Update to Kubernetes 1.10.2 and add gVisor support

2025-08-09 04:12:41 +03:00 · 2018-05-12 16:54:18 +00:00
parent 4f5cecb5ed
commit b974042d95
15 changed files with 902 additions and 305 deletions
--- a/docs/04-certificate-authority.md
+++ b/docs/04-certificate-authority.md
@@ -1,14 +1,16 @@
 # Provisioning a CA and Generating TLS Certificates

-In this lab you will provision a [PKI Infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure) using CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), then use it to bootstrap a Certificate Authority, and generate TLS certificates for the following components: etcd, kube-apiserver, kubelet, and kube-proxy.
+In this lab you will provision a [PKI Infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure) using CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), then use it to bootstrap a Certificate Authority, and generate TLS certificates for the following components: etcd, kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy.

 ## Certificate Authority

 In this section you will provision a Certificate Authority that can be used to generate additional TLS certificates.

-Create the CA configuration file:
+Generate the CA configuration file, certificate, and private key:

 ```
+{
+
 cat > ca-config.json <<EOF
 {
  "signing": {
@@ -24,11 +26,7 @@ cat > ca-config.json <<EOF
  }
 }
 EOF
-```

-Create the CA certificate signing request:
-
-```
 cat > ca-csr.json <<EOF
 {
  "CN": "Kubernetes",
@@ -47,12 +45,10 @@ cat > ca-csr.json <<EOF
  ]
 }
 EOF
-```

-Generate the CA certificate and private key:
-
-```
 cfssl gencert -initca ca-csr.json | cfssljson -bare ca
+
+}
 ```

 Results:
@@ -68,9 +64,11 @@ In this section you will generate client and server certificates for each Kubern

 ### The Admin Client Certificate

-Create the `admin` client certificate signing request:
+Generate the `admin` client certificate and private key:

 ```
+{
+
 cat > admin-csr.json <<EOF
 {
  "CN": "admin",
@@ -89,17 +87,15 @@ cat > admin-csr.json <<EOF
  ]
 }
 EOF
-```

-Generate the `admin` client certificate and private key:
-
-```
 cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  admin-csr.json | cfssljson -bare admin
+
+}
 ```

 Results:
@@ -163,11 +159,57 @@ worker-2-key.pem
 worker-2.pem
 ```

-### The kube-proxy Client Certificate
+### The Controller Manager Client Certificate

-Create the `kube-proxy` client certificate signing request:
+Generate the `kube-controller-manager` client certificate and private key:

 ```
+{
+
+cat > kube-controller-manager-csr.json <<EOF
+{
+  "CN": "system:kube-controller-manager",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "system:kube-controller-manager",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
+
+}
+```
+
+Results:
+
+```
+kube-controller-manager-key.pem
+kube-controller-manager.pem
+```
+
+
+### The Kube Proxy Client Certificate
+
+Generate the `kube-proxy` client certificate and private key:
+
+```
+{
+
 cat > kube-proxy-csr.json <<EOF
 {
  "CN": "system:kube-proxy",
@@ -186,17 +228,15 @@ cat > kube-proxy-csr.json <<EOF
  ]
 }
 EOF
-```

-Generate the `kube-proxy` client certificate and private key:
-
-```
 cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes \
  kube-proxy-csr.json | cfssljson -bare kube-proxy
+
+}
 ```

 Results:
@@ -206,21 +246,63 @@ kube-proxy-key.pem
 kube-proxy.pem
 ```

+### The Scheduler Client Certificate
+
+Generate the `kube-scheduler` client certificate and private key:
+
+```
+{
+
+cat > kube-scheduler-csr.json <<EOF
+{
+  "CN": "system:kube-scheduler",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "system:kube-scheduler",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  kube-scheduler-csr.json | cfssljson -bare kube-scheduler
+
+}
+```
+
+Results:
+
+```
+kube-scheduler-key.pem
+kube-scheduler.pem
+```
+
+
 ### The Kubernetes API Server Certificate

 The `kubernetes-the-hard-way` static IP address will be included in the list of subject alternative names for the Kubernetes API Server certificate. This will ensure the certificate can be validated by remote clients.

-Retrieve the `kubernetes-the-hard-way` static IP address:
+Generate the Kubernetes API Server certificate and private key:

 ```
+{
+
 KUBERNETES_PUBLIC_ADDRESS=$(gcloud compute addresses describe kubernetes-the-hard-way \
  --region $(gcloud config get-value compute/region) \
  --format 'value(address)')
-```

-Create the Kubernetes API Server certificate signing request:
-
-```
 cat > kubernetes-csr.json <<EOF
 {
  "CN": "kubernetes",
@@ -239,11 +321,7 @@ cat > kubernetes-csr.json <<EOF
  ]
 }
 EOF
-```

-Generate the Kubernetes API Server certificate and private key:
-
-```
 cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
@@ -251,6 +329,8 @@ cfssl gencert \
  -hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,kubernetes.default \
  -profile=kubernetes \
  kubernetes-csr.json | cfssljson -bare kubernetes
+
+}
 ```

 Results:
@@ -260,6 +340,52 @@ kubernetes-key.pem
 kubernetes.pem
 ```

+## The Service Account Key Pair
+
+The Kubernetes Controller Manager leverages a key pair to generate and sign service account tokens as describe in the [managing service accounts](https://kubernetes.io/docs/admin/service-accounts-admin/) documentation.
+
+Generate the `service-account` certificate and private key:
+
+```
+{
+
+cat > service-account-csr.json <<EOF
+{
+  "CN": "service-accounts",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "Kubernetes",
+      "OU": "Kubernetes The Hard Way",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  service-account-csr.json | cfssljson -bare service-account
+
+}
+```
+
+Results:
+
+```
+service-account-key.pem
+service-account.pem
+```
+
+
 ## Distribute the Client and Server Certificates

 Copy the appropriate certificates and private keys to each worker instance:
@@ -274,10 +400,11 @@ Copy the appropriate certificates and private keys to each controller instance:

 ```
 for instance in controller-0 controller-1 controller-2; do
-  gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${instance}:~/
+  gcloud compute scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
+    service-account-key.pem service-account.pem ${instance}:~/
 done
 ```

-> The `kube-proxy` and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.
+> The `kube-proxy`, `kube-controller-manager`, `kube-scheduler`, and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.

 Next: [Generating Kubernetes Configuration Files for Authentication](05-kubernetes-configuration-files.md)