Kubernetes - kubelet
kubelet files:
/var/lib/kubelet/config.yaml
/var/lib/kubelet/pki/
/etc/kubernetes/kubelet.conf
kubelet.conf has this:

  users:
  - name: default-auth
    user:
      client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
      client-key: /var/lib/kubelet/pki/kubelet-client-current.pem

/var/lib/kubelet/pki/kubelet-client-current.pem is used when talking to the API server. The cert has Subject: O = system:nodes, CN = system:node:<node_name>
kubelet is deployed as a systemd service; check status: $ systemctl status kubelet
kubelet needs a kubeconfig to authenticate itself to the API server.
kubelet talks to containerd through a unix socket: unix:///run/containerd/containerd.sock
Configs:
- if you start kubelet with --register-node=false, you need to manually create the Node object; if true, it will create the Node object on the API server.
- if you set the kubelet --authorization-mode flag to Webhook, it will use the SubjectAccessReview API to determine authorization.
- --network-plugin=cni: enables CNI (Container Network Interface).
kubelet service
This configuration file installed by the kubeadm package is written to /etc/systemd/system/kubelet.service.d/10-kubeadm.conf and is used by systemd.
Input for kubelet
The kubelet works in terms of a PodSpec. A PodSpec is a YAML or JSON object that describes a pod.
Auth
The kubelet calls the TokenReview API on the configured API server to determine user information from bearer tokens.
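As an added example (not part of these notes), a small Python audit that ties the points above together: it checks that the kubelet client cert carries the O = system:nodes, CN = system:node:<node_name> identity, and that the kubelet config sends bearer tokens to TokenReview and authorization decisions to SubjectAccessReview (mode Webhook) with anonymous auth off. The sample configs and subject strings are constructed; the dicts stand in for a parsed /var/lib/kubelet/config.yaml.

```python
import re

# Constructed samples (assumption): the dicts stand in for yaml.safe_load() of /var/lib/kubelet/config.yaml,
# the subject strings for `openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -subject`.
HARDENED_CONFIG = {
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},          # bearer tokens are checked via TokenReview
    },
    "authorization": {"mode": "Webhook"},      # requests are checked via SubjectAccessReview
}
WEAK_CONFIG = {
    "authentication": {"anonymous": {"enabled": True}, "webhook": {"enabled": False}},
    "authorization": {"mode": "AlwaysAllow"},
}

def parse_subject(subject):
    """Parse an openssl subject line ('subject=O = system:nodes, CN = ...') into {RDN type: value}."""
    subject = subject.strip()
    if subject.startswith("subject="):
        subject = subject[len("subject="):]
    return {k: v.strip() for k, v in re.findall(r"([A-Z]+)\s*=\s*([^,]+)", subject)}

def check_node_identity(subject, node_name):
    """Findings if the client cert lacks the node identity (O=system:nodes, CN=system:node:<node>)."""
    rdn = parse_subject(subject)
    expected_cn = "system:node:" + node_name
    findings = []
    if rdn.get("O") != "system:nodes":
        findings.append("O is %r, expected 'system:nodes'" % rdn.get("O"))
    if rdn.get("CN") != expected_cn:
        findings.append("CN is %r, expected %r" % (rdn.get("CN"), expected_cn))
    return findings

def check_kubelet_auth(cfg):
    """Findings for weak or unset auth settings; unset keys are reported, not assumed safe."""
    authn = cfg.get("authentication", {})
    authz = cfg.get("authorization", {})
    findings = []
    anonymous = authn.get("anonymous", {}).get("enabled")
    if anonymous is not False:
        findings.append("authentication.anonymous.enabled is %r, expected false" % anonymous)
    webhook = authn.get("webhook", {}).get("enabled")
    if webhook is not True:
        findings.append("authentication.webhook.enabled is %r, expected true (TokenReview)" % webhook)
    mode = authz.get("mode")
    if mode != "Webhook":
        findings.append("authorization.mode is %r, expected 'Webhook' (SubjectAccessReview)" % mode)
    return findings
```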