Kubernetes the hard way on bare metal/VMs — Generate kubeconfig files & encryption key
Part of the Kubernetes the hard way on bare metal/VM. This is designed for beginners.
Introduction
This guide is part of the Kubernetes the hard way on bare metal/VMs series. On its own it may still be useful to you; however, since it is tailored for the series, it may not be completely suited to your needs.
In this section we’ll create the kubeconfigs that the services will use to communicate across the cluster.
Get a directory created so you can drop all the configuration files in there.
mkdir configs
Generate Worker kubeconfigs
If you’re on a single node you can drop the for and done lines and replace ${instance} with your single node’s hostname.
for instance in k8s-worker-0 k8s-worker-1 k8s-worker-2; do
  kubectl config set-cluster Drewbernetes \
    --certificate-authority=pki/ca/ca.pem \
    --embed-certs=true \
    --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
    --kubeconfig=configs/clients/${instance}.kubeconfig

  kubectl config set-credentials system:node:${instance} \
    --client-certificate=pki/clients/${instance}.pem \
    --client-key=pki/clients/${instance}-key.pem \
    --embed-certs=true \
    --kubeconfig=configs/clients/${instance}.kubeconfig

  kubectl config set-context default \
    --cluster=Drewbernetes \
    --user=system:node:${instance} \
    --kubeconfig=configs/clients/${instance}.kubeconfig

  kubectl config use-context default --kubeconfig=configs/clients/${instance}.kubeconfig
done
Generate kube-proxy kubeconfig
kubectl config set-cluster Drewbernetes \
  --certificate-authority=pki/ca/ca.pem \
  --embed-certs=true \
  --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
  --kubeconfig=configs/proxy/kube-proxy.kubeconfig

kubectl config set-credentials system:kube-proxy \
  --client-certificate=pki/proxy/kube-proxy.pem \
  --client-key=pki/proxy/kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=configs/proxy/kube-proxy.kubeconfig

kubectl config set-context default \
  --cluster=Drewbernetes \
  --user=system:kube-proxy \
  --kubeconfig=configs/proxy/kube-proxy.kubeconfig

kubectl config use-context default --kubeconfig=configs/proxy/kube-proxy.kubeconfig
Generate kube-controller-manager kubeconfig
kubectl config set-cluster Drewbernetes \
  --certificate-authority=pki/ca/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:6443 \
  --kubeconfig=configs/controller/kube-controller-manager.kubeconfig

kubectl config set-credentials system:kube-controller-manager \
  --client-certificate=pki/controller/kube-controller-manager.pem \
  --client-key=pki/controller/kube-controller-manager-key.pem \
  --embed-certs=true \
  --kubeconfig=configs/controller/kube-controller-manager.kubeconfig

kubectl config set-context default \
  --cluster=Drewbernetes \
  --user=system:kube-controller-manager \
  --kubeconfig=configs/controller/kube-controller-manager.kubeconfig

kubectl config use-context default --kubeconfig=configs/controller/kube-controller-manager.kubeconfig
Generate kube-scheduler kubeconfig
kubectl config set-cluster Drewbernetes \
  --certificate-authority=pki/ca/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:6443 \
  --kubeconfig=configs/scheduler/kube-scheduler.kubeconfig

kubectl config set-credentials system:kube-scheduler \
  --client-certificate=pki/scheduler/kube-scheduler.pem \
  --client-key=pki/scheduler/kube-scheduler-key.pem \
  --embed-certs=true \
  --kubeconfig=configs/scheduler/kube-scheduler.kubeconfig

kubectl config set-context default \
  --cluster=Drewbernetes \
  --user=system:kube-scheduler \
  --kubeconfig=configs/scheduler/kube-scheduler.kubeconfig

kubectl config use-context default --kubeconfig=configs/scheduler/kube-scheduler.kubeconfig
Generate admin user kubeconfig
kubectl config set-cluster Drewbernetes \
  --certificate-authority=pki/ca/ca.pem \
  --embed-certs=true \
  --server=https://127.0.0.1:6443 \
  --kubeconfig=configs/admin/admin.kubeconfig

kubectl config set-credentials admin \
  --client-certificate=pki/admin/admin.pem \
  --client-key=pki/admin/admin-key.pem \
  --embed-certs=true \
  --kubeconfig=configs/admin/admin.kubeconfig

kubectl config set-context default \
  --cluster=Drewbernetes \
  --user=admin \
  --kubeconfig=configs/admin/admin.kubeconfig

kubectl config use-context default --kubeconfig=configs/admin/admin.kubeconfig
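The five blocks above differ only in the user name, client certificate, key and API endpoint. The script below is an added example of mine, not code from the guide: it folds the four repeated kubectl steps into one function and adds the checks worth running before the scp step. Each kubeconfig embeds a private key (--embed-certs=true), so the check insists on mode 0600; it also confirms the user recorded in the file is the one intended, and, where openssl is available, prints the embedded certificate's subject so you can confirm a worker's cert carries CN system:node:<host> and O=system:nodes, which is exactly what the Node authorizer keys on. It assumes the guide's paths (pki/..., configs/...) and the cluster name Drewbernetes; the kubeconfig used to exercise the checks is constructed.

```shell
#!/usr/bin/env bash
# Added example, not the guide's own code: one helper for the five kubeconfigs
# above plus pre-push checks. Assumes the guide's paths (pki/..., configs/...)
# and the cluster name Drewbernetes.
set -eu

CLUSTER_NAME="Drewbernetes"
CA_CERT="pki/ca/ca.pem"

# gen_kubeconfig USER CLIENT_CERT CLIENT_KEY SERVER OUTFILE
# The four kubectl steps the guide repeats for each component, parameterised.
gen_kubeconfig() {
  user="$1"; cert="$2"; key="$3"; server="$4"; out="$5"
  kubectl config set-cluster "$CLUSTER_NAME" \
    --certificate-authority="$CA_CERT" --embed-certs=true \
    --server="$server" --kubeconfig="$out"
  kubectl config set-credentials "$user" \
    --client-certificate="$cert" --client-key="$key" \
    --embed-certs=true --kubeconfig="$out"
  kubectl config set-context default \
    --cluster="$CLUSTER_NAME" --user="$user" --kubeconfig="$out"
  kubectl config use-context default --kubeconfig="$out"
}

# file_mode FILE -> permission bits in octal (GNU stat, BSD stat fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# is_owner_only FILE -> 0 when the file is 0600. The kubeconfig embeds the
# client private key, so anything wider than owner read/write is a finding.
is_owner_only() {
  [ "$(file_mode "$1")" = "600" ]
}

# kubeconfig_user FILE -> user name recorded under users: in the kubeconfig.
# Parses the layout kubectl writes: "users:" followed by "- name: <user>".
kubeconfig_user() {
  awk '/^users:/ { in_users = 1; next }
       in_users && /^- name:/ { print $3; exit }' "$1"
}

# cert_subject FILE -> subject of the embedded client certificate, so a worker
# kubeconfig can be confirmed as CN=system:node:<host>, O=system:nodes before
# it is pushed. Needs openssl on the machine running the check.
cert_subject() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  awk '/client-certificate-data:/ { print $2; exit }' "$1" \
    | base64 -d | openssl x509 -noout -subject
}

# check_kubeconfig FILE EXPECTED_USER -> 0 only if mode and user both match.
check_kubeconfig() {
  f="$1"; want="$2"
  is_owner_only "$f" || { echo "$f: mode $(file_mode "$f"), expected 600" >&2; return 1; }
  got="$(kubeconfig_user "$f")"
  [ "$got" = "$want" ] || { echo "$f: user $got, expected $want" >&2; return 1; }
}

# Usage with the guide's worker loop (needs kubectl and the PKI files present):
#   for instance in k8s-worker-0 k8s-worker-1 k8s-worker-2; do
#     gen_kubeconfig "system:node:${instance}" "pki/clients/${instance}.pem" \
#       "pki/clients/${instance}-key.pem" "https://${KUBERNETES_PUBLIC_ADDRESS}:6443" \
#       "configs/clients/${instance}.kubeconfig"
#     check_kubeconfig "configs/clients/${instance}.kubeconfig" "system:node:${instance}"
#   done
```

kubectl already writes kubeconfig files as 0600, so a failed mode check usually means the file was copied or edited by something else; the user check catches the easy mistake of pointing a component's --kubeconfig at another component's file, which the API server would then reject as the wrong identity.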
Finally, let’s move the kubeconfigs
Now push them as you did with the TLS certs and configs.
for instance in k8s-worker-0 k8s-worker-1 k8s-worker-2; do
  scp configs/clients/${instance}.kubeconfig configs/proxy/kube-proxy.kubeconfig USER@${instance}:~/
done

for instance in k8s-controller-0 k8s-controller-1 k8s-controller-2; do
  scp configs/admin/admin.kubeconfig configs/controller/kube-controller-manager.kubeconfig configs/scheduler/kube-scheduler.kubeconfig USER@${instance}:~/
done
Generating the data encryption key and config
The API server uses this key to encrypt Secret objects before they are written to etcd (encryption at rest); traffic between nodes is already protected by the TLS certificates generated earlier. The key is written into encryption-config.yaml in the clear, so handle that file like a private key.
mkdir data-encryption

ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)

cat > data-encryption/encryption-config.yaml <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
EOF
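The following is an added example of mine, not the guide's code: the same key generation and EncryptionConfiguration as above, with two checks the guide leaves out. The aescbc provider only accepts 16-, 24- or 32-byte keys (AES-128/192/256) and kube-apiserver refuses to start on any other size, so the decoded key length is verified before the file is written; and because the file carries the key in plaintext it is created 0600 via umask. Provider order is kept as in the guide because it matters: the first provider encrypts new writes, and identity last keeps any Secrets stored before encryption was enabled readable. The sample keys used to exercise the checks are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the guide's own code: generate the EncryptionConfiguration
# as the guide does, but refuse keys of an illegal AES size and write it 0600.
set -eu

# key_bytes KEY -> decoded length in bytes of a base64 key.
key_bytes() {
  printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# valid_aes_key KEY -> 0 if the decoded key is 16, 24 or 32 bytes, the only
# sizes aescbc accepts; anything else stops kube-apiserver at startup.
valid_aes_key() {
  case "$(key_bytes "$1")" in
    16|24|32) return 0 ;;
    *) return 1 ;;
  esac
}

# new_key -> fresh 32-byte (AES-256) key, base64 as the config expects.
new_key() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_encryption_config KEY OUTFILE
# Same document as the guide. aescbc first so new writes are encrypted,
# identity last so rows written before encryption was enabled still decode.
write_encryption_config() {
  key="$1"; out="$2"
  valid_aes_key "$key" || {
    echo "refusing key of $(key_bytes "$key") bytes; aescbc needs 16, 24 or 32" >&2
    return 1
  }
  # Subshell so the umask change does not leak into the caller; the file holds
  # the key in the clear, so it is created 0600.
  (
    umask 077
    cat > "$out" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${key}
      - identity: {}
EOF
  )
}

# Usage matching the guide's layout:
#   mkdir -p data-encryption
#   write_encryption_config "$(new_key)" data-encryption/encryption-config.yaml
```

When a key is later rotated, the new key is added as the first entry under keys so it is used for writes while the old one remains available for reads until every Secret has been rewritten.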
Now push them to the controller(s) or the single node if that’s what you’re using.
for instance in k8s-controller-0 k8s-controller-1 k8s-controller-2; do
scp data-encryption/encryption-config.yaml USER@${instance}:~/
done
Conclusion
You’ve generated all of the kubeconfigs and the encryption key required.