I have been in DevOps related jobs for past 6 years dealing mainly with Kubernetes in AWS and on-premise as well. I spent quite a lot …
Lima
# Deploy kubernetes via kubeadm.
# $ limactl start ./k8s.yaml
# $ limactl shell k8s sudo kubectl
# It can be accessed from the host by exporting the kubeconfig file;
# the ports are already forwarded automatically by lima:
#
# $ export KUBECONFIG=$PWD/kubeconfig.yaml
# $ limactl shell k8s sudo cat /etc/kubernetes/admin.conf >$KUBECONFIG
# $ kubectl get no
# NAME STATUS ROLES AGE VERSION
# lima-k8s Ready control-plane,master 44s v1.22.3
# This example requires Lima v0.7.0 or later.
images:
# Image is set to focal (20.04 LTS) for long-term stability
# Hint: run `limactl prune` to invalidate the "current" cache
- location: "https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img"
arch: "x86_64"
- location: "https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-arm64.img"
arch: "aarch64"
# Mounts are disabled in this example, but can be enabled optionally.
mounts: []
containerd:
system: true
user: false
# See https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/
provision:
- mode: system
script: |
#!/bin/bash
set -eux -o pipefail
command -v kubectl >/dev/null 2>&1 && exit 0
# Installing kubeadm on your hosts
cat <<EOF | sudo tee /usr/local/share/ca-certificates/proxy.crt
-----BEGIN CERTIFICATE-----
MI..............................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
....................................................................
..........................................Z6Lg==
-----END CERTIFICATE-----
EOF
update-ca-certificates
cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF
modprobe overlay
modprobe br_netfilter
cat <<EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
sysctl --system
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y apt-transport-https ca-certificates curl
curl -kfsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
cat <<'EOF' > /etc/apt/apt.conf.d/99xk8s
Acquire::https::packages.cloud.google.com::Verify-Peer "false";
Acquire::https::apt.kubernetes.io::Verify-Peer "false";
Acquire::https::packages.cloud.google.com::Verify-Host "false";
Acquire::https::apt.kubernetes.io::Verify-Host "false";
EOF
apt-get update
# cri-tools
apt-get install -y cri-tools
cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
EOF
# cni-plugins
apt-get install -y kubernetes-cni
rm -f /etc/cni/net.d/*.conf*
apt-get install -y kubelet kubeadm kubectl && apt-mark hold kubelet kubeadm kubectl
systemctl enable --now kubelet
- mode: system
script: |
#!/bin/bash
set -eux -o pipefail
test -e /etc/kubernetes/admin.conf && exit 0
export KUBECONFIG=/etc/kubernetes/admin.conf
kubeadm config images list
kubeadm config images pull
# Initializing your control-plane node
kubeadm init --cri-socket=/run/containerd/containerd.sock --pod-network-cidr=10.244.0.0/16 --apiserver-cert-extra-sans 127.0.0.1
# Installing a Pod network add-on
kubectl apply -f https://raw.githubusercontent.com/flannel-io/flannel/v0.14.0/Documentation/kube-flannel.yml
# Control plane node isolation
kubectl taint nodes --all node-role.kubernetes.io/master-
sed -e "s/${LIMA_CIDATA_SLIRP_IP_ADDRESS:-192.168.5.15}/127.0.0.1/" -i $KUBECONFIG
mkdir -p ${HOME:-/root}/.kube && cp -f $KUBECONFIG ${HOME:-/root}/.kube/config
probes:
- description: "kubectl to be installed"
script: |
#!/bin/bash
set -eux -o pipefail
if ! timeout 30s bash -c "until command -v kubectl >/dev/null 2>&1; do sleep 3; done"; then
echo >&2 "kubectl is not installed yet"
exit 1
fi
hint: |
See "/var/log/cloud-init-output.log". in the guest
- description: "kubeadm to be completed"
script: |
#!/bin/bash
set -eux -o pipefail
if ! timeout 300s bash -c "until test -f /etc/kubernetes/admin.conf; do sleep 3; done"; then
echo >&2 "k8s is not running yet"
exit 1
fi
hint: |
The k8s kubeconfig file has not yet been created.
- description: "kubernetes cluster to be running"
script: |
#!/bin/bash
set -eux -o pipefail
if ! timeout 300s bash -c "until sudo kubectl version >/dev/null 2>&1; do sleep 3; done"; then
echo >&2 "kubernetes cluster is not up and running yet"
exit 1
fi
message: |
To run `kubectl` on the host (assumes kubectl is installed):
$ mkdir -p "{{.Dir}}/conf"
$ export KUBECONFIG="{{.Dir}}/conf/kubeconfig.yaml"
$ limactl shell {{.Name}} sudo cat /etc/kubernetes/admin.conf >$KUBECONFIG
$ kubectl ...
SSH access lima k8s via NodePort and SSH tunnel
limactl show-ssh k8s
...
# Create SSH tunnel to NodPort
ssh -L8080:127.0.0.1:30222 -o IdentityFile="/Users/username/.lima/_config/user" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o NoHostAuthenticationForLocalhost=yes -o GSSAPIAuthentication=no -o PreferredAuthentications=publickey -o Compression=no -o BatchMode=yes -o IdentitiesOnly=yes -o Ciphers="^aes128-gcm@openssh.com,aes256-gcm@openssh.com" -o User=username -o ControlMaster=auto -o ControlPath="/Users/username/.lima/k8s/ssh.sock" -o ControlPersist=5m -o Hostname=127.0.0.1 -o Port=58444 lima-k8s
Assign some more permissions to see something in Kubernetes Dashboard
k -n kubernetes-dashboard create rolebinding insecure-kubernetes-dashboard --serviceaccount kubernetes-dashboard:kubernetes-dashboard --clusterrole view -oyaml --dry-run=client
k -n kubernetes-dashboard create rolebinding insecure-kubernetes-dashboard --serviceaccount kubernetes-dashboard:kubernetes-dashboard --clusterrole view
rolebinding.rbac.authorization.k8s.io/insecure-kubernetes-dashboard created
Interesting dashboard arguments
https://github.com/kubernetes/dashboard/blob/master/docs/common/dashboard-arguments.md