Generating Kubeconfigs for a New Kubernetes Cluster

1 hour
  • 5 Learning Objectives

About this Hands-on Lab

To set up a new Kubernetes cluster from scratch, we need to provide various components of the cluster with kubeconfig files so that they can locate and authenticate with the Kubernetes API. In this learning activity, you will generate a set of kubeconfigs that can be used to build a Kubernetes cluster.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Generate kubelet kubeconfigs for each worker node.

To complete this task, generate a kubelet kubeconfig for each worker node. You can do so like this:

KUBERNETES_PUBLIC_ADDRESS=172.34.2.0

for instance in worker0.mylabserver.com worker1.mylabserver.com; do
  kubectl config set-cluster kubernetes-the-hard-way 
    --certificate-authority=ca.pem 
    --embed-certs=true 
    --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 
    --kubeconfig=${instance}.kubeconfig

  kubectl config set-credentials system:node:${instance} 
    --client-certificate=${instance}.pem 
    --client-key=${instance}-key.pem 
    --embed-certs=true 
    --kubeconfig=${instance}.kubeconfig

  kubectl config set-context default 
    --cluster=kubernetes-the-hard-way 
    --user=system:node:${instance} 
    --kubeconfig=${instance}.kubeconfig

  kubectl config use-context default --kubeconfig=${instance}.kubeconfig
done
Generate a kube-proxy kubeconfig.

To complete this task, generate a kubeconfig for kube-proxy. You can do so like this:

KUBERNETES_PUBLIC_ADDRESS=172.34.2.0

{
  kubectl config set-cluster kubernetes-the-hard-way 
    --certificate-authority=ca.pem 
    --embed-certs=true 
    --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 
    --kubeconfig=kube-proxy.kubeconfig

  kubectl config set-credentials system:kube-proxy 
    --client-certificate=kube-proxy.pem 
    --client-key=kube-proxy-key.pem 
    --embed-certs=true 
    --kubeconfig=kube-proxy.kubeconfig

  kubectl config set-context default 
    --cluster=kubernetes-the-hard-way 
    --user=system:kube-proxy 
    --kubeconfig=kube-proxy.kubeconfig

  kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
}
Generate a kube-controller-manager kubeconfig.

To complete this task, generate a kubeconfig for kube-controller-manager. You can do so like this:

{
  kubectl config set-cluster kubernetes-the-hard-way 
    --certificate-authority=ca.pem 
    --embed-certs=true 
    --server=https://127.0.0.1:6443 
    --kubeconfig=kube-controller-manager.kubeconfig

  kubectl config set-credentials system:kube-controller-manager 
    --client-certificate=kube-controller-manager.pem 
    --client-key=kube-controller-manager-key.pem 
    --embed-certs=true 
    --kubeconfig=kube-controller-manager.kubeconfig

  kubectl config set-context default 
    --cluster=kubernetes-the-hard-way 
    --user=system:kube-controller-manager 
    --kubeconfig=kube-controller-manager.kubeconfig

  kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
}
Generate a kube-scheduler kubeconfig.

To complete this task, generate a kubeconfig for kube-scheduler. You can do so like this:

{
  kubectl config set-cluster kubernetes-the-hard-way 
    --certificate-authority=ca.pem 
    --embed-certs=true 
    --server=https://127.0.0.1:6443 
    --kubeconfig=kube-scheduler.kubeconfig

  kubectl config set-credentials system:kube-scheduler 
    --client-certificate=kube-scheduler.pem 
    --client-key=kube-scheduler-key.pem 
    --embed-certs=true 
    --kubeconfig=kube-scheduler.kubeconfig

  kubectl config set-context default 
    --cluster=kubernetes-the-hard-way 
    --user=system:kube-scheduler 
    --kubeconfig=kube-scheduler.kubeconfig

  kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
}
Generate an admin kubeconfig.

To complete this task, generate a kubeconfig for the admin user. You can do so like this:

{
  kubectl config set-cluster kubernetes-the-hard-way 
    --certificate-authority=ca.pem 
    --embed-certs=true 
    --server=https://127.0.0.1:6443 
    --kubeconfig=admin.kubeconfig

  kubectl config set-credentials admin 
    --client-certificate=admin.pem 
    --client-key=admin-key.pem 
    --embed-certs=true 
    --kubeconfig=admin.kubeconfig

  kubectl config set-context default 
    --cluster=kubernetes-the-hard-way 
    --user=admin 
    --kubeconfig=admin.kubeconfig

  kubectl config use-context default --kubeconfig=admin.kubeconfig
}

Additional Resources

Your team is setting up a new Kubernetes cluster with two controllers and two worker nodes. The team has already created a set of client certificates to allow different components of the cluster to authenticate, but they need a set of kubeconfig files to be created using these certificates. Your task is to generate the kubeconfig files that will be used to set up the Kubernetes cluster.

The following kubeconfig files need to be created:

  • Kubelet (one kubeconfig for each worker node)
  • Kube-proxy
  • Kube-controller-manager
  • Kube-scheduler
  • Admin

Here is the cluster architecture. Note that these are not real servers, just values that we will use for the purposes of this activity.

Controllers:

  • Hostname: controller0.mylabserver.com, IP: 172.34.0.0
  • Hostname: controller1.mylabserver.com, IP: 172.34.0.1

Workers:

  • Hostname: worker0.mylabserver.com, IP: 172.34.1.0
  • Hostname: worker1.mylabserver.com, IP: 172.34.1.1

Kubernetes API Load Balancer:

  • Hostname: kubernetes.mylabserver.com, IP: 172.34.2.0

Additional Notes:

  • Client certificates have already been created. They can be found in /home/cloud_user on the workspace server.
  • The kubelet and kube-proxy services will access the Kubernetes API through the Kubernetes API load balancer. All other services can access it locally at https://127.0.0.1:6443.
  • Check the task descriptions and the solution video for more guidance!
What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Get Started
Who’s going to be learning?

How many seats do you need?

  • $499 USD per seat per year
  • Billed Annually
  • Renews in 12 months

Ready to accelerate learning?

For over 25 licenses, a member of our sales team will walk you through a custom tailored solution for your business.


$2,495.00

Checkout
Sign In
Welcome Back!
Thanks for reaching out!

You’ll hear from us shortly. In the meantime, why not check out what our customers have to say about ACG?