@liclac
Last active April 7, 2018 05:56
turns out it's super easy to get a functional k8s cluster these days
master ansible_user=root ansible_host=1.2.3.4
node-1 ansible_user=root ansible_host=1.2.3.5
node-2 ansible_user=root ansible_host=1.2.3.6
[k8s.master]
master
[k8s.node]
node-1
node-2
[k8s:children]
k8s.master
k8s.node
[k8s:vars]
# k8s version to install, pick one from e.g. https://kubernetes.io/docs/imported/release/notes/
k8s_version=1.10.0
# external hostname you can point kubectl or a web browser at
k8s_ext_hostname=k8s.example.com
# IP on the local network of the master node
k8s_master=10.0.0.2
# this token must be in the form: "[a-z0-9]{6}.[a-z0-9]{16}"
# you can generate a token with: `echo "$(openssl rand -hex 3).$(openssl rand -hex 8)"`
k8s_token=09b7c9.7fe7131bdab66664
# k8s.master role tasks
# the --apiserver-cert-extra-sans arg makes the certificate valid for all IPs known to the node
# if `ip addr` doesn't list your public IP (it does on DigitalOcean), you may have to add it yourself
# --pod-network-cidr=... is only needed if using flannel; 10.244.0.0/16 is what it defaults to using
- name: init kubernetes master
  command: >
    kubeadm init
    --kubernetes-version={{ k8s_version }}
    --pod-network-cidr=10.244.0.0/16
    --token={{ k8s_token }} --skip-token-print
    --apiserver-cert-extra-sans={{ k8s_ext_hostname }}
    {% for ip in ansible_all_ipv4_addresses %}--apiserver-cert-extra-sans={{ ip }} {% endfor %}
    {% for ip in ansible_all_ipv6_addresses %}--apiserver-cert-extra-sans={{ ip }} {% endfor %}
  args:
    creates: /etc/kubernetes/admin.conf
# these two make it possible to make authenticated `kubectl` calls as root without having to pass
# --kubeconfig=/etc/kubernetes/admin.conf or setting KUBECONFIG=/etc/kubernetes/admin.conf everywhere
- name: create ~/.kube directory for root
  file:
    path: /root/.kube
    state: directory
- name: symlink /etc/kubernetes/admin.conf -> ~/.kube/config
  file:
    path: /root/.kube/config
    src: /etc/kubernetes/admin.conf
    state: link
# your cluster won't actually work properly without an overlay network, the choice of flannel is arbitrary
- name: install flannel as an overlay network
  command: kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/v0.9.1/Documentation/kube-flannel.yml
  args:
    creates: /etc/cni/net.d/10-flannel.conf
# k8s.node role tasks
# --discovery-token-unsafe-skip-ca-verification makes this easier, but it makes it possible to impersonate your master!
- name: join kubernetes cluster
  command: >
    kubeadm join {{ k8s_master }}:6443
    --token={{ k8s_token }}
    --discovery-token-unsafe-skip-ca-verification
  args:
    creates: /etc/kubernetes/kubelet.conf
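A join that verifies the master's CA instead of skipping it, as an added example that is not part of the gist: the master hashes the SHA-256 of its CA public key (the same value `kubeadm init` prints), and the node passes it with `--discovery-token-ca-cert-hash`, so a node only joins an API server whose CA matches. The task names, the `k8s_ca_cert_hash` variable and the reliance on the k8s.master play running before the k8s.node play (as the playbook here does) are assumptions of this example.

```yaml
# added to the k8s.master role (hypothetical task and variable names)
# /etc/kubernetes/pki/ca.crt is where kubeadm init writes the cluster CA
- name: compute CA public key hash for node discovery pinning
  shell: >
    openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt
    | openssl pkey -pubin -outform der
    | openssl dgst -sha256 -hex
    | sed 's/^.* //'
  register: k8s_ca_cert_hash
  changed_when: false

# replaces the join task in the k8s.node role; the k8s.master play must have run first
# so that hostvars of the master host already carry k8s_ca_cert_hash
- name: join kubernetes cluster, pinned to the master's CA
  command: >
    kubeadm join {{ k8s_master }}:6443
    --token={{ k8s_token }}
    --discovery-token-ca-cert-hash=sha256:{{ hostvars[groups['k8s.master'][0]]['k8s_ca_cert_hash']['stdout'] }}
  args:
    creates: /etc/kubernetes/kubelet.conf
```

With the hash pinned, a host that answers on {{ k8s_master }}:6443 with a different CA is rejected at discovery time rather than handed the bootstrap token.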
# k8s role tasks (common to master and nodes)
# this is required for flannel to work
- name: use iptables for bridged ipv4 traffic
  sysctl:
    name: net.bridge.bridge-nf-call-iptables
    value: "1"
    state: present
- name: add kubernetes repo key
  apt_key:
    url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
    state: present
- name: add kubernetes repo
  apt_repository:
    repo: deb http://apt.kubernetes.io/ kubernetes-{{ ansible_distribution_release }} main
    state: present
# this will install the version pinned in the kubernetes repository
- name: install docker
  apt:
    package: docker-engine
    state: present
- name: install kubernetes components
  apt:
    package: "{{ item }}"
    state: present
  with_items:
    - kubectl
    - kubelet
    - kubeadm
# playbook
- hosts: k8s
  roles:
    - { role: k8s, tags: [k8s] }
- hosts: k8s.master
  roles:
    - { role: k8s.master, tags: [k8s, master] }
- hosts: k8s.node
  roles:
    - { role: k8s.node, tags: [k8s, node] }