One place for hosting & domains


      Add CAA Records in the Linode Cloud Manager

      Updated by Linode

      Written by Linode

      Certification Authority Authorization (CAA) is a type of DNS record that allows the owner of a domain to specify which certificate authority (or authorities) are allowed to issue SSL/TLS certificates for their domain(s). This quick answer shows you how to set up CAA records on your Linode.

      Add a Single CAA Record

      1. Log in to the Linode Cloud Manager

      2. Select the Domains link in the sidebar.

      3. Select the domain you want to add the record to, or add a domain if you don’t already have one listed.

      4. Under the CAA Record section, select Add a CAA record. A form with the following fields will appear:

        Name: The subdomain you want the CAA record to cover. To apply it to your entire website (for example:, leave this field blank. To limit the record’s application to a subdomain on your site, (for example:, enter the subdomain’s name into the form field (for example: subdomain).


        • issue – Authorize the certificate authority entered in the Value field further below to issue TLS certificates for your site.

        • issuewild – Same as above, with the exception that you were issued a wildcard certificate.

        • iodef – URL where your CA can report security policy violations to you concerning certificate issue requests.

        Value: If the issue or issuewild tag was selected above, then the Value field takes the domain of your certificate issuer (for example: If the iodef tag was selected, the Value field takes a contact or submission URL (http or mailto).

        TTL (Time to Live): Time in seconds that your new CAA record will be cached by Linode’s name servers before being refreshed. The Default selection’s TTL is 300 seconds, which is fine for most cases. You can use the dig command to view the remaining time your DNS records will be cached until refreshed. Replace with your site’s domain or subdomain in the command below:

        root@debian:~# dig +nocmd +noall +answer     167 IN  A
      5. Click the Save button when finished. The CAA record should be fully propagated within the TTL duration.

      Add Multiple CAA Records

      Multiple CAA records must be added individually. If your site was issued a TLS certificate by Let’s Encrypt, but your subdomain uses a Symantec certificate, you would need two different CAA records. A reporting URL for the iodef tag would also need its own record. Those three would look something like this:

      Multiple CAA records

      More Information

      You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

      Find answers, ask questions, and help others.

      This guide is published under a CC BY-ND 4.0 license.

      Source link

      How to Deploy Kubernetes on Linode with the k8s-alpha CLI

      Updated by Linode

      Written by Linode

      Deploy Kubernetes on Linode with the k8s-alpha CLI


      This guide’s example instructions will create several billable resources on your Linode account. If you do not want to keep using the example cluster that you create, be sure to delete it when you have finished the guide.

      If you remove the resources afterward, you will only be billed for the hour(s) that the resources were present on your account. Consult the Billing and Payments guide for detailed information about how hourly billing works and for a table of plan pricing.

      What is the k8s-alpha CLI?

      The Linode k8s-alpha CLI is a plugin for the Linode CLI that offers quick, single-command deployments of Kubernetes clusters on your Linode account. When you have it installed, creating a cluster can be as simple as:

      linode-cli k8s-alpha create example-cluster

      The clusters that it creates are pre-configured with useful Linode integrations, like our CCM, CSI, and ExternalDNS plugins. As well, the Kubernetes metrics-server is pre-installed, so you can run kubectl top. Nodes in your clusters will also be labeled with the Linode Region and Linode Type, which can also be used by Kubernetes controllers for the purposes of scheduling pods.

      What are Linode’s CCM, CSI, and ExternalDNS plugins?

      The CCM (Cloud Controller Manager), CSI (Container Storage Interface), and ExternalDNS plugins are Kubernetes addons published by Linode. You can use them to create NodeBalancers, Block Storage Volumes, and DNS records through your Kubernetes manifests.

      The k8s-alpha CLI will create two kinds of nodes on your account:

      • Master nodes will run the components of your Kubernetes control plane, and will also run etcd.

      • Worker nodes will run your workloads.

      These nodes will all exist as billable services on your account. You can specify how many master and worker nodes are created and also your nodes’ Linode plan and the data center they are located in.

      Alternatives for Creating Clusters

      Another easy way to create clusters is with Rancher. Rancher is a web application that provides a GUI interface for cluster creation and for management of clusters. Rancher also provides easy interfaces for deploying and scaling apps on your clusters, and it has a built-in catalog of curated apps to choose from.

      To get started with Rancher, review our How to Deploy Kubernetes on Linode with Rancher 2.2 guide. Rancher is capable of importing clusters that were created outside of it, so you can still use it even if you create your clusters through the k8s-alpha CLI or some other means.

      Beginners Resources

      If you haven’t used Kubernetes before, we recommend reading through our introductory guides on the subject:

      Before You Begin

      1. You will need to have a personal access token for Linode’s API. If you don’t have one already, follow the Get an Access Token section of our API guide and create a token with read/write permissions.

      2. If you do not already have a public-private SSH key pair, you will need to generate one. Follow the Generate a Key Pair section of our Public Key Authentication guide for instructions.


        If you’re unfamiliar with the concept of public-private key pairs, the introduction to our Public Key Authentication guide explains what they are.

      Install the k8s-alpha CLI

      The k8s-alpha CLI is bundled with the Linode CLI, and using it requires the installation and configuration of a few dependencies:

      • Terraform: The k8s-alpha CLI creates clusters by defining a resource plan in Terraform and then having Terraform create those resources. If you’re interested in how Terraform works, you can review our Beginner’s Guide to Terraform, but doing so is not required to use the k8s-alpha CLI.


      • kubectl: kubectl is the client software for Kubernetes, and it is used to interact with your Kubernetes cluster’s API.

      • SSH agent: Terraform will rely on public-key authentication to connect to the Linodes that it creates, and you will need to configure your SSH agent on your computer with the keys that Terraform should use.

      Install the Linode CLI

      Follow the Install the CLI section of our CLI guide to install the Linode CLI. If you already have the CLI, upgrade it to the latest version available:

      pip install --upgrade linode-cli

      Install Terraform

      Follow the instructions in the Install Terraform section of our Use Terraform to Provision Linode Environments guide.

      Install kubectl


      Install via Homebrew:

      brew install kubernetes-cli

      If you don’t have Homebrew installed, visit the Homebrew home page for instructions. Alternatively, you can manually install the binary; visit the Kubernetes documentation for instructions.


      1. Download the latest Kubernetes release:

        curl -LO$(curl -s
      2. Make the downloaded file executable:

        chmod +x ./kubectl
      3. Move the command into your PATH:

        sudo mv ./kubectl /usr/local/bin/kubectl



      Visit the Kubernetes documentation for a link to the most recent Windows release.

      Configure your SSH Agent

      Your SSH key pair is stored in your home directory (or another location), but the k8s-alpha CLI’s Terraform implementation will not be able to reference your keys without first communicating your keys to Terraform. To communicate your keys to Terraform, you’ll first start the ssh-agent process. ssh-agent will cache your private keys for other processes, including keys that are passphrase-protected.

      Linux: Run the following command; if you stored your private key in another location, update the path that’s passed to ssh-add accordingly:

      eval $(ssh-agent) && ssh-add ~/.ssh/id_rsa


      You will need to run all of your k8s-alpha CLI commands from the terminal that you start the ssh-agent process in. If you start a new terminal, you will need to run the commands in this step again before using the k8s-alpha CLI.

      macOS: macOS has an ssh-agent process that persists across all of your terminal sessions, and it can store your private key passphrases in the operating system’s Keychain Access service.

      1. Update your ~/.ssh/config SSH configuration file. This configuration will add keys to the persistent agent and store passphrases in the OS keychain:

        Host *
          AddKeysToAgent yes
          UseKeychain yes
          IdentityFile ~/.ssh/id_rsa


      Although kubectl should be used in all cases possible to interact with nodes in your cluster, the key pair cached in the ssh-agent process will enable you to access individual nodes via SSH as the core user.

      1. Add your key to the ssh-agent process:

        ssh-add -K ~/.ssh/id_rsa

      Create a Cluster

      1. To create your first cluster, run:

        linode-cli k8s-alpha create example-cluster
      2. Your terminal will show output related to the Terraform plan for your cluster. The output will halt with the following messages and prompt:

        Plan: 5 to add, 0 to change, 0 to destroy.
        Do you want to perform these actions in workspace "example-cluster"?
          Terraform will perform the actions described above.
          Only 'yes' will be accepted to approve.
          Enter a value:


        Your Terraform configurations will be stored under ~/.k8s-alpha-linode/

      3. Enter yes at the Enter a value: prompt. The Terraform plan will be applied over the next few minutes.


        You may see an error like the following:

        Error creating a Linode Instance: [400] Account Limit reached. Please open a support ticket.

        If this appears, then you have run into a limit on the number of resources allowed on your Linode account. If this is the case, or if your nodes do not appear in the Linode Cloud Manager as expected, contact Linode Support. This limit also applies to Block Storage Volumes and NodeBalancers, which some of your cluster app deployments may try to create.

      4. When the operation finishes, you will see options like the following:

        Apply complete! Resources: 5 added, 0 changed, 0 destroyed.
        Switched to context "example-cluster-4-kacDTg9RmZK@example-cluster-4".
        Your cluster has been created and your kubectl context updated.
        Try the following command:
        kubectl get pods --all-namespaces
        Come hang out with us in #linode on the Kubernetes Slack!
      5. If you visit the Linode Cloud Manager, you will see your newly created cluster nodes on the Linodes page. By default, your Linodes will be created under the region and Linode plan that you have set as the default for your Linode CLI. To set new defaults for your Linode CLI, run:

        linode-cli configure

        The k8s-alpha CLI will conform to your CLI defaults, with the following exceptions:

        • If you set a default plan size smaller than Linode 4GB, the k8s-alpha CLI will create your master node(s) on the Linode 4GB plan, which is the minimum recommended for master nodes. It will still create your worker nodes using your default plan.

        • The k8s-alpha CLI will always create nodes running CoreOS (instead of the default distribution that you set).

      6. The k8s-alpha CLI will also update your kubectl client’s configuration (the kubeconfig file) to allow immediate access to the cluster. Review the Manage your Clusters with kubectl section for further instructions.

      Cluster Creation Options

      The following optional arguments are available:

      linode-cli k8s-alpha create example-cluster-2 --node-type g6-standard-1 --nodes 6 --master-type g6-standard-4 --region us-east --ssh-public-key $HOME/.ssh/
      Argument                                           Description
      --node-type TYPE The Linode Type ID for cluster worker nodes (which you can retrieve by running linode-cli linodes types).
      --nodes COUNT The number of Linodes to deploy as Nodes in the cluster (default 3).
      --master-type TYPE The Linode Type ID for cluster master nodes (which you can retrieve by running linode-cli linodes types).
      --region REGION The Linode Region ID in which to deploy the cluster (which you can retrieve by running linode-cli regions list).
      --ssh-public-key KEYPATH The path to your public key file which will be used to access Nodes during initial provisioning only! The keypair must be added to an ssh-agent (default $HOME/.ssh/

      Delete a Cluster

      1. To delete a cluster, run the delete command with the name of your cluster:

        linode-cli k8s-alpha delete example-cluster
      2. Your terminal will show output from Terraform that describes the deletion operation. The output will halt with the following messages and prompt:

        Plan: 0 to add, 0 to change, 5 to destroy.
        Do you really want to destroy all resources in workspace "example-cluster"?
          Terraform will destroy all your managed infrastructure, as shown above.
          There is no undo. Only 'yes' will be accepted to confirm.
          Enter a value:
      3. Enter yes at the Enter a value: prompt. The nodes in your cluster will be deleted over the next few minutes.

      4. You should also login to the Linode Cloud Manager and confirm that any Volumes and NodeBalancers created by any of your cluster app deployments.

      5. Deleting the cluster will not remove the kubectl client configuration that the CLI inserted into your kubeconfig file. Review the Remove a Cluster’s Context section if you’d like to remove this information.

      Manage your Clusters with kubectl

      The k8s-alpha CLI will automatically configure your kubectl client to connect to your cluster. Specifically, this connection information is stored in your kubeconfig file. The path for this file is normally ~/.kube/config.

      Use the kubectl client to interact with your cluster’s Kubernetes API. This will work in the same way as with any other cluster. For example, you can get all the pods in your cluster:

      kubectl get pods --all-namespaces

      Review the Kubernetes documentation for more information about how to use kubectl.

      Switch between Cluster Contexts

      If you have more than one cluster set up, you can switch your kubectl client between them. To list all of your cluster contexts:

      kubectl config get-contexts

      An asterisk will appear before the current context:

      CURRENT   NAME                                                      CLUSTER                 AUTHINFO                            NAMESPACE
      *         example-cluster-kat7BqBBgU8@example-cluster               example-cluster         example-cluster-kat7BqBBgU8
                example-cluster-2-kacDTg9RmZK@example-cluster-2           example-cluster-2       example-cluster-2-kacDTg9RmZK

      To switch to another context, use the use-context subcommand and pass the value under the NAME column:

      kubectl config use-context example-cluster-2-kacDTg9RmZK@example-cluster-2

      All kubectl commands that you issue will now apply to the cluster you chose.

      Remove a Cluster’s Context

      When you delete a cluster with the k8s-alpha CLI, its connection information will persist in your local kubeconfig file, and it will still appear when you run kubectl config get-contexts. To remove this connection data, run the following commands:

      kubectl config delete-cluster example-cluster
      kubectl config delete-context example-cluster-kat7BqBBgU8@example-cluster
      kubectl config unset users.example-cluster-kat7BqBBgU8
      • For the delete-cluster subcommand, supply the value that appears under the CLUSTER column in the output from get-contexts.

      • For the delete-context subcommand, supply the value that appears under the NAME column in the output from get-contexts.

      • For the unset subcommand, supply users.<AUTHINFO>, where <AUTHINFO> is the value that appears under the AUTHINFO column in the output from get-contexts.

      Next Steps

      Now that you have a cluster up and running, you’re ready to start deploying apps to it. Review our other Kubernetes guides for help with deploying software and managing your cluster:

      More Information

      You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

      Find answers, ask questions, and help others.

      This guide is published under a CC BY-ND 4.0 license.

      Source link

      Getting Started with Kubernetes: Use kubeadm to Deploy a Cluster on Linode

      Updated by Linode

      Contributed by


      Linode offers several pathways for users to easily deploy a Kubernetes cluster. If you prefer the command line, you can create a Kubernetes cluster with one command using the Linode CLI’s k8s-alpha plugin, and Terraform. Or, if you prefer a full featured GUI, Linode’s Rancher integration enables you to deploy and manage Kubernetes clusters with a simple web interface. The Linode Kubernetes Engine, currently under development with an early access beta version on its way this summer, allows you to spin up a Kubernetes cluster with Linode handling the management and maintenance of your control plane. These are all great options for production ready deployments.

      Kubeadm is a cloud provider agnostic tool that automates many of the tasks required to get a cluster up and running. Users of kubeadm can run a few simple commands on individual servers to turn them into a Kubernetes cluster consisting of a master node and worker nodes. This guide will walk you through installing kubeadm and using it to deploy a Kubernetes cluster on Linode. While the kubeadm approach requires more manual steps than other Kubernetes cluster creation pathways offered by Linode, this solution will be covered as way to dive deeper into the various components that make up a Kubernetes cluster and the ways in which they interact with each other to provide a scalable and reliable container orchestration mechanism.


      This guide’s example instructions will result in the creation of three billable Linodes. Information on how to tear down the Linodes are provided at the end of the guide. Interacting with the Linodes via the command line will provide the most opportunity for learning, however, this guide is written so that users can also benefit by reading along.

      Before You Begin

      1. Deploy three Linodes running Ubuntu 18.04 with the following system requirements:

        • One Linode to use as the master Node with 4GB RAM and 2 CPU cores.
        • Two Linodes to use as the Worker Nodes each with 1GB RAM and 1 CPU core.
      2. Follow the Getting Started and the Securing Your Server guides for instructions on setting up your Linodes. The steps in this guide assume the use of a limited user account with sudo privileges.


      When following the Getting Started guide, make sure that each Linode is using a different hostname. Not following this guideline will leave you unable to join some or all nodes to the cluster in a later step.
      1. Disable swap memory on your Linodes. Kubernetes requires that you disable swap memory on any cluster nodes to prevent the Kubernetes scheduler (kube-scheduler) from ever sending a pod to a node that has run out of CPU/memory or reached its designated CPU/memory limit.

        sudo swapoff -a

        Verify that your swap has been disabled. You should expect to see a value of 0 returned.

        cat /proc/meminfo | grep 'SwapTotal'

        To learn more about managing compute resources for containers, see the official Kubernetes documentation.

      2. Read the Beginners Guide to Kubernetes to familiarize yourself with the major components and concepts of Kubernetes. The current guide assumes a working knowledge of common Kubernetes concepts and terminology.

      Build a Kubernetes Cluster

      Kubernetes Cluster Architecture

      A Kubernetes cluster consists of a master node and worker nodes. The master node hosts the control plane, which is the combination of all the components that provide it the ability to maintain the desired cluster state. This cluster state is defined by manifest files and the kubectl tool. While the control plane components can be run on any cluster node, it is a best practice to isolate the control plane on its own node and to run any application containers on a separate worker node. A cluster can have a single worker node or up to 5000. Each worker node must be able to maintain running containers in a pod and be able to communicate with the master node’s control plane.

      The table below provides a list of the Kubernetes tooling you will need to install on your master and worker nodes in order to meet the minimum requirements for a functioning Kubernetes cluster as described above.

      Tool Description Master Node Worker Nodes
      kubeadm This tool provides a simple way to create a Kubernetes cluster by automating the tasks required to get a cluster up and running. New Kubernetes users with access to a cloud hosting provider, like Linode, can use kubeadm to build out a playground cluster. kubeadm is also used as a foundation to create more mature Kubernetes deployment tooling. x x
      Container Runtime A container runtime is responsible for running the containers that make up a cluster’s pods. This guide will use Docker as the container runtime. x x
      kubelet kubelet ensures that all pod containers running on a node are healthy and meet the specifications for a pod’s desired behavior. x x
      kubectl A command line tool used to manage a Kubernetes cluster. x x
      Control Plane Series of services that form Kubernetes master structure that allow it to control the cluster. Kubeadm allows the control plane services to run as containers on the master node. The control plane will be created when you initialize kubeadm later in this guide. x

      Install the Container Runtime: Docker

      Docker is the software responsible for running the pod containers on each node. You can use other container runtime software with Kubernetes, such as Containerd and CRI-O. You will need to install Docker on all three Linodes.

      These steps install Docker Community Edition (CE) using the official Ubuntu repositories. To install on another distribution, see the official installation page.

      1. Remove any older installations of Docker that may be on your system:

        sudo apt remove docker docker-engine
      2. Make sure you have the necessary packages to allow the use of Docker’s repository:

        sudo apt install apt-transport-https ca-certificates curl software-properties-common
      3. Add Docker’s GPG key:

        curl -fsSL | sudo apt-key add -
      4. Verify the fingerprint of the GPG key:

        sudo apt-key fingerprint 0EBFCD88

        You should see output similar to the following:

        pub   4096R/0EBFCD88 2017-02-22
                Key fingerprint = 9DC8 5822 9FC7 DD38 854A  E2D8 8D81 803C 0EBF CD88
        uid                  Docker Release (CE deb) 
        sub   4096R/F273FCD8 2017-02-22
      5. Add the stable Docker repository:

        sudo add-apt-repository "deb [arch=amd64] $(lsb_release -cs) stable"
      6. Update your package index and install Docker CE:

        sudo apt update
        sudo apt install docker-ce
      7. Add your limited Linux user account to the docker group. Replace $USER with your username:

        sudo usermod -aG docker $USER


        After entering the usermod command, you will need to close your SSH session and open a new one for this change to take effect.

      8. Check that the installation was successful by running the built-in “Hello World” program:

        sudo docker run hello-world
      9. Setup the Docker daemon to use systemd as the cgroup driver, instead of the default cgroupfs. This is a recommended step so that Kubelet and Docker are both using the same cgroup manager. This will make it easier for Kubernetes to know which resources are available on your cluster’s nodes.

        sudo bash -c 'cat > /etc/docker/daemon.json <<EOF
          "exec-opts": ["native.cgroupdriver=systemd"],
          "log-driver": "json-file",
          "log-opts": {
            "max-size": "100m"
          "storage-driver": "overlay2"
      10. Create a systemd directory for Docker:

        sudo mkdir -p /etc/systemd/system/docker.service.d
      11. Restart Docker:

        sudo systemctl daemon-reload
        sudo systemctl restart docker

      Install kubeadm, kubelet, and kubectl

      Complete the steps outlined in this section on all three Linodes.

      1. Update the system and install the required dependencies for installation:

        sudo apt-get update && sudo apt-get install -y apt-transport-https curl
      2. Add the required GPG key to your apt-sources keyring to authenticate the Kubernetes related packages you will install:

        curl -s | sudo apt-key add -
      3. Add Kubernetes to the package manager’s list of sources:

        sudo bash -c "cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
        deb kubernetes-xenial main
      4. Update apt, install Kubeadm, Kubelet, and Kubectl, and hold the installed packages at their installed versions:

        sudo apt-get update
        sudo apt-get install -y kubelet kubeadm kubectl
        sudo apt-mark hold kubelet kubeadm kubectl
      5. Verify that kubeadm, kubelet, and kubectl have installed by retrieving their version information. Each command should return version information about each package.

        kubeadm version
        kubelet --version
        kubectl version

      Set up the Kubernetes Control Plane

      After installing the Kubernetes related tooling on all your Linodes, you are ready to set up the Kubernetes control plane on the master node. The control plane is responsible for allocating resources to your cluster, maintaining the health of your cluster, and ensuring that it meets the minimum requirements you designate for the cluster.

      The primary components of the control plane are the kube-apiserver, kube-controller-manager, kube-scheduler, and etcd. kubeadm provides a way to easily initialize the Kubernetes master node with all the necessary control plane components. For more information on each of control plane component see the Beginner’s Guide to Kubernetes.

      In addition to the baseline control plane components, there are several addons, that can be installed on the master node to access additional cluster features. You will need to install a networking and network policy provider add on that will implement Kubernetes’ network model on the cluster’s pod network.

      This guide will use Calico as the pod network add on. Calico is a secure and open source L3 networking and network policy provider for containers. There are several other network and network policy providers to choose from. To view a full list of providers, refer to the official Kubernetes documentation.


      kubeadm only supports Container Network Interface (CNI) based networks. CNI consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers

      1. Initialize kubeadm on the master node. This command will run checks against the node to ensure it contains all required Kubernetes dependencies, if the checks pass, it will then install the control plane components.

        When issuing this command, it is necessary to set the pod network range that Calico will use to allow your pods to communicate with each other. It is recommended to use the private IP address space,


        The pod network IP range should not overlap with the service IP network range. The default service IP address range is You can provide an alternative service ip address range using the --service-cidr= option when initializing kubeadm. Replace with the desired service IP range.

        For a full list of available kubeadm initialization options, see the official Kubernetes documentation.

        sudo kubeadm init --pod-network-cidr=

        You should see a similar output:

        Your Kubernetes control-plane has initialized successfully!
        To start using your cluster, you need to run the following as a regular user:
          mkdir -p $HOME/.kube
          sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
          sudo chown $(id -u):$(id -g) $HOME/.kube/config
        You should now deploy a pod network to the cluster.
        Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:

        Then you can join any number of worker nodes by running the following on each as root:
        kubeadm join --token udb8fn.nih6n1f1aijmbnx5 
            --discovery-token-ca-cert-hash sha256:b7c01e83d63808a4a14d2813d28c127d3a1c4e1b6fc6ba605fe4d2789d654f26

        The kubeadm join command will be used in the Join a Worker Node to the Cluster section of this guide to bootstrap the worker nodes to the Kubernetes cluster. This command should be kept handy for later use. Below is a description of the required options you will need to pass in with the kubeadm join command:

        • The master node’s IP address and the Kubernetes API server’s port number. In the example output, this is The Kubernetes API server’s port number is 6443 by default on all Kubernetes installations.
        • A bootstrap token. The bootstrap token has a 24-hour TTL (time to live). A new bootstrap token can be generated if your current token expires.
        • A CA key hash. This is used to verify the authenticity of the data retrieved from the Kubernetes API server during the bootstrap process.
      2. Copy the admin.conf configuration file to your limited user account. This file allows you to communicate with your cluster via kubectl and provides superuser privileges over the cluster. It contains a description of the cluster, users, and contexts. Copying the admin.conf to your limited user account will provide you with administrative privileges over your cluster.

        mkdir -p $HOME/.kube
        sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
        sudo chown $(id -u):$(id -g) $HOME/.kube/config
      3. Install the necessary Calico manifests to your master node and apply them using kubectl. The first file, rbac-kdd.yaml, works with Kubernetes’ role-based access control (RBAC) to provide Calico components access to necessary parts of the Kubernetes API. The second file, calico.yaml, configures a self-hosted Calico installation that uses the Kubernetes API directly as the datastore (instead of etcd).

        kubectl apply -f
        kubectl apply -f

      Inspect the Master Node with Kubectl

      After completing the previous section, your Kubernetes master node is ready with all the necessary components to manage a cluster. To gain a better understanding of all the parts that make up the master’s control plane, this section will walk you through inspecting your master node. If you have not yet reviewed the Beginner’s Guide to Kubernetes, it will be helpful to do so prior to continuing with this section as it relies on the understanding of basic Kubernetes concepts.

      1. View the current state of all nodes in your cluster. At this stage, the only node you should expect to see is the master node, since worker nodes have yet to be bootstrapped. A STATUS of Ready indicates that the master node contains all necessary components, including the pod network add-on, to start managing clusters.

        kubectl get nodes

        Your output should resemble the following:

        NAME        STATUS     ROLES     AGE   VERSION
        kube-master   Ready     master      1h    v1.14.1
      2. Inspect the available namespaces in your cluster.

        kubectl get namespaces

        Your output should resemble the following:

        NAME              STATUS   AGE
        default           Active   23h
        kube-node-lease   Active   23h
        kube-public       Active   23h
        kube-system       Active   23h

        Below is an overview of each namespace installed by default on the master node by kubeadm:

        • default: The default namespace contains objects with no other assigned namespace. By default, a Kubernetes cluster will instantiate a default namespace when provisioning the cluster to hold the default set of Pods, Services, and Deployments used by the cluster.
        • kube-system: The namespace for objects created by the Kubernetes system. This includes all resources used by the master node.
        • kube-public: This namespace is created automatically and is readable by all users. It contains information, like certificate authority data (CA), that helps kubeadm join and authenticate worker nodes.
        • kube-node-lease: The kube-node-lease namespace contains lease objects that are used by kubelet to determine node health. kubelet creates and periodically renews a Lease on a node. The node lifecycle controller treats this lease as a health signal. kube-node-lease was released to beta in Kubernetes 1.14.
      3. View all resources available in the kube-system namespace. The kube-system namespace contains the widest range of resources, since it houses all control plane resources. Replace kube-system with another namespace to view its corresponding resources.

        kubectl get all -n kube-system

      Join a Worker Node to the Cluster

      Now that your Kubernetes master node is set up, you can join worker nodes to your cluster. In order for a worker node to join a cluster, it must trust the cluster’s control plane, and the control plane must trust the worker node. This trust is managed via a shared bootstrap token and a certificate authority (CA) key hash. kubeadm handles the exchange between the control plane and the worker node. At a high-level the worker node bootstrap process is the following:

      1. kubeadm retrieves information about the cluster from the Kubernetes API server. The bootstrap token and CA key hash are used to ensure the information originates from a trusted source.

      2. kubelet can take over and begin the bootstrap process, since it has the necessary cluster information retrieved in the previous step. The bootstrap token is used to gain access to the Kubernetes API server and submit a certificate signing request (CSR), which is then signed by the control plane.

      3. The worker node’s kubelet is now able to connect to the Kubernetes API server using the node’s established identity.

      Before continuing, you will need to make sure that you know your Kubernetes API server’s IP address, that you have a bootstrap token, and a CA key hash. This information was provided when kubeadm was initialized on the master node in the Set up the Kubernetes Control Plane section of this guide. If you no longer have this information, you can regenerate the necessary information from the master node.

      Regenerate a Bootstrap Token

      These commands should be issued from your master node.

      1. Generate a new bootstrap token and display the kubeadm join command with the necessary options to join a worker node to the master node’s control plane:

        kubeadm token create --print-join-command

      Follow the steps below on each node you would like to bootstrap to the cluster as a worker node.

      1. SSH into the Linode that will be used as a worker node in the Kubernetes cluster.

        ssh username@
      2. Join the node to your cluster using kubeadm. Ensure you replace with the IP address for your master node along with its Kubernetes API server’s port number, udb8fn.nih6n1f1aijmbnx5 with your bootstrap token, and sha256:b7c01e83d63808a4a14d2813d28c127d3a1c4e1b6fc6ba605fe4d2789d654f26 with your CA key hash. The bootstrap process will take a few moments.

        sudo kubeadm join --token udb8fn.nih6n1f1aijmbnx5 
        --discovery-token-ca-cert-hash sha256:b7c01e83d63808a4a14d2813d28c127d3a1c4e1b6fc6ba605fe4d2789d654f26

        When the bootstrap process has completed, you should see a similar output:

          This node has joined the cluster:
        * Certificate signing request was sent to apiserver and a response was received.
        * The Kubelet was informed of the new secure connection details.
        Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
      3. Repeat the steps outlined above on the second worker node to bootstrap it to the cluster.

      4. SSH into the master node and verify the worker nodes have joined the cluster:

         kubectl get nodes

        You should see a similar output.

        NAME          STATUS   ROLES    AGE     VERSION
        kube-master   Ready    master   1d22h   v1.14.1
        kube-node-1   Ready       1d22h   v1.14.1
        kube-node-2   Ready       1d22h   v1.14.1

      Next Steps

      Now that you have a Kubernetes cluster up and running, you can begin experimenting with the various ways to configure pods, group resources, and deploy services that are exposed to the public internet. To help you get started with this, move on to follow along with the Deploy a Static Site on Linode using Kubernetes guide.

      Tear Down Your Cluster

      If you are done experimenting with your Kubernetes Cluster, be sure to remove the Linodes you have running in order to avoid being further billed for them. See the Removing Services section of the Billing and Payments guide.

      More Information

      You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

      Find answers, ask questions, and help others.

      This guide is published under a CC BY-ND 4.0 license.

      Source link