Hi Team,
Does anyone have experience with a Kubernetes offline upgrade from 1.18 → 1.19, or a Kubernetes offline installation for 1.19 and higher? For now I could not find any instructions on the internet…
Please advise.
Cluster information:
Kubernetes version: 1.18
Cloud being used:
https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
Installation method:
As described here: Documentation:GCXI:Dep:DockerOffline:9.0.0 - Genesys Documentation
Host OS:
RHEL 7
You couldn’t find any instructions on the Internet, maybe because it’s a time-consuming task and not recommended.
Just wow… I stopped reading that Genesys document’s notice at the top… I’m here for the tech, the whole tech, and nothing but the tech.
@tej-singh-rana just because documentation doesn’t exist doesn’t mean it isn’t worth doing. Being completely disconnected is the best security you can have in combination with physical security. This may even be legally required in some cases.
Anyways @edremin , if you want to manage an offline kubernetes cluster, look into maintaining your own repositories for the linux distro you use and container registries. This is going to be time consuming to setup, but once you do, you can follow normal practices for upgrades.
There are plenty of tutorials on maintaining your own repositories for every distro out there.
As for container registries, there are tutorials about making mirror registries, and I think if you learn about that, you can figure out a pipeline for pulling down container images, storing them where you want, and pushing them to private registries that aren’t accessible outside of your secure facility.
Something you might run into a problem with is that container engines really like SSL and you have to maintain CA certificates of your own. Here’s some notes I have for generating a CA cert and making signed certificates that I hijacked from here.
Creating the CA Certificate & Key
------------------------------------------------------------------------------------------------
# mkdir -p /etc/ssl/k8s/
# openssl req -subj '/C=K8/ST=Cluster/L=Pod/O=SnakeOilCA/OU=SnakeOilCA/CN=*.cluster.local' -nodes -x509 -newkey rsa:4096 -keyout /etc/ssl/k8s/cluster-shared-ca.key -out /etc/ssl/k8s/cluster-shared-ca.crt -days 1825
Adding the CA Certificate
------------------------------------------------------------------------------------------------
Note: containerd requires a restart for new CAs before version 1.5.
Ubuntu
------------
# cp /etc/ssl/k8s/cluster-shared-ca.crt /usr/local/share/ca-certificates/
# update-ca-certificates
RHEL
------------
# cp /etc/ssl/k8s/cluster-shared-ca.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust
Create a Certificate Signing Request (CSR)
------------------------------------------------------------------------------------------------
# openssl req -subj '/C=K8/ST=Cluster/L=Pod/O=SnakeOil/OU=SnakeOil/CN=*.cluster.local' -nodes -newkey rsa:4096 -keyout snakeoil.key -out snakeoil.csr
Create Signed Certificate
------------------------------------------------------------------------------------------------
# openssl x509 -req -in snakeoil.csr -CA /etc/ssl/k8s/cluster-shared-ca.crt -CAkey /etc/ssl/k8s/cluster-shared-ca.key -CAcreateserial -out snakeoil.crt -days 365 -sha256
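Added example (not from the post above or from any project the thread names): the same CA → CSR → signed-certificate flow as the notes, wrapped in shell functions, with two additions a practitioner wants before pointing a container engine at a private registry. First, the leaf certificate carries a subjectAltName: containerd, Docker and other Go-based TLS clients ignore the CN and reject a CN-only certificate (even a wildcard one) as relying on the legacy Common Name field. Second, the chain is verified with `openssl verify` before anything is installed into the trust store. Everything is written under a temporary directory, so it does not touch `/etc/ssl` or the system CA bundle; it assumes `openssl` is on PATH, and the hostname `registry.cluster.local` is a constructed example.

```shell
#!/bin/sh
# Added example: private CA, SAN-bearing leaf cert, and chain verification.
# Assumes openssl is on PATH. Nothing here writes outside $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_ca() {
    # Self-signed root CA, 5-year validity, unencrypted key (-nodes) as in the notes.
    # Keep this key off the cluster hosts; only the .crt is distributed.
    openssl req -x509 -nodes -newkey rsa:4096 -sha256 -days 1825 \
        -subj '/C=K8/ST=Cluster/L=Pod/O=SnakeOilCA/OU=SnakeOilCA/CN=SnakeOil Root CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_cert() {
    # $1 = DNS name of the registry host, e.g. registry.cluster.local (constructed).
    host="$1"
    # Extension file for the leaf: the SAN is what Go/containerd clients match on;
    # serverAuth restricts the cert to TLS server use.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$WORK/san.cnf"
    # CSR + private key for the registry host (1-year leaf, short-lived by design).
    openssl req -nodes -newkey rsa:4096 -sha256 \
        -subj "/C=K8/ST=Cluster/L=Pod/O=SnakeOil/OU=SnakeOil/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    # Sign with the CA, copying the SAN/EKU extensions onto the issued certificate.
    openssl x509 -req -in "$WORK/$host.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$WORK/san.cnf" \
        -out "$WORK/$host.crt" 2>/dev/null
}

verify_chain() {
    # Returns 0 only if the leaf chains to our CA AND carries the expected SAN.
    host="$1"
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$host.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/$host.crt" -noout -text 2>/dev/null | grep -q "DNS:$host"
}

# Usage: make_ca; issue_cert registry.cluster.local; verify_chain registry.cluster.local
# Only after verify_chain succeeds copy $WORK/ca.crt into the anchors directory
# (update-ca-trust / update-ca-certificates) and restart containerd where required.
```

The functions keep the CA key and the issued leaf in one temporary tree for the demonstration; in practice the CA key stays on an offline signing host and only `ca.crt` is copied into the trust store on each node, which is the only part of the flow that needs root.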
Hi guys,
Thank you for your comments.
It’s quite complicated to have our own repository… machines are managed by our customer, so we can only have permission to perform installation/configuration for a certain application. With Kubernetes 1.18 it was not a problem to perform an offline installation, but starting with 1.19 it appeared not that simple. I’ve created an issue here Offline upgrade Kubernetes 1.18 -> 1.19 fails · Issue #102807 · kubernetes/kubernetes · GitHub, so maybe it will have some progress.
The problem you’re overcoming is that you’re using software that wasn’t really made with offline use in mind.