Lima
lima
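---
# Deploy kubernetes via kubeadm.
# $ limactl start ./k8s.yaml
# $ limactl shell k8s sudo kubectl
# It can be accessed from the host by exporting the kubeconfig file;
# the ports are already forwarded automatically by lima:
#
# $ export KUBECONFIG=$PWD/kubeconfig.yaml
# $ limactl shell k8s sudo cat /etc/kubernetes/admin.conf >$KUBECONFIG
# $ kubectl get no
# NAME       STATUS   ROLES                  AGE   VERSION
# lima-k8s   Ready    control-plane,master   44s   v1.22.3
# This example requires Lima v0.7.0 or later.
#
# Security note: /etc/kubernetes/admin.conf is a cluster-admin credential.
# Anything on the host that can read the exported copy, or reach the
# forwarded API server port, has full control of the cluster.
images:
  # Image is set to focal (20.04 LTS) for long-term stability
  # Hint: run `limactl prune` to invalidate the "current" cache
  # NOTE(review): "current" is a moving target and no checksum is given, so
  # the guest boots whatever the mirror serves at start time. For a
  # reproducible, attestable base, pin a dated release and add a `digest:`
  # entry if your Lima version supports it.
  - location: "https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img"
    arch: "x86_64"
  - location: "https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-arm64.img"
    arch: "aarch64"
# Mounts are disabled in this example, but can be enabled optionally.
# (No host directory is exposed to the guest, which also keeps a compromised
# pod from reaching host files.)
mounts: []
containerd:
  system: true
  user: false
# See https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/
provision:
  # Step 1: kernel/sysctl prerequisites, container runtime wiring and the
  # kubeadm packages. Runs as root (mode: system), so no sudo is needed.
  # Idempotent: exits early once kubectl is present.
  # The block scalar starts directly with the shebang so it is honoured.
  - mode: system
    script: |
      #!/bin/bash
      set -eux -o pipefail
      command -v kubectl >/dev/null 2>&1 && exit 0
      # Installing kubeadm on your hosts
      #
      # Trust the CA of the outbound TLS-intercepting proxy so that curl and
      # apt can verify the certificates it presents. A CA in the system store
      # can impersonate ANY site to this guest: only install it if you really
      # sit behind such a proxy; otherwise delete this block and keep the
      # default trust store.
      cat <<'CERTIFICATE_EOF' | tee /usr/local/share/ca-certificates/proxy.crt
      -----BEGIN CERTIFICATE-----
      MI..............................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      ................................................................
      -----END CERTIFICATE-----
      CERTIFICATE_EOF
      update-ca-certificates
      # Kernel modules required by containerd (overlayfs) and by kube-proxy /
      # CNI (bridge netfilter), loaded now and on every boot.
      cat <<EOF | tee /etc/modules-load.d/containerd.conf
      overlay
      br_netfilter
      EOF
      modprobe overlay
      modprobe br_netfilter
      # Let iptables see bridged traffic and allow forwarding between pods.
      cat <<EOF | tee /etc/sysctl.d/99-kubernetes-cri.conf
      net.bridge.bridge-nf-call-iptables  = 1
      net.ipv4.ip_forward                 = 1
      net.bridge.bridge-nf-call-ip6tables = 1
      EOF
      sysctl --system
      export DEBIAN_FRONTEND=noninteractive
      apt-get update
      apt-get install -y apt-transport-https ca-certificates curl
      # Fetch the repository signing key over VERIFIED TLS. Do not add `-k`
      # here: every later apt signature check roots in this file, so an
      # unverified download lets anyone on the path substitute the key. With
      # proxy.crt in the system store the intercepting proxy is trusted, so
      # verification succeeds without disabling it.
      curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
      echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list
      # Do NOT drop an apt.conf.d snippet setting Acquire::https::*::Verify-Peer
      # or Verify-Host to "false" for these hosts: apt uses the same system CA
      # store that update-ca-certificates just refreshed, so TLS verification
      # works through the proxy. Turning it off would reduce repository
      # integrity to the GPG check alone.
      apt-get update
      # cri-tools
      apt-get install -y cri-tools
      # Point crictl at the system containerd socket (containerd.system: true).
      cat <<EOF | tee /etc/crictl.yaml
      runtime-endpoint: unix:///run/containerd/containerd.sock
      image-endpoint: unix:///run/containerd/containerd.sock
      EOF
      # cni-plugins
      apt-get install -y kubernetes-cni
      # Remove any CNI config shipped by the package; flannel installs its own.
      rm -f /etc/cni/net.d/*.conf*
      # Hold the trio so unattended upgrades cannot skew versions mid-cluster.
      # (Versions are not pinned here; two VMs created on different days may
      # get different releases.)
      apt-get install -y kubelet kubeadm kubectl && apt-mark hold kubelet kubeadm kubectl
      systemctl enable --now kubelet
  # Step 2: bootstrap a single-node control plane. Idempotent: skipped once
  # admin.conf exists.
  - mode: system
    script: |
      #!/bin/bash
      set -eux -o pipefail
      test -e /etc/kubernetes/admin.conf && exit 0
      export KUBECONFIG=/etc/kubernetes/admin.conf
      kubeadm config images list
      kubeadm config images pull
      # Initializing your control-plane node
      # --pod-network-cidr must match the flannel manifest applied below.
      # --apiserver-cert-extra-sans 127.0.0.1 lets the host talk to the
      # API server over Lima's port forward without a certificate SAN error.
      kubeadm init --cri-socket=/run/containerd/containerd.sock --pod-network-cidr=10.244.0.0/16 --apiserver-cert-extra-sans 127.0.0.1
      # Installing a Pod network add-on
      # Pinned to a release tag. Tags are mutable; pin to a commit SHA or
      # vendor the manifest if you need a stronger supply-chain guarantee.
      kubectl apply -f https://raw.githubusercontent.com/flannel-io/flannel/v0.14.0/Documentation/kube-flannel.yml
      # Control plane node isolation
      # Untaint so workloads schedule on this single node; do not do this on
      # a multi-node cluster where the control plane should stay isolated.
      kubectl taint nodes --all node-role.kubernetes.io/master-
      # Rewrite the server address from the guest's SLIRP IP to 127.0.0.1 so
      # the exported kubeconfig works from the host through the port forward.
      sed -e "s/${LIMA_CIDATA_SLIRP_IP_ADDRESS:-192.168.5.15}/127.0.0.1/" -i $KUBECONFIG
      mkdir -p "${HOME:-/root}/.kube" && cp -f $KUBECONFIG "${HOME:-/root}/.kube/config"
probes:
  - description: "kubectl to be installed"
    script: |
      #!/bin/bash
      set -eux -o pipefail
      if ! timeout 30s bash -c "until command -v kubectl >/dev/null 2>&1; do sleep 3; done"; then
        echo >&2 "kubectl is not installed yet"
        exit 1
      fi
    hint: |
      See "/var/log/cloud-init-output.log" in the guest
  - description: "kubeadm to be completed"
    script: |
      #!/bin/bash
      set -eux -o pipefail
      if ! timeout 300s bash -c "until test -f /etc/kubernetes/admin.conf; do sleep 3; done"; then
        echo >&2 "k8s is not running yet"
        exit 1
      fi
    hint: |
      The k8s kubeconfig file has not yet been created.
  - description: "kubernetes cluster to be running"
    script: |
      #!/bin/bash
      set -eux -o pipefail
      if ! timeout 300s bash -c "until sudo kubectl version >/dev/null 2>&1; do sleep 3; done"; then
        echo >&2 "kubernetes cluster is not up and running yet"
        exit 1
      fi
message: |

  To run `kubectl` on the host (assumes kubectl is installed):
  $ mkdir -p "{{.Dir}}/conf"
  $ export KUBECONFIG="{{.Dir}}/conf/kubeconfig.yaml"
  $ limactl shell {{.Name}} sudo cat /etc/kubernetes/admin.conf >$KUBECONFIG
  $ kubectl ...
  (Treat that file as a cluster-admin secret: keep it out of version control
  and readable only by you.)
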
Accessing a NodePort service in the Lima k8s VM through an SSH tunnel
# Print the ssh options Lima uses for this instance. The options on the ssh
# command below (IdentityFile/ControlPath under ~/.lima, Port) presumably come
# from this output; regenerate them rather than reusing a stale copy.
limactl show-ssh k8s
...
# Create SSH tunnel to NodePort: host 127.0.0.1:8080 -> guest 127.0.0.1:30222.
# NOTE(review): StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null turn
# off host-key verification. That is tolerable here only because
# Hostname=127.0.0.1 is the local Lima VM; do not copy these options to a
# remote host. IdentitiesOnly=yes + PreferredAuthentications=publickey restrict
# auth to the single Lima-generated key.
ssh -L8080:127.0.0.1:30222 -o IdentityFile="/Users/username/.lima/_config/user" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o NoHostAuthenticationForLocalhost=yes -o GSSAPIAuthentication=no -o PreferredAuthentications=publickey -o Compression=no -o BatchMode=yes -o IdentitiesOnly=yes -o Ciphers="^aes128-gcm@openssh.com,aes256-gcm@openssh.com" -o User=username -o ControlMaster=auto -o ControlPath="/Users/username/.lima/k8s/ssh.sock" -o ControlPersist=5m -o Hostname=127.0.0.1 -o Port=58444 lima-k8s
Grant the Kubernetes Dashboard's own service account `view` permissions so it can display resources. This is deliberately insecure (note the binding's name) and only appropriate for a throwaway local cluster.
# `k` is presumably an alias for kubectl (not defined on this page).
# Dry-run first: render the RoleBinding as YAML without creating it.
k -n kubernetes-dashboard create rolebinding insecure-kubernetes-dashboard --serviceaccount kubernetes-dashboard:kubernetes-dashboard --clusterrole view -oyaml --dry-run=client
# Bind the `view` ClusterRole to the dashboard's own service account. Because
# this is a RoleBinding (not a ClusterRoleBinding) it applies only within the
# kubernetes-dashboard namespace. NOTE(review): any request the dashboard
# makes with its own identity inherits this access regardless of who is using
# it -- hence "insecure"; for anything beyond a local sandbox, have users log
# in with their own tokens instead.
k -n kubernetes-dashboard create rolebinding insecure-kubernetes-dashboard --serviceaccount kubernetes-dashboard:kubernetes-dashboard --clusterrole view
rolebinding.rbac.authorization.k8s.io/insecure-kubernetes-dashboard created
Dashboard command-line arguments worth reviewing before exposing it:
https://github.com/kubernetes/dashboard/blob/master/docs/common/dashboard-arguments.md
 This post is licensed under  CC BY 4.0  by the author.
