/ansible-k8s-digitalocean

A kubernetes cluster on digitalocean via ansible in under 5 mins :)

Kubernetes on Digital Ocean via Ansible

Provides

Deploy kubernetes on a 3 node digital-ocean cluster using Ansible.

These manifests are based on the following guide:

https://www.digitalocean.com/community/tutorials/how-to-create-a-kubernetes-1-10-cluster-using-kubeadm-on-ubuntu-16-04

Pre-requisites

  • Create 3 droplets on digital-ocean (ubuntu / 1gig ram / any region)
  • Create an ssh-keypair. By default, initial.yml assumes the public key on your local machine is stored at ~/.ssh/id_rsa.pub
  • Add the key: ssh-add ~/.ssh/id_rsa
  • Install ansible (ansible-playbook) on your local machine

Configure hosts

Update the hosts file and change the following with the external IPs of your new droplets

  • <master-ip>
  • <worker-ip1>
  • <worker-ip2>

Run playbooks

The ordering is important!

Wait for each stage to complete before progressing to the next.

ansible-playbook -i hosts initial.yml
ansible-playbook -i hosts kube-deps.yml
ansible-playbook -i hosts master.yml
ansible-playbook -i hosts workers.yml

Validate cluster

ssh ubuntu@<master-ip>
ububuntu@master:~$ kubectl get nodes
NAME       STATUS    ROLES     AGE       VERSION
master     Ready     master    15m       v1.11.0
worker01   Ready     <none>    12m       v1.11.0
worker02   Ready     <none>    12m       v1.11.0

Accessing locally

If you have kubectl installed on your laptop, you can copy over the remote kubeconfig from the master.

» mkdir -p ~/.kube/digital-ocean
» scp ubuntu@<master-ip>:.kube/config ~/.kube/digital-ocean/config
» export KUBECONFIG=~/.kube/digital-ocean/config

» kubectl get nodes
NAME       STATUS     ROLES     AGE       VERSION
master     Ready      master    1h        v1.11.0
worker01   Ready      <none>    1h        v1.11.0
worker02   Ready      <none>    1h        v1.11.0

Adding more workers

To add more workers, simply update the hosts.yml file and add additional entries.

Persistent Storage

Digital Ocean has a storage plugin that allows you to use DigitalOcean Block Storage with Kubernetes.

See: https://github.com/digitalocean/csi-digitalocean

This works really well and is easy to install:

  1. Create a digital ocean API token
  2. Generate the required kubernetes secret
  3. Install csi-digitalocean manifests

Security

I've not taken any additional measures over the default install via kubeadm.

General

  • There is no dashboard installed by default
  • There is no NetworkPolicy in place
  • There is no PodSecurityPolicy in place
  • RBAC is enabled and configuration seems to have sensible defaults

Relevant API Server Settings

./kube-apiserver --authorization-mode=Node,RBAC \
                 --allow-privileged=true \
                  --insecure-port=0 \
                  --secure-port=6443 \
                  ...

Relevant Kubelet Settings

authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 2m0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 5m0s
    cacheUnauthorizedTTL: 30s