This repository has been archived by the owner on Sep 28, 2023. It is now read-only.

simp/pupmod-simp-simp_kubernetes

Table of Contents

  1. Description
  2. Setup - The basics of getting started with simp_kubernetes
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Description

Minimally manage a Kubernetes cluster! This module will configure the core services required to get a basic Kubernetes cluster up and running, based on the distribution available in the extras CentOS repo.

This is currently Kubernetes 1.5.

Kubernetes Architecture (Source: https://speakerdeck.com/luxas/kubeadm-cluster-creation-internals-from-self-hosting-to-upgradability-and-ha)

This module can set up:

  • Every host
    • etcd (only one peer has been tested)
    • flanneld
  • Master hosts
    • kube-apiserver
    • kube-controller-manager
    • kube-scheduler
  • Node hosts
    • kubelet
    • kube-proxy
  • Kubeconfigs

Using the following packages from the CentOS Extras repo:

  • kubernetes

This module will not interact with Kubernetes in any way, besides what can be configured on a system level.

NOTE: This module only supports EL7. It does not support EL6.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they may be submitted to our bug tracker.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

  • When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server, but only on the systems running kubernetes, not the content in kubernetes.
  • If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in simp/simp_options for details.

Setup

What simp_kubernetes affects

simp_kubernetes only sets up the services listed above, with a few catches:

  • The integration with SIMP's PKI may give you trouble, because Kubernetes expects certificates that carry IP subjectAltNames.
  • This module does not deploy any services on Kubernetes, even if they are required for a complete set-up.
  • There are no load balancers available in the CentOS repos, so this module does not provide one out of the box.
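The first catch above is easy to trip over, so here is a small check to run against the certificate files you intend to hand to the etcd_app_pki_cert and app_pki_cert parameters before applying the class. This is an added example, not code from the simp_kubernetes module or from SIMP: it lists a certificate's subjectAltName entries with openssl and reports whether any of them is an IP address. The two self-signed certificates it generates are constructed throw-away inputs for demonstration, and the function names are assumptions of this example; it needs OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example (not part of pupmod-simp-simp_kubernetes): verify that a PEM
# certificate carries an IP-address subjectAltName, as the README notes
# Kubernetes expects, before pointing the *_app_pki_cert parameters at it.
set -eu

# Print the subjectAltName entries of the certificate at $1, one per line.
cert_san_entries() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Return 0 if the certificate at $1 has at least one IP SAN, 1 otherwise.
cert_has_ip_san() {
  cert_san_entries "$1" | grep -q '^IP Address:'
}

# Constructed sample certificates (self-signed, throw-away, not from the page):
# one with an IP SAN and one with only a DNS SAN.
SAN_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$SAN_DEMO_DIR"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$SAN_DEMO_DIR/good.key" -out "$SAN_DEMO_DIR/good.pem" \
  -subj '/CN=kube-master01.domain.net' \
  -addext 'subjectAltName=DNS:kube-master01.domain.net,IP:10.0.0.11' >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$SAN_DEMO_DIR/bad.key" -out "$SAN_DEMO_DIR/bad.pem" \
  -subj '/CN=kube-master01.domain.net' \
  -addext 'subjectAltName=DNS:kube-master01.domain.net' >/dev/null 2>&1

# Report on both samples; swap in your real certificate paths to check them.
for cert in "$SAN_DEMO_DIR/good.pem" "$SAN_DEMO_DIR/bad.pem"; do
  if cert_has_ip_san "$cert"; then
    echo "OK: $cert has an IP subjectAltName"
  else
    echo "WARN: $cert has no IP subjectAltName; Kubernetes will not accept it for IP endpoints"
  fi
done
```

Run it against the certificates on the masters and nodes; a WARN line means the certificate must be reissued with the host's IP address in its subjectAltName before the TLS parameters shown in the Usage section will work.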
Usage

The minimal set-up would look as follows:

On all nodes:

class { 'simp_kubernetes':
  etcd_peers   => ['kube-master01.domain.net'],
  kube_masters => ['kube-master01.domain.net','kube-master02.domain.net','kube-master03.domain.net']
}

or in hiera:

---
simp_kubernetes::is_master: false # or unset - default is false
simp_kubernetes::etcd_peers:
- kube-master01.domain.net
simp_kubernetes::kube_masters:
- kube-master01.domain.net
- kube-master02.domain.net
- kube-master03.domain.net

On the master node (only one is supported at this time):

class { 'simp_kubernetes':
  etcd_peers   => ['kube-master01.domain.net'],
  kube_masters => ['kube-master01.domain.net','kube-master02.domain.net','kube-master03.domain.net'],
  is_master    => true
}

or in the hiera configuration for master nodes, assuming the hiera for all nodes listed above is present:

---
simp_kubernetes::is_master: true

Here etcd_peers is the list of hostnames that will run etcd, and kube_masters is the list of servers on which the Kubernetes API will be available. These parameters alone result in a Kubernetes cluster that uses flannel as its network backend, with all communication over plain HTTP.

If you need an HA etcd, you will probably be better off setting that up elsewhere for now and setting manage_etcd to false.

To enable TLS, call your class like this:

class { 'simp_kubernetes':
  etcd_peers           => ['kube-master01.domain.net'],
  etcd_peer_protocol   => 'https',
  etcd_client_protocol => 'https',
  etcd_app_pki_key     => '/path/to/cert',
  etcd_app_pki_cert    => '/path/to/cert',
  etcd_app_pki_ca      => '/path/to/cert',
  kube_masters         => ['kube-master01.domain.net','kube-master02.domain.net','kube-master03.domain.net'],
  kube_api_protocol    => 'https',
  kubelet_protocol     => 'https',
  kube_api_port        => 6443,
  app_pki_key          => '/path/to/cert',
  app_pki_cert         => '/path/to/cert',
  app_pki_ca           => '/path/to/cert',
}
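Because the defaults leave every service on plain HTTP, it is worth checking a proposed parameter set before it reaches the Puppet server. The following checker is an added example, not code from the simp_kubernetes module: it takes the class parameters as a dictionary, reports each protocol parameter from the TLS example above that is still http, reports any https setting whose PKI file parameters are unset, and can render the same parameters in the hiera form shown earlier. The parameter names are the module's; the checker, its sample inputs and its file paths are constructed for this example.

```python
"""Added example, not code from the simp_kubernetes module: a checker for the
protocol and PKI parameters the README's usage section lists. It flags every
service still on plain http and any https setting whose PKI file parameters
are unset, and can render the same parameters as the hiera form shown above.
Parameter names are the module's; the checker itself and its sample input are
assumptions constructed for this example."""

from typing import Any, Dict, List, Tuple

# Protocol parameters from the README's TLS example, each paired with the PKI
# file parameters that have to be populated once it is switched to https.
PROTOCOL_PARAMS: Dict[str, Tuple[str, ...]] = {
    "etcd_peer_protocol":   ("etcd_app_pki_key", "etcd_app_pki_cert", "etcd_app_pki_ca"),
    "etcd_client_protocol": ("etcd_app_pki_key", "etcd_app_pki_cert", "etcd_app_pki_ca"),
    "kube_api_protocol":    ("app_pki_key", "app_pki_cert", "app_pki_ca"),
    "kubelet_protocol":     ("app_pki_key", "app_pki_cert", "app_pki_ca"),
}

# Parameters the minimal set-up in the README always supplies.
REQUIRED_LISTS = ("etcd_peers", "kube_masters")


def check_tls_config(params: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    findings: List[str] = []
    for name in REQUIRED_LISTS:
        if not params.get(name):
            findings.append(f"{name} is empty: the minimal set-up needs at least one host")
    for proto, pki_params in PROTOCOL_PARAMS.items():
        # README: with the protocol parameters left unset, all traffic is http.
        value = params.get(proto, "http")
        if value != "https":
            findings.append(f"{proto} is {value!r}: this traffic is unencrypted")
            continue
        missing = [p for p in pki_params if not params.get(p)]
        if missing:
            findings.append(f"{proto} is https but {', '.join(missing)} not set")
    return findings


def to_hiera(params: Dict[str, Any]) -> str:
    """Render parameters as simp_kubernetes::* hiera keys, as in the README."""
    lines = ["---"]
    for key, value in params.items():
        full = f"simp_kubernetes::{key}"
        if isinstance(value, bool):
            lines.append(f"{full}: {'true' if value else 'false'}")
        elif isinstance(value, list):
            lines.append(f"{full}:")
            lines.extend(f"- {item}" for item in value)
        else:
            lines.append(f"{full}: {value}")
    return "\n".join(lines) + "\n"


# Constructed sample inputs: hostnames are the README's placeholders, the
# certificate paths are placeholders made up for this example.
MASTERS = ["kube-master01.domain.net", "kube-master02.domain.net", "kube-master03.domain.net"]

MINIMAL = {"etcd_peers": ["kube-master01.domain.net"], "kube_masters": MASTERS}

TLS_ENABLED = dict(
    MINIMAL,
    etcd_peer_protocol="https", etcd_client_protocol="https",
    etcd_app_pki_key="/path/to/key", etcd_app_pki_cert="/path/to/cert",
    etcd_app_pki_ca="/path/to/ca",
    kube_api_protocol="https", kubelet_protocol="https", kube_api_port=6443,
    app_pki_key="/path/to/key", app_pki_cert="/path/to/cert", app_pki_ca="/path/to/ca",
)

if __name__ == "__main__":
    for label, cfg in (("minimal", MINIMAL), ("tls", TLS_ENABLED)):
        print(f"[{label}]")
        for finding in check_tls_config(cfg) or ["no findings"]:
            print("  -", finding)
    print(to_hiera(dict(TLS_ENABLED, is_master=True)))
```

Running it as a script prints four "unencrypted" findings for the minimal configuration and none for the TLS one; feeding it a dictionary parsed from your own hiera data is a cheap way to catch a protocol parameter that was switched to https without its key, cert and CA paths.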

The module also exposes parameters for tuning each service it manages:

  • flannel_network_config
  • flannel_args
  • etcd_options
  • api_args
  • master_api_args
  • scheduler_args
  • controller_args
  • proxy_args
  • kubelet_args

Reference

Please refer to the inline documentation within each source file, or to the module's generated YARD documentation for reference material.

Limitations

This module is only intended to work with Red Hat's distribution of Kubernetes. If a newer version is required, or a version from a different source, this module may not work as intended.

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.

Development

Please read our Contribution Guide.

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

bundle install
bundle exec rake beaker:suites

There is also a suite in simp-core (kubernetes) that tests this component in the context of a SIMP system.

Please refer to the SIMP Beaker Helpers documentation for more information.
