mirrors
/
kubernetes-the-hard-way
mirror of https://github.com/kelseyhightower/kubernetes-the-hard-way
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Update to Kubernetes 1.32.3

pull/855/head
Kelsey Hightower 2025-04-06 10:33:17 -07:00
parent 0191f7f7c3
commit 0a6733ff25
14 changed files with 88 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ca.conf
View File

@ -124,7 +124,7 @@ extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Kube Controller Manager Certificate"
subjectAltName = DNS:kube-proxy, IP:127.0.0.1
subjectAltName = DNS:kube-controller-manager, IP:127.0.0.1
subjectKeyIdentifier = hash
[kube-controller-manager_distinguished_name]
@ -175,7 +175,7 @@ basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Kube Scheduler Certificate"
nsComment = "Kube API Server Certificate"
subjectAltName = @kube-api-server_alt_names
subjectKeyIdentifier = hash
@ -203,4 +203,4 @@ extendedKeyUsage = clientAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "Admin Client Certificate"
subjectKeyIdentifier = hash
subjectKeyIdentifier = hash

4
configs/encryption-config.yaml
View File

@ -1,5 +1,5 @@
kind: EncryptionConfig
apiVersion: v1
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
resources:
- resources:
- secrets

6
configs/kubelet-config.yaml
View File

@ -10,17 +10,13 @@ authentication:
clientCAFile: "/var/lib/kubelet/ca.crt"
authorization:
mode: Webhook
clusterDomain: "cluster.local"
clusterDNS:
- "10.32.0.10"
cgroupDriver: systemd
containerRuntimeEndpoint: "unix:///var/run/containerd/containerd.sock"
enableServer: true
failSwapOn: false
maxPods: 16
memorySwap:
swapBehavior: LimitedSwap
podCIDR: "SUBNET"
swapBehavior: NoSwap
port: 10250
resolvConf: "/etc/resolv.conf"
registerNode: true

4
docs/01-prerequisites.md
View File

@ -4,7 +4,7 @@ In this lab you will review the machine requirements necessary to follow this tu
## Virtual or Physical Machines
This tutorial requires four (4) virtual or physical ARM64 machines running Debian 12 (bookworm). The following table list the four machines and their CPU, memory, and storage requirements.
This tutorial requires four (4) virtual or physical ARM64 machines running Debian 12 (bookworm). The following table lists the four machines and their CPU, memory, and storage requirements.
| Name | Description | CPU | RAM | Storage |
|---------|------------------------|-----|-------|---------|
@ -25,6 +25,6 @@ After running the `uname` command you should see the following output:
#1 SMP Debian 6.1.115-1 (2024-11-01) aarch64 GNU/Linux
```
You maybe surprised to see `aarch64` here, but that is the official name for the Arm Architecture 64-bit instruction set. You will often see `arm64` used by Apple, and the maintainers of the Linux kernel, when referring to support for `aarch64`. This tutorial will use `arm64` consistently throughout to avoid confusion.
You may be surprised to see `aarch64` here, but that is the official name for the Arm Architecture 64-bit instruction set. You will often see `arm64` used by Apple, and the maintainers of the Linux kernel, when referring to support for `aarch64`. This tutorial will use `arm64` consistently throughout to avoid confusion.
Next: [setting-up-the-jumpbox](02-jumpbox.md)

7
docs/02-jumpbox.md
View File

@ -17,7 +17,10 @@ All commands will be run as the `root` user. This is being done for the sake of
Now that you are logged into the `jumpbox` machine as the `root` user, you will install the command line utilities that will be used to preform various tasks throughout the tutorial.
```bash
apt-get -y install wget curl vim openssl git
{
apt-get update
apt-get -y install wget curl vim openssl git
}
```
### Sync GitHub Repository
@ -68,7 +71,7 @@ wget -q --show-progress \
Depending on your internet connection speed it may take a while to download over `500` megabytes of binaries, and once the download is complete, you can list them using the `ls` command:
```bash
ls -loh downloads
ls -oh downloads
```
```text

6
docs/03-compute-resources.md
View File

@ -44,7 +44,7 @@ Edit the `/etc/ssh/sshd_config` SSH daemon configuration file and set the `Permi
```bash
sed -i \
's/^#PermitRootLogin.*/PermitRootLogin yes/' \
's/^#*PermitRootLogin.*/PermitRootLogin yes/' \
/etc/ssh/sshd_config
```
@ -105,7 +105,7 @@ Set the hostname on each machine listed in the `machines.txt` file:
```bash
while read IP FQDN HOST SUBNET; do
CMD="sed -i 's/^127.0.1.1.*/127.0.1.1\t${FQDN} ${HOST}/' /etc/hosts"
CMD="sed -i 's/^127.0.0.1.*/127.0.0.1\t${FQDN} ${HOST} localhost/' /etc/hosts"
ssh -n root@${IP} "$CMD"
ssh -n root@${IP} hostnamectl hostname ${HOST}
done < machines.txt
@ -218,6 +218,6 @@ while read IP FQDN HOST SUBNET; do
done < machines.txt
```
At this point hostnames can be used when connecting to machines from your `jumpbox` machine, or any of the three machines in the Kubernetes cluster. Instead of using IP addresses you can now connect to machines using a hostname such as `server`, `node-0`, or `node-1`.
At this point, hostnames can be used when connecting to machines from your `jumpbox` machine, or any of the three machines in the Kubernetes cluster. Instead of using IP addresses you can now connect to machines using a hostname such as `server`, `node-0`, or `node-1`.
Next: [Provisioning a CA and Generating TLS Certificates](04-certificate-authority.md)

22
docs/04-certificate-authority.md
View File

@ -4,7 +4,7 @@ In this lab you will provision a [PKI Infrastructure](https://en.wikipedia.org/w
## Certificate Authority
In this section you will provision a Certificate Authority that can be used to generate additional TLS certificates for the other Kubernetes components. Setting up CA and generating certificates using `openssl` can be time-consuming, especially when doing it for the first time. To streamline this lab, I've included an openssl configuration file `ca.conf`, which defines all the details needed to generate certificates for each Kubernetes component.
In this section you will provision a Certificate Authority that can be used to generate additional TLS certificates for the other Kubernetes components. Setting up CA and generating certificates using `openssl` can be time-consuming, especially when doing it for the first time. To streamline this lab, I've included an openssl configuration file `ca.conf`, which defines all the details needed to generate certificates for each Kubernetes component.
Take a moment to review the `ca.conf` configuration file:
@ -57,7 +57,7 @@ for i in ${certs[*]}; do
openssl req -new -key "${i}.key" -sha256 \
-config "ca.conf" -section ${i} \
-out "${i}.csr"
openssl x509 -req -days 3653 -in "${i}.csr" \
-copy_extensions copyall \
-sha256 -CA "ca.crt" \
@ -81,15 +81,15 @@ Copy the appropriate certificates and private keys to the `node-0` and `node-1`
```bash
for host in node-0 node-1; do
ssh root@$host mkdir /var/lib/kubelet/
scp ca.crt root@$host:/var/lib/kubelet/
scp $host.crt \
root@$host:/var/lib/kubelet/kubelet.crt
scp $host.key \
root@$host:/var/lib/kubelet/kubelet.key
ssh root@${host} mkdir /var/lib/kubelet/
scp ca.crt root@${host}:/var/lib/kubelet/
scp ${host}.crt \
root@${host}:/var/lib/kubelet/kubelet.crt
scp ${host}.key \
root@${host}:/var/lib/kubelet/kubelet.key
done
```

14
docs/05-kubernetes-configuration-files.md
View File

@ -8,11 +8,11 @@ In this section you will generate kubeconfig files for the `kubelet` and the `ad
### The kubelet Kubernetes Configuration File
When generating kubeconfig files for Kubelets the client certificate matching the Kubelet's node name must be used. This will ensure Kubelets are properly authorized by the Kubernetes [Node Authorizer](https://kubernetes.io/docs/admin/authorization/node/).
When generating kubeconfig files for Kubelets the client certificate matching the Kubelet's node name must be used. This will ensure Kubelets are properly authorized by the Kubernetes [Node Authorizer](https://kubernetes.io/docs/reference/access-authn-authz/node/).
> The following commands must be run in the same directory used to generate the SSL certificates during the [Generating TLS Certificates](04-certificate-authority.md) lab.
Generate a kubeconfig file for the node-0 worker node:
Generate a kubeconfig file for the `node-0` and `node-1` worker nodes:
```bash
for host in node-0 node-1; do
@ -184,21 +184,21 @@ admin.kubeconfig
## Distribute the Kubernetes Configuration Files
Copy the `kubelet` and `kube-proxy` kubeconfig files to the node-0 instance:
Copy the `kubelet` and `kube-proxy` kubeconfig files to the `node-0` and `node-1` machines:
```bash
for host in node-0 node-1; do
ssh root@$host "mkdir -p /var/lib/{kube-proxy,kubelet}"
ssh root@${host} "mkdir -p /var/lib/{kube-proxy,kubelet}"
scp kube-proxy.kubeconfig \
root@$host:/var/lib/kube-proxy/kubeconfig \
root@${host}:/var/lib/kube-proxy/kubeconfig \
scp ${host}.kubeconfig \
root@$host:/var/lib/kubelet/kubeconfig
root@${host}:/var/lib/kubelet/kubeconfig
done
```
Copy the `kube-controller-manager` and `kube-scheduler` kubeconfig files to the controller instance:
Copy the `kube-controller-manager` and `kube-scheduler` kubeconfig files to the `server` machine:
```bash
scp admin.kubeconfig \

2
docs/07-bootstrapping-etcd.md
View File

@ -4,7 +4,7 @@ Kubernetes components are stateless and store cluster state in [etcd](https://gi
## Prerequisites
Copy `etcd` binaries and systemd unit files to the `server` instance:
Copy `etcd` binaries and systemd unit files to the `server` machine:
```bash
scp \

6
docs/08-bootstrapping-kubernetes-controllers.md
View File

@ -138,7 +138,7 @@ Kubernetes control plane is running at https://127.0.0.1:6443
In this section you will configure RBAC permissions to allow the Kubernetes API Server to access the Kubelet API on each worker node. Access to the Kubelet API is required for retrieving metrics, logs, and executing commands in pods.
> This tutorial sets the Kubelet `--authorization-mode` flag to `Webhook`. Webhook mode uses the [SubjectAccessReview](https://kubernetes.io/docs/admin/authorization/#checking-api-access) API to determine authorization.
> This tutorial sets the Kubelet `--authorization-mode` flag to `Webhook`. Webhook mode uses the [SubjectAccessReview](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access) API to determine authorization.
The commands in this section will affect the entire cluster and only need to be run on the `server` machine.
@ -146,7 +146,7 @@ The commands in this section will affect the entire cluster and only need to be
ssh root@server
```
Create the `system:kube-apiserver-to-kubelet` [ClusterRole](https://kubernetes.io/docs/admin/authorization/rbac/#role-and-clusterrole) with permissions to access the Kubelet API and perform most common tasks associated with managing pods:
Create the `system:kube-apiserver-to-kubelet` [ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) with permissions to access the Kubelet API and perform most common tasks associated with managing pods:
```bash
kubectl apply -f kube-apiserver-to-kubelet.yaml \
@ -160,7 +160,7 @@ At this point the Kubernetes control plane is up and running. Run the following
Make a HTTP request for the Kubernetes version info:
```bash
curl -k --cacert ca.crt https://server.kubernetes.local:6443/version
curl -k https://server.kubernetes.local:6443/version
```
```text

25
docs/09-bootstrapping-kubernetes-workers.md
View File

@ -1,6 +1,6 @@
# Bootstrapping the Kubernetes Worker Nodes
In this lab you will bootstrap two Kubernetes worker nodes. The following components will be installed: [runc](https://github.com/opencontainers/runc), [container networking plugins](https://github.com/containernetworking/cni), [containerd](https://github.com/containerd/containerd), [kubelet](https://kubernetes.io/docs/admin/kubelet), and [kube-proxy](https://kubernetes.io/docs/concepts/cluster-administration/proxies).
In this lab you will bootstrap two Kubernetes worker nodes. The following components will be installed: [runc](https://github.com/opencontainers/runc), [container networking plugins](https://github.com/containernetworking/cni), [containerd](https://github.com/containerd/containerd), [kubelet](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet), and [kube-proxy](https://kubernetes.io/docs/concepts/cluster-administration/proxies).
## Prerequisites
@ -34,7 +34,6 @@ for host in node-0 node-1; do
downloads/kube-proxy \
configs/99-loopback.conf \
configs/containerd-config.toml \
configs/kubelet-config.yaml \
configs/kube-proxy-config.yaml \
units/containerd.service \
units/kubelet.service \
@ -56,12 +55,30 @@ Install the OS dependencies:
```bash
{
apt-get update
apt-get -y install socat conntrack ipset
apt-get -y install socat conntrack ipset kmod
}
```
> The socat binary enables support for the `kubectl port-forward` command.
Disable Swap
Kubernetes has limited support for the use of swap memory, as it is difficult to provide guarantees and account for pod memory utilization when swap is involved.
Verify if swap is disabled:
```bash
swapon --show
```
If output is empty then swap is disabled. If swap is enabled run the following command to disable swap immediately:
```bash
swapoff -a
```
> To ensure swap remains off after reboot consult your Linux distro documentation.
Create the installation directories:
```bash
@ -143,7 +160,7 @@ Be sure to complete the steps in this section on each worker node, `node-0` and
## Verification
The compute instances created in this tutorial will not have permission to complete this section. Run the following commands from the `jumpbox` machine.
Run the following commands from the `jumpbox` machine.
List the registered Kubernetes nodes:

8
docs/10-configuring-kubectl.md
View File

@ -8,10 +8,10 @@ In this lab you will generate a kubeconfig file for the `kubectl` command line u
Each kubeconfig requires a Kubernetes API Server to connect to.
You should be able to ping `server.kubernetes.local` based on the `/etc/hosts` DNS entry from a previous lap.
You should be able to ping `server.kubernetes.local` based on the `/etc/hosts` DNS entry from a previous lab.
```bash
curl -k --cacert ca.crt \
curl -k \
https://server.kubernetes.local:6443/version
```
@ -74,8 +74,8 @@ kubectl get nodes
```
NAME STATUS ROLES AGE VERSION
node-0 Ready <none> 30m v1.32.3
node-1 Ready <none> 30m v1.32.3
node-0 Ready <none> 10m v1.32.3
node-1 Ready <none> 10m v1.32.3
```
Next: [Provisioning Pod Network Routes](11-pod-network-routes.md)

44
docs/12-smoke-test.md
View File

@ -25,24 +25,24 @@ ssh root@server \
00000010 73 2f 64 65 66 61 75 6c 74 2f 6b 75 62 65 72 6e |s/default/kubern|
00000020 65 74 65 73 2d 74 68 65 2d 68 61 72 64 2d 77 61 |etes-the-hard-wa|
00000030 79 0a 6b 38 73 3a 65 6e 63 3a 61 65 73 63 62 63 |y.k8s:enc:aescbc|
00000040 3a 76 31 3a 6b 65 79 31 3a 5e 47 79 cf 90 88 5c |:v1:key1:^Gy...\|
00000050 29 69 62 5c ad 76 07 ce 6e 9a 60 8c 7c 5b c9 8d |)ib\.v..n.`.|[..|
00000060 8c 29 5f dc b1 71 0f 3b b4 db d0 92 47 9e ea 64 |.)_..q.;....G..d|
00000070 78 12 03 f8 b1 21 9c f9 21 19 0b d0 03 9c ca 09 |x....!..!.......|
00000080 94 54 50 2f 0e d2 99 bd 38 fa d1 88 c0 0a 93 84 |.TP/....8.......|
00000090 f0 5b c3 ce ca 8c b9 23 4a 49 52 37 20 30 55 71 |.[.....#JIR7 0Uq|
000000a0 4d 9b 58 dd 95 83 34 7c 03 fa 66 f5 e7 24 26 99 |M.X...4|..f..$&.|
000000b0 ba f5 f3 6c 5f f7 19 5f 0e 60 8d 68 9e d3 f0 ca |...l_.._.`.h....|
000000c0 4e cc 11 2e 45 ae 9e 41 3d f1 4b 2e 89 e5 05 81 |N...E..A=.K.....|
000000d0 8e 2e 40 78 72 d5 f9 63 9c e8 cc 65 a8 34 9a 41 |..@xr..c...e.4.A|
000000e0 f4 5b f6 9a ba b2 c2 8c 7b b5 d6 04 2a ad 79 c1 |.[......{...*.y.|
000000f0 71 9c e8 34 17 90 07 70 f4 18 a9 fd 80 3d 18 30 |q..4...p.....=.0|
00000100 1d 07 cb 35 e9 fd 44 ba cb 28 15 1e 51 3b 29 75 |...5..D..(..Q;)u|
00000110 b9 ff 16 df d1 7b 91 b9 75 4d f8 c4 26 2e 0c f9 |.....{..uM..&...|
00000120 84 02 5e 52 a3 f5 da bd d5 22 0e 9c 1a 87 47 89 |..^R....."....G.|
00000130 20 11 ac ce d0 c6 98 2a 96 e9 33 c5 26 b3 ec 55 | ......*..3.&..U|
00000140 f6 30 d5 5c 73 29 ca c8 8d af ab 4b fc 73 fc 11 |.0.\s).....K.s..|
00000150 c0 71 eb 20 3c 95 f9 74 61 0a |.q. <..ta.|
00000040 3a 76 31 3a 6b 65 79 31 3a 4f 1b 80 d8 89 72 f4 |:v1:key1:O....r.|
00000050 60 8a 2c a0 76 1a e1 dc 98 d6 00 7a a4 2f f3 92 |`.,.v......z./..|
00000060 87 63 c9 22 f4 58 c8 27 b9 ff 2c 2e 1a b6 55 be |.c.".X.'..,...U.|
00000070 d5 5c 4d 69 82 2f b7 e4 b3 b0 12 e1 58 c4 9c 77 |.\Mi./......X..w|
00000080 78 0c 1a 90 c9 c1 23 6c 73 8e 6e fd 8e 9c 3d 84 |x.....#ls.n...=.|
00000090 7d bf 69 81 ce c9 aa 38 be 3b dd 66 aa a3 33 27 |}.i....8.;.f..3'|
000000a0 df be 6d ac 1c 6d 8a 82 df b3 19 da 0f 93 94 1e |..m..m..........|
000000b0 e0 7d 46 8d b5 14 d0 c5 97 e2 94 76 26 a8 cb 33 |.}F........v&..3|
000000c0 57 2a d0 27 a6 5a e1 76 a7 3f f0 b7 0a 7b ff 53 |W*.'.Z.v.?...{.S|
000000d0 cf c9 1a 18 5b 45 f8 b1 06 3b a9 45 02 76 23 61 |....[E...;.E.v#a|
000000e0 5e dc 86 cf 8e a4 d3 c9 5c 6a 6f e6 33 7b 5b 8f |^.......\jo.3{[.|
000000f0 fb 8a 14 74 58 f9 49 2f 97 98 cc 5c d4 4a 10 1a |...tX.I/...\.J..|
00000100 64 0a 79 21 68 a0 9e 7a 03 b7 19 e6 20 e4 1b ce |d.y!h..z.... ...|
00000110 91 64 ce 90 d9 4f 86 ca fb 45 2f d6 56 93 68 e1 |.d...O...E/.V.h.|
00000120 0b aa 8c a0 20 a6 97 fa a1 de 07 6d 5b 4c 02 96 |.... ......m[L..|
00000130 31 70 20 83 16 f9 0a 22 5c 63 ad f1 ea 41 a7 1e |1p ...."\c...A..|
00000140 29 1a d4 a4 e9 d7 0c 04 74 66 04 6d 73 d8 2e 3f |).......tf.ms..?|
00000150 f0 b9 2f 77 bd 07 d7 7c 42 0a |../w...|B.|
0000015a
```
@ -168,12 +168,18 @@ NODE_PORT=$(kubectl get svc nginx \
--output=jsonpath='{range .spec.ports[0]}{.nodePort}')
```
Retrieve the hostname of the node running the `nginx` pod:
```bash
NODE_NAME=$(kubectl get pods \
-l app=nginx \
-o jsonpath="{.items[0].spec.nodeName}")
```
Make an HTTP request using the IP address and the `nginx` node port:
```bash
curl -I http://node-0:${NODE_PORT}
curl -I http://${NODE_NAME}:${NODE_PORT}
```
```text

2
units/kube-apiserver.service
View File

@ -5,7 +5,6 @@ Documentation=https://github.com/kubernetes/kubernetes
[Service]
ExecStart=/usr/local/bin/kube-apiserver \
--allow-privileged=true \
--apiserver-count=1 \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
@ -24,7 +23,6 @@ ExecStart=/usr/local/bin/kube-apiserver \
--service-account-key-file=/var/lib/kubernetes/service-accounts.crt \
--service-account-signing-key-file=/var/lib/kubernetes/service-accounts.key \
--service-account-issuer=https://server.kubernetes.local:6443 \
--service-cluster-ip-range=10.32.0.0/24 \
--service-node-port-range=30000-32767 \
--tls-cert-file=/var/lib/kubernetes/kube-api-server.crt \
--tls-private-key-file=/var/lib/kubernetes/kube-api-server.key \