├── LICENSE ├── README.md ├── chapter10 ├── bgppeer-demo.yaml ├── calico-customed.yaml ├── calico.yaml ├── canal.yaml ├── default-bgpconfiguration.yaml ├── default-ipv4-ippool.yaml ├── globalnetworkpolicy-demo.yaml ├── netpol-default-deny-all.yaml ├── netpol-dev-demoapp-egress.yaml ├── netpol-dev-demoapp-ingress.yaml ├── netpol-dev-denyall.yaml ├── netpol-stage-default.yaml ├── reflector-node-node01.yaml └── reflector-node.yaml ├── chapter11 ├── deployment-demo.yaml ├── kube-scheduler.yaml ├── kubeschedconf-v1alpha1-demo.yaml ├── kubeschedconf-v1alpha2-demo.yaml ├── node-affinity-and-resourcefits.yaml ├── node-affinity-preferred-demo.yaml ├── node-affinity-required-demo.yaml ├── pod-affinity-preferred-demo.yaml ├── pod-affinity-required-demo.yaml ├── pod-antiaffinity-required-demo.yaml ├── pod-with-nodeselector.yaml ├── policy.cfg └── scheduler-test.yaml ├── chapter12 ├── crd-v1-user-with-additinalprintercolumns.yaml ├── crd-v1-user-with-status.yaml ├── crd-v1-user.yaml ├── crd-v1beta1-user.yaml ├── kubebuilder │ └── init.sh ├── sample-apiserver │ ├── 01-ns.yaml │ ├── 02-sa.yaml │ ├── 03-rbac.yaml │ ├── 04-rbac-bind.yaml │ ├── 05-auth-delegator.yaml │ ├── 06-auth-reader.yaml │ ├── 07-service.yaml │ ├── 08-deployment.yaml │ └── apiservice.yaml └── user-crd-demo.yaml ├── chapter13 ├── configmap-ingress-nginx-controller.yaml ├── contour-ingress-demo.yaml ├── contour.yaml ├── demoapp-ingress-with-basicauth.yaml ├── demoapp-ingress.yaml ├── httpproxy-demo.yaml ├── httpproxy-headers-routing.yaml ├── httpproxy-health-checks.yaml ├── httpproxy-kubernetes-dashboard.yaml ├── httpproxy-lb-strategy.yaml ├── httpproxy-retry-timeout.yaml ├── httpproxy-tcpproxy-redis.yaml ├── httpproxy-tls-passthrough.yaml ├── httpproxy-traffic-mirror.yaml ├── httpproxy-traffic-splitting.yaml ├── ingress-demo.yaml ├── ingress-kubernetes-dashboard.yaml ├── ingress-nginx-deploy.yaml ├── ingress-nginx-externalIP-deploy.yaml ├── ingress-v1-demo.yaml ├── ingress-www-ilinux.crt ├── 
ingress-www-ilinux.key ├── ngxpasswd ├── patch.json ├── send-requests.sh ├── test.yaml └── tomcat.yaml ├── chapter14 ├── helm │ ├── demoapp-values.yaml │ ├── demoapp │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── NOTES.txt.bak │ │ │ ├── _helpers.tpl │ │ │ ├── deployment.yaml │ │ │ ├── hpa.yaml │ │ │ ├── ingress.yaml │ │ │ ├── service.yaml │ │ │ ├── serviceaccount.yaml │ │ │ └── tests │ │ │ │ └── test-connection.yaml │ │ └── values.yaml │ └── harbor │ │ ├── deploy.yaml │ │ ├── harbor-ingress-ca.crt │ │ ├── harbor-values-with-longhorn-volumes.yaml │ │ ├── harbor-values-without-persistence.yaml │ │ ├── longhorn-storageclass.yaml │ │ └── temp │ │ ├── harbor-values-default.yaml │ │ ├── harbor-values-with-longhorn-volumes.yaml │ │ ├── harbor-values-without-persistence.yaml │ │ ├── harbor-values.yaml │ │ ├── harbor.notes │ │ ├── test.yaml │ │ └── test2.yaml └── kustomize │ ├── demoapp │ ├── base │ │ ├── deploy-demoapp.yaml │ │ ├── kustomization.yaml │ │ └── service-demoapp.yaml │ ├── prod │ │ ├── kustomization.yaml │ │ ├── namespace.yaml │ │ ├── patches │ │ │ ├── demoapp-add-configmap-and-secret.yaml │ │ │ ├── demoapp-add-requests-and-limits.yaml │ │ │ ├── deploy-demoapp-add-sidecar.yaml │ │ │ └── patch-service-demoapp-targetport-8080.yaml │ │ └── secrets │ │ │ ├── tls.crt │ │ │ └── tls.key │ ├── staging │ │ ├── kustomization.yaml │ │ ├── namespace.yaml │ │ └── secrets │ │ │ ├── tls.crt │ │ │ └── tls.key │ └── test │ │ ├── kustomization.yaml │ │ └── namespace.yaml │ └── kustomize-demo │ ├── deploy-demoapp.yaml │ ├── kustomization.yaml │ └── service-demoapp.yaml ├── chapter15 ├── coredns-configmap.yaml ├── hpa │ ├── demoapp.yaml │ ├── hpa-v2-resources.yaml │ ├── metrics-app-hpa.yaml │ └── metrics-app.yaml ├── ingress-kubernetes-dashboard.yaml ├── metrics-server-deploy.yaml └── prometheus │ ├── grafana-values-defs.yaml │ ├── grafana-values-without-persistence-dashboard.yaml │ ├── grafana-values.yaml │ ├── 
prom-values-defs.yaml │ ├── prom-values-with-longhorn-volumes.yaml │ ├── prom-values-without-persistence.yaml │ ├── prometheus-adapter-values-defs.yaml │ ├── prometheus-adapter-values-with-custom-rules.yaml │ ├── prometheus-adapter-values-with-custom-rules.yaml.bak │ └── prometheus-adapter-values.yaml ├── chapter16 ├── cluster-log │ ├── bitnami-elasticsearch-values-def.yaml │ ├── bitnami-elasticsearch-values.yaml │ ├── bitnami-kibana-values-defs.yaml │ ├── bitnami-kibana-values.yaml │ ├── fluent-bit-0.6.2.tgz │ ├── fluent-bit │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── OWNERS │ │ ├── README.md │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── _pod.tpl │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── configmap.yaml │ │ │ ├── daemonset.yaml │ │ │ ├── deployment.yaml │ │ │ ├── psp.yaml │ │ │ ├── service.yaml │ │ │ ├── serviceaccount.yaml │ │ │ ├── servicemonitor.yaml │ │ │ └── tests │ │ │ │ └── test-connection.yaml │ │ └── values.yaml │ ├── fluent-fluent-bit-values-defs.yaml │ ├── fluent-fluent-bit-values.yaml │ ├── fluent-fluent-bit-values.yaml.bak │ └── fluent-fluent-bit-with-parsers-values.yaml └── elastic │ ├── elasticsearch-values-def.yaml │ └── elasticsearch-values.yaml ├── chapter2 ├── krew-install.sh ├── kube-flannel.yml └── kubeadm-config ├── chapter3 ├── node-demo.yaml ├── ns-demo-term.json ├── ns-demo-v2.yaml ├── ns-demo.yaml ├── ns-with-labels.yaml └── test.yaml ├── chapter4 ├── all-in-one.yaml ├── bbox-cap.yaml ├── envoy.yaml ├── init-container-demo.yaml ├── lifecycle-demo.yaml ├── liveness-exec-demo.yaml ├── liveness-httpget-demo.yaml ├── liveness-tcpsocket-demo.yaml ├── memleak-demo.yaml ├── pod-demo-with-cmd-and-args.yaml ├── pod-demo.yaml ├── pod-resources-demo.yaml ├── pod-using-env.yaml ├── pod-using-hostnetwork.yaml ├── pod-using-hostport.yaml ├── readiness-httpget-demo.yaml ├── resource-limits-demo.yaml ├── resource-requests-demo.yaml ├── securitycontext-capabilities-demo.yaml ├── 
securitycontext-runasuser-demo.yaml ├── securitycontext-sysctls-demo.yaml ├── sidecar-container-demo.yaml └── startup-exec-demo.yaml ├── chapter5 ├── downwardapi-env.yaml ├── downwardapi-vol.yaml ├── glusterfs-endpoints.yaml ├── longhorn-customed-config.yaml ├── longhorn.yaml ├── pv-nfs-demo.yaml ├── pv-rbd-demo.yaml ├── pvc-demo-0001.yaml ├── pvc-demo-0002.yaml ├── pvc-dyn-longhorn-demo.yaml ├── pvc-dyn-rbd-demo.yaml ├── storageclass-rbd-demo.yaml ├── test.json ├── volumes-cephfs-demo.yaml ├── volumes-cinder-demo.yaml ├── volumes-emptydir-demo.yaml ├── volumes-gitrepo-demo.yaml ├── volumes-glusterfs-demo.yaml ├── volumes-hostpath-demo.yaml ├── volumes-nfs-demo.yaml ├── volumes-pvc-demo.yaml ├── volumes-pvc-longhorn-demo.yaml └── volumes-rbd-demo.yaml ├── chapter6 ├── BAK-demoapp-conf.d │ ├── eds.conf │ ├── envoy.yaml │ └── lds.conf ├── certs.d │ ├── nginx.crt │ └── nginx.key ├── configmaps-demo.yaml ├── configmaps-env-demo.yaml ├── configmaps-envfrom-demo.yaml ├── configmaps-volume-demo.yaml ├── configmaps-volume-demo2.yaml ├── configmaps-volume-demo3.yaml ├── demoapp-conf.d │ ├── envoy.yaml │ └── lds.conf ├── downwardapi-env-demo.yaml ├── downwardapi-volume-demo.yaml ├── nginx-conf.d │ ├── myserver-gzip.cfg │ ├── myserver-status.cfg │ └── myserver.conf ├── nginx-ssl-conf.d │ ├── myserver-gzip.cfg │ ├── myserver-status.cfg │ └── myserver.conf ├── secrets-demo.yaml ├── secrets-env-demo.yaml └── secrets-volume-demo.yaml ├── chapter7 ├── demoapp-headless-svc.yaml ├── endpointslice-demo.yaml ├── externalname-redis-svc.yaml ├── mysql-endpoints-demo.yaml ├── pod-with-dnspolicy.yaml ├── services-clusterip-demo.yaml ├── services-externalip-demo.yaml ├── services-loadbalancer-demo.yaml ├── services-nodeport-demo.yaml └── services-readiness-demo.yaml ├── chapter8 ├── cronjob-demo.yaml ├── daemonset-demo.yaml ├── demodb.yaml ├── deployment-demo.yaml ├── job-demo.yaml ├── job-para-demo.yaml ├── pdb-demo.yaml ├── replicaset-blue-green.yaml ├── replicaset-demo-patch-v2.yaml ├── 
replicaset-demo-v1.1.yaml ├── replicaset-demo.yaml ├── service-blue-green.yaml ├── service-for-replicaset-demo.yaml └── statefulset-demo.yaml ├── chapter9 ├── aggregated-clusterrole-rbac.yaml ├── clusterrole-with-psp.yaml ├── clusterrolebinding-with-psp.yaml ├── dashboard.crt ├── dashboard.key ├── dashboard.yaml ├── gen-kubeconfig-based-sa.sh ├── limitrange-core-resources.yaml ├── limitrange-demo.yaml ├── limitrange-pvc.yaml ├── mason-admin-rolebinding.yaml ├── nodes-admin-rbac.yaml ├── nonresourceurls-clusterrole-rbac.yaml ├── pod-privileged.yaml ├── pod-with-serviceaccount.yaml ├── pods-reader-rbac.yaml ├── psp-privileged ├── psp-restricted.yaml ├── resourcequota-demo.yaml ├── rolebinding-and-clusterrolebinding-rbac.yaml ├── secret-token.yaml └── serviceaccount-demo.yaml ├── imgs ├── book.jpg └── iKubernetes公众号二维码.jpg ├── kube-controller-manager ├── Dockerfile └── README.md ├── wordpress ├── 01-namespace.yaml ├── 02-configmap.yaml ├── 02-secret.yaml ├── 03-pvc.yaml ├── 04-wordpress-mysql.yaml ├── 05-wordpress.yaml ├── 06-nginx.yaml ├── debug.yaml ├── nginx.conf ├── nginx.crt ├── nginx.key └── test.yaml └── 勘误列表.md
/README.md:
--------------------------------------------------------------------------------
# Kubernetes_Advanced_Practical_2rd
《Kubernetes进阶实战(第2版)》随书代码~

## 配套视频说明
与该书内容基本配套的视频已经录制完成,收录进了马哥教育“专题班”课程之中,有需要请访问[马哥教育](http://www.magedu.com)向课程顾问了解。相关视频包括:
- Kubernetes系统:10天;
- Prometheus监控系统:2天;
- Ceph存储系统:3天;
- Envoy代理及Istio服务网格:7天;

## iKubernetes公众号

![ikubernetes公众号二维码](https://github.com/iKubernetes/Kubernetes_Advanced_Practical_2rd/raw/main/imgs/iKubernetes%E5%85%AC%E4%BC%97%E5%8F%B7%E4%BA%8C%E7%BB%B4%E7%A0%81.jpg)

## 《Kubernetes进阶实战第2版》

- 
[淘宝直达](https://s.taobao.com/search?q=kubernetes%E8%BF%9B%E9%98%B6%E5%AE%9E%E6%88%98%E7%AC%AC2%E7%89%88&imgfile=&commend=all&ssid=s5-e&search_type=item&sourceId=tb.index&spm=a21bo.2017.201856-taobao-item.1&ie=utf8&initiative_id=tbindexz_20170306)
- [京东商城直达](https://search.jd.com/Search?keyword=kubernetes%E8%BF%9B%E9%98%B6%E5%AE%9E%E6%88%98%E7%AC%AC2%E7%89%88&enc=utf-8&suggest=2.def.0.base&wq=kubernetes%E8%BF%9B%E9%98%B6%E5%AE%9E%E6%88%98&pvid=286ff777931e4075a762f321a0fb1139)
- [当当直达](http://search.dangdang.com/?key=kubernetes%BD%F8%BD%D7%CA%B5%D5%BD%B5%DA%B6%FE%B0%E6&act=input)

![图书封面](https://github.com/iKubernetes/Kubernetes_Advanced_Practical_2rd/raw/main/imgs/book.jpg)

--------------------------------------------------------------------------------
/chapter10/bgppeer-demo.yaml:
--------------------------------------------------------------------------------
# Calico BGPPeer: every node (nodeSelector all()) peers with the nodes that
# carry the label route-reflector="true" (see reflector-node*.yaml).
# Intended to be used together with nodeToNodeMeshEnabled: false from
# default-bgpconfiguration.yaml, so that the reflectors replace the full mesh.
kind: BGPPeer
apiVersion: projectcalico.org/v3
metadata:
  name: bgppeer-demo
spec:
  nodeSelector: all()
  # string comparison: the node label value has to be the string "true"
  peerSelector: route-reflector=="true"
--------------------------------------------------------------------------------
/chapter10/default-bgpconfiguration.yaml:
--------------------------------------------------------------------------------
# Cluster-wide Calico BGP settings. With the node-to-node mesh disabled, nodes
# only exchange routes through explicit BGPPeer resources, so the reflector
# labels and bgppeer-demo.yaml should be in place before this is applied;
# otherwise inter-node pod routes are withdrawn until the peerings exist.
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  logSeverityScreen: Info
  nodeToNodeMeshEnabled: false
  # private ASN used by all nodes (iBGP); the reflectors use the same number
  asNumber: 63400
--------------------------------------------------------------------------------
/chapter10/default-ipv4-ippool.yaml:
--------------------------------------------------------------------------------
# Default pod IP pool: /24 blocks are allocated to nodes out of 10.244.0.0/16.
# IPIP encapsulation is only used between nodes on different subnets; VXLAN is off.
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: default-ipv4-ippool
spec:
  blockSize: 24
  cidr: 10.244.0.0/16
  ipipMode: CrossSubnet
  # SNAT pod traffic that leaves the pool to the node address: external
  # firewalls and logs then see the node IP rather than the pod IP
  natOutgoing: true
  nodeSelector: all()
  vxlanMode: Never
--------------------------------------------------------------------------------
/chapter10/globalnetworkpolicy-demo.yaml:
--------------------------------------------------------------------------------
# Maintainer: MageEdu
# http://www.magedu.com
#
# Calico GlobalNetworkPolicy acting as a cluster-wide baseline for every
# namespace that is NOT one of the listed system namespaces: ingress is only
# allowed from those system namespaces, all egress is allowed. Traffic that
# matches no rule here falls through to later (higher-order) policies, such as
# the per-namespace Kubernetes NetworkPolicy objects in this chapter, and is
# denied if nothing allows it.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: namespaces-default
spec:
  # lowest order value, so this policy is evaluated before the others
  order: 0.0
  # relies on a "name" label on each Namespace object; that label is not set
  # automatically and has to be added by hand for the selectors to work
  namespaceSelector: name not in {"kube-system","kubernetes-dashboard","logs","monitoring"}
  types: ["Ingress", "Egress"]
  ingress:
  - action: Allow
    source:
      namespaceSelector: name in {"kube-system","kubernetes-dashboard","logs","monitoring"}
  egress:
  - action: Allow
--------------------------------------------------------------------------------
/chapter10/netpol-default-deny-all.yaml:
--------------------------------------------------------------------------------
# Default-deny for ingress in the "default" namespace: the empty podSelector
# matches every pod, Ingress is listed in policyTypes and no ingress rule is
# given, so all inbound traffic is dropped. Egress is left untouched.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: default
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
--------------------------------------------------------------------------------
/chapter10/netpol-dev-demoapp-egress.yaml:
--------------------------------------------------------------------------------
# Egress allow-list for the demoapp pods in the "dev" namespace. Rules are ORed:
# DNS over UDP anywhere, redis on 6379 and other demoapp pods on 80, the latter
# two only inside "dev" because a bare podSelector is scoped to the policy's
# own namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-egress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp
  policyTypes: ["Egress"]
  egress:
  # "to" is left empty (null): any destination, restricted to UDP/53.
  # NOTE(review): TCP/53 is not allowed, so DNS answers that fall back to TCP
  # (truncated responses) would be blocked -- confirm this is intended.
  - to:
    ports:
    - protocol: UDP
      port: 53
  - to:
    - podSelector:
        matchLabels:
          app: redis
    ports:
    - protocol: TCP
      port: 6379
  - to:
    - podSelector:
        matchLabels:
          app: demoapp
    ports:
    - protocol: TCP
      port: 80
--------------------------------------------------------------------------------
/chapter10/netpol-dev-demoapp-ingress.yaml:
--------------------------------------------------------------------------------
# Ingress allow-list for the demoapp pods in "dev". The two rules are ORed:
# rule 1 has no ports clause and therefore opens every port to the listed
# namespaces and to the 10.244.0.0/24 block; rule 2 opens only TCP/80 to any
# namespace that is not labelled name=default.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: demoapp-ingress
  namespace: dev
spec:
  podSelector:
    matchLabels:
      app: demoapp
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - namespaceSelector:
        matchExpressions:
        - key: name
          operator: In
          values: [dev, kube-system, logs, monitoring, kubernetes-dashboard]
    # with blockSize 24 in default-ipv4-ippool.yaml this is a single node's
    # pod block; judging by reflector-node.yaml it appears to be the one
    # assigned to k8s-master01 -- confirm before relying on it
    - ipBlock:
        cidr: 10.244.0.0/24
  - from:
    - namespaceSelector:
        matchExpressions:
        # NotIn also matches namespaces that carry no "name" label at all
        - {key: name, operator: NotIn, values: ["default"]}
    ports:
    - protocol: TCP
      port: 80
--------------------------------------------------------------------------------
/chapter10/netpol-dev-denyall.yaml:
--------------------------------------------------------------------------------
# Despite the name, this restricts BOTH directions for every pod in "dev":
# only pod-to-pod traffic inside the namespace is allowed. Anything else --
# including DNS to kube-system -- needs another policy, e.g. the allow rules in
# netpol-dev-demoapp-egress.yaml; NetworkPolicy objects are additive.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: dev
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
  egress:
  - to:
    - podSelector: {}
  ingress:
  - from:
    - podSelector: {}
--------------------------------------------------------------------------------
/chapter10/netpol-stage-default.yaml:
--------------------------------------------------------------------------------
# Namespace baseline for "stage": inbound only from the listed namespaces (all
# ports); outbound limited to DNS, the kube-apiserver pods and other pods in
# namespaces labelled name=stage.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default
  namespace: stage
spec:
  podSelector: {}
  policyTypes: ["Ingress","Egress"]
  ingress:
  - from:
    - namespaceSelector:
        matchExpressions:
        - key: name
          operator: In
          values: [stage,kube-system,logs,monitoring,kubernetes-dashboard]
  egress:
  # empty "to": DNS to any destination on UDP/53
  - to:
    ports:
    - protocol: UDP
      port: 53
  # namespaceSelector and podSelector in the same peer are ANDed: only pods
  # labelled component=kube-apiserver in the kube-system namespace.
  # NOTE(review): the apiserver normally runs as a hostNetwork static pod;
  # the NetworkPolicy API does not define how hostNetwork pods are matched, and
  # traffic via the "kubernetes" Service is DNAT'd to the node address, so
  # verify this rule actually permits API access with the installed CNI.
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
      podSelector:
        matchLabels:
          component: kube-apiserver
    ports:
    - protocol: TCP
      port: 443
  - to:
    - namespaceSelector:
        matchLabels:
          name: stage
--------------------------------------------------------------------------------
/chapter10/reflector-node-node01.yaml:
--------------------------------------------------------------------------------
# Calico Node resource turning k8s-node01 into a BGP route reflector; matched
# by the peerSelector in bgppeer-demo.yaml.
# NOTE(review): the label value is an unquoted YAML boolean while the peer
# selector compares against the string "true"; the Calico docs use this same
# form, but quote it ("true") if the apply is rejected or the peering does not
# come up.
apiVersion: projectcalico.org/v3
kind: Node
metadata:
  labels:
    route-reflector: true
  name: k8s-node01.ilinux.io
spec:
  bgp:
    ipv4Address: 172.29.9.11/16
    ipv4IPIPTunnelAddr: 10.244.1.1
    # both reflectors share the cluster ID so their clients see one cluster
    routeReflectorClusterID: 1.1.1.1
--------------------------------------------------------------------------------
/chapter10/reflector-node.yaml:
--------------------------------------------------------------------------------
# Same as reflector-node-node01.yaml, for the master node; same label-value
# caveat applies.
apiVersion: projectcalico.org/v3
kind: Node
metadata:
  labels:
    route-reflector: true
  name: k8s-master01.ilinux.io
spec:
  bgp:
    ipv4Address: 172.29.9.1/16
    ipv4IPIPTunnelAddr: 10.244.0.1
    routeReflectorClusterID: 1.1.1.1
--------------------------------------------------------------------------------
/chapter11/deployment-demo.yaml:
--------------------------------------------------------------------------------
# VERSION: demoapp version
# Maintainer: MageEdu
#
# Deployment used to exercise the custom "demo-scheduler" profile.
# NOTE(review): nodeName is set as well; a pod with spec.nodeName bypasses the
# scheduler entirely and is started by that node's kubelet, so schedulerName has
# no effect on these pods. Drop nodeName to actually route them through
# demo-scheduler (see scheduler-test.yaml for that variant).
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demoapp
      release: stable
  template:
    metadata:
      labels:
        app: demoapp
        release: stable
    spec:
      schedulerName: demo-scheduler
      nodeName: k8s-node02.ilinux.io
      containers:
      - name: demoapp
        image: ikubernetes/demoapp:v1.0
        ports:
        - containerPort: 80
          name: http
        livenessProbe:
          httpGet:
            path: '/livez'
            port: 80
          initialDelaySeconds: 5
        readinessProbe:
          httpGet:
            path: '/readyz'
            port: 80
          initialDelaySeconds: 15
--------------------------------------------------------------------------------
/chapter11/kube-scheduler.yaml:
--------------------------------------------------------------------------------
# kube-scheduler Pod manifest (kubeadm-style; presumably the static pod file
# from /etc/kubernetes/manifests, extended with a --config flag and a second
# hostPath mount so the scheduler can read the demo configuration files).
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-scheduler
    tier: control-plane
  name: kube-scheduler
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-scheduler
    - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf
    - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf
    # loopback only: the HTTPS health/metrics endpoint is not reachable from
    # the network, which matches the liveness probe host below
    - --bind-address=127.0.0.1
    - --kubeconfig=/etc/kubernetes/scheduler.conf
    - --leader-elect=true
    # configuration file lives in the hostPath directory mounted below
    - --config=/etc/kubernetes/scheduler/kubeschedconf-v1alpha1-demo.yaml
    # mirror registry, pinned by tag only; pin by digest if the image source
    # is to be trusted across re-pulls
    image: gcr.azk8s.cn/google_containers/kube-scheduler:v1.18.3
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10259
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: kube-scheduler
    resources:
      requests:
        cpu: 100m
    volumeMounts:
    - mountPath: /etc/kubernetes/scheduler.conf
      name: kubeconfig
      readOnly: true
    - mountPath: /etc/kubernetes/scheduler
      name: scheduler-config
      readOnly: true
  hostNetwork: true
  priorityClassName: system-cluster-critical
  volumes:
  - hostPath:
      path: /etc/kubernetes/scheduler.conf
      type: FileOrCreate
    name: kubeconfig
  - hostPath:
      path: /etc/kubernetes/scheduler
      type: DirectoryOrCreate
    name: scheduler-config
status: {}
--------------------------------------------------------------------------------
/chapter11/kubeschedconf-v1alpha1-demo.yaml:
--------------------------------------------------------------------------------
# KubeSchedulerConfiguration (v1alpha1) referenced by kube-scheduler.yaml via
# --config; continues with algorithmSource below.
apiVersion: kubescheduler.config.k8s.io/v1alpha1
kind: KubeSchedulerConfiguration
bindTimeoutSeconds: 600
# (continuation of /chapter11/kubeschedconf-v1alpha1-demo.yaml)
# NOTE(review): both a policy file and a named provider are given here.
# Upstream treats these as alternative algorithm sources; the intent of the
# chapter appears to be the policy file (policy.cfg) -- confirm which one the
# v1.18 scheduler picks when both are present, and drop the other.
algorithmSource:
  policy:
    file:
      path: /etc/kubernetes/scheduler/policy.cfg
  provider: DefaultProvider
clientConnection:
  kubeconfig: "/etc/kubernetes/scheduler.conf"
disablePreemption: false
--------------------------------------------------------------------------------
/chapter11/kubeschedconf-v1alpha2-demo.yaml:
--------------------------------------------------------------------------------
# KubeSchedulerConfiguration (v1alpha2) with two profiles: the stock
# default-scheduler and a "demo-scheduler" that favours packing pods onto the
# most-allocated nodes.
apiVersion: kubescheduler.config.k8s.io/v1alpha2
kind: KubeSchedulerConfiguration
clientConnection:
  kubeconfig: "/etc/kubernetes/scheduler.conf"
disablePreemption: false
profiles:
- schedulerName: default-scheduler
- schedulerName: demo-scheduler
  plugins:
    filter:
      disabled:
      # Disabling this filter lets pods that use demo-scheduler land on
      # cordoned (spec.unschedulable) nodes, so `kubectl cordon`/`drain` no
      # longer keeps them off a node; fine for a demo, not for production.
      - name: NodeUnschedulable
    score:
      disabled:
      - name: NodeResourcesBalancedAllocation
        weight: 1
      - name: NodeResourcesLeastAllocated
        weight: 1
      enabled:
      # bin-packing: prefer nodes that are already heavily allocated
      - name: NodeResourcesMostAllocated
        weight: 5
--------------------------------------------------------------------------------
/chapter11/node-affinity-and-resourcefits.yaml:
--------------------------------------------------------------------------------
# Deployment combining a hard node-affinity rule (continued below) with sizeable
# resource requests, so that both the affinity and the resource-fit filters
# have to pass for a node to be eligible.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: node-affinity-and-resourcefits
  namespace: default
spec:
  replicas: 5
  selector:
    matchLabels:
      app: demoapp
      ctlr: node-affinity-and-resourcefits
  template:
    metadata:
      labels:
        app: demoapp
        ctlr: node-affinity-and-resourcefits
    spec:
      containers:
      - name: demoapp
        image: ikubernetes/demoapp:v1.0
        resources:
          requests:
            cpu: 2
            memory: 2Gi
        livenessProbe:
          httpGet:
            path: '/livez'
            port: 80
          initialDelaySeconds: 5
        readinessProbe:
          httpGet:
            path: '/readyz'
            port: 80
          initialDelaySeconds: 15
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
# (continuation of /chapter11/node-affinity-and-resourcefits.yaml:
#  nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution)
# Both expressions in one term are ANDed: a node must have a "gpu" label and
# must not be a master.
            nodeSelectorTerms:
            - matchExpressions:
              - key: gpu
                operator: Exists
              - key: node-role.kubernetes.io/master
                operator: DoesNotExist
--------------------------------------------------------------------------------
/chapter11/node-affinity-preferred-demo.yaml:
--------------------------------------------------------------------------------
# Soft node affinity: nodes with a "gpu" label score +60, nodes with
# region=foo or region=bar score +30; pods still schedule elsewhere when no
# node matches.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: node-affinity-preferred
spec:
  replicas: 5
  selector:
    matchLabels:
      app: demoapp
      ctlr: node-affinity-preferred
  template:
    metadata:
      name: demoapp
      labels:
        app: demoapp
        ctlr: node-affinity-preferred
    spec:
      containers:
      - name: demoapp
        image: ikubernetes/demoapp:v1.0
        resources:
          requests:
            cpu: 1500m
            memory: 1Gi
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 60
            preference:
              matchExpressions:
              - key: gpu
                operator: Exists
          - weight: 30
            preference:
              matchExpressions:
              - key: region
                operator: In
                values: ["foo","bar"]
--------------------------------------------------------------------------------
/chapter11/node-affinity-required-demo.yaml:
--------------------------------------------------------------------------------
# Hard node affinity (the rule itself continues below): pods stay Pending
# unless a non-master node with a "gpu" label exists.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: node-affinity-required
  namespace: default
spec:
  replicas: 5
  selector:
    matchLabels:
      app: demoapp
      ctlr: node-affinity-required
  template:
    metadata:
      labels:
        app: demoapp
        ctlr: node-affinity-required
    spec:
      containers:
      - name: demoapp
        image: ikubernetes/demoapp:v1.0
        livenessProbe:
          httpGet:
            path: '/livez'
            port: 80
          initialDelaySeconds: 5
        readinessProbe:
          httpGet:
            path: '/readyz'
            port: 80
          initialDelaySeconds: 15
      affinity:
        nodeAffinity:
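# (continuation of /chapter11/node-affinity-required-demo.yaml: nodeAffinity)
# Both expressions in one term are ANDed: a node must have a "gpu" label and
# must not be a master.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: gpu
                operator: Exists
              - key: node-role.kubernetes.io/master
                operator: DoesNotExist
--------------------------------------------------------------------------------
/chapter11/pod-affinity-preferred-demo.yaml:
--------------------------------------------------------------------------------
# Maintainer: MageEdu
# Version: v0.1
#
# Soft pod affinity demo: a single redis pod plus four demoapp pods that prefer
# to run on the same host (weight 100) or in the same rack (weight 50) as the
# redis pod. The "rack" topology key only scores when nodes carry a rack label.
#
# Fix: the affinity terms selected ctlr=redis-prefered (typo) while the redis
# Deployment labels its pods ctlr=redis-preferred, so neither term could ever
# match and the preference was silently a no-op. Both values now match the
# label set on the redis pod template.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-preferred
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
      ctlr: redis-preferred
  template:
    metadata:
      labels:
        app: redis
        ctlr: redis-preferred
    spec:
      containers:
      - name: redis
        image: redis:6.0-alpine
        resources:
          requests:
            cpu: 500m
            memory: 512Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-affinity-preferred
spec:
  replicas: 4
  selector:
    matchLabels:
      app: demoapp
      ctlr: pod-affinity-preferred
  template:
    metadata:
      labels:
        app: demoapp
        ctlr: pod-affinity-preferred
    spec:
      containers:
      - name: demoapp
        image: ikubernetes/demoapp:v1.0
        resources:
          requests:
            cpu: 1500m
            memory: 1Gi
      affinity:
        podAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - {key: app, operator: In, values: ["redis"]}
                - {key: ctlr, operator: In, values: ["redis-preferred"]}
              topologyKey: kubernetes.io/hostname
          - weight: 50
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - {key: app, operator: In, values: ["redis"]}
                - {key: ctlr, operator: In, values: ["redis-preferred"]}
              topologyKey: rack
--------------------------------------------------------------------------------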
/chapter11/pod-affinity-required-demo.yaml:
--------------------------------------------------------------------------------
# Maintainer: MageEdu
# Version: v0.1
#
# Hard pod affinity demo: five demoapp pods that must be co-located, by "rack",
# with the redis pod. Every node needs a "rack" label for this to be
# satisfiable; without it the demoapp pods stay Pending.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
      ctlr: redis
  template:
    metadata:
      labels:
        app: redis
        ctlr: redis
    spec:
      containers:
      - name: redis
        image: redis:6.0-alpine
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-affinity-required
spec:
  replicas: 5
  selector:
    matchLabels:
      app: demoapp
      ctlr: pod-affinity-required
  template:
    metadata:
      labels:
        app: demoapp
        ctlr: pod-affinity-required
    spec:
      containers:
      - name: demoapp
        image: ikubernetes/demoapp:v1.0
      affinity:
        podAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - {key: app, operator: In, values: ["redis"]}
              - {key: ctlr, operator: In, values: ["redis"]}
            topologyKey: rack
--------------------------------------------------------------------------------
/chapter11/pod-antiaffinity-required-demo.yaml:
--------------------------------------------------------------------------------
# Maintainer: MageEdu
# Version: v0.1
#
# Hard anti-affinity keyed on hostname: at most one of these pods per node, so
# four replicas need at least four schedulable nodes; extra replicas stay Pending.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-antiaffinity-required
spec:
  replicas: 4
  selector:
    matchLabels:
      app: demoapp
      ctlr: pod-antiaffinity-required
  template:
    metadata:
      labels:
        app: demoapp
        ctlr: pod-antiaffinity-required
    spec:
      containers:
      - name: demoapp
        image: ikubernetes/demoapp:v1.0
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - {key: app, operator: In, values: ["demoapp"]}
              - key: ctlr
                operator: In
                values: ["pod-antiaffinity-required"]
            topologyKey: kubernetes.io/hostname
--------------------------------------------------------------------------------
/chapter11/pod-with-nodeselector.yaml:
--------------------------------------------------------------------------------
# nodeSelector is an exact label match: this pod only fits nodes whose "gpu"
# label has the empty-string value (unlike an affinity "Exists" expression).
apiVersion: v1
kind: Pod
metadata:
  name: pod-with-nodeselector
spec:
  containers:
  - name: demoapp
    image: ikubernetes/demoapp:v1.0
  nodeSelector:
    gpu: ''
--------------------------------------------------------------------------------
/chapter11/policy.cfg:
--------------------------------------------------------------------------------
# Legacy scheduler Policy file loaded through algorithmSource.policy.file in
# kubeschedconf-v1alpha1-demo.yaml. The Policy API was dropped from later
# Kubernetes releases -- confirm against the cluster version before reuse.
kind: Policy
apiVersion: v1
predicates:
- name: GeneralPredicates
- name: MaxCSIVolumeCountPred
- name: CheckVolumeBinding
- name: EvenPodsSpread
- name: MatchInterPodAffinity
- name: CheckNodeUnschedulable
- name: NoDiskConflict
- name: NoVolumeZoneConflict
- name: MatchNodeSelector
- name: PodToleratesNodeTaints
priorities:
- {name: LeastRequestedPriority, weight: 1}
- {name: BalancedResourceAllocation, weight: 1}
- {name: ServiceSpreadingPriority, weight: 2}
- {name: EvenPodsSpreadPriority, weight: 1}
- {name: TaintTolerationPriority, weight: 1}
- {name: ImageLocalityPriority, weight: 2}
- {name: SelectorSpreadPriority, weight: 1}
- {name: InterPodAffinityPriority, weight: 1}
- {name: EqualPriority, weight: 1}
--------------------------------------------------------------------------------
/chapter11/scheduler-test.yaml:
--------------------------------------------------------------------------------
# VERSION: demoapp version
# Maintainer: MageEdu
#
# Deployment scheduled by the "demo-scheduler" profile from
# kubeschedconf-v1alpha2-demo.yaml (no nodeName here, so the scheduler is
# actually consulted); the pod template continues below.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sched-test
spec:
  replicas: 4
  selector:
    matchLabels:
      app: demoapp
      release: stable
template: 15 | metadata: 16 | labels: 17 | app: demoapp 18 | release: stable 19 | spec: 20 | schedulerName: demo-scheduler 21 | containers: 22 | - name: demoapp 23 | image: ikubernetes/demoapp:v1.0 24 | ports: 25 | - containerPort: 80 26 | name: http 27 | livenessProbe: 28 | httpGet: 29 | path: '/livez' 30 | port: 80 31 | initialDelaySeconds: 5 32 | readinessProbe: 33 | httpGet: 34 | path: '/readyz' 35 | port: 80 36 | initialDelaySeconds: 15 37 | resources: 38 | requests: 39 | cpu: "1000m" 40 | memory: "512Mi" 41 | limits: 42 | cpu: "1000m" 43 | memory: "512Mi" 44 | -------------------------------------------------------------------------------- /chapter12/crd-v1-user-with-additinalprintercolumns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: users.auth.ilinux.io 5 | spec: 6 | group: auth.ilinux.io 7 | names: 8 | kind: User 9 | plural: users 10 | singular: user 11 | shortNames: 12 | - u 13 | scope: Namespaced 14 | versions: 15 | - served: true 16 | storage: true 17 | name: v1alpha1 18 | schema: 19 | openAPIV3Schema: 20 | type: object 21 | properties: 22 | spec: 23 | type: object 24 | properties: 25 | userID: 26 | type: integer 27 | minimum: 1 28 | maximum: 65535 29 | groups: 30 | type: array 31 | items: 32 | type: string 33 | email: 34 | type: string 35 | password: 36 | type: string 37 | format: password 38 | required: ["userID","groups"] 39 | additionalPrinterColumns: 40 | - name: userID 41 | type: integer 42 | description: The user ID. 43 | jsonPath: .spec.userID 44 | - name: groups 45 | type: string 46 | description: The groups of the user. 47 | jsonPath: .spec.groups 48 | - name: email 49 | type: string 50 | description: The email address of the user. 
51 | jsonPath: .spec.email 52 | -------------------------------------------------------------------------------- /chapter12/crd-v1-user-with-status.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: users.auth.ilinux.io 5 | spec: 6 | group: auth.ilinux.io 7 | names: 8 | kind: User 9 | plural: users 10 | singular: user 11 | shortNames: 12 | - u 13 | scope: Namespaced 14 | versions: 15 | - served: true 16 | storage: true 17 | name: v1alpha1 18 | schema: 19 | openAPIV3Schema: 20 | type: object 21 | properties: 22 | spec: 23 | type: object 24 | properties: 25 | userID: 26 | type: integer 27 | minimum: 1 28 | maximum: 65535 29 | groups: 30 | type: array 31 | items: 32 | type: string 33 | email: 34 | type: string 35 | password: 36 | type: string 37 | format: password 38 | required: ["userID","groups"] 39 | status: 40 | type: object 41 | properties: 42 | phase: 43 | type: string 44 | additionalPrinterColumns: 45 | - name: userID 46 | type: integer 47 | description: The user ID. 48 | jsonPath: .spec.userID 49 | - name: groups 50 | type: string 51 | description: The groups of the user. 52 | jsonPath: .spec.groups 53 | - name: email 54 | type: string 55 | description: The email address of the user. 
56 | jsonPath: .spec.email 57 | subresources: 58 | status: {} 59 | -------------------------------------------------------------------------------- /chapter12/crd-v1-user.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: users.auth.ilinux.io 5 | spec: 6 | group: auth.ilinux.io 7 | names: 8 | kind: User 9 | plural: users 10 | singular: user 11 | shortNames: 12 | - u 13 | scope: Namespaced 14 | versions: 15 | - served: true 16 | storage: true 17 | name: v1alpha1 18 | schema: 19 | openAPIV3Schema: 20 | type: object 21 | properties: 22 | spec: 23 | type: object 24 | properties: 25 | userID: 26 | type: integer 27 | minimum: 1 28 | maximum: 65535 29 | groups: 30 | type: array 31 | items: 32 | type: string 33 | email: 34 | type: string 35 | password: 36 | type: string 37 | format: password 38 | required: ["userID","groups"] 39 | 40 | -------------------------------------------------------------------------------- /chapter12/crd-v1beta1-user.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apiextensions.k8s.io/v1beta1 2 | kind: CustomResourceDefinition 3 | metadata: 4 | name: users.auth.ilinux.io 5 | spec: 6 | group: auth.ilinux.io 7 | version: v1alpha1 8 | versions: 9 | - name: v1alpha1 10 | served: true 11 | storage: true 12 | names: 13 | kind: User 14 | plural: users 15 | singular: user 16 | shortNames: 17 | - u 18 | scope: Namespaced 19 | validation: 20 | openAPIV3Schema: 21 | properties: 22 | spec: 23 | properties: 24 | userID: 25 | type: integer 26 | minimum: 1 27 | maximum: 65535 28 | groups: 29 | type: array 30 | email: 31 | type: string 32 | password: 33 | type: string 34 | format: password 35 | required: ["userID","groups"] 36 | status: 37 | type: object 38 | properties: 39 | phase: 40 | type: string 41 | additionalPrinterColumns: 42 | - name: userID 43 | type: integer 44 | 
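description: The user ID.
JSONPath: .spec.userID
- name: groups
  type: string
  description: The groups of the user.
  JSONPath: .spec.groups
- name: email
  type: string
  description: The email address of the user.
  JSONPath: .spec.email
subresources:
  status: {}
--------------------------------------------------------------------------------
/chapter12/kubebuilder/init.sh:
--------------------------------------------------------------------------------
# Download the pinned kubebuilder release for the local GOOS/GOARCH and install
# it under /usr/local/kubebuilder.  The final `export PATH` only affects the
# shell that runs these lines, so source this file (or paste it) rather than
# executing it in a subshell.
os=$(go env GOOS)
arch=$(go env GOARCH)
version='2.3.1'

# download kubebuilder and extract it to tmp
# `-f` makes curl exit non-zero on an HTTP error instead of piping the error
# page into tar; `-sS` keeps it quiet except for errors.  If the pipeline fails
# we stop here instead of running `sudo mv` on a directory that does not exist.
# NOTE(review): the archive is fetched over TLS but no checksum or signature is
# checked before it is installed system-wide; compare it against the published
# release checksum on any machine that matters.
if ! curl -fsSL "https://go.kubebuilder.io/dl/${version}/${os}/${arch}" | tar -xz -C /tmp/; then
  echo "failed to download or extract kubebuilder ${version} for ${os}/${arch}" >&2
  # `return` works when sourced, `exit` when executed
  return 1 2>/dev/null || exit 1
fi

# move to a long-term location and put it on your path
# (you'll need to set the KUBEBUILDER_ASSETS env var if you put it somewhere else)
sudo mv "/tmp/kubebuilder_${version}_${os}_${arch}" /usr/local/kubebuilder
export PATH="$PATH:/usr/local/kubebuilder/bin"
--------------------------------------------------------------------------------
/chapter12/sample-apiserver/01-ns.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: Namespace
metadata:
  name: wardle
spec:
--------------------------------------------------------------------------------
/chapter12/sample-apiserver/02-sa.yaml:
--------------------------------------------------------------------------------
# Identity the extension apiserver runs as (08-deployment.yaml); the
# ClusterRole below and the bindings in 04-/05-/06-*.yaml grant its access.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: apiserver
  namespace: wardle
--------------------------------------------------------------------------------
/chapter12/sample-apiserver/03-rbac.yaml:
--------------------------------------------------------------------------------
# Cluster-scoped, read-only access for the apiserver ServiceAccount
# (bound in 04-rbac-bind.yaml).
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aggregated-apiserver-clusterrole
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get",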
"watch", "list"] 9 | - apiGroups: ["admissionregistration.k8s.io"] 10 | resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] 11 | verbs: ["get", "watch", "list"] 12 | -------------------------------------------------------------------------------- /chapter12/sample-apiserver/04-rbac-bind.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: sample-apiserver-clusterrolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: aggregated-apiserver-clusterrole 9 | subjects: 10 | - kind: ServiceAccount 11 | name: apiserver 12 | namespace: wardle 13 | -------------------------------------------------------------------------------- /chapter12/sample-apiserver/05-auth-delegator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: wardle:system:auth-delegator 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: system:auth-delegator 9 | subjects: 10 | - kind: ServiceAccount 11 | name: apiserver 12 | namespace: wardle 13 | -------------------------------------------------------------------------------- /chapter12/sample-apiserver/06-auth-reader.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: wardle-auth-reader 5 | namespace: kube-system 6 | roleRef: 7 | apiGroup: rbac.authorization.k8s.io 8 | kind: Role 9 | name: extension-apiserver-authentication-reader 10 | subjects: 11 | - kind: ServiceAccount 12 | name: apiserver 13 | namespace: wardle 14 | -------------------------------------------------------------------------------- /chapter12/sample-apiserver/07-service.yaml: 
--------------------------------------------------------------------------------
apiVersion: v1
kind: Service
metadata:
  name: api
  namespace: wardle
spec:
  # 443 -> 443 onto the wardle-server pods; the APIService in apiservice.yaml
  # points kube-apiserver at this Service.
  ports:
  - port: 443
    protocol: TCP
    targetPort: 443
  selector:
    apiserver: "true"
--------------------------------------------------------------------------------
/chapter12/sample-apiserver/08-deployment.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wardle-server
  namespace: wardle
  labels:
    apiserver: "true"
spec:
  replicas: 1
  selector:
    matchLabels:
      apiserver: "true"
  template:
    metadata:
      labels:
        apiserver: "true"
    spec:
      # Identity used when the extension apiserver calls kube-apiserver; its
      # permissions come from the bindings in 04-, 05- and 06-*.yaml.
      serviceAccountName: apiserver
      containers:
      - name: wardle-server
        # build from staging/src/k8s.io/sample-apiserver/artifacts/simple-image/Dockerfile
        # or
        # docker pull gcr.io/kubernetes-e2e-test-images/sample-apiserver:1.17
        # docker tag gcr.io/kubernetes-e2e-test-images/sample-apiserver:1.17 kube-sample-apiserver:latest
        #image: kube-sample-apiserver:latest
        # Pinned by tag rather than digest and pulled only if absent, so the
        # image content is not verified against anything; pin a digest for a
        # reproducible deployment.
        image: e2eteam/sample-apiserver:1.17-linux-amd64
        imagePullPolicy: IfNotPresent
        # etcd is reached over plain http on the pod-local loopback.
        args: [ "--etcd-servers=http://localhost:2379" ]
      # Sidecar etcd started with default arguments: no TLS or client auth is
      # configured here and no volume is mounted, so its data presumably lives
      # in the container filesystem and goes away with the pod.
      - name: etcd
        image: quay.io/coreos/etcd:v3.4.7
--------------------------------------------------------------------------------
/chapter12/sample-apiserver/apiservice.yaml:
--------------------------------------------------------------------------------
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.wardle.example.com
spec:
  # kube-apiserver proxies requests for this group without verifying the
  # extension server's serving certificate, so anything answering on the
  # Service VIP could impersonate it.  Demo-only: set `caBundle` to the serving
  # CA and drop this flag for a real registration.
  insecureSkipTLSVerify: true
  group: wardle.example.com
  groupPriorityMinimum: 1000
  versionPriority: 15
  service:
    name: api
    namespace: wardle
  version: v1alpha1
--------------------------------------------------------------------------------
/chapter12/user-crd-demo.yaml:
--------------------------------------------------------------------------------
# Sample object for the users.auth.ilinux.io CRD (chapter12/crd-v1-*.yaml).
apiVersion: auth.ilinux.io/v1alpha1
kind: User
metadata:
  name: admin
  namespace: default
spec:
  userID: 1
  email: mage@magedu.com
  groups:
  - superusers
  # NOTE(review): probably meant "administrators"; left as-is because the
  # group name is data, not a comment.
  - adminstrators
  # Credential stored in clear text in a custom resource: readable by anyone
  # who can `get users` in this namespace and, unless the cluster encrypts
  # resources at rest, stored unencrypted in etcd.  The CRD's `format:
  # password` is only a schema hint.  Keep it in a Secret and reference that.
  password: ikubernetes.io
--------------------------------------------------------------------------------
/chapter13/configmap-ingress-nginx-controller.yaml:
--------------------------------------------------------------------------------
# ingress-nginx controller settings; ConfigMap values must be strings, hence
# the quoting.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  use-gzip: "true"
  gzip-level: "6"
  worker-processes: "8"
--------------------------------------------------------------------------------
/chapter13/contour-ingress-demo.yaml:
--------------------------------------------------------------------------------
# extensions/v1beta1 Ingress is deprecated and no longer served by current
# clusters; see ingress-v1-demo.yaml for the networking.k8s.io/v1 form.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: contour-ingress-demo
  annotations:
    kubernetes.io/ingress.class: "contour"
    # nginx-specific annotation on a Contour-class Ingress; presumably ignored
    # by Contour, so it does not actually disable the HTTPS redirect here.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  namespace: dev
spec:
  rules:
  - host: www.ilinux.io
    http:
      paths:
      - path: /
        backend:
          serviceName: demoapp
          servicePort: 80
  tls:
  - hosts:
    - www.ilinux.io
    secretName: tls-ingress-www-ilinux
--------------------------------------------------------------------------------
/chapter13/demoapp-ingress-with-basicauth.yaml:
--------------------------------------------------------------------------------
# Author: MageEdu
# Version: 0.1
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demoapp-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Leaves the host reachable over plain HTTP even though a tls section is
    # configured; with the basic-auth annotations that follow, credentials can
    # be submitted in clear text.  Remove it (default "true") once TLS works.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/auth-type: basic
# htpasswd-style credentials come from the Secret named here (key `auth`),
# presumably created from chapter13/ngxpasswd.
nginx.ingress.kubernetes.io/auth-secret: ilinux-passwd
nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
# NOTE(review): auth-url is the *external* auth annotation and expects an
# absolute URL of an auth service; a bare path here looks like a leftover
# and should be confirmed or removed.
nginx.ingress.kubernetes.io/auth-url: "/configs"
namespace: dev
spec:
  rules:
  - host: www.ilinux.io
    http:
      paths:
      - path: /
        backend:
          serviceName: demoapp
          servicePort: 80
  tls:
  - hosts:
    - www.ilinux.io
    secretName: tls-ingress-www-ilinux
--------------------------------------------------------------------------------
/chapter13/demoapp-ingress.yaml:
--------------------------------------------------------------------------------
# extensions/v1beta1 Ingress is deprecated; ingress-v1-demo.yaml shows the
# networking.k8s.io/v1 form.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demoapp-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Keeps plain HTTP open alongside the tls block below; fine for a demo,
    # drop it (default "true") once TLS is in place.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  namespace: dev
spec:
  rules:
  - host: www.ilinux.io
    http:
      paths:
      - path: /
        backend:
          serviceName: demoapp
          servicePort: 80
  tls:
  - hosts:
    - www.ilinux.io
    secretName: tls-ingress-www-ilinux
--------------------------------------------------------------------------------
/chapter13/httpproxy-demo.yaml:
--------------------------------------------------------------------------------
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: httpproxy-demo
  namespace: dev
spec:
  virtualhost:
    fqdn: www.ilinux.io
    tls:
      secretName: tls-ingress-www-ilinux
      # Lowers the TLS floor to 1.1, which is deprecated; remove the line to
      # keep Contour's default (presumably 1.2) or pin "1.2"/"1.3".
      # NOTE(review): confirm the value format against the Contour version in
      # use; the documented form is the bare version number.
      minimumProtocolVersion: "tlsv1.1"
  routes:
  - conditions:
    - prefix: /
    services:
    - name: demoapp
      port: 80
    # Serves this route over plain HTTP as well instead of redirecting to
    # HTTPS; demo convenience, not something to carry into production.
    permitInsecure: true
--------------------------------------------------------------------------------
/chapter13/httpproxy-headers-routing.yaml:
--------------------------------------------------------------------------------
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
4 | name: httpproxy-headers-routing 5 | namespace: dev 6 | spec: 7 | virtualhost: 8 | fqdn: www.ilinux.io 9 | routes: 10 | - conditions: 11 | - header: 12 | name: X-Canary 13 | present: true 14 | - header: 15 | name: User-Agent 16 | contains: curl 17 | services: 18 | - name: demoappv11 19 | port: 80 20 | - services: 21 | - name: demoapp 22 | port: 80 23 | -------------------------------------------------------------------------------- /chapter13/httpproxy-health-checks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcontour.io/v1 2 | kind: HTTPProxy 3 | metadata: 4 | name: httpproxy-health-check 5 | namespace: dev 6 | spec: 7 | virtualhost: 8 | fqdn: www.ilinux.io 9 | routes: 10 | - conditions: 11 | - prefix: / 12 | healthCheckPolicy: 13 | path: / 14 | intervalSeconds: 5 15 | timeoutSeconds: 2 16 | unhealthyThresholdCount: 3 17 | healthyThresholdCount: 5 18 | services: 19 | - name: demoapp 20 | port: 80 21 | - name: demoappv11 22 | port: 80 23 | -------------------------------------------------------------------------------- /chapter13/httpproxy-kubernetes-dashboard.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcontour.io/v1 2 | kind: HTTPProxy 3 | metadata: 4 | name: dashboard 5 | namespace: kubernetes-dashboard 6 | spec: 7 | virtualhost: 8 | fqdn: dashboard.ilinux.io 9 | tls: 10 | passthrough: true 11 | tcpproxy: 12 | services: 13 | - name: kubernetes-dashboard 14 | port: 443 15 | -------------------------------------------------------------------------------- /chapter13/httpproxy-lb-strategy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcontour.io/v1 2 | kind: HTTPProxy 3 | metadata: 4 | name: httpproxy-lb-strategy 5 | namespace: dev 6 | spec: 7 | virtualhost: 8 | fqdn: www.ilinux.io 9 | routes: 10 | - conditions: 11 | - prefix: / 12 | services: 13 | - name: demoapp 14 | 
port: 80 15 | - name: demoappv11 16 | port: 80 17 | loadBalancerPolicy: 18 | strategy: Random 19 | -------------------------------------------------------------------------------- /chapter13/httpproxy-retry-timeout.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcontour.io/v1 2 | kind: HTTPProxy 3 | metadata: 4 | name: httpproxy-retry-timeout 5 | namespace: dev 6 | spec: 7 | virtualhost: 8 | fqdn: www.ilinux.io 9 | routes: 10 | - timeoutPolicy: 11 | response: 2s 12 | idle: 5s 13 | retryPolicy: 14 | count: 3 15 | perTryTimeout: 500ms 16 | services: 17 | - name: demoapp 18 | port: 80 19 | -------------------------------------------------------------------------------- /chapter13/httpproxy-tcpproxy-redis.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcontour.io/v1 2 | kind: HTTPProxy 3 | metadata: 4 | name: httpproxy-tcpproxy-redis 5 | namespace: dev 6 | spec: 7 | virtualhost: 8 | fqdn: redis.ilinux.io 9 | tls: 10 | passthrough: true 11 | tcpproxy: 12 | services: 13 | - name: redis 14 | port: 6379 15 | -------------------------------------------------------------------------------- /chapter13/httpproxy-tls-passthrough.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcontour.io/v1 2 | kind: HTTPProxy 3 | metadata: 4 | name: dashboard 5 | namespace: kubernetes-dashboard 6 | spec: 7 | virtualhost: 8 | fqdn: www.ilinux.io 9 | tls: 10 | passthrough: true 11 | tcpproxy: 12 | services: 13 | - name: kubernetes-dashboard 14 | port: 443 15 | -------------------------------------------------------------------------------- /chapter13/httpproxy-traffic-mirror.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcontour.io/v1 2 | kind: HTTPProxy 3 | metadata: 4 | name: httpproxy-traffic-mirror 5 | namespace: dev 6 | spec: 7 | virtualhost: 8 | 
fqdn: www.ilinux.io 9 | routes: 10 | - conditions: 11 | - prefix: / 12 | services: 13 | - name: demoapp 14 | port: 80 15 | - name: demoappv11 16 | port: 80 17 | mirror: true 18 | -------------------------------------------------------------------------------- /chapter13/httpproxy-traffic-splitting.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcontour.io/v1 2 | kind: HTTPProxy 3 | metadata: 4 | name: httpproxy-traffic-splitting 5 | namespace: dev 6 | spec: 7 | virtualhost: 8 | fqdn: www.ilinux.io 9 | routes: 10 | - conditions: 11 | - prefix: / 12 | services: 13 | - name: demoapp 14 | port: 80 15 | weight: 90 16 | - name: demoappv11 17 | port: 80 18 | weight: 10 19 | -------------------------------------------------------------------------------- /chapter13/ingress-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: ingress-demo 5 | annotations: 6 | kubernetes.io/ingress.class: "nginx" 7 | namespace: dev 8 | spec: 9 | rules: 10 | - host: www.ik8s.io 11 | http: 12 | paths: 13 | - path: 14 | backend: 15 | serviceName: ik8s 16 | servicePort: 80 17 | - host: www.ilinux.io 18 | http: 19 | paths: 20 | - path: /foo 21 | backend: 22 | serviceName: foo-svc 23 | servicePort: 80 24 | - path: /bar 25 | backend: 26 | serviceName: bar-svc 27 | servicePort: 8080 28 | tls: 29 | - hosts: 30 | - www.ik8s.io 31 | secretName: tls-ik8s 32 | backend: 33 | serviceName: default-backend 34 | servicePort: 80 35 | -------------------------------------------------------------------------------- /chapter13/ingress-kubernetes-dashboard.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: dashboard 5 | annotations: 6 | kubernetes.io/ingress.class: "nginx" 7 | ingress.kubernetes.io/ssl-passthrough: "true" 8 | 
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" 9 | nginx.ingress.kubernetes.io/rewrite-target: /$2 10 | namespace: kubernetes-dashboard 11 | spec: 12 | rules: 13 | - http: 14 | paths: 15 | - path: /dashboard(/|$)(.*) 16 | backend: 17 | serviceName: kubernetes-dashboard 18 | servicePort: 443 19 | -------------------------------------------------------------------------------- /chapter13/ingress-v1-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: ingress-demo 5 | annotations: 6 | kubernetes.io/ingress.class: "nginx" 7 | namespace: dev 8 | spec: 9 | rules: 10 | - host: www.ik8s.io 11 | http: 12 | paths: 13 | - path: / 14 | pathType: Prefix 15 | backend: 16 | service: 17 | name: ik8s 18 | port: 19 | number: 80 20 | - host: www.ilinux.io 21 | http: 22 | paths: 23 | - path: /foo 24 | pathType: Prefix 25 | backend: 26 | service: 27 | name: foo-svc 28 | port: 29 | number: 80 30 | - path: /bar 31 | pathType: Prefix 32 | backend: 33 | service: 34 | name: bar-svc 35 | port: 36 | number: 8080 37 | -------------------------------------------------------------------------------- /chapter13/ingress-www-ilinux.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDlTCCAn2gAwIBAgIUCww5Uarqb8Nny5as8wsLSh9gjAEwDQYJKoZIhvcNAQEL 3 | BQAwWjELMAkGA1UEBhMCQ04xEDAOBgNVBAgMB0JlaWppbmcxEDAOBgNVBAcMB0Jl 4 | aWppbmcxDzANBgNVBAoMBkRldk9wczEWMBQGA1UEAwwNd3d3LmlsaW51eC5pbzAe 5 | Fw0yMDA3MTAwOTU1MjNaFw0zMDA3MDgwOTU1MjNaMFoxCzAJBgNVBAYTAkNOMRAw 6 | DgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ8wDQYDVQQKDAZEZXZP 7 | cHMxFjAUBgNVBAMMDXd3dy5pbGludXguaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IB 8 | DwAwggEKAoIBAQC3D29AlxQ6gk7AsVQI4/27S8jCHYioYg9Ddn93ClJmU2ZEoe09 9 | nK+8ailNxseP4xHC5jueRpj8guelzrRrkDMdj1PMyGDf8E1CNHlHamnoO2u8gkfC 10 | jpxmGWUo6wAS7kPhkhXiBp1Md3rmCz+QmVCO8vRfe12eNMG5AJlS263Hi54EjQ3E 11 | 
9p/mVq6JtcDRTNndBGSy1jgLvbrDPSy9hKo2uB5J0/zOONo9f9r532tqRvUcqP2y 12 | K/6G56sC7xZjJFWRU6KwK7crNkCvnYKipxctndezw2k2tYTc2lwYvcyw9UlZ8sIY 13 | UYEPg5oSMgZcX2qKXG4LcFvI/LM9ZM8xIMXVAgMBAAGjUzBRMB0GA1UdDgQWBBT9 14 | 1JC4UuqZxAY0pgj2ladS12kJQDAfBgNVHSMEGDAWgBT91JC4UuqZxAY0pgj2ladS 15 | 12kJQDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA5WxtqZdpa 16 | +cCrPLi7bukhzEzxtUpLIa27GF6h7qz2ECgEwxHA6tdRtn/kRO47ZlpuGb1rQk5w 17 | 6ndDevlKusgw+fr/QymmqfmFzYGLQUNCdRDR/F5KH+fBzfCdjEG+QKsV+sfkDEQG 18 | us3xR9mSuT/OskLnnaV3rgcRmlovPDpNg2qSpTW1PG41VVmbK5ATh8+/BTve2S7w 19 | CB9AhjqX1SnoKqDlPKXoReOYqIELIiztV2N1mIfhbQItoaaioZ1NnE3XPDibKTFm 20 | wlTaTcKG3dSXgOewT07kekh3m3tyfQBzdxNuXiH8QyHCaZkQZtkp6MQTFna6AXMI 21 | nVmRHjw3UTr3 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /chapter13/ingress-www-ilinux.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEogIBAAKCAQEAtw9vQJcUOoJOwLFUCOP9u0vIwh2IqGIPQ3Z/dwpSZlNmRKHt 3 | PZyvvGopTcbHj+MRwuY7nkaY/ILnpc60a5AzHY9TzMhg3/BNQjR5R2pp6DtrvIJH 4 | wo6cZhllKOsAEu5D4ZIV4gadTHd65gs/kJlQjvL0X3tdnjTBuQCZUtutx4ueBI0N 5 | xPaf5lauibXA0UzZ3QRkstY4C726wz0svYSqNrgeSdP8zjjaPX/a+d9rakb1HKj9 6 | siv+huerAu8WYyRVkVOisCu3KzZAr52CoqcXLZ3Xs8NpNrWE3NpcGL3MsPVJWfLC 7 | GFGBD4OaEjIGXF9qilxuC3BbyPyzPWTPMSDF1QIDAQABAoIBAHuWMwDDPofls29K 8 | CLbb3VAWcNoEgF9VnIJqPNHMKScmBPQu8fDXmJk2ft4gZlhQ74vKTdOkS+KmKef5 9 | 7jp0Jt49BlFJsoVdQXuB26MIR6nee/TPa80A5LvVR0NhrDIbo75lFtr6pjWasGEg 10 | lPB1YTqw8aSIsAKAEY1pxxl2cBM3ndChS966QKAGAJkSJQZjIy6VJHfzMzT/tO3y 11 | bZlCHMp6rReBzC1rv8Ww5PXFHMXZW7VGtR/9NUeFScFz0EokzZ8kKF3TbSt7mPeE 12 | e48RZHAoCd9Dj06YHagVFQ4gWL3cqDJVXh+ns4/vEwVhmfMhNLveb3ucXv30Pmvb 13 | 39mT9YECgYEA2L4NOttdsPMfQsL6A016Zgnnf12QzQ3v5iSfPiHWY7EkUSdu9nJw 14 | 3TJ+GcR6vcnAii+fIAYRpedUHjuucmLvJE+eOpKdHgMyH4ok5BNDLcdHTCXIvNZQ 15 | nSGEbalveja8ECpYKOl1f/pTaTA8wzLhRIUf6KTdx3oahfQfciTldWECgYEA2Deb 16 | 
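CEmyHh8We9N+LtAHMC68ztqlNZ7bWk5qZLCdtcDnZ7p9rMRzIWBVm2BHRs+JB5su
nbRUIQoF9EX8J1YvyigqNHzFpV1/RQHSPNxlXeoR9UkbOkg/M9DpvSSYYh8ZGuts
s5KcRURFT1rM0/92bkrhjtNj2qtb9SxfxzBNcPUCgYBHJbPgEyxhLp2fY7OALAm2
vx+Pzp3+wclzKahgU+k1VmvOe/xPx+dGpRGB0d5cuIKMme9JKtTWOeaB+iNchx9r
MvuEzKXouTHV6poLiEswFs9PrsODQXK68cqv2MOwQZFgWRYRb/lTJlAFIoF/rg8G
WBDOZHgsx+c2+5jq9jOgYQKBgCuNX9QWjCNXHb9JhaRGUPxanbuI/ThEzGhvXSz1
Cn9+4N3bCc+QLqStc/D9Pr47tZ1rm8M2fK+/Bh4DLtx5ltzApGe4LlO19pne2Qtb
VavKJ13iIPLndJuqXDq2MV+qZfMvMtElGgc1zkRCxPl6/s8OlEqht/5m//ntu0kz
KJY1AoGAOIweVvCCaRTnykGT5RVXJ/xh229Z5UoB9cy6a2baw3umIZ1zHr8Wy+7S
eXROBSny3YNtjxLNP75WMC/SCIbQ6EoEMkIs4faLmM4A8gUA9x8aZkmbJxBn2Ket
9lpTr4zvHzRpKLgyKQ+J86mOh6ctoUePowttNpcJgxPp+ZbVBmM=
-----END RSA PRIVATE KEY-----
--------------------------------------------------------------------------------
/chapter13/ngxpasswd:
--------------------------------------------------------------------------------
ilinux:$apr1$oQ9N/KCk$qmA8pq1lY9lYMfwnSlDSy1
mageedu:$apr1$W0LERjL1$FNVEhYZQeAm1O5v8c92VS0
--------------------------------------------------------------------------------
/chapter13/patch.json:
--------------------------------------------------------------------------------
{data:
  {
    workprocess: "4",
    gzip-level: "6"
  }
}
--------------------------------------------------------------------------------
/chapter13/send-requests.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Author: MageEdu
#
# Send a number of HTTP requests to demoapp and count how many were answered
# by v1.0 versus anything else (reported as v1.1), e.g. to observe traffic
# splitting between two versions.
#
# Usage: send-requests.sh [REQUESTS] [HOST] [PORT]
#   REQUESTS  number of requests to send (default 100)
#   HOST      host name or address to send them to (default www.ilinux.io)
#   PORT      TCP port to connect to (default 32139)
declare -i v10=0
declare -i v11=0
declare -i i=1

# Fix: the original assigned `reqestsNum` (typo) and then read `requestsNum`,
# so the loop test became `[ 1 -le ]`, failed, and every run reported 0/0.
requestsNum=${1:-"100"}
echo "$requestsNum"

host=${2:-www.ilinux.io}
# The port used to be hard-coded; it is now the optional third argument with
# the same default.
port=${3:-32139}

# Reject a non-numeric count up front rather than failing inside the loop test.
case "$requestsNum" in
  ''|*[!0-9]*)
    echo "requests count must be a non-negative integer, got '$requestsNum'" >&2
    exit 1
    ;;
esac

while [ "$i" -le "$requestsNum" ]; do
  # A request that fails or returns no body is counted under v11, as before.
  if curl -s "http://$host:$port/" | grep -q "v1.0"; then
    let v10++
  else
    let v11++
  fi

  let i++
done

echo "Requests to demoapp V1.0: $v10"
echo "Requests to demoapp V1.1: $v11"
--------------------------------------------------------------------------------
/chapter13/test.yaml:
--------------------------------------------------------------------------------
# Same name and namespace as chapter13/demoapp-ingress.yaml: applying this
# after it replaces that object's host and TLS secret rather than adding a
# second Ingress.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: demoapp-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Keeps plain HTTP open alongside the tls block below.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  namespace: dev
spec:
  rules:
  - host: demoapp.ilinux.io
    http:
      paths:
      - path: /
        backend:
          serviceName: demoapp
          servicePort: 80
  tls:
  - hosts:
    - demoapp.ilinux.io
    secretName: tls-ingress-demoapp-ilinux
--------------------------------------------------------------------------------
/chapter13/tomcat.yaml:
--------------------------------------------------------------------------------
# Author: MageEdu
# Version: v1.0
# Date: 2020-07-11
---
kind: Namespace
apiVersion: v1
metadata:
  name: testing
  labels:
    env: testing
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: testing
spec:
  replicas: 2
  selector:
    matchLabels:
      app: tomcat
      # Fix: an unquoted 8.5 is a YAML float, and label values must be
      # strings, so the unquoted form is rejected on apply.  Quoted in all
      # three places (selector, pod labels, Service selector) so they match.
      version: "8.5"
      jdk: openjdk
  template:
    metadata:
      labels:
        app: tomcat
        version: "8.5"
        jdk: openjdk
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5.57-jdk8-adoptopenjdk-openj9
        ports:
        - containerPort: 8080
          name: httpport
        # AJP is declared here but not mapped by the Service below.
        - containerPort: 8009
          name: ajpport
---
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: testing
spec:
  selector:
    app: tomcat
    version: "8.5"
    jdk: openjdk
  ports:
  - name: http
    port: 80
    targetPort: 8080
    protocol: TCP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat
  namespace: testing
  annotations: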
kubernetes.io/ingress.class: "nginx" 63 | spec: 64 | rules: 65 | - host: tomcat.ilinux.io 66 | http: 67 | paths: 68 | - path: 69 | backend: 70 | serviceName: tomcat 71 | servicePort: 80 72 | --- 73 | -------------------------------------------------------------------------------- /chapter14/helm/demoapp-values.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | annotations: 4 | kubernetes.io/ingress.class: nginx 5 | hosts: 6 | - host: www.ik8s.io 7 | paths: 8 | - / 9 | -------------------------------------------------------------------------------- /chapter14/helm/demoapp/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /chapter14/helm/demoapp/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: demoapp 3 | description: A kubernetes-natvie application demo. 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | # Library charts provide useful utilities or functions for the chart developer. They're included as 11 | # a dependency of application charts to inject those utilities and functions into the rendering 12 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 
13 | type: application 14 | 15 | # This is the chart version. This version number should be incremented each time you make changes 16 | # to the chart and its templates, including the app version. 17 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 18 | version: 0.1.0 19 | 20 | # This is the version number of the application being deployed. This version number should be 21 | # incremented each time you make changes to the application. Versions are not expected to 22 | # follow Semantic Versioning. They should reflect the version the application is using. 23 | appVersion: 1.0.0 24 | 25 | maintainers: 26 | - name: MageEdu 27 | email: mage@magedu.com 28 | url: http://www.magedu.com 29 | -------------------------------------------------------------------------------- /chapter14/helm/demoapp/README.md: -------------------------------------------------------------------------------- 1 | # demoapp 2 | 3 | [demoapp](http://www.magedu.com/) is a demo application. 4 | 5 | ## TL;DR; 6 | 7 | ```console 8 | $ helm repo add ikubernetes https://hub.ilinux.io/chartrepo/ikubernetes 9 | $ helm install my-release ilinux/demoapp 10 | ``` 11 | 12 | ## Introduction 13 | 14 | This chart bootstraps a [demoapp](https://github.com/ikubernetes/) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. 15 | 16 | ## Prerequisites 17 | 18 | - Kubernetes 1.12+ 19 | - Helm 2.0+ 20 | 21 | ## Installing the Chart 22 | 23 | To install the chart with the release name `my-release`: 24 | 25 | ```console 26 | $ helm repo add ikubernetes https://hub.ilinux.io/chartrepo/ikubernetes 27 | $ helm install my-release ilinux/demoapp 28 | ``` 29 | 30 | These commands deploy demoapp on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. 
31 | 32 | > **Tip**: List all releases using `helm list` 33 | 34 | ## Uninstalling the Chart 35 | 36 | To uninstall/delete the `my-release` deployment: 37 | 38 | ```console 39 | $ helm delete my-release 40 | ``` 41 | 42 | The command removes all the Kubernetes components associated with the chart and deletes the release. 43 | 44 | ## Parameters 45 | 46 | The following table lists the configurable parameters of the demoapp chart and their default values. 47 | 48 | | Parameter | Description | Default | 49 | | -------------- | ----------------------- | ------- | 50 | | `replicaCount` | The number of replicas. | `1` | 51 | | | | | 52 | | | | | 53 | -------------------------------------------------------------------------------- /chapter14/helm/demoapp/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 1. Get the application URL by running these commands: 2 | {{- if .Values.ingress.enabled }} 3 | {{- range $host := .Values.ingress.hosts }} 4 | {{- range .paths }} 5 | http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} 6 | {{- end }} 7 | {{- end }} 8 | {{- else if contains "NodePort" .Values.service.type }} 9 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "demoapp.fullname" . }}) 10 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 11 | echo http://$NODE_IP:$NODE_PORT 12 | {{- else if contains "LoadBalancer" .Values.service.type }} 13 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 14 | You can watch the status of it by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "demoapp.fullname" . }}' 15 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "demoapp.fullname" . 
}} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") 16 | echo http://$SERVICE_IP:{{ .Values.service.port }} 17 | {{- else if contains "ClusterIP" .Values.service.type }} 18 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "demoapp.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 19 | echo "Visit http://127.0.0.1:8080 to use your application" 20 | kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /chapter14/helm/demoapp/templates/NOTES.txt.bak: -------------------------------------------------------------------------------- 1 | 1. Get the application URL by running these commands: 2 | {{- if .Values.ingress.enabled }} 3 | {{- range $host := .Values.ingress.hosts }} 4 | {{- range .paths }} 5 | http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} 6 | {{- end }} 7 | {{- end }} 8 | {{- else if contains "NodePort" .Values.service.type }} 9 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "demoapp.fullname" . }}) 10 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 11 | echo http://$NODE_IP:$NODE_PORT 12 | {{- else if contains "LoadBalancer" .Values.service.type }} 13 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 14 | You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "demoapp.fullname" . }}' 15 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "demoapp.fullname" . 
}} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") 16 | echo http://$SERVICE_IP:{{ .Values.service.port }} 17 | {{- else if contains "ClusterIP" .Values.service.type }} 18 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "demoapp.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 19 | echo "Visit http://127.0.0.1:8080 to use your application" 20 | kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /chapter14/helm/demoapp/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "demoapp.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 7 | {{- end }} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "demoapp.fullname" -}} 15 | {{- if .Values.fullnameOverride }} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 17 | {{- else }} 18 | {{- $name := default .Chart.Name .Values.nameOverride }} 19 | {{- if contains $name .Release.Name }} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 21 | {{- else }} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 23 | {{- end }} 24 | {{- end }} 25 | {{- end }} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 
29 | */}} 30 | {{- define "demoapp.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 32 | {{- end }} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "demoapp.labels" -}} 38 | helm.sh/chart: {{ include "demoapp.chart" . }} 39 | {{ include "demoapp.selectorLabels" . }} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end }} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "demoapp.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "demoapp.name" . }} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end }} 53 | 54 | {{/* 55 | Create the name of the service account to use 56 | */}} 57 | {{- define "demoapp.serviceAccountName" -}} 58 | {{- if .Values.serviceAccount.create }} 59 | {{- default (include "demoapp.fullname" .) .Values.serviceAccount.name }} 60 | {{- else }} 61 | {{- default "default" .Values.serviceAccount.name }} 62 | {{- end }} 63 | {{- end }} 64 | -------------------------------------------------------------------------------- /chapter14/helm/demoapp/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "demoapp.fullname" . }} 5 | labels: 6 | {{- include "demoapp.labels" . | nindent 4 }} 7 | spec: 8 | {{- if not .Values.autoscaling.enabled }} 9 | replicas: {{ .Values.replicaCount }} 10 | {{- end }} 11 | selector: 12 | matchLabels: 13 | {{- include "demoapp.selectorLabels" . | nindent 6 }} 14 | template: 15 | metadata: 16 | {{- with .Values.podAnnotations }} 17 | annotations: 18 | {{- toYaml . | nindent 8 }} 19 | {{- end }} 20 | labels: 21 | {{- include "demoapp.selectorLabels" . | nindent 8 }} 22 | spec: 23 | {{- with .Values.imagePullSecrets }} 24 | imagePullSecrets: 25 | {{- toYaml . 
| nindent 8 }} 26 | {{- end }} 27 | serviceAccountName: {{ include "demoapp.serviceAccountName" . }} 28 | securityContext: 29 | {{- toYaml .Values.podSecurityContext | nindent 8 }} 30 | containers: 31 | - name: {{ .Chart.Name }} 32 | securityContext: 33 | {{- toYaml .Values.securityContext | nindent 12 }} 34 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" 35 | imagePullPolicy: {{ .Values.image.pullPolicy }} 36 | ports: 37 | - name: http 38 | containerPort: 80 39 | protocol: TCP 40 | livenessProbe: 41 | httpGet: 42 | path: / 43 | port: http 44 | readinessProbe: 45 | httpGet: 46 | path: / 47 | port: http 48 | resources: 49 | {{- toYaml .Values.resources | nindent 12 }} 50 | {{- with .Values.nodeSelector }} 51 | nodeSelector: 52 | {{- toYaml . | nindent 8 }} 53 | {{- end }} 54 | {{- with .Values.affinity }} 55 | affinity: 56 | {{- toYaml . | nindent 8 }} 57 | {{- end }} 58 | {{- with .Values.tolerations }} 59 | tolerations: 60 | {{- toYaml . | nindent 8 }} 61 | {{- end }} 62 | -------------------------------------------------------------------------------- /chapter14/helm/demoapp/templates/hpa.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.autoscaling.enabled }} 2 | apiVersion: autoscaling/v2beta1 3 | kind: HorizontalPodAutoscaler 4 | metadata: 5 | name: {{ include "demoapp.fullname" . }} 6 | labels: 7 | {{- include "demoapp.labels" . | nindent 4 }} 8 | spec: 9 | scaleTargetRef: 10 | apiVersion: apps/v1 11 | kind: Deployment 12 | name: {{ include "demoapp.fullname" . 
}} 13 | minReplicas: {{ .Values.autoscaling.minReplicas }} 14 | maxReplicas: {{ .Values.autoscaling.maxReplicas }} 15 | metrics: 16 | {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} 17 | - type: Resource 18 | resource: 19 | name: cpu 20 | targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} 21 | {{- end }} 22 | {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} 23 | - type: Resource 24 | resource: 25 | name: memory 26 | targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} 27 | {{- end }} 28 | {{- end }} 29 | -------------------------------------------------------------------------------- /chapter14/helm/demoapp/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "demoapp.fullname" . -}} 3 | {{- $svcPort := .Values.service.port -}} 4 | {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} 5 | apiVersion: networking.k8s.io/v1beta1 6 | {{- else -}} 7 | apiVersion: extensions/v1beta1 8 | {{- end }} 9 | kind: Ingress 10 | metadata: 11 | name: {{ $fullName }} 12 | labels: 13 | {{- include "demoapp.labels" . | nindent 4 }} 14 | {{- with .Values.ingress.annotations }} 15 | annotations: 16 | {{- toYaml . | nindent 4 }} 17 | {{- end }} 18 | spec: 19 | {{- if .Values.ingress.tls }} 20 | tls: 21 | {{- range .Values.ingress.tls }} 22 | - hosts: 23 | {{- range .hosts }} 24 | - {{ . | quote }} 25 | {{- end }} 26 | secretName: {{ .secretName }} 27 | {{- end }} 28 | {{- end }} 29 | rules: 30 | {{- range .Values.ingress.hosts }} 31 | - host: {{ .host | quote }} 32 | http: 33 | paths: 34 | {{- range .paths }} 35 | - path: {{ . 
}} 36 | backend: 37 | serviceName: {{ $fullName }} 38 | servicePort: {{ $svcPort }} 39 | {{- end }} 40 | {{- end }} 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /chapter14/helm/demoapp/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "demoapp.fullname" . }} 5 | labels: 6 | {{- include "demoapp.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | selector: 15 | {{- include "demoapp.selectorLabels" . | nindent 4 }} 16 | -------------------------------------------------------------------------------- /chapter14/helm/demoapp/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "demoapp.serviceAccountName" . }} 6 | labels: 7 | {{- include "demoapp.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /chapter14/helm/demoapp/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "demoapp.fullname" . }}-test-connection" 5 | labels: 6 | {{- include "demoapp.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test-success 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "demoapp.fullname" . 
}}:{{ .Values.service.port }}'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /chapter14/helm/demoapp/values.yaml: -------------------------------------------------------------------------------- 1 | # Default values for demoapp. 2 | # This is a YAML-formatted file. 3 | # Declare variables to be passed into your templates. 4 | 5 | replicaCount: 1 6 | 7 | image: 8 | repository: ikubernetes/demoapp 9 | pullPolicy: IfNotPresent 10 | tag: "v1.0" 11 | 12 | imagePullSecrets: [] 13 | nameOverride: "" 14 | fullnameOverride: "" 15 | 16 | serviceAccount: 17 | # Specifies whether a service account should be created 18 | create: false 19 | # Annotations to add to the service account 20 | annotations: {} 21 | # The name of the service account to use. 22 | # If not set and create is true, a name is generated using the fullname template 23 | name: "" 24 | 25 | podAnnotations: {} 26 | 27 | podSecurityContext: {} 28 | # fsGroup: 2000 29 | 30 | securityContext: {} 31 | # capabilities: 32 | # drop: 33 | # - ALL 34 | # readOnlyRootFilesystem: true 35 | # runAsNonRoot: true 36 | # runAsUser: 1000 37 | 38 | service: 39 | type: ClusterIP 40 | port: 80 41 | 42 | ingress: 43 | enabled: false 44 | annotations: 45 | # kubernetes.io/ingress.class: nginx 46 | # kubernetes.io/tls-acme: "true" 47 | hosts: 48 | - host: chart-example.local 49 | paths: [] 50 | tls: [] 51 | # - secretName: chart-example-tls 52 | # hosts: 53 | # - chart-example.local 54 | 55 | resources: {} 56 | # We usually recommend not to specify default resources and to leave this as a conscious 57 | # choice for the user. This also increases chances charts run on environments with little 58 | # resources, such as Minikube. If you do want to specify resources, uncomment the following 59 | # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
60 | # limits: 61 | # cpu: 100m 62 | # memory: 128Mi 63 | # requests: 64 | # cpu: 100m 65 | # memory: 128Mi 66 | 67 | autoscaling: 68 | enabled: false 69 | minReplicas: 1 70 | maxReplicas: 100 71 | targetCPUUtilizationPercentage: 80 72 | # targetMemoryUtilizationPercentage: 80 73 | 74 | nodeSelector: {} 75 | 76 | tolerations: [] 77 | 78 | affinity: {} 79 | -------------------------------------------------------------------------------- /chapter14/helm/harbor/harbor-ingress-ca.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIC9TCCAd2gAwIBAgIRALmdruu+1nOYWIsVD5f9TMAwDQYJKoZIhvcNAQELBQAw 3 | FDESMBAGA1UEAxMJaGFyYm9yLWNhMB4XDTIwMDcyMzAzMzgxM1oXDTIxMDcyMzAz 4 | MzgxM1owFDESMBAGA1UEAxMJaGFyYm9yLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOC 5 | AQ8AMIIBCgKCAQEAnKQYh8imuaY5hgbOIiVn7/bt8VdkE47R8917Q0D6subr0P8R 6 | nRNs42yGZU8bYFuh6I5BDt71mE/RrPsc761ZXT11GRXE+GhUvwsGXGkzYDr0h3wq 7 | FeDuBu0NE4jFBMOrrqRlFnKI1OyjhSp9wQD8+ZIVhqtfSMCcBApen0zIP+DfrIOm 8 | vXd1YUyzoDz7heCJ0LK9DvbAQqP6L8t/oQNJTg34u1Aomys9rZwKbyzCiseFkszo 9 | 2Ll9X4KYnmyXL9hcvhvlRN6vbPaT3qSXagWtblO4lwgjMX05EqUU9ndzFdvqLDW5 10 | gdO7q7b9qZ5k2sVXaf6005JKjYa4dQHm7oTqLQIDAQABo0IwQDAOBgNVHQ8BAf8E 11 | BAMCAqQwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQF 12 | MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHLgw99YhptTK91DoijKDnc1XdxjgxOh 13 | DS2sWMJogvE5fnVwTIvRbOnSqQZIFfTFefsKnule8r1wGFh9YvqHuf3rjmc/Hao7 14 | Mhs2ssWPnFZdYz/D0tlG9aAAMBTyFLO9u9ivWHTJp3HkJ+6xG5M8zzRWghiLpw6t 15 | iUQ5l6aY5SNNnZwicj0WiXrzJfjgJ+FbQgIe/z0eimZVs/vabc21KsTZvRritXLK 16 | xWBPfCT1rcKMl1LnOuDi46gkOGo1Zpq2vl7vWgsgC6f0zf03uz9MBdG92tDyuFgN 17 | CzUcNsErPQF91TJmnhxAkm/M4l5F7Fi4dOy4khZ4CBYhmJ7RtuHvsHM= 18 | -----END CERTIFICATE----- 19 | -------------------------------------------------------------------------------- /chapter14/helm/harbor/longhorn-storageclass.yaml: -------------------------------------------------------------------------------- 1 | kind: StorageClass 2 | apiVersion: 
storage.k8s.io/v1 3 | metadata: 4 | name: longhorn 5 | provisioner: driver.longhorn.io 6 | allowVolumeExpansion: true 7 | parameters: 8 | numberOfReplicas: "2" 9 | staleReplicaTimeout: "2880" # 48 hours in minutes 10 | fromBackup: "" 11 | reclaimPolicy: Retain 12 | -------------------------------------------------------------------------------- /chapter14/helm/harbor/temp/harbor-values-without-persistence.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | hosts: 4 | core: hub.ilinux.io 5 | notary: notary.ilinux.io 6 | controller: nginx 7 | annotations: 8 | ingress.kubernetes.io/ssl-redirect: "true" 9 | ingress.kubernetes.io/proxy-body-size: "0" 10 | nginx.ingress.kubernetes.io/ssl-redirect: "true" 11 | nginx.ingress.kubernetes.io/proxy-body-size: "0" 12 | 13 | externalURL: https://hub.ilinux.io 14 | harborAdminPassword: "MageEdu123" 15 | 16 | service: 17 | type: ClusterIP 18 | tls: 19 | enabled: true 20 | existingSecret: "" 21 | notaryExistingSecret: "" 22 | commonName: "hub.ilinux.io" 23 | ports: 24 | http: 80 25 | https: 443 26 | notary: 4443 27 | 28 | persistence: 29 | enabled: false 30 | 31 | # Values for Dependencies. 32 | postgresql: 33 | persistence: 34 | enabled: false 35 | 36 | redis: 37 | master: 38 | persistence: 39 | enabled: false 40 | slave: 41 | persistence: 42 | enabled: false 43 | -------------------------------------------------------------------------------- /chapter14/helm/harbor/temp/harbor.notes: -------------------------------------------------------------------------------- 1 | NAME: hub 2 | LAST DEPLOYED: Fri Jul 24 10:05:23 2020 3 | NAMESPACE: harbor 4 | STATUS: deployed 5 | REVISION: 1 6 | TEST SUITE: None 7 | NOTES: 8 | ** Please be patient while the chart is being deployed ** 9 | 10 | 1. Get the Harbor URL: 11 | 12 | You should be able to access your new Harbor installation through https://hub.ilinux.io 13 | 14 | 2. 
Login with the following credentials to see your Harbor application 15 | 16 | echo Username: "admin" 17 | echo Password: $(kubectl get secret --namespace harbor hub-harbor-core-envvars -o jsonpath="{.data.HARBOR_ADMIN_PASSWORD}" | base64 --decode) 18 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/base/deploy-demoapp.yaml: -------------------------------------------------------------------------------- 1 | # VERSION: demoapp version 2 | # Maintainer: MageEdu 3 | --- 4 | apiVersion: apps/v1 5 | kind: Deployment 6 | metadata: 7 | name: demoapp 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: demoapp 13 | template: 14 | metadata: 15 | labels: 16 | app: demoapp 17 | spec: 18 | containers: 19 | - name: demoapp 20 | image: ikubernetes/demoapp:v1.0 21 | ports: 22 | - containerPort: 80 23 | name: http 24 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/base/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - deploy-demoapp.yaml 6 | - service-demoapp.yaml 7 | 8 | commonLabels: 9 | generated-by: kustomize 10 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/base/service-demoapp.yaml: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: demoapp 5 | spec: 6 | selector: 7 | app: demoapp 8 | ports: 9 | - name: http 10 | protocol: TCP 11 | port: 80 12 | targetPort: 80 13 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/prod/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: 
Kustomization 3 | 4 | bases: 5 | - ../base/ 6 | 7 | resources: 8 | - namespace.yaml 9 | 10 | namespace: prod 11 | 12 | commonLabels: 13 | environment: prod 14 | 15 | commonAnnotations: 16 | ilinux.io/app: "demoapp" 17 | 18 | configMapGenerator: 19 | - name: demoapp-conf 20 | literals: 21 | - host="0.0.0.0" 22 | - port="8080" 23 | 24 | secretGenerator: 25 | - name: demoapp-ssl 26 | files: 27 | - secrets/tls.crt 28 | - secrets/tls.key 29 | type: "kubernetes.io/tls" 30 | 31 | generatorOptions: 32 | disableNameSuffixHash: true 33 | 34 | patchesStrategicMerge: 35 | - patches/demoapp-add-requests-and-limits.yaml 36 | - patches/demoapp-add-configmap-and-secret.yaml 37 | 38 | patchesJson6902: 39 | - target: 40 | version: v1 41 | kind: Service 42 | name: demoapp 43 | path: patches/patch-service-demoapp-targetport-8080.yaml 44 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/prod/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: prod 5 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/prod/patches/demoapp-add-configmap-and-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: demoapp 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: demoapp 10 | env: 11 | - name: PORT 12 | valueFrom: 13 | configMapKeyRef: 14 | name: demoapp-conf 15 | key: demoapp.port 16 | optional: false 17 | - name: HOST 18 | valueFrom: 19 | configMapKeyRef: 20 | name: demoapp-conf 21 | key: demoapp.host 22 | optional: true 23 | volumeMounts: 24 | - name: demoappcerts 25 | mountPath: /etc/demoapp/certs/ 26 | readOnly: true 27 | volumes: 28 | - name: demoappcerts 29 | secret: 30 | secretName: demoapp-ssl 31 | 
-------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/prod/patches/demoapp-add-requests-and-limits.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: demoapp 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: demoapp 10 | livenessProbe: 11 | httpGet: 12 | path: '/livez' 13 | port: 80 14 | initialDelaySeconds: 5 15 | readinessProbe: 16 | httpGet: 17 | path: '/readyz' 18 | port: 80 19 | initialDelaySeconds: 15 20 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/prod/patches/deploy-demoapp-add-sidecar.yaml: -------------------------------------------------------------------------------- 1 | - name: proxy 2 | image: envoyproxy/envoy-alpine:v1.14.1 3 | command: ['/bin/sh','-c'] 4 | args: ['sleep 5 && envoy -c /etc/envoy/envoy.yaml'] 5 | lifecycle: 6 | postStart: 7 | exec: 8 | command: ['/bin/sh','-c','wget -O /etc/envoy/envoy.yaml http://ilinux.io/envoy.yaml'] 9 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/prod/patches/patch-service-demoapp-targetport-8080.yaml: -------------------------------------------------------------------------------- 1 | - op: replace 2 | path: /spec/ports/0/targetPort 3 | value: 8080 4 | - op: add 5 | path: /spec/ports/1 6 | value: 7 | name: https 8 | protocol: TCP 9 | port: 443 10 | targetPort: 8443 11 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/prod/secrets/tls.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDETCCAfmgAwIBAgIUSMqYopoKeVbSvotHVFN72/6tTXgwDQYJKoZIhvcNAQEL 3 | BQAwGDEWMBQGA1UEAwwNd3d3LmlsaW51eC5pbzAeFw0yMDA3MTYwMzI5NTVaFw0z 4 | MDA3MTQwMzI5NTVaMBgxFjAUBgNVBAMMDXd3dy5pbGludXguaW8wggEiMA0GCSqG 
5 | SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWCKsgk0PptzxCaM9hpaoGK++gmD7iQ8Fx 6 | DJa/KuC7AViQ8MEKTZG7BKIZ/Lte7SCZfAswotNYyvq7YJWmz2gP+bTQ5aLoiApW 7 | mufaf+mJC8cey+j93v/LxE0ClkYi0urW7FFwghqVis7pNbX5iORUemfSpo3+Md4b 8 | MfqorqTY1nrF95N1j9oUiY2j7m6zwGBGy8HXSndwONRgJUgWo+Ob9JS/2sGRsnma 9 | GJw0bJesSoUx9736LEDo0Afkm8GfSFRRU+P0r7HhwlDmKTyzZt/NkjvJv71NX1VT 10 | 8zWwtwY+ZAe9vrdrF7cpCTher9UTenUC/2RN+FvsDaK9UFCgW0+HAgMBAAGjUzBR 11 | MB0GA1UdDgQWBBRbq62aQiEkDKyatbqMTM36hJyVzDAfBgNVHSMEGDAWgBRbq62a 12 | QiEkDKyatbqMTM36hJyVzDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA 13 | A4IBAQDSwf3AQ1Sfr5ju2gHV8k6fh295S5GK5/2wn5qApGmJw6qdD4/dmaIGmJF5 14 | wtpPk5XeEJ/WpsqJQ8Awj/PVhjeffxZGRRLi0W8w2ZrvHtwwYte8L5BntAeodqw6 15 | RvCo55Tf3FSvUpZWGbsy34G7prJKl4GCx0sAgUHqXZ1u9D1BvU/XlLUXb/sOmphp 16 | jOHbqhsj1FPJmsuuwfitp2pWB72KCX7SZmqCtG+gb5aLEZMkG7nRG2ji3Suu2a5f 17 | uxsfJ4fHbadyqf34ytIf0WJGcelWxdLzhH7d3x2wy9SdfgqgvQM8DlCNMrtZTEsl 18 | YGtZ98/Ja28wmGDjhMhobBq6yOw9 19 | -----END CERTIFICATE----- 20 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/prod/secrets/tls.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEowIBAAKCAQEA1girIJND6bc8QmjPYaWqBivvoJg+4kPBcQyWvyrguwFYkPDB 3 | Ck2RuwSiGfy7Xu0gmXwLMKLTWMr6u2CVps9oD/m00OWi6IgKVprn2n/piQvHHsvo 4 | /d7/y8RNApZGItLq1uxRcIIalYrO6TW1+YjkVHpn0qaN/jHeGzH6qK6k2NZ6xfeT 5 | dY/aFImNo+5us8BgRsvB10p3cDjUYCVIFqPjm/SUv9rBkbJ5mhicNGyXrEqFMfe9 6 | +ixA6NAH5JvBn0hUUVPj9K+x4cJQ5ik8s2bfzZI7yb+9TV9VU/M1sLcGPmQHvb63 7 | axe3KQk4Xq/VE3p1Av9kTfhb7A2ivVBQoFtPhwIDAQABAoIBADWM06wBzHMUOkpv 8 | SLuopEKJCZpHnSwlQafUO3827iU7r/oLknDOeZCuFxSjbAnTEF32cCJKCtDjcBoj 9 | jy2+JM4ibr/5RGojZ1rFxQ6hBEAap0YoRHIIMj28LnxgNsoNtV3yoGmi053ord4h 10 | Zxc4zc/pFELbExmvRl/NgGZl067AfXHY3VxVYjJEeIBiPKPvpkOcLKgi7dMkqUg7 11 | xTSPIZF0/elj90g04/ylggh1BnIjzme08rplPLHkrhym0duBlPtu92jcHG5rOvyo 12 | 5meLrR2ypzhwDlBZquPJR8pDUc6RWr01AJqxRqU7S1cIhbEWs6du9b9Q6cop42UK 13 | 
C22uB7ECgYEA+hS6XTywyYqWXdllBAq4lFp7UQTtaKeNszbr7/ZeTVaRARZlprxQ 14 | EbfcQ1eEuw4s3Anz1INPHenskcXWPt1a2WNraHyUGvyDV2kOGhpYhzZGCd2B3eYc 15 | tngMvnHACQeMd+WgWs7rvalCUl8GfSKiVUIEAIABVmCbqRLEGzGmuwkCgYEA2xmG 16 | ynH4fUFDSHIcbLPsbK6fN8C2TM/HvaXb0V5Touh4Nf70OlJMV5dlkcV8YtYxQv62 17 | 4166LbwvgqbmIhhCL8Uc+W83UBmBtk8w6erJa/HeuHyLdKNSfqyfY2DTrBvEaoF0 18 | /8RAUAQsPyA/RpXtBIn4G79/UW+45QcHqnwICg8CgYEAtGU9ZkKAWHHjNAG8z6SY 19 | L1PxvqjqROMQ4WVN3sR+lBVM9lbcruEKdS2G8wDv2ytHitaXEAZEjRSQNTtb5+8v 20 | OL9x3GZ5Q9pBOE2tAYFduPOapEUoCBSVQ77nmn1dhGXwmxCGktrOzPqKv/aSLLRO 21 | G2hKkL3FuTRpNRY3ZlJzrlkCgYAk3x3c8eMkiRgel/2KmZjfDWAEDO1g7dKqasAc 22 | cuhWURLx208UhYcNcpAIQRjWtT8jDCSRDP799V51eUrfT//LdDuVCo9fbntyx87u 23 | frGY9eJKX8NERLv8T2afXcsheqbKWbDr3gYIsTsVAINFiLOTgPh9CvQNK2UNPeqf 24 | WTItJwKBgE/rLWemFF2yDv67RuO4wIH/McUy3YNlN7U5Mr4uu7L0GXIqRrcznoZo 25 | HeuesTUFEbgMPCNqe8HWi9Do//w6LNt3dVzpkXIy0ZAyrcA+N8l0pvXEE57QowLo 26 | idXF3Xs/zmaH+eq84tIyXZBez/LP9WliM6tIafb3aGeMxWRdcNHF 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/staging/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | bases: 5 | - ../base/ 6 | 7 | resources: 8 | - namespace.yaml 9 | 10 | namespace: staging 11 | 12 | commonLabels: 13 | environment: staging 14 | 15 | commonAnnotations: 16 | ilinux.io/app: "demoapp" 17 | 18 | configMapGenerator: 19 | - name: demoapp-conf 20 | literals: 21 | - HOST="0.0.0.0" 22 | - PORT="8080" 23 | 24 | secretGenerator: 25 | - name: demoapp-ssl 26 | files: 27 | - secrets/tls.crt 28 | - secrets/tls.key 29 | type: "kubernetes.io/tls" 30 | 31 | generatorOptions: 32 | disableNameSuffixHash: true 33 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/staging/namespace.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: staging 5 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/staging/secrets/tls.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDETCCAfmgAwIBAgIUSMqYopoKeVbSvotHVFN72/6tTXgwDQYJKoZIhvcNAQEL 3 | BQAwGDEWMBQGA1UEAwwNd3d3LmlsaW51eC5pbzAeFw0yMDA3MTYwMzI5NTVaFw0z 4 | MDA3MTQwMzI5NTVaMBgxFjAUBgNVBAMMDXd3dy5pbGludXguaW8wggEiMA0GCSqG 5 | SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWCKsgk0PptzxCaM9hpaoGK++gmD7iQ8Fx 6 | DJa/KuC7AViQ8MEKTZG7BKIZ/Lte7SCZfAswotNYyvq7YJWmz2gP+bTQ5aLoiApW 7 | mufaf+mJC8cey+j93v/LxE0ClkYi0urW7FFwghqVis7pNbX5iORUemfSpo3+Md4b 8 | MfqorqTY1nrF95N1j9oUiY2j7m6zwGBGy8HXSndwONRgJUgWo+Ob9JS/2sGRsnma 9 | GJw0bJesSoUx9736LEDo0Afkm8GfSFRRU+P0r7HhwlDmKTyzZt/NkjvJv71NX1VT 10 | 8zWwtwY+ZAe9vrdrF7cpCTher9UTenUC/2RN+FvsDaK9UFCgW0+HAgMBAAGjUzBR 11 | MB0GA1UdDgQWBBRbq62aQiEkDKyatbqMTM36hJyVzDAfBgNVHSMEGDAWgBRbq62a 12 | QiEkDKyatbqMTM36hJyVzDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA 13 | A4IBAQDSwf3AQ1Sfr5ju2gHV8k6fh295S5GK5/2wn5qApGmJw6qdD4/dmaIGmJF5 14 | wtpPk5XeEJ/WpsqJQ8Awj/PVhjeffxZGRRLi0W8w2ZrvHtwwYte8L5BntAeodqw6 15 | RvCo55Tf3FSvUpZWGbsy34G7prJKl4GCx0sAgUHqXZ1u9D1BvU/XlLUXb/sOmphp 16 | jOHbqhsj1FPJmsuuwfitp2pWB72KCX7SZmqCtG+gb5aLEZMkG7nRG2ji3Suu2a5f 17 | uxsfJ4fHbadyqf34ytIf0WJGcelWxdLzhH7d3x2wy9SdfgqgvQM8DlCNMrtZTEsl 18 | YGtZ98/Ja28wmGDjhMhobBq6yOw9 19 | -----END CERTIFICATE----- 20 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/staging/secrets/tls.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEowIBAAKCAQEA1girIJND6bc8QmjPYaWqBivvoJg+4kPBcQyWvyrguwFYkPDB 3 | Ck2RuwSiGfy7Xu0gmXwLMKLTWMr6u2CVps9oD/m00OWi6IgKVprn2n/piQvHHsvo 4 | 
/d7/y8RNApZGItLq1uxRcIIalYrO6TW1+YjkVHpn0qaN/jHeGzH6qK6k2NZ6xfeT 5 | dY/aFImNo+5us8BgRsvB10p3cDjUYCVIFqPjm/SUv9rBkbJ5mhicNGyXrEqFMfe9 6 | +ixA6NAH5JvBn0hUUVPj9K+x4cJQ5ik8s2bfzZI7yb+9TV9VU/M1sLcGPmQHvb63 7 | axe3KQk4Xq/VE3p1Av9kTfhb7A2ivVBQoFtPhwIDAQABAoIBADWM06wBzHMUOkpv 8 | SLuopEKJCZpHnSwlQafUO3827iU7r/oLknDOeZCuFxSjbAnTEF32cCJKCtDjcBoj 9 | jy2+JM4ibr/5RGojZ1rFxQ6hBEAap0YoRHIIMj28LnxgNsoNtV3yoGmi053ord4h 10 | Zxc4zc/pFELbExmvRl/NgGZl067AfXHY3VxVYjJEeIBiPKPvpkOcLKgi7dMkqUg7 11 | xTSPIZF0/elj90g04/ylggh1BnIjzme08rplPLHkrhym0duBlPtu92jcHG5rOvyo 12 | 5meLrR2ypzhwDlBZquPJR8pDUc6RWr01AJqxRqU7S1cIhbEWs6du9b9Q6cop42UK 13 | C22uB7ECgYEA+hS6XTywyYqWXdllBAq4lFp7UQTtaKeNszbr7/ZeTVaRARZlprxQ 14 | EbfcQ1eEuw4s3Anz1INPHenskcXWPt1a2WNraHyUGvyDV2kOGhpYhzZGCd2B3eYc 15 | tngMvnHACQeMd+WgWs7rvalCUl8GfSKiVUIEAIABVmCbqRLEGzGmuwkCgYEA2xmG 16 | ynH4fUFDSHIcbLPsbK6fN8C2TM/HvaXb0V5Touh4Nf70OlJMV5dlkcV8YtYxQv62 17 | 4166LbwvgqbmIhhCL8Uc+W83UBmBtk8w6erJa/HeuHyLdKNSfqyfY2DTrBvEaoF0 18 | /8RAUAQsPyA/RpXtBIn4G79/UW+45QcHqnwICg8CgYEAtGU9ZkKAWHHjNAG8z6SY 19 | L1PxvqjqROMQ4WVN3sR+lBVM9lbcruEKdS2G8wDv2ytHitaXEAZEjRSQNTtb5+8v 20 | OL9x3GZ5Q9pBOE2tAYFduPOapEUoCBSVQ77nmn1dhGXwmxCGktrOzPqKv/aSLLRO 21 | G2hKkL3FuTRpNRY3ZlJzrlkCgYAk3x3c8eMkiRgel/2KmZjfDWAEDO1g7dKqasAc 22 | cuhWURLx208UhYcNcpAIQRjWtT8jDCSRDP799V51eUrfT//LdDuVCo9fbntyx87u 23 | frGY9eJKX8NERLv8T2afXcsheqbKWbDr3gYIsTsVAINFiLOTgPh9CvQNK2UNPeqf 24 | WTItJwKBgE/rLWemFF2yDv67RuO4wIH/McUy3YNlN7U5Mr4uu7L0GXIqRrcznoZo 25 | HeuesTUFEbgMPCNqe8HWi9Do//w6LNt3dVzpkXIy0ZAyrcA+N8l0pvXEE57QowLo 26 | idXF3Xs/zmaH+eq84tIyXZBez/LP9WliM6tIafb3aGeMxWRdcNHF 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/test/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | bases: 5 | - ../base/ 6 | 7 | resources: 8 | - namespace.yaml 9 | 10 | 
namespace: test

commonLabels:
  environment: test

commonAnnotations:
  ilinux.io/app: "demoapp"

# Image override for the test overlay. "v1.1" is a mutable tag that the
# registry owner can re-push; pin the image by digest once the build you
# validated is known, so the overlay keeps deploying exactly that image.
images:
- name: "ikubernetes/demoapp"
  newTag: "v1.1"
-------------------------------------------------------------------------------- /chapter14/kustomize/demoapp/test/namespace.yaml: --------------------------------------------------------------------------------
# Namespace created by the test overlay (referenced from kustomization.yaml).
apiVersion: v1
kind: Namespace
metadata:
  name: test
-------------------------------------------------------------------------------- /chapter14/kustomize/kustomize-demo/deploy-demoapp.yaml: --------------------------------------------------------------------------------
# VERSION: demoapp version
# Maintainer: MageEdu
#
# Minimal demo Deployment: one replica, no resource requests/limits and no
# securityContext. Fine for a kustomize walk-through; production manifests
# should set both (see the prod overlay patches in this chapter).
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demoapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demoapp
  template:
    metadata:
      labels:
        app: demoapp
    spec:
      containers:
      - name: demoapp
        image: ikubernetes/demoapp:v1.0
        ports:
        - containerPort: 80
          name: http
-------------------------------------------------------------------------------- /chapter14/kustomize/kustomize-demo/kustomization.yaml: --------------------------------------------------------------------------------
# Stand-alone kustomization: builds the two plain manifests in this directory
# and stamps every object with a "generated-by" label.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- deploy-demoapp.yaml
- service-demoapp.yaml

commonLabels:
  generated-by: kustomize
-------------------------------------------------------------------------------- /chapter14/kustomize/kustomize-demo/service-demoapp.yaml: --------------------------------------------------------------------------------
# ClusterIP Service (the default type) in front of the demoapp pods; only
# reachable from inside the cluster.
kind: Service
apiVersion: v1
metadata:
  name: demoapp
spec:
  selector:
    app: demoapp
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 80
-------------------------------------------------------------------------------- /chapter15/coredns-configmap.yaml: --------------------------------------------------------------------------------
# Create By: MageEdu
#
# Corefile for the cluster DNS (kube-system/coredns). Configuration is the
# kubeadm default plus a static `hosts` block for the node names.
# Review notes:
#  - `hosts` resolves the four node names from this static table and falls
#    through to the remaining plugins for everything else; it has to be kept
#    in sync with the real node IPs by hand.
#  - `pods insecure` synthesises A records for any pod IP in a namespace
#    without checking that such a pod exists (kubeadm default). `pods verified`
#    is the stricter alternative when spoof-resistant pod records matter.
#  - `forward . /etc/resolv.conf` hands every non-cluster name to the node's
#    upstream resolvers over plain DNS, so those upstreams are part of the
#    cluster's trust boundary.
#  - `prometheus :9153` serves metrics without authentication on each pod.
apiVersion: v1
data:
  Corefile: |
    .:53 {
        hosts {
            172.29.9.1 k8s-master01.ilinux.io
            172.29.9.11 k8s-node01.ilinux.io
            172.29.9.12 k8s-node02.ilinux.io
            172.29.9.13 k8s-node03.ilinux.io
            fallthrough
        }
        errors
        health {
            lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            pods insecure
            fallthrough in-addr.arpa ip6.arpa
            ttl 30
        }
        prometheus :9153
        forward . /etc/resolv.conf
        cache 30
        loop
        reload
        loadbalance
    }
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
-------------------------------------------------------------------------------- /chapter15/hpa/demoapp.yaml: --------------------------------------------------------------------------------
# Maintainer: MageEdu
#
# Scale target for the HPA examples. requests == limits gives the pods the
# Guaranteed QoS class and a fixed CPU budget (50m), which is what makes the
# CPU-utilisation HPA easy to trigger under load.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demoapp
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demoapp
      controller: demoapp
  template:
    metadata:
      labels:
        app: demoapp
        controller: demoapp
    spec:
      containers:
      - name: demoapp
        image: ikubernetes/demoapp:v1.0
        ports:
        - containerPort: 80
          name: http
        resources:
          requests:
            memory: "256Mi"
            cpu: "50m"
          limits:
            memory: "256Mi"
            cpu: "50m"
---
# Cluster-internal Service for the demo pods.
apiVersion: v1
kind: Service
metadata:
  name: demoapp
spec:
  selector:
    app: demoapp
    controller: demoapp
  ports:
  - name: http
    port: 80
    targetPort: 80
-------------------------------------------------------------------------------- /chapter15/hpa/hpa-v2-resources.yaml:
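--------------------------------------------------------------------------------
# HPA on two resource metrics: CPU as a percentage of the pods' request and
# memory as an absolute per-pod average. autoscaling/v2beta2 is what the
# Kubernetes release this book targets serves; it was removed in Kubernetes
# 1.26 in favour of autoscaling/v2 (same schema, only the apiVersion changes).
apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
metadata:
  name: demoapp
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: demoapp
  minReplicas: 2
  maxReplicas: 5
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 60
  - type: Resource
    resource:
      name: memory
      target:
        type: AverageValue
        averageValue: 30Mi
  behavior:
    scaleDown:
      # Wait two minutes of consistently lower demand before scaling in,
      # so a short dip in load does not flap the replica count.
      stabilizationWindowSeconds: 120
-------------------------------------------------------------------------------- /chapter15/hpa/metrics-app-hpa.yaml: --------------------------------------------------------------------------------
# HPA on a custom per-pod metric served through the prometheus-adapter
# (http_requests_per_second is derived from http_requests_total by the
# adapter rule in prometheus-adapter-values-with-custom-rules.yaml).
kind: HorizontalPodAutoscaler
apiVersion: autoscaling/v2beta2
metadata:
  name: metrics-app-hpa
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: metrics-app
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: Pods
    pods:
      metric:
        name: http_requests_per_second
      target:
        type: AverageValue
        averageValue: 5
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 120
-------------------------------------------------------------------------------- /chapter15/hpa/metrics-app.yaml: --------------------------------------------------------------------------------
# Sample workload that exposes Prometheus metrics on /metrics (scrape
# annotations below). The image has no tag, i.e. an implicit ":latest";
# pin a tag or digest so the HPA demo does not change underneath you.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: metrics-app
      controller: metrics-app
  template:
    metadata:
      labels:
        app: metrics-app
        controller: metrics-app
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "80"
        prometheus.io/path: "/metrics"
    spec:
      containers:
      - image: ikubernetes/metrics-app
        name: metrics-app
        ports:
        - name: web
          containerPort: 80
        resources:
          requests:
            memory: "256Mi"
            cpu: "500m"
          limits:
            memory: "256Mi"
            cpu: "500m"
---
# NodePort publishes the app on every node's IP at an allocated high port,
# reachable from outside the cluster without any authentication. Convenient
# for generating load from a workstation; use ClusterIP/Ingress otherwise.
apiVersion: v1
kind: Service
metadata:
  name: metrics-app
spec:
  type: NodePort
  ports:
  - name: web
    port: 80
    targetPort: 80
  selector:
    app: metrics-app
    controller: metrics-app
-------------------------------------------------------------------------------- /chapter15/ingress-kubernetes-dashboard.yaml: --------------------------------------------------------------------------------
# Exposes kubernetes-dashboard under https://ui.ilinux.io/dashboard/ via
# ingress-nginx. The controller terminates the client connection, strips the
# /dashboard prefix (rewrite-target) and re-encrypts to the dashboard's HTTPS
# port (backend-protocol: HTTPS).
#
# Changed: the `ingress.kubernetes.io/ssl-passthrough: "true"` annotation was
# dropped. SSL passthrough hands the raw TLS stream to the backend at L4, so
# path matching and rewrite-target cannot apply to it; it directly contradicts
# the two L7 annotations this Ingress relies on, and under the
# `nginx.ingress.kubernetes.io/` prefix used by current ingress-nginx it was
# not being honoured anyway.
#
# Caveats for anything beyond a lab:
#  - There is no spec.tls, so the client-to-ingress hop is plain HTTP and the
#    dashboard bearer token is submitted in the clear. Add a TLS secret.
#  - ingress-nginx does not, by default, verify the dashboard's (self-signed)
#    serving certificate on the re-encrypted hop.
#  - extensions/v1beta1 Ingress was removed in Kubernetes 1.22; use
#    networking.k8s.io/v1 on newer clusters.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: dashboard
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  namespace: kubernetes-dashboard
spec:
  rules:
  - host: ui.ilinux.io
    http:
      paths:
      - path: /dashboard(/|$)(.*)
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 443
-------------------------------------------------------------------------------- /chapter15/prometheus/grafana-values-without-persistence-dashboard.yaml: --------------------------------------------------------------------------------
## Maintainer: MageEdu
## URL: http://www.magedu.com
#
# Grafana chart values, persistence disabled (dashboards and users are lost
# on pod restart). Same exposure caveats as grafana-values.yaml:
#  - `ingress.tls` is empty, so the Grafana login runs over plain HTTP.
#  - `adminPassword` is a plaintext credential committed to source control.
service:
  type: ClusterIP
  port: 80
  targetPort: 3000
  annotations:
    prometheus.io/scrape: "true"
  labels: {}
  portName: service

podAnnotations:
  prometheus.io/scrape: "true"
  prometheus.io/port: "3000"

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
  path: /
  hosts:
    - grafana.ilinux.io
    - promui.ilinux.io
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

persistence:
  type: pvc
  enabled: false
  storageClassName: "longhorn"
  accessModes:
    - ReadWriteOnce
  size: 10Gi
  finalizers:
    - kubernetes.io/pvc-protection

# SECURITY: a hard-coded admin password in a values file ends up in git, in
# `helm get values` output and in the rendered Secret. Treat this value as
# compromised once committed; for real deployments rotate it and supply the
# credential from a Kubernetes Secret created out of band (the chart can
# reference an existing secret) instead of a literal here.
adminUser: admin
adminPassword: MageEdu.com

plugins: []
  # - digrich-bubblechart-panel
  # - grafana-clock-panel
-------------------------------------------------------------------------------- /chapter15/prometheus/grafana-values.yaml: --------------------------------------------------------------------------------
## Maintainer: MageEdu
## URL: http://www.magedu.com
## Chart: stable/grafana
#
# Grafana chart values with a Longhorn-backed PVC, a pre-provisioned
# Prometheus datasource and three grafana.com dashboards.
# Exposure caveats:
#  - `ingress.tls` is empty, so the Grafana login runs over plain HTTP.
#  - `adminPassword` is a plaintext credential committed to source control.
#  - The datasource URL is plain HTTP inside the cluster; Prometheus itself is
#    unauthenticated, so anything that can reach that Service can query it.
service:
  type: ClusterIP
  port: 80
  targetPort: 3000
  annotations:
    prometheus.io/scrape: "true"
  labels: {}
  portName: service

podAnnotations:
  prometheus.io/scrape: "true"
  prometheus.io/port: "3000"

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
  path: /
  hosts:
    - grafana.ilinux.io
    - promui.ilinux.io
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

persistence:
  type: pvc
  enabled: true
  storageClassName: "longhorn"
  accessModes:
    - ReadWriteOnce
  size: 10Gi
  finalizers:
    - kubernetes.io/pvc-protection

# SECURITY: plaintext admin credential committed to source; see the note in
# grafana-values-without-persistence-dashboard.yaml. Rotate it and move it
# to a Kubernetes Secret for any non-lab use.
adminUser: admin
adminPassword: MageEdu.com

plugins: []
  # - digrich-bubblechart-panel
  # - grafana-clock-panel

datasources:
  datasources.yaml:
    apiVersion: 1
    datasources:
    - name: Prometheus
      type: prometheus
      url: http://prom-prometheus-server.monitoring.svc.cluster.local
      access: proxy
      isDefault: true

dashboardProviders:
  dashboardproviders.yaml:
    apiVersion: 1
    providers:
    - name: 'default'
      orgId: 1
      folder: ''
      type: file
      disableDeletion: false
      editable: true
      options:
        path: /var/lib/grafana/dashboards/default

# Dashboards are downloaded from grafana.com by gnetId/revision at install
# time; pinning the revision (done here) keeps the import reproducible.
dashboards:
  default:
    Kubernetes-cluster-monitoring:
      gnetId: 315
      revision: 3
      datasource: Prometheus
    Kubernetes-Nodes:
      gnetId: 5219
      revision: 8
      datasource: Prometheus
    Kubernetes-Cluster:
      gnetId: 7249
      revision: 1
      datasource: Prometheus

-------------------------------------------------------------------------------- /chapter15/prometheus/prometheus-adapter-values-with-custom-rules.yaml: --------------------------------------------------------------------------------
## stable/prometheus-adapter
#
# prometheus-adapter values with one custom rule that turns the
# http_requests_total counter into an http_requests_per_second gauge for the
# custom.metrics.k8s.io API (consumed by metrics-app-hpa.yaml).
prometheus:
  url: http://prom-prometheus-server.monitoring.svc.cluster.local
  port: 80
  path: ""

replicas: 1

metricsRelistInterval: 1m

listenPort: 6443

service:
  annotations: {}
  port: 443
  type: ClusterIP

rules:
  default: true # whether to also load the chart's default rules
  custom:
  # - seriesQuery: '{__name__=~"^http_requests_.*",kubernetes_namespace!="",kubernetes_pod_name!=""}'
  #   resources:
  #     overrides:
  #       kubernetes_namespace: {resource: "namespace"}
  #       kubernetes_pod_name: {resource: "pod"}
  #   metricsQuery: '<<.Series>>{<<.LabelMatchers>>}'
  - seriesQuery: 'http_requests_total{kubernetes_namespace!="",kubernetes_pod_name!=""}'
    resources:
      overrides:
        kubernetes_namespace: {resource: "namespace"}
        kubernetes_pod_name: {resource: "pod"}
    name:
      matches: "^(.*)_total"
      as: "${1}_per_second"
    metricsQuery: 'rate(<<.Series>>{<<.LabelMatchers>>}[2m])'
  existing:
  external: []

# With tls.enable false the adapter does not use an operator-provided serving
# certificate, so the kube-apiserver cannot verify the aggregated API with a
# CA you control (the APIService registration then has to skip TLS
# verification). Acceptable for a lab; provide ca/key/certificate for a
# cluster where autoscaling decisions must not be spoofable.
tls:
  enable: false
  ca: |-
    # Public CA file that signed the APIService
  key: |-
    # Private key of the APIService
  certificate: |-
    # Public key of the APIService
-------------------------------------------------------------------------------- /chapter15/prometheus/prometheus-adapter-values-with-custom-rules.yaml.bak: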
--------------------------------------------------------------------------------
# Earlier iteration of prometheus-adapter-values-with-custom-rules.yaml, kept
# as a .bak. It exposes the raw counter and a pre-computed per-second series
# directly and leaves the rate() rule commented out.
prometheus:
  url: http://prom-prometheus-server.monitoring.svc.cluster.local
  port: 80
  path: ""

replicas: 1

metricsRelistInterval: 1m

listenPort: 6443

service:
  annotations: {}
  port: 443
  type: ClusterIP

rules:
  default: true # whether to also load the chart's default rules
  custom:
  - seriesQuery: 'http_requests_total{kubernetes_namespace!="",kubernetes_pod_name!=""}'
    resources:
      overrides:
        kubernetes_namespace: {resource: "namespace"}
        kubernetes_pod_name: {resource: "pod"}
    metricsQuery: '<<.Series>>{<<.LabelMatchers>>}'
  - seriesQuery: 'http_requests_per_second{kubernetes_namespace!="",kubernetes_pod_name!=""}'
    resources:
      overrides:
        kubernetes_namespace: {resource: "namespace"}
        kubernetes_pod_name: {resource: "pod"}
    metricsQuery: '<<.Series>>{<<.LabelMatchers>>}'
  # - seriesQuery: 'http_requests_total{kubernetes_namespace!="",kubernetes_pod_name!=""}'
  #   resources:
  #     overrides:
  #       kubernetes_namespace: {resource: "namespace"}
  #       kubernetes_pod_name: {resource: "pod"}
  #   name:
  #     matches: "^(.*)_total"
  #     as: "${1}_per_second"
  #   metricsQuery: 'rate(<<.Series>>{<<.LabelMatchers>>}[1m])'
  existing:
  external: []

tls:
  enable: false
  ca: |-
    # Public CA file that signed the APIService
  key: |-
    # Private key of the APIService
  certificate: |-
    # Public key of the APIService
-------------------------------------------------------------------------------- /chapter15/prometheus/prometheus-adapter-values.yaml: --------------------------------------------------------------------------------
## helm install adapter -f prometheus-adapter-values.yaml stable/prometheus-adapter -n monitoring
## stable/prometheus-adapter
#
# Baseline adapter values: default rules only, Prometheus reached over plain
# HTTP inside the cluster. tls.enable false means no operator-provided
# serving cert for the aggregated API (fine for a lab; see the note in
# prometheus-adapter-values-with-custom-rules.yaml).
prometheus:
  url: http://prom-prometheus-server.monitoring.svc.cluster.local
  port: 80
  path: ""

replicas: 1

metricsRelistInterval: 1m

listenPort: 6443

service:
  annotations: {}
  port: 443
  type: ClusterIP

tls:
  enable: false
  ca: |-
    # Public CA file that signed the APIService
  key: |-
    # Private key of the APIService
  certificate: |-
    # Public key of the APIService
-------------------------------------------------------------------------------- /chapter16/cluster-log/bitnami-kibana-values.yaml: --------------------------------------------------------------------------------
# bitnami/kibana values for the cluster-logging example.
# Review notes (values unchanged):
#  - `plugins` fetches a third-party plugin zip from a GitHub release at pod
#    start. The version is pinned but there is no checksum, so the supply
#    chain is "whatever that URL serves"; vendor the plugin into your own
#    image or mirror it where you control integrity for anything durable.
#  - `ingress.hosts[].tls: false`: the Kibana UI (and any login) is served
#    over plain HTTP through the ingress.
#  - `elasticsearch.hosts`/`port` point at Elasticsearch on 9200; these values
#    configure neither TLS nor credentials for that hop.
replicaCount: 1

updateStrategy:
  type: RollingUpdate

plugins:
  - https://github.com/pjhampton/kibana-prometheus-exporter/releases/download/7.8.1/kibana-prometheus-exporter-7.8.1.zip

persistence:
  enabled: true
  storageClass: "longhorn"
  # existingClaim: your-claim
  accessMode: ReadWriteOnce
  size: 10Gi

service:
  port: 5601
  type: ClusterIP
  # nodePort:
  externalTrafficPolicy: Cluster
  annotations: {}
  # loadBalancerIP:
  # extraPorts:

ingress:
  enabled: true
  certManager: false
  annotations:
    kubernetes.io/ingress.class: nginx

  hosts:
    - name: kibana.ilinux.io
      path: /
      tls: false
      # tlsHosts:
      # - www.kibana.local
      # - kibana.local
      # tlsSecret: kibana.local-tls

configuration:
  server:
    basePath: ""
    rewriteBasePath: false

metrics:
  enabled: true
  service:
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "80"
      prometheus.io/path: "_prometheus/metrics"

  serviceMonitor:
    enabled: false
    # namespace: monitoring
    # interval: 10s
    # scrapeTimeout: 10s
    # selector:
    #   prometheus: my-prometheus

elasticsearch:
  hosts:
    - es-elasticsearch-coordinating-only.logging.svc.cluster.local.
    # - elasticsearch-2
  port: 9200
-------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit-0.6.2.tgz: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/iKubernetes/Kubernetes_Advanced_Practical_2rd/79d08c7b444a70ff0c313e0af6124aadb9e47d89/chapter16/cluster-log/fluent-bit-0.6.2.tgz
-------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/.helmignore: --------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
-------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/Chart.yaml: --------------------------------------------------------------------------------
# Vendored upstream chart metadata (fluent-bit 0.6.2, app 1.5.2).
apiVersion: v1
appVersion: 1.5.2
description: Fast and lightweight log processor and forwarder or Linux, OSX and BSD
  family operating systems.
5 | home: https://fluentbit.io/ 6 | icon: https://fluentbit.io/assets/img/logo1-default.png 7 | keywords: 8 | - logging 9 | - fluent-bit 10 | - fluentd 11 | maintainers: 12 | - email: eduardo@treasure-data.com 13 | name: edsiper 14 | - email: naseem@transit.app 15 | name: naseemkullah 16 | - email: towmeykaw@gmail.com 17 | name: Towmeykaw 18 | name: fluent-bit 19 | sources: 20 | - https://github.com/fluent/fluent-bit/ 21 | version: 0.6.2 22 | -------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/OWNERS: -------------------------------------------------------------------------------- 1 | approvers: 2 | - edsiper 3 | - naseemkullah 4 | - Towmeykaw 5 | reviewers: 6 | - edsiper 7 | - naseemkullah 8 | - Towmeykaw 9 | -------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Get Fluent Bit build information by running these commands: 2 | 3 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "fluent-bit.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 4 | echo "curl http://127.0.0.1:2020 for Fluent Bit build information" 5 | kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 2020:2020 6 | -------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "fluent-bit.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 
11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 13 | */}} 14 | {{- define "fluent-bit.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "fluent-bit.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "fluent-bit.labels" -}} 38 | helm.sh/chart: {{ include "fluent-bit.chart" . }} 39 | {{ include "fluent-bit.selectorLabels" . }} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end -}} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "fluent-bit.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "fluent-bit.name" . }} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end -}} 53 | 54 | {{/* 55 | Create the name of the service account to use 56 | */}} 57 | {{- define "fluent-bit.serviceAccountName" -}} 58 | {{- if .Values.serviceAccount.create -}} 59 | {{ default (include "fluent-bit.fullname" .) 
.Values.serviceAccount.name }} 60 | {{- else -}} 61 | {{ default "default" .Values.serviceAccount.name }} 62 | {{- end -}} 63 | {{- end -}} 64 | -------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/templates/clusterrole.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: {{ include "fluent-bit.fullname" . }} 6 | labels: 7 | {{- include "fluent-bit.labels" . | nindent 4 }} 8 | rules: 9 | - apiGroups: 10 | - "" 11 | resources: 12 | - pods 13 | - namespaces 14 | verbs: 15 | - get 16 | - list 17 | - watch 18 | {{- if .Values.podSecurityPolicy.create }} 19 | - apiGroups: 20 | - policy 21 | resources: 22 | - podsecuritypolicies 23 | resourceNames: 24 | - {{ include "fluent-bit.fullname" . }} 25 | verbs: 26 | - use 27 | {{- end }} 28 | {{- end -}} 29 | -------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/templates/clusterrolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRoleBinding 4 | metadata: 5 | name: {{ include "fluent-bit.fullname" . }} 6 | labels: 7 | {{- include "fluent-bit.labels" . | nindent 4 }} 8 | roleRef: 9 | apiGroup: rbac.authorization.k8s.io 10 | kind: ClusterRole 11 | name: {{ include "fluent-bit.fullname" . }} 12 | subjects: 13 | - kind: ServiceAccount 14 | name: {{ include "fluent-bit.serviceAccountName" . 
}} 15 | namespace: {{ .Release.Namespace }} 16 | {{- end -}} 17 | -------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ include "fluent-bit.fullname" . }} 5 | labels: 6 | {{- include "fluent-bit.labels" . | nindent 4 }} 7 | data: 8 | custom_parsers.conf: | 9 | {{- .Values.config.customParsers | nindent 4 }} 10 | fluent-bit.conf: | 11 | {{- .Values.config.service | nindent 4 }} 12 | {{- .Values.config.inputs | nindent 4 }} 13 | {{- .Values.config.filters | nindent 4 }} 14 | {{- .Values.config.outputs | nindent 4 }} 15 | -------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/templates/daemonset.yaml: -------------------------------------------------------------------------------- 1 | {{- if eq .Values.kind "DaemonSet" }} 2 | apiVersion: apps/v1 3 | kind: DaemonSet 4 | metadata: 5 | name: {{ include "fluent-bit.fullname" . }} 6 | labels: 7 | {{- include "fluent-bit.labels" . | nindent 4 }} 8 | spec: 9 | selector: 10 | matchLabels: 11 | {{- include "fluent-bit.selectorLabels" . | nindent 6 }} 12 | template: 13 | metadata: 14 | annotations: 15 | checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} 16 | {{- with .Values.podAnnotations }} 17 | {{- toYaml . | nindent 8 }} 18 | {{- end }} 19 | labels: 20 | {{- include "fluent-bit.selectorLabels" . | nindent 8 }} 21 | spec: 22 | {{- include "fluent-bit.pod" . 
| nindent 6 }}
{{- end }}
-------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/templates/deployment.yaml: --------------------------------------------------------------------------------
{{- if eq .Values.kind "Deployment" }}
# Rendered only when .Values.kind is "Deployment" (the DaemonSet variant lives
# in daemonset.yaml). The checksum/config annotation forces a rollout whenever
# the rendered ConfigMap changes.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "fluent-bit.fullname" . }}
  labels:
    {{- include "fluent-bit.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "fluent-bit.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      annotations:
        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
        {{- with .Values.podAnnotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      labels:
        {{- include "fluent-bit.selectorLabels" . | nindent 8 }}
    spec:
      {{- include "fluent-bit.pod" . | nindent 6 }}
{{- end }}
-------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/templates/psp.yaml: --------------------------------------------------------------------------------
{{- if .Values.podSecurityPolicy.create }}
# PodSecurityPolicy for the fluent-bit pods (bound via the ClusterRole's
# "use" rule). policy/v1beta1 PSP was removed in Kubernetes 1.25; on newer
# clusters this template renders nothing useful and the same intent has to be
# expressed with Pod Security Admission or a policy engine.
#
# Points worth tightening outside a lab - left unchanged here because the
# pod template ("fluent-bit.pod") is defined outside this file and may rely
# on them:
#  - `volumes: '*'` admits every volume type, hostPath included. A log shipper
#    normally needs only the types its DaemonSet actually mounts (hostPath for
#    the container logs plus configMap) - confirm against the pod template.
#  - `runAsUser: RunAsAny` permits root (see the upstream TODO). Host log files
#    are commonly root-readable only, which is why it usually stays.
#  - `readOnlyRootFilesystem: false` could be flipped to true if the image
#    writes only to mounted volumes.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: {{ include "fluent-bit.fullname" . }}
spec:
  privileged: false
  # Required to prevent escalations to root.
  allowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  requiredDropCapabilities:
    - ALL
  volumes:
    - '*'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    # TODO: Require the container to run without root privileges.
    rule: 'RunAsAny'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
{{- end }}
-------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/templates/service.yaml: --------------------------------------------------------------------------------
# Service in front of fluent-bit's HTTP port (build info / metrics endpoint),
# plus any extra ports declared in .Values.extraPorts.
apiVersion: v1
kind: Service
metadata:
  name: {{ include "fluent-bit.fullname" . }}
  labels:
    {{- include "fluent-bit.labels" . | nindent 4 }}
    {{- with .Values.service.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.service.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: http
      protocol: TCP
      name: http
    {{- if .Values.extraPorts }}
    {{- range .Values.extraPorts }}
    - name: {{ .name }}
      targetPort: {{ .name }}
      protocol: {{ .protocol }}
      port: {{ .port }}
    {{- end }}
    {{- end }}
  selector:
    {{- include "fluent-bit.selectorLabels" . | nindent 4 }}
-------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/templates/serviceaccount.yaml: --------------------------------------------------------------------------------
{{- if .Values.serviceAccount.create -}}
# Dedicated ServiceAccount for the pods, bound to the ClusterRole in
# clusterrolebinding.yaml; only created when serviceAccount.create is set.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "fluent-bit.serviceAccountName" . }}
  labels:
    {{- include "fluent-bit.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml .
| nindent 4 }} 11 | {{- end }} 12 | {{- end -}} 13 | -------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/templates/servicemonitor.yaml: -------------------------------------------------------------------------------- 1 | {{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled }} 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: {{ template "fluent-bit.fullname" . }} 6 | {{- with .Values.serviceMonitor.namespace }} 7 | namespace: {{ . }} 8 | {{- end }} 9 | labels: 10 | {{- include "fluent-bit.labels" . | nindent 4 }} 11 | {{- with .Values.serviceMonitor.selector }} 12 | {{- toYaml . | nindent 4 }} 13 | {{- end }} 14 | spec: 15 | endpoints: 16 | - port: http 17 | path: /api/v1/metrics/prometheus 18 | {{- with .Values.serviceMonitor.interval }} 19 | interval: {{ . }} 20 | {{- end }} 21 | {{- with .Values.serviceMonitor.scrapeTimeout }} 22 | scrapeTimeout: {{ . }} 23 | {{- end }} 24 | namespaceSelector: 25 | matchNames: 26 | - {{ .Release.Namespace }} 27 | selector: 28 | matchLabels: 29 | {{- include "fluent-bit.selectorLabels" . | nindent 6 }} 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /chapter16/cluster-log/fluent-bit/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "fluent-bit.fullname" . }}-test-connection" 5 | labels: 6 | {{- include "fluent-bit.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test-success 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "fluent-bit.fullname" . 
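}}:{{ .Values.service.port }}']
  restartPolicy: Never
-------------------------------------------------------------------------------- /chapter16/elastic/elasticsearch-values.yaml: --------------------------------------------------------------------------------
# elastic/elasticsearch values: a single 3-node group holding every role.
# Exposure notes (values unchanged):
#  - `protocol: http` and nothing here enabling authentication means the
#    cluster API on 9200 is plaintext and, as far as these values show,
#    unauthenticated. It is reachable only through a ClusterIP Service
#    (ingress disabled), so the blast radius is "anything in the cluster".
#  - `networkHost: 0.0.0.0` binds every pod interface; inside a pod that is
#    the normal setting, not an external exposure by itself.
clusterName: "elasticsearch"
nodeGroup: "master"

roles:
  master: "true"
  ingest: "true"
  data: "true"

replicas: 3
minimumMasterNodes: 2

esJavaOpts: "-Xmx1g -Xms1g"

resources:
  requests:
    cpu: "1000m"
    memory: "2Gi"
  limits:
    cpu: "1000m"
    memory: "2Gi"

networkHost: "0.0.0.0"

volumeClaimTemplate:
  accessModes: [ "ReadWriteOnce" ]
  resources:
    requests:
      storage: 5Gi

persistence:
  enabled: true
  labels:
    enabled: false
  annotations: {}

protocol: http
httpPort: 9200
transportPort: 9300


service:
  type: ClusterIP
  nodePort: ""
  httpPortName: http
  transportPortName: transport
  loadBalancerIP: ""

ingress:
  enabled: false
  annotations:
    kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  path: /
  hosts:
    - log.ilinux.io
  tls: []
  #  - secretName: log-tls
  #    hosts:
  #      - log.ilinux.io
-------------------------------------------------------------------------------- /chapter2/krew-install.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Installs the krew kubectl plugin manager into a throw-away temp directory.
#
# Changed: added -e/-u/pipefail. The original ran each step unconditionally,
# so a failed download (curl -f exits non-zero without writing a file) fell
# through to tar and then to executing whatever "$KREW" expanded to.
#
# Supply-chain caveat: the archive and the manifest are both fetched from the
# same "releases/latest" endpoint over TLS, so the only integrity check is
# whatever that endpoint serves - there is no independently obtained checksum
# and "latest" is a moving target. For anything beyond a lab, pin a release
# and verify its checksum from a second channel before running it.
set -euxo pipefail; cd "$(mktemp -d)"

curl -fsSLO "https://github.com/kubernetes-sigs/krew/releases/latest/download/krew.{tar.gz,yaml}"
tar zxvf krew.tar.gz
# Architecture is hard-coded to amd64; only the OS name is detected.
KREW=./krew-"$(uname | tr '[:upper:]' '[:lower:]')_amd64"

"$KREW" install --manifest=krew.yaml --archive=krew.tar.gz
"$KREW" update
-------------------------------------------------------------------------------- /chapter2/kubeadm-config: --------------------------------------------------------------------------------
# kubeadm ClusterConfiguration for the book's lab control plane.
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
networking:                                    # cluster networking
  serviceSubnet: "10.96.0.0/12"                # Service ClusterIP range
  # Pod range. Changed from 10.244.0.0/24: with node-cidr-mask-size "24"
  # (below) that range contains exactly one per-node /24, so only the first
  # node would ever be assigned a podCIDR and every other node would stay
  # without pod networking. /16 yields 256 node blocks and matches the
  # 10.244.<n>.0/24 per-node CIDRs used in this book (see node-demo.yaml).
  podSubnet: "10.244.0.0/16"
  dnsDomain: "cluster.local"                   # cluster DNS suffix
kubernetesVersion: "v1.18.6"                   # Kubernetes release to install
controlPlaneEndpoint: "k8s-api.ilinux.io:6443" # stable control-plane endpoint
apiServer:                                     # kube-apiserver settings
  extraArgs:                                   # extra command-line flags
    authorization-mode: "Node,RBAC"            # authorizers, in order
    # Changed from /etc/kubernetes/pki/ca.key. This flag takes the CA
    # *certificate* kube-apiserver uses to verify the kubelets' serving certs;
    # a private key is not a trust anchor (kube-apiserver would fail to parse
    # it as a certificate) and should never be referenced here. Caveat: once
    # set, kube-apiserver rejects kubelets whose serving cert is not signed by
    # this CA - kubeadm's default kubelet serving cert is self-signed - so
    # `kubectl logs`/`exec` break unless kubelet serving-certificate
    # bootstrapping via CSRs is enabled and those CSRs get approved.
    kubelet-certificate-authority: /etc/kubernetes/pki/ca.crt
  certSANs:                                    # extra SANs for the serving cert
  - "k8s-api.ilinux.io"
  timeoutForControlPlane: 4m0s
controllerManager:                             # kube-controller-manager settings
  extraArgs:
    node-cidr-mask-size: "24"                  # mask length of each node's podCIDR
    cluster-signing-cert-file: /etc/kubernetes/pki/ca.crt # enable the built-in CSR signer
    cluster-signing-key-file: /etc/kubernetes/pki/ca.key
scheduler:                                     # kube-scheduler settings
  extraArgs:
    address: "127.0.0.1"                       # bind the insecure/metrics port to loopback only
certificatesDir: "/etc/kubernetes/pki"         # where PKI material is stored
imageRepository: "k8s.gcr.io"                  # registry for control-plane images
useHyperKubeImage: false                       # use the single hyperkube image?
clusterName: "kubernetes"                      # cluster name
-------------------------------------------------------------------------------- /chapter3/node-demo.yaml: --------------------------------------------------------------------------------
## Node Demo
# Maintainer: MageEdu
#
# Manually registered Node object; podCIDR is one /24 out of the cluster's
# pod range, as the controller-manager would allocate it.
apiVersion: v1
kind: Node
metadata:
  name: temp-node.ilinux.io
  labels:
    kubernetes.io/hostname: temp-node.ilinux.io
spec:
  podCIDR: 10.244.6.0/24
  podCIDRs: [10.244.6.0/24]
-------------------------------------------------------------------------------- /chapter3/ns-demo-term.json: --------------------------------------------------------------------------------
{
  "apiVersion": "v1",
  "kind": "Namespace",
  "metadata": {
    "creationTimestamp": "2020-03-12T13:11:19Z",
    "deletionTimestamp":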
"2020-03-13T00:48:13Z",
    "name": "demo",
    "resourceVersion": "786424",
    "selfLink": "/api/v1/namespaces/demo",
    "uid": "15b970cf-384a-474c-8780-680b3b041802"
  },
  "spec": {},
  "status": {
    "phase": "Terminating"
  }
}
-------------------------------------------------------------------------------- /chapter3/ns-demo-v2.yaml: --------------------------------------------------------------------------------
# Same namespace as ns-demo.yaml but with an EMPTY finalizer list. Presumably
# meant to be applied to the /finalize subresource of a namespace stuck in
# Terminating (see ns-demo-term.json): removing the "kubernetes" finalizer
# lets the namespace vanish without the namespace controller finishing its
# cleanup, so any objects it still held are orphaned. Use as a last resort.
apiVersion: v1
kind: Namespace
metadata:
  name: demo
spec:
  finalizers:
-------------------------------------------------------------------------------- /chapter3/ns-demo.yaml: --------------------------------------------------------------------------------
# Maintainer: MageEdu
# URL: http://www.magedu.com
# Plain namespace; "kubernetes" is the finalizer the API server adds by
# default, so listing it here is equivalent to omitting spec entirely.
apiVersion: v1
kind: Namespace
metadata:
  name: demo
spec:
  finalizers:
  - kubernetes
-------------------------------------------------------------------------------- /chapter3/ns-with-labels.yaml: --------------------------------------------------------------------------------
# Namespace carrying labels; these are what namespaceSelector-based
# NetworkPolicies and label-scoped admission rules key on.
apiVersion: v1
kind: Namespace
metadata:
  name: eshop
  labels:
    app: eshop
    env: dev
spec:
  finalizers:
  - kubernetes
-------------------------------------------------------------------------------- /chapter3/test.yaml: --------------------------------------------------------------------------------
# Name-based virtual hosting Ingress. networking.k8s.io/v1beta1 was removed in
# Kubernetes 1.22 (use networking.k8s.io/v1 with service.name/port). No tls
# section, so both hosts are served over plain HTTP by the controller.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: name-virtual-host-ingress
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: service1
          servicePort: 80
  - host: bar.foo.com
    http:
      paths:
      - backend:
          serviceName: service2
          servicePort: 80
-------------------------------------------------------------------------------- /chapter4/all-in-one.yaml: --------------------------------------------------------------------------------
#
Maintainer: MageEdu
# URL: http://www.magedu.com
# Combined demo: an init container installs an iptables REDIRECT so traffic
# arriving on :8080 is delivered to the Envoy sidecar on :80, which proxies to
# the app on 127.0.0.1:8080 (see chapter4/envoy.yaml).
apiVersion: v1
kind: Pod
metadata:
  name: all-in-one
  namespace: default
spec:
  initContainers:
  - name: iptables-init
    # NOTE(review): mutable tag + IfNotPresent means whatever is cached on the
    # node runs; pin a digest for anything reproducible.
    image: ikubernetes/admin-box:latest
    imagePullPolicy: IfNotPresent
    command: ['/bin/sh','-c']
    args: ['iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80']
    securityContext:
      capabilities:
        add:
        - NET_ADMIN          # needed for iptables; scoped to the init container so the long-running containers never hold it
  containers:
  - name: sidecar-proxy
    image: envoyproxy/envoy-alpine:v1.13.1
    command: ['/bin/sh','-c']
    args: ['sleep 3 && envoy -c /etc/envoy/envoy.yaml']   # sleep gives postStart time to fetch the config
    lifecycle:
      postStart:
        exec:
          # NOTE(review): proxy config fetched over cleartext HTTP at runtime -
          # anyone on the path can hand Envoy arbitrary listeners/routes. Ship
          # it in a ConfigMap, or at least fetch over HTTPS into a read-only
          # volume as chapter5/volumes-emptydir-demo.yaml does.
          command: ['/bin/sh','-c','wget -O /etc/envoy/envoy.yaml http://ilinux.io/envoy.yaml']
    livenessProbe:
      tcpSocket:
        port: 80
      initialDelaySeconds: 5
    readinessProbe:
      tcpSocket:
        port: 80
      initialDelaySeconds: 5
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    env:
    - name: PORT
      value: '8080'          # unprivileged port, consistent with runAsUser 1001 below
    livenessProbe:
      httpGet:
        path: '/livez'
        port: 8080
      initialDelaySeconds: 5
    readinessProbe:
      httpGet:
        path: '/readyz'
        port: 8080
      initialDelaySeconds: 15
    securityContext:
      runAsUser: 1001
      runAsGroup: 1001
    resources:
      requests:
        cpu: 0.5
        memory: "64Mi"
      limits:
        cpu: 2
        memory: "1024Mi"
  # Pod-level: applies to every container. The sidecar has no runAsUser and so
  # still runs as its image default (root for envoy-alpine) - confirm if that matters.
  securityContext:
    supplementalGroups: [1002, 1003]
    fsGroup: 2000
-------------------------------------------------------------------------------- /chapter4/bbox-cap.yaml: --------------------------------------------------------------------------------
# Least-privilege capability demo: drop everything, add back only what a
# non-root web server needs to bind a privileged port.
apiVersion: v1
kind: Pod
metadata:
  name: bbox-cap
  namespace: default
spec:
  containers:
  - name: demo
    image: busybox
    imagePullPolicy: IfNotPresent
    command: ["/bin/httpd", "-f"]
    securityContext:
      runAsUser: 100
      runAsGroup: 100
      capabilities:
        drop: ['all']        # conventionally spelled ALL
        add: ['NET_BIND_SERVICE']
      # NOTE(review): leaves no_new_privs off, which the Restricted Pod Security
      # profile forbids. Presumably kept so a non-root process can still pick
      # up the added capability (for a non-root uid, added caps are not in the
      # effective set unless the runtime grants ambient caps or the binary has
      # file caps) - TODO confirm httpd actually binds :80 here; if it does
      # with allowPrivilegeEscalation: false, set false.
      allowPrivilegeEscalation: true
-------------------------------------------------------------------------------- /chapter4/envoy.yaml: --------------------------------------------------------------------------------
# Minimal Envoy sidecar config (legacy v2 API): listen on :80, forward everything
# to the app on 127.0.0.1:8080.
admin:
  access_log_path: /tmp/admin_access.log
  # NOTE(review): the admin API is unauthenticated. On 0.0.0.0 any peer that
  # can reach the pod IP on 9901 can dump the config, change log levels or
  # drain/shut down listeners. Bind it to 127.0.0.1 unless deliberately exposed.
  address:
    socket_address: { address: 0.0.0.0, port_value: 9901 }

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 80 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: ingress_http
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]     # matches any Host header
              routes:
              - match: { prefix: "/" }
                route: { cluster: local_service }
          http_filters:
          - name: envoy.router

  clusters:
  - name: local_service
    connect_timeout: 0.25s
    type: STATIC
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: local_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1   # same pod netns only; never leaves the pod
                port_value: 8080
-------------------------------------------------------------------------------- /chapter4/init-container-demo.yaml: --------------------------------------------------------------------------------
# Init-container pattern: the one-shot container holds NET_ADMIN just long
# enough to install the iptables rule; the app container runs without it.
apiVersion: v1
kind: Pod
metadata:
  name: init-container-demo
  namespace: default
spec:
  initContainers:
  - name: iptables-init
    image: ikubernetes/admin-box:latest   # mutable tag; pin a digest outside a lab
    imagePullPolicy: IfNotPresent
    command: ['/bin/sh','-c']
    args: ['iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80']
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    ports:
    -
name: http
      containerPort: 80
-------------------------------------------------------------------------------- /chapter4/lifecycle-demo.yaml: --------------------------------------------------------------------------------
# Lifecycle hook demo. Unlike init-container-demo.yaml, the iptables rule is
# installed from postStart, so NET_ADMIN has to stay on the APP container for
# its whole lifetime - a compromise of the app then includes netfilter control
# inside the pod. Prefer the init-container variant where possible.
apiVersion: v1
kind: Pod
metadata:
  name: lifecycle-demo
  namespace: default
spec:
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
    livenessProbe:
      httpGet:
        path: '/livez'
        port: 80
        scheme: HTTP
      initialDelaySeconds: 5
    lifecycle:
      postStart:
        exec:
          # Runs asynchronously with the entrypoint; no ordering guarantee.
          command: ['/bin/sh','-c','iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80']
      preStop:
        exec:
          # Keep signalling until no python3 process is left, then let the container exit.
          command: ['/bin/sh','-c','while killall python3; do sleep 1; done']
  restartPolicy: Always
-------------------------------------------------------------------------------- /chapter4/liveness-exec-demo.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: liveness-exec-demo
  namespace: default
spec:
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    livenessProbe:
      exec:
        # NOTE(review): `==` is not POSIX test; bash and busybox ash accept it,
        # dash does not. Use `=` if the image's /bin/sh is dash.
        command: ['/bin/sh', '-c', '[ "$(curl -s 127.0.0.1/livez)" == "OK" ]']
      initialDelaySeconds: 5
      timeoutSeconds: 1
      periodSeconds: 5
-------------------------------------------------------------------------------- /chapter4/liveness-httpget-demo.yaml: --------------------------------------------------------------------------------
# Maintainer: MageEdu
# URL: http://www.magedu.com
# ---
apiVersion: v1
kind: Pod
metadata:
  name: liveness-httpget-demo
  namespace: default
spec:
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    livenessProbe:
      httpGet:
        path: '/livez'
        port: 80
        scheme: HTTP
      initialDelaySeconds: 5
-------------------------------------------------------------------------------- /chapter4/liveness-tcpsocket-demo.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: liveness-tcpsocket-demo
  namespace: default
spec:
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    ports:
    - name: http
      containerPort: 80
    # NOTE(review): nothing in this manifest uses NET_ADMIN (no iptables, no
    # hooks). Drop it unless the chapter exercises it interactively.
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
    livenessProbe:
      tcpSocket:
        port: http           # refers to the named containerPort above
      periodSeconds: 5
      initialDelaySeconds: 5
-------------------------------------------------------------------------------- /chapter4/memleak-demo.yaml: --------------------------------------------------------------------------------
# Maintainer: MageEdu
# URL: http://www.magedu.com
# ---
# requests == limits (Guaranteed QoS); the leaking process is OOM-killed at 64Mi.
apiVersion: v1
kind: Pod
metadata:
  name: memleak-pod
spec:
  containers:
  - name: simmemleak
    image: ikubernetes/simmemleak   # untagged -> :latest; pin for reproducibility
    resources:
      requests:
        memory: "64Mi"
        cpu: "1"
      limits:
        memory: "64Mi"
        cpu: "1"
-------------------------------------------------------------------------------- /chapter4/pod-demo-with-cmd-and-args.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: pod-demo-with-cmd-and-args
  namespace: default
spec:
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    command: ['/bin/sh','-c']   # command replaces the image ENTRYPOINT, args its CMD
    args: ['python3 /usr/local/bin/demo.py -p 8080']
-------------------------------------------------------------------------------- /chapter4/pod-demo.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: pod-demo
  namespace: default
spec:
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
-------------------------------------------------------------------------------- /chapter4/pod-resources-demo.yaml: --------------------------------------------------------------------------------
# Maintainer: MageEdu
# URL: http://www.magedu.com
# ---
apiVersion: v1
kind: Pod
metadata:
  name: stress-pod
spec:
  containers:
  - name: stress
    image: ikubernetes/stress-ng   # untagged -> :latest
    command: ["/usr/bin/stress-ng", "-c 1", "-m 1", "--metrics-brief"]
    resources:
      requests:
        memory: "128Mi"
        cpu: "200m"
      limits:
        memory: "512Mi"
        cpu: "400m"
-------------------------------------------------------------------------------- /chapter4/pod-using-env.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: pod-using-env
  namespace: default
spec:
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    env:
    - name: HOST
      value: "127.0.0.1"     # loopback only: the app is unreachable from other pods with this setting
    - name: PORT
      value: "8080"
-------------------------------------------------------------------------------- /chapter4/pod-using-hostnetwork.yaml: --------------------------------------------------------------------------------
# Maintainer: MageEdu
# # URL: http://www.magedu.com
apiVersion: v1
kind: Pod
metadata:
  name: pod-using-hostnetwork
  namespace: default
spec:
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
  # NOTE(review): shares the node's network namespace. The app listens on the
  # node's IP, can reach node-local-only services (kubelet, cloud metadata,
  # etc.), and is outside NetworkPolicy enforcement on most CNIs. Forbidden by
  # the Baseline Pod Security profile; only for true node agents.
  hostNetwork: true
-------------------------------------------------------------------------------- /chapter4/pod-using-hostport.yaml:
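--------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: pod-using-hostport
  namespace: default
spec:
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    ports:
    - name: http
      containerPort: 80
      protocol: TCP
      # NOTE(review): exposes the container on <nodeIP>:10080 of whichever node
      # it lands on, bypassing the Service layer (and, on many CNIs,
      # NetworkPolicy). Restricted by the Baseline Pod Security profile.
      hostPort: 10080
-------------------------------------------------------------------------------- /chapter4/readiness-httpget-demo.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: readiness-httpget-demo
  namespace: default
spec:
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    readinessProbe:
      httpGet:
        path: '/readyz'
        port: 80
        scheme: HTTP
      initialDelaySeconds: 15
      timeoutSeconds: 2
      periodSeconds: 5
      failureThreshold: 3    # removed from Service endpoints after 3 consecutive failures
  restartPolicy: Always
-------------------------------------------------------------------------------- /chapter4/resource-limits-demo.yaml: --------------------------------------------------------------------------------
# Same as memleak-demo.yaml plus a label; requests == limits -> Guaranteed QoS,
# OOM-killed at 64Mi.
apiVersion: v1
kind: Pod
metadata:
  name: memleak-pod
  labels:
    app: memleak
spec:
  containers:
  - name: simmemleak
    image: ikubernetes/simmemleak   # untagged -> :latest
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        memory: "64Mi"
        cpu: "1"
      limits:
        memory: "64Mi"
        cpu: "1"
-------------------------------------------------------------------------------- /chapter4/resource-requests-demo.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: stress-pod
spec:
  containers:
  - name: stress
    image: ikubernetes/stress-ng   # untagged -> :latest
    command: ["/usr/bin/stress-ng", "-c 1", "-m 1", "--metrics-brief"]
    resources:
      requests:
        memory: "128Mi"
        cpu: "200m"
      limits:
        memory: "512Mi"
        cpu: "400m"
-------------------------------------------------------------------------------- /chapter4/securitycontext-capabilities-demo.yaml: --------------------------------------------------------------------------------
# Maintainer: MageEdu
# # URL: http://www.magedu.com
# Capability demo: the app container installs its own REDIRECT rule and then
# execs the app, so NET_ADMIN remains held by the running app for its lifetime.
apiVersion: v1
kind: Pod
metadata:
  name: securitycontext-capabilities-demo
  namespace: default
spec:
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    command: ["/bin/sh","-c"]
    args: ["/sbin/iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80 && /usr/bin/python3 /usr/local/bin/demo.py"]
    securityContext:
      capabilities:
        add: ['NET_ADMIN']
        drop: ['CHOWN']      # illustrates dropping from the runtime default set; the rest of that set is still granted
-------------------------------------------------------------------------------- /chapter4/securitycontext-runasuser-demo.yaml: --------------------------------------------------------------------------------
# Maintainer: MageEdu
# # URL: http://www.magedu.com
---
apiVersion: v1
kind: Pod
metadata:
  name: securitycontext-runasuser-demo
  namespace: default
spec:
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    env:
    - name: PORT
      value: "8080"          # presumably chosen because uid 1001 cannot bind :80 without NET_BIND_SERVICE
    securityContext:
      runAsUser: 1001
      runAsGroup: 1001
-------------------------------------------------------------------------------- /chapter4/securitycontext-sysctls-demo.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: securitycontext-sysctls-demo
  namespace: default
spec:
  securityContext:
    sysctls:
    - name: kernel.shm_rmid_forced
      value: "0"
    # Lets the non-root app below bind :80 without any capability. NOTE(review):
    # namespaced, but on the 1.18 control plane this repo's kubeadm-config
    # targets it is still classed "unsafe" (it joined the safe list in 1.22),
    # so the kubelet needs --allowed-unsafe-sysctls for it or the pod is
    # rejected - verify against your version.
    - name: net.ipv4.ip_unprivileged_port_start
      value: "0"
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    securityContext:
      runAsUser: 1001
      runAsGroup: 1001
-------------------------------------------------------------------------------- /chapter4/sidecar-container-demo.yaml: --------------------------------------------------------------------------------
# Maintainer: MageEdu
# URL: http://www.magedu.com
# ---
apiVersion: v1
kind: Pod
metadata:
  name: sidecar-container-demo
  namespace: default
spec:
  containers:
  - name: proxy
    image: envoyproxy/envoy-alpine:v1.14.1
    command: ['/bin/sh','-c']
    args: ['sleep 5 && envoy -c /etc/envoy/envoy.yaml']   # sleep gives postStart time to fetch the config
    lifecycle:
      postStart:
        exec:
          # NOTE(review): proxy config pulled over cleartext HTTP at start-up -
          # an on-path attacker can supply arbitrary listeners/routes. Use a
          # ConfigMap, or the HTTPS + read-only emptyDir pattern from
          # chapter5/volumes-emptydir-demo.yaml.
          command: ['/bin/sh','-c','wget -O /etc/envoy/envoy.yaml http://ilinux.io/envoy.yaml']
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    env:
    - name: HOST
      value: "127.0.0.1"     # only the sidecar in the same netns can reach the app
    - name: PORT
      value: "8080"
-------------------------------------------------------------------------------- /chapter4/startup-exec-demo.yaml: --------------------------------------------------------------------------------
# Maintainer: MageEdu
# URL: http://www.magedu.com
# ---
apiVersion: v1
kind: Pod
metadata:
  name: startup-exec-demo
  namespace: default
spec:
  containers:
  - name: demo
    image: ikubernetes/demoapp:v1.0
    imagePullPolicy: IfNotPresent
    startupProbe:
      exec:
        # The original was ['/bin/sh','-c','test','"$(curl -s 127.0.0.1/livez)"=="OK"']:
        # with `sh -c`, only the first operand is the script, so `test` ran
        # with NO arguments (the comparison became $0) and always exited 1 -
        # the probe could never succeed and the kubelet killed the container
        # after failureThreshold * periodSeconds. Keep the whole expression
        # inside the one -c script, with spaces around the POSIX `=` operator
        # (without them `"x"=="OK"` is a single non-empty string, i.e. always true).
        command: ['/bin/sh','-c','[ "$(curl -s 127.0.0.1/livez)" = "OK" ]']
      initialDelaySeconds: 0
      failureThreshold: 3
      periodSeconds: 5
-------------------------------------------------------------------------------- /chapter5/downwardapi-env.yaml: --------------------------------------------------------------------------------
# Maintainer: MageEdu
# URL: http://www.magedu.com
# ---
# Downward API via environment variables. The container just prints its whole
# environment to the log - fine here, but never do that in a pod that also
# receives secrets through env.
apiVersion: v1
kind: Pod
metadata:
  name: env-test-pod
  labels:
    app: env-test-pod
spec:
  containers:
  - name: env-test-container
    image: ikubernetes/admin-toolbox:v1.0
    command: [ "/bin/sh", "-c", "env" ]
    resources:
      requests:
        memory: "32Mi"
        cpu: "125m"
      limits:
        memory: "64Mi"
        cpu: "250m"
    env:
    - name: MY_POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: MY_POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: MY_APP_LABEL
      valueFrom:
        fieldRef:
          fieldPath: metadata.labels['app']
    - name: MY_CPU_LIMIT
      valueFrom:
        resourceFieldRef:
          resource: limits.cpu       # no divisor: reported in whole cores, rounded up
    - name: MY_MEM_REQUEST
      valueFrom:
        resourceFieldRef:
          resource: requests.memory
          divisor: 1Mi               # reported in MiB
  restartPolicy: Never
-------------------------------------------------------------------------------- /chapter5/downwardapi-vol.yaml: --------------------------------------------------------------------------------
# Downward API via a projected volume: each item becomes a file under /etc/podinfo.
kind: Pod
apiVersion: v1
metadata:
  labels:
    zone: east-china
    rack: rack-101
    app: dapi-vol-pod
  name: dapi-vol-pod
  annotations:
    ilinux.io/app: "demoapp"
spec:
  containers:
  - name: volume-test-container
    image: ikubernetes/demoapp:v1.0
    resources:
      requests:
        memory: "32Mi"
        cpu: "200m"
      limits:
        memory: "64Mi"
        cpu: "500m"
    volumeMounts:
    - name: podinfo
      mountPath: /etc/podinfo
      readOnly: false        # has no effect: the kubelet mounts downwardAPI volumes read-only regardless (since ~1.10)
  volumes:
  - name: podinfo
    downwardAPI:
      defaultMode: 420       # 0644
      items:
      - fieldRef:
          fieldPath: metadata.namespace
        path: pod_namespace
      - fieldRef:
          fieldPath: metadata.labels
        path: pod_labels
      # Exposes ALL annotations, which may include
      # kubectl.kubernetes.io/last-applied-configuration (the full object as
      # applied). Project only the keys you need if that is a concern.
      - fieldRef:
          fieldPath: metadata.annotations
        path: pod_annotations
      - resourceFieldRef:
          containerName: volume-test-container
          resource: limits.cpu
        path: "cpu_limit"
      - resourceFieldRef:
          containerName: volume-test-container
          resource: requests.memory
          divisor: "1Mi"
        path: "mem_request"
-------------------------------------------------------------------------------- /chapter5/glusterfs-endpoints.yaml: --------------------------------------------------------------------------------
# Static Endpoints object pointing the glusterfs volume plugin at the trusted
# storage pool (referenced by chapter5/volumes-glusterfs-demo.yaml).
# NOTE(review): `ip` must be a literal IP address - the API server validates
# EndpointAddress.ip as an IP and rejects hostnames such as gfs01.ilinux.io.
# Substitute the real node addresses before applying.
apiVersion: v1
kind: Endpoints
metadata:
  name: glusterfs-endpoints
subsets:
- addresses:
  - ip: gfs01.ilinux.io
  ports:
  - port: 24007
    name: glusterd
- addresses:
  - ip: gfs02.ilinux.io
  ports:
  - port: 24007
    name: glusterd
- addresses:
  - ip: gfs03.ilinux.io
  ports:
  - port: 24007
    name: glusterd
-------------------------------------------------------------------------------- /chapter5/pv-nfs-demo.yaml: --------------------------------------------------------------------------------
# Statically provisioned NFS PV. No sec= mount option, so the mount uses the
# default sec=sys: the server trusts whatever uid/gid the client asserts and
# access control is only the export's host list. Adequate on a trusted storage
# network; use Kerberos (sec=krb5p) where that is not the case.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-nfs-demo
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
  - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain   # data survives PVC deletion; must be cleaned up by hand
  mountOptions:
  - hard
  - nfsvers=4.1
  nfs:
    path: "/data/redis002"
    server: nfs.ilinux.io
-------------------------------------------------------------------------------- /chapter5/pv-rbd-demo.yaml: --------------------------------------------------------------------------------
# Statically provisioned Ceph RBD PV; bound by chapter5/pvc-demo-0002.yaml via
# the usedof=redisdata label selector.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-rbd-demo
  labels:
    usedof: redisdata
spec:
  capacity:
    storage: 2Gi
  accessModes:
  - ReadWriteOnce
  rbd:
    monitors:
    - ceph01.ilinux.io
    - ceph02.ilinux.io
    - ceph03.ilinux.io
    pool: kube
    image: pv-test
    user: kube
    # Key read from the NODE's filesystem: every node that may host the pod
    # needs this file. A secretRef to a Secret in the cluster avoids
    # distributing Ceph keys to node disks.
    keyring: /etc/ceph/ceph.client.kube.keyring
    fsType: xfs
    readOnly: false
  persistentVolumeReclaimPolicy: Retain
--------------------------------------------------------------------------------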
/chapter5/pvc-demo-0001.yaml: --------------------------------------------------------------------------------
# Claim with no storageClassName: binds to a matching pre-provisioned PV (e.g.
# pv-nfs-demo, the only RWX PV in this chapter) or to the default StorageClass.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-demo-0001
  namespace: default
spec:
  accessModes: ["ReadWriteMany"]
  volumeMode: Filesystem
  resources:
    requests:
      storage: 3Gi
    limits:
      storage: 10Gi          # accepted by the schema but not used for binding or provisioning
-------------------------------------------------------------------------------- /chapter5/pvc-demo-0002.yaml: --------------------------------------------------------------------------------
# Claim pinned to the PV labelled usedof=redisdata (chapter5/pv-rbd-demo.yaml).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-demo-0002
spec:
  accessModes: ["ReadWriteOnce"]
  volumeMode: Filesystem
  resources:
    requests:
      storage: 2Gi
    limits:
      storage: 5Gi           # not used for binding
  selector:
    matchLabels:
      usedof: "redisdata"
-------------------------------------------------------------------------------- /chapter5/pvc-dyn-longhorn-demo.yaml: --------------------------------------------------------------------------------
# Dynamically provisioned claim against the "longhorn" StorageClass.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-dyn-longhorn-demo
  namespace: default
spec:
  accessModes: ["ReadWriteOnce"]
  volumeMode: Filesystem
  resources:
    requests:
      storage: 2Gi
    limits:
      storage: 10Gi          # not used for provisioning
  storageClassName: longhorn
-------------------------------------------------------------------------------- /chapter5/pvc-dyn-rbd-demo.yaml: --------------------------------------------------------------------------------
# Dynamically provisioned claim against the fast-rbd StorageClass
# (chapter5/storageclass-rbd-demo.yaml). Note the object name differs from the
# file name (pvc-sc-rbd-demo vs pvc-dyn-rbd-demo).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-sc-rbd-demo
  namespace: default
spec:
  accessModes: ["ReadWriteOnce"]
  volumeMode: Filesystem
  resources:
    requests:
      storage: 3Gi
    limits:
      storage: 10Gi          # not used for provisioning
  storageClassName: fast-rbd
-------------------------------------------------------------------------------- /chapter5/storageclass-rbd-demo.yaml:
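--------------------------------------------------------------------------------
# In-tree Ceph RBD StorageClass (kubernetes.io/rbd). The in-tree plugin is
# deprecated in favour of ceph-csi and needs the rbd binary on the
# controller-manager host.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: fast-rbd
provisioner: kubernetes.io/rbd
parameters:
  monitors: ceph01.ilinux.io:6789,ceph02.ilinux.io:6789,ceph03.ilinux.io:6789
  # NOTE(review): provisioning runs with the cluster-wide Ceph "admin" key.
  # A dedicated provisioner user limited to the "kube" pool (mon 'allow r',
  # osd 'allow rwx pool=kube') contains the blast radius if kube-system is
  # compromised.
  adminId: admin
  adminSecretName: ceph-admin-secret
  adminSecretNamespace: kube-system
  pool: kube
  userId: kube                          # key used by nodes to map images
  userSecretName: ceph-kube-secret
  userSecretNamespace: kube-system      # secret is shared cluster-wide from kube-system rather than per namespace
  fsType: ext4
  imageFormat: "2"
  imageFeatures: "layering"             # only feature the kernel rbd client is guaranteed to support
reclaimPolicy: Retain
-------------------------------------------------------------------------------- /chapter5/volumes-cephfs-demo.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: volumes-cephfs-demo
spec:
  containers:
  - name: redis
    image: redis:alpine
    volumeMounts:
    - mountPath: "/data"
      name: redis-cephfs-vol
  volumes:
  - name: redis-cephfs-vol
    cephfs:
      monitors:
      - 172.29.200.1:6789
      - 172.29.200.2:6789
      - 172.29.200.3:6789
      path: /kube/namespaces/default/redis1
      user: fsclient
      secretFile: "/etc/ceph/fsclient.key"   # read from the node's disk; secretRef avoids distributing keys to nodes
      readOnly: false
-------------------------------------------------------------------------------- /chapter5/volumes-cinder-demo.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: volume-cinder-demo
spec:
  containers:
  - image: mysql                        # untagged -> :latest
    name: mysql
    args:
    - "--ignore-db-dir"
    - "lost+found"
    env:
    - name: MYSQL_ROOT_PASSWORD
      # NOTE(review): placeholder, but the pattern puts the DB root password in
      # the pod spec in clear text (visible to anyone with pods/get, in audit
      # logs and in kubectl apply annotations). Use valueFrom.secretKeyRef.
      value: YOUR_PASS
    ports:
    - containerPort: 3306
      name: mysqlport
    volumeMounts:
    - name: mysqldata
      mountPath: /var/lib/mysql
  volumes:
  - name: mysqldata
    cinder:
      volumeID: e2b8d2f7-wece-90d1-a505-4acf607a90bc   # placeholder (not a valid UUID); replace with the real volume ID
      fsType: ext4
-------------------------------------------------------------------------------- /chapter5/volumes-emptydir-demo.yaml: --------------------------------------------------------------------------------
# Config hand-off through a tmpfs-backed emptyDir: an init container fetches the
# Envoy config once over HTTPS, the proxy mounts it read-only. This is the
# pattern to prefer over the plain-HTTP postStart wget used in chapter4.
apiVersion: v1
kind: Pod
metadata:
  name: volumes-emptydir-demo
  namespace: default
spec:
  initContainers:
  - name: config-file-downloader
    image: ikubernetes/admin-box          # untagged -> :latest
    imagePullPolicy: IfNotPresent
    # Still pulls from a mutable branch ("main"); pin a commit SHA in the URL
    # so a later push to the repository cannot change what the proxy runs.
    command: ['/bin/sh','-c','wget -O /data/envoy.yaml https://raw.githubusercontent.com/iKubernetes/Kubernetes_Advanced_Practical_2rd/main/chapter4/envoy.yaml']
    volumeMounts:
    - name: config-file-store
      mountPath: /data
  containers:
  - name: envoy
    image: envoyproxy/envoy-alpine:v1.13.1
    command: ['/bin/sh','-c']
    args: ['envoy -c /etc/envoy/envoy.yaml']
    volumeMounts:
    - name: config-file-store
      mountPath: /etc/envoy
      readOnly: true                      # the proxy cannot alter its own config
  volumes:
  - name: config-file-store
    emptyDir:
      medium: Memory                      # RAM-backed; counts against the pod's memory limit
      sizeLimit: 16Mi
-------------------------------------------------------------------------------- /chapter5/volumes-gitrepo-demo.yaml: --------------------------------------------------------------------------------
# NOTE(review): the gitRepo volume type is deprecated upstream - the kubelet
# itself runs git on the node to populate it. Use an initContainer that clones
# into an emptyDir instead (same pattern as volumes-emptydir-demo.yaml).
apiVersion: v1
kind: Pod
metadata:
  name: volumes-gitrepo-demo
spec:
  containers:
  - name: nginx
    image: nginx:alpine
    volumeMounts:
    - name: html
      mountPath: /usr/share/nginx/html
  volumes:
  - name: html
    gitRepo:
      repository: https://github.com/iKubernetes/Kubernetes_Advanced_Practical_2rd.git
      directory: .
      revision: "master"                  # branch name, not a commit: content changes with every push
-------------------------------------------------------------------------------- /chapter5/volumes-glusterfs-demo.yaml: --------------------------------------------------------------------------------
# Maintainer: MageEdu
# URL: http://www.magedu.com
---
apiVersion: v1
kind: Pod
metadata:
  name: volumes-glusterfs-demo
  labels:
    app: redis
spec:
  containers:
  - name: redis
    image: redis:alpine
    ports:
    - containerPort: 6379
      name: redisport
    volumeMounts:
    - mountPath: /data
      name: redisdata
  volumes:
  - name: redisdata
    glusterfs:
      endpoints: glusterfs-endpoints      # Endpoints object from chapter5/glusterfs-endpoints.yaml (same namespace)
      path: kube-redis                    # GlusterFS volume name
      readOnly: false
-------------------------------------------------------------------------------- /chapter5/volumes-hostpath-demo.yaml: --------------------------------------------------------------------------------
# Node-level log shipper built on hostPath mounts. This pod is root-equivalent
# on its node: a writable Docker socket lets the container start privileged
# containers with the host filesystem mounted (readOnly on the mount does not
# restrict a Unix socket). Only run this shape of pod from a tightly scoped
# DaemonSet, in a namespace ordinary users cannot create pods in.
#
# Fix applied: every hostPath now declares `type`. With the default (empty)
# type the kubelet performs no check and a missing path is created as a
# directory on the host - for docker.sock that silently yields an empty dir
# instead of the socket. Directory/Socket make the pod fail fast instead.
apiVersion: v1
kind: Pod
metadata:
  name: volumes-hostpath-demo
spec:
  containers:
  - name: filebeat
    image: ikubernetes/filebeat:5.6.7-alpine
    env:
    - name: REDIS_HOST
      value: redis.ilinux.io:6379
    - name: LOG_LEVEL
      value: info
    volumeMounts:
    - name: varlog
      mountPath: /var/log                 # writable: the container can tamper with node logs; make readOnly if filebeat does not write here - TODO confirm
    - name: socket
      mountPath: /var/run/docker.sock
    - name: varlibdockercontainers
      mountPath: /var/lib/docker/containers
      readOnly: true
  volumes:
  - name: varlog
    hostPath:
      path: /var/log
      type: Directory
  - name: varlibdockercontainers
    hostPath:
      path: /var/lib/docker/containers
      type: Directory
  - name: socket
    hostPath:
      path: /var/run/docker.sock
      type: Socket
-------------------------------------------------------------------------------- /chapter5/volumes-nfs-demo.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: volumes-nfs-demo
  labels:
    app: redis
spec:
  containers:
  - name: redis
    image: redis:alpine
    ports:
    - containerPort: 6379
      name: redisport
    securityContext:
      runAsUser: 999                      # redis uid in the image; the NFS export must grant this uid write access (sec=sys trusts the client uid)
    volumeMounts:
    - mountPath: /data
      name: redisdata
  volumes:
  - name: redisdata
    nfs:
      server: nfs.ilinux.io
      path: /data/redis
      readOnly: false
-------------------------------------------------------------------------------- /chapter5/volumes-pvc-demo.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: volumes-pvc-demo
  namespace: default
spec:
  containers:
  - name: redis
    image: redis:alpine
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 6379
      name: redisport
    volumeMounts:
    - mountPath: /data
      name: redis-rbd-vol
  volumes:
  - name: redis-rbd-vol
    persistentVolumeClaim:
      claimName: pvc-demo-0002            # chapter5/pvc-demo-0002.yaml -> pv-rbd-demo
-------------------------------------------------------------------------------- /chapter5/volumes-pvc-longhorn-demo.yaml: --------------------------------------------------------------------------------
# Maintainer: MageEdu
# URL: http://www.magedu.com
---
apiVersion: v1
kind: Pod
metadata:
  name: volumes-pvc-longhorn-demo
  namespace: default
spec:
  containers:
  - name: redis
    image: redis:alpine
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 6379
      name: redisport
    volumeMounts:
    - mountPath: /data
      name: redis-data-vol
  volumes:
  - name: redis-data-vol
    persistentVolumeClaim:
      claimName: pvc-dyn-longhorn-demo    # chapter5/pvc-dyn-longhorn-demo.yaml
-------------------------------------------------------------------------------- /chapter5/volumes-rbd-demo.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: Pod
metadata:
  name: volumes-rbd-demo
spec:
  containers:
  - name: redis
    image: redis:alpine
    ports:
    - containerPort: 6379
      name: redisport
    volumeMounts:
    - mountPath: /data
      name: redis-rbd-vol
  volumes:
  - name: redis-rbd-vol
    rbd:
      monitors:
      - '172.29.200.1:6789'
      - '172.29.200.2:6789'
      - '172.29.200.3:6789'
      pool: kube
      image: redis-img1
      fsType: xfs
      readOnly: false
      user: kube
      keyring: /etc/ceph/ceph.client.kube.keyring   # read from the node's disk; secretRef avoids distributing keys to nodes
-------------------------------------------------------------------------------- /chapter6/BAK-demoapp-conf.d/eds.conf: --------------------------------------------------------------------------------
{
  "version_info": "0",
  "resources": [{
    "@type": "type.googleapis.com/envoy.api.v2.ClusterLoadAssignment",
    "cluster_name": "local_service",
    "endpoints": [{
      "lb_endpoints": [{
        "endpoint": {
          "address": {
            "socket_address": {
              "address": "127.0.0.1",
              "port_value": 8080
            }
          }
        }
      }]
    }]
  }]
}
-------------------------------------------------------------------------------- /chapter6/BAK-demoapp-conf.d/envoy.yaml: --------------------------------------------------------------------------------
node:
  id: sidecar-proxy
  cluster: demoapp-cluster

admin:
  access_log_path: /tmp/admin_access.log
  # NOTE(review): unauthenticated admin API on all interfaces - any peer that
  # can reach the pod IP on 9901 can dump config, change log levels or
  # drain/shut down listeners. Bind to 127.0.0.1 unless deliberately exposed.
  address:
    socket_address: { address: 0.0.0.0, port_value: 9901 }

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 80 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: ingress_http
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: local_service }
          http_filters:
          - name: envoy.router

  clusters:
  - name: local_service
    connect_timeout: 0.25s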
| lb_policy: ROUND_ROBIN 36 | type: EDS 37 | eds_cluster_config: 38 | service_name: local_service 39 | eds_config: 40 | path: '/etc/envoy/eds.conf' 41 | -------------------------------------------------------------------------------- /chapter6/BAK-demoapp-conf.d/lds.conf: -------------------------------------------------------------------------------- 1 | version_info: 0 2 | resources: 3 | - "@type": type.googleapis.com/envoy.api.v2.Listener 4 | name: listener_0 5 | address: 6 | socket_address: { address: 0.0.0.0, port_value: 80 } 7 | filter_chains: 8 | - filters: 9 | - name: envoy.http_connection_manager 10 | config: 11 | stat_prefix: ingress_http 12 | codec_type: AUTO 13 | route_config: 14 | name: local_route 15 | virtual_hosts: 16 | - name: local_service 17 | domains: ["*"] 18 | routes: 19 | - match: { prefix: "/" } 20 | route: { cluster: local_service } 21 | http_filters: 22 | - name: envoy.router 23 | -------------------------------------------------------------------------------- /chapter6/certs.d/nginx.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDlTCCAn2gAwIBAgIUGfrkNExfbKcyc/KbJKQry34Spr4wDQYJKoZIhvcNAQEL 3 | BQAwWjELMAkGA1UEBhMCQ04xEDAOBgNVBAgMB0JlaWppbmcxEDAOBgNVBAcMB0Jl 4 | aWppbmcxDzANBgNVBAoMBkRldk9wczEWMBQGA1UEAwwNd3d3LmlsaW51eC5pbzAe 5 | Fw0yMDA0MTUwNTAwNDNaFw0yMDA1MTUwNTAwNDNaMFoxCzAJBgNVBAYTAkNOMRAw 6 | DgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ8wDQYDVQQKDAZEZXZP 7 | cHMxFjAUBgNVBAMMDXd3dy5pbGludXguaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IB 8 | DwAwggEKAoIBAQDMi5+2Q+YNSqy/oUXMC0+jIjsjnKc9K7cW60xXkC6NkyRcpYJl 9 | uc8rAXELrf512bTXhqoHjTnIxQ1TTNx3QlOhLpXV2BlkNmSscL4S/H/UDY9Pk+ts 10 | b8iDe+3vPDCVbC+o8AXaHTjKZCJWsJ1cDIcBFzt40T3Qk0/XPqV+3ZDEaMqoKbII 11 | dolCK/6b7PehIWUQVxUC+shgLUn2Qyrf+E+D/SBfE9WwPjtawBxwqh6Ns5utEl/G 12 | VimlC13klY3FCTLXHESxM+7F6U6UGibmBXTl/6eWR6niUumd28rScgyuCNp54f6p 13 | uTaL+FMlm07CbKyKXxCdzU5ukHYNayjkzwrNAgMBAAGjUzBRMB0GA1UdDgQWBBQ5 14 | 
XMnHIjvXdUBoPDwpin7bUczHrjAfBgNVHSMEGDAWgBQ5XMnHIjvXdUBoPDwpin7b 15 | UczHrjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBUpSZR5A9F 16 | 6mVaIMzMItjvZuqiD3ixoO7sDtFBpelaVMWGHi6wpYS/md6CfKHPCzrH8g6jVLhZ 17 | TiEgy9TDPnp2e4UcAS7X1PO3mFY5lpjUjLIf4xmFkS/EtT5dNSmAu4lF7fkFA+hF 18 | sn8ok9nOC6M99Pqnd5JZUGZpDRB+SPnZHW6wGbbIWwGxOBcmz0A0sI592VoO98X+ 19 | 1+l80EfvHcD2PFgfK8jKx9xItR10rpmTN2BkOBPbDFxHvDq3cFTAIUa0hVKN1OLI 20 | MhHK/VrfELGjrocJSdAqpjOLYtGbP7OlYDGO1OD96dESa+VY4Wbqjc79KInDD+Zy 21 | YYjnBJGayTLr 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /chapter6/certs.d/nginx.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEogIBAAKCAQEAzIuftkPmDUqsv6FFzAtPoyI7I5ynPSu3FutMV5AujZMkXKWC 3 | ZbnPKwFxC63+ddm014aqB405yMUNU0zcd0JToS6V1dgZZDZkrHC+Evx/1A2PT5Pr 4 | bG/Ig3vt7zwwlWwvqPAF2h04ymQiVrCdXAyHARc7eNE90JNP1z6lft2QxGjKqCmy 5 | CHaJQiv+m+z3oSFlEFcVAvrIYC1J9kMq3/hPg/0gXxPVsD47WsAccKoejbObrRJf 6 | xlYppQtd5JWNxQky1xxEsTPuxelOlBom5gV05f+nlkep4lLpndvK0nIMrgjaeeH+ 7 | qbk2i/hTJZtOwmysil8Qnc1ObpB2DWso5M8KzQIDAQABAoIBACcyjo2wH1Lmv4oN 8 | jsGWXVGGysx9RbM8QF7dAok5MSKiUvKKKR3zaJb2NMKnOj89VCGFReoijzNBR9dx 9 | wEH+bOZTdhU/z0XcApjlFhevWZO6cX8veosSNNu1kRgqcakAzXVTYdu1g9+NJuNz 10 | /wPXxrtXx2bUukLRKBi4gaB5NzfcARw0HXoZR11mTrvHKIdRALxCmJGOZNX9F8F1 11 | lCWB7hcYSdEX910dOeENTsQCLyRoh7WZBRz0DQPX6sIwaILkEOJnIT4+rX6WBdgd 12 | ddF3w/FXplEuoAIZeH2ffy/33rLZRIyReaDVrTxqT2uNBUdnBO7SEkeXWndPHvWc 13 | iJQPlSECgYEA9wFBjs8i6kF+X357OnxZnepxZuY0hjFNAqWOHiT1k/qkzOjQHmd2 14 | GJrYf749G7TpvGf6O+sjR/foz85ltUbJxyZMH+bjC803ETyzvNiWg161Zz7+y4jJ 15 | R9vXBKNowCek5EaTrgz0fJyn2uZTCjMZPMVUQAFiXsDmQ02mJzuWpNkCgYEA0/6I 16 | N86kk3jTshxoLC9UDt+LxU5ZPO/KKtkmRPJ+aMHm/nQrXk6zkZIUAv8r+9fWUwGm 17 | XRgvB5ehp/OXmvLKXHRVhaV77A6o0EPTTkqNbeNFHx5qQNmO9dwHU3RMnOyi4Nyn 18 | aI6Yc4b/1bWuyAbUesKDur7/AL8Z9QMWUETojRUCgYAvo65hPNIfHEKjaGGcBh/C 19 | 
tVTp47x9pUSVHhkq9zXmNJFUdBKvyoScekEHYkmm7l2mWOeKZu+HEel1Kvmy3NRN 20 | 9LT58i4YOJxGVs7TvXJKJBoYr62008z+bwgpfNrXNM44uOQCzbzZy90T+xhI/1H+ 21 | xpBZR+sRG2NN18wUBQopAQKBgEvsGX7bG+fQ2wgr0kcYwCL/foAwOhdvzVihImqI 22 | 6iq8Xuz8T9fbmcXlqhMUrfzo5NIfgiRPF/DBJl0PCVmt4DlSVJqjlIkLCvxjfhbI 23 | 7nPPdB7b9rO49tEodts1iIae3QppG+9/OiwNyiwQgEMU5x378c98vbjXuAUekOw4 24 | cYytAoGALKMk0p1E+drmW5nKuLkgr463nkezpewf8yRvPvPqJ8RGhm0FnZa9mfCF 25 | wRB08u2Fza4GJWDcJvTodWsmJjBTtLCL3hYBJcMAsU4GDmpBd7P1PPCVBoBLyRcl 26 | r+eS8Rse4pLDc9giBOYHjxChlVKRuXDJhvWi4k6U4f9m+A6jxI8= 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /chapter6/configmaps-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: configmap-demo 5 | namespace: default 6 | data: 7 | demoapp-host: 0.0.0.0 8 | demoapp-port: "10080" 9 | app.config: | 10 | threads = 4 11 | connections = 1024 12 | -------------------------------------------------------------------------------- /chapter6/configmaps-env-demo.yaml: -------------------------------------------------------------------------------- 1 | # Maintainer: MageEdu 2 | # URL: http://www.magedu.com 3 | --- 4 | apiVersion: v1 5 | kind: ConfigMap 6 | metadata: 7 | name: demoapp-config 8 | namespace: default 9 | data: 10 | demoapp.port: "8080" 11 | demoapp.host: 0.0.0.0 12 | --- 13 | apiVersion: v1 14 | kind: Pod 15 | metadata: 16 | name: configmaps-env-demo 17 | namespace: default 18 | spec: 19 | containers: 20 | - image: ikubernetes/demoapp:v1.0 21 | name: demoapp 22 | env: 23 | - name: PORT 24 | valueFrom: 25 | configMapKeyRef: 26 | name: demoapp-config 27 | key: demoapp.port 28 | optional: false 29 | - name: HOST 30 | valueFrom: 31 | configMapKeyRef: 32 | name: demoapp-config 33 | key: demoapp.host 34 | optional: true 35 | -------------------------------------------------------------------------------- 
/chapter6/configmaps-envfrom-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: demoapp-config-for-envfrom 5 | namespace: default 6 | data: 7 | PORT: "8090" 8 | HOST: 0.0.0.0 9 | --- 10 | apiVersion: v1 11 | kind: Pod 12 | metadata: 13 | name: configmaps-envfrom-demo 14 | namespace: default 15 | spec: 16 | containers: 17 | - image: ikubernetes/demoapp:v1.0 18 | name: demoapp 19 | envFrom: 20 | - configMapRef: 21 | name: demoapp-config-for-envfrom 22 | optional: false 23 | -------------------------------------------------------------------------------- /chapter6/configmaps-volume-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: configmaps-volume-demo 5 | namespace: default 6 | spec: 7 | containers: 8 | - image: nginx:alpine 9 | name: nginx-server 10 | volumeMounts: 11 | - name: ngxconfs 12 | mountPath: /etc/nginx/conf.d/ 13 | readOnly: true 14 | volumes: 15 | - name: ngxconfs 16 | configMap: 17 | name: nginx-config-files 18 | optional: false 19 | -------------------------------------------------------------------------------- /chapter6/configmaps-volume-demo2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: configmaps-volume-demo2 5 | namespace: default 6 | spec: 7 | containers: 8 | - name: proxy 9 | image: envoyproxy/envoy-alpine:v1.14.1 10 | command: ['/bin/sh','-c','envoy -c /etc/envoy/..data/envoy.yaml'] 11 | volumeMounts: 12 | - name: appconfs 13 | mountPath: /etc/envoy 14 | readOnly: true 15 | - name: demo 16 | image: ikubernetes/demoapp:v1.0 17 | imagePullPolicy: IfNotPresent 18 | env: 19 | - name: PORT 20 | valueFrom: 21 | configMapKeyRef: 22 | name: demoapp-confs 23 | key: demoapp.port 24 | optional: false 25 | - name: HOST 26 | valueFrom: 27 | configMapKeyRef: 28 
| name: demoapp-confs
29 | key: demoapp.host
30 | optional: true
31 | volumes:
32 | - name: appconfs
33 | configMap:
34 | name: demoapp-confs
# Only the two listed keys are projected, as world-readable files (0644);
# the ConfigMap must already exist (optional: false) or the container
# cannot be created.
35 | items:
36 | - key: envoy.yaml
37 | path: envoy.yaml
38 | mode: 0644
39 | - key: lds.conf
40 | path: lds.conf
41 | mode: 0644
42 | optional: false
43 |
-------------------------------------------------------------------------------- /chapter6/configmaps-volume-demo3.yaml: --------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: configmap-volume-demo3
5 |   namespace: default
6 | spec:
7 |   containers:
8 |   - image: nginx:alpine
9 |     name: nginx-server
10 |     volumeMounts:
# subPath mounts pick single files out of the ConfigMap so the rest of
# conf.d stays intact. Caveat: the kubelet does not refresh subPath mounts
# when the ConfigMap changes, so edits need a pod restart to take effect.
11 |     - name: ngxconfs
12 |       mountPath: /etc/nginx/conf.d/myserver.conf
13 |       subPath: myserver.conf
14 |       readOnly: true
15 |     - name: ngxconfs
16 |       mountPath: /etc/nginx/conf.d/myserver-gzip.cfg
17 |       subPath: myserver-gzip.cfg
18 |       readOnly: true
19 |   volumes:
20 |   - name: ngxconfs
21 |     configMap:
22 |       name: nginx-config-files
23 |
-------------------------------------------------------------------------------- /chapter6/demoapp-conf.d/envoy.yaml: --------------------------------------------------------------------------------
1 | node:
2 |   id: sidecar-proxy
3 |   cluster: demoapp-cluster
4 |
# NOTE(review): the Envoy admin endpoint has no authentication and serves
# config dumps, stats and control actions. Bound to 0.0.0.0 it is reachable
# on the pod IP from any peer the network policy allows; bind it to
# 127.0.0.1 unless something outside the pod genuinely has to scrape it.
5 | admin:
6 |   access_log_path: /tmp/admin_access.log
7 |   address:
8 |     socket_address: { address: 0.0.0.0, port_value: 9901 }
9 |
# Listeners come from a file-based LDS source; the file is supplied by the
# same ConfigMap volume as this config (see configmaps-volume-demo2.yaml).
10 | dynamic_resources:
11 |   lds_config:
12 |     path: '/etc/envoy/lds.conf'
13 |
# Single static upstream on localhost:8080 — presumably the demoapp
# container that shares this pod's network namespace.
14 | static_resources:
15 |   clusters:
16 |   - name: local_service
17 |     connect_timeout: 0.25s
18 |     type: STATIC
19 |     lb_policy: ROUND_ROBIN
20 |     load_assignment:
21 |       cluster_name: local_service
22 |       endpoints:
23 |       - lb_endpoints:
24 |         - endpoint:
25 |             address:
26 |               socket_address:
27 |                 address: 127.0.0.1
28 |                 port_value: 8080
29 |
-------------------------------------------------------------------------------- /chapter6/demoapp-conf.d/lds.conf:
-------------------------------------------------------------------------------- 1 | { 2 | "version_info": "0", 3 | "resources": [ 4 | { 5 | "@type": "type.googleapis.com/envoy.api.v2.Listener", 6 | "name": "listener_0", 7 | "address": { 8 | "socket_address": { 9 | "address": "0.0.0.0", 10 | "port_value": 80 11 | } 12 | }, 13 | "filter_chains": [ 14 | { 15 | "filters": [ 16 | { 17 | "name": "envoy.http_connection_manager", 18 | "config": { 19 | "stat_prefix": "ingress_http", 20 | "codec_type": "AUTO", 21 | "route_config": { 22 | "name": "local_route", 23 | "virtual_hosts": [ 24 | { 25 | "name": "local_service", 26 | "domains": [ 27 | "*" 28 | ], 29 | "routes": [ 30 | { 31 | "match": { 32 | "prefix": "/" 33 | }, 34 | "route": { 35 | "cluster": "local_service" 36 | } 37 | } 38 | ] 39 | } 40 | ] 41 | }, 42 | "http_filters": [ 43 | { 44 | "name": "envoy.router" 45 | } 46 | ] 47 | } 48 | } 49 | ] 50 | } 51 | ] 52 | } 53 | ] 54 | } 55 | -------------------------------------------------------------------------------- /chapter6/downwardapi-env-demo.yaml: -------------------------------------------------------------------------------- 1 | # Maintainer: MageEdu 2 | # URL: http://www.magedu.com 3 | --- 4 | apiVersion: v1 5 | kind: Pod 6 | metadata: 7 | name: downwardapi-env-demo 8 | labels: 9 | app: demoapp 10 | spec: 11 | containers: 12 | - name: demoapp 13 | image: ikubernetes/demoapp:v1.0 14 | command: [ "/bin/sh", "-c", "env" ] 15 | resources: 16 | requests: 17 | memory: "32Mi" 18 | cpu: "250m" 19 | limits: 20 | memory: "64Mi" 21 | cpu: "500m" 22 | env: 23 | - name: THIS_POD_NAME 24 | valueFrom: 25 | fieldRef: 26 | fieldPath: metadata.name 27 | - name: THIS_POD_NAMESPACE 28 | valueFrom: 29 | fieldRef: 30 | fieldPath: metadata.namespace 31 | - name: THIS_APP_LABEL 32 | valueFrom: 33 | fieldRef: 34 | fieldPath: metadata.labels['app'] 35 | - name: THIS_CPU_LIMIT 36 | valueFrom: 37 | resourceFieldRef: 38 | resource: limits.cpu 39 | - name: THIS_MEM_REQUEST 40 | valueFrom: 41 
| resourceFieldRef: 42 | resource: requests.memory 43 | divisor: 1Mi 44 | restartPolicy: Never 45 | -------------------------------------------------------------------------------- /chapter6/downwardapi-volume-demo.yaml: -------------------------------------------------------------------------------- 1 | kind: Pod 2 | apiVersion: v1 3 | metadata: 4 | name: downwardapi-volume-demo 5 | labels: 6 | zone: zone1 7 | rack: rack100 8 | app: demoapp 9 | annotations: 10 | region: ease-cn 11 | spec: 12 | containers: 13 | - name: demoapp 14 | image: ikubernetes/demoapp:v1.0 15 | resources: 16 | requests: 17 | memory: "32Mi" 18 | cpu: "250m" 19 | limits: 20 | memory: "64Mi" 21 | cpu: "500m" 22 | volumeMounts: 23 | - name: podinfo 24 | mountPath: /etc/podinfo 25 | readOnly: false 26 | volumes: 27 | - name: podinfo 28 | downwardAPI: 29 | defaultMode: 420 30 | items: 31 | - fieldRef: 32 | fieldPath: metadata.namespace 33 | path: pod_namespace 34 | - fieldRef: 35 | fieldPath: metadata.labels 36 | path: pod_labels 37 | - fieldRef: 38 | fieldPath: metadata.annotations 39 | path: pod_annotations 40 | - resourceFieldRef: 41 | containerName: demoapp 42 | resource: limits.cpu 43 | path: "cpu_limit" 44 | - resourceFieldRef: 45 | containerName: demoapp 46 | resource: requests.memory 47 | divisor: "1Mi" 48 | path: "mem_request" 49 | -------------------------------------------------------------------------------- /chapter6/nginx-conf.d/myserver-gzip.cfg: -------------------------------------------------------------------------------- 1 | gzip on; 2 | gzip_comp_level 5; 3 | gzip_proxied expired no-cache no-store private auth; 4 | gzip_types text/plain text/css application/xml text/javascript; 5 | -------------------------------------------------------------------------------- /chapter6/nginx-conf.d/myserver-status.cfg: -------------------------------------------------------------------------------- 1 | location /nginx-status { 2 | stub_status on; 3 | access_log off; 4 | } 5 | 
-------------------------------------------------------------------------------- /chapter6/nginx-conf.d/myserver.conf: --------------------------------------------------------------------------------
# Plain-HTTP vhost for www.ik8s.io on 8080; the myserver-*.cfg snippets
# (gzip, stub_status) are pulled in from the same conf.d directory.
1 | server {
2 |     listen 8080;
3 |     server_name www.ik8s.io;
4 |
5 |     include /etc/nginx/conf.d/myserver-*.cfg;
6 |
7 |     location / {
8 |         root /usr/share/nginx/html;
9 |     }
10 | }
11 |
-------------------------------------------------------------------------------- /chapter6/nginx-ssl-conf.d/myserver-gzip.cfg: --------------------------------------------------------------------------------
1 | gzip on;
2 | gzip_comp_level 5;
3 | gzip_proxied expired no-cache no-store private auth;
4 | gzip_types text/plain text/css application/xml text/javascript;
5 |
-------------------------------------------------------------------------------- /chapter6/nginx-ssl-conf.d/myserver-status.cfg: --------------------------------------------------------------------------------
# NOTE(review): stub_status is served to any client that can reach the
# vhost; nothing here restricts it. Consider `allow 127.0.0.1; deny all;`
# (or the address of the metrics scraper) inside this location.
1 | location /nginx-status {
2 |     stub_status on;
3 |     access_log off;
4 | }
5 |
-------------------------------------------------------------------------------- /chapter6/nginx-ssl-conf.d/myserver.conf: --------------------------------------------------------------------------------
# TLS vhost; certificate and key are read from the Secret mounted at
# /etc/nginx/certs (see secrets-volume-demo.yaml on this page).
1 | server {
2 |     listen 443 ssl;
# NOTE(review): server_name here is www.ik8s.io while the redirect vhost
# below names www.ilinux.io, and the subject of chapter6/certs.d/nginx.crt
# appears to decode to CN=www.ilinux.io with a one-month validity starting
# 2020-04-15 (long expired). Its private key, certs.d/nginx.key, is
# committed next to it, so that pair is public test material only —
# confirm the intended hostname and use a certificate whose names match it.
3 |     server_name www.ik8s.io;
4 |
5 |     ssl_certificate /etc/nginx/certs/tls.crt;
6 |     ssl_certificate_key /etc/nginx/certs/tls.key;
7 |
8 |     ssl_session_timeout 5m;
9 |
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996) and fail most
# compliance baselines; prefer `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3
# needs an OpenSSL 1.1.1+ build of the nginx image — verify).
10 |     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
11 |
12 |     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
13 |     ssl_prefer_server_ciphers on;
14 |
15 |     include /etc/nginx/conf.d/myserver-*.cfg;
16 |
17 |     location / {
18 |         root /usr/share/nginx/html;
19 |     }
20 | }
21 |
# Plain-HTTP listener that only redirects to HTTPS. $host comes from the
# request's Host header, so the redirect target is client-supplied; that is
# the common nginx idiom, but a fixed hostname is the stricter option.
22 | server {
23 |     listen 80;
24 |     server_name www.ilinux.io;
25 |     return 301 https://$host$request_uri;
26 | }
27 |
-------------------------------------------------------------------------------- /chapter6/secrets-demo.yaml:
--------------------------------------------------------------------------------
# NOTE(review): stringData is a write-only convenience — the API server
# base64-encodes it into .data, and it is stored unencrypted in etcd unless
# EncryptionConfiguration is enabled. A literal password in a manifest
# belongs in a generator (kustomize secretGenerator, an external secret
# store), not in version control; treat the value below as demo-only.
1 | apiVersion: v1
2 | kind: Secret
3 | metadata:
4 |   name: secrets-demo
5 | stringData:
6 |   username: redis
7 |   password: redisp@ss
8 | type: Opaque
9 |
-------------------------------------------------------------------------------- /chapter6/secrets-env-demo.yaml: --------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Pod
3 | metadata:
4 |   name: secrets-env-demo
5 |   namespace: default
6 | spec:
7 |   containers:
8 |   - name: mariadb
# NOTE(review): floating image tag (`mariadb`); pin a tag or digest so the
# deployed image is reproducible.
9 |     image: mariadb
10 |     imagePullPolicy: IfNotPresent
11 |     env:
# The root password is injected as an environment variable. Environment is
# visible to anything that can inspect the container's processes and tends
# to leak into logs and crash dumps; a volume mount is the tighter delivery
# path. The referenced Secret `mysql-root-authn` is not defined on this
# page and must exist first — without `optional: true` the container is
# not created until it does.
12 |     - name: MYSQL_ROOT_PASSWORD
13 |       valueFrom:
14 |         secretKeyRef:
15 |           name: mysql-root-authn
16 |           key: password
17 |
-------------------------------------------------------------------------------- /chapter6/secrets-volume-demo.yaml: --------------------------------------------------------------------------------
1 | # Maintainer: MageEdu
2 | # URL: http://www.magedu.com
3 | ---
4 | apiVersion: v1
5 | kind: Pod
6 | metadata:
7 |   name: secrets-volume-demo
8 |   namespace: default
9 | spec:
10 |   containers:
11 |   - image: nginx:alpine
12 |     name: ngxserver
13 |     volumeMounts:
# Both mounts are read-only, so the container cannot alter the key or the
# vhost configs in place.
14 |     - name: nginxcerts
15 |       mountPath: /etc/nginx/certs/
16 |       readOnly: true
17 |     - name: nginxconfs
18 |       mountPath: /etc/nginx/conf.d/
19 |       readOnly: true
20 |   volumes:
21 |   - name: nginxcerts
# NOTE(review): no defaultMode, so the projected files get the secret
# volume default (0644). For a private key consider `defaultMode: 0400`
# together with a fixed runAsUser/fsGroup so only the nginx process can
# read it.
22 |     secret:
23 |       secretName: nginx-ssl-secret
24 |   - name: nginxconfs
25 |     configMap:
26 |       name: nginx-sslvhosts-confs
27 |       optional: false
28 |
-------------------------------------------------------------------------------- /chapter7/demoapp-headless-svc.yaml: --------------------------------------------------------------------------------
1 | # Maintainer: MageEdu
2 | # URL: http://www.magedu.com
3 | ---
4 | kind: Service
5 | apiVersion: v1
6 | metadata:
7 |   name: demoapp-headless-svc
8 | spec:
9 |   clusterIP: None
10 |   selector:
11 |     app: demoapp
12 |   ports:
13 |   - port: 80
14
| targetPort: 80 15 | name: http 16 | -------------------------------------------------------------------------------- /chapter7/endpointslice-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: discovery.k8s.io/v1beta1 2 | kind: EndpointSlice 3 | metadata: 4 | name: demoapp-01 5 | labels: 6 | kubernetes.io/service-name: demoapp 7 | addressType: IPv4 8 | ports: 9 | - name: http 10 | protocol: TCP 11 | port: 80 12 | endpoints: 13 | - addresses: 14 | - "10.244.101.3" 15 | conditions: 16 | ready: true 17 | - addresses: 18 | - "10.244.102.6" 19 | conditions: 20 | ready: true 21 | -------------------------------------------------------------------------------- /chapter7/externalname-redis-svc.yaml: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: externalname-redis-svc 5 | namespace: default 6 | spec: 7 | type: ExternalName 8 | externalName: redis.ik8s.io 9 | ports: 10 | - protocol: TCP 11 | port: 6379 12 | targetPort: 6379 13 | nodePort: 0 14 | selector: {} 15 | -------------------------------------------------------------------------------- /chapter7/mysql-endpoints-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Endpoints 3 | metadata: 4 | name: mysql-external 5 | namespace: default 6 | subsets: 7 | - addresses: 8 | - ip: 172.29.9.51 9 | - ip: 172.29.9.52 10 | ports: 11 | - name: mysql 12 | port: 3306 13 | protocol: TCP 14 | --- 15 | apiVersion: v1 16 | kind: Service 17 | metadata: 18 | name: mysql-external 19 | namespace: default 20 | spec: 21 | type: ClusterIP 22 | ports: 23 | - name: mysql 24 | port: 3306 25 | targetPort: 3306 26 | protocol: TCP 27 | -------------------------------------------------------------------------------- /chapter7/pod-with-dnspolicy.yaml: -------------------------------------------------------------------------------- 1 
| apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: pod-with-dnspolicy 5 | namespace: default 6 | spec: 7 | containers: 8 | - name: demo 9 | image: ikubernetes/demoapp:v1.0 10 | imagePullPolicy: IfNotPresent 11 | dnsPolicy: None 12 | dnsConfig: 13 | nameservers: 14 | - 10.96.0.10 15 | - 223.5.5.5 16 | - 223.6.6.6 17 | searches: 18 | - svc.cluster.local 19 | - cluster.local 20 | - ilinux.io 21 | options: 22 | - name: ndots 23 | value: "5" 24 | -------------------------------------------------------------------------------- /chapter7/services-clusterip-demo.yaml: -------------------------------------------------------------------------------- 1 | # Maintainer: MageEdu 2 | # URL: http://www.magedu.com 3 | --- 4 | kind: Service 5 | apiVersion: v1 6 | metadata: 7 | name: demoapp-svc 8 | namespace: default 9 | spec: 10 | clusterIP: 10.97.72.1 11 | selector: 12 | app: demoapp 13 | ports: 14 | - name: http 15 | protocol: TCP 16 | port: 80 17 | targetPort: 80 18 | -------------------------------------------------------------------------------- /chapter7/services-externalip-demo.yaml: -------------------------------------------------------------------------------- 1 | # Maintainer: MageEdu 2 | # URL: http://www.magedu.com 3 | --- 4 | kind: Service 5 | apiVersion: v1 6 | metadata: 7 | name: demoapp-externalip-svc 8 | namespace: default 9 | spec: 10 | type: ClusterIP 11 | selector: 12 | app: demoapp 13 | ports: 14 | - name: http 15 | protocol: TCP 16 | port: 80 17 | targetPort: 80 18 | externalIPs: 19 | - 172.29.9.26 20 | -------------------------------------------------------------------------------- /chapter7/services-loadbalancer-demo.yaml: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: demoapp-loadbalancer-svc 5 | spec: 6 | type: LoadBalancer 7 | selector: 8 | app: demoapp 9 | ports: 10 | - name: http 11 | protocol: TCP 12 | port: 80 13 | targetPort: 80 14 | loadBalancerIP: 
1.2.3.4 15 | -------------------------------------------------------------------------------- /chapter7/services-nodeport-demo.yaml: -------------------------------------------------------------------------------- 1 | # Maintainer: MageEdu 2 | # URL: http://www.magedu.com 3 | --- 4 | kind: Service 5 | apiVersion: v1 6 | metadata: 7 | name: demoapp-nodeport-svc 8 | spec: 9 | type: NodePort 10 | clusterIP: 10.97.56.1 11 | selector: 12 | app: demoapp 13 | ports: 14 | - name: http 15 | protocol: TCP 16 | port: 80 17 | targetPort: 80 18 | nodePort: 31398 19 | # externalTrafficPolicy: Local 20 | -------------------------------------------------------------------------------- /chapter7/services-readiness-demo.yaml: -------------------------------------------------------------------------------- 1 | # Author: MageEdu 2 | --- 3 | kind: Service 4 | apiVersion: v1 5 | metadata: 6 | name: services-readiness-demo 7 | namespace: default 8 | spec: 9 | selector: 10 | app: demoapp-with-readiness 11 | ports: 12 | - name: http 13 | protocol: TCP 14 | port: 80 15 | targetPort: 80 16 | --- 17 | apiVersion: apps/v1 18 | kind: Deployment 19 | metadata: 20 | name: demoapp2 21 | spec: 22 | replicas: 2 23 | selector: 24 | matchLabels: 25 | app: demoapp-with-readiness 26 | template: 27 | metadata: 28 | creationTimestamp: null 29 | labels: 30 | app: demoapp-with-readiness 31 | spec: 32 | containers: 33 | - image: ikubernetes/demoapp:v1.0 34 | name: demoapp 35 | imagePullPolicy: IfNotPresent 36 | readinessProbe: 37 | httpGet: 38 | path: '/readyz' 39 | port: 80 40 | initialDelaySeconds: 15 41 | periodSeconds: 10 42 | --- 43 | -------------------------------------------------------------------------------- /chapter8/cronjob-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1beta1 2 | kind: CronJob 3 | metadata: 4 | name: cronjob-demo 5 | namespace: default 6 | spec: 7 | schedule: "*/2 * * * *" 8 | jobTemplate: 9 | metadata: 10 | 
labels:
11 | controller: cronjob-demo
12 | spec:
13 | parallelism: 1
14 | completions: 1
15 | ttlSecondsAfterFinished: 600
16 | backoffLimit: 3
17 | activeDeadlineSeconds: 60
18 | template:
19 | spec:
20 | containers:
21 | - name: myjob
# NOTE(review): floating `alpine` tag — pin a version (or digest) so every
# scheduled run executes the same image.
22 | image: alpine
23 | command:
24 | - /bin/sh
25 | - -c
26 | - date; echo Hello from CronJob, sleep a while...; sleep 10
27 | restartPolicy: OnFailure
28 | startingDeadlineSeconds: 300
29 |
-------------------------------------------------------------------------------- /chapter8/daemonset-demo.yaml: --------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: DaemonSet
3 | metadata:
4 |   name: daemonset-demo
5 |   namespace: default
6 |   labels:
7 |     app: prometheus
8 |     component: node-exporter
9 | spec:
10 |   selector:
11 |     matchLabels:
12 |       app: prometheus
13 |       component: node-exporter
14 |   template:
15 |     metadata:
16 |       name: prometheus-node-exporter
17 |       labels:
18 |         app: prometheus
19 |         component: node-exporter
20 |     spec:
21 |       containers:
22 |       - image: prom/node-exporter:v0.18.0
23 |         name: prometheus-node-exporter
24 |         ports:
25 |         - name: prom-node-exp
26 |           containerPort: 9100
# With hostNetwork (below) the exporter already listens on the node's
# interfaces; hostPort additionally reserves the port at the kubelet level.
27 |           hostPort: 9100
28 |         livenessProbe:
29 |           tcpSocket:
30 |             port: prom-node-exp
31 |           initialDelaySeconds: 3
32 |         readinessProbe:
33 |           httpGet:
34 |             path: '/metrics'
35 |             port: prom-node-exp
36 |             scheme: HTTP
37 |           initialDelaySeconds: 5
# NOTE(review): hostNetwork + hostPID place the container in the node's
# network and PID namespaces. node-exporter needs them to read host metrics,
# but it means the unauthenticated /metrics on 9100 is reachable by
# anything that can reach the node, the container can observe every host
# process, and a restricted PodSecurityPolicy (such as the one the chapter9
# ClusterRoles on this page refer to) would normally reject the pod. Limit
# exposure with a NetworkPolicy or node firewall and a non-root
# securityContext where the image allows it.
38 |       hostNetwork: true
39 |       hostPID: true
40 |
-------------------------------------------------------------------------------- /chapter8/demodb.yaml: --------------------------------------------------------------------------------
1 | # demodb, an educational Kubernetes-native NoSQL data store. It is a distributed
2 | # key-value store, supporting permanent read and write operations.
3 | # Environment Variables: DEMODB_DATADIR, DEMODB_HOST, DEMODB_PORT
4 | # default port: 9907/tcp for clients, 9999/tcp for members.
5 | # Maintainer: MageEdu
6 | ---
# Headless Service (clusterIP: None): gives each StatefulSet pod a stable
# DNS name under demodb.default.svc. Only the client port 9907 is declared;
# the header comment also lists 9999/tcp for members — confirm whether peer
# traffic needs to be published here too.
7 | apiVersion: v1
8 | kind: Service
9 | metadata:
10 |   name: demodb
11 |   namespace: default
12 |   labels:
13 |     app: demodb
14 | spec:
15 |   clusterIP: None
16 |   ports:
17 |   - port: 9907
18 |   selector:
19 |     app: demodb
20 | ---
21 | apiVersion: apps/v1
22 | kind: StatefulSet
23 | metadata:
24 |   name: demodb
25 |   namespace: default
26 | spec:
27 |   selector:
28 |     matchLabels:
29 |       app: demodb
30 |   serviceName: "demodb"
31 |   replicas: 2
32 |   template:
33 |     metadata:
34 |       labels:
35 |         app: demodb
36 |     spec:
37 |       containers:
38 |       - name: demodb-shard
39 |         image: ikubernetes/demodb:v0.1
40 |         ports:
41 |         - containerPort: 9907
42 |           name: db
43 |         env:
44 |         - name: DEMODB_DATADIR
45 |           value: "/demodb/data"
# Liveness polls /status every 10s; readiness asks for the full report
# (?level=full) and is polled less often.
46 |         livenessProbe:
47 |           initialDelaySeconds: 2
48 |           periodSeconds: 10
49 |           httpGet:
50 |             path: /status
51 |             port: db
52 |         readinessProbe:
53 |           initialDelaySeconds: 15
54 |           periodSeconds: 30
55 |           httpGet:
56 |             path: /status?level=full
57 |             port: db
58 |         volumeMounts:
59 |         - name: data
60 |           mountPath: /demodb/data
61 |   volumeClaimTemplates:
62 |   - metadata:
63 |       name: data
64 |     spec:
65 |       accessModes: [ "ReadWriteOnce" ]
# StorageClass "fast-rbd" is not defined on this page; it must exist for
# the claims to bind.
66 |       storageClassName: "fast-rbd"
67 |       resources:
68 |         requests:
69 |           storage: 2Gi
70 |
-------------------------------------------------------------------------------- /chapter8/deployment-demo.yaml: --------------------------------------------------------------------------------
# ${VERSION} is a shell-style placeholder: the manifest is meant to be
# expanded (e.g. with envsubst) before kubectl apply; kubectl itself does
# not substitute it.
1 | # VERSION: demoapp version
2 | # Maintainer: MageEdu
3 | ---
4 | apiVersion: apps/v1
5 | kind: Deployment
6 | metadata:
7 |   name: deployment-demo
8 | spec:
9 |   replicas: 4
10 |   selector:
11 |     matchLabels:
12 |       app: demoapp
13 |       release: stable
14 |   template:
15 |     metadata:
16 |       labels:
17 |         app: demoapp
18 |         release: stable
19 |     spec:
20 |       containers:
21 |       - name: demoapp
22 |         image: ikubernetes/demoapp:${VERSION}
23 |         ports:
24 |         - containerPort: 80
25 |           name: http
26 |         livenessProbe:
27 |           httpGet:
28 |             path: '/livez'
29 |             port: 80
30 |
initialDelaySeconds: 5 31 | readinessProbe: 32 | httpGet: 33 | path: '/readyz' 34 | port: 80 35 | initialDelaySeconds: 15 36 | -------------------------------------------------------------------------------- /chapter8/job-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: job-demo 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: myjob 10 | image: alpine:3.11 11 | imagePullPolicy: IfNotPresent 12 | command: ["/bin/sh", "-c", "sleep 60"] 13 | restartPolicy: Never 14 | completions: 2 15 | ttlSecondsAfterFinished: 3600 16 | backoffLimit: 3 17 | activeDeadlineSeconds: 300 18 | -------------------------------------------------------------------------------- /chapter8/job-para-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: job-para-demo 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: myjob 10 | image: alpine:3.11 11 | imagePullPolicy: IfNotPresent 12 | command: ["/bin/sh", "-c", "sleep 60"] 13 | restartPolicy: Never 14 | completions: 12 15 | parallelism: 2 16 | ttlSecondsAfterFinished: 3600 17 | backoffLimit: 3 18 | activeDeadlineSeconds: 1200 19 | -------------------------------------------------------------------------------- /chapter8/pdb-demo.yaml: -------------------------------------------------------------------------------- 1 | # PodDisruptionBudget 2 | # Maintainer: MageEdu 3 | --- 4 | apiVersion: policy/v1beta1 5 | kind: PodDisruptionBudget 6 | metadata: 7 | name: pdb-demo 8 | spec: 9 | maxUnavailable: 1 10 | selector: 11 | matchLabels: 12 | app: demoapp 13 | release: stable 14 | -------------------------------------------------------------------------------- /chapter8/replicaset-blue-green.yaml: -------------------------------------------------------------------------------- 1 | # VERSION: demoapp version 2 | # DEPLOY: blue OR 
green 3 | # Maintainer: MageEdu 4 | --- 5 | apiVersion: apps/v1 6 | kind: ReplicaSet 7 | metadata: 8 | name: rs-${DEPLOY} 9 | spec: 10 | minReadySeconds: 3 11 | replicas: 2 12 | selector: 13 | matchLabels: 14 | app: demoapp 15 | ctr: rs-${DEPLOY} 16 | version: ${VERSION} 17 | template: 18 | metadata: 19 | labels: 20 | app: demoapp 21 | ctr: rs-${DEPLOY} 22 | version: ${VERSION} 23 | spec: 24 | containers: 25 | - name: demoapp 26 | image: ikubernetes/demoapp:${VERSION} 27 | ports: 28 | - name: http 29 | containerPort: 80 30 | livenessProbe: 31 | httpGet: 32 | path: '/livez' 33 | port: 80 34 | initialDelaySeconds: 5 35 | readinessProbe: 36 | httpGet: 37 | path: '/readyz' 38 | port: 80 39 | initialDelaySeconds: 15 40 | -------------------------------------------------------------------------------- /chapter8/replicaset-demo-patch-v2.yaml: -------------------------------------------------------------------------------- 1 | spec: 2 | template: 3 | spec: 4 | containers: 5 | - name: demoapp 6 | image: ikubernetes/demoapp:v1.2 7 | -------------------------------------------------------------------------------- /chapter8/replicaset-demo-v1.1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: ReplicaSet 3 | metadata: 4 | name: replicaset-demo 5 | spec: 6 | minReadySeconds: 3 7 | replicas: 2 8 | selector: 9 | matchLabels: 10 | app: demoapp 11 | release: stable 12 | version: v1.0 13 | template: 14 | metadata: 15 | labels: 16 | app: demoapp 17 | release: stable 18 | version: v1.0 19 | spec: 20 | containers: 21 | - name: demoapp 22 | image: ikubernetes/demoapp:v1.1 23 | ports: 24 | - name: http 25 | containerPort: 80 26 | livenessProbe: 27 | httpGet: 28 | path: '/livez' 29 | port: 80 30 | initialDelaySeconds: 5 31 | readinessProbe: 32 | httpGet: 33 | path: '/readyz' 34 | port: 80 35 | initialDelaySeconds: 15 36 | -------------------------------------------------------------------------------- 
/chapter8/replicaset-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: ReplicaSet 3 | metadata: 4 | name: replicaset-demo 5 | spec: 6 | minReadySeconds: 3 7 | replicas: 2 8 | selector: 9 | matchLabels: 10 | app: demoapp 11 | release: stable 12 | version: v1.0 13 | template: 14 | metadata: 15 | labels: 16 | app: demoapp 17 | release: stable 18 | version: v1.0 19 | spec: 20 | containers: 21 | - name: demoapp 22 | image: ikubernetes/demoapp:v1.0 23 | ports: 24 | - name: http 25 | containerPort: 80 26 | livenessProbe: 27 | httpGet: 28 | path: '/livez' 29 | port: 80 30 | initialDelaySeconds: 5 31 | readinessProbe: 32 | httpGet: 33 | path: '/readyz' 34 | port: 80 35 | initialDelaySeconds: 15 36 | -------------------------------------------------------------------------------- /chapter8/service-blue-green.yaml: -------------------------------------------------------------------------------- 1 | # VERSION: demoapp version 2 | # DEPLOY: blue OR green 3 | # Maintainer: MageEdu 4 | --- 5 | apiVersion: v1 6 | kind: Service 7 | metadata: 8 | name: demoapp-svc 9 | namespace: default 10 | spec: 11 | type: ClusterIP 12 | selector: 13 | app: demoapp 14 | ctr: rs-${DEPLOY} 15 | version: ${VERSION} 16 | ports: 17 | - name: http 18 | port: 80 19 | protocol: TCP 20 | targetPort: 80 21 | -------------------------------------------------------------------------------- /chapter8/service-for-replicaset-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: demoapp 5 | namespace: default 6 | spec: 7 | type: ClusterIP 8 | clusterIP: 10.97.26.1 9 | selector: 10 | app: demoapp 11 | release: stable 12 | ports: 13 | - name: http 14 | port: 80 15 | protocol: TCP 16 | targetPort: 80 17 | -------------------------------------------------------------------------------- /chapter8/statefulset-demo.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: demoapp-sts 5 | namespace: default 6 | spec: 7 | clusterIP: None 8 | ports: 9 | - port: 80 10 | name: http 11 | selector: 12 | app: demoapp 13 | controller: sts-demo 14 | --- 15 | apiVersion: apps/v1 16 | kind: StatefulSet 17 | metadata: 18 | name: sts-demo 19 | spec: 20 | serviceName: demoapp-sts 21 | replicas: 2 22 | selector: 23 | matchLabels: 24 | app: demoapp 25 | controller: sts-demo 26 | template: 27 | metadata: 28 | labels: 29 | app: demoapp 30 | controller: sts-demo 31 | spec: 32 | containers: 33 | - name: demoapp 34 | image: ikubernetes/myapp:v5 35 | ports: 36 | - containerPort: 80 37 | name: web 38 | volumeMounts: 39 | - name: appdata 40 | mountPath: /app/data 41 | volumeClaimTemplates: 42 | - metadata: 43 | name: appdata 44 | spec: 45 | accessModes: [ "ReadWriteOnce" ] 46 | storageClassName: "kube" 47 | resources: 48 | requests: 49 | storage: 2Gi 50 | -------------------------------------------------------------------------------- /chapter9/aggregated-clusterrole-rbac.yaml: -------------------------------------------------------------------------------- 1 | # Maintainer: MageEdu 2 | --- 3 | kind: ClusterRole 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | metadata: 6 | name: global-resources-view 7 | labels: 8 | rbac.ilinux.io/aggregate-to-global-admin: "true" 9 | rules: 10 | - apiGroups: [""] 11 | resources: ["nodes", "namespaces", "persistentvolumes"] 12 | verbs: ["get", "list", "watch"] 13 | --- 14 | kind: ClusterRole 15 | apiVersion: rbac.authorization.k8s.io/v1 16 | metadata: 17 | name: global-resources-edit 18 | labels: 19 | rbac.ilinux.io/aggregate-to-global-admin: "true" 20 | rules: 21 | - apiGroups: [""] 22 | resources: ["nodes", "namespaces", "persistentvolumes"] 23 | verbs: ["create", "delete", "deletecollection", "patch", "update"] 24 | --- 25 | kind: ClusterRole 26 | apiVersion: 
rbac.authorization.k8s.io/v1 27 | metadata: 28 | name: global-resources-admin 29 | aggregationRule: 30 | clusterRoleSelectors: 31 | - matchLabels: 32 | rbac.ilinux.io/aggregate-to-global-admin: "true" 33 | rules: [] 34 | --- 35 | -------------------------------------------------------------------------------- /chapter9/clusterrole-with-psp.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRole 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: psp-restricted 5 | rules: 6 | - apiGroups: ['policy'] 7 | resources: ['podsecuritypolicies'] 8 | verbs: ['use'] 9 | resourceNames: 10 | - restricted 11 | --- 12 | kind: ClusterRole 13 | apiVersion: rbac.authorization.k8s.io/v1 14 | metadata: 15 | name: psp-privileged 16 | rules: 17 | - apiGroups: ['policy'] 18 | resources: ['podsecuritypolicies'] 19 | verbs: ['use'] 20 | resourceNames: 21 | - privileged 22 | -------------------------------------------------------------------------------- /chapter9/clusterrolebinding-with-psp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: privileged-psp-user 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: psp-privileged 9 | subjects: 10 | - apiGroup: rbac.authorization.k8s.io 11 | kind: Group 12 | name: system:masters 13 | - apiGroup: rbac.authorization.k8s.io 14 | kind: Group 15 | name: system:node 16 | - apiGroup: rbac.authorization.k8s.io 17 | kind: Group 18 | name: system:serviceaccounts:kube-system 19 | --- 20 | kind: ClusterRoleBinding 21 | apiVersion: rbac.authorization.k8s.io/v1 22 | metadata: 23 | name: restricted-psp-user 24 | roleRef: 25 | kind: ClusterRole 26 | name: psp-restricted 27 | apiGroup: rbac.authorization.k8s.io 28 | subjects: 29 | - kind: Group 30 | apiGroup: rbac.authorization.k8s.io 31 | name: system:authenticated 32 | 
-------------------------------------------------------------------------------- /chapter9/dashboard.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDSTCCAjGgAwIBAgIUFY4j8ZVxtjHU3SsSf2NNQ4QOOhowDQYJKoZIhvcNAQEL 3 | BQAwNDEUMBIGA1UECgwLQ2x1c3RlckFQUHMxHDAaBgNVBAMME2Rhc2hib2FyZC5p 4 | bGludXguaW8wHhcNMjAwNTMxMTI0NjAxWhcNMzAwNTI5MTI0NjAxWjA0MRQwEgYD 5 | VQQKDAtDbHVzdGVyQVBQczEcMBoGA1UEAwwTZGFzaGJvYXJkLmlsaW51eC5pbzCC 6 | ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKn/uYCckE515N+zFI4pWD/Y 7 | KhEJgmir/9tLJNsvbv8YisJ9fFtZR7kwveRkdogW/seIXCZKo1snh7lj8sqEqTkz 8 | pIya9EjJq5HbmuWb0oJ/oN/D1AoXfE4CfHbXcYcUg60GhJ4z5DRPn05De5UAKL1J 9 | vCsn0w/Ut+cG0Wly99kMIqtSOpFNGvxqGKIeY5tP/Jf3qmCeaZxCUa22FMmq6n9R 10 | +iVHeG5pN3w9e1Y+ABKLoE8P/N5ggO+0cU1c+6sXSROMoQ6hhaBLsdni4rwC3nHd 11 | +ZyBSISpU6rmbPboA1xpN5GfLHW+vo54hj+YwF+jFcIxY13y/caGxbuGeWWIeMkC 12 | AwEAAaNTMFEwHQYDVR0OBBYEFHmtE6H6y3MmPQM1M+EkptNTIb0JMB8GA1UdIwQY 13 | MBaAFHmtE6H6y3MmPQM1M+EkptNTIb0JMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI 14 | hvcNAQELBQADggEBAInfrwS5MZAvfKPjUUgkE8/dIFAmfdDDmUppH8hQNtjqEeEB 15 | TRyFZqOnY20m6ETLLjFn9h5bC+SEOZ32S3Q3iIQyIdhn2/RBQCcjBQ9usx0eJTRA 16 | AmViVm+vxQe/aXWbSltWRUU2QnY0KxI12jou+6+MBBY8S8zVuRymYUdI4iPUEOwC 17 | 1hL85YrbI2OPjGltrknnx37RC0iENW3UMlqmTnhjVroaZd+mANl1M25lPGIyJVEc 18 | ManBemBVHn2pTlsCKuqK62bTOtEYHzrpCXCBXfUzz/AbHsm1+7UcmgH64tbhrsEb 19 | GZhFGtgZ9vvlhJ5hoM/OPp7MN/dvWihtvsT338Q= 20 | -----END CERTIFICATE----- 21 | -------------------------------------------------------------------------------- /chapter9/dashboard.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpQIBAAKCAQEAqf+5gJyQTnXk37MUjilYP9gqEQmCaKv/20sk2y9u/xiKwn18 3 | W1lHuTC95GR2iBb+x4hcJkqjWyeHuWPyyoSpOTOkjJr0SMmrkdua5ZvSgn+g38PU 4 | Chd8TgJ8dtdxhxSDrQaEnjPkNE+fTkN7lQAovUm8KyfTD9S35wbRaXL32Qwiq1I6 5 | kU0a/GoYoh5jm0/8l/eqYJ5pnEJRrbYUyarqf1H6JUd4bmk3fD17Vj4AEougTw/8 6 | 
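3mCA77RxTVz7qxdJE4yhDqGFoEux2eLivALecd35nIFIhKlTquZs9ugDXGk3kZ8s
db6+jniGP5jAX6MVwjFjXfL9xobFu4Z5ZYh4yQIDAQABAoIBADJtwqiNSR2NSXy2
keVuDFi8FhaBvKayRy7VRrSiiImxzQ/Oy8IJZQZhmCMVTjgmoiOsprFROM5ElrV/
GbnLyqtGT4zKNqcU9AlLnNJ5++NsWtumKtNnjh9SC3vxgyLwCfOc2GBZwltmNzqv
OAzGRE+KfQBMSwcKMhedZSejzDQdMm2KKi/QqI/uX+fx62rH4f68TUEqt9O7hFHJ
jwZXKUTAbih1SkhFHmDDRqja7gUSBZB4euFvmPh/1KXHYt9W2uqwYtZOQPluLWWH
VEagtaaJFKWEdvedqHHPiePtuGiSQertRhwVb2JwiJphauhnwpuIm+t6JrvCRS8i
d/ICkoECgYEA3t5g46Q2SA69YZzn+f0fWZ4ZoteiKtCZ2bmNzTY+/u2mlNpSMJr9
UEWW3/S6be4IPuYUB4bIEr31sGzHSSQRNhDBoYJhBFclVHZ3PWWvzVgALVRQGG4k
2Hzd8MgBErugdnWm76lhokLRqiiPvp2JR3QZXSqIYutDzi28wKvVClkCgYEAw0VN
1eSILsSNO3XatJ0or6K0P1Jq1KRY0Hp/1h8NluZN9NbSvoPoVSsRRpcS5L7r0jN7
WsbYkQ/hKNt5oLA3ixHrR4PqV8IEcjldiENB4PtVTwvGkq0SncQfbYICwnUBPSL8
WG7t4xT+CBlGArjIPinrGh96pAyJT7wk4gb6M/ECgYEAyffe+Az1gCGTcCVgeETy
JyXGd7NQa9p0wkGMht7VAfNeFeEvwIqEaz1VOAmw9TRUVqPsnNGA+LMbNtGtW9QK
oONYhkQAJY3P75YYAxTm14EbT/jrSOhwDZxDCRRHHLHZ/eAq81+dcg15selmMsjT
AmTtI2gLBxHLdcovFq/htakCgYEAiAZ+GxLQfuuyioolqQ2VawwHTdkGzEwUBl5f
MPR+zfBuu7DuK4LN1I5kwWy535jTw6DTPEAqWpraOVDyICrA9mKsKCxPkYR4/mzR
p/taJ/RMz/ye/kwMHNSjI/CeJYHGNCVr7dqQYlCcSV35tCmubAddW9wz3ZVSDbY9
Zyp/HrECgYEAjrJIJiCIL1gBczwyTWD7bNLJjvs3fgOCspauLQZr7/rOsX5wbRLo
DP9Fp8/nnUFoYma9+3gkdeyjntPWnimVpGlIpESi+ID1YuX8K4wpiTWyVIJzNs1/
cyBsPGn2Zwpb7YFBQBpYiAKEZAc1rZoW7ffY+giNtj7xOXawBm++xbs=
-----END RSA PRIVATE KEY-----

-------------------------------------------------------------------------------- /chapter9/gen-kubeconfig-based-sa.sh: --------------------------------------------------------------------------------
#!/bin/sh
# Generate a standalone kubeconfig whose only credential is the token of an
# existing ServiceAccount, so the file can be handed to a workload or an
# operator without shipping the admin client certificate of the current
# context along with it.
#
# Usage: gen-kubeconfig-based-sa.sh SERVICE_ACCOUNT_NAME NAMESPACE NEW_CONTEXT
#   SERVICE_ACCOUNT_NAME  ServiceAccount whose token is extracted
#   NAMESPACE             namespace of that ServiceAccount
#   NEW_CONTEXT           context name written into the generated kubeconfig
# Output: ./kubeconfig-sa, owner-only (0600). Exits non-zero when an argument
# is missing, when any kubectl call fails, or when no token can be found.
#
# The ServiceAccount must own a token Secret (.secrets[0]). Kubernetes 1.24+
# no longer auto-creates one; create it explicitly with a Secret of type
# kubernetes.io/service-account-token (see chapter9/secret-token.yaml).
set -eu

if [ "$#" -ne 3 ]; then
  echo "usage: $0 SERVICE_ACCOUNT_NAME NAMESPACE NEW_CONTEXT" >&2
  exit 1
fi

SERVICE_ACCOUNT_NAME=$1
NAMESPACE=$2
NEW_CONTEXT=$3
CONTEXT=$(kubectl config current-context)
KUBECONFIG_FILE="kubeconfig-sa"
TOKEN_USER="${CONTEXT}-${NAMESPACE}-token-user"

# The temp copies hold the full credentials of the current context and the
# final file holds a long-lived bearer token: create all of them owner-only
# and never leave the temp copies behind when a step fails.
umask 077
cleanup() {
  rm -f "${KUBECONFIG_FILE}.full.tmp" "${KUBECONFIG_FILE}.tmp"
}
trap cleanup EXIT

SECRET_NAME=$(kubectl get serviceaccount "${SERVICE_ACCOUNT_NAME}" \
  --context "${CONTEXT}" \
  --namespace "${NAMESPACE}" \
  -o jsonpath='{.secrets[0].name}')
# kubectl exits 0 with empty output when the SA has no token Secret; without
# this check the script would go on and write a kubeconfig with an empty token.
if [ -z "${SECRET_NAME}" ]; then
  echo "serviceaccount ${NAMESPACE}/${SERVICE_ACCOUNT_NAME} has no token secret" >&2
  exit 1
fi
TOKEN_DATA=$(kubectl get secret "${SECRET_NAME}" \
  --context "${CONTEXT}" \
  --namespace "${NAMESPACE}" \
  -o jsonpath='{.data.token}')
if [ -z "${TOKEN_DATA}" ]; then
  echo "secret ${NAMESPACE}/${SECRET_NAME} carries no token" >&2
  exit 1
fi

TOKEN=$(printf '%s' "${TOKEN_DATA}" | base64 -d)

# Create dedicated kubeconfig
# Create a full copy
kubectl config view --raw > "${KUBECONFIG_FILE}.full.tmp"
# Switch working context to correct context
kubectl --kubeconfig "${KUBECONFIG_FILE}.full.tmp" config use-context "${CONTEXT}"
# Minify
kubectl --kubeconfig "${KUBECONFIG_FILE}.full.tmp" \
  config view --flatten --minify > "${KUBECONFIG_FILE}.tmp"
# Rename context
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  rename-context "${CONTEXT}" "${NEW_CONTEXT}"
# Create token user
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  set-credentials "${TOKEN_USER}" \
  --token "${TOKEN}"
# Point the context at the token user and the correct namespace
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  set-context "${NEW_CONTEXT}" --user "${TOKEN_USER}" --namespace "${NAMESPACE}"
# Flatten/minify kubeconfig: --minify keeps only what the current context
# references, so the original user's credentials do not end up in the output.
kubectl config --kubeconfig "${KUBECONFIG_FILE}.tmp" \
  view --flatten --minify > "${KUBECONFIG_FILE}"
# Temp files are removed by the EXIT trap.

-------------------------------------------------------------------------------- /chapter9/limitrange-core-resources.yaml: --------------------------------------------------------------------------------
apiVersion: v1
kind: LimitRange
metadata:
  name: core-resource-limits
spec:
  limits:
  - type: "Pod"
    max:
      cpu: "4"
      memory: "4Gi"
    min:
      cpu: "500m"
      memory: "16Mi"
  - type: "Container"
    max:
      cpu: "4"
      memory: "1Gi"
    min: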
| cpu: "100m" 20 | memory: "4Mi" 21 | default: 22 | cpu: "2" 23 | memory: "512Mi" 24 | defaultRequest: 25 | cpu: "500m" 26 | memory: "64Mi" 27 | maxLimitRequestRatio: 28 | cpu: "4" 29 | -------------------------------------------------------------------------------- /chapter9/limitrange-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: LimitRange 3 | metadata: 4 | name: core-resource-limits 5 | namespace: dev 6 | spec: 7 | limits: 8 | - type: Pod 9 | max: 10 | cpu: "4" 11 | memory: "4Gi" 12 | min: 13 | cpu: "500m" 14 | memory: "16Mi" 15 | - type: Container 16 | max: 17 | cpu: "4" 18 | memory: "1Gi" 19 | min: 20 | cpu: "100m" 21 | memory: "4Mi" 22 | default: 23 | cpu: "2" 24 | memory: "512Mi" 25 | defaultRequest: 26 | cpu: "500m" 27 | memory: "64Mi" 28 | maxLimitRequestRatio: 29 | cpu: "4" 30 | - type: PersistentVolumeClaim 31 | max: 32 | storage: "10Gi" 33 | min: 34 | storage: "1Gi" 35 | default: 36 | storage: "5Gi" 37 | defaultRequest: 38 | storage: "1Gi" 39 | maxLimitRequestRatio: 40 | storage: "5" 41 | -------------------------------------------------------------------------------- /chapter9/limitrange-pvc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: LimitRange 3 | metadata: 4 | name: storagelimits 5 | spec: 6 | limits: 7 | - type: PersistentVolumeClaim 8 | max: 9 | storage: "10Gi" 10 | min: 11 | storage: "1Gi" 12 | -------------------------------------------------------------------------------- /chapter9/mason-admin-rolebinding.yaml: -------------------------------------------------------------------------------- 1 | kind: RoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: mason-admin 5 | namespace: dev 6 | subjects: 7 | - kind: User 8 | name: mason 9 | apiGroup: rbac.authorization.k8s.io 10 | roleRef: 11 | kind: Role 12 | name: admin 13 | apiGroup: rbac.authorization.k8s.io 14 | 
-------------------------------------------------------------------------------- /chapter9/nodes-admin-rbac.yaml: -------------------------------------------------------------------------------- 1 | kind: ClusterRole 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: nodes-admin 5 | rules: 6 | - apiGroups: [""] 7 | resources: ["nodes"] 8 | verbs: ["*"] 9 | -------------------------------------------------------------------------------- /chapter9/nonresourceurls-clusterrole-rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: healthz-reader 5 | rules: 6 | - nonResourceURLs: 7 | - /healthz 8 | verbs: 9 | - get 10 | -------------------------------------------------------------------------------- /chapter9/pod-privileged.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: pod-privileged 5 | spec: 6 | containers: 7 | - name: demoapp 8 | image: ikubernetes/demoapp:v1.0 9 | imagePullPolicy: IfNotPresent 10 | securityContext: 11 | privileged: true 12 | -------------------------------------------------------------------------------- /chapter9/pod-with-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: pod-with-sa 5 | namespace: default 6 | spec: 7 | containers: 8 | - name: adminbox 9 | image: ikubernetes/admin-toolbox:v1.0 10 | imagePullPolicy: IfNotPresent 11 | serviceAccountName: namespace-admin 12 | -------------------------------------------------------------------------------- /chapter9/pods-reader-rbac.yaml: -------------------------------------------------------------------------------- 1 | kind: Role 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | namespace: default 5 | name: pods-reader 6 | rules: 7 | - 
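apiGroups: [""]
  # "pods/log" was missing its opening quote, which makes the entry the literal
  # string pods/log" and leaves log access out of the role.
  resources: ["pods", "services", "pods/log"]
  verbs: ["get", "list", "watch"]

-------------------------------------------------------------------------------- /chapter9/psp-privileged: --------------------------------------------------------------------------------
# Pod Security Policy
# privileged policy
# Maintainer: MageEdu
#
# Allows everything a Pod can request: privileged containers, every
# capability and unsafe sysctl, every volume type, the host network/IPC/PID
# namespaces, any host port and any UID/GID. It is meant for the cluster's own
# system components only; chapter9/clusterrolebinding-with-psp.yaml binds it to
# system:masters, system:node and the kube-system ServiceAccounts. Grant 'use'
# on it to no other subject. PodSecurityPolicy (policy/v1beta1) was removed in
# Kubernetes 1.25; newer clusters express the same intent with Pod Security
# Admission levels.
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: privileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  allowedUnsafeSysctls:
  - '*'
  volumes:
  - '*'
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  hostIPC: true
  hostPID: true
  runAsUser:
    rule: 'RunAsAny'
  runAsGroup:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  fsGroup:
    rule: 'RunAsAny'

-------------------------------------------------------------------------------- /chapter9/psp-restricted.yaml: --------------------------------------------------------------------------------
# Pod Security Policy
# Unprivileged policy
# Maintainer: MageEdu
#
# Baseline for ordinary workloads: no privileged containers, no privilege
# escalation, all capabilities dropped, non-root UID, no host namespaces and
# only the core volume types. chapter9/clusterrolebinding-with-psp.yaml binds it
# to system:authenticated, so it is the policy every authenticated user falls
# back to. The seccomp/apparmor annotations are the PSP-era way of pinning the
# default and allowed profiles; they go away together with PodSecurityPolicy
# (removed in Kubernetes 1.25).
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false
  allowPrivilegeEscalation: false
  allowedUnsafeSysctls: []
  requiredDropCapabilities:
  - ALL
  # Allow core volume types.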
21 | volumes: 22 | - 'configMap' 23 | - 'emptyDir' 24 | - 'projected' 25 | - 'secret' 26 | - 'downwardAPI' 27 | - 'persistentVolumeClaim' 28 | hostNetwork: false 29 | hostIPC: false 30 | hostPID: false 31 | runAsUser: 32 | rule: 'MustRunAsNonRoot' 33 | seLinux: 34 | rule: 'RunAsAny' 35 | supplementalGroups: 36 | rule: 'MustRunAs' 37 | ranges: 38 | # Forbid adding the root group. 39 | - min: 1 40 | max: 65535 41 | fsGroup: 42 | rule: 'MustRunAs' 43 | ranges: 44 | # Forbid adding the root group. 45 | - min: 1 46 | max: 65535 47 | readOnlyRootFilesystem: false 48 | -------------------------------------------------------------------------------- /chapter9/resourcequota-demo.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ResourceQuota 3 | metadata: 4 | name: resourcequota-demo 5 | namespace: dev 6 | spec: 7 | hard: 8 | pods: "5" 9 | count/services: "5" 10 | count/configmaps: "5" 11 | count/secrets: "5" 12 | count/cronjobs.batch: "2" 13 | requests.cpu: "2" 14 | requests.memory: "4Gi" 15 | limits.cpu: "4" 16 | limits.memory: "8Gi" 17 | count/deployments.apps: "2" 18 | count/statefulsets.apps: "2" 19 | persistentvolumeclaims: "6" 20 | requests.storage: "20Gi" 21 | fast-rbd.storageclass.storage.k8s.io/requests.storage: "20Gi" 22 | fast-rbd.storageclass.storage.k8s.io/persistentvolumeclaims: "6" 23 | -------------------------------------------------------------------------------- /chapter9/rolebinding-and-clusterrolebinding-rbac.yaml: -------------------------------------------------------------------------------- 1 | kind: RoleBinding 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | metadata: 4 | name: mason-pvc-admin 5 | namespace: dev 6 | subjects: 7 | - kind: User 8 | name: mason 9 | apiGroup: rbac.authorization.k8s.io 10 | roleRef: 11 | kind: ClusterRole 12 | name: pv-admin 13 | apiGroup: rbac.authorization.k8s.io 14 | --- 15 | kind: ClusterRoleBinding 16 | apiVersion: rbac.authorization.k8s.io/v1 17 | 
metadata: 18 | name: ik8s-pv-admin 19 | subjects: 20 | - kind: User 21 | name: ik8s 22 | apiGroup: rbac.authorization.k8s.io 23 | roleRef: 24 | kind: ClusterRole 25 | name: pv-admin 26 | apiGroup: rbac.authorization.k8s.io 27 | -------------------------------------------------------------------------------- /chapter9/secret-token.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: k8sadmin-secret 5 | namespace: default 6 | annotations: 7 | kubernetes.io/service-account.name: k8sadmin 8 | type: kubernetes.io/service-account-token 9 | -------------------------------------------------------------------------------- /chapter9/serviceaccount-demo.yaml: -------------------------------------------------------------------------------- 1 | # serviceaccount/k8sadmin 2 | # Maintainer: MageEdu 3 | --- 4 | apiVersion: v1 5 | kind: ServiceAccount 6 | metadata: 7 | name: namespace-admin 8 | namespace: default 9 | automountServiceAccountToken: true 10 | -------------------------------------------------------------------------------- /imgs/book.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iKubernetes/Kubernetes_Advanced_Practical_2rd/79d08c7b444a70ff0c313e0af6124aadb9e47d89/imgs/book.jpg -------------------------------------------------------------------------------- /imgs/iKubernetes公众号二维码.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/iKubernetes/Kubernetes_Advanced_Practical_2rd/79d08c7b444a70ff0c313e0af6124aadb9e47d89/imgs/iKubernetes公众号二维码.jpg -------------------------------------------------------------------------------- /kube-controller-manager/Dockerfile: -------------------------------------------------------------------------------- 1 | ARG KUBE_VERSION="v1.20.4" 2 | 3 | FROM 
registry.aliyuncs.com/google_containers/kube-controller-manager:${KUBE_VERSION} 4 | 5 | RUN apt update && apt install -y wget gnupg lsb-release 6 | 7 | ARG CEPH_VERSION="octopus" 8 | RUN wget -q -O - https://mirrors.aliyun.com/ceph/keys/release.asc | apt-key add - && \ 9 | echo deb https://mirrors.aliyun.com/ceph/debian-${CEPH_VERSION}/ $(lsb_release -sc) main > /etc/apt/sources.list.d/ceph.list && \ 10 | apt update && \ 11 | apt install -y ceph-common ceph-fuse 12 | 13 | RUN rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/* 14 | -------------------------------------------------------------------------------- /kube-controller-manager/README.md: -------------------------------------------------------------------------------- 1 | #### Build Command 2 | ```docker build . -t YOUR_TAG -a --build-arg KUBE_VERSION='v1.19.0' --build-arg CEPH_VERSION='octopus' 3 | -------------------------------------------------------------------------------- /wordpress/01-namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: wordpress 6 | --- 7 | -------------------------------------------------------------------------------- /wordpress/02-configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: nginx-conf 5 | namespace: wordpress 6 | data: 7 | myserver.conf: | 8 | server { 9 | server_name www.magedu.com; 10 | root /usr/share/nginx/html; 11 | 12 | listen 443 ssl; 13 | ssl_certificate /etc/nginx/certs/tls.crt; 14 | ssl_certificate_key /etc/nginx/certs/tls.key; 15 | 16 | location / { 17 | proxy_pass http://wordpress:80; 18 | } 19 | } 20 | 21 | server { 22 | listen 80; 23 | root /usr/share/nginx/html; 24 | server_name www.magedu.com; 25 | location / { 26 | proxy_pass http://wordpress:80; 27 | } 28 | } 29 | 
-------------------------------------------------------------------------------- /wordpress/03-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: wordpress-pvc 6 | namespace: wordpress 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | storageClassName: longhorn-nfs 11 | resources: 12 | requests: 13 | storage: 1Gi 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: wordpress-mysql-pvc 19 | namespace: wordpress 20 | spec: 21 | accessModes: 22 | - ReadWriteOnce 23 | storageClassName: longhorn 24 | resources: 25 | requests: 26 | storage: 3Gi 27 | --- 28 | -------------------------------------------------------------------------------- /wordpress/04-wordpress-mysql.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: wordpress-mysql 6 | namespace: wordpress 7 | labels: 8 | app: wordpress 9 | spec: 10 | selector: 11 | matchLabels: 12 | app: wordpress 13 | tier: mysql 14 | template: 15 | metadata: 16 | labels: 17 | app: wordpress 18 | tier: mysql 19 | spec: 20 | containers: 21 | - image: mysql:5.7 22 | name: mysql 23 | env: 24 | - name: MYSQL_ROOT_PASSWORD 25 | valueFrom: 26 | secretKeyRef: 27 | name: mysql-password 28 | key: root.password 29 | - name: MYSQL_USER 30 | valueFrom: 31 | secretKeyRef: 32 | name: mysql-password 33 | key: user.username 34 | - name: MYSQL_PASSWORD 35 | valueFrom: 36 | secretKeyRef: 37 | name: mysql-password 38 | key: user.password 39 | - name: MYSQL_DATABASE 40 | valueFrom: 41 | secretKeyRef: 42 | name: mysql-password 43 | key: wordpress.db.name 44 | ports: 45 | - containerPort: 3306 46 | name: mysql 47 | volumeMounts: 48 | - name: mysqlstor 49 | mountPath: /var/lib/mysql 50 | subPath: data 51 | volumes: 52 | - name: mysqlstor 53 | persistentVolumeClaim: 54 | claimName: 
wordpress-mysql-pvc 55 | --- 56 | apiVersion: v1 57 | kind: Service 58 | metadata: 59 | name: wordpress-mysql 60 | namespace: wordpress 61 | labels: 62 | app: wordpress 63 | spec: 64 | ports: 65 | - port: 3306 66 | selector: 67 | app: wordpress 68 | tier: mysql 69 | --- 70 | -------------------------------------------------------------------------------- /wordpress/05-wordpress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: wordpress 6 | namespace: wordpress 7 | labels: 8 | app: wordpress 9 | spec: 10 | selector: 11 | matchLabels: 12 | app: wordpress 13 | tier: frontend 14 | template: 15 | metadata: 16 | labels: 17 | app: wordpress 18 | tier: frontend 19 | spec: 20 | containers: 21 | - image: wordpress:5.5.3-apache 22 | name: wordpress 23 | env: 24 | - name: WORDPRESS_DB_HOST 25 | value: wordpress-mysql 26 | - name: WORDPRESS_DB_NAME 27 | valueFrom: 28 | secretKeyRef: 29 | name: mysql-password 30 | key: wordpress.db.name 31 | - name: WORDPRESS_DB_USER 32 | valueFrom: 33 | secretKeyRef: 34 | name: mysql-password 35 | key: user.username 36 | - name: WORDPRESS_DB_PASSWORD 37 | valueFrom: 38 | secretKeyRef: 39 | name: mysql-password 40 | key: user.password 41 | ports: 42 | - containerPort: 80 43 | name: wordpress 44 | volumeMounts: 45 | - name: wordpress-stor 46 | mountPath: /var/www/html 47 | volumes: 48 | - name: wordpress-stor 49 | persistentVolumeClaim: 50 | claimName: wordpress-pvc 51 | --- 52 | apiVersion: v1 53 | kind: Service 54 | metadata: 55 | name: wordpress 56 | namespace: wordpress 57 | labels: 58 | app: wordpress 59 | spec: 60 | ports: 61 | - port: 80 62 | targetPort: 80 63 | name: http 64 | selector: 65 | app: wordpress 66 | tier: frontend 67 | type: NodePort 68 | -------------------------------------------------------------------------------- /wordpress/06-nginx.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: nginx 6 | namespace: wordpress 7 | labels: 8 | app: nginx 9 | spec: 10 | selector: 11 | matchLabels: 12 | app: nginx 13 | tier: proxy 14 | template: 15 | metadata: 16 | labels: 17 | app: nginx 18 | tier: proxy 19 | spec: 20 | containers: 21 | - image: nginx:alpine 22 | name: nginx 23 | imagePullPolicy: IfNotPresent 24 | ports: 25 | - containerPort: 80 26 | name: http 27 | - containerPort: 443 28 | name: https 29 | volumeMounts: 30 | - name: nginxconf 31 | mountPath: /etc/nginx/conf.d/ 32 | - name: nginxcert 33 | mountPath: /etc/nginx/certs/ 34 | volumes: 35 | - name: nginxconf 36 | configMap: 37 | name: nginx-conf 38 | - name: nginxcert 39 | secret: 40 | secretName: nginx-cert 41 | --- 42 | apiVersion: v1 43 | kind: Service 44 | metadata: 45 | name: nginx 46 | namespace: wordpress 47 | labels: 48 | app: nginx 49 | spec: 50 | ports: 51 | - port: 80 52 | targetPort: 80 53 | name: http 54 | - port: 443 55 | targetPort: 443 56 | name: https 57 | selector: 58 | app: nginx 59 | tier: proxy 60 | type: NodePort 61 | -------------------------------------------------------------------------------- /wordpress/debug.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: admin-box 5 | namespace: wordpress 6 | spec: 7 | containers: 8 | - image: ikubernetes/admin-box:latest 9 | name: debug 10 | imagePullPolicy: IfNotPresent 11 | command: ["/bin/sh","-c"] 12 | args: ["sleep 999999"] 13 | volumeMounts: 14 | - name: mysqlstor 15 | mountPath: /var/lib/mysql 16 | volumes: 17 | - name: mysqlstor 18 | persistentVolumeClaim: 19 | claimName: wordpress-mysql-pvc 20 | -------------------------------------------------------------------------------- /wordpress/nginx.conf: 
-------------------------------------------------------------------------------- 1 | server { 2 | server_name www.magedu.com; 3 | root /usr/share/nginx/html; 4 | 5 | index index.php; 6 | 7 | listen 443 ssl; 8 | ssl_certificate /etc/nginx/certs/tls.crt; 9 | ssl_certificate_key /etc/nginx/certs/tls.key; 10 | 11 | location / { 12 | try_files $uri @apache; 13 | } 14 | 15 | location ~[^?]*/$ { 16 | proxy_set_header X-Real-IP $remote_addr; 17 | proxy_set_header X-Forwarded-For $remote_addr; 18 | proxy_set_header X-Forwarded-Host $host; 19 | proxy_set_header X-Forwarded-Proto $scheme; 20 | proxy_set_header Host $host; 21 | proxy_pass http://wordpress:80; 22 | } 23 | 24 | location ~ \.php$ { 25 | proxy_set_header X-Real-IP $remote_addr; 26 | proxy_set_header X-Forwarded-For $remote_addr; 27 | proxy_set_header X-Forwarded-Host $host; 28 | proxy_set_header X-Forwarded-Proto $scheme; 29 | proxy_set_header Host $host; 30 | proxy_pass http://wordpress:80; 31 | } 32 | 33 | location @apache { 34 | proxy_set_header X-Real-IP $remote_addr; 35 | proxy_set_header X-Forwarded-For $remote_addr; 36 | proxy_set_header X-Forwarded-Host $host; 37 | proxy_set_header X-Forwarded-Proto $scheme; 38 | proxy_set_header Host $host; 39 | proxy_pass http://wordpress:80; 40 | } 41 | } 42 | 43 | server { 44 | listen 80; 45 | server_name www.magedu.com; 46 | return 301 https://$host$request_uri; 47 | } 48 | -------------------------------------------------------------------------------- /wordpress/nginx.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDEzCCAfugAwIBAgIUWeBbgkDi49ZbG/J30NtN/oMLkE8wDQYJKoZIhvcNAQEL 3 | BQAwGTEXMBUGA1UEAwwOd3d3Lm1hZ2VkdS5jb20wHhcNMjAxMjEwMTExNzQ1WhcN 4 | MjEwMTA5MTExNzQ1WjAZMRcwFQYDVQQDDA53d3cubWFnZWR1LmNvbTCCASIwDQYJ 5 | KoZIhvcNAQEBBQADggEPADCCAQoCggEBAOEgE22kJbRUwwzAq9JEFBNRfuhKmQ62 6 | u9DsoZqJecQkA+nre8zNFg8tufeZMSbpHc9iDQ+HU3P4fm3UettoTEvZ/GmzkGzb 7 | 
k+s0v3xOxnVPulutObKaxppkDNkwXPxgmi1mM+F816+8c43S5NKmiT/acJW2Ew7T 8 | PyYh1cC9p+YKYNFmkcb8CcILQy2S+65RpaEJlo0lKfj33dc3vtsf5qLnwSpIDCRU 9 | oO1UrXU0+6gDTUuJuIDdlnemMYQdiea1hHTTxLnTz9ODalTHKi6muR/VYHWpnhHv 10 | tpJ/ro8mhh4mxbe3wEJ0g4XFNw3meFcvQDmgt5HqM33ANKYZwyYeBIMCAwEAAaNT 11 | MFEwHQYDVR0OBBYEFKVMk28u5aLkLYE43LfAhoBxNT/rMB8GA1UdIwQYMBaAFKVM 12 | k28u5aLkLYE43LfAhoBxNT/rMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL 13 | BQADggEBAN5aYAn2BsWKZcyu20/HuBL0q0+96I+kwu2ktpmS5UGRT0kBI9qq9UyN 14 | SR1lPFiFQugKcycZMika244yVzams/t1lgkAkcoJgbxiWoghGes4LlU8B112898M 15 | nwRAx9QAfqycEf06lDK52B0laIzROukIYa/fEFlmsCfYn4HGinOBlGdKKbgWkaLc 16 | EiKYDSK1941fk+7rhJDjW2tWrBdRaR6Vy11UK6SVm+kbSrXBd1jLJsSYcgQabZiv 17 | hNFZoIbEDbVKrW21dDQIUOuwBqbkXAAgO355AMCOCakHGJljbmWgaObEkFBsHbFL 18 | ZM8XihFwDeotYe4PsYJKlQKj1F9Bga4= 19 | -----END CERTIFICATE----- 20 | -------------------------------------------------------------------------------- /wordpress/nginx.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEowIBAAKCAQEA4SATbaQltFTDDMCr0kQUE1F+6EqZDra70Oyhmol5xCQD6et7 3 | zM0WDy2595kxJukdz2IND4dTc/h+bdR622hMS9n8abOQbNuT6zS/fE7GdU+6W605 4 | sprGmmQM2TBc/GCaLWYz4XzXr7xzjdLk0qaJP9pwlbYTDtM/JiHVwL2n5gpg0WaR 5 | xvwJwgtDLZL7rlGloQmWjSUp+Pfd1ze+2x/moufBKkgMJFSg7VStdTT7qANNS4m4 6 | gN2Wd6YxhB2J5rWEdNPEudPP04NqVMcqLqa5H9VgdameEe+2kn+ujyaGHibFt7fA 7 | QnSDhcU3DeZ4Vy9AOaC3keozfcA0phnDJh4EgwIDAQABAoIBAG9dkr7WSOCgXazd 8 | UyI9E0FLO2BmJrkkpFyB8p+kClyBBH6fQyrY+WSg1jIp0irRfzGr65IW+62O69wh 9 | FHWdbsDHIRqY/YUcSlw8R82SmpJF0oavdq9n6X9Opxx51EX089ApktilDX2d1/v8 10 | q72ZLKQtxywIWf0ne0G90yP5rikZY1Qt9d0pBN/dJnvfwko5aeioQfAw6RGtN/3Y 11 | sqavbCZom7NkUCm6ilBe2+/XW6uB1O2zIc7Q1SF9abCTIbXvhT0N0vWOgzcFOLhb 12 | Yfogc7uqj38z1iEKwc0KuQfrS+7kgxU2qi5MFqBjcqaoSUYJFCs36oPkBlMKTpgw 13 | xv/+TAECgYEA/ZKTH9Rsi6gBdebBHLICn8zfTQHXCEbgZe4OHvjB8hszaLsnbO48 14 | bWQ8MjSAKp8PPKdyf0iYYdCOKUxOX7hCwrghYHPlGQDfrKLAkgJeE+TYjpFWRqxF 15 | 
6bLVmGfVC4Fj32foi7NIgTWxXR4GYKze8sfSHN2b+TFHphMcUqfTjYECgYEA40fJ 16 | OhRtznK21wdIpZREwaaqQEEm1FKPKf80K49YFumEwthu5Od9Fbo7uncqSWJsTq2x 17 | NNh7gGBSiOm5Ofc6KYW2yC7M4UsKNMqpXgs56XQ73vxmH8zATFqnasAIAyumfR5d 18 | SAo1+5TSmncZ3N3PmyR0IUKDx3YgjAcSSs5JXAMCgYAPQI/E7FwTEmn0E4suFK7/ 19 | uaz8zs2GW+0HdIg46LGRxH0VIZy/epz733mXc3z6E1MxTMkgStePmqHSbhqQu16Y 20 | o8auLIptNJY/phJ7NdU+0RcNjERqP9Z8thsO7b/szz2YpIFiVchYrUgb18B+dCd8 21 | 5vQGdHX7STGMFb4wYpPhAQKBgQCDqHX82xCw4urfrSx8HmOl+jHtftBLdnfQUDGc 22 | ejEBNMzfQhkbKK3hBDzNS3KHiChNe3iHsE/6kdG91gaieYCLxRWY6ONuLtX+ttdd 23 | zwsBHYABMBzIlwdeM7V/tTXvAD41hH1s2d1jm1ZUfGHS+/rjWD6ddbZ4uQkplH8Y 24 | Ll94mQKBgAuSS3Gs98AlQ80AEpxxWKNUyP4s71vU9wLTZ13lrK2tx3IETHBsuWKR 25 | DLTUMtxNFU/Bo0R5ft2/Bc4TXd6dhtMs/VNhsP+87g5YTGoGkLN7bV+TRMNvvgr3 26 | xoTpJsHQ01C+osVDM7zC3E+BCvTk6Nb6wwyXRHKa0nPbdlXPi2Sd 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /勘误列表.md: -------------------------------------------------------------------------------- 1 | ## 内容勘误(2021年2月第2版第1次印刷版) 2 | 3 | 1. 第124页,页尾代码上面一行中,最后一句中的“使用11024以内的端口的权限”要修改为“使用1024以内端口的权限”。 4 | 2. 第159页,5.3一节标题上面一段中的第一句中,“gitrRepo存储卷构建于emptDir之上”一句中的“gitrRepo”要修改为“gitRepo”。 5 | 3. 第391页,第4小节的第一行中,“有两种是基于本地节点的端口(nodePort)”一句中,括号中的“nodePor”t要修改为“hostPort”。 6 | 4. 第392页,第一行中的最后两个字“运行”要修改为“支持”。 7 | 5. 第449页,11.1.2一节中的第一段的第4行,原文“优先级函数是节点优选级排序工具”一句中的“优选”要修改为“优先”。 8 | 6. 第477页,最后一行中的“node-type是具有NoScheduler效用标识的污点”中的“NoScheduler”要修改为“NoSchedule”。 9 | 7. 第37页,配置容器运行引擎第6个步骤“启动Docker服务,并设置服务可随系统引导启动”一节中的第二个命令“sudo systemctl -start docker.service”中的“-start”要修改为“start”;同时,第三个命令中的“-enable”要修改为“enable”; 10 | 8. 第140页,4.6.2一节之前的一段中的两个“postStop”要修改为“preStop”; 11 | 9. 第434页,“ingress.from字段”一节中,第一段第三行中的“ipBloc”要修改为“ipBlock”; 12 | 10. 第215年,“kubectl get secrets/mysql-ops-authn”命令中的“mysql-ops-authn”要修改为“web-basic-authn”; 13 | 11. 第217页,“kubectl get secret nginx-ssl -o yaml”命令中的“nginx-ssl”要修改为“nginx-ssl-secret”; 14 | 12. 
第322页,PDB资源规范中,kind字段的值要从“CronJob”修改为“PodDisruptionBudget”,且“namespace ”注释中的“CronJob”也要修改为“PodDisruptionBudget”; 15 | 13. 第226页,配置示例中的第三行“name: downwardapi-volume-demo”修改放在metadata字段中,且与labels缩进相同; 16 | 14. 第376页,第二个命令“kubectl describe limitranges/resource-limits -m dev”中的“-m”要修改为“-n”; 17 | 15. 第33页,2.1.5一节中,第一行开头“初始化集群的kubeadm inti命令”一句中的“inti”要修改为“init”; 18 | 19 | ## 内容勘误(2021年6月第2版第2次印刷版) 20 | 21 | 1. 第432页,灰色背景的代码部分中,倒数第三行的“engress <[]object>”中的“engress”要修改为“egress”; 22 | 2. 第200页,3.2.2一节中,“Namespace资源的名称仅能由字母、数字、连接线和下划组等字符组成”,需要更正为“Namespace资源的名字仅能由小写字母和连接线组成,且必须以小写字母开头和结尾”; 23 | 24 | --------------------------------------------------------------------------------