Kubernetes with Kops: Mostly Automated Installation with Terraform
Kops is a Kubernetes distribution that installs a Kubernetes cluster on cloud providers. Fully supported are AWS und GCE, and beta support exists for Digital Ocean, Hetzner and Open Stack.
This article is a tutorial for installing a 3 node Kubernetes cluster on AWS. We will quickly review the prerequisite requirements, then start the installation process. This encompasses the download of the AWS and kops binary, then creating AWS IAM users and an S3 Bucket, and finally the cluster configuration. In order to automate this process as much as possible, we will use Terraform to automate the installation.
You can clone the terraform project files from my Github project kubernetes-kops-terraform.
Prerequisites
To follow this tutorial, you need to have this:
- A fully registered and activated AWS account to create the required resources (IAM user, Rout53 DNS entries, AWS instances), and you should also be willing to pay for the AWS resources if you want to use the cluster for several days or weeks
- A domain name at which the cluster is publicly or privately reachable (you can use Amazon or any other domain registrar with which you can configure nameserver entries)
The installation happens from a dedicated computer which I call the kops controller. You will install the AWS cli and the kops binary on it, and you should be able to run Terraform from it. You can use the AWS GUI or CLI to create the resources, but I decided to use Terraform for automating as many installation steps as possible. AWS is complex, and I made generous use of the GUI and documentation to learn about the AWS resources that are created, and then put them into Terraform.
Part 1: Tool Installation
AWS CLI
To install the AWS CLI on a Linux host, execute the following commands in you shell:
$> curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
$> unzip awscliv2.zip
$> sudo ./aws/install
installer: Package name is AWS Command Line Interface
installer: Installing at base path /
installer: The install was successful.
$> aws --version
aws-cli/2.8.2 Python/3.9.11
Kops Binary
The kops binary is provided platform specifically compiled - fetch the correct version, make the binary executable, and put it into your shells executable path. For Linux it’s this:
curl -Lo kops https://github.com/kubernetes/kops/releases/download/$(curl -s https://api.github.com/repos/kubernetes/kops/releases/latest | grep tag_name | cut -d '"' -f 4)/kops-linux-amd64
chmod +x kops
sudo mv kops /usr/local/bin/
Terraform
Terraform is also a binary specific to your platform. When running Linux, use the following commands:
cd ~
wget https://releases.hashicorp.com/terraform/1.3.1/terraform_1.3.1_linux_amd64.zip
unzip terraform_1.3.1_linux_amd64.zip
chmod +x terraform
mv terraform /usr/local/bin
export PATH=$PATH:/usr/local/bin
Part 2: AWS Resource Creation
Environment Variables
Before starting, we need to define environment variables that will be used by the AWS cli via Terraform in order to authenticate and authorize changes with AWS.
As mentioned in the introduction, I decided to use Terraform as much as possible. Therefore, with an admin user first, we will create a new IAM user with the appropriate access rights. Then, all subsequent commands will be run as the new user.
Define these environment variables:
export AWS_ACCESS_KEY_ADMIN_USER=REDACTED
export AWS_SECRET_KEY_ADMIN_USER=REDACTED
export AWS_ACCESS_KEY_KOPS_USER=""
export AWS_SECRET_KEY_KOPS_USER=""
And then, for the following Terraform commands, we will set the context like this:
// Admin Context
export AWS_ACCESS_KEY=$AWS_ACCESS_KEY_ADMIN_USER
export AWS_SECRET_KEY=$AWS_SECRET_KEY_ADMIN_USER
IAM User
If you do not have an AWS account yet, create one on the AWS startpage.
An AWS user is given access right by defining policies. Working with AWS for the first time, I needed to invest some time in learning how AWS polices are defined and represented in Terraform. My approach is this:
- Check the requires
arn
policies of kops - For each line, identify the service that is being used. Example: From
arn:aws:iam::aws:policy/AmazonEC2FullAcces
itsec2
- Add all of these services in the notation
<servicename>:*
into a Terraform policy project.
When you are unsure, log into the AWS management console, create the policy, and study its JSON representation:
The final Terraform configuration is this:
// Admin Context
// export AWS_ACCESS_KEY=$AWS_ACCESS_KEY_ADMIN_USER
// export AWS_SECRET_KEY=$AWS_SECRET_KEY_ADMIN_USER
resource "aws_iam_user" "kops" {
name = "kops"
path = "/"
}
resource "aws_iam_user_policy" "kops_access" {
name = "kops_access"
user = aws_iam_user.kops.id
policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"ec2:*",
"route53:*",
"s3:*",
"iam:*",
"vpc:*",
"sqs:*",
"events:*",
"autoscaling:*",
"elasticloadbalancing:*"
],
"Resource" : "*"
}
]
})
}
This user will be used from hereon to create the other required resources. We need to get the users access keys first:
// Admin Context
// export AWS_ACCESS_KEY=$AWS_ACCESS_KEY_ADMIN_USER
// export AWS_SECRET_KEY=$AWS_SECRET_KEY_ADMIN_USER
resource "aws_iam_access_key" "kops" {
user = aws_iam_user.kops.id
}
output "kops_iam_key" {
value = aws_iam_access_key.kops.id
}
output "kops_iam_secret" {
value = aws_iam_access_key.kops.secret
sensitive = true
}
Then, using these outputs, we can get the secrets and store them in ENV vars:
export AWS_ACCESS_KEY_KOPS_USER=${$(terraform output kops_iam_key)}
export AWS_SECRET_KEY_KOPS_USER=${$(terraform output kops_iam_secret)}
Route53 Domain
When using Kops, the cluster needs an DNS entry that resolves to AWS. You cannot work with pure IP addresses. The kops documentation mentions several options: You can use a domain name registered with AWS or any other registrar, and you can use either a top-level domain or a subdomain. I decided to use a subdomain with my default registrar, and then create an AWS Rout53 domain definition that essentially provides nameserver entries that I need to put to my registrar.
The required Terraform config is this:
// Kops Context
// export AWS_ACCESS_KEY=$AWS_ACCESS_KEY_KOPS_USER
// export AWS_SECRET_KEY=$AWS_SECRET_KEY_KOPS_USER
resource "aws_route53_zone" "example_com" {
name = "example.com"
}
resource "aws_route53_zone" "k8s_example_com" {
name = "k8s.example.com"
}
resource "aws_route53_record" "dev-ns" {
zone_id = aws_route53_zone.example_com.zone_id
name = "k8s.example.com"
type = "NS"
ttl = "30"
records = aws_route53_zone.k8s_example_com.name_servers
}
During the run, all required resources will be created:
aws_iam_user.kops: Creating...
aws_iam_user.terraform: Creating...
aws_route53_zone.k8s_example_com: Creating...
aws_route53_zone.example_com: Creating...
...
aws_route53_zone.k8s_example_com: Creation complete after 54s [id=Z091510633HKXRCKOKW5K]
...
aws_route53_record.dev-ns: Creation complete after 48s [id=Z02685872Q1CYFRCQO740_k8s.example.com_NS]
Once completed, we access the Terraform state object to grab the nameserver entries:
terraform state show output.kops_name_servers
output.kops_name_servers = [
"ns-115.awsdns-14.com",
"ns-1433.awsdns-51.org",
"ns-1745.awsdns-26.co.uk",
"ns-752.awsdns-30.net",
]
Put those nameserver entries into your registrar, and check that the domain is reachable. I'm sorry to not provide any automation for this step.
S3 Bucket
The final part is to create an S3 Bucket that will hold the state of the Kops cluster (yes, there is no ETCD). Its rather easy, and as before, we define an output variable to catch the information that we need for kops.
// Kops Context
// export AWS_ACCESS_KEY=$AWS_ACCESS_KEY_KOPS_USER
// export AWS_SECRET_KEY=$AWS_SECRET_KEY_KOPS_USER
resource "aws_s3_bucket" "kops_state" {
bucket = "${random_pet.bucket_name.id}-kops-state"
}
resource "random_pet" "bucket_name" {}
output kops_bucket_name = aws_s3_bucket.kops_state
Part 3: Cluster Creation
Finally, we have all tools installed and all required resources setup. We can now create the cluster.
Setup
The cluster will be created in one of the availability zones of AWS. To see which ones are available, we will run the following AWS command:
$> aws ec2 describe-availability-zones --region eu-central-1
This will output a list of zones, typically they are enumerated following the schema <zone><{a..c}>
. Use one of the availability zones, define the domain name and run the following commands:
export KOPS_CLUSTER_NAME=k8s.example.com
export KOPS_BUCKET_NAME=${$(terraform output kops_bucket_name)//\"/}
export KOPS_STATE_STORE=s3://${KOPS_BUCKET_NAME}
$> kops create cluster \
--name=${KOPS_CLUSTER_NAME} \
--cloud=aws \
--ssh-public-key=.ssh/id_rsa.pub \
--zones=eu-central-1a \
--discovery-store=${KOPS_STATE_STORE}/${KOPS_CLUSTER_NAME}/discovery
This will create a configuration file describing your cluster. If you want to fine tune them, run the kops edit cluster
command: It will open a YAML file containing all cluster information. Kubernetes user will feel right at home. Amongst other, you can also define which Kubernetes version to use.
apiVersion: kops.k8s.io/v1alpha2
kind: Cluster
metadata:
creationTimestamp: "2022-10-16T18:39:36Z"
name: k8s.example.com
spec:
api:
dns: {}
authorization:
rbac: {}
channel: stable
cloudProvider: aws
configBase: s3://blessed-bat-kops-state/k8s.example.com
etcdClusters:
- cpuRequest: 200m
etcdMembers:
- encryptedVolume: true
instanceGroup: master-eu-central-1a
name: a
memoryRequest: 100Mi
name: main
- cpuRequest: 100m
etcdMembers:
- encryptedVolume: true
instanceGroup: master-eu-central-1a
name: a
memoryRequest: 100Mi
name: events
...
kubernetesVersion: 1.24.6
masterInternalName: api.internal.k8s.example.com
masterPublicName: api.k8s.example.com
networkCIDR: 172.20.0.0/16
networking:
kubenet: {}
nonMasqueradeCIDR: 100.64.0.0/10
When you are happy, run the following command:
$> kops update cluster --name ${KOPS_CLUSTER_NAME} --yes
... and see the cluster being created:
I1015 16:24:57.034956 5692 executor.go:111] Tasks: 0 done / 101 total; 50 can run
W1015 16:24:57.178958 5692 vfs_castore.go:379] CA private key was not found
I1015 16:24:57.199138 5692 keypair.go:225] Issuing new certificate: "etcd-clients-ca"
...
I1015 16:25:00.170992 5692 executor.go:111] Tasks: 97 done / 101 total; 2 can run
...
Cluster is starting. It should be ready in a few minutes.
Suggestions:
* validate cluster: kops validate cluster --wait 10m
* list nodes: kubectl get nodes --show-labels
* ssh to the master: ssh -i ~/.ssh/id_rsa ubuntu@api.k8s.example.com
* the ubuntu user is specific to Ubuntu. If not using Ubuntu please use the appropriate user based on your OS.
* read about installing addons at: https://kops.sigs.k8s.io/addons.
Part 4: Cluster Access and Maintenance
Kubeconfig and SSH Access
Like every other Kubernetes cluster, you need to use the kubeconfig file. Run the following command to configure kubectl
in your shell to access the new cluster:
kops export kubeconfig --admin
kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
i-04d11902bdae6741f Ready node 3m3s v1.24.6 172.20.44.129 3.120.193.125 Ubuntu 20.04.5 LTS 5.15.0-1020-aws containerd://1.6.8
i-0785e808463cabcfd Ready control-plane 4m10s v1.24.6 172.20.49.96 3.68.96.186 Ubuntu 20.04.5 LTS 5.15.0-1020-aws containerd://1.6.8
In addition, you can access the controller node with the created ssh key:
ssh -i .ssh/id_rsa.key ubuntu@api.k8s.example.com
top
iB Mem : 3864.0 total, 106.0 free, 866.1 used, 2891.9 buff/cache
MiB Swap: 0.0 total, 0.0 free, 0.0 used. 2722.1 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
4393 root 20 0 1174448 374632 74056 S 5.3 9.5 0:41.99 kube-apiserver
4576 root 20 0 10.7g 54144 23988 S 3.7 1.4 0:13.12 etcd
3642 root 20 0 1953272 102788 64404 S 2.0 2.6 0:15.43 kubelet
5007 root 20 0 819560 104940 62780 S 1.3 2.7 0:08.18 kube-controll+
3415 root 20 0 1728452 76664 39452 S 0.7 1.9 0:21.60 containerd
Conclusion
For installing a Kubernetes cluster, you have many options. One of them is kops which installs the cluster within AWS. For this, you need the AWS CLI or GUI to create an IAM user, S3 buckets, and route 53 DNS servers. In this article, I showed how to automate these steps using Terraform. With the correct setup of the required binaries and environment variables, you can execute the Terraform project and all AWS resources are created automatic. Then, use the kops binary to provision the cluster.