我已经安装了Kubernetes与docker-for-desktop。现在我想创建一个用户(遵循RBAC原则)。我正在使用私有证书,并希望对集群的ca.crt签署它们。对于minikube这个ca.crt是在.minikube/ca.crt,但我找不到它在安装与docker?
ca.crt
.minikube/ca.crt
x33g5p2x1#
默认情况下,您的HyperKit VM不会在docker-for-desktop中本地挂载卷。最好的办法是使用kubectl cp手动将ca.crt复制到您的机器上。示例:
kubectl cp
kubectl cp kube-apiserver-docker-desktop:run/config/pki/ca.crt -n kube-system /tmp/ca.crt
iszxjhcz2#
我尝试了jaxxstorm的命令,但错误返回。
~ kubectl -n kube-system get pod NAME READY STATUS RESTARTS AGE coredns-565d847f94-cpvvn 1/1 Running 6 (2d18h ago) 91d coredns-565d847f94-pg5z2 1/1 Running 6 (2d18h ago) 91d etcd-docker-desktop 1/1 Running 6 (2d18h ago) 91d kube-apiserver-docker-desktop 1/1 Running 6 (2d18h ago) 91d kube-controller-manager-docker-desktop 1/1 Running 6 (2d18h ago) 91d kube-proxy-gc9k6 1/1 Running 6 (2d18h ago) 91d kube-scheduler-docker-desktop 1/1 Running 6 (2d18h ago) 91d storage-provisioner 1/1 Running 10 (2d18h ago) 91d vpnkit-controller 1/1 Running 190 (2d18h ago) 15d ~ kubectl -n kube-system cp kube-apiserver-docker-desktop:/run/config/pki/ca.crt /tmp/ca.crt command terminated with exit code 126
可能kube-apiserver镜像中没有tar命令,所以我尝试将cat和exec放入容器,失败。
kube-apiserver
cat
exec
~ kubectl -n kube-system exec -it kube-apiserver-docker-desktop -- cat /run/config/pki/ca.crt OCI runtime exec failed: exec failed: unable to start container process: exec: "cat": executable file not found in $PATH: unknown command terminated with exit code 126 ~ kubectl -n kube-system exec -it kube-apiserver-docker-desktop -- sh OCI runtime exec failed: exec failed: unable to start container process: exec: "sh": executable file not found in $PATH: unknown command terminated with exit code 126 ~ kubectl -n kube-system exec -it kube-apiserver-docker-desktop -- bash OCI runtime exec failed: exec failed: unable to start container process: exec: "bash": executable file not found in $PATH: unknown command terminated with exit code 126 ~ kubectl -n kube-system exec -it kube-apiserver-docker-desktop -- tar OCI runtime exec failed: exec failed: unable to start container process: exec: "tar": executable file not found in $PATH: unknown command terminated with exit code 126
无论如何,kube-apiserver的基本映像不包含上面的命令。所以我查找kube-apiserver的pod定义,从主机路径找到卷,其中包含ca.crt和ca.key。
k8s-certs: Type: HostPath (bare host directory volume) Path: /run/config/pki HostPathType: DirectoryOrCreate
进入Docker Desktop VM的两个步骤:1.打开一个终端,粘贴$ socat -d -d ~/Library/Containers/com.docker.docker/Data/debug-shell.sock pty,rawer,记住tty设备从输出像PTY is /dev/ttys<XXX>1.打开另一个终端,粘贴$ screen /dev/ttys<XXX>。现在你在虚拟机中,只是cat文件位于/run/config/pki中。文件如下
$ socat -d -d ~/Library/Containers/com.docker.docker/Data/debug-shell.sock pty,rawer
PTY is /dev/ttys<XXX>
$ screen /dev/ttys<XXX>
/run/config/pki
/ # ls /run/config/pki apiserver-etcd-client.crt etcd apiserver-etcd-client.key front-proxy-ca.crt apiserver-kubelet-client.crt front-proxy-ca.key apiserver-kubelet-client.key front-proxy-client.crt apiserver.crt front-proxy-client.key apiserver.key sa.key ca.crt sa.pub
2条答案
按热度按时间x33g5p2x1#
默认情况下,您的HyperKit VM不会在docker-for-desktop中本地挂载卷。
最好的办法是使用
kubectl cp手动将ca.crt复制到您的机器上。示例:
iszxjhcz2#
我尝试了jaxxstorm的命令,但错误返回。
可能
kube-apiserver镜像中没有tar命令,所以我尝试将cat和exec放入容器,失败。无论如何,
kube-apiserver的基本映像不包含上面的命令。所以我查找kube-apiserver的pod定义,从主机路径找到卷,其中包含ca.crt和ca.key。进入Docker Desktop VM的两个步骤:
1.打开一个终端,粘贴
$ socat -d -d ~/Library/Containers/com.docker.docker/Data/debug-shell.sock pty,rawer,记住tty设备从输出像PTY is /dev/ttys<XXX>1.打开另一个终端,粘贴
$ screen /dev/ttys<XXX>。现在你在虚拟机中,只是cat文件位于/run/config/pki中。文件如下