Initializing the Kubernetes cluster: Difference between revisions

Latest revision as of 12:08, 19 June 2019

Kubernetes and pre-requisites (every node)

Install Kubernetes on Ubuntu 18.04. Assuming version 1.14.3 is pulled, check how to fix version. On new systems, copy over the install script from the master node.

> cd init
> ./install_kubernetes.sh

Reconfigure docker runtime. Edit /etc/docker/daemon.json as follows:

{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2"
}

On nodes with an nVidia GPU, add the following:

  "default-runtime": "nvidia",
  "default-shm-size": "1g",
  "runtimes": {
    "nvidia": {
      "path": "nvidia-container-runtime",
      "runtimeArgs": []
    }
  }

Restart docker daemon:

> mkdir -p /etc/systemd/system/docker.service.d
> systemctl daemon-reload
> systemctl restart docker

Make sure swap is off

> sudo swapoff -a

Check /etc/fstab if swap is still configured there, delete if this is the case.

Spin up the master node

Use kubeadm with vanilla defaults to initialize the control plane.

> sudo systemctl enable docker.service
> sudo kubeadm init

If this fails at any point, use kubeadm reset after problems have been fixed before trying to re-initialize.

Post-init steps to setup admin user on this account

> cd init
> ./finalize_master.sh

Update kubelet configuration for master node

Edit /etc/kubernetes/manifests/kube-controller-manager.yaml:

spec:
  containers:
  - command:
    # add these two
    - --allocate-node-cidrs=true
    - --cluster-cidr=10.244.0.0/16

Copy certs/ca.crt (certificate for ccu.uni-konstanz.de) to /usr/share/ca-certificates/ca-dex.pem.

Edit /etc/kubernetes/manifests/kube-apiserver.yaml:

spec:
  containers:
  - command:
    # add these five
    - --oidc-issuer-url=https://ccu.uni-konstanz.de:32000/dex
    - --oidc-client-id=loginapp
    - --oidc-ca-file=/usr/share/ca-certificates/ca-dex.pem
    - --oidc-username-claim=name
    - --oidc-groups-claim=groups

Daemonsets on Master node

Flannel daemonset (pod network for communication)

> cd init
> ./start_pod_network.sh

nVidia daemonset

> cd init
> ./deploy_nvidia_device_plugin.sh

The daemonset should be active on any node with an nVidia GPU.

Authentication systems

The master node should now login to the docker registry of the cluster.

> docker login https://ccu.uni-konstanz.de:5000
Username: bastian.goldluecke
Password:

Also, we need to provide the read-only secret for the docker registry in every namespace.

TODO: howto.

Finally, we need to set up all the rules for rbac.

> cd rbac
# generate namespaces for user groups
> ./generate_namespaces.sh
# label all compute nodes for which namespace they serve
# (after they are up, needs to be redone when new nodes are added)
> ./label_nodes.sh
# set up access rights for namespaces
> kubectl apply -f rbac.yaml
# set up rights for which namespaces can access which compute node
> kubectl apply -f node_to_groups.yaml

Persistent volumes

Local persistent volumes

Check directory local_storage:

clone the git repository for the provisioner using clone_provisioner.sh (delete first if already here).
install helm: install_helm.sh, get_helm.sh. Do NOT run helm init (unsafe and soon obsolete).
set up and run provisioner:

> cd install
> generate_config.sh
> kubectl apply -f install_storageclass.yaml
> kubectl apply -f install_service.yaml
> kubectl apply -f provisioner_generated.yaml

After local persistent volumes on the nodes have been generated in /mnt/kubernetes, they should show up under

> kubectl get pv

@@ Line 1: / Line 1: @@
-== Master node from scratch ==
+== Kubernetes and pre-requisites (every node) ==
-* Install Kubernetes on Ubuntu 18.04. Assuming version 1.14.2 is pulled, check how to fix version.
+Install Kubernetes on Ubuntu 18.04. Assuming version 1.14.3 is pulled, check how to fix version. On new systems, copy over the install script from the master node.
 <syntaxhighlight lang="bash">
-> sudo snap install kubeadm --classic
+> cd init
-> sudo snap install kubelet --classic
+> ./install_kubernetes.sh
-> sudo snap install kubectl --classic
-> sudo apt install rand faketime
 </syntaxhighlight>
-* Set up other pre-requisites:
+Reconfigure docker runtime. Edit /etc/docker/daemon.json as follows:
-** Reconfigure docker runtime. Edit /etc/docker/daemon.json as follows:
 <syntaxhighlight lang="bash">
 {
@@ Line 22: / Line 19: @@
 }
 </syntaxhighlight>
-** Restart docker daemon:
+On nodes with an nVidia GPU, add the following:
+<syntaxhighlight lang="bash">
+  "default-runtime": "nvidia",
+  "default-shm-size": "1g",
+  "runtimes": {
+    "nvidia": {
+      "path": "nvidia-container-runtime",
+      "runtimeArgs": []
+    }
+  }
+</syntaxhighlight>
+Restart docker daemon:
 <syntaxhighlight lang="bash">
 > mkdir -p /etc/systemd/system/docker.service.d
@@ Line 29: / Line 40: @@
 </syntaxhighlight>
-** Make sure swap is off
+Make sure swap is off
 <syntaxhighlight lang="bash">
 > sudo swapoff -a
@@ Line 35: / Line 46: @@
 Check /etc/fstab if swap is still configured there, delete if this is the case.
-* Create cluster configuration scripts.
+== Spin up the master node ==
+Use kubeadm with vanilla defaults to initialize the control plane.
+<syntaxhighlight lang="bash">
+> sudo systemctl enable docker.service
+> sudo kubeadm init
+</syntaxhighlight>
+If this fails at any point, use kubeadm reset after problems have been fixed before trying to re-initialize.
+* Post-init steps to setup admin user on this account
 <syntaxhighlight lang="bash">
-> cd init/templates
+> cd init
-# edit cluster information in the following config file
+> ./finalize_master.sh
-> nano make_init_config.sh
-> touch /home/kubernetes/.rnd
-> ./make_init_config.sh
 </syntaxhighlight>
-This will generate the init config from the config template and store it in /home/kubernetes/clusters/ccu.
-* Spin up the master node.
+== Update kubelet configuration for master node ==
+Edit /etc/kubernetes/manifests/kube-controller-manager.yaml:
+<syntaxhighlight lang="bash">
+spec:
+  containers:
+  - command:
+    # add these two
+    - --allocate-node-cidrs=true
+    - --cluster-cidr=10.244.0.0/16
+</syntaxhighlight>
+Copy certs/ca.crt (certificate for ccu.uni-konstanz.de) to /usr/share/ca-certificates/ca-dex.pem.
+Edit /etc/kubernetes/manifests/kube-apiserver.yaml:
+<syntaxhighlight lang="bash">
+spec:
+  containers:
+  - command:
+    # add these five
+    - --oidc-issuer-url=https://ccu.uni-konstanz.de:32000/dex
+    - --oidc-client-id=loginapp
+    - --oidc-ca-file=/usr/share/ca-certificates/ca-dex.pem
+    - --oidc-username-claim=name
+    - --oidc-groups-claim=groups
+</syntaxhighlight>
+== Daemonsets on Master node ==
-Use kubeadm with the generated config to initialize the control plane.
+=== Flannel daemonset (pod network for communication) ===
 <syntaxhighlight lang="bash">
-> cd /home/kubernetes/clusters/ccu
+> cd init
-> sudo systemctl enable docker.service
+> ./start_pod_network.sh
-> sudo kubeadm init --config kubeadm-init-config.yaml
 </syntaxhighlight>
-* Flannel daemonset (node communication)
+=== nVidia daemonset ===
-* nVidia daemonset
+<syntaxhighlight lang="bash">
+> cd init
+> ./deploy_nvidia_device_plugin.sh
+</syntaxhighlight>
-* Update kubelet configuration for master node
+The daemonset should be active on any node with an nVidia GPU.
 == Authentication systems ==
-=== DEX with LDAP ===
+The master node should now login to the docker registry of the cluster.
+<syntaxhighlight lang="bash">
+> docker login https://ccu.uni-konstanz.de:5000
+Username: bastian.goldluecke
+Password:
+</syntaxhighlight>
+Also, we need to provide the read-only secret for the docker registry in every namespace.
+TODO: howto.
+Finally, we need to set up all the rules for rbac.
+<syntaxhighlight lang="bash">
+> cd rbac
+# generate namespaces for user groups
+> ./generate_namespaces.sh
+# label all compute nodes for which namespace they serve
+# (after they are up, needs to be redone when new nodes are added)
+> ./label_nodes.sh
+# set up access rights for namespaces
+> kubectl apply -f rbac.yaml
+# set up rights for which namespaces can access which compute node
+> kubectl apply -f node_to_groups.yaml
+</syntaxhighlight>
+== Persistent volumes ==
-TODO: outdated, switched to containerized DEX. Check what still needs to be done.
+=== Local persistent volumes ===
-Set up according to [https://github.com/krishnapmv/k8s-ldap this tutorial]
+Check directory local_storage:
-with customized install scripts in kubernetes/init/dex/
+* clone the git repository for the provisioner using clone_provisioner.sh (delete first if already here).
+* install helm: install_helm.sh, get_helm.sh. Do NOT run helm init (unsafe and soon obsolete).
+* set up and run provisioner:
-# Create secrets for TLS connections, use certs for ccu.uni-konstanz.de
+<syntaxhighlight lang="bash">
-## Modify ca-cm.yml to contain correct ca.
+> cd install
-## Run upload_ccu_tls.sh
+> generate_config.sh
-# Spin up login application service.
+> kubectl apply -f install_storageclass.yaml
-## Modify loginapp-cm.yml: server config
+> kubectl apply -f install_service.yaml
-## Modify loginapp-ing-srv.yml: service data, mapping of ports to outside world
+> kubectl apply -f provisioner_generated.yaml
-## Modify loginapp-deploy.yml: ID secret for TLS
+</syntaxhighlight>
-## Run start-login-service.sh
-# Spin up dex
+After local persistent volumes on the nodes have been generated in /mnt/kubernetes, they should show up under
-## Modify dex-cm.yml: server data and LDAP configuration
-## Modify dex-ing-srv.yml: service data, mapping of ports to outside world
+<syntaxhighlight lang="bash">
-## Modify dex-deploy.yml: ID secret for TLS
+> kubectl get pv
-## Run start-dex-service.sh
+</syntaxhighlight>

Initializing the Kubernetes cluster: Difference between revisions

Latest revision as of 12:08, 19 June 2019

Contents

Kubernetes and pre-requisites (every node)

Spin up the master node

Update kubelet configuration for master node

Daemonsets on Master node

Flannel daemonset (pod network for communication)

nVidia daemonset

Authentication systems

Persistent volumes

Local persistent volumes

Navigation menu

Initializing the Kubernetes cluster: Difference between revisions

Latest revision as of 12:08, 19 June 2019

Kubernetes and pre-requisites (every node)

Spin up the master node

Update kubelet configuration for master node

Daemonsets on Master node

Flannel daemonset (pod network for communication)

nVidia daemonset

Authentication systems

Persistent volumes

Local persistent volumes

Navigation menu

Search