Install Kubernetes from Scratch [13] – TLS Bootstrap Kubelet

Check out the full Kubernetes Certified Administrator course at:

All the instructions required to deploy this cluster are recorded in the GitHub repository here.


In this demo we look at TLS bootstrapping a worker node, worker-2 in our case.

To enable the TLS bootstrapping feature you must meet two prerequisites. The first is to have the “enable bootstrap token auth” option set to true on the kube-apiserver. We can check this by running the ps aux command and looking at the kube-apiserver process. We see that it is enabled in our case.

The next is for the controller manager to have the cluster signing certificate and key. Again we use the ps command to inspect the controller-manager process, and we see that it is configured. With both prerequisites met, proceed with the bootstrapping process.

On the worker node, download the required binaries: kubelet, kube-proxy and the kubectl utility.

Then create the required directory structure and move the binaries into the bin directory. Finally, move the CA certificate into place. Note that we do not have a kubelet certificate generated in this case.

As discussed in the previous lecture, we must create a bootstrap token to be used by the kubelet. Do this by creating a bootstrap token secret object.

Then authorize the bearer of that token, the worker nodes, to create CSRs. For this we create a cluster role binding object. We can do this in two ways: by creating a YAML definition file, the declarative way, or with a single command, the imperative way. We will follow the imperative approach.

Next, authorize the worker to approve the CSR by creating another cluster role binding.

And finally, authorize the worker to renew the CSR by itself.
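The token and the three bindings described above, as an added shell example that is not the course repository's own commands. It generates a token in the id.secret format Kubernetes requires, renders the Secret in kube-system that the bootstrap token authenticator reads, and emits the three ClusterRoleBindings as declarative YAML equivalent to the imperative kubectl create clusterrolebinding commands. The binding names, the expiry value and the auth-extra-groups value are assumptions; the ClusterRole names are the built-in ones. Note what each binding actually grants: system:node-bootstrapper lets the token identity create CSRs, the nodeclient binding is the permission the controller manager's CSR approver checks before auto-approving the kubelet client certificate, and the selfnodeclient binding is given to system:nodes, the identity the kubelet holds after bootstrapping, so renewals no longer need the token.

```shell
#!/usr/bin/env bash
# Added example: renders the bootstrap token Secret and the three ClusterRoleBindings
# from the lecture as YAML. Not part of the course repository.
set -eu

# Bootstrap tokens must be <id>.<secret>: 6 lowercase alphanumerics, a dot, 16 more.
valid_bootstrap_token() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# Random lowercase alphanumeric string of length $1, read from /dev/urandom.
random_lower_alnum() {
  local out='' n="$1"
  while [ "${#out}" -lt "$n" ]; do
    out="$out$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'a-z0-9')"
  done
  printf '%s' "$out" | cut -c1-"$n"
}

# Generate a fresh token in the required format.
new_bootstrap_token() {
  local id secret
  id=$(random_lower_alnum 6)
  secret=$(random_lower_alnum 16)
  printf '%s.%s\n' "$id" "$secret"
}

# Secret consumed by the bootstrap token authenticator. The name must be
# bootstrap-token-<id>; the expiration bounds how long a leaked token stays usable.
# auth-extra-groups is an assumption and must begin with "system:bootstrappers:".
bootstrap_token_secret_yaml() {  # $1 = token, $2 = RFC 3339 expiry
  local token="$1" expiry="$2"
  valid_bootstrap_token "$token" || { echo "invalid token format: $token" >&2; return 1; }
  local id="${token%%.*}" secret="${token#*.}"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-${id}
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  token-id: ${id}
  token-secret: ${secret}
  expiration: ${expiry}
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
  auth-extra-groups: system:bootstrappers:worker
EOF
}

# One ClusterRoleBinding tying a built-in ClusterRole to a group.
cluster_role_binding_yaml() {  # $1 = binding name, $2 = ClusterRole, $3 = group
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: $3
EOF
}

# The three bindings from the lecture. Only the first two go to the bootstrap group;
# renewal is granted to system:nodes, the identity the kubelet has once bootstrapped.
bootstrap_rbac_yaml() {
  cluster_role_binding_yaml create-csrs-for-bootstrapping \
    system:node-bootstrapper system:bootstrappers
  echo '---'
  cluster_role_binding_yaml auto-approve-csrs-for-group \
    system:certificates.k8s.io:certificatesigningrequests:nodeclient system:bootstrappers
  echo '---'
  cluster_role_binding_yaml auto-approve-renewals-for-nodes \
    system:certificates.k8s.io:certificatesigningrequests:selfnodeclient system:nodes
}
```

Typical use on the master is `TOKEN=$(new_bootstrap_token)`, then piping `bootstrap_token_secret_yaml "$TOKEN" 2030-01-01T00:00:00Z` and `bootstrap_rbac_yaml` into `kubectl apply -f -`; the token value is then copied to the worker for its bootstrap kubeconfig and nowhere else.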

We then configure the kubelet to bootstrap. Earlier, for worker-1, remember we created a kubeconfig file with the certificates we had generated? Well, we don’t have certificates for worker-2, so we don’t create a kubeconfig file. Instead we create a bootstrap kubeconfig file containing the bootstrap token we created. Again, you can do this with the four individual commands we saw earlier in this course, or you can just create the bootstrap kubeconfig file manually; it’s the same thing. We then create the kubelet config file, which has information about the environment.

And finally we configure the kubelet service itself, specifying the bootstrap kubeconfig instead of the kubeconfig.

Before starting the service, remember to configure kube-proxy as well. Kube-proxy is configured as usual.

Once done, reload, enable and start the services. Verify the state of the kubelet service and ensure it is active.
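The worker-side files from the steps above, as an added shell example and not the course repository's own files: the bootstrap kubeconfig (the declarative equivalent of the four kubectl config commands), the kubelet config, and the systemd unit that points the kubelet at the bootstrap kubeconfig. The paths, the API server URL, the cluster DNS address and the containerd dependency are assumptions. Two details matter for security: the bootstrap kubeconfig carries a bearer credential, so it is written mode 0600; and serverTLSBootstrap: true is what makes the kubelet request its serving certificate through a CSR, which is the request that later shows up as Pending.

```shell
#!/usr/bin/env bash
# Added example: renders worker-2's bootstrap kubeconfig, kubelet config and systemd
# unit. Paths, addresses and the runtime dependency are assumptions, not course values.
set -eu

KUBE_DIR=/var/lib/kubernetes   # where ca.crt was placed on the worker (assumed)
KUBELET_DIR=/var/lib/kubelet   # where the kubelet keeps its config and certs (assumed)

# Bootstrap kubeconfig: the CA to trust plus the token as the only credential.
# Same content as kubectl config set-cluster / set-credentials --token /
# set-context / use-context against --kubeconfig=bootstrap-kubeconfig.
bootstrap_kubeconfig_yaml() {  # $1 = bootstrap token, $2 = API server URL
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    certificate-authority: ${KUBE_DIR}/ca.crt
    server: $2
users:
- name: kubelet-bootstrap
  user:
    token: $1
contexts:
- name: bootstrap
  context:
    cluster: kubernetes
    user: kubelet-bootstrap
current-context: bootstrap
EOF
}

# The file holds a bearer token, so create it 0600 and never world-readable.
write_bootstrap_kubeconfig() {  # $1 = token, $2 = API server URL, $3 = destination
  ( umask 077 && bootstrap_kubeconfig_yaml "$1" "$2" > "$3" )
}

# Kubelet config. serverTLSBootstrap makes the kubelet request its serving cert via a
# CSR (the one left Pending for an operator); rotateCertificates lets it renew its
# client cert itself, which the selfnodeclient binding on the master permits.
kubelet_config_yaml() {  # $1 = cluster DNS IP
  cat <<EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: ${KUBE_DIR}/ca.crt
authorization:
  mode: Webhook
clusterDomain: cluster.local
clusterDNS:
- $1
rotateCertificates: true
serverTLSBootstrap: true
EOF
}

# Systemd unit: --bootstrap-kubeconfig is used only until a client cert is issued; the
# kubelet then writes the kubeconfig it earned to --kubeconfig and uses that on restart.
kubelet_unit() {
  cat <<EOF
[Unit]
Description=Kubernetes Kubelet
After=containerd.service
Requires=containerd.service

[Service]
ExecStart=/usr/local/bin/kubelet \\
  --bootstrap-kubeconfig=${KUBELET_DIR}/bootstrap-kubeconfig \\
  --kubeconfig=${KUBELET_DIR}/kubeconfig \\
  --config=${KUBELET_DIR}/kubelet-config.yaml \\
  --cert-dir=${KUBELET_DIR}/pki \\
  --v=2
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}
```

On the worker the three functions are written to `${KUBELET_DIR}/bootstrap-kubeconfig`, `${KUBELET_DIR}/kubelet-config.yaml` and `/etc/systemd/system/kubelet.service` respectively, followed by the usual `systemctl daemon-reload`, `enable` and `start`; once `${KUBELET_DIR}/kubeconfig` exists the bootstrap file has done its job and can be removed.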

Let us now check the status of the CSRs on the master. The client certificate used by the kubelet to access the API server gets approved automatically. However, you can see that the one for the kubelet server is in a pending state.

Run the kubectl certificate approve command to approve it.
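The check in the two steps above, as an added shell example rather than the course's own commands: it filters a kubectl get csr listing so that only Pending serving-certificate CSRs from the node actually being joined are proposed for kubectl certificate approve, and lists any other pending CSR for review instead. The kubelet client CSR is already Approved,Issued because of the auto-approval binding; the serving CSR (signer kubernetes.io/kubelet-serving) is never auto-approved by the controller manager, which is why it is the one waiting. The sample listing, CSR names, token id and node names are constructed.

```shell
#!/usr/bin/env bash
# Added example: review `kubectl get csr` output before approving. Not from the course
# repository. SAMPLE_CSR_LIST is constructed to match kubectl's column layout.
set -eu

SAMPLE_CSR_LIST='NAME        AGE   SIGNERNAME                                    REQUESTOR                  REQUESTEDDURATION   CONDITION
csr-4k2pq   25s   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:abcdef    <none>              Approved,Issued
csr-9xw7l   20s   kubernetes.io/kubelet-serving                 system:node:worker-2       <none>              Pending
csr-m3t8z   10s   kubernetes.io/kubelet-serving                 system:node:unknown-host   <none>              Pending'

# Names of Pending serving-certificate CSRs that come from the node we just joined.
# Fields: $1 NAME, $3 SIGNERNAME, $4 REQUESTOR, $NF CONDITION (last column, so the
# REQUESTEDDURATION column missing on older clusters does not shift it).
pending_serving_csrs() {  # $1 = node name; stdin = kubectl get csr output
  awk -v node="system:node:$1" \
    'NR > 1 && $3 == "kubernetes.io/kubelet-serving" && $4 == node && $NF == "Pending" { print $1 }'
}

# Pending CSRs whose requestor is not one of the nodes we expect: these get a human
# look, not an approval.
unexpected_pending_csrs() {  # $@ = expected node names; stdin = kubectl get csr output
  local pattern='' n
  for n in "$@"; do pattern="${pattern}|system:node:${n}"; done
  awk -v pat="^(${pattern#|})\$" \
    'NR > 1 && $NF == "Pending" && $4 !~ pat { print $1 }'
}

# The approval command for one CSR, printed rather than executed so it can be reviewed.
approve_command() {  # $1 = CSR name
  printf 'kubectl certificate approve %s\n' "$1"
}
```

With a live cluster the functions are fed by `kubectl get csr | pending_serving_csrs worker-2`; each name that comes back is approved with the printed command, and anything returned by `unexpected_pending_csrs worker-1 worker-2` is investigated first.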

Verify the state of the nodes by running the kubectl get nodes command.

We have successfully joined the worker node to the cluster.
