cristiano ronaldoo:
Hello guys, I am a bit confused between the 2 files here: I can't get the role of kubeconfig for each core component pod,
like what is the diff between:
--kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml

Hasan Alsaedi:
Maybe these k8s docs can help: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/#workflow-when-using-kubeadm-init

Aneek Bera:
The config.yaml file sets kubelet parameters, e.g.:

apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: cgroupfs
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
logging: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
resolvConf: /run/systemd/resolve/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s

Once the cluster info is known, the file bootstrap-kubelet.conf is written, thus allowing kubelet to do TLS bootstrapping.
The TLS bootstrap mechanism uses the shared token to temporarily authenticate with the Kubernetes API server to submit a certificate signing request (CSR) for a locally created key pair.
The request is then automatically approved and the operation completes, saving the ca.crt file and kubelet.conf file to be used by kubelet for joining the cluster, while bootstrap-kubelet.conf is deleted.
The file contents:

apiVersion: v1
clusters:
- cluster:
    server: https://controlplane:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:node:controlplane
  name: system:node:controlplane@kubernetes
current-context: system:node:controlplane@kubernetes
kind: Config
preferences: {}
users:
- name: system:node:controlplane
  user:
    client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
    client-key: /var/lib/kubelet/pki/kubelet-client-current.pem

unnivkn:
Hi @cristiano ronaldoo, good question. This gives me an opportunity to revisit the concepts/architecture.

--kubeconfig=/etc/kubernetes/kubelet.conf

In simple terms,
kubeconfig is used to authenticate (token, nothing but user/pwd in k8s terms) any client to kube-apiserver. In this case kubelet is the client that communicates with our server: kube-apiserver. Let's say you need to do some activities on the k8s cluster; then you act as a client (as an admin user, so your kubeconfig may be: --kubeconfig=~/.kube/config) to kube-apiserver. And your authentication to kube-apiserver will be there in ~/.kube/config (refer to the image).

--config=/var/lib/kubelet/config.yaml

This file is related to kubelet internals; you can see the below image of this file.
E.g.: how kubelet locates the static pod YAMLs to do its operation, cgroupDriver, clusterDNS information etc. needed for its normal functionality.
Hope this helps. :blush:
gopi m:
@cristiano ronaldoo Kubeconfig is like the office ID card you show to get inside (here you show it to kube-apiserver). And once you are in, you use your laptop/toolkit to do the actual work, and that laptop is the second config (it defines what params you use and how you will perform the activities).

cristiano ronaldoo:
Thanks all, your answers were great, especially @unnivkn. Thank you.