Sebastiaan van Steenis superseb

Get kube-admin kubeconfig and certificates from cluster.rkestate

See how to retrieve cluster.rkestate from controlplane node here: https://gist.github.com/superseb/e9f2628d1033cb20e54f6ee268683a7a

Get kube-admin kubeconfig from `cluster.rkestate`

cat cluster.rkestate | jq -r '.currentState.certificatesBundle."kube-admin".config' > kube-admin-kubeconfig.yml

RKE2 commands

Updated on May 29 to accommodate etcd container not having /bin/sh available anymore.

Install

curl -sL https://get.rke2.io | sh
systemctl daemon-reload
systemctl start rke2-server

Identify RKE / Rancher Launched Kubernetes / Imported clusters

This will describe how to identify clusters that are created by RKE, created by Rancher or managed by Rancher

RKE

Clusters created by RKE CLI have:

Cluster state stored as Configmap called full-cluster-state in namespace kube-system (cluster-state before RKE v0.2.0)
kubectl -n kube-system get configmap full-cluster-state

Rancher 2 HA using Helm and self signed certificate (certificate from files)

This will only cover the part of installing Rancher on a RKE built cluster, see https://rancher.com/docs/rancher/v2.x/en/installation/ha/ how to get there.

Note: make sure kubeconfig is configured correctly

The commands are for Linux, if you are using Mac then you can use md5 instead of md5sum and base64 -D instead of base64 -d.

Generate certificates

WIP Local prometheus to graph etcd

Ability to graph etcd metrics locally to identify issues

Prometheus

scrape_configs:
- job_name: etcd
 static_configs:

EKS in Rancher debug

# Configure CLUSTERID (can be found in UI)
CLUSTERID=c-tc6mc

# Get service account token, endpoint and ca certificate
docker exec $(docker  ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }') kubectl  -n cattle-system get secret "c-${CLUSTERID}" -o json | docker run -i oildex/jq:1.6 jq -r '.data.cluster  | @base64d' | docker run -i oildex/jq:1.6 jq -r '.rootCACert | @base64d' > ca.crt
docker exec $(docker  ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }') kubectl  -n cattle-system get secret "c-${CLUSTERID}" -o json | docker run -i oildex/jq:1.6 jq -r '.data.cluster  | @base64d' | docker run -i oildex/jq:1.6 jq -r '.serviceAccountToken' > token
docker exec $(docker  ps | grep -E "rancher/rancher:|rancher/rancher |rancher/rancher@|rancher_rancher" | awk '{ print $1 }') kubectl  -n cattle-system get secret "c-${CLUSTERID}" -o json | docker run -i oildex/jq:1.6 jq -r '.data.clust

	#!/bin/bash
	if [ "$#" -lt 0 ]; then
	echo "Usage: $0"
	exit 1
	fi

	echo "Generating nip.io based on found external IP"
	FOUNDIP=$(docker run --rm --net=host appropriate/curl https://api.ipify.org)
	APIFQDN="minio-api.${FOUNDIP}.nip.io"
	FQDN="minio.${FOUNDIP}.nip.io"

	TMPDIR=$(mktemp -d $MKTEMP_BASEDIR)
	# k3s
	if $(command -v k3s >/dev/null 2>&1); then
	mkdir -p $TMPDIR/k3s/crictl
	mkdir -p $TMPDIR/k3s/logs
	mkdir -p $TMPDIR/k3s/podlogs
	mkdir -p $TMPDIR/k3s/kubectl
	k3s check-config > $TMPDIR/k3s/check-config 2>&1
	k3s kubectl get nodes -o json > $TMPDIR/k3s/kubectl/nodes 2>&1
	k3s kubectl version > $TMPDIR/k3s/kubectl/version 2>&1

	{
	"K8sVersionServiceOptions": {
	"v1.10": {
	"etcd": null,
	"kubeapi": {
	"allow-privileged": "true",
	"anonymous-auth": "false",
	"bind-address": "0.0.0.0",
	"enable-admission-plugins": "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction",
	"insecure-port": "0",

	#!/usr/bin/env bash
	CONTID=$(docker ps \| grep -E "rancher/rancher:\|rancher/rancher \|rancher/rancher@\|rancher_rancher" \| awk '{ print $1 }')
	docker exec $CONTID kubectl get listenconfigs cli-config -o jsonpath={.caCerts} > /tmp/cacerts
	curl --cacert /tmp/cacerts https://localhost