From 4e225fdaf5b34b1fb63154b8e9baeae9593671ef Mon Sep 17 00:00:00 2001
From: Jerome Petazzoni
Date: Sun, 2 Jun 2019 14:06:13 -0500
Subject: [PATCH 1/2] Add 2-day admin curriculum
---
 slides/kadm-twoday.yml | 68 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 slides/kadm-twoday.yml
diff --git a/slides/kadm-twoday.yml b/slides/kadm-twoday.yml
new file mode 100644
index 00000000..79444599
--- /dev/null
+++ b/slides/kadm-twoday.yml
@@ -0,0 +1,68 @@
+title: |
+ Kubernetes
+ for administrators
+ and operators
+
+#chat: "[Slack](https://dockercommunity.slack.com/messages/C7GKACWDV)"
+#chat: "[Gitter](https://gitter.im/jpetazzo/workshop-yyyymmdd-city)"
+chat: "In person!"
+
+gitrepo: github.com/jpetazzo/container.training
+
+slides: http://container.training/
+
+exclude:
+- self-paced
+
+chapters:
+- shared/title.md
+- logistics.md
+- k8s/intro.md
+- shared/about-slides.md
+- shared/toc.md
+# DAY 1
+- - k8s/prereqs-admin.md
+ - k8s/architecture.md
+ - k8s/deploymentslideshow.md
+ - k8s/dmuc.md
+- - k8s/multinode.md
+ - k8s/cni.md
+- - k8s/apilb.md
+ - k8s/setup-managed.md
+ - k8s/setup-selfhosted.md
+ - k8s/cluster-upgrade.md
+ - k8s/staticpods.md
+- - k8s/cluster-backup.md
+ - k8s/cloud-controller-manager.md
+ - k8s/healthchecks.md
+ - k8s/healthchecks-more.md
+# DAY 2
+- - k8s/logs-cli.md
+ - k8s/logs-centralized.md
+ - k8s/authn-authz.md
+ - k8s/csr-api.md
+- - k8s/openid-connect.md
+ - k8s/control-plane-auth.md
+ ###- k8s/bootstrap.md
+ - k8s/netpol.md
+ - k8s/podsecuritypolicy.md
+- - k8s/resource-limits.md
+ - k8s/metrics-server.md
+ - k8s/cluster-sizing.md
+ - k8s/horizontal-pod-autoscaler.md
+- - k8s/prometheus.md
+ - k8s/extending-api.md
+ - k8s/operators.md
+ ###- k8s/operators-design.md
+# CONCLUSION
+- - k8s/lastwords-admin.md
+ - k8s/links.md
+ - shared/thankyou.md
+ - |
+ # (All content after this slide is bonus material)
+# EXTRA
+- - k8s/volumes.md
+ - k8s/configuration.md
+ - k8s/statefulsets.md
+ - k8s/local-persistent-volumes.md
+ - k8s/portworx.md
From f809faadb9566e4dd52c7ac3b4fd85625de50f96 Mon Sep 17 00:00:00 2001
From: Jerome Petazzoni
Date: Sun, 2 Jun 2019 19:39:09 -0500
Subject: [PATCH 2/2] Merge YAML files to master branch
I'd like to use these YAML files without having to tell people to explicitly check a specific branch. So I'm merging the YAML files right away. I'm not merging the Markdown content so that it can be reviewed further.
---
 k8s/elasticsearch-cluster.yaml | 21 ++++
 k8s/elasticsearch-operator.yaml | 94 ++++++++++++++++++
 k8s/filebeat.yaml | 167 ++++++++++++++++++++++++++++++++
 k8s/local-path-storage.yaml | 110 +++++++++++++++++++++
 4 files changed, 392 insertions(+)
 create mode 100644 k8s/elasticsearch-cluster.yaml
 create mode 100644 k8s/elasticsearch-operator.yaml
 create mode 100644 k8s/filebeat.yaml
 create mode 100644 k8s/local-path-storage.yaml
diff --git a/k8s/elasticsearch-cluster.yaml b/k8s/elasticsearch-cluster.yaml
new file mode 100644
index 00000000..23d8108d
--- /dev/null
+++ b/k8s/elasticsearch-cluster.yaml
@@ -0,0 +1,21 @@
+apiVersion: enterprises.upmc.com/v1
+kind: ElasticsearchCluster
+metadata:
+ name: es
+spec:
+ kibana:
+ image: docker.elastic.co/kibana/kibana-oss:6.1.3
+ image-pull-policy: Always
+ cerebro:
+ image: upmcenterprises/cerebro:0.7.2
+ image-pull-policy: Always
+ elastic-search-image: upmcenterprises/docker-elasticsearch-kubernetes:6.1.3_0
+ image-pull-policy: Always
+ client-node-replicas: 2
+ master-node-replicas: 3
+ data-node-replicas: 3
+ network-host: 0.0.0.0
+ use-ssl: false
+ data-volume-size: 10Gi
+ java-options: "-Xms512m -Xmx512m"
+
diff --git a/k8s/elasticsearch-operator.yaml b/k8s/elasticsearch-operator.yaml
new file mode 100644
index 00000000..0049541e
--- /dev/null
+++ b/k8s/elasticsearch-operator.yaml
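Review bot: `use-ssl: false` combined with `network-host: 0.0.0.0` leaves every Elasticsearch node listening on all interfaces over plaintext, and the `-oss` images used here ship without a security layer as far as I know, so any workload that can reach the `es` services in the cluster can read or alter the indices. That is a reasonable trade-off for a lab cluster, but the manifest does not say so, and a reader copying it into something longer-lived will not know which two keys to flip. I'd put a comment above `use-ssl:` such as `# Lab settings: plaintext transport and no auth — keep this cluster unreachable from outside the training environment` and mention in the same place that `data-volume-size: 10Gi` is sized for the demo. The `image-pull-policy: Always` key also appears at three nesting levels, which looks like copy-paste; confirming whether the operator honours the top-level one would settle whether the other two are needed.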
@@ -0,0 +1,94 @@
+# This is mirrored from https://github.com/upmc-enterprises/elasticsearch-operator/blob/master/example/controller.yaml but using the elasticsearch-operator namespace instead of operator
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: elasticsearch-operator
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: elasticsearch-operator
+ namespace: elasticsearch-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: elasticsearch-operator
+rules:
+- apiGroups: ["extensions"]
+ resources: ["deployments", "replicasets", "daemonsets"]
+ verbs: ["create", "get", "update", "delete", "list"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["create", "get", "update", "delete", "list"]
+- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "create", "delete", "deletecollection"]
+- apiGroups: [""]
+ resources: ["persistentvolumes", "persistentvolumeclaims", "services", "secrets", "configmaps"]
+ verbs: ["create", "get", "update", "delete", "list"]
+- apiGroups: ["batch"]
+ resources: ["cronjobs", "jobs"]
+ verbs: ["create", "get", "deletecollection", "delete"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["list", "get", "watch"]
+- apiGroups: ["apps"]
+ resources: ["statefulsets", "deployments"]
+ verbs: ["*"]
+- apiGroups: ["enterprises.upmc.com"]
+ resources: ["elasticsearchclusters"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: elasticsearch-operator
+ namespace: elasticsearch-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: elasticsearch-operator
+subjects:
+- kind: ServiceAccount
+ name: elasticsearch-operator
+ namespace: elasticsearch-operator
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: elasticsearch-operator
+ namespace: elasticsearch-operator
+spec:
+ replicas: 1
+ template:
+ 
metadata:
+ labels:
+ name: elasticsearch-operator
+ spec:
+ containers:
+ - name: operator
+ image: upmcenterprises/elasticsearch-operator:0.2.0
+ imagePullPolicy: Always
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ ports:
+ - containerPort: 8000
+ name: http
+ livenessProbe:
+ httpGet:
+ path: /live
+ port: 8000
+ initialDelaySeconds: 10
+ timeoutSeconds: 10
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: 8000
+ initialDelaySeconds: 10
+ timeoutSeconds: 5
+ serviceAccount: elasticsearch-operator
diff --git a/k8s/filebeat.yaml b/k8s/filebeat.yaml
new file mode 100644
index 00000000..690e9613
--- /dev/null
+++ b/k8s/filebeat.yaml
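Review bot: The ClusterRole's core-group rule grants create/get/update/delete/list on `secrets` (and `configmaps`, `services`, PVs/PVCs) in every namespace, and the apps rule grants `*` on Deployments and StatefulSets cluster-wide, so the `elasticsearch-operator` ServiceAccount can read every Secret in the cluster; the header comment says only that the namespace was renamed from upstream and gives no hint of that blast radius. Since the file is a mirror, the cheapest fix is to extend the header with a line like `# NOTE: the ClusterRole below grants cluster-wide access to Secrets, ConfigMaps and Services — deploy only on clusters where that is acceptable`, and, if the course only ever creates ElasticsearchCluster objects in one namespace, to check whether the upstream operator can run with a namespaced Role instead. The Deployment uses `extensions/v1beta1` and the deprecated pod field `serviceAccount:`; `apiVersion: apps/v1` (which requires an explicit `selector`) with `serviceAccountName:` would keep it applying on newer clusters — the same `v1beta1` API versions recur in `k8s/filebeat.yaml` (DaemonSet, RBAC) and `k8s/local-path-storage.yaml` (`apps/v1beta2`, RBAC) in this commit. The `namespace:` under the ClusterRoleBinding's metadata is ignored for cluster-scoped objects and is worth dropping so readers do not think the binding is namespaced.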
@@ -0,0 +1,167 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: filebeat-config
+ namespace: kube-system
+ labels:
+ k8s-app: filebeat
+data:
+ filebeat.yml: |-
+ filebeat.config:
+ inputs:
+ # Mounted `filebeat-inputs` configmap:
+ path: ${path.config}/inputs.d/*.yml
+ # Reload inputs configs as they change:
+ reload.enabled: false
+ modules:
+ path: ${path.config}/modules.d/*.yml
+ # Reload module configs as they change:
+ reload.enabled: false
+
+ # To enable hints based autodiscover, remove `filebeat.config.inputs` configuration and uncomment this:
+ #filebeat.autodiscover:
+ # providers:
+ # - type: kubernetes
+ # hints.enabled: true
+
+ processors:
+ - add_cloud_metadata:
+
+ cloud.id: ${ELASTIC_CLOUD_ID}
+ cloud.auth: ${ELASTIC_CLOUD_AUTH}
+
+ output.elasticsearch:
+ hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
+ username: ${ELASTICSEARCH_USERNAME}
+ password: ${ELASTICSEARCH_PASSWORD}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: filebeat-inputs
+ namespace: kube-system
+ labels:
+ k8s-app: filebeat
+data:
+ kubernetes.yml: |-
+ - type: docker
+ containers.ids:
+ - "*"
+ processors:
+ - add_kubernetes_metadata:
+ in_cluster: true
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: filebeat
+ namespace: kube-system
+ labels:
+ k8s-app: filebeat
+spec:
+ template:
+ metadata:
+ labels:
+ k8s-app: filebeat
+ spec:
+ serviceAccountName: filebeat
+ terminationGracePeriodSeconds: 30
+ containers:
+ - name: filebeat
+ image: docker.elastic.co/beats/filebeat-oss:7.0.1
+ args: [
+ "-c", "/etc/filebeat.yml",
+ "-e",
+ ]
+ env:
+ - name: ELASTICSEARCH_HOST
+ value: elasticsearch-es.default.svc.cluster.local
+ - name: ELASTICSEARCH_PORT
+ value: "9200"
+ - name: ELASTICSEARCH_USERNAME
+ value: elastic
+ - name: ELASTICSEARCH_PASSWORD
+ value: changeme
+ - name: ELASTIC_CLOUD_ID
+ value:
+ - name: ELASTIC_CLOUD_AUTH
+ value:
+ securityContext:
+ runAsUser: 0
+ # If using Red Hat OpenShift uncomment 
this:
+ #privileged: true
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ volumeMounts:
+ - name: config
+ mountPath: /etc/filebeat.yml
+ readOnly: true
+ subPath: filebeat.yml
+ - name: inputs
+ mountPath: /usr/share/filebeat/inputs.d
+ readOnly: true
+ - name: data
+ mountPath: /usr/share/filebeat/data
+ - name: varlibdockercontainers
+ mountPath: /var/lib/docker/containers
+ readOnly: true
+ volumes:
+ - name: config
+ configMap:
+ defaultMode: 0600
+ name: filebeat-config
+ - name: varlibdockercontainers
+ hostPath:
+ path: /var/lib/docker/containers
+ - name: inputs
+ configMap:
+ defaultMode: 0600
+ name: filebeat-inputs
+ # data folder stores a registry of read status for all files, so we don't send everything again on a Filebeat pod restart
+ - name: data
+ hostPath:
+ path: /var/lib/filebeat-data
+ type: DirectoryOrCreate
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: filebeat
+subjects:
+- kind: ServiceAccount
+ name: filebeat
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: filebeat
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: filebeat
+ labels:
+ k8s-app: filebeat
+rules:
+- apiGroups: [""] # "" indicates the core API group
+ resources:
+ - namespaces
+ - pods
+ verbs:
+ - get
+ - watch
+ - list
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: filebeat
+ namespace: kube-system
+ labels:
+ k8s-app: filebeat
+---
diff --git a/k8s/local-path-storage.yaml b/k8s/local-path-storage.yaml
new file mode 100644
index 00000000..7374a02a
--- /dev/null
+++ b/k8s/local-path-storage.yaml
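Review bot: `ELASTICSEARCH_PASSWORD` is set to the literal `changeme` (next to `ELASTICSEARCH_USERNAME: elastic`) directly in the DaemonSet's `env:`, so the credential is part of the pod spec and visible to anyone who can read pods in kube-system; the conventional form is a Secret referenced through `valueFrom.secretKeyRef`, which also keeps it out of `kubectl describe` output. Given that the target is the `use-ssl: false` cluster from `k8s/elasticsearch-cluster.yaml` and the image is `filebeat-oss`, the username/password are probably ignored entirely, in which case a comment saying `# no auth on the lab cluster; these two values are placeholders` is the honest minimum. The two bare `value:` entries for `ELASTIC_CLOUD_ID` and `ELASTIC_CLOUD_AUTH` parse as YAML null rather than an empty string, so `value: ""` states the intent and avoids parser-dependent behaviour. `runAsUser: 0` together with the `/var/lib/docker/containers` and `/var/lib/filebeat-data` hostPath volumes is what a node log shipper needs, but a one-line comment on `securityContext` explaining that root is required to read the container log directory would save the next reader from assuming it is an oversight.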
@@ -0,0 +1,110 @@
+# This is a local copy of:
+# https://github.com/rancher/local-path-provisioner/blob/master/deploy/local-path-storage.yaml
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: local-path-storage
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: local-path-provisioner-service-account
+ namespace: local-path-storage
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: local-path-provisioner-role
+ namespace: local-path-storage
+rules:
+- apiGroups: [""]
+ resources: ["nodes", "persistentvolumeclaims"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["endpoints", "persistentvolumes", "pods"]
+ verbs: ["*"]
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "patch"]
+- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: local-path-provisioner-bind
+ namespace: local-path-storage
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: local-path-provisioner-role
+subjects:
+- kind: ServiceAccount
+ name: local-path-provisioner-service-account
+ namespace: local-path-storage
+---
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: local-path-provisioner
+ namespace: local-path-storage
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: local-path-provisioner
+ template:
+ metadata:
+ labels:
+ app: local-path-provisioner
+ spec:
+ serviceAccountName: local-path-provisioner-service-account
+ containers:
+ - name: local-path-provisioner
+ image: rancher/local-path-provisioner:v0.0.8
+ imagePullPolicy: Always
+ command:
+ - local-path-provisioner
+ - --debug
+ - start
+ - --config
+ - /etc/config/config.json
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/config/
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumes:
+ - name: config-volume
+ 
configMap:
+ name: local-path-config
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: local-path
+provisioner: rancher.io/local-path
+volumeBindingMode: WaitForFirstConsumer
+reclaimPolicy: Delete
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: local-path-config
+ namespace: local-path-storage
+data:
+ config.json: |-
+ {
+ "nodePathMap":[
+ {
+ "node":"DEFAULT_PATH_FOR_NON_LISTED_NODES",
+ "paths":["/opt/local-path-provisioner"]
+ }
+ ]
+ }
+
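Review bot: The `local-path-provisioner-role` ClusterRole grants `verbs: ["*"]` on `pods`, `endpoints` and `persistentvolumes` in every namespace, so the `local-path-provisioner-service-account` can create and delete pods cluster-wide; that is how the provisioner's helper pods do their work, but it makes this ServiceAccount a high-value identity and the two-line header only says where the file was copied from. I'd extend the header with `# NOTE: the ClusterRole below allows the provisioner to create pods in any namespace — restrict who can run workloads in the local-path-storage namespace`. `--debug` in `command:` is carried over from upstream and will make the provisioner log verbosely on every training cluster; either drop it or add `# --debug kept on purpose for the course` so it is not mistaken for a leftover. The `namespace:` keys under the ClusterRole and ClusterRoleBinding metadata are ignored for cluster-scoped objects and can be removed; the `reclaimPolicy: Delete` StorageClass is worth a comment too, since it means deleting a PVC wipes the node-local data under `/opt/local-path-provisioner`.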