Operating a Tencent Cloud k8s cluster with kubectl from outside the cluster
Create the k8s-envoy Deployment in k8s
k8s-envoy image
envoyproxy/envoy-alpine:v1.14.1
Configuration file
static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 8080 # k8s-envoy listening port
    filter_chains:
    - filters:
      - name: envoy.tcp_proxy
        config:
          stat_prefix: ingress_tcp
          cluster: k8s_server
          access_log:
          - name: envoy.file_access_log
            config:
              path: /dev/stdout
  clusters:
  - name: k8s_server
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    hosts:
    - socket_address:
        address: 10.1.184.1 # kubernetes service ip
        port_value: 443
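Change the Service for the k8s-envoy Deployment above to type NodePort
Client usage
Copy the CA, config, etc. for the Tencent Cloud account or for an SA account you created yourself
Change the IP in the config to the IP of one of the k8s-envoy nodes, and the port to the k8s-envoy listening port
Running kubectl fails with an error
Unable to connect to the server: x509: certificate is valid for 1.1.1.1, 10.53.228.19, 169.254.128.13, 10.5.1.1, 127.0.0.1, 0.0.0.0, not 10.1.1.10
The cause is the HTTPS certificate: it is valid only for the IPs listed above, and 127.0.0.1 is among them
Start k8s-envoy-client locally
Envoy configuration file k8s-envoy-client.yaml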
static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 6002 # k8s-envoy-client listening port
    filter_chains:
    - filters:
      - name: envoy.tcp_proxy
        config:
          stat_prefix: ingress_tcp
          cluster: k8s_server
          access_log:
          - name: envoy.file_access_log
            config:
              path: /dev/stdout
  clusters:
  - name: k8s_server
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    hosts:
    - socket_address:
        address: 10.1.1.10 # IP of any k8s-envoy node
        port_value: 30272 # k8s-envoy service node port
Start k8s-envoy-client
docker run -d -p 6002:6002 -v "$(pwd)/k8s-envoy-client.yaml:/etc/envoy/envoy.yaml" --name k8s-envoy-client envoyproxy/envoy-alpine:v1.14.1
Change the IP and port in the config
Set the IP and port in the config to 127.0.0.1 and 6002
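The check behind the last two steps, as an added example (not part of the original post): it reads the SAN list out of the kubectl x509 error, confirms a loopback IP is covered, and only then rewrites the kubeconfig `server:` entry, so certificate verification stays enabled. The function names, the kubeconfig fragment, the cluster name and the CA placeholder are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the kubectl error quoted on this page.
KUBECTL_ERROR = (
    "Unable to connect to the server: x509: certificate is valid for "
    "1.1.1.1, 10.53.228.19, 169.254.128.13, 10.5.1.1, 127.0.0.1, 0.0.0.0, "
    "not 10.1.1.10"
)
# Constructed kubeconfig fragment; cluster name and CA data are placeholders.
KUBECONFIG = """\
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: PLACEHOLDER_CA
    server: https://10.1.1.10:30272
  name: example-cluster
"""

def parse_x509_error(message):
    """Return (SAN entries, rejected host) from a Go x509 SAN mismatch error."""
    m = re.search(r"certificate is valid for (.+), not (\S+)", message)
    if not m:
        raise ValueError("not an x509 SAN mismatch error")
    return [s.strip() for s in m.group(1).split(",")], m.group(2)

def is_loopback(entry):
    """True only for loopback IP literals (0.0.0.0 is not loopback)."""
    try:
        return ipaddress.ip_address(entry).is_loopback
    except ValueError:  # DNS-name SAN, not an IP literal
        return False

def rewrite_server(kubeconfig_text, host, port):
    """Point every `server:` line at host:port; CA data stays untouched."""
    return re.sub(r"(?m)^([ \t]*server:[ \t]*)https://\S+$",
                  rf"\g<1>https://{host}:{port}", kubeconfig_text)

def plan(message, kubeconfig_text, local_port):
    """Rewrite the kubeconfig only if the certificate covers a loopback IP."""
    sans, _rejected = parse_x509_error(message)
    usable = [s for s in sans if is_loopback(s)]
    if not usable:
        raise RuntimeError("certificate has no loopback SAN; a local proxy will not verify")
    return rewrite_server(kubeconfig_text, usable[0], local_port)

if __name__ == "__main__":
    print(plan(KUBECTL_ERROR, KUBECONFIG, 6002))
```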