porthole/jmphost
KAVVA, JAGAN MOHAN REDDY (jk330k) a064ce4523 Enforce the use of the correct kubectl client version
Webhook integration with Openstack requires to match
the same version as the server.  This enhancement
allows user to select a specific support version, or
use the latest version, if desire to install.

Change-Id: Ifdfb140b1c76216410bb64f648957a4fa25981fa
2020-01-06 19:31:09 +00:00
..
funs_uc.sh The script creates and sets up of user K8S profile 2019-09-26 10:51:29 -04:00
README.md Editorial changes to documentation files 2019-12-16 09:21:19 -06:00
setup-access.sh Enforce the use of the correct kubectl client version 2020-01-06 19:31:09 +00:00

Jump Host Installation

This procedure installs the Kubernetes client and corresponding dependencies, enabling remote access to the Kubernetes cluster. The procedure also creates a generic kubectl configuration file having the appropriate attributes.

This revision covers the implementation as described. k8s-keystone-auth

1. Prerequisites

  • Ubuntu OS version 14.x or higher
  • Connectivity to the Internet
  • The installer has sudo ability without prompting for password
  • Installer's Git profile setup accordingly

2. Installation

2.1 Clone Porthole Main Project

$git clone https://review.opendev.org/airship/porthole

2.2 Run Setup

$cd $porthole
$sudo -s
$cd jmphost
$./setup-access.sh "site" "userid" "namespace"

[Kubectl binary] is not found on this system..
Checking user[johnSmith] sudo ability
Looking good. You [johnSmith] are root now
deb https://apt.kubernetes.io/ kubernetes-xenial main
OK
........................
........................
........................
........................
Installing [kubectl] dependency required...
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
libclamav6
Use 'apt-get autoremove' to remove it.
The following NEW packages will be installed:
kubectl
0 upgraded, 1 newly installed, 0 to remove and 104 not upgraded.
Need to get 9,231 kB of archives.
After this operation, 46.7 MB of additional disk space will be used.
Fetched 9,231 kB in 12s (732 kB/s)
Selecting previously unselected package kubectl.
(Reading database ... 114982 files and directories currently installed.)
Preparing to unpack .../kubectl_1.16.0-00_amd64.deb ...
Unpacking kubectl (1.16.0-00) ...
Setting up kubectl (1.16.0-00) ...
........................
........................
W: Duplicate sources.list entry https://apt.kubernetes.io/ kubernetes-xenial/main amd64 Packages (/var/lib/apt/lists/apt.kubernetes.io_dists_kubernetes-xenial_main_binary-amd64_Packages)
W: Duplicate sources.list entry https://apt.kubernetes.io/ kubernetes-xenial/main i386 Packages (/var/lib/apt/lists/apt.kubernetes.io_dists_kubernetes-xenial_main_binary-i386_Packages)
........................
W: You may want to run apt-get update to correct these problems

---
apiVersion: v1
namespace: utility
Authentication via API WebHook Ingress service endpoint
clusters:
  - cluster:
   server: https://<FQDN-WEBHOOK-APISERVER>
  name: <CLUSTER_NAME>
contexts:
- context:
   cluster: <CLUSTER_NAME>
   user: <USERID>
  name: <USERID>@<CLUSTER_NAME>
current-context: <USERID>@<CLUSTER_NAME>
kind: Config
preferences: {}
users:
- name: <USERID>
  user:
    exec:
      command: "/usr/local/uc/bin/client-keystone-auth"
      apiVersion: "client.authentication.k8s.io/v1beta1"
   env:
   - name: "OS_DOMAIN_NAME"
     value: default
   - name: "OS_INTERFACE"
     value: public
   - name: "OS_USERNAME"
     value: <USER_ID>
   - name: "OS_PASSWORD"
     value: "<USER-PASSWORD>"
   - name: "OS_PROJECT_NAME"
     value: <admin-project>
   - name: "OS_REGION_NAME"
     value: <SITE>
   - name: "OS_IDENTITY_API_VERSION"
     value: "3"
   args:
   - "--keystone-url=https://<FQDN TO UCP KEYSTONE>/v3"

3. Validation

To test, perform these steps.

  1. Log out and log back in as the user.

  2. Update the configuration file with the user's credentials.

    • Replace "OS_USERNAME" and "OS_PASSWORD" with UCP Keystone credentials.

    • Set the "OS_PROJECT_NAME" value accordingly.

3.1 List Pods

$kubectl get pods -n utility

NAME                                                          READY   STATUS      RESTARTS   AGE
clcp-calicoctl-utility-6457864fc8-zpfxk                       1/1     Running     0          4h27m
clcp-tenant-ceph-utility-7b8f6d45f8-5q4ts                     1/1     Running     0          99m
clcp-tenant-ceph-utility-config-ceph-ns-key-generator-hd9rb   0/1     Completed   0          99m
clcp-ucp-ceph-utility-6f4bbd4569-vrm7c                        1/1     Running     0          4h11m
clcp-ucp-ceph-utility-config-ceph-ns-key-generator-pvfcl      0/1     Completed   0          4h12m
clcp-ucp-ceph-utility-config-test                             0/1     Completed   0          4h12m

3.2 Execute into the Pod

$kubectl exec -it [pod-name] -n utility /bin/bash

rpc error: code = 2 desc = oci runtime error: exec failed: container_linux.go:247: starting container process caused "exec: \"/bin/\": permission denied"

command terminated with exit code 126

The "permission denied" error is expected in this case because the user ID entered in the configuration file is not a member in the UCP Keystone RBAC to execute into the pod.