This project sets up a production-grade Kubernetes cluster using Terraform and Multipass. It's designed to create a highly available Kubernetes environment suitable for learning, testing, and CKA (Certified Kubernetes Administrator) exam preparation.
- main.tf: Main Terraform configuration for creating Multipass instances
- variables.tf: Variable definitions for the Terraform configuration
- terraform.tfvars: Default values for Terraform variables
- versions.tf: Required provider versions
- outputs.tf: Output definitions for cluster information
- control-plane-init.yaml: Cloud-init configuration for initializing the first control plane node
- control-plane-join.yaml: Cloud-init configuration for additional control plane nodes
- worker-init.yaml: Cloud-init configuration for worker nodes
- haproxy-init.yaml: Cloud-init configuration for HAProxy load balancers with Keepalived
- 3 Control Plane nodes (1 init + 2 join)
- 3 Worker nodes
- 2 HAProxy load balancers with Keepalived for high availability
- Control Plane nodes: 4 CPUs, 4GiB memory, 20GiB disk
- Worker nodes: 2 CPUs, 3GiB memory, 20GiB disk
- HAProxy nodes: 1 CPU, 1GiB memory, 5GiB disk
- Default Multipass bridge network (mpbr0)
- Virtual IP for HAProxy: 172.16.0.100 (must be an unused address inside the mpbr0 subnet)
- Pod Network CIDR: 192.168.0.0/16
- Service CIDR: 10.96.0.0/12 (Kubernetes default)
These three ranges must not overlap. If your Multipass bridge hands out 192.168.x.x addresses (as it does by default on macOS), change pod_network_cidr before applying; otherwise the pod routes installed by Calico shadow the host network and the VIP.
The cluster can be customized using the following variables in terraform.tfvars:
control_plane_count = 3 # Number of control plane nodes
worker_count = 3 # Number of worker nodes
haproxy_count = 2 # Number of HAProxy nodes
k8s_version = "1.29" # Kubernetes version
pod_network_cidr = "192.168.0.0/16"
virtual_ip = "172.16.0.100"
- Dual HAProxy load balancers with Keepalived
- Virtual IP (172.16.0.100) for control plane access
- Automatic failover of the VIP between HAProxy instances (VRRP via Keepalived)
- etcd backup and restore capabilities
- Calico network plugin
- CoreDNS with optimized configuration
- Network policies for namespace isolation
- IPVS mode for kube-proxy
- Pod Security Standards
- Audit logging
- Resource quotas
- Network policies
- TLS-protected communication between cluster components
- Prometheus and Grafana stack
- Metrics Server
- Comprehensive audit logging
- Log rotation for all components
- HAProxy logging and monitoring
- Automated etcd snapshots every 6 hours
- Backup retention management
- Disaster recovery procedures
- Sample deployments and services
- CKA exam scenario setups
- Resource quotas and limits
- Cluster autoscaling configuration
- Node affinity rules for critical components
- Terraform >= 1.0.0
- Multipass >= 1.8.0
- Minimum system requirements:
  - 16GB RAM
  - 8 CPU cores
  - 100GB free disk space
Note that the default node sizes listed above add up to 23 GiB of guest memory (3 x 4 GiB + 3 x 3 GiB + 2 x 1 GiB) and 20 vCPUs, so a 16 GB host cannot run the default layout as-is; reduce the node counts (or the per-node sizes) before applying so the VMs fit your machine.
- Clone this repository:
git clone <repository-url>
cd kubernetes-multipass-cluster
- (Optional) Modify terraform.tfvars to customize the cluster
- Initialize Terraform:
terraform init
- Apply the configuration:
terraform apply
- Get cluster information (the eval executes whatever the Terraform output contains, so print it first if you want to see the command):
# View cluster information
cat cluster_info.txt
# Get kubeconfig
eval $(terraform output -raw kubeconfig_command)
The cluster can be accessed through the HAProxy virtual IP (172.16.0.100:6443); the kubeconfig's server address should point at the VIP rather than at an individual control plane node, so that clients survive a control plane node failure. Alternatively, inside any control plane node, set up kubectl for the current user from the kubeadm admin credentials (admin.conf carries cluster-admin rights, so keep the copy readable only by you):
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
- Grafana: http://<node-ip>:30000, where <node-ip> is any node address from multipass list (default credentials admin/admin; change the password at first login, since a NodePort is reachable from anything on the Multipass bridge)
- Prometheus: http://<node-ip>:30090 (unauthenticated by default, same exposure)
Automated etcd backups are configured to run every 6 hours. Backups are stored on the control plane nodes in:
/var/lib/etcd/backup/
A snapshot holds the complete cluster state, including every Secret in clear text unless encryption at rest is enabled, so keep its file permissions restricted and copy it off the node only over an authenticated channel.
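The snapshot job described above, as an added example (not a script from this repository): it takes a snapshot over TLS with the kubeadm client certificate, verifies the file, locks down its permissions, and prunes to a fixed number of snapshots. It assumes it runs as root on a control plane node, that etcd 3.5+ is installed so that etcdutl exists, and kubeadm's default PKI layout under /etc/kubernetes/pki/etcd; the 28-snapshot retention is an assumed value (6-hourly snapshots for 7 days).

```shell
#!/bin/sh
# etcd-snapshot.sh: added example, not a script from this repository.
# Takes a verified etcd snapshot with the kubeadm certificate paths, locks the
# file down and prunes old snapshots. Assumptions (not from the README): runs as
# root on a control plane node, etcd 3.5+ so that etcdutl exists, kubeadm's
# default PKI layout under /etc/kubernetes/pki/etcd.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/var/lib/etcd/backup}"   # path named in the README
KEEP="${KEEP:-28}"                                  # assumed: 6-hourly snapshots for 7 days
ETCD_PKI="${ETCD_PKI:-/etc/kubernetes/pki/etcd}"

# UTC timestamp in the file name so that lexical order equals chronological order.
snapshot_name() {
    printf 'etcd-snapshot-%s.db\n' "$(date -u +%Y%m%dT%H%M%SZ)"
}

take_snapshot() {
    out="$BACKUP_DIR/$(snapshot_name)"
    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"
    # Talk to the local member over TLS with its own cert; all three flags are
    # mandatory on a kubeadm cluster because etcd requires client certificates.
    ETCDCTL_API=3 etcdctl \
        --endpoints=https://127.0.0.1:2379 \
        --cacert="$ETCD_PKI/ca.crt" \
        --cert="$ETCD_PKI/server.crt" \
        --key="$ETCD_PKI/server.key" \
        snapshot save "$out"
    # The snapshot holds every Secret in clear text unless encryption at rest is
    # configured, so it gets the same protection as the etcd data directory.
    chmod 600 "$out"
    # Integrity check: reads hash, revision and key count back from the file.
    etcdutl snapshot status "$out" -w table
    printf '%s\n' "$out"
}

# Keep only the newest $2 snapshots in $1 and print how many remain.
prune_snapshots() {
    n=0
    for f in $(ls -1 "$1"/etcd-snapshot-*.db 2>/dev/null | sort -r); do
        n=$((n + 1))
        [ "$n" -le "$2" ] || rm -f "$f"
    done
    ls -1 "$1"/etcd-snapshot-*.db 2>/dev/null | wc -l | tr -d ' '
}

# Run from cron on each control plane node:
#   0 */6 * * * /usr/local/sbin/etcd-snapshot.sh run
if [ "${1:-}" = "run" ]; then
    take_snapshot
    prune_snapshots "$BACKUP_DIR" "$KEEP"
fi
```

Pruning by file name rather than by mtime is deliberate: the UTC timestamp in the name is what a restore operator reads, and it is unaffected by a `cp -p` or a clock step on the node.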
- Kubernetes audit logs (on the control plane nodes):
/var/log/kubernetes/audit/audit.log
- HAProxy logs (on the HAProxy nodes):
/var/log/haproxy.log
- System logs (on every node):
/var/log/syslog
- Node connectivity issues:
kubectl get nodes
kubectl describe node <node-name>
- Pod networking issues:
kubectl get pods -A
kubectl describe pod <pod-name> -n <namespace>
- HAProxy status check (on a HAProxy node):
systemctl status haproxy
systemctl status keepalived
# Collect all relevant logs
kubectl cluster-info dump --output-directory=cluster-logs
- Check HAProxy and Keepalived status:
multipass exec haproxy-1 -- sudo systemctl status haproxy
multipass exec haproxy-1 -- sudo systemctl status keepalived
- Verify virtual IP assignment (exactly one HAProxy node should show 172.16.0.100 at any time; repeat for the other node):
multipass exec haproxy-1 -- ip addr show
- Test control plane connectivity (-k skips certificate verification, which is acceptable for a reachability check but not for anything else):
curl -k https://172.16.0.100:6443/healthz
- View Terraform outputs:
terraform output
- Check instance status:
multipass list
- Access instance logs:
multipass exec <instance-name> -- sudo cat /var/log/cloud-init-output.log
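The VIP and control plane checks above, folded into one script as an added example (not part of this repository): it finds which HAProxy node currently holds the Keepalived VIP, flags the two failure modes (no holder, or two holders after a VRRP split), and probes the API server through the VIP with the cluster CA instead of curl -k. Assumptions not stated in the README: the second HAProxy instance is named haproxy-2 (only haproxy-1 is named on this page), and the cluster CA has been copied to ./ca.crt from /etc/kubernetes/pki/ca.crt on a control plane node. The embedded sample output is constructed, not captured from a real cluster.

```shell
#!/bin/sh
# vip-check.sh: added example, not a script from this repository.
# Assumptions: HAProxy instances haproxy-1 and haproxy-2 (haproxy-2 assumed),
# VIP 172.16.0.100, cluster CA copied to ./ca.crt.
set -eu

VIP="${VIP:-172.16.0.100}"
HAPROXY_NODES="${HAPROXY_NODES:-haproxy-1 haproxy-2}"
CA_CERT="${CA_CERT:-ca.crt}"

# Collect `ip -4 -o addr show` from every HAProxy node, one line per address,
# each line prefixed with the node name so the results can be merged.
gather_addrs() {
    for node in $HAPROXY_NODES; do
        multipass exec "$node" -- ip -4 -o addr show | sed "s/^/$node: /"
    done
}

# $1 = VIP, $2 = merged output of gather_addrs. Prints the holder node names.
# "inet VIP/" anchors on the prefix length so 172.16.0.10 never matches 172.16.0.100.
vip_holders() {
    printf '%s\n' "$2" | grep "inet $1/" | cut -d: -f1 | sort -u
}

# Classifies the VRRP state: "ok <node>", "no-master" or "split-brain <nodes>".
vip_state() {
    holders=$(vip_holders "$1" "$2" || true)
    count=$(printf '%s' "$holders" | grep -c . || true)
    case "$count" in
        0) echo "no-master" ;;
        1) echo "ok $holders" ;;
        *) echo "split-brain $(printf '%s' "$holders" | tr '\n' ' ')" ;;
    esac
}

# Reachability plus certificate check: the API server cert must carry the VIP
# as a SAN (kubeadm's control-plane endpoint) or verification fails, which is
# exactly the condition that -k would hide.
check_apiserver() {
    curl -sS --max-time 5 --cacert "$CA_CERT" "https://$1:6443/healthz"
}

# Constructed sample (not captured from a real cluster): haproxy-1 is MASTER.
SAMPLE_OK='haproxy-1: 1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
haproxy-1: 2: eth0    inet 172.16.0.11/24 brd 172.16.0.255 scope global eth0\       valid_lft forever preferred_lft forever
haproxy-1: 2: eth0    inet 172.16.0.100/32 scope global eth0\       valid_lft forever preferred_lft forever
haproxy-2: 2: eth0    inet 172.16.0.12/24 brd 172.16.0.255 scope global eth0\       valid_lft forever preferred_lft forever'

if [ "${1:-}" = "run" ]; then
    vip_state "$VIP" "$(gather_addrs)"
    check_apiserver "$VIP" && echo
fi
```

Run it as `./vip-check.sh run` from the host; a "split-brain" result usually means the two Keepalived instances cannot see each other's VRRP advertisements (multicast filtered on the bridge, or mismatched virtual_router_id/auth), and every client then races between two backends.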
Network Policies are configured to:
- Deny all ingress by default
- Allow specific inter-namespace communication
- Protect system namespaces
Pod Security Standards:
- Restricted namespace configured
- Enforced by the built-in Pod Security Admission controller (PodSecurityPolicy was removed in Kubernetes 1.25 and is not available with the default k8s_version of 1.29)
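What "deny all ingress by default, allow specific inter-namespace communication" and a restricted namespace look like as objects, as an added example that is not taken from this repository's manifests: a default-deny ingress policy, an allow-from-namespace policy, and the Pod Security Admission labels for one namespace. The namespace names "team-a" (the protected namespace) and "monitoring" (the namespace allowed in, e.g. for Prometheus scraping) are placeholders, and the apply step assumes kubectl with cluster-admin access.

```shell
#!/bin/sh
# ns-baseline.sh: added example, not a script or manifest from this repository.
# Placeholder names: "team-a" (protected namespace), "monitoring" (allowed peer).
set -eu

# Print the two NetworkPolicy manifests for $1 allowing ingress only from $2.
render_policies() {
    ns="$1"; from_ns="$2"
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: $ns
spec:
  podSelector: {}          # empty selector: every pod in the namespace
  policyTypes: [Ingress]   # only ingress is restricted; egress (incl. DNS) stays open
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-$from_ns
  namespace: $ns
spec:
  podSelector: {}
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: $from_ns   # set automatically on every namespace
EOF
}

# Labels that make Pod Security Admission enforce, warn and audit at level $1
# (default "restricted"); this replaces the removed PodSecurityPolicy admission.
psa_labels() {
    level="${1:-restricted}"
    printf 'pod-security.kubernetes.io/enforce=%s ' "$level"
    printf 'pod-security.kubernetes.io/warn=%s ' "$level"
    printf 'pod-security.kubernetes.io/audit=%s\n' "$level"
}

# Idempotently create the namespace, label it, and apply both policies.
apply_namespace_baseline() {
    ns="$1"; from_ns="$2"
    kubectl create namespace "$ns" --dry-run=client -o yaml | kubectl apply -f -
    # shellcheck disable=SC2046  # word splitting into three label arguments is intended
    kubectl label --overwrite namespace "$ns" $(psa_labels)
    render_policies "$ns" "$from_ns" | kubectl apply -f -
}

if [ "${1:-}" = "run" ]; then
    apply_namespace_baseline "${2:-team-a}" "${3:-monitoring}"
fi
```

Policies in a namespace are additive: the default-deny object selects every pod and allows nothing, and each further policy opens a specific hole, here everything from pods in the peer namespace. Calico enforces these objects; with a CNI that does not implement NetworkPolicy they are silently ignored, which is worth checking with a quick connectivity test after applying.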
This setup includes production-grade features but should be further hardened for actual production use. Additional security measures and customizations may be needed based on specific requirements.
Contributions are welcome! Please read our contributing guidelines and submit pull requests.