Author Archives: admin

google nameservers in Kubernetes


title: “google nameservers in Kubernetes”
date: 2019-08-07T15:18:41
slug: google-nameservers-in-kubernetes


kubectl edit configmaps -n kube-system coredns

The forward line is the only change: every query that is not for one of the zones served by the kubernetes plugin (cluster.local, in-addr.arpa, ip6.arpa) goes to 8.8.8.8 and 8.8.4.4. The reload plugin picks up the saved ConfigMap on its own once the kubelet has refreshed the mounted volume, which can take a couple of minutes; no pod restart is needed. Note that these forwards are plain DNS on port 53; the forward plugin can also speak DNS over TLS if the targets are written as tls://8.8.8.8 with tls_servername dns.google inside a forward block.

apiVersion: v1
data:
  Corefile: |
    .:53 {
        errors
        health
        kubernetes cluster.local in-addr.arpa ip6.arpa {
           pods insecure
           upstream
           fallthrough in-addr.arpa ip6.arpa
           ttl 30
        }
        prometheus :9153
        forward . 8.8.8.8 8.8.4.4
        cache 30
        loop
        reload
        loadbalance
    }
kind: ConfigMap
metadata:
  creationTimestamp: "2019-08-06T20:00:32Z"
  name: coredns
  namespace: kube-system
  resourceVersion: "116259"
  selfLink: /api/v1/namespaces/kube-system/configmaps/coredns
  uid: d5892fc1-b2fe-4f46-b3bb-4185a34f8f3e
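As an added check that is not part of the original post: the script below reads a Corefile on stdin, lists the zones the kubernetes plugin keeps in-cluster and the targets the forward plugin sends everything else to, and exits non-zero when any forwarder is plain port-53 DNS instead of a tls:// target. The two Corefiles are constructed samples (the first is the one from the ConfigMap above, the second the same file with the upstream leg moved to DNS over TLS); in a cluster the input would come from kubectl -n kube-system get configmap coredns -o jsonpath='{.data.Corefile}'.

```shell
#!/bin/sh
# Added example, not from the original post. Reads a Corefile on stdin and
# reports what happens to queries that leave the cluster zones.
# Only POSIX sh, awk and grep are assumed.
set -eu

# Zones handled by the kubernetes plugin (everything else hits `forward`).
corefile_cluster_zones() {
  awk '$1 == "kubernetes" { for (i = 2; i <= NF; i++) if ($i != "{") print $i }'
}

# Targets of every `forward` directive, one per line (8.8.8.8 or tls://8.8.8.8).
corefile_forwarders() {
  awk '$1 == "forward" { for (i = 3; i <= NF; i++) if ($i != "{") print $i }'
}

# Exit 0 when every forwarder is written as tls://..., 1 when any is plain DNS
# (a Corefile with no forward directive at all also passes).
forwarders_all_tls() {
  ! corefile_forwarders | grep -qv '^tls://'
}

# Sample 1 (constructed, same as the ConfigMap above): plain DNS to Google.
COREFILE_PLAIN='.:53 {
    errors
    health
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        upstream
        fallthrough in-addr.arpa ip6.arpa
        ttl 30
    }
    prometheus :9153
    forward . 8.8.8.8 8.8.4.4
    cache 30
    loop
    reload
    loadbalance
}'

# Sample 2 (constructed): the same file with the forwarders on DNS over TLS.
# tls_servername is the name the forward plugin checks the resolver certificate against.
COREFILE_TLS='.:53 {
    errors
    health
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        upstream
        fallthrough in-addr.arpa ip6.arpa
        ttl 30
    }
    prometheus :9153
    forward . tls://8.8.8.8 tls://8.8.4.4 {
        tls_servername dns.google
    }
    cache 30
    loop
    reload
    loadbalance
}'

# Three-line verdict for the Corefile text passed as $1.
report() {
  printf 'cluster zones: %s\n' "$(printf '%s\n' "$1" | corefile_cluster_zones | tr '\n' ' ')"
  printf 'forwarders:    %s\n' "$(printf '%s\n' "$1" | corefile_forwarders | tr '\n' ' ')"
  if printf '%s\n' "$1" | forwarders_all_tls; then
    echo 'upstream DNS: encrypted (tls://)'
  else
    echo 'upstream DNS: PLAINTEXT port 53'
  fi
}

report "$COREFILE_PLAIN"
report "$COREFILE_TLS"
```

The awk filters key on the first token of each line, so they are indifferent to indentation and to the position of the opening brace; pipe the live Corefile into forwarders_all_tls and use its exit status in whatever cluster-audit script you already run.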

openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt


title: “openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt”
date: 2019-07-30T14:56:10
slug: openssl-x509-req-in-ca-csr-signkey-ca-key-out-ca-crt


139931805602240:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/tasanger/.rnd

Solution:

touch /home/tasanger/.rnd

This is OpenSSL 1.1.0 behaviour (the version Ubuntu 18.04 ships): the tool insists on loading ~/.rnd before it will generate anything. An empty file from touch is enough to get past the error; openssl rand -writerand ~/.rnd creates the file the way OpenSSL itself would. The signing command from the title then runs normally.

Create Certificates


title: “Create Certificates”
date: 2019-07-30T14:47:45
slug: create-certificates


Create CA Key

openssl genrsa -out ca.key 2048

Create CA CSR

openssl req -new -key ca.key -subj "/CN=KUBERNETES-CA" -out ca.csr

Create CA Certificate (self-signed via -signkey; without -days OpenSSL issues it for only 30 days)

openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -out ca.crt

Create Admin Key

openssl genrsa -out admin.key 2048

Create Admin CSR (CN becomes the user name, O becomes the group. Kubernetes takes group membership from the O field, not from OU, so /OU=system:masters would yield a user with no groups at all.)

openssl req -new -key admin.key -subj \
"/CN=kube-admin/O=system:masters" -out admin.csr

Create the Certificate (the option is -CA with a plain hyphen; -CAcreateserial creates ca.srl on first use, which is what the "ca.srl: No such file or directory" error on a fresh CA is about, and -CAserial ca.seq lets you pick another file name for it)

openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out admin.crt

system:masters is the built-in superuser group that bypasses RBAC, and the API server does not check certificate revocation, so a leaked admin.key can only be retired by rotating the CA. Keep it offline and keep the lifetime short.

Test the Admin Certificate:

curl https://kube-apiserver:6443/api/v1/pods \
--key admin.key --cert admin.crt --cacert ca.crt

Create Scheduler Key

openssl genrsa -out scheduler.key 2048

Create Scheduler CSR

openssl req -new -key scheduler.key -subj \
"/CN=system:kube-scheduler" -out scheduler.csr

Create the Certificate

openssl x509 -req -in scheduler.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out scheduler.crt

Create API Server Key

openssl genrsa -out apiserver.key 2048

Create openssl.cnf (the placeholders in [ dn ] are only used when the CSR command below does not pass -subj; the SANs are what matters, because clients verify kubernetes.default.svc and the service IP against them, not against CN)

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = <country>
ST = <state>
L = <city>
O = <organization>
OU = <organization unit>
CN = <MASTER_IP>

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 10.96.0.1
IP.2 = 172.17.0.87

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names

(keyUsage now includes digitalSignature, which strict validators require for the RSA signature in an ECDHE handshake.)

Create API Server csr

openssl req -new -key apiserver.key -subj \
"/CN=kube-apiserver" -out apiserver.csr -config openssl.cnf

Create Apiserver Certificate

openssl x509 -req does not copy the extensions from the CSR, so signing with just -CA/-CAkey produces a certificate without any SAN, and clients that connect as kubernetes.default.svc or 10.96.0.1 will reject it. The [ v3_ext ] section exists for exactly this and has to be selected at signing time:

openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
-extfile openssl.cnf -extensions v3_ext -out apiserver.crt

-CAcreateserial also takes care of the "unable to load number from ca.srl" error on the first signing. (OpenSSL 3 can alternatively take the extensions from the CSR with -copy_extensions copy.)
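The whole sequence above, as an added example that is not part of the original post: it issues the CA, the admin client certificate (group in O) and the API server certificate with its SANs, then verifies each property with openssl instead of with curl against a live API server. Only openssl itself is assumed; file names, subjects and addresses follow the post, the lifetimes are this example's choice. It also signs the API server CSR the way the original command did, without -extfile, to show that the SANs disappear.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the CA, the admin
# client certificate and the kube-apiserver serving certificate from the steps
# above and checks the properties Kubernetes relies on. Assumes only that
# openssl is on PATH; subjects and SAN addresses are the post's, the lifetimes
# (3650/365 days) and the throwaway directory are this example's choice.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# One config for everything. Extension sections are selected explicitly at
# signing time, because `openssl x509 -req` ignores extensions in the CSR.
cat >"$CNF" <<'EOF'
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 10.96.0.1
IP.2 = 172.17.0.87
EOF

# Self-signed CA in one step; CA:TRUE comes from v3_ca ([ dn ] is overridden by -subj).
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -days 3650 -subj "/CN=KUBERNETES-CA" \
    -config "$CNF" -extensions v3_ca -out "$WORK/ca.crt"
}
# issue_cert <name> <subject> <extension section>: key, CSR and CA-signed certificate.
issue_cert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -config "$CNF" -out "$WORK/$1.csr"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$CNF" -extensions "$3" \
    -out "$WORK/$1.crt" 2>/dev/null
}
# The post's original signing line for comparison: no -extfile, so no SANs.
issue_apiserver_without_extensions() {
  openssl x509 -req -in "$WORK/apiserver.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/apiserver-noext.crt" 2>/dev/null
}
# Exit 0 when <name>.crt chains to ca.crt.
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}
# Subject in RFC 2253 form (O=system:masters,CN=kube-admin): CN is the user, each O a group.
cert_subject() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}
# Exit 0 when the SAN list of <name>.crt contains <entry>, e.g. "IP Address:10.96.0.1".
cert_has_san() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -A1 'Subject Alternative Name' | grep -qF -- "$2"
}
# Exit 0 when <name>.crt is still valid <days> days from now (-checkend, the same
# test the "Check multiple certificates" note further down wants per file).
cert_valid_for_days() {
  openssl x509 -in "$WORK/$1.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

build_pki() {
  make_ca
  issue_cert admin "/CN=kube-admin/O=system:masters" v3_client
  issue_cert apiserver "/CN=kube-apiserver" v3_server
  issue_apiserver_without_extensions
}

build_pki
printf 'admin subject: %s\n' "$(cert_subject admin)"
cert_has_san apiserver 'DNS:kubernetes.default.svc' && echo 'apiserver.crt: SANs present (-extfile)'
cert_has_san apiserver-noext 'DNS:kubernetes' || echo 'apiserver-noext.crt: no SANs (original command)'
```

Run it as-is; it works in a temporary directory and prints the admin subject and the two SAN results. In a real cluster the admin pair goes into a kubeconfig via kubectl config set-credentials --client-certificate/--client-key, and the API server pair into the --tls-cert-file/--tls-private-key-file flags of kube-apiserver.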

Certification Details


title: “Certification Details”
date: 2019-07-12T08:44:38
slug: certification-details


https://www.youtube.com/watch?v=DFEOdnYw1WY
https://www.youtube.com/watch?v=Y2SA7sCtKSs

Certified Kubernetes Administrator: https://www.cncf.io/certification/cka/

Exam Curriculum (Topics): https://github.com/cncf/curriculum

Candidate Handbook: https://www.cncf.io/certification/candidate-handbook

Exam Tips: http://training.linuxfoundation.org/go//Important-Tips-CKA-CKAD

Kubernetes Tab Completion

source <(kubectl completion bash)
echo "source <(kubectl completion bash)" >> ~/.bashrc

Create a nginx Deployment (with the kubectl of 2019 this creates a Deployment; since kubectl 1.18 kubectl run only creates a Pod and Deployments come from kubectl create deployment)

kubectl run nginx --image=nginx

Create deployment with X replicas

kubectl create deployment nginx --image=nginx
kubectl scale deployment nginx --replicas=3

Create a pod with name and image

kubectl run redis --image=redis123 --generator=run-pod/v1

Generate Pod Manifest

kubectl run --generator=run-pod/v1 nginx --image=nginx --dry-run -o yaml

Create Pod with command line args (everything after -- is passed to the container as arguments):

kubectl run webapp --image=webapp --generator=run-pod/v1 --dry-run -o yaml -- --color=green

The --generator flags were removed in kubectl 1.18 and --dry-run needs a value there (--dry-run=client); the commands above are as typed on the 2019 kubectl.

Extended information

kubectl get pods -o wide

Edit a Pod

kubectl edit pod nginx

Delete all pods in a namespace

kubectl delete --all pods --namespace=foo

Create a Service (ClusterIP)

kubectl expose pod redis --port=6379 --name redis-service --dry-run -o yaml

Expose Pod:

kubectl expose pod nginx --port=80 --name nginx-service --dry-run -o yaml

Create a NodePort Service (kubectl create service fills in the selector app=nginx, which will not match your pod's labels unless they happen to be exactly that; fix the selector in the generated YAML)

kubectl create service nodeport nginx --tcp=80:80 --node-port=30080 --dry-run -o yaml

Exercise:

Name: webapp-service
Type: NodePort
Endpoints: 3
Port: 8080
NodePort: 30082

kubectl expose deployment webapp --type=NodePort --port=8080 --name=webapp-service

kubectl expose cannot set the node port, so either change it afterwards with kubectl edit or generate the manifest first (--dry-run -o yaml), set nodePort: 30082 and apply that.

Assign Pod to a node by nodeName (bypasses the scheduler entirely)

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  nodeName: foo-node # schedule pod to specific node
  containers:
  - name: nginx
    image: nginx

Get pods by selector

kubectl get pods --selector env=dev
kubectl get pods --selector env=dev,bu=finance,tier=frontend

Pod manifest:

metadata:
  labels:
    env: dev

You CANNOT edit specifications of an existing POD other than the below.

spec.containers[*].image
spec.initContainers[*].image
spec.activeDeadlineSeconds
spec.tolerations

Edit Deployments

With Deployments you can edit any field of the Pod template. Since the Pod template is part of the Deployment spec, every change rolls out new Pods with the new settings and removes the old ones. So if you are asked to edit a property of a Pod that belongs to a Deployment, simply run

kubectl edit deployment my-deployment

Create Custom Scheduler (the image is the placeholder from the Kubernetes docs; the stock k8s.gcr.io/kube-scheduler image of the cluster's version works as well)

apiVersion: v1
kind: Pod
metadata:
  name: my-scheduler
  namespace: kube-system
spec:
  containers:
  - name: my-scheduler
    command:
    - kube-scheduler
    - --address=127.0.0.1
    - --kubeconfig=/etc/kubernetes/scheduler.conf
    - --leader-elect=false
    - --scheduler-name=my-scheduler
    image: gcr.io/my-gcp-project/my-kube-scheduler:1.0

Assign Pod to scheduler

apiVersion: v1
kind: Pod
metadata:
  name: annotation-default-scheduler
  labels:
    name: multischeduler-example
spec:
  schedulerName: my-scheduler
  containers:
  - name: pod-with-default-annotation-container
    image: k8s.gcr.io/pause:2.0

Create a configmap

kubectl create configmap special-config --from-literal=special.how=very --from-literal=special.type=charm

Assign the configmap to a pod:

apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
  - name: test-container
    image: k8s.gcr.io/busybox
    command: [ "/bin/sh", "-c", "env" ]
    env:
    # Define the environment variable
    - name: SPECIAL_LEVEL_KEY
      valueFrom:
        configMapKeyRef:
          # The ConfigMap containing the value you want to assign to SPECIAL_LEVEL_KEY
          name: special-config
          # Specify the key associated with the value
          key: special.how
  restartPolicy: Never

Create a secret with multiple vars

kubectl create secret generic test-secret --from-literal=username='my-app' --from-literal=password='39528$vdg7Jb'

Anything passed with --from-literal lands in the shell history (the bashrc further down this page writes it out after every command with history -a) and in the process list while kubectl runs; for real credentials use --from-file or --from-env-file with a file only you can read. Secrets are also only base64-encoded in etcd, so anyone allowed to kubectl get secret in the namespace can read the password back.

Pass it to a Pod as environment variables

apiVersion: v1
kind: Pod
metadata:
  name: envfrom-secret
spec:
  containers:
  - name: envars-test-container
    image: nginx
    envFrom:
    - secretRef:
        name: test-secret

Create a pod with two init containers

apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    app: myapp
spec:
  containers:
  - name: myapp-container
    image: busybox:1.28
    command: ['sh', '-c', 'echo The app is running! && sleep 3600']
  initContainers:
  - name: init-myservice
    image: busybox:1.28
    command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
  - name: init-mydb
    image: busybox:1.28
    command: ['sh', '-c', 'until nslookup mydb; do echo waiting for mydb; sleep 2; done;']

Pod eviction timeout (kube-controller-manager flag: how long a node may stay NotReady before its pods are evicted)

--pod-eviction-timeout duration Default: 5m0s

Upgrade the Master Node (kubectl drain it first, kubectl uncordon it when done; the command is kubeadm upgrade, not kubeadm update)

apt install kubeadm=1.12.10-00
kubeadm upgrade apply v1.12.10
apt install kubelet=1.12.10-00
systemctl restart kubelet

Upgrade a worker node (drain first, uncordon afterwards; upgrade kubeadm, let it rewrite the kubelet config, then upgrade and restart the kubelet)

apt install kubeadm=1.12.0-00
kubeadm upgrade node config --kubelet-version $(kubelet --version | cut -d ' ' -f 2)
apt install kubelet=1.12.0-00
systemctl restart kubelet

Cluster backup 1 (resource dump)

kubectl get all --all-namespaces -o yaml > all-deploy-services.yaml

"all" is only a short list of workload and service types; it skips ConfigMaps, Secrets, RBAC objects, PersistentVolumes and CRDs. The complete backup is an etcd snapshot (etcdctl snapshot save against the etcd endpoint, authenticated with the etcd client certificate), which also contains every Secret in plain base64, so store it with the same care as the keys.

Check multiple certificates (prints each file with its expiry date)

for f in *.crt; do printf '%s: ' "$f"; openssl x509 -in "$f" -noout -enddate; done

Gitlab external ingress


title: “Gitlab external ingress”
date: 2019-07-03T14:58:19
slug: gitlab-external-ingress


Edit the Ingress object (the backend may be missing)

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  creationTimestamp: "2019-07-03T14:45:20Z"
  generation: 2
  labels:
    app: gitlab-gitlab-ce
    chart: gitlab-ce-0.2.2
    heritage: Tiller
    release: gitlab
  name: gitlab-gitlab-ce
  namespace: default
spec:
  rules:
  - host: gitlab.asanger.eu
    http:
      paths:
      - backend:
          serviceName: gitlab-gitlab-ce
          servicePort: 80
  tls:
  - hosts:
    - gitlab.asanger.eu
    secretName: gitlab-asanger-eu

values.yaml:

If externalUrl is set to https, the nginx inside the GitLab container crashes at start because Omnibus then expects a certificate for the host under /etc/gitlab/ssl, which this setup does not provide; TLS is terminated at the ingress instead, so externalUrl stays http. The root, Postgres and Redis passwords below are placeholders: set real ones before installing and keep the file with them out of version control.

image: gitlab/gitlab-ce:9.4.1-ce.0
externalUrl: http://gitlab.asanger.eu/
gitlabRootPassword: "changeme"
serviceType: LoadBalancer
ingress:
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  enabled: true
  tls:
  - secretName: gitlab-asanger-eu
    hosts:
    - gitlab.asanger.eu
  url: gitlab.asanger.eu
sshPort: 22
httpPort: 80
httpsPort: 443
livenessPort: http
readinessPort: http
resources:
  ## GitLab requires a good deal of resources. We have split out Postgres and
  ## redis, which helps some. Refer to the guidelines for larger installs.
  ## ref: https://docs.gitlab.com/ce/install/requirements.html#hardware-requirements
  requests:
    memory: 1Gi
    cpu: 500m
  limits:
    memory: 2Gi
    cpu: 1
persistence:
  ## This volume persists generated configuration files, keys, and certs.
  ##
  gitlabEtc:
    enabled: true
    size: 1Gi
    ## If defined, volume.beta.kubernetes.io/storage-class: <storageClass>
    ## Default: volume.alpha.kubernetes.io/storage-class: default
    ##
    storageClass: local-disks
    accessMode: ReadWriteOnce
  ## This volume is used to store git data and other project files.
  ## ref: https://docs.gitlab.com/omnibus/settings/configuration.html#storing-git-data-in-an-alternative-directory
  ##
  gitlabData:
    enabled: true
    size: 10Gi
    ## If defined, volume.beta.kubernetes.io/storage-class: <storageClass>
    ## Default: volume.alpha.kubernetes.io/storage-class: default
    ##
    storageClass: local-disks
    accessMode: ReadWriteOnce
postgresql:
  # 9.6 is the newest supported version for the GitLab container
  imageTag: "9.6"
  cpu: 1000m
  memory: 1Gi
  postgresUser: gitlab
  postgresPassword: gitlab
  postgresDatabase: gitlab
  persistence:
    size: 10Gi
redis:
  redisPassword: "gitlab"
  resources:
    requests:
      memory: 1Gi
  persistence:
    size: 10Gi

screen share


title: “screen share”
date: 2019-06-27T10:07:22
slug: screen-share


Create a shared screen session (detached):

screen -d -m -S shared

Attach to it from another terminal (screen -x attaches without detaching anyone else, so every attached shell sees the same session):

screen -x shared

This works for several terminals of the same Unix user. Letting a different user in needs multiuser on and acladd <user> inside the session, and the screen binary has to be setuid root for that on most distributions; whoever is attached acts with the full rights of the session owner, so treat it as handing over your shell.

bashrc


title: “bashrc”
date: 2019-06-07T09:23:06
slug: bashrc


alias dl="youtube-dl -f 'bestvideo[ext=mp4]+bestaudio[ext=m4a]/bestvideo+bestaudio' --merge-output-format mp4"
export HISTTIMEFORMAT="%h %d %H:%M:%S "
export HISTSIZE=10000
export PROMPT_COMMAND='history -a'

Youtube Download best quality


title: “Youtube Download best quality”
date: 2019-03-28T15:00:31
slug: youtube-download-best-quality


youtube-dl -f 'bestvideo[ext=mp4]+bestaudio[ext=m4a]/bestvideo+bestaudio' --merge-output-format mp4 'http://www.youtube.com/watch?v=P9pzm5b6FFY'

In .bashrc:

alias dl="youtube-dl -f 'bestvideo[ext=mp4]+bestaudio[ext=m4a]/bestvideo+bestaudio' --merge-output-format mp4"