Commands
Best practices for encrypting Kubernetes Secrets include using encryption at rest, KMS integration, RBAC, and key rotation. Learn how to secure your cluster effectively. Table
A complete step-by-step guide to configuring Kubernetes worker nodes on baremetal Linux, covering OS preparation, networking, storage, kubelet tuning, cluster joining, and performance optimization.
Running Kubernetes on baremetal Linux servers gives teams full control over performance, networking, hardware utilization, and costs. While managed cloud clusters often reduce infrastructure complexity, baremetal Kubernetes remains a preferred choice for organizations needing predictable performance, hardware-level tuning, or on-premise deployments with strict compliance requirements.
This guide provides an inclusive, concise, and fully practical walkthrough of configuring Kubernetes worker nodes on baremetal Linux. It covers planning considerations, OS preparation, storage and networking, kubelet configuration, cluster joining, and post-deployment validation. CLI commands and tables help you quickly navigate real-world setup scenarios.
Before diving into configuration steps, it helps to understand the advantages:
|
|
|
|
Challenges do exist—provisioning, IP management, network overlays, and monitoring require more planning—but with a clear setup plan, bare-metal worker nodes can be just as maintainable as cloud instances.
Successful configurations start with correct hardware and OS planning. Here are the main factors:
🟢 Minimum Hardware Requirements |
| Component | Recommended Baseline for Worker Nodes | Notes |
|---|---|---|
| CPU | 4–8 cores | More for compute-heavy workloads |
| RAM | 16–32 GB | Ensure extra capacity for kubelet + system daemons |
| Storage | SSD/NVMe with 100–300 GB | Use separate partitions for container storage |
| Network | 1–10 GbE | Multus/CNI overlays can multiply network traffic |
| OS | Ubuntu 22.04 LTS, Debian 12, RHEL 9, or similar | Ensure long-term support |
These values vary depending on your workloads, but they establish a solid foundation.
A consistent, hardened OS increases cluster reliability. The following steps assume Ubuntu/Debian, but can be easily adapted.
▶️ Update and Harden the Base System |
sudo apt update && sudo apt full-upgrade -y
sudo apt install -y curl gnupg2 software-properties-common apt-transport-https
sudo systemctl disable --now ufw
Disable swap, since Kubernetes requires it:
sudo swapoff -a
sudo sed -i '/ swap / s/^/#/' /etc/fstab
Ensure required kernel modules are loaded:
sudo modprobe br_netfilter
sudo modprobe overlay
Make them persistent:
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF
Set sysctl values recommended for Kubernetes networking:
cat <<EOF | sudo tee /etc/sysctl.d/99-kubernetes.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
sudo sysctl --system
Kubernetes supports containerd, CRI-O, and Docker Engine (via dockershim alternatives). For bare-metal performance and stability, containerd is the most common choice.
▶️ Install Containerd |
sudo apt install -y containerd
Create the default config and enable systemd cgroups:
sudo mkdir -p /etc/containerd
containerd config default | sudo tee /etc/containerd/config.toml
sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/' \
/etc/containerd/config.toml
sudo systemctl restart containerd
sudo systemctl enable containerd
Add the Kubernetes package repository (example: Ubuntu with the v1.30 repo):
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key \
| sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes.gpg
echo "deb [signed-by=/etc/apt/keyrings/kubernetes.gpg] \
https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /" \
| sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt update
Install kubelet, kubeadm, and kubectl:
sudo apt install -y kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl
Storage decisions impact performance and reliability. On bare metal, you choose everything—from drive types to CSI drivers.
▶️ Filesystems and Partitioning |
| Storage Type | Use Cases | Notes |
|---|---|---|
| EXT4 | Most nodes | Stable and well-supported |
| XFS | High throughput | Good for databases or logs |
| NVMe SSDs | High I/O workloads | Ideal for caching layers or ML workloads |
| Ceph/Rook | Distributed storage | Popular in on-prem clusters |
Ensure that the container runtime storage directory is on a fast disk:
sudo mkdir -p /var/lib/containerd
If you plan to use Rook-Ceph or another CSI, ensure your kernel supports necessary modules (e.g., rbd, cephfs).
Networking is one of the most important pieces of a bare-metal Kubernetes deployment. Since there is no cloud provider to manage internal routing, everything must be configured manually or via CNI.
▶️ Popular CNI Solutions |
| CNI Plugin | Best For | Features |
|---|---|---|
| Calico | Enterprise deployments | BGP routing, network policies |
| Flannel | Simplicity | Lightweight and easy to deploy |
| Cilium | Security & observability | eBPF-powered, high performance |
| Weave Net | Auto-mesh networks | Good for multi-node clusters |
Choose based on your networking model and performance needs.
After the control plane is configured, join commands are generated using:
kubeadm token create --print-join-command
Run the output on each worker node, for example:
sudo kubeadm join 192.168.10.20:6443 \
--token a1b2c3.d4e5f6g7h8i9j0kl \
--discovery-token-ca-cert-hash sha256:abcdef123456...
If you lose the token:
kubeadm token create
kubeadm token list
▶️ Confirm Node Registration |
On the control plane:
kubectl get nodes -o wide
You should see each worker node in the NotReady state until the CNI is installed.
Here’s an example using Calico:
kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
Within ~30 seconds, nodes should transition to Ready.
Bare-metal clusters often require deeper performance tuning than cloud nodes.
▶️ CPU and Kernel Optimizations |
|
sudo apt install linux-tools-common linux-tools-$(uname -r)
sudo cpupower frequency-set -g performance
|
▶️ Kubelet Resource Reservations |
Set kubelet configuration:
sudo vim /var/lib/kubelet/config.yaml
Example snippet:
kubeReserved:
cpu: "500m"
memory: "1Gi"
ephemeral-storage: "1Gi"
systemReserved:
cpu: "250m"
memory: "512Mi"
evictionHard:
memory.available: "500Mi"
Restart kubelet:
sudo systemctl restart kubelet
Bare-metal worker nodes benefit from additional operational controls.
▶️ Node Auto-Rejoin |
Enable automatic node reboot recovery:
sudo systemctl enable kubelet
▶️ Using firewalls (optional but secure) |
If you enable firewalls:
sudo ufw allow 6443/tcp
sudo ufw allow 10250/tcp
sudo ufw allow 30000:32767/tcp
▶️ File Integrity Monitoring (FIM) |
Tools like Wazuh, Falco, or OpenSCAP help secure workloads on physical nodes.
Run a simple nginx workload:
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port 80 --type NodePort
kubectl get pods -o wide
Verify external access via the worker node’s IP:
curl http://<node/ip>:<nodeport>
If everything responds correctly, your worker node is fully functional.
Bare-metal clusters need consistent upkeep:
▶️ Upgrade Kubernetes Properly |
Always upgrade in this sequence:
|
|
|
Example:
sudo apt install -y kubeadm=1.30.x-00
sudo kubeadm upgrade node
sudo apt install -y kubelet=1.30.x-00
sudo systemctl restart kubelet
▶️ Monitor Hardware Health |
Use tools like:
|
|
|
▶️ Back Up ETCD Regularly (Control Plane) |
Even though it’s not on worker nodes, it ensures overall cluster recovery.
Best practices for encrypting Kubernetes Secrets include using encryption at rest, KMS integration, RBAC, and key rotation. Learn how to secure your cluster effectively. Table
Learn how to install a Kubernetes cluster on RHEL 9 | CentOS 9. Explore step-by-step instructions, best practices, and considerations for smooth deployment and operation.
Configure Kubernetes networking on Minikube: learn how to set up Pod networking, Service networking, ingress routing, and network policies step‑by‑step with CLI examples and troubleshooting