Merge pull request #59 from rahulsoni43/patch-6

Update 10-tls-bootstrapping-kubernetes-workers.md
pull/584/head
vpalazhi 2019-11-19 19:47:25 -05:00 committed by GitHub
commit dc967fefa1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 0 deletions

@ -54,6 +54,8 @@ wget -q --show-progress --https-only --timestamping \
https://storage.googleapis.com/kubernetes-release/release/v1.13.0/bin/linux/amd64/kubelet
```
Reference: https://kubernetes.io/docs/setup/release/#node-binaries
Create the installation directories:
```
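Review bot: The reference added after the download block links to an unversioned docs page (`https://kubernetes.io/docs/setup/release/#node-binaries`) while the wget line above it pins `v1.13.0`, so the link can drift away from the binaries this guide actually installs. Consider pointing at the v1.13 release notes instead, or stating in the line that the link describes the current release rather than the pinned one.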
@ -127,6 +129,7 @@ Things to note:
Once this is created the token to be used for authentication is `07401b.f395accd246ae52d`
Reference: https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/#bootstrap-token-secret-format
## Step 2 Authorize workers(kubelets) to create CSR
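Review bot: The bootstrap-token reference lands directly under a literal token, `07401b.f395accd246ae52d`, and nothing in the added line tells readers that this value is only a sample. Since the linked page describes the token format, add a sentence here asking readers to generate their own token ID and secret in that format rather than copying this one into a real cluster.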
@ -157,6 +160,7 @@ EOF
kubectl create -f csrs-for-bootstrapping.yaml
```
Reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#authorize-kubelet-to-create-csr
## Step 3 Authorize workers(kubelets) to approve CSR
```
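Review bot: The Reference line before `## Step 3 Authorize workers(kubelets) to approve CSR` appears to go in without a separating blank line: the header `-157,6 +160,7` shows one added line where the 6-to-8 hunks add two. Leave a blank line on both sides of it so it renders as its own paragraph and is not run into the closing fence or the heading.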
@ -184,6 +188,8 @@ EOF
kubectl create -f auto-approve-csrs-for-group.yaml
```
Reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#approval
## Step 3 Authorize workers(kubelets) to Auto Renew Certificates on expiration
We now create the Cluster Role Binding required for the nodes to automatically renew the certificates on expiry. Note that we are NOT using the **system:bootstrappers** group here any more. Since by the renewal period, we believe the node would be bootstrapped and part of the cluster already. All nodes are part of the **system:nodes** group.
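Review bot: The heading right after the new reference is a second `## Step 3` (the previous section is already `## Step 3 Authorize workers(kubelets) to approve CSR`), which makes the step numbers that follow ambiguous. Since this PR edits the lines next to both headings, renumber this heading and the later steps in the same change.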
@ -213,6 +219,8 @@ EOF
kubectl create -f auto-approve-renewals-for-nodes.yaml
```
Reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#approval
## Step 4 Configure Kubelet to TLS Bootstrap
It is now time to configure the second worker to TLS bootstrap using the token we generated
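Review bot: The reference after `kubectl create -f auto-approve-renewals-for-nodes.yaml` is the same `#approval` URL already added for the previous step, so it does not show readers what differs for renewals. Say in the line which part of that section covers renewal for the **system:nodes** group as opposed to the initial approval for **system:bootstrappers**, or link a more specific anchor if the page has one.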
@ -254,6 +262,8 @@ users:
EOF
```
Reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration
## Step 5 Create Kubelet Config File
Create the `kubelet-config.yaml` configuration file:
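Review bot: The reference before `## Step 5 Create Kubelet Config File`, like the other references in this PR, is a bare URL behind a plain `Reference:` label. A Markdown link with descriptive text, for example `[Kubelet configuration](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration)`, tells readers what they will find before they click and keeps the long URLs out of the rendered page.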
@ -383,6 +393,7 @@ Approve
`kubectl certificate approve csr-95bv6`
Reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubectl-approval
## Verification
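Review bot: The reference under `kubectl certificate approve csr-95bv6` documents manual approval, but the line above it still carries a CSR name from one particular run. Add a short note that readers should take the name from their own `kubectl get csr` output and check the request before approving it.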