
Week 22 - Control Plane and Worker Nodes

22.1 Conceptual Core

  • The control plane: kube-apiserver, kube-scheduler, kube-controller-manager. Run all three as systemd-managed binaries on each control-plane node, behind a load balancer (HAProxy or cloud LB) for HA.
  • The worker plane: containerd + kubelet + kube-proxy (or Cilium's kube-proxy replacement). Joins the cluster via a kubelet kubeconfig signed by the cluster CA.

22.2 Mechanical Detail

  • kube-apiserver flags:
    • `--etcd-servers=https://etcd-{1,2,3}:2379` with mTLS.
    • `--encryption-provider-config=...` for secret encryption-at-rest.
    • `--audit-policy-file=...` and `--audit-log-path=...`.
    • `--authorization-mode=Node,RBAC`.
    • `--enable-admission-plugins=NodeRestriction,PodSecurity,ResourceQuota,...`.
    • `--service-account-issuer`, `--service-account-signing-key-file` for ServiceAccount tokens (projected, OIDC-compatible).
  • kubelet bootstrap: TLS bootstrap using a bootstrap token; kubelet auto-rotates its cert via kubelet-csr-approver.
  • CNI: install Cilium first (DaemonSet); only after Cilium is healthy do worker-node Pods become ready.
  • DNS: install CoreDNS as a Deployment; the kubelet's cluster-DNS arg points at its Service IP.

22.3 Lab: "Cluster Live"

  1. Bring up 3 control-plane nodes; HAProxy in front.
  2. Bring up 3 workers; join via bootstrap tokens.
  3. Install Cilium; verify Pod-to-Pod connectivity.
  4. Install CoreDNS; verify Service DNS works.
  5. Smoke test: deploy a sample app + Service + Ingress; verify end-to-end.

22.4 Hardening Drill

  • Apply CIS Kubernetes Benchmark v1.8 (or current). Use kube-bench to score. Address all FAILs; document WARNs.
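A pre-kube-bench sanity check over a kube-apiserver ExecStart line, covering the 22.2 flag list (etcd over TLS, encryption-at-rest, audit logging, Node,RBAC authorization, the named admission plugins, ServiceAccount token signing). This is an added example, not part of the course material; the two command lines it parses are constructed samples and their file paths are assumptions.

```python
import shlex

# Constructed sample ExecStart lines (assumed layout, not from a real cluster):
# one weak and one that satisfies every point in the 22.2 flag list.
WEAK_EXECSTART = (
    "/usr/local/bin/kube-apiserver "
    "--etcd-servers=http://etcd-1:2379,http://etcd-2:2379,http://etcd-3:2379 "
    "--authorization-mode=RBAC --enable-admission-plugins=ResourceQuota "
    "--audit-log-path=/var/log/kubernetes/audit.log "
    "--service-account-issuer=https://kubernetes.default.svc"
)
HARDENED_EXECSTART = (
    "/usr/local/bin/kube-apiserver "
    "--etcd-servers=https://etcd-1:2379,https://etcd-2:2379,https://etcd-3:2379 "
    "--encryption-provider-config=/etc/kubernetes/encryption-config.yaml "
    "--audit-policy-file=/etc/kubernetes/audit-policy.yaml "
    "--audit-log-path=/var/log/kubernetes/audit.log "
    "--authorization-mode=Node,RBAC "
    "--enable-admission-plugins=NodeRestriction,PodSecurity,ResourceQuota "
    "--service-account-issuer=https://kubernetes.default.svc "
    "--service-account-signing-key-file=/etc/kubernetes/pki/sa.key"
)

# Flags that must be present with a non-empty value.
REQUIRED = ("etcd-servers", "encryption-provider-config", "audit-policy-file",
            "audit-log-path", "service-account-issuer",
            "service-account-signing-key-file")

def parse_flags(cmdline):
    """Turn an ExecStart line into {flag: value}; bare flags map to ''."""
    flags = {}
    for tok in shlex.split(cmdline)[1:]:
        if tok.startswith("--"):
            name, _, value = tok[2:].partition("=")
            flags[name] = value
    return flags

def check_apiserver(flags):
    """Return FAIL findings against the 22.2 flag list; an empty list passes."""
    csv = lambda name: {v for v in flags.get(name, "").split(",") if v}
    findings = [f"FAIL: --{f} is not set" for f in REQUIRED if not flags.get(f)]
    if any(not s.startswith("https://") for s in csv("etcd-servers")):
        findings.append("FAIL: --etcd-servers must use https (mTLS to etcd)")
    for mode in ("Node", "RBAC"):
        if mode not in csv("authorization-mode"):
            findings.append(f"FAIL: --authorization-mode lacks {mode}")
    for plugin in ("NodeRestriction", "PodSecurity", "ResourceQuota"):
        if plugin not in csv("enable-admission-plugins"):
            findings.append(f"FAIL: --enable-admission-plugins lacks {plugin}")
    return findings
```

Run it against the real unit's ExecStart (or `/proc/<pid>/cmdline` of the running apiserver) before the kube-bench pass so the obvious FAILs are gone first; it checks only the flags named in 22.2, not the full benchmark.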

22.5 Operations Slice

  • Wire control-plane components to Prometheus. Define SLOs: apiserver request p99 < 1s, etcd-leader-changes per hour < 1, scheduler queue depth < 100.
