Access and operations

service/kubernetes

As soon as the cluster is running, we want to be able to access the Kubernetes API remotely. This can be done by copying /etc/kubernetes/admin.conf from kube1 to your own machine. After installing kubectl locally, execute the following commands:

#  create local config folder
mkdir -p ~/.kube
#  backup old config if required
[ -f ~/.kube/config ] && cp ~/.kube/config ~/.kube/config.backup
#  copy config from master node
scp root@<PUBLIC_IP_KUBE1>:/etc/kubernetes/admin.conf ~/.kube/config
#  change config to use correct IP address
kubectl config set-cluster kubernetes --server=https://<PUBLIC_IP_KUBE1>:6443

You’re now able to remotely access the Kubernetes API. Running kubectl get nodes should show a list of nodes similar to this:

NAME      STATUS    AGE       VERSION
kube1     Ready     1h        v1.9.1
kube2     Ready     1h        v1.9.1
kube3     Ready     1h        v1.9.1

Role-Based Access Control

As of version 1.6, kubeadm configures Kubernetes with RBAC enabled. Because our hobby cluster is typically operated by trusted people, we should enable permissive RBAC permissions to be able to deploy any kind of services using any kind of resources. If you’re in doubt whether this is secure enough for your use case, please refer to the official RBAC documentation.

kubectl create clusterrolebinding permissive-binding \
  --clusterrole=cluster-admin \
  --user=admin \
  --user=kubelet \
  --group=system:serviceaccounts

Deploying services

Services can now be deployed remotely by calling kubectl -f apply <FILE>. It’s also possible to apply multiple files by pointing to a folder, for example:

$ ls dashboard/
deployment.yml  service.yml
$ kubectl apply -f dashboard/
deployment "kubernetes-dashboard" created
service "kubernetes-dashboard" created

This guide will make no further explanations in this regard. Please refer to the official documentation on kubernetes.io.