@kairen kairen/kubelet-tls.md Secret
Last active Nov 2, 2017

Kubernetes hard way

Kubelet certificate

Download the kubelet-csr.json file and generate the certificate for the master node:

$ wget "${PKI_URL}/kubelet-csr.json"
$ sed -i 's/$NODE/master1/g' kubelet-csr.json
$ cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -hostname=master1,172.16.35.12 \
  -profile=kubernetes \
  kubelet-csr.json | cfssljson -bare kubelet

$ ls kubelet*.pem

The $NODE value here must change to match each node's name.

Next, use the following commands to generate a kubeconfig file named kubelet.conf:

# set-cluster
$ kubectl config set-cluster kubernetes \
    --certificate-authority=/etc/kubernetes/pki/ca.pem \
    --embed-certs=true \
    --server="https://172.16.35.12:6443" \
    --kubeconfig=../kubelet.conf

# set-credentials
$ kubectl config set-credentials system:node:master1 \
    --client-certificate=/etc/kubernetes/pki/kubelet.pem \
    --embed-certs=true \
    --client-key=/etc/kubernetes/pki/kubelet-key.pem \
    --kubeconfig=../kubelet.conf

# set-context
$ kubectl config set-context system:node:master1@kubernetes \
    --cluster=kubernetes \
    --user=system:node:master1 \
    --kubeconfig=../kubelet.conf

# set default context
$ kubectl config use-context system:node:master1@kubernetes --kubeconfig=../kubelet.conf
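
Before kubelet.conf is copied to the node, it is worth confirming that the certificate embedded in it is the one intended. The following is an added example, not part of the original gist: `check_kubelet_cert` is a hypothetical helper that checks the CA chain, the subject, and the SANs passed to `-hostname`. It assumes kubelet-csr.json (not shown on the page) requests CN=system:node:<node> and O=system:nodes, the identity the Kubernetes Node authorizer expects from a kubelet.

```shell
# Added example, not from the original gist. check_kubelet_cert is a
# hypothetical helper; it needs only openssl.
# Assumption: kubelet-csr.json (not shown on the page) requests
# CN=system:node:<node> and O=system:nodes.
#
# check_kubelet_cert NODE IP CERT CA -> returns 0 if every check passes
check_kubelet_cert() {
  local node="$1" ip="$2" cert="$3" ca="$4" rc=0 subj

  # 1. The certificate must chain to the cluster CA.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify against $ca" >&2; rc=1
  fi

  # 2. The subject must carry the node identity. RFC2253 output is
  #    comma-separated, so wrap it in commas and match whole RDNs.
  subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null) || subj=""
  subj=${subj#subject=}; subj=",${subj# },"
  case $subj in
    *",CN=system:node:${node},"*) ;;
    *) echo "FAIL: CN is not system:node:${node}" >&2; rc=1 ;;
  esac
  case $subj in
    *",O=system:nodes,"*) ;;
    *) echo "FAIL: O=system:nodes is missing" >&2; rc=1 ;;
  esac

  # 3. The SANs must cover the values given to cfssl via -hostname.
  if ! openssl x509 -in "$cert" -noout -checkhost "$node" 2>/dev/null \
      | grep -q 'does match'; then
    echo "FAIL: SAN does not cover hostname $node" >&2; rc=1
  fi
  if ! openssl x509 -in "$cert" -noout -checkip "$ip" 2>/dev/null \
      | grep -q 'does match'; then
    echo "FAIL: SAN does not cover IP $ip" >&2; rc=1
  fi

  return "$rc"
}

# Usage with the page's values, run where the .pem files were generated:
#   check_kubelet_cert master1 172.16.35.12 kubelet.pem ca.pem
```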