During research and development, it is often necessary to connect directly to a remote Kubernetes cluster. The usual approach is to copy /etc/kubernetes/admin.conf into the local kubeconfig under ~/.kube/.
However, the server address in that kubeconfig is kubernetes.default.svc, so a hosts entry is needed:
1.1.1.1 kubernetes.default.svc
If you need to switch between different clusters, you have to change not only the kubeconfig but also the hosts file. The following describes a method that adds the remote access address directly to the cluster certificate, which removes the step of modifying hosts and makes it easier to tell different clusters apart.
1 Check which addresses are included in the apiserver certificate
- Enter the certificate directory
$ cd /etc/kubernetes/pki
- View the certificate
$ openssl x509 -in apiserver.crt -noout -text|grep -A 2 'Alternative'
X509v3 Subject Alternative Name:
DNS:1-1-1-1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:lb-apiserver.kubernetes.local, DNS:localhost, IP Address:1.1.1.1
Of these, only the IP address 1.1.1.1 can be used directly to access the cluster's apiserver. If you need to use a domain name such as kubernetes, kubernetes.default or kubernetes.default.svc, you need to configure hosts to point it to 1.1.1.1.
2 Add a new domain name or IP address to the certificate
- Back up the certificate
$ cd /etc/kubernetes/pki
$ mv apiserver.crt apiserver.crt.bak
$ mv apiserver.key apiserver.key.bak
- Modify /etc/kubernetes/kubeadm-config.yaml
Under the apiServer field of ClusterConfiguration, find certSANs.
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
...
  certSANs:
  - kubernetes
  - kubernetes.default
  - kubernetes.default.svc
  - kubernetes.default.svc.cluster.local
  - 10.233.0.1
Add a domain name or IP address for remote access to certSANs:
  certSANs:
  - remote.doamin.com
  - 1.2.3.4
  - kubernetes
  - kubernetes.default
  - kubernetes.default.svc
  - kubernetes.default.svc.cluster.local
  - 10.233.0.1
If you cannot find a kubeadm-config.yaml file in the /etc/kubernetes/ directory, don't worry. You can generate a configuration file for the current cluster in one of the following ways:
$ kubectl get cm kubeadm-config -n kube-system -o yaml > /etc/kubernetes/kubeadm-config.yaml
or
$ kubeadm config view | tee /etc/kubernetes/kubeadm-config.yaml
Of course, there may be no certSANs configuration section in the configuration file of your cluster. You can directly add it to the following location:
apiServer:
  certSANs:
  - remote.doamin.com
  - 1.2.3.4
  - kubernetes
  - kubernetes.default
  - kubernetes.default.svc
  - kubernetes.default.svc.cluster.local
  - 10.233.0.1
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
....
- Regenerate certificate
$ kubeadm init phase certs apiserver --config /etc/kubernetes/kubeadm-config.yaml
- View the certificate again
Check whether the output includes the public IP added earlier. If it does, the operation succeeded.
$ openssl x509 -in pki/apiserver.crt -noout -text | grep 1.2.3.4
IP Address:192.168.0.8, IP Address: 1.2.3.4
- Restart kube-apiserver
- If it is a highly available cluster
Directly kill the kube-apiserver process on the current node and wait for kubelet to bring kube-apiserver back up. You need to perform steps 1 to 4 on the three nodes, updating them one by one.
- If it is a non-highly-available cluster
Killing kube-apiserver may lead to a service interruption, so this should be done during off-peak hours.
Enter the /etc/kubernetes/manifests directory, move the kube-apiserver.yaml file to another location, and then move it back.
$ mv /etc/kubernetes/manifests/kube-apiserver.yaml /root/
$ mv /root/kube-apiserver.yaml /etc/kubernetes/manifests
- Modify the server IP in kubeconfig
Finally, you only need to change the server address in the kubeconfig file to 1.2.3.4.
apiVersion: v1
clusters:
- cluster:
    ...
    server: https://1.2.3.4:6443
...
After saving, you can directly access the Kubernetes cluster through the public IP.
$ kubectl get node
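The "View the certificate again" check can be made exact, as in the following added example (not part of the original article): grep 1.2.3.4 also matches an entry such as 1.2.3.40, and an IP address in the kubeconfig server field is only accepted when the certificate lists it as an IP Address entry, not as a DNS name. The function names and the sample SAN text are constructed for illustration; the sketch assumes IPv4 addresses and plain DNS names, with no wildcard entries.

```shell
#!/bin/sh
# Added example: exact SAN check for the server address used in kubeconfig.
# Function names are hypothetical; the sample below is constructed.

# list_sans: read the SAN text printed by "openssl x509 -noout -text" on stdin
# and print one normalized entry per line, e.g. "dns:kubernetes" or "ip:1.1.1.1".
list_sans() {
    tr ',' '\n' |
    sed -n \
        -e 's/^[[:space:]]*DNS:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/dns:\1/p' \
        -e 's/^[[:space:]]*IP Address:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/ip:\1/p' |
    tr 'A-Z' 'a-z'
}

# server_host: strip scheme, port and path from a kubeconfig "server:" URL.
server_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[:/].*$##' | tr 'A-Z' 'a-z'
}

# san_covers SAN_TEXT HOST: succeed only if HOST is a complete SAN entry of the
# matching type (an IP needs an "IP Address" entry, a name needs a "DNS" entry).
san_covers() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $host in
        *[!0-9.]*) want="dns:$host" ;;  # anything besides digits and dots: DNS name
        *)         want="ip:$host"  ;;  # digits and dots only: IPv4 literal
    esac
    printf '%s\n' "$1" | list_sans | grep -Fxq -- "$want"
}

# check_server SAN_TEXT URL: does the certificate cover the kubeconfig server URL?
check_server() {
    san_covers "$1" "$(server_host "$2")"
}

# Constructed sample in openssl's layout; note 1.2.3.40, not 1.2.3.4.
SAMPLE_SANS='X509v3 Subject Alternative Name:
    DNS:kubernetes, DNS:kubernetes.default.svc, DNS:1-1-1-1, IP Address:1.1.1.1, IP Address:1.2.3.40'

for url in https://1.1.1.1:6443 https://1.2.3.4:6443 https://kubernetes.default.svc:6443; do
    if check_server "$SAMPLE_SANS" "$url"; then
        echo "covered:     $url"
    else
        echo "NOT covered: $url"
    fi
done
```

On a control-plane node, pass the output of the openssl command from step 1 as the first argument in place of SAMPLE_SANS.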