[
  {
    "path": ".gitignore",
    "content": "admin-csr.json             \nadmin-key.pem              \nadmin.csr                  \nadmin.pem                  \nadmin.kubeconfig\nca-config.json             \nca-csr.json                \nca-key.pem                 \nca.csr                     \nca.pem                     \n/encryption-config.yaml\nkube-controller-manager-csr.json\nkube-controller-manager-key.pem\nkube-controller-manager.csr\nkube-controller-manager.kubeconfig\nkube-controller-manager.pem\nkube-scheduler-csr.json\nkube-scheduler-key.pem\nkube-scheduler.csr\nkube-scheduler.kubeconfig\nkube-scheduler.pem\nkube-proxy-csr.json        \nkube-proxy-key.pem         \nkube-proxy.csr             \nkube-proxy.kubeconfig      \nkube-proxy.pem             \nkubernetes-csr.json        \nkubernetes-key.pem         \nkubernetes.csr             \nkubernetes.pem             \nworker-0-csr.json          \nworker-0-key.pem\nworker-0.csr\nworker-0.kubeconfig\nworker-0.pem\nworker-1-csr.json\nworker-1-key.pem\nworker-1.csr\nworker-1.kubeconfig\nworker-1.pem\nworker-2-csr.json\nworker-2-key.pem\nworker-2.csr\nworker-2.kubeconfig\nworker-2.pem\nservice-account-key.pem\nservice-account.csr\nservice-account.pem\nservice-account-csr.json\n*.swp\n.idea/\n"
  },
  {
    "path": "CONTRIBUTING.md",
    "content": "This project is made possible by contributors like YOU! While all contributions are welcomed, please be sure and follow the following suggestions to help your PR get merged.\n\n## License\n\nThis project uses an [Apache license](LICENSE). Be sure you're comfortable with the implications of that before working up a patch.\n\n## Review and merge process\n\nReview and merge duties are managed by [@kelseyhightower](https://github.com/kelseyhightower). Expect some burden of proof for demonstrating the marginal value of adding new content to the tutorial.\n\nHere are some examples of the review and justification process:\n- [#208](https://github.com/kelseyhightower/kubernetes-the-hard-way/pull/208)\n- [#282](https://github.com/kelseyhightower/kubernetes-the-hard-way/pull/282)\n\n## Notes on minutiae\n\nIf you find a bug that breaks the guide, please do submit it. If you are considering  a minor copy edit for tone, grammar, or simple inconsistent whitespace, consider the tradeoff between maintainer time and community benefit before investing too much of your time.\n\n"
  },
  {
    "path": "COPYRIGHT.md",
    "content": "# Copyright\n\n<a rel=\"license\" href=\"http://creativecommons.org/licenses/by-nc-sa/4.0/\"><img alt=\"Creative Commons License\" style=\"border-width:0\" src=\"https://i.creativecommons.org/l/by-nc-sa/4.0/88x31.png\" /></a><br />This work is licensed under a <a rel=\"license\" href=\"http://creativecommons.org/licenses/by-nc-sa/4.0/\">Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License</a>\n"
  },
  {
    "path": "LICENSE",
    "content": "\n                                 Apache License\n                           Version 2.0, January 2004\n                        http://www.apache.org/licenses/\n\n   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n   1. Definitions.\n\n      \"License\" shall mean the terms and conditions for use, reproduction,\n      and distribution as defined by Sections 1 through 9 of this document.\n\n      \"Licensor\" shall mean the copyright owner or entity authorized by\n      the copyright owner that is granting the License.\n\n      \"Legal Entity\" shall mean the union of the acting entity and all\n      other entities that control, are controlled by, or are under common\n      control with that entity. For the purposes of this definition,\n      \"control\" means (i) the power, direct or indirect, to cause the\n      direction or management of such entity, whether by contract or\n      otherwise, or (ii) ownership of fifty percent (50%) or more of the\n      outstanding shares, or (iii) beneficial ownership of such entity.\n\n      \"You\" (or \"Your\") shall mean an individual or Legal Entity\n      exercising permissions granted by this License.\n\n      \"Source\" form shall mean the preferred form for making modifications,\n      including but not limited to software source code, documentation\n      source, and configuration files.\n\n      \"Object\" form shall mean any form resulting from mechanical\n      transformation or translation of a Source form, including but\n      not limited to compiled object code, generated documentation,\n      and conversions to other media types.\n\n      \"Work\" shall mean the work of authorship, whether in Source or\n      Object form, made available under the License, as indicated by a\n      copyright notice that is included in or attached to the work\n      (an example is provided in the Appendix below).\n\n      \"Derivative Works\" shall mean any work, whether in Source or Object\n      form, that is based on (or derived from) the Work and for which the\n      editorial revisions, annotations, elaborations, or other modifications\n      represent, as a whole, an original work of authorship. For the purposes\n      of this License, Derivative Works shall not include works that remain\n      separable from, or merely link (or bind by name) to the interfaces of,\n      the Work and Derivative Works thereof.\n\n      \"Contribution\" shall mean any work of authorship, including\n      the original version of the Work and any modifications or additions\n      to that Work or Derivative Works thereof, that is intentionally\n      submitted to Licensor for inclusion in the Work by the copyright owner\n      or by an individual or Legal Entity authorized to submit on behalf of\n      the copyright owner. For the purposes of this definition, \"submitted\"\n      means any form of electronic, verbal, or written communication sent\n      to the Licensor or its representatives, including but not limited to\n      communication on electronic mailing lists, source code control systems,\n      and issue tracking systems that are managed by, or on behalf of, the\n      Licensor for the purpose of discussing and improving the Work, but\n      excluding communication that is conspicuously marked or otherwise\n      designated in writing by the copyright owner as \"Not a Contribution.\"\n\n      \"Contributor\" shall mean Licensor and any individual or Legal Entity\n      on behalf of whom a Contribution has been received by Licensor and\n      subsequently incorporated within the Work.\n\n   2. Grant of Copyright License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      copyright license to reproduce, prepare Derivative Works of,\n      publicly display, publicly perform, sublicense, and distribute the\n      Work and such Derivative Works in Source or Object form.\n\n   3. Grant of Patent License. Subject to the terms and conditions of\n      this License, each Contributor hereby grants to You a perpetual,\n      worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n      (except as stated in this section) patent license to make, have made,\n      use, offer to sell, sell, import, and otherwise transfer the Work,\n      where such license applies only to those patent claims licensable\n      by such Contributor that are necessarily infringed by their\n      Contribution(s) alone or by combination of their Contribution(s)\n      with the Work to which such Contribution(s) was submitted. If You\n      institute patent litigation against any entity (including a\n      cross-claim or counterclaim in a lawsuit) alleging that the Work\n      or a Contribution incorporated within the Work constitutes direct\n      or contributory patent infringement, then any patent licenses\n      granted to You under this License for that Work shall terminate\n      as of the date such litigation is filed.\n\n   4. Redistribution. You may reproduce and distribute copies of the\n      Work or Derivative Works thereof in any medium, with or without\n      modifications, and in Source or Object form, provided that You\n      meet the following conditions:\n\n      (a) You must give any other recipients of the Work or\n          Derivative Works a copy of this License; and\n\n      (b) You must cause any modified files to carry prominent notices\n          stating that You changed the files; and\n\n      (c) You must retain, in the Source form of any Derivative Works\n          that You distribute, all copyright, patent, trademark, and\n          attribution notices from the Source form of the Work,\n          excluding those notices that do not pertain to any part of\n          the Derivative Works; and\n\n      (d) If the Work includes a \"NOTICE\" text file as part of its\n          distribution, then any Derivative Works that You distribute must\n          include a readable copy of the attribution notices contained\n          within such NOTICE file, excluding those notices that do not\n          pertain to any part of the Derivative Works, in at least one\n          of the following places: within a NOTICE text file distributed\n          as part of the Derivative Works; within the Source form or\n          documentation, if provided along with the Derivative Works; or,\n          within a display generated by the Derivative Works, if and\n          wherever such third-party notices normally appear. The contents\n          of the NOTICE file are for informational purposes only and\n          do not modify the License. You may add Your own attribution\n          notices within Derivative Works that You distribute, alongside\n          or as an addendum to the NOTICE text from the Work, provided\n          that such additional attribution notices cannot be construed\n          as modifying the License.\n\n      You may add Your own copyright statement to Your modifications and\n      may provide additional or different license terms and conditions\n      for use, reproduction, or distribution of Your modifications, or\n      for any such Derivative Works as a whole, provided Your use,\n      reproduction, and distribution of the Work otherwise complies with\n      the conditions stated in this License.\n\n   5. Submission of Contributions. Unless You explicitly state otherwise,\n      any Contribution intentionally submitted for inclusion in the Work\n      by You to the Licensor shall be under the terms and conditions of\n      this License, without any additional terms or conditions.\n      Notwithstanding the above, nothing herein shall supersede or modify\n      the terms of any separate license agreement you may have executed\n      with Licensor regarding such Contributions.\n\n   6. Trademarks. This License does not grant permission to use the trade\n      names, trademarks, service marks, or product names of the Licensor,\n      except as required for reasonable and customary use in describing the\n      origin of the Work and reproducing the content of the NOTICE file.\n\n   7. Disclaimer of Warranty. Unless required by applicable law or\n      agreed to in writing, Licensor provides the Work (and each\n      Contributor provides its Contributions) on an \"AS IS\" BASIS,\n      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n      implied, including, without limitation, any warranties or conditions\n      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n      PARTICULAR PURPOSE. You are solely responsible for determining the\n      appropriateness of using or redistributing the Work and assume any\n      risks associated with Your exercise of permissions under this License.\n\n   8. Limitation of Liability. In no event and under no legal theory,\n      whether in tort (including negligence), contract, or otherwise,\n      unless required by applicable law (such as deliberate and grossly\n      negligent acts) or agreed to in writing, shall any Contributor be\n      liable to You for damages, including any direct, indirect, special,\n      incidental, or consequential damages of any character arising as a\n      result of this License or out of the use or inability to use the\n      Work (including but not limited to damages for loss of goodwill,\n      work stoppage, computer failure or malfunction, or any and all\n      other commercial damages or losses), even if such Contributor\n      has been advised of the possibility of such damages.\n\n   9. Accepting Warranty or Additional Liability. While redistributing\n      the Work or Derivative Works thereof, You may choose to offer,\n      and charge a fee for, acceptance of support, warranty, indemnity,\n      or other liability obligations and/or rights consistent with this\n      License. However, in accepting such obligations, You may act only\n      on Your own behalf and on Your sole responsibility, not on behalf\n      of any other Contributor, and only if You agree to indemnify,\n      defend, and hold each Contributor harmless for any liability\n      incurred by, or claims asserted against, such Contributor by reason\n      of your accepting any such warranty or additional liability.\n\n   END OF TERMS AND CONDITIONS\n\n   APPENDIX: How to apply the Apache License to your work.\n\n      To apply the Apache License to your work, attach the following\n      boilerplate notice, with the fields enclosed by brackets \"[]\"\n      replaced with your own identifying information. (Don't include\n      the brackets!)  The text should be enclosed in the appropriate\n      comment syntax for the file format. We also recommend that a\n      file or class name and description of purpose be included on the\n      same \"printed page\" as the copyright notice for easier\n      identification within third-party archives.\n\n   Copyright [yyyy] [name of copyright owner]\n\n   Licensed under the Apache License, Version 2.0 (the \"License\");\n   you may not use this file except in compliance with the License.\n   You may obtain a copy of the License at\n\n       http://www.apache.org/licenses/LICENSE-2.0\n\n   Unless required by applicable law or agreed to in writing, software\n   distributed under the License is distributed on an \"AS IS\" BASIS,\n   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n   See the License for the specific language governing permissions and\n   limitations under the License.\n"
  },
  {
    "path": "README.md",
    "content": "# Kubernetes The Hard Way\n\nThis tutorial walks you through setting up Kubernetes the hard way. This guide is not for someone looking for a fully automated tool to bring up a Kubernetes cluster. Kubernetes The Hard Way is optimized for learning, which means taking the long route to ensure you understand each task required to bootstrap a Kubernetes cluster.\n\n> The results of this tutorial should not be viewed as production ready, and may receive limited support from the community, but don't let that stop you from learning!\n\n## Copyright\n\n<a rel=\"license\" href=\"http://creativecommons.org/licenses/by-nc-sa/4.0/\"><img alt=\"Creative Commons License\" style=\"border-width:0\" src=\"https://i.creativecommons.org/l/by-nc-sa/4.0/88x31.png\" /></a><br />This work is licensed under a <a rel=\"license\" href=\"http://creativecommons.org/licenses/by-nc-sa/4.0/\">Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License</a>.\n\n\n## Target Audience\n\nThe target audience for this tutorial is someone who wants to understand the fundamentals of Kubernetes and how the core components fit together.\n\n## Cluster Details\n\nKubernetes The Hard Way guides you through bootstrapping a basic Kubernetes cluster with all control plane components running on a single node, and two worker nodes, which is enough to learn the core concepts.\n\nComponent versions:\n\n* [kubernetes](https://github.com/kubernetes/kubernetes) v1.32.x\n* [containerd](https://github.com/containerd/containerd) v2.1.x\n* [cni](https://github.com/containernetworking/cni) v1.6.x\n* [etcd](https://github.com/etcd-io/etcd) v3.6.x\n\n## Labs\n\nThis tutorial requires four (4) ARM64 or AMD64 based virtual or physical machines connected to the same network.\n\n* [Prerequisites](docs/01-prerequisites.md)\n* [Setting up the Jumpbox](docs/02-jumpbox.md)\n* [Provisioning Compute Resources](docs/03-compute-resources.md)\n* [Provisioning the CA and Generating TLS Certificates](docs/04-certificate-authority.md)\n* [Generating Kubernetes Configuration Files for Authentication](docs/05-kubernetes-configuration-files.md)\n* [Generating the Data Encryption Config and Key](docs/06-data-encryption-keys.md)\n* [Bootstrapping the etcd Cluster](docs/07-bootstrapping-etcd.md)\n* [Bootstrapping the Kubernetes Control Plane](docs/08-bootstrapping-kubernetes-controllers.md)\n* [Bootstrapping the Kubernetes Worker Nodes](docs/09-bootstrapping-kubernetes-workers.md)\n* [Configuring kubectl for Remote Access](docs/10-configuring-kubectl.md)\n* [Provisioning Pod Network Routes](docs/11-pod-network-routes.md)\n* [Smoke Test](docs/12-smoke-test.md)\n* [Cleaning Up](docs/13-cleanup.md)\n"
  },
  {
    "path": "ca.conf",
    "content": "[req]\ndistinguished_name = req_distinguished_name\nprompt             = no\nx509_extensions    = ca_x509_extensions\n\n[ca_x509_extensions]\nbasicConstraints = CA:TRUE\nkeyUsage         = cRLSign, keyCertSign\n\n[req_distinguished_name]\nC   = US\nST  = Washington\nL   = Seattle\nCN  = CA\n\n[admin]\ndistinguished_name = admin_distinguished_name\nprompt             = no\nreq_extensions     = default_req_extensions\n\n[admin_distinguished_name]\nCN = admin\nO  = system:masters\n\n# Service Accounts\n#\n# The Kubernetes Controller Manager leverages a key pair to generate\n# and sign service account tokens as described in the\n# [managing service accounts](https://kubernetes.io/docs/admin/service-accounts-admin/)\n# documentation.\n\n[service-accounts]\ndistinguished_name = service-accounts_distinguished_name\nprompt             = no\nreq_extensions     = default_req_extensions\n\n[service-accounts_distinguished_name]\nCN = service-accounts\n\n# Worker Nodes\n#\n# Kubernetes uses a [special-purpose authorization mode](https://kubernetes.io/docs/admin/authorization/node/)\n# called Node Authorizer, that specifically authorizes API requests made\n# by [Kubelets](https://kubernetes.io/docs/concepts/overview/components/#kubelet).\n# In order to be authorized by the Node Authorizer, Kubelets must use a credential\n# that identifies them as being in the `system:nodes` group, with a username\n# of `system:node:<nodeName>`.\n\n[node-0]\ndistinguished_name = node-0_distinguished_name\nprompt             = no\nreq_extensions     = node-0_req_extensions\n\n[node-0_req_extensions]\nbasicConstraints     = CA:FALSE\nextendedKeyUsage     = clientAuth, serverAuth\nkeyUsage             = critical, digitalSignature, keyEncipherment\nnsCertType           = client\nnsComment            = \"Node-0 Certificate\"\nsubjectAltName       = DNS:node-0, IP:127.0.0.1\nsubjectKeyIdentifier = hash\n\n[node-0_distinguished_name]\nCN = system:node:node-0\nO  = system:nodes\nC  = US\nST = Washington\nL  = Seattle\n\n[node-1]\ndistinguished_name = node-1_distinguished_name\nprompt             = no\nreq_extensions     = node-1_req_extensions\n\n[node-1_req_extensions]\nbasicConstraints     = CA:FALSE\nextendedKeyUsage     = clientAuth, serverAuth\nkeyUsage             = critical, digitalSignature, keyEncipherment\nnsCertType           = client\nnsComment            = \"Node-1 Certificate\"\nsubjectAltName       = DNS:node-1, IP:127.0.0.1\nsubjectKeyIdentifier = hash\n\n[node-1_distinguished_name]\nCN = system:node:node-1\nO  = system:nodes\nC  = US\nST = Washington\nL  = Seattle\n\n\n# Kube Proxy Section\n[kube-proxy]\ndistinguished_name = kube-proxy_distinguished_name\nprompt             = no\nreq_extensions     = kube-proxy_req_extensions\n\n[kube-proxy_req_extensions]\nbasicConstraints     = CA:FALSE\nextendedKeyUsage     = clientAuth, serverAuth\nkeyUsage             = critical, digitalSignature, keyEncipherment\nnsCertType           = client\nnsComment            = \"Kube Proxy Certificate\"\nsubjectAltName       = DNS:kube-proxy, IP:127.0.0.1\nsubjectKeyIdentifier = hash\n\n[kube-proxy_distinguished_name]\nCN = system:kube-proxy\nO  = system:node-proxier\nC  = US\nST = Washington\nL  = Seattle\n\n\n# Controller Manager\n[kube-controller-manager]\ndistinguished_name = kube-controller-manager_distinguished_name\nprompt             = no\nreq_extensions     = kube-controller-manager_req_extensions\n\n[kube-controller-manager_req_extensions]\nbasicConstraints     = CA:FALSE\nextendedKeyUsage     = clientAuth, serverAuth\nkeyUsage             = critical, digitalSignature, keyEncipherment\nnsCertType           = client\nnsComment            = \"Kube Controller Manager Certificate\"\nsubjectAltName       = DNS:kube-controller-manager, IP:127.0.0.1\nsubjectKeyIdentifier = hash\n\n[kube-controller-manager_distinguished_name]\nCN = system:kube-controller-manager\nO  = system:kube-controller-manager\nC  = US\nST = Washington\nL  = Seattle\n\n\n# Scheduler\n[kube-scheduler]\ndistinguished_name = kube-scheduler_distinguished_name\nprompt             = no\nreq_extensions     = kube-scheduler_req_extensions\n\n[kube-scheduler_req_extensions]\nbasicConstraints     = CA:FALSE\nextendedKeyUsage     = clientAuth, serverAuth\nkeyUsage             = critical, digitalSignature, keyEncipherment\nnsCertType           = client\nnsComment            = \"Kube Scheduler Certificate\"\nsubjectAltName       = DNS:kube-scheduler, IP:127.0.0.1\nsubjectKeyIdentifier = hash\n\n[kube-scheduler_distinguished_name]\nCN = system:kube-scheduler\nO  = system:system:kube-scheduler\nC  = US\nST = Washington\nL  = Seattle\n\n\n# API Server\n#\n# The Kubernetes API server is automatically assigned the `kubernetes`\n# internal dns name, which will be linked to the first IP address (`10.32.0.1`)\n# from the address range (`10.32.0.0/24`) reserved for internal cluster\n# services.\n\n[kube-api-server]\ndistinguished_name = kube-api-server_distinguished_name\nprompt             = no\nreq_extensions     = kube-api-server_req_extensions\n\n[kube-api-server_req_extensions]\nbasicConstraints     = CA:FALSE\nextendedKeyUsage     = clientAuth, serverAuth\nkeyUsage             = critical, digitalSignature, keyEncipherment\nnsCertType           = client, server\nnsComment            = \"Kube API Server Certificate\"\nsubjectAltName       = @kube-api-server_alt_names\nsubjectKeyIdentifier = hash\n\n[kube-api-server_alt_names]\nIP.0  = 127.0.0.1\nIP.1  = 10.32.0.1\nDNS.0 = kubernetes\nDNS.1 = kubernetes.default\nDNS.2 = kubernetes.default.svc\nDNS.3 = kubernetes.default.svc.cluster\nDNS.4 = kubernetes.svc.cluster.local\nDNS.5 = server.kubernetes.local\nDNS.6 = api-server.kubernetes.local\n\n[kube-api-server_distinguished_name]\nCN = kubernetes\nC  = US\nST = Washington\nL  = Seattle\n\n\n[default_req_extensions]\nbasicConstraints     = CA:FALSE\nextendedKeyUsage     = clientAuth\nkeyUsage             = critical, digitalSignature, keyEncipherment\nnsCertType           = client\nnsComment            = \"Admin Client Certificate\"\nsubjectKeyIdentifier = hash\n"
  },
  {
    "path": "configs/10-bridge.conf",
    "content": "{\n  \"cniVersion\": \"1.0.0\",\n  \"name\": \"bridge\",\n  \"type\": \"bridge\",\n  \"bridge\": \"cni0\",\n  \"isGateway\": true,\n  \"ipMasq\": true,\n  \"ipam\": {\n    \"type\": \"host-local\",\n    \"ranges\": [\n      [{\"subnet\": \"SUBNET\"}]\n    ],\n    \"routes\": [{\"dst\": \"0.0.0.0/0\"}]\n  }\n}"
  },
  {
    "path": "configs/99-loopback.conf",
    "content": "{\n  \"cniVersion\": \"1.1.0\",\n  \"name\": \"lo\",\n  \"type\": \"loopback\"\n}"
  },
  {
    "path": "configs/containerd-config.toml",
    "content": "version = 2\n\n[plugins.\"io.containerd.grpc.v1.cri\"]\n  [plugins.\"io.containerd.grpc.v1.cri\".containerd]\n    snapshotter = \"overlayfs\"\n    default_runtime_name = \"runc\"\n  [plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes.runc]\n    runtime_type = \"io.containerd.runc.v2\"\n  [plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes.runc.options]\n    SystemdCgroup = true\n[plugins.\"io.containerd.grpc.v1.cri\".cni]\n  bin_dir = \"/opt/cni/bin\"\n  conf_dir = \"/etc/cni/net.d\""
  },
  {
    "path": "configs/encryption-config.yaml",
    "content": "kind: EncryptionConfiguration\napiVersion: apiserver.config.k8s.io/v1\nresources:\n  - resources:\n      - secrets\n    providers:\n      - aescbc:\n          keys:\n            - name: key1\n              secret: ${ENCRYPTION_KEY}\n      - identity: {}\n"
  },
  {
    "path": "configs/kube-apiserver-to-kubelet.yaml",
    "content": "apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n  annotations:\n    rbac.authorization.kubernetes.io/autoupdate: \"true\"\n  labels:\n    kubernetes.io/bootstrapping: rbac-defaults\n  name: system:kube-apiserver-to-kubelet\nrules:\n  - apiGroups:\n      - \"\"\n    resources:\n      - nodes/proxy\n      - nodes/stats\n      - nodes/log\n      - nodes/spec\n      - nodes/metrics\n    verbs:\n      - \"*\"\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: system:kube-apiserver\n  namespace: \"\"\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: system:kube-apiserver-to-kubelet\nsubjects:\n  - apiGroup: rbac.authorization.k8s.io\n    kind: User\n    name: kubernetes"
  },
  {
    "path": "configs/kube-proxy-config.yaml",
    "content": "kind: KubeProxyConfiguration\napiVersion: kubeproxy.config.k8s.io/v1alpha1\nclientConnection:\n  kubeconfig: \"/var/lib/kube-proxy/kubeconfig\"\nmode: \"iptables\"\nclusterCIDR: \"10.200.0.0/16\""
  },
  {
    "path": "configs/kube-scheduler.yaml",
    "content": "apiVersion: kubescheduler.config.k8s.io/v1\nkind: KubeSchedulerConfiguration\nclientConnection:\n  kubeconfig: \"/var/lib/kubernetes/kube-scheduler.kubeconfig\"\nleaderElection:\n  leaderElect: true"
  },
  {
    "path": "configs/kubelet-config.yaml",
    "content": "kind: KubeletConfiguration\napiVersion: kubelet.config.k8s.io/v1beta1\naddress: \"0.0.0.0\"\nauthentication:\n  anonymous:\n    enabled: false\n  webhook:\n    enabled: true\n  x509:\n    clientCAFile: \"/var/lib/kubelet/ca.crt\"\nauthorization:\n  mode: Webhook\ncgroupDriver: systemd\ncontainerRuntimeEndpoint: \"unix:///var/run/containerd/containerd.sock\"\nenableServer: true\nfailSwapOn: false\nmaxPods: 16\nmemorySwap:\n  swapBehavior: NoSwap\nport: 10250\nresolvConf: \"/etc/resolv.conf\"\nregisterNode: true\nruntimeRequestTimeout: \"15m\"\ntlsCertFile: \"/var/lib/kubelet/kubelet.crt\"\ntlsPrivateKeyFile: \"/var/lib/kubelet/kubelet.key\"\n"
  },
  {
    "path": "docs/01-prerequisites.md",
    "content": "# Prerequisites\n\nIn this lab you will review the machine requirements necessary to follow this tutorial.\n\n## Virtual or Physical Machines\n\nThis tutorial requires four (4) virtual or physical ARM64 or AMD64 machines running Debian 12 (bookworm). The following table lists the four machines and their CPU, memory, and storage requirements.\n\n| Name    | Description            | CPU | RAM   | Storage |\n|---------|------------------------|-----|-------|---------|\n| jumpbox | Administration host    | 1   | 512MB | 10GB    |\n| server  | Kubernetes server      | 1   | 2GB   | 20GB    |\n| node-0  | Kubernetes worker node | 1   | 2GB   | 20GB    |\n| node-1  | Kubernetes worker node | 1   | 2GB   | 20GB    |\n\nHow you provision the machines is up to you, the only requirement is that each machine meet the above system requirements including the machine specs and OS version. Once you have all four machines provisioned, verify the OS requirements by viewing the `/etc/os-release` file:\n\n```bash\ncat /etc/os-release\n```\n\nYou should see something similar to the following output:\n\n```text\nPRETTY_NAME=\"Debian GNU/Linux 12 (bookworm)\"\nNAME=\"Debian GNU/Linux\"\nVERSION_ID=\"12\"\nVERSION=\"12 (bookworm)\"\nVERSION_CODENAME=bookworm\nID=debian\n```\n\nNext: [setting-up-the-jumpbox](02-jumpbox.md)\n"
  },
  {
    "path": "docs/02-jumpbox.md",
    "content": "# Set Up The Jumpbox\n\nIn this lab you will set up one of the four machines to be a `jumpbox`. This machine will be used to run commands throughout this tutorial. While a dedicated machine is being used to ensure consistency, these commands can also be run from just about any machine including your personal workstation running macOS or Linux.\n\nThink of the `jumpbox` as the administration machine that you will use as a home base when setting up your Kubernetes cluster from the ground up. Before we get started we need to install a few command line utilities and clone the Kubernetes The Hard Way git repository, which contains some additional configuration files that will be used to configure various Kubernetes components throughout this tutorial.\n\nLog in to the `jumpbox`:\n\n```bash\nssh root@jumpbox\n```\n\nAll commands will be run as the `root` user. This is being done for the sake of convenience, and will help reduce the number of commands required to set everything up.\n\n### Install Command Line Utilities\n\nNow that you are logged into the `jumpbox` machine as the `root` user, you will install the command line utilities that will be used to preform various tasks throughout the tutorial.\n\n```bash\n{\n  apt-get update\n  apt-get -y install wget curl vim openssl git\n}\n```\n\n### Sync GitHub Repository\n\nNow it's time to download a copy of this tutorial which contains the configuration files and templates that will be used build your Kubernetes cluster from the ground up. Clone the Kubernetes The Hard Way git repository using the `git` command:\n\n```bash\ngit clone --depth 1 \\\n  https://github.com/kelseyhightower/kubernetes-the-hard-way.git\n```\n\nChange into the `kubernetes-the-hard-way` directory:\n\n```bash\ncd kubernetes-the-hard-way\n```\n\nThis will be the working directory for the rest of the tutorial. If you ever get lost run the `pwd` command to verify you are in the right directory when running commands on the `jumpbox`:\n\n```bash\npwd\n```\n\n```text\n/root/kubernetes-the-hard-way\n```\n\n### Download Binaries\n\nIn this section you will download the binaries for the various Kubernetes components. The binaries will be stored in the `downloads` directory on the `jumpbox`, which will reduce the amount of internet bandwidth required to complete this tutorial as we avoid downloading the binaries multiple times for each machine in our Kubernetes cluster.\n\nThe binaries that will be downloaded are listed in either the `downloads-amd64.txt` or `downloads-arm64.txt` file depending on your hardware architecture, which you can review using the `cat` command:\n\n```bash\ncat downloads-$(dpkg --print-architecture).txt\n```\n\nDownload the binaries into a directory called `downloads` using the `wget` command:\n\n```bash\nwget -q --show-progress \\\n  --https-only \\\n  --timestamping \\\n  -P downloads \\\n  -i downloads-$(dpkg --print-architecture).txt\n```\n\nDepending on your internet connection speed it may take a while to download over `500` megabytes of binaries, and once the download is complete, you can list them using the `ls` command:\n\n```bash\nls -oh downloads\n```\n\nExtract the component binaries from the release archives and organize them under the `downloads` directory.\n\n```bash\n{\n  ARCH=$(dpkg --print-architecture)\n  mkdir -p downloads/{client,cni-plugins,controller,worker}\n  tar -xvf downloads/crictl-v1.32.0-linux-${ARCH}.tar.gz \\\n    -C downloads/worker/\n  tar -xvf downloads/containerd-2.1.0-beta.0-linux-${ARCH}.tar.gz \\\n    --strip-components 1 \\\n    -C downloads/worker/\n  tar -xvf downloads/cni-plugins-linux-${ARCH}-v1.6.2.tgz \\\n    -C downloads/cni-plugins/\n  tar -xvf downloads/etcd-v3.6.0-rc.3-linux-${ARCH}.tar.gz \\\n    -C downloads/ \\\n    --strip-components 1 \\\n    etcd-v3.6.0-rc.3-linux-${ARCH}/etcdctl \\\n    etcd-v3.6.0-rc.3-linux-${ARCH}/etcd\n  mv downloads/{etcdctl,kubectl} downloads/client/\n  mv downloads/{etcd,kube-apiserver,kube-controller-manager,kube-scheduler} \\\n    downloads/controller/\n  mv downloads/{kubelet,kube-proxy} downloads/worker/\n  mv downloads/runc.${ARCH} downloads/worker/runc\n}\n```\n\n```bash\nrm -rf downloads/*gz\n```\n\nMake the binaries executable.\n\n```bash\n{\n  chmod +x downloads/{client,cni-plugins,controller,worker}/*\n}\n```\n\n### Install kubectl\n\nIn this section you will install the `kubectl`, the official Kubernetes client command line tool, on the `jumpbox` machine. `kubectl` will be used to interact with the Kubernetes control plane once your cluster is provisioned later in this tutorial.\n\nUse the `chmod` command to make the `kubectl` binary executable and move it to the `/usr/local/bin/` directory:\n\n```bash\n{\n  cp downloads/client/kubectl /usr/local/bin/\n}\n```\n\nAt this point `kubectl` is installed and can be verified by running the `kubectl` command:\n\n```bash\nkubectl version --client\n```\n\n```text\nClient Version: v1.32.3\nKustomize Version: v5.5.0\n```\n\nAt this point the `jumpbox` has been set up with all the command line tools and utilities necessary to complete the labs in this tutorial.\n\nNext: [Provisioning Compute Resources](03-compute-resources.md)\n"
  },
  {
    "path": "docs/03-compute-resources.md",
    "content": "# Provisioning Compute Resources\n\nKubernetes requires a set of machines to host the Kubernetes control plane and the worker nodes where containers are ultimately run. In this lab you will provision the machines required for setting up a Kubernetes cluster.\n\n## Machine Database\n\nThis tutorial will leverage a text file, which will serve as a machine database, to store the various machine attributes that will be used when setting up the Kubernetes control plane and worker nodes. The following schema represents entries in the machine database, one entry per line:\n\n```text\nIPV4_ADDRESS FQDN HOSTNAME POD_SUBNET\n```\n\nEach of the columns corresponds to a machine IP address `IPV4_ADDRESS`, fully qualified domain name `FQDN`, host name `HOSTNAME`, and the IP subnet `POD_SUBNET`. Kubernetes assigns one IP address per `pod` and the `POD_SUBNET` represents the unique IP address range assigned to each machine in the cluster for doing so.\n\nHere is an example machine database similar to the one used when creating this tutorial. Notice the IP addresses have been masked out. Your machines can be assigned any IP address as long as each machine is reachable from each other and the `jumpbox`.\n\n```bash\ncat machines.txt\n```\n\n```text\nXXX.XXX.XXX.XXX server.kubernetes.local server\nXXX.XXX.XXX.XXX node-0.kubernetes.local node-0 10.200.0.0/24\nXXX.XXX.XXX.XXX node-1.kubernetes.local node-1 10.200.1.0/24\n```\n\nNow it's your turn to create a `machines.txt` file with the details for the three machines you will be using to create your Kubernetes cluster. Use the example machine database from above and add the details for your machines.\n\n## Configuring SSH Access\n\nSSH will be used to configure the machines in the cluster. Verify that you have `root` SSH access to each machine listed in your machine database. You may need to enable root SSH access on each node by updating the sshd_config file and restarting the SSH server.\n\n### Enable root SSH Access\n\nIf `root` SSH access is enabled for each of your machines you can skip this section.\n\nBy default, a new `debian` install disables SSH access for the `root` user. This is done for security reasons as the `root` user has total administrative control of unix-like systems. If a weak password is used on a machine connected to the internet, well, let's just say it's only a matter of time before your machine belongs to someone else. As mentioned earlier, we are going to enable `root` access over SSH in order to streamline the steps in this tutorial. Security is a tradeoff, and in this case, we are optimizing for convenience. Log on to each machine via SSH using your user account, then switch to the `root` user using the `su` command:\n\n```bash\nsu - root\n```\n\nEdit the `/etc/ssh/sshd_config` SSH daemon configuration file and set the `PermitRootLogin` option to `yes`:\n\n```bash\nsed -i \\\n  's/^#*PermitRootLogin.*/PermitRootLogin yes/' \\\n  /etc/ssh/sshd_config\n```\n\nRestart the `sshd` SSH server to pick up the updated configuration file:\n\n```bash\nsystemctl restart sshd\n```\n\n### Generate and Distribute SSH Keys\n\nIn this section you will generate and distribute an SSH keypair to the `server`, `node-0`, and `node-1`, machines, which will be used to run commands on those machines throughout this tutorial. Run the following commands from the `jumpbox` machine.\n\nGenerate a new SSH key:\n\n```bash\nssh-keygen\n```\n\n```text\nGenerating public/private rsa key pair.\nEnter file in which to save the key (/root/.ssh/id_rsa):\nEnter passphrase (empty for no passphrase):\nEnter same passphrase again:\nYour identification has been saved in /root/.ssh/id_rsa\nYour public key has been saved in /root/.ssh/id_rsa.pub\n```\n\nCopy the SSH public key to each machine:\n\n```bash\nwhile read IP FQDN HOST SUBNET; do\n  ssh-copy-id root@${IP}\ndone < machines.txt\n```\n\nOnce each key is added, verify SSH public key access is working:\n\n```bash\nwhile read IP FQDN HOST SUBNET; do\n  ssh -n root@${IP} hostname\ndone < machines.txt\n```\n\n```text\nserver\nnode-0\nnode-1\n```\n\n## Hostnames\n\nIn this section you will assign hostnames to the `server`, `node-0`, and `node-1` machines. The hostname will be used when executing commands from the `jumpbox` to each machine. The hostname also plays a major role within the cluster. Instead of Kubernetes clients using an IP address to issue commands to the Kubernetes API server, those clients will use the `server` hostname instead. Hostnames are also used by each worker machine, `node-0` and `node-1` when registering with a given Kubernetes cluster.\n\nTo configure the hostname for each machine, run the following commands on the `jumpbox`.\n\nSet the hostname on each machine listed in the `machines.txt` file:\n\n```bash\nwhile read IP FQDN HOST SUBNET; do\n    CMD=\"sed -i 's/^127.0.1.1.*/127.0.1.1\\t${FQDN} ${HOST}/' /etc/hosts\"\n    ssh -n root@${IP} \"$CMD\"\n    ssh -n root@${IP} hostnamectl set-hostname ${HOST}\n    ssh -n root@${IP} systemctl restart systemd-hostnamed\ndone < machines.txt\n```\n\nVerify the hostname is set on each machine:\n\n```bash\nwhile read IP FQDN HOST SUBNET; do\n  ssh -n root@${IP} hostname --fqdn\ndone < machines.txt\n```\n\n```text\nserver.kubernetes.local\nnode-0.kubernetes.local\nnode-1.kubernetes.local\n```\n\n## Host Lookup Table\n\nIn this section you will generate a `hosts` file which will be appended to `/etc/hosts` file on the `jumpbox` and to the `/etc/hosts` files on all three cluster members used for this tutorial. This will allow each machine to be reachable using a hostname such as `server`, `node-0`, or `node-1`.\n\nCreate a new `hosts` file and add a header to identify the machines being added:\n\n```bash\necho \"\" > hosts\necho \"# Kubernetes The Hard Way\" >> hosts\n```\n\nGenerate a host entry for each machine in the `machines.txt` file and append it to the `hosts` file:\n\n```bash\nwhile read IP FQDN HOST SUBNET; do\n    ENTRY=\"${IP} ${FQDN} ${HOST}\"\n    echo $ENTRY >> hosts\ndone < machines.txt\n```\n\nReview the host entries in the `hosts` file:\n\n```bash\ncat hosts\n```\n\n```text\n\n# Kubernetes The Hard Way\nXXX.XXX.XXX.XXX server.kubernetes.local server\nXXX.XXX.XXX.XXX node-0.kubernetes.local node-0\nXXX.XXX.XXX.XXX node-1.kubernetes.local node-1\n```\n\n## Adding `/etc/hosts` Entries To A Local Machine\n\nIn this section you will append the DNS entries from the `hosts` file to the local `/etc/hosts` file on your `jumpbox` machine.\n\nAppend the DNS entries from `hosts` to `/etc/hosts`:\n\n```bash\ncat hosts >> /etc/hosts\n```\n\nVerify that the `/etc/hosts` file has been updated:\n\n```bash\ncat /etc/hosts\n```\n\n```text\n127.0.0.1       localhost\n127.0.1.1       jumpbox\n\n# The following lines are desirable for IPv6 capable hosts\n::1     localhost ip6-localhost ip6-loopback\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\n\n# Kubernetes The Hard Way\nXXX.XXX.XXX.XXX server.kubernetes.local server\nXXX.XXX.XXX.XXX node-0.kubernetes.local node-0\nXXX.XXX.XXX.XXX node-1.kubernetes.local node-1\n```\n\nAt this point you should be able to SSH to each machine listed in the `machines.txt` file using a hostname.\n\n```bash\nfor host in server node-0 node-1\n   do ssh root@${host} hostname\ndone\n```\n\n```text\nserver\nnode-0\nnode-1\n```\n\n## Adding `/etc/hosts` Entries To The Remote Machines\n\nIn this section you will append the host entries from `hosts` to `/etc/hosts` on each machine listed in the `machines.txt` text file.\n\nCopy the `hosts` file to each machine and append the contents to `/etc/hosts`:\n\n```bash\nwhile read IP FQDN HOST SUBNET; do\n  scp hosts root@${HOST}:~/\n  ssh -n \\\n    root@${HOST} \"cat hosts >> /etc/hosts\"\ndone < machines.txt\n```\n\nAt this point, hostnames can be used when connecting to machines from your `jumpbox` machine, or any of the three machines in the Kubernetes cluster. Instead of using IP addresses you can now connect to machines using a hostname such as `server`, `node-0`, or `node-1`.\n\nNext: [Provisioning a CA and Generating TLS Certificates](04-certificate-authority.md)\n"
  },
  {
    "path": "docs/04-certificate-authority.md",
    "content": "# Provisioning a CA and Generating TLS Certificates\n\nIn this lab you will provision a [PKI Infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure) using openssl to bootstrap a Certificate Authority, and generate TLS certificates for the following components: kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, and kube-proxy. The commands in this section should be run from the `jumpbox`.\n\n## Certificate Authority\n\nIn this section you will provision a Certificate Authority that can be used to generate additional TLS certificates for the other Kubernetes components. Setting up CA and generating certificates using `openssl` can be time-consuming, especially when doing it for the first time. To streamline this lab, I've included an openssl configuration file `ca.conf`, which defines all the details needed to generate certificates for each Kubernetes component.\n\nTake a moment to review the `ca.conf` configuration file:\n\n```bash\ncat ca.conf\n```\n\nYou don't need to understand everything in the `ca.conf` file to complete this tutorial, but you should consider it a starting point for learning `openssl` and the configuration that goes into managing certificates at a high level.\n\nEvery certificate authority starts with a private key and root certificate. In this section we are going to create a self-signed certificate authority, and while that's all we need for this tutorial, this shouldn't be considered something you would do in a real-world production environment.\n\nGenerate the CA configuration file, certificate, and private key:\n\n```bash\n{\n  openssl genrsa -out ca.key 4096\n  openssl req -x509 -new -sha512 -noenc \\\n    -key ca.key -days 3653 \\\n    -config ca.conf \\\n    -out ca.crt\n}\n```\n\nResults:\n\n```txt\nca.crt ca.key\n```\n\n## Create Client and Server Certificates\n\nIn this section you will generate client and server certificates for each Kubernetes component and a client certificate for the Kubernetes `admin` user.\n\nGenerate the certificates and private keys:\n\n```bash\ncerts=(\n  \"admin\" \"node-0\" \"node-1\"\n  \"kube-proxy\" \"kube-scheduler\"\n  \"kube-controller-manager\"\n  \"kube-api-server\"\n  \"service-accounts\"\n)\n```\n\n```bash\nfor i in ${certs[*]}; do\n  openssl genrsa -out \"${i}.key\" 4096\n\n  openssl req -new -key \"${i}.key\" -sha256 \\\n    -config \"ca.conf\" -section ${i} \\\n    -out \"${i}.csr\"\n\n  openssl x509 -req -days 3653 -in \"${i}.csr\" \\\n    -copy_extensions copyall \\\n    -sha256 -CA \"ca.crt\" \\\n    -CAkey \"ca.key\" \\\n    -CAcreateserial \\\n    -out \"${i}.crt\"\ndone\n```\n\nThe results of running the above command will generate a private key, certificate request, and signed SSL certificate for each of the Kubernetes components. You can list the generated files with the following command:\n\n```bash\nls -1 *.crt *.key *.csr\n```\n\n## Distribute the Client and Server Certificates\n\nIn this section you will copy the various certificates to every machine at a path where each Kubernetes component will search for its certificate pair. In a real-world environment these certificates should be treated like a set of sensitive secrets as they are used as credentials by the Kubernetes components to authenticate to each other.\n\nCopy the appropriate certificates and private keys to the `node-0` and `node-1` machines:\n\n```bash\nfor host in node-0 node-1; do\n  ssh root@${host} mkdir /var/lib/kubelet/\n\n  scp ca.crt root@${host}:/var/lib/kubelet/\n\n  scp ${host}.crt \\\n    root@${host}:/var/lib/kubelet/kubelet.crt\n\n  scp ${host}.key \\\n    root@${host}:/var/lib/kubelet/kubelet.key\ndone\n```\n\nCopy the appropriate certificates and private keys to the `server` machine:\n\n```bash\nscp \\\n  ca.key ca.crt \\\n  kube-api-server.key kube-api-server.crt \\\n  service-accounts.key service-accounts.crt \\\n  root@server:~/\n```\n\n> The `kube-proxy`, `kube-controller-manager`, `kube-scheduler`, and `kubelet` client certificates will be used to generate client authentication configuration files in the next lab.\n\nNext: [Generating Kubernetes Configuration Files for Authentication](05-kubernetes-configuration-files.md)\n"
  },
  {
    "path": "docs/05-kubernetes-configuration-files.md",
    "content": "# Generating Kubernetes Configuration Files for Authentication\n\nIn this lab you will generate [Kubernetes client configuration files](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/), typically called kubeconfigs, which configure Kubernetes clients to connect and authenticate to Kubernetes API Servers.\n\n## Client Authentication Configs\n\nIn this section you will generate kubeconfig files for the `kubelet` and the `admin` user.\n\n### The kubelet Kubernetes Configuration File\n\nWhen generating kubeconfig files for Kubelets the client certificate matching the Kubelet's node name must be used. This will ensure Kubelets are properly authorized by the Kubernetes [Node Authorizer](https://kubernetes.io/docs/reference/access-authn-authz/node/).\n\n> The following commands must be run in the same directory used to generate the SSL certificates during the [Generating TLS Certificates](04-certificate-authority.md) lab.\n\nGenerate a kubeconfig file for the `node-0` and `node-1` worker nodes:\n\n```bash\nfor host in node-0 node-1; do\n  kubectl config set-cluster kubernetes-the-hard-way \\\n    --certificate-authority=ca.crt \\\n    --embed-certs=true \\\n    --server=https://server.kubernetes.local:6443 \\\n    --kubeconfig=${host}.kubeconfig\n\n  kubectl config set-credentials system:node:${host} \\\n    --client-certificate=${host}.crt \\\n    --client-key=${host}.key \\\n    --embed-certs=true \\\n    --kubeconfig=${host}.kubeconfig\n\n  kubectl config set-context default \\\n    --cluster=kubernetes-the-hard-way \\\n    --user=system:node:${host} \\\n    --kubeconfig=${host}.kubeconfig\n\n  kubectl config use-context default \\\n    --kubeconfig=${host}.kubeconfig\ndone\n```\n\nResults:\n\n```text\nnode-0.kubeconfig\nnode-1.kubeconfig\n```\n\n### The kube-proxy Kubernetes Configuration File\n\nGenerate a kubeconfig file for the `kube-proxy` service:\n\n```bash\n{\n  kubectl config set-cluster kubernetes-the-hard-way \\\n    --certificate-authority=ca.crt \\\n    --embed-certs=true \\\n    --server=https://server.kubernetes.local:6443 \\\n    --kubeconfig=kube-proxy.kubeconfig\n\n  kubectl config set-credentials system:kube-proxy \\\n    --client-certificate=kube-proxy.crt \\\n    --client-key=kube-proxy.key \\\n    --embed-certs=true \\\n    --kubeconfig=kube-proxy.kubeconfig\n\n  kubectl config set-context default \\\n    --cluster=kubernetes-the-hard-way \\\n    --user=system:kube-proxy \\\n    --kubeconfig=kube-proxy.kubeconfig\n\n  kubectl config use-context default \\\n    --kubeconfig=kube-proxy.kubeconfig\n}\n```\n\nResults:\n\n```text\nkube-proxy.kubeconfig\n```\n\n### The kube-controller-manager Kubernetes Configuration File\n\nGenerate a kubeconfig file for the `kube-controller-manager` service:\n\n```bash\n{\n  kubectl config set-cluster kubernetes-the-hard-way \\\n    --certificate-authority=ca.crt \\\n    --embed-certs=true \\\n    --server=https://server.kubernetes.local:6443 \\\n    --kubeconfig=kube-controller-manager.kubeconfig\n\n  kubectl config set-credentials system:kube-controller-manager \\\n    --client-certificate=kube-controller-manager.crt \\\n    --client-key=kube-controller-manager.key \\\n    --embed-certs=true \\\n    --kubeconfig=kube-controller-manager.kubeconfig\n\n  kubectl config set-context default \\\n    --cluster=kubernetes-the-hard-way \\\n    --user=system:kube-controller-manager \\\n    --kubeconfig=kube-controller-manager.kubeconfig\n\n  kubectl config use-context default \\\n    --kubeconfig=kube-controller-manager.kubeconfig\n}\n```\n\nResults:\n\n```text\nkube-controller-manager.kubeconfig\n```\n\n\n### The kube-scheduler Kubernetes Configuration File\n\nGenerate a kubeconfig file for the `kube-scheduler` service:\n\n```bash\n{\n  kubectl config set-cluster kubernetes-the-hard-way \\\n    --certificate-authority=ca.crt \\\n    --embed-certs=true \\\n    --server=https://server.kubernetes.local:6443 \\\n    --kubeconfig=kube-scheduler.kubeconfig\n\n  kubectl config set-credentials system:kube-scheduler \\\n    --client-certificate=kube-scheduler.crt \\\n    --client-key=kube-scheduler.key \\\n    --embed-certs=true \\\n    --kubeconfig=kube-scheduler.kubeconfig\n\n  kubectl config set-context default \\\n    --cluster=kubernetes-the-hard-way \\\n    --user=system:kube-scheduler \\\n    --kubeconfig=kube-scheduler.kubeconfig\n\n  kubectl config use-context default \\\n    --kubeconfig=kube-scheduler.kubeconfig\n}\n```\n\nResults:\n\n```text\nkube-scheduler.kubeconfig\n```\n\n### The admin Kubernetes Configuration File\n\nGenerate a kubeconfig file for the `admin` user:\n\n```bash\n{\n  kubectl config set-cluster kubernetes-the-hard-way \\\n    --certificate-authority=ca.crt \\\n    --embed-certs=true \\\n    --server=https://127.0.0.1:6443 \\\n    --kubeconfig=admin.kubeconfig\n\n  kubectl config set-credentials admin \\\n    --client-certificate=admin.crt \\\n    --client-key=admin.key \\\n    --embed-certs=true \\\n    --kubeconfig=admin.kubeconfig\n\n  kubectl config set-context default \\\n    --cluster=kubernetes-the-hard-way \\\n    --user=admin \\\n    --kubeconfig=admin.kubeconfig\n\n  kubectl config use-context default \\\n    --kubeconfig=admin.kubeconfig\n}\n```\n\nResults:\n\n```text\nadmin.kubeconfig\n```\n\n## Distribute the Kubernetes Configuration Files\n\nCopy the `kubelet` and `kube-proxy` kubeconfig files to the `node-0` and `node-1` machines:\n\n```bash\nfor host in node-0 node-1; do\n  ssh root@${host} \"mkdir -p /var/lib/{kube-proxy,kubelet}\"\n\n  scp kube-proxy.kubeconfig \\\n    root@${host}:/var/lib/kube-proxy/kubeconfig \\\n\n  scp ${host}.kubeconfig \\\n    root@${host}:/var/lib/kubelet/kubeconfig\ndone\n```\n\nCopy the `kube-controller-manager` and `kube-scheduler` kubeconfig files to the `server` machine:\n\n```bash\nscp admin.kubeconfig \\\n  kube-controller-manager.kubeconfig \\\n  kube-scheduler.kubeconfig \\\n  root@server:~/\n```\n\nNext: [Generating the Data Encryption Config and Key](06-data-encryption-keys.md)\n"
  },
  {
    "path": "docs/06-data-encryption-keys.md",
    "content": "# Generating the Data Encryption Config and Key\n\nKubernetes stores a variety of data including cluster state, application configurations, and secrets. Kubernetes supports the ability to [encrypt](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data) cluster data at rest.\n\nIn this lab you will generate an encryption key and an [encryption config](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration) suitable for encrypting Kubernetes Secrets.\n\n## The Encryption Key\n\nGenerate an encryption key:\n\n```bash\nexport ENCRYPTION_KEY=$(head -c 32 /dev/urandom | base64)\n```\n\n## The Encryption Config File\n\nCreate the `encryption-config.yaml` encryption config file:\n\n```bash\nenvsubst < configs/encryption-config.yaml \\\n  > encryption-config.yaml\n```\n\nCopy the `encryption-config.yaml` encryption config file to each controller instance:\n\n```bash\nscp encryption-config.yaml root@server:~/\n```\n\nNext: [Bootstrapping the etcd Cluster](07-bootstrapping-etcd.md)\n"
  },
  {
    "path": "docs/07-bootstrapping-etcd.md",
    "content": "# Bootstrapping the etcd Cluster\n\nKubernetes components are stateless and store cluster state in [etcd](https://github.com/etcd-io/etcd). In this lab you will bootstrap a single node etcd cluster.\n\n## Prerequisites\n\nCopy `etcd` binaries and systemd unit files to the `server` machine:\n\n```bash\nscp \\\n  downloads/controller/etcd \\\n  downloads/client/etcdctl \\\n  units/etcd.service \\\n  root@server:~/\n```\n\nThe commands in this lab must be run on the `server` machine. Login to the `server` machine using the `ssh` command. Example:\n\n```bash\nssh root@server\n```\n\n## Bootstrapping an etcd Cluster\n\n### Install the etcd Binaries\n\nExtract and install the `etcd` server and the `etcdctl` command line utility:\n\n```bash\n{\n  mv etcd etcdctl /usr/local/bin/\n}\n```\n\n### Configure the etcd Server\n\n```bash\n{\n  mkdir -p /etc/etcd /var/lib/etcd\n  chmod 700 /var/lib/etcd\n  cp ca.crt kube-api-server.key kube-api-server.crt \\\n    /etc/etcd/\n}\n```\n\nEach etcd member must have a unique name within an etcd cluster. Set the etcd name to match the hostname of the current compute instance:\n\nCreate the `etcd.service` systemd unit file:\n\n```bash\nmv etcd.service /etc/systemd/system/\n```\n\n### Start the etcd Server\n\n```bash\n{\n  systemctl daemon-reload\n  systemctl enable etcd\n  systemctl start etcd\n}\n```\n\n## Verification\n\nList the etcd cluster members:\n\n```bash\netcdctl member list\n```\n\n```text\n6702b0a34e2cfd39, started, controller, http://127.0.0.1:2380, http://127.0.0.1:2379, false\n```\n\nNext: [Bootstrapping the Kubernetes Control Plane](08-bootstrapping-kubernetes-controllers.md)\n"
  },
  {
    "path": "docs/08-bootstrapping-kubernetes-controllers.md",
    "content": "# Bootstrapping the Kubernetes Control Plane\n\nIn this lab you will bootstrap the Kubernetes control plane. The following components will be installed on the `server` machine: Kubernetes API Server, Scheduler, and Controller Manager.\n\n## Prerequisites\n\nConnect to the `jumpbox` and copy Kubernetes binaries and systemd unit files to the `server` machine:\n\n```bash\nscp \\\n  downloads/controller/kube-apiserver \\\n  downloads/controller/kube-controller-manager \\\n  downloads/controller/kube-scheduler \\\n  downloads/client/kubectl \\\n  units/kube-apiserver.service \\\n  units/kube-controller-manager.service \\\n  units/kube-scheduler.service \\\n  configs/kube-scheduler.yaml \\\n  configs/kube-apiserver-to-kubelet.yaml \\\n  root@server:~/\n```\n\nThe commands in this lab must be run on the `server` machine. Login to the `server` machine using the `ssh` command. Example:\n\n```bash\nssh root@server\n```\n\n## Provision the Kubernetes Control Plane\n\nCreate the Kubernetes configuration directory:\n\n```bash\nmkdir -p /etc/kubernetes/config\n```\n\n### Install the Kubernetes Controller Binaries\n\nInstall the Kubernetes binaries:\n\n```bash\n{\n  mv kube-apiserver \\\n    kube-controller-manager \\\n    kube-scheduler kubectl \\\n    /usr/local/bin/\n}\n```\n\n### Configure the Kubernetes API Server\n\n```bash\n{\n  mkdir -p /var/lib/kubernetes/\n\n  mv ca.crt ca.key \\\n    kube-api-server.key kube-api-server.crt \\\n    service-accounts.key service-accounts.crt \\\n    encryption-config.yaml \\\n    /var/lib/kubernetes/\n}\n```\n\nCreate the `kube-apiserver.service` systemd unit file:\n\n```bash\nmv kube-apiserver.service \\\n  /etc/systemd/system/kube-apiserver.service\n```\n\n### Configure the Kubernetes Controller Manager\n\nMove the `kube-controller-manager` kubeconfig into place:\n\n```bash\nmv kube-controller-manager.kubeconfig /var/lib/kubernetes/\n```\n\nCreate the `kube-controller-manager.service` systemd unit file:\n\n```bash\nmv kube-controller-manager.service /etc/systemd/system/\n```\n\n### Configure the Kubernetes Scheduler\n\nMove the `kube-scheduler` kubeconfig into place:\n\n```bash\nmv kube-scheduler.kubeconfig /var/lib/kubernetes/\n```\n\nCreate the `kube-scheduler.yaml` configuration file:\n\n```bash\nmv kube-scheduler.yaml /etc/kubernetes/config/\n```\n\nCreate the `kube-scheduler.service` systemd unit file:\n\n```bash\nmv kube-scheduler.service /etc/systemd/system/\n```\n\n### Start the Controller Services\n\n```bash\n{\n  systemctl daemon-reload\n\n  systemctl enable kube-apiserver \\\n    kube-controller-manager kube-scheduler\n\n  systemctl start kube-apiserver \\\n    kube-controller-manager kube-scheduler\n}\n```\n\n> Allow up to 10 seconds for the Kubernetes API Server to fully initialize.\n\nYou can check if any of the control plane components are active using the `systemctl` command. For example, to check if the `kube-apiserver` fully initialized, and active, run the following command:\n\n```bash\nsystemctl is-active kube-apiserver\n```\n\nFor a more detailed status check, which includes additional process information and log messages, use the `systemctl status` command:\n\n```bash\nsystemctl status kube-apiserver\n```\n\nIf you run into any errors, or want to view the logs for any of the control plane components, use the `journalctl` command. For example, to view the logs for the `kube-apiserver` run the following command:\n\n```bash\njournalctl -u kube-apiserver\n```\n\n### Verification\n\nAt this point the Kubernetes control plane components should be up and running. Verify this using the `kubectl` command line tool:\n\n```bash\nkubectl cluster-info \\\n  --kubeconfig admin.kubeconfig\n```\n\n```text\nKubernetes control plane is running at https://127.0.0.1:6443\n```\n\n## RBAC for Kubelet Authorization\n\nIn this section you will configure RBAC permissions to allow the Kubernetes API Server to access the Kubelet API on each worker node. Access to the Kubelet API is required for retrieving metrics, logs, and executing commands in pods.\n\n> This tutorial sets the Kubelet `--authorization-mode` flag to `Webhook`. Webhook mode uses the [SubjectAccessReview](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access) API to determine authorization.\n\nThe commands in this section will affect the entire cluster and only need to be run on the `server` machine.\n\n```bash\nssh root@server\n```\n\nCreate the `system:kube-apiserver-to-kubelet` [ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) with permissions to access the Kubelet API and perform most common tasks associated with managing pods:\n\n```bash\nkubectl apply -f kube-apiserver-to-kubelet.yaml \\\n  --kubeconfig admin.kubeconfig\n```\n\n### Verification\n\nAt this point the Kubernetes control plane is up and running. Run the following commands from the `jumpbox` machine to verify it's working:\n\nMake a HTTP request for the Kubernetes version info:\n\n```bash\ncurl --cacert ca.crt \\\n  https://server.kubernetes.local:6443/version\n```\n\n```text\n{\n  \"major\": \"1\",\n  \"minor\": \"32\",\n  \"gitVersion\": \"v1.32.3\",\n  \"gitCommit\": \"32cc146f75aad04beaaa245a7157eb35063a9f99\",\n  \"gitTreeState\": \"clean\",\n  \"buildDate\": \"2025-03-11T19:52:21Z\",\n  \"goVersion\": \"go1.23.6\",\n  \"compiler\": \"gc\",\n  \"platform\": \"linux/arm64\"\n}\n```\n\nNext: [Bootstrapping the Kubernetes Worker Nodes](09-bootstrapping-kubernetes-workers.md)\n"
  },
  {
    "path": "docs/09-bootstrapping-kubernetes-workers.md",
    "content": "# Bootstrapping the Kubernetes Worker Nodes\n\nIn this lab you will bootstrap two Kubernetes worker nodes. The following components will be installed: [runc](https://github.com/opencontainers/runc), [container networking plugins](https://github.com/containernetworking/cni), [containerd](https://github.com/containerd/containerd), [kubelet](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet), and [kube-proxy](https://kubernetes.io/docs/concepts/cluster-administration/proxies).\n\n## Prerequisites\n\nThe commands in this section must be run from the `jumpbox`.\n\nCopy the Kubernetes binaries and systemd unit files to each worker instance:\n\n```bash\nfor HOST in node-0 node-1; do\n  SUBNET=$(grep ${HOST} machines.txt | cut -d \" \" -f 4)\n  sed \"s|SUBNET|$SUBNET|g\" \\\n    configs/10-bridge.conf > 10-bridge.conf\n\n  sed \"s|SUBNET|$SUBNET|g\" \\\n    configs/kubelet-config.yaml > kubelet-config.yaml\n\n  scp 10-bridge.conf kubelet-config.yaml \\\n  root@${HOST}:~/\ndone\n```\n\n```bash\nfor HOST in node-0 node-1; do\n  scp \\\n    downloads/worker/* \\\n    downloads/client/kubectl \\\n    configs/99-loopback.conf \\\n    configs/containerd-config.toml \\\n    configs/kube-proxy-config.yaml \\\n    units/containerd.service \\\n    units/kubelet.service \\\n    units/kube-proxy.service \\\n    root@${HOST}:~/\ndone\n```\n\n```bash\nfor HOST in node-0 node-1; do\n  scp \\\n    downloads/cni-plugins/* \\\n    root@${HOST}:~/cni-plugins/\ndone\n```\n\nThe commands in the next section must be run on each worker instance: `node-0`, `node-1`. Login to the worker instance using the `ssh` command. Example:\n\n```bash\nssh root@node-0\n```\n\n## Provisioning a Kubernetes Worker Node\n\nInstall the OS dependencies:\n\n```bash\n{\n  apt-get update\n  apt-get -y install socat conntrack ipset kmod\n}\n```\n\n> The socat binary enables support for the `kubectl port-forward` command.\n\nDisable Swap\n\nKubernetes has limited support for the use of swap memory, as it is difficult to provide guarantees and account for pod memory utilization when swap is involved.\n\nVerify if swap is disabled:\n\n```bash\nswapon --show\n```\n\nIf output is empty then swap is disabled. If swap is enabled run the following command to disable swap immediately:\n\n```bash\nswapoff -a\n```\n\n> To ensure swap remains off after reboot consult your Linux distro documentation.\n\nCreate the installation directories:\n\n```bash\nmkdir -p \\\n  /etc/cni/net.d \\\n  /opt/cni/bin \\\n  /var/lib/kubelet \\\n  /var/lib/kube-proxy \\\n  /var/lib/kubernetes \\\n  /var/run/kubernetes\n```\n\nInstall the worker binaries:\n\n```bash\n{\n  mv crictl kube-proxy kubelet runc \\\n    /usr/local/bin/\n  mv containerd containerd-shim-runc-v2 containerd-stress /bin/\n  mv cni-plugins/* /opt/cni/bin/\n}\n```\n\n### Configure CNI Networking\n\nCreate the `bridge` network configuration file:\n\n```bash\nmv 10-bridge.conf 99-loopback.conf /etc/cni/net.d/\n```\n\nTo ensure network traffic crossing the CNI `bridge` network is processed by `iptables`, load and configure the `br-netfilter` kernel module:\n\n```bash\n{\n  modprobe br-netfilter\n  echo \"br-netfilter\" >> /etc/modules-load.d/modules.conf\n}\n```\n\n```bash\n{\n  echo \"net.bridge.bridge-nf-call-iptables = 1\" \\\n    >> /etc/sysctl.d/kubernetes.conf\n  echo \"net.bridge.bridge-nf-call-ip6tables = 1\" \\\n    >> /etc/sysctl.d/kubernetes.conf\n  sysctl -p /etc/sysctl.d/kubernetes.conf\n}\n```\n\n### Configure containerd\n\nInstall the `containerd` configuration files:\n\n```bash\n{\n  mkdir -p /etc/containerd/\n  mv containerd-config.toml /etc/containerd/config.toml\n  mv containerd.service /etc/systemd/system/\n}\n```\n\n### Configure the Kubelet\n\nCreate the `kubelet-config.yaml` configuration file:\n\n```bash\n{\n  mv kubelet-config.yaml /var/lib/kubelet/\n  mv kubelet.service /etc/systemd/system/\n}\n```\n\n### Configure the Kubernetes Proxy\n\n```bash\n{\n  mv kube-proxy-config.yaml /var/lib/kube-proxy/\n  mv kube-proxy.service /etc/systemd/system/\n}\n```\n\n### Start the Worker Services\n\n```bash\n{\n  systemctl daemon-reload\n  systemctl enable containerd kubelet kube-proxy\n  systemctl start containerd kubelet kube-proxy\n}\n```\n\nCheck if the kubelet service is running:\n\n```bash\nsystemctl is-active kubelet\n```\n\n```text\nactive\n```\n\nBe sure to complete the steps in this section on each worker node, `node-0` and `node-1`, before moving on to the next section.\n\n## Verification\n\nRun the following commands from the `jumpbox` machine.\n\nList the registered Kubernetes nodes:\n\n```bash\nssh root@server \\\n  \"kubectl get nodes \\\n  --kubeconfig admin.kubeconfig\"\n```\n\n```\nNAME     STATUS   ROLES    AGE    VERSION\nnode-0   Ready    <none>   1m     v1.32.3\nnode-1   Ready    <none>   10s    v1.32.3\n```\n\nNext: [Configuring kubectl for Remote Access](10-configuring-kubectl.md)\n"
  },
  {
    "path": "docs/10-configuring-kubectl.md",
    "content": "# Configuring kubectl for Remote Access\n\nIn this lab you will generate a kubeconfig file for the `kubectl` command line utility based on the `admin` user credentials.\n\n> Run the commands in this lab from the `jumpbox` machine.\n\n## The Admin Kubernetes Configuration File\n\nEach kubeconfig requires a Kubernetes API Server to connect to.\n\nYou should be able to ping `server.kubernetes.local` based on the `/etc/hosts` DNS entry from a previous lab.\n\n```bash\ncurl --cacert ca.crt \\\n  https://server.kubernetes.local:6443/version\n```\n\n```text\n{\n  \"major\": \"1\",\n  \"minor\": \"32\",\n  \"gitVersion\": \"v1.32.3\",\n  \"gitCommit\": \"32cc146f75aad04beaaa245a7157eb35063a9f99\",\n  \"gitTreeState\": \"clean\",\n  \"buildDate\": \"2025-03-11T19:52:21Z\",\n  \"goVersion\": \"go1.23.6\",\n  \"compiler\": \"gc\",\n  \"platform\": \"linux/arm64\"\n}\n```\n\nGenerate a kubeconfig file suitable for authenticating as the `admin` user:\n\n```bash\n{\n  kubectl config set-cluster kubernetes-the-hard-way \\\n    --certificate-authority=ca.crt \\\n    --embed-certs=true \\\n    --server=https://server.kubernetes.local:6443\n\n  kubectl config set-credentials admin \\\n    --client-certificate=admin.crt \\\n    --client-key=admin.key\n\n  kubectl config set-context kubernetes-the-hard-way \\\n    --cluster=kubernetes-the-hard-way \\\n    --user=admin\n\n  kubectl config use-context kubernetes-the-hard-way\n}\n```\nThe results of running the command above should create a kubeconfig file in the default location `~/.kube/config` used by the  `kubectl` commandline tool. This also means you can run the `kubectl` command without specifying a config.\n\n\n## Verification\n\nCheck the version of the remote Kubernetes cluster:\n\n```bash\nkubectl version\n```\n\n```text\nClient Version: v1.32.3\nKustomize Version: v5.5.0\nServer Version: v1.32.3\n```\n\nList the nodes in the remote Kubernetes cluster:\n\n```bash\nkubectl get nodes\n```\n\n```\nNAME     STATUS   ROLES    AGE    VERSION\nnode-0   Ready    <none>   10m   v1.32.3\nnode-1   Ready    <none>   10m   v1.32.3\n```\n\nNext: [Provisioning Pod Network Routes](11-pod-network-routes.md)\n"
  },
  {
    "path": "docs/11-pod-network-routes.md",
    "content": "# Provisioning Pod Network Routes\n\nPods scheduled to a node receive an IP address from the node's Pod CIDR range. At this point pods can not communicate with other pods running on different nodes due to missing network [routes](https://cloud.google.com/compute/docs/vpc/routes).\n\nIn this lab you will create a route for each worker node that maps the node's Pod CIDR range to the node's internal IP address.\n\n> There are [other ways](https://kubernetes.io/docs/concepts/cluster-administration/networking/#how-to-achieve-this) to implement the Kubernetes networking model.\n\n## The Routing Table\n\nIn this section you will gather the information required to create routes in the `kubernetes-the-hard-way` VPC network.\n\nPrint the internal IP address and Pod CIDR range for each worker instance:\n\n```bash\n{\n  SERVER_IP=$(grep server machines.txt | cut -d \" \" -f 1)\n  NODE_0_IP=$(grep node-0 machines.txt | cut -d \" \" -f 1)\n  NODE_0_SUBNET=$(grep node-0 machines.txt | cut -d \" \" -f 4)\n  NODE_1_IP=$(grep node-1 machines.txt | cut -d \" \" -f 1)\n  NODE_1_SUBNET=$(grep node-1 machines.txt | cut -d \" \" -f 4)\n}\n```\n\n```bash\nssh root@server <<EOF\n  ip route add ${NODE_0_SUBNET} via ${NODE_0_IP}\n  ip route add ${NODE_1_SUBNET} via ${NODE_1_IP}\nEOF\n```\n\n```bash\nssh root@node-0 <<EOF\n  ip route add ${NODE_1_SUBNET} via ${NODE_1_IP}\nEOF\n```\n\n```bash\nssh root@node-1 <<EOF\n  ip route add ${NODE_0_SUBNET} via ${NODE_0_IP}\nEOF\n```\n\n## Verification \n\n```bash\nssh root@server ip route\n```\n\n```text\ndefault via XXX.XXX.XXX.XXX dev ens160 \n10.200.0.0/24 via XXX.XXX.XXX.XXX dev ens160 \n10.200.1.0/24 via XXX.XXX.XXX.XXX dev ens160 \nXXX.XXX.XXX.0/24 dev ens160 proto kernel scope link src XXX.XXX.XXX.XXX \n```\n\n```bash\nssh root@node-0 ip route\n```\n\n```text\ndefault via XXX.XXX.XXX.XXX dev ens160 \n10.200.1.0/24 via XXX.XXX.XXX.XXX dev ens160 \nXXX.XXX.XXX.0/24 dev ens160 proto kernel scope link src XXX.XXX.XXX.XXX \n```\n\n```bash\nssh root@node-1 ip route\n```\n\n```text\ndefault via XXX.XXX.XXX.XXX dev ens160 \n10.200.0.0/24 via XXX.XXX.XXX.XXX dev ens160 \nXXX.XXX.XXX.0/24 dev ens160 proto kernel scope link src XXX.XXX.XXX.XXX \n```\n\n\nNext: [Smoke Test](12-smoke-test.md)\n"
  },
  {
    "path": "docs/12-smoke-test.md",
    "content": "# Smoke Test\n\nIn this lab you will complete a series of tasks to ensure your Kubernetes cluster is functioning correctly.\n\n## Data Encryption\n\nIn this section you will verify the ability to [encrypt secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#verifying-that-data-is-encrypted).\n\nCreate a generic secret:\n\n```bash\nkubectl create secret generic kubernetes-the-hard-way \\\n  --from-literal=\"mykey=mydata\"\n```\n\nPrint a hexdump of the `kubernetes-the-hard-way` secret stored in etcd:\n\n```bash\nssh root@server \\\n    'etcdctl get /registry/secrets/default/kubernetes-the-hard-way | hexdump -C'\n```\n\n```text\n00000000  2f 72 65 67 69 73 74 72  79 2f 73 65 63 72 65 74  |/registry/secret|\n00000010  73 2f 64 65 66 61 75 6c  74 2f 6b 75 62 65 72 6e  |s/default/kubern|\n00000020  65 74 65 73 2d 74 68 65  2d 68 61 72 64 2d 77 61  |etes-the-hard-wa|\n00000030  79 0a 6b 38 73 3a 65 6e  63 3a 61 65 73 63 62 63  |y.k8s:enc:aescbc|\n00000040  3a 76 31 3a 6b 65 79 31  3a 4f 1b 80 d8 89 72 f4  |:v1:key1:O....r.|\n00000050  60 8a 2c a0 76 1a e1 dc  98 d6 00 7a a4 2f f3 92  |`.,.v......z./..|\n00000060  87 63 c9 22 f4 58 c8 27  b9 ff 2c 2e 1a b6 55 be  |.c.\".X.'..,...U.|\n00000070  d5 5c 4d 69 82 2f b7 e4  b3 b0 12 e1 58 c4 9c 77  |.\\Mi./......X..w|\n00000080  78 0c 1a 90 c9 c1 23 6c  73 8e 6e fd 8e 9c 3d 84  |x.....#ls.n...=.|\n00000090  7d bf 69 81 ce c9 aa 38  be 3b dd 66 aa a3 33 27  |}.i....8.;.f..3'|\n000000a0  df be 6d ac 1c 6d 8a 82  df b3 19 da 0f 93 94 1e  |..m..m..........|\n000000b0  e0 7d 46 8d b5 14 d0 c5  97 e2 94 76 26 a8 cb 33  |.}F........v&..3|\n000000c0  57 2a d0 27 a6 5a e1 76  a7 3f f0 b7 0a 7b ff 53  |W*.'.Z.v.?...{.S|\n000000d0  cf c9 1a 18 5b 45 f8 b1  06 3b a9 45 02 76 23 61  |....[E...;.E.v#a|\n000000e0  5e dc 86 cf 8e a4 d3 c9  5c 6a 6f e6 33 7b 5b 8f  |^.......\\jo.3{[.|\n000000f0  fb 8a 14 74 58 f9 49 2f  97 98 cc 5c d4 4a 10 1a  |...tX.I/...\\.J..|\n00000100  64 0a 79 21 68 a0 9e 7a  03 b7 19 e6 20 e4 1b ce  |d.y!h..z.... ...|\n00000110  91 64 ce 90 d9 4f 86 ca  fb 45 2f d6 56 93 68 e1  |.d...O...E/.V.h.|\n00000120  0b aa 8c a0 20 a6 97 fa  a1 de 07 6d 5b 4c 02 96  |.... ......m[L..|\n00000130  31 70 20 83 16 f9 0a 22  5c 63 ad f1 ea 41 a7 1e  |1p ....\"\\c...A..|\n00000140  29 1a d4 a4 e9 d7 0c 04  74 66 04 6d 73 d8 2e 3f  |).......tf.ms..?|\n00000150  f0 b9 2f 77 bd 07 d7 7c  42 0a                    |../w...|B.|\n0000015a\n```\n\nThe etcd key should be prefixed with `k8s:enc:aescbc:v1:key1`, which indicates the `aescbc` provider was used to encrypt the data with the `key1` encryption key.\n\n## Deployments\n\nIn this section you will verify the ability to create and manage [Deployments](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/).\n\nCreate a deployment for the [nginx](https://nginx.org/en/) web server:\n\n```bash\nkubectl create deployment nginx \\\n  --image=nginx:latest\n```\n\nList the pod created by the `nginx` deployment:\n\n```bash\nkubectl get pods -l app=nginx\n```\n\n```bash\nNAME                     READY   STATUS    RESTARTS   AGE\nnginx-56fcf95486-c8dnx   1/1     Running   0          8s\n```\n\n### Port Forwarding\n\nIn this section you will verify the ability to access applications remotely using [port forwarding](https://kubernetes.io/docs/tasks/access-application-cluster/port-forward-access-application-cluster/).\n\nRetrieve the full name of the `nginx` pod:\n\n```bash\nPOD_NAME=$(kubectl get pods -l app=nginx \\\n  -o jsonpath=\"{.items[0].metadata.name}\")\n```\n\nForward port `8080` on your local machine to port `80` of the `nginx` pod:\n\n```bash\nkubectl port-forward $POD_NAME 8080:80\n```\n\n```text\nForwarding from 127.0.0.1:8080 -> 80\nForwarding from [::1]:8080 -> 80\n```\n\nIn a new terminal make an HTTP request using the forwarding address:\n\n```bash\ncurl --head http://127.0.0.1:8080\n```\n\n```text\nHTTP/1.1 200 OK\nServer: nginx/1.27.4\nDate: Sun, 06 Apr 2025 17:17:12 GMT\nContent-Type: text/html\nContent-Length: 615\nLast-Modified: Wed, 05 Feb 2025 11:06:32 GMT\nConnection: keep-alive\nETag: \"67a34638-267\"\nAccept-Ranges: bytes\n```\n\nSwitch back to the previous terminal and stop the port forwarding to the `nginx` pod:\n\n```text\nForwarding from 127.0.0.1:8080 -> 80\nForwarding from [::1]:8080 -> 80\nHandling connection for 8080\n^C\n```\n\n### Logs\n\nIn this section you will verify the ability to [retrieve container logs](https://kubernetes.io/docs/concepts/cluster-administration/logging/).\n\nPrint the `nginx` pod logs:\n\n```bash\nkubectl logs $POD_NAME\n```\n\n```text\n...\n127.0.0.1 - - [06/Apr/2025:17:17:12 +0000] \"HEAD / HTTP/1.1\" 200 0 \"-\" \"curl/7.88.1\" \"-\"\n```\n\n### Exec\n\nIn this section you will verify the ability to [execute commands in a container](https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/#running-individual-commands-in-a-container).\n\nPrint the nginx version by executing the `nginx -v` command in the `nginx` container:\n\n```bash\nkubectl exec -ti $POD_NAME -- nginx -v\n```\n\n```text\nnginx version: nginx/1.27.4\n```\n\n## Services\n\nIn this section you will verify the ability to expose applications using a [Service](https://kubernetes.io/docs/concepts/services-networking/service/).\n\nExpose the `nginx` deployment using a [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) service:\n\n```bash\nkubectl expose deployment nginx \\\n  --port 80 --type NodePort\n```\n\n> The LoadBalancer service type can not be used because your cluster is not configured with [cloud provider integration](https://kubernetes.io/docs/getting-started-guides/scratch/#cloud-provider). Setting up cloud provider integration is out of scope for this tutorial.\n\nRetrieve the node port assigned to the `nginx` service:\n\n```bash\nNODE_PORT=$(kubectl get svc nginx \\\n  --output=jsonpath='{range .spec.ports[0]}{.nodePort}')\n```\n\nRetrieve the hostname of the node running the `nginx` pod:\n\n```bash\nNODE_NAME=$(kubectl get pods \\\n  -l app=nginx \\\n  -o jsonpath=\"{.items[0].spec.nodeName}\")\n```\n\nMake an HTTP request using the IP address and the `nginx` node port:\n\n```bash\ncurl -I http://${NODE_NAME}:${NODE_PORT}\n```\n\n```text\nServer: nginx/1.27.4\nDate: Sun, 06 Apr 2025 17:18:36 GMT\nContent-Type: text/html\nContent-Length: 615\nLast-Modified: Wed, 05 Feb 2025 11:06:32 GMT\nConnection: keep-alive\nETag: \"67a34638-267\"\nAccept-Ranges: bytes\n```\n\nNext: [Cleaning Up](13-cleanup.md)\n"
  },
  {
    "path": "docs/13-cleanup.md",
    "content": "# Cleaning Up\n\nIn this lab you will delete the compute resources created during this tutorial.\n\n## Compute Instances\n\nPrevious versions of this guide made use of GCP resources for various aspects of compute and networking. The current version is agnostic, and all configuration is performed on the `jumpbox`, `server`, or nodes.\n\nClean up is as simple as deleting all virtual machines you created for this exercise.\n\nNext: [Start Over](../README.md)\n"
  },
  {
    "path": "downloads-amd64.txt",
    "content": "https://dl.k8s.io/v1.32.3/bin/linux/amd64/kubectl\nhttps://dl.k8s.io/v1.32.3/bin/linux/amd64/kube-apiserver\nhttps://dl.k8s.io/v1.32.3/bin/linux/amd64/kube-controller-manager\nhttps://dl.k8s.io/v1.32.3/bin/linux/amd64/kube-scheduler\nhttps://dl.k8s.io/v1.32.3/bin/linux/amd64/kube-proxy\nhttps://dl.k8s.io/v1.32.3/bin/linux/amd64/kubelet\nhttps://github.com/kubernetes-sigs/cri-tools/releases/download/v1.32.0/crictl-v1.32.0-linux-amd64.tar.gz\nhttps://github.com/opencontainers/runc/releases/download/v1.3.0-rc.1/runc.amd64\nhttps://github.com/containernetworking/plugins/releases/download/v1.6.2/cni-plugins-linux-amd64-v1.6.2.tgz\nhttps://github.com/containerd/containerd/releases/download/v2.1.0-beta.0/containerd-2.1.0-beta.0-linux-amd64.tar.gz\nhttps://github.com/etcd-io/etcd/releases/download/v3.6.0-rc.3/etcd-v3.6.0-rc.3-linux-amd64.tar.gz\n"
  },
  {
    "path": "downloads-arm64.txt",
    "content": "https://dl.k8s.io/v1.32.3/bin/linux/arm64/kubectl\nhttps://dl.k8s.io/v1.32.3/bin/linux/arm64/kube-apiserver\nhttps://dl.k8s.io/v1.32.3/bin/linux/arm64/kube-controller-manager\nhttps://dl.k8s.io/v1.32.3/bin/linux/arm64/kube-scheduler\nhttps://dl.k8s.io/v1.32.3/bin/linux/arm64/kube-proxy\nhttps://dl.k8s.io/v1.32.3/bin/linux/arm64/kubelet\nhttps://github.com/kubernetes-sigs/cri-tools/releases/download/v1.32.0/crictl-v1.32.0-linux-arm64.tar.gz\nhttps://github.com/opencontainers/runc/releases/download/v1.3.0-rc.1/runc.arm64\nhttps://github.com/containernetworking/plugins/releases/download/v1.6.2/cni-plugins-linux-arm64-v1.6.2.tgz\nhttps://github.com/containerd/containerd/releases/download/v2.1.0-beta.0/containerd-2.1.0-beta.0-linux-arm64.tar.gz\nhttps://github.com/etcd-io/etcd/releases/download/v3.6.0-rc.3/etcd-v3.6.0-rc.3-linux-arm64.tar.gz\n"
  },
  {
    "path": "units/containerd.service",
    "content": "[Unit]\nDescription=containerd container runtime\nDocumentation=https://containerd.io\nAfter=network.target\n\n[Service]\nExecStartPre=/sbin/modprobe overlay\nExecStart=/bin/containerd\nRestart=always\nRestartSec=5\nDelegate=yes\nKillMode=process\nOOMScoreAdjust=-999\nLimitNOFILE=1048576\nLimitNPROC=infinity\nLimitCORE=infinity\n\n[Install]\nWantedBy=multi-user.target"
  },
  {
    "path": "units/etcd.service",
    "content": "[Unit]\nDescription=etcd\nDocumentation=https://github.com/etcd-io/etcd\n\n[Service]\nType=notify\nExecStart=/usr/local/bin/etcd \\\n  --name controller \\\n  --initial-advertise-peer-urls http://127.0.0.1:2380 \\\n  --listen-peer-urls http://127.0.0.1:2380 \\\n  --listen-client-urls http://127.0.0.1:2379 \\\n  --advertise-client-urls http://127.0.0.1:2379 \\\n  --initial-cluster-token etcd-cluster-0 \\\n  --initial-cluster controller=http://127.0.0.1:2380 \\\n  --initial-cluster-state new \\\n  --data-dir=/var/lib/etcd\nRestart=on-failure\nRestartSec=5\n\n[Install]\nWantedBy=multi-user.target\n"
  },
  {
    "path": "units/kube-apiserver.service",
    "content": "[Unit]\nDescription=Kubernetes API Server\nDocumentation=https://github.com/kubernetes/kubernetes\n\n[Service]\nExecStart=/usr/local/bin/kube-apiserver \\\n  --allow-privileged=true \\\n  --audit-log-maxage=30 \\\n  --audit-log-maxbackup=3 \\\n  --audit-log-maxsize=100 \\\n  --audit-log-path=/var/log/audit.log \\\n  --authorization-mode=Node,RBAC \\\n  --bind-address=0.0.0.0 \\\n  --client-ca-file=/var/lib/kubernetes/ca.crt \\\n  --enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\\n  --etcd-servers=http://127.0.0.1:2379 \\\n  --event-ttl=1h \\\n  --encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \\\n  --kubelet-certificate-authority=/var/lib/kubernetes/ca.crt \\\n  --kubelet-client-certificate=/var/lib/kubernetes/kube-api-server.crt \\\n  --kubelet-client-key=/var/lib/kubernetes/kube-api-server.key \\\n  --runtime-config='api/all=true' \\\n  --service-account-key-file=/var/lib/kubernetes/service-accounts.crt \\\n  --service-account-signing-key-file=/var/lib/kubernetes/service-accounts.key \\\n  --service-account-issuer=https://server.kubernetes.local:6443 \\\n  --service-node-port-range=30000-32767 \\\n  --tls-cert-file=/var/lib/kubernetes/kube-api-server.crt \\\n  --tls-private-key-file=/var/lib/kubernetes/kube-api-server.key \\\n  --v=2\nRestart=on-failure\nRestartSec=5\n\n[Install]\nWantedBy=multi-user.target\n"
  },
  {
    "path": "units/kube-controller-manager.service",
    "content": "[Unit]\nDescription=Kubernetes Controller Manager\nDocumentation=https://github.com/kubernetes/kubernetes\n\n[Service]\nExecStart=/usr/local/bin/kube-controller-manager \\\n  --bind-address=0.0.0.0 \\\n  --cluster-cidr=10.200.0.0/16 \\\n  --cluster-name=kubernetes \\\n  --cluster-signing-cert-file=/var/lib/kubernetes/ca.crt \\\n  --cluster-signing-key-file=/var/lib/kubernetes/ca.key \\\n  --kubeconfig=/var/lib/kubernetes/kube-controller-manager.kubeconfig \\\n  --root-ca-file=/var/lib/kubernetes/ca.crt \\\n  --service-account-private-key-file=/var/lib/kubernetes/service-accounts.key \\\n  --service-cluster-ip-range=10.32.0.0/24 \\\n  --use-service-account-credentials=true \\\n  --v=2\nRestart=on-failure\nRestartSec=5\n\n[Install]\nWantedBy=multi-user.target"
  },
  {
    "path": "units/kube-proxy.service",
    "content": "[Unit]\nDescription=Kubernetes Kube Proxy\nDocumentation=https://github.com/kubernetes/kubernetes\n\n[Service]\nExecStart=/usr/local/bin/kube-proxy \\\n  --config=/var/lib/kube-proxy/kube-proxy-config.yaml\nRestart=on-failure\nRestartSec=5\n\n[Install]\nWantedBy=multi-user.target"
  },
  {
    "path": "units/kube-scheduler.service",
    "content": "[Unit]\nDescription=Kubernetes Scheduler\nDocumentation=https://github.com/kubernetes/kubernetes\n\n[Service]\nExecStart=/usr/local/bin/kube-scheduler \\\n  --config=/etc/kubernetes/config/kube-scheduler.yaml \\\n  --v=2\nRestart=on-failure\nRestartSec=5\n\n[Install]\nWantedBy=multi-user.target"
  },
  {
    "path": "units/kubelet.service",
    "content": "[Unit]\nDescription=Kubernetes Kubelet\nDocumentation=https://github.com/kubernetes/kubernetes\nAfter=containerd.service\nRequires=containerd.service\n\n[Service]\nExecStart=/usr/local/bin/kubelet \\\n  --config=/var/lib/kubelet/kubelet-config.yaml \\\n  --kubeconfig=/var/lib/kubelet/kubeconfig \\\n  --v=2\nRestart=on-failure\nRestartSec=5\n\n[Install]\nWantedBy=multi-user.target\n"
  }
]