Create kubeconfig for Windows nodes

2 MINUTE READ

Big picture

Create kubeconfig for Windows nodes for manual installations of Calico for Windows.

How to

In a manual installation of Calico for Windows, Calico requires a kubeconfig file to access the API server. This section describes how to find an existing calico-node service account used by Calico on Linux side, and then to export the service account token as a kubeconfig file for Calico to use.

Note: In general, the node kubeconfig as used by kubelet does not have enough permissions to access Calico-specific resources.

Export calico-node service account token as a kubeconfig file

Note: If your Kubernetes version is v1.24.0 or higher, service account token secrets are no longer automatically created. Before continuing, manually create the calico-node service account token:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: calico-node-token
  namespace: calico-system
  annotations:
    kubernetes.io/service-account.name: calico-node
type: kubernetes.io/service-account-token
EOF

Note: if Calico is installed in kube-system, update the namespace in the above command.

To make the kubeconfig file, you’ll need the URL of your Kubernetes API server.

Note: Kubernetes for Windows does not support access to services from the host so you must use the address of your server, not the Kubernetes service IP.

Note: Use namespace kube-system instead of calico-system if your Calico installation is non operator-managed.

Set a variable to the URL of your API server:

$ server=https://<server>:<port>

Then, find the secret containing the service account token for the calico-node service account:

$ kubectl get secret -n calico-system | grep calico-node

Inspect the output and find the name of the token, store it in a variable:

$ name=calico-node-token-xxxxx

Extract the parts of the secret, storing them in variables:

$ ca=$(kubectl get secret/$name -o jsonpath='{.data.ca\.crt}' -n calico-system)

$ token=$(kubectl get secret/$name -o jsonpath='{.data.token}' -n calico-system | base64 --decode)

$ namespace=$(kubectl get secret/$name -o jsonpath='{.data.namespace}' -n calico-system | base64 --decode)

Then, output the file:

cat <<EOF > calico-config
apiVersion: v1
kind: Config
clusters:
- name: kubernetes
  cluster:
    certificate-authority-data: ${ca}
    server: ${server}
contexts:
- name: calico-windows@kubernetes
  context:
    cluster: kubernetes
    namespace: calico-system
    user: calico-windows
current-context: calico-windows@kubernetes
users:
- name: calico-windows
  user:
    token: ${token}
EOF

Copy this config file to the windows node C:\CalicoWindows\calico-kube-config and set the KUBECONFIG environment variable in config.ps1 to point to it.