**Production-ready Kubernetes cluster setup guide from scratch using binaries and systemd**, with:
- 1 Master, 2 Worker Nodes
- Private IPs only
- OpenSSL for certs (valid for 10 years)
- Calico as CNI
- kubectl on master
🖥️ SERVER SETUP
✅ 1. Prerequisites (On All Nodes)
A. Set Hostnames
| Node | Example Hostname | Example Private IP |
|---|---|---|
| Master | kmaster | 10.0.0.10 |
| Worker 1 | kworker1 | 10.0.0.11 |
| Worker 2 | kworker2 | 10.0.0.12 |
sudo hostnamectl set-hostname <kmaster|kworker1|kworker2>
B. Add to /etc/hosts
on all nodes
10.0.0.10 kmaster
10.0.0.11 kworker1
10.0.0.12 kworker2
C. Disable swap, enable modules
```bash
sudo swapoff -a
sudo sed -i '/ swap / s/^/#/' /etc/fstab
# load the modules now and on every boot (modprobe alone does not survive a reboot;
# overlay is needed by containerd, br_netfilter by kube-proxy/CNI)
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF
sudo modprobe overlay
sudo modprobe br_netfilter
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
sudo sysctl --system
```
📦 2. Download Kubernetes Binaries
On every node (the master needs all six; workers only need kubelet and kube-proxy, kubectl is optional there):
```bash
VERSION=v1.30.0
cd /tmp
wget https://dl.k8s.io/release/$VERSION/bin/linux/amd64/{kubelet,kube-proxy,kubectl,kube-apiserver,kube-controller-manager,kube-scheduler}
sudo install -m 0755 kubelet kube-proxy kubectl kube-apiserver kube-controller-manager kube-scheduler /usr/local/bin/
```
etcd, on the master only:
```bash
wget https://github.com/etcd-io/etcd/releases/download/v3.5.12/etcd-v3.5.12-linux-amd64.tar.gz
tar -xvf etcd-v3.5.12-linux-amd64.tar.gz
sudo install -m 0755 etcd-v3.5.12-linux-amd64/{etcd,etcdctl} /usr/local/bin/
```
Verify what you downloaded before installing it: dl.k8s.io publishes a `<binary>.sha256` file next to each binary, and the etcd release page a `SHA256SUMS` file covering every archive.
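The download step, done the way a supply-chain-conscious operator does it, as an added example rather than commands from the original guide: every binary is checked against the SHA-256 the release publishes (dl.k8s.io serves a `<binary>.sha256` file next to each binary; the etcd release ships one `SHA256SUMS` file) and nothing lands in `/usr/local/bin` on a mismatch. The script name, the master/worker split and the use of curl instead of wget are this example's own choices.

```sh
#!/bin/sh
# fetch-k8s.sh (added example, not part of the original guide): download the
# Kubernetes and etcd release binaries and verify each against its published
# SHA-256 before installing it.
set -eu

VERSION="${VERSION:-v1.30.0}"
ETCD_VERSION="${ETCD_VERSION:-v3.5.12}"
ARCH="${ARCH:-amd64}"
K8S_BASE="https://dl.k8s.io/release/$VERSION/bin/linux/$ARCH"
ETCD_BASE="https://github.com/etcd-io/etcd/releases/download/$ETCD_VERSION"

# verify_sha256 <file> <expected-hex>: succeed only if the digest matches.
verify_sha256() {
  actual="$(sha256sum "$1" | cut -d' ' -f1)"
  [ "$actual" = "$2" ]
}

# fetch_k8s_binary <name> <dest-dir>: the <name>.sha256 sidecar holds the hex
# digest of the binary; refuse to install if it does not match.
fetch_k8s_binary() {
  name="$1"; dest="$2"
  tmp="$(mktemp -d)"
  curl -fsSL -o "$tmp/$name" "$K8S_BASE/$name"
  expected="$(curl -fsSL "$K8S_BASE/$name.sha256" | cut -d' ' -f1)"
  if ! verify_sha256 "$tmp/$name" "$expected"; then
    echo "checksum mismatch for $name, not installing" >&2
    rm -rf "$tmp"
    return 1
  fi
  install -m 0755 "$tmp/$name" "$dest/$name"
  rm -rf "$tmp"
}

# fetch_etcd <dest-dir>: one SHA256SUMS file lists every archive of the release.
fetch_etcd() {
  dest="$1"
  tarball="etcd-$ETCD_VERSION-linux-$ARCH.tar.gz"
  tmp="$(mktemp -d)"
  curl -fsSL -o "$tmp/$tarball" "$ETCD_BASE/$tarball"
  expected="$(curl -fsSL "$ETCD_BASE/SHA256SUMS" | grep " $tarball\$" | cut -d' ' -f1)"
  if ! verify_sha256 "$tmp/$tarball" "$expected"; then
    echo "checksum mismatch for $tarball, not installing" >&2
    rm -rf "$tmp"
    return 1
  fi
  tar -xzf "$tmp/$tarball" -C "$tmp"
  install -m 0755 "$tmp/${tarball%.tar.gz}/etcd" "$tmp/${tarball%.tar.gz}/etcdctl" "$dest/"
  rm -rf "$tmp"
}

# binaries_for_role <master|worker>: workers run only kubelet and kube-proxy,
# so the control-plane binaries never need to be present there.
binaries_for_role() {
  case "$1" in
    master) echo "kube-apiserver kube-controller-manager kube-scheduler kubectl kubelet kube-proxy" ;;
    worker) echo "kubelet kube-proxy" ;;
    *) return 1 ;;
  esac
}

main() {
  role="${1:-}"; dest="${2:-/usr/local/bin}"
  bins="$(binaries_for_role "$role")" || { echo "usage: $0 master|worker [dest-dir]" >&2; return 2; }
  for b in $bins; do
    fetch_k8s_binary "$b" "$dest"
  done
  if [ "$role" = master ]; then fetch_etcd "$dest"; fi
}

# Only act when given a role, so the functions can be sourced and reused.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run `sudo sh fetch-k8s.sh master` on kmaster and `sudo sh fetch-k8s.sh worker` on each worker. The digest files come from the same origin as the binaries, so this catches a corrupted or truncated download and a tampered mirror, not a compromise of the release infrastructure itself; for that you would additionally verify the release signatures.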
🔐 3. Generate Certificates with OpenSSL (on master)
```bash
mkdir -p ~/k8s-certs && cd ~/k8s-certs
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -subj "/CN=k8s-ca" -days 3650 -out ca.crt
```
You need to generate certificates, all signed by this CA, for:
- kube-apiserver (serving cert; SANs: 127.0.0.1, localhost, kmaster, 10.0.0.10, plus kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local and the first IP of the service CIDR, e.g. 10.96.0.1 for 10.96.0.0/12, so that pods reaching the API through the kubernetes service can verify it)
- etcd (serving cert with SANs 127.0.0.1 and 10.0.0.10), and a client cert for the API server to present to etcd, since etcd will require client certificates
- kubelet (one per node, CN=system:node:<hostname>, O=system:nodes, SANs hostname and IP)
- admin user (CN=admin, O=system:masters)
- controller-manager (CN=system:kube-controller-manager)
- scheduler (CN=system:kube-scheduler)
- kube-proxy (CN=system:kube-proxy)
The CN becomes the username and each O a group; that is how the default RBAC roles and the Node authorizer recognise these identities, so the subjects are not cosmetic. Keep ca.key on the master only, ideally offline once issuance is done: whoever holds it can mint a system:masters cert.
I’ll provide an automation script to generate all certs with OpenSSL if needed.
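The script the text offers, written out here as an added example (it is not the original guide's script): it issues every certificate listed above from the CA using openssl alone. The hostnames, IPs and output file names (kube-apiserver.crt, etcd.crt, <node>.crt, sa.key/sa.pub) are this example's assumptions, as is the service IP 10.96.0.1 (first address of a 10.96.0.0/12 service CIDR). It also issues two certs the list does not mention but the control plane needs: the client cert the API server presents to etcd, and the one it presents to kubelets (placed in O=system:masters, which kubelet webhook authorization accepts), plus the service-account token signing key pair.

```sh
#!/bin/sh
# gen-certs.sh (added example, not part of the original guide): issue all
# cluster certificates from the CA with openssl. Usage: sh gen-certs.sh <out-dir>
set -eu

DAYS=3650                      # 10 years as in the guide; shorten if you rotate
MASTER_HOST="${MASTER_HOST:-kmaster}"
MASTER_IP="${MASTER_IP:-10.0.0.10}"
SERVICE_IP="${SERVICE_IP:-10.96.0.1}"            # assumption: service CIDR 10.96.0.0/12
WORKERS="${WORKERS:-kworker1:10.0.0.11 kworker2:10.0.0.12}"
CERT_DIR=""

gen_ca() {
  openssl genrsa -out "$CERT_DIR/ca.key" 4096 2>/dev/null
  chmod 0600 "$CERT_DIR/ca.key"
  openssl req -x509 -new -nodes -key "$CERT_DIR/ca.key" -subj "/CN=k8s-ca" \
    -days "$DAYS" -out "$CERT_DIR/ca.crt"
}

# gen_cert <name> <subject> <extendedKeyUsage> [subjectAltName]
# Writes <name>.key and <name>.crt. The subject is the identity RBAC sees:
# CN is the user, each O entry a group.
gen_cert() {
  name="$1"; subject="$2"; eku="$3"; san="${4:-}"
  base="$CERT_DIR/$name"
  openssl genrsa -out "$base.key" 2048 2>/dev/null
  chmod 0600 "$base.key"
  openssl req -new -key "$base.key" -subj "$subject" -out "$base.csr"
  {
    echo "[v3_ext]"
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=critical,digitalSignature,keyEncipherment"
    echo "extendedKeyUsage=$eku"
    if [ -n "$san" ]; then echo "subjectAltName=$san"; fi
  } > "$base.ext"
  openssl x509 -req -in "$base.csr" -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" \
    -CAcreateserial -days "$DAYS" -sha256 -extfile "$base.ext" -extensions v3_ext \
    -out "$base.crt" 2>/dev/null
  rm -f "$base.csr" "$base.ext"
}

generate_all() {
  CERT_DIR="$1"
  mkdir -p "$CERT_DIR"
  gen_ca

  # API server: every name a client may use, including the in-cluster service.
  gen_cert kube-apiserver "/CN=kube-apiserver" "serverAuth" \
    "DNS:$MASTER_HOST,DNS:localhost,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local,IP:127.0.0.1,IP:$MASTER_IP,IP:$SERVICE_IP"

  # etcd serving cert (reused as its peer cert) and the API server's etcd client cert.
  gen_cert etcd "/CN=etcd" "serverAuth,clientAuth" \
    "DNS:$MASTER_HOST,DNS:localhost,IP:127.0.0.1,IP:$MASTER_IP"
  gen_cert apiserver-etcd-client "/CN=kube-apiserver-etcd-client" "clientAuth"

  # Identity the API server uses toward kubelets (logs/exec/port-forward).
  gen_cert apiserver-kubelet-client "/CN=kube-apiserver-kubelet-client/O=system:masters" "clientAuth"

  # Control-plane components, kube-proxy and the admin user (system:masters = cluster-admin).
  gen_cert admin "/CN=admin/O=system:masters" "clientAuth"
  gen_cert controller-manager "/CN=system:kube-controller-manager" "clientAuth"
  gen_cert scheduler "/CN=system:kube-scheduler" "clientAuth"
  gen_cert kube-proxy "/CN=system:kube-proxy" "clientAuth"

  # One cert per node: system:node:<host> in group system:nodes is what the Node
  # authorizer and NodeRestriction key on; the SANs let the API server verify the
  # kubelet's serving cert when it connects back to the node.
  for w in $WORKERS; do
    host="${w%%:*}"; ip="${w##*:}"
    gen_cert "$host" "/CN=system:node:$host/O=system:nodes" "serverAuth,clientAuth" "DNS:$host,IP:$ip"
  done

  # Service-account token signing key pair (kube-apiserver and controller-manager flags).
  openssl genrsa -out "$CERT_DIR/sa.key" 2048 2>/dev/null
  chmod 0600 "$CERT_DIR/sa.key"
  openssl rsa -in "$CERT_DIR/sa.key" -pubout -out "$CERT_DIR/sa.pub" 2>/dev/null
}

if [ "$#" -gt 0 ]; then generate_all "$1"; fi
```

Run `sh gen-certs.sh ~/k8s-certs` on the master, then copy the master's certs and ca.crt into /etc/kubernetes/pki there, and to each worker only ca.crt, that node's own cert and key, and the kube-proxy pair; no node except the master should ever hold ca.key.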
🧠 4. etcd (on Master)
Systemd unit: /etc/systemd/system/etcd.service. Run etcd as its own user rather than root (`sudo useradd -r -s /usr/sbin/nologin etcd && sudo mkdir -p /var/lib/etcd && sudo chown etcd: /var/lib/etcd`; etcd.key must be readable by that user). Peer TLS is set even though this is a single member: etcd refuses https peer URLs without it, and it is already in place if you later add members. Cert file names follow the ca.crt/.key convention used in section 3.
```ini
[Unit]
Description=etcd
Documentation=https://github.com/etcd-io/etcd
After=network.target

[Service]
Type=notify
User=etcd
ExecStart=/usr/local/bin/etcd \
  --name=kmaster \
  --data-dir=/var/lib/etcd \
  --initial-advertise-peer-urls=https://10.0.0.10:2380 \
  --listen-peer-urls=https://10.0.0.10:2380 \
  --listen-client-urls=https://10.0.0.10:2379,https://127.0.0.1:2379 \
  --advertise-client-urls=https://10.0.0.10:2379 \
  --initial-cluster=kmaster=https://10.0.0.10:2380 \
  --initial-cluster-state=new \
  --cert-file=/etc/kubernetes/pki/etcd.crt \
  --key-file=/etc/kubernetes/pki/etcd.key \
  --trusted-ca-file=/etc/kubernetes/pki/ca.crt \
  --client-cert-auth=true \
  --peer-cert-file=/etc/kubernetes/pki/etcd.crt \
  --peer-key-file=/etc/kubernetes/pki/etcd.key \
  --peer-trusted-ca-file=/etc/kubernetes/pki/ca.crt \
  --peer-client-cert-auth=true
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
```
Enable it (`daemon-reload`, not `daemon-reexec`, is what makes systemd pick up a new unit file):
```bash
sudo systemctl daemon-reload
sudo systemctl enable --now etcd
```
Because client-cert auth is on, `etcdctl endpoint health` only works with `--cacert`, `--cert` and `--key` pointing at the CA and a cert it signed; an unauthenticated connection being rejected is the expected result, not a fault.
🧩 5. Control Plane (Master Only)
Create systemd units for:
- kube-apiserver.service, which at minimum needs:
  - --advertise-address=10.0.0.10
  - --etcd-servers=https://127.0.0.1:2379 together with --etcd-cafile, --etcd-certfile and --etcd-keyfile (etcd has client-cert auth on, so the API server must present a client cert signed by the CA)
  - --client-ca-file=/etc/kubernetes/pki/ca.crt plus --tls-cert-file and --tls-private-key-file for its own serving cert
  - --authorization-mode=Node,RBAC (Node in front of RBAC so a kubelet can only read and write objects for its own node) and --enable-admission-plugins=NodeRestriction
  - --service-account-issuer, --service-account-key-file and --service-account-signing-key-file; the API server refuses to start without a token issuer and signing key
- kube-controller-manager.service (--kubeconfig, --root-ca-file, --cluster-signing-cert-file and --cluster-signing-key-file, --service-account-private-key-file, --use-service-account-credentials=true so each controller acts under its own identity)
- kube-scheduler.service (--kubeconfig, --leader-elect=true)
I’ll generate these systemd unit files for you if you want.
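The three control-plane units, rendered by a small script so the addresses and paths live in one place. This is an added example, not the original guide's unit files; the certificate file names under /etc/kubernetes/pki (kube-apiserver.crt, apiserver-etcd-client.crt, apiserver-kubelet-client.crt, sa.key, sa.pub), the kubeconfig names under /etc/kubernetes, the service CIDR 10.96.0.0/12 and the Calico default pod CIDR 192.168.0.0/16 are all assumptions of this example.

```sh
#!/bin/sh
# control-plane-units.sh (added example, not part of the original guide):
# render kube-apiserver, kube-controller-manager and kube-scheduler units.
# Usage: sudo sh control-plane-units.sh /etc/systemd/system
set -eu

MASTER_IP="${MASTER_IP:-10.0.0.10}"
SERVICE_CIDR="${SERVICE_CIDR:-10.96.0.0/12}"
POD_CIDR="${POD_CIDR:-192.168.0.0/16}"   # assumption: Calico manifest default pool
PKI=/etc/kubernetes/pki
CONF=/etc/kubernetes

unit_footer() {
  printf 'Restart=always\nRestartSec=5\n\n[Install]\nWantedBy=multi-user.target\n'
}

render_apiserver_unit() {
cat <<EOF
[Unit]
Description=Kubernetes API Server
After=network.target etcd.service
Wants=etcd.service

[Service]
ExecStart=/usr/local/bin/kube-apiserver \\
  --advertise-address=$MASTER_IP \\
  --allow-privileged=true \\
  --anonymous-auth=false \\
  --authorization-mode=Node,RBAC \\
  --enable-admission-plugins=NodeRestriction \\
  --client-ca-file=$PKI/ca.crt \\
  --tls-cert-file=$PKI/kube-apiserver.crt \\
  --tls-private-key-file=$PKI/kube-apiserver.key \\
  --etcd-servers=https://127.0.0.1:2379 \\
  --etcd-cafile=$PKI/ca.crt \\
  --etcd-certfile=$PKI/apiserver-etcd-client.crt \\
  --etcd-keyfile=$PKI/apiserver-etcd-client.key \\
  --kubelet-certificate-authority=$PKI/ca.crt \\
  --kubelet-client-certificate=$PKI/apiserver-kubelet-client.crt \\
  --kubelet-client-key=$PKI/apiserver-kubelet-client.key \\
  --service-account-issuer=https://kubernetes.default.svc.cluster.local \\
  --service-account-key-file=$PKI/sa.pub \\
  --service-account-signing-key-file=$PKI/sa.key \\
  --service-cluster-ip-range=$SERVICE_CIDR
EOF
unit_footer
}

# Bound to loopback: the controller-manager and scheduler have no reason to
# expose their health/metrics ports on the node's private IP.
render_controller_manager_unit() {
cat <<EOF
[Unit]
Description=Kubernetes Controller Manager
After=kube-apiserver.service

[Service]
ExecStart=/usr/local/bin/kube-controller-manager \\
  --bind-address=127.0.0.1 \\
  --kubeconfig=$CONF/controller-manager.kubeconfig \\
  --allocate-node-cidrs=true \\
  --cluster-cidr=$POD_CIDR \\
  --service-cluster-ip-range=$SERVICE_CIDR \\
  --cluster-signing-cert-file=$PKI/ca.crt \\
  --cluster-signing-key-file=$PKI/ca.key \\
  --root-ca-file=$PKI/ca.crt \\
  --service-account-private-key-file=$PKI/sa.key \\
  --use-service-account-credentials=true \\
  --leader-elect=true
EOF
unit_footer
}

render_scheduler_unit() {
cat <<EOF
[Unit]
Description=Kubernetes Scheduler
After=kube-apiserver.service

[Service]
ExecStart=/usr/local/bin/kube-scheduler \\
  --bind-address=127.0.0.1 \\
  --kubeconfig=$CONF/scheduler.kubeconfig \\
  --leader-elect=true
EOF
unit_footer
}

# write_units <dir>: write the three unit files into <dir>.
write_units() {
  dir="$1"; mkdir -p "$dir"
  render_apiserver_unit > "$dir/kube-apiserver.service"
  render_controller_manager_unit > "$dir/kube-controller-manager.service"
  render_scheduler_unit > "$dir/kube-scheduler.service"
}

if [ "$#" -gt 0 ]; then write_units "$1"; fi
```

After `sudo sh control-plane-units.sh /etc/systemd/system`, run `sudo systemctl daemon-reload && sudo systemctl enable --now kube-apiserver kube-controller-manager kube-scheduler`. `--anonymous-auth=false` is the setting the hardening checklist asks for; its side effect is that unauthenticated /healthz, /livez and /readyz requests get a 401, so any external health check must present a client cert or be configured to accept 401. `--kubelet-certificate-authority` makes the API server verify kubelet serving certs, which only works if each node's cert has its hostname and IP as SANs.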
🧑💻 6. Admin Kubeconfig (on master)
Run this in ~/k8s-certs, where ca.crt, admin.crt and admin.key live. The admin cert carries O=system:masters, so the resulting file is a cluster-admin credential: keep it mode 0600 and do not copy it to the workers.
```bash
kubectl config set-cluster kubernetes \
  --certificate-authority=ca.crt \
  --embed-certs=true \
  --server=https://10.0.0.10:6443 \
  --kubeconfig=admin.kubeconfig
kubectl config set-credentials admin \
  --client-certificate=admin.crt \
  --client-key=admin.key \
  --embed-certs=true \
  --kubeconfig=admin.kubeconfig
kubectl config set-context admin@kubernetes \
  --cluster=kubernetes \
  --user=admin \
  --kubeconfig=admin.kubeconfig
kubectl config use-context admin@kubernetes --kubeconfig=admin.kubeconfig
sudo mkdir -p /root/.kube
sudo mv admin.kubeconfig /root/.kube/config
sudo chmod 0600 /root/.kube/config
```
The same four commands, with the matching cert pair and user name, produce the controller-manager, scheduler, kube-proxy and per-node kubelet kubeconfigs.
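The `kubectl config` calls above only write YAML; an added example (not from the original guide) that produces the same document directly for every component identity, which is handy on a build host without kubectl and makes the file's structure visible. Assumed: certs named as in section 3 (admin.crt, controller-manager.crt, scheduler.crt, kube-proxy.crt, <node>.crt) in $HOME/k8s-certs, the API server at https://10.0.0.10:6443, and the worker names kworker1/kworker2.

```sh
#!/bin/sh
# make-kubeconfigs.sh (added example, not part of the original guide): write
# one kubeconfig per identity with CA, cert and key embedded as base64, the
# same layout `kubectl config ... --embed-certs=true` emits.
# Usage: sh make-kubeconfigs.sh <out-dir>
set -eu

CERT_DIR="${CERT_DIR:-${HOME:-.}/k8s-certs}"
SERVER="${SERVER:-https://10.0.0.10:6443}"
WORKERS="${WORKERS:-kworker1 kworker2}"

# base64 without line wrapping, portable across GNU and BSD base64
b64() { base64 < "$1" | tr -d '\n'; }

# write_kubeconfig <user> <cert-file> <key-file> <out-file>
write_kubeconfig() {
  user="$1"; crt="$2"; key="$3"; out="$4"
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
  - name: kubernetes
    cluster:
      server: $SERVER
      certificate-authority-data: $(b64 "$CERT_DIR/ca.crt")
users:
  - name: $user
    user:
      client-certificate-data: $(b64 "$crt")
      client-key-data: $(b64 "$key")
contexts:
  - name: $user@kubernetes
    context:
      cluster: kubernetes
      user: $user
current-context: $user@kubernetes
EOF
  chmod 0600 "$out"   # the private key is inside; treat the file like the key
}

# make_all <out-dir>: the user name must match the CN in the cert; it is what
# shows up in audit logs and what RBAC bindings refer to.
make_all() {
  out="$1"; mkdir -p "$out"
  write_kubeconfig admin "$CERT_DIR/admin.crt" "$CERT_DIR/admin.key" "$out/admin.kubeconfig"
  write_kubeconfig system:kube-controller-manager "$CERT_DIR/controller-manager.crt" \
    "$CERT_DIR/controller-manager.key" "$out/controller-manager.kubeconfig"
  write_kubeconfig system:kube-scheduler "$CERT_DIR/scheduler.crt" \
    "$CERT_DIR/scheduler.key" "$out/scheduler.kubeconfig"
  write_kubeconfig system:kube-proxy "$CERT_DIR/kube-proxy.crt" \
    "$CERT_DIR/kube-proxy.key" "$out/kube-proxy.kubeconfig"
  for host in $WORKERS; do
    write_kubeconfig "system:node:$host" "$CERT_DIR/$host.crt" "$CERT_DIR/$host.key" \
      "$out/$host.kubeconfig"
  done
}

if [ "$#" -gt 0 ]; then make_all "$1"; fi
```

Copy controller-manager.kubeconfig and scheduler.kubeconfig to /etc/kubernetes on the master, and to each worker only its own <node>.kubeconfig (as /etc/kubernetes/kubelet.kubeconfig) plus kube-proxy.kubeconfig. A worker that holds any other kubeconfig holds a credential it has no business having.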
⚙️ 7. Worker Node Setup
Each worker node needs:
- a container runtime: the kubelet has none built in, so install one (e.g. containerd) and point the kubelet at its CRI socket (unix:///run/containerd/containerd.sock for containerd); if the kubelet uses the systemd cgroup driver, the runtime must be configured for it too
- kubelet
- kube-proxy
- certs from the master (or generated locally with the same CA); the kubelet's cert must have CN=system:node:<hostname>, O=system:nodes, or the Node authorizer and NodeRestriction will not treat it as a node
- a kubeconfig each for kubelet and kube-proxy, plus ca.crt
Create:
- kubelet.service
- kube-proxy.service
Join them by pointing both kubeconfigs at https://10.0.0.10:6443
and using their own certs signed by the same CA. With cert-based auth there is no join token: the node's certificate is its identity, so a node is "joined" the moment the kubelet can authenticate and registers itself.
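The worker-side files, rendered by a script so the same configuration goes to every node, as an added example rather than the original guide's files. It assumes containerd as the runtime, the per-node cert at /etc/kubernetes/pki/<hostname>.crt and .key, kubeconfigs at /etc/kubernetes/kubelet.kubeconfig and /etc/kubernetes/kube-proxy.kubeconfig, the cluster DNS service at 10.96.0.10 and the Calico default pod CIDR 192.168.0.0/16; all of those names are this example's choices.

```sh
#!/bin/sh
# worker-files.sh (added example, not part of the original guide): kubelet and
# kube-proxy configuration plus their systemd units, written under a root
# prefix so they can be generated into a staging directory or straight into /.
# Usage: sudo NODE=kworker1 sh worker-files.sh /
set -eu

NODE="${NODE:-$(hostname)}"
CRI_SOCKET="${CRI_SOCKET:-unix:///run/containerd/containerd.sock}"
CLUSTER_DNS="${CLUSTER_DNS:-10.96.0.10}"       # assumption: CoreDNS service IP
POD_CIDR="${POD_CIDR:-192.168.0.0/16}"         # assumption: Calico default pool
PKI=/etc/kubernetes/pki
CONF=/etc/kubernetes

render_kubelet_config() {
cat <<EOF
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# No anonymous access to the kubelet API (port 10250): every caller must present
# a cert signed by the cluster CA and is then authorized with a SubjectAccessReview.
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: $PKI/ca.crt
authorization:
  mode: Webhook
readOnlyPort: 0
tlsCertFile: $PKI/$NODE.crt
tlsPrivateKeyFile: $PKI/$NODE.key
cgroupDriver: systemd
clusterDomain: cluster.local
clusterDNS:
  - $CLUSTER_DNS
EOF
}

render_kubelet_unit() {
cat <<EOF
[Unit]
Description=Kubernetes Kubelet
After=containerd.service
Requires=containerd.service

[Service]
ExecStart=/usr/local/bin/kubelet \\
  --config=/var/lib/kubelet/config.yaml \\
  --kubeconfig=$CONF/kubelet.kubeconfig \\
  --container-runtime-endpoint=$CRI_SOCKET
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

render_kube_proxy_config() {
cat <<EOF
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
clientConnection:
  kubeconfig: $CONF/kube-proxy.kubeconfig
mode: iptables
clusterCIDR: $POD_CIDR
EOF
}

render_kube_proxy_unit() {
cat <<EOF
[Unit]
Description=Kubernetes Kube Proxy
After=network.target

[Service]
ExecStart=/usr/local/bin/kube-proxy --config=/var/lib/kube-proxy/config.yaml
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
}

# write_worker_files <root>: create all four files below <root>.
write_worker_files() {
  root="$1"
  mkdir -p "$root/var/lib/kubelet" "$root/var/lib/kube-proxy" "$root/etc/systemd/system"
  render_kubelet_config > "$root/var/lib/kubelet/config.yaml"
  render_kubelet_unit > "$root/etc/systemd/system/kubelet.service"
  render_kube_proxy_config > "$root/var/lib/kube-proxy/config.yaml"
  render_kube_proxy_unit > "$root/etc/systemd/system/kube-proxy.service"
}

if [ "$#" -gt 0 ]; then write_worker_files "$1"; fi
```

Then `sudo systemctl daemon-reload && sudo systemctl enable --now kubelet kube-proxy`. The node registers as `system:node:<hostname>` from its cert; `kubectl get nodes` on the master shows it NotReady until the CNI in step 8 is applied. The kubelet settings that matter for security are the authentication/authorization block and `readOnlyPort: 0`: an anonymous kubelet API or an open read-only port on 10255 leaks pod specs and, with anonymous exec allowed, gives node-level code execution.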
🌐 8. Calico CNI (from master)
Apply Calico once the API server answers and the nodes have registered (they stay NotReady until the CNI is up):
```bash
kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico.yaml
```
This manifest defaults to the pod pool 192.168.0.0/16 with IP-in-IP encapsulation and BGP between nodes. Make sure that range does not overlap your node or service networks (set CALICO_IPV4POOL_CIDR in the manifest otherwise, and match it in the controller-manager's --cluster-cidr), and that the firewall lets IP protocol 4 (IPIP) and TCP/179 (BGP) pass between nodes, or pods on different nodes will not reach each other.
✅ 9. Validate
kubectl get nodes
kubectl get pods -A
🛡️ 10. Production Hardening Checklist
- Certificates: the 10-year OpenSSL certs above are a convenience, not a hardening measure. Keep ca.key off every node (offline once issuance is done) and plan rotation with shorter leaf lifetimes and kubelet `--rotate-certificates` rather than relying on the long validity
- Disable anonymous auth on the API server (`--anonymous-auth=false`); this also makes unauthenticated /healthz, /livez and /readyz probes return 401, so load-balancer health checks must present a cert or be configured to accept 401
- Enable RBAC as `--authorization-mode=Node,RBAC` together with the NodeRestriction admission plugin, so a compromised kubelet can only modify its own Node and the Pods bound to it
- Use secure etcd with mTLS (`--client-cert-auth=true`, `--peer-client-cert-auth=true`) and keep 2379/2380 reachable only on the master; anyone who can read etcd can read every Secret
- Encrypt Secrets at rest in etcd with `--encryption-provider-config`
- Lock down the firewall: 6443/tcp to the master from admins and nodes, 10250/tcp to each worker from the master only, 2379-2380/tcp local to the master, plus the Calico traffic between nodes (IP protocol 4 for IPIP, 179/tcp for BGP); nothing else inbound
- Use non-root containers in workloads and enforce it cluster-wide with Pod Security Admission (the `restricted` profile)
- Turn on API audit logging (`--audit-policy-file`, `--audit-log-path`) and ship the log off the node; Falco (runtime detection) and OPA/Gatekeeper (admission policy) complement it but are not audit logging
- Ready to install Istio, Ingress, Jaeger
🔧 What's Next?
Would you like:
- A repo or tarball with all systemd unit files + cert scripts?
- A Bash script that builds all certs and kubeconfigs automatically?
- Help with installing Istio + NGINX ingress + Jaeger after setup?
Let me know how you'd like to proceed.