Prerequisite: Install required client tools. You will need to install the following tools on your Linux server:
- awscli – to be used to manage your AWS services
- kubectl – this command line utility will be your main control tool to manage your K8s cluster.
- cfssl – a Cloudflare open source toolkit for everything TLS/SSL
- cfssljson – a program, which takes the JSON output from the cfssl and writes certificates, keys, CSRs, and bundles to disk.
- Configure AWSCLI to access all AWS services required. You need a user with programmatic access keys configured in AWS Identity and Access Management (IAM)
- Generate your access keys and save them safely.
- Install AWSCLI on your VM. Click on this link to install AWSCLI.(https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
- Next configure AWSCLI on your VM with the following steps:
type `aws configure`
enter the access key ID you save
enter the secret access key
enter your desired region
enter `json` for your default output format.
- Type
aws ec2 describe-vpcsto test AWSCLI. - It should give you a list of available VPCs in the region you selected of the account.
Kubectl is a tool that allows you easily interact with Kubernetes to deploy applications, inspect and manage cluster resources, view logs and perform many more administrative operations instead of using curl everytime you need to send commands to the Kubernetes cluster API. To install Kubectl:
- Download the binary
wget https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubectl - Make it executable
chmod +x kubectl - Move to the Bin directory
sudo mv kubectl /usr/local/bin/ - Verify that kubectl version 1.21.0 or higher is installed:
kubectl version --client
- Download the binary:
wget -q --show-progress --https-only --timestamping \
https://storage.googleapis.com/kubernetes-the-hard-way/cfssl/1.4.1/linux/cfssl \
https://storage.googleapis.com/kubernetes-the-hard-way/cfssl/1.4.1/linux/cfssljson
- Make it executeable:
chmod +x cfssl cfssljson - Move it to binary directory:
sudo mv cfssl cfssljson /usr/local/bin/
##PROVISION AWS CLOUD RESOURCES FOR KUBERNETES CLUSTER
Our Kubernetes cluster will be needing some AWS resouces to run the Control plane and the Worker nodes This step can be easily automated with Terraform but for the purposes of learning, we will be doing it manually with AWSCLI. SOme of the resources we will be provisioning includes: VPC, SUbnet, EC2, Security groups, Loadbalancer etc. Lets begin.
Virtual Private Cloud – VPC
- Create a directory named k8s-cluster-from-ground-up:
mkdir k8s-cluster-from-ground-up - Create a VPC and store the ID as a variable:
VPC_ID=$(aws ec2 create-vpc \
--cidr-block 172.31.0.0/16 \
--output text --query 'Vpc.VpcId'
)
- Tag the VPC so that it is named k8s-cluster-from-ground-up:
NAME=k8s-cluster-from-ground-up
aws ec2 create-tags \
--resources ${VPC_ID} \
--tags Key=Name,Value=${NAME}
Domain Name System – DNS
- Enable DNS support for your VPC:
aws ec2 modify-vpc-attribute \
--vpc-id ${VPC_ID} \
--enable-dns-support '{"Value": true}'
- Enable DNS support for hostnames:
aws ec2 modify-vpc-attribute \
--vpc-id ${VPC_ID} \
--enable-dns-hostnames '{"Value": true}'
Set AWS Region
- Set the required region:
AWS_REGION=us-east-2Subnet
Create the Subnet and tag it:
SUBNET_ID=$(aws ec2 create-subnet \
--vpc-id ${VPC_ID} \
--cidr-block 172.31.0.0/24 \
--output text --query 'Subnet.SubnetId')
aws ec2 create-tags \
--resources ${SUBNET_ID} \
--tags Key=Name,Value=${NAME}
Internet Gateway – IGW
Create the Internet Gateway and attach it to the VPC:
INTERNET_GATEWAY_ID=$(aws ec2 create-internet-gateway \
--output text --query 'InternetGateway.InternetGatewayId')
aws ec2 create-tags \
--resources ${INTERNET_GATEWAY_ID} \
--tags Key=Name,Value=${NAME}
aws ec2 attach-internet-gateway \
--internet-gateway-id ${INTERNET_GATEWAY_ID} \
--vpc-id ${VPC_ID}
Route tables
- Create route tables, associate the route table to subnet, and create a route to allow external traffic to the Internet through the Internet Gateway:
ROUTE_TABLE_ID=$(aws ec2 create-route-table \
--vpc-id ${VPC_ID} \
--output text --query 'RouteTable.RouteTableId')
aws ec2 create-tags \
--resources ${ROUTE_TABLE_ID} \
--tags Key=Name,Value=${NAME}
aws ec2 associate-route-table \
--route-table-id ${ROUTE_TABLE_ID} \
--subnet-id ${SUBNET_ID}
aws ec2 create-route \
--route-table-id ${ROUTE_TABLE_ID} \
--destination-cidr-block 0.0.0.0/0 \
--gateway-id ${INTERNET_GATEWAY_ID}
Your output should look like this:
{
"AssociationId": "rtbassoc-07a8877e92504def7",
"AssociationState": {
"State": "associated"
}
}
{
"Return": true
}
Security Groups
- To configure security groups, create seecurity group and tag it:
# Create the security group and store its ID in a variable
SECURITY_GROUP_ID=$(aws ec2 create-security-group \
--group-name ${NAME} \
--description "Kubernetes cluster security group" \
--vpc-id ${VPC_ID} \
--output text --query 'GroupId')
# Create the NAME tag for the security group
aws ec2 create-tags \
--resources ${SECURITY_GROUP_ID} \
--tags Key=Name,Value=${NAME}
- Configure inbound traffic for all communication within the subnet:
# Create Inbound traffic for all communication within the subnet to connect on ports used by the master node(s)
aws ec2 authorize-security-group-ingress \
--group-id ${SECURITY_GROUP_ID} \
--ip-permissions IpProtocol=tcp,FromPort=2379,ToPort=2380,IpRanges='[{CidrIp=172.31.0.0/24}]'
# # Create Inbound traffic for all communication within the subnet to connect on ports used by the worker nodes
aws ec2 authorize-security-group-ingress \
--group-id ${SECURITY_GROUP_ID} \
--ip-permissions IpProtocol=tcp,FromPort=30000,ToPort=32767,IpRanges='[{CidrIp=172.31.0.0/24}]'
# Create inbound traffic to allow connections to the Kubernetes API Server listening on port 6443
aws ec2 authorize-security-group-ingress \
--group-id ${SECURITY_GROUP_ID} \
--protocol tcp \
--port 6443 \
--cidr 0.0.0.0/0
# Create Inbound traffic for SSH from anywhere (Do not do this in production. Limit access ONLY to IPs or CIDR that MUST connect)
aws ec2 authorize-security-group-ingress \
--group-id ${SECURITY_GROUP_ID} \
--protocol tcp \
--port 22 \
--cidr 0.0.0.0/0
# Create ICMP ingress for all types
aws ec2 authorize-security-group-ingress \
--group-id ${SECURITY_GROUP_ID} \
--protocol icmp \
--port -1 \
--cidr 0.0.0.0/0
Network Load Balancer
- Create a network Load balancer:
LOAD_BALANCER_ARN=$(aws elbv2 create-load-balancer \
--name ${NAME} \
--subnets ${SUBNET_ID} \
--scheme internet-facing \
--type network \
--output text --query 'LoadBalancers[].LoadBalancerArn')
Tagret Group
- Create a target group: (For now it will be unhealthy because there are no real targets yet.)
TARGET_GROUP_ARN=$(aws elbv2 create-target-group \
--name ${NAME} \
--protocol TCP \
--port 6443 \
--vpc-id ${VPC_ID} \
--target-type ip \
--output text --query 'TargetGroups[].TargetGroupArn')
Register targets Just like above, no real targets. You will just put the IP addresses so that, when the nodes become available, they will be used as targets
aws elbv2 register-targets \
--target-group-arn ${TARGET_GROUP_ARN} \
--targets Id=172.31.0.1{0,1,2}
Create Listener
- Create a listener to listen for requests and forward to the target nodes on TCP port 6443
aws elbv2 create-listener \
--load-balancer-arn ${LOAD_BALANCER_ARN} \
--protocol TCP \
--port 6443 \
--default-actions Type=forward,TargetGroupArn=${TARGET_GROUP_ARN} \
--output text --query 'Listeners[].ListenerArn'
K8s Public Address
- Get the Kubernetes Public address
KUBERNETES_PUBLIC_ADDRESS=$(aws elbv2 describe-load-balancers \
--load-balancer-arns ${LOAD_BALANCER_ARN} \
--output text --query 'LoadBalancers[].DNSName')
AMI
- Get an image to create EC2 instances: Before getting the Image you need to install JQ here. Then copy and paste these commands to your terminal:
IMAGE_ID=$(aws ec2 describe-images --owners 099720109477 \
--filters \
'Name=root-device-type,Values=ebs' \
'Name=architecture,Values=x86_64' \
'Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*' \
| jq -r '.Images|sort_by(.Name)[-1]|.ImageId')
SSH key-pair
- Create SSH Key-Pair:
mkdir -p ssh
aws ec2 create-key-pair \
--key-name ${NAME} \
--output text --query 'KeyMaterial' \
> ssh/${NAME}.id_rsa
chmod 600 ssh/${NAME}.id_rsa
EC2 Instances for Controle Plane (Master Nodes)
- Create 3 Master nodes using t2.micro:
for i in 0 1 2; do
instance_id=$(aws ec2 run-instances \
--associate-public-ip-address \
--image-id ${IMAGE_ID} \
--count 1 \
--key-name ${NAME} \
--security-group-ids ${SECURITY_GROUP_ID} \
--instance-type t2.micro \
--private-ip-address 172.31.0.1${i} \
--user-data "name=master-${i}" \
--subnet-id ${SUBNET_ID} \
--output text --query 'Instances[].InstanceId')
aws ec2 modify-instance-attribute \
--instance-id ${instance_id} \
--no-source-dest-check
aws ec2 create-tags \
--resources ${instance_id} \
--tags "Key=Name,Value=${NAME}-master-${i}"
done
EC2 Instances for Worker Nodes
- Create 3 worker nodes:
for i in 0 1 2; do
instance_id=$(aws ec2 run-instances \
--associate-public-ip-address \
--image-id ${IMAGE_ID} \
--count 1 \
--key-name ${NAME} \
--security-group-ids ${SECURITY_GROUP_ID} \
--instance-type t2.micro \
--private-ip-address 172.31.0.2${i} \
--user-data "name=worker-${i}|pod-cidr=172.20.${i}.0/24" \
--subnet-id ${SUBNET_ID} \
--output text --query 'Instances[].InstanceId')
aws ec2 modify-instance-attribute \
--instance-id ${instance_id} \
--no-source-dest-check
aws ec2 create-tags \
--resources ${instance_id} \
--tags "Key=Name,Value=${NAME}-worker-${i}"
done
The following components running on the Master node will require TLS certificates: Kube controller manager, Kube scheduler, Etcd, and Kube apiserver. On the Worker nodes the following componets will require TLS certificates: Kubelet, Kube-proxy. We will provision a PKI Infrastructure using cfssl which will have a Certificate Authority. The CA will then generate certificates for all the individual components.
Self-Signed Root Certificate Authority (CA)
Here, we will provision a CA that will be used to sign additional TLS certificates.
- Create a directory and cd into it:
mkdir ca-authority && cd ca-authority - Generate the CA configuration file, Root Certificate, and Private key:
{
cat > ca-config.json <<EOF
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"kubernetes": {
"usages": ["signing", "key encipherment", "server auth", "client auth"],
"expiry": "8760h"
}
}
}
}
EOF
cat > ca-csr.json <<EOF
{
"CN": "Kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "UK",
"L": "England",
"O": "Kubernetes",
"OU": "DAREY.IO DEVOPS",
"ST": "London"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
}
- List the directory to see the created files:
ls -ltr
- The 3 important files here are: ca.pem – The Root Certificate, ca-key.pem – The Private Key, and ca.csr – The Certificate Signing Request.
You will need to provision Client/Server certificates for all the components. It is a MUST to have encrypted communication within the cluster. Therefore, the server here are the master nodes running the api-server component. While the client is every other component that needs to communicate with the api-server.
Now we have a certificate for the Root CA, we can then begin to request more certificates which the different Kubernetes components, i.e. clients and server, will use to have encrypted communication.
Remember, the clients here refer to every other component that will communicate with the api-server. These are:
kube-controller-manager kube-scheduler etcd kubelet kube-proxy Kubernetes Admin User
The Kubernetes API-Server Certificate and Private Key
The certificate for the Api-server must have IP addresses, DNS names, and a Load Balancer address included. Otherwise, you will have a lot of difficulties connecting to the api-server.
- Generate the Certificate Signing Request (CSR), Private Key and the Certificate for the Kubernetes Master Nodes:
{
cat > master-kubernetes-csr.json <<EOF
{
"CN": "kubernetes",
"hosts": [
"127.0.0.1",
"172.31.0.10",
"172.31.0.11",
"172.31.0.12",
"ip-172-31-0-10",
"ip-172-31-0-11",
"ip-172-31-0-12",
"ip-172-31-0-10.${AWS_REGION}.compute.internal",
"ip-172-31-0-11.${AWS_REGION}.compute.internal",
"ip-172-31-0-12.${AWS_REGION}.compute.internal",
"${KUBERNETES_PUBLIC_ADDRESS}",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "UK",
"L": "England",
"O": "Kubernetes",
"OU": "DAREY.IO DEVOPS",
"ST": "London"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
master-kubernetes-csr.json | cfssljson -bare master-kubernetes
}
Create the other certificates
Create certificates for the following Kubernetes components: Scheduler Client Certificate, Kube Proxy Client Certificate, Controller Manager Client Certificate, Kubelet Client Certificates, and K8s admin user Client Certificate.
- kube-scheduler Client Certificate and Private Key
{
cat > kube-scheduler-csr.json <<EOF
{
"CN": "system:kube-scheduler",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "UK",
"L": "England",
"O": "system:kube-scheduler",
"OU": "DAREY.IO DEVOPS",
"ST": "London"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-scheduler-csr.json | cfssljson -bare kube-scheduler
}
- kube-proxy Client Certificate and Private Key
{
cat > kube-proxy-csr.json <<EOF
{
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "UK",
"L": "England",
"O": "system:node-proxier",
"OU": "DAREY.IO DEVOPS",
"ST": "London"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-proxy-csr.json | cfssljson -bare kube-proxy
}
- kube-controller-manager Client Certificate and Private Key
{
cat > kube-controller-manager-csr.json <<EOF
{
"CN": "system:kube-controller-manager",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "UK",
"L": "England",
"O": "system:kube-controller-manager",
"OU": "DAREY.IO DEVOPS",
"ST": "London"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager
}
- kubelet Client Certificate and Private Key Similar to how we configured the api-server's certificate, Kubernetes requires that the hostname of each worker node is included in the client certificate.
Also, Kubernetes uses a special-purpose authorization mode called Node Authorizer, that specifically authorizes API requests made by kubelet services. In order to be authorized by the Node Authorizer, kubelets must use a credential that identifies them as being in the system:nodes group, with a username of system:node:. Notice the "CN": "system:node:${instance_hostname}", in the below code.
Therefore, the certificate to be created must comply to these requirements. In the below example, there are 3 worker nodes, hence we will use bash to loop through a list of the worker nodes’ hostnames, and based on each index, the respective Certificate Signing Request (CSR), private key and client certificates will be generated.
for i in 0 1 2; do
instance="${NAME}-worker-${i}"
instance_hostname="ip-172-31-0-2${i}"
cat > ${instance}-csr.json <<EOF
{
"CN": "system:node:${instance_hostname}",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "UK",
"L": "England",
"O": "system:nodes",
"OU": "DAREY.IO DEVOPS",
"ST": "London"
}
]
}
EOF
external_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${instance}" \
--output text --query 'Reservations[].Instances[].PublicIpAddress')
internal_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${instance}" \
--output text --query 'Reservations[].Instances[].PrivateIpAddress')
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-hostname=${instance_hostname},${external_ip},${internal_ip} \
-profile=kubernetes \
${NAME}-worker-${i}-csr.json | cfssljson -bare ${NAME}-worker-${i}
done
- kubernetes admin user's Client Certificate and Private Key
{
cat > admin-csr.json <<EOF
{
"CN": "admin",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "UK",
"L": "England",
"O": "system:masters",
"OU": "DAREY.IO DEVOPS",
"ST": "London"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
admin-csr.json | cfssljson -bare admin
}
- Token Controller certificate and private key: Token controllers is a part of the Kubernetes Controller Manager kube-controller-manager responsible for generating and signing service account tokens which are used by pods or other resources to establish connectivity to the api-server. Read more about Service Accounts from the official documentation.
{
cat > service-account-csr.json <<EOF
{
"CN": "service-accounts",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "UK",
"L": "England",
"O": "Kubernetes",
"OU": "DAREY.IO DEVOPS",
"ST": "London"
}
]
}
EOF
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
service-account-csr.json | cfssljson -bare service-account
}
Well done! you are done with creating PKI.
Now it is time to send all the client and server certificates we created to their respective instances.
- Let us begin with the worker nodes:
We will copy these files securely to the worker nodes using scp utility: Root CA certificate – ca.pem, X509 Certificate for each worker node and Private Key of the certificate for each worker node
for i in 0 1 2; do
instance="${NAME}-worker-${i}"
external_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${instance}" \
--output text --query 'Reservations[].Instances[].PublicIpAddress')
scp -i ../ssh/${NAME}.id_rsa \
ca.pem ${instance}-key.pem ${instance}.pem ubuntu@${external_ip}:~/; \
done
You should get an output like this:
- Next we will send the api-server related files to the Master or Controller nodes:
for i in 0 1 2; do
instance="${NAME}-master-${i}" \
external_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${instance}" \
--output text --query 'Reservations[].Instances[].PublicIpAddress')
scp -i ../ssh/${NAME}.id_rsa \
ca.pem ca-key.pem service-account-key.pem service-account.pem \
master-kubernetes.pem master-kubernetes-key.pem ubuntu@${external_ip}:~/;
done
The kube-proxy, kube-controller-manager, kube-scheduler, and kubelet client certificates will be used to generate client authentication configuration files later.
In this step, we will create some files known as kubeconfig, that enables Kubernetes clients to locate and authenticate to the Kubernetes API Servers. We will need a client tool called kubectl to do this. Let's generate kubeconfig files for the kubelet, controller manager, kube-proxy, and scheduler clients and then the admin user****.
-
First, let us create a few environment variables for reuse by multiple commands:
KUBERNETES_API_SERVER_ADDRESS=$(aws elbv2 describe-load-balancers --load-balancer-arns ${LOAD_BALANCER_ARN} --output text --query 'LoadBalancers[].DNSName') -
Generate the kubelet kubeconfig file For each of the nodes running the kubelet component, it is very important that the client certificate configured for that node is used to generate the kubeconfig. This is because each certificate has the node’s DNS name or IP Address configured at the time the certificate was generated. It will also ensure that the appropriate authorization is applied to that node through the Node Authorizer
Below command must be run in the directory where all the certificates were generated.
for i in 0 1 2; do
instance="${NAME}-worker-${i}"
instance_hostname="ip-172-31-0-2${i}"
# Set the kubernetes cluster in the kubeconfig file
kubectl config set-cluster ${NAME} \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://$KUBERNETES_API_SERVER_ADDRESS:6443 \
--kubeconfig=${instance}.kubeconfig
# Set the cluster credentials in the kubeconfig file
kubectl config set-credentials system:node:${instance_hostname} \
--client-certificate=${instance}.pem \
--client-key=${instance}-key.pem \
--embed-certs=true \
--kubeconfig=${instance}.kubeconfig
# Set the context in the kubeconfig file
kubectl config set-context default \
--cluster=${NAME} \
--user=system:node:${instance_hostname} \
--kubeconfig=${instance}.kubeconfig
kubectl config use-context default --kubeconfig=${instance}.kubeconfig
done
3. List the output: ls -ltr *.kubeconfig
- Generate the kube-proxy kubeconfig:
{
kubectl config set-cluster ${NAME} \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://${KUBERNETES_API_SERVER_ADDRESS}:6443 \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials system:kube-proxy \
--client-certificate=kube-proxy.pem \
--client-key=kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=${NAME} \
--user=system:kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
}
- Generate the Kube-Controller-Manager kubeconfig Notice that the --server is set to use 127.0.0.1. This is because, this component runs on the API-Server so there is no point routing through the Load Balancer.
{
kubectl config set-cluster ${NAME} \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-credentials system:kube-controller-manager \
--client-certificate=kube-controller-manager.pem \
--client-key=kube-controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config set-context default \
--cluster=${NAME} \
--user=system:kube-controller-manager \
--kubeconfig=kube-controller-manager.kubeconfig
kubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig
}
- Generating the Kube-Scheduler Kubeconfig:
{
kubectl config set-cluster ${NAME} \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://127.0.0.1:6443 \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config set-credentials system:kube-scheduler \
--client-certificate=kube-scheduler.pem \
--client-key=kube-scheduler-key.pem \
--embed-certs=true \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config set-context default \
--cluster=${NAME} \
--user=system:kube-scheduler \
--kubeconfig=kube-scheduler.kubeconfig
kubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig
}
- Finally, generate the kubeconfig file for the admin user:
{
kubectl config set-cluster ${NAME} \
--certificate-authority=ca.pem \
--embed-certs=true \
--server=https://${KUBERNETES_API_SERVER_ADDRESS}:6443 \
--kubeconfig=admin.kubeconfig
kubectl config set-credentials admin \
--client-certificate=admin.pem \
--client-key=admin-key.pem \
--embed-certs=true \
--kubeconfig=admin.kubeconfig
kubectl config set-context default \
--cluster=${NAME} \
--user=admin \
--kubeconfig=admin.kubeconfig
kubectl config use-context default --kubeconfig=admin.kubeconfig
}
- Distribute the files to their respective servers, using scp and a for loop:
# This would distribute the kube-proxy, and individual workers to the server
for i in 0; do
instance="${NAME}-worker-${i}"
external_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${instance}" \
--output text --query 'Reservations[].Instances[].PublicIpAddress')
scp -i ../ssh/${NAME}.id_rsa \
kube-proxy.kubeconfig k8s-cluster-from-ground-up-worker-${i}.kubeconfig ubuntu@${external_ip}:~/; \
done
for i in 1; do
instance="${NAME}-worker-${i}"
external_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${instance}" \
--output text --query 'Reservations[].Instances[].PublicIpAddress')
scp -i ../ssh/${NAME}.id_rsa \
kube-proxy.kubeconfig k8s-cluster-from-ground-up-worker-${i}.kubeconfig ubuntu@${external_ip}:~/; \
done
for i in 2; do
instance="${NAME}-worker-${i}"
external_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${instance}" \
--output text --query 'Reservations[].Instances[].PublicIpAddress')
scp -i ../ssh/${NAME}.id_rsa \
kube-proxy.kubeconfig k8s-cluster-from-ground-up-worker-${i}.kubeconfig ubuntu@${external_ip}:~/; \
done
# This would distribute the admin, controller and scheduler to the master nodes
for i in 0 1 2; do
instance="${NAME}-master-${i}"
external_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${instance}" \
--output text --query 'Reservations[].Instances[].PublicIpAddress')
scp -i ../ssh/${NAME}.id_rsa \
admin.kubeconfig kube-scheduler.kubeconfig kube-controller-manager.kubeconfig ubuntu@${external_ip}:~/; \
done
##STEP 6- PREPARE THE ETCD DATABASE FOR ENCRYPTION AT REST
Kubernetes uses etcd (a distributed key value store) to store variety of data including the cluster state, application configurations, and secrets. By default, the data that is persisted to the disk is not encrypted making it a security risk for Kubernetes that needs to be addressed. To mitigate this risk, we must prepare to encrypt etcd at rest.
- Generate the encryption key and encode it using base64:
ETCD_ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)To see the output that will be generated when called, run:echo $ETCD_ENCRYPTION_KEY
OUTPUT:
- Create an encryption-config.yaml file as documented by kubernetes
cat > encryption-config.yaml <<EOF
kind: EncryptionConfig
apiVersion: v1
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: ${ETCD_ENCRYPTION_KEY}
- identity: {}
EOF
- Send the encryption file to the Controller nodes using scp and a for loop:
for i in 0 1 2; do
instance="${NAME}-master-${i}"
external_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${instance}" \
--output text --query 'Reservations[].Instances[].PublicIpAddress')
scp -i ../ssh/${NAME}.id_rsa \
encryption-config.yaml ubuntu@${external_ip}:~/; \
done
- Bootstrap etcd cluster The primary purpose of the etcd component is to store the state of the cluster, because Kubernetes itself is stateless. Therefore, all its stateful data will persist in etcd. Since Kubernetes is a distributed system – it needs a distributed storage to keep persistent data in it. etcd is a highly-available key value store that fits the purpose. All K8s cluster configurations are stored in a form of key value pairs in etcd, it also stores the actual and desired states of the cluster. etcd cluster is intelligent enough to watch for changes made on one instance and almost instantly replicate those changes to the rest of the instances, so all of them will be always reconciled.
NOTE: I used MobaXterm to make it easy to run commands on multiple terminal screens(Multiplex) at once. SSH into the controller server
Master-1
master_1_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${NAME}-master-0" \
--output text --query 'Reservations[].Instances[].PublicIpAddress')
ssh -i k8s-cluster-from-ground-up.id_rsa ubuntu@${master_1_ip}
Master-2
master_2_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${NAME}-master-1" \
--output text --query 'Reservations[].Instances[].PublicIpAddress')
ssh -i k8s-cluster-from-ground-up.id_rsa ubuntu@${master_2_ip}
Master-3
master_3_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${NAME}-master-2" \
--output text --query 'Reservations[].Instances[].PublicIpAddress')
ssh -i k8s-cluster-from-ground-up.id_rsa ubuntu@${master_3_ip}
You should have a a similar pane like below. You should be able to see all the files that have been sent to the nodes.
- Download and install etcd
wget -q --show-progress --https-only --timestamping \
"https://github.com/etcd-io/etcd/releases/download/v3.4.15/etcd-v3.4.15-linux-amd64.tar.gz"
- Extract and install the etcd server and the etcdctl command line utility:
{
tar -xvf etcd-v3.4.15-linux-amd64.tar.gz
sudo mv etcd-v3.4.15-linux-amd64/etcd* /usr/local/bin/
}
- Configure the etcd server
{
sudo mkdir -p /etc/etcd /var/lib/etcd
sudo chmod 700 /var/lib/etcd
sudo cp ca.pem master-kubernetes-key.pem master-kubernetes.pem /etc/etcd/
}
-
The instance internal IP address will be used to serve client requests and communicate with etcd cluster peers. Retrieve the internal IP address for the current compute instance:
export INTERNAL_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
-
Each etcd member must have a unique name within an etcd cluster. Set the etcd name to node Private IP address so it will uniquely identify the machine:
ETCD_NAME=$(curl -s http://169.254.169.254/latest/user-data/ \
| tr "|" "\n" | grep "^name" | cut -d"=" -f2)
echo ${ETCD_NAME}
- Create the etcd.service systemd unit file: View documentation of flags here
cat <<EOF | sudo tee /etc/systemd/system/etcd.service
[Unit]
Description=etcd
Documentation=https://github.com/coreos
[Service]
Type=notify
ExecStart=/usr/local/bin/etcd \\
--name ${ETCD_NAME} \\
--trusted-ca-file=/etc/etcd/ca.pem \\
--peer-trusted-ca-file=/etc/etcd/ca.pem \\
--peer-client-cert-auth \\
--client-cert-auth \\
--listen-peer-urls https://${INTERNAL_IP}:2380 \\
--listen-client-urls https://${INTERNAL_IP}:2379,https://127.0.0.1:2379 \\
--advertise-client-urls https://${INTERNAL_IP}:2379 \\
--initial-cluster-token etcd-cluster-0 \\
--initial-cluster master-0=https://172.31.0.10:2380,master-1=https://172.31.0.11:2380,master-2=https://172.31.0.12:2380 \\
--cert-file=/etc/etcd/master-kubernetes.pem \\
--key-file=/etc/etcd/master-kubernetes-key.pem \\
--peer-cert-file=/etc/etcd/master-kubernetes.pem \\
--peer-key-file=/etc/etcd/master-kubernetes-key.pem \\
--initial-advertise-peer-urls https://${INTERNAL_IP}:2380 \\
--initial-cluster-state new \\
--data-dir=/var/lib/etcd
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
- Start and enable the etcd Server
{
sudo systemctl daemon-reload
sudo systemctl enable etcd
sudo systemctl start etcd
}
- Verify the etcd installation
sudo ETCDCTL_API=3 etcdctl member list \
--endpoints=https://127.0.0.1:2379 \
--cacert=/etc/etcd/ca.pem \
--cert=/etc/etcd/master-kubernetes.pem \
--key=/etc/etcd/master-kubernetes-key.pem
- Confirm status of etcd:
systemctl status etcd
In this section, we will configure the components for the control plane on the master/controller nodes.
- Start with creating the Kubernetes configuration directory:
sudo mkdir -p /etc/kubernetes/config - Download the official Kubernetes release binaries:
wget -q --show-progress --https-only --timestamping \
"https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kube-apiserver" \
"https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kube-controller-manager" \
"https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kube-scheduler" \
"https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubectl"
- Install the Kubernetes binaries:
{
chmod +x kube-apiserver kube-controller-manager kube-scheduler kubectl
sudo mv kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/local/bin/
}
- Configure the Kubernetes API Server:
{
sudo mkdir -p /var/lib/kubernetes/
sudo mv ca.pem ca-key.pem master-kubernetes-key.pem master-kubernetes.pem \
service-account-key.pem service-account.pem \
encryption-config.yaml /var/lib/kubernetes/
}
5.The instance internal IP address will be used to advertise the API Server to members of the cluster. Retrieve the internal IP address for the current compute instance: export INTERNAL_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
6. Create the kube-apiserver.service systemd unit file. Read about each startup flag used in below systemd file from the documentation here
cat <<EOF | sudo tee /etc/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
ExecStart=/usr/local/bin/kube-apiserver \\
--advertise-address=${INTERNAL_IP} \\
--allow-privileged=true \\
--apiserver-count=3 \\
--audit-log-maxage=30 \\
--audit-log-maxbackup=3 \\
--audit-log-maxsize=100 \\
--audit-log-path=/var/log/audit.log \\
--authorization-mode=Node,RBAC \\
--bind-address=0.0.0.0 \\
--client-ca-file=/var/lib/kubernetes/ca.pem \\
--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\
--etcd-cafile=/var/lib/kubernetes/ca.pem \\
--etcd-certfile=/var/lib/kubernetes/master-kubernetes.pem \\
--etcd-keyfile=/var/lib/kubernetes/master-kubernetes-key.pem\\
--etcd-servers=https://172.31.0.10:2379,https://172.31.0.11:2379,https://172.31.0.12:2379 \\
--event-ttl=1h \\
--encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\
--kubelet-certificate-authority=/var/lib/kubernetes/ca.pem \\
--kubelet-client-certificate=/var/lib/kubernetes/master-kubernetes.pem \\
--kubelet-client-key=/var/lib/kubernetes/master-kubernetes-key.pem \\
--runtime-config='api/all=true' \\
--service-account-key-file=/var/lib/kubernetes/service-account.pem \\
--service-account-signing-key-file=/var/lib/kubernetes/service-account-key.pem \\
--service-account-issuer=https://${INTERNAL_IP}:6443 \\
--service-cluster-ip-range=172.32.0.0/24 \\
--service-node-port-range=30000-32767 \\
--tls-cert-file=/var/lib/kubernetes/master-kubernetes.pem \\
--tls-private-key-file=/var/lib/kubernetes/master-kubernetes-key.pem \\
--v=2
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
- Configure the Kubernetes Controller Manager. Move the kube-controller-manager kubeconfig into place:
sudo mv kube-controller-manager.kubeconfig /var/lib/kubernetes/ - Export some variables to retrieve the vpc_cidr – This will be required for the bind-address flag:
export AWS_METADATA="http://169.254.169.254/latest/meta-data"
export EC2_MAC_ADDRESS=$(curl -s $AWS_METADATA/network/interfaces/macs/ | head -n1 | tr -d '/')
export VPC_CIDR=$(curl -s $AWS_METADATA/network/interfaces/macs/$EC2_MAC_ADDRESS/vpc-ipv4-cidr-block/)
export NAME=k8s-cluster-from-ground-up
- Create the kube-controller-manager.service systemd unit file:
cat <<EOF | sudo tee /etc/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
ExecStart=/usr/local/bin/kube-controller-manager \\
--bind-address=0.0.0.0 \\
--cluster-cidr=${VPC_CIDR} \\
--cluster-name=${NAME} \\
--cluster-signing-cert-file=/var/lib/kubernetes/ca.pem \\
--cluster-signing-key-file=/var/lib/kubernetes/ca-key.pem \\
--kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\
--authentication-kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\
--authorization-kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\
--leader-elect=true \\
--root-ca-file=/var/lib/kubernetes/ca.pem \\
--service-account-private-key-file=/var/lib/kubernetes/service-account-key.pem \\
--service-cluster-ip-range=172.32.0.0/24 \\
--use-service-account-credentials=true \\
--v=2
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
- Configure the Kubernetes Scheduler. Move the kube-scheduler kubeconfig into place:
sudo mv kube-scheduler.kubeconfig /var/lib/kubernetes/
sudo mkdir -p /etc/kubernetes/config
- Create the kube-scheduler.yaml configuration file:
cat <<EOF | sudo tee /etc/kubernetes/config/kube-scheduler.yaml
apiVersion: kubescheduler.config.k8s.io/v1beta1
kind: KubeSchedulerConfiguration
clientConnection:
kubeconfig: "/var/lib/kubernetes/kube-scheduler.kubeconfig"
leaderElection:
leaderElect: true
EOF
- Create the kube-scheduler.service systemd unit file:
cat <<EOF | sudo tee /etc/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
ExecStart=/usr/local/bin/kube-scheduler \\
--config=/etc/kubernetes/config/kube-scheduler.yaml \\
--v=2
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
- Start the Controller Services
{
sudo systemctl daemon-reload
sudo systemctl enable kube-apiserver kube-controller-manager kube-scheduler
sudo systemctl start kube-apiserver kube-controller-manager kube-scheduler
}
- Check the status of the services. Start with the kube-scheduler and kube-controller-manager. It may take up to 20 seconds for kube-apiserver to be fully loaded.
{
sudo systemctl status kube-apiserver
sudo systemctl status kube-controller-manager
sudo systemctl status kube-scheduler
}
- To get the cluster details run:
kubectl cluster-info --kubeconfig admin.kubeconfigYour output should look like this:
Kubernetes control plane is running at https://k8s-api-server.svc.darey.io:6443
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
- To get the current namespaces:
kubectl get namespaces --kubeconfig admin.kubeconfig - To reach the Kubernetes API Server publicly:
curl --cacert /var/lib/kubernetes/ca.pem https://$INTERNAL_IP:6443/versionOUTPUT:
{
"major": "1",
"minor": "21",
"gitVersion": "v1.21.0",
"gitCommit": "cb303e613a121a29364f75cc67d3d580833a7479",
"gitTreeState": "clean",
"buildDate": "2021-04-08T16:25:06Z",
"goVersion": "go1.16.1",
"compiler": "gc",
"platform": "linux/amd64"
}
- To get the status of each component:
kubectl get componentstatuses --kubeconfig admin.kubeconfig - Next, configure Role based Access Control (RBAC) on one of the controller nodes to ensure the api-server has necessary authorization for the kubelet. Create the ClusterRole:
cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:kube-apiserver-to-kubelet
rules:
- apiGroups:
- ""
resources:
- nodes/proxy
- nodes/stats
- nodes/log
- nodes/spec
- nodes/metrics
verbs:
- "*"
EOF
- Create the ClusterRoleBinding to bind the kubernetes user with the role created above:
cat <<EOF | kubectl --kubeconfig admin.kubeconfig apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:kube-apiserver
namespace: ""
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kube-apiserver-to-kubelet
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kubernetes
EOF
Before we begin to bootstrap the worker nodes, it is important to note that the K8s API Server authenticates to the kubelet as the kubernetes user using the same kubernetes.pem certificate. Therefore we will need to configure Role Based Access (RBAC) for Kubelet Authorization to allow API server to retrieve metrics, logs, and executing commands in pods.
- Create the system:kube-apiserver-to-kubelet ClusterRole with permissions to access the Kubelet API and perform most common tasks associated with managing pods on the worker nodes. Run the below script on the Controller node:
cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:kube-apiserver-to-kubelet
rules:
- apiGroups:
- ""
resources:
- nodes/proxy
- nodes/stats
- nodes/log
- nodes/spec
- nodes/metrics
verbs:
- "*"
EOF
- Bind the system:kube-apiserver-to-kubelet ClusterRole to the kubernetes user so that API server can authenticate successfully to the kubelets on the worker nodes:
cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:kube-apiserver
namespace: ""
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kube-apiserver-to-kubelet
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kubernetes
EOF
- Bootstraping components on the worker nodes. We need to install the following components on each node: Kubelet, Kube-proxy, Containerd or Docker and Networking plugins. To begin, SSH into the worker nodes:
Worker-1
worker_1_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${NAME}-worker-0" \
--output text --query 'Reservations[].Instances[].PublicIpAddress')
ssh -i k8s-cluster-from-ground-up.id_rsa ubuntu@${worker_1_ip}
Worker-2
worker_2_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${NAME}-worker-1" \
--output text --query 'Reservations[].Instances[].PublicIpAddress')
ssh -i k8s-cluster-from-ground-up.id_rsa ubuntu@${worker_2_ip}
Worker-3
worker_3_ip=$(aws ec2 describe-instances \
--filters "Name=tag:Name,Values=${NAME}-worker-2" \
--output text --query 'Reservations[].Instances[].PublicIpAddress')
ssh -i k8s-cluster-from-ground-up.id_rsa ubuntu@${worker_3_ip}
- Install OS dependencies(socat, conntrack and ipset):
{
sudo apt-get update
sudo apt-get -y install socat conntrack ipset
}
-
Disable Swap. If swap is not disabled, kubelet will not start. Test if swap is already enabled on the host:
sudo swapon --showIf there is no output, then you are good to go. Otherwise, run below command to turn it off:sudo swapoff -a -
Download and install a container runtime(Docker Or Containerd). Docker is now deprecated, and Kubernetes no longer supports the Dockershim codebase from v1.20 release. We will be using Containerd for our container runtime. Download binaries for runc, cri-ctl, and containerd:
wget https://github.com/opencontainers/runc/releases/download/v1.0.0-rc93/runc.amd64 \
https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.21.0/crictl-v1.21.0-linux-amd64.tar.gz \
https://github.com/containerd/containerd/releases/download/v1.4.4/containerd-1.4.4-linux-amd64.tar.gz
- Configure containerd:
{
mkdir containerd
tar -xvf crictl-v1.21.0-linux-amd64.tar.gz
tar -xvf containerd-1.4.4-linux-amd64.tar.gz -C containerd
sudo mv runc.amd64 runc
chmod +x crictl runc
sudo mv crictl runc /usr/local/bin/
sudo mv containerd/bin/* /bin/
}
sudo mkdir -p /etc/containerd/
cat << EOF | sudo tee /etc/containerd/config.toml
[plugins]
[plugins.cri.containerd]
snapshotter = "overlayfs"
[plugins.cri.containerd.default_runtime]
runtime_type = "io.containerd.runtime.v1.linux"
runtime_engine = "/usr/local/bin/runc"
runtime_root = ""
EOF
- Create the containerd.service systemd unit file:
cat <<EOF | sudo tee /etc/systemd/system/containerd.service
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target
[Service]
ExecStartPre=/sbin/modprobe overlay
ExecStart=/bin/containerd
Restart=always
RestartSec=5
Delegate=yes
KillMode=process
OOMScoreAdjust=-999
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity
[Install]
WantedBy=multi-user.target
EOF
- Create directories to configure kubelet, kube-proxy, cni, and a directory to keep the kubernetes root ca file:
sudo mkdir -p \
/var/lib/kubelet \
/var/lib/kube-proxy \
/etc/cni/net.d \
/opt/cni/bin \
/var/lib/kubernetes \
/var/run/kubernetes
- Download and Install CNI(Container Network Interface), a Cloud Native Computing Foundation project, that consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers. It also comes with a number of plugins. Kubernetes uses CNI as an interface between network providers and Kubernetes Pod networking. Network providers create network plugin that can be used to implement the Kubernetes networking, and includes additional set of rich features that Kubernetes does not provide out of the box.
Download the plugins available from containernetworking’s GitHub repo and read more about CNIs and why it is being developed.
wget -q --show-progress --https-only --timestamping \
https://github.com/containernetworking/plugins/releases/download/v0.9.1/cni-plugins-linux-amd64-v0.9.1.tgz
- Install CNI into /opt/cni/bin/
sudo tar -xvf cni-plugins-linux-amd64-v0.9.1.tgz -C /opt/cni/bin/
Your output shouls show the plugins that comes with the CNI:
- Download binaries for kubectl, kube-proxy, and kubelet
wget -q --show-progress --https-only --timestamping \
https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubectl \
https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kube-proxy \
https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubelet
- Install the downloaded binaries
{
chmod +x kubectl kube-proxy kubelet
sudo mv kubectl kube-proxy kubelet /usr/local/bin/
}