├── README.md └── docs ├── chap01 ├── 1.4.md └── 1.5.md ├── chap02 ├── 2.6.md ├── 2.7.md └── 2.9.md ├── chap04 └── 4.6.md ├── chap05 ├── 5.1.md └── 5.2-5.5.md ├── chap06 ├── 6.2.md └── 6.3.md ├── chap07 ├── 7.2.md ├── 7.3.md ├── 7.6.md └── 7.7.md ├── chap08 ├── 8.1-8.5.md ├── 8.6.md ├── 8.7.md ├── 8.8.md ├── 8.9.md ├── ceph-csi-cephfs │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── csidriver-crd.yaml │ │ ├── csiplugin-configmap.yaml │ │ ├── nodeplugin-clusterrole.yaml │ │ ├── nodeplugin-clusterrolebinding.yaml │ │ ├── nodeplugin-daemonset.yaml │ │ ├── nodeplugin-http-service.yaml │ │ ├── nodeplugin-psp.yaml │ │ ├── nodeplugin-role.yaml │ │ ├── nodeplugin-rolebinding.yaml │ │ ├── nodeplugin-rules-clusterrole.yaml │ │ ├── nodeplugin-serviceaccount.yaml │ │ ├── provisioner-clusterrole.yaml │ │ ├── provisioner-clusterrolebinding.yaml │ │ ├── provisioner-deployment.yaml │ │ ├── provisioner-http-service.yaml │ │ ├── provisioner-psp.yaml │ │ ├── provisioner-role.yaml │ │ ├── provisioner-rolebinding.yaml │ │ ├── provisioner-rules-clusterrole.yaml │ │ └── provisioner-serviceaccount.yaml │ └── values.yaml └── ceph-csi-rbd │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── csidriver-crd.yaml │ ├── csiplugin-configmap.yaml │ ├── encryptionkms-configmap.yaml │ ├── nodeplugin-clusterrole.yaml │ ├── nodeplugin-clusterrolebinding.yaml │ ├── nodeplugin-daemonset.yaml │ ├── nodeplugin-http-service.yaml │ ├── nodeplugin-psp.yaml │ ├── nodeplugin-role.yaml │ ├── nodeplugin-rolebinding.yaml │ ├── nodeplugin-rules-clusterrole.yaml │ ├── nodeplugin-serviceaccount.yaml │ ├── provisioner-clusterrole.yaml │ ├── provisioner-clusterrolebinding.yaml │ ├── provisioner-deployment.yaml │ ├── provisioner-http-service.yaml │ ├── provisioner-psp.yaml │ ├── provisioner-role.yaml │ ├── provisioner-rolebinding.yaml │ ├── provisioner-rules-clusterrole.yaml │ └── 
provisioner-serviceaccount.yaml │ └── values.yaml ├── chap09 ├── 9.1.md └── 9.5.md ├── chap10 ├── 10.1.md ├── 10.2.md └── 10.3.md ├── chap11 ├── 11.1.md └── 11.2.md ├── chap12 ├── 12.5.md ├── 12.8.md └── 12.9.md ├── chap15 └── 15.3.md ├── chap16 ├── 16.10.md ├── 16.11.md ├── 16.2.md ├── 16.3.md ├── 16.4.md ├── 16.6.md ├── 16.7.md ├── 16.8.md └── 16.9.md ├── chap17 ├── 17.10.md ├── 17.6 ├── 17.6.md ├── 17.7.md └── 17.8.md └── chap18 ├── 18.5.md └── 18.6.md /README.md: -------------------------------------------------------------------------------- 1 | ## 云原生K8s全栈架构师实战文档 2 | 3 | ## K8s技术QQ交流群:612388919 4 | ## 作者QQ:727585266 5 | 6 | ## 书籍配套视频: 7 | 8 | **提供免费更新、免费技术问答、免费岗位推荐、受益终身【平均月薪25K】** 9 | 10 | 腾讯: 11 | K8s全栈架构师:https://ke.qq.com/course/2738602 12 | K8s管理员认证CKA:https://ke.qq.com/course/3382340?tuin=2b5e11f2 13 | K8s安全专家CKS:https://ke.qq.com/course/4161957?tuin=2b5e11f2 14 | CKA+架构师:https://ke.qq.com/course/package/38982?tuin=2b5e11f2 15 | 超级套购:https://ke.qq.com/course/package/41755?tuin=2b5e11f2 16 | 51CTO: 17 | 全栈架构师:https://edu.51cto.com/course/23845.html 18 | K8s管理员认证CKA:https://edu.51cto.com/course/27103.html 19 | K8s安全专家CKS:https://edu.51cto.com/course/29792.html 20 | CKA+架构师:https://edu.51cto.com/topic/4973.html 21 | 超级套购:https://edu.51cto.com/topic/5174.html 22 | 23 | 24 | # 勘误 25 | ### 非常抱歉给大家带来的不便,书中的错误更正如下: 26 | 1. 182页 9.3.2小节 第一个`kubectl run nginx-server`命令改为`kubectl create deployment nginx-server`,错误原因:由于版本问题,`kubectl run`变为了创建Pod,创建Deployment需要用`kubectl create deployment`。 27 | 2. 77页 28 | ```` 29 | successThreshold: 1 # 表示检查成功1次表示就绪 30 | failureThreshold: 2 # 检测失败2次表示未就绪 31 | ```` 32 | 3. 71页 Node节点描述的Docker Engine: 负责对容器的管理,写成了负载对容器的管理 33 | 4. 14页 1.5集群初始化小节上面一行:`如果ping不通且telnet没有出现`,应该为`如果ping不通或telnet没有出现"]"` 34 | 5. 第5页和第27页的`git clone https://gitee.com/dukuan/k8s-ha-install.git`,应该为:`git clone https://gitee.com/dukuan/k8s-ha-install.git; git checkout manual-installation-v1.22.x` 35 | 6. 
第35页、36页、37页、41页的`如果不是高可用集群,把Master的地址改为10.0.0.236:16443,把APIServer的端口改为16443,默认是6443`表述错误,正确应该为:`如果不是高可用集群,修改--server=https://10.0.0.236:16443为--server=https://Master节点的IP:6443即可` 36 | -------------------------------------------------------------------------------- /docs/chap01/1.4.md: -------------------------------------------------------------------------------- 1 | **vim /etc/haproxy/haproxy.cfg** 2 | 3 | ````bash 4 | global 5 | maxconn 2000 6 | ulimit-n 16384 7 | log 127.0.0.1 local0 err 8 | stats timeout 30s 9 | 10 | defaults 11 | log global 12 | mode http 13 | option httplog 14 | timeout connect 5000 15 | timeout client 50000 16 | timeout server 50000 17 | timeout http-request 15s 18 | timeout http-keep-alive 15s 19 | 20 | frontend monitor-in 21 | bind *:33305 22 | mode http 23 | option httplog 24 | monitor-uri /monitor 25 | 26 | frontend k8s-master 27 | bind 0.0.0.0:16443 # 监听的端口 28 | bind 127.0.0.1:16443 29 | mode tcp 30 | option tcplog 31 | tcp-request inspect-delay 5s 32 | default_backend k8s-master 33 | 34 | backend k8s-master 35 | mode tcp 36 | option tcplog 37 | option tcp-check 38 | balance roundrobin 39 | default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100 40 | server k8s-master01 192.168.236.201:6443 check # 配置后端服务器地址 41 | server k8s-master02 192.168.236.202:6443 check 42 | server k8s-master03 192.168.236.203:6443 check 43 | ```` 44 | 45 | **Master01:** 46 | 47 | **vim /etc/keepalived/keepalived.conf** 48 | 49 | ````bash 50 | ! 
Configuration File for keepalived 51 | global_defs { 52 | router_id LVS_DEVEL 53 | script_user root 54 | enable_script_security 55 | } 56 | vrrp_script chk_apiserver { 57 | script "/etc/keepalived/check_apiserver.sh" 58 | interval 5 59 | weight -5 60 | fall 2 61 | rise 1 62 | } 63 | vrrp_instance VI_1 { 64 | state MASTER 65 | interface ens33 # 本机网卡名称 66 | mcast_src_ip 192.168.236.201 # 本机IP地址 67 | virtual_router_id 51 68 | priority 101 69 | advert_int 2 70 | authentication { 71 | auth_type PASS 72 | auth_pass K8SHA_KA_AUTH 73 | } 74 | virtual_ipaddress { 75 | 192.168.236.236 # VIP地址,需要是宿主机同网段且不存在的IP地址 76 | } 77 | track_script { 78 | chk_apiserver 79 | } 80 | } 81 | ```` 82 | 83 | **Master02:** 84 | 85 | **vim /etc/keepalived/keepalived.conf** 86 | 87 | ```` 88 | ! Configuration File for keepalived 89 | global_defs { 90 | router_id LVS_DEVEL 91 | script_user root 92 | enable_script_security 93 | } 94 | vrrp_script chk_apiserver { 95 | script "/etc/keepalived/check_apiserver.sh" 96 | interval 5 97 | weight -5 98 | fall 2 99 | rise 1 100 | } 101 | vrrp_instance VI_1 { 102 | state BACKUP 103 | interface ens33 104 | mcast_src_ip 192.168.236.202 105 | virtual_router_id 51 106 | priority 100 107 | advert_int 2 108 | authentication { 109 | auth_type PASS 110 | auth_pass K8SHA_KA_AUTH 111 | } 112 | virtual_ipaddress { 113 | 192.168.236.236 114 | } 115 | track_script { 116 | chk_apiserver 117 | } 118 | } 119 | ```` 120 | 121 | **Master03:** 122 | 123 | **vim /etc/keepalived/keepalived.conf** 124 | 125 | ```` 126 | ! 
Configuration File for keepalived 127 | global_defs { 128 | router_id LVS_DEVEL 129 | script_user root 130 | enable_script_security 131 | } 132 | vrrp_script chk_apiserver { 133 | script "/etc/keepalived/check_apiserver.sh" 134 | interval 5 135 | weight -5 136 | fall 2 137 | rise 1 138 | } 139 | vrrp_instance VI_1 { 140 | state BACKUP 141 | interface ens33 142 | mcast_src_ip 192.168.236.203 143 | virtual_router_id 51 144 | priority 100 145 | advert_int 2 146 | authentication { 147 | auth_type PASS 148 | auth_pass K8SHA_KA_AUTH 149 | } 150 | virtual_ipaddress { 151 | 192.168.236.236 152 | } 153 | track_script { 154 | chk_apiserver 155 | } 156 | } 157 | ```` 158 | 159 | **check_apiserver.sh** 160 | 161 | ```` 162 | #!/bin/bash 163 | 164 | err=0 165 | for k in $(seq 1 3) 166 | do 167 | check_code=$(pgrep haproxy) 168 | if [[ $check_code == "" ]]; then 169 | err=$(expr $err + 1) 170 | sleep 1 171 | continue 172 | else 173 | err=0 174 | break 175 | fi 176 | done 177 | 178 | if [[ $err != "0" ]]; then 179 | echo "systemctl stop keepalived" 180 | /usr/bin/systemctl stop keepalived 181 | exit 1 182 | else 183 | exit 0 184 | fi 185 | ```` 186 | 187 | -------------------------------------------------------------------------------- /docs/chap01/1.5.md: -------------------------------------------------------------------------------- 1 | **vim kubeadm-config.yaml** 2 | 3 | ```` 4 | apiVersion: kubeadm.k8s.io/v1beta3 5 | bootstrapTokens: 6 | - groups: 7 | - system:bootstrappers:kubeadm:default-node-token 8 | token: 7t2weq.bjbawausm0jaxury 9 | ttl: 24h0m0s 10 | usages: 11 | - signing 12 | - authentication 13 | kind: InitConfiguration 14 | localAPIEndpoint: 15 | advertiseAddress: 192.168.236.201 16 | bindPort: 6443 17 | nodeRegistration: 18 | # criSocket: /var/run/dockershim.sock # 如果是Docker作为Runtime配置此项 19 | criSocket: /run/containerd/containerd.sock # 如果是Containerd作为Runtime配置此项 20 | name: k8s-master01 21 | taints: 22 | - effect: NoSchedule 23 | key: 
node-role.kubernetes.io/master 24 | --- 25 | apiServer: 26 | certSANs: 27 | - 192.168.236.236 28 | timeoutForControlPlane: 4m0s 29 | apiVersion: kubeadm.k8s.io/v1beta2 30 | certificatesDir: /etc/kubernetes/pki 31 | clusterName: kubernetes 32 | controlPlaneEndpoint: 192.168.236.236:16443 33 | controllerManager: {} 34 | dns: 35 | type: CoreDNS 36 | etcd: 37 | local: 38 | dataDir: /var/lib/etcd 39 | imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers 40 | kind: ClusterConfiguration 41 | kubernetesVersion: v1.22.0 # 更改此处的版本号和kubeadm version一致 42 | networking: 43 | dnsDomain: cluster.local 44 | podSubnet: 172.16.0.0/12 45 | serviceSubnet: 192.168.0.0/16 46 | scheduler: {} 47 | ```` 48 | 49 | -------------------------------------------------------------------------------- /docs/chap02/2.6.md: -------------------------------------------------------------------------------- 1 | **vim /etc/etcd/etcd.config.yml** 2 | 3 | **自行更改相关配置** 4 | 5 | ```` 6 | name: 'k8s-master01' 7 | data-dir: /var/lib/etcd 8 | wal-dir: /var/lib/etcd/wal 9 | snapshot-count: 5000 10 | heartbeat-interval: 100 11 | election-timeout: 1000 12 | quota-backend-bytes: 0 13 | listen-peer-urls: 'https://192.168.236.201:2380' 14 | listen-client-urls: 'https://192.168.236.201:2379,http://127.0.0.1:2379' 15 | max-snapshots: 3 16 | max-wals: 5 17 | cors: 18 | initial-advertise-peer-urls: 'https://192.168.236.201:2380' 19 | advertise-client-urls: 'https://192.168.236.201:2379' 20 | discovery: 21 | discovery-fallback: 'proxy' 22 | discovery-proxy: 23 | discovery-srv: 24 | initial-cluster: 'k8s-master01=https://192.168.236.201:2380,k8s-master02=https://192.168.236.202:2380,k8s-master03=https://192.168.236.203:2380' 25 | initial-cluster-token: 'etcd-k8s-cluster' 26 | initial-cluster-state: 'new' 27 | strict-reconfig-check: false 28 | enable-v2: true 29 | enable-pprof: true 30 | proxy: 'off' 31 | proxy-failure-wait: 5000 32 | proxy-refresh-interval: 30000 33 | proxy-dial-timeout: 1000 34 | 
proxy-write-timeout: 5000 35 | proxy-read-timeout: 0 36 | client-transport-security: 37 | cert-file: '/etc/kubernetes/pki/etcd/etcd.pem' 38 | key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem' 39 | client-cert-auth: true 40 | trusted-ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem' 41 | auto-tls: true 42 | peer-transport-security: 43 | cert-file: '/etc/kubernetes/pki/etcd/etcd.pem' 44 | key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem' 45 | peer-client-cert-auth: true 46 | trusted-ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem' 47 | auto-tls: true 48 | debug: false 49 | log-package-levels: 50 | log-outputs: [default] 51 | force-new-cluster: false 52 | ```` 53 | 54 | **vim /usr/lib/systemd/system/etcd.service** 55 | 56 | ```` 57 | [Unit] 58 | Description=Etcd Service 59 | Documentation=https://coreos.com/etcd/docs/latest/ 60 | After=network.target 61 | 62 | [Service] 63 | Type=notify 64 | ExecStart=/usr/local/bin/etcd --config-file=/etc/etcd/etcd.config.yml 65 | Restart=on-failure 66 | RestartSec=10 67 | LimitNOFILE=65536 68 | 69 | [Install] 70 | WantedBy=multi-user.target 71 | Alias=etcd3.service 72 | ```` 73 | 74 | -------------------------------------------------------------------------------- /docs/chap02/2.7.md: -------------------------------------------------------------------------------- 1 | **vim /usr/lib/systemd/system/kube-apiserver.service** 2 | 3 | **配置自行更改** 4 | 5 | ```` 6 | [Unit] 7 | Description=Kubernetes API Server 8 | Documentation=https://github.com/kubernetes/kubernetes 9 | After=network.target 10 | 11 | [Service] 12 | ExecStart=/usr/local/bin/kube-apiserver \ 13 | --v=2 \ 14 | --logtostderr=true \ 15 | --allow-privileged=true \ 16 | --bind-address=0.0.0.0 \ 17 | --secure-port=6443 \ 18 | --insecure-port=0 \ 19 | --advertise-address=192.168.236.201 \ 20 | --service-cluster-ip-range=192.168.0.0/16 \ 21 | --service-node-port-range=30000-32767 \ 22 | 
--etcd-servers=https://192.168.236.201:2379,https://192.168.236.202:2379,https://192.168.236.203:2379 \ 23 | --etcd-cafile=/etc/etcd/ssl/etcd-ca.pem \ 24 | --etcd-certfile=/etc/etcd/ssl/etcd.pem \ 25 | --etcd-keyfile=/etc/etcd/ssl/etcd-key.pem \ 26 | --client-ca-file=/etc/kubernetes/pki/ca.pem \ 27 | --tls-cert-file=/etc/kubernetes/pki/apiserver.pem \ 28 | --tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem \ 29 | --kubelet-client-certificate=/etc/kubernetes/pki/apiserver.pem \ 30 | --kubelet-client-key=/etc/kubernetes/pki/apiserver-key.pem \ 31 | --service-account-key-file=/etc/kubernetes/pki/sa.pub \ 32 | --service-account-signing-key-file=/etc/kubernetes/pki/sa.key \ 33 | --service-account-issuer=https://kubernetes.default.svc.cluster.local \ 34 | --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \ 35 | --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota \ 36 | --authorization-mode=Node,RBAC \ 37 | --enable-bootstrap-token-auth=true \ 38 | --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.pem \ 39 | --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.pem \ 40 | --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client-key.pem \ 41 | --requestheader-allowed-names=aggregator \ 42 | --requestheader-group-headers=X-Remote-Group \ 43 | --requestheader-extra-headers-prefix=X-Remote-Extra- \ 44 | --requestheader-username-headers=X-Remote-User 45 | # --token-auth-file=/etc/kubernetes/token.csv 46 | 47 | Restart=on-failure 48 | RestartSec=10s 49 | LimitNOFILE=65535 50 | 51 | [Install] 52 | WantedBy=multi-user.target 53 | 54 | ```` 55 | 56 | **vim /usr/lib/systemd/system/kube-controller-manager.service** 57 | 58 | **配置自行更改** 59 | 60 | ```` 61 | [Unit] 62 | Description=Kubernetes Controller Manager 63 | Documentation=https://github.com/kubernetes/kubernetes 64 | After=network.target 65 | 66 | [Service] 67 | 
ExecStart=/usr/local/bin/kube-controller-manager \ 68 | --v=2 \ 69 | --logtostderr=true \ 70 | --address=127.0.0.1 \ 71 | --root-ca-file=/etc/kubernetes/pki/ca.pem \ 72 | --cluster-signing-cert-file=/etc/kubernetes/pki/ca.pem \ 73 | --cluster-signing-key-file=/etc/kubernetes/pki/ca-key.pem \ 74 | --service-account-private-key-file=/etc/kubernetes/pki/sa.key \ 75 | --kubeconfig=/etc/kubernetes/controller-manager.kubeconfig \ 76 | --leader-elect=true \ 77 | --use-service-account-credentials=true \ 78 | --node-monitor-grace-period=40s \ 79 | --node-monitor-period=5s \ 80 | --pod-eviction-timeout=2m0s \ 81 | --controllers=*,bootstrapsigner,tokencleaner \ 82 | --allocate-node-cidrs=true \ 83 | --cluster-cidr=172.16.0.0/12 \ 84 | --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.pem \ 85 | --node-cidr-mask-size=24 86 | 87 | Restart=always 88 | RestartSec=10s 89 | 90 | [Install] 91 | WantedBy=multi-user.target 92 | ```` 93 | 94 | **vim /usr/lib/systemd/system/kube-scheduler.service** 95 | 96 | ```` 97 | [Unit] 98 | Description=Kubernetes Scheduler 99 | Documentation=https://github.com/kubernetes/kubernetes 100 | After=network.target 101 | 102 | [Service] 103 | ExecStart=/usr/local/bin/kube-scheduler \ 104 | --v=2 \ 105 | --logtostderr=true \ 106 | --address=127.0.0.1 \ 107 | --leader-elect=true \ 108 | --kubeconfig=/etc/kubernetes/scheduler.kubeconfig 109 | 110 | Restart=always 111 | RestartSec=10s 112 | 113 | [Install] 114 | WantedBy=multi-user.target 115 | ```` 116 | 117 | -------------------------------------------------------------------------------- /docs/chap02/2.9.md: -------------------------------------------------------------------------------- 1 | **vim /usr/lib/systemd/system/kubelet.service** 2 | 3 | ```` 4 | [Unit] 5 | Description=Kubernetes Kubelet 6 | Documentation=https://github.com/kubernetes/kubernetes 7 | After=docker.service 8 | Requires=docker.service 9 | 10 | [Service] 11 | ExecStart=/usr/local/bin/kubelet 12 | 13 | Restart=always 14 
| StartLimitInterval=0 15 | RestartSec=10 16 | 17 | [Install] 18 | WantedBy=multi-user.target 19 | ```` 20 | 21 | **vim /etc/systemd/system/kubelet.service.d/10-kubelet.conf** 22 | 23 | ```` 24 | [Service] 25 | Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig" 26 | Environment="KUBELET_SYSTEM_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin --container-runtime=remote --runtime-request-timeout=15m --container-runtime-endpoint=unix:///run/containerd/containerd.sock --cgroup-driver=systemd" 27 | Environment="KUBELET_CONFIG_ARGS=--config=/etc/kubernetes/kubelet-conf.yml" 28 | Environment="KUBELET_EXTRA_ARGS=--node-labels=node.kubernetes.io/node='' " 29 | ExecStart= 30 | ExecStart=/usr/local/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_SYSTEM_ARGS $KUBELET_EXTRA_ARGS 31 | ```` 32 | 33 | **Runtime为Docker,请使用如下Kubelet的配置** 34 | 35 | **vim /etc/systemd/system/kubelet.service.d/10-kubelet.conf** 36 | 37 | ```` 38 | [Service] 39 | Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig" 40 | Environment="KUBELET_SYSTEM_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin" 41 | Environment="KUBELET_CONFIG_ARGS=--config=/etc/kubernetes/kubelet-conf.yml --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.5" 42 | Environment="KUBELET_EXTRA_ARGS=--node-labels=node.kubernetes.io/node='' " 43 | ExecStart= 44 | ExecStart=/usr/local/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_SYSTEM_ARGS $KUBELET_EXTRA_ARGS 45 | ```` 46 | 47 | **vim /etc/kubernetes/kubelet-conf.yml** 48 | 49 | ```` 50 | apiVersion: kubelet.config.k8s.io/v1beta1 51 | kind: KubeletConfiguration 52 | address: 0.0.0.0 53 | port: 10250 54 | readOnlyPort: 10255 # 只读端口不经过认证和鉴权,不需要时建议设为0关闭 55 | authentication: 
56 | anonymous: 57 | enabled: false 58 | webhook: 59 | cacheTTL: 2m0s 60 | enabled: true 61 | x509: 62 | clientCAFile: /etc/kubernetes/pki/ca.pem 63 | authorization: 64 | mode: Webhook 65 | webhook: 66 | cacheAuthorizedTTL: 5m0s 67 | cacheUnauthorizedTTL: 30s 68 | cgroupDriver: systemd 69 | cgroupsPerQOS: true 70 | clusterDNS: 71 | - 192.168.0.10 72 | clusterDomain: cluster.local 73 | containerLogMaxFiles: 5 74 | containerLogMaxSize: 10Mi 75 | contentType: application/vnd.kubernetes.protobuf 76 | cpuCFSQuota: true 77 | cpuManagerPolicy: none 78 | cpuManagerReconcilePeriod: 10s 79 | enableControllerAttachDetach: true 80 | enableDebuggingHandlers: true 81 | enforceNodeAllocatable: 82 | - pods 83 | eventBurst: 10 84 | eventRecordQPS: 5 85 | evictionHard: 86 | imagefs.available: 15% 87 | memory.available: 100Mi 88 | nodefs.available: 10% 89 | nodefs.inodesFree: 5% 90 | evictionPressureTransitionPeriod: 5m0s 91 | failSwapOn: true 92 | fileCheckFrequency: 20s 93 | hairpinMode: promiscuous-bridge 94 | healthzBindAddress: 127.0.0.1 95 | healthzPort: 10248 96 | httpCheckFrequency: 20s 97 | imageGCHighThresholdPercent: 85 98 | imageGCLowThresholdPercent: 80 99 | imageMinimumGCAge: 2m0s 100 | iptablesDropBit: 15 101 | iptablesMasqueradeBit: 14 102 | kubeAPIBurst: 10 103 | kubeAPIQPS: 5 104 | makeIPTablesUtilChains: true 105 | maxOpenFiles: 1000000 106 | maxPods: 110 107 | nodeStatusUpdateFrequency: 10s 108 | oomScoreAdj: -999 109 | podPidsLimit: -1 110 | registryBurst: 10 111 | registryPullQPS: 5 112 | resolvConf: /etc/resolv.conf 113 | rotateCertificates: true 114 | runtimeRequestTimeout: 2m0s 115 | serializeImagePulls: true 116 | staticPodPath: /etc/kubernetes/manifests 117 | streamingConnectionIdleTimeout: 4h0m0s 118 | syncFrequency: 1m0s 119 | volumeStatsAggPeriod: 1m0s 120 | ```` 121 | 122 | **vim /usr/lib/systemd/system/kube-proxy.service** 123 | 124 | ```` 125 | [Unit] 126 | Description=Kubernetes Kube Proxy 127 | Documentation=https://github.com/kubernetes/kubernetes 
128 | After=network.target 129 | 130 | [Service] 131 | ExecStart=/usr/local/bin/kube-proxy \ 132 | --config=/etc/kubernetes/kube-proxy.yaml \ 133 | --v=2 134 | 135 | Restart=always 136 | RestartSec=10s 137 | 138 | [Install] 139 | WantedBy=multi-user.target 140 | 141 | ```` 142 | 143 | **vim /etc/kubernetes/kube-proxy.yaml** 144 | 145 | ```` 146 | apiVersion: kubeproxy.config.k8s.io/v1alpha1 147 | bindAddress: 0.0.0.0 148 | clientConnection: 149 | acceptContentTypes: "" 150 | burst: 10 151 | contentType: application/vnd.kubernetes.protobuf 152 | kubeconfig: /etc/kubernetes/kube-proxy.kubeconfig 153 | qps: 5 154 | clusterCIDR: 172.16.0.0/12 155 | configSyncPeriod: 15m0s 156 | conntrack: 157 | max: null 158 | maxPerCore: 32768 159 | min: 131072 160 | tcpCloseWaitTimeout: 1h0m0s 161 | tcpEstablishedTimeout: 24h0m0s 162 | enableProfiling: false 163 | healthzBindAddress: 0.0.0.0:10256 164 | hostnameOverride: "" 165 | iptables: 166 | masqueradeAll: false 167 | masqueradeBit: 14 168 | minSyncPeriod: 0s 169 | syncPeriod: 30s 170 | ipvs: 171 | masqueradeAll: true 172 | minSyncPeriod: 5s 173 | scheduler: "rr" 174 | syncPeriod: 30s 175 | kind: KubeProxyConfiguration 176 | metricsBindAddress: 127.0.0.1:10249 177 | mode: "ipvs" 178 | nodePortAddresses: null 179 | oomScoreAdj: -999 180 | portRange: "" 181 | udpIdleTimeout: 250ms 182 | 183 | ```` 184 | 185 | -------------------------------------------------------------------------------- /docs/chap04/4.6.md: -------------------------------------------------------------------------------- 1 | **定义一个Pod** 2 | 3 | ```` 4 | apiVersion: v1 # 必选,API的版本号 5 | kind: Pod # 必选,类型Pod 6 | metadata: # 必选,元数据 7 | name: nginx # 必选,符合RFC 1035规范的Pod名称 8 | namespace: default # 可选,Pod所在的命名空间,不指定默认为default,可以使用-n 指定namespace 9 | labels: # 可选,标签选择器,一般用于过滤和区分Pod 10 | app: nginx 11 | role: frontend # 可以写多个 12 | annotations: # 可选,注释列表,可以写多个 13 | app: nginx 14 | spec: # 必选,用于定义容器的详细信息 15 | initContainers: # 初始化容器,在容器启动之前执行的一些初始化操作 16 | - command: 17 | - sh 
18 | - -c 19 | - echo "I am InitContainer for init some configuration" 20 | image: busybox 21 | imagePullPolicy: IfNotPresent 22 | name: init-container 23 | containers: # 必选,容器列表 24 | - name: nginx # 必选,符合RFC 1035规范的容器名称 25 | image: nginx:latest # 必选,容器所用的镜像的地址 26 | imagePullPolicy: Always # 可选,镜像拉取策略 27 | command: # 可选,容器启动执行的命令 28 | - nginx 29 | - -g 30 | - "daemon off;" 31 | workingDir: /usr/share/nginx/html # 可选,容器的工作目录 32 | volumeMounts: # 可选,存储卷配置,可以配置多个 33 | - name: webroot # 存储卷名称 34 | mountPath: /usr/share/nginx/html # 挂载目录 35 | readOnly: true # 只读 36 | ports: # 可选,容器需要暴露的端口号列表 37 | - name: http # 端口名称 38 | containerPort: 80 # 端口号 39 | protocol: TCP # 端口协议,默认TCP 40 | env: # 可选,环境变量配置列表 41 | - name: TZ # 变量名 42 | value: Asia/Shanghai # 变量的值 43 | - name: LANG 44 | value: en_US.utf8 45 | resources: # 可选,资源限制和资源请求限制 46 | limits: # 最大限制设置 47 | cpu: 1000m 48 | memory: 1024Mi 49 | requests: # 启动所需的资源 50 | cpu: 100m 51 | memory: 512Mi 52 | # startupProbe: # 可选,检测容器内进程是否完成启动。注意三种检查方式同时只能使用一种。 53 | # httpGet: # httpGet检测方式,生产环境建议使用httpGet实现接口级健康检查,健康检查由应用程序提供。 54 | # path: /api/successStart # 检查路径 55 | # port: 80 56 | readinessProbe: # 可选,健康检查。注意三种检查方式同时只能使用一种。 57 | httpGet: # httpGet检测方式,生产环境建议使用httpGet实现接口级健康检查,健康检查由应用程序提供。 58 | path: / # 检查路径 59 | port: 80 # 监控端口 60 | livenessProbe: # 可选,健康检查 61 | #exec: # 执行容器命令检测方式 62 | #command: 63 | #- cat 64 | #- /health 65 | #httpGet: # httpGet检测方式 66 | # path: /_health # 检查路径 67 | # port: 8080 68 | # httpHeaders: # 检查的请求头 69 | # - name: end-user 70 | # value: Jason 71 | tcpSocket: # 端口检测方式 72 | port: 80 73 | initialDelaySeconds: 60 # 初始化时间 74 | timeoutSeconds: 2 # 超时时间 75 | periodSeconds: 5 # 检测间隔 76 | successThreshold: 1 # 表示检查成功1次表示就绪 77 | failureThreshold: 2 # 检测失败2次表示未就绪 78 | lifecycle: 79 | postStart: # 容器创建完成后执行的指令, 可以是exec httpGet TCPSocket 80 | exec: 81 | command: 82 | - sh 83 | - -c 84 | - 'mkdir /data/ ' 85 | preStop: 86 | httpGet: 87 | path: / 88 | port: 80 89 | # exec: 90 | # command: 91 | # - sh 92 | # - -c 93 
| # - sleep 9 94 | restartPolicy: Always # 可选,默认为Always 95 | #nodeSelector: # 可选,指定Node节点 96 | # region: subnet7 97 | imagePullSecrets: # 可选,拉取镜像使用的secret,可以配置多个 98 | - name: default-dockercfg-86258 99 | hostNetwork: false # 可选,是否为主机模式,如是,会占用主机端口 100 | volumes: # 共享存储卷列表 101 | - name: webroot # 名称,与上述对应 102 | emptyDir: {} # 挂载目录 103 | #hostPath: # 挂载本机目录 104 | # path: /etc/hosts 105 | 106 | ```` 107 | 108 | -------------------------------------------------------------------------------- /docs/chap05/5.1.md: -------------------------------------------------------------------------------- 1 | **定义一个Replication Controller** 2 | 3 | ``` 4 | apiVersion: v1 5 | kind: ReplicationController 6 | metadata: 7 | name: nginx 8 | spec: 9 | replicas: 3 10 | selector: 11 | app: nginx 12 | template: 13 | metadata: 14 | name: nginx 15 | labels: 16 | app: nginx 17 | spec: 18 | containers: 19 | - name: nginx 20 | image: nginx 21 | ports: 22 | - containerPort: 80 23 | ``` 24 | 25 | **定义一个ReplicaSet** 26 | 27 | ```` 28 | apiVersion: apps/v1 29 | kind: ReplicaSet 30 | metadata: 31 | name: frontend 32 | labels: 33 | app: guestbook 34 | tier: frontend 35 | spec: 36 | # modify replicas according to your case 37 | replicas: 3 38 | selector: 39 | matchLabels: 40 | tier: frontend 41 | matchExpressions: 42 | - {key: tier, operator: In, values: [frontend]} 43 | template: 44 | metadata: 45 | labels: 46 | app: guestbook 47 | tier: frontend 48 | spec: 49 | containers: 50 | - name: php-redis 51 | image: gcr.io/google_samples/gb-frontend:v3 52 | resources: 53 | requests: 54 | cpu: 100m 55 | memory: 100Mi 56 | env: 57 | - name: GET_HOSTS_FROM 58 | value: dns 59 | # If your cluster config does not include a dns service, then to 60 | # instead access environment variables to find service host 61 | # info, comment out the 'value: dns' line above, and uncomment the 62 | # line below. 
63 | # value: env 64 | ports: 65 | - containerPort: 80 66 | 67 | ```` 68 | 69 | -------------------------------------------------------------------------------- /docs/chap06/6.2.md: -------------------------------------------------------------------------------- 1 | **定义Service的yaml文件** 2 | 3 | ``` 4 | kind: Service 5 | apiVersion: v1 6 | metadata: 7 | name: my-service 8 | spec: 9 | selector: 10 | app: myapp 11 | ports: 12 | - protocol: TCP 13 | port: 80 14 | targetPort: 9376 15 | 16 | ``` 17 | 18 | **无Selector的Service** 19 | 20 | ```` 21 | kind: Service 22 | apiVersion: v1 23 | metadata: 24 | name: my-service 25 | spec: 26 | ports: 27 | - protocol: TCP 28 | port: 80 29 | targetPort: 9376 30 | --- 31 | kind: Endpoints 32 | apiVersion: v1 33 | metadata: 34 | name: my-service 35 | subsets: 36 | - addresses: 37 | - ip: 1.2.3.4 38 | ports: 39 | - port: 9376 40 | 41 | ```` 42 | 43 | **ExternalName Service** 44 | 45 | ```` 46 | kind: Service 47 | apiVersion: v1 48 | metadata: 49 | name: my-service 50 | namespace: prod 51 | spec: 52 | type: ExternalName 53 | externalName: my.database.example.com 54 | 55 | ```` 56 | 57 | **多端口Service** 58 | 59 | ```` 60 | kind: Service 61 | apiVersion: v1 62 | metadata: 63 | name: my-service 64 | spec: 65 | selector: 66 | app: myapp 67 | ports: 68 | - name: http 69 | protocol: TCP 70 | port: 80 71 | targetPort: 9376 72 | - name: https 73 | protocol: TCP 74 | port: 443 75 | targetPort: 9377 76 | 77 | ```` 78 | 79 | **NodePort** 80 | 81 | ````` 82 | kind: Service 83 | apiVersion: v1 84 | metadata: 85 | labels: 86 | k8s-app: kubernetes-dashboard 87 | name: kubernetes-dashboard 88 | namespace: kube-system 89 | spec: 90 | type: NodePort 91 | ports: 92 | - port: 443 93 | targetPort: 8443 94 | nodePort: 30000 95 | selector: 96 | k8s-app: kubernetes-dashboard 97 | ````` 98 | 99 | -------------------------------------------------------------------------------- /docs/chap06/6.3.md: 
-------------------------------------------------------------------------------- 1 | **创建一个Ingress** 2 | 3 | ```` 4 | apiVersion: networking.k8s.io/v1beta1 5 | kind: Ingress 6 | metadata: 7 | name: simple-fanout-example 8 | annotations: 9 | kubernetes.io/ingress.class: "nginx" # 不同的controller,ingress.class可能不一致 10 | spec: 11 | rules: 12 | - host: foo.bar.com 13 | http: 14 | paths: 15 | - path: /foo 16 | pathType: Prefix 17 | backend: 18 | serviceName: service1 19 | servicePort: 4200 20 | - path: /bar 21 | pathType: ImplementationSpecific 22 | backend: 23 | serviceName: service2 24 | servicePort: 8080 25 | 26 | ```` 27 | 28 | **Ingress v1** 29 | 30 | ```` 31 | apiVersion: networking.k8s.io/v1 # 1.19+ 32 | kind: Ingress 33 | metadata: 34 | name: simple-fanout-example 35 | spec: 36 | ingressClassName: nginx 37 | rules: 38 | - host: foo.bar.com 39 | http: 40 | paths: 41 | - path: /foo 42 | backend: 43 | service: 44 | name: service1 45 | port: 46 | number: 4200 47 | ```` 48 | 49 | **单域名** 50 | 51 | ```` 52 | apiVersion: networking.k8s.io/v1beta1 53 | kind: Ingress 54 | metadata: 55 | name: simple-fanout-example 56 | annotations: 57 | nginx.ingress.kubernetes.io/rewrite-target: / 58 | spec: 59 | rules: 60 | - host: foo.bar.com 61 | http: 62 | paths: 63 | - path: /foo 64 | backend: 65 | serviceName: service1 66 | servicePort: 4200 67 | - path: /bar 68 | backend: 69 | serviceName: service2 70 | servicePort: 8080 71 | 72 | ```` 73 | 74 | **多域名** 75 | 76 | ```` 77 | apiVersion: networking.k8s.io/v1beta1 78 | kind: Ingress 79 | metadata: 80 | name: name-virtual-host-ingress 81 | spec: 82 | rules: 83 | - host: foo.bar.com 84 | http: 85 | paths: 86 | - backend: 87 | serviceName: service1 88 | servicePort: 80 89 | - host: bar.foo.com 90 | http: 91 | paths: 92 | - backend: 93 | serviceName: service2 94 | servicePort: 80 95 | 96 | ```` 97 | 98 | **TLS** 99 | 100 | ```` 101 | apiVersion: networking.k8s.io/v1beta1 102 | kind: Ingress 103 | metadata: 104 | name: nginx-https-test 105 | 
namespace: default 106 | annotations: 107 | kubernetes.io/ingress.class: "nginx" 108 | spec: 109 | rules: 110 | - host: https-test.com 111 | http: 112 | paths: 113 | - backend: 114 | serviceName: nginx-svc 115 | servicePort: 80 116 | tls: 117 | - secretName: nginx-test-tls 118 | 119 | ```` 120 | 121 | -------------------------------------------------------------------------------- /docs/chap07/7.2.md: -------------------------------------------------------------------------------- 1 | **game.properties** 2 | 3 | ```` 4 | enemies=aliens 5 | lives=3 6 | enemies.cheat=true 7 | enemies.cheat.level=noGoodRotten 8 | secret.code.passphrase=UUDDLRLRBABAS 9 | secret.code.allowed=true 10 | secret.code.lives=30 11 | 12 | ```` 13 | 14 | **ui.properties** 15 | 16 | ```` 17 | color.good=purple 18 | color.bad=yellow 19 | allow.textmode=true 20 | how.nice.to.look=fairlyNice 21 | 22 | ```` 23 | 24 | **game-env-file.properties** 25 | 26 | ``` 27 | enemies=aliens 28 | lives=3 29 | allowed="true" 30 | 31 | ``` 32 | 33 | -------------------------------------------------------------------------------- /docs/chap07/7.3.md: -------------------------------------------------------------------------------- 1 | **valueFrom** 2 | 3 | ``` 4 | apiVersion: apps/v1 5 | kind: Deployment 6 | metadata: 7 | labels: 8 | app: env-valuefrom 9 | name: env-valuefrom 10 | namespace: default 11 | spec: 12 | replicas: 1 13 | selector: 14 | matchLabels: 15 | app: env-valuefrom 16 | strategy: 17 | rollingUpdate: 18 | maxSurge: 1 19 | maxUnavailable: 0 20 | type: RollingUpdate 21 | template: 22 | metadata: 23 | labels: 24 | app: env-valuefrom 25 | spec: 26 | containers: 27 | - command: 28 | - sh 29 | - -c 30 | - env 31 | env: 32 | - name: TZ 33 | value: Asia/Shanghai 34 | - name: LANG 35 | value: C.UTF-8 36 | - name: SPECIAL_LEVEL_KEY 37 | valueFrom: 38 | configMapKeyRef: 39 | key: special.how 40 | name: special-config 41 | image: busybox 42 | imagePullPolicy: IfNotPresent 43 | name: env-valuefrom 44 | 
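# (continuation of the env-valuefrom container spec from the previous listing)
        resources:
          limits:
            cpu: 100m
            memory: 100Mi
          requests:
            cpu: 10m
            memory: 10Mi
      dnsPolicy: ClusterFirst
      # A Deployment's pod template only accepts restartPolicy: Always;
      # "Never" is rejected by the API server. Because `env` exits at once the
      # container is restarted (CrashLoopBackOff) - read its output with
      # `kubectl logs`, or use a bare Pod / Job for a one-shot command.
      restartPolicy: Always

```

**envFrom**

````
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: env-valuefrom
  name: env-valuefrom
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: env-valuefrom
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: env-valuefrom
    spec:
      containers:
      - command:
        - sh
        - -c
        - env                  # dumps all variables into the pod log (see above)
        env:
        - name: TZ
          value: Asia/Shanghai
        - name: LANG
          value: C.UTF-8
        envFrom:
        - configMapRef:
            name: game-config-env-file
          prefix: fromCm_      # every key becomes fromCm_<key>
        image: busybox
        imagePullPolicy: IfNotPresent
        name: env-valuefrom
        resources:
          limits:
            cpu: 100m
            memory: 100Mi
          requests:
            cpu: 10m
            memory: 10Mi
      dnsPolicy: ClusterFirst
      restartPolicy: Always    # Deployments do not accept "Never" (see above)

````

**文件挂载**

````
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh", "-c", "ls /etc/config/" ]
      volumeMounts:
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        # Provide the name of the ConfigMap containing the files you want
        # to add to the container
        name: special-config
  restartPolicy: Never

````

**自定义文件名**

```
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh","-c","cat /etc/config/keys" ]
      volumeMounts:
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: special-config
        items:
        - key: special.how
          path: keys           # only this key is projected, as /etc/config/keys
  restartPolicy: Never

```

**指定文件权限**

```
apiVersion: v1
kind: Pod
metadata:
  name: dapi-test-pod
spec:
  containers:
    - name: test-container
      image: busybox
      command: [ "/bin/sh","-c","ls -l /etc/config/..data/" ]
      volumeMounts:
      - name: config-volume
        mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: special-config
        items:
        - key: special.how
          path: keys
        # 0666 = world-readable *and* world-writable mode bits on the projected
        # file. Use 0644 (or 0444) unless there is a reason not to.
        # NOTE(review): the kubelet mounts configMap volumes read-only, so the
        # bits do not actually make the file writable - confirm for your
        # version before relying on either behaviour.
        defaultMode: 0666
  restartPolicy: Never

```

--------------------------------------------------------------------------------
/docs/chap07/7.6.md:
--------------------------------------------------------------------------------
**挂载Secret**

```
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true           # keep: the container cannot alter the projected files
  volumes:
  - name: foo
    secret:                    # "secret" instead of "configMap"
      secretName: mysecret     # "secretName" instead of "name"

```

**自定义文件名挂载**

```
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
  - name: mypod
    image: redis
    volumeMounts:
    - name: foo
      mountPath: "/etc/foo"
      readOnly: true
  volumes:
  - name: foo
    secret:
      secretName: mysecret
      items:
      - key: username
        path: my-group/my-username   # -> /etc/foo/my-group/my-username

```

**Secret作为环境变量**

````
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-pod
spec:
  containers:
  - name: mycontainer
    image: redis
    # NOTE(review): Secret values injected as environment variables are
    # inherited by every child process and are routinely dumped by crash
    # handlers and logging frameworks; they are also not refreshed when the
    # Secret changes. Mounting the Secret as a volume (above) is the safer
    # default.
    env:
      - name: SECRET_USERNAME
        valueFrom:
          secretKeyRef:
            name: mysecret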
# (continuation of secret-env-pod: secretKeyRef for SECRET_USERNAME)
            key: username
      - name: SECRET_PASSWORD
        valueFrom:
          secretKeyRef:
            name: mysecret
            key: password
  restartPolicy: Never

````

--------------------------------------------------------------------------------
/docs/chap07/7.7.md:
--------------------------------------------------------------------------------
**imagePullSecrets**

````
apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: awesomeapps
spec:
  containers:
    - name: foo
      image: janedoe/awesomeapp:v1
  # Secrets are namespace-scoped: every key listed here must exist in
  # "awesomeapps" (kubernetes.io/dockerconfigjson). These credentials are
  # used for pulling only; they are not exposed to the container.
  imagePullSecrets:
    - name: myregistrykey
    # multiple Secrets
    - name: myregistrykey2
    - name: myregistrykeyx

````

**Ingress TLS**

````
# NOTE(review): networking.k8s.io/v1beta1 Ingress is no longer served by
# Kubernetes 1.22+; use networking.k8s.io/v1 with spec.ingressClassName.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nginx-https-test
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: https-test.com
    http:
      paths:
      - backend:
          serviceName: nginx-svc
          servicePort: 80
  tls:
  # nginx-test-tls must be a kubernetes.io/tls Secret in namespace "default".
  # NOTE(review): consider `hosts: [https-test.com]` so the certificate is
  # served only for that name rather than as the default certificate.
  - secretName: nginx-test-tls

````

--------------------------------------------------------------------------------
/docs/chap08/8.1-8.5.md:
--------------------------------------------------------------------------------
**nginx-empty.yaml**

````
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.15.2
        imagePullPolicy: IfNotPresent
        name: nginx
        volumeMounts:
        - mountPath: /opt          # same emptyDir, seen as /opt here ...
          name: share-volume
      - image: nginx:1.15.2
        imagePullPolicy: IfNotPresent
        name: nginx2
        command:
        - sh
        - -c
        - sleep 3600
        volumeMounts:
        - mountPath: /mnt          # ... and as /mnt in the second container
          name: share-volume
      volumes:
      - name: share-volume
        emptyDir: {}
        # medium: Memory would back the volume with tmpfs; its contents then
        # count against the pod's memory limit and vanish on eviction.
        #medium: Memory

````

**nginx-hostPath.yaml**

````
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx
  name: nginx
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx:1.15.2
        imagePullPolicy: IfNotPresent
        name: nginx
        volumeMounts:
        - mountPath: /opt
          name: share-volume
        - mountPath: /etc/timezone
          name: timezone
      - image: nginx:1.15.2
        imagePullPolicy: IfNotPresent
        name: nginx2
        command:
        - sh
        - -c
        - sleep 3600
        volumeMounts:
        - mountPath: /mnt
          name: share-volume
      volumes:
      - name: share-volume
        emptyDir: {}
        #medium: Memory
      - name: timezone
        # NOTE(review): hostPath exposes part of the node's filesystem to the
        # pod and is rejected by the Pod Security "baseline" and "restricted"
        # levels - keep it out of tenant namespaces. type: File makes the
        # kubelet refuse to start the pod when /etc/timezone does not exist on
        # the node (not every distribution ships that file).
        hostPath:
          path: /etc/timezone
          type: File

````

--------------------------------------------------------------------------------
/docs/chap08/8.6.md:
--------------------------------------------------------------------------------
**基于NFS的PV**

````
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv0003
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  # NOTE(review): "Recycle" (rm -rf on release) is deprecated upstream; prefer
  # Retain or dynamic provisioning with Delete.
  persistentVolumeReclaimPolicy: Recycle
  storageClassName: nfs-slow
  mountOptions:
    - hard
    - nfsvers=4.1
  # NOTE(review): NFS with the default sec=sys trusts client-supplied UIDs and
  # is unencrypted; restrict the export on 172.17.0.2 to the node addresses.
  nfs:
    path: /tmp                 # export path on the NFS server
    server: 172.17.0.2

````

**基于HostPath的PV**

````
kind: PersistentVolume
apiVersion: v1
metadata:
  name: task-pv-volume
  labels:
    type: local
spec:
  storageClassName: manual
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  # Data lives on whichever node the pod is scheduled to; it is not shared
  # across nodes. Single-node / lab use only.
  hostPath:
    path: "/mnt/data"

````

**基于Ceph RBD的PV**

````
apiVersion: v1
kind: PersistentVolume
metadata:
  name: ceph-rbd-pv
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
  # NOTE(review): the in-tree "rbd" plugin is deprecated in favour of ceph-csi
  # (see Section 8.9). The image must already exist in the pool.
  rbd:
    monitors:
      - 192.168.1.123:6789
      - 192.168.1.124:6789
      - 192.168.1.125:6789
    pool: rbd
    image: ceph-rbd-pv-test
    # NOTE(review): this maps the image with the Ceph *admin* keyring held in
    # ceph-secret. Prefer a dedicated client whose caps are restricted to this
    # pool; anyone who can read ceph-secret otherwise owns the whole cluster.
    user: admin
    secretRef:
      name: ceph-secret        # must be in the namespace of the PVC/pod that binds this PV
    fsType: ext4
    readOnly: false

````

--------------------------------------------------------------------------------
/docs/chap08/8.7.md:
--------------------------------------------------------------------------------
**PVC的创建**

````
kind: PersistentVolume
apiVersion: v1
metadata:
  name: task-pv-volume
  labels:
    type: local
spec:
  storageClassName: manual
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/mnt/data"
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: task-pv-claim
spec:
  storageClassName: manual   # binds to a PV with the same class and enough capacity
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi

````

**NFS类型的PVC**

````
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: pvc-nfs
spec:
  storageClassName: nfs-slow
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi

````

**PVC的使用**

````
kind: Pod
apiVersion: v1
metadata:
  name: task-pv-pod
spec:
  volumes:
    - name: task-pv-storage
      persistentVolumeClaim:
        claimName: task-pv-claim
  containers:
    - name: task-pv-container
      image: nginx               # untagged -> "latest"; pin a tag in real use
      ports:
        - containerPort: 80
          name: "http-server"
      volumeMounts:
        - mountPath: "/usr/share/nginx/html"
          name: task-pv-storage

````

--------------------------------------------------------------------------------
/docs/chap08/8.8.md:
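--------------------------------------------------------------------------------
**定义一个StorageClass**

````
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: slow
# NOTE(review): the in-tree glusterfs provisioner has been removed from
# upstream Kubernetes in recent releases; this is kept as a historical example.
provisioner: kubernetes.io/glusterfs
parameters:
  # Plain http: restuser and the heketi-secret password are sent in clear
  # text. Acceptable for a loopback address as here; use https for a remote
  # heketi endpoint.
  resturl: "http://127.0.0.1:8081"
  clusterid: "630372ccdc720a92c681fb928f27b53f"
  restauthenabled: "true"
  restuser: "admin"
  secretNamespace: "default"
  secretName: "heketi-secret"
  gidMin: "40000"
  gidMax: "50000"
  volumetype: "replicate:3"

````

**vim provi-cephrbd.yaml**

````yaml
---
# The Deployment and the bindings below reference this ServiceAccount, but it
# is not created anywhere else on this page; without it the pod is rejected.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rbd-provisioner
  namespace: kube-system

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbd-provisioner
  # (no "namespace": ClusterRole is cluster-scoped; the field is meaningless
  # here and was dropped)
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["kube-dns","coredns"]
    verbs: ["list", "get"]
  # NOTE(review): cluster-wide write access to endpoints (used for leader
  # election) is broader than a single-replica provisioner needs; the Role
  # below already grants it in kube-system.
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rbd-provisioner
subjects:
  - kind: ServiceAccount
    name: rbd-provisioner
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: rbd-provisioner
  apiGroup: rbac.authorization.k8s.io

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rbd-provisioner
  namespace: kube-system
rules:
# Lets the provisioner read the Ceph admin and user keyrings referenced by
# rbd-sc.yaml. As written it can read *any* Secret in kube-system by name;
# uncomment resourceNames to limit it to the two it actually needs.
- apiGroups: [""]
  resources: ["secrets"]
  # resourceNames: ["ceph-admin-secret", "ceph-k8s-secret"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rbd-provisioner
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rbd-provisioner
subjects:
- kind: ServiceAccount
  name: rbd-provisioner
  namespace: kube-system

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rbd-provisioner
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: rbd-provisioner
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: rbd-provisioner
    spec:
      containers:
      - name: rbd-provisioner
        # NOTE(review): ":latest" from a personal registry namespace means the
        # running image can change silently on every pull; pin a version tag
        # or, better, an @sha256 digest for anything beyond a lab.
        image: "registry.cn-beijing.aliyuncs.com/dotbalo/rbd-provisioner:latest"
        env:
        - name: PROVISIONER_NAME
          value: ceph.com/rbd    # must match "provisioner:" in rbd-sc.yaml
      # "serviceAccount" is the deprecated alias of serviceAccountName.
      serviceAccountName: rbd-provisioner

````

**vim rbd-sc.yaml**

````yaml
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: ceph-rbd
provisioner: ceph.com/rbd
parameters:
  monitors: x.x.x.x:6789,x.x.x.x:6789,x.x.x.x:6789
  pool: rbdfork8s
  # The provisioner creates/deletes images with the admin keyring in
  # ceph-admin-secret; nodes map images with the less privileged "kube" user.
  # Keep that split, and keep both Secrets in kube-system where only cluster
  # administrators can read them.
  adminId: admin
  adminSecretNamespace: kube-system
  adminSecretName: ceph-admin-secret
  userId: kube
  userSecretNamespace: kube-system
  userSecretName: ceph-k8s-secret
  imageFormat: "2"
  imageFeatures: layering      # the only feature the kernel rbd client is guaranteed to support

````

**vim rbd-pvc.yaml**

````
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: rbd-pvc-test
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: ceph-rbd
  resources:
    requests:
      storage: 100Mi
# kubectl create -f rbd-pvc.yaml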
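````

--------------------------------------------------------------------------------
/docs/chap08/8.9.md:
--------------------------------------------------------------------------------
**8.9.1**

**vim ceph-configmap.yaml**

````
apiVersion: v1
kind: ConfigMap
data:
  config.json: |-
    [
      {
        "clusterID": "48ddd55b-28ce-43f3-92a8-d17d9ad2c0de",
        "monitors": [
          "xxx:6789",
          "xxx:6789",
          "xxx:6789"
        ],
        "cephFS": {
          "subvolumeGroup": "cephfs-k8s-csi"
        }
      }
    ]
metadata:
  # No namespace is set, so `kubectl create -f` uses the current context's
  # namespace. It must land in the namespace the cephfs driver runs in
  # (ceph-csi-cephfs below) - the name must match the chart's configMapName.
  name: ceph-csi-config

````

**vim cephfs-csi-sc.yaml**

````
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csi-cephfs-sc
provisioner: cephfs.csi.ceph.com
parameters:
  clusterID: 48ddd55b-28ce-43f3-92a8-d17d9ad2c0de

  fsName: sharefs

  pool: sharefs-data0

  # The secrets have to contain user and/or Ceph admin credentials.
  # They hold Ceph keyrings, so restrict who can read Secrets in the
  # ceph-csi-cephfs namespace.
  csi.storage.k8s.io/provisioner-secret-name: csi-cephfs-secret
  csi.storage.k8s.io/provisioner-secret-namespace: ceph-csi-cephfs
  csi.storage.k8s.io/controller-expand-secret-name: csi-cephfs-secret
  csi.storage.k8s.io/controller-expand-secret-namespace: ceph-csi-cephfs
  csi.storage.k8s.io/node-stage-secret-name: csi-cephfs-secret
  csi.storage.k8s.io/node-stage-secret-namespace: ceph-csi-cephfs

  # (optional) The driver can use either ceph-fuse (fuse) or
  # ceph kernelclient (kernel).
  # If omitted, default volume mounter will be used - this is
  # determined by probing for ceph-fuse and mount.ceph
  # mounter: kernel

  # (optional) Prefix to use for naming subvolumes.
  # If omitted, defaults to "csi-vol-".
  # volumeNamePrefix: "foo-bar-"

reclaimPolicy: Delete
allowVolumeExpansion: true
mountOptions:
  # "debug" turns on verbose client debug logging for every mount; useful
  # while following the chapter, drop it for production.
  - debug

````

**vim pvc.yaml**

````
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: cephfs-pvc-test-csi
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: csi-cephfs-sc
  resources:
    requests:
      storage: 100Mi

````

**vim test-pvc-dp.yaml**

````
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-cephfs
  name: test-cephfs
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-cephfs
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: test-cephfs
    spec:
      containers:
      - command:
        - sh
        - -c
        - sleep 36000
        image: registry.cn-beijing.aliyuncs.com/dotbalo/debug-tools   # untagged -> "latest"
        name: test-cephfs
        volumeMounts:
        - mountPath: /mnt
          name: cephfs-pvc-test
      volumes:
      - name: cephfs-pvc-test
        persistentVolumeClaim:
          claimName: cephfs-pvc-test-csi

````

**8.9.2**

**ceph-configmap.yaml**

````
apiVersion: v1
kind: ConfigMap
data:
  config.json: |-
    [
      {
        "clusterID": "48ddd55b-28ce-43f3-92a8-d17d9ad2c0de",
        "monitors": [
          "xxx:6789",
          "xxx:6789",
          "xxx:6789"
        ],
        "cephFS": {
          "subvolumeGroup": "cephrbd-k8s-csi"
        }
      }
    ]
metadata:
  # Same content as the cephfs ConfigMap, applied into the rbd driver's
  # namespace (ceph-csi-rbd). NOTE(review): the "cephFS" block is presumably
  # ignored by the rbd driver and only carried over from 8.9.1.
  name: ceph-csi-config

````

**rbd-csi-sc.yaml**

````
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csi-rbd-sc
provisioner: rbd.csi.ceph.com
parameters:
  clusterID: 48ddd55b-28ce-43f3-92a8-d17d9ad2c0de
  pool: rbdfork8s
  imageFeatures: layering

  # Ceph keyrings live in these Secrets; restrict Secret access in ceph-csi-rbd.
  csi.storage.k8s.io/provisioner-secret-name: csi-rbd-secret
  csi.storage.k8s.io/provisioner-secret-namespace: ceph-csi-rbd
  csi.storage.k8s.io/controller-expand-secret-name: csi-rbd-secret
  csi.storage.k8s.io/controller-expand-secret-namespace: ceph-csi-rbd
  csi.storage.k8s.io/node-stage-secret-name: csi-rbd-secret
  csi.storage.k8s.io/node-stage-secret-namespace: ceph-csi-rbd
  csi.storage.k8s.io/fstype: ext4
reclaimPolicy: Delete
allowVolumeExpansion: true
mountOptions:
  - discard

````

**pvc.yaml**

````
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: rbd-pvc-test-csi
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: csi-rbd-sc
  resources:
    requests:
      storage: 100Mi

````

**test-pvc-dp.yaml**

````
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-rbd
  name: test-rbd
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-rbd
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: test-rbd
    spec:
      containers:
      - command:
        - sh
        - -c
        - sleep 36000
        image: registry.cn-beijing.aliyuncs.com/dotbalo/debug-tools   # untagged -> "latest"
        name: test-rbd
        volumeMounts:
        - mountPath: /mnt
          name: rbd-pvc-test
      volumes:
      - name: rbd-pvc-test
        persistentVolumeClaim:
          claimName: rbd-pvc-test-csi

````

--------------------------------------------------------------------------------
/docs/chap08/ceph-csi-cephfs/.helmignore: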
-------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: v3.3.1 3 | description: Container Storage Interface (CSI) driver, provisioner, snapshotter and 4 | attacher for Ceph cephfs 5 | home: https://github.com/ceph/ceph-csi 6 | icon: https://raw.githubusercontent.com/ceph/ceph-csi/v3.3.1/assets/ceph-logo.png 7 | keywords: 8 | - ceph 9 | - cephfs 10 | - ceph-csi 11 | name: ceph-csi-cephfs 12 | sources: 13 | - https://github.com/ceph/ceph-csi/tree/v3.3.1/charts/ceph-csi-cephfs 14 | version: 3.3.1 15 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/README.md: -------------------------------------------------------------------------------- 1 | # ceph-csi-cephfs 2 | 3 | The ceph-csi-cephfs chart adds cephfs volume support to your cluster. 
4 | 5 | ## Install from release repo 6 | 7 | Add chart repository to install helm charts from it 8 | 9 | ```console 10 | helm repo add ceph-csi https://ceph.github.io/csi-charts 11 | ``` 12 | 13 | ## Install from local Chart 14 | 15 | we need to enter into the directory where all charts are present 16 | 17 | ```console 18 | cd charts 19 | ``` 20 | 21 | **Note:** charts directory is present in root of the ceph-csi project 22 | 23 | ### Install Chart 24 | 25 | To install the Chart into your Kubernetes cluster 26 | 27 | - For helm 2.x 28 | 29 | ```bash 30 | helm install --namespace "ceph-csi-cephfs" --name "ceph-csi-cephfs" ceph-csi/ceph-csi-cephfs 31 | ``` 32 | 33 | - For helm 3.x 34 | 35 | Create the namespace where Helm should install the components with 36 | 37 | ```bash 38 | kubectl create namespace ceph-csi-cephfs 39 | ``` 40 | 41 | Run the installation 42 | 43 | ```bash 44 | helm install --namespace "ceph-csi-cephfs" "ceph-csi-cephfs" ceph-csi/ceph-csi-cephfs 45 | ``` 46 | 47 | After installation succeeds, you can get a status of Chart 48 | 49 | ```bash 50 | helm status "ceph-csi-cephfs" 51 | ``` 52 | 53 | ### Delete Chart 54 | 55 | If you want to delete your Chart, use this command 56 | 57 | - For helm 2.x 58 | 59 | ```bash 60 | helm delete --purge "ceph-csi-cephfs" 61 | ``` 62 | 63 | - For helm 3.x 64 | 65 | ```bash 66 | helm uninstall "ceph-csi-cephfs" --namespace "ceph-csi-cephfs" 67 | ``` 68 | 69 | If you want to delete the namespace, use this command 70 | 71 | ```bash 72 | kubectl delete namespace ceph-csi-cephfs 73 | ``` 74 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Examples on how to configure a storage class and start using the driver are here: 2 | https://github.com/ceph/ceph-csi/tree/v3.3.1/examples/cephfs 3 | 
-------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "ceph-csi-cephfs.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "ceph-csi-cephfs.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create a default fully qualified app name. 29 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 30 | If release name contains chart name it will be used as a full name. 
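*/}}
{{- define "ceph-csi-cephfs.nodeplugin.fullname" -}}
{{- if .Values.nodeplugin.fullnameOverride -}}
{{- .Values.nodeplugin.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- printf "%s-%s" .Release.Name .Values.nodeplugin.name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s-%s" .Release.Name $name .Values.nodeplugin.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "ceph-csi-cephfs.provisioner.fullname" -}}
{{- if .Values.provisioner.fullnameOverride -}}
{{- .Values.provisioner.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- printf "%s-%s" .Release.Name .Values.provisioner.name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s-%s" .Release.Name $name .Values.provisioner.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "ceph-csi-cephfs.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Create the name of the service account to use.
When serviceAccounts.nodeplugin.create is false and no name is given this
falls back to the namespace's "default" ServiceAccount, so the privileged
node plugin would then run under whatever RBAC "default" has.
*/}}
{{- define "ceph-csi-cephfs.serviceAccountName.nodeplugin" -}}
{{- if .Values.serviceAccounts.nodeplugin.create -}}
{{ default (include "ceph-csi-cephfs.nodeplugin.fullname" .) .Values.serviceAccounts.nodeplugin.name }}
{{- else -}}
{{ default "default" .Values.serviceAccounts.nodeplugin.name }}
{{- end -}}
{{- end -}}

{{/*
Create the name of the service account to use (same fallback to "default"
as above when the account is not created by the chart).
*/}}
{{- define "ceph-csi-cephfs.serviceAccountName.provisioner" -}}
{{- if .Values.serviceAccounts.provisioner.create -}}
{{ default (include "ceph-csi-cephfs.provisioner.fullname" .) .Values.serviceAccounts.provisioner.name }}
{{- else -}}
{{ default "default" .Values.serviceAccounts.provisioner.name }}
{{- end -}}
{{- end -}}
--------------------------------------------------------------------------------
/docs/chap08/ceph-csi-cephfs/templates/csidriver-crd.yaml:
--------------------------------------------------------------------------------
{{ if semverCompare ">=1.18" .Capabilities.KubeVersion.GitVersion }}
apiVersion: storage.k8s.io/v1
{{ else }}
# was "storage.k8s.io/v1betav1" - a typo that renders an unknown apiVersion on
# clusters older than 1.18; the beta group is storage.k8s.io/v1beta1.
apiVersion: storage.k8s.io/v1beta1
{{ end }}
kind: CSIDriver
metadata:
  name: {{ .Values.driverName }}
spec:
  attachRequired: true
  podInfoOnMount: false
--------------------------------------------------------------------------------
/docs/chap08/ceph-csi-cephfs/templates/csiplugin-configmap.yaml:
--------------------------------------------------------------------------------
{{- if not .Values.externallyManagedConfigmap }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Values.configMapName | quote }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ include "ceph-csi-cephfs.name" . }}
    chart: {{ include "ceph-csi-cephfs.chart" . }}
    component: {{ .Values.provisioner.name }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
data:
  # Rendered from .Values.csiConfig (cluster IDs and monitor addresses); it
  # carries no credentials, those come from the Secrets named in the
  # StorageClass.
  config.json: |-
{{ toJson .Values.csiConfig | indent 4 -}}
{{- end }}
--------------------------------------------------------------------------------
/docs/chap08/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml:
--------------------------------------------------------------------------------
{{- if .Values.rbac.create -}}
{{- if .Values.topology.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
  labels:
    app: {{ include "ceph-csi-cephfs.name" . }}
    chart: {{ include "ceph-csi-cephfs.chart" . }}
    component: {{ .Values.nodeplugin.name }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
  # Only needed to read topology labels off the Node object; created solely
  # when topology.enabled is set, so the node plugin otherwise has no
  # cluster-wide API permissions from this chart.
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]
{{- end }}
{{- end -}}
--------------------------------------------------------------------------------
/docs/chap08/ceph-csi-cephfs/templates/nodeplugin-clusterrolebinding.yaml:
--------------------------------------------------------------------------------
{{- if .Values.rbac.create -}}
{{- if .Values.topology.enabled }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
  labels:
    app: {{ include "ceph-csi-cephfs.name" . }}
    chart: {{ include "ceph-csi-cephfs.chart" . }}
    component: {{ .Values.nodeplugin.name }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
subjects:
  - kind: ServiceAccount
    name: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
  apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- end -}}
--------------------------------------------------------------------------------
/docs/chap08/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml:
--------------------------------------------------------------------------------
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ include "ceph-csi-cephfs.name" . }}
    chart: {{ include "ceph-csi-cephfs.chart" . }}
    component: {{ .Values.nodeplugin.name }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  selector:
    matchLabels:
      app: {{ include "ceph-csi-cephfs.name" . }}
      component: {{ .Values.nodeplugin.name }}
      release: {{ .Release.Name }}
  updateStrategy:
    type: {{ .Values.nodeplugin.updateStrategy }}
  template:
    metadata:
      labels:
        app: {{ include "ceph-csi-cephfs.name" . }}
        chart: {{ include "ceph-csi-cephfs.chart" . }}
        component: {{ .Values.nodeplugin.name }}
        release: {{ .Release.Name }}
        heritage: {{ .Release.Service }}
    spec:
      serviceAccountName: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }}
{{- if .Values.nodeplugin.priorityClassName }}
      priorityClassName: {{ .Values.nodeplugin.priorityClassName }}
{{- end }}
      # The whole pod shares the node's network namespace: every container
      # below (registrar, plugin, metrics sidecar) binds on the host network.
      # NOTE(review): presumably required so mounts reach the Ceph monitors
      # over the node's own addresses - confirm before changing.
      hostNetwork: true
      # to use e.g. Rook orchestrated cluster, and mons' FQDN is
      # resolved through k8s service, set dns policy to cluster first
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - name: driver-registrar
          # This is necessary only for systems with SELinux, where
          # non-privileged sidecar containers cannot access unix domain socket
          # created by privileged CSI driver container.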
# (continuation of the driver-registrar container of the node plugin DaemonSet)
          securityContext:
            privileged: true
          image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}"
          imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }}
          args:
            - "--v={{ .Values.logLevel }}"
            - "--csi-address=/csi/{{ .Values.pluginSocketFile }}"
            - "--kubelet-registration-path={{ .Values.kubeletDir }}/plugins/{{ .Values.driverName }}/{{ .Values.pluginSocketFile }}"
          env:
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
            - name: registration-dir
              mountPath: /registration
          resources:
{{ toYaml .Values.nodeplugin.registrar.resources | indent 12 }}
        - name: csi-cephfsplugin
          image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"
          imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }}
          args:
            - "--nodeid=$(NODE_ID)"
            - "--type=cephfs"
            - "--nodeserver=true"
            # No pid limit for the plugin (ceph-fuse/kernel mount helpers are
            # spawned per volume).
            - "--pidlimit=-1"
{{- if .Values.nodeplugin.forcecephkernelclient }}
            - "--forcecephkernelclient={{ .Values.nodeplugin.forcecephkernelclient }}"
{{- end }}
            - "--endpoint=$(CSI_ENDPOINT)"
            - "--v={{ .Values.logLevel }}"
            - "--drivername=$(DRIVER_NAME)"
{{- if .Values.topology.enabled }}
            - "--domainlabels={{ .Values.topology.domainLabels | join "," }}"
{{- end }}
          env:
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: DRIVER_NAME
              value: {{ .Values.driverName }}
            - name: NODE_ID
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: CSI_ENDPOINT
              value: "unix:///csi/{{ .Values.pluginSocketFile }}"
          # Root-equivalent on the node: privileged + SYS_ADMIN are what let the
          # plugin perform mount(2) for cephfs volumes and see /dev, /sys and
          # the kubelet's pod directories below. Anyone who can exec into this
          # container or schedule pods with this ServiceAccount effectively
          # owns the node, so isolate the release namespace accordingly.
          securityContext:
            privileged: true
            capabilities:
              add: ["SYS_ADMIN"]
            allowPrivilegeEscalation: true
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
            # Bidirectional propagation is required so mounts the plugin creates
            # under the kubelet's pod/plugin directories become visible on the
            # host (and to the kubelet); it also means mounts made here leak back
            # into the host mount namespace.
            - name: mountpoint-dir
              mountPath: {{ .Values.kubeletDir }}/pods
              mountPropagation: Bidirectional
            - name: plugin-dir
              mountPath: {{ .Values.kubeletDir }}/plugins
              mountPropagation: "Bidirectional"
            - mountPath: /dev
              name: host-dev
            - mountPath: /run/mount
              name: host-mount
            - mountPath: /sys
              name: host-sys
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - name: ceph-csi-config
              mountPath: /etc/ceph-csi-config/
            # Ceph keyrings are written here transiently; backed by a memory
            # emptyDir (see volumes) so they never touch node disk.
            - name: keys-tmp-dir
              mountPath: /tmp/csi/keys
          resources:
{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
{{- if .Values.nodeplugin.httpMetrics.enabled }}
        - name: liveness-prometheus
          # NOTE(review): this sidecar only needs the CSI socket; privileged is
          # presumably here for the same SELinux reason as the registrar -
          # confirm, and drop it where SELinux is not in enforcing mode.
          securityContext:
            privileged: true
          image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}"
          imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }}
          args:
            - "--type=liveness"
            - "--endpoint=$(CSI_ENDPOINT)"
            # Served on the host network (hostNetwork: true above), i.e.
            # reachable on every node address unless firewalled.
            - "--metricsport={{ .Values.nodeplugin.httpMetrics.containerPort }}"
            - "--metricspath=/metrics"
            - "--polltime=60s"
            - "--timeout=3s"
          env:
            - name: CSI_ENDPOINT
              value: "unix:///csi/{{ .Values.pluginSocketFile }}"
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
          resources:
{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }}
{{- end }}
      volumes:
        - name: socket-dir
          hostPath:
            path: "{{ .Values.kubeletDir }}/plugins/{{ .Values.driverName }}"
            type: DirectoryOrCreate
        - name: registration-dir
          hostPath:
            path: {{ .Values.kubeletDir }}/plugins_registry
            type: Directory
        - name: mountpoint-dir
          hostPath:
            path: {{ .Values.kubeletDir }}/pods
            type: DirectoryOrCreate
        - name: plugin-dir
          hostPath:
            path: {{ .Values.kubeletDir }}/plugins
            type: Directory
        # Host directories exposed to the plugin container (see securityContext
        # comment above).
        - name: host-sys
          hostPath:
            path: /sys
        - name: host-mount
          hostPath:
            path: /run/mount
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: host-dev
          hostPath:
            path: /dev
        - name: ceph-csi-config
          configMap:
            name: {{ .Values.configMapName | quote }}
{{- if .Values.configMapKey }}
            items:
              - key: {{ .Values.configMapKey | quote }}
                path: config.json
{{- end }}
        # tmpfs for transient keyring files (mounted at /tmp/csi/keys).
        - name: keys-tmp-dir
          emptyDir: {
            medium: "Memory"
          }
{{- if .Values.nodeplugin.affinity }}
      affinity:
{{ toYaml .Values.nodeplugin.affinity | indent 8 -}}
{{- end -}}
{{- if .Values.nodeplugin.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.nodeplugin.nodeSelector | indent 8 -}}
{{- end -}}
{{- if .Values.nodeplugin.tolerations }}
      tolerations:
{{ toYaml .Values.nodeplugin.tolerations | indent 8 -}}
{{- end -}}
--------------------------------------------------------------------------------
/docs/chap08/ceph-csi-cephfs/templates/nodeplugin-http-service.yaml:
--------------------------------------------------------------------------------
{{- if .Values.nodeplugin.httpMetrics.service.enabled -}}
apiVersion: v1
kind: Service
metadata:
{{- if .Values.nodeplugin.httpMetrics.service.annotations }}
  annotations:
{{ toYaml .Values.nodeplugin.httpMetrics.service.annotations | indent 4 }}
{{- end }}
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}-http-metrics
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ include "ceph-csi-cephfs.fullname" . }}
    chart: {{ include "ceph-csi-cephfs.chart" .
}} 14 | component: {{ .Values.nodeplugin.name }} 15 | release: {{ .Release.Name }} 16 | heritage: {{ .Release.Service }} 17 | spec: 18 | {{- if .Values.nodeplugin.httpMetrics.service.clusterIP }} 19 | clusterIP: "{{ .Values.nodeplugin.httpMetrics.service.clusterIP }}" 20 | {{- end }} 21 | {{- if .Values.nodeplugin.httpMetrics.service.externalIPs }} 22 | externalIPs: 23 | {{ toYaml .Values.nodeplugin.httpMetrics.service.externalIPs | indent 4 }} 24 | {{- end }} 25 | {{- if .Values.nodeplugin.httpMetrics.service.loadBalancerIP }} 26 | loadBalancerIP: "{{ .Values.nodeplugin.httpMetrics.service.loadBalancerIP }}" 27 | {{- end }} 28 | {{- if .Values.nodeplugin.httpMetrics.service.loadBalancerSourceRanges }} 29 | loadBalancerSourceRanges: 30 | {{ toYaml .Values.nodeplugin.httpMetrics.service.loadBalancerSourceRanges | indent 4 }} 31 | {{- end }} 32 | ports: 33 | - name: http-metrics 34 | port: {{ .Values.nodeplugin.httpMetrics.service.servicePort }} 35 | targetPort: {{ .Values.nodeplugin.httpMetrics.containerPort }} 36 | selector: 37 | app: {{ include "ceph-csi-cephfs.name" . }} 38 | component: {{ .Values.nodeplugin.name }} 39 | release: {{ .Release.Name }} 40 | type: "{{ .Values.nodeplugin.httpMetrics.service.type }}" 41 | {{- end -}} 42 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/templates/nodeplugin-psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.nodeplugin.podSecurityPolicy.enabled -}} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }} 6 | labels: 7 | app: {{ include "ceph-csi-cephfs.fullname" . }} 8 | chart: {{ include "ceph-csi-cephfs.chart" . 
}} 9 | component: {{ .Values.nodeplugin.name }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | spec: 13 | allowPrivilegeEscalation: true 14 | allowedCapabilities: 15 | - 'SYS_ADMIN' 16 | fsGroup: 17 | rule: RunAsAny 18 | privileged: true 19 | hostNetwork: true 20 | hostPID: true 21 | runAsUser: 22 | rule: RunAsAny 23 | seLinux: 24 | rule: RunAsAny 25 | supplementalGroups: 26 | rule: RunAsAny 27 | volumes: 28 | - 'configMap' 29 | - 'emptyDir' 30 | - 'projected' 31 | - 'secret' 32 | - 'downwardAPI' 33 | - 'hostPath' 34 | allowedHostPaths: 35 | - pathPrefix: '/dev' 36 | readOnly: false 37 | - pathPrefix: '/run/mount' 38 | readOnly: false 39 | - pathPrefix: '/sys' 40 | readOnly: false 41 | - pathPrefix: '/lib/modules' 42 | readOnly: true 43 | - pathPrefix: '{{ .Values.kubeletDir }}' 44 | readOnly: false 45 | {{- end }} 46 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/templates/nodeplugin-role.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}} 2 | kind: Role 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ include "ceph-csi-cephfs.fullname" . }} 9 | chart: {{ include "ceph-csi-cephfs.chart" . }} 10 | component: {{ .Values.nodeplugin.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | rules: 14 | - apiGroups: ['policy'] 15 | resources: ['podsecuritypolicies'] 16 | verbs: ['use'] 17 | resourceNames: ['{{ include "ceph-csi-cephfs.nodeplugin.fullname" . 
}}'] 18 | {{- end -}} 19 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}} 2 | kind: RoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ include "ceph-csi-cephfs.fullname" . }} 9 | chart: {{ include "ceph-csi-cephfs.chart" . }} 10 | component: {{ .Values.nodeplugin.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | subjects: 14 | - kind: ServiceAccount 15 | name: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }} 16 | namespace: {{ .Release.Namespace }} 17 | roleRef: 18 | kind: Role 19 | name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }} 20 | apiGroup: rbac.authorization.k8s.io 21 | {{- end -}} 22 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/templates/nodeplugin-rules-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | {{- if .Values.topology.enabled }} 3 | kind: ClusterRole 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}-rules 7 | labels: 8 | app: {{ include "ceph-csi-cephfs.name" . }} 9 | chart: {{ include "ceph-csi-cephfs.chart" . }} 10 | component: {{ .Values.nodeplugin.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | rbac.cephfs.csi.ceph.com/aggregate-to-{{ include "ceph-csi-cephfs.nodeplugin.fullname" . 
}}: "true" 14 | rules: 15 | - apiGroups: [""] 16 | resources: ["nodes"] 17 | verbs: ["get"] 18 | {{- end }} 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/templates/nodeplugin-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccounts.nodeplugin.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ include "ceph-csi-cephfs.name" . }} 9 | chart: {{ include "ceph-csi-cephfs.chart" . }} 10 | component: {{ .Values.nodeplugin.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | {{- end -}} 14 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }} 6 | labels: 7 | app: {{ include "ceph-csi-cephfs.name" . }} 8 | chart: {{ include "ceph-csi-cephfs.chart" . 
}} 9 | component: {{ .Values.provisioner.name }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | rules: 13 | - apiGroups: [""] 14 | resources: ["secrets"] 15 | verbs: ["get", "list"] 16 | - apiGroups: [""] 17 | resources: ["persistentvolumes"] 18 | verbs: ["get", "list", "watch", "create", "delete","patch"] 19 | - apiGroups: [""] 20 | resources: ["persistentvolumeclaims"] 21 | verbs: ["get", "list", "watch", "update"] 22 | - apiGroups: ["storage.k8s.io"] 23 | resources: ["storageclasses"] 24 | verbs: ["get", "list", "watch"] 25 | - apiGroups: [""] 26 | resources: ["events"] 27 | verbs: ["list", "watch", "create", "update", "patch"] 28 | - apiGroups: ["snapshot.storage.k8s.io"] 29 | resources: ["volumesnapshots"] 30 | verbs: ["get", "list"] 31 | - apiGroups: ["snapshot.storage.k8s.io"] 32 | resources: ["volumesnapshotcontents"] 33 | verbs: ["create", "get", "list", "watch", "update", "delete"] 34 | - apiGroups: ["snapshot.storage.k8s.io"] 35 | resources: ["volumesnapshotclasses"] 36 | verbs: ["get", "list", "watch"] 37 | - apiGroups: ["snapshot.storage.k8s.io"] 38 | resources: ["volumesnapshotcontents/status"] 39 | verbs: ["update"] 40 | {{- if .Values.provisioner.attacher.enabled }} 41 | - apiGroups: ["storage.k8s.io"] 42 | resources: ["volumeattachments"] 43 | verbs: ["get", "list", "watch", "update", "patch"] 44 | - apiGroups: ["storage.k8s.io"] 45 | resources: ["volumeattachments/status"] 46 | verbs: ["patch"] 47 | {{- end -}} 48 | {{- if semverCompare ">=1.15" .Capabilities.KubeVersion.GitVersion -}} 49 | {{- if .Values.provisioner.resizer.enabled }} 50 | - apiGroups: [""] 51 | resources: ["persistentvolumeclaims/status"] 52 | verbs: ["update", "patch"] 53 | {{- end -}} 54 | {{- end -}} 55 | {{- if .Values.topology.enabled }} 56 | - apiGroups: [""] 57 | resources: ["nodes"] 58 | verbs: ["get", "list", "watch"] 59 | - apiGroups: ["storage.k8s.io"] 60 | resources: ["csinodes"] 61 | verbs: ["get", "list", "watch"] 62 | {{- end }} 63 | 
{{- end -}} 64 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/templates/provisioner-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }} 6 | labels: 7 | app: {{ include "ceph-csi-cephfs.name" . }} 8 | chart: {{ include "ceph-csi-cephfs.chart" . }} 9 | component: {{ .Values.provisioner.name }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | subjects: 13 | - kind: ServiceAccount 14 | name: {{ include "ceph-csi-cephfs.serviceAccountName.provisioner" . }} 15 | namespace: {{ .Release.Namespace }} 16 | roleRef: 17 | kind: ClusterRole 18 | name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }} 19 | apiGroup: rbac.authorization.k8s.io 20 | {{- end -}} 21 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/templates/provisioner-deployment.yaml: -------------------------------------------------------------------------------- 1 | kind: Deployment 2 | apiVersion: apps/v1 3 | metadata: 4 | name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }} 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: {{ include "ceph-csi-cephfs.name" . }} 8 | chart: {{ include "ceph-csi-cephfs.chart" . }} 9 | component: {{ .Values.provisioner.name }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | spec: 13 | replicas: {{ .Values.provisioner.replicaCount }} 14 | selector: 15 | matchLabels: 16 | app: {{ include "ceph-csi-cephfs.name" . }} 17 | component: {{ .Values.provisioner.name }} 18 | release: {{ .Release.Name }} 19 | template: 20 | metadata: 21 | labels: 22 | app: {{ include "ceph-csi-cephfs.name" . }} 23 | chart: {{ include "ceph-csi-cephfs.chart" . 
}} 24 | component: {{ .Values.provisioner.name }} 25 | release: {{ .Release.Name }} 26 | heritage: {{ .Release.Service }} 27 | spec: 28 | {{- if gt (int .Values.provisioner.replicaCount) 1 }} 29 | affinity: 30 | podAntiAffinity: 31 | requiredDuringSchedulingIgnoredDuringExecution: 32 | - labelSelector: 33 | matchExpressions: 34 | - key: app 35 | operator: In 36 | values: 37 | - {{ include "ceph-csi-cephfs.name" . }} 38 | - key: component 39 | operator: In 40 | values: 41 | - {{ .Values.provisioner.name }} 42 | topologyKey: "kubernetes.io/hostname" 43 | {{- end }} 44 | serviceAccountName: {{ include "ceph-csi-cephfs.serviceAccountName.provisioner" . }} 45 | {{- if .Values.provisioner.priorityClassName }} 46 | priorityClassName: {{ .Values.provisioner.priorityClassName }} 47 | {{- end }} 48 | containers: 49 | - name: csi-provisioner 50 | image: "{{ .Values.provisioner.provisioner.image.repository }}:{{ .Values.provisioner.provisioner.image.tag }}" 51 | imagePullPolicy: {{ .Values.provisioner.provisioner.image.pullPolicy }} 52 | args: 53 | - "--csi-address=$(ADDRESS)" 54 | - "--v={{ .Values.logLevel }}" 55 | - "--timeout={{ .Values.provisioner.timeout }}" 56 | - "--leader-election=true" 57 | - "--retry-interval-start=500ms" 58 | - "--extra-create-metadata=true" 59 | {{- if .Values.topology.enabled }} 60 | - "--feature-gates=Topology=true" 61 | {{- end }} 62 | env: 63 | - name: ADDRESS 64 | value: "unix:///csi/{{ .Values.provisionerSocketFile }}" 65 | volumeMounts: 66 | - name: socket-dir 67 | mountPath: /csi 68 | resources: 69 | {{ toYaml .Values.provisioner.provisioner.resources | indent 12 }} 70 | - name: csi-snapshotter 71 | image: {{ .Values.provisioner.snapshotter.image.repository }}:{{ .Values.provisioner.snapshotter.image.tag }} 72 | imagePullPolicy: {{ .Values.provisioner.snapshotter.image.pullPolicy }} 73 | args: 74 | - "--csi-address=$(ADDRESS)" 75 | - "--v={{ .Values.logLevel }}" 76 | - "--timeout={{ .Values.provisioner.timeout }}" 77 | - 
"--leader-election=true" 78 | env: 79 | - name: ADDRESS 80 | value: "unix:///csi/{{ .Values.provisionerSocketFile }}" 81 | securityContext: 82 | privileged: true 83 | volumeMounts: 84 | - name: socket-dir 85 | mountPath: /csi 86 | resources: 87 | {{ toYaml .Values.provisioner.snapshotter.resources | indent 12 }} 88 | {{- if .Values.provisioner.attacher.enabled }} 89 | - name: csi-attacher 90 | image: "{{ .Values.provisioner.attacher.image.repository }}:{{ .Values.provisioner.attacher.image.tag }}" 91 | imagePullPolicy: {{ .Values.provisioner.attacher.image.pullPolicy }} 92 | args: 93 | - "--v={{ .Values.logLevel }}" 94 | - "--csi-address=$(ADDRESS)" 95 | - "--leader-election=true" 96 | - "--retry-interval-start=500ms" 97 | env: 98 | - name: ADDRESS 99 | value: "unix:///csi/{{ .Values.provisionerSocketFile }}" 100 | volumeMounts: 101 | - name: socket-dir 102 | mountPath: /csi 103 | resources: 104 | {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} 105 | {{- end }} 106 | {{- if semverCompare ">=1.15" .Capabilities.KubeVersion.GitVersion -}} 107 | {{- if .Values.provisioner.resizer.enabled }} 108 | - name: csi-resizer 109 | image: "{{ .Values.provisioner.resizer.image.repository }}:{{ .Values.provisioner.resizer.image.tag }}" 110 | imagePullPolicy: {{ .Values.provisioner.resizer.image.pullPolicy }} 111 | args: 112 | - "--v={{ .Values.logLevel }}" 113 | - "--csi-address=$(ADDRESS)" 114 | - "--timeout={{ .Values.provisioner.timeout }}" 115 | - "--leader-election" 116 | - "--retry-interval-start=500ms" 117 | - "--handle-volume-inuse-error=false" 118 | env: 119 | - name: ADDRESS 120 | value: "unix:///csi/{{ .Values.provisionerSocketFile }}" 121 | volumeMounts: 122 | - name: socket-dir 123 | mountPath: /csi 124 | resources: 125 | {{ toYaml .Values.provisioner.resizer.resources | indent 12 }} 126 | {{- end }} 127 | {{- end }} 128 | - name: csi-cephfsplugin 129 | image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" 
130 | imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} 131 | args: 132 | - "--nodeid=$(NODE_ID)" 133 | - "--type=cephfs" 134 | - "--controllerserver=true" 135 | - "--pidlimit=-1" 136 | - "--endpoint=$(CSI_ENDPOINT)" 137 | - "--v={{ .Values.logLevel }}" 138 | - "--drivername=$(DRIVER_NAME)" 139 | env: 140 | - name: POD_IP 141 | valueFrom: 142 | fieldRef: 143 | fieldPath: status.podIP 144 | - name: DRIVER_NAME 145 | value: {{ .Values.driverName }} 146 | - name: NODE_ID 147 | valueFrom: 148 | fieldRef: 149 | fieldPath: spec.nodeName 150 | - name: CSI_ENDPOINT 151 | value: "unix:///csi/{{ .Values.provisionerSocketFile }}" 152 | securityContext: 153 | privileged: true 154 | capabilities: 155 | add: ["SYS_ADMIN"] 156 | allowPrivilegeEscalation: true 157 | volumeMounts: 158 | - name: socket-dir 159 | mountPath: /csi 160 | - name: host-sys 161 | mountPath: /sys 162 | - name: lib-modules 163 | mountPath: /lib/modules 164 | readOnly: true 165 | - name: host-dev 166 | mountPath: /dev 167 | - name: ceph-csi-config 168 | mountPath: /etc/ceph-csi-config/ 169 | - name: keys-tmp-dir 170 | mountPath: /tmp/csi/keys 171 | resources: 172 | {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} 173 | {{- if .Values.provisioner.httpMetrics.enabled }} 174 | - name: liveness-prometheus 175 | image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" 176 | imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} 177 | args: 178 | - "--type=liveness" 179 | - "--endpoint=$(CSI_ENDPOINT)" 180 | - "--metricsport={{ .Values.provisioner.httpMetrics.containerPort }}" 181 | - "--metricspath=/metrics" 182 | - "--polltime=60s" 183 | - "--timeout=3s" 184 | env: 185 | - name: CSI_ENDPOINT 186 | value: "unix:///csi/{{ .Values.provisionerSocketFile }}" 187 | - name: POD_IP 188 | valueFrom: 189 | fieldRef: 190 | fieldPath: status.podIP 191 | volumeMounts: 192 | - name: socket-dir 193 | mountPath: /csi 194 | resources: 195 | {{ 
toYaml .Values.nodeplugin.plugin.resources | indent 12 }} 196 | {{- end }} 197 | volumes: 198 | - name: socket-dir 199 | emptyDir: { 200 | medium: "Memory" 201 | } 202 | - name: host-sys 203 | hostPath: 204 | path: /sys 205 | - name: lib-modules 206 | hostPath: 207 | path: /lib/modules 208 | - name: host-dev 209 | hostPath: 210 | path: /dev 211 | - name: ceph-csi-config 212 | configMap: 213 | name: {{ .Values.configMapName | quote }} 214 | {{- if .Values.configMapKey }} 215 | items: 216 | - key: {{ .Values.configMapKey | quote }} 217 | path: config.json 218 | {{- end }} 219 | - name: keys-tmp-dir 220 | emptyDir: { 221 | medium: "Memory" 222 | } 223 | {{- if .Values.provisioner.affinity }} 224 | affinity: 225 | {{ toYaml .Values.provisioner.affinity | indent 8 -}} 226 | {{- end -}} 227 | {{- if .Values.provisioner.nodeSelector }} 228 | nodeSelector: 229 | {{ toYaml .Values.provisioner.nodeSelector | indent 8 -}} 230 | {{- end -}} 231 | {{- if .Values.provisioner.tolerations }} 232 | tolerations: 233 | {{ toYaml .Values.provisioner.tolerations | indent 8 -}} 234 | {{- end -}} 235 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/templates/provisioner-http-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.provisioner.httpMetrics.service.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | {{- if .Values.provisioner.httpMetrics.service.annotations }} 6 | annotations: 7 | {{ toYaml .Values.provisioner.httpMetrics.service.annotations | indent 4 }} 8 | {{- end }} 9 | name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }}-http-metrics 10 | namespace: {{ .Release.Namespace }} 11 | labels: 12 | app: {{ include "ceph-csi-cephfs.fullname" . }} 13 | chart: {{ include "ceph-csi-cephfs.chart" . 
}} 14 | component: {{ .Values.provisioner.name }} 15 | release: {{ .Release.Name }} 16 | heritage: {{ .Release.Service }} 17 | spec: 18 | {{- if .Values.provisioner.httpMetrics.service.clusterIP }} 19 | clusterIP: "{{ .Values.provisioner.httpMetrics.service.clusterIP }}" 20 | {{- end }} 21 | {{- if .Values.provisioner.httpMetrics.service.externalIPs }} 22 | externalIPs: 23 | {{ toYaml .Values.provisioner.httpMetrics.service.externalIPs | indent 4 }} 24 | {{- end }} 25 | {{- if .Values.provisioner.httpMetrics.service.loadBalancerIP }} 26 | loadBalancerIP: "{{ .Values.provisioner.httpMetrics.service.loadBalancerIP }}" 27 | {{- end }} 28 | {{- if .Values.provisioner.httpMetrics.service.loadBalancerSourceRanges }} 29 | loadBalancerSourceRanges: 30 | {{ toYaml .Values.provisioner.httpMetrics.service.loadBalancerSourceRanges | indent 4 }} 31 | {{- end }} 32 | ports: 33 | - name: http-metrics 34 | port: {{ .Values.provisioner.httpMetrics.service.servicePort }} 35 | targetPort: {{ .Values.provisioner.httpMetrics.containerPort }} 36 | selector: 37 | app: {{ include "ceph-csi-cephfs.name" . }} 38 | component: {{ .Values.provisioner.name }} 39 | release: {{ .Release.Name }} 40 | type: "{{ .Values.provisioner.httpMetrics.service.type }}" 41 | {{- end -}} 42 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/templates/provisioner-psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.provisioner.podSecurityPolicy.enabled -}} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }} 6 | labels: 7 | app: {{ include "ceph-csi-cephfs.name" . }} 8 | chart: {{ include "ceph-csi-cephfs.chart" . 
}} 9 | component: {{ .Values.provisioner.name }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | spec: 13 | allowPrivilegeEscalation: true 14 | allowedCapabilities: 15 | - 'SYS_ADMIN' 16 | fsGroup: 17 | rule: RunAsAny 18 | privileged: true 19 | runAsUser: 20 | rule: RunAsAny 21 | seLinux: 22 | rule: RunAsAny 23 | supplementalGroups: 24 | rule: RunAsAny 25 | volumes: 26 | - 'configMap' 27 | - 'emptyDir' 28 | - 'projected' 29 | - 'secret' 30 | - 'downwardAPI' 31 | - 'hostPath' 32 | allowedHostPaths: 33 | - pathPrefix: '/dev' 34 | readOnly: false 35 | - pathPrefix: '/sys' 36 | readOnly: false 37 | - pathPrefix: '/lib/modules' 38 | readOnly: true 39 | {{- end }} 40 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/templates/provisioner-role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | kind: Role 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ include "ceph-csi-cephfs.name" . }} 9 | chart: {{ include "ceph-csi-cephfs.chart" . }} 10 | component: {{ .Values.provisioner.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | rules: 14 | - apiGroups: [""] 15 | resources: ["configmaps"] 16 | verbs: ["get", "list", "watch", "create", "delete"] 17 | - apiGroups: ["coordination.k8s.io"] 18 | resources: ["leases"] 19 | verbs: ["get", "watch", "list", "delete", "update", "create"] 20 | {{- if .Values.provisioner.podSecurityPolicy.enabled }} 21 | - apiGroups: ['policy'] 22 | resources: ['podsecuritypolicies'] 23 | verbs: ['use'] 24 | resourceNames: ['{{ include "ceph-csi-cephfs.provisioner.fullname" . 
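}}']
{{- end -}}
{{- end -}}
--------------------------------------------------------------------------------
/docs/chap08/ceph-csi-cephfs/templates/provisioner-rolebinding.yaml:
--------------------------------------------------------------------------------
{{- if .Values.rbac.create -}}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ include "ceph-csi-cephfs.name" . }}
    chart: {{ include "ceph-csi-cephfs.chart" . }}
    component: {{ .Values.provisioner.name }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
subjects:
  - kind: ServiceAccount
    name: {{ include "ceph-csi-cephfs.serviceAccountName.provisioner" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
  name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }}
  apiGroup: rbac.authorization.k8s.io
{{- end -}}
--------------------------------------------------------------------------------
/docs/chap08/ceph-csi-cephfs/templates/provisioner-rules-clusterrole.yaml:
--------------------------------------------------------------------------------
{{- /*
Rule set for the provisioner, labelled
rbac.cephfs.csi.ceph.com/aggregate-to-<provisioner fullname> so it can be
picked up by ClusterRole aggregation. The rules mirror those in
provisioner-clusterrole.yaml; keep the two files in step.
Every verb is a quoted string: an unquoted token in a flow sequence is not
the verb "watch" and the permission is silently not granted.
*/ -}}
{{- if .Values.rbac.create -}}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "ceph-csi-cephfs.provisioner.fullname" . }}-rules
  labels:
    app: {{ include "ceph-csi-cephfs.name" . }}
    chart: {{ include "ceph-csi-cephfs.chart" . }}
    component: {{ .Values.provisioner.name }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    rbac.cephfs.csi.ceph.com/aggregate-to-{{ include "ceph-csi-cephfs.provisioner.fullname" . }}: "true"
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["create", "get", "list", "watch", "update", "delete"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update"]
  {{- if .Values.provisioner.attacher.enabled }}
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "update", "patch"]
  {{- end -}}
  {{- if semverCompare ">=1.15" .Capabilities.KubeVersion.GitVersion -}}
  {{- if .Values.provisioner.resizer.enabled }}
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["update", "patch"]
  {{- end -}}
  {{- end -}}
  {{- if .Values.topology.enabled }}
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  {{- end }}
{{- end -}}
--------------------------------------------------------------------------------
/docs/chap08/ceph-csi-cephfs/templates/provisioner-serviceaccount.yaml: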
-------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccounts.provisioner.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "ceph-csi-cephfs.serviceAccountName.provisioner" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ include "ceph-csi-cephfs.name" . }} 9 | chart: {{ include "ceph-csi-cephfs.chart" . }} 10 | component: {{ .Values.provisioner.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | {{- end -}} 14 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-cephfs/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | rbac: 3 | # Specifies whether RBAC resources should be created 4 | create: true 5 | 6 | serviceAccounts: 7 | nodeplugin: 8 | # Specifies whether a ServiceAccount should be created 9 | create: true 10 | # The name of the ServiceAccount to use. Copy from dotbalo. 11 | # If not set and create is true, a name is generated using the fullname 12 | name: 13 | provisioner: 14 | # Specifies whether a ServiceAccount should be created 15 | create: true 16 | # The name of the ServiceAccount to use. 17 | # If not set and create is true, a name is generated using the fullname 18 | name: 19 | 20 | # Configuration for the CSI to connect to the cluster 21 | # Ref: https://github.com/ceph/ceph-csi/blob/devel/examples/README.md 22 | # Example: 23 | # csiConfig: 24 | # - clusterID: "" 25 | # monitors: 26 | # - "" 27 | # - "" 28 | # cephFS: 29 | # subvolumeGroup: "csi" 30 | csiConfig: [] 31 | 32 | # Set logging level for csi containers. 33 | # Supported values from 0 to 5. 0 for general useful logs, 34 | # 5 for trace level verbosity. 
35 | logLevel: 5 36 | 37 | nodeplugin: 38 | name: nodeplugin 39 | # if you are using ceph-fuse client set this value to OnDelete 40 | updateStrategy: RollingUpdate 41 | 42 | # set user created priorityclassName for csi plugin pods. default is 43 | # system-node-critical which is highest priority 44 | priorityClassName: system-node-critical 45 | 46 | httpMetrics: 47 | # Metrics only available for cephcsi/cephcsi => 1.2.0 48 | # Specifies whether http metrics should be exposed 49 | enabled: true 50 | # The port of the container to expose the metrics 51 | containerPort: 8081 52 | 53 | service: 54 | # Specifies whether a service should be created for the metrics 55 | enabled: true 56 | # The port to use for the service 57 | servicePort: 8080 58 | type: ClusterIP 59 | 60 | # Annotations for the service 61 | # Example: 62 | # annotations: 63 | # prometheus.io/scrape: "true" 64 | # prometheus.io/port: "9080" 65 | annotations: {} 66 | 67 | clusterIP: "" 68 | 69 | ## List of IP addresses at which the stats-exporter service is available 70 | ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips 71 | ## 72 | externalIPs: [] 73 | 74 | loadBalancerIP: "" 75 | loadBalancerSourceRanges: [] 76 | 77 | registrar: 78 | image: 79 | repository: registry.cn-beijing.aliyuncs.com/dotbalo/csi-node-driver-registrar 80 | tag: v2.0.1 81 | pullPolicy: IfNotPresent 82 | resources: {} 83 | 84 | plugin: 85 | image: 86 | repository: quay.io/cephcsi/cephcsi 87 | tag: v3.3.1 88 | pullPolicy: IfNotPresent 89 | resources: {} 90 | 91 | nodeSelector: {} 92 | 93 | tolerations: [] 94 | 95 | affinity: {} 96 | 97 | # Set to true to enable Ceph Kernel clients 98 | # on kernel < 4.17 which support quotas 99 | # forcecephkernelclient: true 100 | 101 | # If true, create & use Pod Security Policy resources 102 | # https://kubernetes.io/docs/concepts/policy/pod-security-policy/ 103 | podSecurityPolicy: 104 | enabled: false 105 | 106 | provisioner: 107 | name: provisioner 108 | replicaCount: 3 109 | 
# Timeout for waiting for creation or deletion of a volume 110 | timeout: 60s 111 | 112 | # set user created priorityclassName for csi provisioner pods. default is 113 | # system-cluster-critical which is less priority than system-node-critical 114 | priorityClassName: system-cluster-critical 115 | 116 | httpMetrics: 117 | # Metrics only available for cephcsi/cephcsi => 1.2.0 118 | # Specifies whether http metrics should be exposed 119 | enabled: true 120 | # The port of the container to expose the metrics 121 | containerPort: 8081 122 | 123 | service: 124 | # Specifies whether a service should be created for the metrics 125 | enabled: true 126 | # The port to use for the service 127 | servicePort: 8080 128 | type: ClusterIP 129 | 130 | # Annotations for the service 131 | # Example: 132 | # annotations: 133 | # prometheus.io/scrape: "true" 134 | # prometheus.io/port: "9080" 135 | annotations: {} 136 | 137 | clusterIP: "" 138 | 139 | ## List of IP addresses at which the stats-exporter service is available 140 | ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips 141 | ## 142 | externalIPs: [] 143 | 144 | loadBalancerIP: "" 145 | loadBalancerSourceRanges: [] 146 | 147 | provisioner: 148 | image: 149 | repository: registry.cn-beijing.aliyuncs.com/dotbalo/csi-provisioner 150 | tag: v2.0.4 151 | pullPolicy: IfNotPresent 152 | resources: {} 153 | 154 | attacher: 155 | name: attacher 156 | enabled: true 157 | image: 158 | repository: registry.cn-beijing.aliyuncs.com/dotbalo/csi-attacher 159 | tag: v3.0.2 160 | pullPolicy: IfNotPresent 161 | resources: {} 162 | 163 | resizer: 164 | name: resizer 165 | enabled: true 166 | image: 167 | repository: registry.cn-beijing.aliyuncs.com/dotbalo/csi-resizer 168 | tag: v1.0.1 169 | pullPolicy: IfNotPresent 170 | resources: {} 171 | 172 | snapshotter: 173 | image: 174 | repository: registry.cn-beijing.aliyuncs.com/dotbalo/csi-snapshotter 175 | tag: v3.0.2 176 | pullPolicy: IfNotPresent 177 | resources: {} 178 | 179 | 
nodeSelector: {} 180 | 181 | tolerations: [] 182 | 183 | affinity: {} 184 | 185 | # If true, create & use Pod Security Policy resources (the PSP API is deprecated and was removed in Kubernetes 1.25; on newer clusters use Pod Security Admission or another admission controller instead) 186 | # https://kubernetes.io/docs/concepts/policy/pod-security-policy/ 187 | podSecurityPolicy: 188 | enabled: false 189 | 190 | topology: 191 | # Specifies whether topology based provisioning support should 192 | # be exposed by CSI 193 | enabled: false 194 | # domainLabels define which node labels to use as domains 195 | # for CSI nodeplugins to advertise their domains 196 | # NOTE: the value here serves as an example and needs to be 197 | # updated with node labels that define domains of interest 198 | domainLabels: 199 | - failure-domain/region 200 | - failure-domain/zone 201 | 202 | ######################################################### 203 | # Variables for 'internal' use please use with caution! # 204 | ######################################################### 205 | 206 | # The filename of the provisioner socket 207 | provisionerSocketFile: csi-provisioner.sock 208 | # The filename of the plugin socket 209 | pluginSocketFile: csi.sock 210 | # kubelet working directory, can be set using `--root-dir` when starting kubelet. It must match the kubelet's real root directory on every node, because the node-plugin DaemonSet hostPath-mounts the plugin, registration and pod directories under it. 211 | kubeletDir: /var/lib/kubelet 212 | # Name of the csi-driver 213 | driverName: cephfs.csi.ceph.com 214 | # Name of the configmap used for state 215 | configMapName: ceph-csi-config 216 | # Key to use in the Configmap if not config.json 217 | # configMapKey: 218 | # Use an externally provided configmap 219 | externallyManagedConfigmap: false 220 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | appVersion: v3.3.1 3 | description: Container Storage Interface (CSI) driver, provisioner, snapshotter, and 4 | attacher for Ceph RBD 5 | home: https://github.com/ceph/ceph-csi 6 | icon: https://raw.githubusercontent.com/ceph/ceph-csi/v3.3.1/assets/ceph-logo.png 7 | keywords: 8 | - ceph 9 | - rbd 10 | - ceph-csi 11 | name: ceph-csi-rbd 12 | sources: 13 | - https://github.com/ceph/ceph-csi/tree/v3.3.1/charts/ceph-csi-rbd 14 | version: 3.3.1 15 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/README.md: -------------------------------------------------------------------------------- 1 | # ceph-csi-rbd 2 | 3 | The ceph-csi-rbd chart adds rbd volume support to your cluster. 
4 | 5 | ## Install from release repo 6 | 7 | Add the chart repository so Helm can install charts from it 8 | 9 | ```console 10 | helm repo add ceph-csi https://ceph.github.io/csi-charts 11 | ``` 12 | 13 | ## Install from local Chart 14 | 15 | Change into the directory that contains the charts 16 | 17 | ```console 18 | cd charts 19 | ``` 20 | 21 | **Note:** the `charts` directory is in the root of the ceph-csi project 22 | 23 | ### Install chart 24 | 25 | To install the chart into your Kubernetes cluster: 26 | 27 | - For helm 2.x 28 | 29 | ```bash 30 | helm install --namespace "ceph-csi-rbd" --name "ceph-csi-rbd" ceph-csi/ceph-csi-rbd 31 | ``` 32 | 33 | - For helm 3.x 34 | 35 | Create the namespace where Helm should install the components with 36 | 37 | ```bash 38 | kubectl create namespace "ceph-csi-rbd" 39 | ``` 40 | 41 | Run the installation 42 | 43 | ```bash 44 | helm install --namespace "ceph-csi-rbd" "ceph-csi-rbd" ceph-csi/ceph-csi-rbd 45 | ``` 46 | 47 | After installation succeeds, you can check the status of the release (with helm 3.x the release is namespaced, so add `--namespace "ceph-csi-rbd"` to the command below) 48 | 49 | ```bash 50 | helm status "ceph-csi-rbd" 51 | ``` 52 | 53 | ### Delete Chart 54 | 55 | If you want to delete the release, use this command 56 | 57 | - For helm 2.x 58 | 59 | ```bash 60 | helm delete --purge "ceph-csi-rbd" 61 | ``` 62 | 63 | - For helm 3.x 64 | 65 | ```bash 66 | helm uninstall "ceph-csi-rbd" --namespace "ceph-csi-rbd" 67 | ``` 68 | 69 | If you want to delete the namespace, use this command 70 | 71 | ```bash 72 | kubectl delete namespace ceph-csi-rbd 73 | ``` 74 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Examples on how to configure a storage class and start using the driver are here: 2 | https://github.com/ceph/ceph-csi/tree/v3.3.1/examples/rbd 3 | -------------------------------------------------------------------------------- 
/docs/chap08/ceph-csi-rbd/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "ceph-csi-rbd.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "ceph-csi-rbd.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create a default fully qualified app name. 29 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 30 | If release name contains chart name it will be used as a full name. 31 | */}} 32 | {{- define "ceph-csi-rbd.nodeplugin.fullname" -}} 33 | {{- if .Values.nodeplugin.fullnameOverride -}} 34 | {{- .Values.nodeplugin.fullnameOverride | trunc 63 | trimSuffix "-" -}} 35 | {{- else -}} 36 | {{- $name := default .Chart.Name .Values.nameOverride -}} 37 | {{- if contains $name .Release.Name -}} 38 | {{- printf "%s-%s" .Release.Name .Values.nodeplugin.name | trunc 63 | trimSuffix "-" -}} 39 | {{- else -}} 40 | {{- printf "%s-%s-%s" .Release.Name $name .Values.nodeplugin.name | trunc 63 | trimSuffix "-" -}} 41 | {{- end -}} 42 | {{- end -}} 43 | {{- end -}} 44 | 45 | {{/* 46 | Create a default fully qualified app name. 
47 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 48 | If release name contains chart name it will be used as a full name. 49 | */}} 50 | {{- define "ceph-csi-rbd.provisioner.fullname" -}} 51 | {{- if .Values.provisioner.fullnameOverride -}} 52 | {{- .Values.provisioner.fullnameOverride | trunc 63 | trimSuffix "-" -}} 53 | {{- else -}} 54 | {{- $name := default .Chart.Name .Values.nameOverride -}} 55 | {{- if contains $name .Release.Name -}} 56 | {{- printf "%s-%s" .Release.Name .Values.provisioner.name | trunc 63 | trimSuffix "-" -}} 57 | {{- else -}} 58 | {{- printf "%s-%s-%s" .Release.Name $name .Values.provisioner.name | trunc 63 | trimSuffix "-" -}} 59 | {{- end -}} 60 | {{- end -}} 61 | {{- end -}} 62 | 63 | {{/* 64 | Create chart name and version as used by the chart label. 65 | */}} 66 | {{- define "ceph-csi-rbd.chart" -}} 67 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 68 | {{- end -}} 69 | 70 | {{/* 71 | Create the name of the service account to use 72 | */}} 73 | {{- define "ceph-csi-rbd.serviceAccountName.nodeplugin" -}} 74 | {{- if .Values.serviceAccounts.nodeplugin.create -}} 75 | {{ default (include "ceph-csi-rbd.nodeplugin.fullname" .) .Values.serviceAccounts.nodeplugin.name }} 76 | {{- else -}} 77 | {{ default "default" .Values.serviceAccounts.nodeplugin.name }} 78 | {{- end -}} 79 | {{- end -}} 80 | 81 | {{/* 82 | Create the name of the service account to use 83 | */}} 84 | {{- define "ceph-csi-rbd.serviceAccountName.provisioner" -}} 85 | {{- if .Values.serviceAccounts.provisioner.create -}} 86 | {{ default (include "ceph-csi-rbd.provisioner.fullname" .) 
.Values.serviceAccounts.provisioner.name }} 87 | {{- else -}} 88 | {{ default "default" .Values.serviceAccounts.provisioner.name }} 89 | {{- end -}} 90 | {{- end -}} 91 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/csidriver-crd.yaml: -------------------------------------------------------------------------------- 1 | {{ if semverCompare ">=1.18" .Capabilities.KubeVersion.GitVersion }} 2 | apiVersion: storage.k8s.io/v1 3 | {{ else }} 4 | apiVersion: storage.k8s.io/v1beta1 5 | {{ end }} 6 | kind: CSIDriver 7 | metadata: 8 | name: {{ .Values.driverName }} 9 | spec: 10 | attachRequired: true 11 | podInfoOnMount: false 12 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/csiplugin-configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.externallyManagedConfigmap }} 2 | apiVersion: v1 3 | kind: ConfigMap 4 | metadata: 5 | name: {{ .Values.configMapName | quote }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ include "ceph-csi-rbd.name" . }} 9 | chart: {{ include "ceph-csi-rbd.chart" . }} 10 | component: {{ .Values.nodeplugin.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | data: 14 | config.json: |- 15 | {{ toJson .Values.csiConfig | indent 4 -}} 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/encryptionkms-configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ .Values.kmsConfigMapName | quote }} 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: {{ include "ceph-csi-rbd.name" . }} 8 | chart: {{ include "ceph-csi-rbd.chart" . 
}} 9 | component: {{ .Values.nodeplugin.name }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | data: 13 | config.json: |- 14 | {{ toJson .Values.encryptionKMSConfig | indent 4 -}} 15 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/nodeplugin-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }} 6 | labels: 7 | app: {{ include "ceph-csi-rbd.name" . }} 8 | chart: {{ include "ceph-csi-rbd.chart" . }} 9 | component: {{ .Values.nodeplugin.name }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | rules: 13 | {{- if .Values.topology.enabled }} 14 | - apiGroups: [""] 15 | resources: ["nodes"] 16 | verbs: ["get"] 17 | {{- end }} 18 | # allow to read Vault Token and connection options from the Tenants namespace. NOTE(review): this is a cluster-wide "get" on every Secret and ConfigMap with no resourceNames restriction, granted to the ServiceAccount of a privileged DaemonSet that runs on every node, so anyone holding that ServiceAccount token can read any Secret in the cluster; if the Vault-token KMS mode is not used, drop these rules or scope them to the tenant namespaces. Also note that nodeplugin-clusterrolebinding.yaml only renders its ClusterRoleBinding when topology.enabled is true, so with topology disabled this ClusterRole is created but never bound (which presumably breaks the Vault-token KMS mode). 19 | - apiGroups: [""] 20 | resources: ["secrets"] 21 | verbs: ["get"] 22 | - apiGroups: [""] 23 | resources: ["configmaps"] 24 | verbs: ["get"] 25 | {{- end -}} 26 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/nodeplugin-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | {{- if .Values.topology.enabled }} 3 | kind: ClusterRoleBinding 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }} 7 | labels: 8 | app: {{ include "ceph-csi-rbd.name" . }} 9 | chart: {{ include "ceph-csi-rbd.chart" . 
}} 10 | component: {{ .Values.nodeplugin.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | subjects: 14 | - kind: ServiceAccount 15 | name: {{ include "ceph-csi-rbd.serviceAccountName.nodeplugin" . }} 16 | namespace: {{ .Release.Namespace }} 17 | roleRef: 18 | kind: ClusterRole 19 | name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }} 20 | apiGroup: rbac.authorization.k8s.io 21 | {{- end }} 22 | {{- end -}} 23 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/nodeplugin-daemonset.yaml: -------------------------------------------------------------------------------- 1 | kind: DaemonSet 2 | apiVersion: apps/v1 3 | metadata: 4 | name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }} 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: {{ include "ceph-csi-rbd.name" . }} 8 | chart: {{ include "ceph-csi-rbd.chart" . }} 9 | component: {{ .Values.nodeplugin.name }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | spec: 13 | selector: 14 | matchLabels: 15 | app: {{ include "ceph-csi-rbd.name" . }} 16 | component: {{ .Values.nodeplugin.name }} 17 | release: {{ .Release.Name }} 18 | updateStrategy: 19 | type: {{ .Values.nodeplugin.updateStrategy }} 20 | template: 21 | metadata: 22 | labels: 23 | app: {{ include "ceph-csi-rbd.name" . }} 24 | chart: {{ include "ceph-csi-rbd.chart" . }} 25 | component: {{ .Values.nodeplugin.name }} 26 | release: {{ .Release.Name }} 27 | heritage: {{ .Release.Service }} 28 | spec: 29 | serviceAccountName: {{ include "ceph-csi-rbd.serviceAccountName.nodeplugin" . }} 30 | hostNetwork: true 31 | hostPID: true 32 | {{- if .Values.nodeplugin.priorityClassName }} 33 | priorityClassName: {{ .Values.nodeplugin.priorityClassName }} 34 | {{- end }} 35 | # to use e.g. 
Rook orchestrated cluster, and mons' FQDN is 36 | # resolved through k8s service, set dns policy to cluster first 37 | dnsPolicy: ClusterFirstWithHostNet 38 | containers: 39 | - name: driver-registrar 40 | # This is necessary only for systems with SELinux, where 41 | # non-privileged sidecar containers cannot access unix domain socket 42 | # created by privileged CSI driver container. NOTE(review): the flag is hard-coded here and on the liveness-prometheus sidecar below, and a privileged container in this hostPID/hostNetwork pod is effectively root on the node, not just a socket-access exception; on hosts without SELinux drop it, or make it conditional on a chart value. 43 | securityContext: 44 | privileged: true 45 | image: "{{ .Values.nodeplugin.registrar.image.repository }}:{{ .Values.nodeplugin.registrar.image.tag }}" 46 | imagePullPolicy: {{ .Values.nodeplugin.registrar.image.pullPolicy }} 47 | args: 48 | - "--v={{ .Values.logLevel }}" 49 | - "--csi-address=/csi/{{ .Values.pluginSocketFile }}" 50 | - "--kubelet-registration-path={{ .Values.kubeletDir }}/plugins/{{ .Values.driverName }}/{{ .Values.pluginSocketFile }}" 51 | env: 52 | - name: KUBE_NODE_NAME 53 | valueFrom: 54 | fieldRef: 55 | fieldPath: spec.nodeName 56 | volumeMounts: 57 | - name: socket-dir 58 | mountPath: /csi 59 | - name: registration-dir 60 | mountPath: /registration 61 | resources: 62 | {{ toYaml .Values.nodeplugin.registrar.resources | indent 12 }} 63 | - name: csi-rbdplugin 64 | image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" 65 | imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} 66 | args: 67 | - "--nodeid=$(NODE_ID)" 68 | - "--type=rbd" 69 | - "--nodeserver=true" 70 | - "--pidlimit=-1" 71 | - "--endpoint=$(CSI_ENDPOINT)" 72 | - "--v={{ .Values.logLevel }}" 73 | - "--drivername=$(DRIVER_NAME)" 74 | {{- if .Values.topology.enabled }} 75 | - "--domainlabels={{ .Values.topology.domainLabels | join "," }}" 76 | {{- end }} 77 | env: 78 | - name: POD_IP 79 | valueFrom: 80 | fieldRef: 81 | fieldPath: status.podIP 82 | - name: DRIVER_NAME 83 | value: {{ .Values.driverName }} 84 | - name: NODE_ID 85 | valueFrom: 86 | fieldRef: 87 | fieldPath: spec.nodeName 88 | - name: CSI_ENDPOINT 89 | value: "unix:///csi/{{ 
.Values.pluginSocketFile }}" 90 | securityContext: 91 | privileged: true 92 | capabilities: 93 | add: ["SYS_ADMIN"] 94 | allowPrivilegeEscalation: true 95 | volumeMounts: 96 | - name: socket-dir 97 | mountPath: /csi 98 | - mountPath: /dev 99 | name: host-dev 100 | - mountPath: /run/mount 101 | name: host-mount 102 | - mountPath: /sys 103 | name: host-sys 104 | - mountPath: /lib/modules 105 | name: lib-modules 106 | readOnly: true 107 | - name: ceph-csi-config 108 | mountPath: /etc/ceph-csi-config/ 109 | - name: ceph-csi-encryption-kms-config 110 | mountPath: /etc/ceph-csi-encryption-kms-config/ 111 | - name: plugin-dir 112 | mountPath: {{ .Values.kubeletDir }}/plugins 113 | mountPropagation: "Bidirectional" 114 | - name: mountpoint-dir 115 | mountPath: {{ .Values.kubeletDir }}/pods 116 | mountPropagation: "Bidirectional" 117 | - name: keys-tmp-dir 118 | mountPath: /tmp/csi/keys 119 | resources: 120 | {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} 121 | {{- if .Values.nodeplugin.httpMetrics.enabled }} 122 | - name: liveness-prometheus 123 | securityContext: 124 | privileged: true 125 | image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" 126 | imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} 127 | args: 128 | - "--type=liveness" 129 | - "--endpoint=$(CSI_ENDPOINT)" 130 | - "--metricsport={{ .Values.nodeplugin.httpMetrics.containerPort }}" 131 | - "--metricspath=/metrics" 132 | - "--polltime=60s" 133 | - "--timeout=3s" 134 | env: 135 | - name: CSI_ENDPOINT 136 | value: "unix:///csi/{{ .Values.pluginSocketFile }}" 137 | - name: POD_IP 138 | valueFrom: 139 | fieldRef: 140 | fieldPath: status.podIP 141 | volumeMounts: 142 | - name: socket-dir 143 | mountPath: /csi 144 | resources: 145 | {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} 146 | {{- end }} 147 | volumes: 148 | - name: socket-dir 149 | hostPath: 150 | path: "{{ .Values.kubeletDir }}/plugins/{{ .Values.driverName }}" 151 
| type: DirectoryOrCreate 152 | - name: registration-dir 153 | hostPath: 154 | path: {{ .Values.kubeletDir }}/plugins_registry 155 | type: Directory 156 | - name: plugin-dir 157 | hostPath: 158 | path: {{ .Values.kubeletDir }}/plugins 159 | type: Directory 160 | - name: mountpoint-dir 161 | hostPath: 162 | path: {{ .Values.kubeletDir }}/pods 163 | type: DirectoryOrCreate 164 | - name: host-dev 165 | hostPath: 166 | path: /dev 167 | - name: host-mount 168 | hostPath: 169 | path: /run/mount 170 | - name: host-sys 171 | hostPath: 172 | path: /sys 173 | - name: lib-modules 174 | hostPath: 175 | path: /lib/modules 176 | - name: ceph-csi-config 177 | configMap: 178 | name: {{ .Values.configMapName | quote }} 179 | {{- if .Values.configMapKey }} 180 | items: 181 | - key: {{ .Values.configMapKey | quote }} 182 | path: config.json 183 | {{- end }} 184 | - name: ceph-csi-encryption-kms-config 185 | configMap: 186 | name: {{ .Values.kmsConfigMapName | quote }} 187 | - name: keys-tmp-dir 188 | emptyDir: { 189 | medium: "Memory" 190 | } 191 | {{- if .Values.nodeplugin.affinity }} 192 | affinity: 193 | {{ toYaml .Values.nodeplugin.affinity | indent 8 -}} 194 | {{- end -}} 195 | {{- if .Values.nodeplugin.nodeSelector }} 196 | nodeSelector: 197 | {{ toYaml .Values.nodeplugin.nodeSelector | indent 8 -}} 198 | {{- end -}} 199 | {{- if .Values.nodeplugin.tolerations }} 200 | tolerations: 201 | {{ toYaml .Values.nodeplugin.tolerations | indent 8 -}} 202 | {{- end -}} 203 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/nodeplugin-http-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.nodeplugin.httpMetrics.service.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | {{- if .Values.nodeplugin.httpMetrics.service.annotations }} 6 | annotations: 7 | {{ toYaml .Values.nodeplugin.httpMetrics.service.annotations | indent 4 }} 8 | {{- end }} 9 | 
name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}-http-metrics 10 | namespace: {{ .Release.Namespace }} 11 | labels: 12 | app: {{ include "ceph-csi-rbd.fullname" . }} 13 | chart: {{ include "ceph-csi-rbd.chart" . }} 14 | component: {{ .Values.nodeplugin.name }} 15 | release: {{ .Release.Name }} 16 | heritage: {{ .Release.Service }} 17 | spec: 18 | {{- if .Values.nodeplugin.httpMetrics.service.clusterIP }} 19 | clusterIP: "{{ .Values.nodeplugin.httpMetrics.service.clusterIP }}" 20 | {{- end }} 21 | {{- if .Values.nodeplugin.httpMetrics.service.externalIPs }} 22 | externalIPs: 23 | {{ toYaml .Values.nodeplugin.httpMetrics.service.externalIPs | indent 4 }} 24 | {{- end }} 25 | {{- if .Values.nodeplugin.httpMetrics.service.loadBalancerIP }} 26 | loadBalancerIP: "{{ .Values.nodeplugin.httpMetrics.service.loadBalancerIP }}" 27 | {{- end }} 28 | {{- if .Values.nodeplugin.httpMetrics.service.loadBalancerSourceRanges }} 29 | loadBalancerSourceRanges: 30 | {{ toYaml .Values.nodeplugin.httpMetrics.service.loadBalancerSourceRanges | indent 4 }} 31 | {{- end }} 32 | ports: 33 | - name: http-metrics 34 | port: {{ .Values.nodeplugin.httpMetrics.service.servicePort }} 35 | targetPort: {{ .Values.nodeplugin.httpMetrics.containerPort }} 36 | selector: 37 | app: {{ include "ceph-csi-rbd.name" . }} 38 | component: {{ .Values.nodeplugin.name }} 39 | release: {{ .Release.Name }} 40 | type: "{{ .Values.nodeplugin.httpMetrics.service.type }}" 41 | {{- end -}} 42 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/nodeplugin-psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.nodeplugin.podSecurityPolicy.enabled -}} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }} 6 | labels: 7 | app: {{ include "ceph-csi-rbd.name" . }} 8 | chart: {{ include "ceph-csi-rbd.chart" . 
}} 9 | component: {{ .Values.nodeplugin.name }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | spec: 13 | allowPrivilegeEscalation: true 14 | allowedCapabilities: 15 | - 'SYS_ADMIN' 16 | fsGroup: 17 | rule: RunAsAny 18 | privileged: true 19 | hostNetwork: true 20 | hostPID: true 21 | runAsUser: 22 | rule: RunAsAny 23 | seLinux: 24 | rule: RunAsAny 25 | supplementalGroups: 26 | rule: RunAsAny 27 | volumes: 28 | - 'configMap' 29 | - 'emptyDir' 30 | - 'projected' 31 | - 'secret' 32 | - 'downwardAPI' 33 | - 'hostPath' 34 | allowedHostPaths: 35 | - pathPrefix: '/dev' 36 | readOnly: false 37 | - pathPrefix: '/run/mount' 38 | readOnly: false 39 | - pathPrefix: '/sys' 40 | readOnly: false 41 | - pathPrefix: '/lib/modules' 42 | readOnly: true 43 | - pathPrefix: '{{ .Values.kubeletDir }}' 44 | readOnly: false 45 | {{- end }} 46 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/nodeplugin-role.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}} 2 | kind: Role 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ include "ceph-csi-rbd.name" . }} 9 | chart: {{ include "ceph-csi-rbd.chart" . }} 10 | component: {{ .Values.nodeplugin.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | rules: 14 | - apiGroups: ['policy'] 15 | resources: ['podsecuritypolicies'] 16 | verbs: ['use'] 17 | resourceNames: ['{{ include "ceph-csi-rbd.nodeplugin.fullname" . 
}}'] 18 | {{- end -}} 19 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/nodeplugin-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.rbac.create .Values.nodeplugin.podSecurityPolicy.enabled -}} 2 | kind: RoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ include "ceph-csi-rbd.name" . }} 9 | chart: {{ include "ceph-csi-rbd.chart" . }} 10 | component: {{ .Values.nodeplugin.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | subjects: 14 | - kind: ServiceAccount 15 | name: {{ include "ceph-csi-rbd.serviceAccountName.nodeplugin" . }} 16 | namespace: {{ .Release.Namespace }} 17 | roleRef: 18 | kind: Role 19 | name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }} 20 | apiGroup: rbac.authorization.k8s.io 21 | {{- end -}} 22 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/nodeplugin-rules-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | {{- if .Values.topology.enabled }} 3 | kind: ClusterRole 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: {{ include "ceph-csi-rbd.nodeplugin.fullname" . }}-rules 7 | labels: 8 | app: {{ include "ceph-csi-rbd.name" . }} 9 | chart: {{ include "ceph-csi-rbd.chart" . }} 10 | component: {{ .Values.nodeplugin.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | rbac.rbd.csi.ceph.com/aggregate-to-{{ include "ceph-csi-rbd.nodeplugin.fullname" . 
}}: "true" 14 | rules: 15 | - apiGroups: [""] 16 | resources: ["nodes"] 17 | verbs: ["get"] 18 | {{- end }} 19 | {{- end -}} 20 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/nodeplugin-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccounts.nodeplugin.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "ceph-csi-rbd.serviceAccountName.nodeplugin" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ include "ceph-csi-rbd.name" . }} 9 | chart: {{ include "ceph-csi-rbd.chart" . }} 10 | component: {{ .Values.nodeplugin.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | {{- end -}} 14 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/provisioner-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "ceph-csi-rbd.provisioner.fullname" . }} 6 | labels: 7 | app: {{ include "ceph-csi-rbd.name" . }} 8 | chart: {{ include "ceph-csi-rbd.chart" . 
}} 9 | component: {{ .Values.provisioner.name }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | rules: 13 | - apiGroups: [""] 14 | resources: ["secrets"] 15 | verbs: ["get", "list", "watch"] 16 | - apiGroups: [""] 17 | resources: ["persistentvolumes"] 18 | verbs: ["get", "list", "watch", "create", "update", "delete", "patch"] 19 | - apiGroups: [""] 20 | resources: ["persistentvolumeclaims"] 21 | verbs: ["get", "list", "watch", "update"] 22 | - apiGroups: ["storage.k8s.io"] 23 | resources: ["storageclasses"] 24 | verbs: ["get", "list", "watch"] 25 | - apiGroups: [""] 26 | resources: ["events"] 27 | verbs: ["list", "watch", "create", "update", "patch"] 28 | - apiGroups: [""] 29 | resources: ["endpoints"] 30 | verbs: ["get", "create", "update"] 31 | {{- if .Values.provisioner.attacher.enabled }} 32 | - apiGroups: ["storage.k8s.io"] 33 | resources: ["volumeattachments"] 34 | verbs: ["get", "list", "watch", "update", "patch"] 35 | - apiGroups: ["storage.k8s.io"] 36 | resources: ["volumeattachments/status"] 37 | verbs: ["patch"] 38 | {{- end }} 39 | - apiGroups: ["snapshot.storage.k8s.io"] 40 | resources: ["volumesnapshots"] 41 | verbs: ["get", "list"] 42 | - apiGroups: ["snapshot.storage.k8s.io"] 43 | resources: ["volumesnapshotcontents"] 44 | verbs: ["create", "get", "list", "watch", "update", "delete"] 45 | - apiGroups: ["snapshot.storage.k8s.io"] 46 | resources: ["volumesnapshotclasses"] 47 | verbs: ["get", "list", "watch"] 48 | - apiGroups: ["snapshot.storage.k8s.io"] 49 | resources: ["volumesnapshotcontents/status"] 50 | verbs: ["update"] 51 | - apiGroups: [""] 52 | resources: ["configmaps"] 53 | verbs: ["get"] 54 | {{- if .Values.provisioner.resizer.enabled }} 55 | - apiGroups: [""] 56 | resources: ["persistentvolumeclaims/status"] 57 | verbs: ["update", "patch"] 58 | {{- end }} 59 | {{- if .Values.topology.enabled }} 60 | - apiGroups: [""] 61 | resources: ["nodes"] 62 | verbs: ["get", "list", "watch"] 63 | - apiGroups: 
["storage.k8s.io"] 64 | resources: ["csinodes"] 65 | verbs: ["get", "list", "watch"] 66 | {{- end }} 67 | 68 | {{- end -}} 69 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/provisioner-clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "ceph-csi-rbd.provisioner.fullname" . }} 6 | labels: 7 | app: {{ include "ceph-csi-rbd.name" . }} 8 | chart: {{ include "ceph-csi-rbd.chart" . }} 9 | component: {{ .Values.provisioner.name }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | subjects: 13 | - kind: ServiceAccount 14 | name: {{ include "ceph-csi-rbd.serviceAccountName.provisioner" . }} 15 | namespace: {{ .Release.Namespace }} 16 | roleRef: 17 | kind: ClusterRole 18 | name: {{ include "ceph-csi-rbd.provisioner.fullname" . }} 19 | apiGroup: rbac.authorization.k8s.io 20 | {{- end -}} 21 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/provisioner-deployment.yaml: -------------------------------------------------------------------------------- 1 | kind: Deployment 2 | apiVersion: apps/v1 3 | metadata: 4 | name: {{ include "ceph-csi-rbd.provisioner.fullname" . }} 5 | namespace: {{ .Release.Namespace }} 6 | labels: 7 | app: {{ include "ceph-csi-rbd.name" . }} 8 | chart: {{ include "ceph-csi-rbd.chart" . }} 9 | component: {{ .Values.provisioner.name }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | spec: 13 | replicas: {{ .Values.provisioner.replicaCount }} 14 | selector: 15 | matchLabels: 16 | app: {{ include "ceph-csi-rbd.name" . 
}} 17 | component: {{ .Values.provisioner.name }} 18 | release: {{ .Release.Name }} 19 | template: 20 | metadata: 21 | labels: 22 | app: {{ include "ceph-csi-rbd.name" . }} 23 | chart: {{ include "ceph-csi-rbd.chart" . }} 24 | component: {{ .Values.provisioner.name }} 25 | release: {{ .Release.Name }} 26 | heritage: {{ .Release.Service }} 27 | spec: 28 | {{- if gt (int .Values.provisioner.replicaCount) 1 }} 29 | affinity: 30 | podAntiAffinity: 31 | requiredDuringSchedulingIgnoredDuringExecution: 32 | - labelSelector: 33 | matchExpressions: 34 | - key: app 35 | operator: In 36 | values: 37 | - {{ include "ceph-csi-rbd.name" . }} 38 | - key: component 39 | operator: In 40 | values: 41 | - {{ .Values.provisioner.name }} 42 | topologyKey: "kubernetes.io/hostname" 43 | {{- end }} 44 | serviceAccountName: {{ include "ceph-csi-rbd.serviceAccountName.provisioner" . }} 45 | {{- if .Values.provisioner.priorityClassName }} 46 | priorityClassName: {{ .Values.provisioner.priorityClassName }} 47 | {{- end }} 48 | containers: 49 | - name: csi-provisioner 50 | image: "{{ .Values.provisioner.provisioner.image.repository }}:{{ .Values.provisioner.provisioner.image.tag }}" 51 | imagePullPolicy: {{ .Values.provisioner.provisioner.image.pullPolicy }} 52 | args: 53 | - "--csi-address=$(ADDRESS)" 54 | - "--v={{ .Values.logLevel }}" 55 | - "--timeout={{ .Values.provisioner.timeout }}" 56 | - "--leader-election=true" 57 | - "--retry-interval-start=500ms" 58 | - "--default-fstype={{ .Values.provisioner.defaultFSType }}" 59 | - "--extra-create-metadata=true" 60 | {{- if .Values.topology.enabled }} 61 | - "--feature-gates=Topology=true" 62 | {{- end }} 63 | env: 64 | - name: ADDRESS 65 | value: "unix:///csi/{{ .Values.provisionerSocketFile }}" 66 | volumeMounts: 67 | - name: socket-dir 68 | mountPath: /csi 69 | resources: 70 | {{ toYaml .Values.provisioner.provisioner.resources | indent 12 }} 71 | {{- if .Values.provisioner.resizer.enabled }} 72 | - name: csi-resizer 73 | image: "{{ 
.Values.provisioner.resizer.image.repository }}:{{ .Values.provisioner.resizer.image.tag }}" 74 | imagePullPolicy: {{ .Values.provisioner.resizer.image.pullPolicy }} 75 | args: 76 | - "--v={{ .Values.logLevel }}" 77 | - "--csi-address=$(ADDRESS)" 78 | - "--timeout={{ .Values.provisioner.timeout }}" 79 | - "--leader-election" 80 | - "--retry-interval-start=500ms" 81 | - "--handle-volume-inuse-error=false" 82 | env: 83 | - name: ADDRESS 84 | value: "unix:///csi/{{ .Values.provisionerSocketFile }}" 85 | volumeMounts: 86 | - name: socket-dir 87 | mountPath: /csi 88 | resources: 89 | {{ toYaml .Values.provisioner.resizer.resources | indent 12 }} 90 | {{- end }} 91 | - name: csi-snapshotter 92 | image: {{ .Values.provisioner.snapshotter.image.repository }}:{{ .Values.provisioner.snapshotter.image.tag }} 93 | imagePullPolicy: {{ .Values.provisioner.snapshotter.image.pullPolicy }} 94 | args: 95 | - "--csi-address=$(ADDRESS)" 96 | - "--v={{ .Values.logLevel }}" 97 | - "--timeout={{ .Values.provisioner.timeout }}" 98 | - "--leader-election=true" 99 | env: 100 | - name: ADDRESS 101 | value: "unix:///csi/{{ .Values.provisionerSocketFile }}" 102 | securityContext: 103 | privileged: true 104 | volumeMounts: 105 | - name: socket-dir 106 | mountPath: /csi 107 | resources: 108 | {{ toYaml .Values.provisioner.snapshotter.resources | indent 12 }} 109 | {{- if .Values.provisioner.attacher.enabled }} 110 | - name: csi-attacher 111 | image: "{{ .Values.provisioner.attacher.image.repository }}:{{ .Values.provisioner.attacher.image.tag }}" 112 | imagePullPolicy: {{ .Values.provisioner.attacher.image.pullPolicy }} 113 | args: 114 | - "--v={{ .Values.logLevel }}" 115 | - "--csi-address=$(ADDRESS)" 116 | - "--leader-election=true" 117 | - "--retry-interval-start=500ms" 118 | env: 119 | - name: ADDRESS 120 | value: "unix:///csi/{{ .Values.provisionerSocketFile }}" 121 | volumeMounts: 122 | - name: socket-dir 123 | mountPath: /csi 124 | resources: 125 | {{ toYaml 
.Values.provisioner.attacher.resources | indent 12 }} 126 | {{- end }} 127 | - name: csi-rbdplugin 128 | image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" 129 | imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} 130 | args: 131 | - "--nodeid=$(NODE_ID)" 132 | - "--type=rbd" 133 | - "--controllerserver=true" 134 | - "--pidlimit=-1" 135 | - "--endpoint=$(CSI_ENDPOINT)" 136 | - "--v={{ .Values.logLevel }}" 137 | - "--drivername=$(DRIVER_NAME)" 138 | - "--rbdhardmaxclonedepth={{ .Values.provisioner.hardMaxCloneDepth }}" 139 | - "--rbdsoftmaxclonedepth={{ .Values.provisioner.softMaxCloneDepth }}" 140 | - "--maxsnapshotsonimage={{ .Values.provisioner.maxSnapshotsOnImage }}" 141 | - "--minsnapshotsonimage={{ .Values.provisioner.minSnapshotsOnImage }}" 142 | {{- if .Values.provisioner.skipForceFlatten }} 143 | - "--skipforceflatten={{ .Values.provisioner.skipForceFlatten }}" 144 | {{- end }} 145 | env: 146 | - name: POD_IP 147 | valueFrom: 148 | fieldRef: 149 | fieldPath: status.podIP 150 | - name: DRIVER_NAME 151 | value: {{ .Values.driverName }} 152 | - name: NODE_ID 153 | valueFrom: 154 | fieldRef: 155 | fieldPath: spec.nodeName 156 | - name: CSI_ENDPOINT 157 | value: "unix:///csi/{{ .Values.provisionerSocketFile }}" 158 | securityContext: 159 | privileged: true 160 | capabilities: 161 | add: ["SYS_ADMIN"] 162 | allowPrivilegeEscalation: true 163 | volumeMounts: 164 | - name: socket-dir 165 | mountPath: /csi 166 | - mountPath: /dev 167 | name: host-dev 168 | - mountPath: /sys 169 | name: host-sys 170 | - mountPath: /lib/modules 171 | name: lib-modules 172 | readOnly: true 173 | - name: ceph-csi-config 174 | mountPath: /etc/ceph-csi-config/ 175 | - name: ceph-csi-encryption-kms-config 176 | mountPath: /etc/ceph-csi-encryption-kms-config/ 177 | - name: keys-tmp-dir 178 | mountPath: /tmp/csi/keys 179 | resources: 180 | {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} 181 | {{- if 
.Values.provisioner.deployController }} 182 | - name: csi-rbdplugin-controller 183 | image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" 184 | imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} 185 | args: 186 | - "--type=controller" 187 | - "--v={{ .Values.logLevel }}" 188 | - "--drivername=$(DRIVER_NAME)" 189 | - "--drivernamespace=$(DRIVER_NAMESPACE)" 190 | env: 191 | - name: DRIVER_NAMESPACE 192 | valueFrom: 193 | fieldRef: 194 | fieldPath: metadata.namespace 195 | - name: DRIVER_NAME 196 | value: {{ .Values.driverName }} 197 | securityContext: 198 | privileged: true 199 | capabilities: 200 | add: ["SYS_ADMIN"] 201 | allowPrivilegeEscalation: true 202 | volumeMounts: 203 | - name: ceph-csi-config 204 | mountPath: /etc/ceph-csi-config/ 205 | - name: keys-tmp-dir 206 | mountPath: /tmp/csi/keys 207 | resources: 208 | {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} 209 | {{- end }} 210 | {{- if .Values.provisioner.httpMetrics.enabled }} 211 | - name: liveness-prometheus 212 | image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" 213 | imagePullPolicy: {{ .Values.nodeplugin.plugin.image.pullPolicy }} 214 | args: 215 | - "--type=liveness" 216 | - "--endpoint=$(CSI_ENDPOINT)" 217 | - "--metricsport={{ .Values.provisioner.httpMetrics.containerPort }}" 218 | - "--metricspath=/metrics" 219 | - "--polltime=60s" 220 | - "--timeout=3s" 221 | env: 222 | - name: CSI_ENDPOINT 223 | value: "unix:///csi/{{ .Values.provisionerSocketFile }}" 224 | - name: POD_IP 225 | valueFrom: 226 | fieldRef: 227 | fieldPath: status.podIP 228 | volumeMounts: 229 | - name: socket-dir 230 | mountPath: /csi 231 | resources: 232 | {{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} 233 | {{- end }} 234 | volumes: 235 | - name: socket-dir 236 | emptyDir: { 237 | medium: "Memory" 238 | } 239 | - name: host-dev 240 | hostPath: 241 | path: /dev 242 | - name: host-sys 243 | 
hostPath: 244 | path: /sys 245 | - name: lib-modules 246 | hostPath: 247 | path: /lib/modules 248 | - name: ceph-csi-config 249 | configMap: 250 | name: {{ .Values.configMapName | quote }} 251 | {{- if .Values.configMapKey }} 252 | items: 253 | - key: {{ .Values.configMapKey | quote }} 254 | path: config.json 255 | {{- end }} 256 | - name: ceph-csi-encryption-kms-config 257 | configMap: 258 | name: {{ .Values.kmsConfigMapName | quote }} 259 | - name: keys-tmp-dir 260 | emptyDir: { 261 | medium: "Memory" 262 | } 263 | {{- if .Values.provisioner.affinity }} 264 | affinity: 265 | {{ toYaml .Values.provisioner.affinity | indent 8 -}} 266 | {{- end -}} 267 | {{- if .Values.provisioner.nodeSelector }} 268 | nodeSelector: 269 | {{ toYaml .Values.provisioner.nodeSelector | indent 8 -}} 270 | {{- end -}} 271 | {{- if .Values.provisioner.tolerations }} 272 | tolerations: 273 | {{ toYaml .Values.provisioner.tolerations | indent 8 -}} 274 | {{- end -}} 275 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/provisioner-http-service.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.provisioner.httpMetrics.service.enabled -}} 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | {{- if .Values.provisioner.httpMetrics.service.annotations }} 6 | annotations: 7 | {{ toYaml .Values.provisioner.httpMetrics.service.annotations | indent 4 }} 8 | {{- end }} 9 | name: {{ include "ceph-csi-rbd.provisioner.fullname" . }}-http-metrics 10 | namespace: {{ .Release.Namespace }} 11 | labels: 12 | app: {{ include "ceph-csi-rbd.fullname" . }} 13 | chart: {{ include "ceph-csi-rbd.chart" . 
}} 14 | component: {{ .Values.provisioner.name }} 15 | release: {{ .Release.Name }} 16 | heritage: {{ .Release.Service }} 17 | spec: 18 | {{- if .Values.provisioner.httpMetrics.service.clusterIP }} 19 | clusterIP: "{{ .Values.provisioner.httpMetrics.service.clusterIP }}" 20 | {{- end }} 21 | {{- if .Values.provisioner.httpMetrics.service.externalIPs }} 22 | externalIPs: 23 | {{ toYaml .Values.provisioner.httpMetrics.service.externalIPs | indent 4 }} 24 | {{- end }} 25 | {{- if .Values.provisioner.httpMetrics.service.loadBalancerIP }} 26 | loadBalancerIP: "{{ .Values.provisioner.httpMetrics.service.loadBalancerIP }}" 27 | {{- end }} 28 | {{- if .Values.provisioner.httpMetrics.service.loadBalancerSourceRanges }} 29 | loadBalancerSourceRanges: 30 | {{ toYaml .Values.provisioner.httpMetrics.service.loadBalancerSourceRanges | indent 4 }} 31 | {{- end }} 32 | ports: 33 | - name: http-metrics 34 | port: {{ .Values.provisioner.httpMetrics.service.servicePort }} 35 | targetPort: {{ .Values.provisioner.httpMetrics.containerPort }} 36 | selector: 37 | app: {{ include "ceph-csi-rbd.name" . }} 38 | component: {{ .Values.provisioner.name }} 39 | release: {{ .Release.Name }} 40 | type: "{{ .Values.provisioner.httpMetrics.service.type }}" 41 | {{- end -}} 42 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/provisioner-psp.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.provisioner.podSecurityPolicy.enabled -}} 2 | apiVersion: policy/v1beta1 3 | kind: PodSecurityPolicy 4 | metadata: 5 | name: {{ include "ceph-csi-rbd.provisioner.fullname" . }} 6 | labels: 7 | app: {{ include "ceph-csi-rbd.name" . }} 8 | chart: {{ include "ceph-csi-rbd.chart" . 
}} 9 | component: {{ .Values.provisioner.name }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | spec: 13 | allowPrivilegeEscalation: true 14 | allowedCapabilities: 15 | - 'SYS_ADMIN' 16 | fsGroup: 17 | rule: RunAsAny 18 | privileged: true 19 | runAsUser: 20 | rule: RunAsAny 21 | seLinux: 22 | rule: RunAsAny 23 | supplementalGroups: 24 | rule: RunAsAny 25 | volumes: 26 | - 'configMap' 27 | - 'emptyDir' 28 | - 'projected' 29 | - 'secret' 30 | - 'downwardAPI' 31 | - 'hostPath' 32 | allowedHostPaths: 33 | - pathPrefix: '/dev' 34 | readOnly: false 35 | - pathPrefix: '/sys' 36 | readOnly: false 37 | - pathPrefix: '/lib/modules' 38 | readOnly: true 39 | {{- end }} 40 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/provisioner-role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | kind: Role 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "ceph-csi-rbd.provisioner.fullname" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ include "ceph-csi-rbd.name" . }} 9 | chart: {{ include "ceph-csi-rbd.chart" . }} 10 | component: {{ .Values.provisioner.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | rules: 14 | - apiGroups: [""] 15 | resources: ["configmaps"] 16 | verbs: ["get", "list", "watch", "create","update", "delete"] 17 | - apiGroups: ["coordination.k8s.io"] 18 | resources: ["leases"] 19 | verbs: ["get", "watch", "list", "delete", "update", "create"] 20 | {{- if .Values.provisioner.podSecurityPolicy.enabled }} 21 | - apiGroups: ['policy'] 22 | resources: ['podsecuritypolicies'] 23 | verbs: ['use'] 24 | resourceNames: ['{{ include "ceph-csi-rbd.provisioner.fullname" . 
}}'] 25 | {{- end -}} 26 | {{- end -}} 27 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/provisioner-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | kind: RoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "ceph-csi-rbd.provisioner.fullname" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ include "ceph-csi-rbd.name" . }} 9 | chart: {{ include "ceph-csi-rbd.chart" . }} 10 | component: {{ .Values.provisioner.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | subjects: 14 | - kind: ServiceAccount 15 | name: {{ include "ceph-csi-rbd.serviceAccountName.provisioner" . }} 16 | namespace: {{ .Release.Namespace }} 17 | roleRef: 18 | kind: Role 19 | name: {{ include "ceph-csi-rbd.provisioner.fullname" . }} 20 | apiGroup: rbac.authorization.k8s.io 21 | {{- end -}} 22 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/provisioner-rules-clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "ceph-csi-rbd.provisioner.fullname" . }}-rules 6 | labels: 7 | app: {{ include "ceph-csi-rbd.name" . }} 8 | chart: {{ include "ceph-csi-rbd.chart" . }} 9 | component: {{ .Values.provisioner.name }} 10 | release: {{ .Release.Name }} 11 | heritage: {{ .Release.Service }} 12 | rbac.rbd.csi.ceph.com/aggregate-to-{{ include "ceph-csi-rbd.provisioner.fullname" . 
}}: "true" 13 | rules: 14 | - apiGroups: [""] 15 | resources: ["secrets"] 16 | verbs: ["get", "list"] 17 | - apiGroups: [""] 18 | resources: ["persistentvolumes"] 19 | verbs: ["get", "list", "watch", "create", "update", "delete", "patch"] 20 | - apiGroups: [""] 21 | resources: ["persistentvolumeclaims"] 22 | verbs: ["get", "list", "watch", "update"] 23 | - apiGroups: ["storage.k8s.io"] 24 | resources: ["storageclasses"] 25 | verbs: ["get", "list", "watch"] 26 | - apiGroups: [""] 27 | resources: ["events"] 28 | verbs: ["list", "watch", "create", "update", "patch"] 29 | - apiGroups: [""] 30 | resources: ["endpoints"] 31 | verbs: ["get", "create", "update"] 32 | {{- if .Values.provisioner.attacher.enabled }} 33 | - apiGroups: ["storage.k8s.io"] 34 | resources: ["volumeattachments"] 35 | verbs: ["get", "list", "watch", "update", "patch"] 36 | {{- end }} 37 | - apiGroups: ["snapshot.storage.k8s.io"] 38 | resources: ["volumesnapshots"] 39 | verbs: ["get", "list"] 40 | - apiGroups: ["snapshot.storage.k8s.io"] 41 | resources: ["volumesnapshotcontents"] 42 | verbs: ["create", "get", "list", "watch", "update", "delete"] 43 | - apiGroups: ["snapshot.storage.k8s.io"] 44 | resources: ["volumesnapshotclasses"] 45 | verbs: ["get", "list", "watch"] 46 | - apiGroups: ["snapshot.storage.k8s.io"] 47 | resources: ["volumesnapshotcontents/status"] 48 | verbs: ["update"] 49 | {{- if .Values.provisioner.resizer.enabled }} 50 | - apiGroups: [""] 51 | resources: ["persistentvolumeclaims/status"] 52 | verbs: ["update", "patch"] 53 | {{- end }} 54 | {{- if .Values.topology.enabled }} 55 | - apiGroups: [""] 56 | resources: ["nodes"] 57 | verbs: ["get", "list", "watch"] 58 | - apiGroups: ["storage.k8s.io"] 59 | resources: ["csinodes"] 60 | verbs: ["get", "list", "watch"] 61 | {{- end }} 62 | {{- end -}} 63 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/templates/provisioner-serviceaccount.yaml: 
-------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccounts.provisioner.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "ceph-csi-rbd.serviceAccountName.provisioner" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | app: {{ include "ceph-csi-rbd.name" . }} 9 | chart: {{ include "ceph-csi-rbd.chart" . }} 10 | component: {{ .Values.provisioner.name }} 11 | release: {{ .Release.Name }} 12 | heritage: {{ .Release.Service }} 13 | {{- end -}} 14 | -------------------------------------------------------------------------------- /docs/chap08/ceph-csi-rbd/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | rbac: 3 | # Specifies whether RBAC resources should be created 4 | create: true 5 | 6 | serviceAccounts: 7 | nodeplugin: 8 | # Specifies whether a ServiceAccount should be created 9 | create: true 10 | # The name of the ServiceAccount to use. 11 | # If not set and create is true, a name is generated using the fullname 12 | name: 13 | provisioner: 14 | # Specifies whether a ServiceAccount should be created 15 | create: true 16 | # The name of the ServiceAccount to use. 
17 | # If not set and create is true, a name is generated using the fullname 18 | name: 19 | 20 | # Configuration for the CSI to connect to the cluster 21 | # Ref: https://github.com/ceph/ceph-csi/blob/devel/examples/README.md 22 | # Example: 23 | # csiConfig: 24 | # - clusterID: "" 25 | # monitors: 26 | # - "" 27 | # - "" 28 | csiConfig: [] 29 | 30 | # Configuration for the encryption KMS 31 | # Ref: https://github.com/ceph/ceph-csi/blob/devel/docs/deploy-rbd.md 32 | # Example: 33 | # encryptionKMSConfig: 34 | # vault-unique-id-1: 35 | # encryptionKMSType: vault 36 | # vaultAddress: https://vault.example.com 37 | # vaultAuthPath: /v1/auth/kubernetes/login 38 | # vaultRole: csi-kubernetes 39 | # vaultPassphraseRoot: /v1/secret 40 | # vaultPassphrasePath: ceph-csi/ 41 | # vaultCAVerify: "false" 42 | encryptionKMSConfig: {} 43 | 44 | # Set logging level for csi containers. 45 | # Supported values from 0 to 5. 0 for general useful logs, 46 | # 5 for trace level verbosity. 47 | logLevel: 5 48 | 49 | nodeplugin: 50 | name: nodeplugin 51 | # set user created priorityclassName for csi plugin pods. 
default is 52 | # system-node-critical which is high priority 53 | priorityClassName: system-node-critical 54 | # if you are using rbd-nbd client set this value to OnDelete 55 | updateStrategy: RollingUpdate 56 | 57 | httpMetrics: 58 | # Metrics only available for cephcsi/cephcsi >= 1.2.0 59 | # Specifies whether http metrics should be exposed 60 | enabled: true 61 | # The port of the container to expose the metrics 62 | containerPort: 8080 63 | 64 | service: 65 | # Specifies whether a service should be created for the metrics 66 | enabled: true 67 | # The port to use for the service 68 | servicePort: 8080 69 | type: ClusterIP 70 | 71 | # Annotations for the service 72 | # Example: 73 | # annotations: 74 | # prometheus.io/scrape: "true" 75 | # prometheus.io/port: "8080" 76 | annotations: {} 77 | 78 | clusterIP: "" 79 | 80 | ## List of IP addresses at which the stats-exporter service is available 81 | ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips 82 | ## 83 | externalIPs: [] 84 | 85 | loadBalancerIP: "" 86 | loadBalancerSourceRanges: [] 87 | 88 | registrar: 89 | image: 90 | repository: registry.cn-beijing.aliyuncs.com/dotbalo/csi-node-driver-registrar 91 | tag: v2.0.1 92 | pullPolicy: IfNotPresent 93 | resources: {} 94 | 95 | plugin: 96 | image: 97 | repository: quay.io/cephcsi/cephcsi 98 | tag: v3.3.1 99 | pullPolicy: IfNotPresent 100 | resources: {} 101 | 102 | nodeSelector: {} 103 | 104 | tolerations: [] 105 | 106 | affinity: {} 107 | 108 | # If true, create & use Pod Security Policy resources 109 | # https://kubernetes.io/docs/concepts/policy/pod-security-policy/ 110 | podSecurityPolicy: 111 | enabled: false 112 | 113 | provisioner: 114 | name: provisioner 115 | replicaCount: 3 116 | # if fstype is not specified in storageclass, ext4 is default 117 | defaultFSType: ext4 118 | # deployController to enable or disable the deployment of controller which 119 | # generates the OMAP data if it is not present. 
120 | deployController: true 121 | # Timeout for waiting for creation or deletion of a volume 122 | timeout: 60s 123 | # Hard limit for maximum number of nested volume clones that are taken before 124 | # a flatten occurs 125 | hardMaxCloneDepth: 8 126 | # Soft limit for maximum number of nested volume clones that are taken before 127 | # a flatten occurs 128 | softMaxCloneDepth: 4 129 | # Maximum number of snapshots allowed on rbd image without flattening 130 | maxSnapshotsOnImage: 450 131 | # Minimum number of snapshots allowed on rbd image to trigger flattening 132 | minSnapshotsOnImage: 250 133 | # skip image flattening if the kernel supports mapping of rbd images 134 | # which have the deep-flatten feature 135 | # skipForceFlatten: false 136 | 137 | # set user created priorityclassName for csi provisioner pods. default is 138 | # system-cluster-critical which is lower priority than system-node-critical 139 | priorityClassName: system-cluster-critical 140 | 141 | httpMetrics: 142 | # Metrics only available for cephcsi/cephcsi >= 1.2.0 143 | # Specifies whether http metrics should be exposed 144 | enabled: true 145 | # The port of the container to expose the metrics 146 | containerPort: 8080 147 | 148 | service: 149 | # Specifies whether a service should be created for the metrics 150 | enabled: true 151 | # The port to use for the service 152 | servicePort: 8080 153 | type: ClusterIP 154 | 155 | # Annotations for the service 156 | # Example: 157 | # annotations: 158 | # prometheus.io/scrape: "true" 159 | # prometheus.io/port: "8080" 160 | annotations: {} 161 | 162 | clusterIP: "" 163 | 164 | ## List of IP addresses at which the stats-exporter service is available 165 | ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips 166 | ## 167 | externalIPs: [] 168 | 169 | loadBalancerIP: "" 170 | loadBalancerSourceRanges: [] 171 | 172 | provisioner: 173 | image: 174 | repository: registry.cn-beijing.aliyuncs.com/dotbalo/csi-provisioner 175 | tag: v2.0.4 176 | 
pullPolicy: IfNotPresent 177 | resources: {} 178 | 179 | attacher: 180 | name: attacher 181 | enabled: true 182 | image: 183 | repository: registry.cn-beijing.aliyuncs.com/dotbalo/csi-attacher 184 | tag: v3.0.2 185 | pullPolicy: IfNotPresent 186 | resources: {} 187 | 188 | resizer: 189 | name: resizer 190 | enabled: true 191 | image: 192 | repository: registry.cn-beijing.aliyuncs.com/dotbalo/csi-resizer 193 | tag: v1.0.1 194 | pullPolicy: IfNotPresent 195 | resources: {} 196 | 197 | snapshotter: 198 | image: 199 | repository: registry.cn-beijing.aliyuncs.com/dotbalo/csi-snapshotter 200 | tag: v3.0.2 201 | pullPolicy: IfNotPresent 202 | resources: {} 203 | 204 | nodeSelector: {} 205 | 206 | tolerations: [] 207 | 208 | affinity: {} 209 | 210 | # If true, create & use Pod Security Policy resources 211 | # https://kubernetes.io/docs/concepts/policy/pod-security-policy/ 212 | podSecurityPolicy: 213 | enabled: false 214 | 215 | topology: 216 | # Specifies whether topology based provisioning support should 217 | # be exposed by CSI 218 | enabled: false 219 | # domainLabels define which node labels to use as domains 220 | # for CSI nodeplugins to advertise their domains 221 | # NOTE: the value here serves as an example and needs to be 222 | # updated with node labels that define domains of interest 223 | # Copy from Dotbalo 224 | domainLabels: 225 | - failure-domain/region 226 | - failure-domain/zone 227 | 228 | ######################################################### 229 | # Variables for 'internal' use please use with caution! # 230 | ######################################################### 231 | 232 | # The filename of the provisioner socket 233 | provisionerSocketFile: csi-provisioner.sock 234 | # The filename of the plugin socket 235 | pluginSocketFile: csi.sock 236 | # kubelet working directory, can be set using `--root-dir` when starting kubelet. 
237 | kubeletDir: /var/lib/kubelet 238 | # Name of the csi-driver 239 | driverName: rbd.csi.ceph.com 240 | # Name of the configmap used for state 241 | configMapName: ceph-csi-config 242 | # Key to use in the Configmap if not config.json 243 | # configMapKey: 244 | # Use an externally provided configmap 245 | externallyManagedConfigmap: false 246 | # Name of the configmap used for encryption kms configuration 247 | kmsConfigMapName: ceph-csi-encryption-kms-config 248 | -------------------------------------------------------------------------------- /docs/chap09/9.1.md: -------------------------------------------------------------------------------- 1 | **多个初始化容器使用** 2 | 3 | **myapp.yaml** 4 | 5 | ``` 6 | apiVersion: v1 7 | kind: Pod 8 | metadata: 9 | name: myapp-pod 10 | labels: 11 | app: myapp 12 | spec: 13 | containers: 14 | # 业务应用容器 15 | - name: myapp-container 16 | image: busybox:1.28 17 | command: ['sh', '-c', 'echo The app is running! && sleep 3600'] 18 | # 初始化容器列表 19 | initContainers: 20 | # 第一个初始化容器,等待当前Namespace下的myservice启动 21 | - name: init-myservice 22 | image: busybox:1.28 23 | command: ['sh', '-c', "until nslookup myservice.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for myservice; sleep 2; done"] 24 | # 第二个初始化容器,等待DB的Service启动 25 | - name: init-mydb 26 | image: busybox:1.28 27 | command: ['sh', '-c', "until nslookup mydb.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for mydb; sleep 2; done"] 28 | 29 | ``` 30 | 31 | -------------------------------------------------------------------------------- /docs/chap09/9.5.md: -------------------------------------------------------------------------------- 1 | **亲和力** 2 | 3 | ```` 4 | apiVersion: v1 5 | kind: Pod 6 | metadata: 7 | name: with-node-affinity 8 | spec: 9 | affinity: 10 | nodeAffinity: 11 | requiredDuringSchedulingIgnoredDuringExecution: 12 | nodeSelectorTerms: 13 | - matchExpressions: 14 | - 
key: kubernetes.io/e2e-az-name 15 | operator: In 16 | values: 17 | - e2e-az1 18 | - e2e-az2 19 | preferredDuringSchedulingIgnoredDuringExecution: 20 | - weight: 1 21 | preference: 22 | matchExpressions: 23 | - key: another-node-label-key 24 | operator: In 25 | values: 26 | - another-node-label-value 27 | containers: 28 | - name: with-node-affinity 29 | image: nginx 30 | 31 | ```` 32 | 33 | **Pod亲和力** 34 | 35 | ```` 36 | apiVersion: v1 37 | kind: Pod 38 | metadata: 39 | name: with-pod-affinity 40 | spec: 41 | affinity: 42 | podAffinity: 43 | requiredDuringSchedulingIgnoredDuringExecution: 44 | - labelSelector: 45 | matchExpressions: 46 | - key: security 47 | operator: In 48 | values: 49 | - S1 50 | topologyKey: failure-domain.beta.kubernetes.io/zone 51 | podAntiAffinity: 52 | preferredDuringSchedulingIgnoredDuringExecution: 53 | - weight: 100 54 | podAffinityTerm: 55 | labelSelector: 56 | matchExpressions: 57 | - key: security 58 | operator: In 59 | values: 60 | - S2 61 | topologyKey: failure-domain.beta.kubernetes.io/zone 62 | containers: 63 | - name: with-pod-affinity 64 | image: nginx 65 | ```` 66 | 67 | **示例1:同一个应用部署在不同的宿主机** 68 | 69 | ```` 70 | apiVersion: apps/v1 71 | kind: Deployment 72 | metadata: 73 | labels: 74 | app: must-be-diff-nodes 75 | name: must-be-diff-nodes 76 | namespace: kube-public 77 | spec: 78 | replicas: 3 79 | selector: 80 | matchLabels: 81 | app: must-be-diff-nodes 82 | strategy: 83 | rollingUpdate: 84 | maxSurge: 1 85 | maxUnavailable: 0 86 | type: RollingUpdate 87 | template: 88 | metadata: 89 | labels: 90 | app: must-be-diff-nodes 91 | spec: 92 | affinity: 93 | podAntiAffinity: 94 | requiredDuringSchedulingIgnoredDuringExecution: 95 | - labelSelector: 96 | matchExpressions: 97 | - key: app 98 | operator: In 99 | values: 100 | - test-affinity 101 | topologyKey: kubernetes.io/hostname 102 | containers: 103 | - env: 104 | - name: TZ 105 | value: Asia/Shanghai 106 | - name: LANG 107 | value: C.UTF-8 108 | image: nginx 109 | imagePullPolicy: 
Always 110 | name: must-be-diff-nodes 111 | 112 | ```` 113 | 114 | **示例2:同一个应用不同副本固定节点** 115 | 116 | ```` 117 | apiVersion: apps/v1 118 | kind: Deployment 119 | metadata: 120 | name: redis-cache 121 | spec: 122 | selector: 123 | matchLabels: 124 | app: store 125 | replicas: 3 126 | template: 127 | metadata: 128 | labels: 129 | app: store 130 | spec: 131 | nodeSelector: 132 | app: store 133 | affinity: 134 | podAntiAffinity: 135 | requiredDuringSchedulingIgnoredDuringExecution: 136 | - labelSelector: 137 | matchExpressions: 138 | - key: app 139 | operator: In 140 | values: 141 | - store 142 | topologyKey: "kubernetes.io/hostname" 143 | containers: 144 | - name: redis-server 145 | image: redis:3.2-alpine 146 | 147 | ```` 148 | 149 | **示例3:应用和缓存尽量部署在同一个域内** 150 | 151 | ```` 152 | apiVersion: apps/v1 153 | kind: Deployment 154 | metadata: 155 | name: web-server 156 | spec: 157 | selector: 158 | matchLabels: 159 | app: web-store 160 | replicas: 3 161 | template: 162 | metadata: 163 | labels: 164 | app: web-store 165 | spec: 166 | affinity: 167 | podAntiAffinity: 168 | requiredDuringSchedulingIgnoredDuringExecution: 169 | - labelSelector: 170 | matchExpressions: 171 | - key: app 172 | operator: In 173 | values: 174 | - web-store 175 | topologyKey: "kubernetes.io/hostname" 176 | podAffinity: 177 | requiredDuringSchedulingIgnoredDuringExecution: 178 | - labelSelector: 179 | matchExpressions: 180 | - key: app 181 | operator: In 182 | values: 183 | - store 184 | topologyKey: "kubernetes.io/hostname" 185 | containers: 186 | - name: web-app 187 | image: nginx:1.16-alpine 188 | 189 | 190 | ```` 191 | 192 | -------------------------------------------------------------------------------- /docs/chap10/10.1.md: -------------------------------------------------------------------------------- 1 | resourcequota.yaml 2 | 3 | ```` 4 | apiVersion: v1 5 | kind: ResourceQuota 6 | metadata: 7 | name: resource-test 8 | labels: 9 | app: resourcequota 10 | spec: 11 | hard: 12 | pods: 50 13 | 
requests.cpu: 0.5 14 | requests.memory: 512Mi 15 | limits.cpu: 5 16 | limits.memory: 16Gi 17 | configmaps: 20 18 | requests.storage: 40Gi 19 | persistentvolumeclaims: 20 20 | replicationcontrollers: 20 21 | secrets: 20 22 | services: 50 23 | services.loadbalancers: "2" 24 | services.nodeports: "10" 25 | 26 | ```` 27 | 28 | ​ **quota-objects.yaml** 29 | 30 | ``` 31 | apiVersion: v1 32 | kind: ResourceQuota 33 | metadata: 34 | name: object-quota-demo 35 | spec: 36 | hard: 37 | persistentvolumeclaims: "1" 38 | 39 | ``` 40 | 41 | ​ **pvc.yaml** 42 | 43 | ``` 44 | apiVersion: v1 45 | kind: PersistentVolumeClaim 46 | metadata: 47 | name: pvc-quota-demo 48 | spec: 49 | storageClassName: manual 50 | accessModes: 51 | - ReadWriteOnce 52 | resources: 53 | requests: 54 | storage: 3Gi 55 | 56 | ``` 57 | 58 | ​ **pvc2.yaml** 59 | 60 | ``` 61 | apiVersion: v1 62 | kind: PersistentVolumeClaim 63 | metadata: 64 | name: pvc-quota-demo2 65 | spec: 66 | storageClassName: manual 67 | accessModes: 68 | - ReadWriteOnce 69 | resources: 70 | requests: 71 | storage: 3Gi 72 | 73 | ``` 74 | 75 | 76 | 77 | 78 | 79 | -------------------------------------------------------------------------------- /docs/chap10/10.2.md: -------------------------------------------------------------------------------- 1 | **示例1:配置默认的requests和limits** 2 | 3 | ``` 4 | apiVersion: v1 5 | kind: LimitRange 6 | metadata: 7 | name: cpu-mem-limit-range 8 | spec: 9 | limits: 10 | - default: 11 | cpu: 1 12 | memory: 512Mi 13 | defaultRequest: 14 | cpu: 0.5 15 | memory: 256Mi 16 | type: Container 17 | --- 18 | apiVersion: v1 19 | kind: Pod 20 | metadata: 21 | name: default-cpu-demo 22 | spec: 23 | containers: 24 | - name: default-cpu-demo-ctr 25 | image: nginx 26 | 27 | ``` 28 | 29 | **示例2:配置requests和limits的范围** 30 | 31 | ``` 32 | apiVersion: v1 33 | kind: LimitRange 34 | metadata: 35 | name: cpu-min-max-demo-lr 36 | spec: 37 | limits: 38 | - max: 39 | cpu: "800m" 40 | memory: 1Gi 41 | min: 42 | cpu: "200m" 43 | memory: 
500Mi 44 | type: Container 45 | --- 46 | apiVersion: v1 47 | kind: Pod 48 | metadata: 49 | name: constraints-mem-demo-2 50 | spec: 51 | containers: 52 | - name: constraints-mem-demo-2-ctr 53 | image: nginx 54 | resources: 55 | limits: 56 | memory: "1.5Gi" 57 | requests: 58 | memory: "800Mi" 59 | 60 | ``` 61 | 62 | ``` 63 | apiVersion: v1 64 | kind: Pod 65 | metadata: 66 | name: constraints-mem-demo-3 67 | spec: 68 | containers: 69 | - name: constraints-mem-demo-3-ctr 70 | image: nginx 71 | resources: 72 | limits: 73 | memory: "800Mi" 74 | requests: 75 | memory: "100Mi" 76 | 77 | ``` 78 | 79 | **示例3:限制申请存储空间的大小** 80 | 81 | ``` 82 | apiVersion: v1 83 | kind: LimitRange 84 | metadata: 85 | name: storagelimits 86 | spec: 87 | limits: 88 | - type: PersistentVolumeClaim 89 | max: 90 | storage: 2Gi 91 | min: 92 | storage: 1Gi 93 | 94 | ``` 95 | 96 | 97 | 98 | -------------------------------------------------------------------------------- /docs/chap10/10.3.md: -------------------------------------------------------------------------------- 1 | **示例1:实现QoS为Guaranteed的Pod** 2 | 3 | ​ **qos-pod.yaml** 4 | 5 | ```` 6 | apiVersion: v1 7 | kind: Pod 8 | metadata: 9 | name: qos-demo 10 | namespace: qos-example 11 | spec: 12 | containers: 13 | - name: qos-demo-ctr 14 | image: nginx 15 | resources: 16 | limits: 17 | memory: "200Mi" 18 | cpu: "700m" 19 | requests: 20 | memory: "200Mi" 21 | cpu: "700m" 22 | 23 | ```` 24 | 25 | **示例2:实现QoS为Burstable的Pod** 26 | 27 | ​ **qos-pod-2.yaml** 28 | 29 | ``` 30 | apiVersion: v1 31 | kind: Pod 32 | metadata: 33 | name: qos-demo-2 34 | namespace: qos-example 35 | spec: 36 | containers: 37 | - name: qos-demo-2-ctr 38 | image: nginx 39 | resources: 40 | limits: 41 | memory: "200Mi" 42 | requests: 43 | memory: "100Mi" 44 | 45 | ``` 46 | 47 | **示例3:实现QoS为BestEffort的Pod** 48 | 49 | **qos-pod-3.yaml** 50 | 51 | ``` 52 | apiVersion: v1 53 | kind: Pod 54 | metadata: 55 | name: qos-demo-3 56 | namespace: qos-example 57 | spec: 58 | containers: 59 | - 
name: qos-demo-3-ctr 60 | image: nginx 61 | 62 | ``` 63 | 64 | -------------------------------------------------------------------------------- /docs/chap11/11.1.md: -------------------------------------------------------------------------------- 1 | ​ **pod-exec-cr.yaml** 2 | 3 | ``` 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | kind: ClusterRole 6 | metadata: 7 | name: pod-exec 8 | rules: 9 | - apiGroups: 10 | - "" 11 | resources: 12 | - pods 13 | - pods/log 14 | verbs: 15 | - get 16 | - list 17 | - apiGroups: 18 | - "" 19 | resources: 20 | - pods/exec #之前提到的子资源 21 | verbs: 22 | - create 23 | 24 | ``` 25 | 26 | ​ **ns-readonly.yaml** 27 | 28 | ``` 29 | apiVersion: rbac.authorization.k8s.io/v1 30 | kind: ClusterRole 31 | metadata: 32 | name: namespace-readonly 33 | rules: 34 | - apiGroups: 35 | - "" 36 | resources: 37 | - namespaces 38 | verbs: 39 | - get 40 | - list 41 | - watch 42 | - apiGroups: 43 | - metrics.k8s.io 44 | resources: 45 | - pods 46 | verbs: 47 | - get 48 | - list 49 | - watch 50 | 51 | ``` 52 | 53 | -------------------------------------------------------------------------------- /docs/chap11/11.2.md: -------------------------------------------------------------------------------- 1 | **mysql-redis-nw.yaml** 2 | 3 | ``` 4 | apiVersion: networking.k8s.io/v1 5 | kind: NetworkPolicy 6 | metadata: 7 | name: mysql-np 8 | namespace: nw-demo 9 | spec: 10 | podSelector: 11 | matchLabels: 12 | app: mysql 13 | policyTypes: 14 | - Ingress 15 | ingress: 16 | - from: 17 | - namespaceSelector: 18 | matchLabels: 19 | access-nw-mysql-redis: "true" 20 | ports: 21 | - protocol: TCP 22 | port: 3306 23 | --- 24 | apiVersion: networking.k8s.io/v1 25 | kind: NetworkPolicy 26 | metadata: 27 | name: redis-np 28 | namespace: nw-demo 29 | spec: 30 | podSelector: 31 | matchLabels: 32 | app: redis 33 | policyTypes: 34 | - Ingress 35 | ingress: 36 | - from: 37 | - namespaceSelector: 38 | matchLabels: 39 | access-nw-mysql-redis: "true" 40 | ports: 41 | - protocol: TCP 42 | 
port: 6379 43 | 44 | ``` 45 | 46 | ​ **nginx-nw.yaml** 47 | 48 | ``` 49 | apiVersion: networking.k8s.io/v1 50 | kind: NetworkPolicy 51 | metadata: 52 | name: nginx-np 53 | namespace: nw-demo 54 | spec: 55 | podSelector: 56 | matchLabels: 57 | app: nginx 58 | policyTypes: 59 | - Ingress 60 | ingress: 61 | - from: 62 | - namespaceSelector: 63 | matchLabels: 64 | app.kubernetes.io/name: ingress-nginx 65 | podSelector: 66 | matchLabels: 67 | "app.kubernetes.io/name": ingress-nginx 68 | - podSelector: {} 69 | ports: 70 | - protocol: TCP 71 | port: 80 72 | 73 | ``` 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | -------------------------------------------------------------------------------- /docs/chap12/12.5.md: -------------------------------------------------------------------------------- 1 | **volumeClaimTemplates** 2 | 3 | ``` 4 | apiVersion: v1 5 | kind: Service 6 | metadata: 7 | name: nginx 8 | labels: 9 | app: nginx 10 | spec: 11 | ports: 12 | - port: 80 13 | name: web 14 | clusterIP: None 15 | selector: 16 | app: nginx 17 | --- 18 | apiVersion: apps/v1 19 | kind: StatefulSet 20 | metadata: 21 | name: web 22 | spec: 23 | selector: 24 | matchLabels: 25 | app: nginx # has to match .spec.template.metadata.labels 26 | serviceName: "nginx" 27 | replicas: 3 # by default is 1 28 | template: 29 | metadata: 30 | labels: 31 | app: nginx # has to match .spec.selector.matchLabels 32 | spec: 33 | terminationGracePeriodSeconds: 10 34 | containers: 35 | - name: nginx 36 | image: nginx 37 | ports: 38 | - containerPort: 80 39 | name: web 40 | volumeMounts: 41 | - name: www 42 | mountPath: /usr/share/nginx/html 43 | volumeClaimTemplates: 44 | - metadata: 45 | name: www 46 | spec: 47 | accessModes: [ "ReadWriteOnce" ] 48 | storageClassName: "rook-ceph-block" 49 | resources: 50 | requests: 51 | storage: 1Gi 52 | 53 | ``` 54 | 55 | -------------------------------------------------------------------------------- /docs/chap12/12.8.md: 
-------------------------------------------------------------------------------- 1 | ​ **pvc-restore.yaml** 2 | 3 | ``` 4 | --- 5 | apiVersion: v1 6 | kind: PersistentVolumeClaim 7 | metadata: 8 | name: rbd-pvc-restore 9 | spec: 10 | storageClassName: rook-ceph-block 11 | dataSource: 12 | name: rbd-pvc-snapshot 13 | kind: VolumeSnapshot 14 | apiGroup: snapshot.storage.k8s.io 15 | accessModes: 16 | - ReadWriteOnce 17 | resources: 18 | requests: 19 | storage: 3Gi 20 | 21 | ``` 22 | 23 | ​ **restore-check-snapshot-rbd.yaml** 24 | 25 | ``` 26 | --- 27 | apiVersion: apps/v1 28 | kind: Deployment 29 | metadata: 30 | name: check-snapshot-restore 31 | spec: 32 | selector: 33 | matchLabels: 34 | app: check 35 | strategy: 36 | type: Recreate 37 | template: 38 | metadata: 39 | labels: 40 | app: check 41 | spec: 42 | containers: 43 | - image: alpine:3.8 44 | name: check 45 | command: 46 | - sh 47 | - -c 48 | - sleep 36000 49 | volumeMounts: 50 | - name: check-mysql-persistent-storage 51 | mountPath: /mnt 52 | volumes: 53 | - name: check-mysql-persistent-storage 54 | persistentVolumeClaim: 55 | claimName: rbd-pvc-restore 56 | 57 | ``` 58 | 59 | -------------------------------------------------------------------------------- /docs/chap12/12.9.md: -------------------------------------------------------------------------------- 1 | ​ **pvc-clone.yaml** 2 | 3 | ```` 4 | apiVersion: v1 5 | kind: PersistentVolumeClaim 6 | metadata: 7 | name: rbd-pvc-clone 8 | spec: 9 | storageClassName: rook-ceph-block 10 | dataSource: 11 | name: mysql-pv-claim 12 | kind: PersistentVolumeClaim 13 | accessModes: 14 | - ReadWriteOnce 15 | resources: 16 | requests: 17 | storage: 3Gi 18 | 19 | ```` 20 | 21 | -------------------------------------------------------------------------------- /docs/chap15/15.3.md: -------------------------------------------------------------------------------- 1 | **vim etcd-svc.yaml** 2 | 3 | ``` 4 | apiVersion: v1 5 | kind: Endpoints 6 | metadata: 7 | labels: 8 | app: 
etcd-prom 9 | name: etcd-prom 10 | namespace: kube-system 11 | subsets: 12 | - addresses: 13 | - ip: YOUR_ETCD_IP01 14 | - ip: YOUR_ETCD_IP02 15 | - ip: YOUR_ETCD_IP03 16 | ports: 17 | - name: https-metrics 18 | port: 2379 # etcd端口 19 | protocol: TCP 20 | apiVersion: v1 21 | kind: Service 22 | metadata: 23 | labels: 24 | app: etcd-prom 25 | name: etcd-prom 26 | namespace: kube-system 27 | spec: 28 | ports: 29 | - name: https-metrics 30 | port: 2379 31 | protocol: TCP 32 | targetPort: 2379 33 | type: ClusterIP 34 | 35 | ``` 36 | 37 | ​ **servicemonitor.yaml** 38 | 39 | ``` 40 | apiVersion: monitoring.coreos.com/v1 41 | kind: ServiceMonitor 42 | metadata: 43 | name: etcd 44 | namespace: monitoring 45 | labels: 46 | app: etcd 47 | spec: 48 | jobLabel: k8s-app 49 | endpoints: 50 | - interval: 30s 51 | port: https-metrics # 这个port对应 Service.spec.ports.name 52 | scheme: https 53 | tlsConfig: 54 | caFile: /etc/prometheus/secrets/etcd-ssl/etcd-ca.pem #证书路径 55 | certFile: /etc/prometheus/secrets/etcd-ssl/etcd.pem 56 | keyFile: /etc/prometheus/secrets/etcd-ssl/etcd-key.pem 57 | insecureSkipVerify: true # 关闭证书校验 58 | selector: 59 | matchLabels: 60 | app: etcd-prom # 跟Service的lables保持一致 61 | namespaceSelector: 62 | matchNames: 63 | - kube-system 64 | 65 | ``` 66 | 67 | ​ **mysql-exporter.yaml** 68 | 69 | ``` 70 | --- 71 | apiVersion: apps/v1 72 | kind: Deployment 73 | metadata: 74 | name: mysql-exporter 75 | namespace: monitoring 76 | spec: 77 | replicas: 1 78 | selector: 79 | matchLabels: 80 | k8s-app: mysql-exporter 81 | template: 82 | metadata: 83 | labels: 84 | k8s-app: mysql-exporter 85 | spec: 86 | containers: 87 | - name: mysql-exporter 88 | image: registry.cn-beijing.aliyuncs.com/dotbalo/mysqld-exporter 89 | env: 90 | - name: DATA_SOURCE_NAME 91 | value: "exporter:exporter@(mysql.default:3306)/" 92 | imagePullPolicy: IfNotPresent 93 | ports: 94 | - containerPort: 9104 95 | --- 96 | apiVersion: v1 97 | kind: Service 98 | metadata: 99 | name: mysql-exporter 100 | 
namespace: monitoring 101 | labels: 102 | k8s-app: mysql-exporter 103 | spec: 104 | type: ClusterIP 105 | selector: 106 | k8s-app: mysql-exporter 107 | ports: 108 | - name: api 109 | port: 9104 110 | protocol: TCP 111 | 112 | ``` 113 | 114 | ​ **mysql-sm.yaml** 115 | 116 | ``` 117 | apiVersion: monitoring.coreos.com/v1 118 | kind: ServiceMonitor 119 | metadata: 120 | name: mysql-exporter 121 | namespace: monitoring 122 | labels: 123 | k8s-app: mysql-exporter 124 | namespace: monitoring 125 | spec: 126 | jobLabel: k8s-app 127 | endpoints: 128 | - port: api 129 | interval: 30s 130 | scheme: http 131 | selector: 132 | matchLabels: 133 | k8s-app: mysql-exporter 134 | namespaceSelector: 135 | matchNames: 136 | - monitoring 137 | 138 | ``` 139 | 140 | -------------------------------------------------------------------------------- /docs/chap16/16.10.md: -------------------------------------------------------------------------------- 1 | ​ **vim auth-rate-limit.yaml** 2 | 3 | ``` 4 | apiVersion: networking.k8s.io/v1 5 | kind: Ingress 6 | metadata: 7 | annotations: 8 | nginx.ingress.kubernetes.io/auth-realm: Please Input Your Username and Password 9 | nginx.ingress.kubernetes.io/auth-secret: basic-auth 10 | nginx.ingress.kubernetes.io/auth-type: basic 11 | nginx.ingress.kubernetes.io/limit-connections: "1" 12 | name: ingress-with-auth 13 | namespace: study-ingress 14 | spec: 15 | ingressClassName: nginx 16 | rules: 17 | - host: auth.test.com 18 | http: 19 | paths: 20 | - backend: 21 | service: 22 | name: nginx 23 | port: 24 | number: 80 25 | path: / 26 | pathType: ImplementationSpecific 27 | 28 | ``` 29 | 30 | -------------------------------------------------------------------------------- /docs/chap16/16.11.md: -------------------------------------------------------------------------------- 1 | ​ **vim canary-v2.yaml** 2 | 3 | ``` 4 | apiVersion: networking.k8s.io/v1 5 | kind: Ingress 6 | metadata: 7 | annotations: 8 | nginx.ingress.kubernetes.io/canary: "true" 9 | 
nginx.ingress.kubernetes.io/canary-weight: "10" 10 | name: canary-v2 11 | namespace: canary 12 | spec: 13 | ingressClassName: nginx 14 | rules: 15 | - host: canary.com 16 | http: 17 | paths: 18 | - backend: 19 | service: 20 | name: canary-v2 21 | port: 22 | number: 8080 23 | path: / 24 | pathType: ImplementationSpecific 25 | 26 | ``` 27 | 28 | -------------------------------------------------------------------------------- /docs/chap16/16.2.md: -------------------------------------------------------------------------------- 1 | **vim web-ingress.yaml** 2 | 3 | ``` 4 | apiVersion: networking.k8s.io/v1 5 | kind: Ingress 6 | metadata: 7 | name: nginx-ingress 8 | namespace: study-ingress 9 | spec: 10 | ingressClassName: nginx 11 | rules: 12 | - host: nginx.test.com 13 | http: 14 | paths: 15 | - backend: 16 | service: 17 | name: nginx 18 | port: 19 | number: 80 20 | path: / 21 | pathType: ImplementationSpecific 22 | 23 | ``` 24 | 25 | **v1beta1** 26 | 27 | ``` 28 | apiVersion: networking.k8s.io/v1beta1 29 | kind: Ingress 30 | metadata: 31 | name: nginx-ingress 32 | namespace: study-ingress 33 | spec: 34 | rules: 35 | - host: nginx.test.com 36 | http: 37 | paths: 38 | - backend: 39 | serviceName: nginx 40 | servicePort: 80 41 | path: / 42 | pathType: ImplementationSpecific 43 | 44 | ``` 45 | 46 | -------------------------------------------------------------------------------- /docs/chap16/16.3.md: -------------------------------------------------------------------------------- 1 | **vim redirect.yaml** 2 | 3 | ``` 4 | apiVersion: networking.k8s.io/v1 5 | kind: Ingress 6 | metadata: 7 | annotations: 8 | nginx.ingress.kubernetes.io/permanent-redirect: https://www.baidu.com 9 | name: nginx-redirect 10 | namespace: study-ingress 11 | spec: 12 | ingressClassName: nginx 13 | rules: 14 | - host: nginx.redirect.com 15 | http: 16 | paths: 17 | - backend: 18 | service: 19 | name: nginx 20 | port: 21 | number: 80 22 | path: / 23 | pathType: ImplementationSpecific 24 | 25 | ``` 26 | 
27 | -------------------------------------------------------------------------------- /docs/chap16/16.4.md: -------------------------------------------------------------------------------- 1 | **vim redirect.yaml** 2 | 3 | ``` 4 | apiVersion: networking.k8s.io/v1 5 | kind: Ingress 6 | metadata: 7 | annotations: 8 | nginx.ingress.kubernetes.io/rewrite-target: /$2 9 | name: backend-api 10 | namespace: study-ingress 11 | spec: 12 | ingressClassName: nginx 13 | rules: 14 | - host: nginx.test.com 15 | http: 16 | paths: 17 | - backend: 18 | service: 19 | name: backend-api 20 | port: 21 | number: 80 22 | path: /api-a(/|$)(.*) 23 | pathType: ImplementationSpecific 24 | 25 | ``` 26 | 27 | -------------------------------------------------------------------------------- /docs/chap16/16.6.md: -------------------------------------------------------------------------------- 1 | **vim ingress-ssl.yaml** 2 | 3 | ``` 4 | apiVersion: networking.k8s.io/v1 5 | kind: Ingress 6 | metadata: 7 | creationTimestamp: null 8 | name: nginx-ingress 9 | spec: 10 | ingressClassName: nginx 11 | rules: 12 | - host: nginx.test.com 13 | http: 14 | paths: 15 | - backend: 16 | service: 17 | name: nginx 18 | port: 19 | number: 80 20 | path: / 21 | pathType: ImplementationSpecific 22 | tls: 23 | - hosts: 24 | - nginx.test.com 25 | secretName: ca-secret 26 | 27 | ``` 28 | 29 | -------------------------------------------------------------------------------- /docs/chap16/16.7.md: -------------------------------------------------------------------------------- 1 | **vim laptop-ingress.yaml** 2 | 3 | ``` 4 | apiVersion: networking.k8s.io/v1 5 | kind: Ingress 6 | metadata: 7 | annotations: 8 | nginx.ingress.kubernetes.io/server-snippet: | 9 | set $agentflag 0; 10 | if ($http_user_agent ~* "(Android|iPhone|Windows Phone|UC|Kindle)" ){ 11 | set $agentflag 1; 12 | } 13 | if ( $agentflag = 1 ) { 14 | return 301 http://m.test.com; 15 | } 16 | name: laptop 17 | namespace: study-ingress 18 | spec: 19 | 
ingressClassName: nginx 20 | rules: 21 | - host: test.com 22 | http: 23 | paths: 24 | - backend: 25 | service: 26 | name: laptop 27 | port: 28 | number: 80 29 | path: / 30 | pathType: ImplementationSpecific 31 | 32 | ``` 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /docs/chap16/16.8.md: -------------------------------------------------------------------------------- 1 | **vim ingress-with-auth.yaml** 2 | 3 | ``` 4 | apiVersion: networking.k8s.io/v1 5 | kind: Ingress 6 | metadata: 7 | annotations: 8 | nginx.ingress.kubernetes.io/auth-realm: Please Input Your Username and Password 9 | nginx.ingress.kubernetes.io/auth-secret: basic-auth 10 | nginx.ingress.kubernetes.io/auth-type: basic 11 | name: ingress-with-auth 12 | namespace: study-ingress 13 | spec: 14 | ingressClassName: nginx 15 | rules: 16 | - host: auth.test.com 17 | http: 18 | paths: 19 | - backend: 20 | service: 21 | name: nginx 22 | port: 23 | number: 80 24 | path: / 25 | pathType: ImplementationSpecific 26 | 27 | ``` 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /docs/chap16/16.9.md: -------------------------------------------------------------------------------- 1 | **vim auth-whitelist.yaml** 2 | 3 | ``` 4 | apiVersion: networking.k8s.io/v1 5 | kind: Ingress 6 | metadata: 7 | annotations: 8 | nginx.ingress.kubernetes.io/auth-realm: Please Input Your Username and Password 9 | nginx.ingress.kubernetes.io/auth-secret: basic-auth 10 | nginx.ingress.kubernetes.io/auth-type: basic 11 | nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.10.128 12 | name: ingress-with-auth 13 | namespace: study-ingress 14 | spec: 15 | ingressClassName: nginx 16 | rules: 17 | - host: auth.test.com 18 | http: 19 | paths: 20 | - backend: 21 | service: 22 | name: nginx 23 | port: 24 | number: 80 25 | path: / 26 | pathType: ImplementationSpecific 27 | 28 | ``` 29 | 30 | 
-------------------------------------------------------------------------------- /docs/chap17/17.10.md: -------------------------------------------------------------------------------- 1 | **Jenkinsfile** 2 | 3 | ``` 4 | pipeline { 5 | agent { 6 | kubernetes { 7 | cloud 'kubernetes-study' 8 | slaveConnectTimeout 1200 9 | yaml ''' 10 | apiVersion: v1 11 | kind: Pod 12 | spec: 13 | containers: 14 | # 只需要配置jnlp和kubectl镜像即可 15 | - args: [\'$(JENKINS_SECRET)\', \'$(JENKINS_NAME)\'] 16 | image: 'registry.cn-beijing.aliyuncs.com/citools/jnlp:alpine' 17 | name: jnlp 18 | imagePullPolicy: IfNotPresent 19 | - command: 20 | - "cat" 21 | env: 22 | - name: "LANGUAGE" 23 | value: "en_US:en" 24 | - name: "LC_ALL" 25 | value: "en_US.UTF-8" 26 | - name: "LANG" 27 | value: "en_US.UTF-8" 28 | image: "registry.cn-beijing.aliyuncs.com/citools/kubectl:self-1.17" 29 | imagePullPolicy: "IfNotPresent" 30 | name: "kubectl" 31 | tty: true 32 | restartPolicy: "Never" 33 | ''' 34 | } 35 | } 36 | 37 | stages { 38 | stage('Deploy') { 39 | environment { 40 | MY_KUBECONFIG = credentials('study-k8s-kubeconfig') 41 | } 42 | steps { 43 | container(name: 'kubectl'){ 44 | sh """ 45 | echo ${IMAGE_TAG} # 该变量即为前台选择的镜像 46 | kubectl --kubeconfig=${MY_KUBECONFIG} set image deployment -l app=${IMAGE_NAME} ${IMAGE_NAME}=${HARBOR_ADDRESS}/${IMAGE_TAG} -n ${NAMESPACE} 47 | kubectl --kubeconfig=${MY_KUBECONFIG} get po -l app=${IMAGE_NAME} -n ${NAMESPACE} -w 48 | """ 49 | } 50 | } 51 | } 52 | } 53 | environment { 54 | HARBOR_ADDRESS = "HARBOR_ADDRESS" 55 | NAMESPACE = "kubernetes" 56 | IMAGE_NAME = "go-project" 57 | TAG = "" 58 | } 59 | } 60 | 61 | ``` 62 | 63 | -------------------------------------------------------------------------------- /docs/chap17/17.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dotbalo/kubernetes-guide/2ad8430faef01c7f6d5df7f11d72483f3f1587a7/docs/chap17/17.6 
-------------------------------------------------------------------------------- /docs/chap17/17.6.md: -------------------------------------------------------------------------------- 1 | **Jenkinsfile** 2 | 3 | ``` 4 | pipeline { 5 | agent { 6 | kubernetes { 7 | cloud 'kubernetes-study' 8 | slaveConnectTimeout 1200 9 | workspaceVolume hostPathWorkspaceVolume(hostPath: "/opt/workspace", readOnly: false) 10 | yaml ''' 11 | apiVersion: v1 12 | kind: Pod 13 | spec: 14 | containers: 15 | - args: [\'$(JENKINS_SECRET)\', \'$(JENKINS_NAME)\'] 16 | image: 'registry.cn-beijing.aliyuncs.com/citools/jnlp:alpine' 17 | name: jnlp 18 | imagePullPolicy: IfNotPresent 19 | volumeMounts: 20 | - mountPath: "/etc/localtime" 21 | name: "localtime" 22 | readOnly: false 23 | - command: 24 | - "cat" 25 | env: 26 | - name: "LANGUAGE" 27 | value: "en_US:en" 28 | - name: "LC_ALL" 29 | value: "en_US.UTF-8" 30 | - name: "LANG" 31 | value: "en_US.UTF-8" 32 | image: "registry.cn-beijing.aliyuncs.com/citools/maven:3.5.3" 33 | imagePullPolicy: "IfNotPresent" 34 | name: "build" 35 | tty: true 36 | volumeMounts: 37 | - mountPath: "/etc/localtime" 38 | name: "localtime" 39 | - mountPath: "/root/.m2/" 40 | name: "cachedir" 41 | readOnly: false 42 | - command: 43 | - "cat" 44 | env: 45 | - name: "LANGUAGE" 46 | value: "en_US:en" 47 | - name: "LC_ALL" 48 | value: "en_US.UTF-8" 49 | - name: "LANG" 50 | value: "en_US.UTF-8" 51 | image: "registry.cn-beijing.aliyuncs.com/citools/kubectl:self-1.17" 52 | imagePullPolicy: "IfNotPresent" 53 | name: "kubectl" 54 | tty: true 55 | volumeMounts: 56 | - mountPath: "/etc/localtime" 57 | name: "localtime" 58 | readOnly: false 59 | - command: 60 | - "cat" 61 | env: 62 | - name: "LANGUAGE" 63 | value: "en_US:en" 64 | - name: "LC_ALL" 65 | value: "en_US.UTF-8" 66 | - name: "LANG" 67 | value: "en_US.UTF-8" 68 | image: "registry.cn-beijing.aliyuncs.com/citools/docker:19.03.9-git" 69 | imagePullPolicy: "IfNotPresent" 70 | name: "docker" 71 | tty: true 72 | volumeMounts: 73 
| - mountPath: "/etc/localtime" 74 | name: "localtime" 75 | readOnly: false 76 | - mountPath: "/var/run/docker.sock" 77 | name: "dockersock" 78 | readOnly: false 79 | restartPolicy: "Never" 80 | nodeSelector: 81 | build: "true" 82 | securityContext: {} 83 | volumes: 84 | - hostPath: 85 | path: "/var/run/docker.sock" 86 | name: "dockersock" 87 | - hostPath: 88 | path: "/usr/share/zoneinfo/Asia/Shanghai" 89 | name: "localtime" 90 | - name: "cachedir" 91 | hostPath: 92 | path: "/opt/m2" 93 | ''' 94 | } 95 | } 96 | stages { 97 | stage('Pulling Code') { 98 | parallel { 99 | stage('Pulling Code by Jenkins') { 100 | when { 101 | expression { 102 | env.gitlabBranch == null 103 | } 104 | 105 | } 106 | steps { 107 | git(changelog: true, poll: true, url: 'git@CHANGE_HERE_FOR_YOUR_GITLAB_URL:root/spring-boot-project.git', branch: "${BRANCH}", credentialsId: 'gitlab-key') 108 | script { 109 | COMMIT_ID = sh(returnStdout: true, script: "git log -n 1 --pretty=format:'%h'").trim() 110 | TAG = BUILD_TAG + '-' + COMMIT_ID 111 | println "Current branch is ${BRANCH}, Commit ID is ${COMMIT_ID}, Image TAG is ${TAG}" 112 | 113 | } 114 | 115 | } 116 | } 117 | 118 | stage('Pulling Code by trigger') { 119 | when { 120 | expression { 121 | env.gitlabBranch != null 122 | } 123 | 124 | } 125 | steps { 126 | git(url: 'git@CHANGE_HERE_FOR_YOUR_GITLAB_URL:root/spring-boot-project.git', branch: env.gitlabBranch, changelog: true, poll: true, credentialsId: 'gitlab-key') 127 | script { 128 | COMMIT_ID = sh(returnStdout: true, script: "git log -n 1 --pretty=format:'%h'").trim() 129 | TAG = BUILD_TAG + '-' + COMMIT_ID 130 | println "Current branch is ${env.gitlabBranch}, Commit ID is ${COMMIT_ID}, Image TAG is ${TAG}" 131 | } 132 | 133 | } 134 | } 135 | 136 | } 137 | } 138 | 139 | stage('Building') { 140 | steps { 141 | container(name: 'build') { 142 | sh """ 143 | curl repo.maven.apache.org 144 | mvn clean install -DskipTests 145 | ls target/* 146 | """ 147 | } 148 | } 149 | } 150 | 151 | 
stage('Docker build for creating image') { 152 | environment { 153 | HARBOR_USER = credentials('HARBOR_ACCOUNT') 154 | } 155 | steps { 156 | container(name: 'docker') { 157 | sh """ 158 | echo ${HARBOR_USER_USR} ${HARBOR_USER_PSW} ${TAG} 159 | docker build -t ${HARBOR_ADDRESS}/${REGISTRY_DIR}/${IMAGE_NAME}:${TAG} . 160 | docker login -u ${HARBOR_USER_USR} -p ${HARBOR_USER_PSW} ${HARBOR_ADDRESS} 161 | docker push ${HARBOR_ADDRESS}/${REGISTRY_DIR}/${IMAGE_NAME}:${TAG} 162 | """ 163 | } 164 | } 165 | } 166 | 167 | stage('Deploying to K8s') { 168 | environment { 169 | MY_KUBECONFIG = credentials('study-k8s-kubeconfig') 170 | } 171 | steps { 172 | container(name: 'kubectl'){ 173 | sh """ 174 | /usr/local/bin/kubectl --kubeconfig $MY_KUBECONFIG set image deploy -l app=${IMAGE_NAME} ${IMAGE_NAME}=${HARBOR_ADDRESS}/${REGISTRY_DIR}/${IMAGE_NAME}:${TAG} -n $NAMESPACE 175 | """ 176 | } 177 | } 178 | } 179 | 180 | } 181 | environment { 182 | COMMIT_ID = "" 183 | HARBOR_ADDRESS = "CHANGE_HERE_FOR_YOUR_HARBOR_URL" 184 | REGISTRY_DIR = "kubernetes" 185 | IMAGE_NAME = "spring-boot-project" 186 | NAMESPACE = "kubernetes" 187 | TAG = "" 188 | } 189 | parameters { 190 | gitParameter(branch: '', branchFilter: 'origin/(.*)', defaultValue: '', description: 'Branch for build and deploy', name: 'BRANCH', quickFilterEnabled: false, selectedValue: 'NONE', sortMode: 'NONE', tagFilter: '*', type: 'PT_BRANCH') 191 | } 192 | } 193 | 194 | ``` 195 | 196 | **Dockerfile** 197 | 198 | ``` 199 | # 基础镜像可以按需修改,可以更改为公司自有镜像 200 | FROM registry.cn-beijing.aliyuncs.com/dotbalo/jre:8u211-data 201 | # jar包名称改成实际的名称,本示例为spring-cloud-eureka-0.0.1-SNAPSHOT.jar 202 | COPY target/spring-cloud-eureka-0.0.1-SNAPSHOT.jar ./ 203 | # 启动Jar包 204 | CMD java -jar spring-cloud-eureka-0.0.1-SNAPSHOT.jar 205 | 206 | ``` 207 | 208 | **Deployment/Service/Ingress** 209 | 210 | ``` 211 | --- 212 | apiVersion: v1 213 | kind: Service 214 | metadata: 215 | creationTimestamp: null 216 | labels: 217 | app: spring-boot-project 218 | 
name: spring-boot-project 219 | namespace: kubernetes 220 | spec: 221 | ports: 222 | - name: web 223 | port: 8761 224 | protocol: TCP 225 | targetPort: 8761 226 | selector: 227 | app: spring-boot-project 228 | sessionAffinity: None 229 | type: ClusterIP 230 | status: 231 | loadBalancer: {} 232 | --- 233 | apiVersion: networking.k8s.io/v1 234 | kind: Ingress 235 | metadata: 236 | creationTimestamp: null 237 | name: spring-boot-project 238 | namespace: kubernetes 239 | spec: 240 | rules: 241 | - host: spring-boot-project.test.com 242 | http: 243 | paths: 244 | - backend: 245 | service: 246 | name: spring-boot-project 247 | port: 248 | number: 8761 249 | path: / 250 | pathType: ImplementationSpecific 251 | status: 252 | loadBalancer: {} 253 | --- 254 | apiVersion: apps/v1 255 | kind: Deployment 256 | metadata: 257 | creationTimestamp: null 258 | labels: 259 | app: spring-boot-project 260 | name: spring-boot-project 261 | namespace: kubernetes 262 | spec: 263 | replicas: 1 264 | selector: 265 | matchLabels: 266 | app: spring-boot-project 267 | strategy: 268 | rollingUpdate: 269 | maxSurge: 1 270 | maxUnavailable: 0 271 | type: RollingUpdate 272 | template: 273 | metadata: 274 | creationTimestamp: null 275 | labels: 276 | app: spring-boot-project 277 | spec: 278 | affinity: 279 | podAntiAffinity: 280 | preferredDuringSchedulingIgnoredDuringExecution: 281 | - podAffinityTerm: 282 | labelSelector: 283 | matchExpressions: 284 | - key: app 285 | operator: In 286 | values: 287 | - spring-boot-project 288 | topologyKey: kubernetes.io/hostname 289 | weight: 100 290 | containers: 291 | - env: 292 | - name: TZ 293 | value: Asia/Shanghai 294 | - name: LANG 295 | value: C.UTF-8 296 | image: nginx 297 | imagePullPolicy: IfNotPresent 298 | lifecycle: {} 299 | livenessProbe: 300 | failureThreshold: 2 301 | initialDelaySeconds: 30 302 | periodSeconds: 10 303 | successThreshold: 1 304 | tcpSocket: 305 | port: 8761 306 | timeoutSeconds: 2 307 | name: spring-boot-project 308 | ports: 309 
| - containerPort: 8761 310 | name: web 311 | protocol: TCP 312 | readinessProbe: 313 | failureThreshold: 2 314 | initialDelaySeconds: 30 315 | periodSeconds: 10 316 | successThreshold: 1 317 | tcpSocket: 318 | port: 8761 319 | timeoutSeconds: 2 320 | resources: 321 | limits: 322 | cpu: 994m 323 | memory: 1170Mi 324 | requests: 325 | cpu: 10m 326 | memory: 55Mi 327 | dnsPolicy: ClusterFirst 328 | imagePullSecrets: 329 | - name: harborkey 330 | restartPolicy: Always 331 | securityContext: {} 332 | serviceAccountName: default 333 | 334 | ``` 335 | 336 | -------------------------------------------------------------------------------- /docs/chap17/17.7.md: -------------------------------------------------------------------------------- 1 | **Jenkinsfile** 2 | 3 | ``` 4 | pipeline { 5 | agent { 6 | kubernetes { 7 | cloud 'kubernetes-study' 8 | slaveConnectTimeout 1200 9 | workspaceVolume hostPathWorkspaceVolume(hostPath: "/opt/workspace", readOnly: false) 10 | yaml ''' 11 | apiVersion: v1 12 | kind: Pod 13 | spec: 14 | containers: 15 | - args: [\'$(JENKINS_SECRET)\', \'$(JENKINS_NAME)\'] 16 | image: 'registry.cn-beijing.aliyuncs.com/citools/jnlp:alpine' 17 | name: jnlp 18 | imagePullPolicy: IfNotPresent 19 | volumeMounts: 20 | - mountPath: "/etc/localtime" 21 | name: "localtime" 22 | readOnly: false 23 | - command: 24 | - "cat" 25 | env: 26 | - name: "LANGUAGE" 27 | value: "en_US:en" 28 | - name: "LC_ALL" 29 | value: "en_US.UTF-8" 30 | - name: "LANG" 31 | value: "en_US.UTF-8" 32 | image: "registry.cn-beijing.aliyuncs.com/citools/node:lts" 33 | imagePullPolicy: "IfNotPresent" 34 | name: "build" 35 | tty: true 36 | volumeMounts: 37 | - mountPath: "/etc/localtime" 38 | name: "localtime" 39 | - mountPath: "/root/.m2/" 40 | name: "cachedir" 41 | readOnly: false 42 | - command: 43 | - "cat" 44 | env: 45 | - name: "LANGUAGE" 46 | value: "en_US:en" 47 | - name: "LC_ALL" 48 | value: "en_US.UTF-8" 49 | - name: "LANG" 50 | value: "en_US.UTF-8" 51 | image: 
"registry.cn-beijing.aliyuncs.com/citools/kubectl:self-1.17" 52 | imagePullPolicy: "IfNotPresent" 53 | name: "kubectl" 54 | tty: true 55 | volumeMounts: 56 | - mountPath: "/etc/localtime" 57 | name: "localtime" 58 | readOnly: false 59 | - command: 60 | - "cat" 61 | env: 62 | - name: "LANGUAGE" 63 | value: "en_US:en" 64 | - name: "LC_ALL" 65 | value: "en_US.UTF-8" 66 | - name: "LANG" 67 | value: "en_US.UTF-8" 68 | image: "registry.cn-beijing.aliyuncs.com/citools/docker:19.03.9-git" 69 | imagePullPolicy: "IfNotPresent" 70 | name: "docker" 71 | tty: true 72 | volumeMounts: 73 | - mountPath: "/etc/localtime" 74 | name: "localtime" 75 | readOnly: false 76 | - mountPath: "/var/run/docker.sock" 77 | name: "dockersock" 78 | readOnly: false 79 | restartPolicy: "Never" 80 | nodeSelector: 81 | build: "true" 82 | securityContext: {} 83 | volumes: 84 | - hostPath: 85 | path: "/var/run/docker.sock" 86 | name: "dockersock" 87 | - hostPath: 88 | path: "/usr/share/zoneinfo/Asia/Shanghai" 89 | name: "localtime" 90 | - name: "cachedir" 91 | hostPath: 92 | path: "/opt/m2" 93 | ''' 94 | } 95 | } 96 | stages { 97 | stage('Pulling Code') { 98 | parallel { 99 | stage('Pulling Code by Jenkins') { 100 | when { 101 | expression { 102 | env.gitlabBranch == null 103 | } 104 | 105 | } 106 | steps { 107 | git(changelog: true, poll: true, url: 'git@192.168.236.251:kubernetes/vue-project.git', branch: "${BRANCH}", credentialsId: 'gitlab-key') 108 | script { 109 | COMMIT_ID = sh(returnStdout: true, script: "git log -n 1 --pretty=format:'%h'").trim() 110 | TAG = BUILD_TAG + '-' + COMMIT_ID 111 | println "Current branch is ${BRANCH}, Commit ID is ${COMMIT_ID}, Image TAG is ${TAG}" 112 | 113 | } 114 | 115 | } 116 | } 117 | 118 | stage('Pulling Code by trigger') { 119 | when { 120 | expression { 121 | env.gitlabBranch != null 122 | } 123 | 124 | } 125 | steps { 126 | git(url: 'git@192.168.236.251:kubernetes/vue-project.git', branch: env.gitlabBranch, changelog: true, poll: true, credentialsId: 
'gitlab-key') 127 | script { 128 | COMMIT_ID = sh(returnStdout: true, script: "git log -n 1 --pretty=format:'%h'").trim() 129 | TAG = BUILD_TAG + '-' + COMMIT_ID 130 | println "Current branch is ${BRANCH}, Commit ID is ${COMMIT_ID}, Image TAG is ${TAG}" 131 | } 132 | 133 | } 134 | } 135 | 136 | } 137 | } 138 | 139 | stage('Building') { 140 | steps { 141 | container(name: 'build') { 142 | sh """ 143 | npm install --registry=https://registry.npm.taobao.org 144 | npm run build 145 | """ 146 | } 147 | } 148 | } 149 | 150 | stage('Docker build for creating image') { 151 | environment { 152 | HARBOR_USER = credentials('HARBOR_ACCOUNT') 153 | } 154 | steps { 155 | container(name: 'docker') { 156 | sh """ 157 | echo ${HARBOR_USER_USR} ${HARBOR_USER_PSW} ${TAG} 158 | docker build -t ${HARBOR_ADDRESS}/${REGISTRY_DIR}/${IMAGE_NAME}:${TAG} . 159 | docker login -u ${HARBOR_USER_USR} -p ${HARBOR_USER_PSW} ${HARBOR_ADDRESS} 160 | docker push ${HARBOR_ADDRESS}/${REGISTRY_DIR}/${IMAGE_NAME}:${TAG} 161 | """ 162 | } 163 | } 164 | } 165 | 166 | stage('Deploying to K8s') { 167 | environment { 168 | MY_KUBECONFIG = credentials('study-k8s-kubeconfig') 169 | } 170 | steps { 171 | container(name: 'kubectl'){ 172 | sh """ 173 | /usr/local/bin/kubectl --kubeconfig $MY_KUBECONFIG set image deploy -l app=${IMAGE_NAME} ${IMAGE_NAME}=${HARBOR_ADDRESS}/${REGISTRY_DIR}/${IMAGE_NAME}:${TAG} -n $NAMESPACE 174 | """ 175 | } 176 | } 177 | } 178 | 179 | } 180 | environment { 181 | COMMIT_ID = "" 182 | HARBOR_ADDRESS = "192.168.236.204" 183 | REGISTRY_DIR = "kubernetes" 184 | IMAGE_NAME = "vue-project" 185 | NAMESPACE = "kubernetes" 186 | TAG = "" 187 | } 188 | parameters { 189 | gitParameter(branch: '', branchFilter: 'origin/(.*)', defaultValue: '', description: 'Branch for build and deploy', name: 'BRANCH', quickFilterEnabled: false, selectedValue: 'NONE', sortMode: 'NONE', tagFilter: '*', type: 'PT_BRANCH') 190 | } 191 | } 192 | 193 | ``` 194 | 195 | **Dockerfile** 196 | 197 | ``` 198 | FROM 
registry.cn-beijing.aliyuncs.com/dotbalo/nginx:1.15.12 199 | 200 | COPY dist/* /usr/share/nginx/html/ 201 | 202 | ``` 203 | 204 | **Deployment/Service/Ingress** 205 | 206 | ``` 207 | --- 208 | apiVersion: v1 209 | kind: Service 210 | metadata: 211 | creationTimestamp: null 212 | labels: 213 | app: vue-project 214 | name: vue-project 215 | namespace: kubernetes 216 | spec: 217 | ports: 218 | - name: web 219 | port: 80 220 | protocol: TCP 221 | targetPort: 80 222 | selector: 223 | app: vue-project 224 | sessionAffinity: None 225 | type: ClusterIP 226 | status: 227 | loadBalancer: {} 228 | --- 229 | apiVersion: networking.k8s.io/v1 230 | kind: Ingress 231 | metadata: 232 | creationTimestamp: null 233 | name: vue-project 234 | namespace: kubernetes 235 | spec: 236 | rules: 237 | - host: vue-project.test.com 238 | http: 239 | paths: 240 | - backend: 241 | service: 242 | name: vue-project 243 | port: 244 | number: 80 245 | path: / 246 | pathType: ImplementationSpecific 247 | --- 248 | apiVersion: apps/v1 249 | kind: Deployment 250 | metadata: 251 | creationTimestamp: null 252 | labels: 253 | app: vue-project 254 | name: vue-project 255 | namespace: kubernetes 256 | spec: 257 | replicas: 1 258 | selector: 259 | matchLabels: 260 | app: vue-project 261 | strategy: 262 | rollingUpdate: 263 | maxSurge: 1 264 | maxUnavailable: 0 265 | type: RollingUpdate 266 | template: 267 | metadata: 268 | creationTimestamp: null 269 | labels: 270 | app: vue-project 271 | spec: 272 | affinity: 273 | podAntiAffinity: 274 | preferredDuringSchedulingIgnoredDuringExecution: 275 | - podAffinityTerm: 276 | labelSelector: 277 | matchExpressions: 278 | - key: app 279 | operator: In 280 | values: 281 | - vue-project 282 | topologyKey: kubernetes.io/hostname 283 | weight: 100 284 | containers: 285 | - env: 286 | - name: TZ 287 | value: Asia/Shanghai 288 | - name: LANG 289 | value: C.UTF-8 290 | image: nginx 291 | imagePullPolicy: IfNotPresent 292 | lifecycle: {} 293 | livenessProbe: 294 | 
failureThreshold: 2 295 | initialDelaySeconds: 30 296 | periodSeconds: 10 297 | successThreshold: 1 298 | tcpSocket: 299 | port: 80 300 | timeoutSeconds: 2 301 | name: vue-project 302 | ports: 303 | - containerPort: 80 304 | name: web 305 | protocol: TCP 306 | readinessProbe: 307 | failureThreshold: 2 308 | initialDelaySeconds: 30 309 | periodSeconds: 10 310 | successThreshold: 1 311 | tcpSocket: 312 | port: 80 313 | timeoutSeconds: 2 314 | resources: 315 | limits: 316 | cpu: 994m 317 | memory: 1170Mi 318 | requests: 319 | cpu: 10m 320 | memory: 55Mi 321 | dnsPolicy: ClusterFirst 322 | imagePullSecrets: 323 | - name: harborkey 324 | restartPolicy: Always 325 | securityContext: {} 326 | serviceAccountName: default 327 | 328 | ``` 329 | 330 | -------------------------------------------------------------------------------- /docs/chap17/17.8.md: -------------------------------------------------------------------------------- 1 | **Jenkinsfile** 2 | 3 | ``` 4 | pipeline { 5 | agent { 6 | kubernetes { 7 | cloud 'kubernetes-study' 8 | slaveConnectTimeout 1200 9 | workspaceVolume hostPathWorkspaceVolume(hostPath: "/opt/workspace", readOnly: false) 10 | /* Build agent pod: jnlp + build (node) + kubectl + docker containers, each kept alive with `cat` and selected later via container(name:). NOTE(review): the docker container mounts the host's /var/run/docker.sock, and the workspace and /opt/m2 cache are hostPath volumes, so build steps get control of the build node's Docker daemon (root-equivalent on that node); keep these agents on dedicated nodes (nodeSelector build=true is already set) and treat anyone who can commit to the repository as trusted on them. */ yaml ''' 11 | apiVersion: v1 12 | kind: Pod 13 | spec: 14 | containers: 15 | - args: [\'$(JENKINS_SECRET)\', \'$(JENKINS_NAME)\'] 16 | image: 'registry.cn-beijing.aliyuncs.com/citools/jnlp:alpine' 17 | name: jnlp 18 | imagePullPolicy: IfNotPresent 19 | volumeMounts: 20 | - mountPath: "/etc/localtime" 21 | name: "localtime" 22 | readOnly: false 23 | - command: 24 | - "cat" 25 | env: 26 | - name: "LANGUAGE" 27 | value: "en_US:en" 28 | - name: "LC_ALL" 29 | value: "en_US.UTF-8" 30 | - name: "LANG" 31 | value: "en_US.UTF-8" 32 | image: "registry.cn-beijing.aliyuncs.com/citools/node:lts" 33 | imagePullPolicy: "IfNotPresent" 34 | name: "build" 35 | tty: true 36 | volumeMounts: 37 | - mountPath: "/etc/localtime" 38 | name: "localtime" 39 | - mountPath: "/root/.m2/" 40 | name: "cachedir" 41 | readOnly: false 42 | - command: 43 | - 
"cat" 44 | env: 45 | - name: "LANGUAGE" 46 | value: "en_US:en" 47 | - name: "LC_ALL" 48 | value: "en_US.UTF-8" 49 | - name: "LANG" 50 | value: "en_US.UTF-8" 51 | image: "registry.cn-beijing.aliyuncs.com/citools/kubectl:self-1.17" 52 | imagePullPolicy: "IfNotPresent" 53 | name: "kubectl" 54 | tty: true 55 | volumeMounts: 56 | - mountPath: "/etc/localtime" 57 | name: "localtime" 58 | readOnly: false 59 | - command: 60 | - "cat" 61 | env: 62 | - name: "LANGUAGE" 63 | value: "en_US:en" 64 | - name: "LC_ALL" 65 | value: "en_US.UTF-8" 66 | - name: "LANG" 67 | value: "en_US.UTF-8" 68 | image: "registry.cn-beijing.aliyuncs.com/citools/docker:19.03.9-git" 69 | imagePullPolicy: "IfNotPresent" 70 | name: "docker" 71 | tty: true 72 | volumeMounts: 73 | - mountPath: "/etc/localtime" 74 | name: "localtime" 75 | readOnly: false 76 | - mountPath: "/var/run/docker.sock" 77 | name: "dockersock" 78 | readOnly: false 79 | restartPolicy: "Never" 80 | nodeSelector: 81 | build: "true" 82 | securityContext: {} 83 | volumes: 84 | - hostPath: 85 | path: "/var/run/docker.sock" 86 | name: "dockersock" 87 | - hostPath: 88 | path: "/usr/share/zoneinfo/Asia/Shanghai" 89 | name: "localtime" 90 | - name: "cachedir" 91 | hostPath: 92 | path: "/opt/m2" 93 | ''' 94 | } 95 | } 96 | stages { /* The two parallel checkout stages are mutually exclusive on env.gitlabBranch (presumably set only when a GitLab trigger started the build); otherwise the branch comes from the BRANCH build parameter. Both set the script-level COMMIT_ID and TAG (BUILD_TAG-<short sha>) that the build and deploy stages consume. */ 97 | stage('Pulling Code') { 98 | parallel { 99 | stage('Pulling Code by Jenkins') { 100 | when { 101 | expression { 102 | env.gitlabBranch == null 103 | } 104 | 105 | } 106 | steps { 107 | git(changelog: true, poll: true, url: 'git@192.168.236.251:kubernetes/vue-project.git', branch: "${BRANCH}", credentialsId: 'gitlab-key') 108 | script { 109 | COMMIT_ID = sh(returnStdout: true, script: "git log -n 1 --pretty=format:'%h'").trim() 110 | TAG = BUILD_TAG + '-' + COMMIT_ID 111 | println "Current branch is ${BRANCH}, Commit ID is ${COMMIT_ID}, Image TAG is ${TAG}" 112 | 113 | } 114 | 115 | } 116 | } 117 | 118 | stage('Pulling Code by trigger') { 119 | when { 120 | expression { 121 | env.gitlabBranch != null 122 | } 
123 | 124 | } 125 | steps { 126 | git(url: 'git@192.168.236.251:kubernetes/vue-project.git', branch: env.gitlabBranch, changelog: true, poll: true, credentialsId: 'gitlab-key') 127 | script { 128 | COMMIT_ID = sh(returnStdout: true, script: "git log -n 1 --pretty=format:'%h'").trim() 129 | TAG = BUILD_TAG + '-' + COMMIT_ID 130 | println "Current branch is ${BRANCH}, Commit ID is ${COMMIT_ID}, Image TAG is ${TAG}" 131 | } 132 | 133 | } 134 | } 135 | 136 | } 137 | } 138 | 139 | stage('Building') { 140 | steps { 141 | container(name: 'build') { /* Supply-chain note: npm install resolves dependency versions at build time from the taobao mirror; npm ci against a committed lockfile would pin them and make the image reproducible. */ 142 | sh """ 143 | npm install --registry=https://registry.npm.taobao.org 144 | npm run build 145 | """ 146 | } 147 | } 148 | } 149 | 150 | stage('Docker build for creating image') { 151 | environment { 152 | HARBOR_USER = credentials('HARBOR_ACCOUNT') 153 | } 154 | steps { 155 | container(name: 'docker') { /* NOTE(review): the echo below sends HARBOR_USER_PSW to the build log (Jenkins masks bound credentials in console output only on a best-effort basis, so do not rely on it), and docker login -p passes the password on the command line where the node's process list can see it; drop the echo and use `docker login -u $HARBOR_USER_USR --password-stdin` fed from the variable instead. Interpolating credentials() values into a Groovy """ string is also flagged by Jenkins; referencing them as shell variables from a single-quoted sh step avoids that. */ 156 | sh """ 157 | echo ${HARBOR_USER_USR} ${HARBOR_USER_PSW} ${TAG} 158 | docker build -t ${HARBOR_ADDRESS}/${REGISTRY_DIR}/${IMAGE_NAME}:${TAG} . 
159 | docker login -u ${HARBOR_USER_USR} -p ${HARBOR_USER_PSW} ${HARBOR_ADDRESS} 160 | docker push ${HARBOR_ADDRESS}/${REGISTRY_DIR}/${IMAGE_NAME}:${TAG} 161 | """ 162 | } 163 | } 164 | } 165 | 166 | stage('Deploying to K8s') { 167 | environment { 168 | MY_KUBECONFIG = credentials('study-k8s-kubeconfig') 169 | } 170 | steps { 171 | container(name: 'kubectl'){ /* MY_KUBECONFIG is presumably a file credential (kubectl is handed its path). The step only changes the image of Deployments labelled app=IMAGE_NAME in NAMESPACE, so the identity in that kubeconfig should be limited to that namespace and to patching deployments (least privilege). */ 172 | sh """ 173 | /usr/local/bin/kubectl --kubeconfig $MY_KUBECONFIG set image deploy -l app=${IMAGE_NAME} ${IMAGE_NAME}=${HARBOR_ADDRESS}/${REGISTRY_DIR}/${IMAGE_NAME}:${TAG} -n $NAMESPACE 174 | """ 175 | } 176 | } 177 | } 178 | 179 | } 180 | environment { /* Pipeline-wide defaults; COMMIT_ID and TAG are overwritten in the checkout stages. NOTE(review): IMAGE_NAME, the vue-project.git URL and the npm build stage match the Vue pipeline in the preceding section, while the Dockerfile and manifests below target go-project; the deploy step's container name ${IMAGE_NAME} will not match the go-project container unless IMAGE_NAME is changed. */ 181 | COMMIT_ID = "" 182 | HARBOR_ADDRESS = "192.168.236.204" 183 | REGISTRY_DIR = "kubernetes" 184 | IMAGE_NAME = "vue-project" 185 | NAMESPACE = "kubernetes" 186 | TAG = "" 187 | } 188 | parameters { 189 | gitParameter(branch: '', branchFilter: 'origin/(.*)', defaultValue: '', description: 'Branch for build and deploy', name: 'BRANCH', quickFilterEnabled: false, selectedValue: 'NONE', sortMode: 'NONE', tagFilter: '*', type: 'PT_BRANCH') 190 | } 191 | } 192 | 193 | ``` 194 | 195 | **Dockerfile** 196 | 197 | ``` 198 | FROM registry.cn-beijing.aliyuncs.com/dotbalo/alpine-glibc:alpine-3.9 199 | 200 | COPY conf/ ./conf # 如果定义了单独的配置文件,可能需要拷贝到镜像中 201 | COPY ./go-project ./ # 包名按照实际情况进行修改 202 | 203 | ENTRYPOINT [ "./go-project"] # 启动该应用 204 | 205 | ``` 206 | 207 | **Deployment/Service/Ingress** 208 | 209 | ``` 210 | --- 211 | apiVersion: v1 212 | kind: Service 213 | metadata: 214 | creationTimestamp: null 215 | labels: 216 | app: go-project 217 | name: go-project 218 | namespace: kubernetes 219 | spec: 220 | ports: 221 | - name: web 222 | port: 8080 223 | protocol: TCP 224 | targetPort: 8080 225 | selector: 226 | app: go-project 227 | sessionAffinity: None 228 | type: ClusterIP 229 | status: 230 | loadBalancer: {} 231 | --- 232 | apiVersion: networking.k8s.io/v1 233 | kind: Ingress 234 | metadata: 235 | creationTimestamp: null 236 | name: go-project 237 | 
namespace: kubernetes 238 | spec: 239 | rules: 240 | - host: go-project.test.com 241 | http: 242 | paths: 243 | - backend: 244 | service: 245 | name: go-project 246 | port: 247 | number: 8080 248 | path: / 249 | pathType: ImplementationSpecific 250 | --- 251 | apiVersion: apps/v1 252 | kind: Deployment 253 | metadata: 254 | creationTimestamp: null 255 | labels: 256 | app: go-project 257 | name: go-project 258 | namespace: kubernetes 259 | spec: 260 | replicas: 1 261 | selector: 262 | matchLabels: 263 | app: go-project 264 | strategy: 265 | rollingUpdate: 266 | maxSurge: 1 267 | maxUnavailable: 0 268 | type: RollingUpdate 269 | template: 270 | metadata: 271 | creationTimestamp: null 272 | labels: 273 | app: go-project 274 | spec: 275 | affinity: 276 | podAntiAffinity: 277 | preferredDuringSchedulingIgnoredDuringExecution: 278 | - podAffinityTerm: 279 | labelSelector: 280 | matchExpressions: 281 | - key: app 282 | operator: In 283 | values: 284 | - go-project 285 | topologyKey: kubernetes.io/hostname 286 | weight: 100 287 | containers: 288 | - env: 289 | - name: TZ 290 | value: Asia/Shanghai 291 | - name: LANG 292 | value: C.UTF-8 293 | image: nginx 294 | imagePullPolicy: IfNotPresent 295 | lifecycle: {} 296 | livenessProbe: 297 | failureThreshold: 2 298 | initialDelaySeconds: 30 299 | periodSeconds: 10 300 | successThreshold: 1 301 | tcpSocket: 302 | port: 8080 303 | timeoutSeconds: 2 304 | name: go-project 305 | ports: 306 | - containerPort: 8080 307 | name: web 308 | protocol: TCP 309 | readinessProbe: 310 | failureThreshold: 2 311 | initialDelaySeconds: 30 312 | periodSeconds: 10 313 | successThreshold: 1 314 | tcpSocket: 315 | port: 8080 316 | timeoutSeconds: 2 317 | resources: 318 | limits: 319 | cpu: 994m 320 | memory: 1170Mi 321 | requests: 322 | cpu: 10m 323 | memory: 55Mi 324 | dnsPolicy: ClusterFirst 325 | imagePullSecrets: 326 | - name: harborkey 327 | restartPolicy: Always 328 | securityContext: {} 329 | serviceAccountName: default 330 | 331 | ``` 332 | 
333 | -------------------------------------------------------------------------------- /docs/chap18/18.5.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dotbalo/kubernetes-guide/2ad8430faef01c7f6d5df7f11d72483f3f1587a7/docs/chap18/18.5.md -------------------------------------------------------------------------------- /docs/chap18/18.6.md: -------------------------------------------------------------------------------- 1 | **Gateway配置** 2 | 3 | ``` 4 | apiVersion: networking.istio.io/v1alpha3 5 | kind: Gateway 6 | metadata: 7 | name: bookinfo-gateway 8 | spec: 9 | selector: 10 | istio: ingressgateway # 使用默认的istio ingress gateway 11 | servers: 12 | - port: 13 | number: 80 14 | name: http 15 | protocol: HTTP 16 | hosts: 17 | - "bookinfo.kubeasy.com" # 发布域名 18 | 19 | ``` 20 | 21 | **配置VirtualService** 22 | 23 | ``` 24 | --- 25 | apiVersion: networking.istio.io/v1alpha3 26 | kind: VirtualService 27 | metadata: 28 | name: bookinfo 29 | spec: 30 | hosts: 31 | - "*" 32 | gateways: 33 | - bookinfo-gateway 34 | http: 35 | - match: 36 | - uri: 37 | exact: /productpage 38 | - uri: 39 | prefix: /static 40 | - uri: 41 | exact: /login 42 | - uri: 43 | exact: /logout 44 | - uri: 45 | prefix: /api/v1/products 46 | route: 47 | - destination: 48 | host: productpage 49 | port: 50 | number: 9080 51 | 52 | ``` 53 | 54 | **vim reviews-dr.yaml** 55 | 56 | ``` 57 | apiVersion: networking.istio.io/v1alpha3 58 | kind: DestinationRule 59 | metadata: 60 | name: reviews 61 | spec: 62 | host: reviews 63 | subsets: 64 | - name: v1 65 | labels: 66 | version: v1 # subset v1指向具有version=v1的Pod 67 | - name: v2 68 | labels: 69 | version: v2 # subset v2指向具有version=v2的Pod 70 | - name: v3 71 | labels: 72 | version: v3 # subset v3指向具有version=v3的Pod 73 | 74 | ``` 75 | 76 | **vim reviews-v1-all.yaml** 77 | 78 | ``` 79 | apiVersion: networking.istio.io/v1alpha3 80 | kind: VirtualService 81 | metadata: 82 | name: reviews 83 | spec: 84 | 
hosts: 85 | - reviews 86 | http: 87 | - route: 88 | - destination: 89 | host: reviews 90 | subset: v1 # 将流量指向v1 91 | 92 | ``` 93 | 94 | **vim reviews-20v2-80v1.yaml** 95 | 96 | ``` 97 | apiVersion: networking.istio.io/v1alpha3 98 | kind: VirtualService 99 | metadata: 100 | name: reviews 101 | spec: 102 | hosts: 103 | - reviews 104 | http: 105 | - route: 106 | - destination: 107 | host: reviews 108 | subset: v1 # 将80%流量指向v1 109 | weight: 80 # 只需要配置一个weight参数即可 110 | - destination: 111 | host: reviews 112 | subset: v2 # 将20%流量指向v2 113 | weight: 20 114 | 115 | ``` 116 | 117 | **vim reviews-v2-all.yaml** 118 | 119 | ``` 120 | apiVersion: networking.istio.io/v1alpha3 121 | kind: VirtualService 122 | metadata: 123 | name: reviews 124 | spec: 125 | hosts: 126 | - reviews 127 | http: 128 | - route: 129 | - destination: 130 | host: reviews 131 | subset: v2 # 指向v2 132 | 133 | ``` 134 | 135 | **cat reviews-jasonv3.yaml** 136 | 137 | ``` 138 | apiVersion: networking.istio.io/v1alpha3 139 | kind: VirtualService 140 | metadata: 141 | name: reviews 142 | spec: 143 | hosts: 144 | - reviews 145 | http: 146 | - match: 147 | - headers: # 匹配请求头 148 | end-user: # 匹配请求头的key为end-user 149 | exact: jason # value为jason 150 | route: 151 | - destination: 152 | host: reviews 153 | subset: v3 # 匹配到end-user=jason路由至v3版本 154 | - route: 155 | - destination: 156 | host: reviews 157 | subset: v2 # 其余的路由至v2版本 158 | 159 | ``` 160 | 161 | ​ **vim details-delay.yaml** 162 | 163 | ``` 164 | apiVersion: networking.istio.io/v1alpha3 165 | kind: VirtualService 166 | metadata: 167 | name: details 168 | spec: 169 | hosts: 170 | - details 171 | http: 172 | - fault: # 添加一个错误 173 | delay: # 添加类型为delay的故障 174 | percentage: # 故障注入的百分比 175 | value: 100 # 对所有请求注入故障 176 | fixedDelay: 5s # 注入的延迟时间 177 | route: 178 | - destination: 179 | host: details 180 | 181 | ``` 182 | 183 | **vim details-abort.yaml** --------------------------------------------------------------------------------