let the pain begin

README.md

@@ -0,0 +1,2 @@
+# Kubernetes The Hard Way
+

authorization-policy.jsonl

@@ -0,0 +1,8 @@
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"*",         "nonResourcePath": "*", "readonly": true}}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"admin",     "namespace": "*",              "resource": "*",         "apiGroup": "*"                   }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "namespace": "*",              "resource": "pods",                       "readonly": true }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"scheduler", "namespace": "*",              "resource": "bindings"                                     }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet",   "namespace": "*",              "resource": "pods",                       "readonly": true }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet",   "namespace": "*",              "resource": "services",                   "readonly": true }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet",   "namespace": "*",              "resource": "endpoints",                  "readonly": true }}
+{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"kubelet",   "namespace": "*",              "resource": "events"                                       }}

docs/certificate-authority.md

@@ -0,0 +1,114 @@
+# Certificate Authority
+
+In this lab you will setup the necessary PKI infrastructure to secure the Kuberentes API for remote communication. This lab will leverage CloudFlare's PKI toolkit, [cfssl](https://github.com/cloudflare/cfssl), to bootstrap a Certificate Authority.
+
+## Initialize a CA
+
+### Create the CA configuration file
+
+```
+echo '{
+  "signing": {
+    "default": {
+      "expiry": "8760h"
+    },
+    "profiles": {
+      "kubernetes": {
+        "usages": ["signing", "key encipherment", "server auth", "client auth"],
+        "expiry": "8760h"
+      }
+    }
+  }
+}' > ca-config.json
+```
+
+### Generate the CA certificate and private key
+
+Create the CA CSR:
+
+```
+echo '{
+  "CN": "Kubernetes",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "Kubernetes",
+      "OU": "CA",
+      "ST": "Oregon"
+    }
+  ]
+}' > ca-csr.json
+```
+
+Generate the CA certificate and private key:
+
+```
+cfssl gencert -initca ca-csr.json | cfssljson -bare ca
+```
+
+Results:
+
+```
+ca-key.pem
+ca.csr
+ca.pem
+```
+
+```
+openssl x509 -in ca.pem -text -noout
+```
+
+## Generate Server and Client Certs
+
+### Generate the kube-apiserver server cert
+
+
+```
+echo '{
+  "CN": "kubernetes",
+  "hosts": [
+    "10.240.0.10",
+    "10.240.0.11",
+    "10.240.0.12",
+    "10.240.0.20",
+    "10.240.0.21",
+    "10.240.0.22",
+    "10.240.0.30",
+    "10.240.0.31",
+    "10.240.0.32",
+    "146.148.34.151",
+    "127.0.0.1"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "Kubernetes",
+      "OU": "Cluster",
+      "ST": "Oregon"
+    }
+  ]
+}' > kubernetes-csr.json
+```
+
+```
+cfssl gencert \
+-ca=ca.pem \
+-ca-key=ca-key.pem \
+-config=ca-config.json \
+-profile=kubernetes \
+kubernetes-csr.json | cfssljson -bare kubernetes
+```
+
+```
+openssl x509 -in kubernetes.pem -text -noout
+```

docs/downloads.md

@@ -0,0 +1,31 @@
+# Downloads
+
+## Kubernetes 1.3.0
+
+```
+wget https://github.com/kubernetes/kubernetes/releases/download/v1.3.0/kubernetes.tar.gz
+```
+
+## etcd 3.0.1
+
+```
+wget https://github.com/coreos/etcd/releases/download/v3.0.1/etcd-v3.0.1-linux-amd64.tar.gz
+```
+
+## Docker 1.11.2
+
+```
+wget https://get.docker.com/builds/Linux/x86_64/docker-1.11.2.tgz
+```
+
+
+```
+tar -xvf kubernetes.tar.gz
+```
+
+```
+tar -xvf kubernetes/server/kubernetes-server-linux-amd64.tar.gz
+```
+
+```
+```