Improve k3s navigation / move content around (#1985)

* Move airgap from advanced to install

- move Air-Gap section in Advanced Options to Install Options
-- small tweak to the air-gap content but looks like it may need more tweaks later
- update Installation Options _index.md so that it now lists "Air-Gap Installation" as an option with hyperlink

* Move airgap part 2 (actually del airgap from advanced)

Whoopsie. I forgot to remove the Air-Gap section from advanced in my last commit.
This simply deletes the Air-Gap section that used to be in the advanced page since we have moved the content to the installation/airgap section.

* Move ha backend options from configuration to install
- move storage backend options from the Configuration Info page to the Install Options (HA) page
-- small tweaks to content, very minor

* Move Uninstallation notes from advanced to install
- move note about Uninstallation from the Advanced Options page to Install Options main page
-- small tweaks to fix content and wording, very minor

* Fix and move upgrades content to main Install Options section
- In a previous commit, "Upgrades" section under the advanced section was mistakenly moved to the new airgap page
  This fixes that and moves this content to the main install options section.
-- Some content tweaks to make the wording better and fix things up.

* Move networking info from Configuration Info to new Networking section

- Move networking info from configuration to networking (new section)

* Move networking port info from configuration to networking
- Move some networking/security port info from the configuration page to the new networking page.
Note: This info is also intentionally already duplicated on the Node Registration page as it has important info on ports that need to be open and accessible.

* REMOVE "Building from Source" section completely
- Remove the Building from Source section
- Add FAQ Q&A about this and link to the k3s README.md where this info will go
Note: This was done after some discussion a while back. The Building from Source section is important, but not for the majority of users as release binaries / curl script should be utilized to install k3s.
A separate PR will add this content into the main k3s README.md file which the FAQ question that was added references.

* Fixes for comments, tweak ha install heading names
- Resolves comments asking to change headings in 2 areas of ha install
- Removes ambiguity in these areas
David Nuzik
2019-11-11 10:31:56 -07:00
committed by Denise
parent 373eae6e90
commit 83f3ecd221
8 changed files with 217 additions and 248 deletions
@@ -104,70 +104,6 @@ To run the agent only in Docker, use `docker-compose up node`. Alternatively the
-e K3S_TOKEN=${NODE_TOKEN} \
--privileged rancher/k3s:vX.Y.Z
Air-Gap Support
---------------
k3s supports pre-loading of containerd images by placing them in the `images` directory for the agent before starting, for example:
```sh
sudo mkdir -p /var/lib/rancher/k3s/agent/images/
sudo cp ./k3s-airgap-images-$ARCH.tar /var/lib/rancher/k3s/agent/images/
```
Images needed for a base install are provided through the releases page, additional images can be created with the `docker save` command.
Offline Helm charts are served from the `/var/lib/rancher/k3s/server/static` directory, and Helm chart manifests may reference the static files with a `%{KUBERNETES_API}%` templated variable. For example, the default traefik manifest chart installs from `https://%{KUBERNETES_API}%/static/charts/traefik-X.Y.Z.tgz`.
If networking is completely disabled k3s may not be able to start (ie ethernet unplugged or wifi disconnected), in which case it may be necessary to add a default route. For example:
```sh
sudo ip -c address add 192.168.123.123/24 dev eno1
sudo ip route add default via 192.168.123.1
```
k3s additionally provides a `--resolv-conf` flag for kubelets, which may help with configuring DNS in air-gap networks.
Upgrades
--------
To upgrade k3s from an older version you can re-run the installation script using the same flags, for example:
```sh
curl -sfL https://get.k3s.io | sh -
```
If you want to upgrade to specific version you can run the following command:
```sh
curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=vX.Y.Z-rc1 sh -
```
Or to manually upgrade k3s:
1. Download the desired version of k3s from [releases](https://github.com/rancher/k3s/releases/latest)
2. Install to an appropriate location (normally `/usr/local/bin/k3s`)
3. Stop the old version
4. Start the new version
Restarting k3s is supported by the installation script for systemd and openrc.
To restart manually for systemd use:
```sh
sudo systemctl restart k3s
```
To restart manually for openrc use:
```sh
sudo service k3s restart
```
Upgrading an air-gap environment can be accomplished in the following manner:
1. Download air-gap images and install if changed
2. Install new k3s binary (from installer or manual download)
3. Restart k3s (if not restarted automatically by installer)
Uninstalling
------------
If you installed k3s with the help of `install.sh` script an uninstall script is generated during installation, which will be created on your server node at `/usr/local/bin/k3s-uninstall.sh` (or as `k3s-agent-uninstall.sh`).
Hyperkube
---------
@@ -1,47 +0,0 @@
---
title: "Building from Source"
weight: 99999
---
This section provides information on building k3s from source.
See the [release](https://github.com/rancher/k3s/releases/latest) page for pre-built releases.
The clone will be much faster on this repo if you do
git clone --depth 1 https://github.com/rancher/k3s.git
This repo includes all of Kubernetes history so `--depth 1` will avoid most of that.
To build the full release binary run `make` and that will create `./dist/artifacts/k3s`.
Optionally to build the binaries without running linting or building docker images:
```sh
./scripts/download && ./scripts/build && ./scripts/package-cli
```
For development, you just need go 1.12 and a sane GOPATH. To compile the binaries run:
```bash
go build -o k3s
go build -o kubectl ./cmd/kubectl
go build -o hyperkube ./vendor/k8s.io/kubernetes/cmd/hyperkube
```
This will create the main executable, but it does not include the dependencies like containerd, CNI,
etc. To run a server and agent with all the dependencies for development run the following
helper scripts:
```bash
# Server
./scripts/dev-server.sh
# Agent
./scripts/dev-agent.sh
```
Kubernetes Source
-----------------
The source code for Kubernetes is in `vendor/` and the location from which that is copied
is in `./vendor.conf`. Go to the referenced repo/tag and you'll find all the patches applied
to upstream Kubernetes.
@@ -92,19 +92,6 @@ Accessing Cluster from Outside
Copy `/etc/rancher/k3s/k3s.yaml` on your machine located outside the cluster as `~/.kube/config`. Then replace
"localhost" with the IP or name of your k3s server. `kubectl` can now manage your k3s cluster.
Open Ports / Network Security
---------------------------
The server needs port 6443 to be accessible by the nodes. The nodes need to be able to reach
other nodes over UDP port 8472. The nodes also need to be able to reach the server on UDP port 8472. This is used for flannel VXLAN. If you don't use flannel
and provide your own custom CNI, then 8472 is not needed by k3s. The node should not listen
on any other port. k3s uses reverse tunneling such that the nodes make outbound connections
to the server and all kubelet traffic runs through that tunnel.
IMPORTANT. The VXLAN port on nodes should not be exposed to the world, it opens up your
cluster network to accessed by anyone. Run your nodes behind a firewall/security group that
disables access to port 8472.
Node Registration
-----------------
@@ -175,34 +162,6 @@ k3s agents can be configured with options `--node-label` and `--node-taint` whic
--node-taint key1=value1:NoExecute
```
Flannel
-------
Flannel is included by default, if you don't want flannel then run the agent with `--no-flannel` option.
In this setup you will still be required to install your own CNI driver. More info [here](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#pod-network)
CoreDNS
-------
CoreDNS is deployed on start of the agent, to disable run the server with the `--no-deploy coredns` option.
If you don't install CoreDNS you will need to install a cluster DNS provider yourself.
Traefik
-------
Traefik is deployed by default when starting the server; to disable it, start the server with the `--no-deploy traefik` option. The default config file is found in `/var/lib/rancher/k3s/server/manifests/traefik.yaml` and any changes made to this file will automatically be deployed to Kubernetes in a manner similar to `kubectl apply`.
Service Load Balancer
---------------------
k3s includes a basic service load balancer that uses available host ports. If you try to create
a load balancer that listens on port 80, for example, it will try to find a free host in the cluster
for port 80. If no port is available the load balancer will stay in Pending.
To disable the embedded load balancer run the server with the `--no-deploy servicelb` option. This is necessary if you wish to run a different load balancer, such as MetalLB.
Metrics Server
--------------
@@ -214,97 +173,3 @@ this should be edited as appropriate for your architecture. As of this writing m
the following images relevant to k3s: `amd64:v0.3.3`, `arm64:v0.3.2`, and `arm:v0.3.2`. Further information
on the images provided through gcr.io can be found at https://console.cloud.google.com/gcr/images/google-containers/GLOBAL.
Storage Backends (Experimental)
----------------
As of version 0.6.0, k3s can support various storage backends including: SQLite (default), MySQL, Postgres, and etcd, this enhancement depends on the following arguments that can be passed to k3s server:
* `--storage-endpoint` _value_
Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$`K3S_STORAGE_ENDPOINT`]
* `--storage-cafile` _value_
SSL Certificate Authority file used to secure storage backend communication [$`K3S_STORAGE_CAFILE`]
* `--storage-certfile` _value_
SSL certification file used to secure storage backend communication [$`K3S_STORAGE_CERTFILE`]
* `--storage-keyfile` _value_
SSL key file used to secure storage backend communication [$`K3S_STORAGE_KEYFILE`]
### MySQL
To use k3s with MySQL storage backend, you can specify the following for insecure connection:
```
--storage-endpoint="mysql://"
```
By default the server will attempt to connect to mysql using the mysql socket at `/var/run/mysqld/mysqld.sock` using the root user and with no password, k3s will also create a database with the name `kubernetes` if the database is not specified in the DSN.
To override the method of connection, user/pass, and database name, you can provide a custom DSN, for example:
```
--storage-endpoint="mysql://k3suser:k3spass@tcp(192.168.1.100:3306)/k3stest"
```
This command will attempt to connect to MySQL on host `192.168.1.100` on port `3306` with username `k3suser` and password `k3spass` and k3s will automatically create a new database with the name `k3stest` if it doesn't exist, for more information about the MySQL driver data source name, please refer to https://github.com/go-sql-driver/mysql#dsn-data-source-name
To connect to MySQL securely, you can use the following example:
```
--storage-endpoint="mysql://k3suser:k3spass@tcp(192.168.1.100:3306)/k3stest" \
--storage-cafile ca.crt \
--storage-certfile mysql.crt \
--storage-keyfile mysql.key
```
The above command will use these certificates to generate the tls config to communicate with mysql securely.
### Postgres
Connection to postgres can be established using the following command:
```
--storage-endpoint="postgres://"
```
By default the server will attempt to connect to postgres on localhost with using the `postgres` user and with `postgres` password, k3s will also create a database with the name `kubernetes` if the database is not specified in the DSN.
To override the method of connection, user/pass, and database name, you can provide a custom DSN, for example:
```
--storage-endpoint="postgres://k3suser:k3spass@192.168.1.100:5432/k3stest"
```
This command will attempt to connect to Postgres on host `192.168.1.100` on port `5432` with username `k3suser` and password `k3spass` and k3s will automatically create a new database with the name `k3stest` if it doesn't exist, for more information about the Postgres driver data source name, please refer to https://godoc.org/github.com/lib/pq
To connect to Postgres securely, you can use the following example:
```
--storage-endpoint="postgres://k3suser:k3spass@192.168.1.100:5432/k3stest" \
--storage-certfile postgres.crt \
--storage-keyfile postgres.key \
--storage-cafile ca.crt
```
The above command will use these certificates to generate the tls config to communicate with postgres securely.
### etcd
Connection to etcd3 can be established using the following command:
```
--storage-endpoint="https://127.0.0.1:2379"
```
The above command will attempt to connect insecurely to etcd on localhost with port `2379`, you can connect securely to etcd using the following command:
```
--storage-endpoint="https://127.0.0.1:2379" \
--storage-cafile ca.crt \
--storage-certfile etcd.crt \
--storage-keyfile etcd.key
```
The above command will use these certificates to generate the tls config to communicate with etcd securely.
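Review bot: the copy of this section that lands on the HA page drops both the `(Experimental)` qualifier from the heading and the opening `As of version 0.6.0` from the first sentence; if the intent was to move the content verbatim, keep those qualifiers, since they tell the reader from which release the `--storage-endpoint` family of flags exists and that the feature is not yet considered stable.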
@@ -16,3 +16,7 @@ Simply start k3s server with `--no-deploy=traefik` and deploy your ingress.
**Does k3s support Windows?**
At this time k3s does not natively support Windows, however we are open to the idea in the future.
**How can I build from source?**
Please reference the k3s [README.md](https://github.com/rancher/k3s/blob/master/README.md) with instructions.
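Review bot: the new FAQ answer links to the k3s `README.md` for build-from-source instructions, but the commit message says that content is only added by a separate PR that has not landed yet, so at merge time the link points at a README that does not contain the instructions; either land the README PR first or hold this FAQ entry (and the deletion of the Building from Source page) until it does. Consider also linking to a specific heading anchor in the README rather than the file root so readers land on the build section directly.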
@@ -14,3 +14,45 @@ This section contains instructions for installing k3s in testing and production
* [High Availability (HA) Installation]({{< baseurl >}}/k3s/latest/en/installation/ha/)
Install k3s on two or more Linux hosts. High Availability installs are recommended for production environments.
* [Air-Gap Installation]({{< baseurl >}}/k3s/latest/en/installation/airgap/)
Install k3s in an air-gapped environment. High Availability is recommended for production environments.
### Upgrading
>**Note:** When upgrading, upgrade server nodes first one at a time then any worker nodes.
To upgrade k3s from an older version you can re-run the installation script using the same flags, for example:
```sh
curl -sfL https://get.k3s.io | sh -
```
If you want to upgrade to specific version you can run the following command:
```sh
curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=vX.Y.Z-rc1 sh -
```
Or to manually upgrade k3s:
1. Download the desired version of k3s from [releases](https://github.com/rancher/k3s/releases/latest)
2. Install to an appropriate location (normally `/usr/local/bin/k3s`)
3. Stop the old version
4. Start the new version
Restarting k3s is supported by the installation script for systemd and openrc.
To restart manually for systemd use:
```sh
sudo systemctl restart k3s
```
To restart manually for openrc use:
```sh
sudo service k3s restart
```
### Uninstalling
If you installed k3s with the help of the `install.sh` script an uninstall script is generated during installation, which will be created on your node at `/usr/local/bin/k3s-uninstall.sh` (or as `k3s-agent-uninstall.sh`).
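Review bot: the Air-Gap Installation bullet's second sentence, `High Availability is recommended for production environments.`, is copied from the HA bullet above it and says nothing air-gap specific; replace it with a sentence about what the page actually covers (pre-loading container images and offline charts). In the `Upgrading` section, the manual steps `Stop the old version` / `Start the new version` do not mention air-gapped clusters, whose extra step (refresh the air-gap images before restarting) now lives only on the new air-gap page; a one-line cross-link here would keep readers from missing it. In `Uninstalling`, state explicitly which script is generated where (the server install produces `k3s-uninstall.sh`, an agent install produces `k3s-agent-uninstall.sh`) instead of the parenthetical `(or as ...)`, which leaves the reader guessing which one they will find.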
@@ -0,0 +1,28 @@
---
title: "Air-Gap Install"
weight: 40
---
k3s supports pre-loading of containerd images by placing them in the `images` directory for the agent before starting, for example:
```sh
sudo mkdir -p /var/lib/rancher/k3s/agent/images/
sudo cp ./k3s-airgap-images-$ARCH.tar /var/lib/rancher/k3s/agent/images/
```
Images needed for a base install are provided through the releases page, additional images can be created with the `docker save` command.
Offline Helm charts are served from the `/var/lib/rancher/k3s/server/static` directory, and Helm chart manifests may reference the static files with a `%{KUBERNETES_API}%` templated variable. For example, the default traefik manifest chart installs from `https://%{KUBERNETES_API}%/static/charts/traefik-X.Y.Z.tgz`.
If networking is completely disabled k3s may not be able to start (ie ethernet unplugged or wifi disconnected), in which case it may be necessary to add a default route. For example:
```sh
sudo ip -c address add 192.168.123.123/24 dev eno1
sudo ip route add default via 192.168.123.1
```
k3s additionally provides a `--resolv-conf` flag for kubelets, which may help with configuring DNS in air-gap networks.
Upgrading an air-gap environment can be accomplished in the following manner:
1. Download air-gap images and install if changed
2. Install new k3s binary (from installer or manual download)
3. Restart k3s (if not restarted automatically by installer)
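Review bot: `$ARCH` in `sudo cp ./k3s-airgap-images-$ARCH.tar /var/lib/rancher/k3s/agent/images/` is never defined on this page; tell the reader to substitute their node architecture (or export the variable first), otherwise the command silently copies a non-existent `k3s-airgap-images-.tar`. The front matter title `Air-Gap Install` also does not match the `Air-Gap Installation` entry added to the installation `_index.md`; use one name in both places. Finally, the upgrade steps at the bottom (`Install new k3s binary (from installer or manual download)`) depend on the general upgrade procedure that this commit moved to the main Install Options page, so link back to it from step 2.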
@@ -23,8 +23,8 @@ Installation Outline
2. Create master nodes
3. Join worker nodes
### Create Database
The first step for setting up High Availability (HA) is to create the database for the backend. As of v0.10.0 release (Experimental HA) we are currently supporting PostgreSQL 10.7-R1 thru 11.5-R1
### Create Database for Cluster Datastore
The first step for setting up High Availability (HA) is to create the database for the backend. As of v0.10.0 release (Experimental HA) we are currently supporting PostgreSQL 10.7-R1 thru 11.5-R1.
### Create Master Nodes
Following the [Node Requirements]({{< baseurl >}}/k3s/latest/en/installation/node-requirements/) page, provision at least two machines.
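Review bot: style, `thru` should be `through` in the supported-version sentence (the same wording is repeated in the note added under Cluster Datastore Options, so fix both). The rename to `Create Database for Cluster Datastore` is a good disambiguation, but the `Installation Outline` list just above still needs to use the same wording for step 1 so the outline and the heading match.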
@@ -57,3 +57,99 @@ curl -sfL https://get.k3s.io | K3S_URL=https:/<master_node>:6443 K3S_TOKEN=XXX s
Provide the IP or DNS in place of `<master_node>` this can be any one master node. k3s automatically handles load balancing the master nodes.
# Cluster Datastore Options
>**Note:** As of v0.10.0 release (Experimental HA) we are currently supporting PostgreSQL 10.7-R1 thru 11.5-R1.
k3s can support various storage backends including: SQLite (default), MySQL, Postgres, and etcd, this enhancement depends on the following arguments that can be passed to k3s server:
* `--storage-endpoint` _value_
Specify etcd, Mysql, Postgres, or Sqlite (default) data source name [$`K3S_STORAGE_ENDPOINT`]
* `--storage-cafile` _value_
SSL Certificate Authority file used to secure storage backend communication [$`K3S_STORAGE_CAFILE`]
* `--storage-certfile` _value_
SSL certification file used to secure storage backend communication [$`K3S_STORAGE_CERTFILE`]
* `--storage-keyfile` _value_
SSL key file used to secure storage backend communication [$`K3S_STORAGE_KEYFILE`]
### MySQL
To use k3s with MySQL storage backend, you can specify the following for insecure connection:
```
--storage-endpoint="mysql://"
```
By default the server will attempt to connect to mysql using the mysql socket at `/var/run/mysqld/mysqld.sock` using the root user and with no password, k3s will also create a database with the name `kubernetes` if the database is not specified in the DSN.
To override the method of connection, user/pass, and database name, you can provide a custom DSN, for example:
```
--storage-endpoint="mysql://k3suser:k3spass@tcp(192.168.1.100:3306)/k3stest"
```
This command will attempt to connect to MySQL on host `192.168.1.100` on port `3306` with username `k3suser` and password `k3spass` and k3s will automatically create a new database with the name `k3stest` if it doesn't exist, for more information about the MySQL driver data source name, please refer to https://github.com/go-sql-driver/mysql#dsn-data-source-name
To connect to MySQL securely, you can use the following example:
```
--storage-endpoint="mysql://k3suser:k3spass@tcp(192.168.1.100:3306)/k3stest" \
--storage-cafile ca.crt \
--storage-certfile mysql.crt \
--storage-keyfile mysql.key
```
The above command will use these certificates to generate the tls config to communicate with mysql securely.
### Postgres
Connection to postgres can be established using the following command:
```
--storage-endpoint="postgres://"
```
By default the server will attempt to connect to postgres on localhost with using the `postgres` user and with `postgres` password, k3s will also create a database with the name `kubernetes` if the database is not specified in the DSN.
To override the method of connection, user/pass, and database name, you can provide a custom DSN, for example:
```
--storage-endpoint="postgres://k3suser:k3spass@192.168.1.100:5432/k3stest"
```
This command will attempt to connect to Postgres on host `192.168.1.100` on port `5432` with username `k3suser` and password `k3spass` and k3s will automatically create a new database with the name `k3stest` if it doesn't exist, for more information about the Postgres driver data source name, please refer to https://godoc.org/github.com/lib/pq
To connect to Postgres securely, you can use the following example:
```
--storage-endpoint="postgres://k3suser:k3spass@192.168.1.100:5432/k3stest" \
--storage-certfile postgres.crt \
--storage-keyfile postgres.key \
--storage-cafile ca.crt
```
The above command will use these certificates to generate the tls config to communicate with postgres securely.
### etcd
Connection to etcd3 can be established using the following command:
```
--storage-endpoint="https://127.0.0.1:2379"
```
The above command will attempt to connect insecurely to etcd on localhost with port `2379`, you can connect securely to etcd using the following command:
```
--storage-endpoint="https://127.0.0.1:2379" \
--storage-cafile ca.crt \
--storage-certfile etcd.crt \
--storage-keyfile etcd.key
```
The above command will use these certificates to generate the tls config to communicate with etcd securely.
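Review bot: `# Cluster Datastore Options` is an H1 on a page whose other sections are `###`, and it appears after the join-workers step, so it renders as a second page title in the middle of the document; make it `###` (or `##`) like its siblings. The note directly below it says only PostgreSQL 10.7-R1 through 11.5-R1 is supported, yet the section then documents MySQL, etcd and SQLite with no qualification; state explicitly that those backends are unsupported or experimental so the two statements do not contradict each other. The etcd example calls `--storage-endpoint="https://127.0.0.1:2379"` an insecure connection, which is confusing for an `https://` URL; clarify that it means no `--storage-cafile`/`--storage-certfile`/`--storage-keyfile` are supplied, so no CA pinning or client authentication is configured. The DSN examples put `k3spass` on the command line; since the flag descriptions already list `$K3S_STORAGE_ENDPOINT`, point out that the environment variable keeps the credentials out of the process list and shell history. Minor: `SSL certification file` should be `SSL certificate file`, and `tls` should be `TLS`.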
@@ -0,0 +1,45 @@
---
title: "Networking"
weight: 35
---
Open Ports / Network Security
---------------------------
The server needs port 6443 to be accessible by the nodes. The nodes need to be able to reach
other nodes over UDP port 8472. The nodes also need to be able to reach the server on UDP port 8472. This is used for flannel VXLAN. If you don't use flannel
and provide your own custom CNI, then 8472 is not needed by k3s. The node should not listen
on any other port. k3s uses reverse tunneling such that the nodes make outbound connections
to the server and all kubelet traffic runs through that tunnel.
IMPORTANT. The VXLAN port on nodes should not be exposed to the world, it opens up your
cluster network to accessed by anyone. Run your nodes behind a firewall/security group that
disables access to port 8472.
Flannel
-------
Flannel is included by default, if you don't want flannel then run the agent with `--no-flannel` option.
In this setup you will still be required to install your own CNI driver. More info [here](https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#pod-network)
CoreDNS
-------
CoreDNS is deployed on start of the agent, to disable run the server with the `--no-deploy coredns` option.
If you don't install CoreDNS you will need to install a cluster DNS provider yourself.
Traefik
-------
Traefik is deployed by default when starting the server; to disable it, start the server with the `--no-deploy traefik` option. The default config file is found in `/var/lib/rancher/k3s/server/manifests/traefik.yaml` and any changes made to this file will automatically be deployed to Kubernetes in a manner similar to `kubectl apply`.
Service Load Balancer
---------------------
k3s includes a basic service load balancer that uses available host ports. If you try to create
a load balancer that listens on port 80, for example, it will try to find a free host in the cluster
for port 80. If no port is available the load balancer will stay in Pending.
To disable the embedded load balancer run the server with the `--no-deploy servicelb` option. This is necessary if you wish to run a different load balancer, such as MetalLB.
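Review bot: `it opens up your cluster network to accessed by anyone` in the IMPORTANT paragraph should read `to being accessed by anyone`. The CoreDNS section says CoreDNS `is deployed on start of the agent` but is disabled with a server option (`--no-deploy coredns`), and the Traefik section describes the same mechanism as a server-side manifest deploy; `agent` here looks like it should be `server`. The open-ports paragraph would be clearer as a list (6443/TCP on the server, reachable from nodes; 8472/UDP node-to-node and node-to-server, flannel VXLAN only) than as three run-on sentences, and `The node should not listen on any other port` is contradicted by the Service Load Balancer section below, which binds host ports such as 80; qualify the sentence so readers do not firewall off their own load-balanced services.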