Joining a Worker Node to the HA Kubernetes Cluster
- To join the worker node to the Kubernetes cluster, run the join command that kubeadm init printed on the control plane:
kubeadm join 172.31.48.55:6443 --token haivop.inwadxpo7k77b51r \
    --discovery-token-ca-cert-hash sha256:69a613df875e6ad57b8e7717ea0a7726d6d29876ccc046da583f46c71d76d0fc \
    --cri-socket="unix:///var/run/cri-dockerd.sock"
- The --discovery-token-ca-cert-hash pins the public key of the cluster CA: the worker refuses to bootstrap against an API server whose CA does not match, so a rogue endpoint answering on 172.31.48.55:6443 cannot hand it a bogus kubelet identity. Do not replace this with --discovery-token-unsafe-skip-ca-verification outside a throwaway lab.
- Bootstrap tokens expire (24 hours by default). If the join fails to authenticate, generate a fresh token and join command on the control plane with kubeadm token create --print-join-command.
- --cri-socket is required here because the nodes run Docker through cri-dockerd; kubeadm otherwise auto-detects the socket and errors out when it finds more than one runtime socket on the host.
Config Map
- A ConfigMap holds non-confidential application configuration as key/value pairs, and those values can be injected into a Pod as environment variables or as files in a volume. Do not put credentials in a ConfigMap: anyone who can get the object can read it, and it is not meant for sensitive data.
Creating a config map from literal values
- Create a namespace and the config map:
kubectl create namespace configmap-test
kubectl create configmap hello-map --from-literal="url=https://directdevops.blog" --namespace configmap-test
- Let's mount this config map into a test pod as environment variables:
---
apiVersion: v1
kind: Pod
metadata:
  name: configmap-demo
  namespace: configmap-test
spec:
  containers:
  - name: cm-container
    image: alpine
    command: [ "sleep", "1d" ]
    envFrom:
    - configMapRef:
        name: hello-map
- Apply the spec and print the container's environment (kubectl exec into the pod and run env): the key url shows up as an environment variable named url, because envFrom uses the ConfigMap keys as variable names.
- ConfigMap values can be mounted as volumes as well:
---
apiVersion: v1
kind: Pod
metadata:
  name: configmap-demo-vol
  namespace: configmap-test
spec:
  containers:
  - name: cm-container
    image: alpine
    command: [ "sleep", "1d" ]
    volumeMounts:
    - name: conf-vol
      mountPath: /etc/hello-conf
  volumes:
  - name: conf-vol
    configMap:
      name: hello-map
- Now apply this spec and view the contents of /etc/hello-conf: each key becomes a file (here /etc/hello-conf/url) whose content is the value.
Secret
- A Secret is similar to a ConfigMap, with the following differences:
- A Secret is meant for a small amount of sensitive data (at most 1 MiB per object) such as passwords, tokens and keys. The values in its data field are base64 encoded, which is only an encoding, not encryption: anyone who can read the Secret object (for example with kubectl get secret -o yaml) or the etcd backing store can decode them. Restrict get/list/watch on secrets with RBAC and enable encryption at rest for the secret resource.
- Kubernetes passes a Secret only to the nodes that run a Pod which references it (the node authorizer enforces this for the kubelet), and the kubelet keeps secret volumes in tmpfs rather than on disk.
- Types of Secrets (the kubectl create secret subcommands and the type field they produce):
- generic (Opaque): arbitrary user-defined key/value pairs
- tls (kubernetes.io/tls): a certificate and private key stored under the keys tls.crt and tls.key
- docker-registry (kubernetes.io/dockerconfigjson): registry credentials, used through imagePullSecrets
Define a secret from literal values and load it into environment variables
- Imperative command (each literal is split on its first '=', so the key itself cannot contain '='):
kubectl create secret generic <name> --from-literal=<key>=<value>
- The literal value ends up in your shell history; for real credentials prefer --from-file or --from-env-file.
- Manifest (the data values are the base64 of the literals; use stringData instead to write them in plaintext and let the API server encode them):
---
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
type: Opaque
data:
  username: cXRkZXZvcHM=        # base64 of qtdevops
  password: cXRkZXZvcHNAMTIz    # base64 of qtdevops@123
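The following script is an added example, not code from the original notes or from kubectl. It builds a Secret manifest the way `kubectl create secret generic --from-literal` does (and applies the same key rules to the `url=...` literal used for the ConfigMap earlier), then decodes the test-secret manifest above back to plaintext, which is all an attacker with read access to the object has to do. The function names, the 1 MiB cap and key character set (taken from the API server's validation rules), and the sample values are this script's own assumptions.

```python
"""Build and decode Secret manifests as `kubectl create secret generic
--from-literal` and the manifest above do.

Added example (not from the original notes or kubectl). Assumes only the
Kubernetes API rules stated in the comments; helper names are this script's.
"""
import base64
import re

# The API server validates Secret/ConfigMap data keys as [-._a-zA-Z0-9]+ and
# rejects objects whose total size exceeds 1 MiB.
KEY_RE = re.compile(r"^[-._a-zA-Z0-9]+$")
MAX_SECRET_BYTES = 1024 * 1024

# Constructed copy of the test-secret manifest above.
TEST_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "test-secret"},
    "data": {"username": "cXRkZXZvcHM=", "password": "cXRkZXZvcHNAMTIz"},
}


def secret_from_literals(name, literals, namespace="default"):
    """Return an Opaque Secret manifest equivalent to
    kubectl create secret generic NAME --from-literal=KEY=VALUE ...
    Each literal is split on its first '=' so values may contain '='."""
    data = {}
    for literal in literals:
        key, sep, value = literal.partition("=")
        if not sep or not KEY_RE.match(key):
            raise ValueError(f"bad literal {literal!r}: expected KEY=VALUE with "
                             f"key matching {KEY_RE.pattern}")
        # kubectl encodes the value bytes exactly as given: no trailing newline.
        data[key] = base64.b64encode(value.encode("utf-8")).decode("ascii")
    if sum(len(k) + len(v) for k, v in data.items()) > MAX_SECRET_BYTES:
        raise ValueError(f"secret {name!r} exceeds {MAX_SECRET_BYTES} bytes")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": data,
    }


def decode_secret(manifest):
    """Return the plaintext key/value map of a Secret manifest.

    `data` is strict base64 (a stray character is rejected, as the API
    server would); `stringData` is plaintext and the API server merges it
    over `data` when both are present, so it wins here as well.
    """
    plain = {}
    for key, encoded in manifest.get("data", {}).items():
        plain[key] = base64.b64decode(encoded, validate=True).decode("utf-8")
    plain.update(manifest.get("stringData", {}))
    return plain


if __name__ == "__main__":
    built = secret_from_literals("test-secret",
                                 ["username=qtdevops", "password=qtdevops@123"])
    print(built["data"])               # same values as the manifest above
    print(decode_secret(TEST_SECRET))  # {'username': 'qtdevops', 'password': 'qtdevops@123'}
    # A value produced with `echo VALUE | base64` (no -n) carries a newline,
    # and the application then authenticates with "qtdevops\n":
    print(repr(decode_secret({"data": {"username": "cXRkZXZvcHMK"}})["username"]))
```

The last line is the check worth keeping: when a manifest is hand-written, confirm the decoded value matches the intended credential byte for byte, because a trailing newline from `echo` is the most common reason a Secret "does not work".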
- Now mount this into the pod as environment variables. Keep in mind that environment variables are inherited by every child process and tend to leak into crash dumps and logs, so a volume mount (next section) is the preferred way to deliver secrets:
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo-env
spec:
  containers:
  - name: cm-container
    image: alpine
    command: [ "sleep", "1d" ]
    envFrom:
    - secretRef:
        name: test-secret
Let's load it into the container as a volume
- Pod manifest:
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-demo-vol
spec:
  containers:
  - name: cm-container
    image: alpine
    command: [ "sleep", "1d" ]
    volumeMounts:
    - name: credentials-vol
      mountPath: /etc/credentials
  volumes:
  - name: credentials-vol
    secret:
      secretName: test-secret
- Let's get the yaml for the pod back from k8s (kubectl get pod secret-demo-vol -o yaml). Note what the cluster added on top of our manifest: a second, projected volume kube-api-access-dn8wv that mounts the default service account token, the CA and the namespace into the container; defaultMode: 420 on both secret volumes, which is decimal for 0644, so the files are world-readable inside the container; an empty securityContext, so nothing stops the process from running as root; and image: alpine resolved to alpine:latest with a digest in imageID.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"name":"secret-demo-vol","namespace":"default"},"spec":{"containers":[{"command":["sleep","1d"],"image":"alpine","name":"cm-container","volumeMounts":[{"mountPath":"/etc/credentials","name":"credentials-vol"}]}],"volumes":[{"name":"credentials-vol","secret":{"secretName":"test-secret"}}]}}
  creationTimestamp: "2023-09-12T14:28:31Z"
  name: secret-demo-vol
  namespace: default
  resourceVersion: "5928"
  uid: 97530253-ee30-4959-9512-457327f63321
spec:
  containers:
  - command:
    - sleep
    - 1d
    image: alpine
    imagePullPolicy: Always
    name: cm-container
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /etc/credentials
      name: credentials-vol
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-dn8wv
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: node-2
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: credentials-vol
    secret:
      defaultMode: 420
      secretName: test-secret
  - name: kube-api-access-dn8wv
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2023-09-12T14:28:31Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2023-09-12T14:28:33Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2023-09-12T14:28:33Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2023-09-12T14:28:31Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://3e4d11a0b122f9e5d20b911a1bcc2f3b4f10fdb04e9f9fb87a7ecf4a37bde626
    image: alpine:latest
    imageID: docker-pullable://alpine@sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a
    lastState: {}
    name: cm-container
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2023-09-12T14:28:33Z"
  hostIP: 10.0.0.4
  phase: Running
  podIP: 10.244.1.3
  podIPs:
  - ip: 10.244.1.3
  qosClass: BestEffort
  startTime: "2023-09-12T14:28:31Z"
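The script below is an added example, not code from the original notes. It takes a trimmed, hand-constructed copy of the secret-demo-vol Pod that kubectl printed above, flags the secret-handling weaknesses visible in that dump (world-readable secret files, the automounted service account token, no runAsNonRoot, an image not pinned by digest) and produces a hardened copy of the spec that passes the same checks. The field names are real Kubernetes API fields; what counts as a finding, the 10001 uid/gid, and the function names are this script's own policy choices, and the digest used for pinning is the one from imageID in the dump.

```python
"""Audit a Pod spec for the secret-handling settings seen in the dump above
and return a hardened copy.

Added example (not from the original notes). The input is a trimmed,
hand-constructed copy of the secret-demo-vol dump; the checks and the
hardening values are this script's own policy, not Kubernetes defaults.
"""
import copy

SA_TOKEN_MOUNT = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed input: only the fields of secret-demo-vol that the checks use.
SECRET_DEMO_VOL = {
    "metadata": {"name": "secret-demo-vol", "namespace": "default"},
    "spec": {
        "serviceAccountName": "default",
        "securityContext": {},            # empty: nothing prevents running as root
        "containers": [{
            "name": "cm-container",
            "image": "alpine",            # resolved to alpine:latest at pull time
            "volumeMounts": [
                {"mountPath": "/etc/credentials", "name": "credentials-vol"},
                {"mountPath": SA_TOKEN_MOUNT, "name": "kube-api-access-dn8wv",
                 "readOnly": True},
            ],
        }],
        "volumes": [
            {"name": "credentials-vol",
             "secret": {"defaultMode": 420, "secretName": "test-secret"}},
            {"name": "kube-api-access-dn8wv",
             "projected": {"defaultMode": 420, "sources": [
                 {"serviceAccountToken": {"expirationSeconds": 3607,
                                          "path": "token"}}]}},
        ],
    },
}


def _has_sa_token_source(volume):
    """True if a projected volume injects a service account token."""
    sources = volume.get("projected", {}).get("sources", [])
    return any("serviceAccountToken" in s for s in sources)


def audit_pod(pod):
    """Return a list of (check, detail) findings for one Pod object."""
    findings = []
    spec = pod["spec"]
    name = pod["metadata"]["name"]

    for vol in spec.get("volumes", []):
        if "secret" in vol:
            # The API stores defaultMode as a decimal int: 420 == 0o644, so
            # any uid inside the container can read the secret files.
            mode = vol["secret"].get("defaultMode", 0o644)
            if mode & 0o007:
                findings.append(("secret-volume-mode",
                    f"{name}: {vol['name']} mounts Secret "
                    f"{vol['secret']['secretName']} with mode {mode:#o}"))

    # An API credential is mounted unless the pod opted out
    # (automountServiceAccountToken defaults to true) or, in a dumped spec,
    # whenever the projected kube-api-access volume is present.
    automount = spec.get("automountServiceAccountToken", True)
    if automount or any(_has_sa_token_source(v) for v in spec.get("volumes", [])):
        findings.append(("sa-token-automounted",
            f"{name}: token of service account "
            f"{spec.get('serviceAccountName', 'default')} is mounted at {SA_TOKEN_MOUNT}"))

    pod_ctx = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        if not (pod_ctx.get("runAsNonRoot")
                or c.get("securityContext", {}).get("runAsNonRoot")):
            findings.append(("no-run-as-non-root",
                             f"{name}/{c['name']}: runAsNonRoot is not set"))
        if "@sha256:" not in c["image"]:
            findings.append(("unpinned-image",
                             f"{name}/{c['name']}: image {c['image']!r} is not pinned by digest"))
    return findings


def harden_pod(pod, pinned_images):
    """Return a hardened copy of pod; pinned_images maps image -> digest reference."""
    hardened = copy.deepcopy(pod)
    spec = hardened["spec"]
    spec["automountServiceAccountToken"] = False
    # Drop the injected token volume and its mount; with automount off the
    # API server will not add them back.
    spec["volumes"] = [v for v in spec.get("volumes", []) if not _has_sa_token_source(v)]
    for vol in spec["volumes"]:
        if "secret" in vol:
            vol["secret"]["defaultMode"] = 0o440   # owner and group only
    # fsGroup makes the kubelet set this gid on the secret files, so the
    # non-root process can still read them at 0440.
    spec["securityContext"] = {"runAsNonRoot": True, "runAsUser": 10001, "fsGroup": 10001}
    for c in spec["containers"]:
        c["volumeMounts"] = [m for m in c.get("volumeMounts", [])
                             if m["mountPath"] != SA_TOKEN_MOUNT]
        c["image"] = pinned_images.get(c["image"], c["image"])
    return hardened


if __name__ == "__main__":
    for check, detail in audit_pod(SECRET_DEMO_VOL):
        print(f"[{check}] {detail}")
    digest = "alpine@sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"
    print(audit_pod(harden_pod(SECRET_DEMO_VOL, {"alpine": digest})))  # []
```

Run it against the output of kubectl get pod -o json after loading it with the json module; the hardened dict can be written back out as the manifest to apply. Setting automountServiceAccountToken: false is the important change for a pod that never talks to the API server: with it mounted, any code execution in the container yields a valid cluster credential.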
Let's create a TLS certificate and use it as a secret
- Generate a 2048-bit RSA private key and a self-signed certificate valid for 365 days, as shown below; this creates two files, khaja.key and khaja.crt. -nodes leaves the private key unencrypted on disk, so restrict or delete the file once the secret has been created:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout khaja.key -out khaja.crt -subj "/CN=khaja/O=directdevops"
- Create a secret of type kubernetes.io/tls in the default namespace; kubectl stores the two files under the keys tls.crt and tls.key:
kubectl create secret tls khaja-tls --key="khaja.key" --cert="khaja.crt"
Exercises
- We have mounted config maps and secrets into Pods as environment variables and as volumes.
- Change the config map/secret (edit the object or recreate it with a new value).
- Observe whether the change shows up inside each running Pod, and compare what the environment-variable pod and the volume pod see.