In this lab, you will learn how to create and deploy a Kubernetes cluster on CentOS 7 from scratch. The setup has one master host and two worker nodes.
Cluster nodes are known as worker nodes or Minions.
From the master host, we will manage the cluster using the “kubeadm” and “kubectl” commands.
Kubernetes can be installed and deployed using the following methods:
• Minikube (a single-node Kubernetes cluster).
• Kubeadm (multi-node Kubernetes cluster setup on-prem).
• Kubespray (runs on bare metal and most clouds, using Ansible).
• Kops (multi-node Kubernetes cluster setup on-cloud).
1. Log in to the master node as the root user.
2. Generate an ssh key pair to get password-less access to the master and worker nodes.
# ssh-keygen -t rsa -N ''
Note: Keep pressing enter without entering or changing any value.
Copy ssh public key to Master and Worker nodes.
# ssh-copy-id 192.168.100.11
Type yes and enter the root password as “linux” when prompted.
# ssh-copy-id 192.168.100.12
# ssh-copy-id 192.168.100.13
3. Add entries to /etc/hosts for local name resolution.
# hostnamectl set-hostname kube-master
# cat > /etc/hosts <<EOF
192.168.100.11 kube-master
192.168.100.12 kube-node1
192.168.100.13 kube-node2
127.0.0.1 localhost
EOF
4. Disable SELinux
Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security mechanism implemented in the kernel.
SELinux has three basic modes of operation, of which Enforcing is set as the installation default mode.
- Enforcing: The default mode which will enable and enforce the SELinux security policy on the system, denying access and logging actions
- Permissive: In Permissive mode, SELinux is enabled but will not enforce the security policy, only warn and log actions. Permissive mode is useful for troubleshooting SELinux issues.
- Disabled: SELinux is turned off
# sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config
# setenforce 0
# sestatus
Note: the sed above rewrites only the SELINUX= line and leaves the file's comments untouched. The kubeadm installation guide asks only for permissive mode (SELINUX=permissive plus setenforce 0), which keeps logging denials; this lab disables SELinux entirely.
4.1 Disable Firewalld
FirewallD is a frontend controller for iptables used to implement persistent network traffic rules.
Working with FirewallD has two main differences compared to directly controlling iptables:
FirewallD uses zones and services instead of chains and rules. It manages rulesets dynamically, allowing updates without breaking existing sessions and connections.
# systemctl disable --now firewalld
# systemctl status firewalld
Note: If you wish to keep the firewall running, open the Kubernetes service ports by running the commands below.
# firewall-cmd --permanent --add-port=6443/tcp
# firewall-cmd --permanent --add-port=2379-2380/tcp
# firewall-cmd --permanent --add-port=10250/tcp
# firewall-cmd --permanent --add-port=10251/tcp
# firewall-cmd --permanent --add-port=10252/tcp
# firewall-cmd --permanent --add-port=10255/tcp
# firewall-cmd --reload
Worker nodes need 10250/tcp (kubelet) and the NodePort range 30000-32767/tcp opened. 10255/tcp is the kubelet's unauthenticated read-only port, so open it only if something on your network actually uses it.
4.2 Enable and start the chrony service (NTP).
chrony is a versatile implementation of the Network Time Protocol (NTP). The chrony suite is installed by default. The chrony daemon is installed as /usr/sbin/chronyd and the command-line utility as /usr/bin/chronyc.
# systemctl enable --now chronyd
# systemctl status chronyd
# chronyc sources -v
5. Install the following base packages required by Kubernetes:
wget: a utility for retrieving files using the HTTP or FTP protocols.
net-tools: contains basic networking tools, including ifconfig, netstat, route, and others.
git: the git rpm installs the core tools with minimal dependencies.
bind-utils: install bind-utils if you need to get information from DNS name servers.
bridge-utils: install bridge-utils if you want to use the Linux Ethernet bridge.
# yum -y install wget git net-tools bind-utils bridge-utils bash-completion kexec-tools
5.1 You must turn off the swap space as Kubernetes does not support it.
# swapoff -a
5.2 Comment out the swap filesystem entry in /etc/fstab
# sed -e '/swap/ s/^#*/#/' -i /etc/fstab
5.3 Turn the feature on so that packets traversing the bridge are sent to iptables. Note: modprobe loads br_netfilter only until the next reboot, and the net.bridge.* keys below exist only while the module is loaded; to keep it loaded across the reboot in step 6, also list br_netfilter in a file under /etc/modules-load.d/ (for example /etc/modules-load.d/k8s.conf).
# modprobe br_netfilter
# cat > /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
# sysctl --system
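A pre-flight check for steps 4 to 5.3, added here as an example and not part of the original lab: each function inspects one of the files this lab writes and succeeds only when that step is in place, so it can be run on the real node or against sample files. The path /etc/modules-load.d/k8s.conf is an assumption (this lab only runs modprobe; that file is where br_netfilter would be listed to load it at boot).

```sh
#!/bin/sh
# Pre-flight checker for the node preparation steps in this lab (added
# example, not part of the original lab). Each check takes the path of the
# file to inspect, so it can run against the real files or against samples.

# 0 when no active (uncommented) swap entry remains in the given fstab.
fstab_swap_disabled() {
  ! grep -Eq '^[^#].*[[:space:]]swap[[:space:]]' "$1"
}

# 0 when SELINUX= in the given config is permissive or disabled.
selinux_not_enforcing() {
  mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1")
  [ "$mode" = "permissive" ] || [ "$mode" = "disabled" ]
}

# 0 when every key the lab writes to k8s.conf is present and set to 1.
sysctl_conf_ok() {
  for key in net.bridge.bridge-nf-call-ip6tables \
             net.bridge.bridge-nf-call-iptables \
             net.ipv4.ip_forward; do
    grep -Eq "^${key}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" || return 1
  done
}

# 0 when br_netfilter is listed in the given modules-load.d file, so the module
# (and the net.bridge.* sysctls that only exist while it is loaded) survive
# the reboot in step 6. The path passed below is an assumption (see lead-in).
br_netfilter_persistent() {
  grep -Eq '^[[:space:]]*br_netfilter[[:space:]]*$' "$1"
}

# Prints PASS/FAIL for one check and records any failure in rc.
report() {
  if "$1" "$2"; then echo "PASS $1 $2"; else echo "FAIL $1 $2"; rc=1; fi
}

# Runs every check against the real paths used in this lab; non-zero on failure.
run_all_checks() {
  rc=0
  report fstab_swap_disabled     /etc/fstab
  report selinux_not_enforcing   /etc/selinux/config
  report sysctl_conf_ok          /etc/sysctl.d/k8s.conf
  report br_netfilter_persistent /etc/modules-load.d/k8s.conf
  return $rc
}

if [ "${1:-}" = "--run" ]; then run_all_checks; fi
```

Run it as `sh preflight.sh --run` on each node after step 5.3 and again after the reboot in step 6.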
6. Update and Reboot the server to get the latest packages installed.
# yum update -y
# reboot
Log back in to kube-master as the root user to proceed with the next steps.
7. Configure Kubernetes Repository
7.1 Kubernetes packages are not available in the default CentOS 7 repositories; use the command below to configure the Kubernetes package repository. Note: the packages.cloud.google.com repository used here has since been frozen and receives no new releases; current packages are published from pkgs.k8s.io.
# cat > /etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF
7.2 Install Docker and the Kubernetes packages.
# yum install -y docker kubelet kubeadm kubectl --disableexcludes=kubernetes
7.3 Enable and start the Docker daemon.
# systemctl enable --now docker
# systemctl status docker
7.4 Enable and start the kubelet daemon.
# systemctl enable --now kubelet
# systemctl status kubelet
Note: until kubeadm init has run, the kubelet restarts every few seconds while it waits for its configuration; that is expected.
8. Initialize the deployment of Kubernetes Cluster by running the “kubeadm init” command.
What is kubeadm?
kubeadm is a toolkit produced by upstream Kubernetes for creating and upgrading Kubernetes clusters.
# kubeadm init --apiserver-advertise-address=192.168.100.11 --pod-network-cidr=172.16.0.0/16
Note: Copy the kubeadm join command (including its token and discovery-token CA certificate hash) printed at the end of the above command's output; it is needed to join the worker nodes.
9. Run the commands below to copy the admin kubeconfig into place so kubectl can manage the cluster. admin.conf carries cluster-admin credentials, so keep the copy readable only by its owner.
# mkdir -p $HOME/.kube
# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
# sudo chown $(id -u):$(id -g) $HOME/.kube/config
Run the command below to install the Weave Net overlay network. Note: Weaveworks has since shut down and the cloud.weave.works endpoint may no longer respond; if so, apply the Weave Net manifest from its GitHub releases or use another CNI plugin.
# kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
10. A node taint lets you mark a node so that the scheduler avoids or prevents using it for certain Pods. A complementary feature, toleration, lets you designate Pods that can run on “tainted” nodes. A taint has one of three effects:
NoSchedule: Pods that do not tolerate this taint are not scheduled on the node.
PreferNoSchedule: Kubernetes avoids scheduling Pods that do not tolerate this taint onto the node.
NoExecute: a Pod is evicted from the node if it is already running on the node, and is not scheduled onto the node if it is not yet running there.
kubeadm taints the master with node-role.kubernetes.io/master:NoSchedule. The command below removes that taint (note the trailing “-”) so regular Pods can be scheduled on kube-master. This is convenient in a lab but means workloads share the node with the API server and etcd; on a production cluster leave the taint in place.
# kubectl taint node kube-master node-role.kubernetes.io/master:NoSchedule-
11. Now run the following command to list master node status.
# kubectl get nodes
12. Run the command below to verify the cluster information.
# kubectl cluster-info