A Passionate Techie

keep learning, keep growing

Tag: service-account

Ansible dynamic inventory GCP

We will need python:

yum install python36

yum install ansible

Make sure the Ansible version is >= 2.4.0.

Download gce.ini and gce.py from: https://github.com/ansible/ansible.git

Create a service account in GCE:
IAM -> Service Accounts -> add

Give it a name, give a role Project -> Owner. It will auto create “Service Account ID”.
Click on “Furnish a new private key”
Download pkcs12 file.

Edit gce.ini add the value to the following parameter

gce_service_account_email_address = <service account email id>
Here enter the email id which you can see on the service accounts dashboard in the column “Service Account ID” in front of “Compute Engine default service account”

Make sure you create a key for this user and download the pkcs12 key.

Execute the following to convert p12 to pem:

openssl pkcs12 -in test.p12 -passin pass:notasecret -nodes -nocerts | openssl rsa -out my_project.pem

In the gce.ini add:
gce_service_account_pem_file_path = my_project.pem

Here paste the project ID in the project dashboard.
gce_project_id = <project ID>

You may get the following error:
libcloud.common.google.GoogleBaseError: {'domain': 'global', 'reason': 'forbidden', 'message': "Required 'compute.zones.list' permission for 'projects/xxxxxxx'"}

Make sure of the following:

  • Billing is enabled on the project
  • The product name for the project is filled in
  • The Compute API is enabled

You need to grant “Compute Engine/Compute Instance Admin” and “Project/Service Account Actor” to your service account.
You can add user specific roles in IAM and project specific API permissions in “APIs and Services”

pip install apache-libcloud==1.5.0
pip install PyCrypto

If it gives the following error:
Error: gcc -pthread -fno-strict-aliasing -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -std=c99 -O3 -fomit-frame-pointer -Isrc/ -I/usr/include/python2.7 -c src/MD2.c -o build/temp.linux-x86_64-2.7/src/MD2.o
src/MD2.c:31:20: fatal error: Python.h: No such file or directory
#include "Python.h"
^
compilation terminated.
error: command 'gcc' failed with exit status 1

Then execute the following:

yum install python36-devel

Then execute:

ansible all -i gce.py -m setup
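
The openssl command above writes the service-account private key to my_project.pem unencrypted (-nodes), so the file's permissions are its only protection. The check below is an added example, not part of the original post or of gce.py; the function names are hypothetical, and resolving a relative key path against the directory that holds gce.ini is an assumption of this script.

```shell
#!/bin/sh
# Added example: audit the private key file that gce.ini points at.
# Assumes "key = value" lines as shown in the post and GNU stat (Linux).

# Print the value of one key from an ini file (first match, trimmed).
ini_value() {
    # $1 = ini file, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 only if the key file exists, looks like a PEM private key,
# and is accessible by its owner alone. Prints the reason either way.
check_gce_key() {
    ini=$1
    pem=$(ini_value "$ini" gce_service_account_pem_file_path)
    [ -n "$pem" ] || { echo "no gce_service_account_pem_file_path in $ini"; return 1; }
    # Assumption: a relative path is taken relative to gce.ini's directory.
    case $pem in
        /*) ;;
        *) pem=$(dirname "$ini")/$pem ;;
    esac
    [ -f "$pem" ] || { echo "key file $pem not found"; return 1; }
    grep -q -e '-----BEGIN \(RSA \)\{0,1\}PRIVATE KEY-----' "$pem" ||
        { echo "$pem is not a PEM private key"; return 1; }
    mode=$(stat -c %a "$pem")
    case $mode in
        600|400) echo "ok: $pem has mode $mode"; return 0 ;;
        *) echo "$pem has mode $mode; restrict it with chmod 600"; return 1 ;;
    esac
}

# Usage: sh check_gce_key.sh /path/to/gce.ini
if [ "$#" -gt 0 ]; then
    check_gce_key "$1"
fi
```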

Posted on February 18, 2018. Categories: python. Tags: ansible, apache, api, cloud, dynamic, gce, gcp, google, IAM, inventory, libcloud, PyCrypto, python, python27, python36, service-account.

Kubernetes Issues

  1. The pods in Kubernetes are in Pending state when we execute kubectl get pods
    Execute the following command to see the root cause:
    kubectl get events
    You will see output as follows:
    LAST SEEN FIRST SEEN COUNT NAME KIND SUBOBJECT TYPE REASON SOURCE MESSAGE
    1m 14h 3060 hello-nginx-5d47cdc4b7-8btwf.14ecd67c4676131c Pod Warning FailedScheduling default-scheduler No nodes are available that match all of the predicates: PodToleratesNodeTaints (1).
    This error usually comes when we try to create a pod on the master node.
    Execute the following command:

    kubectl taint nodes <node-name> node-role.kubernetes.io/master:NoSchedule-
  2. helm install stable/mysql: Error: no available release name found
    Execute the helm ls command to get the root cause:
    The error I received is
    Error: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"
    The default serviceaccount does not have API permissions. Helm likely needs to be assigned a service account, and that service account given API permissions.
    The commands used to solve are:

    kubectl create serviceaccount --namespace kube-system tiller
    kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
    kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'      
    helm init --service-account tiller --upgrade

    After that, if you get the following error:
    Error: forwarding ports: error upgrading connection: unable to upgrade connection: pod not found ("tiller-deploy-cffb976df-m5z6f_kube-system")
    Then execute:
    helm init --upgrade

  3. Kubernetes pods keep crashing with "CrashLoopBackOff" but I can't find any log
    I had the need to keep a pod running for subsequent kubectl exec calls and, as the comments above pointed out, my pod was getting killed by my k8s cluster because it had completed running all its tasks. I managed to keep my pod running by simply kicking the pod with a command that would not stop automatically, as in:
    kubectl run YOUR_POD_NAME -n YOUR_NAMESPACE --image SOME_PUBLIC_IMAGE:latest --command -- tail -f /dev/null


  4. Create busybox kubernetes pod

    kubectl run -i --tty busybox --image=busybox --restart=Never -- sh

  5. Kubernetes pods cannot connect to the internet (kubeadm):
    If your pods cannot connect to the internet, you can check the following:
    Spin up a busybox pod.
    Execute:
    ping 8.8.8.8
    ping google.com
    route -n
    route -n gives you the IP of the gateway. Check if you can ping the gateway.
    On the Kubernetes master node, check the IP of the kube-dns pod with the command:
    kubectl get pods -n kube-system -o wide | grep kube-dns
    This returns an IP in the output. In your pod's container, check if this IP is present as a nameserver.
    In the container, run ifconfig and note the IP address range assigned to the container.
    On the Kubernetes master node, execute ifconfig and check which bridge's IP range the previously noted IP address belongs to.
    If it belongs to some other interface than expected, you can check it by executing:
    brctl show
    Check if the bridge has an interface attached to it.
    If not, this is the reason the pods do not have an internet connection.
    You can attach the interface with this command:
    brctl addif mybridge eth0
    This issue can be in the weave network; try to do a kubeadm reset and add a flannel network.
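
The fix in item 2 binds the tiller service account to the cluster-admin ClusterRole, which gives it full control of the cluster. The script below is an added example, not part of the original post: it lists every service account that holds a cluster-admin binding so such grants can be reviewed. The function names, the jsonpath template and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find service accounts bound to the cluster-admin ClusterRole.

# jsonpath template that prints one line per ClusterRoleBinding:
#   <binding> TAB <clusterrole> TAB <kind>:<namespace>:<name>,...
CRB_TEMPLATE='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}:{.namespace}:{.name},{end}{"\n"}{end}'

# Constructed sample in that format (not output captured from a real cluster).
sample_bindings() {
    printf 'cluster-admin\tcluster-admin\tGroup::system:masters,\n'
    printf 'tiller-cluster-rule\tcluster-admin\tServiceAccount:kube-system:tiller,\n'
    printf 'system:kube-dns\tsystem:kube-dns\tServiceAccount:kube-system:kube-dns,\n'
}

# Read lines in the format above on stdin and print "binding namespace/name"
# for every ServiceAccount subject whose binding references cluster-admin.
cluster_admin_service_accounts() {
    awk -F '\t' '
        $2 == "cluster-admin" {
            n = split($3, subjects, ",")
            for (i = 1; i <= n; i++) {
                # Group and User subjects do not split into exactly
                # kind:namespace:name with kind ServiceAccount; skip them.
                if (split(subjects[i], f, ":") == 3 && f[1] == "ServiceAccount")
                    print $1, f[2] "/" f[3]
            }
        }'
}

# Offline demonstration on the constructed sample:
sample_bindings | cluster_admin_service_accounts

# Against a live cluster (needs kubectl and permission to list bindings):
#   kubectl get clusterrolebindings -o jsonpath="$CRB_TEMPLATE" | cluster_admin_service_accounts
```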

Posted on October 13, 2017; updated October 23, 2017. Categories: Uncategorized. Tags: brctl, bridge, busybox, CrashLoopBackOff, deployment, error, flannel, helm, ifconfig, internet, kubeadm, kubectl, kubernetes, master, namespace, network, No nod es are available that match all of the predicates, noschedule, pending, pod, PodToleratesNodeTaints, service, service-account, taint, tiller, weave.