Add consistency, split up the giant , add nftables

Split up common/init.sls into kubernetes common/util.sls type of file
- Switch out containerd for cri-o
- add nftables
- make the blocks consistent by using `-require:` appropriately

Signed-off-by: Pratyush Desai <pratyush.desai@liberta.casa>
This commit is contained in:
Pratyush Desai 2025-07-18 01:02:37 +05:30
parent 4dd550e06e
commit 54a55f01ce
Signed by: pratyush
GPG Key ID: DBA5BB7505946FAD
9 changed files with 289 additions and 153 deletions


@ -1,148 +1,9 @@
# Common Setup procedures for all Kubernetes nodes
#### Swap off
# This state file serves as the main entry point for common Kubernetes node setup.
kubernetes_swap_off:
cmd.run:
- name: swapoff -a
- unless: "grep -q '^[^#]* swap' /etc/fstab"
- stateful: False
kubernetes_fstab+no_swap:
cmd.run:
- name: swapoff -a
- pat: '^(\S+\s+none\s+swap\s+sw\s+0\s+0)$'
- repl: '#\1'
- stateful: False
#### Necessary Kernel Modules
kubernetes_kmod_config_dir:
file.directory:
- name: /etc/modules-load.d
- mode: "0755"
- makedirs: True
kubernetes_kmod_config_file:
file.managed:
- name: /etc/modules-load.d/k8s.conf
- contents: |
br_netfilter
overlay
ip_tables
iptable_filter
iptable_nat
- mode: '0644'
kubernetes_modprobe_br_netfilter:
cmd.run:
- name: modprobe br_netfilter
- unless: "lsmod | grep -q br_netfilter"
kubernetes_modprobe_overlay:
cmd.run:
- name: modprobe overlay
- unless: "lsmod | grep -q overlay"
kubernetes_modprobe_ip_tables:
cmd.run:
- name: modprobe ip_tables
- unless: "lsmod | grep -q ip_tables"
kubernetes_modprobe_iptable_filter:
cmd.run:
- name: modprobe iptable_filter
- unless: "lsmod | grep -q iptable_filter"
kubernetes_modprobe_iptable_nat:
cmd.run:
- name: modprobe iptable_nat
- unless: "lsmod | grep -q iptable_nat"
##### Port Forwarding
kubernetes_sysctl_config_dir:
file.directory:
- name: /etc/sysctl.d
- mode: "0755"
- makedirs: True
kubernetes_sysctl_file:
file.managed:
- name: /etc/sysctl.d/k8s.conf
- contents: |
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
- mode: "0644"
kubernetes_sysctl_reload:
cmd.run:
- name: sysctl --system
- onchanges:
- file: kubernetes_sysctl_file
##### Container Runtime
containerd_pkg:
pkg.installed:
- name: containerd
containerd_config_dir:
file.directory:
- name: /etc/containerd
- mode: "0755"
- makedirs: True
- require:
- pkg: containerd_pkg
containerd_default_config:
cmd.run:
- name: containerd config default > /etc/containerd/config.toml
- unless: "test -f /etc/containerd/config.toml"
- require:
- file: containerd_config_dir
containerd_systemdcgroup_true:
file.replace:
- name: /etc/containerd/config.toml
- pattern: 'SystemdCgroup = false'
- repl: 'SystemdCgroup = true'
- require:
- cmd: containerd_default_config
containerd_service:
service.running:
- name: containerd
- enable: True
- watch:
- file: containerd_systemdcgroup_true
##### Kubernetes tooling
kubernetes_repo:
pkgrepo.managed:
- name: isv_kubernetes_core_stable_v1_33_build
- humanname: "isv:kubernetes:core:stable:v1.33:build"
- baseurl: https://download.opensuse.org/repositories/isv:/kubernetes:/core:/stable:/v1.33:/build/rpm/
- gpgcheck: 1
- gpgkey: https://download.opensuse.org/repositories/isv:/kubernetes:/core:/stable:/v1.33:/build/rpm/repodata/repomd.xml.key
- enabled: 1
- priority: 90
- refresh: True
kubernetes_tools_pkg:
pkg.installed:
- names:
- kubeadm
- kubelet
- kubectl
- require:
- pkgrepo: kubernetes_repo
kubelet_service:
service.running:
- name: kubelet
- enable: True
- require:
- pkg: kubernetes_tools_pkg
include:
- kubernetes.common.swap
- kubernetes.common.kernel_modules
- kubernetes.common.sysctl
- kubernetes.common.firewall
- kubernetes.common.cri_o
- kubernetes.common.tools
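Review bot: The include paths here (`kubernetes.common.swap` … `kubernetes.common.tools`) use a different root than the `common.init` include in the control-plane and worker files of this same commit, so one of the two spellings presumably fails to render unless the state tree is reachable under both names; worth confirming against file_roots. An `include` also carries no requisite between the modules: nothing here says the sysctl reload runs after the kernel modules are loaded, or that `kubelet_service` starts after the runtime, which now rests on include order alone. Where the order matters, the consuming state should say so, e.g. `- require:` / `- sls: kubernetes.common.kernel_modules` on the sysctl reload state.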


@ -0,0 +1,35 @@
# SaltStack state for installing and configuring CRI-O container runtime.
# Install CRI-O package, which is the container runtime for Kubernetes.
cri_o_pkg:
pkg.installed:
- name: cri-o
# Create CRI-O configuration directory.
cri_o_config_dir:
file.directory:
- name: /etc/crio
- mode: "0755"
- makedirs: True
- require:
- pkg: cri_o_pkg
# Modify CRI-O configuration to use systemd cgroup driver.
cri_o_systemdcgroup_true:
file.replace:
- name: /etc/crio/crio.conf
- pattern: '(?m)^cgroup_manager\s*=\s*".*"'
- repl: 'cgroup_manager = "systemd"'
- require:
- pkg: cri_o_pkg
- watch_in:
- service: crio_service
# Ensure CRI-O service is running and enabled.
crio_service:
service.running:
- name: crio
- enable: True
- watch:
- pkg: cri_o_pkg
- file: cri_o_systemdcgroup_true
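Review bot: `cri_o_systemdcgroup_true` edits `/etc/crio/crio.conf` with `file.replace`, which errors when the file is absent (`ignore_if_missing` defaults to False) and does nothing when the shipped file has the key commented out (the `(?m)^cgroup_manager` pattern only matches an active line) — the requisite on `pkg: cri_o_pkg` guarantees neither the file nor the key. A drop-in under `/etc/crio/crio.conf.d/` written with `file.managed` states the setting unconditionally and is not clobbered by a package upgrade of the main file. `cri_o_config_dir` is required by nothing, and the `watch_in` on the replace duplicates the `watch` already declared on `crio_service`, so one of the two can go. Something like (drop-in file name constructed):
```yaml
# Force the systemd cgroup driver via a drop-in; CRI-O merges /etc/crio/crio.conf.d/*.conf over crio.conf.
cri_o_cgroup_dropin:
  file.managed:
    - name: /etc/crio/crio.conf.d/10-cgroup.conf
    - contents: |
        [crio.runtime]
        cgroup_manager = "systemd"
    - mode: "0644"
    - require:
      - pkg: cri_o_pkg

# … unchanged: crio_service, with `- file: cri_o_cgroup_dropin` in its watch list instead of the replace state …
```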


@ -0,0 +1,75 @@
# SaltStack state for managing firewall (firewalld removal, nftables installation and configuration).
# Ensure firewalld is stopped and disabled if it's installed.
firewalld_service_dead:
service.dead:
- name: firewalld
- enable: False
- onlyif: 'systemctl is-enabled firewalld.service || systemctl is-active firewalld.service'
# Remove the firewalld package if it's installed.
firewalld_pkg_removed:
pkg.removed:
- name: firewalld
- require:
- service: firewalld_service_dead
- onlyif: 'rpm -q firewalld || dpkg -s firewalld'
# Install the nftables package.
nftables_pkg:
pkg.installed:
- name: nftables
# Manage the nftables configuration file.
nftables_config_file:
file.managed:
- name: /etc/nftables.conf
- contents: |
#!/usr/sbin/nft -f
flush ruleset
table ip filter {
chain input {
type filter hook input priority 0; policy drop;
ct state {established, related} accept
iif "lo" accept
tcp dport 22 accept
tcp dport 10250 accept
tcp dport 30000-32767 accept
icmp type echo-request accept
}
chain forward {
type filter hook forward priority 0; policy drop;
ct state {established, related} accept
}
chain output {
type filter hook output priority 0; policy accept;
}
}
{{ pillar.get("node_nftables_extra_rules", "") }}
- mode: "0644"
- require:
- pkg: nftables_pkg
# Ensure the nftables service is running and enabled on boot.
nftables_service:
service.running:
- name: nftables
- enable: True
- watch:
- file: nftables_config_file
- require:
- pkg: nftables_pkg
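Review bot: The ruleset is declared as `table ip filter`, which hooks IPv4 only, so the intended policy-drop posture leaves every IPv6 path to the node unfiltered; `table inet filter` attaches the same chains to both families. The input chain opens 22, 10250 and the NodePort range but none of the control-plane ports (6443, 2379-2380, 10257, 10259) nor the CNI's own traffic (Cilium is included on the control plane), and the forward chain accepts only established/related, which routed pod traffic will hit unless the CNI bypasses netfilter — since this state reaches the control plane through `common`, joins and pod networking presumably depend on `node_nftables_extra_rules`, and that contract deserves a comment at the top of the file. That pillar value is interpolated at column 0 inside the block scalar, so a multi-line value terminates the scalar and breaks the YAML; render it as `{{ pillar.get("node_nftables_extra_rules", "") | indent(<block indent>) }}` (width placeholder) so continuation lines stay inside the contents. `tcp dport 10250 accept` exposes the kubelet API to any source; restricting it to the node and pod CIDRs with an `ip saddr <cidr>` qualifier (placeholder) is the usual posture.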


@ -0,0 +1,55 @@
#### Necessary Kernel Modules
kubernetes_kmod_config_dir:
file.directory:
- name: /etc/modules-load.d
- mode: "0755"
- makedirs: True
kubernetes_kmod_config_file:
file.managed:
- name: /etc/modules-load.d/k8s.conf
- contents: |
br_netfilter
overlay
ip_tables
iptable_filter
iptable_nat
- mode: '0644'
- require:
- file: kubernetes_kmod_config_dir
kubernetes_modprobe_br_netfilter:
cmd.run:
- name: modprobe br_netfilter
- unless: "lsmod | grep -q br_netfilter"
- require:
- file: kubernetes_kmod_config_file
kubernetes_modprobe_overlay:
cmd.run:
- name: modprobe overlay
- unless: "lsmod | grep -q overlay"
- require:
- file: kubernetes_kmod_config_file
kubernetes_modprobe_ip_tables:
cmd.run:
- name: modprobe ip_tables
- unless: "lsmod | grep -q ip_tables"
- require:
- file: kubernetes_kmod_config_file
kubernetes_modprobe_iptable_filter:
cmd.run:
- name: modprobe iptable_filter
- unless: "lsmod | grep -q iptable_filter"
- require:
- file: kubernetes_kmod_config_file
kubernetes_modprobe_iptable_nat:
cmd.run:
- name: modprobe iptable_nat
- unless: "lsmod | grep -q iptable_nat"
- require:
- file: kubernetes_kmod_config_file
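Review bot: The six `kubernetes_modprobe_*` states are one stanza repeated, and their `unless` guards are unanchored substring matches on `lsmod` output (`grep -q overlay` is satisfied by any module name containing that text), so a loop with a line-anchored pattern is both shorter and more exact. The module list is also written twice (in the `k8s.conf` contents and in the modprobe states) and can be one Jinja variable feeding both. Salt's `kmod.present` with `persist: True` is the native alternative, though where it persists the list is distro-dependent rather than `k8s.conf`. The mode quoting `'0644'` here also differs from the `"0644"` used elsewhere in the commit.
```yaml
{% set k8s_modules = ['br_netfilter', 'overlay', 'ip_tables', 'iptable_filter', 'iptable_nat'] %}

# … unchanged: kubernetes_kmod_config_dir …

kubernetes_kmod_config_file:
  file.managed:
    - name: /etc/modules-load.d/k8s.conf
    - contents: |
        {{ k8s_modules | join("\n") | indent(8) }}
    - mode: "0644"
    - require:
      - file: kubernetes_kmod_config_dir

# Load each module now; the anchored grep avoids matching on a substring of another module name.
{% for mod in k8s_modules %}
kubernetes_modprobe_{{ mod }}:
  cmd.run:
    - name: modprobe {{ mod }}
    - unless: "lsmod | grep -q '^{{ mod }} '"
    - require:
      - file: kubernetes_kmod_config_file
{% endfor %}
```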


@ -0,0 +1,15 @@
# swap off for k8s
kubernetes_swap_off:
cmd.run:
- name: swapoff -a
- unless: "grep -q '^[^#]* swap' /etc/fstab"
- stateful: False
kubernetes_fstab+no_swap:
cmd.run:
- name: swapoff -a
- pat: '^(\S+\s+none\s+swap\s+sw\s+0\s+0)$'
- repl: '#\1'
- stateful: False
- require:
- cmd: kubernetes_swap_off
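Review bot: `kubernetes_fstab+no_swap` is declared as `cmd.run` yet carries `pat`/`repl`, which are `file.replace` arguments (and the replace parameter is spelled `pattern`), so the state just re-runs `swapoff -a` and never edits `/etc/fstab` — swap returns on the next boot. The `unless` on `kubernetes_swap_off` is inverted as well: it skips `swapoff` exactly when fstab has an uncommented swap line, which is when swap is most likely active; asking `swapon --show` answers the real question. The fstab pattern is further limited to the Debian-style `none swap sw 0 0` row, while the `rpm -q` handling elsewhere in the commit suggests other distros are in scope. Rewrite along these lines (state IDs kept):
```yaml
kubernetes_swap_off:
  cmd.run:
    - name: swapoff -a
    # skip only when no swap device is active right now
    - unless: 'test -z "$(swapon --show --noheadings)"'
    - stateful: False

# Comment out any active (uncommented) swap entry so swap stays off across reboots.
kubernetes_fstab+no_swap:
  file.replace:
    - name: /etc/fstab
    - pattern: '^([^#\s]\S*\s+\S+\s+swap\s+.*)$'
    - repl: '#\1'
    - require:
      - cmd: kubernetes_swap_off
```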


@ -0,0 +1,24 @@
##### Port Forwarding
kubernetes_sysctl_config_dir:
file.directory:
- name: /etc/sysctl.d
- mode: "0755"
- makedirs: True
kubernetes_sysctl_file:
file.managed:
- name: /etc/sysctl.d/k8s.conf
- contents: |
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
- mode: "0644"
- require:
- file: kubernetes_sysctl_config_dir
kubernetes_sysctl_reload:
cmd.run:
- name: sysctl --system
- onchanges:
- file: kubernetes_sysctl_file
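Review bot: `kubernetes_sysctl_reload` runs `sysctl --system` as soon as `k8s.conf` changes, but the `net.bridge.*` keys only exist once `br_netfilter` is loaded, and nothing in this file orders the reload after the kernel-module states now that they live in a separate SLS; the first run on a fresh node may therefore fail on those keys. Add `- require:` / `- sls: kubernetes.common.kernel_modules` to the reload state (or require `cmd: kubernetes_modprobe_br_netfilter` directly) so the dependency is explicit rather than resting on include order. Salt's `sysctl.present` is the native alternative, setting and persisting each key in one state without a separate reload.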


@ -0,0 +1,31 @@
# SaltStack state for installing Kubernetes tooling (kubeadm, kubelet, kubectl).
# Add Kubernetes package repository.
kubernetes_repo:
pkgrepo.managed:
- name: isv_kubernetes_core_stable_v1_33_build
- humanname: "isv:kubernetes:core:stable:v1.33:build"
- baseurl: https://download.opensuse.org/repositories/isv:/kubernetes:/core:/stable:/v1.33:/build/rpm/
- gpgcheck: 1
- gpgkey: https://download.opensuse.org/repositories/isv:/kubernetes:/core:/stable:/v1.33:/build/rpm/repodata/repomd.xml.key
- enabled: 1
- priority: 90
- refresh: True
# Install Kubernetes tools: kubeadm, kubelet, and kubectl.
kubernetes_tools_pkg:
pkg.installed:
- names:
- kubeadm
- kubelet
- kubectl
- require:
- pkgrepo: kubernetes_repo
# Ensure kubelet service is running and enabled.
kubelet_service:
service.running:
- name: kubelet
- enable: True
- require:
- pkg: kubernetes_tools_pkg
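Review bot: `kubernetes_tools_pkg` installs kubeadm, kubelet and kubectl unpinned from a repository that is refreshed on every run (`refresh: True`), so a repo update upgrades the kubelet outside the `kubeadm upgrade` flow; add `- hold: True` (or an explicit `- version:` taken from pillar) so node binaries stay where the cluster upgrade procedure left them. `kubelet_service` starts the kubelet before any `kubeadm init`/`join` has written its configuration, which is the documented kubeadm behaviour but surprises readers of the state output; a comment such as `# kubelet restarts in a loop until kubeadm init/join writes /var/lib/kubelet/config.yaml — expected` would help. The repository is an openSUSE build-service URL while the firewall state probes `dpkg` too, so the supported distro set should be stated in the header comment of this file.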


@ -1,31 +1,35 @@
# This state file contains configurations specific to a Kubernetes control plane node.
include:
- common.init
- cilium.init
# Initialize the Kubernetes control plane using kubeadm.
# --pod-network-cidr is required for CNI, but we stop before installing CNI.
# --ignore-preflight-errors=NumCPU is added as per original request.
kubeadm_init:
cmd.run:
- name: 'kubeadm init --pod-network-cidr={{ pillar["pod_cidr"] }} --ignore-preflight-errors=NumCPU'
- unless: 'test -f /etc/kubernetes/admin.conf'
- require:
- service: kubelet_service
- service: containerd_service
- service: crio_service
kubeconfig_dir:
file.directory:
- name: /root/.kube
- mode: 755
- mode: "0755"
- makedirs: True
- require:
- cmd: kubeadm_init
kubeconfig_file:
file.managed:
- name: /root/.kube/config
- source: file:///etc/kubernetes/admin.conf
- user: root
- group: root
- mode: 600
- mode: "0600"
- require:
- cmd: kubeadm_init
- file: kubeconfig_dir
- file: kubeconfig_dir
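Review bot: The `crio_service` requisite now on `kubeadm_init`, like `kubelet_service`, resolves only if `common.init` actually brings in the split-out modules, yet that file in this commit includes them as `kubernetes.common.*`, so one of the two include roots is presumably wrong; confirm which spelling the state tree uses. The comment `# --ignore-preflight-errors=NumCPU is added as per original request.` records history rather than intent; a reader wants to know why the check is safe to skip on these nodes (`# NumCPU preflight skipped: <reason> — TODO fill in`). The quoted `"0755"`/`"0600"` modes are the right fix and should be mirrored in the worker file of this commit, which still carries the bare integers.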


@ -0,0 +1,36 @@
# This state file contains configurations specific to a Kubernetes worker node.
include:
- common.init
# Initialize the Kubernetes control plane using kubeadm.
# --pod-network-cidr is required for CNI, but we stop before installing CNI.
# --ignore-preflight-errors=NumCPU is added as per original request.
kubeadm_init:
cmd.run:
- name: 'kubeadm init --pod-network-cidr={{ pillar["pod_cidr"] }} --ignore-preflight-errors=NumCPU'
- unless: 'test -f /etc/kubernetes/admin.conf'
- require:
- service: kubelet_service
- service: crio_service # Ensure CRI-O is running before kubeadm init
# Create .kube directory for the root user.
kubeconfig_dir:
file.directory:
- name: /root/.kube
- mode: 755
- makedirs: True
- require:
- cmd: kubeadm_init
# Copy the kubeconfig file to the root user's home directory for kubectl access.
kubeconfig_file:
file.managed:
- name: /root/.kube/config
- source: file:///etc/kubernetes/admin.conf
- user: root
- group: root
- mode: 600
- require:
- cmd: kubeadm_init
- file: kubeconfig_dir
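Review bot: This worker state is a copy of the control-plane file: it runs `kubeadm init` and copies `admin.conf`, so each worker would bootstrap its own independent control plane instead of joining the cluster, and the comment on `kubeadm_init` still says "control plane". A worker needs `kubeadm join` against the control-plane endpoint with a bootstrap token and CA hash taken from pillar, guarded by the kubeconfig that `kubeadm join` writes (`/etc/kubernetes/kubelet.conf`); the `kubeconfig_dir`/`kubeconfig_file` states do not belong here since `admin.conf` does not exist on a worker. The bare `755`/`600` modes should also be quoted as the control-plane file in this commit now does. Sketch (pillar key names constructed):
```yaml
# … unchanged: include …

# Join this node to the existing cluster; idempotent via the kubeconfig kubeadm join creates.
kubeadm_join:
  cmd.run:
    - name: >-
        kubeadm join {{ pillar["control_plane_endpoint"] }}
        --token {{ pillar["join_token"] }}
        --discovery-token-ca-cert-hash {{ pillar["discovery_ca_cert_hash"] }}
    - unless: 'test -f /etc/kubernetes/kubelet.conf'
    - require:
      - service: kubelet_service
      - service: crio_service

# … removed: kubeconfig_dir and kubeconfig_file (admin.conf is not present on a worker) …
```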