Jump to content

Kubernetes/Kubernetes Workshop/Step 6

From Wikitech

Step 6: A “real” cluster

So far we have used minikube as our testcluster. In this step we will first setup a “real” kubernetes cluster.

There are a number of tools to setup up kubernetes clusters, including kubeadm and rancher. There is also a completely manual way as well (kubernetes the hard way™) and many methods that are in between. Here we will use kubespray to setup a cluster. Kubespray uses ansible to configure a set of machines into a kubernetes cluster. The machines can be bare metal or VMs, in our lab case we use VMs that are hosted at Wikimedia’s cloud service Horizon. You will need access to a project under Horizon with the ability to create 3 VMs with a total of 6 CPus and of 12 GB. We have also tested at Digitalocean with smaller machines - 1 CPU, 2GB each and that worked as well, at least for our simple tests.

Hands-on: create a cluster with kubespray

We will use kubespray largely as a black box to create a cluster, we will not go into any advanced use cases.

Log into horizon.wmflabs.org, select your project and launch 3x VMs:

  • name: node1, node2 and node3. These names are relevant, with other names you will get puppet errors, as kubespray changes the hostname to node1, node2 and node3.
  • source: debian.buster
  • flavor: g2.cores2.ram4.disk40
  • Security group default: we will need SSH access
  • Server groups: none

Once launched you will have to be able to ssh into each VM by its IP address, a kubespray requirement! You should do this from a 4th VM in Horizon, which is probably the most straightforward way to do, as connectivity works and anything that needs to get installed will not be done on your local machine. You can also do it from your local machine, to make it work from my laptop I had to add 172.16.*.* in the wmflabs stanza in .ssh/config on my laptop.

Host 172.16.* *.wmflabs *.wikimedia.cloud
   User <Username>
   ProxyJump bastion.wmcloud.org:22
   IdentityFile ~/.ssh/labs.key

Try each host and accept the host key.

  • ssh and ssh and in this test case. Remember your IPs may differ and you should interpret all mentions of IPs with that in mind and substitute the IPs you got.

Clone kubespray to the VM or your local machine:

  • git clone https://github.com/kubernetes-sigs/kubespray.git

Add the required software:

  • cd kubespray; pip3 install -r requirements.txt

Add your hosts to the mycluster inventory configuration by running the inventory.py script:

  • cp -rfp inventory/sample inventory/mycluster
  • IPS=(;CONFIG_FILE=inventory/mycluster/hosts.yml python3 contrib/inventory_builder/inventory.py ${IPS[@]}


     hosts: {}

Install Kubernetes - this will take  a while:

  • ansible-playbook -i inventory/mycluster/hosts.yml -u <your user> -b cluster.yml # <your user> = your shell user name that you used before to login

Test access:

  • ssh
  • sudo su -
  • kubectl get nodes
kubectl get nodes
node1   Ready    master   11m     v1.19.2
node2   Ready    master   11m     v1.19.2
node3   Ready    <none>   9m46s   v1.19.2

kubectl get nodes -o wide
node1   Ready    master   10m     v1.19.2   <none>        Debian GNU/Linux 10 (buster)   4.19.0-6-amd64   docker://19.3.12
node2   Ready    master   10m     v1.19.2   <none>        Debian GNU/Linux 10 (buster)   4.19.0-6-amd64   docker://19.3.12
node3   Ready    <none>   8m56s   v1.19.2   <none>        Debian GNU/Linux 10 (buster)   4.19.0-6-amd64   docker://19.3.12

Kubespray has built a kubernetes cluster with 3 nodes - 2 control plane and 1 worker node.

The 2 control plane nodes run the etcd database, the api-server, the scheduler and the controller-manager. The worker nodes run the kubelet and the kube-proxy. Note that the control plane nodes are also worker nodes in this limited configuration, i.e. kubernetes can also schedule pods to run on the control plane nodes.

Modified Kubernetes Architecture Chart

For an overview of the kubernetes architecture watch Joe Breda’s talk: https://drive.google.com/file/d/192ewPeKLzXM4EUsO3ksfiIGcvzlpec6f/view, if you are with limited time start at 13:30 forward, else watch it all.

You can verify what is running on the individual nodes by ssh’ing into them and check for the processes of etcd, apiserver, scheduler, controller-manager and kubelet, kube-proxy. Check all three nodes and see what the differences are…

Hands-on: run a simple workload

You can run a simple workload on this kubernetes cluster by ssh’ing into node1 and running the steps for our checksum generating program.

Create the yaml file on node1 and run kubectl create -f cron_mywpchksumbot.yaml as root.

Don’t forget to substitute the <userid> for the username you have used on dockerhub.


apiVersion: batch/v1beta1
kind: CronJob
 name: cronpywpchksumbot
 schedule: "*/5 * * * *"
         - name: pywpchksumbot
           image: <userid>/pywpchksumbot
           imagePullPolicy: IfNotPresent
         restartPolicy: OnFailure

See if the process is posting the checksums on the IRC channel.(##demok8sws connect on Libera.chat)

Stop the process: kubectl delete cronjob --all

Hands-on: run a simple service workload

Now let’s run a simple service again, our baseapache image.


apiVersion: apps/v1
kind: Deployment
 name: baseapache
   app: baseapache
 replicas: 1
   type: RollingUpdate
     app: baseapache
       app: baseapache
      - name: baseapache
        image: <userid>/baseapache:latest
        imagePullPolicy: Always

On node1 (as root)

  • kubectl create -f baseapache.yaml
  • kubectl get pods -o wide

Create the corresponding service.


kind: Service
apiVersion: v1
 name: baseapache
   app: baseapache
 - protocol: TCP
   port: 80
   targetPort: 80
  • kubectl create -f baseapacheservice.yaml
  • On node3 we can use curl to get the page
    • curl
    • The IP ^^^ comes from kubectl get svc on node1

SSH into the node and let’s see what we can find out about the pod:

  • ps -ef | grep apache2
  • who is the parent process for apache2?
  • In the parent process there is a workdir on the command line, take a look at that:

Docker uses the overlay filesystem to represent the layers in a docker image. For example when we use “FROM ubuntu” in our baseapache docker image that means that we base our image on the ubuntu image and that any changes get captured in one or more layers. You can see the layers with “docker inspect <imagename>”. Try it on node3 (or wherever the image is running)

  • docker image inspect <userid>/baseapache

We can use the filesystem ids in the baseapache docker image to identify the filesystem that is used by that pod.

  • docker image inspect <userid>/baseapache
    • Get the “MergedDir” id (after /var/lib/docker/overlay2/
    • Grep in /var/lib/docker/overlay2/l for the id: ls -l | grep <id> and get the mapped string as the new id
    • Find the mounted filesystem by mount -l | grep <new id>
      • That is the filesystem used by the container
      • cat /var/lib/docker/overlay2/<hex string found>/merged/var/www/html/index.html
    • We can use the filesystem to look at apache logs (substitute the right filesystem id
      • tail -f /var/lib/docker/overlay2/0a17a81f309e6d7e4e5afdb83bea72519d31beb2ea99d725390a60b8528c6cf4/merged/var/log/apache2/access.log
    • We can edit the index.html file here, which would change the container image in a non-controlled way: not recommended, but nevertheless possible
      • Edit the index.html file
      • curl again to see the change

Hands-on: Browser access to our service

In WMCS one can define web proxies to allow external access to a service. Two configuration need to be created and adjusted:

  • Web proxy under Menu item DNS
  • Security group under Menu item Network

With "kubectl get svc" get the port mapped for our service:

root@node1:~# kubectl get svc
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
baseapache   NodePort   <none>        80:31818/TCP   14m

Here 31818 is the port that we are looking for. A "curl" should work and give us a response from our service

Define a webproxy for that port:

Note that the name baseapache might be taken by another instance of this tutorial. You will get an Error: Duplicate Recordset message in that case

In addition the firewall for the project needs to allow the port, add a rule to the security group that you are using, might be called the Default group if you did not select anything specific when creating the VMs.

Now external access should work. A browser pointed at http://baseapache.wmcloud.org should get you an answer from the service.

You can add more web proxies for other services that might run on the kubernetes cluster by following the same sequence.

Hands-on: use kubectl locally

Often we want to use kubectl from our local workstation to create and delete deployments. To do so we need to change the config file (in ~/.kube/config) and point it to the new cluster. Our local workstation then needs access to the api-server on the cluster. Since the cluster runs in the WMCS cloud behind a bastion host the only way I have found to do that is to setup an SSH tunnel.

  • Make a backup copy of the local config file
  • Copy the config file from node1
  • Setup the SSH tunnel: ( is the IP for node1)
    • ssh -L 6443:
  • Set the server: field to in the config file
  • Test via: kubectl get nodes
  • On our digitalocean test this can work directly, without any ssh forwarding. Copy the config file as detailed above, but use the IP address of node1 in the config file instead of and make sure port 6443 is accessible in the associated firewall

Now let’s run our database deployment on the machine, bookdb (deployment and service), bookapp (configmap, secrets, deployment and service) and check its proper functioning.

Hands-on: use kubectl locally with Floating IPs

Horizon has Floating IPs that can be forwarded to a local IP. If we take a floating IP and forward it to one of the API servers and open the firewall for port 6443 we can access the k8s cluster directly. Just copy the .kube/config fiel from node1 and use it locally, substitute the address with the floating IP address. This can be useful if you want to test another application's access to the cluster, for example GitLab runners.

PS: Floating IPs have to requested and take some time to approve

Hands-on: use Google’s Google Kubernetes Engine (GKE)

Let’s try running our database at Google’s GKE .

  • Login into the Google Cloud console: gkeuser.wikimedia@gmail.com/1Jdr5&VWsffd
  • Click on Kubernetes Engine/Clusters, then Create Cluster
    • Defaults here are ok: name, zone and version
    • You can change the default node type to an N1 machine to save some money. It will probably only be pennies as the plan is to delete the cluster right after testing…
  • Click connect
    • In a terminal, install the gcloud CLI - cloud shell will not work for what we want to do...
      • https://cloud.google.com/sdk/docs/quickstart
      • You can do this on a VM on your machine, a VM in the cloud (Horizon works) or your local machine
    • gcloud auth login with user above
    • gcloud container clusters get-credentials cluster-2 --zone us-central1-c --project constant-host-290520 or similar
    • kubectl get nodes should now work

First let’s see if our IRC bot works.

  • kubectl create -f cron_pywpchksumbot.yaml
  • Check the IRC channel

Now let’s run our database deployment on the machine, bookdb (deployment and service), bookapp (configmap, secrets, deployment and service) and check its proper functioning.

Btw GKE has a networking part that is integrated with kubernetes, something that we have not configured yet, so the bookdbapp gets an outside address and is accessible through the Internet.

At the end delete the cluster.