Demo bootstrap tls

# Create CA/key for the master.

### Use https://github.com/coreos/coreos-baremetal/blob/master/scripts/tls/root-ca

$ ./root-ca /tmp
Generating RSA private key, 2048 bit long modulus
.....................................................................+++
...........+++
e is 65537 (0x10001)

# Launch local cluster

# Clean up existing certs and keys.
$ sudo rm /var/run/kubernetes/*

# Modify local-up-cluster.sh to enable the bootstrap token.
$ git diff hack/local-up-cluster.sh
diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index b8c81e5..ae3b60e 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -309,6 +309,8 @@ function start_controller_manager {
       --v=${LOG_LEVEL} \
       --service-account-private-key-file="${SERVICE_ACCOUNT_KEY}" \
       --root-ca-file="${ROOT_CA_FILE}" \
+      --cluster-signing-cert-file="/tmp/ca.pem" \
+      --cluster-signing-key-file="/tmp/ca-key.pem" \
       --enable-hostpath-provisioner="${ENABLE_HOSTPATH_PROVISIONER}" \
       ${node_cidr_args} \
       --pvclaimbinder-sync-period="${CLAIM_BINDER_SYNC_PERIOD}" \
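Review bot: The two added flags hard-code the signing CA as `/tmp/ca.pem` and `/tmp/ca-key.pem`, while the neighbouring `--root-ca-file="${ROOT_CA_FILE}"` takes its path from a variable; the key that (presumably) signs every node certificate then sits at a fixed, predictable name in a world-writable directory where any local user can read, pre-create or replace the files before root-ca writes them. Take the paths from variables like the rest of the block, e.g. `--cluster-signing-cert-file="${CLUSTER_SIGNING_CERT_FILE}"` and `--cluster-signing-key-file="${CLUSTER_SIGNING_KEY_FILE}"` (new variables defaulted next to the other path settings), and point them at a directory with the same protections the existing CA material already gets. start_controller_manager begins and ends outside the hunk.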
@@ -370,6 +372,7 @@ function start_kubelet {
         --address="${KUBELET_HOST}" \
         --api-servers="${API_HOST}:${API_PORT}" \
         --cpu-cfs-quota=${CPU_CFS_QUOTA} \
+        --bootstrap-auth-token="abcdef012345689" \
         ${dns_args} \
         ${net_plugin_dir_args} \
         ${net_plugin_args} \
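Review bot: The bootstrap token is a literal `"abcdef012345689"` baked into the script, so it is committed to the repository, identical on every run, and visible to every local user through the kubelet's command line; holding it is enough to submit CSRs to the signer, and the manual approval step shown later on this page is the only remaining control before a node certificate is issued. Read it from the environment like the other kubelet settings in this block, e.g. `--bootstrap-auth-token="${KUBELET_BOOTSTRAP_TOKEN:?set a fresh random token}"`, and generate the value at startup rather than checking a constant in. start_kubelet begins and ends outside the hunk.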


$ hack/local-up-cluster.sh
...
# It is now waiting for certs from the control plane.

# Approve (or deny) the request

### Use https://github.com/gtank/csrctl

$ ./csrctl.sh get
{
  "kind": "CertificateSigningRequestList",
  "apiVersion": "certificates/v1alpha1",
  "metadata": {
    "selfLink": "/apis/certificates/v1alpha1/certificatesigningrequests/",
    "resourceVersion": "17"
  },
  "items": [
    {
      "metadata": {
        "name": "csr-d3kn4",
        "generateName": "csr-",
        "selfLink": "/apis/certificates/v1alpha1/certificatesigningrequests/csr-d3kn4",
        "uid": "d75c754d-5b41-11e6-a485-28d244b00276",
        "resourceVersion": "17",
        "creationTimestamp": "2016-08-05T19:21:42Z"
      },
      "spec": {
        "request": "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"
      },
      "status": {}
    }
  ]
}

$ ./csrctl.sh approve csr-d3kn4
{
  "kind": "CertificateSigningRequest",
  "apiVersion": "certificates/v1alpha1",
  "metadata": {
    "name": "csr-d3kn4",
    "generateName": "csr-",
    "selfLink": "/apis/certificates/v1alpha1/certificatesigningrequests/csr-d3kn4/approval",
    "uid": "d75c754d-5b41-11e6-a485-28d244b00276",
    "resourceVersion": "57",
    "creationTimestamp": "2016-08-05T19:21:42Z"
  },
  "spec": {
    "request": "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"
  },
  "status": {
    "conditions": [
      {
        "type": "Approved",
        "lastUpdateTime": null
      }
    ]
  }
}

# After approval
$ ./csrctl.sh get
{
  "kind": "CertificateSigningRequestList",
  "apiVersion": "certificates/v1alpha1",
  "metadata": {
    "selfLink": "/apis/certificates/v1alpha1/certificatesigningrequests/",
    "resourceVersion": "89"
  },
  "items": [
    {
      "metadata": {
        "name": "csr-d3kn4",
        "generateName": "csr-",
        "selfLink": "/apis/certificates/v1alpha1/certificatesigningrequests/csr-d3kn4",
        "uid": "d75c754d-5b41-11e6-a485-28d244b00276",
        "resourceVersion": "58",
        "creationTimestamp": "2016-08-05T19:21:42Z"
      },
      "spec": {
        "request": "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"
      },
      "status": {
        "conditions": [
          {
            "type": "Approved",
            "lastUpdateTime": null
          }
        ],
        "certificate": "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"
      }
    }
  ]
}

# And the kubelet is ready

$ kubectl get nodes
NAME        STATUS    AGE
127.0.0.1   Ready     1m