@yuanying
Created October 8, 2015 05:10
Create secure k8s by Magnum
(venv)[yuanying@Soloist] ~/Projects/OpenStack/python-magnumclient/.tox
 openssl genrsa -out client.key 4096
Generating RSA private key, 512 bit long modulus
.....++++++++++++
...............++++++++++++
e is 65537 (0x10001)
(venv)[yuanying@Soloist] ~/Projects/OpenStack/python-magnumclient/.tox
 openssl req -new -days 1000 \
-key "client.key" \
-out "client.csr" \
-reqexts req_ext \
-config client.conf
(venv)[yuanying@Soloist] ~/Projects/OpenStack/python-magnumclient/.tox
 cat << _EOC_ > client.conf
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = kubernetes.invalid
[req_ext]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectAltName=dirName:kubelet,dirName:kubeproxy
[kubelet]
CN=kubelet
[kubeproxy]
CN=kube-proxy
_EOC_
(venv)[yuanying@Soloist] ~/Projects/OpenStack/python-magnumclient/.tox
 magnum baymodel-create --name secure-kubernetes --keypair-id default \
--external-network-id public \
--image-id fedora-21-atomic-5 \
--flavor-id m1.small --docker-volume-size 1 \
--coe kubernetes --network-driver flannel
+---------------------+--------------------------------------+
| Property | Value |
+---------------------+--------------------------------------+
| http_proxy | None |
| updated_at | None |
| master_flavor_id | None |
| fixed_network | None |
| uuid | 668a5e97-ba92-4b84-bdc3-e2388e0462ea |
| no_proxy | None |
| https_proxy | None |
| tls_disabled | False |
| keypair_id | default |
| public | False |
| labels | {} |
| docker_volume_size | 1 |
| external_network_id | public |
| cluster_distro | fedora-atomic |
| image_id | fedora-21-atomic-5 |
| registry_enabled | False |
| apiserver_port | None |
| name | secure-kubernetes |
| created_at | 2015-10-08T05:05:10+00:00 |
| network_driver | flannel |
| ssh_authorized_key | None |
| coe | kubernetes |
| flavor_id | m1.small |
| dns_nameserver | 8.8.8.8 |
+---------------------+--------------------------------------+
(venv)[yuanying@Soloist] ~/Projects/OpenStack/python-magnumclient/.tox
 magnum bay-create --name secure-k8sbay --baymodel secure-kubernetes --node-count 1
+--------------------+------------------------------------------------------------+
| Property | Value |
+--------------------+------------------------------------------------------------+
| status | None |
| uuid | 04952c60-a338-437f-a7e7-d016d1d00e65 |
| status_reason | None |
| created_at | 2015-10-08T04:19:14+00:00 |
| updated_at | None |
| bay_create_timeout | 0 |
| api_address | None |
| baymodel_id | da2825a0-6d09-4208-b39e-b2db666f1118 |
| node_count | 1 |
| node_addresses | None |
| master_count | 1 |
| discovery_url | https://discovery.etcd.io/3b7fb09733429d16679484673ba3bfd5 |
| name | secure-k8sbay |
+--------------------+------------------------------------------------------------+
(venv)[yuanying@Soloist] ~/Projects/OpenStack/python-magnumclient/.tox
 magnum ca-show --bay secure-k8sbay > ca.crt
(venv)[yuanying@Soloist] ~/Projects/OpenStack/python-magnumclient/.tox
 magnum ca-sign --bay secure-k8sbay --csr ./client.csr > client.crt
(venv)[yuanying@Soloist] ~/Projects/OpenStack/python-magnumclient/.tox
 magnum bay-show secure-k8sbay
+--------------------+------------------------------------------------------------+
| Property | Value |
+--------------------+------------------------------------------------------------+
| status | CREATE_COMPLETE |
| uuid | 04952c60-a338-437f-a7e7-d016d1d00e65 |
| status_reason | Stack CREATE completed successfully |
| created_at | 2015-10-08T04:19:14+00:00 |
| updated_at | 2015-10-08T04:21:00+00:00 |
| bay_create_timeout | 0 |
| api_address | https://192.168.19.86:6443 |
| baymodel_id | da2825a0-6d09-4208-b39e-b2db666f1118 |
| node_count | 1 |
| node_addresses | [u'192.168.19.88'] |
| master_count | 1 |
| discovery_url | https://discovery.etcd.io/3b7fb09733429d16679484673ba3bfd5 |
| name | secure-k8sbay |
+--------------------+------------------------------------------------------------+
(venv)[yuanying@Soloist] ~/Projects/OpenStack/python-magnumclient/.tox
 export KUBERNETES_URL=https://192.168.19.86:6443
(venv)[yuanying@Soloist] ~/Projects/OpenStack/python-magnumclient/.tox
 kubectl version --certificate-authority=ca.crt --client-key=client.key --client-certificate=client.crt -s $KUBERNETES_URL
Client Version: version.Info{Major:"1", Minor:"0", GitVersion:"v1.0.6", GitCommit:"388061f00f0d9e4d641f9ed4971c775e1654579d", GitTreeState:"clean"}
Server Version: version.Info{Major:"1", Minor:"0", GitVersion:"v1.0.4", GitCommit:"65d28d5fd12345592405714c81cd03b9c41d41d9", GitTreeState:"clean"}
(venv)[yuanying@Soloist] ~/Projects/OpenStack/python-magnumclient/.tox
 kubectl create -f redis-master.yaml --certificate-authority=ca.crt --client-key=client.key --client-certificate=client.crt -s $KUBERNETES_URL
pods/test2
(venv)[yuanying@Soloist] ~/Projects/OpenStack/python-magnumclient/.tox
 kubectl get pods --certificate-authority=ca.crt --client-key=client.key --client-certificate=client.crt -s $KUBERNETES_URL
NAME READY STATUS RESTARTS AGE
test2 1/1 Running 0 1m
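
Added example, not part of the original gist: a pre-flight check that a certificate returned by `magnum ca-sign` chains to the CA from `magnum ca-show`, is valid for TLS client authentication, and matches the local private key. The function names `check_client_cert` and `make_demo_pki` are hypothetical, and the throwaway CA built here is constructed locally to stand in for the bay's CA so the check can be exercised offline.

```shell
#!/bin/sh
# check_client_cert CA CERT KEY
# 0 = ok, 1 = does not chain to CA as a TLS client cert, 2 = key mismatch
check_client_cert() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 2
}

# make_demo_pki DIR: constructed sample data. Builds a throwaway CA (standing in
# for the bay's CA), a client key and certificate, and an unrelated CA and key
# for the negative cases.
make_demo_pki() {
    d=$1
    cat > "$d/ca.conf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-bay-ca.invalid
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$d/client.conf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = kubernetes.invalid
[req_ext]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
    for ca in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.conf" \
            -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null || return 1
    done
    openssl genrsa -out "$d/client.key" 2048 2>/dev/null &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/client.key" -config "$d/client.conf" -out "$d/client.csr" &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/client.conf" -extensions req_ext \
        -out "$d/client.crt" 2>/dev/null
}
# With the files from the session above: check_client_cert ca.crt client.crt client.key
```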