kubernetes
Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications.
Kubernetes groups the containers that make up an application into logical units for easy management and discovery, and runs them on a Kubernetes cluster. A cluster consists of two groups of components: control plane components, which manage the cluster, and node components, which run on the worker nodes hosting the applications. Kubernetes requires a container runtime that implements the Container Runtime Interface (CRI), the mechanism through which containers are actually started and managed.
Installation
USE flags
Control Plane Components
USE flags for sys-cluster/kube-apiserver (Kubernetes API server)
hardened | Activate default security enhancements for toolchain (gcc, glibc, binutils)
USE flags for sys-cluster/kube-controller-manager (Kubernetes Controller Manager)
hardened | Activate default security enhancements for toolchain (gcc, glibc, binutils)
USE flags for sys-cluster/kube-proxy (Kubernetes Proxy service)
hardened | Activate default security enhancements for toolchain (gcc, glibc, binutils)
USE flags for sys-cluster/kube-scheduler (Kubernetes Scheduler)
hardened | Activate default security enhancements for toolchain (gcc, glibc, binutils)
USE flags for sys-cluster/kubectl (CLI to run commands against Kubernetes clusters)
hardened | Activate default security enhancements for toolchain (gcc, glibc, binutils)
USE flags for sys-cluster/kubeadm (CLI to easily bootstrap a secure Kubernetes cluster)
USE flags for sys-cluster/kubelet (Kubernetes Node Agent)
USE flags for sys-cluster/kubeletctl (A client for kubelet)
Node Plane Components
USE flags for sys-cluster/kube-proxy (Kubernetes Proxy service)
hardened | Activate default security enhancements for toolchain (gcc, glibc, binutils)
USE flags for sys-cluster/kubelet (Kubernetes Node Agent)
Container Runtime Interface
USE flags for app-containers/containerd (A daemon to control runC)
+cri | Support for Kubernetes CRI
+seccomp | Enable seccomp (secure computing mode) to perform system call filtering at runtime to increase security of programs
apparmor | Enable support for the AppArmor application security system
btrfs | Support for BTRFS snapshot driver
device-mapper | Support for device mapper snapshot driver
hardened | Activate default security enhancements for toolchain (gcc, glibc, binutils)
selinux | !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
test | Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
USE flags for app-containers/cri-o (OCI-based implementation of Kubernetes Container Runtime Interface)
+device-mapper | Enables dependencies for the "devicemapper" graph driver, including necessary kernel flags.
btrfs | Enables dependencies for the "btrfs" graph driver, including necessary kernel flags.
selinux | !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
systemd | Enable use of systemd-specific libraries and features like socket activation or session tracking
Setup
With SystemD
This article demonstrates how to set up a Kubernetes cluster using kubeadm with app-containers/containerd on a systemd machine.
First ensure that containerd is installed and started. Make sure that the containerd socket exists; by default it is at /var/run/containerd/containerd.sock.
root # systemctl enable --now containerd
With OpenRC
To automatically start containerd with OpenRC, run:
root # rc-update add containerd default
Once containerd is running, initialize the control plane with kubeadm. The advertise address, control plane endpoint and pod network CIDR below are the example values used in this article; adjust them to the local network:
root # kubeadm init --apiserver-advertise-address=192.168.122.100 --control-plane-endpoint=k8s-adm.example.com --pod-network-cidr=10.169.0.0/16
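The following preflight script is an added example and is not part of this wiki page or of kubeadm itself. It checks, before the kubeadm init command above is run, that the CRI socket is really a Unix socket, that the advertise address and pod network CIDR are well formed, and that the pod CIDR does not contain the node's own address (overlapping pod and node networks is a common cause of broken cluster networking). The address, CIDR and socket path are the values used on this page; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki or kubeadm: preflight checks for
# `kubeadm init`. POSIX sh only; no external tools required.

# Convert a dotted-quad IPv4 address to an integer and print it.
# Returns 1 (prints nothing) on malformed input, including leading zeros.
ip4_to_int() {
    case $1 in *.|.*|*..*) return 1 ;; esac   # reject empty octets
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split on dots into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;;   # 1-3 digits, no leading zero
            *) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does CIDR $1 (e.g. 10.169.0.0/16) contain address $2?
# Returns 0 if it does, 1 if not, 2 if either argument is malformed.
cidr_contains() {
    cidr=$1; addr=$2
    net=${cidr%/*}; bits=${cidr#*/}
    [ "$net" != "$cidr" ] || return 2          # no "/" in the CIDR
    case $bits in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    n=$(ip4_to_int "$net") || return 2
    a=$(ip4_to_int "$addr") || return 2
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    fi
    [ $(( n & mask )) -eq $(( a & mask )) ]
}

# Is the CRI socket kubeadm will talk to present and actually a Unix socket?
cri_socket_ok() {
    [ -S "${1:-/var/run/containerd/containerd.sock}" ]
}

# Run every check. Returns 0 when all pass; otherwise prints each failure
# and returns 1. Arguments: advertise address, pod CIDR, CRI socket path.
preflight() {
    advertise=$1; pod_cidr=$2; socket=$3; rc=0
    ip4_to_int "$advertise" >/dev/null \
        || { echo "bad --apiserver-advertise-address: $advertise"; rc=1; }
    cidr_contains "$pod_cidr" "$advertise"
    case $? in
        0) echo "--pod-network-cidr $pod_cidr contains node address $advertise"; rc=1 ;;
        2) echo "bad --pod-network-cidr: $pod_cidr"; rc=1 ;;
    esac
    cri_socket_ok "$socket" || { echo "no CRI socket at $socket"; rc=1; }
    return $rc
}

# Usage: ./preflight.sh 192.168.122.100 10.169.0.0/16 [/var/run/containerd/containerd.sock]
if [ $# -ge 2 ]; then
    preflight "$1" "$2" "${3:-/var/run/containerd/containerd.sock}" && echo "preflight OK"
fi
```

Run it with the same address and CIDR that will be passed to kubeadm init; a non-zero exit means at least one check failed and the reason has been printed. The overlap test only covers the node address itself, since the node's own subnet mask is not known to the script.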
See also
- Docker — a container virtualization environment
- LXD — a next-generation system container manager.
- Podman — a daemonless container engine for developing, managing, and running OCI Containers on Linux.