Merge "Improve connecting to existing k8s cluster guide"
This commit is contained in:
commit
fffe13519f
|
@ -21,8 +21,8 @@ Qinling. The component which works with Kubernetes cluster in Qinling is the
|
||||||
existing Kubernetes cluster, and make Qinling access the Kubernetes API with
|
existing Kubernetes cluster, and make Qinling access the Kubernetes API with
|
||||||
authentication and authorization.
|
authentication and authorization.
|
||||||
|
|
||||||
Configurations
|
Qinling Configurations
|
||||||
~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
Below are the options that relate to accessing the Kubernetes API in Qinling's
|
Below are the options that relate to accessing the Kubernetes API in Qinling's
|
||||||
configuration file, all of them are under the ``kubernetes`` section.
|
configuration file, all of them are under the ``kubernetes`` section.
|
||||||
|
@ -58,10 +58,10 @@ server. Refer to
|
||||||
`Authentication in Kubernetes <https://kubernetes.io/docs/admin/authentication/>`_.
|
`Authentication in Kubernetes <https://kubernetes.io/docs/admin/authentication/>`_.
|
||||||
|
|
||||||
If `RBAC Authorization <https://kubernetes.io/docs/admin/authorization/rbac/>`_
|
If `RBAC Authorization <https://kubernetes.io/docs/admin/authorization/rbac/>`_
|
||||||
is enabled in the Kubernetes API, we will also have to grant access to resources
|
is enabled in the Kubernetes API, we will also have to grant access to
|
||||||
in Kubernetes for the specific user that Qinling uses to make requests to the
|
resources in Kubernetes for the specific user that Qinling uses to make
|
||||||
Kubernetes API. Using RBAC Authorization can ensure that Qinling access the
|
requests to the Kubernetes API. Using RBAC Authorization can ensure that
|
||||||
Kubernetes API with only the permission that it needs.
|
Qinling access the Kubernetes API with only the permission that it needs.
|
||||||
|
|
||||||
Generate Client Certificate for Qinling
|
Generate Client Certificate for Qinling
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
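Review bot: verb agreement in the rewrapped sentence at the end of this hunk: `Qinling access the Kubernetes API with only the permission that it needs` should read `Qinling accesses the Kubernetes API with only the permissions that it needs`; since these lines are being reflowed anyway, fix it here rather than in a follow-up.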
@ -84,24 +84,29 @@ for how to generate a client cert. We use ``cfssl`` as the example here.
|
||||||
|
|
||||||
.. code-block:: console
|
.. code-block:: console
|
||||||
|
|
||||||
mkdir certs; cd certs
|
mkdir /tmp/certs; cd /tmp/certs
|
||||||
/tmp/cfssl gencert -ca=/path/to/kubernetes_ca_crt \
|
/tmp/cfssl gencert -ca=/path/to/kubernetes_ca_crt \
|
||||||
-ca-key=/path/to/kubernetes_ca_key \
|
-ca-key=/path/to/kubernetes_ca_key \
|
||||||
-config=QINLING_SOURCE/example/kubernetes/cfssl-ca-config.json \
|
-config=QINLING_SOURCE_FOLDER/example/kubernetes/cfssl-ca-config.json \
|
||||||
-profile=client \
|
-profile=client \
|
||||||
QINLING_SOURCE/example/kubernetes/cfssl-client-csr.json | /tmp/cfssljson -bare client
|
QINLING_SOURCE_FOLDER/example/kubernetes/cfssl-client-csr.json | /tmp/cfssljson -bare client
|
||||||
|
|
||||||
#) Copy the needed files to the locations. The command above generates two
|
#) Copy the needed files to the locations. The command above generates two
|
||||||
files named ``client-key.pem`` and ``client.pem``, the former is the key
|
files named ``client-key.pem`` and ``client.pem``, the former is the key
|
||||||
file of the client certificate, and the latter is the certificate file
|
file of the client certificate, and the latter is the certificate file
|
||||||
itself.
|
itself.
|
||||||
|
|
||||||
.. code-block:: console
|
.. note::
|
||||||
|
|
||||||
mkdir -p /etc/qinling/pki/kubernetes
|
Remember to backup the existing files in /etc/qinling/pki/kubernetes
|
||||||
cp client-key.pem /etc/qinling/pki/kubernetes/qinling.key
|
folder first.
|
||||||
cp client.pem /etc/qinling/pki/kubernetes/qinling.crt
|
|
||||||
cp /path/to/kubernetes_ca_crt /etc/qinling/pki/kubernetes/ca.crt
|
.. code-block:: console
|
||||||
|
|
||||||
|
mkdir -p /etc/qinling/pki/kubernetes
|
||||||
|
mv client-key.pem /etc/qinling/pki/kubernetes/qinling.key
|
||||||
|
mv client.pem /etc/qinling/pki/kubernetes/qinling.crt
|
||||||
|
mv /path/to/kubernetes_ca_crt /etc/qinling/pki/kubernetes/ca.crt
|
||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
|
|
||||||
|
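Review bot: the `cp` to `mv` change is wrong for the CA certificate. `mv /path/to/kubernetes_ca_crt /etc/qinling/pki/kubernetes/ca.crt` relocates the cluster's own CA certificate, which the API server and other cluster components still reference at its original path; keep `cp` for that line (`mv` is fine for the freshly generated `client-key.pem` and `client.pem` in `/tmp/certs`). Since the key file now lives under `/etc/qinling/pki/kubernetes`, consider adding a `chmod 600 /etc/qinling/pki/kubernetes/qinling.key` step after the moves so the client private key is not world-readable. The new backup note makes sense because `mv` silently overwrites existing files in that folder.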
@ -125,30 +130,21 @@ the common name of the subject in the client certificate. The role is defined
|
||||||
within a namespace named ``qinling``, which is the default namespace that
|
within a namespace named ``qinling``, which is the default namespace that
|
||||||
Qinling uses and the name is configurable.
|
Qinling uses and the name is configurable.
|
||||||
|
|
||||||
#) Grant access to the resources in the Kubernetes cluster for Qinling. The
|
.. code-block:: console
|
||||||
following command can be running on any host that kubectl is installed
|
|
||||||
to interact with Kubernetes.
|
|
||||||
|
|
||||||
.. code-block:: console
|
curl -sSL https://raw.githubusercontent.com/openstack/qinling/master/example/kubernetes/k8s_qinling_role.yaml | kubectl apply -f -
|
||||||
|
|
||||||
curl -sSL https://raw.githubusercontent.com/openstack/qinling/master/example/kubernetes/k8s_qinling_role.yaml | kubectl create -f -
|
|
||||||
|
|
||||||
The command above creates a ``ClusterRole`` named ``qinling`` with the
|
Restart Qinling Engine
|
||||||
cluster-wide permissions that Qinling needs and binds it to the ``qinling``
|
~~~~~~~~~~~~~~~~~~~~~~
|
||||||
user. It also creates a ``Role`` named ``qinling`` within a newly created
|
|
||||||
``qinling`` namespace and binds it to the specific user. So the access to
|
|
||||||
resources within that namespace is also granted.
|
|
||||||
|
|
||||||
Start Qinling Engine
|
Restart the qinling-engine service after the steps above are done, and now
|
||||||
~~~~~~~~~~~~~~~~~~~~
|
|
||||||
|
|
||||||
Start the qinling-engine service after the steps above are done. And now
|
|
||||||
Qinling is accessing the Kubernetes API with itself authenticated by a client
|
Qinling is accessing the Kubernetes API with itself authenticated by a client
|
||||||
certificate. And the requests that Qinling makes to the Kubernetes API
|
certificate. The requests that Qinling makes to the Kubernetes API are also
|
||||||
are also authorized.
|
authorized.
|
||||||
|
|
||||||
Access the Kubernetes API Insecurely (For Testing ONLY)
|
Access the Kubernetes API Insecurely (For testing purpose ONLY)
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
Qinling can also connect to the Kubernetes API insecurely if the Kubernetes API
|
Qinling can also connect to the Kubernetes API insecurely if the Kubernetes API
|
||||||
server serves for insecure connections. However this is not recommended and
|
server serves for insecure connections. However this is not recommended and
|
||||||
|
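Review bot: the paragraph explaining what `k8s_qinling_role.yaml` grants (a `ClusterRole` named `qinling` bound to the `qinling` user, plus a `Role` named `qinling` in a newly created `qinling` namespace) should be kept after the `kubectl apply` command; without it the guide asks the reader to apply a manifest fetched from a URL with no statement of the permissions it creates, which is exactly what the earlier RBAC paragraph promises to make explicit. The `kubectl create -f -` to `kubectl apply -f -` change is good, since re-running the guide then updates the existing objects instead of failing.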
@ -158,4 +154,4 @@ In the configuration file, under the ``kubernetes`` section, set ``kube_host``
|
||||||
to the URI which the Kubernetes API serves for insecure HTTP connections, for
|
to the URI which the Kubernetes API serves for insecure HTTP connections, for
|
||||||
example, ``kube_host = http://localhost:8080``, and set ``use_api_certificate``
|
example, ``kube_host = http://localhost:8080``, and set ``use_api_certificate``
|
||||||
to ``False`` to disable Qinling using a client certificate to access the
|
to ``False`` to disable Qinling using a client certificate to access the
|
||||||
Kubernetes API.
|
Kubernetes API.
|
||||||
|
|