Creating Debian OS and Installing Kubernetes on GCP Platform
Creating Debian OS
After logging into the GCP platform, select on the left menu:
Compute Engine > VM Instances
Click the 'Create Instance' button at the top.
Fill in the basic instance information and configure the region, machine settings, advanced options, etc., according to your needs and budget.
Pay attention to two main points:
- Choose Debian OS for the boot disk image; if using Ubuntu OS, some commands may differ.
- Make sure to select 'Allow HTTP traffic' and 'Allow HTTPS traffic' in the firewall settings.
Click 'Create,' wait for the instance creation to complete, then click 'SSH' connection > choose 'Open in browser window' to enter the VM instance.
Next, configure local SSH connection keys; this step is optional, as you can also directly use the browser window for SSH connection.
# Note: For ease of explanation in the following steps, no password is set here. It is recommended to set a password in practice.
# <user-name> is your username.
# <server-name> is your server name.
ssh-keygen -m PEM -t rsa -f ~/.ssh/ssh-key -C <user-name>@<server-name> -b 4096
Copy the ssh-key file to your local machine, and copy the content of the ssh-key.pub file to
Compute Engine > Metadata > SSH Keys
Now, you can close the browser window connection and use SSH to connect to the GCP VM instance locally.
Open the local terminal and enter the following command to connect to the GCP VM instance:
# <user-name> is your username.
# <server-ip> is your server IP.
ssh -i ssh-key <user-name>@<server-ip>
Installing Kubernetes
# First, switch to root to execute the following commands as root.
sudo -s
# Update the apt package repository.
apt-get update
# Set up the bridge module.
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF
# Load system modules.
modprobe overlay
# Load bridge modules.
modprobe br_netfilter
# Configure Kubernetes network.
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
# Reload relevant configurations.
sysctl --system
# Update the apt package repository.
apt-get update
Kubernetes requires the installation of Container Runtime Interface (CRI) to run containers, and here we use cri-o as the CRI.
For other versions, please refer to CRI version support.
Note: If the server has previously installed Docker, unexpected errors may occur. Before installation, please ensure that important data has been backed up, and no critical containers are running on Docker.
# Set Kubernetes version.
# <version> is the version you want to install.
# Example: v1.29
KUBERNETES_VERSION=<version>
# cri-o environment variables.
PROJECT_PATH=prerelease:/main
# Download Kubernetes public key.
curl -fsSL https://pkgs.k8s.io/core:/stable:/$KUBERNETES_VERSION/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
# Add Kubernetes repository.
echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/$KUBERNETES_VERSION/deb/ /" | tee /etc/apt/sources.list.d/kubernetes.list
# Download cri-o public key.
curl -fsSL https://pkgs.k8s.io/addons:/cri-o:/$PROJECT_PATH/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/cri-o-apt-keyring.gpg
# Add cri-o repository.
echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://pkgs.k8s.io/addons:/cri-o:/$PROJECT_PATH/deb/ /" | tee /etc/apt/sources.list.d/cri-o.list
# Update the apt package repository.
apt-get update
# Install cri-o kubelet kubeadm kubectl
apt-get install -y cri-o kubelet kubeadm kubectl
# Disable kubelet automatic updates.
apt-mark hold kubelet kubeadm kubectl
# Start crio.
systemctl start crio.service
# Turn off all swap spaces in the system.
swapoff -a
# Set kubelet to start automatically.
systemctl enable kubelet
# Set crio to start automatically.
systemctl enable crio
# Start Kubernetes. The above steps are for nodes, but for nodes, this step changes to the kubeadm join command.
kubeadm init
# Switch back to the original user.
exit
# Create Kubernetes configuration directory.
mkdir -p $HOME/.kube
# Copy the configuration files.
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
# Set permissions for the original user.
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# Remove restrictions to allow the default node to join pods.
kubectl taint nodes --all node-role.kubernetes.io/control-plane-
Kubernetes requires the installation of Container Network Interface (CNI) to set up the network. Here, Cilium is used as the CNI.
For other versions, please refer to Networking and Network Policy。
# Set Cilium version.
CILIUM_CLI_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt)
# Set Cilium environment variables.
CLI_ARCH=amd64
# Confirm Cilium environment variables.
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
# Download Cilium.
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
# Verify Cilium.
sha256sum --check cilium-linux-${CLI_ARCH}.tar.gz.sha256sum
# Unzip Cilium.
sudo tar xzvfC cilium-linux-${CLI_ARCH}.tar.gz /usr/local/bin
# Remove Cilium compressed files.
rm cilium-linux-${CLI_ARCH}.tar.gz{,.sha256sum}
# Install Cilium.
# You can specify the version, for example: cilium install --version 1.15.0
cilium install
Possible Scenarios
When executing 'kubeadm init,' you may encounter the following error:
ERROR FileAvailable--etc-kubernetes-manifests-***.yaml]: /etc/kubernetes/manifests/***.yaml already exists
This is because you have previously executed 'kubeadm init'.
In this case, you can use the following command to revert the system to an uninstalled state.
kubeadm reset
Node Installation and Joining
Essentially, the process is similar to installing a Kubernetes cluster. The only difference is that the cluster uses the 'kubeadm init' command, while the node uses the 'kubeadm join' command.
After both the cluster and nodes are installed, you can configure their respective labels according to your needs for easier management.
Deploying Kubernetes Dashboard
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
After deploying the dashboard, you need to create a service account and assign roles.
# account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard
kubectl apply -f account.yaml
# role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard
kubectl apply -f role-binding.yaml
After deployment, you can use the following command to obtain the token for logging into the dashboard.
kubectl -n kubernetes-dashboard create token admin-user
You can also create a Secret to save the token for long-term use.
# secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: admin-user
namespace: kubernetes-dashboard
annotations:
kubernetes.io/service-account.name: "admin-user"
type: kubernetes.io/service-account-token
kubectl apply -f secret.yaml
After creating the Secret, use the following command to obtain the token.
kubectl get secret admin-user -n kubernetes-dashboard -o jsonpath={".data.token"} | base64 -d
Other
Kubernetes certificates have a validity period of 365 days. To renew them when approaching expiration, you can use the following commands.
# Check the certificate expiration date.
kubeadm certs check-expiration
# Backup the certificate.
cp -rp /etc/kubernetes /etc/kubernetes.bak
# Backup the configuration file.
cp ~/.kube/config ~/.kube/config.bak
# Renew all certificates.
kubeadm certs renew all
# Update the configuration file.
cp /etc/kubernetes/admin.conf ~/.kube/config
# Restart Kubernetes (Testing as of 2023.11.19, indicates that restarting may not be necessary).
systemctl restart kubelet