Kubeadm on GCE

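# Path to the service-account key Terraform's google provider authenticates
# with. Keep this file out of the repository and out of shell history.
# Tilde expansion does not happen inside double quotes, so the original value
# stored a literal "~/..."; $HOME yields the expanded path for any consumer
# (the provider may expand "~" itself, but other tools will not).
export GOOGLE_CLOUD_KEYFILE_JSON="$HOME/my-beautiful-project-39276-3b4467fd2113.json"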
// Google provider. Credentials are presumably picked up from the
// GOOGLE_CLOUD_KEYFILE_JSON environment variable exported above; project,
// region and zone come from input variables whose declarations are not shown.
provider "google" {
  project = "${var.project_id}"
  region  = "${var.region}"
  zone    = "${var.zone}"
}

// Opens the Kubernetes API server port (6443) on instances tagged "kube-api".
// NOTE(review): source_ranges of 0.0.0.0/0 reaches the API server from the
// whole internet via the nodes' external IPs; restrict it to the operator's
// address range (and the VPC) once the cluster is up.
resource "google_compute_firewall" "allow-kube-api" {
  name    = "allow-kube-api"
  network = "default"

  allow {
    protocol = "tcp"
    ports    = ["6443"]
  }

  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["kube-api"]
}

// Opens the NodePort service range (30000-32767) on instances tagged
// "nodeports". The "nodeports" tag is also what the GCE cloud-config's
// node-tags entry refers to.
// NOTE(review): 0.0.0.0/0 exposes every NodePort service to the internet;
// narrow the source range if these services are not meant to be public.
resource "google_compute_firewall" "allow-nodeports" {
  name    = "allow-nodeports"
  network = "default"

  allow {
    protocol = "tcp"
    ports    = ["30000-32767"]
  }

  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["nodeports"]
}

// Template for every Kubernetes node VM. Both firewall rules above match on
// the tags set here, and the startup script bootstraps containerd, Kata and
// kubeadm on first boot.
resource "google_compute_instance_template" "default" {
  name        = "kubernetes-nodes-instances"
  description = "This template is used to create Kubernetes nodes instances."

  // Selects the allow-kube-api and allow-nodeports firewall rules.
  tags = ["kube-api", "nodeports"]

  labels = {
    environment = "medium"
  }

  instance_description = "description assigned to instances"
  machine_type         = "n1-standard-2"
  // Lets the VM forward packets it did not originate (presumably needed for
  // pod traffic routed via the node — confirm against the CNI in use).
  can_ip_forward = true

  scheduling {
    automatic_restart   = true
    on_host_maintenance = "MIGRATE"
  }

  // Create a new boot disk from an image
  disk {
    source_image = "debian-cloud/debian-9"
    auto_delete  = true
    boot         = true
  }

  network_interface {
    network = "default"
    // An empty access_config gives each node an external IP, which is what
    // the 0.0.0.0/0 firewall rules above are reachable through.
    access_config {
      // Ephemeral IP
    }
  }

  // ssh-keys is "<username>:<public key>"; id_rsa.pub is read by Terraform,
  // presumably relative to the directory it is run from.
  metadata = {
    ssh-keys = "saphoooo:${file("id_rsa.pub")}"
  }

  // Runs as root on first boot (the script is shown further down).
  metadata_startup_script = "${file("startup.sh")}"

  // NOTE(review): no email is set, so instances run as the project's default
  // compute service account, and the "cloud-platform" scope admits every API
  // that account's IAM roles allow. A dedicated service account with only the
  // roles the cloud provider needs limits what a compromised node can reach.
  service_account {
    scopes = ["storage-full", "cloud-platform", "compute-rw", "logging-write", "monitoring", "service-control", "service-management"]
  }
}

// Regional managed instance group: 3 nodes spread across the three
// europe-west2 zones, all built from the template above.
resource "google_compute_region_instance_group_manager" "default" {
  name              = "kubernetes-node-group-manager"
  instance_template = "${google_compute_instance_template.default.self_link}"
  // Prefix of the VM names; matches node-instance-prefix in the GCE
  // cloud-config below.
  base_instance_name = "kubernetes-node"
  // NOTE(review): region and zones are hard-coded here while the provider
  // block uses var.region — consider deriving both from the same variable.
  region                    = "europe-west2"
  distribution_policy_zones = ["europe-west2-a", "europe-west2-b", "europe-west2-c"]
  target_size               = "3"
}
# GCE cloud-provider configuration (gcfg format); the kubeadm configs below
# mount it at /etc/kubernetes/cloud-config.
[Global]
project-id = "my-beautiful-project-39276"
# Instance tag the cloud provider uses to find cluster nodes; matches the
# target tag on the allow-nodeports firewall rule and the instance template.
node-tags = nodeports
# Matches base_instance_name on the instance group manager.
node-instance-prefix = "kubernetes-node"
# Nodes span several zones (see distribution_policy_zones above).
multizone = true
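#! /bin/bash
# GCE startup script (startup.sh): installs containerd (CRI), Kata Containers
# and the kubeadm/kubelet/kubectl packages on a freshly created Debian 9 node.
# Runs as root via the instance template's metadata_startup_script, so the
# sudo calls of the original were redundant and have been dropped.
set -euo pipefail

# Answer debconf non-interactively for every apt-get below (the original only
# exported this after the first installs had already run).
export DEBIAN_FRONTEND=noninteractive

# cri-containerd release unpacked over / (ships containerd + its systemd unit).
export VERSION="1.3.0"
# Kubernetes package version; matches kubernetesVersion (v1.16.2) in the
# kubeadm ClusterConfiguration. Unpinned installs pull the newest packages,
# which can fall outside the version skew kubeadm init accepts.
K8S_VERSION="${K8S_VERSION:-1.16.2-00}"
# Kata Containers repository branch.
BRANCH="${BRANCH:-master}"

apt-get update
apt-get install -y libseccomp2 apt-transport-https curl

# Download into a scratch directory instead of whatever the cwd happens to be;
# removed on any exit path.
workdir=$(mktemp -d)
cleanup() { rm -rf -- "${workdir}"; }
trap cleanup EXIT

tarball="cri-containerd-${VERSION}.linux-amd64.tar.gz"
# -f fails loudly on an HTTP error instead of saving the error page as a tarball.
curl -fsSL -o "${workdir}/${tarball}" \
  "https://storage.googleapis.com/cri-containerd-release/${tarball}"
# TODO(review): verify the tarball against the release's published checksum
# before unpacking it over the root filesystem.
tar --no-overwrite-dir -C / -xzf "${workdir}/${tarball}"

# Kernel modules to load at boot. The original `echo \"overlay\nbr_netfilter\"`
# appended the literal text "overlay\nbr_netfilter" (quotes and backslash
# included) as a single line, which /etc/modules cannot use.
printf '%s\n' overlay br_netfilter >> /etc/modules
systemctl enable containerd
modprobe overlay
modprobe br_netfilter

cat > /etc/sysctl.d/99-kubernetes-cri.conf <<EOF
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
sysctl --system

# Kubernetes apt repository and its signing key.
curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb https://apt.kubernetes.io/ kubernetes-xenial main
EOF
apt-get update
apt-get install -y "kubelet=${K8S_VERSION}" "kubeadm=${K8S_VERSION}" "kubectl=${K8S_VERSION}"
apt-mark hold kubelet kubeadm kubectl

# Kata Containers repository. The original wrote the repo line in single
# quotes, so the literal text ${ARCH}/${BRANCH}/${VERSION_ID} ended up in the
# sources file; here the values are expanded. The key and repo are fetched over
# https so the signing key cannot be swapped in transit (apt-transport-https is
# installed above).
ARCH=$(arch)
# shellcheck disable=SC1091
source /etc/os-release
kata_repo="https://download.opensuse.org/repositories/home:/katacontainers:/releases:/${ARCH}:/${BRANCH}/Debian_${VERSION_ID}/"
printf 'deb %s /\n' "${kata_repo}" > /etc/apt/sources.list.d/kata-containers.list
curl -fsSL "${kata_repo}Release.key" | apt-key add -
apt-get update
apt-get -y install kata-runtime kata-proxy kata-shim

# Point containerd's untrusted-workload runtime at Kata: the line after the
# untrusted_workload_runtime section header has its empty value replaced.
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml
sed -i '/containerd.untrusted_workload_runtime/{n;s/""/"io.containerd.kata.v2"/}' /etc/containerd/config.toml
systemctl restart containerd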
// ssh-keys metadata is "<username>:<public key>" (same attribute as in the
// instance template above); id_rsa.pub is read by Terraform, presumably
// relative to the directory it is run from.
metadata = {
  ssh-keys = "saphoooo:${file("id_rsa.pub")}"
}
# kubeadm configuration for the first control-plane node (gce.yaml).
apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
bootstrapTokens:
  - groups:
      - system:bootstrappers:kubeadm:default-node-token
    # Pre-shared token; the JoinConfiguration below uses the same value.
    # It expires after ttl, so workers must join within 24h of init.
    token: medium.howtok5678songce
    ttl: 24h0m0s
    usages:
      - signing
      - authentication
nodeRegistration:
  # Socket of the containerd installed by the startup script.
  criSocket: "/var/run/containerd/containerd.sock"
  kubeletExtraArgs:
    cloud-provider: "gce"
    cloud-config: "/etc/kubernetes/cloud-config"
  # Empty list: kubeadm does not taint this node, so it also schedules workloads.
  taints: []
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
clusterName: medium
# The installed kubeadm package must be within the supported skew of this.
kubernetesVersion: v1.16.2
networking:
  podSubnet: 10.244.0.0/16
apiServer:
  certSANs:
    # External address clients connect through (see the kubeconfig below).
    # NOTE(review): 267 is not a valid IPv4 octet, so this is presumably a
    # redacted placeholder — use the control-plane node's real external IP.
    - 35.187.224.267
  extraArgs:
    authorization-mode: Node,RBAC
    cloud-provider: "gce"
    cloud-config: "/etc/kubernetes/cloud-config"
  extraVolumes:
    # Makes the host's cloud-config readable inside the apiserver pod.
    - name: cloud
      hostPath: "/etc/kubernetes/cloud-config"
      mountPath: "/etc/kubernetes/cloud-config"
controllerManager:
  extraArgs:
    cloud-provider: "gce"
    cloud-config: "/etc/kubernetes/cloud-config"
  extraVolumes:
    # Same mount for the controller-manager pod.
    - name: cloud
      hostPath: "/etc/kubernetes/cloud-config"
      mountPath: "/etc/kubernetes/cloud-config"
$ sudo kubeadm init --config gce.yaml
$ kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://35.187.224.267:6443
name: medium
contexts:
- context:
cluster: medium
user: kubernetes-admin
name: kubernetes-admin@medium
current-context: kubernetes-admin@medium
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
$ kubectl label node kubernetes-node-4244 node-role.kubernetes.io/master-
$ kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
# kubeadm configuration for the worker nodes (join.yaml).
apiVersion: kubeadm.k8s.io/v1beta2
kind: JoinConfiguration
discovery:
  bootstrapToken:
    # Internal address of the control-plane node.
    apiServerEndpoint: "10.154.0.62:6443"
    # Same token as bootstrapTokens in the InitConfiguration above.
    token: medium.howtok5678songce
    # NOTE(review): with CA verification skipped the joining node trusts
    # whatever answers at apiServerEndpoint, so an attacker on the network
    # path can impersonate the control plane during join. Prefer pinning the
    # CA with caCertHashes (the sha256 value `kubeadm init` prints in its join
    # command) and dropping this field.
    unsafeSkipCAVerification: true
nodeRegistration:
  criSocket: "/var/run/containerd/containerd.sock"
  kubeletExtraArgs:
    # Unlike the InitConfiguration, no cloud-config is passed here — confirm
    # this is intended.
    cloud-provider: "gce"
  taints: []
$ sudo kubeadm join --config join.yaml
# Default StorageClass backed by zonal GCE persistent disks.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: standard
  annotations:
    # Claims that specify no storageClassName get this class.
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: kubernetes.io/gce-pd
parameters:
  type: pd-standard
  # Zonal (non-regional) disks.
  replication-type: none
# Only provision volumes in the zones the node group spans
# (see distribution_policy_zones in the Terraform above).
allowedTopologies:
  - matchLabelExpressions:
      - key: failure-domain.beta.kubernetes.io/zone
        values:
          - europe-west2-a
          - europe-west2-b
          - europe-west2-c
