In “Deploy Your Own Kubernetes Lab”
I covered multiple deployment options for a Kubernetes lab,
ranging from more lightweight (like running Kubernetes locally)
to more realistic ones (like deploying a multi-node cluster) suitable for security research.
In this blog post, I’m going to detail the steps I took to deploy my own
Kubernetes Lab on baremetal, and on an Intel NUC in particular.
I was looking for a self-contained option,
which - most importantly - didn’t take up much space,
so I ended up settling
on an Intel NUC,
starting with 250GB of storage and 32GB of RAM.
It might be worth noting that, for the initial setup phase, it is also useful to have
a small keyboard (like this one)
and a monitor (a 7-inch one is just fine).
At a high level, my home network diagram looks like the one below:
As the title of this post implies, the aim was to have a Kubernetes cluster
running directly on baremetal, hence deciding which operating system to rely on
was almost straightforward:
Fedora CoreOS (FCOS) is a minimal operating system specifically designed for running containerized workloads securely and at scale.
Let’s see how to get it running on the Intel NUC.
Prepare a Bootable USB
The first step in the installation process involves burning a Fedora CoreOS ISO onto a bootable USB stick.
The latest stable version of the ISO for baremetal installations can be found
directly on the Fedora website
(33.20210301.3.1 at the time of writing).
From there, it is simply a matter of burning the ISO, which, on macOS, can be
done using tools like Etcher. Once launched, select the
CoreOS ISO and the USB device to use, and Etcher will take care of creating
a bootable USB from it.
Prepare an Ignition Config
For those new to FCOS (me included before creating this lab), it might be worth
explaining what an Ignition file actually is.
An Ignition file specifies the configuration for provisioning FCOS instances:
the process begins with a YAML configuration file, which gets
translated by the FCOS Configuration Transpiler (fcct) into a machine-friendly JSON,
which is the final configuration file for Ignition.
FCOS ingests the Ignition file only on first boot,
applying the whole configuration or failing to boot in case of errors.
The Fedora documentation
proved to be excellent in detailing how to create a
basic Ignition file that modifies the default FCOS user (named core)
to allow logins with an SSH key.
First, on your workstation create a file (named config.fcc) with the following content,
and make sure to replace the line starting with ssh-rsa with the contents of your SSH public key file:
In the config above, we are basically telling FCOS to add the default user
named core to three additional groups (docker, wheel, and sudo),
as well as to allow key-based authentication with the public SSH key specified
in the ssh_authorized_keys section.
The public key will be provisioned to the FCOS machine via Ignition,
whereas the private counterpart needs to be available to your user on your local workstation,
in order to remotely authenticate over SSH.
Next, we need to use fcct, the Fedora CoreOS Config Transpiler,
to produce a JSON Ignition file from a YAML FCC file.
An easy way to use fcct is to run it in a container:
Since this config.ign will be needed to boot FCOS,
we need to make it temporarily available for devices on the local network.
There are multiple ways to accomplish this: I opted to quickly spin up
updog (a replacement for Python’s SimpleHTTPServer):
Install from Live USB
With the Ignition config ready,
plug the USB stick in the Intel NUC, turn it on,
and make sure to select that media as preferred boot option.
If the ISO has been burnt correctly, you should end up in a shell as
the core user.
The actual installation is quite straightforward:
The command above instructs coreos-installer to use the Ignition config
we are making available to the local network from our workstation (192.168.1.150 in my case).
The --insecure-ignition flag is needed if the Ignition file
is served over plaintext HTTP rather than TLS.
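An alternative to trusting the plaintext fetch, shown here as an added example that is not part of the original post: coreos-installer's --ignition-hash option pins the config to a digest computed on the workstation, so a config altered in transit is rejected and --insecure-ignition is not needed. The port 9090 and the target disk /dev/sdX are placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pin the Ignition config to a digest instead of passing
# --insecure-ignition. Run on the workstation next to config.ign.

# Print "sha256-<hex>", the <type>-<hexvalue> form --ignition-hash expects.
ignition_digest() {
    [ -r "$1" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        hex=$(sha256sum "$1" | awk '{print $1}')
    else
        hex=$(shasum -a 256 "$1" | awk '{print $1}')   # macOS workstation
    fi
    [ -n "$hex" ] || return 1
    printf 'sha256-%s\n' "$hex"
}

# Succeed only if the file (e.g. a copy fetched back from the HTTP server)
# still matches the digest recorded before it was served.
# $1 = file, $2 = expected digest
verify_ignition() {
    [ "$(ignition_digest "$1")" = "$2" ]
}

# Print the command to type in the live shell on the NUC.
# $1 = local config.ign, $2 = URL it is served from, $3 = target disk
installer_cmd() {
    digest=$(ignition_digest "$1") || return 1
    printf 'sudo coreos-installer install %s --ignition-url %s --ignition-hash %s\n' \
        "$3" "$2" "$digest"
}

# Usage: port and disk below are placeholders, adjust to your setup.
if [ -f config.ign ]; then
    installer_cmd config.ign "http://192.168.1.150:9090/config.ign" /dev/sdX
fi
```
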
After a reboot of the Intel NUC, you should be able to SSH into it from your
And that’s it! FCOS is now up and running.
The next step is installing Kubernetes on it.
The installation process for Kubernetes is a bit more lengthy,
and can be broken up into a few sections:
installation of dependencies, installation of the cluster, and network setup.
While looking around (i.e., Googling) for the most effective way to deploy
a vanilla Kubernetes on FCOS, I came across a really detailed article from
Matthias Preu (Fedora CoreOS - Basic Kubernetes Setup) describing exactly this process.
Note that the remainder of this sub-section has been based heavily on Matthias’ setup,
and you should refer to his blog post for a detailed explanation of each installation step.