Kubernetes for Beginners - Lab Guide
KNET Solutions (Online Training Centre),
Phone/WhatsApp: +919445042007
Online Training/One to One Personalized training

1. Introduction
This tutorial is the Kubernetes for Beginners Lab Guide, prepared by KNET Solutions. This book is used as course material for the Udemy Kubernetes for Beginners course.
The online course is available on Udemy. The course link is UDEMY KUBERNETES BEGINNERS COURSE.
This Course covers Kubernetes Introduction, Setting up your own Kubernetes in AWS VM, Kubernetes Resources, Deploying sample applications, HELM, Monitoring the Kubernetes with Prometheus, Grafana, Alert Manager.
Some of the book's content (images/text) is copied from freely available internet resources and open-source materials. Thanks to the original authors.
This Book is free to use.
2. Kubernetes installation (using MiniKube)
VM details
AWS VM (Minimum):
- 2vCPU/4GB RAM/20GB HDD
- Ubuntu 18.04
AWS VM (Recommended):
- 4vCPU/8GB RAM/50GB HDD
- Ubuntu 18.04
In the security group, allow incoming traffic on TCP ports 80 and 8080.
Tools Installation
docker
conntrack & socat
kubectl
minikube installation
Note: we need to install minikube version 1.12.2 for ingress support in driver=none.
kubernetes installation
The recent kubernetes versions are,
- v1.18.x
- v1.17.x
- v1.16.x
We install and run minikube as the root user.
It may take 5-10 minutes, depending on your internet speed.
verification
verify the basic kubernetes cli commands
kubeconfig & kubectl
The Kubernetes cluster access credentials are stored in a kubeconfig file. A file that is used to configure access to clusters is called a kubeconfig file. This is a generic way of referring to configuration files.
The file contains the Kubernetes API server address and certificates.
kubectl is a command line tool to control your Kubernetes cluster.
kubectl looks for a file named config in the $HOME/.kube directory. You can specify other kubeconfig files by setting the KUBECONFIG environment variable.
As part of the installation, minikube creates the kubeconfig file under $HOME/.kube.
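Because the kubeconfig file holds the API server address and client credentials, it should be readable only by its owner. The following is an added example, not part of the original guide: it resolves the files kubectl would load (KUBECONFIG or the default $HOME/.kube/config) and flags any that group or others can access. The function names are illustrative and "stat -c" assumes GNU coreutils, as on Ubuntu.

```sh
# Added example: audit the permissions of the kubeconfig files kubectl would load.
# Function names are illustrative; "stat -c" assumes GNU coreutils (Ubuntu).

# Print one path per line: the colon-separated KUBECONFIG list if set,
# otherwise the default $HOME/.kube/config.
kubeconfig_paths() {
    _rest="${KUBECONFIG:-$HOME/.kube/config}:"
    while [ -n "$_rest" ]; do
        _p=${_rest%%:*}
        _rest=${_rest#*:}
        if [ -n "$_p" ]; then printf '%s\n' "$_p"; fi
    done
    return 0
}

# Return 0 when neither group nor others have any permission on the file.
kubeconfig_is_private() {
    _mode=$(stat -c '%a' "$1") || return 2
    case "$_mode" in
        *00|0) return 0 ;;   # e.g. 600 or 400
        *)     return 1 ;;   # e.g. 644 or 640
    esac
}

# Report every resolved file; the exit status is 1 if any file is too open.
audit_kubeconfig() {
    kubeconfig_paths | (
        _rc=0
        while IFS= read -r _f; do
            if [ ! -e "$_f" ]; then
                echo "SKIP $_f (not found)"
            elif kubeconfig_is_private "$_f"; then
                echo "OK   $_f"
            else
                echo "WEAK $_f (fix with: chmod 600 $_f)"
                _rc=1
            fi
        done
        exit "$_rc"
    )
}

audit_kubeconfig || echo "Tighten the permissions listed above." >&2
```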
kubectl command overview
command (operations) :
- get
- delete
- create
- edit
- apply
- describe
- etc.
TYPE (Resource Types)
- pods
- deployments
- namespaces
- services
- ingress
- configmaps
- etc.
NAME means, Name of the resource
Flags : Specifies optional flag
Example Commands:
Reference:
- https://minikube.sigs.k8s.io/docs/
- https://kubernetes.io/docs/setup/release/version-skew-policy/
- https://github.com/kubernetes/kubernetes/releases
- https://kubernetes.io/docs/reference/kubectl/overview/
- https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/
3. Basic Minikube commands
Operational Commands
Status
Gets the status of a local Kubernetes cluster.
Pause/UnPause
Pause and unpause affect only the Kubernetes control plane services. The user plane (deployments) continues to run and users can still access it.
Stop/Start
Stop your local cluster & Start a cluster(Running)
delete
Upgrade to the specific version
Addons
minikube provides a handy addons command to install the basic system deployments required by the user.
Example:
- kubernetes dashboard
- ingress controller
- storage driver etc
list
install
remove
Metrics Server
- Install kubernetes metrics server
- Check the pods & services of dashboard
- verify the metrics
Dashboard Demo
- Install the kubernetes dashboard (UI)
- Check the pods & services of dashboard
- port forwarding
Here 80 is a service port, 8080 is a forward port.
Open the browser and access it from your laptop. http://x.x.x.x:8080
That's all.
Reference
- https://minikube.sigs.k8s.io/docs/
- https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
- https://github.com/kubernetes/dashboard
- https://github.com/kubernetes-sigs/metrics-server
4. Kubernetes Resources
Sample Deployment
- create nginx-web.yaml
- Apply this yaml file
- verify the resources
- open the service nodeport assigned for this service in AWS Security Group
- Now access the NGINX Webserver default page from your Laptop
Pod
- create a nginx-pod.yaml file
- create a resource
- verify the operations
- verify the logs
- login to the nginx pod shell, and execute some commands.
- port forwarding to access from outside(not Recommended - only for debugging)
- Delete the pod
Deployment
- create a nginx deploy yaml(nginx-deploy.yaml) file
- create a resource
- verify the operations
- verify the pod logs
- log in to each nginx pod shell and execute some commands
- now delete some pods
The pods will be recreated automatically to keep the number of replicas specified in the deployment.
- delete the deployment
Services
There are 3 types of services.
Reference: https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/
To expose a Service on an external IP address, Kubernetes supports two ways of doing this: NodePorts and LoadBalancers.
NodePort
Deploy the nginx-deploy.yaml file (previous step)
Create a service manifest (nginx-svc.yaml)
targetPort is the port the container accepts traffic on; port is the abstracted Service port, which can be any port other pods use to access the Service.
The default NodePort range is 30000-32767.
- apply this Resource
- verify it
Note down the exposed port. Open that port in the security group of the VM.
open a browser from your laptop and access it.
- delete the Resources
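The relation between port, targetPort and nodePort described above, as an added example that is not part of the original guide. It pins the nodePort so that the security group rule only needs to allow one known port, and rejects values outside the default range. The Service name nginx-svc and the selector app=nginx are assumptions; match them to the labels in your own nginx-deploy.yaml.

```sh
# Added example: render a NodePort Service manifest with a pinned nodePort.
# Assumptions: Service name "nginx-svc" and pod label "app: nginx".

render_nodeport_service() {
    _node_port=$1
    # Reject non-numeric values and anything outside the default NodePort range.
    case "$_node_port" in
        ''|*[!0-9]*) echo "nodePort must be a number" >&2; return 1 ;;
    esac
    if [ "$_node_port" -lt 30000 ] || [ "$_node_port" -gt 32767 ]; then
        echo "nodePort $_node_port is outside 30000-32767" >&2
        return 1
    fi
    cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: nginx-svc
spec:
  type: NodePort
  selector:
    app: nginx               # must match the pod labels of the deployment
  ports:
    - protocol: TCP
      port: 80               # Service port used by other pods in the cluster
      targetPort: 80         # port the nginx container listens on
      nodePort: $_node_port  # port opened on the VM; the one to allow in the security group
EOF
}

# On the lab VM:
#   render_nodeport_service 30080 > nginx-svc.yaml
#   kubectl apply -f nginx-svc.yaml
#   kubectl get svc nginx-svc
render_nodeport_service 30080
```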
ClusterIP
ClusterIP: Exposes the Service on a cluster-internal IP. Choosing this value makes the Service only reachable from within the cluster. This is the default ServiceType.
Deploy the nginx-deploy.yaml file (previous step)
Create a service for nginx-svc.yaml
- Apply this Resources
- create one more client deployment(client.yaml)
- Now from client pod, request the nginx service
This service is not exposed outside
LoadBalancer
On cloud providers which support external load balancers (such as amazon elb), setting the type field to LoadBalancer provisions a load balancer for your Service.
Ingress Controller deployment
- Install ingress controller
- verify the pods,svc,ingress
Now that the ingress controller is set up, we can consume it through an ingress resource.
Ingress Resource
Ingress manages external access to the services in a cluster (HTTP & HTTPS).
Ingress may provide load balancing, SSL termination and name-based virtual hosting.
An Ingress does not expose arbitrary ports or protocols (only HTTP or HTTPS)
Prerequisites: Ingress Controller must be deployed.
References: https://kubernetes.io/docs/concepts/services-networking/ingress/
Example resource
Example1
deploy the nginx-deploy.yaml
deploy the nginx-service.yaml(ClusterIP)
Create the nginx-ingress.yaml file (ingress resource for nginx service)
- verify the resources.
- Now access the URL from your laptop
Namespace
Namespaces are a way to divide cluster resources between multiple users.
Namespaces are intended for use in environments with many users spread across multiple teams, or projects.
Kubernetes control plane components are deployed in the kube-system namespace.
The default namespace name is default.
To display all namespaces available in the cluster
To create a namespace
Create a deployment(nginx-deployment) in a test namespace
To display the resources (pods, deployments) in a namespace, use "-n namespace-name"
References
- https://en.wikipedia.org/wiki/YAML
- https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/
- https://kubernetes.io/docs/concepts/workloads/
- https://kubernetes.io/docs/concepts/services-networking/
- https://kubernetes.io/docs/concepts/storage/
- https://kubernetes.io/docs/concepts/configuration/
- https://matthewpalmer.net/kubernetes-app-developer/articles/kubernetes-ingress-guide-nginx-example.html
- https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/
- https://kubernetes.github.io/ingress-nginx/
5. DNS Setup
DNS
Option1:
- If you have a valid internet domain name (purchased from a domain name vendor such as godaddy), point the domain DNS record to the public IP of this VM.
Example: mydomain.com
- we can create all deployments with this domain name. Example:
- wordpress.mydomain.com
- db.mydomain.com
- jenkins.mydomain.com
etc.
Option2:
- If you don't have a valid domain name, you can still use the public IP address (18.221.195.181) as a domain name, using a special testing method: http://54.255.208.88.xip.io
- we can create all deployments with this domain name. Example:
- wordpress.54.255.208.88.xip.io
- db.54.255.208.88.xip.io
- jenkins.54.255.208.88.xip.io
etc.
6. Deployments with Manifests file
Example1 - Simple WebServer (blue)
Minimum Resources - deployment, service, ingress
- create the webblue.yaml file
Note : CHANGE your sub domain name - host: blue.knetsks.com according to your domain name or public IP (blue.54.255.208.88.xip.io)
apply it
- verify the deployments, service, ingress
- Open the URL in your Laptop browser
Example2 - Simple WebServer (Red background)
Minimum Resources - deployment, service, ingress
Same as example1
Example3 - Simple WebServer (green background)
Minimum Resources - deployment, service, ingress
same as example1
7. HELM
Installation
For helm 3.0, we do not require any server-side installation in Kubernetes.
- Install helm client (3.x) & Update the helm repo
helm version : https://github.com/helm/helm/releases
- Repo Update
Helm Commands
Search Charts/Applications from the repo
Get details of specific chart
dry-run to see the resources for this chart.
Install & Uninstall
Customize the chart values
Every chart comes with default config values, which can be customized by the user.
The user can override these default values by providing explicit values during installation.
Identify the customization values
Refer to the respective github page of the chart and read the values.yaml file. Example: https://github.com/bitnami/charts/tree/master/bitnami/wordpress
Run the below show values command to see the values.
- Create the customization values in YAML format and pass this file as input during installation.
Wordpress Deployment
- create a wordpress namespace
- Read the configuration parameters for wordpress from the bitnami/wordpress chart.
- Create a values.yaml file
- install the Chart with this values.yaml file
- install it
- verify the deployments
- open the browser and access the below url
- delete
Jenkins deployment
- create a cicd namespace
- Read the configuration parameters for jenkins from the bitnami/jenkins chart.
- Create a values.yaml file
- install the Chart with this values.yaml file
- install it
- The output shows username & password for this jenkins deployment.
- verify the deployments
- open the browser and access the below url
- Use username/password to login
Redmine deployment
- Read the configuration parameters for redmine from bitnami/redmine.
- Create a values.yaml file
- install the Chart with this values.yaml file
- install it
8. Monitoring
Deploy the Monitoring Stack
- create a monitoring namespace
- create values.yaml file
For more details about the configuration parameters, see https://github.com/helm/charts/tree/master/stable/prometheus-operator
- Install it
- Verify the Pods, Services, Ingress
Wait until the pods are active.
- Prometheus portal http://prometheus.knetsks.com
- Alertmanager portal http://alerts.knetsks.com
- Grafana portal http://grafana.knetsks.com
default username: admin password: prom-operator
Verify the Cluster Metrics in Grafana Dashboard
The default prometheus operator installation has a Kubernetes cluster metrics dashboard (infrastructure).
Todo
Monitor your Application (POD) Metrics
In the earlier chapter, we have seen the metrics of kubernetes cluster components (Infrastructure).
Now, we would like to monitor the user deployment applications such as wordpress, or other components.
Steps
- Deploy a metrics exporter (a.k.a. node exporter) for the application as a sidecar container. This is usually provided by the Helm charts of common applications. If it is not available, we have to build it.
- Create the Prometheus Service Monitor resource (this resource links/routes the metrics to our Prometheus monitoring solution)
- Verify the Metrics are visible in Prometheus & Grafana UI..
- Make a Dashboard for this metrics in Grafana.
Example1: Wordpress deployment
I have deleted our existing wordpress deployment and am creating a new one with metrics enabled.
1. create values.yaml file
2. install it
3. verify the metrics are exposed from the pods
Verify that the sidecar (apache exporter) container is also running in the wordpress pods; it exposes /metrics on port 9117/TCP.
Use kubectl port forwarding to verify it.
From the VM,
4. verify the metrics are exposed from the service
We should see that the service also exposes port 9117/TCP. Now port forward the service and check it.
Query the metrics endpoint.
So the metrics are exposed from the service as well.
5. Now Create the service Monitor
Service monitor resource requires 2 important parameters
a) Note the serviceMonitorSelector and serviceMonitorNamespaceSelector parameters from the Prometheus resource.
Here "release:mon" is the serviceMonitorSelector label and serviceMonitorNamespaceSelector is {}, which means the default namespace. This means Prometheus can query the metrics only from the default namespace.
b) wordpress service label name, and metrics port name to be noted from wordpress service resource
c) Create service monitor(sm.yaml) yaml file.
Note:
- labels - "release:mon", which we have taken from the Prometheus resource
- matchLabels - we have referred from the kubernetes service resource
- matchNames - wordpress. we run our service in wordpress namespace.
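A ServiceMonitor built from the three values in the note above, as an added example that is not part of the original guide. The Service label app.kubernetes.io/name=wordpress, the port name "metrics", the resource name and the "monitoring" namespace for the ServiceMonitor are assumptions; read the real values from your cluster with the commands in the comments.

```sh
# Added example: render the ServiceMonitor (sm.yaml) from the values noted in steps a) and b).
# Assumptions: resource name, "monitoring" namespace, Service label and port name.

# Commands to read the inputs on the lab VM:
#   kubectl get prometheus -n monitoring -o jsonpath='{.items[0].spec.serviceMonitorSelector}'
#   kubectl get svc -n wordpress --show-labels
#   kubectl get svc -n wordpress -o jsonpath='{.items[*].spec.ports[*].name}'

render_servicemonitor() {
    # $1 release label, $2 target namespace, $3 Service label (KEY=VALUE), $4 port name
    if [ "$#" -ne 4 ]; then
        echo "usage: render_servicemonitor RELEASE NAMESPACE KEY=VALUE PORT_NAME" >&2
        return 1
    fi
    case "$3" in
        *=*) ;;
        *) echo "service label must be KEY=VALUE" >&2; return 1 ;;
    esac
    _key=${3%%=*}
    _val=${3#*=}
    cat <<EOF
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: wordpress-metrics
  namespace: monitoring
  labels:
    release: $1              # must match the Prometheus serviceMonitorSelector
spec:
  namespaceSelector:
    matchNames:
      - $2                   # namespace where the wordpress Service runs
  selector:
    matchLabels:
      $_key: $_val           # label carried by the wordpress Service
  endpoints:
    - port: $4               # name of the Service port that serves 9117/TCP
      path: /metrics
      interval: 30s
EOF
}

# On the lab VM: render_servicemonitor ... > sm.yaml && kubectl apply -f sm.yaml
render_servicemonitor mon wordpress app.kubernetes.io/name=wordpress metrics
```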
6. Now verify the Service Monitor
7. verify it in the prometheus UI
- open prometheus UI
- type any parameter which you have seen in the /metrics endpoint, ex: apache_accesses_total
- click "Execute", you will see the metric.
8. verify it in grafana
- open grafana UI , and click EXPLORE
- type any parameter which you have seen in the /metrics endpoint, ex: apache_accesses_total
- click "Run Query", you will see the graph.
- search the apache dashboard from grafana https://grafana.com/grafana/dashboards
- the dashboard link is, https://grafana.com/grafana/dashboards/3894
- Click + and Import
- Paste the link of dashboard and click Load
Logging
Centralized log management and analysis is an important requirement for a containerized environment.
Logs from Kubernetes control plane components (api, scheduler, controller, etc.) and user application deployments (such as wordpress, jenkins and other applications) are to be collected and visualized in a centralized user interface (dashboard).
Loki is a log aggregation system inspired by Prometheus, so it works out of the box.
It requires 3 components
- loki
- promtail
- grafana
We already deployed grafana as part of monitoring stack.
loki-stack helm chart deploys loki and promtail.
1. repo update
2. install loki-stack
loki-stack is included with loki and promtail.
3. How to verify
4. Integrate Loki with grafana
- open grafana UI (grafana.knetsks.com)
- click Configuration -> Datasources
- Add Datasource
- Select loki
- In the name specify "loki",and in URL "http://loki.monitoring:3100". Note this is service name of the loki "k get svc -n monitoring"
- Save and Test.. It should work.
5. How to view the Logs.
- open grafana UI (grafana.knetsks.com)
- click Explore , and select Loki Datasource
- click LogLabels, you can see the query filter based on "namespace", "pod", "job", "container" etc....
References
- https://github.com/grafana/loki/tree/master/production/helm/loki
- https://github.com/grafana/loki
- https://www.scaleway.com/en/docs/use-loki-to-manage-k8s-application-logs/
9. Certificate Manager Integration
So far we have used HTTP for our services (http://grafana.knetsks.com, http://wordpress.knetsks.com, etc.) because we don't have a valid certificate management system for our services.
We can deploy cert-manager and Let's Encrypt as the certificate management system. These components will take care of HTTPS (certificates) for our services automatically.
Prerequisites:
- ingress controller (we have already deployed ingress-controller)
Deploy cert-manager
- create a namespace
- install custom resources
- Update the helm repo for certmanager
- create values.yaml
Note: letsencrypt-staging or letsencrypt-prod can be used as defaultIssuerName. If it is prod, the certificate will be valid (no security warning in the browser).
- install
- verification
Cert manager can be configured with variety of certificate issuers, such as
- SelfSigned
- CA
- Vault
- Venafi
- External
- ACME
We are going to see Automated Certificate Management Environment (ACME) method.
Let's Encrypt is a free, open certificate authority (ACME). We are going to use Let's Encrypt.
Integrate cert-manager with the Let's Encrypt cert issuer
There are two standard methods (RFC 8555) by which ACME validates a domain name (to make sure the client is requesting the certificate for its own domain):
- HTTP01
- DNS01
HTTP01
- create a cluster issuer(cissuer.yaml) yaml
Note: Here your ingress class name is nginx. (This is default class name)
- Apply and verify it
That's all, it is ready. Next, how we can consume it.
- Lets do the sample color deployment(color.yaml).
In the ingress resource, add the annotations as below,
The complete manifests file is below,
That's all.
- wordpress deployment
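The HTTP01 flow described above, as an added example that is not part of the original guide: a ClusterIssuer for the Let's Encrypt staging endpoint with the nginx ingress class, and an Ingress that requests a certificate through the cert-manager annotation. The e-mail, host name, the Service name "color", the secret names and the cert-manager.io/v1 API version are assumptions; the Ingress uses networking.k8s.io/v1beta1 to match the Kubernetes versions in this guide (1.19 and later use networking.k8s.io/v1).

```sh
# Added example: render a staging ClusterIssuer (HTTP01) and an Ingress that uses it.
# Assumptions: Service "color" on port 80, secret names, cert-manager.io/v1 API.

render_http01() {
    # $1 contact e-mail for the ACME account, $2 host name served by the ingress
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: render_http01 EMAIL HOST" >&2
        return 1
    fi
    cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: $1
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx                       # ingress class answering the challenge
---
apiVersion: networking.k8s.io/v1beta1          # Kubernetes 1.16-1.18, as used in this guide
kind: Ingress
metadata:
  name: color
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  tls:
    - hosts:
        - $2
      secretName: color-tls                    # cert-manager stores the certificate here
  rules:
    - host: $2
      http:
        paths:
          - path: /
            backend:
              serviceName: color
              servicePort: 80
EOF
}

# On the lab VM: render_http01 ... > color-tls.yaml && kubectl apply -f color-tls.yaml
render_http01 admin@example.com color.example.com
```

After applying, "kubectl get certificate" shows whether the certificate has been issued; switch the issuer to letsencrypt-prod only once the staging run succeeds.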
DNS01
Only a few DNS providers are supported by cert-manager (route53, cloudflare, akamai, etc.): https://cert-manager.io/docs/configuration/acme/dns01/
We demonstrate with aws route53 DNS.
Note: we use aws access-key/secret key for domain name validation.
Prerequisites: you should specify the aws_access, aws_secret_key, hostedZoneID (for domain name)
- create secret (aws secret key)
- create staging.yaml
- apply staging.yaml
That's all, it is ready.
How to consume
- In the ingress resource, use these annotations
- Example with wordpress helm chart values
- verification
10. Other topics
Installing Minikube in Laptop
The preferred option is to install it in the VM.
- Create a ubuntu 18.04 VM
- Login to the VM,
- Install minikube with driver none, as mentioned in section 2.
Other options are , 1. From your linux laptop, 2. Install minikube with driver=kvm2
default username/password for the minikube vm is docker & tcuser
command to delete the exited docker containers
11. References
Docker Installation
Minikube
Dashboard
Kubernetes
jenkins chart
prometheus-operator