In this demo we look at TLS bootstrapping a worker node, the worker-2 node in our case.
To enable the TLS bootstrapping feature, you must meet two prerequisites. The first is to have the “enable bootstrap token auth” option set to true on the kube-apiserver. We can check this by running the ps aux command and looking at the kube-apiserver process. We see that it is enabled in our case.

The second is for the controller manager to have the cluster signing certificate and key. Again we use the ps command to list the controller-manager process, and we see it's working. Once done, proceed with the bootstrapping process.

On the worker node, download the required binaries for the kubelet, kube-proxy and the kubectl utility.

Then create the required directory structure and move the binaries to the bin directory. Finally, move the CA certificate into place. Note that we do not have a kubelet certificate generated in this case.

As discussed in the previous lecture, we must create a bootstrap token to be used by the kubelet. Do this by creating a bootstrap token secret object.

Then grant the bearers of that token, the worker nodes, permission to create CSRs. For this we create a cluster role binding object. We can do this in two ways: either by creating a YAML definition file, the declarative way, or with a single command, the imperative way. We will follow the imperative approach.
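
The prerequisite checks, the bootstrap token secret and the imperative role binding described above, sketched as a shell script. This is an added example, not taken from the demo: the flags, secret fields and the system:node-bootstrapper role are standard Kubernetes names, while the system:bootstrappers:worker group, the binding name and the sample command lines are assumptions.

```shell
#!/bin/sh
# Added example. Group name, binding name and sample command lines are assumptions.
# has_flag "<process args>" "<flag>": true if the flag is set, bare or as flag=value.
has_flag() {
  case " $1 " in *" $2 "*|*" $2="*) return 0 ;; *) return 1 ;; esac
}

# Both prerequisites: $1 = kube-apiserver args, $2 = kube-controller-manager args.
check_prereqs() {
  has_flag "$1" "--enable-bootstrap-token-auth=true" || { echo "apiserver: bootstrap token auth off"; return 1; }
  has_flag "$2" "--cluster-signing-cert-file" || { echo "controller-manager: no signing cert"; return 1; }
  has_flag "$2" "--cluster-signing-key-file" || { echo "controller-manager: no signing key"; return 1; }
}

# Constructed sample command lines, shaped like `ps` output, for a dry run.
SAMPLE_API="kube-apiserver --authorization-mode=Node,RBAC --enable-bootstrap-token-auth=true"
SAMPLE_CM="kube-controller-manager --cluster-signing-cert-file=/var/lib/kubernetes/ca.crt --cluster-signing-key-file=/var/lib/kubernetes/ca.key"

# Bootstrap tokens have the form <6 chars>.<16 chars>, every char in [a-z0-9].
rand_chars() { head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' | head -c "$1"; }
valid_token() {
  case "$1" in *[!a-z0-9.]*) return 1 ;; esac   # rejects newlines and symbols
  printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# Secret manifest for token $1.$2 expiring at $3 (RFC 3339). Values are quoted so
# an all-digit token id is not parsed as a number by YAML.
bootstrap_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-$1
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  token-id: "$1"
  token-secret: "$2"
  expiration: "$3"
  usage-bootstrap-authentication: "true"
  auth-extra-groups: system:bootstrappers:worker
EOF
}

# Imperative binding: token bearers may create CSRs and nothing else.
binding_cmd() {
  echo "kubectl create clusterrolebinding create-csrs-for-bootstrapping" \
       "--clusterrole=system:node-bootstrapper --group=system:bootstrappers"
}
```

On a live control-plane node, feed check_prereqs the output of `ps -o args= -C kube-apiserver` and `ps -o args= -C kube-controller-manager`, and pipe bootstrap_secret into `kubectl apply -f -`. Setting a short expiration keeps a leaked token from being usable to request node certificates later.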


Install Kubernetes from Scratch [13]