Categories
Apps & OS's Linux Technology

Deploying your own Kubernetes (K8s) bare metal cluster

The “cloud” is great and there are now several cloud providers offering managed Kubernetes clusters such as Amazon’s Elastic Kubernetes Service (EKS), Google’s Kubernetes Engine (GKE) and Microsoft Azure’s Kubernetes Service (AKS) but sometimes people like to host and play with their own stuff, on their own hardware – right?!

Personally, I use several cloud services but I also like to understand how the underlying technology works – I have a bare metal K8s cluster (on a number of VM’s) at home, this enables me to play and fine-tune my containers and YAML files etc. before I push to cloud services (and start having to pay real money)

I thought I’d document the process of setting up a Kubernetes cluster on several virtual machines (obviously the same applies to true bare metal too) but here goes…

The requirements

I will create three virtual machines all of which are running Ubuntu Server 18.04 (we can add more at a later date if we wanted), the specs and the IP addresses that I will use are as follows:

  1. VSVR-KBX070 (Kubernetes Master) – 172.25.87.70
  2. VSVR-KBN071 (Kubernetes Node #1) – 172.25.87.71
  3. VSVR-KBN072 (Kubernetes Node #2) – 172.25.87.72

The master server will be configured with 2GB of RAM and 2 vCPU’s

Both node servers will be configured with 1GB of RAM and 1 vCPU’s

The above hardware configurations are the minimum recommended in the Kubernetes documentation for each server type, you can, of course, add more RAM and vCPU’s if you wanted!

Installing the base software

These instructions should be executed on ALL servers

Let’s start off as we would normally do on a fresh server, let’s update our package repository lists and apply any upgrades that are waiting for us:

sudo apt-get update -y
sudo apt-get upgrade -y

Kubernetes recommends setting net.ipv4.ip_forward is to 1 we will, therefore, need to apply this change as follows:-

sudo sysctl -w net.ipv4.ip_forward=1
sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

In order for Kubelet to work correctly, we also need to disable SWAP, we can do this by running the following commands:

sudo swapoff -a
sudo sed -i '2s/^/#/' /etc/fstab

For the majority of users, the above sed command should work if you accepted the default partition map in Ubuntu Server installation but you should check that it’s disabled the correct line by running cat /etc/fstab, all being well, the ‘/swap‘ partition will be commented out (the line will pre prefixed with hash “#“).

We will now install a few dependencies before we move on to install the Docker engine…

sudo apt-get install apt-transport-https ca-certificates curl software-properties-common -y

We can now import the Docker repository GPG key and add the Docker repository and install it like so:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"

Looking good!

Let’s update our package list and then install Docker from the official repository like so:

sudo apt update
sudo apt-get install docker-ce -y

Now that Docker is installed, we’ll add our user to the Docker group to ensure that we can run commands without getting permission issues.

sudo usermod -aG docker $USER

Now we will install some more packages, these are various Kubernetes software components.

Like we did before, we will now import a Google GPG key (Kubernetes is a Google project!)

curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
sudo apt-add-repository "deb http://apt.kubernetes.io/ kubernetes-xenial main"

…and now we will install the other components (making up the Kubernetes software stack):

sudo apt-get update
sudo apt-get install kubernetes-cni -y
sudo apt-get install kubelet kubeadm kubectl -y

We will now mark these packages as ‘held’ to ensure continuity in our platform – you will, however, need to manually manage updates in future though!

sudo apt-mark hold kubernetes-cni kubelet kubeadm kubectl docker-ce

Now that we have the Kubernetes components installed we will restart our kubelet service like so:

sudo systemctl daemon-reload
sudo systemctl restart kubelet

We will now download and set a default audit policy (see Audit API types for more details), run the following commands:

sudo mkdir -p /etc/kubernetes

We will download a template (basically setting the default audit level to “Metadata” which seems a sane default) and set it as follows:

wget https://blog.bobbyallen.me/wp-content/uploads/2020/02/audit-policy.txt && sudo mv audit-policy.txt /etc/kubernetes/audit-policy.yaml
sudo chown root:root /etc/kubernetes/audit-policy.yaml
sudo chmod 0600 /etc/kubernetes/audit-policy.yaml

We’ll also need to create a directory to store our Audit logs, we can do this like so:

sudo mkdir -p /var/log/kubernetes/audit

Next and although not really required at the moment, we’ll finally install the NFS client on our servers, this will come in handy later when you want to use persistent storage and is worth setting up at this point (as it’s so quick and simple), let’s run the following:

sudo apt-get install nfs-common -y

Let’s now reboot all of our servers (to ensure confidence that all services etc have started as we expect) and then we will move on to the server-specific configurations…

sudo reboot

Configuring our Master Server

All of the commands in this section should ONLY be run on our master server (VSVR-KBX070).

Let’s now initialise our cluster on our master server (ensure to replace the master server address in the command below with your own!)…

sudo kubeadm init --pod-network-cidr=192.168.0.0/16 --apiserver-advertise-address=172.25.87.70

It will now take a few minutes for this process to complete, just hold tight until you see this output…

Be sure you copy and keep the “kubeadm join” command which contains a token as highlighted in the above screenshot as we’ll need to use this on our node servers shortly.

Next, we need to run a few other commands before we can start using the cluster, run these commands:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Having run the above commands we should now be able to execute this command:

kubectl get pods -A

…and see a list of Kubernetes system pods:

The above screenshot shows that the status of the coredns pods are currently in the Pending state, these will remain like this until we’ve installed a network provider.

Next, we now need to install a Pod network plugin, we will use Calico for this, let’s download the configuration:

wget https://docs.projectcalico.org/v3.9/manifests/calico.yaml

…and then we can install it like so:

kubectl apply -f calico.yaml

If we now re-run the get pods command, after a few minutes, our coredns pod statuses should be running:

Now that we have Calico working, let’s now install MetalLB; MetalLB will provide us with a mechanism of configuring a static IP address range that our cluster will dish out to load balancer services that we set up on our bare metal cluster and will enable external access to applications on our cluster.

kubectl apply -f https://raw.githubusercontent.com/google/metallb/v0.8.3/manifests/metallb.yaml

We will now add a configuration file and update it with a range of IP addresses from our LAN IP range – this will enable all computers on our LAN to be able to access applications that are hosted on our cluster through a LoadBalancer service.

Download this example metallb-config.yaml file:

wget https://blog.bobbyallen.me/wp-content/uploads/2020/02/metallb-config.txt && mv metallb-config.txt metallb-config.yaml

Now open the file…

vi metallb-config.yaml

Update the addresses range, the LAN addresses that I’ve chosen are: 172.25.87.240-172.25.87.250 but I would almost certainly assume that you will be changing yours to a more common subnet (mine is pretty non-standard due to a number of VPN routing requirements I have at home)… your range would probably be something like 192.168.1.200-192.168.1.240.

Make sure that your range does not collide with any DHCP address ranges or other statically set IP addresses in your network!

Once you’ve saved the changes to the metallb-config.yaml file, we can apply it like so:

kubectl apply -f metallb-config.yaml

The output of running kubectl get pods -A again will show that we have two new (metallb related) pods:

Configuring and joining our Nodes to the Cluster

All of the commands in the section should ONLY be run on our Nodes (VSVR-KBN071, VSVR-KBN072 etc.)

We should simply be able to join the cluster like by pasting in the join command that we had been shown when we initiated our cluster earlier.

Run the command (your tokens and IP addresses will differ to my example below) on each of your Node server like so:

sudo kubeadm join 172.25.87.70:6443 --token hjnt72.ku3ozm905ocqag7y \
    --discovery-token-ca-cert-hash sha256:18a6e985269123b891d6117af3bf4356cec7b140680ea118b98ce72b68ad157d

That’s it! – That’s all that is required to be run on the Node servers.

Testing it

Let’s now test it out by deploying some pods and setting up a load-balancer.

All of these commands should be run from our master server (VSVR-KBX070) – you should not need to login to any of the nodes now as the master will control them remotely.

Let’s check the current status of our nodes, running the following command should show (after a few minutes) that each of our nodes (servers) as Ready.

kubectl get nodes

The output shows as follows:

Let’s now check the status of all of our metallb pods…

kubectl get pods -n metallb-system -o wide

The output shows that we have the controller pod current running on vsvr-kbn01 and a speaker pod deployed on all nodes and the master server.

Ok, that all looks healthy.

Now, and for the final test… let’s deploy a demo application (from my public Docker Hub registry), a load-balancer service and attempt to scale the instances:

kubectl run jenkkube --image=allebb/jenkkube-demo:latest --port=8000 --env=APP_KEY=base64:cUPmwHx4LXa4Z25HhzFiWCf7TlQmSqnt98pnuiHmzgY=

Now we have deployed an instance of the application, lets now create a LoadBalancer service like so:

kubectl expose deployment jenkkube --type=LoadBalancer --port=80 --target-port=8000 --name jenkkube-loadbalancer

Let’s find out what our assigned load-balancer IP address (all going to plan this will be the first IP address from your range that you configured in the metallb-config.yaml file earlier) is by running:

kubectl describe service jenkkube-loadbalancer

We can also use this command to get the external IP too if you wanted:

kubectl get services -o wide

Now, opening a browser on a machine on your LAN, try accessing the demo application like so:

http://{load-balancer-ip-address}/

The basic landing page for our demo application.

Now for the cool part… let’s scale this application “horizontally” (to to 8 instances) by running:

kubectl scale --replicas 8 deployment/jenkkube

You can also, very easily scale back the number of replica pods by simply re-running the command with the number of replica’s eg. we can scale it back to a single instance by simply running kubectl scale --replicas 1 deployment/jenkkube.

We can check the state of the replica pods and where (on what node) they are running by executing this command:

kubectl get pods -o wide

Now, each time you refresh your browser you are getting bounced between application instances (pods) which are spread over different nodes (servers).

Want to see proof that we’re getting load-balanced behind the scenes? – as part of the demo application that we deployed, I added a response header to an application API endpoint. We can, therefore, use cURL and grep to very easily prove that we are hitting random instances (pods) each time we make a request…

curl -sD - -o /dev/null http://172.25.87.240/api/v1/quote | grep X-Handled-By

The above cURL command makes the request, ignores the actual page content (by sending the output to /dev/null) but will output the value of the X-Handled-By response header of the pod that handled the request, which I’ve set to use the instance hostname…

If you want to clean up your cluster by removing the demo application and our load-balancer service you can run the following commands:

kubectl delete deployment jenkkube
kubectl delete services jenkkube-loadbalancer

If you want to add additional nodes to your cluster at a later date, given that the initial kubeadm join command token is only valid for 24 hours, you would need to generate a new one on your master server by running: kubeadm token create --print-join-command

You will get the following output (use this command on your new nodes to add them to the cluster)…

kubeadm join 172.25.87.70:6443 –token mm86yg.1j6k2qzl5rdiw7so –discovery-token-ca-cert-hash sha256:9a3c138a00c27e9a26a22f6b8bd3eef126ca24af452308040ed3d3f1ad11384d

Managing your cluster from your workstation

So far, we’ve deployed and interacted with our Cluster through our Master (VSVR-KBX070), you can also execute commands from your workstation simply by copying down the admin.conf file.

You can do this like so (run these commands from your workstation):

# Create a kube directory (if it doesn't already exist)
mkdir ~/.kube 
# Now copy our cluster configuration file to our local machine.
scp {username}@{master-server}/home/{username}/.kube/config ~/.kube/my-cluster

The above command will copy the configuration file to our local machine and will then enable you to run commands against your cluster by specifying the cluster configuration file like so:

kubectl --kubeconfig='.kube/my-cluster' get pods

As you would expect, the other commands all work too such as remoting (SSH’ing) into a running pod:

# Example of running BASH interactively in a pod:
kubectl --kubeconfig='.kube/my-cluster' exec -it jenkkube-7b7f6bf8b6-bv2rc -- /bin/bash
# Want to just output the contents of a log file from a running pod? - This would work too...
kubectl --kubeconfig='.kube/my-cluster' exec jenkkube-7b7f6bf8b6-bv2rc cat /var/log/bootstrap.log

If you wanted to default your kubectl commands on your workstation to interact with your new cluster, you could se it to be the default configuration (by simply copying the remote config file to ~/.kube/config instead – you then wouldn’t need to pass in the –kubeconfig=” argument with every command.

Well, that’s it for this one, your cluster is now set up and working and you are now ready to explore and experiment with Kubernetes further!