kubernetes-the-hard-way/docs/05-kubernetes-configuration...

# Generating Kubernetes Configuration Files for Authentication

In this lab you will generate [Kubernetes client configuration files],
typically called kubeconfigs, which configure Kubernetes clients to connect
and authenticate to Kubernetes API Servers.

## Client Authentication Configs

In this section you will generate kubeconfig files for the `kubelet` and the
`admin` user.

### The kubelet Kubernetes Configuration File

When generating kubeconfig files for Kubelets the client certificate matching
the Kubelet's node name must be used. This will ensure Kubelets are properly
authorized by the Kubernetes [Node Authorizer].

> The following commands must be run in the same directory used to generate
> the SSL certificates during the [Generating TLS Certificates] lab.

Generate a kubeconfig file for the `node01` and `node02` worker nodes:

```bash
for host in node01 node02; do
  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=ca.crt \
    --embed-certs=true \
    --server=https://controlplane.kubernetes.local:6443 \
    --kubeconfig=${host}.kubeconfig

  kubectl config set-credentials system:node:${host} \
    --client-certificate=${host}.crt \
    --client-key=${host}.key \
    --embed-certs=true \
    --kubeconfig=${host}.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-the-hard-way \
    --user=system:node:${host} \
    --kubeconfig=${host}.kubeconfig

  kubectl config use-context default \
    --kubeconfig=${host}.kubeconfig
done
```

Results:

```text
node01.kubeconfig
node02.kubeconfig
```

### The kube-proxy Kubernetes Configuration File

Generate a kubeconfig file for the `kube-proxy` service:

```bash
{
  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=ca.crt \
    --embed-certs=true \
    --server=https://controlplane.kubernetes.local:6443 \
    --kubeconfig=kube-proxy.kubeconfig

  kubectl config set-credentials system:kube-proxy \
    --client-certificate=kube-proxy.crt \
    --client-key=kube-proxy.key \
    --embed-certs=true \
    --kubeconfig=kube-proxy.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-the-hard-way \
    --user=system:kube-proxy \
    --kubeconfig=kube-proxy.kubeconfig

  kubectl config use-context default \
    --kubeconfig=kube-proxy.kubeconfig
}
```

Results:

```text
kube-proxy.kubeconfig
```

### The kube-controller-manager Kubernetes Configuration File

Generate a kubeconfig file for the `kube-controller-manager` service:

```bash
{
  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=ca.crt \
    --embed-certs=true \
    --server=https://controlplane.kubernetes.local:6443 \
    --kubeconfig=kube-controller-manager.kubeconfig

  kubectl config set-credentials system:kube-controller-manager \
    --client-certificate=kube-controller-manager.crt \
    --client-key=kube-controller-manager.key \
    --embed-certs=true \
    --kubeconfig=kube-controller-manager.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-the-hard-way \
    --user=system:kube-controller-manager \
    --kubeconfig=kube-controller-manager.kubeconfig

  kubectl config use-context default \
    --kubeconfig=kube-controller-manager.kubeconfig
}
```

Results:

```text
kube-controller-manager.kubeconfig
```


### The kube-scheduler Kubernetes Configuration File

Generate a kubeconfig file for the `kube-scheduler` service:

```bash
{
  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=ca.crt \
    --embed-certs=true \
    --server=https://controlplane.kubernetes.local:6443 \
    --kubeconfig=kube-scheduler.kubeconfig

  kubectl config set-credentials system:kube-scheduler \
    --client-certificate=kube-scheduler.crt \
    --client-key=kube-scheduler.key \
    --embed-certs=true \
    --kubeconfig=kube-scheduler.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-the-hard-way \
    --user=system:kube-scheduler \
    --kubeconfig=kube-scheduler.kubeconfig

  kubectl config use-context default \
    --kubeconfig=kube-scheduler.kubeconfig
}
```

Results:

```text
kube-scheduler.kubeconfig
```

### The admin Kubernetes Configuration File

Generate a kubeconfig file for the `admin` user:

```bash
{
  kubectl config set-cluster kubernetes-the-hard-way \
    --certificate-authority=ca.crt \
    --embed-certs=true \
    --server=https://127.0.0.1:6443 \
    --kubeconfig=admin.kubeconfig

  kubectl config set-credentials admin \
    --client-certificate=admin.crt \
    --client-key=admin.key \
    --embed-certs=true \
    --kubeconfig=admin.kubeconfig

  kubectl config set-context default \
    --cluster=kubernetes-the-hard-way \
    --user=admin \
    --kubeconfig=admin.kubeconfig

  kubectl config use-context default \
    --kubeconfig=admin.kubeconfig
}
```

Results:

```text
admin.kubeconfig
```

## Distribute the Kubernetes Configuration Files

Copy the `kubelet` and `kube-proxy` kubeconfig files to the `node01` and
`node02` machines:

```bash
for host in node01 node02; do
  ssh vagrant@${host} "sudo mkdir -p /var/lib/{kube-proxy,kubelet}"

  scp kube-proxy.kubeconfig vagrant@${host}:~/
  ssh vagrant@${host} "sudo mv kube-proxy.kubeconfig /var/lib/kube-proxy/kubeconfig"

  scp ${host}.kubeconfig vagrant@${host}:~/
  ssh vagrant@${host} "sudo mv ${host}.kubeconfig /var/lib/kubelet/kubeconfig"
done
```

Copy the `kube-controller-manager` and `kube-scheduler` kubeconfig files to
the `controlplane` machine:

```bash
scp admin.kubeconfig \
  kube-controller-manager.kubeconfig \
  kube-scheduler.kubeconfig \
  vagrant@controlplane:~/
```

Next: [Generating the Data Encryption Config and Key](06-data-encryption-keys.md)

---

[Kubernetes client configuration files]: https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/
[Node Authorizer]: https://kubernetes.io/docs/reference/access-authn-authz/node/
[Generating TLS Certificates]: 04-certificate-authority.md
update docs 2017-08-29 00:19:25 +03:00			`# Generating Kubernetes Configuration Files for Authentication`

chg: User from root To vagrant This commit modifies the instruactions so that they use the vagrant user instead of root. Also sudo is now requierd for a significant amount of the commands. 2025-06-03 05:13:21 +03:00			`In this lab you will generate [Kubernetes client configuration files],`
chg: Hostnames In Documentation Continued Updated more references to old hostnames in the documentation to reflect the new naming convention. 2025-06-02 06:37:55 +03:00			`typically called kubeconfigs, which configure Kubernetes clients to connect`
			`and authenticate to Kubernetes API Servers.`
update docs 2017-08-29 00:19:25 +03:00
			`## Client Authentication Configs`

chg: Hostnames In Documentation Continued Updated more references to old hostnames in the documentation to reflect the new naming convention. 2025-06-02 06:37:55 +03:00			In this section you will generate kubeconfig files for the `kubelet` and the
			`admin` user.
update docs 2017-08-29 00:19:25 +03:00
			`### The kubelet Kubernetes Configuration File`

chg: Hostnames In Documentation Continued Updated more references to old hostnames in the documentation to reflect the new naming convention. 2025-06-02 06:37:55 +03:00			`When generating kubeconfig files for Kubelets the client certificate matching`
			`the Kubelet's node name must be used. This will ensure Kubelets are properly`
chg: User from root To vagrant This commit modifies the instruactions so that they use the vagrant user instead of root. Also sudo is now requierd for a significant amount of the commands. 2025-06-03 05:13:21 +03:00			`authorized by the Kubernetes [Node Authorizer].`
update docs 2017-08-29 00:19:25 +03:00
chg: Hostnames In Documentation Continued Updated more references to old hostnames in the documentation to reflect the new naming convention. 2025-06-02 06:37:55 +03:00			`> The following commands must be run in the same directory used to generate`
chg: User from root To vagrant This commit modifies the instruactions so that they use the vagrant user instead of root. Also sudo is now requierd for a significant amount of the commands. 2025-06-03 05:13:21 +03:00			`> the SSL certificates during the [Generating TLS Certificates] lab.`
Update to Kubernetes 1.15.3 2019-09-14 21:41:56 +03:00
chg: Hostnames In Documentation Changed server to controlplane and node-0 to node01, and node-1 to node02 in the documentation. Also started reformatting to limit lines to 80 characters. Added a section on how to enable to root account for login. 2025-06-02 05:33:01 +03:00			Generate a kubeconfig file for the `node01` and `node02` worker nodes:
update docs 2017-08-29 00:19:25 +03:00
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			```bash
chg: Hostnames In Documentation Changed server to controlplane and node-0 to node01, and node-1 to node02 in the documentation. Also started reformatting to limit lines to 80 characters. Added a section on how to enable to root account for login. 2025-06-02 05:33:01 +03:00			`for host in node01 node02; do`
update docs 2017-08-29 00:19:25 +03:00			`kubectl config set-cluster kubernetes-the-hard-way \`
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`--certificate-authority=ca.crt \`
update docs 2017-08-29 00:19:25 +03:00			`--embed-certs=true \`
chg: Hostnames In Documentation Continued Updated more places where the hostnames were not updated to reflect the new hostnames for the jumpbox, controller, and worker nodes. 2025-06-02 05:59:11 +03:00			`--server=https://controlplane.kubernetes.local:6443 \`
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`--kubeconfig=${host}.kubeconfig`
update docs 2017-08-29 00:19:25 +03:00
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`kubectl config set-credentials system:node:${host} \`
			`--client-certificate=${host}.crt \`
			`--client-key=${host}.key \`
update docs 2017-08-29 00:19:25 +03:00			`--embed-certs=true \`
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`--kubeconfig=${host}.kubeconfig`
update docs 2017-08-29 00:19:25 +03:00
			`kubectl config set-context default \`
			`--cluster=kubernetes-the-hard-way \`
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`--user=system:node:${host} \`
			`--kubeconfig=${host}.kubeconfig`
update docs 2017-08-29 00:19:25 +03:00
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`kubectl config use-context default \`
			`--kubeconfig=${host}.kubeconfig`
update docs 2017-08-29 00:19:25 +03:00			`done`
			```

			`Results:`

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			```text
chg: Hostnames In Documentation Changed server to controlplane and node-0 to node01, and node-1 to node02 in the documentation. Also started reformatting to limit lines to 80 characters. Added a section on how to enable to root account for login. 2025-06-02 05:33:01 +03:00			`node01.kubeconfig`
			`node02.kubeconfig`
update docs 2017-08-29 00:19:25 +03:00			```

			`### The kube-proxy Kubernetes Configuration File`

			Generate a kubeconfig file for the `kube-proxy` service:

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			```bash
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`{`
			`kubectl config set-cluster kubernetes-the-hard-way \`
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`--certificate-authority=ca.crt \`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`--embed-certs=true \`
chg: Hostnames In Documentation Continued Updated more places where the hostnames were not updated to reflect the new hostnames for the jumpbox, controller, and worker nodes. 2025-06-02 05:59:11 +03:00			`--server=https://controlplane.kubernetes.local:6443 \`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`--kubeconfig=kube-proxy.kubeconfig`

			`kubectl config set-credentials system:kube-proxy \`
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`--client-certificate=kube-proxy.crt \`
			`--client-key=kube-proxy.key \`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`--embed-certs=true \`
			`--kubeconfig=kube-proxy.kubeconfig`

			`kubectl config set-context default \`
			`--cluster=kubernetes-the-hard-way \`
			`--user=system:kube-proxy \`
			`--kubeconfig=kube-proxy.kubeconfig`

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`kubectl config use-context default \`
			`--kubeconfig=kube-proxy.kubeconfig`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`}`
			```

			`Results:`

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			```text
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`kube-proxy.kubeconfig`
			```

			`### The kube-controller-manager Kubernetes Configuration File`

			Generate a kubeconfig file for the `kube-controller-manager` service:

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			```bash
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`{`
			`kubectl config set-cluster kubernetes-the-hard-way \`
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`--certificate-authority=ca.crt \`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`--embed-certs=true \`
chg: Hostnames In Documentation Continued Updated more places where the hostnames were not updated to reflect the new hostnames for the jumpbox, controller, and worker nodes. 2025-06-02 05:59:11 +03:00			`--server=https://controlplane.kubernetes.local:6443 \`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`--kubeconfig=kube-controller-manager.kubeconfig`

			`kubectl config set-credentials system:kube-controller-manager \`
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`--client-certificate=kube-controller-manager.crt \`
			`--client-key=kube-controller-manager.key \`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`--embed-certs=true \`
			`--kubeconfig=kube-controller-manager.kubeconfig`

			`kubectl config set-context default \`
			`--cluster=kubernetes-the-hard-way \`
			`--user=system:kube-controller-manager \`
			`--kubeconfig=kube-controller-manager.kubeconfig`

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`kubectl config use-context default \`
			`--kubeconfig=kube-controller-manager.kubeconfig`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`}`
			```

			`Results:`

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			```text
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`kube-controller-manager.kubeconfig`
			```


			`### The kube-scheduler Kubernetes Configuration File`

			Generate a kubeconfig file for the `kube-scheduler` service:

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			```bash
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`{`
			`kubectl config set-cluster kubernetes-the-hard-way \`
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`--certificate-authority=ca.crt \`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`--embed-certs=true \`
chg: Hostnames In Documentation Continued Updated more places where the hostnames were not updated to reflect the new hostnames for the jumpbox, controller, and worker nodes. 2025-06-02 05:59:11 +03:00			`--server=https://controlplane.kubernetes.local:6443 \`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`--kubeconfig=kube-scheduler.kubeconfig`

			`kubectl config set-credentials system:kube-scheduler \`
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`--client-certificate=kube-scheduler.crt \`
			`--client-key=kube-scheduler.key \`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`--embed-certs=true \`
			`--kubeconfig=kube-scheduler.kubeconfig`

			`kubectl config set-context default \`
			`--cluster=kubernetes-the-hard-way \`
			`--user=system:kube-scheduler \`
			`--kubeconfig=kube-scheduler.kubeconfig`

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`kubectl config use-context default \`
			`--kubeconfig=kube-scheduler.kubeconfig`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`}`
update docs 2017-08-29 00:19:25 +03:00			```

Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`Results:`

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			```text
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`kube-scheduler.kubeconfig`
update docs 2017-08-29 00:19:25 +03:00			```

Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`### The admin Kubernetes Configuration File`

			Generate a kubeconfig file for the `admin` user:

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			```bash
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`{`
			`kubectl config set-cluster kubernetes-the-hard-way \`
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`--certificate-authority=ca.crt \`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`--embed-certs=true \`
			`--server=https://127.0.0.1:6443 \`
			`--kubeconfig=admin.kubeconfig`

			`kubectl config set-credentials admin \`
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`--client-certificate=admin.crt \`
			`--client-key=admin.key \`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`--embed-certs=true \`
			`--kubeconfig=admin.kubeconfig`

			`kubectl config set-context default \`
			`--cluster=kubernetes-the-hard-way \`
			`--user=admin \`
			`--kubeconfig=admin.kubeconfig`

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			`kubectl config use-context default \`
			`--kubeconfig=admin.kubeconfig`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`}`
update docs 2017-08-29 00:19:25 +03:00			```

Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`Results:`

Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			```text
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			`admin.kubeconfig`
update docs 2017-08-29 00:19:25 +03:00			```

			`## Distribute the Kubernetes Configuration Files`

chg: User from root To vagrant This commit modifies the instruactions so that they use the vagrant user instead of root. Also sudo is now requierd for a significant amount of the commands. 2025-06-03 05:13:21 +03:00			Copy the `kubelet` and `kube-proxy` kubeconfig files to the `node01` and
			`node02` machines:
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00
			```bash
chg: Hostnames In Documentation Changed server to controlplane and node-0 to node01, and node-1 to node02 in the documentation. Also started reformatting to limit lines to 80 characters. Added a section on how to enable to root account for login. 2025-06-02 05:33:01 +03:00			`for host in node01 node02; do`
chg: User from root To vagrant This commit modifies the instruactions so that they use the vagrant user instead of root. Also sudo is now requierd for a significant amount of the commands. 2025-06-03 05:13:21 +03:00			`ssh vagrant@${host} "sudo mkdir -p /var/lib/{kube-proxy,kubelet}"`
Update to Kubernetes 1.32.3 2025-04-07 04:32:30 +03:00
chg: User from root To vagrant This commit modifies the instruactions so that they use the vagrant user instead of root. Also sudo is now requierd for a significant amount of the commands. 2025-06-03 05:13:21 +03:00			`scp kube-proxy.kubeconfig vagrant@${host}:~/`
			`ssh vagrant@${host} "sudo mv kube-proxy.kubeconfig /var/lib/kube-proxy/kubeconfig"`
Update to Kubernetes 1.32.3 2025-04-07 04:32:30 +03:00
chg: User from root To vagrant This commit modifies the instruactions so that they use the vagrant user instead of root. Also sudo is now requierd for a significant amount of the commands. 2025-06-03 05:13:21 +03:00			`scp ${host}.kubeconfig vagrant@${host}:~/`
			`ssh vagrant@${host} "sudo mv ${host}.kubeconfig /var/lib/kubelet/kubeconfig"`
update docs 2017-08-29 00:19:25 +03:00			`done`
			```

chg: User from root To vagrant This commit modifies the instruactions so that they use the vagrant user instead of root. Also sudo is now requierd for a significant amount of the commands. 2025-06-03 05:13:21 +03:00			Copy the `kube-controller-manager` and `kube-scheduler` kubeconfig files to
			the `controlplane` machine:
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00
Remove cloud provider and move to ARM64 2023-11-01 09:16:49 +03:00			```bash
			`scp admin.kubeconfig \`
			`kube-controller-manager.kubeconfig \`
			`kube-scheduler.kubeconfig \`
chg: User from root To vagrant This commit modifies the instruactions so that they use the vagrant user instead of root. Also sudo is now requierd for a significant amount of the commands. 2025-06-03 05:13:21 +03:00			`vagrant@controlplane:~/`
Update to Kubernetes 1.10.2 and add gVisor support 2018-05-12 19:54:18 +03:00			```

update docs 2017-08-29 00:19:25 +03:00			`Next: [Generating the Data Encryption Config and Key](06-data-encryption-keys.md)`
chg: User from root To vagrant This commit modifies the instruactions so that they use the vagrant user instead of root. Also sudo is now requierd for a significant amount of the commands. 2025-06-03 05:13:21 +03:00
			`---`

			`[Kubernetes client configuration files]: https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/`
			`[Node Authorizer]: https://kubernetes.io/docs/reference/access-authn-authz/node/`
			`[Generating TLS Certificates]: 04-certificate-authority.md`