Kubernetes: Setup K8S cluster in Airgapped environment

Prerequisites

  • OS installed and updated
  • Reachability to the private registry server (setting up a private registry and populating it with images is covered in the earlier posts)
  • containerd installed, and the containerd service started and enabled
  • AppArmor service installed, started and enabled
  • This document sets up RKE2 v1.24.9

Setup

Set up the certificate directory

#mkdir -p /var/rke2-airgap/certs && cd /var/rke2-airgap/certs

Copy the registry's TLS certificate from the private registry host to the Kubernetes node

#scp root@privreg.demolabs.com:/root/private-registry/certs/domain.crt .

Only the certificate is needed on the node: it is the trust anchor (ca_file in registries.yaml) against which containerd verifies the registry's TLS endpoint. The registry's private key (domain.key) stays on the registry host; any node holding it could impersonate the registry to every other node.

Set up the binaries directory

#scp root@privreg.demolabs.com:/root/private-registry/rke2-1.24.9/binaries/* /usr/local/

Untar the file

#cd /usr/local && tar -xvf rke2.linux-amd64.tar.gz

Copy the service files under systemd and reload

#cp /usr/local/lib/systemd/system/rke2-agent.service /etc/systemd/system/rke2-agent.service
#cp /usr/local/lib/systemd/system/rke2-server.service /etc/systemd/system/rke2-server.service
#systemctl daemon-reload

Create the configuration directories

#mkdir -p /etc/rancher/rke2

Create the registries yaml file

#touch /etc/rancher/rke2/registries.yaml
#cat <<'EOF' >> /etc/rancher/rke2/registries.yaml
mirrors:
  docker.io:
    endpoint:
      - "https://privreg.demolabs.com:443/v2"
configs:
  "privreg.demolabs.com:443":
    auth:
      username: registry-user
      password: password123
    tls:
      ca_file: /var/rke2-airgap/certs/domain.crt
EOF

The file must be valid YAML: docker.io is nested under mirrors and the registry entry is nested under configs. The registry's self-signed certificate is referenced as ca_file so that TLS is actually verified. Do not use insecure_skip_verify: true, which disables verification and lets anyone on the network path stand in for the mirror, and do not point cert_file/key_file at the registry's own certificate and key: those two settings are for a client certificate when the registry requires mTLS, and the key has no business being on the node. The file holds the registry password in clear text, so keep it readable by root only.

Be sure to change the entries (registry FQDN, credentials and certificate path) to the values you created in the earlier steps.

Create the config yaml file

#touch /etc/rancher/rke2/config.yaml
#cat <<'EOF' >> /etc/rancher/rke2/config.yaml
system-default-registry: "privreg.demolabs.com:443"   # private registry FQDN; all system images are pulled from here
server: https://192.168.1.205:9345   # supervisor URL of an existing server; only on nodes joining the cluster, omit on the first server
token: token1   # cluster join token; set on the first server (or read from /var/lib/rancher/rke2/server/node-token), same value on every joining node
tls-san:
  - 192.168.1117   # IP or DNS name of every server (and any load balancer) clients will use; keep adding entries as servers are added
write-kubeconfig-mode: "0600"   # the admin kubeconfig is cluster-admin; 0644 would let any local user read it
EOF

Remove the server line on the first server: with it present the node tries to join a cluster that does not exist yet and never comes up. On agent nodes only system-default-registry, server and token apply; tls-san and write-kubeconfig-mode are server-only settings.
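
The steps above are easy to get subtly wrong by hand (a mis-indented registries.yaml, a server line left on the first server, a private key copied along with the certificate). The following script is an added example, not part of the original post or of RKE2: it renders both files from a few variables and runs offline sanity checks before the service is started. The registry name privreg.demolabs.com:443, the certificate directory /var/rke2-airgap/certs and supervisor port 9345 are taken from this post; the password file path /root/.registry-pass is a hypothetical name used here so the password is not typed into shell history.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): render RKE2 airgap config files and
# sanity-check them. Assumed: registry privreg.demolabs.com:443, certs under
# /var/rke2-airgap/certs, supervisor port 9345; /root/.registry-pass is hypothetical.
set -euo pipefail

# The node needs the registry certificate only, never its private key.
# Returns 0 when the directory is clean, 1 when key material is found.
check_no_private_key() {
  local dir="$1"
  if grep -rqs -- "PRIVATE KEY" "$dir"; then
    echo "refusing: private key material found under $dir" >&2
    return 1
  fi
  return 0
}

# registries.yaml: mirror docker.io to the private registry, basic-auth with a
# password read from a root-only file, and trust the registry's self-signed
# certificate via ca_file (TLS is verified) rather than insecure_skip_verify.
render_registries_yaml() {
  local out="$1" registry="$2" user="$3" pass_file="$4" ca_file="$5" pass
  pass="$(cat "$pass_file")"
  [ -r "$ca_file" ] || echo "warning: $ca_file is not present on this node yet" >&2
  cat > "$out" <<EOF
mirrors:
  docker.io:
    endpoint:
      - "https://${registry}/v2"
configs:
  "${registry}":
    auth:
      username: "${user}"
      password: "${pass}"
    tls:
      ca_file: ${ca_file}
EOF
  chmod 0600 "$out"   # the file carries a credential; keep it root-only
}

# config.yaml for one of three roles: first-server, server, agent.
# The first server must not carry "server:" (it would try to join itself);
# every joining node needs "server:" and "token:". SANs are comma-separated.
render_rke2_config() {
  local out="$1" role="$2" registry="$3" token="$4" first_server="$5" sans="${6:-}"
  case "$role" in
    first-server|server|agent) ;;
    *) echo "unknown role: $role" >&2; return 2 ;;
  esac
  {
    echo "system-default-registry: \"${registry}\""
    [ "$role" = "first-server" ] || echo "server: https://${first_server}:9345"
    echo "token: ${token}"
    if [ "$role" != "agent" ] && [ -n "$sans" ]; then
      echo "tls-san:"
      echo "$sans" | tr ',' '\n' | sed 's/^/  - /'
    fi
    # Admin kubeconfig is cluster-admin: never world-readable (server-only setting).
    [ "$role" = "agent" ] || echo 'write-kubeconfig-mode: "0600"'
  } > "$out"
  chmod 0600 "$out"
}

# Example invocation for the first server (run as root; adjust values to your site).
if [ "${1:-}" = "--first-server" ]; then
  check_no_private_key /var/rke2-airgap/certs
  render_registries_yaml /etc/rancher/rke2/registries.yaml privreg.demolabs.com:443 \
    registry-user /root/.registry-pass /var/rke2-airgap/certs/domain.crt
  render_rke2_config /etc/rancher/rke2/config.yaml first-server \
    privreg.demolabs.com:443 token1 "" "192.168.1.205"
fi
```

Run it with `--first-server` on the initial node; on joining nodes call render_rke2_config with role server or agent and the first server's address as the fifth argument. The role check runs before anything is written, so a typo in the role leaves /etc/rancher/rke2 untouched.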

Set up additional binaries for management

#cd /usr/local
#tar -zxvf helm-v3.11.2-linux-amd64.tar.gz && mv linux-amd64/helm /usr/local/bin/helm
#install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

RKE2 also ships its own kubectl under /var/lib/rancher/rke2/bin once the service has started; the copy installed here is for convenience on the PATH.

Start the RKE2 Cluster

#systemctl enable rke2-server.service && systemctl start rke2-server.service

This takes a while: the service pulls every system image from the private registry and brings up etcd, the API server and the bundled add-ons. On agent nodes enable and start rke2-agent.service instead.

Check the progress

#journalctl -xeu rke2-server.service

Create symlink to kube config file

#mkdir -p ~/.kube && ln -s /etc/rancher/rke2/rke2.yaml ~/.kube/config

Check and validate the cluster status, nodes and pods

#kubectl get nodes ; kubectl get pods -A
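
Seeing every pod Running does not by itself prove the cluster is pulling from the private registry; a pod whose image is not pinned to it will either be served through the docker.io mirror or fail on a host with no outbound route. The script below is an added example, not part of the original post, that lists the image of every container and flags any that does not reference the private registry, and also checks that the admin kubeconfig is not world-readable. The registry name privreg.demolabs.com:443 and the kubeconfig path are taken from this post; the check function takes its input as text so it can be exercised offline with constructed sample lines.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): verify that all running images come
# from the private registry and that the admin kubeconfig is root-only.
# Assumed: registry privreg.demolabs.com:443 and /etc/rancher/rke2/rke2.yaml from the post.
set -euo pipefail

REGISTRY="${REGISTRY:-privreg.demolabs.com:443}"

# Live cluster only: one line per pod, "namespace/pod image [image ...]"
# (init containers are not included; add a second range over .spec.initContainers if needed).
list_images() {
  kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{range .spec.containers[*]} {.image}{end}{"\n"}{end}'
}

# Reads "namespace/pod image..." lines on stdin, prints every image that is not
# pinned to the private registry, and returns 1 if there was at least one.
check_images_pinned() {
  local registry="$1" bad=0 line
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    set -- $line              # $1 = namespace/pod, remaining words = images
    local pod="$1"; shift
    for img in "$@"; do
      case "$img" in
        "${registry}/"*) ;;
        *) echo "NOT PINNED: ${pod} ${img}"; bad=1 ;;
      esac
    done
  done
  return "$bad"
}

# Returns 0 if the file is readable by its owner only (0600 or 0400), else 1.
kubeconfig_mode_ok() {
  local f="$1" mode
  mode="$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")"
  case "$mode" in
    600|400) return 0 ;;
    *) echo "kubeconfig $f is mode $mode; expected 0600" >&2; return 1 ;;
  esac
}

# On a live node: list_images | check_images_pinned "$REGISTRY"
#                 kubeconfig_mode_ok /etc/rancher/rke2/rke2.yaml
if [ "${1:-}" = "--live" ]; then
  list_images | check_images_pinned "$REGISTRY"
  kubeconfig_mode_ok /etc/rancher/rke2/rke2.yaml
fi
```

Run with `--live` on a server node after the symlink step; a non-zero exit means either an image that was not pulled from the private registry or a kubeconfig that any local user could read.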

Conclusion

With this we conclude our setup of RKE2 Kubernetes cluster using private registry.
