
Week 21 - Bootstrap: VMs, Certificates, etcd

21.1 Conceptual Core

  • "Kubernetes the Hard Way" is Kelsey Hightower's exercise: bring up a Kubernetes cluster step by step, from raw VMs, generating certs by hand, configuring every flag explicitly. The point is not operational efficiency; it is deep understanding of every moving part.
  • This curriculum's hard-way variant: bring up 3 control-plane nodes + 3 worker nodes on cloud VMs (or bare metal). Use modern toolchain (containerd, Cilium, latest stable Kubernetes).

21.2 Mechanical Detail

  • VM provisioning: 6 VMs, ~2 vCPU 4 GB each. Cloud (AWS/GCP/Hetzner) or bare metal.
  • PKI: separate trust domains for etcd, the cluster (kube-apiserver, kubelets, controller-manager, scheduler) and the front-proxy, either as separate root CAs (what kubeadm does) or as one root with an intermediate per domain, so that a certificate issued in one domain is useless in another. Use cfssl, easy-rsa or plain openssl. Every component authenticates with an x509 client certificate whose subject (CN and O) is what RBAC and etcd's peer/client checks key on; server certificates need a SAN for every hostname and IP they are reached on, or clients will refuse them.
  • etcd cluster: 3 nodes, mTLS between peers and between clients and servers, both signed by the etcd CA (never the cluster CA), snapshots scheduled.
  • Bootstrap chicken-and-egg: the kubelet's kubeconfig points at a kube-apiserver that does not exist yet, and the kube-apiserver needs etcd before it can serve. Either run the control-plane components as static pods that the kubelet starts from manifests on disk without asking any apiserver (the kubeadm approach), or run them as plain systemd services on the VMs, outside the cluster.

21.3 Lab: Bring Up etcd

  1. Provision 3 VMs labeled etcd-{1,2,3}.
  2. Generate CA + per-node certs.
  3. Install etcd binaries; configure systemd units with mTLS.
  4. Bring up; verify with etcdctl member list (all three members present, none "unstarted") and etcdctl endpoint health --cluster (every endpoint healthy, so quorum exists). Both calls must present a client certificate, which also proves that --client-cert-auth is actually enforced.
  5. Take a snapshot with etcdctl snapshot save. Restore it on a separate test machine and read back a key you wrote before the snapshot, so the drill proves the data survived and not just that the restore command exited 0.
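The PKI bullet in 21.2 and lab steps 2 to 3, done with plain openssl instead of the cfssl/easy-rsa flow the curriculum names. This is an added example, not code from the curriculum; the node names, the 10.0.0.x addresses, the /etc/etcd/pki paths and the output directory are constructed for illustration. It creates a dedicated etcd CA, issues each node a combined peer/server certificate with the SANs etcd will be reached on, issues client-only certificates for kube-apiserver and etcdctl, checks what ended up in the certificates, and prints the TLS flags for the node's systemd ExecStart.

```shell
#!/usr/bin/env bash
# Added example (not the curriculum's code): etcd PKI with openssl.
# Assumed layout: certs in $PKI_DIR locally, copied to /etc/etcd/pki on each node.
set -eu
umask 077                                   # private keys are created 0600
PKI_DIR="${PKI_DIR:-./pki}"
CA_DAYS=3650
LEAF_DAYS=365

# Key + CSR for one identity. "x509 -req" ignores CSR extensions, so SANs and
# EKUs are always supplied by the signer via an extfile, never by the requester.
_csr() {   # _csr <name> <subject>
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null   # silences keygen progress dots
}

_sign() {  # _sign <csr> <out.crt> <days> <extfile> <signer flags...>
  local csr="$1" out="$2" days="$3" ext="$4"; shift 4
  openssl x509 -req -in "$csr" -days "$days" -extfile "$ext" -out "$out" "$@"
  rm -f "$csr" "$ext"
}

# A CA used only for etcd: a kubelet or front-proxy cert can never pass etcd's mTLS check.
make_etcd_ca() {
  mkdir -p "$PKI_DIR"
  local ext; ext="$(mktemp)"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >"$ext"
  _csr etcd-ca "/CN=etcd-ca"
  _sign "$PKI_DIR/etcd-ca.csr" "$PKI_DIR/etcd-ca.crt" "$CA_DAYS" "$ext" -signkey "$PKI_DIR/etcd-ca.key"
}

# One cert per node, used for both the peer (2380) and client-facing (2379) listeners.
# serverAuth: other peers and etcdctl verify it; clientAuth: the node presents it to its peers.
issue_node_cert() {  # issue_node_cert <node-name> <node-ip>
  local name="$1" ip="$2" ext; ext="$(mktemp)"
  cat >"$ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:$name,DNS:localhost,IP:$ip,IP:127.0.0.1
EOF
  _csr "$name" "/CN=$name"
  _sign "$PKI_DIR/$name.csr" "$PKI_DIR/$name.crt" "$LEAF_DAYS" "$ext" \
    -CA "$PKI_DIR/etcd-ca.crt" -CAkey "$PKI_DIR/etcd-ca.key" -CAcreateserial
}

# Client-only identity (kube-apiserver, etcdctl for admins/backups): no SAN, no serverAuth,
# so a stolen client cert cannot be used to impersonate an etcd member.
issue_client_cert() {  # issue_client_cert <name>
  local name="$1" ext; ext="$(mktemp)"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' >"$ext"
  _csr "$name" "/CN=$name/O=etcd-clients"
  _sign "$PKI_DIR/$name.csr" "$PKI_DIR/$name.crt" "$LEAF_DAYS" "$ext" \
    -CA "$PKI_DIR/etcd-ca.crt" -CAkey "$PKI_DIR/etcd-ca.key" -CAcreateserial
}

# Checks to run before copying anything to a node.
verify_cert()  { openssl verify -CAfile "$PKI_DIR/etcd-ca.crt" "$1" >/dev/null 2>&1; }
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -- "$2" >/dev/null; }
cert_has_eku() { openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -- "$2" >/dev/null; }

# TLS-related flags for the node's ExecStart (real etcd flag names; paths are the assumed /etc/etcd/pki).
# --client-cert-auth and --peer-client-cert-auth are what turn TLS into mutual TLS.
etcd_tls_flags() {  # etcd_tls_flags <node-name> <node-ip>
  local n="$1" ip="$2" d=/etc/etcd/pki
  printf -- '--name=%s ' "$n"
  printf -- '--cert-file=%s/%s.crt --key-file=%s/%s.key --trusted-ca-file=%s/etcd-ca.crt --client-cert-auth=true ' "$d" "$n" "$d" "$n" "$d"
  printf -- '--peer-cert-file=%s/%s.crt --peer-key-file=%s/%s.key --peer-trusted-ca-file=%s/etcd-ca.crt --peer-client-cert-auth=true ' "$d" "$n" "$d" "$n" "$d"
  printf -- '--listen-client-urls=https://%s:2379,https://127.0.0.1:2379 --advertise-client-urls=https://%s:2379 ' "$ip" "$ip"
  printf -- '--listen-peer-urls=https://%s:2380 --initial-advertise-peer-urls=https://%s:2380\n' "$ip" "$ip"
}

# Typical use (constructed names/addresses):
#   make_etcd_ca
#   issue_node_cert etcd-1 10.0.0.11; issue_node_cert etcd-2 10.0.0.12; issue_node_cert etcd-3 10.0.0.13
#   issue_client_cert kube-apiserver-etcd-client; issue_client_cert etcdctl-admin
#   etcd_tls_flags etcd-1 10.0.0.11   # paste into the unit together with --initial-cluster=...
```

Only the CA certificate and each node's own key pair leave the build host; etcd-ca.key stays offline, because whoever holds it can mint a peer certificate and join the cluster. The same script shape works for the cluster CA and front-proxy CA; the point of keeping them separate is exactly that `verify_cert` against the etcd CA fails for anything the other CAs issued.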

21.4 Hardening Drill

  • etcd has no built-in encryption at rest: every key and value, including every Kubernetes Secret, sits in plaintext in the bolt database under the data directory and in every snapshot file. The "encryption providers" configuration (EncryptionConfiguration, passed to kube-apiserver via --encryption-provider-config) is a kube-apiserver feature that encrypts Secrets before they are written to etcd; it is next week's topic and is separate from protecting etcd itself. For etcd, from day one: put the data directory on an encrypted volume (LUKS or the cloud provider's volume encryption), keep it 0700 and owned by the etcd user, and treat snapshots as sensitive as the etcd CA key.

21.5 Operations Slice

  • etcd backup automation: etcdctl snapshot save cron'd every 6 hours and shipped to S3. Check the file with etcdutl snapshot status before uploading (a truncated snapshot restores as an empty or broken cluster), encrypt it before it leaves the host (the snapshot holds every Secret in plaintext unless apiserver encryption is on), store it in a bucket the nodes can write to but not delete from, and verify a restore weekly on a separate machine by reading back known keys.
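The backup path described above as a script, added as an example rather than taken from the curriculum. It assumes etcd 3.5 or newer (so etcdutl exists), the etcdctl-admin client certificate and /etc/etcd/pki paths from the lab, the AWS CLI with an assumed bucket name in $BUCKET, and a passphrase file in $SNAP_KEYFILE that lives somewhere other than the volume you would be restoring. The snapshot is integrity-checked, encrypted with openssl before upload, and uploaded together with a digest of the plaintext so that the weekly restore drill can prove the bytes it decrypted are the bytes that were backed up.

```shell
#!/usr/bin/env bash
# Added example (not the curriculum's code): encrypted etcd snapshot backup and restore drill.
set -eu
ENDPOINT="${ENDPOINT:-https://127.0.0.1:2379}"
PKI="${PKI:-/etc/etcd/pki}"                            # assumed cert layout from the lab
BUCKET="${BUCKET:-example-etcd-backups}"               # assumed bucket name
SNAP_KEYFILE="${SNAP_KEYFILE:-/etc/etcd/snapshot.key}" # passphrase file, mode 0600, kept off the etcd volume

snapshot_name() { printf 'etcd-%s-%s.db' "$(uname -n)" "$(date -u +%Y%m%dT%H%M%SZ)"; }

sha256_of() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# Take the snapshot over mTLS, then let etcdutl parse it: a truncated or corrupt
# file fails here instead of during the restore you actually need.
take_snapshot() {  # take_snapshot <out.db>
  ETCDCTL_API=3 etcdctl --endpoints="$ENDPOINT" --cacert="$PKI/etcd-ca.crt" \
    --cert="$PKI/etcdctl-admin.crt" --key="$PKI/etcdctl-admin.key" snapshot save "$1"
  etcdutl snapshot status "$1" -w table
}

# openssl enc gives confidentiality only (no authentication tag), so the plaintext
# digest written by seal_snapshot is what detects a tampered or bit-rotted object.
encrypt_file() { openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt -pass "file:$SNAP_KEYFILE" -in "$1" -out "$2"; }
decrypt_file() { openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$SNAP_KEYFILE" -in "$1" -out "$2"; }

seal_snapshot() {   # seal_snapshot <in.db> <out.db.enc>  -> out.db.enc and out.db.enc.sha256
  sha256_of "$1" >"$2.sha256"
  encrypt_file "$1" "$2"
}

unseal_snapshot() { # unseal_snapshot <in.db.enc> <out.db>; non-zero if decryption or digest fails
  decrypt_file "$1" "$2"
  [ "$(sha256_of "$2")" = "$(cat "$1.sha256")" ]
}

upload() { aws s3 cp "$1" "s3://$BUCKET/$(uname -n)/$(basename "$1")" --sse AES256; }

backup_once() {
  local tmp db
  tmp="$(mktemp -d)"
  db="$tmp/$(snapshot_name)"
  take_snapshot "$db"
  seal_snapshot "$db" "$db.enc"
  upload "$db.enc"
  upload "$db.enc.sha256"
  rm -rf "$tmp"                                        # plaintext never outlives the run
}

# Weekly drill, run on a throwaway machine: decrypt, verify digest, rebuild a one-member
# data dir. Start etcd against $tmp/data afterwards and read back a known key to finish the drill.
restore_drill() {  # restore_drill <snapshot.db.enc>
  local tmp
  tmp="$(mktemp -d)"
  unseal_snapshot "$1" "$tmp/snap.db"
  etcdutl snapshot restore "$tmp/snap.db" --name drill --data-dir "$tmp/data" \
    --initial-cluster drill=https://127.0.0.1:2380 --initial-advertise-peer-urls https://127.0.0.1:2380
  [ -s "$tmp/data/member/snap/db" ]
  printf 'restored data dir: %s\n' "$tmp/data"
}

case "${1:-}" in
  backup) backup_once ;;
  drill)  restore_drill "$2" ;;
esac
```

Run it as `backup.sh backup` from cron on one etcd node (any member can serve a snapshot) and `backup.sh drill <file.db.enc>` on the test box after pulling the object and its .sha256 file down. The bucket policy should grant the nodes PutObject but not DeleteObject, so a compromised node cannot erase the history it just leaked.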
