Cluster K3s + helm + UFW
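# -----------------------------------------------------------------------------
# K3s + Helm + UFW bootstrap on a fresh Ubuntu/Debian host.
# Walk through it step by step: it switches users (sudo su, su - kube, exit)
# and calls an editor, so it is not meant to be piped into one shell.
# -----------------------------------------------------------------------------

# --- 1. SSH hardening ---------------------------------------------------------
# Before turning "PasswordAuthentication" off, make sure your public key is in
# ~/.ssh/authorized_keys and a key-based login already works from a second
# session, otherwise you lock yourself out. On Ubuntu the main file includes
# /etc/ssh/sshd_config.d/*.conf first, so check those drop-ins for a setting
# that overrides yours.
vi /etc/ssh/sshd_config
#   Port <your port>              <- uncomment "Port 22" and set the port you want
#   PasswordAuthentication no
# Remember the port: the UFW rule in step 5 must open the SAME one.
sudo su

# --- 2. K3s -------------------------------------------------------------------
# Fetch the installer to a file instead of piping it straight into a root shell,
# so it can be read (and kept) before it runs. To make a re-run reproducible,
# pin the release: INSTALL_K3S_VERSION=<release> sh /root/install-k3s.sh
curl -sfL https://get.k3s.io -o /root/install-k3s.sh
# review /root/install-k3s.sh, then:
sh /root/install-k3s.sh
# Check
systemctl status k3s

# --- 3. Local "kube" user for kubectl -----------------------------------------
sudo adduser --system --group --home /home/kube --shell /bin/bash kube
# The account is for local use only: refuse it over SSH. Validate the config
# before reloading so a typo cannot take sshd down.
echo "DenyUsers kube" | sudo tee -a /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl reload sshd
# /etc/rancher/k3s/k3s.yaml is the admin kubeconfig: whoever can read it has
# full control of the cluster (and, through privileged pods, of the node).
# install(1) sets owner and a 0600 mode in one step, unlike cp + chown -R.
sudo install -d -m 700 -o kube -g kube /home/kube/.kube
sudo install -m 600 -o kube -g kube /etc/rancher/k3s/k3s.yaml /home/kube/.kube/config
sudo su - kube
export KUBECONFIG=~/.kube/config
# Check
kubectl get nodes
# For future sessions
echo "export KUBECONFIG=~/.kube/config" >> ~/.bashrc
# Autocompletion
source <(kubectl completion bash)
# Test it, then add it to the profile
echo "source <(kubectl completion bash)" >> ~/.bashrc
# If completion does not load (e.g. Ubuntu 24.04)
echo "source /etc/bash_completion " >> ~/.bashrc
# Leave the kube session: the rest runs as root again
exit

# --- 4. Helm (root) -----------------------------------------------------------
HELM_VERSION=v3.18.5
HELM_TARBALL="helm-${HELM_VERSION}-linux-amd64.tar.gz"
wget -O "${HELM_TARBALL}" "https://get.helm.sh/${HELM_TARBALL}"
# Verify the archive against the checksum published next to it before
# unpacking it (the archive is a .tar.gz, not a .zip).
wget -O "${HELM_TARBALL}.sha256sum" "https://get.helm.sh/${HELM_TARBALL}.sha256sum"
sha256sum -c "${HELM_TARBALL}.sha256sum"
tar -zxvf "${HELM_TARBALL}"
sudo install -m 755 linux-amd64/helm /usr/local/bin/helm

# --- 5. UFW -------------------------------------------------------------------
sudo apt update && sudo apt install ufw
# Values for the rules below. SSH_PORT must match the "Port" set in step 1:
# with "default deny incoming", a rule for the wrong port cuts your session
# off the moment the firewall is enabled. The two CIDRs are RFC 5737
# placeholders - replace them with your own networks.
SSH_PORT=22
ADMIN_CIDR=203.0.113.0/24    # where kubectl / CI reach the API from
NODE_CIDR=198.51.100.0/24    # the other cluster nodes (multi-node only)
# Default policy
sudo ufw default deny incoming
sudo ufw default allow outgoing
# SSH
sudo ufw allow "${SSH_PORT}"/tcp
# Kubernetes API. Only needed from outside when kubectl/CI run remotely;
# limit it to those networks instead of opening it to the whole internet.
sudo ufw allow from "${ADMIN_CIDR}" to any port 6443 proto tcp
# Flannel VXLAN (8472/udp) and the kubelet API (10250/tcp, exec/logs/attach)
# are node-to-node traffic only. VXLAN carries pod traffic without any
# authentication, so neither should be reachable from the internet. On a
# single node they need no rule at all (local traffic uses cni0/flannel.1,
# allowed below); on a multi-node cluster restrict them to the other nodes.
sudo ufw allow from "${NODE_CIDR}" to any port 8472 proto udp
sudo ufw allow from "${NODE_CIDR}" to any port 10250 proto tcp
# "Tunnel SSG" in the original notes. NOTE(review): 6222/tcp is not one of
# the ports the K3s documentation lists; confirm what listens on it before
# exposing it, and drop the rule if nothing does.
sudo ufw allow 6222/tcp
# NodePort range: every NodePort Service becomes reachable from anywhere.
# Narrow this with "from <cidr>" if NodePorts are only used internally.
sudo ufw allow 30000:32767/tcp
# Ingress (Traefik)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Cluster-internal networks (K3s defaults: pods 10.42.0.0/16, services
# 10.43.0.0/16). Can be checked with:
#   kubectl cluster-info dump | grep ".svc,.cluster.local"
sudo ufw allow from 10.42.0.0/16
sudo ufw allow from 10.43.0.0/16
# CNI interfaces, check with: ip -c link
sudo ufw allow in on cni0
sudo ufw allow in on flannel.1
sudo ufw enable
# Confirm the rule set (especially the SSH port) before closing this session.
sudo ufw status verbose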
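# Persistent storage for Traefik's ACME state plus the K3s HelmChartConfig
# that enables the ACME resolver. acme.json holds the Let's Encrypt account
# key and the private key of every issued certificate, so treat the volume
# as a secret.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: traefik-acme-pv
spec:
  capacity:
    storage: 100Mi
  accessModes:
    - ReadWriteOnce
  # Keep the data (and the certificates) if the claim is ever deleted.
  persistentVolumeReclaimPolicy: Retain
  storageClassName: local-hostpath
  hostPath:
    # Created on the node as root:root 0755 when missing. Traefik does not run
    # as root, so it cannot write acme.json until the directory is owned by
    # its uid/gid (see the note at the end); because the directory holds
    # private keys it should also be 0700, not world-readable.
    path: /srv/vol/traefik
    type: DirectoryOrCreate
  # Bind this PV to the claim below only, so no other PVC can grab it.
  claimRef:
    namespace: kube-system
    name: traefik-acme-pvc
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: traefik-acme-pvc
  namespace: kube-system
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Mi
  storageClassName: local-hostpath
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    # NOTE(review): "annotations" at the top level of the chart values -
    # confirm the chart version in use honours it; the scrape annotations
    # may belong under deployment.podAnnotations instead.
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "9100"
      prometheus.io/path: "/metrics"
    persistence:
      enabled: true
      existingClaim: traefik-acme-pvc
      accessMode: ReadWriteOnce
      size: 100Mi
      path: /data
    globalArguments:
      - "--global.sendanonymoususage=false"
      - "--global.checknewversion=false"
    additionalArguments:
      - "--certificatesresolvers.myresolver.acme.email=MAIL@DOMAIN.TLD"
      - "--certificatesresolvers.myresolver.acme.storage=/data/acme.json"
      # Both TLS-ALPN-01 and HTTP-01 are configured for the same resolver.
      # Traefik documents one challenge per resolver - keep the one you use
      # (tlschallenge needs 443 reachable from the internet, httpchallenge
      # needs 80).
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      # Production Let's Encrypt endpoint, which is rate-limited. Use
      # https://acme-staging-v02.api.letsencrypt.org/directory while testing.
      - "--certificatesresolvers.myresolver.acme.caServer=https://acme-v02.api.letsencrypt.org/directory"
      - "--metrics.prometheus.addEntryPointsLabels=true"
      - "--metrics.prometheus.addServicesLabels=true"
    ports:
      metrics:
        port: 9100
        exposedPort: 9100
      web:
        port: 80
        expose:
          default: true
      websecure:
        port: 443
        tls:
          enabled: true
        forwardedHeaders:
          # Was "0.0.0.0/0", which makes Traefik believe X-Forwarded-For /
          # X-Forwarded-Proto from ANY client: a request can then spoof its
          # source address towards backends, IP-allowlist middlewares and
          # access logs. Nothing in this setup puts a proxy in front of
          # Traefik (80/443 are opened directly on the node), so no address
          # should be trusted. If a load balancer or CDN is added later,
          # list only its address ranges here.
          trustedIPs: []
    # "providers" and "hosts" were appended after the Service document below
    # without a "---", i.e. as fields of the Service, where they are not valid.
    # They are chart values and belong here.
    providers:
      kubernetesCRD:
        # Lets an IngressRoute in one namespace reference Services and
        # Middlewares of another namespace, so anyone who can create
        # IngressRoutes can route to backends outside their namespace.
        # Leave it false unless that is intended.
        allowCrossNamespace: true
    # NOTE(review): not a key I can place in the chart's documented values -
    # confirm it does something for the chart version in use.
    hosts:
      enabled: true
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-metrics
  namespace: kube-system
spec:
  # Default labels the K3s-managed Traefik release puts on its pods.
  selector:
    app.kubernetes.io/instance: traefik-kube-system
    app.kubernetes.io/name: traefik
  ports:
    - name: metrics
      port: 9100
      targetPort: 9100
  # ClusterIP only: metrics stay reachable from inside the cluster.
  type: ClusterIP
---
### Once Traefik is running, open a shell in the Traefik container and run
### `id` to get its uid/gid, then on the host chown /srv/vol/traefik to those
### ids (and chmod 700 it) so Traefik can write acme.json.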