kubeadm stuff
# systemd-networkd profile for one node's NIC, matched by MAC address.
# The other files in this gist put pods in 10.0.0.0/14 (cut into /16 node
# CIDRs by Cilium) and services in 10.8.0.0/16; this file wires the node into
# that plan with static routes.
[Match]
MACAddress=62:55:1b:5f:f7:d6
[Network]
# Forwarding on this link; a Kubernetes node has to route pod traffic.
# NOTE(review): IPForward= in .network files is deprecated in recent systemd
# (v256 introduced IPv4Forwarding=/IPv6Forwarding= and the sysctl route);
# kubeadm preflight checks net.ipv4.ip_forward as well.
IPForward=yes
# Plain-text DNS to Quad9. If systemd-resolved does the resolving on this
# node, DNSOverTLS=yes in this section would encrypt it.
DNS=9.9.9.9
# NOTE(review): a /12 spans 10.0.0.0-10.15.255.255 and so contains the whole
# pod range (10.0.0.0/14), the service range (10.8.0.0/16) and the gateway
# below; 10.0.0.1 is also the k8sServiceHost / kubeadm join endpoint used by
# the other files. A node address inside the pod CIDR is easy to get wrong --
# confirm the overlap is intended rather than, say, a separate node subnet.
Address=10.0.0.1/12
Gateway=10.15.0.1
[Route]
# Presumably this node's own PodCIDR (the first /16 of the pool). Scope=host
# with a gateway equal to the node's own address is unusual for a prefix
# route -- confirm against what Cilium installs with autoDirectNodeRoutes.
Destination=10.0.0.0/16
Gateway=10.0.0.1
Scope=host
[Route]
# Presumably the PodCIDRs of three other nodes, each reached via a .0.1
# address inside that CIDR; GatewayOnLink lets the gateway be used without a
# covering route for it.
# NOTE(review): autoDirectNodeRoutes=true in the Cilium values installs the
# same per-node routes itself -- keep one source of truth.
Destination=10.1.0.0/16
Gateway=10.1.0.1
GatewayOnLink=yes
Scope=link
[Route]
Destination=10.2.0.0/16
Gateway=10.2.0.1
GatewayOnLink=yes
Scope=link
[Route]
Destination=10.3.0.0/16
Gateway=10.3.0.1
GatewayOnLink=yes
Scope=link
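# Cilium Helm values for a small kubeadm cluster: native routing over a shared
# L2 segment, kube-proxy replacement, L2 service announcements and the Cilium
# ingress controller. Upstream chart comments are kept verbatim; reviewer
# notes are marked NOTE(review). Nesting restored -- as a flat list of keys
# every `enabled:` would be a top-level duplicate and only the last would win.

# -- (string) Kubernetes service host
# Required with kube-proxy replacement: the agent cannot reach the API server
# through the kubernetes ClusterIP before it is itself running.
# NOTE(review): this appears to be the single control-plane node (same
# address in the networkd file and the kubeadm join command), so agents have
# no API-server redundancy; fine for a lab.
k8sServiceHost: "10.0.0.1"
# -- (string) Kubernetes service port
k8sServicePort: "6443"
# -- Enable native-routing mode or tunneling mode.
# Possible values:
# - ""
# - native
# - tunnel
# @default -- `"tunnel"`
routingMode: "native"
# -- Enable installation of PodCIDR routes between worker
# nodes if worker nodes share a common L2 network segment.
# NOTE(review): this installs per-node PodCIDR routes itself; the static
# [Route] entries in the systemd-networkd file cover the same prefixes, so
# keep one source of truth to avoid conflicting routes.
autoDirectNodeRoutes: true
# -- Annotate k8s node upon initialization with Cilium's metadata.
annotateK8sNode: true
# -- Configure L2 announcements
l2announcements:
  # -- Enable L2 announcements
  # NOTE(review): the ingress service below is type LoadBalancer; for its
  # address to be answered on the LAN this needs a CiliumLoadBalancerIPPool
  # and a CiliumL2AnnouncementPolicy, neither of which is in this gist --
  # without them the service stays <pending>. Each announced service holds
  # an API-server lease, so watch the client rate limit as services grow.
  enabled: true
  # -- If a lease is not renewed for X duration, the current leader is considered dead, a new leader is picked
  # leaseDuration: 15s
  # -- The interval at which the leader will renew the lease
  # leaseRenewDeadline: 5s
  # -- The timeout between retries if renewal fails
  # leaseRetryPeriod: 2s
# -- Configure L2 pod announcements
l2podAnnouncements:
  # -- Enable L2 pod announcements
  enabled: true
  # -- Interface used for sending Gratuitous ARP pod announcements
  # NOTE(review): hard-coded name; the networkd file matches the NIC by MAC,
  # so confirm the kernel really names it eth0 on every node (predictable
  # naming would give an enp*/ens* name and the announcements would go nowhere).
  interface: "eth0"
# -- Configure container runtime specific integration.
# Deprecated in favor of bpf.autoMount.enabled. To be removed in 1.15.
containerRuntime:
  # -- Enables specific integrations for container runtimes.
  # Supported values:
  # - crio
  # - none
  # NOTE(review): deprecated key (see above) -- drop before upgrading to 1.15.
  integration: crio
# -- Enable Kubernetes EndpointSlice feature in Cilium if the cluster supports it.
# enableK8sEndpointSlice: true
# -- Enable CiliumEndpointSlice feature.
enableCiliumEndpointSlice: false
envoyConfig:
  # -- Enable CiliumEnvoyConfig CRD
  # CiliumEnvoyConfig CRD can also be implicitly enabled by other options.
  enabled: true
  # -- SecretsNamespace is the namespace in which envoy SDS will retrieve secrets from.
  secretsNamespace:
    # -- Create secrets namespace for CiliumEnvoyConfig CRDs.
    create: true
    # -- The name of the secret namespace to which Cilium agents are given read access.
    # NOTE(review): every cilium-agent can read this namespace, and with
    # ingressController.secretsNamespace.sync below the Ingress TLS private
    # keys are copied into it. Treat it as a key store: no unrelated
    # workloads, tight RBAC, audit reads.
    name: cilium-secrets
ingressController:
  # -- Enable cilium ingress controller
  # This will automatically set enable-envoy-config as well.
  enabled: true
  # -- Set cilium ingress controller to be the default ingress controller
  # This will let cilium ingress controller route entries without ingress class set
  default: true
  # -- Default ingress load balancer mode
  # Supported values: shared, dedicated
  # For granular control, use the following annotations on the ingress resource
  # ingress.cilium.io/loadbalancer-mode: shared|dedicated,
  # NOTE(review): dedicated = one LoadBalancer service (and one L2-announced
  # address from the LB IP pool) per Ingress object.
  loadbalancerMode: dedicated
  # -- Enforce https for host having matching TLS host in Ingress.
  # Incoming traffic to http listener will return 308 http error code with respective location in header.
  enforceHttps: true
  # -- Enable proxy protocol for all Ingress listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled.
  enableProxyProtocol: false
  # -- IngressLBAnnotations are the annotation and label prefixes, which are used to filter annotations and/or labels to propagate from Ingress to the Load Balancer service
  ingressLBAnnotationPrefixes: ['service.beta.kubernetes.io', 'service.kubernetes.io', 'cloud.google.com']
  # -- Default secret namespace for ingresses without .spec.tls[].secretName set.
  defaultSecretNamespace: ~
  # -- Default secret name for ingresses without .spec.tls[].secretName set.
  defaultSecretName: ~
  # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from.
  secretsNamespace:
    # -- Create secrets namespace for Ingress.
    create: true
    # -- Name of Ingress secret namespace.
    name: cilium-secrets
    # -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name.
    # If disabled, TLS secrets must be maintained externally.
    sync: true
  # -- Load-balancer service in shared mode.
  # This is a single load-balancer service for all Ingress resources.
  service:
    # -- Service name
    name: cilium-ingress
    # -- Labels to be added for the shared LB service
    labels: {}
    # -- Annotations to be added for the shared LB service
    annotations: {}
    # -- Service type for the shared LB service
    type: LoadBalancer
    # -- Configure a specific nodePort for insecure HTTP traffic on the shared LB service
    insecureNodePort: ~
    # -- Configure a specific nodePort for secure HTTPS traffic on the shared LB service
    secureNodePort: ~
    # -- Configure a specific loadBalancerClass on the shared LB service (requires Kubernetes 1.24+)
    loadBalancerClass: ~
    # -- Configure a specific loadBalancerIP on the shared LB service
    loadBalancerIP: ~
    # -- Configure if node port allocation is required for LB service
    # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
    allocateLoadBalancerNodePorts: ~
gatewayAPI:
  # -- Enable support for Gateway API in cilium
  # This will automatically set enable-envoy-config as well.
  enabled: false
  # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from.
  secretsNamespace:
    # -- Create secrets namespace for Gateway API.
    create: true
    # -- Name of Gateway API secret namespace.
    name: cilium-secrets
    # -- Enable secret sync, which will make sure all TLS secrets used by Ingress are synced to secretsNamespace.name.
    # If disabled, TLS secrets must be maintained externally.
    sync: true
# -- Enables the fallback compatibility solution for when the xt_socket kernel
# module is missing and it is needed for the datapath L7 redirection to work
# properly. See documentation for details on when this can be disabled:
# https://docs.cilium.io/en/stable/operations/system_requirements/#linux-kernel.
enableXTSocketFallback: true
k8sNetworkPolicy:
  # -- Enable support for K8s NetworkPolicy
  enabled: true
externalIPs:
  # -- Enable ExternalIPs service support.
  enabled: false
# -- Enable connectivity health checking.
healthChecking: true
# -- TCP port for the agent health API. This is not the port for cilium-health.
healthPort: 9879
# -- Configure the host firewall.
hostFirewall:
  # -- Enables the enforcement of host policies in the eBPF datapath.
  # NOTE(review): off, so Cilium policy cannot restrict traffic to the nodes
  # themselves (kubelet, the healthz bind below, the API server on 10.0.0.1);
  # node exposure rests on whatever host firewall exists outside Cilium.
  enabled: false
hostPort:
  # -- Enable hostPort service support.
  enabled: false
# -- Configure socket LB
socketLB:
  # -- Enable socket LB
  enabled: false
  # -- Disable socket lb for non-root ns. This is used to enable Istio routing rules.
  # hostNamespaceOnly: false
hubble:
  # -- Enable Hubble (true by default).
  enabled: true
  metrics:
    dashboards:
      enabled: false
      label: grafana_dashboard
      namespace: ~
      labelValue: "1"
      annotations: {}
  # -- Unix domain socket path to listen to when Hubble is enabled.
  socketPath: /var/run/cilium/hubble.sock
  # -- Enables redacting sensitive information present in Layer 7 flows.
  # NOTE(review): with l7Proxy and the ingress controller on, Hubble L7 flow
  # records carry HTTP URLs and headers (cookies, Authorization). Only the
  # local socket exposes them while relay/ui stay disabled; turn redaction on
  # before enabling relay.
  redact:
    enabled: false
  relay:
    # -- Enable Hubble Relay (requires hubble.enabled=true)
    enabled: false
    # -- Enable prometheus metrics for hubble-relay on the configured port at
    # /metrics
    prometheus:
      enabled: false
  ui:
    # -- Whether to enable the Hubble UI.
    enabled: false
    standalone:
      # -- When true, it will allow installing the Hubble UI only, without checking dependencies.
      # It is useful if a cluster already has cilium and Hubble relay installed and you just
      # want Hubble UI to be deployed.
      # When installed via helm, installing UI should be done via `helm upgrade` and when installed via the cilium cli, then `cilium hubble enable --ui`
      enabled: false
ipam:
  # -- Configure IP Address Management mode.
  # ref: https://docs.cilium.io/en/stable/network/concepts/ipam/
  mode: "cluster-pool"
  # -- Maximum rate at which the CiliumNode custom resource is updated.
  ciliumNodeUpdateRate: "15s"
  operator:
    # -- IPv4 CIDR list range to delegate to individual nodes for IPAM.
    # NOTE(review): must equal kubeadm's networking.podSubnet (10.0.0.0/14)
    # and ipv4NativeRoutingCIDR below. A /14 cut into /16s gives exactly four
    # node CIDRs (10.0-10.3.0.0/16); a fifth node gets no PodCIDR. The
    # control-plane address 10.0.0.1 also sits inside the first node CIDR.
    clusterPoolIPv4PodCIDRList: ["10.0.0.0/14"]
    # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM.
    clusterPoolIPv4MaskSize: 16
# -- The api-rate-limit option can be used to overwrite individual settings of the default configuration for rate limiting calls to the Cilium Agent API
apiRateLimit: ~
ipv4:
  # -- Enable IPv4 support.
  enabled: true
ipv6:
  # -- Enable IPv6 support.
  enabled: false
# -- Configure the kube-proxy replacement in Cilium BPF datapath
# Valid options are "true", "false", "disabled" (deprecated), "partial" (deprecated), "strict" (deprecated).
# ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/
# NOTE(review): matches kubeadm's skipPhases addon/kube-proxy. In this mode
# the agent auto-enables NodePort, HostPort, ExternalIPs and socket LB, so
# the `enabled: false` under nodePort/hostPort/externalIPs/socketLB below is
# expected to be overridden -- check the agent's startup log rather than
# trusting those values.
kubeProxyReplacement: "true"
# -- healthz server bind address for the kube-proxy replacement.
# To enable set the value to '0.0.0.0:10256' for all ipv4
# addresses and this '[::]:10256' for all ipv6 addresses.
# By default it is disabled.
# NOTE(review): an unauthenticated healthz listener on every node interface;
# harmless by itself, but it is one more reachable node port, so restrict it
# at the host firewall unless the nodes sit on a private segment only.
kubeProxyReplacementHealthzBindAddr: "0.0.0.0:10256"
l2NeighDiscovery:
  # -- Enable L2 neighbor discovery in the agent
  enabled: true
  # -- Override the agent's default neighbor resolution refresh period.
  refreshPeriod: "30s"
# -- Enable Layer 7 network policy.
l7Proxy: true
# -- Enable Local Redirect Policy.
localRedirectPolicy: false
# -- Enables masquerading of IPv4 traffic leaving the node from endpoints.
enableIPv4Masquerade: true
egressGateway:
  # -- Enables egress gateway to redirect and SNAT the traffic that leaves the
  # cluster.
  enabled: false
  # -- Deprecated without a replacement necessary.
  installRoutes: false
  # -- Time between triggers of egress gateway state reconciliations
  reconciliationTriggerInterval: 1s
  # -- Maximum number of entries in egress gateway policy map
  # maxPolicyEntries: 16384
# -- (string) Allows to explicitly specify the IPv4 CIDR for native routing.
# When specified, Cilium assumes networking for this CIDR is preconfigured and
# hands traffic destined for that range to the Linux network stack without
# applying any SNAT.
# Generally speaking, specifying a native routing CIDR implies that Cilium can
# depend on the underlying networking stack to route packets to their
# destination. To offer a concrete example, if Cilium is configured to use
# direct routing and the Kubernetes CIDR is included in the native routing CIDR,
# the user must configure the routes to reach pods, either manually or by
# setting the auto-direct-node-routes flag.
ipv4NativeRoutingCIDR: "10.0.0.0/14"
# -- cilium-monitor sidecar.
monitor:
  # -- Enable the cilium-monitor sidecar.
  enabled: false
# -- Configure service load balancing
loadBalancer:
  # -- standalone enables the standalone L4LB which does not connect to
  # kube-apiserver.
  # standalone: false
  # -- algorithm is the name of the load balancing algorithm for backend
  # selection e.g. random or maglev
  # algorithm: random
  # -- mode is the operation mode of load balancing for remote backends
  # e.g. snat, dsr, hybrid
  # mode: snat
  # -- acceleration is the option to accelerate service handling via XDP
  # Applicable values can be: disabled (do not use XDP), native (XDP BPF
  # program is run directly out of the networking driver's early receive
  # path), or best-effort (use native mode XDP acceleration on devices
  # that support it).
  acceleration: disabled
  # -- dsrDispatch configures whether IP option or IPIP encapsulation is
  # used to pass a service IP and port to remote backend
  # dsrDispatch: opt
  # -- serviceTopology enables K8s Topology Aware Hints -based service
  # endpoints filtering
  # serviceTopology: false
  # -- L7 LoadBalancer
  l7:
    # -- Enable L7 service load balancing via envoy proxy.
    # The request to a k8s service, which has specific annotation e.g. service.cilium.io/lb-l7,
    # will be forwarded to the local backend proxy to be load balanced to the service endpoints.
    # Please refer to docs for supported annotations for more configuration.
    #
    # Applicable values:
    # - envoy: Enable L7 load balancing via envoy proxy. This will automatically set enable-envoy-config as well.
    # - disabled: Disable L7 load balancing by way of service annotation.
    backend: disabled
    # -- List of ports from service to be automatically redirected to above backend.
    # Any service exposing one of these ports will be automatically redirected.
    # Fine-grained control can be achieved by using the service annotation.
    ports: []
    # -- Default LB algorithm
    # The default LB algorithm to be used for services, which can be overridden by the
    # service annotation (e.g. service.cilium.io/lb-l7-algorithm)
    # Applicable values: round_robin, least_request, random
    algorithm: round_robin
# -- Configure N-S k8s service loadbalancing
nodePort:
  # -- Enable the Cilium NodePort service implementation.
  enabled: false
  # -- Port range to use for NodePort services.
  # range: "30000,32767"
  # -- Set to true to prevent applications binding to service ports.
  bindProtection: true
  # -- Append NodePort range to ip_local_reserved_ports if clash with ephemeral
  # ports is detected.
  autoProtectPortRange: true
  # -- Enable healthcheck nodePort server for NodePort services
  enableHealthCheck: true
  # -- Enable access of the healthcheck nodePort on the LoadBalancerIP. Needs
  # EnableHealthCheck to be enabled
  enableHealthCheckLoadBalancerIP: false
# -- Grafana dashboards for cilium-agent
# grafana can import dashboards based on the label and value
# ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
dashboards:
  enabled: false
  label: grafana_dashboard
  namespace: ~
  labelValue: "1"
  annotations: {}
etcd:
  # -- Enable etcd mode for the agent.
  enabled: false
operator:
  # -- Enable the cilium-operator component (required).
  enabled: true
  # -- Number of replicas to run for the cilium-operator deployment
  replicas: 1
  # -- Grafana dashboards for cilium-operator
  # grafana can import dashboards based on the label and value
  # ref: https://github.com/grafana/helm-charts/tree/main/charts/grafana#sidecar-for-dashboards
  dashboards:
    enabled: false
    label: grafana_dashboard
    namespace: ~
    labelValue: "1"
    annotations: {}
nodeinit:
  # -- Enable the node initialization DaemonSet
  enabled: false
preflight:
  # -- Enable Cilium pre-flight resources (required for upgrade)
  enabled: false
# disableEnvoyVersionCheck removes the check for Envoy, which can be useful
# on AArch64 as the images do not currently ship a version of Envoy.
disableEnvoyVersionCheck: true
# -- Configure external workloads support
externalWorkloads:
  # -- Enable support for external workloads, such as VMs (false by default).
  enabled: false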
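# kubeadm configuration for the control-plane node. Nesting restored (the
# keys were flattened) and the unterminated podSubnet string closed -- as
# written, `"10.0.0.0/14` without a closing quote is a YAML parse error.
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
nodeRegistration:
  # CRI-O socket; matches the runtime installed by the join script.
  criSocket: unix:///run/crio/crio.sock
  # NOTE(review): an empty taint list drops the default
  # node-role.kubernetes.io/control-plane:NoSchedule taint, so ordinary
  # workloads get scheduled next to etcd and the API server. Acceptable for a
  # single-node lab; remove this key to keep the default taint otherwise.
  taints: []
# kube-proxy is not installed: the Cilium values set kubeProxyReplacement
# "true", which takes over service load balancing.
skipPhases:
  - addon/kube-proxy
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
networking:
  serviceSubnet: "10.8.0.0/16"
  # Must equal Cilium's clusterPoolIPv4PodCIDRList / ipv4NativeRoutingCIDR.
  podSubnet: "10.0.0.0/14"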
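#!/bin/bash
# Worker-node bootstrap: install CRI-O and kubeadm/kubelet/kubectl 1.28 from
# pkgs.k8s.io, add host entries, disable swap and join the cluster.
#
# The bootstrap token is a credential (it authorises a node to join the
# cluster and is valid for 24h by default), so it is read from the
# environment instead of being hard-coded in a shareable script:
#   KUBEADM_TOKEN=<id>.<secret> ./join.sh
# API_ENDPOINT and CA_CERT_HASH can be overridden the same way.
set -euo pipefail

: "${KUBEADM_TOKEN:?set KUBEADM_TOKEN (from 'kubeadm token create' on the control plane)}"
API_ENDPOINT="${API_ENDPOINT:-10.0.0.1:6443}"
# SHA-256 of the cluster CA certificate: public information, and it pins
# which control plane the node will trust during discovery.
CA_CERT_HASH="${CA_CERT_HASH:-sha256:8bab2083e709f746373f7b88e321d27f0c97ee8f03601261f5276b8a9aefceb3}"
K8S_MINOR="v1.28"
# NOTE(review): "prerelease:/main" tracks unreleased CRI-O builds; outside a
# lab use the stable channel matching the kubelet minor,
# addons:/cri-o:/stable:/${K8S_MINOR}/deb/.
CRIO_REPO="https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/"
K8S_REPO="https://pkgs.k8s.io/core:/stable:/${K8S_MINOR}/deb/"

# The keyring directory does not exist on older Debian/Ubuntu images.
sudo install -m 0755 -d /etc/apt/keyrings

# Each repository key is bound to its own source via signed-by, so neither
# key can authenticate packages for the other repository. --batch --yes lets
# the script be re-run when the keyring file already exists (gpg would
# otherwise prompt to overwrite and fail under sudo).
curl -fsSL "${CRIO_REPO}Release.key" |
  sudo gpg --batch --yes --dearmor -o /etc/apt/keyrings/cri-o-apt-keyring.gpg
echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] ${CRIO_REPO} /" |
  sudo tee /etc/apt/sources.list.d/cri-o.list
curl -fsSL "${K8S_REPO}Release.key" |
  sudo gpg --batch --yes --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] ${K8S_REPO} /" |
  sudo tee /etc/apt/sources.list.d/kubernetes.list

sudo apt-get update && sudo apt-get install -y cri-o kubelet kubeadm kubectl
# Keep unattended upgrades from moving kubelet/kubeadm to another minor.
sudo apt-mark hold kubelet kubeadm kubectl
sudo systemctl start crio

# Map the host name to its first address and <host>.owl-royal.ts.net to its
# second -- presumably the LAN and Tailscale addresses. `hostname -I` gives
# no ordering guarantee, so verify on nodes with more than two addresses.
# Build the new file first: piping `cat /etc/hosts` straight into
# `tee /etc/hosts` can truncate the file before cat reads it. Skipped when
# the entry already exists so re-runs do not stack duplicates.
host="$(hostname)"
read -r lan_ip ts_ip _ < <(hostname -I)
if ! grep -q "[[:space:]]${host}\$" /etc/hosts; then
  tmp="$(mktemp)"
  {
    printf '%s %s\n' "${lan_ip}" "${host}"
    if [ -n "${ts_ip}" ]; then
      printf '%s %s.owl-royal.ts.net\n' "${ts_ip}" "${host}"
    fi
    cat /etc/hosts
  } > "${tmp}"
  sudo install -m 0644 "${tmp}" /etc/hosts
  rm -f "${tmp}"
fi

# kubelet refuses to start while swap is active (unless failSwapOn=false).
# The unit and file names presumably match a cloud-image style swapfile;
# -f keeps this step idempotent on hosts that never had them.
sudo swapoff --all
sudo rm -f /lib/systemd/system/swapfile.swap /swapfile
sudo systemctl daemon-reload

# The CA hash makes the node verify the control plane before trusting it;
# never swap it for --discovery-token-unsafe-skip-ca-verification.
sudo kubeadm join "${API_ENDPOINT}" --token "${KUBEADM_TOKEN}" \
  --discovery-token-ca-cert-hash "${CA_CERT_HASH}"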