Containers

Containerising the Nutanix CLI (nCLI)

April 29, 2018

Containerising the Nutanix CLI is my first post related to Nutanix technology since I joined the HCI leader a week ago. As my company laptop I chose an Apple MBP, which I am trying for the first time. So far so good; I can even run Docker “natively” on it.

Whenever I get a new computer I try to keep everything as organised as I can. For my daily job I need to connect to many Nutanix clusters, so I prefer to use the Nutanix CLI (a.k.a. nCLI) and avoid jumping into the CVM(s).

As I said, I try to keep everything clean and organised, which is why I have decided to run the nCLI as a container rather than mess with the Java JRE and PATH variables.

Containerising the Nutanix CLI

Containerising the Nutanix CLI is a straightforward task. I have not created a Docker image yet because I am still waiting to confirm whether the nCLI can be repackaged. This is not a problem at all: you can build your own Docker image by following the steps in my GitHub repo.

https://github.com/pipoe2h/docker-nutanix-cli

The steps are pretty straightforward. In a nutshell:

  • Download the ncli.zip from Prism.
  • Clone the GitHub repo.
  • Build the Docker image.
  • Run the nCLI as a container.

Disclaimer: Containerised nCLI is not officially supported by Nutanix. Please use at your own risk.

Kubernetes Dashboard. Installation Deep Dive

February 18, 2018

Deploying applications and add-ons in Kubernetes is straightforward until they need to consume the Kubernetes API, which is the case for the Kubernetes Dashboard add-on. On version 1.7 of Kubernetes, RBAC (role-based access control) was introduced and many of those applications and add-ons started to crash.

This post walks you through deploying, configuring and accessing the Kubernetes Dashboard.

Kubernetes Dashboard Prerequisites

  • A running Kubernetes platform, version 1.7.x or above.
  • An Internet connection (to pull the Kubernetes Dashboard manifest and image).

If you don’t have a Kubernetes platform running yet, take a look at my post Hands-on Kubernetes: Deployment.

Deploying Kubernetes Dashboard

On a node with the kubectl command line installed, run the following command. The manifest includes all the Kubernetes components to create for the add-on.

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml


Check that your dashboard is running by listing the pods in the kube-system namespace with the following command. You should see a kubernetes-dashboard-… pod with the status “Running”.

kubectl -n kube-system get pod

Opening the dashboard

Access the dashboard at:

https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/


You will most likely get an error when trying to access the dashboard:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get services/proxy in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}

At this point you will start looking for a solution on the Internet. The solutions you will mostly find are the two below, kubectl proxy and NodePort, but they are not recommended for production.

kubectl proxy

This access mode is not recommended as the method to publicly expose your dashboard: the proxy only serves plain HTTP.

To use this method you need to install kubectl on your computer and run the following command. The proxy serves the dashboard on http://localhost:8001 by default.

kubectl proxy


Personally I don’t recommend this connection method. If you are sharing a jump server, or even on your own computer, a sniffer will be able to capture your kubeconfig file or token, since they are sent as plain text over HTTP.

You can find more information in Accessing Dashboard 1.7.X and above.

NodePort

If you are running a single-node setup (unlikely in production), you can configure the Kubernetes Dashboard service to use NodePort as the service type.

I’m not going to explain how to set the service type, since the Kubernetes Dashboard site has a clear procedure (Accessing Dashboard 1.7.X and above).

API Server

This is the method I recommend for production systems as well as for dev and test. It is important to keep the same security mechanisms end to end and to get familiar with Kubernetes RBAC.

To use the API server you need to install the user certificates in the browser. I’m going to use the kubeconfig file generated by kubeadm, since I want to keep this post as short as I can.

Tip: On production systems each user should have their own certificates. Bitnami has a great doc on how to configure this (Create User With Limited Namespace Access).

Let’s see how we can extract the certificates from the kubeconfig file:

  1. Locate the kubeconfig (config) file you use to run kubectl commands. If you have used my Vagrant file above, you can find it at /home/vagrant/.kube/config or /etc/kubernetes/admin.conf.
  2. You need to export a single file (.p12) containing the following two items: the client-certificate-data and the client-key-data. My example runs the commands in /home/vagrant. If you run these commands on macOS, be sure to change base64 -d to base64 -D. The commands write with a single > rather than >>, so that running them twice does not append a second copy of the certificate or key to the file.
    grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt
    grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key
    openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"


  3. Import the kubecfg.p12 certificate, reopen your browser and visit the Kubernetes Dashboard URL. Accept any warning and you should see the authentication page. You can skip the login and check that you are not able to perform any task.
  4. The following steps have been copied from the Kubernetes Dashboard wiki page (Creating-sample-user).
    1. Create the service account
      cat <<EOF | kubectl create -f -
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: admin-user
        namespace: kube-system
      EOF
    2. Create the ClusterRoleBinding
      cat <<EOF | kubectl create -f -
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: admin-user
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
      subjects:
      - kind: ServiceAccount
        name: admin-user
        namespace: kube-system
      EOF
    3. Get the bearer token. Once you run the following command, copy the token value, which you will use in the next step.
      kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
    4. Go back to your browser and choose Token on the login page. Paste the token value you copied in the previous step.
    5. Click “SIGN IN” and you should be able to see your Kubernetes Dashboard fully operational.
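As an added example (not code from the original post), here is a portable POSIX shell version of the certificate extraction in step 2. It differs from the one-liners in three ways a practitioner cares about: it selects the user bound to the kubeconfig's current-context rather than the first client-certificate-data line in the file (a kubeconfig with several users would otherwise yield the wrong identity), it detects whether the local base64 wants -d or -D instead of requiring a manual edit, and it writes the key with owner-only permissions using > rather than >>. The two-user kubeconfig built at the bottom is constructed for illustration, and the function names (b64_decode, current_user, user_field, extract_client_identity, to_pkcs12) are my own; the openssl pkcs12 step is wrapped in to_pkcs12 and is not run automatically because it prompts for an export password.

```shell
#!/bin/sh
# Added example (not from the original post): extract the client certificate
# and key of the user bound to the kubeconfig's current-context, portably.
# Assumptions: a kubeadm-style kubeconfig with inline client-certificate-data
# and client-key-data; the sample file at the bottom is constructed.

# Detect which decode flag this platform's base64 accepts (-d on GNU and
# recent macOS, -D on older macOS) instead of hand-editing the command.
b64_decode() {
  if printf 'YQ==' | base64 -d >/dev/null 2>&1; then base64 -d; else base64 -D; fi
}

# Name of the user referenced by current-context. Reads the file twice: pass 1
# finds current-context, pass 2 walks the contexts: section for that name.
current_user() {  # $1 = kubeconfig path
  awk '
    FNR == NR { if ($1 == "current-context:") want = $2; next }
    $1 == "contexts:" { in_ctx = 1 }
    $1 == "users:"    { in_ctx = 0 }
    in_ctx && $1 == "user:" { user = $2 }
    in_ctx && $1 == "name:" { if ($2 == want) { print user; exit } else user = "" }
  ' "$1" "$1"
}

# Base64 payload of one field (client-certificate-data or client-key-data)
# for a named user. Unlike "grep | head -n 1" it does not silently pick the
# first user in the file.
user_field() {  # $1 = kubeconfig path, $2 = user name, $3 = field name
  awk -v want="$2" -v field="$3:" '
    $1 == "users:" { in_users = 1 }
    in_users && $1 == "-" && $2 == "name:" { cur = $3 }
    in_users && cur == want && $1 == field { print $2; exit }
  ' "$1"
}

# Write <prefix>.crt and <prefix>.key. Uses ">" (not ">>") so a re-run does
# not append a second copy, and umask 077 so the key is owner-readable only.
extract_client_identity() {  # $1 = kubeconfig path, $2 = output prefix
  user=$(current_user "$1")
  [ -n "$user" ] || { echo "no user for current-context in $1" >&2; return 1; }
  (
    umask 077
    user_field "$1" "$user" client-certificate-data | b64_decode > "$2.crt"
    user_field "$1" "$user" client-key-data | b64_decode > "$2.key"
  )
}

# Bundle both into the .p12 the browser imports (prompts for an export
# password). Needs openssl, so it is not run automatically below.
to_pkcs12() {  # $1 = output prefix
  openssl pkcs12 -export -clcerts -inkey "$1.key" -in "$1.crt" \
    -out "$1.p12" -name kubernetes-client
}

# --- constructed sample: two users, current-context bound to the SECOND ---
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }
CERT_PEM='-----BEGIN CERTIFICATE-----
constructed-certificate-body
-----END CERTIFICATE-----'
KEY_PEM='-----BEGIN RSA PRIVATE KEY-----
constructed-key-body
-----END RSA PRIVATE KEY-----'
SAMPLE_KUBECONFIG=$(mktemp)
cat > "$SAMPLE_KUBECONFIG" <<EOF
apiVersion: v1
clusters:
- cluster:
    server: https://192.0.2.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: other-user
  name: other-user@kubernetes
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
users:
- name: other-user
  user:
    client-certificate-data: $(b64 'not-this-cert')
    client-key-data: $(b64 'not-this-key')
- name: kubernetes-admin
  user:
    client-certificate-data: $(b64 "$CERT_PEM")
    client-key-data: $(b64 "$KEY_PEM")
EOF

WORKDIR=$(mktemp -d)
extract_client_identity "$SAMPLE_KUBECONFIG" "$WORKDIR/kubecfg"
echo "extracted $(current_user "$SAMPLE_KUBECONFIG") into $WORKDIR/kubecfg.{crt,key}"
```

Point extract_client_identity at your real ~/.kube/config instead of the sample, then run to_pkcs12 "$WORKDIR/kubecfg" to produce the .p12 for the browser import in step 3.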

Summary

The API server should be your choice for production systems. If you want each of your users to have their own certificates, which I encourage you to do, don’t miss the Bitnami post mentioned above.

Note: On GitHub and other blogs you will find the option of giving cluster-admin access to system:anonymous. It is an easy way to avoid exporting certificates and creating a cluster-admin service account. I highly discourage this approach in any enterprise environment.
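As an added example that is not part of the original post: a small audit that lists ClusterRoleBindings granting any role to the system:anonymous user or the system:unauthenticated group, which is exactly the shortcut this note discourages and the first thing to check when inheriting a cluster that was set up from such a blog. It assumes the NAME/ROLE/SUBJECTS column layout produced by the kubectl custom-columns query in audit_live_cluster; the sample rows are constructed, and the function names are my own. The default system:public-info-viewer binding (shipped with Kubernetes 1.14 and later) intentionally includes system:unauthenticated, so it is allowlisted.

```shell
#!/bin/sh
# Added example (not from the original post): audit ClusterRoleBindings for
# rights granted to the anonymous user or the unauthenticated group.
# Assumes the column layout of the kubectl custom-columns query in
# audit_live_cluster; the sample output below is constructed.

# Reads "NAME ROLE SUBJECTS" rows on stdin (SUBJECTS comma-separated, as
# kubectl prints .subjects[*].name). Prints one line per offending binding and
# returns 1 if any were found, so the function can gate a CI job. The
# allowlist holds the default system:public-info-viewer binding (Kubernetes
# 1.14+), which intentionally includes system:unauthenticated.
flag_anonymous_bindings() {
  awk '
    BEGIN { allow["system:public-info-viewer"] = 1 }
    NR == 1 { next }                                  # header row
    $1 in allow { next }
    {
      n = split($3, subj, ",")
      for (i = 1; i <= n; i++)
        if (subj[i] == "system:anonymous" || subj[i] == "system:unauthenticated") {
          print $1 " grants " $2 " to " subj[i]
          found = 1
        }
    }
    END { exit (found ? 1 : 0) }
  '
}

# Same check against a real cluster (needs kubectl and cluster access).
audit_live_cluster() {
  kubectl get clusterrolebindings \
    -o custom-columns='NAME:.metadata.name,ROLE:.roleRef.name,SUBJECTS:.subjects[*].name' \
    | flag_anonymous_bindings
}

# --- constructed sample of that query's output ---
SAMPLE_CRB=$(cat <<'EOF'
NAME                        ROLE                        SUBJECTS
cluster-admin               cluster-admin               system:masters
admin-user                  cluster-admin               admin-user
kubernetes-dashboard        kubernetes-dashboard        kubernetes-dashboard
anonymous-dashboard         cluster-admin               system:anonymous
anon-viewer                 view                        system:unauthenticated
system:public-info-viewer   system:public-info-viewer   system:authenticated,system:unauthenticated
EOF
)

if printf '%s\n' "$SAMPLE_CRB" | flag_anonymous_bindings; then
  echo "sample: no bindings to anonymous or unauthenticated principals"
else
  echo "sample: review the bindings listed above"
fi
```

On the sample the audit reports anonymous-dashboard (cluster-admin to system:anonymous) and anon-viewer (view to system:unauthenticated) and leaves the admin-user service account binding alone; on a real cluster, run audit_live_cluster with a kubeconfig that can list ClusterRoleBindings.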