Difference between revisions of "Kubeadm init ubuntu 24.04"
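--- a/lxd-vm-launch.sh
+++ b/lxd-vm-launch.sh
@@ -87,3 +87,45 @@
 get_join_command(){
 kubeadm token create --print-join-command
+}
+
+wip_harden_security(){
+# 1. Enable RBAC (Role-Based Access Control)
+kubectl create clusterrolebinding default-worker --clusterrole=cluster-role.rbac.authorization.k8s.io/system:node --serviceaccount=default:default
+
+# 2. Configure Network Policies (example: deny all by default)
+cat <<EOF | kubectl apply -f -
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: deny-all
+namespace: default
+spec:
+podSelector: {} # Apply to all pods in the namespace
+policyTypes:
+- Ingress
+- Egress
+ingress: [] # No ingress allowed by default
+egress: [] # No egress allowed by default
+EOF
+
+# 3. Enable Pod Security Policies (if supported by your Kubernetes version)
+# ... (Add PSP definitions and enforcement configurations here) ...
+
+# 4. Limit Resource Requests and Limits for Pods
+# ... (Modify deployments/deployments.yaml to include resource limits) ...
+
+# 5. Enable Audit Logging
+# ... (Configure audit logging using the Kubernetes API) ...
+
+# 6. Regularly update Kubernetes components
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/kubernetes/master/cluster/addons/kubernetes-dashboard/dashboard-rbac.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/kubernetes/master/cluster/addons/kubernetes-dashboard/dashboard.yaml
+
+# 7. Enable TLS encryption for API server communication
+# ... (Modify kube-apiserver configuration) ...
+
+# 8. Secure the Kubernetes API server
+# ... (Restrict access to the API server using firewall rules and authentication methods) ...
+
+# 9. Regularly review and update security best practices
 }
@@ -93,3 +135,4 @@
 set_kubectl_config
 add_calico_cni
+# harden_security
 ```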
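Review bot: Step 1 of wip_harden_security, the `kubectl create clusterrolebinding default-worker ... --serviceaccount=default:default` line, loosens access rather than hardening it: RBAC is already enabled on a kubeadm-initialised cluster, and binding the default namespace's `default` service account to a node-level ClusterRole would give every pod that runs under that service account node-level API permissions. The ClusterRole name given, `cluster-role.rbac.authorization.k8s.io/system:node`, contains a `/` and is likely rejected as an invalid RBAC object name (the bootstrap role is simply `system:node`), so the command probably fails today, but the line should still be replaced with a comment such as `# RBAC is enabled by kubeadm; never bind the default service account to system:node`. Step 6 applies dashboard manifests from the kubernetes repository's `master` branch, which is an unpinned moving target and not an update of cluster components; pin to a release tag or drop it. The second hunk comments out `# harden_security` while the function defined here is `wip_harden_security`; the two names should agree.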
Revision as of 05:44, 21 December 2024
Kubernetes multi-node cluster using kubeadm based on Ubuntu 24.04
- https://medium.com/@subhampradhan966/kubeadm-setup-for-ubuntu-24-04-lts-f6a5fc67f0df
- https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/
Scripts
lxd-vm-launch.sh
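#!/bin/bash
# Launch an Ubuntu 24.04 LXD virtual machine sized for a kubeadm node.
# Usage: lxd-vm-launch.sh <vm-name>
set -eu

# Fail with a usage message instead of an unset-variable error on "$1".
if [ "$#" -ne 1 ]; then
  printf 'Usage: %s <vm-name>\n' "${0##*/}" >&2
  exit 2
fi

export name="$1"
# 4 vCPU / 16 GB RAM VM; the root disk is enlarged before first boot.
lxc init ubuntu:24.04 --vm -c limits.cpu=4 -c limits.memory=16GB "$name"
lxc config device override "$name" root size=30GB
lxc start "$name"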
Create two VMs
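# One invocation per VM; on a single line the second script name and VM name
# would be passed as extra arguments to the first call.
./lxd-vm-launch.sh myk8s1
./lxd-vm-launch.sh myk8s2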
kubeadm-bootstrap.sh
#!/bin/bash
# kubeadm-bootstrap.sh: prepare an Ubuntu 24.04 host, run kubeadm init,
# configure kubectl for the current user and install the Calico CNI.
# Abort on any failing command or reference to an unset variable.
set -e
set -u
# Pod network CIDR handed to kubeadm init and to the Calico IP pool.
k8s_subnet='10.244.0.0/16'
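prep_vm(){
  # Prepare an Ubuntu 24.04 host for kubeadm: containerd with the systemd
  # cgroup driver, the pinned Kubernetes v1.30 apt repository, swap disabled,
  # and the kernel modules / sysctls the pod network needs.
  # Run the two apt steps separately so a failing 'apt update' is not
  # hidden from 'set -e' by the '&&' list.
  sudo apt update
  sudo apt upgrade -y
  sudo apt install -y apt-transport-https curl containerd
  sudo mkdir -p /etc/containerd
  containerd config default | sudo tee /etc/containerd/config.toml > /dev/null
  # kubelet on Ubuntu uses the systemd cgroup driver; containerd must match.
  sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
  sudo systemctl restart containerd
  # Download the repo signing key to a temp file first: the script runs without
  # pipefail, so a failed 'curl | gpg' pipeline could leave an empty keyring.
  local keyfile
  keyfile=$(mktemp)
  curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key -o "$keyfile"
  sudo mkdir -p -m 755 /etc/apt/keyrings
  sudo gpg --dearmor --yes -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg "$keyfile"
  rm -f -- "$keyfile"
  echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
  sudo apt update
  sudo apt install -y kubelet kubeadm kubectl
  # Hold the packages so unattended upgrades cannot skew versions across nodes.
  sudo apt-mark hold kubelet kubeadm kubectl
  sudo swapoff -a
  sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
  sudo modprobe overlay
  sudo modprobe br_netfilter
  # Persist the modules and sysctls so they survive a reboot.
  printf '%s\n' overlay br_netfilter | sudo tee /etc/modules-load.d/k8s.conf > /dev/null
  cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
  # Applying the new sysctl file needs root; previously this ran unprivileged.
  sudo sysctl --system
}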
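kubeadm_init(){
  # Initialise the control plane. --pod-network-cidr must match the Calico
  # IP pool configured in add_calico_cni; --v=5 gives verbose output.
  sudo kubeadm init --pod-network-cidr="${k8s_subnet}" --v=5
}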
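set_kubectl_config(){
  # Copy the kubeadm-generated admin kubeconfig into the current user's
  # ~/.kube so kubectl works without sudo. admin.conf carries cluster-admin
  # credentials, so the copy is kept owner-readable only.
  mkdir -p "$HOME/.kube"
  # -i keeps the prompt-before-overwrite behaviour when the script is re-run.
  sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
  sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
  chmod 600 "$HOME/.kube/config"
  # alternative # export KUBECONFIG=/etc/kubernetes/admin.conf
  kubectl get nodes
  kubectl get pods --all-namespaces
}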
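add_calico_cni(){
  # Install Calico through the Tigera operator and point its IP pool at the
  # kubeadm pod CIDR. Alternative CNI and upstream reference:
  # kubectl apply -f https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml
  # https://docs.tigera.io/calico/latest/getting-started/kubernetes/self-managed-onprem/onpremises
  kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/tigera-operator.yaml
  # -f makes a non-2xx response fail instead of saving an HTML error page as YAML.
  curl -fsSL https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/custom-resources.yaml -o custom-resources.yaml
  # 'kubectl create' has no --set flag; rewrite the pool cidr in the manifest
  # before applying it. '#' is the sed delimiter because the CIDR contains '/'.
  sed -i -E "s#^([[:space:]]*cidr:).*#\1 ${k8s_subnet}#" custom-resources.yaml
  kubectl create -f custom-resources.yaml
  # Poll (bounded) until the Calico pods are Ready. The interactive 'watch'
  # this replaces never returns on its own, which stalled the script here.
  local attempt
  for (( attempt = 0; attempt < 60; attempt++ )); do
    if kubectl wait --for=condition=Ready pod --all -n calico-system --timeout=10s > /dev/null 2>&1; then
      break
    fi
    sleep 5
  done
  kubectl get pods -n calico-system
}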
get_join_command(){
  # Print a fresh 'kubeadm join ...' line (new bootstrap token) for workers.
  local -a token_cmd=(kubeadm token create --print-join-command)
  "${token_cmd[@]}"
}
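wip_harden_security(){
  # Work-in-progress hardening for the default namespace. Each numbered step
  # is either a concrete command or a placeholder comment for manual follow-up.

  # 1. RBAC is already enabled on a kubeadm-initialised cluster. Binding the
  #    default service account to system:node is NOT a hardening step: it
  #    would hand node-level API permissions to every pod that runs under that
  #    service account, so no ClusterRoleBinding is created here.

  # 2. Configure Network Policies (example: deny all by default)
  cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
namespace: default
spec:
podSelector: {} # Apply to all pods in the namespace
policyTypes:
- Ingress
- Egress
ingress: [] # No ingress allowed by default
egress: [] # No egress allowed by default
EOF

  # 3. PodSecurityPolicy was removed in Kubernetes 1.25 (this script installs
  #    v1.30); use Pod Security Admission namespace labels instead:
  #    enforce the baseline profile, warn about restricted violations.
  kubectl label --overwrite namespace default \
    pod-security.kubernetes.io/enforce=baseline \
    pod-security.kubernetes.io/warn=restricted

  # 4. Limit Resource Requests and Limits for Pods
  # ... (Modify deployments/deployments.yaml to include resource limits) ...

  # 5. Enable Audit Logging
  # ... (Configure audit logging using the Kubernetes API) ...

  # 6. Regularly update Kubernetes components
  # ... (apt-mark unhold kubelet kubeadm kubectl, then follow the kubeadm
  #      upgrade procedure; pulling dashboard manifests from the kubernetes
  #      repository's unpinned 'master' branch is neither an update step nor
  #      reproducible, so it was removed from this function) ...

  # 7. Enable TLS encryption for API server communication
  # ... (kubeadm already serves the API over TLS with cluster-generated
  #      certificates; revisit kube-apiserver flags only for extra policy) ...

  # 8. Secure the Kubernetes API server
  # ... (Restrict access to the API server using firewall rules and authentication methods) ...

  # 9. Regularly review and update security best practices
}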
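# Bootstrap sequence for the control-plane node.
prep_vm
kubeadm_init
set_kubectl_config
add_calico_cni
# Hardening is still work in progress; the function is named wip_harden_security.
# wip_harden_security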
pod.yaml
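# Minimal smoke-test pod: one nginx container listening on port 80.
# (Structural indentation restored; the flat paste would not parse as YAML.)
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: nginx
      # Floating tag: the image actually pulled can change between runs.
      # Pin a version tag or digest for reproducible deployments.
      image: docker.io/library/nginx:latest
      ports:
        - containerPort: 80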
create pod
# Create (or update) the pod defined in pod.yaml.
kubectl apply --filename=pod.yaml
get pods
# List pods in the current namespace.
kubectl get pod
Some Examples of Commands
Join command
# Example of the join line printed by get_join_command; the token and CA hash
# are truncated here and must come from your own control plane.
kubeadm join 10.1.9.209:6443 --token qmcl0q.m2r... --discovery-token-ca-cert-hash sha256:d1fbc1851c161a617c986...
Install Docker
# Optional: kubeadm-bootstrap.sh runs the nodes on containerd, so Docker is
# not required for the cluster itself.
sudo apt install docker.io
Issues
Docker Hub Rate Limit
Just wait
Warning Failed 2s (x3 over 48s) kubelet Failed to pull image "docker.io/calico/node-driver-registrar:v3.29.1": failed to pull and unpack image "docker.io/calico/node-driver-registrar:v3.29.1": failed to copy: httpReadSeeker: failed open: unexpected status code https://registry-1.docker.io/v2/calico/node-driver-registrar/manifests/sha256:c15fcc64ea239e0f5a0df9ca01a632c7fbcab93c77c228b5b517272ca7fef01d: 429 Too Many Requests - Server message: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit