In this lab you will generate Kubernetes configuration files, also known as kubeconfigs, which enable Kubernetes clients to locate and authenticate to the Kubernetes API Servers.
In this section you will generate kubeconfig files for the kubelet and kube-proxy clients.
The scheduler and controller manager access the Kubernetes API Server locally over an insecure API port which does not require authentication. The Kubernetes API Server's insecure port is only enabled for local access.
When generating kubeconfig files for Kubelets, the client certificate matching the Kubelet's node name must be used. This ensures Kubelets are properly authorized by the Kubernetes Node Authorizer.
Generate a kubeconfig file for each worker node:
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://${MASTER_PRIV_IP}:6443 \
--kubeconfig=worker.kubeconfig
kubectl config set-credentials system:node:worker \
--client-certificate=worker.pem \
--client-key=worker-key.pem \
--embed-certs=true \
--kubeconfig=worker.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=system:node:worker \
--kubeconfig=worker.kubeconfig
kubectl config use-context default --kubeconfig=worker.kubeconfig
Results:
worker.kubeconfig
Generate a kubeconfig file for the kube-proxy service:
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://${MASTER_PRIV_IP}:6443 \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
--client-certificate=kube-proxy.pem \
--client-key=kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
Copy the kubelet and kube-proxy kubeconfig files to the worker instance:
scp worker.kubeconfig kube-proxy.kubeconfig ubuntu@${WORKER_EXT_IP}:~/
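As an added example (not part of the original lab), the Python below builds the same kubeconfig document that the set-cluster / set-credentials / set-context / use-context sequence above produces, then checks the properties that matter before a file is copied to a worker: an https endpoint, the CA pinned through certificate-authority-data, a user named system:node:<node> so the Node Authorizer accepts the kubelet, and a client key present. It also writes the file mode 0600, since with --embed-certs=true the private key lives inside the kubeconfig. The PEM blobs and the 10.240.0.10 address are constructed placeholders standing in for ca.pem, worker.pem, worker-key.pem and ${MASTER_PRIV_IP}.

```python
import base64
import json
import os
from urllib.parse import urlsplit

# Constructed placeholder PEM blobs; the lab's real files are ca.pem, worker.pem, worker-key.pem.
CA_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n"
CLIENT_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END RSA PRIVATE KEY-----\n"

def b64(pem):
    """--embed-certs=true stores file contents base64-encoded in the *-data fields."""
    return base64.b64encode(pem.encode()).decode()

def build_kubeconfig(cluster, server, ca_pem, user, cert_pem, key_pem, context="default"):
    """Document the set-cluster / set-credentials / set-context / use-context sequence yields
    (JSON is valid YAML, so Kubernetes clients read it as a kubeconfig)."""
    return {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": cluster, "cluster": {
            "server": server, "certificate-authority-data": b64(ca_pem)}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": b64(cert_pem), "client-key-data": b64(key_pem)}}],
        "contexts": [{"name": context, "context": {"cluster": cluster, "user": user}}],
        "current-context": context,
    }

def check_node_kubeconfig(cfg, node_name):
    """Findings for a kubelet kubeconfig; an empty list means it passes."""
    findings = []
    ctx = next((c["context"] for c in cfg["contexts"] if c["name"] == cfg.get("current-context")), None)
    if ctx is None:
        return ["current-context does not name a defined context"]
    cluster = next(c["cluster"] for c in cfg["clusters"] if c["name"] == ctx["cluster"])
    user = next(u["user"] for u in cfg["users"] if u["name"] == ctx["user"])
    if urlsplit(cluster["server"]).scheme != "https":
        findings.append("server is not https")
    if cluster.get("insecure-skip-tls-verify") or "certificate-authority-data" not in cluster:
        findings.append("API server certificate is not verified against the CA")
    if ctx["user"] != f"system:node:{node_name}":  # the name the Node Authorizer keys on
        findings.append(f"user {ctx['user']!r} will not be authorized as node {node_name!r}")
    if "client-key-data" not in user and "client-key" not in user:
        findings.append("no client key: the kubelet cannot authenticate")
    return findings

def write_kubeconfig(cfg, path):
    """The file carries a private key: create it 0600 instead of chmod after the fact."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(cfg, f, indent=2)
```

Running check_node_kubeconfig against a worker kubeconfig whose user does not match the node's hostname reports the mismatch that would otherwise surface only as 403s from the Node Authorizer once the kubelet starts.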