├── .gitignore
├── README.md
├── Vagrantfile
├── Vagrantfile-Windows
├── scripts
    ├── bootstrap
    │   ├── vagrant-setup-haproxy.sh
    │   ├── vagrant-setup-hosts-file.sh
    │   └── vagrant-setup-routes.sh
    └── k8s-the-hard-way
    │   ├── 0400-certificate-authority.sh
    │   ├── 0410-admin-client-certificate.sh
    │   ├── 0411-kubelet-client-certificates.sh
    │   ├── 0412-controller-manager-client-certfiicate.sh
    │   ├── 0413-kube-proxy-client-certificate.sh
    │   ├── 0414-scheduler-client-certificate.sh
    │   ├── 0415-kubernetes-api-server-certificate.sh
    │   ├── 0420-service-account-key-pair.sh
    │   ├── 0430-distribute-certificates.sh
    │   ├── 0500-kubelet-kubeconfig.sh
    │   ├── 0501-kube-proxy-kubeconfig.sh
    │   ├── 0502-kube-controller-manager-kubeconfig.sh
    │   ├── 0503-kube-scheduler-kubeconfig.sh
    │   ├── 0504-admin-kubeconfig.sh
    │   ├── 0510-distribute-kubeconfig.sh
    │   ├── 0600-encryption-config.sh
    │   ├── 0610-distribute-encryption-config.sh
    │   ├── 0700-download-and-install-etcd.sh
    │   ├── 0701-configure-etcd.sh
    │   ├── 0702-start-etcd.sh
    │   ├── 0710-verify-etcd.sh
    │   ├── 0800-download-and-install-k8s-controllers.sh
    │   ├── 0801-configure-k8s-api-server.sh
    │   ├── 0802-configure-k8s-controller-manager.sh
    │   ├── 0803-configure-k8s-schedueler.sh
    │   ├── 0804-start-controller-services.sh
    │   ├── 0805-verify.sh
    │   ├── 0810-rbac-for-kubelet-auth.sh
    │   ├── 0820-verify-frontend-lb.sh
    │   ├── 0900-download-and-install-workers.sh
    │   ├── 0901-configure-cni.sh
    │   ├── 0902-configure-containerd.sh
    │   ├── 0903-configure-kubelet.sh
    │   ├── 0904-configure-kube-proxy.sh
    │   ├── 0905-start-worker-services.sh
    │   ├── 0910-verify-worker.sh
    │   ├── 1000-admin-kubeconfig.sh
    │   ├── 1001-verify-admin-kubeconfig.sh
    │   ├── 1200-dns-cluster-add-on.sh
    │   ├── 1210-verify-dns.sh
    │   ├── 1211-verify-dns.sh
    │   ├── 1300-data-encryption.sh
    │   ├── 1310-deployments.sh
    │   ├── 1311-port-forwarding.sh
    │   ├── 1312-logs.sh
    │   ├── 1313-exec.sh
    │   ├── 1320-services.sh
    │   ├── 1330-untrusted-workloads.sh
    │   ├── 1331-verify-untrusted-workloads.sh
    │   └── 1332-verify-untrusted-workloads.sh
└── workspace
    └── .gitkeep


/.gitignore:
--------------------------------------------------------------------------------
 1 | workspace/*
 2 | !workspace/.gitkeep
 3 | *.log
 4 | 
 5 | # Created by https://www.gitignore.io/api/macos,vagrant
 6 | 
 7 | ### macOS ###
 8 | *.DS_Store
 9 | .AppleDouble
10 | .LSOverride
11 | 
12 | # Icon must end with two \r
13 | Icon
14 | 
15 | # Thumbnails
16 | ._*
17 | 
18 | # Files that might appear in the root of a volume
19 | .DocumentRevisions-V100
20 | .fseventsd
21 | .Spotlight-V100
22 | .TemporaryItems
23 | .Trashes
24 | .VolumeIcon.icns
25 | .com.apple.timemachine.donotpresent
26 | 
27 | # Directories potentially created on remote AFP share
28 | .AppleDB
29 | .AppleDesktop
30 | Network Trash Folder
31 | Temporary Items
32 | .apdisk
33 | 
34 | ### Vagrant ###
35 | .vagrant/
36 | *.box
37 | 
38 | 
39 | # End of https://www.gitignore.io/api/macos,vagrant


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Kubernetes the hard way with vagrant
 2 | 
 3 | You can study kubernetes with vagrant. Credits go to the Kinvolk team because this repository is based on https://github.com/kinvolk/kubernetes-the-hard-way-vagrant .
 4 | 
 5 | #### Differences with the Kinvolk version atm
 6 | 
 7 | * Uses containerd
 8 | * Uses gVisor
 9 | * The pod-cidr is the same as the tutorial ( `10.200.${i}.0/24` )
10 | 
11 | ## How to  use this repository
12 | 
13 | * Hit `vagrant up` to bring up the vms (1 load balancer node, 3 controllers nodes , 3 worker nodes)
14 | * Use the `workspace` directory to follow Kelsey Hightower's repository https://github.com/kelseyhightower/kubernetes-the-hard-way
15 | * A few things to care about is
16 |   * `gcloud` commands won't work (of course). Skip everything related to `gcloud` or use an alternative command. Have a look at the `scripts` directory if you get stuck. They correspond with the chapters.
17 |   * `EXTERNAL_IP` , `KUBERNETES_PUBLIC_ADDRESS` would be `10.240.0.40` (the load balancer's ip)
18 |   * [vagrant-scp](https://github.com/invernizzi/vagrant-scp) would come in handy for `scp` commands
19 |   * Careful about `INTERNAL_IP`s and `POD_CIDR` because you cannot fetch them with `gcloud` commands.
20 |   * Be sure to add the `[plugins.cri]` config and `stream_server_address` setting to the `containerd`'s `config.toml`. If you miss this, you won't be able to `exec` in to the container. Have a look at the [script](./scripts/k8s-the-hard-way/0902-configure-containerd.sh) .
21 | * `vagrant destroy -f` when you finish and clean up the `workspace` .
22 | 
23 | 
24 | 
25 | All the scripts inside the `scripts` directory correspond to the commands and chapters mentioned in the tutorial. It uses alternative commands which correspond to `gcloud` commands. This has been tested with [this version](https://github.com/kelseyhightower/kubernetes-the-hard-way/tree/36d4bbf4ad16cbe3c6eb809d9f567c07eaddea8c) of the tutorial.
26 | 
27 | 
28 | 
29 | 


--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
 1 | # -*- mode: ruby -*-
 2 | # vi: set ft=ruby :
 3 | 
 4 | Vagrant.configure("2") do |config|
 5 |   config.vm.box = "ubuntu/bionic64"
 6 | 
 7 |   config.vm.provider "virtualbox" do |vb|
 8 |     vb.memory = "512"
 9 |   end
10 | 
11 |   # must be at the top
12 |   config.vm.define "lb-0" do |c|
13 |       c.vm.hostname = "lb-0"
14 |       c.vm.network "private_network", ip: "10.240.0.40"
15 | 
16 |       c.vm.provision :shell, :path => "scripts/bootstrap/vagrant-setup-haproxy.sh"
17 | 
18 |       c.vm.provider "virtualbox" do |vb|
19 |         vb.memory = "256"
20 |       end
21 |   end
22 | 
23 |   (0..2).each do |n|
24 |     config.vm.define "controller-#{n}" do |c|
25 |         c.vm.hostname = "controller-#{n}"
26 |         c.vm.network "private_network", ip: "10.240.0.1#{n}"
27 | 
28 |         c.vm.provision :shell, :path => "scripts/bootstrap/vagrant-setup-hosts-file.sh"
29 |     end
30 |   end
31 | 
32 |   (0..2).each do |n|
33 |     config.vm.define "worker-#{n}" do |c|
34 |         c.vm.hostname = "worker-#{n}"
35 |         c.vm.network "private_network", ip: "10.240.0.2#{n}"
36 | 
37 |         c.vm.provision :shell, :path => "scripts/bootstrap/vagrant-setup-routes.sh"
38 |         c.vm.provision :shell, :path => "scripts/bootstrap/vagrant-setup-hosts-file.sh"
39 |     end
40 |   end
41 | 
42 | end


--------------------------------------------------------------------------------
/Vagrantfile-Windows:
--------------------------------------------------------------------------------
 1 | # -*- mode: ruby -*-
 2 | # vi: set ft=ruby :
 3 | 
 4 | Vagrant.configure("2") do |config|
 5 |   config.vm.box = "ubuntu/bionic64"
 6 | 
 7 |   config.vm.provider "virtualbox" do |vb|
 8 |     vb.memory = "512"
 9 |     vb.customize [ "modifyvm", :id, "--uartmode1", "disconnected" ]
10 |   end
11 | 
12 |   # must be at the top
13 |   config.vm.define "lb-0" do |c|
14 |       c.vm.hostname = "lb-0"
15 |       c.vm.network "private_network", ip: "10.240.0.40"
16 | 
17 |       c.vm.provision :shell, :path => "scripts/bootstrap/vagrant-setup-haproxy.sh"
18 | 
19 |       c.vm.provider "virtualbox" do |vb|
20 |         vb.memory = "256"
21 |       end
22 |   end
23 | 
24 |   (0..2).each do |n|
25 |     config.vm.define "controller-#{n}" do |c|
26 |         c.vm.hostname = "controller-#{n}"
27 |         c.vm.network "private_network", ip: "10.240.0.1#{n}"
28 | 
29 |         c.vm.provision :shell, :path => "scripts/bootstrap/vagrant-setup-hosts-file.sh"
30 |     end
31 |   end
32 | 
33 |   (0..2).each do |n|
34 |     config.vm.define "worker-#{n}" do |c|
35 |         c.vm.hostname = "worker-#{n}"
36 |         c.vm.network "private_network", ip: "10.240.0.2#{n}"
37 | 
38 |         c.vm.provision :shell, :path => "scripts/bootstrap/vagrant-setup-routes.sh"
39 |         c.vm.provision :shell, :path => "scripts/bootstrap/vagrant-setup-hosts-file.sh"
40 |     end
41 |   end
42 | 
43 | end


--------------------------------------------------------------------------------
/scripts/bootstrap/vagrant-setup-haproxy.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | set -euo pipefail
 4 | 
 5 | apt-get update
 6 | apt-get install -y haproxy
 7 | 
 8 | grep -q -F 'net.ipv4.ip_nonlocal_bind=1' /etc/sysctl.conf || echo 'net.ipv4.ip_nonlocal_bind=1' >> /etc/sysctl.conf
 9 | 
10 | cat >/etc/haproxy/haproxy.cfg <<EOF
11 | global
12 | 	log /dev/log	local0
13 | 	log /dev/log	local1 notice
14 | 	chroot /var/lib/haproxy
15 | 	stats socket /run/haproxy/admin.sock mode 660 level admin
16 | 	stats timeout 30s
17 | 	user haproxy
18 | 	group haproxy
19 | 	daemon
20 | 	# Default SSL material locations
21 | 	ca-base /etc/ssl/certs
22 | 	crt-base /etc/ssl/private
23 | 	# Default ciphers to use on SSL-enabled listening sockets.
24 | 	# For more information, see ciphers(1SSL). This list is from:
25 | 	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
26 | 	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
27 | 	ssl-default-bind-options no-sslv3
28 | defaults
29 | 	log	global
30 | 	mode	tcp
31 | 	option	tcplog
32 | 	option	dontlognull
33 |         timeout connect 5000
34 |         timeout client  50000
35 |         timeout server  50000
36 | 	errorfile 400 /etc/haproxy/errors/400.http
37 | 	errorfile 403 /etc/haproxy/errors/403.http
38 | 	errorfile 408 /etc/haproxy/errors/408.http
39 | 	errorfile 500 /etc/haproxy/errors/500.http
40 | 	errorfile 502 /etc/haproxy/errors/502.http
41 | 	errorfile 503 /etc/haproxy/errors/503.http
42 | 	errorfile 504 /etc/haproxy/errors/504.http
43 | frontend k8s
44 | 	bind 10.240.0.40:6443
45 | 	default_backend k8s_backend
46 | backend k8s_backend
47 | 	balance roundrobin
48 | 	mode tcp
49 | 	server controller-0 10.240.0.10:6443 check inter 1000
50 | 	server controller-1 10.240.0.11:6443 check inter 1000
51 | 	server controller-2 10.240.0.12:6443 check inter 1000
52 | EOF
53 | 
54 | systemctl restart haproxy


--------------------------------------------------------------------------------
/scripts/bootstrap/vagrant-setup-hosts-file.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | set -euo pipefail
 4 | 
 5 | cat <<EOF | sudo tee -a /etc/hosts
 6 | # KTHW Vagrant machines
 7 | 10.240.0.10 controller-0
 8 | 10.240.0.11 controller-1
 9 | 10.240.0.12 controller-2
10 | 10.240.0.20 worker-0
11 | 10.240.0.21 worker-1
12 | 10.240.0.22 worker-2
13 | EOF


--------------------------------------------------------------------------------
/scripts/bootstrap/vagrant-setup-routes.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | set -euo pipefail
 4 | 
 5 | case "$(hostname)" in
 6 |   worker-0)
 7 |     route add -net 10.200.1.0/24 gw 10.240.0.21
 8 |     route add -net 10.200.2.0/24 gw 10.240.0.22
 9 |     ;;
10 |   worker-1)
11 |     route add -net 10.200.0.0/24 gw 10.240.0.20
12 |     route add -net 10.200.2.0/24 gw 10.240.0.22
13 |     ;;
14 |   worker-2)
15 |     route add -net 10.200.0.0/24 gw 10.240.0.20
16 |     route add -net 10.200.1.0/24 gw 10.240.0.21
17 |     ;;
18 |   *)
19 |     route add -net 10.200.0.0/24 gw 10.240.0.20
20 |     route add -net 10.200.1.0/24 gw 10.240.0.21
21 |     route add -net 10.200.2.0/24 gw 10.240.0.22
22 |     ;;
23 | esac


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0400-certificate-authority.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | cat > ca-config.json <<EOF
 4 | {
 5 |   "signing": {
 6 |     "default": {
 7 |       "expiry": "8760h"
 8 |     },
 9 |     "profiles": {
10 |       "kubernetes": {
11 |         "usages": ["signing", "key encipherment", "server auth", "client auth"],
12 |         "expiry": "8760h"
13 |       }
14 |     }
15 |   }
16 | }
17 | EOF
18 | 
19 | cat > ca-csr.json <<EOF
20 | {
21 |   "CN": "Kubernetes",
22 |   "key": {
23 |     "algo": "rsa",
24 |     "size": 2048
25 |   },
26 |   "names": [
27 |     {
28 |       "C": "US",
29 |       "L": "Portland",
30 |       "O": "Kubernetes",
31 |       "OU": "CA",
32 |       "ST": "Oregon"
33 |     }
34 |   ]
35 | }
36 | EOF
37 | 
38 | cfssl gencert -initca ca-csr.json | cfssljson -bare ca


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0410-admin-client-certificate.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | cat > admin-csr.json <<EOF
 4 | {
 5 |   "CN": "admin",
 6 |   "key": {
 7 |     "algo": "rsa",
 8 |     "size": 2048
 9 |   },
10 |   "names": [
11 |     {
12 |       "C": "US",
13 |       "L": "Portland",
14 |       "O": "system:masters",
15 |       "OU": "Kubernetes The Hard Way",
16 |       "ST": "Oregon"
17 |     }
18 |   ]
19 | }
20 | EOF
21 | 
22 | cfssl gencert \
23 |   -ca=ca.pem \
24 |   -ca-key=ca-key.pem \
25 |   -config=ca-config.json \
26 |   -profile=kubernetes \
27 |   admin-csr.json | cfssljson -bare admin
28 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0411-kubelet-client-certificates.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | for instance in worker-0 worker-1 worker-2; do
 4 | cat > ${instance}-csr.json <<EOF
 5 | {
 6 |   "CN": "system:node:${instance}",
 7 |   "key": {
 8 |     "algo": "rsa",
 9 |     "size": 2048
10 |   },
11 |   "names": [
12 |     {
13 |       "C": "US",
14 |       "L": "Portland",
15 |       "O": "system:nodes",
16 |       "OU": "Kubernetes The Hard Way",
17 |       "ST": "Oregon"
18 |     }
19 |   ]
20 | }
21 | EOF
22 | 
23 | EXTERNAL_IP=10.240.0.40
24 | 
25 | cfssl gencert \
26 |   -ca=ca.pem \
27 |   -ca-key=ca-key.pem \
28 |   -config=ca-config.json \
29 |   -hostname=${instance},${EXTERNAL_IP} \
30 |   -profile=kubernetes \
31 |   ${instance}-csr.json | cfssljson -bare ${instance}
32 | done


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0412-controller-manager-client-certfiicate.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | cat > kube-controller-manager-csr.json <<EOF
 4 | {
 5 |   "CN": "system:kube-controller-manager",
 6 |   "key": {
 7 |     "algo": "rsa",
 8 |     "size": 2048
 9 |   },
10 |   "names": [
11 |     {
12 |       "C": "US",
13 |       "L": "Portland",
14 |       "O": "system:kube-controller-manager",
15 |       "OU": "Kubernetes The Hard Way",
16 |       "ST": "Oregon"
17 |     }
18 |   ]
19 | }
20 | EOF
21 | 
22 | cfssl gencert \
23 |   -ca=ca.pem \
24 |   -ca-key=ca-key.pem \
25 |   -config=ca-config.json \
26 |   -profile=kubernetes \
27 |   kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
28 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0413-kube-proxy-client-certificate.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | cat > kube-proxy-csr.json <<EOF
 4 | {
 5 |   "CN": "system:kube-proxy",
 6 |   "key": {
 7 |     "algo": "rsa",
 8 |     "size": 2048
 9 |   },
10 |   "names": [
11 |     {
12 |       "C": "US",
13 |       "L": "Portland",
14 |       "O": "system:node-proxier",
15 |       "OU": "Kubernetes The Hard Way",
16 |       "ST": "Oregon"
17 |     }
18 |   ]
19 | }
20 | EOF
21 | 
22 | cfssl gencert \
23 |   -ca=ca.pem \
24 |   -ca-key=ca-key.pem \
25 |   -config=ca-config.json \
26 |   -profile=kubernetes \
27 |   kube-proxy-csr.json | cfssljson -bare kube-proxy


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0414-scheduler-client-certificate.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | cat > kube-scheduler-csr.json <<EOF
 4 | {
 5 |   "CN": "system:kube-scheduler",
 6 |   "key": {
 7 |     "algo": "rsa",
 8 |     "size": 2048
 9 |   },
10 |   "names": [
11 |     {
12 |       "C": "US",
13 |       "L": "Portland",
14 |       "O": "system:kube-scheduler",
15 |       "OU": "Kubernetes The Hard Way",
16 |       "ST": "Oregon"
17 |     }
18 |   ]
19 | }
20 | EOF
21 | 
22 | cfssl gencert \
23 |   -ca=ca.pem \
24 |   -ca-key=ca-key.pem \
25 |   -config=ca-config.json \
26 |   -profile=kubernetes \
27 |   kube-scheduler-csr.json | cfssljson -bare kube-scheduler


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0415-kubernetes-api-server-certificate.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | KUBERNETES_PUBLIC_ADDRESS=10.240.0.40
 4 | 
 5 | cat > kubernetes-csr.json <<EOF
 6 | {
 7 |   "CN": "kubernetes",
 8 |   "key": {
 9 |     "algo": "rsa",
10 |     "size": 2048
11 |   },
12 |   "names": [
13 |     {
14 |       "C": "US",
15 |       "L": "Portland",
16 |       "O": "Kubernetes",
17 |       "OU": "Kubernetes The Hard Way",
18 |       "ST": "Oregon"
19 |     }
20 |   ]
21 | }
22 | EOF
23 | 
24 | cfssl gencert \
25 |   -ca=ca.pem \
26 |   -ca-key=ca-key.pem \
27 |   -config=ca-config.json \
28 |   -hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,kubernetes.default \
29 |   -profile=kubernetes \
30 |   kubernetes-csr.json | cfssljson -bare kubernetes


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0420-service-account-key-pair.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | cat > service-account-csr.json <<EOF
 4 | {
 5 |   "CN": "service-accounts",
 6 |   "key": {
 7 |     "algo": "rsa",
 8 |     "size": 2048
 9 |   },
10 |   "names": [
11 |     {
12 |       "C": "US",
13 |       "L": "Portland",
14 |       "O": "Kubernetes",
15 |       "OU": "Kubernetes The Hard Way",
16 |       "ST": "Oregon"
17 |     }
18 |   ]
19 | }
20 | EOF
21 | 
22 | cfssl gencert \
23 |   -ca=ca.pem \
24 |   -ca-key=ca-key.pem \
25 |   -config=ca-config.json \
26 |   -profile=kubernetes \
27 |   service-account-csr.json | cfssljson -bare service-account
28 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0430-distribute-certificates.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # This script assumes you have the vagrant-scp plugin installed
 4 | 
 5 | for instance in worker-0 worker-1 worker-2; do
 6 |   vagrant scp ca.pem ${instance}:~/
 7 |   vagrant scp ${instance}-key.pem ${instance}:~/
 8 |   vagrant scp ${instance}.pem ${instance}:~/
 9 | done
10 | 
11 | for instance in controller-0 controller-1 controller-2; do
12 |   vagrant scp ca.pem ${instance}:~/
13 |   vagrant scp ca-key.pem ${instance}:~/
14 |   vagrant scp kubernetes-key.pem ${instance}:~/
15 |   vagrant scp kubernetes.pem ${instance}:~/
16 |   vagrant scp service-account-key.pem ${instance}:~/
17 |   vagrant scp service-account.pem ${instance}:~/
18 | done


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0500-kubelet-kubeconfig.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | KUBERNETES_PUBLIC_ADDRESS=10.240.0.40
 4 | 
 5 | for instance in worker-0 worker-1 worker-2; do
 6 |   kubectl config set-cluster kubernetes-the-hard-way \
 7 |     --certificate-authority=ca.pem \
 8 |     --embed-certs=true \
 9 |     --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
10 |     --kubeconfig=${instance}.kubeconfig
11 | 
12 |   kubectl config set-credentials system:node:${instance} \
13 |     --client-certificate=${instance}.pem \
14 |     --client-key=${instance}-key.pem \
15 |     --embed-certs=true \
16 |     --kubeconfig=${instance}.kubeconfig
17 | 
18 |   kubectl config set-context default \
19 |     --cluster=kubernetes-the-hard-way \
20 |     --user=system:node:${instance} \
21 |     --kubeconfig=${instance}.kubeconfig
22 | 
23 |   kubectl config use-context default --kubeconfig=${instance}.kubeconfig
24 | done
25 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0501-kube-proxy-kubeconfig.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | KUBERNETES_PUBLIC_ADDRESS=10.240.0.40
 4 | 
 5 | kubectl config set-cluster kubernetes-the-hard-way \
 6 |   --certificate-authority=ca.pem \
 7 |   --embed-certs=true \
 8 |   --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443 \
 9 |   --kubeconfig=kube-proxy.kubeconfig
10 | 
11 | kubectl config set-credentials system:kube-proxy \
12 |   --client-certificate=kube-proxy.pem \
13 |   --client-key=kube-proxy-key.pem \
14 |   --embed-certs=true \
15 |   --kubeconfig=kube-proxy.kubeconfig
16 | 
17 | kubectl config set-context default \
18 |   --cluster=kubernetes-the-hard-way \
19 |   --user=system:kube-proxy \
20 |   --kubeconfig=kube-proxy.kubeconfig
21 | 
22 | kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
23 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0502-kube-controller-manager-kubeconfig.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | kubectl config set-cluster kubernetes-the-hard-way \
 4 |   --certificate-authority=ca.pem \
 5 |   --embed-certs=true \
 6 |   --server=https://127.0.0.1:6443 \
 7 |   --kubeconfig=kube-controller-manager.kubeconfig
 8 | 
 9 | kubectl config set-credentials system:kube-controller-manager \
10 |   --client-certificate=kube-controller-manager.pem \
11 |   --client-key=kube-controller-manager-key.pem \
12 |   --embed-certs=true \
13 |   --kubeconfig=kube-controller-manager.kubeconfig
14 | 
15 | kubectl config set-context default \
16 |   --cluster=kubernetes-the-hard-way \
17 |   --user=system:kube-controller-manager \
18 |   --kubeconfig=kube-controller-manager.kubeconfig
19 | 
20 | kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
21 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0503-kube-scheduler-kubeconfig.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | kubectl config set-cluster kubernetes-the-hard-way \
 4 |   --certificate-authority=ca.pem \
 5 |   --embed-certs=true \
 6 |   --server=https://127.0.0.1:6443 \
 7 |   --kubeconfig=kube-scheduler.kubeconfig
 8 | 
 9 | kubectl config set-credentials system:kube-scheduler \
10 |   --client-certificate=kube-scheduler.pem \
11 |   --client-key=kube-scheduler-key.pem \
12 |   --embed-certs=true \
13 |   --kubeconfig=kube-scheduler.kubeconfig
14 | 
15 | kubectl config set-context default \
16 |   --cluster=kubernetes-the-hard-way \
17 |   --user=system:kube-scheduler \
18 |   --kubeconfig=kube-scheduler.kubeconfig
19 | 
20 | kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
21 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0504-admin-kubeconfig.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | kubectl config set-cluster kubernetes-the-hard-way \
 4 |   --certificate-authority=ca.pem \
 5 |   --embed-certs=true \
 6 |   --server=https://127.0.0.1:6443 \
 7 |   --kubeconfig=admin.kubeconfig
 8 | 
 9 | kubectl config set-credentials admin \
10 |   --client-certificate=admin.pem \
11 |   --client-key=admin-key.pem \
12 |   --embed-certs=true \
13 |   --kubeconfig=admin.kubeconfig
14 | 
15 | kubectl config set-context default \
16 |   --cluster=kubernetes-the-hard-way \
17 |   --user=admin \
18 |   --kubeconfig=admin.kubeconfig
19 | 
20 | kubectl config use-context default --kubeconfig=admin.kubeconfig
21 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0510-distribute-kubeconfig.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # This script assumes you have the vagrant-scp plugin installed
 4 | 
 5 | for instance in worker-0 worker-1 worker-2; do
 6 |   vagrant scp ${instance}.kubeconfig ${instance}:~/
 7 |   vagrant scp kube-proxy.kubeconfig ${instance}:~/
 8 | done
 9 | 
10 | for instance in controller-0 controller-1 controller-2; do
11 |   vagrant scp admin.kubeconfig ${instance}:~/
12 |   vagrant scp kube-controller-manager.kubeconfig ${instance}:~/
13 |   vagrant scp kube-scheduler.kubeconfig ${instance}:~/
14 | done


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0600-encryption-config.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
 4 | 
 5 | cat >encryption-config.yaml <<EOF
 6 | kind: EncryptionConfig
 7 | apiVersion: v1
 8 | resources:
 9 |   - resources:
10 |       - secrets
11 |     providers:
12 |       - aescbc:
13 |           keys:
14 |             - name: key1
15 |               secret: ${ENCRYPTION_KEY}
16 |       - identity: {}
17 | EOF
18 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0610-distribute-encryption-config.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | # This script assumes you have the vagrant-scp plugin installed
4 | 
5 | for instance in controller-0 controller-1 controller-2; do
6 |   vagrant scp encryption-config.yaml ${instance}:~/
7 | done


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0700-download-and-install-etcd.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | wget -q --show-progress --https-only --timestamping \
4 |   "https://github.com/coreos/etcd/releases/download/v3.3.5/etcd-v3.3.5-linux-amd64.tar.gz"
5 | 
6 | tar -xvf etcd-v3.3.5-linux-amd64.tar.gz
7 | sudo mv etcd-v3.3.5-linux-amd64/etcd* /usr/local/bin/
8 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0701-configure-etcd.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | sudo mkdir -p /etc/etcd /var/lib/etcd
 4 | sudo cp ca.pem kubernetes-key.pem kubernetes.pem /etc/etcd/
 5 | 
 6 | INTERNAL_IP=$(ifconfig enp0s8 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1')
 7 | 
 8 | ETCD_NAME=$(hostname -s)
 9 | 
10 | cat <<EOF | sudo tee /etc/systemd/system/etcd.service
11 | [Unit]
12 | Description=etcd
13 | Documentation=https://github.com/coreos
14 | 
15 | [Service]
16 | ExecStart=/usr/local/bin/etcd \\
17 |   --name ${ETCD_NAME} \\
18 |   --cert-file=/etc/etcd/kubernetes.pem \\
19 |   --key-file=/etc/etcd/kubernetes-key.pem \\
20 |   --peer-cert-file=/etc/etcd/kubernetes.pem \\
21 |   --peer-key-file=/etc/etcd/kubernetes-key.pem \\
22 |   --trusted-ca-file=/etc/etcd/ca.pem \\
23 |   --peer-trusted-ca-file=/etc/etcd/ca.pem \\
24 |   --peer-client-cert-auth \\
25 |   --client-cert-auth \\
26 |   --initial-advertise-peer-urls https://${INTERNAL_IP}:2380 \\
27 |   --listen-peer-urls https://${INTERNAL_IP}:2380 \\
28 |   --listen-client-urls https://${INTERNAL_IP}:2379,https://127.0.0.1:2379 \\
29 |   --advertise-client-urls https://${INTERNAL_IP}:2379 \\
30 |   --initial-cluster-token etcd-cluster-0 \\
31 |   --initial-cluster controller-0=https://10.240.0.10:2380,controller-1=https://10.240.0.11:2380,controller-2=https://10.240.0.12:2380 \\
32 |   --initial-cluster-state new \\
33 |   --data-dir=/var/lib/etcd
34 | Restart=on-failure
35 | RestartSec=5
36 | 
37 | [Install]
38 | WantedBy=multi-user.target
39 | EOF
40 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0702-start-etcd.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | sudo systemctl daemon-reload
4 | sudo systemctl enable etcd
5 | sudo systemctl start etcd
6 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0710-verify-etcd.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | sudo ETCDCTL_API=3 etcdctl member list \
4 |   --endpoints=https://127.0.0.1:2379 \
5 |   --cacert=/etc/etcd/ca.pem \
6 |   --cert=/etc/etcd/kubernetes.pem \
7 |   --key=/etc/etcd/kubernetes-key.pem
8 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0800-download-and-install-k8s-controllers.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | sudo mkdir -p /etc/kubernetes/config
 4 | 
 5 | wget -q --show-progress --https-only --timestamping \
 6 |   "https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/linux/amd64/kube-apiserver" \
 7 |   "https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/linux/amd64/kube-controller-manager" \
 8 |   "https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/linux/amd64/kube-scheduler" \
 9 |   "https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/linux/amd64/kubectl"
10 | 
11 | chmod +x kube-apiserver kube-controller-manager kube-scheduler kubectl
12 | sudo mv kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/local/bin/
13 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0801-configure-k8s-api-server.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | sudo mkdir -p /var/lib/kubernetes/
 4 | 
 5 | sudo mv ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
 6 |   service-account-key.pem service-account.pem \
 7 |   encryption-config.yaml /var/lib/kubernetes/
 8 | 
 9 | INTERNAL_IP=$(ifconfig enp0s8 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1')
10 | 
11 | cat <<EOF | sudo tee /etc/systemd/system/kube-apiserver.service
12 | [Unit]
13 | Description=Kubernetes API Server
14 | Documentation=https://github.com/kubernetes/kubernetes
15 | 
16 | [Service]
17 | ExecStart=/usr/local/bin/kube-apiserver \\
18 |   --advertise-address=${INTERNAL_IP} \\
19 |   --allow-privileged=true \\
20 |   --apiserver-count=3 \\
21 |   --audit-log-maxage=30 \\
22 |   --audit-log-maxbackup=3 \\
23 |   --audit-log-maxsize=100 \\
24 |   --audit-log-path=/var/log/audit.log \\
25 |   --authorization-mode=Node,RBAC \\
26 |   --bind-address=0.0.0.0 \\
27 |   --client-ca-file=/var/lib/kubernetes/ca.pem \\
28 |   --enable-admission-plugins=Initializers,NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\
29 |   --enable-swagger-ui=true \\
30 |   --etcd-cafile=/var/lib/kubernetes/ca.pem \\
31 |   --etcd-certfile=/var/lib/kubernetes/kubernetes.pem \\
32 |   --etcd-keyfile=/var/lib/kubernetes/kubernetes-key.pem \\
33 |   --etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \\
34 |   --event-ttl=1h \\
35 |   --experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\
36 |   --kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \\
37 |   --kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \\
38 |   --kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\
39 |   --kubelet-https=true \\
40 |   --runtime-config=api/all \\
41 |   --service-account-key-file=/var/lib/kubernetes/service-account.pem \\
42 |   --service-cluster-ip-range=10.32.0.0/24 \\
43 |   --service-node-port-range=30000-32767 \\
44 |   --tls-cert-file=/var/lib/kubernetes/kubernetes.pem \\
45 |   --tls-private-key-file=/var/lib/kubernetes/kubernetes-key.pem \\
46 |   --v=2
47 | Restart=on-failure
48 | RestartSec=5
49 | 
50 | [Install]
51 | WantedBy=multi-user.target
52 | EOF
53 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0802-configure-k8s-controller-manager.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | sudo mv kube-controller-manager.kubeconfig /var/lib/kubernetes/
 4 | 
 5 | cat <<EOF | sudo tee /etc/systemd/system/kube-controller-manager.service
 6 | [Unit]
 7 | Description=Kubernetes Controller Manager
 8 | Documentation=https://github.com/kubernetes/kubernetes
 9 | 
10 | [Service]
11 | ExecStart=/usr/local/bin/kube-controller-manager \\
12 |   --address=0.0.0.0 \\
13 |   --cluster-cidr=10.200.0.0/16 \\
14 |   --cluster-name=kubernetes \\
15 |   --cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\
16 |   --cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\
17 |   --kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\
18 |   --leader-elect=true \\
19 |   --root-ca-file=/var/lib/kubernetes/ca.pem \\
20 |   --service-account-private-key-file=/var/lib/kubernetes/service-account-key.pem \\
21 |   --service-cluster-ip-range=10.32.0.0/24 \\
22 |   --use-service-account-credentials=true \\
23 |   --v=2
24 | Restart=on-failure
25 | RestartSec=5
26 | 
27 | [Install]
28 | WantedBy=multi-user.target
29 | EOF
30 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0803-configure-k8s-schedueler.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | sudo mv kube-scheduler.kubeconfig /var/lib/kubernetes/
 4 | 
 5 | cat <<EOF | sudo tee /etc/kubernetes/config/kube-scheduler.yaml
 6 | apiVersion: componentconfig/v1alpha1
 7 | kind: KubeSchedulerConfiguration
 8 | clientConnection:
 9 |   kubeconfig: "/var/lib/kubernetes/kube-scheduler.kubeconfig"
10 | leaderElection:
11 |   leaderElect: true
12 | EOF
13 | 
14 | cat <<EOF | sudo tee /etc/systemd/system/kube-scheduler.service
15 | [Unit]
16 | Description=Kubernetes Scheduler
17 | Documentation=https://github.com/kubernetes/kubernetes
18 | 
19 | [Service]
20 | ExecStart=/usr/local/bin/kube-scheduler \\
21 |   --config=/etc/kubernetes/config/kube-scheduler.yaml \\
22 |   --v=2
23 | Restart=on-failure
24 | RestartSec=5
25 | 
26 | [Install]
27 | WantedBy=multi-user.target
28 | EOF
29 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0804-start-controller-services.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | sudo systemctl daemon-reload
4 | sudo systemctl enable kube-apiserver kube-controller-manager kube-scheduler
5 | sudo systemctl start kube-apiserver kube-controller-manager kube-scheduler
6 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0805-verify.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | kubectl get componentstatuses --kubeconfig admin.kubeconfig
4 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0810-rbac-for-kubelet-auth.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f -
 4 | apiVersion: rbac.authorization.k8s.io/v1beta1
 5 | kind: ClusterRole
 6 | metadata:
 7 |   annotations:
 8 |     rbac.authorization.kubernetes.io/autoupdate: "true"
 9 |   labels:
10 |     kubernetes.io/bootstrapping: rbac-defaults
11 |   name: system:kube-apiserver-to-kubelet
12 | rules:
13 |   - apiGroups:
14 |       - ""
15 |     resources:
16 |       - nodes/proxy
17 |       - nodes/stats
18 |       - nodes/log
19 |       - nodes/spec
20 |       - nodes/metrics
21 |     verbs:
22 |       - "*"
23 | EOF
24 | 
25 | cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f -
26 | apiVersion: rbac.authorization.k8s.io/v1beta1
27 | kind: ClusterRoleBinding
28 | metadata:
29 |   name: system:kube-apiserver
30 |   namespace: ""
31 | roleRef:
32 |   apiGroup: rbac.authorization.k8s.io
33 |   kind: ClusterRole
34 |   name: system:kube-apiserver-to-kubelet
35 | subjects:
36 |   - apiGroup: rbac.authorization.k8s.io
37 |     kind: User
38 |     name: kubernetes
39 | EOF
40 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0820-verify-frontend-lb.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | KUBERNETES_PUBLIC_ADDRESS=10.240.0.40
4 | 
5 | curl --cacert ca.pem https://${KUBERNETES_PUBLIC_ADDRESS}:6443/version
6 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0900-download-and-install-workers.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | sudo apt-get update
 4 | sudo apt-get -y install socat conntrack ipset
 5 | 
 6 | wget -q --show-progress --https-only --timestamping \
 7 |   https://github.com/kubernetes-incubator/cri-tools/releases/download/v1.0.0-beta.0/crictl-v1.0.0-beta.0-linux-amd64.tar.gz \
 8 |   https://storage.googleapis.com/kubernetes-the-hard-way/runsc \
 9 |   https://github.com/opencontainers/runc/releases/download/v1.0.0-rc5/runc.amd64 \
10 |   https://github.com/containernetworking/plugins/releases/download/v0.6.0/cni-plugins-amd64-v0.6.0.tgz \
11 |   https://github.com/containerd/containerd/releases/download/v1.1.0/containerd-1.1.0.linux-amd64.tar.gz \
12 |   https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/linux/amd64/kubectl \
13 |   https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/linux/amd64/kube-proxy \
14 |   https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/linux/amd64/kubelet
15 | 
16 | sudo mkdir -p \
17 |   /etc/cni/net.d \
18 |   /opt/cni/bin \
19 |   /var/lib/kubelet \
20 |   /var/lib/kube-proxy \
21 |   /var/lib/kubernetes \
22 |   /var/run/kubernetes
23 | 
24 | chmod +x kubectl kube-proxy kubelet runc.amd64 runsc
25 | sudo mv runc.amd64 runc
26 | sudo mv kubectl kube-proxy kubelet runc runsc /usr/local/bin/
27 | sudo tar -xvf crictl-v1.0.0-beta.0-linux-amd64.tar.gz -C /usr/local/bin/
28 | sudo tar -xvf cni-plugins-amd64-v0.6.0.tgz -C /opt/cni/bin/
29 | sudo tar -xvf containerd-1.1.0.linux-amd64.tar.gz -C /
30 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0901-configure-cni.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | INTERNAL_IP=$(ifconfig enp0s8 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1')
 4 | 
 5 | case "$INTERNAL_IP" in
 6 | 10.240.0.20)
 7 |   POD_CIDR="10.200.0.0/24"
 8 |   ;;
 9 | 10.240.0.21)
10 |   POD_CIDR="10.200.1.0/24"
11 |   ;;
12 | 10.240.0.22)
13 |   POD_CIDR="10.200.2.0/24"
14 |   ;;
15 | *)
16 |   echo "invalid ip"
17 |   ;;
18 | esac
19 | 
20 | cat <<EOF | sudo tee /etc/cni/net.d/10-bridge.conf
21 | {
22 |     "cniVersion": "0.3.1",
23 |     "name": "bridge",
24 |     "type": "bridge",
25 |     "bridge": "cnio0",
26 |     "isGateway": true,
27 |     "ipMasq": true,
28 |     "ipam": {
29 |         "type": "host-local",
30 |         "ranges": [
31 |           [{"subnet": "${POD_CIDR}"}]
32 |         ],
33 |         "routes": [{"dst": "0.0.0.0/0"}]
34 |     }
35 | }
36 | EOF
37 | 
38 | cat <<EOF | sudo tee /etc/cni/net.d/99-loopback.conf
39 | {
40 |     "cniVersion": "0.3.1",
41 |     "type": "loopback"
42 | }
43 | EOF
44 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0902-configure-containerd.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | sudo mkdir -p /etc/containerd/
 4 | 
 5 | INTERNAL_IP=$(ifconfig enp0s8 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1')
 6 | 
 7 | cat <<EOF | sudo tee /etc/containerd/config.toml
 8 | [plugins]
 9 |   [plugins.cri]
10 |   # stream_server_address is the ip address streaming server is listening on.
11 |   stream_server_address = "${INTERNAL_IP}"
12 |   [plugins.cri.containerd]
13 |     snapshotter = "overlayfs"
14 |     [plugins.cri.containerd.default_runtime]
15 |       runtime_type = "io.containerd.runtime.v1.linux"
16 |       runtime_engine = "/usr/local/bin/runc"
17 |       runtime_root = ""
18 |     [plugins.cri.containerd.untrusted_workload_runtime]
19 |       runtime_type = "io.containerd.runtime.v1.linux"
20 |       runtime_engine = "/usr/local/bin/runsc"
21 |       runtime_root = "/run/containerd/runsc"
22 | EOF
23 | 
24 | cat <<EOF | sudo tee /etc/systemd/system/containerd.service
25 | [Unit]
26 | Description=containerd container runtime
27 | Documentation=https://containerd.io
28 | After=network.target
29 | 
30 | [Service]
31 | ExecStartPre=/sbin/modprobe overlay
32 | ExecStart=/bin/containerd
33 | Restart=always
34 | RestartSec=5
35 | Delegate=yes
36 | KillMode=process
37 | OOMScoreAdjust=-999
38 | LimitNOFILE=1048576
39 | LimitNPROC=infinity
40 | LimitCORE=infinity
41 | 
42 | [Install]
43 | WantedBy=multi-user.target
44 | EOF
45 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0903-configure-kubelet.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | sudo mv ${HOSTNAME}-key.pem ${HOSTNAME}.pem /var/lib/kubelet/
 4 | sudo mv ${HOSTNAME}.kubeconfig /var/lib/kubelet/kubeconfig
 5 | sudo mv ca.pem /var/lib/kubernetes/
 6 | 
 7 | INTERNAL_IP=$(ifconfig enp0s8 | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1')
 8 | 
 9 | case "$INTERNAL_IP" in
10 | 10.240.0.20)
11 |   POD_CIDR="10.200.0.0/24"
12 |   ;;
13 | 10.240.0.21)
14 |   POD_CIDR="10.200.1.0/24"
15 |   ;;
16 | 10.240.0.22)
17 |   POD_CIDR="10.200.2.0/24"
18 |   ;;
19 | *)
20 |   echo "invalid ip"
21 |   ;;
22 | esac
23 | 
24 | cat <<EOF | sudo tee /var/lib/kubelet/kubelet-config.yaml
25 | kind: KubeletConfiguration
26 | apiVersion: kubelet.config.k8s.io/v1beta1
27 | authentication:
28 |   anonymous:
29 |     enabled: false
30 |   webhook:
31 |     enabled: true
32 |   x509:
33 |     clientCAFile: "/var/lib/kubernetes/ca.pem"
34 | authorization:
35 |   mode: Webhook
36 | clusterDomain: "cluster.local"
37 | clusterDNS:
38 |   - "10.32.0.10"
39 | podCIDR: "${POD_CIDR}"
40 | runtimeRequestTimeout: "15m"
41 | tlsCertFile: "/var/lib/kubelet/${HOSTNAME}.pem"
42 | tlsPrivateKeyFile: "/var/lib/kubelet/${HOSTNAME}-key.pem"
43 | EOF
44 | 
45 | cat <<EOF | sudo tee /etc/systemd/system/kubelet.service
46 | [Unit]
47 | Description=Kubernetes Kubelet
48 | Documentation=https://github.com/kubernetes/kubernetes
49 | After=containerd.service
50 | Requires=containerd.service
51 | 
52 | [Service]
53 | ExecStart=/usr/local/bin/kubelet \\
54 |   --config=/var/lib/kubelet/kubelet-config.yaml \\
55 |   --container-runtime=remote \\
56 |   --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock \\
57 |   --image-pull-progress-deadline=2m \\
58 |   --kubeconfig=/var/lib/kubelet/kubeconfig \\
59 |   --network-plugin=cni \\
60 |   --register-node=true \\
61 |   --v=2
62 | Restart=on-failure
63 | RestartSec=5
64 | 
65 | [Install]
66 | WantedBy=multi-user.target
67 | EOF
68 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0904-configure-kube-proxy.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | sudo mv kube-proxy.kubeconfig /var/lib/kube-proxy/kubeconfig
 4 | 
 5 | cat <<EOF | sudo tee /var/lib/kube-proxy/kube-proxy-config.yaml
 6 | kind: KubeProxyConfiguration
 7 | apiVersion: kubeproxy.config.k8s.io/v1alpha1
 8 | clientConnection:
 9 |   kubeconfig: "/var/lib/kube-proxy/kubeconfig"
10 | mode: "iptables"
11 | clusterCIDR: "10.200.0.0/16"
12 | EOF
13 | 
14 | cat <<EOF | sudo tee /etc/systemd/system/kube-proxy.service
15 | [Unit]
16 | Description=Kubernetes Kube Proxy
17 | Documentation=https://github.com/kubernetes/kubernetes
18 | 
19 | [Service]
20 | ExecStart=/usr/local/bin/kube-proxy \\
21 |   --config=/var/lib/kube-proxy/kube-proxy-config.yaml
22 | Restart=on-failure
23 | RestartSec=5
24 | 
25 | [Install]
26 | WantedBy=multi-user.target
27 | EOF
28 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0905-start-worker-services.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | sudo systemctl daemon-reload
4 | sudo systemctl enable containerd kubelet kube-proxy
5 | sudo systemctl start containerd kubelet kube-proxy
6 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/0910-verify-worker.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | vagrant ssh controller-0 \
4 |   --command "kubectl get nodes --kubeconfig admin.kubeconfig"
5 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/1000-admin-kubeconfig.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | KUBERNETES_PUBLIC_ADDRESS=10.240.0.40
 4 | 
 5 | kubectl config set-cluster kubernetes-the-hard-way \
 6 |   --certificate-authority=ca.pem \
 7 |   --embed-certs=true \
 8 |   --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443
 9 | 
10 | kubectl config set-credentials admin \
11 |   --client-certificate=admin.pem \
12 |   --client-key=admin-key.pem
13 | 
14 | kubectl config set-context kubernetes-the-hard-way \
15 |   --cluster=kubernetes-the-hard-way \
16 |   --user=admin
17 | 
18 | kubectl config use-context kubernetes-the-hard-way
19 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/1001-verify-admin-kubeconfig.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | kubectl get componentstatuses
4 | 
5 | echo ''
6 | 
7 | kubectl get nodes
8 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/1200-dns-cluster-add-on.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | kubectl create -f https://storage.googleapis.com/kubernetes-the-hard-way/kube-dns.yaml
4 | 
5 | watch kubectl get pods -l k8s-app=kube-dns -n kube-system
6 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/1210-verify-dns.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | kubectl run busybox --image=busybox --command -- sleep 3600
4 | 
5 | watch kubectl get pods -l run=busybox
6 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/1211-verify-dns.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | POD_NAME=$(kubectl get pods -l run=busybox -o jsonpath="{.items[0].metadata.name}")
4 | 
5 | kubectl exec -ti $POD_NAME -- nslookup kubernetes
6 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/1300-data-encryption.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | kubectl create secret generic kubernetes-the-hard-way \
 4 |   --from-literal="mykey=mydata"
 5 | 
 6 | vagrant ssh controller-0 \
 7 |   --command "sudo ETCDCTL_API=3 etcdctl get \
 8 |   --endpoints=https://127.0.0.1:2379 \
 9 |   --cacert=/etc/etcd/ca.pem \
10 |   --cert=/etc/etcd/kubernetes.pem \
11 |   --key=/etc/etcd/kubernetes-key.pem\
12 |   /registry/secrets/default/kubernetes-the-hard-way | hexdump -C"


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/1310-deployments.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | kubectl run nginx --image=nginx
4 | 
5 | watch kubectl get pods -l run=nginx
6 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/1311-port-forwarding.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | POD_NAME=$(kubectl get pods -l run=nginx -o jsonpath="{.items[0].metadata.name}")
 4 | 
 5 | kubectl port-forward $POD_NAME 8080:80 &
 6 | 
 7 | 
 8 | sleep 5
 9 | 
10 | echo ''
11 | curl --head http://127.0.0.1:8080
12 | 
13 | kill $!
14 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/1312-logs.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | POD_NAME=$(kubectl get pods -l run=nginx -o jsonpath="{.items[0].metadata.name}")
4 | 
5 | kubectl logs $POD_NAME
6 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/1313-exec.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | POD_NAME=$(kubectl get pods -l run=nginx -o jsonpath="{.items[0].metadata.name}")
4 | 
5 | kubectl exec -ti $POD_NAME -- nginx -v
6 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/1320-services.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | kubectl expose deployment nginx --port 80 --type NodePort
4 | 
5 | NODE_PORT=$(kubectl get svc nginx \
6 |   --output=jsonpath='{range .spec.ports[0]}{.nodePort}')
7 | 
8 | curl -I http://10.240.0.20:${NODE_PORT}
9 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/1330-untrusted-workloads.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | cat <<EOF | kubectl apply -f -
 4 | apiVersion: v1
 5 | kind: Pod
 6 | metadata:
 7 |   name: untrusted
 8 |   annotations:
 9 |     io.kubernetes.cri.untrusted-workload: "true"
10 | spec:
11 |   containers:
12 |     - name: webserver
13 |       image: gcr.io/hightowerlabs/helloworld:2.0.0
14 | EOF
15 | 
16 | watch kubectl get pods -o wide
17 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/1331-verify-untrusted-workloads.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | INSTANCE_NAME=$(kubectl get pod untrusted --output=jsonpath='{.spec.nodeName}')
4 | 
5 | vagrant ssh ${INSTANCE_NAME}
6 | 


--------------------------------------------------------------------------------
/scripts/k8s-the-hard-way/1332-verify-untrusted-workloads.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | sudo runsc --root /run/containerd/runsc/k8s.io list
 4 | 
 5 | POD_ID=$(sudo crictl -r unix:///var/run/containerd/containerd.sock \
 6 |   pods --name untrusted -q)
 7 | 
 8 | CONTAINER_ID=$(sudo crictl -r unix:///var/run/containerd/containerd.sock \
 9 |   ps -p ${POD_ID} -q)
10 | 
11 | sudo runsc --root /run/containerd/runsc/k8s.io ps ${CONTAINER_ID}
12 | 


--------------------------------------------------------------------------------
/workspace/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/kenfdev/kubernetes-the-hard-way-vagrant/0a8ce90a0745f74a681a67f31f052348f4e3f399/workspace/.gitkeep


--------------------------------------------------------------------------------