Admin: Created page with "=Intro= Installation example of Kubernetes Cluster on Debian 11 Hosts used in this sample: c1-control-plane c1-worker-1 c1-worker-2 Host specs: VM's with 2CPUs, 4GB Ram each, running Debian11 '''Note''' No sudo was used in this Lab, instead work as root *Host file example of c1-control-plane 127.0.1.1 c1-control-plane 127.0.0.1 localhost 192.168.178.100 c1-control-plane vm-c1-control-plane 192.168.178.101 c1-worker-1 vm-c1-worker-1 192.168.178.1..."

2023-10-23T15:57:48Z

Created page with "=Intro= Installation example of Kubernetes Cluster on Debian 11 Hosts used in this sample: *c1-control-plane *c1-worker-1 *c1-worker-2 *Host specs: *VM's with 2CPUs, 4GB Ram each, running Debian11 *'''Note''' No sudo was used in this Lab, instead work as root *Host file example of c1-control-plane 127.0.1.1 c1-control-plane 127.0.0.1 localhost 192.168.178.100 c1-control-plane vm-c1-control-plane 192.168.178.101 c1-worker-1 vm-c1-worker-1 192.168.178.1..."

New page

=Intro=
Installation example of Kubernetes Cluster on Debian 11
Hosts used in this sample:
*c1-control-plane
*c1-worker-1
*c1-worker-2

*Host specs:
*VM's with 2CPUs, 4GB Ram each, running Debian11

*'''Note''' No sudo was used in this Lab, instead work as root

*Host file example of c1-control-plane
127.0.1.1 c1-control-plane
127.0.0.1 localhost
192.168.178.100 c1-control-plane vm-c1-control-plane
192.168.178.101 c1-worker-1 vm-c1-worker-1
192.168.178.102 c1-worker-2 vm-c1-worker-2

=Installation on Master and on all Nodes=
==Hostnames==
Hostnames used in this Lab, makle sure to add them into /etc/hosts on all machines
*c1-control-plane
*c1-worker-1
*c1-worker-2

==Load required modules and set kernel settings==
cat << EOF | tee /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF

cat << EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF

*Turn off swap
sudo sed -i '/swap/d' /etc/fstab

*Apply
modprobe overlay
modprobe br_netfilter
sysctl --system
swapoff -a

*Install an NTP server otherwise etcd will be mad.
apt install -y chrony

==Containerd==

*Requires the Docker repository
apt install -y curl gpg lsb-release apparmor apparmor-utils
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null

*Update and install
apt update
apt-get install -y containerd.io
*Create a default configuration
mkdir -p /etc/containerd
containerd config default | tee /etc/containerd/config.toml

*Open /etc/containerd/config.toml
**Search
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
*Underneath add or change to:
SystemdCgroup = true

*Restart and check the service
systemctl restart containerd
systemctl status containerd

==Kubernetes==
===Repository===
apt-get install -y apt-transport-https ca-certificates curl
echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.28/deb/ /" | sudo tee /etc/apt/sources.list.d/kubernetes.list
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
===Additional Packages===
*Need iptables
apt-get install -y iptables libiptc0/stable libxtables12/stable
*Need the containertools (https://github.com/flannel-io/flannel)
apt-get install containernetworking-plugins

===Install and Hold===
apt-get install -y kubelet kubeadm kubectl
apt-mark hold kubelet kubeadm kubectl

=Initialization - MASTER ONLY=
==Init==
'''ATTENTION''' As per Flannel requirement: You need to choose the below network
*https://gist.github.com/rkaramandi/44c7cea91501e735ea99e356e9ae7883
*https://stackoverflow.com/questions/48984659/understanding-kubeadm-init-command-for-flannel

# '''sudo kubeadm init --pod-network-cidr=10.244.0.0/16 --kubernetes-version 1.28.3'''

root@c1-control-plane:~# sudo kubeadm init --pod-network-cidr=10.244.0.0/16 --kubernetes-version 1.28.3
[init] Using Kubernetes version: v1.28.3
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
W1023 17:26:28.088349 876 checks.go:835] detected that the sandbox image "registry.k8s.io/pause:3.6" of the container runtime is inconsistent with that used by kubeadm. It is recommended that using
"registry.k8s.io/pause:3.9" as the CRI sandbox image.
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [c1-control-plane kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.2.47]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [c1-control-plane localhost] and IPs [192.168.2.47 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [c1-control-plane localhost] and IPs [192.168.2.47 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 9.505068 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node c1-control-plane as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node c1-control-plane as control-plane by adding the taints [node-role.kubernetes.io/control-plane:NoSchedule]
[bootstrap-token] Using token: hupohh.k18w02d2ow031qpj
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.2.47:6443 --token hupohh.k18w02d2ow031qpj \
--discovery-token-ca-cert-hash sha256:8ed8285288a7a332e80123cf347034b6f0361a358d7f44b19882cf317d33e834
root@c1-control-plane:~#

==Regular user setup==
Switch to a normal, non root user
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

==Before Flannel==
Before Flannel
vmadmin@vm-c1-control-plane:~$ '''kubectl get nodes'''
NAME STATUS ROLES AGE VERSION
vm-c1-control-plane '''NotReady''' control-plane 2m30s v1.28.3

==Apply Flannel==

# '''kubectl apply -f https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml'''

vmadmin@vm-c1-control-plane:~$ kubectl apply -f https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml
namespace/kube-flannel created
serviceaccount/flannel created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
configmap/kube-flannel-cfg created
daemonset.apps/kube-flannel-ds created

==After Flannel==
After Flannel - '''This may take a while'''
vmadmin@vm-c1-control-plane:~$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
vm-c1-control-plane '''Ready''' control-plane 3m35s v1.28.3

=Join the worker nodes=
==Node01==
# '''root@c1-worker-1:~# kubeadm join 192.168.2.47:6443 --token hupohh.k18w02d2ow031qpj --discovery-token-ca-cert-hash sha256:8ed8285288a7a332e80123cf347034b6f0361a358d7f44b19882cf317d33e834'''

root@c1-worker-1:~# kubeadm join 192.168.2.47:6443 --token hupohh.k18w02d2ow031qpj --discovery-token-ca-cert-hash sha256:8ed8285288a7a332e80123cf347034b6f0361a358d7f44b19882cf317d33e834
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

==Node02==
# '''root@c1-worker-1:~# kubeadm join 192.168.2.47:6443 --token hupohh.k18w02d2ow031qpj --discovery-token-ca-cert-hash sha256:8ed8285288a7a332e80123cf347034b6f0361a358d7f44b19882cf317d33e834'''

root@c1-worker-1:~# kubeadm join 192.168.2.47:6443 --token hupohh.k18w02d2ow031qpj --discovery-token-ca-cert-hash sha256:8ed8285288a7a332e80123cf347034b6f0361a358d7f44b19882cf317d33e834
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

==Show Results==
# '''kubectl get nodes'''
vmadmin@vm-c1-control-plane:~$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
vm-c1-control-plane Ready control-plane 7m37s v1.28.3
vm-c1-worker-1 Ready <none> 64s v1.28.3
vm-c1-worker-2 Ready <none> 58s v1.28.3

==Optional Labeling==
kubectl label node vm-c1-worker-1 node-role.kubernetes.io/worker=worker
kubectl label node vm-c1-worker-2 node-role.kubernetes.io/worker=worker

vmadmin@vm-c1-control-plane:~$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
vm-c1-control-plane Ready control-plane 4m51s v1.28.3
vm-c1-worker-1 Ready worker 2m56s v1.28.3
vm-c1-worker-2 Ready worker 2m5s v1.28.3

=Testing=
==Apply Test Pods==
*create nginx.yml
---
apiVersion: v1
kind: Pod
metadata:
name: nginx1
labels:
app: web
spec:
containers:
- name: nginx1
image: nginx
ports:
- containerPort: 80
---
apiVersion: v1
kind: Pod
metadata:
name: nginx2
labels:
app: web
spec:
containers:
- name: nginx2
image: nginx
ports:
- containerPort: 80

*Apply
# kubectl create -f nginx.yml

*The result should look like:
vmadmin@vm-c1-control-plane:~$ kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx1 1/1 Running 0 31s 10.244.2.4 vm-c1-worker-2 <none> <none>
nginx2 1/1 Running 0 31s 10.244.1.3 vm-c1-worker-1 <none> <none>

==Network Test==
*Connect to nginx1:
kubectl exec --stdin --tty nginx -- /bin/bash

*Install apps
root@nginx1:/# apt-get update
root@nginx1:/# apt-get install iputils-ping

*Ping Nginx2 (YES!!!)
root@nginx1:/# ping 10.244.1.3
PING 10.244.1.3 (10.244.1.3) 56(84) bytes of data.
64 bytes from 10.244.1.3: icmp_seq=1 ttl=62 time=0.563 ms

=References=
*Self installation using calico
https://www.howtoforge.de/anleitung/kubernetes-cluster-mit-kubeadm-auf-debian-11-einrichten/ 
https://www.linuxtechi.com/install-kubernetes-cluster-on-debian/ 
https://www.oueta.com/linux/create-a-debian-11-kubernetes-cluster-with-kubeadm/ 
*About calico
https://www.inovex.de/de/blog/kubernetes-networking-2-calico-cilium-weavenet/# 
*Interesting about installation via Ansible:
https://www.linuxsysadmins.com/install-kubernetes-cluster-with-ansible/ 
*About Container Network Interface (CNI) - Add Ons
https://kubernetes.io/docs/concepts/cluster-administration/addons/ 
https://platform9.com/blog/the-ultimate-guide-to-using-calico-flannel-weave-and-cilium/ 
https://kubevious.io/blog/post/comparing-kubernetes-container-network-interface-cni-providers 
https://www.linux-magazin.de/ausgaben/2017/08/netz-in-kubernetes/ 
https://ronaknathani.com/blog/2020/08/how-a-kubernetes-pod-gets-an-ip-address/ 
*Nice cheat sheet https://spacelift.io/blog/kubernetes-cheat-sheet
*Troubleshoot Flannel
https://www.continualintegration.com/miscellaneous-articles/how-do-you-solve-the-kubernetes-error-networkplugin-cni-failed-to-set-up-pod-network-open-run-flannel-subnet-env-no-such-file-or-directory/ 
https://www.programmersought.com/article/7824768991/ 
*Continue from Flannel
https://github.com/Thoorium/kubernetes-local-cluster-flannel-metallb-traefik

Install Kubernetes 1.28 on Debian 12 with Flannel - Revision history