Install on secured machines

Before you begin

Before installing, ensure that your environment has the following basic requirements:

  • Docker version 18.09.2 or later

    You must have Docker Desktop installed on the host where the Konvoy command line interface (CLI) will run. For example, if you are installing Konvoy on your laptop, be sure the laptop has a supported version of Docker Desktop.

  • kubectl v1.16.12 or later

    To enable interaction with the running cluster, you must have kubectl installed on the host where the Konvoy command line interface (CLI) will run.

  • The konvoy_air_gapped.tar.bz2 archive, which contains the artifacts required to perform an air-gapped installation.

Control plane nodes

  • You should have at least three control plane nodes.

  • Each control plane node should have at least:

    • 4 cores
    • 16 GiB memory
    • 80 GiB of free space in the root partition, and the root partition must be less than 85% full.

Worker nodes

  • You should have at least four worker nodes.

    The specific number of worker nodes required for your environment varies depending on the cluster workload and size of the nodes.

  • Each worker node should have at least:

    • 8 cores
    • 32 GiB memory
    • 80 GiB of free space in the root partition, and the root partition must be less than 85% full.

  • If you plan to use local volume provisioning to provide persistent volumes for the workloads, you must mount at least three volumes to /mnt/disks/ mount point on each node. Each volume must have at least 55 GiB of capacity if the default addon configurations are used.

Operating system and services for all nodes

For all hosts that are part of the cluster – except the deploy host – you should verify the following configuration requirements:

  • Firewalld is disabled.
  • Containerd is uninstalled.
  • Docker-ce is uninstalled.
  • Swap is disabled.
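The node sizing and host-state requirements above can be verified on each node before running the installer. The following preflight script is an added example, not a Konvoy tool: it encodes the per-role minimums and the service checks from this page, assumes a Linux host with POSIX df/awk, systemd and either rpm or dpkg, and treats the package names containerd, containerd.io and docker-ce as assumptions about how those components are typically installed.

```sh
#!/bin/sh
# Added example, not a Konvoy tool: check one node against the minimums on this page.
# Assumed: Linux, POSIX df/awk, systemd, rpm or dpkg; package names are assumptions.
# Minimums per role from this page: cores, memory GiB, root free GiB, max root usage %.
role_minimums() {
    case "$1" in
        control-plane) echo "4 16 80 85" ;;
        worker)        echo "8 32 80 85" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}
# Pure comparison (no root needed): meets_minimums ROLE CORES MEM_GIB FREE_GIB USED_PCT
meets_minimums() {
    role=$1 cores=$2 mem=$3 free=$4 used=$5
    mins=$(role_minimums "$role") || return 1
    set -- $mins
    [ "$cores" -ge "$1" ] && [ "$mem" -ge "$2" ] && [ "$free" -ge "$3" ] && [ "$used" -lt "$4" ]
}
# Reads `df -Pk` output on stdin; true when at least three mounts under /mnt/disks/
# hold 55 GiB (57671680 KiB) or more, the local volume provisioning requirement.
local_volumes_ok() {
    n=$(awk '$6 ~ /^\/mnt\/disks\// && $2 >= 57671680 { c++ } END { print c + 0 }')
    [ "$n" -ge 3 ]
}
# Host-state checks from "Operating system and services for all nodes"; prints findings.
check_services() {
    rc=0
    systemctl is-active --quiet firewalld 2>/dev/null && { echo "firewalld is active"; rc=1; }
    for pkg in containerd containerd.io docker-ce; do
        rpm -q "$pkg" >/dev/null 2>&1 || dpkg-query -W "$pkg" >/dev/null 2>&1 && { echo "$pkg is installed"; rc=1; }
    done
    # /proc/swaps holds only its header line when no swap is active
    [ -r /proc/swaps ] && [ "$(wc -l < /proc/swaps)" -gt 1 ] && { echo "swap is enabled"; rc=1; }
    return $rc
}
# Live values: cores, memory GiB, root free GiB, root usage % (df -P gives fixed columns).
node_facts() {
    mem_kib=$(awk '/^MemTotal/ { print $2 }' /proc/meminfo)
    set -- $(df -Pk / | awk 'NR == 2')   # fs total used avail capacity% mount
    echo "$(getconf _NPROCESSORS_ONLN) $((mem_kib / 1048576)) $(($4 / 1048576)) ${5%\%}"
}
# Usage: preflight control-plane|worker ; returns 0 only when every check passes
preflight() {
    role=$1 status=0
    set -- $(node_facts)
    if meets_minimums "$role" "$@"; then echo "resources ok: $1 cores, $2 GiB, $3 GiB free, $4% used"
    else echo "below $role minimum: $1 cores, $2 GiB, $3 GiB free, $4% used"; status=1; fi
    check_services || status=1
    df -Pk | local_volumes_ok || { echo "fewer than three 55 GiB volumes under /mnt/disks/"; status=1; }
    return $status
}
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

Run it as `sh preflight.sh worker` (or `control-plane`) on each node; a non-zero exit with the printed findings tells you which requirement the host misses.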

Installation

On highly secured clusters you may need to add options to the cluster.yaml file. The sample below shows one such change that may be applied in your cluster.

Kubernetes CVE Patches

At times, CVEs may be discovered in the Kubernetes codebase. Based on the severity and the impact of a specific CVE, you may want to temporarily use alternative Docker images for the core Kubernetes components instead of the default k8s.gcr.io repository. To do so, set the version and imageRepository as described below. The docker.io/mesosphere repository contains patched images whose version carries a suffix of +d2iq.1, +d2iq.2, and so on.

kind: ClusterConfiguration
apiVersion: konvoy.mesosphere.io/v1beta1
spec:
  kubernetes:
    # the +d2iq.N suffix selects the patched build of this Kubernetes version
    version: 1.16.12+d2iq.2
    # pull core component images from here instead of the default k8s.gcr.io
    imageRepository: docker.io/mesosphere