Setting Up A New Client
Assuming the client machine hasn't connected to this cluster before you'll need to setup the configuration from scratch. You really only need kubectl which you can download and install from https://kubernetes.io/docs/tasks/tools/install-kubectl/. It's just a single binary, so in my example, I've downloaded it onto a windows host and added that folder to my $env:PATH variable.PS C:\Users\mengland> kubectl config set-cluster kubernetes --server=https://10.9.176.25:6443 --certificate-authority=fake-ca-file
This should create a .kube folder and a config file with the basics if they didn't already exist. After that command the file should look like this:
PS C:\Users\mengland\.kube> Get-Content config
apiVersion: v1
clusters:
- cluster:
certificate-authority: fake-ca-file
server: https://10.9.176.25:6443
name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users: []
I've grabbed the crt and key file created in the previous post. Let's add our user credentials:
PS C:\Users\mengland.EACANADA\.kube> kubectl config set-credentials mengland@kubernetes --client-certificate="$HOME\kubernetes\mengland.crt" --client-key="$HOME\kubernetes\mengland.key" --embed-certs=true
User "mengland@kubernetes" set.
PS C:\Users\mengland.EACANADA\.kube> Get-Content config
apiVersion: v1
clusters:
- cluster:
certificate-authority: fake-ca-file
server: https://10.9.176.25:6443
name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: mengland@kubernetes
user:
client-certificate-data: ...<long_encoded_cert>...
client-key-data: ...<long_encoded_cert>...
You can see how this has updated the user section of the configuration file. Now we've got one last problem, our fake-ca-file certificate. You can point it to the actual cert file, which is available on the master server under /etc/kubernetes/pki/ca.crt but I like to keep the cert within the file. To do that we need to base64 encode the cert and place the contents in our config file:
[root@k8s-master ~]# cat /etc/kubernetes/pki/ca.crt | base64 -w 0
...<long_encoded_cert>...
PS C:\Users\mengland> notepad .kube/config
Modify the file with the following:
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: ...<long_encoded_cert>...
server: https://10.9.176.25:6443
name: kubernetes
contexts: []
current-context: ""
kind: Config
preferences: {}
users:
- name: mengland@kubernetes
user:
client-certificate-data: ...<long_encoded_cert>...
client-key-data: ...<long_encoded_cert>...
Note the addition of -data as that allows us to use the base64 encoded key. You can find out more from https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/
Our last step is to set a context for the cluster and use it:
PS C:\Users\mengland.EACANADA> kubectl config set-context mengland@kubernetes --cluster=kubernetes --user=mengland@kubernetes
PS C:\Users\mengland.EACANADA> kubectl config use-context mengland@kubernetes
Switched to context "mengland@kubernetes"
The final result is a file that looks like this:
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: ...<long_encoded_cert>...
server: https://10.9.176.25:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: mengland@kubernetes
name: mengland@kubernetes
current-context: mengland@kubernetes
kind: Config
preferences: {}
users:
- name: mengland@kubernetes
user:
client-certificate-data: ...<long_encoded_cert>...
client-key-data: ...<long_encoded_cert>...
You should be able to perform operations against the cluster now. A quick kubectl get pods or kubectl get pods -n monitoring, depending on the role you assigned, should succeed.
No comments:
Post a Comment