How to Configure the Kubernetes Aggregation Layer

What

Aggregation layer 和 CustomResourceDefinition 都是 Kubernetes为扩展API的方式,两者的对比:Comparing Aggregation and CRD

### kubernetes最新的一个系统监控组件metrics-server(用来代替heapster)在部署的过程中需要api-server提前配置好 Aggregation Layer,但是配置相关的官方文档很简短,并没有详细的步骤,现在这里介绍下怎么配置,证书生成和其他一些细节.

Configure the Kubernetes Aggregation Layer

在kubernetes核心代码里有一个组件 kube-aggregator,实现了以下3个功能: - Provide an API for registering API servers. - Summarize discovery information from all the servers. - Proxy client requests to individual servers.

最后可能的request path如下

    client ----> proxy(kube-aggregator) ----> kube-apiserver
                                        ----> (ex. metrics-server)

生成生证书

proxy-client certs就是提供与后端apiserver双向TLS验证过程中的凭证,其中证书的CN属性 需要和apiserver的–requestheader-allowed-names值一致.

Install cfssl.

[cfssl](https://github.com/cloudflare/cfssl)
生成 Kubernetes-front-proxy CA 证书

kubernetes-front-proxy-ca-csr.json:

{
    "CN": "Kubernetes-front-proxy CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BJ",
            "ST": "BJ",
            "O": "Kubernetes-front-proxy CA",
            "OU": "Kubernetes-front-proxy CA"
        }
    ]
}

使用下面的证书生成CA的证书

$ cfssl gencert -initca ./kubernetes-front-proxy-CA-csr.json | cfssljson -bare kubernetes-front-proxy-ca
生成 front-proxy-client 证书

ca-config.json:

{
    "signing": {
        "default": {
            "expiry": "876000h"
        },
        "profiles": {
            "kubernetes-front-proxy": {
                "expiry": "876000h",
                "usages": [
                    "signing",
                    "key encipherment",
		            "client auth"
                ]
            }
        }
    }
}

kubernetes-front-proxy.csr:

{
  "CN": "front-proxy-client",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
        {
            "C": "CN",
            "L": "BJ",
            "ST": "BJ",
            "O": "front-proxy-client",
            "OU": "front-proxy-client"
        }
    ]
}

使用以下命令生成 front-proxy-client 证书:

$ cfssl gencert -ca=kubernetes-front-proxy-ca.pem -ca-key=kubernetes-front-proxy-ca-key.pem  --config=ca-config.json -profile=kubernetes-front-proxy ./kubernetes-front-proxy.csr | cfssljson -bare kubernetes-front-proxy

kube-apiserver 添加启动参数

 --requestheader-client-ca-file=<path to aggregator CA cert>
 --requestheader-allowed-names=front-proxy-client
 --requestheader-extra-headers-prefix=X-Remote-Extra-
 --requestheader-group-headers=X-Remote-Group
 --requestheader-username-headers=X-Remote-User
 --proxy-client-cert-file=<path to aggregator proxy cert>
 --proxy-client-key-file=<path to aggregator proxy key>

Tips:如果你的api-server节点上没有kube-proxy,额外添加参数

--enable-aggregator-routing=true

参考