5efa\u7684\uff0c\u5728kubernetes\/cluster\/common.sh\u4e2d\u4f60\u53ef\u4ee5\u53d1\u73b0function create-certs\u8fd9\u6837\u4e00\u4e2a\u51fd\u6570\uff0c\u8fd9\u4e9b\u6587\u4ef6\u5c31\u662f\u5b83\u521b\u5efa\u7684\u3002<\/p>\n
# Create certificate pairs for the cluster.\n# $1: The public IP for the master.\n#\n# These are used for static cert distribution (e.g. static clustering) at\n# cluster creation time. This will be obsoleted once we implement dynamic\n# clustering.\n#\n# The following certificate pairs are created:\n#\n#  - ca (the cluster's certificate authority)\n#  - server\n#  - kubelet\n#  - kubecfg (for kubectl)\n#\n# TODO(roberthbailey): Replace easyrsa with a simple Go program to generate\n# the certs that we need.\n#\n# Assumed vars\n#   KUBE_TEMP\n#\n# Vars set:\n#   CERT_DIR\n#   CA_CERT_BASE64\n#   MASTER_CERT_BASE64\n#   MASTER_KEY_BASE64\n#   KUBELET_CERT_BASE64\n#   KUBELET_KEY_BASE64\n#   KUBECFG_CERT_BASE64\n#   KUBECFG_KEY_BASE64\nfunction create-certs {\n  local -r primary_cn=\"${1}\"\n  ... ...\n\n}\n<\/code><\/pre>\n
\u7b80\u5355\u63cf\u8ff0\u4e00\u4e0b\u8fd9\u4e9b\u6587\u4ef6\u7684\u7528\u9014\uff1a<\/p>\n
- ca.crt\uff1athe cluster's certificate authority\uff0cCA\u8bc1\u4e66\uff0c\u5373\u6839\u8bc1\u4e66\uff0c\u5185\u7f6eCA\u516c\u94a5\uff0c\u7528\u4e8e\u9a8c\u8bc1\u67d0.crt\u6587\u4ef6\uff0c\u662f\u5426\u662fCA\u7b7e\u53d1\u7684\u8bc1\u4e66\uff1b\n- server.cert\uff1akube-apiserver\u670d\u52a1\u7aef\u516c\u94a5\u6570\u5b57\u8bc1\u4e66\uff1b\n- server.key\uff1akube-apiserver\u670d\u52a1\u7aef\u79c1\u94a5\u6587\u4ef6\uff1b\n- kubecfg.crt \u548ckubecfg.key\uff1a\u6309\u7167 create-certs\u51fd\u6570\u6ce8\u91ca\u4e2d\u7684\u8bf4\u6cd5\uff1a\u8fd9\u4e24\u4e2a\u6587\u4ef6\u662f\u4e3akubectl\u8bbf\u95eeapiserver[\u53cc\u5411\u8bc1\u4e66\u9a8c\u8bc1](http:\/\/tonybai.com\/2015\/04\/30\/go-and-https\/)\u65f6\u4f7f\u7528\u7684\u3002\n<\/code><\/pre>\n
\u4e0d\u8fc7\uff0c\u8fd9\u91cc\u6211\u4eec\u6ca1\u6709CA\u7684key\uff0c\u65e0\u6cd5\u7b7e\u53d1\u65b0\u8bc1\u4e66\uff0c\u5982\u679c\u8981\u7528\u8fd9\u51e0\u4e2a\u6587\u4ef6\uff0c\u90a3\u4e48\u5c31\u4ec5\u80fd\u9650\u4e8e\u8fd9\u51e0\u4e2a\u6587\u4ef6\u3002\u6211\u4eec\u53ef\u4ee5\u5229\u7528kubecfg.crt \u548ckubecfg.key \u4f5c\u4e3a\u8bbf\u95eeapi server\u7684client\u7aef\u7684key\u548ccrt\u4f7f\u7528\u3002\u6211\u4eec\u6765\u67e5\u770b\u4e00\u4e0b\u8fd9\u51e0\u4e2a\u6587\u4ef6\uff1a<\/p>\n
\u67e5\u770bca.crt\uff1a<\/p>\n
#openssl x509 -noout -text -in ca.crt\n... ...\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number: 16946557986148168970 (0xeb2e44b3a1ebb50a)\n    Signature Algorithm: sha256WithRSAEncryption\n        Issuer: CN=10.47.136.60@1476362758\n        Validity\n            Not Before: Oct 13 12:45:58 2016 GMT\n            Not After : Oct 11 12:45:58 2026 GMT\n        Subject: CN=10.47.136.60@1476362758\n... ..\n<\/code><\/pre>\n
\u67e5\u770bserver.cert\uff1a<\/p>\n
...\n Data:\n        Version: 3 (0x2)\n        Serial Number: 1 (0x1)\n    Signature Algorithm: sha256WithRSAEncryption\n        Issuer: CN=10.47.136.60@1476362758\n        Validity\n            Not Before: Oct 13 12:45:59 2016 GMT\n            Not After : Oct 11 12:45:59 2026 GMT\n        Subject: CN=kubernetes-master\n...\n<\/code><\/pre>\n
\u67e5\u770bkubecfg.crt\uff1a<\/p>\n
...\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number: 2 (0x2)\n    Signature Algorithm: sha256WithRSAEncryption\n        Issuer: CN=10.47.136.60@1476362758\n        Validity\n            Not Before: Oct 13 12:45:59 2016 GMT\n            Not After : Oct 11 12:45:59 2026 GMT\n        Subject: CN=kubecfg\n...\n<\/code><\/pre>\n
\u518d\u6765\u9a8c\u8bc1\u4e00\u4e0bserver.cert\u548ckubecfg.crt\u662f\u5426\u662fca.crt\u7b7e\u53d1\u7684\uff1a<\/p>\n
# openssl verify -CAfile ca.crt kubecfg.crt\nkubecfg.crt: OK\n\n# openssl verify -CAfile ca.crt server.cert\nserver.cert: OK\n\n<\/code><\/pre>\n
\u5728\u524d\u9762\u7684apiserver\u7684\u542f\u52a8\u53c2\u6570\u5c55\u793a\u4e2d\uff0c\u6211\u4eec\u5df2\u7ecf\u770b\u5230kube-apiserver\u4f7f\u7528\u4e86ca.crt, server.cert\u548cserver.key\uff1a<\/p>\n
\/opt\/bin\/kube-apiserver --insecure-bind-address=0.0.0.0 --insecure-port=8080 --etcd-servers=http:\/\/127.0.0.1:4001 --logtostderr=true --service-cluster-ip-range=192.168.3.0\/24 --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,SecurityContextDeny,ResourceQuota --service-node-port-range=30000-32767 --advertise-address=10.47.136.60 --client-ca-file=\/srv\/kubernetes\/ca.crt --tls-cert-file=\/srv\/kubernetes\/server.cert --tls-private-key-file=\/srv\/kubernetes\/server.key\n<\/code><\/pre>\n
\u5728\u540e\u7eed\u7ae0\u8282\u4e2d\uff0c\u6211\u4eec\u8fd8\u4f1a\u8be6\u7ec6\u8bf4\u660e\u8fd9\u4e9b\u5bc6\u94a5\u548c\u516c\u94a5\u8bc1\u4e66\u5728K8s\u96c6\u7fa4\u5b89\u5168\u4e2d\u6240\u8d77\u5230\u7684\u4f5c\u7528\u3002<\/p>\n
\u4e8c\u3001\u96c6\u7fa4\u73af\u5883<\/h4>\n
\u8fd8\u662f\u90a3\u53e5\u8bdd\uff0cKubernetes\u5728active development\u4e2d\uff0c\u8001\u7248\u672c\u548c\u65b0\u7248\u672c\u7684\u5b89\u5168\u673a\u5236\u53ef\u80fd\u6709\u8f83\u5927\u53d8\u52a8\uff0c\u672c\u7bc7\u4e2d\u7684\u914d\u7f6e\u65b9\u6848\u548c\u6b65\u9aa4\u90fd\u662f\u9488\u5bf9\u4e00\u5b9a\u73af\u5883\u6709\u6548\u7684\uff0c\u6211\u4eec\u7684\u73af\u5883\u5982\u4e0b\uff1a<\/p>\n
OS\uff1a\nUbuntu 14.04.4 LTS Kernel\uff1a3.19.0-70-generic #78~14.04.1-Ubuntu SMP Fri Sep 23 17:39:18 UTC 2016 x86_64 x86_64 x86_64 GNU\/Linux\n\nDocker\uff1a\n# docker version\nClient:\n Version:      1.12.2\n API version:  1.24\n Go version:   go1.6.3\n Git commit:   bb80604\n Built:        Tue Oct 11 17:00:50 2016\n OS\/Arch:      linux\/amd64\n\nServer:\n Version:      1.12.2\n API version:  1.24\n Go version:   go1.6.3\n Git commit:   bb80604\n Built:        Tue Oct 11 17:00:50 2016\n OS\/Arch:      linux\/amd64\n\nKubernetes\u96c6\u7fa4\uff1a1.3.7\n\n\u79c1\u6709\u955c\u50cf\u4ed3\u5e93\uff1a\u963f\u91cc\u4e91\u955c\u50cf\u4ed3\u5e93\n<\/code><\/pre>\n
\u4e09\u3001\u76ee\u6807<\/h4>\n
\u76ee\u524d\uff0c\u6211\u4eec\u5c1a\u4e0d\u5177\u5907\u4e00\u6b65\u8fc8\u5411\u201c\u7edd\u5bf9\u5b89\u5168\u201d\u7684\u80fd\u529b\uff0c\u5728\u76ee\u6807\u8bbe\u5b9a\u65f6\uff0c\u6211\u4eec\u7684\u4e00\u81f4\u60f3\u6cd5\u662f\u5728\u5f53\u524d\u9636\u6bb5\u201c\u6709\u9650\u5b89\u5168\u201d\u7684K8s\u96c6\u7fa4\u66f4\u9002\u5408\u6211\u4eec\u3002\u5728\u8fd9\u4e00\u539f\u5219\u4e0b\uff0c\u6211\u4eec\u9488\u5bf9\u4e0d\u540c\u60c5\u51b5\u63d0\u51fa\u4e0d\u540c\u7684\u76ee\u6807\u8bbe\u5b9a\u3002<\/p>\n
\u524d\u9762\u8bf4\u8fc7\uff0ck8s\u9488\u5bf9insecure port(\u2013insecure-bind-address=0.0.0.0 \u2013insecure-port=8080)\u7684\u6d41\u91cf\u6ca1\u6709\u4efb\u4f55\u5b89\u5168\u673a\u5236\u9650\u5236\uff0c\u76f8\u5f53\u4e8ek8s\u201c\u88f8\u5954\u201d\u3002\u4f46\u662f\u8d70k8s apiserver secure port(\u2013bind-address=0.0.0.0 \u2013secure-port=6443)\u7684\u6d41\u91cf\uff0c\u5c06\u4f1a\u9047\u5230\u9a8c\u8bc1\u3001\u6388\u6743\u7b49\u5b89\u5168\u673a\u5236<\/a>\u7684\u9650\u5236\u3002\u5177\u4f53\u4f7f\u7528\u54ea\u4e2a\u7aef\u53e3\u4e0eAPI server\u7684\u4ea4\u4e92\u65b9\u5f0f\uff0c\u8981\u89c6\u60c5\u51b5\u800c\u5b9a\u3002<\/p>\n
\u5728\u5206\u60c5\u51b5\u8bf4\u660e\u4e4b\u524d\uff0c\u5c06api server\u7684insecure port\u7684bind address\u75310.0.0.0\u6539\u4e3alocal address\u662f\u5fc5\u987b\u8981\u505a\u7684\u3002<\/p>\n
1\u3001Cluster -> Master(apiserver)<\/h5>\n
\u4ece\u96c6\u7fa4\u5230Apiserver\u7684\u6d41\u91cf\u4e5f\u53ef\u4ee5\u7ec6\u5206\u4e3a\u51e0\u79cd\u60c5\u51b5\uff1a<\/p>\n
a) kubernetes component on master node -> apiserver<\/h6>\n
\u7531\u4e8emaster node\u4e0a\u7684components\u4e0eapiserver\u8fd0\u884c\u5728\u4e00\u53f0\u673a\u5668\u4e0a\uff0c\u56e0\u6b64\u53ef\u4ee5\u901a\u8fc7local address\u7684insecure-port\u8bbf\u95eeapiserver\uff0c\u65e0\u9700\u8d70insecure port\u3002\u4ece\u73b0\u72b6\u4e2d\u5f53\u524dmaster\u4e0a\u7684component\u7ec4\u4ef6\u7684\u542f\u52a8\u53c2\u6570\u6765\u770b\uff0c\u76ee\u524d\u5df2\u7ecf\u7b26\u5408\u8981\u6c42\uff0c\u4e8e\u662f\u9488\u5bf9\u8fd9\u4e9bcomponents\uff0c\u6211\u4eec\u65e0\u9700\u518d\u505a\u914d\u7f6e\u4e0a\u7684\u8c03\u6574\u3002<\/p>\n
b) kubernetes component on worker node -> apiserver<\/h6>\n
\u76ee\u6807\u662f\u5b9e\u73b0kubernetes components on worker node\u548c\u8fd0\u884c\u4e8emaster\u4e0a\u7684apiserver\u4e4b\u95f4\u7684\u57fa\u4e8ehttps\u7684\u53cc\u5411\u8ba4\u8bc1\u3002kubernetes\u7684\u5404\u4e2a\u7ec4\u4ef6\u5747\u652f\u6301\u5728\u547d\u4ee4\u884c\u53c2\u6570\u4e2d\u4f20\u5165tls\u76f8\u5173\u53c2\u6570\uff0c\u6bd4\u5982ca\u6587\u4ef6\u8def\u5f84\uff0c\u6bd4\u5982client\u7aef\u7684cert\u6587\u4ef6\u548ckey\u7b49\u3002<\/p>\n
c) componet in pod for kubernetes -> apiserver<\/h6>\n
\u50cfkube dns\u548ckube dashboard\u8fd9\u4e9b\u8fd0\u884c\u4e8epod\u4e2d\u7684k8s \u7ec4\u4ef6\u4e5f\u662f\u5728k8s cluster\u8303\u56f4\u5185\u8c03\u5ea6\u7684\uff0c\u5b83\u4eec\u53ef\u80fd\u8fd0\u884c\u5728\u4efb\u4f55\u4e00\u4e2aworker node\u4e0a\u3002\u7406\u60f3\u60c5\u51b5\u4e0b\uff0c\u5b83\u4eec\u4e0emaster\u4e0aapi server\u7684\u901a\u4fe1\u4e5f\u5e94\u8be5\u662f\u57fa\u4e8e\u4e00\u5b9a\u5b89\u5168\u673a\u5236\u7684\u3002\u4e0d\u8fc7\u5728\u672c\u7bc7\u4e2d\uff0c\u6211\u4eec\u6682\u65f6\u4e0d\u52a8\u5b83\u4eec\u7684\u8bbe\u7f6e\uff0c\u4ee5\u514d\u5bf9\u5176\u4ed6\u76ee\u6807\u7684\u5b9e\u73b0\u9020\u6210\u4e00\u5b9a\u969c\u788d\u548c\u66f4\u591a\u7684\u5de5\u4f5c\u91cf\uff0c\u5728\u540e\u7eed\u6587\u7ae0\u4e2d\uff0c\u53ef\u80fd\u4f1a\u4e13\u95e8\u5c06dns\u548cdashboard\u62ff\u51fa\u6765\u505a\u5b89\u5168\u52a0\u56fa\u8bf4\u660e\u3002\u56e0\u6b64\uff0cdns\u548cdashboard\u5728\u8fd9\u91cc\u4ecd\u7136\u4f7f\u7528\u7684\u662finsecure-port\uff1a<\/p>\n
root     10531 10515  0 Nov15 ?        00:03:02 \/dashboard --port=9090 --apiserver-host=http:\/\/10.47.136.60:8080\nroot     2018255 2018240  0 Nov15 ?        00:03:50 \/kube-dns --domain=cluster.local. --dns-port=10053 --kube-master-url=http:\/\/10.47.136.60:8080\n<\/code><\/pre>\n
d) user service in pod -> apiserver<\/h6>\n
\u6211\u4eec\u7684\u96c6\u7fa4\u7ba1\u7406\u7a0b\u5e8f\u4e5f\u662f\u4ee5service\u7684\u5f62\u5f0f\u8fd0\u884c\u5728k8s cluster\u4e2d\u7684\uff0c\u8fd9\u4e9b\u7a0b\u5e8f\u5982\u4f55\u8bbf\u95eeapiserver\u624d\u662f\u6211\u4eec\u5173\u5fc3\u7684\u91cd\u70b9\uff0c\u6211\u4eec\u5e0c\u671b\u7ba1\u7406\u7a0b\u5e8f\u901a\u8fc7secure-port\uff0c\u5728\u4e00\u5b9a\u7684\u5b89\u5168\u673a\u5236\u4e0b\u4e0eapiserver\u4ea4\u4e92\u3002<\/p>\n
2\u3001Master(apiserver) -> Cluster<\/h5>\n
apiserver\u4f5c\u4e3aclient\u7aef\u8bbf\u95eeCluster\uff0c\u5728k8s\u6587\u6863\u4e2d\uff0c\u8fd9\u4e2a\u8bbf\u95ee\u8def\u5f84\u4e3b\u8981\u5305\u542b\u4e24\u79cd\u60c5\u51b5\uff1a<\/p>\n
a) apiserver\u4e0e\u5404\u4e2anode\u4e0akubelet\u4ea4\u4e92\uff0c\u91c7\u96c6Pod\u7684log\uff1b
\nb) apiserver\u901a\u8fc7\u81ea\u8eab\u7684proxy\u529f\u80fd\u8bbf\u95eenode\u3001pod\u4ee5\u53ca\u96c6\u7fa4\u4e2d\u7684\u5404\u79cdservice\u3002<\/p>\n
\u5728\u201c\u6709\u9650\u5b89\u5168\u201d\u7684\u539f\u5219\u4e0b\uff0c\u6211\u4eec\u6682\u4e0d\u8003\u8651\u8fd9\u79cd\u60c5\u51b5\u4e0b\u7684\u5b89\u5168\u673a\u5236\u3002<\/p>\n
\u56db\u3001Kubernetes\u7684\u5b89\u5168\u673a\u5236<\/h4>\n
kube-apiserver\u662f\u6574\u4e2akubernetes\u96c6\u7fa4\u7684\u6838\u5fc3\uff0c\u65e0\u8bba\u662fkubectl\u8fd8\u662f\u901a\u8fc7api\u7ba1\u7406\u96c6\u7fa4\uff0c\u6700\u7ec8\u90fd\u4f1a\u843d\u5230\u4e0ekube-apiserver\u7684\u4ea4\u4e92\uff0capiserver\u662f\u96c6\u7fa4\u7ba1\u7406\u547d\u4ee4\u7684\u5165\u53e3\u3002kube-apiserver\u540c\u65f6\u76d1\u542c\u4e24\u4e2a\u7aef\u53e3\uff1ainsecure-port\u548csecure-port\u3002\u4e4b\u524d\u63d0\u5230\u8fc7\uff1a\u901a\u8fc7insecure-port\u8fdb\u5165apiserver\u7684\u6d41\u91cf\u53ef\u4ee5\u6709\u63a7\u5236\u6574\u4e2a\u96c6\u7fa4\u7684\u5168\u90e8\u6743\u9650\uff1b\u800c\u901a\u8fc7secure-port\u7684\u6d41\u91cf\u5c06\u7ecf\u8fc7k8s\u7684\u5b89\u5168\u673a\u5236\u7684\u91cd\u91cd\u8003\u9a8c\uff0c\u8fd9\u4e5f\u662f\u8fd9\u4e00\u8282\u6211\u4eec\u91cd\u8981\u8981\u8bf4\u660e\u7684\u3002insecure-port\u7684\u5b58\u5728\u4e00\u822c\u662f\u4e3a\u4e86\u96c6\u7fa4bootstrap\u6216\u96c6\u7fa4\u5f00\u53d1\u8c03\u8bd5\u4f7f\u7528\u7684\u3002\u5b98\u65b9\u6587\u6863\u5efa\u8bae\uff1a\u96c6\u7fa4\u5916\u90e8\u6d41\u91cf\u90fd\u5e94\u8be5\u8d70secure port\u3002insecure-port\u53ef\u901a\u8fc7firewall rule\u4f7f\u5916\u90e8\u6d41\u91cfunreachable\u3002<\/p>\n
\u4e0b\u9762\u8fd9\u5e45\u5b98\u65b9\u56fe\u793a\u51c6\u786e\u89e3\u91ca\u4e86\u901a\u8fc7secure port\u7684\u6d41\u91cf\u5c06\u8981\u901a\u8fc7\u7684\u201c\u5b89\u5168\u5173\u5361\u201d\uff1a<\/p>\n
\"img{512x368}\"<\/p>\n
\u6211\u4eec\u53ef\u4ee5\u770b\u5230\u5916\u754c\u5230APIServer\u7684\u8bf7\u6c42\u5148\u540e\u7ecf\u8fc7\u4e86\uff1a<\/p>\n
\u5b89\u5168\u901a\u9053(tls) -> Authentication(\u8eab\u4efd\u9a8c\u8bc1) -> Authorization\uff08\u6388\u6743\uff09-> Admission Control(\u5165\u53e3\u6761\u4ef6\u63a7\u5236)\n<\/code><\/pre>\n