Openshift

Prepare os


fdisk /dev/mmcblk0
create 2 partitions

mkfs.ext4 /dev/mmcblk0p1
mkfs.ext4 /dev/mmcblk0p2

# Writes the image over the whole card: of= names the device, not a partition, so the
# partition table and filesystems created above are replaced by the image's own layout.
# Confirm the target device (e.g. with lsblk) and check the image against the checksum
# published for it before writing.
dd if=Fedora-Server-xxx of=/dev/mmcblk0 bs=1M status=progress conv=fsync

vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETMASK=255.255.255.0
GATEWAY=192.168.1.254
IPADDR=192.168.1.X
DNS=8.8.8.8
USERCTL=no

systemctl restart NetworkManager

hostnamectl set-hostname server-name-xx

dnf update
                        

 
Install CRIO



# Load the kernel modules used by the container runtime setup: overlay (overlayfs) and
# br_netfilter, which provides the net.bridge.* sysctls configured below.
# modprobe only affects the running kernel; list the modules in a file under
# /etc/modules-load.d/ if they must be loaded again after a reboot.
sudo modprobe overlay
sudo modprobe br_netfilter

# Set up required sysctl params, these persist across reboots.
vim /etc/sysctl.d/99-kubernetes-cri.conf
# cut paste and save
net.bridge.bridge-nf-call-iptables  = 1
net.ipv4.ip_forward                 = 1
net.bridge.bridge-nf-call-ip6tables = 1

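# Apply the sysctl settings written to /etc/sysctl.d above.
sudo sysctl --system

# Install CRI-O from its dnf module stream. VERSION must name one of the streams
# printed by "dnf module list cri-o"; the expansion aborts if it is unset or empty
# instead of silently enabling "cri-o:".
sudo dnf module list cri-o
sudo dnf module enable cri-o:"${VERSION:?set VERSION to a cri-o module stream}"
sudo dnf install cri-o

# Start CRI-O now and enable it at boot (the same way kubelet is enabled later on),
# so the container runtime comes back after a reboot.
sudo systemctl daemon-reload
sudo systemctl enable --now crio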
                        

 
Install Kubernetes


                        
vim /etc/yum.repos.d/kubernetes.repo
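# cut, paste and save ($basearch is written without a backslash here; the escape is only needed when the file is generated from a shell heredoc)
# NOTE: the packages.cloud.google.com Kubernetes repositories are deprecated and no longer receive updates; current packages are published on pkgs.k8s.io, so check baseurl and gpgkey against the current Kubernetes install documentation.
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-$basearch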
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg 
exclude=kubelet kubeadm kubectl

# Set SELinux to permissive mode: denials are still logged but no longer enforced, so
# SELinux stops confining processes (containers and kubelet included) on this host.
# setenforce 0 switches the running system; the sed edit makes the change persist across
# reboots (it only matches a line that reads exactly SELINUX=enforcing).
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

# --disableexcludes=kubernetes lifts the exclude= line of kubernetes.repo for this one
# install; the exclude otherwise keeps routine updates from upgrading these packages.
sudo yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes

# Enable kubelet at boot and start it now.
sudo systemctl enable --now kubelet

vi /var/lib/kubelet/config.yaml


apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd
---
apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
kubernetesVersion: stable
---
apiVersion: kubeadm.k8s.io/v1beta1
kind: InitConfiguration

# Reload systemd unit files and restart kubelet after the configuration edit above.
systemctl daemon-reload
systemctl restart kubelet

# NOTE(review): 10.0.0.0/8 is very wide. It contains kubeadm's default service range
# (10.96.0.0/12) and may overlap the node network or other private networks; confirm the
# range against the CNI plugin's requirements and prefer a narrower, non-overlapping CIDR.
kubeadm init --pod-network-cidr=10.0.0.0/8

# follow the instructions to join nodes to the cluster
# (the join command printed by kubeadm init carries a bootstrap token; handle it as a credential)
			

 
ArgoCD install and debug


# Start an interactive debugging pod (network-multitool image) in the argocd-new namespace.
# The image is referenced without a tag or digest, so whatever the registry currently serves
# is pulled; pin a reviewed digest where that matters. With --restart=Never the pod stays in
# the namespace after the shell exits, so delete it when the debugging session is over.
kubectl run -i -t multitool -n argocd-new --image=praqma/network-multitool --restart=Never /bin/bash

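To change the password, edit the argocd-secret secret and update the admin.password field with a new bcrypt hash. You can use a site like https://www.browserling.com/tools/bcrypt to generate a new hash, but typing the admin password into a third-party website discloses it to that site; generating the hash locally (for example with `argocd account bcrypt --password <PASSWORD>`) avoids that. For example: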

# bcrypt(password)=$2a$10$rRyBsGSHK6.uc8fntPwVIuLVHgsAhAX7TcdrqW/RADU0uh7CaChLa
# Example value only: as the line above says, this is the hash of the literal string
# "password". Replace it with the bcrypt hash of your own password before patching,
# otherwise the admin account ends up with that well-known password.
# admin.passwordMtime is set to the current time produced by date.
kubectl -n argocd patch secret argocd-secret \
  -p '{"stringData": {
    "admin.password": "$2a$10$rRyBsGSHK6.uc8fntPwVIuLVHgsAhAX7TcdrqW/RADU0uh7CaChLa",
    "admin.passwordMtime": "'$(date +%FT%T%Z)'"
  }}'

kubectl api-resources

                        

 
Kubernetes PV PVC cleanup


# Clear the finalizers on a PVC, PV or pod (pvc_name, pv_name and pod_name are placeholders);
# typically used when an object hangs in Terminating.
# Finalizers such as kubernetes.io/pvc-protection and kubernetes.io/pv-protection keep storage
# from being removed while it is still in use. Nulling them lets the API object disappear
# without that check or any controller cleanup, so the backing volume or its data can be left
# behind. Confirm that nothing still mounts the volume before running these.
kubectl patch pvc pvc_name -p '{"metadata":{"finalizers":null}}'
kubectl patch pv pv_name -p '{"metadata":{"finalizers":null}}'
kubectl patch pod pod_name -p '{"metadata":{"finalizers":null}}'
                        

 
Kubernetes SA's Roles and RoleBinding


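# Create a ServiceAccount, say 'readonlyuser'. It is created in the current namespace;
# the binding below expects that to be 'default'.
kubectl create serviceaccount readonlyuser
# Create a cluster role 'readonlyuser' limited to get/list/watch on pods.
kubectl create clusterrole readonlyuser --verb=get --verb=list --verb=watch --resource=pods
# Bind the role to the ServiceAccount cluster-wide (pods in every namespace become readable).
kubectl create clusterrolebinding readonlyuser --serviceaccount=default:readonlyuser --clusterrole=readonlyuser
# Read the token from the Secret attached to the ServiceAccount; it authenticates the user.
# NOTE: clusters from Kubernetes v1.24 on no longer auto-create this Secret, so the lookup
# comes back empty there; 'kubectl create token readonlyuser' issues a short-lived token instead.
TOKEN=$(kubectl describe secrets "$(kubectl describe serviceaccount readonlyuser | grep -i Tokens | awk '{print $2}')" | grep token: | awk '{print $2}')
# Stop here if no token was found rather than writing an empty credential into the kubeconfig.
: "${TOKEN:?no token found for serviceaccount readonlyuser}"
# Store the credentials in the kube config file under the user name 'luigi'.
# The token is a bearer credential kept in plain text in that file; keep the file private.
kubectl config set-credentials luigi --token="$TOKEN"
# Create a context, say 'podreader', for the cluster named 'kubernetes'.
kubectl config set-context podreader --cluster=kubernetes --user=luigi
# Finally switch to the new context.
kubectl config use-context podreader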

# And that's it. Now one can execute:
kubectl get pods --all-namespaces

# One can also check the access by executing as given:

kubectl auth can-i get pods --all-namespaces
yes
kubectl auth can-i create pods
no
kubectl auth can-i delete pods
no

                        
About
This is a collection of data for a quick lookup / reference
 
It's not an exhaustive reference (nor will it be), but as stated before, it's a quick lookup / reference
LMZ 2020