Create kubeconfig for Windows nodes


Big picture

Create kubeconfig for Windows nodes.

How to

Because Kubernetes on Windows cannot run Calico in a pod with an auto-provisioned service account, Calico requires a kubeconfig file to access the API server. This section describes how to find the existing calico-node service account used by Calico on the Linux side, and then export the service account token as a kubeconfig file for Calico to use.

Note: In general, the node kubeconfig as used by kubelet does not have enough permissions to access Calico-specific resources.

Export calico-node service account token as a kubeconfig file

To make the kubeconfig file, you’ll need the URL of your Kubernetes API server.

Note: Kubernetes for Windows does not support access to services from the host, so you must use the address of your server, not the Kubernetes service IP.

Set a variable to the URL of your API server:

$ server=https://<server>:<port>

Then, find the secret containing the service account token for the calico-node service account:

$ kubectl get secret -n kube-system | grep calico-node

Inspect the output, find the name of the token, and store it in a variable:

$ name=calico-node-token-xxxxx

Extract the parts of the secret, storing them in variables:

$ ca=$(kubectl get secret/$name -o jsonpath='{.data.ca\.crt}' -n kube-system)

$ token=$(kubectl get secret/$name -o jsonpath='{.data.token}' -n kube-system | base64 --decode)

$ namespace=$(kubectl get secret/$name -o jsonpath='{.data.namespace}' -n kube-system | base64 --decode)

Then, output the file:

cat <<EOF > calico-config
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: calico-windows@kubernetes
  context:
    cluster: kubernetes
    namespace: kube-system
    user: calico-windows
current-context: calico-windows@kubernetes
users:
- name: calico-windows
  user:
    token: ${token}
EOF

Copy this config file to the Windows node as C:\CalicoWindows\calico-kube-config and set the KUBECONFIG environment variable in config.ps1 to point to it.
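Before copying the file, it is worth checking that the variables expanded correctly and that the embedded credential is the one intended. The following is an added example, not part of the original Calico instructions: the function names are hypothetical, and it assumes the secret holds a service account JWT whose `sub` claim is `system:serviceaccount:kube-system:calico-node`.

```shell
#!/bin/sh
# Added example: sanity-check the calico-config file produced by the steps above.
# kubeconfig_field, jwt_payload and check_calico_kubeconfig are hypothetical names.

# Print the value of the first "key: value" line in the file ("" if absent).
kubeconfig_field() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Decode the payload (second segment) of a JWT, which is unpadded base64url.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 --decode 2>/dev/null
}

check_calico_kubeconfig() {
  cfg_file=$1
  [ -f "$cfg_file" ] || { echo "missing file: $cfg_file" >&2; return 1; }

  # The file holds a bearer token: no group/other permission bits allowed.
  cfg_perms=$(ls -l "$cfg_file" | cut -c5-10)
  [ "$cfg_perms" = "------" ] || { echo "file is accessible to group/other" >&2; return 1; }

  cfg_server=$(kubeconfig_field "$cfg_file" server)
  cfg_ca=$(kubeconfig_field "$cfg_file" certificate-authority-data)
  cfg_token=$(kubeconfig_field "$cfg_file" token)

  # An unset shell variable leaves an empty value in the heredoc output.
  [ -n "$cfg_ca" ] || { echo "certificate-authority-data is empty" >&2; return 1; }
  [ -n "$cfg_token" ] || { echo "token is empty" >&2; return 1; }
  case $cfg_server in
    https://*) ;;
    *) echo "server is not an https:// URL" >&2; return 1 ;;
  esac

  # The token must belong to the calico-node service account in kube-system.
  want='"sub":"system:serviceaccount:kube-system:calico-node"'
  case $(jwt_payload "$cfg_token") in
    *"$want"*) ;;
    *) echo "token subject is not kube-system/calico-node" >&2; return 1 ;;
  esac
}
```

Run `chmod 600 calico-config` and then `check_calico_kubeconfig calico-config` on the machine where the file was generated; a non-zero exit status means the file should be regenerated before it is copied to the Windows node.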