
Step‑by‑Step Kubernetes Cluster Initialization: Host Configuration, CA Certificate Generation, etcd Deployment, and kubectl Setup

This tutorial walks through preparing the hostnames and /etc/hosts entries, generating a root CA and node certificates with cfssl, distributing those certificates, installing and configuring kubectl, creating admin credentials and kubeconfig, and finally deploying an etcd cluster with systemd units on a multi‑node Kubernetes environment.

Practical DevOps Architecture

1. Initialize system environment – Define IP addresses, hostnames and roles for master and worker nodes (e.g., 192.168.20.40 k8s-master1, 192.168.20.42 k8s-node1, etc.). All operations start on k8s-master1 and are later distributed via SSH.

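2. Hostname configuration – Change the hostname:

hostnamectl set-hostname k8s-master1

If DNS does not resolve the name, append the mappings to /etc/hosts using a heredoc, one line per node (the two addresses given in step 1 are shown):

cat >> /etc/hosts <<EOF
192.168.20.40 k8s-master1
192.168.20.42 k8s-node1
EOF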

3. Prepare variable script – Create /k8s/all.sh (contents omitted for brevity) to hold common paths and variables.

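4. Create CA certificates and keys – Install the cfssl tools, then generate the CA configuration (ca-config.json) and CSR (ca-csr.json) files. The ca-config.json below defines a single kubernetes profile whose certificates are valid for 87600h (ten years) and usable for both server and client authentication: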

{
  "signing": {
    "default": { "expiry": "87600h" },
    "profiles": {
      "kubernetes": {
        "usages": ["signing","key encipherment","server auth","client auth"],
        "expiry": "87600h"
      }
    }
  }
}

Generate the CA certificate and key:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

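5. Distribute CA files – Copy ca*.pem and ca-config.json to /etc/kubernetes/cert on every node using a loop over ${NODE_ALL_IPS[@]}, with ssh to create the target directory and scp to copy the files. The ca*.pem glob also matches ca-key.pem, so this step places the CA private key on every node.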

6. Deploy kubectl – Download the Kubernetes client archive, extract it, and copy the kubectl binary to /opt/k8s/bin on all master nodes.

7. Create admin certificate – Write admin-csr.json, then generate the admin cert and key:

cfssl gencert -ca=/opt/k8s/work/ca.pem \
  -ca-key=/opt/k8s/work/ca-key.pem \
  -config=/opt/k8s/work/ca-config.json \
  -profile=kubernetes admin-csr.json | cfssljson -bare admin

8. Build kubeconfig – Set cluster, user, and context information with kubectl config commands, embedding the CA and admin certificates, and select the context as default.

9. Distribute kubeconfig – Copy the generated kubectl.kubeconfig to ~/.kube/config on each master node.

10. Deploy etcd cluster – Download and extract the etcd binaries, distribute them to all etcd nodes, generate etcd certificates (illustrated in the original images), create a systemd unit template for each node (e.g., etcd-192.168.20.42.service), copy the unit files to /etc/systemd/system/etcd.service, and start the services.

Finally, verify etcd status, check the leader node, and confirm listening ports using systemctl status etcd and netstat -tlnp commands.
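Step 5 describes the distribution loop without showing it. The script below is an added example, not code from the original article: it copies the three CA files to each node, restricts ca-key.pem to mode 600, and compares SHA-256 digests so a failed or altered copy is reported per node. The function names, the CERT_SRC and CERT_DST variables, root SSH login and sha256sum on every node are assumptions.

```shell
#!/bin/sh
# Added example: distribute the CA files from step 5 and verify each copy.
# Assumptions (not from the article): root SSH login, sha256sum on every node,
# and the helper/variable names used here.

CERT_SRC="${CERT_SRC:-/opt/k8s/work}"        # work directory used in step 7
CERT_DST="${CERT_DST:-/etc/kubernetes/cert}" # target directory from step 5

# Print the SHA-256 digest of a local file (first field of sha256sum output).
local_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# Copy the CA files to one node, tighten permissions, then compare digests.
# Returns 0 only if every remote file matches the local copy.
push_ca_to_node() {
    ip="$1"
    ssh "root@${ip}" "mkdir -p ${CERT_DST} && chmod 755 ${CERT_DST}" || return 1
    scp -q "${CERT_SRC}/ca.pem" "${CERT_SRC}/ca-key.pem" \
        "${CERT_SRC}/ca-config.json" "root@${ip}:${CERT_DST}/" || return 1
    # The private key is readable by root only; the certificate is public.
    ssh "root@${ip}" "chmod 600 ${CERT_DST}/ca-key.pem && \
        chmod 644 ${CERT_DST}/ca.pem ${CERT_DST}/ca-config.json" || return 1
    for f in ca.pem ca-key.pem ca-config.json; do
        want=$(local_sha256 "${CERT_SRC}/${f}")
        got=$(ssh "root@${ip}" "sha256sum ${CERT_DST}/${f}" | awk '{print $1}')
        [ "$want" = "$got" ] || { echo "MISMATCH ${ip} ${f}" >&2; return 1; }
    done
}

# Loop over all node IPs; the exit status is the number of nodes that failed.
distribute_ca() {
    failed=0
    for ip in "$@"; do
        if push_ca_to_node "$ip"; then
            echo "ok   ${ip}"
        else
            echo "FAIL ${ip}"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage from bash, with the array from /k8s/all.sh: distribute_ca "${NODE_ALL_IPS[@]}"
```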
