Kubernetes: cannot see network policies created with calico - kubernetes

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
By using kubectl get networkpolicy, I can see only the policies created by networking.k8s.io/v1 and not those created by projectcalico.org/v3. Any suggestion how to see the latter ones?

kubectl get XXX does not display all the resources in the cluster, in your case you cannot see CRD
You can find your object with kubectl get crds
Then kubectl get <crd name> -A
In your case it would be:
# Get all the CRD from the desired type
kubectl get projectcalico.org/v3 -A
# Now grab the desired name and do whatever you want with it
kubectl describe <CRD>/<resource name> -n <namespace>

Related

Install calico GlobalNetworkPolicy via helm chart

I am trying to install a calico GlobalNetworkPolicy that will be applicable to all the pods in the cluster regardless of namespace , and to apply GlobalNetworkPolicy as per docs here -
Calico network policies and Calico global network policies are applied
using calicoctl
i.e calicoctl command (assuming calicoctl binary installed in the host) ->
calicoctl apply -f global-policy.yaml
OR if we have a calicoctl pod running ->
kubectl exec -ti -n kube-system calicoctl -- /calicoctl apply -f global-deny.yaml -o wide
global-policy.yaml ->
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: default-deny
spec:
selector: projectcalico.org/namespace == "kube-system"
types:
- Ingress
- Egress
Question -> How do I install such a policy via helm chart ? As helm implicitly calls via kubectl and that causes error on install.
Error using kubectl or helm =>
Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: resource mapping not found for name: "default-deny" namespace: "" from "": no matches for kind "GlobalNetworkPolicy" in version "projectcalico.org/v3"
As per the Doc given by you Calico global network policy is a non-namespaced resource and can be applied to any kind of endpoint (pods, VMs, host interfaces) independent of namespace.
But you are using namespace in the Yaml, that might be the reason for the error. Kindly remove the name space and try again.
Because global network policies use kind: GlobalNetworkPolicy, they are grouped separately from kind: NetworkPolicy. For example, global network policies will not be returned from calicoctl get networkpolicy, and are rather returned from calicoctl get globalnetworkpolicy.
Below is the reference yaml from Doc :
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: allow-tcp-port-6379
Refer For more information on Global Network Policy, Calico Install Via Helm and Calico command line tools.

Terraform kubectl provider manifest to specific namespace

I am learning how to translate kubectl deployments to terraform. I am currently facing issues getting services to work as intended with terraform provider kubectl once I specify a namespace.
I have confirmed the terraform script works when doing the equivalent kubectl apply to the default namespace.
What is the proper methodology in terraform using the kubectl provider to apply -n namespace?
The two different approaches I have tried are:
resource "kubectl_manifest" "example" {
override_namespace = kubernetes_namespace_v1.namespace.metadata[0].name
yaml_body = file("${path.cwd},deploy.yaml")
}
And also:
resource "kubectl_manifest" "example" {
yaml_body = file("${path.cwd},deploy.yaml")
}
with adding the namespace to the deploy.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: example
namespace: namespace
...
---
apiVersion: v1
kind: Service
metadata:
name: example
namespace: namespace
Then when I try to confirm that the service is functioning as intended via:
kubectl logs example-6878fd468-9vgkm
Error from server (NotFound): pods "example-6878fd468-9vgkm" not found
Your terraform description is fine. You need to specify the -n switch to your kubectl logs command as well, to detect the pod in the right namespace.
kubectl logs example-6878fd468-9vgkm -nexample

Kubernetes - ScaledObject - Keda - RabbitMQ

i have created a ScaledObject and TriggerAuthentication using Keda, in order to horizontally autoscale my pods based on a RabbitMQ length.
but for some reason, when i try to query my ScaledObjects like this:
kubectl get ScaledObjects -n mynamespace
i am not getting anything.
but when i am applying the yaml file which contains all of the information about the ScaledObject, the output is this:
scaledobject.keda.sh/rabbitmq-scaledobject unchanged
i am also able to edit this scaled object using this command:
kubectl edit scaledobject.keda.sh/rabbitmq-scaledobject -n mynamespace
but i am not sure why it is not listed when doing this command:
kubectl get ScaledObjects -n mynamespace
the autoscaler does work, i am just wondering why it is not listed..
Thanks in Advance,
Yaniv
This might be a case of having more than one Custom Resource defined with the same kind but a different apiVersion.
For example, these two versions of Keda create the ScaledObject with different apiVersion:
1.4:
apiVersion: keda.k8s.io/v1alpha1
kind: ScaledObject
2.0:
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
So when you run kubectl get ScaledObjects -n mynamespace, it might be defaulting to the one you are not using.

How to create K8S deployment in specific namespace?

I am using kubectl apply -f https://k8s.io/examples/controllers/nginx-deployment.yaml to create deployment.
I want to create deployment in my namespace examplenamespace.
How can I do this?
There are three possible solutions.
Specify namespace in the kubectl command:
kubectl apply -f https://k8s.io/examples/controllers/nginx-deployment.yaml -n my-namespace
Specify namespace in your yaml files:
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-deployment
namespace: my-namespace
Change default namespace in ~/.kube/config:
apiVersion: v1
kind: Config
clusters:
- name: "k8s-dev-cluster-01"
cluster:
server: "https://example.com/k8s/clusters/abc"
namespace: "my-namespace"
By adding -n namespace to command you already have. It also works with other types of resources.
kubectl apply -f https://k8s.io/examples/controllers/nginx-deployment.yaml -n namespacename
First you need to create the namespace likes this
kubectl create ns nameOfYourNamespace
Then you create your deployment under your namespace
kubectl apply -f https://k8s.io/examples/controllers/nginx-deployment.yaml -n examplenamespace
The ns at
kubectl create ns nameOfYourNamespace
stands for namespace
The -n
kubectl apply -f https://k8s.io/examples/controllers/nginx-deployment.yaml -n examplenamespace
stands for --namespace
So you first create your namespace in order Kubernetes know what namespaces dealing with.
Then when you are about to apply your changes you add the -n flag that stands for --namespace so Kubernetes know under what namespace will deploy/ create the proper resources

Create Daemonset using kubectl?

I took the CKA exam and I needed to work with Daemonsets for quite a while there. Since it is much faster to do everything with kubectl instead of creating yaml manifests for k8s resources, I was wondering if it is possible to create Daemonset resources using kubectl.
I know that it is NOT possible to create it using regular kubectl create daemonset at least for now. And there is no description of it in the documentation. But maybe there is a way to do that in some different way?
The best thing I could do right now is to create Deployment first like kubectl create deployment and edit it's output manifest. Any options here?
The fastest hack is to create a deployment file using
kubectl create deploy nginx --image=nginx --dry-run -o yaml > nginx-ds.yaml
Now replace the line kind: Deployment with kind: DaemonSet in nginx-ds.yaml and remove the line replicas: 1
However, the following command will give a clean daemonset manifest considering that "apps/v1" is the api used for DaemonSet in your cluster
kubectl create deploy nginx --image=nginx --dry-run -o yaml | \
sed '/null\|{}\|replicas/d;/status/,$d;s/Deployment/DaemonSet/g' > nginx-ds.yaml
You have your nginx DaemonSet.
CKA allows access to K8S documentation. So, it should be possible to get a sample YAML for different resources from there. Here is the one for the Daemonset from K8S documentation.
Also, not sure if the certification environment has access to resources in the kube-system namespace. If yes, then use the below command to get a sample yaml for Daemonset.
kubectl get daemonsets kube-flannel-ds-amd64 -o yaml -n=kube-system > daemonset.yaml
It's impossible. At least for Kubernetes 1.12. The only option is to get a sample Daemonset yaml file and go from there.
The fastest way to create
kubectl create deploy nginx --image=nginx --dry-run -o yaml > nginx-ds.yaml
Now replace the line kind: Deployment with kind: DaemonSet in nginx-ds.yaml and remove the line replicas: 1 , strategy {} and status {} as well.
Otherwise it shows error for some required fields like this
error: error validating "nginx-ds.yaml": error validating data: [ValidationError(DaemonSet.spec): unknown field "strategy" in io.k8s.api.apps.v1.DaemonSetSpec, ValidationError(DaemonSet.status): missing required field "currentNumberScheduled" in io.k8s.api.apps.v1.DaemonSetStatus,ValidationError(DaemonSet.status): missing required field "numberMisscheduled" in io.k8s.api.apps.v1.DaemonSetStatus, ValidationError(DaemonSet.status): missing required field "desiredNumberScheduled" in io.k8s.api.apps.v1.DaemonSetStatus, ValidationError(DaemonSet.status): missing required field "numberReady" in io.k8s.api.apps.v1.DaemonSetStatus]; if you choose to ignore these errors, turn validation off with --validate=false
There is no such option to create a DaemonSet using kubectl. But still, you can prepare a Yaml file with basic configuration for a DaemonSet, e.g. daemon-set-basic.yaml, and create it using kubectl create -f daemon-set-basic.yaml
You can edit new DaemonSet using kubectl edit daemonset <name-of-the-daemon-set>. Or modify the Yaml file and apply changes by kubectl apply -f daemon-set-basic.yaml. Note, if you want to update configuration modifying file and using apply command, it is better to use apply instead of create when you create the DaemonSet.
Here is the example of a simple DaemonSet:
kind: DaemonSet
metadata:
name: fluentd-elasticsearch
labels:
k8s-app: fluentd-logging
spec:
selector:
matchLabels:
name: fluentd-elasticsearch
template:
metadata:
labels:
name: fluentd-elasticsearch
spec:
containers:
- name: fluentd-elasticsearch
image: k8s.gcr.io/fluentd-elasticsearch:1.20
You could take advantage of Kubernetes architecture to obtain definition of DaemonSet from existing cluster. Have a look at kube-proxy, which is a network component that runs on each node in your cluster.
kube-proxy is deployed as DaemonSet so you can extract its definition with below command.
$ kubectl get ds kube-proxy -n kube-system -o yaml > kube-proxy.ds.yaml
Warning!
By extracting definition of DaemonSet from kube-proxy be aware that:
You will have to do pliantly of clean up!
You will have to change apiVersion from extensions/v1beta1 to apps/v1
I used this by the following commands:
Either create Replicaset or deployment from Kubernetes imperative command
kubectl create deployment <daemonset_name> --image= --dry-run -o yaml > file.txt
Edit the kind and replace DaemonSet, remove replicas and strategy fields into it.
kubectl apply -f file.txt
During CKA examination you are allowed to access Kubernetes Documentation for DaemonSets. You could use the link and get examples of DaemonSet yaml files. However you could use the way you mentioned, change a deployment specification to DaemonSet specification. You need to change the kind to Daemonset, remove strategy, replicas and status fields. That would do.
Using command to deployment create and modifying it, one can create daemonset very quickly.
Below is one line command to create daemonset
kubectl create deployment elasticsearch --namespace=kube-system --image=k8s.gcr.io/fluentd-elasticsearch:1.20 --dry-run -o yaml | grep -v "creationTimestamp\|status" | awk '{gsub(/Deployment/, "DaemonSet"); print }'