From 4d187fa03814a71bebc27349df71fc875080f2cf Mon Sep 17 00:00:00 2001 From: Mike Stevenson Date: Tue, 10 Oct 2017 22:28:21 -0700 Subject: [PATCH 01/17] adding commands/scripts for windows Signed-off-by: Mike Stevenson --- docs/02-client-tools.md | 21 +++ docs/03-compute-resources.md | 81 +++++++++ docs/04-certificate-authority.md | 209 ++++++++++++++++++++++ docs/05-kubernetes-configuration-files.md | 70 ++++++++ docs/06-data-encryption-keys.md | 32 ++++ 5 files changed, 413 insertions(+) diff --git a/docs/02-client-tools.md b/docs/02-client-tools.md index 738b879..25ef8a1 100644 --- a/docs/02-client-tools.md +++ b/docs/02-client-tools.md @@ -44,6 +44,21 @@ sudo mv cfssl_linux-amd64 /usr/local/bin/cfssl sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson ``` +### Windows + +``` +Invoke-WebRequest -Uri https://pkg.cfssl.org/R1.2/cfssl_windows-amd64.exe -OutFile cfssl.exe +``` + +``` +Invoke-WebRequest -Uri https://pkg.cfssl.org/R1.2/cfssljson_windows-amd64.exe -OutFile cfssljson.exe +``` + +Add the current directory to the path (this will not persist between sessions): +``` +$env:Path += ";$(Get-Location)" +``` + ### Verification Verify `cfssl` version 1.2.0 or higher is installed: @@ -94,6 +109,12 @@ chmod +x kubectl sudo mv kubectl /usr/local/bin/ ``` +### Windows + +``` +Invoke-WebRequest -Uri https://storage.googleapis.com/kubernetes-release/release/v1.8.0/bin/windows/amd64/kubectl.exe -OutFile kubectl.exe +``` + ### Verification Verify `kubectl` version 1.8.0 or higher is installed: diff --git a/docs/03-compute-resources.md b/docs/03-compute-resources.md index d81202d..16801a5 100644 --- a/docs/03-compute-resources.md +++ b/docs/03-compute-resources.md 
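Review bot: The Windows kubectl block downloads `kubectl.exe` into the working directory but does not repeat the PATH step, so it is only found if the reader is still in the directory the earlier `$env:Path += ";$(Get-Location)"` line recorded; the prose should say so. Suggested sentence after "Add the current directory to the path (this will not persist between sessions):": `Run this from the directory that holds cfssl.exe; kubectl.exe below is downloaded into the same directory and relies on this PATH entry.` It is also worth stating that `Get-Location` is captured once as an absolute path, so changing directories later does not move the entry.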
@@ -24,18 +24,29 @@ A [subnet](https://cloud.google.com/compute/docs/vpc/#vpc_networks_and_subnets) Create the `kubernetes` subnet in the `kubernetes-the-hard-way` VPC network: +##### Linux & OS X ``` gcloud compute networks subnets create kubernetes \ --network kubernetes-the-hard-way \ --range 10.240.0.0/24 ``` +#### Windows + +``` +gcloud compute networks subnets create kubernetes ` + --network kubernetes-the-hard-way ` + --range 10.240.0.0/24 +``` + > The `10.240.0.0/24` IP address range can host up to 254 compute instances. ### Firewall Rules Create a firewall rule that allows internal communication across all protocols: +#### Linux & OS X + ``` gcloud compute firewall-rules create kubernetes-the-hard-way-allow-internal \ --allow tcp,udp,icmp \ @@ -43,8 +54,19 @@ gcloud compute firewall-rules create kubernetes-the-hard-way-allow-internal \ --source-ranges 10.240.0.0/24,10.200.0.0/16 ``` +#### Windows + +``` +gcloud compute firewall-rules create kubernetes-the-hard-way-allow-internal ` + --allow tcp,udp,icmp ` + --network kubernetes-the-hard-way ` + --source-ranges 10.240.0.0/24,10.200.0.0/16 +``` + Create a firewall rule that allows external SSH, ICMP, and HTTPS: +#### Linux & OS X + ``` gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external \ --allow tcp:22,tcp:6443,icmp \ @@ -52,6 +74,15 @@ gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external \ --source-ranges 0.0.0.0/0 ``` +#### Windows + +``` +gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external ` + --allow tcp:22,tcp:6443,icmp ` + --network kubernetes-the-hard-way ` + --source-ranges 0.0.0.0/0 +``` + > An [external load balancer](https://cloud.google.com/compute/docs/load-balancing/network/) will be used to expose the Kubernetes API Servers to remote clients. List the firewall rules in the `kubernetes-the-hard-way` VPC network: 
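Review bot: The unquoted comma-separated values in the new Windows blocks (`--allow tcp,udp,icmp`, `--source-ranges 10.240.0.0/24,10.200.0.0/16`, `--allow tcp:22,tcp:6443,icmp`) are likely split by PowerShell, which treats an unquoted comma in argument mode as the array operator and hands each element to a native command as a separate argument; please confirm on a Windows host, and quote the values either way, e.g. `--allow "tcp,udp,icmp"`. The same applies to the `--scopes` and `--tags` values in the controller and worker creation blocks later in this file and to the `-hostname` values in the 04-certificate-authority changes of this series. Separately, the subnet block is headed `##### Linux & OS X` (five hashes) while every other OS heading in the file uses four; `#### Linux & OS X` keeps the levels consistent.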
@@ -72,11 +103,20 @@ kubernetes-the-hard-way-allow-internal kubernetes-the-hard-way INGRESS Allocate a static IP address that will be attached to the external load balancer fronting the Kubernetes API Servers: +#### Linux & OS X + ``` gcloud compute addresses create kubernetes-the-hard-way \ --region $(gcloud config get-value compute/region) ``` +#### Windows + +``` +gcloud compute addresses create kubernetes-the-hard-way ` + --region $(gcloud config get-value compute/region) +``` + Verify the `kubernetes-the-hard-way` static IP address was created in your default compute region: ``` @@ -98,6 +138,8 @@ The compute instances in this lab will be provisioned using [Ubuntu Server](http Create three compute instances which will host the Kubernetes control plane: +#### Linux & OS X + ``` for i in 0 1 2; do gcloud compute instances create controller-${i} \ @@ -114,6 +156,24 @@ for i in 0 1 2; do done ``` +#### Windows + +``` +@(0,1,2) | ForEach-Object { + gcloud compute instances create controller-$_ ` + --async ` + --boot-disk-size 200GB ` + --can-ip-forward ` + --image-family ubuntu-1604-lts ` + --image-project ubuntu-os-cloud ` + --machine-type n1-standard-1 ` + --private-network-ip 10.240.0.1$_ ` + --scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring ` + --subnet kubernetes ` + --tags kubernetes-the-hard-way,controller +} +``` + ### Kubernetes Workers Each worker instance requires a pod subnet allocation from the Kubernetes cluster CIDR range. The pod subnet allocation will be used to configure container networking in a later exercise. The `pod-cidr` instance metadata will be used to expose pod subnet allocations to compute instances at runtime. @@ -122,6 +182,8 @@ Each worker instance requires a pod subnet allocation from the Kubernetes cluste Create three compute instances which will host the Kubernetes worker nodes: +#### Linux & OS X + ``` for i in 0 1 2; do gcloud compute instances create worker-${i} \ 
@@ -139,6 +201,25 @@ for i in 0 1 2; do done ``` +#### Windows + +``` +@(0,1,2) | ForEach-Object { + gcloud compute instances create worker-$_ \ + --async \ + --boot-disk-size 200GB \ + --can-ip-forward \ + --image-family ubuntu-1604-lts \ + --image-project ubuntu-os-cloud \ + --machine-type n1-standard-1 \ + --metadata pod-cidr=10.200.$_.0/24 \ + --private-network-ip 10.240.0.2$_ \ + --scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring \ + --subnet kubernetes \ + --tags kubernetes-the-hard-way,worker +} +``` + ### Verification List the compute instances in your default compute zone: diff --git a/docs/04-certificate-authority.md b/docs/04-certificate-authority.md index 7229356..48c3c80 100644 --- a/docs/04-certificate-authority.md +++ b/docs/04-certificate-authority.md @@ -8,6 +8,7 @@ In this section you will provision a Certificate Authority that can be used to g Create the CA configuration file: +#### Linux & OS X ``` cat > ca-config.json < ca-config.json < ca-csr.json < ca-csr.json < admin-csr.json < admin-csr.json < ${instance}-csr.json < kube-proxy-csr.json < kube-proxy-csr.json < kubernetes-csr.json < kubernetes-csr.json < The `kube-proxy` and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab. Next: [Generating Kubernetes Configuration Files for Authentication](05-kubernetes-configuration-files.md) diff --git a/docs/05-kubernetes-configuration-files.md b/docs/05-kubernetes-configuration-files.md index 0b8974b..53743bf 100644 --- a/docs/05-kubernetes-configuration-files.md +++ b/docs/05-kubernetes-configuration-files.md 
@@ -14,18 +14,27 @@ Each kubeconfig requires a Kubernetes API Server to connect to. To support high Retrieve the `kubernetes-the-hard-way` static IP address: +#### Linux & OS X ``` KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \ --region $(gcloud config get-value compute/region) \ --format 'value(address)') ``` +#### Windows +``` +$KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way ` + --region $(gcloud config get-value compute/region) ` + --format 'value(address)') +``` + ### The kubelet Kubernetes Configuration File When generating kubeconfig files for Kubelets the client certificate matching the Kubelet's node name must be used. This will ensure Kubelets are properly authorized by the Kubernetes [Node Authorizer](https://kubernetes.io/docs/admin/authorization/node/). Generate a kubeconfig file for each worker node: +#### Linux & OS X ``` for instance in worker-0 worker-1 worker-2; do kubectl config set-cluster kubernetes-the-hard-way \ @@ -49,6 +58,30 @@ for instance in worker-0 worker-1 worker-2; do done ``` +#### Windows +``` +@('worker-0','worker-1','worker-2') | ForEach-Object { + kubectl config set-cluster kubernetes-the-hard-way ` + --certificate-authority=ca.pem ` + --embed-certs=true ` + --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 ` + --kubeconfig=$_.kubeconfig + + kubectl config set-credentials system:node:$_ ` + --client-certificate=$_.pem ` + --client-key=$_-key.pem ` + --embed-certs=true ` + --kubeconfig=$_.kubeconfig + + kubectl config set-context default ` + --cluster=kubernetes-the-hard-way ` + --user=system:node:$_ ` + --kubeconfig=$_.kubeconfig + + kubectl config use-context default --kubeconfig=$_.kubeconfig +} +``` + Results: ``` @@ -61,6 +94,7 @@ worker-2.kubeconfig Generate a kubeconfig file for the `kube-proxy` service: +#### Linux & OS X ``` kubectl config set-cluster kubernetes-the-hard-way \ --certificate-authority=ca.pem \ 
@@ -88,14 +122,50 @@ kubectl config set-context default \ kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig ``` +#### Windows +``` +kubectl config set-cluster kubernetes-the-hard-way ` + --certificate-authority=ca.pem ` + --embed-certs=true ` + --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 ` + --kubeconfig=kube-proxy.kubeconfig +``` + +``` +kubectl config set-credentials kube-proxy ` + --client-certificate=kube-proxy.pem ` + --client-key=kube-proxy-key.pem ` + --embed-certs=true ` + --kubeconfig=kube-proxy.kubeconfig +``` + +``` +kubectl config set-context default ` + --cluster=kubernetes-the-hard-way ` + --user=kube-proxy ` + --kubeconfig=kube-proxy.kubeconfig +``` + +``` +kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig +``` + ## Distribute the Kubernetes Configuration Files Copy the appropriate `kubelet` and `kube-proxy` kubeconfig files to each worker instance: +#### Linux & OS X ``` for instance in worker-0 worker-1 worker-2; do gcloud compute scp ${instance}.kubeconfig kube-proxy.kubeconfig ${instance}:~/ done ``` +#### Windows +``` +@('worker-0','worker-1','worker-2') | ForEach-Object { + gcloud compute scp $_.kubeconfig kube-proxy.kubeconfig $_:/home/$env:USERNAME/ +} +``` + Next: [Generating the Data Encryption Config and Key](06-data-encryption-keys.md) diff --git a/docs/06-data-encryption-keys.md b/docs/06-data-encryption-keys.md index 233bce2..db2a040 100644 --- a/docs/06-data-encryption-keys.md +++ b/docs/06-data-encryption-keys.md 
@@ -8,14 +8,21 @@ In this lab you will generate an encryption key and an [encryption config](https Generate an encryption key: +#### Linux & OS X ``` ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64) ``` +#### Windows +``` +$ENCRYPTION_KEY=[System.Convert]::ToBase64String($(0..31 | ForEach-Object { Get-Random -Minimum 0 -Maximum 255 } )) +``` + ## The Encryption Config File Create the `encryption-config.yaml` encryption config file: +#### Linux & OS X ``` cat > encryption-config.yaml < Date: Tue, 24 Oct 2017 12:48:32 -0700 Subject: [PATCH 02/17] arglebargle --- docs/04-certificate-authority.md | 80 ++++++++++++++++---------------- 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/docs/04-certificate-authority.md b/docs/04-certificate-authority.md index 48c3c80..28dc781 100644 --- a/docs/04-certificate-authority.md +++ b/docs/04-certificate-authority.md 
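Review bot: The Windows block derives the 32-byte secrets-at-rest key from `Get-Random`, which is not a cryptographic random number generator, so the key is materially weaker than the `/dev/urandom` key on the Linux side; `-Maximum 255` is also exclusive, so the byte value 255 can never occur. Use the .NET CSPRNG instead: `$bytes = New-Object byte[] 32`, `[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)`, `$ENCRYPTION_KEY = [System.Convert]::ToBase64String($bytes)`. The rest of this hunk (the encryption-config here-string) is garbled on this page and was not reviewed.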
@@ -233,40 +233,40 @@ done #### Windows ``` -@(worker-0 worker-1 worker-2) | ForEach-Object { -New-Item $_-csr.json -Value @" -{ - "CN": "system:node:$_", - "key": { - "algo": "rsa", - "size": 2048 - }, - "names": [ - { - "C": "US", - "L": "Portland", - "O": "system:nodes", - "OU": "Kubernetes The Hard Way", - "ST": "Oregon" - } - ] -} -"@ + @('worker-0', 'worker-1', 'worker-2') | ForEach-Object { + New-Item $_-csr.json -Value @" + { + "CN": "system:node:$_", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "US", + "L": "Portland", + "O": "system:nodes", + "OU": "Kubernetes The Hard Way", + "ST": "Oregon" + } + ] + } + "@ -$EXTERNAL_IP=$(gcloud compute instances describe $_ ` - --format 'value(networkInterfaces[0].accessConfigs[0].natIP)') + $EXTERNAL_IP=$(gcloud compute instances describe $_ ` + --format 'value(networkInterfaces[0].accessConfigs[0].natIP)') -$INTERNAL_IP=$(gcloud compute instances describe $_ ` - --format 'value(networkInterfaces[0].networkIP)') + $INTERNAL_IP=$(gcloud compute instances describe $_ ` + --format 'value(networkInterfaces[0].networkIP)') -cfssl gencert ` - -ca=ca.pem ` - -ca-key=ca-key.pem ` - -config=ca-config.json ` - -hostname=$_,$EXTERNAL_IP,$INTERNAL_IP ` - -profile=kubernetes ` - $_-csr.json | cfssljson -bare $_ -} + cfssl gencert ` + -ca ca.pem ` + -ca-key ca-key.pem ` + -config ca-config.json ` + -hostname $_,$EXTERNAL_IP,$INTERNAL_IP ` + -profile kubernetes ` + $_-csr.json | cfssljson -bare $_ + } ``` Results: @@ -343,10 +343,10 @@ cfssl gencert \ #### Windows ``` cfssl gencert ` - -ca=ca.pem ` - -ca-key=ca-key.pem ` - -config=ca-config.json ` - -profile=kubernetes ` + -ca ca.pem ` + -ca-key ca-key.pem ` + -config ca-config.json ` + -profile kubernetes ` kube-proxy-csr.json | cfssljson -bare kube-proxy ``` 
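Review bot: `New-Item $_-csr.json -Value @"` fails with an "already exists" error if the loop is re-run, whereas the `cat > … <<EOF` it mirrors on the Linux side silently overwrites; add `-Force` (`New-Item -Force $_-csr.json -Value @"`) or write the CSR with `Set-Content`. The re-indented copy of this same block in the later "fix windows parm values and herestring" commit inherits the problem. The `-hostname $_,$EXTERNAL_IP,$INTERNAL_IP` line should also be quoted, since PowerShell is likely to split the unquoted comma list into separate arguments before cfssl sees it (`-hostname "$_,$EXTERNAL_IP,$INTERNAL_IP"`), which would also affect the `kubernetes` certificate hunk below.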
@@ -439,11 +439,11 @@ cfssl gencert \ #### Windows ``` cfssl gencert ` - -ca=ca.pem ` - -ca-key=ca-key.pem ` - -config=ca-config.json ` - -hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,$KUBERNETES_PUBLIC_ADDRESS,127.0.0.1,kubernetes.default ` - -profile=kubernetes ` + -ca ca.pem ` + -ca-key ca-key.pem ` + -config ca-config.json ` + -hostname 10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,$KUBERNETES_PUBLIC_ADDRESS,127.0.0.1,kubernetes.default ` + -profile kubernetes ` kubernetes-csr.json | cfssljson -bare kubernetes ``` From a7be480b2cd5ac61a40bb7b5c1803d45e816786d Mon Sep 17 00:00:00 2001 From: Mike Stevenson Date: Tue, 24 Oct 2017 12:59:05 -0700 Subject: [PATCH 03/17] fixing windows line continuations --- docs/03-compute-resources.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/03-compute-resources.md b/docs/03-compute-resources.md index 16801a5..8fc518d 100644 --- a/docs/03-compute-resources.md +++ b/docs/03-compute-resources.md @@ -205,17 +205,17 @@ done ``` @(0,1,2) | ForEach-Object { - gcloud compute instances create worker-$_ \ - --async \ - --boot-disk-size 200GB \ - --can-ip-forward \ - --image-family ubuntu-1604-lts \ - --image-project ubuntu-os-cloud \ - --machine-type n1-standard-1 \ - --metadata pod-cidr=10.200.$_.0/24 \ - --private-network-ip 10.240.0.2$_ \ - --scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring \ - --subnet kubernetes \ + gcloud compute instances create worker-$_ ` + --async ` + --boot-disk-size 200GB ` + --can-ip-forward ` + --image-family ubuntu-1604-lts ` + --image-project ubuntu-os-cloud ` + --machine-type n1-standard-1 ` + --metadata pod-cidr=10.200.$_.0/24 ` + --private-network-ip 10.240.0.2$_ ` + --scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring ` + --subnet kubernetes ` --tags kubernetes-the-hard-way,worker } ``` From 31f985a30d27c2744e4c1d05b654ff705333644f Mon Sep 17 00:00:00 2001 
From: Mike Stevenson Date: Tue, 24 Oct 2017 13:22:27 -0700 Subject: [PATCH 04/17] fix windows parm values and herestring --- docs/04-certificate-authority.md | 70 ++++++++++++++++---------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/docs/04-certificate-authority.md b/docs/04-certificate-authority.md index 28dc781..01ad29b 100644 --- a/docs/04-certificate-authority.md +++ b/docs/04-certificate-authority.md @@ -172,10 +172,10 @@ cfssl gencert \ #### Windows ``` cfssl gencert ` - -ca=ca.pem ` - -ca-key=ca-key.pem ` - -config=ca-config.json ` - -profile=kubernetes ` + -ca ca.pem ` + -ca-key ca-key.pem ` + -config ca-config.json ` + -profile kubernetes ` admin-csr.json | cfssljson -bare admin ``` 
@@ -233,40 +233,40 @@ done #### Windows ``` - @('worker-0', 'worker-1', 'worker-2') | ForEach-Object { - New-Item $_-csr.json -Value @" - { - "CN": "system:node:$_", - "key": { - "algo": "rsa", - "size": 2048 - }, - "names": [ - { - "C": "US", - "L": "Portland", - "O": "system:nodes", - "OU": "Kubernetes The Hard Way", - "ST": "Oregon" - } - ] - } - "@ +@('worker-0', 'worker-1', 'worker-2') | ForEach-Object { +New-Item $_-csr.json -Value @" +{ + "CN": "system:node:$_", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "US", + "L": "Portland", + "O": "system:nodes", + "OU": "Kubernetes The Hard Way", + "ST": "Oregon" + } + ] +} +"@ - $EXTERNAL_IP=$(gcloud compute instances describe $_ ` - --format 'value(networkInterfaces[0].accessConfigs[0].natIP)') +$EXTERNAL_IP=$(gcloud compute instances describe $_ ` + --format 'value(networkInterfaces[0].accessConfigs[0].natIP)') - $INTERNAL_IP=$(gcloud compute instances describe $_ ` - --format 'value(networkInterfaces[0].networkIP)') +$INTERNAL_IP=$(gcloud compute instances describe $_ ` + --format 'value(networkInterfaces[0].networkIP)') - cfssl gencert ` - -ca ca.pem ` - -ca-key ca-key.pem ` - -config ca-config.json ` - -hostname $_,$EXTERNAL_IP,$INTERNAL_IP ` - -profile kubernetes ` - $_-csr.json | cfssljson -bare $_ - } +cfssl gencert ` + -ca ca.pem ` + -ca-key ca-key.pem ` + -config ca-config.json ` + -hostname $_,$EXTERNAL_IP,$INTERNAL_IP ` + -profile kubernetes ` + $_-csr.json | cfssljson -bare $_ +} ``` Results: From 51b8ea85b539e56fad9f0f04dbf762f912f91a57 Mon Sep 17 00:00:00 2001 From: Mike Stevenson Date: Tue, 24 Oct 2017 13:29:27 -0700 Subject: [PATCH 05/17] posh gets confused about variable names somtimes Signed-off-by: Mike Stevenson --- docs/05-kubernetes-configuration-files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/05-kubernetes-configuration-files.md b/docs/05-kubernetes-configuration-files.md index 53743bf..8d8f8eb 100644 
--- a/docs/05-kubernetes-configuration-files.md +++ b/docs/05-kubernetes-configuration-files.md @@ -164,7 +164,7 @@ done #### Windows ``` @('worker-0','worker-1','worker-2') | ForEach-Object { - gcloud compute scp $_.kubeconfig kube-proxy.kubeconfig $_:/home/$env:USERNAME/ + gcloud compute scp "$_.kubeconfig" kube-proxy.kubeconfig ${_}:/home/$env:USERNAME/ } ``` From 8fd590bbba5914ddab6478723755bd49ac96ce3f Mon Sep 17 00:00:00 2001 From: Mike Stevenson Date: Tue, 24 Oct 2017 15:02:49 -0700 Subject: [PATCH 06/17] adding windows commands Signed-off-by: Mike Stevenson --- ...08-bootstrapping-kubernetes-controllers.md | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/docs/08-bootstrapping-kubernetes-controllers.md b/docs/08-bootstrapping-kubernetes-controllers.md index b526bbc..da3610e 100644 --- a/docs/08-bootstrapping-kubernetes-controllers.md +++ b/docs/08-bootstrapping-kubernetes-controllers.md @@ -257,6 +257,7 @@ In this section you will provision an external load balancer to front the Kubern Create the external load balancer network resources: +#### Linux & OS X ``` gcloud compute target-pools create kubernetes-target-pool ``` 
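Review bot: The destination `${_}:/home/$env:USERNAME/` assumes the remote account `gcloud compute scp` logs in as has the same name as the local Windows user, which matches gcloud's default username choice but not an explicit `user@` override or an OS Login-mapped username; the Linux block avoids the assumption with `${instance}:~/`. Consider `${_}:~/` here as well, since the tilde is expanded by the remote shell, provided PowerShell passes it through untouched — confirm on a Windows host.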
@@ -280,22 +281,68 @@ gcloud compute forwarding-rules create kubernetes-forwarding-rule \ --target-pool kubernetes-target-pool ``` +#### Windows +``` +gcloud compute target-pools create kubernetes-target-pool +``` + +``` +gcloud compute target-pools add-instances kubernetes-target-pool ` + --instances controller-0,controller-1,controller-2 +``` + +``` +$KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way ` + --region $(gcloud config get-value compute/region) ` + --format 'value(address)') +``` + +``` +gcloud compute forwarding-rules create kubernetes-forwarding-rule ` + --address ${KUBERNETES_PUBLIC_ADDRESS} ` + --ports 6443 ` + --region $(gcloud config get-value compute/region) ` + --target-pool kubernetes-target-pool +``` + ### Verification Retrieve the `kubernetes-the-hard-way` static IP address: +#### Linux & OS X ``` KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \ --region $(gcloud config get-value compute/region) \ --format 'value(address)') ``` +#### Windows +``` +$KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way ` + --region $(gcloud config get-value compute/region) ` + --format 'value(address)') +``` + Make a HTTP request for the Kubernetes version info: +#### Linux & OS X ``` curl --cacert ca.pem https://${KUBERNETES_PUBLIC_ADDRESS}:6443/version ``` +#### Windows +``` +Import-Certificate -CertStoreLocation Cert:\CurrentUser\Root -FilePath ca.pem +``` +This command will generate a warning making sure you want to install this certificate. Click Yes to install. +``` +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +``` + +``` +(Invoke-WebRequest https://${KUBERNETES_PUBLIC_ADDRESS}:6443/version).Content +``` + > output ``` From b2921f5be923ad1d7d55a7c3500ff29809198465 Mon Sep 17 00:00:00 2001 From: Mike Stevenson Date: Tue, 24 Oct 2017 15:53:00 -0700 Subject: [PATCH 07/17] adding windows commands 
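Review bot: `Import-Certificate -CertStoreLocation Cert:\CurrentUser\Root -FilePath ca.pem` makes the lab CA a trusted root for every application running as this user, not just for the single request that the Linux `curl --cacert ca.pem` scopes it to; with `ca-key.pem` sitting in the working directory, that key can now issue certificates this user's applications will trust until the entry is removed in the cleanup lab. Prefer a per-request trust anchor where one exists (`curl.exe --cacert ca.pem https://${KUBERNETES_PUBLIC_ADDRESS}:6443/version` on Windows builds that ship curl.exe) and, if the import is kept, say right here that it must be undone in the cleanup lab. The `[Net.ServicePointManager]::SecurityProtocol` assignment is process-wide and should be described as such. Also, `Invoke-WebRequest` on Windows PowerShell 5.1 parses responses with the Internet Explorer engine unless `-UseBasicParsing` is given and can stall where IE first-run setup never completed; add `-UseBasicParsing` here and in the three `Invoke-WebRequest` calls added by the later 13-smoke-test hunks.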
Signed-off-by: Mike Stevenson --- docs/10-configuring-kubectl.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/docs/10-configuring-kubectl.md b/docs/10-configuring-kubectl.md index d7258fa..2597757 100644 --- a/docs/10-configuring-kubectl.md +++ b/docs/10-configuring-kubectl.md @@ -10,14 +10,23 @@ Each kubeconfig requires a Kubernetes API Server to connect to. To support high Retrieve the `kubernetes-the-hard-way` static IP address: +#### Linux & OS X ``` KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \ --region $(gcloud config get-value compute/region) \ --format 'value(address)') ``` +#### Windows +``` +$KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way ` + --region $(gcloud config get-value compute/region) ` + --format 'value(address)') +``` + Generate a kubeconfig file suitable for authenticating as the `admin` user: +#### Linux & OS X ``` kubectl config set-cluster kubernetes-the-hard-way \ --certificate-authority=ca.pem \ @@ -41,6 +50,30 @@ kubectl config set-context kubernetes-the-hard-way \ kubectl config use-context kubernetes-the-hard-way ``` +#### Windows +``` +kubectl config set-cluster kubernetes-the-hard-way ` + --certificate-authority=ca.pem ` + --embed-certs=true ` + --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 +``` + +``` +kubectl config set-credentials admin ` + --client-certificate=admin.pem ` + --client-key=admin-key.pem +``` + +``` +kubectl config set-context kubernetes-the-hard-way ` + --cluster=kubernetes-the-hard-way ` + --user=admin +``` + +``` +kubectl config use-context kubernetes-the-hard-way +``` + ## Verification Check the health of the remote Kubernetes cluster: From 197fc5029cd11d70c2bfa2d333c88c6bae725dfe Mon Sep 17 00:00:00 2001 From: Mike Stevenson Date: Tue, 24 Oct 2017 16:29:42 -0700 Subject: [PATCH 08/17] adding windows commands 
Signed-off-by: Mike Stevenson --- docs/11-pod-network-routes.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/11-pod-network-routes.md b/docs/11-pod-network-routes.md index 96db243..c262d61 100644 --- a/docs/11-pod-network-routes.md +++ b/docs/11-pod-network-routes.md @@ -12,6 +12,7 @@ In this section you will gather the information required to create routes in the Print the internal IP address and Pod CIDR range for each worker instance: +#### Linux & OS X ``` for instance in worker-0 worker-1 worker-2; do gcloud compute instances describe ${instance} \ @@ -19,6 +20,13 @@ for instance in worker-0 worker-1 worker-2; do done ``` +#### Windows +``` +@('worker-0','worker-1','worker-2') | ForEach-Object { + gcloud compute instances describe $_ ` + --format 'value[separator=" "](networkInterfaces[0].networkIP,metadata.items[0].value)' +} +``` > output ``` @@ -31,6 +39,7 @@ done Create network routes for each worker instance: +#### Linux & OS X ``` for i in 0 1 2; do gcloud compute routes create kubernetes-route-10-200-${i}-0-24 \ @@ -40,6 +49,16 @@ for i in 0 1 2; do done ``` +#### Windows +``` +@(0, 1, 2) | ForEach-Object { + gcloud compute routes create kubernetes-route-10-200-${_}-0-24 ` + --network kubernetes-the-hard-way ` + --next-hop-address 10.240.0.2${_} ` + --destination-range 10.200.${_}.0/24 +} +``` + List the routes in the `kubernetes-the-hard-way` VPC network: ``` From 2ca33ac451744917d8b7316cd5b5d87ecc10100f Mon Sep 17 00:00:00 2001 From: Mike Stevenson Date: Tue, 24 Oct 2017 16:33:07 -0700 Subject: [PATCH 09/17] adding windows commands Signed-off-by: Mike Stevenson --- docs/12-dns-addon.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/12-dns-addon.md b/docs/12-dns-addon.md index b7ad32a..59285e5 100644 --- a/docs/12-dns-addon.md +++ b/docs/12-dns-addon.md 
@@ -56,10 +56,16 @@ busybox-2125412808-mt2vb 1/1 Running 0 15s Retrieve the full name of the `busybox` pod: +#### Linux & OS X ``` POD_NAME=$(kubectl get pods -l run=busybox -o jsonpath="{.items[0].metadata.name}") ``` +#### Windows +``` +$POD_NAME=$(kubectl get pods -l run=busybox -o jsonpath="{.items[0].metadata.name}") +``` + Execute a DNS lookup for the `kubernetes` service inside the `busybox` pod: ``` From 1def1264e6ff7126b44e02e64191505a502efa3f Mon Sep 17 00:00:00 2001 From: Mike Stevenson Date: Tue, 24 Oct 2017 17:02:03 -0700 Subject: [PATCH 10/17] adding windows commands Signed-off-by: Mike Stevenson --- docs/13-smoke-test.md | 55 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/docs/13-smoke-test.md b/docs/13-smoke-test.md index df6644e..355b029 100644 --- a/docs/13-smoke-test.md +++ b/docs/13-smoke-test.md @@ -8,18 +8,32 @@ In this section you will verify the ability to [encrypt secret data at rest](htt Create a generic secret: +### Linux & OS X ``` kubectl create secret generic kubernetes-the-hard-way \ --from-literal="mykey=mydata" ``` +#### Windows +``` +kubectl create secret generic kubernetes-the-hard-way ` + --from-literal="mykey=mydata" +``` + Print a hexdump of the `kubernetes-the-hard-way` secret stored in etcd: +#### Linux & OS X ``` gcloud compute ssh controller-0 \ --command "ETCDCTL_API=3 etcdctl get /registry/secrets/default/kubernetes-the-hard-way | hexdump -C" ``` +#### Windows +``` +gcloud compute ssh controller-0 ` + --command "ETCDCTL_API=3 etcdctl get /registry/secrets/default/kubernetes-the-hard-way" | Format-Hex +``` + > output ``` 
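Review bot: `… | Format-Hex` does not show the bytes etcd actually stores: `gcloud compute ssh` delivers the remote output to PowerShell as decoded text, so any non-text bytes in the value are mangled before Format-Hex re-encodes the string, and the dump will differ from the Linux `hexdump -C` that runs on the remote side. Keep the hexdump remote, as the Linux block does: `--command "ETCDCTL_API=3 etcdctl get /registry/secrets/default/kubernetes-the-hard-way | hexdump -C"`. The first heading in this hunk is `### Linux & OS X` (three hashes) while the Windows heading and the rest of the series use four.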
@@ -73,10 +87,16 @@ In this section you will verify the ability to access applications remotely usin Retrieve the full name of the `nginx` pod: +#### Linux & OS X ``` POD_NAME=$(kubectl get pods -l run=nginx -o jsonpath="{.items[0].metadata.name}") ``` +#### Windows +``` +$POD_NAME=$(kubectl get pods -l run=nginx -o jsonpath="{.items[0].metadata.name}") +``` + Forward port `8080` on your local machine to port `80` of the `nginx` pod: ``` @@ -92,10 +112,16 @@ Forwarding from [::1]:8080 -> 80 In a new terminal make an HTTP request using the forwarding address: +#### Linux & OS X ``` curl --head http://127.0.0.1:8080 ``` +#### Windows +``` +(Invoke-WebRequest -Method HEAD http://127.0.0.1:8080).RawContent +``` + > output ``` 
@@ -165,32 +191,61 @@ kubectl expose deployment nginx --port 80 --type NodePort Retrieve the node port assigned to the `nginx` service: +#### Linux & OS X ``` NODE_PORT=$(kubectl get svc nginx \ --output=jsonpath='{range .spec.ports[0]}{.nodePort}') ``` +#### Windows +``` +$NODE_PORT=$(kubectl get svc nginx ` + --output=jsonpath='{range .spec.ports[0]}{.nodePort}') +``` + Create a firewall rule that allows remote access to the `nginx` node port: +#### Linux & OS X ``` gcloud compute firewall-rules create kubernetes-the-hard-way-allow-nginx-service \ --allow=tcp:${NODE_PORT} \ --network kubernetes-the-hard-way ``` +#### Windows +``` +gcloud compute firewall-rules create kubernetes-the-hard-way-allow-nginx-service ` + --allow=tcp:${NODE_PORT} ` + --network kubernetes-the-hard-way +``` + Retrieve the external IP address of a worker instance: +#### Linux & OS X ``` EXTERNAL_IP=$(gcloud compute instances describe worker-0 \ --format 'value(networkInterfaces[0].accessConfigs[0].natIP)') ``` +#### Windows +``` +$EXTERNAL_IP=$(gcloud compute instances describe worker-0 ` + --format 'value(networkInterfaces[0].accessConfigs[0].natIP)') +``` + + Make an HTTP request using the external IP address and the `nginx` node port: +#### Linux & OS X ``` curl -I http://${EXTERNAL_IP}:${NODE_PORT} ``` +#### Windows +``` +(Invoke-WebRequest -Method HEAD http://${EXTERNAL_IP}:${NODE_PORT}).RawContent +``` + > output ``` From 905485f57cb6ab644ff518541e647c2fa5f300ac Mon Sep 17 00:00:00 2001 From: Mike Stevenson Date: Wed, 25 Oct 2017 15:37:54 -0700 Subject: [PATCH 11/17] spaces as separators don't work right in windows, changing both for consistency Signed-off-by: Mike Stevenson --- docs/11-pod-network-routes.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/11-pod-network-routes.md b/docs/11-pod-network-routes.md index c262d61..c7f5eba 100644 --- a/docs/11-pod-network-routes.md +++ b/docs/11-pod-network-routes.md 
@@ -16,7 +16,7 @@ Print the internal IP address and Pod CIDR range for each worker instance: ``` for instance in worker-0 worker-1 worker-2; do gcloud compute instances describe ${instance} \ - --format 'value[separator=" "](networkInterfaces[0].networkIP,metadata.items[0].value)' + --format '(networkInterfaces[0].networkIP,metadata.items[0].value)' done ``` @@ -24,15 +24,15 @@ done ``` @('worker-0','worker-1','worker-2') | ForEach-Object { gcloud compute instances describe $_ ` - --format 'value[separator=" "](networkInterfaces[0].networkIP,metadata.items[0].value)' + --format '(networkInterfaces[0].networkIP,metadata.items[0].value)' } ``` > output ``` -10.240.0.20 10.200.0.0/24 -10.240.0.21 10.200.1.0/24 -10.240.0.22 10.200.2.0/24 +10.240.0.20 10.200.0.0/24 +10.240.0.21 10.200.1.0/24 +10.240.0.22 10.200.2.0/24 ``` ## Routes From e36064e4dc89506555af40f58e2928c85dedb829 Mon Sep 17 00:00:00 2001 From: Mike Stevenson Date: Wed, 25 Oct 2017 15:38:16 -0700 Subject: [PATCH 12/17] adding windows commands --- docs/14-cleanup.md | 49 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/docs/14-cleanup.md b/docs/14-cleanup.md index d9084c8..8b8bcb0 100644 --- a/docs/14-cleanup.md +++ b/docs/14-cleanup.md @@ -6,16 +6,25 @@ In this labs you will delete the compute resources created during this tutorial. Delete the controller and worker compute instances: +#### Linux & OS X ``` gcloud -q compute instances delete \ controller-0 controller-1 controller-2 \ worker-0 worker-1 worker-2 ``` +#### Windows +``` +gcloud -q compute instances delete ` + controller-0 controller-1 controller-2 ` + worker-0 worker-1 worker-2 +``` + ## Networking Delete the external load balancer network resources: +#### Linux & OS X ``` gcloud -q compute forwarding-rules delete kubernetes-forwarding-rule \ --region $(gcloud config get-value compute/region) 
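Review bot: The Linux `--format` did not need to change: `value[separator=" "](…)` is the gcloud form for a space-separated value row, and the Windows-only failure the commit message describes is consistent with PowerShell re-quoting an argument that contains both a space and embedded double quotes before passing it to a native command — worth confirming on a Windows host. Keep the Linux line and fix quoting on the Windows side (e.g. escape the inner quotes as `'value[separator=\" \"](networkInterfaces[0].networkIP,metadata.items[0].value)'`) rather than dropping the named `value` format on both platforms, since the bare `(…)` projection appears to fall back to gcloud's default formatter and the documented output block changes with it.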
@@ -25,6 +34,16 @@ gcloud -q compute forwarding-rules delete kubernetes-forwarding-rule \ gcloud -q compute target-pools delete kubernetes-target-pool ``` +#### Windows +``` +gcloud -q compute forwarding-rules delete kubernetes-forwarding-rule ` + --region $(gcloud config get-value compute/region) +``` + +``` +gcloud -q compute target-pools delete kubernetes-target-pool +``` + Delete the `kubernetes-the-hard-way` static IP address: ``` @@ -33,6 +52,7 @@ gcloud -q compute addresses delete kubernetes-the-hard-way Delete the `kubernetes-the-hard-way` firewall rules: +#### Linux & OS X ``` gcloud -q compute firewall-rules delete \ kubernetes-the-hard-way-allow-nginx-service \ @@ -40,8 +60,17 @@ gcloud -q compute firewall-rules delete \ kubernetes-the-hard-way-allow-external ``` +#### Windows +``` +gcloud -q compute firewall-rules delete ` + kubernetes-the-hard-way-allow-nginx-service ` + kubernetes-the-hard-way-allow-internal ` + kubernetes-the-hard-way-allow-external +``` + Delete the Pod network routes: +#### Linux & OS X ``` gcloud -q compute routes delete \ kubernetes-route-10-200-0-0-24 \ @@ -49,6 +78,14 @@ gcloud -q compute routes delete \ kubernetes-route-10-200-2-0-24 ``` +#### Windows +``` +gcloud -q compute routes delete ` + kubernetes-route-10-200-0-0-24 ` + kubernetes-route-10-200-1-0-24 ` + kubernetes-route-10-200-2-0-24 +``` + Delete the `kubernetes` subnet: ``` @@ -60,3 +97,15 @@ Delete the `kubernetes-the-hard-way` network VPC: ``` gcloud -q compute networks delete kubernetes-the-hard-way ``` + +## CA Certificate + +#### Windows + +Remove the CA certificate from the Root Certificates keystore: + +``` +Get-ChildTtem -Path Cert:\CurrentUser\Root\ | Where-Object { + $_.Thumbprint -eq (Get-PfxCertificate .\ca.pem).Thumbprint } | Remove-Item +``` +Confirm the certificate details in the confirmation dialog box, and click Yes to continue. From c595d09a8464be2007cc1fd8ca131e23c5fb9042 Mon Sep 17 00:00:00 2001 
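Review bot: The `Get-ChildTtem ... | Where-Object { $_.Thumbprint -eq (Get-PfxCertificate .\ca.pem).Thumbprint } | Remove-Item` pipeline in the new CA Certificate section depends on `ca.pem` still being in the current directory; if the lab files were already deleted or the user runs it from elsewhere, the lookup yields no thumbprint, the filter matches nothing, and the command finishes silently while the lab CA stays in the user's trusted root store (the `Get-ChildTtem` typo is fixed by the following patch, so not raised here). Resolving the thumbprint first and failing loudly avoids that: `$thumb = (Get-PfxCertificate .\ca.pem -ErrorAction Stop).Thumbprint` followed by `Get-ChildItem Cert:\CurrentUser\Root | Where-Object Thumbprint -eq $thumb | Remove-Item`. The cleanup also deletes cloud resources and the trust-store entry but says nothing about the key material left on the workstation; a sentence telling the reader to delete the generated private keys (presumably `ca-key.pem` and the per-component `*-key.pem` files from the cfssl steps) and kubeconfigs would close the loop, since anyone holding the CA key can mint certificates the store trusts until this removal is run.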
From: Mike Stevenson Date: Wed, 25 Oct 2017 17:15:12 -0700 Subject: [PATCH 13/17] fix typo Signed-off-by: Mike Stevenson --- docs/14-cleanup.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/14-cleanup.md b/docs/14-cleanup.md index 8b8bcb0..690437a 100644 --- a/docs/14-cleanup.md +++ b/docs/14-cleanup.md @@ -105,7 +105,7 @@ gcloud -q compute networks delete kubernetes-the-hard-way Remove the CA certificate from the Root Certificates keystore: ``` -Get-ChildTtem -Path Cert:\CurrentUser\Root\ | Where-Object { +Get-ChildItem -Path Cert:\CurrentUser\Root\ | Where-Object { $_.Thumbprint -eq (Get-PfxCertificate .\ca.pem).Thumbprint } | Remove-Item ``` -Confirm the certificate details in the confirmation dialog box, and click Yes to continue. +Confirm the certificate details in the confirmation dialog box, and click Yes to continue. From af2fae2be47d7d7b0ba12d95bb9e9fcd43432bc1 Mon Sep 17 00:00:00 2001 From: Mike Stevenson Date: Wed, 25 Oct 2017 17:15:58 -0700 Subject: [PATCH 14/17] added note about needing to use powershell on windows Signed-off-by: Mike Stevenson --- docs/01-prerequisites.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/01-prerequisites.md b/docs/01-prerequisites.md index fd419e4..79023f5 100644 --- a/docs/01-prerequisites.md +++ b/docs/01-prerequisites.md @@ -44,4 +44,14 @@ gcloud config set compute/zone us-west1-c > Use the `gcloud compute zones list` command to view additional regions and zones. +## Important note for Windows users + +The commands for Windows in this tutorial are intended to be run using PowerShell and will +not work as intended using cmd. If you are at all unsure about what shell you're using +execute the following command: +``` +(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell +``` +If it outputs `CMD` then execute `powershell.exe` before continuing. + Next: [Installing the Client Tools](02-client-tools.md) From d086652bd61bc6f7d220435cc728989afe1a963d Mon Sep 17 00:00:00 2001 
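Review bot: The shell-detection one-liner `(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell` added to 01-prerequisites.md is opaque, and the page asks the reader to paste it without saying what it does, which is exactly the habit a security-minded tutorial should discourage. A one-line explanation under the block, along the lines of "this is a harmless polyglot: cmd runs `dir` and echoes CMD, while PowerShell treats `<# rem #>` as a comment and echoes PowerShell", lets the reader verify it before running it. It would also help to say that the check is only about the interactive shell and has no bearing on the PowerShell execution policy, which the later `Invoke-WebRequest` and `Import-Certificate` steps do not require changing as far as this series shows.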
From: Mike Stevenson Date: Wed, 25 Oct 2017 17:16:31 -0700 Subject: [PATCH 15/17] adding more info to cert import Signed-off-by: Mike Stevenson --- docs/08-bootstrapping-kubernetes-controllers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/08-bootstrapping-kubernetes-controllers.md b/docs/08-bootstrapping-kubernetes-controllers.md index da3610e..06251f7 100644 --- a/docs/08-bootstrapping-kubernetes-controllers.md +++ b/docs/08-bootstrapping-kubernetes-controllers.md @@ -334,7 +334,7 @@ curl --cacert ca.pem https://${KUBERNETES_PUBLIC_ADDRESS}:6443/version ``` Import-Certificate -CertStoreLocation Cert:\CurrentUser\Root -FilePath ca.pem ``` -This command will generate a warning making sure you want to install this certificate. Click Yes to install. +This command will generate a warning making sure you want to install this certificate. Verify the information, and click Yes to install. ``` [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ``` From 3c21ed5d09a80ff010325434b9b706a9506ef11a Mon Sep 17 00:00:00 2001 From: Mike Stevenson Date: Mon, 30 Oct 2017 14:43:03 -0700 Subject: [PATCH 16/17] swapping quotes because linux doesn't care and windows does --- docs/11-pod-network-routes.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/11-pod-network-routes.md b/docs/11-pod-network-routes.md index c7f5eba..ccb456b 100644 --- a/docs/11-pod-network-routes.md +++ b/docs/11-pod-network-routes.md @@ -24,15 +24,15 @@ done ``` @('worker-0','worker-1','worker-2') | ForEach-Object { gcloud compute instances describe $_ ` - --format '(networkInterfaces[0].networkIP,metadata.items[0].value)' + --format "value[separator=' '](networkInterfaces[0].networkIP,metadata.items[0].value)" } ``` > output ``` -10.240.0.20 10.200.0.0/24 -10.240.0.21 10.200.1.0/24 -10.240.0.22 10.200.2.0/24 +10.240.0.20 10.200.0.0/24 +10.240.0.21 10.200.1.0/24 +10.240.0.22 10.200.2.0/24 ``` ## Routes 
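Review bot: The reworded sentence "Verify the information, and click Yes to install" still gives the reader nothing to verify against, although the surrounding `Import-Certificate -CertStoreLocation Cert:\CurrentUser\Root -FilePath ca.pem` line makes every certificate chaining to the lab CA trusted by every application running under that Windows profile, not just the tutorial's `Invoke-WebRequest` calls, for as long as the entry exists. State the value to compare: run `(Get-PfxCertificate .\ca.pem).Thumbprint` first and confirm the dialog shows the same thumbprint before clicking Yes. A short caveat belongs next to it as well: the matching private key (presumably `ca-key.pem` from the earlier cfssl steps) is sitting in the working directory, so anyone who copies it can issue certificates this machine will trust until the cleanup lab removes the CA, and the import must stay in `CurrentUser`, never `LocalMachine`. The `[Net.ServicePointManager]::SecurityProtocol = Tls12` line that follows is fine, but a sentence saying it pins the PowerShell session to TLS 1.2 for the API server call would explain why it is there.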
From d8816ce68b53ceade3c6de1f6eba361b09d84fe9 Mon Sep 17 00:00:00 2001 From: Mike Stevenson Date: Mon, 30 Oct 2017 14:43:03 -0700 Subject: [PATCH 17/17] swapping quotes because linux doesn't care and windows does Signed-off-by: Mike Stevenson --- docs/11-pod-network-routes.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/11-pod-network-routes.md b/docs/11-pod-network-routes.md index c7f5eba..ccb456b 100644 --- a/docs/11-pod-network-routes.md +++ b/docs/11-pod-network-routes.md @@ -24,15 +24,15 @@ done ``` @('worker-0','worker-1','worker-2') | ForEach-Object { gcloud compute instances describe $_ ` - --format '(networkInterfaces[0].networkIP,metadata.items[0].value)' + --format "value[separator=' '](networkInterfaces[0].networkIP,metadata.items[0].value)" } ``` > output ``` -10.240.0.20 10.200.0.0/24 -10.240.0.21 10.200.1.0/24 -10.240.0.22 10.200.2.0/24 +10.240.0.20 10.200.0.0/24 +10.240.0.21 10.200.1.0/24 +10.240.0.22 10.200.2.0/24 ``` ## Routes
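Review bot: This patch is byte-identical to the preceding one in the series (same `index c7f5eba..ccb456b`, same `@@ -24,15 +24,15 @@` hunk), differing only in the added `Signed-off-by` trailer, so applying the series in order will have the second copy fail or be skipped as already applied; one of the two should be dropped. The restored `value[separator=' ']` only goes back into the Windows block, while the Linux block at lines 16-19 keeps the bare `'(networkInterfaces[0].networkIP,metadata.items[0].value)'` projection introduced by the "spaces as separators" patch, and both blocks share the single `> output` sample, so presumably one of them now prints something else. Unless the Linux form was restored in a change not shown here, change it back to `--format 'value[separator=" "](networkInterfaces[0].networkIP,metadata.items[0].value)'` so the two platforms stay in step with the documented output.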