TLS bootstrapping nodes in k8s

11/3/2019

As per the k8s official docs:

The kubelet requires the following configuration to bootstrap:

A path to store the key and certificate it generates (optional, can use default)

What's the default path and where and how can I change the path where keys and certs generated for the kubelet are stored?

-- Naxi
kubernetes

1 Answer

11/3/2019

It is in /var/run/secrets/kubernetes.io/serviceaccount by default.

You can run

    kubectl exec POD_NAME -it -- ls /var/run/secrets/kubernetes.io/serviceaccount

And you will get:

    ca.crt  namespace  token

It is defined in spec.volumeMounts.mountPath

Example:

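    apiVersion: v1
    kind: Pod
    # ...
    spec:
      containers:
      - # ...
        volumeMounts:
        # Where the service account files appear inside the container
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: my-pod-token-ctmvg
          readOnly: true
      # ...
      volumes:
      # Volume backing the mount above, matched by name
      - name: my-pod-token-ctmvg
        secret:
          defaultMode: 420  # decimal for octal 0644
          secretName: my-pod-token-ctmvg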

In other words, it's mounted to the Pod's volume.

-- fg78nc
Source: StackOverflow
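
The link the answer describes between `volumeMounts` and `volumes`, as an added example that is not part of the original question or answer: this Python sketch reads Pod JSON, such as `kubectl get pod POD_NAME -o json` produces, and reports where each container has a service account token mounted and whether the mount is read-only. The sample Pod, the function names, the rule for which secret volumes count, and the handling of projected `serviceAccountToken` volumes (which goes beyond the secret-backed case shown in the answer) are assumptions of the example.

```python
import json

DEFAULT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed sample shaped like `kubectl get pod POD_NAME -o json` output (not from the page).
SAMPLE_POD = json.loads("""
{"spec": {
  "containers": [
    {"name": "app", "volumeMounts": [
      {"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
       "name": "my-pod-token-ctmvg", "readOnly": true},
      {"mountPath": "/etc/creds", "name": "db-creds"}]},
    {"name": "sidecar", "volumeMounts": [
      {"mountPath": "/tokens", "name": "projected-token"}]}],
  "volumes": [
    {"name": "my-pod-token-ctmvg",
     "secret": {"defaultMode": 420, "secretName": "my-pod-token-ctmvg"}},
    {"name": "db-creds", "secret": {"secretName": "db-creds"}},
    {"name": "projected-token",
     "projected": {"sources": [{"serviceAccountToken": {"path": "token"}}]}}]
}}
""")

def volume_sources(pod):
    """Map volume name -> 'secret' or 'projected' (projected with a serviceAccountToken source)."""
    kinds = {}
    for vol in pod["spec"].get("volumes", []):
        sources = vol.get("projected", {}).get("sources", [])
        if "secret" in vol:
            kinds[vol["name"]] = "secret"
        elif any("serviceAccountToken" in s for s in sources):
            kinds[vol["name"]] = "projected"
    return kinds

def token_mounts(pod):
    """Return (container, mountPath, source kind, readOnly) for each token mount."""
    kinds = volume_sources(pod)
    rows = []
    for container in pod["spec"].get("containers", []):
        for mount in container.get("volumeMounts", []):
            kind = kinds.get(mount["name"])
            # Assumption: a secret volume counts only at the default path;
            # a projected token volume counts wherever it is mounted.
            if kind == "projected" or (kind == "secret" and mount["mountPath"] == DEFAULT_PATH):
                rows.append((container["name"], mount["mountPath"], kind,
                             mount.get("readOnly", False)))
    return rows

if __name__ == "__main__":
    for row in token_mounts(SAMPLE_POD):
        print(row)
```

A row whose last field is `False` marks a token mount that the container can write to, which is worth reviewing.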