2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/03 Report
Original article, reprints welcome. When reprinting, please indicate: reproduced from IT Story Association, thank you!
Original link address: "Advanced article" docker kubernetes to build a cluster to add authentication and authorization (part 1) (38)
The most complicated part of kubernetes is authentication and authorization. This time another kubernetes cluster with 3 virtual machines is built from scratch, again through vagrant. For the specific vagrant configuration, please see the source code: https://github.com/limingios/msA-docker (K8s branch).
Environment preparation: virtual machine introduction and installation
The three virtual machines are again created through vagrant, and vagrant installs the corresponding docker on them.
System type   IP address       Node role   CPU   Memory   Hostname
Centos7       192.168.68.101   master      2     4G       server01
Centos7       192.168.68.102   worker      1     2G       server02
Centos7       192.168.68.103   worker      1     2G       server03

On the three machines (mac), enable remote login for the root user

    # set PasswordAuthentication yes
    vi /etc/ssh/sshd_config
    sudo systemctl restart sshd
On the three machines, accept forwarding of all IP packets

    vi /lib/systemd/system/docker.service
    # find ExecStart=xxx and add a line above it with the following content (required for the K8s network):
    ExecStartPost=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
On the three machines, start the service

    systemctl daemon-reload
    service docker restart
System setup (all nodes)
Turn off and disable the firewall (so that connections between all machines can be established through any port)

    systemctl stop firewalld
    systemctl disable firewalld
    # view status
    systemctl status firewalld

    # set system parameters: allow routing to be forwarded without processing bridge data
    # write to configuration file
    cat /etc/kubernetes/ca/kubernetes/token.csv
Update api-server service
    cp ~/kubernetes-starter/target/master-node/kube-apiserver.service /lib/systemd/system/
    systemctl daemon-reload
    service kube-apiserver start
    # check log
    journalctl -f -u kube-apiserver
    cat /lib/systemd/system/kube-apiserver.service
Controller-manager
Controller-manager generally runs on the same machine as api-server, so it can communicate with api-server over the non-secure port, and there is no need to generate a certificate and private key for it.
Controller-manager service
Update controller-manager service
    cd ~/kubernetes-starter/
    cp ~/kubernetes-starter/target/master-node/kube-controller-manager.service /lib/systemd/system/
    systemctl daemon-reload
    service kube-controller-manager start
    # check log
    journalctl -f -u kube-controller-manager
    cat /lib/systemd/system/kube-controller-manager.service
Scheduler
Scheduler usually runs on the same machine as apiserver, so it can communicate with apiserver over the non-secure port, and there is no need to generate a certificate and private key for it.
Scheduler service
View diff
The comparison shows that there is no difference between the two files, so there is no need to modify them.

    cd ~/kubernetes-starter/
    cp ~/kubernetes-starter/target/master-node/kube-scheduler.service /lib/systemd/system/
    systemctl enable kube-scheduler.service
Start the service
    service kube-scheduler start
    # check log
    journalctl -f -u kube-scheduler
    cat /lib/systemd/system/kube-scheduler.service
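The controller-manager and scheduler sections rely on api-server's non-secure port, which serves requests without authentication or authorization. The shell check below is an added example, not part of the original article or of the kubernetes-starter files: it audits a kube-apiserver unit file, and it assumes the unit passes the `--insecure-port`, `--insecure-bind-address`, `--authorization-mode` and `--token-auth-file` options found in Kubernetes releases that still offer that port.

```shell
#!/bin/sh
# Added example, not from the article: audit a kube-apiserver unit file.
# Which of these flags the unit actually passes is an assumption.

# flag_value UNIT FLAG: print the value of --FLAG=... in the unit (last one wins)
flag_value() {
    tr -s ' \\\t' '\n' < "$1" | sed -n "s/^--$2=//p" | tail -n 1
}

# audit_apiserver_unit UNIT: one finding per line, returns 1 on any FAIL
audit_apiserver_unit() {
    unit=$1; rc=0
    port=$(flag_value "$unit" insecure-port)
    bind=$(flag_value "$unit" insecure-bind-address)
    authz=$(flag_value "$unit" authorization-mode)
    tokens=$(flag_value "$unit" token-auth-file)

    # The non-secure port bypasses authentication and authorization, so only
    # same-machine components may reach it. Unset means the 127.0.0.1 default.
    if [ "$port" = 0 ]; then
        echo "OK   insecure port disabled"
    elif [ "${bind:-127.0.0.1}" = 127.0.0.1 ]; then
        echo "OK   insecure port on loopback only"
    else
        echo "FAIL insecure port listens on $bind"; rc=1
    fi

    # An unset authorization mode defaults to AlwaysAllow.
    case ",${authz:-AlwaysAllow}," in
        *,AlwaysAllow,*) echo "FAIL authorization-mode=${authz:-unset} allows everything"; rc=1 ;;
        *) echo "OK   authorization-mode=$authz" ;;
    esac

    # The static token file stores bearer tokens in clear text: owner-only access.
    if [ -n "$tokens" ]; then
        if [ ! -f "$tokens" ]; then
            echo "FAIL token file $tokens missing"; rc=1
        elif [ "$(ls -ld "$tokens" | cut -c5-10)" != "------" ]; then
            echo "FAIL token file $tokens readable by group or others"; rc=1
        else
            echo "OK   token file $tokens is owner-only"
        fi
    fi
    return $rc
}

# Audit the unit file given as the first argument, if any.
if [ -n "${1:-}" ]; then audit_apiserver_unit "$1"; fi
```

Given the unit path from this article (/lib/systemd/system/kube-apiserver.service) as its argument on the master, the script prints one OK or FAIL line per check.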
PS: next time, we start on the authentication and authorization of kubectl, calico, cni, kube-proxy and kube-dns.