You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org

Difference between revisions of "Kubernetes/Kubernetes Workshop/Step 6"

From Wikitech-static
Jump to navigation Jump to search
imported>Wolfgang Kandek
 
imported>Wolfgang Kandek
 
(7 intermediate revisions by 3 users not shown)
Line 3: Line 3:
So far we have used minikube as our testcluster. In this step we will first setup a “real” kubernetes cluster.
So far we have used minikube as our testcluster. In this step we will first setup a “real” kubernetes cluster.


There are a number of tools to setup up kubernetes clusters, including kubeadm and rancher. There is also a completely manual way as well (kubernetes the hard way™) and many methods that are in between. Here we will use kubespray to setup a cluster. Kubespray uses ansible to configure a set of machines into a kubernetes cluster. The machines can be bare metal or VMs, in our lab case we use VMs that are hosted at Wikimedia’s cloud service Horizon. You will need access to a project under Horizon with the ability to create 3 VMs with a total of 6 CPus and of 12 GB.
There are a number of tools to setup up kubernetes clusters, including kubeadm and rancher. There is also a completely manual way as well (kubernetes the hard way™) and many methods that are in between. Here we will use kubespray to setup a cluster. Kubespray uses ansible to configure a set of machines into a kubernetes cluster. The machines can be bare metal or VMs, in our lab case we use VMs that are hosted at Wikimedia’s cloud service Horizon. You will need access to a project under Horizon with the ability to create 3 VMs with a total of 6 CPus and of 12 GB. We have also tested at Digitalocean with smaller machines - 1 CPU, 2GB each and that worked as well, at least for our simple tests.


==== Hands-on: create a cluster with kubespray ====
==== Hands-on: create a cluster with kubespray ====
Line 10: Line 10:
Log into horizon.wmflabs.org, select your project and launch 3x VMs:
Log into horizon.wmflabs.org, select your project and launch 3x VMs:


* name: ks1, ks2 and ks3
* name: node1, node2 and node3. These names are relevant, with other names you will get puppet errors, as kubespray changes the hostname to node1, node2 and node3.
* source: debian.buster
* source: debian.buster
* flavor: g2.cores2.ram4.disk40
* flavor: g2.cores2.ram4.disk40
Line 76: Line 76:
</syntaxhighlight>Install Kubernetes - this will take  a while:
</syntaxhighlight>Install Kubernetes - this will take  a while:


* ansible-playbook -i inventory/mycluster/hosts.yml -u <your user> -b cluster.yml
* ansible-playbook -i inventory/mycluster/hosts.yml -u <your user> -b cluster.yml # <your user> = your shell user name that you used before to login


Test access:
Test access:
Line 98: Line 98:


The 2 control plane nodes run the etcd database, the api-server, the scheduler and the controller-manager. The worker nodes run the kubelet and the kube-proxy. Note that the control plane nodes are also worker nodes in this limited configuration, i.e. kubernetes can also schedule pods to run on the control plane nodes.
The 2 control plane nodes run the etcd database, the api-server, the scheduler and the controller-manager. The worker nodes run the kubelet and the kube-proxy. Note that the control plane nodes are also worker nodes in this limited configuration, i.e. kubernetes can also schedule pods to run on the control plane nodes.


Modified Kubernetes Architecture Chart
Modified Kubernetes Architecture Chart
[[File:Kubernetes architecture.png]]


For an overview of the kubernetes architecture watch Joe Breda’s talk: <nowiki>https://drive.google.com/file/d/192ewPeKLzXM4EUsO3ksfiIGcvzlpec6f/view</nowiki>, if you are with limited time start at 13:30 forward, else watch it all.
For an overview of the kubernetes architecture watch Joe Breda’s talk: <nowiki>https://drive.google.com/file/d/192ewPeKLzXM4EUsO3ksfiIGcvzlpec6f/view</nowiki>, if you are with limited time start at 13:30 forward, else watch it all.
Line 108: Line 111:
You can run a simple workload on this kubernetes cluster by ssh’ing into node1 and running the steps for our checksum generating program.  
You can run a simple workload on this kubernetes cluster by ssh’ing into node1 and running the steps for our checksum generating program.  


Create the yaml file on node1 and run kubectl create -f cron_mywpchksumbot.yaml.
Create the yaml file on node1 and run kubectl create -f cron_mywpchksumbot.yaml as root.


Don’t forget to substitute the <userid> for the username you have used on dockerhub.
Don’t forget to substitute the <userid> for the username you have used on dockerhub.
Line 131: Line 134:




See if the process is posting the checksums on the IRC channel.(#demok8sws on Freenode)
See if the process is posting the checksums on the IRC channel.({{Irc|#demok8sws}} on [[Libera.chat]])


Stop the process: kubectl delete cronjob --all
Stop the process: kubectl delete cronjob --all
Line 210: Line 213:
*** Edit the index.html file
*** Edit the index.html file
*** curl again to see the change
*** curl again to see the change
==== Hands-on: Browser access to our service ====
In WMCS one can define web proxies to allow external access to a service. Two configuration need to be created and adjusted:
* Web proxy under Menu item DNS
* Security group under Menu item Network
With "kubectl get svc" get the port mapped for our service:<syntaxhighlight lang="bash">
root@node1:~# kubectl get svc
NAME        TYPE        CLUSTER-IP    EXTERNAL-IP  PORT(S)        AGE
baseapache  NodePort    10.233.3.209  <none>        80:31818/TCP  14m
</syntaxhighlight>Here 31818 is the port that we are looking for. A "curl http://172.16.1.242:31818" should work and give us a response from our service
Define a webproxy for that port:
[[File:Web proxy definition.png]]
Note that the name baseapache might be taken by another instance of this tutorial. You will get an Error: Duplicate Recordset message in that case
In addition the firewall for the project needs to allow the port, add a rule to the security group that you are using, might be called the Default group if you did not select anything specific when creating the VMs.
[[File:Security group rule.png]]
Now external access should work. A browser pointed at http://baseapache.wmcloud.org should get you an answer from the service.
You can add more web proxies for other services that might run on the kubernetes cluster by following the same sequence.


==== Hands-on: use kubectl locally ====
==== Hands-on: use kubectl locally ====
Line 220: Line 253:
* Set the server: field to <nowiki>https://127.0.0.1:6443</nowiki> in the config file
* Set the server: field to <nowiki>https://127.0.0.1:6443</nowiki> in the config file
* Test via: kubectl get nodes
* Test via: kubectl get nodes
*On our digitalocean test this can work directly, without any ssh forwarding. Copy the config file as detailed above, but use the IP address of node1 in the config file instead of 127.0.0.1 and make sure port 6443 is accessible in the associated firewall


Now let’s run our database deployment on the machine, bookdb (deployment and service), bookapp (configmap, secrets, deployment and service) and check its proper functioning.
Now let’s run our database deployment on the machine, bookdb (deployment and service), bookapp (configmap, secrets, deployment and service) and check its proper functioning.
==== Hands-on: use kubectl locally with Floating IPs ====
Horizon has Floating IPs that can be forwarded to a local IP. If we take a floating IP and forward it to one of the API servers and open the firewall for port 6443 we can access the k8s cluster directly. Just copy the .kube/config fiel from node1 and use it locally, substitute the 127.0.0.1 address with the floating IP address. This can be useful if you want to test another application's access to the cluster, for example GitLab runners.
PS: Floating IPs have to requested and take some time to approve


==== Hands-on: use Google’s Google Kubernetes Engine (GKE) ====
==== Hands-on: use Google’s Google Kubernetes Engine (GKE) ====
Line 234: Line 273:
*** <nowiki>https://cloud.google.com/sdk/docs/quickstart</nowiki>
*** <nowiki>https://cloud.google.com/sdk/docs/quickstart</nowiki>
*** You can do this on a VM on your machine, a VM in the cloud (Horizon works) or your local machine
*** You can do this on a VM on your machine, a VM in the cloud (Horizon works) or your local machine
** gcloud auth connect with user above
** gcloud auth login with user above
** gcloud container clusters get-credentials cluster-2 --zone us-central1-c --project constant-host-290520 or similar
** gcloud container clusters get-credentials cluster-2 --zone us-central1-c --project constant-host-290520 or similar
** kubectl get nodes should now work
** kubectl get nodes should now work

Latest revision as of 17:18, 8 August 2021

Step 6: A “real” cluster

So far we have used minikube as our testcluster. In this step we will first setup a “real” kubernetes cluster.

There are a number of tools to setup up kubernetes clusters, including kubeadm and rancher. There is also a completely manual way as well (kubernetes the hard way™) and many methods that are in between. Here we will use kubespray to setup a cluster. Kubespray uses ansible to configure a set of machines into a kubernetes cluster. The machines can be bare metal or VMs, in our lab case we use VMs that are hosted at Wikimedia’s cloud service Horizon. You will need access to a project under Horizon with the ability to create 3 VMs with a total of 6 CPus and of 12 GB. We have also tested at Digitalocean with smaller machines - 1 CPU, 2GB each and that worked as well, at least for our simple tests.

Hands-on: create a cluster with kubespray

We will use kubespray largely as a black box to create a cluster, we will not go into any advanced use cases.

Log into horizon.wmflabs.org, select your project and launch 3x VMs:

  • name: node1, node2 and node3. These names are relevant, with other names you will get puppet errors, as kubespray changes the hostname to node1, node2 and node3.
  • source: debian.buster
  • flavor: g2.cores2.ram4.disk40
  • Security group default: we will need SSH access
  • Server groups: none

Once launched you will have to be able to ssh into each VM by its IP address, a kubespray requirement! You should do this from a 4th VM in Horizon, which is probably the most straightforward way to do, as connectivity works and anything that needs to get installed will not be done on your local machine. You can also do it from your local machine, to make it work from my laptop I had to add 172.16.*.* in the wmflabs stanza in .ssh/config on my laptop.

Host 172.16.* *.wmflabs *.wikimedia.cloud
   User <Username>
   ProxyJump bastion.wmcloud.org:22
   IdentityFile ~/.ssh/labs.key

Try each host and accept the host key.

  • ssh 172.16.0.199 and ssh 172.16.0.204 and 172.16.1.242 in this test case. Remember your IPs may differ and you should interpret all mentions of IPs with that in mind and substitute the IPs you got.

Clone kubespray to the VM or your local machine:

  • git clone https://github.com/kubernetes-sigs/kubespray.git

Add the required software:

  • cd kubespray; pip3 install -r requirements.txt

Add your hosts to the mycluster inventory configuration by running the inventory.py script:

  • cp -rfp inventory/sample inventory/mycluster
  • IPS=(172.16.1.242 172.16.0.204 172.16.0.199);CONFIG_FILE=inventory/mycluster/hosts.yml python3 contrib/inventory_builder/inventory.py ${IPS[@]}

inventory/mycluster/hosts.yml:

all:
 hosts:
   node1:
     ansible_host: 172.16.1.242
     ip: 172.16.1.242
     access_ip: 172.16.1.242
   node2:
     ansible_host: 172.16.0.204
     ip: 172.16.0.204
     access_ip: 172.16.0.204
   node3:
     ansible_host: 172.16.0.199
     ip: 172.16.0.199
     access_ip: 172.16.0.199
 children:
   kube-master:
     hosts:
       node1:
       node2:
   kube-node:
     hosts:
       node1:
       node2:
       node3:
   etcd:
     hosts:
       node1:
       node2:
       node3:
   k8s-cluster:
     children:
       kube-master:
       kube-node:
   calico-rr:
     hosts: {}

Install Kubernetes - this will take  a while:

  • ansible-playbook -i inventory/mycluster/hosts.yml -u <your user> -b cluster.yml # <your user> = your shell user name that you used before to login

Test access:

  • ssh 172.16.1.242
  • sudo su -
  • kubectl get nodes
kubectl get nodes
NAME    STATUS   ROLES    AGE     VERSION
node1   Ready    master   11m     v1.19.2
node2   Ready    master   11m     v1.19.2
node3   Ready    <none>   9m46s   v1.19.2

kubectl get nodes -o wide
NAME    STATUS   ROLES    AGE     VERSION   INTERNAL-IP    EXTERNAL-IP   OS-IMAGE                       KERNEL-VERSION   CONTAINER-RUNTIME
node1   Ready    master   10m     v1.19.2   172.16.1.242   <none>        Debian GNU/Linux 10 (buster)   4.19.0-6-amd64   docker://19.3.12
node2   Ready    master   10m     v1.19.2   172.16.0.204   <none>        Debian GNU/Linux 10 (buster)   4.19.0-6-amd64   docker://19.3.12
node3   Ready    <none>   8m56s   v1.19.2   172.16.0.199   <none>        Debian GNU/Linux 10 (buster)   4.19.0-6-amd64   docker://19.3.12

Kubespray has built a kubernetes cluster with 3 nodes - 2 control plane and 1 worker node.

The 2 control plane nodes run the etcd database, the api-server, the scheduler and the controller-manager. The worker nodes run the kubelet and the kube-proxy. Note that the control plane nodes are also worker nodes in this limited configuration, i.e. kubernetes can also schedule pods to run on the control plane nodes.


Modified Kubernetes Architecture Chart

File:Kubernetes architecture.png

For an overview of the kubernetes architecture watch Joe Breda’s talk: https://drive.google.com/file/d/192ewPeKLzXM4EUsO3ksfiIGcvzlpec6f/view, if you are with limited time start at 13:30 forward, else watch it all.

You can verify what is running on the individual nodes by ssh’ing into them and check for the processes of etcd, apiserver, scheduler, controller-manager and kubelet, kube-proxy. Check all three nodes and see what the differences are…

Hands-on: run a simple workload

You can run a simple workload on this kubernetes cluster by ssh’ing into node1 and running the steps for our checksum generating program.

Create the yaml file on node1 and run kubectl create -f cron_mywpchksumbot.yaml as root.

Don’t forget to substitute the <userid> for the username you have used on dockerhub.

cron_mywpchksumbot.yaml:

apiVersion: batch/v1beta1
kind: CronJob
metadata:
 name: cronpywpchksumbot
spec:
 schedule: "*/5 * * * *"
 jobTemplate:
   spec:
     template:
       spec:
         containers:
         - name: pywpchksumbot
           image: <userid>/pywpchksumbot
           imagePullPolicy: IfNotPresent
         restartPolicy: OnFailure


See if the process is posting the checksums on the IRC channel.(##demok8sws connect on Libera.chat)

Stop the process: kubectl delete cronjob --all

Hands-on: run a simple service workload

Now let’s run a simple service again, our baseapache image.

baseapache.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
 name: baseapache
 labels:
   app: baseapache
spec:
 replicas: 1
 strategy:
   type: RollingUpdate
 selector:
   matchLabels:
     app: baseapache
 template:
   metadata:
     labels:
       app: baseapache
   spec:
     containers:
      - name: baseapache
        image: <userid>/baseapache:latest
        imagePullPolicy: Always

On node1 (as root)

  • kubectl create -f baseapache.yaml
  • kubectl get pods -o wide

Create the corresponding service.

baseapacheservice.yaml:

kind: Service
apiVersion: v1
metadata:
 name: baseapache
spec:
 selector:
   app: baseapache
 ports:
 - protocol: TCP
   port: 80
   targetPort: 80
  • kubectl create -f baseapacheservice.yaml
  • On node3 we can use curl to get the page
    • curl 10.233.41.127
    • The IP ^^^ comes from kubectl get svc on node1

SSH into the node and let’s see what we can find out about the pod:

  • ps -ef | grep apache2
  • who is the parent process for apache2?
  • In the parent process there is a workdir on the command line, take a look at that:

Docker uses the overlay filesystem to represent the layers in a docker image. For example when we use “FROM ubuntu” in our baseapache docker image that means that we base our image on the ubuntu image and that any changes get captured in one or more layers. You can see the layers with “docker inspect <imagename>”. Try it on node3 (or wherever the image is running)

  • docker image inspect <userid>/baseapache

We can use the filesystem ids in the baseapache docker image to identify the filesystem that is used by that pod.

  • docker image inspect <userid>/baseapache
    • Get the “MergedDir” id (after /var/lib/docker/overlay2/
    • Grep in /var/lib/docker/overlay2/l for the id: ls -l | grep <id> and get the mapped string as the new id
    • Find the mounted filesystem by mount -l | grep <new id>
      • That is the filesystem used by the container
      • cat /var/lib/docker/overlay2/<hex string found>/merged/var/www/html/index.html
    • We can use the filesystem to look at apache logs (substitute the right filesystem id
      • tail -f /var/lib/docker/overlay2/0a17a81f309e6d7e4e5afdb83bea72519d31beb2ea99d725390a60b8528c6cf4/merged/var/log/apache2/access.log
    • We can edit the index.html file here, which would change the container image in a non-controlled way: not recommended, but nevertheless possible
      • Edit the index.html file
      • curl again to see the change

Hands-on: Browser access to our service

In WMCS one can define web proxies to allow external access to a service. Two configuration need to be created and adjusted:

  • Web proxy under Menu item DNS
  • Security group under Menu item Network

With "kubectl get svc" get the port mapped for our service:

root@node1:~# kubectl get svc
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
baseapache   NodePort    10.233.3.209   <none>        80:31818/TCP   14m

Here 31818 is the port that we are looking for. A "curl http://172.16.1.242:31818" should work and give us a response from our service

Define a webproxy for that port:

File:Web proxy definition.png


Note that the name baseapache might be taken by another instance of this tutorial. You will get an Error: Duplicate Recordset message in that case

In addition the firewall for the project needs to allow the port, add a rule to the security group that you are using, might be called the Default group if you did not select anything specific when creating the VMs.

File:Security group rule.png


Now external access should work. A browser pointed at http://baseapache.wmcloud.org should get you an answer from the service.

You can add more web proxies for other services that might run on the kubernetes cluster by following the same sequence.

Hands-on: use kubectl locally

Often we want to use kubectl from our local workstation to create and delete deployments. To do so we need to change the config file (in ~/.kube/config) and point it to the new cluster. Our local workstation then needs access to the api-server on the cluster. Since the cluster runs in the WMCS cloud behind a bastion host the only way I have found to do that is to setup an SSH tunnel.

  • Make a backup copy of the local config file
  • Copy the config file from node1
  • Setup the SSH tunnel: (172.16.1.242 is the IP for node1)
    • ssh -L 6443:172.16.1.242:6443 172.16.1.242
  • Set the server: field to https://127.0.0.1:6443 in the config file
  • Test via: kubectl get nodes
  • On our digitalocean test this can work directly, without any ssh forwarding. Copy the config file as detailed above, but use the IP address of node1 in the config file instead of 127.0.0.1 and make sure port 6443 is accessible in the associated firewall

Now let’s run our database deployment on the machine, bookdb (deployment and service), bookapp (configmap, secrets, deployment and service) and check its proper functioning.

Hands-on: use kubectl locally with Floating IPs

Horizon has Floating IPs that can be forwarded to a local IP. If we take a floating IP and forward it to one of the API servers and open the firewall for port 6443 we can access the k8s cluster directly. Just copy the .kube/config fiel from node1 and use it locally, substitute the 127.0.0.1 address with the floating IP address. This can be useful if you want to test another application's access to the cluster, for example GitLab runners.

PS: Floating IPs have to requested and take some time to approve

Hands-on: use Google’s Google Kubernetes Engine (GKE)

Let’s try running our database at Google’s GKE .

  • Login into the Google Cloud console: gkeuser.wikimedia@gmail.com/1Jdr5&VWsffd
  • Click on Kubernetes Engine/Clusters, then Create Cluster
    • Defaults here are ok: name, zone and version
    • You can change the default node type to an N1 machine to save some money. It will probably only be pennies as the plan is to delete the cluster right after testing…
  • Click connect
    • In a terminal, install the gcloud CLI - cloud shell will not work for what we want to do...
      • https://cloud.google.com/sdk/docs/quickstart
      • You can do this on a VM on your machine, a VM in the cloud (Horizon works) or your local machine
    • gcloud auth login with user above
    • gcloud container clusters get-credentials cluster-2 --zone us-central1-c --project constant-host-290520 or similar
    • kubectl get nodes should now work

First let’s see if our IRC bot works.

  • kubectl create -f cron_pywpchksumbot.yaml
  • Check the IRC channel

Now let’s run our database deployment on the machine, bookdb (deployment and service), bookapp (configmap, secrets, deployment and service) and check its proper functioning.

Btw GKE has a networking part that is integrated with kubernetes, something that we have not configured yet, so the bookdbapp gets an outside address and is accessible through the Internet.

At the end delete the cluster.