adding commands/scripts for windows

Signed-off-by: Mike Stevenson <Mike.Stevenson@us.logicalis.com>
pull/252/head
Mike Stevenson 2017-10-10 22:28:21 -07:00
parent e8d728d016
commit 4d187fa038
5 changed files with 413 additions and 0 deletions

View File

@ -44,6 +44,21 @@ sudo mv cfssl_linux-amd64 /usr/local/bin/cfssl
sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
```
### Windows
```
Invoke-WebRequest -Uri https://pkg.cfssl.org/R1.2/cfssl_windows-amd64.exe -OutFile cfssl.exe
```
```
Invoke-WebRequest -Uri https://pkg.cfssl.org/R1.2/cfssljson_windows-amd64.exe -OutFile cfssljson.exe
```
Add the current directory to the path (this will not persist between sessions):
```
$env:Path += ";$(Get-Location)"
```
### Verification
Verify `cfssl` version 1.2.0 or higher is installed:
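Review bot: `$env:Path += ";$(Get-Location)"` puts whatever directory the user happens to be in on the executable search path, so any `cfssl.exe`, `cfssljson.exe` or other binary dropped into that directory later is resolved by name; downloading into a fixed directory (for example a dedicated tools folder) and appending that path instead would be safer and would also not need the "does not persist" caveat to be re-read each session. The `### Windows` heading here is also one level shallower than the `#### Windows` headings the other files in this patch use.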
@ -94,6 +109,12 @@ chmod +x kubectl
sudo mv kubectl /usr/local/bin/
```
### Windows
```
Invoke-WebRequest -Uri https://storage.googleapis.com/kubernetes-release/release/v1.8.0/bin/windows/amd64/kubectl.exe -OutFile kubectl.exe
```
### Verification
Verify `kubectl` version 1.8.0 or higher is installed:

View File

@ -24,18 +24,29 @@ A [subnet](https://cloud.google.com/compute/docs/vpc/#vpc_networks_and_subnets)
Create the `kubernetes` subnet in the `kubernetes-the-hard-way` VPC network:
##### Linux & OS X
```
gcloud compute networks subnets create kubernetes \
--network kubernetes-the-hard-way \
--range 10.240.0.0/24
```
#### Windows
```
gcloud compute networks subnets create kubernetes `
--network kubernetes-the-hard-way `
--range 10.240.0.0/24
```
> The `10.240.0.0/24` IP address range can host up to 254 compute instances.
### Firewall Rules
Create a firewall rule that allows internal communication across all protocols:
#### Linux & OS X
```
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-internal \
--allow tcp,udp,icmp \
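Review bot: `##### Linux & OS X` has five `#` while the `#### Windows` heading next to it has four; every other Linux/Windows pair in this patch uses `####` for both, so this one should be `####` as well.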
@ -43,8 +54,19 @@ gcloud compute firewall-rules create kubernetes-the-hard-way-allow-internal \
--source-ranges 10.240.0.0/24,10.200.0.0/16
```
#### Windows
```
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-internal `
--allow tcp,udp,icmp `
--network kubernetes-the-hard-way `
--source-ranges 10.240.0.0/24,10.200.0.0/16
```
Create a firewall rule that allows external SSH, ICMP, and HTTPS:
#### Linux & OS X
```
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external \
--allow tcp:22,tcp:6443,icmp \
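Review bot: In the Windows block the unquoted `--allow tcp,udp,icmp` and `--source-ranges 10.240.0.0/24,10.200.0.0/16` values are parsed by PowerShell as arrays (an unquoted comma in argument mode separates array elements), and array arguments reach a native command such as `gcloud` as separate arguments, which is not the rule the Linux block creates. Quote the values, e.g. `--allow 'tcp,udp,icmp'` and `--source-ranges '10.240.0.0/24,10.200.0.0/16'`, so they pass through intact.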
@ -52,6 +74,15 @@ gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external \
--source-ranges 0.0.0.0/0
```
#### Windows
```
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external `
--allow tcp:22,tcp:6443,icmp `
--network kubernetes-the-hard-way `
--source-ranges 0.0.0.0/0
```
> An [external load balancer](https://cloud.google.com/compute/docs/load-balancing/network/) will be used to expose the Kubernetes API Servers to remote clients.
List the firewall rules in the `kubernetes-the-hard-way` VPC network:
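Review bot: `--allow tcp:22,tcp:6443,icmp` in the Windows block has the same unquoted-comma problem as the internal rule: PowerShell splits it into an array before `gcloud` sees it, so quote it as `--allow 'tcp:22,tcp:6443,icmp'`.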
@ -72,11 +103,20 @@ kubernetes-the-hard-way-allow-internal kubernetes-the-hard-way INGRESS
Allocate a static IP address that will be attached to the external load balancer fronting the Kubernetes API Servers:
#### Linux & OS X
```
gcloud compute addresses create kubernetes-the-hard-way \
--region $(gcloud config get-value compute/region)
```
#### Windows
```
gcloud compute addresses create kubernetes-the-hard-way `
--region $(gcloud config get-value compute/region)
```
Verify the `kubernetes-the-hard-way` static IP address was created in your default compute region:
```
@ -98,6 +138,8 @@ The compute instances in this lab will be provisioned using [Ubuntu Server](http
Create three compute instances which will host the Kubernetes control plane:
#### Linux & OS X
```
for i in 0 1 2; do
gcloud compute instances create controller-${i} \
@ -114,6 +156,24 @@ for i in 0 1 2; do
done
```
#### Windows
```
@(0,1,2) | ForEach-Object {
gcloud compute instances create controller-$_ `
--async `
--boot-disk-size 200GB `
--can-ip-forward `
--image-family ubuntu-1604-lts `
--image-project ubuntu-os-cloud `
--machine-type n1-standard-1 `
--private-network-ip 10.240.0.1$_ `
--scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring `
--subnet kubernetes `
--tags kubernetes-the-hard-way,controller
}
```
### Kubernetes Workers
Each worker instance requires a pod subnet allocation from the Kubernetes cluster CIDR range. The pod subnet allocation will be used to configure container networking in a later exercise. The `pod-cidr` instance metadata will be used to expose pod subnet allocations to compute instances at runtime.
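Review bot: The `--scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring` value in the Windows block should be quoted; unquoted, PowerShell treats the comma-separated list as an array and hands `gcloud` the scopes as separate arguments. The backtick continuations and `--private-network-ip 10.240.0.1$_` are fine.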
@ -122,6 +182,8 @@ Each worker instance requires a pod subnet allocation from the Kubernetes cluste
Create three compute instances which will host the Kubernetes worker nodes:
#### Linux & OS X
```
for i in 0 1 2; do
gcloud compute instances create worker-${i} \
@ -139,6 +201,25 @@ for i in 0 1 2; do
done
```
#### Windows
```
@(0,1,2) | ForEach-Object {
gcloud compute instances create worker-$_ \
--async \
--boot-disk-size 200GB \
--can-ip-forward \
--image-family ubuntu-1604-lts \
--image-project ubuntu-os-cloud \
--machine-type n1-standard-1 \
--metadata pod-cidr=10.200.$_.0/24 \
--private-network-ip 10.240.0.2$_ \
--scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring \
--subnet kubernetes \
--tags kubernetes-the-hard-way,worker
}
```
### Verification
List the compute instances in your default compute zone:
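Review bot: This Windows `ForEach-Object` block uses `\` for line continuation, but in PowerShell only the backtick continues a line, so each `--option` line is parsed as its own statement and the `gcloud compute instances create worker-$_` call runs with no options at all; replace every trailing `\` with a backtick as the controller block above does. The `--scopes` list should also be quoted for the same array-splitting reason noted on the controller block.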

View File

@ -8,6 +8,7 @@ In this section you will provision a Certificate Authority that can be used to g
Create the CA configuration file:
#### Linux & OS X
```
cat > ca-config.json <<EOF
{
@ -26,8 +27,28 @@ cat > ca-config.json <<EOF
EOF
```
#### Windows
```
New-Item ca-config.json -Value @"
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}
"@
```
Create the CA certificate signing request:
#### Linux & OS X
```
cat > ca-csr.json <<EOF
{
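Review bot: `New-Item ca-config.json -Value @"…"@` errors with "file already exists" if the step is re-run, whereas the `cat >` form overwrites; adding `-Force` gives the two variants the same behaviour (this applies to every `New-Item` in this patch). It is also worth a short note that the closing `"@` of a here-string must begin at column 0, since the JSON in the Windows blocks is otherwise indented freely.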
@ -49,6 +70,28 @@ cat > ca-csr.json <<EOF
EOF
```
#### Windows
```
New-Item ca-csr.json -Value @"
{
"CN": "Kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "CA",
"ST": "Oregon"
}
]
}
"@
```
Generate the CA certificate and private key:
```
@ -70,6 +113,7 @@ In this section you will generate client and server certificates for each Kubern
Create the `admin` client certificate signing request:
#### Linux & OS X
```
cat > admin-csr.json <<EOF
{
@ -91,8 +135,31 @@ cat > admin-csr.json <<EOF
EOF
```
#### Windows
```
New-Item admin-csr.json -Value @"
{
"CN": "admin",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:masters",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
"@
```
Generate the `admin` client certificate and private key:
#### Linux & OS X
```
cfssl gencert \
-ca=ca.pem \
@ -102,6 +169,16 @@ cfssl gencert \
admin-csr.json | cfssljson -bare admin
```
#### Windows
```
cfssl gencert `
-ca=ca.pem `
-ca-key=ca-key.pem `
-config=ca-config.json `
-profile=kubernetes `
admin-csr.json | cfssljson -bare admin
```
Results:
```
@ -115,6 +192,7 @@ Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/doc
Generate a certificate and private key for each Kubernetes worker node:
#### Linux & OS X
```
for instance in worker-0 worker-1 worker-2; do
cat > ${instance}-csr.json <<EOF
@ -152,6 +230,45 @@ cfssl gencert \
done
```
#### Windows
```
@(worker-0 worker-1 worker-2) | ForEach-Object {
New-Item $_-csr.json -Value @"
{
"CN": "system:node:$_",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:nodes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
"@
$EXTERNAL_IP=$(gcloud compute instances describe $_ `
--format 'value(networkInterfaces[0].accessConfigs[0].natIP)')
$INTERNAL_IP=$(gcloud compute instances describe $_ `
--format 'value(networkInterfaces[0].networkIP)')
cfssl gencert `
-ca=ca.pem `
-ca-key=ca-key.pem `
-config=ca-config.json `
-hostname=$_,$EXTERNAL_IP,$INTERNAL_IP `
-profile=kubernetes `
$_-csr.json | cfssljson -bare $_
}
```
Results:
```
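Review bot: `@(worker-0 worker-1 worker-2)` is not valid PowerShell; an array literal needs quoted, comma-separated elements, `@('worker-0','worker-1','worker-2')`, as the scp block later in this patch writes it. `-hostname=$_,$EXTERNAL_IP,$INTERNAL_IP` also needs quoting, `"-hostname=$_,$EXTERNAL_IP,$INTERNAL_IP"`, because an unquoted comma makes PowerShell build an array and pass the pieces as separate arguments, which would leave the worker certificate without its IP SANs.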
@ -167,6 +284,7 @@ worker-2.pem
Create the `kube-proxy` client certificate signing request:
#### Linux & OS X
```
cat > kube-proxy-csr.json <<EOF
{
@ -188,8 +306,31 @@ cat > kube-proxy-csr.json <<EOF
EOF
```
#### Windows
```
New-Item kube-proxy-csr.json -Value @"
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "system:node-proxier",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
"@
```
Generate the `kube-proxy` client certificate and private key:
#### Linux & OS X
```
cfssl gencert \
-ca=ca.pem \
@ -199,6 +340,16 @@ cfssl gencert \
kube-proxy-csr.json | cfssljson -bare kube-proxy
```
#### Windows
```
cfssl gencert `
-ca=ca.pem `
-ca-key=ca-key.pem `
-config=ca-config.json `
-profile=kubernetes `
kube-proxy-csr.json | cfssljson -bare kube-proxy
```
Results:
```
@ -212,14 +363,23 @@ The `kubernetes-the-hard-way` static IP address will be included in the list of
Retrieve the `kubernetes-the-hard-way` static IP address:
#### Linux & OS X
```
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
--region $(gcloud config get-value compute/region) \
--format 'value(address)')
```
#### Windows
```
$KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way `
--region $(gcloud config get-value compute/region) `
--format 'value(address)')
```
Create the Kubernetes API Server certificate signing request:
#### Linux & OS X
```
cat > kubernetes-csr.json <<EOF
{
@ -241,8 +401,31 @@ cat > kubernetes-csr.json <<EOF
EOF
```
#### Windows
```
New-Item kubernetes-csr.json -Value @"
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "Portland",
"O": "Kubernetes",
"OU": "Kubernetes The Hard Way",
"ST": "Oregon"
}
]
}
"@
```
Generate the Kubernetes API Server certificate and private key:
#### Linux & OS X
```
cfssl gencert \
-ca=ca.pem \
@ -253,6 +436,17 @@ cfssl gencert \
kubernetes-csr.json | cfssljson -bare kubernetes
```
#### Windows
```
cfssl gencert `
-ca=ca.pem `
-ca-key=ca-key.pem `
-config=ca-config.json `
-hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,$KUBERNETES_PUBLIC_ADDRESS,127.0.0.1,kubernetes.default `
-profile=kubernetes `
kubernetes-csr.json | cfssljson -bare kubernetes
```
Results:
```
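Review bot: The `-hostname=` list for the API server certificate contains commas, so unquoted it is split by PowerShell into an array and `cfssl` receives `-hostname=10.32.0.1` followed by stray positional arguments; the certificate would then lack the remaining SANs (the controller IPs, `$KUBERNETES_PUBLIC_ADDRESS`, `127.0.0.1`, `kubernetes.default`), and clients connecting through the load balancer would fail verification. Wrap the whole value in double quotes so `$KUBERNETES_PUBLIC_ADDRESS` still expands.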
@ -264,20 +458,35 @@ kubernetes.pem
Copy the appropriate certificates and private keys to each worker instance:
#### Linux & OS X
```
for instance in worker-0 worker-1 worker-2; do
gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/
done
```
#### Windows
```
@('worker-0','worker-1','worker-2') | ForEach-Object {
gcloud compute scp ca.pem "$_-key.pem" "$_.pem" ${_}:/home/$env:USERNAME/
}
```
Copy the appropriate certificates and private keys to each controller instance:
#### Linux & OS X
```
for instance in controller-0 controller-1 controller-2; do
gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${instance}:~/
done
```
#### Windows
```
@('controller-0', 'controller-1', 'controller-2') | ForEach-Object {
gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${_}:/home/$env:USERNAME/
}
```
> The `kube-proxy` and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.
Next: [Generating Kubernetes Configuration Files for Authentication](05-kubernetes-configuration-files.md)
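Review bot: `${_}:/home/$env:USERNAME/` hardcodes the remote home directory from the local Windows `USERNAME`, which only matches when gcloud logs in under exactly that name; the Linux variant's `${instance}:~/` lets the remote shell resolve the home directory and works from PowerShell as well, so `${_}:~/` would be more robust. The quotes around `"$_-key.pem" "$_.pem"` in the worker block should stay: an unquoted `$_.pem` at the start of an argument is read as a property access and expands to nothing.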

View File

@ -14,18 +14,27 @@ Each kubeconfig requires a Kubernetes API Server to connect to. To support high
Retrieve the `kubernetes-the-hard-way` static IP address:
#### Linux & OS X
```
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
--region $(gcloud config get-value compute/region) \
--format 'value(address)')
```
#### Windows
```
$KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way `
--region $(gcloud config get-value compute/region) `
--format 'value(address)')
```
### The kubelet Kubernetes Configuration File
When generating kubeconfig files for Kubelets the client certificate matching the Kubelet's node name must be used. This will ensure Kubelets are properly authorized by the Kubernetes [Node Authorizer](https://kubernetes.io/docs/admin/authorization/node/).
Generate a kubeconfig file for each worker node:
#### Linux & OS X
```
for instance in worker-0 worker-1 worker-2; do
kubectl config set-cluster kubernetes-the-hard-way \
@ -49,6 +58,30 @@ for instance in worker-0 worker-1 worker-2; do
done
```
#### Windows
```
@('worker-0','worker-1','worker-2') | ForEach-Object {
kubectl config set-cluster kubernetes-the-hard-way `
--certificate-authority=ca.pem `
--embed-certs=true `
--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 `
--kubeconfig=$_.kubeconfig
kubectl config set-credentials system:node:$_ `
--client-certificate=$_.pem `
--client-key=$_-key.pem `
--embed-certs=true `
--kubeconfig=$_.kubeconfig
kubectl config set-context default `
--cluster=kubernetes-the-hard-way `
--user=system:node:$_ `
--kubeconfig=$_.kubeconfig
kubectl config use-context default --kubeconfig=$_.kubeconfig
}
```
Results:
```
@ -61,6 +94,7 @@ worker-2.kubeconfig
Generate a kubeconfig file for the `kube-proxy` service:
#### Linux & OS X
```
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \
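Review bot: For consistency with the scp blocks in this patch, write the per-instance file names as `${_}.kubeconfig`, `${_}.pem` and `${_}-key.pem` rather than `$_.kubeconfig` / `$_.pem`; whenever `$_.pem` stands alone as an argument PowerShell reads `.pem` as a property access on the string and the argument becomes empty, so the `${_}` form is the one that is safe in every position.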
@ -88,14 +122,50 @@ kubectl config set-context default \
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
```
#### Windows
```
kubectl config set-cluster kubernetes-the-hard-way `
--certificate-authority=ca.pem `
--embed-certs=true `
--server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 `
--kubeconfig=kube-proxy.kubeconfig
```
```
kubectl config set-credentials kube-proxy `
--client-certificate=kube-proxy.pem `
--client-key=kube-proxy-key.pem `
--embed-certs=true `
--kubeconfig=kube-proxy.kubeconfig
```
```
kubectl config set-context default `
--cluster=kubernetes-the-hard-way `
--user=kube-proxy `
--kubeconfig=kube-proxy.kubeconfig
```
```
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
```
## Distribute the Kubernetes Configuration Files
Copy the appropriate `kubelet` and `kube-proxy` kubeconfig files to each worker instance:
#### Linux & OS X
```
for instance in worker-0 worker-1 worker-2; do
gcloud compute scp ${instance}.kubeconfig kube-proxy.kubeconfig ${instance}:~/
done
```
#### Windows
```
@('worker-0','worker-1','worker-2') | ForEach-Object {
gcloud compute scp $_.kubeconfig kube-proxy.kubeconfig $_:/home/$env:USERNAME/
}
```
Next: [Generating the Data Encryption Config and Key](06-data-encryption-keys.md)
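Review bot: In `gcloud compute scp $_.kubeconfig kube-proxy.kubeconfig $_:/home/$env:USERNAME/` the first argument starts with `$_.kubeconfig`, which PowerShell evaluates as a property access on the pipeline string and yields nothing, and `$_:` is parsed as a drive- or scope-qualified variable reference, which fails with an invalid variable reference error; use `${_}.kubeconfig` and `${_}:~/` (or `${_}:/home/...`) as the other scp blocks in this patch do. The `kube-proxy` kubeconfig commands are also split into four separate fenced blocks while the Linux version is a single block; one block keeps the two variants parallel.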

View File

@ -8,14 +8,21 @@ In this lab you will generate an encryption key and an [encryption config](https
Generate an encryption key:
#### Linux & OS X
```
ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
```
#### Windows
```
$ENCRYPTION_KEY=[System.Convert]::ToBase64String($(0..31 | ForEach-Object { Get-Random -Minimum 0 -Maximum 255 } ))
```
## The Encryption Config File
Create the `encryption-config.yaml` encryption config file:
#### Linux & OS X
```
cat > encryption-config.yaml <<EOF
kind: EncryptionConfig
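Review bot: `Get-Random -Minimum 0 -Maximum 255` is exclusive of the maximum, so the byte value 255 can never occur, and `Get-Random` is not documented as a cryptographically secure generator, unlike the `/dev/urandom` read in the Linux block; since this value is the `aescbc` key protecting Secrets at rest, generate the 32 bytes with the .NET CSPRNG instead, e.g. `$bytes = New-Object byte[] 32; [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes); $ENCRYPTION_KEY = [System.Convert]::ToBase64String($bytes)`.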
@ -32,12 +39,37 @@ resources:
EOF
```
#### Windows
```
New-Item encryption-config.yaml -Value @"
kind: EncryptionConfig
apiVersion: v1
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: ${ENCRYPTION_KEY}
- identity: {}
"@
```
Copy the `encryption-config.yaml` encryption config file to each controller instance:
#### Linux & OS X
```
for instance in controller-0 controller-1 controller-2; do
gcloud compute scp encryption-config.yaml ${instance}:~/
done
```
#### Windows
```
@('controller-0','controller-1','controller-2') | ForEach-Object {
gcloud compute scp encryption-config.yaml ${_}:/home/$env:USERNAME/
}
```
Next: [Bootstrapping the etcd Cluster](07-bootstrapping-etcd.md)