# Install CRI-O, the crun OCI runtime, and the nftables-backed iptables tools.
sudo pacman -S \
  cri-o \
  crun \
  iptables-nft
Create /etc/crio/crio.conf.d/00-crun.conf to set the default runtime to crun instead of runc.
# Make crun the runtime CRI-O uses when a pod does not request another handler.
[crio.runtime]
default_runtime = "crun"

# Definition of the "crun" handler named above.
[crio.runtime.runtimes.crun]
runtime_type = "oci"
runtime_path = "/usr/bin/crun"
runtime_root = "/run/crun"
Create /etc/crio/crio.conf.d/10-plugin-dir.conf to specify which paths CRI-O searches for CNI plugins.
# Directories CRI-O searches for CNI plugin binaries.
# NOTE(review): these binaries are run by the container runtime, so both
# directories should be writable by root only — confirm ownership and mode.
[crio.network]
plugin_dirs = ["/usr/lib/cni", "/opt/cni/bin"]
# Load the overlay-filesystem and bridge-netfilter modules into the running
# kernel. modprobe alone does not persist across reboots; NOTE(review):
# confirm the modules are listed under modules-load.d if nothing else
# loads them at boot.
sudo modprobe overlay
sudo modprobe br_netfilter

# Start CRI-O immediately and enable it for every subsequent boot.
sudo systemctl enable --now crio
# Install the Kubernetes node tooling plus the Helm and Cilium CLIs.
sudo pacman -S \
  kubeadm kubelet kubectl \
  helm cilium-cli

# Start the kubelet immediately and enable it for every subsequent boot.
sudo systemctl enable --now kubelet
# Bootstrap the control plane against the CRI-O socket. The kube-proxy addon
# phase is skipped, so service load-balancing has to come from the CNI
# (this page installs Cilium with kubeProxyReplacement=true).
sudo kubeadm init \
  --skip-phases=addon/kube-proxy \
  --cri-socket="unix:///run/crio/crio.sock"
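# Give the current user a private copy of the cluster-admin kubeconfig.
# admin.conf carries administrator credentials for the whole cluster, so the
# copy is forced to owner-only permissions (an already existing config file
# would otherwise keep whatever mode it had). All expansions are quoted so a
# home directory containing spaces does not split the arguments.
mkdir -p "$HOME/.kube"
# -i prompts before overwriting an existing kubeconfig.
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
chmod 600 "$HOME/.kube/config"
export KUBECONFIG="$HOME/.kube/config"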
# Replace <node-name> with the node's name (see `kubectl get nodes`) before
# running; typed literally, the shell parses < and > as redirections.
# The trailing "-" removes the control-plane NoSchedule taint, so ordinary
# workloads may then be scheduled on the control-plane node. That is usually
# only wanted on a single-node cluster; with separate workers, keeping the
# taint keeps application pods off the node that runs the control plane.
kubectl taint nodes <node-name> \
node-role.kubernetes.io/control-plane:NoSchedule-
# Install Cilium as the CNI, taking over kube-proxy's service handling and
# enabling L2 announcements of service IPs on the local network.
# No --version is passed, so the CLI picks its own default Cilium release.
cilium-cli install \
  --set kubeProxyReplacement=true \
  --set l2announcements.enabled=true
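# Announce service IPs on the LAN through the enp4s0 interface.
apiVersion: cilium.io/v2alpha1
kind: CiliumL2AnnouncementPolicy
metadata:
  name: l2-enp4s0
spec:
  # Entries are regular expressions; ^enp4s0 has no trailing $, so it also
  # matches any interface whose name merely starts with enp4s0.
  interfaces:
    - ^enp4s0
  # NOTE(review): no serviceSelector or nodeSelector is set, so the policy is
  # not narrowed to particular services or nodes — confirm that is intended.
  # externalIPs are chosen by whoever can create or edit a Service; announcing
  # them lets those users claim LAN addresses. Leave this off if unused.
  externalIPs: true
  loadBalancerIPs: true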
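# Address range Cilium may assign to LoadBalancer services.
# NOTE(review): keep this range out of the LAN's DHCP pool and away from
# statically addressed hosts, otherwise two devices can answer for one IP.
apiVersion: cilium.io/v2alpha1
kind: CiliumLoadBalancerIPPool
metadata:
  name: lan-pool
spec:
  blocks:
    - start: 192.168.0.20
      stop: 192.168.0.49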
# Install (or upgrade) the ingress-nginx controller in its own namespace.
# No --version is given, so the chart version is not fixed by this command;
# NOTE(review): pin a chart version for reproducible installs.
helm upgrade ingress-nginx ingress-nginx \
  --install \
  --create-namespace --namespace ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx
# Register the Jetstack chart repository (replacing any existing entry of
# that name) and refresh the local chart index.
helm repo add --force-update jetstack https://charts.jetstack.io
helm repo update
# Install the cert-manager CRDs from the v1.14.4 release assets; keep this
# version equal to the chart --version used for the Helm release.
# The manifest is fetched and applied in one step; NOTE(review): download and
# read it first if you want to review what it creates cluster-wide.
kubectl apply \
  --filename https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml
# Install the cert-manager chart into its own namespace, pinned to v1.14.4
# so it matches the separately applied v1.14.4 CRD manifest.
helm install cert-manager jetstack/cert-manager \
  --version v1.14.4 \
  --create-namespace \
  --namespace cert-manager
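---
# Cluster-wide ACME issuer using the Let's Encrypt production endpoint and a
# Cloudflare DNS-01 solver.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Looks like a placeholder — replace with a real contact address for the
    # ACME account.
    email: "lol@lol.com"
    server: "https://acme-v02.api.letsencrypt.org/directory"
    # Secret in which cert-manager stores the ACME account private key.
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - dns01:
          cloudflare:
            email: "lol@lol.com"
            # The referenced Secret is not created anywhere on this page. For a
            # ClusterIssuer it is looked up in cert-manager's cluster resource
            # namespace (cert-manager by default). Use an API token scoped to
            # DNS edits on the needed zone(s) rather than a global API key.
            apiTokenSecretRef:
              name: cloudflare-lol-token
              key: api-token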