❌: не работает веб-консоль
✅: перезагрузить ВМ, на которую установлен контейнер
❌:
web
✅: также выделять 1 Гб на /boot partition
https://www.redpill-linpro.com/techblog/2019/04/04/kubernetes-setup.html
https://blog.radwell.codes/2022/07/single-node-kubernetes-cluster-via-kubeadm-on-ubuntu-22-04/
https://phoenixnap.com/kb/install-kubernetes-on-rocky-linux
allow bridge and overlay networking
# Kernel modules the runtime and pod networking rely on: overlay for the overlayfs
# snapshotter and br_netfilter so bridged pod traffic is seen by netfilter (the
# bridge-nf-call-* sysctls below only exist once it is loaded). modules-load.d makes
# the modules come back after every reboot.
# The first tee runs without sudo while the second uses it; the prompt later on the
# page (root@kube) suggests this whole block is run as root anyway.
cat <<EOF | tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF
# Load them for the running kernel as well, without waiting for a reboot.
modprobe -a overlay br_netfilter
# sysctl params required by setup, params persist across reboots
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
# Apply sysctl params without reboot
sysctl --system
containerd
and runc
https://docs.docker.com/engine/install/centos/
# Docker's CentOS repository is used here as the source for containerd.io (and docker-ce).
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum update -y
reboot
# NOTE(review): kubeadm only needs containerd.io; docker-ce, buildx and compose add an
# extra daemon and tooling on the node (presumably for building images locally) — drop
# them if that is not needed.
sudo yum install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin vim
sudo systemctl daemon-reload
sudo systemctl enable --now docker
sudo systemctl enable --now containerd
# containerd config taken from a third party's gist. It is pinned to a specific revision
# (good), but read its content before installing it as the node's runtime configuration.
curl -Lo containerd-config.toml https://gist.githubusercontent.com/oradwell/31ef858de3ca43addef68ff971f459c2/raw/5099df007eb717a11825c3890a0517892fa12dbf/containerd-config.toml
sudo mkdir -p /etc/containerd
sudo mv containerd-config.toml /etc/containerd/config.toml
reboot
# CNI plugins v1.3.0. Nothing verifies the download: compare the tarball against the
# checksum file published with the GitHub release before extracting it into /opt/cni/bin.
curl -Lo cni-plugins-linux-amd64-v1.3.0.tgz https://github.com/containernetworking/plugins/releases/download/v1.3.0/cni-plugins-linux-amd64-v1.3.0.tgz
sudo mkdir -p /opt/cni/bin
# tar's C flag changes into /opt/cni/bin before extracting.
sudo tar Cxzvf /opt/cni/bin cni-plugins-linux-amd64-v1.3.0.tgz
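# Set SELinux in permissive mode (effectively disabling it)
# NOTE(review): the kubeadm install guide asks for this so containers can reach host
# paths, but it removes SELinux confinement for the whole node — revisit once the
# cluster is working.
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
# See if swap is enabled
swapon --show
# Turn off swap for the running system (by default the kubelet refuses to run with swap on)
sudo swapoff -a
# Disable swap across reboots by commenting out swap entries only. The original
# `/swap/d` deleted every fstab line containing the substring "swap", which would also
# remove unrelated mounts whose device, label or path merely contains that word.
sudo sed -i -E '/^[^#].*\sswap\s/s/^/#/' /etc/fstab
reboot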
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/
# Kubernetes yum repository as given in the install-kubeadm page linked above.
# NOTE(review): packages.cloud.google.com is the legacy Google-hosted repository, which
# upstream has deprecated in favour of the community-owned pkgs.k8s.io repositories;
# re-check the linked page for the current baseurl and gpgkey before reusing this.
# `\$basearch` is escaped so the shell leaves a literal $basearch for yum to expand.
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF
# exclude= in the repo file keeps a plain `yum update` from upgrading the kube packages
# out of step with the cluster, so --disableexcludes is needed to install them at all.
# No version is pinned: a fresh run installs whatever the repository currently serves.
yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
# The kubelet restarts in a loop until `kubeadm init` hands it a configuration; expected.
systemctl enable --now kubelet
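# Open only what the single-node cluster needs from other hosts.
firewall-cmd --zone=public --add-port=6443/tcp --permanent # api
firewall-cmd --zone=public --add-port=10250/tcp --permanent # kubelet API
# NOTE(review): 8001 is the default port of `kubectl proxy`, 8443 the dashboard's
# container port and 31390 an unexplained NodePort. Confirm each still has to be reachable
# from outside the node; every open port widens the exposed surface.
firewall-cmd --zone=public --add-port=8001/tcp --permanent
firewall-cmd --zone=public --add-port=8443/tcp --permanent
firewall-cmd --zone=public --add-port=31390/tcp --permanent
# NodePort range used by the Services later on this page (30001 dashboard, 30100 and
# 30200 iwtm). The original also added 30100-30300, a strict subset of this range.
firewall-cmd --zone=public --add-port=30000-30300/tcp --permanent
# Source-NAT traffic forwarded out of the node (pod egress).
firewall-cmd --zone=public --add-masquerade --permanent
# A single reload applies every --permanent rule above; the original reloaded after
# each group, which changes nothing but the number of reloads.
firewall-cmd --reload
reboot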
# Pre-pull the control-plane images, then bootstrap. The pod CIDR must match what the
# CNI expects; 10.244.0.0/16 is the network in flannel's default manifest.
kubeadm config images pull
kubeadm init --pod-network-cidr=10.244.0.0/16
# admin.conf is the cluster-admin kubeconfig kubeadm writes. It is itself a full-admin
# credential: keep the copy 0600 and never paste it into notes.
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
source <(kubectl completion bash)
# NOTE(review): this applies whatever is on the master branch at the moment it runs (the
# project has since moved to flannel-io/flannel); pin a release tag so the installed
# manifest is reproducible and reviewable.
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
kubectl get nodes
# wait until ready
# Single-node cluster: remove the control-plane taints so ordinary pods can be scheduled
# here. Both the older master- and the newer control-plane- taint names are removed.
kubectl taint nodes --all node-role.kubernetes.io/master-
kubectl taint nodes --all node-role.kubernetes.io/control-plane-
# Dashboard pinned to v2.7.0 — a fixed tag, unlike the flannel manifest above.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
# The next two lines are the same query (service/services are aliases).
kubectl get services -A
kubectl get service -A
# Switches the dashboard Service to NodePort; the spec excerpt that follows is the edit.
kubectl edit service kubernetes-dashboard --namespace kubernetes-dashboard
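# Edited part of the kubernetes-dashboard Service (indentation restored; the pasted
# copy had lost it and would not parse).
spec:
  ports:
  - port: 443
    # NodePort for the dashboard; the firewall block above opens 30000-30300/tcp.
    nodePort: 30001
    protocol: TCP
    targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  sessionAffinity: None
  # NOTE(review): NodePort makes the dashboard login page reachable from any host that
  # can reach the node, and the "robot" token created below is bound to cluster-admin.
  # Prefer `kubectl proxy` / port-forward for a lab, or restrict source addresses in
  # the firewall if it must stay a NodePort.
  type: NodePort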
open https://172.18.209.231:30001
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md
https://github.com/kubernetes/dashboard/blob/master/docs/user/accessing-dashboard/README.md#login-not-available
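# Service account used to log in to the dashboard and by the Python client below.
kubectl create sa robot
kubectl describe sa robot
# Long-lived token Secret for the service account (tokens are no longer generated
# automatically since Kubernetes 1.24). This token never expires and is not bound to a
# pod; `kubectl create token robot` would issue a short-lived one instead.
# Indentation of the manifest restored: the pasted copy had metadata.name and the
# annotation at top level, which is not a valid Secret.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: robot-secret
  annotations:
    kubernetes.io/service-account.name: robot
type: kubernetes.io/service-account-token
EOF
# Prints the token. The original notes pasted the full JWT here in plain text; it is
# redacted below because, with the binding that follows, it is a cluster-admin
# credential. A token that has been written into a notes file should be treated as
# exposed: delete robot-secret and re-create it to rotate.
kubectl describe secrets/robot-secret
# <TOKEN OUTPUT REDACTED>
# kubectl create clusterrolebinding admin --clusterrole=cluster-admin --serviceaccount=default:admin
# NOTE(review): cluster-admin on a never-expiring token is the widest grant possible.
# For the dashboard and the pod-listing script below, a namespaced RoleBinding or the
# built-in `view`/`edit` ClusterRoles would be sufficient.
kubectl create clusterrolebinding robot \
  --clusterrole=cluster-admin \
  --serviceaccount=default:robot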
https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
# Image pull secrets (see the linked page). Both commands create a Secret named regcred
# in the current namespace, so the second fails with AlreadyExists unless the first was
# removed — keep one, or give them distinct names and reference the right one from the
# Deployment's imagePullSecrets.
# The passwords were blanked here, but typed on the command line they land in the shell
# history and are visible in the process list while the command runs. The linked page's
# alternative is to `docker login` and then
#   kubectl create secret generic regcred --from-file=.dockerconfigjson=$HOME/.docker/config.json --type=kubernetes.io/dockerconfigjson
kubectl create secret docker-registry regcred --docker-server=registry.miem.hse.ru --docker-username=asshadrunov --docker-password=
kubectl create secret docker-registry regcred --docker-server=https://index.docker.io/v1/ --docker-username=iwtm --docker-password=''
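# iwtm.yml — Deployment plus NodePort Service. Indentation restored: the pasted copy was
# flat and would not have been accepted by kubectl apply.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: iwtm-deployment
  labels:
    app: iwtm
spec:
  replicas: 1
  selector:
    matchLabels:
      app: iwtm
  template:
    metadata:
      labels:
        app: iwtm
    spec:
      containers:
      - name: iwtm
        # Pulled with the regcred pull secret below. A mutable tag is used; pinning the
        # digest would make the deployed image reproducible.
        image: iwtm/iwtm:0.6
        ports:
        - containerPort: 25
        - containerPort: 443
        securityContext:
          # NOTE(review): privileged gives the container the node's full capability set
          # and device access with no seccomp/AppArmor confinement — a compromise of the
          # service is a compromise of the node. Nothing on this page shows why iwtm needs
          # it; confirm the requirement and, if possible, replace it with the specific
          # capabilities the service actually uses.
          privileged: true
      imagePullSecrets:
      - name: regcred
---
apiVersion: v1
kind: Service
metadata:
  name: iwtm-service
spec:
  # NodePort exposes both ports on every node interface; the firewall block above opens
  # 30000-30300/tcp for this.
  type: NodePort
  selector:
    app: iwtm
  ports:
  - name: https
    protocol: TCP
    port: 443
    targetPort: 443
    nodePort: 30100
  - name: smtp
    protocol: TCP
    port: 25
    targetPort: 25
    nodePort: 30200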
[root@kube iwtm]# kubectl apply -f iwtm.yml
deployment.apps/iwtm-deployment created
service/iwtm-service created
port forwarding to 6443
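import os
import sys

from kubernetes import client

# Bearer token of the "robot" service account. It is read from the environment instead
# of being written into the source: the original script embedded the live token, which
# is a long-lived cluster-admin credential (see the ClusterRoleBinding above).
try:
    token = os.environ["K8S_TOKEN"]
except KeyError:
    raise SystemExit("K8S_TOKEN is not set; export the robot service-account token") from None

configuration = client.Configuration()
configuration.api_key["authorization"] = token
configuration.api_key_prefix["authorization"] = "Bearer"
# API server as reached through the port-forward described above; defaults to the
# address used in these notes.
configuration.host = os.environ.get("K8S_HOST", "https://172.18.169.26:46443")

# Verify the API server certificate against the cluster CA when a bundle is provided.
ca_cert = os.environ.get("K8S_CA_CERT")
if ca_cert:
    configuration.ssl_ca_cert = ca_cert
    configuration.verify_ssl = True
else:
    # The original disabled verification outright. Without it any host on the path can
    # present itself as the API server and receive the token, so at least make the
    # downgrade visible instead of silent.
    print("WARNING: K8S_CA_CERT not set, TLS verification of the API server is disabled", file=sys.stderr)
    configuration.verify_ssl = False

api_client = client.ApiClient(configuration)
v1 = client.CoreV1Api(api_client)
ret = v1.list_namespaced_pod(namespace="default", watch=False)
print(ret)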
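import os
import sys
import time

from kubernetes import client
from kubernetes.client.rest import ApiException

# Name, namespace and size of the demo Deployment created below.
DEPLOYMENT_NAME = "my-deploy"
NAMESPACE = "default"
REPLICAS = 3
# The original polled forever; give up after this many seconds instead.
ROLLOUT_TIMEOUT_S = 300
POLL_INTERVAL_S = 5


def _load_configuration() -> client.Configuration:
    """Build the API client configuration from the environment.

    Environment:
        K8S_TOKEN   - bearer token of the "robot" service account (required).
        K8S_HOST    - API server URL; defaults to the forwarded port used in these notes.
        K8S_CA_CERT - path to the cluster CA bundle used to verify the API server cert.

    The token is read from the environment rather than written into the source: the
    original script embedded the live token, a long-lived cluster-admin credential.

    Raises:
        SystemExit: when K8S_TOKEN is missing.
    """
    try:
        token = os.environ["K8S_TOKEN"]
    except KeyError:
        raise SystemExit("K8S_TOKEN is not set; export the robot service-account token") from None

    configuration = client.Configuration()
    configuration.api_key["authorization"] = token
    configuration.api_key_prefix["authorization"] = "Bearer"
    configuration.host = os.environ.get("K8S_HOST", "https://172.18.169.26:46443")

    ca_cert = os.environ.get("K8S_CA_CERT")
    if ca_cert:
        configuration.ssl_ca_cert = ca_cert
        configuration.verify_ssl = True
    else:
        # The original disabled verification outright. Without it any host on the path
        # can present itself as the API server and receive the token, so make the
        # downgrade visible instead of silent.
        print("WARNING: K8S_CA_CERT not set, TLS verification of the API server is disabled", file=sys.stderr)
        configuration.verify_ssl = False
    return configuration


def build_deployment_manifest(name: str, replicas: int, namespace: str = NAMESPACE) -> dict:
    """Return the nginx Deployment manifest used by the demo.

    Args:
        name: Deployment name.
        replicas: desired replica count.
        namespace: target namespace.

    The image is pinned to a tag; pinning by digest would make the rollout reproducible.
    """
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "replicas": replicas,
            "selector": {"matchLabels": {"app": "nginx"}},
            "template": {
                "metadata": {"labels": {"app": "nginx"}},
                "spec": {
                    "containers": [
                        {
                            "name": "nginx",
                            "image": "nginx:1.21.6",
                            "ports": [{"containerPort": 80}],
                        }
                    ]
                },
            },
        },
    }


def _wait_for_rollout(apps: client.AppsV1Api, name: str, namespace: str,
                      replicas: int, timeout_s: float) -> None:
    """Poll the Deployment status until `replicas` pods are available or the deadline passes.

    A persistent ApiException (RBAC denial, wrong name) kept the original loop spinning
    indefinitely; here it is still reported each round but bounded by the deadline.

    Raises:
        TimeoutError: if the replicas are not available within timeout_s.
    """
    deadline = time.monotonic() + timeout_s
    while True:
        try:
            status = apps.read_namespaced_deployment_status(name=name, namespace=namespace).status
        except ApiException as e:
            print(f"Exception when calling AppsV1Api -> read_namespaced_deployment_status: {e}\n")
        else:
            # available_replicas is None until the first pod reports ready.
            if (status.available_replicas or 0) >= replicas:
                return
            print("Waiting for Deployment to become ready...")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"deployment {namespace}/{name} not ready after {timeout_s}s")
        time.sleep(POLL_INTERVAL_S)


def main() -> None:
    """List the pods in the default namespace, then create the demo Deployment and wait for it."""
    configuration = _load_configuration()
    with client.ApiClient(configuration) as api_client:
        core = client.CoreV1Api(api_client)
        pods = core.list_namespaced_pod(NAMESPACE, watch=False)
        for pod in pods.items:
            print(f"Name: {pod.metadata.name}, Namespace: {pod.metadata.namespace} IP: {pod.status.pod_ip}")

        apps = client.AppsV1Api(api_client)
        apps.create_namespaced_deployment(
            body=build_deployment_manifest(DEPLOYMENT_NAME, REPLICAS), namespace=NAMESPACE
        )
        _wait_for_rollout(apps, DEPLOYMENT_NAME, NAMESPACE, REPLICAS, ROLLOUT_TIMEOUT_S)


if __name__ == "__main__":
    main()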
# Interactive shell into a pod. `shell-demo` appears to be the example pod name from the
# Kubernetes docs; nothing on this page creates it, so substitute the pod to inspect
# (one listed by `kubectl get pods`).
kubectl exec --stdin --tty shell-demo -- /bin/bash