How to access Kubernetes cluster remotely through API server gracefully

During research and development it is often necessary to connect directly to a remote Kubernetes cluster. The usual approach is to copy /etc/kubernetes/admin.conf from the cluster to the local ~/.kube/config.

But the server address in that kubeconfig is kubernetes.default.svc, so a hosts entry has to be configured as well:

1.1.1.1 kubernetes.default.svc

If you need to switch between different clusters, you not only have to swap kubeconfig files but also edit hosts every time. The following describes a method that adds the remote access address directly to the cluster certificate, which removes the hosts step and makes it easier to tell the clusters apart.

1 Check which addresses are included in the apiserver certificate

  1. Enter the certificate directory
$ cd /etc/kubernetes/pki
  2. View the certificate
$ openssl x509 -in apiserver.crt -noout -text | grep -A 2 'Alternative'

X509v3 Subject Alternative Name:
                DNS:1-1-1-1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:lb-apiserver.kubernetes.local, DNS:localhost, IP Address:1.1.1.1

Here, only 1.1.1.1 can be used to reach the cluster's apiserver directly. To use one of the DNS names instead (kubernetes, kubernetes.default, kubernetes.default.svc), hosts has to be configured to point it at 1.1.1.1.

2 Add a new domain name or IP address to the certificate

  1. Back up the certificate
$ cd /etc/kubernetes/pki
$ mv apiserver.crt apiserver.crt.bak
$ mv apiserver.key apiserver.key.bak
  2. Modify /etc/kubernetes/kubeadm-config.yaml

Under the apiServer field of ClusterConfiguration, find certSANs.

apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
...
  certSANs:
    - kubernetes
    - kubernetes.default
    - kubernetes.default.svc
    - kubernetes.default.svc.cluster.local
    - 10.233.0.1

Add a domain name or IP address for remote access to certSANs:

  certSANs:
    - remote.doamin.com
    - 1.2.3.4
    - kubernetes
    - kubernetes.default
    - kubernetes.default.svc
    - kubernetes.default.svc.cluster.local
    - 10.233.0.1

If there is no kubeadm-config.yaml in the /etc/kubernetes/ directory, don't worry. You can generate a configuration file from the current cluster in either of the following ways:

$ kubectl get cm kubeadm-config -n kube-system -o yaml > /etc/kubernetes/kubeadm-config.yaml
or
$ kubeadm config view | tee /etc/kubernetes/kubeadm-config.yaml

Of course, your cluster's configuration file may have no certSANs section at all. In that case add it at the following location:

apiServer:
  certSANs:
    - remote.doamin.com
    - 1.2.3.4
    - kubernetes
    - kubernetes.default
    - kubernetes.default.svc
    - kubernetes.default.svc.cluster.local
    - 10.233.0.1
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
....
  3. Regenerate the certificate
$ kubeadm init phase certs apiserver --config /etc/kubernetes/kubeadm-config.yaml
  4. View the certificate again

Check whether the output includes the public IP added above. If it does, the operation succeeded.

$ openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep 1.2.3.4
                IP Address:192.168.0.8, IP Address: 1.2.3.4
  5. Restart kube-apiserver
  • If it is a highly available cluster

Kill the kube-apiserver process on the current node and wait for kubelet to bring kube-apiserver back up. Steps 1 to 4 have to be repeated on each of the three control-plane nodes, updating them one at a time.

  • If it is a non highly available cluster

Killing kube-apiserver may interrupt service, so do this at an off-peak time.

Go to the /etc/kubernetes/manifests directory, move the kube-apiserver.yaml file somewhere else, and then move it back:

$ mv /etc/kubernetes/manifests/kube-apiserver.yaml /root/
$ mv /root/kube-apiserver.yaml /etc/kubernetes/manifests
  6. Modify the server address in kubeconfig

Finally, you only need to change the server address in the kubeconfig file to 1.2.3.4.

apiVersion: v1
clusters:
- cluster:
...
    server: https://1.2.3.4:6443
...

After saving, you can directly access the Kubernetes cluster through the public IP.

$ kubectl get node
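Before restarting the apiserver (step 4) and pointing kubeconfig at the new address (step 6), it is worth checking that the regenerated certificate really covers that address and still carries the in-cluster names, since otherwise kubectl fails TLS verification and the usual reflex is to disable it with insecure-skip-tls-verify. The following is an added example, not code from the original post; it parses the openssl text dump shown above (a constructed sample is embedded) and checks the kubeconfig server host against the SANs the way a TLS client would.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample of `openssl x509 -in apiserver.crt -noout -text` output
# after certSANs was extended with remote.doamin.com and 1.2.3.4.
SAMPLE_X509_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:remote.doamin.com, IP Address:10.233.0.1, IP Address:1.2.3.4
            X509v3 Key Usage: critical
"""

# Names that in-cluster clients rely on; a certSANs edit must not drop them.
IN_CLUSTER_NAMES = ("kubernetes", "kubernetes.default",
                    "kubernetes.default.svc", "kubernetes.default.svc.cluster.local")


def parse_sans(x509_text):
    """Return (set of DNS names, set of IP addresses) from openssl's text dump."""
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", x509_text)
    if not m:
        return set(), set()
    dns, ips = set(), set()
    for entry in m.group(1).split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.add(value.strip().lower())
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value.strip()))
    return dns, ips


def _dns_matches(host, pattern):
    # Exact match, or a single-label wildcard such as *.example.com.
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def server_matches_cert(server_url, x509_text):
    """True if the kubeconfig `server:` host is covered by the certificate SANs."""
    host = urlparse(server_url).hostname
    if host is None:
        return False
    dns, ips = parse_sans(x509_text)
    try:
        return ipaddress.ip_address(host) in ips   # IP literals match IP SANs only
    except ValueError:
        return any(_dns_matches(host.lower(), p) for p in dns)


def missing_in_cluster_sans(x509_text, required=IN_CLUSTER_NAMES):
    """List the in-cluster names that are absent from the certificate."""
    dns, _ = parse_sans(x509_text)
    return [name for name in required if name not in dns]
```

Run the two checks against the real dump (`openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text`) and the `server:` value from your kubeconfig; an empty list from missing_in_cluster_sans and True from server_matches_cert means the restart and the kubeconfig change are safe.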


Added by djbuddhi on Fri, 04 Mar 2022 05:43:09 +0200