KubeCamp

KubeCamp is a Kubernetes cluster available to all AINS users.

Because SCCP students have priority access to resources, the resources (memory, CPU, storage, etc.) available to other guest users on this Kubernetes cluster are limited.

Please check Limitations for more information.

Getting Started

The system is utilized through the kubectl command.

Before executing the kubectl command

When you press the Create Namespace button from the dashboard, essential resources such as namespace objects will be created in the K8s cluster.

The registration for Harbor is also conducted simultaneously, and it takes approximately 1 to 2 minutes to complete all registration processes.

You can also check the allocation status of available CPU, memory, and other resources from the management page.

You can also reset everything by deleting the existing namespace and then creating a new one.

kubectl command

All operations on the K8s cluster are performed remotely with the kubectl command.

Please download the appropriate kubectl command from the following links or the official site.

On macOS with Docker Desktop installed, the kubectl command might already be installed at /usr/local/bin/kubectl. If you want to download the kubectl command, please use curl or another command-line tool.

In the CentOS environment of the exercise rooms, the kubectl command is placed at ~yasu-abe/bin/kubectl.

Preparation work

A configuration file must be prepared to run the kubectl command.

Please access the following site to obtain the configuration file.

  1. Access the website and click the Login button.
  2. Enter your AINS ID (e.g., s13xxxxx) and password.
  3. Click the green Grant Access button.
  4. Copy the lines from “apiVersion: v1” through “name: oidc” into the ~/.kube/config file.

Setup kubectl config file

Confirm your ~/.kube/config file

Execute the $ kubectl version command, then check that the output contains a line with the correct Server Version:, as follows:

  $ kubectl version
  Client Version: v1.30.4
  Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
  Server Version: v1.30.4

If the ~/.kube/config file has any issues, the kubectl command cannot connect to the server, or even if you can connect, you may get an error message without the server version information.
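A quick local check of the file before running kubectl, as an added example that is not part of the KubeCamp documentation: it confirms that the copied block is complete (both the “apiVersion: v1” and “name: oidc” lines are present) and that the file, which holds the login data kubectl uses for your account, is not readable by other users. The function name check_kubeconfig is an assumption.

```shell
# Added example: sanity-check a kubeconfig before use.
# check_kubeconfig is a hypothetical helper name, not a kubectl feature.
check_kubeconfig() (
  f="${1:-$HOME/.kube/config}"
  [ -f "$f" ] || { echo "missing: $f"; exit 1; }

  # Octal mode: GNU stat (CentOS) first, BSD stat (macOS) as fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *00) ;;   # no group/other permission bits set (e.g. 600)
    *) echo "too permissive (mode $mode): run chmod 600 $f"; exit 1 ;;
  esac

  # The copied block starts with "apiVersion: v1" and ends with "name: oidc";
  # a missing marker usually means the paste was truncated.
  grep -q '^apiVersion: v1' "$f" || { echo "no 'apiVersion: v1' line"; exit 1; }
  grep -q 'name: oidc' "$f"      || { echo "no 'name: oidc' line"; exit 1; }
  echo "ok: $f"
)
```

Run check_kubeconfig with no argument to test ~/.kube/config, or pass the path you give to --kubeconfig.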

How to use the kubectl command

Once you have created a configuration file in ~/.kube/config, you can execute commands as follows:

  $ kubectl get node
  $ kubectl top node
  $ kubectl top pods --all-namespaces
  $ kubectl -n <your namespace> get limits

Replace <your namespace> with your AINS ID. (e.g., kubectl -n s13xxxxx get limits)

Use the --kubeconfig option if you want to manage multiple config files or place them in a location other than ~/.kube/config.

The following examples are equivalent.

  $ kubectl                             -n <your namespace> get limits
  $ kubectl --kubeconfig ~/.kube/config -n <your namespace> get limits

When creating objects such as Service, Deployment (Pod), etc., be sure to specify the -n option.

See the command line in Getting Started for specific examples.

System configuration

  Component                Version    Additional Information
  Kubernetes               v1.30.4    https://k8s.io/
  Storage Service (Rook)   v1.14.10   https://rook.io/, also see the PV & PVC section.

System Access

Although the connection is allowed only from the campus, it is also possible to use it from home via an Internet connection by using the VPN provided by ISTC.

KubeCamp System Overview

Users can access the K8s cluster only with the kubectl command (port:6443) and a web browser (port:80, 443).

Access from web browsers via the HTTP protocol is redirected to HTTPS.

  $ curl -I http://kubecamp.u-aizu.ac.jp/signup/
  HTTP/1.1 301 Moved Permanently
  ...
  Location: https://kubecamp.u-aizu.ac.jp/signup/

It is not possible to access each node directly, for example by remote login via SSH.

Ingress Settings

Each user can accept access from a web browser by creating a Service object named “<your namespace>-svc” in their namespace that accepts port 80. This Service object accepts connections only from the Ingress.

  NAME           TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
  s13xxxxx-svc   ClusterIP   10.233.8.213   <none>        80/TCP    16h

The web server that accepts access on kubecamp.u-aizu.ac.jp calls the user’s application without changing the context-root. For example, access to https://kubecamp.u-aizu.ac.jp/s13xxxxx/ is automatically proxied to http://s13xxxxx-svc.s13xxxxx.svc.cluster.local/s13xxxxx/.

A web application might be configured to work with the “/” (root) context-root. In that case, a reverse proxy server can be built to change the context-root to the root URL, “/”, of the application.

Transforming the context-root with a reverse proxy server is not a complete solution. It works correctly when the application refers to files using relative paths. However, when the application references files using absolute paths, it will not operate correctly unless the content is dynamically rewritten.

Please see the WebSocket Socket.IO and Reverse Proxy Example tutorial for a sample service and reverse proxy configurations. The context-root transformation is also discussed in this tutorial.
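The Service naming rule from this section, as an added example that is not taken from the KubeCamp tutorials: a shell function that renders a Deployment and the matching “<your namespace>-svc” Service with explicit resource values. The app name “<ns>-app”, the container port 8080 and the image argument are assumptions, and the container must answer under /<your namespace>/ because the context-root is not changed.

```shell
# Added example: render the Deployment + Service pair for one namespace.
# The app name "<ns>-app", container port 8080 and the image are assumptions.
render_manifest() (
  LC_ALL=C; ns="$1"; image="$2"
  # The namespace is the AINS ID. Accept only DNS-label characters so a
  # crafted value (spaces, newlines, ':' ...) cannot inject extra YAML.
  case "$ns" in
    ''|-*|*-|*[!a-z0-9-]*) echo "invalid namespace" >&2; exit 1 ;;
  esac
  case "$image" in
    ''|*[!A-Za-z0-9._:/@-]*) echo "invalid image" >&2; exit 1 ;;
  esac
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${ns}-app
  namespace: ${ns}
spec:
  replicas: 1
  selector:
    matchLabels: {app: ${ns}-app}
  template:
    metadata:
      labels: {app: ${ns}-app}
    spec:
      containers:
      - name: web
        image: ${image}
        ports: [{containerPort: 8080}]
        resources:            # explicit values; must fit the namespace quota
          requests: {cpu: 10m, memory: 100Mi}
          limits:   {cpu: 10m, memory: 100Mi}
---
apiVersion: v1
kind: Service
metadata:
  name: ${ns}-svc             # name required by KubeCamp
  namespace: ${ns}
spec:
  type: ClusterIP             # LoadBalancer services are not allowed
  selector: {app: ${ns}-app}
  ports: [{port: 80, targetPort: 8080}]
EOF
)
# Usage: render_manifest s13xxxxx <image> | kubectl -n s13xxxxx apply -f -
```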

Time Duration of Generating Ingress Object

An Ingress object takes one to five minutes to be generated on the KubeCamp system after you prepare the “<your namespace>-svc” Service object.

All SCCP members have read privileges to see the status of all Ingress objects on the system, as follows:

  $ kubectl -n ingress-nginx get ingress

Persistent Volumes (PV & PVC)

Users can use the Rook/Ceph persistent volume functionality.

StorageClass (sc)

  NAME                        PROVISIONER                     RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
  rook-ceph-block (default)   rook-ceph.rbd.csi.ceph.com      Delete          Immediate           true                   34d
  rook-cephfs                 rook-ceph.cephfs.csi.ceph.com   Delete          Immediate           true                   34d

You can obtain the same output by executing the command $ kubectl get sc.

Please refer to the example in Deployment Nginx using PVC for available StorageClass names and specific usage.

Backups

No backups are taken of any files on the k8s cluster.

For files that need to be backed up, the kubectl cp command can be used to download the files inside the pod to the PC on which the kubectl command is running.

Limitations

All users are categorized into two types: SCCP members and Guests. Each type has specific settings applied to it.

  Type    Max CPU Quota   Max Memory Quota   Max Storage Quota   Max Number of PVCs
  SCCP    2000m           3000MiB            10GiB               20
  Guest   200m            750MiB             1GiB                5

You can check your own ResourceQuota settings as follows:

  $ kubectl --kubeconfig ~/.kube/config -n <your namespace> get quota

The output is as follows:

  NAME             AGE     REQUEST                                                                                                        LIMIT
  resource-quota   3d19h   persistentvolumeclaims: 1/5, requests.cpu: 30m/200m, requests.memory: 300Mi/500Mi, requests.storage: 1Gi/1Gi   limits.cpu: 30m/200m, limits.memory: 300Mi/500Mi
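To see how close a namespace is to its quota, the “used/hard” pairs in that output can be turned into percentages. This is an added example, not a KubeCamp tool: the function name quota_usage and the 80% warning threshold are assumptions, and the sample is the output line shown above with the header spacing shortened.

```shell
# Sample copied from the "get quota" output above (header spacing shortened).
SAMPLE_QUOTA='NAME             AGE     REQUEST   LIMIT
resource-quota   3d19h   persistentvolumeclaims: 1/5, requests.cpu: 30m/200m, requests.memory: 300Mi/500Mi, requests.storage: 1Gi/1Gi   limits.cpu: 30m/200m, limits.memory: 300Mi/500Mi'

# quota_usage [warn_percent]: reads "kubectl get quota" output on stdin and
# prints one line per resource: name, used/hard, percent, ok|WARN.
quota_usage() {
  awk -v warn="${1:-80}" '
    # Scale a quantity to an integer: millicores ("m") stay as they are,
    # plain numbers are multiplied by 1000, Ki/Mi/Gi are expanded to bytes.
    function scaled(v,   n) {
      n = v + 0                       # numeric prefix of the quantity
      if (v ~ /Ki$/) n *= 1024
      else if (v ~ /Mi$/) n *= 1024 * 1024
      else if (v ~ /Gi$/) n *= 1024 * 1024 * 1024
      if (v ~ /m$/) return n
      return n * 1000
    }
    {
      line = $0
      # Walk every "key: used/hard" pair on the line.
      while (match(line, /[a-z.]+: [0-9]+[A-Za-z]*\/[0-9]+[A-Za-z]*/)) {
        pair = substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
        split(pair, kv, ": ")
        split(kv[2], uh, "/")
        hard = scaled(uh[2])
        pct = (hard > 0) ? int(scaled(uh[1]) * 100 / hard) : 0
        printf "%s %s %d%% %s\n", kv[1], kv[2], pct, (pct >= warn ? "WARN" : "ok")
      }
    }'
}

# Offline:  printf '%s\n' "$SAMPLE_QUOTA" | quota_usage 80
# Live:     kubectl -n <your namespace> get quota | quota_usage 80
```

On the sample, only requests.storage (1Gi/1Gi) is reported as WARN, which means no further PVC can be created in that namespace until storage is released.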

LimitRange

Users can change the allocation of resources such as CPU and Memory within the limits.

ResourceLimits are default values set to avoid the hassle of specifying resource allocation in each YAML file.

If resources: is not set in a Pod definition, such as in a Deployment, the following values are used.

  Type    Default CPU Limit   Request CPU Limit   Default Memory Limit   Request Memory Limit   Number of LoadBalancers
  SCCP    50m                 50m                 100MiB                 100MiB                 0
  Guest   10m                 10m                 100MiB                 100MiB                 0

We have set it up so that 10 pods can be created for type:SCCP and 5 for type:Guest.

You are not allowed to create a LoadBalancer in any Service object. For access to the deployed application, please refer to the Ingress Settings section.

Services not intended for use, etc.

The cluster is intended for running applications that you develop yourself; it is not intended for running relatively large applications such as WordPress.

Privacy and Data Protection

Information on the K8s cluster is intended to be widely available for educational purposes.

Policy

Implementation

For our SCCP members, the scope of information that can be referenced, such as clusterrole, ingress, etc., is expanded, but the same limitations will apply.

Considerations

Service Interruption

We may temporarily stop or delete applications without notice in the following cases: