update md files

pull/863/head
Ruslan Savchuk 2025-04-03 23:07:22 +02:00
parent 7a786179c6
commit af20d996ed
8 changed files with 91 additions and 117 deletions


@ -23,8 +23,7 @@ So, let's begin.
First of all, we need to download kubelet.
```bash
wget -q --show-progress --https-only --timestamping \
https://dl.k8s.io/v1.32.3/kubernetes-node-linux-amd64.tar.gz
https://dl.k8s.io/v1.32.3/bin/linux/amd64/kubelet
tar -xvzf kubernetes-node-linux-amd64.tar.gz
```
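Review bot: the new download line fetches the bare kubelet binary from dl.k8s.io but nothing verifies it, and the `tar -xvzf kubernetes-node-linux-amd64.tar.gz` line that follows has no tarball to extract if it is kept. Suggest fetching the checksum published next to the binary and checking it before installing, e.g. `wget -q https://dl.k8s.io/v1.32.3/bin/linux/amd64/kubelet.sha256` followed by `echo "$(cat kubelet.sha256)  kubelet" | sha256sum --check`, and dropping the tar line.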


@ -38,7 +38,7 @@ After the tools are installed successfully, we need to generate ca certificate.
A ca (Certificate Authority) certificate, also known as a root certificate or a trusted root certificate, is a digital certificate that is used to verify the authenticity of other certificates.
```bash
{
cat > ca-config.json <<EOF
cat <<EOF | tee ca-config.json
{
"signing": {
"default": {
@ -54,7 +54,7 @@ cat > ca-config.json <<EOF
}
EOF
cat > ca-csr.json <<EOF
cat <<EOF | tee ca-csr.json
{
"CN": "Kubernetes",
"key": {
@ -92,7 +92,7 @@ Now, we can create certificate files signed by our ca file.
HOST_NAME=$(hostname -a)
KUBERNETES_HOSTNAMES=kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.svc.cluster.local
cat > kubernetes-csr.json <<EOF
cat <<EOF | tee kubernetes-csr.json
{
"CN": "kubernetes",
"key": {
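Review bot: the context line `HOST_NAME=$(hostname -a)` is left unchanged here while the kubelet, pod and scheduler hunks in this commit switch to `HOST_NAME=$(cat /etc/hostname)`. `hostname -a` prints alias names and is often empty, so the API server certificate can end up without the host in its SANs, and the two sources can disagree; use one expression everywhere (plain `hostname` matches the name the kubelet registers under unless `--hostname-override` is set).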


@ -13,7 +13,7 @@ As you can see from the description, api server is a central (not the main) comp
Before we begin with the configuration of the api server, we need to create certificates for kubernetes that will be used to sign service account tokens.
```bash
{
cat > service-account-csr.json <<EOF
cat <<EOF | tee service-account-csr.json
{
"CN": "service-accounts",
"key": {
@ -43,14 +43,11 @@ cfssl gencert \
Now, we need to distribute certificates to the api server configuration folder
```bash
{
mkdir /var/lib/kubernetes/
sudo cp \
ca.pem \
kubernetes.pem kubernetes-key.pem \
mkdir -p /var/lib/kubernetes/ \
&& cp \
ca.pem kubernetes.pem kubernetes-key.pem \
service-account-key.pem service-account.pem \
/var/lib/kubernetes/
}
```
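Review bot: dropping `sudo` from the `cp` here (and from every tee/cp/systemctl block in this commit) changes the guide's assumption to running as root without saying so; state that once up front or keep `sudo`. Also, this copies `kubernetes-key.pem` and `service-account-key.pem` into `/var/lib/kubernetes/` with default umask permissions; add `chmod 600 /var/lib/kubernetes/*-key.pem` so the API server's TLS key and the service-account token signing key are not world-readable.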
As you can see, in addition to the generated service-account certificate file, we also distributed the certificate generated in the [previous](./04-etcd.md) section. We will use that certificate for communication between
@ -89,19 +86,21 @@ Now, when all required configuration/certificate files are created and distribut
First of all, we need to download and install api server binaries
https://kubernetes.io/releases/download/
```bash
{
wget -q --show-progress --https-only --timestamping \
"https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kube-apiserver"
chmod +x kube-apiserver
sudo mv kube-apiserver /usr/local/bin/
}
wget -q --show-progress --https-only --timestamping \
"https://dl.k8s.io/v1.32.3/bin/linux/amd64/kube-apiserver"
```
```bash
chmod +x kube-apiserver \
&& mv kube-apiserver /usr/local/bin/
```
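Review bot: splitting the `wget` and the `chmod +x kube-apiserver && mv ...` into two separate fences drops the error handling the `&&` chain gives: if the download fails (or `--timestamping` keeps an older file), the second block still installs whatever `kube-apiserver` is lying in the directory. Keep them in one chain and verify the `.sha256` published alongside the binary before the `mv`.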
And create the service configuration file
```bash
cat <<EOF | sudo tee /etc/systemd/system/kube-apiserver.service
cat <<EOF | tee /etc/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
@ -149,16 +148,14 @@ Configuration options I want to highlight:
Now, when api-server service is configured, we can start it
```bash
{
sudo systemctl daemon-reload
sudo systemctl enable kube-apiserver
sudo systemctl start kube-apiserver
}
systemctl daemon-reload \
&& systemctl enable kube-apiserver \
&& systemctl start kube-apiserver
```
And check the service status
```bash
sudo systemctl status kube-apiserver
systemctl status kube-apiserver
```
Output:
@ -180,9 +177,9 @@ Now, when our server is up and running, we want to communicate with it. To do th
```bash
wget -q --show-progress --https-only --timestamping \
https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubectl \
https://dl.k8s.io/v1.32.3/bin/linux/386/kubectl \
&& chmod +x kubectl \
&& sudo mv kubectl /usr/local/bin/
&& mv kubectl /usr/local/bin/
```
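Review bot: the new kubectl URL points at `bin/linux/386/kubectl`, the 32-bit build, while every other binary in this commit (kubelet, kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy) uses `bin/linux/amd64`. Change it to `https://dl.k8s.io/v1.32.3/bin/linux/amd64/kubectl` so the architecture matches the rest of the guide.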
As the api server is configured in more or less secure mode, we need to provide some credentials when accessing it. We will use certificate files as the credentials. That is why we need to generate a proper certificate file that will allow us to access api server with administrator privileges
@ -252,7 +249,7 @@ As already mentioned, api-server is the central kubernetes component, that store
It means that we can create a pod, even when other components (kubelet, scheduler, controller manager) are not configured
```bash
{
HOST_NAME=$(hostname -a)
HOST_NAME=$(cat /etc/hostname)
cat <<EOF> pod.yaml
apiVersion: v1
@ -261,6 +258,7 @@ metadata:
name: hello-world
spec:
serviceAccountName: hello-world
terminationGracePeriodSeconds: 1
containers:
- name: hello-world-container
image: busybox


@ -10,8 +10,8 @@ Again we will start this part with the creation of the certificates which will b
```bash
{
HOST_NAME=$(hostname -a)
cat > kubelet-csr.json <<EOF
HOST_NAME=$(cat /etc/hostname)
cat <<EOF | tee kubelet-csr.json
{
"CN": "system:node:${HOST_NAME}",
"key": {
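Review bot: `HOST_NAME=$(cat /etc/hostname)` feeds the certificate CN `system:node:${HOST_NAME}`, which the API server's Node authorizer compares against the name the kubelet registers under. `/etc/hostname` can be absent, stale, or differ in case from the kernel hostname, and the kubelet lowercases its node name; using `$(hostname)` here and in the API server certificate hunk keeps the CN, the SAN and the registered node name consistent.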
@ -56,10 +56,8 @@ We specified "system:nodes" in the organization. It says api server that the cli
Now we need to distribute certificates generated.
```bash
{
sudo cp kubelet-key.pem kubelet.pem /var/lib/kubelet/
sudo cp ca.pem /var/lib/kubernetes/
}
cp kubelet-key.pem kubelet.pem /var/lib/kubelet/ \
&& cp ca.pem /var/lib/kubernetes/
```
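Review bot: `cp kubelet-key.pem kubelet.pem /var/lib/kubelet/` assumes `/var/lib/kubelet/` already exists, whereas the `/var/lib/kubernetes/` and `/var/lib/kube-proxy` hunks in this commit add `mkdir -p` first; add `mkdir -p /var/lib/kubelet` here too (or confirm an earlier step creates it) and restrict `kubelet-key.pem` to mode 600.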
## service configuration
@ -68,7 +66,7 @@ After certificates configured and distributed, we need to prepare configuration
```bash
{
HOST_NAME=$(hostname -a)
HOST_NAME=$(cat /etc/hostname)
kubectl config set-cluster kubernetes-the-hard-way \
--certificate-authority=ca.pem \
--embed-certs=true \
@ -95,29 +93,24 @@ We created kubernetes configuration file, which says kubelet where api server is
And now, move all our configuration settings to the proper folders
```bash
sudo cp kubelet.kubeconfig /var/lib/kubelet/kubeconfig
cp kubelet.kubeconfig /var/lib/kubelet/kubeconfig
```
Also, we need to create KubeletConfiguration
```bash
cat <<EOF | sudo tee /var/lib/kubelet/kubelet-config.yaml
kind: KubeletConfiguration
cat <<EOF | tee /var/lib/kubelet/kubelet-config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: "/var/lib/kubernetes/ca.pem"
webhook:
enabled: false
authorization:
mode: Webhook
clusterDomain: "cluster.local"
clusterDNS:
- "10.32.0.10"
podCIDR: "10.240.1.0/24"
resolvConf: "/run/systemd/resolve/resolv.conf"
runtimeRequestTimeout: "15m"
mode: AlwaysAllow
networkPlugin: "cni"
cniConfDir: "/etc/cni/net.d"
cniBinDir: "/opt/cni/bin"
tlsCertFile: "/var/lib/kubelet/kubelet.pem"
tlsPrivateKeyFile: "/var/lib/kubelet/kubelet-key.pem"
EOF
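Review bot: `authorization: mode: AlwaysAllow` is a security regression from the previous `mode: Webhook`: with `anonymous.enabled: false` and an x509 `clientCAFile`, any client holding a certificate issued by the cluster CA (the admin kubeconfig, kube-proxy, the scheduler, the controller manager) gets unrestricted access to the kubelet API, including exec, logs and port-forward on every pod on the node, with no SubjectAccessReview against the API server. Keep `mode: Webhook` and `authentication.webhook.enabled: true` (the kubelet's own credentials must then be allowed to create `subjectaccessreviews` and `tokenreviews`, which the `system:nodes` group already has). Separately, `networkPlugin`, `cniConfDir` and `cniBinDir` are not KubeletConfiguration fields (they were dockershim-era kubelet flags, gone since 1.24), so v1.32.3 will not honour them; CNI directories are configured in the container runtime now. And if `clusterDomain`/`clusterDNS` are being removed rather than kept as context, pods will not get the cluster DNS server in their resolv.conf, which the later `nginx-service.default.svc.cluster.local.` check depends on.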
@ -131,7 +124,7 @@ Configuration options I want to highlight:
And the last step - we need to update service configuration file
```bash
cat <<EOF | sudo tee /etc/systemd/system/kubelet.service
cat <<EOF | tee /etc/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
@ -140,14 +133,13 @@ Requires=containerd.service
[Service]
ExecStart=/usr/local/bin/kubelet \\
--config=/var/lib/kubelet/kubelet-config.yaml \\
--container-runtime=remote \\
--container-runtime-endpoint=unix:///var/run/containerd/containerd.sock \\
--image-pull-progress-deadline=2m \\
--file-check-frequency=10s \\
--config=/var/lib/kubelet/kubelet-config.yaml \\
--pod-manifest-path='/etc/kubernetes/manifests/' \\
--kubeconfig=/var/lib/kubelet/kubeconfig \\
--network-plugin=cni \\
--register-node=true \\
--v=2
--v=10
Restart=on-failure
RestartSec=5
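Review bot: `--v=10` replacing `--v=2` turns on client-go's request and response body dumping, which fills the journal quickly and is not what a reader following a guide wants by default; keep `--v=2` and mention raising it only while debugging. The remaining `--pod-manifest-path` and `--file-check-frequency` flags are deprecated in favour of `staticPodPath` and `fileCheckFrequency` in the KubeletConfiguration file already passed via `--config`, so they can move there; removing `--container-runtime`, `--image-pull-progress-deadline` and `--network-plugin`, which no longer exist in 1.32, is correct.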
@ -159,18 +151,16 @@ EOF
And reload it
```bash
{
sudo systemctl daemon-reload
sudo systemctl enable kubelet
sudo systemctl restart kubelet
}
systemctl daemon-reload \
&& systemctl enable kubelet \
&& systemctl restart kubelet
```
## verification
And check service status
```bash
sudo systemctl status kubelet
systemctl status kubelet
```
Output:


@ -23,6 +23,7 @@ metadata:
name: hello-world
spec:
serviceAccountName: hello-world
terminationGracePeriodSeconds: 1
containers:
- name: hello-world-container
image: busybox
@ -121,16 +122,16 @@ We created kubernetes configuration file, which says scheduler where api server
Now, we can distribute created configuration file.
```bash
sudo mv kube-scheduler.kubeconfig /var/lib/kubernetes/
mv kube-scheduler.kubeconfig /var/lib/kubernetes/
```
In addition to this file, we will create one more configuration file for scheduler
```bash
{
mkdir /etc/kubernetes/config
cat <<EOF | sudo tee /etc/kubernetes/config/kube-scheduler.yaml
apiVersion: kubescheduler.config.k8s.io/v1beta1
mkdir -p /etc/kubernetes/config
cat <<EOF | tee /etc/kubernetes/config/kube-scheduler.yaml
apiVersion: kubescheduler.config.k8s.io/v1
kind: KubeSchedulerConfiguration
clientConnection:
kubeconfig: "/var/lib/kubernetes/kube-scheduler.kubeconfig"
@ -144,21 +145,19 @@ After all configuration files created, we need to download scheduler binaries.
```bash
wget -q --show-progress --https-only --timestamping \
"https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kube-scheduler"
"https://dl.k8s.io/v1.32.3/bin/linux/amd64/kube-scheduler"
```
And install it
```bash
{
chmod +x kube-scheduler
sudo mv kube-scheduler /usr/local/bin/
}
chmod +x kube-scheduler \
&& mv kube-scheduler /usr/local/bin/
```
Now, we can create configuration file for scheduler service
```bash
cat <<EOF | sudo tee /etc/systemd/system/kube-scheduler.service
cat <<EOF | tee /etc/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
@ -178,17 +177,15 @@ EOF
After configuration file created, we need to run it
```bash
{
sudo systemctl daemon-reload
sudo systemctl enable kube-scheduler
sudo systemctl start kube-scheduler
}
systemctl daemon-reload \
&& systemctl enable kube-scheduler \
&& systemctl start kube-scheduler
```
And finally we check scheduler status
```bash
sudo systemctl status kube-scheduler
systemctl status kube-scheduler
```
Output:
@ -235,7 +232,7 @@ May 21 20:52:25 example-server kube-scheduler[91664]: I0521 20:52:25.471604 91
As we can see our pod wasn't assigned to the node because node has some taint, lets check our node taints.
```bash
kubectl get nodes $(hostname -a) -o jsonpath='{.spec.taints}'
kubectl get nodes $(cat /etc/hostname) -o jsonpath='{.spec.taints}'
```
Output:
@ -246,7 +243,7 @@ Output:
As you can see, our node has taint with efect no schedule.
Lets fix this.
```bash
kubectl taint nodes $(hostname -a) node.kubernetes.io/not-ready:NoSchedule-
kubectl taint nodes $(cat /etc/hostname) node.kubernetes.io/not-ready:NoSchedule-
```
And check our pods list again


@ -102,7 +102,7 @@ We specified "system:kube-controller-manager" in the organization. It says api s
Now, we will distribute ca certificate, this ????
```bash
sudo cp ca-key.pem /var/lib/kubernetes/
cp ca-key.pem /var/lib/kubernetes/
```
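Review bot: the context sentence `Now, we will distribute ca certificate, this ????` is unfinished and describes the wrong file: the command copies `ca-key.pem`, the CA private key, not the certificate. Anyone who can read that key can sign a client certificate for any user or node, so copy it with restrictive permissions (`install -m 600 ca-key.pem /var/lib/kubernetes/` rather than a plain `cp`) and complete the sentence.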
## configuration
@ -136,26 +136,24 @@ We created kubernetes configuration file, which says controller manager where ap
Now, we can distribute created configuration file.
```bash
sudo mv kube-controller-manager.kubeconfig /var/lib/kubernetes/
mv kube-controller-manager.kubeconfig /var/lib/kubernetes/
```
After all required configuration file created, we need to download controller manager binaries.
```bash
wget -q --show-progress --https-only --timestamping \
"https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kube-controller-manager"
"https://dl.k8s.io/v1.32.3/bin/linux/amd64/kube-controller-manager"
```
And install it
```bash
{
chmod +x kube-controller-manager
sudo mv kube-controller-manager /usr/local/bin/
}
chmod +x kube-controller-manager \
&& mv kube-controller-manager /usr/local/bin/
```
Now, we can create configuration file for controller manager service
```bash
cat <<EOF | sudo tee /etc/systemd/system/kube-controller-manager.service
cat <<EOF | tee /etc/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
@ -184,16 +182,14 @@ EOF
After configuration file created, we can start controller manager
```bash
{
sudo systemctl daemon-reload
sudo systemctl enable kube-controller-manager
sudo systemctl start kube-controller-manager
}
systemctl daemon-reload \
&& systemctl enable kube-controller-manager \
&& systemctl start kube-controller-manager
```
And finaly we can check controller manadger status
```bash
sudo systemctl status kube-controller-manager
systemctl status kube-controller-manager
```
Output:
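Review bot: the context line `And finaly we can check controller manadger status` has two typos (finally, manager); since this commit already touches this block, fix them in the same pass.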


@ -9,7 +9,7 @@ In this section we will configure kupe-proxy.
Before we will start, lets clarify the reason why do we need it. To do that, we will create deployment with nginx.
```bash
{
cat <<EOF> nginx-deployment.yml
cat <<EOF | tee nginx-deployment.yml
apiVersion: v1
kind: ConfigMap
metadata:
@ -71,7 +71,7 @@ nginx-deployment-db9778f94-twx78 1/1 Running 0 63s 10.240.1.1
As you an see, we created 3 pods (each has its own ip address). Now, we will run busybox container and will try to access our pods from other container
```bash
{
cat <<EOF> pod.yaml
cat <<EOF | tee pod.yaml
apiVersion: v1
kind: Pod
metadata:
@ -100,7 +100,7 @@ error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, re
This error occured, because api server has no access to execute commands. We will fix this issue, by creating cluster role and assigning it role to kubernetes user.
```bash
{
cat <<EOF> rbac-create.yml
cat <<EOF | tee rbac-create.yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
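Review bot: the `Forbidden (user=kubernetes, verb=create, ...)` error in the context is the kubelet's authorization webhook doing its job, and the ClusterRole created here is the correct fix. With the kubelet hunk in this commit switching to `authorization: mode: AlwaysAllow`, this error would never appear and the RBAC step becomes dead text, so the two files now contradict each other; keep `Webhook` mode and this step.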
@ -149,7 +149,7 @@ Note: it take some time to apply user permission. During this you can steel see
As you can see, we successfully received the response from the nginx. But to do that we used the IP address of the pod. To solve service discovery issue, kubernetes has special component - service. Now we will create it.
```bash
{
cat <<EOF> nginx-service.yml
cat <<EOF | tee nginx-service.yml
apiVersion: v1
kind: Service
metadata:
@ -192,7 +192,7 @@ As you remeber we configured our API server to use client certificate to authent
So, lets create proper certificate for the kube-proxy
```bash
{
cat > kube-proxy-csr.json <<EOF
cat <<EOF | tee kube-proxy-csr.json
{
"CN": "system:kube-proxy",
"key": {
@ -257,30 +257,26 @@ We created kubernetes configuration file, which says kube-proxy where api server
Now, we can distribute created configuration file.
```bash
{
sudo mkdir -p /var/lib/kube-proxy
sudo mv kube-proxy.kubeconfig /var/lib/kube-proxy/kubeconfig
}
mkdir -p /var/lib/kube-proxy \
&& mv kube-proxy.kubeconfig /var/lib/kube-proxy/kubeconfig
```
After all required configuration file created, we need to download kube-proxy binaries.
```bash
wget -q --show-progress --https-only --timestamping \
https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kube-proxy
https://dl.k8s.io/v1.32.3/bin/linux/amd64/kube-proxy
```
And install it
```bash
{
chmod +x kube-proxy
sudo mv kube-proxy /usr/local/bin/
}
chmod +x kube-proxy \
&& mv kube-proxy /usr/local/bin/
```
Now, we can create configuration file for kube-proxy
```bash
cat <<EOF | sudo tee /var/lib/kube-proxy/kube-proxy-config.yaml
cat <<EOF | tee /var/lib/kube-proxy/kube-proxy-config.yaml
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
clientConnection:
@ -292,7 +288,7 @@ EOF
Service configuration file
```bash
cat <<EOF | sudo tee /etc/systemd/system/kube-proxy.service
cat <<EOF | tee /etc/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube Proxy
Documentation=https://github.com/kubernetes/kubernetes
@ -310,16 +306,14 @@ EOF
Start service
```bash
{
sudo systemctl daemon-reload
sudo systemctl enable kube-proxy
sudo systemctl start kube-proxy
}
systemctl daemon-reload \
&& systemctl enable kube-proxy \
&& systemctl start kube-proxy
```
And check its status
```bash
sudo systemctl status kube-proxy
systemctl status kube-proxy
```
Output:


@ -11,7 +11,7 @@ If you remember, in previous section we accessed service by using its IP address
Befire we will configure it, we can check if we can access our service (created in previuos section) by its name.
```bash
kubectl exec busy-box -- wget -O - nginx-service
kubectl exec busy-box -- wget -O - nginx-service.default.svc.cluster.local.
```
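Review bot: switching the check from `nginx-service` to the fully qualified `nginx-service.default.svc.cluster.local.` (trailing dot), here and in the post-DNS check below, changes what is being tested: the short name exercises the search domains and `ndots` that the kubelet writes into the pod's resolv.conf from `clusterDomain`, while the absolute name bypasses them. Keep the short-name call, or show both, so the reader sees that in-cluster service discovery works the way application code normally uses it.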
And nothing happen. The reason of this befaviour - pod can't resolve IP address of the domain name requested as DNS server is not configured in our cluster.
@ -31,7 +31,7 @@ kubectl apply -f https://raw.githubusercontent.com/ruslansavchuk/kubernetes-the-
After our DNS server is up and running, we can try to repeat the call once again
```bash
kubectl exec busy-box -- wget -O - nginx-service
kubectl exec busy-box -- wget -O - nginx-service.default.svc.cluster.local.
```
Output: