metrics-server: using an external SSL certificate

Date: 2019-06-27 14:45:59

1. Overview
For a basic deployment, see https://blog.51cto.com/juestnow/2409880

2. Create the metrics-server certificate

cat << EOF | tee /apps/work/k8s/cfssl/k8s/metrics-server.json
{
  "CN": "metrics-server",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "GuangDong",
      "L": "GuangZhou",
      "O": "niuke",
      "OU": "niuke"
    }
  ]
}
EOF
### Generate the certificate
cfssl gencert -ca=/apps/work/k8s/cfssl/pki/k8s/k8s-ca.pem \
    -ca-key=/apps/work/k8s/cfssl/pki/k8s/k8s-ca-key.pem \
    -config=/apps/work/k8s/cfssl/ca-config.json \
    -profile=kubernetes /apps/work/k8s/cfssl/k8s/metrics-server.json | cfssljson -bare ./metrics-server
### Create the secret
kubectl -n kube-system create secret generic metrics-server-certs --from-file=metrics-server-key.pem --from-file=metrics-server.pem
kubectl get secret -n kube-system | grep metrics-server-certs
kubectl get secret metrics-server-certs -n kube-system  -o yaml

3. Modify metrics-server-deployment

vi metrics-server-deployment.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-server
  namespace: kube-system
---
# apps/v1 replaces extensions/v1beta1, which no longer serves Deployments as of Kubernetes 1.16
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    k8s-app: metrics-server
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  template:
    metadata:
      name: metrics-server
      labels:
        k8s-app: metrics-server
    spec:
      serviceAccountName: metrics-server
      tolerations:
        - effect: NoSchedule
          key: node.kubernetes.io/unschedulable
          operator: Exists
        - key: NoSchedule
          operator: Exists
          effect: NoSchedule
      volumes:
      # mount in tmp so we can safely use from-scratch images and/or read-only containers
      - name: tmp-dir
        emptyDir: {}
      - name: metrics-server-certs
        secret:
          secretName: metrics-server-certs
      containers:
      - name: metrics-server
        image: juestnow/metrics-server-amd64:v0.3.3
        imagePullPolicy: Always
        command:
        - /metrics-server
        - --tls-cert-file=/certs/metrics-server.pem
        - --tls-private-key-file=/certs/metrics-server-key.pem
        - --kubelet-preferred-address-types=InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP
        volumeMounts:
        - name: tmp-dir
          mountPath: /tmp
        - name: metrics-server-certs
          mountPath: /certs
      nodeSelector:
        metrics: "yes"

4. Apply the YAML

kubectl apply -f metrics-server-deployment.yaml

5. Check the metrics-server status

[root@jenkins vpa]# kubectl get pod  -n  kube-system | grep metrics-server
metrics-server-658bb99b66-z6xg4             1/1     Running   0          22h
kubectl get pod metrics-server-658bb99b66-z6xg4  -n  kube-system -o yaml
Check whether the pod spec has changed, or open the dashboard.

Check the services
[root@jenkins vpa]# kubectl get service  -n  kube-system | grep metrics-server                     
metrics-server         ClusterIP   10.64.53.220    <none>        443/TCP                  45d
https://10.64.53.220 

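The URL opens normally and returns the API addresses.
The metrics-server deployment with a self-signed certificate is complete. Recommended for use in production environments.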
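
A pre-flight check for the files produced in step 2, to run before they are loaded into the secret (added example, not from the original article; the function names are illustrative and only standard openssl subcommands are used). It confirms that metrics-server.pem verifies against the CA, that it matches metrics-server-key.pem, and that it does not expire within 30 days.

```shell
# Added example: pre-flight checks for the cfssl output from step 2.
# Function names are illustrative; only standard openssl subcommands are used.

# 0 if the certificate verifies against the given CA file.
cert_chains_to_ca() {   # $1 = CA cert, $2 = server cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the certificate and the private key contain the same public key.
cert_matches_key() {    # $1 = server cert, $2 = private key
  _cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  _key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$_cert_pub" ] && [ "$_cert_pub" = "$_key_pub" ]
}

# 0 if the certificate is still valid $2 seconds from now (default: 0).
cert_not_expiring() {   # $1 = server cert, $2 = seconds
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Run all checks; print one line per failure, return non-zero if any failed.
preflight_metrics_cert() {  # $1 = CA cert, $2 = server cert, $3 = private key
  _rc=0
  cert_chains_to_ca "$1" "$2" || { echo "FAIL: $2 is not signed by $1"; _rc=1; }
  cert_matches_key "$2" "$3" || { echo "FAIL: $3 does not match $2"; _rc=1; }
  cert_not_expiring "$2" 2592000 || { echo "FAIL: $2 expires within 30 days"; _rc=1; }
  [ "$_rc" -eq 0 ] && echo "OK: $2 and $3 are consistent with $1"
  return "$_rc"
}

# Typical call with the paths used on this page:
# preflight_metrics_cert /apps/work/k8s/cfssl/pki/k8s/k8s-ca.pem \
#     metrics-server.pem metrics-server-key.pem
```

A mismatch caught here would otherwise only show up after step 4, as a metrics-server pod that fails to start or serves a certificate clients cannot verify.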

Original article: https://blog.51cto.com/juestnow/2414189

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!