Chris Stevens committed
Kubernetes
==========

Creating users on your kubernetes cluster
-----------------------------------------

From the `kubernetes website <https://kubernetes.io/docs/reference/access-authn-authz/authentication/#users-in-kubernetes>`_: *Kubernetes does not have objects which represent normal user accounts.*  In other words, there is no ``adduser`` command.  To "create a user" you create an SSL certificate with the user's name in the common name (CN) field; any organization (O) fields are treated as the user's groups by RBAC.  So you'll need to create a key and a CSR, then have that CSR signed by the certificate authority (CA) that kubernetes creates during the bootstrap process.  The ``ca.crt`` file can be found in ``/etc/kubernetes/pki`` on the master node.  It can also be found as a configmap in the default namespace called ``kube-root-ca.crt``.  Run ``kubectl describe cm kube-root-ca.crt`` and you'll see the CA cert.

First, let's create a key and a certificate signing request:

.. code-block:: shell

   USER=cstevens
   openssl req -newkey ed25519 -nodes -keyout ${USER}.key -out ${USER}.csr -subj /CN=${USER}/O=admins

Kubernetes can sign certificate requests, so let's submit the certificate signing request (CSR) file for approval.  The request body has to be base64 encoded on a single line:

.. code-block:: shell

   cat <<EOF | kubectl apply -f -
   apiVersion: certificates.k8s.io/v1
   kind: CertificateSigningRequest
   metadata:
     name: ${USER}
   spec:
     groups:
       - system:authenticated
     request: $(base64 -w 0 < ${USER}.csr)
     signerName: kubernetes.io/kube-apiserver-client
     usages:
       - client auth
   EOF

You will now be able to see the CSR in a ``Pending`` state in kubernetes:

.. code-block:: shell

   kubectl get csr ${USER}
   NAME       AGE   SIGNERNAME                            REQUESTOR          CONDITION
   cstevens   88s   kubernetes.io/kube-apiserver-client   kubernetes-admin   Pending

You can now approve the certificate signing request by running:

.. code-block:: shell

   kubectl certificate approve ${USER}

Now if you run the same ``kubectl get csr ${USER}`` command again, you'll see that it's been approved and issued:

.. code-block:: shell

   NAME       AGE     SIGNERNAME                            REQUESTOR          CONDITION
   cstevens   4m30s   kubernetes.io/kube-apiserver-client   kubernetes-admin   Approved,Issued

To view the approved certificate, you can run:

.. code-block:: shell

   kubectl describe csr ${USER}

Let's grab the signed cert from kubernetes, base64 decode it and save it locally:

.. code-block:: shell

   kubectl get csr ${USER} -o jsonpath="{.status.certificate}" | base64 -d > ${USER}.crt

Next, let's get the ``ca.crt`` from the cluster.  We'll need it on disk when we generate the kubeconfig for the new user:

.. code-block:: shell

   kubectl -n default get cm kube-root-ca.crt -o jsonpath="{.data.ca\.crt}" > kube-root-ca.crt

Now let's generate the kubeconfig file.  This is the file the kubernetes client ``kubectl`` uses to talk to the cluster.  First, add the cluster to the kubeconfig:

.. code-block:: shell

   KUBECONFIG=${USER}.kubeconfig
   CONTEXT=${USER}@kubernetes
   kubectl config set-cluster kubernetes --server=https://192.168.1.231:6443 --certificate-authority=kube-root-ca.crt --embed-certs=true --kubeconfig=${KUBECONFIG}

Then set our credentials:

.. code-block:: shell

   kubectl config set-credentials ${USER} --embed-certs=true --client-key=${USER}.key --client-certificate=${USER}.crt --kubeconfig=${KUBECONFIG}

Create the context:

.. code-block:: shell

   kubectl config set-context ${CONTEXT} --cluster=kubernetes --user=${USER} --kubeconfig=${KUBECONFIG}

Now you can copy this ``${USER}.kubeconfig`` file to ``${HOME}/.kube/config``, the default location kubectl reads it from.  The file embeds the private key, so keep it readable only by its owner.  Once it's copied you'll need to switch to the created context:

.. code-block:: shell

   kubectl config use-context ${CONTEXT}
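Before handing the kubeconfig to anyone, it is worth checking what was actually issued.  The script below is an added example and not part of the original page: it renders the CSR manifest with a bounded ``expirationSeconds`` (client certificates signed by this signer cannot be revoked, so lifetime is the only control), checks that the issued certificate's CN and O match the requested user and group, and asks the API server what the new identity can do with ``kubectl auth can-i``.  The user name, group name and file names are placeholders.

```shell
# Added example (not from the original page): render, verify and check a
# Kubernetes user certificate. User, group and file names are placeholders.
set -eu

# Render the CSR manifest. spec.groups is omitted because the API server
# fills it from the requesting identity. expirationSeconds (Kubernetes
# 1.22+) bounds the lifetime; these client certificates cannot be revoked,
# so a short lifetime is the only real control you have over them.
render_csr_manifest() {
  user="$1"; csr_file="$2"; expiration="${3:-86400}"
  req=$(base64 -w 0 < "$csr_file")
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${user}
spec:
  request: ${req}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: ${expiration}
  usages:
    - client auth
EOF
}

# Confirm the issued certificate carries the identity that was requested:
# CN is the Kubernetes username and O is one of its groups. Exit status 0
# on match, 1 otherwise (RFC2253 output lists the RDNs in reverse order).
cert_subject_matches() {
  crt="$1"; user="$2"; group="$3"
  subject=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253)
  case "$subject" in
    *"CN=${user},O=${group}"*|*"O=${group},CN=${user}"*) return 0 ;;
    *) return 1 ;;
  esac
}
# A freshly signed user has no permissions until a RoleBinding or
# ClusterRoleBinding names the user or its group; ask the API server
# rather than assuming. Prints "yes" or "no".
check_access() {
  kubectl --kubeconfig "$1" auth can-i "$2" "$3"
}
# Typical use with the files from the steps above; guarded so the
# functions can be sourced without running anything against a cluster.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  render_csr_manifest "$USER" "${USER}.csr" 3600 | kubectl apply -f -
  cert_subject_matches "${USER}.crt" "$USER" admins || echo "subject mismatch"
  check_access "${USER}.kubeconfig" list pods
fi
```

Run it with ``RUN_EXAMPLE=1`` after the steps above; a ``no`` from the last line is expected until a RoleBinding or ClusterRoleBinding grants the user or the ``admins`` group something.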

Some basic pod functions
------------------------

Create an nginx deployment
""""""""""""""""""""""""""

.. code-block:: text

    $ kubectl create deployment nginx --image nginx

Scale the deployment
""""""""""""""""""""

.. code-block:: text

    $ kubectl scale deployment nginx --replicas 2

Expose the deployment as a NodePort
"""""""""""""""""""""""""""""""""""

.. code-block:: text

    $ kubectl expose deployment nginx --type NodePort --port 80

To access the nginx deployment, use ``kubectl get service`` to find the NodePort, then browse to ``http://<node>:<port>`` where ``<node>`` is the IP/hostname of any of the kubernetes nodes and ``<port>`` is the five-digit port listed in the nginx service.

Create an nginx pod and shell into it
"""""""""""""""""""""""""""""""""""""

.. code-block:: text

    $ kubectl run my-nginx-pod -it --image nginx -- sh

Delete the my-nginx-pod pod you just created
""""""""""""""""""""""""""""""""""""""""""""

.. code-block:: text

    $ kubectl delete pod my-nginx-pod

Create a pod and delete it automatically when it exits
""""""""""""""""""""""""""""""""""""""""""""""""""""""

.. code-block:: text

    $ kubectl run my-nginx-pod -it --rm --image nginx -- sh

Access the nginx pod you created
""""""""""""""""""""""""""""""""

.. code-block:: text

    $ kubectl port-forward my-nginx-pod 8080:80
      <browse to localhost:8080>

View logs of the nginx pod
""""""""""""""""""""""""""

.. code-block:: text

    $ kubectl logs my-nginx-pod

Diagnostics
-----------

Component status
""""""""""""""""

``kubectl get componentstatus`` is deprecated as of 1.20.  Instead, you can probe the API server's health endpoint directly on a master node.  ``-k`` skips TLS verification; on the master you can pass ``--cacert /etc/kubernetes/pki/ca.crt`` instead and verify the server certificate properly.

.. code-block:: shell

   curl -k "https://localhost:6443/livez?verbose"