Pre-flight checks in kubeadm init demystified

Malhar Vora
Aug 7, 2017

For almost a week I was fighting to set up a Kubernetes cluster using a tool called kubeadm. kubeadm is a tool to set up a Kubernetes cluster. It is not production ready yet at the time of this writing.

At every stage I faced issues in one way or another. So I decided to look into the kubeadm source code to learn what it is doing behind the scenes. This is my first attempt to share my insights about the kubeadm code base. This article describes what checks kubeadm performs when you execute the following command.

kubeadm init

When you execute the above command without specifying the --skip-preflight-checks flag, kubeadm performs some checks to validate the system state before making changes. This article describes each of the checks performed.

  • Root user check : This check verifies that the user executing kubeadm is the root user. It does so by checking the UID of the current user.
  • System Verification Check : This check performs multiple other checks. It checks that the OS is Linux by comparing the value of “uname” with the one specified in the specs. After that it performs kernel-related checks. It compares the kernel release value with the one specified in the specs. It also checks various kernel configuration options by loading the kernel config from a specified path, or by loading the kernel config module if the file is not found. The next check is for the existence of the “cpu”, “cpuacct”, “cpuset”, “devices”, “freezer” and “memory” cgroups currently. The last check in this category is for Docker. It checks for a specific version of Docker and the graph driver it uses. Currently it checks for “aufs”, “overlay” and “devicemapper”.
  • Hostname Check : It checks the hostname of the node. It should be in lower case and reachable.
  • Service Checks : It verifies that services are loaded and active if specified. Currently it checks for the Docker and Kubelet services.
  • Firewall Check : It checks if firewalld is active.
  • Port Checks : It checks for ports 6443, 10250, 10251 and 10252 currently.
  • HTTP Proxy Check : It checks if the host is behind a proxy.
  • Directory Checks : It checks if directories are available and empty. If they are not empty, it throws an error. Currently it checks the Kubernetes manifest directory and /var/lib/kubelet.
  • File Content Check : It checks the value of the file /proc/sys/net/bridge/bridge-nf-call-iptables. It should contain the value 1. It can be set temporarily with the sysctl command or permanently by adding that parameter to the /etc/sysctl.conf file.
  • Executable Existence Checks : These checks look up various executables in PATH. Currently it checks for the ip, iptables, mount, nsenter, ebtables, ethtool, socat, tc and touch executables.
  • Extra Arguments Checks : It checks the validity of extra arguments for the API Server, Controller Manager and Scheduler currently.
  • Etcd Check : It checks the version of etcd.
  • Authorization Mode Checks : It checks for the config of the specified authorization mode. If the mode is ABAC, it checks for <kubernetes_directory>/abac_policy.json. If it is Webhook, it looks for <kubernetes_directory>/webhook_authz.conf.
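
A read-only shell version of several of the checks listed above (root UID, hostname case, bridge-nf-call-iptables value, directory emptiness, listening ports, executables in PATH), useful for auditing a node before running kubeadm init. This is an added example, not code from kubeadm or from the original article; the function names are hypothetical, and treating a missing directory as available is an assumption.

```shell
#!/bin/sh
# Added example, not kubeadm's code. Function names are hypothetical; read-only.

# Root user check: UID must be 0 (pass a UID to test, default is the caller's).
check_root() { [ "${1:-$(id -u)}" -eq 0 ]; }

# Hostname check, lower-case part only (reachability is not tested here).
check_hostname_lower() {
    [ "$1" = "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" ]
}

# File content check: the file must be readable and hold exactly the expected value.
check_file_content() { [ -r "$1" ] && [ "$(cat "$1")" = "$2" ]; }

# Directory check: fails only when the directory exists and has entries.
# Assumption: a missing directory counts as available.
check_dir_empty() { [ ! -d "$1" ] || [ -z "$(ls -A "$1" 2>/dev/null)" ]; }

# Executable existence check: prints the names that are not found in PATH.
missing_executables() {
    missing=""
    for exe in "$@"; do
        command -v "$exe" >/dev/null 2>&1 || missing="$missing $exe"
    done
    printf '%s' "${missing# }"
}

# Port check: is any socket in LISTEN state (0A) on this port? Reads tables in
# /proc/net/tcp format; extra arguments override the default table paths.
port_in_use() {
    port_hex=$(printf '%04X' "$1"); shift
    [ "$#" -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    cat "$@" 2>/dev/null | awk -v p=":$port_hex" \
        '$4 == "0A" && substr($2, length($2) - 4) == p { hit = 1 } END { exit !hit }'
}

report() { if "$@"; then echo "ok    $*"; else echo "FAIL  $*"; fi; }
preflight_report() {
    report check_root
    report check_hostname_lower "$(uname -n)"
    report check_file_content /proc/sys/net/bridge/bridge-nf-call-iptables 1
    report check_dir_empty /var/lib/kubelet
    for p in 6443 10250 10251 10252; do
        if port_in_use "$p"; then echo "FAIL  port $p in use"; else echo "ok    port $p free"; fi
    done
    m=$(missing_executables ip iptables mount nsenter ebtables ethtool socat tc touch)
    [ -z "$m" ] && echo "ok    executables" || echo "FAIL  missing: $m"
}
preflight_report
```

A FAIL line here only reports the condition; fixing it (for example stopping the process that holds port 10250) is left to the operator.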

Please keep in mind that the checks performed by kubeadm join and kubeadm reset are different.

Feel free to reach me if you see anything misleading or changed.
