update docs
Kelsey Hightower
parent
2958e721cd
commit
997d905b3d
|
|
@ -8,6 +8,16 @@ ca-key.pem
|
|||
ca.csr
|
||||
ca.pem
|
||||
encryption-config.yaml
|
||||
kube-controller-manager-csr.json
|
||||
kube-controller-manager-key.pem
|
||||
kube-controller-manager.csr
|
||||
kube-controller-manager.kubeconfig
|
||||
kube-controller-manager.pem
|
||||
kube-scheduler-csr.json
|
||||
kube-scheduler-key.pem
|
||||
kube-scheduler.csr
|
||||
kube-scheduler.kubeconfig
|
||||
kube-scheduler.pem
|
||||
kube-proxy-csr.json
|
||||
kube-proxy-key.pem
|
||||
kube-proxy.csr
|
||||
|
|
|
|||
|
|
@ -163,6 +163,50 @@ worker-2-key.pem
|
|||
worker-2.pem
|
||||
```
|
||||
|
||||
### The kube-controller-manager Client Certificate
|
||||
|
||||
Create the `kube-controller-manager` client certificate signing request:
|
||||
|
||||
```
|
||||
cat > kube-controller-manager-csr.json <<EOF
|
||||
{
|
||||
"CN": "system:kube-controller-manager",
|
||||
"key": {
|
||||
"algo": "rsa",
|
||||
"size": 2048
|
||||
},
|
||||
"names": [
|
||||
{
|
||||
"C": "US",
|
||||
"L": "Portland",
|
||||
"O": "system:kube-controller-manager",
|
||||
"OU": "Kubernetes The Hard Way",
|
||||
"ST": "Oregon"
|
||||
}
|
||||
]
|
||||
}
|
||||
EOF
|
||||
```
|
||||
|
||||
Generate the `kube-controller-manager` client certificate and private key:
|
||||
|
||||
```
|
||||
cfssl gencert \
|
||||
-ca=ca.pem \
|
||||
-ca-key=ca-key.pem \
|
||||
-config=ca-config.json \
|
||||
-profile=kubernetes \
|
||||
kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
|
||||
```
|
||||
|
||||
Results:
|
||||
|
||||
```
|
||||
kube-controller-manager-key.pem
|
||||
kube-controller-manager.pem
|
||||
```
|
||||
|
||||
|
||||
### The kube-proxy Client Certificate
|
||||
|
||||
Create the `kube-proxy` client certificate signing request:
|
||||
|
|
@ -206,6 +250,50 @@ kube-proxy-key.pem
|
|||
kube-proxy.pem
|
||||
```
|
||||
|
||||
### The kube-scheduler Client Certificate
|
||||
|
||||
Create the `kube-scheduler` client certificate signing request:
|
||||
|
||||
```
|
||||
cat > kube-scheduler-csr.json <<EOF
|
||||
{
|
||||
"CN": "system:kube-scheduler",
|
||||
"key": {
|
||||
"algo": "rsa",
|
||||
"size": 2048
|
||||
},
|
||||
"names": [
|
||||
{
|
||||
"C": "US",
|
||||
"L": "Portland",
|
||||
"O": "system:kube-scheduler",
|
||||
"OU": "Kubernetes The Hard Way",
|
||||
"ST": "Oregon"
|
||||
}
|
||||
]
|
||||
}
|
||||
EOF
|
||||
```
|
||||
|
||||
Generate the `kube-scheduler` client certificate and private key:
|
||||
|
||||
```
|
||||
cfssl gencert \
|
||||
-ca=ca.pem \
|
||||
-ca-key=ca-key.pem \
|
||||
-config=ca-config.json \
|
||||
-profile=kubernetes \
|
||||
kube-scheduler-csr.json | cfssljson -bare kube-scheduler
|
||||
```
|
||||
|
||||
Results:
|
||||
|
||||
```
|
||||
kube-scheduler-key.pem
|
||||
kube-scheduler.pem
|
||||
```
|
||||
|
||||
|
||||
### The Kubernetes API Server Certificate
|
||||
|
||||
The `kubernetes-the-hard-way` static IP address will be included in the list of subject alternative names for the Kubernetes API Server certificate. This will ensure the certificate can be validated by remote clients.
|
||||
|
|
@ -278,6 +366,6 @@ for instance in controller-0 controller-1 controller-2; do
|
|||
done
|
||||
```
|
||||
|
||||
> The `kube-proxy` and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.
|
||||
> The `kube-proxy`, `kube-controller-manager`, `kube-scheduler`, and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.
|
||||
|
||||
Next: [Generating Kubernetes Configuration Files for Authentication](05-kubernetes-configuration-files.md)
|
||||
|
|
|
|||
|
|
@ -94,6 +94,82 @@ Results:
|
|||
kube-proxy.kubeconfig
|
||||
```
|
||||
|
||||
### The kube-controller-manager Kubernetes Configuration File
|
||||
|
||||
Generate a kubeconfig file for the `kube-controller-manager` service:
|
||||
|
||||
```
|
||||
kubectl config set-cluster kubernetes-the-hard-way \
|
||||
--certificate-authority=ca.pem \
|
||||
--embed-certs=true \
|
||||
--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
|
||||
--kubeconfig=kube-controller-manager.kubeconfig
|
||||
```
|
||||
|
||||
```
|
||||
kubectl config set-credentials kube-controller-manager \
|
||||
--client-certificate=kube-controller-manager.pem \
|
||||
--client-key=kube-controller-manager-key.pem \
|
||||
--embed-certs=true \
|
||||
--kubeconfig=kube-controller-manager.kubeconfig
|
||||
```
|
||||
|
||||
```
|
||||
kubectl config set-context default \
|
||||
--cluster=kubernetes-the-hard-way \
|
||||
--user=kube-controller-manager \
|
||||
--kubeconfig=kube-controller-manager.kubeconfig
|
||||
```
|
||||
|
||||
```
|
||||
kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
|
||||
```
|
||||
|
||||
Results:
|
||||
|
||||
```
|
||||
kube-controller-manager.kubeconfig
|
||||
```
|
||||
|
||||
|
||||
### The kube-scheduler Kubernetes Configuration File
|
||||
|
||||
Generate a kubeconfig file for the `kube-scheduler` service:
|
||||
|
||||
```
|
||||
kubectl config set-cluster kubernetes-the-hard-way \
|
||||
--certificate-authority=ca.pem \
|
||||
--embed-certs=true \
|
||||
--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
|
||||
--kubeconfig=kube-scheduler.kubeconfig
|
||||
```
|
||||
|
||||
```
|
||||
kubectl config set-credentials kube-scheduler \
|
||||
--client-certificate=kube-scheduler.pem \
|
||||
--client-key=kube-scheduler-key.pem \
|
||||
--embed-certs=true \
|
||||
--kubeconfig=kube-scheduler.kubeconfig
|
||||
```
|
||||
|
||||
```
|
||||
kubectl config set-context default \
|
||||
--cluster=kubernetes-the-hard-way \
|
||||
--user=kube-scheduler \
|
||||
--kubeconfig=kube-scheduler.kubeconfig
|
||||
```
|
||||
|
||||
```
|
||||
kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
|
||||
```
|
||||
|
||||
Results:
|
||||
|
||||
```
|
||||
kube-scheduler.kubeconfig
|
||||
```
|
||||
|
||||
|
||||
## Distribute the Kubernetes Configuration Files
|
||||
|
||||
Copy the appropriate `kubelet` and `kube-proxy` kubeconfig files to each worker instance:
|
||||
|
|
@ -104,4 +180,12 @@ for instance in worker-0 worker-1 worker-2; do
|
|||
done
|
||||
```
|
||||
|
||||
Copy the appropriate `kube-controller-manager` and `kube-scheduler` kubeconfig files to each controller instance:
|
||||
|
||||
```
|
||||
for instance in controller-0 controller-1 controller-2; do
|
||||
gcloud compute scp kube-controller-manager.kubeconfig kube-scheduler.kubeconfig ${instance}:~/
|
||||
done
|
||||
```
|
||||
|
||||
Next: [Generating the Data Encryption Config and Key](06-data-encryption-keys.md)
|
||||
|
|
|
|||
|
|
@ -106,6 +106,12 @@ EOF
|
|||
|
||||
### Configure the Kubernetes Controller Manager
|
||||
|
||||
Move the `kube-controller-manager` kubeconfig into place:
|
||||
|
||||
```
|
||||
sudo mv kube-controller-manager.kubeconfig /var/lib/kubernetes/
|
||||
```
|
||||
|
||||
Create the `kube-controller-manager.service` systemd unit file:
|
||||
|
||||
```
|
||||
|
|
@ -121,8 +127,8 @@ ExecStart=/usr/local/bin/kube-controller-manager \\
|
|||
--cluster-name=kubernetes \\
|
||||
--cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\
|
||||
--cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\
|
||||
--kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\
|
||||
--leader-elect=true \\
|
||||
--master=http://127.0.0.1:8080 \\
|
||||
--root-ca-file=/var/lib/kubernetes/ca.pem \\
|
||||
--service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \\
|
||||
--service-cluster-ip-range=10.32.0.0/24 \\
|
||||
|
|
@ -138,6 +144,8 @@ EOF
|
|||
### Configure the Kubernetes Scheduler
|
||||
|
||||
|
||||
Create the `kube-scheduler.yaml` configuration file:
|
||||
|
||||
```
|
||||
cat > kube-scheduler.yaml <<EOF
|
||||
apiVersion: componentconfig/v1alpha1
|
||||
|
|
|
|||
Loading…
Reference in New Issue