-
-
Save mascot6699/6eeadd855c41843001fe7f352c8d14b0 to your computer and use it in GitHub Desktop.
Kubernetes The Hard Way
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| set -euox pipefail | |
| IFS=$'\n\t' | |
| curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o cfssl | |
| curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o cfssljson | |
| curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o cfssl-certinfo | |
| chmod +x cfss* | |
| mv cfssl* /usr/local/bin/ | |
| cfssl version | |
| wget https://storage.googleapis.com/kubernetes-release/release/v1.14.3/bin/linux/amd64/kubectl | |
| chmod +x kubectl | |
| sudo mv kubectl /usr/local/bin/ | |
| # VPC 10.240.0.0/24 | |
| mkdir cert && cd cert | |
| cat << EOF > ca-config.json | |
| { | |
| "signing": { | |
| "default": { | |
| "expiry": "8760h" | |
| }, | |
| "profiles": { | |
| "kubernetes": { | |
| "usages": ["signing", "key encipherment", "server auth", "client auth"], | |
| "expiry": "8760h" | |
| } | |
| } | |
| } | |
| } | |
| EOF | |
| cat << EOF > ca-csr.json | |
| { | |
| "CN": "Kubernetes", | |
| "key": { | |
| "algo": "rsa", | |
| "size": 2048 | |
| } | |
| } | |
| EOF | |
| cfssl gencert -initca ca-csr.json | cfssljson -bare ca | |
| openssl x509 -in ca.pem -text -noout | |
| cat > admin-csr.json <<EOF | |
| { | |
| "CN": "admin", | |
| "key": { | |
| "algo": "rsa", | |
| "size": 2048 | |
| }, | |
| "names": [ | |
| { | |
| "O": "system:masters" | |
| } | |
| ] | |
| } | |
| EOF | |
| cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin | |
| openssl x509 -in admin.pem -text -noout | |
| cat > kube-controller-manager-csr.json <<EOF | |
| { | |
| "CN": "system:kube-controller-manager", | |
| "key": { | |
| "algo": "rsa", | |
| "size": 2048 | |
| }, | |
| "names": [ | |
| { | |
| "O": "system:kube-controller-manager" | |
| } | |
| ] | |
| } | |
| EOF | |
| cfssl gencert \ | |
| -ca=ca.pem \ | |
| -ca-key=ca-key.pem \ | |
| -config=ca-config.json \ | |
| -profile=kubernetes \ | |
| kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager | |
| openssl x509 -in kube-controller-manager.pem -text -noout | |
| cat > kube-proxy-csr.json <<EOF | |
| { | |
| "CN": "system:kube-proxy", | |
| "key": { | |
| "algo": "rsa", | |
| "size": 2048 | |
| }, | |
| "names": [ | |
| { | |
| "O": "system:node-proxier" | |
| } | |
| ] | |
| } | |
| EOF | |
| cfssl gencert \ | |
| -ca=ca.pem \ | |
| -ca-key=ca-key.pem \ | |
| -config=ca-config.json \ | |
| -profile=kubernetes \ | |
| kube-proxy-csr.json | cfssljson -bare kube-proxy | |
| openssl x509 -in kube-proxy.pem -text -noout | |
| cat > kube-scheduler-csr.json <<EOF | |
| { | |
| "CN": "system:kube-scheduler", | |
| "key": { | |
| "algo": "rsa", | |
| "size": 2048 | |
| }, | |
| "names": [ | |
| { | |
| "O": "system:kube-scheduler" | |
| } | |
| ] | |
| } | |
| EOF | |
| cfssl gencert \ | |
| -ca=ca.pem \ | |
| -ca-key=ca-key.pem \ | |
| -config=ca-config.json \ | |
| -profile=kubernetes \ | |
| kube-scheduler-csr.json | cfssljson -bare kube-scheduler | |
| openssl x509 -in kube-scheduler.pem -text -noout | |
| cat > kubernetes-csr.json <<EOF | |
| { | |
| "CN": "kubernetes", | |
| "key": { | |
| "algo": "rsa", | |
| "size": 2048 | |
| }, | |
| "names": [ | |
| { | |
| "O": "Kubernetes" | |
| } | |
| ] | |
| } | |
| EOF | |
| export INTERNAL_IP=$(ifconfig eth1 | grep 'inet ' | awk '{print $2}') | |
| cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname=`hostname`,${INTERNAL_IP} -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes | |
| openssl x509 -in kubernetes.pem -text -noout | |
| cat > service-account-csr.json <<EOF | |
| { | |
| "CN": "service-accounts", | |
| "key": { | |
| "algo": "rsa", | |
| "size": 2048 | |
| }, | |
| "names": [ | |
| { | |
| "O": "Kubernetes" | |
| } | |
| ] | |
| } | |
| EOF | |
| cfssl gencert \ | |
| -ca=ca.pem \ | |
| -ca-key=ca-key.pem \ | |
| -config=ca-config.json \ | |
| -profile=kubernetes \ | |
| service-account-csr.json | cfssljson -bare service-account | |
| openssl x509 -in service-account.pem -text -noout | |
| # kube-proxy | |
| kubectl config \ | |
| set-cluster kubernetes-the-hard-way --certificate-authority=ca.pem --embed-certs=true \ | |
| --server=https://${INTERNAL_IP}:6443 --kubeconfig=kube-proxy.kubeconfig | |
| kubectl config \ | |
| set-credentials system:kube-proxy --client-certificate=kube-proxy.pem \ | |
| --client-key=kube-proxy-key.pem --embed-certs=true --kubeconfig=kube-proxy.kubeconfig | |
| kubectl config set-context default \ | |
| --cluster=kubernetes-the-hard-way --user=system:kube-proxy --kubeconfig=kube-proxy.kubeconfig | |
| kubectl config set-cluster kubernetes-the-hard-way \ | |
| --certificate-authority=ca.pem \ | |
| --embed-certs=true \ | |
| --server=https://127.0.0.1:6443 \ | |
| --kubeconfig=kube-controller-manager.kubeconfig | |
| kubectl config set-credentials system:kube-controller-manager \ | |
| --client-certificate=kube-controller-manager.pem \ | |
| --client-key=kube-controller-manager-key.pem \ | |
| --embed-certs=true \ | |
| --kubeconfig=kube-controller-manager.kubeconfig | |
| kubectl config set-context default \ | |
| --cluster=kubernetes-the-hard-way \ | |
| --user=system:kube-controller-manager \ | |
| --kubeconfig=kube-controller-manager.kubeconfig | |
| kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig | |
| kubectl config set-cluster kubernetes-the-hard-way \ | |
| --certificate-authority=ca.pem \ | |
| --embed-certs=true \ | |
| --server=https://127.0.0.1:6443 \ | |
| --kubeconfig=kube-controller-manager.kubeconfig | |
| kubectl config set-credentials system:kube-controller-manager \ | |
| --client-certificate=kube-controller-manager.pem \ | |
| --client-key=kube-controller-manager-key.pem \ | |
| --embed-certs=true \ | |
| --kubeconfig=kube-controller-manager.kubeconfig | |
| kubectl config set-context default \ | |
| --cluster=kubernetes-the-hard-way \ | |
| --user=system:kube-controller-manager \ | |
| --kubeconfig=kube-controller-manager.kubeconfig | |
| kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig | |
| kubectl config set-cluster kubernetes-the-hard-way \ | |
| --certificate-authority=ca.pem \ | |
| --embed-certs=true \ | |
| --server=https://127.0.0.1:6443 \ | |
| --kubeconfig=kube-scheduler.kubeconfig | |
| kubectl config set-credentials system:kube-scheduler \ | |
| --client-certificate=kube-scheduler.pem \ | |
| --client-key=kube-scheduler-key.pem \ | |
| --embed-certs=true \ | |
| --kubeconfig=kube-scheduler.kubeconfig | |
| kubectl config set-context default \ | |
| --cluster=kubernetes-the-hard-way \ | |
| --user=system:kube-scheduler \ | |
| --kubeconfig=kube-scheduler.kubeconfig | |
| kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig | |
| kubectl config set-cluster kubernetes-the-hard-way \ | |
| --certificate-authority=ca.pem \ | |
| --embed-certs=true \ | |
| --server=https://${INTERNAL_IP}:6443 \ | |
| --kubeconfig=admin.kubeconfig | |
| kubectl config set-credentials admin \ | |
| --client-certificate=admin.pem \ | |
| --client-key=admin-key.pem \ | |
| --embed-certs=true \ | |
| --kubeconfig=admin.kubeconfig | |
| kubectl config set-context default \ | |
| --cluster=kubernetes-the-hard-way \ | |
| --user=admin \ | |
| --kubeconfig=admin.kubeconfig | |
| kubectl config use-context default --kubeconfig=admin.kubeconfig | |
| export ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64) | |
| cat > encryption-config.yaml <<EOF | |
| kind: EncryptionConfig | |
| apiVersion: v1 | |
| resources: | |
| - resources: | |
| - secrets | |
| providers: | |
| - aescbc: | |
| keys: | |
| - name: key1 | |
| secret: ${ENCRYPTION_KEY} | |
| - identity: {} | |
| EOF | |
| ETCD_VER=v3.3.13 | |
| # choose either URL | |
| GOOGLE_URL=https://storage.googleapis.com/etcd | |
| GITHUB_URL=https://github.com/etcd-io/etcd/releases/download | |
| DOWNLOAD_URL=${GOOGLE_URL} | |
| curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o etcd-${ETCD_VER}-linux-amd64.tar.gz | |
| tar xzvf etcd-${ETCD_VER}-linux-amd64.tar.gz | |
| rm -f etcd-${ETCD_VER}-linux-amd64.tar.gz | |
| mv etcd-${ETCD_VER}-linux-amd64/etcd* /usr/local/bin/ | |
| /usr/local/bin/etcd --version | |
| sudo mkdir -p /etc/etcd /var/lib/etcd | |
| sudo cp ca.pem kubernetes-key.pem kubernetes.pem /etc/etcd/ | |
| ETCD_NAME=$(hostname -s) | |
| cat <<EOF | sudo tee /etc/systemd/system/etcd.service | |
| [Unit] | |
| Description=etcd | |
| Documentation=https://github.com/coreos | |
| [Service] | |
| ExecStart=/usr/local/bin/etcd \ | |
| --name ${ETCD_NAME} \ | |
| --cert-file=/etc/etcd/kubernetes.pem \\ | |
| --key-file=/etc/etcd/kubernetes-key.pem \\ | |
| --peer-cert-file=/etc/etcd/kubernetes.pem \\ | |
| --peer-key-file=/etc/etcd/kubernetes-key.pem \\ | |
| --trusted-ca-file=/etc/etcd/ca.pem \\ | |
| --peer-trusted-ca-file=/etc/etcd/ca.pem \\ | |
| --peer-client-cert-auth \\ | |
| --client-cert-auth \\ | |
| --initial-advertise-peer-urls https://${INTERNAL_IP}:2380 \\ | |
| --listen-peer-urls https://${INTERNAL_IP}:2380 \\ | |
| --listen-client-urls https://${INTERNAL_IP}:2379,https://127.0.0.1:2379 \\ | |
| --advertise-client-urls https://${INTERNAL_IP}:2379 \\ | |
| --initial-cluster-token etcd-cluster-0 \\ | |
| --initial-cluster ${ETCD_NAME}=https://${INTERNAL_IP}:2380 \\ | |
| --initial-cluster-state new \\ | |
| --data-dir=/var/lib/etcd | |
| Restart=on-failure | |
| RestartSec=5 | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| sudo systemctl daemon-reload | |
| sudo systemctl enable etcd | |
| sudo systemctl start etcd | |
| sudo systemctl restart etcd | |
| sudo ETCDCTL_API=3 etcdctl member list --endpoints=https://${INTERNAL_IP}:2379 --cacert=/etc/etcd/ca.pem --cert=/etc/etcd/kubernetes.pem --key=/etc/etcd/kubernetes-key.pem | |
| export KUBE_RELEASE=1.14.3 | |
| wget -q --show-progress --https-only --timestamping \ | |
| "https://storage.googleapis.com/kubernetes-release/release/v${KUBE_RELEASE}/bin/linux/amd64/kube-apiserver" \ | |
| "https://storage.googleapis.com/kubernetes-release/release/v${KUBE_RELEASE}/bin/linux/amd64/kube-controller-manager" \ | |
| "https://storage.googleapis.com/kubernetes-release/release/v${KUBE_RELEASE}/bin/linux/amd64/kube-scheduler" \ | |
| "https://storage.googleapis.com/kubernetes-release/release/v${KUBE_RELEASE}/bin/linux/amd64/kubectl" | |
| chmod +x kube-apiserver kube-controller-manager kube-scheduler kubectl | |
| mv kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/local/bin/ | |
| mkdir -p /var/lib/kubernetes/ | |
| mkdir -p /etc/kubernetes/config | |
| mv ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \ | |
| service-account-key.pem service-account.pem \ | |
| encryption-config.yaml /var/lib/kubernetes/ | |
| cat <<EOF | sudo tee /etc/systemd/system/kube-apiserver.service | |
| [Unit] | |
| Description=Kubernetes API Server | |
| Documentation=https://github.com/kubernetes/kubernetes | |
| [Service] | |
| ExecStart=/usr/local/bin/kube-apiserver \\ | |
| --advertise-address=${INTERNAL_IP} \\ | |
| --allow-privileged=true \\ | |
| --apiserver-count=3 \\ | |
| --audit-log-maxage=30 \\ | |
| --audit-log-maxbackup=3 \\ | |
| --audit-log-maxsize=100 \\ | |
| --audit-log-path=/var/log/audit.log \\ | |
| --authorization-mode=Node,RBAC \\ | |
| --bind-address=0.0.0.0 \\ | |
| --client-ca-file=/var/lib/kubernetes/ca.pem \\ | |
| --enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\ | |
| --enable-swagger-ui=true \\ | |
| --etcd-cafile=/var/lib/kubernetes/ca.pem \\ | |
| --etcd-certfile=/var/lib/kubernetes/kubernetes.pem \\ | |
| --etcd-keyfile=/var/lib/kubernetes/kubernetes-key.pem \\ | |
| --etcd-servers=https://${INTERNAL_IP}:2379 \\ | |
| --event-ttl=1h \\ | |
| --experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\ | |
| --kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \\ | |
| --kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \\ | |
| --kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\ | |
| --kubelet-https=true \\ | |
| --runtime-config=api/all \\ | |
| --service-account-key-file=/var/lib/kubernetes/service-account.pem \\ | |
| --service-cluster-ip-range=10.32.0.0/24 \\ | |
| --service-node-port-range=30000-32767 \\ | |
| --tls-cert-file=/var/lib/kubernetes/kubernetes.pem \\ | |
| --tls-private-key-file=/var/lib/kubernetes/kubernetes-key.pem \\ | |
| --v=2 | |
| Restart=on-failure | |
| RestartSec=5 | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| mv kube-controller-manager.kubeconfig /var/lib/kubernetes/ | |
| cat <<EOF | sudo tee /etc/systemd/system/kube-controller-manager.service | |
| [Unit] | |
| Description=Kubernetes Controller Manager | |
| Documentation=https://github.com/kubernetes/kubernetes | |
| [Service] | |
| ExecStart=/usr/local/bin/kube-controller-manager \\ | |
| --address=0.0.0.0 \\ | |
| --cluster-cidr=10.200.0.0/16 \\ | |
| --cluster-name=kubernetes \\ | |
| --cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\ | |
| --cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\ | |
| --kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\ | |
| --leader-elect=true \\ | |
| --root-ca-file=/var/lib/kubernetes/ca.pem \\ | |
| --service-account-private-key-file=/var/lib/kubernetes/service-account-key.pem \\ | |
| --service-cluster-ip-range=10.32.0.0/24 \\ | |
| --use-service-account-credentials=true \\ | |
| --v=2 | |
| Restart=on-failure | |
| RestartSec=5 | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| mv kube-scheduler.kubeconfig /var/lib/kubernetes/ | |
| cat <<EOF | sudo tee /etc/kubernetes/config/kube-scheduler.yaml | |
| apiVersion: kubescheduler.config.k8s.io/v1alpha1 | |
| kind: KubeSchedulerConfiguration | |
| clientConnection: | |
| kubeconfig: "/var/lib/kubernetes/kube-scheduler.kubeconfig" | |
| leaderElection: | |
| leaderElect: true | |
| EOF | |
| cat <<EOF | sudo tee /etc/systemd/system/kube-scheduler.service | |
| [Unit] | |
| Description=Kubernetes Scheduler | |
| Documentation=https://github.com/kubernetes/kubernetes | |
| [Service] | |
| ExecStart=/usr/local/bin/kube-scheduler \\ | |
| --config=/etc/kubernetes/config/kube-scheduler.yaml \\ | |
| --v=2 | |
| Restart=on-failure | |
| RestartSec=5 | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| sudo systemctl daemon-reload | |
| sudo systemctl enable kube-apiserver kube-controller-manager kube-scheduler | |
| sudo systemctl start kube-apiserver kube-controller-manager kube-scheduler | |
| if timeout 100 sh -c "while sleep 3 ; do curl --insecure --silent --show-error --fail -o /dev/null --cacert /var/lib/kubernetes/ca.pem https://${INTERNAL_IP}:6443/version && break; done"; then | |
| echo "service is up" | |
| else | |
| exit 1 | |
| fi | |
| kubectl get componentstatuses --kubeconfig admin.kubeconfig | |
| cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f - | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: ClusterRole | |
| metadata: | |
| annotations: | |
| rbac.authorization.kubernetes.io/autoupdate: "true" | |
| labels: | |
| kubernetes.io/bootstrapping: rbac-defaults | |
| name: system:kube-apiserver-to-kubelet | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - nodes/proxy | |
| - nodes/stats | |
| - nodes/log | |
| - nodes/spec | |
| - nodes/metrics | |
| verbs: | |
| - "*" | |
| EOF | |
| cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f - | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: system:kube-apiserver | |
| namespace: "" | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: system:kube-apiserver-to-kubelet | |
| subjects: | |
| - apiGroup: rbac.authorization.k8s.io | |
| kind: User | |
| name: kubernetes | |
| EOF | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment