Create kubeconfig files

pull/758/head
Tom English 2023-12-21 16:20:03 -05:00
parent 17ddcfbbcd
commit b1b692b0b2
1 changed files with 88 additions and 69 deletions

View File

@ -12,15 +12,21 @@ Each kubeconfig requires a Kubernetes API Server to connect to. To support high
Retrieve the `kubernetes-the-hard-way` static IP address: Retrieve the `kubernetes-the-hard-way` static IP address:
```gcloud```
``` ```
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \ KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
--region $(gcloud config get-value compute/region) \ --region $(gcloud config get-value compute/region) \
--format 'value(address)') --format 'value(address)')
``` ```
```az```
```
KUBERNETES_PUBLIC_ADDRESS=$(az network public-ip show --name kubernetes-the-hard-way --query ipAddress -o tsv)
```
### The kubelet Kubernetes Configuration File ### The kubelet Kubernetes Configuration File
When generating kubeconfig files for Kubelets the client certificate matching the Kubelet's node name must be used. This will ensure Kubelets are properly authorized by the Kubernetes [Node Authorizer](https://kubernetes.io/docs/admin/authorization/node/). When generating kubeconfig files for Kubelets the client certificate matching the Kubelet's node name must be used. This will ensure Kubelets are properly authorized by the Kubernetes [Node Authorizer](https://kubernetes.io/docs/reference/access-authn-authz/node/).
> The following commands must be run in the same directory used to generate the SSL certificates during the [Generating TLS Certificates](04-certificate-authority.md) lab. > The following commands must be run in the same directory used to generate the SSL certificates during the [Generating TLS Certificates](04-certificate-authority.md) lab.
@ -62,26 +68,24 @@ worker-2.kubeconfig
Generate a kubeconfig file for the `kube-proxy` service: Generate a kubeconfig file for the `kube-proxy` service:
``` ```
{ kubectl config set-cluster kubernetes-the-hard-way \
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \ --certificate-authority=ca.pem \
--embed-certs=true \ --embed-certs=true \
--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \ --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
--kubeconfig=kube-proxy.kubeconfig --kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials system:kube-proxy \ kubectl config set-credentials system:kube-proxy \
--client-certificate=kube-proxy.pem \ --client-certificate=kube-proxy.pem \
--client-key=kube-proxy-key.pem \ --client-key=kube-proxy-key.pem \
--embed-certs=true \ --embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig --kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \ kubectl config set-context default \
--cluster=kubernetes-the-hard-way \ --cluster=kubernetes-the-hard-way \
--user=system:kube-proxy \ --user=system:kube-proxy \
--kubeconfig=kube-proxy.kubeconfig --kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
}
``` ```
Results: Results:
@ -95,26 +99,24 @@ kube-proxy.kubeconfig
Generate a kubeconfig file for the `kube-controller-manager` service: Generate a kubeconfig file for the `kube-controller-manager` service:
``` ```
{ kubectl config set-cluster kubernetes-the-hard-way \
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \ --certificate-authority=ca.pem \
--embed-certs=true \ --embed-certs=true \
--server=https://127.0.0.1:6443 \ --server=https://127.0.0.1:6443 \
--kubeconfig=kube-controller-manager.kubeconfig --kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager \ kubectl config set-credentials system:kube-controller-manager \
--client-certificate=kube-controller-manager.pem \ --client-certificate=kube-controller-manager.pem \
--client-key=kube-controller-manager-key.pem \ --client-key=kube-controller-manager-key.pem \
--embed-certs=true \ --embed-certs=true \
--kubeconfig=kube-controller-manager.kubeconfig --kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-context default \ kubectl config set-context default \
--cluster=kubernetes-the-hard-way \ --cluster=kubernetes-the-hard-way \
--user=system:kube-controller-manager \ --user=system:kube-controller-manager \
--kubeconfig=kube-controller-manager.kubeconfig --kubeconfig=kube-controller-manager.kubeconfig
kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
}
``` ```
Results: Results:
@ -129,26 +131,24 @@ kube-controller-manager.kubeconfig
Generate a kubeconfig file for the `kube-scheduler` service: Generate a kubeconfig file for the `kube-scheduler` service:
``` ```
{ kubectl config set-cluster kubernetes-the-hard-way \
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \ --certificate-authority=ca.pem \
--embed-certs=true \ --embed-certs=true \
--server=https://127.0.0.1:6443 \ --server=https://127.0.0.1:6443 \
--kubeconfig=kube-scheduler.kubeconfig --kubeconfig=kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler \ kubectl config set-credentials system:kube-scheduler \
--client-certificate=kube-scheduler.pem \ --client-certificate=kube-scheduler.pem \
--client-key=kube-scheduler-key.pem \ --client-key=kube-scheduler-key.pem \
--embed-certs=true \ --embed-certs=true \
--kubeconfig=kube-scheduler.kubeconfig --kubeconfig=kube-scheduler.kubeconfig
kubectl config set-context default \ kubectl config set-context default \
--cluster=kubernetes-the-hard-way \ --cluster=kubernetes-the-hard-way \
--user=system:kube-scheduler \ --user=system:kube-scheduler \
--kubeconfig=kube-scheduler.kubeconfig --kubeconfig=kube-scheduler.kubeconfig
kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
}
``` ```
Results: Results:
@ -162,26 +162,24 @@ kube-scheduler.kubeconfig
Generate a kubeconfig file for the `admin` user: Generate a kubeconfig file for the `admin` user:
``` ```
{ kubectl config set-cluster kubernetes-the-hard-way \
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \ --certificate-authority=ca.pem \
--embed-certs=true \ --embed-certs=true \
--server=https://127.0.0.1:6443 \ --server=https://127.0.0.1:6443 \
--kubeconfig=admin.kubeconfig --kubeconfig=admin.kubeconfig
kubectl config set-credentials admin \ kubectl config set-credentials admin \
--client-certificate=admin.pem \ --client-certificate=admin.pem \
--client-key=admin-key.pem \ --client-key=admin-key.pem \
--embed-certs=true \ --embed-certs=true \
--kubeconfig=admin.kubeconfig --kubeconfig=admin.kubeconfig
kubectl config set-context default \ kubectl config set-context default \
--cluster=kubernetes-the-hard-way \ --cluster=kubernetes-the-hard-way \
--user=admin \ --user=admin \
--kubeconfig=admin.kubeconfig --kubeconfig=admin.kubeconfig
kubectl config use-context default --kubeconfig=admin.kubeconfig kubectl config use-context default --kubeconfig=admin.kubeconfig
}
``` ```
Results: Results:
@ -197,18 +195,39 @@ admin.kubeconfig
Copy the appropriate `kubelet` and `kube-proxy` kubeconfig files to each worker instance: Copy the appropriate `kubelet` and `kube-proxy` kubeconfig files to each worker instance:
```gcloud```
``` ```
for instance in worker-0 worker-1 worker-2; do for instance in worker-0 worker-1 worker-2; do
gcloud compute scp ${instance}.kubeconfig kube-proxy.kubeconfig ${instance}:~/ gcloud compute scp ${instance}.kubeconfig kube-proxy.kubeconfig ${instance}:~/
done done
``` ```
```az```
```
for instance in worker-0 worker-1 worker-2; do
IP=$(az vm show -d --name ${instance} --query "publicIps" -o tsv)
scp ${instance}.kubeconfig azureuser@${IP}:/home/azureuser
scp kube-proxy.kubeconfig azureuser@${IP}:/home/azureuser
done
```
Copy the appropriate `kube-controller-manager` and `kube-scheduler` kubeconfig files to each controller instance: Copy the appropriate `kube-controller-manager` and `kube-scheduler` kubeconfig files to each controller instance:
```gcloud```
``` ```
for instance in controller-0 controller-1 controller-2; do for instance in controller-0 controller-1 controller-2; do
gcloud compute scp admin.kubeconfig kube-controller-manager.kubeconfig kube-scheduler.kubeconfig ${instance}:~/ gcloud compute scp admin.kubeconfig kube-controller-manager.kubeconfig kube-scheduler.kubeconfig ${instance}:~/
done done
``` ```
```az```
```
for instance in controller-0 controller-1 controller-2; do
IP=$(az vm show -d --name ${instance} --query "publicIps" -o tsv)
scp admin.kubeconfig azureuser@${IP}:/home/azureuser
scp kube-controller-manager.kubeconfig azureuser@${IP}:/home/azureuser
scp kube-scheduler.kubeconfig azureuser@${IP}:/home/azureuser
done
```
Next: [Generating the Data Encryption Config and Key](06-data-encryption-keys.md) Next: [Generating the Data Encryption Config and Key](06-data-encryption-keys.md)