Second LIfe

ssh-keygen -f remote-key


vi Dockerfile

FROM centos:201910

RUN yum -y install openssh-server
RUN useradd remote_user && \
echo “remote_user:1234”| chpasswd && \
##centos 7일 경우
## echo “1234”| paasw remote_user —stdin && \

mkdir /home/renote_user/.ssh && \
chmod 700 /home/remote_user/.ssh

COPY reomote-key.pub /home/remote_user/.ssh/authorized_keys

RUN chown remote_user:remote_user -R /home/remote_user/.ssh && \
chmod 600 /home/remote_user/.ssh/authorized_keys

RUN /usr/sbin/sshd-keygen
CMD /usr/sbin/sshd -D

kubectl run —restart=Never —image=busybox static-busybox —dry-run -o yaml —command sleep 1000

Without kube-apiserver

Worker node의 /etc/kubernetes/manifests 에 pod.yaml(이름 상관없어요 그냥 yaml file)을 만들어 주면 된다

manifests가 없다면 만들어 주자

kubelet.service의 내용을 보면(systemctl status kubelet)
—pod-manifest-path=/etc/kuberbets/manifests
—config=kubeconfig.yaml <== 해당 경로를 넣어줌

kubeconfig.yaml파일의 내용
staticPodPath: /etc/kubernetes/manifests

docker ps 로 컨테이너가 만들어졌는지 확인
kubectl get pods <= 만들어졌는지 확인

삭제가 되지 않으며 ,해당 노드에 가서 manifests 안의 파일을 삭제해야한다

보틍은 master node 의 /etc/kubernetes/manifests 안에
controller-manager.yaml , apiservcer.yam, etcd,yaml
이 들어있어서 항상 동작하도록(삭제되지 않고) 하는데 사용됨

staticpods 는 created by kubelet
Daemonsets은 created by kube-apiserver(daemonset controller)

​​​​​​static pod가 만약 node01에서 실행되고 있고 이를 삭제하고 자 할때

kubectl get nodes -o wide
ssh node01

cat /var/lib/kubelet/config

manifest path를 찾기위해 위의 cat 명령어를 실행

해당 파일을 보면
staticPodPath: ~
가 나온다 해당 경로에 가서 삭제해주면 된다

We have deployed a number of pods they are labelled with tier ,env, and bu how many pods exits in the dev environment

Use selectors to filter the output

kubectl get pods —selector env=dev

How many pods are in the fiance busiess unit(bu)?

kubectl get pods —selector bu=finance

How many objects are in the ‘prod’ environment including PODs, ReplicasSets and anby other objects?

kubectl get all —selector env=prod


Identify the pod which is ‘prod’ , part of ‘finance’ BU and is a ‘frontend’ tier?

kubectl get all —selector env=prod,bu=finance,tier=frontend

template:
...

volumeMounts:
- mountPath: /etc/localtime
name: timezone-config
volumes:
- hostPath:
path: /usr/share/zoneifo/Asis/Seoul
name: timezone-config

Article on Setting up Basic Authentication
Setup basic authentication on kubernetes
Note: This is not recommended in a production environment. This is only for learning purposes.
Follow the below instructions to configure basic authentication in a kubeadm setup.

Create a file with user details locally at /tmp/users/user-details.csv

# User File Contents
password123,user1,u0001
password123,user2,u0002
password123,user3,u0003
password123,user4,u0004
password123,user5,u0005


Edit the kube-apiserver static pod configured by kubeadm to pass in the user details. The file is located at /etc/kubernetes/manifests/kube-apiserver.yaml



apiVersion: v1
kind: Pod
metadata:
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
<content-hidden>
image: k8s.gcr.io/kube-apiserver-amd64:v1.11.3
name: kube-apiserver
volumeMounts:
- mountPath: /tmp/users
name: usr-details
readOnly: true
volumes:
- hostPath:
path: /tmp/users
type: DirectoryOrCreate
name: usr-details


Modify the kube-apiserver startup options to include the basic-auth file



apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --authorization-mode=Node,RBAC
<content-hidden>
- --basic-auth-file=/tmp/users/user-details.csv
Create the necessary roles and role bindings for these users:



---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]

---
# This role binding allows "jane" to read pods in the "default" namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: user1 # Name is case sensitive
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role #this must be Role or ClusterRole
name: pod-reader # this must match the name of the Role or ClusterRole you wish to bind to
apiGroup: rbac.authorization.k8s.io
Once created, you may authenticate into the kube-api server using the users credentials

curl -v -k https://localhost:6443/api/v1/pods -u "user1:password123"

Resource configuration backup
kunectl get all —all-namespaces -o yaml > all-deploy-service.yaml

etcd backup n restore
복구시
token n data 경로는 원래 것과 다르게 해야한다

# 1. Get etcdctl utility if it's not already present.

Reference: https://github.com/etcd-io/etcd/releases

```
ETCD_VER=v3.3.13

# choose either URL
GOOGLE_URL=https://storage.googleapis.com/etcd
GITHUB_URL=https://github.com/etcd-io/etcd/releases/download
DOWNLOAD_URL=${GOOGLE_URL}

rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
rm -rf /tmp/etcd-download-test && mkdir -p /tmp/etcd-download-test

curl -L ${DOWNLOAD_URL}/${ETCD_VER}/etcd-${ETCD_VER}-linux-amd64.tar.gz -o /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz
tar xzvf /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz -C /tmp/etcd-download-test --strip-components=1
rm -f /tmp/etcd-${ETCD_VER}-linux-amd64.tar.gz

/tmp/etcd-download-test/etcd --version
ETCDCTL_API=3 /tmp/etcd-download-test/etcdctl version

mv /tmp/etcd-download-test/etcdctl /usr/bin
```

# 2. Backup
minikube의 경우 /etc/kubernetes/mainifests/kube-apiserver.yaml 참조

```
ETCDCTL_API=3 etcdctl --endpoints=https://[127.0.0.1]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt \
--cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key \
snapshot save /tmp/snapshot-pre-boot.db
```

# -----------------------------
# Disaster Happens
# -----------------------------

# 3. Restore ETCD Snapshot to a new folder

```
ETCDCTL_API=3 etcdctl --endpoints=https://[127.0.0.1]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt \
--name=master \
--cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key \
--data-dir /var/lib/etcd-from-backup \
--initial-cluster=master=https://127.0.0.1:2380 \
--initial-cluster-token etcd-cluster-1 \
--initial-advertise-peer-urls=https://127.0.0.1:2380 \
snapshot restore /tmp/snapshot-pre-boot.db
```

# 4. Modify /etc/kubernetes/manifests/etcd.yaml

Update ETCD POD to use the new data directory and cluster token by modifying the pod definition file at `/etc/kubernetes/manifests/etcd.yaml`. When this file is updated, the ETCD pod is automatically re-created as thisis a static pod placed under the `/etc/kubernetes/manifests` directory.

Update --data-dir to use new target location

```
--data-dir=/var/lib/etcd-from-backup
```

Update new initial-cluster-token to specify new cluster

```
--initial-cluster-token=etcd-cluster-1
```

Update volumes and volume mounts to point to new path

```
volumeMounts:
- mountPath: /var/lib/etcd-from-backup
name: etcd-data
- mountPath: /etc/kubernetes/pki/etcd
name: etcd-certs
hostNetwork: true
priorityClassName: system-cluster-critical
volumes:
- hostPath:
path: /var/lib/etcd-from-backup
type: DirectoryOrCreate
name: etcd-data
- hostPath:
path: /etc/kubernetes/pki/etcd
type: DirectoryOrCreate
name: etcd-certs
```

> Note: You don't really need to update data directory and volumeMounts.mountPath path above. You could simply just update the hostPath.path in the volumes section to point to the new directory. But if you are not working with a kubeadm deployed cluster, then you might have to update the data directory. That's why I left it as is.

만약 pod로 구성되지 않았다면 snap save 후
ETCDCTL_API=3 etcdctl snapshot status snapshot.db


service kube-apiserver stop

모든 수정작업이 완료된후에는

systemctl daemon-reload
servicec etcd restart
service kube-apiserver start