Join Log in
Score:1
Pavel Parshin avatar Server

Deploy control plane without master node registration using kubeadm

in flag
Pavel Parshin

I'd like to set up the Kubernetes cluster and hide the control plane components for all clients (some kind of a managed cluster). Kubeadm uses Kubelet and static pods to run this components which lead to registering Node and Pod resources into the API Server so any user with ClusterRole can list and manage the master nodes and pods.

I can bootstrap the control plane, stop the Kubelet agent and delete the master node resources but it seems that in this way I can't use kubeadm to upgrade the components and Kubelet to recover pods if any crash occurs.

Can I run the control plane out of the Kubernetes cluster using kubeadm or should I use my own instruments in that case?

211
0 + 0
in flag
mdaniel
Hi Pavel Parshin welcome to S.F. It sounds like you're trying to cripple the control-plane to solve an RBAC problem; if you don't want folks twiddling with your control-plane, ensure their credentials do not have access to it
0
Reply
Mikołaj Głodziak avatar
id flag
Mikołaj Głodziak
Which version of Kubernetes did you use and how did you set up the cluster? Did you use bare metal installation or some cloud providor?
0
Reply
Pavel Parshin avatar
in flag
Pavel Parshin
@mdaniel, hi. I think it's not an RBAC problem because I'm going to give the end users an admin role. It's one of requirements
0
Reply
Pavel Parshin avatar
in flag
Pavel Parshin
@MikołajGłodziak, 1.19.14. I'm using ClusterAPI and OpenStack to set up the cluster. ClusterAPI uses kubeadm to bootstrap the control plane
0
Reply
Score:1
Mikołaj Głodziak avatar Server
id flag
Mikołaj Głodziak

Can I run the control plane out of the Kubernetes cluster using kubeadm

Short answer: No, it is not possible.

should I use my own instruments in that case

Yes, that will be the solution to this situation. If you find your own solution, feel free to write it as an answer.

As a workaround, you can try to create a separate control plane (as in Kubernetes the hard way) and thenkubeadm join. However, you must also be aware that this type of configuration will be complicated to perform. Look also at this blog page.

See also similar topics:

You can run the Kubernetes control plane outside Kubernetes as long as the worker nodes have network access to the control plane. This approach is used on most managed Kubernetes solutions.

Look also this page about Self-registration of Nodes.

EDIT: I have found another possible workaround.

EDIT2: This tutorial should help you too.

0 + 0
Wytrzymały Wiktor avatar
it flag
Wytrzymały Wiktor
Hello @PavelParshin. Does this [answer your question](https://stackoverflow.com/help/someone-answers)?
0
Reply
Score:0
Pavel Parshin avatar Server
in flag
Pavel Parshin

Eventually I rewrote the kubeadm added the option to deploy control plane components as unix services and run them out of the Kubernetes cluster.

If you are interested, have a look at PR and adopt it for your requirements. How to use:

# build the updated kubeadm
make WHAT=cmd/kubeadm KUBE_BUILD_PLATFORMS=linux/amd64

# install the control plane components
wget -q --show-progress --https-only --timestamping \
  "https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kube-apiserver" \
  "https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kube-controller-manager" \
  "https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kube-scheduler" \
  "https://storage.googleapis.com/kubernetes-release/release/v1.21.0/bin/linux/amd64/kubectl"

chmod +x kube-apiserver kube-controller-manager kube-scheduler kubectl
sudo mv kube-apiserver kube-controller-manager kube-scheduler kubectl /usr/local/bin/

wget -q --show-progress --https-only --timestamping \
  "https://github.com/etcd-io/etcd/releases/download/v3.4.15/etcd-v3.4.15-linux-amd64.tar.gz"

tar -xvf etcd-v3.4.15-linux-amd64.tar.gz
sudo mv etcd-v3.4.15-linux-amd64/etcd* /usr/local/bin/

# run kubeadm with enabled service hosting option
kubeadm init --service-hosting

If you are using Cluster API, you have to write your own control plane controller and CRDs to support your own deployment.

0 + 0
zozo6015 avatar
us flag
zozo6015
It this PR still relevant as I have tried to build it and I get the following errors: ``` make WHAT=cmd/kubeadm KUBE_BUILD_PLATFORMS=linux/amd64 Generating prerelease lifecycle code for 28 targets ./hack/run-in-gopath.sh: line 34: _output/bin/prerelease-lifecycle-gen: Is a directory make[1]: *** [Makefile.generated_files:159: gen_prerelease_lifecycle] Error 1 make: *** [Makefile:552: generated_files] Error 2 ```
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.