CoreOS + Kubernetes Step By Step

This guide will walk you through a deployment of a single-master/multi-worker Kubernetes cluster on CoreOS. We're going to:

  • configure an etcd cluster for Kubernetes to use
  • generate the required certificates for communication between Kubernetes components
  • deploy a master node
  • deploy worker nodes
  • configure kubectl to work with our cluster
  • deploy the DNS add-on
  • deploy the network policy add-on

Working through this guide may take you a few hours, but it will give you good understanding of the moving pieces of your cluster and set you up for success in the long run. For a shortcut, you can utilize these generic user-data scripts. Let's get started.

Deployment Options

The following variables will be used throughout this guide. Most of the provided defaults can safely be used, however some values such as ETCD_ENDPOINTS and MASTER_HOST will need to be customized to your infrastructure.

MASTER_HOST=no default

The address of the master node. In most cases this will be the publicly routable IP of the node. Worker nodes must be able to reach the master node(s) via this address on port 443. Additionally, external clients (such as an administrator using kubectl) will also need access, since this will run the Kubernetes API endpoint.

If you will be running a high-availability control-plane consisting of multiple master nodes, then MASTER_HOST will ideally be a network load balancer that sits in front of them. Alternatively, a DNS name can be configured which will resolve to the master IPs. How requests are routed to the master nodes will be an important consideration when creating the TLS certificates.


List of etcd machines (http://ip:port), comma separated. If you're running a cluster of 5 machines, list them all here.


The CIDR network to use for pod IPs. Each pod launched in the cluster will be assigned an IP out of this range. This network must be routable between all hosts in the cluster. In a default installation, the flannel overlay network will provide routing to this network.


The CIDR network to use for service cluster VIPs (Virtual IPs). Each service will be assigned a cluster IP out of this range. This must not overlap with any IP ranges assigned to the POD_NETWORK, or other existing network infrastructure. Routing to these VIPs is handled by a local kube-proxy service to each host, and are not required to be routable between hosts.


The VIP (Virtual IP) address of the Kubernetes API Service. If the SERVICE_IP_RANGE is changed above, this must be set to the first IP in that range.


The VIP (Virtual IP) address of the cluster DNS service. This IP must be in the range of the SERVICE_IP_RANGE and cannot be the first IP in the range. This same IP must be configured on all worker nodes to enable DNS service discovery.

Deploy etcd Cluster

Kubernetes uses etcd for data storage and for cluster consensus between different software components. Your etcd cluster will be heavily utilized since all objects storing within and every scheduling decision is recorded. It's recommended that you run a multi-machine cluster on dedicated hardware (with fast disks) to gain maximum performance and reliability of this important part of your cluster. For development environments, a single etcd is ok.


You can simply start etcd via cloud-config when you create your CoreOS machine or start it manually.

If you are starting etcd manually, we need to first configure it to listen on all interfaces:

  • Replace ${PUBLIC_IP} with the etcd machines publicly routable IP address.



Use the value of ETCD_ADVERTISE_CLIENT_URLS as the value of ETCD_ENDPOINTS in the rest of this guide.

Next, start etcd

$ sudo systemctl start etcd2

To ensure etcd starts after a reboot, enable it too:

$ sudo systemctl enable etcd2
Created symlink from /etc/systemd/system/ to /usr/lib64/systemd/system/etcd2.service.


It is highly recommended that etcd is run as a dedicated cluster separately from Kubernetes components.

Use the official etcd clustering guide to decide how best to deploy etcd into your environment.

Generate Kubernetes TLS Assets

The Kubernetes API has various methods for validating clients — this guide will configure the API server to use client certificate authentication.

This means it is necessary to have a Certificate Authority and generate the proper credentials. Generate the necessary assets from existing PKI infrastructure, or by following these OpenSSL-based instructions to create the needed certificates and keys.

In the following steps, it is assumed that you will have generated the following TLS assets:

Root CA Public Key


API Server Public & Private Keys



Worker Node Public & Private Keys

You should have one certificate/key set for every worker node in the planned cluster.



Cluster Admin Public & Private Keys



Is your etcd cluster up and running? You need the IPs for the next step.

Did you generate all of the certificates? You will place these on disk next.

Yes, ready to deploy the master node