
How to configure and use kubeconfig in K8s

2025-02-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article explains how to configure and use kubeconfig in K8s.

1. Overview

The kubeconfig file stores the cluster, user, namespace, and authentication information of the k8s cluster. The kubectl command uses the kubeconfig file to get information about the cluster and then communicates with the API server.

Note: a file used to configure access to a cluster is called a kubeconfig file. In other words, the content of the kubeconfig file is the access configuration for the cluster. The file does not have to be named kubeconfig.

By default, the kubectl command looks for a file called config in the $HOME/.kube directory. You can specify other kubeconfig files through the KUBECONFIG environment variable or the --kubeconfig parameter.

Kubeconfig is mainly composed of the following parts:

Clusters (Cluster)

Users (user)

Context (context)

2. Kubeconfig supports multi-cluster, multi-user and multi-authentication.

The following scenarios occur in actual use:

Kubelet uses certificate authentication (kubelet and api server for authentication)

Users use token for authentication

Administrators provide different certificates for different users

You can use kubeconfig to organize information about clusters, users, and namespaces. Similarly, you can use context to switch between clusters and namespaces.

3. The definition of Context

In kubeconfig, the parameters used to access a cluster are grouped into a context. Referring to a context by name means using that group of parameters. A context is an alias for a group of information. For example, in a map application such as Gaode, "home address" and "company address" are aliases that quickly locate the specific address information.

Each context has three parameters:

Cluster (Cluster)

Namespace (Namespace)

User (user)

By default, the kubectl command takes its parameters from the current context and communicates with the cluster.

4. View the configuration of kubeconfig

If the KUBECONFIG environment variable is set, the configuration you see is a merged configuration.

    [root@nccztsjb-node-11 ~]# kubectl config view
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: DATA+OMITTED
        server: https://k8s.apiserver.io:6443
      name: cluster.local
    contexts:
    - context:
        cluster: cluster.local
        user: kubernetes-admin-cluster.local
      name: kubernetes-admin-cluster.local@cluster.local
    current-context: kubernetes-admin-cluster.local@cluster.local
    kind: Config
    preferences: {}
    users:
    - name: kubernetes-admin-cluster.local
      user:
        client-certificate-data: REDACTED
        client-key-data: REDACTED
    [root@nccztsjb-node-11 ~]#

The configuration obtained through kubectl config view may come from a single kubeconfig file, or it may be the result of a merge of multiple kubeconfig files.

5. Set kubeconfig

5.1 Set up the cluster

(1) The cluster has a CA certificate, and the certificate data is embedded into the configuration file

    kubectl config --kubeconfig=config-demo set-cluster development --server=https://1.2.3.4 --embed-certs --certificate-authority=ca.crt

When you specify the --kubeconfig parameter, all configuration is written to the corresponding file. If you do not specify the --kubeconfig parameter, the configuration is written to the file ~/.kube/config.

--certificate-authority is followed by the path to the CA certificate; make sure the file exists.

View the contents of the config-demo file

    [root@nccztsjb-node-11 config-exercise]# cat config-demo
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: <certificate data omitted>
        server: https://1.2.3.4
      name: development
    contexts: null
    current-context: ""
    kind: Config
    preferences: {}
    users: null
    [root@nccztsjb-node-11 config-exercise]#

The cluster has been set up.

(2) The cluster does not have a certificate

    kubectl config --kubeconfig=config-demo set-cluster development --server=https://1.2.3.4

View the contents of the configuration file

    [root@nccztsjb-node-11 config-exercise]# kubectl config --kubeconfig=config-demo set-cluster development --server=https://1.2.3.4
    Cluster "development" set.
    [root@nccztsjb-node-11 config-exercise]# cat config-demo
    apiVersion: v1
    clusters:
    - cluster:
        server: https://1.2.3.4
      name: development
    contexts: null
    current-context: ""
    kind: Config
    preferences: {}
    users: null
    [root@nccztsjb-node-11 config-exercise]#

(3) The cluster has a certificate, but the certificate is not verified

    kubectl config --kubeconfig=config-demo set-cluster scratch --server=https://5.6.7.8 --insecure-skip-tls-verify

View the contents of the configuration file

    [root@nccztsjb-node-11 config-exercise]# cat config-demo
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: <certificate data omitted>
        server: https://1.2.3.4
      name: development
    - cluster:
        insecure-skip-tls-verify: true
        server: https://5.6.7.8
      name: scratch
    contexts: null
    current-context: ""
    kind: Config
    preferences: {}
    users: null
    [root@nccztsjb-node-11 config-exercise]#

(4) Delete a cluster

    kubectl config --kubeconfig=config-demo unset clusters.development

5.2 Set up users

(1) Set up a user with a client certificate and client key, and embed the certificate data into the configuration file

    kubectl config --kubeconfig=config-demo set-credentials developer --client-certificate=fake-cert-file --client-key=fake-key-seefile --embed-certs=true

Note: the client certificate and key must exist.

(2) Set up a user with a username and password

    kubectl config --kubeconfig=config-demo set-credentials experimenter --username=exp --password=some-password

(3) Delete a user

    kubectl config --kubeconfig=config-demo unset users.experimenter

experimenter is the name that was given after set-credentials.

5.3 Add context information

    kubectl config --kubeconfig=config-demo set-context dev-frontend --cluster=development --namespace=frontend --user=developer

A context groups a cluster, a namespace, and a user. That is, the context dev-frontend accesses the frontend namespace of the development cluster with the credentials of the developer user.

    kubectl config --kubeconfig=config-demo set-context dev-storage --cluster=development --namespace=storage --user=developer

The context dev-storage accesses the storage namespace.

View the kubeconfig file formed by all the above configurations

    [root@nccztsjb-node-11 config-exercise]# cat config-demo
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority: fake-ca-file
        server: https://1.2.3.4
      name: development
    - cluster:
        insecure-skip-tls-verify: true
        server: https://5.6.7.8
      name: scratch
    contexts:
    - context:
        cluster: development
        namespace: frontend
        user: developer
      name: dev-frontend
    - context:
        cluster: development
        namespace: storage
        user: developer
      name: dev-storage
    - context:
        cluster: scratch
        namespace: default
        user: experimenter
      name: exp-scratch
    current-context: ""
    kind: Config
    preferences: {}
    users:
    - name: developer
      user:
        client-certificate: fake-cert-file
        client-key: fake-key-seefile
    - name: experimenter
      user:
        password: some-password
        username: exp

5.4 Set the current context

    kubectl config --kubeconfig=config-demo use-context dev-frontend

View the current context

    kubectl config --kubeconfig=config-demo current-context

5.5 View only the configuration information related to the current context

    kubectl config --kubeconfig=config-demo view --minify

    [root@nccztsjb-node-11 config-exercise]# kubectl config --kubeconfig=config-demo view --minify
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority: fake-ca-file
        server: https://1.2.3.4
      name: development
    contexts:
    - context:
        cluster: development
        namespace: frontend
        user: developer
      name: dev-frontend
    current-context: dev-frontend
    kind: Config
    preferences: {}
    users:
    - name: developer
      user:
        client-certificate: fake-cert-file
        client-key: fake-key-seefile

Then the other information in kubeconfig will not be displayed.
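Added example, not from the original article and not kubectl's own code: it resolves a context to its cluster, namespace, and user the way view --minify narrows the output, then flags the section 5 settings a reviewer would question, such as insecure-skip-tls-verify: true (the API server certificate is not checked, so the connection can be intercepted) and a password kept in the file. The JSON sample is constructed from the config-demo file above; resolve and audit are hypothetical helper names.

```python
import json

# Constructed sample: section 5's config-demo, in the JSON form of `kubectl config view --raw -o json`.
SAMPLE = json.loads("""
{"clusters": [
   {"name": "development", "cluster": {"server": "https://1.2.3.4", "certificate-authority": "fake-ca-file"}},
   {"name": "scratch", "cluster": {"server": "https://5.6.7.8", "insecure-skip-tls-verify": true}}],
 "users": [
   {"name": "developer", "user": {"client-certificate": "fake-cert-file", "client-key": "fake-key-seefile"}},
   {"name": "experimenter", "user": {"username": "exp", "password": "some-password"}}],
 "contexts": [
   {"name": "dev-frontend", "context": {"cluster": "development", "namespace": "frontend", "user": "developer"}},
   {"name": "dev-storage", "context": {"cluster": "development", "namespace": "storage", "user": "developer"}},
   {"name": "exp-scratch", "context": {"cluster": "scratch", "namespace": "default", "user": "experimenter"}}],
 "current-context": "dev-frontend"}
""")

def _index(cfg, section, key):
    # Named entries are a list of {"name": ..., key: {...}}; a null section means "no entries".
    return {e["name"]: e.get(key) or {} for e in (cfg.get(section) or [])}

def resolve(cfg, context_name=None):
    """Return what a context points at; defaults to current-context, like `view --minify`."""
    name = context_name or cfg.get("current-context", "")
    ctx = _index(cfg, "contexts", "context").get(name)
    if ctx is None:
        raise KeyError(f"context {name!r} is not defined")
    cluster = _index(cfg, "clusters", "cluster").get(ctx.get("cluster"))
    user = _index(cfg, "users", "user").get(ctx.get("user"))
    return {"context": name, "namespace": ctx.get("namespace", "default"),
            "cluster": cluster, "user": user}

def audit(cfg):
    """Return (context, finding) pairs for settings that weaken or break access."""
    findings = []
    for name in _index(cfg, "contexts", "context"):
        r = resolve(cfg, name)
        if r["cluster"] is None or r["user"] is None:
            findings.append((name, "dangling cluster or user reference"))
            continue
        if r["cluster"].get("insecure-skip-tls-verify"):
            findings.append((name, "API server certificate is not verified"))
        if not str(r["cluster"].get("server", "")).startswith("https://"):
            findings.append((name, "server URL is not https"))
        if "password" in r["user"] or "token" in r["user"]:
            findings.append((name, "password or token stored in the file"))
        if "client-key-data" in r["user"]:
            findings.append((name, "private key embedded in the file"))
    return findings
```

Running audit on a file after kubectl config unset clusters.development reports dev-frontend and dev-storage as dangling, because unset removes the cluster entry but leaves the contexts that refer to it.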

Check all the contexts in the configuration

    [root@nccztsjb-node-11 config-exercise]# kubectl config --kubeconfig=config-demo get-contexts
    CURRENT   NAME           CLUSTER       AUTHINFO       NAMESPACE
    *         dev-frontend   development   developer      frontend
              dev-storage    development   developer      storage
              exp-scratch    scratch       experimenter   default

Thank you for reading. This concludes "how to configure kubeconfig in K8s". The specific usage still needs to be verified in practice.
