Versions updated 1.8.0

kelseyhightower · Oct 2, 2017 · a1cd3a6 · a1cd3a6
1 parent 0be9f64
commit a1cd3a6
Show file tree

Hide file tree

Showing 9 changed files with 142 additions and 127 deletions.
diff --git a/README.md b/README.md
@@ -19,10 +19,10 @@ The target audience for this tutorial is someone planning to support a productio
 
 Kubernetes The Hard Way guides you through bootstrapping a highly available Kubernetes cluster with end-to-end encryption between components and RBAC authentication.
 
-* [Kubernetes](https://github.com/kubernetes/kubernetes) 1.7.5
-* [CRI-O Container Runtime](https://github.com/kubernetes-incubator/cri-o) v1.0.0-beta.0
-* [CNI Container Networking](https://github.com/containernetworking/cni) v0.6.0
-* [etcd](https://github.com/coreos/etcd) 3.2.7
+* [Kubernetes](https://github.com/kubernetes/kubernetes) 1.8.0
+* [cri-containerd Container Runtime](https://github.com/kubernetes-incubator/cri-containerd) 1.0.0-alpha.0
+* [CNI Container Networking](https://github.com/containernetworking/cni) 0.6.0
+* [etcd](https://github.com/coreos/etcd) 3.2.8
 
 ## Labs
 

diff --git a/docs/02-client-tools.md b/docs/02-client-tools.md
@@ -11,21 +11,16 @@ Download and install `cfssl` and `cfssljson` from the [cfssl repository](https:/
 ### OS X
 
 ```shell
-wget -q --show-progress --https-only --timestamping \
-  https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64 \
-  https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64
-```
-
-```shell
-chmod +x cfssl_darwin-amd64 cfssljson_darwin-amd64
+curl -o cfssl https://pkg.cfssl.org/R1.2/cfssl_darwin-amd64
+curl -o cfssljson https://pkg.cfssl.org/R1.2/cfssljson_darwin-amd64
 ```
 
 ```shell
-sudo mv cfssl_darwin-amd64 /usr/local/bin/cfssl
+chmod +x cfssl cfssljson
 ```
 
 ```shell
-sudo mv cfssljson_darwin-amd64 /usr/local/bin/cfssljson
+sudo mv cfssl cfssljson /usr/local/bin/
 ```
 
 ### Linux
@@ -85,7 +80,7 @@ The `kubectl` command line utility is used to interact with the Kubernetes API S
 ### OS X
 
 ```shell
-wget https://storage.googleapis.com/kubernetes-release/release/v1.7.5/bin/darwin/amd64/kubectl
+curl -o kubectl https://storage.googleapis.com/kubernetes-release/release/v1.8.0/bin/darwin/amd64/kubectl
 ```
 
 ```shell
@@ -99,7 +94,7 @@ sudo mv kubectl /usr/local/bin/
 ### Linux
 
 ```shell
-wget https://storage.googleapis.com/kubernetes-release/release/v1.7.5/bin/linux/amd64/kubectl
+wget https://storage.googleapis.com/kubernetes-release/release/v1.8.0/bin/linux/amd64/kubectl
 ```
 
 ```shell
@@ -112,7 +107,7 @@ sudo mv kubectl /usr/local/bin/
 
 ### Verification
 
-Verify `kubectl` version 1.7.5 or higher is installed:
+Verify `kubectl` version 1.8.0 or higher is installed:
 
 ```shell
 kubectl version --client
@@ -121,7 +116,7 @@ kubectl version --client
 > output
 
 ```shell
-Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.5", GitCommit:"17d7182a7ccbb167074be7a87f0a68bd00d58d97", GitTreeState:"clean", BuildDate:"2017-09-02T18:55:00Z", GoVersion:"go1.9", Compiler:"gc", Platform:"darwin/amd64"}
+Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.0", GitCommit:"6e937839ac04a38cac63e6a7a306c5d035fe7b0a", GitTreeState:"clean", BuildDate:"2017-09-28T22:57:57Z", GoVersion:"go1.9", Compiler:"gc", Platform:"darwin/amd64"}
 ```
 
 Next: [Provisioning Compute Resources](03-compute-resources.md)
diff --git a/docs/03-compute-resources.md b/docs/03-compute-resources.md
@@ -19,7 +19,7 @@ Create the `kubernetes-vnet` custom VNet network with a subnet `kubernetes` prov
 ```shell
 az network vnet create -g kubernetes \
   -n kubernetes-vnet \
-  --address-prefix 10.240.0.0/16 \
+  --address-prefix 10.240.0.0/24 \
   --subnet-name kubernetes-subnet
 ```
 
@@ -117,7 +117,7 @@ kubernetes       westus2   Static        XX.XXX.XXX.XXX
 
 ## Virtual Machines
 
-The compute instances in this lab will be provisioned using [Ubuntu Server](https://www.ubuntu.com/server) 16.04, which has good support for the [CRI-O container runtime](https://github.com/kubernetes-incubator/cri-o). Each compute instance will be provisioned with a fixed private IP address to simplify the Kubernetes bootstrapping process.
+The compute instances in this lab will be provisioned using [Ubuntu Server](https://www.ubuntu.com/server) 16.04, which has good support for the [cri-containerd container runtime](https://github.com/kubernetes-incubator/cri-containerd). Each compute instance will be provisioned with a fixed private IP address to simplify the Kubernetes bootstrapping process.
 
 ### Kubernetes Controllers
 

diff --git a/docs/04-certificate-authority.md b/docs/04-certificate-authority.md
@@ -167,9 +167,10 @@ worker-2.pem
 Create the `kube-proxy` client certificate signing request:
 
 ```shell
-cat > kube-proxy-csr.json <<EOF
+for instance in worker-0 worker-1 worker-2; do
+cat > ${instance}-csr.json <<EOF
 {
-  "CN": "system:kube-proxy",
+  "CN": "system:node:${instance}",
   "key": {
     "algo": "rsa",
     "size": 2048
@@ -178,13 +179,27 @@ cat > kube-proxy-csr.json <<EOF
     {
       "C": "US",
       "L": "Portland",
-      "O": "system:node-proxier",
+      "O": "system:nodes",
       "OU": "Kubernetes The Hard Way",
       "ST": "Oregon"
     }
   ]
 }
 EOF
+
+EXTERNAL_IP=$(az network public-ip show -g kubernetes \
+  -n kubernetes-pip --query ipAddress -otsv)
+
+INTERNAL_IP=$(az vm show -d -n ${instance} -g kubernetes --query privateIps -otsv)
+
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -hostname=${instance},${EXTERNAL_IP},${INTERNAL_IP} \
+  -profile=kubernetes \
+  ${instance}-csr.json | cfssljson -bare ${instance}
+done
 ```
 
 Generate the `kube-proxy` client certificate and private key:

diff --git a/docs/07-bootstrapping-etcd.md b/docs/07-bootstrapping-etcd.md
@@ -22,17 +22,17 @@ Download the official etcd release binaries from the [coreos/etcd](https://githu
 
 ```shell
 wget -q --show-progress --https-only --timestamping \
-  "https://github.com/coreos/etcd/releases/download/v3.2.7/etcd-v3.2.7-linux-amd64.tar.gz"
+  "https://github.com/coreos/etcd/releases/download/v3.2.8/etcd-v3.2.8-linux-amd64.tar.gz"
 ```
 
 Extract and install the `etcd` server and the `etcdctl` command line utility:
 
 ```shell
-tar -xvf etcd-v3.2.7-linux-amd64.tar.gz
+tar -xvf etcd-v3.2.8-linux-amd64.tar.gz
 ```
 
 ```shell
-sudo mv etcd-v3.2.7-linux-amd64/etcd* /usr/local/bin/
+sudo mv etcd-v3.2.8-linux-amd64/etcd* /usr/local/bin/
 ```
 
 ### Configure the etcd Server

diff --git a/docs/08-bootstrapping-kubernetes-controllers.md b/docs/08-bootstrapping-kubernetes-controllers.md
@@ -22,10 +22,10 @@ Download the official Kubernetes release binaries:
 
 ```shell
 wget -q --show-progress --https-only --timestamping \
-  "https://storage.googleapis.com/kubernetes-release/release/v1.7.5/bin/linux/amd64/kube-apiserver" \
-  "https://storage.googleapis.com/kubernetes-release/release/v1.7.5/bin/linux/amd64/kube-controller-manager" \
-  "https://storage.googleapis.com/kubernetes-release/release/v1.7.5/bin/linux/amd64/kube-scheduler" \
-  "https://storage.googleapis.com/kubernetes-release/release/v1.7.5/bin/linux/amd64/kubectl"
+  "https://storage.googleapis.com/kubernetes-release/release/v1.8.0/bin/linux/amd64/kube-apiserver" \
+  "https://storage.googleapis.com/kubernetes-release/release/v1.8.0/bin/linux/amd64/kube-controller-manager" \
+  "https://storage.googleapis.com/kubernetes-release/release/v1.8.0/bin/linux/amd64/kube-scheduler" \
+  "https://storage.googleapis.com/kubernetes-release/release/v1.8.0/bin/linux/amd64/kubectl"
 ```
 
 Install the Kubernetes binaries:
@@ -64,7 +64,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 
 [Service]
 ExecStart=/usr/local/bin/kube-apiserver \\
-  --admission-control=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\
+  --admission-control=Initializers,NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\
   --advertise-address=${INTERNAL_IP} \\
   --allow-privileged=true \\
   --apiserver-count=3 \\
@@ -82,12 +82,12 @@ ExecStart=/usr/local/bin/kube-apiserver \\
   --etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 \\
   --event-ttl=1h \\
   --experimental-encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\
-  --insecure-bind-address=0.0.0.0 \\
+  --insecure-bind-address=127.0.0.1 \\
   --kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \\
   --kubelet-client-certificate=/var/lib/kubernetes/kubernetes.pem \\
   --kubelet-client-key=/var/lib/kubernetes/kubernetes-key.pem \\
   --kubelet-https=true \\
-  --runtime-config=rbac.authorization.k8s.io/v1alpha1 \\
+  --runtime-config=api/all \\
   --service-account-key-file=/var/lib/kubernetes/ca-key.pem \\
   --service-cluster-ip-range=10.32.0.0/24 \\
   --service-node-port-range=30000-32767 \\
@@ -121,10 +121,10 @@ ExecStart=/usr/local/bin/kube-controller-manager \\
   --cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\
   --cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\
   --leader-elect=true \\
-  --master=http://${INTERNAL_IP}:8080 \\
+  --master=http://127.0.0.1:8080 \\
   --root-ca-file=/var/lib/kubernetes/ca.pem \\
   --service-account-private-key-file=/var/lib/kubernetes/ca-key.pem \\
-  --service-cluster-ip-range=10.32.0.0/16 \\
+  --service-cluster-ip-range=10.32.0.0/24 \\
   --v=2
 Restart=on-failure
 RestartSec=5
@@ -147,7 +147,7 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 [Service]
 ExecStart=/usr/local/bin/kube-scheduler \\
   --leader-elect=true \\
-  --master=http://${INTERNAL_IP}:8080 \\
+  --master=http://127.0.0.1:8080 \\
   --v=2
 Restart=on-failure
 RestartSec=5
@@ -194,6 +194,68 @@ etcd-1               Healthy   {"health": "true"}
 
 > Remember to run the above commands on each controller node: `controller-0`, `controller-1`, and `controller-2`.
 
+## RBAC for Kubelet Authorization
+
+In this section you will configure RBAC permissions to allow the Kubernetes API Server to access the Kubelet API on each worker node. Access to the Kubelet API is required for retrieving metrics, logs, and executing commands in pods.
+
+> This tutorial sets the Kubelet `--authorization-mode` flag to `Webhook`. Webhook mode uses the [SubjectAccessReview](https://kubernetes.io/docs/admin/authorization/#checking-api-access) API to determine authorization.
+
+```shell
+CONTROLLER="controller-0"
+PUBLIC_IP_ADDRESS=$(az network public-ip show -g kubernetes \
+  -n ${CONTROLLER}-pip --query "ipAddress" -otsv)
+
+ssh $(whoami)@${PUBLIC_IP_ADDRESS}
+```
+
+Create the `system:kube-apiserver-to-kubelet` [ClusterRole](https://kubernetes.io/docs/admin/authorization/rbac/#role-and-clusterrole) with permissions to access the Kubelet API and perform most common tasks associated with managing pods:
+
+```shell
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: system:kube-apiserver-to-kubelet
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/proxy
+      - nodes/stats
+      - nodes/log
+      - nodes/spec
+      - nodes/metrics
+    verbs:
+      - "*"
+EOF
+```
+
+The Kubernetes API Server authenticates to the Kubelet as the `kubernetes` user using the client certificate as defined by the `--kubelet-client-certificate` flag.
+
+Bind the `system:kube-apiserver-to-kubelet` ClusterRole to the `kubernetes` user:
+
+```shell
+cat <<EOF | kubectl apply -f -
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: system:kube-apiserver
+  namespace: ""
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:kube-apiserver-to-kubelet
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: kubernetes
+EOF
+```
+
 ## The Kubernetes Frontend Load Balancer
 
 In this section you will provision an external load balancer to front the Kubernetes API Servers. The `kubernetes-the-hard-way` static IP address will be attached to the resulting load balancer.
@@ -202,15 +264,6 @@ In this section you will provision an external load balancer to front the Kubern
 
 Create the external load balancer network resources:
 
-```shell
-az network lb probe create -g kubernetes \
-  -n kubernetes-apiserver-check \
-  --lb-name kubernetes-lb \
-  --protocol http \
-  --port 8080 \
-  --path /healthz
-```
-
 ```shell
 az network lb rule create -g kubernetes \
   -n kubernetes-apiserver-rule \
@@ -219,8 +272,7 @@ az network lb rule create -g kubernetes \
   --frontend-ip-name LoadBalancerFrontEnd \
   --frontend-port 6443 \
   --backend-pool-name kubernetes-lb-pool \
-  --backend-port 6443 \
-  --probe-name kubernetes-apiserver-check
+  --backend-port 6443
 ```
 
 ### Verification
@@ -243,11 +295,11 @@ curl --cacert ca.pem https://${KUBERNETES_PUBLIC_IP_ADDRESS}:6443/version
 ```shell
 {
   "major": "1",
-  "minor": "7",
-  "gitVersion": "v1.7.5",
-  "gitCommit": "17d7182a7ccbb167074be7a87f0a68bd00d58d97",
+  "minor": "8",
+  "gitVersion": "v1.8.0",
+  "gitCommit": "6e937839ac04a38cac63e6a7a306c5d035fe7b0a",
   "gitTreeState": "clean",
-  "buildDate": "2017-08-31T08:56:23Z",
+  "buildDate": "2017-09-28T22:46:41Z",
   "goVersion": "go1.8.3",
   "compiler": "gc",
   "platform": "linux/amd64"