tim/ansible-k8s-pi-cluster
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added basic setup for master and certification material

Browse Source
This commit is contained in:
Tim Unkrig
2022-04-27 16:02:08 +02:00
parent 5f1ddaa73d
commit 2feefe0fd0
66 changed files with 2364 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
enable_display.yml Normal file
View File

@@ -0,0 +1,22 @@
- name: Install prerequisits
apt:
name: git
update_cache: true
- name: enable I2S Circuit
shell: raspi-config nonint do_i2c 0
- name: Get Github Repo
git:
repo: https://github.com/UCTRONICS/U6143_ssd1306.git
dest: /srv/U6143_ssd1306
- name: write to rc.local
blockinfile:
path: /etc/rc.local
insertbefore: exit 0
block: |
cd /srv/U6143_ssd1306/C
sudo make clean
sudo make
sudo ./display &

21
etchostsupdate.yaml Normal file
View File

@@ -0,0 +1,21 @@
---
- name: "generate /etc/hosts.ansible file"
template: "src=templates/etchosts.j2 dest='/etc/hosts.ansible' owner=root group=root mode=0644"
tags: etc_hosts
become: true
- name: "check if debian generated hosts file has a backup"
stat: "path=/etc/hosts.debian"
tags: etc_hosts
register: etc_hosts_debian
- name: "backup debian generated /etc/hosts"
command: "cp /etc/hosts /etc/hosts.debian"
when: etc_hosts_debian.stat.islnk is not defined
tags: etc_hosts
become: true
- name: "install /etc/hosts.ansible file"
command: "cp /etc/hosts.ansible /etc/hosts"
tags: etc_hosts
become: true

280
files/LFS258/SOLUTIONS/LICENSE Normal file
View File

@@ -0,0 +1,280 @@
-------------------------------------------------------------------------------
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
675 Mass Ave, Cambridge, MA 02139, USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
-------------------------------------------------------------------------------

4
files/LFS258/SOLUTIONS/s_03/99-kubernetes-cri.conf Normal file
View File

@@ -0,0 +1,4 @@
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1

183
files/LFS258/SOLUTIONS/s_03/containerd-setup.txt Normal file
View File

@@ -0,0 +1,183 @@
#
# This script is intended to be run on an Ubuntu 20.04,
# 2cpu, 8G node. The course is **not** tested using containerd,
# so you may have endless issues, or not. Only for those already
# comfortable with Kubernetes, who want to compare and contrast
# various container engines
# By Tim Serewicz, 03/2022 GPL
# Note there is a lot of software downloaded, which may require
# some troubleshooting if any of the sites updates their code,
# which should be expected.
# These first several steps can be done on cp and worker.
# Ensure two modules are loaded after reboot
cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF
# Disable swap if not on a cloud instance - done anyway
sudo swapoff -a
# Load the modules now
sudo modprobe overlay
sudo modprobe br_netfilter
# Update sysctl to load iptables and ipforwarding
cat <<EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
sudo sysctl --system
# Install some necessary software
sudo apt-get update && sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common
# Install the Docker keyring
# In Ubuntu 20.04, containerd part of local repos.
sudo apt install containerd -y
#Older OS steps
#curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key --keyring /etc/apt/trusted.gpg.d/docker.gpg add -
# Create a Docker repository
#sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
# Install and configure the containerd package
#sudo apt-get update && sudo apt-get install -y containerd.io
#sudo mkdir -p /etc/containerd
#sudo containerd config default | sudo tee /etc/containerd/config.toml
# Verify the file has the appropriate contents
#cat /etc/containerd/config.toml
# Restart and check containerd
sudo systemctl restart containerd
sudo systemctl status containerd
#
#
# RETURN TO THE BOOK now that containerd is installed.
# Some of same steps included following to make life easier, and some
# troubleshooting
#
#
# Add the Kubernetes repo
sudo sh -c "echo 'deb http://apt.kubernetes.io/ kubernetes-xenial main' >> /etc/apt/sources.list.d/kubernetes.list"
# Add the GPG key for the new repo
sudo sh -c "curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -"
# Install the Kubernetes packages - Using older version of k8s
# so we can upgrade to current in future lab. Stop after these steps
# if on the worker
sudo apt-get update
sudo apt-get install -y kubeadm=1.22.1-00 kubelet=1.22.1-00 kubectl=1.22.1-00
sudo apt-mark hold kubelet kubeadm kubectl
# Create a cluster using containerd - Using older version of k8s
# so we can upgrade to current in future lab. Only run init on
# the control plane (cp) - **not** the worker.
sudo kubeadm init --kubernetes-version 1.22.1 --cri-socket=/var/run/containerd/containerd.sock --pod-network-cidr 192.168.0.0/16 | tee $HOME/cp.out
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# We'll use Calico for the network plugin
kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
# Make sure all the infrastructure pods are running
kubectl get pod --all-namespaces
kubectl describe pod -l component=kube-apiserver -n kube-system
kubectl get events
# Enable command line completion
source <(kubectl completion bash)
echo "source <(kubectl completion bash)" >> $HOME/.bashrc
# Untaint the control plane, as we only have one node
kubectl taint node --all node-role.kubernetes.io/master-
# Troubleshooting and or optional add ons
# Get containerd running, append or create several files.
cat <<EOF | sudo tee /etc/containerd/config.toml
disabled_plugins = ["restart"]
[plugins.linux]
shim_debug = true
[plugins.cri.containerd.runtimes.runsc]
runtime_type = "io.containerd.runsc.v1"
EOF
cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///var/run/dockershim.sock
timeout: 10
debug: true
EOF
# Ensure containerd starts and
sudo systemctl restart containerd
kubectl get pod --all-namespaces
# Optional
# Install and configure crictl and gVisor if you want a more secure environment.
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.22.0/crictl-v1.22.0-linux-amd64.tar.gz
tar zxvf crictl-v1.22.0-linux-amd64.tar.gz
sudo mv crictl /usr/local/bin
cat <<EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
EOF
sudo wget https://storage.googleapis.com/gvisor/releases/nightly/latest/containerd-shim-runsc-v1 -O /usr/local/bin/containerd-shim-runsc-v1
sudo chmod +x /usr/local/bin/containerd-shim-runsc-v1
sudo wget https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc -O /usr/local/bin/runsc
sudo chmod +x /usr/local/bin/runsc

278
files/LFS258/SOLUTIONS/s_03/crio.conf Normal file
View File

@@ -0,0 +1,278 @@
# The CRI-O configuration file specifies all of the available configuration
# options and command-line flags for the crio(8) OCI Kubernetes Container Runtime
# daemon, but in a TOML format that can be more easily modified and versioned.
#
# Please refer to crio.conf(5) for details of all configuration options.
# CRI-O reads its storage defaults from the containers-storage.conf(5) file
# located at /etc/containers/storage.conf. Modify this storage configuration if
# you want to change the system's defaults. If you want to modify storage just
# for CRI-O, you can change the storage configuration options here.
[crio]
# Path to the "root directory". CRI-O stores all of its data, including
# containers images, in this directory.
#root = "/home/lsm5/.local/share/containers/storage"
# Path to the "run directory". CRI-O stores all of its state in this directory.
#runroot = "/tmp/1000"
# Storage driver used to manage the storage of images and containers. Please
# refer to containers-storage.conf(5) to see all available storage drivers.
#storage_driver = "vfs"
# List to pass options to the storage driver. Please refer to
# containers-storage.conf(5) to see all available storage options.
#storage_option = [
#]
# If set to false, in-memory locking will be used instead of file-based locking.
file_locking = false
# Path to the lock file.
file_locking_path = "/run/crio.lock"
# The crio.api table contains settings for the kubelet/gRPC interface.
[crio.api]
# Path to AF_LOCAL socket on which CRI-O will listen.
listen = "/var/run/crio/crio.sock"
# IP address on which the stream server will listen.
stream_address = "127.0.0.1"
# The port on which the stream server will listen.
stream_port = "0"
# Enable encrypted TLS transport of the stream server.
stream_enable_tls = false
# Path to the x509 certificate file used to serve the encrypted stream. This
# file can change, and CRI-O will automatically pick up the changes within 5
# minutes.
stream_tls_cert = ""
# Path to the key file used to serve the encrypted stream. This file can
# change, and CRI-O will automatically pick up the changes within 5 minutes.
stream_tls_key = ""
# Path to the x509 CA(s) file used to verify and authenticate client
# communication with the encrypted stream. This file can change, and CRI-O will
# automatically pick up the changes within 5 minutes.
stream_tls_ca = ""
# Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024.
grpc_max_send_msg_size = 16777216
# Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024.
grpc_max_recv_msg_size = 16777216
# The crio.runtime table contains settings pertaining to the OCI runtime used
# and options for how to set up and manage the OCI runtime.
[crio.runtime]
# A list of ulimits to be set in containers by default, specified as
# "<ulimit name>=<soft limit>:<hard limit>", for example:
# "nofile=1024:2048"
# If nothing is set here, settings will be inherited from the CRI-O daemon
#default_ulimits = [
#]
# default_runtime is the _name_ of the OCI runtime to be used as the default.
# The name is matched against the runtimes map below.
default_runtime = "runc"
# If true, the runtime will not use pivot_root, but instead use MS_MOVE.
no_pivot = false
# Path to the conmon binary, used for monitoring the OCI runtime.
conmon = "/usr/bin/conmon"
# Environment variable list for the conmon process, used for passing necessary
# environment variables to conmon or the runtime.
conmon_env = [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
]
# If true, SELinux will be used for pod separation on the host.
selinux = false
# Path to the seccomp.json profile which is used as the default seccomp profile
# for the runtime.
seccomp_profile = "/usr/share/containers/seccomp.json"
# Used to change the name of the default AppArmor profile of CRI-O. The default
# profile name is "crio-default-" followed by the version string of CRI-O.
apparmor_profile = "crio-default"
# Cgroup management implementation used for the runtime.
cgroup_manager = "systemd"
# List of default capabilities for containers. If it is empty or commented out,
# only the capabilities defined in the containers json file by the user/kube
# will be added.
default_capabilities = [
"CHOWN",
"DAC_OVERRIDE",
"FSETID",
"FOWNER",
"NET_RAW",
"SETGID",
"SETUID",
"SETPCAP",
"NET_BIND_SERVICE",
"SYS_CHROOT",
"KILL",
]
# List of default sysctls. If it is empty or commented out, only the sysctls
# defined in the container json file by the user/kube will be added.
default_sysctls = [
]
# List of additional devices. specified as
# "<device-on-host>:<device-on-container>:<permissions>", for example: "--device=/dev/sdc:/dev/xvdc:rwm".
#If it is empty or commented out, only the devices
# defined in the container json file by the user/kube will be added.
additional_devices = [
]
# Path to OCI hooks directories for automatically executed hooks.
hooks_dir = [
]
# List of default mounts for each container. **Deprecated:** this option will
# be removed in future versions in favor of default_mounts_file.
default_mounts = [
]
# Path to the file specifying the defaults mounts for each container. The
# format of the config is /SRC:/DST, one mount per line. Notice that CRI-O reads
# its default mounts from the following two files:
#
# 1) /etc/containers/mounts.conf (i.e., default_mounts_file): This is the
# override file, where users can either add in their own default mounts, or
# override the default mounts shipped with the package.
#
# 2) /usr/share/containers/mounts.conf: This is the default file read for
# mounts. If you want CRI-O to read from a different, specific mounts file,
# you can change the default_mounts_file. Note, if this is done, CRI-O will
# only add mounts it finds in this file.
#
#default_mounts_file = ""
# Maximum number of processes allowed in a container.
pids_limit = 1024
# Maximum sized allowed for the container log file. Negative numbers indicate
# that no size limit is imposed. If it is positive, it must be >= 8192 to
# match/exceed conmon's read buffer. The file is truncated and re-opened so the
# limit is never exceeded.
log_size_max = -1
# Whether container output should be logged to journald in addition to the kuberentes log file
log_to_journald = false
# Path to directory in which container exit files are written to by conmon.
container_exits_dir = "/var/run/crio/exits"
# Path to directory for container attach sockets.
container_attach_socket_dir = "/var/run/crio"
# If set to true, all containers will run in read-only mode.
read_only = false
# Changes the verbosity of the logs based on the level it is set to. Options
# are fatal, panic, error, warn, info, and debug.
log_level = "error"
# The UID mappings for the user namespace of each container. A range is
# specified in the form containerUID:HostUID:Size. Multiple ranges must be
# separated by comma.
uid_mappings = ""
# The GID mappings for the user namespace of each container. A range is
# specified in the form containerGID:HostGID:Size. Multiple ranges must be
# separated by comma.
gid_mappings = ""
# The minimal amount of time in seconds to wait before issuing a timeout
# regarding the proper termination of the container.
ctr_stop_timeout = 0
# The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
# The runtime to use is picked based on the runtime_handler provided by the CRI.
# If no runtime_handler is provided, the runtime will be picked based on the level
# of trust of the workload.
[crio.runtime.runtimes.runc]
runtime_path = "/usr/lib/cri-o-runc/sbin/runc"
runtime_type = ""
# The crio.image table contains settings pertaining to the management of OCI images.
#
# CRI-O reads its configured registries defaults from the system wide
# containers-registries.conf(5) located in /etc/containers/registries.conf. If
# you want to modify just CRI-O, you can change the registries configuration in
# this file. Otherwise, leave insecure_registries and registries commented out to
# use the system's defaults from /etc/containers/registries.conf.
[crio.image]
# Default transport for pulling images from a remote container storage.
default_transport = "docker://"
# The path to a file containing credentials necessary for pulling images from
# secure registries. The file is similar to that of /var/lib/kubelet/config.json
global_auth_file = ""
# The image used to instantiate infra containers.
pause_image = "k8s.gcr.io/pause:3.1"
# The path to a file containing credentials specific for pulling the pause_image from
# above. The file is similar to that of /var/lib/kubelet/config.json
pause_image_auth_file = ""
# The command to run to have a container stay in the paused state.
pause_command = "/pause"
# Path to the file which decides what sort of policy we use when deciding
# whether or not to trust an image that we've pulled. It is not recommended that
# this option be used, as the default behavior of using the system-wide default
# policy (i.e., /etc/containers/policy.json) is most often preferred. Please
# refer to containers-policy.json(5) for more details.
signature_policy = ""
# Controls how image volumes are handled. The valid values are mkdir, bind and
# ignore; the latter will ignore volumes entirely.
image_volumes = "mkdir"
# List of registries to be used when pulling an unqualified image (e.g.,
# "alpine:latest"). By default, registries is set to "docker.io" for
# compatibility reasons. Depending on your workload and usecase you may add more
# registries (e.g., "quay.io", "registry.fedoraproject.org",
# "registry.opensuse.org", etc.).
#registries = [
# "quay.io",
# "docker.io",
#]
registries = [
"docker.io",
"quay.io",
"registry.fedoraproject.org",
]
# The crio.network table containers settings pertaining to the management of
# CNI plugins.
[crio.network]
# Path to the directory where CNI configuration files are located.
network_dir = "/etc/cni/net.d/"
# Paths to directories where CNI plugin binaries are located.
plugin_dirs = [
"/opt/cni/bin",
]

9
files/LFS258/SOLUTIONS/s_03/daemon.json Normal file
View File

@@ -0,0 +1,9 @@
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2"
}

43
files/LFS258/SOLUTIONS/s_03/first.yaml Normal file
View File

@@ -0,0 +1,43 @@
# Already edited file to remove unique values
# Port information not yet added.
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "1"
generation: 1
labels:
run: nginx
name: nginx
namespace: default
spec:
replicas: 1
selector:
matchLabels:
run: nginx
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
run: nginx
spec:
containers:
- image: nginx
imagePullPolicy: Always
name: nginx
ports:
- containerPort: 80
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30

6
files/LFS258/SOLUTIONS/s_03/kubeadm-config.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: 1.22.1
controlPlaneEndpoint: "k8s-master:6443"
networking:
podSubnet: 10.20.0.0/16

37
files/LFS258/SOLUTIONS/s_03/kubeadm-containerd.yaml Normal file
View File

@@ -0,0 +1,37 @@
apiVersion: kubeadm.k8s.io/v1beta3
bootstrapTokens:
- groups:
- system:bootstrappers:kubeadm:default-node-token
token: abcdef.0123456789abcdef
ttl: 24h0m0s
usages:
- signing
- authentication
kind: InitConfiguration
localAPIEndpoint:
advertiseAddress: 1.2.3.4
bindPort: 6443
nodeRegistration:
criSocket: /var/run/dockershim.sock
imagePullPolicy: IfNotPresent
name: node
taints: null
---
apiServer:
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns: {}
etcd:
local:
dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: 1.22.0
networking:
dnsDomain: cluster.local
serviceSubnet: 10.96.0.0/12
scheduler: {}

77
files/LFS258/SOLUTIONS/s_03/kubeadm-crio.yaml Normal file
View File

@@ -0,0 +1,77 @@
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
- system:bootstrappers:kubeadm:default-node-token
token: abcdef.0123456789abcdef
ttl: 24h0m0s
usages:
- signing
- authentication
kind: InitConfiguration
localAPIEndpoint:
bindPort: 6443
nodeRegistration:
criSocket: unix:///var/run/crio/crio.sock
name: k8scp
taints: null
---
apiServer:
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
type: CoreDNS
etcd:
local:
dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: 1.22.1
networking:
dnsDomain: cluster.local
serviceSubnet: 10.96.0.0/12
podSubnet: 192.168.0.0/16
scheduler: {}
---
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 0s
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 0s
cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
logging: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
resolvConf: /run/systemd/resolve/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s

13
files/LFS258/SOLUTIONS/s_03/low-resource-range.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: LimitRange
metadata:
name: low-resource-range
spec:
limits:
- default:
cpu: 1
memory: 500Mi
defaultRequest:
cpu: 0.5
memory: 100Mi
type: Container

67
files/LFS258/SOLUTIONS/s_03/second.yaml Normal file
View File

@@ -0,0 +1,67 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "2"
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"generation":1,"labels":{"run":"nginx"},"name":"nginx","namespace":"default"},"spec":{"replicas":1,"selector":{"matchLabels":{"run":"nginx"}},"strategy":{"rollingUpdate":{"maxSurge":1,"maxUnavailable":1},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"run":"nginx"}},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30}}}}
creationTimestamp: 2017-10-25T16:09:08Z
generation: 2
labels:
run: nginx
name: nginx
namespace: default
resourceVersion: "1820"
uid: d51d309a-b99e-11e7-894c-0a77bb381638
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 2
selector:
matchLabels:
run: nginx
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
run: nginx
spec:
containers:
- image: nginx
imagePullPolicy: Always
name: nginx
ports:
- containerPort: 80
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
status:
availableReplicas: 1
conditions:
- lastTransitionTime: 2017-10-25T16:09:08Z
lastUpdateTime: 2017-10-25T16:09:08Z
message: Deployment has minimum availability.
reason: MinimumReplicasAvailable
status: "True"
type: Available
- lastTransitionTime: 2017-10-25T16:12:29Z
lastUpdateTime: 2017-10-25T16:12:32Z
message: ReplicaSet "nginx-1423793266" has successfully progressed.
reason: NewReplicaSetAvailable
status: "True"
type: Progressing
observedGeneration: 2
readyReplicas: 1
replicas: 1
updatedReplicas: 1

56
files/LFS258/SOLUTIONS/s_04/hog.yaml Normal file
View File

@@ -0,0 +1,56 @@
# Edited to contain commented-out stress arguments. Remove
# the comments to pass those values to the container.
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "1"
generation: 1
labels:
app: hog
name: hog
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: hog
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: hog
spec:
containers:
- image: vish/stress
imagePullPolicy: Always
name: hog
resources:
limits:
# cpu: "1"
memory: "4Gi"
requests:
# cpu: "0.5"
memory: "2500Mi"
# args:
# - -cpus
# - "2"
# - -mem-total
# - "1950Mi"
# - -mem-alloc-size
# - "100Mi"
# - -mem-alloc-sleep
# - "1s"
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30

54
files/LFS258/SOLUTIONS/s_04/hog2.yaml Normal file
View File

@@ -0,0 +1,54 @@
# Edited to contain new namespace
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "1"
generation: 1
labels:
run: hog
name: hog
namespace: low-usage-limit
spec:
replicas: 1
selector:
matchLabels:
run: hog
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
run: hog
spec:
containers:
- image: vish/stress
imagePullPolicy: Always
name: hog
resources:
limits:
cpu: "1"
memory: "4Gi"
requests:
cpu: "0.5"
memory: "2500Mi"
args:
- -cpus
- "2"
- -mem-total
- "1950Mi"
- -mem-alloc-size
- "100Mi"
- -mem-alloc-sleep
- "1s"
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30

13
files/LFS258/SOLUTIONS/s_04/low-resource-range.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: LimitRange
metadata:
name: low-resource-range
spec:
limits:
- default:
cpu: 1
memory: 500Mi
defaultRequest:
cpu: 0.5
memory: 100Mi
type: Container

20
files/LFS258/SOLUTIONS/s_05/curlpod.json Normal file
View File

@@ -0,0 +1,20 @@
{
"kind": "Pod",
"apiVersion": "v1",
"metadata":{
"name": "curlpod",
"namespace": "default",
"labels": {
"name": "examplepod"
}
},
"spec": {
"containers": [{
"name": "nginx",
"image": "nginx",
"ports": [{"containerPort": 80}]
}]
}
}

19
files/LFS258/SOLUTIONS/s_06/cron-job.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: date
spec:
schedule: "*/1 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: dateperminute
image: busybox
args:
- /bin/sh
- -c
- date; sleep 30
restartPolicy: OnFailure

18
files/LFS258/SOLUTIONS/s_06/cronjob.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: sleepy
spec:
schedule: "*/2 * * * *"
jobTemplate:
spec:
template:
spec:
containers:
- name: resting
image: busybox
command: ["/bin/sleep"]
args: ["5"]
restartPolicy: Never

14
files/LFS258/SOLUTIONS/s_06/job.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: batch/v1
kind: Job
metadata:
name: sleepy
spec:
template:
spec:
containers:
- name: resting
image: busybox
command: ["/bin/sleep"]
args: ["3"]
restartPolicy: Never

19
files/LFS258/SOLUTIONS/s_07/ds.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: ds-one
spec:
selector:
matchLabels:
system: DaemonSetOne
template:
metadata:
labels:
system: DaemonSetOne
spec:
containers:
- name: nginx
image: nginx:1.11.1
ports:
- containerPort: 80

38
files/LFS258/SOLUTIONS/s_07/ds2.yaml Normal file
View File

@@ -0,0 +1,38 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
creationTimestamp: 2017-10-25T19:59:25Z
generation: 3
labels:
system: DaemonSetOne
name: ds-two
namespace: default
spec:
revisionHistoryLimit: 10
selector:
matchLabels:
system: DaemonSetOne
template:
metadata:
creationTimestamp: null
labels:
system: DaemonSetOne
spec:
containers:
- image: nginx:1.11.1
imagePullPolicy: IfNotPresent
name: nginx
ports:
- containerPort: 80
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
templateGeneration: 3
updateStrategy:
type: RollingUpdate

19
files/LFS258/SOLUTIONS/s_07/rs.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: apps/v1
kind: ReplicaSet
metadata:
name: rs-one
spec:
replicas: 2
selector:
matchLabels:
system: ReplicaOne
template:
metadata:
labels:
system: ReplicaOne
spec:
containers:
- name: nginx
image: nginx:1.15.1
ports:
- containerPort: 80

14
files/LFS258/SOLUTIONS/s_08/PVol.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: pvvol-1
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
nfs:
path: /opt/sfw
server: k8scp #<-- Edit to match cp node
readOnly: false

9
files/LFS258/SOLUTIONS/s_08/car-map.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: fast-car
namespace: default
data:
car.make: Ford
car.model: Mustang
car.trim: Shelby

48
files/LFS258/SOLUTIONS/s_08/nfs-pod.yaml Normal file
View File

@@ -0,0 +1,48 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "1"
generation: 1
labels:
run: nginx
name: nginx-nfs #<-- Edit name
namespace: default
spec:
replicas: 1
selector:
matchLabels:
run: nginx
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
run: nginx
spec:
containers:
- image: nginx
imagePullPolicy: Always
name: nginx
volumeMounts:
- name: nfs-vol
mountPath: /opt
ports:
- containerPort: 80
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumes: #<<-- These four lines
- name: nfs-vol
persistentVolumeClaim:
claimName: pvc-one
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30

10
files/LFS258/SOLUTIONS/s_08/pvc.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc-one
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 200Mi

14
files/LFS258/SOLUTIONS/s_08/simpleshell.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: shell-demo
spec:
containers:
- name: nginx
image: nginx
env:
- name: ilike
valueFrom:
configMapKeyRef:
name: colors
key: favorite

8
files/LFS258/SOLUTIONS/s_08/storage-quota.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: v1
kind: ResourceQuota
metadata:
name: storagequota
spec:
hard:
persistentvolumeclaims: "10"
requests.storage: "500Mi"

11
files/LFS258/SOLUTIONS/s_09/nettool.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: ubuntu
spec:
containers:
- name: ubuntu
image: ubuntu:latest
command: [ "sleep" ]
args: [ "infinity" ]

41
files/LFS258/SOLUTIONS/s_09/nginx-one.yaml Normal file
View File

@@ -0,0 +1,41 @@
apiVersion: apps/v1
# Determines YAML versioned schema.
kind: Deployment
# Describes the resource defined in this file.
metadata:
name: nginx-one
labels:
system: secondary
# Required string which defines object within namespace.
namespace: accounting
# Existing namespace resource will be deployed into.
spec:
selector:
matchLabels:
system: secondary
# Declaration of the label for the deployment to manage
replicas: 2
# How many Pods of following containers to deploy
template:
metadata:
labels:
system: secondary
# Some string meaningful to users, not cluster. Keys
# must be unique for each object. Allows for mapping
# to customer needs.
spec:
containers:
# Array of objects describing containerized application with a Pod.
# Referenced with shorthand spec.template.spec.containers
- image: nginx:1.20.1
# The Docker image to deploy
imagePullPolicy: Always
name: nginx
# Unique name for each container, use local or Docker repo image
ports:
- containerPort: 8080
protocol: TCP
# Optional resources this container may need to function.
nodeSelector:
system: secondOne
# One method of node affinity.

14
files/LFS258/SOLUTIONS/s_10/db1-vol.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: dbvol-1
spec:
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nfs:
path: /opt/sfw
server: k8scp #<-- Edit to match cp node
readOnly: false

14
files/LFS258/SOLUTIONS/s_10/db2-vol.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: dbvol-2
spec:
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
nfs:
path: /opt/sfw
server: k8scp #<-- Edit to match cp node
readOnly: false

37
files/LFS258/SOLUTIONS/s_11/ingress.rbac.yaml Normal file
View File

@@ -0,0 +1,37 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: kube-system

16
files/LFS258/SOLUTIONS/s_11/ingress.rule.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-test
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
- host: www.example.com
http:
paths:
- backend:
serviceName: secondapp
servicePort: 80
path: /

22
files/LFS258/SOLUTIONS/s_11/ingress.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-test
annotations:
kubernetes.io/ingress.class: nginx
namespace: default
spec:
rules:
- host: www.external.com
http:
paths:
- backend:
service:
name: web-one
port:
number: 80
path: /
pathType: ImplementationSpecific
status:
loadBalancer: {}

9
files/LFS258/SOLUTIONS/s_11/setupLinkerd.txt Normal file
View File

@@ -0,0 +1,9 @@
curl -sL run.linkerd.io/install | sh
export PATH=$PATH:/home/student/.linkerd2/bin
linkerd check --pre
linkerd install | kubectl apply -f -
linkerd check
linkerd viz install | kubectl apply -f -
linkerd viz check
linkerd viz dashboard &

58
files/LFS258/SOLUTIONS/s_11/traefik-ds.yaml Normal file
View File

@@ -0,0 +1,58 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
namespace: kube-system
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: traefik-ingress-controller
namespace: kube-system
labels:
k8s-app: traefik-ingress-lb
spec:
selector:
matchLabels:
name: traefik-ingress-lb
template:
metadata:
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
hostNetwork: True
containers:
- image: traefik:1.7.13
name: traefik-ingress-lb
ports:
- name: http
containerPort: 80
hostPort: 80
- name: admin
containerPort: 8080
hostPort: 8080
args:
- --api
- --kubernetes
- --logLevel=INFO
---
kind: Service
apiVersion: v1
metadata:
name: traefik-ingress-service
namespace: kube-system
spec:
selector:
k8s-app: traefik-ingress-lb
ports:
- protocol: TCP
port: 80
name: web
- protocol: TCP
port: 8080
name: admin

19
files/LFS258/SOLUTIONS/s_12/taint.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: taint-deployment
spec:
replicas: 8
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.20.1
ports:
- containerPort: 80

28
files/LFS258/SOLUTIONS/s_12/vip.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: v1
kind: Pod
metadata:
name: vip
spec:
containers:
- name: vip1
image: busybox
args:
- sleep
- "1000000"
- name: vip2
image: busybox
args:
- sleep
- "1000000"
- name: vip3
image: busybox
args:
- sleep
- "1000000"
- name: vip4
image: busybox
args:
- sleep
- "1000000"
nodeSelector:
status: vip

41
files/LFS258/SOLUTIONS/s_14/crd.yaml Normal file
View File

@@ -0,0 +1,41 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
# name must match the spec fields below, and be in the form: <plural>.<group>
name: crontabs.stable.example.com
spec:
# group name to use for REST API: /apis/<group>/<version>
group: stable.example.com
# list of versions supported by this CustomResourceDefinition
versions:
- name: v1
# Each version can be enabled/disabled by Served flag.
served: true
# One and only one version must be marked as the storage version.
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
cronSpec:
type: string
image:
type: string
replicas:
type: integer
# either Namespaced or Cluster
scope: Namespaced
names:
# plural name to be used in the URL: /apis/<group>/<version>/<plural>
plural: crontabs
# singular name to be used as an alias on the CLI and for display
singular: crontab
# kind is normally the CamelCased singular type. Your resource manifests use this.
kind: CronTab
# shortNames allow shorter string to match your resource on the CLI
shortNames:
- ct

10
files/LFS258/SOLUTIONS/s_14/new-crontab.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: "stable.example.com/v1"
# This is from the group and version of new CRD
kind: CronTab
# The kind from the new CRD
metadata:
name: new-cron-object
spec:
cronSpec: "*/5 * * * *"
image: some-cron-image
#Does not exist

10
files/LFS258/SOLUTIONS/s_15/role-dev.yaml Normal file
View File

@@ -0,0 +1,10 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: development
name: developer
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["list", "get", "watch", "create", "update", "patch", "delete"]
# You can use ["*"] for all verbs

9
files/LFS258/SOLUTIONS/s_15/role-prod.yaml Normal file
View File

@@ -0,0 +1,9 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: production
name: dev-prod
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch"] # You can also use ["*"]

9
files/LFS258/SOLUTIONS/s_15/role.yaml Normal file
View File

@@ -0,0 +1,9 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: development
name: developer
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["deployments", "replicasets", "pods"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]

13
files/LFS258/SOLUTIONS/s_15/rolebind.yaml Normal file
View File

@@ -0,0 +1,13 @@
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: developer-role-binding
namespace: development
subjects:
- kind: User
name: DevDan
apiGroup: ""
roleRef:
kind: Role
name: developer
apiGroup: ""

13
files/LFS258/SOLUTIONS/s_15/rolebindprod.yaml Normal file
View File

@@ -0,0 +1,13 @@
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: production-role-binding #<-- Edit to production
namespace: production #<-- Also here
subjects:
- kind: User
name: DevDan
apiGroup: ""
roleRef:
kind: Role
name: dev-prod #<-- Also this
apiGroup: ""

55
files/LFS258/SOLUTIONS/s_16/haproxy.cfg Normal file
View File

@@ -0,0 +1,55 @@
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode tcp
option tcplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend proxynode
bind *:80
bind *:6443
stats uri /proxystats
default_backend k8sServers
backend k8sServers
balance roundrobin
server cp1 10.128.0.24:6443 check #<-- Edit with your IP addresses.
# server cp2 10.128.0.30:6443 check
# server cp3 10.128.0.66:6443 check
listen stats
bind :9999
mode http
stats enable
stats hide-version
stats uri /stats

9
files/LFS258/SOLUTIONS/s_A/review1.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: v1
kind: Pod
metadata:
name: break1
spec:
containers:
- name: mountain-region
image: nginx:1.11-apline

53
files/LFS258/SOLUTIONS/s_A/review2.yaml Normal file
View File

@@ -0,0 +1,53 @@
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "1"
labels:
app: break2
name: break2
namespace: default
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: break2
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: break2
spec:
containers:
- image: nginx
imagePullPolicy: Always
name: brokenapp
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
- name: goproxy
image: k8s.gcr.io/goproxy:0.1
readinessProbe:
tcpSocket:
port: 808
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
tcpSocket:
port: 808
initialDelaySeconds: 15
periodSeconds: 20
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
status:

28
files/LFS258/SOLUTIONS/s_A/review3.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: v1
kind: Pod
metadata:
name: design-pod1
spec:
containers:
- image: vish/stress
name: design-pod1
resources:
limits:
cpu: "2.22"
memory: "567Mi"
requests:
cpu: "0.3"
memory: "456Mi"
args:
- -cpus
- "1"
- -mem-total
- "1036Mi"
- -mem-alloc-size
- "500Mi"
- -mem-alloc-sleep
- "1s"
#Domain CPU requirements

28
files/LFS258/SOLUTIONS/s_A/review4.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: v1
kind: Pod
metadata:
name: design-pod1
spec:
containers:
- image: vish/stress
name: design-pod1
resources:
limits:
cpu: "2.22"
memory: "567Mi"
requests:
cpu: "0.3"
memory: "456Mi"
args:
- -cpus
- "1"
- -mem-total
- "1036Mi"
- -mem-alloc-size
- "500Mi"
- -mem-alloc-sleep
- "1s"
#Domain CPU requirements

46
files/LFS258/SOLUTIONS/s_A/review5.yaml Normal file
View File

@@ -0,0 +1,46 @@
apiVersion: v1
kind: List
items:
- apiVersion: v1
kind: Pod
metadata:
labels:
review: tux
name: label-pod1
spec:
containers:
- image: nginx
name: design-a
- apiVersion: v1
kind: Pod
metadata:
labels:
review: tux
name: label-pod2
spec:
containers:
- image: nginx
name: design-b
- apiVersion: v1
kind: Pod
metadata:
labels:
linux: rocks
name: label-pod3
spec:
containers:
- image: nginx
name: design-c
- apiVersion: v1
kind: Pod
metadata:
labels:
domain: review
name: label-pod4
spec:
containers:
- image: nginx
name: design-d
# Create pods with selectors

13
files/LFS258/SOLUTIONS/s_A/review6.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
name: securityreview
spec:
securityContext:
runAsUser: 2100
containers:
- name: webguy
image: nginx
securityContext:
runAsUser: 3000
allowPrivilegeEscalation: false

53
files/LFS258/SOLUTIONS/s_A/review7.yaml Normal file
View File

@@ -0,0 +1,53 @@
apiVersion: extensions/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "1"
generation: 1
labels:
run: igottrouble
name: igottrouble
spec:
replicas: 0
selector:
matchLabels:
run: ugottrouble
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
run: igottrouble
spec:
containers:
- image: vish/stress
imagePullPolicy: Always
name: igottrouble
resources:
limits:
cpu: "1"
memory: "1Gi"
requests:
cpu: "2.5"
memory: "500Mi"
args:
- -cpus
- "2"
- -mem-total
- "1950Mi"
- -mem-alloc-size
- "100Mi"
- -mem-alloc-sleep
- "1s"
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30

6
files/kubeadm-config.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: 1.22.1
controlPlaneEndpoint: "k8s-master:6443"
networking:
podSubnet: 10.20.0.0/16

77
files/kubeadm-crio.yaml Normal file
View File

@@ -0,0 +1,77 @@
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
- system:bootstrappers:kubeadm:default-node-token
token: abcdef.0123456789abcdef
ttl: 24h0m0s
usages:
- signing
- authentication
kind: InitConfiguration
localAPIEndpoint:
bindPort: 6443
nodeRegistration:
criSocket: unix:///var/run/crio/crio.sock
name: k8s-master
taints: null
---
apiServer:
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
type: CoreDNS
etcd:
local:
dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: 1.22.1
networking:
dnsDomain: cluster.local
serviceSubnet: 10.96.0.0/12
podSubnet: 10.20.0.0/16
scheduler: {}
---
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 0s
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 0s
cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
kind: KubeletConfiguration
logging: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
resolvConf: /run/systemd/resolve/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s

35
install_crio.yml Normal file
View File

@@ -0,0 +1,35 @@
- name: Add keyring of CRI-O repo
apt_key:
url: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o/Debian_11/Release.key
state: present
- name: Add keyring of CRI-O repo
apt_key:
url: https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.22/Debian_11/Release.key
state: present
- name: Add CRI-O Repo
apt_repository:
repo: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_11/ /"
state: present
filename: "devel:kubic:libcontainers:stable.list"
- name: Add CRI-O Repo
apt_repository:
repo: "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.22/Debian_11/ /"
state: present
filename: "devel:kubic:libcontainers:stable:cri-o:Debian_11.list"
- name: Install CRI-O
apt:
name: "{{ item }}"
update_cache: true
loop:
- cri-o
- cri-o-runc
- name: Enable CRI-O Service
systemd:
name: crio
state: started
enabled: true

68
install_kubernetes.yml Normal file
View File

@@ -0,0 +1,68 @@
- name: Install prerequisits
apt:
name: "{{ item }}"
update_cache: true
loop:
- apt-transport-https
- ca-certificates
- curl
- name: Enable modules
community.general.modprobe:
name: "{{ item }}"
state: present
loop:
- overlay
- br_netfilter
- name: Enable modules persistantly
lineinfile:
path: /etc/modules
line: "{{ item }}"
state: present
insertafter: EOF
loop:
- overlay
- br_netfilter
- name: Set br_netfilter sysctl parameters
ansible.posix.sysctl:
name: "{{ item }}"
state: present
value: '1'
sysctl_set: true
sysctl_file: /etc/sysctl.d/99-kubernetes-cri.conf
loop:
- net.bridge.bridge-nf-call-iptables
- net.ipv4.ip_forward
- net.bridge.bridge-nf-call-ip6tables
- name: Install kubernetes repo key
apt_key:
url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
state: present
- name: Install kubernetes repo
apt_repository:
repo: "deb https://apt.kubernetes.io/ kubernetes-xenial main"
state: present
filename: kubernetes
- name: Install kubeadm
apt:
name: "{{ item }}"
allow_downgrade: true
state: present
loop:
- "kubectl=1.22.1-00"
- "kubelet=1.22.1-00"
- "kubeadm=1.22.1-00"
- name: Hold kubeadm
dpkg_selections:
name: "{{ item }}"
selection: hold
loop:
- kubeadm
- kubelet
- kubectl

11
inventory
View File

@@ -1,8 +1,15 @@
[k8s]
[k8s_nodes]
k8s-node01 ansible_user=tim
k8s-node02 ansible_user=tim
k8s-node03 ansible_user=tim
k8s-node04 ansible_user=tim
[k8s_master]
k8s-master ansible_user=pi
k8s-master ansible_user=tim
[k8s:children]
k8s_master
k8s_master
k8s_nodes

34
k8s_master.yml Normal file
View File

@@ -0,0 +1,34 @@
- name: Get Calico Definition
get_url:
url: https://docs.projectcalico.org/manifests/calico.yaml
dest: /tmp/calico.yml
delegate_to: k8s-master
run_once: true
- name: Copy kubeadm-crio.yaml to k8s-master
ansible.builtin.copy:
src: "files/{{ item }}"
dest: "/root/{{ item }}"
owner: root
group: root
mode: '0644'
loop:
- "kubeadm-crio.yaml"
- "kubeadm-config.yaml"
delegate_to: k8s-master
run_once: true
- name: Init Cluster
shell: >
kubeadm init --config=/root/kubeadm-config.yaml --upload-certs | tee kubeadm-init.out
register: kubeadm_init
delegate_to: k8s-master
run_once: true
- debug:
msg: "{{ kubeadm_init.stdout }}"
run_once: true
- name: enable Calico
shell: kubectl apply -f /tmp/calico.yaml

0
k8s_nodes.yml Normal file
View File

0
kube-crio.yaml Normal file
View File

26
setup.yml
View File

@@ -1,10 +1,28 @@
---
- name: Install and deplo a k8s cluster
hosts: k8s
become: True
vars:
enable_display: true
install_crio: true
install_kubernetes: true
etchostsupdate: true
tasks:
- name: Update all packages with APT
apt:
update_cache: True
upgrade: dist
- include_tasks:
file: tweak_rpi4.yaml
- include_tasks:
file: etchostsupdate.yaml
when: etchostsupdate
- include_tasks:
file: enable_display.yml
when: enable_display
- include_tasks:
file: install_crio.yml
when: install_crio
- include_tasks:
file: install_kubernetes.yml
when: install_kubernetes
- include_tasks:
file: k8s_master.yml

16
templates/etchosts.j2 Normal file
View File

@@ -0,0 +1,16 @@
# {{ ansible_managed }}
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
# The following lines are desirable for IPv6 capable hosts.
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# Network nodes as generated through Ansible.
{% for host in play_hosts %}
{% if 'ansible_eth0' in hostvars[host] %}
{{ hostvars[host]['ansible_eth0']['ipv4']['address'] }} {{ host }}
{% endif %}
{% endfor %}

25
tweak_rpi4.yaml Normal file
View File

@@ -0,0 +1,25 @@
---
- name: Enable container features
replace:
path: /boot/cmdline.txt
regexp: '^([\w](?!.*\b{{ item }}\b).*)$'
replace: '\1 {{ item }}'
with_items:
- "cgroup_enable=cpuset"
- "cgroup_memory=1"
- "cgroup_enable=memory"
- "wapaccount=1"
register: cmdline
- name: Set Swappoff in conf file
lineinfile:
path: /etc/dphys-swapfile
line: CONF_SWAPSIZE=0
state: present
insertafter: EOF
register: swap
- name: Unconditionally reboot the machine with all defaults
reboot:
when: cmdline.changed or swap.changed