| Parameter group | Parameter | Description | Options |
|---|---|---|---|
| Basic information | Cluster name | Enter the name of the self-built cluster, up to 64 characters | - |
| | Cluster environment | Select the type of the self-built cluster | Kubernetes, OpenShift |
| | Cluster version | Select the cluster version of the chosen cluster environment | K8s clusters: version 1.13 and above are supported |
| Network settings | Network type | Select whether the self-built cluster is accessed over the public network or over a VPC | Public network, VPC |
| | Region | Select the region where the self-built cluster is located; the public network type has no region restriction | - |
| | VPC ID | When the network type is VPC, select the VPC of the network the cluster is in | - |
| | API Server address | When the network type is VPC, select the backend service type of the cluster API Server | Server, Load balancer |
| Cluster check component | Install check component | Choose whether the cluster check component is installed automatically or manually | Install the check component automatically and run one cluster check; Do not install the check component, install it yourself after access and deliver the cluster installation |
| | Automatic check | Whether to enable automatic cluster checks | Enabled, Disabled |
```yaml
# 1. Create the namespace: tcss
# 2. Create the admin role in namespace tcss: tcss-admin
# 3. Bind role tcss-admin to user tcss
# 4. Create the secret and bind it to the service account: tcss-agent-secret, tcss-agent
# 5. Create the read-only cluster role: security-clusterrole
# 6. Bind cluster role security-clusterrole to service account tcss-agent
---
apiVersion: v1
kind: Namespace
metadata:
  name: tcss
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: tcss
  name: tcss-admin
rules:
- apiGroups: ["extensions", "apps", ""]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tcss-admin-rb
  namespace: tcss
subjects:
- kind: User
  name: tcss
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: tcss-admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
metadata:
  name: tcss-agent-secret
  namespace: tcss
  annotations:
    kubernetes.io/service-account.name: tcss-agent
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tcss-agent
  namespace: tcss
secrets:
- name: tcss-agent-secret
  namespace: tcss
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: security-clusterrole
rules:
- apiGroups: ["", "v1"]
  resources: ["namespaces", "pods", "nodes"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["replicasets", "daemonsets", "deployments", "statefulsets"]
  verbs: ["get", "list"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles", "clusterrolebindings"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: security-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: security-clusterrole
subjects:
- kind: ServiceAccount
  name: tcss-agent
  namespace: tcss
- kind: User
  name: tcss
  apiGroup: rbac.authorization.k8s.io
```
```bash
# Create the user private key tcss.key
openssl genrsa -out tcss.key 2048
# Create the certificate signing request tcss.csr (CN becomes the Kubernetes user name, O the group)
openssl req -new -key tcss.key -out tcss.csr -subj "/O=K8s/CN=tcss"
# Sign the request with the cluster CA and generate tcss.crt
openssl x509 -req -in tcss.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tcss.crt -days 365
```
```bash
# Kubernetes: create and configure the cluster entry; the API Server address must be reachable from the public network
kubectl config set-cluster tcss --server=https://xx.xx.xx.xx:60002 --certificate-authority=/etc/kubernetes/ca.crt --embed-certs=true --kubeconfig=/root/tcss.conf
# Create and configure the user entry
kubectl config set-credentials tcss --client-certificate=tcss.crt --client-key=tcss.key --embed-certs=true --kubeconfig=/root/tcss.conf
# Configure the context
kubectl config set-context tcss@tcss --cluster=tcss --user=tcss --kubeconfig=/root/tcss.conf
# Switch to the context
kubectl config use-context tcss@tcss --kubeconfig=/root/tcss.conf
```
```bash
KUBECONFIG=/root/tcss.conf kubectl -n tcss get pod
```
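Before handing the kubeconfig to the agent it is worth confirming that the certificate produced by the three openssl commands above really maps to the RBAC subject the manifest binds: the API server takes the user name from the certificate CN and only accepts certificates signed by its client CA, and `-days 365` means the credential silently stops working after a year. The following shell example is added here and is not part of the Tencent Cloud documentation; it builds a throwaway CA in a temp directory (an assumption standing in for /etc/kubernetes/ca.crt and ca.key) so it runs offline, then checks chain of trust, CN and remaining validity.

```shell
#!/bin/bash
# Added example: validate a client cert generated as in the docs against the
# RBAC subject `kind: User, name: tcss`. Paths and the throwaway CA are assumptions.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed throwaway CA in place of the cluster's /etc/kubernetes/ca.crt and ca.key
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 3650 \
  -subj "/CN=kubernetes-ca" >/dev/null 2>&1

# Same three steps as the documented procedure
openssl genrsa -out tcss.key 2048 >/dev/null 2>&1
openssl req -new -key tcss.key -out tcss.csr -subj "/O=K8s/CN=tcss"
openssl x509 -req -in tcss.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out tcss.crt -days 365 >/dev/null 2>&1

# cert_cn CERT: print the CN of a PEM certificate (the Kubernetes user name)
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_client_cert CERT CA EXPECTED_CN MIN_DAYS
# Returns 0 when CERT chains to CA, its CN equals EXPECTED_CN and it stays valid
# for at least MIN_DAYS more days; prints the reason and returns 1 otherwise.
check_client_cert() {
  local cert=$1 ca=$2 expected_cn=$3 min_days=$4
  # 1. chain of trust: the apiserver only authenticates certs signed by its client CA
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert is not signed by $ca"; return 1; }
  # 2. the CN must equal the User named in the RoleBinding / ClusterRoleBinding
  local cn
  cn=$(cert_cn "$cert")
  [ "$cn" = "$expected_cn" ] || { echo "CN is '$cn', expected '$expected_cn'"; return 1; }
  # 3. warn before the 365-day certificate expires and the agent loses access
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "$cert expires within $min_days days"; return 1; }
  return 0
}

check_client_cert tcss.crt ca.crt tcss 30 && echo "tcss.crt is usable for user tcss"
```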
```bash
#!/bin/bash
set -e;
# API_SERVER must be set to an address and port reachable from the public network
# API_SERVER=https://xx.xx.xx.xx:xxxx
# Adjust the following paths to the actual layout of the cluster
KUBECONFIG_TARGET=/root/tcss.conf
CA_FILE=/etc/kubernetes/ca.crt
CAKEY_FILE=/etc/kubernetes/ca.key
TCSS_TMPDIR=/tmp/tcss
# On OpenShift this can be changed to oc
KUBECTL_CMD=kubectl

if [ -z "$API_SERVER" ]; then
  echo "API_SERVER is not set.";
  exit 1;
fi
if ! which "$KUBECTL_CMD" ; then
  echo "$KUBECTL_CMD does not exist.";
  exit 1;
fi
if [ ! -f "$CA_FILE" ]; then
  echo "$CA_FILE does not exist.";
  exit 1;
fi
if [ ! -f "$CAKEY_FILE" ]; then
  echo "$CAKEY_FILE does not exist.";
  exit 1;
fi
if [ ! -d "$TCSS_TMPDIR" ]; then
  mkdir -p "$TCSS_TMPDIR";
fi

# Write the RBAC manifest: namespace, admin role, service account, read-only cluster role
cat <<EOF > "$TCSS_TMPDIR/tcss_res.yaml"
---
apiVersion: v1
kind: Namespace
metadata:
  name: tcss
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: tcss
  name: tcss-admin
rules:
- apiGroups: ["extensions", "apps", ""]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tcss-admin-rb
  namespace: tcss
subjects:
- kind: User
  name: tcss
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: tcss-admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
metadata:
  name: tcss-agent-secret
  namespace: tcss
  annotations:
    kubernetes.io/service-account.name: tcss-agent
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tcss-agent
  namespace: tcss
secrets:
- name: tcss-agent-secret
  namespace: tcss
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: security-clusterrole
rules:
- apiGroups: ["", "v1"]
  resources: ["namespaces", "pods", "nodes"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["replicasets", "daemonsets", "deployments", "statefulsets"]
  verbs: ["get", "list"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles", "clusterrolebindings"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: security-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: security-clusterrole
subjects:
- kind: ServiceAccount
  name: tcss-agent
  namespace: tcss
- kind: User
  name: tcss
  apiGroup: rbac.authorization.k8s.io
EOF
# echo "generate tcss resource file ($TCSS_TMPDIR/tcss_res.yaml) success."
$KUBECTL_CMD apply -f "$TCSS_TMPDIR/tcss_res.yaml";

# Create the user private key tcss.key
openssl genrsa -out "$TCSS_TMPDIR/tcss.key" 2048
# Create the certificate signing request tcss.csr
openssl req -new -key "$TCSS_TMPDIR/tcss.key" -out "$TCSS_TMPDIR/tcss.csr" -subj "/O=K8s/CN=tcss"
# Sign the request with the cluster CA and generate tcss.crt
openssl x509 -req -in "$TCSS_TMPDIR/tcss.csr" -CA "$CA_FILE" -CAkey "$CAKEY_FILE" -CAcreateserial -out "$TCSS_TMPDIR/tcss.crt" -days 365

# Create and configure the cluster entry
$KUBECTL_CMD config set-cluster tcss --server="$API_SERVER" --certificate-authority="$CA_FILE" --embed-certs=true --kubeconfig="$KUBECONFIG_TARGET"
# Create and configure the user entry
$KUBECTL_CMD config set-credentials tcss --client-certificate="$TCSS_TMPDIR/tcss.crt" --client-key="$TCSS_TMPDIR/tcss.key" --embed-certs=true --kubeconfig="$KUBECONFIG_TARGET"
# Configure the context
$KUBECTL_CMD config set-context tcss@tcss --cluster=tcss --user=tcss --kubeconfig="$KUBECONFIG_TARGET"
# Switch to the context
$KUBECTL_CMD config use-context tcss@tcss --kubeconfig="$KUBECONFIG_TARGET"
echo "generate KUBECONFIG file success. $KUBECONFIG_TARGET"
```
```bash
# OpenShift: apply the same manifest and generate tcss.crt/tcss.key as above, then build the kubeconfig with oc.
# Create and configure the cluster entry; the server address must be reachable from the public network
KUBECONFIG=/root/tcss.conf oc config set-cluster tcss --server=https://xx.xx.xx.xx:60002 --certificate-authority=/etc/origin/master/ca.crt --embed-certs=true --kubeconfig=/root/tcss.conf
# Create and configure the user entry
KUBECONFIG=/root/tcss.conf oc config set-credentials tcss --client-certificate=tcss.crt --client-key=tcss.key --embed-certs=true --kubeconfig=/root/tcss.conf
# Configure the context
KUBECONFIG=/root/tcss.conf oc config set-context tcss@tcss --cluster=tcss --user=tcss --kubeconfig=/root/tcss.conf
# Switch to the context
KUBECONFIG=/root/tcss.conf oc config use-context tcss@tcss --kubeconfig=/root/tcss.conf
```
```bash
KUBECONFIG=/root/tcss.conf oc -n tcss get pod
```
```bash
#!/bin/bash
set -e;
# API_SERVER must be set to an address and port reachable from the public network
# API_SERVER=https://xx.xx.xx.xx:xxxx
# Adjust the following paths to the actual layout of the cluster
KUBECONFIG_TARGET=/root/tcss.conf
CA_FILE=/etc/kubernetes/ca.crt
CAKEY_FILE=/etc/kubernetes/ca.key
TCSS_TMPDIR=/tmp/tcss
KUBECTL_CMD=oc

if [ -z "$API_SERVER" ]; then
  echo "API_SERVER is not set.";
  exit 1;
fi
if ! which "$KUBECTL_CMD" ; then
  echo "$KUBECTL_CMD does not exist.";
  exit 1;
fi
if [ ! -f "$CA_FILE" ]; then
  echo "$CA_FILE does not exist.";
  exit 1;
fi
if [ ! -f "$CAKEY_FILE" ]; then
  echo "$CAKEY_FILE does not exist.";
  exit 1;
fi
if [ ! -d "$TCSS_TMPDIR" ]; then
  mkdir -p "$TCSS_TMPDIR";
fi

# Write the RBAC manifest: namespace, admin role, service account, read-only cluster role
cat <<EOF > "$TCSS_TMPDIR/tcss_res.yaml"
---
apiVersion: v1
kind: Namespace
metadata:
  name: tcss
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: tcss
  name: tcss-admin
rules:
- apiGroups: ["extensions", "apps", ""]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tcss-admin-rb
  namespace: tcss
subjects:
- kind: User
  name: tcss
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: tcss-admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
metadata:
  name: tcss-agent-secret
  namespace: tcss
  annotations:
    kubernetes.io/service-account.name: tcss-agent
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tcss-agent
  namespace: tcss
secrets:
- name: tcss-agent-secret
  namespace: tcss
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: security-clusterrole
rules:
- apiGroups: ["", "v1"]
  resources: ["namespaces", "pods", "nodes"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["replicasets", "daemonsets", "deployments", "statefulsets"]
  verbs: ["get", "list"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["get", "list"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles", "clusterrolebindings"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: security-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: security-clusterrole
subjects:
- kind: ServiceAccount
  name: tcss-agent
  namespace: tcss
- kind: User
  name: tcss
  apiGroup: rbac.authorization.k8s.io
EOF
# echo "generate tcss resource file ($TCSS_TMPDIR/tcss_res.yaml) success."
$KUBECTL_CMD apply -f "$TCSS_TMPDIR/tcss_res.yaml";

# OpenShift-specific: grant the privileged and hostaccess SCCs to the service account and user, and cluster-reader to the user
$KUBECTL_CMD adm policy add-scc-to-user privileged -n tcss -z tcss-agent;
$KUBECTL_CMD adm policy add-scc-to-user hostaccess -n tcss -z tcss-agent;
$KUBECTL_CMD adm policy add-scc-to-user privileged tcss;
$KUBECTL_CMD adm policy add-scc-to-user hostaccess tcss;
$KUBECTL_CMD adm policy add-cluster-role-to-user cluster-reader tcss;

# Create the user private key tcss.key
openssl genrsa -out "$TCSS_TMPDIR/tcss.key" 2048
# Create the certificate signing request tcss.csr
openssl req -new -key "$TCSS_TMPDIR/tcss.key" -out "$TCSS_TMPDIR/tcss.csr" -subj "/O=K8s/CN=tcss"
# Sign the request with the cluster CA and generate tcss.crt
openssl x509 -req -in "$TCSS_TMPDIR/tcss.csr" -CA "$CA_FILE" -CAkey "$CAKEY_FILE" -CAcreateserial -out "$TCSS_TMPDIR/tcss.crt" -days 365

# Create and configure the cluster entry
KUBECONFIG=$KUBECONFIG_TARGET $KUBECTL_CMD config set-cluster tcss --server="$API_SERVER" --certificate-authority="$CA_FILE" --embed-certs=true --kubeconfig="$KUBECONFIG_TARGET"
# Create and configure the user entry
KUBECONFIG=$KUBECONFIG_TARGET $KUBECTL_CMD config set-credentials tcss --client-certificate="$TCSS_TMPDIR/tcss.crt" --client-key="$TCSS_TMPDIR/tcss.key" --embed-certs=true --kubeconfig="$KUBECONFIG_TARGET"
# Configure the context
KUBECONFIG=$KUBECONFIG_TARGET $KUBECTL_CMD config set-context tcss@tcss --cluster=tcss --user=tcss --kubeconfig="$KUBECONFIG_TARGET"
# Switch to the context
KUBECONFIG=$KUBECONFIG_TARGET $KUBECTL_CMD config use-context tcss@tcss --kubeconfig="$KUBECONFIG_TARGET"
echo "generate KUBECONFIG file success. $KUBECONFIG_TARGET"
```