# Bootstrapping the Kubernetes Worker Nodes
In this lab you will bootstrap three Kubernetes worker nodes. The following components will be installed on each node: [runc](https://github.com/opencontainers/runc), [gVisor](https://github.com/google/gvisor), [container networking plugins](https://github.com/containernetworking/cni), [containerd](https://github.com/containerd/containerd), [kubelet](https://kubernetes.io/docs/admin/kubelet), and [kube-proxy](https://kubernetes.io/docs/concepts/cluster-administration/proxies).
## Prerequisites
The commands in this lab must be run on each worker instance: `worker-0`, `worker-1`, and `worker-2`. Login to each worker instance using the `gcloud` command. Example:
```
gcloud compute ssh worker-0
```
### Running commands in parallel with tmux
[tmux](https://github.com/tmux/tmux/wiki) can be used to run commands on multiple compute instances at the same time. See the [Running commands in parallel with tmux](01-prerequisites.md#running-commands-in-parallel-with-tmux) section in the Prerequisites lab.
## Provisioning a Kubernetes Worker Node
Install the OS dependencies:

```
sudo apt-get update
```

```
sudo apt-get -y install socat conntrack ipset
```

> The socat binary enables support for the `kubectl port-forward` command. kube-proxy uses `conntrack` to flush stale connection-tracking entries when Service endpoints change.
### Download and Install Worker Binaries
```
wget -q --show-progress --https-only --timestamping \
  https://github.com/kubernetes-incubator/cri-tools/releases/download/v1.0.0-beta.0/crictl-v1.0.0-beta.0-linux-amd64.tar.gz \
  https://storage.googleapis.com/kubernetes-the-hard-way/runsc \
  https://github.com/opencontainers/runc/releases/download/v1.0.0-rc5/runc.amd64 \
  https://github.com/containernetworking/plugins/releases/download/v0.6.0/cni-plugins-amd64-v0.6.0.tgz \
  https://github.com/containerd/containerd/releases/download/v1.1.0/containerd-1.1.0.linux-amd64.tar.gz \
  https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/linux/amd64/kubectl \
  https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/linux/amd64/kube-proxy \
  https://storage.googleapis.com/kubernetes-release/release/v1.10.2/bin/linux/amd64/kubelet
```
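The download above pins exact versions and insists on HTTPS, but nothing checks that the bytes that arrived are the bytes the publisher released: a compromised mirror, a tampered release asset, or a truncated download would all be installed as-is. The script below is an added example, not part of the kubernetes-the-hard-way lab, showing how to gate installation on a pinned SHA-256 manifest. The function names (`verify_downloads`, `install_verified`) are mine, and the manifest is assumed to come from a source you trust (the publisher's checksum files where they exist, or hashes you recorded after reviewing a copy); in the demo it is computed from constructed stand-in files purely to exercise the code paths.

```shell
#!/bin/sh
# Added example, not part of kubernetes-the-hard-way: verify downloaded worker
# binaries against a pinned SHA-256 manifest and install only a fully verified batch.

# verify_downloads MANIFEST DIR
#   MANIFEST holds "<sha256>  <filename>" lines (sha256sum format) from a source you
#   trust. Returns 0 only if every listed file exists in DIR and matches; a single
#   missing or altered file fails the whole batch.
verify_downloads() {
  manifest=$1; dir=$2; bad=0
  while read -r want name; do
    [ -n "$want" ] || continue                 # tolerate blank lines
    f="$dir/$name"
    if [ ! -f "$f" ]; then
      echo "MISSING  $name"; bad=1; continue
    fi
    have=$(sha256sum "$f" | awk '{print $1}')
    if [ "$have" = "$want" ]; then
      echo "OK       $name"
    else
      echo "MISMATCH $name (got $have)"; bad=1
    fi
  done < "$manifest"
  return $bad
}

# install_verified MANIFEST DIR DEST
#   Installs every listed file from DIR into DEST with mode 0755, but only after
#   the whole batch verifies; if anything fails, nothing is installed.
install_verified() {
  verify_downloads "$1" "$2" || return 1
  mkdir -p "$3"
  while read -r _hash name; do
    if [ -n "$name" ]; then
      install -m 0755 "$2/$name" "$3/$name"
    fi
  done < "$1"
}

# Demo with constructed stand-ins for the real binaries. The manifest is computed
# from them here only to exercise the code; in practice it comes from elsewhere.
demo=$(mktemp -d)
printf 'stand-in for kubelet\n' > "$demo/kubelet"
printf 'stand-in for kube-proxy\n' > "$demo/kube-proxy"
(cd "$demo" && sha256sum kubelet kube-proxy > SHA256SUMS)
install_verified "$demo/SHA256SUMS" "$demo" "$demo/bin" && echo "installed into $demo/bin"
printf 'altered after download\n' > "$demo/kubelet"
install_verified "$demo/SHA256SUMS" "$demo" "$demo/bin" || echo "refused: batch failed verification"
```

On a real worker the DEST argument would be `/usr/local/bin` and the call would run under `sudo`; the point of verifying the whole batch first is that a node never ends up with a verified kubelet next to an unverified runc.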
Create the installation directories:
```
sudo mkdir -p \
  /etc/cni/net.d \
  /opt/cni/bin \
  /var/lib/kubelet \
  /var/lib/kube-proxy \
  /var/lib/kubernetes \
  /var/run/kubernetes
```
Install the worker binaries:
```
chmod +x kubectl kube-proxy kubelet runc.amd64 runsc
```
```
sudo mv runc.amd64 runc
```
```
sudo mv kubectl kube-proxy kubelet runc runsc /usr/local/bin/
```
```
sudo tar -xvf crictl-v1.0.0-beta.0-linux-amd64.tar.gz -C /usr/local/bin/
```
```
sudo tar -xvf cni-plugins-amd64-v0.6.0.tgz -C /opt/cni/bin/
```
```
sudo tar -xvf containerd-1.1.0.linux-amd64.tar.gz -C /
```
### Configure CNI Networking
Retrieve the Pod CIDR range for the current compute instance:
```
POD_CIDR=$(curl -s -H "Metadata-Flavor: Google" \
  http://metadata.google.internal/computeMetadata/v1/instance/attributes/pod-cidr)
```
Create the `bridge` network configuration file:
```
cat > 10-bridge.conf <<EOF
{
    "cniVersion": "0.3.1",
    "name": "bridge",
    "type": "bridge",
    "bridge": "cnio0",
    "isGateway": true,
    "ipMasq": true,
    "ipam": {
        "type": "host-local",
        "ranges": [
          [{"subnet": "${POD_CIDR}"}]
        ],
        "routes": [{"dst": "0.0.0.0/0"}]
    }
}
EOF
```
Create the `loopback` network configuration file:
```
cat > 99-loopback.conf <<EOF
{
    "cniVersion": "0.3.1",
    "type": "loopback"
}
EOF
```
Move the network configuration files to the CNI configuration directory:
```
sudo mv 10-bridge.conf 99-loopback.conf /etc/cni/net.d/
```
### Configure containerd
Create the `containerd` configuration file:
```
sudo mkdir -p /etc/containerd/
```
```
cat << EOF | sudo tee /etc/containerd/config.toml
[plugins]
  [plugins.cri.containerd]
    snapshotter = "overlayfs"
    [plugins.cri.containerd.default_runtime]
      runtime_type = "io.containerd.runtime.v1.linux"
      runtime_engine = "/usr/local/bin/runc"
      runtime_root = ""
    [plugins.cri.containerd.untrusted_workload_runtime]
      runtime_type = "io.containerd.runtime.v1.linux"
      runtime_engine = "/usr/local/bin/runsc"
      runtime_root = ""
EOF
```
> Pods carrying the annotation `io.kubernetes.cri.untrusted-workload: "true"` are run under the gVisor runtime (`runsc`); every other pod uses `runc`. The annotation is the only selector, so sandboxing is a per-pod opt-in, not the default.
Create the `containerd.service` systemd unit file:
```
cat > containerd.service <<EOF
[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target

[Service]
ExecStartPre=/sbin/modprobe overlay
ExecStart=/bin/containerd
Restart=always
RestartSec=5
Delegate=yes
KillMode=process
OOMScoreAdjust=-999
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity

[Install]
WantedBy=multi-user.target
EOF
```
### Configure the Kubelet
```
sudo mv ${HOSTNAME}-key.pem ${HOSTNAME}.pem /var/lib/kubelet/
```
```
sudo mv ${HOSTNAME}.kubeconfig /var/lib/kubelet/kubeconfig
```
```
sudo mv ca.pem /var/lib/kubernetes/
```
Create the `kubelet-config.yaml` configuration file:
```
cat > kubelet-config.yaml <<EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: "/var/lib/kubernetes/ca.pem"
authorization:
  mode: Webhook
clusterDomain: "cluster.local"
clusterDNS:
  - "10.32.0.10"
podCIDR: "${POD_CIDR}"
runtimeRequestTimeout: "15m"
tlsCertFile: "/var/lib/kubelet/${HOSTNAME}.pem"
tlsPrivateKeyFile: "/var/lib/kubelet/${HOSTNAME}-key.pem"
EOF
```
```
sudo mv kubelet-config.yaml /var/lib/kubelet/kubelet-config.yaml
```
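The four authentication and authorization settings in this file are what keep the kubelet API on port 10250 from being an open door: with anonymous access on and `AlwaysAllow` authorization (the kubelet's historical flag defaults), anyone who can reach the port can list the node's pods and run commands inside their containers. With the settings above, bearer tokens are checked against the API server (TokenReview), client certificates are verified against the cluster CA, and every request is authorized by the API server (SubjectAccessReview). The script below is an added example, not part of the kubernetes-the-hard-way lab, that audits a `KubeletConfiguration` file for exactly these settings so the check can run on each worker (or in CI) before the kubelet starts. The function names are mine, the YAML flattener handles only the nested maps and scalar lists this file uses, and both sample configs are constructed inline: one is this lab's config with `POD_CIDR` and `HOSTNAME` filled in for `worker-0`, the other a deliberately weak variant.

```shell
#!/bin/sh
# Added example, not part of kubernetes-the-hard-way: audit a KubeletConfiguration
# for the settings that keep the kubelet API on port 10250 from being an
# unauthenticated, unauthorized way to run commands in every pod on the node.

# flatten_yaml FILE -> "dotted.key=value" lines. Handles nested maps and scalar
# lists, which is all kubelet-config.yaml needs; it is not a general YAML parser.
flatten_yaml() {
  awk '
    function path(   i, p) { p = ""; for (i = 1; i <= d; i++) p = p (i > 1 ? "." : "") keys[i]; return p }
    /^[ \t]*#/ { next }
    /^[ \t]*$/ { next }
    {
      match($0, /^ */); ind = RLENGTH                    # indentation in spaces
      line = substr($0, ind + 1)
      if (line ~ /^- /) {                                # list item under the nearest key
        while (d > 0 && inds[d] > ind) d--
        val = substr(line, 3); gsub(/"/, "", val)
        print path() "=" val
        next
      }
      while (d > 0 && inds[d] >= ind) d--                # close maps at this depth or deeper
      i = index(line, ":")
      key = substr(line, 1, i - 1)
      val = substr(line, i + 1); sub(/^ +/, "", val); gsub(/"/, "", val)
      d++; keys[d] = key; inds[d] = ind
      if (val != "") print path() "=" val
    }' "$1"
}

# yaml_get FILE DOTTED.KEY -> the value, or empty if the key is absent
yaml_get() {
  flatten_yaml "$1" | awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# expect_key FILE KEY WANT WHY -> one PASS/FAIL line; records a failure in $bad
expect_key() {
  got=$(yaml_get "$1" "$2")
  if [ "$got" = "$3" ]; then
    echo "PASS $4 ($2=$got)"
  else
    echo "FAIL $4 ($2='$got', want '$3')"; bad=1
  fi
}

# audit_kubelet_config FILE -> 0 only if every check passes
audit_kubelet_config() {
  bad=0
  expect_key "$1" authentication.anonymous.enabled false "anonymous requests are rejected"
  expect_key "$1" authentication.webhook.enabled true "bearer tokens are checked with the API server (TokenReview)"
  expect_key "$1" authorization.mode Webhook "every request is authorized by the API server (SubjectAccessReview)"
  ca=$(yaml_get "$1" authentication.x509.clientCAFile)
  if [ -n "$ca" ]; then
    echo "PASS client certificates are verified against $ca"
  else
    echo "FAIL no clientCAFile, so client certificates cannot be verified"; bad=1
  fi
  return $bad
}

tmp=$(mktemp -d)
# Constructed copy of this lab's config with POD_CIDR and HOSTNAME filled in for worker-0.
cat > "$tmp/hardened.yaml" <<'EOF'
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: "/var/lib/kubernetes/ca.pem"
authorization:
  mode: Webhook
clusterDomain: "cluster.local"
clusterDNS:
  - "10.32.0.10"
podCIDR: "10.200.0.0/24"
runtimeRequestTimeout: "15m"
tlsCertFile: "/var/lib/kubelet/worker-0.pem"
tlsPrivateKeyFile: "/var/lib/kubelet/worker-0-key.pem"
EOF
# Constructed weak variant: the kubelet's historical flag defaults (anonymous on, AlwaysAllow).
cat > "$tmp/weak.yaml" <<'EOF'
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: true
  webhook:
    enabled: false
authorization:
  mode: AlwaysAllow
EOF
HARDENED_CFG=$tmp/hardened.yaml
WEAK_CFG=$tmp/weak.yaml
audit_kubelet_config "$HARDENED_CFG" && echo "hardened.yaml: accepted"
audit_kubelet_config "$WEAK_CFG" || echo "weak.yaml: rejected"
```

Run it against `/var/lib/kubelet/kubelet-config.yaml` on each worker; a non-zero exit is a reason not to start the kubelet. Once the service is up, the same property can be confirmed from the outside: an unauthenticated request to `https://<worker>:10250/pods` should be refused rather than answered.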
Create the `kubelet.service` systemd unit file:
```
cat > kubelet.service <<EOF
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=containerd.service
Requires=containerd.service

[Service]
ExecStart=/usr/local/bin/kubelet \\
  --config=/var/lib/kubelet/kubelet-config.yaml \\
  --container-runtime=remote \\
  --container-runtime-endpoint=unix:///var/run/containerd/containerd.sock \\
  --image-pull-progress-deadline=2m \\
  --kubeconfig=/var/lib/kubelet/kubeconfig \\
  --network-plugin=cni \\
  --register-node=true \\
  --v=2
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
```
### Configure the Kubernetes Proxy
```
sudo mv kube-proxy.kubeconfig /var/lib/kube-proxy/kubeconfig
```
Create the `kube-proxy-config.yaml` configuration file:
```
cat > kube-proxy-config.yaml <<EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
clientConnection:
  kubeconfig: "/var/lib/kube-proxy/kubeconfig"
mode: "iptables"
clusterCIDR: "10.200.0.0/16"
EOF
```
```
sudo mv kube-proxy-config.yaml /var/lib/kube-proxy/kube-proxy-config.yaml
```
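Two values tie the CNI configuration, the kubelet configuration and the kube-proxy configuration together: the per-node `POD_CIDR` fetched from instance metadata (written into `10-bridge.conf` and `kubelet-config.yaml`) and the `clusterCIDR` given to kube-proxy above. The metadata lookup fails silently: if the `pod-cidr` attribute is missing or the curl fails, `POD_CIDR` is empty and the templates are written with `"subnet": ""`, which only surfaces later as pods that never get an address. A pod CIDR outside `clusterCIDR` breaks kube-proxy's masquerade decisions just as quietly. The script below is an added example, not part of the kubernetes-the-hard-way lab, that validates the pod CIDR and checks it against the cluster CIDR before anything is written. The function names are mine; `10.200.0.0/16` is the value from the kube-proxy config above, and the sample pod CIDRs are constructed stand-ins for what the metadata lookup would return.

```shell
#!/bin/sh
# Added example, not part of kubernetes-the-hard-way: validate the per-node Pod CIDR
# read from instance metadata before templating it into 10-bridge.conf and
# kubelet-config.yaml, and confirm it sits inside kube-proxy's clusterCIDR.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# valid_cidr A.B.C.D/N -> 0 if this is a well-formed IPv4 CIDR (octets <= 255, N <= 32)
valid_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  ip=${1%/*}; len=${1#*/}
  [ "$len" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# cidr_contains OUTER INNER -> 0 if every address in INNER is also in OUTER
cidr_contains() {
  o_ip=${1%/*}; o_len=${1#*/}; i_ip=${2%/*}; i_len=${2#*/}
  [ "$i_len" -ge "$o_len" ] || return 1          # a wider prefix cannot fit inside
  mask=$(( (4294967295 << (32 - o_len)) & 4294967295 ))
  [ $(( $(ip_to_int "$o_ip") & mask )) -eq $(( $(ip_to_int "$i_ip") & mask )) ]
}

# check_pod_cidr POD_CIDR CLUSTER_CIDR -> 0 only if POD_CIDR is safe to write into
# the CNI and kubelet configs; each failure mode is reported on stderr.
check_pod_cidr() {
  [ -n "$1" ] || { echo "pod-cidr metadata attribute is empty (is it set on this instance?)" >&2; return 1; }
  valid_cidr "$1" || { echo "malformed pod CIDR: '$1'" >&2; return 1; }
  valid_cidr "$2" || { echo "malformed cluster CIDR: '$2'" >&2; return 1; }
  cidr_contains "$2" "$1" || { echo "pod CIDR $1 lies outside cluster CIDR $2" >&2; return 1; }
}

# Demo: clusterCIDR is the value from this lab's kube-proxy config; the pod CIDRs
# are constructed stand-ins for what the metadata lookup might return.
CLUSTER_CIDR=10.200.0.0/16
for POD_CIDR in 10.200.0.0/24 10.200.2.0/24 "" 10.201.0.0/24 10.200.0.300/24; do
  if check_pod_cidr "$POD_CIDR" "$CLUSTER_CIDR"; then
    echo "accept '$POD_CIDR'"
  else
    echo "reject '$POD_CIDR'"
  fi
done
```

On a worker, run `check_pod_cidr "$POD_CIDR" 10.200.0.0/16` right after the metadata lookup in the CNI section and abort the bootstrap if it fails; the rest of this lab then only ever templates a value that has been checked.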
Create the `kube-proxy.service` systemd unit file:
```
cat > kube-proxy.service <<EOF
[Unit]
Description=Kubernetes Kube Proxy
Documentation=https://github.com/kubernetes/kubernetes

[Service]
ExecStart=/usr/local/bin/kube-proxy \\
  --config=/var/lib/kube-proxy/kube-proxy-config.yaml
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
```
### Start the Worker Services
```
sudo mv containerd.service kubelet.service kube-proxy.service /etc/systemd/system/
```
```
sudo systemctl daemon-reload
```
```
sudo systemctl enable containerd kubelet kube-proxy
```
```
sudo systemctl start containerd kubelet kube-proxy
```
> Remember to run the above commands on each worker node: `worker-0`, `worker-1`, and `worker-2`.
## Verification
> The compute instances created in this tutorial will not have permission to complete this section. Run the following commands from the same machine used to create the compute instances.
List the registered Kubernetes nodes from `controller-0`, using the controller manager's kubeconfig:
```
gcloud compute ssh controller-0 \
  --command="kubectl get nodes \
    --kubeconfig /var/lib/kubernetes/kube-controller-manager.kubeconfig"
```
> output
```
NAME       STATUS   ROLES    AGE   VERSION
worker-0   Ready    <none>   20s   v1.10.2
worker-1   Ready    <none>   20s   v1.10.2
worker-2   Ready    <none>   20s   v1.10.2
```
Next: [Configuring kubectl for Remote Access](10-configuring-kubectl.md)