sigs.k8s.io/kubespray

Deploy a Production Ready Kubernetes Cluster

If you have questions, check the documentation at kubespray.io and join us on the kubernetes slack, channel #kubespray. You can get your invite here

• Can be deployed on AWS, GCE, Azure, OpenStack, vSphere, Equinix Metal (bare metal), Oracle Cloud Infrastructure (Experimental), or Baremetal
• Highly available cluster
• Composable (Choice of the network plugin for instance)
• Supports most popular Linux distributions
• Continuous integration tests

Quick Start

Below are several ways to use Kubespray to deploy a Kubernetes cluster.

Docker

Ensure you have installed Docker then

docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory \
  --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa \
  quay.io/kubespray/kubespray:v2.29.0 bash
# Inside the container you may now run the kubespray playbooks:
ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml

Ansible

Usage

See Getting started

Collection

See here if you wish to use this repository as an Ansible collection

Vagrant

For Vagrant we need to install Python dependencies for provisioning tasks. Check that Python and pip are installed:

python -V && pip -V

If this returns the version of the software, you're good to go. If not, download and install Python from here https://www.python.org/downloads/source/

Install Ansible according to Ansible installation guide then run the following step:

vagrant up

Documents

• Requirements
• Kubespray vs ...
• Getting started
• Setting up your first cluster
• Ansible inventory and tags
• Integration with existing ansible repo
• Deployment data variables
• DNS stack
• HA mode
• Network plugins
• Vagrant install
• Flatcar Container Linux bootstrap
• Fedora CoreOS bootstrap
• openSUSE setup
• Downloaded artifacts
• Equinix Metal
• OpenStack
• vSphere
• Large deployments
• Adding/replacing a node
• Upgrades basics
• Air-Gap installation
• NTP
• Hardening
• Mirror
• Roadmap

Supported Linux Distributions

• Flatcar Container Linux by Kinvolk
• Debian Bookworm, Bullseye, Trixie
• Ubuntu 22.04, 24.04
• CentOS/RHEL 8, 9
• Fedora 39, 40
• Fedora CoreOS (see fcos Note)
• openSUSE Leap 15.x/Tumbleweed
• Oracle Linux 8, 9
• Alma Linux 8, 9
• Rocky Linux 8, 9
• Kylin Linux Advanced Server V10 (experimental: see kylin linux notes)
• Amazon Linux 2 (experimental: see amazon linux notes)
• UOS Linux (experimental: see uos linux notes)
• openEuler (experimental: see openEuler notes)

Note:

• Upstart/SysV init based OS types are not supported.
• Kernel requirements (please read if the OS kernel version is < 4.19).

Supported Components

• Core
  • kubernetes 1.33.7
  • etcd 3.5.25
  • docker 28.3
  • containerd 2.1.5
  • cri-o 1.33.7 (experimental: see CRI-O Note. Only on fedora, ubuntu and centos based OS)
• Network Plugin
  • cni-plugins 1.8.0
  • calico 3.30.5
  • cilium 1.18.4
  • flannel 0.27.3
  • kube-ovn 1.12.21
  • kube-router 2.1.1
  • multus 4.2.2
  • kube-vip 0.8.0
• Application
  • cert-manager 1.15.3
  • coredns 1.12.0
  • ingress-nginx 1.13.3
  • argocd 2.14.5
  • helm 3.18.4
  • metallb 0.13.9
  • registry 2.8.1
• Storage Plugin
  • aws-ebs-csi-plugin 0.5.0
  • azure-csi-plugin 1.10.0
  • cinder-csi-plugin 1.30.0
  • gcp-pd-csi-plugin 1.9.2
  • local-path-provisioner 0.0.32
  • local-volume-provisioner 2.5.0
  • node-feature-discovery 0.16.4

Container Runtime Notes

• The cri-o version should be aligned with the respective kubernetes version (i.e. kube_version=1.20.x, crio_version=1.20)

Requirements

• Minimum required version of Kubernetes is v1.30
• Ansible v2.14+, Jinja 2.11+ and python-netaddr is installed on the machine that will run Ansible commands
• The target servers must have access to the Internet in order to pull docker images. Otherwise, additional configuration is required (See Offline Environment)
• The target servers are configured to allow IPv4 forwarding.
• If using IPv6 for pods and services, the target servers are configured to allow IPv6 forwarding.
• The firewalls are not managed, you'll need to implement your own rules the way you used to. in order to avoid any issue during deployment you should disable your firewall.
• If kubespray is run from non-root user account, correct privilege escalation method should be configured in the target servers. Then the ansible_become flag or command parameters --become or -b should be specified.

Hardware: These limits are safeguarded by Kubespray. Actual requirements for your workload can differ. For a sizing guide go to the Building Large Clusters guide.

• Control Plane
  • Memory: 2 GB
• Worker Node
  • Memory: 1 GB

Network Plugins

You can choose among ten network plugins. (default: calico, except Vagrant uses flannel)

• flannel: gre/vxlan (layer 2) networking.

• Calico is a networking and network policy provider. Calico supports a flexible set of networking options designed to give you the most efficient networking across a range of situations, including non-overlay and overlay networks, with or without BGP. Calico uses the same engine to enforce network policy for hosts, pods, and (if using Istio and Envoy) applications at the service mesh layer.

• cilium: layer 3/4 networking (as well as layer 7 to protect and secure application protocols), supports dynamic insertion of BPF bytecode into the Linux kernel to implement security services, networking and visibility logic.

• kube-ovn: Kube-OVN integrates the OVN-based Network Virtualization with Kubernetes. It offers an advanced Container Network Fabric for Enterprises.

• kube-router: Kube-router is a L3 CNI for Kubernetes networking aiming to provide operational simplicity and high performance: it uses IPVS to provide Kube Services Proxy (if setup to replace kube-proxy), iptables for network policies, and BGP for ods L3 networking (with optionally BGP peering with out-of-cluster BGP peers). It can also optionally advertise routes to Kubernetes cluster Pods CIDRs, ClusterIPs, ExternalIPs and LoadBalancerIPs.

• macvlan: Macvlan is a Linux network driver. Pods have their own unique Mac and Ip address, connected directly the physical (layer 2) network.

• multus: Multus is a meta CNI plugin that provides multiple network interface support to pods. For each interface Multus delegates CNI calls to secondary CNI plugins such as Calico, macvlan, etc.

• custom_cni : You can specify some manifests that will be applied to the clusters to bring you own CNI and use non-supported ones by Kubespray. See tests/files/custom_cni/README.md and tests/files/custom_cni/values.yamlfor an example with a CNI provided by a Helm Chart.

The network plugin to use is defined by the variable kube_network_plugin. There is also an option to leverage built-in cloud provider networking instead. See also Network checker.

Ingress Plugins

• nginx: the NGINX Ingress Controller.

• metallb: the MetalLB bare-metal service LoadBalancer provider.

Community docs and resources

• kubernetes.io/docs/setup/production-environment/tools/kubespray/
• kubespray, monitoring and logging by @gregbkr
• Deploy Kubernetes w/ Ansible & Terraform by @rsmitty
• Deploy a Kubernetes Cluster with Kubespray (video)

Tools and projects on top of Kubespray

• Digital Rebar Provision
• Terraform Contrib
• Kubean

CI Tests

CI/end-to-end tests sponsored by: CNCF, Equinix Metal, OVHcloud, ELASTX.

See the test matrix for details.