Learn Kubernetes Basics

Tasks

Tasks
Install Tools
Install and Set Up kubectl
Install Minikube
Configure Pods and Containers
Assign Memory Resources to Containers and Pods
Assign CPU Resources to Containers and Pods
Configure GMSA for Windows pods and containers
Configure Quality of Service for Pods
Assign Extended Resources to a Container
Configure a Pod to Use a Volume for Storage
Configure a Pod to Use a PersistentVolume for Storage
Configure a Pod to Use a Projected Volume for Storage
Configure a Security Context for a Pod or Container
Configure Service Accounts for Pods
Pull an Image from a Private Registry
Configure Liveness and Readiness Probes
Assign Pods to Nodes
Configure Pod Initialization
Attach Handlers to Container Lifecycle Events
Configure a Pod to Use a ConfigMap
Share Process Namespace between Containers in a Pod
Translate a Docker Compose File to Kubernetes Resources
Administer a Cluster
Administration with kubeadm
Certificate Management with kubeadm
Upgrading kubeadm HA clusters from v1.11 to v1.12
Upgrading kubeadm HA clusters from v1.12 to v1.13
Upgrading kubeadm clusters from v1.11 to v1.12
Upgrading kubeadm clusters from v1.12 to v1.13
Upgrading kubeadm clusters from v1.13 to v1.14
Manage Memory, CPU, and API Resources
Configure Default Memory Requests and Limits for a Namespace
Configure Default CPU Requests and Limits for a Namespace
Configure Minimum and Maximum Memory Constraints for a Namespace
Configure Minimum and Maximum CPU Constraints for a Namespace
Configure Memory and CPU Quotas for a Namespace
Configure a Pod Quota for a Namespace
Install a Network Policy Provider
Use Calico for NetworkPolicy
Use Cilium for NetworkPolicy
Use Kube-router for NetworkPolicy
Romana for NetworkPolicy
Weave Net for NetworkPolicy
Access Clusters Using the Kubernetes API
Access Services Running on Clusters
Advertise Extended Resources for a Node
Autoscale the DNS Service in a Cluster
Change the Reclaim Policy of a PersistentVolume
Change the default StorageClass
Cluster Management
Configure Multiple Schedulers
Configure Out Of Resource Handling
Configure Quotas for API Objects
Control CPU Management Policies on the Node
Customizing DNS Service
Debugging DNS Resolution
Declare Network Policy
Developing Cloud Controller Manager
Encrypting Secret Data at Rest
Guaranteed Scheduling For Critical Add-On Pods
IP Masquerade Agent User Guide
Kubernetes Cloud Controller Manager
Limit Storage Consumption
Namespaces Walkthrough
Operating etcd clusters for Kubernetes
Reconfigure a Node's Kubelet in a Live Cluster
Reserve Compute Resources for System Daemons
Safely Drain a Node while Respecting Application SLOs
Securing a Cluster
Set Kubelet parameters via a config file
Set up High-Availability Kubernetes Masters
Share a Cluster with Namespaces
Static Pods
Storage Object in Use Protection
Using CoreDNS for Service Discovery
Using a KMS provider for data encryption
Using sysctls in a Kubernetes Cluster
Inject Data Into Applications
Define a Command and Arguments for a Container
Define Environment Variables for a Container
Expose Pod Information to Containers Through Environment Variables
Expose Pod Information to Containers Through Files
Distribute Credentials Securely Using Secrets
Inject Information into Pods Using a PodPreset
Run Applications
Run a Stateless Application Using a Deployment
Run a Single-Instance Stateful Application
Run a Replicated Stateful Application
Update API Objects in Place Using kubectl patch
Scale a StatefulSet
Delete a StatefulSet
Force Delete StatefulSet Pods
Perform Rolling Update Using a Replication Controller
Horizontal Pod Autoscaler
Horizontal Pod Autoscaler Walkthrough
Specifying a Disruption Budget for your Application
Run Jobs
Running Automated Tasks with a CronJob
Parallel Processing using Expansions
Coarse Parallel Processing Using a Work Queue
Fine Parallel Processing Using a Work Queue
Access Applications in a Cluster
Web UI (Dashboard)
Accessing Clusters
Configure Access to Multiple Clusters
Use Port Forwarding to Access Applications in a Cluster
Use a Service to Access an Application in a Cluster
Connect a Front End to a Back End Using a Service
Create an External Load Balancer
Configure Your Cloud Provider's Firewalls
List All Container Images Running in a Cluster
Set up Ingress on Minikube with the NGINX Ingress Controller
Communicate Between Containers in the Same Pod Using a Shared Volume
Configure DNS for a Cluster
Monitor, Log, and Debug
Application Introspection and Debugging
Auditing
Core metrics pipeline
Debug Init Containers
Debug Pods and ReplicationControllers
Debug Services
Debug a StatefulSet
Debugging Kubernetes nodes with crictl
Determine the Reason for Pod Failure
Developing and debugging services locally
Events in Stackdriver
Get a Shell to a Running Container
Logging Using Elasticsearch and Kibana
Logging Using Stackdriver
Monitor Node Health
Tools for Monitoring Resources
Troubleshoot Applications
Troubleshoot Clusters
Troubleshooting
Extend Kubernetes
Use Custom Resources
Extend the Kubernetes API with CustomResourceDefinitions
Versions of CustomResourceDefinitions
Configure the Aggregation Layer
Setup an Extension API Server
Use an HTTP Proxy to Access the Kubernetes API
TLS
Certificate Rotation
Manage TLS Certificates in a Cluster
Federation
Set up Cluster Federation with Kubefed
Set up CoreDNS as DNS provider for Cluster Federation
Set up placement policies in Federation
Cross-cluster Service Discovery using Federated Services
Administer Federation Control Plane
Federated Cluster
Federated ConfigMap
Federated DaemonSet
Federated Deployment
Federated Events
Federated Horizontal Pod Autoscalers (HPA)
Federated Ingress
Federated Jobs
Federated Namespaces
Federated ReplicaSets
Federated Secrets
Manage Cluster Daemons
Perform a Rollback on a DaemonSet
Perform a Rolling Update on a DaemonSet
Install Service Catalog
Install Service Catalog using Helm
Install Service Catalog using SC
Extend kubectl with plugins
Manage HugePages
Schedule GPUs

Edit This Page

Setup an Extension API Server

Setting up an extension API server to work the aggregation layer allows the Kubernetes apiserver to be extended with additional APIs, which are not part of the core Kubernetes APIs.

Before you begin

You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using Minikube, or you can use one of these Kubernetes playgrounds:

To check the version, enter kubectl version.

Setup an extension api-server to work with the aggregation layer

The following steps describe how to set up an extension-apiserver at a high level. These steps apply regardless if you’re using YAML configs or using APIs. An attempt is made to specifically identify any differences between the two. For a concrete example of how they can be implemented using YAML configs, you can look at the sample-apiserver in the Kubernetes repo.

Alternatively, you can use an existing 3rd party solution, such as apiserver-builder, which should generate a skeleton and automate all of the following steps for you.

  1. Make sure the APIService API is enabled (check --runtime-config). It should be on by default, unless it’s been deliberately turned off in your cluster.
  2. You may need to make an RBAC rule allowing you to add APIService objects, or get your cluster administrator to make one. (Since API extensions affect the entire cluster, it is not recommended to do testing/development/debug of an API extension in a live cluster.)
  3. Create the Kubernetes namespace you want to run your extension api-service in.
  4. Create/get a CA cert to be used to sign the server cert the extension api-server uses for HTTPS.
  5. Create a server cert/key for the api-server to use for HTTPS. This cert should be signed by the above CA. It should also have a CN of the Kube DNS name. This is derived from the Kubernetes service and be of the form <service name>.<service name namespace>.svc
  6. Create a Kubernetes secret with the server cert/key in your namespace.
  7. Create a Kubernetes deployment for the extension api-server and make sure you are loading the secret as a volume. It should contain a reference to a working image of your extension api-server. The deployment should also be in your namespace.
  8. Make sure that your extension-apiserver loads those certs from that volume and that they are used in the HTTPS handshake.
  9. Create a Kubernetes service account in your namespace.
  10. Create a Kubernetes cluster role for the operations you want to allow on your resources.
  11. Create a Kubernetes cluster role binding from the service account in your namespace to the cluster role you just created.
  12. Create a Kubernetes cluster role binding from the service account in your namespace to the system:auth-delegator cluster role to delegate auth decisions to the Kubernetes core API server.
  13. Create a Kubernetes role binding from the service account in your namespace to the extension-apiserver-authentication-reader role. This allows your extension api-server to access the extension-apiserver-authentication configmap.
  14. Create a Kubernetes apiservice. The CA cert above should be base64 encoded, stripped of new lines and used as the spec.caBundle in the apiservice. This should not be namespaced. If using the kube-aggregator API, only pass in the PEM encoded CA bundle because the base 64 encoding is done for you.
  15. Use kubectl to get your resource. It should return “No resources found.” Which means that everything worked but you currently have no objects of that resource type created yet.

What's next

Feedback