Installation
First ensure the pre-requisites are met
Install Kuid
Once the cluster is deployed, we install the kuid
server. These manifests deploy kuid as a Deployment:
- the kuid container embeds an apiserver and various controllers
Artifact Content
---
# Namespace that the namespaced kuid objects in this manifest are created in
# (Deployment, Services, ServiceAccount, Secret, PersistentVolumeClaim).
apiVersion: v1
kind: Namespace
metadata:
  name: kuid-system
---
# Registers the as.be.kuid.dev/v1alpha1 group with the kube-apiserver
# aggregation layer; requests for it are proxied to the kuid-server Service
# in kuid-system on port 6443.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.as.be.kuid.dev
spec:
  group: as.be.kuid.dev
  version: v1alpha1
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: kuid-server
    namespace: kuid-system
    port: 6443
  # NOTE(review): with insecureSkipTLSVerify the aggregator does not validate
  # kuid-server's serving certificate, so the backend it proxies to is not
  # authenticated. Outside a lab, set spec.caBundle to the CA that signed the
  # serving certificate and remove this field.
  insecureSkipTLSVerify: true
---
# Registers the extcomm.be.kuid.dev/v1alpha1 group with the aggregation layer,
# backed by the kuid-server Service in kuid-system on port 6443.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.extcomm.be.kuid.dev
spec:
  group: extcomm.be.kuid.dev
  version: v1alpha1
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: kuid-server
    namespace: kuid-system
    port: 6443
  # NOTE(review): the backend's serving certificate is not verified while this
  # is true; prefer spec.caBundle with the signing CA and drop this field.
  insecureSkipTLSVerify: true
---
# Registers the genid.be.kuid.dev/v1alpha1 group with the aggregation layer,
# backed by the kuid-server Service in kuid-system on port 6443.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.genid.be.kuid.dev
spec:
  group: genid.be.kuid.dev
  version: v1alpha1
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: kuid-server
    namespace: kuid-system
    port: 6443
  # NOTE(review): the backend's serving certificate is not verified while this
  # is true; prefer spec.caBundle with the signing CA and drop this field.
  insecureSkipTLSVerify: true
---
# Registers the infra.kuid.dev/v1alpha1 group with the aggregation layer,
# backed by the kuid-server Service in kuid-system on port 6443.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.infra.kuid.dev
spec:
  group: infra.kuid.dev
  version: v1alpha1
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: kuid-server
    namespace: kuid-system
    port: 6443
  # NOTE(review): the backend's serving certificate is not verified while this
  # is true; prefer spec.caBundle with the signing CA and drop this field.
  insecureSkipTLSVerify: true
---
# Registers the ipam.be.kuid.dev/v1alpha1 group with the aggregation layer,
# backed by the kuid-server Service in kuid-system on port 6443.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.ipam.be.kuid.dev
spec:
  group: ipam.be.kuid.dev
  version: v1alpha1
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: kuid-server
    namespace: kuid-system
    port: 6443
  # NOTE(review): the backend's serving certificate is not verified while this
  # is true; prefer spec.caBundle with the signing CA and drop this field.
  insecureSkipTLSVerify: true
---
# Registers the vlan.be.kuid.dev/v1alpha1 group with the aggregation layer,
# backed by the kuid-server Service in kuid-system on port 6443.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.vlan.be.kuid.dev
spec:
  group: vlan.be.kuid.dev
  version: v1alpha1
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: kuid-server
    namespace: kuid-system
    port: 6443
  # NOTE(review): the backend's serving certificate is not verified while this
  # is true; prefer spec.caBundle with the signing CA and drop this field.
  insecureSkipTLSVerify: true
---
# Registers the vxlan.be.kuid.dev/v1alpha1 group with the aggregation layer,
# backed by the kuid-server Service in kuid-system on port 6443.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.vxlan.be.kuid.dev
spec:
  group: vxlan.be.kuid.dev
  version: v1alpha1
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: kuid-server
    namespace: kuid-system
    port: 6443
  # NOTE(review): the backend's serving certificate is not verified while this
  # is true; prefer spec.caBundle with the signing CA and drop this field.
  insecureSkipTLSVerify: true
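---
# Runs the kuid-server container (extension API server plus controllers) as a
# single-replica Deployment in kuid-system.
#
# Hardening added relative to the published manifest: runAsNonRoot and a
# RuntimeDefault seccomp profile at pod level, and a container securityContext
# that forbids privilege escalation and drops all capabilities. The process
# already runs as UID/GID 10000 and binds an unprivileged port (6443), so none
# of these are expected to change how it runs.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kuid-server
  namespace: kuid-system
  labels:
    app.kubernetes.io/name: kuid-server
spec:
  replicas: 1
  # Recreate stops the old pod before the new one starts; presumably chosen
  # because the config-store claim is ReadWriteOnce - confirm.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: kuid-server
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kuid-server
    spec:
      serviceAccountName: kuid-server
      securityContext:
        # Make the kubelet refuse to start the container as UID 0 even if the
        # image or a later edit changes the user.
        runAsNonRoot: true
        runAsUser: 10000
        runAsGroup: 10000
        fsGroup: 10000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kuid-server
          # NOTE(review): a tag combined with imagePullPolicy Always means a
          # re-pushed tag is picked up on the next restart. Pin by digest
          # (ghcr.io/kuidio/kuid-server@sha256:<DIGEST_PLACEHOLDER>) where the
          # supply chain matters.
          image: ghcr.io/kuidio/kuid-server:v0.0.11
          imagePullPolicy: Always
          command:
            - /app/kuid-server
          args:
            # Serving certificate and key come from the kuid-server Secret
            # mounted below.
            - --tls-cert-file=/apiserver.local.config/certificates/tls.crt
            - --tls-private-key-file=/apiserver.local.config/certificates/tls.key
            # "-" sends the audit log to stdout, so retention depends on the
            # cluster's log collection.
            - --audit-log-path=-
            - --audit-log-maxage=0
            - --audit-log-maxbackup=0
            - --secure-port=6443
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            # Downward-API values describing where the pod is running.
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: NODE_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.hostIP
            # Feature switches; values are strings because env vars are
            # always strings.
            - name: ENABLE_ASINDEX
              value: "true"
            - name: ENABLE_ASCLAIM
              value: "true"
            - name: ENABLE_VLANINDEX
              value: "true"
            - name: ENABLE_VLANCLAIM
              value: "true"
            - name: ENABLE_VXLANINDEX
              value: "true"
            - name: ENABLE_VXLANCLAIM
              value: "true"
            - name: ENABLE_IPINDEX
              value: "true"
            - name: ENABLE_IPCLAIM
              value: "true"
            - name: ENABLE_EXTCOMMINDEX
              value: "true"
            - name: ENABLE_EXTCOMMCLAIM
              value: "true"
            - name: ENABLE_GENIDINDEX
              value: "true"
            - name: ENABLE_GENIDCLAIM
              value: "true"
          volumeMounts:
            - name: apiserver-certs
              mountPath: /apiserver.local.config/certificates
              readOnly: true
            - name: config-store
              mountPath: /config
      volumes:
        - name: apiserver-certs
          secret:
            secretName: kuid-server
        - name: config-store
          persistentVolumeClaim:
            claimName: pvc-config-store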
---
# Cluster-wide permissions for the kuid-server ServiceAccount.
# Rules that share an API group and verb set are merged into one rule; RBAC
# rules are additive, so the granted permissions are the same as when each
# resource pair is listed in its own rule.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kuid-server-clusterrole
rules:
  # Read-only access to core objects.
  # NOTE(review): this includes get/list/watch on secrets in every namespace.
  # Confirm kuid-server needs cluster-wide secret reads; if not, drop
  # "secrets" here or grant it through a namespaced Role.
  - apiGroups: [""]
    resources:
      - namespaces
      - secrets
      - services
      - pods
    verbs: [get, watch, list]
  # Event recording.
  - apiGroups: [""]
    resources:
      - events
    verbs: [create, patch]
  # Read-only access to admission configuration.
  - apiGroups: [admissionregistration.k8s.io]
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
      - validatingadmissionpolicies
      - validatingadmissionpolicybindings
    verbs: [get, watch, list]
  # Read-only access to API priority and fairness configuration.
  - apiGroups: [flowcontrol.apiserver.k8s.io]
    resources:
      - flowschemas
      - prioritylevelconfigurations
    verbs: [get, watch, list]
  # Full access to leases in every namespace.
  - apiGroups: [coordination.k8s.io]
    resources:
      - leases
    verbs: [get, watch, list, create, update, patch, delete]
  # Full access to the kuid API groups, including status subresources.
  - apiGroups: [ipam.be.kuid.dev]
    resources:
      - ipclaims
      - ipclaims/status
      - ipentries
      - ipentries/status
      - ipindices
      - ipindices/status
    verbs: [get, watch, list, create, update, patch, delete]
  - apiGroups: [vlan.be.kuid.dev]
    resources:
      - vlanclaims
      - vlanclaims/status
      - vlanentries
      - vlanentries/status
      - vlanindices
      - vlanindices/status
    verbs: [get, watch, list, create, update, patch, delete]
  - apiGroups: [vxlan.be.kuid.dev]
    resources:
      - vxlanclaims
      - vxlanclaims/status
      - vxlanentries
      - vxlanentries/status
      - vxlanindices
      - vxlanindices/status
    verbs: [get, watch, list, create, update, patch, delete]
  - apiGroups: [as.be.kuid.dev]
    resources:
      - asclaims
      - asclaims/status
      - asentries
      - asentries/status
      - asindices
      - asindices/status
    verbs: [get, watch, list, create, update, patch, delete]
  - apiGroups: [extcomm.be.kuid.dev]
    resources:
      - extcommclaims
      - extcommclaims/status
      - extcommentries
      - extcommentries/status
      - extcommindices
      - extcommindices/status
    verbs: [get, watch, list, create, update, patch, delete]
  - apiGroups: [genid.be.kuid.dev]
    resources:
      - genidclaims
      - genidclaims/status
      - genidentries
      - genidentries/status
      - genidindices
      - genidindices/status
    verbs: [get, watch, list, create, update, patch, delete]
---
# Binds the built-in system:auth-delegator ClusterRole to the kuid-server
# ServiceAccount. That role is what lets an extension API server delegate
# authentication and authorization checks to the kube-apiserver.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: config:system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: kuid-server
    namespace: kuid-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
---
# Grants kuid-server-clusterrole to the kuid-server ServiceAccount across the
# whole cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kuid-server-clusterrolebinding
subjects:
  - kind: ServiceAccount
    name: kuid-server
    namespace: kuid-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kuid-server-clusterrole
---
# Namespaced Role in kuid-system: read ServiceAccounts and create tokens for
# them.
# NOTE(review): "create" on serviceaccounts/token has no resourceNames, so a
# holder can mint tokens for any ServiceAccount in kuid-system. No RoleBinding
# in the manifest shown here references this Role - confirm whether one is
# missing or the Role is unused.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kuid-server-apiserver-role
  namespace: kuid-system
rules:
  - apiGroups: [""]
    resources:
      - serviceaccounts
    verbs: [get]
  - apiGroups: [""]
    resources:
      - serviceaccounts/token
    verbs: [create]
---
# RoleBinding for the kuid-server ServiceAccount.
# NOTE(review): three things to confirm before relying on this object:
#  - metadata.namespace is not set, so it is created in whatever namespace the
#    apply command targets;
#  - roleRef points at a ClusterRole named
#    extension-apiserver-authentication-reader, while the other RoleBinding in
#    this manifest references that name as a Role in kube-system, and no
#    ClusterRole by that name is defined here;
#  - the name repeats that of the ClusterRoleBinding above, which makes audit
#    output harder to read.
# It may have been intended to bind kuid-server-apiserver-role instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kuid-server-clusterrolebinding
subjects:
  - kind: ServiceAccount
    name: kuid-server
    namespace: kuid-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: extension-apiserver-authentication-reader
---
# Lets the kuid-server ServiceAccount use the
# extension-apiserver-authentication-reader Role in kube-system, which an
# extension API server needs to read the cluster's authentication
# configuration.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kuid-server-auth-reader
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: kuid-server
    namespace: kuid-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
---
# 10Gi claim that the kuid-server Deployment mounts at /config.
# No storageClassName is set, so the cluster's default StorageClass applies.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-config-store
  namespace: kuid-system
spec:
  resources:
    requests:
      storage: 10Gi
  accessModes:
    - ReadWriteOnce
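---
# TLS serving certificate and key for kuid-server, mounted by the Deployment at
# /apiserver.local.config/certificates.
#
# The published manifest carried a fixed RSA private key inline. A key printed
# in public documentation is known to every reader, so any install that reuses
# it has a serving identity anyone can impersonate. That matters all the more
# because the APIService objects in this manifest set
# insecureSkipTLSVerify: true.
#
# The values below are placeholders. Generate a certificate and key per
# cluster (for example with the cluster's certificate tooling, or by creating
# the object with `kubectl create secret tls kuid-server -n kuid-system
# --cert=<CERT_FILE> --key=<KEY_FILE>`) and keep the key out of version
# control. Treat any cluster that was installed with the published key as
# needing rotation.
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: kuid-server
  namespace: kuid-system
  labels:
    app.kubernetes.io/name: kuid-server
data:
  tls.crt: "<BASE64_PEM_CERTIFICATE_PLACEHOLDER>"
  tls.key: "<BASE64_PEM_PRIVATE_KEY_PLACEHOLDER>"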
---
# ClusterIP Service exposing port 8443 of the kuid-server pods as "metrics".
# NOTE(review): the Deployment args in this manifest only set
# --secure-port=6443; confirm the process actually listens on 8443.
apiVersion: v1
kind: Service
metadata:
  name: kuid-server-metrics
  namespace: kuid-system
  labels:
    app.kubernetes.io/name: kuid-server
spec:
  selector:
    app.kubernetes.io/name: kuid-server
  ports:
    - name: metrics
      protocol: TCP
      port: 8443
      targetPort: 8443
---
# ClusterIP Service in front of the kuid-server pods on port 6443; this is the
# backend that the APIService objects in this manifest point at.
apiVersion: v1
kind: Service
metadata:
  name: kuid-server
  namespace: kuid-system
  labels:
    app.kubernetes.io/name: kuid-server
spec:
  selector:
    app.kubernetes.io/name: kuid-server
  ports:
    - name: apiserver
      protocol: TCP
      port: 6443
      targetPort: 6443
---
# Identity the kuid-server pod runs as; the RBAC bindings in this manifest all
# name this ServiceAccount as their subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kuid-server
  namespace: kuid-system
  labels:
    app.kubernetes.io/name: kuid-server
If successful, you should see a running container similar to this
output