Init kubernetes

Rancher

  1. Start the Rancher server container (one restart policy is enough; Docker only honours the last --restart given):

docker run -d --restart=unless-stopped -p 80:80 -p 443:443 \
  --name st-rancher \
  --log-driver json-file --log-opt max-size=10m --log-opt max-file=3 \
  rancher/rancher:v2.4.3

  2. Open https://10.103.3.8 (the Rancher UI) and add a cluster:
     1. Clusters => Add Cluster
     2. Add Cluster - Select Cluster Type => From existing nodes (Custom)
     3. Add Cluster - Custom => enter the cluster name, e.g. cluster-00
     4. Copy the generated registration command and run it on every node that should join, with the role flags (--etcd, --controlplane, --worker) selected in the UI. The command looks like the one below. The --token value is the cluster registration token and --ca-checksum pins the Rancher server's CA certificate, so take both from your own Rancher UI rather than from this page, and treat the token as a credential: anyone holding it can register a node into the cluster. Note also that the agent runs --privileged with host networking and the host's /var/run mounted, so a shell in that container is root on the node.

sudo docker run -d --privileged --restart=unless-stopped --net=host \
  -v /etc/kubernetes:/etc/kubernetes -v /var/run:/var/run rancher/rancher-agent:v2.4.3 \
  --server https://10.103.3.8 --token cql6mr6w5hgt7wv8pxndnn75b5qm8j68tzl9dq4j2mcg4rk7nkrbl9 \
  --ca-checksum a23269d29331f0f2bc1cea30e9fc5b00b8a7436fbe3950b5a7de1363da0dfcc9 --worker

Kubectl Autocomplete

source <(kubectl completion bash)

Start a throwaway interactive pod in the cdn namespace (deleted on exit because of --rm). From kubectl 1.18 on, kubectl run only creates plain Pods, so --generator=run-pod/v1 is the default there and can be omitted:

kubectl run test0 --image=shihta/u1804-nfv-base --generator=run-pod/v1 -t -i --rm --namespace=cdn

ServiceAccount

Prometheus

  1. Get the RBAC example (rbac-setup.yml, which defines a ClusterRole, a ServiceAccount and a ClusterRoleBinding, all named prometheus):
  2. Create it:

root@u1804d-4:~/workspace/prometheus# kubectl create -f rbac-setup.yml
clusterrole.rbac.authorization.k8s.io/prometheus created
serviceaccount/prometheus created
clusterrolebinding.rbac.authorization.k8s.io/prometheus created
  3. Once the role, its permissions and the binding to the account exist, Prometheus can be told to create its Pod under that ServiceAccount. Edit prometheus-deployment.yml and add serviceAccountName to the Pod template (serviceAccount is the deprecated alias of the same field; setting it as well is harmless but not required):

spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: prometheus
    spec:
      serviceAccountName: prometheus
      serviceAccount: prometheus   # deprecated alias of serviceAccountName
  • In a Pod created under the specified ServiceAccount, the CA certificate for the Kubernetes API (ca.crt), the account's access token (token) and the Pod's namespace (namespace) are mounted automatically under /var/run/secrets/kubernetes.io/serviceaccount/ in the Pod, where they can be inspected with the following command:
  • Examples of calling the API with the mounted token (-k disables certificate verification; inside the Pod the mounted ca.crt can be passed with --cacert instead):

    # read the token from the mounted ServiceAccount volume
    TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
    curl -k -H "Authorization: Bearer ${TOKEN}" https://10.103.3.53:6443/metrics
    curl -k -H "Authorization: Bearer ${TOKEN}" https://kubernetes.default.svc:443/api/v1/nodes/u1804d-4/proxy/metrics
    curl -k -H "Authorization: Bearer ${TOKEN}" https://kubernetes.default.svc:443/api/v1/nodes/u1804d-4/proxy/metrics/cadvisor
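The curl calls above work, but they skip certificate verification with -k even though the Pod already has the API server's CA bundle on disk. The script below is an added example (not code from the original page) that calls the API from inside a Pod using all three mounted files: the token for authentication, ca.crt for verifying the server, and namespace to know where the Pod lives. It also fails early with a clear message when the credentials are not mounted (automountServiceAccountToken: false, or a ServiceAccount without a token), which is easier to diagnose than a 401 from the API server. SA_DIR and DRY_RUN are hypothetical knobs added here so the logic can be exercised without a cluster; the mount path default and the KUBERNETES_SERVICE_HOST/PORT variables are the standard ones Kubernetes provides.

```shell
#!/bin/sh
# Added example, not from the original page: call the Kubernetes API from inside a
# Pod with the mounted ServiceAccount credentials, verifying the API server with the
# mounted ca.crt instead of disabling verification with `curl -k`.
# SA_DIR and DRY_RUN are hypothetical overrides used for offline testing.
set -eu

SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# In-cluster API endpoint: kubelet injects KUBERNETES_SERVICE_HOST/PORT into every
# container; the cluster DNS name is the fallback when they are absent.
api_server() {
  if [ -n "${KUBERNETES_SERVICE_HOST:-}" ]; then
    printf 'https://%s:%s' "$KUBERNETES_SERVICE_HOST" "${KUBERNETES_SERVICE_PORT:-443}"
  else
    printf 'https://kubernetes.default.svc:443'
  fi
}

# Namespace the Pod runs in, taken from the projected ServiceAccount volume.
sa_namespace() {
  cat "$SA_DIR/namespace"
}

# GET an API path as the Pod's ServiceAccount.
# Refuses to run when the token or CA bundle is missing rather than sending an
# anonymous or unverified request.
sa_curl() {
  local path="$1"
  local token_file="$SA_DIR/token" ca_file="$SA_DIR/ca.crt"
  [ -r "$token_file" ] || { echo "no ServiceAccount token at $token_file" >&2; return 1; }
  [ -r "$ca_file" ]    || { echo "no CA bundle at $ca_file" >&2; return 1; }
  # Assemble the argument list: verify the server with the mounted CA, send the
  # bearer token, and make curl exit non-zero on HTTP 4xx/5xx (--fail).
  set -- --silent --show-error --fail \
    --cacert "$ca_file" \
    -H "Authorization: Bearer $(cat "$token_file")" \
    "$(api_server)$path"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"   # print the argument list, one per line, instead of calling curl
  else
    curl "$@"
  fi
}

# When run directly with a path argument, e.g. `sh sa_curl.sh /api/v1/nodes`,
# perform the request; with no argument only the functions are defined.
if [ -n "${1:-}" ]; then
  sa_curl "$1"
fi
```

Inside a Pod, `sh sa_curl.sh /api/v1/nodes/u1804d-4/proxy/metrics` reproduces the second curl example above with certificate verification on; a 403 from --fail means the ClusterRole bound to the ServiceAccount lacks the nodes/proxy permission, not that the token is wrong.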

MIQ

  1. Create the management-infra namespace:

kubectl create ns management-infra

  2. Create the required ServiceAccounts:

kubectl create sa -n management-infra management-admin
kubectl create sa -n management-infra inspector-admin

  3. Grant the cluster-reader cluster role to the management-admin SA. cluster-reader is an OpenShift default role; upstream Kubernetes does not ship it, and the stock read-only view role covers only namespaced resources (no nodes), so on a plain cluster define an equivalent read-only ClusterRole first:

kubectl create clusterrolebinding management-infra-cluster-reader --clusterrole=cluster-reader --serviceaccount=management-infra:management-admin

  4. Retrieve the ServiceAccount token for management-admin (this is the auth token ManageIQ uses). On Kubernetes before 1.24 a token Secret is generated for every ServiceAccount and can be read back as below; from 1.24 on no Secret is created and a token is minted on request with kubectl create token -n management-infra management-admin instead:

kubectl get secret -n management-infra "$(kubectl get sa -n management-infra management-admin -o jsonpath='{.secrets[0].name}')" \
  -o jsonpath='{.data.token}' | base64 -d
  • miq-k8s-provider.yml

    apiVersion: v1
    kind: Namespace
    metadata:
      name: miq
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: miq-sa
      namespace: miq
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: miq-cr
    rules:
    # Every verb on every core-group resource and subresource, cluster-wide: this
    # includes reading all Secrets and create on pods/exec, i.e. it is effectively
    # cluster-admin for the core API group. Narrow the verbs (get/list/watch) and
    # resources if ManageIQ only needs to inventory the cluster.
    - apiGroups: [""]
      resources: ["*"]
      verbs: ["*"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: miq-crb   # cluster-scoped: a metadata.namespace here would be ignored
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: miq-cr
    subjects:
    - kind: ServiceAccount
      name: miq-sa
      namespace: miq
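The ClusterRole above hands the miq-sa account unrestricted control of every core-group resource in the cluster, far more than the cluster-reader grant made in step 3. Below is an added example (not part of the original page or of ManageIQ) of a read-only miq-cr that matches that cluster-reader intent: it enumerates the resources an inventory provider reads and leaves Secrets and the pods/exec subresource out, which `resources: ["*"]` would include even with read-only verbs. The resource list is an assumption about what ManageIQ needs; extend it if the provider reports missing permissions.

```yaml
# Added example, not from the original page: read-only replacement for the miq-cr
# ClusterRole. Secrets and subresources such as pods/exec are deliberately absent.
# The resource list is an assumption; add to it if ManageIQ reports 403s.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: miq-cr
rules:
- apiGroups: [""]
  resources:
    - namespaces
    - nodes
    - pods
    - services
    - endpoints
    - events
    - persistentvolumes
    - persistentvolumeclaims
    - replicationcontrollers
    - resourcequotas
    - limitranges
  verbs: ["get", "list", "watch"]
```

After applying it, check what the account can actually do with `kubectl auth can-i --list --as=system:serviceaccount:miq:miq-sa`; `kubectl auth can-i get secrets --as=system:serviceaccount:miq:miq-sa` should answer no.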

kustomization

  1. Prepare the file kustomization.yaml in the directory holding the manifests (see the linked examples).
  2. Apply the directory with: kubectl apply -k .
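As an added example (not from the original page) of the file step 1 refers to, here is a kustomization.yaml that applies the two Prometheus manifests named earlier on this page. The file names are the ones used above; the monitoring namespace is an assumption. kustomize rewrites metadata.namespace on the namespaced objects (the ServiceAccount and the Deployment) and also updates the ServiceAccount subject in the ClusterRoleBinding to match, so the binding still points at the right account after the move.

```yaml
# Added example, not from the original page: kustomization.yaml for the Prometheus
# RBAC objects and Deployment shown in the ServiceAccount section.
# The namespace value is an assumption.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring
resources:
  - rbac-setup.yml
  - prometheus-deployment.yml
```

`kubectl kustomize .` prints the rendered manifests without applying them, which is the place to confirm the ClusterRoleBinding subject namespace came out as monitoring before running `kubectl apply -k .`.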