Bikram Gupta bikram20

## gist:4f4dbbaf5fcc874d5daee2e3b780d919
# Requires that you have helm3 installed on your local machine and cluster is accessible (kubeconfig).
# You do NOT need the following instructions, if you are comfortable using helm!!


# Reference: https://github.com/kubernetes/dashboard/releases/tag/v3.0.0-alpha0
# Helm Instructions: https://artifacthub.io/packages/helm/k8s-dashboard/kubernetes-dashboard
# Dashboard 3.0 alpha version is supported on k8s 1.27 only. However we will go ahead and install on 1.28.


# Verify your DOKS k8s version

## gist:64a9da19b12b0d1e2b5dcb7916d37854
This is an e2e demonstration of getting Velero to do a backup/restore in DigitalOcean kubernetes. This will not work on other providers because we install Digitalocean specific provider for velero. Likewise, we require Spaces as the backup destination in the first release. Backblaze may work, if it is similar to Spaces and no complex permissions.

In v1, we will only support DO Kubernetes, with destinations being Spaces and DO Volumes.


Commands needed: kubectl, velero
Credentials needed: S3/Spaces (for velero to save backups), DO Cloud API (for velero to take volume snapshots from k8s), Kubeconfig (for velero to access k8s cluster)

This diagram shows how velero works: https://github.com/digitalocean/Kubernetes-Starter-Kit-Developers/blob/main/05-setup-backup-restore/assets/images/velero_bk_res_wf.png

## gist:f8394e222612961fd4c689f4d77ebd47
# Install a Docker 1-click droplet. Choose at least 4cpu/8gb, as we will run multiple applications

# Create a non-root user
sudo adduser ubuntu --disabled-password
sudo usermod -aG docker ubuntu
cp -r /root/.docker /home/ubuntu/
chown -R ubuntu:ubuntu /home/ubuntu/.docker
su - ubuntu

#################################################################################

## Droplet-DOKS Internal communication
Problem:
When you expose a service as a LB in DO kubernetes, the service gets a public IP. There is no internal LB. So when you need an application on a droplet (in the same VPC as the cluster) needing to communicate with a service in the cluster, the traffic traverses over public network.

You may like to instead keep that droplet --- cluster traffic inside the VPC itself.

Solution:
It is done by exposing the service as a NodePort (not LB), and making the firewall unmanaged for the nodeport (through an annotation).
This ensures that the service is ONLY accessible over Nodeport in the private VPC network. In the 2nd step, we use the external-DNS to program the Nodeport to a FQDN in DO DNS. As the droplets in the VPC rely on DO DNS, they get the updates for the NodePort through DNS.


## DOKS-Cluster-Network-Analysis-from-Outside

# Use "brew install nmap" or any other way to get nmap.
# Have doctl and kubectl configured.
#

bgupta@C02CC1EGMD6M employeeapp % doctl compute droplet list  --tag-name 'k8s' --format 'Name'
Name
pool-4fz85fgrm-8rqqw
pool-4fz85fgrm-8yde3
bgupta@C02CC1EGMD6M employeeapp % doctl compute droplet list  --tag-name 'k8s' --format 'Name','PublicIPv4'

## gist:0470dd3081cc0994526b83bf7f5bd2a5
# setup.sh

!/usr/bin/bash

kind create cluster --name cluster1 --config cluster1.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml
kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default
token=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.token}"|base64 --decode)
echo "Cluster1 token:" $token
echo $token > cluster1.token

## gist:6b19164a0f5437ee1df3d5ffd8a0bc85
# Excellent site - https://openshift.tips/

# Tail 10 lines for journal log of the node. Various options.
oc adm node-log <nodename> --tail=10
oc adm node-logs ip-10-0-137-133.us-west-2.compute.internal --tail=10 -u kubelet.service
oc adm node-logs ip-10-0-137-133.us-west-2.compute.internal --tail=10 --grep=calico

# Path is w.r.t. /var/log
oc adm node-logs ip-10-0-137-133.us-west-2.compute.internal --tail=10 --path=calico/log

## gist:89ce7b6179ff901342daf685325470d9
# To create pods and policies

LOAD_COUNT=1

for cnt in $(seq 1 $LOAD_COUNT)
do
kubectl create ns policy-demo${cnt}
kubectl create deployment --namespace=policy-demo${cnt} nginx --image=nginx
kubectl scale deployment --namespace=policy-demo${cnt} nginx --replicas=2
kubectl expose --namespace=policy-demo${cnt} deployment nginx --port=80

## gist:3b85438c691ecf3a0626f24b26aa9fd3
package kubernetes.admission

block_latest_image_tag[explanation] {
   input.request.kind.kind == "Pod"
   containers := input.request.object.spec.containers
   image_name := containers[_].image
   is_image_tag_latest(image_name)
   explanation := sprintf("resources should not use latest tag: %v", [image_name])
}
	# Requires that you have helm3 installed on your local machine and cluster is accessible (kubeconfig).
	# You do NOT need the following instructions, if you are comfortable using helm!!


	# Reference: https://github.com/kubernetes/dashboard/releases/tag/v3.0.0-alpha0
	# Helm Instructions: https://artifacthub.io/packages/helm/k8s-dashboard/kubernetes-dashboard
	# Dashboard 3.0 alpha version is supported on k8s 1.27 only. However we will go ahead and install on 1.28.


	# Verify your DOKS k8s version
	This is an e2e demonstration of getting Velero to do a backup/restore in DigitalOcean kubernetes. This will not work on other providers because we install Digitalocean specific provider for velero. Likewise, we require Spaces as the backup destination in the first release. Backblaze may work, if it is similar to Spaces and no complex permissions.

	In v1, we will only support DO Kubernetes, with destinations being Spaces and DO Volumes.


	Commands needed: kubectl, velero
	Credentials needed: S3/Spaces (for velero to save backups), DO Cloud API (for velero to take volume snapshots from k8s), Kubeconfig (for velero to access k8s cluster)

	This diagram shows how velero works: https://github.com/digitalocean/Kubernetes-Starter-Kit-Developers/blob/main/05-setup-backup-restore/assets/images/velero_bk_res_wf.png
	# Install a Docker 1-click droplet. Choose at least 4cpu/8gb, as we will run multiple applications

	# Create a non-root user
	sudo adduser ubuntu --disabled-password
	sudo usermod -aG docker ubuntu
	cp -r /root/.docker /home/ubuntu/
	chown -R ubuntu:ubuntu /home/ubuntu/.docker
	su - ubuntu

	#################################################################################
	Problem:
	When you expose a service as a LB in DO kubernetes, the service gets a public IP. There is no internal LB. So when you need an application on a droplet (in the same VPC as the cluster) needing to communicate with a service in the cluster, the traffic traverses over public network.

	You may like to instead keep that droplet --- cluster traffic inside the VPC itself.

	Solution:
	It is done by exposing the service as a NodePort (not LB), and making the firewall unmanaged for the nodeport (through an annotation).
	This ensures that the service is ONLY accessible over Nodeport in the private VPC network. In the 2nd step, we use the external-DNS to program the Nodeport to a FQDN in DO DNS. As the droplets in the VPC rely on DO DNS, they get the updates for the NodePort through DNS.

	# Use "brew install nmap" or any other way to get nmap.
	# Have doctl and kubectl configured.
	#

	bgupta@C02CC1EGMD6M employeeapp % doctl compute droplet list --tag-name 'k8s' --format 'Name'
	Name
	pool-4fz85fgrm-8rqqw
	pool-4fz85fgrm-8yde3
	bgupta@C02CC1EGMD6M employeeapp % doctl compute droplet list --tag-name 'k8s' --format 'Name','PublicIPv4'
	# setup.sh

	!/usr/bin/bash

	kind create cluster --name cluster1 --config cluster1.yaml
	kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml
	kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default
	token=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.token}"\|base64 --decode)
	echo "Cluster1 token:" $token
	echo $token > cluster1.token
	# Excellent site - https://openshift.tips/

	# Tail 10 lines for journal log of the node. Various options.
	oc adm node-log <nodename> --tail=10
	oc adm node-logs ip-10-0-137-133.us-west-2.compute.internal --tail=10 -u kubelet.service
	oc adm node-logs ip-10-0-137-133.us-west-2.compute.internal --tail=10 --grep=calico

	# Path is w.r.t. /var/log
	oc adm node-logs ip-10-0-137-133.us-west-2.compute.internal --tail=10 --path=calico/log
	# To create pods and policies

	LOAD_COUNT=1

	for cnt in $(seq 1 $LOAD_COUNT)
	do
	kubectl create ns policy-demo${cnt}
	kubectl create deployment --namespace=policy-demo${cnt} nginx --image=nginx
	kubectl scale deployment --namespace=policy-demo${cnt} nginx --replicas=2
	kubectl expose --namespace=policy-demo${cnt} deployment nginx --port=80
	package kubernetes.admission

	block_latest_image_tag[explanation] {
	input.request.kind.kind == "Pod"
	containers := input.request.object.spec.containers
	image_name := containers[_].image
	is_image_tag_latest(image_name)
	explanation := sprintf("resources should not use latest tag: %v", [image_name])
	}