---===---
- K8s Core Concepts/useful-links.md
- K8s official documentation: https://kubernetes.io/docs/concepts/
- Enrypting Secret Data at Rest: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
- K8s Architecture Components: https://kubernetes.io/docs/concepts/overview/components/
- Kubectl - K8s CLI: https://kubernetes.io/docs/reference/kubectl/overview/
- Managing Objects Imperative (Kubectl): https://kubernetes.io/docs/tasks/manage-kubernetes-objects/imperative-command/
- Managing Objects Declarative (Config File): https://kubernetes.io/docs/tasks/manage-kubernetes-objects/declarative-config/
- Imperative vs Declarative: https://kubernetes.io/docs/concepts/overview/working-with-objects/object-management/
---===--- 02. Install Cluster/commands.md
mv ~/Downloads/k8s-node.pem ~/.ssh
chmod 400 ~/.ssh/k8s-node.pem
ssh -i ~/.ssh/k8s-node.pem [email protected]
sudo swapoff -a
sudo vim /etc/hosts
45.14.48.178 master
45.14.48.179 worker1
45.14.48.180 worker2
we can now use these names instead of typing the IPs, when nodes talk to each other. After that, assign a hostname to each of these servers.
sudo hostnamectl set-hostname master
sudo hostnamectl set-hostname worker1
sudo hostnamectl set-hostname worker2
sudo kubeadm init
service kubelet status
systemctl status kubelet
journalctl -u kubelet
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
kubectl get node
kubectl get pod -n kube-system
kubectl get pod -A
kubectl get pod -n kube-system -o wide
kubectl apply -f https://github.com/weaveworks/weave/releases/download/v2.8.1/weave-daemonset-k8s.yaml
Link to the Weave-net installation guide
kubectl exec -n kube-system weave-net-1jkl6 -c weave -- /home/weave/weave --local status
vim install-containerd.sh
chmod u+x install-containerd.sh
./install-containerd.sh
kubeadm token create --help
kubeadm token create --print-join-command
sudo kubeadm join 172.31.43.99:6443 --token 9bds1l.3g9ypte9gf69b5ft --discovery-token-ca-cert-hash sha256:xxxx
kubectl run test --image=nginx
---===--- 02. Install Cluster/install-containerd.sh
#!/bin/bash
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf overlay br_netfilter EOF
sudo modprobe overlay sudo modprobe br_netfilter
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf net.bridge.bridge-nf-call-iptables = 1 net.bridge.bridge-nf-call-ip6tables = 1 net.ipv4.ip_forward = 1 EOF
sudo sysctl --system
sudo apt-get update sudo apt-get -y install containerd
sudo mkdir -p /etc/containerd containerd config default | sudo tee /etc/containerd/config.toml sudo sed -i 's/SystemdCgroup = false/SystemdCgroup = true/g' /etc/containerd/config.toml sudo systemctl restart containerd ---===--- 02. Install Cluster/install-k8s-components.sh
sudo apt-get update sudo apt-get install -y apt-transport-https ca-certificates curl
sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg
echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update
apt-cache madison kubeadm
sudo apt-get install -y kubelet=1.21.0-00 kubeadm=1.21.0-00 kubectl=1.21.0-00 sudo apt-mark hold kubelet kubeadm kubectl
- Install Cluster/useful-links.md
- Troubleshooting SSH Connection on AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html
- System Requirements: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/
- Static Pods: https://kubernetes.io/docs/tasks/configure-pod-container/static-pod/
- Certificates: https://kubernetes.io/docs/setup/best-practices/certificates/
- Kubeadm: https://kubernetes.io/docs/reference/setup-tools/kubeadm/
- Pre-Requisites: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#before-you-begin
- AWS Security Group Docs: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
- Installing container runtime: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/#installing-runtime
- Kubeadm init command details: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/
- kubeadm init workflow: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/#init-workflow
- Addons: https://kubernetes.io/docs/concepts/overview/components/#addons
- Kubeconfig File: https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/
- Namespaces Official Docs: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
- CoreDNS: https://coredns.io/plugins/kubernetes/
- CNI Specification: https://github.com/containernetworking/cni/blob/master/SPEC.md#network-configuration
- Cluster Networking - Official Docs: https://kubernetes.io/docs/concepts/cluster-administration/networking/
- Weave Net: https://www.weave.works/docs/net/latest/kubernetes/kube-addon/
- Kubeadm Join Command: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-join/
- Troubleshooting Weave Connection: https://www.weave.works/docs/net/latest/tasks/ipam/troubleshooting-ipam/
---===--- 03. Deploy Application/commands.md
kubectl apply -f nginx-deployment.yaml
kubectl apply -f nginx-service.yaml
kubectl get svc
kubectl describe svc {svc-name}
kubectl get ep
kubectl get svc --show-labels
kubectl get svc -l app=nginx
kubectl get pod --show-labels
kubectl get pod -l app=nginx
kubectl logs -l app=nginx
kubectl get pod -n kube-system --show-labels
kubectl logs -n kube-system -l="name=weave-net" -c weave
kubectl get node —show-labels
kubectl scale --help
kubectl scale deployment {depl-name} --replicas 4
kubectl scale deployment {depl-name} --replicas 3
kubectl scale deployment {depl-name} --replicas 5 --record
kubectl rollout history deployment {depl-name}
kubectl run test-nginx-service --image=busybox
kubectl exec -it {pod-name} -- bash
---===--- 03. Deploy Application/nginx-deployment.yaml
apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment labels: app: nginx spec: replicas: 2 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:1.20
---===--- 03. Deploy Application/nginx-service.yaml
apiVersion: v1 kind: Service metadata: name: nginx-service labels: app: nginx svc: test-nginx spec: selector: app: nginx ports: - protocol: TCP port: 8080 targetPort: 80 ---===--- 03. Deploy Application/useful-links.md
- Recommended Labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/
- DNS for Services and Pods: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
- Debugging DNS Resolution: https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/
- CoreDNS in K8s: https://kubernetes.io/docs/tasks/administer-cluster/coredns/
- CoreDNS: https://coredns.io/
- Kube API Server: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
- Kubeadm Init Defaults: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-config/
- Kubectl Cheatsheet: https://kubernetes.io/docs/reference/kubectl/cheatsheet/
---===--- 04. External Access/ingress.yaml
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: my-app-ingress annotations: nginx.ingress.kubernetes.io/rewrite-target: / kubernetes.io/ingress.class: "nginx" spec: rules:
- host: your-load-balancer-domain-name
http:
paths:
- backend: service: name: nginx-service port: number: 8080 path: /my-app pathType: Exact ---===---
- External Access/load-balancer-svc.yaml
apiVersion: v1 kind: Service metadata: name: nginx-service labels: app: nginx spec: type: LoadBalancer selector: app: nginx ports: - protocol: TCP port: 8080 targetPort: 80 nodePort: 30000 ---===--- 04. External Access/node-port-svc.yaml
apiVersion: v1 kind: Service metadata: name: nginx-service labels: app: nginx spec: type: NodePort selector: app: nginx ports: - protocol: TCP port: 8080 targetPort: 80 nodePort: 30000 ---===--- 04. External Access/README.md
If you get an error on creating ingress component related to "nginx-controller-admission" webhook, than manually delete the ValidationWebhook and try again. To delete the ValidationWebhook:
kubectl get ValidatingWebhookConfiguration
kubectl delete ValidatingWebhookConfiguration {name}
Link to a more detailed description of the issue ---===--- 04. External Access/useful-links.md
- NodePort Service: https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
- Load Balancer Service: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
- Ingress: https://kubernetes.io/docs/concepts/services-networking/ingress/
- List of Ingress Controller: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/
- Bare Metal Ingress Controller: https://kubernetes.github.io/ingress-nginx/deploy/baremetal/
- Install Helm: https://helm.sh/docs/intro/install/
- Nginx Ingress Controller: https://kubernetes.github.io/ingress-nginx/ ---===---
- Users and Permissions/cicd-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: cicd-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: cicd-role subjects:
- kind: ServiceAccount name: jenkins namespace: default ---===---
- Users and Permissions/cicd-role.yaml
apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: cicd-role rules:
- apiGroups:
- "" resources:
- services verbs:
- create
- update
- list
- apiGroups:
- apps resources:
- deployments verbs:
- create
- update
- list ---===---
- Users and Permissions/commands.md
openssl genrsa -out dev-tom.key 2048
openssl req -new -key dev-tom.key -subj "/CN=tom" -out dev-tom.csr
cat dev-tom.csr | base64 | tr -d "\n"
kubectl apply -f dev-tom-csr.yaml
kubectl get csr
kubectl certificate approve dev-tom
kubectl get csr dev-tom -o yaml
kubectl --server={api-server-address} \
--certificate-authority=/etc/kubernetes/pki/ca.crt \
--client-certificate=dev-tom.crt \
--client-key=dev-tom.key \
get pods
kubectl create clusterrole dev-cr --dry-run=client -o yaml > dev-cr.yaml
kubectl create clusterrolebinding dev-crb --dry-run=client -o yaml > dev-crb.yaml
kubectl auth can-i get pod
kubectl auth can-i get pod —-as {user-name}
kubectl create serviceaccount jenkins-sa --dry-run=client -o yaml > jenkins-sa.yaml
kubectl create role cicd-role
kubectl create clusterrolebinding cicd-binding \
--clusterrole=cicd-role \
--serviceaccount=default:jenkins
kubectl options
kubectl --server $server \
--certificate-authority /etc/kubernetes/pki/ca.crt \
--token $token \
--user jenkins \
get pods
---===--- 05. Users and Permissions/dev-crb.yaml
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: dev-crb roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: dev-cr subjects:
- apiGroup: rbac.authorization.k8s.io kind: User name: tom ---===---
- Users and Permissions/dev-cr.yaml
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: dev-cr rules:
- apiGroups:
- "" resources:
- pods
- services verbs: ["*"]
- apiGroups:
- apps resources:
- deployments
- statefulSets verbs:
- get
- list
- create ---===---
- Users and Permissions/dev-tom-csr.yaml
apiVersion: certificates.k8s.io/v1 kind: CertificateSigningRequest metadata: name: dev-tom spec: request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQ1ZqQ0NBVDRDQVFBd0VURVBNQTBHQTFVRUF3d0dZVzVuWld4aE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQTByczhJTHRHdTYxakx2dHhWTTJSVlRWMDNHWlJTWWw0dWluVWo4RElaWjBOCnR2MUZtRVFSd3VoaUZsOFEzcWl0Qm0wMUFSMkNJVXBGd2ZzSjZ4MXF3ckJzVkhZbGlBNVhwRVpZM3ExcGswSDQKM3Z3aGJlK1o2MVNrVHF5SVBYUUwrTWM5T1Nsbm0xb0R2N0NtSkZNMUlMRVI3QTVGZnZKOEdFRjJ6dHBoaUlFMwpub1dtdHNZb3JuT2wzc2lHQ2ZGZzR4Zmd4eW8ybmlneFNVekl1bXNnVm9PM2ttT0x1RVF6cXpkakJ3TFJXbWlECklmMXBMWnoyalVnald4UkhCM1gyWnVVV1d1T09PZnpXM01LaE8ybHEvZi9DdS8wYk83c0x0MCt3U2ZMSU91TFcKcW90blZtRmxMMytqTy82WDNDKzBERHk5aUtwbXJjVDBnWGZLemE1dHJRSURBUUFCb0FBd0RRWUpLb1pJaHZjTgpBUUVMQlFBRGdnRUJBR05WdmVIOGR4ZzNvK21VeVRkbmFjVmQ1N24zSkExdnZEU1JWREkyQTZ1eXN3ZFp1L1BVCkkwZXpZWFV0RVNnSk1IRmQycVVNMjNuNVJsSXJ3R0xuUXFISUh5VStWWHhsdnZsRnpNOVpEWllSTmU3QlJvYXgKQVlEdUI5STZXT3FYbkFvczFqRmxNUG5NbFpqdU5kSGxpT1BjTU1oNndLaTZzZFhpVStHYTJ2RUVLY01jSVUyRgpvU2djUWdMYTk0aEpacGk3ZnNMdm1OQUxoT045UHdNMGM1dVJVejV4T0dGMUtCbWRSeEgvbUNOS2JKYjFRQm1HCkkwYitEUEdaTktXTU0xMzhIQXdoV0tkNjVoVHdYOWl4V3ZHMkh4TG1WQzg0L1BHT0tWQW9FNkpsYWFHdTlQVmkKdjlOSjVaZlZrcXdCd0hKbzZXdk9xVlA3SVFjZmg3d0drWm89Ci0tLS0tRU5EIENFUlRJRklDQVRFIFJFUVVFU1QtLS0tLQo= signerName: kubernetes.io/kube-apiserver-client
usages:
- client auth---===---
- Users and Permissions/jenkins-sa.yaml
apiVersion: v1 kind: ServiceAccount metadata: name: jenkins ---===--- 05. Users and Permissions/useful-links.md
- Authentication: https://kubernetes.io/docs/reference/access-authn-authz/authentication/
- Authorization: https://kubernetes.io/docs/reference/access-authn-authz/authorization/
- RBAC: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- Manage TLS Certificates: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/
- Certificate Signing Request: https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/
- Resource Types and corresponding apiGroup: https://kubernetes.io/docs/reference/kubectl/overview/#resource-types
- API Groups: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#-strong-api-groups-strong
- Configure Service Account: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- Managing Service Accounts: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/