Kubeadm profile

Privileged containers

In order for Kubernetes to work properly on LXC, the following profile is applied:

# incus profile create kubeadm
# curl https://lxc.github.io/cluster-api-provider-incus/static/v0.1/profile.yaml | incus profile edit kubeadm

description: Profile for cluster-api-provider-incus privileged nodes
config:
  linux.kernel_modules: ip_vs,ip_vs_rr,ip_vs_wrr,ip_vs_sh,ip_tables,ip6_tables,iptable_raw,netlink_diag,nf_nat,overlay,br_netfilter,xt_socket
  raw.lxc: |
    lxc.apparmor.profile=unconfined
    lxc.mount.auto=proc:rw sys:rw cgroup:rw
    lxc.cgroup.devices.allow=a
    lxc.cap.drop=
  security.nesting: "true"
  security.privileged: "true"
devices:
  kubelet-dev-kmsg:
    path: /dev/kmsg
    source: /dev/kmsg
    type: unix-char
  kubeadm-host-boot:
    path: /usr/lib/ostree-boot
    readonly: "true"
    source: /boot
    type: disk

Unprivileged containers

When using unprivileged containers, the following profile is applied instead:

# incus profile create kubeadm-unprivileged
# curl https://lxc.github.io/cluster-api-provider-incus/static/v0.1/unprivileged.yaml | incus profile edit kubeadm-unprivileged

description: Profile for cluster-api-provider-incus unprivileged nodes
config:
  linux.kernel_modules: ip_vs,ip_vs_rr,ip_vs_wrr,ip_vs_sh,ip_tables,ip6_tables,iptable_raw,netlink_diag,nf_nat,overlay,br_netfilter,xt_socket
devices:
  kubeadm-host-boot:
    path: /usr/lib/ostree-boot
    readonly: "true"
    source: /boot
    type: disk

Unprivileged containers (Canonical LXD)

When using unprivileged containers with Canonical LXD, security.nesting must also be enabled, and the snapd and AppArmor services are disabled inside the container by masking their systemd unit files with /dev/null, using the following profile:

# lxc profile create kubeadm-unprivileged
# curl https://lxc.github.io/cluster-api-provider-incus/static/v0.1/unprivileged-lxd.yaml | lxc profile edit kubeadm-unprivileged

description: Profile for cluster-api-provider-incus unprivileged nodes (LXD)
config:
  linux.kernel_modules: ip_vs,ip_vs_rr,ip_vs_wrr,ip_vs_sh,ip_tables,ip6_tables,iptable_raw,netlink_diag,nf_nat,overlay,br_netfilter,xt_socket
  security.nesting: "true"
devices:
  kubeadm-host-boot:
    path: /usr/lib/ostree-boot
    readonly: "true"
    source: /boot
    type: disk
  00-disable-snapd:
    type: disk
    source: /dev/null
    path: /usr/lib/systemd/system/snapd.service
  00-disable-apparmor:
    type: disk
    source: /dev/null
    path: /usr/lib/systemd/system/apparmor.service
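The privileged profile above turns off most of the isolation between a node container and its host (security.privileged, an unconfined AppArmor profile, an empty lxc.cap.drop, an all-permissive device cgroup), so it helps to have an automated check that tells the two profile variants apart before they reach a production host. The following audit script is an added example and not part of cluster-api-provider-incus: it takes a profile as the dict that yaml.safe_load() returns for `incus profile show <name>`, and the two profiles embedded in it are constructed copies of the privileged and unprivileged kubeadm profiles from this page.

```python
"""Audit Incus/LXD profiles for settings that weaken container isolation.
A profile is the dict yaml.safe_load() returns for `incus profile show <name>`;
the two below are constructed copies of the kubeadm profiles from this page."""

KUBEADM_PRIVILEGED = {
    "config": {
        "security.nesting": "true", "security.privileged": "true",
        "raw.lxc": ("lxc.apparmor.profile=unconfined\nlxc.mount.auto=proc:rw sys:rw cgroup:rw\n"
                    "lxc.cgroup.devices.allow=a\nlxc.cap.drop=\n"),
    },
    "devices": {
        "kubelet-dev-kmsg": {"path": "/dev/kmsg", "source": "/dev/kmsg", "type": "unix-char"},
        "kubeadm-host-boot": {"path": "/usr/lib/ostree-boot", "readonly": "true",
                              "source": "/boot", "type": "disk"},
    },
}
KUBEADM_UNPRIVILEGED = {
    "config": {},
    "devices": {"kubeadm-host-boot": KUBEADM_PRIVILEGED["devices"]["kubeadm-host-boot"]},
}

def parse_raw_lxc(raw):
    """Split a raw.lxc block into {key: value}; an empty value (lxc.cap.drop=) is kept."""
    pairs = (line.split("=", 1) for line in raw.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def audit_profile(profile):
    """Return (severity, message) findings; 'high' means container root is close to host root."""
    cfg, findings = profile.get("config", {}), []
    if cfg.get("security.privileged") == "true":
        findings.append(("high", "security.privileged: container uid 0 is host uid 0"))
    if cfg.get("security.nesting") == "true":
        findings.append(("info", "security.nesting: nested container runtimes allowed"))
    raw = parse_raw_lxc(cfg.get("raw.lxc", ""))
    if raw.get("lxc.apparmor.profile") == "unconfined":
        findings.append(("high", "raw.lxc: AppArmor confinement disabled"))
    if raw.get("lxc.cap.drop") == "":  # key present but empty: no capability is dropped
        findings.append(("high", "raw.lxc: no capabilities dropped"))
    if raw.get("lxc.cgroup.devices.allow") == "a":
        findings.append(("high", "raw.lxc: device cgroup allows every host device"))
    for name, dev in profile.get("devices", {}).items():
        if dev.get("type") == "unix-char":
            findings.append(("medium", f"device {name}: host node {dev.get('source')} passed through"))
        elif dev.get("type") == "disk" and dev.get("readonly") != "true":
            findings.append(("medium", f"device {name}: host path {dev.get('source')} writable"))
    return findings

def high_findings(profile):
    """Only the 'high' messages, suitable as a CI gate on profile changes."""
    return [msg for sev, msg in audit_profile(profile) if sev == "high"]
```

Run against the real profiles, the privileged one yields four high findings and the unprivileged one none, which is the distinction a deployment pipeline should enforce per host.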