How to deploy an application in GKE from a public CI server - kubernetes

I'm trying to deploy an application in a GKE 1.6.2 cluster running ContainerOS but the instructions on the website / k8s are not accurate anymore.
The error that I'm getting is:
Error from server (Forbidden): User "circleci#gophers-slack-bot.iam.gserviceaccount.com"
cannot get deployments.extensions in the namespace "gopher-slack-bot".:
"No policy matched.\nRequired \"container.deployments.get\" permission."
(get deployments.extensions gopher-slack-bot)
The repository for the application is available here available here.
Thank you.

I had a few breaking changes in the past with using the gcloud tool to authenticate kubectl to a cluster, so I ended up figuring out how to auth kubectl to a specific namespace independent of GKE. Here's what works for me:
On CircleCI:
setup_kubectl() {
echo "$KUBE_CA_PEM" | base64 --decode > kube_ca.pem
kubectl config set-cluster default-cluster --server=$KUBE_URL --certificate-authority="$(pwd)/kube_ca.pem"
kubectl config set-credentials default-admin --token=$KUBE_TOKEN
kubectl config set-context default-system --cluster=default-cluster --user=default-admin --namespace default
kubectl config use-context default-system
}
And here's how I get each of those env vars from kubectl.
kubectl get serviceaccounts $namespace -o json
The service account will contain the name of it's secret. In my case, with the default namespace, it's
"secrets": [
{
"name": "default-token-655ls"
}
]
Using the name, I get the contents of the secret
kubectl get secrets $secret_name -o json
The secret will contain ca.crt and token fields, which match the $KUBE_CA_PEM and $KUBE_TOKEN in the shell script above.
Finally, use kubectl cluster-info to get the $KUBE_URL value.
Once you run setup_kubectl on CI, your kubectl utility will be authenticated to the namespace you're deploying to.

In Kubernetes 1.6 and GKE, we introduce role based cess control. The authors of your took need to give the service account the ability to get deployments (along with probably quite a few others) to its account creation.
https://kubernetes.io/docs/admin/authorization/rbac/

Related

Google Cloud Run for Anthos: Using Managed SSL

[ Note to reader: This is a long question, please bear with me ]
I've been messing with Cloud Run for Anthos as a side project, and have got a service up and running on http (not https) -- it performs as expected, scaling up and scaling down as traffic requires.
I now want to add SSL to it, so traffic comes on SSL only. And I've been banging my head against a wall on this trying to get it to work. Mainly centering on this link
I have setup the cluster default domain (it shows up on the Cloud Run for Anthos page) and my service is accessible via http://myservice.mynamespace.mydomain.com (not my real domain, obviously)
I've patched the knative configs, enabling autoTLS and setting mydomain as needed:
kubectl patch configmap config-domain --namespace knative-serving --patch '{"data": {"mydomain.com": ""}}'
kubectl patch configmap config-domain --namespace knative-serving --patch '{"data": {"nip.io": null}}'
kubectl patch configmap config-domainmapping --namespace knative-serving --patch '{"data": {"autoTLS": "Enabled"}}'
kubectl patch configmap config-network --namespace knative-serving --patch '{"data": {"autoTLS": "Enabled"}}'
kubectl patch configmap config-network --namespace knative-serving --patch '{"data": {"httpProtocol": "Enabled"}}'
The documentation talks about using gcloud domain mapping:
gcloud run domain-mappings describe --domain DOMAIN
Yet, this only is available on beta
ERROR: (gcloud.run.domain-mappings.describe) This command group is in beta for fully managed Cloud Run; use `gcloud beta run domain-mappings`.
Using beta, however, also fails
ERROR: (gcloud.beta.run.domain-mappings.describe) NOT_FOUND: Resource 'mydomain.com' of kind 'DOMAIN_MAPPING' in region 'europe-west2' in project 'my-project' does not exist
Making my cluster zonal or regional makes no difference.
The documentation also mentions using kcert
kubectl get kcert
Yet this does not show anything until after I have deployed my service.
$ kubectl get kcert --all-namespaces
NAMESPACE NAME READY REASON
default route-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
And this NEVER shows ready. Trying to hit http://myservice.mynamespace.mydomain.com remains fine, but hitting https://myservice.mynamespace.mydomain.com returns:
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to myservice.mynamespace.mydomain.com:443
Can anyone guide me into why I can't get SSL working on this?
Related question -- is it possible to use the already-configured cert-manager cluster issuer instead? Such as described here?

Why is kubectl describe secret not working?

I created a secret in kubernetes using the command below -
kubectl create secret generic -n mynamespace test --from-file=a.txt
Now I try to view it using below commands but am unsuccessful -
kubectl describe secrets/test
kubectl get secret test -o json
This is the error I get in either case -
Error from server (NotFound): secrets "test" not found
What can be the cause? I am using GCP for the kubernetes setup. Can the trial version of GCP be the cause for it?
Try to access the secret in the namespace where it was created in:
kubectl -n mynamespace describe secrets/test
kubectl -n mynamespace get secret test -o json
You create your secret on a specific namespace and not the default one and when you use kubectl describe it will be bind to the default one.
Good thinks to know when you use a specific namespace for your secret is that they can only be referenced by pods in that same namespace.

How to configure kubectl in kubernetes cluster

I have provisioned a kuberenetes cluster using this saltstack repo:
https://github.com/valentin2105/Kubernetes-Saltstack
Now, I am not able to configure my kubectl CLI to access the cluster.
Is there a way to reset the credentials?
Is there a way to get configure properly the .kube/config with the right context, user, credentials and cluster name retrieving the info from the servers?
I am new to kubernetes, so maybe I am missing something here.
To be able to set your cluster you can do as follow:
kubectl config set-cluster k8s-cluster --server=${CLUSTER} [--insecure-skip-tls-verify=true]
--server=${CLUSTER} where ${CLUSTER} is your cluster adress
--insecure-skip-tls-verify=true is used if you are using http over https
Then you need to set your context ( depending on your kubernetes configuration
kubectl config set-context k8s-context --cluster=k8s-cluster --namespace=${NS}
--namespace=${NS} to specify the default namespace ( which skips the -n while typing kubectl commands for that namespace )
If you are using a RBAC, you might need to specify your user and pass your connection token or your login password:
For this advanced usage you can see the docs https://kubernetes.io/docs/reference/kubectl/cheatsheet/#kubectl-context-and-configuration
Now and finally to use your context you only have to:
kubectl config use-context ${USER}

Login to GKE via service account with token

I am trying to access my Kubernetes cluster on google cloud with the service account, but I am not able to make this works. I have a running system with some pods and ingress. I want to be able to update images of deployments.
I would like to use something like this (remotely):
kubectl config set-cluster cluster --server="<IP>" --insecure-skip-tls-verify=true
kubectl config set-credentials foo --token="<TOKEN>"
kubectl config set-context my-context --cluster=cluster --user=foo --namespace=default
kubectl config use-context cluster
kubectl set image deployment/my-deployment boo=eu.gcr.io/project-123456/image:v1
So I created the service account and then get the secret token:
kubectl create serviceaccount foo
kubectl get secret foo-token-gqvgn -o yaml
But, when I try to update the image in any deployment, I receive:
error: You must be logged in to the server (Unauthorized)
IP address for API I use the address, which is shown in GKE administration as cluster endpoint IP.
Any suggestions? Thanks.
I have tried to recreate your problem.
Steps I have followed
kubectl create serviceaccount foo
kubectl get secret foo-token-* -o yaml
Then, I have tried to do what you have done
What I have used as token is base64 decoded Token.
Then I tried this:
$ kubectl get pods
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:foo" cannot list pods in the namespace "default": Unknown user "system:serviceaccount:default:foo"
This gave me error as expected. Because, I need to grant permission to this ServiceAccount.
How can I grant permission to this ServiceAccount? I need to create ClusterRole & ClusterRoleBinding with necessary permission.
Read more to learn more role-based-access-control
I can do another thing
$ kubectl config set-credentials foo --username="admin" --password="$PASSWORD"
This will grant you admin authorization.
You need to provide cluster credential.
Username: admin
Password: -----
You will get this info in GKE -> Kubernetes Engine -> {cluster} -> Show credential

How to format the output of kubectl describe to JSON

kubectl get command has this flag -o to format the output.
Is there a similar way to format the output of the kubectl describe command?
For example:
kubectl describe -o="jsonpath={...}" pods my-rc
would print a JSON format for the list of pods in my-rc replication controller. But -o is not accepted for the describe command.
kubectl describe doesn't support -o or equivalent. It's meant to be human-readable rather than script-friendly. You can achieve what you described with kubectl get pods -l <selector_of_your_rc> -o <output_format>, for example:
$ kubectl get pods -l app=guestbook,tier=frontend -o name
pod/frontend-a4kjz
pod/frontend-am1ua
pod/frontend-yz2dq
In my case, I needed to get the load balancer address from the service. I did it using kubectl get service:
$ kubectl -n <namespace> -ojson get service <service>
{
"apiVersion": "v1",
"kind": "Service",
[...]
"status": {
"loadBalancer": {
"ingress": [
{
"hostname": "internal-xxxxxxxxxxxxxxxxxxxxxxxxxxx-yyyyyyyyyy.us-east-1.elb.amazonaws.com"
}
[...]
}
Based on the output of kubectl help describe, it looks like it does not support structured output:
$ kubectl help describe
Show details of a specific resource or group of resources.
This command joins many API calls together to form a detailed description of a
given resource or group of resources.
$ kubectl describe TYPE NAME_PREFIX
will first check for an exact match on TYPE and NAME_PREFIX. If no such resource
exists, it will output details for every resource that has a name prefixed with NAME_PREFIX
Possible resource types include (case insensitive): pods (po), services (svc), deployments,
replicasets (rs), replicationcontrollers (rc), nodes (no), events (ev), limitranges (limits),
persistentvolumes (pv), persistentvolumeclaims (pvc), resourcequotas (quota), namespaces (ns),
serviceaccounts, ingresses (ing), horizontalpodautoscalers (hpa), daemonsets (ds), configmaps,
componentstatuses (cs), endpoints (ep), and secrets.
Usage:
kubectl describe (-f FILENAME | TYPE [NAME_PREFIX | -l label] | TYPE/NAME) [flags]
Examples:
# Describe a node
kubectl describe nodes kubernetes-minion-emt8.c.myproject.internal
# Describe a pod
kubectl describe pods/nginx
# Describe a pod identified by type and name in "pod.json"
kubectl describe -f pod.json
# Describe all pods
kubectl describe pods
# Describe pods by label name=myLabel
kubectl describe po -l name=myLabel
# Describe all pods managed by the 'frontend' replication controller (rc-created pods
# get the name of the rc as a prefix in the pod the name).
kubectl describe pods frontend
Flags:
-f, --filename=[]: Filename, directory, or URL to a file containing the resource to describe
-l, --selector="": Selector (label query) to filter on
Global Flags:
--alsologtostderr[=false]: log to standard error as well as files
--certificate-authority="": Path to a cert. file for the certificate authority.
--client-certificate="": Path to a client certificate file for TLS.
--client-key="": Path to a client key file for TLS.
--cluster="": The name of the kubeconfig cluster to use
--context="": The name of the kubeconfig context to use
--insecure-skip-tls-verify[=false]: If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure.
--kubeconfig="": Path to the kubeconfig file to use for CLI requests.
--log-backtrace-at=:0: when logging hits line file:N, emit a stack trace
--log-dir="": If non-empty, write log files in this directory
--log-flush-frequency=5s: Maximum number of seconds between log flushes
--logtostderr[=true]: log to standard error instead of files
--match-server-version[=false]: Require server version to match client version
--namespace="": If present, the namespace scope for this CLI request.
--password="": Password for basic authentication to the API server.
-s, --server="": The address and port of the Kubernetes API server
--stderrthreshold=2: logs at or above this threshold go to stderr
--token="": Bearer token for authentication to the API server.
--user="": The name of the kubeconfig user to use
--username="": Username for basic authentication to the API server.
--v=0: log level for V logs
--vmodule=: comma-separated list of pattern=N settings for file-filtered logging
There is a straightforward way, which might help.
You can run below command to get the yaml file of the service. Then copy paste to a new file.
kubectl edit svc {xx-servcice} -n {namespace} -o yaml
kubectl doesn't not support -o yaml/json for describe, but you can still use some other commands to get the info in describe, such as :
kubectl get events
As #janekuto suggested
describe cannot be used to display data in json format
Please see my answer here. jq is really a powerful utility to play around with json display of kubectl. You can do so much with jq without putting too much efforts.
kubectl - format the resource quota values in json format