From 07a9ea47f4e98fc4101e947713b6545455aedfb1 Mon Sep 17 00:00:00 2001 From: Simon Willison Date: Sat, 26 Aug 2017 09:52:00 -0700 Subject: [PATCH 1/5] Added some Google Cloud Platform explanations When I ran through this tutorial I wasn't clear on the reason for some of the commands, so I did some research and fleshed out this section with basic explanations and links to the relevant Google Cloud Platform documentation. --- docs/01-infrastructure-gcp.md | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/docs/01-infrastructure-gcp.md b/docs/01-infrastructure-gcp.md index ffe0dfe..576d16a 100644 --- a/docs/01-infrastructure-gcp.md +++ b/docs/01-infrastructure-gcp.md @@ -36,14 +36,19 @@ gcloud config set compute/zone us-central1-f ## Setup Networking - -Create a custom network: +Create a custom virtual network on GCP: ``` gcloud compute networks create kubernetes-the-hard-way --mode custom ``` -Create a subnet for the Kubernetes cluster: +https://cloud.google.com/compute/docs/vpc/ + +A virtual network allows your machines to talk to each other over a private network, inaccessible from the outside world unless you create firewall rules to allow access. + +The `--mode=custom` flag means you will need to create subnets within this network manually. `--mode=auto` would cause subnets to be created automatically. + +Create a subnet called `kubernetes` for your instances: ``` gcloud compute networks subnets create kubernetes \ 
@@ -52,8 +57,18 @@ gcloud compute networks subnets create kubernetes \ --region us-central1 ``` +While your virtual network exists across all GCP regions, a subnet is a range of private IP addresses within a single region. Instances are created within a subnet. + +`10.240.0.0/24` means IPs from `10.240.0.0` to `10.240.0.254`. + ### Create Firewall Rules +https://cloud.google.com/compute/docs/vpc/firewalls + +A GCP network also acts as a firewall. By default no connections are allowed from the outside world, and connections between instances are also forbidden. We can add firewall rules to allow our instances to talk to each other within the network. + +This creates a rule called `allow-internal` which allows TCP, UDP and ICMP connections between all machines in your `10.240.0.0/24` subnet, and also enables those machines to talk to the CIDR range `0.200.0.0/16`: + ``` gcloud compute firewall-rules create allow-internal \ --allow tcp,udp,icmp \ @@ -61,6 +76,10 @@ gcloud compute firewall-rules create allow-internal \ --source-ranges 10.240.0.0/24,10.200.0.0/16 ``` +This rule (called `allow-external`) allows traffic on TCP port 22 (SSH), 3389 (unsure why, see [#160](https://github.com/kelseyhightower/kubernetes-the-hard-way/issues/160)) and port 6443 (kubernetes). It also allows ICMP traffic. + +`0.0.0.0/0` means "apply to all ranges", hence this rule allows gives access to external traffic from outside the network. + ``` gcloud compute firewall-rules create allow-external \ --allow tcp:22,tcp:3389,tcp:6443,icmp \ 
@@ -68,6 +87,12 @@ gcloud compute firewall-rules create allow-external \ --source-ranges 0.0.0.0/0 ``` +Finally we create a rule called `allow-healthz` to allow the Google Cloud Platform's healthcheck mechanism to access the Kubernetes `/_status/healthz` API, which runs on port 8080. + +https://cloud.google.com/compute/docs/load-balancing/health-checks + +GCP health check probes come from addresses in the ranges `130.211.0.0/22` and `35.191.0.0/16`, so we need to provide those as the `--source-ranges`: + ``` gcloud compute firewall-rules create allow-healthz \ --allow tcp:8080 \ @@ -75,6 +100,7 @@ gcloud compute firewall-rules create allow-healthz \ --source-ranges 130.211.0.0/22,35.191.0.0/16 ``` +Our firewall rules should now look like this: ``` gcloud compute firewall-rules list --filter "network=kubernetes-the-hard-way" From bc3adfd63591bbfde5530a9a5effb47c2d6faaf3 Mon Sep 17 00:00:00 2001 From: Simon Willison Date: Sat, 26 Aug 2017 12:20:43 -0700 Subject: [PATCH 2/5] Fixed typo --- docs/01-infrastructure-gcp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/01-infrastructure-gcp.md b/docs/01-infrastructure-gcp.md index 576d16a..78dd5f4 100644 --- a/docs/01-infrastructure-gcp.md +++ b/docs/01-infrastructure-gcp.md 
@@ -67,7 +67,7 @@ https://cloud.google.com/compute/docs/vpc/firewalls A GCP network also acts as a firewall. By default no connections are allowed from the outside world, and connections between instances are also forbidden. We can add firewall rules to allow our instances to talk to each other within the network. -This creates a rule called `allow-internal` which allows TCP, UDP and ICMP connections between all machines in your `10.240.0.0/24` subnet, and also enables those machines to talk to the CIDR range `0.200.0.0/16`: +This creates a rule called `allow-internal` which allows TCP, UDP and ICMP connections between all machines in your `10.240.0.0/24` subnet, and also enables those machines to talk to the CIDR range `10.200.0.0/16`: ``` gcloud compute firewall-rules create allow-internal \ From 2de198c0f72d713b90dba2eb73b7868ab98cd27b Mon Sep 17 00:00:00 2001 From: Simon Willison Date: Sat, 26 Aug 2017 12:22:27 -0700 Subject: [PATCH 3/5] Wording --- docs/01-infrastructure-gcp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/01-infrastructure-gcp.md b/docs/01-infrastructure-gcp.md index 78dd5f4..e255f2b 100644 --- a/docs/01-infrastructure-gcp.md +++ b/docs/01-infrastructure-gcp.md @@ -78,7 +78,7 @@ gcloud compute firewall-rules create allow-internal \ This rule (called `allow-external`) allows traffic on TCP port 22 (SSH), 3389 (unsure why, see [#160](https://github.com/kelseyhightower/kubernetes-the-hard-way/issues/160)) and port 6443 (kubernetes). It also allows ICMP traffic. -`0.0.0.0/0` means "apply to all ranges", hence this rule allows gives access to external traffic from outside the network. +`0.0.0.0/0` means "apply to all ranges", hence this rule allows access to external traffic from outside our network. ``` gcloud compute firewall-rules create allow-external \ From 81db106fad8de67bba9a170eca4a5ffb2438eaad Mon Sep 17 00:00:00 2001 
From: Simon Willison Date: Mon, 28 Aug 2017 13:42:54 -0700 Subject: [PATCH 4/5] Explained the 10.200.0.0/16 subnet --- docs/01-infrastructure-gcp.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/01-infrastructure-gcp.md b/docs/01-infrastructure-gcp.md index e255f2b..3df4edf 100644 --- a/docs/01-infrastructure-gcp.md +++ b/docs/01-infrastructure-gcp.md @@ -67,7 +67,9 @@ https://cloud.google.com/compute/docs/vpc/firewalls A GCP network also acts as a firewall. By default no connections are allowed from the outside world, and connections between instances are also forbidden. We can add firewall rules to allow our instances to talk to each other within the network. -This creates a rule called `allow-internal` which allows TCP, UDP and ICMP connections between all machines in your `10.240.0.0/24` subnet, and also enables those machines to talk to the CIDR range `10.200.0.0/16`: +Kubernetes pods are assigned their own IP addresses independent of the instances ther are running on. We will be using the CIDR subnet `10.200.0.0/16` for this, configured in chapter 5 as the `--cluster-cidr` argument to `kube-controller-manager`. + +Here we create a firewall rule called `allow-internal` which allows TCP, UDP and ICMP connections between the instances in your `10.240.0.0/24` subnet, and the Kubernetes pods that will live in the `10.200.0.0/16` range. ``` gcloud compute firewall-rules create allow-internal \ From 8291185f0539fade748c7dc4b9e52e3a312baf92 Mon Sep 17 00:00:00 2001 From: Simon Willison Date: Wed, 30 Aug 2017 14:24:44 -0700 Subject: [PATCH 5/5] Fixed typo --- docs/01-infrastructure-gcp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/01-infrastructure-gcp.md b/docs/01-infrastructure-gcp.md index 3df4edf..02eaedc 100644 --- a/docs/01-infrastructure-gcp.md +++ b/docs/01-infrastructure-gcp.md 
@@ -67,7 +67,7 @@ https://cloud.google.com/compute/docs/vpc/firewalls A GCP network also acts as a firewall. By default no connections are allowed from the outside world, and connections between instances are also forbidden. We can add firewall rules to allow our instances to talk to each other within the network. -Kubernetes pods are assigned their own IP addresses independent of the instances ther are running on. We will be using the CIDR subnet `10.200.0.0/16` for this, configured in chapter 5 as the `--cluster-cidr` argument to `kube-controller-manager`. +Kubernetes pods are assigned their own IP addresses independent of the instances they are running on. We will be using the CIDR subnet `10.200.0.0/16` for this, configured in chapter 5 as the `--cluster-cidr` argument to `kube-controller-manager`. Here we create a firewall rule called `allow-internal` which allows TCP, UDP and ICMP connections between the instances in your `10.240.0.0/24` subnet, and the Kubernetes pods that will live in the `10.200.0.0/16` range.
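Review bot: In the first hunk of patch 1/5 (`@@ -36,14 +36,19 @@`), the prose refers to `--mode=custom` and `--mode=auto` while the command directly above it is written `--mode custom`; use one spelling of the flag so readers do not wonder whether the two forms differ. The same hunk drops a bare `https://cloud.google.com/compute/docs/vpc/` on its own line, whereas the rest of the file links with markdown syntax (the later `[#160](...)` is an example); wrap it as a link with descriptive text, e.g. `See the [VPC network documentation](https://cloud.google.com/compute/docs/vpc/).`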
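Review bot: In the second hunk of patch 1/5 (`@@ -52,8 +57,18 @@`), the sentence "`10.240.0.0/24` means IPs from `10.240.0.0` to `10.240.0.254`" is off by one: a /24 spans 256 addresses, `10.240.0.0` through `10.240.0.255`. Since not every address in a GCP subnet is assignable to an instance (the provider reserves a few at each end of the range), either state the full range and mention the reservation, or say "256 addresses" and leave the endpoints out. The same hunk also introduces the `0.200.0.0/16` typo for `10.200.0.0/16`, which the command in the hunk spells correctly; patch 2/5 in this series fixes it, so squash the fix into this commit.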
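Review bot: In the third hunk of patch 1/5 (`@@ -61,6 +76,10 @@`), "3389 (unsure why, see [#160](...))" should not ship in the published text; either resolve the issue before merging or phrase it neutrally, e.g. "3389 (RDP; see [#160](...) for discussion)". The same paragraph is the right place to say what makes a `0.0.0.0/0` source range acceptable here, since the rule exposes SSH, 3389 and the API server port to the whole internet: SSH is key-authenticated and the API server on 6443 requires TLS client certificates, and readers who want a smaller exposure can narrow `--source-ranges` to their own address. "allows gives access" is a grammar slip that patch 3/5 later rewrites; fold that into this commit.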
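Review bot: In the fourth hunk of patch 1/5 (`@@ -68,6 +87,12 @@`), "the Kubernetes `/_status/healthz` API, which runs on port 8080" does not say which process listens on 8080 or where that listener is configured; the `10.200.0.0/16` paragraph added in patch 4/5 sets a good precedent by pointing at the chapter and flag (`--cluster-cidr` on `kube-controller-manager`), so do the same here (name the component and the chapter that starts it). The explanation of why `130.211.0.0/22,35.191.0.0/16` are the `--source-ranges` is useful; as with the earlier hunk, turn the bare health-checks URL into a markdown link rather than a line of its own.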
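Review bot: In the last hunk of patch 1/5 (`@@ -75,6 +100,7 @@`), the added line "Our firewall rules should now look like this:" is immediately followed by the opening fence with no blank line between them, unlike every other prose-then-fence transition in this file; add the blank line. The sentence also promises output ("should now look like this") but the line that follows is the `gcloud compute firewall-rules list` command, so reword to "List the rules with:" or similar unless the expected output is shown below it.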
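Review bot: In patch 3/5 (`@@ -78,7 +78,7 @@`), the new wording "this rule allows access to external traffic from outside our network" still reads as if the instances are being granted access to something; the rule is an ingress rule whose source range matches every address, so say what it actually does, e.g. "so this rule lets traffic from anywhere on the internet reach those ports on your instances."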
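Review bot: In patch 4/5 (`@@ -67,7 +67,9 @@`), "the instances ther are running on" has a typo ("they") that patch 5/5 fixes; squash it. The rewritten `allow-internal` paragraph describes the rule as allowing connections "between the instances ... and the Kubernetes pods", but the command below it expresses this through `--source-ranges 10.240.0.0/24,10.200.0.0/16`, i.e. it permits inbound traffic from either range to every instance in the network; say so explicitly, since readers following the `--source-ranges` pattern from the `allow-healthz` rule will otherwise wonder why the pod range appears as a source rather than a destination.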