- Configure the Network Protocol Profile on the vCenter according to: https://www.virtualthoughts.co.uk/2020/03/29/rancher-vsphere-network-protocol-profiles-and-static-ip-addresses-for-k8s-nodes/
- Ensure to create a service user with the regarding global and folder specific permissions: https://rancher.com/docs/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/creating-credentials/
- Beside the vCenter role permissions from the official Rancher documentation, the following ones need to be provided in order to configure the Nodes via vApp options:
- Content Library: Read storage
- Extension: Register extension
- Beside the vCenter role permissions from the official Rancher documentation, the following ones need to be provided in order to configure the Nodes via vApp options:
- vSphere Tagging: Assign or Unassign vSphere Tag on Object
Philip Schmid PhilipSchmid
PhilipSchmid
/ k8s-goldpinger.yaml
Created
July 13, 2023 11:36
Goldpinger to test K8s Pod to Pod connectivity
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://github.com/bloomberg/goldpinger | |
| --- | |
| apiVersion: v1 | |
| kind: Namespace | |
| metadata: | |
| name: goldpinger | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: |
PhilipSchmid
/ pod-hostpath-kubectl-run.yaml
Created
July 18, 2023 11:05
kubectl run Pod with hostPath
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kubectl run -it --rm tshoot --overrides=' | |
| { | |
| "spec": { | |
| "containers": [ | |
| { | |
| "name": "tshoot", | |
| "image": "nicolaka/netshoot:latest", | |
| "command": ["/bin/bash"], | |
| "stdin": true, | |
| "stdinOnce": true, |
PhilipSchmid
/ 0-rancher-vsphere-setup.md
Last active
August 1, 2023 17:47
How to set up a Rancher K8s cluster on VMware (incl. vSphere StorageClass)
PhilipSchmid
/ deploy-iperf3.yaml
Last active
October 6, 2023 09:41
iperf3 Deployment for Kubernetes network performance tests
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: iperf3 | |
| spec: | |
| replicas: 2 | |
| selector: | |
| matchLabels: | |
| app: iperf3 | |
| template: |
PhilipSchmid
/ kubeadm-cilium-k8s-cluster.md
Last active
December 18, 2023 11:39
Minimal guide for setting up a kubeadm and containerd based Kubernetes 1.26 cluster with Cilium in kubeproxy-replacement mode (tested on Ubuntu 22.04)
PhilipSchmid
/ 0-minio-readme.md
Last active
December 31, 2023 16:42
Docker-Compose single-host Minio S3 setup using Traefik (Let's Encrypt with DNS-01 challenge via Cloudflare) for TLS offloading.
Tested on Ubuntu 20.04.
Run all commands shown here with root or prepend a sudo to the regarding commands which require higher privileges.
PhilipSchmid
/ useful_commands_and_sources.md
Last active
January 1, 2024 06:22
Useful (non-daily) Bash commands and sources
PhilipSchmid
/ rancher-keycloak-idp-configuration.md
Last active
January 11, 2024 06:42
Rancher v2.X KeyCloak Authentication Backend Configuration
Ranchers official documentation about how to configure the Rancher <> KeyCloak setup is fine but definitely not sufficient to successfully configure it (https://rancher.com/docs/rancher/v2.x/en/admin-settings/authentication/keycloak/). That's the reason why here every single required step is documented down here.
I simply use the default master realm for the Rancher client. Nevertheless, it would sometimes absolutely make sense to use a custom KeyCloak realm.
- Login as
adminon https://keycloak.example.com/. Important: It's crucial that in KeyCloak the same username exists as you use as admin user on Rancher. Since I just use theadminaccount in this guide, this prerequisite is already achieved. - Create a new client under https://keycloak.example.com/auth/admin/master/console/#/realms/master/clients
Client ID:https://rancher.example.com/v1-saml/keycloak/saml/metadata
PhilipSchmid
/ privileged-node-debugging-pod.md
Created
February 13, 2024 19:40
Spin up a privileged K8s node debugging Pod with access to the node's filesystem
Optional: Disable PSA
k label ns default pod-security.kubernetes.io/enforce=privileged
k label ns default pod-security.kubernetes.io/audit=privileged # optional
k label ns default pod-security.kubernetes.io/warn=privileged # optionalStart tshoot pod:
echo '
PhilipSchmid
/ prometheus_alert_rules_for_certmanager.yaml
Last active
March 4, 2024 13:06
4 helpful Prometheus alerting rules for Cert-Manager & its Certificate CRs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - name: custom_certmanager_monitoring | |
| rules: | |
| - alert: CertManagerAbsent | |
| expr: absent(up{job="cert-manager"}) | |
| for: 1h | |
| annotations: | |
| message: "Cert Manager has dissapeared from Prometheus service discovery." | |
| labels: | |
| severity: critical | |
| - alert: CertManagerACMEProxyReachability |