Kubernetes basics - Drafts

Service type

https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types

  • ClusterIP
  • NodePort
  • LoadBalancer
  • ExternalName

ClusterIP

https://d33wubrfki0l68.cloudfront.net/e351b830334b8622a700a8da6568cb081c464a9b/13020/images/docs/services-userspace-overview.svg

Cluster-internal virtual IP only; not reachable from outside the cluster. Use this first when testing an ingress.

NodePort

Binds a port on every node and forwards it to the Service.

  • targetPort: the port on the pod.
  • port: the Service's own port (what other workloads, e.g. Deployments, connect to).
  • nodePort: the port opened on the node.
  • selector: the labels of the pods that back the Service.

It is called "Node"Port, but the port is opened on every worker node, and a node that receives traffic can proxy it to a pod on another node.

LoadBalancer

Provisioned by the cloud provider's load balancer.

Check whether RBAC is enabled (the rbac.authorization.k8s.io group must be listed)

kubectl api-versions
...
rbac.authorization.k8s.io/v1
rbac.authorization.k8s.io/v1beta1
...

ServiceAccount

An identity for processes in pods, to which access rights are bound (like a user). When a ServiceAccount is created, a Secret is also created, and that Secret holds the account's token.

Ingress

https://www.youtube.com/watch?v=AXZr2OC8Unc&t=283s

  • 09:26: the nginx-ingress controller and the apps are in different namespaces.
  • The Service is created in the nginx-ingress namespace.

kube-dns

A special Service.

  • Type: ClusterIP
  • Runs on the master node
  • Namespace: kube-system

Components

https://kubernetes.io/de/docs/concepts/overview/components

kube-apiserver runs only on the master node.

Registry

To deploy from a local image, set imagePullPolicy: IfNotPresent on the container.

Snippet (the daemon.json location depends on how Docker was installed; the snap paths are for the docker snap):

vim /snap/docker/current/config/daemon.json
vim /var/snap/docker/current/config/daemon.json
/etc/docker/daemon.json

{ "insecure-registries" : ["localhost:32000"] }

https://github.com/docker-archive/docker-snap/issues/22

Export Docker image in a tar file

sudo docker save myapp/test > myapp.tar

Then import the image into your microk8s environment.

microk8s ctr image import myapp.tar

https://microk8s.io/docs/registry-images

Another method: push the image to a Docker registry.

Ingress tls

https://kubernetes.github.io/ingress-nginx/user-guide/tls/

Kube-Lego automatically requests missing or expired certificates from Let’s Encrypt by monitoring ingress resources and their referenced secrets.

Kube-Lego has reached end-of-life and is being replaced by cert-manager.

An Ingress resource is needed: https://kubernetes.io/docs/concepts/services-networking/ingress/#the-ingress-resource

Self-signed certificate

openssl genrsa -out keypair.key 2048
openssl req -nodes -newkey rsa:2048 -keyout mydomain.com.key -out mydomain.com.csr -subj "/C=DE/ST=NRW/L=Berlin/O=My Inc/OU=DevOps/CN=mydomain.com/emailAddress=atlex@mydomain.com"
openssl x509 -req -days 365 -in ./mydomain.com.csr -signkey ./mydomain.com.key -out ./mydomain.com.crt
kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}
Is microk8s not compatible with ingress??? No controller?

microk8s enable helm <- not needed? Did not work.
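The self-signed steps above, collapsed into one command plus the checks worth running before the key and cert are bundled into a TLS Secret. This is an added example, not part of the original notes; it assumes openssl 1.1.1 or newer (for -addext and -ext) and a POSIX base64, and needs no cluster access because it only emits the Secret manifest.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes. Assumes openssl >= 1.1.1
# (needed for -addext and -ext) and a POSIX base64; no cluster is needed.
set -euo pipefail

# gen_selfsigned_cert DOMAIN OUTDIR
# One-step replacement for the genrsa/req/x509 sequence. It also adds a
# subjectAltName: clients check the SAN, not the CN, so a CN-only certificate
# is rejected for hostname mismatch even after the CA warning is accepted.
gen_selfsigned_cert() {
  local domain="$1" outdir="$2"
  mkdir -p "$outdir"
  # subshell so the restrictive umask (private key not world-readable) is local
  (
    umask 077
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
      -keyout "$outdir/$domain.key" -out "$outdir/$domain.crt" \
      -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain"
  )
}

# cert_san CRTFILE: print the certificate's SAN entry, e.g. "DNS:mydomain.com".
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | tr -d ' '
}

# cert_matches_key CRTFILE KEYFILE: succeed only if the public keys agree,
# a cheap check against pairing the wrong key with a certificate.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# tls_secret_manifest NAME KEYFILE CRTFILE
# Emit the same Secret that `kubectl create secret tls` would create, so it can
# be reviewed first and applied later with `kubectl apply -f -`.
tls_secret_manifest() {
  local name="$1" key="$2" crt="$3"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n' "$name"
  printf 'type: kubernetes.io/tls\ndata:\n'
  printf '  tls.crt: %s\n' "$(base64 < "$crt" | tr -d '\n')"
  printf '  tls.key: %s\n' "$(base64 < "$key" | tr -d '\n')"
}

# Usage:
#   gen_selfsigned_cert mydomain.com ./certs
#   cert_matches_key ./certs/mydomain.com.crt ./certs/mydomain.com.key
#   tls_secret_manifest mydomain-tls ./certs/mydomain.com.key ./certs/mydomain.com.crt | kubectl apply -f -
```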

ServiceAccount

Create it -> the token is stored in a Secret (created automatically).

Each namespace has its own default ServiceAccount.

Pod created -> a volume is created automatically and mounted (automountServiceAccountToken) at /var/run/secrets/kubernetes.io/serviceaccount.

Volume

Mounting the host's storage into a pod is easy, and the pod can write to it, but it is not recommended in a multi-node cluster.