
Kubernetes Installation & Operations Guide

Installation

Installing microk8s
https://microk8s.io/

Addon

https://microk8s.io/docs/addons

  • Check which add-ons you need, and which are currently enabled, with microk8s status:
microk8s is running
high-availability: no
  datastore master nodes: 127.0.0.1:19001
  datastore standby nodes: none
addons:
  enabled:
        argocd               # (community) Argo CD is a declarative continuous deployment for Kubernetes.
        cert-manager         # (core) Cloud native certificate management
        community            # (core) The community addons repository
        dashboard            # (core) The Kubernetes dashboard
        dns                  # (core) CoreDNS
        ha-cluster           # (core) Configure high availability on the current node
        helm                 # (core) Helm - the package manager for Kubernetes
        helm3                # (core) Helm 3 - the package manager for Kubernetes
        hostpath-storage     # (core) Storage class; allocates storage from host directory
        ingress              # (core) Ingress controller for external access
        metallb              # (core) Loadbalancer for your Kubernetes cluster
        metrics-server       # (core) K8s Metrics Server for API access to service metrics
        observability        # (core) A lightweight observability stack for logs, traces and metrics
        storage              # (core) Alias to hostpath-storage add-on, deprecated
  disabled:
        cilium               # (community) SDN, fast with full network policy
        cloudnative-pg       # (community) PostgreSQL operator CloudNativePG
        dashboard-ingress    # (community) Ingress definition for Kubernetes dashboard
        easyhaproxy          # (community) EasyHAProxy can configure HAProxy automatically based on ingress labels
        falco                # (community) Cloud-native runtime threat detection tool for Linux and K8s
        fluentd              # (community) Elasticsearch-Fluentd-Kibana logging and monitoring
        gopaddle             # (community) DevSecOps and Multi-Cloud Kubernetes Platform
        inaccel              # (community) Simplifying FPGA management in Kubernetes
        istio                # (community) Core Istio service mesh services
        jaeger               # (community) Kubernetes Jaeger operator with its simple config
        kata                 # (community) Kata Containers is a secure runtime with lightweight VMS
        keda                 # (community) Kubernetes-based Event Driven Autoscaling
        knative              # (community) Knative Serverless and Event Driven Applications
        kubearmor            # (community) Cloud-native runtime security enforcement system for k8s
        kwasm                # (community) WebAssembly support for WasmEdge (Docker Wasm) and Spin (Azure AKS WASI)
        linkerd              # (community) Linkerd is a service mesh for Kubernetes and other frameworks
        microcks             # (community) Open source Kubernetes Native tool for API Mocking and Testing
        multus               # (community) Multus CNI enables attaching multiple network interfaces to pods
        nfs                  # (community) NFS Server Provisioner
        ngrok                # (community) ngrok Ingress Controller instantly adds connectivity, load balancing, authentication, and observability to your services
        openebs              # (community) OpenEBS is the open-source storage solution for Kubernetes
        openfaas             # (community) OpenFaaS serverless framework
        osm-edge             # (community) osm-edge is a lightweight SMI compatible service mesh for the edge-computing.
        parking              # (community) Static webserver to park a domain. Works with EasyHAProxy.
        portainer            # (community) Portainer UI for your Kubernetes cluster
        shifu                # (community) Kubernetes native IoT software development framework.
        sosivio              # (community) Kubernetes Predictive Troubleshooting, Observability, and Resource Optimization
        stunner              # (community) A Kubernetes media gateway for WebRTC
        traefik              # (community) traefik Ingress controller
        trivy                # (community) Kubernetes-native security scanner
        cis-hardening        # (core) Apply CIS K8s hardening
        gpu                  # (core) Alias to nvidia add-on
        host-access          # (core) Allow Pods connecting to Host services smoothly
        kube-ovn             # (core) An advanced network fabric for Kubernetes
        mayastor             # (core) OpenEBS MayaStor
        minio                # (core) MinIO object storage
        nvidia               # (core) NVIDIA hardware (GPU and network) support
        prometheus           # (core) Prometheus operator for monitoring and logging
        rbac                 # (core) Role-Based Access Control for authorisation
        registry             # (core) Private image registry exposed on localhost:32000
        rook-ceph            # (core) Distributed Ceph storage using Rook

Operation

  • Issue when the node IP changes
sudo microk8s refresh-certs --cert server.crt
The certificates have to be refreshed like this (--cert names the certificate to reissue; server.crt is the API server's). The existing certificate carries the previously configured IP in its SAN list, so after the change it must be reissued for the new IP; if the new address is not picked up automatically, add it to /var/snap/microk8s/current/certs/csr.conf.template before refreshing. Kubeconfigs exported with the old IP (microk8s config) have to be regenerated as well.
 
# Install the load balancer
microk8s enable metallb
Address range: 192.168.219.2-192.168.219.50 <- set it to an unused range on your LAN (the range can also be passed inline as microk8s enable metallb:192.168.219.2-192.168.219.50 instead of answering the prompt).

Creating an admin account

The manifest below binds a ServiceAccount to the cluster-admin ClusterRole and declares a long-lived token Secret for it (since Kubernetes 1.24 such a Secret is no longer created automatically, which is why it is spelled out here; the token is what the dashboard login accepts). That token is a root credential for the whole cluster: keep the Secret out of version control and delete the binding when the dashboard/bootstrap use is over.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
 
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
 
---
apiVersion: v1
kind: Secret
metadata:
  name: admin-user-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: admin-user
type: kubernetes.io/service-account-token
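
An audit for what the manifest above creates, added here as an example (it is not part of the original guide): it lists every subject bound to cluster-admin and checks which of those ServiceAccounts also have a long-lived service-account-token Secret. The input is the JSON shape that microk8s kubectl get clusterrolebindings -o json and microk8s kubectl get secrets -A -o json return; the two samples are constructed by hand to mirror the manifest.

```python
# Added example, not from the original guide: audit who holds cluster-admin and
# which of them also have a long-lived token Secret, i.e. what the manifest
# above creates. Input is the JSON that `microk8s kubectl get clusterrolebindings
# -o json` / `microk8s kubectl get secrets -A -o json` return; the samples here
# are constructed by hand for the example.
import json

SAMPLE_CRBS = json.loads("""
{"items": [
  {"metadata": {"name": "admin-user"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "admin-user", "namespace": "kube-system"}]},
  {"metadata": {"name": "devs-view"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "Group", "name": "devs", "apiGroup": "rbac.authorization.k8s.io"}]}
]}
""")

SAMPLE_SECRETS = json.loads("""
{"items": [
  {"metadata": {"name": "admin-user-token", "namespace": "kube-system",
                "annotations": {"kubernetes.io/service-account.name": "admin-user"}},
   "type": "kubernetes.io/service-account-token"},
  {"metadata": {"name": "route53-credentials", "namespace": "cert-manager"},
   "type": "Opaque"}
]}
""")


def cluster_admin_subjects(crb_list):
    """(kind, namespace, name) for every subject bound to the cluster-admin ClusterRole."""
    found = []
    for crb in crb_list.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subject in crb.get("subjects", []):
            # Users and Groups have no namespace; ServiceAccounts do.
            found.append((subject["kind"], subject.get("namespace", ""), subject["name"]))
    return found


def long_lived_tokens(secret_list, subjects):
    """(namespace, secret, sa) for token Secrets that belong to the given ServiceAccount subjects."""
    sas = {(ns, name) for kind, ns, name in subjects if kind == "ServiceAccount"}
    hits = []
    for sec in secret_list.get("items", []):
        if sec.get("type") != "kubernetes.io/service-account-token":
            continue
        meta = sec["metadata"]
        sa = meta.get("annotations", {}).get("kubernetes.io/service-account.name")
        if (meta["namespace"], sa) in sas:
            hits.append((meta["namespace"], meta["name"], sa))
    return hits


if __name__ == "__main__":
    admins = cluster_admin_subjects(SAMPLE_CRBS)
    print("cluster-admin subjects:", admins)
    print("long-lived tokens for them:", long_lived_tokens(SAMPLE_SECRETS, admins))
```

Run it against real cluster output by piping the two kubectl commands into json.loads instead of the samples. Where a short-lived credential is enough (a one-off dashboard login), microk8s kubectl -n kube-system create token admin-user --duration=1h (kubectl 1.24+) avoids creating the token Secret at all.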

Creating the ECR image pull token Secret

microk8s kubectl create secret docker-registry ap-northeast-2-ecr-registry   --docker-server=012634413971.dkr.ecr.ap-northeast-2.amazonaws.com   --docker-username=AWS   --docker-password=$(aws ecr get-login-password --region ap-northeast-2)   --docker-email=walter.jung@luxrobo.com -n app
The password is an ECR authorization token, valid for 12 hours from the moment aws ecr get-login-password issues it, so this Secret has to be re-created on a schedule; once it lapses, new pods in the app namespace fail with ImagePullBackOff.

Argo CD: automatic ECR credential update

ecr_update_secret.yaml (applied in the Argo CD namespace; the password is left empty on purpose and is populated with a fresh ECR token by the updater that the argocd-ecr-updater: enabled label opts this Secret into, so no ECR token has to be committed)

apiVersion: v1
kind: Secret
stringData:
  enableOCI: "true"
  name: helm-ecr # can be anything
  type: helm
  url: 012634413971.dkr.ecr.ap-northeast-2.amazonaws.com
  username: AWS
  password: ""
metadata:
  labels:
    argocd-ecr-updater: enabled
    argocd.argoproj.io/secret-type: repository
  name: helm-ecr
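
The refresh both of the sections above depend on, written out as an added example (it is not the guide's own code and not part of Argo CD or of any updater): take one ECR authorization token, build the pull Secret for the app namespace and the Argo CD repository Secret from it, and decide when it is time to rotate. With boto3 the token comes from ecr.get_authorization_token()["authorizationData"][0] as "authorizationToken" (base64 of "AWS:<password>") together with "expiresAt"; here the token is constructed for the example, and the argocd namespace is an assumption about where the microk8s argocd add-on installs.

```python
# Added example, not part of the original guide or of Argo CD: build the ECR
# pull Secret and the Argo CD repository Secret from a fresh ECR authorization
# token, and decide when to refresh them. With boto3 the token comes from
# ecr.get_authorization_token()["authorizationData"][0]["authorizationToken"]
# (base64 of "AWS:<password>") plus "expiresAt" (about 12 hours out); the token
# below is constructed for the example and is not a real credential.
import base64
import json
from datetime import datetime, timedelta

ECR_SERVER = "012634413971.dkr.ecr.ap-northeast-2.amazonaws.com"  # from the guide
ARGOCD_NAMESPACE = "argocd"  # assumption: where the microk8s argocd add-on installs
CONSTRUCTED_TOKEN = base64.b64encode(b"AWS:eyJwYXlsb2FkIjoiZXhhbXBsZSJ9").decode()


def parse_authorization_token(authorization_token):
    """Split ECR's base64 'AWS:<password>' blob, as aws ecr get-login-password does."""
    user, sep, password = base64.b64decode(authorization_token).decode().partition(":")
    if user != "AWS" or not sep or not password:
        raise ValueError("unexpected ECR authorization token format")
    return user, password


def dockerconfigjson(server, username, password, email=None):
    """Same document `kubectl create secret docker-registry` stores under .dockerconfigjson."""
    entry = {"username": username, "password": password,
             "auth": base64.b64encode(f"{username}:{password}".encode()).decode()}
    if email:
        entry["email"] = email
    return {"auths": {server: entry}}


def pull_secret_manifest(name, namespace, server, username, password, email=None):
    """kubernetes.io/dockerconfigjson Secret, ready for `kubectl apply -f -`."""
    cfg = json.dumps(dockerconfigjson(server, username, password, email), separators=(",", ":"))
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": name, "namespace": namespace},
            "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()}}


def decode_pull_secret(manifest):
    """Reverse of pull_secret_manifest: inspect what a pull Secret actually holds."""
    return json.loads(base64.b64decode(manifest["data"][".dockerconfigjson"]))


def argocd_repo_secret_manifest(name, server, username, password):
    """Argo CD OCI Helm repository credential: the shape of ecr_update_secret.yaml
    above, with the password filled in instead of left empty."""
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": ARGOCD_NAMESPACE,
                         "labels": {"argocd.argoproj.io/secret-type": "repository",
                                    "argocd-ecr-updater": "enabled"}},
            "stringData": {"name": name, "type": "helm", "enableOCI": "true",
                           "url": server, "username": username, "password": password}}


def needs_refresh(expires_at_iso, now_iso, margin_hours=1):
    """True when the token expires within margin_hours; call this from a cron job."""
    expires_at = datetime.fromisoformat(expires_at_iso)
    now = datetime.fromisoformat(now_iso)
    return now + timedelta(hours=margin_hours) >= expires_at


if __name__ == "__main__":
    user, pw = parse_authorization_token(CONSTRUCTED_TOKEN)
    print(json.dumps(pull_secret_manifest("ap-northeast-2-ecr-registry", "app", ECR_SERVER, user, pw), indent=2))
    print(json.dumps(argocd_repo_secret_manifest("helm-ecr", ECR_SERVER, user, pw), indent=2))
```

Applying the printed manifests with kubectl apply replaces the existing Secrets in place, so a cron job running well inside the 12-hour window (every 6 hours, say) keeps both pulls and Argo CD syncs working without an operator touching credentials.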

cert-manager configuration, dns01 method

Use dns01 when the http01 method shown further below does not work. Here the switch to dns01 was made because of an internal ACME self-check error: before asking Let's Encrypt to validate, cert-manager fetches the challenge URL itself from inside the cluster, and on a NATed network the public address is often not reachable from inside. dns01 in turn puts AWS credentials into the cluster, so the IAM side has to be locked down accordingly (see the IAM section below). ClusterIssuer is cluster-scoped, so the namespace field in its metadata has no effect; the Secret it references must live in cert-manager's cluster resource namespace, which is cert-manager by default.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: walter.jung@luxrobo.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - dns01:
        route53:
          region: ap-northeast-2
          accessKeyID: AKIAIOSFODNN7EXAMPLE
          secretAccessKeySecretRef:
            name: route53-credentials
            key: secret-access-key

Creating the AWS IAM credentials

Create an IAM user (or role) whose only permission is to manage the DNS records cert-manager needs, then put its access key in the route53-credentials Secret below. Values under data: are base64-encoded (use stringData: instead to skip the encoding); e.g.:
echo -n 'AKIAIOSFODNN7EXAMPLE' | base64
# output: QUtJQUlPU0ZPRE5ON0VYQU1QTEU=
 
echo -n 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY' | base64
# output: d0phbHJYVXRuRkVNSS9LN01ERU5HL2JQeFJmaUNZRVhBTVBMRUtFWQ==
 
apiVersion: v1
kind: Secret
metadata:
  name: route53-credentials
  namespace: cert-manager
type: Opaque
data:
  access-key-id: <base64-encoded-access-key-id>
  secret-access-key: <base64-encoded-secret-access-key>
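
The two artifacts this section and the dns01 section need, generated together as an added example (not the guide's own code): the route53-credentials Secret with the base64 encoding done for you, and the IAM policy the access key should carry. The action list is the one cert-manager documents for its Route53 solver; restricting record changes to a single hosted zone ID instead of hostedzone/* is this example's tightening, and the zone ID is a placeholder. The key pair is AWS's documentation example, not a real credential.

```python
# Added example, not the guide's own code: build the route53-credentials Secret
# the dns01 ClusterIssuer references and the IAM policy its access key should
# carry. The action list is the one cert-manager documents for its Route53
# solver; scoping ChangeResourceRecordSets to one hosted zone ID (instead of
# hostedzone/*) is this example's tightening. The key pair is AWS's
# documentation example key, not a real credential.
import base64
import json
import re

ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
HOSTED_ZONE_ID = "Z0123456789ABCDEFGHIJ"  # placeholder: the Route53 zone for your domain


def b64(value):
    """Secret .data values are base64 of the raw bytes, with no trailing newline."""
    return base64.b64encode(value.encode()).decode()


def route53_credentials_secret(access_key_id, secret_access_key, namespace="cert-manager"):
    """The Opaque Secret referenced by the ClusterIssuer's secretAccessKeySecretRef."""
    # Refuse obviously wrong input before it lands in the cluster.
    if not re.fullmatch(r"(AKIA|ASIA)[A-Z0-9]{16}", access_key_id):
        raise ValueError("not an AWS access key ID")
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": "route53-credentials", "namespace": namespace},
            "data": {"access-key-id": b64(access_key_id),
                     "secret-access-key": b64(secret_access_key)}}


def route53_dns01_policy(hosted_zone_id):
    """Least-privilege IAM policy for cert-manager's Route53 dns01 solver."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "route53:GetChange",
         "Resource": "arn:aws:route53:::change/*"},
        {"Effect": "Allow",
         "Action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
         "Resource": f"arn:aws:route53:::hostedzone/{hosted_zone_id}"},
        {"Effect": "Allow", "Action": "route53:ListHostedZonesByName", "Resource": "*"},
    ]}


def overbroad_write_grants(policy):
    """Statements that allow record changes on every hosted zone (a pasted policy often does)."""
    hits = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if "route53:ChangeResourceRecordSets" in actions and any(
                r in ("*", "arn:aws:route53:::hostedzone/*") for r in resources):
            hits.append(st)
    return hits


if __name__ == "__main__":
    print(json.dumps(route53_credentials_secret(ACCESS_KEY_ID, SECRET_ACCESS_KEY), indent=2))
    print(json.dumps(route53_dns01_policy(HOSTED_ZONE_ID), indent=2))
```

A key that can only write _acme-challenge records in one zone limits what a compromised cert-manager namespace can do to your DNS; route53:ListHostedZonesByName still needs Resource "*" because that API is not resource-scoped.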

cert-manager configuration, http01 method

ClusterIssuer is cluster-scoped, so the namespace: kube-system below has no effect. The http01 solver needs the challenge Ingress to be reachable from the internet on port 80 through the ingress class named here (public is the class the microk8s ingress add-on registers).

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: kube-system
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: walter.jung@luxrobo.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            class: public