From 94cbe1e683dd523352bcf55cc2d4595f0a8a5c39 Mon Sep 17 00:00:00 2001 From: Kelsey Hightower Date: Fri, 24 Mar 2017 04:08:34 -0700 Subject: [PATCH] add docs on using custom kubeconfigs --- docs/03-auth-configs.md | 75 +++++++++++++++++++++++++++++++++++++---- docs/07-kubectl.md | 12 +++---- 2 files changed, 75 insertions(+), 12 deletions(-) diff --git a/docs/03-auth-configs.md b/docs/03-auth-configs.md index 3d09082..c3f7b0c 100644 --- a/docs/03-auth-configs.md +++ b/docs/03-auth-configs.md @@ -1,17 +1,40 @@ # Setting up Authentication +In this lab you will setup the necessary authentication configs to enable Kubernetes clients to bootstrap and authenticate using RBAC (Role-Based Access Control). + +## Download and Install kubectl + +The kubectl client will be used to generate kubeconfig files which will be consumed by the kubelet and kube-proxy services. + +### OS X + ``` -KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes \ - --format 'value(address)') +wget https://storage.googleapis.com/kubernetes-release/release/v1.6.0-beta.4/bin/darwin/amd64/kubectl +chmod +x kubectl +sudo mv kubectl /usr/local/bin +``` + +### Linux + +``` +wget https://storage.googleapis.com/kubernetes-release/release/v1.6.0-beta.4/bin/linux/amd64/kubectl +chmod +x kubectl +sudo mv kubectl /usr/local/bin ``` ## Authentication +The following components will leverge Kubernetes RBAC: + * kubelet (client) * Kubernetes API Server (server) The other components, mainly the `scheduler` and `controller manager`, access the Kubernetes API server locally over the insecure API port which does not require authentication. The insecure port is only enabled for local access. +### TLS Bootstrap Token + +This section will walk you through the creation of a TLS bootstrap token that will be used to [bootstrap TLS client certificates for kubelets](https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/). + Generate a token: BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ') @@ -24,6 +47,8 @@ ${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap" EOF ``` +#### Distribute the bootstrap token file + Copy the `token.csv` file to each controller node: ``` @@ -35,9 +60,31 @@ for host in ${KUBERNETES_CONTROLLERS[*]}; do done ``` -## Client Authentication Configs +### Client Authentication Configs -### bootstrap kubeconfig +This section will walk you through creating kubeconfig files that will be used to bootstrap kubelets, which will then generate their own kubeconfigs based on dynamically generated certificates, and a kubeconfig for authenticating kube-proxy clients. + +Each kubeconfig requires a Kubernetes master to connect to. To support H/A the IP address assigned to the load balancer sitting in front of the Kubernetes API servers will be used. + +#### Set the Kubernetes Public Address + +##### GCE + +``` +KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes \ + --region us-central1 \ + --format 'value(address)') +``` + +##### AWS + +``` +KUBERNETES_PUBLIC_ADDRESS=$(aws elb describe-load-balancers \ + --load-balancer-name kubernetes | \ + jq -r '.LoadBalancerDescriptions[].DNSName') +``` + +--- Generate a bootstrap kubeconfig file: @@ -68,6 +115,8 @@ kubectl config use-context default --kubeconfig=bootstrap.kubeconfig ### kube-proxy kubeconfig +Generate the `kube-proxy` kubeconfig file: + ``` kubectl config set-cluster kubernetes-the-hard-way \ --certificate-authority=ca.pem \ @@ -95,16 +144,30 @@ kubectl config set-context default \ kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig ``` -### Distribute client authentication configs +#### Distribute client kubeconfig files -Copy the bootstrap kubeconfig file to each worker node: +Copy the bootstrap and kube-proxy kubeconfig files to each worker node: ``` KUBERNETES_WORKER_NODES=(worker0 worker1 worker2) ``` +##### GCE + ``` for host in ${KUBERNETES_WORKER_NODES[*]}; do gcloud compute copy-files bootstrap.kubeconfig kube-proxy.kubeconfig ${host}:~/ done ``` + +##### AWS + +``` +for host in ${KUBERNETES_WORKER_NODES[*]}; do + PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \ + --filters "Name=tag:Name,Values=${host}" | \ + jq -r '.Reservations[].Instances[].PublicIpAddress') + scp -o "StrictHostKeyChecking no" bootstrap.kubeconfig kube-proxy.kubeconfig \ + ubuntu@${PUBLIC_IP_ADDRESS}:~/ +done +``` diff --git a/docs/07-kubectl.md b/docs/07-kubectl.md index efdc528..fb16218 100644 --- a/docs/07-kubectl.md +++ b/docs/07-kubectl.md @@ -60,13 +60,13 @@ kubectl config set-credentials admin \ ``` ``` -kubectl config set-context default-context \ +kubectl config set-context default \ --cluster=kubernetes-the-hard-way \ --user=admin ``` ``` -kubectl config use-context default-context +kubectl config use-context default ``` At this point you should be able to connect securly to the remote API server: @@ -88,8 +88,8 @@ etcd-1 Healthy {"health": "true"} kubectl get nodes ``` ``` -NAME STATUS AGE -worker0 Ready 7m -worker1 Ready 5m -worker2 Ready 2m +NAME STATUS AGE VERSION +worker0 Ready 7m v1.6.0-beta.4 +worker1 Ready 5m v1.6.0-beta.4 +worker2 Ready 2m v1.6.0-beta.4 ```