Asumptions and Clarifications

Kubernetes will be installed on Debian 10 (buster)

HA must be already configured on a Load Balancer unless you use only 1 master

This process is to install 1 master following parts we will be adding new masters and workers

We will install docker as Runtime for the containers, is the most used until now

Next tutos we will install it using others Runtimes

At least port 6433 must be open to communicate from the client to the master node in order to deploy apps on the kubernetes cluster


1. Preparing the node

As we mentioned we are going to install Docker as Runtime for that we need several tools that are not included with the OS by default

Install packages to allow apt to use a repository over HTTPS

 sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common -y

Add Docker’s official GPG key:

curl -fsSL | sudo apt-key add -

Add the Docker apt repository:

 sudo add-apt-repository \
   "deb [arch=amd64] \
   $(lsb_release -cs) \

Install Docker CE

sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli -y

Set up the Docker daemon

cat > /etc/docker/daemon.json <<EOF
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  "storage-driver": "overlay2"

mkdir -p /etc/systemd/system/docker.service.d

Restart Docker

systemctl daemon-reload
systemctl restart docker

Disable SWAP

swapoff -a
Remove entry in /etc/fstab of the swap file or partition

2. Installing kubeadm, kubelet and kubectl

Install tools

sudo apt-get update && sudo apt-get install -y apt-transport-https curl

Add Repo GPG Key

curl -s | sudo apt-key add -

Add Kubernetes oficial repository

cat <<EOF | sudo tee /etc/apt/sources.list.d/kubernetes.list
deb kubernetes-xenial main

Install packages

sudo apt-get update -y
sudo apt-get install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl

Download containers images to deploy the cluster FYI: each service will run in a container inside the master nodes

kubeadm config images pull

Setup kubernetes

The endpoint flag is the load balancer, this must be already created and working and must be a ssl passtrought for port 6443 to

As this point I would advise to take a snapshot of the VM if anything goes wrong with the LB or any other thing you won’t loose time installing everything again

kubeadm init   --control-plane-endpoint

If you have some issues with the LB just add a line to /etc/hosts

3. Connect from the client

on the same node with a non-root user you must do this

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

If you want to do it from the root user just use

export KUBECONFIG=/etc/kubernetes/admin.conf

4. Networking

As for the CNI: The Kubernetes networking plugin where the magic of communication happens we choose to deploy the weave plugin

be aware without this you won’t be able to join any node or launch any pod

kubectl apply -f "$(kubectl version | base64 | tr -d '\n')"

here is list of supported network plugins


Here is the video of the whole process

Optional Kubernetes Dashboard

if for some reason you need to install the Kubernetes Dashboard once the cluster is working you can deploy it in a few steps

Install all the components for the dashboard

kubectl apply -f

create a service account with this content as yaml

apiVersion: v1
kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

Create a Role Binding

kind: ClusterRoleBinding
  name: admin-user
  kind: ClusterRole
  name: cluster-admin
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

Getting a token to access the dashboard (you will need it)

kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')

once everything is running and with the kubectl working from the client you can open it creating a secure channel

client#: kubectl proxy

and then just open the url on your client