K3s on Fedora CoreOS
使わなかったので供養
K3s は SELinux が有効じゃないと動かないのでとりあえず permissive にしてある
これを butane に通すと ignition が吐かれるのでそれをインストール時に読み込ませれば K3s セットアップ済みの Fedora CoreOS のできあがり code:k3s.bu#.yml
---
# Butane config (FCOS variant). Run it through `butane` to get the Ignition
# JSON that the installer consumes, as described at the top of the page.
variant: fcos
version: 1.0.0
passwd:
  users:
    # Default login user; the key below is a placeholder — substitute the
    # real public key before transpiling.
    - name: core
      ssh_authorized_keys:
        - ssh-ed25519 your-key here
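storage:
  files:
    # Static hostname for the node.
    - path: /etc/hostname
      overwrite: true
      mode: 0644
      contents:
        inline: localhost

    # SELinux stays permissive for now (see the note at the top of the page):
    # denials are logged but not enforced until this is switched back.
    # NOTE(review): 0664 is group-writable, unlike every other file here —
    # confirm 0644 was not intended.
    - path: /etc/selinux/config
      overwrite: true
      mode: 0664
      contents:
        inline: |
          SELINUX=permissive
          SELINUXTYPE=targeted

    # NetworkManager keyfile for ens192: static IPv4, method=auto for IPv6.
    # NOTE(review): the [connection]/[ipv4]/[ipv6] section headers were
    # missing from the pasted text (the two method= lines show two sections
    # were meant); they are restored here — confirm against the original
    # keyfile. Also confirm the address line: keyfiles normally carry the
    # prefix length with the address (address1=<ip>/<prefix>).
    - path: /etc/NetworkManager/system-connections/eth0.nmconnection
      overwrite: true
      mode: 0600
      contents:
        inline: |
          [connection]
          interface-name=ens192
          type=ethernet

          [ipv4]
          addresses=192.168.1.2
          dns=192.168.1.1;1.1.1.1
          gateway=192.168.1.1
          method=manual

          [ipv6]
          method=auto

    # Host firewall loaded by nftables.service (enabled under systemd below):
    # default-drop input, rate-limited SSH, and the k3s port set.
    # NOTE(review): the k3s ports accept from any source; restricting
    # 2379-2380 and 10250 to the cluster's peer addresses would narrow the
    # exposure. The forward chain also drops by default, and a drop in any
    # base chain is final, so rules k3s installs in other tables cannot
    # override it — verify that cross-node pod traffic actually passes, and
    # note that `flush ruleset` on a service restart also clears those rules.
    - path: /etc/sysconfig/nftables.conf
      overwrite: true
      mode: 0600
      contents:
        inline: |
          #
          # This file will contain your nftables rules and
          # is read by the systemd service when restarting
          #
          # These provide an iptables like set of filters
          # (uncomment to include)
          # include "/etc/nftables/arp-filter.nft"
          # include "/etc/nftables/bridge-filter.nft"
          # include "/etc/nftables/inet-filter.nft"
          # include "/etc/nftables/ipv4-filter.nft"
          # include "/etc/nftables/ipv4-mangle.nft"
          # include "/etc/nftables/ipv4-nat.nft"
          # include "/etc/nftables/ipv4-raw.nft"
          # include "/etc/nftables/ipv6-filter.nft"
          # include "/etc/nftables/ipv6-mangle.nft"
          # include "/etc/nftables/ipv6-nat.nft"
          # include "/etc/nftables/ipv6-raw.nft"
          flush ruleset;
          table inet filter {
            chain input {
              type filter hook input priority 0; policy drop;
              ct state established,related accept;
              ct state invalid drop;
              iif lo accept;
              ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept;
              ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept;
              ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 10/second accept;
              ip protocol icmp icmp type echo-request limit rate 10/second accept;
              # Allow SSH
              tcp dport ssh limit rate 15/minute accept;
              # Allow k3s
              tcp dport { 2379-2380, 6443, 10250 } accept;
              udp dport { 8472, 51820, 51821 } accept;
            }
            chain forward {
              type filter hook forward priority 0; policy drop;
            }
            chain output {
              type filter hook output priority 0; policy accept;
            }
          }

    # IP forwarding for both families (needed for the forward chain above to
    # see any traffic at all).
    - path: /etc/sysctl.d/50-forward.conf
      mode: 0644
      contents:
        inline: |
          net.ipv4.ip_forward = 1
          net.ipv6.conf.all.forwarding = 1

    # Build context for the open-vm-tools container used by vmtoolsd.service.
    # NOTE(review): `fedora:36` is a floating tag and packages are fetched at
    # build time; pin an image digest if reproducible builds matter.
    - path: /opt/open-vm-tools/Dockerfile
      mode: 0644
      contents:
        inline: |
          FROM registry.fedoraproject.org/fedora:36
          RUN dnf install \
              --setopt=install_weak_deps=False \
              --setopt=tsflags=nodocs \
              -y \
              open-vm-tools \
              && dnf clean all

    # Empty marker file: keeps the core user's session lingering.
    - path: /var/lib/systemd/linger/core
      mode: 0644

  links:
    - path: /etc/localtime
      target: /usr/share/zoneinfo/Asia/Tokyo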
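systemd:
  units:
    # Loads /etc/sysconfig/nftables.conf at boot.
    - name: nftables.service
      enabled: true

    # open-vm-tools in a locally built container. With --privileged, host
    # pid/net/ipc/uts namespaces and the /proc, /run/systemd and cgroup
    # mounts it is effectively a root daemon on the host, so the image source
    # must stay trusted. The build runs on every start and needs network.
    # NOTE(review): the [Unit]/[Service]/[Install] headers were missing from
    # the pasted text and are restored here in the layout
    # `podman generate systemd` emits — confirm against the original unit.
    - name: vmtoolsd.service
      enabled: true
      contents: |
        # container-e7dd5c943b947a6a7e8dcbd67a01e70856f94f639d0edf0336248c8c776cedff.service
        # autogenerated by Podman 4.2.0
        # Mon Oct 10 01:08:55 JST 2022

        [Unit]
        ConditionVirtualization=vmware
        Description=Open Virtual Machine Tools (VMware Tools)
        Documentation=man:podman-generate-systemd(1)
        Wants=network-online.target
        After=network-online.target
        RequiresMountsFor=%t/containers

        [Service]
        Environment=PODMAN_SYSTEMD_UNIT=%n
        Restart=on-failure
        TimeoutStopSec=70
        ExecStartPre=/usr/bin/podman build --network host -t open-vm-tools /opt/open-vm-tools
        ExecStartPre=/bin/rm -f %t/%n.ctr-id
        ExecStart=/usr/bin/podman run \
          --cidfile=%t/%n.ctr-id \
          --cgroups=no-conmon \
          --rm \
          --sdnotify=conmon \
          --detach \
          --replace \
          --ipc=host \
          --name=vmtoolsd \
          --net=host \
          --pid=host \
          --privileged \
          --uts=host \
          --env SYSTEMD_IGNORE_CHROOT=1 \
          --volume=/proc/:/hostproc/ \
          --volume=/run/systemd:/run/systemd \
          --volume=/sys/fs/cgroup:/sys/fs/cgroup \
          open-vm-tools
        ExecStop=/usr/bin/podman stop --ignore --cidfile=%t/%n.ctr-id
        ExecStopPost=/usr/bin/podman rm -f --ignore --cidfile=%t/%n.ctr-id
        Type=notify
        NotifyAccess=all

        [Install]
        WantedBy=default.target

    # One-shot k3s install on first boot, then reboot. The stamp file guards
    # against re-running; it is only touched after the installer step, so a
    # failed install is retried on the next boot.
    # Fixes relative to the pasted text: section headers restored, the two
    # ExecStart= lines that had been merged onto one line split again, and
    # network-online ordering added (the installer is fetched with curl and
    # the unit previously only ordered after systemd-machine-id-commit).
    # NOTE(review): the installer is piped straight into sh from get.k3s.io
    # with no version pin; setting INSTALL_K3S_VERSION, or installing from a
    # vetted local copy, makes the node build reproducible. K3S_KUBECONFIG_MODE
    # 644 leaves the admin kubeconfig world-readable on the node. --no-deploy
    # is the older spelling of --disable.
    - name: setup-k3s.service
      enabled: true
      contents: |
        [Unit]
        Description=Setup k3s
        Wants=network-online.target
        After=network-online.target
        After=systemd-machine-id-commit.service
        ConditionPathExists=!/var/lib/setup-k3s.stamp

        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=/bin/sh -c "export K3S_KUBECONFIG_MODE=\"644\";export INSTALL_K3S_EXEC=\" --no-deploy servicelb --no-deploy traefik\";curl -sfL https://get.k3s.io | sh -"
        ExecStart=/bin/touch /var/lib/setup-k3s.stamp
        ExecStart=/bin/systemctl --no-block reboot

        [Install]
        WantedBy=multi-user.target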