# Bootstrapping the Kubernetes Worker Nodes In this lab you will bootstrap 2 Kubernetes worker nodes. We already have [Docker](https://www.docker.com) installed on these nodes. We will now install the kubernetes components - [kubelet](https://kubernetes.io/docs/admin/kubelet) - [kube-proxy](https://kubernetes.io/docs/concepts/cluster-administration/proxies). ## Prerequisites The commands in this lab must be run on first worker instance: `worker-1`. Login to first worker instance using SSH Terminal. ### Provisioning Kubelet Client Certificates Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/) called Node Authorizer, that specifically authorizes API requests made by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet). In order to be authorized by the Node Authorizer, Kubelets must use a credential that identifies them as being in the `system:nodes` group, with a username of `system:node:`. In this section you will create a certificate for each Kubernetes worker node that meets the Node Authorizer requirements. Generate a certificate and private key for one worker node: Worker1: ``` master-1$ cat > openssl-worker-1.cnf < The `resolvConf` configuration is used to avoid loops when using CoreDNS for service discovery on systems running `systemd-resolved`. Create the `kubelet.service` systemd unit file: ``` worker-1$ cat < Remember to run the above commands on worker node: `worker-1` ## Verification List the registered Kubernetes nodes from the master node: ``` master-1$ kubectl get nodes --kubeconfig admin.kubeconfig ``` > output ``` NAME STATUS ROLES AGE VERSION worker-1 NotReady 93s v1.13.0 ``` > Note: It is OK for the worker node to be in a NotReady state. That is because we haven't configured Networking yet. Next: [Configuring kubectl for Remote Access](10-configuring-kubectl.md)