Create kubeconfig for manually installed Calico for Windows nodes

Note: The manual method for installing Calico for Windows is deprecated in favor of using the Operator and Windows HostProcess containers (HPC). Support for this method will be dropped in a future Calico version.

Big picture

Create kubeconfig for Windows nodes for manual installations of Calico for Windows.

How to

In a manual installation of Calico for Windows, Calico requires a kubeconfig file to access the API server. This section describes how to find the existing calico-node service account used by Calico on the Linux side, and then export the service account token as a kubeconfig file for Calico to use.

Note: In general, the node kubeconfig as used by kubelet does not have enough permissions to access Calico-specific resources.

Export calico-node service account token as a kubeconfig file

Note: If your Kubernetes version is v1.24.0 or higher, service account token secrets are no longer automatically created. Before continuing, manually create the calico-node service account token:

    kubectl apply -f - <<EOF
    apiVersion: v1
    kind: Secret
    metadata:
      name: calico-node-token
      namespace: calico-system
      annotations:
        kubernetes.io/service-account.name: calico-node
    type: kubernetes.io/service-account-token
    EOF

Note: if Calico is installed in kube-system, update the namespace in the above command.

To make the kubeconfig file, you’ll need the URL of your Kubernetes API server.

Note: Kubernetes for Windows does not support access to services from the host, so you must use the address of your server, not the Kubernetes service IP.

Note: Use namespace kube-system instead of calico-system if your Calico installation is not operator-managed.

Set a variable to the URL of your API server:

    server=https://<server>:<port>

Then, find the secret containing the service account token for the calico-node service account:

    kubectl get secret -n calico-system | grep calico-node

Inspect the output, find the name of the token, and store it in a variable:

    name=calico-node-token-xxxxx

Extract the parts of the secret, storing them in variables:

    # ca stays base64-encoded (kubeconfig expects it that way); token and namespace are decoded
    ca=$(kubectl get secret/$name -o jsonpath='{.data.ca\.crt}' -n calico-system)
    token=$(kubectl get secret/$name -o jsonpath='{.data.token}' -n calico-system | base64 --decode)
    namespace=$(kubectl get secret/$name -o jsonpath='{.data.namespace}' -n calico-system | base64 --decode)

Then, output the file:

    cat <<EOF > calico-config
    apiVersion: v1
    kind: Config
    clusters:
    - name: kubernetes
      cluster:
        certificate-authority-data: ${ca}
        server: ${server}
    contexts:
    - name: calico-windows@kubernetes
      context:
        cluster: kubernetes
        namespace: calico-system
        user: calico-windows
    current-context: calico-windows@kubernetes
    users:
    - name: calico-windows
      user:
        token: ${token}
    EOF

Copy this config file to the Windows node as C:\CalicoWindows\calico-kube-config and set the KUBECONFIG environment variable in config.ps1 to point to it.
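
The following check is an added example, not part of the Calico documentation: it verifies the calico-config file written by the steps above before it is copied, since the file holds the calico-node bearer token in clear text. The function names, the 192.0.2.10 address and the sample token are constructed for illustration; the script assumes GNU base64 and compact JSON token claims.

```shell
#!/bin/sh
# Added example (not from the Calico docs): sanity-check calico-config before copying it.

# Print the value of the first "<key>: value" line in a kubeconfig.
field() { sed -n "s/^ *$2: *//p" "$1" | head -n 1; }

# Decode the claims segment of a JWT (base64url -> base64, padding restored).
jwt_claims() {
  seg=$(printf '%s' "$1" | cut -s -d. -f2 | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 --decode 2>/dev/null
}

# check_kubeconfig FILE [NAMESPACE]: returns 0 only if every check passes.
check_kubeconfig() {
  file=$1; ns=${2:-calico-system}; rc=0
  # The file carries a bearer token, so group/other must have no access.
  [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
    { echo "FAIL: $file is accessible to group/other; chmod 600"; rc=1; }
  # The API server is addressed directly and must use TLS.
  case $(field "$file" server) in
    https://*) ;;
    *) echo "FAIL: server is not an https:// URL"; rc=1 ;;
  esac
  # certificate-authority-data stays base64-encoded PEM (it is not decoded).
  field "$file" certificate-authority-data | base64 --decode 2>/dev/null |
    grep -q 'BEGIN CERTIFICATE' ||
    { echo "FAIL: certificate-authority-data is not base64 PEM"; rc=1; }
  # The token is the decoded JWT; its subject must be calico-node in $ns.
  # Assumes compact JSON claims (no whitespace), as in a service account token.
  jwt_claims "$(field "$file" token)" |
    grep -q "\"sub\":\"system:serviceaccount:$ns:calico-node\"" ||
    { echo "FAIL: token subject is not calico-node in $ns"; rc=1; }
  return $rc
}

# Constructed sample: unsigned token and placeholder CA, not real credentials.
make_sample() {
  claims='{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:calico-system:calico-node"}'
  tok=$(printf '%s' "$claims" | base64 | tr -d '=\n' | tr '/+' '_-')
  ca=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' | base64 | tr -d '\n')
  printf '    certificate-authority-data: %s\n    server: https://192.0.2.10:6443\n    token: e30.%s.sig\n' "$ca" "$tok" > "$1"
}

sample=$(mktemp); make_sample "$sample"
chmod 644 "$sample"; check_kubeconfig "$sample" || echo "rejected until permissions are fixed"
chmod 600 "$sample"; check_kubeconfig "$sample" && echo "calico-config checks passed"
rm -f "$sample"
```

Run `check_kubeconfig calico-config` after the "output the file" step, passing `kube-system` as the second argument if Calico is installed there.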