
Kubernetes

Preparation

Traffic crossing the Linux bridge must be visible to the host firewall [1]; otherwise the iptables rules kube-proxy installs never see pod-to-pod traffic.

Check if the module br_netfilter is loaded.

```bash
lsmod | grep br_netfilter
```

If not, load it explicitly.

```bash
modprobe br_netfilter
```

Ensure that net.bridge.bridge-nf-call-iptables is set to 1 in the sysctl configuration, and make the module load at boot so the setting survives a reboot.

```bash
cat <<EOF | tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF

cat <<EOF | tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF

sysctl --system
```
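The two fragments above are easy to get subtly wrong (a typo in the key name is silently ignored by sysctl). The following pre-flight check is an added example, not part of the original page: it verifies the persisted files, so it can run from a provisioning pipeline before the node is rebooted, and it also offers a live check of the running kernel. The file paths passed to the functions are whatever you choose; the defaults named in comments are the ones used above.

```bash
#!/bin/sh
# Added example: pre-flight check for the bridge-netfilter settings kubeadm
# needs. The functions take file paths as arguments so they can be run against
# copies of a node's files as well as against /etc on the node itself.

# Return 0 if the sysctl fragment (e.g. /etc/sysctl.d/k8s.conf) sets every
# required key to 1; print the first offending key to stderr otherwise.
check_sysctl_fragment() {
    file="$1"
    for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables; do
        # Use the last assignment of the key: later lines override earlier ones.
        value=$(grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" | tail -n 1 | sed 's/.*=[[:space:]]*//')
        if [ "$value" != "1" ]; then
            echo "missing or wrong: $key (got '${value:-unset}')" >&2
            return 1
        fi
    done
    return 0
}

# Return 0 if the modules-load fragment (e.g. /etc/modules-load.d/k8s.conf)
# lists br_netfilter, so the module is loaded at boot.
check_modules_fragment() {
    grep -qxE '[[:space:]]*br_netfilter[[:space:]]*' "$1"
}

# Live check on the node: module loaded and the runtime sysctl set to 1.
# Returns 0 on a ready node.
check_live() {
    if [ ! -d /sys/module/br_netfilter ]; then
        echo "br_netfilter is not loaded" >&2
        return 1
    fi
    v=$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)
    [ "$v" = "1" ]
}

# Usage on a node (uncomment to run):
# check_modules_fragment /etc/modules-load.d/k8s.conf \
#   && check_sysctl_fragment /etc/sysctl.d/k8s.conf \
#   && check_live && echo "bridge netfilter: ready"
```

The file checks are deliberately separate from the live check: a node can pass the live check after a manual modprobe and still lose the setting on reboot, which is the case the fragments exist to prevent.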

Node ports

Control

| Port | Protocol | Description |
|---|---|---|
| 6443 [2] | TCP | API server |
| 2379 - 2380 | TCP | etcd server client API |
| 10250 | TCP | Kubelet API |
| 10251 | TCP | Kube scheduler |
| 10252 | TCP | Kube controller manager |

Worker

| Port | Protocol | Description |
|---|---|---|
| 10250 | TCP | Kubelet API |
| 30000 - 32767 | TCP | NodePort services |
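The tables say which ports must be open, not from where. The generator below is an added example, not from the original page; it turns the two tables into host firewall rules that restrict each port to the callers that need it, and prints the iptables commands instead of applying them so they can be reviewed first. The CIDRs are placeholders: node CIDR (all cluster nodes), control-plane CIDR (etcd members) and admin CIDR (where kubectl users connect from) are assumptions, and it is assumed that established connections are already accepted and that the INPUT chain's default policy drops what is not listed.

```bash
#!/bin/sh
# Added example: derive host firewall rules from the node port tables.
# Prints iptables commands; review the output before piping it to sh.

# Rules for a control-plane node.
# Arg 1: node CIDR, arg 2: control-plane CIDR, arg 3: admin CIDR (all placeholders).
control_plane_rules() {
    node_cidr="$1"; cp_cidr="$2"; admin_cidr="$3"
    # API server: needed by administrators and by every node (kubelet, kube-proxy).
    echo "iptables -A INPUT -p tcp --dport 6443 -s $admin_cidr -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 6443 -s $node_cidr -j ACCEPT"
    # etcd stores every Secret in the cluster: only control-plane members may talk to it.
    echo "iptables -A INPUT -p tcp --dport 2379:2380 -s $cp_cidr -j ACCEPT"
    # Kubelet API (exec, logs, port-forward) is called by the API server, which is in the node CIDR.
    echo "iptables -A INPUT -p tcp --dport 10250 -s $node_cidr -j ACCEPT"
    # Scheduler and controller manager have no remote callers: loopback only.
    echo "iptables -A INPUT -p tcp --dport 10251:10252 -i lo -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 10251:10252 -j DROP"
}

# Rules for a worker node. Arg 1: node CIDR, arg 2: CIDR allowed to reach NodePort services.
worker_rules() {
    node_cidr="$1"; client_cidr="$2"
    echo "iptables -A INPUT -p tcp --dport 10250 -s $node_cidr -j ACCEPT"
    # NodePort services are exposed on every worker; scope them to the intended clients.
    echo "iptables -A INPUT -p tcp --dport 30000:32767 -s $client_cidr -j ACCEPT"
}

# Usage with placeholder networks:
# control_plane_rules 10.0.0.0/24 10.0.0.0/28 192.0.2.0/24
# worker_rules 10.0.0.0/24 0.0.0.0/0
```

Two of the table rows get stricter treatment than an "open the port" reading suggests: etcd is scoped to the control-plane members only, because anyone who can reach it can read every Secret, and the scheduler and controller-manager ports are confined to loopback, since nothing off the node needs them.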

Installation

Docker

Follow the Docker documentation to set up the Docker engine.

Configure the Docker daemon to use systemd as the cgroup driver for its containers, so that it matches the driver the kubelet uses.

```bash
cat <<EOF | tee /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2"
}
EOF
```

Restart the daemon and enable it at boot.

```bash
systemctl enable docker
systemctl daemon-reload
systemctl restart docker
```

Tools

Add the Kubernetes apt repository to the system's package sources.

```bash
apt-get update
apt-get install -y apt-transport-https ca-certificates curl

curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg

echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list
```

Install kubelet, kubeadm and kubectl and mark them as held, so that routine package upgrades do not change their version behind the cluster's back.

```bash
apt-get update
apt-get install -y kubelet kubeadm kubectl
apt-mark hold kubelet kubeadm kubectl
```
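Three of the steps above carry a security property that is worth verifying after the fact: the cgroup driver must match the kubelet's, the apt source must pin the keyring it was set up with (the signed-by= option is what stops a package from any other key being accepted), and the three packages must actually be held. The checks below are an added example, not part of the original page. Each function takes a file path so it can be run against copies of the node's files; for the hold check the file is expected to contain the output of apt-mark showhold.

```bash
#!/bin/sh
# Added example: post-install checks for the Docker and apt steps.
# All functions return 0 when the check passes and 1 otherwise.

# daemon.json must select the systemd cgroup driver; a mismatch with the
# kubelet leaves the node with two cgroup managers fighting over resources.
check_cgroup_driver() {
    grep -q 'native.cgroupdriver=systemd' "$1"
}

# The source line must pin a keyring with signed-by= and use https, so only
# packages signed by that key are accepted and the index is not fetched in clear.
check_apt_source() {
    grep -qE '^deb \[signed-by=/[^]]+\] https://' "$1"
}

# Arg 1: file holding `apt-mark showhold` output; args 2..: packages that must be held.
check_holds() {
    holds="$1"; shift
    for pkg in "$@"; do
        if ! grep -qx "$pkg" "$holds"; then
            echo "not held: $pkg" >&2
            return 1
        fi
    done
    return 0
}

# Usage on a node (uncomment to run):
# apt-mark showhold > /tmp/holds.txt
# check_cgroup_driver /etc/docker/daemon.json \
#   && check_apt_source /etc/apt/sources.list.d/kubernetes.list \
#   && check_holds /tmp/holds.txt kubelet kubeadm kubectl \
#   && echo "install checks: ok"
```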

[1] iptables is the default tool for configuring Netfilter, the Linux kernel's IP packet filter.

[2] This port can be overridden.