
Document the usage of provider-kubeadm

Open • ci-robbot opened this issue 7 months ago • 1 comment

This issue is to document the usage of provider-kubeadm. The cloud config example provided is for a single node cluster (role: init) with Kubernetes version 1.30.0. The example includes the necessary configuration for the API server, controller manager, DNS, etcd, networking, and kubelet.

Cloud Config Example

#cloud-config
install:
  device: auto
  auto: true
  reboot: true
cluster:
  cluster_token: "random_token"
  control_plane_host: "1.1.1.1"
  role: init
  config: |
    clusterConfiguration:
      apiServer:
        extraArgs:
          advertise-address: 0.0.0.0
          anonymous-auth: "true"
          audit-log-maxage: "30"
          audit-log-maxbackup: "10"
          audit-log-maxsize: "100"
          audit-log-path: /var/log/apiserver/audit.log
          authorization-mode: RBAC,Node
          default-not-ready-toleration-seconds: "60"
          default-unreachable-toleration-seconds: "60"
          disable-admission-plugins: AlwaysAdmit
          enable-admission-plugins: AlwaysPullImages,NamespaceLifecycle,ServiceAccount,NodeRestriction
          profiling: "false"
          secure-port: "6443"
          tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        extraVolumes:
        - hostPath: /var/log/apiserver
          mountPath: /var/log/apiserver
          name: audit-log
          pathType: DirectoryOrCreate
        timeoutForControlPlane: 10m0s
      controllerManager:
        extraArgs:
          feature-gates: RotateKubeletServerCertificate=true
          profiling: "false"
          terminated-pod-gc-threshold: "25"
          use-service-account-credentials: "true"
      dns: {}
      etcd:
        local:
          dataDir: /etc/kubernetes/etcd
          extraArgs:
            listen-client-urls: https://0.0.0.0:2379
            max-snapshots: "12"
            snapshot-count: "50000"
      kubernetesVersion: v1.30.0
      networking:
        podSubnet: 192.168.0.0/16
        serviceSubnet: 192.169.0.0/16
      scheduler:
        extraArgs:
          profiling: "false"
    initConfiguration:
      localAPIEndpoint: {}
      nodeRegistration:
        kubeletExtraArgs:
          event-qps: "0"
          feature-gates: RotateKubeletServerCertificate=true
          protect-kernel-defaults: "true"
          read-only-port: "0"
          tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        taints: null
    joinConfiguration:
      discovery: {}
      nodeRegistration:
        kubeletExtraArgs:
          event-qps: "0"
          feature-gates: RotateKubeletServerCertificate=true
          protect-kernel-defaults: "true"
          read-only-port: "0"
          tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
        taints: null
    kubeletConfiguration:
      authentication:
        anonymous: {}
        webhook:
          cacheTTL: 0s
        x509: {}
      authorization:
        webhook:
          cacheAuthorizedTTL: 0s
          cacheUnauthorizedTTL: 0s
      cpuManagerReconcilePeriod: 0s
      evictionPressureTransitionPeriod: 0s
      fileCheckFrequency: 0s
      httpCheckFrequency: 0s
      imageMinimumGCAge: 0s
      logging:
        flushFrequency: 0
        options:
          json:
            infoBufferSize: "0"
        verbosity: 0
      memorySwap: {}
      nodeStatusReportFrequency: 0s
      nodeStatusUpdateFrequency: 0s
      runtimeRequestTimeout: 0s
      shutdownGracePeriod: 0s
      shutdownGracePeriodCriticalPods: 0s
      streamingConnectionIdleTimeout: 0s
      syncFrequency: 0s
      volumeStatsAggPeriod: 0s
stages:
  initramfs:
    - users:
        kairos:
          groups:
            - sudo
          passwd: kairos
    - commands:
        - ln -s /etc/kubernetes/admin.conf /run/kubeconfig
        - mkdir -p /etc/kubernetes/manifests
      files:
        - path: /etc/hosts
          permissions: "0644"
          content: |
            127.0.0.1 localhost
          encoding: ""
          ownerstring: ""
      sysctl:
        kernel.panic: "10"
        kernel.panic_on_oops: "1"
        vm.overcommit_memory: "1"
      name: pre-kubeadm

Building the Image

The image is being built in the following way:

  • Dockerfile: Link
  • Building the provider binary: Link

Acceptance Criteria

  • The cloud config example is documented and tested for a single node cluster.
  • The Dockerfile and Earthfile links are included and verified.
  • The document is clear and easy to follow.

ci-robbot • Apr 14 '25 14:04

@mauromorales have a look into this

mauromorales • May 05 '25 09:05

Also a minimal version of the config required is here https://github.com/jimmykarily/kamaji-demo/blob/8726857bb209dc1b7707eda08c9e379fa4fb1bee/config.yaml.tmpl#L31

mudler • Jul 07 '25 09:07