@keithpl
Last active March 31, 2024 02:31
Kubernetes on Arch Linux with Cilium and CRI-O

Install the CRI-O container runtime, crun (a lightweight OCI runtime that will replace runc) and iptables-nft, the nftables-backed iptables that kubeadm's preflight checks and the kubelet still call into.

sudo pacman -S cri-o crun iptables-nft

Create /etc/crio/crio.conf.d/00-crun.conf to register crun and make it the default runtime instead of runc.

[crio.runtime]
default_runtime = "crun"

[crio.runtime.runtimes.crun]
runtime_path = "/usr/bin/crun"
runtime_type = "oci"
runtime_root = "/run/crun"

Create /etc/crio/crio.conf.d/10-plugin-dir.conf to tell CRI-O where to look for CNI plugins: the Arch cni-plugins package installs to /usr/lib/cni, while the Cilium agent copies its cilium-cni plugin into /opt/cni/bin on each node.

[crio.network]
plugin_dirs = [
  "/usr/lib/cni",
  "/opt/cni/bin"
]
Load the kernel modules CRI-O and kubeadm expect (overlay for CRI-O's overlay storage driver, br_netfilter so bridged traffic passes through the netfilter hooks), then enable and start CRI-O. modprobe only lasts until the next reboot; persist the modules in /etc/modules-load.d/ and the related sysctls (net.ipv4.ip_forward=1 at minimum) in /etc/sysctl.d/.

sudo modprobe overlay
sudo modprobe br_netfilter
sudo systemctl enable crio --now
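The two modprobe calls above do not survive a reboot, and kubeadm's preflight also checks that net.ipv4.ip_forward is enabled. The script below is an added example and not part of the gist: it writes the persistent module and sysctl drop-ins and then checks the live state so the result can gate kubeadm init. The prefix and root arguments, the file names k8s.conf and 99-kubernetes.conf, and the function names are this example's own choices, not anything CRI-O or kubeadm prescribe.

```sh
#!/bin/sh
# Added example, not part of the gist: persist the modules and sysctls that
# kubeadm's preflight checks expect, and verify them before `kubeadm init`.
# The PREFIX / SYSROOT / PROCROOT arguments are an assumption of this script
# only, so it can be exercised against a scratch directory; on a real host
# leave them empty / at their defaults.
set -eu

# Modules the procedure loads by hand: overlay (CRI-O storage driver) and
# br_netfilter (bridged traffic visible to iptables/nftables).
K8S_MODULES="overlay br_netfilter"

# Write PREFIX/etc/modules-load.d/k8s.conf and print its path.
write_modules_conf() {
  prefix="${1:-}"
  dir="$prefix/etc/modules-load.d"
  mkdir -p "$dir"
  printf '%s\n' $K8S_MODULES > "$dir/k8s.conf"
  echo "$dir/k8s.conf"
}

# Write PREFIX/etc/sysctl.d/99-kubernetes.conf and print its path.
# ip_forward is mandatory for kubeadm; the bridge-nf-call keys are the
# classic CNI requirement and only exist once br_netfilter is loaded.
write_sysctl_conf() {
  prefix="${1:-}"
  dir="$prefix/etc/sysctl.d"
  mkdir -p "$dir"
  cat > "$dir/99-kubernetes.conf" <<'EOF'
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
  echo "$dir/99-kubernetes.conf"
}

# True if module NAME is loaded or built in, judged by SYSROOT/module/NAME.
module_loaded() {
  [ -d "${2:-/sys}/module/$1" ]
}

# True if the dotted sysctl KEY reads as 1 under PROCROOT.
sysctl_is_one() {
  path="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
  [ -r "$path" ] && [ "$(cat "$path")" = "1" ]
}

# Check every item, print one verdict line each, and return non-zero if
# anything is missing so this can gate `kubeadm init` in a script.
preflight() {
  sysroot="${1:-/sys}"; procroot="${2:-/proc/sys}"; rc=0
  for m in $K8S_MODULES; do
    if module_loaded "$m" "$sysroot"; then echo "ok      module $m"
    else echo "MISSING module $m"; rc=1; fi
  done
  for k in net.ipv4.ip_forward net.bridge.bridge-nf-call-iptables; do
    if sysctl_is_one "$k" "$procroot"; then echo "ok      sysctl $k=1"
    else echo "MISSING sysctl $k=1"; rc=1; fi
  done
  return $rc
}

# Real-host usage, as root:
#   write_modules_conf && write_sysctl_conf
#   systemctl restart systemd-modules-load && sysctl --system
#   preflight || echo "fix the items above before kubeadm init"
```

The module check reads /sys/module rather than parsing lsmod so that built-in modules count as present; the sysctl check reads /proc/sys directly so it reflects the running kernel rather than the drop-in file you just wrote.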
Install kubeadm, kubelet, kubectl, Helm and the Cilium CLI, then enable the kubelet. Until kubeadm init has written its configuration the kubelet restarts in a loop; that is expected.

sudo pacman -S kubeadm kubelet kubectl helm cilium-cli

sudo systemctl enable kubelet --now
Initialise the control plane. --cri-socket points kubeadm at CRI-O, and --skip-phases=addon/kube-proxy leaves kube-proxy out because Cilium is installed below with kubeProxyReplacement=true and takes over Service load balancing itself.

sudo kubeadm init \
  --cri-socket='unix:///run/crio/crio.sock' \
  --skip-phases=addon/kube-proxy
Copy the admin kubeconfig for your user. admin.conf is a cluster-admin credential, so keep the copy at mode 0600 and never commit or share it.

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
export KUBECONFIG="$HOME/.kube/config"

On a single-node cluster, remove the control-plane taint so workloads can be scheduled on it (the trailing - removes the taint; skip this step if you have dedicated worker nodes):

kubectl taint nodes <node-name> \
  node-role.kubernetes.io/control-plane:NoSchedule-
Install Cilium with kube-proxy replacement and L2 announcements enabled (the Cilium CLI binary is named cilium). Because kube-proxy was skipped, the agents have to reach the API server directly; if cilium status shows them unable to connect, also pass --set k8sServiceHost=<control-plane IP> --set k8sServicePort=6443.

cilium install \
  --set l2announcements.enabled=true \
  --set kubeProxyReplacement=true
Create a CiliumL2AnnouncementPolicy for the LAN interface and a CiliumLoadBalancerIPPool that hands out LoadBalancer addresses. interfaces is a list of regular expressions, so ^enp4s0 anchors on the interface name, and the flags are written as explicit YAML booleans. The pool must lie inside the subnet of the announced interface, and its addresses must be unused on the LAN and outside the router's DHCP scope; otherwise Cilium answers ARP for addresses that collide with other hosts.

---
apiVersion: cilium.io/v2alpha1
kind: CiliumL2AnnouncementPolicy
metadata:
  name: l2-enp4s0
spec:
  interfaces:
    - ^enp4s0
  externalIPs: true
  loadBalancerIPs: true
---
apiVersion: cilium.io/v2alpha1
kind: CiliumLoadBalancerIPPool
metadata:
  name: lan-pool
spec:
  blocks:
    - start: 192.168.0.20
      stop: 192.168.0.49
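Because L2 announcements answer ARP for the pool addresses on enp4s0, a pool outside the interface's subnet is unreachable and a pool that overlaps the router's DHCP scope produces address conflicts. The script below is an added example that is not part of the gist: it checks a pool block against the LAN CIDR and DHCP range before the manifest is applied. The 192.168.0.0/24 LAN and the DHCP range 192.168.0.100-199 are constructed sample values, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the gist: sanity-check a CiliumLoadBalancerIPPool
# block against the LAN that the announcing interface sits on and the
# router's DHCP scope. The LAN CIDR and DHCP range used at the bottom are
# constructed sample values; substitute your own.
set -eu

# Dotted-quad IPv4 address -> unsigned integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# True if IP lies inside NETWORK/PREFIX, e.g. in_cidr 192.168.0.20 192.168.0.0/24
in_cidr() {
  ip=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  bits="${2#*/}"
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Validate pool START..STOP. Exit status: 0 usable, 1 outside the LAN,
# 2 overlaps the DHCP scope, 3 start is after stop, 4 includes the LAN's
# network or broadcast address.
check_pool() {
  start="$1"; stop="$2"; lan="$3"; dhcp_start="$4"; dhcp_stop="$5"
  s=$(ip2int "$start"); e=$(ip2int "$stop")
  ds=$(ip2int "$dhcp_start"); de=$(ip2int "$dhcp_stop")
  [ "$s" -le "$e" ] || return 3
  in_cidr "$start" "$lan" && in_cidr "$stop" "$lan" || return 1
  # network and broadcast addresses of the LAN
  bits="${lan#*/}"
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  netaddr=$(( $(ip2int "${lan%/*}") & mask ))
  bcast=$(( netaddr | (4294967295 & ~mask) ))
  [ "$s" -ne "$netaddr" ] && [ "$e" -ne "$bcast" ] || return 4
  # two ranges overlap unless one ends before the other starts
  [ "$e" -lt "$ds" ] || [ "$s" -gt "$de" ] || return 2
  return 0
}

# Human-readable verdict, e.g. for a pre-apply hook; exit status as above.
pool_verdict() {
  rc=0
  check_pool "$@" || rc=$?
  case $rc in
    0) echo "ok: $1-$2 is usable on $3" ;;
    1) echo "bad: $1-$2 is outside $3; Cilium would announce unreachable addresses" ;;
    2) echo "bad: $1-$2 overlaps the DHCP scope $4-$5; expect address conflicts" ;;
    3) echo "bad: start $1 is after stop $2" ;;
    4) echo "bad: pool includes the network or broadcast address of $3" ;;
  esac
  return $rc
}

# The gist's pool, checked against a constructed LAN and DHCP layout.
pool_verdict 192.168.0.20 192.168.0.49 192.168.0.0/24 192.168.0.100 192.168.0.199
```

Run it with your own LAN CIDR and the DHCP range from your router before applying lan-pool; a non-zero exit status means the pool needs to change, not the network.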
Install ingress-nginx; its LoadBalancer Service receives an address from lan-pool, which Cilium then announces on enp4s0:

helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --namespace ingress-nginx --create-namespace
Install cert-manager, pinning the CRDs and the chart to the same version:

helm repo add jetstack https://charts.jetstack.io --force-update
helm repo update

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.14.4
Create a ClusterIssuer for Let's Encrypt that uses the Cloudflare DNS-01 solver. The e-mail address is a placeholder. Before applying it, create a Secret named cloudflare-lol-token with the key api-token in the cert-manager namespace (a ClusterIssuer reads referenced Secrets from cert-manager's own namespace by default, not from the namespace of the Certificate). Scope the Cloudflare token to Zone:DNS:Edit and Zone:Zone:Read for the zones you issue for; the email field inside the cloudflare block is only needed with a Global API key and is omitted here. While testing, point server at https://acme-staging-v02.api.letsencrypt.org/directory to stay clear of the production rate limits.

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: "lol@lol.com"
    server: "https://acme-v02.api.letsencrypt.org/directory"
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-lol-token
              key: api-token