444 lines
9.1 KiB
Markdown
444 lines
9.1 KiB
Markdown
# KUBERNETES@RUG
|
|
|
|
## Access
|
|
Vraag een API aan via webhosting.cit@rug.nl voor toegang tot de kubernetes test omgeving.
|
|
|
|
````
|
|
cat > .kube/config <<EOF
|
|
|
|
apiVersion: v1
|
|
kind: Config
|
|
clusters:
|
|
- name: "example"
|
|
cluster:
|
|
server: "https://example.rug.nl:1234"
|
|
api-version: v1
|
|
|
|
users:
|
|
- name: "user-test"
|
|
user:
|
|
token: "user-example:asdkfljfiwejlakjkdlasdakljdiwqdjiqw&$"
|
|
|
|
contexts:
|
|
- name: "example"
|
|
context:
|
|
user: "user-example"
|
|
cluster: "example"
|
|
|
|
current-context: "example"
|
|
|
|
EOF
|
|
````
|
|
|
|
## Ingress Controller (edit)
|
|
|
|
Steps :
|
|
|
|
````
|
|
kubectl --namespace=<namespace> get ingress
|
|
kubectl --namespace=<namespace> get ingress | grep <name>
|
|
|
|
kubectl edit --namespace=<namespace> ingress <name>
|
|
|
|
Adjust some values :
|
|
|
|
metadata:
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/proxy-body-size: 10m
|
|
nginx.ingress.kubernetes.io/proxy-connect-timeout: "120"
|
|
nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
|
|
nginx.ingress.kubernetes.io/proxy-send-timeout: "120"
|
|
|
|
|
|
save/quit
|
|
|
|
````
|
|
|
|
## Ingress WhiteList
|
|
|
|
````
|
|
kubectl edit ingress ....
|
|
|
|
# add annotation
|
|
|
|
nginx.ingress.kubernetes.io/whitelist-source-range = "1.1.1.1/24"
|
|
|
|
|
|
````
|
|
|
|
## Ingress Basic Auth
|
|
|
|
````
|
|
htpasswd -c passfile foo
|
|
kubectl create secret generic basic-auth --from-file=passfile
|
|
````
|
|
|
|
check secret
|
|
|
|
````
|
|
kubectl get secret basic-auth -o yaml
|
|
````
|
|
|
|
edit ingress
|
|
````
|
|
kubectl edit ingress example
|
|
|
|
|
|
metadata:
|
|
name: ingress-with-auth
|
|
annotations:
|
|
# type of authentication
|
|
nginx.ingress.kubernetes.io/auth-type: basic
|
|
# name of the secret that contains the user/password definitions
|
|
nginx.ingress.kubernetes.io/auth-secret: basic-auth
|
|
# message to display with an appropriate context why the authentication is required
|
|
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
|
|
|
|
````
|
|
|
|
|
|
## Edit Deployment
|
|
|
|
Steps :
|
|
|
|
````
|
|
|
|
kubectl --namespace=<namespace> get deployments
|
|
kubectl --namespace=<namespace> get deployment | grep <name>
|
|
|
|
kubectl edit --namespace=<namespace> deployments <name>
|
|
|
|
Adjust some values :
|
|
|
|
hostAliases:
|
|
- hostnames:
|
|
- example.com
|
|
ip: 127.0.0.1
|
|
|
|
save/quit
|
|
|
|
````
|
|
|
|
|
|
|
|
## Register SSL test environment ( only with public IP )
|
|
|
|
Register SSL with letsencrypt-issuer
|
|
|
|
````
|
|
cat > nginx.yml <<EOF
|
|
apiVersion: certmanager.k8s.io/v1alpha1
|
|
kind: Certificate
|
|
metadata:
|
|
name: example-rug-nl
|
|
namespace: default
|
|
spec:
|
|
secretName: letsencrypt-issuer-tls
|
|
issuerRef:
|
|
name: letsencrypt-issuer
|
|
dnsNames:
|
|
- example.rug.nl
|
|
acme:
|
|
config:
|
|
- http01:
|
|
ingress: nginx
|
|
domains:
|
|
- example.rug.nl
|
|
EOF
|
|
````
|
|
kubectl apply -f nginx.yml
|
|
|
|
|
|
## Simple deployment
|
|
|
|
````
|
|
cat > simple.yml <<EOF
|
|
|
|
metadata:
|
|
name: nginx-service-example-rug-nl
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
k8s-app: nginx-service-example-rug-nl
|
|
template:
|
|
metadata:
|
|
labels:
|
|
k8s-app: nginx-service-example-rug-nl
|
|
spec:
|
|
terminationGracePeriodSeconds: 60
|
|
containers:
|
|
- name: nginx-service-example-rug-nl
|
|
image: nginx:latest
|
|
ports:
|
|
- containerPort: 80
|
|
---
|
|
apiVersion: extensions/v1beta1
|
|
kind: Ingress
|
|
metadata:
|
|
name: host-based-ingress
|
|
spec:
|
|
rules:
|
|
- host: example.rug.nl
|
|
http:
|
|
paths:
|
|
- backend:
|
|
serviceName: nginx-service-example-rug-nl
|
|
servicePort: 80
|
|
EOF
|
|
|
|
````
|
|
|
|
kubectl -f simple.yml
|
|
|
|
|
|
## PersistentVolume
|
|
|
|
````
|
|
cat > pv.yml <<EOF
|
|
apiVersion: v1
|
|
kind: PersistentVolume
|
|
metadata:
|
|
name: user
|
|
labels:
|
|
name: nfs4
|
|
spec:
|
|
storageClassName: nfs-class
|
|
capacity:
|
|
storage: 5Gi
|
|
accessModes:
|
|
- ReadWriteMany
|
|
persistentVolumeReclaimPolicy: Retain
|
|
nfs:
|
|
server: 1.2.3.4
|
|
path: /
|
|
EOF
|
|
````
|
|
kubectl apply -f pv.yml
|
|
|
|
|
|
## PersistentVolumeClaim
|
|
|
|
````
|
|
cat > pvc.yml <<EOF
|
|
kind: PersistentVolumeClaim
|
|
apiVersion: v1
|
|
metadata:
|
|
name: user
|
|
spec:
|
|
storageClassName: nfs-class
|
|
accessModes:
|
|
- ReadWriteMany
|
|
resources:
|
|
requests:
|
|
storage: 5Gi
|
|
EOF
|
|
````
|
|
|
|
kubectl apply -f pvc.yaml
|
|
|
|
## Service
|
|
|
|
````
|
|
cat > service.yml <<EOF
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: service-name
|
|
labels:
|
|
app: service-name
|
|
spec:
|
|
ports:
|
|
- port: 80
|
|
targetPort: 80
|
|
protocol: TCP
|
|
name: http
|
|
selector:
|
|
app: service-name
|
|
|
|
EOF
|
|
````
|
|
kubectl apply -f service.yml
|
|
|
|
## Deployment
|
|
|
|
````
|
|
cat > deploy.yml <<EOF
|
|
apiVersion: extensions/v1beta1
|
|
kind: Deployment
|
|
metadata:
|
|
name: example
|
|
labels:
|
|
app: example
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: example
|
|
minReadySeconds: 10
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: example
|
|
version: v0.2
|
|
spec:
|
|
terminationGracePeriodSeconds: 60
|
|
containers:
|
|
- name: example
|
|
image: nginx
|
|
imagePullPolicy: IfNotPresent
|
|
ports:
|
|
- containerPort: 80
|
|
protocol: TCP
|
|
env:
|
|
- name: WEBSERVER
|
|
value: NGINX
|
|
readinessProbe:
|
|
failureThreshold: 3
|
|
httpGet:
|
|
path: /
|
|
port: 80
|
|
scheme: HTTP
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 2
|
|
successThreshold: 2
|
|
timeoutSeconds: 2
|
|
tty: true
|
|
volumeMounts:
|
|
- mountPath: /var/www
|
|
name: user
|
|
dnsPolicy: ClusterFirst
|
|
hostAliases:
|
|
- hostnames:
|
|
- example.rug.nl
|
|
ip: 127.0.0.1
|
|
imagePullSecrets:
|
|
- name: registry
|
|
restartPolicy: Always
|
|
schedulerName: default-scheduler
|
|
terminationGracePeriodSeconds: 30
|
|
volumes:
|
|
- name: user
|
|
persistentVolumeClaim:
|
|
claimName: user
|
|
EOF
|
|
````
|
|
kubectl apply -f deploy.yml
|
|
|
|
## HTTPS
|
|
|
|
````
|
|
cat > https.yml <<EOF
|
|
apiVersion: extensions/v1beta1
|
|
kind: Ingress
|
|
metadata:
|
|
annotations:
|
|
ingress.kubernetes.io/ssl-redirect: "true"
|
|
name: example
|
|
namespace: default
|
|
spec:
|
|
rules:
|
|
- host: example.rug.nl
|
|
http:
|
|
paths:
|
|
- backend:
|
|
serviceName: example
|
|
servicePort: 80
|
|
tls:
|
|
- secretName: letsencrypt-issuer-tls
|
|
hosts:
|
|
- example.rug.nl
|
|
EOF
|
|
````
|
|
|
|
kubectl -f apply https.yml
|
|
|
|
|
|
## Ingress annotations
|
|
|
|
### redirect SSL
|
|
````
|
|
nginx.ingress.kubernetes.io/server-snippet =
|
|
|
|
if ($http_x_ssl_enabled != "true") {
|
|
rewrite ^ https://$host$request_uri? permanent;
|
|
}
|
|
````
|
|
|
|
### Ingress app root
|
|
Set application root to /wp
|
|
|
|
````
|
|
nginx.ingress.kubernetes.io/app-root = /wp
|
|
|
|
````
|
|
|
|
|
|
### Ingress app root force https
|
|
Set application root to /wp
|
|
|
|
````
|
|
nginx.ingress.kubernetes.io/app-root = /wp
|
|
nginx.ingress.kubernetes.io/force-ssl-redirect = true
|
|
|
|
````
|
|
|
|
|
|
|
|
|
|
|
|
## Cheat sheet
|
|
|
|
````
|
|
### cluster
|
|
kubectl get services # List all services
|
|
kubectl get pods # List all pods
|
|
kubectl get nodes -w # Watch nodes continuously
|
|
kubectl version # Get version information
|
|
kubectl cluster-info # Get cluster information
|
|
kubectl config view # Get the configuration
|
|
kubectl describe node <node> # Output information about a node
|
|
|
|
### pod and container
|
|
kubectl get pods # List the current pods
|
|
kubectl describe pod <name> # Describe pod <name>
|
|
kubectl get rc # List the replication controllers
|
|
kubectl get rc --namespace="<namespace>" # List the replication controllers in <namespace>
|
|
kubectl describe rc <name> # Describe replication controller <name>
|
|
kubectl get svc # List the services
|
|
kubectl describe svc <name> # Describe service <name>
|
|
|
|
### interacting
|
|
|
|
kubectl run <name> --image=<image-name> # Launch a pod called <name>
|
|
# using image <image-name>
|
|
|
|
kubectl create -f <manifest.yaml> # Create a service described
|
|
# in <manifest.yaml>
|
|
|
|
kubectl scale --replicas=<count> rc <name> # Scale replication controller
|
|
# <name> to <count> instances
|
|
|
|
kubectl expose rc <name> --port=<external> --target-port=<internal> # Map port <external> to
|
|
# port <internal> on replication
|
|
# controller <name>
|
|
|
|
### stopping
|
|
kubectl delete pod <name> # Delete pod <name>
|
|
kubectl delete rc <name> # Delete replication controller <name>
|
|
kubectl delete svc <name> # Delete service <name>
|
|
kubectl drain <n> --delete-local-data --force --ignore-daemonsets # Stop all pods on <n>
|
|
kubectl delete node <name>
|
|
|
|
### administration
|
|
kubeadm init # Initialize your master node
|
|
kubeadm join --token <token> <master-ip>:<master-port> # Join a node to your Kubernetes cluster
|
|
kubectl create namespace <namespace> # Create namespace <name>
|
|
kubectl taint nodes --all node-role.kubernetes.io/master- # Allow Kubernetes master nodes to run pods
|
|
kubeadm reset # Reset current state
|
|
|
|
kubectl get secrets
|
|
|
|
|
|
````
|
|
|