おうちKubernetes最速セットアップ手順(個人メモ)

Ubuntuのバージョンは22.04。
ノードのIP発見
# Sweep the LAN for the node: ssh gives up after a 1 s connect timeout where
# nothing answers, and opens an interactive login on the first host that
# accepts (exit it to let the loop continue). This is fish syntax
# (`for ... end`), not bash.
for i in (seq 2 100)
    ssh -o ConnectTimeout=1 "matoruru@192.168.11.$i"
end

パッケージ更新 & 必須パッケージインストール & システム設定
# Pre-answer needrestart so the later apt-get upgrade does not stop on its
# "restart services?" dialog (file name says skip_dialog; restart = 'a',
# kernelhints = '0'). Quoted delimiter: the $nrconf lines are written literally.
sudo tee /etc/needrestart/conf.d/99_skip_dialog.conf <<'EOF'
$nrconf{kernelhints} = '0';
$nrconf{restart} = 'a';
EOF
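# Per-node static address written into the netplan file below; override with
# NODE_ADDR=... (the page's example node is 192.168.11.101/22).
node_addr=${NODE_ADDR:-192.168.11.101/22}

# Kubernetes v1.30 apt repo, bound to its release key via signed-by.
# mkdir -p is a no-op where /etc/apt/keyrings already exists; gpg gets
# --batch --yes so a re-run overwrites the keyring instead of prompting.
# kubelet/kubeadm/kubectl are held so unattended apt upgrades cannot move the
# cluster version underneath kubeadm.
sudo mkdir -p -m 755 /etc/apt/keyrings && \
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key \
  | sudo gpg --batch --yes --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg && \
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /' \
  | sudo tee /etc/apt/sources.list.d/kubernetes.list && \
sudo apt-get update && sudo apt-get upgrade -y && \
sudo apt-get install -y containerd apt-transport-https ca-certificates curl gpg \
  linux-modules-extra-raspi qemu-user-static nfs-common kubelet kubeadm kubectl && \
sudo apt-mark hold kubelet kubeadm kubectl && \
sudo systemctl enable --now kubelet && \
sudo tee /etc/netplan/99-fixed-ip.yaml <<EOF
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: false
      addresses: [${node_addr}]
      nameservers:
        addresses: [1.1.1.1]
      routes:
        - to: default
          via: 192.168.11.1
EOF
# Static IP via netplan. The YAML above must keep its nesting: written flat
# (every key at column 0) the file has a duplicate `addresses` key and netplan
# rejects it.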
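# Quieter fan curve for the rpi-poe-plus overlay and all status LEDs off.
# The block is appended to config.txt only if it is not there yet, so
# re-running the setup does not stack duplicate dtparam lines.
if ! grep -qF 'dtoverlay=rpi-poe-plus' /boot/firmware/config.txt; then
  sudo tee -a /boot/firmware/config.txt <<'EOF'
dtoverlay=rpi-poe-plus
dtparam=poe_fan_temp0=60000,poe_fan_temp0_hyst=2000
dtparam=poe_fan_temp1=70000,poe_fan_temp1_hyst=2000
dtparam=poe_fan_temp2=80000,poe_fan_temp2_hyst=2000
dtparam=poe_fan_temp3=85000,poe_fan_temp3_hyst=5000
# Turn off Power LED
dtparam=pwr_led_trigger=default-on
dtparam=pwr_led_activelow=off
# Turn off Activity LED
dtparam=act_led_trigger=none
dtparam=act_led_activelow=off
# Turn off Ethernet LED
dtparam=eth_led0=4
dtparam=eth_led1=4
EOF
fi
# Firmware settings and the new netplan config take effect on reboot.
sudo reboot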

# Kernel modules needed by containerd (overlay) and bridged pod networking
# (br_netfilter): listed in modules-load.d for boot, loaded right now with
# modprobe. One modprobe per module: extra words would be taken as parameters.
printf '%s\n' overlay br_netfilter | sudo tee /etc/modules-load.d/k8s.conf
sudo modprobe overlay
sudo modprobe br_netfilter
# Kernel parameters this setup needs; a sysctl.d drop-in survives reboots.
sudo tee /etc/sysctl.d/k8s.conf <<'EOF'
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
# Apply them now, without a reboot.
sudo sysctl --system
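# Write containerd's default config and switch its runc shim to the systemd
# cgroup driver (kubelet is pointed at systemd too, further down).
# mkdir -p: a plain mkdir fails when the package already created the dir,
# and the && chain then never writes config.toml.
sudo mkdir -p /etc/containerd
sudo containerd config default | sudo tee /etc/containerd/config.toml >/dev/null
# "-i -e", not "-ie": GNU sed reads -ie as -i with backup suffix "e" and
# leaves a stray /etc/containerd/config.tomle behind.
sudo sed -i -e 's/\(\s* SystemdCgroup = \)false.*/\1true/' /etc/containerd/config.toml
sudo systemctl daemon-reload
sudo systemctl enable --now containerd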
# Point kubelet at the systemd cgroup driver, matching the containerd config.
# NOTE(review): kubeadm of this generation defaults cgroupDriver to systemd in
# its KubeletConfiguration, so this flag is presumably redundant — confirm
# before dropping it.
printf '%s\n' 'KUBELET_EXTRA_ARGS=--cgroup-driver=systemd' | sudo tee /etc/default/kubelet
sudo systemctl daemon-reload
sudo systemctl restart kubelet
sudo reboot
(Radxa ROCKの場合のみ次の記事の手順を実施)
(コントロールプレーンノードの場合)
# Control-plane bootstrap. The kube-proxy addon is skipped on purpose: Cilium
# is installed later with kubeProxyReplacement=true. The pod CIDR must not
# overlap the node LAN (192.168.x.x here).
sudo kubeadm init --pod-network-cidr=10.0.0.0/8 --skip-phases=addon/kube-proxy
(ワーカーノードの場合)
# Run the command printed at the end of `kubeadm init` (it carries the join
# token and CA hash for this cluster).
kubeadm join ....

kubeconfigのコピー
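# Pull the cluster-admin kubeconfig off the control plane. admin.conf is a
# full cluster-admin credential: mktemp creates the target 0600 from the
# start (a bare `> ~/.kube/config` inherits the umask, typically 0644, and
# would truncate an existing config even if ssh fails), and ~/.kube is
# created first so the redirect cannot fail on a fresh machine.
mkdir -p ~/.kube
kc_tmp=$(mktemp ~/.kube/config.XXXXXX) && \
  ssh k8s-master sudo cat /etc/kubernetes/admin.conf > "$kc_tmp" && \
  mv -f -- "$kc_tmp" ~/.kube/config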
Gateway CRD
# Gateway API CRDs (experimental channel, v1.1.0); the Cilium install below
# enables gatewayAPI and expects these CRDs to be present.
gateway_api=https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/experimental-install.yaml
kubectl create -f "$gateway_api"
# Label presumably matched by a Gateway's namespace selector so routes in
# other namespaces may attach — verify against the manifests in the repo.
kubectl label namespaces kube-system shared-gateway-access=true
CNI(Cilium)
helm repo add cilium https://helm.cilium.io/
# Pinned chart version. kubeProxyReplacement=true is why kubeadm init skipped
# the kube-proxy addon; k8sServiceHost/Port must point at the control plane
# (192.168.11.100:6443 on this LAN).
cilium_opts=(
  --version 1.16.1
  --namespace kube-system
  --set k8sServiceHost=192.168.11.100
  --set k8sServicePort=6443
  --set kubeProxyReplacement=true
  --set gatewayAPI.enabled=true
)
helm install cilium cilium/cilium "${cilium_opts[@]}"

初期化手順
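# Return the node to a pre-kubeadm state. Root work goes through `sh -s`
# with a quoted heredoc (nothing expanded by the calling shell). ~/.kube is
# the *user's* kubeconfig and is removed as the user: inside the root shell
# `~` would resolve to /root and the user's copy would survive.
sudo kubeadm reset --force
sudo sh -s <<'EOF'
systemctl stop kubelet
rm -rf /etc/kubernetes/ /var/lib/kubelet/ /var/lib/cni/ /etc/cni/ /var/lib/etcd/
# Flush nat and mangle as well as filter (the set kubeadm reset's own
# message lists); -X then drops the emptied chains. With kube-proxy replaced
# by Cilium there may be little here, but flushing is harmless.
iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X
EOF
rm -rf ~/.kube/
sudo reboot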

Argo CD
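# External Secrets Operator, installed before Argo CD (presumably because the
# apps synced below declare ExternalSecret resources — confirm in the repo).
# NOTE(review): unlike the cilium install this chart is not --version
# pinned; pin it so a rebuild is reproducible.
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets --namespace external-secrets --create-namespace external-secrets/external-secrets

# Bootstrap Argo CD from the repo's kustomization, then wait for its
# deployments to report Available instead of sleeping a fixed 60 s, which
# races on slow boards and wastes time on fast ones.
kubectl kustomize 'https://github.com/matoruru/home-kubernetes/manifests/tools/manifests/argocd?timeout=90' | kubectl create -f -
kubectl -n argocd wait --for=condition=Available deployment --all --timeout=300s

# Register the repo and the two root applications, then sync. `--core` talks
# to the cluster through the kubeconfig directly, so no Argo CD admin
# password is involved.
kubectl config set-context --current --namespace argocd
argocd login --core
argocd repo add https://github.com/matoruru/home-kubernetes.git
argocd app create tools --repo https://github.com/matoruru/home-kubernetes.git --path manifests/tools --dest-namespace argocd --dest-server https://kubernetes.default.svc
argocd app create apps --repo https://github.com/matoruru/home-kubernetes.git --path manifests/apps --dest-namespace argocd --dest-server https://kubernetes.default.svc
argocd app sync tools apps
kubectl config set-context --current --namespace ""
# Restart Argo CD's deployments after the sync (the page does not say why;
# presumably to pick up config the tools app just applied).
kubectl -n argocd rollout restart deployment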

/etc/kubernetes/manifests/kube-apiserver.yamlに以下の設定を追加すると、自動でAPI serverが再起動する。
Service Account Key Generationセクションのキーは/etc/kubernetes/pki/sa.pubで代用する。
/etc/kubernetes/manifests/kube-apiserver.yaml
- --service-account-issuer=<OIDC endpoint>
全ノードの再起動を行う。
# Reboot every node, control plane first, in the same order as before.
for node in k8s-master k8s-worker1 k8s-worker2; do
  ssh "$node" sudo reboot
done
API serverのコンテナの確認
# List all containers (including exited ones) to find the API server's ID ...
sudo crictl ps -a
# ... then read its logs; replace <container id> with the ID from the list above.
sudo crictl logs <container id>