The kubeconfig files are used in Kubernetes to store cluster authentication information and configuration details such as API server endpoint, client certificates, and API access tokens. They allow you to easily switch between different clusters and authentication contexts, making it easier to manage multiple Kubernetes clusters and control access to resources within those clusters.
The kubeconfig file is used by the kubectl command line tool, as well as other Kubernetes tools, to communicate with a specific cluster and perform operations on the resources in that cluster.
Pre-Requisite
kubectl
Generating Kubernetes Configuration Files for Authentication
It's always a good practice to use exact file paths for certificates in kubeconfigs that will be used later on by other services. When the certificates are updated, it's not necessary to generate the config files again. But if the certificate data was embedded in the config, it would have to be regenerated with the new certificate data.
kubeconfig generation.
User configs, like admin.kubeconfig, will have the certificate info embedded within them.
Generating kubeconfig files
We will now generate kubeconfig files for the different components in our cluster, like the controller manager, cluster-admin, kube-proxy and kube-scheduler.
For the kubeconfig to work correctly, it requires a Kubernetes API Server to connect to, without which it's unusable. We'll store the public IP of our master node in a shell variable so that it can be used later during the generation of kubeconfigs for the services that run on worker nodes. The controller manager and scheduler need to talk to the local API server; hence they use the localhost address in their respective configs.
MASTER="192.168.1.22"
Let's work on generating the Kubernetes configuration files one by one.
1. kube-proxy
To generate a kubeconfig file for the kube-proxy service, follow the commands below:
#Commands to generate kubeconfig for kube-proxy service
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=/var/lib/kubernetes/pki/ca.crt \
--server=https://${MASTER}:6443 \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials system:kube-proxy \
--client-certificate=/var/lib/kubernetes/pki/kube-proxy.crt \
--client-key=/var/lib/kubernetes/pki/kube-proxy.key \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=system:kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
kubeconfig for kube-proxy service
2. kube-controller-manager
To generate a kubeconfig file for the kube-controller-manager service, follow the commands below:
#Commands to generate kubeconfig for kube-controller-manager service
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=/var/lib/kubernetes/pki/ca.crt \
--server=https://127.0.0.1:6443 \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=/var/lib/kubernetes/pki/kube-controller-manager.crt \
--client-key=/var/lib/kubernetes/pki/kube-controller-manager.key \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=system:kube-controller-manager \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
kubeconfig for kube-controller-manager service
3. kube-scheduler
To generate a kubeconfig file for the kube-scheduler service, follow the commands below:
#Commands to generate kubeconfig file for kube-scheduler service
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=/var/lib/kubernetes/pki/ca.crt \
--server=https://127.0.0.1:6443 \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler \
--client-certificate=/var/lib/kubernetes/pki/kube-scheduler.crt \
--client-key=/var/lib/kubernetes/pki/kube-scheduler.key \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=system:kube-scheduler \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
kubeconfig for kube-scheduler service
4. cluster-admin
To generate a kubeconfig file for the admin user, follow the commands below:
#Commands to generate kubeconfig for admin user
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.crt \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=admin.kubeconfig
kubectl config set-credentials admin \
--client-certificate=admin.crt \
--client-key=admin.key \
--embed-certs=true \
--kubeconfig=admin.kubeconfig
kubectl config set-context default \
--cluster=kubernetes-the-hard-way \
--user=admin \
--kubeconfig=admin.kubeconfig
kubectl config use-context default --kubeconfig=admin.kubeconfig
kubeconfig for admin user
Now, we need to copy the generated kubeconfig files to the worker node. To do so, we'll run the command below:
scp kube-proxy.kubeconfig kube-scheduler.kubeconfig kube-controller-manager.kubeconfig admin.kubeconfig username@192.168.1.5:~/
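The two choices explained earlier (certificate file paths versus embedded certificate data, and the master IP versus the localhost address) can be checked on the generated files before they are copied. The following is an added example, not code from the original article; the function names and finding labels are assumptions made for this example, and write_sample produces constructed input so the check can be tried without a cluster.

```bash
#!/usr/bin/env bash
# Added example (not from the article): offline kubeconfig audit; finding labels are this example's own.

# First value of "key: value" in a kubeconfig (line-based read, not a YAML parser).
kc_field() { sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1; }

# Print one finding per line; print nothing when the file passes every check.
audit_kubeconfig() {
  local f="$1" perms server user key
  perms=$(ls -ld "$f" | cut -c5-10)   # group and other permission bits
  server=$(kc_field "$f" server)
  user=$(kc_field "$f" user)
  key=$(kc_field "$f" client-key)
  # Embedded key: the file itself is the secret, so only its owner may read it.
  if grep -Eq '^[[:space:]]*client-key-data:' "$f" && [ "$perms" != "------" ]; then
    echo "EMBEDDED_KEY_READABLE"
  fi
  # Referenced key: a relative path is resolved against the kubeconfig's directory,
  # so it breaks once the file is copied to a host without that layout.
  if [ -n "$key" ] && [ "${key#/}" = "$key" ]; then
    echo "RELATIVE_KEY_PATH"
  fi
  # kube-proxy runs on worker nodes, where loopback is not the API server.
  case "$user:$server" in
    system:kube-proxy:https://127.0.0.1:*|system:kube-proxy:https://localhost:*)
      echo "PROXY_USES_LOOPBACK" ;;
  esac
}

# Constructed sample input. Usage: write_sample FILE SERVER USER KEY_LINE
write_sample() {
  cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: $2
  name: kubernetes-the-hard-way
contexts:
- context:
    cluster: kubernetes-the-hard-way
    user: $3
  name: default
current-context: default
users:
- name: $3
  user:
    $4
EOF
}
```

Calling audit_kubeconfig on each of the four generated files and getting no output means the file matches the conventions described above; admin.kubeconfig needs chmod 600 to pass, because its private key is embedded.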
Conclusion
In this article, we learned to generate configuration files for our Kubernetes components. We also learned the purpose of using kubeconfig files and took another step towards building an entire Kubernetes cluster from scratch.