需求说明

在eks集群里面,kubeconfig配置都是系统自动生成.其中master的api节点会是一个nlb地址.且没有办法修改. 有的时候客户需要自定义域名去访问
比如https://D7B1A4E11DEB9761DC71556910455476.gr7.us-east-1.eks.amazonaws.com更换成eks.dreamrui.com.请问应该如何操作

kubeconfig配置参考(原始)

[root@ip-192-168-20-233 ~]# cat .kube/config 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJZGhiT25xb0Jtb2t3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TkRFeE1qQXdNVFV5TVRaYUZ3MHpOREV4TVRnd01UVTNNVFphTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUURDeVR4cnVOSWlHeVBGNHBZdk8xQUh5d2ZuL0pFYWcrRkhPMEsrV0FuK3pqdTFHSU5JTGt0dEZPMzQKREhzWFRVVHZTQVM1aEhCTTJia1N1OFZ0WWpxU1pjMHh4aFpOdG82a2FVK1VzdWkzZTloc1BISmg3K2V6K3hFLwpRTkdWbXNVU3RSd0NQUDdMMitSNVl4REF3VlpvTmFwOVZpano5ZlRYb1pvQVYyUUFHd09zSmFHR0ZXRUdlYjJwCmg4ZDBFRG40WC9VN2dsaFZIQ3dTd0JKYmJnVUdZT2pkb3dkY2NWQWtyTWdBRk1BTGsvRzVYSUMzRDdQT1ZUalUKdVlYelV3RElld3dPbm5rMHo4OW1QREc2SXVpNGpJUk9laW1HcXgvTWthTHlSbFBVRnQ0QmdjNG9Lb3pIc0pCMQpTemZTTW1qZjJJNWpiOVJEM1BoaUNqU3JEVldkQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJTQUUzdDlTN3d0SWRXYWw3VVB1MXlMcXpBa2R6QVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQVNJTWRYVldheApCSkk0d1ZuSFJNVEZqMkNIeEdvK0FmanhnOEN3QzhGdkd4NFJOaXpNY2FLbTFBbXJEdEN4R3F2clU1TUFxSkVTCldqZWR3QmFmcFBmdTlhbzZtOUwyWlJiL2dMNHh5VXpCdUFtdjRIUlNXT3lPZ2xIdjE1K2lDSm5qc0xnQnBuclIKeXhHdG9VMGRFQ1pBbUFkeUJpTmJMOHJpeHROL1NPdDY3MW10eUZjWHhHcGoyejZvY0ZQMjlYMnJTdzkraEw5aQpSTHhPWlVzSlZCVzF5cmZ2cmpGOUFKZlRnbXpnY3h5RWVidkZQbXRmKzFNNWJwSEtaNzZRWnVXK21EeDJSMjcyCkRvRGdlZ0N0cTY4Y1k0REsvUDNBMSthQXN3U0haVnd6RlN3aVhzZUl2V1pTd3ZLNG1KYThwRlFDcnhZRFdwVjAKb0lmanpkQ2tSMDZZCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    server: https://D7B1A4E11DEB9761DC71556910455476.gr7.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:893420598334:cluster/raymond
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:893420598334:cluster/raymond
    user: arn:aws:eks:us-east-1:893420598334:cluster/raymond
  name: arn:aws:eks:us-east-1:893420598334:cluster/raymond
current-context: arn:aws:eks:us-east-1:893420598334:cluster/raymond
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:893420598334:cluster/raymond
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - raymond
      - --output
      - json
      command: aws

实现思路

  1. 使用一个nginx作为代理,nginx使用https证书
  2. 让nginx去反向代理,代理到后面的eks的api
  3. 最后进行服务验证

安装nginx并配置服务

###安装nginx

yum -y install nginx
###启动nginxsystemctl start nginx && systemctl enable nginx

配置config

这里需要提前配置好对应的证书

[root@ip-192-168-34-106 nginx]# cat nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
		server {
    	listen       80;
    	server_name  eks.dreamrui.com;
    # 将所有 HTTP 请求重定向到 HTTPS
    	return 301 https://$host$request_uri;
		}

    server {
        listen       443 ssl;
        listen       [::]:443 ssl;
        http2        on;
        server_name  eks.dreamrui.com;
        root         /usr/share/nginx/html;
				# 证书路径
        ssl_certificate "/etc/nginx/ssl/eks.dreamrui.com_bundle.crt";
        ssl_certificate_key "/etc/nginx/ssl/eks.dreamrui.com.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;

        include /etc/nginx/default.d/*.conf;
				
        location / {
        		# eks的api地址
            proxy_pass         https://D7B1A4E11DEB9761DC71556910455476.gr7.us-east-1.eks.amazonaws.com;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;

            # 如果后端是 HTTPS,需要下面两行
            proxy_ssl_server_name on;
            proxy_ssl_name          D7B1A4E11DEB9761DC71556910455476.gr7.us-east-1.eks.amazonaws.com;

            # 可选:超时设定
            proxy_connect_timeout   5s;
            proxy_send_timeout      30s;
            proxy_read_timeout      30s;

            # 可选:WebSocket 支持
            proxy_http_version      1.1;
            proxy_set_header        Upgrade $http_upgrade;
            proxy_set_header        Connection "upgrade";
        }

    }
}


Token生成

cat > token.yaml<<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: super-admin
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: super-admin-binding
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: super-admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: v1
kind: Secret
metadata:
  name: admin-user-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: "admin-user"
type: kubernetes.io/service-account-token
EOF

获取Token

kubectl -n kube-system get secret admin-user-token -o jsonpath='{.data.token}' | base64 -d

kubeconfig配置(管理节点生成)

TOKEN=$(kubectl -n kube-system get secret admin-user-token -o jsonpath='{.data.token}' | base64 -d)


1. 手动构建kubeconfig的cluster配置(集群名字任意,自己区分就行.这里取的是集群的arn)
kubectl config set-cluster raymond-eks --kubeconfig=kubeconfig --server=https://eks.dreamrui.com --insecure-skip-tls-verify=true


2. 生成用户访问凭据
kubectl config set-credentials raymond --kubeconfig=kubeconfig --token=$TOKEN



3. 配置上下文
kubectl config set-context internal --cluster=raymond-eks --user=raymond --kubeconfig=kubeconfig



4. 切换配置
kubectl config use-context internal --kubeconfig=kubeconfig


查看config配置

注意事项

需要在12行添加一个信息

apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://eks.dreamrui.com
  name: raymond-eks
contexts:
- context:
    cluster: raymond-eks
    user: raymond
  name: internal
current-context: "internal"  #这里一定要添加
kind: Config
preferences: {}
users:
- name: raymond
  user:
    token: xxxxxxxxxxxxxxxx


总结

利用serviceaccount的token信息,我们就可以忽略aws的iam权限与策略.而实现直接调用.
但是需要注意风险

















  • No labels