kubectl 远程访问内网中的 kubernetes 集群

Catalogue
  1. 1. 拷贝 config
  2. 2. 修改服务器地址
  3. 3. 重新生成证书
    1. 3.1. 保存kubeadm 配置
    2. 3.2. 增加可信地址
    3. 3.3. 生成新的证书

拷贝 config

将服务器的 /etc/kubernetes/admin.conf 拷贝至本地的 ~/.kube/config

修改服务器地址

1
2
3
4
5
6
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN
server: https://172.17.43.150:6443
name: kubernetes

server 改成你的远程地址

重新生成证书

保存kubeadm 配置

1
kubectl -n kube-system get configmap kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' > kubeadm.yaml

增加可信地址

1
2
3
4
5
6
7
8
apiServer:
extraArgs:
authorization-mode: Node,RBAC
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}

修改为

1
2
3
4
5
6
7
8
9
10
apiServer:
certSANs:
- "<YOUR_IP>"
extraArgs:
authorization-mode: Node,RBAC
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}

生成新的证书

1
2
3
4
5
6
7
8
9
10
11
12
13

# 删除 crt
mv /etc/kubernetes/pki/apiserver.{crt,key} ~


# 生成证书
kubeadm init phase certs apiserver --config kubeadm.yaml

# 重启 api server
docker kill $(docker ps | grep kube-apiserver | grep -v pause | awk '{print $1}')

# 更新配置
kubeadm config migrate --old-config kubeadm.yaml