dominik/k3s
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

canal

Browse Source
This commit is contained in:
Dominik Chilla 2022-04-17 21:51:23 +02:00
parent ae84283fd1
commit 08ec8d16f1
1 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
README.md
View File

@ -3,6 +3,7 @@
* [On premises/IaaS](#install-k3s-on-premises)
* [Configure upstream DNS-resolver](#upstream-dns-resolver)
* [Change NodePort range](#nodeport-range)
* [Install Canal as NetworkPolicy controller](#canal)
* [Clustering](#clustering)
* [On Docker with k3d](#install-k3s-on-docker-k3d)
* [Namespaces and resource limits](#namespaces-limits)
@ -87,6 +88,13 @@ ExecStart=/usr/local/bin/k3s \
2. Re-load systemd config: `systemctl daemon-reload`
3. Re-start k3s: `systemctl restart k3s.service`
### Install Canal as NetworkPolicy controller <a name="user-content-canal"></a>
1. Download the yaml manifest Canal: `wget https://docs.projectcalico.org/manifests/canal.yaml -O canal.yaml`
1. Find and enable (uncomment) the env variable `CALICO_IPV4POOL_CIDR`
1. Set the value of `CALICO_IPV4POOL_CIDR` to `10.42.0.0/16` (or your value of `--cluster-cidr` - k3s defaults to `10.42.0.0/16`)
1. Apply the manifest: `kubectl apply -f canal.yaml`
1. Wait a moment and then check if canal was installed successfully
### Clustering <a name="user-content-clustering"></a>
If you want to build a K3s-cluster the default networking model is *overlay@VXLAN*. In this case make sure that
* all of your nodes can reach (ping) each other over the underlying network (local, routed/vpn). This is required for the overlay network to work properly. VXLAN spans a mashed network over all K3s-nodes.
@ -101,6 +109,23 @@ ExecStart=/usr/local/bin/k3s \
agent \
--flannel-iface <name-of-vpn-interface> \
```
* if your public/external nodes are connected through VPN and you have configured [canal](https://github.com/projectcalico/canal) to manage NetworkPolicies you will need to edit node config and change the public IP-addresses (in this example: `1.2.3.4`) of your nodes to internal VPN-IPs (in this example: `172.16.1.2`). Otherwise canal will bypass VPN and route VXLAN traffic through public IP addresses:
```
kubectl edit node <external-node-01>
apiVersion: v1
kind: Node
metadata:
annotations:
alpha.kubernetes.io/provided-node-ip: 172.16.1.2
[...]
flannel.alpha.coreos.com/backend-data: '{"VtepMAC":"ce:09:ce:de:4d:36"}'
flannel.alpha.coreos.com/backend-type: vxlan
flannel.alpha.coreos.com/kube-subnet-manager: "true"
>> DEL >> flannel.alpha.coreos.com/public-ip: 1.2.3.4
>> ADD >> flannel.alpha.coreos.com/public-ip: 172.16.1.2
[...]
```
## On Docker with K3d <a name="user-content-install-k3s-on-docker-k3d"></a>
K3d is a terraforming orchestrator which deploys a K3s cluster (masters and nodes) directly on docker without the need for virtual machines for each node (master/worker).