Admin
https://kubernetes.io/docs/reference/kubectl/cheatsheet/
Create an admin service account and a kubeconfig from it
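# Create a service account in kube-system, bind it to the built-in
# cluster-admin ClusterRole and store its token as a credential in a
# kubeconfig.  The token grants full cluster access and is long-lived, so the
# kubeconfig it is written to should stay readable only by its owner.
kubectl create serviceaccount cluster-admin -n kube-system
kubectl create clusterrolebinding cluster:admin \
  --clusterrole=cluster-admin \
  --serviceaccount=kube-system:cluster-admin
# Name of the auto-generated token Secret.  Clusters that no longer
# auto-generate service-account token Secrets return nothing here; on those,
# create the Secret by hand (see the next section) or use 'kubectl create token'.
TOKEN_NAME=$(kubectl get sa -n kube-system cluster-admin -o jsonpath='{.secrets[0].name}')
: "${TOKEN_NAME:?no token secret found for service account kube-system/cluster-admin}"
TOKEN=$(kubectl get secret -n kube-system "$TOKEN_NAME" -o jsonpath='{.data.token}' | base64 --decode)
: "${TOKEN:?secret ${TOKEN_NAME} has no .data.token}"
# <kubeconfig_file>: path of the kubeconfig that receives the credential.
# --token places the token on the command line, where it is visible in the
# process list and in shell history while kubectl runs.
kubectl config set-credentials cluster-admin --token="$TOKEN" --kubeconfig "<kubeconfig_file>"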
Create a kubeconfig using a service account
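# Create a cluster-admin service account, obtain a token for it and write a
# self-contained kubeconfig, named after the current cluster, that
# authenticates with that token.  The token grants full cluster access, so the
# file is created with owner-only permissions, and none of the variables are
# exported (they are only expanded into the here-documents of this shell, and
# exporting TOKEN would hand it to every child process).
kubectl create serviceaccount cluster-admin -n kube-system
# Request a service-account token Secret explicitly (needed on clusters that
# do not auto-generate one); the control plane populates .data.token.
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cluster-admin
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: cluster-admin
type: kubernetes.io/service-account-token
EOF
# Kubernetes 1.25 and above can also mint a short-lived token that is not
# stored in the cluster; it is only printed here and not used below.
kubectl create token cluster-admin -n kube-system
kubectl create clusterrolebinding cluster:admin \
  --clusterrole=cluster-admin \
  --serviceaccount=kube-system:cluster-admin

# The Secret created above is named after the service account.
TOKEN_NAME=$(kubectl get sa -n kube-system cluster-admin -o jsonpath='{.metadata.name}')
: "${TOKEN_NAME:?service account kube-system/cluster-admin not found}"
TOKEN=$(kubectl get secret -n kube-system "$TOKEN_NAME" -o jsonpath='{.data.token}' | base64 --decode)
# .data.token is filled in shortly after the Secret is created; re-run if empty.
: "${TOKEN:?secret ${TOKEN_NAME} has no .data.token yet}"

# Cluster details of the current context.  --minify limits the view to that
# context, so the cluster it points at is entry 0 (the cluster name is taken
# from the context rather than assumed to equal the context name); --raw is
# required to get the CA data instead of REDACTED.
CURRENT_CONTEXT=$(kubectl config current-context)
CLUSTER_NAME=$(kubectl config view --minify -o jsonpath='{.contexts[0].context.cluster}')
CLUSTER_SERVER=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}')
CLUSTER_CA=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')
: "${CLUSTER_NAME:?context ${CURRENT_CONTEXT} has no cluster}"
: "${CLUSTER_SERVER:?cluster ${CLUSTER_NAME} has no server}"
: "${CLUSTER_CA:?cluster ${CLUSTER_NAME} has no certificate-authority-data (a certificate-authority file is not embedded)}"

# Create the kubeconfig with mode 0600 before writing the token into it.
# A cluster name containing '/' is not a valid file name and must be adjusted.
install -m 0600 /dev/null "$CLUSTER_NAME"
cat <<EOF > "$CLUSTER_NAME"
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${CLUSTER_CA}
    server: ${CLUSTER_SERVER}
  name: ${CLUSTER_NAME}
contexts:
- context:
    cluster: ${CLUSTER_NAME}
    user: cluster-admin
  name: ${CLUSTER_NAME}
current-context: ${CLUSTER_NAME}
kind: Config
preferences: {}
users:
- name: cluster-admin
  user:
    token: ${TOKEN}
EOF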
To get access to a worker node's shell
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
t470s Ready <none> 149d v1.25.6
$ kubectl debug node/t470s -it --image alpine
Creating debugging pod node-debugger-t470s-2sdxd with container debugger on node t470s.
If you don't see a command prompt, try pressing enter.
/ #
Once inside the shell, the node's root filesystem ('/') is mounted at /host, as the df output below shows.
/ # df
Filesystem 1K-blocks Used Available Use% Mounted on
overlay 239261308 27621172 199413476 12% /
tmpfs 65536 0 65536 0% /dev
/dev/nvme0n1p5 239261308 27621172 199413476 12% /host
udev 10080456 0 10080456 0% /host/dev
tmpfs 10115776 0 10115776 0% /host/dev/shm
tmpfs 2023156 3340 2019816 0% /host/run
tmpfs 5120 4 5116 0% /host/run/lock
tmpfs 2023156 3340 2019816 0% /host/run/snapd/ns
tmpfs 2023152 2416 2020736 0% /host/run/user/1002
tmpfs 2023152 72 2023080 0% /host/run/user/125
/dev/loop1 128 128 0 100% /host/snap/bare/5
Change the root to /host using the chroot command:
chroot /host
Now you can view the node's logs and even run systemctl commands on the host system.
To view the Kubernetes configuration:¶
$ kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: REDACTED
server: https://192.168.11.10:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: REDACTED
client-key-data: REDACTED
To view the Kubernetes server events¶
$ kubectl get events
LAST SEEN FIRST SEEN COUNT NAME KIND SUBOBJECT TYPE REASON SOURCE MESSAGE
44m 44m 1 kubernetes-bootcamp-5d7f968ccb-bwqxz.151009afc58ae19f Pod Normal Scheduled default-scheduler Successfully assigned kubernetes-bootcamp-5d7f968ccb-bwqxz to k8s-node1
44m 44m 1 kubernetes-bootcamp-5d7f968ccb-bwqxz.151009afd26f11ec Pod Normal SuccessfulMountVolume kubelet, k8s-node1 MountVolume.SetUp succeeded for volume "default-token-fzcmd"
44m 44m 1 kubernetes-bootcamp-5d7f968ccb-bwqxz.151009afe896caac Pod spec.containers{kubernetes-bootcamp} Normal Pulled kubelet, k8s-node1 Container image "docker.io/jocatalin/kubernetes-bootcamp:v1" already present on machine
44m 44m 1 kubernetes-bootcamp-5d7f968ccb-bwqxz.151009afea59f2e7 Pod spec.containers{kubernetes-bootcamp} Normal Created kubelet, k8s-node1 Created container
44m 44m 1 kubernetes-bootcamp-5d7f968ccb-bwqxz.151009aff1576040 Pod spec.containers{kubernetes-bootcamp} Normal Started kubelet, k8s-node1 Started container
$ kubectl cluster-info
Kubernetes master is running at https://192.168.11.10:6443
KubeDNS is running at https://192.168.11.10:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
To register a Docker registry:¶
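# Store registry credentials as an image-pull Secret named regcred.
# Replace each <placeholder> (see the list below); quoting keeps a password
# with shell metacharacters intact.  The password is passed on the command
# line, so it is visible in the process list and shell history while the
# command runs.
kubectl create secret docker-registry regcred \
  --docker-server='<your-registry-server>' \
  --docker-username='<your-name>' \
  --docker-password='<your-pword>' \
  --docker-email='<your-email>'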
- <your-registry-server> is your private Docker registry's FQDN (https://index.docker.io/v1/ for Docker Hub).
- <your-name> is your Docker username.
- <your-pword> is your Docker password.
- <your-email> is your Docker email.
To register a GCR registry using a service account's JSON key
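# GCR login with a service-account JSON key, scoped to one namespace.  The
# user name _json_key tells the registry that the password is the key file's
# contents.  Key path and namespace are set once so the two commands agree.
gcr_key_file=~/Desktop/phc-shared-sb-001-fa237d9e-d41f32bb2bc8.json
namespace=jeeva-test
# "$(< file)" reads the key without spawning cat.  The key contents still
# appear in kubectl's command line (process list) for the duration of the call.
kubectl create secret docker-registry gcr-phc-sb \
  --docker-server=https://gcr.io \
  --docker-username=_json_key \
  --docker-password="$(< "$gcr_key_file")" \
  --namespace="$namespace" \
  --docker-email="jeevandk@science.roche.com"
# Attach the Secret to the namespace's default service account so pods using
# that account pull with it without listing imagePullSecrets themselves.
kubectl patch serviceaccount default \
  --namespace="$namespace" \
  -p '{"imagePullSecrets": [{"name": "gcr-phc-sb"}]}'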
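# Same GCR login as above, but in the current (default) namespace.
gcr_key_file=~/Desktop/phc-shared-sb-001-fa237d9e-d41f32bb2bc8.json
# "$(< file)" reads the key without spawning cat.  The key contents still
# appear in kubectl's command line (process list) for the duration of the call.
kubectl create secret docker-registry gcr-phc-sb \
  --docker-server=https://gcr.io \
  --docker-username=_json_key \
  --docker-password="$(< "$gcr_key_file")" \
  --docker-email="jeevandk@science.roche.com"
# Attach the Secret to the default service account so pods using it pull with
# the Secret without listing imagePullSecrets themselves.
kubectl patch serviceaccount default \
  -p '{"imagePullSecrets": [{"name": "gcr-phc-sb"}]}'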
# Show the stored registry credential (decoded .dockerconfigjson).  This prints
# the plaintext credential to the terminal; the leading backslash keeps the
# dot in the key name from being read as a path separator.
kubectl get secret gcr-phc-sb -o 'jsonpath={.data.\.dockerconfigjson}' | base64 --decode
gcr.io/phc-shared-sb-001-fa237d9e/jkailasam/nginx
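# Pod that pulls its image from the private GCR repository using the
# gcr-phc-sb image-pull Secret created above.
apiVersion: v1
kind: Pod
metadata:
  name: jeeva-test
spec:
  containers:
  - name: jeeva-test-container
    # No tag given, so :latest is pulled; pin a tag or digest for reproducible pulls.
    image: gcr.io/phc-shared-sb-001-fa237d9e/jkailasam/nginx
  imagePullSecrets:
  - name: gcr-phc-sb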