In part 2 we installed the etcd cluster on the 3 master machines, which is the foundation of the Kubernetes cluster. In this part, we're gonna configure and run kubelet on each node. kubelet is the primary node agent: it manages the pods on its node and talks to the Kubernetes API server to coordinate the whole system.
Prepare the certs and keys for kubelet
The first thing we do is prepare the certs and keys kubelet needs for authentication and authorisation, and generate a kubeconfig file that is passed to kubelet as a parameter.
Add the following code to the Vagrantfile after the etcd part; the full Vagrantfile can be found here.
```ruby
require 'openssl'
require 'base64'
require 'fileutils'

# If the TLS files for Kubernetes do not exist, create them
if !File.directory?("provisioning/roles/kubelet/files/tls")
  FileUtils::mkdir_p 'provisioning/roles/kubelet/files/tls'
  recreated_required = true

  # BEGIN KUBE CA
  # signTLS is the cert-signing helper defined elsewhere in the full Vagrantfile
  kube_key = OpenSSL::PKey::RSA.new(2048)
  kube_public_key = kube_key.public_key
  kube_cert = signTLS(is_ca:true,
                      subject:"/C=SG/ST=Singapore/L=Singapore/O=bootkube/OU=IT/CN=kube-ca",
                      public_key: kube_public_key,
                      ca_private_key: kube_key,
                      key_usage:"digitalSignature,keyEncipherment,keyCertSign")

  kube_file_tls = File.new("provisioning/roles/kubelet/files/tls/ca.crt", "wb")
  kube_file_tls.syswrite(kube_cert.to_pem)
  kube_file_tls.close
  # The CA private key must not be world-readable, so create it with mode 0600
  kube_key_file = File.new("provisioning/roles/kubelet/files/tls/ca.key", "wb", 0600)
  kube_key_file.syswrite(kube_key.to_pem)
  kube_key_file.close
  # END KUBE CA

  # client_cert and client_key (the kubelet client cert, signed by the CA above)
  # are produced by the client-cert section of the full Vagrantfile, which is
  # not reproduced in this excerpt.

  # START KUBECONFIG
  data = File.read("provisioning/roles/kubelet/templates/kubeconfig.tmpl")
  data = data.gsub("{{CA_CERT}}", Base64.strict_encode64(kube_cert.to_pem))
  data = data.gsub("{{CLIENT_CERT}}", Base64.strict_encode64(client_cert.to_pem))
  data = data.gsub("{{CLIENT_KEY}}", Base64.strict_encode64(client_key.to_pem))

  # The rendered kubeconfig embeds the client private key, so restrict it as well
  kubeconfig_file = File.new("provisioning/roles/kubelet/templates/kubeconfig.j2", "wb", 0600)
  kubeconfig_file.syswrite(data)
  kubeconfig_file.close
  # END KUBECONFIG
end
```
This generates a CA, a client cert and key, and puts them (base64-encoded) into the configuration file. The content of the kubeconfig.tmpl is:
Note: You have to keep the subject of the CA and the issuer_subject of the certs it signs consistent, otherwise the client cert will not chain to the CA.
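As an added, self-contained example (not the author's Vagrantfile code), the following Ruby script does the same job with a hypothetical issue_cert stand-in for signTLS: it builds the CA and a kubelet client cert, embeds them base64-encoded in a kubeconfig, and then verifies that the embedded client cert really chains to the embedded CA, which is the check that catches an inconsistent subject/issuer_subject. The issue_cert helper, the client subject and the API server URL are assumptions.

```ruby
require 'openssl'
require 'base64'
require 'yaml'
CA_SUBJECT = "/C=SG/ST=Singapore/L=Singapore/O=bootkube/OU=IT/CN=kube-ca"

# Hypothetical stand-in for the page's signTLS helper (not the author's code).
# A CA is self-signed (issuer_subject == subject); a client cert's issuer_subject must equal the CA subject.
def issue_cert(subject:, issuer_subject:, public_key:, issuer_key:, is_ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = OpenSSL::X509::Name.parse(issuer_subject)
  cert.public_key = public_key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + 365 * 86400
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", is_ca ? "CA:TRUE" : "CA:FALSE", true))
  usage = is_ca ? "digitalSignature,keyEncipherment,keyCertSign" : "digitalSignature,keyEncipherment"
  cert.add_extension(ef.create_extension("keyUsage", usage, true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))   # returns the signed cert
end

# Builds the CA and kubelet client cert and embeds their PEMs as strict base64, which is
# what the {{CA_CERT}}, {{CLIENT_CERT}} and {{CLIENT_KEY}} placeholders receive. Server URL is assumed.
def build_kubeconfig(client_issuer_subject: CA_SUBJECT)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = issue_cert(subject: CA_SUBJECT, issuer_subject: CA_SUBJECT, public_key: ca_key.public_key,
                       issuer_key: ca_key, is_ca: true, serial: 1)
  client_key = OpenSSL::PKey::RSA.new(2048)
  client_cert = issue_cert(subject: "/O=system:nodes/CN=kubelet", issuer_subject: client_issuer_subject,
                           public_key: client_key.public_key, issuer_key: ca_key, is_ca: false, serial: 2)
  { "apiVersion" => "v1", "kind" => "Config", "current-context" => "kubelet",
    "clusters" => [{ "name" => "local", "cluster" => { "server" => "https://kube-apiserver.example:443",
                     "certificate-authority-data" => Base64.strict_encode64(ca_cert.to_pem) } }],
    "users" => [{ "name" => "kubelet", "user" => {
                  "client-certificate-data" => Base64.strict_encode64(client_cert.to_pem),
                  "client-key-data" => Base64.strict_encode64(client_key.to_pem) } }],
    "contexts" => [{ "name" => "kubelet", "context" => { "cluster" => "local", "user" => "kubelet" } }] }.to_yaml
end
# Pre-flight check on the rendered file: decode the embedded PEMs and verify the client cert
# chains to the embedded CA. This is what fails when subject and issuer_subject are inconsistent.
def kubeconfig_chain_valid?(yaml)
  cfg = YAML.safe_load(yaml)
  ca = OpenSSL::X509::Certificate.new(Base64.decode64(cfg["clusters"][0]["cluster"]["certificate-authority-data"]))
  client = OpenSSL::X509::Certificate.new(Base64.decode64(cfg["users"][0]["user"]["client-certificate-data"]))
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.verify(client)
end
```

Running the check against a kubeconfig whose client cert was issued with a different issuer_subject returns false, which is the mismatch the note above warns about.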
Create kubelet as a service
To make sure kubelet runs on all nodes and survives system restarts, we make it a system service and enable it. Create the following template file containing the service definition for kubelet:
Next, we'll boot up the key components of Kubernetes (the API server, scheduler and controller manager) using bootkube, and run all the add-ons using Kubernetes itself.