Updates to some advanced demos.

JoergM · JoergM · commit f318b085e2f0 · 2021-11-22T17:07:32.000+01:00
diff --git a/authentication/README.md b/authentication/README.md
@@ -11,11 +11,9 @@ There are multiple ways to authenticate to a Kubernetes Cluster. This Demo will
 To try this method log in to the diagnose container using:
 
 ```
-kubectl exec -ti diagnose-... s
+kubectl exec -ti deploy/diagnose -- sh
 ```
 
-(diagnose-... is the complete name of the pod found via shell completion or `kubectl get pods`)
-
 Every pod in kubernetes will get service account credentials injected at a well-known location which is `/var/run/secrets/kubernetes.io/serviceaccount/`. When you list this directory you will find a certificate, a file containing the namespace this pod runs in and a token to access the API. We export the last into an environment variable:
 
 ```
@@ -26,8 +24,8 @@ Now the API can be accessed with curl like this:
 
 ```
 curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
---header "Authorization: Bearer $TOKEN" \
---url https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT_HTTPS/api/
+--header "Authorization: Bearer ${TOKEN}" \
+https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/
 ```
 
 With the argument "--cacert" curl gets will be able to validate the https certificate. The header contains the token and is used to identify to the API Server. The Url contains a few more environment variables (KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT_HTTPS). These contain the relevant adress of the API server inside the cluster and will also be injected into containers.
@@ -48,10 +46,24 @@ kubectl get pod diagnose-... -o jsonpath={.spec.serviceAccount}
 
 ## Creating and using a service account token from outside the cluster
 
-Accessing the api of a minikube server can be done using:
+First you need to set the local IP address and port for accessing the API.
+
+If you are using minikube use: 
+
+```
+export KUBE_API_HOST=$(minikube ip):8443
+```
+
+If you are using kind set the variable using:
+
+```
+export KUBE_API_HOST=$(docker port kind-control-plane 6443)
+```
+
+Accessing the api of a server can now be done using:
 
 ```
-curl -k https://$(minikube ip):8443/api
+curl -k https://$KUBE_API_HOST/api
 ```
 
 We ignore the certificate validation for this example. If you try this you will get a status code 403 forbidden telling you that User 'system:anonymous' can not get the path /api.
@@ -62,13 +74,13 @@ To authorize we can create a new service account and use its token to authorize
 kubectl create serviceaccount foo
 export TOKEN_NAME=$(kubectl get serviceaccount foo -o=jsonpath="{.secrets[0].name}")
 export TOKEN=$(kubectl get secret $TOKEN_NAME -o=jsonpath={.data.token}|base64 -D)
-curl -k --header "Authorization: Bearer $TOKEN" https://$(minikube ip):8443/api
+curl -k --header "Authorization: Bearer $TOKEN" https://$KUBE_API_HOST/api
 ```
 
 First a service account named foo is created. Then 'kubectl get' is used with jsonpath to extract the name of the token secret. In the next step this token is extracted into an environment variable called TOKEN. Finally this TOKEN is used as a header to make the same curl command as above. This time the result is a listing of API versions. But this service account is also not allowed to do more, like listing namespaces. Try:
 
 ```
-curl -k --header "Authorization: Bearer $TOKEN" https://$(minikube ip):8443/api/v1/namespaces
+curl -k --header "Authorization: Bearer $TOKEN" https://$KUBE_API_HOST/api/v1/namespaces
 ```
 
 With the following command you can assign the admin role to the service account:
@@ -93,6 +105,7 @@ These steps are included in the script `generate_user.sh` in this directory. You
 ```
 ./generate_user.sh
 ```
+(This script currently assumes you are using minikube. So it would not work using kind.)
 
 There is now a new Kubenetes configuration generated in auth_data/config. You can use this config to authenticate by setting the KUBECONFIG environment variable:
 
diff --git a/monitoring/README.md b/monitoring/README.md
@@ -1,63 +1,59 @@
 # Monitoring
 
-## cAdvisor
+## Enable Metrics Server
 
-cAdvisor is an Agent included in every kubelet and thus installed on every node. It collects measurements of the containers running on the node as well as on the node itself. 
-
-**Hint**
-For the following urls you need the ip address of the node you want to look at. If you are using minikube you get it via
-
-```
-minikube ip
-```
-
-The following urls are useful for looking at cAdvisor directly:
+You need to enable the metrics server in order to use metrics and any connected service or command. If you are using minikube you are doning this by enabling the addon:
 
 ```
-http://<node-ip>:4194/
+minikube addons enable metrics-server
 ```
 
-for the cAdvisor interface. And:
+## Accessing the metrics API directly
 
-```
-http://<node-ip>:4194/metrics
-```
+The Metrics API is not intended to be used directly. Use kubectl top (see below) instead. But if you want to access it you can still do it like this:
 
-to retrieve the metrics in Prometheus format. This can be useful when you want to scrape node data directly from prometheus without going via Heapster.
+API Overview:
 
-## Heapster
+ ```
+ kubectl get --raw /apis/metrics.k8s.io/v1beta1/ |jq
+ ```
 
-Heapster is itself a pod that collects the measurements of all cAdvisor instances in your cluster. When you are using minikube you can enable it using:
+List all Nodes where metrics are available
 
 ```
-minikube addons enable heapster
+kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes |jq
 ```
 
-Heapster provides it's data again using the prometheus metrics format. As the addon does not provide an externally available service you have to login to the diagnose-pod ( see [../README.md](../README.md) ):
+Get Data for a specific Node:
 
 ```
-kubectl exec -ti diagnose-... sh
+kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes/minikube |jq
 ```
-
-Inside that container you can get the monitoring data using:
+This might be useful if you want to extract e.g. the CPU usage of a node with a tool like jq:
 
 ```
-curl heapster.kube-system/metrics
+kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes/minikube |jq .usage.cpu
 ```
 
-When heapster is active you can see performance information on the Kubernetes dashboard and you can also use the top command at the commandline:
+## Using kubectl top 
+
+When metrics-server is active you can see performance information on the Kubernetes dashboard and you can also use the top command at the commandline:
 
 ```
 kubectl top node
 kubectl top pod
 ```
 
-## Grafana dashboard
+## Kubernetes dashboard
 
-Where cAdvisor and Heapster work pretty much the same in most Kubernetes installations all further monitoring tools differ very often. It is usual to use a combination of Prometheus or Influx DB as timeseries database and Grafana as dashboard. 
+You can install the kubernetes dashboard in minikube as addon using:
+
+```
+minikube addons enable dashboard
+```
 
-Minikube comes with a influx/grafana combination. You can open the dashboard using:
+Start the dashboard using:
 
 ```
-minikube -n kube-system service monitoring-grafana
-``` 
+minikube dashboard
+```
diff --git a/persistent_volumes/README.md b/persistent_volumes/README.md
@@ -23,10 +23,10 @@ The persistent volume is the actual instance of the Volume claim. It can be main
 To see the persistence in action create some data inside the redis database. To get an redis-cli log into the pod using:
 
 ```
-kubectl exec -ti redis-... redis-cli
+kubectl exec -ti deploy/redis -- redis-cli
 ```
 
-where redis-... is the complete name of the redis pod. You should get a prompt and you can store a key and value like this:
+You should get a prompt and you can store a key and value like this:
 
 ```
 127.0.0.1:6379> set foo bla
@@ -39,7 +39,7 @@ OK
 Now the data is stored on the persistent volume. You can find the datafiles when logging into the redis pod by using the shell:
 
 ```
-kubectl exec -ti redis-... sh
+kubectl exec -ti deploy/redis -- sh
 /data # ls -lsa
 total 12
      4 drwxrwxrwx    2 root     root          4096 Jun  5 14:24 .
@@ -63,7 +63,7 @@ pod "redis-5ff7b8476c-clkkt" deleted
 If you now list the pods again you will find, that there is a newly created redis pod. You can now test whether the persistence worked by connecting to the redis-cli again:
 
 ```
-kubectl exec -ti redis-... redis-cli
+kubectl exec -ti deploy/redis -- redis-cli
 127.0.0.1:6379> get foo
 "bla"
 127.0.0.1:6379>
diff --git a/persistent_volumes/persistent_redis.yaml b/persistent_volumes/persistent_redis.yaml
@@ -15,7 +15,7 @@ spec:
         run: redis
     spec:
       containers:
-      - image: redis:3.2-alpine
+      - image: redis:6-alpine
         name: redis
         command: ["redis-server", "--appendonly", "yes"]  #<-- starting redis in persistent mode
         volumeMounts:
diff --git a/rbac/README.md b/rbac/README.md
@@ -15,7 +15,7 @@ kubectl get pods
 You can find whether the current user is allowed to do a certain operation by using `kubectl config can-i` like:
 
 ```
-kubectl config can-i get po
+kubectl auth can-i get po
 ```
 
 ## Creating read-only access
@@ -43,7 +43,7 @@ kubectl get pods
 
 Also try 
 ```
-kubectl config can-i get po
+kubectl auth can-i get po
 ```
 
 To test whether you are allowed to do other operations try e.g.:
diff --git a/stateful_sets/stateful_nginx.yaml b/stateful_sets/stateful_nginx.yaml
@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
       - name: nginx
-        image: nginx:1.16
+        image: nginx:stable-alpine
         volumeMounts:
         - name: content
           mountPath: /usr/share/nginx/html
