Introduction to the KubeConfig Configuration File


After Kubernetes is deployed, a configuration file is always placed at /etc/kubernetes/admin.conf. It stores the username, password and related information of an administrator account for the current API Server, and it follows a specific organizational format.

All of the conf files under /etc/kubernetes share a similar format; they are simply used by different Kubernetes components.

root@k8s-master01:~# ls /etc/kubernetes/
admin.conf  controller-manager.conf  kubelet.conf  manifests  pki  scheduler.conf

These files exist so that clients can access the API Server conveniently.

Authenticating to Kubernetes requires a token, a username and password, or a certificate, and every time kubectl contacts the API Server it has to carry that information.

# kubectl options shows which options can be added.
root@k8s-master01:~# kubectl options
The following options can be passed to any command:

      --add-dir-header=false: If true, adds the file directory to the header of the log messages
      --alsologtostderr=false: log to standard error as well as files
      --as='': Username to impersonate for the operation
      --as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify
multiple groups.
      --cache-dir='/root/.kube/cache': Default cache directory
      --certificate-authority='': Path to a cert file for the certificate authority
      --client-certificate='': Path to a client certificate file for TLS
      --client-key='': Path to a client key file for TLS
      --cluster='': The name of the kubeconfig cluster to use
      --context='': The name of the kubeconfig context to use
      --insecure-skip-tls-verify=false: If true, the server's certificate will not be checked for
validity. This will make your HTTPS connections insecure
      --kubeconfig='': Path to the kubeconfig file to use for CLI requests.
      --log-backtrace-at=:0: when logging hits line file:N, emit a stack trace
      --log-dir='': If non-empty, write log files in this directory
      --log-file='': If non-empty, use this log file
      --log-file-max-size=1800: Defines the maximum size a log file can grow to. Unit is megabytes.
If the value is 0, the maximum file size is unlimited.
      --log-flush-frequency=5s: Maximum number of seconds between log flushes
      --logtostderr=true: log to standard error instead of files
      --match-server-version=false: Require server version to match client version
  -n, --namespace='': If present, the namespace scope for this CLI request
      --one-output=false: If true, only write logs to their native severity level (vs also writing
to each lower severity level)
      --password='': Password for basic authentication to the API server
      --profile='none': Name of profile to capture. One of
(none|cpu|heap|goroutine|threadcreate|block|mutex)
      --profile-output='profile.pprof': Name of the file to write the profile to
      --request-timeout='0': The length of time to wait before giving up on a single server request.
Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means
don't timeout requests.
  -s, --server='': The address and port of the Kubernetes API server
      --skip-headers=false: If true, avoid header prefixes in the log messages
      --skip-log-headers=false: If true, avoid headers when opening log files
      --stderrthreshold=2: logs at or above this threshold go to stderr
      --tls-server-name='': Server name to use for server certificate validation. If it is not
provided, the hostname used to contact the server is used
      --token='': Bearer token for authentication to the API server
      --user='': The name of the kubeconfig user to use
      --username='': Username for basic authentication to the API server
  -v, --v=0: number for the log level verbosity
      --vmodule=: comma-separated list of pattern=N settings for file-filtered logging
      --warnings-as-errors=false: Treat warnings received from the server as errors and exit with a
non-zero exit code

Overview of kubeconfig

To simplify authentication for every client, the API Server defines a configuration file that makes authentication information easier to manage: the kubeconfig file.

It groups usernames, credentials and related settings into a single authentication file that is used to authenticate to the API Server.

One file can also hold n sets of credentials for m clusters, so a user can use different credentials from the same file to access different clusters.

Organization of the kubeconfig file

users:                    # defines accounts; each entry holds a username and its credentials
- user1
- user2
- ...

clusters:                 # defines clusters
- cluster1
- cluster2
- ...

contexts:                 # specifies which user is paired with which cluster
- context:
    user: user1
    cluster: cluster1
  name: user1@cluster1
- context:
    user: user2
    cluster: cluster2
  name: user2@cluster2
- ...

current-context: user1@cluster1    # the context currently in effect
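As an added example (not code from the original post), the following Python performs the join the structure above describes, resolving a context to its cluster and user bodies, and then flags settings a reviewer would not want in a kubeconfig: insecure-skip-tls-verify, a missing CA, or basic-auth credentials. The kubeconfig is a constructed sample embedded as JSON (which kubectl accepts, since JSON is valid YAML), and the function names are my own.

```python
import json

# Constructed sample kubeconfig (not from the page); JSON is valid YAML and kubectl accepts it.
# The "lab" cluster and "lab-user" deliberately carry weak settings for the audit to catch.
SAMPLE_KUBECONFIG = json.loads("""
{"apiVersion": "v1", "kind": "Config",
 "clusters": [
   {"name": "prod", "cluster": {"server": "https://kube-api:6443",
                                "certificate-authority-data": "BASE64-CA-PLACEHOLDER"}},
   {"name": "lab", "cluster": {"server": "https://lab-api:6443",
                               "insecure-skip-tls-verify": true}}],
 "users": [
   {"name": "kubernetes-admin", "user": {"client-certificate-data": "BASE64-CERT-PLACEHOLDER",
                                         "client-key-data": "BASE64-KEY-PLACEHOLDER"}},
   {"name": "lab-user", "user": {"username": "admin", "password": "constructed-password"}}],
 "contexts": [
   {"name": "kubernetes-admin@prod", "context": {"cluster": "prod", "user": "kubernetes-admin"}},
   {"name": "lab-user@lab", "context": {"cluster": "lab", "user": "lab-user"}}],
 "current-context": "kubernetes-admin@prod"}
""")

def _lookup(entries, name, key):
    """Find the list entry called `name` and return its `key` body (cluster/user/context)."""
    for entry in entries:
        if entry.get("name") == name:
            return entry[key]
    raise KeyError(f"no {key} entry named {name!r}")

def resolve_context(cfg, context_name=None):
    """Join a context (default: current-context) to its cluster and user bodies, the same
    lookup kubectl performs before it opens a connection."""
    name = context_name or cfg.get("current-context")
    if not name:
        raise KeyError("no current-context set and no context name given")
    ctx = _lookup(cfg["contexts"], name, "context")
    return {"context": name,
            "cluster": _lookup(cfg["clusters"], ctx["cluster"], "cluster"),
            "user": _lookup(cfg["users"], ctx["user"], "user")}

def audit_context(cfg, context_name=None):
    """Return findings that weaken transport or credential security for one context."""
    resolved = resolve_context(cfg, context_name)
    cluster, user = resolved["cluster"], resolved["user"]
    findings = []
    if cluster.get("insecure-skip-tls-verify"):
        findings.append("insecure-skip-tls-verify is set: the API server certificate is not checked")
    elif not (cluster.get("certificate-authority") or cluster.get("certificate-authority-data")):
        findings.append("no certificate-authority configured: trust falls back to the system store")
    if "username" in user or "password" in user:
        findings.append("basic-auth username/password stored in the kubeconfig")
    return findings
```

Running audit_context over every context in a file (not just current-context) is the useful check, because a weak context stays selectable with --context even when it is not the active one.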

How kubeconfig is loaded

When kubectl runs, it loads the kubeconfig file from the ~/.kube/ directory by default, so once the cluster is set up the file needs to be copied into that directory.

If the file is not copied there, there are two other ways to load it:

1. Specify the path of the kubeconfig file when running the kubectl command

root@k8s-master01:~# kubectl get nodes --kubeconfig=/etc/kubernetes/admin.conf
NAME           STATUS   ROLES                  AGE   VERSION
k8s-master01   Ready    control-plane,master   13d   v1.21.2
k8s-node01     Ready    <none>                 13d   v1.21.2
k8s-node02     Ready    <none>                 13d   v1.21.2
k8s-node03     Ready    <none>                 13d   v1.21.2

2. Declare it with an environment variable

root@k8s-master01:~# export KUBECONFIG=/etc/kubernetes/admin.conf

Managing kubeconfig files

kubeconfig files can be managed with kubectl config

root@k8s-master01:~# kubectl config --help
Modify kubeconfig files using subcommands like "kubectl config set current-context my-context"

 The loading order follows these rules:

  1.  If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once
and no merging takes place.
  2.  If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path
delimiting rules for your system). These paths are merged. When a value is modified, it is modified
in the file that defines the stanza. When a value is created, it is created in the first file that
exists. If no files in the chain exist, then it creates the last file in the list.
  3.  Otherwise, ${HOME}/.kube/config is used and no merging takes place.

Available Commands:
  current-context Displays the current-context
  delete-cluster  Delete the specified cluster from the kubeconfig
  delete-context  Delete the specified context from the kubeconfig
  delete-user     Delete the specified user from the kubeconfig
  get-clusters    Display clusters defined in the kubeconfig
  get-contexts    Describe one or many contexts
  get-users       Display users defined in the kubeconfig
  rename-context  Renames a context from the kubeconfig file.
  set             Sets an individual value in a kubeconfig file
  set-cluster     Sets a cluster entry in kubeconfig
  set-context     Sets a context entry in kubeconfig
  set-credentials Sets a user entry in kubeconfig
  unset           Unsets an individual value in a kubeconfig file
  use-context     Sets the current-context in a kubeconfig file
  view            Display merged kubeconfig settings or a specified kubeconfig file

Usage:
  kubectl config SUBCOMMAND [options]

Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).
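The three loading rules in the help text above and the loading section earlier, as an added example that is not the page's or kubectl's own code: a Python model of which files kubectl will read, and of the merge applied to the $KUBECONFIG list, where the first file to define a name wins (that rule is from the Kubernetes kubeconfig documentation). The two config dicts are constructed samples and the function names are assumptions.

```python
import os

# kubectl splits $KUBECONFIG on the OS path-list separator (":" on Linux).
PATH_LIST_SEP = os.pathsep

# Constructed sample files already parsed into dicts (not from the page): an admin file, and a
# second file that reuses the cluster name "kubernetes" and sets its own current-context.
ADMIN_CONF = {"clusters": [{"name": "kubernetes", "cluster": {"server": "https://kube-api:6443"}}],
              "users": [{"name": "kubernetes-admin", "user": {"client-certificate-data": "X"}}],
              "contexts": [{"name": "kubernetes-admin@kubernetes",
                            "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}}],
              "current-context": "kubernetes-admin@kubernetes"}
DEV_CONF = {"clusters": [{"name": "kubernetes", "cluster": {"server": "https://other-api:6443"}}],
            "users": [{"name": "dev", "user": {"token": "constructed-token"}}],
            "contexts": [{"name": "dev@kubernetes",
                          "context": {"cluster": "kubernetes", "user": "dev"}}],
            "current-context": "dev@kubernetes"}

def kubeconfig_paths(kubeconfig_flag=None, kubeconfig_env=None, home="/root"):
    """Return (paths, merged) following the three rules kubectl documents: --kubeconfig alone
    with no merging, else the $KUBECONFIG list (merged), else ${HOME}/.kube/config."""
    if kubeconfig_flag:
        return [kubeconfig_flag], False
    if kubeconfig_env:
        return [p for p in kubeconfig_env.split(PATH_LIST_SEP) if p], True   # empty names ignored
    return [os.path.join(home, ".kube", "config")], False

def merge_kubeconfigs(configs):
    """Merge parsed kubeconfigs in load order. The first file to define a named cluster, user
    or context wins and later duplicates are ignored; current-context comes from the first
    file that sets one. This is the rule kubectl applies to the $KUBECONFIG list."""
    merged = {"apiVersion": "v1", "kind": "Config", "clusters": [], "users": [],
              "contexts": [], "current-context": ""}
    seen = {"clusters": set(), "users": set(), "contexts": set()}
    for cfg in configs:
        for section in ("clusters", "users", "contexts"):
            for entry in cfg.get(section, []):
                if entry["name"] not in seen[section]:
                    seen[section].add(entry["name"])
                    merged[section].append(entry)
        if not merged["current-context"] and cfg.get("current-context"):
            merged["current-context"] = cfg["current-context"]
    return merged
```

Since the first file in the list wins, check both the value of $KUBECONFIG and the ownership and permissions of every file it names: a stray entry earlier in the list silently decides which server and credentials kubectl uses.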

View the kubeconfig information for the current cluster

root@k8s-master01:~# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://kube-api:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

Get the active context in the current kubeconfig

root@k8s-master01:~# kubectl config get-contexts
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin

# To inspect another configuration file, specify its kubeconfig file explicitly
root@k8s-master01:~# kubectl config get-contexts --kubeconfig=/etc/kubernetes/scheduler.conf
CURRENT   NAME                               CLUSTER      AUTHINFO                NAMESPACE
*         system:kube-scheduler@kubernetes   kubernetes   system:kube-scheduler