...
Kindly be aware that pods running on shared nodes do not achieve full isolation as they share the same computing resources (virtual machine) and rely on the security capabilities of the container runtime, such as Docker or Containerd.
Accessing the CaaS
Accessing the platform requires the correct configuration of kubectl, the Kubernetes management client.
To simplify the configuration and authentication process, two distinct plugins for kubectl have been developed: kubectl-openstack and kubectl-iam. These plugins are differentiated based on the type of authentication required.
kubectl-openstack: This plugin is required for all users registered with CloudVeneto and is based on the OpenStack authentication model, using the Keystone token.
kubectl-iam: This plugin is required for all INFN-PD users not registered to CloudVeneto. Supported IAM services are: "https://iam.cloud.infn.it" and "https://iam.quantumtea.it". QUESTO PUNTO VA CHIARITO
Configuring kubectl with the kubectl-openstack plugin
Prerequisites
- install kubectl (guide)
- have an OpenStack password configured through the CloudVeneto dashboard.
Plugin installation
Download the kubectl-openstack file and copy it to /usr/local/bin/ . You may need to make the file executable (chmod 755 kubectl-openstack).
Usage
To view the syntax and the list of parameters use the help:
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ kubectl-openstack --help
Usage: kubectl-openstack [FLAG] -user <USERNAME> -password <PASSOWRD> -project <PROJECT>
Options:
-force
overwrite the existing configuration
-password string
your CloudVeneto password
-project string
your CloudVeneto project
-user string
your CloudVeneto username |
After configuring kubectl with the kubectl-openstack plugin, the kubeconfig file (/home/<username>/.kube/config) is either created or updated if it already exists. This file contains the Keystone token and various parameters essential for kubectl to manage authentication.
In scenarios where you belong to multiple CloudVeneto projects, you can utilize the 'kubectl-openstack' command to configure kubectl for all your projects seamlessly.
The following example configures kubectl selecting CMS as project:
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ kubectl-openstack -user zangrand@infn.it -password ******** -project CMS
kubectl configured correctly |
Now you can access the CaaS:
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ kubectl get pods
No resources found in cms namespace. |
Before to run the first pod you must create a node.
Configuring kubectl with the kubectl-iam plugin
Prerequisites
- install kubectl (guide)
- be INFN-PD affiliated and registered in one of the supported IAM services: "https://iam.cloud.infn.it" or "https://iam.quantumtea.it".
Plugin installation
Download the kubectl-iam file and copy it to /usr/local/bin/ . You may need to make the file executable (chmod 755 kubectl-iam)
Usage
To view the syntax and the list of parameters use the help:
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ kubectl-iam --help
Usage: ./kubectl-iam [FLAG] -iam-url <URL> -group <GROUP>
Options:
-force
overwrite the existing configuration
-group string
your IAM group
-iam-url string
the IAM url (default "https://iam.cloud.infn.it") |
After configuring kubectl with the kubectl-iam plugin, the kubeconfig file (/home/<username>/.kube/config) is either created or updated if it already exists. This file contains the IAM token and various parameters essential for kubectl to manage authentication.
In scenarios where you belong to multiple CloudVeneto projects, you can utilize the 'kubectl-iam' command to configure kubectl for all your projects seamlessly.
The following example configures kubectl using IAM credentials:
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ kubectl-iam -iam-url https://iam.quantumtea.it -group QST
please open the link in your web browser: https://iam.quantumtea.it/device?user_code=BB3FXJ
or scan the QR code
█████████████████████████████████████████
█████████████████████████████████████████
████ ▄▄▄▄▄ ██ █▀██▀▄█ ▄ ▄▄▄██ ▄▄▄▄▄ ████
████ █ █ █ █ ▀▄█▄▀▄█▀█▄▄██ █ █ █ ████
████ █▄▄▄█ █ ▀▀██▄▄▄▄█▀▀▄ █▀█ █▄▄▄█ ████
████▄▄▄▄▄▄▄█ ▀ █ █ █ █▄▀ ▀ ▀ █▄▄▄▄▄▄▄████
████▄█ ▄▄▄▀▀▀▄ █ ▄█ ▀▀▄▀██ ▄ ▀▀████
████▀▄ ▀█▄█▀███▀ ▄ ▀█▀▀▀▀▄▀▀█ ▀ ▀████
████▄▄▄▀▀▀▄▀▀▄▀ ▀▄ ▄▀▀█▄ ▄▄▄▄▀▄▄ ▀ ████
████▀▄ ▄█ ▄█▀ ███ ▄▄▀█▄ ▀██ █ ▄█████
█████▀▄█▄▄▄ ██▀▄█▀▀▄▀▄▀▀ ▀▄ ▄▀ ▄ ▀▀ ████
████ ▀ ▄▄█▄ ▀ ▄▄ ▀ ▀█▄█ ▀▄██ ▀ ▀█████
████▀ ▀█ ▄▄▀▀▀▀ █▀ ▀▀▄▄▀▄ ▀▄▀██▄▀▄▀████
████ █ ▀▀▀▄▀ ▄▀▀▀ ▄█▀█▄ ▀▀▄██▀▄ ▄ ▀ █████
████▄████▄▄▄▀ ▄▀█▀ █ ▀█ █ ▄▄▄ █▀█▀████
████ ▄▄▄▄▄ █▀▄▀█▄██▄ ▀█ █ █▄█ ▀ ▀████
████ █ █ █ ▄██ ▄▀▄█▀██ ▄▀ ▄▄ ▀▀▀████
████ █▄▄▄█ █▄██▄▀▄▄ ▄█▀▀█ ▄█▄▀▄▄▀ ██████
████▄▄▄▄▄▄▄█▄█▄▄█▄▄▄█▄▄▄▄█▄▄▄██▄█▄█▄█████
█████████████████████████████████████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
..................................................................................
kubectl configured correctly
|
How to Create and Manage Kubernetes Cluster Nodes (ONLY with kubectl-openstack plugin)
Prerequisites
Before you can create and manage nodes in your Kubernetes cluster, make sure you have completed the following prerequisites:
Configure kubectl with the kubectl-openstack plugin: Ensure that your kubectl is correctly configured with the kubectl-openstack plugin.
- Currently users accessing with IAM credentials cannot create nodes
- Verify the existence of the 'K8S' security group in the CloudVeneto project with the following rules, or create it:
Egress | IPv4 | Any | Any | 0.0.0.0/0 |
| Egress | IPv6 | Any | Any | ::/0 |
| Ingress | IPv4 | ICMP | Any | 0.0.0.0/0 |
| Ingress | IPv4 | TCP | 22 (SSH) | 0.0.0.0/0 |
| Ingress | IPv4 | TCP | Any | 192.168.60.0/24 |
| Ingress | IPv4 | UDP | Any | 192.168.60.0/24 |
| Ingress | IPv4 | TCP | Any | 10.64.0.0/16 |
| Ingress | IPv4 | UDP | Any | 10.64.0.0/16 |
Creating a New Node
To create a new node in your Kubernetes cluster, you'll use kubectl, the standard Kubernetes command-line interface. Specifically, you will utilize the kubectl apply command, which takes a YAML file as input.
The YAML file required to create a new node should follow this structure:
| Code Block | ||||
|---|---|---|---|---|
| ||||
---
apiVersion: osnode.infn.it/v1
kind: OpenStackNode
metadata:
name: NODE_NAME
spec:
flavor: FLAVOR_NAME
keyPair: KEYPAIR_NAME
policy: [shared | private ] |
NODE_NAME: <Unique node name>FLAVOR_NAME: <CloudVeneto flavor name>KEYPAIR_NAME: <User-defined SSH keypair name>shared | private: <Choose one: shared or private>
In the following example, we request the creation of two nodes (osn-01 and osn-02), the first being shared and the second private, with different flavors (cloudveneto.medium and cloudveneto.large).
Both nodes use the same SSH keypair (my-key):
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
---
apiVersion: osnode.infn.it/v1
kind: OpenStackNode
metadata:
name: osn-01
spec:
flavor: cloudveneto.medium
keyPair: my-key
policy: shared
---
apiVersion: osnode.infn.it/v1
kind: OpenStackNode
metadata:
name: osn-02
spec:
flavor: cloudveneto.large
keyPair: my-key
policy: private
|
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ kubectl apply -f osnode.yml
openstacknode.osnode.infn.it/osn-01 created
openstacknode.osnode.infn.it/osn-02 created |
Verifying Node Status
To check the status of one or more nodes in your Kubernetes cluster, you can use the following commands:
To list all nodes and their basic information:
Code Block language bash theme Midnight $ kubectl get osn NAME PHASE OWNER POLICY PROVIDER VM IPV4 AGE osn-01 Running zangrand-at-infn.it private CloudVeneto 10.64.53.40 169m osn-02 Running zangrand-at-infn.it shared CloudVeneto 10.64.53.67 169mTo list all nodes with additional details, including flavor, status, and IP address:
Code Block language bash theme Midnight $ kubectl get osn -o wide NAME PHASE OWNER POLICY PROVIDER VM FLAVOR VM STATUS VM IPV4 AGE osn-01 Running zangrand-at-infn.it private CloudVeneto cloudveneto.medium ACTIVE 10.64.53.40 169m osn-02 Running zangrand-at-infn.it shared CloudVeneto cloudveneto.medium ACTIVE 10.64.53.67 169mTo view detailed information about a specific node (replace
osn-01with the desired node name):Code Block language bash theme Midnight $ kubectl get osn -o wide osn-01 NAME PHASE OWNER POLICY PROVIDER VM FLAVOR VM STATUS VM IPV4 AGE osn-01 Running zangrand-at-infn.it private CloudVeneto cloudveneto.medium ACTIVE 10.64.53.40 169m
Removing Nodes
To remove one or more nodes and their associated VMs from CloudVeneto, use the following command:
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ kubectl delete osn <node_name_1> <node_name_2> ... |
For example, to remove osn-01 and osn-02, you would run:
| Code Block | ||||
|---|---|---|---|---|
| ||||
$ kubectl delete osn osn-01 osn-02
openstacknode.osnode.infn.it "osn-01" deleted
openstacknode.osnode.infn.it "osn-02" deleted |
...