DEV Community: Cosmas Nyairo The latest articles on DEV Community by Cosmas Nyairo (@cosmasnyairo). https://dev.to/cosmasnyairo https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F606619%2F9858baa6-57dc-4fa3-972b-385df3a6a4e7.jpeg DEV Community: Cosmas Nyairo https://dev.to/cosmasnyairo en Gateway VPC Endpoints on AWS Cosmas Nyairo Sun, 05 May 2024 10:10:33 +0000 https://dev.to/aws-builders/gateway-vpc-endpoints-on-aws-29mi https://dev.to/aws-builders/gateway-vpc-endpoints-on-aws-29mi <p>For our services, if we want to have internet access, we route the traffic via an internet gateway. </p> <p>However, there may be cases where we we don't want our network traffic to go through the public internet, we could utilise vpc endpoints, with vpc endpoints, we are able to access aws services via a private network.</p> <p>A gateway vpc endpoint targets ip routes in a prefix list that belong to an aws service. Supported services are: AWS S3 and DynamoDB</p> <p>Below architecture diagram of a gateway vpc endpoint showcases the implementation:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fcosmasnyairo%2Faws%2Fblob%2Fmain%2Fnetworking%2Farchitecture-images%2Fgateway-vpc-endpoints.drawio.png%3Fraw%3Dtrue" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fcosmasnyairo%2Faws%2Fblob%2Fmain%2Fnetworking%2Farchitecture-images%2Fgateway-vpc-endpoints.drawio.png%3Fraw%3Dtrue" alt="vpc-endpoints-architecture image"></a></p> <h3> Gateway VPC Endpoints Example: </h3> <p>Guide to creating a gateway vpc endpoint.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fcosmasnyairo%2Faws%2Fblob%2Fmain%2Fnetworking%2Farchitecture-images%2Fcreate-gateway-vpc-endpoint.png%3Fraw%3Dtrue" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fcosmasnyairo%2Faws%2Fblob%2Fmain%2Fnetworking%2Farchitecture-images%2Fcreate-gateway-vpc-endpoint.png%3Fraw%3Dtrue" alt="alt text"></a></p> <p>On the vpc dashboard click on the endpoints tab, then create endpoint button on the right.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fcosmasnyairo%2Faws%2Fblob%2Fmain%2Fnetworking%2Farchitecture-images%2Fcreate-gateway-vpc-endpoint-0.png%3Fraw%3Dtrue" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fcosmasnyairo%2Faws%2Fblob%2Fmain%2Fnetworking%2Farchitecture-images%2Fcreate-gateway-vpc-endpoint-0.png%3Fraw%3Dtrue" alt="alt text"></a></p> <p>Choose the name of the endpoint being created, For this demo, we use the aws services category, <br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fcosmasnyairo%2Faws%2Fblob%2Fmain%2Fnetworking%2Farchitecture-images%2Fcreate-gateway-vpc-endpoint-1.png%3Fraw%3Dtrue" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fcosmasnyairo%2Faws%2Fblob%2Fmain%2Fnetworking%2Farchitecture-images%2Fcreate-gateway-vpc-endpoint-1.png%3Fraw%3Dtrue" alt="alt text"></a></p> <p>Use the filter: <code>Type = Gateway</code> for us to create a gateway vpc endpoint then, choose the service name type to be created then choose your private vpc and which route table for the prefix list entries to be added to.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fcosmasnyairo%2Faws%2Fblob%2Fmain%2Fnetworking%2Farchitecture-images%2Fcreate-gateway-vpc-endpoint-2.png%3Fraw%3Dtrue" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fcosmasnyairo%2Faws%2Fblob%2Fmain%2Fnetworking%2Farchitecture-images%2Fcreate-gateway-vpc-endpoint-2.png%3Fraw%3Dtrue" alt="alt text"></a></p> <p>Choose the VPC endpoint policy to be used when accessing the resources and tag your resources for effective cost tracking.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fcosmasnyairo%2Faws%2Fblob%2Fmain%2Fnetworking%2Farchitecture-images%2Fcreate-gateway-vpc-endpoint-3.png%3Fraw%3Dtrue" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fcosmasnyairo%2Faws%2Fblob%2Fmain%2Fnetworking%2Farchitecture-images%2Fcreate-gateway-vpc-endpoint-3.png%3Fraw%3Dtrue" alt="alt text"></a></p> <p>Our route table will have new entries added with the prefix list of the service we're connecting to:<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fcosmasnyairo%2Faws%2Fblob%2Fmain%2Fnetworking%2Farchitecture-images%2Fcreate-gateway-vpc-endpoint-4.png%3Fraw%3Dtrue" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fcosmasnyairo%2Faws%2Fblob%2Fmain%2Fnetworking%2Farchitecture-images%2Fcreate-gateway-vpc-endpoint-4.png%3Fraw%3Dtrue" alt="alt text"></a></p> aws networking devops vpc Certified Kubernetes Administrator (CKA) Prep. Cosmas Nyairo Wed, 06 Dec 2023 19:41:17 +0000 https://dev.to/cosmasnyairo/certified-kubernetes-administrator-cka-prep-gi0 https://dev.to/cosmasnyairo/certified-kubernetes-administrator-cka-prep-gi0 <p>Hey there,</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ThJHjTWI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1o06ipluibehyghzkzvp.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ThJHjTWI--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1o06ipluibehyghzkzvp.png" alt="Introduction" width="800" height="299"></a></p> <p>For my CKA preparation, I have noted down topics i studied for in preparation for the exam as well as commands I use on a day to day basis.</p> <blockquote> <p>N/B:</p> <ul> <li>Most of the commands here I run them on a cloud9 instance whitelisted to access to my test EKS cluster.</li> <li>A master/worker node setup on ec2 would work as well. Will share a guide on how that can be achieved.</li> </ul> </blockquote> <h2> Table of Contents </h2> <ul> <li>Notes</li> <li> Scheduling <ul> <li>Manual Scheduling</li> <li>Labels</li> <li>Taints and Tolerations</li> <li>Node Selector</li> <li>Node affinity</li> <li>Resource Limits</li> <li>Daemon Sets</li> <li>Static Pods</li> <li>Multiple Schedulers</li> <li> Scheduler Profiles </li> </ul> </li> <li>Logging and Monitoring</li> <li>OS Upgrades</li> <li> Security <ul> <li>Authentication</li> <li> TLS Certificates </li> <li>Kubeconfig</li> <li>Authorization</li> <li>Network Policy</li> </ul> </li> <li>Storage</li> <li> Networking -Network configuration - Cluster Nodes -Pod Networking -Service Networking -DNS </li> <li>JSONPATH</li> </ul> <h2> Notes </h2> <p>Useful commands and aliassed for the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># in .bashrc</span> <span class="nb">alias </span><span class="nv">k</span><span class="o">=</span><span class="s2">"kubectl"</span> <span class="nb">export </span><span class="nv">drc</span><span class="o">=</span><span class="s2">"--dry-run=client -oyaml"</span> <span class="nb">export </span><span class="nv">drs</span><span class="o">=</span><span class="s2">"--dry-run=server -oyaml"</span> <span class="nb">export </span><span class="nv">kre</span><span class="o">=</span><span class="s2">"kubectl replace --force -f"</span> <span class="c"># in .vimrc</span> <span class="nb">set </span>nu <span class="nb">set </span>autoindent </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl explain po.spec </code></pre> </div> <ul> <li>etcd - key store for information about the cluster i.e nodes, pods, roles, secrets</li> <li>kube-api sever - management component in kubernetes. Only component to interact with the etcd data store</li> <li>kube-controller-manager - manages contollers in kubernetes and brings the system to the desired state</li> <li>kube-scheduler - decides which pod goes to which node</li> <li>kubelet - registers nodes, creates pods on a nodes, monitors the pods and nodes</li> <li>kube-proxy - creates forwarding rules for nodes in the cluster </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>If we install the cluster using kubeadmin, we can view : - Exec into the etcd pod and run the `etcdctl` command - Exec into the kube-apiserver pod and access the `/etc/kubernetes/manifests/kube-apiserver.yaml` file - Exec into the kube-controller manager pod and access the `/etc/kubernetes/manifests/kube-controller-manager.yaml` file - Exec into the kube-scheduler pod and access the `/etc/kubernetes/manifests/kube-scheduler.yaml` file - Kubeadmin doesn't deploy the kubelet, we have to do it manually </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>If we install the clustrer without using kubeadmin, we can view: - explore the etcd service - the apiserver service located at `/etc/systemd/system/kube-apiserver.service` or `ps -aux | grep kube-apiserver` on the master node. - the kubecontroller manager service located at `/etc/systemd/system/kube-controller-manager.service` or `ps -aux | grep kube-controller-manager` on the master node. - explore the kube-scheduler service or `ps -aux | grep kube-scheduler` - explore the kubelet service or `ps -aux | grep kubelet` </code></pre> </div> <ul> <li><p>Kubelet config is at: <code>/var/lib/kubelet/config.yaml</code> for each node</p></li> <li><p>Test commands<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl run webapp-green <span class="nt">--image</span><span class="o">=</span><span class="nb">test</span> <span class="nt">--dry-run</span><span class="o">=</span>server <span class="nt">-oyaml</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl auth can-i </code></pre> </div> <ul> <li>To pass commands to pods on creation: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl run webapp-green <span class="nt">--image</span><span class="o">=</span><span class="nb">test</span> <span class="nt">--command</span> <span class="nt">--</span> <span class="nt">--color</span><span class="o">=</span>green </code></pre> </div> <ul> <li>To pass args to pods on creation: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl run webapp-green <span class="nt">--image</span><span class="o">=</span><span class="nb">test</span> <span class="nt">--</span> <span class="nt">--color</span><span class="o">=</span>green </code></pre> </div> <p>Update env variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl <span class="nt">-n</span> <span class="nb">test set env </span>deploy/test <span class="nt">--containers</span><span class="o">=</span>container-name <span class="nv">DB_Host</span><span class="o">=</span>mysql <span class="nv">DB_User</span><span class="o">=</span>user1 <span class="nv">DB_Password</span><span class="o">=</span>pass123 </code></pre> </div> <p>Check certificate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>openssl x509 <span class="nt">-in</span> /opt/cert.crt <span class="nt">-text</span> </code></pre> </div> <p>Check service logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>journalctl <span class="nt">-u</span> service </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>service servicename status </code></pre> </div> <p>Kubelet file located at: <code>var/lib/kubelet/config.yaml</code></p> <h2> Scheduling </h2> <h3> Manual scheduling </h3> <ul> <li>Add the <code>nodeName</code> field when creating a pod only during creation time</li> <li>We can alternatively create a pod binding file as shown below: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Binding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">target</span><span class="pi">:</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Node</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-node</span> </code></pre> </div> <ul> <li>Then, we send a post request to the pod's binding api with data section set to the binding object in a json format as follows: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">--header</span> <span class="s2">"Content-Type:application/json"</span> <span class="nt">--request</span> POST <span class="nt">--data</span> <span class="o">&lt;&lt;</span><span class="no">BINDING</span><span class="sh">-OBJECT-YAML&gt;&gt; http://</span><span class="nv">$SERVER</span><span class="sh">/api/v1/namespaces/&lt;namespace&gt;/pods/</span><span class="nv">$PODNAME</span><span class="sh">/binding/ </span></code></pre> </div> <h3> Labels and Selectors </h3> <ul> <li>Annotations record other details in pod for informatory purposes </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl get po <span class="nt">--selector</span> <span class="nb">type</span><span class="o">=</span><span class="nb">test</span> </code></pre> </div> <h3> Taints and Tolerations </h3> <ul> <li>Restrict what pods can be scheduled on a node</li> <li>Taints set on nodes, tolerations set on pods</li> <li>Taint effect = what happens to pods that can't tolerate the taint <ul> <li>NoSchedule</li> <li>PreferNoSchedule </li> <li>NoExecute</li> </ul> </li> </ul> <p>Taint and toleration example yaml shown below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">&lt;&lt;pod-name&gt;&gt;</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">tolerations</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s2">"</span><span class="s">type"</span> <span class="na">value</span><span class="pi">:</span> <span class="s2">"</span><span class="s">test"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s2">"</span><span class="s">Equal"</span> <span class="na">effect</span><span class="pi">:</span> <span class="s2">"</span><span class="s">NoSchedule"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl taint nodes my-node <span class="nb">type</span><span class="o">=</span><span class="nb">test</span>:NoSchedule </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl taint node my-node node-role<span class="o">=</span>kubernetes.io/control-plane:NoSchedule- </code></pre> </div> <h3> Node Selector </h3> <ul> <li>Add node selector section in the pod with the label of the node we want to use as shown below: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">128Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">nodeSelector</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">large</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl label nodes my-node <span class="nb">type</span><span class="o">=</span><span class="nb">test</span> </code></pre> </div> <h3> Node affinity </h3> <p>Node affinity example below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">&lt;&lt;pod-name&gt;&gt;</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">&lt;&lt;label-value&gt;&gt;</span> <span class="na">type</span><span class="pi">:</span> <span class="s">&lt;&lt;label-value&gt;&gt;</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">affinity</span><span class="pi">:</span> <span class="na">nodeAffinity</span><span class="pi">:</span> <span class="na">requiredDuringSchedulingIgnoredDuringExecution</span><span class="pi">:</span> <span class="na">nodeSelectorTerms</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">matchExpressions</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">type</span> <span class="na">operator</span><span class="pi">:</span> <span class="s">Exists</span> <span class="c1"># - matchExpressions:</span> <span class="c1"># - key: type</span> <span class="c1"># operator: In</span> <span class="c1"># values:</span> <span class="c1"># - test</span> </code></pre> </div> <p>Node affinity types:</p> <ul> <li>requiredDuringSchedulingIgnoredDuringExecution</li> <li>PreferredDuringSchedulingIgnoredDuringExecution</li> <li>requiredDuringSchedulingrequiredDuringExecution</li> </ul> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>During Scheduling</th> <th>During Execution</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Required</td> <td>Ignored</td> </tr> <tr> <td>2</td> <td>Preferred</td> <td>Ignored</td> </tr> <tr> <td>3</td> <td>Required</td> <td>Required</td> </tr> </tbody> </table></div> <p>We can combine node affinity with taints and tolerations</p> <h3> Resource Limits </h3> <p>We can create limit ranges which need to be followed by pods in a namespace as shown below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">LimitRange</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cpu-limit-range</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">default</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">1</span> <span class="na">defaultRequest</span><span class="pi">:</span> <span class="na">cpu</span><span class="pi">:</span> <span class="m">0.5</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Container</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">LimitRange</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mem-limit-range</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">default</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">512Mi</span> <span class="na">defaultRequest</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s">256Mi</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Container</span> <span class="nn">---</span> </code></pre> </div> <h3> Daemon Sets </h3> <p>Ensures a copy of a pod is always on each node in the cluster. Use case: Logging, monitoring agents as shown below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">DaemonSet</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">mydaemonset</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">mydaemonset-app</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">mydaemonset-app</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">logviewer</span> </code></pre> </div> <h3> Static Pods </h3> <p>Pods created independently by the kubelet without help from the kubeapiserver.<br> We can do this in the following ways:</p> <ul> <li> <p>find the kubelet service config path:<br> </p> <pre class="highlight shell"><code>ps <span class="nt">-aux</span> | <span class="nb">grep</span> <span class="nt">-i</span> kubelet | <span class="nb">grep</span> <span class="nt">-i</span> config </code></pre> </li> <li><p>check the node's <code>/var/lib/kubelet/config.yaml</code> path</p></li> <li><p>Configure the pod definition path in the kubelet service at with the following entry: <code>--pod-manifest-path=etc/kubernetes/manifests</code> </p></li> <li> <p>Provide a <code>--config=mydefinition.yaml</code> entry in the kubelet service and have the <code>mydefinition.yaml</code> file contain the following:<br> </p> <pre class="highlight yaml"><code> <span class="na">staticPodPath</span><span class="pi">:</span> <span class="s">etc/kubernetes/manifests</span> </code></pre> </li> <li><p>For both approaches we then place the pod definition files at the specified directory in our case it's <code>/etc/kubernetes/manifests</code> and view pods created via the <code>docker ps</code> command</p></li> </ul> <p>We can use static pods to deploy control plane components as static pods.</p> <h3> Multiple Schedulers </h3> <p>We can create our custom scheduler in kubernetes then pass the file to the custom scheduler in this format:<br> <code>--config=/etc/kubenetes/my-scheduler/my-scheduler-conf.yaml</code>. </p> <p>The <code>my-scheduler-conf.yaml</code> file contains the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kubescheduler.config.k8s.io/v1beta2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">KubeSchedulerConfiguration</span> <span class="na">profiles</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">schedulerName</span><span class="pi">:</span> <span class="s">my-scheduler</span> <span class="na">leaderElection</span><span class="pi">:</span> <span class="na">leaderElect</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">resourceNamespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="na">resourceName</span><span class="pi">:</span> <span class="s">lock-object-my-scheduler</span> </code></pre> </div> <p>The leaderelection section is used when we have multiple master nodes with the custom scheduler running on them in a HA(High Availability) setup and we need to chose the active copy of the scheduler to be running at a time.</p> <p>Read more at: <a href="https://kubernetes.io/docs/tasks/extend-kubernetes/configure-multiple-schedulers/">Multiple Schedulers</a></p> <p>For pods to use our custom scheduler, we provide the scheduler name field in the pod definition.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">myapp</span> <span class="na">image</span><span class="pi">:</span> <span class="s">busybox</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">limits</span><span class="pi">:</span> <span class="na">memory</span><span class="pi">:</span> <span class="s2">"</span><span class="s">128Mi"</span> <span class="na">cpu</span><span class="pi">:</span> <span class="s2">"</span><span class="s">500m"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">2000</span> <span class="na">schedulerName</span><span class="pi">:</span> <span class="s">my-custom-scheduler</span> </code></pre> </div> <h3> Scheduler Profiles </h3> <p>We can disable existing scheduler plugins as well as enable our own custom plugins as below<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">kubescheduler.config.k8s.io/v1beta2</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">KubeSchedulerConfiguration</span> <span class="na">profiles</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">schedulerName</span><span class="pi">:</span> <span class="s">my-scheduler</span> <span class="na">plugins</span><span class="pi">:</span> <span class="na">filter</span><span class="pi">:</span> <span class="na">disabled</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">TaintToleration</span> <span class="na">enabled</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">MyCustomPlugin</span> <span class="pi">-</span> <span class="na">schedulerName</span><span class="pi">:</span> <span class="s">my-scheduler-two</span> <span class="na">plugins</span><span class="pi">:</span> <span class="na">score</span><span class="pi">:</span> <span class="na">disabled</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">NodeAffinity'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">ImageLocality'</span> </code></pre> </div> <h2> Monitoring and Logging </h2> <p>We can use the metric server from: <a href="https://github.com/kubernetes-sigs/metrics-server">metrics-server</a> to collect metrics about our cluster performance. We can also used advanced tools for out monitoring i.e prometheus using this <a href="https://devopscube.com/setup-prometheus-monitoring-on-kubernetes/#:~:text=Prometheus%20is%20a%20high%2Dscalable,helps%20with%20metrics%20and%20alerts.">guide</a></p> <p>We can then view performance using<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl top node </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl top pods </code></pre> </div> <p>To get streamed logs of a currently running pod we use<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs pod-name <span class="nt">-f</span> </code></pre> </div> <p>To get streamed logs of a currently running pod with multiple containers we use<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl logs pod-name <span class="nt">-c</span> container-name <span class="nt">-f</span> </code></pre> </div> <h2> Os Upgrades </h2> <ul> <li>We can drain a node to remove the pods currently running on it and then the node is cordoned (marked as unschedulable) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl drain node1 </code></pre> </div> <ul> <li>We can also manually cordon a node </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl cordon node1 </code></pre> </div> <ul> <li>After our upgrade/fixes to the node, we then uncordon the node once it's back up </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl uncordon node1 </code></pre> </div> <ul> <li>We can have the different components with different versions but not a higher version than the kube api-server but kubectl can be one version higher or lower or the same version</li> </ul> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Maximum version</th> </tr> </thead> <tbody> <tr> <td>Kube Api Server</td> <td>x</td> </tr> <tr> <td>Controller Manager</td> <td>x-1</td> </tr> <tr> <td>Kube Scheduler</td> <td>x-1</td> </tr> <tr> <td>Kubectl</td> <td>x-1 or x or x+1</td> </tr> <tr> <td>Kubelet</td> <td>x-2</td> </tr> <tr> <td>Kube-Proxy</td> <td>x-2</td> </tr> </tbody> </table></div> <ul> <li>To upgrade a cluster managed by kubeadm, <ul> <li>we first start with the master node then the worker nodes.</li> <li>We first get the upgrade plan for our version, </li> </ul> </li> </ul> <p>Step 1 (master node):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubeadm upgrade plan </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt-get upgrade <span class="nv">kubeadm</span><span class="o">=</span>&lt;version&gt; <span class="nt">-y</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubeadm version </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubeadm upgrade apply &lt;version&gt; </code></pre> </div> <p>If we have kubelets on the master node:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt-get upgrade <span class="nv">kubelet</span><span class="o">=</span>&lt;version&gt; <span class="nt">-y</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl restart kubelet </code></pre> </div> <p>Step 2 (worker node-&gt; one by one):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl drain node01 <span class="c"># on master node</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt-get upgrade <span class="nv">kubeadm</span><span class="o">=</span>&lt;version&gt; <span class="nt">-y</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>apt-get upgrade <span class="nv">kubelet</span><span class="o">=</span>&lt;version&gt; <span class="nt">-y</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>systemctl restart kubelet </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl uncordon node01 <span class="c"># on master node</span> </code></pre> </div> <p>Backup candidates : Resource configurations, etcd</p> <ul> <li>For resource configurations: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl get all <span class="nt">--all-namespaces</span> <span class="nt">-o</span> yaml <span class="o">&gt;</span> deploy-and-service.yaml </code></pre> </div> <ul> <li>For Etcd, We can either backup the directory where etcd stores to or take a snapshot and restore it </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">export </span><span class="nv">ETCDCTL_API</span><span class="o">=</span>3 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> etcdctl snapshot save <span class="nt">--endpoints</span><span class="o">=</span>&lt;enpoints&gt; <span class="se">\</span> <span class="nt">--cacert</span><span class="o">=</span>&lt;path-to-cacert&gt; <span class="se">\</span> <span class="nt">--cert</span><span class="o">=</span>&lt;path-to-cert&gt; <span class="se">\</span> <span class="nt">--key</span><span class="o">=</span>&lt;path-to-key&gt; /path/to/backup/file/mysnapshot.db </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> etcdctl snapshot status /path/to/backup/file/mysnapshot.db </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> service kube-api-server stop </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> etcdctl snapshot restore /path/to/backup/file/mysnapshot.db <span class="nt">--data-dir</span> /path/to/restore/to/ <span class="c"># We then update etcd configuration to use the new directory </span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> service etcd restart service kube-api-server start </code></pre> </div> <p>We can use scp to copy objects to a pod:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scp test.txt my-server:/home </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scp my-server:/home test.txt </code></pre> </div> <p>To join cluster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubeadm token create <span class="nt">--print-join-command</span> </code></pre> </div> <p>More info: <a href="https://www.youtube.com/watch?v=qRPNuT080Hk&amp;ab_channel=CNCF%5BCloudNativeComputingFoundation%5D">Disaster Recovery for Kubernetes Clusters</a></p> <h2> Security </h2> <h3> Authentication </h3> <p>Authentication to the kube-api server is through:</p> <ul> <li> <p>Password file:</p> <ul> <li>Specify in kubeapiserver service or kubeapi server yaml file <code>--basic-auth-file=usercreds-basic.csv</code> </li> <li>The csv file should be in the fomat of: </li> </ul> <pre class="highlight plaintext"><code>password,username,userid,groupid </code></pre> <ul> <li>If using api to authenticate pass via <code>curl -v -k https://masternod-ip:port/api/vi/pods -u "user1:password1"</code> </li> </ul> </li> <li> <p>Token file:</p> <ul> <li>Specify in kubeapiserver service or kubeapi server yaml file <code>--token-auth-file=usercreds-token.csv</code> </li> <li>The csv file should be in the fomat of: </li> </ul> <pre class="highlight plaintext"><code>token,username,userid,groupid </code></pre> <ul> <li>If using api to authenticate pass as a bearer token <code>curl -v -k https://masternod-ip:port/api/vi/pods --header "Authorization: Bearer &lt;TOKEN&gt;"</code> </li> </ul> </li> <li><p>Certificates</p></li> <li><p>External Identity Service</p></li> </ul> <h3> TLS Certificates </h3> <blockquote> <p>Cerificates with public key usually end with <code>.crt</code> or <code>.pem</code> while those with private keys usually end with <code>.key</code> or <code>-key.pem</code></p> </blockquote> <p>List of certificates in the cluster</p> <ul> <li>Certificate Authority certs (we can use more than one ca)</li> <li>Server certificates: <ul> <li>kube-api-server </li> <li>etcd server</li> <li>kubelet server</li> </ul> </li> <li>Client certificates: <ul> <li>users (admins)</li> <li>kube-scheduler</li> <li>kube-controller-manager</li> <li>kube-proxy</li> <li>kube-api-server to kubelet</li> <li>kube-api-server to etcd</li> </ul> </li> </ul> <p>All certificate operations done by the kube controller manager. We specify the following:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> - <span class="nt">--cluster-signing-cert-file</span><span class="o">=</span><span class="s1">'pathtofile'</span> - <span class="nt">--cluster-signing-key-file</span><span class="o">=</span><span class="s1">'pathtofile'</span> </code></pre> </div> <p>Certificate signing requests using the following file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cat file.csr | base64 -w 0 </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">certificates.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">CertificateSigningRequest</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">johndoe</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">request</span><span class="pi">:</span> <span class="s">BASE64 ENCODED CSR</span> <span class="na">signerName</span><span class="pi">:</span> <span class="s">kubernetes.io/kube-apiserver-client</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">system:authenticated</span> <span class="na">expirationSeconds</span><span class="pi">:</span> <span class="m">86400</span> <span class="c1"># one day</span> <span class="na">usages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">server auth</span> <span class="pi">-</span> <span class="s">key encryptment</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get csr </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl certificate approve csr-name </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl certificate deny csr-name </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get csr csr-name <span class="nt">-o</span> yaml </code></pre> </div> <h3> Kubeconfig </h3> <p>We can send request using kubectl command without kubeconfig as follows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods <span class="nt">--server</span> server <span class="nt">--client-key</span> client.key <span class="nt">--client-certificate</span> client.crt <span class="nt">--certificate-authority</span> ca.crt </code></pre> </div> <p>We can use a kubeconfig file to remove the need to add the details and send a request like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pods </code></pre> </div> <p>Kubeconfig file has these sections:</p> <ul> <li>Clusters (dev,prod)</li> <li>Users (developer, admin, qa)</li> <li>Contexts (user-to-cluster i.e developer@dev, admin@prod)</li> </ul> <p>Sample kubeconfig file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Config</span> <span class="na">current-context</span><span class="pi">:</span> <span class="s">developer@localcluster-context</span> <span class="na">clusters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">remotecluster</span> <span class="na">cluster</span><span class="pi">:</span> <span class="na">certificate-authority</span><span class="pi">:</span> <span class="s">path/remote-ca.crt</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://ip:port</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">localcluster</span> <span class="na">cluster</span><span class="pi">:</span> <span class="na">certificate-authority-data</span><span class="pi">:</span> <span class="s">BASE64 ENCODED CSR</span> <span class="na">server</span><span class="pi">:</span> <span class="s">https://ip:port</span> <span class="na">contexts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kube-admin@localcluster-context</span> <span class="na">context</span><span class="pi">:</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">remotecluster</span> <span class="na">user</span><span class="pi">:</span> <span class="s">kube-admin</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">kube-system</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developer@localcluster-context</span> <span class="na">context</span><span class="pi">:</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">localcluster</span> <span class="na">user</span><span class="pi">:</span> <span class="s">developer</span> <span class="na">users</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kube-admin</span> <span class="na">user</span><span class="pi">:</span> <span class="na">client-certificate</span><span class="pi">:</span> <span class="s">path/admin-client.crt</span> <span class="na">client-key</span><span class="pi">:</span> <span class="s">path/client.key</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developer</span> <span class="na">user</span><span class="pi">:</span> <span class="na">client-certificate</span><span class="pi">:</span> <span class="s">path/dev-client.crt</span> <span class="na">client-key</span><span class="pi">:</span> <span class="s">path/client.key</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl config view kubectl config view <span class="nt">--kubeconfig</span> path-to-config </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl cluster-info <span class="nt">--kubeconfig</span> path-to-config </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl config use-context developer@localcluster-context </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl config set-credentials user --client-certificate=/path/user.crt </code></pre> </div> <h3> Authorization </h3> <p>We set authorization mode in the kubeapiserver entry <code>--authorization-mode=Node,RBAC</code> and they are used following the order they were specified</p> <p>Role file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developer</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pods"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">devhour"</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">apps"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">deployments"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">]</span> </code></pre> </div> <p>Role binding file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developer-binding</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Group</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developers</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="c1">#this must be Role or ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">developer</span> <span class="c1"># this must match the name of the Role or ClusterRole you wish to bind to</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get roles kubectl get rolebindings </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl auth can-i get pods </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl auth can-i get pods <span class="nt">--as</span> developer <span class="nt">--namespace</span> dev </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create role rolename <span class="nt">--verb</span><span class="o">=</span>create,list,delete <span class="nt">--resource</span><span class="o">=</span>pod </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create rolebinding rolebindingname <span class="nt">--role</span><span class="o">=</span>rolename <span class="nt">--user</span><span class="o">=</span>user-to-bind </code></pre> </div> <p>To view namespaced resources: <code>--namespaced=true</code><br> We can use cluster roles on namespaced resources to give access to the objects in the whole cluster</p> <p>Cluster Role file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-admin</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">nodes"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">watch"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">]</span> </code></pre> </div> <p>Cluster Role binding file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">admin-binding</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Group</span> <span class="na">name</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ClusterRole</span> <span class="c1">#this must be Role or ClusterRole</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cluster-admin</span> <span class="c1"># this must match the name of the Role or ClusterRole you wish to bind to</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create clusterrole clusterrolerolename <span class="nt">--verb</span><span class="o">=</span><span class="k">*</span> <span class="nt">--resource</span><span class="o">=</span>pod </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create clusterrolebinding clusterrolebindingname <span class="nt">--clusterrole</span><span class="o">=</span>clusterrolerolename <span class="nt">--user</span><span class="o">=</span>user-to-bind </code></pre> </div> <p>For service accounts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create sa service-account-name<span class="sb">`</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl create token service-account-name </code></pre> </div> <p>For registry secrets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> kubectl create secret docker-registry NAME <span class="nt">--docker-username</span><span class="o">=</span>user <span class="nt">--docker-password</span><span class="o">=</span>password <span class="nt">--docker-email</span><span class="o">=</span>email <span class="nt">--docker-server</span><span class="o">=</span>string </code></pre> </div> <h3> Network Policy </h3> <p>By default kubernetes allows traffic from all pods to all destinations. <br> We can define egress and ingress rules to block traffic to and from pods.</p> <blockquote> <p>If we add ingress rule, we don't need to specify the egress rule for the response as it is allowed automatically. <br> We do need an egress rule if we need to send external api calls<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">NetworkPolicy</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">network-policy-name</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="s">testing</span> <span class="c1"># pods matching this label will have the network policy applied on them</span> <span class="na">policyTypes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Ingress</span> <span class="pi">-</span> <span class="s">Egress</span> <span class="na">ingress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">from</span><span class="pi">:</span> <span class="c1"># The pod selector and namespace selector rules both need to be met.</span> <span class="c1"># We can add a - before the namespace selector to make it that either of them need to be met.</span> <span class="pi">-</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pod-name</span> <span class="c1"># allow pods with this label to send ingress traffic</span> <span class="na">namespaceSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">testing</span> <span class="c1"># specify pods from which namespace are allowed to to send ingress traffic</span> <span class="pi">-</span> <span class="na">ipBlock</span><span class="pi">:</span> <span class="na">cidr</span><span class="pi">:</span> <span class="s">ip-cidr</span> <span class="c1"># range of ip addresses allowed to send ingress traffic</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">TCP"</span> <span class="na">port</span><span class="pi">:</span> <span class="m">3306</span> <span class="c1"># port to recieve ingress traffic</span> <span class="na">egress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">to</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">podSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pod-name</span> <span class="c1"># send egress traffic to pods with this label </span> <span class="na">namespaceSelector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">testing</span> <span class="c1"># send egress traffic to pods in the namespace with this label</span> <span class="pi">-</span> <span class="na">ipBlock</span><span class="pi">:</span> <span class="na">cidr</span><span class="pi">:</span> <span class="s">ip-cidr</span> <span class="c1"># send egress traffic to this range of ip addresses</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s2">"</span><span class="s">TCP"</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="c1"># port to send egress traffic to</span> </code></pre> </div> <h2> Storage </h2> <p>To create a volume in a pod:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">&lt;&lt;pod-name&gt;&gt;</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">&lt;&lt;label-value&gt;&gt;</span> <span class="na">type</span><span class="pi">:</span> <span class="s">&lt;&lt;label-value&gt;&gt;</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-volume</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/home/</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ebs-volume</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">test-volume</span> <span class="na">hostPath</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/home/data</span> <span class="na">type</span><span class="pi">:</span> <span class="s">Directory</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ebs-volume</span> <span class="na">awsElasticBlockStore</span><span class="pi">:</span> <span class="na">volumeID</span><span class="pi">:</span> <span class="s">&lt;&lt;vol-id&gt;&gt;</span> <span class="na">fsType</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ntfs"</span> </code></pre> </div> <p>Persistent Volumes: A cluster wide pool of storage volumes which we can assign to applications on the cluster.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolume</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">persistent-vol</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">capacity</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">1Gi</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> <span class="na">persistentVolumeReclaimPolicy</span><span class="pi">:</span> <span class="s">Retain</span> <span class="na">awsElasticBlockStore</span><span class="pi">:</span> <span class="na">volumeID</span><span class="pi">:</span> <span class="s">&lt;&lt;vol-id&gt;&gt;</span> <span class="na">fsType</span><span class="pi">:</span> <span class="s2">"</span><span class="s">ntfs"</span> </code></pre> </div> <p>Persistent Volumes Claim: Select storage from the persistent volumes created.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">persitent-vol-claim</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">500Mi</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> </code></pre> </div> <p>Using Persistent Volumes Claim in a pod:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">&lt;&lt;pod-name&gt;&gt;</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">&lt;&lt;label-value&gt;&gt;</span> <span class="na">type</span><span class="pi">:</span> <span class="s">&lt;&lt;label-value&gt;&gt;</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-container</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/opt</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pvc-volume</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">pvc-volume</span> <span class="na">persistentVolumeClaim</span><span class="pi">:</span> <span class="na">claimName</span><span class="pi">:</span> <span class="s">persitent-vol-claim</span> </code></pre> </div> <p>Storage Classes: We don't need to creat a persitent volume. This is done automatically<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">storage.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">StorageClass</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ebs-storage</span> <span class="na">provisioner</span><span class="pi">:</span> <span class="s">kubernetes.io/aws-ebs</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">gp2</span> <span class="na">fsType</span><span class="pi">:</span> <span class="s">ext4</span> <span class="na">encrypted</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>Persitent volume storage class:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">PersistentVolumeClaim</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">persitent-vol-claim</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">resources</span><span class="pi">:</span> <span class="na">requests</span><span class="pi">:</span> <span class="na">storage</span><span class="pi">:</span> <span class="s">500Mi</span> <span class="na">storageClassName</span><span class="pi">:</span> <span class="s">ebs-storage</span> <span class="na">accessModes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ReadWriteOnce</span> </code></pre> </div> <h2> Networking </h2> <h3> Network configuration - Cluster Nodes </h3> <p>Ports required for kubernetes: <a href="https://kubernetes.io/docs/reference/networking/ports-and-protocols/">Ports</a></p> <p>Find network interfaces:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ip a </code></pre> </div> <p>Find bridges in network:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ip a show <span class="nb">type </span>bridge </code></pre> </div> <p>List routes in the host<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ip route </code></pre> </div> <p>Get active internet connections<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>netstat <span class="nt">-nplt</span> </code></pre> </div> <p>Get number of client connections on a program running on a port<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>netstat <span class="nt">-anp</span> | <span class="nb">grep</span> <span class="s1">'etcd\|2379'</span> | <span class="nb">wc</span> <span class="nt">-l</span> </code></pre> </div> <h3> Pod Networking </h3> <p>When a container is created, the kubelet looks at the cni configuration passed: </p> <ul> <li><code>network-plugin=cni</code></li> <li> <code>cni-conf-dir=/etc/cni/net.d</code> to find our scipts name </li> <li> <code>cni-bin-dir=/opt/cni/bin</code> to find the script </li> </ul> <p>The kubelet then runs the script with the add command with the name and namespce id of the container <code>net-script.sh add &lt;container&gt; &lt;namespace&gt;</code></p> <h3> Service Networking </h3> <ul> <li>Cluster Ip services are not bound to a specific node but are available to all pods cluster wide</li> <li>Node Port services exposes application on a port on all nodes in the cluster.</li> </ul> <p>Kube proxy creates forward rules in all nodes such that when we try to reach the ip of a service, the request is forwarded to the ip and port of the pod.</p> <p>For kubeproxy, we set the proxymode : <code>--proxy-mode [userspace | iptables | ipvs]</code> If not set, if defaults to iptables.</p> <p>For services, we set the range in the kube-api-server <code>--service-cluster-ip-range &lt;range&gt;</code> which defaults to 10.0.0.0/24</p> <p>View rules created by kube proxy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>iptables <span class="nt">-L</span> <span class="nt">-t</span> nat | <span class="nb">grep</span> <span class="nt">-i</span> servicename </code></pre> </div> <h3> DNS </h3> <ul> <li>Domain resolution for services: <code>web-service.namespace.svc.cluster-root-domain</code> i.e db-service.test-ns.svc.cluster.local</li> <li>For pods , we replace the <code>.</code> with <code>-</code>. This is turned off by default.</li> <li>Domain resolution for pods: <code>pod-ip-replaced-with-hyphens.namespace.pod.cluster-root-domain</code> i.e 10-244-1-2.test-ns.pod.cluster.local</li> <li>Coredns watches the cluster for new pods or services and adds a record for them in it's database when they're created and it also creates a service named <code>kube-dns</code>.</li> <li>Core file for coredns at : <code>etc/coredns/Corefile</code> and it's passed as a config map object</li> <li>For kubelet, we have the ip of dns server and domain in its config</li> </ul> <p>Example Corefile<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ errors health { lameduck 5s } ready kubernetes cluster.local in-addr.arpa ip6.arpa { pods insecure fallthrough in-addr.arpa ip6.arpa ttl 30 } prometheus :9153 forward . /etc/resolv.conf { max_concurrent 1000 } cache 30 loop reload loadbalance } </code></pre> </div> <p>To get the service full domain name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>host service-name </code></pre> </div> <h2> Json Path </h2> <p>Kubernetes docs for json path: <a href="https://kubernetes.io/docs/reference/kubectl/jsonpath/">Kubernetes Jsonpath</a><br> Use the following evaluator for json <a href="https://jsonpath.com/">JsonPath Evaluator</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#get field names</span> k explain deploy.spec <span class="nt">--recursive</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get all car names in an json data is equal to "abc"</span> <span class="c"># $[] -&gt; return a list</span> <span class="c"># ?() -&gt; if </span> <span class="c"># @ -&gt; Each item in list</span> <span class="nv">$[</span>?<span class="o">(</span>@.name <span class="o">==</span> <span class="s2">"abc"</span><span class="o">)]</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#Get name and image of first container of the first pod </span> kubectl get pods <span class="nt">-o</span><span class="o">=</span><span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{range .items[0].spec.containers[0]}{.name}{"\n"}{.image}'</span> <span class="nt">--sort-by</span><span class="o">=</span>.name </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#Fetch node names </span> kubectl get nodes <span class="nt">-ojsonpath</span><span class="o">=</span><span class="s1">'{range .items[*].metadata}{.name} </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Sort persisten volumes by capacity</span> kubectl get pv <span class="nt">--sort-by</span><span class="o">=</span>.spec.capacity.storage </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get pv <span class="nt">--sort-by</span><span class="o">=</span>.spec.capacity.storage <span class="nt">-o</span><span class="o">=</span>custom-columns<span class="o">=</span>NAME:.metadata.name,CAPACITY:.spec.capacity.storage </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># get names of user test in config</span> kubectl config view <span class="nt">--kubeconfig</span><span class="o">=</span>custom-config <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s2">"{.contexts[?(@.context.user=='test')].name}"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#Get deployments as per this format:</span> <span class="c"># DEPLOYMENT CONTAINER_IMAGE READY_REPLICAS NAMESPACE</span> kubectl get deploy <span class="nt">-n</span> admin2406 <span class="nt">--sort-by</span><span class="o">=</span>.metadata.name <span class="nt">-o</span><span class="o">=</span>custom-columns<span class="o">=</span>DEPLOYMENT:.metadata.name,CONTAINER_IMAGE:.spec.template.spec.containers.<span class="k">*</span>.image,READY_REPLICAS:.status.readyReplicas,NAMESPACE:.metadata.namespace </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kubectl get svc <span class="nt">--sort-by</span><span class="o">=</span>.metadata.name <span class="nt">-o</span><span class="o">=</span>custom-columns<span class="o">=</span>NAME:.metadata.name,PORTNAME:.spec.ports.name </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>k get nodes <span class="nt">-ojsonpath</span><span class="o">=</span><span class="s1">'{range .items[*]}InternalIP of {.metadata.name} {.status.addresses[?(@.type=="InternalIP")].address} {end}'</span> </code></pre> </div> kubernetes cka devops opensource My CKAD Prep Cosmas Nyairo Mon, 15 May 2023 16:05:53 +0000 https://dev.to/cosmasnyairo/my-ckad-prep-i72 https://dev.to/cosmasnyairo/my-ckad-prep-i72 <h2> Table of Contents </h2> <ul> <li>Notes</li> <li>Pod</li> <li>Replication Controller and replicaset</li> <li>Deployments</li> <li>Namespaces</li> <li>Services</li> <li>Config Map</li> <li>Secrets</li> <li>Security Context</li> <li>Service Account</li> <li>Resource Limits</li> <li>Taints and Tolerations</li> <li>Node Selectors</li> <li>Node Affinity</li> <li>Multicontainer Pods</li> <li>Observability</li> <li>Jobs and Cronjobs</li> <li>Ingress</li> <li>Network Policies</li> <li>Storage</li> <li>Authentication</li> <li>Authorization</li> <li>Admission Controllers</li> <li>Custom Resource Definition</li> <li>Custom Controller</li> </ul> <h2> Notes </h2> <p>Before we dive into the templates and commands, here are some notes about Kubernetes that you should keep in mind:</p> <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/definition.yaml">Definition file</a></li> </ul> <p>Cluster is a collection of nodes</p> <p>Master node has:</p> <ul> <li>api sever (frontend for kube)</li> <li>etcd (key store for data used to manage cluster)</li> <li>scheduler (assigns containers to nodes)</li> <li>controller (bring up containers when they go down)</li> </ul> <p>Worked node has:</p> <ul> <li>kubelet (agent in each node in cluster that ensures containers running on nodes as expected)</li> <li>runtime (software to run containers in the background i.e docker)</li> </ul> <p>Multi container pods can communicate to each other through localhost</p> <p>Resources in a namespace can refer to each other by their names<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>pods have a 1 to 1 relationship with containers entrypoint in docker -&gt; command in kubernetes cmd in docker -&gt; args in kubernetes kube system - resources for internal purposes for kubernetes kube public - resources to be made available to all users </code></pre> </div> <p>kubeapiserver path is <code>/etc/kubernetes/manifests/kube-apiserver.yaml</code><br> To check settings passed to kubeapi server: <code>ps -aux | grep authorization</code></p> <p>To view api resources and their shortnames:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl api-resources </code></pre> </div> <p>To enable alpha versions: <code>--runtime-config=api/version</code></p> <p>Run <code>watch crictl ps</code> to wait for kube api server to come back online</p> <p>To handle api deprecations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl convert -f &lt;old-file&gt; --output-version &lt;new-api-version&gt; &gt; &lt;new-file&gt; </code></pre> </div> <p>Now, let's dive into the templates and commands you can use for resources.</p> <h2> Pod </h2> <p>Single instance of an application (smallest object we can create in k8)</p> <p>We scale pods up or down</p> <ul> <li> <a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/deployment.yaml">Pod Definition file</a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get pods -o wide </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get pods -A </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl label pod/&lt;pod-name&gt;</span><span class="w"> </span>&lt;label&gt;<span class="o">=</span>&lt;value&gt; </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get pods,svc </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get pods --no-headers | wc -l </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl run &lt;pod-name&gt;</span><span class="w"> </span><span class="nt">--image</span><span class="o">=</span>&lt;image-name&gt; <span class="nt">-n</span> &lt;namespace&gt; <span class="nt">--dry-run</span><span class="o">=</span>client <span class="nt">-o</span> yaml <span class="o">&gt;</span> test.yaml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl set image pod &lt;pod-name&gt;</span><span class="w"> </span>&lt;container-name&gt;<span class="o">=</span>&lt;image&gt; </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl get pod &lt;pod-name&gt;</span><span class="w"> </span><span class="nt">-o</span> yaml <span class="o">&gt;</span> pod-definition.yaml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl exec -it podname -- commandtorun </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl replace --force -f app.yaml </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl apply -f test.yaml </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubeclt edit pod &lt;pod-name&gt;</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl explain pods --recursive | less </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl explain pods --recursive | grep envFrom -A&lt;number-of-lines&gt;</span><span class="w"> </span></code></pre> </div> <ul> <li><p><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/labels-selectors-annotations.yaml">Pod Design Definition file </a></p></li> <li><p>Pod labels - used to group objects i.e pods, services, replicasets<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get pods --selector label=value </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get pods --selector label=value,label2=value2 </span></code></pre> </div> <ul> <li><p>Selectors match labels described i.e match labels on the pod or service to match labels of a pod</p></li> <li><p>Annotation records details for informatory purposes e.g build information, tool used.</p></li> </ul> <h2> Replication Controller and Replicaset </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Replication controller is in v1 while replicaset in apps/v1 Replica set uses selector to determine pods to watch and manage even existing pods </code></pre> </div> <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/replicaset.yaml">Replicaset Definition file </a></li> <li> <a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/replicationcontroller.yaml">Replicationcontroller Definition file</a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl create -f definition.yaml </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get replicationcontroller </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get rs </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl delete replicaset &lt;replicaset-name&gt;</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl edit replicaset &lt;replicaset-name&gt;</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl set image rs &lt;replica-set&gt;</span><span class="w"> </span>&lt;container-name&gt;<span class="o">=</span>&lt;image&gt; <span class="go"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl describe replicaset &lt;replicaset-name&gt;</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl apply -f definition.yaml </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl replace -f definition.yaml </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl scale -replicas=10 -f definition.yaml </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl scale --replicas=0 replicaset/&lt;replicaset-name&gt;</span><span class="w"> </span></code></pre> </div> <h2> Deployments </h2> <ul> <li> <a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/deployment.yaml">Deployment Definition file </a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl create deployment nginx --image=nginx </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl scale deploy/webapp --replicas=3 </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get deploy </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get deploy -o wide </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl delete deployment &lt;deployment -name&gt;</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl create deploy redis-deploy --image=redis --replicas=2 -n dev-ns </span></code></pre> </div> <ul> <li>Deployment strategies: <ul> <li>Recreate - Remove all applications running on older verision and bring up applications running on newer verision</li> <li>Rolling update (default strategy) - Remove a single application and bring up a new one one by one until the newer version is running on all applications</li> <li>A new replica set is created under the hood when we do deployment upgrades</li> <li>We use record flag to save commands used to create/update deployments</li> <li>We use the to revision flag to rollback to a specific revision </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl set image deploy/deploymentname &lt;container-name&gt;</span><span class="o">=</span>&lt;image&gt; </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl set image deploy/deploymentname &lt;container-name&gt;</span><span class="o">=</span>&lt;image&gt; <span class="nt">--record</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl rollout restart deploy/deploymentname </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl rollout status deploy/deploymentname </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl rollout history deploy/deploymentname </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl rollout undo deploy/deploymentname </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl rollout undo deploy/deploymentname --to-revision=1 </span></code></pre> </div> <h2> Namespaces </h2> <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/namespace.yaml">Namespace Definition file </a></li> <li> <a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/resourcequota.yaml">Resource Quota Definition file</a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl create ns &lt;namespace-name&gt;</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl config set-context $</span><span class="o">(</span>kubectl config current-context<span class="o">)</span> <span class="nt">-n</span> &lt;namespace-name&gt; </code></pre> </div> <h2> Services </h2> <p>Enable communication between components within the application</p> <p>Types:</p> <ul> <li>Node Port <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/nodeport-service.yaml">Node Port Definition file </a></li> <li>Map a port on node to a port on the pod</li> <li>The node's port Can only be in the range 30000 to 32767</li> <li>Node port -&gt; Service -&gt; Target port (Pod's port)</li> <li>Node port and service port are not mandatory, if not provided, node port is allocated an available ip in the range 30000 to 32767 while service port is assumed to be same as port</li> <li>Acts as loadbalancer if we have multiple pods with the same label, it uses a random algorithm to select which pod to send requests to.</li> </ul> </li> <li> <p>Cluster Ip</p> <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/clusterip-service.yaml">Cluster Ip Definition file </a></li> <li>Service assigned an ip in the cluster and it's used to access the service by other pods in the service.</li> </ul> </li> <li> <p>Load Balancer</p> <ul> <li>Builds on top of node port and allows balancing of requests to the service to it's target applications</li> </ul> </li> </ul> <p>To connect to another service in a different namespace: we use the following syntax:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;service-name&gt;.&lt;namespace&gt;.&lt;svc&gt;.&lt;domain&gt; test-service.test-ns.svc.cluster.local </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl expose resource &lt;resource-name&gt;</span><span class="w"> </span><span class="nt">--type</span><span class="o">=</span>&lt;<span class="nb">type</span><span class="o">&gt;</span> <span class="nt">--port</span><span class="o">=</span>&lt;port&gt; <span class="nt">--target-port</span><span class="o">=</span>&lt;target-port&gt; <span class="nt">--name</span><span class="o">=</span>&lt;service-name&gt; </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl create service &lt;type&gt;</span><span class="w"> </span>&lt;service-name&gt; <span class="nt">--tcp</span><span class="o">=</span>&lt;port&gt;:&lt;port&gt; </code></pre> </div> <h2> Config Map </h2> <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/configmap.yaml">ConfigMap Definition file </a></li> <li><p><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/configmap-pod.yaml">Pod with configMap Definition file</a></p></li> <li><p>Imperative<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go"> kubectl create configmap \ app-config --from-literal=APP_COLOR=RED \ --from-literal=APP_TYPE=AAB \ --from-literal=APP_ENV=PROD \ </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go"> kubectl create configmap \ app-config --from-file=app_config.properties </span></code></pre> </div> <ul> <li>Declarative: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go"> kubectl create -f test-config-map.yaml </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go"> kubectl get configmaps kubectl get cm kubectl describe configmap </span></code></pre> </div> <h2> Secrets </h2> <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/secret.yaml">Secret Definition file </a></li> <li><p><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/secret-pod.yaml">Pod with Secret Definition file</a></p></li> <li><p>Imperative<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go"> kubectl create secret generic \ app-secret --from-literal=DB_HOST=mysql \ --from-literal=DB_PORT=1000 --from-literal=DB_NAME=test \ </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go"> kubectl create secret generic \ app-secret --from-file=test.env </span></code></pre> </div> <ul> <li>Declarative </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go"> kubectl create -f test-secret.yaml </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go"> kubectl get secrets </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp"> kubectl get secret &lt;secret-name&gt;</span><span class="w"> </span><span class="nt">-o</span> yaml </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go"> kubectl describe secrets </span></code></pre> </div> <h2> Security Context </h2> <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/securitycontext.yaml">Security Context Definition file </a></li> </ul> <p>We can add security context on the pod level or the container level. If both are specified, the container level takes precedence.</p> <p>Cabapilites are supported only on the container level</p> <h2> Service Account </h2> <ul> <li> <a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/serviceaccount.yaml">Service Account Definition file </a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl create serviceaccount test-sa </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get serviceaccount </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl describe serviceaccount test-sa </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl create token SERVICEACCOUNTNAME </span></code></pre> </div> <h2> Taints and Tolerations </h2> <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/taint%26toleration-pod.yaml">Taints and Tolerations Definition file </a></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl taint nodes NODENAME app=red:taint-effect </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl taint nodes NODENAME app=red:taint-effect- </span></code></pre> </div> <p>taint-effects include: <code>NoSchedule|NoExecute|PreferNoSchedule</code></p> <h2> Node Selectors </h2> <ul> <li> <a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/nodeselector-pod.yaml">Node Selectors Definition file </a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl label nodes NODENAME type=test </span></code></pre> </div> <p>We cannot apply advanced filters e.g not , or</p> <h2> Node Affinity </h2> <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/nodeaffinity-pod.yaml">Node Affinity Definition file </a></li> </ul> <p>Node affinity types:</p> <ul> <li>requiredDuringSchedulingIgnoredDuringExecution</li> <li>PreferredDuringSchedulingIgnoredDuringExecution</li> <li>requiredDuringSchedulingrequiredDuringExecution</li> </ul> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>During Scheduling</th> <th>During Execution</th> </tr> </thead> <tbody> <tr> <td>1</td> <td>Required</td> <td>Ignored</td> </tr> <tr> <td>2</td> <td>Preferred</td> <td>Ignored</td> </tr> <tr> <td>3</td> <td>Required</td> <td>Required</td> </tr> </tbody> </table></div> <h2> Multicontainer Pods </h2> <ul> <li><p><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/multicontainer.yaml">Multicontainer Pods Definition file </a></p></li> <li><p>Sidecar containers -&gt; help the main container e.g to logging agent to send logs to log server</p></li> <li><p>Adapter containers -&gt; process data for the main container e.g converts logs to readable format before sending to logging server</p></li> <li><p>Ambassador containers -&gt; proxy requests from the main container e.g send requests to db on main container's behalf</p></li> <li><p><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/initcontainer.yaml">Init Containers Definition file </a></p></li> <li><p>Init containers -&gt; Process inside init container must finish before other containers start.</p></li> <li><p>If the init container fails, the pod is restarted until the init container succeeds</p></li> </ul> <h2> Observability </h2> <p>Readiness Probe:</p> <ul> <li>Perform test to check if the container is up before marking the container as ready.</li> <li>For readiness, we can do http calls, tcp calls or run a command that when succesfull, we mark the container as ready</li> </ul> <p>Liveness Probe:</p> <ul> <li>Periodically test if application within container is healthy.</li> <li><p>For liveness, we can do http calls, tcp calls or run a command that when they fail, we mark the container as unhealthy and it's restarted</p></li> <li><p><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/readiness-probe.yaml">Readiness &amp; Liveness Probe Definition file </a></p></li> </ul> <p>Logging:</p> <p>Show logs<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl logs podname </span></code></pre> </div> <p>Show live logs<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl logs -f podname </span></code></pre> </div> <p>For multi container we specify container name<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl logs -f podname container-name </span></code></pre> </div> <p>Metric Server:</p> <ul> <li>We can have 1 metric server per cluster</li> <li>Receives metrics from nodes and pods and stores them in memory ( we can't see historical data with metric server)</li> <li>To install on cluster,we clone the metric server repo and run kubectl create -f repourl </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl top node </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl top pod </span></code></pre> </div> <h2> Jobs and Cronjobs </h2> <p>Job - Tasks that can be run and exit after they've finalized</p> <ul> <li> <a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/job.yaml">Job Definition file </a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get jobs </span></code></pre> </div> <p>Cronjob - To run jobs periodically</p> <ul> <li> <a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/cronjob.yaml">Cronjob Definition file </a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get cronjob </span></code></pre> </div> <h2> Ingress </h2> <ul> <li><p><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/ingress.yaml">Ingress Definition file </a></p></li> <li><p>Enables users access application through an externally accessible url that we can configure to route to different services in the cluster based on url path while implementing ssl as well</p></li> <li><p>We need to expose it so it can be accessible outside the cluster</p></li> <li> <p>Ingress controller:</p> <ul> <li>Does not come with kubernetes as default. We need to deploy if first.</li> <li>Examples are istio, nginx, haproxy</li> </ul> </li> <li> <p>Ingress resources:</p> <ul> <li>Rules and configs applied to ingress controller to forward traffic to single applications, via paths or via domain name </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get ingress </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl create ingress &lt;ingress-name&gt;</span><span class="w"> </span><span class="nt">--rule</span><span class="o">=</span><span class="s2">"host/path=service-name:port"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl create ingress world --rule=world.universe.mine/europe*=europe:80 --rule=world.universe.mine/asia*=asia:80 --class=nginx -n world </code></pre> </div> <h2> Network Policies </h2> <ul> <li>Allow and deny rules configured on the pod</li> <li> <a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/network-policy.yaml">Network Policies Definition file </a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get netpol </span></code></pre> </div> <h2> Storage </h2> <ul> <li> <p>Volumes</p> <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/volume.yaml">Volume Definition file </a></li> </ul> </li> <li> <p>Persistent Volumes</p> <ul> <li>Cluster wide pool of storage volumes to be used by applications on the cluster</li> <li>Applications can then request storage from the pool to use</li> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/persistent-volume.yaml">Persistent Volumes Definition file </a></li> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/persistent-volume-pod.yaml">Persistent Volume in a Pod Definition file </a></li> </ul> </li> <li> <p>Persistent Volume Claim</p> <ul> <li>Users create persistent volume claims to use the storage in the persistent volume</li> <li>Kubernetes binds pvc to pv based on request and properties on the volume</li> <li> <a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/persitent-volume-claim.yaml">Persistent Volume Claim Definition file </a> </li> </ul> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp"> kubeclt delete pvc &lt;pvc-claim&gt;</span><span class="w"> </span></code></pre> </div> <ul> <li> <p>Storage Class</p> <ul> <li>We define a provisioner to automatically provision storaage which can be used by pods.</li> <li>If we specify the storage class, we don't need to specify the persistent volume as it would be created automatically when storage class is created.</li> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/storageclass.yaml">Storage Class Definition file </a></li> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/persistent-volume-claim-storageclass.yaml">Persistent Volume Claim Storage Class Definition file </a></li> </ul> </li> </ul> <h2> Authentication </h2> <p>All user access is managed by the api server</p> <p>We can store user credentials as:</p> <ul> <li>Static Password File: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp"> #</span><span class="w"> </span>Add this to kubeapi server service or pod definition file <span class="go"> --basic-auth-file=user-credentials.csv </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp"> curl -v -k &lt;api-url&gt;</span><span class="w"> </span><span class="nt">-u</span> <span class="s2">"user:password"</span> </code></pre> </div> <ul> <li>Static Token File: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp"> #</span><span class="w"> </span>Add this to kubeapi server service or pod definition file <span class="go"> --token-auth-file=user-credentials.csv </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp"> curl -v -k &lt;api-url&gt;</span><span class="w"> </span><span class="nt">--header</span> <span class="s2">"Authorization: Bearer &lt;TOKEN&gt;"</span> </code></pre> </div> <p>We can use kubeconfig to manage which clusters we can access</p> <ul> <li> <a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/kubeconfig.yaml">Kubeconfig Definition file </a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl config view --kubeconfig=my-custom-file </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl config use-context developer-development-playground </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl config get-context developer-development-playground </code></pre> </div> <h2> Authorization </h2> <p>Authorization modes:</p> <ul> <li>Node authorizer -&gt; handles node requests (user should have name prefixed system node)</li> <li>Attribute based authotization -&gt; Assosiate users/group of users with a set of permissions(difficult to manage)</li> <li>Role bases access control -&gt; We define roles and associate users with specific roles</li> <li>Webhook -&gt; Outsource authorization to 3rd party tools</li> <li>AlwaysAllow -&gt; Allows all requests without doing authorization checks (default)</li> <li>AlwaysDeny -&gt; Denys all requests</li> </ul> <p>On kubeapiserver, we specify modes to use <code>--authorization-mode=Node,RBAC,Webhook</code></p> <p>Role based access control:</p> <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/role.yaml">Role Definition file </a></li> <li> <a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/role-binding.yaml">Role Binding Definition file </a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get roles </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl create role test --verb=list,create --resource=pods </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl describe role &lt;role-name&gt;</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl get rolebindings </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl create rolebinding test-rb --role=test --user=user1 --group=group1 </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">kubectl describe rolebindings &lt;rolebindings-name&gt;</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl auth can-i create deploy </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl auth can-i create deploy --as dev-user --namespace dev </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl api-resources --namespaced=false </span></code></pre> </div> <p>We can create roles scoped on clusters. We can also create cluster roles on namespace scoped resources</p> <p>Cluster Role based access control:</p> <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/role.yaml">Cluster Role Definition file </a></li> <li> <a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/role-binding.yaml">Cluster Role Binding Definition file </a> </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl create clusterrole test --verb=* --resource=* </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kubectl create clusterrolebinding test-rb --clusterrole=test --user=user --group=group </span></code></pre> </div> <h2> Admission Controllers </h2> <ul> <li>Implement security measures to enforce how a cluster is used.</li> <li>It can validate, change or reject requests from users</li> <li>It can also perform operations in the backend </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">kube-apiserver -h | grep enable-admission-plugins </span></code></pre> </div> <p>On kubeapiserver, to enable an admission controller we update the <code>--enable-admission-plugins=NodeRestriction,NamespaceLifecycle</code><br> On kubeapiserver, to disable an admission controller we update the <code>--disable-admission-plugins=DefaultStorageClass</code></p> <p>We can create custom admission contollers:</p> <ul> <li><p>We use the <code>Mutating and Validating</code> webhooks that we configure to a server hosting our admission webhook service.<br> If a request is made, it goes sends an admission review object to admission webhook server that responds whith an admission review object of whether the result is allowed or not</p></li> <li><p>We then deploy our admission webhook server</p></li> <li> <p>We then configure to reach out to the service and validate or mutate requests by creating a validating configuration object</p> <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/validating-configuration.yaml">Validating Configuration Definition file </a></li> </ul> </li> </ul> <h2> Custom Resource Definition </h2> <p>An extension of the Kubernetes API that isn't available in the Kubernetes installation</p> <ul> <li><a href="https://github.com/cosmasnyairo/kubernetes/tree/main/CKAD/definition-files/customresourcedefinition.yaml">Custom Resource Definition file </a></li> </ul> <h2> Custom Controller </h2> <p>Process or code running in a loop and monitoring the kubernetes cluster and listening to events of specific objects</p> <p>We build the custom controller then provide kubeconfig file the controller would need to authenticate to the kubernetes api</p> <p>Thanks!</p> kubernetes ckad containers devops Creating & Managing Aws Rest Api Gateway Using Terraform Cosmas Nyairo Mon, 09 Jan 2023 16:44:08 +0000 https://dev.to/cosmasnyairo/aws-rest-api-gateway-using-terraform-k76 https://dev.to/cosmasnyairo/aws-rest-api-gateway-using-terraform-k76 <p>We will be creating and managing an AWS rest api gateway using terraform</p> <h2> Table of Contents </h2> <ul> <li>Introduction</li> <li>Prerequisites</li> <li>Rest Api</li> <li>Rest Api Body</li> <li>Open API server</li> <li>Open API paths</li> <li>Method response</li> <li>Method details</li> <li>Terraform File structure</li> </ul> <h2> Introduction </h2> <p>We can create resources on cloud either manually or using automation tools.</p> <p>Lets take an example of the following api endpoint our service is exposing either through lambda or the vpc link:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> api/v1/test/get_tests -&gt; an enpoint with POST AND GET requests </code></pre> </div> <p>If we were to create then above method manually; we would have to the following:</p> <ul> <li>Create the rest api if one didnt exist</li> <li>Create the api,v1, test then the get_tests resources</li> <li>Create the GET method then and add the needed headers, add parameters the api may need, add authorization to the api and then repeat the same for the POST method.</li> </ul> <p>This would be cumbersome if we had many api endpoints to create and managing the api endpoints would be very hard. </p> <p>In this post:</p> <ul> <li>We will focus on creating a simple AWS rest api which we will manage using terraform (an Infrastructure as Code tool). </li> <li>We will be using the openapi specification for our apis</li> <li>This approach can be inegrated with a CI/CD tool i.e jenkins or gitlab ci or github actions to enable further automation of our rest api endpoint</li> </ul> <h2> Prerequisites: </h2> <ul> <li>A postman collection containing our api endpoints (swagger api documentation would work as well)</li> <li>An AWS account</li> <li>Terraform (The version in use is Terraform v1.2.6)</li> <li>We will focus on the rest apis where the underlying service is exposed using the vpc link</li> </ul> <h2> Rest api </h2> <p>For our rest api, we will need to provide the name, description and the endpoint type. </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_api_gateway_rest_api"</span> <span class="s2">"test_rest_api"</span><span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"&lt;&lt;REST API NAME&gt;&gt;"</span> <span class="nx">endpoint_configuration</span> <span class="p">{</span> <span class="nx">types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"REGIONAL"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"&lt;&lt;REST API DESCRIPTION&gt;&gt;"</span> <span class="nx">body</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">template_file</span><span class="p">.</span><span class="nx">testfile</span><span class="p">.</span><span class="nx">rendered</span> <span class="p">}</span> </code></pre> </div> <h2> Rest api body </h2> <p>For the body we will use the code snippet below that utilizes terraform template files:</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">data</span> <span class="s2">"template_file"</span> <span class="s2">"testfile"</span><span class="p">{</span> <span class="nx">template</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"./test.yaml"</span><span class="p">)</span> <span class="nx">vars</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">methodresponses</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">methodresponses</span> <span class="nx">methoddetails</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">methoddetails</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Open API server </h2> <p>The servers section contains the custom domain name we would use to expose our api using.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fck4j30r0lxystdbop6yi.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fck4j30r0lxystdbop6yi.png" alt="Servers"></a></p> <p>Users would be able to access the service by sending api requests to the <code>"{domainName}/{basePath}"</code> endpoint</p> <h2> Open API paths </h2> <p>The paths section contains the paths for our api endpoints. We only need to specify the following:</p> <ul> <li>Api endpoint e.g <code>/api/v1/test/get_tests</code> </li> <li> <p>The absolute path of the api endpoint being exposed via the vpc link (<code>"https://$${stageVariables.url}/api/v1/test/get_tests"</code>)</p> <ul> <li>The first part of the url is the url of the underlying domain exposing the service i.e <code>"https://$${stageVariables.url}/</code>.</li> <li>The latter part is the actual path the service expects to expose the endpoint i.e <code>"/api/v1/test/get_tests"</code> </li> </ul> </li> <li><p>The type of the http method e.g POST</p></li> </ul> <h2> Method response </h2> <p>The method reponses contains a of method reponse e.g <code>200</code> and the response headers for the reponse.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">variable</span> <span class="s2">"methodresponses"</span><span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOT</span><span class="sh"> responses: "200": description: "200 response" headers: Access-Control-Allow-Headers: schema: type: "string" content: application/json: schema: $ref: "#/components/schemas/Empty" </span><span class="no">EOT </span><span class="p">}</span> </code></pre> </div> <h2> Method details </h2> <p>The method detail are as per the template below. We can add any headers the method needs under the response parameters section as shown.</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">variable</span> <span class="s2">"methoddetails"</span><span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOT</span><span class="sh"> responses: default: statusCode: "200" responseParameters: method.response.header.Access-Control-Allow-Origin: "&lt;&lt;VALUE&gt;&gt;" passthroughBehavior: "when_no_match" connectionType: "VPC_LINK" type: "http_proxy" </span><span class="no">EOT </span><span class="p">}</span> </code></pre> </div> <h2> Terraform File structure </h2> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh629wsmj538zppxob957.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh629wsmj538zppxob957.png" alt="Terraform File structure"></a></p> <p>Our <code>main.tf</code> file will contain the following structure:</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">resource</span> <span class="s2">"aws_api_gateway_rest_api"</span> <span class="s2">"test_rest_api"</span><span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"&lt;&lt;REST API NAME&gt;&gt;"</span> <span class="nx">endpoint_configuration</span> <span class="p">{</span> <span class="nx">types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"REGIONAL"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"&lt;&lt;REST API DESCRIPTION&gt;&gt;"</span> <span class="nx">body</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">template_file</span><span class="p">.</span><span class="nx">testfile</span><span class="p">.</span><span class="nx">rendered</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"template_file"</span> <span class="s2">"testfile"</span><span class="p">{</span> <span class="nx">template</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"./test.yaml"</span><span class="p">)</span> <span class="nx">vars</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">methodresponses</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">methodresponses</span> <span class="nx">methoddetails</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">methoddetails</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Our <code>locals.tf</code> will contain the following structure:</p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code> <span class="nx">variable</span> <span class="s2">"methodresponses"</span><span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOT</span><span class="sh"> responses: "200": description: "200 response" headers: Access-Control-Allow-Headers: schema: type: "string" content: application/json: schema: $ref: "#/components/schemas/Empty" </span><span class="no">EOT </span><span class="p">}</span> <span class="nx">variable</span> <span class="s2">"methoddetails"</span><span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOT</span><span class="sh"> responses: default: statusCode: "200" responseParameters: method.response.header.Access-Control-Allow-Origin: "&lt;&lt;VALUE&gt;&gt;" passthroughBehavior: "when_no_match" connectionType: "VPC_LINK" type: "http_proxy" </span><span class="no">EOT </span><span class="p">}</span> </code></pre> </div> <p>Our <code>test.yaml</code> file will contain the following openapi specification:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">openapi</span><span class="pi">:</span> <span class="s2">"</span><span class="s">3.0.1"</span> <span class="na">servers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">{domainName}/{basePath}"</span> <span class="na">variables</span><span class="pi">:</span> <span class="na">domainName</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://test.com"</span> <span class="na">basePath</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s2">"</span><span class="s">/testpath"</span> <span class="na">paths</span><span class="pi">:</span> <span class="na">/api/v1/test/get_tests</span><span class="pi">:</span> <span class="na">post</span><span class="pi">:</span> <span class="s">${methodresponses}</span> <span class="s">x-amazon-apigateway-integration</span><span class="err">:</span> <span class="na">uri</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://$${stageVariables.url}/api/v1/test/get_tests"</span> <span class="na">connectionId</span><span class="pi">:</span> <span class="s2">"</span><span class="s">$${stageVariables.vpcLink}"</span> <span class="na">httpMethod</span><span class="pi">:</span> <span class="s2">"</span><span class="s">POST"</span> <span class="s">${methoddetails}</span> <span class="na">get</span><span class="pi">:</span> <span class="s">${methodresponses}</span> <span class="s">x-amazon-apigateway-integration</span><span class="err">:</span> <span class="na">uri</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://$${stageVariables.url}/api/v1/test/get_tests"</span> <span class="na">connectionId</span><span class="pi">:</span> <span class="s2">"</span><span class="s">$${stageVariables.vpcLink}"</span> <span class="na">httpMethod</span><span class="pi">:</span> <span class="s2">"</span><span class="s">GET"</span> <span class="s">${methoddetails}</span> <span class="na">/api/v1/test/tests</span><span class="pi">:</span> <span class="na">get</span><span class="pi">:</span> <span class="s">${methodresponses}</span> <span class="s">x-amazon-apigateway-integration</span><span class="err">:</span> <span class="na">uri</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://$${stageVariables.url}//api/v1/test/tests"</span> <span class="na">connectionId</span><span class="pi">:</span> <span class="s2">"</span><span class="s">$${stageVariables.vpcLink}"</span> <span class="na">httpMethod</span><span class="pi">:</span> <span class="s2">"</span><span class="s">GET"</span> <span class="s">${methoddetails}</span> </code></pre> </div> <p>To manage/add a new api endpoint we only need to update/change the <code>test.yaml</code> file.</p> <p>We only need to do <code>terraform plan</code> and <code>terraform apply</code> for our api to be created.</p> aws terraform openapi devops