kubernetes

Add new Node to k8s cluster with Bootstrap token

Use this technique to add new node to the cluster without providing any certificates and without having to restart the kube-apiserver

Suraj Deshmukh

4 minute read

Few days back I wrote a blog about adding new node to the cluster using the static token file. The problem with that approach is that you need to restart kube-apiserver providing it the path to the token file. Here we will see how to use the bootstrap token, which is very dynamic in nature and can be controlled by using Kubernetes resources like secrets. So if you are following Kubernetes the Hard Way to set up the cluster here are the changes you should do to adapt it to run with bootstrap token.

PodSecurityPolicy on existing Kubernetes clusters

Burnt by enabling PSPs on existing Kubernetes and wondering why everything still works

Suraj Deshmukh

2 minute read

I enabled PodSecurityPolicy on a minikube cluster by appending PodSecurityPolicy to the apiserver flag in minikube like this: –extra-config=apiserver.enable-admission-plugins=Initializers,NamespaceLifecycle,\ LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,\ NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,\ ResourceQuota,PodSecurityPolicy Ideally when you have PSP enabled and if you don’t define any PSP and authorize it with right RBAC no pod will start in the cluster. But what I saw was that there were some pods still running in kube-system namespace. $ kubectl -n kube-system get pods NAME READY STATUS RESTARTS AGE coredns-576cbf47c7-g2t8v 11 Running 4 5d11h etcd-minikube 11 Running 2 5d11h heapster-bn5xp 11 Running 2 5d11h influxdb-grafana-qzpv4 22 Running 4 5d11h kube-addon-manager-minikube 11 Running 2 5d11h kube-controller-manager-minikube 11 Running 1 4d20h kube-scheduler-minikube 11 Running 2 5d11h kubernetes-dashboard-5bb6f7c8c6-9d564 11 Running 8 5d11h storage-provisioner 11 Running 7 5d11h Which got me thinking what is wrong with the way PSPs work.

Road to CKA

My experience with CKA exam preparation

Suraj Deshmukh

4 minute read

I passed CKA exam with 92% marks on 19th October 2018. A lot of folks are curious about how to prepare and what resources to follow. Here is my list of things to do and list of resources that might help you on successful CKA exam. The duration of exam is three hours, which is enough time if you do good practice. The exam is pretty straight forward and tests your Kubernetes hands-on knowledge, so whatever you read please try to do it on a real cluster.

Add new Node to k8s cluster with cert rotation

Use this technique to add node to the cluster without providing any certificates

Suraj Deshmukh

3 minute read

The setup here is created by following Kubernetes the Hard Way by Kelsey Hightower. So if you are following along in this then do all the setup till the step Bootstrapping the Kubernetes Worker Nodes. In this just don’t start the kubelet, start other services like containerd and kube-proxy. master node Following the docs of TLS Bootstrapping, let’s first create the token authentication file. Create a file with following content:

Adding new worker to existing Kubernetes cluster

Step by step guide to add new node

Suraj Deshmukh

5 minute read

To setup a multi-node Kubernetes cluster just run this script and you will have a cluster with 3 masters and 3 workers. $ kubectl get nodes -o wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME worker-0 Ready <none> 1h v1.11.2 192.168.199.20 <none> Ubuntu 18.04.1 LTS 4.15.0-33-generic cri-o://1.11.2 worker-1 Ready <none> 1h v1.11.2 192.168.199.21 <none> Ubuntu 18.04.1 LTS 4.15.0-33-generic cri-o://1.11.2 worker-2 Ready <none> 1h v1.11.2 192.168.199.22 <none> Ubuntu 18.

Single node Kubernetes Cluster on Fedora with SELinux enabled

Kubeadm to install Single Node K8S with SELinux

Suraj Deshmukh

2 minute read

Start a single node fedora machine, using whatever method but I have used this Vagrantfile to do it:

-- mode: ruby -- # vi: set ft=ruby : Vagrant.configure("2") do |config| config.vm.define "fedora" do |fedora| fedora.vm.box = "fedora/28-cloud-base" config.vm.hostname = "fedora" end config.vm.provider "virtualbox" do |virtualbox, override| virtualbox.memory = 4096 virtualbox.cpus = 4 end config.vm.provision "shell", privileged: false, inline: <<-SHELL echo ‘127.0.0.1 localhost’ | cat - /etc/hosts > temp && sudo mv temp /etc/hosts SHELL end Now start it and ssh into it:

HostPath volumes and it's problems

Kubernetes HostPath volume good way to nuke your Kubernetes Nodes

Suraj Deshmukh

8 minute read

This post will demonstrate how Kubernetes HostPath volumes can help you get access to the Kubernetes nodes. Atleast you can play with the filesystem of the node on which you pod is scheduled on. You can get access to other containers running on the host, certificates of the kubelet, etc. I have a 3-master and 3-node cluster and setup using this script, running in a Vagrant environment. All the nodes are in ready state:

Change namespaces in Kubernetes

Easy way to change namespace in Kubernetes

Suraj Deshmukh

3 minute read

There is no easy way to change namespace in Kubernetes using kubectl command line utility. But here are some commands that you can alias in your bashrc file so that it’s just a single command that you can use to change the namespace in the Kubernetes cluster. Change namespace Let’s see step by step what goes in to change the namespace. So the first step is to find the context.

Using private container registries from minikube

A guide to how would you download image from private container registry in minikube

Suraj Deshmukh

2 minute read

I am doing Kubernetes native development using minikube. And for doing that I had to download a Container image that is available in internally hosted private container registry. On the configuration side of doing that you will need to create Kubernetes Secret of type docker-registry. And now refer that secret you just created in your Pod manifest under pod.spec.imagePullSecrets. For more info follow the tutorial in Kubernetes docs on Pull an Image from a Private Registry.

Static Pods using Kubelet on Fedora

Extension to the Kelsey Hightower's tutorial on 'Standalone Kubelet'

Suraj Deshmukh

2 minute read

I wanted to try out Standalone Kubelet Tutorial of Kelsey Hightower by myself but I could not follow it as it is, because it was firstly on GCE and secondly it uses CoreOS, but since I am very familiar to Fedora I thought of following that tutorial on it. To get a quick setup of a fresh Fedora machine use Vagrant. I have used Vagrantfile available here. This blog is only replacement of section Install the Standalone Kubelet in tutorial.