From 7e009610b2af4f1eec02569e3c60f5d135b442e1 Mon Sep 17 00:00:00 2001 From: Kelsey Hightower Date: Sat, 25 Mar 2017 09:44:23 -0700 Subject: [PATCH] update for 1.6 --- docs/01-infrastructure-gcp.md | 88 ++++++++-------------- docs/02-certificate-authority.md | 122 +++++++++++++++---------------- docs/11-cleanup.md | 2 +- 3 files changed, 89 insertions(+), 123 deletions(-) diff --git a/docs/01-infrastructure-gcp.md b/docs/01-infrastructure-gcp.md index e813f79..367c622 100644 --- a/docs/01-infrastructure-gcp.md +++ b/docs/01-infrastructure-gcp.md @@ -22,9 +22,9 @@ worker2 us-central1-f n1-standard-1 10.240.0.22 XXX.XXX.XXX To make our Kubernetes control plane remotely accessible, a public IP address will be provisioned and assigned to a Load Balancer that will sit in front of the 3 Kubernetes controllers. -## Networking +## Prerequisites -Set the region and zone to us-central1: +Set the compute region and zone to us-central1: ``` gcloud config set compute/region us-central1 @@ -34,106 +34,78 @@ gcloud config set compute/region us-central1 gcloud config set compute/zone us-central1-f ``` -Create a Kubernetes network: +## Setup Networking + + +Create a custom network: ``` -gcloud compute networks create kubernetes --mode custom +gcloud compute networks create kubernetes-the-hard-way --mode custom ``` Create a subnet for the Kubernetes cluster: ``` gcloud compute networks subnets create kubernetes \ - --network kubernetes \ + --network kubernetes-the-hard-way \ --range 10.240.0.0/24 ``` -### Firewall Rules +### Create Firewall Rules ``` -gcloud compute firewall-rules create kubernetes-allow-icmp \ - --allow icmp \ - --network kubernetes \ - --source-ranges 0.0.0.0/0 +gcloud compute firewall-rules create allow-internal \ + --allow tcp,udp,icmp \ + --network kubernetes-the-hard-way \ + --source-ranges 10.240.0.0/24,10.200.0.0/16 ``` ``` -gcloud compute firewall-rules create kubernetes-allow-internal \ - --allow tcp:0-65535,udp:0-65535,icmp \ - --network kubernetes \ - --source-ranges 10.240.0.0/24 -``` - -``` -gcloud compute firewall-rules create kubernetes-allow-internal-podcidr \ - --allow tcp:0-65535,udp:0-65535,icmp \ - --network kubernetes \ - --source-ranges 10.200.0.0/16 -``` - -``` -gcloud compute firewall-rules create kubernetes-allow-rdp \ - --allow tcp:3389 \ - --network kubernetes \ +gcloud compute firewall-rules create allow-external \ + --allow tcp:22,tcp:3389,tcp:6443,icmp \ + --network kubernetes-the-hard-way \ --source-ranges 0.0.0.0/0 ``` ``` -gcloud compute firewall-rules create kubernetes-allow-ssh \ - --allow tcp:22 \ - --network kubernetes \ - --source-ranges 0.0.0.0/0 -``` - -``` -gcloud compute firewall-rules create kubernetes-allow-healthz \ +gcloud compute firewall-rules create allow-healthz \ --allow tcp:8080 \ - --network kubernetes \ + --network kubernetes-the-hard-way \ --source-ranges 130.211.0.0/22 ``` -``` -gcloud compute firewall-rules create kubernetes-allow-api-server \ - --allow tcp:6443 \ - --network kubernetes \ - --source-ranges 0.0.0.0/0 -``` - ``` -gcloud compute firewall-rules list --filter "network=kubernetes" +gcloud compute firewall-rules list --filter "network=kubernetes-the-hard-way" ``` ``` -NAME NETWORK SRC_RANGES RULES SRC_TAGS TARGET_TAGS -kubernetes-allow-api-server kubernetes 0.0.0.0/0 tcp:6443 -kubernetes-allow-healthz kubernetes 130.211.0.0/22 tcp:8080 -kubernetes-allow-icmp kubernetes 0.0.0.0/0 icmp -kubernetes-allow-internal kubernetes 10.240.0.0/24 tcp:0-65535,udp:0-65535,icmp -kubernetes-allow-internal-podcidr kubernetes 10.200.0.0/16 tcp:0-65535,udp:0-65535,icmp -kubernetes-allow-rdp kubernetes 0.0.0.0/0 tcp:3389 -kubernetes-allow-ssh kubernetes 0.0.0.0/0 tcp:22 +NAME NETWORK SRC_RANGES RULES SRC_TAGS TARGET_TAGS +allow-external kubernetes-the-hard-way 0.0.0.0/0 tcp:22,tcp:3389,tcp:6443,icmp +allow-healthz kubernetes-the-hard-way 130.211.0.0/22 tcp:8080 +allow-internal kubernetes-the-hard-way 10.240.0.0/24,10.200.0.0/16 tcp,udp,icmp ``` -### Kubernetes Public Address +### Create the Kubernetes Public Address Create a public IP address that will be used by remote clients to connect to the Kubernetes control plane: ``` -gcloud compute addresses create kubernetes --region=us-central1 +gcloud compute addresses create kubernetes-the-hard-way --region=us-central1 ``` ``` -gcloud compute addresses list kubernetes +gcloud compute addresses list kubernetes-the-hard-way ``` + ``` -NAME REGION ADDRESS STATUS -kubernetes us-central1 XXX.XXX.XXX.XXX RESERVED +NAME REGION ADDRESS STATUS +kubernetes-the-hard-way us-central1 XXX.XXX.XXX.XXX RESERVED ``` ## Provision Virtual Machines -All the VMs in this lab will be provisioned using Ubuntu 16.04 mainly because it runs a newish Linux Kernel that has good support for Docker. +All the VMs in this lab will be provisioned using Ubuntu 16.04 mainly because it runs a newish Linux kernel with good support for Docker. ### Virtual Machines diff --git a/docs/02-certificate-authority.md b/docs/02-certificate-authority.md index ac0b73d..0665d57 100644 --- a/docs/02-certificate-authority.md +++ b/docs/02-certificate-authority.md @@ -2,13 +2,12 @@ In this lab you will setup the necessary PKI infrastructure to secure the Kubernetes components. This lab will leverage CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), to bootstrap a Certificate Authority and generate TLS certificates. -In this lab you will generate a single set of TLS certificates that can be used to secure the following Kubernetes components: +In this lab you will generate a set of TLS certificates that can be used to secure the following Kubernetes components: * etcd -* Kubernetes API Server -* Kubernetes Kubelet - -> In production you should strongly consider generating individual TLS certificates for each component. +* kube-apiserver +* kubelet +* kube-proxy After completing this lab you should have the following TLS keys and certificates: @@ -42,7 +41,6 @@ chmod +x cfssljson_darwin-amd64 sudo mv cfssljson_darwin-amd64 /usr/local/bin/cfssljson ``` - ### Linux ``` @@ -57,12 +55,13 @@ chmod +x cfssljson_linux-amd64 sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson ``` -## Setting up a Certificate Authority +## Set up a Certificate Authority -### Create the CA configuration file +Create a CA configuration file: ``` -echo '{ +cat > ca-config.json < ca-config.json +} +EOF ``` -### Generate the CA certificate and private key +Create a CA certificate signing request: -Create the CA CSR: ``` -echo '{ +cat > ca-csr.json < ca-csr.json +} +EOF ``` Generate the CA certificate and private key: @@ -110,40 +111,17 @@ Results: ``` ca-key.pem -ca.csr ca.pem ``` -### Verification +## Generate client and server TLS certificates -``` -openssl x509 -in ca.pem -text -noout -``` +In this section we will generate TLS certificates for all each Kubernetes component and a client certificate for an admin client. -## Generate the single Kubernetes TLS Cert -In this section we will generate a TLS certificate that will be valid for all Kubernetes components. This is being done for ease of use. In production you should strongly consider generating individual TLS certificates for each component. (But all replicas of a given component must share the same certificate.) +### Create the Admin client certificate -### Set the Kubernetes Public Address - -#### GCE - -``` -KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes \ - --format 'value(address)') -``` - -#### AWS - -``` -KUBERNETES_PUBLIC_ADDRESS=$(aws elb describe-load-balancers \ - --load-balancer-name kubernetes | \ - jq -r '.LoadBalancerDescriptions[].DNSName') -``` - ---- - -Create the `admin-csr.json` file: +Create the admin client certificate signing request: ``` cat > admin-csr.json < admin-csr.json < kube-proxy-csr.json < kube-proxy-csr.json < kubernetes-csr.json < kubernetes-csr.json <