mbogning.com - Building is my Passion

Deploying and Configuring a High-Security Kubernetes Cluster on Debian 12: Enterprise Infrastructure Guide

This guide covers the entire process of installing and configuring a Kubernetes cluster in an enterprise environment, with a particular focus on security and best practices.

1. Architecture and prerequisites

Target architecture

  • 1 master node
  • 2 worker nodes
  • Calico overlay network
  • OS: Debian 12 (Bookworm)
  • Environment: VirtualBox

Master node

  • CPU: 2 vCPU minimum
  • RAM: 4 GB minimum
  • Disk: 50 GB minimum

Worker nodes

  • CPU: 4 vCPU minimum
  • RAM: 8 GB minimum
  • Disk: 100 GB minimum

2. Initial system configuration

On all nodes

# Initial system update
sudo apt update && sudo apt upgrade -y

# Installing essential packages
sudo apt install -y apt-transport-https ca-certificates curl gnupg lsb-release systemd-timesyncd

# NTP configuration
sudo systemctl enable systemd-timesyncd
sudo systemctl start systemd-timesyncd

# Disable swap
sudo swapoff -a
sudo sed -i '/ swap / s/^/#/' /etc/fstab

# Load the necessary kernel modules
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF

sudo modprobe overlay
sudo modprobe br_netfilter

# Network requirements for Kubernetes (bridged traffic through iptables, IP forwarding)
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables  = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward                 = 1
EOF

sudo sysctl --system

3. Installation of basic components

On all nodes

# Installing containerd 
sudo apt install -y containerd

# Configuring containerd for kubernetes
sudo mkdir -p /etc/containerd
containerd config default | sudo tee /etc/containerd/config.toml
sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' /etc/containerd/config.toml
sudo systemctl restart containerd

# Installing Kubernetes tools
# Download the signing key of the official Kubernetes repository
sudo mkdir -p -m 755 /etc/apt/keyrings
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.31/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg

# Add the Kubernetes repository (packages are verified against the key above)
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.31/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list

# Installing kubernetes packages
sudo apt update
sudo apt install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl

4. Cluster initialization

On the master node only

# Initialization (the pod CIDR matches Calico's default; replace MASTER_IP with the master's address)
sudo kubeadm init --pod-network-cidr=192.168.0.0/16 --control-plane-endpoint="MASTER_IP:6443" --upload-certs

# Configuration for the non-root user
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

# Installing Calico
kubectl create -f https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/calico.yaml

On the worker nodes

# Execute the join command obtained during initialisation
sudo kubeadm join MASTER_IP:6443 --token <token> --discovery-token-ca-cert-hash sha256:<hash>

5. Post-installation configuration

On the master node

# Cluster verification
kubectl get nodes
kubectl get pods -A

# Storage configuration
kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisioner/master/deploy/local-path-storage.yaml
kubectl patch storageclass local-path -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'

6. Securing the cluster

On the master node only

# Creating a user with limited access
# 1. Generate a certificate for the user
openssl genrsa -out mbogning.key 2048
openssl req -new -key mbogning.key -out mbogning.csr -subj "/CN=mbogning/O=team1"

# 2. Sign the certificate
sudo openssl x509 -req -in mbogning.csr \
    -CA /etc/kubernetes/pki/ca.crt \
    -CAkey /etc/kubernetes/pki/ca.key \
    -CAcreateserial \
    -out mbogning.crt -days 365

# 3. Create the namespace and configure rights
kubectl create namespace production

kubectl create role pod-reader --verb=get,list,watch --resource=pods --namespace=production
kubectl create rolebinding pod-reader-binding --role=pod-reader --user=mbogning --namespace=production

# 4. Add the user's credentials and a context to the current kubeconfig
kubectl config set-credentials mbogning \
    --client-certificate=mbogning.crt \
    --client-key=mbogning.key

kubectl config set-context mbogning-context \
    --cluster=kubernetes \
    --namespace=production \
    --user=mbogning

# Configuring network policies
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF

7. Monitoring and logging

On the master node

# Helm installation
curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
sudo apt update && sudo apt install -y helm

# Add the required Helm repositories
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo add elastic https://helm.elastic.co
helm repo add fluent https://fluent.github.io/helm-charts
helm repo update

# Installing Prometheus and Grafana
helm install prometheus prometheus-community/kube-prometheus-stack --namespace monitoring --create-namespace

# Installing the EFK stack
kubectl create namespace logging
helm install elasticsearch elastic/elasticsearch --namespace logging
helm install fluentd fluent/fluentd --namespace logging
helm install kibana elastic/kibana --namespace logging

8. Maintenance and backup

On the master node

# Installing etcd tools
sudo apt install -y etcd-client

# Configuring etcd backups
sudo mkdir -p /etc/kubernetes/backup
sudo ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key \
  snapshot save /etc/kubernetes/backup/etcd-snapshot-$(date +%Y%m%d).db
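A snapshot is only worth keeping if it is intact, and a backup directory that grows forever is a disk-full incident waiting to happen. The helpers below are an added example, not part of the original guide: they write a SHA-256 sidecar next to each snapshot produced by the command above, verify it before a restore, and prune by the date encoded in the guide's etcd-snapshot-YYYYMMDD.db file name. The directory, file names and contents used in run_demo are constructed.

```python
import hashlib
import re
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path

SNAPSHOT_RE = re.compile(r"^etcd-snapshot-(\d{8})\.db$")  # the guide's file naming

def write_checksum(snapshot: Path) -> Path:
    """Record a SHA-256 sidecar so a truncated or altered backup is caught before a restore."""
    digest = hashlib.sha256(snapshot.read_bytes()).hexdigest()
    sidecar = snapshot.parent / (snapshot.name + ".sha256")
    sidecar.write_text(f"{digest}  {snapshot.name}\n")  # same layout as sha256sum -c expects
    return sidecar

def verify_checksum(snapshot: Path) -> bool:
    """False when the sidecar is missing or the digest no longer matches."""
    sidecar = snapshot.parent / (snapshot.name + ".sha256")
    if not sidecar.is_file():
        return False
    return hashlib.sha256(snapshot.read_bytes()).hexdigest() == sidecar.read_text().split()[0]

def prune_snapshots(backup_dir: Path, keep_days: int, today: date) -> list:
    """Delete snapshots (plus sidecars) older than keep_days, judged by the date in the
    file name rather than mtime, which a copy from another host can silently reset."""
    cutoff = today - timedelta(days=keep_days)
    removed = []
    for f in sorted(backup_dir.iterdir()):
        m = SNAPSHOT_RE.match(f.name)
        if not m or not f.is_file():
            continue
        if datetime.strptime(m.group(1), "%Y%m%d").date() < cutoff:
            (backup_dir / (f.name + ".sha256")).unlink(missing_ok=True)
            f.unlink()
            removed.append(f.name)
    return removed

def run_demo() -> dict:
    """Exercise the helpers on a scratch directory holding constructed sample files."""
    d = Path(tempfile.mkdtemp())
    old, new = d / "etcd-snapshot-20240101.db", d / "etcd-snapshot-20240110.db"
    old.write_bytes(b"constructed old snapshot")
    new.write_bytes(b"constructed new snapshot")
    write_checksum(new)
    intact = verify_checksum(new)
    new.write_bytes(b"tampered")  # simulate corruption after the backup was taken
    return {"intact": intact, "tampered": verify_checksum(new),
            "removed": prune_snapshots(d, keep_days=7, today=date(2024, 1, 12)),
            "remaining": sorted(p.name for p in d.iterdir())}
```

In a cron job, call write_checksum right after `etcdctl snapshot save` and prune_snapshots with `date.today()`; a snapshot without a valid sidecar should never be used for a restore.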

9. Validation and testing

# Cluster status check
kubectl get nodes
kubectl get pods -A
kubectl get componentstatuses   # deprecated since 1.19 but still answers, with a warning

# Checking monitoring services
kubectl get pods -n monitoring
kubectl get pods -n logging

# Network policy test: the pod in "production" is covered by default-deny-ingress,
# so a request from the "default" namespace must be dropped (curl times out)
kubectl run test-pod --image=nginx -n production
kubectl run test-client --image=nginx
kubectl wait --for=condition=Ready pod/test-pod -n production --timeout=120s
kubectl wait --for=condition=Ready pod/test-client --timeout=120s
# kubectl run creates no Service, so the name "test-pod" does not resolve: use the pod IP
POD_IP=$(kubectl get pod test-pod -n production -o jsonpath='{.status.podIP}')
kubectl exec test-client -- curl -s -m 5 "http://$POD_IP" && echo "policy NOT enforced" || echo "request blocked as expected"
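To see why the test above must fail, and what it takes to re-admit traffic from inside the namespace, here is an added example (not from the original guide) that models the ingress decision Kubernetes applies for the default-deny-ingress policy of section 6. The allow-same-namespace and allow-monitoring policies, the namespace labels and the client pods are constructed; only matchLabels selectors and the podSelector/namespaceSelector peer forms are handled (no matchExpressions, no ipBlock).

```python
from typing import Dict, List

Pod = Dict[str, object]  # {"namespace": str, "labels": {str: str}}

def _match(selector, labels: Dict[str, str]) -> bool:
    """matchLabels only: an empty or absent selector ({}) matches every pod."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def _peer_allows(peer: Dict, src: Pod, policy_ns: str, ns_labels: Dict) -> bool:
    """One entry of a rule's `from` list (podSelector / namespaceSelector forms only)."""
    has_ns, has_pod = "namespaceSelector" in peer, "podSelector" in peer
    if has_ns and not _match(peer["namespaceSelector"], ns_labels.get(src["namespace"], {})):
        return False
    if not has_ns and src["namespace"] != policy_ns:
        return False  # a bare podSelector only reaches pods in the policy's own namespace
    if has_pod and not _match(peer["podSelector"], src["labels"]):
        return False
    return has_ns or has_pod

def ingress_allowed(policies: List[Dict], src: Pod, dst: Pod, ns_labels: Dict = None) -> bool:
    """Is traffic from src to dst admitted by the Ingress policies that select dst?"""
    ns_labels = ns_labels or {}
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and _match(p["spec"].get("podSelector"), dst["labels"])]
    if not selecting:
        return True  # no Ingress policy selects the pod: everything is allowed
    for p in selecting:  # policies are additive: any matching rule admits the flow
        for rule in p["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers or any(_peer_allows(x, src, dst["namespace"], ns_labels) for x in peers):
                return True  # a rule without `from` admits all sources
    return False

# The policy applied in section 6, plus constructed pods matching the section 9 test
DEFAULT_DENY = {"metadata": {"name": "default-deny-ingress", "namespace": "production"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}}
# Constructed follow-up policy: re-admit only traffic from the production namespace
ALLOW_SAME_NS = {"metadata": {"name": "allow-same-namespace", "namespace": "production"},
                 "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
                          "ingress": [{"from": [{"podSelector": {}}]}]}}
TEST_POD = {"namespace": "production", "labels": {"run": "test-pod"}}      # kubectl run label
TEST_CLIENT = {"namespace": "default", "labels": {"run": "test-client"}}
PROD_CLIENT = {"namespace": "production", "labels": {"run": "prod-client"}}
```

With only DEFAULT_DENY in place the test-client request is refused even from inside production; adding ALLOW_SAME_NS admits production pods while the default namespace stays blocked, which is the shape most enterprise namespaces end up with.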

10. Best practices

Security

  • Regularly update all components
  • Apply the principle of least privilege
  • Activate audit logging
  • Regularly scan for vulnerabilities
  • Monitor security logs

Performance

  • Configure resource limits for all pods
  • Monitor resource usage
  • Optimise API requests
  • Use appropriate health checks

Maintenance

  • Backup etcd daily
  • Document all changes
  • Maintain a disaster recovery plan
  • Regularly test restoration procedures

Documentation
