This note documents the set-up of a k8s cluster from scratch, including ingress and load-balanced TLS support for web applications. It’s mainly for myself to revisit and reference later on. The result of this note is not (quite) production-grade, and additional features (e.g. firewalls/logging/backups) should be enabled to improve its robustness.
Several cloud providers offer managed k8s services (including Amazon EKS, GKE, Digital Ocean, etc.). Whilst these would be recommended for sensitive or production workloads, I wanted to create my own provider-independent cluster in order to understand the ins and outs.
Infrastructure
Create the underlying infrastructure for the cluster by provisioning at least two new instances - all with at least 2GB memory and 2 CPUs. I used the latest Ubuntu LTS.
One of the new instances (kube1) will be the “control” node, and the others (kube2+) will be the “worker” nodes. In this scenario the “control plane” is made up of just one node - kube1.
In larger clusters the control plane can be made to be highly available by using multiple control nodes in different availability zones.
Enable private networking between the nodes and ensure they can all access the internet using a public IP or through another interface (e.g. a NAT). If you use firewalls ensure the nodes can communicate with each other via their private IPs.
Dependencies
On all nodes (control and workers), install Docker and k8s binaries:
- Add Google apt keys:
wget -qO - https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add - - Add Google repo:
add-apt-repository ‘deb http://apt.kubernetes.io/ kubernetes-bionic main' - Update local repos:
apt update - Install docker.io, kubelet, and kubeadm:
apt install docker.io kubelet kubeadm
On the control node only (kube1) also:
- Install kubectl:
apt install kubectl
Set-up the cluster
On the control node (kube1) prepare the cluster:
- As root, initialise the cluster:
kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=10.131.106.38- Replace apiserver-advertise-address with the private IP for the master node
- Setting
--pod-network-cidrallows Flannel (the CNI plugin we’re using here) to later allocate IP addresses to pods in your cluster from this range
- Create a new user to manage kubernetes:
useradd kubeuser - Create a new
.kubedirectory:mkdir /home/kubeuser/.kube && chown kubeuser:kubeuser /home/kubeuser/.kube - Copy in the default config file:
cp /etc/kubernetes/admin.conf /home/kubeuser/.kube/config && chown kubeuser:kubeuser /home/kubeuser/.kube/config - As the kubeuser user, install the Flannel network fabric by apply the appropriate YAML:
kubectl apply -f kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml - Finally, back as root, get and copy the kubernetes join command:
kubeadm token create --print-join-command
Now join the worker nodes to the new cluster:
- As root, copy and paste and run the output from the last command on the control node on each worker node.
After a few minutes kubectl get nodes (as the kubeuser user on the control node) should list the other nodes in the cluster.
From now on, all kubectl commands should be issued by kubeuser on the control node, and all kubeadm commands by root on the control or worker nodes.
At this point you have a working cluster ready to create pods, deployments and services. The next sections go on to set up the cluster to allow exposing, securing, and load-balancing services for access from outside the cluster.
Install Helm
It’s a good idea to install Helm (a good way to install more complex packages and services on your cluster) according to the official website.
Load-balancing and ingress
We’re now ready to route external traffic to the cluster.
Create a load balancer
Use your provider’s load balancer service (or create your own load balancer using a reverse-proxy like Nginx) and make a note of the IP address (or host name) of the load balancer server. Add your kubernetes worker nodes to your load balancer’s distribution group.
If you have a domain name you want to associate with a service on your cluster, update your DNS settings to point the domain to the load balancer.
Next install the nginx-ingress k8s ingress controller via Helm (inserting the IP address of your load balancer).
helm install nginx-ingress stable/nginx-ingress \
--set controller.replicaCount=2 \
--set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
--set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
--set controller.service.loadBalancerIP=“<LOAD BALANCER IP>”
Check the services (kubectl get services) now running and note the HTTP/HTTPS ports used by the new ingress controller. Update your load balancer to use these ports as the forwarding ports in the load balancer settings (e.g. 80 -> 32345, 443 -> 31454).
Finally create an ingress resource for the domain/service by applying the following (replacing the relevant details for your domain name (host) and the service name and port requests should be routed to).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: primary-ingress
annotations:
kubernetes.io/ingress.class: nginx
spec:
rules:
- host: <DOMAIN>
http:
paths:
- backend:
serviceName: <SERVICE NAME>
servicePort: <SERVIE PORT>
- http:
paths:
- backend:
serviceName: nginx # this is default
servicePort: 80
This ingress forwards all requests to the host <DOMAIN> through to <SERVICE NAME> on <SERVICE PORT>. All non-matched requests (i.e. to other domains) will be sent to the default backend - in this case a simple nginx service that returns 200 response codes (this is important to ensure load balancer health-checks pass).
Visiting <DOMAIN> in your web browser should now enable you to reach the service.
Securing your ingress
Currently the ingress we created only accepts traffic over HTTP on port 80. To secure traffic (i.e. use HTTPS to access services), either terminate TLS at your load balancer and add relevant certificates there, or allow your cluster to handle the TLS connection, as described below.
You can add HTTPS for services you want to expose through your load balancer. To begin, ensure that the domain is pointing to your load balancer (as above), and that you can reach your service through the load balancer using your domain name. Finally ensure that port 443 traffic to your load balancer is routed to the HTTPS port of the ingress controller service.
We use cert-manager to automatically manage certificates for us through LetsEncrypt. Install cert-manager:
- Create a new namespace:
kubectl create namespace cert-manager - Apply the needed definitions:
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.13.0/cert-manager.yaml - Verify pods come online (the
webhookone may take longer):kubectl get pods --namespace cert-manager
Once installed, cert-manager is formed from Issuer objects (determines how and where certificates should be issued from) and Certificate objects (determines the Secrets which contain the certificate values - these can be autorenewed by cert-manager).
First, create an issuer that uses letsencrypt’s production ACME service:
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: letsencrypt-prod
namespace: default
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: <YOUR EMAIL>
privateKeySecretRef:
name: letsencrypt-prod
solvers:
# An empty 'selector' means that this solver matches all domains
- selector: {}
http01:
ingress:
class: nginx
Next, create a certificate that uses this issuer:
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: certificate-prod
namespace: default
spec:
secretName: domain-tls
issuerRef:
name: letsencrypt-prod
commonName: <DOMAIN>
dnsNames:
- <OTHER DOMAINS>
Finally, update the ingress we created earlier to add a tls section that references the secret created by the Certificate:
...
spec:
tls:
- hosts:
- <DOMAIN>
secretName: domain-tls
rules:
- host: <DOMAIN>
http: ...
After a few seconds your certificate should be issued and your service will be available via HTTPS through the load balancer.