Kubernetes

From XennisWiki
Jump to: navigation, search

Kubernetes (commonly referred to as "K8s") is an open source system for automating deployment, scaling and management of containerized applications that was originally designed by Google and donated to the Cloud Native Computing Foundation. It aims to provide a "platform for automating deployment, scaling, and operations of application containers across clusters of hosts". It supports a range of container tools, including Docker. (Wikipedia)

kubectl (command line interface)

Installation

Further information: Installing and Setting Up kubectl

Debian

apt-get update && apt-get install -y apt-transport-https
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
EOF
apt-get update
apt-get install -y kubectl

Via gcloud

One way to install kubectl is to use gcloud

gcloud components install kubectl

Via download

Another way is to (1) download the latest release, (2) make the binary executable and (3) move it to your local binaries

curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin/kubectl

Shell autocomplete

For Zsh

source <(kubectl completion zsh)

For Bash

source <(kubectl completion bash)

Basic usage

Further information: kubectl Cheat Sheet

Create, delete and get

Create or delete components by a configuration file

kubectl create -f example.yaml
kubectl delete -f example.yaml

Delete for instance a service by it's name

kubectl delete service <name>

List pods, services, ... Use --watch to watch changes

kubectl get pods
kubectl get services

Create namespace

kubectl create namespace my-namespace

ConfigMap

Create a config map from (1) a literal and (2) property files

kubectl create configmap <name> --from-literal=<key>=<value>
kubectl create configmap <name> --from-file *.properties

Get a configmap

kubectl get configmap <name> -o yaml

Secrets

From literal

kubectl create secret generic db-credentials \
    --from-literal=username=tom \
    --from-literal=password=my-super-password

From file

kubectl create secret generic ssh-key-secret \
    --from-file=ssh-privatekey=fuu.ssh \
    --from-file=ssh-publickey=fuu.ssh.pub

Output secrets value

kubectl get secret/my-secret -o jsonpath="{.data['service-key\.json']}" | base64 --decode

Cron job

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: my-cronjob
spec:
  schedule: "@daily"
  successfulJobsHistoryLimit: 1 # Keep only 1 completed job
  jobTemplate:
    spec:
      template:
        spec:
          containers:
          - name: my-cronjob
            image: <image>
            env:
            - name: EXAMPLE
              value: "bar"
            command:
             - /bin/bash
             - -c
             - /example.sh $EXAMPLE
          restartPolicy: Never

Service account

List service accounts of the kube-system namespace

kubectl --namespace kube-system get serviceaccount

Create a service account and a cluster role binding for that account

kubectl --namespace kube-system create serviceaccount <account-name>
kubectl create clusterrolebinding <account-name>-cluster-rule \
    --clusterrole=cluster-admin \
    --serviceaccount=kube-system:<account-name>

Delete the service account

kubectl --namespace kube-system delete serviceaccount <account-name>

Tips

Get pods with a specfic label

kubectl get pods -l <label>=<value>

Open the dashboard

Start the proxy and open http://localhost:8001/ui

kubectl proxy

Port forward to a pod

kubectl port-forward <pod-name> <local-port>:<remote-port>

SSH into a pod

kubectl -it exec <pod-name> -- /bin/sh

Parse JSON output

Returns the Docker image of the first container

kubectl get deployment <deployment> -o jsonpath="{.spec.template.spec.containers[0].image}"

Delete multiple pods

Delete all pods with the label jenkins=slave and the status Error by using cut and grep

for i in $(kubectl get pods --selector "jenkins=slave" | grep Error | cut --delimiter " " --fields 1); do kubectl delete pod $i; done

Start Ubuntu container for debugging

Create a deployment and pods with the Bash as entry point

kubectl run -i --tty load-generator --image=ubuntu /bin/bash

Service with self-signed certificate

Use OpenSSL to generate a self-signed key and certificate. Then create a Kubernetes secret with SSL key and certificate

kubectl create secret generic nginx-ssl \
	--from-file=nginx.key \
	--from-file=nginx.crt

In the service define 443 as port

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  ports:
    - port: 443
      protocol: TCP
      name: https
  selector:
    app: my-app
  type: LoadBalancer

In the container mount the secret

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: my-deployment
spec:
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: my-app
        [...]
        ports:
        - name: https-port
          containerPort: 443
        volumeMounts:
          - mountPath: /etc/nginx/ssl
            name: nginx-ssl
            readOnly: true
      volumes:
      - name: nginx-ssl
        secret:
          secretName: nginx-ssl

Encode the content for a secret without line breaks

cat my-file.json | base64 | tr -d '\n'

Get the pod name by deployment

When the deployment has for instance the label app: my-service the first pod name can be retrieved by

pod=$(kubectl get pods -l app="my-service" -o jsonpath --template="{.items[0].metadata.name}")
echo $pod

Tools

Minikube (local cluster)

see Minikube

Kubetest

Kubetest is a tool to unit unit test Kubernetes configurations.

Kubeval

Kubeval is a tool to validate that Kubernetes configuration supports multiple Kubernetes versions.

Installation
curl -O https://github.com/garethr/kubeval/releases/download/0.7.2/kubeval-linux-amd64.tar.gz
tar xf kubeval-darwin-amd64.tar.gz
cp kubeval /usr/local/bin
Usage
kubeval my-deployment.yaml

Errors and problems

Pods stuck at terminating status

Force a pod deletion

kubectl delete pod <pod> --force --grace-period=0

Hosts entry and Golang

[...]
    spec:
      hostAliases:
      - ip: "100.00.000.00"
        hostnames:
        - "example.org"
      containers:
      - name: my-container
      [...]

Golang uses DNS first and then the local /etc/hosts file. For change that, add to your Golang container the /etc/nsswitch.conf file:

# /etc/nsswitch.conf
#
# The default setting of Golang under Linux for hosts is
# `hosts: dns files`, i.e. ask DNS first and then use the local files.
# Now it is files first and then DNS.
hosts: files dns

Node status is SchedulingDisabled

Exemplary output
$ kubectl get nodes
NAME                                        STATUS                     ROLES     AGE       VERSION
gke-my-cluster-default-pool-af09084b-jn9b   Ready,SchedulingDisabled   <none>    3h        v1.11.2-gke.18
Solution
kubectl uncordon <node>

See also

Kubernetes tools

External links