Contents
  1. Kubelet Configuration
  2. kubelet Authentication

Kubelet Configuration

The kubelet is the component installed on every k8s node that is responsible for starting and destroying containers. I have always passed its startup parameters as command-line flags through systemctl, but according to the documentation and the kubelet's own help output, many of those flags are now marked DEPRECATED.

For example, --fail-swap-on:
Makes the Kubelet fail to start if swap is enabled on the node. (default true) (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)

These flags are no longer meant to be passed on the command line; instead, the Kubelet Configuration file was introduced (see the official documentation).
Here is an example:

```yaml
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
port: 10250
# The read-only port serves node and pod information without any
# authentication; set it to 0 to disable it if nothing needs it.
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
  - 192.168.0.2
clusterDomain: k8s.local
failSwapOn: true
authentication:
  anonymous:
    enabled: false
  x509:
    clientCAFile: /etc/kubernetes/pki/kubelet-ca.pem
staticPodPath: /etc/kubernetes/staticPods
# v1beta1 field names for the image GC thresholds (the original wrote
# imageGcHighThreshold / imageGcLowThreshold, which the kubelet ignores)
imageGCHighThresholdPercent: 70
imageGCLowThresholdPercent: 50
featureGates:
  RotateKubeletClientCertificate: true
  RotateKubeletServerCertificate: true
rotateCertificates: true
```

Pass this kubelet config file with the --config flag; the original command-line arguments then become:

```shell
KUBELET_ARGS="--bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \
--kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
--cert-dir=/etc/kubernetes/pki \
--network-plugin=cni \
--node-labels=node.kubernetes.io/role=k8s-node \
--pod-infra-container-image=ccr.ccs.tencentyun.com/google_container/pause-amd64:3.1 \
--config=/etc/kubernetes/kubeletConfig \
--logtostderr=false --log-dir=/var/log/kubernetes --v=2"
```

The difference is considerable: the command line is much cleaner. In addition, the KubeletConfiguration can be stored as a ConfigMap so it can be reused across nodes.

kubelet Authentication

After switching the kubelet to the config file as above, one big change is authentication.anonymous: this setting defaults to true, i.e. anonymous access is allowed. With the old command-line flags this caused no problems, but now running kubectl logs or kubectl exec on the k8s master produces an error:

```text
Error from server (Forbidden): Forbidden (user=system:anonymous, verb=get, resource=nodes,subresource=proxy)
```

This is clearly an anonymous-permission problem. Some solutions found online simply grant RBAC permissions to system:anonymous, but doing that in a production environment is a real risk. The proper fix is to disable anonymous authentication and set up x509 client certificate authentication.
I won't cover how to create the certificates here. The key to configuring x509 is: configure the CA certificate on the kubelet, configure the client certificate on the apiserver, and then grant RBAC permissions to the user named in that certificate (see the official documentation).
kubelet configuration:

```yaml
authentication:
  anonymous:
    enabled: false
  x509:
    clientCAFile: /etc/kubernetes/pki/kubelet-ca.pem
```

apiserver configuration:

```shell
--kubelet-client-certificate=/etc/kubernetes/pki/kubelet-client.pem
--kubelet-client-key=/etc/kubernetes/pki/kubelet-client-key.pem
```

The certificate's user (its CN) is kubeletadmin; the RBAC grant is:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubelet-admin
rules:
  - apiGroups: [""]
    resources: ["nodes/proxy", "nodes/stats", "nodes/log", "nodes/spec", "nodes/metrics"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubelet-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubelet-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: kubeletadmin
```

That completes kubelet authentication. Authorization is a separate setting; it defaults to AlwaysAllow and I am leaving it unchanged here.
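To see why the Forbidden message above appears and why the ClusterRole fixes it, here is an added example (not code from the post) that replays the kubelet's request authorization: when the kubelet's authorization mode is Webhook, it maps each HTTP request to node/subresource attributes and asks the apiserver, which evaluates RBAC rules such as the kubelet-admin ClusterRole. The path and verb mapping follows the Kubernetes kubelet authn/authz documentation; the rules and the user names are the ones from the post, embedded as dicts instead of parsing the YAML.

```python
"""Replay the kubelet's request authorization for the setup in this post.
Added example, not the post's own code: path/verb mapping per the Kubernetes
kubelet authn/authz docs; ClusterRole rules and user names from the post."""

# Kubelet path prefixes that map to a named node subresource; any other path
# (exec, attach, containerLogs, run, ...) is authorized as nodes/proxy.
SUBRESOURCE_BY_PREFIX = {"/stats": "stats", "/metrics": "metrics",
                         "/logs": "log", "/spec": "spec"}
VERB_BY_METHOD = {"POST": "create", "GET": "get", "PUT": "update",
                  "PATCH": "patch", "DELETE": "delete"}
# The kubelet-admin ClusterRole from the post, bound to user kubeletadmin
# (constructed as plain dicts instead of parsing the YAML).
RULES_BY_USER = {"kubeletadmin": [{
    "apiGroups": [""],
    "resources": ["nodes/proxy", "nodes/stats", "nodes/log",
                  "nodes/spec", "nodes/metrics"],
    "verbs": ["*"],
}]}

def request_attributes(method: str, path: str) -> dict:
    """Return the verb/resource/subresource the kubelet authorizes."""
    sub = "proxy"
    for prefix, name in SUBRESOURCE_BY_PREFIX.items():
        if path == prefix or path.startswith(prefix + "/"):
            sub = name
            break
    return {"verb": VERB_BY_METHOD.get(method.upper(), method.lower()),
            "resource": "nodes", "subresource": sub}

def resource_matches(allowed: str, resource: str, subresource: str) -> bool:
    """RBAC resource matching: a bare 'nodes' does not grant nodes/proxy."""
    if allowed == "*":
        return True
    if "/" not in allowed:
        return not subresource and allowed == resource
    res, sub = allowed.split("/", 1)
    return res in ("*", resource) and sub in ("*", subresource)

def authorize(user: str, method: str, path: str) -> str:
    """Webhook-style decision: 'allowed' or the kubelet's Forbidden message."""
    a = request_attributes(method, path)
    for rule in RULES_BY_USER.get(user, []):
        if (any(g in ("", "*") for g in rule["apiGroups"])
                and any(v in ("*", a["verb"]) for v in rule["verbs"])
                and any(resource_matches(r, a["resource"], a["subresource"])
                        for r in rule["resources"])):
            return "allowed"
    return (f"Forbidden (user={user}, verb={a['verb']}, "
            f"resource={a['resource']}, subresource={a['subresource']})")
```

Calling authorize("system:anonymous", "GET", "/containerLogs/default/web/app") reproduces the exact Forbidden line from the post, while the same request authenticated as kubeletadmin (the CN of the apiserver's client certificate) returns "allowed".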
