Kubernetes*

This tutorial describes how to install, configure, and run the Kubernetes container orchestration system on Clear Linux* OS using CRI+O and kata-runtime.

Description

Kubernetes is an open source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up an application into logical units for easy management and discovery. Get up and running quickly with our Cloud native setup automation.

Kata Containers* kata-runtime adheres to OCI guidelines and works seamlessly with Kubernetes. Kata Containers provides strong isolation for untrusted workloads or multi-tenant scenarios. Kata Containers can be allocated on a per-pod basis, so you can mix and match both on the same host to suit your needs.

Prerequisites

This tutorial assumes you have already installed Clear Linux OS. For detailed instructions on installing Clear Linux OS on a bare metal system, follow the bare metal installation tutorial. Learn about the benefits of having an up-to-date system for cloud orchestration on the swupd page.

Before you install any new packages, update Clear Linux OS with the following command:

sudo swupd update

Install Kubernetes and CRI runtimes

Kubernetes, a set of supported CRI runtimes, and networking plugins, are included in the cloud-native-basic bundle.

To install this framework, enter the following command:

sudo swupd bundle-add cloud-native-basic

Note

For more on networking plugins, see Install pod network add-on.

Configure Kubernetes

This tutorial uses the basic default Kubernetes configuration for simplicity. You must define your Kubernetes configuration according to your specific deployment and your security needs.

  1. Enable IP forwarding to avoid kubeadm preflight check errors:

    Create (or edit if it exists) the file /etc/sysctl.d/60-k8s.conf and include the following line:

    net.ipv4.ip_forward = 1
    

    Apply the change:

    sudo systemctl restart systemd-sysctl
    
  2. Enable the kubelet service:

    sudo systemctl enable kubelet.service
    
  3. Disable swap using one of the following methods, either:

    1. Temporarily:

      sudo swapoff -a
      

      Note

      Swap will be enabled at next reboot, causing failures in your cluster.

    or:

    1. Permanently:

      Mask the swap partition:

      sudo systemctl mask $(sed -n -e 's#^/dev/\([0-9a-z]*\).*#dev-\1.swap#p' /proc/swaps) 2>/dev/null
      sudo swapoff -a
      

      Note

      On systems with limited resources, some performance degradation may be observed while swap is disabled.

  4. Switch to root to modify the hosts file:

    sudo -s
    
  5. Create (or edit if it exists) the hosts file that Kubernetes will read to locate the master’s host:

    echo "127.0.0.1 localhost `hostname`" >> /etc/hosts
    
  6. Exit root:

    exit
    

Configure and run Kubernetes

This section describes how to configure and run Kubernetes with CRI-O and kata-runtime.

Configure and run CRI-O + kata-runtime

  1. Enable the CRI-O service:

    sudo systemctl enable crio.service
    
  2. Enter the commands:

    sudo systemctl daemon-reload
    sudo systemctl restart crio
    
  3. Initialize the master control plane with the command below and follow the displayed instructions to set up kubectl:

    sudo kubeadm init --cri-socket=/run/crio/crio.sock
    
  4. Register kata-runtime as a RuntimeClass handler:

    cat << EOF | kubectl apply -f -
    kind: RuntimeClass
    apiVersion: node.k8s.io/v1beta1
    metadata:
        name: native
    handler: runc
    ---
    kind: RuntimeClass
    apiVersion: node.k8s.io/v1beta1
    metadata:
        name: kata-containers
    handler: kata
    EOF
    

Install pod network add-on

You must choose and install a pod network add-on to allow your pods to communicate. Check whether or not your add-on requires special flags when you initialize the master control plane.

Notes about flannel add-on

If you choose the flannel add-on, then you must add the following to the kubeadm init command:

--pod-network-cidr 10.244.0.0/16

Furthermore, if you are using CRI-O and flannel and you want to use Kata Containers, edit the /etc/crio/crio.conf file to add:

[crio.runtime]
manage_network_ns_lifecycle = true

Use your cluster

Once your master control plane is successfully initialized, instructions on how to use your cluster and its IP, token, and hash values are displayed. It is important that you record the cluster values because they are needed when joining worker nodes to the cluster. Some values have a valid period. The values are presented in a format similar to:

kubeadm join <master-ip>:<master-port> --token <token> --discovery-token-ca-cert-hash <hash>

Congratulations!

You’ve successfully installed and set up Kubernetes in Clear Linux OS using CRI-O and kata-runtime. You are now ready to follow on-screen instructions to deploy a pod network to the cluster and join worker nodes with the displayed token and IP information.

Cloud native setup automation

Optional: Clone the cloud-native-setup repository on your system and follow the instructions. This repository includes helper scripts to automate configuration.

Package configuration customization (optional)

Clear Linux OS is a stateless system that looks for user-defined package configuration files in the /etc/<package-name> directory to be used as default. If user-defined files are not found, Clear Linux OS uses the distribution-provided configuration files for each package.

If you customize any of the default package configuration files, you must store the customized files in the /etc/ directory. If you edit any of the distribution-provided default files, your changes will be lost in the next system update.

For example, to customize CRI-O configuration in your system, run the following commands:

sudo mkdir /etc/crio
sudo cp /usr/share/defaults/crio/crio.conf /etc/crio/
sudo $EDITOR /etc/crio/crio.conf

Learn more about Stateless in Clear Linux OS.

Proxy configuration (optional)

If you use a proxy server, you must set your proxy environment variables and create an appropriate proxy configuration file for both CRI-O services. Consult your IT department if you are behind a corporate proxy for the appropriate values. Ensure that your local IP is explicitly included in the environment variable NO_PROXY. (Setting localhost is not enough.)

If you have already set your proxy environment variables, run the following commands as a shell script to configure all of these services in one step:

services=('crio')
for s in "${services[@]}"; do
sudo mkdir -p "/etc/systemd/system/${s}.service.d/"
cat << EOF | sudo tee "/etc/systemd/system/${s}.service.d/proxy.conf"
[Service]
Environment="HTTP_PROXY=${http_proxy}"
Environment="HTTPS_PROXY=${https_proxy}"
Environment="SOCKS_PROXY=${socks_proxy}"
Environment="NO_PROXY=${no_proxy}"
EOF
done

Troubleshooting

  • <HOSTNAME> not found in <IP> message.

    Your DNS server may not be appropriately configured. Try adding an entry to the /etc/hosts file with your host’s IP and Name.

    For example: 100.200.50.20 myhost

    Use the commands hostname and hostname -I to retrieve them.

  • Images cannot be pulled.

    You may be behind a proxy server. Try configuring your proxy settings, using the environment variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY as required in your environment.

  • Connection refused error.

    If you are behind a proxy server, you may need to add the master’s IP to the environment variable NO_PROXY.

  • Connection timed-out or Access Refused errors.

    You must ensure that the appropriate proxy settings are available from the same terminal where you will initialize the control plane. To verify the proxy settings that Kubernetes will actually use, run the commands:

    echo $HTTP_PROXY
    echo $HTTPS_PROXY
    echo $NO_PROXY
    

    If the displayed proxy values are different from your assigned values, the cluster initialization will fail. Contact your IT support team to learn how to set the proxy variables permanently, and how to make them available for all the types of access that you will use, such as remote SSH access.

    If the result of the above commands is blank, you may need to add a profile to the /etc directory. To do so, follow these steps.

    1. Create a profile in /etc

      sudo touch profile
      
    2. With your preferred editor, open profile, and enter your proxy settings. An example is shown below.

      export "HTTP_PROXY=http://proxy.example.com:443"
      export "HTTPS_PROXY=http://proxy.example.com:445"
      export "SOCKS_PROXY=http://proxy.example.com:1080"
      export "NO_PROXY= site.com,.site.com,localhost,127.0.0.1,<master IP>
      

      Note

      <master IP> can be obtained by running ifconfig.

    3. Save and exit the profile.

    4. Update your system’s environment settings by executing the following command:

      sudo source profile
      
    5. To ensure your system isn’t running previous session variables, run:

      sudo kubeadm reset --cri-socket=/run/crio/crio.sock
      
    6. Continue below while passing -E in the command as shown.

  • Missing environment variables.

    If you are behind a proxy server, pass environment variables by adding -E to the command that initializes the master control plane.

    /* Kubernetes with CRI-O + kata-runtime */
    sudo -E kubeadm init --cri-socket=/run/crio/crio.sock