Generating Kubernetes Configuration Files for Authentication

In this lab you will generate Kubernetes configuration files, also known as kubeconfigs, which enable Kubernetes clients to locate and authenticate to the Kubernetes API Servers.

Client Authentication Configs

In this section you will generate kubeconfig files for the kubelet and kube-proxy clients.

The scheduler and controller manager access the Kubernetes API Server locally over an insecure API port which does not require authentication. The Kubernetes API Server’s insecure port is only enabled for local access.

Kubernetes Public IP Address

Each kubeconfig requires a Kubernetes API Server to connect to. To support high availability the IP address assigned to the external load balancer fronting the Kubernetes API Servers will be used.

Retrieve the kubernetes-the-hard-way static IP address:

  1. KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
  2.   --region $(gcloud config get-value compute/region) \
  3.   --format 'value(address)')

The kubelet Kubernetes Configuration File

When generating kubeconfig files for Kubelets the client certificate matching the Kubelet’s node name must be used. This will ensure Kubelets are properly authorized by the Kubernetes Node Authorizer.

Generate a kubeconfig file for each worker node:

  1. for instance in worker-0 worker-1 worker-2; do
  2.   kubectl config set-cluster kubernetes-the-hard-way \
  3.     --certificate-authority=ca.pem \
  4.     --embed-certs=true \
  5.     --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
  6.     --kubeconfig=${instance}.kubeconfig
  8.   kubectl config set-credentials system:node:${instance} \
  9.     --client-certificate=${instance}.pem \
  10.     --client-key=${instance}-key.pem \
  11.     --embed-certs=true \
  12.     --kubeconfig=${instance}.kubeconfig
  14.   kubectl config set-context default \
  15.     --cluster=kubernetes-the-hard-way \
  16.     --user=system:node:${instance} \
  17.     --kubeconfig=${instance}.kubeconfig
  19.   kubectl config use-context default --kubeconfig=${instance}.kubeconfig
  20. done

Results:

  1. worker-0.kubeconfig
  2. worker-1.kubeconfig
  3. worker-2.kubeconfig

The kube-proxy Kubernetes Configuration File

Generate a kubeconfig file for the kube-proxy service:

  1. kubectl config set-cluster kubernetes-the-hard-way \
  2.   --certificate-authority=ca.pem \
  3.   --embed-certs=true \
  4.   --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
  5.   --kubeconfig=kube-proxy.kubeconfig
  1. kubectl config set-credentials kube-proxy \
  2.   --client-certificate=kube-proxy.pem \
  3.   --client-key=kube-proxy-key.pem \
  4.   --embed-certs=true \
  5.   --kubeconfig=kube-proxy.kubeconfig
  1. kubectl config set-context default \
  2.   --cluster=kubernetes-the-hard-way \
  3.   --user=kube-proxy \
  4.   --kubeconfig=kube-proxy.kubeconfig
  1. kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig

Distribute the Kubernetes Configuration Files

Copy the appropriate kubelet and kube-proxy kubeconfig files to each worker instance:

  1. for instance in worker-0 worker-1 worker-2; do
  2.   gcloud compute scp ${instance}.kubeconfig kube-proxy.kubeconfig ${instance}:~/
  3. done

Next: Generating the Data Encryption Config and Key