Kubernetes Beyond the Edge

• K3s
• Manually Deploy Images and Binary
  • Prepare the Images Directory and K3s Binary
  • Prepare the K3s Binary
• Installing K3s in an Air-Gapped Environment
• Kubernetes Dashboard
  • Deploying the Kubernetes Dashboard
  • Dashboard RBAC Configuration
    • Obtain the Bearer Token
• Local Access to the Dashboard
• Run a Stateless Application Using a Deployment
• Uninstalling K3s

K3s

K3S - the lightweight Kubernetes. Production ready, easy to install, half the memory, all in a binary less than 100 MB. Used for Edge, IoT, CI, Development, ARM, Embedding k8s and situations where a PhD in k8s clusterology is infeasible

You can install K3s in an air-gapped environment using two different methods. An air-gapped environment is any environment that is not directly connected to the Internet. You can either deploy a private registry and mirror docker.io, or you can manually deploy images such as for small clusters.

Embedded Component Versions

Component	Version
Kubernetes	v1.25.3
Kine	v0.9.3
SQLite	3.36.0
Etcd	v3.5.3-k3s1
Containerd	v1.6.8-k3s1
Runc	v1.1.4
Flannel	v0.19.2
Metrics-server	v0.6.1
Traefik	v2.9.1
CoreDNS	v1.9.1
Helm-controller	v0.12.3
Local-path-provisioner	v0.0.21

Manually Deploy Images and Binary

This method requires you to manually deploy the necessary images to each node and is appropriate for edge deployments where running a private registry is not practical.

Prepare the Images Directory and K3s Binary

Obtain the images tar file for your architecture from the releases page for the version of K3s you will be running. Place the tar file in the images directory, for example:

wget https://github.com/k3s-io/k3s/releases/download/v1.25.3%2Bk3s1/k3s-airgap-images-amd64.tar.zst
sudo mkdir -p /var/lib/rancher/k3s/agent/images/
sudo tar --use-compress-program=unzstd -xvf ./k3s-airgap-images-amd64.tar.zst --directory /var/lib/rancher/k3s/agent/images
rm ./k3s-airgap-images-amd64.tar.zst

Prepare the K3s Binary

Download the K3s binary from the releases page, matching the same version used to get the airgap images. Place the binary in /usr/local/bin on each air-gapped node and ensure it is executable:

sudo wget https://github.com/k3s-io/k3s/releases/download/v1.25.3%2Bk3s1/k3s --directory-prefix=/usr/local/bin
sudo chmod +x /usr/local/bin/k3s

Installing K3s in an Air-Gapped Environment

Download the K3s install script at get.k3s.io. Place the install script anywhere on each air-gapped node, and name it install.sh. When running the K3s script with the INSTALL_K3S_SKIP_DOWNLOAD environment variable, K3s will use the local version of the script and binary:

wget --output-document=./install.sh  https://get.k3s.io
chmod +x ./install.sh

To install K3s on a single server, simply do the following on the server node:

INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh

[INFO]  Skipping k3s download and verify
[INFO]  Skipping installation of SELinux RPM
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Skipping /usr/local/bin/ctr symlink to k3s, command exists in PATH at /usr/bin/ctr
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO]  systemd: Starting k3s

Then, to optionally add additional agents download the install.sh and run the following on each agent node.

INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://myserver:6443 K3S_TOKEN=mynodetoken ./install.sh

Take care to ensure you replace myserver with the IP or valid DNS of the server and replace mynodetoken with the node token from the server typically at /var/lib/rancher/k3s/server/node-token:

sudo cat /var/lib/rancher/k3s/server/node-token
K109ff43654eb75675r756r49f41e02ve5467e5v45b9139esfdh23c8::server:ef896e4377876834524356876

Before adding an external client make sure that all Kubernetes ports are opened and accessible on all systems.

INSTALL_K3S_SKIP_DOWNLOAD=true K3S_URL=https://192.168.1.101:6443 K3S_TOKEN=K109ff43654eb75675r756r49f41e02ve5467e5v45b9139esfdh23c8::server:ef896e4377876834524356876 ./install.sh

Verify that the installation was successful:

sudo kubectl version --short --output=yaml

clientVersion:
  buildDate: "2022-10-25T19:59:38Z"
  compiler: gc
  gitCommit: f2585c1671b31b4b34bddbb3bf4e7d69662b0821
  gitTreeState: clean
  gitVersion: v1.25.3+k3s1
  goVersion: go1.19.2
  major: "1"
  minor: "25"
  platform: linux/amd64
kustomizeVersion: v4.5.7
serverVersion:
  buildDate: "2022-10-25T19:59:38Z"
  compiler: gc
  gitCommit: f2585c1671b31b4b34bddbb3bf4e7d69662b0821
  gitTreeState: clean
  gitVersion: v1.25.3+k3s1
  goVersion: go1.19.2
  major: "1"
  minor: "25"
  platform: linux/amd64

Kubernetes Dashboard

The Kubernetes Dashboard is a web-based Kubernetes user interface. You can use Dashboard to deploy containerized applications to a Kubernetes cluster, troubleshoot your containerized application, and manage the cluster resources. You can use Dashboard to get an overview of applications running on your cluster, as well as for creating or modifying individual Kubernetes resources (such as Deployments, Jobs, DaemonSets, etc). For example, you can scale a Deployment, initiate a rolling update, restart a pod or deploy new applications using a deploy wizard.

Deploying the Kubernetes Dashboard

To install the dashboard on an Edge (online) system you should set the following global variables to get the latest version:

GITHUB_URL=https://github.com/kubernetes/dashboard/releases
VERSION_KUBE_DASHBOARD=$(curl -w '%{url_effective}' -I -L -s -S ${GITHUB_URL}/latest -o /dev/null | sed -e 's|.*/||')

I can check the latest version on the release page - in my case this is v2.7.0. So instead of running:

sudo k3s kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/${VERSION_KUBE_DASHBOARD}/aio/deploy/recommended.yaml

I can download the file and transfer it to my air-gapped system:

sudo mkdir /opt/k3s
sudo chown myuser:myuser /opt/k3s
wget --output-document=/opt/k3s/kube-dash.yaml https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml

This file will deploy two container to the Kubernetes cluster that we can pull on a live system:

docker pull kubernetesui/dashboard:v2.7.0 
docker pull kubernetesui/metrics-scraper:v1.0.8

And then transfer to my air-gapped system before applying the downloaded job file.

Now I can deploy the dashboard:

sudo k3s kubectl create -f /opt/k3s/kube-dash.yaml

namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created

This seemed to have worked. Let's verify that both pods are now running:

sudo kubectl get pod --all-namespaces -o wide

NAMESPACE              NAME                                         READY STATUS    AGE   IP        
kube-system            coredns-75fc8f8fff-lm4zk                     1/1   Running   3m45s 10.42.0.6 
kube-system            local-path-provisioner-5b5579c644-znhxp      1/1   Running   3m45s 10.42.0.4 
kube-system            helm-install-traefik-crd-bqfzh               0/1   Completed 3m45s 10.42.0.5 
kube-system            helm-install-traefik-s2k47                   0/1   Completed 3m45s 10.42.0.2 
kube-system            metrics-server-5c8978b444-57t9t              1/1   Running   3m45s 10.42.0.3 
kube-system            svclb-traefik-6b2eda7a-grvsv                 2/2   Running   3m7s  10.42.0.7 
kube-system            traefik-9c6dc6686-778mw                      1/1   Running   3m7s  10.42.0.8 
kubernetes-dashboard   dashboard-metrics-scraper-64bcc67c9c-ppdj4   1/1   Running   54s   10.42.0.10
kubernetes-dashboard   kubernetes-dashboard-5c8bd6b59-96xdj         1/1   Running   54s   10.42.0.9

sudo kubectl get deployments -n kubernetes-dashboard

NAME                        READY   UP-TO-DATE   AVAILABLE   AGE
dashboard-metrics-scraper   1/1     1            1           55s
kubernetes-dashboard        1/1     1            1           55s

sudo kubectl get services -n kubernetes-dashboard 

NAME                        TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
kubernetes-dashboard        ClusterIP   10.43.53.84    <none>        443/TCP    57s
dashboard-metrics-scraper   ClusterIP   10.43.58.132   <none>        8000/TCP   57s

Looking good :)

Dashboard RBAC Configuration

Create the following resource manifest files:

nano /opt/k3s/dashboard.admin-user.yml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard

nano /opt/k3s/dashboard.admin-user-role.yml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

Deploy the admin-user configuration:

sudo k3s kubectl create -f /opt/k3s/dashboard.admin-user.yml -f /opt/k3s/dashboard.admin-user-role.yml

serviceaccount/admin-user created
clusterrolebinding.rbac.authorization.k8s.io/admin-user created

Obtain the Bearer Token

sudo k3s kubectl -n kubernetes-dashboard create token admin-user

eyJhbGciOiJSUzI1NiIsImtpZCI6IkdnaWluV2RRbnpuMENIaUI2TFB2QmxhbGctQUhUVWVjM2FXSWhKRTRXNUEifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrM3MiXSwiZXhwIjoxNjY4ODU3MDA1LCJpYXQiOjE2Njg4NTM0MDUsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJhZG1pbi11c2VyIiwidWlkIjoiYzNhNjY0ODUtYjQ2Ny00NzNjLTg4MzktMDk3YzUwMzE4NzI5In19LCJuYmYiOjE2Njg4NTM0MDUsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlcm5ldGVzLWRhc2hib2FyZDphZG1pbi11c2VyIn0.Aq7mrvx3yo4EGsziJZs5poXWYJsq_s5uMkWhuinu0h_XNi-Qke9ZAX2f5cCw31vErXY2NcIYqQKgMMmcFpW9Kod_g--ZdIEmxGRqsIk_bBm1pjgYvdHvQDA8EZrFpT4BMgQMX10I8qp6zE6Y7iLckABDCiTWl0Pu42oRXxnRPp5_OppGOEbOte4Z1A5xjsR889t4YgVeKa9RHlvroWyaDkd5hyEpolpoDxteSd16e6TYXkNUkh70taPbcUzxO-DheP8apWWLsFSzQOUXbG0L2JJIAL1rYbBsvCYH346VtP2SwGFU5Z_S1whACH4O3lKu56aesnT5TERUPL6PdBclIQ

Local Access to the Dashboard

To access the Dashboard you must create a secure channel to your K3s cluster:

sudo k3s kubectl proxy

Starting to serve on 127.0.0.1:8001

The Dashboard is now accessible at:

• http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
• Sign In with the admin-user Bearer Token

Run a Stateless Application Using a Deployment

You can run an application by creating a Kubernetes Deployment object, and you can describe a Deployment in a YAML file. For example, this YAML file describes a Deployment that runs the latest nginx:alpine Docker image (the image needs to be present on the air-gapped system):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2 # tells deployment to run 2 pods matching the template
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:alpine
        ports:
        - containerPort: 80

Using kubectl you can now deploy this job file with:

sudo kubectl apply -f https://k8s.io/examples/application/deployment.yaml
sudo kubectl describe deployment nginx-deployment
sudo kubectl get pods -l app=nginx
sudo kubectl describe pod <pod-name>
sudo kubectl delete deployment nginx-deployment

Or we can use the Kubernetes Dashboard - click on Create a new resource in the top right and fill out the form:

Verify via kubectl:

sudo kubectl describe deployment nginx-deployment
Name:                   nginx-deployment
Namespace:              default
CreationTimestamp:      Sat, 19 Nov 2022 19:40:31 +0800
Labels:                 k8s-app=nginx-deployment
...

sudo kubectl get pods -l k8s-app=nginx-deployment

NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-7fd66545df-v2bbz   1/1     Running   0          116s

sudo kubectl describe pod nginx-deployment-7fd66545df-v2bbz

Name:             nginx-deployment-7fd66545df-v2bbz
Namespace:        default
Priority:         0
Service Account:  default
Node:             tp-link0815b/192.168.2.112
Start Time:       Sat, 19 Nov 2022 19:40:31 +0800
Labels:           k8s-app=nginx-deployment
                  pod-template-hash=7fd66545df
Annotations:      <none>
Status:           Running
IP:               10.42.0.14

...

Events:
  Type    Reason     Age    From               Message
  ----    ------     ----   ----               -------
  Normal  Scheduled  4m42s  default-scheduler  Successfully assigned default/nginx-deployment-7fd66545df-v2bbz to tp-link0815b
  Normal  Pulled     4m42s  kubelet            Container image "nginx:alpine" already present on machine
  Normal  Created    4m42s  kubelet            Created container nginx-deployment
  Normal  Started    4m42s  kubelet            Started container nginx-deployment

Uninstalling K3s

To uninstall K3s from a server node, run:

/usr/local/bin/k3s-uninstall.sh

To uninstall K3s from an agent node, run:

/usr/local/bin/k3s-agent-uninstall.sh