mirrors
/
kubernetes-the-hard-way
mirror of https://github.com/kelseyhightower/kubernetes-the-hard-way
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

update for 1.6

pull/137/head
Kelsey Hightower 2017-03-25 09:44:23 -07:00
parent 6827ce575e
commit 7e009610b2
3 changed files with 89 additions and 123 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

88
docs/01-infrastructure-gcp.md
View File

@ -22,9 +22,9 @@ worker2 us-central1-f n1-standard-1 10.240.0.22 XXX.XXX.XXX
To make our Kubernetes control plane remotely accessible, a public IP address will be provisioned and assigned to a Load Balancer that will sit in front of the 3 Kubernetes controllers.
## Networking
## Prerequisites
Set the region and zone to us-central1:
Set the compute region and zone to us-central1:
```
gcloud config set compute/region us-central1
@ -34,106 +34,78 @@ gcloud config set compute/region us-central1
gcloud config set compute/zone us-central1-f
```
Create a Kubernetes network:
## Setup Networking
Create a custom network:
```
gcloud compute networks create kubernetes --mode custom
gcloud compute networks create kubernetes-the-hard-way --mode custom
```
Create a subnet for the Kubernetes cluster:
```
gcloud compute networks subnets create kubernetes \
--network kubernetes \
--network kubernetes-the-hard-way \
--range 10.240.0.0/24
```
### Firewall Rules
### Create Firewall Rules
```
gcloud compute firewall-rules create kubernetes-allow-icmp \
--allow icmp \
--network kubernetes \
--source-ranges 0.0.0.0/0
gcloud compute firewall-rules create allow-internal \
--allow tcp,udp,icmp \
--network kubernetes-the-hard-way \
--source-ranges 10.240.0.0/24,10.200.0.0/16
```
```
gcloud compute firewall-rules create kubernetes-allow-internal \
--allow tcp:0-65535,udp:0-65535,icmp \
--network kubernetes \
--source-ranges 10.240.0.0/24
```
```
gcloud compute firewall-rules create kubernetes-allow-internal-podcidr \
--allow tcp:0-65535,udp:0-65535,icmp \
--network kubernetes \
--source-ranges 10.200.0.0/16
```
```
gcloud compute firewall-rules create kubernetes-allow-rdp \
--allow tcp:3389 \
--network kubernetes \
gcloud compute firewall-rules create allow-external \
--allow tcp:22,tcp:3389,tcp:6443,icmp \
--network kubernetes-the-hard-way \
--source-ranges 0.0.0.0/0
```
```
gcloud compute firewall-rules create kubernetes-allow-ssh \
--allow tcp:22 \
--network kubernetes \
--source-ranges 0.0.0.0/0
```
```
gcloud compute firewall-rules create kubernetes-allow-healthz \
gcloud compute firewall-rules create allow-healthz \
--allow tcp:8080 \
--network kubernetes \
--network kubernetes-the-hard-way \
--source-ranges 130.211.0.0/22
```
```
gcloud compute firewall-rules create kubernetes-allow-api-server \
--allow tcp:6443 \
--network kubernetes \
--source-ranges 0.0.0.0/0
```
```
gcloud compute firewall-rules list --filter "network=kubernetes"
gcloud compute firewall-rules list --filter "network=kubernetes-the-hard-way"
```
```
NAME NETWORK SRC_RANGES RULES SRC_TAGS TARGET_TAGS
kubernetes-allow-api-server kubernetes 0.0.0.0/0 tcp:6443
kubernetes-allow-healthz kubernetes 130.211.0.0/22 tcp:8080
kubernetes-allow-icmp kubernetes 0.0.0.0/0 icmp
kubernetes-allow-internal kubernetes 10.240.0.0/24 tcp:0-65535,udp:0-65535,icmp
kubernetes-allow-internal-podcidr kubernetes 10.200.0.0/16 tcp:0-65535,udp:0-65535,icmp
kubernetes-allow-rdp kubernetes 0.0.0.0/0 tcp:3389
kubernetes-allow-ssh kubernetes 0.0.0.0/0 tcp:22
NAME NETWORK SRC_RANGES RULES SRC_TAGS TARGET_TAGS
allow-external kubernetes-the-hard-way 0.0.0.0/0 tcp:22,tcp:3389,tcp:6443,icmp
allow-healthz kubernetes-the-hard-way 130.211.0.0/22 tcp:8080
allow-internal kubernetes-the-hard-way 10.240.0.0/24,10.200.0.0/16 tcp,udp,icmp
```
### Kubernetes Public Address
### Create the Kubernetes Public Address
Create a public IP address that will be used by remote clients to connect to the Kubernetes control plane:
```
gcloud compute addresses create kubernetes --region=us-central1
gcloud compute addresses create kubernetes-the-hard-way --region=us-central1
```
```
gcloud compute addresses list kubernetes
gcloud compute addresses list kubernetes-the-hard-way
```
```
NAME REGION ADDRESS STATUS
kubernetes us-central1 XXX.XXX.XXX.XXX RESERVED
NAME REGION ADDRESS STATUS
kubernetes-the-hard-way us-central1 XXX.XXX.XXX.XXX RESERVED
```
## Provision Virtual Machines
All the VMs in this lab will be provisioned using Ubuntu 16.04 mainly because it runs a newish Linux Kernel that has good support for Docker.
All the VMs in this lab will be provisioned using Ubuntu 16.04 mainly because it runs a newish Linux kernel with good support for Docker.
### Virtual Machines

122
docs/02-certificate-authority.md
View File

@ -2,13 +2,12 @@
In this lab you will setup the necessary PKI infrastructure to secure the Kubernetes components. This lab will leverage CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), to bootstrap a Certificate Authority and generate TLS certificates.
In this lab you will generate a single set of TLS certificates that can be used to secure the following Kubernetes components:
In this lab you will generate a set of TLS certificates that can be used to secure the following Kubernetes components:
* etcd
* Kubernetes API Server
* Kubernetes Kubelet
> In production you should strongly consider generating individual TLS certificates for each component.
* kube-apiserver
* kubelet
* kube-proxy
After completing this lab you should have the following TLS keys and certificates:
@ -42,7 +41,6 @@ chmod +x cfssljson_darwin-amd64
sudo mv cfssljson_darwin-amd64 /usr/local/bin/cfssljson
```
### Linux
```
@ -57,12 +55,13 @@ chmod +x cfssljson_linux-amd64
sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
```
## Setting up a Certificate Authority
## Set up a Certificate Authority
### Create the CA configuration file
Create a CA configuration file:
```
echo '{
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "8760h"
@ -74,15 +73,16 @@ echo '{
}
}
}
}' > ca-config.json
}
EOF
```
### Generate the CA certificate and private key
Create a CA certificate signing request:
Create the CA CSR:
```
echo '{
cat > ca-csr.json <<EOF
{
"CN": "Kubernetes",
"key": {
"algo": "rsa",
@ -97,7 +97,8 @@ echo '{
"ST": "Oregon"
}
]
}' > ca-csr.json
}
EOF
```
Generate the CA certificate and private key:
@ -110,40 +111,17 @@ Results:
```
ca-key.pem
ca.csr
ca.pem
```
### Verification
## Generate client and server TLS certificates
```
openssl x509 -in ca.pem -text -noout
```
In this section we will generate TLS certificates for all each Kubernetes component and a client certificate for an admin client.
## Generate the single Kubernetes TLS Cert
In this section we will generate a TLS certificate that will be valid for all Kubernetes components. This is being done for ease of use. In production you should strongly consider generating individual TLS certificates for each component. (But all replicas of a given component must share the same certificate.)
### Create the Admin client certificate
### Set the Kubernetes Public Address
#### GCE
```
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes \
--format 'value(address)')
```
#### AWS
```
KUBERNETES_PUBLIC_ADDRESS=$(aws elb describe-load-balancers \
--load-balancer-name kubernetes | \
jq -r '.LoadBalancerDescriptions[].DNSName')
```
---
Create the `admin-csr.json` file:
Create the admin client certificate signing request:
```
cat > admin-csr.json <<EOF
@ -167,7 +145,7 @@ cat > admin-csr.json <<EOF
EOF
```
Generate the admin certificate and private key:
Generate the admin client certificate and private key:
```
cfssl gencert \
@ -182,11 +160,12 @@ Results:
```
admin-key.pem
admin.csr
admin.pem
```
Create the `kube-proxy-csr.json` file:
### Create the kube-proxy client certificate
Create the kube-proxy client certificate signing request:
```
cat > kube-proxy-csr.json <<EOF
@ -210,7 +189,7 @@ cat > kube-proxy-csr.json <<EOF
EOF
```
Generate the node-proxier certificate and private key:
Generate the kube-proxy client certificate and private key:
```
cfssl gencert \
@ -225,12 +204,34 @@ Results:
```
kube-proxy-key.pem
kube-proxy.csr
kube-proxy.pem
```
### Create the kubernetes server certificate
Create the `kubernetes-csr.json` file:
Set the Kubernetes Public IP Address
The Kubernetes public IP address will be included in the list of subject alternative names for the Kubernetes server certificate. This will ensure the TLS certificate is valid for remote client access.
#### GCE
```
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
--region us-central1 \
--format 'value(address)')
```
#### AWS
```
KUBERNETES_PUBLIC_ADDRESS=$(aws elb describe-load-balancers \
--load-balancer-name kubernetes | \
jq -r '.LoadBalancerDescriptions[].DNSName')
```
---
Create the kubernetes server certificate signing request:
```
cat > kubernetes-csr.json <<EOF
@ -241,9 +242,9 @@ cat > kubernetes-csr.json <<EOF
"10.240.0.10",
"10.240.0.11",
"10.240.0.12",
"ip-10-240-0-20",
"ip-10-240-0-21",
"ip-10-240-0-22",
"ip-10-240-0-10",
"ip-10-240-0-11",
"ip-10-240-0-12",
"${KUBERNETES_PUBLIC_ADDRESS}",
"127.0.0.1",
"kubernetes.default"
@ -280,22 +281,15 @@ Results:
```
kubernetes-key.pem
kubernetes.csr
kubernetes.pem
```
### Verification
```
openssl x509 -in kubernetes.pem -text -noout
```
## Copy TLS Certs
## Distribute the TLS certificates
Set the list of Kubernetes hosts where the certs should be copied to:
```
KUBERNETES_HOSTS=(controller0 controller1 controller2 worker0 worker1 worker2)
KUBERNETES_WORKERS=(worker0 worker1 worker2)
```
```
@ -309,8 +303,8 @@ The following command will:
* Copy the TLS certificates and keys to each Kubernetes host using the `gcloud compute copy-files` command.
```
for host in ${KUBERNETES_HOSTS[*]}; do
gcloud compute copy-files ca.pem ${host}:~/
for host in ${KUBERNETES_WORKERS[*]}; do
gcloud compute copy-files ca.pem kube-proxy.pem kube-proxy-key.pem ${host}:~/
done
```
@ -327,17 +321,17 @@ The following command will:
* Copy the TLS certificates and keys to each Kubernetes host using `scp`
```
for host in ${KUBERNETES_HOSTS[*]}; do
for host in ${KUBERNETES_WORKERS[*]}; do
PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${host}" | \
jq -r '.Reservations[].Instances[].PublicIpAddress')
scp -o "StrictHostKeyChecking no" ca.pem \
scp -o "StrictHostKeyChecking no" ca.pem kube-proxy.pem kube-proxy-key.pem \
ubuntu@${PUBLIC_IP_ADDRESS}:~/
done
```
```
for host in ${KUBERNETES_HOSTS[*]}; do
for host in ${KUBERNETES_CONTROLLERS[*]}; do
PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${host}" | \
jq -r '.Reservations[].Instances[].PublicIpAddress')

2
docs/11-cleanup.md
View File

@ -13,7 +13,7 @@ gcloud -q compute instances delete \
### Networking
```
gcloud -q compute forwarding-rules delete kubernetes-rule
gcloud -q compute forwarding-rules delete kubernetes-rule --region us-central1
```
```