adding commands/scripts for windows
Signed-off-by: Mike Stevenson <Mike.Stevenson@us.logicalis.com>

pull/252/head
parent e8d728d016
commit 4d187fa038
@ -44,6 +44,21 @@ sudo mv cfssl_linux-amd64 /usr/local/bin/cfssl
|
||||||
sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
|
sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Windows
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-WebRequest -Uri https://pkg.cfssl.org/R1.2/cfssl_windows-amd64.exe -OutFile cfssl.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-WebRequest -Uri https://pkg.cfssl.org/R1.2/cfssljson_windows-amd64.exe -OutFile cfssljson.exe
|
||||||
|
```
|
||||||
|
|
||||||
|
Add the current directory to the path (this will not persist between sessions):
|
||||||
|
```
|
||||||
|
$env:Path += ";$(Get-Location)"
|
||||||
|
```
|
||||||
|
|
||||||
### Verification
|
### Verification
|
||||||
|
|
||||||
Verify `cfssl` version 1.2.0 or higher is installed:
|
Verify `cfssl` version 1.2.0 or higher is installed:
|
||||||
|
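Review bot: `$env:Path += ";$(Get-Location)"` puts whatever directory the reader happens to be in on the executable search path for the session, so any `.exe` later dropped into that folder becomes callable by bare name. Prefer moving `cfssl.exe` and `cfssljson.exe` into a dedicated tools directory and appending that fixed path instead; that is also the closer Windows equivalent of the `sudo mv ... /usr/local/bin/cfssl` step in the Linux context above. The two `Invoke-WebRequest` lines fetch the binaries with no integrity check, so a `Get-FileHash` comparison against a published checksum would be worth adding alongside them if one is available.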
@ -94,6 +109,12 @@ chmod +x kubectl
|
||||||
sudo mv kubectl /usr/local/bin/
|
sudo mv kubectl /usr/local/bin/
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Windows
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-WebRequest -Uri https://storage.googleapis.com/kubernetes-release/release/v1.8.0/bin/windows/amd64/kubectl.exe -OutFile kubectl.exe
|
||||||
|
```
|
||||||
|
|
||||||
### Verification
|
### Verification
|
||||||
|
|
||||||
Verify `kubectl` version 1.8.0 or higher is installed:
|
Verify `kubectl` version 1.8.0 or higher is installed:
|
||||||
|
|
|
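Review bot: the `Verify kubectl version 1.8.0 or higher is installed` step that closes this hunk only works on Windows if the reader already ran the `$env:Path += ";$(Get-Location)"` line from the cfssl section and downloaded `kubectl.exe` into that same directory, because PowerShell does not resolve executables in the current directory by bare name. Either repeat the path step here, state the dependency, or show the Windows verification command as `.\kubectl.exe version`.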
@ -24,18 +24,29 @@ A [subnet](https://cloud.google.com/compute/docs/vpc/#vpc_networks_and_subnets)
|
||||||
|
|
||||||
Create the `kubernetes` subnet in the `kubernetes-the-hard-way` VPC network:
|
Create the `kubernetes` subnet in the `kubernetes-the-hard-way` VPC network:
|
||||||
|
|
||||||
|
##### Linux & OS X
|
||||||
```
|
```
|
||||||
gcloud compute networks subnets create kubernetes \
|
gcloud compute networks subnets create kubernetes \
|
||||||
--network kubernetes-the-hard-way \
|
--network kubernetes-the-hard-way \
|
||||||
--range 10.240.0.0/24
|
--range 10.240.0.0/24
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
|
||||||
|
```
|
||||||
|
gcloud compute networks subnets create kubernetes `
|
||||||
|
--network kubernetes-the-hard-way `
|
||||||
|
--range 10.240.0.0/24
|
||||||
|
```
|
||||||
|
|
||||||
> The `10.240.0.0/24` IP address range can host up to 254 compute instances.
|
> The `10.240.0.0/24` IP address range can host up to 254 compute instances.
|
||||||
|
|
||||||
### Firewall Rules
|
### Firewall Rules
|
||||||
|
|
||||||
Create a firewall rule that allows internal communication across all protocols:
|
Create a firewall rule that allows internal communication across all protocols:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
|
|
||||||
```
|
```
|
||||||
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-internal \
|
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-internal \
|
||||||
--allow tcp,udp,icmp \
|
--allow tcp,udp,icmp \
|
||||||
|
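Review bot: the new `##### Linux & OS X` heading (five `#`) under `Create the kubernetes subnet` is one level deeper than the `#### Windows` heading that follows it and than the `#### Linux & OS X` headings used in the Firewall Rules section and the rest of this patch; change it to `####` so the two platform variants render as sibling headings.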
@ -43,8 +54,19 @@ gcloud compute firewall-rules create kubernetes-the-hard-way-allow-internal \
|
||||||
--source-ranges 10.240.0.0/24,10.200.0.0/16
|
--source-ranges 10.240.0.0/24,10.200.0.0/16
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
|
||||||
|
```
|
||||||
|
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-internal `
|
||||||
|
--allow tcp,udp,icmp `
|
||||||
|
--network kubernetes-the-hard-way `
|
||||||
|
--source-ranges 10.240.0.0/24,10.200.0.0/16
|
||||||
|
```
|
||||||
|
|
||||||
Create a firewall rule that allows external SSH, ICMP, and HTTPS:
|
Create a firewall rule that allows external SSH, ICMP, and HTTPS:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
|
|
||||||
```
|
```
|
||||||
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external \
|
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external \
|
||||||
--allow tcp:22,tcp:6443,icmp \
|
--allow tcp:22,tcp:6443,icmp \
|
||||||
|
@ -52,6 +74,15 @@ gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external \
|
||||||
--source-ranges 0.0.0.0/0
|
--source-ranges 0.0.0.0/0
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
|
||||||
|
```
|
||||||
|
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external `
|
||||||
|
--allow tcp:22,tcp:6443,icmp `
|
||||||
|
--network kubernetes-the-hard-way `
|
||||||
|
--source-ranges 0.0.0.0/0
|
||||||
|
```
|
||||||
|
|
||||||
> An [external load balancer](https://cloud.google.com/compute/docs/load-balancing/network/) will be used to expose the Kubernetes API Servers to remote clients.
|
> An [external load balancer](https://cloud.google.com/compute/docs/load-balancing/network/) will be used to expose the Kubernetes API Servers to remote clients.
|
||||||
|
|
||||||
List the firewall rules in the `kubernetes-the-hard-way` VPC network:
|
List the firewall rules in the `kubernetes-the-hard-way` VPC network:
|
||||||
|
@ -72,11 +103,20 @@ kubernetes-the-hard-way-allow-internal kubernetes-the-hard-way INGRESS
|
||||||
|
|
||||||
Allocate a static IP address that will be attached to the external load balancer fronting the Kubernetes API Servers:
|
Allocate a static IP address that will be attached to the external load balancer fronting the Kubernetes API Servers:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
|
|
||||||
```
|
```
|
||||||
gcloud compute addresses create kubernetes-the-hard-way \
|
gcloud compute addresses create kubernetes-the-hard-way \
|
||||||
--region $(gcloud config get-value compute/region)
|
--region $(gcloud config get-value compute/region)
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
|
||||||
|
```
|
||||||
|
gcloud compute addresses create kubernetes-the-hard-way `
|
||||||
|
--region $(gcloud config get-value compute/region)
|
||||||
|
```
|
||||||
|
|
||||||
Verify the `kubernetes-the-hard-way` static IP address was created in your default compute region:
|
Verify the `kubernetes-the-hard-way` static IP address was created in your default compute region:
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -98,6 +138,8 @@ The compute instances in this lab will be provisioned using [Ubuntu Server](http
|
||||||
|
|
||||||
Create three compute instances which will host the Kubernetes control plane:
|
Create three compute instances which will host the Kubernetes control plane:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
|
|
||||||
```
|
```
|
||||||
for i in 0 1 2; do
|
for i in 0 1 2; do
|
||||||
gcloud compute instances create controller-${i} \
|
gcloud compute instances create controller-${i} \
|
||||||
|
@ -114,6 +156,24 @@ for i in 0 1 2; do
|
||||||
done
|
done
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
|
||||||
|
```
|
||||||
|
@(0,1,2) | ForEach-Object {
|
||||||
|
gcloud compute instances create controller-$_ `
|
||||||
|
--async `
|
||||||
|
--boot-disk-size 200GB `
|
||||||
|
--can-ip-forward `
|
||||||
|
--image-family ubuntu-1604-lts `
|
||||||
|
--image-project ubuntu-os-cloud `
|
||||||
|
--machine-type n1-standard-1 `
|
||||||
|
--private-network-ip 10.240.0.1$_ `
|
||||||
|
--scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring `
|
||||||
|
--subnet kubernetes `
|
||||||
|
--tags kubernetes-the-hard-way,controller
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
### Kubernetes Workers
|
### Kubernetes Workers
|
||||||
|
|
||||||
Each worker instance requires a pod subnet allocation from the Kubernetes cluster CIDR range. The pod subnet allocation will be used to configure container networking in a later exercise. The `pod-cidr` instance metadata will be used to expose pod subnet allocations to compute instances at runtime.
|
Each worker instance requires a pod subnet allocation from the Kubernetes cluster CIDR range. The pod subnet allocation will be used to configure container networking in a later exercise. The `pod-cidr` instance metadata will be used to expose pod subnet allocations to compute instances at runtime.
|
||||||
|
@ -122,6 +182,8 @@ Each worker instance requires a pod subnet allocation from the Kubernetes cluste
|
||||||
|
|
||||||
Create three compute instances which will host the Kubernetes worker nodes:
|
Create three compute instances which will host the Kubernetes worker nodes:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
|
|
||||||
```
|
```
|
||||||
for i in 0 1 2; do
|
for i in 0 1 2; do
|
||||||
gcloud compute instances create worker-${i} \
|
gcloud compute instances create worker-${i} \
|
||||||
|
@ -139,6 +201,25 @@ for i in 0 1 2; do
|
||||||
done
|
done
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
|
||||||
|
```
|
||||||
|
@(0,1,2) | ForEach-Object {
|
||||||
|
gcloud compute instances create worker-$_ \
|
||||||
|
--async \
|
||||||
|
--boot-disk-size 200GB \
|
||||||
|
--can-ip-forward \
|
||||||
|
--image-family ubuntu-1604-lts \
|
||||||
|
--image-project ubuntu-os-cloud \
|
||||||
|
--machine-type n1-standard-1 \
|
||||||
|
--metadata pod-cidr=10.200.$_.0/24 \
|
||||||
|
--private-network-ip 10.240.0.2$_ \
|
||||||
|
--scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring \
|
||||||
|
--subnet kubernetes \
|
||||||
|
--tags kubernetes-the-hard-way,worker
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
### Verification
|
### Verification
|
||||||
|
|
||||||
List the compute instances in your default compute zone:
|
List the compute instances in your default compute zone:
|
||||||
|
|
|
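Review bot: the worker block under `#### Windows` uses bash-style `\` line continuations (`gcloud compute instances create worker-$_ \`, `--async \`, and so on through `--subnet kubernetes \`) inside a PowerShell `ForEach-Object` script block. PowerShell does not treat `\` as a continuation, so the first line runs as a complete command with a literal `\` argument and each following `--flag` line is then parsed as its own command and fails. Replace every trailing `\` with the backtick used in the controller block earlier in this patch. While here, consider writing the metadata value as `"pod-cidr=10.200.$($_).0/24"` so the variable expansion ahead of the `.0/24` suffix is unambiguous.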
@ -8,6 +8,7 @@ In this section you will provision a Certificate Authority that can be used to g
|
||||||
|
|
||||||
Create the CA configuration file:
|
Create the CA configuration file:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
cat > ca-config.json <<EOF
|
cat > ca-config.json <<EOF
|
||||||
{
|
{
|
||||||
|
@ -26,8 +27,28 @@ cat > ca-config.json <<EOF
|
||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
New-Item ca-config.json -Value @"
|
||||||
|
{
|
||||||
|
"signing": {
|
||||||
|
"default": {
|
||||||
|
"expiry": "8760h"
|
||||||
|
},
|
||||||
|
"profiles": {
|
||||||
|
"kubernetes": {
|
||||||
|
"usages": ["signing", "key encipherment", "server auth", "client auth"],
|
||||||
|
"expiry": "8760h"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
"@
|
||||||
|
```
|
||||||
|
|
||||||
Create the CA certificate signing request:
|
Create the CA certificate signing request:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
cat > ca-csr.json <<EOF
|
cat > ca-csr.json <<EOF
|
||||||
{
|
{
|
||||||
|
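Review bot: `New-Item ca-config.json -Value @"` (and the other `New-Item ... -Value` here-strings in this patch) fails with an "already exists" error if the file is present, whereas the `cat > ca-config.json <<EOF` it mirrors silently overwrites; add `-Force` (or use `Set-Content`) so the Windows steps are re-runnable, and make the intent explicit with `-ItemType File`. Note also that `@"..."@` is an expanding here-string: the closing `"@` must start at column 0, and any `$` inside the JSON would be interpolated. There is none in this file, which is fine, but that expansion is exactly what the CSR here-strings later in the patch rely on for `"CN": "system:node:$_"`.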
@ -49,6 +70,28 @@ cat > ca-csr.json <<EOF
|
||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
New-Item ca-csr.json -Value @"
|
||||||
|
{
|
||||||
|
"CN": "Kubernetes",
|
||||||
|
"key": {
|
||||||
|
"algo": "rsa",
|
||||||
|
"size": 2048
|
||||||
|
},
|
||||||
|
"names": [
|
||||||
|
{
|
||||||
|
"C": "US",
|
||||||
|
"L": "Portland",
|
||||||
|
"O": "Kubernetes",
|
||||||
|
"OU": "CA",
|
||||||
|
"ST": "Oregon"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
"@
|
||||||
|
```
|
||||||
|
|
||||||
Generate the CA certificate and private key:
|
Generate the CA certificate and private key:
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -70,6 +113,7 @@ In this section you will generate client and server certificates for each Kubern
|
||||||
|
|
||||||
Create the `admin` client certificate signing request:
|
Create the `admin` client certificate signing request:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
cat > admin-csr.json <<EOF
|
cat > admin-csr.json <<EOF
|
||||||
{
|
{
|
||||||
|
@ -91,8 +135,31 @@ cat > admin-csr.json <<EOF
|
||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
New-Item admin-csr.json -Value @"
|
||||||
|
{
|
||||||
|
"CN": "admin",
|
||||||
|
"key": {
|
||||||
|
"algo": "rsa",
|
||||||
|
"size": 2048
|
||||||
|
},
|
||||||
|
"names": [
|
||||||
|
{
|
||||||
|
"C": "US",
|
||||||
|
"L": "Portland",
|
||||||
|
"O": "system:masters",
|
||||||
|
"OU": "Kubernetes The Hard Way",
|
||||||
|
"ST": "Oregon"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
"@
|
||||||
|
```
|
||||||
|
|
||||||
Generate the `admin` client certificate and private key:
|
Generate the `admin` client certificate and private key:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
cfssl gencert \
|
cfssl gencert \
|
||||||
-ca=ca.pem \
|
-ca=ca.pem \
|
||||||
|
@ -102,6 +169,16 @@ cfssl gencert \
|
||||||
admin-csr.json | cfssljson -bare admin
|
admin-csr.json | cfssljson -bare admin
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
cfssl gencert `
|
||||||
|
-ca=ca.pem `
|
||||||
|
-ca-key=ca-key.pem `
|
||||||
|
-config=ca-config.json `
|
||||||
|
-profile=kubernetes `
|
||||||
|
admin-csr.json | cfssljson -bare admin
|
||||||
|
```
|
||||||
|
|
||||||
Results:
|
Results:
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -115,6 +192,7 @@ Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/doc
|
||||||
|
|
||||||
Generate a certificate and private key for each Kubernetes worker node:
|
Generate a certificate and private key for each Kubernetes worker node:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
for instance in worker-0 worker-1 worker-2; do
|
for instance in worker-0 worker-1 worker-2; do
|
||||||
cat > ${instance}-csr.json <<EOF
|
cat > ${instance}-csr.json <<EOF
|
||||||
|
@ -152,6 +230,45 @@ cfssl gencert \
|
||||||
done
|
done
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
|
||||||
|
```
|
||||||
|
@(worker-0 worker-1 worker-2) | ForEach-Object {
|
||||||
|
New-Item $_-csr.json -Value @"
|
||||||
|
{
|
||||||
|
"CN": "system:node:$_",
|
||||||
|
"key": {
|
||||||
|
"algo": "rsa",
|
||||||
|
"size": 2048
|
||||||
|
},
|
||||||
|
"names": [
|
||||||
|
{
|
||||||
|
"C": "US",
|
||||||
|
"L": "Portland",
|
||||||
|
"O": "system:nodes",
|
||||||
|
"OU": "Kubernetes The Hard Way",
|
||||||
|
"ST": "Oregon"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
"@
|
||||||
|
|
||||||
|
$EXTERNAL_IP=$(gcloud compute instances describe $_ `
|
||||||
|
--format 'value(networkInterfaces[0].accessConfigs[0].natIP)')
|
||||||
|
|
||||||
|
$INTERNAL_IP=$(gcloud compute instances describe $_ `
|
||||||
|
--format 'value(networkInterfaces[0].networkIP)')
|
||||||
|
|
||||||
|
cfssl gencert `
|
||||||
|
-ca=ca.pem `
|
||||||
|
-ca-key=ca-key.pem `
|
||||||
|
-config=ca-config.json `
|
||||||
|
-hostname=$_,$EXTERNAL_IP,$INTERNAL_IP `
|
||||||
|
-profile=kubernetes `
|
||||||
|
$_-csr.json | cfssljson -bare $_
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
Results:
|
Results:
|
||||||
|
|
||||||
```
|
```
|
||||||
|
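Review bot: `@(worker-0 worker-1 worker-2) | ForEach-Object {` is not valid PowerShell: array elements must be quoted strings separated by commas, as the scp block later in this patch writes them (`@('worker-0','worker-1','worker-2')`); as written the parser rejects the block before anything runs. Second, in `-hostname=$_,$EXTERNAL_IP,$INTERNAL_IP` the unquoted commas are PowerShell's array operator, so cfssl very likely receives `-hostname=worker-0` and the two IP addresses as three separate arguments and the address SANs are silently dropped from the worker certificates; quote the whole token as `"-hostname=$_,$EXTERNAL_IP,$INTERNAL_IP"`. The same quoting would make `New-Item $_-csr.json` and `$_-csr.json | cfssljson -bare $_` read unambiguously.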
@ -167,6 +284,7 @@ worker-2.pem
|
||||||
|
|
||||||
Create the `kube-proxy` client certificate signing request:
|
Create the `kube-proxy` client certificate signing request:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
cat > kube-proxy-csr.json <<EOF
|
cat > kube-proxy-csr.json <<EOF
|
||||||
{
|
{
|
||||||
|
@ -188,8 +306,31 @@ cat > kube-proxy-csr.json <<EOF
|
||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
New-Item kube-proxy-csr.json -Value @"
|
||||||
|
{
|
||||||
|
"CN": "system:kube-proxy",
|
||||||
|
"key": {
|
||||||
|
"algo": "rsa",
|
||||||
|
"size": 2048
|
||||||
|
},
|
||||||
|
"names": [
|
||||||
|
{
|
||||||
|
"C": "US",
|
||||||
|
"L": "Portland",
|
||||||
|
"O": "system:node-proxier",
|
||||||
|
"OU": "Kubernetes The Hard Way",
|
||||||
|
"ST": "Oregon"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
"@
|
||||||
|
```
|
||||||
|
|
||||||
Generate the `kube-proxy` client certificate and private key:
|
Generate the `kube-proxy` client certificate and private key:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
cfssl gencert \
|
cfssl gencert \
|
||||||
-ca=ca.pem \
|
-ca=ca.pem \
|
||||||
|
@ -199,6 +340,16 @@ cfssl gencert \
|
||||||
kube-proxy-csr.json | cfssljson -bare kube-proxy
|
kube-proxy-csr.json | cfssljson -bare kube-proxy
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
cfssl gencert `
|
||||||
|
-ca=ca.pem `
|
||||||
|
-ca-key=ca-key.pem `
|
||||||
|
-config=ca-config.json `
|
||||||
|
-profile=kubernetes `
|
||||||
|
kube-proxy-csr.json | cfssljson -bare kube-proxy
|
||||||
|
```
|
||||||
|
|
||||||
Results:
|
Results:
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -212,14 +363,23 @@ The `kubernetes-the-hard-way` static IP address will be included in the list of
|
||||||
|
|
||||||
Retrieve the `kubernetes-the-hard-way` static IP address:
|
Retrieve the `kubernetes-the-hard-way` static IP address:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
|
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
|
||||||
--region $(gcloud config get-value compute/region) \
|
--region $(gcloud config get-value compute/region) \
|
||||||
--format 'value(address)')
|
--format 'value(address)')
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
$KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way `
|
||||||
|
--region $(gcloud config get-value compute/region) `
|
||||||
|
--format 'value(address)')
|
||||||
|
```
|
||||||
|
|
||||||
Create the Kubernetes API Server certificate signing request:
|
Create the Kubernetes API Server certificate signing request:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
cat > kubernetes-csr.json <<EOF
|
cat > kubernetes-csr.json <<EOF
|
||||||
{
|
{
|
||||||
|
@ -241,8 +401,31 @@ cat > kubernetes-csr.json <<EOF
|
||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
New-Item kubernetes-csr.json -Value @"
|
||||||
|
{
|
||||||
|
"CN": "kubernetes",
|
||||||
|
"key": {
|
||||||
|
"algo": "rsa",
|
||||||
|
"size": 2048
|
||||||
|
},
|
||||||
|
"names": [
|
||||||
|
{
|
||||||
|
"C": "US",
|
||||||
|
"L": "Portland",
|
||||||
|
"O": "Kubernetes",
|
||||||
|
"OU": "Kubernetes The Hard Way",
|
||||||
|
"ST": "Oregon"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
"@
|
||||||
|
```
|
||||||
|
|
||||||
Generate the Kubernetes API Server certificate and private key:
|
Generate the Kubernetes API Server certificate and private key:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
cfssl gencert \
|
cfssl gencert \
|
||||||
-ca=ca.pem \
|
-ca=ca.pem \
|
||||||
|
@ -253,6 +436,17 @@ cfssl gencert \
|
||||||
kubernetes-csr.json | cfssljson -bare kubernetes
|
kubernetes-csr.json | cfssljson -bare kubernetes
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
cfssl gencert `
|
||||||
|
-ca=ca.pem `
|
||||||
|
-ca-key=ca-key.pem `
|
||||||
|
-config=ca-config.json `
|
||||||
|
-hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,$KUBERNETES_PUBLIC_ADDRESS,127.0.0.1,kubernetes.default `
|
||||||
|
-profile=kubernetes `
|
||||||
|
kubernetes-csr.json | cfssljson -bare kubernetes
|
||||||
|
```
|
||||||
|
|
||||||
Results:
|
Results:
|
||||||
|
|
||||||
```
|
```
|
||||||
|
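Review bot: `-hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,$KUBERNETES_PUBLIC_ADDRESS,127.0.0.1,kubernetes.default` must be quoted in PowerShell; an unquoted comma list is the array operator, so the API server certificate would most likely be issued with only the first name and the remaining SANs passed to cfssl as stray arguments. Write it as a single double-quoted string, `"-hostname=10.32.0.1,...,kubernetes.default"`, inside which `$KUBERNETES_PUBLIC_ADDRESS` still expands.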
@ -264,20 +458,35 @@ kubernetes.pem
|
||||||
|
|
||||||
Copy the appropriate certificates and private keys to each worker instance:
|
Copy the appropriate certificates and private keys to each worker instance:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
for instance in worker-0 worker-1 worker-2; do
|
for instance in worker-0 worker-1 worker-2; do
|
||||||
gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/
|
gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/
|
||||||
done
|
done
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
@('worker-0','worker-1','worker-2') | ForEach-Object {
|
||||||
|
gcloud compute scp ca.pem "$_-key.pem" "$_.pem" ${_}:/home/$env:USERNAME/
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
Copy the appropriate certificates and private keys to each controller instance:
|
Copy the appropriate certificates and private keys to each controller instance:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
for instance in controller-0 controller-1 controller-2; do
|
for instance in controller-0 controller-1 controller-2; do
|
||||||
gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${instance}:~/
|
gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${instance}:~/
|
||||||
done
|
done
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
@('controller-0', 'controller-1', 'controller-2') | ForEach-Object {
|
||||||
|
gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${_}:/home/$env:USERNAME/
|
||||||
|
}
|
||||||
|
```
|
||||||
> The `kube-proxy` and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.
|
> The `kube-proxy` and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.
|
||||||
|
|
||||||
Next: [Generating Kubernetes Configuration Files for Authentication](05-kubernetes-configuration-files.md)
|
Next: [Generating Kubernetes Configuration Files for Authentication](05-kubernetes-configuration-files.md)
|
||||||
|
|
|
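Review bot: `${_}:/home/$env:USERNAME/` in both Windows scp blocks assumes the local Windows login name equals the account gcloud provisions on the instance. That usually holds because gcloud derives the remote user from the local one, but the Linux blocks' `${instance}:~/` carry no such assumption, and `${_}:~/` should pass through to scp unchanged since PowerShell only expands `~` at the start of an argument. Consider using the `~/` form on Windows too so both variants land the certificates and keys in the same place.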
@ -14,18 +14,27 @@ Each kubeconfig requires a Kubernetes API Server to connect to. To support high
|
||||||
|
|
||||||
Retrieve the `kubernetes-the-hard-way` static IP address:
|
Retrieve the `kubernetes-the-hard-way` static IP address:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
|
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
|
||||||
--region $(gcloud config get-value compute/region) \
|
--region $(gcloud config get-value compute/region) \
|
||||||
--format 'value(address)')
|
--format 'value(address)')
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
$KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way `
|
||||||
|
--region $(gcloud config get-value compute/region) `
|
||||||
|
--format 'value(address)')
|
||||||
|
```
|
||||||
|
|
||||||
### The kubelet Kubernetes Configuration File
|
### The kubelet Kubernetes Configuration File
|
||||||
|
|
||||||
When generating kubeconfig files for Kubelets the client certificate matching the Kubelet's node name must be used. This will ensure Kubelets are properly authorized by the Kubernetes [Node Authorizer](https://kubernetes.io/docs/admin/authorization/node/).
|
When generating kubeconfig files for Kubelets the client certificate matching the Kubelet's node name must be used. This will ensure Kubelets are properly authorized by the Kubernetes [Node Authorizer](https://kubernetes.io/docs/admin/authorization/node/).
|
||||||
|
|
||||||
Generate a kubeconfig file for each worker node:
|
Generate a kubeconfig file for each worker node:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
for instance in worker-0 worker-1 worker-2; do
|
for instance in worker-0 worker-1 worker-2; do
|
||||||
kubectl config set-cluster kubernetes-the-hard-way \
|
kubectl config set-cluster kubernetes-the-hard-way \
|
||||||
|
@ -49,6 +58,30 @@ for instance in worker-0 worker-1 worker-2; do
|
||||||
done
|
done
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
@('worker-0','worker-1','worker-2') | ForEach-Object {
|
||||||
|
kubectl config set-cluster kubernetes-the-hard-way `
|
||||||
|
--certificate-authority=ca.pem `
|
||||||
|
--embed-certs=true `
|
||||||
|
--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 `
|
||||||
|
--kubeconfig=$_.kubeconfig
|
||||||
|
|
||||||
|
kubectl config set-credentials system:node:$_ `
|
||||||
|
--client-certificate=$_.pem `
|
||||||
|
--client-key=$_-key.pem `
|
||||||
|
--embed-certs=true `
|
||||||
|
--kubeconfig=$_.kubeconfig
|
||||||
|
|
||||||
|
kubectl config set-context default `
|
||||||
|
--cluster=kubernetes-the-hard-way `
|
||||||
|
--user=system:node:$_ `
|
||||||
|
--kubeconfig=$_.kubeconfig
|
||||||
|
|
||||||
|
kubectl config use-context default --kubeconfig=$_.kubeconfig
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
Results:
|
Results:
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -61,6 +94,7 @@ worker-2.kubeconfig
|
||||||
|
|
||||||
Generate a kubeconfig file for the `kube-proxy` service:
|
Generate a kubeconfig file for the `kube-proxy` service:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
kubectl config set-cluster kubernetes-the-hard-way \
|
kubectl config set-cluster kubernetes-the-hard-way \
|
||||||
--certificate-authority=ca.pem \
|
--certificate-authority=ca.pem \
|
||||||
|
@ -88,14 +122,50 @@ kubectl config set-context default \
|
||||||
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
|
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
kubectl config set-cluster kubernetes-the-hard-way `
|
||||||
|
--certificate-authority=ca.pem `
|
||||||
|
--embed-certs=true `
|
||||||
|
--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 `
|
||||||
|
--kubeconfig=kube-proxy.kubeconfig
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
|
kubectl config set-credentials kube-proxy `
|
||||||
|
--client-certificate=kube-proxy.pem `
|
||||||
|
--client-key=kube-proxy-key.pem `
|
||||||
|
--embed-certs=true `
|
||||||
|
--kubeconfig=kube-proxy.kubeconfig
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
|
kubectl config set-context default `
|
||||||
|
--cluster=kubernetes-the-hard-way `
|
||||||
|
--user=kube-proxy `
|
||||||
|
--kubeconfig=kube-proxy.kubeconfig
|
||||||
|
```
|
||||||
|
|
||||||
|
```
|
||||||
|
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
|
||||||
|
```
|
||||||
|
|
||||||
## Distribute the Kubernetes Configuration Files
|
## Distribute the Kubernetes Configuration Files
|
||||||
|
|
||||||
Copy the appropriate `kubelet` and `kube-proxy` kubeconfig files to each worker instance:
|
Copy the appropriate `kubelet` and `kube-proxy` kubeconfig files to each worker instance:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
for instance in worker-0 worker-1 worker-2; do
|
for instance in worker-0 worker-1 worker-2; do
|
||||||
gcloud compute scp ${instance}.kubeconfig kube-proxy.kubeconfig ${instance}:~/
|
gcloud compute scp ${instance}.kubeconfig kube-proxy.kubeconfig ${instance}:~/
|
||||||
done
|
done
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
@('worker-0','worker-1','worker-2') | ForEach-Object {
|
||||||
|
gcloud compute scp $_.kubeconfig kube-proxy.kubeconfig $_:/home/$env:USERNAME/
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
Next: [Generating the Data Encryption Config and Key](06-data-encryption-keys.md)
|
Next: [Generating the Data Encryption Config and Key](06-data-encryption-keys.md)
|
||||||
|
|
|
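Review bot: `gcloud compute scp $_.kubeconfig kube-proxy.kubeconfig $_:/home/$env:USERNAME/` is broken in two places: an argument that begins with `$_.kubeconfig` is parsed as a property lookup on `$_` (which yields nothing, so the first file argument disappears), and `$_:` is read as a scope or drive qualifier rather than `worker-0:`. Use the forms the other Windows scp blocks in this patch already use, `"$_.kubeconfig"` and `${_}:`. Separately, the Windows `kube-proxy` kubeconfig steps are split across four fenced blocks (`set-cluster`, `set-credentials`, `set-context`, `use-context`) while the Linux version and the worker block above are single blocks; merge them into one block.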
@ -8,14 +8,21 @@ In this lab you will generate an encryption key and an [encryption config](https
|
||||||
|
|
||||||
Generate an encryption key:
|
Generate an encryption key:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
|
ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
$ENCRYPTION_KEY=[System.Convert]::ToBase64String($(0..31 | ForEach-Object { Get-Random -Minimum 0 -Maximum 255 } ))
|
||||||
|
```
|
||||||
|
|
||||||
## The Encryption Config File
|
## The Encryption Config File
|
||||||
|
|
||||||
Create the `encryption-config.yaml` encryption config file:
|
Create the `encryption-config.yaml` encryption config file:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
cat > encryption-config.yaml <<EOF
|
cat > encryption-config.yaml <<EOF
|
||||||
kind: EncryptionConfig
|
kind: EncryptionConfig
|
||||||
|
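Review bot: `$ENCRYPTION_KEY=[System.Convert]::ToBase64String($(0..31 | ForEach-Object { Get-Random -Minimum 0 -Maximum 255 } ))` is the weak point of this patch. `-Maximum` is exclusive for `Get-Random`, so the byte value 255 can never occur and each key byte is drawn from 255 values rather than 256; and `Get-Random` is a general-purpose cmdlet that is not documented as a cryptographic generator, while the Linux line it replaces reads `/dev/urandom`. Generate the 32 key bytes with `[System.Security.Cryptography.RandomNumberGenerator]::Create()` into a `byte[]` and pass that to `ToBase64String`; this also avoids relying on PowerShell's implicit `Object[]`-to-`byte[]` conversion of the pipeline output.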
@ -32,12 +39,37 @@ resources:
|
||||||
EOF
|
EOF
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
New-Item encryption-config.yaml -Value @"
|
||||||
|
kind: EncryptionConfig
|
||||||
|
apiVersion: v1
|
||||||
|
resources:
|
||||||
|
- resources:
|
||||||
|
- secrets
|
||||||
|
providers:
|
||||||
|
- aescbc:
|
||||||
|
keys:
|
||||||
|
- name: key1
|
||||||
|
secret: ${ENCRYPTION_KEY}
|
||||||
|
- identity: {}
|
||||||
|
"@
|
||||||
|
```
|
||||||
|
|
||||||
Copy the `encryption-config.yaml` encryption config file to each controller instance:
|
Copy the `encryption-config.yaml` encryption config file to each controller instance:
|
||||||
|
|
||||||
|
#### Linux & OS X
|
||||||
```
|
```
|
||||||
for instance in controller-0 controller-1 controller-2; do
|
for instance in controller-0 controller-1 controller-2; do
|
||||||
gcloud compute scp encryption-config.yaml ${instance}:~/
|
gcloud compute scp encryption-config.yaml ${instance}:~/
|
||||||
done
|
done
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Windows
|
||||||
|
```
|
||||||
|
@('controller-0','controller-1','controller-2') | ForEach-Object {
|
||||||
|
gcloud compute scp encryption-config.yaml ${_}:/home/$env:USERNAME/
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
Next: [Bootstrapping the etcd Cluster](07-bootstrapping-etcd.md)
|
Next: [Bootstrapping the etcd Cluster](07-bootstrapping-etcd.md)
|
||||||
|
|
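Review bot: `New-Item encryption-config.yaml -Value @"` carries YAML, where leading indentation is significant; the expanding here-string preserves it as long as the closing `"@` starts at column 0, but the rendered diff does not show whether `- resources:`, `- secrets`, `providers:` and `keys:` keep the nesting of the Linux heredoc, and a misaligned file here is rejected by the API server at startup. Please double-check the indentation, and as with the other `New-Item` here-strings add `-Force` so the step overwrites like `cat > encryption-config.yaml <<EOF` does.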