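I studied the past exam questions on IT Kiddie, and it felt like almost all of the exam came from them. On my first CKA attempt I had only worked through mockexam+lightlab about three times and scored 56, but after going through those past questions I passed. To get the certification quickly, it seems best to refer to those past questions.
4. Review
I don't have real exam tips, but the environment check took longer than I expected. Since you can enter 30 minutes early,
it seems best to enter and get the environment check done. (Of course, the time spent on the environment check does not count toward the exam time.)
*There was a fire detector in the room where I took the exam, and they checked what it was and whether it was a CCTV camera; the environment check is very strict.
If you have your phone with you during the exam, it seems you are asked to do something like scan a QR code, so it is better to leave the phone somewhere else and take the exam with peace of mind.
Also, to save time in the CKA exam, it is good to practice using commands rather than YAML files where possible (e.g. creating a service with the expose command), and for things that can only be created from YAML, such as ingress or gateway, knowing where in the docs the YAML to copy is located lets you solve the questions quickly.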
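- Can pass CIS Kubernetes Benchmark v1.7 / v1.8 with the default configuration alone
- Supports FIPS 140-2 compliance
- Regular CVE scanning with Trivy in the build pipeline
Architecture characteristics
- Control plane components run as static pods managed by the kubelet
- The default container runtime is containerd
- Hardened Kubernetes with unnecessary components removed
Operating modes
- Can run standalone
- Can be operated integrated with the Rancher platform
Components
- K8s
  - API Server, Controller Manager, Scheduler
  - Proxy, Kubelet
- etcd
- runc
- containerd/cri
- CNI: Canal
- CoreDNS
- Ingress NGINX Controller and/or Traefik
- Metrics Server
- Helm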
RKE2 hands-on lab
Deploying the lab environment
PS C:\Users\bom\Desktop\스터디\7week\k8s-rke2> pwd
Path
----
C:\Users\bom\Desktop\스터디\7week\k8s-rke2
PS C:\Users\bom\Desktop\스터디\7week\k8s-rke2> vagrant up
Bringing machine 'k8s-node1' up with 'virtualbox' provider...
Bringing machine 'k8s-node2' up with 'virtualbox' provider...
==> k8s-node1: Preparing master VM for linked clones...
k8s-node1: This is a one time operation. Once the master VM is prepared,
k8s-node1: it will be used as a base for linked clones, making the creation
k8s-node1: of new VMs take milliseconds on a modern system.
==> k8s-node1: Importing base box 'bento/rockylinux-9'...
################### (omitted) ####################
PS C:\Users\bom\Desktop\스터디\7week\k8s-rke2> vagrant status
Current machine states:
k8s-node1 running (virtualbox)
k8s-node2 running (virtualbox)
Installation
Installing the RKE2 server node
PS C:\Users\bom\Desktop\스터디\7week\k8s-rke2> vagrant ssh k8s-node1
This system is built by the Bento project by Chef Software
More information can be found at https://github.com/chef/bento
Use of this system is acceptance of the OS vendor EULA and License Agreements.
[root@k8s-node1 ~]# vi install.sh
[root@k8s-node1 ~]# ll
total 28
-rw-r--r--. 1 root root 25291 Feb 18 14:14 install.sh
[root@k8s-node1 ~]# chmod +x install.sh
[root@k8s-node1 ~]# INSTALL_RKE2_CHANNEL=v1.33 ./install.sh
[root@k8s-node1 ~]# rke2 --version
rke2 version v1.33.8+rke2r1 (eb75e3c1774cee5a584259d6fee77eb8cfa9b430)
go version go1.24.12 X:boringcrypto
[root@k8s-node1 ~]# dnf repolist
repo id repo name
appstream Rocky Linux 9 - AppStream
baseos Rocky Linux 9 - BaseOS
extras Rocky Linux 9 - Extras
rancher-rke2-1.33-stable Rancher RKE2 1.33 (v1.33)
rancher-rke2-common-stable Rancher RKE2 Common (v1.33)
[root@k8s-node1 ~]# cat /etc/yum.repos.d/rancher-rke2.repo
[rancher-rke2-common-stable]
name=Rancher RKE2 Common (v1.33)
baseurl=https://rpm.rancher.io/rke2/stable/common/centos/9/noarch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://rpm.rancher.io/public.key
[rancher-rke2-1.33-stable]
name=Rancher RKE2 1.33 (v1.33)
baseurl=https://rpm.rancher.io/rke2/stable/1.33/centos/9/x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://rpm.rancher.io/public.key
[root@k8s-node1 ~]# cat /etc/rancher/rke2/config.yaml
write-kubeconfig-mode: "0644"
debug: true
cni: canal
bind-address: 192.168.10.11
advertise-address: 192.168.10.11
node-ip: 192.168.10.11
disable-cloud-controller: true
disable:
- servicelb
- rke2-coredns-autoscaler
- rke2-ingress-nginx
- rke2-snapshot-controller
- rke2-snapshot-controller-crd
- rke2-snapshot-validation-webhook
[root@k8s-node2 agent]# systemctl stop rke2-agent
[root@k8s-node2 agent]# ls -l /usr/bin/rke2*
-rwxr-xr-x. 1 root root 124432768 Feb 14 04:11 /usr/bin/rke2
-rwxr-xr-x. 1 root root 3373 Feb 18 02:48 /usr/bin/rke2-killall.sh
-rwxr-xr-x. 1 root root 5606 Feb 18 02:48 /usr/bin/rke2-uninstall.sh
[root@k8s-node2 agent]# cat /usr/bin/rke2-uninstall.sh
#!/bin/sh
set -ex
# helper function for timestamped logging
log() {
echo "[$(date +'%Y-%m-%d %H:%M:%S')] $*"
}
# helper function for logging error and exiting with a message
error() {
log "ERROR: $*" >&2
exit 1
}
[root@k8s-node2 agent]# tree /etc/rancher
/etc/rancher [error opening dir]
0 directories, 0 files
[root@k8s-node2 agent]# tree /var/lib/rancher
/var/lib/rancher [error opening dir]
Re-adding the worker node
[root@k8s-node2 agent]# curl -sfL https://get.rke2.io | INSTALL_RKE2_TYPE="agent" INSTALL_RKE2_CHANNEL=v1.33 sh -
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
[INFO] using stable RPM repositories
[INFO] using 1.33 series from channel stable
Rancher RKE2 Common (v1.33) 2.3 kB/s | 659 B 00:00
Rancher RKE2 1.33 (v1.33) 1.5 kB/s | 659 B 00:00
Dependencies resolved.
==========================================================================================================================================
Package Architecture Version Repository Size
==========================================================================================================================================
Installing:
rke2-agent x86_64 1.33.8~rke2r1-0.el9 rancher-rke2-1.33-stable 8.3 k
Installing dependencies:
rke2-common x86_64 1.33.8~rke2r1-0.el9 rancher-rke2-1.33-stable 27 M
rke2-selinux noarch 0.22-1.el9 rancher-rke2-common-stable 22 k
Transaction Summary
==========================================================================================================================================
Install 3 Packages
[root@k8s-node2 agent]# TOKEN=K106e21a8fb999718d131eb1dce5e2a55218ca993338cdff4de2c72137794588cb2::server:56d69e65a53934b4010ecd46aafe8722
[root@k8s-node2 agent]# echo $TOKEN
K106e21a8fb999718d131eb1dce5e2a55218ca993338cdff4de2c72137794588cb2::server:56d69e65a53934b4010ecd46aafe8722
[root@k8s-node2 agent]# cat << EOF > /etc/rancher/rke2/config.yaml
server: https://192.168.10.11:9345
token: $TOKEN
EOF
[root@k8s-node2 agent]# cat /etc/rancher/rke2/config.yaml
server: https://192.168.10.11:9345
token: K106e21a8fb999718d131eb1dce5e2a55218ca993338cdff4de2c72137794588cb2::server:56d69e65a53934b4010ecd46aafe8722
[root@k8s-node2 agent]# systemctl enable --now rke2-agent.service
Created symlink /etc/systemd/system/multi-user.target.wants/rke2-agent.service → /usr/lib/systemd/system/rke2-agent.service.
[root@k8s-node2 agent]# journalctl -u rke2-agent -f
Deploying the sample app
[root@k8s-node1 ~]# kubectl get deploy,pod,svc,ep -owide
Warning: v1 Endpoints is deprecated in v1.33+; use discovery.k8s.io/v1 EndpointSlice
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
deployment.apps/webpod 0/2 2 0 3s webpod traefik/whoami app=webpod
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/webpod-697b545f57-4nnh7 0/1 ContainerCreating 0 3s <none> k8s-node2 <none> <none>
pod/webpod-697b545f57-tftg7 0/1 Pending 0 3s <none> k8s-node1 <none> <none>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/kubernetes ClusterIP 10.43.0.1 <none> 443/TCP 27m <none>
service/webpod NodePort 10.43.182.94 <none> 80:30000/TCP 3s app=webpod
NAME ENDPOINTS AGE
endpoints/kubernetes 192.168.10.11:6443 27m
endpoints/webpod <none> 3s
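Upgrade
Certificate management and manual renewal
Certificate management summary
- Client/server certificate validity: 365 days from the date of issue
- Automatic renewal conditions:
  - the certificate has expired, or
  - it is within 120 days of expiry
  - → renewed automatically when RKE2 is restarted
- Automatic renewal method: reuses the existing key and only extends the validity period
- To replace with a new key + new certificate: manual replacement with the rotate command is required
- On entering the 120-day window before expiry: the Kubernetes event CertificateExpirationWarning is raised
Checking node certificates and expiry dates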
[k8s-node1]
[root@k8s-node1 ~]# rke2 certificate check --output table
INFO[0000] Server detected, checking agent and server certificates
FILENAME SUBJECT USAGES EXPIRES RESIDUAL TIME STATUS
client-controller.crt system:kube-controller-manager ClientAuth Feb 18, 2027 05:17 UTC 1 year OK
client-controller.crt rke2-client-ca@1771391877 CertSign Feb 16, 2036 05:17 UTC 10 years OK
kube-controller-manager.crt kube-controller-manager ServerAuth Feb 18, 2027 05:17 UTC 1 year OK
kube-controller-manager.crt rke2-server-ca@1771391877 CertSign Feb 16, 2036 05:17 UTC 10 years OK
client-scheduler.crt system:kube-scheduler ClientAuth Feb 18, 2027 05:17 UTC 1 year OK
[k8s-node2]
[root@k8s-node2 agent]# rke2 certificate check --output table
INFO[0000] Server detected, checking agent and server certificates
FILENAME SUBJECT USAGES EXPIRES RESIDUAL TIME STATUS
client-kube-proxy.crt system:kube-proxy ClientAuth Feb 18, 2027 05:46 UTC 1 year OK
client-kube-proxy.crt rke2-client-ca@1771391877 CertSign Feb 16, 2036 05:17 UTC 10 years OK
client-kubelet.crt system:node:k8s-node2 ClientAuth Feb 18, 2027 05:46 UTC 1 year OK
client-kubelet.crt rke2-client-ca@1771391877 CertSign Feb 16, 2036 05:17 UTC 10 years OK
serving-kubelet.crt k8s-node2 ServerAuth Feb 18, 2027 05:46 UTC 1 year OK
serving-kubelet.crt rke2-server-ca@1771391877 CertSign Feb 16, 2036 05:17 UTC 10 years OK
client-rke2-controller.crt system:rke2-controller ClientAuth Feb 18, 2027 05:46 UTC 1 year OK
client-rke2-controller.crt rke2-client-ca@1771391877 CertSign Feb 16, 2036 05:17 UTC 10 years OK
- Manual certificate replacement: use the rke2 certificate rotate command.
```bash
[root@k8s-node1 ~]# systemctl stop rke2-server
[root@k8s-node1 ~]# rke2 certificate rotate
INFO[0000] Server detected, rotating agent and server certificates
INFO[0000] Rotating dynamic listener certificate
INFO[0000] Rotating certificates for rke2-controller
INFO[0000] Rotating certificates for api-server
INFO[0000] Rotating certificates for admin
INFO[0000] Rotating certificates for auth-proxy
INFO[0000] Rotating certificates for cloud-controller
INFO[0000] Rotating certificates for etcd
INFO[0000] Rotating certificates for scheduler
INFO[0000] Rotating certificates for supervisor
INFO[0000] Rotating certificates for kube-proxy
INFO[0000] Rotating certificates for controller-manager
INFO[0000] Rotating certificates for kubelet
INFO[0000] Successfully backed up certificates to /var/lib/rancher/rke2/server/tls-1771393856, please restart rke2 server or agent to rotate certificates
[root@k8s-node1 ~]# systemctl start rke2-server
[root@k8s-node1 ~]# rke2 certificate check --output table
INFO[0000] Server detected, checking agent and server certificates
FILENAME SUBJECT USAGES EXPIRES RESIDUAL TIME STATUS
-------- ------- ------ ------- ------------- ------
client-auth-proxy.crt system:auth-proxy ClientAuth Feb 18, 2027 05:52 UTC 1 year OK
client-auth-proxy.crt rke2-request-header-ca@1771391877 CertSign Feb 16, 2036 05:17 UTC 10 years OK
client-rke2-cloud-controller.crt rke2-cloud-controller-manager ClientAuth Feb 18, 2027 05:52 UTC 1 year OK
client-rke2-cloud-controller.crt rke2-client-ca@1771391877 CertSign Feb 16, 2036 05:17 UTC 10 years OK
[root@k8s-node1 ~]# diff /etc/rancher/rke2/rke2.yaml ~/.kube/config
18,19c18,19
< client-certificate-data: LS0tLS1CRUdJTiBDRVJUS // (omitted)
> client-certificate-data: LS0tLS1CRUdJTiBDRVJUS // (omitted)
```
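The renewal rules summarized above (365-day validity, renewal at restart once a certificate is expired or within 120 days of expiry) applied to the `rke2 certificate check --output table` format shown in this section. This is an added example, not code from the original post or from RKE2; the two rows marked as constructed, the `NOW` timestamp, and treating `CertSign` rows as the issuing CA are assumptions.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=120)  # renewal window stated on this page

# One table row: FILENAME SUBJECT USAGES EXPIRES ...
# The trailing RESIDUAL TIME / STATUS columns are ignored on purpose:
# the state is recomputed from the EXPIRES timestamp.
ROW = re.compile(
    r"^\s*(?P<file>\S+\.crt)\s+(?P<subject>.+?)\s+(?P<usages>\S+)\s+"
    r"(?P<expires>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}) UTC\b"
)

Finding = namedtuple("Finding", "file subject kind expires state renew_from")


def parse_rows(text):
    """Yield (file, subject, usages, expires) for every certificate row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # INFO lines, column header, separator
        expires = datetime.strptime(m["expires"], "%b %d, %Y %H:%M")
        yield (m["file"], m["subject"], m["usages"],
               expires.replace(tzinfo=timezone.utc))


def classify(expires, now):
    """Map an expiry time onto the page's renewal rules."""
    if expires <= now:
        return "EXPIRED"            # renewed at the next RKE2 restart
    if expires - now <= RENEW_WINDOW:
        return "RENEW_ON_RESTART"   # inside the 120-day window
    return "OK"


def audit(text, now):
    """Classify every row; CertSign rows are reported as 'ca' (assumption)."""
    findings = []
    for file, subject, usages, expires in parse_rows(text):
        kind = "ca" if "CertSign" in usages.split(",") else "leaf"
        findings.append(Finding(file, subject, kind, expires,
                                classify(expires, now),
                                expires - RENEW_WINDOW))
    return findings


def needs_attention(findings):
    """Leaf certificates a restart would renew, soonest expiry first."""
    hits = [f for f in findings if f.kind == "leaf" and f.state != "OK"]
    return sorted(hits, key=lambda f: f.expires)


# First two certificate rows are copied from this page's output;
# the last two are constructed to exercise the window and expiry cases.
SAMPLE = """\
INFO[0000] Server detected, checking agent and server certificates
FILENAME SUBJECT USAGES EXPIRES RESIDUAL TIME STATUS
-------- ------- ------ ------- ------------- ------
client-auth-proxy.crt system:auth-proxy ClientAuth Feb 18, 2027 05:52 UTC 1 year OK
client-auth-proxy.crt rke2-request-header-ca@1771391877 CertSign Feb 16, 2036 05:17 UTC 10 years OK
serving-kubelet.crt k8s-node2 ServerAuth May 01, 2026 00:00 UTC (constructed row)
client-kubelet.crt system:node:k8s-node2 ClientAuth Jan 10, 2026 00:00 UTC (constructed row)
"""
NOW = datetime(2026, 2, 18, 6, 0, tzinfo=timezone.utc)  # constructed "today"

if __name__ == "__main__":
    for f in audit(SAMPLE, NOW):
        print(f"{f.state:17} {f.kind:4} {f.file:26} expires {f.expires:%Y-%m-%d} "
              f"window opens {f.renew_from:%Y-%m-%d}")
    for f in needs_attention(audit(SAMPLE, NOW)):
        print("restart would renew:", f.file, f.subject)
```

On a node, pipe the real command output into `audit()` with `datetime.now(timezone.utc)` in place of `NOW`.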
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ kubectl get crd | grep cert
certificaterequests.cert-manager.io 2026-02-18T06:48:49Z
certificates.cert-manager.io 2026-02-18T06:48:49Z
challenges.acme.cert-manager.io 2026-02-18T06:48:49Z
clusterissuers.cert-manager.io 2026-02-18T06:48:49Z
issuers.cert-manager.io 2026-02-18T06:48:49Z
orders.acme.cert-manager.io 2026-02-18T06:48:49Z
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ kubectl get deploy,pod,svc,ep,cm,secret,sa -n cert-manager
Warning: v1 Endpoints is deprecated in v1.33+; use discovery.k8s.io/v1 EndpointSlice
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/cert-manager 1/1 1 1 3m36s
deployment.apps/cert-manager-cainjector 1/1 1 1 3m36s
deployment.apps/cert-manager-webhook 1/1 1 1 3m36s
NAME READY STATUS RESTARTS AGE
pod/cert-manager-598d877b78-d2m7f 1/1 Running 0 3m36s
pod/cert-manager-cainjector-6b5777d564-pxjt2 1/1 Running 0 3m36s
pod/cert-manager-webhook-5d9fc6b4ff-q2tzg 1/1 Running 0 3m36s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/cert-manager ClusterIP 10.96.105.201 <none> 9402/TCP 3m37s
service/cert-manager-cainjector ClusterIP 10.96.22.45 <none> 9402/TCP 3m37s
service/cert-manager-webhook ClusterIP 10.96.245.210 <none> 443/TCP,9402/TCP 3m37s
NAME ENDPOINTS AGE
endpoints/cert-manager 10.244.0.7:9402 3m37s
endpoints/cert-manager-cainjector 10.244.0.6:9402 3m37s
endpoints/cert-manager-webhook 10.244.0.8:10250,10.244.0.8:9402 3m37s
NAME DATA AGE
configmap/kube-root-ca.crt 1 3m38s
NAME TYPE DATA AGE
secret/cert-manager-webhook-ca Opaque 3 3m22s
NAME AGE
serviceaccount/cert-manager 3m38s
serviceaccount/cert-manager-cainjector 3m38s
serviceaccount/cert-manager-webhook 3m38s
serviceaccount/default 3m38s
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ kubectl get issuers.cert-manager.io -A
NAMESPACE NAME READY AGE
capd-system capd-selfsigned-issuer True 3m17s
capi-kubeadm-bootstrap-system capi-kubeadm-bootstrap-selfsigned-issuer True 3m18s
capi-kubeadm-control-plane-system capi-kubeadm-control-plane-selfsigned-issuer True 3m17s
capi-system capi-selfsigned-issuer True 3m19s
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ kubectl get certificaterequests.cert-manager.io -A -owide
NAMESPACE NAME APPROVED DENIED READY ISSUER REQUESTER STATUS AGE
capd-system capd-serving-cert-1 True True capd-selfsigned-issuer system:serviceaccount:cert-manager:cert-manager Certificate fetched from issuer successfully 3m19s
capi-kubeadm-bootstrap-system capi-kubeadm-bootstrap-serving-cert-1 True True capi-kubeadm-bootstrap-selfsigned-issuer system:serviceaccount:cert-manager:cert-manager Certificate fetched from issuer successfully 3m21s
capi-kubeadm-control-plane-system capi-kubeadm-control-plane-serving-cert-1 True True capi-kubeadm-control-plane-selfsigned-issuer system:serviceaccount:cert-manager:cert-manager Certificate fetched from issuer successfully 3m20s
capi-system capi-serving-cert-1 True True capi-selfsigned-issuer system:serviceaccount:cert-manager:cert-manager Certificate fetched from issuer successfully 3m22s
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ kubectl get certificates.cert-manager.io -A -owide
NAMESPACE NAME READY SECRET ISSUER STATUS AGE
capd-system capd-serving-cert True capd-webhook-service-cert capd-selfsigned-issuer Certificate is up to date and has not expired 3m24s
capi-kubeadm-bootstrap-system capi-kubeadm-bootstrap-serving-cert True capi-kubeadm-bootstrap-webhook-service-cert capi-kubeadm-bootstrap-selfsigned-issuer Certificate is up to date and has not expired 3m25s
capi-kubeadm-control-plane-system capi-kubeadm-control-plane-serving-cert True capi-kubeadm-control-plane-webhook-service-cert capi-kubeadm-control-plane-selfsigned-issuer Certificate is up to date and has not expired 3m24s
capi-system capi-serving-cert True capi-webhook-service-cert capi-selfsigned-issuer Certificate is up to date and has not expired 3m26s
Creating the workload cluster
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ export SERVICE_CIDR=["10.20.0.0/16"]
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ export POD_CIDR=["10.10.0.0/16"]
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ export SERVICE_DOMAIN="myk8s-1.local"
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ export POD_SECURITY_STANDARD_ENABLED="false"
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ clusterctl generate cluster capi-quickstart --flavor development \
--kubernetes-version v1.34.3 \
--control-plane-machine-count=3 \
--worker-machine-count=3 \
> capi-quickstart.yaml
New clusterctl version available: v1.12.2 -> v1.12.3
sigs.k8s.io/cluster-api
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ kubectl apply -f capi-quickstart.yaml
clusterclass.cluster.x-k8s.io/quick-start created
dockerclustertemplate.infrastructure.cluster.x-k8s.io/quick-start-cluster created
kubeadmcontrolplanetemplate.controlplane.cluster.x-k8s.io/quick-start-control-plane created
dockermachinetemplate.infrastructure.cluster.x-k8s.io/quick-start-control-plane created
dockermachinetemplate.infrastructure.cluster.x-k8s.io/quick-start-default-worker-machinetemplate created
dockermachinepooltemplate.infrastructure.cluster.x-k8s.io/quick-start-default-worker-machinepooltemplate created
kubeadmconfigtemplate.bootstrap.cluster.x-k8s.io/quick-start-default-worker-bootstraptemplate created
cluster.cluster.x-k8s.io/capi-quickstart created
## Verify creation & fetch kubeconfig credentials & verify after installing the CNI plugin
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ clusterctl get kubeconfig capi-quickstart > capi-quickstart.kubeconfig
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ kubectl --kubeconfig=capi-quickstart.kubeconfig apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico.yaml
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
01fa53373460 kindest/node:v1.35.0 "/usr/local/bin/entr…" 21 minutes ago Up 21 minutes 0.0.0.0:30000-30001->30000-30001/tcp, 127.0.0.1:38469->6443/tcp myk8s-control-plane
098bc8adc657 kindest/node:v1.35.0 "/usr/local/bin/entr…" 3 minutes ago Up 3 minutes capi-quickstart-md-0-67fkn-9ajzs-lcjv4
4f137h6yy154 kindest/node:v1.35.0 "/usr/local/bin/entr…"
(⎈|kind-myk8s:N/A) zosys@4:~/capi-docker$ clusterctl describe cluster capi-quickstart
NAME REPLICAS AVAILABLE READY UP TO DATE STATUS REASON SINCE MESSAGE
Cluster/capi-quickstart 6/6 6 6 0 True Available
Checking the workload cluster LB
(⎈|kind-myk8s:N/A) zosys@4:~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a8f3c1d9b2e7 kindest/node:v1.34.3 "/usr/local/bin/entr…" About an hour ago Up About an hour 127.0.0.1:32775->6443/tcp capi-quickstart-j9fdm-6zg8v
b7e2d4a1c9f3 kindest/node:v1.34.3 "/usr/local/bin/entr…" About an hour ago Up About an hour 127.0.0.1:32774->6443/tcp capi-quickstart-j9fdm-27w2s
c3d9e7f1a2b6 kindest/node:v1.34.3 "/usr/local/bin/entr…" About an hour ago Up About an hour capi-quickstart-md-0-p7lv8-t7r9t-nhfpb
d4a1b8c7e2f9 kindest/node:v1.34.3 "/usr/local/bin/entr…" About an hour ago Up About an hour capi-quickstart-md-0-p7lv8-t7r9t-rmcls
e9f2a7b4c1d8 kindest/node:v1.34.3 "/usr/local/bin/entr…" About an hour ago Up About an hour capi-quickstart-md-0-p7lv8-t7r9t-t5ds2
f1a2b3c4d5e6 kindest/node:v1.34.3 "/usr/local/bin/entr…" About an hour ago Up About an hour 127.0.0.1:32773->6443/tcp capi-quickstart-j9fdm-ggm9z
9c8b7a6d5e4f kindest/haproxy:v20230606-42a2262b "haproxy -W -db -f /…" About an hour ago Up About an hour 0.0.0.0:32770->6443/tcp, 0.0.0.0:32771->8404/tcp capi-quickstart-lb
7e6d5c4b3a2f kindest/node:v1.35.0 "/usr/local/bin/entr…" 2 hours ago Up 2 hours 0.0.0.0:30000-30001->30000-30001/tcp, 127.0.0.1:54601->6443/tcp myk8s-control-plane
(⎈|kind-myk8s:N/A) zosys@4:~$ docker inspect capi-quickstart-lb | jq
...
"Entrypoint": [
"haproxy",
"-W",
"-db",
"-f",
"/usr/local/etc/haproxy/haproxy.cfg"
(⎈|kind-myk8s:N/A) zosys@4:~$ curl -sk https://127.0.0.1:32770/version | jq
{
"major": "1",
"minor": "34"
}
(⎈|kind-myk8s:N/A) zosys@4:~$ cat haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
daemon
maxconn 100000
resolvers docker
nameserver dns 127.0.0.11:53
defaults
log global
mode tcp
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
default-server init-addr none
frontend stats
mode http
bind *:8404
stats enable
stats uri /stats
stats refresh 1s
stats admin if TRUE
frontend control-plane
bind *:6443
default_backend kube-apiservers
#############################################
```bash
root@k8s-node1:~# pip list | grep -i netaddr
root@k8s-node1:~# pip install netaddr
Looking in indexes: http://192.168.10.10/pypi
Collecting netaddr
Downloading http://192.168.10.10/pypi/netaddr/netaddr-1.3.0-py3-none-any.whl (2.3 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.3/2.3 MB 46.0 MB/s eta 0:00:00
Installing collected packages: netaddr
Successfully installed netaddr-1.3.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
root@k8s-node1:~# pip list | grep -i netaddr
netaddr 1.3.0
root@k8s-node1:~# pip install httpx
Looking in indexes: http://192.168.10.10/pypi
ERROR: Could not find a version that satisfies the requirement httpx (from versions: none)
ERROR: No matching distribution found for httpx
```
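Kubespray is an Ansible-based open-source deployment tool for automatically installing, upgrading and managing k8s clusters (one of the k8s-related tools, like kubeadm).
Roles and features (supports cluster operations end to end)
- Creating new clusters
- (Control plane) cluster upgrades
- Cluster scaling
- Node management: adding and removing nodes
- Cluster reset
- Configuration management
- Backup / restore; an etcd snapshot is taken on upgrade
- Each Kubespray release supports 3 Kubernetes minor versions
- Versions are always included 1-2 versions behind, after they have stabilized
Recommended versions for operations
- Dev environment: latest Kubespray + K8s N-1
- Prd environment: latest Kubespray minus 1 + K8s N-2
Introduction to kubespray and reasons to use it:
- Because it is Ansible-based, management is easy as long as SSH connectivity is available. Kubernetes can be used in both public and closed-network (air-gapped) server environments.
- It supports HA for the control plane and etcd.
- It supports client-side LB to allow distributed access (with kubeadm you have to set this up yourself).
- It provides auto-renew for certificates, so they are renewed automatically.
- It provides best-practice settings in the form of playbooks.
- It supports a variety of Linux distributions.
b. Lab environment
Preliminary environment setup
# Download the files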
wget https://raw.githubusercontent.com/gasida/vagrant-lab/refs/heads/main/k8s-kubespary/Vagrantfile
wget https://raw.githubusercontent.com/gasida/vagrant-lab/refs/heads/main/k8s-kubespary/init_cfg.sh
## Check the files
ll
total 16
-rw-r--r--@ 1 howoo staff 982B Jan 28 15:42 Vagrantfile
-rw-r--r--@ 1 howoo staff 1.3K Jan 28 15:43 init_cfg.sh
## Deploy the lab environment
vagrant up
.
.
.
k8s-ctr: Running: /var/folders/s_/d0ls80f161x0q83j7lx_k5wh0000gn/T/vagrant-shell20260128-6889-zu7q2i.sh
k8s-ctr: >>>> Initial Config Start <<<<
k8s-ctr: [TASK 1] Change Timezone and Enable NTP
k8s-ctr: [TASK 2] Disable firewalld and selinux
k8s-ctr: [TASK 3] Disable and turn off SWAP & Delete swap partitions
k8s-ctr: [TASK 4] Config kernel & module
k8s-ctr: [TASK 5] Setting Local DNS Using Hosts file
k8s-ctr: [TASK 6] Delete default routing - enp0s9 NIC
k8s-ctr: >>>> Initial Config End <<<<
howoo@ttokkang-ui-MacBookAir ~/Desktop/work/Gasida_series/idc_k8s/k8s-kubespary vagrant status
Current machine states:
k8s-ctr running (virtualbox)
The VM is running. To stop this VM, you can run `vagrant halt` to
shut it down forcefully, or you can run `vagrant suspend` to simply
suspend the virtual machine. In either case, to restart it again,
simply run `vagrant up`.
## Configuration after connecting via SSH
vagrant status
Current machine states:
k8s-ctr running (virtualbox)
------------------------------
root@k8s-ctr:~# uname -a
Linux k8s-ctr 6.12.0-55.39.1.el10_0.aarch64 #1 SMP PREEMPT_DYNAMIC Wed Oct 15 11:18:23 EDT 2025 aarch64 GNU/Linux
root@k8s-ctr:~# which python && python -V
/usr/bin/python
Python 3.12.9
root@k8s-ctr:~# which python3 && python3 -V
/usr/bin/python3
Python 3.12.9
root@k8s-ctr:~# dnf install -y python3-pip git
Rocky Linux 10 - BaseOS 0.0 B/s | 0 B 00:00
Errors during downloading metadata for repository 'baseos':
- Curl error (6): Could not resolve hostname for https://mirrors.rockylinux.org/mirrorlist?arch=aarch64&repo=BaseOS-10 [Could not resolve host: mirrors.rockylinux.org]
Error: Failed to download metadata for repo 'baseos': Cannot prepare internal mirrorlist: Curl error (6): Could not resolve hostname for https://mirrors.rockylinux.org/mirrorlist?arch=aarch64&repo=BaseOS-10 [Could not resolve host: mirrors.rockylinux.org]
root@k8s-ctr:~# vim /etc/resolv.conf
root@k8s-ctr:~# dnf install -y python3-pip git
Rocky Linux 10 - BaseOS 531 kB/s | 12 MB 00:23
Rocky Linux 10 - AppStream 123 kB/s | 2.1 MB 00:17
Rocky Linux 10 - Extras 384 B/s | 6.2 kB 00:16
Dependencies resolved.
.
.
.
Complete!
root@k8s-ctr:~# which pip && pip -V
/usr/bin/pip
pip 23.3.2 from /usr/lib/python3.12/site-packages/pip (python 3.12)
root@k8s-ctr:~# which pip3 && pip3 -V
/usr/bin/pip3
pip 23.3.2 from /usr/lib/python3.12/site-packages/pip (python 3.12)
root@k8s-ctr:~# echo "root:qwe123" | chpasswd
root@k8s-ctr:~# cat << EOF >> /etc/ssh/sshd_config
PermitRootLogin yes
PasswordAuthentication yes
EOF
root@k8s-ctr:~# systemctl restart sshd
root@k8s-ctr:~# ssh-keygen -t rsa -N "" -f /root/.ssh/id_rsa
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:OdD1TkSOOxJl5wHu/WPmZQtqdOE3GS053Kjwxxvb8xU root@k8s-ctr
The key's randomart image is:
+---[RSA 3072]----+
| =o= |
| . = B . |
| . o o =. +.|
| . +.= .*.o|
| S +o+o.Eo|
| o oo+++.|
| . .o*==|
| ..++=+|
| .. ..+|
+----[SHA256]-----+
root@k8s-ctr:~# ls -al ~/.ssh/
total 8
drwx------. 2 root root 38 Jan 28 15:52 .
dr-xr-x---. 3 root root 119 Jan 28 15:49 ..
-rw-------. 1 root root 2602 Jan 28 15:52 id_rsa
-rw-r--r--. 1 root root 566 Jan 28 15:52 id_rsa.pub
root@k8s-ctr:~# ssh-copy-id -o StrictHostKeyChecking=no root@192.168.10.10
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.10.10's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -o 'StrictHostKeyChecking=no' 'root@192.168.10.10'"
and check to make sure that only the key(s) you wanted were added.
root@k8s-ctr:~# cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfVlv8LgLkkE5XoaKF4C6cPFxHBU2SVTnC20NamU03ITKSdZl/T7TJrIF2UBt/P1lQgCB5LImQYJVY06nSygYgIQd7BBxeXvpZ0kgYA2sXn1FRsuu3feTaJZQ1dAee0ZhMJfL7JEAKSLyvdnynCbvOXwVcgvW8EnOA1U+DFdQBBKLlGlMC89YLVKAz9KRTArAM4XsFKlYYR6OPYTDderiNNITQMEiT6BpJE43P+ai1nnIjc2IOzWItsziSnROzPoedfQcNC9lbqyg/lco+5D+MCT32rcs1mxLdI1tvPSMC9RqNpEUNk5t1FRFl6Fn5PJ7fk7aOOpW3H74uoxNqmmXDcjBOnsnX9f+Igv4VPZkigYk/glMbxsTOfgUwVBSH39UaiW7JWdq+taa2VNf9QVf3Ucdde6mGg4V9HNqHzvP9B7deo4YSaSpAFzJd1Vwle9cQzc3tiMBPUOZRxM0NOjWaAux5k0iu+In++iFVeFcLDRvHN+2JSwiKONRPP1ofgY0= root@k8s-ctr
root@k8s-ctr:~# ssh root@192.168.10.10 hostname
k8s-ctr
root@k8s-ctr:~# ssh -o StrictHostKeyChecking=no root@k8s-ctr hostname
Warning: Permanently added 'k8s-ctr' (ED25519) to the list of known hosts.
k8s-ctr
root@k8s-ctr:~# ssh root@k8s-ctr hostname
k8s-ctr
# Environment setup
pip3 install -r /root/kubespray/requirements.txt
.
.
.
Downloading ansible-10.7.0-py3-none-any.whl (51.6 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 51.6/51.6 MB 6.1 MB/s eta 0:00:00
Downloading cryptography-46.0.2-cp311-abi3-manylinux_2_34_aarch64.whl (4.3 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 4.3/4.3 MB 6.7 MB/s eta 0:00:00
Downloading jmespath-1.0.1-py3-none-any.whl (20 kB)
Downloading netaddr-1.3.0-py3-none-any.whl (2.3 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.3/2.3 MB 6.0 MB/s eta 0:00:00
Downloading ansible_core-2.17.14-py3-none-any.whl (2.2 MB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.2/2.2 MB 5.6 MB/s eta 0:00:00
Downloading cffi-2.0.0-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.whl (220 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 220.1/220.1 kB 6.5 MB/s eta 0:00:00
Downloading jinja2-3.1.6-py3-none-any.whl (134 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 134.9/134.9 kB 9.8 MB/s eta 0:00:00
Downloading resolvelib-1.0.1-py2.py3-none-any.whl (17 kB)
Downloading pycparser-3.0-py3-none-any.whl (48 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 48.2/48.2 kB 3.6 MB/s eta 0:00:00
Downloading markupsafe-3.0.3-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl (24 kB)
Installing collected packages: resolvelib, pycparser, netaddr, MarkupSafe, jmespath, jinja2, cffi, cryptography, ansible-core, ansible
Successfully installed MarkupSafe-3.0.3 ansible-10.7.0 ansible-core-2.17.14 cffi-2.0.0 cryptography-46.0.2 jinja2-3.1.6 jmespath-1.0.1 netaddr-1.3.0 pycparser-3.0 resolvelib-1.0.1
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
root@k8s-ctr:~/kubespray# which ansible
/usr/local/bin/ansible
root@k8s-ctr:~/kubespray# ansible --version
ansible [core 2.17.14]
config file = /root/kubespray/ansible.cfg
configured module search path = ['/root/kubespray/library']
ansible python module location = /usr/local/lib/python3.12/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible
python version = 3.12.9 (main, Aug 14 2025, 00:00:00) [GCC 14.2.1 20250110 (Red Hat 14.2.1-7)] (/usr/bin/python3)
jinja version = 3.1.6
libyaml = True
root@k8s-ctr:~/kubespray# pip list
Package Version
------------------------- -----------
ansible 10.7.0
ansible-core 2.17.14
attrs 23.2.0
.
.
.
Deploying K8s with Kubespray
root@k8s-ctr:~/kubespray# cp -rfp /root/kubespray/inventory/sample /root/kubespray/inventory/mycluster
root@k8s-ctr:~/kubespray# tree inventory/mycluster/
inventory/mycluster/
├── group_vars
│ ├── all
│ │ ├── all.yml
.
.
.
root@k8s-ctr:~/kubespray# cat << EOF > /root/kubespray/inventory/mycluster/inventory.ini
k8s-ctr ansible_host=192.168.10.10 ip=192.168.10.10
[kube_control_plane]
k8s-ctr
[etcd:children]
kube_control_plane
[kube_node]
k8s-ctr
EOF
# Changes for the features to be tested
root@k8s-ctr:~/kubespray# sed -i 's|kube_network_plugin: calico|kube_network_plugin: flannel|g' inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml
root@k8s-ctr:~/kubespray# sed -i 's|kube_proxy_mode: ipvs|kube_proxy_mode: iptables|g' inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml
root@k8s-ctr:~/kubespray# sed -i 's|enable_nodelocaldns: true|enable_nodelocaldns: false|g' inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml
root@k8s-ctr:~/kubespray# sed -i 's|auto_renew_certificates: false|auto_renew_certificates: true|g' inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml
root@k8s-ctr:~/kubespray# sed -i 's|# auto_renew_certificates_systemd_calendar|auto_renew_certificates_systemd_calendar|g' inventory/mycluster/group_vars/k8s_cluster/k8s-cluster.yml
# Modify the flannel settings
root@k8s-ctr:~/kubespray# echo "flannel_interface: enp0s9" >> inventory/mycluster/group_vars/k8s_cluster/k8s-net-flannel.yml
root@k8s-ctr:~/kubespray# grep "^[^#]" inventory/mycluster/group_vars/k8s_cluster/k8s-net-flannel.yml
flannel_interface: enp0s9
root@k8s-ctr:~/kubespray# sed -i 's|helm_enabled: false|helm_enabled: true|g' inventory/mycluster/group_vars/k8s_cluster/addons.yml
root@k8s-ctr:~/kubespray# sed -i 's|metrics_server_enabled: false|metrics_server_enabled: true|g' inventory/mycluster/group_vars/k8s_cluster/addons.yml
root@k8s-ctr:~/kubespray# sed -i 's|node_feature_discovery_enabled: false|node_feature_discovery_enabled: true|g' inventory/mycluster/group_vars/k8s_cluster/addons.yml
root@k8s-ctr:~/kubespray# ls -al ./*.txt
-rw-r--r--. 1 root root 631 Jan 28 16:04 ./df-1.txt
-rw-r--r--. 1 root root 3241 Jan 28 16:04 ./findmnt-1.txt
-rw-r--r--. 1 root root 1459 Jan 28 16:04 ./ip_addr-1.txt
-rw-r--r--. 1 root root 181 Jan 28 15:54 ./requirements.txt
-rw-r--r--. 1 root root 696 Jan 28 16:04 ./ss-1.txt
-rw-r--r--. 1 root root 44424 Jan 28 16:04 ./sysctl-1.txt
## Deploy
ansible-playbook -i inventory/mycluster/inventory.ini -v cluster.yml -e kube_version="1.33.3" --list-tasks # List the tasks before deploying
ANSIBLE_FORCE_COLOR=true ansible-playbook -i inventory/mycluster/inventory.ini -v cluster.yml -e kube_version="1.33.3" | tee kubespray_install.log
.
.
.
download : Download_file | Download item -------------------------------- 7.34s
container-engine/nerdctl : Download_file | Download item ---------------- 7.22s
container-engine/runc : Download_file | Download item ------------------- 7.17s
Aliases and command auto-completion
# Source the completion
source <(kubectl completion bash)
source <(kubeadm completion bash)
# Alias kubectl to k
alias k=kubectl
complete -o default -F __start_kubectl k
# Install k9s: https://github.com/derailed/k9s
CLI_ARCH=amd64
if [ "$(uname -m)" = "aarch64" ]; then CLI_ARCH=arm64; fi
wget https://github.com/derailed/k9s/releases/latest/download/k9s_linux_${CLI_ARCH}.tar.gz
tar -xzf k9s_linux_*.tar.gz
ls -al k9s
chown root:root k9s
mv k9s /usr/local/bin/
chmod +x /usr/local/bin/k9s
k9s
Configuring and applying settings
root@k8s-ctr:~/kubespray# sysctl fs.file-max
fs.file-max = 9223372036854775807
root@k8s-ctr:~/kubespray# cat /proc/sys/fs/file-max
9223372036854775807
root@k8s-ctr:~/kubespray# ulimit -n
1024
root@k8s-ctr:~/kubespray# systemctl show kubelet | grep LimitNOFILE
LimitNOFILE=524288
LimitNOFILESoft=1024
root@k8s-ctr:~/kubespray# cat << EOF >> inventory/mycluster/group_vars/all/containerd.yml
containerd_default_base_runtime_spec_patch:
  process:
    rlimits: []
EOF
ansible-playbook -i inventory/mycluster/inventory.ini -v cluster.yml --tags "container-engine" --limit k8s-ctr -e kube_version="1.33.3"
root@k8s-ctr:~/kubespray# kubectl delete pod ubuntu
pod "ubuntu" deleted
root@k8s-ctr:~/kubespray# cat << EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
spec:
  containers:
  - name: ubuntu
    image: ubuntu
    command: ["sh", "-c", "sleep infinity"]
    securityContext:
      privileged: true
EOF
pod/ubuntu created
root@k8s-ctr:~/kubespray# kubectl exec -it ubuntu -- sh -c 'ulimit -a'
time(seconds) unlimited
file(blocks) unlimited
data(kbytes) unlimited
stack(kbytes) 8192
coredump(blocks) unlimited
memory(kbytes) unlimited
locked memory(kbytes) unlimited
process unlimited
nofiles 1048576
vmemory(kbytes) unlimited
locks unlimited
rtprio 0
ansible-playbook -i inventory/mycluster/inventory.ini -v cluster.yml --tags "container-engine" --list-tasks
.
.
.
play #15 (k8s_cluster): Apply resolv.conf changes now that cluster DNS is up TAGS: []
tasks:
## Check the script
.
.
.
/registry/services/specs/node-feature-discovery/node-feature-discovery-master
compact_rev_key
root@k8s-ctr:~# etcdctl.sh member list -w table
+------------------+---------+-------+----------------------------+----------------------------+------------+
| ID | STATUS | NAME | PEER ADDRS | CLIENT ADDRS | IS LEARNER |
+------------------+---------+-------+----------------------------+----------------------------+------------+
| a997582217e26c7f | started | etcd1 | https://192.168.10.10:2380 | https://192.168.10.10:2379 | false |
+------------------+---------+-------+----------------------------+----------------------------+------------+
# Check the installed settings
root@k8s-ctr:~/kubespray# cat sysctl-1.txt | grep net.ipv4.ip_local_reserved_ports
net.ipv4.ip_local_reserved_ports =
root@k8s-ctr:~/kubespray# cat sysctl-2.txt | grep net.ipv4.ip_local_reserved_ports
net.ipv4.ip_local_reserved_ports = 30000-32767
root@k8s-ctr:~/kubespray# sysctl net.ipv4.ip_local_reserved_ports
net.ipv4.ip_local_reserved_ports = 30000-32767
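The check above greps a single key out of sysctl-1.txt and sysctl-2.txt. The following is an added example, not part of the original post, that generalizes it to list every key whose value differs between two saved sysctl dumps, so everything the installer changed on the host can be reviewed at once. The function names and the sample dumps (including the ip_forward values) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): compare two saved sysctl dumps.

# sysctl_diff BEFORE AFTER
# Prints one sorted line per key whose value differs, including keys present
# in only one dump. Empty values (as in "key =") are shown as [].
sysctl_diff() {
  awk '
    {
      i = index($0, " =")              # split on the first " =" only
      if (i == 0) next                 # skip lines that are not "key = value"
      key = substr($0, 1, i - 1)
      val = substr($0, i + 2)
      gsub(/^[ \t]+|[ \t]+$/, "", val) # trim; the value may be empty
      if (FILENAME == ARGV[1]) before[key] = val
      else                     after[key]  = val
    }
    END {
      for (k in after) {
        if (!(k in before))             printf "%s: (absent) -> [%s]\n", k, after[k]
        else if (before[k] != after[k]) printf "%s: [%s] -> [%s]\n", k, before[k], after[k]
      }
      for (k in before)
        if (!(k in after))              printf "%s: [%s] -> (absent)\n", k, before[k]
    }
  ' "$1" "$2" | sort
}

# Constructed sample dumps standing in for sysctl-1.txt and sysctl-2.txt.
sample_run() {
  local dir; dir=$(mktemp -d)
  cat > "$dir/before.txt" <<'EOF'
fs.file-max = 9223372036854775807
net.ipv4.ip_forward = 0
net.ipv4.ip_local_reserved_ports =
EOF
  cat > "$dir/after.txt" <<'EOF'
fs.file-max = 9223372036854775807
net.ipv4.ip_forward = 1
net.ipv4.ip_local_reserved_ports = 30000-32767
EOF
  sysctl_diff "$dir/before.txt" "$dir/after.txt"
  rm -rf "$dir"
}

sample_run
```

On the lab host the call would be `sysctl_diff sysctl-1.txt sysctl-2.txt`.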
# Check the maximum number of pods that can be scheduled per node
root@k8s-ctr:~/kubespray# kubectl describe node
kube-system metrics-server-7cd7f9897-f9ngp 100m (2%) 100m (2%) 200Mi (6%) 200Mi (6%) 2d3h
node-feature-discovery node-feature-discovery-gc-6c9b8f4657-drclc 0 (0%) 0 (0%) 0 (0%) 0 (0%) 2d3h
node-feature-discovery node-feature-discovery-master-6989794b78-gfvcx 0 (0%) 0 (0%) 0 (0%) 0 (0%) 2d3h
node-feature-discovery node-feature-discovery-worker-q44fg 0 (0%) 0 (0%) 0 (0%) 0 (0%) 2d3h
Allocated resources:
(Total limits may be over 100 percent, i.e., overcommitted.)
Resource Requests Limits
-------- -------- ------
cpu 920m (27%) 400m (11%)
memory 349220Ki (11%) 1024288000 (33%)
ephemeral-storage 0 (0%) 0 (0%)
hugepages-1Gi 0 (0%) 0 (0%)
hugepages-2Mi 0 (0%) 0 (0%)
hugepages-32Mi 0 (0%) 0 (0%)
hugepages-64Ki 0 (0%) 0 (0%)
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Starting 10m kube-proxy
Normal Starting 11m kubelet Starting kubelet.
Warning InvalidDiskCapacity 11m kubelet invalid capacity 0 on image filesystem
Normal NodeHasSufficientMemory 11m (x8 over 11m) kubelet Node k8s-ctr status is now: NodeHasSufficientMemory
Normal NodeHasNoDiskPressure 11m (x8 over 11m) kubelet Node k8s-ctr status is now: NodeHasNoDiskPressure
Normal NodeHasSufficientPID 11m (x7 over 11m) kubelet Node k8s-ctr status is now: NodeHasSufficientPID
Normal NodeAllocatableEnforced 11m kubelet Updated Node Allocatable limit across pods
Warning Rebooted 10m kubelet Node k8s-ctr has been rebooted, boot id: 1926a28f-f34f-4605-b1bd-98e6b897d174
Normal RegisteredNode 10m node-controller Node k8s-ctr event: Registered Node k8s-ctr in Controller
root@k8s-ctr:~/kubespray# kubectl describe node | grep pods
pods: 110
pods: 110
Normal NodeAllocatableEnforced 11m kubelet Updated Node Allocatable limit across pods
# Check the installed settings
root@k8s-ctr:~/kubespray# ls -al | grep block
root@k8s-ctr:~/kubespray# kubectl get pod -n kube-system -l tier=control-plane
NAME READY STATUS RESTARTS AGE
kube-apiserver-k8s-ctr 1/1 Running 5 (14m ago) 2d3h
kube-controller-manager-k8s-ctr 1/1 Running 6 (14m ago) 2d3h
kube-scheduler-k8s-ctr 1/1 Running 5 (14m ago) 2d3h
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Jan 26, 2036 07:13 UTC 9y no
front-proxy-ca Jan 26, 2036 07:13 UTC 9y no