Differences

This shows you the differences between two versions of the page.

--- система_kubernetes [2025/11/24 15:00]
val [Ingress]
+++ система_kubernetes [2025/12/04 13:25] (current)
val [Volumes]
@@ Line 71: / Line 71: @@
 kubectl version
-kubectl get all -o wide --all-namespaces
+kubectl get all -o wide --all-namespaces #-A
-kubectl get all -o wide -A
+kubectl get nodes
 </code>
-=== Настройка автодополнения ===
+==== Настройка автодополнения ====
 <code>
 kube1:~# less /etc/bash_completion.d/kubectl.sh
@@ Line 90: / Line 91: @@
 </code>
-=== Подключение к другому кластеру ===
+==== Создание файла конфигурации kubectl ====
+  * [[https://kubernetes.io/docs/reference/kubectl/generated/kubectl_config/kubectl_config_set-credentials/]]
 <code>
-gitlab-runner@server:~$ scp root@kube1:.kube/config .kube/config_kube1
+user1@client1:~$ ###export KUBECONFIG=~/.kube/config_test
+user1@client1:~$ ###rm -rf .kube/
-gitlab-runner@server:~$ cat .kube/config_kube1
+user1@client1:~$ kubectl config set-cluster cluster.local --server=https://192.168.13.221:6443 --insecure-skip-tls-verify=true
-</code><code>
+kubeN# ###cat /etc/kubernetes/ssl/ca.crt
-...
+  ИЛИ
-    .kube/config_kube1
+root@my-debian:~# kubectl config set-cluster cluster.local --server=https://192.168.13.221:6443 --certificate-authority=/run/secrets/kubernetes.io/serviceaccount/ca.crt #--embed-certs=true
-...
-</code><code>
+user1@client1:~$ cat .kube/config
-gitlab-runner@server:~$ export KUBECONFIG=~/.kube/config_kube1
+user1@client1:~$ kubectl config set-credentials user1 --client-certificate=user1.crt --client-key=user1.key #--embed-certs=true
+  ИЛИ
+user1@client1:~$ kubectl config set-credentials user1 --token=...................................
+  ИЛИ
+root@my-debian:~# kubectl config set-credentials user1 --token=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
+user1@client1:~$ kubectl config get-users
+user1@client1:~$ kubectl config set-context default-context --cluster=cluster.local --user=user1
+user1@client1:~$ kubectl config use-context default-context
+user1@client1:~$ kubectl auth whoami
+user1@client1:~$ kubectl auth can-i get pods #-n my-ns
-gitlab-runner@server:~$ kubectl get nodes
+user1@client1:~$ kubectl get pods #-A
+Error from server (Forbidden) или ...
 </code>
@@ Line 183: / Line 203: @@
 </code>
 ===== Кластер Kubernetes =====
 ==== Развертывание через kubeadm ====
@@ Line 418: / Line 437: @@
 <code>
-server# ssh-keygen    # -t rsa
+server# ssh-keygen    ### -t rsa
 server# ssh-copy-id kube1;ssh-copy-id kube2;ssh-copy-id kube3;ssh-copy-id kube4;
@@ Line 425: / Line 444: @@
 === Вариант 1 (ansible) ===
+  * [[https://github.com/kubernetes-sigs/kubespray/blob/v2.26.0/README.md]]
   * [[Язык программирования Python#Виртуальная среда Python]]
@@ Line 550: / Line 570: @@
 === Вариант 2 (docker) ===
+  * [[https://github.com/kubernetes-sigs/kubespray/blob/v2.29.0/README.md]]
 <code>
 server:~# mkdir -p inventory/sample
@@ Line 555: / Line 578: @@
 server:~# cat inventory/sample/inventory.ini
 </code><code>
+#[all]
+#kube1 ansible_host=192.168.X.221
+#kube2 ansible_host=192.168.X.222
+#kube3 ansible_host=192.168.X.223
+##kube4 ansible_host=192.168.X.224
 [kube_control_plane]
 kube[1:3]
@@ Line 563: / Line 592: @@
 [kube_node]
 kube[1:3]
+#kube[1:4]
 </code><code>
-server:~# docker run --rm -it --mount type=bind,source="$(pwd)"/inventory/sample,dst=/inventory --mount type=bind,source="${HOME}"/.ssh/id_rsa,dst=/root/.ssh/id_rsa quay.io/kubespray/kubespray:v2.29.0 bash
+server:~# docker run --userns=host --rm -it -v /root/inventory/sample:/inventory -v /root/.ssh/:/root/.ssh/ quay.io/kubespray/kubespray:v2.29.0 bash
-root@cf764ca3b291:/kubespray# ansible-playbook -i /inventory/inventory.ini --private-key /root/.ssh/id_rsa cluster.yml
+root@cf764ca3b291:/kubespray# time ansible-playbook -i /inventory/inventory.ini cluster.yml
+...
+real    12m18.679s
+...
+</code>
+==== Управление образами ====
+<code>
+kubeN#
+crictl pull server.corpX.un:5000/student/gowebd
+crictl images
+crictl rmi server.corpX.un:5000/student/gowebd
 </code>
@@ Line 1154: / Line 1195: @@
 #    nginx.ingress.kubernetes.io/canary-weight: "30"
 #    cert-manager.io/issuer: "letsencrypt-staging"
+#    cert-manager.io/issuer: "letsencrypt-prod"
 spec:
   ingressClassName: nginx
@@ Line 1220: / Line 1262: @@
   * [[https://cert-manager.io/docs/installation/|cert-manager Installation]]
   * [[https://cert-manager.io/docs/tutorials/acme/nginx-ingress/|cert-manager Securing NGINX-ingress]]
-  * [[Сервис Keepalived]] для 443-го порта
-  * [[Решение HAProxy]] для 80-го (cert-manager проверяет ссылку изнутри кластера)
 <code>
-увидеть ссылку
+student@vps:~$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.19.1/cert-manager.yaml
-student@debian:~/gowebd-k8s$ kubectl -n my-ns get ingress -o yaml | less
+student@vps:~$ kubectl -n cert-manager get all
+student@vps:~/apwebd-k8s$ cat letsencrypt-staging-issuer.yaml
+student@vps:~/apwebd-k8s$ cat letsencrypt-prod-issuer.yaml
+</code><code>
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  #name: letsencrypt-staging
+  #name: letsencrypt-prod
+spec:
+  acme:
+    #server: https://acme-staging-v02.api.letsencrypt.org/directory
+    #server: https://acme-v02.api.letsencrypt.org/directory
+    email: val@bmstu.ru
+    profile: tlsserver
+    privateKeySecretRef:
+      #name: letsencrypt-staging
+      #name: letsencrypt-prod
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: nginx
+</code><code>
+student@vps:~/apwebd-k8s$ kubectl -n my-ns apply -f letsencrypt-staging-issuer.yaml
+student@vps:~/apwebd-k8s$ kubectl -n my-ns apply -f letsencrypt-prod-issuer.yaml
+student@vps:~/apwebd-k8s$ kubectl -n my-ns get secret letsencrypt-staging -o yaml
+student@vps:~/apwebd-k8s$ kubectl -n my-ns get certificate
+student@vps:~/apwebd-k8s$ kubectl -n my-ns events
+...
+Certificate fetched from issuer successfully
-увидеть обработчик
+student@vps:~/apwebd-k8s$ kubectl -n my-ns get secret webd-tls -o yaml
-student@debian:~/gowebd-k8s$ kubectl -n my-ns get pods
-NAME                        READY   STATUS    RESTARTS   AGE
-cm-acme-http-solver-5j2pr   1/1     Running   0          28s
-my-webd-78ffd6cc5f-4qplt    1/1     Running   0          4d14h
-my-webd-78ffd6cc5f-zpcsh    1/1     Running   0          4d14h
 </code>
 ==== Volumes ====
@@ Line 1442: / Line 1512: @@
 ssh root@kube2 'chmod 777 /opt/local-path-provisioner'
 ssh root@kube3 'chmod 777 /opt/local-path-provisioner'
+ssh root@kube4 'mkdir /opt/local-path-provisioner'
+ssh root@kube4 'chmod 777 /opt/local-path-provisioner'
 $ ###kubectl patch storageclass local-path -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
@@ Line 1461: / Line 1533: @@
 (venv1) server:~# ansible all -f 4 -m apt -a 'pkg=open-iscsi state=present update_cache=true' -i /root/kubespray/inventory/mycluster/hosts.yaml
+root@a7818cd3f7c7:/kubespray# ansible all -f 4 -m apt -a 'pkg=open-iscsi state=present update_cache=true' -i /inventory/inventory.ini
 </code>
   * [[https://github.com/longhorn/longhorn]]
@@ Line 1473: / Line 1547: @@
 </code>
-Подключение через kubectl proxy
+Подключение через [[#kubectl proxy]]
   * [[https://stackoverflow.com/questions/45172008/how-do-i-access-this-kubernetes-service-via-kubectl-proxy|How do I access this Kubernetes service via kubectl proxy?]]
@@ Line 1859: / Line 1933: @@
 $ helm upgrade ingress-nginx -i ingress-nginx -f values.yaml --repo https://kubernetes.github.io/ingress-nginx -n ingress-nginx --create-namespace
+$ kubectl get all -n ingress-nginx
 $ kubectl exec -n ingress-nginx pods/ingress-nginx-controller-<TAB> -- cat /etc/nginx/nginx.conf | tee nginx.conf | grep use_forwarded_headers

Методические материалы Лохтурова Вячеслава

User Tools

Site Tools

Differences

Page Tools