(→To do) |
m (Minnozz moved page HSNWiki:Kubernetes to Projects:Kubernetes over a redirect) |
||
(8 intermediate revisions by 3 users not shown) | |||
Regel 1.095: | Regel 1.095: | ||
** On the master, "kubeadm upgrade plan", then "kubeadm upgrade apply v1.14.x" | ** On the master, "kubeadm upgrade plan", then "kubeadm upgrade apply v1.14.x" | ||
** Upgrade CNI controller by re-running the same <code>kubectl apply</code> as earlier | ** Upgrade CNI controller by re-running the same <code>kubectl apply</code> as earlier | ||
** Unhold the kubelet | ** Unhold the kubelet and kubectl packages on the master, upgrade them and re-hold them, then restart the kubelet | ||
** For each worker, unhold the kubeadm package, upgrade it, rehold it; cordon (drain) the node; upgrade the node config; install the new kubelet version and restart it; uncordon the node. | ** For each worker, unhold the kubeadm package, upgrade it, rehold it; cordon (drain) the node; upgrade the node config; install the new kubelet version and restart it; uncordon the node. | ||
*** Here too, this only worked for me after unholding the kubelet and upgrading it as well. | |||
* Try getting information on a pod from inside it using the Kubernetes API | * Try getting information on a pod from inside it using the Kubernetes API | ||
** https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#accessing-the-api-from-a-pod | |||
** <code>wget --ca-certificate=/run/secrets/kubernetes.io/serviceaccount/ca.crt -qO- https://kubernetes.default.svc.cluster.local/api/</code> | |||
** Doesn't need using the Kubernetes API, can be done using env vars: https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/ | |||
* Play with native cronjobs | * Play with native cronjobs | ||
* Play with Statefulset / Daemonset | * Play with Statefulset / Daemonset | ||
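Review bot: The added wget line under "Try getting information on a pod from inside it" sends no credentials: it sets only --ca-certificate, so a successful response shows that the API server certificate verifies and that /api/ answers, not that the pod can read its own object. For that, the request would also need the service account token from the same directory (/run/secrets/kubernetes.io/serviceaccount/token) in an Authorization: Bearer header, plus RBAC permission to read pods in its namespace; state that next to the command. The env-var bullet could also say that this route needs no API permission at all, which makes it the safer default for the later to-do item "Allow K8s API communication from a pod, but only to receive information about itself". Separately, the worker bullet still names only the kubeadm package for unhold/rehold while the new sub-bullet says the kubelet had to be unheld too; fold that into the step itself, as was done for the master.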
Regel 1.105: | Regel 1.109: | ||
** Allow K8s API communication from a pod, but only to receive information about itself | ** Allow K8s API communication from a pod, but only to receive information about itself | ||
** Basically: Make it impossible to root a node even with "broad" privileges on the Kubernetes API server | ** Basically: Make it impossible to root a node even with "broad" privileges on the Kubernetes API server | ||
** https://kubernetes.io/docs/concepts/policy/pod-security-policy/ | |||
* Limiting pods in memory, CPU, I/O | * Limiting pods in memory, CPU, I/O | ||
* Limiting pods in network communication | * Limiting pods in network communication | ||
[[Categorie:Projects]] |
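Review bot: The pod-security-policy link is added as a bare URL under the "impossible to root a node" item, with no indication of which controls are meant. List the settings to try (for example privileged, hostPID, hostNetwork and hostPath volumes), and note that PodSecurityPolicy only constrains pod specs at admission: the preceding item about limiting a pod's API access to information about itself is an authorization (RBAC) question and needs its own reference. PodSecurityPolicy was also deprecated in Kubernetes 1.21 and removed in 1.25, so the link applies to the v1.14.x cluster described here but not to current releases.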