Second LIfe

template:
...

volumeMounts:
- mountPath: /etc/localtime
name: timezone-config
volumes:
- hostPath:
path: /usr/share/zoneifo/Asis/Seoul
name: timezone-config

Article on Setting up Basic Authentication
Setup basic authentication on kubernetes
Note: This is not recommended in a production environment. This is only for learning purposes.
Follow the below instructions to configure basic authentication in a kubeadm setup.

Create a file with user details locally at /tmp/users/user-details.csv

# User File Contents
password123,user1,u0001
password123,user2,u0002
password123,user3,u0003
password123,user4,u0004
password123,user5,u0005


Edit the kube-apiserver static pod configured by kubeadm to pass in the user details. The file is located at /etc/kubernetes/manifests/kube-apiserver.yaml



apiVersion: v1
kind: Pod
metadata:
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
<content-hidden>
image: k8s.gcr.io/kube-apiserver-amd64:v1.11.3
name: kube-apiserver
volumeMounts:
- mountPath: /tmp/users
name: usr-details
readOnly: true
volumes:
- hostPath:
path: /tmp/users
type: DirectoryOrCreate
name: usr-details


Modify the kube-apiserver startup options to include the basic-auth file



apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --authorization-mode=Node,RBAC
<content-hidden>
- --basic-auth-file=/tmp/users/user-details.csv
Create the necessary roles and role bindings for these users:



---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]

---
# This role binding allows "jane" to read pods in the "default" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: user1 # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role #this must be Role or ClusterRole
name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
apiGroup: rbac.authorization.k8s.io
Once created, you may authenticate into the kube-api server using the users credentials

curl -v -k https://localhost:6443/api/v1/pods -u "user1:password123"

Resource configuration backup
kunectl get all —all-namespaces -o yaml > all-deploy-service.yaml

etcd backup n restore
복구시
token n data 경로는 원래 것과 다르게 해야한다

# 1. Get etcdctl utility if it's not already present.

Reference: https://github.com/etcd-io/etcd/releases

```
ETCD_VER=v3.3.13

# choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}

rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test

curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
tar xzvf /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz -C /tmp/etcd-download-test --strip-components=1
rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz

/tmp/etcd-download-test/etcd --version
ETCDCTL_API=3 /tmp/etcd-download-test/etcdctl version

mv /tmp/etcd-download-test/etcdctl /usr/bin
```

# 2. Backup
minikube의 경우 /etc/kubernetes/mainifests/kube-apiserver.yaml 참조

```
ETCDCTL_API=3 etcdctl --endpoints=https://[127.0.0.1]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt \
--cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key \
snapshot save /tmp/snapshot-pre-boot.db
```

# -----------------------------
# Disaster Happens
# -----------------------------

# 3. Restore ETCD Snapshot to a new folder

```
ETCDCTL_API=3 etcdctl --endpoints=https://[127.0.0.1]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt \
--name=master \
--cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key \
--data-dir /var/lib/etcd-from-backup \
--initial-cluster=master=https://127.0.0.1:2380 \
--initial-cluster-token etcd-cluster-1 \
--initial-advertise-peer-urls=https://127.0.0.1:2380 \
snapshot restore /tmp/snapshot-pre-boot.db
```

# 4. Modify /etc/kubernetes/manifests/etcd.yaml

Update ETCD POD to use the new data directory and cluster token by modifying the pod definition file at `/etc/kubernetes/manifests/etcd.yaml`. When this file is updated, the ETCD pod is automatically re-created as thisis a static pod placed under the `/etc/kubernetes/manifests` directory.

Update --data-dir to use new target location

```
--data-dir=/var/lib/etcd-from-backup
```

Update new initial-cluster-token to specify new cluster

```
--initial-cluster-token=etcd-cluster-1
```

Update volumes and volume mounts to point to new path

```
volumeMounts:
- mountPath: /var/lib/etcd-from-backup
name: etcd-data
- mountPath: /etc/kubernetes/pki/etcd
name: etcd-certs
hostNetwork: true
priorityClassName: system-cluster-critical
volumes:
- hostPath:
path: /var/lib/etcd-from-backup
type: DirectoryOrCreate
name: etcd-data
- hostPath:
path: /etc/kubernetes/pki/etcd
type: DirectoryOrCreate
name: etcd-certs
```

> Note: You don't really need to update data directory and volumeMounts.mountPath path above. You could simply just update the hostPath.path in the volumes section to point to the new directory. But if you are not working with a kubeadm deployed cluster, then you might have to update the data directory. That's why I left it as is.

만약 pod로 구성되지 않았다면 snap save 후
ETCDCTL_API=3 etcdctl snapshot status snapshot.db


service kube-apiserver stop

모든 수정작업이 완료된후에는

systemctl daemon-reload
servicec etcd restart
service kube-apiserver start

1.11 에서 1.12로 업글
모든 업글은 마이너 한 단계씩 업글 해야함

— Master 에서
kubectl drain master —ignore-daemonsets

apt-get update && apt-get upgrade -y kubeadm=1.12.0-00

kubeadm upgrade apply v1.12.0

apt install kubelet=1.12.0-00

Kubectl uncordon master

—-Slave node upgrade

kubectl drain node01 —ignore-daemonsets
수동 pod가 있다면. —force 추가

ssh node01
apt-get update && apt-get upgrade -u kubeadm=1.12.0-00

apt install kubelet=1.12.0-00

exit

Master에서
kubeadm upgrade node cofnig —kubelet-version $(kubelet —version | cut -d ‘ ‘ -f 2)

kubectl get nodes
kubectl uncordon node01


혹 안되면 systemctl restart kubelet를 해보시길

Slave가 5분동안 죽어있으면 다운으로 간주함
Pod가 다른 노드로 분산됨
시간 변경방법

kube-cotroller-manager —pod-eviction-timeout=5m0s

kubectl drain node-1

노드관리를 위해 지정된 노드에 있는 포드들을 다른곳으로 이동시키는 명령어다, 우선 새로운 포드가 노드에 스케줄링되어서 실행되지 않도록 설정한다. 그리고 나서 기존에 이 노드에서 실행중이던 포드들을 삭제한다. 이때 노드에 데몬셋으로 실행된 포드들이 있으면 drain 이 실패한다, 데몬셋으로 실핸된 포드들은 삭제해도 데몬셋이 즉시 다시 실행되기 때문이다. 그래서 데몬샛으로 실행된 포드들을 무시하고 진행하려면

—ignore—daemonsets=true 옵션을 주고 drain하면된다 컨트롤러를 통해서 실행되지 않은 포드만으로 실행된 포드들이 있으면 drain이 실해한다. 컨트롤러에 의해 관리되고 있는 포드들은 삭제가 되더라도 컨트롤러가 클러스트내 달른 노드에 다시 동일한 역화라ㅏ을 하는 포드를 실행하지만 포드만으로 실행된 포드들은 한번 삭제되면 그것으로 끝이기 때문에 중요한 역할을 하는 포드였다면 위험하기 때문에 drain이 진행되지 않고 실패단다. 이럴경우 강제로진행하려면 —force 옵션을 주고 실행하면 된다.

drain되어서 스케줄링이 되지 않고 있는 상태를 풀어주려면 uncordon명령을 사용하면된다,

kubectl uncordon node-1

kubectl cordon ndoe-2

cordon은 지정된 노드에 더 이상 포드들이 스케줄링 되어 실행되지 않도록 한다

kubectl get nodes를 해보면 status에 ready외에 scheduingDisabled이 추가된걸 확인할수 있다.

​

​

나무나 피곤하고 지친 하루의 끝자락

그래도 힘들게 버텨낸 나 자신을 응원한다

오늘도 정말 수고 했어

‘작은 것에 연연하지 말고 인생을 좀 더 즐겨!’

​

to join new nodes to existing cluster is
kubeadm token create —print-join-command

토큰 새로만들면 된다
기존에 붙어 있는 노드와 무관
그냥 위처럼 하면됨
네트워크는 초기에 데몬셋로 구현되어 있어(데몬셋이 아니면. 개별 설치를 해줘야한다)
자동 설치됨