diff --git a/README.md b/README.md index 30a73e356..d0d427bf2 100644 --- a/README.md +++ b/README.md @@ -19,11 +19,12 @@ The target audience for this tutorial is someone planning to support a productio Kubernetes The Hard Way guides you through bootstrapping a highly available Kubernetes cluster with end-to-end encryption between components and RBAC authentication. -* [Kubernetes](https://github.com/kubernetes/kubernetes) 1.10.2 -* [containerd Container Runtime](https://github.com/containerd/containerd) 1.1.0 -* [gVisor](https://github.com/google/gvisor) 08879266fef3a67fac1a77f1ea133c3ac75759dd +* [Kubernetes](https://github.com/kubernetes/kubernetes) 1.12.0 +* [containerd Container Runtime](https://github.com/containerd/containerd) 1.2.0-rc.0 +* [gVisor](https://github.com/google/gvisor) 50c283b9f56bb7200938d9e207355f05f79f0d17 * [CNI Container Networking](https://github.com/containernetworking/cni) 0.6.0 -* [etcd](https://github.com/coreos/etcd) 3.3.5 +* [etcd](https://github.com/coreos/etcd) v3.3.9 +* [CoreDNS](https://github.com/coredns/coredns) v1.2.2 ## Labs diff --git a/docs/02-client-tools.md b/docs/02-client-tools.md index c893706c5..d1cd294af 100644 --- a/docs/02-client-tools.md +++ b/docs/02-client-tools.md @@ -76,9 +76,9 @@ If this step fails with a runtime error, try installing cfssl following instruct > output ```shell -Version: 1.2.0 +Version: 1.3.2 Revision: dev -Runtime: go1.9 +Runtime: go1.10.3 ``` ```shell @@ -88,9 +88,9 @@ cfssljson -version > output ```shell -Version: 1.2.0 +Version: 1.3.2 Revision: dev -Runtime: go1.9 +Runtime: go1.10.3 ``` ## Install kubectl @@ -100,7 +100,7 @@ The `kubectl` command line utility is used to interact with the Kubernetes API S ### OS X ```shell -curl -o kubectl https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/darwin/amd64/kubectl +curl -o kubectl https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/darwin/amd64/kubectl ``` ```shell 
@@ -114,7 +114,7 @@ sudo mv kubectl /usr/local/bin/ ### Linux ```shell -wget https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/linux/amd64/kubectl +wget https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kubectl ``` ```shell @@ -134,7 +134,7 @@ PS C:\Windows\system32>choco install kubernetes-cli ### Verification -Verify `kubectl` version 1.10.2 or higher is installed: +Verify `kubectl` version 1.12.0 or higher is installed: ```shell kubectl version --client @@ -143,7 +143,7 @@ kubectl version --client > output ```shell -Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.2", GitCommit:"81753b10df112992bf51bbc2c2f85208aad78335", GitTreeState:"clean", BuildDate:"2018-04-27T09:22:21Z", GoVersion:"go1.9.4", Compiler:"gc", Platform:"linux/amd64"} +Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.0", GitCommit:"0ed33881dc4355495f623c6f22e7dd0b7632b7c0", GitTreeState:"clean", BuildDate:"22018-09-27T17:05:32Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"darwin/amd64"} ``` Next: [Provisioning Compute Resources](03-compute-resources.md) diff --git a/docs/04-certificate-authority.md b/docs/04-certificate-authority.md index c47837f0e..a9d8187ae 100644 --- a/docs/04-certificate-authority.md +++ b/docs/04-certificate-authority.md @@ -399,7 +399,7 @@ for instance in worker-0 worker-1 worker-2; do PUBLIC_IP_ADDRESS=$(az network public-ip show -g kubernetes \ -n ${instance}-pip --query "ipAddress" -otsv) - scp ca.pem ${instance}-key.pem ${instance}.pem $(whoami)@${PUBLIC_IP_ADDRESS}:~/ + scp -o StrictHostKeyChecking=no ca.pem ${instance}-key.pem ${instance}.pem $(whoami)@${PUBLIC_IP_ADDRESS}:~/ done ``` 
@@ -410,7 +410,8 @@ for instance in controller-0 controller-1 controller-2; do PUBLIC_IP_ADDRESS=$(az network public-ip show -g kubernetes \ -n ${instance}-pip --query "ipAddress" -otsv) - scp ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem $(whoami)@${PUBLIC_IP_ADDRESS}:~/ + scp -o StrictHostKeyChecking=no ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \ + service-account-key.pem service-account.pem $(whoami)@${PUBLIC_IP_ADDRESS}:~/ done ``` diff --git a/docs/07-bootstrapping-etcd.md b/docs/07-bootstrapping-etcd.md index 7834d278b..f79b840a2 100644 --- a/docs/07-bootstrapping-etcd.md +++ b/docs/07-bootstrapping-etcd.md @@ -22,15 +22,15 @@ Download the official etcd release binaries from the [coreos/etcd](https://githu ```shell wget -q --show-progress --https-only --timestamping \ - "https://github.com/coreos/etcd/releases/download/v3.3.5/etcd-v3.3.5-linux-amd64.tar.gz" + "https://github.com/coreos/etcd/releases/download/v3.3.9/etcd-v3.3.9-linux-amd64.tar.gz" ``` Extract and install the `etcd` server and the `etcdctl` command line utility: ```shell { - tar -xvf etcd-v3.3.5-linux-amd64.tar.gz - sudo mv etcd-v3.3.5-linux-amd64/etcd* /usr/local/bin/ + tar -xvf etcd-v3.3.9-linux-amd64.tar.gz + sudo mv etcd-v3.3.9-linux-amd64/etcd* /usr/local/bin/ } ``` @@ -100,7 +100,7 @@ sudo mv etcd.service /etc/systemd/system/ { sudo systemctl daemon-reload sudo systemctl enable etcd - sudo systemctl start etcd + ps -ef | grep apiserver } ``` @@ -112,7 +112,7 @@ List the etcd cluster members: ```shell sudo ETCDCTL_API=3 etcdctl member list \ - --endpoints=https://127.0.0.1:2379 \ + --endpoints=https://${INTERNAL_IP}:2379 \ --cacert=/etc/etcd/ca.pem \ --cert=/etc/etcd/kubernetes.pem \ --key=/etc/etcd/kubernetes-key.pem diff --git a/docs/08-bootstrapping-kubernetes-controllers.md b/docs/08-bootstrapping-kubernetes-controllers.md index 0c24aea90..85298adec 100644 --- a/docs/08-bootstrapping-kubernetes-controllers.md +++ b/docs/08-bootstrapping-kubernetes-controllers.md 
@@ -321,12 +321,12 @@ curl --cacert ca.pem https://${KUBERNETES_PUBLIC_IP_ADDRESS}:6443/version ```shell { "major": "1", - "minor": "10", - "gitVersion": "v1.10.2", - "gitCommit": "81753b10df112992bf51bbc2c2f85208aad78335", + "minor": "12", + "gitVersion": "v1.12.0", + "gitCommit": "0ed33881dc4355495f623c6f22e7dd0b7632b7c0", "gitTreeState": "clean", - "buildDate": "2018-04-27T09:10:24Z", - "goVersion": "go1.9.3", + "buildDate": "2018-09-27T16:55:41Z", + "goVersion": "go1.10.4", "compiler": "gc", "platform": "linux/amd64" } diff --git a/docs/09-bootstrapping-kubernetes-workers.md b/docs/09-bootstrapping-kubernetes-workers.md index 8c90c9e23..ad7fb9fd5 100644 --- a/docs/09-bootstrapping-kubernetes-workers.md +++ b/docs/09-bootstrapping-kubernetes-workers.md @@ -38,7 +38,10 @@ ssh $(whoami)@${PUBLIC_IP_ADDRESS} Install the OS dependencies: ```shell -sudo apt-get -y install socat +{ + sudo apt-get update + sudo apt-get -y install socat conntrack ipset +} ``` > The socat binary enables support for the `kubectl port-forward` command. 
@@ -47,14 +50,14 @@ sudo apt-get -y install socat ```shell wget -q --show-progress --https-only --timestamping \ - https://github.com/kubernetes-incubator/cri-tools/releases/download/v1.0.0-beta.0/crictl-v1.0.0-beta.0-linux-amd64.tar.gz \ - https://storage.googleapis.com/kubernetes-the-hard-way/runsc \ + https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.12.0/crictl-v1.12.0-linux-amd64.tar.gz \ + https://storage.googleapis.com/kubernetes-the-hard-way/runsc-50c283b9f56bb7200938d9e207355f05f79f0d17 \ https://github.com/opencontainers/runc/releases/download/v1.0.0-rc5/runc.amd64 \ - https://github.com/containernetworking/plugins/releases/download/v0.6.0/cni-plugins-amd64-v0.6.0.tgz \ - https://github.com/containerd/containerd/releases/download/v1.1.0/containerd-1.1.0.linux-amd64.tar.gz \ - https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/linux/amd64/kubectl \ - https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/linux/amd64/kube-proxy \ - https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/linux/amd64/kubelet + https://github.com/containernetworking/cni/releases/download/v0.6.0/cni-amd64-v0.6.0.tgz \ + https://github.com/containerd/containerd/releases/download/v1.2.0-rc.0/containerd-1.2.0-rc.0.linux-amd64.tar.gz \ + https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kubectl \ + https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kube-proxy \ + https://storage.googleapis.com/kubernetes-release/release/v1.12.0/bin/linux/amd64/kubelet ``` Create the installation directories: 
@@ -73,12 +76,13 @@ Install the worker binaries: ```shell { - chmod +x kubectl kube-proxy kubelet runc.amd64 runsc + sudo mv runsc-50c283b9f56bb7200938d9e207355f05f79f0d17 runsc sudo mv runc.amd64 runc + chmod +x kubectl kube-proxy kubelet runc runsc sudo mv kubectl kube-proxy kubelet runc runsc /usr/local/bin/ - sudo tar -xvf crictl-v1.0.0-beta.0-linux-amd64.tar.gz -C /usr/local/bin/ + sudo tar -xvf crictl-v1.12.0-linux-amd64.tar.gz -C /usr/local/bin/ sudo tar -xvf cni-plugins-amd64-v0.6.0.tgz -C /opt/cni/bin/ - sudo tar -xvf containerd-1.1.0.linux-amd64.tar.gz -C / + sudo tar -xvf containerd-1.2.0-rc.0.linux-amd64.tar.gz -C / } ``` @@ -141,6 +145,10 @@ cat << EOF | sudo tee /etc/containerd/config.toml runtime_type = "io.containerd.runtime.v1.linux" runtime_engine = "/usr/local/bin/runsc" runtime_root = "/run/containerd/runsc" + [plugins.cri.containerd.gvisor] + runtime_type = "io.containerd.runtime.v1.linux" + runtime_engine = "/usr/local/bin/runsc" + runtime_root = "/run/containerd/runsc" EOF ``` @@ -201,12 +209,15 @@ clusterDomain: "cluster.local" clusterDNS: - "10.32.0.10" podCIDR: "${POD_CIDR}" +resolvConf: "/run/systemd/resolve/resolv.conf" runtimeRequestTimeout: "15m" tlsCertFile: "/var/lib/kubelet/${HOSTNAME}.pem" tlsPrivateKeyFile: "/var/lib/kubelet/${HOSTNAME}-key.pem" EOF ``` +> The `resolvConf` configuration is used to avoid loops when using CoreDNS for service discovery on systems running `systemd-resolved`. + Create the `kubelet.service` systemd unit file: ```shell diff --git a/docs/12-dns-addon.md b/docs/12-dns-addon.md index 809199cd5..67c5e5b59 100644 --- a/docs/12-dns-addon.md +++ b/docs/12-dns-addon.md 
@@ -1,68 +1,76 @@ # Deploying the DNS Cluster Add-on -In this lab you will deploy the [DNS add-on](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) which provides DNS based service discovery to applications running inside the Kubernetes cluster. +In this lab you will deploy the [DNS add-on](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) which provides DNS based service discovery, backed by [CoreDNS](https://coredns.io/), to applications running inside the Kubernetes cluster. ## The DNS Cluster Add-on -Deploy the `kube-dns` cluster add-on: +Deploy the `coredns` cluster add-on: -```shell -kubectl create -f https://storage.googleapis.com/kubernetes-the-hard-way/kube-dns.yaml +``` +kubectl apply -f https://storage.googleapis.com/kubernetes-the-hard-way/coredns.yaml ``` > output -```shell -serviceaccount "kube-dns" created -configmap "kube-dns" created -service "kube-dns" created -deployment "kube-dns" created +``` +serviceaccount/coredns created +clusterrole.rbac.authorization.k8s.io/system:coredns created +clusterrolebinding.rbac.authorization.k8s.io/system:coredns created +configmap/coredns created +deployment.extensions/coredns created +service/kube-dns created ``` List the pods created by the `kube-dns` deployment: -```shell +``` kubectl get pods -l k8s-app=kube-dns -n kube-system ``` > output -```shell -NAME READY STATUS RESTARTS AGE -kube-dns-3097350089-gq015 3/3 Running 0 20s -kube-dns-3097350089-q64qc 3/3 Running 0 20s +``` +NAME READY STATUS RESTARTS AGE +coredns-699f8ddd77-94qv9 1/1 Running 0 20s +coredns-699f8ddd77-gtcgb 1/1 Running 0 20s ``` ## Verification Create a `busybox` deployment: -```shell -kubectl create -f https://k8s.io/examples/admin/dns/busybox.yaml +``` +kubectl run busybox --image=busybox:1.28 --command -- sleep 3600 ``` List the pod created by the `busybox` deployment: -```shell -kubectl get pods/busybox +``` +kubectl get pods -l run=busybox ``` > output -```shell -NAME READY STATUS 
RESTARTS AGE -busybox 1/1 Running 0 15s +``` +NAME READY STATUS RESTARTS AGE +busybox-bd8fb7cbd-vflm9 1/1 Running 0 10s +``` + +Retrieve the full name of the `busybox` pod: + +``` +POD_NAME=$(kubectl get pods -l run=busybox -o jsonpath="{.items[0].metadata.name}") ``` Execute a DNS lookup for the `kubernetes` service inside the `busybox` pod: -```shell -kubectl exec -ti busybox -- nslookup kubernetes.default +``` +kubectl exec -ti $POD_NAME -- nslookup kubernetes ``` > output -```shell +``` Server: 10.32.0.10 Address 1: 10.32.0.10 kube-dns.kube-system.svc.cluster.local
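Review bot: in the README.md component list the etcd and CoreDNS entries now carry a "v" prefix ("v3.3.9", "v1.2.2") while the Kubernetes, containerd and gVisor entries on the same list do not; pick one convention. Also, a tutorial aimed at "someone planning to support a production Kubernetes cluster" now pins containerd to a release candidate (1.2.0-rc.0); add a sentence saying why the pre-release is required here and that it should be replaced by the GA 1.2.0 build once that ships.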
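Review bot: the expected `kubectl version --client` output in docs/02-client-tools.md has a typo in the date, `BuildDate:"22018-09-27T17:05:32Z"`, which should read `2018-09-27T17:05:32Z`. The sample was also recaptured on `darwin/amd64` (with `GoVersion:"go1.10.4"`) where the old one was `linux/amd64`, so Linux readers will see a platform and Go version that differ from the page; either note that the output was taken on OS X or keep a Linux capture, since the section is shared by all three install paths.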
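Review bot: adding `-o StrictHostKeyChecking=no` to both scp loops in docs/04-certificate-authority.md disables SSH host key verification on precisely the transfer that carries the cluster's most sensitive material: `ca-key.pem` and the newly added `service-account-key.pem` go to the controllers, and each worker's kubelet key goes to the workers. Anyone who can answer for `${PUBLIC_IP_ADDRESS}` at that moment receives the CA private key and can mint client certificates for any identity. Drop the flag and pre-populate `known_hosts` with host keys obtained out of band (for example from the VM's console output), or, if the only goal is to avoid the interactive prompt on first connect, use `-o StrictHostKeyChecking=accept-new`, which still refuses a changed key on later connections.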
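Review bot: the systemd block in docs/07-bootstrapping-etcd.md now removes `sudo systemctl start etcd` and puts `ps -ef | grep apiserver` in its place, so etcd is enabled but never started on this boot, and the grep looks for an apiserver process that does not exist on the node at this stage. This reads like a stray debugging command that was committed by mistake; restore the line
    sudo systemctl start etcd
and drop the `ps` invocation, otherwise the member-list verification that follows fails with a connection refused.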
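Review bot: the `etcdctl member list` hunk in docs/07-bootstrapping-etcd.md changes the endpoint from `https://127.0.0.1:2379` to `https://${INTERNAL_IP}:2379`, which only works if `INTERNAL_IP` is still exported in the shell that the reader is typing into; if the variable is unset the command silently targets `https://:2379`. Either re-derive `INTERNAL_IP` immediately above the command or keep the loopback endpoint, which needs no state from earlier steps. If the change is meant to prove that etcd listens on the internal address and not only on loopback, say so in the surrounding text.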
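Review bot: the download list in docs/09-bootstrapping-kubernetes-workers.md now fetches `cni-amd64-v0.6.0.tgz` from the containernetworking/cni release, but the install block further down still runs `sudo tar -xvf cni-plugins-amd64-v0.6.0.tgz -C /opt/cni/bin/`, so the install step fails on a file that was never downloaded. Keep the previous `containernetworking/plugins` URL, whose archive name matches the tar line and is the plugins bundle that `/opt/cni/bin` needs, or change the tar line to match the new name. Separately, `runsc-50c283b9f56bb7200938d9e207355f05f79f0d17` is pulled from the `kubernetes-the-hard-way` GCS bucket with no checksum; since runsc is the sandbox boundary for untrusted workloads on these nodes, publish a sha256 next to the binary and have the reader verify it before the `chmod +x` step.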
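Review bot: the new `[plugins.cri.containerd.gvisor]` table in the containerd config hunk of docs/09-bootstrapping-kubernetes-workers.md repeats the three settings of the `untrusted_workload_runtime` table above it verbatim (same `runtime_type`, `runtime_engine` and `runtime_root`), and nothing else on the page refers to a "gvisor" handler. Either document what consumes this table or remove it as a copy-paste leftover. If the intent is a named runtime handler for a RuntimeClass, containerd 1.2's CRI plugin reads those from `[plugins.cri.containerd.runtimes.<name>]`, not from a direct child of `plugins.cri.containerd`, where an unknown table is ignored without any error.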
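Review bot: the kubelet config hunk in docs/09-bootstrapping-kubernetes-workers.md hard-codes `resolvConf: "/run/systemd/resolve/resolv.conf"`, a path that only exists on hosts running `systemd-resolved`, and the added note explains the loop-avoidance motive but not the assumption. The `apt-get` step shows the lab targets a Debian-family image; state which image is assumed and what a reader on a host without `systemd-resolved` should set (`/etc/resolv.conf`), since this is the only place the dependency appears.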
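Review bot: in docs/12-dns-addon.md the sentence "List the pods created by the `kube-dns` deployment" was not updated along with the rest of the file: the deployment is now `coredns` (the apply output shows `deployment.extensions/coredns created` and the pods are `coredns-...`); only the Service keeps the `kube-dns` name, which is why the `k8s-app=kube-dns` label selector still works. Two smaller points on the same hunk: the fences drop the `shell` tag while every other file in this patch keeps ```shell, so keep the tag for consistency; and `kubectl apply -f https://storage.googleapis.com/kubernetes-the-hard-way/coredns.yaml` creates a ClusterRole and ClusterRoleBinding (`system:coredns`) straight from a bucket, so link to or inline the manifest so readers can review the RBAC it grants before applying it to the cluster.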