Kubernetes the hard way on bare metal/VMs — Generate kubeconfig files & encryption key
Part of the Kubernetes the hard way on bare metal/VM
Introduction
This guide is part of the Kubernetes the hard way on bare metal/VMs series. On its own it may still be useful to you; however, since it is tailored for the series, it may not be completely suited to your needs.
Get a directory created so you can drop all the configuration files in there.
mkdir configs
Generate Worker kubeconfigs
If you’re on a single node, you can just remove the first and last line (the for/done wrapper) and replace ${instance} with your single node’s hostname.
for instance in worker-0 worker-1 worker-2; do
  kubectl config set-cluster DeeToTheVee-kubernetes \
    --certificate-authority=pki/ca/ca.pem \
    --embed-certs=true \
    --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
    --kubeconfig=configs/clients/${instance}.kubeconfig

  kubectl config set-credentials system:node:${instance} \
    --client-certificate=pki/clients/${instance}.pem \
    --client-key=pki/clients/${instance}-key.pem \
    --embed-certs=true \
    --kubeconfig=configs/clients/${instance}.kubeconfig

  kubectl config set-context default \
    --cluster=DeeToTheVee-kubernetes \
    --user=system:node:${instance} \
    --kubeconfig=configs/clients/${instance}.kubeconfig

  kubectl config use-context default --kubeconfig=configs/clients/${instance}.kubeconfig
done
Generate kube-proxy kubeconfig
kubectl config set-cluster DeeToTheVee-kubernetes \
  --certificate-authority=pki/ca/ca.pem \
  --embed-certs=true \
  --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
  --kubeconfig=configs/proxy/kube-proxy.kubeconfig

kubectl config set-credentials system:kube-proxy \
  --client-certificate=pki/proxy/kube-proxy.pem \
  --client-key=pki/proxy/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=configs/proxy/kube-proxy.kubeconfig

kubectl config set-context default \
  --cluster=DeeToTheVee-kubernetes \
  --user=system:kube-proxy \
  --kubeconfig=configs/proxy/kube-proxy.kubeconfig

kubectl config use-context default --kubeconfig=configs/proxy/kube-proxy.kubeconfig
Generate kube-controller-manager kubeconfig
kubectl config set-cluster DeeToTheVee-kubernetes \
  --certificate-authority=pki/ca/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:6443 \
  --kubeconfig=configs/controller/kube-controller-manager.kubeconfig

kubectl config set-credentials system:kube-controller-manager \
  --client-certificate=pki/controller/kube-controller-manager.pem \
  --client-key=pki/controller/kube-controller-manager-key.pem \
  --embed-certs=true \
  --kubeconfig=configs/controller/kube-controller-manager.kubeconfig

kubectl config set-context default \
  --cluster=DeeToTheVee-kubernetes \
  --user=system:kube-controller-manager \
  --kubeconfig=configs/controller/kube-controller-manager.kubeconfig

kubectl config use-context default --kubeconfig=configs/controller/kube-controller-manager.kubeconfig
Generate kube-scheduler kubeconfig
kubectl config set-cluster DeeToTheVee-kubernetes \
  --certificate-authority=pki/ca/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:6443 \
  --kubeconfig=configs/scheduler/kube-scheduler.kubeconfig

kubectl config set-credentials system:kube-scheduler \
  --client-certificate=pki/scheduler/kube-scheduler.pem \
  --client-key=pki/scheduler/kube-scheduler-key.pem \
  --embed-certs=true \
  --kubeconfig=configs/scheduler/kube-scheduler.kubeconfig

kubectl config set-context default \
  --cluster=DeeToTheVee-kubernetes \
  --user=system:kube-scheduler \
  --kubeconfig=configs/scheduler/kube-scheduler.kubeconfig

kubectl config use-context default --kubeconfig=configs/scheduler/kube-scheduler.kubeconfig
Generate admin user kubeconfig
kubectl config set-cluster DeeToTheVee-kubernetes \
  --certificate-authority=pki/ca/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:6443 \
  --kubeconfig=configs/admin/admin.kubeconfig

kubectl config set-credentials admin \
  --client-certificate=pki/admin/admin.pem \
  --client-key=pki/admin/admin-key.pem \
  --embed-certs=true \
  --kubeconfig=configs/admin/admin.kubeconfig

kubectl config set-context default \
  --cluster=DeeToTheVee-kubernetes \
  --user=admin \
  --kubeconfig=configs/admin/admin.kubeconfig

# Note the path: the final command must point at the same file as the three above,
# otherwise a stray admin.kubeconfig with only a current-context line is created in the working directory.
kubectl config use-context default --kubeconfig=configs/admin/admin.kubeconfig
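Before any of these files leave the admin machine it is worth checking that they contain what the component expects: embedded certificates rather than paths that will not exist on the target host, a client certificate actually issued by the cluster CA, the CN that the API server's Node authorizer or RBAC binding keys on (system:node:worker-0, system:kube-proxy, and so on), and the right server URL (the public address for workers, 127.0.0.1 for the control-plane components). The script below is an added example and not part of the guide; it needs only sh, awk, base64 and openssl. The check_kubeconfig function is the useful part; make_fixture builds a throwaway CA, client cert and kubeconfig (in the same shape kubectl writes with --embed-certs=true) purely so the example runs offline, and the 10.0.0.10 address is a constructed placeholder for ${KUBERNETES_PUBLIC_ADDRESS}.

```shell
#!/bin/sh
# Added example (not from the guide): verify a generated kubeconfig before scp'ing it.
set -eu

# Read one scalar from a kubeconfig. kubectl writes flat, 2-space YAML, so a
# "key: value" field lookup is enough for files kubectl itself generated.
kc_field() {   # kc_field FILE KEY
    awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# Decode an embedded PEM blob such as certificate-authority-data.
kc_pem() {     # kc_pem FILE KEY
    kc_field "$1" "$2" | base64 -d
}

# check_kubeconfig FILE EXPECTED_CN EXPECTED_SERVER_URL -> returns 0 only if every check passes
check_kubeconfig() {
    f="$1"; want_cn="$2"; want_server="$3"; rc=0
    tmp=$(mktemp -d)

    # 1. certs must be embedded; a file path here breaks once the file is on another host
    if ! grep -q '^ *certificate-authority-data:' "$f" || ! grep -q '^ *client-certificate-data:' "$f"; then
        echo "FAIL: $f: CA or client certificate is not embedded" >&2; rc=1
    fi

    # 2. the component must talk to the endpoint intended for it
    server=$(kc_field "$f" server)
    [ "$server" = "$want_server" ] || { echo "FAIL: $f: server is '$server', expected '$want_server'" >&2; rc=1; }

    # 3. the client cert must chain to the embedded CA and carry the expected identity
    kc_pem "$f" certificate-authority-data > "$tmp/ca.pem"
    kc_pem "$f" client-certificate-data   > "$tmp/client.pem"
    openssl verify -CAfile "$tmp/ca.pem" "$tmp/client.pem" >/dev/null 2>&1 \
        || { echo "FAIL: $f: client certificate was not issued by the embedded CA" >&2; rc=1; }
    cn=$(openssl x509 -in "$tmp/client.pem" -noout -subject -nameopt RFC2253 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$want_cn" ] || { echo "FAIL: $f: client certificate CN is '$cn', expected '$want_cn'" >&2; rc=1; }

    rm -rf "$tmp"
    return $rc
}

# --- constructed fixture so the example runs offline (throwaway CA + client cert) ---
make_fixture() {   # make_fixture DIR CN ORG SERVER_URL -> writes DIR/test.kubeconfig
    d="$1"; cn="$2"; org="$3"; server="$4"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-ca" \
        -keyout "$d/ca-key.pem" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn/O=$org" \
        -keyout "$d/client-key.pem" -out "$d/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -days 1 -out "$d/client.pem" >/dev/null 2>&1
    b64() { base64 "$1" | tr -d '\n'; }
    cat > "$d/test.kubeconfig" <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: $(b64 "$d/ca.pem")
    server: $server
  name: DeeToTheVee-kubernetes
contexts:
- context:
    cluster: DeeToTheVee-kubernetes
    user: $cn
  name: default
current-context: default
users:
- name: $cn
  user:
    client-certificate-data: $(b64 "$d/client.pem")
    client-key-data: $(b64 "$d/client-key.pem")
EOF
}

# Stand-alone run: check a constructed worker-0 kubeconfig. Against the guide's real files
# you would call, for example:
#   check_kubeconfig configs/clients/worker-0.kubeconfig system:node:worker-0 https://${KUBERNETES_PUBLIC_ADDRESS}:6443
#   check_kubeconfig configs/scheduler/kube-scheduler.kubeconfig system:kube-scheduler https://127.0.0.1:6443
demo=$(mktemp -d)
make_fixture "$demo" system:node:worker-0 system:nodes https://10.0.0.10:6443
check_kubeconfig "$demo/test.kubeconfig" system:node:worker-0 https://10.0.0.10:6443 && echo "OK: $demo/test.kubeconfig"
rm -rf "$demo"
```

The CN check is the one that catches copy-paste mistakes between the five sections above: a kube-proxy kubeconfig that embeds the scheduler's certificate will authenticate fine but will be authorized as the wrong principal, and that is only visible once the component starts failing on the node.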
Finally, let’s move the kubeconfigs
Now push them as you did with the TLS certs and configs.
for instance in worker-0 worker-1 worker-2; do
  scp configs/clients/${instance}.kubeconfig configs/proxy/kube-proxy.kubeconfig ${instance}:~/
done

for instance in controller-0 controller-1 controller-2; do
  scp configs/admin/admin.kubeconfig configs/controller/kube-controller-manager.kubeconfig configs/scheduler/kube-scheduler.kubeconfig ${instance}:~/
done
Generating the data encryption key and config
This key is used by the API server to encrypt Secrets at rest in etcd (the config below covers only the secrets resource); it does not encrypt traffic between nodes, which is what the TLS certificates are for.
mkdir data-encryption

ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)

# Provider order matters: the API server encrypts new objects with the FIRST provider listed
# and only uses the others to read. With identity first, Secrets would be stored in plaintext.
cat > data-encryption/encryption-config.yaml <<EOF
apiVersion: v1
kind: EncryptionConfig
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
EOF
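Two things go wrong with this file in practice: the providers end up in the wrong order (identity first, so nothing is actually encrypted on write), or the key is not the 32 bytes aescbc expects (a base64 string of the wrong length is rejected by the API server at startup, which is not the moment you want to discover it). The following is an added example, not code from the guide; it generates the key and config exactly as above and then checks the provider order, the decoded key length and the file mode before the file is copied to the controllers. Only the output path is taken from the guide; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the guide): generate and sanity-check encryption-config.yaml.
set -eu

# 32 random bytes, base64 encoded. aescbc accepts keys of exactly 16, 24 or 32 raw bytes.
gen_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_encryption_config KEY_B64 OUT_FILE
# aescbc is listed first because the first provider is the one used to write new objects;
# identity stays last so objects that were stored unencrypted earlier remain readable.
write_encryption_config() {
    key="$1"; out="$2"
    mkdir -p "$(dirname "$out")"
    rm -f "$out"
    (
        umask 077    # the file carries the key: create it owner-readable only
        cat > "$out" <<EOF
apiVersion: v1
kind: EncryptionConfig
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${key}
      - identity: {}
EOF
    )
}

# check_encryption_config FILE -> 0 if the config is usable and safe, 1 otherwise (reasons on stderr)
check_encryption_config() {
    cfg="$1"; rc=0

    # 1. the first provider must encrypt; "identity" first means plaintext writes
    first=$(awk '/^[[:space:]]*- (aescbc|aesgcm|secretbox|kms|identity)/ {
                     sub(/^[[:space:]]*- /, ""); sub(/:.*/, ""); print; exit }' "$cfg")
    if [ -z "$first" ] || [ "$first" = "identity" ]; then
        echo "FAIL: first provider is '${first:-none}', new Secrets would be written unencrypted" >&2; rc=1
    fi

    # 2. every key must decode to a valid AES key length
    for s in $(awk '/secret:/ { print $2 }' "$cfg"); do
        n=$(printf '%s' "$s" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
        case "$n" in
            16|24|32) ;;
            *) echo "FAIL: key decodes to ${n:-0} bytes, aescbc needs 16, 24 or 32" >&2; rc=1 ;;
        esac
    done

    # 3. the file contains the key, so group/world must not be able to read it
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $cfg has mode $mode, expected 600" >&2; rc=1 ;;
    esac

    return $rc
}

# Stand-alone run: produce the guide's data-encryption/encryption-config.yaml and check it.
ENCRYPTION_KEY=$(gen_key)
write_encryption_config "$ENCRYPTION_KEY" data-encryption/encryption-config.yaml
check_encryption_config data-encryption/encryption-config.yaml && echo "OK: data-encryption/encryption-config.yaml"
```

Run the check again on each controller after the scp below: scp applies the remote umask rather than preserving the source mode, so a file that was 600 here can land as 644 there.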
Now push them to the controller(s) or the single node if that’s what you’re using.
for instance in controller-0 controller-1 controller-2; do
  scp data-encryption/encryption-config.yaml ${instance}:~/
done
Conclusion
You’ve generated all of the kubeconfigs and the encryption key required.