In this lab you will bootstrap the Kubernetes control plane. The following components will be installed on the server machine: Kubernetes API Server, Scheduler, and Controller Manager.
Connect to the jumpbox and copy Kubernetes binaries and systemd unit files to the server machine:
scp \
downloads/controller/kube-apiserver \
downloads/controller/kube-controller-manager \
downloads/controller/kube-scheduler \
downloads/client/kubectl \
units/kube-apiserver.service \
units/kube-controller-manager.service \
units/kube-scheduler.service \
configs/kube-scheduler.yaml \
configs/kube-apiserver-to-kubelet.yaml \
root@server:~/

The commands in this lab must be run on the server machine. Log in to the server machine using the ssh command. Example:
ssh root@server

Create the Kubernetes configuration directory:
mkdir -p /etc/kubernetes/config

Install the Kubernetes binaries:
{
mv kube-apiserver \
kube-controller-manager \
kube-scheduler kubectl \
/usr/local/bin/
}

{
mkdir -p /var/lib/kubernetes/
mv ca.crt ca.key \
kube-api-server.key kube-api-server.crt \
service-accounts.key service-accounts.crt \
encryption-config.yaml \
/var/lib/kubernetes/
}

Create the kube-apiserver.service systemd unit file:
mv kube-apiserver.service \
/etc/systemd/system/kube-apiserver.service

Move the kube-controller-manager kubeconfig into place:
mv kube-controller-manager.kubeconfig /var/lib/kubernetes/

Create the kube-controller-manager.service systemd unit file:
mv kube-controller-manager.service /etc/systemd/system/

Move the kube-scheduler kubeconfig into place:
mv kube-scheduler.kubeconfig /var/lib/kubernetes/

Create the kube-scheduler.yaml configuration file:
mv kube-scheduler.yaml /etc/kubernetes/config/

Create the kube-scheduler.service systemd unit file:
mv kube-scheduler.service /etc/systemd/system/

{
systemctl daemon-reload
systemctl enable kube-apiserver \
kube-controller-manager kube-scheduler
systemctl start kube-apiserver \
kube-controller-manager kube-scheduler
}

Allow up to 10 seconds for the Kubernetes API Server to fully initialize.

You can check whether any of the control plane components are active using the systemctl command. For example, to check whether kube-apiserver is fully initialized and active, run the following command:
systemctl is-active kube-apiserver

For a more detailed status check, which includes additional process information and log messages, use the systemctl status command:
systemctl status kube-apiserver

If you run into any errors, or want to view the logs for any of the control plane components, use the journalctl command. For example, to view the logs for the kube-apiserver, run the following command:
journalctl -u kube-apiserver

At this point the Kubernetes control plane components should be up and running. Verify this using the kubectl command line tool:
kubectl cluster-info \
--kubeconfig admin.kubeconfig

Kubernetes control plane is running at https://127.0.0.1:6443
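
The steps above move the CA and service-account private keys, encryption-config.yaml and the component kubeconfigs into /var/lib/kubernetes. As an added example (not part of the original lab), the function below lists any of those files that group or other users can access; the function name and the owner-only expectation are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit permissions on the secret material this lab places
# in /var/lib/kubernetes (*.key, encryption-config.yaml, *.kubeconfig).
# Certificates (*.crt) are public and are deliberately not checked.

# audit_key_material DIR
#   Prints "LOOSE <path>" for every secret file in DIR that has any
#   group or other permission bit set. Returns 1 if any were found.
audit_key_material() {
  dir=${1:-/var/lib/kubernetes}
  rc=0
  for f in "$dir"/*.key "$dir"/encryption-config.yaml "$dir"/*.kubeconfig; do
    # Skip unmatched globs and anything that is not a regular file.
    [ -f "$f" ] || continue
    [ -L "$f" ] && continue
    # POSIX find: "-perm -NNN" is true when all bits in NNN are set, so
    # OR-ing the six single bits catches any group/other access.
    loose=$(find "$f" \( -perm -040 -o -perm -020 -o -perm -010 \
                         -o -perm -004 -o -perm -002 -o -perm -001 \))
    if [ -n "$loose" ]; then
      echo "LOOSE $f"
      rc=1
    fi
  done
  return "$rc"
}

# On the server machine, audit the lab's directory; a no-op elsewhere.
# Fix a finding with: chmod 600 <path>
if [ -d /var/lib/kubernetes ]; then
  audit_key_material /var/lib/kubernetes || true
fi
```

An empty result means every key, kubeconfig and the encryption config is readable by its owner only.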
In this section you will configure RBAC permissions to allow the Kubernetes API Server to access the Kubelet API on each worker node. Access to the Kubelet API is required for retrieving metrics, logs, and executing commands in pods.
This tutorial sets the Kubelet --authorization-mode flag to Webhook. Webhook mode uses the SubjectAccessReview API to determine authorization.
The commands in this section will affect the entire cluster and only need to be run on the server machine.
ssh root@server

Create the system:kube-apiserver-to-kubelet ClusterRole with permissions to access the Kubelet API and perform most common tasks associated with managing pods:
kubectl apply -f kube-apiserver-to-kubelet.yaml \
--kubeconfig admin.kubeconfig

At this point the Kubernetes control plane is up and running. Run the following commands from the jumpbox machine to verify it's working:

Make an HTTP request for the Kubernetes version info:
curl --cacert ca.crt \
https://server.kubernetes.local:6443/version

{
"major": "1",
"minor": "32",
"gitVersion": "v1.32.3",
"gitCommit": "32cc146f75aad04beaaa245a7157eb35063a9f99",
"gitTreeState": "clean",
"buildDate": "2025-03-11T19:52:21Z",
"goVersion": "go1.23.6",
"compiler": "gc",
"platform": "linux/arm64"
}