This demonstration uses Ubuntu 20.04. A bastion host with internet access downloads the required packages and image tar files, which are then transferred to the air-gapped systems.
*Bastion System ==> (Master Node + Worker Node)*
On bastion system
Step 1 - Add the Kubernetes APT repository and the GPG key that APT uses to verify its packages.
sudo mkdir -p -m 755 /etc/apt/keyrings   # the keyrings directory does not exist by default on Ubuntu 20.04
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key \
  | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' \
  | sudo tee /etc/apt/sources.list.d/kubernetes.list
Step 2 - Confirm the full package version with the following command and store it in a variable -
sudo apt list kubelet
K8S_VERSION=1.29.15-1.1
Step 3 - Update the APT package index and download (without installing) the version-pinned Kubernetes packages -
- kubelet
- kubeadm
- kubectl
sudo apt update
sudo apt install --download-only kubelet=$K8S_VERSION kubeadm=$K8S_VERSION kubectl=$K8S_VERSION
# the downloaded .deb files land in /var/cache/apt/archives/
Step 4 - We also need the container runtime, containerd, but its prerequisites must be downloaded and installed first. These are the packages involved and the command to list their versions -
- conntrack
- ethtool
- runc
- cri-tools
- containerd
sudo apt list containerd cri-tools runc conntrack ethtool
runc_1.2.5-0ubuntu1
cri-tools_1.29.0-1.1_amd64.deb
containerd_1.7.27-0ubuntu1
conntrack/focal,now 1:1.4.5-2
ethtool/focal,now 1:5.4-1
Step 5 - Now we need a networking solution between the pods. We will use Calico for this demo. Its manifest YAML and its images (saved as tar files) need to be downloaded and transferred.
curl -O https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico.yaml
Extract the image list from the manifest -
grep 'image:' calico.yaml | awk '{print $2}' | sort | uniq
For example -
docker.io/calico/cni:v3.27.0
docker.io/calico/kube-controllers:v3.27.0
docker.io/calico/node:v3.27.0
Step 6 - Download the core Kubernetes images as well -
Either run the following command on any system or refer to the list below it -
kubeadm config images list --kubernetes-version=v1.29.0
registry.k8s.io/kube-apiserver:v1.29.0
registry.k8s.io/kube-controller-manager:v1.29.0
registry.k8s.io/kube-scheduler:v1.29.0
registry.k8s.io/kube-proxy:v1.29.0
registry.k8s.io/pause:3.9
registry.k8s.io/etcd:3.5.10-0
registry.k8s.io/coredns/coredns:v1.11.1
Step 7 - Use the following commands to save each image as a tar file (one example shown) -
docker pull registry.k8s.io/kube-apiserver:v1.29.0   # the image must be present locally before it can be saved
docker save -o kube-api-server.tar registry.k8s.io/kube-apiserver:v1.29.0
Step 8 - Create a folder on the bastion and place all the YAMLs, image tars and .deb files in it.
01. conntrack.deb
02. ethtool.deb
03. cri-tools.deb
04. kubeadm.deb
05. kubelet.deb
06. kubectl.deb
07. calico.yaml
08. docker.io/calico/cni:v3.27.0
09. docker.io/calico/kube-controllers:v3.27.0
10. docker.io/calico/node:v3.27.0
11. registry.k8s.io/kube-apiserver:v1.29.0
12. registry.k8s.io/kube-controller-manager:v1.29.0
13. registry.k8s.io/kube-scheduler:v1.29.0
14. registry.k8s.io/kube-proxy:v1.29.0
15. registry.k8s.io/pause:3.9
16. registry.k8s.io/etcd:3.5.10-0
17. registry.k8s.io/coredns/coredns:v1.11.1
18. kubernetes-cni_1.3.0-1.1_amd64.deb
19. containerd
20. runc_1.2.5-0ubuntu1
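The bastion side of Steps 5 to 8 as one script, added here as an example and not code from the original post: it collects the image list, saves each image under the tar naming scheme the post uses in Step 14, and writes a SHA256SUMS file so the air-gapped side can check the bundle before importing it. It assumes docker and kubeadm are installed on the bastion; the bundle directory name is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: build the image bundle on
# the bastion host and record SHA-256 sums so the air-gapped side can verify
# every tar before importing it. Assumes docker and kubeadm on the bastion.
set -eu

# Map an image reference to the tar name the post uses in Step 14:
# '/' and ':' become '_', so registry.k8s.io/kube-apiserver:v1.29.0
# becomes registry.k8s.io_kube-apiserver_v1.29.0.tar
tar_name_for() {
  printf '%s.tar\n' "$(printf '%s' "$1" | tr '/:' '__')"
}

# Images referenced by the calico manifest (Step 5), de-duplicated.
calico_images() {
  grep 'image:' "$1" | awk '{print $2}' | sort -u
}

# Everything the cluster needs: kubeadm core images for the pinned version
# (Step 6) plus the calico images.
list_images() {
  kubeadm config images list --kubernetes-version="$1"
  calico_images "$2"
}

# Read image refs from stdin, pull and save each one under the Step 14 naming
# scheme, and record its SHA-256 in <bundle_dir>/SHA256SUMS.
bundle_images() {
  bundle_dir="$1"
  mkdir -p "$bundle_dir"
  : > "$bundle_dir/SHA256SUMS"
  sort -u | while read -r image; do
    [ -n "$image" ] || continue
    tar="$(tar_name_for "$image")"
    docker pull "$image"
    docker save -o "$bundle_dir/$tar" "$image"
    (cd "$bundle_dir" && sha256sum "$tar" >> SHA256SUMS)
  done
}

# Usage on the bastion (version and manifest path as in the post; the
# bundle directory is a placeholder):
#   list_images v1.29.0 calico.yaml | bundle_images ./k8s-bundle
```

Copy the whole bundle directory, SHA256SUMS included, to each air-gapped node.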
On Master Node
Step 9 - Install conntrack, runc, cri-tools and ethtool first, before installing containerd and then kubeadm, kubectl and kubelet -
sudo dpkg -i conntrack.deb runc_1.2.5-0ubuntu1.deb cri-tools.deb ethtool.deb
Step 10 - Now install containerd -
sudo dpkg -i containerd.deb
Step 11 - Once installed, containerd will not work for kubeadm with the configuration shipped by the package. Generate a full default configuration and enable the systemd cgroup driver, which is the driver kubeadm configures for the kubelet (the two must match) -
sudo mkdir -p /etc/containerd
containerd config default | sudo tee /etc/containerd/config.toml > /dev/null
sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
sudo systemctl restart containerd
Step 12 - Installing kubeadm, kubelet and kubectl on the master node now.
sudo dpkg -i kubeadm.deb kubelet.deb kubectl.deb
Step 13 - Now we need to tune the system configuration before initializing the control plane so that the kubeadm pre-flight checks do not fail.
# br_netfilter must be loaded, otherwise the bridge-nf-call-* keys below do not exist
sudo tee /etc/modules-load.d/k8s.conf <<EOF
overlay
br_netfilter
EOF
sudo modprobe overlay
sudo modprobe br_netfilter
sudo tee /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
# Apply settings
sudo sysctl --system
sudo sysctl -w net.ipv4.ip_forward=1
# kubelet refuses to start with swap enabled: turn it off now and keep it off across reboots
sudo swapoff -a
sudo sed -i '/ swap / s/^/#/' /etc/fstab
Step 14 - Import all the tar files we shipped to this air-gapped system into containerd's k8s.io namespace, which is where the kubelet looks for images (one shown as an example) -
sudo ctr -n k8s.io images import registry.k8s.io_kube-controller-manager_v1.29.0.tar
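The node side of Step 14, added here as an example and not code from the original post: it checks the bundle's SHA256SUMS before any tar touches containerd, imports every listed tar into the k8s.io namespace, and lists what containerd holds afterwards so it can be compared with the Step 5 and Step 6 image lists. It assumes the bundle layout described above (a SHA256SUMS file plus one tar per image, named with `/` and `:` replaced by `_`); the bundle path is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: on the air-gapped node,
# verify the bundle's SHA256SUMS before importing anything into containerd's
# k8s.io namespace, then list what containerd actually holds. Assumes the
# bundle layout from the bastion: <dir>/SHA256SUMS plus one
# <image ref with '/' and ':' replaced by '_'>.tar per image.
set -eu

# Fail (non-zero) on any mismatched or missing tar, so a tampered or truncated
# transfer never reaches containerd.
verify_bundle() {
  bundle_dir="$1"
  [ -f "$bundle_dir/SHA256SUMS" ] \
    || { echo "no SHA256SUMS in $bundle_dir" >&2; return 1; }
  (cd "$bundle_dir" && sha256sum -c SHA256SUMS >/dev/null) \
    || { echo "checksum mismatch in $bundle_dir, refusing to import" >&2; return 1; }
}

# Import every listed tar only after verification passes. CTR can be overridden
# (e.g. CTR="echo ctr" for a dry run); the default matches Step 14.
import_bundle() {
  bundle_dir="$1"
  ctr_cmd="${CTR:-sudo ctr}"
  verify_bundle "$bundle_dir" || return 1
  awk '{print $2}' "$bundle_dir/SHA256SUMS" | while read -r tar; do
    $ctr_cmd -n k8s.io images import "$bundle_dir/$tar"
  done
}

# Image refs containerd now has in the k8s.io namespace, one per line; compare
# against the Step 5 and Step 6 lists before running kubeadm init.
imported_images() {
  ctr_cmd="${CTR:-sudo ctr}"
  $ctr_cmd -n k8s.io images ls -q
}

# Usage on the node, after copying the bundle over (path is a placeholder):
#   import_bundle /opt/k8s-bundle && imported_images
```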
Step 15 - All pre-requisite checks are done and we can initialize the control plane -
# note: the pod network CIDR must not overlap the node network; 192.168.56.101 lies inside 192.168.0.0/16, so pick a non-overlapping pod CIDR (and adjust the calico manifest accordingly) if your nodes use 192.168.x.x addresses
sudo kubeadm init --pod-network-cidr=192.168.0.0/16 \
  --kubernetes-version=1.29.0 \
  --apiserver-advertise-address=192.168.56.101
Wait about 2-5 minutes for the initialization to finish and save the output for later use (it contains the join command needed in Step 19).
Step 16 - To start using your cluster, you need to run the following as a regular user -
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
Run the following command to check the status of the cluster -
kubectl get po -A
Step 17 - Install the networking plugin to bring the cluster to a healthy state -
Run the following command to check the pods and node status -
kubectl get po -A
kubectl get no
You might see that coredns and kube-proxy are crashing! To fix this, we need to apply the Calico manifest from the master node; it creates a DaemonSet that runs on the master node as well as all worker nodes, so the Calico images must have been imported (Step 14) on every node.
Assuming the Calico images are already imported into containerd's k8s.io namespace with ctr:
kubectl apply -f calico.yaml
Once done, wait 2-5 minutes and keep watching the pods on the master node. All the pods will come up and running, and the node will move to Ready status; worker nodes will show Ready once they join in Step 19.
On Worker Node
Step 18 - Repeat Steps 9 to 14 on the worker node.
Step 19 - Once the above step is done, run the command shown in the output of Step 15 to join the cluster (the one below is from this demo) -
sudo kubeadm join 192.168.56.101:6443 --token x06cy2.9tuuzcb0jswvmk6q \
  --discovery-token-ca-cert-hash sha256:d0e20c6b3078b9528441cb4e3...