[Intranet] Yasuhiro ABE, The University of Aizu.

kubectl is an essential command-line tool for managing Kubernetes clusters, allowing users to deploy applications, inspect and manage cluster resources, and view logs.

This document explains how to setup the kubectl command for use.

1. For users of kubecamp.u-aizu.ac.jp

1.1. For whom used the kubectl command in the past

If you have already placed your ~/.kube/config file, please update the right value of the id-token: key.

If you haven’t do, please replace the shown configuration text to your ~/.kube/config file.

1.2. Detail Information

Please see the https://kubecamp.u-aizu.ac.jp/signup/docs/en/index.html#kubectl-command document for details.

2. For users of inovtst9.u-aizu.ac.jp

We are setting up users on inovtst9.u-aizu.ac.jp in the same way as KubeCamp from AY2024.

There is no dashboard, so download config file template and setup manually.

2.1. For Whom used the kubectl command in the past

If you have already completed the preparation work once, please use the following steps as a guide. If you are not familiar with the procedure, please refer to the appropriate section below.

Get ID Token from https://opm00h.u-aizu.ac.jp/dexc
Edit ~/.kube/config file, then update the id-token: by the obtained ID Token

        id-token:

Note: Please keep in mind that the once white space should be put after colon (:)

After editing the file is complete, execute the following command to confirm the setting.

$ kubectl get node

You also can usekubectl version for confirmation.

If the .kube/confi file are properly configured, you will see the following output.

NAME       STATUS   ROLES           AGE      VERSION
u109ls01   Ready    control-plane   2y192d   v1.28.6
u109ls02   Ready    control-plane   2y192d   v1.28.6
u109ls03   Ready    <none>          2y192d   v1.28.6
u109ls04   Ready    <none>          2y192d   v1.28.6

Regarding the error messages of executing kubectl, please see the Common issues when executing the kubectl command.

On Emacs, to remove an old id-token, enclose the relevant section (C-Space at the beginning, then move to the end of the line), then C-w.

[ View on the Asciinema Site ]

2.2. References

kubernetes.io::install kubectl on linux (kubectlコマンドの取得方法)
Wikipedia::Json Web Token
jwt.io

2.3. Getting started

The kubectl command is a client for operating kubernetes (k8s) clusters. Our k8s cluster has OIDC authentication enabled, so authentication with the AINS ID is required for operation.

The ID Token described here is valid for 24 hours (86400 seconds). Please refer to this page to prepare for every SCCP class to update the ID Token.

2.4. Obtaining "ID Token" from OIDC Provider

Json Web Token is a specification for signed user information (token). In this SCCP environment, JWTs are generated by logging in with AINS-ID to the following services.

https://opm00h.u-aizu.ac.jp/dexc

2.4.1. First page

First make sure that Extra scopes is entered as groups.

2.4.2. Second Login page

Plaese input your AINS-ID and password.

2.4.3. Grant access page

Please push the green button, "Grant Access".

2.4.4. Final page

The ID Token information will be output to the screen. The contents of the ID Token will tell you what mailing lists you are subscribed to.

Do not close the web browser window because the ~/.kube/config file will be prepared using this ID Token information.

If you want to use the kubecamp.u-aizu.ac.jp, please copy the configuration text to your ~/.kube/config file.

2.5. [First time only] Creation of ~/.kube/config file using obtained "ID Token"

This procedure should be performed only the first time ~/.kube/config does not exist.

The template for the config file is located at the following URL.

config (For 192.168.100.51)

On a work ThinkPad with kubectl command installed, create the following file ~/.kube/config using ID Token.

$ mkdir -p ~/.kube
$ cd ~/.kube
$ wget -Oconfig https://web-int.u-aizu.ac.jp/%7Eyasu-abe/ja/sccp/manual/setupk8s.config-192.168.100.51.txt

Rewrite "s12xxxxxxxx" ("user:", "name:"(x2), "current-context:", total 4 places) with your AINS-ID using an editor, and enter the ID Token obtained from the OIDC Provider in the "id-token:" value.

2.6. Remaining Setup tasks (required each time)

Since ~/.kube/config has already been created, there is no need to download it again.

On every class, please visit https://opm00h.u-aizu.ac.jp/dexc to obtain the ID Token and rewrite it before using the kubectl command again next time.

3. Confirmation process

To check your ~/.kube/config file is properly configured, please execute the following command.

$ kubectl -v=8 get node

If succesfully configured, then you will get the following results.

I0310 08:48:24.981665  437160 loader.go:395] Config loaded from file:  /home/professor/yasu-abe/.kube/config
I0310 08:48:24.993015  437160 round_trippers.go:463] GET https://inovtst9.u-aizu.ac.jp:6443/api/v1/nodes?limit=500
I0310 08:48:24.993038  437160 round_trippers.go:469] Request Headers:
I0310 08:48:24.993053  437160 round_trippers.go:473]     Accept: application/json;as=Table;v=v1;g=meta.k8s.io,application/json;as=T
able;v=v1beta1;g=meta.k8s.io,application/json
I0310 08:48:24.993068  437160 round_trippers.go:473]     User-Agent: kubectl/v1.28.6 (linux/amd64) kubernetes/be3af46
I0310 08:48:25.011855  437160 round_trippers.go:574] Response Status: 200 OK in 18 milliseconds
I0310 08:48:25.011893  437160 round_trippers.go:577] Response Headers:
I0310 08:48:25.011914  437160 round_trippers.go:580]     X-Kubernetes-Pf-Flowschema-Uid: f4b25b5a-17c2-4d04-8328-ccdf93bfaa7b
I0310 08:48:25.011930  437160 round_trippers.go:580]     X-Kubernetes-Pf-Prioritylevel-Uid: 4b38613e-0027-4522-8106-69dac0750cfe
I0310 08:48:25.011944  437160 round_trippers.go:580]     Date: Sun, 10 Mar 2024 08:48:25 GMT
I0310 08:48:25.011957  437160 round_trippers.go:580]     Audit-Id: 26415666-b579-45c0-a189-505f0d78b894
I0310 08:48:25.011970  437160 round_trippers.go:580]     Cache-Control: no-cache, private
I0310 08:48:25.011983  437160 round_trippers.go:580]     Content-Type: application/json
I0310 08:48:25.012532  437160 request.go:1212] Response Body: {"kind":"Table","apiVersion":"meta.k8s.io/v1","metadata":{"resourceVe
rsion":"295544101"},"columnDefinitions":[{"name":"Name","type":"string","format":"name","description":"Name must be unique within a
 namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropr
iate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More
info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names","priority":0},{"name":"Status","type":"string"
,"format":"","description":"The status of the node","priority":0},{"name":"Roles","type":"string","format":"","description":"The ro
les of the node","priority":0},{"name":"Age","type":"string","format":"","description":"CreationTimestamp is a timestamp representi
ng the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations.
 Clients may not set this value. It is [truncated 19026 chars]
NAME       STATUS   ROLES           AGE      VERSION
u109ls01   Ready    control-plane   2y192d   v1.28.6
u109ls02   Ready    control-plane   2y192d   v1.28.6
u109ls03   Ready    <none>          2y192d   v1.28.6
u109ls04   Ready    <none>          2y192d   v1.28.6

4. Points to note for apply/create/delete operations

You can only operate within the same NAMESPACE as your ID. Feel free to any experimental activities, your operation never breaks or modifies the entire system or other people’s settings.

If namespace is not specified (*) or another namespace is specified, the following error message is displayed.

*: If namespace is not specified, it works as if "-n default" is specified.

$ kubectl apply -f https://kubernetes.io/examples/service/load-balancer-example.yaml
Error from server (Forbidden): error when creating "https://kubernetes.io/examples/service/load-balancer-example.yaml": deployments.apps is forbidden: User "yasu-abe@u-aizu.ac.jp" cannot create resource "deployments" in API group "apps" in the namespace "default"

4.1. FYI, to omit "-n <ns>" from your command line

It is painful to specify namespace with kubectl -n <namespace> every time. If you use bash or zsh, set up alias or function for your effort.

k8s.envrc.txt (Download)

## ~/k8s.envrc file
alias kubectl="kubectl -n $(id -un)"
alias kc=kubectl
alias kcg="kc get"
alias kcga="kcg all"
alias kcgns="kcg ns"
alias kcd="kc describe"
alias kcang="kcan get"

function kcan {
  kc "$@" --all-namespaces
}

function chkc {
  alias kubectl="kubectl -n $1"
}

In this example, "$(id -un)" is specified instead of namespace.
This replaces the output of the **id -un** command." The "id -un" command returns the user name.

If you have prepared a k8s.envrc file in your home directory, the following operation will apply the settings each time you log in.

$ . ~/k8s.envrc

5. [Advanced User’s Guide] Permitted Permissions and How to Check

To manage k8s system, there are two types of settings: system-wide (ClusterRoleBinding) and per individual Namespace (RoleBinding).

5.1. ClusterRoleBinding

The system-wide permission settings create a ClusterRole dex-admin so that members of this SCCP can observe the internals of the k8s system.

The following configuration allows users to use the get/list/watch commands for many resources.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dex-admin
rules:
- apiGroups:
  - '*'
  resources:
  - clusterroles
  - cronjobs
  - customresourcedefinitions
  - daemonsets
  - deployments
  - horizontalpodautoscalers
  - ingresses
  - jobs
  - namespaces
  - nodes
  - persistentvolumeclaims
  - persistentvolumes
  - pods
  - replicasets
  - replicationcontrollers
  - roles
  - services
  - statefulsets
  - storageclasses
  verbs: ["get", "list", "watch"]
- nonResourceURLs:
  - '*'
  verbs: ["get", "list", "watch"]

Next, this dex-admin privilege is configured to be granted to users who are on the SCCP mailing list.

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin:12-4009-OT03-001-sem10
subjects:
- kind: Group
  name: 12-4009-OT03-001-sem10@course
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: dex-admin
  apiGroup: rbac.authorization.k8s.io

To check with the kubectl command, do the following

$ kubectl get ClusterRole dex-admin
$ kubectl get ClusterRoleBinding | grep ^admin

## the part of "admin:12-4009-OT03-001-sem10" will need to be modified.
$ kubectl get ClusterRoleBinding admin:12-4009-OT03-001-sem10

5.2. RoleBinding

The other authorization is for the namespace with the same name as the AINS ID name. Simply creating a namespace with the same name as the ID does not grant any privileges.

First, a namespace is created with the same name as the User name, and then a Role is created.

---
apiVersion: v1
kind: Namespace
metadata:
  name: yasu-abe
  labels:
    name: yasu-abe
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: yasu-abe
  name: sccp-user
rules:
- apiGroups: ["*"] # "" indicates the core API group
  resources: ["*"]
  verbs: ["create", "patch", "delete", "get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sccp-user
  namespace: yasu-abe
subjects:
- kind: User
  name: yasu-abe@u-aizu.ac.jp
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: sccp-user
  apiGroup: rbac.authorization.k8s.io

You can check your role by the following commands.

$ kubectl get -n $(id -un) role sccp-user -o yaml
$ kubectl get -n $(id -un) rolebinding sccp-user -o yaml

As shown in this setting, any element, including the namespace itself, is allowed to be deleted. You can delete your own namespace, but you must have system administrator privileges to create it.

It means that you cannot re-create your namespace by yourself. You may try to delete your namespace, but please contact me so I will re-create it.