Difference between revisions of "Kubernetes"
From Fixme.ch
(→Certificate expiration) |
|||
| Line 25: | Line 25: | ||
<pre> | <pre> | ||
| + | # Service state | ||
systemctl stop kubelet.service | systemctl stop kubelet.service | ||
systemctl restart docker.service | systemctl restart docker.service | ||
| + | # Backup | ||
rsync -av /etc/kubernetes/ /root/kubernetes-$(date +%s)/ | rsync -av /etc/kubernetes/ /root/kubernetes-$(date +%s)/ | ||
rsync -av /var/lib/etcd/ /root/etcd-$(date +%s)/ | rsync -av /var/lib/etcd/ /root/etcd-$(date +%s)/ | ||
| Line 37: | Line 39: | ||
rm {apiserver.crt,apiserver-etcd-client.key,apiserver-kubelet-client.crt,front-proxy-ca.crt,front-proxy-client.crt,front-proxy-client.key,front-proxy-ca.key,apiserver-kubelet-client.key,apiserver.key,apiserver-etcd-client.crt} | rm {apiserver.crt,apiserver-etcd-client.key,apiserver-kubelet-client.crt,front-proxy-ca.crt,front-proxy-client.crt,front-proxy-client.key,front-proxy-ca.key,apiserver-kubelet-client.key,apiserver.key,apiserver-etcd-client.crt} | ||
| + | # Regen certificates | ||
cd | cd | ||
kubeadm init phase certs all --apiserver-advertise-address 62.220.135.205 --ignore-preflight-errors=all | kubeadm init phase certs all --apiserver-advertise-address 62.220.135.205 --ignore-preflight-errors=all | ||
| Line 42: | Line 45: | ||
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config | cp -i /etc/kubernetes/admin.conf $HOME/.kube/config | ||
| + | # Check states | ||
kubeadm join 62.220.135.205:6443 --token XXX --discovery-token-ca-cert-hash YYY --ignore-preflight-errors=all | kubeadm join 62.220.135.205:6443 --token XXX --discovery-token-ca-cert-hash YYY --ignore-preflight-errors=all | ||
kubectl get nodes | kubectl get nodes | ||
kubectl get all | kubectl get all | ||
</pre> | </pre> | ||
Revision as of 22:56, 18 July 2021
Kubernetes @ FIXME
Information
- Endpoint: k8s.fixme.ch
- Credentials are available in file k8s:/etc/kubernetes/admin.conf.
- Currently running on Bellatrix
- Backup: https://git.fixme.ch/Comite/fixme-kube-backup (restricted for secret access)
Services
- Some services that are deployed on our instance
- Chat
- Etherpad
- Power monitoring
- Fablab wiki
- Led API endpoint
- Trigger
- MQTT gateway
- gitlab: ongoing
Certificate expiration
Sometimes K8S is in the sauce, something like this might help regenerate the certs
# Service state
systemctl stop kubelet.service
systemctl restart docker.service
# Backup
rsync -av /etc/kubernetes/ /root/kubernetes-$(date +%s)/
rsync -av /var/lib/etcd/ /root/etcd-$(date +%s)/
cd /etc/kubernetes
rm {admin.conf,controller-manager.conf,kubelet.conf,scheduler.conf}
cd /etc/kubernetes/pki
rm {apiserver.crt,apiserver-etcd-client.key,apiserver-kubelet-client.crt,front-proxy-ca.crt,front-proxy-client.crt,front-proxy-client.key,front-proxy-ca.key,apiserver-kubelet-client.key,apiserver.key,apiserver-etcd-client.crt}
# Regen certificates
cd
kubeadm init phase certs all --apiserver-advertise-address 62.220.135.205 --ignore-preflight-errors=all
kubeadm init phase kubeconfig all
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
# Check states
kubeadm join 62.220.135.205:6443 --token XXX --discovery-token-ca-cert-hash YYY --ignore-preflight-errors=all
kubectl get nodes
kubectl get all
