Config Remote Access for Microk8s
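Configuring remote access to a microk8s cluster
microk8s is a single-node k8s cluster. It is easy to install on a single Linux server (if the server supports snap, one snap install is enough), which makes it well suited to development, testing, or learning k8s.
To operate it with kubectl the same way you operate minikube locally, you need to configure the kubeconfig.
It comes down to three steps: set the cluster, the user, and the context.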
bind apiserver to 0.0.0.0
vi /var/snap/microk8s/current/args/kube-apiserver
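Change --insecure-bind-address=127.0.0.1 to --insecure-bind-address=0.0.0.0, or add the flag if it is not there. This flag sets the address of the apiserver's insecure port, which serves the API over plain HTTP without authentication.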
snap stop microk8s
snap start microk8s
Set cluster
kubectl config set-cluster microk8s --server=https://:
The IP, port, keys and so on can be read from the output of ps aux | grep apiserver
Set user
kubectl config set-credentials admin --client-certificate=/tmp/microk8s/server.crt --client-key=/tmp/microk8s/server.key
Set context
kubectl config set-context microk8s --cluster=microk8s --user=admin
kubectl --insecure-skip-tls-verify get pods
You can also open the local ~/.kube/config in an editor and edit it directly.
Unable to connect to the server: x509: certificate is valid for 127.0.0.1
For testing, this kind of error can be bypassed by setting --insecure-skip-tls-verify,
or you can regenerate the certificate:
https://github.com/ubuntu/microk8s/issues/376
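tip: to operate a remote server's microk8s cluster directly with kubectl on a local Mac
The simplest way is:
Run microk8s.config on the server and copy its output to ~/.kube/microk8s on the local machine
Remove certificate-authority-data
Add insecure-skip-tls-verify: true
Replace the IP, and open port 16443 in the firewall
- Insecure access (that is, you do not want to configure certificates or encrypt the traffic)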
insecure-skip-tls-verify
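When kubectl talks to the secure port of kube-apiserver, a TLS certificate and key have to be provided for secure communication. Alternatively, remove certificate-authority-data from the kubeconfig and add insecure-skip-tls-verify: true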
KUBECONFIG=~/.kube/microk8s kubectl get pods
- cluster:
    server: https://120.26.57.96:16443
    insecure-skip-tls-verify: true
- Configure certificates
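Before swapping the test-only setting above for real certificates, it helps to know which kubeconfig entries still skip verification of the server certificate. The shell function below is an added example, not part of the original post; it assumes the two-space layout that kubectl writes, and the sample kubeconfig (entry names, placeholder CA, the 192.0.2.10 address) is constructed.

```shell
# Added example: print "<name> <server> <status>" for every cluster entry in a
# kubeconfig. Exit status is 1 if any entry has insecure-skip-tls-verify: true.
audit_kubeconfig() {
    awk -v q="'" '
    function flush() {
        if (in_entry) {
            status = has_ca ? "ca-pinned" : "no-ca-in-entry"
            if (insecure) { status = "INSECURE-SKIP-TLS-VERIFY"; bad++ }
            printf "%s %s %s\n", (name == "" ? "-" : name), (server == "" ? "-" : server), status
        }
        in_entry = 0; name = ""; server = ""; insecure = 0; has_ca = 0
    }
    NF == 0 || $1 ~ /^#/ { next }                      # blank lines and comments
    /^[A-Za-z]/ {                                      # a new top-level key
        flush(); in_clusters = ($1 == "clusters:"); base = -1; next
    }
    !in_clusters { next }
    { indent = index($0, $1) - 1; gsub("[\"" q "]", "") }   # strip YAML quotes
    $1 == "-" && (base < 0 || indent == base) {        # next item of the clusters list
        flush(); in_entry = 1; base = indent
        sub(/- /, "  "); indent += 2                   # expose the key after the dash
    }
    $1 == "name:" && indent == base + 2 { name = $2 }  # ignore nested extension names
    $1 == "server:" { server = $2 }
    $1 == "insecure-skip-tls-verify:" && $2 == "true" { insecure = 1 }
    $1 ~ /^certificate-authority(-data)?:$/ { has_ca = 1 }
    END { flush(); exit (bad > 0) }
    ' "$1"
}

# Constructed sample: one entry that keeps its CA, one set up as in the tip above.
sample_kubeconfig() {
    cat <<'EOF'
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: PLACEHOLDER_BASE64_CA
    server: https://127.0.0.1:16443
  name: microk8s-local
- cluster:
    insecure-skip-tls-verify: true
    server: https://192.0.2.10:16443
  name: microk8s-remote
EOF
}

tmp=$(mktemp); sample_kubeconfig > "$tmp"
audit_kubeconfig "$tmp" || echo "at least one cluster entry skips TLS verification" >&2
rm -f "$tmp"
```

Run it as audit_kubeconfig ~/.kube/microk8s; the non-zero exit status makes it usable as a pre-commit or CI check on shared kubeconfig files.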
links:
https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/
https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/
kubernetes certificate-authority-data
https://github.com/kubernetes/kubernetes/issues/61572
https://kubernetes.io/docs/concepts/cluster-administration/certificates/
https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/