Authentication and Authorization Create a local htpasswd file: htpasswd -c -B -b ./htpasswd admin redhat htpasswd -b ./htpasswd developer developer Then log in as admin and create the secret: oc create secret generic localusers \ --from-file htpasswd=./htpasswd \ -n openshift-config You can also use set to update the secret: oc set data secret/localusers -n openshift-config --from-file htpasswd=./htpasswd Add the cluster-admin role to the new admin account; it is ok to ignore the warnings, since the admin user does not exist in the system yet:


Openshift comes with an enforced security context design that aims to solve security issues a plain Kubernetes cluster ignores. In a non-prod environment the default Kubernetes approach is capable of deploying a simple application and providing access to the service, but such a design often introduces challenges for enterprise companies like banks or telcos, which makes them hesitate to migrate data to the cloud. Build An Openshift Compatible Image A normal docker image that uses root-level actions like the following would cause trouble in Openshift:


Taint, Toleration, Label, And Node Selector In Kubernetes these can be confusing in daily work, so they are worth a post here. Taint It functions like assigning a node a default attribute, like a tattoo, and this tattoo has its magic effects. kubectl taint nodes node1 key1=value1:NoSchedule # add taint kubectl taint nodes node1 key1=value1:NoSchedule- # remove taint This translates to setting an attribute on node1 so that nothing will be scheduled there (NoSchedule) unless the pod has a toleration for key1=value1.


All config and cmd in this blog have been verified and tested against the Openshift 4.5 release. Openshift 4.5 introduced a new way to deploy kubernetes by using Coreos with Ignition. This solution makes sure all nodes in a cluster share the same image, and end-users are not encouraged to modify anything on the OS level; everything (nic changes, troubleshooting, ssl injection) should be done through Openshift itself by defining yaml (Machineconfig for OS files, nmstate to modify nics).


This method has been tested working on a single-master k8s; for multi-master clusters it may not work! Kubernetes requires certs on each node/master to validate each other's integrity. If a cert ever expires, you'd see an error like this: Unable to connect to the server: x509: certificate has expired or is not yet valid. To fix the cluster, we first need to verify the cert status by: $ openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.


MaaS Notes Installation LXD-based maas is so far the best solution. Follow the official guides for lxc install maas and maas installation. A few steps to install: Create a dedicated lxd env for maas, including network and storage pool. maas init to create the admin user. Log in at https://{MAAS}:5240/MAAS Set up user public key injection for bare-metal commissioning. Commission nodes and set up networks. Deploy. Storage Preparation The volume can be ZFS/LVM/btrfs: Create an lvm pool, e.g. /dev/lxc-vg/maas apt install thin-provisioning-tools to install the LVM thin-provisioning driver.


To enable the built-in Horizontal Autoscaling feature, a Metric Server needs to be installed first for k8s to pull resource data from. helm install stable/metrics-server -n metric --namespace kube-system -f metric.yml Metric Server has a chart on Helm stable, but somehow the new version of it behaves weirdly and shows an error like: unable to fetch pod metrics for pod rook-ceph/csi-rbdplugin-qv94k: no metrics known for pod When this happens, it means you are facing some TLS and network issues.


How to properly remove a node from a cluster Find your node, then drain it to let k8s reschedule its pods and avoid future scheduling on this node: kubectl drain <node-name> --ignore-daemonsets --delete-local-data Then you'll find the node.kubernetes.io/unschedulable=NoSchedule label on this node. Delete the node from the cluster: kubectl delete node <node-name> Then everything k8s-related will be removed, and you'll only see this left on the node: t login: Fri Dec 6 05:25:27 2019 from 10.


Rook CRD

Rook is a Cloud Native Storage solution; it creates CRDs which in turn create their corresponding storage pods and resources. Install Rook CRD Install the Operator via its helm chart. This is the foundation of all the fun. helm repo add rook-release https://charts.rook.io/release helm install --namespace rook-ceph rook-release/rook-ceph -n rook Note: the Rook Operator and the CRD cluster must be in the same namespace, because the CRD will use the helm-created serviceaccount to create all resources.


All config and cmd in this blog have been verified and tested against the Openshift 3.11 release. Openshift is Redhat's Container Platform; it mainly uses Kubernetes as its PaaS underlay and adds more features such as CICD, an app store, etc. How to Install Similar to Kubespray, it uses a toolbox which has root access to all nodes and runs ansible scripts to install and deploy everything. A few prerequisites before install:


Charles

Love coding and new technologies

Cloud Solution Consultant

Canada