HoneyTrap Development

Installing kubeadm

This page shows how to install kubeadm.

Before you begin

Verify the MAC address and product_uuid are unique for every node

It is very likely that hardware devices will have unique addresses, although some virtual machines may have identical values. Kubernetes uses these values to uniquely identify the nodes in the cluster. If these values are not unique to each node, the installation processes can fail.

Check required ports

Master node(s)

Port Range    Purpose
6443*         Kubernetes API server
2379-2380     etcd server client API
10250         Kubelet API
10251         kube-scheduler
10252         kube-controller-manager
10255         Read-only Kubelet API (Heapster)

Worker node(s)

Port Range    Purpose
10250         Kubelet API
10255         Read-only Kubelet API (Heapster)
30000-32767   Default port range for NodePort Services. Typically, these ports would need to be exposed to external load-balancers, or other external consumers of the application itself.

Any port numbers marked with * are overridable, so you will need to ensure any custom ports you provide are also open.

Although etcd ports are included in master nodes, you can also host your own etcd cluster externally on custom ports.

The pod network plugin you use (see below) may also require certain ports to be open. Since this differs with each pod network plugin, please see the documentation for the plugins about what port(s) those need.
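
The port tables above can be checked against what a node is actually listening on. The script below is an added example, not part of the original page: it assumes `ss -Htln` output from iproute2 as input, and the function names and the sample listener lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a node's TCP listeners with the port tables above.
# Assumption: input is `ss -Htln` output (iproute2); names are hypothetical.

# Succeeds if port $2 is in the page's table for role $1 (master|worker).
port_expected() {
  case "$1:$2" in
    master:6443|master:2379|master:2380) return 0 ;;
    master:10250|master:10251|master:10252|master:10255) return 0 ;;
    worker:10250|worker:10255) return 0 ;;
  esac
  # NodePort Services range is listed for worker nodes only.
  [ "$1" = worker ] && [ "$2" -ge 30000 ] && [ "$2" -le 32767 ]
}

# Reads ss lines on stdin, prints "<port> in-table|not-in-table" per listener.
# Loopback-only listeners are skipped: they are not reachable from the network.
audit_listeners() {
  role=$1
  while read -r _state _recvq _sendq laddr _rest; do
    [ -n "$laddr" ] || continue
    port=${laddr##*:}   # text after the last colon
    addr=${laddr%:*}    # text before the last colon
    case "$addr" in 127.*|"[::1]") continue ;; esac
    if port_expected "$role" "$port"; then
      echo "$port in-table"
    else
      echo "$port not-in-table"
    fi
  done | sort -n -u
}

# Constructed sample of `ss -Htln` output from a worker node.
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:10248 0.0.0.0:*
LISTEN 0 128 [::]:10250 [::]:*
LISTEN 0 128 [::]:10255 [::]:*
LISTEN 0 128 *:31080 *:*
LISTEN 0 128 0.0.0.0:2379 0.0.0.0:*
EOF
}

sample_ss_output | audit_listeners worker
```

On a real node, pipe `ss -Htln` into `audit_listeners master` or `audit_listeners worker`. A custom API server port (the * entry) or a port required by the pod network plugin shows up as not-in-table until it is added to `port_expected`.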

Installing Docker

On each of your machines, install Docker. Version v1.12 is recommended, but v1.11, v1.13 and 17.03 are known to work as well. Versions 17.06+ might work, but have not yet been tested and verified by the Kubernetes node team.

You can use the following commands to install Docker on your system:

Note: Make sure that the cgroup driver used by kubelet is the same as the one used by Docker. To ensure compatibility you can either update Docker, like so:

cat << EOF > /etc/docker/daemon.json
{"exec-opts": ["native.cgroupdriver=systemd"]}
EOF

and restart Docker. Or ensure the --cgroup-driver kubelet flag is set to the same value as Docker (e.g. cgroupfs).

Install Docker from Ubuntu’s repositories:

apt-get update
apt-get install -y docker.io

or install Docker CE 17.03 from Docker’s repositories for Ubuntu or Debian:

apt-get update && apt-get install -y curl apt-transport-https
curl -fsSL <DOCKER_GPG_KEY_URL> | apt-key add -
cat <<EOF >/etc/apt/sources.list.d/docker.list
deb <DOCKER_APT_REPO_URL_PREFIX>$(lsb_release -si | tr '[:upper:]' '[:lower:]') $(lsb_release -cs) stable
EOF
apt-get update && apt-get install -y docker-ce=$(apt-cache madison docker-ce | grep 17.03 | head -1 | awk '{print $3}')

Install Docker using your operating system’s bundled package:

yum install -y docker
systemctl enable docker && systemctl start docker

Installing kubeadm, kubelet and kubectl

You will install these packages on all of your machines:

kubeadm will not install or manage kubelet or kubectl for you, so you will need to ensure they match the version of the Kubernetes control plane you want kubeadm to install for you. If you do not, there is a risk of version skew that can lead to unexpected, buggy behaviour. One minor version of skew between the kubelet and the control plane is supported, but the kubelet version may never exceed the API server version. For example, kubelets running 1.7.0 should be fully compatible with a 1.8.0 API server.

For more information on version skews, please read our version skew policy.

Please proceed with executing the following commands based on your OS as root. You may become the root user by executing sudo -i after SSH-ing to each host.

# Debian/Ubuntu (apt):
apt-get update && apt-get install -y apt-transport-https
curl -s <KUBERNETES_APT_KEY_URL> | apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb <KUBERNETES_APT_REPO_URL> kubernetes-xenial main
EOF
apt-get update
apt-get install -y kubelet kubeadm kubectl

# RHEL/CentOS (yum):
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
<KUBERNETES_YUM_REPO_DEFINITION>
EOF
setenforce 0
yum install -y kubelet kubeadm kubectl
systemctl enable kubelet && systemctl start kubelet


  • Disabling SELinux by running setenforce 0 is required to allow containers to access the host filesystem, which is required by pod networks for example. You have to do this until SELinux support is improved in the kubelet.
  • Some users on RHEL/CentOS 7 have reported issues with traffic being routed incorrectly due to iptables being bypassed. You should ensure net.bridge.bridge-nf-call-iptables is set to 1 in your sysctl config, e.g.

    cat <<EOF >  /etc/sysctl.d/k8s.conf
    net.bridge.bridge-nf-call-ip6tables = 1
    net.bridge.bridge-nf-call-iptables = 1
    EOF
    sysctl --system

The kubelet is now restarting every few seconds, as it waits in a crashloop for kubeadm to tell it what to do.


If you are running into difficulties with kubeadm, please consult our troubleshooting docs.

What’s next