It’s time to confirm that all this hard work has paid off, with some quick verification of the typical functionality that Kubernetes offers.
Create a secret
kubectl create secret generic kubernetes-the-hard-way \
--from-literal="mykey=mydata"
On the master node, connect directly to etcd and print the raw data from the data store in hexadecimal format so it's readable.
sudo ETCDCTL_API=3 etcdctl get \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/etcd/ca.pem \
  --cert=/etc/etcd/kubernetes.pem \
  --key=/etc/etcd/kubernetes-key.pem \
  /registry/secrets/default/kubernetes-the-hard-way | hexdump -C
Expected output should look like this
00000000 2f 72 65 67 69 73 74 72 79 2f 73 65 63 72 65 74 |/registry/secret|
00000010 73 2f 64 65 66 61 75 6c 74 2f 6b 75 62 65 72 6e |s/default/kubern|
00000020 65 74 65 73 2d 74 68 65 2d 68 61 72 64 2d 77 61 |etes-the-hard-wa|
00000030 79 0a 6b 38 73 3a 65 6e 63 3a 61 65 73 63 62 63 |y.k8s:enc:aescbc|
00000040 3a 76 31 3a 6b 65 79 31 3a b0 2e a0 b5 d3 e4 7c |:v1:key1:......||
00000050 34 17 0f 1d 56 d0 45 51 d1 f8 f9 82 c7 41 4f 22 |4...V.EQ.....AO"|
00000060 2e da 01 fe a1 b4 c8 99 0f 9e 3a 5a f6 ff 90 50 |..........:Z...P|
00000070 d3 5a 99 76 23 93 2b ef c4 8a 5b 15 bd 2e 06 dd |.Z.v#.+...[.....|
00000080 2f 64 9f 0f fb 96 a4 0b b5 de 28 08 e4 90 3d 05 |/d........(...=.|
00000090 b9 58 ef 32 76 ec 03 00 e7 31 67 eb 03 3b 89 87 |.X.2v....1g..;..|
000000a0 ad eb 18 3d 9e 7b e1 b5 27 53 bf c0 e8 37 92 d1 |...=.{..'S...7..|
000000b0 00 fd cd 28 9c 6b a9 f9 e9 ee 55 50 d3 de 4b 0d |...(.k....UP..K.|
000000c0 9a 1a 0a 1a 8b d9 6f dd 3d 04 d5 6e fb fe 81 4b |......o.=..n...K|
000000d0 5b f2 f9 06 eb 1d 58 ba 00 cf 4a 3d 71 19 52 ea |[.....X...J=q.R.|
000000e0 5d 16 6f 2a 14 75 14 1e 26 a1 cf 02 1e 01 18 3c |].o*.u..&......<|
000000f0 3a 1e 08 4d 5d 73 a4 95 05 57 6e 34 18 46 6e 0a |:..M]s...Wn4.Fn.|
00000100 d3 1b f1 b5 88 81 c3 d3 ba a1 64 5c 56 95 af 2a |..........d\V..*|
00000110 42 34 67 05 16 b8 6c 89 8a 07 9f c5 61 f6 ce 79 |B4g...l.....a..y|
00000120 a8 7e 5c 29 57 f2 c4 23 b6 ae de f0 67 e5 fc c5 |.~\)W..#....g...|
00000130 5b 01 c0 d7 57 bf 72 42 36 74 0f 1f a9 42 21 50 |[...W.rB6t...B!P|
00000140 85 5c a4 35 b9 5a 54 ee 74 6e 4b b4 ec 2d ce 07 |.\.5.ZT.tnK..-..|
00000150 15 3b e9 4b 57 cd af 92 36 0a |.;.KW...6.|
0000015a
The value stored under the etcd key should be prefixed with k8s:enc:aescbc:v1:key1, which indicates the aescbc provider was used to encrypt the data with the key1 encryption key.
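A scripted version of this prefix check, as an added example that is not part of the original post: it classifies a raw etcd value by its leading bytes instead of reading the hexdump by eye. The helper name classify_etcd_value and the sample byte strings are constructed for illustration; the commented live command assumes etcdctl's --print-value-only flag so that only the value reaches the function.

```shell
#!/bin/sh
# Added example: classify a raw etcd value by its storage prefix.
# classify_etcd_value is a hypothetical helper, not part of Kubernetes or etcd.

# Usage: <raw value on stdin> | classify_etcd_value 'k8s:enc:aescbc:v1:key1:'
# Prints: encrypted | other-provider-or-key | plaintext | unknown
classify_etcd_value() {
  expected_hex=$(printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n')
  # Compare in hex so NUL and other binary bytes survive shell variables.
  head_hex=$(head -c 64 | od -An -v -tx1 | tr -d ' \n')
  case "$head_hex" in
    "$expected_hex"*)  echo encrypted ;;
    6b38733a656e633a*) echo other-provider-or-key ;;  # "k8s:enc:" + something else
    6b387300*)         echo plaintext ;;              # "k8s\0": unencrypted protobuf
    *)                 echo unknown ;;
  esac
}

# Constructed samples (not real cluster data).
sample_encrypted() { printf 'k8s:enc:aescbc:v1:key1:\260\056\240\265'; }
sample_other_key() { printf 'k8s:enc:aescbc:v1:key2:\260\056\240\265'; }
sample_plaintext() { printf 'k8s\000\012\014\012\002v1\022\006Secret'; }

for s in sample_encrypted sample_other_key sample_plaintext; do
  printf '%s: %s\n' "$s" "$("$s" | classify_etcd_value 'k8s:enc:aescbc:v1:key1:')"
done

# Against the live cluster from this page (same flags as above, value only):
#   sudo ETCDCTL_API=3 etcdctl get --print-value-only \
#     --endpoints=https://127.0.0.1:2379 --cacert=/etc/etcd/ca.pem \
#     --cert=/etc/etcd/kubernetes.pem --key=/etc/etcd/kubernetes-key.pem \
#     /registry/secrets/default/kubernetes-the-hard-way \
#     | classify_etcd_value 'k8s:enc:aescbc:v1:key1:'
```

A result of plaintext means the secret was written without the encryption configuration in effect; other-provider-or-key means it is encrypted, but not with the provider and key this setup expects.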
Create a deployment
kubectl create deployment nginx --image=arm32v5/nginx
deployment.apps/nginx created
See the pods created
kubectl get pods -l app=nginx
NAME READY STATUS RESTARTS AGE
nginx-54cb54645d-r9h5g 1/1 Running 0 2m53s
kubectl port-forward nginx-54cb54645d-r9h5g 8080:80
Forwarding from 127.0.0.1:8080 -> 80
Forwarding from [::1]:8080 -> 80
On another terminal
curl -I http://127.0.0.1:8080
HTTP/1.1 200 OK
Server: nginx/1.19.5
Date: Mon, 14 Dec 2020 23:10:50 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 24 Nov 2020 13:02:03 GMT
Connection: keep-alive
ETag: "5fbd044b-264"
Accept-Ranges: bytes
Back in the previous terminal, press Ctrl+C to cancel the port forwarding.
Let's see the logs generated by the nginx pod previously created.
kubectl logs nginx-54cb54645d-r9h5g
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
127.0.0.1 - - [14/Dec/2020:23:10:50 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.72.0" "-"
kubectl exec -ti nginx-54cb54645d-r9h5g -- nginx -v
nginx version: nginx/1.19.5
Create a service of type NodePort
kubectl expose deployment nginx --port 80 --type NodePort
service/nginx exposed
See the IP and port
kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.32.0.1 <none> 443/TCP 15d
nginx NodePort 10.32.0.110 <none> 80:31127/TCP 24s
NodePort is 31127
Run the following tests from the master node; both worker nodes should return the same information. (There is no route from my local computer to the internal IPs of the CNAT; if you have such a route, there is no need to go to the master node to run this command.)
Test node p1
pi@rpi-k8s-master:~ $ curl -I http://172.19.181.1:31127/
HTTP/1.1 200 OK
Server: nginx/1.19.5
Date: Mon, 14 Dec 2020 23:18:35 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 24 Nov 2020 13:02:03 GMT
Connection: keep-alive
ETag: "5fbd044b-264"
Accept-Ranges: bytes
Test node p2
pi@rpi-k8s-master:~ $ curl -I http://172.19.181.2:31127/
HTTP/1.1 200 OK
Server: nginx/1.19.5
Date: Mon, 14 Dec 2020 23:18:40 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 24 Nov 2020 13:02:03 GMT
Connection: keep-alive
ETag: "5fbd044b-264"
Accept-Ranges: bytes