Anbei ein kleines Skript, welches ich gerne nutze um auf einer frischen Ubuntu 20.04 Installation Google Kubernetes inkl. dem Dashboard und dem Metis Server zu Testzwecken auszurollen. Das Skript hat keinerlei Vorbedingungen sondern kann direkt nach einer Ubuntu 20.04 (Server-)Installation ausgeführt werden. Wie immer gilt jedoch:
Bitte testet das Skript vorab in einer sicheren Umgebung.
#!/bin/bash
# Lösche die folgende Zeile, wenn du das Skript verstanden und an dein System angepasst hast :)
exit
echo "Update System"
apt-get update
apt-get -y dist-upgrade
echo "Install some tools"
apt-get -y install aptitude apt-transport-https curl nftables net-tools zip jq
echo "Add Kubernetes Repository"
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list
apt-get update
echo "Install Docker"
apt-get -y install docker.io
systemctl enable docker.service
echo "Install Kubernetes"
apt-get -y install kubelet kubeadm kubectl
echo "Enable IP Forwarding"
sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "Disable SWAP"
cp /etc/fstab /tmp/fstab
echo "" > /etc/fstab
cat /tmp/fstab | grep -v swap >> /etc/fstab
rm /tmp/fstab
swapoff -a
echo "Setup Kubernetes Cluster"
kubeadm config images pull
kubeadm init --pod-network-cidr=192.168.0.0/16 --apiserver-advertise-address=<HIER DIE IP ADRESSE DES SERVERS>
echo "Distribute .kube Files for root"
mkdir -p /root/.kube
cp -i /etc/kubernetes/admin.conf /root/.kube/config
chown root:root /root/.kube/config
echo "Distribute .kube Files for user"
mkdir $HOME/.kube
sudo cp /etc/kubernetes/admin.conf $HOME/.kube/
sudo chown $(id -u):$(id -g) $HOME/.kube/admin.conf
export KUBECONFIG=$HOME/.kube/admin.conf
echo "Untainted Node"
kubectl taint nodes --all node-role.kubernetes.io/master-
echo "Install calico"
kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
echo "Install Kubernetes Dashboard"
kubectl create namespace kubernetes-dashboard
mkdir /tmp/certs
openssl genrsa -out /tmp/certs/tls.key 4096
openssl rsa -in /tmp/certs/tls.key -out /tmp/certs/tls.key
openssl req -sha256 -new -key /tmp/certs/tls.key -out /tmp/certs/tls.csr -subj '/CN=localhost'
openssl x509 -req -sha256 -days 365 -in /tmp/certs/tls.csr -signkey /tmp/certs/tls.key -out /tmp/certs/tls.crt
kubectl -n kube-system create secret generic kubernetes-dashboard-certs --from-file=/tmp/certs -n kubernetes-dashboard
rm -r /tmp/certs/
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc7/aio/deploy/recommended.yaml
kubectl apply -f ./install/dashboard-adminuser.yaml
kubectl apply -f ./install/dashboard-role.yaml
kubectl create clusterrolebinding kube-dashboard-binding --clusterrole=admin --user=admin-user
openssl genrsa -out /tmp/kbdb.key 4096
openssl req -config ./install/dashboard-csr.cnf -new -key /tmp/kbdb.key -nodes -out /tmp/kbdb.csr
export BASE64_CSR=$(cat /tmp/kbdb.csr | base64 | tr -d '\n')
cat ./install/dashboard-csr.yaml | envsubst | kubectl apply -f -
kubectl certificate approve mycsr
echo "Install Metis-Server"
wget https://get.helm.sh/helm-v2.16.5-linux-amd64.tar.gz
tar -zxvf helm-v2.16.5-linux-amd64.tar.gz
mv ./linux-amd64/helm /usr/local/bin/helm
rm ./helm-v2.16.5-linux-amd64.tar.gz
rm -r ./linux-amd64
/usr/local/bin/helm init --wait
kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
kubectl apply -f ./install/metis.yaml
sleep 10
/usr/local/bin/helm install --name metrics-server stable/metrics-server --namespace metrics --set args={"--kubelet-insecure-tls=true,--kubelet-preferred-address-types=InternalIP\,Hostname\,ExternalIP"}
echo "Generating Access Keys"
sleep 60
kubectl get csr mycsr -o jsonpath='{.status.certificate}' | base64 --decode > /tmp/kbdb.crt
openssl pkcs12 -export -in /tmp/kbdb.crt -inkey /tmp/kbdb.key -out /tmp/kbdb.p12 -passout pass:
mv /tmp/kbdb.p12 $HOME/
chown $(id -u):$(id -g) $HOME/kbdb.p12
rm /tmp/kbdb.key
rm /tmp/kbdb.csr
rm /tmp/kbdb.crt
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}') > /tmp/token.txt
mv /tmp/token.txt $HOME/
chown $(id -u):$(id -g) $HOME/token.txt
Das zu verwendende Clientzertifikat zum Import für euren lokalen Browser liegt anschließend unter $HOME/kbdb.p12
. Der Zugriffstoken liegt unter $HOME/token.txt
. Folgende Dateien habe ich im Skript im Unterordner "install" verwendet:
dashboard-adminuser.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard
dashboard-csr.cnf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
CN = admin-user
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
dashboard-csr.yaml
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
name: mycsr
spec:
groups:
- system:authenticated
request: ${BASE64_CSR}
usages:
- digital signature
- key encipherment
- server auth
- client auth
dashboard-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard
metis.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubelet-api-admin
subjects:
- kind: User
name: kubelet-api
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: system:kubelet-api-admin
apiGroup: rbac.authorization.k8s.io
Quellen / Bildnachweis:
- Beitragsbild: © Alex - Fotolia.com