#!/bin/bash # Kubernetes is delivered in a non-functional state on Fedora and similar operating systems # The following commands are needed to get it running. cd /etc/kubernetes/ cat < openssl.conf oid_section = new_oids [new_oids] [req] encrypt_key = no string_mask = nombstr req_extensions = v3_req distinguished_name = v3_name [v3_name] commonName = kubernetes [v3_req] basicConstraints = CA:FALSE subjectAltName = @alt_names [alt_names] DNS.1 = kubernetes DNS.2 = kubernetes.default DNS.3 = kubernetes.default.svc DNS.4 = kubernetes.default.svc.cluster.local IP.1 = 127.0.0.1 IP.2 = 10.254.0.1 EOF openssl genrsa -out ca.key 2048 openssl req -x509 -new -nodes -key ca.key -days 3072 -out ca.crt -subj '/CN=kubernetes' openssl genrsa -out server.key 2048 openssl req -config openssl.conf -new -key server.key -out server.csr -subj '/CN=kubernetes' openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3072 -extensions v3_req -extfile openssl.conf # make keys readable for "kube" group and thus for kube-apiserver.service on newer OSes if getent group kube >/dev/null; then chgrp kube ca.key server.key chmod 640 ca.key server.key fi echo -e '{"user":"admin"}\n{"user":"scruffy","readonly": true}' > /etc/kubernetes/authorization echo -e 'fubar,admin,10101\nscruffy,scruffy,10102' > /etc/kubernetes/passwd echo 'KUBE_API_ARGS="--service_account_key_file=/etc/kubernetes/server.key --client-ca-file=/etc/kubernetes/ca.crt --tls-cert-file=/etc/kubernetes/server.crt --tls-private-key-file=/etc/kubernetes/server.key --basic_auth_file=/etc/kubernetes/passwd --authorization_mode=ABAC --authorization_policy_file=/etc/kubernetes/authorization"' >> apiserver echo 'KUBE_CONTROLLER_MANAGER_ARGS="--root-ca-file=/etc/kubernetes/ca.crt --service-account-private-key-file=/etc/kubernetes/server.key"' >> controller-manager