Running Krustlet on MicroK8s
These are steps for running Krustlet node(s) and MicroK8s on the same machine.
You will require a running MicroK8s cluster for this guide. The steps below
assume you will run MicroK8s and the Krustlet, on a single machine.
required but is installed with MicroK8s as
microk8s.kubectl. The following
microk8s.kubectl for simplicity. You may use a standlone
kubectl if you prefer.
In order for the bootstrap authentication token to work, your kube-apiserver
needs to have the
--enable-bootstrap-token-auth feature flag enabled. See
for more information.
To verify you have the bootstrap authentication feature enabled, check the process args:
$ ps -ef | grep kube-apiserver | grep "enable-bootstrap-token-auth"
If it doesn’t show up and you installed using
snap, you can find the startup
/var/snap/microk8s/current/args/kube-apiserver and add the flag.
Now you need to restart the kube-apiserver with the command:
$ systemctl restart snap.microk8s.daemon-apiserver
Step 1: Get a bootstrap config
Krustlet requires a bootstrap token and config the first time it runs. Follow
the guide here to generate a bootstrap config and then
return to this document. This will If you already have a kubeconfig available
that you generated through another process, you can proceed to the next step.
However, the credentials Krustlet uses must be part of the
in order for things to function properly.
NOTE You should now have a file
Step 2: Install and configure Krustlet
Install the latest release of Krustlet following the install guide.
Let’s use the built in
$ KUBECONFIG=~/.krustlet/config/kubeconfig \
NOTE: To avoid the Krustlet using your default Kubernetes credentials (
~/.kube/config), it is a good idea to override the default value here using
KUBECONFIG. For bootstrapping,
KUBECONFIGmust point to a non-existent file (!). Bootstrapping will write a new configuration file to this location for you. NOTE: If you receive an error that the CSR already exists, you may safely delete the existing CSR (
kubectl delete csr <hostname>-tls) and try again.
Step 2a: Approving the serving CSR
Once you have started Krustlet, there is one more manual step (though this could
be automated depending on your setup) to perform. The client certs Krustlet
needs are generally approved automatically by the API. However, the serving
certs require manual approval. To do this, you’ll need the hostname you
specified for the
--hostname flag or the output of
hostname if you didn’t
specify anything. From another terminal that’s configured to access the cluster,
$ microk8s.kubectl certificate approve <hostname>-tls
NOTE: You will only need to do this approval step the first time Krustlet starts. It will generate and save all of the needed credentials to your machine
Step 3: Test that things work
Now you can see things work! Feel free to give any of the demos a try in another terminal like so:
$ microk8s.kubectl apply --filename=https://raw.githubusercontent.com/krustlet/krustlet/main/demos/wasi/hello-world-rust/k8s.yaml
$ microk8s.kubectl logs pod/hello-world-wasi-rust
hello from stdout!
hello from stderr!
Args are: 
Bacon ipsum dolor amet chuck turducken porchetta, tri-tip spare ribs t-bone ham hock. Meatloaf
pork belly leberkas, ham beef pig corned beef boudin ground round meatball alcatra jerky.
Pancetta brisket pastrami, flank pork chop ball tip short loin burgdoggen. Tri-tip kevin
shoulder cow andouille. Prosciutto chislic cupim, short ribs venison jerky beef ribs ham hock
short loin fatback. Bresaola meatloaf capicola pancetta, prosciutto chicken landjaeger andouille
swine kielbasa drumstick cupim tenderloin chuck shank. Flank jowl leberkas turducken ham tongue
beef ribs shankle meatloaf drumstick pork t-bone frankfurter tri-tip.