Deploy Kubernetes with Specific Public IP Address for Kube-apiserver

Yst@IT
4 min read · Apr 8, 2021

To create a Kubernetes cluster, we use the command kubeadm init. By default, if you do not specify any IP address flag, kubeadm inspects your current network configuration and uses the address it finds for kube-apiserver.

Unless your server has a public IP address by default, a server hosted in the cloud will end up with a Kubernetes cluster that uses the private IP address for kube-apiserver. For example, my cluster is hosted on AWS EC2.


In this case, if I want to manage the Kubernetes cluster, my device has to be in the same network segment, which is rather troublesome. Instead, we can configure kube-apiserver to use the public IP address so we can connect to it over the internet.

Do not forget to block every public IP address from reaching your cluster except the ones you explicitly allow on your FW.

To configure a specific IP address for kube-apiserver, use the command below,

kubeadm init --control-plane-endpoint <endpoint-ip-or-dns>:<port>

This way, Kubernetes bootstraps with the IP address you specified, which is shown at the end of the initialization output. The --control-plane flag (on kubeadm join) is what decides whether a node joins as a control plane node or a worker node.


Now, with the FW rule properly set up, copy /etc/kubernetes/admin.conf from the control plane node to $HOME/.kube/config on your local computer. With kubectl already installed there, you can now access and manage your Kubernetes cluster from your computer!

As the screenshot below shows, my IP address is 210.x.x.243 and yet I can obtain the cluster node information (cp-1) as well as the cluster info.

[screenshot: node list and cluster info retrieved from my local computer]

For now, I only have one node in my control plane. If I want to add more nodes for high availability, I can use the command below,

kubeadm join <endpoint-ip-or-dns>:<port> \
--token <valid-bootstrap-token> \
--discovery-token-ca-cert-hash sha256:<ca-cert-sha256-hash> \
--control-plane

If for any reason you need to regenerate the command above, it is not as simple as regenerating a worker node join command: we have to obtain each piece of information separately and combine them. We need a couple of things,

  1. Your IP or DNS name for the control plane endpoint
  2. A valid token
  3. Your CA cert hash
  4. Certificates copied from CP-1 to CP-2

For a valid token, we can use the first command below to list all available tokens. A token can be used as long as it has not expired. If all of them have expired, use the create command to generate a new token.

kubeadm token list
kubeadm token create

For the CA cert hash, go to your control plane node (in my case, CP-1) and execute the command below to compute it from the cluster CA certificate,

openssl x509 -in /etc/kubernetes/pki/ca.crt -pubkey -noout |
openssl pkey -pubin -outform DER |
openssl dgst -sha256

And there you go! You have all the information to assemble the join command for the control plane node, which will be,

kubeadm join 18.x.x.225:6443 \
--token g6ejzo.xxx \
--discovery-token-ca-cert-hash sha256:57fb7bca1e23cd61xxx \
--control-plane
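
As an added example (not the article's own code), the shell functions below assemble the control plane join command from the three pieces listed above and check each one first: a kubeadm bootstrap token has the form <6 chars>.<16 chars> drawn from [a-z0-9], and the discovery hash is sha256: followed by 64 hex characters. The ca_cert_hash function is the article's openssl pipeline with the sha256: prefix added; the CA path is assumed to be the kubeadm default.

```shell
#!/bin/sh
# Added example: build and sanity-check the control-plane join command.

# Compute the discovery hash from a CA certificate, as in the article's
# openssl pipeline, and prefix it with "sha256:". Needs openssl on CP-1.
ca_cert_hash() {
  cert="${1:-/etc/kubernetes/pki/ca.crt}"   # kubeadm default path (assumed)
  openssl x509 -in "$cert" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 \
    | awk '{ print "sha256:" $NF }'          # last field is the hex digest
}

# A bootstrap token is "<6>.<16>" drawn from [a-z0-9] (e.g. g6ejzo.xxxx...).
valid_token() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# The discovery hash must be "sha256:" followed by 64 lowercase hex characters.
valid_hash() {
  printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# The endpoint is an IP address or DNS name followed by a port.
valid_endpoint() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9.-]+:[0-9]{1,5}$'
}

# Print the complete join command, or fail with a reason on stderr.
# The token itself is never echoed: it is a credential.
build_cp_join_cmd() {
  endpoint="$1"; token="$2"; hash="$3"
  valid_endpoint "$endpoint" || { echo "bad endpoint: $endpoint" >&2; return 1; }
  valid_token "$token"       || { echo "bad token format" >&2; return 1; }
  valid_hash "$hash"         || { echo "bad hash: $hash" >&2; return 1; }
  printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash %s --control-plane\n' \
    "$endpoint" "$token" "$hash"
}

# Usage on CP-1: sh cp-join.sh <endpoint> <token>   (the hash is computed locally)
if [ "$#" -eq 2 ]; then
  build_cp_join_cmd "$1" "$2" "$(ca_cert_hash)"
fi
```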

Next we need to copy some certificates from CP-1 to CP-2, where CP-2 is the new node that will be added to the cluster. Execute the command below on CP-1 to do the job; 18.x.x.210 is CP-2.

[screenshot: certificate copy command executed on CP-1]

You can use the commands below to configure SSH access to the remote server without typing a password.

# From CP-1
ssh-keygen -t rsa -b 4096
ssh-copy-id -i ~/.ssh/id_rsa root@18.x.x.210

Lastly, with the files copied to CP-2 and the kubeadm join command ready, let’s join CP-2 to the Kubernetes cluster.

[screenshot: kubeadm join executed on CP-2]

Finally, verify the result with a command on CP-2.

[screenshot: verification output on CP-2]

Verify from CP-1

[screenshot: verification output on CP-1]

That’s it! You have successfully added a new node to the Kubernetes control plane for high availability!



Yst@IT

Cloud Solution Architect, focusing on Oracle Cloud Infrastructure currently.