# Workloads

Run some workload on the K8s...

# podinfo

Install podinfo helm chart (opens new window) and modify the default values (opens new window).

helm repo add --force-update sp https://stefanprodan.github.io/podinfo
helm upgrade --install --version 6.0.0 --namespace podinfo-keycloak --create-namespace --values - podinfo sp/podinfo << EOF
serviceMonitor:
  enabled: true
ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy-keycloak.${CLUSTER_FQDN}/oauth2/auth
    nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy-keycloak.${CLUSTER_FQDN}/oauth2/start?rd=\$scheme://\$host\$request_uri
  hosts:
    - host: podinfo-keycloak.${CLUSTER_FQDN}
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: ingress-cert-${LETSENCRYPT_ENVIRONMENT}
      hosts:
        - podinfo-keycloak.${CLUSTER_FQDN}
EOF

Install podinfo secured by oauth2:

helm upgrade --install --version 6.0.0 --namespace podinfo-dex --create-namespace --values - podinfo sp/podinfo << EOF
# https://github.com/stefanprodan/podinfo/blob/master/charts/podinfo/values.yaml
serviceMonitor:
  enabled: true
ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/auth
    nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/start?rd=\$scheme://\$host\$request_uri
  hosts:
    - host: podinfo-dex.${CLUSTER_FQDN}
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: ingress-cert-${LETSENCRYPT_ENVIRONMENT}
      hosts:
        - podinfo-dex.${CLUSTER_FQDN}
EOF

Install podinfo and use Application Load Balancer:

helm upgrade --install --version 6.0.0 --namespace default --values - podinfo-alb sp/podinfo << EOF
ui:
  message: "Running using Application Load Balancer"
service:
  type: NodePort
serviceMonitor:
  enabled: true
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
  hosts:
    - host: podinfo-alb.${CLUSTER_FQDN}
      paths:
        - path: /
          pathType: ImplementationSpecific
EOF

# Polaris

Install polaris helm chart (opens new window) and modify the default values (opens new window).

helm repo add --force-update fairwinds-stable https://charts.fairwinds.com/stable
helm upgrade --install --version 4.0.4 --namespace polaris --create-namespace --values - polaris fairwinds-stable/polaris << EOF
dashboard:
  ingress:
    enabled: true
    annotations:
      nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/auth
      nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/start?rd=\$scheme://\$host\$request_uri
    hosts:
      - polaris.${CLUSTER_FQDN}
    tls:
      - secretName: ingress-cert-${LETSENCRYPT_ENVIRONMENT}
        hosts:
          - polaris.${CLUSTER_FQDN}
EOF

# kubei

Kubei installation is done through the K8s manifest (not helm chart).

kubectl apply -f https://raw.githubusercontent.com/Portshift/kubei/master/deploy/kubei.yaml

kubectl apply -f - << EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: kubei
  name: kubei
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/auth
    nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/start?rd=\$scheme://\$host\$request_uri
    nginx.ingress.kubernetes.io/app-root: /view
spec:
  rules:
    - host: kubei.${CLUSTER_FQDN}
      http:
        paths:
        - path: /
          pathType: ImplementationSpecific
          backend:
            service:
              name: kubei
              port:
                number: 8080
  tls:
    - hosts:
        - kubei.${CLUSTER_FQDN}
      secretName: ingress-cert-${LETSENCRYPT_ENVIRONMENT}
EOF

# kube-bench

Install kube-bench (opens new window) according the https://github.com/aquasecurity/kube-bench/blob/main/docs/asff.md (opens new window):

curl -s https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-eks.yaml | \
  sed "s@image: .*@image: aquasec/kube-bench:latest@" | \
  kubectl apply -f -

# kubernetes-dashboard

Install kubernetes-dashboard helm chart (opens new window) and modify the default values (opens new window).

helm repo add --force-update kubernetes-dashboard https://kubernetes.github.io/dashboard/
helm upgrade --install --version 4.5.0 --namespace kubernetes-dashboard --create-namespace --values - kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard << EOF
extraArgs:
  - --enable-skip-login
  - --enable-insecure-login
  - --disable-settings-authorizer
protocolHttp: true
ingress:
 enabled: true
 annotations:
   nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/auth
   nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/start?rd=\$scheme://\$host\$request_uri
 hosts:
   - kubernetes-dashboard.${CLUSTER_FQDN}
 tls:
   - secretName: ingress-cert-${LETSENCRYPT_ENVIRONMENT}
     hosts:
       - kubernetes-dashboard.${CLUSTER_FQDN}
settings:
  clusterName: ${CLUSTER_FQDN}
  itemsPerPage: 50
metricsScraper:
  enabled: true
serviceAccount:
  name: kubernetes-dashboard-admin
EOF

Create clusterrolebinding to allow the kubernetes-dashboard to access the K8s API:

kubectl get clusterrolebinding kubernetes-dashboard-admin &> /dev/null || kubectl create clusterrolebinding kubernetes-dashboard-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:kubernetes-dashboard-admin

# kubeview

Install kubeview helm chart (opens new window) and modify the default values (opens new window).

helm repo add --force-update kubeview https://benc-uk.github.io/kubeview/charts
helm upgrade --install --version 0.1.20 --namespace kubeview --create-namespace --values - kubeview kubeview/kubeview << EOF
ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/auth
    nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/start?rd=\$scheme://\$host\$request_uri
  hosts:
    - host: kubeview.${CLUSTER_FQDN}
      paths: [ "/" ]
  tls:
    - secretName: ingress-cert-${LETSENCRYPT_ENVIRONMENT}
      hosts:
        - kubeview.${CLUSTER_FQDN}
EOF

# kube-ops-view

Install kube-ops-view helm chart (opens new window) and modify the default values (opens new window).

helm repo add --force-update stable https://charts.helm.sh/stable
helm upgrade --install --version 1.2.4 --namespace kube-ops-view --create-namespace --values - kube-ops-view stable/kube-ops-view << EOF
ingress:
  enabled: true
  hostname: kube-ops-view.${CLUSTER_FQDN}
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/auth
    nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.${CLUSTER_FQDN}/oauth2/start?rd=\$scheme://\$host\$request_uri
  tls:
    - secretName: ingress-cert-${LETSENCRYPT_ENVIRONMENT}
      hosts:
        - kube-ops-view.${CLUSTER_FQDN}
rbac:
  create: true
EOF

# S3 upload test

The namespace s3-test and the s3-test service account was created by eksctl.

Test S3 access, upload and delete operations:

kubectl apply -f - << EOF
apiVersion: v1
kind: Pod
metadata:
  name: s3-test
  namespace: s3-test
spec:
  serviceAccountName: s3-test
  containers:
  - name: aws-cli
    image: amazon/aws-cli:2.4.29
    securityContext:
      runAsUser: 1000
      runAsGroup: 3000
    command:
      - /bin/bash
      - -c
      - |
        set -x
        export HOME=/tmp
        aws s3 ls --region "${AWS_DEFAULT_REGION}" "s3://${CLUSTER_FQDN}/"
        aws s3 cp --region "${AWS_DEFAULT_REGION}" /etc/hostname "s3://${CLUSTER_FQDN}/"
        aws s3 ls --region "${AWS_DEFAULT_REGION}" "s3://${CLUSTER_FQDN}/"
        aws s3 rm "s3://${CLUSTER_FQDN}/hostname"
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
  restartPolicy: Never
EOF

kubectl wait --namespace s3-test --for=condition=Ready pod s3-test && sleep 5
kubectl logs -n s3-test s3-test
kubectl delete pod -n s3-test s3-test

Output:

pod/s3-test created
pod/s3-test condition met
+ export HOME=/tmp
+ HOME=/tmp
+ aws s3 ls --region eu-west-1 s3://kube1.k8s.mylabs.dev/
+ aws s3 cp --region eu-west-1 /etc/hostname s3://kube1.k8s.mylabs.dev/
upload: ../etc/hostname to s3://kube1.k8s.mylabs.dev/hostname
+ aws s3 ls --region eu-west-1 s3://kube1.k8s.mylabs.dev/
2021-11-29 18:01:17          8 hostname
+ aws s3 rm s3://kube1.k8s.mylabs.dev/hostname
delete: s3://kube1.k8s.mylabs.dev/hostname
pod "s3-test" deleted