Process/K8s Installation/Ingress
Resource
Ingress Documentation[1]
- Tool: KOPS
- Tool: ALB
- Environment configuration
export NAME=bbbxlpworkflow.com
export KOPS_STATE_STORE=s3://bbb-xlpworkflow-state-store
export KB=kubernetes-dashboard
kops export kubecfg --admin
Structure
Blog/Kubernetes Ingress with AWS ALB Ingress Controller
- ALB is highly integrated with AWS.
- Blog/Choosing the Right Load Balancer on Amazon: AWS Application Load Balancer vs. NGINX Plus
- Important Note: on AWS, there are several ways to do Ingress, not necessarily ALB.
Working Progress
Topic: DNS
Question: Can I not use Route 53? [2]
- Video: How to Use GoDaddy Domains with AWS Route 53 Hosted Zones[3]
Test DNS
Question: How does subdomain work?
- Subdomains of a domain share the same suffix (the parent domain).
Question: how to switch between multiple clusters? [4]
- Issue: cannot find how to export the config
Topic: Credentials
- Question: not sure where id_rsa is in Video: [7]
- Where are the .crt and .key files [8]?
- https://www.notion.so/K8S-a1f3e06e28374728877a0ccabd3620da#ea145f73d3894fc0926d0b0f5c5fd445
- Notice: need the correct URL when listing the S3 bucket []
aws s3 ls s3://bbb-xlpworkflow-state-store/bbbxlpworkflow.com/pki/
Deadlock: kops set secret needs the cluster context, but the context is needed to access kubectl
- Solved:
kops create secret sshpublickey admin -i ~/.ssh/id_rsa.pub --name bbbxlpworkflow.com
kops get secrets --name bbbxlpworkflow.com
Issue: Unable to connect to server: dial tcp 203.0.113.123:443: i/o timeout
Issue: How to manage instances in kops?
- https://stackoverflow.com/questions/53204326/kops-pause-cluster-should-bring-ec2-instance-cluster-in-stopped-state
kops edit ig <ig-name>
and set the max and min size of the master and node instance groups.
Issue: cannot kubectl get nodes
- Reason: network failure
- kops used kubenet as the default
- Switched to the Calico network by modifying the networking section in the kops cluster config file, and it worked
Issue: cannot login
- https://kops.sigs.k8s.io/cli/kops_export_kubeconfig
- https://serverfault.com/questions/1053613/kubectl-error-you-must-be-logged-in-to-the-server-unauthorized-when-using-kube
- Possible Solution:
- These need eksctl [9] [10]
- Current solution: download json file [11]
- Tutorial : IAM in KOPS
- There are two ways: edit at the cluster level or edit at the node level. Note that when updating IAM in kops, a special command is required. [12]
- Limitation: can only bind a policy to the instance role
- Question: what is the difference between a service account and a ROLE?
- Tutorial: https://medium.com/devops-dudes/the-difference-between-an-aws-role-and-an-instance-profile-ae81abd700d
- Note: For any authentication system, there are 2 key parts
- Who am I (Profiles)
- What am I permitted to do? (Roles)
- An AWS IAM user includes both, and other tools often require both to be set up.
- Use
kubectl describe
to inspect
- Reason: minimum replica unavailable
- Tried to update the cluster, but new pods are not added
- Tried
kubectl apply -f file.yml
but it did not redeploy.
- Solved by
kubectl patch -n kube-system deployment aws-load-balancer-controller -p "{\"spec\": {\"template\": {\"metadata\": { \"labels\": { \"redeploy\": \"$(date +%s)\"}}}}}"
- Why?
Topic: Ingress Specification
Question: How to write host and path precisely?
Topic : Configuring Load Balancer
In AWS, we can use its Elastic Load Balancer or use the ALB controller to create a load balancer
- Manually:
- Automatically :
Issue: After log out, cannot log in
kops error: You must be logged in to the server (Unauthorized)
Solution: https://stackoverflow.com/questions/59987859/kubectl-error-you-must-be-logged-in-to-the-server-unauthorized
Issue: Controller cannot build ingress
- ALB needs NodePort [13], but still not solved.
Progress: ALB controller can be built
Issue: cannot reach service; ALB seems OK, can dig
- @Aug 6, 2021, 2:38 PM
- cannot dig echoserver.com → check Route 53 → found there is no record
- Once the ingress is built, the AWS-generated load balancer domain can be dug; but to dig any custom DNS name, the domain needs to be bound in AWS Route 53
- Bind DNS to the LB in AWS Route 53
Progress: Debugging Traffic
- Pod Level
- Your application will most likely have some other output, but the general idea here is to make sure the logs look good.
- Service Level:
- Need to check ENDPOINTS, which indicate that the pods are connected
- Log: KB dashboard service pods succeed; the endpoints match
- Ingress :
- Issue: cannot find the backend pods
- ELB:
- Question: what's the difference between ALB and ELB?
- Issue: trying to curl the dashboard ELB's DNS name gives
Client sent an HTTP request to an HTTPS server
- try to open 443 → but the node security group does not allow it → so I need to fix it in the CLI or the AWS console..?
- → try another option (which is also necessary before moving to HTTPS): change back to HTTP → failing so far
- From HTTP to HTTPS
- https://medium.com/@ManagedKube/kubernetes-troubleshooting-ingress-and-services-traffic-flows-547ea867b120
- Question: what exactly is the effect when we cannot use HTTPS? is it not going
Progress 8.14
- ALB 2048 succeeded;
- Nginx Controller apple service, curl http://domain/dashboard, 404 not found
- Nginx Controller dashboard service, curl http://domain/dashboard, 404 not found; curl https://domain gets curl: (60) SSL certificate problem: self signed certificate
- When a default service was added, got 502 bad gateway
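As an added example (not from these notes), an Ingress manifest for the AWS Load Balancer Controller that answers the host/path question under "Ingress Specification" and covers the HTTP to HTTPS step and the /dashboard path tried in the 8.14 tests. The certificate ARN and the two backend Service names are placeholders; the annotation names are the ones documented for controller v2.x.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echoserver
  namespace: default
  annotations:
    # Public ALB; "internal" creates a private one.
    alb.ingress.kubernetes.io/scheme: internet-facing
    # "instance" registers nodes as targets, so every backend Service must be
    # NodePort (the "ALB needs NodePort" issue). "ip" registers Pod IPs and
    # also works with ClusterIP Services.
    alb.ingress.kubernetes.io/target-type: instance
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    # Placeholder ARN: an ACM certificate covering the host below.
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID
    # Answer HTTP on 80 with a redirect to 443 instead of serving plain HTTP.
    alb.ingress.kubernetes.io/ssl-redirect: "443"
spec:
  ingressClassName: alb   # older controllers: annotation kubernetes.io/ingress.class: alb
  # Where requests matching no rule go. If this Service is missing or its
  # targets fail the ALB health check, the ALB answers 502 (the 8.14 note).
  defaultBackend:
    service:
      name: echoserver
      port:
        number: 80
  rules:
    # host is matched against the Host header; wildcards only as
    # *.example.com. The Route 53 record must point at the ALB hostname
    # the controller writes into the Ingress status.
    - host: echoserver.com
      http:
        paths:
          # Prefix matching is per path element: /dashboard, /dashboard/ and
          # /dashboard/abc match; /dashboardx does not.
          - path: /dashboard
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 443
          - path: /
            pathType: Prefix
            backend:
              service:
                name: echoserver
                port:
                  number: 80
```

The dashboard Service serves HTTPS itself, which is what "Client sent an HTTP request to an HTTPS server" reports; annotating that Service with alb.ingress.kubernetes.io/backend-protocol: HTTPS makes the ALB speak TLS to it. Neither the ALB nor the Nginx controller strips the path, so a backend that only serves "/" returns 404 for /dashboard unless it is configured to serve under that prefix.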
Topic: Service accounts
Until recently, the only way for a Pod to use the AWS API was to either provision static credentials or assign additional IAM Policies to the Nodes Pods were running on. kOps addons rely on the latter, which has several issues.
- ALB requirements [14]
- Solution
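Added example, not from these notes or the kops project, contrasting the two ways this page mentions of giving the ALB controller AWS permissions in a kops Cluster spec: the instance-role policy (the "latter" above, bound to every node, and the "can only bind policy to instance role" limitation) and IAM roles for service accounts. Field names follow my reading of the kops cluster spec docs, so verify them against the kops version in use; ACCOUNT_ID, the policy ARN and the OIDC discovery bucket are placeholders.

```yaml
apiVersion: kops.k8s.io/v1alpha2
kind: Cluster
metadata:
  name: bbbxlpworkflow.com
spec:
  networking:
    # kubenet is the kops default; switching to Calico fixed "kubectl get nodes".
    calico: {}

  # (a) Instance-role approach (kops edit cluster + additionalPolicies).
  #     The statement lands on the IAM role of EVERY node, so any Pod
  #     scheduled on any node inherits it, not only the controller.
  #     The Describe-only statement is a placeholder; the controller needs
  #     its full iam_policy.json.
  additionalPolicies:
    node: |
      [
        {
          "Effect": "Allow",
          "Action": ["elasticloadbalancing:Describe*"],
          "Resource": "*"
        }
      ]

  # (b) IRSA: each ServiceAccount that needs AWS access gets its own role via
  #     the cluster's OIDC issuer; nodes keep none of these permissions.
  serviceAccountIssuerDiscovery:
    discoveryStore: s3://OIDC-DISCOVERY-BUCKET   # placeholder; must be publicly readable
    enableAWSOIDCProvider: true
  iam:
    useServiceAccountExternalPermissions: true    # addons use IRSA instead of node roles
    # Extra workload ServiceAccounts bind their own policies the same way.
    serviceAccountExternalPermissions:
      - name: my-app
        namespace: default
        aws:
          policyARNs:
            - arn:aws:iam::ACCOUNT_ID:policy/MyAppPolicy   # placeholder
  # kops installs the controller and, with IRSA on, creates its role.
  awsLoadBalancerController:
    enabled: true
```

Keep (a) or (b), not both; after editing, kops update cluster --name bbbxlpworkflow.com --yes applies the change, and kops prints when a kops rolling-update cluster --yes is also needed (the networking change needs one).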
Other Questions:
- How does the request flow into k8s through the LB?
- How is the HTTPS resource placed on the web?
- Master vs node, their responsibilities are still not clear... e.g. how do their IAM policies differ, as in the ALB case?
- Do we need to manually configure the master nodes every time?
Meta
This contains the issues with the system.
- A type of object can only be placed in one place. Need a way to let it be distributed to multiple pages.
- When saving code data, is it better to copy the code instead of a screenshot?
Namespace Management of K8s Installation Task
Definition
- Tree form vs Argumentation form; static vs adaptive form;
Weak Structure
Since there are lots of data popping out from the task and the workflow is not investigated yet, it is infeasible to structure them perfectly at the first time. Therefore, the bottom-up approach is preferred over the top-down approach of structuring. The unstructured data will be annotated and organized locally before all parts are merged.
Time Centric Data
Although all the data emerge chronologically, merging all the data in one channel will increase noise (e.g. user contributions in MediaWiki). In order to grasp the semantics of time-centric data, we need to assign specific annotations on data items so that we can filter them out. The structured data types declared in a task are good annotations.
Structured Data
- The relevant knowledge in the K8s domain should be modeled properly. By annotating the model, we could manage the domain by managing the model in PKC. (Topic: how to model more complex knowledge using pages and relations?)
- For example, we can annotate a specific time of a video and assign the proper name to this annotation. In the future, we can use NLP and HCI to collect the semantics of it.
- Question: Something that I think I should know for the task. Due to time limitations, the question should be answered with priority.
- A question should be related to information resources or knowledge so that it can be resolved, or it could turn into a topic for development.
- Topic: A developing section of knowledge.
- Issue: Something which went wrong in a project or a task which needs to be fixed. Due to time limitations, the issue should have priority.
- Tutorial, Article:
- link to the content
- annotations
- notes: given the article and the viewpoint of the current task, return its summary. The summary will probably contribute to knowledge.