Last active
July 26, 2020 04:39
-
-
Save surajssd/71892b7a9c5c2cb175fd050cee45d495 to your computer and use it in GitHub Desktop.
kubernetes the hard way
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sudo dnf -y update | |
| sudo setenforce 0 | |
| # install binaries | |
| cd /vagrant/tools | |
| sudo mkdir -p /etc/kubernetes/config | |
| chmod +x kube-apiserver kube-controller-manager kube-scheduler kubectl | |
| sudo mv kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/local/bin/ | |
| tar -xvf etcd-v3.3.9-linux-amd64.tar.gz | |
| sudo mv etcd-v3.3.9-linux-amd64/etcd* /usr/local/bin/ | |
| cd /vagrant/certs | |
| sudo mkdir -p /var/lib/kubernetes/ | |
| sudo mkdir -p /etc/etcd /var/lib/etcd | |
| sudo cp ca.pem kubernetes-key.pem kubernetes.pem /etc/etcd/ | |
| sudo mv ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \ | |
| service-account-key.pem service-account.pem \ | |
| encryption-config.yaml /var/lib/kubernetes/ | |
| export INTERNAL_IP=192.168.50.10 | |
| export ETCD_NAME=$(hostname -s) | |
| cat <<EOF | sudo tee /etc/systemd/system/etcd.service | |
| [Unit] | |
| Description=etcd | |
| Documentation=https://github.com/coreos | |
| [Service] | |
| ExecStart=/usr/local/bin/etcd \\ | |
| --name ${ETCD_NAME} \\ | |
| --cert-file=/etc/etcd/kubernetes.pem \\ | |
| --key-file=/etc/etcd/kubernetes-key.pem \\ | |
| --peer-cert-file=/etc/etcd/kubernetes.pem \\ | |
| --peer-key-file=/etc/etcd/kubernetes-key.pem \\ | |
| --trusted-ca-file=/etc/etcd/ca.pem \\ | |
| --peer-trusted-ca-file=/etc/etcd/ca.pem \\ | |
| --peer-client-cert-auth \\ | |
| --client-cert-auth \\ | |
| --initial-advertise-peer-urls https://${INTERNAL_IP}:2380 \\ | |
| --listen-peer-urls https://${INTERNAL_IP}:2380 \\ | |
| --listen-client-urls https://${INTERNAL_IP}:2379,https://127.0.0.1:2379 \\ | |
| --advertise-client-urls https://${INTERNAL_IP}:2379 \\ | |
| --initial-cluster-token etcd-cluster-0 \\ | |
| --initial-cluster master=https://192.168.50.10:2380 \\ | |
| --initial-cluster-state new \\ | |
| --data-dir=/var/lib/etcd | |
| Restart=on-failure | |
| RestartSec=5 | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| sudo systemctl daemon-reload | |
| sudo systemctl enable etcd | |
| sudo systemctl start etcd | |
| sudo systemctl status --no-pager etcd | |
| sudo ETCDCTL_API=3 etcdctl member list \ | |
| --endpoints=https://127.0.0.1:2379 \ | |
| --cacert=/etc/etcd/ca.pem \ | |
| --cert=/etc/etcd/kubernetes.pem \ | |
| --key=/etc/etcd/kubernetes-key.pem | |
| cat <<EOF | sudo tee /etc/systemd/system/kube-apiserver.service | |
| [Unit] | |
| Description=Kubernetes API Server | |
| Documentation=https://github.com/kubernetes/kubernetes | |
| [Service] | |
| ExecStart=/usr/local/bin/kube-apiserver \\ | |
| --advertise-address=${INTERNAL_IP} \\ | |
| --allow-privileged=true \\ | |
| --apiserver-count=3 \\ | |
| --audit-log-maxage=30 \\ | |
| --audit-log-maxbackup=3 \\ | |
| --audit-log-maxsize=100 \\ | |
| --audit-log-path=/var/log/audit.log \\ | |
| --authorization-mode=Node,RBAC \\ | |
| --bind-address=0.0.0.0 \\ | |
| --client-ca-file=/var/lib/kubernetes/ca.pem \\ | |
| --enable-admission-plugins=Initializers,NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\ | |
| --enable-bootstrap-token-auth=true \\ | |
| --enable-swagger-ui=true \\ | |
| --etcd-cafile=/var/lib/kubernetes/ca.pem \\ | |
| --etcd-certfile=/var/lib/kubernetes/kubernetes.pem \\ | |
| --etcd-keyfile=/var/lib/kubernetes/kubernetes-key.pem \\ | |
| --etcd-servers=https://192.168.50.10:2379 \\ | |
| --event-ttl=1h \\ | |
| --experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\ | |
| --kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \\ | |
| --kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \\ | |
| --kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\ | |
| --kubelet-https=true \\ | |
| --runtime-config=api/all \\ | |
| --service-account-key-file=/var/lib/kubernetes/service-account.pem \\ | |
| --service-cluster-ip-range=10.32.0.0/24 \\ | |
| --service-node-port-range=30000-32767 \\ | |
| --tls-cert-file=/var/lib/kubernetes/kubernetes.pem \\ | |
| --tls-private-key-file=/var/lib/kubernetes/kubernetes-key.pem \\ | |
| --v=2 | |
| Restart=on-failure | |
| RestartSec=5 | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| sudo mv kube-controller-manager.kubeconfig /var/lib/kubernetes/ | |
| cat <<EOF | sudo tee /etc/systemd/system/kube-controller-manager.service | |
| [Unit] | |
| Description=Kubernetes Controller Manager | |
| Documentation=https://github.com/kubernetes/kubernetes | |
| [Service] | |
| ExecStart=/usr/local/bin/kube-controller-manager \\ | |
| --address=0.0.0.0 \\ | |
| --cluster-cidr=10.200.0.0/16 \\ | |
| --cluster-name=kubernetes \\ | |
| --cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\ | |
| --cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\ | |
| --controllers=*,bootstrapsigner,tokencleaner \\ | |
| --kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\ | |
| --leader-elect=true \\ | |
| --root-ca-file=/var/lib/kubernetes/ca.pem \\ | |
| --service-account-private-key-file=/var/lib/kubernetes/service-account-key.pem \\ | |
| --service-cluster-ip-range=10.32.0.0/24 \\ | |
| --use-service-account-credentials=true \\ | |
| --v=2 | |
| Restart=on-failure | |
| RestartSec=5 | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| sudo mv kube-scheduler.kubeconfig /var/lib/kubernetes/ | |
| cat <<EOF | sudo tee /etc/kubernetes/config/kube-scheduler.yaml | |
| apiVersion: componentconfig/v1alpha1 | |
| kind: KubeSchedulerConfiguration | |
| clientConnection: | |
| kubeconfig: "/var/lib/kubernetes/kube-scheduler.kubeconfig" | |
| leaderElection: | |
| leaderElect: true | |
| EOF | |
| cat <<EOF | sudo tee /etc/systemd/system/kube-scheduler.service | |
| [Unit] | |
| Description=Kubernetes Scheduler | |
| Documentation=https://github.com/kubernetes/kubernetes | |
| [Service] | |
| ExecStart=/usr/local/bin/kube-scheduler \\ | |
| --config=/etc/kubernetes/config/kube-scheduler.yaml \\ | |
| --v=2 | |
| Restart=on-failure | |
| RestartSec=5 | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| sudo systemctl daemon-reload | |
| sudo systemctl enable kube-apiserver kube-controller-manager kube-scheduler | |
| sudo systemctl start kube-apiserver kube-controller-manager kube-scheduler | |
| kubectl get componentstatuses --kubeconfig admin.kubeconfig | |
| cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f - | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: ClusterRole | |
| metadata: | |
| annotations: | |
| rbac.authorization.kubernetes.io/autoupdate: "true" | |
| labels: | |
| kubernetes.io/bootstrapping: rbac-defaults | |
| name: system:kube-apiserver-to-kubelet | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - nodes/proxy | |
| - nodes/stats | |
| - nodes/log | |
| - nodes/spec | |
| - nodes/metrics | |
| verbs: | |
| - "*" | |
| EOF | |
| cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f - | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: system:kube-apiserver | |
| namespace: "" | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: system:kube-apiserver-to-kubelet | |
| subjects: | |
| - apiGroup: rbac.authorization.k8s.io | |
| kind: User | |
| name: kubernetes | |
| EOF | |
| cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f - | |
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| # Name MUST be of form "bootstrap-token-<token id>" | |
| name: bootstrap-token-07401b | |
| namespace: kube-system | |
| # Type MUST be 'bootstrap.kubernetes.io/token' | |
| type: bootstrap.kubernetes.io/token | |
| stringData: | |
| # Human readable description. Optional. | |
| description: "Created for Kubernetes the Hard Way" | |
| # Token ID and secret. Required. | |
| token-id: 07401b | |
| token-secret: f395accd246ae52d | |
| # Allowed usages. | |
| usage-bootstrap-authentication: "true" | |
| usage-bootstrap-signing: "true" | |
| EOF | |
| kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --group=system:bootstrappers | |
| kubectl create clusterrolebinding node-autoapprove-bootstrap --clusterrole=system:certificates.k8s.io:certificatesigningrequests:nodeclient --group=system:bootstrappers | |
| kubectl create clusterrolebinding node-autoapprove-certificate-rotation --clusterrole=system:certificates.k8s.io:certificatesigningrequests:selfnodeclient --group=system:nodes | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sudo dnf -y update | |
| sudo dnf -y install socat conntrack ipset iptables | |
| sudo setenforce 0 | |
| sudo mkdir -p \ | |
| /etc/cni/net.d \ | |
| /opt/cni/bin \ | |
| /var/lib/kubelet \ | |
| /var/lib/kube-proxy \ | |
| /var/lib/kubernetes \ | |
| /var/run/kubernetes \ | |
| /etc/containerd/ | |
| cd /vagrant/tools | |
| sudo mv runsc-50c283b9f56bb7200938d9e207355f05f79f0d17 runsc | |
| sudo mv runc.amd64 runc | |
| chmod +x kubectl kube-proxy kubelet runc runsc | |
| sudo mv kubectl kube-proxy kubelet runc runsc /usr/local/bin/ | |
| sudo tar -xvf crictl-v1.12.0-linux-amd64.tar.gz -C /usr/local/bin/ | |
| sudo tar -xvf cni-plugins-amd64-v0.6.0.tgz -C /opt/cni/bin/ | |
| sudo tar -xvf containerd-1.2.0-rc.0.linux-amd64.tar.gz -C / | |
| cd /vagrant/certs | |
| POD_CIDR=10.200.0.0/24 | |
| cat <<EOF | sudo tee /etc/cni/net.d/10-bridge.conf | |
| { | |
| "cniVersion": "0.3.1", | |
| "name": "bridge", | |
| "type": "bridge", | |
| "bridge": "cnio0", | |
| "isGateway": true, | |
| "ipMasq": true, | |
| "ipam": { | |
| "type": "host-local", | |
| "ranges": [ | |
| [{"subnet": "${POD_CIDR}"}] | |
| ], | |
| "routes": [{"dst": "0.0.0.0/0"}] | |
| } | |
| } | |
| EOF | |
| cat <<EOF | sudo tee /etc/cni/net.d/99-loopback.conf | |
| { | |
| "cniVersion": "0.3.1", | |
| "type": "loopback" | |
| } | |
| EOF | |
| cat << EOF | sudo tee /etc/containerd/config.toml | |
| [plugins] | |
| [plugins.cri.containerd] | |
| snapshotter = "overlayfs" | |
| [plugins.cri.containerd.default_runtime] | |
| runtime_type = "io.containerd.runtime.v1.linux" | |
| runtime_engine = "/usr/local/bin/runc" | |
| runtime_root = "" | |
| [plugins.cri.containerd.untrusted_workload_runtime] | |
| runtime_type = "io.containerd.runtime.v1.linux" | |
| runtime_engine = "/usr/local/bin/runsc" | |
| runtime_root = "/run/containerd/runsc" | |
| [plugins.cri.containerd.gvisor] | |
| runtime_type = "io.containerd.runtime.v1.linux" | |
| runtime_engine = "/usr/local/bin/runsc" | |
| runtime_root = "/run/containerd/runsc" | |
| EOF | |
| cat <<EOF | sudo tee /etc/systemd/system/containerd.service | |
| [Unit] | |
| Description=containerd container runtime | |
| Documentation=https://containerd.io | |
| After=network.target | |
| [Service] | |
| ExecStartPre=/sbin/modprobe overlay | |
| ExecStart=/bin/containerd | |
| Restart=always | |
| RestartSec=5 | |
| Delegate=yes | |
| KillMode=process | |
| OOMScoreAdjust=-999 | |
| LimitNOFILE=1048576 | |
| LimitNPROC=infinity | |
| LimitCORE=infinity | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| sudo mv ca.pem ~ | |
| cat <<EOF | sudo tee /etc/systemd/system/kubelet.service | |
| [Unit] | |
| Description=Kubernetes Kubelet | |
| Documentation=https://github.com/kubernetes/kubernetes | |
| After=containerd.service | |
| Requires=containerd.service | |
| [Service] | |
| ExecStart=/usr/local/bin/kubelet \\ | |
| --bootstrap-kubeconfig=/home/vagrant/bootstrap.kubeconfig \\ | |
| --config=/var/lib/kubelet/kubelet-config.yaml \\ | |
| --container-runtime=remote \\ | |
| --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock \\ | |
| --image-pull-progress-deadline=2m \\ | |
| --kubeconfig=/home/vagrant/kubeconfig \\ | |
| --network-plugin=cni \\ | |
| --register-node=true \\ | |
| --v=2 | |
| Restart=on-failure | |
| RestartSec=5 | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| sudo mv kube-proxy.kubeconfig /var/lib/kube-proxy/kubeconfig | |
| cat <<EOF | sudo tee /var/lib/kube-proxy/kube-proxy-config.yaml | |
| kind: KubeProxyConfiguration | |
| apiVersion: kubeproxy.config.k8s.io/v1alpha1 | |
| clientConnection: | |
| kubeconfig: "/var/lib/kube-proxy/kubeconfig" | |
| mode: "iptables" | |
| clusterCIDR: "10.200.0.0/16" | |
| EOF | |
| cat <<EOF | sudo tee /etc/systemd/system/kube-proxy.service | |
| [Unit] | |
| Description=Kubernetes Kube Proxy | |
| Documentation=https://github.com/kubernetes/kubernetes | |
| [Service] | |
| ExecStart=/usr/local/bin/kube-proxy \\ | |
| --config=/var/lib/kube-proxy/kube-proxy-config.yaml | |
| Restart=on-failure | |
| RestartSec=5 | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOF | |
| cd | |
| # I have used the ip address of my api-server use yours | |
| kubectl config set-cluster kthwkinvolk \ | |
| --certificate-authority=ca.pem \ | |
| --embed-certs=true \ | |
| --server=https://192.168.50.10:6443 \ | |
| --kubeconfig=/home/vagrant/bootstrap.kubeconfig | |
| # this token is above generated | |
| kubectl config set-credentials kubelet-bootstrap \ | |
| --token=07401b.f395accd246ae52d \ | |
| --kubeconfig=/home/vagrant/bootstrap.kubeconfig | |
| kubectl config set-context default \ | |
| --cluster=kthwkinvolk \ | |
| --user=kubelet-bootstrap \ | |
| --kubeconfig=/home/vagrant/bootstrap.kubeconfig | |
| kubectl config use-context default \ | |
| --kubeconfig=/home/vagrant/bootstrap.kubeconfig | |
| sudo systemctl daemon-reload | |
| sudo systemctl enable containerd kubelet kube-proxy | |
| sudo systemctl start containerd kubelet kube-proxy | |
| sudo systemctl status containerd kubelet kube-proxy |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # -*- mode: ruby -*- | |
| # vi: set ft=ruby : | |
| Vagrant.configure("2") do |config| | |
| config.vm.define "master" do |master| | |
| master.vm.box = "fedora/28-cloud-base" | |
| master.vm.hostname = "master" | |
| master.vm.network "private_network", ip: "192.168.50.10" | |
| end | |
| config.vm.define "node" do |node| | |
| node.vm.box = "fedora/28-cloud-base" | |
| node.vm.hostname = "node" | |
| node.vm.network "private_network", ip: "192.168.50.20" | |
| end | |
| config.vm.provider "virtualbox" do |virtualbox, override| | |
| virtualbox.memory = 2048 | |
| virtualbox.cpus = 2 | |
| end | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Follow Kubernetes the hard way to generate certs as they are mentioned and put them in
certsdirectory. Download tools and put them intotoolsdirectory.This is how my directory structure looks like, here you can do
vagrant upand vms will start. And run above commands in respective machines.