
hetzner arch k8s cilium

yay new server

new server

So, a new Arch Linux dedicated server from Hetzner. Time to set it up. Everything in the first listing runs as root on the server over ssh; the second listing runs on the local machine.

 1# rename things
 2NEWHOST=medea
 3OLDHOST=$(cat /etc/hostname)
 4echo $NEWHOST > /etc/hostname
 5sed -i s/$OLDHOST/$NEWHOST/ /etc/hosts
 6
 7# change mounts / sysctls for k8s
 8# remove hetzner settings
 9sed -i '/ swap /d' /etc/fstab
10echo br_netfilter > /etc/modules-load.d/br_netfilter.conf
11rm /etc/sysctl.d/*
12cat << EOF > /etc/sysctl.d/30-ipforward.conf
13net.ipv4.ip_forward=1
14net.ipv4.conf.lxc*.rp_filter=0
15net.ipv6.conf.default.forwarding=1
16net.ipv6.conf.all.forwarding=1
17EOF
18
19# cleanup junk
20pacman -Rns btrfs-progs gptfdisk haveged xfsprogs wget vim net-tools cronie
21pacman -S neovim containerd kubeadm kubelet
22
23# remove arch cni dir overrides
24rm /etc/kubernetes/kubelet.env
25systemctl enable containerd kubelet
26
27sed -i /#PasswordAuthentication yes/PasswordAuthentication no/ /etc/ssh/sshd_config
28sed -i /#PrintLastLog yes/PrintLastLog no/ /etc/ssh/sshd_config
29rm /etc/ssh/ssh_host_{dsa,rsa,ecdsa}_key*
30
31reboot
32
33kubeadm init --skip-phases=addon/kube-proxy --pod-network-cidr=10.244.0.0/16 --service-cidr=10.245.0.0/16

On the local machine (see the next section for how cilium.yaml is generated)

 1# setup ssh
 2cat << EOF > ~/.ssh/config
 3
 4Host medea
 5    Hostname 65.21.73.144
 6    # Hostname 2a01:4f9:3b:4e2f::2
 7    User root
 8    IdentityFile ~/.ssh/id_ed25519
 9EOF
10
11ssh-copy-id -i ~/.ssh/id_ecdsa_sk medea
12ssh-copy-id -i ~/.ssh/id_ed25519_sk medea
13
14# get kubeconfig
15rsync -P medea:/etc/kubernetes/admin.conf ~/.config/kube/config
16
17# allow workloads on my single node
18kubectl taint nodes --all node-role.kubernetes.io/master-
19
20# networking
21k apply -f cilium.yaml

cilium

I want some control over the k8s network settings — specifically the pod and service ranges used, and no kube-proxy. So I render the cilium helm chart with the values below; make sure you read the cilium docs (the kube-proxy replacement and native routing sections) to figure out all the settings you need to enable for your version.

 1helm template cilium cilium/cilium \
 2    --version 1.9.6 \
 3    --namespace kube-system \
 4    --set kubeProxyReplacement=strict \
 5    --set k8sServiceHost=65.21.73.144 \
 6    --set k8sServicePort=6443 \
 7    --set operator.replicas=1 \
 8    --set hostServices.enabled=true \
 9    --set endpointRoutes.enabled=true \
10    --set ipam.mode=cluster-pool \
11    --set ipam.operator.clusterPoolIPv4MaskSize=24 \
12    --set ipam.operator.clusterPoolIPv4PodCIDR=10.244.0.0/16 \
13    --set tunnel=disabled \
14    --set autoDirectNodeRoutes=true \
15    --set nativeRoutingCIDR=10.244.0.0/15 \
16    > cilium.yaml