Kubernetes, Microservices

Kubernetes The Hard Way Explained - Chapter 2

Kelsey Hightower’s tutorial is the goto place for wannabe Kubernetes administrators who want to learn the ins and outs of the platform. With the CNCF’s official Kubernetes Certified Administrator programme out recently we can only expect this great resource to gain even more attention.

I used KTHW a lot when I was learning K8S and prepping for the CNCF exam. This blog post is about stuff that didn’t fit into the tutorial – explanations of the workings of K8s that give context to the individual steps. Read each section before you start working on that part of the tutorial (or after if you find out you stepped into too deep water). I numbered chapter titles to match chapters in the tutorial, some are skipped because I have nothing to add.

This is the second post in the series. You can find chapter 1 here.

Chapter 2 - Client Tools

In this chapter Kelsey has us install two command line tools we’ll be using in the tutorial. We will use CFSSL to set up our Public Key Infrastructure (PKI), while kubectl is the tool we will use to control our cluster.


As mentioned in the previous chapter, the Kubernetes master and worker components need to establish trust before they can communicate. This is achieved by distributing certificates to each component signed by the same certificate authority (CA).

When you add a certificate for your website to enable TLS secured communication, you go to a certificate authority, prove that you own the domain for which you are requesting the certificate and download the certificate from the CA’s website. Or you do a more automated process with a CA like Let’s Encrypt. This option is not practical for the purposes of setting up a Kubernetes cluster. Our goal is not to verify that a browser is connecting to the right server at the right domain. Rather we want to mutually authenticate components. We also don't need a third party to be involved as we have full control over our components which live in a private network. This new use-case for PKI needs some tooling - enter CFSSL, the PKI tool from CloudFlare.

CFSSL is a CLI tool which can act as a standalone CA, generating the root CA certificate and executing certificate signing requests to produce additional certificates signed by that CA. It’s main design goals were not setting up Kubernetes clusters but it works for this purpose perfectly. Operation of the tool is based on JSON formatted configuration files. Each operation has its corresponding configuration file. I find this approach more convenient than passing tons of parameters on the command line (I’m looking at you kubelet).

CFSSL is written in Go so installation either means compiling or downloading a statically compiled binary. Interestingly the tutorial’s instructions are to download binary release 1.2 while the github repo doesn’t even mention this option in the installation instructions. The 1.2 release used by Kelsey is from March 2016 so it looks like Cloudflare stopped bothering with releasing after that point. The project otherwise seems to be getting a healthy amount of attention. I would advise to stick to the 1.2 version for the tutorial but upgrade build the latest source for production usage.


Kubectl is the CLI control tool of Kubernetes - you will use it for starting pods, creating deployments and services, and checking the cluster state. You will be spending a lot of time using this tool so find the time to familiarise yourself with it. I’m using the gcloud, aws and kubectl tools regularly and I find kubectl to be the most user friendly. It can query different objects at once - kubectl get services, pods, deployments, and is also very forgiving on the names of objects you use, you can say pod, pods in plural or po for short without getting a syntax error.

You can install kubectl in a variety of way including your local package manager. You easily wget or curl the binary too. It’s a statically compiled go app so that one binary is all you need. A third way of installing is using gcloud, which you will have to install anyway for the tutorial. gcloud has it’s built in package manager and it always has an up-to-date version of kubectl. This is the most convenient way to have the latest version of kubectl on hand as gcloud will notify you when an update is available. Use gcloud components install kubectlto install.

Kubectl’s configuration lives in ~/.kube/config. This file is loaded by kubectl on every executed command, so any changes will always take effect immediately. You don’t need to edit the file manually as kubectl has commands to make changes to each part. Later chapters of KTHW will have you even create new kubectl config file using kubectl config … commands. The config file contains several contexts which then hold all the information needed to connect to a cluster. If you are working with different clusters or several users for the same cluster you can create a context for each of these. Switch between contexts using kubectl config use-context somecontext.

You can find an exhaustive list of useful commands here: https://kubernetes.io/docs/user-guide/kubectl-cheatsheet/

How can you get the right credentials? Let’s get back to this once you have successfully set up your cluster.

Up next

You are now ready to generate your certificates and embed them in kubectl config files. These will be used by your worker components as well as your local kubectl. Stay tuned for the next chapter on provisioning compute resources.

Leave your Comment