Browse Source

Improve connecting to existing k8s cluster guide

Change-Id: I9ea2798546dfa5638c0c849da88ee8a8e0b38a79
changes/18/585718/2
Lingxian Kong 3 years ago
parent
commit
b3c5bfd2ce
1 changed files with 29 additions and 33 deletions
  1. +29
    -33
      doc/source/admin/install/config_kubernetes.rst

+ 29
- 33
doc/source/admin/install/config_kubernetes.rst View File

@ -21,8 +21,8 @@ Qinling. The component which works with Kubernetes cluster in Qinling is the
existing Kubernetes cluster, and make Qinling access the Kubernetes API with
authentication and authorization.
Configurations
~~~~~~~~~~~~~~
Qinling Configurations
~~~~~~~~~~~~~~~~~~~~~~
Below are the options that relate to accessing the Kubernetes API in Qinling's
configuration file, all of them are under the ``kubernetes`` section.
@ -58,10 +58,10 @@ server. Refer to
`Authentication in Kubernetes <https://kubernetes.io/docs/admin/authentication/>`_.
If `RBAC Authorization <https://kubernetes.io/docs/admin/authorization/rbac/>`_
is enabled in the Kubernetes API, we will also have to grant access to resources
in Kubernetes for the specific user that Qinling uses to make requests to the
Kubernetes API. Using RBAC Authorization can ensure that Qinling access the
Kubernetes API with only the permission that it needs.
is enabled in the Kubernetes API, we will also have to grant access to
resources in Kubernetes for the specific user that Qinling uses to make
requests to the Kubernetes API. Using RBAC Authorization can ensure that
Qinling access the Kubernetes API with only the permission that it needs.
Generate Client Certificate for Qinling
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -84,24 +84,29 @@ for how to generate a client cert. We use ``cfssl`` as the example here.
.. code-block:: console
mkdir certs; cd certs
mkdir /tmp/certs; cd /tmp/certs
/tmp/cfssl gencert -ca=/path/to/kubernetes_ca_crt \
-ca-key=/path/to/kubernetes_ca_key \
-config=QINLING_SOURCE/example/kubernetes/cfssl-ca-config.json \
-config=QINLING_SOURCE_FOLDER/example/kubernetes/cfssl-ca-config.json \
-profile=client \
QINLING_SOURCE/example/kubernetes/cfssl-client-csr.json | /tmp/cfssljson -bare client
QINLING_SOURCE_FOLDER/example/kubernetes/cfssl-client-csr.json | /tmp/cfssljson -bare client
#) Copy the needed files to the locations. The command above generates two
files named ``client-key.pem`` and ``client.pem``, the former is the key
file of the client certificate, and the latter is the certificate file
itself.
.. code-block:: console
.. note::
Remember to backup the existing files in /etc/qinling/pki/kubernetes
folder first.
mkdir -p /etc/qinling/pki/kubernetes
cp client-key.pem /etc/qinling/pki/kubernetes/qinling.key
cp client.pem /etc/qinling/pki/kubernetes/qinling.crt
cp /path/to/kubernetes_ca_crt /etc/qinling/pki/kubernetes/ca.crt
.. code-block:: console
mkdir -p /etc/qinling/pki/kubernetes
mv client-key.pem /etc/qinling/pki/kubernetes/qinling.key
mv client.pem /etc/qinling/pki/kubernetes/qinling.crt
mv /path/to/kubernetes_ca_crt /etc/qinling/pki/kubernetes/ca.crt
.. note::
@ -125,30 +130,21 @@ the common name of the subject in the client certificate. The role is defined
within a namespace named ``qinling``, which is the default namespace that
Qinling uses and the name is configurable.
#) Grant access to the resources in the Kubernetes cluster for Qinling. The
following command can be running on any host that kubectl is installed
to interact with Kubernetes.
.. code-block:: console
.. code-block:: console
curl -sSL https://raw.githubusercontent.com/openstack/qinling/master/example/kubernetes/k8s_qinling_role.yaml | kubectl create -f -
curl -sSL https://raw.githubusercontent.com/openstack/qinling/master/example/kubernetes/k8s_qinling_role.yaml | kubectl apply -f -
The command above creates a ``ClusterRole`` named ``qinling`` with the
cluster-wide permissions that Qinling needs and binds it to the ``qinling``
user. It also creates a ``Role`` named ``qinling`` within a newly created
``qinling`` namespace and binds it to the specific user. So the access to
resources within that namespace is also granted.
Start Qinling Engine
~~~~~~~~~~~~~~~~~~~~
Restart Qinling Engine
~~~~~~~~~~~~~~~~~~~~~~
Start the qinling-engine service after the steps above are done. And now
Restart the qinling-engine service after the steps above are done, and now
Qinling is accessing the Kubernetes API with itself authenticated by a client
certificate. And the requests that Qinling makes to the Kubernetes API
are also authorized.
certificate. The requests that Qinling makes to the Kubernetes API are also
authorized.
Access the Kubernetes API Insecurely (For Testing ONLY)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Access the Kubernetes API Insecurely (For testing purpose ONLY)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Qinling can also connect to the Kubernetes API insecurely if the Kubernetes API
server serves for insecure connections. However this is not recommended and
@ -158,4 +154,4 @@ In the configuration file, under the ``kubernetes`` section, set ``kube_host``
to the URI which the Kubernetes API serves for insecure HTTP connections, for
example, ``kube_host = http://localhost:8080``, and set ``use_api_certificate``
to ``False`` to disable Qinling using a client certificate to access the
Kubernetes API.
Kubernetes API.

Loading…
Cancel
Save