Deploy Kubernetes with Specific Public IP Address for Kube-apiserver
To create a Kubernetes cluster, we use the command kubeadm init. By default, if you do not specify any IP address flag, kubeadm parses your current networking environment and uses the address it finds for kube-apiserver.
Unless your server's interface carries a public IP address, which is usually not the case for servers hosted on clouds, the Kubernetes cluster will use its private IP address for kube-apiserver. For example, my cluster is hosted on AWS EC2.
In this case, if I want to manage the Kubernetes cluster, my device has to be in the same network segment, which is somewhat troublesome. Therefore, we can configure kube-apiserver with a public IP address so we can connect to it over the internet.
Do not forget to deny every other public IP address access to your cluster, allowing only the ones you permit in your FW rules.
To configure a specific IP address for kube-apiserver, use the command below:
kubeadm init --control-plane-endpoint <endpoint-ip-or-dns>:<port>
This way, Kubernetes bootstraps with the IP address you specified, which is shown at the end of initialization. The --control-plane flag (used with kubeadm join) is the part that decides whether a node becomes a control-plane node or a worker node.
Now, with the FW rule properly set up, copy /etc/kubernetes/admin.conf to $HOME/.kube/config on your local computer. With kubectl already installed, you can now access and manage your Kubernetes cluster from your computer!
In the image below, my IP address is 210.x.x.243, and yet I can obtain the cluster node information (the node cp-1) as well as the cluster info.
For now, I have only one node in my control plane. If I want to add more nodes for high availability, I can use the command below:
kubeadm join <endpoint-ip-or-dns>:<port> \
--token <valid-bootstrap-token> \
--discovery-token-ca-cert-hash sha256:<ca-cert-sha256-hash> \
--control-plane
If for any reason you need to regenerate the command above, it is not as simple as regenerating the worker node join command; we have to gather each piece of information and combine it. We need a couple of things:
- Your IP or DNS for the control plane endpoint
- A valid token
- Your discovery token CA cert hash
- Copy certificates from CP-1 to CP-2
For a valid token, use the command below to list all available tokens. A token can be used as long as it has not expired. If all of them have expired, use the create command to generate a new token:
kubeadm token list
kubeadm token create
For the discovery token CA cert hash, go to your control plane node (CP-1 in my case) and execute the command below:
openssl x509 -in /etc/kubernetes/pki/ca.crt -pubkey -noout |
openssl pkey -pubin -outform DER |
openssl dgst -sha256
And there you go! You have all the information to assemble the join command for the control plane node, which will be:
kubeadm join 18.x.x.225:6443 \
--token g6ejzo.xxx \
--discovery-token-ca-cert-hash sha256:57fb7bca1e23cd61xxx \
--control-plane
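The three steps above (pick an unexpired token, hash the CA certificate, assemble the command) can be scripted so the join command is rebuilt the same way every time. The script below is an added example and is not part of the original post or of kubeadm itself; it assumes the column layout of kubeadm token list shown in its constructed sample, the default CA path /etc/kubernetes/pki/ca.crt, and the post's endpoint 18.x.x.225:6443 as the usage value. It also checks the token shape and falls back to kubeadm token create when every listed token has expired, the failure mode that makes the manual reconstruction fail.

```shell
#!/usr/bin/env bash
# Rebuild the control-plane join command from its pieces: an unexpired token,
# the CA certificate hash and the endpoint. Added example, not from the post.
# Assumes the column layout of `kubeadm token list` shown in the constructed
# sample below and the default CA location /etc/kubernetes/pki/ca.crt.
set -eu

# Constructed sample of `kubeadm token list` output: one expired token
# (TTL "<invalid>") followed by one that is still usable.
SAMPLE_TOKEN_LIST='TOKEN                     TTL         EXPIRES                USAGES                   DESCRIPTION   EXTRA GROUPS
old123.0000000000000000   <invalid>   2023-01-01T00:00:00Z   authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
abcdef.0123456789abcdef   23h         2024-01-02T10:00:00Z   authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token'

# Read `kubeadm token list` on stdin; print the first token that has not
# expired (kubeadm marks expired tokens with "<invalid>" in the TTL column).
pick_valid_token() {
  awk 'NR > 1 && $2 != "<invalid>" { print $1; exit }'
}

# A bootstrap token is "[a-z0-9]{6}.[a-z0-9]{16}"; anything else is a typo
# or a truncated copy and kubeadm join would reject it.
is_valid_token() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# The discovery hash is the SHA-256 of the CA's DER-encoded public key
# (SubjectPublicKeyInfo), the same pipeline the post shows; the sed strips
# the "(stdin)= " prefix that `openssl dgst` prints.
ca_cert_hash() {
  openssl x509 -in "$1" -pubkey -noout |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | sed 's/^.* //'
}

# Assemble the final command on one line (the hash argument is the bare hex).
build_join_command() {
  printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash sha256:%s --control-plane\n' \
    "$1" "$2" "$3"
}

# Usage on CP-1:  ./rebuild-join.sh run 18.x.x.225:6443
# Falls back to `kubeadm token create` when every listed token has expired.
if [ "${1:-}" = "run" ]; then
  endpoint=${2:?usage: $0 run <endpoint-ip-or-dns>:<port>}
  token=$(kubeadm token list | pick_valid_token)
  if [ -z "$token" ]; then
    token=$(kubeadm token create)
  fi
  is_valid_token "$token"
  build_join_command "$endpoint" "$token" "$(ca_cert_hash /etc/kubernetes/pki/ca.crt)"
fi
```

The hash is recomputed from ca.crt on every run rather than copied from an old command, so a cluster whose CA was rotated cannot end up with a join command that points CP-2 at the wrong CA.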
Next we need to copy some certificates from CP-1 to CP-2, the new node that will be added to the cluster. Execute the command below on CP-1 to do the job; 18.x.x.210 is CP-2.
You can use the commands below to configure SSH access to the remote server without typing a password.
# From CP-1
ssh-keygen -t rsa -b 4096
ssh-copy-id -i ~/.ssh/id_rsa root@18.x.x.210
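With key-based SSH in place, the certificate copy itself can be made explicit. The script below is an added example, not the post's own command or part of kubeadm: it assumes the default PKI directory /etc/kubernetes/pki, a root login on CP-2 at the post's address 18.x.x.210, and the set of cluster-wide files that every stacked control-plane node must share (the two CA key pairs, the service-account key pair and the front-proxy CA). Node-specific certificates such as apiserver.crt are deliberately not copied, because kubeadm join regenerates them for CP-2 with its own SANs; the script only prints the copy plan, so it can be reviewed before being piped to sh.

```shell
#!/usr/bin/env bash
# Copy the cluster-wide CA material from CP-1 to a new control-plane node.
# Added example, not from the original post. Assumes the default kubeadm PKI
# directory /etc/kubernetes/pki and a root SSH login on CP-2 (as set up with
# ssh-copy-id above); 18.x.x.210 is the post's CP-2 address.
set -eu

PKI_DIR=${PKI_DIR:-/etc/kubernetes/pki}

# Files every control-plane node must share. Node-specific certificates
# (apiserver.crt, apiserver-kubelet-client.crt, etcd/server.crt, ...) are
# deliberately absent: kubeadm regenerates them on CP-2 with its own SANs.
kubeadm_shared_certs() {
  printf '%s\n' ca.crt ca.key sa.key sa.pub \
    front-proxy-ca.crt front-proxy-ca.key etcd/ca.crt etcd/ca.key
}

# Emit the commands that stage the files on $1 under $PKI_DIR, keeping the
# etcd/ subdirectory and restoring kubeadm's 600 mode on private keys.
# Prints commands only; pipe through `sh` to execute them.
copy_certs_plan() {
  host=$1
  printf 'ssh %s "mkdir -p %s/etcd"\n' "$host" "$PKI_DIR"
  kubeadm_shared_certs | while IFS= read -r f; do
    printf 'scp -p %s/%s %s:%s/%s\n' "$PKI_DIR" "$f" "$host" "$PKI_DIR" "$f"
  done
  printf 'ssh %s "chmod 600 %s/*.key %s/etcd/*.key"\n' "$host" "$PKI_DIR" "$PKI_DIR"
}

# Usage on CP-1: review the plan, then execute it.
#   ./copy-certs.sh root@18.x.x.210        # print only
#   ./copy-certs.sh root@18.x.x.210 | sh   # copy
if [ -n "${1:-}" ]; then
  copy_certs_plan "$1"
fi
```

Once the plan has run, the kubeadm join command assembled earlier can be executed on CP-2. The same result without any manual copying is available through kubeadm's own mechanism: kubeadm init --upload-certs stores these files encrypted in the cluster, and kubeadm join --control-plane --certificate-key retrieves them on the new node.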
Lastly, with the files copied to CP-2 and the kubeadm join command ready, let's join CP-2 to the Kubernetes cluster.
Once the join finishes, verify from CP-1 that the new node is present.
That's it! You have successfully added a new node to the Kubernetes control plane for high availability!
REFERENCES:
- Reconstructing the Join Command for Kubeadm
- Calculating the CA Certificate Hash for Kubeadm