Smoke Test

In this lab you will complete a series of tasks to ensure your Kubernetes cluster is functioning correctly.

Data Encryption

In this section you will verify the ability to encrypt secret data at rest.

Create a generic secret:

  1. kubectl create secret generic kubernetes-the-hard-way \
  2.   --from-literal="mykey=mydata"

Print a hexdump of the kubernetes-the-hard-way secret stored in etcd:

  1. gcloud compute ssh controller-0 \
  2.   --command "sudo ETCDCTL_API=3 etcdctl get \
  3.   --endpoints=https://127.0.0.1:2379 \
  4.   --cacert=/etc/etcd/ca.pem \
  5.   --cert=/etc/etcd/kubernetes.pem \
  6.   --key=/etc/etcd/kubernetes-key.pem\
  7.   /registry/secrets/default/kubernetes-the-hard-way | hexdump -C"

output

  1. 00000000  2f 72 65 67 69 73 74 72  79 2f 73 65 63 72 65 74  |/registry/secret|
  2. 00000010  73 2f 64 65 66 61 75 6c  74 2f 6b 75 62 65 72 6e  |s/default/kubern|
  3. 00000020  65 74 65 73 2d 74 68 65  2d 68 61 72 64 2d 77 61  |etes-the-hard-wa|
  4. 00000030  79 0a 6b 38 73 3a 65 6e  63 3a 61 65 73 63 62 63  |y.k8s:enc:aescbc|
  5. 00000040  3a 76 31 3a 6b 65 79 31  3a 44 ac 6e ac 11 2f 28  |:v1:key1:D.n../(|
  6. 00000050  02 46 3d ad 9d cd 68 be  e4 cc 63 ae 13 e4 99 e8  |.F=...h...c.....|
  7. 00000060  6e 55 a0 fd 9d 33 7a b1  17 6b 20 19 23 dc 3e 67  |nU...3z..k .#.>g|
  8. 00000070  c9 6c 47 fa 78 8b 4d 28  cd d1 71 25 e9 29 ec 88  |.lG.x.M(..q%.)..|
  9. 00000080  7f c9 76 b6 31 63 6e ea  ac c5 e4 2f 32 d7 a6 94  |..v.1cn..../2...|
  10. 00000090  3c 3d 97 29 40 5a ee e1  ef d6 b2 17 01 75 a4 a3  |<=.)@Z.......u..|
  11. 000000a0  e2 c2 70 5b 77 1a 0b ec  71 c3 87 7a 1f 68 73 03  |..p[w...q..z.hs.|
  12. 000000b0  67 70 5e ba 5e 65 ff 6f  0c 40 5a f9 2a bd d6 0e  |gp^.^e.o.@Z.*...|
  13. 000000c0  44 8d 62 21 1a 30 4f 43  b8 03 69 52 c0 b7 2e 16  |D.b!.0OC..iR....|
  14. 000000d0  14 a5 91 21 29 fa 6e 03  47 e2 06 25 45 7c 4f 8f  |...!).n.G..%E|O.|
  15. 000000e0  6e bb 9d 3b e9 e5 2d 9e  3e 0a                    |n..;..-.>.|

The etcd key should be prefixed with k8s:enc:aescbc:v1:key1, which indicates the aescbc provider was used to encrypt the data with the key1 encryption key.

Deployments

In this section you will verify the ability to create and manage Deployments.

Create a deployment for the nginx web server:

  1. kubectl create deployment nginx --image=nginx

List the pod created by the nginx deployment:

  1. kubectl get pods -l app=nginx

output

  1. NAME                     READY   STATUS    RESTARTS   AGE
  2. nginx-554b9c67f9-vt5rn   1/1     Running   0          10s

Port Forwarding

In this section you will verify the ability to access applications remotely using port forwarding.

Retrieve the full name of the nginx pod:

  1. POD_NAME=$(kubectl get pods -l app=nginx -o jsonpath="{.items[0].metadata.name}")

Forward port 8080 on your local machine to port 80 of the nginx pod:

  1. kubectl port-forward $POD_NAME 8080:80

output

  1. Forwarding from 127.0.0.1:8080 -> 80
  2. Forwarding from [::1]:8080 -> 80

In a new terminal make an HTTP request using the forwarding address:

  1. curl --head http://127.0.0.1:8080

output

  1. HTTP/1.1 200 OK
  2. Server: nginx/1.17.3
  3. Date: Sat, 14 Sep 2019 21:10:11 GMT
  4. Content-Type: text/html
  5. Content-Length: 612
  6. Last-Modified: Tue, 13 Aug 2019 08:50:00 GMT
  7. Connection: keep-alive
  8. ETag: "5d5279b8-264"
  9. Accept-Ranges: bytes

Switch back to the previous terminal and stop the port forwarding to the nginx pod:

  1. Forwarding from 127.0.0.1:8080 -> 80
  2. Forwarding from [::1]:8080 -> 80
  3. Handling connection for 8080
  4. ^C

Logs

In this section you will verify the ability to retrieve container logs.

Print the nginx pod logs:

  1. kubectl logs $POD_NAME

output

  1. 127.0.0.1 - - [14/Sep/2019:21:10:11 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.52.1" "-"

Exec

In this section you will verify the ability to execute commands in a container.

Print the nginx version by executing the nginx -v command in the nginx container:

  1. kubectl exec -ti $POD_NAME -- nginx -v

output

  1. nginx version: nginx/1.17.3

Services

In this section you will verify the ability to expose applications using a Service.

Expose the nginx deployment using a NodePort service:

  1. kubectl expose deployment nginx --port 80 --type NodePort

The LoadBalancer service type can not be used because your cluster is not configured with cloud provider integration. Setting up cloud provider integration is out of scope for this tutorial.

Retrieve the node port assigned to the nginx service:

  1. NODE_PORT=$(kubectl get svc nginx \
  2.   --output=jsonpath='{range .spec.ports[0]}{.nodePort}')

Create a firewall rule that allows remote access to the nginx node port:

  1. gcloud compute firewall-rules create kubernetes-the-hard-way-allow-nginx-service \
  2.   --allow=tcp:${NODE_PORT} \
  3.   --network kubernetes-the-hard-way

Retrieve the external IP address of a worker instance:

  1. EXTERNAL_IP=$(gcloud compute instances describe worker-0 \
  2.   --format 'value(networkInterfaces[0].accessConfigs[0].natIP)')

Make an HTTP request using the external IP address and the nginx node port:

  1. curl -I http://${EXTERNAL_IP}:${NODE_PORT}

output

  1. HTTP/1.1 200 OK
  2. Server: nginx/1.17.3
  3. Date: Sat, 14 Sep 2019 21:12:35 GMT
  4. Content-Type: text/html
  5. Content-Length: 612
  6. Last-Modified: Tue, 13 Aug 2019 08:50:00 GMT
  7. Connection: keep-alive
  8. ETag: "5d5279b8-264"
  9. Accept-Ranges: bytes

Next: Cleaning Up