# Generating Kubernetes Configuration Files for Authentication
In this lab you will generate [Kubernetes configuration files](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/), also known as "kubeconfigs", which enable Kubernetes clients to locate and authenticate to the Kubernetes API Servers.

Note: It is good practice for the kubeconfigs used by the node services to reference their certificates by file path rather than embedding them. When a certificate is rotated, the kubeconfig then does not need to be regenerated, as it would if the certificate data were embedded. The certificate files do not exist at these paths yet; they will be placed there in later labs.

User configs, like `admin.kubeconfig`, will have the certificate info embedded within them.

## Client Authentication Configs
In this section you will generate kubeconfig files for the `controller manager`, `kube-proxy` and `scheduler` clients and for the `admin` user.

### Kubernetes Public IP Address
Each kubeconfig requires a Kubernetes API Server to connect to. To support high availability, the IP address assigned to the load balancer is used by the services that run on the worker nodes, so first capture the load balancer's address in a shell variable for use in those kubeconfigs. The controller manager and scheduler talk to the API server running on the same host, so they use the localhost address instead.

[//]: # (host:controlplane01)
```bash
LOADBALANCER=$(dig +short loadbalancer)
```
### The kube-proxy Kubernetes Configuration File
Generate a kubeconfig file for the `kube-proxy` service:
```bash
{
  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=/var/lib/kubernetes/pki/ca.crt \
    --server=https://${LOADBALANCER}:6443 \
    --kubeconfig=kube-proxy.kubeconfig

  kubectl config set-credentials system:kube-proxy \
    --client-certificate=/var/lib/kubernetes/pki/kube-proxy.crt \
    --client-key=/var/lib/kubernetes/pki/kube-proxy.key \
    --kubeconfig=kube-proxy.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-the-hard-way \
    --user=system:kube-proxy \
    --kubeconfig=kube-proxy.kubeconfig

  kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
}
```
Results:

```
kube-proxy.kubeconfig
```
Reference docs for kube-proxy [here](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/).

### The kube-controller-manager Kubernetes Configuration File
Generate a kubeconfig file for the `kube-controller-manager` service:
```bash
{
  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=/var/lib/kubernetes/pki/ca.crt \
    --server=https://127.0.0.1:6443 \
    --kubeconfig=kube-controller-manager.kubeconfig

  kubectl config set-credentials system:kube-controller-manager \
    --client-certificate=/var/lib/kubernetes/pki/kube-controller-manager.crt \
    --client-key=/var/lib/kubernetes/pki/kube-controller-manager.key \
    --kubeconfig=kube-controller-manager.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-the-hard-way \
    --user=system:kube-controller-manager \
    --kubeconfig=kube-controller-manager.kubeconfig

  kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
}
```
Results:
```
kube-controller-manager.kubeconfig
```
Reference docs for kube-controller-manager [here](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/).

### The kube-scheduler Kubernetes Configuration File
Generate a kubeconfig file for the `kube-scheduler` service:
```bash
{
  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=/var/lib/kubernetes/pki/ca.crt \
    --server=https://127.0.0.1:6443 \
    --kubeconfig=kube-scheduler.kubeconfig

  kubectl config set-credentials system:kube-scheduler \
    --client-certificate=/var/lib/kubernetes/pki/kube-scheduler.crt \
    --client-key=/var/lib/kubernetes/pki/kube-scheduler.key \
    --kubeconfig=kube-scheduler.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-the-hard-way \
    --user=system:kube-scheduler \
    --kubeconfig=kube-scheduler.kubeconfig

  kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
}
```
Results:

```
kube-scheduler.kubeconfig
```
Reference docs for kube-scheduler [here](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/).

### The admin Kubernetes Configuration File
Generate a kubeconfig file for the `admin` user:
```bash
{
  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=ca.crt \
    --embed-certs=true \
    --server=https://127.0.0.1:6443 \
    --kubeconfig=admin.kubeconfig

  kubectl config set-credentials admin \
    --client-certificate=admin.crt \
    --client-key=admin.key \
    --embed-certs=true \
    --kubeconfig=admin.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-the-hard-way \
    --user=admin \
    --kubeconfig=admin.kubeconfig

  kubectl config use-context default --kubeconfig=admin.kubeconfig
}
```
Results:

```
admin.kubeconfig
```
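As an added example (not code from the kubernetes-the-hard-way repo, and it does not invoke kubectl), the following Python reproduces what the four `kubectl config` commands above write, in both the file-path form used for the node services and the `--embed-certs=true` form used for `admin.kubeconfig`, and then runs the structural checks a reviewer would want before distributing the files: every context resolves to a defined cluster and user, the server URL is HTTPS, `insecure-skip-tls-verify` is unset, and each certificate appears in exactly the form (path or embedded) intended for that kubeconfig. The PEM content is a constructed placeholder, the `loadbalancer` server name stands in for the address the lab resolves with `dig`, and the kubeconfig is serialised as JSON, which kubectl accepts because JSON is valid YAML.

```python
"""Build and sanity-check kubeconfigs without kubectl (example code for this page,
not part of the kubernetes-the-hard-way project). Assumptions: a kubeconfig is a
plain dict serialised as JSON; the PEM strings are constructed placeholders."""
import base64
import json
import os
import tempfile

# Constructed placeholder PEM blocks: the right shape for the checks below, no real key material.
PEM_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
PEM_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"


def new_kubeconfig():
    return {"apiVersion": "v1", "kind": "Config", "clusters": [], "users": [],
            "contexts": [], "current-context": ""}


def _upsert(section, name, key, value):
    # kubectl config set-* overwrites an existing entry of the same name or appends a new one.
    for entry in section:
        if entry["name"] == name:
            entry[key] = value
            return
    section.append({"name": name, key: value})


def _embed(path):
    with open(path, "rb") as fh:
        return base64.b64encode(fh.read()).decode("ascii")


def set_cluster(cfg, name, server, ca_path, embed=False):
    """Mirror of `kubectl config set-cluster`; embed=True is `--embed-certs=true`."""
    cluster = {"server": server}
    if embed:
        cluster["certificate-authority-data"] = _embed(ca_path)
    else:
        cluster["certificate-authority"] = ca_path
    _upsert(cfg["clusters"], name, "cluster", cluster)


def set_credentials(cfg, name, cert_path, key_path, embed=False):
    """Mirror of `kubectl config set-credentials`; embed=True is `--embed-certs=true`."""
    if embed:
        user = {"client-certificate-data": _embed(cert_path), "client-key-data": _embed(key_path)}
    else:
        user = {"client-certificate": cert_path, "client-key": key_path}
    _upsert(cfg["users"], name, "user", user)


def set_context(cfg, name, cluster, user):
    _upsert(cfg["contexts"], name, "context", {"cluster": cluster, "user": user})


def use_context(cfg, name):
    cfg["current-context"] = name


def _looks_like_pem(b64):
    try:
        return base64.b64decode(b64, validate=True).startswith(b"-----BEGIN ")
    except ValueError:
        return False


def _check_material(label, section, keys, mode):
    # Each key must be present as exactly one of <key> (file path) or <key>-data (embedded),
    # in the form `mode` expects: "path" for service kubeconfigs, "embed" for user kubeconfigs.
    out = []
    for key in keys:
        path, data = section.get(key), section.get(key + "-data")
        if bool(path) == bool(data):
            out.append(f"{label}: expected exactly one of {key} / {key}-data")
        elif mode == "embed" and not data:
            out.append(f"{label}: {key} should be embedded")
        elif mode == "path" and not path:
            out.append(f"{label}: {key} should be a file path, not embedded")
        elif data and not _looks_like_pem(data):
            out.append(f"{label}: {key}-data does not decode to a PEM block")
    return out


def check_kubeconfig(cfg, mode):
    """Return a list of findings; an empty list means the kubeconfig passes the structural checks."""
    clusters = {c["name"]: c["cluster"] for c in cfg.get("clusters", [])}
    users = {u["name"]: u["user"] for u in cfg.get("users", [])}
    contexts = {c["name"]: c["context"] for c in cfg.get("contexts", [])}
    findings = []
    if cfg.get("current-context") not in contexts:
        findings.append(f"current-context {cfg.get('current-context')!r} is not a defined context")
    for name, ctx in contexts.items():
        if ctx.get("cluster") not in clusters:
            findings.append(f"context {name}: unknown cluster {ctx.get('cluster')!r}")
        if ctx.get("user") not in users:
            findings.append(f"context {name}: unknown user {ctx.get('user')!r}")
    for name, cl in clusters.items():
        if not str(cl.get("server", "")).startswith("https://"):
            findings.append(f"cluster {name}: server is not https")
        if cl.get("insecure-skip-tls-verify"):
            findings.append(f"cluster {name}: insecure-skip-tls-verify disables server authentication")
        findings += _check_material(f"cluster {name}", cl, ["certificate-authority"], mode)
    for name, us in users.items():
        findings += _check_material(f"user {name}", us, ["client-certificate", "client-key"], mode)
    return findings


def demo():
    """Build a kube-proxy style (paths) and an admin style (embedded) kubeconfig from
    placeholder files, then check them along with two deliberately wrong cases."""
    with tempfile.TemporaryDirectory() as pki:  # checks are structural, so the files may vanish afterwards
        for fname, pem in (("ca.crt", PEM_CERT), ("kube-proxy.crt", PEM_CERT), ("kube-proxy.key", PEM_KEY),
                           ("admin.crt", PEM_CERT), ("admin.key", PEM_KEY)):
            with open(os.path.join(pki, fname), "w") as fh:
                fh.write(pem)
        p = lambda f: os.path.join(pki, f)
        proxy = new_kubeconfig()
        # "loadbalancer" stands in for the IP the lab resolves with `dig +short loadbalancer`.
        set_cluster(proxy, "kubernetes-the-hard-way", "https://loadbalancer:6443", p("ca.crt"))
        set_credentials(proxy, "system:kube-proxy", p("kube-proxy.crt"), p("kube-proxy.key"))
        set_context(proxy, "default", "kubernetes-the-hard-way", "system:kube-proxy")
        use_context(proxy, "default")
        admin = new_kubeconfig()
        set_cluster(admin, "kubernetes-the-hard-way", "https://127.0.0.1:6443", p("ca.crt"), embed=True)
        set_credentials(admin, "admin", p("admin.crt"), p("admin.key"), embed=True)
        set_context(admin, "default", "kubernetes-the-hard-way", "admin")
        use_context(admin, "default")
    tampered = json.loads(json.dumps(proxy))  # deep copy, then break it: plaintext API and dangling context
    tampered["clusters"][0]["cluster"]["server"] = "http://loadbalancer:6443"
    tampered["current-context"] = "prod"
    return {"proxy": check_kubeconfig(proxy, "path"),
            "admin": check_kubeconfig(admin, "embed"),
            "admin_as_service": check_kubeconfig(admin, "path"),
            "tampered": check_kubeconfig(tampered, "path")}


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "OK")
```

To check a real file, load the output of `kubectl config view --raw -o json --kubeconfig=<file>` with `json.load()` and pass the dict to `check_kubeconfig`. The checks are structural only: the name given to `set-credentials` is just a label inside the file, and the API server takes the client's identity from the certificate subject (CN for the user, O for groups), so a kubeconfig that points at the wrong certificate file still needs `openssl x509 -noout -subject -in <cert>` to catch the mismatch.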
Reference docs for kubeconfig [here](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/).

## Distribute the Kubernetes Configuration Files
Copy the appropriate `kube-proxy` kubeconfig files to each worker instance:
```bash
for instance in node01 node02; do
  scp kube-proxy.kubeconfig ${instance}:~/
done
```
Copy the `admin.kubeconfig`, `kube-controller-manager.kubeconfig` and `kube-scheduler.kubeconfig` files to each controller instance:

```bash
for instance in controlplane01 controlplane02; do
  scp admin.kubeconfig kube-controller-manager.kubeconfig kube-scheduler.kubeconfig ${instance}:~/
done
```
## Optional - Check kubeconfigs
On the `controlplane01` and `controlplane02` nodes, run the following, selecting option 2:

[//]: # (command:./cert_verify.sh 2)
[//]: # (command:ssh controlplane02 './cert_verify.sh 2')
```bash
./cert_verify.sh
```

Next: [Generating the Data Encryption Config and Key](./06-data-encryption-keys.md)<br>
Prev: [Certificate Authority](./04-certificate-authority.md)