Merge pull request kubernetes#43872 from neolit123/1.29-add-notes-about-network-setup-to-create-doc

kubeadm: add notes about network setup to the "create cluster" doc
k8s-ci-robot authored Nov 22, 2023
2 parents dad8686 + 34f93dd commit 91dbcc5
Showing 1 changed file with 57 additions and 5 deletions.
@@ -72,6 +72,8 @@ Any commands under `kubeadm alpha` are, by definition, supported on an alpha lev

### Preparing the hosts

#### Component installation

Install a {{< glossary_tooltip term_id="container-runtime" text="container runtime" >}} and kubeadm on all the hosts.
For detailed instructions and other prerequisites, see [Installing kubeadm](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/).

@@ -84,6 +86,61 @@ kubeadm to tell it what to do. This crashloop is expected and normal.
After you initialize your control-plane, the kubelet runs normally.
{{< /note >}}

#### Network setup

kubeadm similarly to other Kubernetes components tries to find a usable IP on
the network interface associated with the default gateway on a host. Such
an IP is then used for the advertising and/or listening performed by a component.

To find out what this IP is on a Linux host you can use:

```shell
ip route show # Look for a line starting with "default via"
```

Kubernetes components do not accept custom network interface as an option,
therefore a custom IP address must be passed as a flag to all components instances
that need such a custom configuration.

To configure the API server advertise address for control plane nodes created with both
`init` and `join`, the flag `--apiserver-advertise-address` can be used.
Preferably, this option can be set in the [kubeadm API](/docs/reference/config-api/kubeadm-config.v1beta3)
as `InitConfiguration.localAPIEndpoint` and `JoinConfiguration.controlPlane.localAPIEndpoint`.

For kubelets on all nodes, the `--node-ip` option can be passed in
`.nodeRegistration.kubeletExtraArgs` inside a kubeadm configuration file
(`InitConfiguration` or `JoinConfiguration`).

For dual-stack see
[Dual-stack support with kubeadm](/docs/setup/production-environment/tools/kubeadm/dual-stack-support).

{{< note >}}
IP addresses become part of certificates SAN fields. Changing these IP addresses would require
signing new certificates and restarting the affected components, so that the change in
certificate files is reflected. See
[Manual certificate renewal](/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#manual-certificate-renewal)
for more details on this topic.
{{</ note >}}

{{< warning >}}
The Kubernetes project recommends against this approach (configuring all component instances
with custom IP addresses). Instead, the Kubernetes maintainers recommend to setup the host network,
so that the default gateway IP is the one that Kubernetes components auto-detect and use.
On Linux nodes, you can use commands such as `ip route` to configure networking; your operating
system might also provide higher level network management tools. If your node's default gateway
is a public IP address, you should configure packet filtering or other security measures that
protect the nodes and your cluster.
{{< /warning >}}

{{< note >}}
If the host does not have a default gateway, it is recommended to setup one. Otherwise,
without passing a custom IP address to a Kubernetes component, the component
will exit with an error. If two or more default gateways are present on the host,
a Kubernetes component will try to use the first one it encounters that has a suitable
global unicast IP address. While making this choice, the exact ordering of gateways
might vary between different operating systems and kernel versions.
{{< /note >}}

### Preparing the required container images

This step is optional and only applies in case you wish `kubeadm init` and `kubeadm join`
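Review bot: the warning names the wrong address. "If your node's default gateway is a public IP address" points at the gateway's own IP, but what kubeadm picks up is the node's IP on the interface that carries the default route, and that is the address the API server advertises and the kubelet reports as the node address. Suggest: `If the interface that carries your default route has a public IP address, kubeadm and the kubelet will advertise and use that address; restrict access to the API server and kubelet ports with packet filtering or similar controls.` Three smaller points in the same hunk: the `ip route show` snippet only shows the IPv4 default route, so add `ip -6 route show` for the IPv6-only and dual-stack hosts the section goes on to mention; the certificate note sends readers to manual renewal, but `kubeadm certs renew` reuses the attributes (including SANs) of the existing certificate, so a changed advertise address needs the apiserver certificate regenerated, for example with `kubeadm init phase certs apiserver` and the updated configuration, rather than renewed; and `{{</ note >}}` on the closing line of that note differs from the `{{< /note >}}` form used elsewhere in the file.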
@@ -117,11 +174,6 @@ a provider-specific value. See [Installing a Pod network add-on](#pod-network).
known endpoints. To use different container runtime or if there are more than one installed
on the provisioned node, specify the `--cri-socket` argument to `kubeadm`. See
[Installing a runtime](/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-runtime).
1. (Optional) Unless otherwise specified, `kubeadm` uses the network interface associated
with the default gateway to set the advertise address for this particular control-plane node's API server.
To use a different network interface, specify the `--apiserver-advertise-address=<ip-address>` argument
to `kubeadm init`. To deploy an IPv6 Kubernetes cluster using IPv6 addressing, you
must specify an IPv6 address, for example `--apiserver-advertise-address=2001:db8::101`

To initialize the control-plane node run:

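Review bot: removing this numbered item drops the only place in the `kubeadm init` steps that tells a reader how the advertise address is chosen, and the IPv6 example (`--apiserver-advertise-address=2001:db8::101`) with it; someone who jumps straight to the init steps without reading "Preparing the hosts" no longer learns that the default-route interface is used. Suggest keeping a one-line item that points at the new section, for example `(Optional) If the IP address kubeadm auto-detects is not the one you want to advertise, see [Network setup](#network-setup).`, so the step list stays self-contained. Unrelated to the change but visible in the context lines: `To use different container runtime` reads better as `To use a different container runtime`.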