update to Kubernetes 1.6

README.md

@@ -17,9 +17,9 @@ The target audience for this tutorial is someone planning to support a productio
 
 ## Cluster Details
 
-* Kubernetes 1.5.1
+* Kubernetes 1.6.0
 * Docker 1.12.1
-* etcd 3.0.10
+* etcd 3.1.4
 * [CNI Based Networking](https://github.com/containernetworking/cni)
 * Secure communication between all components (etcd, control plane, workers)
 * Default Service Account and Secrets

docs/01-infrastructure-gcp.md

@@ -33,6 +33,7 @@ gcloud config set compute/region us-central1
 ```
 gcloud config set compute/zone us-central1-f
 ```
+
 Create a Kubernetes network:
 
 ```
@@ -104,13 +105,14 @@ gcloud compute firewall-rules list --filter "network=kubernetes"
 ```
 
 ```
-NAME                         NETWORK     SRC_RANGES      RULES                         SRC_TAGS  TARGET_TAGS
-kubernetes-allow-api-server  kubernetes  0.0.0.0/0       tcp:6443
-kubernetes-allow-healthz     kubernetes  130.211.0.0/22  tcp:8080
-kubernetes-allow-icmp        kubernetes  0.0.0.0/0       icmp
-kubernetes-allow-internal    kubernetes  10.240.0.0/24   tcp:0-65535,udp:0-65535,icmp
-kubernetes-allow-rdp         kubernetes  0.0.0.0/0       tcp:3389
-kubernetes-allow-ssh         kubernetes  0.0.0.0/0       tcp:22
+NAME                               NETWORK     SRC_RANGES      RULES                         SRC_TAGS  TARGET_TAGS
+kubernetes-allow-api-server        kubernetes  0.0.0.0/0       tcp:6443
+kubernetes-allow-healthz           kubernetes  130.211.0.0/22  tcp:8080
+kubernetes-allow-icmp              kubernetes  0.0.0.0/0       icmp
+kubernetes-allow-internal          kubernetes  10.240.0.0/24   tcp:0-65535,udp:0-65535,icmp
+kubernetes-allow-internal-podcidr  kubernetes  10.200.0.0/16   tcp:0-65535,udp:0-65535,icmp
+kubernetes-allow-rdp               kubernetes  0.0.0.0/0       tcp:3389
+kubernetes-allow-ssh               kubernetes  0.0.0.0/0       tcp:22
 ```
 
 ### Kubernetes Public Address

docs/02-certificate-authority.md

@@ -139,26 +139,63 @@ KUBERNETES_PUBLIC_ADDRESS=$(aws elb describe-load-balancers \
 
 ---
 
+Create the `admin-csr.json` file:
+
+```
+cat > admin-csr.json <<EOF
+{
+  "CN": "admin",
+  "hosts": [],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "Portland",
+      "O": "system:masters",
+      "OU": "Cluster",
+      "ST": "Oregon"
+    }
+  ]
+}
+EOF
+```
+
+Generate the admin certificate and private key:
+
+```
+cfssl gencert \
+  -ca=ca.pem \
+  -ca-key=ca-key.pem \
+  -config=ca-config.json \
+  -profile=kubernetes \
+  admin-csr.json | cfssljson -bare admin
+```
+
+Results:
+
+```
+admin-key.pem
+admin.csr
+admin.pem
+```
+
 Create the `kubernetes-csr.json` file:
 
 ```
 cat > kubernetes-csr.json <<EOF
 {
   "CN": "kubernetes",
   "hosts": [
-    "worker0",
-    "worker1",
-    "worker2",
-    "ip-10-240-0-20",
-    "ip-10-240-0-21",
-    "ip-10-240-0-22",
     "10.32.0.1",
     "10.240.0.10",
     "10.240.0.11",
     "10.240.0.12",
-    "10.240.0.20",
-    "10.240.0.21",
-    "10.240.0.22",
+    "ip-10-240-0-20",
+    "ip-10-240-0-21",
+    "ip-10-240-0-22",
     "${KUBERNETES_PUBLIC_ADDRESS}",
     "127.0.0.1",
     "kubernetes.default"
@@ -213,6 +250,10 @@ Set the list of Kubernetes hosts where the certs should be copied to:
 KUBERNETES_HOSTS=(controller0 controller1 controller2 worker0 worker1 worker2)
 ```
 
+```
+KUBERNETES_CONTROLLERS=(controller0 controller1 controller2)
+```
+
 ### GCE
 
 The following command will:
@@ -221,7 +262,13 @@ The following command will:
 
 ```
 for host in ${KUBERNETES_HOSTS[*]}; do
-  gcloud compute copy-files ca.pem kubernetes-key.pem kubernetes.pem ${host}:~/
+  gcloud compute copy-files ca.pem ${host}:~/
+done
+```
+
+```
+for host in ${KUBERNETES_CONTROLLERS[*]}; do
+  gcloud compute copy-files ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem ${host}:~/
 done
 ```
 
@@ -236,7 +283,17 @@ for host in ${KUBERNETES_HOSTS[*]}; do
   PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \
     --filters "Name=tag:Name,Values=${host}" | \
     jq -r '.Reservations[].Instances[].PublicIpAddress')
-  scp -o "StrictHostKeyChecking no" ca.pem kubernetes-key.pem kubernetes.pem \
+  scp -o "StrictHostKeyChecking no" ca.pem \
+    ubuntu@${PUBLIC_IP_ADDRESS}:~/
+done
+```
+
+```
+for host in ${KUBERNETES_HOSTS[*]}; do
+  PUBLIC_IP_ADDRESS=$(aws ec2 describe-instances \
+    --filters "Name=tag:Name,Values=${host}" | \
+    jq -r '.Reservations[].Instances[].PublicIpAddress')
+  scp -o "StrictHostKeyChecking no" ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \
     ubuntu@${PUBLIC_IP_ADDRESS}:~/
 done
 ```

docs/03-etcd.md

@@ -40,17 +40,17 @@ sudo cp ca.pem kubernetes-key.pem kubernetes.pem /etc/etcd/
 Download the official etcd release binaries from `coreos/etcd` GitHub project:
 
 ```
-wget https://github.com/coreos/etcd/releases/download/v3.0.15/etcd-v3.0.15-linux-amd64.tar.gz
+wget https://github.com/coreos/etcd/releases/download/v3.1.4/etcd-v3.1.4-linux-amd64.tar.gz
 ```
 
 Extract and install the `etcd` server binary and the `etcdctl` command line client: 
 
 ```
-tar -xvf etcd-v3.0.15-linux-amd64.tar.gz
+tar -xvf etcd-v3.1.4-linux-amd64.tar.gz
 ```
 
 ```
-sudo mv etcd-v3.0.15-linux-amd64/etcd* /usr/bin/
+sudo mv etcd-v3.1.4-linux-amd64/etcd* /usr/bin/
 ```
 
 All etcd data is stored under the etcd data directory. In a production cluster the data directory should be backed by a persistent disk. Create the etcd data directory:
@@ -59,38 +59,6 @@ All etcd data is stored under the etcd data directory. In a production cluster t
 sudo mkdir -p /var/lib/etcd
 ```
 
-The etcd server will be started and managed by systemd. Create the etcd systemd unit file:
-
-```
-cat > etcd.service <<"EOF"
-[Unit]
-Description=etcd
-Documentation=https://github.com/coreos
-
-[Service]
-ExecStart=/usr/bin/etcd --name ETCD_NAME \
-  --cert-file=/etc/etcd/kubernetes.pem \
-  --key-file=/etc/etcd/kubernetes-key.pem \
-  --peer-cert-file=/etc/etcd/kubernetes.pem \
-  --peer-key-file=/etc/etcd/kubernetes-key.pem \
-  --trusted-ca-file=/etc/etcd/ca.pem \
-  --peer-trusted-ca-file=/etc/etcd/ca.pem \
-  --initial-advertise-peer-urls https://INTERNAL_IP:2380 \
-  --listen-peer-urls https://INTERNAL_IP:2380 \
-  --listen-client-urls https://INTERNAL_IP:2379,http://127.0.0.1:2379 \
-  --advertise-client-urls https://INTERNAL_IP:2379 \
-  --initial-cluster-token etcd-cluster-0 \
-  --initial-cluster controller0=https://10.240.0.10:2380,controller1=https://10.240.0.11:2380,controller2=https://10.240.0.12:2380 \
-  --initial-cluster-state new \
-  --data-dir=/var/lib/etcd
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-```
-
 ### Set The Internal IP Address
 
 The internal IP address will be used by etcd to serve client requests and communicate with other etcd peers.
@@ -116,14 +84,37 @@ Each etcd member must have a unique name within an etcd cluster. Set the etcd na
 ETCD_NAME=controller$(echo $INTERNAL_IP | cut -c 11)
 ```
 
-Substitute the etcd name and internal IP address:
+The etcd server will be started and managed by systemd. Create the etcd systemd unit file:
 
 ```
-sed -i s/INTERNAL_IP/${INTERNAL_IP}/g etcd.service
-```
+cat > etcd.service <<EOF
+[Unit]
+Description=etcd
+Documentation=https://github.com/coreos
 
-```
-sed -i s/ETCD_NAME/${ETCD_NAME}/g etcd.service
+[Service]
+ExecStart=/usr/bin/etcd \\
+  --name ${ETCD_NAME} \\
+  --cert-file=/etc/etcd/kubernetes.pem \\
+  --key-file=/etc/etcd/kubernetes-key.pem \\
+  --peer-cert-file=/etc/etcd/kubernetes.pem \\
+  --peer-key-file=/etc/etcd/kubernetes-key.pem \\
+  --trusted-ca-file=/etc/etcd/ca.pem \\
+  --peer-trusted-ca-file=/etc/etcd/ca.pem \\
+  --initial-advertise-peer-urls https://${INTERNAL_IP}:2380 \\
+  --listen-peer-urls https://${INTERNAL_IP}:2380 \\
+  --listen-client-urls https://${INTERNAL_IP}:2379,http://127.0.0.1:2379 \\
+  --advertise-client-urls https://${INTERNAL_IP}:2379 \\
+  --initial-cluster-token etcd-cluster-0 \\
+  --initial-cluster controller0=https://10.240.0.10:2380,controller1=https://10.240.0.11:2380,controller2=https://10.240.0.12:2380 \\
+  --initial-cluster-state new \\
+  --data-dir=/var/lib/etcd
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
 ```
 
 Once the etcd systemd unit file is ready, move it to the systemd system directory:
@@ -160,7 +151,11 @@ Once all 3 etcd nodes have been bootstrapped verify the etcd cluster is healthy:
 * On one of the controller nodes run the following command:
 
 ```
-etcdctl --ca-file=/etc/etcd/ca.pem cluster-health
+etcdctl \
+  --ca-file=/etc/etcd/ca.pem \
+  --cert-file=/etc/etcd/kubernetes.pem \
+  --key-file=/etc/etcd/kubernetes-key.pem \
+  cluster-health
 ```
 
 ```