# Setting up Authentication In this lab you will setup the necessary authentication configs to enable Kubernetes clients to bootstrap and authenticate using RBAC (Role-Based Access Control). ## Download and Install kubectl The kubectl client will be used to generate kubeconfig files which will be consumed by the kubelet and kube-proxy services. ### OS X ``` wget https://storage.googleapis.com/kubernetes-release/release/v1.7.0/bin/darwin/amd64/kubectl && \ chmod +x kubectl && \ sudo mv kubectl /usr/local/bin ``` ### Linux ``` wget https://storage.googleapis.com/kubernetes-release/release/v1.7.0/bin/linux/amd64/kubectl && \ chmod +x kubectl && \ sudo mv kubectl /usr/local/bin ``` ## Authentication The following components will leverage Kubernetes RBAC: * kubelet (client) * kube-proxy (client) * kubectl (client) The other components, mainly the `scheduler` and `controller manager`, access the Kubernetes API server locally over the insecure API port which does not require authentication. The insecure port is only enabled for local access. ### Create the TLS Bootstrap Token This section will walk you through the creation of a TLS bootstrap token that will be used to [bootstrap TLS client certificates for kubelets](https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/). Generate a token: ``` BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ') ``` Generate a token file: ``` cat > token.csv <