lab 6.6 Num 2 -load balancer external ip shown as pending

ashdev

And when i said it should describe the service, the service had no endpoints. I created the service like this:
kubectl create service loadbalancer reviewsix --tcp=80

Was that the wrong thing to do? I was just following what was done in the previous labs

chrispokorni

HI @ashdev,

There are other methods to expose a Deployment with a Service object, which may be better suited for this scenario. You can find those in prior labs as well.

Regards,
-Chris

ashdev

@chrispokorni said:
HI @ashdev,

There are other methods to expose a Deployment with a Service object, which may be better suited for this scenario. You can find those in prior labs as well.

Regards,
-Chris

But that's what the lab asked for. Aren't the labs mimicking the CKAD exam? What if in the exam I am asked to make and use a load balancer?

serewicz

Hello,

Also as there is no external load balancer waiting to receive the API call the external will always show as pending.

Regards,

serewicz

Hello again,

Review the previous labs. You will find the steps to create then expose the newly created deployment. Then test that it works. If you create the service in some other manner, and it works, then you have accomplished the objective of this item.

Regards,

ashdev

@serewicz said:
Hello again,

Review the previous labs. You will find the steps to create then expose the newly created deployment. Then test that it works. If you create the service in some other manner, and it works, then you have accomplished the objective of this item.

Regards,

But what was used in the previous labs was a nodeport. This lab is asking for a load balancer. Are you saying I should ignore that?

@serewicz said:
Hello,

Also as there is no external load balancer waiting to receive the API call the external will always show as pending.

Regards,

If there was no external load balancer then why were we asked to use it? What is the objective of this exercise?

serewicz

Hello,

If you reference Chapter 2 you will find it mentions services and why they are used. As well as the three types of services ClusterIP, NodePort and LoadBalancer are mentioned. You can configure all three and test that they work, without needing an external load balancer (LB).

Should you need to troubleshoot an external LB you would need to know if your loadBalancer service is working or if the problem is with the LB. If you didn't know how to configure the loadBalancer service then how would you know what to do and what it looks like when it is not getting a response from the external LB you are trying to use?

Regards

ashdev

@serewicz

Thank you. I just created the loadbalancer like in the expose command in previous labs.

I might not be understanding Num 8 and 9 properly. Let me say what i think they are asking me to do.

The pod created has a problem. The id of the nginx user does not match the id(specified in the security context) that can read the configuration files. We are asked to log into the container, find the id of the nginx user then go back into the security-review yaml file and replace what is specified in the security context(2100 and 3000) with the id of the nginx user. This is what i understand is being said by 8 and 9.

I tried to shell into the container to find the proper id but i can't because the pod is in an error state. What do i do?

serewicz

Hello,

The idea is to fix the problem. First you must find the problem. What other commands have been covered that allow you to look at the state and the output of a non-working pod? Perhaps revisit some of the earlier material. The point of the review is to ensure you can use the information provided as necessary. Have you read chapter three Build, Testing page?

Regards,

ashdev

@serewicz I used logs and following the examples in the labs for Section 6 I removed the security contexts in the pod and it was working. But I am not sure that is the solution because Num 9 Specifically says: "Edit the pod such that the securityContext is in place and allows the web server to read the proper configuration files"
If what it is saying is what i'm thinking, then the pod should work with security context in place and not without. Am I on the right track with that line of thinking?

serewicz

Hello,

As you look at the pod logs you should note what the application requires. For example, let's say as a developer you make an update applicationA, which now needs a UID of 4153 to run. All the files are owned by that UID, SELinux settings and so forth. So changing your application is not the easy choice. The existing pod securityContext in is set to 4100. You could A.) remove the securityContext, which could lead to a security issue, you could B.) rewrite your entire application to use the existing securityContext, OR you could C.) __________?

Regards,

ashdev

change the security context to 4153 but the logs did not tell me the UID the application needs to run. @serewicz

serewicz

Hello,

Indeed. You would have to do something to find that information. How could you find proper UID to use?

Regards,

ashdev

@serewicz said:
Hello,

Indeed. You would have to do something to find that information. How could you find proper UID to use?

Regards,

I am trying to use the steps here: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
I commented out the securitycontext so that the container would run as normal and then i would shell into it, run the ps command and find a uid to use. But when i tried shelling into my container, the first thing i noticed was on the command line its a hashtag not a dollar sign and the ps command does not work.

serewicz

Hello,

Could there be another way to figure out the nginx UID?

Regards,

ashdev

@serewicz said:
Hello,

Could there be another way to figure out the nginx UID?

Regards,

Not that I know about. Is it in previous labs?

serewicz

Hello,

Basic commands of Linux are a prereq. For example the id command. id nginx will show you a particular output.

Regards

ashdev

@serewicz
so i found the uid to be 101 for the container. I tried changing the securitycontext to that of the uid, the container was still failing. I tried adding capabailities like NET_ADMIN from lab 6.1 with the uid of the container and with the security context already there but in both instances, the container was still failing. I do not know how to go forward with making the container run with the security context in place.

nkerr

@serewicz
I notice the wording in my requirements are a little different for 6.6 than mentioned above and confusing.
step 8 tells me to find the user (nginx).
step 9 says "Edit the yaml and re-create the pod such that the pod runs without error."
This is nondescript and basically insinuates that I can remove any security policy from the container to achieve step 9 right?
Obviously this requires basic Linux knowledge, but the error was "/var/cache/nginx/client_temp" failed (13: Permission denied)"
Aside from adding a capability that I may be missing, I'm guessing at this point the answer is to make the user root, because upon further inspection /var/cache/nginx is owned by root.
So far I'm not sure if I've missed the answer, or wasted alot of time overlooking the answer being as obvious as it seems (one of the above mentioned solutions).

liorzivi

@serewicz I also encountered the same problem, changed security context to be of nginx user and added all permissions that nginx user has:
add: ["CHOWN","DAC_OVERRIDE","FOWNER","FSETID","KILL","SETGID","SETUID","SETPCAP","NET_BIND_SERVICE"]
but it is still not working.

Is there no published solutions to look at ?