Skip to content

Latest commit

 

History

History
83 lines (60 loc) · 2.6 KB

05-kubernetes-configuration-files.md

File metadata and controls

83 lines (60 loc) · 2.6 KB
Raw

Generating Kubernetes Configuration Files for Authentication

In this lab you will generate Kubernetes configuration files, also known as kubeconfigs, which enable Kubernetes clients to locate and authenticate to the Kubernetes API Servers.

Client Authentication Configs

In this section you will generate kubeconfig files for the kubelet and kube-proxy clients.

The scheduler and controller manager access the Kubernetes API Server locally over an insecure API port which does not require authentication. The Kubernetes API Server's insecure port is only enabled for local access.

The kubelet Kubernetes Configuration File

When generating kubeconfig files for Kubelets the client certificate matching the Kubelet's node name must be used. This will ensure Kubelets are properly authorized by the Kubernetes Node Authorizer.

Generate a kubeconfig file for each worker node:

kubectl config set-cluster kubernetes-the-hard-way \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=https://${MASTER_PRIV_IP}:6443 \
  --kubeconfig=worker.kubeconfig

kubectl config set-credentials system:node:worker \
  --client-certificate=worker.pem \
  --client-key=worker-key.pem \
  --embed-certs=true \
  --kubeconfig=worker.kubeconfig

kubectl config set-context default \
  --cluster=kubernetes-the-hard-way \
  --user=system:node:worker \
  --kubeconfig=worker.kubeconfig

kubectl config use-context default --kubeconfig=worker.kubeconfig

Results:

worker.kubeconfig

The kube-proxy Kubernetes Configuration File

Generate a kubeconfig file for the kube-proxy service:

kubectl config set-cluster kubernetes-the-hard-way \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --server=https://${MASTER_PRIV_IP}:6443 \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config set-credentials kube-proxy \
  --client-certificate=kube-proxy.pem \
  --client-key=kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config set-context default \
  --cluster=kubernetes-the-hard-way \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig

Distribute the Kubernetes Configuration Files

Copy kubelet and kube-proxy kubeconfig files to worker instance:

scp worker.kubeconfig kube-proxy.kubeconfig ubuntu@${WORKER_EXT_IP}:~/

Next: Generating the Data Encryption Config and Key