Generate a kubeconfig for kubectl which can be taken off the masterA

/etc/kubernetes/kuectl.kubeconfig
2025-08-14 22:33:34 +00:00 · 2015-07-01 13:19:06 -04:00 · 2015-07-01 13:19:06 -04:00 · c66bafaa18
commit c66bafaa18
parent 88087decb4
4 changed files with 29 additions and 2 deletions
--- a/contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml
+++ b/contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml
@ -10,7 +10,7 @@
  environment:
    TOKEN_DIR: "{{ kube_token_dir }}"
  with_nested:
-    - [ "system:controller_manager", "system:scheduler" ]
+    - [ "system:controller_manager", "system:scheduler", "system:kubectl" ]
    - "{{ groups['masters'] }}"
  register: gentoken
  changed_when: "'Added' in gentoken.stdout"
--- a/contrib/ansible/roles/kubernetes/tasks/secrets.yml
+++ b/contrib/ansible/roles/kubernetes/tasks/secrets.yml
@ -35,8 +35,12 @@
  run_once: true
  delegate_to: "{{ groups['masters'][0] }}"

+- name: Register the CA certificate as a fact so it can be used later
+  set_fact:
+    kube_ca_cert: "{{ ca_cert.content|b64decode }}"
+
 - name: Place CA certificate everywhere
-  copy: content="{{ ca_cert.content|b64decode }}" dest="{{ kube_cert_dir }}/ca.crt"
+  copy: content="{{ kube_ca_cert }}" dest="{{ kube_cert_dir }}/ca.crt"
  notify:
    - restart daemons

--- a/contrib/ansible/roles/master/tasks/main.yml
+++ b/contrib/ansible/roles/master/tasks/main.yml
@ -27,6 +27,7 @@
  with_items:
    - "system:controller_manager"
    - "system:scheduler"
+    - "system:kubectl"
  register: tokens
  delegate_to: "{{ groups['masters'][0] }}"

@ -34,6 +35,7 @@
  set_fact:
    controller_manager_token: "{{ tokens.results[0].content|b64decode }}"
    scheduler_token: "{{ tokens.results[1].content|b64decode }}"
+    kubectl_token: "{{ tokens.results[2].content|b64decode }}"

 - name: write the config file for the controller-manager
  template: src=controller-manager.j2 dest={{ kube_config_dir }}/controller-manager
@ -61,6 +63,9 @@
 - name: Enable scheduler
  service: name=kube-scheduler enabled=yes state=started

+- name: write the kubecfg (auth) file for kubectl
+  template: src=kubectl.kubeconfig.j2 dest={{ kube_config_dir }}/kubectl.kubeconfig
+
 - include: firewalld.yml
  when: has_firewalld

--- a/contrib/ansible/roles/master/templates/kubectl.kubeconfig.j2
+++ b/contrib/ansible/roles/master/templates/kubectl.kubeconfig.j2
@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+current-context: kubectl-to-{{ cluster_name }}
+preferences: {}
+clusters:
+- cluster:
+    certificate-authority-data: {{ kube_ca_cert|b64encode }}
+    server: https://{{ groups['masters'][0] }}:443
+  name: {{ cluster_name }}
+contexts:
+- context:
+    cluster: {{ cluster_name }}
+    user: kubectl
+  name: kubectl-to-{{ cluster_name }}
+users:
+- name: kubectl
+  user:
+    token: {{ kubectl_token }}