From 85acf39f84c085d1754a3e874a917a490b57c98d Mon Sep 17 00:00:00 2001
From: Mumshad Mannambeth
Date: Sat, 13 Apr 2019 12:35:29 +0800
Subject: [PATCH] Create tls-bootstrap-worker-node-2.md
---
.../tls-bootstrap-worker-node-2.md | 175 ++++++++++++++++++
1 file changed, 175 insertions(+)
create mode 100644 practice-questions-answers/tls-bootstrap-worker-node-2.md
diff --git a/practice-questions-answers/tls-bootstrap-worker-node-2.md b/practice-questions-answers/tls-bootstrap-worker-node-2.md
new file mode 100644
index 0000000..571f86f
--- /dev/null
+++ b/practice-questions-answers/tls-bootstrap-worker-node-2.md
@@ -0,0 +1,175 @@
+## Create Bootstrap Token on Master Node
+
+This is the solution to the practice test on TLS Bootstrapping hosted [here](https://kodekloud.com/courses/certified-kubernetes-administrator-with-practice-tests/lectures/9833234)
+
+```
+cat > bootstrap-token-09426c.yaml <"
+ name: bootstrap-token-09426c
+ namespace: kube-system
+
+# Type MUST be 'bootstrap.kubernetes.io/token'
+type: bootstrap.kubernetes.io/token
+stringData:
+ # Human readable description. Optional.
+ description: "The default bootstrap token generated by 'kubeadm init'."
+
+ # Token ID and secret. Required.
+ token-id: 09426c
+ token-secret: g262dkeidk3dx21x
+
+ # Expiration. Optional.
+ expiration: 2020-03-10T03:22:11Z
+
+ # Allowed usages.
+ usage-bootstrap-authentication: "true"
+ usage-bootstrap-signing: "true"
+
+ # Extra groups to authenticate the token as. Must start with "system:bootstrappers:"
+ auth-extra-groups: system:bootstrappers:node03
+EOF
+```
+
+`master$ kubectl create -f bootstrap-token-09426c.yaml`
+
+## Create Cluster Role Binding
+
+kubectl create clusterrolebinding crb-to-create-csr --clusterrole=system:node-bootstrapper --group=system:bootstrappers
+
+--------------- OR ---------------
+
+```
+cat > crb-to-create-csr <<-EOF
+# enable bootstrapping nodes to create CSR
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: crb-to-create-csr
+subjects:
+- kind: Group
+ name: system:bootstrappers
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: system:node-bootstrapper
+ apiGroup: rbac.authorization.k8s.io
+EOF
+```
+
+`master$ kubectl create -f crb-to-create-csr.yaml`
+
+
+# Authorize workers(kubelets) to approve CSR
+
+kubectl create clusterrolebinding crb-to-approve-csr --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient --group=system:bootstrappers
+
+--------------- OR ---------------
+
+```
+cat > crb-to-approve-csr.yaml < crb-to-autoapprove-csr.yaml < 
/etc/systemd/system/kubelet.service <<-EOF
+[Unit]
+Description=Kubernetes Kubelet
+Documentation=https://github.com/kubernetes/kubernetes
+
+[Service]
+ExecStart=/usr/bin/kubelet \
+ --bootstrap-kubeconfig=/tmp/bootstrap-kubeconfig \
+ --kubeconfig=/var/lib/kubelet/kubeconfig \
+ --register-node=true \
+ --v=2
+Restart=on-failure
+StandardOutput=file:/var/kubeletlog1.log
+StandardError=file:/var/kubeletlog2.log
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+
+EOF
+```
+
+Reload service and start kubelet
+
+```
+node03$ systemctl daemon-reload
+node03$ service kubelet start
+```
+
+On master node check csr status and approve:
+
+```
+master$ kubectl get csr
+master$ kubectl certificate approve node-csr-oJcfudnewY5mcSDHcLseKQ6Oze5YmP9ZdKNRHHdjfJI
+```
+
+Verify node has joined the cluster
+
+```
+master$ kubectl get nodes
+
+```