= Kubernetes cluster in Azure cloud =

== Links ==

 * [[k8s/Azure/RbacAAD]]
 * [[k8s/helm]]
 * [[k8s/Azure/KustoLogs]]
 * [[https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough|Quickstart: AKS cluster]]
 * [[https://docs.microsoft.com/en-us/azure/aks/kubernetes-helm|2018 - Helm in Azure Kubernetes AKS]]
 * [[https://kubernetes.io/docs/reference/kubectl/cheatsheet/|kubectl cheatsheet]]
 * [[https://dzone.com/articles/access-azure-key-vault-from-your-kubernetes-pods|Azure KeyVault exposed to k8s pods as flexVol]]

== Kubernetes config ==

 * Use the declarative style: we declare the desired state and kubectl makes the cluster match it, using
{{{
kubectl apply -R -f configs/
}}}

== Setup cluster, using the Azure az commands and az aks install-cli kubectl ==

 * Use the az tool, e.g. with docker run -it microsoft/azure-cli
 * In the container add kubectl and fetch the cluster credentials (resource group, cluster name and subscription are filled in per cluster)
{{{
az aks install-cli
az aks get-credentials --resource-group --name --subscription
}}}
 * List subscriptions
{{{
az account list --output table
}}}
 * Set the subscription to the one that contains the k8s cluster
{{{
az account set --subscription xx-xx-xx
}}}
 * Run the az proxy to connect the browser to the Kubernetes admin dashboard in the cloud
{{{
Proxy running on
Press CTRL+C to close the tunnel...
Forwarding from -> 9090

## Problem: the proxy only binds to loopback, which is unreachable from outside a container.
## If not using the microsoft/azure-cli container, skip the next command.
nc -v -lk -p 8001 -s $(hostname -i) -e /usr/bin/nc 8001

## Web dashboard has no rights - nodes is forbidden:
## User "system:serviceaccount:kube-system:kubernetes-dashboard" cannot list nodes at the cluster scope
## An RBAC ClusterRoleBinding must be created for the Kubernetes dashboard
kubectl create clusterrolebinding kubernetes-dashboard \
  --clusterrole=cluster-admin \
  --serviceaccount=kube-system:kubernetes-dashboard
}}}
 * Note that cluster-admin gives the dashboard service account full control of the cluster, and anyone who reaches the dashboard through the proxy inherits it; where read-only access is enough, bind the built-in view ClusterRole instead.
 * List nodes
{{{
kubectl get nodes
}}}
 * If this fails with "Unable to connect to the server: dial tcp: lookup ....", reset the kubeconfig with
{{{
rm .kube/config
az aks get-credentials --resource-group --name <nameClusterInRG>
kubectl get nodes
}}}
 * List namespaces
{{{
kubectl get namespaces
}}}

== Reset ssh key and password to get access to a k8s node in Azure (2020-05) ==

 * Reset the ssh key and password on the node scale set (the echo prints the new password to the terminal, so it lands in scrollback and any session log)
{{{
AZ_RG=aks--nodes
AZ_SUBSCRIPTION="xxx"
RANDOM_PWD=$( ( head /dev/urandom ; date +%s) | sha256sum | base64 | head -c32 )
SCALE_SET_NAME=$(az vmss list --resource-group "$AZ_RG" --subscription "$AZ_SUBSCRIPTION" --query '[0].name' -o tsv)
echo "SCALE_SET_NAME=$SCALE_SET_NAME RANDOM_PWD=$RANDOM_PWD AZ_SUBSCRIPTION=$AZ_SUBSCRIPTION"
az vmss extension set --resource-group "$AZ_RG" --vmss-name "$SCALE_SET_NAME" \
  --name VMAccessForLinux --publisher Microsoft.OSTCExtensions --version 1.4 \
  --protected-settings "{\"reset_ssh\": true, \"username\": \"azureuser\", \"password\": \"$RANDOM_PWD\", \"ssh_key\": \"$(cat ~/.ssh/id_rsa.pub)\"}"
( set -x ; az vmss update-instances --instance-ids '*' --resource-group "$AZ_RG" --name "$SCALE_SET_NAME" )
}}}
 * Then get the IP of the node with
{{{
$ kubectl get nodes -o wide
}}}
 * Launch a container in the k8s cluster (pod names must be lowercase DNS labels, and the generator flag takes two dashes)
{{{
$ kubectl run -i --tty --rm mycontainer --generator="run-pod/v1" --image=debian /bin/bash
# apt-get update && apt-get install openssh-client -y
}}}
 * Copy the private ssh key into the container (it lives only in this ephemeral pod, which --rm deletes when the shell exits)
{{{
$ kubectl cp ~/.ssh/id_rsa mycontainer-xxx:/id_rsa
}}}
 * ssh to the node.
{{{
# ssh -i /id_rsa azureuser@10.240.0.x
}}}

== Test ==

 * az - set up the proxy tunnel to the web admin
 * az aks get-credentials --resource-group K8S-xxx --name K8S-xxx
{{{
Merged "K8S-INF" as current context in /root/.kube/config
}}}
 * kubectl get nodes
 * Create azure-vote.yaml from https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
 * kubectl apply -f azure-vote.yaml
{{{
deployment.apps/azure-vote-back created
service/azure-vote-back created
deployment.apps/azure-vote-front created
service/azure-vote-front created
bash-4.4#
}}}
 * kubectl get service azure-vote-front --watch
{{{
NAME               TYPE           CLUSTER-IP   EXTERNAL-IP   PORT(S)        AGE
azure-vote-front   LoadBalancer                              80:31745/TCP   101s
}}}

==== Own namespace ====

 * Created with a json file that gets deployed
 * Set the default namespace to mynamespace, e.g.
{{{
# kubectl config set-context $(kubectl config current-context) --namespace=mynamespace
# kubectl config view | grep namespace
}}}

=== Perf monitoring ===

 * kubectl top nodes
 * kubectl describe nodes
 * kubectl top pod
 * Prometheus - https://github.com/google-cloud-tools/kube-eagle

=== AZ check clusters and PSP/NetPolicy ===

 * Export the azure subscription and run the query below; per cluster it prints the Kubernetes version, service principal, network policy, node count/max and pool state, and whether PodSecurityPolicy, RBAC and API server authorized IP ranges are enabled (the variable is expanded unquoted, so it must not contain escaped quotes)
{{{
export azsub="--subscription Non-Prod"
az aks list $azsub | jq "[ .[] | {name: .name, k8sV: .kubernetesVersion, sp: .servicePrincipalProfile.clientId, NetPolicy: .networkProfile.networkPolicy, Nodes: ((.agentPoolProfiles[0].count|tostring) + \"/\" + ( .agentPoolProfiles[0].maxCount|tostring ) + \" \" + .agentPoolProfiles[0].provisioningState), psp: .enablePodSecurityPolicy, rbac: .enableRbac, apiAuth: .apiServerAccessProfile.authorizedIpRanges }]"
}}}
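The jq one-liner only lists the settings; the following added example (not from this page) reads the same `az aks list -o json` output and flags clusters whose RBAC, PodSecurityPolicy, network policy, API authorized IP ranges or pool state need attention. The two-cluster sample list is constructed for illustration.

```python
import json
import sys

# Field names come straight from `az aks list -o json`; what counts as a
# finding is this example's own choice, not anything the page prescribes.
def audit_cluster(cluster):
    """Return a list of findings (empty = nothing to flag) for one AKS cluster."""
    findings = []
    if not cluster.get("enableRbac"):
        findings.append("RBAC disabled")
    if not cluster.get("enablePodSecurityPolicy"):
        findings.append("PodSecurityPolicy disabled")
    net = (cluster.get("networkProfile") or {}).get("networkPolicy")
    if not net:
        findings.append("no network policy (pods can talk to each other freely)")
    # apiServerAccessProfile is null when no IP restriction was ever configured
    api = cluster.get("apiServerAccessProfile") or {}
    if not api.get("authorizedIpRanges"):
        findings.append("API server reachable from any IP (no authorizedIpRanges)")
    for pool in cluster.get("agentPoolProfiles") or []:
        if pool.get("provisioningState") not in (None, "Succeeded"):
            findings.append(f"pool {pool.get('name')} in state {pool['provisioningState']}")
    return findings

def audit_clusters(clusters):
    """Map cluster name -> findings, over the same fields the jq query prints."""
    return {c["name"]: audit_cluster(c) for c in clusters}

# Constructed sample, shaped like two entries of `az aks list -o json`.
SAMPLE = [
    {"name": "k8s-prod", "kubernetesVersion": "1.18.8", "enableRbac": True,
     "enablePodSecurityPolicy": True,
     "networkProfile": {"networkPolicy": "calico"},
     "apiServerAccessProfile": {"authorizedIpRanges": ["203.0.113.0/24"]},
     "agentPoolProfiles": [{"name": "nodepool1", "count": 3, "maxCount": 6,
                            "provisioningState": "Succeeded"}]},
    {"name": "k8s-dev", "kubernetesVersion": "1.16.10", "enableRbac": False,
     "enablePodSecurityPolicy": False,
     "networkProfile": {"networkPolicy": None},
     "apiServerAccessProfile": None,
     "agentPoolProfiles": [{"name": "nodepool1", "count": 1, "maxCount": None,
                            "provisioningState": "Failed"}]},
]

if __name__ == "__main__":
    # Pipe real output in with: az aks list -o json | python3 audit_aks.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for name, findings in audit_clusters(data).items():
        print(name, "OK" if not findings else "; ".join(findings))
```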