├── _config.yml
├── manual-way
    ├── ansible
    │   ├── templates
    │   │   ├── 99-loopback.conf.j2
    │   │   ├── kube-scheduler.service.j2
    │   │   ├── 10-bridge.conf.j2
    │   │   ├── kube-proxy.service.j2
    │   │   ├── kube-controller-manager.service.j2
    │   │   ├── kubelet.service.j2
    │   │   ├── etcd.service.j2
    │   │   └── kube-apiserver.service.j2
    │   ├── inventory
    │   │   └── hosts
    │   ├── configureNetwork.yaml
    │   ├── configureContainerd.yaml
    │   ├── configureEtcd.yaml
    │   ├── configureSecurity.yaml
    │   ├── configureMasters.yaml
    │   └── configureNodes.yaml
    ├── scripts
    │   ├── install_kubectl.sh
    │   ├── install_cfssl.sh
    │   ├── configure_admin_client.sh
    │   ├── generate_node_certs.sh
    │   ├── generate_node_kubeconfig.sh
    │   ├── generate_kubeconfig.sh
    │   └── generate_certificates.sh
    ├── config
    │   ├── admin-csr.json
    │   ├── ca-csr.json
    │   ├── ca-config.json
    │   ├── kubernetes-csr.json
    │   ├── kube-proxy-csr.json
    │   └── kube-flannel-for-vagrant.yaml
    ├── README.md
    ├── k8s_run_old
    ├── setUpCluster.sh
    ├── kube-flannel-vagrant.yml
    └── kube-dns.yaml
├── vagrant
    ├── etc_hosts
    ├── Vagrantfile
    └── README.md
├── heapster
    ├── README.md
    ├── heapster-rbac.yaml
    ├── config
    │   ├── heapster-rbac.yaml
    │   ├── influxdb.yaml
    │   ├── heapster.yaml
    │   └── grafana.yaml
    ├── influxdb.yaml
    ├── heapster.yaml
    └── grafana.yaml
├── .gitignore
├── kubeadm-way
    ├── ansible
    │   ├── configureClient.yaml
    │   ├── installKubernetes.yaml
    │   ├── inventory
    │   │   └── hosts
    │   ├── installDocker.yaml
    │   └── bootstrapCluster.yaml
    ├── run.sh
    └── README.md
├── installKubeCtl.sh
├── README.md
└── LICENSE


/_config.yml:
--------------------------------------------------------------------------------
1 | theme: jekyll-theme-tactile


--------------------------------------------------------------------------------
/manual-way/ansible/templates/99-loopback.conf.j2:
--------------------------------------------------------------------------------
1 | {
2 |     "cniVersion": "0.3.1",
3 |     "type": "loopback"
4 | }


--------------------------------------------------------------------------------
/vagrant/etc_hosts:
--------------------------------------------------------------------------------
1 | 10.240.0.21    node1
2 | 10.240.0.22    node2
3 | 10.240.0.23    node3
4 | 10.240.0.24    node4


--------------------------------------------------------------------------------
/heapster/README.md:
--------------------------------------------------------------------------------
1 | ## Install Heapster in Kubernetes Cluster
2 | Run:
3 | ```bash
4 | kubectl create -f config/
5 | ```
6 | 
7 | For more details visit: https://github.com/kubernetes/heapster


--------------------------------------------------------------------------------
/manual-way/scripts/install_kubectl.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | wget https://storage.googleapis.com/kubernetes-release/release/v1.8.0/bin/linux/amd64/kubectl
4 | chmod +x kubectl
5 | sudo mv kubectl /usr/local/bin/
6 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # IntelliJ project files
 2 | .idea
 3 | *.iml
 4 | out
 5 | gen
 6 | 
 7 | # Vagrant files
 8 | .vagrant/
 9 | 
10 | # Log files
11 | *.log
12 | 
13 | # Ansible files
14 | *.retry
15 | 
16 | # Genereted files
17 | tmp/
18 | node*-csr.json
19 | 


--------------------------------------------------------------------------------
/kubeadm-way/ansible/configureClient.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - hosts: master
 3 |   tasks:
 4 |     - name: Fetch configuration files from master node
 5 |       fetch:
 6 |         src: /home/ubuntu/.kube/config
 7 |         dest: ../tmp/
 8 |         flat: yes
 9 |       become: true
10 |       run_once: true


--------------------------------------------------------------------------------
/manual-way/config/admin-csr.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "CN": "admin",
 3 |   "key": {
 4 |     "algo": "rsa",
 5 |     "size": 2048
 6 |   },
 7 |   "names": [
 8 |     {
 9 |       "C": "PL",
10 |       "L": "Krakow",
11 |       "O": "system:masters",
12 |       "OU": "Kubernetes The Hard Way"
13 |     }
14 |   ]
15 | }
16 | 


--------------------------------------------------------------------------------
/manual-way/config/ca-csr.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "CN": "example.com",
 3 |   "key": {
 4 |     "algo": "rsa",
 5 |     "size": 2048
 6 |   },
 7 |   "names": [
 8 |     {
 9 |       "C": "PL",
10 |       "L": "Krakow",
11 |       "O": "JNC Certificate Authority",
12 |       "OU": "RnD Department"
13 |     }
14 |   ]
15 | }
16 | 


--------------------------------------------------------------------------------
/manual-way/config/ca-config.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "signing": {
 3 |     "default": {
 4 |       "expiry": "8760h"
 5 |     },
 6 |     "profiles": {
 7 |       "kubernetes": {
 8 |         "usages": ["signing", "key encipherment", "server auth", "client auth"],
 9 |         "expiry": "8760h"
10 |       }
11 |     }
12 |   }
13 | }
14 | 


--------------------------------------------------------------------------------
/heapster/heapster-rbac.yaml:
--------------------------------------------------------------------------------
 1 | kind: ClusterRoleBinding
 2 | apiVersion: rbac.authorization.k8s.io/v1beta1
 3 | metadata:
 4 |   name: heapster
 5 | roleRef:
 6 |   apiGroup: rbac.authorization.k8s.io
 7 |   kind: ClusterRole
 8 |   name: system:heapster
 9 | subjects:
10 | - kind: ServiceAccount
11 |   name: heapster
12 |   namespace: kube-system
13 | 


--------------------------------------------------------------------------------
/manual-way/config/kubernetes-csr.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "CN": "kubernetes",
 3 |   "key": {
 4 |     "algo": "rsa",
 5 |     "size": 2048
 6 |   },
 7 |   "names": [
 8 |     {
 9 |       "C": "US",
10 |       "L": "Portland",
11 |       "O": "Kubernetes",
12 |       "OU": "Kubernetes The Hard Way",
13 |       "ST": "Oregon"
14 |     }
15 |   ]
16 | }
17 | 


--------------------------------------------------------------------------------
/heapster/config/heapster-rbac.yaml:
--------------------------------------------------------------------------------
 1 | kind: ClusterRoleBinding
 2 | apiVersion: rbac.authorization.k8s.io/v1beta1
 3 | metadata:
 4 |   name: heapster
 5 | roleRef:
 6 |   apiGroup: rbac.authorization.k8s.io
 7 |   kind: ClusterRole
 8 |   name: system:heapster
 9 | subjects:
10 | - kind: ServiceAccount
11 |   name: heapster
12 |   namespace: kube-system
13 | 


--------------------------------------------------------------------------------
/manual-way/config/kube-proxy-csr.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "CN": "system:kube-proxy",
 3 |   "key": {
 4 |     "algo": "rsa",
 5 |     "size": 2048
 6 |   },
 7 |   "names": [
 8 |     {
 9 |       "C": "US",
10 |       "L": "Portland",
11 |       "O": "system:node-proxier",
12 |       "OU": "Kubernetes The Hard Way",
13 |       "ST": "Oregon"
14 |     }
15 |   ]
16 | }
17 | 


--------------------------------------------------------------------------------
/manual-way/ansible/templates/kube-scheduler.service.j2:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Kubernetes Scheduler
 3 | Documentation=https://github.com/kubernetes/kubernetes
 4 | 
 5 | [Service]
 6 | ExecStart=/usr/local/bin/kube-scheduler \
 7 |   --leader-elect=true \
 8 |   --master=http://127.0.0.1:8080 \
 9 |   --v=2
10 | Restart=on-failure
11 | RestartSec=5
12 | 
13 | [Install]
14 | WantedBy=multi-user.target


--------------------------------------------------------------------------------
/manual-way/scripts/install_cfssl.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | wget -q --show-progress --https-only --timestamping \
 4 |   https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \
 5 |   https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
 6 | 
 7 | chmod +x cfssl_linux-amd64 cfssljson_linux-amd64
 8 | 
 9 | sudo mv cfssl_linux-amd64 /usr/local/bin/cfssl
10 | sudo mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
11 | 


--------------------------------------------------------------------------------
/installKubeCtl.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | echo "Download latest kubectl"
3 | curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
4 | chmod +x ./kubectl
5 | sudo mv ./kubectl /usr/local/bin/kubectl
6 | 
7 | echo "Configure kubectl autocompletion"
8 | echo "source <(kubectl completion bash)" >> ~/.bashrc


--------------------------------------------------------------------------------
/manual-way/ansible/templates/10-bridge.conf.j2:
--------------------------------------------------------------------------------
 1 | {
 2 |     "cniVersion": "0.3.1",
 3 |     "name": "bridge",
 4 |     "type": "bridge",
 5 |     "bridge": "cnio0",
 6 |     "isGateway": true,
 7 |     "ipMasq": true,
 8 |     "ipam": {
 9 |         "type": "host-local",
10 |         "ranges": [
11 |           [{"subnet": "{{ pod_cidr }}"}]
12 |         ],
13 |         "routes": [{"dst": "0.0.0.0/0"}]
14 |     }
15 | }


--------------------------------------------------------------------------------
/manual-way/ansible/templates/kube-proxy.service.j2:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Kubernetes Kube Proxy
 3 | Documentation=https://github.com/kubernetes/kubernetes
 4 | 
 5 | [Service]
 6 | ExecStart=/usr/local/bin/kube-proxy \
 7 |   --cluster-cidr=10.244.0.0/16 \
 8 |   --kubeconfig=/var/lib/kube-proxy/kubeconfig \
 9 |   --proxy-mode=iptables \
10 |   --masquerade-all \
11 |   --v=2
12 | Restart=on-failure
13 | RestartSec=5
14 | 
15 | [Install]
16 | WantedBy=multi-user.target


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Kubernetes Training Repository
 2 | This repository contains Kubernetes training.
 3 | 
 4 | ## Bootstrap a Kubernetes Cluster
 5 | Following ways of bootsrapping a Kubernetes Cluster across Virtual Machines (Ubuntu) are covered:
 6 | - [Kubeadm](kubeadm-way) - quick and simple solution to run a Cluster with separate Master and multiple Workers on different Virtual Machines
 7 | - [Manual](manual-way) - complex way of running a Cluster from scratch with multiple Masters and Workers across different Virtual Machines
 8 | 
 9 | ## Install Heapster
10 | TODO


--------------------------------------------------------------------------------
/kubeadm-way/ansible/installKubernetes.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - hosts: kubeadm
 3 |   become: true
 4 | 
 5 |   tasks:
 6 |     - name: Add Kubernetes repository key
 7 |       apt_key: url=https://packages.cloud.google.com/apt/doc/apt-key.gpg
 8 | 
 9 |     - name: Add Kubernetes repository
10 |       apt_repository: repo='deb http://apt.kubernetes.io/ kubernetes-xenial main' state=present
11 | 
12 |     - name: Install kubelet, kubeadm, kubectl
13 |       apt: name={{item}} state=installed
14 |       with_items:
15 |       - kubelet
16 |       - kubeadm
17 |       - kubectl
18 | 


--------------------------------------------------------------------------------
/manual-way/scripts/configure_admin_client.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | kubectl config set-cluster $KUBERNETES_CLUSTER \
 4 |   --certificate-authority=$CERTS_GEN_DIR/ca.pem \
 5 |   --embed-certs=true \
 6 |   --server=https://${KUBERNETES_PUBLIC_ADDRESS}:6443
 7 | 
 8 | kubectl config set-credentials admin \
 9 |   --client-certificate=$CERTS_GEN_DIR/admin.pem \
10 |   --client-key=$CERTS_GEN_DIR/admin-key.pem
11 | 
12 | kubectl config set-context $KUBERNETES_CLUSTER \
13 |   --cluster=$KUBERNETES_CLUSTER \
14 |   --user=admin
15 | 
16 | kubectl config use-context $KUBERNETES_CLUSTER


--------------------------------------------------------------------------------
/kubeadm-way/ansible/inventory/hosts:
--------------------------------------------------------------------------------
 1 | # Ansible inventory file
 2 | 
 3 | [master]
 4 | 10.240.0.21   ansible_user=ubuntu ansible_python_interpreter=/usr/bin/python3
 5 | 
 6 | [worker]
 7 | 10.240.0.22   ansible_user=ubuntu ansible_python_interpreter=/usr/bin/python3
 8 | 10.240.0.23   ansible_user=ubuntu ansible_python_interpreter=/usr/bin/python3
 9 | 10.240.0.24   ansible_user=ubuntu ansible_python_interpreter=/usr/bin/python3
10 | 
11 | [docker:children]
12 | master
13 | worker
14 | 
15 | [kubeadm:children]
16 | master
17 | worker
18 | 
19 | [all:vars]
20 | MASTER_API_IP=10.240.0.21
21 | POD_NETWORK_CIDR=10.244.0.0/16
22 | SERVICE_CIDR=10.96.0.0/12


--------------------------------------------------------------------------------
/manual-way/ansible/inventory/hosts:
--------------------------------------------------------------------------------
 1 | # Ansible inventory file
 2 | 
 3 | [master]
 4 | node1   ansible_host=10.240.0.21  ansible_user=ubuntu ansible_python_interpreter=/usr/bin/python3 pod_cidr=10.200.21.0/24
 5 | node2   ansible_host=10.240.0.22  ansible_user=ubuntu ansible_python_interpreter=/usr/bin/python3 pod_cidr=10.200.22.0/24
 6 | 
 7 | [node]
 8 | node3   ansible_host=10.240.0.23  ansible_user=ubuntu ansible_python_interpreter=/usr/bin/python3 pod_cidr=10.200.23.0/24
 9 | node4   ansible_host=10.240.0.24  ansible_user=ubuntu ansible_python_interpreter=/usr/bin/python3 pod_cidr=10.200.24.0/24
10 | 
11 | [etcd:children]
12 | master
13 | 
14 | [all:vars]
15 | master_api_ip=10.240.0.21


--------------------------------------------------------------------------------
/kubeadm-way/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | export ANSIBLE_HOST_KEY_CHECKING=False
 3 | export ANSIBLE_INVENTORY="ansible/inventory/hosts"
 4 | export PRIVATE_KEY="~/.ssh/id_rsa"
 5 | 
 6 | echo "# Install Docker"
 7 | ansible-playbook -i $ANSIBLE_INVENTORY --private-key $PRIVATE_KEY ansible/installDocker.yaml
 8 | 
 9 | echo "# Install kubeadm"
10 | ansible-playbook -i $ANSIBLE_INVENTORY --private-key $PRIVATE_KEY ansible/installKubernetes.yaml
11 | 
12 | echo "# Bootstrap cluster"
13 | ansible-playbook -i $ANSIBLE_INVENTORY --private-key $PRIVATE_KEY ansible/bootstrapCluster.yaml
14 | 
15 | echo "# Configure local client"
16 | ansible-playbook -i $ANSIBLE_INVENTORY --private-key $PRIVATE_KEY ansible/configureClient.yaml
17 | 


--------------------------------------------------------------------------------
/manual-way/ansible/templates/kube-controller-manager.service.j2:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Kubernetes Controller Manager
 3 | Documentation=https://github.com/kubernetes/kubernetes
 4 | 
 5 | [Service]
 6 | ExecStart=/usr/local/bin/kube-controller-manager \
 7 |   --address=0.0.0.0 \
 8 |   --allocate-node-cidrs=true \
 9 |   --cluster-cidr=10.244.0.0/16 \
10 |   --cluster-name=kubernetes \
11 |   --cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \
12 |   --cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \
13 |   --leader-elect=true \
14 |   --master=http://127.0.0.1:8080 \
15 |   --root-ca-file=/var/lib/kubernetes/ca.pem \
16 |   --service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \
17 |   --service-cluster-ip-range=10.32.0.0/24 \
18 |   --v=2
19 | Restart=on-failure
20 | RestartSec=5
21 | 
22 | [Install]
23 | WantedBy=multi-user.target


--------------------------------------------------------------------------------
/manual-way/ansible/configureNetwork.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - hosts: node
 3 | 
 4 |   tasks:
 5 | #    - name: configure static route
 6 | #      shell: |
 7 | #        route add -net 10.200.23.0/24 gw 10.240.0.23 dev enp0s8
 8 | #        route add -net 10.200.24.0/24 gw 10.240.0.24 dev enp0s8
 9 | #      become: true
10 | #      register: command_result
11 | #      failed_when: "not(command_result.rc == 0 or 'SIOCADDRT: File exists' in command_result.stderr)"
12 | #
13 | 
14 |     - name: Create directories
15 |       file: path={{ item }} state=directory
16 |       become: true
17 |       with_items:
18 |         - "/opt/cni/bin/"
19 | 
20 |     - name: "Get CNI plugins"
21 |       unarchive:
22 |         src: https://github.com/containernetworking/plugins/releases/download/v0.6.0/cni-plugins-amd64-v0.6.0.tgz
23 |         dest: /opt/cni/bin/
24 |         remote_src: yes
25 |       become: true


--------------------------------------------------------------------------------
/kubeadm-way/README.md:
--------------------------------------------------------------------------------
 1 | # Bootstrapping a Kubernetes Cluster with kubeadm
 2 | This scripts will run a Kubernetes Cluster with use of kubeadm tool.
 3 | Three steps will be executed:
 4 | 1. Docker installation on all nodes
 5 | 2. Installation of Kubernetes binaries (_kubelet_, _kubectl_, _kubeadm_)
 6 | 3. Bootstraping of the Cluster with `kubeadm init` and `kubeadm join`
 7 | 
 8 | ## Prerequisites
 9 | - [ ] [Ansible](http://docs.ansible.com/ansible/latest/intro_installation.html) installed on host machine
10 | - [ ] Virtual Machines up and running - use [Vagrant](../vagrant) to run preconfigured VMs
11 | 
12 | ## Configuration
13 | Cluster configuration can be found in [Ansible inventory file](ansible/inventory/hosts).
14 | 
15 | ## Run script to set up Kubernetes Cluster
16 | ```bash
17 | ./run.sh
18 | ```
19 | 
20 | ## Credits
21 |  - [Kubernetes Documentation](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm)
22 | 


--------------------------------------------------------------------------------
/manual-way/scripts/generate_node_certs.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | NODES_NUMBER=$1
 3 | 
 4 | echo "Generate certificates for $NODES_NUMBER nodes"
 5 | 
 6 | for i in $(seq 1 $NODES_NUMBER);
 7 | do
 8 | NODE=node$i
 9 | 
10 |     echo "Generate cert for node: $NODE"
11 |     cat > $CONFIG_DIR/$NODE-csr.json <<EOF
12 | {
13 |   "CN": "system:node:$NODE",
14 |   "key": {
15 |     "algo": "rsa",
16 |     "size": 2048
17 |   },
18 |   "names": [
19 |     {
20 |       "C": "US",
21 |       "L": "Portland",
22 |       "O": "system:nodes",
23 |       "OU": "Kubernetes The Hard Way",
24 |       "ST": "Oregon"
25 |     }
26 |   ]
27 | }
28 | EOF
29 | 
30 |     cfssl gencert \
31 |       -ca=$CERTS_GEN_DIR/ca.pem \
32 |       -ca-key=$CERTS_GEN_DIR/ca-key.pem \
33 |       -config=$CONFIG_DIR/ca-config.json \
34 |       -hostname=$NODE,10.240.0.2$i \
35 |       -profile=kubernetes \
36 |       $CONFIG_DIR/$NODE-csr.json | cfssljson -bare $NODE
37 | 
38 | #rm $CONFIG_DIR/node$i-csr.json
39 | done


--------------------------------------------------------------------------------
/vagrant/Vagrantfile:
--------------------------------------------------------------------------------
 1 | # Configuration
 2 | CLUSTER_SIZE=4
 3 | SSH_PRIVATE_KEY="~/.ssh/id_rsa"
 4 | SSH_PUBLIC_KEY="~/.ssh/id_rsa.pub"
 5 | 
 6 | Vagrant.configure("2") do |config|
 7 |     config.vm.box = "ubuntu/xenial64"
 8 |     config.vm.box_version = "20171212.0.0"
 9 | 
10 |     # Workaround for Bug [https://bugs.launchpad.net/cloud-images/+bug/1569237]
11 |     config.ssh.insert_key = true
12 |     config.ssh.private_key_path = [SSH_PRIVATE_KEY]
13 |     config.vm.provision "file", source: SSH_PUBLIC_KEY, destination: "~/.ssh/authorized_keys"
14 | 
15 |     (1..CLUSTER_SIZE).each do |i|
16 |         config.vm.define "node#{i}" do |node|
17 |             node.vm.hostname = "node#{i}"
18 | 
19 |             node.vm.network "private_network", ip: "10.240.0.2#{i}"
20 | 
21 |             node.vm.provision "shell",
22 |                 inline: "echo '10.240.0.21 node1
23 | 10.240.0.22 node2
24 | 10.240.0.23 node3
25 | 10.240.0.24 node4' >> /etc/hosts"
26 |         end
27 |     end
28 | end
29 | 


--------------------------------------------------------------------------------
/manual-way/scripts/generate_node_kubeconfig.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | NODES_NUMBER=$1
 3 | 
 4 | echo "Generate config for $NODES_NUMBER nodes"
 5 | 
 6 | for i in $(seq 1 $NODES_NUMBER);
 7 | do
 8 |     echo "Generate config for node: $i"
 9 | 
10 |     kubectl config set-cluster $KUBERNETES_CLUSTER \
11 |     --certificate-authority=$CERTS_GEN_DIR/ca.pem \
12 |     --embed-certs=true \
13 |     --server=https://$KUBERNETES_PUBLIC_ADDRESS:6443 \
14 |     --kubeconfig=$KUBECONFIG_DIR/node$i.kubeconfig
15 | 
16 |     kubectl config set-credentials system:node:node$i \
17 |     --client-certificate=$CERTS_GEN_DIR/node$i.pem \
18 |     --client-key=$CERTS_GEN_DIR/node$i-key.pem \
19 |     --embed-certs=true \
20 |     --kubeconfig=$KUBECONFIG_DIR/node$i.kubeconfig
21 | 
22 |     kubectl config set-context default \
23 |     --cluster=$KUBERNETES_CLUSTER \
24 |     --user=system:node:node$i \
25 |     --kubeconfig=$KUBECONFIG_DIR/node$i.kubeconfig
26 | 
27 |     kubectl config use-context default --kubeconfig=$KUBECONFIG_DIR/node$i.kubeconfig
28 | 
29 | done


--------------------------------------------------------------------------------
/manual-way/scripts/generate_kubeconfig.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | NODES_NUMBER=$1
 3 | 
 4 | mkdir -p $KUBECONFIG_DIR/ && cd $KUBECONFIG_DIR/
 5 | 
 6 | # kube-proxy configuration file
 7 | echo "Generate kube-proxy configuration file"
 8 | 
 9 | kubectl config set-cluster $KUBERNETES_CLUSTER \
10 |   --certificate-authority=$CERTS_GEN_DIR/ca.pem \
11 |   --embed-certs=true \
12 |   --server=https://$KUBERNETES_PUBLIC_ADDRESS:6443 \
13 |   --kubeconfig=$KUBECONFIG_DIR/kube-proxy.kubeconfig
14 | 
15 | kubectl config set-credentials kube-proxy \
16 |   --client-certificate=$CERTS_GEN_DIR/kube-proxy.pem \
17 |   --client-key=$CERTS_GEN_DIR/kube-proxy-key.pem \
18 |   --embed-certs=true \
19 |   --kubeconfig=$KUBECONFIG_DIR/kube-proxy.kubeconfig
20 | 
21 | kubectl config set-context default \
22 |   --cluster=$KUBERNETES_CLUSTER \
23 |   --user=kube-proxy \
24 |   --kubeconfig=$KUBECONFIG_DIR/kube-proxy.kubeconfig
25 | 
26 | kubectl config use-context default --kubeconfig=$KUBECONFIG_DIR/kube-proxy.kubeconfig
27 | 
28 | # GENERATE NODES CERTS
29 | echo "## GENERATE NODES CERTS"
30 | $SCRIPTS_DIR/generate_node_kubeconfig.sh $NODES_NUMBER
31 | 


--------------------------------------------------------------------------------
/manual-way/ansible/templates/kubelet.service.j2:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Kubernetes Kubelet
 3 | Documentation=https://github.com/kubernetes/kubernetes
 4 | After=cri-containerd.service
 5 | Requires=cri-containerd.service
 6 | 
 7 | [Service]
 8 | ExecStart=/usr/local/bin/kubelet \
 9 |   --allow-privileged=true \
10 |   --anonymous-auth=false \
11 |   --authorization-mode=Webhook \
12 |   --client-ca-file=/var/lib/kubernetes/ca.pem \
13 |   --cloud-provider="" \
14 |   --cluster-dns=10.32.0.10 \
15 |   --cluster-domain=cluster.local \
16 |   --node-ip={{ ansible_host }} \
17 |   --container-runtime=remote \
18 |   --container-runtime-endpoint=unix:///var/run/cri-containerd.sock \
19 |   --runtime-request-timeout=15m \
20 |   --image-pull-progress-deadline=2m \
21 |   --kubeconfig=/var/lib/kubelet/kubeconfig \
22 |   --network-plugin=cni \
23 |   --pod-cidr={{ pod_cidr }} \
24 |   --register-node=true \
25 |   --tls-cert-file=/var/lib/kubelet/{{ inventory_hostname }}.pem \
26 |   --tls-private-key-file=/var/lib/kubelet/{{ inventory_hostname }}-key.pem \
27 |   --v=2
28 | Restart=on-failure
29 | RestartSec=5
30 | 
31 | [Install]
32 | WantedBy=multi-user.target


--------------------------------------------------------------------------------
/heapster/influxdb.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: extensions/v1beta1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: monitoring-influxdb
 5 |   namespace: kube-system
 6 | spec:
 7 |   replicas: 1
 8 |   template:
 9 |     metadata:
10 |       labels:
11 |         task: monitoring
12 |         k8s-app: influxdb
13 |     spec:
14 |       containers:
15 |       - name: influxdb
16 |         image: k8s.gcr.io/heapster-influxdb-amd64:v1.3.3
17 |         volumeMounts:
18 |         - mountPath: /data
19 |           name: influxdb-storage
20 |       volumes:
21 |       - name: influxdb-storage
22 |         emptyDir: {}
23 | ---
24 | apiVersion: v1
25 | kind: Service
26 | metadata:
27 |   labels:
28 |     task: monitoring
29 |     # For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons)
30 |     # If you are NOT using this as an addon, you should comment out this line.
31 |     kubernetes.io/cluster-service: 'true'
32 |     kubernetes.io/name: monitoring-influxdb
33 |   name: monitoring-influxdb
34 |   namespace: kube-system
35 | spec:
36 |   ports:
37 |   - port: 8086
38 |     targetPort: 8086
39 |   selector:
40 |     k8s-app: influxdb
41 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2018 Jakub Nowakowski
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/heapster/config/influxdb.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: extensions/v1beta1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: monitoring-influxdb
 5 |   namespace: kube-system
 6 | spec:
 7 |   replicas: 1
 8 |   template:
 9 |     metadata:
10 |       labels:
11 |         task: monitoring
12 |         k8s-app: influxdb
13 |     spec:
14 |       containers:
15 |       - name: influxdb
16 |         image: k8s.gcr.io/heapster-influxdb-amd64:v1.3.3
17 |         volumeMounts:
18 |         - mountPath: /data
19 |           name: influxdb-storage
20 |       volumes:
21 |       - name: influxdb-storage
22 |         emptyDir: {}
23 | ---
24 | apiVersion: v1
25 | kind: Service
26 | metadata:
27 |   labels:
28 |     task: monitoring
29 |     # For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons)
30 |     # If you are NOT using this as an addon, you should comment out this line.
31 |     kubernetes.io/cluster-service: 'true'
32 |     kubernetes.io/name: monitoring-influxdb
33 |   name: monitoring-influxdb
34 |   namespace: kube-system
35 | spec:
36 |   ports:
37 |   - port: 8086
38 |     targetPort: 8086
39 |   selector:
40 |     k8s-app: influxdb
41 | 


--------------------------------------------------------------------------------
/kubeadm-way/ansible/installDocker.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - hosts: docker
 3 |   become: true
 4 | 
 5 |   vars:
 6 |     dockerPackage: "docker-ce"
 7 |     dockerVersion: "17.03.2~ce-0~ubuntu-xenial"
 8 |     lsbRelease: "xenial"
 9 | 
10 |   handlers:
11 |     - name: Restart server
12 |       shell: sleep 5 && shutdown -r now "Reboot triggered by Ansible script"
13 |       async: 1
14 |       poll: 0
15 |     - name: Wait for server to restart
16 |       wait_for_connection:
17 |       args:
18 |         delay: 15
19 |         timeout: 120
20 | 
21 |   tasks:
22 |     - name: Add Docker repository key
23 |       apt_key: url=https://download.docker.com/linux/ubuntu/gpg
24 | 
25 |     - name: Add Docker repository
26 |       apt_repository: repo='deb [arch=amd64] https://download.docker.com/linux/ubuntu {{ lsbRelease }} stable' state=present
27 | 
28 |     - name: Install docker-ce
29 |       apt: name={{dockerPackage}}={{dockerVersion}} state=present update_cache=yes
30 | 
31 |     - name: Add user to docker group
32 |       user:
33 |         name: "{{ansible_user}}"
34 |         append: yes
35 |         groups: docker
36 |       notify:
37 |           - Restart server
38 |           - Wait for server to restart
39 | 


--------------------------------------------------------------------------------
/manual-way/README.md:
--------------------------------------------------------------------------------
 1 | # Bootstrapping a Kubernetes Cluster from Scratch
 2 | This scripts will run a Kubernetes Cluster from scratch.
 3 | 
 4 | IN PROGRESS...
 5 | 
 6 | ## Prerequisites
 7 | - [X] [Ansible](http://docs.ansible.com/ansible/latest/intro_installation.html) installed on host machine
 8 | - [X] Virtual Machines up and running - use [Vagrant](../vagrant) to run preconfigured VMs
 9 | 
10 | 
11 | ## Run script to set up Kubernetes Cluster
12 | ```bash
13 | ./setUpCluster.sh
14 | ```
15 | 
16 | ## Credits
17 | - [Kubernetes The Hard Way Tutorial](https://github.com/kelseyhightower/kubernetes-the-hard-way) by @kelseyhightower
18 | - Kubernetes Documentation - [Creating a Custom Cluster from Scratch](https://kubernetes.io/docs/getting-started-guides/scratch)
19 | 
20 | 
21 | ## Run E2E tests
22 | 
23 | IN PROGRESS...
24 | 
25 | - [Install golang](https://golang.org/doc/install)
26 | 
27 | https://github.com/kubernetes/community/blob/master/contributors/devel/e2e-tests.md#testing-against-local-clusters
28 | ```bash
29 | export KUBECONFIG=/etc/kubernetes/admin.conf
30 | export KUBE_MASTER_IP="127.0.0.1:6443"
31 | export KUBE_MASTER=local
32 | go run hack/e2e.go -- --provider=local -v --test
33 | ```
34 | 


--------------------------------------------------------------------------------
/manual-way/ansible/templates/etcd.service.j2:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=etcd
 3 | Documentation=https://github.com/coreos
 4 | 
 5 | [Service]
 6 | ExecStart=/usr/local/bin/etcd \
 7 |   --name {{ inventory_hostname }} \
 8 |   --cert-file=/etc/etcd/kubernetes.pem \
 9 |   --key-file=/etc/etcd/kubernetes-key.pem \
10 |   --peer-cert-file=/etc/etcd/kubernetes.pem \
11 |   --peer-key-file=/etc/etcd/kubernetes-key.pem \
12 |   --trusted-ca-file=/etc/etcd/ca.pem \
13 |   --peer-trusted-ca-file=/etc/etcd/ca.pem \
14 |   --peer-client-cert-auth \
15 |   --client-cert-auth \
16 |   --initial-advertise-peer-urls https://{{ ansible_host }}:2380 \
17 |   --listen-peer-urls https://{{ ansible_host }}:2380 \
18 |   --listen-client-urls https://{{ ansible_host }}:2379,http://127.0.0.1:2379 \
19 |   --advertise-client-urls https://{{ ansible_host }}:2379 \
20 |   --initial-cluster-token etcd-cluster-0 \
21 |   --initial-cluster {% for host in groups['etcd'] %}{{ hostvars[host].inventory_hostname }}=https://{{ hostvars[host].ansible_host }}:2380{% if not loop.last %},{% endif %}{% endfor %} \
22 |   --initial-cluster-state new \
23 |   --data-dir=/var/lib/etcd
24 | Restart=on-failure
25 | RestartSec=5
26 | 
27 | [Install]
28 | WantedBy=multi-user.target


--------------------------------------------------------------------------------
/manual-way/ansible/configureContainerd.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - hosts: node
 3 | 
 4 |   tasks:
 5 |     - name: Install dependencies
 6 |       apt: name={{ item }} state=installed update_cache=yes
 7 |       become: yes
 8 |       with_items:
 9 |         - "libseccomp2"
10 | #        - "libapparmor"
11 | #        - "btrfs-tools"
12 | #        - "nsenter"
13 | 
14 |     #  The socat binary enables support for the kubectl port-forward command.
15 |     - name: Install socat
16 |       apt: name=socat state=installed update_cache=yes
17 |       become: yes
18 | 
19 | 
20 |     - name: "Get CRI containerd"
21 |       unarchive:
22 |         src: https://github.com/containerd/cri-containerd/releases/download/v1.0.0-beta.1/cri-containerd-1.0.0-beta.1.linux-amd64.tar.gz
23 |         dest: /
24 |         remote_src: yes
25 |       become: true
26 | 
27 |     - name: Create directories
28 |       file: path={{ item }} state=directory
29 |       with_items:
30 |         - "/opt/cni/bin/"
31 |         - "/etc/cni/net.d/"
32 |       become: true
33 | 
34 |     - name: "Start systemd services"
35 |       systemd:
36 |         state: restarted
37 |         daemon_reload: yes
38 |         enabled: yes
39 |         name: "{{ item }}"
40 |       with_items:
41 |         - "containerd"
42 |         - "cri-containerd"
43 |       become: true


--------------------------------------------------------------------------------
/heapster/heapster.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: ServiceAccount
 3 | metadata:
 4 |   name: heapster
 5 |   namespace: kube-system
 6 | ---
 7 | apiVersion: extensions/v1beta1
 8 | kind: Deployment
 9 | metadata:
10 |   name: heapster
11 |   namespace: kube-system
12 | spec:
13 |   replicas: 1
14 |   template:
15 |     metadata:
16 |       labels:
17 |         task: monitoring
18 |         k8s-app: heapster
19 |     spec:
20 |       serviceAccountName: heapster
21 |       containers:
22 |       - name: heapster
23 |         image: k8s.gcr.io/heapster-amd64:v1.4.2
24 |         imagePullPolicy: IfNotPresent
25 |         command:
26 |         - /heapster
27 |         - --source=kubernetes:https://kubernetes.default
28 |         - --sink=influxdb:http://monitoring-influxdb.kube-system.svc:8086
29 | ---
30 | apiVersion: v1
31 | kind: Service
32 | metadata:
33 |   labels:
34 |     task: monitoring
35 |     # For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons)
36 |     # If you are NOT using this as an addon, you should comment out this line.
37 |     kubernetes.io/cluster-service: 'true'
38 |     kubernetes.io/name: Heapster
39 |   name: heapster
40 |   namespace: kube-system
41 | spec:
42 |   ports:
43 |   - port: 80
44 |     targetPort: 8082
45 |   selector:
46 |     k8s-app: heapster
47 | 


--------------------------------------------------------------------------------
/heapster/config/heapster.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | kind: ServiceAccount
 3 | metadata:
 4 |   name: heapster
 5 |   namespace: kube-system
 6 | ---
 7 | apiVersion: extensions/v1beta1
 8 | kind: Deployment
 9 | metadata:
10 |   name: heapster
11 |   namespace: kube-system
12 | spec:
13 |   replicas: 1
14 |   template:
15 |     metadata:
16 |       labels:
17 |         task: monitoring
18 |         k8s-app: heapster
19 |     spec:
20 |       serviceAccountName: heapster
21 |       containers:
22 |       - name: heapster
23 |         image: k8s.gcr.io/heapster-amd64:v1.4.2
24 |         imagePullPolicy: IfNotPresent
25 |         command:
26 |         - /heapster
27 |         - --source=kubernetes:https://kubernetes.default
28 |         - --sink=influxdb:http://monitoring-influxdb.kube-system.svc:8086
29 | ---
30 | apiVersion: v1
31 | kind: Service
32 | metadata:
33 |   labels:
34 |     task: monitoring
35 |     # For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons)
36 |     # If you are NOT using this as an addon, you should comment out this line.
37 |     kubernetes.io/cluster-service: 'true'
38 |     kubernetes.io/name: Heapster
39 |   name: heapster
40 |   namespace: kube-system
41 | spec:
42 |   ports:
43 |   - port: 80
44 |     targetPort: 8082
45 |   selector:
46 |     k8s-app: heapster
47 | 


--------------------------------------------------------------------------------
/manual-way/scripts/generate_certificates.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | NODES_NUMBER=$1
 3 | 
 4 | mkdir -p $CERTS_GEN_DIR/ && cd $CERTS_GEN_DIR/
 5 | 
 6 | ## GENERATE CA
 7 | echo "## GENERATE CA"
 8 | cfssl gencert -initca $CONFIG_DIR/ca-csr.json | cfssljson -bare ca
 9 | 
10 | ## GENERATE ADMIN CLIENT CERT
11 | echo "## GENERATE ADMIN CLIENT CERT"
12 | cfssl gencert \
13 |   -profile=kubernetes \
14 |   -ca=$CERTS_GEN_DIR/ca.pem \
15 |   -ca-key=$CERTS_GEN_DIR/ca-key.pem \
16 |   -config=$CONFIG_DIR/ca-config.json \
17 |   $CONFIG_DIR/admin-csr.json | cfssljson -bare admin
18 | 
19 | # GENERATE NODES CERTS
20 | echo "## GENERATE NODES CERTS"
21 | $SCRIPTS_DIR/generate_node_certs.sh $NODES_NUMBER
22 | 
23 | # GENERATE KUBE-PROXY CERT
24 | echo "## GENERATE KUBE-PROXY CERT"
25 | cfssl gencert \
26 |   -profile=kubernetes \
27 |   -ca=$CERTS_GEN_DIR/ca.pem \
28 |   -ca-key=$CERTS_GEN_DIR/ca-key.pem \
29 |   -config=$CONFIG_DIR/ca-config.json \
30 |   $CONFIG_DIR/kube-proxy-csr.json | cfssljson -bare kube-proxy
31 | 
32 | echo "## GENERATE API SERVER CERT"
33 | cfssl gencert \
34 |   -profile=kubernetes \
35 |   -ca=$CERTS_GEN_DIR/ca.pem \
36 |   -ca-key=$CERTS_GEN_DIR/ca-key.pem \
37 |   -config=$CONFIG_DIR/ca-config.json \
38 |   -hostname=10.32.0.1,10.240.0.21,10.240.0.22,$KUBERNETES_PUBLIC_ADDRESS,127.0.0.1,kubernetes.default \
39 |   $CONFIG_DIR/kubernetes-csr.json | cfssljson -bare kubernetes
40 | 
41 | 


--------------------------------------------------------------------------------
/manual-way/ansible/configureEtcd.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - hosts: etcd
 3 | 
 4 |   vars:
 5 |     certGenDir: "{{ lookup('env','CERTS_GEN_DIR') }}"
 6 | 
 7 |   tasks:
 8 |     - stat: path=/usr/local/bin/etcd
 9 |       register: etcd_exists
10 | 
11 |     - name: "Get etcd"
12 |       unarchive:
13 |         src: https://github.com/coreos/etcd/releases/download/v3.2.11/etcd-v3.2.11-linux-amd64.tar.gz
14 |         dest: .
15 |         remote_src: yes
16 |       when: etcd_exists.stat.exists == false
17 | 
18 |     - name: "Copy etcd to bin"
19 |       copy: src="etcd-v3.2.11-linux-amd64/{{ item }}" dest="/usr/local/bin/" remote_src="yes" mode="+x"
20 |       with_items:
21 |         - "etcd"
22 |         - "etcdctl"
23 |       become: true
24 | 
25 |     - name: Create directories
26 |       file: path={{ item }} state=directory
27 |       with_items:
28 |         - "/etc/etcd"
29 |         - "/var/lib/etcd"
30 |       become: true
31 | 
32 |     - name: "Copy certificates to etcd"
33 |       copy: src={{ item }} dest="/etc/etcd/"
34 |       with_items:
35 |         - "{{ certGenDir }}/kubernetes-key.pem"
36 |         - "{{ certGenDir }}/kubernetes.pem"
37 |         - "{{ certGenDir }}/ca.pem"
38 |       become: true
39 | 
40 |     - name: "Generate etcd.service file"
41 |       template:
42 |         src: templates/etcd.service.j2
43 |         dest: /etc/systemd/system/etcd.service
44 |       become: true
45 | 
46 |     - name: "Start etcd service"
47 |       systemd:
48 |         state: started
49 |         daemon_reload: yes
50 |         enabled: yes
51 |         name: etcd
52 |       become: true


--------------------------------------------------------------------------------
/manual-way/ansible/configureSecurity.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - hosts: master
 3 | 
 4 |   tasks:
 5 |     - name: "Configure RBAC for Kubelet authorization - part 1"
 6 |       shell:
 7 |        cmd: |
 8 |         cat <<EOF | kubectl apply -f -
 9 |         apiVersion: rbac.authorization.k8s.io/v1beta1
10 |         kind: ClusterRole
11 |         metadata:
12 |           annotations:
13 |             rbac.authorization.kubernetes.io/autoupdate: "true"
14 |           labels:
15 |             kubernetes.io/bootstrapping: rbac-defaults
16 |           name: system:kube-apiserver-to-kubelet
17 |         rules:
18 |           - apiGroups:
19 |               - ""
20 |             resources:
21 |               - nodes/proxy
22 |               - nodes/stats
23 |               - nodes/log
24 |               - nodes/spec
25 |               - nodes/metrics
26 |             verbs:
27 |               - "*"
28 |         EOF
29 |       run_once: true
30 | 
31 |     - name: "Configure RBAC for Kubelet authorization - part 2"
32 |       shell:
33 |        cmd: |
34 |         cat <<EOF | kubectl apply -f -
35 |         apiVersion: rbac.authorization.k8s.io/v1beta1
36 |         kind: ClusterRoleBinding
37 |         metadata:
38 |           name: system:kube-apiserver
39 |           namespace: ""
40 |         subjects:
41 |           - apiGroup: rbac.authorization.k8s.io
42 |             kind: User
43 |             name: kubernetes
44 |         roleRef:
45 |           apiGroup: rbac.authorization.k8s.io
46 |           kind: ClusterRole
47 |           name: system:kube-apiserver-to-kubelet
48 |         EOF
49 |       run_once: true
50 | 


--------------------------------------------------------------------------------
/manual-way/ansible/templates/kube-apiserver.service.j2:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Kubernetes API Server
 3 | Documentation=https://github.com/kubernetes/kubernetes
 4 | 
 5 | [Service]
 6 | ExecStart=/usr/local/bin/kube-apiserver \
 7 |   --admission-control=Initializers,NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \
 8 |   --advertise-address={{ ansible_host }} \
 9 |   --allow-privileged=true \
10 |   --apiserver-count=2\
11 |   --audit-log-maxage=30 \
12 |   --audit-log-maxbackup=3 \
13 |   --audit-log-maxsize=100 \
14 |   --audit-log-path=/var/log/audit.log \
15 |   --authorization-mode=Node,RBAC{# TODO SHOULD BE: Node,RBAC #} \
16 |   --bind-address=0.0.0.0 \
17 |   --client-ca-file=/var/lib/kubernetes/ca.pem \
18 |   --enable-swagger-ui=true \
19 |   --etcd-cafile=/var/lib/kubernetes/ca.pem \
20 |   --etcd-certfile=/var/lib/kubernetes/kubernetes.pem \
21 |   --etcd-keyfile=/var/lib/kubernetes/kubernetes-key.pem \
22 |   --etcd-servers={% for host in groups['etcd'] %}https://{{ hostvars[host].ansible_host }}:2379,{% endfor %} \
23 |   --event-ttl=1h \
24 |   --experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \
25 |   --insecure-bind-address=127.0.0.1 \
26 |   --kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \
27 |   --kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \
28 |   --kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \
29 |   --kubelet-https=true \
30 |   --kubelet-preferred-address-types=InternalIP,ExternalIP \
31 |   --runtime-config=api/all \
32 |   --service-account-key-file=/var/lib/kubernetes/ca-key.pem \
33 |   --service-cluster-ip-range=10.32.0.0/24 \
34 |   --service-node-port-range=30000-32767 \
35 |   --tls-ca-file=/var/lib/kubernetes/ca.pem \
36 |   --tls-cert-file=/var/lib/kubernetes/kubernetes.pem \
37 |   --tls-private-key-file=/var/lib/kubernetes/kubernetes-key.pem \
38 |   --v=2
39 | Restart=on-failure
40 | RestartSec=5
41 | 
42 | [Install]
43 | WantedBy=multi-user.target


--------------------------------------------------------------------------------
/manual-way/ansible/configureMasters.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - hosts: master
 3 | 
 4 |   vars:
 5 |     certGenDir: "{{ lookup('env','CERTS_GEN_DIR') }}"
 6 |     kubeconfigDir: "{{ lookup('env','KUBECONFIG_DIR') }}"
 7 | 
 8 |   tasks:
 9 |     - stat: path=/usr/local/bin/kubectl
10 |       register: kubectl_exists
11 | 
12 |     - name: "Install Kubernetes Controller Binaries"
13 |       get_url:
14 |         url: https://storage.googleapis.com/kubernetes-release/release/v1.9.0/bin/linux/amd64/{{ item }}
15 |         dest: /usr/local/bin/
16 |         mode: "+x"
17 |       become: true
18 |       with_items:
19 |         - "kubectl"
20 |         - "kube-apiserver"
21 |         - "kube-controller-manager"
22 |         - "kube-scheduler"
23 |       when: kubectl_exists.stat.exists == false
24 | 
25 |     - name: Create directories
26 |       file: path={{ item }} state=directory
27 |       with_items:
28 |         - "/var/lib/kubernetes/"
29 |       become: true
30 | 
31 |     - name: "Copy certificates and config to kubernetes dir"
32 |       copy: src={{ item }} dest="/var/lib/kubernetes/"
33 |       with_items:
34 |         - "{{ certGenDir }}/ca.pem"
35 |         - "{{ certGenDir }}/ca-key.pem"
36 |         - "{{ certGenDir }}/kubernetes-key.pem"
37 |         - "{{ certGenDir }}/kubernetes.pem"
38 |         - "{{ kubeconfigDir }}/encryption-config.yaml"
39 |       become: true
40 | 
41 |     - name: "Generate systemd service files"
42 |       template:
43 |         src: templates/{{ item }}.service.j2
44 |         dest: /etc/systemd/system/{{ item }}.service
45 |       with_items:
46 |         - "kube-apiserver"
47 |         - "kube-scheduler"
48 |         - "kube-controller-manager"
49 |       become: true
50 | 
51 |     - name: "Start systemd services"
52 |       systemd:
53 |         state: restarted
54 |         daemon_reload: yes
55 |         enabled: yes
56 |         name: "{{ item }}"
57 |       with_items:
58 |         - "kube-apiserver"
59 |         - "kube-scheduler"
60 |         - "kube-controller-manager"
61 |       become: true
62 | 
63 |     - name: Wait for services to start
64 |       wait_for: timeout=30
65 |       delegate_to: localhost
66 | 


--------------------------------------------------------------------------------
/kubeadm-way/ansible/bootstrapCluster.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - hosts: all
 3 | 
 4 |   pre_tasks:
 5 |     - name: Reset cluster
 6 |       shell: kubeadm reset
 7 |       become: true
 8 | 
 9 |   tasks:
10 |     - name: Generate token
11 |       shell: kubeadm token generate
12 |       register: token
13 |       run_once: true
14 | 
15 | - hosts: master
16 |   tasks:
17 |     - name: Initialise master node
18 |       shell: kubeadm init --apiserver-advertise-address={{ MASTER_API_IP }} --pod-network-cidr={{ POD_NETWORK_CIDR }} --service-cidr {{ SERVICE_CIDR }} --token {{ token.stdout }} --token-ttl 0
19 |       become: true
20 | 
21 |     - name: "Make directory"
22 |       file:
23 |         path: "{{ansible_env.HOME}}/.kube"
24 |         state: directory
25 | 
26 |     - name: "Copy config"
27 |       copy:
28 |         src: "/etc/kubernetes/admin.conf"
29 |         dest: "{{ansible_env.HOME}}/.kube/config"
30 |         owner: "{{ansible_user}}"
31 |         group: "{{ansible_user}}"
32 |         remote_src: yes
33 |       become: true
34 | 
35 | - hosts: worker
36 |   tasks:
37 |     - name: Join worker node
38 |       shell: kubeadm join --token {{ token.stdout }} {{ MASTER_API_IP }}:6443 --discovery-token-unsafe-skip-ca-verification
39 |       become: true
40 | 
41 | - hosts: all
42 |   tasks:
43 |     #  Configurations needed by Network Overlay - https://kubernetes.io/docs/concepts/cluster-administration/network-plugins/#network-plugin-requirements
44 |     - name: 'Set bridge-nf-call-iptables'
45 |       shell: sysctl net.bridge.bridge-nf-call-iptables=1
46 |       become: true
47 | 
48 | - hosts: master
49 |   tasks:
50 | #    - name: Install networking plugin - flannel
51 | #      shell: kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/v0.9.1/Documentation/kube-flannel.yml
52 | #      run_once: true
53 | 
54 | #    - name: Install networking plugin - Calico
55 | #      shell: kubectl apply -f https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml
56 | #      run_once: true
57 | 
58 |     - name: Install networking plugin - Weave
59 |       shell: kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
60 |       run_once: true
61 | 


--------------------------------------------------------------------------------
/vagrant/README.md:
--------------------------------------------------------------------------------
 1 | # Bootstrapping Virtual Machines with Vagrant
 2 | Vagrant will handle Virtual Machines for the cluster. The script uses _Ubuntu Xenial 64-bit_ image.
 3 | 
 4 | ## Prerequisites
 5 | - [ ] [Vagrant](https://www.vagrantup.com/docs/installation/) installed on host machine
 6 | - [ ] Generated SSH keys on host machine `ssh-keygen`
 7 | 
 8 | ## Configuration
 9 | In [Vagrantfile](Vagrantfile) set variables:
10 | - _CLUSTER_SIZE_ - number of VMs to create (default _4_)
11 | - _SSH_PRIVATE_KEY_ - path to host SSH private key (default _~/.ssh/id_rsa_)
12 | - _SSH_PUBLIC_KEY_ - path to host SSH public key (default _~/.ssh/id_rsa.pub_)
13 | 
14 | ## Bootstrap Virtual Machines
15 | Each VM  will be configured in following way:
16 | - [hostname](https://www.vagrantup.com/docs/vagrantfile/machine_settings.html#available-settings) set to _node{i}_, e.g. node1
17 | - [private network IP address](https://www.vagrantup.com/docs/networking/private_network.html#static-ip) set to 10.240.0.2{i}, e.g. 10.240.0.21
18 | 
19 | where {i} is subsequent number of VM from 1 to _CLUSTER_SIZE_
20 | 
21 | To start VMs execute command:
22 | ```bash
23 | vagrant up
24 | ```
25 | 
26 | To start specific VMs provide their names to the command:
27 | ```bash
28 | vagrant up node1 node2
29 | ```
30 | 
31 | ## Check status of Virtual Machines
32 | To get a status of VMs run:
33 | ```bash
34 | vagrant status
35 | ```
36 | 
37 | This command will return similar output:
38 | ```
39 | Current machine states:
40 | 
41 | node1                     running (virtualbox)
42 | node2                     running (virtualbox)
43 | node3                     running (virtualbox)
44 | node4                     running (virtualbox)
45 | 
46 | This environment represents multiple VMs. The VMs are all listed above with their current state. 
47 | For more information about a specific VM, run `vagrant status NAME`.
48 | ```
49 | 
50 | ## SSH to a Virtual Machine
51 | To connect to a running VM via SSH run:
52 | ```bash
53 | vagrant ssh node1
54 | ```
55 | 
56 | ## Clean Up Virtual Machines
57 | To tear down Virtual Machines run:
58 | ```bash
59 | vagrant destroy
60 | ```
61 | 
62 | To destroy specific VMs provide their names to the command:
63 | ```bash
64 | vagrant destroy node1 node2
65 | ```
66 | 
67 | ## More Vagrant Commands
68 | For more Vagrant commands visit Vagrant Docs [Command-Line Interface](https://www.vagrantup.com/docs/cli/)
69 | 


--------------------------------------------------------------------------------
/heapster/grafana.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: extensions/v1beta1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: monitoring-grafana
 5 |   namespace: kube-system
 6 | spec:
 7 |   replicas: 1
 8 |   template:
 9 |     metadata:
10 |       labels:
11 |         task: monitoring
12 |         k8s-app: grafana
13 |     spec:
14 |       containers:
15 |       - name: grafana
16 |         image: k8s.gcr.io/heapster-grafana-amd64:v4.4.3
17 |         ports:
18 |         - containerPort: 3000
19 |           protocol: TCP
20 |         volumeMounts:
21 |         - mountPath: /etc/ssl/certs
22 |           name: ca-certificates
23 |           readOnly: true
24 |         - mountPath: /var
25 |           name: grafana-storage
26 |         env:
27 |         - name: INFLUXDB_HOST
28 |           value: monitoring-influxdb
29 |         - name: GF_SERVER_HTTP_PORT
30 |           value: "3000"
31 |           # The following env variables are required to make Grafana accessible via
32 |           # the kubernetes api-server proxy. On production clusters, we recommend
33 |           # removing these env variables, setup auth for grafana, and expose the grafana
34 |           # service using a LoadBalancer or a public IP.
35 |         - name: GF_AUTH_BASIC_ENABLED
36 |           value: "false"
37 |         - name: GF_AUTH_ANONYMOUS_ENABLED
38 |           value: "true"
39 |         - name: GF_AUTH_ANONYMOUS_ORG_ROLE
40 |           value: Admin
41 |         - name: GF_SERVER_ROOT_URL
42 |           # If you're only using the API Server proxy, set this value instead:
43 |           # value: /api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
44 |           value: /
45 |       volumes:
46 |       - name: ca-certificates
47 |         hostPath:
48 |           path: /etc/ssl/certs
49 |       - name: grafana-storage
50 |         emptyDir: {}
51 | ---
52 | apiVersion: v1
53 | kind: Service
54 | metadata:
55 |   labels:
56 |     # For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons)
57 |     # If you are NOT using this as an addon, you should comment out this line.
58 |     kubernetes.io/cluster-service: 'true'
59 |     kubernetes.io/name: monitoring-grafana
60 |   name: monitoring-grafana
61 |   namespace: kube-system
62 | spec:
63 |   # In a production setup, we recommend accessing Grafana through an external Loadbalancer
64 |   # or through a public IP.
65 |   # type: LoadBalancer
66 |   # You could also use NodePort to expose the service at a randomly-generated port
67 |   # type: NodePort
68 |   ports:
69 |   - port: 80
70 |     targetPort: 3000
71 |   selector:
72 |     k8s-app: grafana
73 | 


--------------------------------------------------------------------------------
/heapster/config/grafana.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: extensions/v1beta1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: monitoring-grafana
 5 |   namespace: kube-system
 6 | spec:
 7 |   replicas: 1
 8 |   template:
 9 |     metadata:
10 |       labels:
11 |         task: monitoring
12 |         k8s-app: grafana
13 |     spec:
14 |       containers:
15 |       - name: grafana
16 |         image: k8s.gcr.io/heapster-grafana-amd64:v4.4.3
17 |         ports:
18 |         - containerPort: 3000
19 |           protocol: TCP
20 |         volumeMounts:
21 |         - mountPath: /etc/ssl/certs
22 |           name: ca-certificates
23 |           readOnly: true
24 |         - mountPath: /var
25 |           name: grafana-storage
26 |         env:
27 |         - name: INFLUXDB_HOST
28 |           value: monitoring-influxdb
29 |         - name: GF_SERVER_HTTP_PORT
30 |           value: "3000"
31 |           # The following env variables are required to make Grafana accessible via
32 |           # the kubernetes api-server proxy. On production clusters, we recommend
33 |           # removing these env variables, setup auth for grafana, and expose the grafana
34 |           # service using a LoadBalancer or a public IP.
35 |         - name: GF_AUTH_BASIC_ENABLED
36 |           value: "false"
37 |         - name: GF_AUTH_ANONYMOUS_ENABLED
38 |           value: "true"
39 |         - name: GF_AUTH_ANONYMOUS_ORG_ROLE
40 |           value: Admin
41 |         - name: GF_SERVER_ROOT_URL
42 |           # If you're only using the API Server proxy, set this value instead:
43 |           # value: /api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
44 |           value: /
45 |       volumes:
46 |       - name: ca-certificates
47 |         hostPath:
48 |           path: /etc/ssl/certs
49 |       - name: grafana-storage
50 |         emptyDir: {}
51 | ---
52 | apiVersion: v1
53 | kind: Service
54 | metadata:
55 |   labels:
56 |     # For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons)
57 |     # If you are NOT using this as an addon, you should comment out this line.
58 |     kubernetes.io/cluster-service: 'true'
59 |     kubernetes.io/name: monitoring-grafana
60 |   name: monitoring-grafana
61 |   namespace: kube-system
62 | spec:
63 |   # In a production setup, we recommend accessing Grafana through an external Loadbalancer
64 |   # or through a public IP.
65 |   # type: LoadBalancer
66 |   # You could also use NodePort to expose the service at a randomly-generated port
67 |   type: NodePort
68 |   ports:
69 |   - port: 80
70 |     targetPort: 3000
71 |   selector:
72 |     k8s-app: grafana
73 | 


--------------------------------------------------------------------------------
/manual-way/k8s_run_old:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | ANSIBLE_INVENTORY="ansible/inventory/hosts"
 3 | PRIVATE_KEY="~/.ssh/id_rsa"
 4 | 
 5 | echo "Configure Ansible"
 6 | export ANSIBLE_HOST_KEY_CHECKING=False
 7 | 
 8 | # 1. DOCKER
 9 | echo "Install Docker"
10 | ansible-playbook -i $ANSIBLE_INVENTORY --private-key $PRIVATE_KEY ansible/installDocker.yaml
11 | 
12 | 
13 | #wget https://dl.k8s.io/v1.8.5/kubernetes.tar.gz
14 | #tar -zxvf kubernetes.tar.gz
15 | 
16 | #./kubernetes/cluster/get-kube-binaries.sh
17 | 
18 | 
19 | 
20 | # TODO: RUN KUBERNETES WITH KUBEADM AND COPY CONFIGURATION FOR SYSTEMD
21 | #Tip: One possible starting point is to setup a cluster using an existing Getting Started Guide. After getting a cluster running,
22 | # you can then copy the init.d scripts or systemd unit files from that cluster, and then modify them for use on your custom cluster.
23 | 
24 | #etcd
25 | export ETCD_VERSION=3.0.17
26 | export ETCD_IMAGE=gcr.io/google-containers/etcd:$ETCD_VERSION
27 | 
28 | docker run --detach \
29 |     --name=etcd \
30 |     --net=host \
31 |     -p 8080:8080 \
32 |     $ETCD_IMAGE \
33 |     etcd \
34 |         --data-dir=/var/etcd/data
35 | 
36 | export HYPERKUBE_VERSION=1.8.5
37 | export HYPERKUBE_IMAGE=gcr.io/google-containers/hyperkube:$HYPERKUBE_VERSION
38 | 
39 | #docker run -d \
40 | #    --net=host \
41 | #    gcr.io/google_containers/etcd:2.0.9 \
42 | #    /usr/local/bin/etcd \
43 | #        --addr=127.0.0.1:4001 \
44 | #        --bind-addr=0.0.0.0:4001 \
45 | #        --data-dir=/var/etcd/data
46 | 
47 | #kubelet - all
48 | #????
49 | #curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
50 | #sudo apt-get-repository "deb http://apt.kubernetes.io/ kubernetes-xenial main"
51 | #sudo apt update
52 | #sudo apt install -y kubelet
53 | 
54 | docker run --detach \
55 |     --net=container:etcd \
56 |     --name=kubelet \
57 |     gcr.io/google_containers/hyperkube:v1.8.5 \
58 |     /kubelet \
59 |         --kube-config=~/kubelet.conf
60 | 
61 | 
62 | 
63 | #kube-proxy - all
64 | ????
65 | 
66 | #kube-apiserver - master
67 | docker run --detach \
68 |     --net=container:etcd \
69 |     --name=apiserver \
70 |     $HYPERKUBE_IMAGE \
71 |     /apiserver \
72 |         --etcd-servers=http://10.240.0.21:2379 \
73 |         --service-cluster-ip-range=10.0.0.1/24 \
74 |         --insecure-bind-address=0.0.0.0 \
75 |         --insecure-port=8080 \
76 |         --admission-control=AlwaysAdmit
77 | 
78 | #kube-controller-manager - master
79 | docker run --detach \
80 |     --net=container:etcd \
81 |     --name=controller-manager \
82 |     $HYPERKUBE_IMAGE \
83 |     /controller-manager \
84 |         --master=10.240.0.21:8080
85 | 
86 | #kube-scheduler - master
87 | 
88 | 
89 | 
90 | 
91 | 
92 | 


--------------------------------------------------------------------------------
/manual-way/ansible/configureNodes.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - hosts: node
 3 | 
 4 |   vars:
 5 |     certGenDir: "{{ lookup('env','CERTS_GEN_DIR') }}"
 6 |     kubeconfigDir: "{{ lookup('env','KUBECONFIG_DIR') }}"
 7 | 
 8 |   tasks:
 9 |     - stat: path=/usr/local/bin/kubelet
10 |       register: kubelet_exists
11 | 
12 |     - name: "Install Kubernetes Controller Binaries"
13 |       get_url:
14 |         url: https://storage.googleapis.com/kubernetes-release/release/v1.9.0/bin/linux/amd64/{{ item }}
15 |         dest: /usr/local/bin/
16 |         mode: "+x"
17 |       become: true
18 |       with_items:
19 |         - "kubectl"
20 |         - "kube-proxy"
21 |         - "kubelet"
22 |       when: kubelet_exists.stat.exists == false
23 | 
24 |     - name: Create directories
25 |       file: path={{ item }} state=directory
26 |       with_items:
27 |         - "/var/lib/kube-proxy"
28 |       become: true
29 | 
30 | # TODO: REMOVE IF NOT NEEDED IN FLANNEL
31 | ##    - name: "Generate 10-bridge.conf file"
32 | ##      template:
33 | ##        src: templates/10-bridge.conf.j2
34 | ##        dest: /etc/cni/net.d/10-bridge.conf
35 | ##      become: true
36 | ##
37 | #    - name: "Generate 99-loopback.conf file"
38 | #      template:
39 | #        src: templates/99-loopback.conf.j2
40 | #        dest: /etc/cni/net.d/99-loopback.conf
41 | #      become: true
42 | 
43 |     - name: "Copy certificates to nodes"
44 |       copy: src={{ item }} dest="/var/lib/kubelet/"
45 |       with_items:
46 |         - "{{ certGenDir }}/{{ inventory_hostname }}.pem"
47 |         - "{{ certGenDir }}/{{ inventory_hostname }}-key.pem"
48 |       become: true
49 | 
50 |     - name: "Copy kubeconfig to nodes"
51 |       copy: src="{{ kubeconfigDir }}/{{ inventory_hostname }}.kubeconfig" dest="/var/lib/kubelet/kubeconfig"
52 |       become: true
53 | 
54 |     - name: "Copy ca to nodes"
55 |       copy: src="{{ certGenDir }}/ca.pem" dest="/var/lib/kubernetes/"
56 |       become: true
57 | 
58 |     - name: "Copy kube-proxy.kubeconfig to nodes"
59 |       copy: src="{{ kubeconfigDir }}/kube-proxy.kubeconfig" dest="/var/lib/kube-proxy/kubeconfig"
60 |       become: true
61 | 
62 |     - name: "Generate kubelet.service file"
63 |       template:
64 |         src: templates/kubelet.service.j2
65 |         dest: /etc/systemd/system/kubelet.service
66 |       become: true
67 | 
68 |     - name: "Generate kube-proxy.service file"
69 |       template:
70 |         src: templates/kube-proxy.service.j2
71 |         dest: /etc/systemd/system/kube-proxy.service
72 |       become: true
73 | 
74 |     - name: "Start systemd services"
75 |       systemd:
76 |         state: restarted
77 |         daemon_reload: yes
78 |         enabled: yes
79 |         name: "{{ item }}"
80 |       with_items:
81 |         - "kubelet"
82 |         - "kube-proxy"
83 |       become: true


--------------------------------------------------------------------------------
/manual-way/setUpCluster.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # TODO: Modify approach to run Kubernetes tools as containers https://kubernetes.io/docs/getting-started-guides/scratch/#configuring-and-installing-base-software-on-nodes
 3 | # TODO: Modify to Python script
 4 | # TODO: Download binaries once and distribute across nodes. Don't download them multiple times
 5 | 
 6 | export KUBERNETES_PUBLIC_ADDRESS="10.240.0.21"
 7 | export KUBERNETES_CLUSTER="ManualCluster"
 8 | export NODES_NUMBER=4
 9 | 
10 | export ANSIBLE_HOST_KEY_CHECKING=False
11 | export ANSIBLE_INVENTORY="$(realpath ansible/inventory/hosts)"
12 | export PRIVATE_KEY="~/.ssh/id_rsa"
13 | 
14 | 
15 | rm -rf tmp/
16 | mkdir -p tmp/certs/
17 | export CONFIG_DIR="$(realpath config/)"
18 | 
19 | export CERTS_GEN_DIR="$(realpath tmp/certs/)"
20 | export SCRIPTS_DIR="$(realpath scripts/)"
21 | export KUBECONFIG_DIR="$(realpath tmp/config/)"
22 | 
23 | # INSTALL CFSSL TOOLS
24 | #$SCRIPTS_DIR/install_cfssl.sh
25 | 
26 | # GENERATE CERTIFICATES
27 | # https://kubernetes.io/docs/concepts/cluster-administration/certificates/#cfssl
28 | $SCRIPTS_DIR/generate_certificates.sh $NODES_NUMBER
29 | 
30 | # GENERATE CONFIG FILES
31 | $SCRIPTS_DIR/generate_kubeconfig.sh $NODES_NUMBER
32 | 
33 | # CONFIGURE ENCRYPTION
34 | ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)
35 | 
36 | cat > $KUBECONFIG_DIR/encryption-config.yaml <<EOF
37 | kind: EncryptionConfig
38 | apiVersion: v1
39 | resources:
40 |   - resources:
41 |       - secrets
42 |     providers:
43 |       - aescbc:
44 |           keys:
45 |             - name: key1
46 |               secret: ${ENCRYPTION_KEY}
47 |       - identity: {}
48 | EOF
49 | 
50 | # INSTALL KUBECTL
51 | #$SCRIPTS_DIR/install_kubectl.sh
52 | 
53 | # BOOTSTRAP ETCD
54 | echo "# BOOTSTRAP ETCD"
55 | ansible-playbook -i $ANSIBLE_INVENTORY --private-key $PRIVATE_KEY ansible/configureEtcd.yaml
56 | 
57 | sleep 30
58 | 
59 | sleep 30
60 | 
61 | # CONFIGURE MASTERS
62 | # TODO: Follow instruction to replicate masters: https://kubernetes.io/docs/admin/high-availability/building/
63 | echo "# CONFIGURE MASTERS"
64 | ansible-playbook -i $ANSIBLE_INVENTORY --private-key $PRIVATE_KEY ansible/configureMasters.yaml
65 | 
66 | # CONFIGURE SECURITY
67 | echo "# CONFIGURE MASTERS"
68 | ansible-playbook -i $ANSIBLE_INVENTORY --private-key $PRIVATE_KEY ansible/configureSecurity.yaml
69 | 
70 | # CONFIGURE NODES
71 | # TODO: Run Master as a Node with appropriate "master" label node-role.kubernetes.io/master="": https://kubernetes.io/docs/getting-started-guides/scratch/
72 | echo "# CONFIGURE NODES"
73 | ansible-playbook -i $ANSIBLE_INVENTORY --private-key $PRIVATE_KEY ansible/configureContainerd.yaml
74 | ansible-playbook -i $ANSIBLE_INVENTORY --private-key $PRIVATE_KEY ansible/configureNodes.yaml
75 | 
76 | # CONFIGURE ADMIN CLIENT
77 | echo "# CONFIGURE ADMIN CLIENT"
78 | $SCRIPTS_DIR/configure_admin_client.sh
79 | 
80 | # CONFIGURE NETWORK
81 | # TODO: CHECK THIS AND REMOVE - USE NETWORK OVERLAY
82 | echo "# CONFIGURE NETWORKING"
83 | ansible-playbook -i $ANSIBLE_INVENTORY --private-key $PRIVATE_KEY ansible/configureNetwork.yaml
84 | kubectl apply -f $CONFIG_DIR/kube-flannel-for-vagrant.yaml
85 | 
86 | sleep 30
87 | 
88 | # CONFIGURE KUBE-DNS
89 | kubectl create -f https://storage.googleapis.com/kubernetes-the-hard-way/kube-dns.yaml


--------------------------------------------------------------------------------
/manual-way/kube-flannel-vagrant.yml:
--------------------------------------------------------------------------------
  1 | ---
  2 | kind: ClusterRole
  3 | apiVersion: rbac.authorization.k8s.io/v1beta1
  4 | metadata:
  5 |   name: flannel
  6 | rules:
  7 |   - apiGroups:
  8 |       - ""
  9 |     resources:
 10 |       - pods
 11 |     verbs:
 12 |       - get
 13 |   - apiGroups:
 14 |       - ""
 15 |     resources:
 16 |       - nodes
 17 |     verbs:
 18 |       - list
 19 |       - watch
 20 |   - apiGroups:
 21 |       - ""
 22 |     resources:
 23 |       - nodes/status
 24 |     verbs:
 25 |       - patch
 26 | ---
 27 | kind: ClusterRoleBinding
 28 | apiVersion: rbac.authorization.k8s.io/v1beta1
 29 | metadata:
 30 |   name: flannel
 31 | roleRef:
 32 |   apiGroup: rbac.authorization.k8s.io
 33 |   kind: ClusterRole
 34 |   name: flannel
 35 | subjects:
 36 | - kind: ServiceAccount
 37 |   name: flannel
 38 |   namespace: kube-system
 39 | ---
 40 | apiVersion: v1
 41 | kind: ServiceAccount
 42 | metadata:
 43 |   name: flannel
 44 |   namespace: kube-system
 45 | ---
 46 | kind: ConfigMap
 47 | apiVersion: v1
 48 | metadata:
 49 |   name: kube-flannel-cfg
 50 |   namespace: kube-system
 51 |   labels:
 52 |     tier: node
 53 |     app: flannel
 54 | data:
 55 |   cni-conf.json: |
 56 |     {
 57 |       "name": "cbr0",
 58 |       "plugins": [
 59 |         {
 60 |           "type": "flannel",
 61 |           "delegate": {
 62 |             "hairpinMode": true,
 63 |             "isDefaultGateway": true
 64 |           }
 65 |         },
 66 |         {
 67 |           "type": "portmap",
 68 |           "capabilities": {
 69 |             "portMappings": true
 70 |           }
 71 |         }
 72 |       ]
 73 |     }
 74 |   net-conf.json: |
 75 |     {
 76 |       "Network": "10.244.0.0/16",
 77 |       "Backend": {
 78 |         "Type": "vxlan"
 79 |       }
 80 |     }
 81 | ---
 82 | apiVersion: extensions/v1beta1
 83 | kind: DaemonSet
 84 | metadata:
 85 |   name: kube-flannel-ds
 86 |   namespace: kube-system
 87 |   labels:
 88 |     tier: node
 89 |     app: flannel
 90 | spec:
 91 |   template:
 92 |     metadata:
 93 |       labels:
 94 |         tier: node
 95 |         app: flannel
 96 |     spec:
 97 |       hostNetwork: true
 98 |       nodeSelector:
 99 |         beta.kubernetes.io/arch: amd64
100 |       tolerations:
101 |       - key: node-role.kubernetes.io/master
102 |         operator: Exists
103 |         effect: NoSchedule
104 |       serviceAccountName: flannel
105 |       initContainers:
106 |       - name: install-cni
107 |         image: quay.io/coreos/flannel:v0.10.0-amd64
108 |         command:
109 |         - cp
110 |         args:
111 |         - -f
112 |         - /etc/kube-flannel/cni-conf.json
113 |         - /etc/cni/net.d/10-flannel.conflist
114 |         volumeMounts:
115 |         - name: cni
116 |           mountPath: /etc/cni/net.d
117 |         - name: flannel-cfg
118 |           mountPath: /etc/kube-flannel/
119 |       containers:
120 |       - name: kube-flannel
121 |         image: quay.io/coreos/flannel:v0.10.0-amd64
122 |         command:
123 |         - /opt/bin/flanneld
124 |         args:
125 |         - --ip-masq
126 |         - --kube-subnet-mgr
127 |         - --iface=enp0s8
128 |         resources:
129 |           requests:
130 |             cpu: "100m"
131 |             memory: "50Mi"
132 |           limits:
133 |             cpu: "100m"
134 |             memory: "50Mi"
135 |         securityContext:
136 |           privileged: true
137 |         env:
138 |         - name: POD_NAME
139 |           valueFrom:
140 |             fieldRef:
141 |               fieldPath: metadata.name
142 |         - name: POD_NAMESPACE
143 |           valueFrom:
144 |             fieldRef:
145 |               fieldPath: metadata.namespace
146 |         volumeMounts:
147 |         - name: run
148 |           mountPath: /run
149 |         - name: flannel-cfg
150 |           mountPath: /etc/kube-flannel/
151 |       volumes:
152 |         - name: run
153 |           hostPath:
154 |             path: /run
155 |         - name: cni
156 |           hostPath:
157 |             path: /etc/cni/net.d
158 |         - name: flannel-cfg
159 |           configMap:
160 |             name: kube-flannel-cfg
161 | 


--------------------------------------------------------------------------------
/manual-way/config/kube-flannel-for-vagrant.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | kind: ClusterRole
  3 | apiVersion: rbac.authorization.k8s.io/v1beta1
  4 | metadata:
  5 |   name: flannel
  6 | rules:
  7 |   - apiGroups:
  8 |       - ""
  9 |     resources:
 10 |       - pods
 11 |     verbs:
 12 |       - get
 13 |   - apiGroups:
 14 |       - ""
 15 |     resources:
 16 |       - nodes
 17 |     verbs:
 18 |       - list
 19 |       - watch
 20 |   - apiGroups:
 21 |       - ""
 22 |     resources:
 23 |       - nodes/status
 24 |     verbs:
 25 |       - patch
 26 | ---
 27 | kind: ClusterRoleBinding
 28 | apiVersion: rbac.authorization.k8s.io/v1beta1
 29 | metadata:
 30 |   name: flannel
 31 | roleRef:
 32 |   apiGroup: rbac.authorization.k8s.io
 33 |   kind: ClusterRole
 34 |   name: flannel
 35 | subjects:
 36 | - kind: ServiceAccount
 37 |   name: flannel
 38 |   namespace: kube-system
 39 | ---
 40 | apiVersion: v1
 41 | kind: ServiceAccount
 42 | metadata:
 43 |   name: flannel
 44 |   namespace: kube-system
 45 | ---
 46 | kind: ConfigMap
 47 | apiVersion: v1
 48 | metadata:
 49 |   name: kube-flannel-cfg
 50 |   namespace: kube-system
 51 |   labels:
 52 |     tier: node
 53 |     app: flannel
 54 | data:
 55 |   cni-conf.json: |
 56 |     {
 57 |       "name": "cbr0",
 58 |       "plugins": [
 59 |         {
 60 |           "type": "flannel",
 61 |           "delegate": {
 62 |             "hairpinMode": true,
 63 |             "isDefaultGateway": true
 64 |           }
 65 |         },
 66 |         {
 67 |           "type": "portmap",
 68 |           "capabilities": {
 69 |             "portMappings": true
 70 |           }
 71 |         }
 72 |       ]
 73 |     }
 74 |   net-conf.json: |
 75 |     {
 76 |       "Network": "10.244.0.0/16",
 77 |       "Backend": {
 78 |         "Type": "vxlan"
 79 |       }
 80 |     }
 81 | ---
 82 | apiVersion: extensions/v1beta1
 83 | kind: DaemonSet
 84 | metadata:
 85 |   name: kube-flannel-ds
 86 |   namespace: kube-system
 87 |   labels:
 88 |     tier: node
 89 |     app: flannel
 90 | spec:
 91 |   template:
 92 |     metadata:
 93 |       labels:
 94 |         tier: node
 95 |         app: flannel
 96 |     spec:
 97 |       hostNetwork: true
 98 |       nodeSelector:
 99 |         beta.kubernetes.io/arch: amd64
100 |       tolerations:
101 |       - key: node-role.kubernetes.io/master
102 |         operator: Exists
103 |         effect: NoSchedule
104 |       serviceAccountName: flannel
105 |       initContainers:
106 |       - name: install-cni
107 |         image: quay.io/coreos/flannel:v0.10.0-amd64
108 |         command:
109 |         - cp
110 |         args:
111 |         - -f
112 |         - /etc/kube-flannel/cni-conf.json
113 |         - /etc/cni/net.d/10-flannel.conflist
114 |         volumeMounts:
115 |         - name: cni
116 |           mountPath: /etc/cni/net.d
117 |         - name: flannel-cfg
118 |           mountPath: /etc/kube-flannel/
119 |       containers:
120 |       - name: kube-flannel
121 |         image: quay.io/coreos/flannel:v0.10.0-amd64
122 |         command:
123 |         - /opt/bin/flanneld
124 |         args:
125 |         - --ip-masq
126 |         - --kube-subnet-mgr
127 |         - --iface=enp0s8
128 |         resources:
129 |           requests:
130 |             cpu: "100m"
131 |             memory: "50Mi"
132 |           limits:
133 |             cpu: "100m"
134 |             memory: "50Mi"
135 |         securityContext:
136 |           privileged: true
137 |         env:
138 |         - name: POD_NAME
139 |           valueFrom:
140 |             fieldRef:
141 |               fieldPath: metadata.name
142 |         - name: POD_NAMESPACE
143 |           valueFrom:
144 |             fieldRef:
145 |               fieldPath: metadata.namespace
146 |         volumeMounts:
147 |         - name: run
148 |           mountPath: /run
149 |         - name: flannel-cfg
150 |           mountPath: /etc/kube-flannel/
151 |       volumes:
152 |         - name: run
153 |           hostPath:
154 |             path: /run
155 |         - name: cni
156 |           hostPath:
157 |             path: /etc/cni/net.d
158 |         - name: flannel-cfg
159 |           configMap:
160 |             name: kube-flannel-cfg
161 | 


--------------------------------------------------------------------------------
/manual-way/kube-dns.yaml:
--------------------------------------------------------------------------------
  1 | # Copyright 2016 The Kubernetes Authors.
  2 | #
  3 | # Licensed under the Apache License, Version 2.0 (the "License");
  4 | # you may not use this file except in compliance with the License.
  5 | # You may obtain a copy of the License at
  6 | #
  7 | #     http://www.apache.org/licenses/LICENSE-2.0
  8 | #
  9 | # Unless required by applicable law or agreed to in writing, software
 10 | # distributed under the License is distributed on an "AS IS" BASIS,
 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | # See the License for the specific language governing permissions and
 13 | # limitations under the License.
 14 | 
 15 | apiVersion: v1
 16 | kind: Service
 17 | metadata:
 18 |   name: kube-dns
 19 |   namespace: kube-system
 20 |   labels:
 21 |     k8s-app: kube-dns
 22 |     kubernetes.io/cluster-service: "true"
 23 |     addonmanager.kubernetes.io/mode: Reconcile
 24 |     kubernetes.io/name: "KubeDNS"
 25 | spec:
 26 |   selector:
 27 |     k8s-app: kube-dns
 28 |   clusterIP: 10.32.0.10
 29 |   ports:
 30 |   - name: dns
 31 |     port: 53
 32 |     protocol: UDP
 33 |   - name: dns-tcp
 34 |     port: 53
 35 |     protocol: TCP
 36 | ---
 37 | apiVersion: v1
 38 | kind: ServiceAccount
 39 | metadata:
 40 |   name: kube-dns
 41 |   namespace: kube-system
 42 |   labels:
 43 |     kubernetes.io/cluster-service: "true"
 44 |     addonmanager.kubernetes.io/mode: Reconcile
 45 | ---
 46 | apiVersion: v1
 47 | kind: ConfigMap
 48 | metadata:
 49 |   name: kube-dns
 50 |   namespace: kube-system
 51 |   labels:
 52 |     addonmanager.kubernetes.io/mode: EnsureExists
 53 | ---
 54 | apiVersion: extensions/v1beta1
 55 | kind: Deployment
 56 | metadata:
 57 |   name: kube-dns
 58 |   namespace: kube-system
 59 |   labels:
 60 |     k8s-app: kube-dns
 61 |     kubernetes.io/cluster-service: "true"
 62 |     addonmanager.kubernetes.io/mode: Reconcile
 63 | spec:
 64 |   # replicas: not specified here:
 65 |   # 1. In order to make Addon Manager do not reconcile this replicas parameter.
 66 |   # 2. Default is 1.
 67 |   # 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
 68 |   strategy:
 69 |     rollingUpdate:
 70 |       maxSurge: 10%
 71 |       maxUnavailable: 0
 72 |   selector:
 73 |     matchLabels:
 74 |       k8s-app: kube-dns
 75 |   template:
 76 |     metadata:
 77 |       labels:
 78 |         k8s-app: kube-dns
 79 |       annotations:
 80 |         scheduler.alpha.kubernetes.io/critical-pod: ''
 81 |     spec:
 82 |       tolerations:
 83 |       - key: "CriticalAddonsOnly"
 84 |         operator: "Exists"
 85 |       volumes:
 86 |       - name: kube-dns-config
 87 |         configMap:
 88 |           name: kube-dns
 89 |           optional: true
 90 |       containers:
 91 |       - name: kubedns
 92 |         image: gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.7
 93 |         resources:
 94 |           # TODO: Set memory limits when we've profiled the container for large
 95 |           # clusters, then set request = limit to keep this container in
 96 |           # guaranteed class. Currently, this container falls into the
 97 |           # "burstable" category so the kubelet doesn't backoff from restarting it.
 98 |           limits:
 99 |             memory: 170Mi
100 |           requests:
101 |             cpu: 100m
102 |             memory: 70Mi
103 |         livenessProbe:
104 |           httpGet:
105 |             path: /healthcheck/kubedns
106 |             port: 10054
107 |             scheme: HTTP
108 |           initialDelaySeconds: 60
109 |           timeoutSeconds: 5
110 |           successThreshold: 1
111 |           failureThreshold: 5
112 |         readinessProbe:
113 |           httpGet:
114 |             path: /readiness
115 |             port: 8081
116 |             scheme: HTTP
117 |           # we poll on pod startup for the Kubernetes master service and
118 |           # only setup the /readiness HTTP server once that's available.
119 |           initialDelaySeconds: 3
120 |           timeoutSeconds: 5
121 |         args:
122 |         - --domain=cluster.local.
123 |         - --dns-port=10053
124 |         - --config-dir=/kube-dns-config
125 |         - --v=2
126 |         env:
127 |         - name: PROMETHEUS_PORT
128 |           value: "10055"
129 |         ports:
130 |         - containerPort: 10053
131 |           name: dns-local
132 |           protocol: UDP
133 |         - containerPort: 10053
134 |           name: dns-tcp-local
135 |           protocol: TCP
136 |         - containerPort: 10055
137 |           name: metrics
138 |           protocol: TCP
139 |         volumeMounts:
140 |         - name: kube-dns-config
141 |           mountPath: /kube-dns-config
142 |       - name: dnsmasq
143 |         image: gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.7
144 |         livenessProbe:
145 |           httpGet:
146 |             path: /healthcheck/dnsmasq
147 |             port: 10054
148 |             scheme: HTTP
149 |           initialDelaySeconds: 60
150 |           timeoutSeconds: 5
151 |           successThreshold: 1
152 |           failureThreshold: 5
153 |         args:
154 |         - -v=2
155 |         - -logtostderr
156 |         - -configDir=/etc/k8s/dns/dnsmasq-nanny
157 |         - -restartDnsmasq=true
158 |         - --
159 |         - -k
160 |         - --cache-size=1000
161 |         - --no-negcache
162 |         - --log-facility=-
163 |         - --server=/cluster.local/127.0.0.1#10053
164 |         - --server=/in-addr.arpa/127.0.0.1#10053
165 |         - --server=/ip6.arpa/127.0.0.1#10053
166 |         ports:
167 |         - containerPort: 53
168 |           name: dns
169 |           protocol: UDP
170 |         - containerPort: 53
171 |           name: dns-tcp
172 |           protocol: TCP
173 |         # see: https://github.com/kubernetes/kubernetes/issues/29055 for details
174 |         resources:
175 |           requests:
176 |             cpu: 150m
177 |             memory: 20Mi
178 |         volumeMounts:
179 |         - name: kube-dns-config
180 |           mountPath: /etc/k8s/dns/dnsmasq-nanny
181 |       - name: sidecar
182 |         image: gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.7
183 |         livenessProbe:
184 |           httpGet:
185 |             path: /metrics
186 |             port: 10054
187 |             scheme: HTTP
188 |           initialDelaySeconds: 60
189 |           timeoutSeconds: 5
190 |           successThreshold: 1
191 |           failureThreshold: 5
192 |         args:
193 |         - --v=2
194 |         - --logtostderr
195 |         - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local,5,SRV
196 |         - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local,5,SRV
197 |         ports:
198 |         - containerPort: 10054
199 |           name: metrics
200 |           protocol: TCP
201 |         resources:
202 |           requests:
203 |             memory: 20Mi
204 |             cpu: 10m
205 |       dnsPolicy: Default  # Don't use cluster DNS.
206 |       serviceAccountName: kube-dns
207 | 


--------------------------------------------------------------------------------