KubeCamp
KubeCamp is a kubernetes cluster available to all AINS users.
Because SCCP students have priority access to resources, the resources (memory, CPU, storage, etc.) available to other guest users on this Kubernetes cluster are limited.
Please check Limitations for more information.
Getting Started
The system is utilized through the kubectl command.
Before executing the kubectl command
When you press the Create Namespace button on the dashboard, essential resources such as namespace objects are created in the K8s cluster.
The registration for Harbor is also conducted simultaneously, and it takes approximately 1 to 2 minutes to complete all registration processes.
You can also check the allocation status of available CPU, memory, and other resources from the management page.
You can also reset everything by deleting the existing namespace and then creating a new one.
kubectl command
All operations on the K8s cluster are performed remotely from the kubectl command.
Please download the appropriate kubectl binary from the following links or from the official site.
- Download kubectl for linux and WSL2 (https://dl.k8s.io/release/v1.30.4/bin/linux/amd64/kubectl)
When using macOS with Docker Desktop installed, the kubectl command may already be installed at /usr/local/bin/kubectl. If you want to download the kubectl command yourself, use curl or another command-line tool.
- For Intel model,
$ curl -LO https://dl.k8s.io/release/v1.30.4/bin/darwin/amd64/kubectl
- For Apple Silicon,
$ curl -LO https://dl.k8s.io/release/v1.30.4/bin/darwin/arm64/kubectl
In the CentOS environment of the exercise rooms, the kubectl command is placed in ~yasu-abe/bin/kubectl.
Preparation work
A configuration file must be prepared to run the kubectl command.
Please access the following site to obtain the configuration file.
- access the website and click the Login button
- enter your AINS ID (e.g., s13xxxxx) and password
- click the green Grant Access button
- copy the lines from “apiVersion: v1” to “name: oidc” into your ~/.kube/config file
Confirm your ~/.kube/config file
Execute the $ kubectl version command and check that the output contains the correct Server Version line, as follows:
$ kubectl version
Client Version: v1.30.4
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.30.4
If the ~/.kube/config file has any issues, the kubectl command cannot connect to the server, or, even if it can connect, you may get an error message without the server version information.
How to use the kubectl command
If you have created the configuration file in ~/.kube/config, you can execute commands as follows:
$ kubectl get node
$ kubectl top node
$ kubectl top pods --all-namespaces
$ kubectl -n <your namespace> get limits
Replace <your namespace> with your AINS ID (e.g., kubectl -n s13xxxxx get limits).
Use the --kubeconfig option if you want to manage multiple config files or place them somewhere other than ~/.kube/config.
The following examples are equivalent.
$ kubectl -n <your namespace> get limits
$ kubectl --kubeconfig ~/.kube/config -n <your namespace> get limits
When creating objects such as Service, Deployment (Pod), etc., be sure to specify the -n option.
See the command line in Getting Started for specific examples.
Useful Links
System configuration
Component | Version | Additional Information |
---|---|---|
Kubernetes | v1.30.4 | https://k8s.io/ |
Storage Service (Rook) | v1.14.10 | https://rook.io/, also see the PV & PVC section. |
System Access
Although the connection is allowed only from the campus, it is also possible to use it from home via an Internet connection by using the VPN provided by ISTC.
Users can access the K8s cluster only with the kubectl command (port:6443) and a web browser (port:80, 443).
Access from web browsers via plain HTTP is redirected to HTTPS:
$ curl -I http://kubecamp.u-aizu.ac.jp/signup/
HTTP/1.1 301 Moved Permanently
...
Location: https://kubecamp.u-aizu.ac.jp/signup/
It is not possible to access each node directly, for example by remote login via SSH.
Ingress Settings
Each user can accept access from a web browser by creating a Service object named “<your namespace>-svc” in their namespace that accepts port 80. This Service object only accepts connections from the Ingress.
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
s13xxxxx-svc ClusterIP 10.233.8.213 <none> 80/TCP 16h
The web server that accepts access on kubecamp.u-aizu.ac.jp calls the user’s application without changing context-root. For example, an access to https://kubecamp.u-aizu.ac.jp/s13xxxxx/ will proxy to http://s13xxxxx-svc.s13xxxxx.svc.cluster.local/s13xxxxx/ automatically.
A web application might be configured to work with the “/” (root) context-root. In that case, a reverse proxy server can be built to change context-root to the Root URL, “/”, of the application.
Transforming the context-root with a reverse proxy is not a complete solution. It works when the application refers to its files using relative paths. When the application references files using absolute paths, however, it will not operate correctly unless the content is dynamically rewritten.
Please see the WebSocket Socket.IO and Reverse Proxy Example tutorial for a sample service and reverse proxy configurations. The context-root transformation is also discussed in this tutorial.
Time Duration of Generating Ingress Object
An Ingress object takes one to five minutes to be generated on the KubeCamp system after you prepare the “<your namespace>-svc” Service object.
All SCCP members have read privilege to see the status of all Ingress objects on the system, as follows:
$ kubectl -n ingress-nginx get ingress
Persistent Volumes (PV & PVC)
Users can use the Rook/Ceph persistent volume functionality.
StorageClass (sc)
NAME | PROVISIONER | RECLAIMPOLICY | VOLUMEBINDINGMODE | ALLOWVOLUMEEXPANSION | AGE |
---|---|---|---|---|---|
rook-ceph-block (default) | rook-ceph.rbd.csi.ceph.com | Delete | Immediate | true | 34d |
rook-cephfs | rook-ceph.cephfs.csi.ceph.com | Delete | Immediate | true | 34d |
You can get the same output by executing the command $ kubectl get sc.
Please refer to the example in Deployment Nginx using PVC for available StorageClass names and specific usage.
Backups
No backups are taken of any files on the k8s cluster.
For files that need to be backed up, the kubectl cp command can be used to download files from inside a pod to the PC on which the kubectl command is running.
Limitations
All users are categorized into two types: SCCP members and Guests. Each type has specific settings applied to it.
Type | Max CPU Quota | Max Memory Quota | Max Storage Quota | Max Number of PVCs |
---|---|---|---|---|
SCCP | 2000m | 3000MiB | 10GiB | 20 |
Guest | 200m | 750MiB | 1GiB | 5 |
Your own ResourceQuota setting can be checked as follows:
$ kubectl --kubeconfig ~/.kube/config -n <your namespace> get quota
The output is as follows:
NAME AGE REQUEST LIMIT
resource-quota 3d19h persistentvolumeclaims: 1/5, requests.cpu: 30m/200m, requests.memory: 300Mi/500Mi, requests.storage: 1Gi/1Gi limits.cpu: 30m/200m, limits.memory: 300Mi/500Mi
LimitRange
Users can change the allocation of resources such as CPU and Memory within the limits.
ResourceLimits are default values set so that you do not need to specify a resource allocation in each YAML file.
If resources: is not set in the Pod definition (for example, inside a Deployment), the following default values are used.
Type | Default CPU Limit | Default CPU Request | Default Memory Limit | Default Memory Request | Number of LoadBalancers |
---|---|---|---|---|---|
SCCP | 50m | 50m | 100MiB | 100MiB | 0 |
Guest | 10m | 10m | 100MiB | 100MiB | 0 |
The system is set up so that 10 pods can be created for type SCCP and 5 for type Guest.
You are not allowed to create a Service object of type LoadBalancer. For access to the deployed application, please refer to the Ingress Settings section.
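Because a Deployment that exceeds the ResourceQuota in the Limitations table is rejected only at admission time, it helps to check the total demand before applying it. The following is an added example (not part of the KubeCamp documentation): it takes the quota and LimitRange default figures from the two tables above, fills in the defaults for containers that omit resources:, and reports which quota the Deployment would exceed. The sample Deployment and the function names are constructed for this example.

```python
"""Pre-flight check: would a Deployment fit the KubeCamp ResourceQuota and
LimitRange defaults? Added example; figures come from this page's tables,
the sample Deployment is constructed and the function names are assumptions."""
import re

_MULT = {"": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9,
         "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3}

def parse_quantity(q):
    """'200m' -> 0.2 cores, '750Mi' -> bytes; raises on an unknown suffix."""
    m = re.fullmatch(r"([0-9.]+)([A-Za-z]*)", str(q))
    if not m or m.group(2) not in _MULT:
        raise ValueError(f"bad quantity: {q!r}")
    return float(m.group(1)) * _MULT[m.group(2)]

# Limitations table (MiB read as Mi) and LimitRange defaults per user type.
QUOTA = {"SCCP": {"cpu": "2000m", "memory": "3000Mi", "pods": 10},
         "Guest": {"cpu": "200m", "memory": "750Mi", "pods": 5}}
DEFAULT_LIMIT = {"SCCP": {"cpu": "50m", "memory": "100Mi"},
                 "Guest": {"cpu": "10m", "memory": "100Mi"}}

def effective_limits(container, user_type):
    """Limits the cluster would record: the explicit value, else the LimitRange default."""
    res = container.get("resources", {}).get("limits", {})
    return {k: parse_quantity(res.get(k, DEFAULT_LIMIT[user_type][k])) for k in ("cpu", "memory")}

def quota_violations(deployment, user_type):
    """Return a list of violations; an empty list means the Deployment fits the quota."""
    spec = deployment["spec"]
    replicas = spec.get("replicas", 1)
    total = {"cpu": 0.0, "memory": 0.0}
    for c in spec["template"]["spec"]["containers"]:
        for k, v in effective_limits(c, user_type).items():
            total[k] += v * replicas          # every replica is one Pod
    q = QUOTA[user_type]
    out = [f"{k}: needs {total[k]:g}, quota {q[k]}"
           for k in total if total[k] > parse_quantity(q[k])]
    if replicas > q["pods"]:
        out.append(f"pods: needs {replicas}, quota {q['pods']}")
    return out

# Constructed sample: a Guest user's Deployment with 3 replicas, each container
# asking for 100m CPU (3 x 100m = 300m exceeds the 200m Guest quota).
SAMPLE = {"apiVersion": "apps/v1", "kind": "Deployment",
          "metadata": {"name": "app", "namespace": "s13xxxxx"},
          "spec": {"replicas": 3, "template": {"spec": {"containers": [
              {"name": "web", "image": "example/app:1",
               "resources": {"limits": {"cpu": "100m", "memory": "128Mi"}}}]}}}}
```

Running quota_violations(SAMPLE, "Guest") reports the CPU overrun, while the same Deployment fits the SCCP quota; a container with no resources: block is counted at the LimitRange defaults.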
Services not intended for use, etc.
The cluster is intended for running applications that you develop yourself; it is not intended for running relatively large applications such as WordPress.
Privacy and Data Protection
Information on the K8s cluster is intended to be widely available for educational purposes.
Policy
- Deny access to control-related information (such as pod logs, secrets, and configmaps) within another namespace.
- Deny network communication between users across namespaces (e.g., deny access to database servers in another namespace).
Implementation
- Deny create, update, and delete operations in another namespace
- Deny access to pods/logs, secret, and configmap in another namespace
- Deny the network communication to another namespace
For SCCP members, the scope of information that can be referenced (such as clusterrole, ingress, etc.) is expanded, but the same limitations apply.
Considerations
- Other users can read resource definitions such as Deployment, StatefulSet, etc. Be sure to store passwords in a Secret object.
- Please refer to the Tutorial/Deployment DVWA for more information on how to use the Secret object.
Service Interruption
We may temporarily stop or delete applications without notice in the following cases:
- Server load is extremely high
- Application is offensive to public order and morals
- Any other serious impact on the system or the user