Kubernetes Training & Commands
IMPORTANT: TO RESET KUBERNETES AND START AGAIN AFTER ISSUES
RUN KUBEADM RESET
kubectl create namespace amit
kubectl delete namespace amit
kubectl get pods --namespace amit
kubectl get deployments --namespace amit
kubectl get services --namespace amit
kubectl edit deployment networkchuckcoffee-deployment --namespace amit
kubectl delete deployment networkchuckcoffee-deployment --namespace amit
kubectl delete service coffee-service --namespace amit
kubectl get pods --all-namespaces
kubectl apply -f nccoffeedeployment.yaml --namespace amit
kubectl apply -f coffee-service.yaml --namespace amit
kubectl describe services --namespace amit
kubectl describe deployment --namespace amit
kubectl describe pods --namespace amit
kubectl autoscale deployment networkchuckcoffee-deployment --cpu-percent=50 --min=1 --max=10
kubectl get hpa --namespace amit
kubectl create deployment mediawiki --image=mediawiki
kubectl get pods -o wide
kubectl create clusterrolebinding dashboard-admin -n kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=default:dashboard-token-5k7k7
kubectl exec -it mediawiki-deployment-774f8f555b-7j8kt bash
kubectl config set-context --current --namespace=default
Manage Cluster Roles
kubectl get clusterroles
kubectl get clusterrolebindings
Find the name of the role you want to remove, then delete the binding first and the role afterwards:
kubectl delete clusterrolebinding "name"
kubectl delete clusterrole "name"
How to deploy NGINX Ingress Controller & Metallb on Bare Metal Server
1. Install Metallb:
For latest install instructions go to: https://metallb.universe.tf/installation/
Run the following:
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.12.1/manifests/namespace.yaml
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.12.1/manifests/metallb.yaml
2. Create a ConfigMap that gives MetalLB control of a subset of IPs (Layer 2 mode)
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 172.16.1.230-172.16.1.230
Save the file as configmap.yaml, then run:
kubectl apply -f configmap.yaml
3. Install Helm
Run the following:
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod +x get_helm.sh
./get_helm.sh
Validate the Helm install with:
helm
4. Install the NGINX Ingress Controller
4.1 Create the following file:
controller:
  config:
    use-forwarded-headers: "true"
    server-tokens: "False"
  service:
    loadBalancerIP: 192.168.1.246
Save the file as internal-ingress.yaml.
The above requests a fixed load balancer IP for the Ingress Controller; this is the address all inbound traffic will be reached through. MetalLB can only hand out addresses from one of its configured pools, so the requested IP must fall inside the address-pools range in configmap.yaml or the service's EXTERNAL-IP stays <pending>. server-tokens: "False" stops NGINX from advertising its version in responses. use-forwarded-headers: "true" makes NGINX trust incoming X-Forwarded-* headers, which is only appropriate when it sits behind another proxy or load balancer that sets them; otherwise clients can spoof their source address.
4.2 Use Helm to install the NGINX Ingress Controller
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install ingress-nginx ingress-nginx/ingress-nginx -f internal-ingress.yaml
4.3 Check the service and the external load balancer IP
kubectl get svc
You should see something similar to the following:
| NAME | TYPE | CLUSTER-IP | EXTERNAL-IP | PORT(S) | AGE |
|---|---|---|---|---|---|
| ingress-nginx-controller | LoadBalancer | 10.109.245.178 | 192.168.1.246 | 80:32041/TCP,443:30068/TCP | 23h |
| ingress-nginx-controller-admission | ClusterIP | 10.109.2.145 | <none> | 443/TCP | 23h |
Installation Complete!
The next steps are to create a Deployment and an Ingress that expose a given application to the internet. See below for these steps.
Ingress Controller Examples
Install Ingress controller:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.34.1/deploy/static/provider/baremetal/deploy.yaml
then do the following:
kubectl create deployment web --image=gcr.io/google-samples/hello-app:1.0
kubectl expose deployment web --type=NodePort --port=8080
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
  - host: hello-world.info
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 8080
kubectl apply -f "Above_manifest.yaml"
Add an entry for hello-world.info to your hosts file, then test with:
curl hello-world.info
or visit hello-world.info in a browser.
Ingress that adds security response headers through an NGINX configuration-snippet:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Frame-Options: Deny";
      more_set_headers "X-Xss-Protection: 1; mode=block";
      more_set_headers "X-Content-Type-Options: nosniff";
  name: nginx-deploy
  namespace: default
spec:
  rules:
  - host: nginx.devops.com
    http:
      paths:
      - backend:
          service:
            name: nginx-deploy
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
The same pattern for a service living in its own namespace (the Ingress must be created in the same namespace as the Service it points at):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Frame-Options: Deny";
      more_set_headers "X-Xss-Protection: 1; mode=block";
      more_set_headers "X-Content-Type-Options: nosniff";
  name: hotel-ingress
  namespace: hotel
spec:
  rules:
  - host: hotel.orionmail.org
    http:
      paths:
      - backend:
          service:
            name: hotel-svc
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
Steps to Expose deployment to the internet - with example
1. Create and Deploy Application:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: networkchuckcoffee-deployment
  labels:
    app: nccoffee
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nccoffee
  template:
    metadata:
      labels:
        app: nccoffee
    spec:
      containers:
      - name: nccoffee
        image: thenetworkchuck/nccoffee:pourover
        imagePullPolicy: Always
        ports:
        - containerPort: 80
2. Expose Deployment:
kubectl expose deploy networkchuckcoffee-deployment --port 80
3. Create Ingress for deployment:
In the manifest below, make sure the backend service name matches the deployment name (kubectl expose names the Service after the deployment unless --name is given) and that host is set to the public DNS name you want to use.
Also note that this Ingress is deployed in the default namespace, so the Service it references must be in the default namespace too.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Frame-Options: Deny";
      more_set_headers "X-Xss-Protection: 1; mode=block";
      more_set_headers "X-Content-Type-Options: nosniff";
  name: networkchuckcoffee-deployment
  namespace: default
spec:
  rules:
  - host: coffee.orionmail.org
    http:
      paths:
      - backend:
          service:
            name: networkchuckcoffee-deployment
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
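A quick way to confirm that the configuration-snippet in the Ingress manifests above is really taking effect is to check the response headers the controller returns. The script below is an added example (not part of the original notes): it takes a file of raw response headers, such as the output of curl -sI against one of the hosts above, and reports any of the three headers that are missing or carry the wrong value. The sample responses at the bottom are constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify that the three headers the
# configuration-snippet injects (X-Frame-Options, X-Xss-Protection,
# X-Content-Type-Options) are present in a response served through the Ingress.
# Usage against a live host: curl -sI https://coffee.orionmail.org > /tmp/h && check_security_headers /tmp/h

# has_header <headers-file> <name> <expected-value>
# Case-insensitive match on name and value; tolerates the CRLF line endings curl returns.
has_header() {
  tr -d '\r' < "$1" | tr '[:upper:]' '[:lower:]' |
    grep -q "^$2:[[:space:]]*$3[[:space:]]*$"
}

# check_security_headers <headers-file>
# Prints one line per missing or mismatched header; the exit status is the number
# of problems, so 0 means every header from the snippet is set as expected.
check_security_headers() {
  problems=0
  for spec in 'x-frame-options=deny' \
              'x-xss-protection=1; mode=block' \
              'x-content-type-options=nosniff'; do
    name=${spec%%=*}   # text before the first '='
    want=${spec#*=}    # text after the first '='
    if ! has_header "$1" "$name" "$want"; then
      echo "$name: expected '$want'"
      problems=$((problems + 1))
    fi
  done
  return "$problems"
}

# Constructed sample responses (not captured from a real cluster).
GOOD=$(mktemp); BAD=$(mktemp)
printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: nginx' 'X-Frame-Options: Deny' \
  'X-Xss-Protection: 1; mode=block' 'X-Content-Type-Options: nosniff' > "$GOOD"
printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: nginx' 'X-Frame-Options: SAMEORIGIN' \
  'X-Content-Type-Options: nosniff' > "$BAD"

check_security_headers "$GOOD" && echo "all security headers present"
check_security_headers "$BAD" || echo "found $? problem(s) in the second sample"
```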
How to deploy Traefik Ingress Controller
There are two ways to deploy the Traefik ingress controller: with a manifest file, or with Helm. Helm is the easiest and the preferred method.
The best way to deploy Traefik with Helm is to pass a values file that provides all the parameters required for the install.
Traefik integrates with ACME certificate resolvers, so TLS certificates can be obtained automatically for the applications it exposes.
The values file (values.yaml) is shown below:
additionalArguments:
  # Cloudflare Example:
  - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
  - --certificatesresolvers.cloudflare.acme.email=amitp82@protonmail.com
  - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
  - --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json
logs:
  # Configure log settings here...
  general:
    level: ERROR
ports:
  # Configure your entrypoints here...
  web:
    # (optional) Permanent Redirect to HTTPS
    redirectTo: websecure
  websecure:
    tls:
      enabled: true
      # (optional) Set a Default CertResolver
      certResolver: cloudflare
env:
  # Set your environment variables here...
  #
  # DNS Challenge Credentials
  # ---
  # Cloudflare Example:
  - name: CF_API_EMAIL
    valueFrom:
      secretKeyRef:
        key: email
        name: cloudflare-credentials
  - name: CF_API_KEY
    valueFrom:
      secretKeyRef:
        key: apiKey
        name: cloudflare-credentials
# Disable Dashboard
ingressRoute:
  dashboard:
    enabled: false
# Persistent Storage
persistence:
  enabled: true
  name: ssl-certs
  size: 1Gi
  storageClass: "nfs-client"
  path: /ssl-certs
#deployment:
#  initContainers:
#    # The "volume-permissions" init container is required if you run into permission issues.
#    # Related issue: https://github.com/containous/traefik/issues/6972
#    - name: volume-permissions
#      image: busybox:1.31.1
#      command: ["sh", "-c", "chmod -Rv 600 /ssl-certs/*"]
#      volumeMounts:
#        - name: ssl-certs
#          mountPath: /ssl-certs
# Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
ingressClass:
  enabled: true
  isDefaultClass: false
Code explanation
The values file above uses Cloudflare as the certificate resolver. Make sure the email address and the certificate storage location are correct. The storage needs a persistent volume, which is configured further down the file:
# Persistent Storage
persistence:
  enabled: true
  name: ssl-certs
  size: 1Gi
  storageClass: "nfs-client"
  path: /ssl-certs
For Cloudflare to issue a certificate via Traefik, a valid email address and API key are required to authenticate against an existing Cloudflare account. The block below shows how they are passed to Traefik as environment variables:
  - name: CF_API_EMAIL
    valueFrom:
      secretKeyRef:
        key: email
        name: cloudflare-credentials
  - name: CF_API_KEY
    valueFrom:
      secretKeyRef:
        key: apiKey
        name: cloudflare-credentials
Both values are read from a Kubernetes Secret, defined in the cloudflare-credentials.yaml file below:
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-credentials
type: Opaque
stringData:
  email: amitp82@protonmail.com
  apiKey: d2865b39093d2b6785586239fc3c1f80c0d18
Important: apply cloudflare-credentials.yaml, in the same namespace Traefik will be installed into, before deploying Traefik. If the Secret does not exist when the pod starts, the secretKeyRef lookups fail and the container cannot be created.
Deploy Traefik
To deploy Traefik with the values file above, run:
helm install traefik traefik/traefik --values=values.yaml
