├── .gitignore ├── LICENSE ├── README.md ├── admin ├── admin.sh ├── console.sh ├── flannel.yml ├── images.sh ├── master.sh ├── network.sh ├── prepare.sh └── worker.sh ├── bare-metal ├── compose.sh ├── daemon.json ├── docker.sh ├── init.sh ├── kind.sh ├── load.sh ├── minikube.sh ├── no-update.sh └── save.sh ├── calico ├── calico.yaml └── setup.sh ├── ch0 └── 00.sh ├── ch1 ├── .dockerignore ├── 01.sh ├── 02.sh ├── 03.sh ├── 04.sh ├── 05.sh ├── 06.sh ├── Dockerfile ├── Dockerfile.busybox ├── default.conf ├── hello.py ├── reg.conf ├── registry.sh ├── wordpress.sh └── wp.conf ├── ch2 ├── 09.sh ├── 10.sh ├── 11.sh ├── 12.sh ├── 13.sh ├── 14.sh ├── busy-pod.yaml ├── cm.yml ├── cronjob.yml ├── dash_proxy.sh ├── env-pod.yml ├── job.yml ├── mariadb-pod.yml ├── ngx-pod.yml ├── proxy-pod.yml ├── secret.yml ├── sleep-job.yml ├── vol-pod.yml ├── wp-pod.yml └── wp_proxy.sh ├── ch3 ├── 17.sh ├── 18.sh ├── 19.sh ├── 20.sh ├── 21.sh ├── deploy.yml ├── ds.yml ├── ingress.yml ├── kic.yml ├── kustomization.yaml ├── svc.yml ├── wp-dep.yml ├── wp-ing.yml ├── wp-kic.yml └── wp-maria.yml ├── ch4 ├── 26.sh ├── 28.sh ├── 29.sh ├── 31.sh ├── empty-dir-pod.yml ├── host-path-pv.yml ├── hpa.yml ├── kustomization.yaml ├── nfs-dynamic-pv.yml ├── nfs-static-pv.yml ├── ngx-v1.yml ├── ngx-v2.yml ├── pod-probe.yml ├── pod-resources.yml ├── quota-ns.yml ├── redis-deploy.yml ├── redis-pv-sts.yml ├── redis-sts.yml ├── storageclass.yml ├── test-ns.yml ├── wp-dep.yml ├── wp-ing.yml ├── wp-kic.yml └── wp-maria.yml ├── compose ├── reg-compose.yml ├── setup.sh ├── wp-compose.yml └── wp.conf ├── dashboard ├── admin.yml ├── cert.sh ├── dashboard.yaml ├── ingress.yml ├── insecure-dashboard.yml ├── kic.yml ├── kustomization.yaml └── setup.sh ├── gateway ├── backend.yml ├── filters.yml ├── gateway.yml ├── helm.sh ├── routes.yml ├── standard-install.yaml └── traffic.yml ├── ingress ├── common │ ├── crds │ │ ├── k8s.nginx.org_globalconfigurations.yaml │ │ ├── k8s.nginx.org_policies.yaml │ │ ├── 
k8s.nginx.org_transportservers.yaml │ │ ├── k8s.nginx.org_virtualserverroutes.yaml │ │ └── k8s.nginx.org_virtualservers.yaml │ ├── default-server-secret.yaml │ ├── nginx-config.yaml │ └── ns-and-sa.yaml ├── rbac │ └── rbac.yaml ├── remove.sh └── setup.sh ├── kong ├── all-in-one-dbless.yaml ├── crd.yml ├── ingress.yml ├── kic.yml ├── kustomization.yaml ├── ngx-deploy.yml └── setup.sh ├── metrics ├── components.yaml └── setup.sh ├── nfs ├── class.yaml ├── deployment.yaml ├── nfs-client.sh ├── nfs-server.sh ├── rbac.yaml └── setup.sh └── prom └── setup.sh /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Object files 5 | *.o 6 | *.ko 7 | *.obj 8 | *.elf 9 | 10 | # Linker output 11 | *.ilk 12 | *.map 13 | *.exp 14 | 15 | # Precompiled Headers 16 | *.gch 17 | *.pch 18 | 19 | # Libraries 20 | *.lib 21 | *.a 22 | *.la 23 | *.lo 24 | 25 | # Shared objects (inc. Windows DLLs) 26 | *.dll 27 | *.so 28 | *.so.* 29 | *.dylib 30 | 31 | # Executables 32 | *.exe 33 | *.out 34 | *.app 35 | *.i*86 36 | *.x86_64 37 | *.hex 38 | 39 | # Debug files 40 | *.dSYM/ 41 | *.su 42 | *.idb 43 | *.pdb 44 | 45 | # Kernel Module Compile Results 46 | *.mod* 47 | *.cmd 48 | .tmp_versions/ 49 | modules.order 50 | Module.symvers 51 | Mkfile.old 52 | dkms.conf 53 | 54 | *.swp 55 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 2-Clause License 2 | 3 | Copyright (c) 2022, Chrono 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | 1. Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | 2. 
Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 17 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 20 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 23 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 25 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
26 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # k8s_study 2 | * [Follow me to study Docker/Kubernetes](https://time.geekbang.org/column/intro/100114501) 3 | * [Do we must learn/study Kubernetes?](https://www.bilibili.com/video/BV13t4y1a7vN) 4 | 5 | ## Requirements 6 | 7 | ### Host Machine 8 | | CPU | Memory | Disk 9 | | -----|--------|----- 10 | | >= 2 | >= 8GB | >= 100GB 11 | 12 | ### docker/minikube VM 13 | Environment | CPU | Memory | Disk 14 | ------------|---- |--------|----- 15 | docker | >= 2| >= 2GB | >= 20GB 16 | minikube | >= 2| >= 2GB | >= 20GB 17 | 18 | ### kubernetes VM 19 | Environment | CPU | Memory | Disk 20 | ------------|---- |--------|----- 21 | master node | >= 2| >= 4GB | >= 40GB 22 | worker node | >= 1| >= 1GB | >= 20GB 23 | 24 | 25 | ## Docker 26 | 27 | * [docker](https://www.docker.com/) 28 | * [docker hub](https://hub.docker.com/) 29 | * [docker official images](https://github.com/docker-library/official-images) 30 | * [quay.io](https://quay.io/) 31 | * [bitnami](https://bitnami.com/) 32 | 33 | 34 | ## Kubernetes 35 | 36 | * [kubernetes](https://kubernetes.io/zh/) 37 | * [yaml](https://yaml.org/) 38 | * [minikube](https://minikube.sigs.k8s.io/) 39 | * [kind](https://kind.sigs.k8s.io/) 40 | * [harbor](https://goharbor.io/) 41 | * [helm](https://helm.sh/) 42 | * [metrics-server](https://github.com/kubernetes-sigs/metrics-server) 43 | * [prometheus](https://prometheus.io/) 44 | * [grafana](https://grafana.com/) 45 | * [calico](https://www.tigera.io/project-calico/) 46 | * [cilium](https://cilium.io/) 47 | * [CNCF](https://www.cncf.io/) 48 | * [CKA](https://www.cncf.io/certification/cka/) 49 | 50 | 51 | ## Docs 52 | 53 | * [docker](https://docs.docker.com/) 54 | * [docker-compose](https://docs.docker.com/compose/) 55 | * [kubernetes](https://kubernetes.io/zh/docs/home/) 56 | * 
[prometheus](https://prometheus.io/docs/) 57 | * [yaml](https://yaml.org/spec/1.2.2/) 58 | * [minikube](https://kubernetes.io/zh/docs/tutorials/hello-minikube/) 59 | * [kubectl](https://kubernetes.io/zh/docs/reference/kubectl/overview/) 60 | * [kubeadm](https://kubernetes.io/zh/docs/reference/setup-tools/kubeadm/) 61 | * [kubectl cheatsheet](https://kubernetes.io/zh/docs/reference/kubectl/cheatsheet/) 62 | * [kubernetes api v1.23](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/) 63 | * [pod](https://kubernetes.io/zh/docs/concepts/workloads/pods/) 64 | * [ingress](https://kubernetes.io/zh/docs/concepts/services-networking/ingress/) 65 | * [cni](https://github.com/containernetworking/cni) 66 | * [nginx-ingress-controller](https://docs.nginx.com/nginx-ingress-controller/) 67 | * [kong-ingress-controller](https://docs.konghq.com/kubernetes-ingress-controller/) 68 | * [gateway](https://gateway-api.sigs.k8s.io/) 69 | * [persistent-volumes](https://kubernetes.io/zh/docs/concepts/storage/persistent-volumes/) 70 | 71 | ## Releases 72 | 73 | * [v1.27 release](https://kubernetes.io/blog/2023/04/11/kubernetes-v1-27-release/) 74 | * [v1.26 release](https://kubernetes.io/blog/2022/12/09/kubernetes-v1-26-release/) 75 | * [v1.24 release](https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/) 76 | * [v1.23 release](https://kubernetes.io/blog/2021/12/07/kubernetes-1-23-release-announcement/) 77 | * [v1.22 release](https://kubernetes.io/blog/2021/08/04/kubernetes-1-22-release-announcement/) 78 | * [v1.21 release](https://kubernetes.io/blog/2021/04/08/kubernetes-1-21-release-announcement/) 79 | * [v1.20 release](https://kubernetes.io/blog/2020/12/08/kubernetes-1-20-release-announcement/) 80 | 81 | ## Blogs 82 | 83 | * [Gateway API v1.0: GA Release](https://kubernetes.io/blog/2023/10/31/gateway-api-ga/) 84 | * [k8s.gcr.io Image Registry Will Be Frozen From the 3rd of April 
2023](https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/) 85 | * [don't panic kubernetes and docker](https://kubernetes.io/blog/2020/12/02/dont-panic-kubernetes-and-docker/) 86 | * [Evolving Kubernetes networking with the Gateway API](https://kubernetes.io/blog/2021/04/22/evolving-kubernetes-networking-with-the-gateway-api/) 87 | 88 | ## Linux 89 | 90 | * [ubuntu](https://ubuntu.com/) 91 | * [centos](https://www.centos.org/) 92 | * [alpine](https://alpinelinux.org/) 93 | * [fedora](https://getfedora.org/) 94 | 95 | ## Virtualization 96 | 97 | * [virtualbox(x86)](https://www.virtualbox.org/) 98 | * [vmware fusion(apple silicon)](https://communities.vmware.com/t5/Fusion-for-Apple-Silicon-Tech/ct-p/3022) 99 | * [utm](https://mac.getutm.app/) 100 | -------------------------------------------------------------------------------- /admin/admin.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # chrono @ 2022-04 4 | 5 | # https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/ 6 | # https://kubernetes.io/zh/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/ 7 | 8 | #sudo apt update 9 | sudo apt install -y apt-transport-https ca-certificates curl nfs-common 10 | 11 | #sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg 12 | curl https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | sudo apt-key add - 13 | 14 | #echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list 15 | cat </dev/null | openssl dgst -sha256 -hex | sed 's/^.* //' 30 | 31 | 32 | -------------------------------------------------------------------------------- /admin/network.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # chrono @ 2022-04 4 | 
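# https://github.com/flannel-io/flannel

# cni flannel
# Pinned image tags; they should stay in step with the images referenced in flannel.yml.
docker pull rancher/mirrored-flannelcni-flannel-cni-plugin:v1.0.1
docker pull rancher/mirrored-flannelcni-flannel:v0.17.0

kubectl apply -f flannel.yml

echo "waiting network ready ..."

# A fixed one-second sleep does not wait for anything. Nodes stay NotReady until a CNI
# is running, so block on the Ready condition instead, with a bound so the script
# cannot hang forever if the DaemonSet never comes up.
kubectl wait --for=condition=Ready node --all --timeout=180s

kubectl get node

# kubectl taint node k8s-master node-role.kubernetes.io/master:NoSchedule-
#kubectl taint nodes --all node-role.kubernetes.io/master-

# test pod
kubectl run ngx --image=nginx:alpine

--------------------------------------------------------------------------------
/admin/prepare.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# chrono @ 2022-04

# https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/
# https://kubernetes.io/zh/docs/setup/production-environment/container-runtimes/#docker

# sudo vi /etc/hostname

# fix docker issue
# NOTE(review): the listing jumps from line 11 to line 42 here. The here-document that
# followed `cat <` (and everything up to the openssl pipeline) was lost when the page was
# rendered, so the line below is not runnable as shown; recover the body from the repo.
cat </dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'


--------------------------------------------------------------------------------
/bare-metal/compose.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-03

# python setuptools
sudo apt install -y python3-setuptools

# download or copy tarball
# NOTE(review): the archive is not integrity-checked before it is built and installed
# as root; compare it against the checksum published for the compose 1.29.2 release.
if [ ! -f "1.29.2.tar.gz" ]; then
  wget https://github.com/docker/compose/archive/refs/tags/1.29.2.tar.gz
fi

# unzip
tar xfz 1.29.2.tar.gz

# install
# Abort if the extracted directory is missing; otherwise setup.py would run (as root)
# in the wrong directory and the clean-up step would operate relative to the wrong place.
cd compose-1.29.2/ || exit 1
sudo python3 setup.py install

# clean
cd ..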
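sudo rm -rf compose-1.29.2/

echo "install compose finished"
--------------------------------------------------------------------------------
/bare-metal/daemon.json:
--------------------------------------------------------------------------------
{
  "registry-mirrors": [
    "https://hub-mirror.c.163.com",
    "https://docker.mirrors.ustc.edu.cn"
  ]
}
--------------------------------------------------------------------------------
/bare-metal/docker.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-03

# https://docs.docker.com/engine/install/ubuntu/
# Downloading the installer to a file and dry-running it first (the two lines below)
# lets you read what it does before anything executes; prefer that over piping it to sh.
# curl -fsSL https://get.docker.com -o get-docker.sh
# DRY_RUN=1 sh ./get-docker.sh

# check ubuntu version
#s=`grep Jammy /etc/os-release`
#
#if [ -z "$s" ]; then
#  # 20.04/18.04/...
#  curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
#else
#  # 22.04
#  sudo apt install -y docker.io
#fi

# install docker from ubuntu repo
sudo apt install -y docker.io

sudo service docker start
# Membership of the docker group is root-equivalent on the host (a member can start a
# privileged container), so add only the interactive user, never a shared account.
# ${USER:?} aborts instead of calling usermod with an empty name when USER is unset.
sudo usermod -aG docker "${USER:?USER is not set}"

echo "install docker finished."
echo "please logout then login again."
--------------------------------------------------------------------------------
/bare-metal/init.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-03

sudo apt update
sudo apt install -y openssh-server
sudo apt install -y git vim tree curl jq

echo "please install docker minikube and others."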
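--------------------------------------------------------------------------------
/bare-metal/kind.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-03

# https://kind.sigs.k8s.io/
# https://github.com/kubernetes-sigs/kind

# Stop at the first failed step so a partial or mismatched download is never installed.
set -e

KIND_VERSION="v0.12.0"
KUBECTL_VERSION="v1.23.4"

# check cpu arch
# `uname -m` is the machine hardware name alone; the old `uname -a | grep x86` also
# scanned the hostname and kernel build string, which can match 'x86' by accident.
case "$(uname -m)" in
  x86_64)          arch=amd64 ;;   # x86_64
  aarch64 | arm64) arch=arm64 ;;   # arm64 = aarch64
  *) echo "unsupported cpu arch: $(uname -m)" >&2; exit 1 ;;
esac

# install kind
# -f makes curl fail on an HTTP error instead of saving the error page as the binary.
curl -fLo ./kind "https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-$(uname)-${arch}"
# Verify the binary against the checksum file published next to each release asset
# before it goes into /usr/local/bin.
curl -fLo ./kind.sha256sum "https://kind.sigs.k8s.io/dl/${KIND_VERSION}/kind-$(uname)-${arch}.sha256sum"
echo "$(cut -d' ' -f1 ./kind.sha256sum)  kind" | sha256sum -c -

sudo install kind /usr/local/bin/

# kind create cluster

# install kubectl
# kubectl must match the host arch as well; the old script always fetched the arm64
# build, which cannot run on an x86_64 host.
curl -fLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${arch}/kubectl"
curl -fLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${arch}/kubectl.sha256"
echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c -
sudo install kubectl /usr/local/bin/

# `cluster-info` is a kubectl subcommand, not a resource kind; `kubectl get cluster-info`
# is rejected by kubectl.
kubectl cluster-info

--------------------------------------------------------------------------------
/bare-metal/load.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# chrono @ 2022-05
# restore images from saved tar files

#eg: ./load.sh ~/tmp/tar

# Refuse to run without a directory argument instead of silently listing the cwd.
dir=${1:?usage: $0 <dir-with-tar-files>}

# Iterate with a glob rather than parsing `ls`; names containing spaces stay intact.
for fname in "$dir"/*; do
  [ -e "$fname" ] || continue   # empty directory: the glob is left unexpanded
  echo "loading $fname"

  #docker load -i "$fname"
done

echo "ok."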
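--------------------------------------------------------------------------------
/bare-metal/minikube.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-03

# https://minikube.sigs.k8s.io/docs/start/
# https://github.com/kubernetes/minikube

# Stop at the first failed step so a partial download is never installed.
set -e

# check cpu arch
# `uname -m` is the machine hardware name alone; the old `uname -a | grep x86` also
# scanned the hostname and kernel build string, which can match 'x86' by accident.
case "$(uname -m)" in
  x86_64)          arch=amd64 ;;   # x86_64
  aarch64 | arm64) arch=arm64 ;;   # arm64 = aarch64
  *) echo "unsupported cpu arch: $(uname -m)" >&2; exit 1 ;;
esac

# install minikube
#curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-${arch}
#sudo install minikube-linux-${arch} /usr/local/bin/minikube
# NOTE(review): "latest" is an unpinned download that is installed system-wide without
# an integrity check; pin a release and verify the binary against the checksum published
# with that release before installing it. -f makes curl fail on an HTTP error instead of
# saving the error page as the binary.
curl -fLo minikube "https://storage.googleapis.com/minikube/releases/latest/minikube-linux-${arch}"

sudo install minikube /usr/local/bin/

# install kubectl
minikube kubectl -- version --client

# alias for convenience
#alias kubectl='minikube kubectl --'

# minikube start
# minikube start --kubernetes-version=v1.23.3
# minikube start --container-runtime=containerd
# minikube start --image-mirror-country=cn
# minikube start --registry-mirror=http://hub-mirror.c.163.com
# minikube start --image-repository=registry.cn-hangzhou.aliyuncs.com/google_containers/

--------------------------------------------------------------------------------
/bare-metal/no-update.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-05

# `uname -m` is the portable machine name; `uname -p` prints "unknown" on some
# distributions, which would make the check below silently skip.
arch=$(uname -m)

# disable ubuntu's auto upgrade
if [ "$arch" = "aarch64" ]; then

  sudo sed -i 's/"1"/"0"/g' /etc/apt/apt.conf.d/10periodic
  sudo sed -i \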
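    's/"1"/"0"/g' /etc/apt/apt.conf.d/20auto-upgrades

fi

--------------------------------------------------------------------------------
/bare-metal/save.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# chrono @ 2022-05
# backup all images in docker

mkdir -p tar

# Ask docker for "repo:tag" directly instead of scraping the table output with
# `grep -v TAG | awk`, which breaks as soon as the column layout changes.
docker images --format '{{.Repository}}:{{.Tag}}' |
while IFS= read -r image; do
  # ':' and '/' cannot be used in the file name; replace both with '_'.
  fname=${image//:/_}
  fname=${fname//\//_}
  echo "saving $image to $fname"

  docker save "$image" -o "tar/$fname.tar"
done

echo "ok."
--------------------------------------------------------------------------------
/calico/setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# wget https://projectcalico.docs.tigera.io/manifests/calico.yaml

# preload cni calico
# The three tags below should match the images pinned inside calico.yaml — confirm
# whenever the manifest is refreshed.
docker pull calico/cni:v3.23.1
docker pull calico/node:v3.23.1
docker pull calico/kube-controllers:v3.23.1

mkdir -p cnitar

# backup
docker save calico/cni:v3.23.1 -o cnitar/cni.tar
docker save calico/node:v3.23.1 -o cnitar/node.tar
docker save calico/kube-controllers:v3.23.1 -o cnitar/ctl.tar

#kubectl apply -f calico.yaml
--------------------------------------------------------------------------------
/ch0/00.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-03

# check linux info
uname -a
cat /etc/os-release

# check hostname
hostname

# check hardware info
cat /proc/cpuinfo
head /proc/meminfo

# check ip info
ip addr


--------------------------------------------------------------------------------
/ch1/.dockerignore:
--------------------------------------------------------------------------------
# docker ignore
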
# https://docs.docker.com/engine/reference/builder/#dockerignore-file

# Keep editor swap files and the helper scripts out of the build context, so they
# can never be COPYed into an image layer by accident.
*.swp
*.sh
--------------------------------------------------------------------------------
/ch1/01.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-03

#sudo apt-get install -y docker.io
#sudo service docker start
#sudo usermod -aG docker ${USER}

# check version
docker version

# check info
# os/cpu/memory/overlay2/cgroups driver
docker info

# list container
docker ps

# pull image
# No tag given, so this resolves to :latest; pin a tag when results must be reproducible.
docker pull busybox

# list image
docker images

# run busybox
docker run busybox echo hello world

# list container
docker ps -a

# official example
docker run hello-world
--------------------------------------------------------------------------------
/ch1/02.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-03

# check version
docker version

# check info
# os/cpu/memory/overlay2/cgroups driver
docker info

# pull image
docker pull alpine

# list image
docker images

# run container from image
# -it attaches a terminal: the script blocks here until the container shell exits.
docker run -it alpine sh

# check os info
# cat /etc/os-release

# same linux core as host
# uname -a

# try to install some apps
# apk update
# apk add vim
# apk add curl

# list container
docker ps -a
#docker rm xxx

# pull image
docker pull ubuntu:18.04

# run container from image
docker run -it ubuntu:18.04 sh

# try to install some apps
# cat /etc/os-release
# apt update
# apt install -y wget redis
# redis-server &

# pull image
# NOTE(review): ubuntu:18.04 and centos:7 are end-of-life bases that no longer receive
# security updates; fine for this comparison exercise, not for anything long-lived.
docker pull centos:7

# run container from image
docker run -it centos:7 sh
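# same linux core as host
# uname -a

# try to install some apps
# yum update
# yum install vim
# yum install curl

# run and delete after using
docker run -it --rm alpine sh

--------------------------------------------------------------------------------
/ch1/03.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-03

# pull images
docker pull alpine:3.15
docker pull ubuntu:jammy
docker pull nginx:1.21-alpine
docker pull nginx:alpine
docker pull redis

# list images
docker images

# set and show hostname
docker run -h srv alpine hostname

# run nginx
docker run -d nginx:alpine

# list container
docker ps

# check logs
#docker logs xxx

# enter container
# `xxx` is a placeholder for the container id printed by `docker ps`; kept commented
# like the sibling commands above and below so the script does not fail here.
#docker exec -it xxx sh

# stop container
#docker stop xxx

# check container
docker ps
docker ps -a

# delete container
#docker rm xxx

# delete image
docker rmi nginx:alpine

--------------------------------------------------------------------------------
/ch1/04.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-04

docker build -f Dockerfile.busybox .

docker images

# docker inspect b61
# docker run b61

# check dockerignore
cat .dockerignore

docker build -t ngx-app .

docker build -t ngx-app:1.0 .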
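
docker run -it ngx-app sh


--------------------------------------------------------------------------------
/ch1/05.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-04

# official image
docker pull library/nginx

# verified publisher image
docker pull bitnami/nginx
docker pull ubuntu/nginx

# openresty official image
docker pull openresty/openresty

# docker build -t ngx-app .
docker tag ngx-app chronolaw/ngx-app:1.0

# docker login
docker push chronolaw/ngx-app:1.0
# docker logout

# save & load
docker save ngx-app:latest -o ngx.tar
docker rmi ngx-app:latest
docker load -i ngx.tar
--------------------------------------------------------------------------------
/ch1/06.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-04

docker run -d --rm redis

echo 'aaa' > a.txt

# docker cp a.txt 062:/tmp
# docker exec 062 cat /tmp/a.txt
# docker exec -it 062 sh
# docker cp 062:/tmp/a.txt ./b.txt

# Bind-mounts the host's /tmp read-write: the container can modify host files there.
docker run -d --rm -v /tmp:/tmp redis

docker pull python:alpine

# "$(pwd)" instead of backticks keeps the mount source intact when the working
# directory path contains spaces.
# docker run -it --rm -v "$(pwd)":/tmp python:alpine sh
docker run --rm -v "$(pwd)":/tmp python:alpine python /tmp/hello.py

# --net=host shares the host network namespace: no port isolation, the container
# listens directly on the host's interfaces.
docker run -d --rm --net=host nginx:alpine
docker run -d --rm --net=host redis

curl 127.1

# sudo apt install net-tools
#netstat -ntlp
netstat -tlp

docker run -d --rm nginx:alpine
docker run -d --rm redis

#docker inspect 5a | grep IPAddress
#docker inspect ad | grep IPAddress

#ip addr |grep 172.17
#ping 172.17.0.3
#docker exec 5a ping 172.17.0.3

# -p without an address publishes on every host interface, not just loopback.
docker run -d -p 80:80 --rm nginx:alpine
docker run -d -p 8080:80 --rm nginx:alpine

curl 127.1:80 -I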
curl 127.1:8080 -I

docker ps


--------------------------------------------------------------------------------
/ch1/Dockerfile:
--------------------------------------------------------------------------------
# Dockerfile
# chrono @ 2022-03

# https://docs.docker.com/engine/reference/builder/

# docker build -t ngx-app .
# docker build -t ngx-app:1.0 .
# docker run -it ngx-app sh

# Build-time parameters; declared before FROM so they can be used in the FROM line.
ARG IMAGE_BASE="nginx"
ARG IMAGE_TAG="1.21-alpine"

FROM ${IMAGE_BASE}:${IMAGE_TAG}

# NOTE(review): this appends the world-writable /tmp to PATH. Anything a process in
# the container can drop into /tmp then becomes resolvable as a command; acceptable
# for the demo, avoid in real images.
ENV PATH=$PATH:/tmp
ENV DEBUG=OFF

COPY ./default.conf /etc/nginx/conf.d/

RUN cd /usr/share/nginx/html \
    && echo "hello nginx" > a.txt

# EXPOSE is documentation only; it does not publish ports. default.conf also listens
# on 80 and 8080, which are not listed here.
EXPOSE 8081 8082 8083

WORKDIR /etc/nginx




--------------------------------------------------------------------------------
/ch1/Dockerfile.busybox:
--------------------------------------------------------------------------------
# Dockerfile.busybox
# chrono @ 2022-04

# https://docs.docker.com/engine/reference/builder/

# docker build -f Dockerfile.busybox .
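# docker run xxx

FROM busybox

# Shell form: the command runs under /bin/sh -c.
CMD echo "hello world"
--------------------------------------------------------------------------------
/ch1/default.conf:
--------------------------------------------------------------------------------
# chrono @ 2022-04
#
# /etc/nginx/conf.d/default.conf

server {
    listen 80;
    listen 8080-8083;

    # Echoes the server address, hostname and request line back to the client.
    location / {
        default_type text/plain;
        return 200
          "srv : $server_addr:$server_port\nhost: $hostname\nreq : $request_method $request_uri\ndate: $time_iso8601\n";
    }
}
--------------------------------------------------------------------------------
/ch1/hello.py:
--------------------------------------------------------------------------------
# chrono @ 2022-04

# docker run --rm -v `pwd`:/tmp python:alpine python /tmp/hello.py

print("hello")
--------------------------------------------------------------------------------
/ch1/reg.conf:
--------------------------------------------------------------------------------
# chrono @ 2022-04
#
# /etc/nginx/conf.d/default.conf

# docker private addr
upstream registry {
    server 172.17.0.2:5000;
}

server {
    listen 80;
    default_type application/json;

    # do not limit client size (413 error)
    client_max_body_size 0;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host $host;

        proxy_pass http://registry;
    }
}
--------------------------------------------------------------------------------
/ch1/registry.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-04
# https://docs.docker.com/registry/
# https://docs.docker.com/registry/spec/api/

docker pull registry

# The registry runs with no TLS and no authentication, and every push/pull in this
# script goes through 127.0.0.1:5000, so bind the published port to loopback only;
# a bare -p 5000:5000 would expose the writable registry on every host interface.
docker run -d --rm -p 127.0.0.1:5000:5000 registry

# docker run -d -p 127.0.0.1:5000:5000 \
#   -v /tmp/registry:/var/lib/registry \
#   registry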
docker tag nginx:alpine 127.0.0.1:5000/nginx:alpine
docker push 127.0.0.1:5000/nginx:alpine

# check image list
curl 127.1:5000/v2/_catalog | jq

# docker run -d --rm registry

# nginx proxy
# docker run -d --rm \
#   -p 80:80 \
#   -v `pwd`/reg.conf:/etc/nginx/conf.d/default.conf \
#   nginx:alpine

# docker tag nginx:alpine 127.0.0.1:80/nginx:alpine
# docker push 127.0.0.1:80/nginx:alpine
# curl 127.1/v2/_catalog | jq
# curl 127.1/v2/nginx/tags/list
--------------------------------------------------------------------------------
/ch1/wordpress.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-04

# https://hub.docker.com/_/wordpress
#docker pull wordpress:5

# https://hub.docker.com/_/mariadb
#docker pull mariadb:10

# mysql has some problem with arm64
# docker pull mysql:8-oracle

# docker run -d --rm \
#   --net=host \
#   --env MARIADB_DATABASE=db \
#   --env MARIADB_USER=wp \
#   --env MARIADB_PASSWORD=123 \
#   --env MARIADB_ROOT_PASSWORD=123 \
#   mariadb:10

# docker run -d --rm \
#   -p 8080:80 \
#   --net=host \
#   --env WORDPRESS_DB_HOST=`hostname` \
#   --env WORDPRESS_DB_USER=wp \
#   --env WORDPRESS_DB_PASSWORD=123 \
#   --env WORDPRESS_DB_NAME=db \
#   wordpress:5

# docker exec -it a64 mysql -u wp -p
# show databases;
# use db;
# show tables;

# ip addr should be '172.17.0.2'
# The two containers below are wired together by assumed bridge addresses (.2 and .3),
# which only hold if nothing else is running on the default bridge and they start in
# this order; a named container on a user-defined network would not depend on that.
# The demo passwords passed via --env are readable in `docker inspect` and in the
# process listing of anyone on the host — placeholders for the exercise only.
docker run -d --rm \
  --env MARIADB_DATABASE=db \
  --env MARIADB_USER=wp \
  --env MARIADB_PASSWORD=123 \
  --env MARIADB_ROOT_PASSWORD=123 \
  mariadb:10

# ip addr should be '172.17.0.3'
docker run -d --rm \
  --env WORDPRESS_DB_HOST=172.17.0.2 \
  --env WORDPRESS_DB_USER=wp \
  --env WORDPRESS_DB_PASSWORD=123 \
  --env WORDPRESS_DB_NAME=db \
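  wordpress:5

# "$(pwd)" instead of backticks keeps the mount source intact when the working
# directory path contains spaces.
docker run -d --rm \
  -p 80:80 \
  -v "$(pwd)"/wp.conf:/etc/nginx/conf.d/default.conf \
  nginx:alpine

# in browser http://192.168.10.208
--------------------------------------------------------------------------------
/ch1/wp.conf:
--------------------------------------------------------------------------------
# chrono @ 2022-04
#
# /etc/nginx/conf.d/default.conf

server {
    listen 80;
    default_type text/html;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host $host;

        # docker private addr (the wordpress container started second in wordpress.sh)
        proxy_pass http://172.17.0.3;
    }
}
--------------------------------------------------------------------------------
/ch2/09.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-04

minikube version

minikube start
# minikube start --kubernetes-version=v1.23.3

# check node
minikube node list

# check minikube container
docker ps

# login minikube node
# Interactive: the script blocks here until the ssh session ends.
minikube ssh

minikube kubectl -- version --short

# alias for convenience
#alias kubectl='minikube kubectl --'

# Process substitution is a bash feature; run this in bash, not under #!/bin/sh.
#source <(kubectl completion bash)

kubectl run ngx --image=nginx:alpine

kubectl get pod

--------------------------------------------------------------------------------
/ch2/10.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# chrono @ 2022-04

kubectl get node

kubectl get pod -n kube-system

minikube ssh

# docker ps |grep kube-proxy
# ps -ef|grep kubelet

minikube addons list

kubectl run ngx --image=nginx:alpine

minikube dashboard --url=true
--------------------------------------------------------------------------------
/ch2/11.sh: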
-------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2022-04 4 | 5 | kubectl api-resources 6 | 7 | kubectl get pod --v=9 8 | 9 | kubectl apply -f ngx-pod.yml 10 | 11 | kubectl explain pod 12 | kubectl explain pod.metadata 13 | kubectl explain pod.spec 14 | kubectl explain pod.spec.containers 15 | 16 | # export out="--dry-run=client -o yaml" 17 | 18 | kubectl run ngx --image=nginx:alpine --dry-run=client -o yaml 19 | 20 | kubectl delete -f ngx-pod.yml 21 | 22 | -------------------------------------------------------------------------------- /ch2/12.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2022-04 4 | 5 | kubectl apply -f busy-pod.yml 6 | 7 | kubectl logs busy-pod 8 | 9 | kubectl delete -f busy-pod.yaml 10 | #kubectl delete pod busy-pod 11 | 12 | kubectl apply -f ngx-pod.yml 13 | 14 | kubectl describe pod ngx-pod 15 | 16 | kubectl edit pod ngx-pod 17 | 18 | kubectl logs ngx-pod 19 | 20 | # echo 'aaa' > a.txt 21 | kubectl cp a.txt ngx-pod:/tmp 22 | 23 | kubectl exec -it ngx-pod -- sh 24 | 25 | kubectl get pod -o wide 26 | 27 | minikube ssh 28 | curl 172.17.0.4 -I 29 | -------------------------------------------------------------------------------- /ch2/13.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2022-04 4 | 5 | export out="--dry-run=client -o yaml" 6 | 7 | kubectl explain job 8 | 9 | kubectl create job echo-job --image=busybox $out 10 | 11 | kubectl apply -f job.yml 12 | 13 | kubectl get job 14 | kubectl get pod 15 | 16 | #kubectl logs echo-job-pb5gh 17 | 18 | kubectl apply -f sleep-job.yml 19 | 20 | kubectl get job 21 | kubectl get pod 22 | 23 | kubectl delete -f sleep-job.yml 24 | 25 | kubectl create cj echo-cj --image=busybox --schedule="" $out 26 | 27 | kubectl apply -f cronjob.yml 28 | 29 | kubectl get cj 30 | kubectl get pod 31 | 32 | kubectl delete 
-f cronjob.yml 33 | -------------------------------------------------------------------------------- /ch2/14.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2022-04 4 | 5 | export out="--dry-run=client -o yaml" 6 | 7 | kubectl create cm info --from-literal=k=v $out 8 | 9 | kubectl apply -f cm.yml 10 | 11 | kubectl get cm 12 | kubectl describe cm info 13 | 14 | 15 | kubectl create secret generic user --from-literal=name=root $out 16 | 17 | echo -n "123456" | base64 18 | echo -n "mysql" | base64 19 | 20 | kubectl apply -f secret.yml 21 | 22 | kubectl explain pod.spec.containers.env.valueFrom 23 | 24 | kubectl run env-pod --image=busybox $out 25 | 26 | kubectl apply -f env-pod.yml 27 | kubectl get pod 28 | kubectl exec -it env-pod -- sh 29 | 30 | kubectl apply -f vol-pod.yml 31 | kubectl get pod 32 | kubectl exec -it vol-pod -- sh 33 | -------------------------------------------------------------------------------- /ch2/busy-pod.yaml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-04 2 | 3 | # kubectl apply -f busy-pod.yml 4 | # kubectl logs busy-pod 5 | # kubectl delete -f busy-pod.yaml 6 | # kubectl delete pod busy-pod 7 | 8 | # kubectl explain pod.spec 9 | # kubectl explain pod.spec.containers 10 | # kubectl explain pod.spec.containers.env 11 | 12 | apiVersion: v1 13 | kind: Pod 14 | metadata: 15 | name: busy-pod 16 | labels: 17 | owner: chrono 18 | env: demo 19 | region: north 20 | tier: back 21 | 22 | spec: 23 | containers: 24 | - image: busybox:latest 25 | name: busy 26 | imagePullPolicy: IfNotPresent 27 | env: 28 | - name: os 29 | value: "ubuntu" 30 | - name: debug 31 | value: "on" 32 | command: 33 | - /bin/echo 34 | args: 35 | - "$(os), $(debug)" 36 | #restartPolicy: Never 37 | -------------------------------------------------------------------------------- /ch2/cm.yml: 
-------------------------------------------------------------------------------- 1 | # chrono @ 2022-04 2 | 3 | # export out="--dry-run=client -o yaml" 4 | 5 | # kubectl create cm info --from-literal=k=v $out 6 | # kubectl apply -f cm.yml 7 | # kubectl delete -f cm.yml 8 | # Non-secret configuration consumed by env-pod.yml and vol-pod.yml. 9 | apiVersion: v1 10 | kind: ConfigMap 11 | metadata: 12 | name: info 13 | 14 | data: 15 | count: '10' 16 | debug: 'on' 17 | path: '/etc/systemd' 18 | greeting: | 19 | say hello to kubernetes. 20 | -------------------------------------------------------------------------------- /ch2/cronjob.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-04 2 | 3 | # export out="--dry-run=client -o yaml" 4 | 5 | # kubectl create cj echo-cj --image=busybox --schedule="" $out 6 | # kubectl apply -f cronjob.yml 7 | 8 | apiVersion: batch/v1 9 | kind: CronJob 10 | metadata: 11 | name: echo-cj 12 | 13 | spec: 14 | schedule: '*/1 * * * *' # every minute 15 | jobTemplate: 16 | spec: 17 | template: 18 | spec: 19 | restartPolicy: OnFailure 20 | containers: 21 | - image: busybox # no tag: resolves to :latest; pin a tag or digest for reproducible runs 22 | name: echo-cj 23 | imagePullPolicy: IfNotPresent 24 | command: ["/bin/echo"] 25 | args: ["hello", "world"] 26 | -------------------------------------------------------------------------------- /ch2/dash_proxy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2022-04 4 | # Puts an nginx reverse proxy in front of the minikube dashboard proxy on 127.0.0.1:30080. 5 | # in browser: 6 | # http://192.168.10.208:80/api/v1/namespaces/kubernetes-dashboard/services/http:kubernetes-dashboard:/proxy/ 7 | 8 | # minikube dashboard --port=30080 --url=true 9 | # NOTE(review): with --net=host the nginx below listens on port 80 of every host interface and forwards to the dashboard proxy on 127.0.0.1:30080, and the nginx config adds no access control of its own, so the dashboard becomes reachable from the network. /tmp/proxy.conf is a fixed path in a shared directory; a mktemp-created file is the safer choice. 10 | cat << "EOF" > /tmp/proxy.conf 11 | server { 12 | listen 80; 13 | default_type text/html; 14 | 15 | location / { 16 | proxy_http_version 1.1; 17 | proxy_set_header Host localhost; 18 | 19 | proxy_pass http://127.0.0.1:30080; 20 | } 21 | } 22 | EOF 23 | 24 | docker run -d --rm \ 25 | --net=host \ 26 | -v /tmp/proxy.conf:/etc/nginx/conf.d/default.conf \ 27 | nginx:alpine 28 | 29 | 
-------------------------------------------------------------------------------- /ch2/env-pod.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-04 2 | 3 | # kubectl explain pod.spec.containers.env.valueFrom 4 | 5 | # kubectl apply -f env-pod.yml 6 | # kubectl get pod 7 | # kubectl exec -it env-pod -- sh 8 | 9 | # in Pod: 10 | # echo $COUNT 11 | # echo $GREETING 12 | # echo $USERNAME 13 | # echo $PASSWORD 14 | 15 | apiVersion: v1 16 | kind: Pod 17 | metadata: 18 | name: env-pod 19 | 20 | spec: 21 | containers: 22 | - env: 23 | - name: COUNT 24 | valueFrom: 25 | configMapKeyRef: 26 | name: info 27 | key: count 28 | - name: GREETING 29 | valueFrom: 30 | configMapKeyRef: 31 | name: info 32 | key: greeting 33 | - name: USERNAME 34 | valueFrom: 35 | secretKeyRef: 36 | name: user 37 | key: name 38 | - name: PASSWORD 39 | valueFrom: 40 | secretKeyRef: 41 | name: user 42 | key: pwd 43 | 44 | image: busybox 45 | name: busy 46 | imagePullPolicy: IfNotPresent 47 | command: ["/bin/sleep", "300"] 48 | 49 | -------------------------------------------------------------------------------- /ch2/job.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-04 2 | 3 | # export out="--dry-run=client -o yaml" 4 | 5 | # kubectl create job echo-job --image=busybox $out 6 | # kubectl apply -f job.yml 7 | 8 | apiVersion: batch/v1 9 | kind: Job 10 | metadata: 11 | name: echo-job 12 | 13 | spec: 14 | template: 15 | spec: 16 | restartPolicy: OnFailure 17 | containers: 18 | - image: busybox 19 | name: echo-job 20 | imagePullPolicy: IfNotPresent 21 | command: ["/bin/echo"] 22 | args: ["hello", "world"] 23 | -------------------------------------------------------------------------------- /ch2/mariadb-pod.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-04 2 | 3 | # kubectl apply -f mariadb-pod.yml 4 | # kubectl delete -f mariadb-pod.yml 5 
| 6 | # you can change it to secret (NOTE(review): PASSWORD and ROOT_PASSWORD are stored in plain text in a ConfigMap and injected as MARIADB_* env vars through envFrom below; a Secret is the right object for them, see secret.yml) 7 | apiVersion: v1 8 | kind: ConfigMap 9 | metadata: 10 | name: maria-cm 11 | 12 | data: 13 | DATABASE: 'db' 14 | USER: 'wp' 15 | PASSWORD: '123' 16 | ROOT_PASSWORD: '123' 17 | 18 | --- 19 | 20 | apiVersion: v1 21 | kind: Pod 22 | metadata: 23 | name: maria-pod 24 | labels: 25 | app: wordpress 26 | role: database 27 | 28 | spec: 29 | containers: 30 | - image: mariadb:10 31 | name: maria 32 | imagePullPolicy: IfNotPresent 33 | ports: 34 | - containerPort: 3306 35 | 36 | envFrom: 37 | - prefix: 'MARIADB_' 38 | configMapRef: 39 | name: maria-cm 40 | 41 | --- 42 | 43 | -------------------------------------------------------------------------------- /ch2/ngx-pod.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-04 2 | 3 | # kubectl apply -f ngx-pod.yml 4 | # Minimal single-container nginx pod used by the ch2 command logs. 5 | apiVersion: v1 6 | kind: Pod 7 | metadata: 8 | name: ngx-pod 9 | labels: 10 | env: demo 11 | owner: chrono 12 | 13 | spec: 14 | containers: 15 | - image: nginx:alpine 16 | name: ngx 17 | ports: 18 | - containerPort: 80 19 | -------------------------------------------------------------------------------- /ch2/proxy-pod.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-04 2 | 3 | # kubectl apply -f proxy-pod.yml 4 | # nginx proxy pod whose default.conf comes from the ConfigMap below; the upstream address inside it is hard-coded and must match the running wordpress pod. 5 | apiVersion: v1 6 | kind: ConfigMap 7 | metadata: 8 | name: proxy-cm 9 | 10 | data: 11 | default.conf: | 12 | server { 13 | listen 80; 14 | default_type text/html; 15 | 16 | location / { 17 | proxy_http_version 1.1; 18 | proxy_set_header Host $host; 19 | 20 | # change to wordpress' ip addr 21 | proxy_pass http://172.17.0.6; 22 | } 23 | } 24 | 25 | --- 26 | 27 | apiVersion: v1 28 | kind: Pod 29 | metadata: 30 | name: proxy-pod 31 | labels: 32 | app: wordpress 33 | role: proxy 34 | 35 | spec: 36 | volumes: 37 | - name: proxy-cm-vol 38 | configMap: 39 | name: proxy-cm 40 | 41 | containers: 42 | - image: nginx:alpine 43 | name: ngx 44 | imagePullPolicy: 
IfNotPresent 45 | ports: 46 | - containerPort: 80 47 | 48 | volumeMounts: 49 | - mountPath: /etc/nginx/conf.d 50 | name: proxy-cm-vol 51 | 52 | --- 53 | 54 | # kubectl expose pod proxy-pod --port=80 $out 55 | apiVersion: v1 56 | kind: Service 57 | metadata: 58 | name: proxy-svc 59 | labels: 60 | app: wordpress 61 | 62 | spec: 63 | selector: 64 | app: wordpress 65 | role: proxy 66 | 67 | type: NodePort 68 | 69 | ports: 70 | - port: 80 71 | protocol: TCP 72 | targetPort: 80 73 | nodePort: 30080 # NodePort: the proxy is published on this port of every node's IP 74 | 75 | --- 76 | 77 | -------------------------------------------------------------------------------- /ch2/secret.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-04 2 | 3 | # export out="--dry-run=client -o yaml" 4 | 5 | #kubectl create secret generic user --from-literal=name=root $out 6 | # echo -n "123456" | base64 # MTIzNDU2 7 | # echo -n "mysql" | base64 # bXlzcWw= 8 | # NOTE(review): base64 is an encoding, not encryption — the values under data: decode back to the strings shown above, so anyone who can read this file or get the Secret object has the credentials; keep real values out of the repo. 9 | # kubectl apply -f secret.yml 10 | # kubectl delete -f secret.yml 11 | 12 | apiVersion: v1 13 | kind: Secret 14 | metadata: 15 | name: user 16 | 17 | data: 18 | name: cm9vdA== 19 | pwd: MTIzNDU2 20 | db: bXlzcWw= 21 | -------------------------------------------------------------------------------- /ch2/sleep-job.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-04 2 | 3 | # kubectl apply -f sleep-job.yml 4 | # kubectl delete -f sleep-job.yml 5 | # kubectl get pod -w 6 | # Job with 4 completions, 2 in parallel, bounded by a 15 s deadline and 2 retries. 7 | apiVersion: batch/v1 8 | kind: Job 9 | metadata: 10 | name: sleep-job 11 | 12 | spec: 13 | activeDeadlineSeconds: 15 14 | backoffLimit: 2 15 | completions: 4 16 | parallelism: 2 17 | 18 | template: 19 | spec: 20 | restartPolicy: OnFailure 21 | containers: 22 | - image: busybox # no tag: resolves to :latest; pin a tag or digest for reproducible runs 23 | name: echo-job 24 | imagePullPolicy: IfNotPresent 25 | command: 26 | - sh 27 | - -c 28 | - sleep $(($RANDOM % 10 + 1)) && echo done 29 | -------------------------------------------------------------------------------- /ch2/vol-pod.yml: 
-------------------------------------------------------------------------------- 1 | # chrono @ 2022-04 2 | 3 | # kubectl explain pod.spec.containers.env.valueFrom 4 | 5 | # kubectl explain pod.spec.volumes 6 | # kubectl explain pod.spec.containers.volumeMounts 7 | 8 | # kubectl apply -f vol-pod.yml 9 | # kubectl get pod 10 | # kubectl exec -it vol-pod -- sh 11 | 12 | # in Pod: 13 | # cat /tmp/cm-items/greeting 14 | # cat /tmp/sec-items/db 15 | 16 | apiVersion: v1 17 | kind: Pod 18 | metadata: 19 | name: vol-pod 20 | 21 | spec: 22 | volumes: 23 | - name: cm-vol 24 | configMap: 25 | name: info 26 | - name: sec-vol 27 | secret: 28 | secretName: user 29 | 30 | containers: 31 | - volumeMounts: 32 | - mountPath: /tmp/cm-items 33 | name: cm-vol 34 | - mountPath: /tmp/sec-items 35 | name: sec-vol 36 | 37 | image: busybox 38 | name: busy 39 | imagePullPolicy: IfNotPresent 40 | command: ["/bin/sleep", "300"] 41 | 42 | -------------------------------------------------------------------------------- /ch2/wp-pod.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-04 2 | 3 | # kubectl apply -f wp-pod.yml 4 | # kubectl delete -f wp-pod.yml 5 | 6 | # you can change it to secret 7 | apiVersion: v1 8 | kind: ConfigMap 9 | metadata: 10 | name: wp-cm 11 | 12 | data: 13 | HOST: '172.17.0.2' 14 | USER: 'wp' 15 | PASSWORD: '123' 16 | NAME: 'db' 17 | 18 | --- 19 | 20 | apiVersion: v1 21 | kind: Pod 22 | metadata: 23 | name: wp-pod 24 | labels: 25 | app: wordpress 26 | role: website 27 | 28 | spec: 29 | containers: 30 | - image: wordpress:5 31 | name: wp-pod 32 | imagePullPolicy: IfNotPresent 33 | ports: 34 | - containerPort: 80 35 | 36 | envFrom: 37 | - prefix: 'WORDPRESS_DB_' 38 | configMapRef: 39 | name: wp-cm 40 | 41 | --- 42 | 43 | -------------------------------------------------------------------------------- /ch2/wp_proxy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | 
# chrono @ 2022-04 4 | # Puts an nginx reverse proxy (host network, port 80) in front of a kubectl port-forward on 127.0.0.1:8080. 5 | # in browser: 6 | # http://192.168.10.208:80 7 | 8 | # kubectl port-forward wp-pod 8080:80 & 9 | # kubectl port-forward proxy-pod 8080:80 & 10 | # NOTE(review): with --net=host the nginx below listens on port 80 of every host interface and forwards to the port-forward on 127.0.0.1:8080, so the pod is published beyond the host with no access control in the proxy config. /tmp/proxy.conf is a fixed path in a shared directory; a mktemp-created file is the safer choice. 11 | cat << "EOF" > /tmp/proxy.conf 12 | server { 13 | listen 80; 14 | default_type text/html; 15 | 16 | location / { 17 | proxy_http_version 1.1; 18 | proxy_set_header Host $host; 19 | 20 | proxy_pass http://127.0.0.1:8080; 21 | } 22 | } 23 | EOF 24 | 25 | docker run -d --rm \ 26 | --net=host \ 27 | -v /tmp/proxy.conf:/etc/nginx/conf.d/default.conf \ 28 | nginx:alpine 29 | 30 | -------------------------------------------------------------------------------- /ch3/17.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2022-05 4 | # Bootstraps a kubeadm cluster by running the ../admin helper scripts in order. 5 | cd ../admin # NOTE(review): no set -e and the cd is unchecked; if ../admin is missing, the ./*.sh calls below run against the current directory instead 6 | 7 | # setup docker/iptables/fstab/swap 8 | ./prepare.sh 9 | 10 | # install kubeadm 11 | ./admin.sh 12 | 13 | # pull k8s images 14 | ./images.sh 15 | 16 | # setup master node 17 | ./master.sh 18 | 19 | # setup flannel 20 | ./network.sh 21 | 22 | # setup worker node 23 | #./worker.sh 24 | -------------------------------------------------------------------------------- /ch3/18.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2022-05 4 | # Command log: create, apply and scale the ngx-dep Deployment, then try label selectors. 5 | export out="--dry-run=client -o yaml" 6 | 7 | kubectl create deploy ngx-dep --image=nginx:alpine $out 8 | 9 | kubectl apply -f ngx-dep.yml # NOTE(review): the tree has no ngx-dep.yml; ch3/deploy.yml is the manifest that defines ngx-dep — confirm the intended file 10 | 11 | kubectl get deploy 12 | kubectl get pod 13 | 14 | kubectl scale --replicas=5 deploy ngx-dep 15 | 16 | kubectl get pod -l app=nginx 17 | kubectl get pod -l 'app in (ngx, nginx, ngx-dep)' 18 | -------------------------------------------------------------------------------- /ch3/19.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2022-05 4 | # Command log: derive a DaemonSet manifest from a Deployment template and apply it. 5 | export out="--dry-run=client -o yaml" 6 | 7 | # change kind to DaemonSet (the generated YAML is only printed, not saved; the apply below reads redis-ds.yml while the tree ships ch3/ds.yml — confirm the file name) 8 | kubectl create deploy redis-ds --image=redis:5-alpine 
$out \ 9 | | sed 's/Deployment/DaemonSet/g' - \ 10 | | sed -e '/replicas/d' - 11 | 12 | kubectl explain ds.spec 13 | kubectl explain ds.spec.template 14 | 15 | kubectl apply -f redis-ds.yml 16 | 17 | # kubectl taint node master node-role.kubernetes.io/master:NoSchedule 18 | # kubectl taint node master node-role.kubernetes.io/master:NoSchedule- 19 | 20 | kubectl get ds 21 | 22 | kubectl describe node master 23 | kubectl describe node worker 24 | 25 | -------------------------------------------------------------------------------- /ch3/20.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2022-05 4 | 5 | export out="--dry-run=client -o yaml" 6 | 7 | kubectl expose deploy ngx-dep --port=80 $out 8 | 9 | kubectl apply -f svc.yml 10 | 11 | kubectl describe svc ngx-svc 12 | 13 | kubectl get pod -o wide 14 | 15 | kubectl exec -it ngx-dep-785b6bbbd7-7hmtv -- sh 16 | -------------------------------------------------------------------------------- /ch3/21.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2022-05 4 | 5 | wget https://github.com/nginxinc/kubernetes-ingress/archive/refs/tags/v2.2.0.tar.gz 6 | 7 | tar xfz v2.2.0.tar.gz 8 | 9 | kubectl get ns 10 | 11 | docker pull nginx/nginx-ingress:2.2-alpine 12 | 13 | export out="--dry-run=client -o yaml" 14 | 15 | kubectl create ing ngx-ing --rule="ngx.test/=ngx-svc:80" --class=ngx-ink $out 16 | 17 | kubectl apply -f ingress.yml 18 | 19 | kubectl get ingressclass 20 | kubectl get ing 21 | 22 | kubectl describe ing ngx-ing 23 | 24 | kubectl apply -f kic.yml 25 | 26 | kubectl get ing 27 | 28 | kubectl get pod -n nginx-ingress 29 | 30 | kubectl port-forward -n nginx-ingress ngx-kic-dep-5956f8f878-fk2vw 8080:80 & 31 | 32 | curl --resolve ngx.test:8080:127.0.0.1 http://ngx.test:8080 33 | 34 | kubectl scale --replicas=5 deploy ngx-dep 35 | 36 | kubectl describe svc ngx-svc 37 | 38 | curl --resolve 
ngx.test:8080:127.0.0.1 ngx.test:8080 39 | 40 | -------------------------------------------------------------------------------- /ch3/deploy.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | 3 | # kubectl apply -f deploy.yml 4 | 5 | --- 6 | 7 | # this cm will be mounted to /etc/nginx/conf.d 8 | apiVersion: v1 9 | kind: ConfigMap 10 | metadata: 11 | name: ngx-conf 12 | 13 | data: 14 | default.conf: | 15 | server { 16 | listen 80; 17 | location / { 18 | default_type text/plain; 19 | return 200 20 | 'srv : $server_addr:$server_port\nhost: $hostname\nuri : $request_method $host $request_uri\ndate: $time_iso8601\n'; 21 | } 22 | } 23 | 24 | --- 25 | 26 | apiVersion: apps/v1 27 | kind: Deployment 28 | metadata: 29 | name: ngx-dep 30 | labels: 31 | app: ngx-dep 32 | 33 | spec: 34 | replicas: 2 35 | selector: 36 | matchLabels: 37 | app: ngx-dep 38 | 39 | template: 40 | metadata: 41 | labels: 42 | app: ngx-dep 43 | spec: 44 | volumes: 45 | - name: ngx-conf-vol 46 | configMap: 47 | name: ngx-conf 48 | 49 | containers: 50 | - image: nginx:alpine 51 | name: nginx 52 | ports: 53 | - containerPort: 80 54 | 55 | volumeMounts: 56 | - mountPath: /etc/nginx/conf.d 57 | name: ngx-conf-vol 58 | 59 | --- 60 | 61 | -------------------------------------------------------------------------------- /ch3/ds.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | 3 | # https://kubernetes.io/zh/docs/concepts/scheduling-eviction/taint-and-toleration/ 4 | # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#toleration-v1-core 5 | 6 | # kubectl apply -f ds.yml 7 | 8 | apiVersion: apps/v1 9 | kind: DaemonSet 10 | metadata: 11 | name: redis-ds 12 | labels: 13 | app: redis-ds 14 | 15 | spec: 16 | selector: 17 | matchLabels: 18 | name: redis-ds 19 | 20 | template: 21 | metadata: 22 | labels: 23 | name: redis-ds 24 | 25 | spec: 26 | containers: 27 | - name: redis5 28 
| image: redis:5-alpine 29 | ports: 30 | - containerPort: 6379 31 | 32 | tolerations: 33 | # this toleration is to have the daemonset runnable on master nodes 34 | # remove it if your masters can't run pods 35 | - key: node-role.kubernetes.io/master 36 | effect: NoSchedule 37 | operator: Exists 38 | 39 | -------------------------------------------------------------------------------- /ch3/ingress.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | 3 | # kubectl create ing ngx-ing --rule="ngx.test/=ngx-svc:80" $out 4 | # kubectl create ing ngx-ing --rule="ngx.test/=ngx-svc:80" --class=ngx-ink $out 5 | 6 | # https://docs.nginx.com/nginx-ingress-controller/ 7 | 8 | # curl 127.1/nginx-health 9 | # curl 127.1:8081/nginx-ready 10 | 11 | --- 12 | 13 | apiVersion: networking.k8s.io/v1 14 | kind: IngressClass 15 | metadata: 16 | name: ngx-ink 17 | 18 | spec: 19 | controller: nginx.org/ingress-controller 20 | 21 | --- 22 | 23 | apiVersion: networking.k8s.io/v1 24 | kind: Ingress 25 | metadata: 26 | name: ngx-ing 27 | 28 | # customize the behaviors of nginx 29 | annotations: 30 | nginx.org/lb-method: round_robin 31 | 32 | spec: 33 | ingressClassName: ngx-ink 34 | 35 | rules: 36 | - host: ngx.test 37 | http: 38 | paths: 39 | - path: / 40 | pathType: Prefix 41 | backend: 42 | service: 43 | name: ngx-svc 44 | port: 45 | number: 80 46 | --- 47 | 48 | -------------------------------------------------------------------------------- /ch3/kic.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | 3 | # https://docs.nginx.com/nginx-ingress-controller/ 4 | 5 | # metadata: name 6 | # matchLabels -> app 7 | # - -ingress-class=ngx-ink 8 | 9 | # kubectl port-forward -n nginx-ingress ngx-kic-dep-5956f8f878-89s4z 8080:80 & 10 | # curl 127.1:8080/nginx-health 11 | # kubectl port-forward -n nginx-ingress ngx-kic-dep-5956f8f878-89s4z 8081:8081 & 12 | # curl 
127.1:8081/nginx-ready 13 | # kubectl port-forward -n nginx-ingress ngx-kic-dep-5956f8f878-89s4z 8088:8080 & 14 | # curl 127.1:8088/stub_status 15 | 16 | # in cluster: 17 | # curl --resolve ngx.test:80:10.10.2.17 ngx.test 18 | 19 | # kubectl port-forward -n nginx-ingress ngx-kic-dep-5956f8f878-fk2vw 8080:80 & 20 | # curl --resolve ngx.test:8080:127.0.0.1 ngx.test:8080 21 | # NGINX Ingress Controller Deployment handling the ngx-ink IngressClass (ingress.yml). 22 | apiVersion: apps/v1 23 | kind: Deployment 24 | metadata: 25 | name: ngx-kic-dep 26 | namespace: nginx-ingress 27 | 28 | spec: 29 | replicas: 1 30 | selector: 31 | matchLabels: 32 | app: ngx-kic-dep 33 | 34 | template: 35 | metadata: 36 | labels: 37 | app: ngx-kic-dep 38 | #annotations: 39 | #prometheus.io/scrape: "true" 40 | #prometheus.io/port: "9113" 41 | #prometheus.io/scheme: http 42 | spec: 43 | serviceAccountName: nginx-ingress 44 | containers: 45 | #- image: nginx/nginx-ingress:2.2.0 46 | - image: nginx/nginx-ingress:2.2-alpine 47 | imagePullPolicy: IfNotPresent 48 | name: nginx-ingress 49 | ports: 50 | - name: http 51 | containerPort: 80 52 | - name: https 53 | containerPort: 443 54 | - name: readiness-port 55 | containerPort: 8081 56 | - name: prometheus 57 | containerPort: 9113 58 | readinessProbe: 59 | httpGet: 60 | path: /nginx-ready 61 | port: readiness-port 62 | periodSeconds: 1 63 | securityContext: 64 | allowPrivilegeEscalation: true # NOTE(review): only needed if the binary relies on setuid/file capabilities to bind :80/:443 as uid 101 — confirm against the upstream manifest; if the controller still starts with false, prefer false 65 | runAsUser: 101 #nginx 66 | capabilities: 67 | drop: 68 | - ALL 69 | add: 70 | - NET_BIND_SERVICE 71 | env: 72 | - name: POD_NAMESPACE 73 | valueFrom: 74 | fieldRef: 75 | fieldPath: metadata.namespace 76 | - name: POD_NAME 77 | valueFrom: 78 | fieldRef: 79 | fieldPath: metadata.name 80 | args: 81 | - -ingress-class=ngx-ink 82 | - -health-status 83 | - -ready-status 84 | - -nginx-status # exposes /stub_status as plain HTTP (see the curl example above); keep it reachable only via port-forward or from inside the cluster 85 | 86 | - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config 87 | - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret # the tree appears to ship this secret (ingress/common/default-server-secret.yaml); a committed TLS key is for demos only 88 | #- -v=3 # Enables extensive logging. Useful for troubleshooting. 
89 | #- -report-ingress-status 90 | #- -external-service=nginx-ingress 91 | #- -enable-prometheus-metrics 92 | #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration 93 | -------------------------------------------------------------------------------- /ch3/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | # 3 | # kubectl apply -k . 4 | # kubectl delete -k . 5 | 6 | resources: 7 | - wp-maria.yml 8 | - wp-dep.yml 9 | - wp-ing.yml 10 | - wp-kic.yml 11 | 12 | -------------------------------------------------------------------------------- /ch3/svc.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | 3 | # kubectl expose deploy ngx-dep --port=80 $out 4 | # kubectl apply -f svc.yml 5 | # kubectl describe svc ngx-svc 6 | # kubectl get pod -o wide 7 | # kubectl exec -it ngx-dep-785b6bbbd7-7hmtv -- sh 8 | 9 | apiVersion: v1 10 | kind: Service 11 | metadata: 12 | name: ngx-svc 13 | 14 | spec: 15 | selector: 16 | app: ngx-dep 17 | 18 | ports: 19 | - port: 80 20 | protocol: TCP 21 | targetPort: 80 22 | 23 | #type: ClusterIP 24 | type: NodePort 25 | -------------------------------------------------------------------------------- /ch3/wp-dep.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | 3 | # kubectl expose deploy wp-dep --port=80 $out 4 | 5 | # kubectl apply -f wp-dep.yml 6 | # kubectl delete -f wp-dep.yml 7 | 8 | --- 9 | 10 | # you can change it to secret 11 | apiVersion: v1 12 | kind: ConfigMap 13 | metadata: 14 | name: wp-cm 15 | 16 | data: 17 | HOST: 'maria-svc' 18 | USER: 'wp' 19 | PASSWORD: '123' 20 | NAME: 'db' 21 | 22 | --- 23 | 24 | apiVersion: apps/v1 25 | kind: Deployment 26 | metadata: 27 | labels: 28 | app: wp-dep 29 | name: wp-dep 30 | 31 | spec: 32 | replicas: 2 33 | selector: 34 | matchLabels: 35 | app: wp-dep 36 | 37 | template: 38 | metadata: 39 | 
labels: 40 | app: wp-dep 41 | spec: 42 | containers: 43 | - image: wordpress:5 44 | name: wordpress 45 | imagePullPolicy: IfNotPresent 46 | ports: 47 | - containerPort: 80 48 | 49 | envFrom: 50 | - prefix: 'WORDPRESS_DB_' 51 | configMapRef: 52 | name: wp-cm 53 | 54 | #env: 55 | #- name: WORDPRESS_CONFIG_EXTRA 56 | # value: | 57 | # define('WP_HOME', 'http://'.$_SERVER['HTTP_ORIGIN']); 58 | # define('WP_SITEURL', 'http://'.$_SERVER['HTTP_ORIGIN']); 59 | 60 | --- 61 | 62 | apiVersion: v1 63 | kind: Service 64 | metadata: 65 | labels: 66 | app: wp-dep 67 | name: wp-svc 68 | 69 | spec: 70 | ports: 71 | - name: http80 72 | port: 80 73 | protocol: TCP 74 | targetPort: 80 75 | nodePort: 30088 76 | 77 | selector: 78 | app: wp-dep 79 | type: NodePort 80 | 81 | --- 82 | 83 | -------------------------------------------------------------------------------- /ch3/wp-ing.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | 3 | # kubectl create ing wp-ing --rule="wp.test/=wp-svc:80" $out 4 | # kubectl create ing wp-ing --rule="wp.test/=wp-svc:80" --class=wp-ink $out 5 | 6 | # https://docs.nginx.com/nginx-ingress-controller/ 7 | 8 | # curl 127.1/nginx-health 9 | # curl 127.1:8081/nginx-ready 10 | 11 | --- 12 | 13 | apiVersion: networking.k8s.io/v1 14 | kind: IngressClass 15 | metadata: 16 | name: wp-ink 17 | 18 | spec: 19 | controller: nginx.org/ingress-controller 20 | 21 | --- 22 | 23 | apiVersion: networking.k8s.io/v1 24 | kind: Ingress 25 | metadata: 26 | name: wp-ing 27 | 28 | # customize the behaviors of nginx 29 | annotations: 30 | nginx.org/lb-method: round_robin 31 | 32 | nginx.org/location-snippets: | 33 | #proxy_redirect ~^(http://[^:]+)(/.+)$ $1:30080$2; 34 | #proxy_redirect http://$host/ http://$host:30080/; 35 | 36 | spec: 37 | ingressClassName: wp-ink 38 | 39 | rules: 40 | - host: wp.test 41 | http: 42 | paths: 43 | - path: / 44 | pathType: Prefix 45 | backend: 46 | service: 47 | name: wp-svc 48 | port: 49 | 
number: 80 50 | --- 51 | 52 | -------------------------------------------------------------------------------- /ch3/wp-kic.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | # NGINX Ingress Controller for the wp-ink IngressClass (wp-ing.yml), run on the host network and exposed through a NodePort Service. 3 | # https://docs.nginx.com/nginx-ingress-controller/ 4 | 5 | # kubectl port-forward -n nginx-ingress wp-kic-dep-78f8c64fd4-h9n9r 8080:80 & 6 | # curl 127.1:8080/nginx-health 7 | # kubectl port-forward -n nginx-ingress ngx-kic-dep-8859b7b86-6rl2f 8081:8081 & 8 | # curl 127.1:8081/nginx-ready 9 | # kubectl port-forward -n nginx-ingress ngx-kic-dep-8859b7b86-6rl2f 8088:8080 & 10 | # curl 127.1:8088/stub_status 11 | 12 | # kubectl expose -n nginx-ingress deploy wp-kic-dep --port=80 --type=NodePort $out 13 | # curl --resolve wp.test:30080:192.168.10.210 wp.test:30080 14 | 15 | # sudo vi /etc/hosts, add wp.test 16 | 17 | --- 18 | 19 | apiVersion: apps/v1 20 | kind: Deployment 21 | metadata: 22 | name: wp-kic-dep 23 | namespace: nginx-ingress 24 | 25 | spec: 26 | replicas: 1 27 | selector: 28 | matchLabels: 29 | app: wp-kic-dep 30 | 31 | template: 32 | metadata: 33 | labels: 34 | app: wp-kic-dep 35 | #annotations: 36 | #prometheus.io/scrape: "true" 37 | #prometheus.io/port: "9113" 38 | #prometheus.io/scheme: http 39 | spec: 40 | serviceAccountName: nginx-ingress 41 | 42 | # use host network (NOTE(review): the pod shares the node's network namespace, so the container ports listed below — 80, 443, 8081, 9113 — and the stub_status endpoint referenced above listen on the node's own interfaces, not only through the NodePort Service; anything on the node's network can reach them) 43 | hostNetwork: true 44 | dnsPolicy: ClusterFirstWithHostNet 45 | 46 | containers: 47 | #- image: nginx/nginx-ingress:2.2.0 48 | - image: nginx/nginx-ingress:2.2-alpine 49 | imagePullPolicy: IfNotPresent 50 | name: nginx-ingress 51 | ports: 52 | - name: http 53 | containerPort: 80 54 | - name: https 55 | containerPort: 443 56 | - name: readiness-port 57 | containerPort: 8081 58 | - name: prometheus 59 | containerPort: 9113 60 | readinessProbe: 61 | httpGet: 62 | path: /nginx-ready 63 | port: readiness-port 64 | periodSeconds: 1 65 | securityContext: 66 | allowPrivilegeEscalation: true # NOTE(review): only needed if the binary relies on setuid/file capabilities to bind :80/:443 as uid 101 — confirm against the upstream manifest; if the controller still starts with false, prefer false 67 | runAsUser: 101 #nginx 68 | capabilities: 69 | drop: 70 | - 
ALL 71 | add: 72 | - NET_BIND_SERVICE 73 | env: 74 | - name: POD_NAMESPACE 75 | valueFrom: 76 | fieldRef: 77 | fieldPath: metadata.namespace 78 | - name: POD_NAME 79 | valueFrom: 80 | fieldRef: 81 | fieldPath: metadata.name 82 | args: 83 | - -ingress-class=wp-ink 84 | - -health-status 85 | - -ready-status 86 | - -nginx-status 87 | - -enable-snippets 88 | 89 | - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config 90 | - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret 91 | #- -v=3 # Enables extensive logging. Useful for troubleshooting. 92 | #- -report-ingress-status 93 | #- -external-service=nginx-ingress 94 | #- -enable-prometheus-metrics 95 | #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration 96 | 97 | --- 98 | 99 | apiVersion: v1 100 | kind: Service 101 | metadata: 102 | name: wp-kic-svc 103 | namespace: nginx-ingress 104 | 105 | spec: 106 | ports: 107 | - port: 80 108 | protocol: TCP 109 | targetPort: 80 110 | nodePort: 30080 111 | 112 | selector: 113 | app: wp-kic-dep 114 | type: NodePort 115 | 116 | --- 117 | 118 | -------------------------------------------------------------------------------- /ch3/wp-maria.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | 3 | # kubectl expose deploy maria-dep --port=3306 $out 4 | 5 | # kubectl apply -f wp-maria.yml 6 | # kubectl delete -f wp-maria.yml 7 | 8 | # kubectl exec -it maria-dep-767bbdccb5-bh9vl -- mysql -u wp -p 9 | 10 | --- 11 | 12 | # you can change it to secret 13 | apiVersion: v1 14 | kind: ConfigMap 15 | metadata: 16 | name: maria-cm 17 | 18 | data: 19 | DATABASE: 'db' 20 | USER: 'wp' 21 | PASSWORD: '123' 22 | ROOT_PASSWORD: '123' 23 | 24 | --- 25 | 26 | apiVersion: apps/v1 27 | kind: Deployment 28 | metadata: 29 | labels: 30 | app: maria-dep 31 | name: maria-dep 32 | 33 | spec: 34 | replicas: 1 35 | selector: 36 | matchLabels: 37 | app: maria-dep 38 | 39 | template: 40 | metadata: 41 | labels: 42 | app: maria-dep 43 | 
spec: 44 | containers: 45 | - image: mariadb:10 46 | name: mariadb 47 | imagePullPolicy: IfNotPresent 48 | ports: 49 | - containerPort: 3306 50 | 51 | envFrom: 52 | - prefix: 'MARIADB_' 53 | configMapRef: 54 | name: maria-cm 55 | 56 | --- 57 | 58 | apiVersion: v1 59 | kind: Service 60 | metadata: 61 | labels: 62 | app: maria-dep 63 | name: maria-svc 64 | 65 | spec: 66 | ports: 67 | - port: 3306 68 | protocol: TCP 69 | targetPort: 3306 70 | selector: 71 | app: maria-dep 72 | 73 | --- 74 | 75 | -------------------------------------------------------------------------------- /ch4/26.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2022-05 4 | 5 | # ensure nfs data path is there 6 | mkdir -p /tmp/nfs 7 | 8 | export out="--dry-run=client -o yaml" 9 | 10 | # change kind to StatefulSet, add field 'serviceName' 11 | kubectl create deploy redis-sts --image=redis:5-alpine $out \ 12 | | sed 's/Deployment/StatefulSet/g' - \ 13 | | sed '/replicas/i\ serviceName: x-svc' - 14 | 15 | kubectl apply -f redis-sts.yml 16 | 17 | # enter a sts pod 18 | kubectl exec -it redis-sts-0 -- sh 19 | 20 | echo $HOSTNAME 21 | 22 | # pod-name.svc-name 23 | ping redis-sts-0.redis-svc 24 | ping redis-sts-1.redis-svc 25 | 26 | # create a temporary pod 27 | kubectl run dummy --image=nginx:alpine 28 | 29 | # create a svc template, then add clusterIP=None 30 | kubectl expose pod dummy --port=6379 $out 31 | 32 | # create sts with pv 33 | kubectl apply -f redis-pv-sts.yml 34 | 35 | # check redis kv store 36 | kubectl exec -it redis-pv-sts-0 -- redis-cli 37 | set a 111 38 | set b 222 39 | 40 | # delete the pod 41 | kubectl delete pod redis-pv-sts-0 42 | 43 | -------------------------------------------------------------------------------- /ch4/28.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2022-06 4 | 5 | kubectl explain pod.spec.containers.resources 6 | 7 | kubectl 
explain pod.spec.containers.startupProbe 8 | kubectl explain pod.spec.containers.livenessProbe 9 | kubectl explain pod.spec.containers.readinessProbe 10 | -------------------------------------------------------------------------------- /ch4/29.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2022-06 4 | 5 | kubectl create ns test-ns 6 | kubectl get ns 7 | 8 | kubectl get pod -n test-ns 9 | 10 | kubectl delete ns test-ns 11 | 12 | 13 | kubectl explain quota.spec 14 | 15 | kubectl create job echo1 -n dev-ns --image=busybox -- echo hello 16 | kubectl create job echo2 -n dev-ns --image=busybox -- echo hello 17 | 18 | kubectl run ngx --image=nginx:alpine -n dev-ns 19 | 20 | kubectl explain limits.spec.limits 21 | 22 | kubectl describe limitranges -n dev-ns 23 | -------------------------------------------------------------------------------- /ch4/31.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2022-07 4 | 5 | sudo apt install net-tools -y 6 | sudo apt install tshark -y 7 | 8 | # work on MASTER node 9 | 10 | # bridge 11 | brctl show 12 | 13 | # cni0 : 10.10.0.0 14 | # flannel.1: 10.10.1.0 15 | route 16 | 17 | # 10.10.1.0 -> 9a:23:ea:5f:a4:c8 18 | ip neighbor |grep 10.10.1 19 | 20 | # 9a:23:ea:5f:a4:c8 -> 192.168.10.220 21 | bridge fdb |grep flannel 22 | 23 | # create 3 pods 24 | kubectl create deploy ngx-dep --image=nginx:alpine --replicas=3 25 | 26 | # see ip addr 27 | kubectl get pod -o wide 28 | 29 | # check eth0@ifXX 30 | kubectl exec -it ngx-dep-bfbb5f64b-77w94 -- ip addr 31 | 32 | # check the first number, get the veth 33 | ip link 34 | 35 | # dump cni0 36 | sudo tcpdump port 80 -i cni0 -w a.pcap 37 | tcpdump -r a.pcap -e -X 38 | 39 | # dump flannel.1 40 | sudo tcpdump port 80 -i flannel.1 -w a.pcap 41 | -------------------------------------------------------------------------------- /ch4/empty-dir-pod.yml: 
-------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | # 3 | 4 | # kubectl exec -it empty-dir-pod -- sh 5 | # echo aaa > /tmp/a.txt 6 | # 7 | 8 | # pod 9 | apiVersion: v1 10 | kind: Pod 11 | metadata: 12 | name: empty-dir-pod 13 | 14 | spec: 15 | 16 | volumes: 17 | - name: empty-dir-vol 18 | emptyDir: {} 19 | 20 | containers: 21 | - name: empty-dir 22 | image: nginx:alpine 23 | ports: 24 | - containerPort: 80 25 | 26 | volumeMounts: 27 | - name: empty-dir-vol 28 | mountPath: /tmp 29 | 30 | -------------------------------------------------------------------------------- /ch4/host-path-pv.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | # 3 | # kubectl get pv 4 | # kubectl get pvc 5 | 6 | # kubectl exec -it host-pvc-pod -- sh 7 | # echo aaa > /tmp/a.txt 8 | # 9 | # check node's /tmp/host-10m-pv 10 | 11 | --- 12 | 13 | apiVersion: v1 14 | kind: PersistentVolume 15 | metadata: 16 | name: host-10m-pv 17 | 18 | spec: 19 | storageClassName: host-test 20 | 21 | accessModes: 22 | - ReadWriteOnce 23 | capacity: 24 | storage: 10Mi 25 | 26 | # mkdir -p /tmp/host-10m-pv/ 27 | hostPath: 28 | path: /tmp/host-10m-pv/ 29 | 30 | --- 31 | 32 | # pvc 33 | # try to find the most suitable pv 34 | # capacity/accessModes 35 | apiVersion: v1 36 | kind: PersistentVolumeClaim 37 | 38 | metadata: 39 | name: host-5m-pvc 40 | 41 | spec: 42 | 43 | storageClassName: host-test 44 | 45 | accessModes: 46 | - ReadWriteOnce 47 | 48 | resources: 49 | requests: 50 | storage: 5Mi 51 | 52 | --- 53 | 54 | # pod 55 | apiVersion: v1 56 | kind: Pod 57 | metadata: 58 | name: host-pvc-pod 59 | 60 | spec: 61 | 62 | volumes: 63 | - name: host-pvc-vol 64 | persistentVolumeClaim: 65 | claimName: host-5m-pvc 66 | 67 | containers: 68 | - name: ngx-pvc-pod 69 | image: nginx:alpine 70 | ports: 71 | - containerPort: 80 72 | 73 | volumeMounts: 74 | - name: host-pvc-vol 75 | mountPath: /tmp 76 | 77 | --- 78 
| 79 | -------------------------------------------------------------------------------- /ch4/hpa.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-06 2 | 3 | # kubectl autoscale deploy ngx-hpa-dep --min=1 --max=10 --cpu-percent=5 $out 4 | # kubectl apply -f hpa.yml 5 | # 6 | # wait some minutes for hpa monitor 7 | # 8 | # kubectl exec -it test -- sh 9 | # curl ngx-hpa-svc 10 | # ab -c 10 -t 60 -n 1000000 'http://ngx-hpa-svc/' 11 | # 12 | # kubectl run -it test --image=httpd:alpine -- sh 13 | 14 | --- 15 | 16 | apiVersion: apps/v1 17 | kind: Deployment 18 | metadata: 19 | name: ngx-hpa-dep 20 | 21 | spec: 22 | replicas: 1 23 | selector: 24 | matchLabels: 25 | app: ngx-hpa-dep 26 | 27 | template: 28 | metadata: 29 | labels: 30 | app: ngx-hpa-dep 31 | spec: 32 | containers: 33 | - image: nginx:alpine 34 | name: nginx 35 | ports: 36 | - containerPort: 80 37 | 38 | resources: 39 | requests: 40 | cpu: 50m 41 | memory: 10Mi 42 | limits: 43 | cpu: 100m 44 | memory: 20Mi 45 | 46 | --- 47 | 48 | apiVersion: v1 49 | kind: Service 50 | metadata: 51 | name: ngx-hpa-svc 52 | spec: 53 | ports: 54 | - port: 80 55 | protocol: TCP 56 | targetPort: 80 57 | selector: 58 | app: ngx-hpa-dep 59 | 60 | --- 61 | 62 | apiVersion: autoscaling/v1 63 | kind: HorizontalPodAutoscaler 64 | metadata: 65 | name: ngx-hpa 66 | 67 | spec: 68 | maxReplicas: 10 69 | minReplicas: 2 70 | scaleTargetRef: 71 | apiVersion: apps/v1 72 | kind: Deployment 73 | name: ngx-hpa-dep 74 | targetCPUUtilizationPercentage: 5 75 | 76 | --- 77 | 78 | apiVersion: v1 79 | kind: Pod 80 | metadata: 81 | name: test 82 | spec: 83 | containers: 84 | - image: httpd:alpine 85 | name: test 86 | 87 | --- 88 | 89 | -------------------------------------------------------------------------------- /ch4/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-07 2 | # 3 | # kubectl apply -k . 4 | # kubectl delete -k . 
5 | 6 | resources: 7 | - wp-maria.yml 8 | - wp-dep.yml 9 | - wp-ing.yml 10 | - wp-kic.yml 11 | 12 | -------------------------------------------------------------------------------- /ch4/nfs-dynamic-pv.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | # 3 | # kubectl describe pv 4 | 5 | --- 6 | 7 | apiVersion: v1 8 | kind: PersistentVolumeClaim 9 | metadata: 10 | name: nfs-dyn-10m-pvc 11 | 12 | spec: 13 | 14 | # in class.yaml 15 | storageClassName: nfs-client 16 | 17 | accessModes: 18 | - ReadWriteMany 19 | 20 | resources: 21 | requests: 22 | storage: 10Mi 23 | 24 | --- 25 | 26 | # pod 27 | apiVersion: v1 28 | kind: Pod 29 | metadata: 30 | name: nfs-dyn-pod 31 | 32 | spec: 33 | 34 | volumes: 35 | - name: nfs-dyn-10m-vol 36 | persistentVolumeClaim: 37 | claimName: nfs-dyn-10m-pvc 38 | 39 | containers: 40 | - name: nfs-dyn-test 41 | image: nginx:alpine 42 | ports: 43 | - containerPort: 80 44 | 45 | volumeMounts: 46 | - name: nfs-dyn-10m-vol 47 | mountPath: /tmp 48 | 49 | --- 50 | 51 | -------------------------------------------------------------------------------- /ch4/nfs-static-pv.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | # 3 | # https://kubernetes.io/zh/docs/concepts/storage/persistent-volumes/ 4 | # 5 | # 6 | # kubectl exec -it nfs-1g-pod -- sh 7 | # echo aaa > /tmp/a.txt 8 | 9 | --- 10 | 11 | apiVersion: v1 12 | kind: PersistentVolume 13 | metadata: 14 | name: nfs-1g-pv 15 | 16 | spec: 17 | 18 | storageClassName: nfs 19 | 20 | accessModes: 21 | - ReadWriteMany 22 | capacity: 23 | storage: 1Gi 24 | 25 | # you must write the right path 26 | # in nfs server 27 | # mkdir -p /tmp/nfs/1g-pv 28 | nfs: 29 | path: /tmp/nfs/1g-pv 30 | server: 192.168.10.208 31 | 32 | --- 33 | 34 | # pvc 35 | # try to find the most suitable pv 36 | # capacity/accessModes 37 | apiVersion: v1 38 | kind: PersistentVolumeClaim 39 | metadata: 40 | name: 
nfs-static-pvc 41 | 42 | spec: 43 | 44 | storageClassName: nfs 45 | 46 | accessModes: 47 | - ReadWriteMany 48 | 49 | resources: 50 | requests: 51 | storage: 1Gi 52 | #storage: 100Mi 53 | 54 | --- 55 | 56 | # pod 57 | apiVersion: v1 58 | kind: Pod 59 | metadata: 60 | name: nfs-static-pod 61 | 62 | spec: 63 | 64 | volumes: 65 | - name: nfs-pvc-vol 66 | persistentVolumeClaim: 67 | claimName: nfs-static-pvc 68 | 69 | containers: 70 | - name: nfs-pvc-test 71 | image: nginx:alpine 72 | ports: 73 | - containerPort: 80 74 | 75 | volumeMounts: 76 | - name: nfs-pvc-vol 77 | mountPath: /tmp 78 | 79 | --- 80 | 81 | -------------------------------------------------------------------------------- /ch4/ngx-v1.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-06 2 | 3 | # kubectl apply -f ngx-deploy.yml 4 | # kubectl port-forward svc/ngx-svc 8080:80 & 5 | # curl 127.1:8080 6 | 7 | # kubectl rollout status deployment ngx-dep 8 | # kubectl rollout history deployment ngx-dep 9 | 10 | --- 11 | 12 | # this cm will be mounted to /etc/nginx/conf.d 13 | apiVersion: v1 14 | kind: ConfigMap 15 | metadata: 16 | name: ngx-conf 17 | 18 | data: 19 | default.conf: | 20 | server { 21 | listen 80; 22 | location / { 23 | default_type text/plain; 24 | return 200 25 | 'ver : $nginx_version\nsrv : $server_addr:$server_port\nhost: $hostname\n'; 26 | } 27 | } 28 | 29 | --- 30 | 31 | apiVersion: apps/v1 32 | kind: Deployment 33 | metadata: 34 | name: ngx-dep 35 | annotations: 36 | kubernetes.io/change-cause: v1, ngx=1.21 37 | 38 | spec: 39 | #minReadySeconds: 5 40 | 41 | replicas: 4 42 | selector: 43 | matchLabels: 44 | app: ngx-dep 45 | 46 | template: 47 | metadata: 48 | labels: 49 | app: ngx-dep 50 | spec: 51 | volumes: 52 | - name: ngx-conf-vol 53 | configMap: 54 | name: ngx-conf 55 | 56 | containers: 57 | - image: nginx:1.21-alpine 58 | name: nginx 59 | ports: 60 | - containerPort: 80 61 | 62 | volumeMounts: 63 | - mountPath: /etc/nginx/conf.d 
64 | name: ngx-conf-vol 65 | 66 | --- 67 | 68 | apiVersion: v1 69 | kind: Service 70 | metadata: 71 | name: ngx-svc 72 | 73 | spec: 74 | selector: 75 | app: ngx-dep 76 | 77 | ports: 78 | - port: 80 79 | protocol: TCP 80 | targetPort: 80 81 | 82 | --- 83 | 84 | -------------------------------------------------------------------------------- /ch4/ngx-v2.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-06 2 | 3 | # kubectl apply -f ngx-deploy.yml 4 | # kubectl port-forward svc/ngx-svc 8080:80 & 5 | # curl 127.1:8080 6 | 7 | # kubectl rollout status deployment ngx-dep 8 | # kubectl rollout history deployment ngx-dep 9 | 10 | --- 11 | 12 | apiVersion: apps/v1 13 | kind: Deployment 14 | metadata: 15 | name: ngx-dep 16 | annotations: 17 | kubernetes.io/change-cause: update to v2, ngx=1.22 18 | 19 | spec: 20 | #minReadySeconds: 5 21 | 22 | replicas: 4 23 | selector: 24 | matchLabels: 25 | app: ngx-dep 26 | 27 | template: 28 | metadata: 29 | labels: 30 | app: ngx-dep 31 | spec: 32 | volumes: 33 | - name: ngx-conf-vol 34 | configMap: 35 | name: ngx-conf 36 | 37 | containers: 38 | - image: nginx:1.22-alpine 39 | name: nginx 40 | ports: 41 | - containerPort: 80 42 | 43 | volumeMounts: 44 | - mountPath: /etc/nginx/conf.d 45 | name: ngx-conf-vol 46 | 47 | --- 48 | 49 | -------------------------------------------------------------------------------- /ch4/pod-probe.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-06 2 | # 3 | # kubectl explain pod.spec.containers.startupProbe 4 | # kubectl explain pod.spec.containers.livenessProbe 5 | # kubectl explain pod.spec.containers.readinessProbe 6 | # 7 | # kubectl logs ngx-pod-probe -f 8 | 9 | --- 10 | 11 | # this cm will be mounted to /etc/nginx/conf.d 12 | apiVersion: v1 13 | kind: ConfigMap 14 | metadata: 15 | name: ngx-conf 16 | 17 | data: 18 | default.conf: | 19 | server { 20 | listen 80; 21 | location = /ready { 22 | 
return 200 'I am ready'; 23 | #return 500 'I am not ready'; 24 | } 25 | location / { 26 | default_type text/plain; 27 | return 200 "Nginx OK"; 28 | } 29 | } 30 | 31 | --- 32 | 33 | apiVersion: v1 34 | kind: Pod 35 | metadata: 36 | name: ngx-pod-probe 37 | 38 | spec: 39 | volumes: 40 | - name: ngx-conf-vol 41 | configMap: 42 | name: ngx-conf 43 | 44 | containers: 45 | - image: nginx:alpine 46 | name: ngx 47 | ports: 48 | - containerPort: 80 49 | 50 | volumeMounts: 51 | - mountPath: /etc/nginx/conf.d 52 | name: ngx-conf-vol 53 | 54 | # probes are here 55 | 56 | startupProbe: 57 | periodSeconds: 1 58 | timeoutSeconds: 1 59 | exec: 60 | command: ["cat", "/var/run/nginx.pid"] 61 | #command: ["cat", "nginx.pid"] # wrong pid file 62 | 63 | livenessProbe: 64 | periodSeconds: 10 65 | timeoutSeconds: 1 66 | #failureThreshold: 1 67 | tcpSocket: 68 | #port: 80 69 | port: 8080 70 | 71 | readinessProbe: 72 | periodSeconds: 5 73 | timeoutSeconds: 1 74 | httpGet: 75 | path: /ready 76 | port: 80 77 | 78 | --- 79 | 80 | -------------------------------------------------------------------------------- /ch4/pod-resources.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-06 2 | # 3 | 4 | apiVersion: v1 5 | kind: Pod 6 | metadata: 7 | name: ngx-pod-resources 8 | 9 | spec: 10 | containers: 11 | - image: nginx:alpine 12 | name: ngx 13 | ports: 14 | - containerPort: 80 15 | 16 | resources: 17 | requests: 18 | cpu: 10m 19 | memory: 100Mi 20 | limits: 21 | cpu: 20m 22 | memory: 200Mi 23 | -------------------------------------------------------------------------------- /ch4/quota-ns.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-06 2 | # 3 | # kubectl create ns dev-ns $out 4 | # kubectl create quota dev-qt $out 5 | # 6 | # kubectl explain quota.spec 7 | # kubectl describe -n dev-ns quota dev-qt 8 | # 9 | # kubectl explain limits.spec.limits 10 | # 11 | # kubectl run ngx 
--image=nginx:alpine -n dev-ns 12 | # kubectl describe pod ngx -n dev-ns 13 | 14 | --- 15 | 16 | apiVersion: v1 17 | kind: Namespace 18 | metadata: 19 | name: dev-ns 20 | 21 | --- 22 | 23 | apiVersion: v1 24 | kind: ResourceQuota 25 | metadata: 26 | name: dev-qt 27 | namespace: dev-ns 28 | 29 | spec: 30 | hard: 31 | requests.cpu: 10 32 | requests.memory: 10Gi 33 | limits.cpu: 10 34 | limits.memory: 20Gi 35 | 36 | requests.storage: 100Gi 37 | persistentvolumeclaims: 100 38 | 39 | pods: 100 40 | configmaps: 100 41 | secrets: 100 42 | services: 10 43 | services.nodeports: 5 44 | 45 | count/jobs.batch: 1 46 | count/cronjobs.batch: 1 47 | count/deployments.apps: 1 48 | 49 | --- 50 | 51 | apiVersion: v1 52 | kind: LimitRange 53 | metadata: 54 | name: dev-limits 55 | namespace: dev-ns 56 | 57 | spec: 58 | limits: 59 | - type: Container 60 | defaultRequest: 61 | cpu: 200m 62 | memory: 50Mi 63 | default: 64 | cpu: 500m 65 | memory: 100Mi 66 | - type: Pod 67 | max: 68 | cpu: 800m 69 | memory: 200Mi 70 | 71 | --- 72 | 73 | -------------------------------------------------------------------------------- /ch4/redis-deploy.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-06 2 | # 3 | # kubectl describe pv 4 | 5 | --- 6 | 7 | apiVersion: v1 8 | kind: PersistentVolumeClaim 9 | metadata: 10 | name: redis-50m-pvc 11 | 12 | spec: 13 | 14 | # in class.yaml 15 | storageClassName: nfs-client 16 | 17 | accessModes: 18 | - ReadWriteMany 19 | 20 | resources: 21 | requests: 22 | storage: 50Mi 23 | 24 | --- 25 | 26 | apiVersion: apps/v1 27 | kind: Deployment 28 | metadata: 29 | name: redis-dep 30 | 31 | spec: 32 | replicas: 1 33 | selector: 34 | matchLabels: 35 | app: redis-dep 36 | 37 | template: 38 | metadata: 39 | labels: 40 | app: redis-dep 41 | spec: 42 | volumes: 43 | - name: redis-50m-vol 44 | persistentVolumeClaim: 45 | claimName: redis-50m-pvc 46 | 47 | containers: 48 | - image: redis:5-alpine 49 | name: redis 50 | ports: 51 | 
- containerPort: 6379 52 | 53 | volumeMounts: 54 | - name: redis-50m-vol 55 | mountPath: /data 56 | 57 | --- 58 | 59 | -------------------------------------------------------------------------------- /ch4/redis-pv-sts.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-06 2 | # 3 | 4 | --- 5 | 6 | apiVersion: apps/v1 7 | kind: StatefulSet 8 | metadata: 9 | name: redis-pv-sts 10 | 11 | spec: 12 | # headless svc 13 | serviceName: redis-pv-svc 14 | 15 | # pvc 16 | volumeClaimTemplates: 17 | - metadata: 18 | name: redis-100m-pvc 19 | spec: 20 | storageClassName: nfs-client 21 | accessModes: 22 | - ReadWriteMany 23 | resources: 24 | requests: 25 | storage: 100Mi 26 | 27 | replicas: 2 28 | selector: 29 | matchLabels: 30 | app: redis-pv-sts 31 | 32 | template: 33 | metadata: 34 | labels: 35 | app: redis-pv-sts 36 | spec: 37 | containers: 38 | - image: redis:5-alpine 39 | name: redis 40 | ports: 41 | - containerPort: 6379 42 | 43 | volumeMounts: 44 | - name: redis-100m-pvc 45 | mountPath: /data 46 | 47 | --- 48 | 49 | apiVersion: v1 50 | kind: Service 51 | metadata: 52 | name: redis-pv-svc 53 | 54 | spec: 55 | selector: 56 | app: redis-pv-sts 57 | 58 | # headless 59 | clusterIP: None 60 | 61 | ports: 62 | - port: 6379 63 | protocol: TCP 64 | targetPort: 6379 65 | 66 | --- 67 | 68 | -------------------------------------------------------------------------------- /ch4/redis-sts.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-06 2 | # 3 | 4 | --- 5 | 6 | apiVersion: apps/v1 7 | kind: StatefulSet 8 | metadata: 9 | name: redis-sts 10 | 11 | spec: 12 | # headless svc 13 | serviceName: redis-svc 14 | 15 | replicas: 2 16 | selector: 17 | matchLabels: 18 | app: redis-sts 19 | 20 | template: 21 | metadata: 22 | labels: 23 | app: redis-sts 24 | spec: 25 | containers: 26 | - image: redis:5-alpine 27 | name: redis 28 | ports: 29 | - containerPort: 6379 30 | 31 | --- 32 | 33 | 
apiVersion: v1 34 | kind: Service 35 | metadata: 36 | name: redis-svc 37 | 38 | spec: 39 | selector: 40 | app: redis-sts 41 | 42 | # headless 43 | clusterIP: None 44 | 45 | ports: 46 | - port: 6379 47 | protocol: TCP 48 | targetPort: 6379 49 | 50 | --- 51 | 52 | -------------------------------------------------------------------------------- /ch4/storageclass.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | # 3 | 4 | --- 5 | 6 | apiVersion: storage.k8s.io/v1 7 | kind: StorageClass 8 | metadata: 9 | name: managed-nfs 10 | 11 | provisioner: k8s-sigs.io/nfs-subdir-external-provisioner 12 | parameters: 13 | archiveOnDelete: "false" 14 | 15 | --- 16 | 17 | apiVersion: storage.k8s.io/v1 18 | kind: StorageClass 19 | metadata: 20 | name: retained-nfs 21 | 22 | provisioner: k8s-sigs.io/nfs-subdir-external-provisioner 23 | 24 | parameters: 25 | onDelete: "retain" 26 | 27 | reclaimPolicy: Retain 28 | 29 | --- 30 | 31 | -------------------------------------------------------------------------------- /ch4/test-ns.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-06 2 | # 3 | # kubectl create ns test-ns 4 | # kubectl run ngx --image=nginx:alpine 5 | 6 | --- 7 | 8 | apiVersion: v1 9 | kind: Namespace 10 | metadata: 11 | name: test-ns 12 | 13 | --- 14 | 15 | apiVersion: v1 16 | kind: Pod 17 | metadata: 18 | name: ngx 19 | namespace: test-ns 20 | 21 | spec: 22 | containers: 23 | - image: nginx:alpine 24 | name: ngx 25 | 26 | --- 27 | 28 | -------------------------------------------------------------------------------- /ch4/wp-dep.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-07 2 | 3 | # kubectl expose deploy wp-dep --port=80 $out 4 | 5 | # kubectl apply -f wp-dep.yml 6 | # kubectl delete -f wp-dep.yml 7 | 8 | --- 9 | 10 | # you can change it to secret 11 | apiVersion: v1 12 | kind: ConfigMap 13 | 
metadata: 14 | name: wp-cm 15 | 16 | data: 17 | HOST: 'maria-sts-0.maria-svc' 18 | USER: 'wp' 19 | PASSWORD: '123' 20 | NAME: 'db' 21 | 22 | --- 23 | 24 | apiVersion: apps/v1 25 | kind: Deployment 26 | metadata: 27 | labels: 28 | app: wp-dep 29 | name: wp-dep 30 | 31 | spec: 32 | replicas: 2 33 | selector: 34 | matchLabels: 35 | app: wp-dep 36 | 37 | template: 38 | metadata: 39 | labels: 40 | app: wp-dep 41 | spec: 42 | containers: 43 | - image: wordpress:5 44 | name: wordpress 45 | imagePullPolicy: IfNotPresent 46 | ports: 47 | - containerPort: 80 48 | 49 | envFrom: 50 | - prefix: 'WORDPRESS_DB_' 51 | configMapRef: 52 | name: wp-cm 53 | 54 | #env: 55 | #- name: WORDPRESS_CONFIG_EXTRA 56 | # value: | 57 | # define('WP_HOME', 'http://'.$_SERVER['HTTP_ORIGIN']); 58 | # define('WP_SITEURL', 'http://'.$_SERVER['HTTP_ORIGIN']); 59 | 60 | --- 61 | 62 | apiVersion: v1 63 | kind: Service 64 | metadata: 65 | labels: 66 | app: wp-dep 67 | name: wp-svc 68 | 69 | spec: 70 | ports: 71 | - name: http80 72 | port: 80 73 | protocol: TCP 74 | targetPort: 80 75 | nodePort: 30088 76 | 77 | selector: 78 | app: wp-dep 79 | type: NodePort 80 | 81 | --- 82 | 83 | -------------------------------------------------------------------------------- /ch4/wp-ing.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-07 2 | 3 | # kubectl create ing wp-ing --rule="wp.test/=wp-svc:80" $out 4 | # kubectl create ing wp-ing --rule="wp.test/=wp-svc:80" --class=wp-ink $out 5 | 6 | # https://docs.nginx.com/nginx-ingress-controller/ 7 | 8 | # curl 127.1/nginx-health 9 | # curl 127.1:8081/nginx-ready 10 | 11 | --- 12 | 13 | apiVersion: networking.k8s.io/v1 14 | kind: IngressClass 15 | metadata: 16 | name: wp-ink 17 | 18 | spec: 19 | controller: nginx.org/ingress-controller 20 | 21 | --- 22 | 23 | apiVersion: networking.k8s.io/v1 24 | kind: Ingress 25 | metadata: 26 | name: wp-ing 27 | 28 | # customize the behaviors of nginx 29 | annotations: 30 | 
nginx.org/lb-method: round_robin 31 | 32 | nginx.org/location-snippets: | 33 | #proxy_redirect ~^(http://[^:]+)(/.+)$ $1:30080$2; 34 | #proxy_redirect http://$host/ http://$host:30080/; 35 | 36 | spec: 37 | ingressClassName: wp-ink 38 | 39 | rules: 40 | - host: wp.test 41 | http: 42 | paths: 43 | - path: / 44 | pathType: Prefix 45 | backend: 46 | service: 47 | name: wp-svc 48 | port: 49 | number: 80 50 | --- 51 | 52 | -------------------------------------------------------------------------------- /ch4/wp-kic.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-07 2 | 3 | # https://docs.nginx.com/nginx-ingress-controller/ 4 | 5 | # kubectl port-forward -n nginx-ingress wp-kic-dep-78f8c64fd4-h9n9r 8080:80 & 6 | # curl 127.1:8080/nginx-health 7 | # kubectl port-forward -n nginx-ingress ngx-kic-dep-8859b7b86-6rl2f 8081:8081 & 8 | # curl 127.1:8081/nginx-ready 9 | # kubectl port-forward -n nginx-ingress ngx-kic-dep-8859b7b86-6rl2f 8088:8080 & 10 | # curl 127.1:8088/stub_status 11 | 12 | # kubectl expose -n nginx-ingress deploy wp-kic-dep --port=80 --type=NodePort $out 13 | # curl --resolve wp.test:30080:192.168.10.210 wp.test:30080 14 | 15 | # sudo vi /etc/hosts, add wp.test 16 | 17 | --- 18 | 19 | apiVersion: apps/v1 20 | kind: Deployment 21 | metadata: 22 | name: wp-kic-dep 23 | namespace: nginx-ingress 24 | 25 | spec: 26 | replicas: 1 27 | selector: 28 | matchLabels: 29 | app: wp-kic-dep 30 | 31 | template: 32 | metadata: 33 | labels: 34 | app: wp-kic-dep 35 | #annotations: 36 | #prometheus.io/scrape: "true" 37 | #prometheus.io/port: "9113" 38 | #prometheus.io/scheme: http 39 | spec: 40 | serviceAccountName: nginx-ingress 41 | 42 | # use host network 43 | hostNetwork: true 44 | dnsPolicy: ClusterFirstWithHostNet 45 | 46 | containers: 47 | #- image: nginx/nginx-ingress:2.2.0 48 | - image: nginx/nginx-ingress:2.2-alpine 49 | imagePullPolicy: IfNotPresent 50 | name: nginx-ingress 51 | ports: 52 | - name: http 53 | 
containerPort: 80 54 | - name: https 55 | containerPort: 443 56 | - name: readiness-port 57 | containerPort: 8081 58 | - name: prometheus 59 | containerPort: 9113 60 | readinessProbe: 61 | httpGet: 62 | path: /nginx-ready 63 | port: readiness-port 64 | periodSeconds: 1 65 | securityContext: 66 | allowPrivilegeEscalation: true 67 | runAsUser: 101 #nginx 68 | capabilities: 69 | drop: 70 | - ALL 71 | add: 72 | - NET_BIND_SERVICE 73 | env: 74 | - name: POD_NAMESPACE 75 | valueFrom: 76 | fieldRef: 77 | fieldPath: metadata.namespace 78 | - name: POD_NAME 79 | valueFrom: 80 | fieldRef: 81 | fieldPath: metadata.name 82 | args: 83 | - -ingress-class=wp-ink 84 | - -health-status 85 | - -ready-status 86 | - -nginx-status 87 | - -enable-snippets 88 | 89 | - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config 90 | - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret 91 | #- -v=3 # Enables extensive logging. Useful for troubleshooting. 92 | #- -report-ingress-status 93 | #- -external-service=nginx-ingress 94 | #- -enable-prometheus-metrics 95 | #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration 96 | 97 | --- 98 | 99 | apiVersion: v1 100 | kind: Service 101 | metadata: 102 | name: wp-kic-svc 103 | namespace: nginx-ingress 104 | 105 | spec: 106 | ports: 107 | - port: 80 108 | protocol: TCP 109 | targetPort: 80 110 | nodePort: 30080 111 | 112 | selector: 113 | app: wp-kic-dep 114 | type: NodePort 115 | 116 | --- 117 | 118 | -------------------------------------------------------------------------------- /ch4/wp-maria.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-07 2 | 3 | # kubectl apply -f wp-maria.yml 4 | # kubectl delete -f wp-maria.yml 5 | 6 | # kubectl exec -it maria-sts-767bbdccb5-bh9vl -- mysql -u wp -p 7 | 8 | --- 9 | 10 | # you can change it to secret 11 | apiVersion: v1 12 | kind: ConfigMap 13 | metadata: 14 | name: maria-cm 15 | 16 | data: 17 | DATABASE: 'db' 18 | USER: 'wp' 19 | PASSWORD: 
'123' 20 | ROOT_PASSWORD: '123' 21 | 22 | --- 23 | 24 | apiVersion: apps/v1 25 | kind: StatefulSet 26 | metadata: 27 | labels: 28 | app: maria-sts 29 | name: maria-sts 30 | 31 | spec: 32 | # headless svc 33 | serviceName: maria-svc 34 | 35 | # pvc 36 | volumeClaimTemplates: 37 | - metadata: 38 | name: maria-100m-pvc 39 | spec: 40 | storageClassName: nfs-client 41 | accessModes: 42 | - ReadWriteMany 43 | resources: 44 | requests: 45 | storage: 100Mi 46 | 47 | replicas: 1 48 | selector: 49 | matchLabels: 50 | app: maria-sts 51 | 52 | template: 53 | metadata: 54 | labels: 55 | app: maria-sts 56 | spec: 57 | containers: 58 | - image: mariadb:10 59 | name: mariadb 60 | imagePullPolicy: IfNotPresent 61 | ports: 62 | - containerPort: 3306 63 | 64 | envFrom: 65 | - prefix: 'MARIADB_' 66 | configMapRef: 67 | name: maria-cm 68 | 69 | volumeMounts: 70 | - name: maria-100m-pvc 71 | mountPath: /var/lib/mysql 72 | 73 | --- 74 | 75 | apiVersion: v1 76 | kind: Service 77 | metadata: 78 | labels: 79 | app: maria-sts 80 | name: maria-svc 81 | 82 | spec: 83 | selector: 84 | app: maria-sts 85 | 86 | # headless 87 | clusterIP: None 88 | 89 | ports: 90 | - port: 3306 91 | protocol: TCP 92 | targetPort: 3306 93 | 94 | --- 95 | 96 | -------------------------------------------------------------------------------- /compose/reg-compose.yml: -------------------------------------------------------------------------------- 1 | # chrono 2022-07 2 | # 3 | # docker-compose -f reg-compose.yml up -d 4 | # docker-compose -f reg-compose.yml ps 5 | # docker-compose -f reg-compose.yml down 6 | 7 | services: 8 | 9 | registry: 10 | image: registry 11 | container_name: registry 12 | restart: always 13 | 14 | ports: 15 | - 5000:5000 16 | 17 | -------------------------------------------------------------------------------- /compose/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # 
https://docs.docker.com/compose/install/compose-plugin/#installing-compose-on-linux-systems 4 | 5 | # intel x86_64 6 | #sudo curl -SL https://github.com/docker/compose/releases/download/v2.6.1/docker-compose-linux-x86_64 \ 7 | # -o /usr/local/bin/docker-compose 8 | 9 | # apple m1 10 | sudo curl -SL https://github.com/docker/compose/releases/download/v2.6.1/docker-compose-linux-aarch64 \ 11 | -o /usr/local/bin/docker-compose 12 | 13 | #chmod +x $DOCKER_CONFIG/cli-plugins/docker-compose 14 | sudo chmod +x /usr/local/bin/docker-compose 15 | sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose 16 | 17 | # test docker compose 18 | docker-compose version 19 | -------------------------------------------------------------------------------- /compose/wp-compose.yml: -------------------------------------------------------------------------------- 1 | # chrono 2022-07 2 | # 3 | # docker-compose -f wp-compose.yml up -d 4 | # docker-compose -f wp-compose.yml ps 5 | # docker-compose -f wp-compose.yml exec -it mariadb sh 6 | # docker-compose -f wp-compose.yml exec -it nginx sh 7 | # docker-compose -f wp-compose.yml down 8 | 9 | volumes: 10 | maria_data: {} 11 | 12 | #networks: 13 | # wp-net: 14 | # ipam: 15 | # config: 16 | # - subnet: 172.20.0.0/24 17 | # gateway: 172.20.0.1 18 | 19 | services: 20 | 21 | mariadb: 22 | image: mariadb:10 23 | container_name: mariadb 24 | restart: always 25 | 26 | environment: 27 | MARIADB_DATABASE: db 28 | MARIADB_USER: wp 29 | MARIADB_PASSWORD: 123 30 | MARIADB_ROOT_PASSWORD: 123 31 | volumes: 32 | - maria_data:/var/lib/mysql 33 | 34 | wordpress: 35 | image: wordpress:5 36 | container_name: wordpress 37 | restart: always 38 | 39 | environment: 40 | WORDPRESS_DB_HOST: mariadb 41 | WORDPRESS_DB_USER: wp 42 | WORDPRESS_DB_PASSWORD: 123 43 | WORDPRESS_DB_NAME: db 44 | #networks: 45 | # wp-net: 46 | # ipv4_address: 172.20.0.110 47 | 48 | depends_on: 49 | - mariadb 50 | 51 | nginx: 52 | image: nginx:alpine 53 | container_name: nginx 54 | 
hostname: nginx 55 | restart: always 56 | ports: 57 | - 80:80 58 | volumes: 59 | - ./wp.conf:/etc/nginx/conf.d/default.conf 60 | 61 | depends_on: 62 | - wordpress 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /compose/wp.conf: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-07 2 | # 3 | # /etc/nginx/conf.d/default.conf 4 | 5 | server { 6 | listen 80; 7 | default_type text/html; 8 | 9 | location / { 10 | proxy_http_version 1.1; 11 | proxy_set_header Host $host; 12 | 13 | #proxy_pass http://172.20.0.110; 14 | proxy_pass http://wordpress; 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /dashboard/admin.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-07 2 | # 3 | # https://github.com/kubernetes/dashboard/tree/master/docs/user/access-control 4 | # https://github.com/kubernetes/dashboard/blob/master/docs/user/access-control/creating-sample-user.md 5 | # 6 | # kubectl get secret -n kubernetes-dashboard 7 | # kubectl describe secrets -n kubernetes-dashboard admin-user-token-8rfj6 8 | 9 | --- 10 | 11 | apiVersion: v1 12 | kind: ServiceAccount 13 | metadata: 14 | name: admin-user 15 | namespace: kubernetes-dashboard 16 | 17 | --- 18 | 19 | apiVersion: rbac.authorization.k8s.io/v1 20 | kind: ClusterRoleBinding 21 | metadata: 22 | name: admin-user 23 | roleRef: 24 | apiGroup: rbac.authorization.k8s.io 25 | kind: ClusterRole 26 | name: cluster-admin 27 | subjects: 28 | - kind: ServiceAccount 29 | name: admin-user 30 | namespace: kubernetes-dashboard 31 | 32 | --- 33 | 34 | -------------------------------------------------------------------------------- /dashboard/cert.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # https://github.com/kubernetes/dashboard 4 | # 
https://github.com/kubernetes/dashboard/tree/master/docs/user/access-control 5 | 6 | # get dashboard yaml, change token ttl to 24 hours 7 | #wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.6.0/aio/deploy/recommended.yaml -O- \ 8 | # | sed '/args/a\ - --token-ttl=86400' \ 9 | # > dashboard.yaml 10 | 11 | # generate cert: rsa2048, sha256, 1 year 12 | openssl req -x509 -days 365 -out k8s.test.crt -keyout k8s.test.key \ 13 | -newkey rsa:2048 -nodes -sha256 \ 14 | -subj '/CN=k8s.test' -extensions EXT -config <( \ 15 | printf "[dn]\nCN=k8s.test\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:k8s.test\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth") 16 | 17 | # generate secret tls, in namespace kubernetes-dashboard 18 | export out="--dry-run=client -o yaml" 19 | kubectl create secret tls dash-tls -n kubernetes-dashboard --cert=k8s.test.crt --key=k8s.test.key $out > cert.yml 20 | 21 | -------------------------------------------------------------------------------- /dashboard/dashboard.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2017 The Kubernetes Authors. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | apiVersion: v1 16 | kind: Namespace 17 | metadata: 18 | name: kubernetes-dashboard 19 | 20 | --- 21 | 22 | apiVersion: v1 23 | kind: ServiceAccount 24 | metadata: 25 | labels: 26 | k8s-app: kubernetes-dashboard 27 | name: kubernetes-dashboard 28 | namespace: kubernetes-dashboard 29 | 30 | --- 31 | 32 | kind: Service 33 | apiVersion: v1 34 | metadata: 35 | labels: 36 | k8s-app: kubernetes-dashboard 37 | name: kubernetes-dashboard 38 | namespace: kubernetes-dashboard 39 | spec: 40 | ports: 41 | - port: 443 42 | targetPort: 8443 43 | selector: 44 | k8s-app: kubernetes-dashboard 45 | 46 | --- 47 | 48 | apiVersion: v1 49 | kind: Secret 50 | metadata: 51 | labels: 52 | k8s-app: kubernetes-dashboard 53 | name: kubernetes-dashboard-certs 54 | namespace: kubernetes-dashboard 55 | type: Opaque 56 | 57 | --- 58 | 59 | apiVersion: v1 60 | kind: Secret 61 | metadata: 62 | labels: 63 | k8s-app: kubernetes-dashboard 64 | name: kubernetes-dashboard-csrf 65 | namespace: kubernetes-dashboard 66 | type: Opaque 67 | data: 68 | csrf: "" 69 | 70 | --- 71 | 72 | apiVersion: v1 73 | kind: Secret 74 | metadata: 75 | labels: 76 | k8s-app: kubernetes-dashboard 77 | name: kubernetes-dashboard-key-holder 78 | namespace: kubernetes-dashboard 79 | type: Opaque 80 | 81 | --- 82 | 83 | kind: ConfigMap 84 | apiVersion: v1 85 | metadata: 86 | labels: 87 | k8s-app: kubernetes-dashboard 88 | name: kubernetes-dashboard-settings 89 | namespace: kubernetes-dashboard 90 | 91 | --- 92 | 93 | kind: Role 94 | apiVersion: rbac.authorization.k8s.io/v1 95 | metadata: 96 | labels: 97 | k8s-app: kubernetes-dashboard 98 | name: kubernetes-dashboard 99 | namespace: kubernetes-dashboard 100 | rules: 101 | # Allow Dashboard to get, update and delete Dashboard exclusive secrets. 
102 | - apiGroups: [""] 103 | resources: ["secrets"] 104 | resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] 105 | verbs: ["get", "update", "delete"] 106 | # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. 107 | - apiGroups: [""] 108 | resources: ["configmaps"] 109 | resourceNames: ["kubernetes-dashboard-settings"] 110 | verbs: ["get", "update"] 111 | # Allow Dashboard to get metrics. 112 | - apiGroups: [""] 113 | resources: ["services"] 114 | resourceNames: ["heapster", "dashboard-metrics-scraper"] 115 | verbs: ["proxy"] 116 | - apiGroups: [""] 117 | resources: ["services/proxy"] 118 | resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] 119 | verbs: ["get"] 120 | 121 | --- 122 | 123 | kind: ClusterRole 124 | apiVersion: rbac.authorization.k8s.io/v1 125 | metadata: 126 | labels: 127 | k8s-app: kubernetes-dashboard 128 | name: kubernetes-dashboard 129 | rules: 130 | # Allow Metrics Scraper to get metrics from the Metrics server 131 | - apiGroups: ["metrics.k8s.io"] 132 | resources: ["pods", "nodes"] 133 | verbs: ["get", "list", "watch"] 134 | 135 | --- 136 | 137 | apiVersion: rbac.authorization.k8s.io/v1 138 | kind: RoleBinding 139 | metadata: 140 | labels: 141 | k8s-app: kubernetes-dashboard 142 | name: kubernetes-dashboard 143 | namespace: kubernetes-dashboard 144 | roleRef: 145 | apiGroup: rbac.authorization.k8s.io 146 | kind: Role 147 | name: kubernetes-dashboard 148 | subjects: 149 | - kind: ServiceAccount 150 | name: kubernetes-dashboard 151 | namespace: kubernetes-dashboard 152 | 153 | --- 154 | 155 | apiVersion: rbac.authorization.k8s.io/v1 156 | kind: ClusterRoleBinding 157 | metadata: 158 | name: kubernetes-dashboard 159 | roleRef: 160 | apiGroup: rbac.authorization.k8s.io 161 | kind: ClusterRole 162 | name: kubernetes-dashboard 163 | subjects: 164 | - kind: ServiceAccount 165 | name: 
kubernetes-dashboard 166 | namespace: kubernetes-dashboard 167 | 168 | --- 169 | 170 | kind: Deployment 171 | apiVersion: apps/v1 172 | metadata: 173 | labels: 174 | k8s-app: kubernetes-dashboard 175 | name: kubernetes-dashboard 176 | namespace: kubernetes-dashboard 177 | spec: 178 | replicas: 1 179 | revisionHistoryLimit: 10 180 | selector: 181 | matchLabels: 182 | k8s-app: kubernetes-dashboard 183 | template: 184 | metadata: 185 | labels: 186 | k8s-app: kubernetes-dashboard 187 | spec: 188 | securityContext: 189 | seccompProfile: 190 | type: RuntimeDefault 191 | containers: 192 | - name: kubernetes-dashboard 193 | image: kubernetesui/dashboard:v2.6.0 194 | imagePullPolicy: Always 195 | ports: 196 | - containerPort: 8443 197 | protocol: TCP 198 | args: 199 | - --token-ttl=86400 200 | - --auto-generate-certificates 201 | - --namespace=kubernetes-dashboard 202 | # Uncomment the following line to manually specify Kubernetes API server Host 203 | # If not specified, Dashboard will attempt to auto discover the API server and connect 204 | # to it. Uncomment only if the default does not work. 
205 | # - --apiserver-host=http://my-address:port 206 | volumeMounts: 207 | - name: kubernetes-dashboard-certs 208 | mountPath: /certs 209 | # Create on-disk volume to store exec logs 210 | - mountPath: /tmp 211 | name: tmp-volume 212 | livenessProbe: 213 | httpGet: 214 | scheme: HTTPS 215 | path: / 216 | port: 8443 217 | initialDelaySeconds: 30 218 | timeoutSeconds: 30 219 | securityContext: 220 | allowPrivilegeEscalation: false 221 | readOnlyRootFilesystem: true 222 | runAsUser: 1001 223 | runAsGroup: 2001 224 | volumes: 225 | - name: kubernetes-dashboard-certs 226 | secret: 227 | secretName: kubernetes-dashboard-certs 228 | - name: tmp-volume 229 | emptyDir: {} 230 | serviceAccountName: kubernetes-dashboard 231 | nodeSelector: 232 | "kubernetes.io/os": linux 233 | # Comment the following tolerations if Dashboard must not be deployed on master 234 | tolerations: 235 | - key: node-role.kubernetes.io/master 236 | effect: NoSchedule 237 | 238 | --- 239 | 240 | kind: Service 241 | apiVersion: v1 242 | metadata: 243 | labels: 244 | k8s-app: dashboard-metrics-scraper 245 | name: dashboard-metrics-scraper 246 | namespace: kubernetes-dashboard 247 | spec: 248 | ports: 249 | - port: 8000 250 | targetPort: 8000 251 | selector: 252 | k8s-app: dashboard-metrics-scraper 253 | 254 | --- 255 | 256 | kind: Deployment 257 | apiVersion: apps/v1 258 | metadata: 259 | labels: 260 | k8s-app: dashboard-metrics-scraper 261 | name: dashboard-metrics-scraper 262 | namespace: kubernetes-dashboard 263 | spec: 264 | replicas: 1 265 | revisionHistoryLimit: 10 266 | selector: 267 | matchLabels: 268 | k8s-app: dashboard-metrics-scraper 269 | template: 270 | metadata: 271 | labels: 272 | k8s-app: dashboard-metrics-scraper 273 | spec: 274 | securityContext: 275 | seccompProfile: 276 | type: RuntimeDefault 277 | containers: 278 | - name: dashboard-metrics-scraper 279 | image: kubernetesui/metrics-scraper:v1.0.8 280 | ports: 281 | - containerPort: 8000 282 | protocol: TCP 283 | livenessProbe: 284 
| httpGet: 285 | scheme: HTTP 286 | path: / 287 | port: 8000 288 | initialDelaySeconds: 30 289 | timeoutSeconds: 30 290 | volumeMounts: 291 | - mountPath: /tmp 292 | name: tmp-volume 293 | securityContext: 294 | allowPrivilegeEscalation: false 295 | readOnlyRootFilesystem: true 296 | runAsUser: 1001 297 | runAsGroup: 2001 298 | serviceAccountName: kubernetes-dashboard 299 | nodeSelector: 300 | "kubernetes.io/os": linux 301 | # Comment the following tolerations if Dashboard must not be deployed on master 302 | tolerations: 303 | - key: node-role.kubernetes.io/master 304 | effect: NoSchedule 305 | volumes: 306 | - name: tmp-volume 307 | emptyDir: {} 308 | -------------------------------------------------------------------------------- /dashboard/ingress.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-07 2 | # 3 | # kubectl create ing dash-ing --rule="k8s.test/=kubernetes-dashboard:443" --class=dash-ink -n kubernetes-dashboard $out 4 | # login kic pod, check /etc/nginx/conf.d/xxx.conf 5 | 6 | --- 7 | 8 | apiVersion: networking.k8s.io/v1 9 | kind: IngressClass 10 | 11 | metadata: 12 | name: dash-ink 13 | namespace: kubernetes-dashboard 14 | spec: 15 | controller: nginx.org/ingress-controller 16 | 17 | --- 18 | 19 | apiVersion: networking.k8s.io/v1 20 | kind: Ingress 21 | 22 | metadata: 23 | name: dash-ing 24 | namespace: kubernetes-dashboard 25 | annotations: 26 | # enable proxy_pass https://xxx 27 | nginx.org/ssl-services: "kubernetes-dashboard" 28 | 29 | # customize port 30 | #nginx.org/listen-ports-ssl: '8443' 31 | 32 | spec: 33 | ingressClassName: dash-ink 34 | 35 | # kubectl explain ingress.spec.tls 36 | tls: 37 | - hosts: 38 | - k8s.test 39 | # must in ns kubernetes-dashboard 40 | secretName: dash-tls 41 | 42 | rules: 43 | - host: k8s.test 44 | http: 45 | paths: 46 | - path: / 47 | pathType: Prefix 48 | backend: 49 | service: 50 | # same as dashboard.yml 51 | name: kubernetes-dashboard 52 | port: 53 | 
number: 443 54 | 55 | 56 | -------------------------------------------------------------------------------- /dashboard/insecure-dashboard.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-07 2 | # LAB ONLY: this variant serves the dashboard over plain HTTP on NodePort 30090 and lets the login be skipped. Anyone who can reach a node port gets the UI with the kubernetes-dashboard ServiceAccount's permissions, and a token typed into the insecure login form (for example the cluster-admin admin-user token) crosses the network unencrypted. Never expose this outside an isolated test cluster; use dashboard.yaml behind the TLS ingress otherwise. Differences from dashboard.yaml: 3 | # containerPort: 9090 4 | # --insecure-port=9090 5 | # --insecure-bind-address=0.0.0.0 6 | # --enable-insecure-login=true 7 | # --enable-skip-login=true 8 | # --auto-generate-certificates=false 9 | # livenessProbe: 10 | 11 | # Copyright 2017 The Kubernetes Authors. 12 | # 13 | # Licensed under the Apache License, Version 2.0 (the "License"); 14 | # you may not use this file except in compliance with the License. 15 | # You may obtain a copy of the License at 16 | # 17 | # http://www.apache.org/licenses/LICENSE-2.0 18 | # 19 | # Unless required by applicable law or agreed to in writing, software 20 | # distributed under the License is distributed on an "AS IS" BASIS, 21 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 | # See the License for the specific language governing permissions and 23 | # limitations under the License.
24 | 25 | apiVersion: v1 26 | kind: Namespace 27 | metadata: 28 | name: kubernetes-dashboard 29 | 30 | --- 31 | 32 | apiVersion: v1 33 | kind: ServiceAccount 34 | metadata: 35 | labels: 36 | k8s-app: kubernetes-dashboard 37 | name: kubernetes-dashboard 38 | namespace: kubernetes-dashboard 39 | 40 | --- 41 | 42 | kind: Service 43 | apiVersion: v1 44 | metadata: 45 | labels: 46 | k8s-app: kubernetes-dashboard 47 | name: kubernetes-dashboard 48 | namespace: kubernetes-dashboard 49 | spec: 50 | #ports: 51 | # - port: 443 52 | # targetPort: 8443 53 | type: NodePort 54 | ports: 55 | - port: 9090 56 | targetPort: 9090 57 | nodePort: 30090 58 | selector: 59 | k8s-app: kubernetes-dashboard 60 | 61 | --- 62 | 63 | apiVersion: v1 64 | kind: Secret 65 | metadata: 66 | labels: 67 | k8s-app: kubernetes-dashboard 68 | name: kubernetes-dashboard-certs 69 | namespace: kubernetes-dashboard 70 | type: Opaque 71 | 72 | --- 73 | 74 | apiVersion: v1 75 | kind: Secret 76 | metadata: 77 | labels: 78 | k8s-app: kubernetes-dashboard 79 | name: kubernetes-dashboard-csrf 80 | namespace: kubernetes-dashboard 81 | type: Opaque 82 | data: 83 | csrf: "" 84 | 85 | --- 86 | 87 | apiVersion: v1 88 | kind: Secret 89 | metadata: 90 | labels: 91 | k8s-app: kubernetes-dashboard 92 | name: kubernetes-dashboard-key-holder 93 | namespace: kubernetes-dashboard 94 | type: Opaque 95 | 96 | --- 97 | 98 | kind: ConfigMap 99 | apiVersion: v1 100 | metadata: 101 | labels: 102 | k8s-app: kubernetes-dashboard 103 | name: kubernetes-dashboard-settings 104 | namespace: kubernetes-dashboard 105 | 106 | --- 107 | 108 | kind: Role 109 | apiVersion: rbac.authorization.k8s.io/v1 110 | metadata: 111 | labels: 112 | k8s-app: kubernetes-dashboard 113 | name: kubernetes-dashboard 114 | namespace: kubernetes-dashboard 115 | rules: 116 | # Allow Dashboard to get, update and delete Dashboard exclusive secrets. 
117 | - apiGroups: [""] 118 | resources: ["secrets"] 119 | resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] 120 | verbs: ["get", "update", "delete"] 121 | # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. 122 | - apiGroups: [""] 123 | resources: ["configmaps"] 124 | resourceNames: ["kubernetes-dashboard-settings"] 125 | verbs: ["get", "update"] 126 | # Allow Dashboard to get metrics. 127 | - apiGroups: [""] 128 | resources: ["services"] 129 | resourceNames: ["heapster", "dashboard-metrics-scraper"] 130 | verbs: ["proxy"] 131 | - apiGroups: [""] 132 | resources: ["services/proxy"] 133 | resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] 134 | verbs: ["get"] 135 | 136 | --- 137 | 138 | kind: ClusterRole 139 | apiVersion: rbac.authorization.k8s.io/v1 140 | metadata: 141 | labels: 142 | k8s-app: kubernetes-dashboard 143 | name: kubernetes-dashboard 144 | rules: 145 | # Allow Metrics Scraper to get metrics from the Metrics server 146 | - apiGroups: ["metrics.k8s.io"] 147 | resources: ["pods", "nodes"] 148 | verbs: ["get", "list", "watch"] 149 | 150 | --- 151 | 152 | apiVersion: rbac.authorization.k8s.io/v1 153 | kind: RoleBinding 154 | metadata: 155 | labels: 156 | k8s-app: kubernetes-dashboard 157 | name: kubernetes-dashboard 158 | namespace: kubernetes-dashboard 159 | roleRef: 160 | apiGroup: rbac.authorization.k8s.io 161 | kind: Role 162 | name: kubernetes-dashboard 163 | subjects: 164 | - kind: ServiceAccount 165 | name: kubernetes-dashboard 166 | namespace: kubernetes-dashboard 167 | 168 | --- 169 | 170 | apiVersion: rbac.authorization.k8s.io/v1 171 | kind: ClusterRoleBinding 172 | metadata: 173 | name: kubernetes-dashboard 174 | roleRef: 175 | apiGroup: rbac.authorization.k8s.io 176 | kind: ClusterRole 177 | name: kubernetes-dashboard 178 | subjects: 179 | - kind: ServiceAccount 180 | name: 
kubernetes-dashboard 181 | namespace: kubernetes-dashboard 182 | 183 | --- 184 | 185 | kind: Deployment 186 | apiVersion: apps/v1 187 | metadata: 188 | labels: 189 | k8s-app: kubernetes-dashboard 190 | name: kubernetes-dashboard 191 | namespace: kubernetes-dashboard 192 | spec: 193 | replicas: 1 194 | revisionHistoryLimit: 10 195 | selector: 196 | matchLabels: 197 | k8s-app: kubernetes-dashboard 198 | template: 199 | metadata: 200 | labels: 201 | k8s-app: kubernetes-dashboard 202 | spec: 203 | securityContext: 204 | seccompProfile: 205 | type: RuntimeDefault 206 | containers: 207 | - name: kubernetes-dashboard 208 | image: kubernetesui/dashboard:v2.6.0 209 | imagePullPolicy: Always 210 | ports: 211 | #- containerPort: 8443 212 | # protocol: TCP 213 | - containerPort: 9090 214 | protocol: TCP 215 | args: 216 | - --insecure-port=9090 217 | - --insecure-bind-address=0.0.0.0 218 | - --enable-insecure-login=true 219 | - --enable-skip-login=true 220 | - --auto-generate-certificates=false 221 | 222 | - --namespace=kubernetes-dashboard 223 | # Uncomment the following line to manually specify Kubernetes API server Host 224 | # If not specified, Dashboard will attempt to auto discover the API server and connect 225 | # to it. Uncomment only if the default does not work. 
226 | # - --apiserver-host=http://my-address:port 227 | volumeMounts: 228 | - name: kubernetes-dashboard-certs 229 | mountPath: /certs 230 | # Create on-disk volume to store exec logs 231 | - mountPath: /tmp 232 | name: tmp-volume 233 | livenessProbe: 234 | #httpGet: 235 | # scheme: HTTPS 236 | # path: / 237 | # port: 8443 238 | httpGet: 239 | scheme: HTTP 240 | path: / 241 | port: 9090 242 | initialDelaySeconds: 30 243 | timeoutSeconds: 30 244 | securityContext: 245 | allowPrivilegeEscalation: false 246 | readOnlyRootFilesystem: true 247 | runAsUser: 1001 248 | runAsGroup: 2001 249 | volumes: 250 | - name: kubernetes-dashboard-certs 251 | secret: 252 | secretName: kubernetes-dashboard-certs 253 | - name: tmp-volume 254 | emptyDir: {} 255 | serviceAccountName: kubernetes-dashboard 256 | nodeSelector: 257 | "kubernetes.io/os": linux 258 | # Comment the following tolerations if Dashboard must not be deployed on master 259 | tolerations: 260 | - key: node-role.kubernetes.io/master 261 | effect: NoSchedule 262 | 263 | --- 264 | 265 | kind: Service 266 | apiVersion: v1 267 | metadata: 268 | labels: 269 | k8s-app: dashboard-metrics-scraper 270 | name: dashboard-metrics-scraper 271 | namespace: kubernetes-dashboard 272 | spec: 273 | ports: 274 | - port: 8000 275 | targetPort: 8000 276 | selector: 277 | k8s-app: dashboard-metrics-scraper 278 | 279 | --- 280 | 281 | kind: Deployment 282 | apiVersion: apps/v1 283 | metadata: 284 | labels: 285 | k8s-app: dashboard-metrics-scraper 286 | name: dashboard-metrics-scraper 287 | namespace: kubernetes-dashboard 288 | spec: 289 | replicas: 1 290 | revisionHistoryLimit: 10 291 | selector: 292 | matchLabels: 293 | k8s-app: dashboard-metrics-scraper 294 | template: 295 | metadata: 296 | labels: 297 | k8s-app: dashboard-metrics-scraper 298 | spec: 299 | securityContext: 300 | seccompProfile: 301 | type: RuntimeDefault 302 | containers: 303 | - name: dashboard-metrics-scraper 304 | image: kubernetesui/metrics-scraper:v1.0.8 305 | ports: 
306 | - containerPort: 8000 307 | protocol: TCP 308 | livenessProbe: 309 | httpGet: 310 | scheme: HTTP 311 | path: / 312 | port: 8000 313 | initialDelaySeconds: 30 314 | timeoutSeconds: 30 315 | volumeMounts: 316 | - mountPath: /tmp 317 | name: tmp-volume 318 | securityContext: 319 | allowPrivilegeEscalation: false 320 | readOnlyRootFilesystem: true 321 | runAsUser: 1001 322 | runAsGroup: 2001 323 | serviceAccountName: kubernetes-dashboard 324 | nodeSelector: 325 | "kubernetes.io/os": linux 326 | # Comment the following tolerations if Dashboard must not be deployed on master 327 | tolerations: 328 | - key: node-role.kubernetes.io/master 329 | effect: NoSchedule 330 | volumes: 331 | - name: tmp-volume 332 | emptyDir: {} 333 | -------------------------------------------------------------------------------- /dashboard/kic.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-07 2 | # 3 | # https://docs.nginx.com/nginx-ingress-controller/ 4 | # NOTE: the args below pass -enable-snippets, which lets anyone who can create an Ingress for class dash-ink inject raw nginx directives into this controller's config (and so read anything the controller pod can, including its own ServiceAccount token). Drop the flag unless every Ingress author is trusted. The container also runs with allowPrivilegeEscalation: true and a floating image tag (2.2-alpine); pin a digest if rollouts need to be reproducible. 5 | # in kic pod: 6 | # curl 127.1/nginx-health 7 | # curl 127.1:8080/stub_status 8 | # curl 127.1:8081/nginx-ready 9 | 10 | --- 11 | 12 | apiVersion: apps/v1 13 | kind: Deployment 14 | metadata: 15 | name: dash-kic-dep 16 | namespace: nginx-ingress 17 | 18 | spec: 19 | replicas: 1 20 | selector: 21 | matchLabels: 22 | app: dash-kic-dep 23 | 24 | template: 25 | metadata: 26 | labels: 27 | app: dash-kic-dep 28 | #annotations: 29 | #prometheus.io/scrape: "true" 30 | #prometheus.io/port: "9113" 31 | #prometheus.io/scheme: http 32 | spec: 33 | serviceAccountName: nginx-ingress 34 | 35 | # use host network 36 | #hostNetwork: true 37 | #dnsPolicy: ClusterFirstWithHostNet 38 | 39 | containers: 40 | #- image: nginx/nginx-ingress:2.2.0 41 | - image: nginx/nginx-ingress:2.2-alpine 42 | imagePullPolicy: IfNotPresent 43 | name: nginx-ingress 44 | ports: 45 | - name: http 46 | containerPort: 80 47 | - name: https 48 | containerPort: 443 49 | - name: readiness-port 50 | containerPort: 8081
51 | - name: prometheus 52 | containerPort: 9113 53 | readinessProbe: 54 | httpGet: 55 | path: /nginx-ready 56 | port: readiness-port 57 | periodSeconds: 1 58 | securityContext: 59 | allowPrivilegeEscalation: true 60 | runAsUser: 101 #nginx 61 | capabilities: 62 | drop: 63 | - ALL 64 | add: 65 | - NET_BIND_SERVICE 66 | env: 67 | - name: POD_NAMESPACE 68 | valueFrom: 69 | fieldRef: 70 | fieldPath: metadata.namespace 71 | - name: POD_NAME 72 | valueFrom: 73 | fieldRef: 74 | fieldPath: metadata.name 75 | args: 76 | - -ingress-class=dash-ink 77 | - -health-status 78 | - -ready-status 79 | - -nginx-status 80 | - -enable-snippets 81 | 82 | - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config 83 | - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret 84 | #- -v=3 # Enables extensive logging. Useful for troubleshooting. 85 | #- -report-ingress-status 86 | #- -external-service=nginx-ingress 87 | #- -enable-prometheus-metrics 88 | #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration 89 | 90 | --- 91 | 92 | apiVersion: v1 93 | kind: Service 94 | metadata: 95 | name: dash-kic-svc 96 | namespace: nginx-ingress 97 | 98 | spec: 99 | ports: 100 | - port: 443 101 | protocol: TCP 102 | targetPort: 443 103 | nodePort: 30443 104 | 105 | selector: 106 | app: dash-kic-dep 107 | type: NodePort 108 | 109 | --- 110 | 111 | -------------------------------------------------------------------------------- /dashboard/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-07 2 | # 3 | # kubectl apply -k . 4 | # kubectl delete -k . 
5 | 6 | resources: 7 | - dashboard.yaml 8 | - admin.yml 9 | - cert.yml 10 | - ingress.yml 11 | - kic.yml 12 | -------------------------------------------------------------------------------- /dashboard/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # https://github.com/kubernetes/dashboard 4 | # https://github.com/kubernetes/dashboard/tree/master/docs/user/access-control 5 | 6 | # get dashboard yaml, change token ttl to 24 hours 7 | #wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.6.0/aio/deploy/recommended.yaml -O- \ 8 | # | sed '/args/a\ - --token-ttl=86400' \ 9 | # > dashboard.yaml 10 | 11 | # generate cert: rsa2048, sha256, 1 year (self-signed; -nodes leaves k8s.test.key unencrypted on disk and cert.yml below embeds the same key - do not commit either) 12 | openssl req -x509 -days 365 -out k8s.test.crt -keyout k8s.test.key \ 13 | -newkey rsa:2048 -nodes -sha256 \ 14 | -subj '/CN=k8s.test' -extensions EXT -config <( \ 15 | printf "[dn]\nCN=k8s.test\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:k8s.test\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth") 16 | 17 | # generate secret tls, in namespace kubernetes-dashboard (same namespace as the Ingress that references it; $out is intentionally unquoted so it splits into two flags) 18 | export out="--dry-run=client -o yaml" 19 | kubectl create secret tls dash-tls -n kubernetes-dashboard --cert=k8s.test.crt --key=k8s.test.key $out > cert.yml 20 | 21 | # create and check 22 | kubectl apply -f cert.yml 23 | kubectl get secrets -n kubernetes-dashboard 24 | 25 | # create ingress 26 | kubectl apply -f ingress.yml -f kic.yml 27 | 28 | # on a Mac, test the dashboard NodePort (-k only skips verification of our self-signed cert) 29 | # curl https://k8s.test:32368 -kv 30 | 31 | # kubectl get pod -n kubernetes-dashboard -o wide 32 | # in kic pod, test dashboard endpoint 33 | # curl --resolve k8s.test:8443:10.10.0.26 https://k8s.test:8443 -k 34 | 35 | # test with curl, map local 8443 to kic 443 36 | # kubectl port-forward -n nginx-ingress dash-kic-dep-5d8f57df4f-64q8s 8443:443 & 37 | # curl --resolve k8s.test:8443:127.0.0.1 https://k8s.test:8443 -kv 38 | 39 | # create an admin user (admin.yml binds it to cluster-admin: its token is a full-cluster credential, lab use only) 40 | kubectl apply -f admin.yml 41
| 42 | # get access token 43 | # kubectl get secret -n kubernetes-dashboard 44 | # kubectl describe secrets -n kubernetes-dashboard admin-user-token-hnb4d 45 | 46 | # in Chrome/Safari 47 | # https://k8s.test:30443 48 | 49 | -------------------------------------------------------------------------------- /gateway/backend.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2023-11 2 | 3 | # kubectl apply -f backend.yml 4 | # sed 's/ngx/red/g' backend.yml | kubectl apply -f - 5 | # sed 's/ngx/green/g' backend.yml | kubectl apply -f - 6 | # sed 's/ngx/blue/g' backend.yml | kubectl apply -f - 7 | # sed 's/ngx/black/g' backend.yml | kubectl apply -f - 8 | 9 | --- 10 | 11 | # this cm will be mounted to /etc/nginx/conf.d 12 | apiVersion: v1 13 | kind: ConfigMap 14 | metadata: 15 | name: ngx-conf 16 | 17 | data: 18 | default.conf: | 19 | server { 20 | listen 80; 21 | location / { 22 | default_type text/plain; 23 | return 200 24 | 'ngx\nsrv : $server_addr:$server_port\nhost: $hostname\nuri : $request_method $host $request_uri\n'; 25 | } 26 | } 27 | 28 | --- 29 | 30 | apiVersion: apps/v1 31 | kind: Deployment 32 | metadata: 33 | name: ngx-dep 34 | labels: 35 | app: ngx-dep 36 | 37 | spec: 38 | replicas: 1 39 | selector: 40 | matchLabels: 41 | app: ngx-dep 42 | 43 | template: 44 | metadata: 45 | labels: 46 | app: ngx-dep 47 | spec: 48 | volumes: 49 | - name: ngx-conf-vol 50 | configMap: 51 | name: ngx-conf 52 | 53 | containers: 54 | - image: nginx:alpine 55 | name: nginx 56 | ports: 57 | - containerPort: 80 58 | 59 | volumeMounts: 60 | - mountPath: /etc/nginx/conf.d 61 | name: ngx-conf-vol 62 | 63 | --- 64 | 65 | apiVersion: v1 66 | kind: Service 67 | metadata: 68 | name: ngx-svc 69 | 70 | spec: 71 | selector: 72 | app: ngx-dep 73 | 74 | ports: 75 | - port: 80 76 | protocol: TCP 77 | targetPort: 80 78 | 79 | --- 80 | -------------------------------------------------------------------------------- /gateway/filters.yml: 
-------------------------------------------------------------------------------- 1 | # chrono @ 2023-11 2 | 3 | # curl -i $(minikube ip):32686 -H 'host: filter.test' 4 | 5 | --- 6 | 7 | # https://docs.konghq.com/hub/kong-inc/rate-limiting/ 8 | 9 | apiVersion: configuration.konghq.com/v1 10 | kind: KongPlugin 11 | metadata: 12 | name: kong-rate-limiting-plugin 13 | 14 | plugin: rate-limiting 15 | config: 16 | minute: 2 17 | 18 | --- 19 | 20 | apiVersion: gateway.networking.k8s.io/v1 21 | kind: HTTPRoute 22 | metadata: 23 | name: ngx-filter-route 24 | 25 | annotations: 26 | konghq.com/plugins: | 27 | kong-rate-limiting-plugin 28 | 29 | spec: 30 | parentRefs: 31 | - name: kong-gtw 32 | hostnames: 33 | - "filter.test" 34 | 35 | rules: 36 | 37 | - backendRefs: 38 | - name: black-svc 39 | port: 80 40 | 41 | filters: 42 | - type: ResponseHeaderModifier 43 | responseHeaderModifier: 44 | add: 45 | - name: A-New-Header 46 | value: k8s-gtw-api 47 | 48 | --- 49 | 50 | -------------------------------------------------------------------------------- /gateway/gateway.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2023-11 2 | 3 | # minikube start --kubernetes-version=v1.28.3 4 | # kubectl version 5 | 6 | # install gateway api into k8s 7 | # wget https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml 8 | # kubectl apply -f standard-install.yaml 9 | 10 | # create gc/gtw 11 | # kubectl apply -f gateway.yml 12 | 13 | # helm install kong 14 | 15 | # kubectl get svc -n kong kong-gateway-proxy 16 | # curl -i $(minikube ip):32191 17 | 18 | --- 19 | 20 | apiVersion: gateway.networking.k8s.io/v1 21 | kind: GatewayClass 22 | metadata: 23 | name: kong-gc 24 | annotations: 25 | konghq.com/gatewayclass-unmanaged: 'true' 26 | 27 | spec: 28 | controllerName: konghq.com/kic-gateway-controller 29 | 30 | --- 31 | 32 | apiVersion: gateway.networking.k8s.io/v1 33 | kind: Gateway 34 | metadata: 35 | name: 
kong-gtw 36 | spec: 37 | gatewayClassName: kong-gc 38 | listeners: 39 | - name: proxy 40 | port: 80 41 | protocol: HTTP 42 | 43 | --- 44 | 45 | -------------------------------------------------------------------------------- /gateway/helm.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # chrono @ 2023-11 4 | 5 | # https://github.com/helm/helm/releases 6 | 7 | # VER=v3.13.2 8 | # ARCH=arm64 9 | # wget https://get.helm.sh/helm-${VER}-linux-${ARCH}.tar.gz 10 | # tar xfz helm-${VER}-linux-${ARCH}.tar.gz 11 | # sudo install linux-${ARCH}/helm /usr/local/bin 12 | 13 | # install helm (supply-chain note: this pipes an unpinned script from the helm 'main' branch straight into the shell, with no -f/-sS so a failed or tampered download is executed as-is; prefer the pinned release tarball above and check its sha256 against the release page, or at least download the script, read it, then run it) 14 | curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash 15 | 16 | # install kong gateway 17 | helm repo add kong https://charts.konghq.com 18 | helm repo update 19 | 20 | helm repo list 21 | helm search repo kong 22 | 23 | #helm install kong kong/ingress -n kong --create-namespace 24 | 25 | # enable HTTP query-parameter matching in routes (needed by the queryParams rule in routes.yml) 26 | # router_flavor: traditional_compatible or expressions 27 | helm install \ 28 | kong kong/ingress \ 29 | -n kong \ 30 | --create-namespace \ 31 | --set gateway.env.router_flavor=expressions 32 | 33 | 34 | -------------------------------------------------------------------------------- /gateway/routes.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2023-11 2 | 3 | # sed 's/ngx/red/g' backend.yml | kubectl apply -f - 4 | # sed 's/ngx/green/g' backend.yml | kubectl apply -f - 5 | # sed 's/ngx/blue/g' backend.yml | kubectl apply -f - 6 | # sed 's/ngx/black/g' backend.yml | kubectl apply -f - 7 | 8 | # kubectl apply -f routes.yml 9 | # kubectl get svc -n kong kong-gateway-proxy 10 | # curl -i $(minikube ip):32686 11 | 12 | # curl -i $(minikube ip):32686 -H 'host: gtw.test' 13 | # curl -i $(minikube ip):32686/hello -H 'host: gtw.ops' 14 | # curl -i $(minikube ip):32686 -H 'host: gtw.dev' -H 'area: north' 15 | 16 | # curl -i $(minikube ip):32686 -H 'host: gtw.io'
17 | # curl -i $(minikube ip):32686?user=admin -H 'host: gtw.io' 18 | # curl -i $(minikube ip):32686/leaf888 -H 'host: gtw.ai' 19 | 20 | --- 21 | 22 | apiVersion: gateway.networking.k8s.io/v1 23 | kind: HTTPRoute 24 | metadata: 25 | name: ngx-host-route 26 | spec: 27 | parentRefs: 28 | - name: kong-gtw 29 | hostnames: 30 | - "gtw.test" 31 | rules: 32 | - backendRefs: 33 | - name: red-svc 34 | port: 80 35 | 36 | --- 37 | 38 | apiVersion: gateway.networking.k8s.io/v1 39 | kind: HTTPRoute 40 | metadata: 41 | name: ngx-path-route 42 | spec: 43 | parentRefs: 44 | - name: kong-gtw 45 | hostnames: 46 | - "gtw.ops" 47 | rules: 48 | - matches: 49 | - path: 50 | type: PathPrefix 51 | value: /hello 52 | backendRefs: 53 | - name: green-svc 54 | port: 80 55 | 56 | --- 57 | 58 | apiVersion: gateway.networking.k8s.io/v1 59 | kind: HTTPRoute 60 | metadata: 61 | name: ngx-header-route 62 | spec: 63 | parentRefs: 64 | - name: kong-gtw 65 | hostnames: 66 | - "gtw.dev" 67 | rules: 68 | - matches: 69 | - headers: 70 | - type: Exact 71 | name: area 72 | value: north 73 | backendRefs: 74 | - name: blue-svc 75 | port: 80 76 | 77 | --- 78 | 79 | apiVersion: gateway.networking.k8s.io/v1 80 | kind: HTTPRoute 81 | metadata: 82 | name: ngx-multi-route 83 | spec: 84 | parentRefs: 85 | - name: kong-gtw 86 | hostnames: 87 | - "gtw.io" 88 | - "gtw.ai" 89 | rules: 90 | 91 | # default backend 92 | - backendRefs: 93 | - name: black-svc 94 | port: 80 95 | 96 | # http query match 97 | - matches: 98 | - queryParams: 99 | - type: Exact 100 | name: user 101 | value: admin 102 | backendRefs: 103 | - name: red-svc 104 | port: 80 105 | 106 | # http path regex match 107 | - matches: 108 | - path: 109 | type: RegularExpression 110 | value: /leaf\d+$ 111 | backendRefs: 112 | - name: green-svc 113 | port: 80 114 | 115 | --- 116 | 117 | -------------------------------------------------------------------------------- /gateway/traffic.yml: 
-------------------------------------------------------------------------------- 1 | # chrono @ 2023-11 2 | 3 | # curl -i $(minikube ip):32686 -H 'host: canary.test' 4 | # curl -i $(minikube ip):32686/login -H 'host: canary.test' 5 | 6 | # curl -i $(minikube ip):32686 -H 'host: blue-green.test' 7 | 8 | --- 9 | 10 | apiVersion: gateway.networking.k8s.io/v1 11 | kind: HTTPRoute 12 | metadata: 13 | name: ngx-canary-route 14 | spec: 15 | parentRefs: 16 | - name: kong-gtw 17 | hostnames: 18 | - "canary.test" 19 | 20 | rules: 21 | 22 | # most traffic 23 | - backendRefs: 24 | - name: blue-svc 25 | port: 80 26 | 27 | # less traffic 28 | - matches: 29 | - headers: 30 | - name: traffic 31 | value: canary 32 | - path: 33 | type: Exact 34 | value: /login 35 | backendRefs: 36 | - name: green-svc 37 | port: 80 38 | 39 | --- 40 | 41 | apiVersion: gateway.networking.k8s.io/v1 42 | kind: HTTPRoute 43 | metadata: 44 | name: ngx-blue-green-route 45 | spec: 46 | parentRefs: 47 | - name: kong-gtw 48 | hostnames: 49 | - "blue-green.test" 50 | rules: 51 | 52 | - backendRefs: 53 | 54 | # blue version 55 | - name: blue-svc 56 | port: 80 57 | weight: 50 58 | 59 | # green version 60 | - name: green-svc 61 | port: 80 62 | weight: 50 63 | 64 | --- 65 | 66 | -------------------------------------------------------------------------------- /ingress/common/crds/k8s.nginx.org_globalconfigurations.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | controller-gen.kubebuilder.io/version: v0.8.0 6 | creationTimestamp: null 7 | name: globalconfigurations.k8s.nginx.org 8 | spec: 9 | group: k8s.nginx.org 10 | names: 11 | kind: GlobalConfiguration 12 | listKind: GlobalConfigurationList 13 | plural: globalconfigurations 14 | shortNames: 15 | - gc 16 | singular: globalconfiguration 17 | scope: Namespaced 18 | versions: 19 | - name: v1alpha1 20 | schema: 21 | 
openAPIV3Schema: 22 | description: GlobalConfiguration defines the GlobalConfiguration resource. 23 | type: object 24 | properties: 25 | apiVersion: 26 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 27 | type: string 28 | kind: 29 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 30 | type: string 31 | metadata: 32 | type: object 33 | spec: 34 | description: GlobalConfigurationSpec is the spec of the GlobalConfiguration resource. 35 | type: object 36 | properties: 37 | listeners: 38 | type: array 39 | items: 40 | description: Listener defines a listener. 
41 | type: object 42 | properties: 43 | name: 44 | type: string 45 | port: 46 | type: integer 47 | protocol: 48 | type: string 49 | served: true 50 | storage: true 51 | status: 52 | acceptedNames: 53 | kind: "" 54 | plural: "" 55 | conditions: [] 56 | storedVersions: [] 57 | -------------------------------------------------------------------------------- /ingress/common/crds/k8s.nginx.org_policies.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | controller-gen.kubebuilder.io/version: v0.8.0 6 | creationTimestamp: null 7 | name: policies.k8s.nginx.org 8 | spec: 9 | group: k8s.nginx.org 10 | names: 11 | kind: Policy 12 | listKind: PolicyList 13 | plural: policies 14 | shortNames: 15 | - pol 16 | singular: policy 17 | scope: Namespaced 18 | versions: 19 | - additionalPrinterColumns: 20 | - description: Current state of the Policy. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. 21 | jsonPath: .status.state 22 | name: State 23 | type: string 24 | - jsonPath: .metadata.creationTimestamp 25 | name: Age 26 | type: date 27 | name: v1 28 | schema: 29 | openAPIV3Schema: 30 | description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources. 31 | type: object 32 | properties: 33 | apiVersion: 34 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 35 | type: string 36 | kind: 37 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 38 | type: string 39 | metadata: 40 | type: object 41 | spec: 42 | description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed. 43 | type: object 44 | properties: 45 | accessControl: 46 | description: AccessControl defines an access policy based on the source IP of a request. 47 | type: object 48 | properties: 49 | allow: 50 | type: array 51 | items: 52 | type: string 53 | deny: 54 | type: array 55 | items: 56 | type: string 57 | egressMTLS: 58 | description: EgressMTLS defines an Egress MTLS policy. 59 | type: object 60 | properties: 61 | ciphers: 62 | type: string 63 | protocols: 64 | type: string 65 | serverName: 66 | type: boolean 67 | sessionReuse: 68 | type: boolean 69 | sslName: 70 | type: string 71 | tlsSecret: 72 | type: string 73 | trustedCertSecret: 74 | type: string 75 | verifyDepth: 76 | type: integer 77 | verifyServer: 78 | type: boolean 79 | ingressClassName: 80 | type: string 81 | ingressMTLS: 82 | description: IngressMTLS defines an Ingress MTLS policy. 83 | type: object 84 | properties: 85 | clientCertSecret: 86 | type: string 87 | verifyClient: 88 | type: string 89 | verifyDepth: 90 | type: integer 91 | jwt: 92 | description: JWTAuth holds JWT authentication configuration. 93 | type: object 94 | properties: 95 | realm: 96 | type: string 97 | secret: 98 | type: string 99 | token: 100 | type: string 101 | oidc: 102 | description: OIDC defines an Open ID Connect policy. 
103 | type: object 104 | properties: 105 | authEndpoint: 106 | type: string 107 | clientID: 108 | type: string 109 | clientSecret: 110 | type: string 111 | jwksURI: 112 | type: string 113 | redirectURI: 114 | type: string 115 | scope: 116 | type: string 117 | tokenEndpoint: 118 | type: string 119 | rateLimit: 120 | description: RateLimit defines a rate limit policy. 121 | type: object 122 | properties: 123 | burst: 124 | type: integer 125 | delay: 126 | type: integer 127 | dryRun: 128 | type: boolean 129 | key: 130 | type: string 131 | logLevel: 132 | type: string 133 | noDelay: 134 | type: boolean 135 | rate: 136 | type: string 137 | rejectCode: 138 | type: integer 139 | zoneSize: 140 | type: string 141 | waf: 142 | description: WAF defines an WAF policy. 143 | type: object 144 | properties: 145 | apPolicy: 146 | type: string 147 | enable: 148 | type: boolean 149 | securityLog: 150 | description: SecurityLog defines the security log of a WAF policy. 151 | type: object 152 | properties: 153 | apLogConf: 154 | type: string 155 | enable: 156 | type: boolean 157 | logDest: 158 | type: string 159 | status: 160 | description: PolicyStatus is the status of the policy resource 161 | type: object 162 | properties: 163 | message: 164 | type: string 165 | reason: 166 | type: string 167 | state: 168 | type: string 169 | served: true 170 | storage: true 171 | subresources: 172 | status: {} 173 | - name: v1alpha1 174 | schema: 175 | openAPIV3Schema: 176 | description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources. 177 | type: object 178 | properties: 179 | apiVersion: 180 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 181 | type: string 182 | kind: 183 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 184 | type: string 185 | metadata: 186 | type: object 187 | spec: 188 | description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed. 189 | type: object 190 | properties: 191 | accessControl: 192 | description: AccessControl defines an access policy based on the source IP of a request. 193 | type: object 194 | properties: 195 | allow: 196 | type: array 197 | items: 198 | type: string 199 | deny: 200 | type: array 201 | items: 202 | type: string 203 | egressMTLS: 204 | description: EgressMTLS defines an Egress MTLS policy. 205 | type: object 206 | properties: 207 | ciphers: 208 | type: string 209 | protocols: 210 | type: string 211 | serverName: 212 | type: boolean 213 | sessionReuse: 214 | type: boolean 215 | sslName: 216 | type: string 217 | tlsSecret: 218 | type: string 219 | trustedCertSecret: 220 | type: string 221 | verifyDepth: 222 | type: integer 223 | verifyServer: 224 | type: boolean 225 | ingressMTLS: 226 | description: IngressMTLS defines an Ingress MTLS policy. 227 | type: object 228 | properties: 229 | clientCertSecret: 230 | type: string 231 | verifyClient: 232 | type: string 233 | verifyDepth: 234 | type: integer 235 | jwt: 236 | description: JWTAuth holds JWT authentication configuration. 237 | type: object 238 | properties: 239 | realm: 240 | type: string 241 | secret: 242 | type: string 243 | token: 244 | type: string 245 | rateLimit: 246 | description: RateLimit defines a rate limit policy. 
247 | type: object 248 | properties: 249 | burst: 250 | type: integer 251 | delay: 252 | type: integer 253 | dryRun: 254 | type: boolean 255 | key: 256 | type: string 257 | logLevel: 258 | type: string 259 | noDelay: 260 | type: boolean 261 | rate: 262 | type: string 263 | rejectCode: 264 | type: integer 265 | zoneSize: 266 | type: string 267 | served: true 268 | storage: false 269 | status: 270 | acceptedNames: 271 | kind: "" 272 | plural: "" 273 | conditions: [] 274 | storedVersions: [] 275 | -------------------------------------------------------------------------------- /ingress/common/crds/k8s.nginx.org_transportservers.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | controller-gen.kubebuilder.io/version: v0.8.0 6 | creationTimestamp: null 7 | name: transportservers.k8s.nginx.org 8 | spec: 9 | group: k8s.nginx.org 10 | names: 11 | kind: TransportServer 12 | listKind: TransportServerList 13 | plural: transportservers 14 | shortNames: 15 | - ts 16 | singular: transportserver 17 | scope: Namespaced 18 | versions: 19 | - additionalPrinterColumns: 20 | - description: Current state of the TransportServer. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. 21 | jsonPath: .status.state 22 | name: State 23 | type: string 24 | - jsonPath: .status.reason 25 | name: Reason 26 | type: string 27 | - jsonPath: .metadata.creationTimestamp 28 | name: Age 29 | type: date 30 | name: v1alpha1 31 | schema: 32 | openAPIV3Schema: 33 | description: TransportServer defines the TransportServer resource. 34 | type: object 35 | properties: 36 | apiVersion: 37 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 38 | type: string 39 | kind: 40 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 41 | type: string 42 | metadata: 43 | type: object 44 | spec: 45 | description: TransportServerSpec is the spec of the TransportServer resource. 46 | type: object 47 | properties: 48 | action: 49 | description: Action defines an action. 50 | type: object 51 | properties: 52 | pass: 53 | type: string 54 | host: 55 | type: string 56 | ingressClassName: 57 | type: string 58 | listener: 59 | description: TransportServerListener defines a listener for a TransportServer. 60 | type: object 61 | properties: 62 | name: 63 | type: string 64 | protocol: 65 | type: string 66 | serverSnippets: 67 | type: string 68 | sessionParameters: 69 | description: SessionParameters defines session parameters. 70 | type: object 71 | properties: 72 | timeout: 73 | type: string 74 | streamSnippets: 75 | type: string 76 | upstreamParameters: 77 | description: UpstreamParameters defines parameters for an upstream. 78 | type: object 79 | properties: 80 | connectTimeout: 81 | type: string 82 | nextUpstream: 83 | type: boolean 84 | nextUpstreamTimeout: 85 | type: string 86 | nextUpstreamTries: 87 | type: integer 88 | udpRequests: 89 | type: integer 90 | udpResponses: 91 | type: integer 92 | upstreams: 93 | type: array 94 | items: 95 | description: Upstream defines an upstream. 96 | type: object 97 | properties: 98 | failTimeout: 99 | type: string 100 | healthCheck: 101 | description: HealthCheck defines the parameters for active Upstream HealthChecks. 
102 | type: object 103 | properties: 104 | enable: 105 | type: boolean 106 | fails: 107 | type: integer 108 | interval: 109 | type: string 110 | jitter: 111 | type: string 112 | match: 113 | description: Match defines the parameters of a custom health check. 114 | type: object 115 | properties: 116 | expect: 117 | type: string 118 | send: 119 | type: string 120 | passes: 121 | type: integer 122 | port: 123 | type: integer 124 | timeout: 125 | type: string 126 | loadBalancingMethod: 127 | type: string 128 | maxConns: 129 | type: integer 130 | maxFails: 131 | type: integer 132 | name: 133 | type: string 134 | port: 135 | type: integer 136 | service: 137 | type: string 138 | status: 139 | description: TransportServerStatus defines the status for the TransportServer resource. 140 | type: object 141 | properties: 142 | message: 143 | type: string 144 | reason: 145 | type: string 146 | state: 147 | type: string 148 | served: true 149 | storage: true 150 | subresources: 151 | status: {} 152 | status: 153 | acceptedNames: 154 | kind: "" 155 | plural: "" 156 | conditions: [] 157 | storedVersions: [] 158 | -------------------------------------------------------------------------------- /ingress/common/crds/k8s.nginx.org_virtualserverroutes.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | annotations: 5 | controller-gen.kubebuilder.io/version: v0.8.0 6 | creationTimestamp: null 7 | name: virtualserverroutes.k8s.nginx.org 8 | spec: 9 | group: k8s.nginx.org 10 | names: 11 | kind: VirtualServerRoute 12 | listKind: VirtualServerRouteList 13 | plural: virtualserverroutes 14 | shortNames: 15 | - vsr 16 | singular: virtualserverroute 17 | scope: Namespaced 18 | versions: 19 | - additionalPrinterColumns: 20 | - description: Current state of the VirtualServerRoute. 
If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller. 21 | jsonPath: .status.state 22 | name: State 23 | type: string 24 | - jsonPath: .spec.host 25 | name: Host 26 | type: string 27 | - jsonPath: .status.externalEndpoints[*].ip 28 | name: IP 29 | type: string 30 | - jsonPath: .status.externalEndpoints[*].ports 31 | name: Ports 32 | type: string 33 | - jsonPath: .metadata.creationTimestamp 34 | name: Age 35 | type: date 36 | name: v1 37 | schema: 38 | openAPIV3Schema: 39 | description: VirtualServerRoute defines the VirtualServerRoute resource. 40 | type: object 41 | properties: 42 | apiVersion: 43 | description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 44 | type: string 45 | kind: 46 | description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 47 | type: string 48 | metadata: 49 | type: object 50 | spec: 51 | description: VirtualServerRouteSpec is the spec of the VirtualServerRoute resource. 52 | type: object 53 | properties: 54 | host: 55 | type: string 56 | ingressClassName: 57 | type: string 58 | subroutes: 59 | type: array 60 | items: 61 | description: Route defines a route. 62 | type: object 63 | properties: 64 | action: 65 | description: Action defines an action. 66 | type: object 67 | properties: 68 | pass: 69 | type: string 70 | proxy: 71 | description: ActionProxy defines a proxy in an Action. 
72 | type: object 73 | properties: 74 | requestHeaders: 75 | description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. 76 | type: object 77 | properties: 78 | pass: 79 | type: boolean 80 | set: 81 | type: array 82 | items: 83 | description: Header defines an HTTP Header. 84 | type: object 85 | properties: 86 | name: 87 | type: string 88 | value: 89 | type: string 90 | responseHeaders: 91 | description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. 92 | type: object 93 | properties: 94 | add: 95 | type: array 96 | items: 97 | description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. 98 | type: object 99 | properties: 100 | always: 101 | type: boolean 102 | name: 103 | type: string 104 | value: 105 | type: string 106 | hide: 107 | type: array 108 | items: 109 | type: string 110 | ignore: 111 | type: array 112 | items: 113 | type: string 114 | pass: 115 | type: array 116 | items: 117 | type: string 118 | rewritePath: 119 | type: string 120 | upstream: 121 | type: string 122 | redirect: 123 | description: ActionRedirect defines a redirect in an Action. 124 | type: object 125 | properties: 126 | code: 127 | type: integer 128 | url: 129 | type: string 130 | return: 131 | description: ActionReturn defines a return in an Action. 132 | type: object 133 | properties: 134 | body: 135 | type: string 136 | code: 137 | type: integer 138 | type: 139 | type: string 140 | dos: 141 | type: string 142 | errorPages: 143 | type: array 144 | items: 145 | description: ErrorPage defines an ErrorPage in a Route. 146 | type: object 147 | properties: 148 | codes: 149 | type: array 150 | items: 151 | type: integer 152 | redirect: 153 | description: ErrorPageRedirect defines a redirect for an ErrorPage. 
154 | type: object 155 | properties: 156 | code: 157 | type: integer 158 | url: 159 | type: string 160 | return: 161 | description: ErrorPageReturn defines a return for an ErrorPage. 162 | type: object 163 | properties: 164 | body: 165 | type: string 166 | code: 167 | type: integer 168 | headers: 169 | type: array 170 | items: 171 | description: Header defines an HTTP Header. 172 | type: object 173 | properties: 174 | name: 175 | type: string 176 | value: 177 | type: string 178 | type: 179 | type: string 180 | location-snippets: 181 | type: string 182 | matches: 183 | type: array 184 | items: 185 | description: Match defines a match. 186 | type: object 187 | properties: 188 | action: 189 | description: Action defines an action. 190 | type: object 191 | properties: 192 | pass: 193 | type: string 194 | proxy: 195 | description: ActionProxy defines a proxy in an Action. 196 | type: object 197 | properties: 198 | requestHeaders: 199 | description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. 200 | type: object 201 | properties: 202 | pass: 203 | type: boolean 204 | set: 205 | type: array 206 | items: 207 | description: Header defines an HTTP Header. 208 | type: object 209 | properties: 210 | name: 211 | type: string 212 | value: 213 | type: string 214 | responseHeaders: 215 | description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. 216 | type: object 217 | properties: 218 | add: 219 | type: array 220 | items: 221 | description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. 
222 | type: object 223 | properties: 224 | always: 225 | type: boolean 226 | name: 227 | type: string 228 | value: 229 | type: string 230 | hide: 231 | type: array 232 | items: 233 | type: string 234 | ignore: 235 | type: array 236 | items: 237 | type: string 238 | pass: 239 | type: array 240 | items: 241 | type: string 242 | rewritePath: 243 | type: string 244 | upstream: 245 | type: string 246 | redirect: 247 | description: ActionRedirect defines a redirect in an Action. 248 | type: object 249 | properties: 250 | code: 251 | type: integer 252 | url: 253 | type: string 254 | return: 255 | description: ActionReturn defines a return in an Action. 256 | type: object 257 | properties: 258 | body: 259 | type: string 260 | code: 261 | type: integer 262 | type: 263 | type: string 264 | conditions: 265 | type: array 266 | items: 267 | description: Condition defines a condition in a MatchRule. 268 | type: object 269 | properties: 270 | argument: 271 | type: string 272 | cookie: 273 | type: string 274 | header: 275 | type: string 276 | value: 277 | type: string 278 | variable: 279 | type: string 280 | splits: 281 | type: array 282 | items: 283 | description: Split defines a split. 284 | type: object 285 | properties: 286 | action: 287 | description: Action defines an action. 288 | type: object 289 | properties: 290 | pass: 291 | type: string 292 | proxy: 293 | description: ActionProxy defines a proxy in an Action. 294 | type: object 295 | properties: 296 | requestHeaders: 297 | description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. 298 | type: object 299 | properties: 300 | pass: 301 | type: boolean 302 | set: 303 | type: array 304 | items: 305 | description: Header defines an HTTP Header. 306 | type: object 307 | properties: 308 | name: 309 | type: string 310 | value: 311 | type: string 312 | responseHeaders: 313 | description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. 
314 | type: object 315 | properties: 316 | add: 317 | type: array 318 | items: 319 | description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. 320 | type: object 321 | properties: 322 | always: 323 | type: boolean 324 | name: 325 | type: string 326 | value: 327 | type: string 328 | hide: 329 | type: array 330 | items: 331 | type: string 332 | ignore: 333 | type: array 334 | items: 335 | type: string 336 | pass: 337 | type: array 338 | items: 339 | type: string 340 | rewritePath: 341 | type: string 342 | upstream: 343 | type: string 344 | redirect: 345 | description: ActionRedirect defines a redirect in an Action. 346 | type: object 347 | properties: 348 | code: 349 | type: integer 350 | url: 351 | type: string 352 | return: 353 | description: ActionReturn defines a return in an Action. 354 | type: object 355 | properties: 356 | body: 357 | type: string 358 | code: 359 | type: integer 360 | type: 361 | type: string 362 | weight: 363 | type: integer 364 | path: 365 | type: string 366 | policies: 367 | type: array 368 | items: 369 | description: PolicyReference references a policy by name and an optional namespace. 370 | type: object 371 | properties: 372 | name: 373 | type: string 374 | namespace: 375 | type: string 376 | route: 377 | type: string 378 | splits: 379 | type: array 380 | items: 381 | description: Split defines a split. 382 | type: object 383 | properties: 384 | action: 385 | description: Action defines an action. 386 | type: object 387 | properties: 388 | pass: 389 | type: string 390 | proxy: 391 | description: ActionProxy defines a proxy in an Action. 392 | type: object 393 | properties: 394 | requestHeaders: 395 | description: ProxyRequestHeaders defines the request headers manipulation in an ActionProxy. 396 | type: object 397 | properties: 398 | pass: 399 | type: boolean 400 | set: 401 | type: array 402 | items: 403 | description: Header defines an HTTP Header. 
404 | type: object 405 | properties: 406 | name: 407 | type: string 408 | value: 409 | type: string 410 | responseHeaders: 411 | description: ProxyResponseHeaders defines the response headers manipulation in an ActionProxy. 412 | type: object 413 | properties: 414 | add: 415 | type: array 416 | items: 417 | description: AddHeader defines an HTTP Header with an optional Always field to use with the add_header NGINX directive. 418 | type: object 419 | properties: 420 | always: 421 | type: boolean 422 | name: 423 | type: string 424 | value: 425 | type: string 426 | hide: 427 | type: array 428 | items: 429 | type: string 430 | ignore: 431 | type: array 432 | items: 433 | type: string 434 | pass: 435 | type: array 436 | items: 437 | type: string 438 | rewritePath: 439 | type: string 440 | upstream: 441 | type: string 442 | redirect: 443 | description: ActionRedirect defines a redirect in an Action. 444 | type: object 445 | properties: 446 | code: 447 | type: integer 448 | url: 449 | type: string 450 | return: 451 | description: ActionReturn defines a return in an Action. 452 | type: object 453 | properties: 454 | body: 455 | type: string 456 | code: 457 | type: integer 458 | type: 459 | type: string 460 | weight: 461 | type: integer 462 | upstreams: 463 | type: array 464 | items: 465 | description: Upstream defines an upstream. 466 | type: object 467 | properties: 468 | buffer-size: 469 | type: string 470 | buffering: 471 | type: boolean 472 | buffers: 473 | description: UpstreamBuffers defines Buffer Configuration for an Upstream. 474 | type: object 475 | properties: 476 | number: 477 | type: integer 478 | size: 479 | type: string 480 | client-max-body-size: 481 | type: string 482 | connect-timeout: 483 | type: string 484 | fail-timeout: 485 | type: string 486 | healthCheck: 487 | description: HealthCheck defines the parameters for active Upstream HealthChecks. 
488 | type: object 489 | properties: 490 | connect-timeout: 491 | type: string 492 | enable: 493 | type: boolean 494 | fails: 495 | type: integer 496 | grpcService: 497 | type: string 498 | grpcStatus: 499 | type: integer 500 | headers: 501 | type: array 502 | items: 503 | description: Header defines an HTTP Header. 504 | type: object 505 | properties: 506 | name: 507 | type: string 508 | value: 509 | type: string 510 | interval: 511 | type: string 512 | jitter: 513 | type: string 514 | mandatory: 515 | type: boolean 516 | passes: 517 | type: integer 518 | path: 519 | type: string 520 | persistent: 521 | type: boolean 522 | port: 523 | type: integer 524 | read-timeout: 525 | type: string 526 | send-timeout: 527 | type: string 528 | statusMatch: 529 | type: string 530 | tls: 531 | description: UpstreamTLS defines a TLS configuration for an Upstream. 532 | type: object 533 | properties: 534 | enable: 535 | type: boolean 536 | keepalive: 537 | type: integer 538 | lb-method: 539 | type: string 540 | max-conns: 541 | type: integer 542 | max-fails: 543 | type: integer 544 | name: 545 | type: string 546 | next-upstream: 547 | type: string 548 | next-upstream-timeout: 549 | type: string 550 | next-upstream-tries: 551 | type: integer 552 | ntlm: 553 | type: boolean 554 | port: 555 | type: integer 556 | queue: 557 | description: UpstreamQueue defines Queue Configuration for an Upstream. 558 | type: object 559 | properties: 560 | size: 561 | type: integer 562 | timeout: 563 | type: string 564 | read-timeout: 565 | type: string 566 | send-timeout: 567 | type: string 568 | service: 569 | type: string 570 | sessionCookie: 571 | description: SessionCookie defines the parameters for session persistence. 
572 | type: object 573 | properties: 574 | domain: 575 | type: string 576 | enable: 577 | type: boolean 578 | expires: 579 | type: string 580 | httpOnly: 581 | type: boolean 582 | name: 583 | type: string 584 | path: 585 | type: string 586 | secure: 587 | type: boolean 588 | slow-start: 589 | type: string 590 | subselector: 591 | type: object 592 | additionalProperties: 593 | type: string 594 | tls: 595 | description: UpstreamTLS defines a TLS configuration for an Upstream. 596 | type: object 597 | properties: 598 | enable: 599 | type: boolean 600 | type: 601 | type: string 602 | use-cluster-ip: 603 | type: boolean 604 | status: 605 | description: VirtualServerRouteStatus defines the status for the VirtualServerRoute resource. 606 | type: object 607 | properties: 608 | externalEndpoints: 609 | type: array 610 | items: 611 | description: ExternalEndpoint defines the IP and ports used to connect to this resource. 612 | type: object 613 | properties: 614 | ip: 615 | type: string 616 | ports: 617 | type: string 618 | message: 619 | type: string 620 | reason: 621 | type: string 622 | referencedBy: 623 | type: string 624 | state: 625 | type: string 626 | served: true 627 | storage: true 628 | subresources: 629 | status: {} 630 | status: 631 | acceptedNames: 632 | kind: "" 633 | plural: "" 634 | conditions: [] 635 | storedVersions: [] 636 | -------------------------------------------------------------------------------- /ingress/common/default-server-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: default-server-secret 5 | namespace: nginx-ingress 6 | type: kubernetes.io/tls 7 | data: 8 | tls.crt: 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 9 | tls.key: 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 10 | -------------------------------------------------------------------------------- /ingress/common/nginx-config.yaml: 
-------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | -------------------------------------------------------------------------------- /ingress/common/ns-and-sa.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: nginx-ingress 5 | --- 6 | apiVersion: v1 7 | kind: ServiceAccount 8 | metadata: 9 | name: nginx-ingress 10 | namespace: nginx-ingress -------------------------------------------------------------------------------- /ingress/rbac/rbac.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRole 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: nginx-ingress 5 | rules: 6 | - apiGroups: 7 | - "" 8 | resources: 9 | - services 10 | - endpoints 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - apiGroups: 16 | - "" 17 | resources: 18 | - secrets 19 | verbs: 20 | - get 21 | - list 22 | - watch 23 | - apiGroups: 24 | - "" 25 | resources: 26 | - configmaps 27 | verbs: 28 | - get 29 | - list 30 | - watch 31 | - update 32 | - create 33 | - apiGroups: 34 | - "" 35 | resources: 36 | - pods 37 | verbs: 38 | - list 39 | - watch 40 | - apiGroups: 41 | - "" 42 | resources: 43 | - events 44 | verbs: 45 | - create 46 | - patch 47 | - list 48 | - apiGroups: 49 | - networking.k8s.io 50 | resources: 51 | - ingresses 52 | verbs: 53 | - list 54 | - watch 55 | - get 56 | - apiGroups: 57 | - networking.k8s.io 58 | resources: 59 | - ingresses/status 60 | verbs: 61 | - update 62 | - apiGroups: 63 | - k8s.nginx.org 64 | resources: 65 | - virtualservers 66 | - virtualserverroutes 67 | - globalconfigurations 68 | - transportservers 69 | - policies 70 | verbs: 71 | - list 72 | - watch 73 | - get 74 | - apiGroups: 75 | - k8s.nginx.org 76 | resources: 77 | - virtualservers/status 
78 | - virtualserverroutes/status 79 | - policies/status 80 | - transportservers/status 81 | verbs: 82 | - update 83 | - apiGroups: 84 | - networking.k8s.io 85 | resources: 86 | - ingressclasses 87 | verbs: 88 | - get 89 | - apiGroups: 90 | - cis.f5.com 91 | resources: 92 | - ingresslinks 93 | verbs: 94 | - list 95 | - watch 96 | - get 97 | - apiGroups: 98 | - cert-manager.io 99 | resources: 100 | - certificates 101 | verbs: 102 | - list 103 | - watch 104 | - get 105 | - update 106 | - create 107 | - delete 108 | --- 109 | kind: ClusterRoleBinding 110 | apiVersion: rbac.authorization.k8s.io/v1 111 | metadata: 112 | name: nginx-ingress 113 | subjects: 114 | - kind: ServiceAccount 115 | name: nginx-ingress 116 | namespace: nginx-ingress 117 | roleRef: 118 | kind: ClusterRole 119 | name: nginx-ingress 120 | apiGroup: rbac.authorization.k8s.io 121 | -------------------------------------------------------------------------------- /ingress/remove.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # remove ingress. Caution: "kubectl delete -f common/crds/" deletes the CRDs themselves, which removes every VirtualServer, VirtualServerRoute, Policy, TransportServer and GlobalConfiguration object in the whole cluster, not just this controller's namespace — skip that step if anything else still uses them. 4 | kubectl delete namespace nginx-ingress 5 | kubectl delete clusterrole nginx-ingress 6 | kubectl delete clusterrolebinding nginx-ingress 7 | 8 | kubectl delete -f common/crds/ 9 | 10 | -------------------------------------------------------------------------------- /ingress/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | kubectl apply -f common/ns-and-sa.yaml 4 | kubectl apply -f rbac 5 | 6 | kubectl apply -f common 7 | kubectl apply -f common/crds 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /kong/crd.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-12 2 | 3 | # https://docs.konghq.com/kubernetes-ingress-controller/2.7.x/references/annotations/ 4 | # 
https://docs.konghq.com/kubernetes-ingress-controller/2.7.x/guides/using-kongplugin-resource/ 5 | 6 | # kubectl apply -f crd.yml 7 | 8 | # curl $(minikube ip):30767 -H 'host: kong.test' -i 9 | # curl $(minikube ip):30767 -H 'host: kong.dev' -i 10 | # curl $(minikube ip):30767 -H 'host: kong.ops' -i 11 | 12 | # curl $(minikube ip):30767 -H 'host: kong.ops' -d '1234567890' -i 13 | 14 | --- 15 | 16 | apiVersion: configuration.konghq.com/v1 17 | kind: KongPlugin 18 | metadata: 19 | name: kong-add-resp-header-plugin 20 | 21 | plugin: response-transformer 22 | config: 23 | add: 24 | headers: 25 | - Resp-New-Header:kong-kic 26 | 27 | --- 28 | 29 | apiVersion: configuration.konghq.com/v1 30 | kind: KongPlugin 31 | metadata: 32 | name: kong-request-size-limiting-plugin 33 | 34 | plugin: request-size-limiting 35 | config: 36 | allowed_payload_size: 8 37 | size_unit: bytes 38 | 39 | --- 40 | 41 | apiVersion: configuration.konghq.com/v1 42 | kind: KongPlugin 43 | metadata: 44 | name: kong-rate-limiting-plugin 45 | 46 | plugin: rate-limiting 47 | config: 48 | minute: 2 49 | 50 | --- 51 | 52 | apiVersion: configuration.konghq.com/v1 53 | kind: KongPlugin 54 | metadata: 55 | name: kong-key-auth-plugin 56 | 57 | plugin: key-auth 58 | config: 59 | key_names: 60 | - kong-apikey 61 | 62 | --- 63 | 64 | apiVersion: networking.k8s.io/v1 65 | kind: Ingress 66 | metadata: 67 | name: kong-ing 68 | annotations: 69 | konghq.com/host-aliases: "kong.dev, kong.ops" 70 | konghq.com/plugins: | 71 | kong-add-resp-header-plugin, 72 | kong-request-size-limiting-plugin 73 | #kong-rate-limiting-plugin 74 | 75 | spec: 76 | ingressClassName: kong-ink 77 | 78 | rules: 79 | - host: kong.test 80 | http: 81 | paths: 82 | - path: / 83 | pathType: Prefix 84 | backend: 85 | service: 86 | name: ngx-svc 87 | port: 88 | number: 80 89 | --- 90 | -------------------------------------------------------------------------------- /kong/ingress.yml: 
-------------------------------------------------------------------------------- 1 | # chrono @ 2022-07 2 | 3 | # kubectl create ing kong-ing --rule="kong.test/=ngx-svc:80" $out 4 | # kubectl create ing kong-ing --rule="kong.test/=ngx-svc:80" --class=kong-ink $out 5 | # 6 | # kubectl port-forward -n kong ingress-kong-dep-dc785bd49-2f7dw 8000 & 7 | # 8 | # curl --resolve kong.dev:8000:127.0.0.1 kong.dev:8000 -v 9 | # curl --resolve kong.ops:8000:127.0.0.1 kong.ops:8000 -v 10 | 11 | --- 12 | 13 | apiVersion: networking.k8s.io/v1 14 | kind: IngressClass 15 | metadata: 16 | name: kong-ink 17 | 18 | spec: 19 | controller: ingress-controllers.konghq.com/kong 20 | 21 | --- 22 | 23 | apiVersion: networking.k8s.io/v1 24 | kind: Ingress 25 | metadata: 26 | name: kong-ing 27 | 28 | spec: 29 | ingressClassName: kong-ink 30 | 31 | rules: 32 | - host: kong.test 33 | http: 34 | paths: 35 | - path: / 36 | pathType: Prefix 37 | backend: 38 | service: 39 | name: ngx-svc 40 | port: 41 | number: 80 42 | --- 43 | 44 | -------------------------------------------------------------------------------- /kong/kic.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-12 2 | 3 | # https://docs.konghq.com/kubernetes-ingress-controller/latest/references/annotations/ 4 | # - name: CONTROLLER_INGRESS_CLASS 5 | # value: kong-ink 6 | # - name: CONTROLLER_PUBLISH_SERVICE 7 | # value: kong/ingress-kong-proxy 8 | # - name: KONG_ROUTER_FLAVOR 9 | # value: traditional_compatible 10 | 11 | # kubectl port-forward -n kong ingress-kong-dep-5656d6cfc4-lw472 8000:8000 & 12 | # curl --resolve kong.test:8000:127.0.0.1 kong.test:8000 13 | # curl --resolve kong.test:8000:127.0.0.1 kong.test:8000 -I 14 | # 15 | # curl --resolve kong.dev:8000:127.0.0.1 kong.dev:8000 -v 16 | # curl --resolve kong.ops:8000:127.0.0.1 kong.ops:8000 -v 17 | 18 | --- 19 | 20 | apiVersion: apps/v1 21 | kind: Deployment 22 | metadata: 23 | labels: 24 | app: ingress-kong-dep 25 | name: 
ingress-kong-dep 26 | namespace: kong 27 | spec: 28 | replicas: 1 29 | selector: 30 | matchLabels: 31 | app: ingress-kong-dep 32 | template: 33 | metadata: 34 | labels: 35 | app: ingress-kong-dep 36 | spec: 37 | automountServiceAccountToken: false 38 | containers: 39 | - env: 40 | - name: KONG_PROXY_LISTEN 41 | value: 0.0.0.0:8000, 0.0.0.0:8443 ssl http2 42 | - name: KONG_PORT_MAPS 43 | value: 80:8000, 443:8443 44 | - name: KONG_ADMIN_LISTEN 45 | value: 127.0.0.1:8444 ssl 46 | - name: KONG_STATUS_LISTEN 47 | value: 0.0.0.0:8100 48 | - name: KONG_DATABASE 49 | value: "off" 50 | - name: KONG_NGINX_WORKER_PROCESSES 51 | value: "2" 52 | - name: KONG_KIC 53 | value: "on" 54 | - name: KONG_ADMIN_ACCESS_LOG 55 | value: /dev/stdout 56 | - name: KONG_ADMIN_ERROR_LOG 57 | value: /dev/stderr 58 | - name: KONG_PROXY_ERROR_LOG 59 | value: /dev/stderr 60 | - name: KONG_ROUTER_FLAVOR 61 | value: traditional_compatible 62 | #value: traditional 63 | image: kong:3.1 64 | lifecycle: 65 | preStop: 66 | exec: 67 | command: 68 | - /bin/bash 69 | - -c 70 | - kong quit 71 | livenessProbe: 72 | failureThreshold: 3 73 | httpGet: 74 | path: /status 75 | port: 8100 76 | scheme: HTTP 77 | initialDelaySeconds: 5 78 | periodSeconds: 10 79 | successThreshold: 1 80 | timeoutSeconds: 1 81 | name: proxy 82 | ports: 83 | - containerPort: 8000 84 | name: proxy 85 | protocol: TCP 86 | - containerPort: 8443 87 | name: proxy-ssl 88 | protocol: TCP 89 | - containerPort: 8100 90 | name: metrics 91 | protocol: TCP 92 | readinessProbe: 93 | failureThreshold: 3 94 | httpGet: 95 | path: /status 96 | port: 8100 97 | scheme: HTTP 98 | initialDelaySeconds: 5 99 | periodSeconds: 10 100 | successThreshold: 1 101 | timeoutSeconds: 1 102 | - env: 103 | # add IngressClass here! 
104 | - name: CONTROLLER_INGRESS_CLASS 105 | value: kong-ink 106 | 107 | - name: CONTROLLER_KONG_ADMIN_URL 108 | value: https://127.0.0.1:8444 109 | - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY 110 | value: "true" 111 | - name: CONTROLLER_PUBLISH_SERVICE 112 | value: kong/ingress-kong-svc 113 | - name: POD_NAME 114 | valueFrom: 115 | fieldRef: 116 | apiVersion: v1 117 | fieldPath: metadata.name 118 | - name: POD_NAMESPACE 119 | valueFrom: 120 | fieldRef: 121 | apiVersion: v1 122 | fieldPath: metadata.namespace 123 | image: kong/kubernetes-ingress-controller:2.7.0 124 | imagePullPolicy: IfNotPresent 125 | livenessProbe: 126 | failureThreshold: 3 127 | httpGet: 128 | path: /healthz 129 | port: 10254 130 | scheme: HTTP 131 | initialDelaySeconds: 5 132 | periodSeconds: 10 133 | successThreshold: 1 134 | timeoutSeconds: 1 135 | name: ingress-controller 136 | ports: 137 | - containerPort: 8080 138 | name: webhook 139 | protocol: TCP 140 | - containerPort: 10255 141 | name: cmetrics 142 | protocol: TCP 143 | readinessProbe: 144 | failureThreshold: 3 145 | httpGet: 146 | path: /readyz 147 | port: 10254 148 | scheme: HTTP 149 | initialDelaySeconds: 5 150 | periodSeconds: 10 151 | successThreshold: 1 152 | timeoutSeconds: 1 153 | volumeMounts: 154 | - mountPath: /var/run/secrets/kubernetes.io/serviceaccount 155 | name: kong-serviceaccount-token 156 | readOnly: true 157 | serviceAccountName: kong-serviceaccount 158 | volumes: 159 | - name: kong-serviceaccount-token 160 | secret: 161 | items: 162 | - key: token 163 | path: token 164 | - key: ca.crt 165 | path: ca.crt 166 | - key: namespace 167 | path: namespace 168 | secretName: kong-serviceaccount-token 169 | 170 | --- 171 | 172 | apiVersion: v1 173 | kind: Service 174 | metadata: 175 | name: ingress-kong-svc 176 | namespace: kong 177 | spec: 178 | ports: 179 | - name: proxy 180 | port: 80 181 | protocol: TCP 182 | targetPort: 8000 183 | - name: proxy-ssl 184 | port: 443 185 | protocol: TCP 186 | targetPort: 8443 187 | 
selector: 188 | app: ingress-kong-dep 189 | type: NodePort 190 | 191 | --- 192 | 193 | -------------------------------------------------------------------------------- /kong/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-07 2 | # 3 | # kubectl apply -k . 4 | # kubectl delete -k . 5 | 6 | resources: 7 | - ngx-deploy.yml 8 | - ingress.yml 9 | - kic.yml 10 | 11 | -------------------------------------------------------------------------------- /kong/ngx-deploy.yml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-07 2 | 3 | # kubectl apply -f ngx-deploy.yml 4 | 5 | --- 6 | 7 | # this cm will be mounted to /etc/nginx/conf.d 8 | apiVersion: v1 9 | kind: ConfigMap 10 | metadata: 11 | name: ngx-conf 12 | 13 | data: 14 | default.conf: | 15 | server { 16 | listen 80; 17 | location / { 18 | default_type text/plain; 19 | return 200 20 | 'srv : $server_addr:$server_port\nhost: $hostname\nuri : $request_method $host $request_uri\n'; 21 | } 22 | } 23 | 24 | --- 25 | 26 | apiVersion: apps/v1 27 | kind: Deployment 28 | metadata: 29 | name: ngx-dep 30 | labels: 31 | app: ngx-dep 32 | 33 | spec: 34 | replicas: 2 35 | selector: 36 | matchLabels: 37 | app: ngx-dep 38 | 39 | template: 40 | metadata: 41 | labels: 42 | app: ngx-dep 43 | spec: 44 | volumes: 45 | - name: ngx-conf-vol 46 | configMap: 47 | name: ngx-conf 48 | 49 | containers: 50 | - image: nginx:alpine 51 | name: nginx 52 | ports: 53 | - containerPort: 80 54 | 55 | volumeMounts: 56 | - mountPath: /etc/nginx/conf.d 57 | name: ngx-conf-vol 58 | 59 | --- 60 | 61 | apiVersion: v1 62 | kind: Service 63 | metadata: 64 | name: ngx-svc 65 | 66 | spec: 67 | selector: 68 | app: ngx-dep 69 | 70 | ports: 71 | - port: 80 72 | protocol: TCP 73 | targetPort: 80 74 | 75 | --- 76 | 77 | -------------------------------------------------------------------------------- /kong/setup.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # https://github.com/Kong/kubernetes-ingress-controller 4 | 5 | #wget https://github.com/Kong/kubernetes-ingress-controller/archive/refs/tags/v2.7.0.tar.gz 6 | 7 | kubectl apply -f all-in-one-dbless.yaml 8 | 9 | kubectl get ns 10 | kubectl get pod -n kong 11 | 12 | kubectl exec -it -n kong ingress-kong-7c4bd5dc74-vgg9n -- sh 13 | wget -O- 127.1:8100/status 14 | 15 | # nodeport svc 16 | curl 192.168.10.210:30777 -I 17 | curl 192.168.10.210:30777 |jq 18 | 19 | # replace 30612 to real nodeport 20 | curl $(minikube ip):30777 -H 'host: kong.test' -i 21 | curl $(minikube ip):30777 -H 'host: kong.dev' -i 22 | curl $(minikube ip):30777 -H 'host: kong.ops' -i 23 | 24 | # port-forward 25 | kubectl port-forward -n kong ingress-kong-dep-dc785bd49-2f7dw 8000 & 26 | 27 | curl --resolve kong.dev:8000:127.0.0.1 kong.dev:8000 -v 28 | curl --resolve kong.ops:8000:127.0.0.1 kong.ops:8000 -v 29 | -------------------------------------------------------------------------------- /metrics/components.yaml: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-06 2 | # 3 | # https://github.com/kubernetes-sigs/metrics-server 4 | # wget https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml 5 | # 6 | # add args: 7 | # - --kubelet-insecure-tls 8 | # 9 | # kubectl apply -f components.yaml 10 | # kubectl get pod -n kube-system 11 | 12 | apiVersion: v1 13 | kind: ServiceAccount 14 | metadata: 15 | labels: 16 | k8s-app: metrics-server 17 | name: metrics-server 18 | namespace: kube-system 19 | --- 20 | apiVersion: rbac.authorization.k8s.io/v1 21 | kind: ClusterRole 22 | metadata: 23 | labels: 24 | k8s-app: metrics-server 25 | rbac.authorization.k8s.io/aggregate-to-admin: "true" 26 | rbac.authorization.k8s.io/aggregate-to-edit: "true" 27 | rbac.authorization.k8s.io/aggregate-to-view: "true" 28 | name: 
system:aggregated-metrics-reader 29 | rules: 30 | - apiGroups: 31 | - metrics.k8s.io 32 | resources: 33 | - pods 34 | - nodes 35 | verbs: 36 | - get 37 | - list 38 | - watch 39 | --- 40 | apiVersion: rbac.authorization.k8s.io/v1 41 | kind: ClusterRole 42 | metadata: 43 | labels: 44 | k8s-app: metrics-server 45 | name: system:metrics-server 46 | rules: 47 | - apiGroups: 48 | - "" 49 | resources: 50 | - nodes/metrics 51 | verbs: 52 | - get 53 | - apiGroups: 54 | - "" 55 | resources: 56 | - pods 57 | - nodes 58 | verbs: 59 | - get 60 | - list 61 | - watch 62 | --- 63 | apiVersion: rbac.authorization.k8s.io/v1 64 | kind: RoleBinding 65 | metadata: 66 | labels: 67 | k8s-app: metrics-server 68 | name: metrics-server-auth-reader 69 | namespace: kube-system 70 | roleRef: 71 | apiGroup: rbac.authorization.k8s.io 72 | kind: Role 73 | name: extension-apiserver-authentication-reader 74 | subjects: 75 | - kind: ServiceAccount 76 | name: metrics-server 77 | namespace: kube-system 78 | --- 79 | apiVersion: rbac.authorization.k8s.io/v1 80 | kind: ClusterRoleBinding 81 | metadata: 82 | labels: 83 | k8s-app: metrics-server 84 | name: metrics-server:system:auth-delegator 85 | roleRef: 86 | apiGroup: rbac.authorization.k8s.io 87 | kind: ClusterRole 88 | name: system:auth-delegator 89 | subjects: 90 | - kind: ServiceAccount 91 | name: metrics-server 92 | namespace: kube-system 93 | --- 94 | apiVersion: rbac.authorization.k8s.io/v1 95 | kind: ClusterRoleBinding 96 | metadata: 97 | labels: 98 | k8s-app: metrics-server 99 | name: system:metrics-server 100 | roleRef: 101 | apiGroup: rbac.authorization.k8s.io 102 | kind: ClusterRole 103 | name: system:metrics-server 104 | subjects: 105 | - kind: ServiceAccount 106 | name: metrics-server 107 | namespace: kube-system 108 | --- 109 | apiVersion: v1 110 | kind: Service 111 | metadata: 112 | labels: 113 | k8s-app: metrics-server 114 | name: metrics-server 115 | namespace: kube-system 116 | spec: 117 | ports: 118 | - name: https 119 | port: 443 
120 | protocol: TCP 121 | targetPort: https 122 | selector: 123 | k8s-app: metrics-server 124 | --- 125 | apiVersion: apps/v1 126 | kind: Deployment 127 | metadata: 128 | labels: 129 | k8s-app: metrics-server 130 | name: metrics-server 131 | namespace: kube-system 132 | spec: 133 | selector: 134 | matchLabels: 135 | k8s-app: metrics-server 136 | strategy: 137 | rollingUpdate: 138 | maxUnavailable: 0 139 | template: 140 | metadata: 141 | labels: 142 | k8s-app: metrics-server 143 | spec: 144 | containers: 145 | - args: 146 | - --kubelet-insecure-tls # access to kubelet 147 | - --cert-dir=/tmp 148 | - --secure-port=4443 149 | - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname 150 | - --kubelet-use-node-status-port 151 | - --metric-resolution=15s 152 | 153 | image: k8s.gcr.io/metrics-server/metrics-server:v0.6.1 154 | imagePullPolicy: IfNotPresent 155 | livenessProbe: 156 | failureThreshold: 3 157 | httpGet: 158 | path: /livez 159 | port: https 160 | scheme: HTTPS 161 | periodSeconds: 10 162 | name: metrics-server 163 | ports: 164 | - containerPort: 4443 165 | name: https 166 | protocol: TCP 167 | readinessProbe: 168 | failureThreshold: 3 169 | httpGet: 170 | path: /readyz 171 | port: https 172 | scheme: HTTPS 173 | initialDelaySeconds: 20 174 | periodSeconds: 10 175 | resources: 176 | requests: 177 | cpu: 100m 178 | memory: 200Mi 179 | securityContext: 180 | allowPrivilegeEscalation: false 181 | readOnlyRootFilesystem: true 182 | runAsNonRoot: true 183 | runAsUser: 1000 184 | volumeMounts: 185 | - mountPath: /tmp 186 | name: tmp-dir 187 | nodeSelector: 188 | kubernetes.io/os: linux 189 | priorityClassName: system-cluster-critical 190 | serviceAccountName: metrics-server 191 | volumes: 192 | - emptyDir: {} 193 | name: tmp-dir 194 | --- 195 | apiVersion: apiregistration.k8s.io/v1 196 | kind: APIService 197 | metadata: 198 | labels: 199 | k8s-app: metrics-server 200 | name: v1beta1.metrics.k8s.io 201 | spec: 202 | group: metrics.k8s.io 203 | 
groupPriorityMinimum: 100 204 | insecureSkipTLSVerify: true 205 | service: 206 | name: metrics-server 207 | namespace: kube-system 208 | version: v1beta1 209 | versionPriority: 100 210 | -------------------------------------------------------------------------------- /metrics/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | 4 | # https://github.com/kubernetes-sigs/metrics-server 5 | # wget https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml 6 | # sed '/args:/a\ - --kubelet-insecure-tls' components.yaml 7 | 8 | # download and change yaml 9 | # wget -O- https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml \ 10 | # | sed '/args:/a\ - --kubelet-insecure-tls' - > components.yaml 11 | 12 | # use ali registry to speed up 13 | repo=registry.aliyuncs.com/google_containers 14 | 15 | name=k8s.gcr.io/metrics-server/metrics-server:v0.6.1 16 | 17 | # remove prefix 18 | #src_name=${name#k8s.gcr.io/} 19 | #src_name=${name#metrics-server/} 20 | src_name=metrics-server:v0.6.1 21 | 22 | docker pull $repo/$src_name 23 | 24 | # rename to fit k8s 25 | docker tag $repo/$src_name $name 26 | docker rmi $repo/$src_name 27 | 28 | # add args: - --kubelet-insecure-tls 29 | kubectl apply -f components.yaml 30 | -------------------------------------------------------------------------------- /nfs/class.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | kind: StorageClass 3 | metadata: 4 | name: nfs-client 5 | provisioner: k8s-sigs.io/nfs-subdir-external-provisioner # or choose another name, must match deployment's env PROVISIONER_NAME' 6 | parameters: 7 | archiveOnDelete: "false" 8 | -------------------------------------------------------------------------------- /nfs/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: nfs-client-provisioner 5 | labels: 6 | app: nfs-client-provisioner 7 | # replace with namespace where provisioner is deployed 8 | namespace: default 9 | spec: 10 | replicas: 1 11 | strategy: 12 | type: Recreate 13 | selector: 14 | matchLabels: 15 | app: nfs-client-provisioner 16 | template: 17 | metadata: 18 | labels: 19 | app: nfs-client-provisioner 20 | spec: 21 | serviceAccountName: nfs-client-provisioner 22 | containers: 23 | - name: nfs-client-provisioner 24 | image: k8s.gcr.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2 25 | volumeMounts: 26 | - name: nfs-client-root 27 | mountPath: /persistentvolumes 28 | env: 29 | - name: PROVISIONER_NAME 30 | value: k8s-sigs.io/nfs-subdir-external-provisioner 31 | - name: NFS_SERVER 32 | value: 10.3.243.101 33 | - name: NFS_PATH 34 | value: /ifs/kubernetes 35 | volumes: 36 | - name: nfs-client-root 37 | nfs: 38 | server: 10.3.243.101 39 | path: /ifs/kubernetes 40 | -------------------------------------------------------------------------------- /nfs/nfs-client.sh: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | 3 | # client 4 | sudo apt -y install nfs-common 5 | 6 | # check nfs 7 | showmount -e 192.168.10.208 8 | 9 | # mount test 10 | mkdir -p /tmp/test 11 | sudo mount -t nfs 192.168.10.208:/tmp/nfs /tmp/test 12 | 13 | # umount 14 | #sudo umount /tmp/test 15 | -------------------------------------------------------------------------------- /nfs/nfs-server.sh: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | 3 | # server 4 | sudo apt -y install nfs-kernel-server 5 | 6 | # nfs dir 7 | mkdir -p /tmp/nfs 8 | 9 | # config 10 | cat << EOF | sudo tee -a /etc/exports 11 | /tmp/nfs 192.168.10.0/24(rw,sync,no_subtree_check,no_root_squash,insecure) 12 | EOF 13 | 14 | # start 15 | sudo exportfs -ra 16 | sudo exportfs -v 17 | 18 | #sudo systemctl start rpcbind 
19 | #sudo systemctl enable rpcbind 20 | #sudo systemctl status rpcbind 21 | 22 | # start svc 23 | sudo systemctl start nfs-server 24 | sudo systemctl enable nfs-server 25 | sudo systemctl status nfs-server 26 | 27 | # check 28 | showmount -e 127.0.0.1 29 | -------------------------------------------------------------------------------- /nfs/rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: nfs-client-provisioner 5 | # replace with namespace where provisioner is deployed 6 | namespace: default 7 | --- 8 | kind: ClusterRole 9 | apiVersion: rbac.authorization.k8s.io/v1 10 | metadata: 11 | name: nfs-client-provisioner-runner 12 | rules: 13 | - apiGroups: [""] 14 | resources: ["nodes"] 15 | verbs: ["get", "list", "watch"] 16 | - apiGroups: [""] 17 | resources: ["persistentvolumes"] 18 | verbs: ["get", "list", "watch", "create", "delete"] 19 | - apiGroups: [""] 20 | resources: ["persistentvolumeclaims"] 21 | verbs: ["get", "list", "watch", "update"] 22 | - apiGroups: ["storage.k8s.io"] 23 | resources: ["storageclasses"] 24 | verbs: ["get", "list", "watch"] 25 | - apiGroups: [""] 26 | resources: ["events"] 27 | verbs: ["create", "update", "patch"] 28 | --- 29 | kind: ClusterRoleBinding 30 | apiVersion: rbac.authorization.k8s.io/v1 31 | metadata: 32 | name: run-nfs-client-provisioner 33 | subjects: 34 | - kind: ServiceAccount 35 | name: nfs-client-provisioner 36 | # replace with namespace where provisioner is deployed 37 | namespace: default 38 | roleRef: 39 | kind: ClusterRole 40 | name: nfs-client-provisioner-runner 41 | apiGroup: rbac.authorization.k8s.io 42 | --- 43 | kind: Role 44 | apiVersion: rbac.authorization.k8s.io/v1 45 | metadata: 46 | name: leader-locking-nfs-client-provisioner 47 | # replace with namespace where provisioner is deployed 48 | namespace: default 49 | rules: 50 | - apiGroups: [""] 51 | resources: ["endpoints"] 52 | verbs: ["get", "list", 
"watch", "create", "update", "patch"] 53 | --- 54 | kind: RoleBinding 55 | apiVersion: rbac.authorization.k8s.io/v1 56 | metadata: 57 | name: leader-locking-nfs-client-provisioner 58 | # replace with namespace where provisioner is deployed 59 | namespace: default 60 | subjects: 61 | - kind: ServiceAccount 62 | name: nfs-client-provisioner 63 | # replace with namespace where provisioner is deployed 64 | namespace: default 65 | roleRef: 66 | kind: Role 67 | name: leader-locking-nfs-client-provisioner 68 | apiGroup: rbac.authorization.k8s.io 69 | -------------------------------------------------------------------------------- /nfs/setup.sh: -------------------------------------------------------------------------------- 1 | # chrono @ 2022-05 2 | 3 | # https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner 4 | 5 | # docker pull k8s.gcr.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2 6 | # docker pull chronolaw/nfs-subdir-external-provisioner:v4.0.2 7 | 8 | #kubecal apply -f rbac.yaml 9 | #kubecal apply -f class.yaml 10 | #kubecal apply -f deployment.yaml 11 | 12 | # change namespace 13 | # default => kube-system 14 | sed 's/default/kube-system/g' rbac.yaml | \ 15 | kubectl apply -f - 16 | 17 | kubectl apply -f class.yaml 18 | 19 | # change: namespace/image/NFS_SERVER/NFS_PATH 20 | # default => kube-system 21 | # k8s.gcr.io/sig-storage => chronolaw 22 | # 10.3.243.101 => 192.168.10.208 23 | # /ifs/kubernetes => /tmp/nfs 24 | sed 's/default/kube-system/g' deployment.yaml | \ 25 | sed 's/k8s.gcr.io\/sig-storage/chronolaw/g' | \ 26 | sed 's/10.3.243.101/192.168.10.208/g' | \ 27 | sed 's/\/ifs\/kubernetes/\/tmp\/nfs/g' | \ 28 | kubectl apply -f - 29 | 30 | -------------------------------------------------------------------------------- /prom/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # https://github.com/prometheus-operator/kube-prometheus/ 4 | 5 | wget 
https://github.com/prometheus-operator/kube-prometheus/archive/refs/tags/v0.11.0.tar.gz 6 | tar xfz v0.11.0.tar.gz 7 | 8 | cd kube-prometheus-0.11.0/manifests 9 | 10 | # use NodePort Service 11 | sed '/spec/a\ type: NodePort' -i grafana-service.yaml 12 | sed '/spec/a\ type: NodePort' -i prometheus-service.yaml 13 | sed 's/k8s.gcr.io\/kube-state-metrics/chronolaw/' -i kubeStateMetrics-deployment.yaml 14 | sed 's/k8s.gcr.io\/prometheus-adapter/chronolaw/' -i prometheusAdapter-deployment.yaml 15 | 16 | # in kube-prometheus-0.11.0 17 | cd .. 18 | 19 | kubectl create -f manifests/setup 20 | 21 | kubectl get pod -n monitoring 22 | 23 | # waiting 24 | 25 | #kubectl create -f manifests 26 | #kubectl get deploy -n monitoring 27 | 28 | --------------------------------------------------------------------------------