I’ve been playing with Kubernetes on CoreOS Container Linux for a couple of months now. As I prefer to implement real world workloads instead of examples, I planned on containerising a couple of applications my family and I rely on. Beforehand I wanted to create an easy way for installing a Kubernetes cluster spread across multiple VPS providers, securely connected over the internet via VPN or something similar. I did a speed test for initial evaluation of different methods and began working on a proof of concept CoreOS Kubernetes cluster secured via tinc. This prove more difficult than initially planned, taking me months for a simple setup and setting me back multiple times.

Therefore I settled with a Kubernetes installation residing on a single node. The clustering was a bit overkill for family applications anyways and this step just took to much time. For the Single Node installation I found a blog entry from Victor Palau who also created a GitHub repository for an automated Kubernetes installation to an existing Container Linux server. I tested his script on my server from Chicago VPS and although it largely worked, I was dissatisfied. As the script was initially intended to be run on Microsofts Azure, the requirements a bare metal installation has were not taken into account:
A couple of ports meant for internal use only were publicy accessible, insecure etcd2 being the worst one. Furthermore I didn’t like the apiserver listening on port 443. While on Azure you’d normaly prepend a Load balancer in front of the Single node, this doesn’t apply to a Bare Metal installation. Thusly HTTPS was effectively blocked on the node and there was no easy way for integrating a containerised load balancer like Træfɪk. Addtionally there were some smaller problems or additions I had in mind and wanted to integrate into the automation to ease installations for others and a possible reinstallation for myself.

So I took Victors script and expanded it to be more “Individual Production Ready” by:

• changing the published port of the API server to 6443
• enabling IPtables for port 2379 and 10250-10255 only permitting access from the own IP
• properly integrating kube-dns (not sure about that, didn’t work properly in my setup with Victors script)
• enabling Basic Authentication for the API server via random username and password
• integrating an automatic deployment of Kubernetes Dashboard which is accessible via said Basic Authentication

If you want to check it out, you’ll obviously need a running CoreOS Container Linux installation. The steps you have to do on the server are quite simple:

git clone https://github.com/m3adow/k8single
cd k8single
./kubeform.sh [myip-address] [DNS entry for K8s apiserver (optional)]

You can use the second argument on kubeform.sh to add an additional FQDN to your API server if you want to use a FQDN for connection instead of an IP.
Afterwards you should be able to access the dashboard via https://fqdn-of-your-server.com:6443/ui authenticating with the credentials the script displayed at the end.

I still hope I can revisit my project to get a secured Baremetal Kubernetes cluster running one day, but for now this Single Node installation satisfies my needs. If you have any questions or remarks, feel free to comment.