## Create Bootstrap Token on Master Node
This is the solution to the practice test on TLS Bootstrapping hosted [here](https://kodekloud.com/courses/certified-kubernetes-administrator-with-practice-tests/lectures/9833234)
```
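# Bootstrap token Secret. The kubelet presents "<token-id>.<token-secret>" to
# authenticate its very first API calls, so the secret value is a credential:
# keep it out of version control and delete the Secret once node03 has joined.
# The heredoc delimiter is quoted so the shell expands nothing inside it, and
# the id/secret/expiration are quoted so YAML never retypes a value that
# happens to look like a number or timestamp.
cat > bootstrap-token-09426c.yaml <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  # Name MUST be of form "bootstrap-token-<token id>"
  name: bootstrap-token-09426c
  namespace: kube-system

# Type MUST be 'bootstrap.kubernetes.io/token'
type: bootstrap.kubernetes.io/token
stringData:
  # Human readable description. Optional.
  description: "The default bootstrap token generated by 'kubeadm init'."

  # Token ID and secret. Required. The id is 6 and the secret 16 [a-z0-9]
  # characters; the kubelet uses them joined as "<id>.<secret>".
  token-id: "09426c"
  token-secret: "g262dkeidk3dx21x"

  # Expiration. Optional, but strongly recommended: the token is only needed
  # until the node's CSR is approved, so pick a time shortly in the future.
  # An already-past value (like the sample below) is rejected and the Secret
  # is removed by the token cleaner controller.
  expiration: "2020-03-10T03:22:11Z"

  # Allowed usages. Both are needed for bootstrapping: authentication lets the
  # kubelet call the API with the token, signing lets it verify the signed
  # cluster-info ConfigMap.
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"

  # Extra groups to authenticate the token as. Must start with "system:bootstrappers:"
  # A per-node sub-group lets RBAC bindings be scoped to just this node.
  auth-extra-groups: "system:bootstrappers:node03"
EOF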
```
`master$ kubectl create -f bootstrap-token-09426c.yaml`
## Create Cluster Role Binding
```
# Imperative form of the binding: members of the bootstrap group may submit
# CSRs. system:node-bootstrapper is limited to create/get/list/watch on
# certificatesigningrequests, so nothing beyond submitting a request is granted.
kubectl create clusterrolebinding crb-to-create-csr \
  --clusterrole=system:node-bootstrapper \
  --group=system:bootstrappers
```
--------------- OR ---------------
```
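# ClusterRoleBinding letting bootstrapping kubelets submit a CSR. The built-in
# system:node-bootstrapper ClusterRole only allows create/get/list/watch on
# certificatesigningrequests, so no approval rights are delegated here.
# The file is written with the .yaml suffix that the following
# `kubectl create -f crb-to-create-csr.yaml` step expects, and the heredoc
# delimiter is quoted so the shell does not expand anything inside it.
cat > crb-to-create-csr.yaml <<'EOF'
# enable bootstrapping nodes to create CSR
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crb-to-create-csr
subjects:
  - kind: Group
    name: system:bootstrappers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:node-bootstrapper
  apiGroup: rbac.authorization.k8s.io
EOF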
```
`master$ kubectl create -f crb-to-create-csr.yaml`
# Authorize auto-approval of CSRs from bootstrapping workers (kubelets)
```
# Imperative form of the binding: the controller-manager's CSR approver
# auto-approves the *initial* node client certificate only for requesters
# holding the nodeclient permission, so the subjects bound here bound what
# gets approved automatically.
kubectl create clusterrolebinding crb-to-approve-csr \
  --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient \
  --group=system:bootstrappers
```
--------------- OR ---------------
```
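# Lets the controller-manager's CSR approver auto-approve the *initial* node
# client certificate for members of system:bootstrappers. Approval is gated on
# the requester holding the nodeclient permission, so the subjects bound here
# are what bound automatic approval -- keep it to the bootstrap group (or a
# per-node "system:bootstrappers:<node>" sub-group), never a broader group.
# Mapping indentation is restored so metadata/subjects/roleRef nest correctly,
# and the heredoc delimiter is quoted so the shell expands nothing inside.
cat > crb-to-approve-csr.yaml <<'EOF'
# Approve all CSRs for the group "system:bootstrappers"
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: crb-node-autoapprove-csr
subjects:
  - kind: Group
    name: system:bootstrappers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:nodeclient
  apiGroup: rbac.authorization.k8s.io
EOF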
```
`master$ kubectl create -f crb-to-approve-csr.yaml`
# Auto rotate/renew certificates
```
# Imperative form of the binding: nodes that already hold an identity
# (group system:nodes) get renewal CSRs for their *own* client certificate
# auto-approved; selfnodeclient does not cover another node's certificate.
kubectl create clusterrolebinding auto-approve-renewals-for-nodes \
  --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeclient \
  --group=system:nodes
```
--------------- OR ---------------
```
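# Lets kubelets that already hold a node identity (group system:nodes) get
# *renewal* CSRs for their own client certificate auto-approved. The
# selfnodeclient permission only covers a CSR whose CN matches the requesting
# node identity, so one node cannot renew another node's certificate.
# The kubelet only sends renewal requests when certificate rotation is
# enabled on it (--rotate-certificates / rotateCertificates in its config).
# Mapping indentation is restored so metadata/subjects/roleRef nest correctly,
# and the heredoc delimiter is quoted so the shell expands nothing inside.
cat > auto-approve-renewals-for-nodes.yaml <<'EOF'
# Approve renewal CSRs for the group "system:nodes"
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: auto-approve-renewals-for-nodes
subjects:
  - kind: Group
    name: system:nodes
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:certificates.k8s.io:certificatesigningrequests:selfnodeclient
  apiGroup: rbac.authorization.k8s.io
EOF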
```
`kubectl create -f auto-approve-renewals-for-nodes.yaml`
# Create bootstrap context on node03
```
# Build the bootstrap kubeconfig the kubelet uses for its first API call.
# It holds the bootstrap token in clear text, so treat it as a credential
# file: kubectl creates it with mode 0600 (verify with `ls -l`), and it should
# be removed once /var/lib/kubelet/kubeconfig has been issued. Note that /tmp
# may be purged on reboot -- confirm that suits this node's lifecycle.
# The CA file must already be present on node03 at the path given below.
kubectl config --kubeconfig=/tmp/bootstrap-kubeconfig set-cluster bootstrap \
  --server='https://172.17.0.65:6443' \
  --certificate-authority=/etc/kubernetes/pki/ca.crt
kubectl config --kubeconfig=/tmp/bootstrap-kubeconfig set-credentials kubelet-bootstrap \
  --token=09426c.g262dkeidk3dx21x
kubectl config --kubeconfig=/tmp/bootstrap-kubeconfig set-context bootstrap \
  --user=kubelet-bootstrap \
  --cluster=bootstrap
kubectl config --kubeconfig=/tmp/bootstrap-kubeconfig use-context bootstrap
```
# Create Kubelet Service
Create a new systemd service file for the kubelet
```
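# systemd unit for the kubelet on the joining node. The bootstrap kubeconfig
# is only used until the node's client certificate is issued; from then on the
# kubelet writes and uses /var/lib/kubelet/kubeconfig.
# --rotate-certificates is added so the kubelet actually requests renewals of
# its client certificate; the selfnodeclient binding created earlier only
# approves such requests, it does not cause them.
# The heredoc delimiter is quoted so the shell writes the "\" continuations
# (and any "$") into the unit file unchanged.
cat > /etc/systemd/system/kubelet.service <<'EOF'
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes

[Service]
ExecStart=/usr/bin/kubelet \
  --bootstrap-kubeconfig=/tmp/bootstrap-kubeconfig \
  --kubeconfig=/var/lib/kubelet/kubeconfig \
  --rotate-certificates=true \
  --register-node=true \
  --v=2
Restart=on-failure
StandardOutput=file:/var/kubeletlog1.log
StandardError=file:/var/kubeletlog2.log
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF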
```
Reload systemd and start the kubelet
```
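# Reload unit definitions, then enable AND start the kubelet: the unit has an
# [Install] section, but `service kubelet start` alone never enables it, so
# the kubelet would not come back after a reboot.
node03$ systemctl daemon-reload
node03$ systemctl enable --now kubelet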
```
On the master node, check the CSR status and approve it:
```
# List pending CSRs, then approve the one raised by node03. Before approving
# by hand, inspect the request (`kubectl get csr <name> -o yaml`): its
# spec.username should be the bootstrap identity system:bootstrap:<token-id>
# and its groups should include system:bootstrappers; do not approve a CSR
# whose requester is anything else.
master$ kubectl get csr
master$ kubectl certificate approve node-csr-oJcfudnewY5mcSDHcLseKQ6Oze5YmP9ZdKNRHHdjfJI
```
Verify that the node has joined the cluster
```
# node03 is listed once its client certificate has been issued and the kubelet
# has registered; it may report NotReady until the node's network plugin is up.
master$ kubectl get nodes
```