Merge pull request #59 from rahulsoni43/patch-6

Update 10-tls-bootstrapping-kubernetes-workers.md
pull/584/head
vpalazhi 2019-11-19 19:47:25 -05:00 committed by GitHub
commit dc967fefa1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 0 deletions

@ -54,6 +54,8 @@ wget -q --show-progress --https-only --timestamping \
https://storage.googleapis.com/kubernetes-release/release/v1.13.0/bin/linux/amd64/kubelet https://storage.googleapis.com/kubernetes-release/release/v1.13.0/bin/linux/amd64/kubelet
``` ```
Reference: https://kubernetes.io/docs/setup/release/#node-binaries
Create the installation directories: Create the installation directories:
``` ```
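Review bot: The reference added after the wget block points at the unversioned release page (`/docs/setup/release/#node-binaries`) while the download above it is pinned to `v1.13.0`, so the link target will drift away from the binaries the guide installs. Point it at the v1.13 release notes, or add a sentence saying what the reader should look up there. The wget step only enforces `--https-only`, so if that page lists checksums for the node binaries, tell the reader to compare the downloaded kubelet against them.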
@ -127,6 +129,7 @@ Things to note:
Once this is created the token to be used for authentication is `07401b.f395accd246ae52d` Once this is created the token to be used for authentication is `07401b.f395accd246ae52d`
Reference: https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/#bootstrap-token-secret-format
## Step 2 Authorize workers(kubelets) to create CSR ## Step 2 Authorize workers(kubelets) to create CSR
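Review bot: The new reference sits directly under a line that publishes a fixed token, `07401b.f395accd246ae52d`, and the patch links the format documentation without saying that this value is only a sample. Anyone who follows the guide verbatim ends up with a bootstrap token that is public in this repository. Add a sentence next to the reference telling readers to generate their own token id and secret in the linked format before creating the secret.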
@ -157,6 +160,7 @@ EOF
kubectl create -f csrs-for-bootstrapping.yaml kubectl create -f csrs-for-bootstrapping.yaml
``` ```
Reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#authorize-kubelet-to-create-csr
## Step 3 Authorize workers(kubelets) to approve CSR ## Step 3 Authorize workers(kubelets) to approve CSR
``` ```
@ -184,6 +188,8 @@ EOF
kubectl create -f auto-approve-csrs-for-group.yaml kubectl create -f auto-approve-csrs-for-group.yaml
``` ```
Reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#approval
## Step 3 Authorize workers(kubelets) to Auto Renew Certificates on expiration ## Step 3 Authorize workers(kubelets) to Auto Renew Certificates on expiration
We now create the Cluster Role Binding required for the nodes to automatically renew the certificates on expiry. Note that we are NOT using the **system:bootstrappers** group here any more. Since by the renewal period, we believe the node would be bootstrapped and part of the cluster already. All nodes are part of the **system:nodes** group. We now create the Cluster Role Binding required for the nodes to automatically renew the certificates on expiry. Note that we are NOT using the **system:bootstrappers** group here any more. Since by the renewal period, we believe the node would be bootstrapped and part of the cluster already. All nodes are part of the **system:nodes** group.
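Review bot: The reference added after `kubectl create -f auto-approve-csrs-for-group.yaml` links the approval docs, but the step still does not state what auto-approval for the group means in practice: any client that authenticates with a valid bootstrap token gets its CSR approved with no human check. One sentence saying so beside the link would tell readers why the token has to be protected and kept short-lived. Separately, the heading in the trailing context is a second "Step 3", which makes it unclear which step each new reference belongs to.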
@ -213,6 +219,8 @@ EOF
kubectl create -f auto-approve-renewals-for-nodes.yaml kubectl create -f auto-approve-renewals-for-nodes.yaml
``` ```
Reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#approval
## Step 4 Configure Kubelet to TLS Bootstrap ## Step 4 Configure Kubelet to TLS Bootstrap
It is now time to configure the second worker to TLS bootstrap using the token we generated It is now time to configure the second worker to TLS bootstrap using the token we generated
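Review bot: The reference added after `kubectl create -f auto-approve-renewals-for-nodes.yaml` is the same `#approval` URL as the one added in the previous hunk, so the reader gets no hint which part of that section covers renewals for **system:nodes** as opposed to initial requests from bootstrapping nodes. Add a few words after each link naming the relevant role or paragraph, or drop the duplicate and refer back to the first one.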
@ -254,6 +262,8 @@ users:
EOF EOF
``` ```
Reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration
## Step 5 Create Kubelet Config File ## Step 5 Create Kubelet Config File
Create the `kubelet-config.yaml` configuration file: Create the `kubelet-config.yaml` configuration file:
@ -383,6 +393,7 @@ Approve
`kubectl certificate approve csr-95bv6` `kubectl certificate approve csr-95bv6`
Reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubectl-approval
## Verification ## Verification
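Review bot: The reference is attached to `kubectl certificate approve csr-95bv6`, a CSR name that exists only on the author's cluster, and nothing around the added line tells the reader to look at the request before approving it. Alongside the link, add a line to list the pending CSRs and check the requesting user and subject first, and mark `csr-95bv6` as a value to substitute.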