# Kubernetes Infrastructure FDD

## Overview

This FDD describes the Kubernetes infrastructure setup for running Arcana services in production. The infrastructure provides container orchestration, networking, ingress control, and SSL/TLS certificate management.

## Status

- Basic Kubernetes cluster setup
- Flannel CNI networking
- Nginx ingress controller
- Let's Encrypt SSL certificates
- Monitoring and logging (NEXT_TASK: Implement Kubernetes monitoring and logging stack with Prometheus, Grafana, and ELK)
- Automatic certificate renewal
- Horizontal pod autoscaling
- Backup and disaster recovery
## Components

### Core Infrastructure

- Single-node Kubernetes cluster on Hetzner
- Flannel CNI for pod networking
- Nginx ingress controller for traffic routing
- Let's Encrypt certificates for HTTPS
### Networking

```yaml
# Flannel Configuration
networking:
  podSubnet: 10.244.0.0/16
  mtu: 1450
  ipMasq: true
```
### Ingress

```yaml
# Nginx Ingress Configuration
ingress:
  controller:
    kind: DaemonSet
    hostNetwork: true
    ports:
      http: 80
      https: 443
    config:
      disable-default-backend: 'true'
      ssl-redirect: 'true'
```
### SSL/TLS

```yaml
# Certificate Configuration
certificates:
  provider: letsEncrypt
  domains:
    - mercury.arcana.cfd
  secretName: mercury-tls
  renewBefore: 720h # 30 days
```
## Technical Implementation

### Pod Networking

- Flannel CNI plugin installed and configured
- Required kernel modules loaded:
  - br_netfilter
  - overlay
- Network policies to be implemented for security (note: Flannel on its own does not enforce NetworkPolicy objects, so a policy-capable CNI or add-on such as Calico/Canal is required before any policy takes effect)

### Ingress Controller

- Nginx ingress controller deployed as DaemonSet
- Host networking enabled for direct port binding
- Default backend disabled
- SSL redirect enforced

### Certificate Management

- Let's Encrypt certificates obtained via certbot
- Certificates stored as Kubernetes secrets
- TLS termination at ingress level
- Manual renewal process (automation planned)
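Because renewal is currently manual, the expiry of the certificate held in the TLS secret has to be checked by hand. The following script is an added example (not part of this FDD or the Arcana code base): it reads `tls.crt` from the `mercury-tls` secret, feeds it to `openssl x509 -enddate`, and applies the `renewBefore: 720h` window from the certificate configuration to decide whether renewal is due. It assumes `kubectl` and `openssl` are on PATH and that `kubectl` is already pointed at the cluster; the `default` namespace is an assumption.

```python
import base64
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Unit multipliers for the Go-style durations used in the FDD (e.g. "720h").
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_go_duration(text: str) -> timedelta:
    """Parse a Go-style duration such as '720h', '1h30m' or '90s'."""
    parts = re.findall(r"(\d+)([hms])", text)
    # Reject anything that is not purely <int><unit> groups (e.g. "1.5h").
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u] for n, u in parts))


def parse_openssl_enddate(line: str) -> datetime:
    """Parse 'notAfter=Jun  1 12:00:00 2025 GMT' (openssl x509 -enddate) to UTC."""
    value = line.strip().split("=", 1)[1]
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def days_left(enddate_line: str, now: datetime) -> int:
    """Whole days until the certificate expires (negative once expired)."""
    return (parse_openssl_enddate(enddate_line) - now).days


def renewal_due(enddate_line: str, renew_before: str, now: datetime) -> bool:
    """True once 'now' is inside the renewBefore window before expiry."""
    threshold = parse_openssl_enddate(enddate_line) - parse_go_duration(renew_before)
    return now >= threshold


def secret_enddate(secret: str, namespace: str = "default") -> str:
    """Fetch tls.crt from a Kubernetes TLS secret; return openssl's notAfter line."""
    jsonpath = "jsonpath={.data.tls\\.crt}"  # escape the dot in the key name
    b64 = subprocess.run(
        ["kubectl", "-n", namespace, "get", "secret", secret, "-o", jsonpath],
        check=True, capture_output=True, text=True).stdout
    pem = base64.b64decode(b64)
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                         input=pem, check=True, capture_output=True).stdout
    return out.decode().strip()


if __name__ == "__main__":
    # Secret name and renewBefore value come from the certificate configuration.
    line = secret_enddate("mercury-tls")
    now = datetime.now(timezone.utc)
    print(line, f"{days_left(line, now)} days left",
          "RENEW NOW" if renewal_due(line, "720h", now) else "ok")
```

Run it from a host with cluster access; a non-zero `kubectl` or `openssl` exit raises `CalledProcessError`, which is the signal that the secret is missing or does not hold a parseable certificate.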
## Configuration

### Required Environment Variables

```bash
# Node Configuration
KUBERNETES_VERSION=1.28
NODE_IP=95.217.130.127
POD_NETWORK_CIDR=10.244.0.0/16

# Ingress Configuration
INGRESS_CLASS=nginx
INGRESS_CONTROLLER_PORT_HTTP=80
INGRESS_CONTROLLER_PORT_HTTPS=443

# Certificate Configuration
CERT_DOMAIN=mercury.arcana.cfd
CERT_EMAIL=[email protected]
```
### Network Requirements

- Ports 80/443 open for HTTP/HTTPS
- Port 6443 open for the Kubernetes API
- Pod network CIDR: 10.244.0.0/16
- Service CIDR: 10.96.0.0/12
## Development Guidelines

### Local Development

- Use minikube or kind for local testing
- Match the production Kubernetes version
- Use the ingress-nginx addon in minikube

### Deployment Process

- Update kernel modules if needed
- Apply Flannel CNI configuration
- Deploy ingress controller
- Configure SSL certificates
- Deploy application services
## Troubleshooting

- Check pod networking:

  ```bash
  kubectl get pods -A
  kubectl describe pod <pod-name>
  ```

- Verify ingress:

  ```bash
  kubectl get ingress -A
  kubectl describe ingress <ingress-name>
  ```

- Certificate issues:

  ```bash
  kubectl get secrets
  kubectl describe secret <tls-secret>
  ```
## Security Considerations

- Network Policies
  - Implement default deny
  - Allow only required traffic
  - Separate critical services
- Certificate Management
  - Regular rotation
  - Secure storage of secrets
  - Automated renewal (planned)
- Access Control
  - RBAC for service accounts
  - Principle of minimal privilege
  - Regular audit of permissions
## Monitoring and Maintenance

### Health Checks

- Node status
- Pod status
- Service endpoints
- Certificate expiration

### Backup Strategy

- etcd snapshots
- Certificate backups
- Configuration backups

### Upgrade Process

- Back up current state
- Update node components
- Update CNI plugins
- Update ingress controller
- Verify functionality
## Future Improvements

- High Availability
  - Multi-node setup
  - Load balancing
  - Failover configuration
- Automation
  - Certificate renewal
  - Backup process
  - Health monitoring
- Security
  - Network policy implementation
  - Regular security audits
  - Vulnerability scanning