
@BrandonPotter
Last active March 23, 2017 22:02
Cert generation for baremetal Kubernetes CentOS cluster and dashboard config

Generating and configuring certs to make dashboard work

1. On the master node, download https://github.com/kubernetes/kubernetes/blob/master/cluster/saltbase/salt/generate-cert/make-ca-cert.sh to /srv.

2. Add system account to kube-cert group:

   ```sh
   groupadd -r kube-cert
   ```

3. Run make-ca-cert.sh. The first argument is the IP address of the master. The second argument is a comma-delimited list of IPs and DNS names that will make up the certificate's subject alternative name (SAN) list:

   ```sh
   sudo bash /srv/make-ca-cert.sh 10.0.137.10 IP:10.0.137.10,IP:10.0.137.11,IP:10.0.137.12,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local
   ```

4. Make the generated files readable:

   ```sh
   chmod 777 /srv/kubernetes/*
   ```

5. Edit /etc/kubernetes/apiconfig on the master with the following arguments:

   ```sh
   KUBE_API_ARGS="--service_account_key_file=/srv/kubernetes/server.key --client-ca-file=/srv/kubernetes/ca.crt --tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key"
   ```

6. Edit /etc/kubernetes/controller-manager on the master with the following params:

   ```sh
   KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"

   KUBE_CONTROLLER_MANAGER_ARGS="--service_account_private_key_file=/srv/kubernetes/server.key --root_ca_file=/srv/kubernetes/ca.crt"
   ```

7. Copy /srv/kubernetes/kubecfg.crt and /srv/kubernetes/kubecfg.key from the master to the same path on each node.

8. On each kubelet (node), edit /etc/kubernetes/kubelet with the following params to set up client certs:

   ```sh
   KUBELET_ARGS="--tls-cert-file=/srv/kubernetes/kubecfg.crt --tls-private-key-file=/srv/kubernetes/kubecfg.key"
   ```

9. Before deploying, make sure the dashboard YAML points to an API server IP/address that has a matching subject name in the SAN list passed to make-ca-cert.sh in step 3. (See the `# - --apiserver-host=http://my-address:port` line in the sample dashboard YAML.)
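Two things are worth verifying once the steps above are done: that the server certificate really carries every IP and DNS name handed to make-ca-cert.sh (a dashboard or kubelet pointed at a name missing from that list gets a TLS hostname mismatch), and that the private keys under /srv/kubernetes are not readable by every local user, which is what the `chmod 777` step leaves them as. The script below is an added check, not part of the gist or of the Kubernetes cert script; `check_cluster_certs` runs against the gist's paths, while `demo_scratch_cert` builds a constructed self-signed certificate with the same SAN list so the checks can be exercised offline. It assumes GNU `stat` and OpenSSL 1.1.1 or newer (for `-addext`).

```sh
#!/bin/sh
# Added post-setup checks, not part of the original gist. Verifies that the
# API server certificate carries every IP/DNS entry from the SAN list, and
# that the private keys are not readable by other users (the chmod 777 step
# leaves them world-readable and writable).
# Assumes GNU stat and OpenSSL >= 1.1.1 (-addext is used by the scratch demo).

CERT_DIR="${CERT_DIR:-/srv/kubernetes}"
# SAN list exactly as passed to make-ca-cert.sh in the gist.
WANT_SANS="IP:10.0.137.10,IP:10.0.137.11,IP:10.0.137.12,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local"

# Print the SAN entries of a PEM certificate as openssl -text renders them,
# e.g. "IP Address:10.0.137.10, DNS:kubernetes".
cert_sans() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Succeed only if every entry of list $2 (IP:x or DNS:y, comma-separated)
# appears in certificate $1. Entries are matched whole, so DNS:kubernetes
# does not satisfy DNS:kubernetes.default.
cert_has_sans() {
    sans=$(cert_sans "$1")
    for entry in $(printf '%s' "$2" | tr ',' ' '); do
        case "$entry" in
            IP:*)  needle="IP Address:${entry#IP:}" ;;
            DNS:*) needle="DNS:${entry#DNS:}" ;;
            *)     echo "unknown SAN type: $entry" >&2; return 2 ;;
        esac
        case ", $sans," in
            *", $needle,"*) ;;
            *) echo "$1: missing SAN $entry" >&2; return 1 ;;
        esac
    done
    return 0
}

# Succeed only if file $1 has no group/other permission bits (600 or 400).
key_perms_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        ?00) return 0 ;;
        *)   echo "$1: mode $mode, private keys should be 600" >&2; return 1 ;;
    esac
}

# Check the real cluster files under CERT_DIR (server cert SANs, key modes).
check_cluster_certs() {
    rc=0
    cert_has_sans "$CERT_DIR/server.cert" "$WANT_SANS" || rc=1
    for key in server.key kubecfg.key; do
        key_perms_ok "$CERT_DIR/$key" || rc=1
    done
    return $rc
}

# Offline demo on a constructed scratch certificate: generate a self-signed
# cert with the gist's SAN list, confirm the checks pass with a 600 key, then
# confirm the permission check fails once the key is chmod 777.
demo_scratch_cert() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=scratch \
        -keyout "$d/server.key" -out "$d/server.cert" \
        -addext "subjectAltName=$WANT_SANS" >/dev/null 2>&1 || return 2
    chmod 600 "$d/server.key"
    cert_has_sans "$d/server.cert" "$WANT_SANS" || return 1
    key_perms_ok "$d/server.key" || return 1
    chmod 777 "$d/server.key"
    key_perms_ok "$d/server.key" 2>/dev/null && return 1
    rm -rf "$d"
    return 0
}
```

On the master, source the file and run `check_cluster_certs`; a non-zero exit with the missing SAN or offending key mode printed on stderr is the signal to regenerate the certificate or to tighten the key permissions (keys only need to be readable by the kube-apiserver and kubelet service users, typically via the kube-cert group created in step 2 rather than mode 777).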