https://www.redpill-linpro.com/techblog/2019/04/04/kubernetes-setup.html
https://blog.radwell.codes/2022/07/single-node-kubernetes-cluster-via-kubeadm-on-ubuntu-22-04/
Allow bridge and overlay networking (kernel modules plus sysctl settings):
# Kernel modules for overlay filesystems and bridged pod traffic. The file
# under modules-load.d reloads them on boot; modprobe loads them right now.
tee /etc/modules-load.d/k8s.conf <<'EOF'
overlay
br_netfilter
EOF
modprobe -a overlay br_netfilter
# sysctl params required by setup; files under sysctl.d persist across reboots
sudo tee /etc/sysctl.d/k8s.conf <<'EOF'
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
# Apply the new sysctl settings now, without a reboot
sysctl --system
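# nc is only used below to confirm the API server port answers locally.
# -y matches the other yum calls on this page (non-interactive install).
yum install -y nc
# Open the kube-apiserver port. NOTE(review): this admits every source that
# reaches the public zone; if only known client hosts need the API, restrict
# the rule to them (e.g. a rich rule / --add-source) instead of the bare port.
firewall-cmd --zone=public --add-port=6443/tcp --permanent
firewall-cmd --reload
# Probe only (-z): report whether something listens on 6443 and exit,
# instead of holding the connection open waiting for stdin; -w caps the
# connect wait at 2 seconds so a closed port does not hang the check.
nc -z -w 2 127.0.0.1 6443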
containerd and runc, installed via the Docker repository:
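# Docker CE repository route: pulls containerd.io (containerd + runc) along
# with the docker packages. -y on the second install matches the first.
yum install -y yum-utils
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin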
Better to install directly, following the upstream kubeadm guide:
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/
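# Kubernetes yum repository, as in the kubeadm install guide linked above.
# NOTE(review): packages.cloud.google.com is the legacy package host; check the
# guide for the repository it currently points to before relying on this file.
# \$basearch is escaped so that yum, not the shell, expands it. gpgcheck=1 and
# the exclude line are what make the later --disableexcludes install the only
# path that touches the kube* packages.
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF
# Set SELinux in permissive mode (effectively disabling it).
# NOTE(review): this is what the kubeadm guide prescribes for the kubelet, but
# it removes a host-isolation layer for every container on this node; revisit
# once the runtime/CNI stack is confirmed to work enforcing.
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
systemctl enable --now kubelet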
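# CNI plugins. The version is factored out so the archive, its URL and the
# checksum file stay in sync when it is bumped.
cni_ver=v1.3.0
cni_tgz="cni-plugins-linux-amd64-${cni_ver}.tgz"
cni_url="https://github.com/containernetworking/plugins/releases/download/${cni_ver}/${cni_tgz}"
curl -fsSLo "$cni_tgz" "$cni_url"
# Verify the archive against the checksum published with the release before
# anything is unpacked into /opt/cni/bin (binaries later run as root).
curl -fsSLo "${cni_tgz}.sha256" "${cni_url}.sha256"
sha256sum -c "${cni_tgz}.sha256"
sudo mkdir -p /opt/cni/bin
sudo tar -C /opt/cni/bin -xzvf "$cni_tgz"
# The kubelet refuses to run with swap enabled. swapoff alone does not survive
# a reboot, so the swap entries in fstab are commented out as well.
swapoff -a
sudo sed -i '/\sswap\s/ s/^/#/' /etc/fstab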
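# containerd config taken from a third-party gist, pinned to one revision by
# the commit hash in the URL. NOTE(review): read the file before installing it
# (it is root-owned daemon configuration from an outside source);
# `containerd config default` gives the stock config if you would rather
# start from upstream defaults and apply the needed changes yourself.
curl -fsSLo containerd-config.toml \
  https://gist.githubusercontent.com/oradwell/31ef858de3ca43addef68ff971f459c2/raw/5099df007eb717a11825c3890a0517892fa12dbf/containerd-config.toml
# -p: the containerd package may already have created this directory, in which
# case a plain mkdir fails and the config is never installed.
sudo mkdir -p /etc/containerd
sudo mv containerd-config.toml /etc/containerd/config.toml
sudo systemctl daemon-reload
sudo systemctl enable --now containerd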
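kubeadm config images pull
# The pod CIDR must match what the flannel manifest below expects; 10.244.0.0/16
# is its default, so keep the two in sync if either changes.
kubeadm init --pod-network-cidr=10.244.0.0/16
# Admin kubeconfig for the current user. This file is a cluster-admin
# credential; cp -i refuses to overwrite an existing one, and ownership is
# handed to the user so it stays readable only by them.
mkdir -p "$HOME/.kube"
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
# Original used `chown (id -g)` (fish syntax); bash needs the uid:gid command
# substitution.
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
source <(kubectl completion bash)
# Single-node cluster: allow workloads on the control-plane node. The "master"
# taint only exists on older releases; on current ones that line may report
# "taint not found" and can be dropped.
kubectl taint nodes --all node-role.kubernetes.io/master-
kubectl taint nodes --all node-role.kubernetes.io/control-plane-
# NOTE(review): flannel is applied from the master branch, i.e. whatever is at
# HEAD when this runs; pin it to a release tag the way the dashboard manifest
# below is pinned, so the cluster network is reproducible and reviewable.
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml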
Test app: https://medium.com/@mngaonkar/kubernetes-get-started-deploy-a-simple-web-server-9636f4aa8706
Dashboard:
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md
https://github.com/kubernetes/dashboard/blob/master/docs/user/accessing-dashboard/README.md#login-not-available
https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
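# Registry pull credential. The password is taken from the environment instead
# of being typed on the command line, so it does not end up in shell history;
# it is still visible in the process list for as long as kubectl runs. The
# page linked above also shows building the secret from an existing
# ~/.docker/config.json with --from-file, which keeps it off argv entirely.
: "${REGISTRY_PASSWORD:?set REGISTRY_PASSWORD before creating the secret}"
kubectl create secret docker-registry regcred \
  --docker-server=registry.miem.hse.ru \
  --docker-username=asshadrunov \
  --docker-password="$REGISTRY_PASSWORD"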
# Deployment + NodePort Service for the iwtm image (applied as iwtm.yml below).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: iwtm-deployment
  labels:
    app: iwtm
spec:
  replicas: 1
  selector:
    matchLabels:
      app: iwtm
  template:
    metadata:
      labels:
        app: iwtm
    spec:
      containers:
        - name: iwtm
          image: registry.miem.hse.ru/19032/iwtm-micro/iwtm:0.3
          ports:
            - containerPort: 443
          # NOTE(review): privileged runs the container with the host's device
          # access and capabilities, so a compromise of this pod is a
          # compromise of the node. Confirm the image really needs it; if it
          # needs specific capabilities, grant only those via
          # securityContext.capabilities.add instead.
          securityContext:
            privileged: true
      # Pull credential created with `kubectl create secret docker-registry regcred`.
      imagePullSecrets:
        - name: regcred
---
apiVersion: v1
kind: Service
metadata:
  name: iwtm-service
spec:
  # NodePort listens on the node's addresses, so 30100 is reachable by anything
  # that can reach the node, independent of the 6443 firewall rule above.
  type: NodePort
  selector:
    app: iwtm
  ports:
    - protocol: TCP
      port: 443
      targetPort: 443
      nodePort: 30100
[root@kube iwtm]# kubectl apply -f iwtm.yml
deployment.apps/iwtm-deployment created
service/iwtm-service created
# Service account for programmatic access (used by the Python client below).
kubectl create serviceaccount robot
kubectl describe serviceaccount robot
# Long-lived token for "robot", materialised as a Secret. It does not expire;
# where the client can refresh credentials, a time-bound token from
# `kubectl create token robot` is the lower-risk option.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: robot-secret
  annotations:
    kubernetes.io/service-account.name: robot
type: kubernetes.io/service-account-token
EOF
# describe prints the token in clear text for this secret type: treat the
# output as a credential, not as something to paste into notes or tickets.
kubectl describe secret robot-secret
eyJhbGciOiJSUzI1NiIsImtpZCI6Ik5tbE01Y2M1V19TRXdvdURRbjB4TlNDanNWREJiVlVzR192eElTeVh2NXMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InJvYm90LXNlY3JldCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJyb2JvdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImY3ZTQyMjI3LTM0OGEtNGI3Yi04YjczLWViZGZkMjFhMTNmZiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnJvYm90In0.ksJC25nYNrPfKG8889H3tAi9eImTV5YxXcgmk4ubr4fO9Htl2FcoPxGftAZOc85K5BZTzoxoWUSRxXKJHMkRIchKF7H67mldZ8j2YeAcYJTOHoOaY0UaimaB_R3APy21d54CrFDRpQnTgWhAKSojtVR3Uhhv0OmilzEdbAfhMVcMOrqDCGBeedT_CEiRFXrHYM3jDME-gMfnKfy9zEBohYwkz72ZMaOZ-OWdz-q2F3GiHiLv60I8N1AreN3zKhh2rskCIy_bWxqL0evvloYNO9-VlM8Ktu8MTX7BhZyO2rGxPNXTT9UCDMxc-vX7IIn05oiYhewxGEVLzP34lCeAEA
# NOTE(review): both bindings grant cluster-admin. The client code further down
# only lists pods and creates/reads a deployment in "default", so a namespaced
# Role with those verbs would cover it; cluster-admin behind a non-expiring
# token is a full-cluster credential.
# The "admin" service account is not created anywhere on this page; RBAC
# accepts a binding to a subject that does not exist yet, it simply grants
# nothing until it does.
kubectl create clusterrolebinding admin \
  --clusterrole=cluster-admin \
  --serviceaccount=default:admin
kubectl create clusterrolebinding robot --clusterrole=cluster-admin --serviceaccount=default:robot
Port forwarding to 6443 (the API server port) from the client host:
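import os

from kubernetes import client

# Minimal client: list pods in "default" with a service-account bearer token.
# The token and endpoint come from the environment rather than the source:
# the token is bound to cluster-admin (see the clusterrolebinding above) and
# must not be committed or pasted into notes.
#   KUBE_TOKEN    bearer token (required)
#   KUBE_HOST     API endpoint; defaults to the forwarded address used here
#   KUBE_CA_CERT  path to the cluster CA bundle (optional, see below)
configuration = client.Configuration()
configuration.api_key["authorization"] = os.environ["KUBE_TOKEN"]
configuration.api_key_prefix["authorization"] = "Bearer"
configuration.host = os.environ.get("KUBE_HOST", "https://172.18.169.26:46443")
ca_cert = os.environ.get("KUBE_CA_CERT")
if ca_cert:
    # Verify the API server's certificate whenever its CA is available.
    configuration.ssl_ca_cert = ca_cert
    configuration.verify_ssl = True
else:
    # Without a CA the server is not authenticated and the token is sent to
    # whatever answers on KUBE_HOST; acceptable only over a trusted local
    # forward like the one used here.
    configuration.verify_ssl = False
api_client = client.ApiClient(configuration)
v1 = client.CoreV1Api(api_client)
ret = v1.list_namespaced_pod(namespace="default", watch=False)
print(ret)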
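import os
import time

from kubernetes import client
from kubernetes.client.rest import ApiException

# Lists pods in "default", then creates an nginx Deployment and waits for all
# of its replicas to become available.
# Credentials and endpoint come from the environment, never from source:
#   KUBE_TOKEN    bearer token (required; it is bound to cluster-admin above)
#   KUBE_HOST     API endpoint; defaults to the forwarded address used here
#   KUBE_CA_CERT  path to the cluster CA bundle (optional)
configuration = client.Configuration()
configuration.api_key["authorization"] = os.environ["KUBE_TOKEN"]
configuration.api_key_prefix["authorization"] = "Bearer"
configuration.host = os.environ.get("KUBE_HOST", "https://172.18.169.26:46443")
ca_cert = os.environ.get("KUBE_CA_CERT")
if ca_cert:
    configuration.ssl_ca_cert = ca_cert
    configuration.verify_ssl = True
else:
    # No CA: the server is not authenticated and the token goes to whatever
    # answers on KUBE_HOST. Acceptable only over a trusted local forward.
    configuration.verify_ssl = False

deployment_name = "my-deploy"
deployment_manifest = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": deployment_name, "namespace": "default"},
    "spec": {
        "replicas": 3,
        "selector": {"matchLabels": {"app": "nginx"}},
        "template": {
            "metadata": {"labels": {"app": "nginx"}},
            "spec": {
                "containers": [
                    {"name": "nginx", "image": "nginx:1.21.6", "ports": [{"containerPort": 80}]}
                ]
            },
        },
    },
}
# Upper bound (seconds) on the readiness wait; the original loop had none, so
# a deployment that never comes up (bad image, missing pull secret, ...) spun
# forever.
wait_timeout = 600

with client.ApiClient(configuration) as api_client:
    api_instance = client.CoreV1Api(api_client)
    namespace = "default"
    api_response = api_instance.list_namespaced_pod(namespace, watch=False)
    for pod in api_response.items:
        print(f"Name: {pod.metadata.name}, Namespace: {pod.metadata.namespace} IP: {pod.status.pod_ip}")
    # print(api_response)

    v1 = client.AppsV1Api(api_client)
    response = v1.create_namespaced_deployment(body=deployment_manifest, namespace="default")
    # Compare against the manifest's replica count rather than a second literal 3.
    wanted_replicas = deployment_manifest["spec"]["replicas"]
    deadline = time.monotonic() + wait_timeout
    while True:
        try:
            response = v1.read_namespaced_deployment_status(name=deployment_name, namespace="default")
            # available_replicas is None before the first pod is ready, which
            # this comparison treats as "not ready" too.
            if response.status.available_replicas == wanted_replicas:
                break
            print("Waiting for Deployment to become ready...")
        except ApiException as e:
            print(f"Exception when calling AppsV1Api -> read_namespaced_deployment_status: {e}\n")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"{deployment_name} not ready after {wait_timeout}s")
        # Sleeping on the error path as well means an unreachable API server is
        # retried at this rate instead of in a tight loop.
        time.sleep(5)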
# Interactive shell in the shell-demo pod (-i/-t are the short forms of
# --stdin/--tty). shell-demo is not created anywhere on this page.
kubectl exec -it shell-demo -- /bin/bash