Running Kubelet in Standalone Mode

This tutorial shows you how to run a standalone kubelet instance.

You may have different motivations for running a standalone kubelet. This tutorial is aimed at introducing you to Kubernetes, even if you don’t have much experience with it. You can follow this tutorial and learn about node setup, basic (static) Pods, and how Kubernetes manages containers.

Once you have followed this tutorial, you could try using a cluster that has a control plane to manage pods and nodes, and other types of objects. For example, Hello, minikube.

You can also run the kubelet in standalone mode to suit production use cases, such as to run the control plane for a highly available, resiliently deployed cluster. This tutorial does not cover the details you need for running a resilient control plane.

Objectives

  • Install cri-o, and kubelet on a Linux system and run them as systemd services.
  • Launch a Pod running nginx that listens to requests on TCP port 80 on the Pod’s IP address.
  • Learn how the different components of the solution interact among themselves.

Caution:

The kubelet configuration used for this tutorial is insecure by design and should not be used in a production environment.

Before you begin

  • Admin (root) access to a Linux system that uses systemd and iptables (or nftables with iptables emulation).
  • Access to the Internet to download the components needed for the tutorial, such as:

Prepare the system

Swap configuration

By default, kubelet fails to start if swap memory is detected on a node. This means that swap should either be disabled or tolerated by kubelet.

Note:

If you configure the kubelet to tolerate swap, the kubelet still configures Pods (and the containers in those Pods) not to use swap space. To find out how Pods can actually use the available swap, you can read more about swap memory management on Linux nodes.

If you have swap memory enabled, either disable it or add failSwapOn: false to the kubelet configuration file.

To check if swap is enabled:

  1. sudo swapon --show

If there is no output from the command, then swap memory is already disabled.

To disable swap temporarily:

  1. sudo swapoff -a

To make this change persistent across reboots:

Make sure swap is disabled in either /etc/fstab or systemd.swap, depending on how it was configured on your system.

Enable IPv4 packet forwarding

To check if IPv4 packet forwarding is enabled:

  1. cat /proc/sys/net/ipv4/ip_forward

If the output is 1, it is already enabled. If the output is 0, then follow next steps.

To enable IPv4 packet forwarding, create a configuration file that sets the net.ipv4.ip_forward parameter to 1:

  1. sudo tee /etc/sysctl.d/k8s.conf <<EOF
  2. net.ipv4.ip_forward = 1
  3. EOF

Apply the changes to the system:

  1. sudo sysctl --system

The output is similar to:

  1. ...
  2. * Applying /etc/sysctl.d/k8s.conf ...
  3. net.ipv4.ip_forward = 1
  4. * Applying /etc/sysctl.conf ...

Download, install, and configure the components

Note: This section links to third party projects that provide functionality required by Kubernetes. The Kubernetes project authors aren’t responsible for these projects, which are listed alphabetically. To add a project to this list, read the content guide before submitting a change. More information.

Install a container runtime

Download the latest available versions of the required packages (recommended).

This tutorial suggests installing the CRI-O container runtime (external link).

There are several ways to install the CRI-O container runtime, depending on your particular Linux distribution. Although CRI-O recommends using either deb or rpm packages, this tutorial uses the static binary bundle script of the CRI-O Packaging project, both to streamline the overall process, and to remain distribution agnostic.

The script installs and configures additional required software, such as cni-plugins, for container networking, and crun and runc, for running containers.

The script will automatically detect your system’s processor architecture (amd64 or arm64) and select and install the latest versions of the software packages.

Set up CRI-O

Visit the releases page (external link).

Download the static binary bundle script:

  1. curl https://raw.githubusercontent.com/cri-o/packaging/main/get > crio-install

Run the installer script:

  1. sudo bash crio-install

Enable and start the crio service:

  1. sudo systemctl daemon-reload
  2. sudo systemctl enable --now crio.service

Quick test:

  1. sudo systemctl is-active crio.service

The output is similar to:

  1. active

Detailed service check:

  1. sudo journalctl -f -u crio.service

Install network plugins

The cri-o installer installs and configures the cni-plugins package. You can verify the installation running the following command:

  1. /opt/cni/bin/bridge --version

The output is similar to:

  1. CNI bridge plugin v1.5.1
  2. CNI protocol versions supported: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 1.0.0

To check the default configuration:

  1. cat /etc/cni/net.d/11-crio-ipv4-bridge.conflist

The output is similar to:

  1. {
  2. "cniVersion": "1.0.0",
  3. "name": "crio",
  4. "plugins": [
  5. {
  6. "type": "bridge",
  7. "bridge": "cni0",
  8. "isGateway": true,
  9. "ipMasq": true,
  10. "hairpinMode": true,
  11. "ipam": {
  12. "type": "host-local",
  13. "routes": [
  14. { "dst": "0.0.0.0/0" }
  15. ],
  16. "ranges": [
  17. [{ "subnet": "10.85.0.0/16" }]
  18. ]
  19. }
  20. }
  21. ]
  22. }

Note:

Make sure that the default subnet range (10.85.0.0/16) does not overlap with any of your active networks. If there is an overlap, you can edit the file and change it accordingly. Restart the service after the change.

Download and set up the kubelet

Download the latest stable release of the kubelet.

  1. curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubelet"
  1. curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/arm64/kubelet"

Configure:

  1. sudo mkdir -p /etc/kubernetes/manifests
  1. sudo tee /etc/kubernetes/kubelet.yaml <<EOF
  2. apiVersion: kubelet.config.k8s.io/v1beta1
  3. kind: KubeletConfiguration
  4. authentication:
  5. webhook:
  6. enabled: false # Do NOT use in production clusters!
  7. authorization:
  8. mode: AlwaysAllow # Do NOT use in production clusters!
  9. enableServer: false
  10. logging:
  11. format: text
  12. address: 127.0.0.1 # Restrict access to localhost
  13. readOnlyPort: 10255 # Do NOT use in production clusters!
  14. staticPodPath: /etc/kubernetes/manifests
  15. containerRuntimeEndpoint: unix:///var/run/crio/crio.sock
  16. EOF

Note:

Because you are not setting up a production cluster, you are using plain HTTP (readOnlyPort: 10255) for unauthenticated queries to the kubelet’s API.

The authentication webhook is disabled and authorization mode is set to AlwaysAllow for the purpose of this tutorial. You can learn more about authorization modes and webhook authentication to properly configure kubelet in standalone mode in your environment.

See Ports and Protocols to understand which ports Kubernetes components use.

Install:

  1. chmod +x kubelet
  2. sudo cp kubelet /usr/bin/

Create a systemd service unit file:

  1. sudo tee /etc/systemd/system/kubelet.service <<EOF
  2. [Unit]
  3. Description=Kubelet
  4. [Service]
  5. ExecStart=/usr/bin/kubelet \
  6. --config=/etc/kubernetes/kubelet.yaml
  7. Restart=always
  8. [Install]
  9. WantedBy=multi-user.target
  10. EOF

The command line argument --kubeconfig has been intentionally omitted in the service configuration file. This argument sets the path to a kubeconfig file that specifies how to connect to the API server, enabling API server mode. Omitting it, enables standalone mode.

Enable and start the kubelet service:

  1. sudo systemctl daemon-reload
  2. sudo systemctl enable --now kubelet.service

Quick test:

  1. sudo systemctl is-active kubelet.service

The output is similar to:

  1. active

Detailed service check:

  1. sudo journalctl -u kubelet.service

Check the kubelet’s API /healthz endpoint:

  1. curl http://localhost:10255/healthz?verbose

The output is similar to:

  1. [+]ping ok
  2. [+]log ok
  3. [+]syncloop ok
  4. healthz check passed

Query the kubelet’s API /pods endpoint:

  1. curl http://localhost:10255/pods | jq '.'

The output is similar to:

  1. {
  2. "kind": "PodList",
  3. "apiVersion": "v1",
  4. "metadata": {},
  5. "items": null
  6. }

Run a Pod in the kubelet

In standalone mode, you can run Pods using Pod manifests. The manifests can either be on the local filesystem, or fetched via HTTP from a configuration source.

Create a manifest for a Pod:

  1. cat <<EOF > static-web.yaml
  2. apiVersion: v1
  3. kind: Pod
  4. metadata:
  5. name: static-web
  6. spec:
  7. containers:
  8. - name: web
  9. image: nginx
  10. ports:
  11. - name: web
  12. containerPort: 80
  13. protocol: TCP
  14. EOF

Copy the static-web.yaml manifest file to the /etc/kubernetes/manifests directory.

  1. sudo cp static-web.yaml /etc/kubernetes/manifests/

Find out information about the kubelet and the Pod

The Pod networking plugin creates a network bridge (cni0) and a pair of veth interfaces for each Pod (one of the pair is inside the newly made Pod, and the other is at the host level).

Query the kubelet’s API endpoint at http://localhost:10255/pods:

  1. curl http://localhost:10255/pods | jq '.'

To obtain the IP address of the static-web Pod:

  1. curl http://localhost:10255/pods | jq '.items[].status.podIP'

The output is similar to:

  1. "10.85.0.4"

Connect to the nginx server Pod on http://<IP>:<Port> (port 80 is the default), in this case:

  1. curl http://10.85.0.4

The output is similar to:

  1. <!DOCTYPE html>
  2. <html>
  3. <head>
  4. <title>Welcome to nginx!</title>
  5. ...

Where to look for more details

If you need to diagnose a problem getting this tutorial to work, you can look within the following directories for monitoring and troubleshooting:

  1. /var/lib/cni
  2. /var/lib/containers
  3. /var/lib/kubelet
  4. /var/log/containers
  5. /var/log/pods

Clean up

kubelet

  1. sudo systemctl disable --now kubelet.service
  2. sudo systemctl daemon-reload
  3. sudo rm /etc/systemd/system/kubelet.service
  4. sudo rm /usr/bin/kubelet
  5. sudo rm -rf /etc/kubernetes
  6. sudo rm -rf /var/lib/kubelet
  7. sudo rm -rf /var/log/containers
  8. sudo rm -rf /var/log/pods

Container Runtime

  1. sudo systemctl disable --now crio.service
  2. sudo systemctl daemon-reload
  3. sudo rm -rf /usr/local/bin
  4. sudo rm -rf /usr/local/lib
  5. sudo rm -rf /usr/local/share
  6. sudo rm -rf /usr/libexec/crio
  7. sudo rm -rf /etc/crio
  8. sudo rm -rf /etc/containers

Network Plugins

  1. sudo rm -rf /opt/cni
  2. sudo rm -rf /etc/cni
  3. sudo rm -rf /var/lib/cni

Conclusion

This page covered the basic aspects of deploying a kubelet in standalone mode. You are now ready to deploy Pods and test additional functionality.

Notice that in standalone mode the kubelet does not support fetching Pod configurations from the control plane (because there is no control plane connection).

You also cannot use a ConfigMap or a Secret to configure the containers in a static Pod.

What’s next