hetzner arch k8s cilium

yay new server

SEAN K.H. LIAO

new server

So new Arch Linux dedicated server from Hetzner. Time to set it up.

# rename things
NEWHOST=medea
OLDHOST=$(cat /etc/hostname)
echo $NEWHOST > /etc/hostname
sed -i "s/$OLDHOST/$NEWHOST/" /etc/hosts

# change mounts / sysctls for k8s
# remove hetzner settings
sed -i '/ swap /d' /etc/fstab
echo br_netfilter > /etc/modules-load.d/br_netfilter.conf
rm /etc/sysctl.d/*
cat << EOF > /etc/sysctl.d/30-ipforward.conf
net.ipv4.ip_forward=1
net.ipv4.conf.lxc*.rp_filter=0
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
EOF

# cleanup junk
pacman -Rns btrfs-progs gptfdisk haveged xfsprogs wget vim net-tools cronie
pacman -S neovim containerd kubeadm kubelet

# remove arch cni dir overrides
rm /etc/kubernetes/kubelet.env
systemctl enable containerd kubelet

# sshd: key-only logins, and keep only the ed25519 host key
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/#PrintLastLog yes/PrintLastLog no/' /etc/ssh/sshd_config
rm /etc/ssh/ssh_host_{dsa,rsa,ecdsa}_key*

reboot

kubeadm init --skip-phases=addon/kube-proxy --pod-network-cidr=10.244.0.0/16 --service-cidr=10.245.0.0/16
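The edits above are all in-place file rewrites, and a sed pattern that silently matches nothing leaves the Hetzner defaults (password logins allowed, swap mounted) in force. The following preflight script is an added example, not part of the original post: it reads the same files the commands above touch, relative to a root directory so it can be pointed at a staging copy of /etc as well as at / on the node, and reports each setting it expects to find. The function name and the exact set of checks are my own choice.

```shell
#!/bin/sh
# Added example: verify that the node edits took effect before running kubeadm.
# Paths are taken relative to ROOT (default /) so the checks can run against a
# staging tree as well as the live system. Prints one line per check and
# returns the number of failed checks (0 = everything as expected).
k8s_node_preflight() {
    root=${1:-/}
    fails=0

    # kubelet refuses to start with swap active unless explicitly told otherwise
    if grep -q ' swap ' "$root/etc/fstab" 2>/dev/null; then
        echo "FAIL: swap entry still present in $root/etc/fstab"; fails=$((fails+1))
    else
        echo "ok:   no swap entry in fstab"
    fi

    # br_netfilter lets bridged pod traffic be seen by iptables/nftables
    if cat "$root"/etc/modules-load.d/*.conf 2>/dev/null | grep -qx 'br_netfilter'; then
        echo "ok:   br_netfilter queued for loading"
    else
        echo "FAIL: br_netfilter not listed in modules-load.d"; fails=$((fails+1))
    fi

    # forwarding must be on for pod and service traffic to leave the node
    for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
        if cat "$root"/etc/sysctl.d/*.conf 2>/dev/null | grep -qx "$key=1"; then
            echo "ok:   $key=1"
        else
            echo "FAIL: $key=1 not set in sysctl.d"; fails=$((fails+1))
        fi
    done

    # sshd takes the first uncommented occurrence of a keyword; a commented-out
    # "#PasswordAuthentication yes" still means the default (yes) applies
    pw=$(grep -E '^[[:space:]]*PasswordAuthentication[[:space:]]' "$root/etc/ssh/sshd_config" 2>/dev/null \
         | head -n1 | awk '{print $2}')
    if [ "$pw" = "no" ]; then
        echo "ok:   PasswordAuthentication no"
    else
        echo "FAIL: PasswordAuthentication is '${pw:-unset}' (sshd default is yes)"; fails=$((fails+1))
    fi

    return "$fails"
}

# usage: sh preflight.sh /        (on the node, after the edits and before reboot)
if [ "$#" -gt 0 ]; then
    k8s_node_preflight "$1"
fi
```

The sshd check deliberately looks only at uncommented directives: the original sed only rewrites a line that still reads `#PasswordAuthentication yes`, so on a host where the distribution shipped a different default comment the edit does nothing, and that is exactly the case this script catches.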

On the local machine (see the next section for cilium.yaml)

# setup ssh
cat << EOF > ~/.ssh/config

Host medea
    Hostname 65.21.73.144
    # Hostname 2a01:4f9:3b:4e2f::2
    User root
    IdentityFile ~/.ssh/id_ed25519
EOF

ssh-copy-id -i ~/.ssh/id_ecdsa_sk medea
ssh-copy-id -i ~/.ssh/id_ed25519_sk medea

# get kubeconfig (cluster-admin credentials)
rsync -P medea:/etc/kubernetes/admin.conf ~/.config/kube/config

# allow workloads on my single node
kubectl taint nodes --all node-role.kubernetes.io/master-

# networking
kubectl apply -f cilium.yaml

cilium

I want some control over the k8s network settings, specifically the address ranges used and running without kube-proxy. So I render the cilium helm chart instead of applying a stock manifest; make sure you read the cilium docs carefully to work out every setting you need to enable for that combination.

helm template cilium cilium/cilium \
    --version 1.9.6 \
    --namespace kube-system \
    --set kubeProxyReplacement=strict \
    --set k8sServiceHost=65.21.73.144 \
    --set k8sServicePort=6443 \
    --set operator.replicas=1 \
    --set hostServices.enabled=true \
    --set endpointRoutes.enabled=true \
    --set ipam.mode=cluster-pool \
    --set ipam.operator.clusterPoolIPv4MaskSize=24 \
    --set ipam.operator.clusterPoolIPv4PodCIDR=10.244.0.0/16 \
    --set tunnel=disabled \
    --set autoDirectNodeRoutes=true \
    --set nativeRoutingCIDR=10.244.0.0/15 \
    > cilium.yaml
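Because the chart only honours values it knows about, a mistyped `--set` key renders cleanly and leaves the agent running in its default mode (kube-proxy replacement off, tunnel on), which on a kube-proxy-less cluster means no service traffic at all. The script below is an added example, not part of the post or of the Cilium project: it extracts the `cilium-config` ConfigMap from the rendered file and compares a handful of keys with the values the flags above were meant to produce. The ConfigMap key names (`kube-proxy-replacement`, `tunnel`, `auto-direct-node-routes`, `native-routing-cidr`, `cluster-pool-ipv4-cidr`) are my assumption about what the 1.9.x chart emits; the embedded manifest is a constructed sample for testing, not real helm output.

```shell
#!/bin/sh
# Added example: check the rendered cilium.yaml before `kubectl apply`.
# Returns the number of settings that do not match what the helm flags asked for.
check_cilium_manifest() {
    file=$1
    fails=0

    # Keep only the data: block of the ConfigMap whose metadata.name is
    # cilium-config. A Deployment that mounts the ConfigMap also mentions the
    # name, but at deeper indentation, so the two-space anchor excludes it.
    cfg=$(awk '
        /^---/                    { hit=0; indata=0 }
        /^  name: cilium-config$/ { hit=1 }
        hit && /^data:/           { indata=1; next }
        indata && /^  [^ ]/       { print; next }
        indata && /^[^ ]/         { indata=0; hit=0 }
    ' "$file")

    # Expected key=value pairs; assumed key names for the 1.9.x chart.
    for want in \
        "kube-proxy-replacement=strict" \
        "tunnel=disabled" \
        "auto-direct-node-routes=true" \
        "native-routing-cidr=10.244.0.0/15" \
        "cluster-pool-ipv4-cidr=10.244.0.0/16"; do
        key=${want%%=*}
        val=${want#*=}
        # values may be quoted in YAML ("true"); strip the quotes before comparing
        got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == (k ":") { v=$2; gsub(/"/, "", v); print v }')
        if [ "$got" = "$val" ]; then
            echo "ok:   $key: $got"
        else
            echo "FAIL: $key is '${got:-unset}', want $val"; fails=$((fails+1))
        fi
    done

    return "$fails"
}

# Constructed sample of what the relevant part of a rendered file looks like;
# not real helm output, only here so the check can be exercised offline.
SAMPLE_MANIFEST='---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-config
  namespace: kube-system
data:
  kube-proxy-replacement: strict
  tunnel: disabled
  auto-direct-node-routes: "true"
  native-routing-cidr: 10.244.0.0/15
  cluster-pool-ipv4-cidr: "10.244.0.0/16"
  ipam: cluster-pool
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cilium-operator
  namespace: kube-system
spec:
  template:
    spec:
      volumes:
        - name: cilium-config-path
          configMap:
            name: cilium-config
'

# usage: sh check-cilium.sh cilium.yaml
if [ "$#" -gt 0 ]; then
    check_cilium_manifest "$1"
fi
```

Run it against the real cilium.yaml after `helm template`; a non-zero exit means at least one `--set` did not land where you expected, and the printed line names the key so you can grep the rendered file for it.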