
Lab 1: Deploying the Kubernetes Cluster

Introduction
In this lab, you will learn how to create a Kubernetes cluster.
The Kubernetes setup has one master host and two worker nodes.

Cluster nodes are also known as worker nodes or minions.

From the master host, we will manage Kubernetes using the “kubeadm” and
“kubectl” commands.

Kubernetes can be installed and deployed using the following methods:

• Minikube (a single-node Kubernetes cluster).
• Kubeadm (multi-node Kubernetes cluster setup on-prem).
• Kubespray (runs on bare metal and most clouds, using Ansible).
• Kops (multi-node Kubernetes cluster setup on-cloud).

1 Log in to the master node as the root user with the password linux, if not already logged in.
2 Generate an SSH key pair so that the master and worker nodes can be reached without a password.

# ssh-keygen -t rsa -N ''


Note: Keep pressing enter without entering or changing any value.
Output:

Student Material – Do Not Re-distribute. For any queries contact:


naushad.p.tech@gmail.com or https://www.linkedin.com/in/naushadpasha/
Copy ssh public key to Master and Worker nodes.

# ssh-copy-id 192.168.100.11

Output:

Type yes and enter the root password as “linux” when prompted.

# ssh-copy-id 192.168.100.12

Output:

# ssh-copy-id 192.168.100.13

Output:

3 Set the hostname and add entries to /etc/hosts for local name resolution.

# hostnamectl set-hostname kube-master


# cat > /etc/hosts <<EOF
192.168.100.11 kube-master
192.168.100.12 kube-node1
192.168.100.13 kube-node2
127.0.0.1 localhost
EOF

4 Disable SELinux
Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) security
mechanism implemented in the kernel.

SELinux has three basic modes of operation, of which Enforcing is the
installation default.
• Enforcing: The default mode, which enables and enforces the SELinux
security policy on the system, denying access and logging actions.
• Permissive: SELinux is enabled but does not enforce the security policy;
it only warns and logs actions. Permissive mode is useful for
troubleshooting SELinux issues.
• Disabled: SELinux is turned off.

# sed -i 's/enforcing/disabled/g' /etc/selinux/config
# setenforce 0
# sestatus

Output:

4.1 Disable Firewalld

FirewallD is a frontend controller for iptables used to implement persistent network traffic
rules. Working with FirewallD has two main differences compared to controlling iptables
directly: FirewallD uses zones and services instead of chains and rules, and it manages
rulesets dynamically, allowing updates without breaking existing sessions and connections.

# systemctl disable --now firewalld
# systemctl status firewalld --no-pager

Output:

Note: If you wish to keep the firewall running, open the Kubernetes service ports by running
the commands below.

# firewall-cmd --permanent --add-port=6443/tcp
# firewall-cmd --permanent --add-port=2379-2380/tcp
# firewall-cmd --permanent --add-port=10250/tcp
# firewall-cmd --permanent --add-port=10251/tcp
# firewall-cmd --permanent --add-port=10252/tcp
# firewall-cmd --permanent --add-port=10255/tcp
# firewall-cmd --reload

4.2 Enable and start the chrony service (NTP).

chrony is a versatile implementation of the Network Time Protocol (NTP). The chrony suite is
installed by default. The chrony daemon is installed as /usr/sbin/chronyd and the
command-line utility as /usr/bin/chronyc.

# systemctl enable --now chronyd
# systemctl status chronyd --no-pager

Output:

# chronyc sources -v
Output:

3.6 Install the following base packages required by Kubernetes:

• wget: A utility for retrieving files using the HTTP or FTP protocols.
• net-tools: Contains basic networking tools, including ifconfig, netstat, route, and others.
• git: The git rpm installs the core tools with minimal dependencies. To install all git packages
• bind-utils: Install bind-utils if you need to get information from DNS name servers.

# yum -y install wget git net-tools bind-utils bash-completion kexec-tools yum-plugin-versionlock yum-utils

3.7 You must turn off the swap space as Kubernetes does not support it.

# swapoff -a

3.8 Comment out the swap filesystem entry in /etc/fstab

# sed -e '/swap/ s/^#*/#/' -i /etc/fstab

3.9 Load the br_netfilter module and enable the kernel settings so that packets traversing the bridge are passed to iptables.

# modprobe br_netfilter

# cat > /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF

# sysctl --system
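The helper functions below are an added example, not part of the lab material: they check the swap and bridge-netfilter prerequisites from steps 3.7 to 3.9 against a file you name, so they can be tried on a copy or on a constructed sample before being pointed at the real /etc/fstab and /etc/sysctl.d/k8s.conf. The function names are my own; the swap handling matches on the filesystem-type field rather than on the word "swap" anywhere in the line, which is the edge case the lab's single sed expression does not cover.

```shell
#!/bin/sh
# Added example (not from the lab): node pre-flight helpers for the swap and
# bridge-netfilter requirements. Every function takes a file path argument.

# Print the active (uncommented) swap entries of an fstab-format file.
# Matches the third field (filesystem type) only, so a mount point such as
# /srv/swapdata on an xfs volume is left alone.
active_swap_entries() {
    awk '$1 !~ /^#/ && $3 == "swap" { print }' "$1"
}

# Comment out every active swap entry in place. Writing through cat keeps
# the original file's owner and mode instead of replacing the inode.
comment_swap_entries() {
    tmp=$(mktemp) || return 1
    awk '$1 !~ /^#/ && $3 == "swap" { print "#" $0; next } { print }' "$1" > "$tmp" \
        && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Number of active swap entries; 0 means the file is ready for kubelet.
count_active_swap() {
    active_swap_entries "$1" | wc -l | tr -d ' '
}

# Check that a sysctl drop-in sets the three keys from step 3.9 to 1.
# Prints each missing or wrong key and returns 1 if any is wrong.
check_k8s_sysctl() {
    rc=0
    for key in net.bridge.bridge-nf-call-ip6tables \
               net.bridge.bridge-nf-call-iptables \
               net.ipv4.ip_forward; do
        val=$(awk -F= -v k="$key" '
            { gsub(/[ \t]/, "", $1) }
            $1 == k { gsub(/[ \t]/, "", $2); v = $2 }
            END { print v }' "$1")
        if [ "$val" != "1" ]; then
            echo "sysctl $key is '${val:-unset}', expected 1"
            rc=1
        fi
    done
    return $rc
}

# Typical use on a node, after sourcing this file:
#   comment_swap_entries /etc/fstab && swapoff -a
#   check_k8s_sysctl /etc/sysctl.d/k8s.conf && sysctl --system
```

Run `check_k8s_sysctl` before `sysctl --system`: a typo in the drop-in is silently ignored by sysctl, and the symptom only appears later as pods that cannot reach each other across the bridge.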

4 Update and reboot the server so that the latest packages are installed.

# yum update -y
# reboot
Log back in to kube-master as the root user to proceed with the next steps.

5 Uninstall podman by executing the command below.

# yum remove -y podman buildah

5.1 Set up the Docker repository by executing the command below.

# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

5.2 Install and configure Docker by executing the commands below.

# yum -y install docker-ce docker-ce-cli containerd.io --nobest

# mkdir /etc/docker

# cat > /etc/docker/daemon.json <<EOF
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ]
}
EOF

# mkdir -p /etc/systemd/system/docker.service.d

5.3 Kubernetes packages are not available in the default repositories. Use the command below
to configure the Kubernetes package repository.

# cat > /etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF

5.4 Install the Kubernetes packages.

# yum install -y kubeadm-1.19.0-00 kubelet-1.19.0-00 kubectl-1.19.0-00 --disableexcludes=kubernetes

5.5 Lock the installed versions by executing the command below.

# yum versionlock kubeadm-* kubelet-* kubectl-*

Output:

5.6 Enable and start the Docker daemon.

# systemctl enable --now docker
# systemctl status docker --no-pager

Output:

5.7 Enable and start the kubelet daemon.

# systemctl enable --now kubelet
# systemctl status kubelet --no-pager

Output:

6 Initialize the Kubernetes cluster by running the "kubeadm init" command.
What is kubeadm?
kubeadm is a toolkit produced by Kubernetes upstream for the creation and upgrade of
Kubernetes clusters.

# kubeadm init --apiserver-advertise-address=192.168.100.11 --pod-network-cidr=172.16.0.0/16
Note: Copy the join token printed at the end of the above command's output; it is needed later to join the worker nodes.

7 Run the commands below to set up the kubeconfig so that kubectl can manage the cluster.

# mkdir -p $HOME/.kube

# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

# sudo chown $(id -u):$(id -g) $HOME/.kube/config
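The following added example (my own code, not part of the lab) wraps step 7 in a function that copies the admin kubeconfig and verifies that the copy is readable only by its owner. /etc/kubernetes/admin.conf carries a cluster-admin client certificate and key, so the copy in $HOME/.kube/config should keep the 0600 mode that kubeadm gives the original; the function names and the constructed sample file in the test are assumptions.

```shell
#!/bin/sh
# Added example (not from the lab): install the admin kubeconfig for the
# current user and confirm the file is private to its owner.

# Return 0 if FILE has no group or world permission bits set, 1 otherwise.
# Reads the mode string from ls, which works on both GNU and BSD userlands.
kubeconfig_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Copy SRC to DEST (creating the parent directory), force mode 0600 and
# confirm the result. Returns 1 if the copy or the final check fails.
install_kubeconfig() {
    src=$1
    dest=$2
    mkdir -p "$(dirname "$dest")" || return 1
    cp "$src" "$dest" || return 1
    chmod 0600 "$dest" || return 1
    kubeconfig_is_private "$dest"
}

# Typical use on the master once kubeadm init has finished (the lab's paths):
#   install_kubeconfig /etc/kubernetes/admin.conf "$HOME/.kube/config"
```

The explicit chmod matters when a config already exists at the destination: `cp` then keeps the existing file's mode, whatever it was, rather than the 0600 of admin.conf.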

Run the command below to install the Calico overlay network.

# kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml

Output:

8 A node taint lets you mark a node so that the scheduler avoids or prevents using it for
certain Pods. A complementary feature, toleration, lets you designate Pods that can run
on “tainted” nodes.

• NoSchedule: Pods that do not tolerate this taint are not scheduled on the node.
• PreferNoSchedule: Kubernetes avoids scheduling Pods that do not tolerate this taint onto the
node.
• NoExecute: The Pod is evicted from the node if it is already running there, and is not
scheduled onto the node if it is not yet running.

The command below removes the NoSchedule taint from the master (the trailing "-" means remove), so that Pods can be scheduled on it.

# kubectl taint node kube-master node-role.kubernetes.io/master:NoSchedule-
Output:

9 Now run the following command to list master node status.
# kubectl get nodes
Output:

10 Run the below command to verify the cluster information.

# kubectl cluster-info
Output:
