Kubernetes the hard way on bare metal/VMs — Testing everything
Part of the Kubernetes the hard way on bare metal/VMs series. This is designed for beginners.
Introduction
This guide is part of the Kubernetes the hard way on bare metal/VMs tutorial I have written. On its own, it may be useful however it’s tailored for this tutorial so may not be completely suited to your needs.
Smoke test encryption
Create a secret
kubectl create secret generic kubernetes-the-bm-hard-way --from-literal="mykey=mydata"
Now print a hexdump of it (run this one command on a controller — or all of them)
sudo ETCDCTL_API=3 etcdctl get \
--endpoints=https://127.0.0.1:2379 \
--cacert=/etc/etcd/ca.pem \
--cert=/etc/etcd/kubernetes.pem \
--key=/etc/etcd/kubernetes-key.pem \
/registry/secrets/default/kubernetes-the-bm-hard-way | hexdump -C
The output should be a hexdump, and the ASCII column on the right should start with:
/registry/secrets/default/kubernetes-the-bm-hard-way.k8s:enc:aescbc:v1:key1
The k8s:enc:aescbc:v1:key1 prefix means the API server encrypted the value with the aescbc provider and the key named key1 from your encryption config before writing it to etcd (the dot after the key path is just the newline between key and value). If instead you can read mykey, mydata or a bare k8s protobuf header in the dump, the secret was written in clear text and the encryption configuration is not being applied; check that every kube-apiserver is started with --encryption-provider-config pointing at the config file you created. Note that this only protects the data at rest in etcd: anyone who can read secrets through the API still gets the plaintext.
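Eyeballing a hexdump works for one secret, but the same check is easy to script. The following is an added example and not part of the tutorial: it reads the raw output of etcdctl get on stdin and reports the encryption provider and key name it finds in the prefix, or flags a value that was stored in clear. The two sample values it ships with are constructed so that it runs without a cluster; the etcdctl invocation in the comment is the one from the page.

```shell
#!/usr/bin/env bash
# Added example, not part of the tutorial: classify a raw etcd value for a
# Secret as encrypted-at-rest or plaintext by looking at the prefix that
# kube-apiserver writes in front of the ciphertext (k8s:enc:<provider>:v1:<key>:).
# Real use pipes etcdctl in instead of hexdump:
#   sudo ETCDCTL_API=3 etcdctl get --endpoints=... --cacert=... --cert=... --key=... \
#       /registry/secrets/default/kubernetes-the-bm-hard-way | classify_secret_value
# The two sample values below are constructed so the script runs offline.
export LC_ALL=C   # byte-wise string handling; the ciphertext is not valid UTF-8

# Reads `etcdctl get` output on stdin (key line, newline, raw value) and prints
#   encrypted:<provider>:<version>:<keyname>   e.g. encrypted:aescbc:v1:key1
#   plaintext    value starts with the "k8s" protobuf magic, i.e. stored in clear
#   unknown      neither pattern (wrong key, empty value, corrupted output)
classify_secret_value() {
    local body rest provider version keyname
    # Drop the key line; strip NUL bytes so the value fits in a shell variable;
    # only the first 64 bytes matter for the prefix.
    body=$(tail -n +2 | tr -d '\000' | head -c 64)
    case "$body" in
        k8s:enc:*)
            rest=${body#k8s:enc:}          # aescbc:v1:key1:<ciphertext>
            provider=${rest%%:*}; rest=${rest#*:}
            version=${rest%%:*};  rest=${rest#*:}
            keyname=${rest%%:*}
            printf 'encrypted:%s:%s:%s\n' "$provider" "$version" "$keyname"
            ;;
        k8s*)
            printf 'plaintext\n'
            ;;
        *)
            printf 'unknown\n'
            ;;
    esac
}

# Constructed sample: what etcdctl prints when encryption at rest is working
# (a few arbitrary bytes stand in for the ciphertext).
sample_encrypted_value() {
    printf '/registry/secrets/default/demo\nk8s:enc:aescbc:v1:key1:\217\001\342\000\012junk\n'
}

# Constructed sample: the same key written without encryption (protobuf header
# "k8s\0" followed by the apiVersion/kind fields, then the Secret in clear).
sample_plaintext_value() {
    printf '/registry/secrets/default/demo\nk8s\000\n\014\n\002v1\022\006Secret\n'
}

if [ "${1:-}" = "--demo" ]; then
    sample_encrypted_value | classify_secret_value   # encrypted:aescbc:v1:key1
    sample_plaintext_value | classify_secret_value   # plaintext
fi
```

Run it with --demo to see both classifications, or source it and pipe the real etcdctl output into classify_secret_value. A result of plaintext on a key you expected to be encrypted means the encryption config is not in effect on the API server that wrote the value; unknown usually means the key path was wrong and etcdctl returned nothing.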
Test the lot!
So all that's left is the PoC to ensure everything works as one would expect. You can run all of this from the remote PC you configured during the remote access step.
Confirm deployments work
kubectl run nginx --image=nginx
kubectl get pods -l run=nginx
Confirm port forwarding works
POD_NAME=$(kubectl get pods -l run=nginx -o jsonpath="{.items[0].metadata.name}")
kubectl port-forward $POD_NAME 8080:80
Then in another Terminal
curl --head http://127.0.0.1:8080
HTTP/1.1 200 OK
Server: nginx/1.21.4
Date: Tue, 14 Dec 2021 18:19:18 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 02 Nov 2021 14:49:22 GMT
Connection: keep-alive
ETag: "61814ff2-267"
Accept-Ranges: bytes
You can close the new session and cancel the port forwarding now.
Check that logs work. You should see the HEAD request from the curl command you just ran.
kubectl logs $POD_NAME
#Results
127.0.0.1 - - [14/Dec/2021:18:19:18 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.68.0" "-"
Check you can execute commands against pods
kubectl exec -ti $POD_NAME -- nginx -v
#Results
nginx version: nginx/1.21.4
Check services can be created and exposed
kubectl expose po nginx --port 80 --type NodePort
NODE_PORT=$(kubectl get svc nginx --output=jsonpath='{.spec.ports[0].nodePort}')
On Google Cloud, the original guide would now create a firewall rule allowing remote access to the nginx node port and look up a worker's external IP:
EXTERNAL_IP=$(gcloud compute instances describe worker-0 \
--format 'value(networkInterfaces[0].accessConfigs[0].natIP)')
On bare metal there is no cloud firewall or NAT to drive from the CLI, so instead add the node port to the firewall on your router and forward it to one of your worker nodes (a NodePort service listens on every worker, so any of them will do; ideally you'd have a load balancer in front of them). Bear in mind that this exposes the pod to the internet for as long as the rule exists, so remove it once the test passes. Then set EXTERNAL_IP to your router's public address and make an HTTP request using that address and the nginx node port.
curl -I http://${EXTERNAL_IP}:${NODE_PORT}
You can also visit the address in your browser!
http://${EXTERNAL_IP}:${NODE_PORT}
If you don’t have an external IP as such, you can still test this by running:
curl -I http://$(kubectl get po $POD_NAME --output=jsonpath='{.status.hostIP}'):$NODE_PORT
#Result
HTTP/1.1 200 OK
Server: nginx/1.21.4
Date: Tue, 14 Dec 2021 18:21:58 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 02 Nov 2021 14:49:22 GMT
Connection: keep-alive
ETag: "61814ff2-267"
Accept-Ranges: bytes
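The steps above are the sequence you will rerun every time you rebuild the cluster, so it is worth having them as one script that cleans up after itself even when a step fails. The following is an added example and not part of the tutorial: it wraps the deployment, port-forward, logs, exec and NodePort checks with a cleanup trap, and uses the hostIP route for the NodePort test so no router rule is needed. It assumes kubectl and curl are on PATH, that the kubeconfig from the remote access step is the current context, and keeps the pod name nginx and local port 8080 from the text; the sample curl headers are constructed from the output shown above so the header check can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the tutorial: the smoke test as one script with a
# cleanup trap. Assumes kubectl and curl on PATH and a kubeconfig for the cluster
# as the current context. Nothing touches the cluster unless run with --run.
set -euo pipefail

POD=nginx          # pod name created by `kubectl run` (as in the text)
LOCAL_PORT=8080    # local end of the port-forward (as in the text)

# check_http_headers: reads `curl -I` output on stdin; returns 0 only if the
# status line is 200 and the Server header is nginx. Pure text processing, so it
# can be exercised without a cluster.
check_http_headers() {
    local line status="" server="" cr
    cr=$(printf '\r')
    while IFS= read -r line; do
        line=${line%"$cr"}                  # curl keeps the CRLF line endings
        case "$line" in
            HTTP/*)      set -- $line; status=${2:-} ;;   # word-split "HTTP/1.1 200 OK"
            [Ss]erver:*) server=${line#*: } ;;
        esac
    done
    [ "$status" = "200" ] || return 1
    case "$server" in nginx/*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample of the headers the tutorial shows, for offline checks.
sample_curl_headers() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.21.4\r\nContent-Type: text/html\r\nContent-Length: 615\r\n\r\n'
}

cleanup() {
    [ -n "${PF_PID:-}" ] && kill "$PF_PID" 2>/dev/null || true
    kubectl delete svc "$POD" --ignore-not-found
    kubectl delete pod "$POD" --ignore-not-found
}

run_smoke_test() {
    trap cleanup EXIT
    kubectl run "$POD" --image=nginx
    kubectl wait --for=condition=Ready "pod/$POD" --timeout=120s

    # Port-forward in the background and probe nginx through the tunnel.
    kubectl port-forward "pod/$POD" "$LOCAL_PORT:80" >/dev/null 2>&1 &
    PF_PID=$!
    sleep 2
    curl -sSI "http://127.0.0.1:$LOCAL_PORT" | check_http_headers
    echo "port-forward: ok"

    # The HEAD request must show up in the container log; exec must reach the container.
    kubectl logs "$POD" | grep '"HEAD / HTTP/1.1" 200' >/dev/null
    kubectl exec "$POD" -- nginx -v
    echo "logs/exec: ok"

    # NodePort: hit the worker that runs the pod directly; no router rule needed.
    kubectl expose pod "$POD" --port 80 --type NodePort
    local node_port host_ip
    node_port=$(kubectl get svc "$POD" -o jsonpath='{.spec.ports[0].nodePort}')
    host_ip=$(kubectl get pod "$POD" -o jsonpath='{.status.hostIP}')
    curl -sSI "http://$host_ip:$node_port" | check_http_headers
    echo "nodeport: ok ($host_ip:$node_port)"
}

if [ "${1:-}" = "--run" ]; then
    run_smoke_test
fi
```

Run it with --run against the cluster; because of set -e any failing step stops the script and the EXIT trap still kills the port-forward and deletes the service and pod, so a broken cluster is never left holding a NodePort open.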
And finally…
You can exit the SSH connection now and return to the remote PC you're running commands from.
Let’s clean up the cluster so you have a nice fresh one to start playing with.
kubectl delete secret kubernetes-the-bm-hard-way
kubectl delete svc nginx
kubectl delete po dnsutils nginx
I also recommend you remove any private keys and kubeconfig files still sitting in the home (~/) directories on the controller and worker nodes from the setup steps. The services have their own copies in their config directories, and stray key material in a home directory is the first thing anyone who gets a shell on that host will look for.
And you’re all done.
Conclusion
You’ve configured the cluster, tested it and are just plain great.
Next: Extra Credit