Update kubeadm docs for 1.6 #2829
Conversation
jbeda
added
the
do-not-merge
k8s-ci-robot
added
the
cncf-cla: yes
docs/admin/accessing-the-api.md
Outdated
| @@ -42,7 +42,7 @@ The input to the authentication step is the entire HTTP request, however, it typ | |||
| just examines the headers and/or client certificate. | |||
|
|
|||
| Authentication modules include Client Certificates, Password, and Plain Tokens, | |||
| and JWT Tokens (used for service accounts). | |||
| Bootstrap Tokens and JWT Tokens (used for service accounts). | |||
docs/admin/authentication.md
Outdated
| as a "Bootstrap Token". | ||
|
|
||
| These tokens are stored as Secrets in the `kube-system` namespace. As such they | ||
| can be dynamically created and managed. There is a controller (BootstrapSigner) |
There was a problem hiding this comment.
I thought it was the tokencleaner.
There was a problem hiding this comment.
Good catch! Fixed in #2779
There was a problem hiding this comment.
I'd still like a section at the bottom describing what kind of stability we have on different components in kubeadm:
CLI UX: beta
Config file: alpha
Selfhosting: alpha
The phases command: alpha
Implementation under the hood: alpha
- Due to that we're targeting upgrades/HA in future versions and the fact we're using alpha features in core (the bootstrapsigner/tokencleaner and tokenauthmodule)
| Be sure to read the [limitations](#limitations); in particular note that kubeadm doesn't have great support for | ||
| automatically configuring cloud providers. Please refer to the specific cloud provider documentation or | ||
| use another provisioning system.** | ||
| **The kubeadm tool is currently in beta but please try it out and give us |
There was a problem hiding this comment.
The kubeadm command-line UX is in beta, but please...
We should mention the implementation somehow might change yet (especially when we're targeting HA it will change). And somehow we should point out that the kubeadm alpha subcommands are unstable and that we're using alpha features in core (BS, TC and BootstrapTokenAuth)
There was a problem hiding this comment.
That could be a separate section later in the doc indeed with a link to it here
There was a problem hiding this comment.
Created a sub-section of "Overview" with more details.
|
|
||
| If you are not constrained, there are some other tools built to give you complete clusters: | ||
| If you are not constrained, there are some other tools built to give you |
There was a problem hiding this comment.
some other more higher-level tools that aim to give you a complete cluster:
| 1. 1GB or more of RAM per machine (any less will leave little room for your | ||
| apps) | ||
| 1. Full network connectivity between all machines in the cluster (public or | ||
| private network is fine) | ||
|
|
||
| ## Objectives | ||
|
|
||
| * Install a secure Kubernetes cluster on your machines |
There was a problem hiding this comment.
Are we confident in the secure here? :) I know it wasn't changed here but...
There was a problem hiding this comment.
Making it clear that we "aim to create a secure cluster"
There was a problem hiding this comment.
Where did you make this change? Can't see it in the diff
| It runs on all of the machines in your cluster and does things like starting pods and containers. | ||
| * `kubectl`: the command to control the cluster once it's running. | ||
| You will only need this on the master, but it can be useful to have on the other nodes as well. | ||
| * `docker`: the container runtime, which Kubernetes depends on. v1.12 is |
There was a problem hiding this comment.
I guess v1.11.2 is still recommended or?
There was a problem hiding this comment.
I think that v1.12 is supported so i'm going to list that.
| See the reference doc if you want to read about the different [kubeadm releases](https://github.com/kubernetes/kubeadm/blob/master/CHANGELOG.md) | ||
| **Note:** If you already have kubeadm installed, you should do a `apt-get update && | ||
| apt-get upgrade` or `yum update` to get the latest version of kubeadm. See the | ||
| reference doc if you want to read about the different [kubeadm |
There was a problem hiding this comment.
See the kubeadm-specific Release Notes if you want to know more about what has changed between releases
|
|
||
| ``` bash | ||
| kubectl describe svc front-end -n sock-shop |
There was a problem hiding this comment.
a simple kubectl -n sock-shop get svc front-end is sufficent here
There was a problem hiding this comment.
BTW -- sock shop demo outputs errors like:
the namespace from the provided object "zipkin" does not match the namespace "sock-shop". You must pass '--namespace=zipkin' to perform this operation.
Might want to pass that on to weave folks.
|
|
||
| ### (Optional) Installing a sample application | ||
| Currently, only the pod network flannel is working on multiple architectures. |
There was a problem hiding this comment.
You can remove the flannel install statement here now and just say that flannel works on amd64, arm, arm64 and ppc64le and weave works on amd64, arm, arm64
| `kubeadm.conf` with the following contents: | ||
|
|
||
| ``` yaml | ||
| cloudProvider: <cloud provider> |
There was a problem hiding this comment.
please make this a full example:
kind: MasterConfiguration
apiVersion: kubeadm.k8s.io/v1alpha1
cloudProvider: <cloud provider>and point out that this part (the config file) of kubeadm is alpha
|
|
||
| Currently, only the pod network flannel is working on multiple architectures. You can install it this way: | ||
| You may have trouble in the configuration if you see the following statuses. | ||
| This example is for canal but there may be similar errors for other pod network |
There was a problem hiding this comment.
Can we have something more generic to not favor anyone?
There was a problem hiding this comment.
I just moved this down to make the main flow better. I'm open to reviewing a PR that changes the example. For now I want to get this in without having to test out a bunch of stuff by forcing some errors.
| 1. The cluster created here has a single master, with a single `etcd` database running on it. | ||
| This means that if the master fails, your cluster loses its configuration data and will need to be recreated from scratch. | ||
| Adding HA support (multiple `etcd` servers, multiple API servers, etc) to `kubeadm` is still a work-in-progress. | ||
| The ```kubectl describe``` comand gives you more details about what went wrong. |
There was a problem hiding this comment.
Yeah -- someone added that in there and I thought I got them all.
|
Yeah, just noting that some of my comments here weren't direct comments to @jbeda's changes, but improvements that we could make at the same time we're really reading through and trying to make the docs better. |
|
@devin-donnelly I based this on that so that I could review them the same. As I manage the rebase I'm keeping things clean and making sure I can resolve. Just look at the last two commits in the set. (actually, just the last one should matter). |
|
@luxas Comments addressed. PTAL @devin-donnelly This merges in the latest changes in the other PR. I'm removing the WIP mark as I think this is ready for review. |
jbeda
removed
the
do-not-merge
docs/admin/bootstrap-tokens.md
Outdated
| information filled out. The key thing being communicated here is the | ||
| `certificate-authority-data`. This may be expanded in the future. | ||
|
|
||
| The signature is a JWS signature where using a "detached" mode. To validate the |
There was a problem hiding this comment.
I think the "where" in this sentence is superfluous.
docs/admin/bootstrap-tokens.md
Outdated
| `certificate-authority-data`. This may be expanded in the future. | ||
|
|
||
| The signature is a JWS signature where using a "detached" mode. To validate the | ||
| signature, the user should encode the `kubeconfig` payload according to JWS |
docs/admin/bootstrap-tokens.md
Outdated
| The signature is a JWS signature where using a "detached" mode. To validate the | ||
| signature, the user should encode the `kubeconfig` payload according to JWS | ||
| rules (base64 encoded while discarding any trailing `=`). That encoded payload | ||
| is then used to form a whole JWS by inserting it between the 2 dots. The JWS |
There was a problem hiding this comment.
"You can verify the JWS..."
docs/admin/bootstrap-tokens.md
Outdated
| rules (base64 encoded while discarding any trailing `=`). That encoded payload | ||
| is then used to form a whole JWS by inserting it between the 2 dots. The JWS | ||
| can be verified using the `HS256` scheme (HMAC-SHA256) with the full token (e.g. | ||
| `07401b.f395accd246ae52d`) as the shared secret. Users MUST verify that HS256 |
There was a problem hiding this comment.
Users MUST -> You must
There was a problem hiding this comment.
Changed but... All caps MUST is a language from RFCs to say that this should not be ignored. People used to implementing protocols know that this is something that you shouldn't ignore.
| The kubelet is now restarting every few seconds, as it waits in a crashloop for | ||
| kubeadm to tell it what to do. | ||
|
|
||
| Note: Disabling SELinux by running `setenforce 0` is required in order to allow |
There was a problem hiding this comment.
"Note: You must disable SELinux to allow containers to access the host filesystem..."
| | gcr.io/google_containers/kube-discovery-amd64 | 1.0 | ||
| | gcr.io/google_containers/pause-amd64 | 3.0 | ||
|
|
||
| Right now you can't run `kubeadm init` twice without tearing down the cluster in |
There was a problem hiding this comment.
Remove "right now" unless we can tell the user something about when this might change.
|
|
||
| A few seconds later, you should notice that running `kubectl get nodes` on the master shows a cluster with as many machines as you created. | ||
| The nodes are where your workloads (containers and pods, etc) run. If you want | ||
| to add any new machines as nodes to your cluster, for each machine: SSH to that |
There was a problem hiding this comment.
"To add any new machines to your cluster as nodes, you must do the following for each machine"
Reformat the instructions as a numbered list.
|
|
||
| If there is a firewall, make sure it exposes this port to the internet before you try to access it. | ||
| It takes several minutes to download and start all the containers, watch the |
There was a problem hiding this comment.
Replace comma with period. Start the resulting second sentence with:
"You can watch the output of..."
|
|
||
| ## Tear down | ||
| Then go to the IP address of your cluster's master node in your browser, and |
There was a problem hiding this comment.
Comma after "Then".
|
|
||
| This workflow is not yet fully supported, however we hope to make it extremely easy to spin up clusters with cloud providers in the future. | ||
| (See [this proposal](https://github.com/kubernetes/community/pull/128) for more information) The [Kubelet Dynamic Settings](https://github.com/kubernetes/kubernetes/pull/29459) feature may also help to fully automate this process in the future. | ||
| Enabling specific cloud providers is a common request, this currently requires |
There was a problem hiding this comment.
Replace comma with period. Second sentence becomes: "However, specific cloud providers require manual configuration and are therefore not supported by kubeadm in version 1.6."
There was a problem hiding this comment.
Great work @jbeda! Please address my comments as you see fit and merge at will. No need for me to take another look.
docs/admin/authentication.md
Outdated
| controller that deletes bootstrap tokens as they expire. | ||
|
|
||
| The tokens are of the form `[a-z0-9]{6}.[a-z0-9]{16}`. The first component is a | ||
| Token ID and the second component is the Token Secret. ThYou specify the token |
docs/admin/authentication.md
Outdated
| Authorization: Bearer 781292.db7bc3a58fc5f07e | ||
| ``` | ||
|
|
||
| You must enable the Bootstrap Token Authenticator with the |
There was a problem hiding this comment.
When must you do this? Does kubeadm do this for you?
There was a problem hiding this comment.
To be clear, these docs are written not assuming kubeadm as this can be used by other systems that aren't kubeadm. I'd rather have real docs vs. referring folks to a design doc that may be a little raw.
docs/admin/bootstrap-tokens.md
Outdated
|
|
||
| Bootstrap tokens are a simple bearer token that is meant to be used when | ||
| creating new clusters or joining new nodes to an existing cluster. It was built | ||
| to support [`kubeadm`](/docs/admin/kubeadm/), but can be used in other contexts. |
There was a problem hiding this comment.
Can you give an example of when they're used in kubeadm?
And an example of how you might expect users to use them in other contexts?
docs/admin/accessing-the-api.md
Outdated
| @@ -42,7 +42,7 @@ The input to the authentication step is the entire HTTP request, however, it typ | |||
| just examines the headers and/or client certificate. | |||
|
|
|||
| Authentication modules include Client Certificates, Password, and Plain Tokens, | |||
| and JWT Tokens (used for service accounts). | |||
| Bootstrap Tokens, and JWT Tokens (used for service accounts). | |||
There was a problem hiding this comment.
What's the difference between Bootstrap Tokens and JWT Tokens? Are JWT tokens the old separate-to-API-server version, whereas Bootstrap Tokens are the new built-in thing? If we're no longer supporting "JWT Tokens" can we just remove the reference to them here?
There was a problem hiding this comment.
Bootstrap tokens don't use JWT at all -- they are just random values. The JWT tokens actually are encoded and signed tokens used for authentication. We do use JWS for doing the configmap signing, but that is unrelated and not part of the authentication flow.
docs/admin/authentication.md
Outdated
|
|
||
| This feature is currently in **alpha**. | ||
|
|
||
| o allow for streamlined bootstrapping for new clusters, Kubernetes includes a |
|
|
||
| ``` bash | ||
| scp root@<master ip>:/etc/kubernetes/admin.conf . | ||
| kubectl --kubeconfig ./admin.conf get nodes | ||
| ``` | ||
|
|
||
| **Note:** By default GCE instances disable ssh access for root. First log in to |
There was a problem hiding this comment.
First -> If you are using GCE, first
| the machine, copy the file someplace that can be accessed and then use [`gcloud | ||
| compute | ||
| copy-files`](https://cloud.google.com/sdk/gcloud/reference/compute/copy-files) | ||
|
|
||
| ### (Optional) Connecting to the API Server | ||
|
|
||
| If you want to connect to the API Server for viewing the dashboard (note: the |
There was a problem hiding this comment.
let's just get rid of the reference to dashboard here, if we're not going to describe how to install it
"If you want to connect to the API Server from outside the cluster you can use"
| @@ -428,23 +415,34 @@ running. | |||
|
|
|||
| Then go to the IP address of your cluster's master node in your browser, and | |||
| specify the given port. So for example, `http://<master_ip>:<port>`. In the | |||
| example above, this was `30001`, but it is a different port for you. | |||
| example above, this was `30001`, but it may be a different port for you. | |||
There was a problem hiding this comment.
actually, it'll always be 30001 now, so we can reword this accordingly
There was a problem hiding this comment.
Not if you've installed other services....
| * To undo what kubeadm did, simply run: | ||
| To undo what kubeadm did, you should first [drain the | ||
| node](https://kubernetes.io/docs/user-guide/kubectl/kubectl_drain/) and make | ||
| sure that the node is empty before turning it down. |
There was a problem hiding this comment.
"turning it down" -> "shutting it down" (we're not all {ex-,}googlers 😉)
| kubeadm reset | ||
| ``` | ||
|
|
||
| If you wish to start over simply run `kubeadm init` or `kubeadm join`. |
There was a problem hiding this comment.
with the appropriate arguments as described above
* Word wrap paragraphs * Switch to fenced code blocks for all code samples * Render programs as plain text * Separate out program invocation from program output Much of this is to follow the style guide: https://kubernetes.io/docs/contribute/style-guide/ Signed-off-by: Joe Beda <joe.github@bedafamily.com>
|
Pushed new changes and separated out the stuff from #2779. It turns out building these on top of each other just confused all reviewers. |
docs/admin/kubeadm.md
Outdated
| 1. kubeadm generates a self-signed CA using openssl to provision identities | ||
| for each node in the cluster, and for the API server to secure communication | ||
| with clients. | ||
| 1. kubeadm generates a self-signed CA using openssl to provision identities for |
There was a problem hiding this comment.
It's not using openssl and it's generating much more than only a CA and a serving cert
There was a problem hiding this comment.
Ref: kubernetes/kubeadm#156 if you want to describe more in detail about what kubeadm does
There was a problem hiding this comment.
I'm just reformatting here but happy to update. Once that PR goes in we can (a) turn it in to user facing docs and (b) reference it from here.
docs/admin/kubeadm.md
Outdated
|
|
||
| 1. Outputting a kubeconfig file for the kubelet to use to connect to the API | ||
| server, as well as an additional kubeconfig file for administration. | ||
| server, as well as an additional kubeconfig file for administration. | ||
|
|
||
| 1. kubeadm generates Kubernetes resource manifests for the API server, |
There was a problem hiding this comment.
generates Static Pod manifests for the API Server...
docs/admin/kubeadm.md
Outdated
| `/etc/kubernetes/manifests`. The kubelet watches this directory for static | ||
| resources to create on startup. These are the core components of Kubernetes, | ||
| and once they are up and running we can use `kubectl` to set up or manage any | ||
| additional components. | ||
|
|
There was a problem hiding this comment.
in between here kubeadm taints the master unschedulable, sets up RBAC, creates the cluster-info configmap for the token discovery and deploys both kube-proxy and kube-dns
docs/admin/kubeadm.md
Outdated
|
|
||
| 1. Use the token to talk to the API server and securely get the root CA | ||
| certificate. | ||
| 1. Download root CA infromation from the API server. Use the token to verify |
docs/admin/kubeadm.md
Outdated
| - `--kubernetes-version` (default 'latest') the kubernetes version to initialise | ||
|
|
||
| The **v1.6** version of kubeadm only supports building clusters that are at | ||
| least **v1.6.0**. This requirement is due to kubeadm's use of RBAC. With this |
There was a problem hiding this comment.
the Certificates API, Token Auth module, Token controllers, etc.
There are many reasons
docs/admin/kubeadm.md
Outdated
| WARNING: kubeadm is in alpha and the configuration API syntax will likely change before GA. | ||
| WARNING: While kubeadm command line interface is in beta, the config file is | ||
| still considered alpha. We are aiming to not break any scripted use of the main | ||
| `kubeadm init` and `kubeadm join` flow. |
There was a problem hiding this comment.
but the config file UX may still change in non-backwards-compatible ways
docs/admin/kubeadm.md
Outdated
| - <address|string> | ||
|
|
||
| tlsBootstrapToken: <string> | ||
| token: <string> |
There was a problem hiding this comment.
I would leave token invisible here, if the config file is used, one should really specify the separate tokens.
token is more of a CLI-convenience kind of thing
There was a problem hiding this comment.
Gah -- then it should be there. But I'll remove it.
docs/admin/kubeadm.md
Outdated
| a new token. This token is of the correct form for specifying with the | ||
| `--token` argument to `kubeadm init`. | ||
|
|
||
| For the gory details on how the tokens are implemented (including manaing them |
|
|
||
| 1. Generate a token. This token must have the form `<6 character string>.<16 character string>`. | ||
| 1. Generate a token. This token must have the form `<6 character string>.<16 |
There was a problem hiding this comment.
use of regex instead of . is preferred
docs/admin/kubeadm.md
Outdated
| | `KUBE_HOST_ETCD_PATH` | `/var/lib/etcd` | Local etcd state for Kubernetes cluster | | ||
| | `KUBE_HYPERKUBE_IMAGE` | `` | If set, use a single hyperkube image with this name. If not set, individual images per server component will be used. | | ||
| | `KUBE_DISCOVERY_IMAGE` | `gcr.io/google_containers/kube-discovery-<arch>:1.0` | The bootstrap discovery helper image to use. | | ||
| | `KUBE_HYPERKUBE_IMAGE` | | If set, use a single hyperkube image with this name. If not set, individual images per server component will be used. | | ||
| | `KUBE_ETCD_IMAGE` | `gcr.io/google_containers/etcd-<arch>:2.2.5` | The etcd container image to use. | |
Signed-off-by: Joe Beda <joe.github@bedafamily.com>
|
Addressed all of @luxas's comments. PTAL. |
| and handed out to each node with the `--pod-network-cidr` flag. This should be a | ||
| minimum of a /16 so controller-manager is able to assign /24 subnets to each | ||
| node in the cluster. If you are using flannel with [this | ||
| manifest](https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel.yml) |
There was a problem hiding this comment.
shouldn't we use this the manifest that includes rbac? https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
|
Just waiting on @luxas 's LGTM. |
|
Great, thanks. |
It is also built on top of #2779 so ignore that commit.
This change is