Commit eb34bec7 authored by Daniele Santoro

Release lab lesson 8

parent 8c50426a
......@@ -60,4 +60,9 @@ As a general rule, if the exercise contains only the =README.org=, you should pr
- [[file:e24][Exercise 24 - Create a multi-node cluster]]
- [[file:e25][Exercise 25 - Pod-to-Pod Communications]]
- [[file:e26][Exercise 26 - External World-To-Pod Communication]]
- [[file:e27][Exercise 27 - Load Balancing]]
\ No newline at end of file
- [[file:e27][Exercise 27 - Load Balancing]]
* Lab08_20220520
- [[file:e28][Exercise 28 - Namespaces]]
- [[file:e29][Exercise 29 - Labels and Selectors]]
- [[file:e30][Exercise 30 - Install k8s Dashboard]]
- [[file:e31][Exercise 31 - ConfigMaps & Secrets]]
\ No newline at end of file
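Review bot: The new last line, the Exercise 31 entry, is again left without a trailing newline, which is what forced the Exercise 27 line to be removed and re-added in this hunk. End the file with a newline so the next lab's entries show up as pure additions.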
* Exercise 28 - Namespaces
- Time :: 10 minutes
- 4 minutes: /Try by yourself/
- 6 minutes: /Check, Verify, Ask/
- Description :: Play with namespaces and explore “hidden”
workload. Can you find out where is Kubernetes control plane
running?
* Solutions and Instructions
Explore the namespaces in your cluster
#+BEGIN_SRC sh
kubectl get namespaces
#+END_SRC
Explore the workload of the =kube-system= namespace
#+BEGIN_SRC sh
kubectl get pod -n kube-system -o wide
#+END_SRC
Where is Kubernetes control-plane running?
Explore how node services are represented in the system
#+BEGIN_SRC sh
kubectl get daemonset -n kube-system
#+END_SRC
Create your personal namespace
#+BEGIN_SRC sh
MYNS=$(echo $USER | sed -e 's/\.//g')
kubectl create ns $MYNS
#+END_SRC
Deploy some workload in a dedicated namespace
#+BEGIN_SRC sh
kubectl run --image=jpetazzo/clock myclock -n $MYNS
#+END_SRC
Check where this workload is running
#+BEGIN_SRC sh
kubectl get pod
kubectl get pod -n $MYNS
#+END_SRC
Check all workload in the cluster
#+BEGIN_SRC sh
kubectl get pod --all-namespaces
#+END_SRC
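Review bot: In the "Create your personal namespace" step, MYNS is built by stripping only dots from $USER, but a namespace name must be an RFC 1123 label (lowercase letters, digits and "-", at most 63 characters), so a login containing uppercase letters or an underscore makes "kubectl create ns" fail. Lowercase the value, replace every other character, and quote "$MYNS" where it is used. The question "Where is Kubernetes control-plane running?" is also left without an answer in the solutions; a one-line hint pointing at the NODE column of the kube-system Pods would close that step.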
* Exercise 29 - Labels and Selectors
- Time :: 10 minutes
- 4 minutes: /Try by yourself/
- 6 minutes: /Check, Verify, Ask/
- Description :: Create five replicas of an example
application. Mark the first three with a label =com=frontend= and
=env=prod=, the last two with label =com=backend= and the last one
with label =env=dev=. Then try to perform the following queries
using selectors:
1) List all Pods with their labels
2) List Pods with label =com=backend=
3) List Pods with label =com!=backend=
4) List Pods with labels =env=prod= AND =env=dev=
5) List all Pods with labels =env=prod= OR =env=dev=
* Solutions and Instructions
Clear everything
#+BEGIN_SRC sh
kubectl delete all --all
#+END_SRC
Create some test workload
#+BEGIN_SRC sh
kubectl create deploy --image=jpetazzo/clock clock --replicas=5
#+END_SRC
Mark 1
#+BEGIN_SRC sh
kubectl get po -o json | jq -r '.items[] | .metadata.name' | head -n3 | xargs -I{} kubectl label pods {} com=frontend env=prod
#+END_SRC
Mark 2
#+BEGIN_SRC sh
kubectl get po -o json | jq -r '.items[] | .metadata.name' | tail -n2 | xargs -I{} kubectl label pods {} com=backend
#+END_SRC
Mark 3
#+BEGIN_SRC sh
kubectl get po -o json | jq -r '.items[] | .metadata.name' | tail -n1 | xargs -I{} kubectl label pods {} env=dev
#+END_SRC
1) List all Pods with their labels
#+BEGIN_SRC sh
kubectl get pod --show-labels
#+END_SRC
2) List Pods with label =com=backend=
#+BEGIN_SRC sh
kubectl get po -l com=backend
#+END_SRC
3) List Pods with label =com!=backend=
#+BEGIN_SRC sh
kubectl get po -l com!=backend
#+END_SRC
4) List Pods with labels =env=prod= AND =env=dev=
#+BEGIN_SRC sh
kubectl get po -l env=prod,env=dev
#+END_SRC
5) List all Pods with labels =env=prod= OR =env=dev=
#+BEGIN_SRC sh
kubectl get po -l 'env in (prod,dev)'
#+END_SRC
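Review bot: "kubectl delete all --all" in the "Clear everything" step has neither -n nor --context, so it deletes in whatever namespace and cluster the current context points at; after Exercise 28, where each student has a personal namespace, name the target explicitly (for example -n default). For query 4, state the expected result: a Pod holds one value per label key, so "-l env=prod,env=dev" always returns nothing, and a reader who gets an empty list should know that this is the answer and not a mistake.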
* Exercise 30 - Install k8s Dashboard
- Time :: 10 minutes
- 5 minutes: /Try by yourself/
- 5 minutes: /Check, Verify, Ask/
- Description :: With the help of the official [[https://github.com/kubernetes/dashboard][k8s Dashboard
repository]] install the GUI on your cluster, access to it and
perform some operations.
* Solutions and Instructions
Clear everything
#+BEGIN_SRC sh
kubectl delete all --all
#+END_SRC
Install the dashboard
#+BEGIN_SRC sh
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml
#+END_SRC
Create a user, see [[https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md][this guide]] for more details
#+BEGIN_SRC sh
kubectl create -f dashboard-sample-user.yaml
#+END_SRC
Get a valid token, keep note of it
#+BEGIN_SRC sh
kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"
#+END_SRC
Enable access to the dashboard using =kubectl proxy=
#+BEGIN_SRC sh
kubectl proxy &
#+END_SRC
Access the dashboard using your browser (remember to set the SSH socks tunnel)
#+BEGIN_EXAMPLE
open http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/
#+END_EXAMPLE
Paste the token into "Enter token" field on login screen
Now, try to explore the dashboard and create some new workload from it, for example:
1) Create from the terminal and check the Dashboard
#+BEGIN_SRC sh
kubectl create deploy --image=jpetazzo/clock clock --replicas=5
#+END_SRC
Inspect the Pod logs from the dashboard UI
2) Deploy the example of exercise =e26= using =lb-example.yaml= from the dasboard
3) Create some workload using the dashboard form
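Review bot: The "Get a valid token" command reads ".secrets[0].name" from the admin-user ServiceAccount, a field that is only populated on clusters that still auto-create token Secrets; from Kubernetes 1.24 on it is empty and the command returns no token. State which cluster version the lab targets, or give "kubectl -n kubernetes-dashboard create token admin-user" as the alternative. "kubectl proxy &" is also left running in the background with no step that stops it, and item 2 has a typo ("dasboard").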
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard
\ No newline at end of file
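Review bot: cluster-admin is too broad to leave bound once the lab is over: the ClusterRoleBinding here covers the whole cluster, the README tells the student to keep note of the token, and nothing in the exercise removes admin-user afterwards. Add a closing step to the README (kubectl delete -f dashboard-sample-user.yaml) and a comment at the top of this file marking the binding as lab-only. The file also ends without a newline.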
* Exercise 23 - ConfigMaps and Secrets
- Time :: 10 minutes
- 4 minutes: /Try by yourself/
- 6 minutes: /Check, Verify, Ask/
- Description :: Create ConfigMaps and Secrets in various ways,
attach them to a Pod and try to retrieve them from inside the
Pod.
* Solutions and Instructions
Create a ConfigMap from literal values
#+BEGIN_SRC sh
kubectl create configmap my-config --from-literal=key1=value1 --from-literal=key2=value2
#+END_SRC
Create a ConfigMap from the =customer1-configmap.yaml= file (filename must correspond to ConfigMap name)
#+BEGIN_SRC sh
kubectl create -f customer1-configmap.yaml
#+END_SRC
Create a ConfigMap from a folder structure, see [[file:numbers/][here]]
#+BEGIN_SRC sh
kubectl create configmap numbers --from-file=./numbers/
#+END_SRC
Create a ConfigMap from a plain file, see [[file:favorite][here]]
#+BEGIN_SRC sh
kubectl create configmap color --from-file=./favorite
#+END_SRC
Get values from an existing ConfigMap
#+BEGIN_SRC sh
kubectl get configmaps my-config -o yaml | yq e -C | cat -n
kubectl get configmaps customer1 -o yaml | yq e -C | cat -n
kubectl get configmaps numbers -o yaml | yq e -C | cat -n
kubectl get configmaps color -o yaml | yq e -C | cat -n
#+END_SRC
Start a Pod using ConfigMap values as environment variables, see Pod manifest [[file:simpleshell.yaml][here]]
#+BEGIN_SRC sh
kubectl create -f simpleshell.yaml
#+END_SRC
Check env values inside the pod
#+BEGIN_SRC sh
kubectl exec shell-demo -- /bin/bash -c 'env'
#+END_SRC
Start a pod which mount a configmap in a volume, see [[file:simpleshell-vol.yaml][here]]
#+BEGIN_SRC sh
kubectl create -f simpleshell-vol.yaml
#+END_SRC
Inspect the configmap volume inside the pod
#+BEGIN_SRC sh
kubectl exec shell-demo-vol -- /bin/bash -c 'df -ha |grep customer'
#+END_SRC
Get a value from the cofigmap
#+BEGIN_SRC sh
kubectl exec shell-demo-vol -- /bin/bash -c 'cat /etc/customer1/TEXT1.name'
#+END_SRC
Create a Secret
#+BEGIN_SRC sh
kubectl create secret generic my-password --from-literal=password=mysqlpassword
#+END_SRC
/The above command would create a secret called/ =my-password=/,
which has the value of the/ =password= /key set to/
=mysqlpassword=./
Inspect the secret
#+BEGIN_SRC sh
kubectl get secret my-password -o yaml | yq e -C | cat -n
#+END_SRC
Secrets can be created manually using the YAML representation as
other k8s resources.
With Secrets, each object data must be encoded using
=base64=. If we want to have a configuration file for our Secret, we
must first get the =base64= encoding for our password:
#+BEGIN_SRC sh
echo -n mysqlpassword | base64
#+END_SRC
Should output
#+begin_example
bXlzcWxwYXNzd29yZA==
#+end_example
The obfuscated =base64= string must be used in the secret file as
value of the desired key, when creating it.
Please note that base64 encoding does not do any encryption, and anyone can easily decode it:
#+BEGIN_SRC sh
echo "bXlzcWxwYXNzd29yZA==" | base64 --decode; echo
#+END_SRC
_Therefore, make sure you do not commit a Secret's configuration file in the source code._
Use the secret as an =ENV_VAR= in a pod, see [[file:simpleshell-sec.yaml][here]]
#+BEGIN_SRC sh
kubectl create -f simpleshell-sec.yaml
#+END_SRC
Inspect the secret in the pod
#+BEGIN_SRC sh
kubectl exec shell-demo-sec -- /bin/bash -c 'echo $MYPWD'
#+END_SRC
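Review bot: The heading reads "Exercise 23 - ConfigMaps and Secrets" while the index entry added in this commit is "Exercise 31 - ConfigMaps & Secrets" under e31; renumber the heading. In the "Create a Secret" step, --from-literal=password=mysqlpassword leaves the value in shell history; since the text already warns that base64 is not encryption, mention --from-file as the variant to use outside the lab. The remark that the filename must correspond to the ConfigMap name does not hold for "kubectl create -f", which takes the name from metadata.name. Typo: "cofigmap".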
apiVersion: v1
kind: ConfigMap
metadata:
name: customer1
data:
TEXT1.name: Customer1_Company
TEXT2: Welcomes You
COMPANY: Customer1 Company Technology Pct. Ltd.
apiVersion: v1
kind: Pod
metadata:
name: shell-demo-sec
spec:
containers:
- name: nginx
image: nginx
env:
- name: MYPWD
valueFrom:
secretKeyRef:
name: my-password
key: password
\ No newline at end of file
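Review bot: MYPWD is injected through env with secretKeyRef, so the password is readable by anything that can read the container's environment, which is what the README's "echo $MYPWD" step shows. Consider adding a second manifest that mounts my-password as a volume, mirroring simpleshell-vol.yaml, so the exercise covers both ways of consuming a Secret. The file ends without a newline.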
apiVersion: v1
kind: Pod
metadata:
name: shell-demo-vol
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- name: customer-vol
mountPath: /etc/customer1
volumes:
- name: customer-vol
configMap:
name: customer1
\ No newline at end of file
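Review bot: "image: nginx" carries no tag, so the Pod pulls whatever latest is on the day of the lab; the same line appears in simpleshell.yaml and simpleshell-sec.yaml. Pin a version tag in all three, as the dashboard step does with v2.2.0, so the bash, df and cat commands the README runs inside the container keep behaving the same.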
apiVersion: v1
kind: Pod
metadata:
name: shell-demo
spec:
containers:
- name: nginx
image: nginx
env:
- name: COLOR
valueFrom:
configMapKeyRef:
name: color
key: favorite
envFrom:
- configMapRef:
name: my-config
- configMapRef:
name: numbers
\ No newline at end of file
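Review bot: The two envFrom entries import every key of my-config and numbers with no prefix, so a key present in both is silently taken from the later entry, and the "env" output in the README gives no hint of which ConfigMap a variable came from. Add a prefix to each envFrom entry (for example "prefix: CFG_" and "prefix: NUM_") next to its configMapRef.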