Kubectl : How to create manifest of persistentvolume from command line? - kubernetes

Is it possible to create (start the manifest) of a pv/pvc from command line?
ie. Creating a deployment
kubectl create deployment abc --image=logger:1 --dry-run=client -o yaml > abc.yml
ie. Creating a pod
kubectl run pod xyz --image=logger:1 --dry-run=client -o yaml > xyz.yml
What I'm trying to do
kubectl create persitentvolume --name my-pv spec.capacity.storage=1Gi --dry-run=client -o yaml > my-pv.yml
References used :
https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands

We cannot create the manifest file for `pv` using the command line. For only the following objects created using the command line(imperatively) is possible.
--->kubectl create [press tab] [press tab]
clusterrole cronjob namespace quota secret
clusterrolebinding deployment poddisruptionbudget role service
configmap job priorityclass rolebinding serviceaccount
or you can use --help with kubectl create to check the available options.
Available Commands:
clusterrole Create a cluster role
clusterrolebinding Create a cluster role binding for a particular cluster role
configmap Create a config map from a local file, directory or literal value
cronjob Create a cron job with the specified name
deployment Create a deployment with the specified name
ingress Create an ingress with the specified name
job Create a job with the specified name
namespace Create a namespace with the specified name
poddisruptionbudget Create a pod disruption budget with the specified name
priorityclass Create a priority class with the specified name
quota Create a quota with the specified name
role Create a role with single rule
rolebinding Create a role binding for a particular role or cluster role
secret Create a secret using specified subcommand
service Create a service using a specified subcommand
serviceaccount Create a service account with the specified name
token Request a service account token
Note:
Info above is for v1.24.2 or below. This might differ with future releases.
kubectl create token is added in version 1.24.

Related

Difference between two deployment commands in Kubernetes

What is the difference between $kubectl create deploy and $kubectl create deployment? Google Cloud Fundamental's Lab is using kubectl create deploy command, but in the Kubernetes documentation/Interactive Tutorial (https://kubernetes.io/docs/tutorials/kubernetes-basics/deploy-app/deploy-interactive/), it is using the command kubectl create deployment. So just wanted to ask this group, which one is the correct/latest?
The kubectl create deploy and kubectl create deployment commands both create a deployment in Kubernetes. The only difference is that the kubectl create deploy command is a shorthand version of the kubectl create deployment command. The kubectl create deployment command is the more verbose version and provides more options for creating a deployment.
The two commands are effectively interchangeable and both will create a Kubernetes deployment.Ultimately, it is up to the user to decide which syntax to use, as long as the deployment is created successfully.
As #gohmc and #fcmam5 said, The kubectl api-resources command prints a list of all of the available API resources in the Kubernetes cluster. The list includes the resource name, the kind of resource it is, and the API version it belongs to. Here is an example of the output of the command:
NAME KIND APIVERSION
bindings Binding v1
configmaps ConfigMap v1
endpoints Endpoints v1
events Event v1beta1
limitranges LimitRange v1
namespaces Namespace v1
pods Pod v1
replicationcontrollers ReplicationController v1
resourcequotas ResourceQuota v1
secrets Secret v1
services Service v1
As per this SO, you can also kubectl api-resources -o wide shows all the resources, verbs and associated API-group.
For more information refer to this kubernetes cheatsheet
They meant the same. You can find the SHORTNAMES for K8s resource with kubectl api-resources.
These deploy is a short-name for deployment, same as po for pod, you can see the full list of commands and their shortened versions with:
kubectl api-resources

Make secrete available for all namespaces in kubernetes

When you create a new namespace in Kubernetes there always will be a default-token secret available in it.
$ kubectl create namespace test
$ kubectl get secrets -n test
NAME TYPE DATA AGE
default-token-wh7hv kubernetes.io/service-account-token 3 6m10s
Question:
How can I create a secret that will be always available (as in above example) in newly created namespace?
default-token is used within the cluster and managed by the cluster.
ServiceAccounts are intended to provide an identity for a Kubernetes Pod to be used by its container to authenticate and authorize them when performing API-requests to the Kubernetes API-server. Default ServiceAccount will be created when you create namespace.
Secret resources reside in a namespace. Secrets can only be referenced by Pods in that same namespace.
If you want a way to create your own secret when additional ns created for that you will need an extra utility.
You can write a code to communicate with K8s API
Check the namespace list periodically.
Create a secret when an additional namespace created.

why i can't create pods a a user with enough permissions in kubernetes

I am following a tutorial regarding RBAC, I think I understand the main idea but I don't get why this is failing:
kc auth can-i "*" pod/compute --as deploy#test.com
no
kc create clusterrole deploy --verb="*" --resource=pods --resource-name=compute
clusterrole.rbac.authorization.k8s.io/deploy created
kc create clusterrolebinding deploy --user=deploy#test.com --clusterrole=deploy
clusterrolebinding.rbac.authorization.k8s.io/deploy created
# this tells me that deploy#test.com should be able to create a pod named compute
kc auth can-i "*" pod/compute --as deploy#test.com
yes
# but it fails when trying to do so
kc run compute --image=nginx --as deploy#test.com
Error from server (Forbidden): pods is forbidden: User "deploy#test.com" cannot create resource "pods" in API group "" in the namespace "default"
the namespace name should be irrelevant afaik, since this is a clusterrole.
Restricting the create permission to a specific resource name is not supported.
This is from the Kubernetes documentation:
Note: You cannot restrict create or deletecollection requests by resourceName. For create, this limitation is because the object name is not known at authorization time.
This means the ClusterRole you created doesn't allow you to create any Pod.
You need to have another ClusterRole assigned where you don't specify the resource name.

Create PersistentVolumeClaim imperative way?

Why can't we create PV or PVC in imperative way?
Trying using create command, but it doesn't show any of them.
kubectl create --help
Available Commands:
clusterrole Create a ClusterRole.
clusterrolebinding Create a ClusterRoleBinding for a particular ClusterRole
configmap Create a configmap from a local file, directory or literal value
cronjob Create a cronjob with the specified name.
deployment Create a deployment with the specified name.
ingress Create an ingress with the specified name.
job Create a job with the specified name.
namespace Create a namespace with the specified name
poddisruptionbudget Create a pod disruption budget with the specified name.
priorityclass Create a priorityclass with the specified name.
quota Create a quota with the specified name.
role Create a role with single rule.
rolebinding Create a RoleBinding for a particular Role or ClusterRole
secret Create a secret using specified subcommand
service Create a service using specified subcommand.
serviceaccount Create a service account with the specified name
As described in the documentation kubectl uses imperative commands built into the kubectl command-line tool in order to help you creating objects quickly.
After some checks it seems like this is not available because it has not been implemented yet. You can see the full list of the create options at kubectl/pkg/cmd/create.
For example, #78153 was responsible for kubectl create ingress functionality.
You would probably get more information and perhaps reasons why this is not implemented by asking the developers and opening a new issue.

Can I use Role and ServiceAccounts with several namespaces?

I'm trying to connect my k8s cluster to my ceph cluster with this manual:
https://akomljen.com/using-existing-ceph-cluster-for-kubernetes-persistent-storage/
I want to deploy rbd-provision pods into kube-system namespace like this https://paste.ee/p/C1pB4
After deploying pvc I get errors because my pvc is in default namespace. Can I do with that anything? I read docs and if I'm right I can't use ServiceAccount with 2 ns, or can?
No. Service account is namespaced object and it is limited to particular namespace only
Service accounts can be granted permissions in another namespace.
For example, within the namespace "acme", grant the permissions in the view ClusterRole to the service account in the namespace "acme" named "myapp" :
kubectl create rolebinding myapp-view-binding \
--clusterrole=view --serviceaccount=acme:myapp \
--namespace=acme