1 change: 1 addition & 0 deletions documentation/deployment-pack/README.md
Expand Up @@ -5,6 +5,7 @@ The installation prerequisites, hardware requirements and other considerations p
- [Deployment Pack (PDF)](../legal-docs/MIP_Executive_Summary_V02.00_7960b8432e.pdf)
- [Installation and License Agreement (PDF)](../legal-docs/MIP_Installation_and_License_Agreement_-_V02.10_210c5d6538.pdf)
- [Installation Prerequisites and Installation Guide](./install-prerequisites.md)
- [Minimal Worker Setup (Tailscale-only)](./minimal-setup.md)
- [Ethics and Legal Requirements](./ethics-legal.md)
- [FAQ](./faq.md)

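Review bot: the link text on the added line does not match the title of the page it points at; `- [Minimal Worker Setup (Tailscale-only)](./minimal-setup.md)` links to a file whose H1 is `# Minimal Worker VM Installation`, so a reader scanning the index will not find the same wording on arrival. Align one with the other (for example name the README entry "Minimal Worker VM Installation (Tailscale-only)" or retitle the page), and consider placing the entry directly under the installation guide it extends, which it already is, so the order reads prerequisites, full install, minimal install.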
121 changes: 121 additions & 0 deletions documentation/deployment-pack/minimal-setup.md
@@ -0,0 +1,121 @@
# Minimal Worker VM Installation
**Goal:** Join a hospital-side VM to a MicroK8s cluster as a **worker** using **Tailscale-only** networking (no public MicroK8s ports).
**Security posture:** If host firewall policy is strict, keep inbound closed and allow only the minimum required traffic on `tailscale0`.
---

## 0) Variables (set these)
- `MASTER_TS` = the master VM's Tailscale IPv4 (e.g., `100.x.y.z`)
- `TS_AUTHKEY` = short-lived, **one-off** Tailscale auth key (ideally tagged)

Example:
```bash
export MASTER_TS="100.108.97.6"
export TS_AUTHKEY="tskey-auth-REDACTED"
```

---

## 1) Install MicroK8s and Tailscale (worker VM)

```bash
sudo snap install microk8s --classic --channel=1.33/stable
curl -fsSL https://tailscale.com/install.sh | sh
```

---

## 2) Join the Tailnet (worker VM)

**Note:** `--accept-dns=false` prevents changing hospital DNS settings.

```bash
sudo tailscale up --auth-key="$TS_AUTHKEY" --accept-dns=false
tailscale ip -4
tailscale status
```

---

## 3) UFW minimum rules (explicit split: public network vs Tailnet)

Apply this section only if the hospital VM enforces UFW with restrictive defaults.
Assumed baseline policy: `sudo ufw default deny incoming` and a controlled outbound policy per hospital standard.

Rule scope in this section:
- **Public network rules**: not bound to `tailscale0`; used only so the Tailscale client can establish/maintain connectivity.
- **Tailnet-only rules**: explicitly bound to `tailscale0`; these carry MicroK8s node traffic.

### 3.1 Public network outbound rules (Tailscale client only)

```bash
# Public egress needed by the Tailscale daemon for control/relay/connectivity
sudo ufw allow out 443/tcp
sudo ufw allow out 80/tcp
sudo ufw allow out 3478/udp
sudo ufw allow out 41641/udp
```

**Important:** These are **public-network egress-only** exceptions. They are not MicroK8s service ports and they are not opened inbound.

### 3.2 Tailnet-only: worker -> master (MicroK8s join + API)

```bash
# Restricted to tailscale0 and to the master Tailscale IP
sudo ufw allow out on tailscale0 to "$MASTER_TS" port 25000 proto tcp # cluster-agent
sudo ufw allow out on tailscale0 to "$MASTER_TS" port 16443 proto tcp # Kubernetes API (MicroK8s)
```

### 3.3 Tailnet-only: master/cluster -> worker (kubelet secure port)

```bash
# Restricted to tailscale0 and master Tailscale IP
sudo ufw allow in on tailscale0 from "$MASTER_TS" to any port 10250 proto tcp
```

### 3.4 Tailnet-only: Calico VXLAN dataplane between nodes

```bash
# Calico VXLAN is UDP 4789 between nodes, only on tailscale0
sudo ufw allow in on tailscale0 to any port 4789 proto udp
sudo ufw allow out on tailscale0 to any port 4789 proto udp
```

**Scope note:** VXLAN is node-to-node traffic, so `4789/udp` applies to all cluster node peers reachable on `tailscale0`, not only the master.
Use Tailscale ACLs/tags to ensure only authorized worker/master nodes can join that Tailnet segment.

**Dependency note:** These VXLAN rules are valid when the cluster backend is Calico VXLAN. If the backend changes (for example IPIP or WireGuard), ports/protocols must be adjusted by the cluster operator.

### 3.5 Reload and verify UFW rules

```bash
sudo ufw reload
sudo ufw status verbose
sudo ufw status numbered
```

---

## 4) Connectivity checks (before `microk8s join`)

```bash
tailscale ping "$MASTER_TS"

# Optional reachability checks to master
nc -vz -w2 "$MASTER_TS" 25000
nc -vz -w2 "$MASTER_TS" 16443
```

Expected:

* `tailscale ping` replies (no timeout)
* `nc` to 25000 and 16443 succeeds

---

## 5) Join MicroK8s as a worker

Run the join command provided securely by the master operator (short-lived / one-time):

```bash
sudo microk8s join <MASTER_TS>:25000/<token>/<hash> --worker
```
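Review bot: the procedure never binds MicroK8s or Calico to the Tailscale interface, so the "Tailscale-only networking (no public MicroK8s ports)" goal stated at the top is not actually enforced by steps 1 to 5. `sudo microk8s join <MASTER_TS>:25000/<token>/<hash> --worker` reaches the master over the Tailnet, but the kubelet registers the node with the address of its default-route interface (the hospital LAN) unless `--node-ip` is set in the kubelet args, and Calico's interface autodetection will likewise select that interface for the VXLAN dataplane, so the `4789/udp` rules bound to `tailscale0` in section 3.4 would never see the traffic while pod-to-pod traffic goes out the public NIC. Add a step before the join that sets the kubelet `--node-ip` to the address printed by `tailscale ip -4`, state how the cluster operator configures Calico to autodetect `tailscale0`, and note that Tailscale's default MTU of 1280 leaves 1230 bytes for the VXLAN-encapsulated pod MTU (50 bytes of VXLAN overhead), otherwise pod traffic is fragmented or dropped. Two smaller points in the same file: section 3.1 is applied after step 1, yet `curl -fsSL https://tailscale.com/install.sh | sh` and the snap install already need 443/tcp egress plus name resolution under the "controlled outbound policy" assumed at the top of section 3, so either move the egress rules ahead of step 1 or say explicitly that installation happens before UFW is tightened; and the 3.1 list has no outbound DNS rule (53/udp, 53/tcp), which tailscaled needs to resolve its control server even with `--accept-dns=false`, since that flag only stops the client from rewriting the host's resolver configuration and does not remove the daemon's own need for DNS.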