kubernetes-the-hard-way/docs/03-compute-resources.md

228 lines
8.5 KiB
Markdown
Raw Normal View History

2017-08-29 00:19:25 +03:00
# Provisioning Compute Resources
2023-08-01 16:48:20 +03:00
Kubernetes requires a set of machines to host the Kubernetes control plane and the worker nodes where containers are ultimately run. In this lab you will provision the compute resources required for running a secure and highly available Kubernetes cluster across a single [compute zone](https://cloud.google.com/compute/docs/regions-zones).
2017-08-29 00:19:25 +03:00
2023-08-01 16:48:20 +03:00
> Ensure a default compute zone and region have been set as described in the [Prerequisites](./01-prerequisites.md#set-a-default-compute-region-and-zone) lab.
2017-08-29 00:19:25 +03:00
## Networking
2023-08-01 16:48:20 +03:00
The Kubernetes [network model](https://kubernetes.io/docs/concepts/services-networking/#the-kubernetes-network-model) assumes a flat network in which containers and nodes can communicate with each other. In cases where this is not desired [network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) can limit how groups of containers are allowed to communicate with each other and external network endpoints.
2017-08-29 00:19:25 +03:00
> Setting up network policies is out of scope for this tutorial.
2023-08-01 16:48:20 +03:00
### Virtual Private Cloud (VPC) Network
2017-08-29 00:19:25 +03:00
2023-08-01 16:48:20 +03:00
In this section a dedicated [VPC network](https://cloud.google.com/vpc/docs/vpc) will be setup to host the Kubernetes cluster.
2017-08-29 00:19:25 +03:00
Create the `kubernetes-the-hard-way` custom VPC network:
```
2017-12-18 17:53:32 +03:00
gcloud compute networks create kubernetes-the-hard-way --subnet-mode custom
2017-08-29 00:19:25 +03:00
```
2023-08-01 16:48:20 +03:00
A [subnet](https://cloud.google.com/vpc/docs/vpc#vpc_networks_and_subnets) must be provisioned with an IP address range large enough to assign a private IP address to each node in the Kubernetes cluster.
2017-08-29 00:19:25 +03:00
Create the `kubernetes` subnet in the `kubernetes-the-hard-way` VPC network:
```
gcloud compute networks subnets create kubernetes \
--network kubernetes-the-hard-way \
--range 10.240.0.0/24
```
> The `10.240.0.0/24` IP address range can host up to 254 compute instances.
### Firewall Rules
Create a firewall rule that allows internal communication across all protocols:
```
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-internal \
--allow tcp,udp,icmp \
--network kubernetes-the-hard-way \
--source-ranges 10.240.0.0/24,10.200.0.0/16
```
Create a firewall rule that allows external SSH, ICMP, and HTTPS:
```
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external \
--allow tcp:22,tcp:6443,icmp \
--network kubernetes-the-hard-way \
--source-ranges 0.0.0.0/0
```
2023-08-01 16:48:20 +03:00
> An [external load balancer](https://cloud.google.com/load-balancing/docs/network) will be used to expose the Kubernetes API Servers to remote clients.
2017-08-29 00:19:25 +03:00
List the firewall rules in the `kubernetes-the-hard-way` VPC network:
```
2023-08-01 16:48:20 +03:00
gcloud compute firewall-rules list --filter network:kubernetes-the-hard-way
2017-08-29 00:19:25 +03:00
```
> output
```
2020-07-18 10:24:55 +03:00
NAME NETWORK DIRECTION PRIORITY ALLOW DENY DISABLED
kubernetes-the-hard-way-allow-external kubernetes-the-hard-way INGRESS 1000 tcp:22,tcp:6443,icmp False
2023-08-01 16:48:20 +03:00
kubernetes-the-hard-way-allow-internal kubernetes-the-hard-way INGRESS 1000 tcp,udp,icmp False
2017-08-29 00:19:25 +03:00
```
### Kubernetes Public IP Address
Allocate a static IP address that will be attached to the external load balancer fronting the Kubernetes API Servers:
```
2023-08-01 16:48:20 +03:00
gcloud compute addresses create kubernetes-the-hard-way
2017-08-29 00:19:25 +03:00
```
Verify the `kubernetes-the-hard-way` static IP address was created in your default compute region:
```
2023-08-01 16:48:20 +03:00
gcloud compute addresses list --filter name=kubernetes-the-hard-way
2017-08-29 00:19:25 +03:00
```
> output
```
2020-07-18 10:24:55 +03:00
NAME ADDRESS/RANGE TYPE PURPOSE NETWORK REGION SUBNET STATUS
2023-08-01 16:48:20 +03:00
kubernetes-the-hard-way XX.XXX.XXX.XXX EXTERNAL us-east1 RESERVED
2017-08-29 00:19:25 +03:00
```
## Compute Instances
2023-08-01 16:48:20 +03:00
The compute instances in this lab will be provisioned using [Ubuntu Server 22.04 LTS](https://ubuntu.com/server), which has good support for the [containerd](https://github.com/containerd/containerd) container runtime. Each compute instance will be provisioned with a fixed private IP address to simplify the Kubernetes bootstrapping process.
2017-08-29 00:19:25 +03:00
### Kubernetes Controllers
Create three compute instances which will host the Kubernetes control plane:
```
for i in 0 1 2; do
2023-08-01 16:48:20 +03:00
gcloud compute instances create "controller-${i}" \
2017-08-29 00:19:25 +03:00
--async \
--boot-disk-size 200GB \
--can-ip-forward \
2023-08-01 16:48:20 +03:00
--image-family ubuntu-2204-lts \
2017-08-29 00:19:25 +03:00
--image-project ubuntu-os-cloud \
2020-07-18 10:24:55 +03:00
--machine-type e2-standard-2 \
2023-08-01 16:48:20 +03:00
--private-network-ip "10.240.0.1${i}" \
2017-08-29 00:19:25 +03:00
--scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring \
--subnet kubernetes \
--tags kubernetes-the-hard-way,controller
done
```
### Kubernetes Workers
Each worker instance requires a pod subnet allocation from the Kubernetes cluster CIDR range. The pod subnet allocation will be used to configure container networking in a later exercise. The `pod-cidr` instance metadata will be used to expose pod subnet allocations to compute instances at runtime.
> The Kubernetes cluster CIDR range is defined by the Controller Manager's `--cluster-cidr` flag. In this tutorial the cluster CIDR range will be set to `10.200.0.0/16`, which supports 254 subnets.
Create three compute instances which will host the Kubernetes worker nodes:
```
for i in 0 1 2; do
2023-08-01 16:48:20 +03:00
gcloud compute instances create "worker-${i}" \
2017-08-29 00:19:25 +03:00
--async \
--boot-disk-size 200GB \
--can-ip-forward \
2023-08-01 16:48:20 +03:00
--image-family ubuntu-2204-lts \
2017-08-29 00:19:25 +03:00
--image-project ubuntu-os-cloud \
2020-07-18 10:24:55 +03:00
--machine-type e2-standard-2 \
2023-08-01 16:48:20 +03:00
--metadata "pod-cidr=10.200.${i}.0/24" \
--private-network-ip "10.240.0.2${i}" \
2017-08-29 00:19:25 +03:00
--scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring \
--subnet kubernetes \
--tags kubernetes-the-hard-way,worker
2017-10-02 06:37:09 +03:00
done
2017-08-29 00:19:25 +03:00
```
### Verification
List the compute instances in your default compute zone:
```
2023-08-01 16:48:20 +03:00
gcloud compute instances list --filter tags.items=kubernetes-the-hard-way
2017-08-29 00:19:25 +03:00
```
> output
```
2023-08-01 16:48:20 +03:00
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS
controller-0 us-east1-d e2-standard-2 10.240.0.10 XX.XXX.XX.XXX RUNNING
controller-1 us-east1-d e2-standard-2 10.240.0.11 XX.XXX.XX.XXX RUNNING
controller-2 us-east1-d e2-standard-2 10.240.0.12 XX.XXX.XX.XX RUNNING
worker-0 us-east1-d e2-standard-2 10.240.0.20 XX.XX.XX.XXX RUNNING
worker-1 us-east1-d e2-standard-2 10.240.0.21 XX.XXX.XXX.XXX RUNNING
worker-2 us-east1-d e2-standard-2 10.240.0.22 XX.XXX.XXX.XX RUNNING
2017-08-29 00:19:25 +03:00
```
## Configuring SSH Access
2023-08-01 16:48:20 +03:00
SSH will be used to configure the controller and worker instances. When connecting to compute instances for the first time SSH keys will be generated for you and stored in the project or instance metadata as described in the [connecting to Linux VMs](https://cloud.google.com/compute/docs/connect/standard-ssh) documentation.
Test SSH access to the `controller-0` compute instances:
```
gcloud compute ssh controller-0
```
If this is your first time connecting to a compute instance SSH keys will be generated for you. Enter a passphrase at the prompt to continue:
```
WARNING: The private SSH key file for gcloud does not exist.
2023-08-01 16:48:20 +03:00
WARNING: The public SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
```
At this point the generated SSH keys will be uploaded and stored in your project:
```
2023-08-01 16:48:20 +03:00
Your identification has been saved in "/home/${USER}/.ssh/google_compute_engine"
Your public key has been saved in "/home/${USER}/.ssh/google_compute_engine.pub"
The key fingerprint is:
2023-08-01 16:48:20 +03:00
SHA256:OvopaMrkGOrbB0u2JMdwDvH6wGQBieKUC+XRAAm07RI "${USER}@${HOSTNAME}"
The key's randomart image is:
2023-08-01 16:48:20 +03:00
+---[RSA 3072]----+
|O*=o |
|**o.. |
|=E*. |
| Boo |
|+.B. S |
| =.O . |
|..O.+ o |
|*.++.o o |
|=B..ooo |
+----[SHA256]-----+
2023-08-01 16:48:20 +03:00
Updating project ssh metadata...Updated ["https://www.googleapis.com/compute/v1/projects/${PROJECT_ID}"].
Updating project ssh metadata...done.
Waiting for SSH key to propagate.
```
After the SSH keys have been updated you'll be logged into the `controller-0` instance:
```
2023-08-01 16:48:20 +03:00
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.19.0-1027-gcp x86_64)
...
```
Type `exit` at the prompt to exit the `controller-0` compute instance:
```
2023-08-01 16:48:20 +03:00
exit
```
2023-08-01 16:48:20 +03:00
> output
```
logout
2023-08-01 16:48:20 +03:00
Connection to XX.XXX.XX.XXX closed.
```
2023-08-01 16:48:20 +03:00
Next: [Provisioning a CA and Generating TLS Certificates](./04-certificate-authority.md)