Error: server type cpx21 is not available in location nbg1
Error: server type cpx21 is not available in location nbg1
Error: server type cpx21 is not available in location nbg1
# The create call above failed because cpx21 is not offered in nbg1; list the
# cpx family first and pick a plan/location pair that actually exists.
hcloud server-type list | grep -F -- 'cpx'
# The create call above failed because cpx21 is not offered in nbg1; list the
# cpx family first and pick a plan/location pair that actually exists.
hcloud server-type list | grep -F -- 'cpx'
# The create call above failed because cpx21 is not offered in nbg1; list the
# cpx family first and pick a plan/location pair that actually exists.
hcloud server-type list | grep -F -- 'cpx'
[preflight] Running pre-flight checks
error execution phase preflight: [preflight] Some fatal errors occurred: [ERROR FileNotFound]: /usr/sbin/conntrack not found
[preflight] Running pre-flight checks
error execution phase preflight: [preflight] Some fatal errors occurred: [ERROR FileNotFound]: /usr/sbin/conntrack not found
[preflight] Running pre-flight checks
error execution phase preflight: [preflight] Some fatal errors occurred: [ERROR FileNotFound]: /usr/sbin/conntrack not found
# kubeadm preflight refuses to continue without /usr/sbin/conntrack; it is a
# stock Ubuntu package.
apt-get install --yes conntrack
# kubeadm preflight refuses to continue without /usr/sbin/conntrack; it is a
# stock Ubuntu package.
apt-get install --yes conntrack
# kubeadm preflight refuses to continue without /usr/sbin/conntrack; it is a
# stock Ubuntu package.
apt-get install --yes conntrack
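# Node prerequisites in one go. The continuation lines were collapsed in the
# original ("-y \ apt-transport-https" passes a package named " apt-…"), so
# they are restored here; && stops the run if the index refresh fails
# instead of installing from a stale list.
# - conntrack: the binary kubeadm preflight complained about; socat and
#   ipset are its usual companions
# - ca-certificates, curl: fetch and verify the Kubernetes apt repo key over TLS
# - apt-transport-https: transitional on Ubuntu 22.04 (apt already speaks
#   HTTPS); kept only for compatibility with older install docs
apt-get update && apt-get install -y \
  apt-transport-https \
  ca-certificates \
  curl \
  conntrack \
  socat \
  ipset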
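# Node prerequisites in one go. The continuation lines were collapsed in the
# original ("-y \ apt-transport-https" passes a package named " apt-…"), so
# they are restored here; && stops the run if the index refresh fails
# instead of installing from a stale list.
# - conntrack: the binary kubeadm preflight complained about; socat and
#   ipset are its usual companions
# - ca-certificates, curl: fetch and verify the Kubernetes apt repo key over TLS
# - apt-transport-https: transitional on Ubuntu 22.04 (apt already speaks
#   HTTPS); kept only for compatibility with older install docs
apt-get update && apt-get install -y \
  apt-transport-https \
  ca-certificates \
  curl \
  conntrack \
  socat \
  ipset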
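# Node prerequisites in one go. The continuation lines were collapsed in the
# original ("-y \ apt-transport-https" passes a package named " apt-…"), so
# they are restored here; && stops the run if the index refresh fails
# instead of installing from a stale list.
# - conntrack: the binary kubeadm preflight complained about; socat and
#   ipset are its usual companions
# - ca-certificates, curl: fetch and verify the Kubernetes apt repo key over TLS
# - apt-transport-https: transitional on Ubuntu 22.04 (apt already speaks
#   HTTPS); kept only for compatibility with older install docs
apt-get update && apt-get install -y \
  apt-transport-https \
  ca-certificates \
  curl \
  conntrack \
  socat \
  ipset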
# Show every interface with its addresses; the one carrying the 10.x address
# is the Hetzner private network, the 5.x/32 one is the public side.
ip address show
# Show every interface with its addresses; the one carrying the 10.x address
# is the Hetzner private network, the 5.x/32 one is the public side.
ip address show
# Show every interface with its addresses; the one carrying the 10.x address
# is the Hetzner private network, the 5.x/32 one is the public side.
ip address show
1: lo: <LOOPBACK>
2: eth0: <BROADCAST> inet 5.x.x.x/32 ← public interface
3: enp7s0: <BROADCAST> inet 10.0.0.2/24 ← private interface
1: lo: <LOOPBACK>
2: eth0: <BROADCAST> inet 5.x.x.x/32 ← public interface
3: enp7s0: <BROADCAST> inet 10.0.0.2/24 ← private interface
1: lo: <LOOPBACK>
2: eth0: <BROADCAST> inet 5.x.x.x/32 ← public interface
3: enp7s0: <BROADCAST> inet 10.0.0.2/24 ← private interface
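# Print the interface(s) that carry routes for the private prefix.
# Usage: ip route | private_iface [PREFIX]   (PREFIX defaults to 10.0.0)
# The original `awk '{print $3}'` depends on column position, which differs
# between "10.0.0.0/24 dev enp7s0 …" (prints the NIC) and
# "10.0.0.0/16 via 10.0.0.1 dev enp7s0" (prints the gateway). Taking the
# word after "dev" gives the NIC name in both shapes; sort -u collapses
# duplicates when several routes share the interface.
private_iface() {
  local prefix=${1:-10.0.0}
  awk -v p="$prefix" '
    index($0, p) {
      for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1)
    }' | sort -u
}
ip route | private_iface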
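# Print the interface(s) that carry routes for the private prefix.
# Usage: ip route | private_iface [PREFIX]   (PREFIX defaults to 10.0.0)
# The original `awk '{print $3}'` depends on column position, which differs
# between "10.0.0.0/24 dev enp7s0 …" (prints the NIC) and
# "10.0.0.0/16 via 10.0.0.1 dev enp7s0" (prints the gateway). Taking the
# word after "dev" gives the NIC name in both shapes; sort -u collapses
# duplicates when several routes share the interface.
private_iface() {
  local prefix=${1:-10.0.0}
  awk -v p="$prefix" '
    index($0, p) {
      for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1)
    }' | sort -u
}
ip route | private_iface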
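# Print the interface(s) that carry routes for the private prefix.
# Usage: ip route | private_iface [PREFIX]   (PREFIX defaults to 10.0.0)
# The original `awk '{print $3}'` depends on column position, which differs
# between "10.0.0.0/24 dev enp7s0 …" (prints the NIC) and
# "10.0.0.0/16 via 10.0.0.1 dev enp7s0" (prints the gateway). Taking the
# word after "dev" gives the NIC name in both shapes; sort -u collapses
# duplicates when several routes share the interface.
private_iface() {
  local prefix=${1:-10.0.0}
  awk -v p="$prefix" '
    index($0, p) {
      for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1)
    }' | sort -u
}
ip route | private_iface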
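# Initialise the control plane on the PRIVATE address so the join endpoint,
# the API server certificate SANs and cluster-info all carry 10.0.0.2 rather
# than the public IP. --pod-network-cidr must match Flannel's default range.
#
# --node-ip is dropped: it is a kubelet flag, not a kubeadm one, and
# `kubeadm init` rejects it as an unknown flag. Set it for the control-plane
# kubelet the same way as on the worker (KUBELET_EXTRA_ARGS=--node-ip=… in
# /etc/default/kubelet, then restart kubelet) BEFORE running init, or via
# nodeRegistration.kubeletExtraArgs in a kubeadm config file.
#
# SECURITY: --apiserver-advertise-address only changes what is advertised.
# kube-apiserver still binds 0.0.0.0:6443 and the kubelet 0.0.0.0:10250, so
# both stay reachable on the public 5.x.x.x address until a host firewall or
# a Hetzner Cloud Firewall restricts them to the private network.
cp_ip=${CP_PRIVATE_IP:-10.0.0.2}
kubeadm init \
  --apiserver-advertise-address="$cp_ip" \
  --pod-network-cidr=10.244.0.0/16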
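# Initialise the control plane on the PRIVATE address so the join endpoint,
# the API server certificate SANs and cluster-info all carry 10.0.0.2 rather
# than the public IP. --pod-network-cidr must match Flannel's default range.
#
# --node-ip is dropped: it is a kubelet flag, not a kubeadm one, and
# `kubeadm init` rejects it as an unknown flag. Set it for the control-plane
# kubelet the same way as on the worker (KUBELET_EXTRA_ARGS=--node-ip=… in
# /etc/default/kubelet, then restart kubelet) BEFORE running init, or via
# nodeRegistration.kubeletExtraArgs in a kubeadm config file.
#
# SECURITY: --apiserver-advertise-address only changes what is advertised.
# kube-apiserver still binds 0.0.0.0:6443 and the kubelet 0.0.0.0:10250, so
# both stay reachable on the public 5.x.x.x address until a host firewall or
# a Hetzner Cloud Firewall restricts them to the private network.
cp_ip=${CP_PRIVATE_IP:-10.0.0.2}
kubeadm init \
  --apiserver-advertise-address="$cp_ip" \
  --pod-network-cidr=10.244.0.0/16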
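# Initialise the control plane on the PRIVATE address so the join endpoint,
# the API server certificate SANs and cluster-info all carry 10.0.0.2 rather
# than the public IP. --pod-network-cidr must match Flannel's default range.
#
# --node-ip is dropped: it is a kubelet flag, not a kubeadm one, and
# `kubeadm init` rejects it as an unknown flag. Set it for the control-plane
# kubelet the same way as on the worker (KUBELET_EXTRA_ARGS=--node-ip=… in
# /etc/default/kubelet, then restart kubelet) BEFORE running init, or via
# nodeRegistration.kubeletExtraArgs in a kubeadm config file.
#
# SECURITY: --apiserver-advertise-address only changes what is advertised.
# kube-apiserver still binds 0.0.0.0:6443 and the kubelet 0.0.0.0:10250, so
# both stay reachable on the public 5.x.x.x address until a host firewall or
# a Hetzner Cloud Firewall restricts them to the private network.
cp_ip=${CP_PRIVATE_IP:-10.0.0.2}
kubeadm init \
  --apiserver-advertise-address="$cp_ip" \
  --pod-network-cidr=10.244.0.0/16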
# In kube-flannel.yml, under kube-flannel container args:
args:
- --ip-masq
- --kube-subnet-mgr
# Pin the overlay to the private NIC. Without --iface flannel chose the
# default-route interface (the public eth0 here), so pod-to-pod traffic left
# via the public side. The stock manifest's vxlan backend is not encrypted —
# confirm the backend in your copy — so keeping it on the private network
# is the difference between cluster-internal and internet-exposed traffic.
- --iface=enp7s0 # Add this line
# In kube-flannel.yml, under kube-flannel container args:
args:
- --ip-masq
- --kube-subnet-mgr
# Pin the overlay to the private NIC. Without --iface flannel chose the
# default-route interface (the public eth0 here), so pod-to-pod traffic left
# via the public side. The stock manifest's vxlan backend is not encrypted —
# confirm the backend in your copy — so keeping it on the private network
# is the difference between cluster-internal and internet-exposed traffic.
- --iface=enp7s0 # Add this line
# In kube-flannel.yml, under kube-flannel container args:
args:
- --ip-masq
- --kube-subnet-mgr
# Pin the overlay to the private NIC. Without --iface flannel chose the
# default-route interface (the public eth0 here), so pod-to-pod traffic left
# via the public side. The stock manifest's vxlan backend is not encrypted —
# confirm the backend in your copy — so keeping it on the private network
# is the difference between cluster-internal and internet-exposed traffic.
- --iface=enp7s0 # Add this line
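# Pin the worker kubelet to its private address so the control plane reaches
# it over the Hetzner private network rather than the public interface.
#
# Usage: set_kubelet_node_ip FILE IP
# Replaces an existing KUBELET_EXTRA_ARGS line in FILE or appends one. The
# original `echo … >> /etc/default/kubelet` stacks a new line on every run;
# systemd's EnvironmentFile keeps the last one, so a stale IP is silently
# shadowed rather than fixed. Any other flags already on that line are
# dropped here as well — merge them by hand if you rely on them.
set_kubelet_node_ip() {
  local conf=$1 node_ip=$2
  if [[ -f "$conf" ]] && grep -q '^KUBELET_EXTRA_ARGS=' "$conf"; then
    sed -i "s|^KUBELET_EXTRA_ARGS=.*|KUBELET_EXTRA_ARGS=--node-ip=${node_ip}|" "$conf"
  else
    printf 'KUBELET_EXTRA_ARGS=--node-ip=%s\n' "$node_ip" >> "$conf"
  fi
}

# The worker's private IP; the default matches this write-up's layout.
set_kubelet_node_ip /etc/default/kubelet "${WORKER_PRIVATE_IP:-10.0.0.3}" \
  && systemctl daemon-reload \
  && systemctl restart kubelet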
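# Pin the worker kubelet to its private address so the control plane reaches
# it over the Hetzner private network rather than the public interface.
#
# Usage: set_kubelet_node_ip FILE IP
# Replaces an existing KUBELET_EXTRA_ARGS line in FILE or appends one. The
# original `echo … >> /etc/default/kubelet` stacks a new line on every run;
# systemd's EnvironmentFile keeps the last one, so a stale IP is silently
# shadowed rather than fixed. Any other flags already on that line are
# dropped here as well — merge them by hand if you rely on them.
set_kubelet_node_ip() {
  local conf=$1 node_ip=$2
  if [[ -f "$conf" ]] && grep -q '^KUBELET_EXTRA_ARGS=' "$conf"; then
    sed -i "s|^KUBELET_EXTRA_ARGS=.*|KUBELET_EXTRA_ARGS=--node-ip=${node_ip}|" "$conf"
  else
    printf 'KUBELET_EXTRA_ARGS=--node-ip=%s\n' "$node_ip" >> "$conf"
  fi
}

# The worker's private IP; the default matches this write-up's layout.
set_kubelet_node_ip /etc/default/kubelet "${WORKER_PRIVATE_IP:-10.0.0.3}" \
  && systemctl daemon-reload \
  && systemctl restart kubelet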
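# Pin the worker kubelet to its private address so the control plane reaches
# it over the Hetzner private network rather than the public interface.
#
# Usage: set_kubelet_node_ip FILE IP
# Replaces an existing KUBELET_EXTRA_ARGS line in FILE or appends one. The
# original `echo … >> /etc/default/kubelet` stacks a new line on every run;
# systemd's EnvironmentFile keeps the last one, so a stale IP is silently
# shadowed rather than fixed. Any other flags already on that line are
# dropped here as well — merge them by hand if you rely on them.
set_kubelet_node_ip() {
  local conf=$1 node_ip=$2
  if [[ -f "$conf" ]] && grep -q '^KUBELET_EXTRA_ARGS=' "$conf"; then
    sed -i "s|^KUBELET_EXTRA_ARGS=.*|KUBELET_EXTRA_ARGS=--node-ip=${node_ip}|" "$conf"
  else
    printf 'KUBELET_EXTRA_ARGS=--node-ip=%s\n' "$node_ip" >> "$conf"
  fi
}

# The worker's private IP; the default matches this write-up's layout.
set_kubelet_node_ip /etc/default/kubelet "${WORKER_PRIVATE_IP:-10.0.0.3}" \
  && systemctl daemon-reload \
  && systemctl restart kubelet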
Error: chart "fluent-bit" not found in stable repository
WARNING: This chart is deprecated
Error: chart "fluent-bit" not found in stable repository
WARNING: This chart is deprecated
Error: chart "fluent-bit" not found in stable repository
WARNING: This chart is deprecated
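# stable/fluent-bit is gone with the deprecated stable repo; ship logs with
# Promtail from the Grafana repo instead. The original collapsed
# `helm repo update` and `helm install` onto one line, which would pass
# "helm install …" as arguments to `helm repo update` — split again here.
# (Promtail itself is in maintenance upstream at the time of writing;
# Grafana points new installs at Alloy. It still works for this stack.)
helm repo add grafana https://grafana.github.io/helm-charts
helm repo update

# Target the in-cluster Loki service: with SingleBinary mode and the gateway
# disabled the chart exposes it as `loki` on 3100. Plain HTTP is acceptable
# only because this stays inside the cluster network; if Loki is ever
# reachable from outside, switch to https and put auth in front of /push.
# The selector is quoted so the shell never globs the [0].
helm install promtail grafana/promtail \
  --namespace monitoring \
  --set 'config.clients[0].url=http://loki:3100/loki/api/v1/push'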
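# stable/fluent-bit is gone with the deprecated stable repo; ship logs with
# Promtail from the Grafana repo instead. The original collapsed
# `helm repo update` and `helm install` onto one line, which would pass
# "helm install …" as arguments to `helm repo update` — split again here.
# (Promtail itself is in maintenance upstream at the time of writing;
# Grafana points new installs at Alloy. It still works for this stack.)
helm repo add grafana https://grafana.github.io/helm-charts
helm repo update

# Target the in-cluster Loki service: with SingleBinary mode and the gateway
# disabled the chart exposes it as `loki` on 3100. Plain HTTP is acceptable
# only because this stays inside the cluster network; if Loki is ever
# reachable from outside, switch to https and put auth in front of /push.
# The selector is quoted so the shell never globs the [0].
helm install promtail grafana/promtail \
  --namespace monitoring \
  --set 'config.clients[0].url=http://loki:3100/loki/api/v1/push'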
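# stable/fluent-bit is gone with the deprecated stable repo; ship logs with
# Promtail from the Grafana repo instead. The original collapsed
# `helm repo update` and `helm install` onto one line, which would pass
# "helm install …" as arguments to `helm repo update` — split again here.
# (Promtail itself is in maintenance upstream at the time of writing;
# Grafana points new installs at Alloy. It still works for this stack.)
helm repo add grafana https://grafana.github.io/helm-charts
helm repo update

# Target the in-cluster Loki service: with SingleBinary mode and the gateway
# disabled the chart exposes it as `loki` on 3100. Plain HTTP is acceptable
# only because this stays inside the cluster network; if Loki is ever
# reachable from outside, switch to https and put auth in front of /push.
# The selector is quoted so the shell never globs the [0].
helm install promtail grafana/promtail \
  --namespace monitoring \
  --set 'config.clients[0].url=http://loki:3100/loki/api/v1/push'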
# List the Falco pods; the engine pod should be Running while falcosidekick
# is the one to watch for a crash loop.
kubectl get pods --namespace falco
# List the Falco pods; the engine pod should be Running while falcosidekick
# is the one to watch for a crash loop.
kubectl get pods --namespace falco
# List the Falco pods; the engine pod should be Running while falcosidekick
# is the one to watch for a crash loop.
kubectl get pods --namespace falco
NAME READY STATUS RESTARTS AGE
falco-abcd1 1/1 Running 0 4m
falcosidekick-xyz99 0/1 CrashLoopBackOff 6 4m
NAME READY STATUS RESTARTS AGE
falco-abcd1 1/1 Running 0 4m
falcosidekick-xyz99 0/1 CrashLoopBackOff 6 4m
NAME READY STATUS RESTARTS AGE
falco-abcd1 1/1 Running 0 4m
falcosidekick-xyz99 0/1 CrashLoopBackOff 6 4m
# Read the crashed container's last log lines. The pod name comes from the
# listing above and changes on every rollout, so copy it fresh each time.
kubectl logs --namespace falco falcosidekick-xyz99
# Read the crashed container's last log lines. The pod name comes from the
# listing above and changes on every rollout, so copy it fresh each time.
kubectl logs --namespace falco falcosidekick-xyz99
# Read the crashed container's last log lines. The pod name comes from the
# listing above and changes on every rollout, so copy it fresh each time.
kubectl logs --namespace falco falcosidekick-xyz99
panic: runtime error: invalid memory address or nil pointer dereference
error: failed to load configuration:
SLACK_WEBHOOKURL is required when Slack output is enabled
panic: runtime error: invalid memory address or nil pointer dereference
error: failed to load configuration:
SLACK_WEBHOOKURL is required when Slack output is enabled
panic: runtime error: invalid memory address or nil pointer dereference
error: failed to load configuration:
SLACK_WEBHOOKURL is required when Slack output is enabled
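# Create the Slack webhook Secret BEFORE installing falcosidekick so the pod
# does not crash-loop on a missing SLACK_WEBHOOKURL.
#
# Two changes from the original one-liner:
# 1. The webhook URL is a bearer credential (anyone holding it can post to
#    the channel). It is piped in from a variable instead of passed with
#    --from-literal, so it never lands in shell history or `ps` output.
#    Set it with `IFS= read -rs SLACK_WEBHOOKURL` (no echo) rather than
#    typing `export SLACK_WEBHOOKURL=…` into the shell.
# 2. The key is the env-var name the sidekick reads — SLACK_WEBHOOKURL, the
#    same name the error above reports — because the chart mounts
#    existingSecret with envFrom, so each key becomes a variable. A
#    camelCase key such as slackWebhookUrl would be loaded but never read.
#    Confirm in templates/secrets.yaml of the chart version you install.
if [[ -z "${SLACK_WEBHOOKURL:-}" ]]; then
  printf 'SLACK_WEBHOOKURL is not set; read it in with: IFS= read -rs SLACK_WEBHOOKURL\n' >&2
else
  printf '%s' "$SLACK_WEBHOOKURL" | kubectl create secret generic falcosidekick-secrets \
    --namespace falco \
    --from-file=SLACK_WEBHOOKURL=/dev/stdin
  unset SLACK_WEBHOOKURL
fi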
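# Create the Slack webhook Secret BEFORE installing falcosidekick so the pod
# does not crash-loop on a missing SLACK_WEBHOOKURL.
#
# Two changes from the original one-liner:
# 1. The webhook URL is a bearer credential (anyone holding it can post to
#    the channel). It is piped in from a variable instead of passed with
#    --from-literal, so it never lands in shell history or `ps` output.
#    Set it with `IFS= read -rs SLACK_WEBHOOKURL` (no echo) rather than
#    typing `export SLACK_WEBHOOKURL=…` into the shell.
# 2. The key is the env-var name the sidekick reads — SLACK_WEBHOOKURL, the
#    same name the error above reports — because the chart mounts
#    existingSecret with envFrom, so each key becomes a variable. A
#    camelCase key such as slackWebhookUrl would be loaded but never read.
#    Confirm in templates/secrets.yaml of the chart version you install.
if [[ -z "${SLACK_WEBHOOKURL:-}" ]]; then
  printf 'SLACK_WEBHOOKURL is not set; read it in with: IFS= read -rs SLACK_WEBHOOKURL\n' >&2
else
  printf '%s' "$SLACK_WEBHOOKURL" | kubectl create secret generic falcosidekick-secrets \
    --namespace falco \
    --from-file=SLACK_WEBHOOKURL=/dev/stdin
  unset SLACK_WEBHOOKURL
fi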
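# Create the Slack webhook Secret BEFORE installing falcosidekick so the pod
# does not crash-loop on a missing SLACK_WEBHOOKURL.
#
# Two changes from the original one-liner:
# 1. The webhook URL is a bearer credential (anyone holding it can post to
#    the channel). It is piped in from a variable instead of passed with
#    --from-literal, so it never lands in shell history or `ps` output.
#    Set it with `IFS= read -rs SLACK_WEBHOOKURL` (no echo) rather than
#    typing `export SLACK_WEBHOOKURL=…` into the shell.
# 2. The key is the env-var name the sidekick reads — SLACK_WEBHOOKURL, the
#    same name the error above reports — because the chart mounts
#    existingSecret with envFrom, so each key becomes a variable. A
#    camelCase key such as slackWebhookUrl would be loaded but never read.
#    Confirm in templates/secrets.yaml of the chart version you install.
if [[ -z "${SLACK_WEBHOOKURL:-}" ]]; then
  printf 'SLACK_WEBHOOKURL is not set; read it in with: IFS= read -rs SLACK_WEBHOOKURL\n' >&2
else
  printf '%s' "$SLACK_WEBHOOKURL" | kubectl create secret generic falcosidekick-secrets \
    --namespace falco \
    --from-file=SLACK_WEBHOOKURL=/dev/stdin
  unset SLACK_WEBHOOKURL
fi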
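# falcosidekick-values.yaml
# The original was collapsed onto one line and lost its nesting; restored
# here with existingSecret directly under config, where the chart reads it.
config:
  slack:
    # Left empty on purpose: the URL lives only in the Secret, never in a
    # values file that gets committed or stored in the Helm release.
    webhookurl: ""
    minimumpriority: "notice"
  # Mounted with envFrom after the chart's own generated secret, so its keys
  # override the empty SLACK_WEBHOOKURL above. Keys must be the env-var
  # names the sidekick reads (SLACK_WEBHOOKURL), not camelCase — confirm in
  # templates/secrets.yaml of the chart version you install.
  existingSecret: "falcosidekick-secrets"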
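# falcosidekick-values.yaml
# The original was collapsed onto one line and lost its nesting; restored
# here with existingSecret directly under config, where the chart reads it.
config:
  slack:
    # Left empty on purpose: the URL lives only in the Secret, never in a
    # values file that gets committed or stored in the Helm release.
    webhookurl: ""
    minimumpriority: "notice"
  # Mounted with envFrom after the chart's own generated secret, so its keys
  # override the empty SLACK_WEBHOOKURL above. Keys must be the env-var
  # names the sidekick reads (SLACK_WEBHOOKURL), not camelCase — confirm in
  # templates/secrets.yaml of the chart version you install.
  existingSecret: "falcosidekick-secrets"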
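# falcosidekick-values.yaml
# The original was collapsed onto one line and lost its nesting; restored
# here with existingSecret directly under config, where the chart reads it.
config:
  slack:
    # Left empty on purpose: the URL lives only in the Secret, never in a
    # values file that gets committed or stored in the Helm release.
    webhookurl: ""
    minimumpriority: "notice"
  # Mounted with envFrom after the chart's own generated secret, so its keys
  # override the empty SLACK_WEBHOOKURL above. Keys must be the env-var
  # names the sidekick reads (SLACK_WEBHOOKURL), not camelCase — confirm in
  # templates/secrets.yaml of the chart version you install.
  existingSecret: "falcosidekick-secrets"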
# Roll out (or re-roll) falcosidekick with the values that point at the
# pre-created Secret; --install makes the same command safe to retry.
# Consider adding --version <chart version> so a later upgrade cannot pull
# a newer chart unnoticed.
helm upgrade --install falcosidekick falcosecurity/falcosidekick \
  --namespace falco \
  -f falcosidekick-values.yaml
# Roll out (or re-roll) falcosidekick with the values that point at the
# pre-created Secret; --install makes the same command safe to retry.
# Consider adding --version <chart version> so a later upgrade cannot pull
# a newer chart unnoticed.
helm upgrade --install falcosidekick falcosecurity/falcosidekick \
  --namespace falco \
  -f falcosidekick-values.yaml
# Roll out (or re-roll) falcosidekick with the values that point at the
# pre-created Secret; --install makes the same command safe to retry.
# Consider adding --version <chart version> so a later upgrade cannot pull
# a newer chart unnoticed.
helm upgrade --install falcosidekick falcosecurity/falcosidekick \
  --namespace falco \
  -f falcosidekick-values.yaml
# List the logging-stack pods; Pending read/write/backend pods and a
# crash-looping gateway are the symptom the next section fixes.
kubectl get pods --namespace monitoring
# List the logging-stack pods; Pending read/write/backend pods and a
# crash-looping gateway are the symptom the next section fixes.
kubectl get pods --namespace monitoring
# List the logging-stack pods; Pending read/write/backend pods and a
# crash-looping gateway are the symptom the next section fixes.
kubectl get pods --namespace monitoring
NAME READY STATUS RESTARTS AGE
loki-backend-0 0/1 Pending 0 8m
loki-read-0 0/1 Pending 0 8m
loki-write-0 0/1 Pending 0 8m
loki-gateway-xyz 0/1 CrashLoopBackOff 4 8m
NAME READY STATUS RESTARTS AGE
loki-backend-0 0/1 Pending 0 8m
loki-read-0 0/1 Pending 0 8m
loki-write-0 0/1 Pending 0 8m
loki-gateway-xyz 0/1 CrashLoopBackOff 4 8m
NAME READY STATUS RESTARTS AGE
loki-backend-0 0/1 Pending 0 8m
loki-read-0 0/1 Pending 0 8m
loki-write-0 0/1 Pending 0 8m
loki-gateway-xyz 0/1 CrashLoopBackOff 4 8m
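# loki-values.yaml
# Single-binary Loki for a two-node lab. The chart's default simple-scalable
# mode schedules read/write/backend StatefulSets that stayed Pending here
# (typically their PVCs have no StorageClass on a bare kubeadm cluster), so
# everything is collapsed into one pod on local filesystem storage.
# The original values were collapsed onto one line; nesting restored.
loki:
  commonConfig:
    replication_factor: 1
  storage:
    type: filesystem
  schemaConfig:
    configs:
      - from: "2024-01-01"
        store: tsdb
        object_store: filesystem
        schema: v13
        index:
          prefix: loki_index_
          period: 24h
  # NOTE(review): the chart defaults loki.auth_enabled to true (multi-tenant,
  # X-Scope-OrgID required). Promtail as configured sends no tenant header,
  # so pushes may be refused with "no org id"; either set auth_enabled: false
  # (single tenant, cluster-internal only) or give Promtail a tenant_id.
  # Confirm against the chart version you install.
deploymentMode: SingleBinary
singleBinary:
  replicas: 1
  # emptyDir means every stored line — including Falco detections — is gone
  # when the pod restarts or moves. Fine for a lab; for evidence retention
  # back this with a PersistentVolume or object storage.
  persistence:
    enabled: false
  extraVolumes:
    - name: loki-data
      emptyDir: {}
  extraVolumeMounts:
    - name: loki-data
      mountPath: /var/loki
# Zero out the simple-scalable components and their helpers so nothing
# competes with loki-0 for the little capacity this cluster has.
read:
  replicas: 0
write:
  replicas: 0
backend:
  replicas: 0
gateway:
  enabled: false
chunksCache:
  enabled: false
resultsCache:
  enabled: false
lokiCanary:
  enabled: false
test:
  enabled: false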
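# loki-values.yaml
# Single-binary Loki for a two-node lab. The chart's default simple-scalable
# mode schedules read/write/backend StatefulSets that stayed Pending here
# (typically their PVCs have no StorageClass on a bare kubeadm cluster), so
# everything is collapsed into one pod on local filesystem storage.
# The original values were collapsed onto one line; nesting restored.
loki:
  commonConfig:
    replication_factor: 1
  storage:
    type: filesystem
  schemaConfig:
    configs:
      - from: "2024-01-01"
        store: tsdb
        object_store: filesystem
        schema: v13
        index:
          prefix: loki_index_
          period: 24h
  # NOTE(review): the chart defaults loki.auth_enabled to true (multi-tenant,
  # X-Scope-OrgID required). Promtail as configured sends no tenant header,
  # so pushes may be refused with "no org id"; either set auth_enabled: false
  # (single tenant, cluster-internal only) or give Promtail a tenant_id.
  # Confirm against the chart version you install.
deploymentMode: SingleBinary
singleBinary:
  replicas: 1
  # emptyDir means every stored line — including Falco detections — is gone
  # when the pod restarts or moves. Fine for a lab; for evidence retention
  # back this with a PersistentVolume or object storage.
  persistence:
    enabled: false
  extraVolumes:
    - name: loki-data
      emptyDir: {}
  extraVolumeMounts:
    - name: loki-data
      mountPath: /var/loki
# Zero out the simple-scalable components and their helpers so nothing
# competes with loki-0 for the little capacity this cluster has.
read:
  replicas: 0
write:
  replicas: 0
backend:
  replicas: 0
gateway:
  enabled: false
chunksCache:
  enabled: false
resultsCache:
  enabled: false
lokiCanary:
  enabled: false
test:
  enabled: false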
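# loki-values.yaml
# Single-binary Loki for a two-node lab. The chart's default simple-scalable
# mode schedules read/write/backend StatefulSets that stayed Pending here
# (typically their PVCs have no StorageClass on a bare kubeadm cluster), so
# everything is collapsed into one pod on local filesystem storage.
# The original values were collapsed onto one line; nesting restored.
loki:
  commonConfig:
    replication_factor: 1
  storage:
    type: filesystem
  schemaConfig:
    configs:
      - from: "2024-01-01"
        store: tsdb
        object_store: filesystem
        schema: v13
        index:
          prefix: loki_index_
          period: 24h
  # NOTE(review): the chart defaults loki.auth_enabled to true (multi-tenant,
  # X-Scope-OrgID required). Promtail as configured sends no tenant header,
  # so pushes may be refused with "no org id"; either set auth_enabled: false
  # (single tenant, cluster-internal only) or give Promtail a tenant_id.
  # Confirm against the chart version you install.
deploymentMode: SingleBinary
singleBinary:
  replicas: 1
  # emptyDir means every stored line — including Falco detections — is gone
  # when the pod restarts or moves. Fine for a lab; for evidence retention
  # back this with a PersistentVolume or object storage.
  persistence:
    enabled: false
  extraVolumes:
    - name: loki-data
      emptyDir: {}
  extraVolumeMounts:
    - name: loki-data
      mountPath: /var/loki
# Zero out the simple-scalable components and their helpers so nothing
# competes with loki-0 for the little capacity this cluster has.
read:
  replicas: 0
write:
  replicas: 0
backend:
  replicas: 0
gateway:
  enabled: false
chunksCache:
  enabled: false
resultsCache:
  enabled: false
lokiCanary:
  enabled: false
test:
  enabled: false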
# Apply the SingleBinary values over the existing release; --install keeps
# the command valid on a fresh cluster too. Pin --version once it works so
# the chart cannot change shape under you on the next upgrade.
helm upgrade --install loki grafana/loki \
  --namespace monitoring \
  -f loki-values.yaml
# Apply the SingleBinary values over the existing release; --install keeps
# the command valid on a fresh cluster too. Pin --version once it works so
# the chart cannot change shape under you on the next upgrade.
helm upgrade --install loki grafana/loki \
  --namespace monitoring \
  -f loki-values.yaml
# Apply the SingleBinary values over the existing release; --install keeps
# the command valid on a fresh cluster too. Pin --version once it works so
# the chart cannot change shape under you on the next upgrade.
helm upgrade --install loki grafana/loki \
  --namespace monitoring \
  -f loki-values.yaml
# Confirm the SingleBinary rollout replaced the Pending read/write/backend
# pods with a single loki-0.
kubectl get pods --namespace monitoring
# NAME READY STATUS RESTARTS AGE
# loki-0 1/1 Running 0 45s
# Confirm the SingleBinary rollout replaced the Pending read/write/backend
# pods with a single loki-0.
kubectl get pods --namespace monitoring
# NAME READY STATUS RESTARTS AGE
# loki-0 1/1 Running 0 45s
# Confirm the SingleBinary rollout replaced the Pending read/write/backend
# pods with a single loki-0.
kubectl get pods --namespace monitoring
# NAME READY STATUS RESTARTS AGE
# loki-0 1/1 Running 0 45s
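# Consolidated run-book. The original listing had its step headers fused onto
# the end of the previous command and its continuation lines collapsed; it is
# restored here one command per line, with the fixes found along the way.

# Step 1 — Node prerequisites (run on BOTH nodes)
# conntrack is what kubeadm preflight refused to continue without; socat and
# ipset are its usual companions; curl fetches the Kubernetes apt repo key.
apt-get update && apt-get install -y \
  conntrack socat ipset curl

# Step 2 — Container runtime + kubeadm/kubelet/kubectl
# (standard Ubuntu kubeadm installation docs — pin the minor version and
# verify the repo signing key instead of piping an unchecked script)

# Step 3 — Find your private NIC name and address (both nodes)
ip addr show
# Note the interface name next to your 10.x.x.x address
cp_ip=${CP_PRIVATE_IP:-10.0.0.2}          # control plane, private network
worker_ip=${WORKER_PRIVATE_IP:-10.0.0.3}  # worker, private network

# Step 3b — Pin the control-plane kubelet to the private address BEFORE init
# (control plane only). Without it the kubelet typically registers the
# default-route (public) address as its InternalIP even though the API
# server is advertised on 10.0.0.2.
printf 'KUBELET_EXTRA_ARGS=--node-ip=%s\n' "$cp_ip" >> /etc/default/kubelet
systemctl daemon-reload && systemctl restart kubelet

# Step 4 — kubeadm init (control plane only)
# Advertise the private address so the join endpoint and the API server
# cert use 10.0.0.2. This does NOT change what is bound: kube-apiserver still
# listens on 0.0.0.0:6443 and the kubelet on 0.0.0.0:10250, so restrict
# both to the private network with a host or Hetzner Cloud firewall.
kubeadm init \
  --apiserver-advertise-address="$cp_ip" \
  --pod-network-cidr=10.244.0.0/16

# Step 5 — Flannel with explicit interface
# Download a tagged release of the manifest (not a branch head), add
# --iface=enp7s0 to the kube-flannel container args, then apply. This keeps
# the vxlan overlay — unencrypted by default — on the private NIC.
kubectl apply -f kube-flannel-enp7s0.yml

# Step 6 — Worker node prep (run on worker)
printf 'KUBELET_EXTRA_ARGS=--node-ip=%s\n' "$worker_ip" >> /etc/default/kubelet
systemctl daemon-reload && systemctl restart kubelet

# Step 7 — Worker join (run on worker)
# Join over the private endpoint. The token is a bootstrap credential
# (24h TTL by default): do not paste it into tickets or commit it.
kubeadm join "${cp_ip}:6443" \
  --token <token> \
  --discovery-token-ca-cert-hash sha256:<hash>

# Step 8 — Namespaces
kubectl create namespace monitoring
kubectl create namespace falco

# Step 9 — Falco secret first
# The key is the env-var name the sidekick reads (the chart loads
# existingSecret with envFrom). The URL is a bearer credential: read it in
# with `IFS= read -rs SLACK_WEBHOOKURL` and pipe it, so it never appears in
# shell history or `ps` output.
printf '%s' "${SLACK_WEBHOOKURL:?read it in first with: IFS= read -rs SLACK_WEBHOOKURL}" \
  | kubectl create secret generic falcosidekick-secrets \
      --namespace falco \
      --from-file=SLACK_WEBHOOKURL=/dev/stdin
unset SLACK_WEBHOOKURL

# Step 10 — Falco + Falcosidekick
helm repo add falcosecurity \
  https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco \
  --namespace falco -f falco-values.yaml
helm install falcosidekick falcosecurity/falcosidekick \
  --namespace falco -f falcosidekick-values.yaml

# Step 11 — Loki SingleBinary
helm repo add grafana https://grafana.github.io/helm-charts
helm install loki grafana/loki \
  --namespace monitoring -f loki-values.yaml

# Step 12 — Promtail (plain HTTP is acceptable for cluster-internal traffic only)
helm install promtail grafana/promtail \
  --namespace monitoring \
  --set 'config.clients[0].url=http://loki:3100/loki/api/v1/push'

# Step 13 — Grafana
# Do not pass adminPassword=changeme on the command line: it ends up in shell
# history, `ps`, and the Helm release secret. Let the chart generate a random
# admin password and read it back from the Secret it creates (named after
# the release).
helm install grafana grafana/grafana \
  --namespace monitoring
kubectl get secret grafana --namespace monitoring \
  -o jsonpath='{.data.admin-password}' | base64 -d; echo

# Step 14 — Trivy Operator
# The aquasecurity repo was never added in the original run-book, so this
# install fails with a "repo not found" until it is. trivy.ignoreUnfixed=true
# cuts noise but also hides CVEs that have no fix yet — choose it knowingly.
helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/
helm install trivy-operator \
  aquasecurity/trivy-operator \
  --namespace monitoring \
  --set trivy.ignoreUnfixed=true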
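# Consolidated run-book. The original listing had its step headers fused onto
# the end of the previous command and its continuation lines collapsed; it is
# restored here one command per line, with the fixes found along the way.

# Step 1 — Node prerequisites (run on BOTH nodes)
# conntrack is what kubeadm preflight refused to continue without; socat and
# ipset are its usual companions; curl fetches the Kubernetes apt repo key.
apt-get update && apt-get install -y \
  conntrack socat ipset curl

# Step 2 — Container runtime + kubeadm/kubelet/kubectl
# (standard Ubuntu kubeadm installation docs — pin the minor version and
# verify the repo signing key instead of piping an unchecked script)

# Step 3 — Find your private NIC name and address (both nodes)
ip addr show
# Note the interface name next to your 10.x.x.x address
cp_ip=${CP_PRIVATE_IP:-10.0.0.2}          # control plane, private network
worker_ip=${WORKER_PRIVATE_IP:-10.0.0.3}  # worker, private network

# Step 3b — Pin the control-plane kubelet to the private address BEFORE init
# (control plane only). Without it the kubelet typically registers the
# default-route (public) address as its InternalIP even though the API
# server is advertised on 10.0.0.2.
printf 'KUBELET_EXTRA_ARGS=--node-ip=%s\n' "$cp_ip" >> /etc/default/kubelet
systemctl daemon-reload && systemctl restart kubelet

# Step 4 — kubeadm init (control plane only)
# Advertise the private address so the join endpoint and the API server
# cert use 10.0.0.2. This does NOT change what is bound: kube-apiserver still
# listens on 0.0.0.0:6443 and the kubelet on 0.0.0.0:10250, so restrict
# both to the private network with a host or Hetzner Cloud firewall.
kubeadm init \
  --apiserver-advertise-address="$cp_ip" \
  --pod-network-cidr=10.244.0.0/16

# Step 5 — Flannel with explicit interface
# Download a tagged release of the manifest (not a branch head), add
# --iface=enp7s0 to the kube-flannel container args, then apply. This keeps
# the vxlan overlay — unencrypted by default — on the private NIC.
kubectl apply -f kube-flannel-enp7s0.yml

# Step 6 — Worker node prep (run on worker)
printf 'KUBELET_EXTRA_ARGS=--node-ip=%s\n' "$worker_ip" >> /etc/default/kubelet
systemctl daemon-reload && systemctl restart kubelet

# Step 7 — Worker join (run on worker)
# Join over the private endpoint. The token is a bootstrap credential
# (24h TTL by default): do not paste it into tickets or commit it.
kubeadm join "${cp_ip}:6443" \
  --token <token> \
  --discovery-token-ca-cert-hash sha256:<hash>

# Step 8 — Namespaces
kubectl create namespace monitoring
kubectl create namespace falco

# Step 9 — Falco secret first
# The key is the env-var name the sidekick reads (the chart loads
# existingSecret with envFrom). The URL is a bearer credential: read it in
# with `IFS= read -rs SLACK_WEBHOOKURL` and pipe it, so it never appears in
# shell history or `ps` output.
printf '%s' "${SLACK_WEBHOOKURL:?read it in first with: IFS= read -rs SLACK_WEBHOOKURL}" \
  | kubectl create secret generic falcosidekick-secrets \
      --namespace falco \
      --from-file=SLACK_WEBHOOKURL=/dev/stdin
unset SLACK_WEBHOOKURL

# Step 10 — Falco + Falcosidekick
helm repo add falcosecurity \
  https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco \
  --namespace falco -f falco-values.yaml
helm install falcosidekick falcosecurity/falcosidekick \
  --namespace falco -f falcosidekick-values.yaml

# Step 11 — Loki SingleBinary
helm repo add grafana https://grafana.github.io/helm-charts
helm install loki grafana/loki \
  --namespace monitoring -f loki-values.yaml

# Step 12 — Promtail (plain HTTP is acceptable for cluster-internal traffic only)
helm install promtail grafana/promtail \
  --namespace monitoring \
  --set 'config.clients[0].url=http://loki:3100/loki/api/v1/push'

# Step 13 — Grafana
# Do not pass adminPassword=changeme on the command line: it ends up in shell
# history, `ps`, and the Helm release secret. Let the chart generate a random
# admin password and read it back from the Secret it creates (named after
# the release).
helm install grafana grafana/grafana \
  --namespace monitoring
kubectl get secret grafana --namespace monitoring \
  -o jsonpath='{.data.admin-password}' | base64 -d; echo

# Step 14 — Trivy Operator
# The aquasecurity repo was never added in the original run-book, so this
# install fails with a "repo not found" until it is. trivy.ignoreUnfixed=true
# cuts noise but also hides CVEs that have no fix yet — choose it knowingly.
helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/
helm install trivy-operator \
  aquasecurity/trivy-operator \
  --namespace monitoring \
  --set trivy.ignoreUnfixed=true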
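# Consolidated run-book. The original listing had its step headers fused onto
# the end of the previous command and its continuation lines collapsed; it is
# restored here one command per line, with the fixes found along the way.

# Step 1 — Node prerequisites (run on BOTH nodes)
# conntrack is what kubeadm preflight refused to continue without; socat and
# ipset are its usual companions; curl fetches the Kubernetes apt repo key.
apt-get update && apt-get install -y \
  conntrack socat ipset curl

# Step 2 — Container runtime + kubeadm/kubelet/kubectl
# (standard Ubuntu kubeadm installation docs — pin the minor version and
# verify the repo signing key instead of piping an unchecked script)

# Step 3 — Find your private NIC name and address (both nodes)
ip addr show
# Note the interface name next to your 10.x.x.x address
cp_ip=${CP_PRIVATE_IP:-10.0.0.2}          # control plane, private network
worker_ip=${WORKER_PRIVATE_IP:-10.0.0.3}  # worker, private network

# Step 3b — Pin the control-plane kubelet to the private address BEFORE init
# (control plane only). Without it the kubelet typically registers the
# default-route (public) address as its InternalIP even though the API
# server is advertised on 10.0.0.2.
printf 'KUBELET_EXTRA_ARGS=--node-ip=%s\n' "$cp_ip" >> /etc/default/kubelet
systemctl daemon-reload && systemctl restart kubelet

# Step 4 — kubeadm init (control plane only)
# Advertise the private address so the join endpoint and the API server
# cert use 10.0.0.2. This does NOT change what is bound: kube-apiserver still
# listens on 0.0.0.0:6443 and the kubelet on 0.0.0.0:10250, so restrict
# both to the private network with a host or Hetzner Cloud firewall.
kubeadm init \
  --apiserver-advertise-address="$cp_ip" \
  --pod-network-cidr=10.244.0.0/16

# Step 5 — Flannel with explicit interface
# Download a tagged release of the manifest (not a branch head), add
# --iface=enp7s0 to the kube-flannel container args, then apply. This keeps
# the vxlan overlay — unencrypted by default — on the private NIC.
kubectl apply -f kube-flannel-enp7s0.yml

# Step 6 — Worker node prep (run on worker)
printf 'KUBELET_EXTRA_ARGS=--node-ip=%s\n' "$worker_ip" >> /etc/default/kubelet
systemctl daemon-reload && systemctl restart kubelet

# Step 7 — Worker join (run on worker)
# Join over the private endpoint. The token is a bootstrap credential
# (24h TTL by default): do not paste it into tickets or commit it.
kubeadm join "${cp_ip}:6443" \
  --token <token> \
  --discovery-token-ca-cert-hash sha256:<hash>

# Step 8 — Namespaces
kubectl create namespace monitoring
kubectl create namespace falco

# Step 9 — Falco secret first
# The key is the env-var name the sidekick reads (the chart loads
# existingSecret with envFrom). The URL is a bearer credential: read it in
# with `IFS= read -rs SLACK_WEBHOOKURL` and pipe it, so it never appears in
# shell history or `ps` output.
printf '%s' "${SLACK_WEBHOOKURL:?read it in first with: IFS= read -rs SLACK_WEBHOOKURL}" \
  | kubectl create secret generic falcosidekick-secrets \
      --namespace falco \
      --from-file=SLACK_WEBHOOKURL=/dev/stdin
unset SLACK_WEBHOOKURL

# Step 10 — Falco + Falcosidekick
helm repo add falcosecurity \
  https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco \
  --namespace falco -f falco-values.yaml
helm install falcosidekick falcosecurity/falcosidekick \
  --namespace falco -f falcosidekick-values.yaml

# Step 11 — Loki SingleBinary
helm repo add grafana https://grafana.github.io/helm-charts
helm install loki grafana/loki \
  --namespace monitoring -f loki-values.yaml

# Step 12 — Promtail (plain HTTP is acceptable for cluster-internal traffic only)
helm install promtail grafana/promtail \
  --namespace monitoring \
  --set 'config.clients[0].url=http://loki:3100/loki/api/v1/push'

# Step 13 — Grafana
# Do not pass adminPassword=changeme on the command line: it ends up in shell
# history, `ps`, and the Helm release secret. Let the chart generate a random
# admin password and read it back from the Secret it creates (named after
# the release).
helm install grafana grafana/grafana \
  --namespace monitoring
kubectl get secret grafana --namespace monitoring \
  -o jsonpath='{.data.admin-password}' | base64 -d; echo

# Step 14 — Trivy Operator
# The aquasecurity repo was never added in the original run-book, so the
# install below fails with a "repo not found" until it is.
# trivy.ignoreUnfixed=true cuts noise but also hides CVEs that have no fix
# yet — choose it knowingly.
helm repo add aquasecurity https://aquasecurity.github.io/helm-charts/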
helm install trivy-operator \ aquasecurity/trivy-operator \ --namespace monitoring \ --set trivy.ignoreUnfixed=true - Control plane: cpx32 — 4 vCPU, 8GB RAM, Ubuntu 22.04
- Worker node: cpx22 — 3 vCPU, 4GB RAM, Ubuntu 22.04
- Private network enabled (Hetzner Cloud Networks)
- CNI: Flannel
- Goal: foundation for a Kubernetes security detection stack — Falco, Loki, Grafana, Trivy Operator, kube-bench
- kubeadm advertised the public IP for the API server — worker joins routed over the public internet
- Flannel defaulted to the public interface for pod-to-pod traffic