Merge pull request #190 from trmatthe/patch-1

Update 10-tls-bootstrapping-kubernetes-workers.md
pull/634/head
Mohamed Ayman 2021-04-18 23:24:49 +02:00 committed by GitHub
commit 526f0d1e57
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 3 deletions


@ -14,7 +14,11 @@ This is not a practical approach when you have 1000s of nodes in the cluster, an
- The Nodes can retrieve the signed certificate from the Kubernetes CA - The Nodes can retrieve the signed certificate from the Kubernetes CA
- The Nodes can generate a kube-config file using this certificate by themselves - The Nodes can generate a kube-config file using this certificate by themselves
- The Nodes can start and join the cluster by themselves - The Nodes can start and join the cluster by themselves
- The Nodes can renew certificates when they expire by themselves - The Nodes can request new certificates via a CSR, but the CSR must be manually approved by a cluster administrator
In Kubernetes 1.11 a patch was merged to require administrator or Controller approval of node serving CSRs for security reasons.
Reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#certificate-rotation
So let's get started! So let's get started!
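Review bot: the reworded bullet and the sentence added right after it disagree on who approves: the bullet says the CSR "must be manually approved by a cluster administrator", while the next sentence says "administrator or Controller approval of node serving CSRs". Since `--rotate-certificates=true` is kept later in this same diff and its note still reads "Rotates client certificates when they expire", the restriction applies to serving certificates, not to every CSR; suggest narrowing the bullet to serving certificates, e.g. "The Nodes can renew their client certificates by themselves, but serving-certificate CSRs must be approved by an administrator or an approval controller", and making the two sentences use the same wording.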
@ -312,7 +316,6 @@ ExecStart=/usr/local/bin/kubelet \\
--kubeconfig=/var/lib/kubelet/kubeconfig \\ --kubeconfig=/var/lib/kubelet/kubeconfig \\
--cert-dir=/var/lib/kubelet/pki/ \\ --cert-dir=/var/lib/kubelet/pki/ \\
--rotate-certificates=true \\ --rotate-certificates=true \\
--rotate-server-certificates=true \\
--network-plugin=cni \\ --network-plugin=cni \\
--register-node=true \\ --register-node=true \\
--v=2 --v=2
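Review bot: dropping `--rotate-server-certificates=true` from the kubelet ExecStart changes cluster behaviour, not just the documentation, and neither the commit message nor the surrounding text says why. With the flag gone the kubelet no longer requests a server certificate on bootstrap (the behaviour the bullet removed in the next hunk described), so it falls back to a self-signed serving certificate instead of one issued by the cluster CA; if that is the intent, state it in the text next to the unit file, otherwise keep the flag and only document the approval step it requires.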
@ -328,7 +331,6 @@ Things to note here:
- **bootstrap-kubeconfig**: Location of the bootstrap-kubeconfig file. - **bootstrap-kubeconfig**: Location of the bootstrap-kubeconfig file.
- **cert-dir**: The directory where the generated certificates are stored. - **cert-dir**: The directory where the generated certificates are stored.
- **rotate-certificates**: Rotates client certificates when they expire. - **rotate-certificates**: Rotates client certificates when they expire.
- **rotate-server-certificates**: Requests for server certificates on bootstrap and rotates them when they expire.
## Step 7 Configure the Kubernetes Proxy ## Step 7 Configure the Kubernetes Proxy
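Review bot: removing the `rotate-server-certificates` bullet is consistent with removing the flag above, but the remaining `rotate-certificates` bullet ("Rotates client certificates when they expire") now contradicts the top-of-file bullet in this same diff, which says certificates can only be renewed through a manually approved CSR; reconcile the two, and add a sentence here saying that serving certificates are no longer requested from the cluster CA so readers know what the kubelet serves instead.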
@ -396,6 +398,8 @@ Approve
`kubectl certificate approve csr-95bv6` `kubectl certificate approve csr-95bv6`
Note: In the event your cluster persists for longer than 365 days, you will need to manually approve the replacement CSR.
Reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubectl-approval Reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubectl-approval
## Verification ## Verification
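Review bot: the added note does not say which CSR it refers to or where the 365-day figure comes from. Since the server-certificate flag is removed in this diff, the only renewal CSR left is the kubelet client certificate driven by `--rotate-certificates=true`; suggest naming it and stating that 365 days is the signing duration the CA uses (the controller-manager default), and that the kubelet submits the replacement CSR before the current certificate expires, so the manual approval is needed somewhat earlier than the note implies.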