我的书签
添加书签
移除书签Provisioning Compute Resources
Kubernetes requires a set of machines to host the Kubernetes control plane and the worker nodes where containers are ultimately run. In this lab you will provision the compute resources required for running a secure and highly available Kubernetes cluster across a single compute zone.
Ensure a default compute zone and region have been set as described in the Prerequisites lab.
Networking
The Kubernetes networking model assumes a flat network in which containers and nodes can communicate with each other. In cases where this is not desired network policies can limit how groups of containers are allowed to communicate with each other and external network endpoints.
Setting up network policies is out of scope for this tutorial.
Virtual Private Cloud Network
In this section a dedicated Virtual Private Cloud (VPC) network will be setup to host the Kubernetes cluster.
Create the kubernetes-the-hard-way custom VPC network:
gcloud compute networks create kubernetes-the-hard-way --mode custom
A subnet must be provisioned with an IP address range large enough to assign a private IP address to each node in the Kubernetes cluster.
Create the kubernetes subnet in the kubernetes-the-hard-way VPC network:
gcloud compute networks subnets create kubernetes \--network kubernetes-the-hard-way \--range 10.240.0.0/24
The
10.240.0.0/24IP address range can host up to 254 compute instances.
Firewall Rules
Create a firewall rule that allows internal communication across all protocols:
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-internal \--allow tcp,udp,icmp \--network kubernetes-the-hard-way \--source-ranges 10.240.0.0/24,10.200.0.0/16
Create a firewall rule that allows external SSH, ICMP, and HTTPS:
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-external \--allow tcp:22,tcp:6443,icmp \--network kubernetes-the-hard-way \--source-ranges 0.0.0.0/0
Create a firewall rule that allows health check probes from the GCP network load balancer IP ranges:
gcloud compute firewall-rules create kubernetes-the-hard-way-allow-health-checks \--allow tcp:8080 \--network kubernetes-the-hard-way \--source-ranges 209.85.204.0/22,209.85.152.0/22,35.191.0.0/16
An external load balancer will be used to expose the Kubernetes API Servers to remote clients.
List the firewall rules in the kubernetes-the-hard-way VPC network:
gcloud compute firewall-rules list --filter "network kubernetes-the-hard-way"
output
NAME NETWORK DIRECTION PRIORITY ALLOW DENYkubernetes-the-hard-way-allow-external kubernetes-the-hard-way INGRESS 1000 tcp:22,tcp:6443,icmpkubernetes-the-hard-way-allow-health-checks kubernetes-the-hard-way INGRESS 1000 tcp:8080kubernetes-the-hard-way-allow-internal kubernetes-the-hard-way INGRESS 1000 tcp,udp,icmp
Kubernetes Public IP Address
Allocate a static IP address that will be attached to the external load balancer fronting the Kubernetes API Servers:
gcloud compute addresses create kubernetes-the-hard-way \--region $(gcloud config get-value compute/region)
Verify the kubernetes-the-hard-way static IP address was created in your default compute region:
gcloud compute addresses list --filter="name=('kubernetes-the-hard-way')"
output
NAME REGION ADDRESS STATUSkubernetes-the-hard-way us-west1 XX.XXX.XXX.XX RESERVED
Compute Instances
The compute instances in this lab will be provisioned using Ubuntu Server 16.04, which has good support for the CRI-O container runtime. Each compute instance will be provisioned with a fixed private IP address to simplify the Kubernetes bootstrapping process.
Kubernetes Controllers
Create three compute instances which will host the Kubernetes control plane:
for i in 0 1 2; dogcloud compute instances create controller-${i} \--async \--boot-disk-size 200GB \--can-ip-forward \--image-family ubuntu-1604-lts \--image-project ubuntu-os-cloud \--machine-type n1-standard-1 \--private-network-ip 10.240.0.1${i} \--scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring \--subnet kubernetes \--tags kubernetes-the-hard-way,controllerdone
Kubernetes Workers
Each worker instance requires a pod subnet allocation from the Kubernetes cluster CIDR range. The pod subnet allocation will be used to configure container networking in a later exercise. The pod-cidr instance metadata will be used to expose pod subnet allocations to compute instances at runtime.
The Kubernetes cluster CIDR range is defined by the Controller Manager’s
--cluster-cidrflag. In this tutorial the cluster CIDR range will be set to10.200.0.0/16, which supports 254 subnets.
Create three compute instances which will host the Kubernetes worker nodes:
for i in 0 1 2; dogcloud compute instances create worker-${i} \--async \--boot-disk-size 200GB \--can-ip-forward \--image-family ubuntu-1604-lts \--image-project ubuntu-os-cloud \--machine-type n1-standard-1 \--metadata pod-cidr=10.200.${i}.0/24 \--private-network-ip 10.240.0.2${i} \--scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring \--subnet kubernetes \--tags kubernetes-the-hard-way,workerdone
Verification
List the compute instances in your default compute zone:
gcloud compute instances list
output
NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUScontroller-0 us-west1-c n1-standard-1 10.240.0.10 XX.XXX.XXX.XXX RUNNINGcontroller-1 us-west1-c n1-standard-1 10.240.0.11 XX.XXX.X.XX RUNNINGcontroller-2 us-west1-c n1-standard-1 10.240.0.12 XX.XXX.XXX.XX RUNNINGworker-0 us-west1-c n1-standard-1 10.240.0.20 XXX.XXX.XXX.XX RUNNINGworker-1 us-west1-c n1-standard-1 10.240.0.21 XX.XXX.XX.XXX RUNNINGworker-2 us-west1-c n1-standard-1 10.240.0.22 XXX.XXX.XX.XX RUNNING
