commit f8bdee0054668f1ac7b30679e5ce6f5b95f160ee · pyrox.dev/nixpkgs

+1 -1

nixos/doc/manual/configuration/configuration.xml

···

       26
       26
        
        <xi:include href="../from_md/configuration/subversion.chapter.xml" />

     

       27
       27
        
        <xi:include href="../generated/modules.xml" xpointer="xpointer(//section[@id='modules']/*)" />

     

       28
       28
        
        <xi:include href="profiles.xml" />

     

       29
       29
       -
        <xi:include href="kubernetes.xml" />

     

       29
       29
       +
        <xi:include href="../from_md/configuration/kubernetes.chapter.xml" />

     

       30
       30
        
       <!-- Apache; libvirtd virtualisation -->

     

       31
       31
        
       </part>

+104

nixos/doc/manual/configuration/kubernetes.chapter.md

···

       1
       1
       +
       # Kubernetes {#sec-kubernetes}

     

       2
       2
       +
       

     

       3
       3
       +
       The NixOS Kubernetes module is a collective term for a handful of

     

       4
       4
       +
       individual submodules implementing the Kubernetes cluster components.

     

       5
       5
       +
       

     

       6
       6
       +
       There are generally two ways of enabling Kubernetes on NixOS. One way is

     

       7
       7
       +
       to enable and configure cluster components appropriately by hand:

     

       8
       8
       +
       

     

       9
       9
       +
       ```nix

     

       10
       10
       +
       services.kubernetes = {

     

       11
       11
       +
         apiserver.enable = true;

     

       12
       12
       +
         controllerManager.enable = true;

     

       13
       13
       +
         scheduler.enable = true;

     

       14
       14
       +
         addonManager.enable = true;

     

       15
       15
       +
         proxy.enable = true;

     

       16
       16
       +
         flannel.enable = true;

     

       17
       17
       +
       };

     

       18
       18
       +
       ```

     

       19
       19
       +
       

     

       20
       20
       +
       Another way is to assign cluster roles (\"master\" and/or \"node\") to

     

       21
       21
       +
       the host. This enables apiserver, controllerManager, scheduler,

     

       22
       22
       +
       addonManager, kube-proxy and etcd:

     

       23
       23
       +
       

     

       24
       24
       +
       ```nix

     

       25
       25
       +
       services.kubernetes.roles = [ "master" ];

     

       26
       26
       +
       ```

     

       27
       27
       +
       

     

       28
       28
       +
       While this will enable the kubelet and kube-proxy only:

     

       29
       29
       +
       

     

       30
       30
       +
       ```nix

     

       31
       31
       +
       services.kubernetes.roles = [ "node" ];

     

       32
       32
       +
       ```

     

       33
       33
       +
       

     

       34
       34
       +
       Assigning both the master and node roles is usable if you want a single

     

       35
       35
       +
       node Kubernetes cluster for dev or testing purposes:

     

       36
       36
       +
       

     

       37
       37
       +
       ```nix

     

       38
       38
       +
       services.kubernetes.roles = [ "master" "node" ];

     

       39
       39
       +
       ```

     

       40
       40
       +
       

     

       41
       41
       +
       Note: Assigning either role will also default both

     

       42
       42
       +
       [`services.kubernetes.flannel.enable`](options.html#opt-services.kubernetes.flannel.enable)

     

       43
       43
       +
       and [`services.kubernetes.easyCerts`](options.html#opt-services.kubernetes.easyCerts)

     

       44
       44
       +
       to true. This sets up flannel as CNI and activates automatic PKI bootstrapping.

     

       45
       45
       +
       

     

       46
       46
       +
       As of kubernetes 1.10.X it has been deprecated to open non-tls-enabled

     

       47
       47
       +
       ports on kubernetes components. Thus, from NixOS 19.03 all plain HTTP

     

       48
       48
       +
       ports have been disabled by default. While opening insecure ports is

     

       49
       49
       +
       still possible, it is recommended not to bind these to other interfaces

     

       50
       50
       +
       than loopback. To re-enable the insecure port on the apiserver, see options:

     

       51
       51
       +
       [`services.kubernetes.apiserver.insecurePort`](options.html#opt-services.kubernetes.apiserver.insecurePort) and

     

       52
       52
       +
       [`services.kubernetes.apiserver.insecureBindAddress`](options.html#opt-services.kubernetes.apiserver.insecureBindAddress)

     

       53
       53
       +
       

     

       54
       54
       +
       ::: {.note}

     

       55
       55
       +
       As of NixOS 19.03, it is mandatory to configure:

     

       56
       56
       +
       [`services.kubernetes.masterAddress`](options.html#opt-services.kubernetes.masterAddress).

     

       57
       57
       +
       The masterAddress must be resolveable and routeable by all cluster nodes.

     

       58
       58
       +
       In single node clusters, this can be set to `localhost`.

     

       59
       59
       +
       :::

     

       60
       60
       +
       

     

       61
       61
       +
       Role-based access control (RBAC) authorization mode is enabled by

     

       62
       62
       +
       default. This means that anonymous requests to the apiserver secure port

     

       63
       63
       +
       will expectedly cause a permission denied error. All cluster components

     

       64
       64
       +
       must therefore be configured with x509 certificates for two-way tls

     

       65
       65
       +
       communication. The x509 certificate subject section determines the roles

     

       66
       66
       +
       and permissions granted by the apiserver to perform clusterwide or

     

       67
       67
       +
       namespaced operations. See also: [ Using RBAC

     

       68
       68
       +
       Authorization](https://kubernetes.io/docs/reference/access-authn-authz/rbac/).

     

       69
       69
       +
       

     

       70
       70
       +
       The NixOS kubernetes module provides an option for automatic certificate

     

       71
       71
       +
       bootstrapping and configuration,

     

       72
       72
       +
       [`services.kubernetes.easyCerts`](options.html#opt-services.kubernetes.easyCerts).

     

       73
       73
       +
       The PKI bootstrapping process involves setting up a certificate authority (CA)

     

       74
       74
       +
       daemon (cfssl) on the kubernetes master node. cfssl generates a CA-cert

     

       75
       75
       +
       for the cluster, and uses the CA-cert for signing subordinate certs issued

     

       76
       76
       +
       to each of the cluster components. Subsequently, the certmgr daemon monitors

     

       77
       77
       +
       active certificates and renews them when needed. For single node Kubernetes

     

       78
       78
       +
       clusters, setting [`services.kubernetes.easyCerts`](options.html#opt-services.kubernetes.easyCerts)

     

       79
       79
       +
       = true is sufficient and no further action is required. For joining extra node

     

       80
       80
       +
       machines to an existing cluster on the other hand, establishing initial

     

       81
       81
       +
       trust is mandatory.

     

       82
       82
       +
       

     

       83
       83
       +
       To add new nodes to the cluster: On any (non-master) cluster node where

     

       84
       84
       +
       [`services.kubernetes.easyCerts`](options.html#opt-services.kubernetes.easyCerts)

     

       85
       85
       +
       is enabled, the helper script `nixos-kubernetes-node-join` is available on PATH.

     

       86
       86
       +
       Given a token on stdin, it will copy the token to the kubernetes secrets directory

     

       87
       87
       +
       and restart the certmgr service. As requested certificates are issued, the

     

       88
       88
       +
       script will restart kubernetes cluster components as needed for them to

     

       89
       89
       +
       pick up new keypairs.

     

       90
       90
       +
       

     

       91
       91
       +
       ::: {.note}

     

       92
       92
       +
       Multi-master (HA) clusters are not supported by the easyCerts module.

     

       93
       93
       +
       :::

     

       94
       94
       +
       

     

       95
       95
       +
       In order to interact with an RBAC-enabled cluster as an administrator,

     

       96
       96
       +
       one needs to have cluster-admin privileges. By default, when easyCerts

     

       97
       97
       +
       is enabled, a cluster-admin kubeconfig file is generated and linked into

     

       98
       98
       +
       `/etc/kubernetes/cluster-admin.kubeconfig` as determined by

     

       99
       99
       +
       [`services.kubernetes.pki.etcClusterAdminKubeconfig`](options.html#opt-services.kubernetes.pki.etcClusterAdminKubeconfig).

     

       100
       100
       +
       `export KUBECONFIG=/etc/kubernetes/cluster-admin.kubeconfig` will make

     

       101
       101
       +
       kubectl use this kubeconfig to access and authenticate the cluster. The

     

       102
       102
       +
       cluster-admin kubeconfig references an auto-generated keypair owned by

     

       103
       103
       +
       root. Thus, only root on the kubernetes master may obtain cluster-admin

     

       104
       104
       +
       rights by means of this file.

-112

nixos/doc/manual/configuration/kubernetes.xml

···

       1
       1
       -
       <chapter xmlns="http://docbook.org/ns/docbook"

     

       2
       2
       -
                xmlns:xlink="http://www.w3.org/1999/xlink"

     

       3
       3
       -
                xmlns:xi="http://www.w3.org/2001/XInclude"

     

       4
       4
       -
                version="5.0"

     

       5
       5
       -
                xml:id="sec-kubernetes">

     

       6
       6
       -
        <title>Kubernetes</title>

     

       7
       7
       -
        <para>

     

       8
       8
       -
         The NixOS Kubernetes module is a collective term for a handful of individual

     

       9
       9
       -
         submodules implementing the Kubernetes cluster components.

     

       10
       10
       -
        </para>

     

       11
       11
       -
        <para>

     

       12
       12
       -
         There are generally two ways of enabling Kubernetes on NixOS. One way is to

     

       13
       13
       -
         enable and configure cluster components appropriately by hand:

     

       14
       14
       -
       <programlisting>

     

       15
       15
       -
       services.kubernetes = {

     

       16
       16
       -
         apiserver.enable = true;

     

       17
       17
       -
         controllerManager.enable = true;

     

       18
       18
       -
         scheduler.enable = true;

     

       19
       19
       -
         addonManager.enable = true;

     

       20
       20
       -
         proxy.enable = true;

     

       21
       21
       -
         flannel.enable = true;

     

       22
       22
       -
       };

     

       23
       23
       -
       </programlisting>

     

       24
       24
       -
         Another way is to assign cluster roles ("master" and/or "node") to the host.

     

       25
       25
       -
         This enables apiserver, controllerManager, scheduler, addonManager,

     

       26
       26
       -
         kube-proxy and etcd:

     

       27
       27
       -
       <programlisting>

     

       28
       28
       -
       <xref linkend="opt-services.kubernetes.roles"/> = [ "master" ];

     

       29
       29
       -
       </programlisting>

     

       30
       30
       -
         While this will enable the kubelet and kube-proxy only:

     

       31
       31
       -
       <programlisting>

     

       32
       32
       -
       <xref linkend="opt-services.kubernetes.roles"/> = [ "node" ];

     

       33
       33
       -
       </programlisting>

     

       34
       34
       -
         Assigning both the master and node roles is usable if you want a single node

     

       35
       35
       -
         Kubernetes cluster for dev or testing purposes:

     

       36
       36
       -
       <programlisting>

     

       37
       37
       -
       <xref linkend="opt-services.kubernetes.roles"/> = [ "master" "node" ];

     

       38
       38
       -
       </programlisting>

     

       39
       39
       -
         Note: Assigning either role will also default both

     

       40
       40
       -
         <xref linkend="opt-services.kubernetes.flannel.enable"/> and

     

       41
       41
       -
         <xref linkend="opt-services.kubernetes.easyCerts"/> to true. This sets up

     

       42
       42
       -
         flannel as CNI and activates automatic PKI bootstrapping.

     

       43
       43
       -
        </para>

     

       44
       44
       -
        <para>

     

       45
       45
       -
         As of kubernetes 1.10.X it has been deprecated to open non-tls-enabled ports

     

       46
       46
       -
         on kubernetes components. Thus, from NixOS 19.03 all plain HTTP ports have

     

       47
       47
       -
         been disabled by default. While opening insecure ports is still possible, it

     

       48
       48
       -
         is recommended not to bind these to other interfaces than loopback. To

     

       49
       49
       -
         re-enable the insecure port on the apiserver, see options:

     

       50
       50
       -
         <xref linkend="opt-services.kubernetes.apiserver.insecurePort"/> and

     

       51
       51
       -
         <xref linkend="opt-services.kubernetes.apiserver.insecureBindAddress"/>

     

       52
       52
       -
        </para>

     

       53
       53
       -
        <note>

     

       54
       54
       -
         <para>

     

       55
       55
       -
          As of NixOS 19.03, it is mandatory to configure:

     

       56
       56
       -
          <xref linkend="opt-services.kubernetes.masterAddress"/>. The masterAddress

     

       57
       57
       -
          must be resolveable and routeable by all cluster nodes. In single node

     

       58
       58
       -
          clusters, this can be set to <literal>localhost</literal>.

     

       59
       59
       -
         </para>

     

       60
       60
       -
        </note>

     

       61
       61
       -
        <para>

     

       62
       62
       -
         Role-based access control (RBAC) authorization mode is enabled by default.

     

       63
       63
       -
         This means that anonymous requests to the apiserver secure port will

     

       64
       64
       -
         expectedly cause a permission denied error. All cluster components must

     

       65
       65
       -
         therefore be configured with x509 certificates for two-way tls communication.

     

       66
       66
       -
         The x509 certificate subject section determines the roles and permissions

     

       67
       67
       -
         granted by the apiserver to perform clusterwide or namespaced operations. See

     

       68
       68
       -
         also:

     

       69
       69
       -
         <link

     

       70
       70
       -
            xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/">

     

       71
       71
       -
         Using RBAC Authorization</link>.

     

       72
       72
       -
        </para>

     

       73
       73
       -
        <para>

     

       74
       74
       -
         The NixOS kubernetes module provides an option for automatic certificate

     

       75
       75
       -
         bootstrapping and configuration,

     

       76
       76
       -
         <xref linkend="opt-services.kubernetes.easyCerts"/>. The PKI bootstrapping

     

       77
       77
       -
         process involves setting up a certificate authority (CA) daemon (cfssl) on

     

       78
       78
       -
         the kubernetes master node. cfssl generates a CA-cert for the cluster, and

     

       79
       79
       -
         uses the CA-cert for signing subordinate certs issued to each of the cluster

     

       80
       80
       -
         components. Subsequently, the certmgr daemon monitors active certificates and

     

       81
       81
       -
         renews them when needed. For single node Kubernetes clusters, setting

     

       82
       82
       -
         <xref linkend="opt-services.kubernetes.easyCerts"/> = true is sufficient and

     

       83
       83
       -
         no further action is required. For joining extra node machines to an existing

     

       84
       84
       -
         cluster on the other hand, establishing initial trust is mandatory.

     

       85
       85
       -
        </para>

     

       86
       86
       -
        <para>

     

       87
       87
       -
         To add new nodes to the cluster: On any (non-master) cluster node where

     

       88
       88
       -
         <xref linkend="opt-services.kubernetes.easyCerts"/> is enabled, the helper

     

       89
       89
       -
         script <literal>nixos-kubernetes-node-join</literal> is available on PATH.

     

       90
       90
       -
         Given a token on stdin, it will copy the token to the kubernetes secrets

     

       91
       91
       -
         directory and restart the certmgr service. As requested certificates are

     

       92
       92
       -
         issued, the script will restart kubernetes cluster components as needed for

     

       93
       93
       -
         them to pick up new keypairs.

     

       94
       94
       -
        </para>

     

       95
       95
       -
        <note>

     

       96
       96
       -
         <para>

     

       97
       97
       -
          Multi-master (HA) clusters are not supported by the easyCerts module.

     

       98
       98
       -
         </para>

     

       99
       99
       -
        </note>

     

       100
       100
       -
        <para>

     

       101
       101
       -
         In order to interact with an RBAC-enabled cluster as an administrator, one

     

       102
       102
       -
         needs to have cluster-admin privileges. By default, when easyCerts is

     

       103
       103
       -
         enabled, a cluster-admin kubeconfig file is generated and linked into

     

       104
       104
       -
         <literal>/etc/kubernetes/cluster-admin.kubeconfig</literal> as determined by

     

       105
       105
       -
         <xref linkend="opt-services.kubernetes.pki.etcClusterAdminKubeconfig"/>.

     

       106
       106
       -
         <literal>export KUBECONFIG=/etc/kubernetes/cluster-admin.kubeconfig</literal>

     

       107
       107
       -
         will make kubectl use this kubeconfig to access and authenticate the cluster.

     

       108
       108
       -
         The cluster-admin kubeconfig references an auto-generated keypair owned by

     

       109
       109
       -
         root. Thus, only root on the kubernetes master may obtain cluster-admin

     

       110
       110
       -
         rights by means of this file.

     

       111
       111
       -
        </para>

     

       112
       112
       -
       </chapter>

+130

nixos/doc/manual/from_md/configuration/kubernetes.chapter.xml

···

       1
       1
       +
       <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-kubernetes">

     

       2
       2
       +
         <title>Kubernetes</title>

     

       3
       3
       +
         <para>

     

       4
       4
       +
           The NixOS Kubernetes module is a collective term for a handful of

     

       5
       5
       +
           individual submodules implementing the Kubernetes cluster

     

       6
       6
       +
           components.

     

       7
       7
       +
         </para>

     

       8
       8
       +
         <para>

     

       9
       9
       +
           There are generally two ways of enabling Kubernetes on NixOS. One

     

       10
       10
       +
           way is to enable and configure cluster components appropriately by

     

       11
       11
       +
           hand:

     

       12
       12
       +
         </para>

     

       13
       13
       +
         <programlisting language="bash">

     

       14
       14
       +
       services.kubernetes = {

     

       15
       15
       +
         apiserver.enable = true;

     

       16
       16
       +
         controllerManager.enable = true;

     

       17
       17
       +
         scheduler.enable = true;

     

       18
       18
       +
         addonManager.enable = true;

     

       19
       19
       +
         proxy.enable = true;

     

       20
       20
       +
         flannel.enable = true;

     

       21
       21
       +
       };

     

       22
       22
       +
       </programlisting>

     

       23
       23
       +
         <para>

     

       24
       24
       +
           Another way is to assign cluster roles (&quot;master&quot; and/or

     

       25
       25
       +
           &quot;node&quot;) to the host. This enables apiserver,

     

       26
       26
       +
           controllerManager, scheduler, addonManager, kube-proxy and etcd:

     

       27
       27
       +
         </para>

     

       28
       28
       +
         <programlisting language="bash">

     

       29
       29
       +
       services.kubernetes.roles = [ &quot;master&quot; ];

     

       30
       30
       +
       </programlisting>

     

       31
       31
       +
         <para>

     

       32
       32
       +
           While this will enable the kubelet and kube-proxy only:

     

       33
       33
       +
         </para>

     

       34
       34
       +
         <programlisting language="bash">

     

       35
       35
       +
       services.kubernetes.roles = [ &quot;node&quot; ];

     

       36
       36
       +
       </programlisting>

     

       37
       37
       +
         <para>

     

       38
       38
       +
           Assigning both the master and node roles is usable if you want a

     

       39
       39
       +
           single node Kubernetes cluster for dev or testing purposes:

     

       40
       40
       +
         </para>

     

       41
       41
       +
         <programlisting language="bash">

     

       42
       42
       +
       services.kubernetes.roles = [ &quot;master&quot; &quot;node&quot; ];

     

       43
       43
       +
       </programlisting>

     

       44
       44
       +
         <para>

     

       45
       45
       +
           Note: Assigning either role will also default both

     

       46
       46
       +
           <link xlink:href="options.html#opt-services.kubernetes.flannel.enable"><literal>services.kubernetes.flannel.enable</literal></link>

     

       47
       47
       +
           and

     

       48
       48
       +
           <link xlink:href="options.html#opt-services.kubernetes.easyCerts"><literal>services.kubernetes.easyCerts</literal></link>

     

       49
       49
       +
           to true. This sets up flannel as CNI and activates automatic PKI

     

       50
       50
       +
           bootstrapping.

     

       51
       51
       +
         </para>

     

       52
       52
       +
         <para>

     

       53
       53
       +
           As of kubernetes 1.10.X it has been deprecated to open

     

       54
       54
       +
           non-tls-enabled ports on kubernetes components. Thus, from NixOS

     

       55
       55
       +
           19.03 all plain HTTP ports have been disabled by default. While

     

       56
       56
       +
           opening insecure ports is still possible, it is recommended not to

     

       57
       57
       +
           bind these to other interfaces than loopback. To re-enable the

     

       58
       58
       +
           insecure port on the apiserver, see options:

     

       59
       59
       +
           <link xlink:href="options.html#opt-services.kubernetes.apiserver.insecurePort"><literal>services.kubernetes.apiserver.insecurePort</literal></link>

     

       60
       60
       +
           and

     

       61
       61
       +
           <link xlink:href="options.html#opt-services.kubernetes.apiserver.insecureBindAddress"><literal>services.kubernetes.apiserver.insecureBindAddress</literal></link>

     

       62
       62
       +
         </para>

     

       63
       63
       +
         <note>

     

       64
       64
       +
           <para>

     

       65
       65
       +
             As of NixOS 19.03, it is mandatory to configure:

     

       66
       66
       +
             <link xlink:href="options.html#opt-services.kubernetes.masterAddress"><literal>services.kubernetes.masterAddress</literal></link>.

     

       67
       67
       +
             The masterAddress must be resolveable and routeable by all cluster

     

       68
       68
       +
             nodes. In single node clusters, this can be set to

     

       69
       69
       +
             <literal>localhost</literal>.

     

       70
       70
       +
           </para>

     

       71
       71
       +
         </note>

     

       72
       72
       +
         <para>

     

       73
       73
       +
           Role-based access control (RBAC) authorization mode is enabled by

     

       74
       74
       +
           default. This means that anonymous requests to the apiserver secure

     

       75
       75
       +
           port will expectedly cause a permission denied error. All cluster

     

       76
       76
       +
           components must therefore be configured with x509 certificates for

     

       77
       77
       +
           two-way tls communication. The x509 certificate subject section

     

       78
       78
       +
           determines the roles and permissions granted by the apiserver to

     

       79
       79
       +
           perform clusterwide or namespaced operations. See also:

     

       80
       80
       +
           <link xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/">

     

       81
       81
       +
           Using RBAC Authorization</link>.

     

       82
       82
       +
         </para>

     

       83
       83
       +
         <para>

     

       84
       84
       +
           The NixOS kubernetes module provides an option for automatic

     

       85
       85
       +
           certificate bootstrapping and configuration,

     

       86
       86
       +
           <link xlink:href="options.html#opt-services.kubernetes.easyCerts"><literal>services.kubernetes.easyCerts</literal></link>.

     

       87
       87
       +
           The PKI bootstrapping process involves setting up a certificate

     

       88
       88
       +
           authority (CA) daemon (cfssl) on the kubernetes master node. cfssl

     

       89
       89
       +
           generates a CA-cert for the cluster, and uses the CA-cert for

     

       90
       90
       +
           signing subordinate certs issued to each of the cluster components.

     

       91
       91
       +
           Subsequently, the certmgr daemon monitors active certificates and

     

       92
       92
       +
           renews them when needed. For single node Kubernetes clusters,

     

       93
       93
       +
           setting

     

       94
       94
       +
           <link xlink:href="options.html#opt-services.kubernetes.easyCerts"><literal>services.kubernetes.easyCerts</literal></link>

     

       95
       95
       +
           = true is sufficient and no further action is required. For joining

     

       96
       96
       +
           extra node machines to an existing cluster on the other hand,

     

       97
       97
       +
           establishing initial trust is mandatory.

     

       98
       98
       +
         </para>

     

       99
       99
       +
         <para>

     

       100
       100
       +
           To add new nodes to the cluster: On any (non-master) cluster node

     

       101
       101
       +
           where

     

       102
       102
       +
           <link xlink:href="options.html#opt-services.kubernetes.easyCerts"><literal>services.kubernetes.easyCerts</literal></link>

     

       103
       103
       +
           is enabled, the helper script

     

       104
       104
       +
           <literal>nixos-kubernetes-node-join</literal> is available on PATH.

     

       105
       105
       +
           Given a token on stdin, it will copy the token to the kubernetes

     

       106
       106
       +
           secrets directory and restart the certmgr service. As requested

     

       107
       107
       +
           certificates are issued, the script will restart kubernetes cluster

     

       108
       108
       +
           components as needed for them to pick up new keypairs.

     

       109
       109
       +
         </para>

     

       110
       110
       +
         <note>

     

       111
       111
       +
           <para>

     

       112
       112
       +
             Multi-master (HA) clusters are not supported by the easyCerts

     

       113
       113
       +
             module.

     

       114
       114
       +
           </para>

     

       115
       115
       +
         </note>

     

       116
       116
       +
         <para>

     

       117
       117
       +
           In order to interact with an RBAC-enabled cluster as an

     

       118
       118
       +
           administrator, one needs to have cluster-admin privileges. By

     

       119
       119
       +
           default, when easyCerts is enabled, a cluster-admin kubeconfig file

     

       120
       120
       +
           is generated and linked into

     

       121
       121
       +
           <literal>/etc/kubernetes/cluster-admin.kubeconfig</literal> as

     

       122
       122
       +
           determined by

     

       123
       123
       +
           <link xlink:href="options.html#opt-services.kubernetes.pki.etcClusterAdminKubeconfig"><literal>services.kubernetes.pki.etcClusterAdminKubeconfig</literal></link>.

     

       124
       124
       +
           <literal>export KUBECONFIG=/etc/kubernetes/cluster-admin.kubeconfig</literal>

     

       125
       125
       +
           will make kubectl use this kubeconfig to access and authenticate the

     

       126
       126
       +
           cluster. The cluster-admin kubeconfig references an auto-generated

     

       127
       127
       +
           keypair owned by root. Thus, only root on the kubernetes master may

     

       128
       128
       +
           obtain cluster-admin rights by means of this file.

     

       129
       129
       +
         </para>

     

       130
       130
       +
       </chapter>