The chapter 'Generating Kubernetes Configuration Files for Authentication' is updated.

pull/443/head
Pick1a1username 2019-02-16 18:07:37 +09:00
parent 1a6b69f4e2
commit 907165bba8
1 changed files with 17 additions and 17 deletions

@ -1,23 +1,23 @@
# Generating Kubernetes Configuration Files for Authentication # Generating Kubernetes Configuration Files for Authentication
In this lab you will generate [Kubernetes configuration files](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/), also known as kubeconfigs, which enable Kubernetes clients to locate and authenticate to the Kubernetes API Servers. In this chapter, you will generate [Kubernetes configuration files](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/), also known as kubeconfigs, which enable Kubernetes clients to locate and authenticate to the Kubernetes API Servers.
## Client Authentication Configs ## Client Authentication Configs
In this section you will generate kubeconfig files for the `controller manager`, `kubelet`, `kube-proxy`, and `scheduler` clients and the `admin` user. In this section you will generate kubeconfig files for the `controller manager`, `kubelet`, `kube-proxy`, and `scheduler` clients and the `admin` user.
### Kubernetes Public IP Address
Each kubeconfig requires a Kubernetes API Server to connect to. To support high availability the IP address assigned to the external load balancer fronting the Kubernetes API Servers will be used. ### Kubernetes IP Address
Retrieve the `kubernetes-the-hard-way` static IP address: Each kubeconfig requires a Kubernetes API Server to connect to. To support high availability the IP address assigned to the load balancer fronting the Kubernetes API Servers will be used.
Set a variable named `KUBERNETES_LB_ADDRESS`:
``` ```
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \ $ KUBERNETES_LB_ADDRESS=10.240.0.10
--region $(gcloud config get-value compute/region) \
--format 'value(address)')
``` ```
### The kubelet Kubernetes Configuration File ### The kubelet Kubernetes Configuration File
When generating kubeconfig files for Kubelets the client certificate matching the Kubelet's node name must be used. This will ensure Kubelets are properly authorized by the Kubernetes [Node Authorizer](https://kubernetes.io/docs/admin/authorization/node/). When generating kubeconfig files for Kubelets the client certificate matching the Kubelet's node name must be used. This will ensure Kubelets are properly authorized by the Kubernetes [Node Authorizer](https://kubernetes.io/docs/admin/authorization/node/).
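Review bot: The new `KUBERNETES_LB_ADDRESS` line starts with a `$ ` prompt inside the code block, while the `kubectl` loops further down have none, so pasting the block as written runs a command named `$` and leaves the variable unset; drop the prompt. The value `10.240.0.10` also replaces the `gcloud compute addresses describe` lookup without saying where the address comes from. Since every kubeconfig generated below embeds it as `--server`, state which load balancer owns it and that readers must substitute their own.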
@ -25,11 +25,11 @@ When generating kubeconfig files for Kubelets the client certificate matching th
Generate a kubeconfig file for each worker node: Generate a kubeconfig file for each worker node:
``` ```
for instance in worker-0 worker-1 worker-2; do for instance in worker-1 worker-2 worker-3; do
kubectl config set-cluster kubernetes-the-hard-way \ kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \ --certificate-authority=ca.pem \
--embed-certs=true \ --embed-certs=true \
--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \ --server=https://${KUBERNETES_LB_ADDRESS}:6443 \
--kubeconfig=${instance}.kubeconfig --kubeconfig=${instance}.kubeconfig
kubectl config set-credentials system:node:${instance} \ kubectl config set-credentials system:node:${instance} \
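Review bot: The rename to `worker-1 worker-2 worker-3` in the `for` line needs client certificates issued for exactly those node names, because `set-credentials system:node:${instance}` is what the Node Authorizer paragraph above relies on. This commit changes one file only, so please confirm the certificate chapter already uses worker-1 to worker-3, or update it in the same pull request; a kubelet presenting a certificate for the old name will not be authorized as the renamed node.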
@ -50,9 +50,9 @@ done
Results: Results:
``` ```
worker-0.kubeconfig
worker-1.kubeconfig worker-1.kubeconfig
worker-2.kubeconfig worker-2.kubeconfig
worker-3.kubeconfig
``` ```
### The kube-proxy Kubernetes Configuration File ### The kube-proxy Kubernetes Configuration File
@ -64,7 +64,7 @@ Generate a kubeconfig file for the `kube-proxy` service:
kubectl config set-cluster kubernetes-the-hard-way \ kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \ --certificate-authority=ca.pem \
--embed-certs=true \ --embed-certs=true \
--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \ --server=https://${KUBERNETES_LB_ADDRESS}:6443 \
--kubeconfig=kube-proxy.kubeconfig --kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials system:kube-proxy \ kubectl config set-credentials system:kube-proxy \
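Review bot: `--server=https://${KUBERNETES_LB_ADDRESS}:6443` expands to `https://:6443` when the variable is unset, for example in a new shell opened after the variable was assigned, and nothing in this block catches that. Writing it as `${KUBERNETES_LB_ADDRESS:?}` makes the shell stop with an error instead; the same applies to the worker loop above.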
@ -189,23 +189,23 @@ admin.kubeconfig
``` ```
##
## Distribute the Kubernetes Configuration Files ## Distribute the Kubernetes Configuration Files
Copy the appropriate `kubelet` and `kube-proxy` kubeconfig files to each worker instance: Copy the appropriate `kubelet` and `kube-proxy` kubeconfig files to each worker instance:
``` ```
for instance in worker-0 worker-1 worker-2; do $ USERNAME=<User Name of Virtual Machines>
gcloud compute scp ${instance}.kubeconfig kube-proxy.kubeconfig ${instance}:~/ $ for num in 1 2 3; do
scp -i ~/.ssh/id_rsa-k8s.pub worker-${num}.kubeconfig kube-proxy.kubeconfig ${USERNAME}@10.240.0.2${num}:~/
done done
``` ```
Copy the appropriate `kube-controller-manager` and `kube-scheduler` kubeconfig files to each controller instance: Copy the appropriate `kube-controller-manager` and `kube-scheduler` kubeconfig files to each controller instance:
``` ```
for instance in controller-0 controller-1 controller-2; do $ USERNAME=<User Name of Virtual Machines>
gcloud compute scp admin.kubeconfig kube-controller-manager.kubeconfig kube-scheduler.kubeconfig ${instance}:~/ $ for num in 1 2 3; do
scp -i ~/.ssh/id_rsa-k8s.pub admin.kubeconfig kube-controller-manager.kubeconfig kube-scheduler.kubeconfig ${USERNAME}@10.240.0.1${num}:~/
done done
``` ```
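Review bot: Both new `scp` lines pass `-i ~/.ssh/id_rsa-k8s.pub`, but `-i` takes the identity (private key) file; pointing it at the `.pub` file only works when the matching private key is already loaded in an ssh-agent. Use the private key that pairs with it, by ssh-keygen convention the same path without `.pub`. Two smaller points in the same hunk: `USERNAME=<User Name of Virtual Machines>` is parsed by the shell as a redirection if pasted unchanged and the `$ ` prompts break copy-paste, so a quoted placeholder without prompts would be safer; and the added empty `##` heading above "Distribute the Kubernetes Configuration Files" should be removed.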