mirrors
/
kubernetes-the-hard-way
mirror of https://github.com/kelseyhightower/kubernetes-the-hard-way
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

update for 1.6

pull/137/head
Kelsey Hightower 2017-03-25 09:44:23 -07:00
parent 6827ce575e
commit 7e009610b2
3 changed files with 89 additions and 123 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
docs/01-infrastructure-gcp.md
View File

@ -22,9 +22,9 @@ worker2 us-central1-f n1-standard-1 10.240.0.22 XXX.XXX.XXX
To make our Kubernetes control plane remotely accessible, a public IP address will be provisioned and assigned to a Load Balancer that will sit in front of the 3 Kubernetes controllers. To make our Kubernetes control plane remotely accessible, a public IP address will be provisioned and assigned to a Load Balancer that will sit in front of the 3 Kubernetes controllers.
## Networking ## Prerequisites
Set the region and zone to us-central1: Set the compute region and zone to us-central1:
``` ```
gcloud config set compute/region us-central1 gcloud config set compute/region us-central1
@ -34,106 +34,78 @@ gcloud config set compute/region us-central1
gcloud config set compute/zone us-central1-f gcloud config set compute/zone us-central1-f
``` ```
Create a Kubernetes network: ## Setup Networking
Create a custom network:
``` ```
gcloud compute networks create kubernetes --mode custom gcloud compute networks create kubernetes-the-hard-way --mode custom
``` ```
Create a subnet for the Kubernetes cluster: Create a subnet for the Kubernetes cluster:
``` ```
gcloud compute networks subnets create kubernetes \ gcloud compute networks subnets create kubernetes \
--network kubernetes \ --network kubernetes-the-hard-way \
--range 10.240.0.0/24 --range 10.240.0.0/24
``` ```
### Firewall Rules ### Create Firewall Rules
``` ```
gcloud compute firewall-rules create kubernetes-allow-icmp \ gcloud compute firewall-rules create allow-internal \
--allow icmp \ --allow tcp,udp,icmp \
--network kubernetes \ --network kubernetes-the-hard-way \
--source-ranges 10.240.0.0/24,10.200.0.0/16
```
```
gcloud compute firewall-rules create allow-external \
--allow tcp:22,tcp:3389,tcp:6443,icmp \
--network kubernetes-the-hard-way \
--source-ranges 0.0.0.0/0 --source-ranges 0.0.0.0/0
``` ```
``` ```
gcloud compute firewall-rules create kubernetes-allow-internal \ gcloud compute firewall-rules create allow-healthz \
--allow tcp:0-65535,udp:0-65535,icmp \
--network kubernetes \
--source-ranges 10.240.0.0/24
```
```
gcloud compute firewall-rules create kubernetes-allow-internal-podcidr \
--allow tcp:0-65535,udp:0-65535,icmp \
--network kubernetes \
--source-ranges 10.200.0.0/16
```
```
gcloud compute firewall-rules create kubernetes-allow-rdp \
--allow tcp:3389 \
--network kubernetes \
--source-ranges 0.0.0.0/0
```
```
gcloud compute firewall-rules create kubernetes-allow-ssh \
--allow tcp:22 \
--network kubernetes \
--source-ranges 0.0.0.0/0
```
```
gcloud compute firewall-rules create kubernetes-allow-healthz \
--allow tcp:8080 \ --allow tcp:8080 \
--network kubernetes \ --network kubernetes-the-hard-way \
--source-ranges 130.211.0.0/22 --source-ranges 130.211.0.0/22
``` ```
```
gcloud compute firewall-rules create kubernetes-allow-api-server \
--allow tcp:6443 \
--network kubernetes \
--source-ranges 0.0.0.0/0
```
``` ```
gcloud compute firewall-rules list --filter "network=kubernetes" gcloud compute firewall-rules list --filter "network=kubernetes-the-hard-way"
``` ```
``` ```
NAME NETWORK SRC_RANGES RULES SRC_TAGS TARGET_TAGS NAME NETWORK SRC_RANGES RULES SRC_TAGS TARGET_TAGS
kubernetes-allow-api-server kubernetes 0.0.0.0/0 tcp:6443 allow-external kubernetes-the-hard-way 0.0.0.0/0 tcp:22,tcp:3389,tcp:6443,icmp
kubernetes-allow-healthz kubernetes 130.211.0.0/22 tcp:8080 allow-healthz kubernetes-the-hard-way 130.211.0.0/22 tcp:8080
kubernetes-allow-icmp kubernetes 0.0.0.0/0 icmp allow-internal kubernetes-the-hard-way 10.240.0.0/24,10.200.0.0/16 tcp,udp,icmp
kubernetes-allow-internal kubernetes 10.240.0.0/24 tcp:0-65535,udp:0-65535,icmp
kubernetes-allow-internal-podcidr kubernetes 10.200.0.0/16 tcp:0-65535,udp:0-65535,icmp
kubernetes-allow-rdp kubernetes 0.0.0.0/0 tcp:3389
kubernetes-allow-ssh kubernetes 0.0.0.0/0 tcp:22
``` ```
### Kubernetes Public Address ### Create the Kubernetes Public Address
Create a public IP address that will be used by remote clients to connect to the Kubernetes control plane: Create a public IP address that will be used by remote clients to connect to the Kubernetes control plane:
``` ```
gcloud compute addresses create kubernetes --region=us-central1 gcloud compute addresses create kubernetes-the-hard-way --region=us-central1
``` ```
``` ```
gcloud compute addresses list kubernetes gcloud compute addresses list kubernetes-the-hard-way
``` ```
``` ```
NAME REGION ADDRESS STATUS NAME REGION ADDRESS STATUS
kubernetes us-central1 XXX.XXX.XXX.XXX RESERVED kubernetes-the-hard-way us-central1 XXX.XXX.XXX.XXX RESERVED
``` ```
## Provision Virtual Machines ## Provision Virtual Machines
All the VMs in this lab will be provisioned using Ubuntu 16.04 mainly because it runs a newish Linux Kernel that has good support for Docker. All the VMs in this lab will be provisioned using Ubuntu 16.04 mainly because it runs a newish Linux kernel with good support for Docker.
### Virtual Machines ### Virtual Machines

122
docs/02-certificate-authority.md
View File

@ -2,13 +2,12 @@
In this lab you will setup the necessary PKI infrastructure to secure the Kubernetes components. This lab will leverage CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), to bootstrap a Certificate Authority and generate TLS certificates. In this lab you will setup the necessary PKI infrastructure to secure the Kubernetes components. This lab will leverage CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), to bootstrap a Certificate Authority and generate TLS certificates.
In this lab you will generate a single set of TLS certificates that can be used to secure the following Kubernetes components: In this lab you will generate a set of TLS certificates that can be used to secure the following Kubernetes components:
* etcd * etcd
* Kubernetes API Server * kube-apiserver
* Kubernetes Kubelet * kubelet
* kube-proxy
> In production you should strongly consider generating individual TLS certificates for each component.
After completing this lab you should have the following TLS keys and certificates: After completing this lab you should have the following TLS keys and certificates:
@ -42,7 +41,6 @@ chmod +x cfssljson_darwin-amd64
sudo mv cfssljson_darwin-amd64 /usr/local/bin/cfssljson sudo mv cfssljson_darwin-amd64 /usr/local/bin/cfssljson
``` ```
### Linux ### Linux
``` ```
@ -57,12 +55,13 @@ chmod +x cfssljson_linux-amd64
sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
``` ```
## Setting up a Certificate Authority ## Set up a Certificate Authority
### Create the CA configuration file Create a CA configuration file:
``` ```
echo '{ cat > ca-config.json <<EOF
{
"signing": { "signing": {
"default": { "default": {
"expiry": "8760h" "expiry": "8760h"
@ -74,15 +73,16 @@ echo '{
} }
} }
} }
}' > ca-config.json }
EOF
``` ```
### Generate the CA certificate and private key Create a CA certificate signing request:
Create the CA CSR:
``` ```
echo '{ cat > ca-csr.json <<EOF
{
"CN": "Kubernetes", "CN": "Kubernetes",
"key": { "key": {
"algo": "rsa", "algo": "rsa",
@ -97,7 +97,8 @@ echo '{
"ST": "Oregon" "ST": "Oregon"
} }
] ]
}' > ca-csr.json }
EOF
``` ```
Generate the CA certificate and private key: Generate the CA certificate and private key:
@ -110,40 +111,17 @@ Results:
``` ```
ca-key.pem ca-key.pem
ca.csr
ca.pem ca.pem
``` ```
### Verification ## Generate client and server TLS certificates
``` In this section we will generate TLS certificates for all each Kubernetes component and a client certificate for an admin client.
openssl x509 -in ca.pem -text -noout
```
## Generate the single Kubernetes TLS Cert
In this section we will generate a TLS certificate that will be valid for all Kubernetes components. This is being done for ease of use. In production you should strongly consider generating individual TLS certificates for each component. (But all replicas of a given component must share the same certificate.) ### Create the Admin client certificate
### Set the Kubernetes Public Address Create the admin client certificate signing request:
#### GCE
```
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes \
--format 'value(address)')
```
#### AWS
```
KUBERNETES_PUBLIC_ADDRESS=$(aws elb describe-load-balancers \
--load-balancer-name kubernetes | \
jq -r '.LoadBalancerDescriptions[].DNSName')
```
---
Create the `admin-csr.json` file:
``` ```
cat > admin-csr.json <<EOF cat > admin-csr.json <<EOF
@ -167,7 +145,7 @@ cat > admin-csr.json <<EOF
EOF EOF
``` ```
Generate the admin certificate and private key: Generate the admin client certificate and private key:
``` ```
cfssl gencert \ cfssl gencert \
@ -182,11 +160,12 @@ Results:
``` ```
admin-key.pem admin-key.pem
admin.csr
admin.pem admin.pem
``` ```
Create the `kube-proxy-csr.json` file: ### Create the kube-proxy client certificate
Create the kube-proxy client certificate signing request:
``` ```
cat > kube-proxy-csr.json <<EOF cat > kube-proxy-csr.json <<EOF
@ -210,7 +189,7 @@ cat > kube-proxy-csr.json <<EOF
EOF EOF
``` ```
Generate the node-proxier certificate and private key: Generate the kube-proxy client certificate and private key:
``` ```
cfssl gencert \ cfssl gencert \
@ -225,12 +204,34 @@ Results:
``` ```
kube-proxy-key.pem kube-proxy-key.pem
kube-proxy.csr
kube-proxy.pem kube-proxy.pem
``` ```
### Create the kubernetes server certificate
Create the `kubernetes-csr.json` file: Set the Kubernetes Public IP Address
The Kubernetes public IP address will be included in the list of subject alternative names for the Kubernetes server certificate. This will ensure the TLS certificate is valid for remote client access.
#### GCE
```
KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
--region us-central1 \
--format 'value(address)')
```
#### AWS
```
KUBERNETES_PUBLIC_ADDRESS=$(aws elb describe-load-balancers \
--load-balancer-name kubernetes | \
jq -r '.LoadBalancerDescriptions[].DNSName')
```
---
Create the kubernetes server certificate signing request:
``` ```
cat > kubernetes-csr.json <<EOF cat > kubernetes-csr.json <<EOF
@ -241,9 +242,9 @@ cat > kubernetes-csr.json <<EOF
"10.240.0.10", "10.240.0.10",
"10.240.0.11", "10.240.0.11",
"10.240.0.12", "10.240.0.12",
"ip-10-240-0-20", "ip-10-240-0-10",
"ip-10-240-0-21", "ip-10-240-0-11",
"ip-10-240-0-22", "ip-10-240-0-12",
"${KUBERNETES_PUBLIC_ADDRESS}", "${KUBERNETES_PUBLIC_ADDRESS}",
"127.0.0.1", "127.0.0.1",
"kubernetes.default" "kubernetes.default"
@ -280,22 +281,15 @@ Results:
``` ```
kubernetes-key.pem kubernetes-key.pem
kubernetes.csr
kubernetes.pem kubernetes.pem
``` ```
### Verification ## Distribute the TLS certificates
```
openssl x509 -in kubernetes.pem -text -noout
```
## Copy TLS Certs
Set the list of Kubernetes hosts where the certs should be copied to: Set the list of Kubernetes hosts where the certs should be copied to:
``` ```
KUBERNETES_HOSTS=(controller0 controller1 controller2 worker0 worker1 worker2) KUBERNETES_WORKERS=(worker0 worker1 worker2)
``` ```
``` ```
@ -309,8 +303,8 @@ The following command will:
* Copy the TLS certificates and keys to each Kubernetes host using the `gcloud compute copy-files` command. * Copy the TLS certificates and keys to each Kubernetes host using the `gcloud compute copy-files` command.
``` ```
for host in ${KUBERNETES_HOSTS[*]}; do for host in ${KUBERNETES_WORKERS[*]}; do
gcloud compute copy-files ca.pem ${host}:~/ gcloud compute copy-files ca.pem kube-proxy.pem kube-proxy-key.pem ${host}:~/
done done
``` ```
@ -327,17 +321,17 @@ The following command will:
* Copy the TLS certificates and keys to each Kubernetes host using `scp` * Copy the TLS certificates and keys to each Kubernetes host using `scp`
``` ```
for host in ${KUBERNETES_HOSTS[*]}; do for host in ${KUBERNETES_WORKERS[*]}; do
PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \ PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${host}" | \ --filters "Name=tag:Name,Values=${host}" | \
jq -r '.Reservations[].Instances[].PublicIpAddress') jq -r '.Reservations[].Instances[].PublicIpAddress')
scp -o "StrictHostKeyChecking no" ca.pem \ scp -o "StrictHostKeyChecking no" ca.pem kube-proxy.pem kube-proxy-key.pem \
ubuntu@${PUBLIC_IP_ADDRESS}:~/ ubuntu@${PUBLIC_IP_ADDRESS}:~/
done done
``` ```
``` ```
for host in ${KUBERNETES_HOSTS[*]}; do for host in ${KUBERNETES_CONTROLLERS[*]}; do
PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \ PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${host}" | \ --filters "Name=tag:Name,Values=${host}" | \
jq -r '.Reservations[].Instances[].PublicIpAddress') jq -r '.Reservations[].Instances[].PublicIpAddress')

2
docs/11-cleanup.md
View File

@ -13,7 +13,7 @@ gcloud -q compute instances delete \
### Networking ### Networking
``` ```
gcloud -q compute forwarding-rules delete kubernetes-rule gcloud -q compute forwarding-rules delete kubernetes-rule --region us-central1
``` ```
``` ```